Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Javascript > encrypt (obscure) answers

Reply
Thread Tools

encrypt (obscure) answers

 
 
Andrew Poulos
Guest
Posts: n/a
 
      04-12-2005
I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer? For example, If I have an external js
answer file with this in it:
quest["01"] = [true,false,false,false,false];
is there a way to "obscure" the value but still allow js to reveal it.

What I'm looking for, I guess, is some algorithm that works like this:

// Massage the answers
// set real value
quest["01"] = [true,false,false,false,false];

fObscure = function(oldVal) {
// do something
return newVal
}

quest["01"] = fObscure( quest["01"] );
// returns, say, 'qwerty' and this is the value I put into the
// js file that gets downloaded


// Then in the quiz
fReveal = function(newVal) {
// do something
return oldVal
}

quest["01"] = fReveal( quest["01"] );
// returns [true,false,false,false,false];

I've tried a few ways but I'm having trouble with the different data types.

Again it doesn't matter that I'm providing the key with the lock, it's
just the casual viewer I'm holding at bay. If they are clever,
persistent, or lucky enough to get the answers then "long life to them".

Andrew Poulos
 
Reply With Quote
 
 
 
 
Douglas Crockford
Guest
Posts: n/a
 
      04-12-2005
> I've built a javascript driven quiz. Given that client-side scripting is
> not secure, is there a way to "obscure" answers so that they are
> unavailable to the casual viewer?


No. You can never trust a client, any client, to keep your secrets.
Secret information belongs on the server.

http://www.crockford.com/javascript
 
Reply With Quote
 
 
 
 
Andrew Poulos
Guest
Posts: n/a
 
      04-12-2005
Douglas Crockford wrote:

>> I've built a javascript driven quiz. Given that client-side scripting is
>> not secure, is there a way to "obscure" answers so that they are
>> unavailable to the casual viewer?

>
>
> No. You can never trust a client, any client, to keep your secrets.
> Secret information belongs on the server.
>
> http://www.crockford.com/javascript


I think I made an ambiguous comment. I know that client side scripting
is "unsecure". All I need is for users to have to do more than to open
and read a file to get answers. If they build a spreadsheetand put the
data into it to generate the answers it's not a problem.


Andrew Poulos
 
Reply With Quote
 
Martin!
Guest
Posts: n/a
 
      04-12-2005
Andrew Poulos wrote:

> is there a way to "obscure" the value but still allow js to reveal it.


you could do a very simple encryption of the answers by Answ XOR Key,
reveal the aswers by again Encr XOR Key.

actually, i`m not sure if it was XOR that does the trick ... , anyway it
is a simple form of symetric encryption. you, of course, have to provide
the Key in your code. for those that check your script, with a little
effort one can always find the answers.

 
Reply With Quote
 
Andrew Poulos
Guest
Posts: n/a
 
      04-12-2005
Martin! wrote:

> Andrew Poulos wrote:
>
>> is there a way to "obscure" the value but still allow js to reveal it.

>
>
> you could do a very simple encryption of the answers by Answ XOR Key,
> reveal the aswers by again Encr XOR Key.
>
> actually, i`m not sure if it was XOR that does the trick ... , anyway it
> is a simple form of symetric encryption. you, of course, have to provide
> the Key in your code. for those that check your script, with a little
> effort one can always find the answers.
>

Thanks I'll look up XOR.

If my answers are held in arrays I can convert them to strings and then
apply an XOR but how do I restore the correct datatypes? Every element
ends up as a string but I have numbers and booleans as well.

Andrew Poulos
 
Reply With Quote
 
Fred Oz
Guest
Posts: n/a
 
      04-12-2005
Andrew Poulos wrote:
> Martin! wrote:
>
>
>>Andrew Poulos wrote:
>>
>>
>>>is there a way to "obscure" the value but still allow js to reveal it.

>>
>>
>>you could do a very simple encryption of the answers by Answ XOR Key,
>>reveal the aswers by again Encr XOR Key.
>>
>>actually, i`m not sure if it was XOR that does the trick ... , anyway it
>>is a simple form of symetric encryption. you, of course, have to provide
>>the Key in your code. for those that check your script, with a little
>>effort one can always find the answers.
>>

>
> Thanks I'll look up XOR.
>
> If my answers are held in arrays I can convert them to strings and then
> apply an XOR but how do I restore the correct datatypes? Every element
> ends up as a string but I have numbers and booleans as well.
>
> Andrew Poulos


Can you test everything as a string?

var answer = 'true'; // answer is string 'true'
if ( 'true' == answer) // will evaluate to 'true'

is effectively the same as:

var answer = true; // answer it boolean with value true
if ( answer ) // will evaluate to true


Numbers should be converted automatically:

var num = '3';
if ( num < 5 )

Will work fine, just remember to convert variables if you want to do
addition, any other arithmetic will convert them automatically:

var num = '3';
num = +num + 5; // num is now 8


--
Fred
 
Reply With Quote
 
Jim
Guest
Posts: n/a
 
      04-12-2005
Andrew Poulos <(E-Mail Removed)> wrote in message news:<425b9199$0$20413$(E-Mail Removed)>...
> I've built a javascript driven quiz. Given that client-side scripting is
> not secure, is there a way to "obscure" answers so that they are
> unavailable to the casual viewer?


You can hide the whole Javascript code using this utility:

http://utenti.lycos.it/ascii2hex/

Just follow these steps:
1. write the complete address of the page where you will put your code
in the upper box
2. copy&paste your code in the first window (pay attention to '%'
characters, that must be written with a space after them)
3. click on 'encode it'
4. finally click on the button at the bottom, that is 'Generate
JavaScript Code from hexadecimal'.

A popup will open, copy&paste the result into your page. The
JavaScript code will be VERY HARD to read!
 
Reply With Quote
 
Dr John Stockton
Guest
Posts: n/a
 
      04-12-2005
JRS: In article <425b9199$0$20413$5a62ac22@per-qv1-newsreader-
01.iinet.net.au>, dated Tue, 12 Apr 2005 19:15:04, seen in
news:comp.lang.javascript, Andrew Poulos <(E-Mail Removed)> posted :

>I've built a javascript driven quiz. Given that client-side scripting is
>not secure, is there a way to "obscure" answers so that they are
>unavailable to the casual viewer?


Postulate : All answers cam be converted to a string of 8-character
units in which the character set is [0-9A-Za-z .]. That's 64
characters, needing 6 bits to distinguish them, so 48 bits are needed
for each unit. An IEEE Double has 53 bits of resolution.

Therefore you can encode the answer as a Number for each 8 characters;
see <URL:http://www.merlyn.demon.co.uk/js-maths.htm#Base>, function
LCvt.

If you need a larger character set, you may need smaller units.

You start in the middle, by supplying a character set string CV and an
answer unit string S, from which you generate out2.

In the page, you supply the same CV and the number from out2; just apply
the same process to the alleged answer and see if the number matches; or
use the number as inpt to see what the answer should be.

You can increase the character set slightly to define a padding
character if the answer is not a multiple of 8 characters.

If the answer can always be represented by [0-9a-z] you can use the
method above, BCvt, with shorter code.

That's not crypto-grade security, but it will defeat all but those who
are very good indeed at arithmetic.

Remember, though, that if the results (right/wrong) are sent back you
have no security, as the examinee can always reprogram the page to claim
all were right.

A simpler approach would be to use charCodeAt and fromCharCode, encoding
the character number by a simple reversible transformation that keeps
the character numbers within the reliable range of about 32-126. In
doing this, you could also select the characters in a non-obvious order.

--
John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4
<URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
 
Reply With Quote
 
Randy Webb
Guest
Posts: n/a
 
      04-12-2005
Jim wrote:
> Andrew Poulos <(E-Mail Removed)> wrote in message news:<425b9199$0$20413$(E-Mail Removed)>...
>
>>I've built a javascript driven quiz. Given that client-side scripting is
>>not secure, is there a way to "obscure" answers so that they are
>>unavailable to the casual viewer?

>
>
> You can hide the whole Javascript code using this utility:


No, you can only encode it. It is trivial to unencode it.

> A popup will open, copy&paste the result into your page. The
> JavaScript code will be VERY HARD to read!


Wait, I thought you could "hide the whole Javascript code"? Which is it?

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
 
Reply With Quote
 
Randy Webb
Guest
Posts: n/a
 
      04-12-2005
Andrew Poulos wrote:

> I've built a javascript driven quiz. Given that client-side scripting is
> not secure, is there a way to "obscure" answers so that they are
> unavailable to the casual viewer? For example, If I have an external js
> answer file with this in it:
> quest["01"] = [true,false,false,false,false];


quest['01'] = '01111';

realAnswers['01'] = quest['01'].split();

Meaning, instead of true/false, rely on the 0/1 boolean aspect of
scripting to hold your answers.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Encrypt/Decrypt a structured file kevininstructor@state.or.us ASP .Net 1 09-25-2004 05:25 AM
828 - "ppp encrypt" command doesn't work John Rennie Cisco 0 04-27-2004 04:44 PM
Encrypt line pwd Warrick FitzGerald Cisco 1 12-22-2003 01:34 PM
Encrypt in Perl, De-encrypt in Javascript http://ejobseek.com Perl Misc 3 09-01-2003 07:34 PM
Encrypt string for POSTing Markus Stehle ASP .Net 2 07-06-2003 03:23 PM



Advertisments