encrypt (obscure) answers

[Andrew Poulos]

I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer? For example, If I have an external js
answer file with this in it:
quest["01"] = [true,false,false,false,false];
is there a way to "obscure" the value but still allow js to reveal it.

What I'm looking for, I guess, is some algorithm that works like this:

// Massage the answers
// set real value
quest["01"] = [true,false,false,false,false];

fObscure = function(oldVal) {
// do something
return newVal
}

quest["01"] = fObscure( quest["01"] );
// returns, say, 'qwerty' and this is the value I put into the
// js file that gets downloaded


// Then in the quiz
fReveal = function(newVal) {
// do something
return oldVal
}

quest["01"] = fReveal( quest["01"] );
// returns [true,false,false,false,false];

I've tried a few ways but I'm having trouble with the different data types.

Again it doesn't matter that I'm providing the key with the lock, it's
just the casual viewer I'm holding at bay. If they are clever,
persistent, or lucky enough to get the answers then "long life to them".

Andrew Poulos

 

[Douglas Crockford]

I've built a javascript driven quiz. Given that client-side scripting is

not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?

No. You can never trust a client, any client, to keep your secrets.
Secret information belongs on the server.

http://www.crockford.com/javascript

 

[Andrew Poulos]

No. You can never trust a client, any client, to keep your secrets.
Secret information belongs on the server.

http://www.crockford.com/javascript

I think I made an ambiguous comment. I know that client side scripting
is "unsecure". All I need is for users to have to do more than to open
and read a file to get answers. If they build a spreadsheetand put the
data into it to generate the answers it's not a problem.


Andrew Poulos

 

[Martin!]

is there a way to "obscure" the value but still allow js to reveal it.

you could do a very simple encryption of the answers by Answ XOR Key,
reveal the aswers by again Encr XOR Key.

actually, i`m not sure if it was XOR that does the trick ... , anyway it
is a simple form of symetric encryption. you, of course, have to provide
the Key in your code. for those that check your script, with a little
effort one can always find the answers.

 

[Andrew Poulos]

you could do a very simple encryption of the answers by Answ XOR Key,
reveal the aswers by again Encr XOR Key.

actually, i`m not sure if it was XOR that does the trick ... , anyway it
is a simple form of symetric encryption. you, of course, have to provide
the Key in your code. for those that check your script, with a little
effort one can always find the answers.

Thanks I'll look up XOR.

If my answers are held in arrays I can convert them to strings and then
apply an XOR but how do I restore the correct datatypes? Every element
ends up as a string but I have numbers and booleans as well.

Andrew Poulos

 

[Fred Oz]

Martin! wrote:



Thanks I'll look up XOR.

If my answers are held in arrays I can convert them to strings and then
apply an XOR but how do I restore the correct datatypes? Every element
ends up as a string but I have numbers and booleans as well.

Andrew Poulos

Can you test everything as a string?

var answer = 'true'; // answer is string 'true'
if ( 'true' == answer) // will evaluate to 'true'

is effectively the same as:

var answer = true; // answer it boolean with value true
if ( answer ) // will evaluate to true


Numbers should be converted automatically:

var num = '3';
if ( num < 5 )

Will work fine, just remember to convert variables if you want to do
addition, any other arithmetic will convert them automatically:

var num = '3';
num = +num + 5; // num is now 8

 

[Jim]

I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?

You can hide the whole Javascript code using this utility:

http://utenti.lycos.it/ascii2hex/

Just follow these steps:
1. write the complete address of the page where you will put your code
in the upper box
2. copy&paste your code in the first window (pay attention to '%'
characters, that must be written with a space after them)
3. click on 'encode it'
4. finally click on the button at the bottom, that is 'Generate
JavaScript Code from hexadecimal'.

A popup will open, copy&paste the result into your page. The
JavaScript code will be VERY HARD to read!

 

[Dr John Stockton]

JRS: In article <425b9199$0$20413$5a62ac22@per-qv1-newsreader-
01.iinet.net.au>, dated Tue, 12 Apr 2005 19:15:04, seen in

I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?

Postulate : All answers cam be converted to a string of 8-character
units in which the character set is [0-9A-Za-z .]. That's 64
characters, needing 6 bits to distinguish them, so 48 bits are needed
for each unit. An IEEE Double has 53 bits of resolution.

Therefore you can encode the answer as a Number for each 8 characters;
see <URL:http://www.merlyn.demon.co.uk/js-maths.htm#Base>, function
LCvt.

If you need a larger character set, you may need smaller units.

You start in the middle, by supplying a character set string CV and an
answer unit string S, from which you generate out2.

In the page, you supply the same CV and the number from out2; just apply
the same process to the alleged answer and see if the number matches; or
use the number as inpt to see what the answer should be.

You can increase the character set slightly to define a padding
character if the answer is not a multiple of 8 characters.

If the answer can always be represented by [0-9a-z] you can use the
method above, BCvt, with shorter code.

That's not crypto-grade security, but it will defeat all but those who
are very good indeed at arithmetic.

Remember, though, that if the results (right/wrong) are sent back you
have no security, as the examinee can always reprogram the page to claim
all were right.

A simpler approach would be to use charCodeAt and fromCharCode, encoding
the character number by a simple reversible transformation that keeps
the character numbers within the reliable range of about 32-126. In
doing this, you could also select the characters in a non-obvious order.

 

[Randy Webb]

You can hide the whole Javascript code using this utility:

No, you can only encode it. It is trivial to unencode it.

A popup will open, copy&paste the result into your page. The
JavaScript code will be VERY HARD to read!

Wait, I thought you could "hide the whole Javascript code"? Which is it?

 

[Randy Webb]

I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer? For example, If I have an external js
answer file with this in it:
quest["01"] = [true,false,false,false,false];

quest['01'] = '01111';

realAnswers['01'] = quest['01'].split();

Meaning, instead of true/false, rely on the 0/1 boolean aspect of
scripting to hold your answers.

 

[Lee]

Andrew Poulos said:

Thanks I'll look up XOR.

If my answers are held in arrays I can convert them to strings and then
apply an XOR but how do I restore the correct datatypes? Every element
ends up as a string but I have numbers and booleans as well.

One problem with using XOR to encrypt answers is that the answers retain
the original number of characters. If the answers are all "true" or
"false", they're not hidden very well as "xgvt" and "jrpet".

I prefer to encode true false answers in other ways, such as:

var key = [ "apple", "berry", "boat", "fish" ];

Where the true/false value of each word is determined by /a/.test(key)
That is, it's true if it contains an "a", and false, otherwise.

 

[Richard Cornford]

I've built a javascript driven quiz. Given that
client-side scripting is not secure, is there a way
to "obscure" answers so that they are
unavailable to the casual viewer? ...

Again it doesn't matter that I'm providing the key with
the lock, it's just the casual viewer I'm holding at bay.
If they are clever, persistent, or lucky enough to get
the answers then "long life to them".

If you want to hand a massive advantage to those familiar with
javascript then I don't have any reason to complain But obscuring the
answers will not represent any sort of barrier to cheating by those
individuals. They don't need to know what the answers are, only how to
get your script to behave as if they had answered correctly.

A while back an individual posted the URL of a javascript game here that
they were very proud of. It wasn't that bad as a client side game. I
didn't play it for more than a couple of minutes, but still I went
strait to the top of the highest scores board by an (obviously) enormous
margin. I just wrote a little script into the location bar that placed a
decimal string representation of the largest 32-bit integer into the
'score' form element and submitted the form.

But be realistic about it, the 'casual viewer' doesn't understand
javascript, while anyone who does can run rings around anything you do
on the client. That is just the way it works, the user has total control
of the client (if they want it).

Richard.

 

[Matthew Lock]

I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?

How about plain old ROT13? It's fine to hide things from a casual
viewer and easily to implement.

Here's a Javascript implementation
http://tools.geht.net/rot13.html

 

[Lee]

Matthew Lock said:

How about plain old ROT13? It's fine to hide things from a casual
viewer and easily to implement.

But again, not much use for disguising the words "true" and "false".

 

[Thomas 'PointedEars' Lahn]

How about plain old ROT13? It's fine to hide things from a casual
viewer and easily to implement.

Here's a Javascript implementation
http://tools.geht.net/rot13.html

Try this instead:

function rot13(s)
{
s = s.replace(
/([a-z])|([A-Z])/g,
function(c, p1, p2, offset, s)
{
if (p1)
{
if (c < "n")
{
c = String.fromCharCode(c.charCodeAt(0) + 13);
}
else
{
c = String.fromCharCode(c.charCodeAt(0) - 13);
}
}
else
{
if (c < "N")
{
c = String.fromCharCode(c.charCodeAt(0) + 13);
}
else
{
c = String.fromCharCode(c.charCodeAt(0) - 13);
}
}

return c;
});

return s;
}


Or consider this:

var map = {};

for (var i = "A".charCodeAt(0), max = "M".charCodeAt(0); i < max; i++)
{
map[String.fromCharCode(i)] = String.fromCharCode(i + 13);
}

for (var i = "N".charCodeAt(0), max = "Z".charCodeAt(0); i < max; i++)
{
map[String.fromCharCode(i)] = String.fromCharCode(i - 13);
}

for (var i = "a".charCodeAt(0), max = "m".charCodeAt(0); i < max; i++)
{
map[String.fromCharCode(i)] = String.fromCharCode(i + 13);
}

for (var i = "n".charCodeAt(0), max = "z".charCodeAt(0); i < max; i++)
{
map[String.fromCharCode(i)] = String.fromCharCode(i - 13);
}

function rot13_map_replace(s)
{
s = s.replace(
/[a-z]/ig,
function(c, p1, p2, offset, s)
{
return map[c];
});

return s;
}


PointedEars