Private Data Communication Protocol Encryption

pishposh30 has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to write a script to encrypt a string that can be decrypted using the method descried here. While the script does get a value that at first glance looks correct it does not decrypt correctly. The output can be tested here.

#!/usr/bin/perl -w
use strict;
use Digest::HMAC_SHA1 qw(hmac_sha1);
use MIME::Base64::URLSafe;
use MIME::Base64;

my $initvectorsize = 16;
my $ciphertextsize = 8;
my $signaturesize = 4;
my $encryptedvaluesize = $initvectorsize + $ciphertextsize + $signatur
+esize;

my $encryptionkey = 'c488fdd0d81f';
my $integritykey = 'fe3fd7cc8731';
my $plaintext = '';
my $digest = '';
my $initvector = '';
my $ciphertext = '';
my $signature = '';
my $output = '';

print "Enter price to encrypt:";
chomp (my $input = <>);
$plaintext = $input;

for (my$c=0;$c<$initvectorsize;$c++) {
    $initvector = $initvector.int(rand(10));
}

$digest = hmac_sha1($initvector, $encryptionkey);
$ciphertext = $digest ^ $plaintext;

$signature = hmac_sha1($plaintext.$initvector, $integritykey);

$output = $initvector.substr($ciphertext, 0, $ciphertextsize).substr($
+signature, 0, $signaturesize);

print "ERROR: Bad encrypted length!\n" if (length($output) != $encrypt
+edvaluesize);

$output = urlsafe_b64encode($output);

print "ERROR: Bad base64 encoded length!\n" if (length($output) != 38)
+;
print "Encrypted Price:'$output'\n";
[download]

Any thoughts or advice?

Comment on Private Data Communication Protocol Encryption Download Code

Replies are listed 'Best First'.

Re: Private Data Communication Protocol Encryption
by fizbin (Chaplain) on Jun 20, 2011 at 09:20 UTC

Okay, I've figured out what was going on there. Sheesh, that was confusing.

First off, the easy (one line!) fix:

$plaintext = substr($input . ("\x00" x $ciphertextsize), 0, $ciphertex
+tsize);
[download]

The private data communication protocol is designed to send one 64-bit number, not a variable-length string.

That being said, the code above and the web page it links to both have a subtle error in the protocol. Well, "error" is maybe too strong a word - a subtle quirk, maybe? Both the prefilled values on the webpage and the constants in the code look like byte strings encoded in hex.

That is, it's natural to think that $encryptionkey = 'c488fdd0d81f'; defines a six byte encryption key.

It doesn't. It defines a twelve byte encryption key, where all the bytes used happen to be in the range 48-57 or 96-101.

If you're trying to develop perl code to create test AdX RTB responses (that is the point of this, right?), you'll need to do a few things differently:

You'll need to interpret both keys as hex strings; this is pretty easy - $encryptionkey = pack("H*", 'c488fdd0d81f'); does what you want.

You'll need to send the winning price not as a string "1.50" but as a number of micros (millionths of a dollar) packed into a 64-bit number. Try this:

print "Enter price to encrypt:";
chomp (my $input = <>);
my $micros = int($input * 1_000_000);
$plaintext = pack("N", $micros >> 32) . pack("N", $micros);
[download]

Depending on your decoding library, this might not be necessary, but you should still consider it anyway: the first eight bytes of your initialization vector should hold the time. Also, the random values should be drawn from the whole byte range, not just 48-57. (which is what bytes '0' through '9' give) Try this:
```
use Time::HiRes;
$initvector = join("", map {pack("N", $_)} Time::HiRes::gettimeofday()
+,
                       rand(2**32), rand(2**32));
[download]
```

Hope this helps. I do wish they'd add perl and python implementations to the sample site; it could have saved you some unneeded frustration.

@/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/;
map{y/X_/\n /;print}map{pop@$_}@/for@/
[download]

[reply]
[d/l]
[select]


Perl Monk, Perl Meditation
	PerlMonks