0

Is there any safe encryption algorithm that I can use this way?

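<?php

   // encrypt() and decrypt() stand for the algorithm being asked about
   $message="Hi there!";
   $key1="ablablabla";      // user's secret key
   $key2="fooboomoohoo";    // server's secret key

   $tmp=encrypt($message,$key1);   // 1. user encrypts
   $tmp=encrypt($tmp,$key2);       // 2. server encrypts again
   $tmp=decrypt($tmp,$key1);       // 3. user removes his layer
   $result=decrypt($tmp,$key2);    // 4. server removes its layer

   echo "\"".$message."\" is the same as \"".$result."\"";

?>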

It should work like this:

  1. User wants to send an encrypted message to server, so he encrypts it with his secret key

  2. Server gets an encrypted message, so he encrypts it again with its own secret key and sends it back

  3. User decrypts the message with his key and sends it back

  4. Finally, the server decodes the message

Brad Werth
m93a
  • The order seems somewhat suspect to me, you want to encrypt a message in one order and decrypt it in the same order? – NominSim Jul 23 '12 at 14:21
  • I'm almost positive that the algorithm required to make the encryption/decryption work would be highly susceptible to attacks, and would not recommend it. Also this might be best migrated to something like security.stackexchange.com – NominSim Jul 23 '12 at 14:30
  • At which points in this chain can an attacker view the ciphertext? – CodesInChaos Jul 23 '12 at 14:36
  • Since you're just overwriting `$tmp` several times I'm not sure what you want here... – deceze Jul 23 '12 at 14:38
  • @CodesInChaos It should work like this: 1) User wants to send an encrypted message to server, so he encrypts it with his secret key 2) Server gets an encrypted message, so he encrypts it again with its own secret key and sends it back 3) User decrypts the message with his key and sends it back 4) Finally, the server decodes the message. Hooray! :D – m93a Jul 23 '12 at 14:41
  • What are you trying to achieve with this scheme? I don't see what use case this fills. – CodesInChaos Jul 23 '12 at 14:56
  • So the server encrypts the message using its key and then sends back to the user that tries to decrypt with his own key... Something really suspect going on in that logic! – David Barker Jul 23 '12 at 14:57
  • What's the use case for this, if I may ask? – deceze Jul 23 '12 at 14:57
  • This is an old fairy-tale type scheme (http://en.wikipedia.org/wiki/Public-key_cryptography#A_postal_analogy, bottom paragraph). There are methods that work much better than this ever would. Use RSA/ElGamal for a key exchange, then chat away using AES. Commutative cryptology has been shown to be always flawed in some way. – lynks Jul 23 '12 at 14:57
  • The code posted makes no sense and I would say confuses your question more than sheds light on the solution. I would also say that adopting an industrially recognised algorithm would be better than trying to create your own. Many people, many times smarter than me have taken years to develop these algorithms! – Nicholas King Jul 23 '12 at 15:14
  • @NicholasKing The code makes sense. It's called postal analogy and it's a type of asymmetric cryptography. And - who said I want to create my own algorithm? o_O – m93a Jul 24 '12 at 08:48
  • @m93a As you are writing PHP, why not use the encryption functions that are present in the language? – Nicholas King Jul 24 '12 at 08:54
  • While this scheme works, and is probably secure if you choose the right commutative encryption (xor is broken), I see no advantage (and severe disadvantages) over a Diffie-Hellman key-exchange. So it's useless in practice. – CodesInChaos Aug 06 '12 at 10:49

2 Answers

0

You appear to be asking whether there are encryption schemes with commutative keys. See, for example, this stackoverflow question.

There are certainly such commutative systems. A simple example would be a Caesar Cypher (i.e. shifting letters in the alphabet by n positions, where n is the key). In terms of safe schemes - and safe is rather subjective here - the commutative property for keys does exist at a more sophisticated level. Such an example can be seen here which discusses why RSA is commutative for common n. (NB: common n is not usual.)

Community
borrible
  • Shared n is not usual, because it means that every user of it can calculate the private exponents of other users given their public exponent. In this specific case that's probably not a problem, provided both public and private exponents are large/unguessable. Essentially the scheme degenerates to Shamir. – CodesInChaos Jul 23 '12 at 20:39
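
The commutative exponentiation scheme the answer and comment above point to (Shamir's three-pass protocol), as an added example that is not part of the original answer or comments. The prime `P`, the `keygen` helper and the function names are assumptions made for illustration; the 127-bit modulus is far too small for real use.

```python
import math
import secrets

# Assumption: a 127-bit Mersenne prime keeps the demo readable.
P = 2**127 - 1

def keygen():
    """Pick exponent e coprime to P-1 and its inverse d, so (m^e)^d = m mod P."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def encrypt(m, key):
    return pow(m, key[0], P)

def decrypt(c, key):
    return pow(c, key[1], P)

def three_pass(message, key1, key2):
    """Run the question's four steps; return (wire messages, server's result)."""
    m = int.from_bytes(message, "big")
    if not 0 < m < P:
        raise ValueError("message must encode to an integer in 1..P-1")
    c1 = encrypt(m, key1)       # 1. user -> server
    c2 = encrypt(c1, key2)      # 2. server -> user
    c3 = decrypt(c2, key1)      # 3. user -> server, only key2's layer is left
    result = decrypt(c3, key2)  # 4. server removes its own layer
    return (c1, c2, c3), result.to_bytes(len(message), "big")

if __name__ == "__main__":
    user, server = keygen(), keygen()
    wire, result = three_pass(b"Hi there!", user, server)
    print(result)
```

Each layer is a modular exponentiation, so the layers can be removed in any order; neither side authenticates the other in this exchange.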
0

What about a stream cipher like RC4?

Encryption and decryption involve XOR with the output of a PRNG. (Actually decryption is the same as encryption.)

// P = plaintext, A = keystream from $key1, B = keystream from $key2
$tmp=encrypt($message,$key1); // tmp = P ^ A
$tmp=encrypt($tmp,$key2);     // tmp = P ^ A ^ B
$tmp=decrypt($tmp,$key1);     // tmp = P ^ A ^ B ^ A = P ^ B
$result=decrypt($tmp,$key2);  // result = P ^ B ^ B = P
tbroberg
  • @m93a I think you're confused. Encrypting two different plaintexts with the same key is a problem, because you can XOR them together to cancel out the keys and get the XOR of the plaintexts. Encrypting the same plaintext twice with different keys is just XORing a bunch of random data. Is there some subtlety here you're aware of? If so, please share it. – tbroberg Jul 25 '12 at 22:19
  • You can trivially obtain key1 by xor-ing the first two messages, and key2 by xor-ing the second and third message. So using xor for this algorithm is obviously insecure. – CodesInChaos Aug 06 '12 at 10:45
  • @Codes - Thanks, right on the money. Yet another example of why amateurs shouldn't design crypto protocols. – tbroberg Sep 12 '12 at 04:47
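
Why the XOR variant fails, as an added example that is not part of the original answer or comments: it runs the four steps with RC4 and the question's two keys, then shows what a passive observer derives from the three messages on the wire. The function names are assumptions made for illustration.

```python
def rc4_keystream(key, n):
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(data, key):
    return xor(data, rc4_keystream(key, len(data)))

decrypt = encrypt  # XOR with the same keystream undoes itself

def three_pass(message, key1, key2):
    """Return the three wire messages and the server's final result."""
    c1 = encrypt(message, key1)  # user -> server: P ^ A
    c2 = encrypt(c1, key2)       # server -> user: P ^ A ^ B
    c3 = decrypt(c2, key1)       # user -> server: P ^ B
    return (c1, c2, c3), decrypt(c3, key2)

def eavesdrop(c1, c2, c3):
    """What an observer computes from the wire traffic alone."""
    stream_b = xor(c1, c2)            # (P^A) ^ (P^A^B) = B
    stream_a = xor(c2, c3)            # (P^A^B) ^ (P^B) = A
    plaintext = xor(xor(c1, c2), c3)  # everything but P cancels
    return stream_a, stream_b, plaintext

if __name__ == "__main__":
    wire, result = three_pass(b"Hi there!", b"ablablabla", b"fooboomoohoo")
    print(result, eavesdrop(*wire)[2])
```

The observer needs neither key: both keystreams and the plaintext fall out of XORs of the ciphertexts.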