in reply to Crypt::DES returns same string

I'm not sure what you are doing, but I get different ciphertexts for each plaintext:

    #!/usr/bin/perl -w
    use strict;
    use Crypt::DES;

    # "hello" is packed with the H16 template into an 8-byte DES key
    my $key = pack("H16", "hello");
    my $cipher = new Crypt::DES $key;

    for (my $i=1;$i<11;$i++){
        my $ciphertext = $cipher->encrypt(&pad($i));
        print "ciphertext: ".unpack("H16", $ciphertext);
        print " plaintext : ".$cipher->decrypt($ciphertext)."\n";
    }

    # Left-pad the value with '#' to the 8-byte DES block size
    sub pad {
        my $padstr = shift;
        my $padlen = length($padstr);
        for (my $i=$padlen;$i<8;$i++) {
            $padstr = '#'.$padstr;
        }
        return $padstr;
    }

Each pass produces the same ciphertext for each plaintext value:

    ciphertext: b9f13b4dadafc8a7 plaintext : #######1
    ciphertext: a63ce27095356ceb plaintext : #######2
    ciphertext: df037bd297aa73af plaintext : #######3
    ciphertext: 0eaf7e009f26dc71 plaintext : #######4
    ciphertext: 878da30ec4b03db2 plaintext : #######5
    ciphertext: 38bb5f88a797e62e plaintext : #######6
    ciphertext: e001696d8bcec155 plaintext : #######7
    ciphertext: 6c3446a5cf32e3f2 plaintext : #######8
    ciphertext: 21b4798bb48eb72d plaintext : #######9
    ciphertext: 8ff59b7237d31c90 plaintext : ######10

Random keys won't work unless you store the key somewhere and associate it with the plaintext (or a hash of the plaintext), which in itself is bad security practice.

Your comment of "most of the time" I think is inaccurate. If you use the same key on the same plaintext, you will _always_ get the same ciphertext. If you didn't, then what would happen if you gave someone your ciphertext and the key, and asked them to decrypt it? It would produce the incorrect result.

Check out Applied Cryptography. It's a fantastic book that explains symmetric (DES) and asymmetric (RSA) algorithms (among other things).

Are you able to explain the wider problem, or post a code snippet?

Re: Re: Crypt::DES returns same string
by learn_forever (Acolyte) on Mar 30, 2002 at 22:42 UTC
    Hi !

    Now I found better words to explain my problem :) I was able to do the encrypting and decrypting. Now my requirement was to get a different encoded string for the same 'plaintext' each time, so people cannot store these.

    I tried your code and ran it 3-4 times; each time it generates 'b9f13b4dadafc8a7' for plaintext '#######1'. (This is exactly what my problem is. It generates the same encoded string for a given plaintext.) Now what I want is, let's say we have userid=1, then the encoded URL should send something.pl?userid=b9f13b4dadafc8a7. This is fine up to this point.

    But I also want the script to create the encoded string for this userid (1 in our example) each time, using encryption, so that it does not match 'b9f13b4dadafc8a7' at least (quasi-random is fine).
    How do I get this using DES, so that a user cannot guess what the encoded string is for a given userid?

    Hope this explains what I want vs what I get clearly.

      Ahhhh ok, I think I'm beginning to understand. DES can't do this. Given a key and plaintext, DES will always produce the same ciphertext.

      What I think you're after is session management.

      The basic gist is:

      1. You already have a bunch of users
      2. The user logs in and you give them a token
      3. Each page refresh you check their token against a list of known tokens. If it's in the list, let them view the page, otherwise direct them to log in again

      The token can be an MD5 hash. The list of users can be in a database or in a flatfile, and you should have a sessions table (or ff) which would have the token and the user_id in it.

      Each page view you get the token (from a CGI param or from a cookie) and look it up in your session table.
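
The three steps above as an added Perl example (not code from the original thread). Assumptions: an in-memory hash stands in for the sessions table, the token is 16 random bytes from /dev/urandom rather than an MD5 hash, only a SHA-256 of the token is stored, and the 15-minute lifetime and all function names are illustrative.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $TTL = 15 * 60;   # assumed session lifetime in seconds
my %sessions;        # stand-in for the sessions table: sha256(token) => { user_id, expires }

# Draw 16 bytes from the OS CSPRNG; the token carries no information about the userid.
sub new_token {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $bytes, 16);
    close($fh);
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack('H*', $bytes);
}

# Step 2: after a successful login, issue a token and record it.
sub start_session {
    my ($user_id, $now) = @_;
    my $token = new_token();
    $sessions{ sha256_hex($token) } = { user_id => $user_id, expires => $now + $TTL };
    return $token;
}

# Step 3: on each page view, map the presented token back to a userid.
# Returns undef for unknown, malformed or expired tokens (caller redirects to login).
sub check_session {
    my ($token, $now) = @_;
    return undef unless defined $token && $token =~ /\A[0-9a-f]{32}\z/;
    my $key = sha256_hex($token);
    my $s = $sessions{$key} or return undef;
    if ($now >= $s->{expires}) {
        delete $sessions{$key};   # expired rows are dropped on first use
        return undef;
    }
    return $s->{user_id};
}

# Constructed walk-through: the same userid logs in twice.
my $t0   = time();
my $tok1 = start_session(1, $t0);
my $tok2 = start_session(1, $t0);
print "tokens differ for the same userid: ", ($tok1 ne $tok2 ? "yes" : "no"), "\n";
print "lookup of first token -> userid ", check_session($tok1, $t0 + 60), "\n";
print "guessed token -> ", (defined check_session('0' x 32, $t0) ? "accepted" : "rejected"), "\n";
print "expired token -> ", (defined check_session($tok1, $t0 + $TTL) ? "accepted" : "rejected"), "\n";
```

The userid never appears in the URL or cookie, so there is nothing to decrypt or guess, and a copied token stops working once its row expires.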

        Aye Aye Sir! You are right there. But instead of managing my sessions and then managing to expire them etc., I thought a simple scheme would be, in each subsequent chained script (say logon.pl, then menu.pl, then user clicks submenu.pl and so on) ->

        I would grab the encoded string, decode it and get the actual userid; when I pass the userid to the next script I re-encode and substitute. This will even have better security, as each time a new string is generated for the same userid, so even a session string cannot be stored by a malicious user.
        I tried it successfully using my own crypt function and decrypt function where I changed the salt randomly. But I was not sure if this is a secure enough way (and tested), so I would like to rely on time-tested modules like DES or MD5. Does any of these have this type of functionality?

        Thanks