XOR is NOT Cryptography

Posted on Updated on

During my many years of developing software, working with opensource projects and using GNU/Linux systems you tend to do something odd. Yes, at times you tend to do something that causes your eyes to skim through letters and words dedicated to educating you about a subject. Well I’ll be damned, they call this “reading documentation” 🙂

So yes, I assume many other developers spend as much time as I do, or anyone else, doing expected things like reading Linux MAN pages, manuals and all sorts of technical docs to gain a better understanding of a topic at hand.

Then what happens, you find the most retarded practice ever being used by some of the largest and most trusted software companies in the world. During my work I have encountered a financial software that was purchased (company names shall not be mentioned) that was written in Java. Being curious about how these things work I browsed the files and found a file named PasswordCryptography.class … Yeah, that’s what I’m talking about. Lets take a look.

So we whip up JAD and decompile that class file. I was expecting to see amazing algorithms being used or maybe some sort of custom crypto methods … you know, things like that. What did I see…

  • AES256 ? …… no
  • Blowfish ? ….. no
  • TripleDES ? ….. no
  • Not even regular DES ?? …. nope

What did I see? I saw XOR OBFUSCATION of passwords using a key that was embedded right into the java class file. At this point I was ready to jump out any window given it was open and large enough.

This is their idea of “cryptography”

for(int i = 0; i < aa.length; i++)
    int k = aa[i] ^ key[j];
    int l = (k & 0xf) << 4;
    int i1 = (k & 0xf0) >> 4;
    aa1[i] = l | i1;
    if(j < key.length - 1)
         j = 0;

WTF? And here’s the part that really kills me. Why call it “PasswordCryptography” ?? I would have been perfectly fine if the file was called “InsecurePasswordXorObfuscation” … ok ok too harsh, how about “PasswordObfuscation” Of course, you know the programmer must have spent a lot of time coding, testing, coding and re-testing this that it was sooooo hard it had to have been cryptography! And thus decides to name the class “PasswordCryptography” and then this somehow passes all engineering stages, peer review, unit tests …etc and ends up being a part of one of the largest financial software solutions in the world and your password is protected by cryptography XOR obfuscation. Anyone after reading Encryption Matters will know how to reverse the obfuscation.

Even when I was a beginner it took no less than 1 hour to google “password encryption” and figure out that I could just download a jar file, import it and make a 1 line function call to encrypt a password using REAL encryption.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s