#!/usr/bin/perl -w
############
# Cryptomatic
# by Richard Still (oakbox.com)
############
# (C) 2001 oakbox.com This program is freeware and may
# be used at no cost to you (just leave this notice intact).
# Feel free to modify, hack, and play with this script.
# No guarantees about the utility of this script for any particular
# purpose!
############
# This should be placed on a web site with SSL enabled.
# see bottom for more comments :)
use CGI::Carp qw(fatalsToBrowser);
use MD5;
use strict;
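my ($message, $temp, $key, $content, $item, @pairs);
my %fields;

# Read the POSTed form body and decode it into %fields.
# CONTENT_LENGTH is supplied by the client, so it is only used when it is a
# plain non-negative integer; anything else is treated as "no body".
# NOTE(review): no upper bound is enforced on the body size here; a real
# deployment should cap it (in the web server or in this script).
my $body_length = $ENV{'CONTENT_LENGTH'};
$body_length = 0 unless defined $body_length && $body_length =~ /\A\d+\z/;
read(STDIN, $temp, $body_length) if $body_length > 0;
$temp = '' unless defined $temp;

@pairs = split(/&/, $temp);
foreach $item (@pairs) {
    ($key, $content) = split(/=/, $item, 2);
    next unless defined $key;                    # skip empty "&&" segments
    $content = '' unless defined $content;       # "name" with no "=value"
    $content =~ tr/+/ /;
    # This comment filter runs BEFORE percent-decoding, so it only sees
    # literal "<!--" sequences; percent-encoded markup passes through.
    # It is therefore not an output-safety control: every value that is
    # echoed into the page must be HTML-escaped where it is emitted.
    $content =~ s/<!--(.|\n)*-->//g;
    # Decode only well-formed %XX escapes; malformed ones are left as-is
    # instead of being turned into NUL bytes.
    $content =~ s/%([0-9A-Fa-f]{2})/pack("C",hex($1))/ge;
    $fields{$key} = $content;
}

# Dispatch on the hidden "action" field. A missing or unrecognised action
# shows the entry form rather than ending the request with no output.
my $action = defined $fields{'action'} ? $fields{'action'} : '';
if ($action eq "encoder") {
    hexhex();
}
elsif ($action eq "decoder") {
    ghex();
}
firstscreen();
shellout();
exit;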
sub hexhex {
    # Encode branch: turn the submitted text into a hex string plus an MD5
    # checksum, and append both (with instructions) to the page in $message.
    #
    # NOTE(review): the "pad" is the 32-character MD5 hex digest of the seed,
    # repeated by pad_it() to cover the message. That is a repeating-key XOR,
    # not a one-time pad. The checksum is an unkeyed MD5 of the ciphertext,
    # so it detects accidental corruption only: anyone who changes the
    # ciphertext can recompute it. Do not rely on this for real secrets.
    # NOTE(review): a missing or empty 'seeder' field is not rejected here;
    # the message is then XORed with the digest of the empty string.
    my $seed_digest = MD5->hexhash($fields{'seeder'});

    # XOR the text against the digest, then hex-encode the result so it
    # survives copy/paste and a 6-bit-clean channel. "h*" is low-nybble-first
    # hex; ghex() reverses it with the matching pack("h*", ...).
    my $hexed = unpack("h*", pad_it($fields{'textinput'}, $seed_digest));

    # The checksum is taken over the hex string before any display markup
    # is inserted into it.
    my $hex_checksum = MD5->hexhash($hexed);

    # Break the hex into 50-character runs so it wraps in the browser.
    $hexed =~ s/(\S{50})/$1<br> /mg;

    $message .= "<table width=\"200\"><tr><td>Cipher:<p>$hexed
<p><P>checksum:<p>$hex_checksum<p></td></tr><tr><td>Email both
of the above codes to your intended recipient. They can
DECODE this by coming back to this form and entering these
codes in the 'decode' area below. Your recipient has to
know your secret 'seed' to unlock this message. DO NOT
communicate this seed in your email or in any clear-channel
way.</table>";
}
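sub ghex {
    # Decode branch: verify the checksum of the submitted hex text, undo the
    # hex encoding, XOR it against the MD5 hex digest of the seed, and append
    # the decoded text to the page in $message.
    #
    # Missing form fields are treated as empty strings so that a partial
    # submission does not trip "uninitialized value" warnings under -w.
    foreach my $name ('textinput', 'seed', 'checksum') {
        $fields{$name} = '' unless defined $fields{$name};
    }

    # remove spaces from input (there shouldn't be any spaces in the hexed code)
    $fields{'textinput'} =~ s/\s//g;

    my $pad_text = MD5->hexhash($fields{'seed'});
    my $check    = MD5->hexhash($fields{'textinput'});

    # look at the checksum
    # NOTE(review): this is an unkeyed MD5 of the ciphertext, so a match only
    # shows the text and checksum are consistent with each other; whoever
    # alters the ciphertext can recompute it. Decoding continues on mismatch,
    # as the original author intended.
    if ($check ne $fields{'checksum'}) {
        $message .= "<font size=+2>Invalid
checksum!</font> I cannot guarantee that this message was not
altered en-route. Even if the text decodes clearly, there may
have been some tampering. . . . sorry <p>\n";
    }

    # remove the hex encoding
    my $ciphered = pack("h*", $fields{'textinput'});

    # now we pad our key against our text
    my $content = pad_it($ciphered, $pad_text);

    # The decoded bytes are derived entirely from submitted form fields, so
    # they are untrusted and must be HTML-escaped before being placed in the
    # page; <pre> alone does not stop markup from being interpreted.
    my $safe_text = $content;
    $safe_text =~ s/&/&amp;/g;
    $safe_text =~ s/</&lt;/g;
    $safe_text =~ s/>/&gt;/g;
    $safe_text =~ s/"/&quot;/g;

    $message .= " Your decoded text:<P><table border=3><tr><td><pre>$safe_text
</pre></td></tr></table> ";
}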
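sub firstscreen {
    # Append the explanatory text and the two forms (encrypt / decrypt) to
    # the page in $message. Both forms POST back to commlink.cgi and select
    # the branch through the hidden "action" field.
    #
    # NOTE(review): the user-facing description below is kept as the author
    # wrote it, but it overstates the scheme. MD5 is a hash, not encryption,
    # and the digest is repeated across the message by pad_it(), so this is
    # not a one-time pad. The checksum is unkeyed and does not prove the
    # message is unaltered.
    $message.=qq( <hr>
<font size=+1>Oakbox Super-Duper One-Shot Encryptomatic!</font><p>
Send your message securely over the internet! This particular
implementation is meant FOR DEMONSTATION PORPOISES ONLY. To be
genuinely secure, this form must be placed behind an SSL browser
connection (https://). Your recipient must know the secret
'seed' you use to encrypt your message. Without it, your message
remains a meaningless jumble.<p>
During Encryption, I take your 'seed', which should be a random
jumble of letters and numbers (think 'password'), and encrypt
that using <a href="http://www.faqs.org/rfcs/rfc1321.html">MD5
encryption</a>. That produces a string of letters and number
that I use as a <a href="http://pubweb.nfr.net/~mjr/pubs/otpfaq/">
one time pad</a> against the text of your message. As a last step,
I put everything into hexcode so that you can copy and paste it into
an email message. A checksum is produced from this hexcode so that
your recipient knows that they received an unaltered message.<p>
To decode a message, you need three pieces of info. The encoded
text, the checksum (to verify the encoded text is unaltered) and
the 'seed' code.
<hr>
Encrypt! <form method="post" action="commlink.cgi">
Text: <textarea name="textinput" cols="45" rows="10"></textarea>
Seed: <input type="text" name="seeder">
<input type="hidden" name="action" value="encoder">
<input type="submit"></form>
<hr>
<hr>DECRYPT
<form method="post" action="commlink.cgi">
Text: <textarea name="textinput" cols="45" rows="10"></textarea>
Checksum: <input type="text" name="checksum">
Seed: <input type="text" name="seed">
<input type="hidden" name="action" value="decoder">
<input type="submit"></form> <p> Written by Richard Still at Oakbox.com
© 2001. There are NO guarantees about the utility of this script
for any particular purpose!<br> Thanks to Kurt Kincaid, author of
Crypt-OTP module (available on CPAN), for his OTP code!);
}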
sub shellout {
    # Emit the CGI response: the Content-type header, a blank line, then a
    # minimal HTML page whose body is whatever has accumulated in $message.
    # $message is interpolated as-is, so anything appended to it must already
    # be safe to place in HTML.
    my $http_header = "Content-type: text/html\n\n";
    my $html_page = <<_TTT_;
<html>
<head>
<title>Cryptomatic by Oakbox</title>
</head>
<body>
$message
</body>
</html>
_TTT_
    print $http_header, $html_page;
}
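sub pad_it {
    # Credit to Kurt Kincaid, author of Crypt-OTP module,
    # available on CPAN, for this chunk of code!
    #
    # XOR each character of $raw_text with the character at the same position
    # in $pad_text and return the resulting string. Applying it twice with
    # the same pad returns the original text, so it serves for both encoding
    # and decoding.
    #
    # The pad is doubled until it is at least as long as the text. A pad
    # shorter than the text is therefore reused, which makes this a
    # repeating-key XOR rather than a one-time pad; it is suitable for
    # demonstration only, not for protecting real secrets.
    #
    # Returns '' for empty or undefined text. Dies if the pad is empty while
    # the text is not, because the doubling loop could never terminate.
    my ($raw_text, $pad_text) = @_;
    $raw_text = '' unless defined $raw_text;
    $pad_text = '' unless defined $pad_text;

    return '' if length($raw_text) == 0;
    die "pad_it: pad must not be empty" if length($pad_text) == 0;

    while ( length($pad_text) < length($raw_text) ) {
        $pad_text .= $pad_text;
    }

    my @text_chars = split( //, $raw_text );
    my @pad_chars  = split( //, $pad_text );

    my $cipher = '';
    for my $i ( 0 .. $#text_chars ) {
        $cipher .= pack( 'C',
            unpack( 'C', $text_chars[$i] ) ^ unpack( 'C', $pad_chars[$i] ) );
    }
    return $cipher;
}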
# Modifications that I'm too lazy to make:
#
# - To make this more secure, you should block the number of 'decrypt'
# attempts any single IP can make in an hour.
# - You can have encryptions 'expire' by tacking the Julian date
# onto the end of the entered seed.
# - If you want to do this yourself, and use it for personal purposes
# only, I would install and use Kurt Kincaid's full Crypt-OTP module
# which allows you to use uploaded files as pads.
# - What happens if you don't have MD5? Modifications to accommodate
# DES, Blowfish, or Triple-DES should be relatively easy :)