My FeedDiscussionsHeadless CMS
New
Sign in
Log inSign up
Learn more about Hashnode Headless CMSHashnode Headless CMS
Collaborate seamlessly with Hashnode Headless CMS for Enterprise.
Upgrade ✨Learn more

One time pad obfuscation

Agnius Vasiliauskas's photo
Agnius Vasiliauskas
·Apr 25, 2019

Is it possible to scramble output data to the client so that with each HTTP request it would be different and looking pretty much random ? The answer is YES. One method would be to use a one time pad with injected key.

Algo would be :

  1. Generate random key of same length as plaintext
  2. XOR key with plaintext
  3. Inject key into encrypted text and convert result to base64
  4. Emit JavaScript code which decodes encoded text

PHP data obfuscation code

<?php
function obfuscate($text) {
    $obfuscated = '';
    $random_key = '';

    // generating random key from printable characters
    for ($i = 0; $i < strlen($text); $i++) {
        $random_key .= chr(random_int(32, 127));
    }

    // XOR'ing source text and key with one-time-pad
    for ($i=0; $i < strlen($text); $i++) { 
        $obfuscated .= $text[$i] ^ $random_key[$i];
    } 

    // injecting key into output and converting to base64
    $obfuscated = $random_key . $obfuscated;
    $obfuscated = base64_encode($obfuscated);

    // outputing resulted string
    return $obfuscated;
}
?>

Output HTML and Javascript code for decoding

<html>
<body>
<p id='out'></p>
<script>
    var encoded = atob('<?=obfuscate("one-time-pad obfuscation rulez !")?>');
    var pass = encoded.substr(0, encoded.length/2);
    var code = encoded.substr(encoded.length/2, encoded.length/2);
    var decoded = '';
    for (sym = 0; sym < code.length; sym++) {
        var chr = pass.charCodeAt(sym) ^ code.charCodeAt(sym);
        decoded += String.fromCharCode(chr);
    }
    var el = document.getElementById('out');
    el.innerHTML = decoded;
</script>
</body>
</html>

Results

Running code above, you will see in text phrase : "one-time-pad obfuscation rulez !" BUT ... if you will look into source of document - you'll see that phrase above is encoded with each http request differently and randomly, like :

OGQrbj1kR1klbys9RD1mWilYcSJOdCx8RV1uYX8zJGRXCk5DSQ0qPAgfSllkUgQ8XCsSQzodQxJlLxsNGkkERQ==

XXx7fGJZfi9QQ25tNmAvfl8tJipiQEo3PS1xVzd9X2cyEh5RFjATSn0zDwkWD00YKl5FSxYpJVkdXwQ7Ugd/Rg==

e25OMEZuSTExYCt0dXlccSorJVt1fjxfOm9YTXxVeDQUACsdMgckVBwQShBVFj4XX1hGOgEXUzEaHS0hGS9YFQ==

...

So unsuspecting or casual "hacker" without a knowledge of encryption scheme and/or Javascript coding skills will not have any clue what is this and how to decode that stuff.

Now you have yet another tool for obfuscating sensitive data :-)