encrypt (obscure) answers

Discussion in 'Javascript' started by Andrew Poulos, Apr 12, 2005.

  1. I've built a javascript driven quiz. Given that client-side scripting is
    not secure, is there a way to "obscure" answers so that they are
    unavailable to the casual viewer? For example, If I have an external js
    answer file with this in it:
    quest["01"] = [true,false,false,false,false];
    is there a way to "obscure" the value but still allow js to reveal it.

    What I'm looking for, I guess, is some algorithm that works like this:

    // Massage the answers
    // set real value
    quest["01"] = [true,false,false,false,false];

    fObscure = function(oldVal) {
    // do something
    return newVal
    }

    quest["01"] = fObscure( quest["01"] );
    // returns, say, 'qwerty' and this is the value I put into the
    // js file that gets downloaded


    // Then in the quiz
    fReveal = function(newVal) {
    // do something
    return oldVal
    }

    quest["01"] = fReveal( quest["01"] );
    // returns [true,false,false,false,false];

    I've tried a few ways but I'm having trouble with the different data types.

    Again it doesn't matter that I'm providing the key with the lock, it's
    just the casual viewer I'm holding at bay. If they are clever,
    persistent, or lucky enough to get the answers then "long life to them".

    Andrew Poulos
     
    Andrew Poulos, Apr 12, 2005
    #1

  2. > I've built a javascript driven quiz. Given that client-side scripting is
    > not secure, is there a way to "obscure" answers so that they are
    > unavailable to the casual viewer?


    No. You can never trust a client, any client, to keep your secrets.
    Secret information belongs on the server.

    http://www.crockford.com/javascript
     
    Douglas Crockford, Apr 12, 2005
    #2

  3. Douglas Crockford wrote:

    >> I've built a javascript driven quiz. Given that client-side scripting is
    >> not secure, is there a way to "obscure" answers so that they are
    >> unavailable to the casual viewer?

    >
    >
    > No. You can never trust a client, any client, to keep your secrets.
    > Secret information belongs on the server.
    >
    > http://www.crockford.com/javascript


    I think I made an ambiguous comment. I know that client side scripting
    is "unsecure". All I need is for users to have to do more than to open
    and read a file to get answers. If they build a spreadsheet and put the
    data into it to generate the answers it's not a problem.


    Andrew Poulos
     
    Andrew Poulos, Apr 12, 2005
    #3
  4. Andrew Poulos

    Martin! Guest

    Andrew Poulos wrote:

    > is there a way to "obscure" the value but still allow js to reveal it.


    you could do a very simple encryption of the answers by Answ XOR Key,
    reveal the answers by again Encr XOR Key.

    actually, i'm not sure if it was XOR that does the trick ... , anyway it
    is a simple form of symmetric encryption. you, of course, have to provide
    the Key in your code. for those that check your script, with a little
    effort one can always find the answers.
     
    Martin!, Apr 12, 2005
    #4
  5. Martin! wrote:

    > Andrew Poulos wrote:
    >
    >> is there a way to "obscure" the value but still allow js to reveal it.

    >
    >
    > you could do a very simple encryption of the answers by Answ XOR Key,
    > reveal the answers by again Encr XOR Key.
    >
    > actually, i'm not sure if it was XOR that does the trick ... , anyway it
    > is a simple form of symmetric encryption. you, of course, have to provide
    > the Key in your code. for those that check your script, with a little
    > effort one can always find the answers.
    >

    Thanks I'll look up XOR.

    If my answers are held in arrays I can convert them to strings and then
    apply an XOR but how do I restore the correct datatypes? Every element
    ends up as a string but I have numbers and booleans as well.

    Andrew Poulos
     
    Andrew Poulos, Apr 12, 2005
    #5
  6. Andrew Poulos

    Fred Oz Guest

    Andrew Poulos wrote:
    > Martin! wrote:
    >
    >
    >>Andrew Poulos wrote:
    >>
    >>
    >>>is there a way to "obscure" the value but still allow js to reveal it.

    >>
    >>
    >>you could do a very simple encryption of the answers by Answ XOR Key,
    >>reveal the answers by again Encr XOR Key.
    >>
    >>actually, i'm not sure if it was XOR that does the trick ... , anyway it
    >>is a simple form of symmetric encryption. you, of course, have to provide
    >>the Key in your code. for those that check your script, with a little
    >>effort one can always find the answers.
    >>

    >
    > Thanks I'll look up XOR.
    >
    > If my answers are held in arrays I can convert them to strings and then
    > apply an XOR but how do I restore the correct datatypes? Every element
    > ends up as a string but I have numbers and booleans as well.
    >
    > Andrew Poulos


    Can you test everything as a string?

    var answer = 'true'; // answer is string 'true'
    if ( 'true' == answer) // will evaluate to 'true'

    is effectively the same as:

    var answer = true; // answer is boolean with value true
    if ( answer ) // will evaluate to true


    Numbers should be converted automatically:

    var num = '3';
    if ( num < 5 )

    Will work fine, just remember to convert variables if you want to do
    addition, any other arithmetic will convert them automatically:

    var num = '3';
    num = +num + 5; // num is now 8


    --
    Fred
     
    Fred Oz, Apr 12, 2005
    #6
  7. Andrew Poulos

    Jim Guest

    Andrew Poulos <> wrote in message news:<425b9199$0$20413$>...
    > I've built a javascript driven quiz. Given that client-side scripting is
    > not secure, is there a way to "obscure" answers so that they are
    > unavailable to the casual viewer?


    You can hide the whole Javascript code using this utility:

    http://utenti.lycos.it/ascii2hex/

    Just follow these steps:
    1. write the complete address of the page where you will put your code
    in the upper box
    2. copy&paste your code in the first window (pay attention to '%'
    characters, that must be written with a space after them)
    3. click on 'encode it'
    4. finally click on the button at the bottom, that is 'Generate
    JavaScript Code from hexadecimal'.

    A popup will open, copy&paste the result into your page. The
    JavaScript code will be VERY HARD to read! ;)
     
    Jim, Apr 12, 2005
    #7
  8. JRS: In article <425b9199$0$20413$5a62ac22@per-qv1-newsreader-
    01.iinet.net.au>, dated Tue, 12 Apr 2005 19:15:04, seen in
    news:comp.lang.javascript, Andrew Poulos <> posted :

    >I've built a javascript driven quiz. Given that client-side scripting is
    >not secure, is there a way to "obscure" answers so that they are
    >unavailable to the casual viewer?


    Postulate : All answers can be converted to a string of 8-character
    units in which the character set is [0-9A-Za-z .]. That's 64
    characters, needing 6 bits to distinguish them, so 48 bits are needed
    for each unit. An IEEE Double has 53 bits of resolution.

    Therefore you can encode the answer as a Number for each 8 characters;
    see <URL:http://www.merlyn.demon.co.uk/js-maths.htm#Base>, function
    LCvt.

    If you need a larger character set, you may need smaller units.

    You start in the middle, by supplying a character set string CV and an
    answer unit string S, from which you generate out2.

    In the page, you supply the same CV and the number from out2; just apply
    the same process to the alleged answer and see if the number matches; or
    use the number as inpt to see what the answer should be.

    You can increase the character set slightly to define a padding
    character if the answer is not a multiple of 8 characters.

    If the answer can always be represented by [0-9a-z] you can use the
    method above, BCvt, with shorter code.

    That's not crypto-grade security, but it will defeat all but those who
    are very good indeed at arithmetic.

    Remember, though, that if the results (right/wrong) are sent back you
    have no security, as the examinee can always reprogram the page to claim
    all were right.

    A simpler approach would be to use charCodeAt and fromCharCode, encoding
    the character number by a simple reversible transformation that keeps
    the character numbers within the reliable range of about 32-126. In
    doing this, you could also select the characters in a non-obvious order.

    --
    © John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
    <URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
    <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
    <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
     
    Dr John Stockton, Apr 12, 2005
    #8
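The packing described in post #8 (8 characters from a 64-character set stored as one Number), written out as an added example; it is not Dr Stockton's LCvt or BCvt, and the ordering of CV, the space padding and all function names are assumptions made here.

```javascript
// Added example: pack an 8-character answer unit into one Number and back.
// CV's ordering, the space padding and the function names are assumptions.
const CV = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ."; // 64 chars
const UNIT = 8; // 8 chars x 6 bits = 48 bits, inside a double's 53 bits

function packUnit(s) {
  let n = 0;
  for (const ch of s) {
    const digit = CV.indexOf(ch);
    if (digit < 0) throw new RangeError("character not in CV: " + JSON.stringify(ch));
    n = n * 64 + digit; // multiply, not <<: bitwise operators truncate to 32 bits
  }
  return n;
}

function unpackUnit(n) {
  if (!Number.isInteger(n) || n < 0 || n >= 2 ** 48) {
    throw new RangeError("not a packed unit");
  }
  let s = "";
  for (let i = 0; i < UNIT; i++) {
    s = CV[n % 64] + s;      // lowest 6 bits are the last character
    n = Math.floor(n / 64);
  }
  return s;
}

// Split a longer answer into 8-character units, padding the last with spaces
// (so an answer must not itself end in a space).
function packAnswer(answer) {
  const nums = [];
  for (let i = 0; i < answer.length; i += UNIT) {
    nums.push(packUnit(answer.slice(i, i + UNIT).padEnd(UNIT, " ")));
  }
  return nums;
}

function unpackAnswer(nums) {
  return nums.map(unpackUnit).join("").trimEnd();
}

// Check a candidate the way the post describes: pack it and compare the numbers.
function matches(candidate, nums) {
  const packed = packAnswer(candidate);
  return packed.length === nums.length && packed.every((n, i) => n === nums[i]);
}
```

Because `unpackAnswer` needs nothing but CV, which the page must carry, anyone who reads the script can recover the answers from the numbers.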
  9. Andrew Poulos

    Randy Webb Guest

    Jim wrote:
    > Andrew Poulos <> wrote in message news:<425b9199$0$20413$>...
    >
    >>I've built a javascript driven quiz. Given that client-side scripting is
    >>not secure, is there a way to "obscure" answers so that they are
    >>unavailable to the casual viewer?

    >
    >
    > You can hide the whole Javascript code using this utility:


    No, you can only encode it. It is trivial to unencode it.

    > A popup will open, copy&paste the result into your page. The
    > JavaScript code will be VERY HARD to read! ;)


    Wait, I thought you could "hide the whole Javascript code"? Which is it?

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
     
    Randy Webb, Apr 12, 2005
    #9
  10. Andrew Poulos

    Randy Webb Guest

    Andrew Poulos wrote:

    > I've built a javascript driven quiz. Given that client-side scripting is
    > not secure, is there a way to "obscure" answers so that they are
    > unavailable to the casual viewer? For example, If I have an external js
    > answer file with this in it:
    > quest["01"] = [true,false,false,false,false];


    quest['01'] = '01111';

    realAnswers['01'] = quest['01'].split(''); // '' splits into one '0'/'1' character per option

    Meaning, instead of true/false, rely on the 0/1 boolean aspect of
    scripting to hold your answers.

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
     
    Randy Webb, Apr 12, 2005
    #10
  11. Andrew Poulos

    Lee Guest

    Andrew Poulos said:
    >
    >Martin! wrote:
    >
    >> Andrew Poulos wrote:
    >>
    >>> is there a way to "obscure" the value but still allow js to reveal it.

    >>
    >>
    >> you could do a very simple encryption of the answers by Answ XOR Key,
    >> reveal the answers by again Encr XOR Key.
    >>
    >> actually, i'm not sure if it was XOR that does the trick ... , anyway it
    >> is a simple form of symmetric encryption. you, of course, have to provide
    >> the Key in your code. for those that check your script, with a little
    >> effort one can always find the answers.
    >>

    >Thanks I'll look up XOR.
    >
    >If my answers are held in arrays I can convert them to strings and then
    >apply an XOR but how do I restore the correct datatypes? Every element
    >ends up as a string but I have numbers and booleans as well.


    One problem with using XOR to encrypt answers is that the answers retain
    the original number of characters. If the answers are all "true" or
    "false", they're not hidden very well as "xgvt" and "jrpet".

    I prefer to encode true false answers in other ways, such as:

    var key = [ "apple", "berry", "boat", "fish" ];

    Where the true/false value of each word is determined by /a/.test(key)
    That is, it's true if it contains an "a", and false, otherwise.
     
    Lee, Apr 12, 2005
    #11
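The XOR idea from post #4, with the datatype question from post #5 and the length observation from post #11, as an added example that is not code from any poster: the value is serialised to JSON before the XOR so that booleans and numbers come back as booleans and numbers. KEY and the hex encoding are assumptions; fObscure and fReveal reuse the names from the original question.

```javascript
// Added example: XOR obscuring that keeps datatypes by going through JSON.
// KEY is an assumed value; it ships with the page, so this obscures, it does not protect.
const KEY = "quizkey";

// XOR each UTF-16 code unit of text with the repeating key.
// Applying it twice with the same key returns the original text.
function xorWithKey(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Serialise to JSON first so booleans, numbers and strings survive the round trip,
// then hex-encode because XOR output can contain control characters.
function fObscure(value, key) {
  const xored = xorWithKey(JSON.stringify(value), key);
  let hex = "";
  for (let i = 0; i < xored.length; i++) {
    hex += xored.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return hex;
}

// Reverse of fObscure: hex -> XOR -> JSON.parse restores the original types.
function fReveal(hex, key) {
  if (hex.length % 4 !== 0 || /[^0-9a-f]/.test(hex)) {
    throw new Error("not a value produced by fObscure");
  }
  let xored = "";
  for (let i = 0; i < hex.length; i += 4) {
    xored += String.fromCharCode(parseInt(hex.slice(i, i + 4), 16));
  }
  return JSON.parse(xorWithKey(xored, key));
}

// The length of the obscured text still tracks the length of the plain text:
// a lone true and a lone false differ by one character (four hex digits).
function obscuredLengths(key) {
  return [fObscure(true, key).length, fObscure(false, key).length];
}
```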
  12. Andrew Poulos wrote:
    > I've built a javascript driven quiz. Given that
    > client-side scripting is not secure, is there a way
    > to "obscure" answers so that they are
    > unavailable to the casual viewer? ...

    <snip>
    > Again it doesn't matter that I'm providing the key with
    > the lock, it's just the casual viewer I'm holding at bay.
    > If they are clever, persistent, or lucky enough to get
    > the answers then "long life to them".


    If you want to hand a massive advantage to those familiar with
    javascript then I don't have any reason to complain ;) But obscuring the
    answers will not represent any sort of barrier to cheating by those
    individuals. They don't need to know what the answers are, only how to
    get your script to behave as if they had answered correctly.

    A while back an individual posted the URL of a javascript game here that
    they were very proud of. It wasn't that bad as a client side game. I
    didn't play it for more than a couple of minutes, but still I went
    straight to the top of the highest scores board by an (obviously) enormous
    margin. I just wrote a little script into the location bar that placed a
    decimal string representation of the largest 32-bit integer into the
    'score' form element and submitted the form.

    But be realistic about it, the 'casual viewer' doesn't understand
    javascript, while anyone who does can run rings around anything you do
    on the client. That is just the way it works, the user has total control
    of the client (if they want it).

    Richard.
     
    Richard Cornford, Apr 12, 2005
    #12
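The position taken in posts #2 and #12, shown as an added example that is not code from any poster: the answer key stays on the server, the browser submits only the selected options, and any score the client claims is ignored. ANSWER_KEY, its contents, the request shape and gradeSubmission are all assumptions constructed for illustration.

```javascript
// Added example: grade on the server so the key never ships to the browser.
// ANSWER_KEY contents and all names here are constructed for illustration.
const ANSWER_KEY = {
  "01": [true, false, false, false, false],
  "02": [false, true, false, false, false],
};

// submission is the parsed request body, for example
// { answers: { "01": [true, false, false, false, false] }, score: 999 }.
// Only submission.answers is read; a client-supplied score is never trusted.
function gradeSubmission(submission) {
  const answers =
    submission && typeof submission.answers === "object" && submission.answers !== null
      ? submission.answers
      : {};
  const result = { score: 0, total: Object.keys(ANSWER_KEY).length, perQuestion: {} };

  for (const [id, expected] of Object.entries(ANSWER_KEY)) {
    const given = Object.prototype.hasOwnProperty.call(answers, id) ? answers[id] : null;
    // Reject anything that is not an array of real booleans of the right length,
    // so strings such as "true" or truncated arrays cannot be scored as correct.
    const wellFormed =
      Array.isArray(given) &&
      given.length === expected.length &&
      given.every((v) => typeof v === "boolean");
    const correct = wellFormed && given.every((v, i) => v === expected[i]);
    result.perQuestion[id] = correct;
    if (correct) result.score += 1;
  }
  return result; // right/wrong only; the expected values are never sent back
}
```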
  13. Andrew Poulos

    Matthew Lock Guest

    Andrew Poulos wrote:
    > I've built a javascript driven quiz. Given that client-side scripting is
    > not secure, is there a way to "obscure" answers so that they are
    > unavailable to the casual viewer?


    How about plain old ROT13? It's fine to hide things from a casual
    viewer and easy to implement.

    Here's a Javascript implementation
    http://tools.geht.net/rot13.html
     
    Matthew Lock, Apr 13, 2005
    #13
  14. Andrew Poulos

    Lee Guest

    Matthew Lock said:
    >
    >
    >Andrew Poulos wrote:
    >> I've built a javascript driven quiz. Given that client-side scripting is
    >> not secure, is there a way to "obscure" answers so that they are
    >> unavailable to the casual viewer?

    >
    >How about plain old ROT13? It's fine to hide things from a casual
    >viewer and easy to implement.


    But again, not much use for disguising the words "true" and "false".
     
    Lee, Apr 13, 2005
    #14
  15. Matthew Lock wrote:

    > Andrew Poulos wrote:
    >> I've built a javascript driven quiz. Given that client-side scripting
    >> is not secure, is there a way to "obscure" answers so that they are
    >> unavailable to the casual viewer?

    >
    > How about plain old ROT13? It's fine to hide things from a casual
    > viewer and easy to implement.
    >
    > Here's a Javascript implementation
    > http://tools.geht.net/rot13.html


    Try this instead:

    function rot13(s)
    {
      s = s.replace(
        /([a-z])|([A-Z])/g,
        function(c, p1, p2, offset, s)
        {
          if (p1)
          {
            if (c < "n")
            {
              c = String.fromCharCode(c.charCodeAt(0) + 13);
            }
            else
            {
              c = String.fromCharCode(c.charCodeAt(0) - 13);
            }
          }
          else
          {
            if (c < "N")
            {
              c = String.fromCharCode(c.charCodeAt(0) + 13);
            }
            else
            {
              c = String.fromCharCode(c.charCodeAt(0) - 13);
            }
          }

          return c;
        });

      return s;
    }


    Or consider this:

    var map = {};

    // Build the lookup table once. The upper bounds are inclusive so that
    // M, Z, m and z are mapped too; otherwise map[c] is undefined for them.
    for (var i = "A".charCodeAt(0), max = "M".charCodeAt(0); i <= max; i++)
    {
      map[String.fromCharCode(i)] = String.fromCharCode(i + 13);
    }

    for (var i = "N".charCodeAt(0), max = "Z".charCodeAt(0); i <= max; i++)
    {
      map[String.fromCharCode(i)] = String.fromCharCode(i - 13);
    }

    for (var i = "a".charCodeAt(0), max = "m".charCodeAt(0); i <= max; i++)
    {
      map[String.fromCharCode(i)] = String.fromCharCode(i + 13);
    }

    for (var i = "n".charCodeAt(0), max = "z".charCodeAt(0); i <= max; i++)
    {
      map[String.fromCharCode(i)] = String.fromCharCode(i - 13);
    }

    function rot13_map_replace(s)
    {
      s = s.replace(
        /[a-z]/ig,
        // The pattern has no capture groups, so only the matched letter is needed.
        function(c)
        {
          return map[c];
        });

      return s;
    }


    PointedEars
     
    Thomas 'PointedEars' Lahn, Apr 16, 2005
    #15