November 9, 2011

The Telephone Game

Posted in Uncategorized at 2:34 pm by dgcombs

Ever played the game of Telephone?

In this game, the first player thinks up a phrase or sentence and whispers it to his neighbor. The neighbor then whispers to the next in line. This continues around to the end where the last person announces the result. Jocularity ensues when the final whispered message bears no resemblance whatsoever to the first. This is exactly the opposite of encryption. Encryption is all about keeping a message secret. Decryption passes on the message exactly as it began no matter how many people have handled it.

The value of having a secret is being able to tell someone. The value of encrypting a message lies in permitting someone to decrypt that message later. But what happens if you can't decrypt the message? It's just like the game of Telephone but not nearly as much fun.

I was working on a Java project to accept a SAML Assertion in an HTTP POST of a hidden form variable encrypted using triple-DES (DESede). The purpose was to permit a cross-company federated login authenticated remotely as asserted by the the identity provider. Testing this process is difficult without coordinating multiple schedules. So I figured a simple solution might be to exercise some JavaScript muscles and build a Chrome Extension.

But DES is a complex encryption algorithm. As I reported earlier, there are precious few DES implementations in JavaScript. I only really came up with two. One only handles DES and the other produces undecryptable code. Well, to be honest, it will decrypt things it has encrypted itself. But this doesn't really help. It's like having a secret you can't share. Anything encrypted by Java was not decryptable by the JavaScript module.

I couldn't tell which one is wrong or even what the difference was. Only that it didn't work. I have even tried encrypting/decrypting by hand using Tropical Software's description to see if I could, you know… decypher the problem. No go.


Below is a comparison of encrypting a plain text message in Java, PHP (using mcrypt), PERL and JavaScript.

Plain Text: "Hi World"
JAVA implementation: P02VZ6bJJHgIu122s3wG1w==
PHP implementation (using mcrypt): P02VZ6bJJHg=
PERL implementation (using Crypt::DES): P02VZ6bJJHg=
JavaScript implementation: SGkgV29ybGQ=

All decrypt what they encrypt, but they all need to be able to do that with each other. Note the wide divergence between Java and JavaScript. Personally, I blame the interaction of the JavaScript implementation double-precision floating-point and the integer conversion required to execute the required bitwise shifts.

The only solution to move the testing forward was to exercise the Kobayashi Maru option and refactor the problem. I wrote a very bad bit of command-line Java to generate an HTML page with a Triple-DES encrypted SAML assertion built-in.

But I'll tell you a secret: Guvf jbhyq or rnfvre vs bayl gur gjb V arrq jbhyq nterr!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: