Patterson Consulting, Inc
XOR Cipher Encryption in ActionScript 3

by Danny Patterson on March 6th, 2008

I typically use an external XML file in all my applications to store configuration variables outside my compiled SWF file. This allows me to make changes to those variables without needing to recompile the SWF application. This is really helpful if you’re deploying an application to multiple environments (development, staging, production). You can deploy the same application and just have a different XML file in each environment with different values.

The values in the XML file are easily read by anyone using a proxy like Charles or Service Capture. Therefore, I decided to put simple encryption on the values I didn’t want people to be able to read easily. An XOR cipher is a simple form of two-way encryption using a known key. This key would be compiled into your SWF application, so the only way someone could decrypt your variables would be if they decompiled your SWF or guessed the key. Obviously this solution is not hack-proof, but it provides a roadblock for anyone trying to get at these values.

The following is an ActionScript 3 class that performs this XOR encryption. It encodes and decodes the XOR-encrypted value using the Base64Encoder and Base64Decoder in Flex, so if you want to use this without Flex you’ll need to remove that dependency. The xor() method performs the XOR encryption against the key. If you run a string through this method it will return an encrypted string, and if you run that encrypted string through this method it will return your original string.

package com.dannypatterson.utils {

    import mx.utils.Base64Encoder;
    import mx.utils.Base64Decoder;

    public class XORcipher {

        // Shared key; it is compiled into the SWF
        public static var KEY:String = "eVBHOulunx8A6spikeRQ9UEgyaXINTyzpn3SJ7FSzmwSlewTWI3";

        // XORs each character of source with the key character at the same index.
        // Running the output through xor() again returns the original string.
        private static function xor(source:String):String {
            var key:String = KEY;
            var result:String = new String();
            for(var i:Number = 0; i < source.length; i++) {
                // Extend the key by repeating it when source is longer than the key
                if(i > (key.length - 1)) {
                    key += key;
                }
                result += String.fromCharCode(source.charCodeAt(i) ^ key.charCodeAt(i));
            }
            return result;
        }

        // XOR the plain text, then Base64-encode the result
        public static function encode(source:String):String {
            var encoder:Base64Encoder = new Base64Encoder();
            encoder.encode(XORcipher.xor(source));
            return encoder.flush();
        }

        // Base64-decode the value, then XOR it back to the plain text
        public static function decode(source:String):String {
            var decoder:Base64Decoder = new Base64Decoder();
            decoder.decode(source);
            return XORcipher.xor(decoder.flush().toString());
        }

    }

}
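
The scheme above, ported to JavaScript (Node.js) as an added example; it is not the author's code, the function names are illustrative, and values are assumed to be ASCII. It reproduces the Hello World! value quoted in the comments, counts the bytes in the raw XOR output that XML 1.0 forbids (the reason for the Base64 step), and shows that one value with known plaintext discloses the matching key bytes.

```javascript
// Added example, not from the original post. KEY and "Hello World!" come from the page.
const KEY = "eVBHOulunx8A6spikeRQ9UEgyaXINTyzpn3SJ7FSzmwSlewTWI3";

// XOR every byte with the key byte at the same position, repeating the key.
function xorBytes(data, key) {
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] ^ key[i % key.length];
  }
  return out;
}

function encode(plain, key = KEY) {
  return xorBytes(Buffer.from(plain, "latin1"), Buffer.from(key, "latin1")).toString("base64");
}

function decode(b64, key = KEY) {
  return xorBytes(Buffer.from(b64, "base64"), Buffer.from(key, "latin1")).toString("latin1");
}

// Count bytes in the raw XOR output that XML 1.0 forbids (control characters
// other than tab, LF and CR). Base64 keeps these out of the XML file.
function xmlIllegalByteCount(plain, key = KEY) {
  const raw = xorBytes(Buffer.from(plain, "latin1"), Buffer.from(key, "latin1"));
  let count = 0;
  for (const b of raw) {
    if (b < 0x20 && b !== 0x09 && b !== 0x0a && b !== 0x0d) count++;
  }
  return count;
}

// XOR is its own inverse: ciphertext XOR plaintext yields the key bytes used.
// One value whose plaintext is known therefore discloses that much of the key.
function keyBytesDisclosed(b64, knownPlain) {
  const cipher = Buffer.from(b64, "base64");
  const plain = Buffer.from(knownPlain, "latin1");
  return xorBytes(cipher.subarray(0, plain.length), plain).toString("latin1");
}

const sample = encode("Hello World!");
console.log(sample, decode(sample));
console.log("XML-illegal bytes in raw output:", xmlIllegalByteCount("Hello World!"));
console.log("key bytes disclosed:", keyBytesDisclosed(sample, "Hello World!"));
```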


21 Responses to 'XOR Cipher Encryption in ActionScript 3'

  1. Saravanan R

    March 6th, 2008 at 11:11 pm

    Hi Patterson,
    First I will introduce myself. I’m working as a senior Flash programmer in India.
    The company I’m working for is an e-publishing company.
    In our project we keep the content as an external XML file. I think XOR will help us. I would like to implement this in our project. From the post I’m not clear on how to implement this, so I request you to give me more detail about this using AS3, with an example.

    Thanks
    Saravanan


  2. Danny

    March 7th, 2008 at 1:05 am

    I’m not sure what isn’t clear. If I were implementing a solution like you describe, I would start by encoding your XML file. Take the following XML sample:

    <content>Hello World!</content>

    If you ran this through the XORcipher it would look like this:

    <content>LTMuJCBVOxocFFxg</content>


  3. raid.mul-timedi-a.net

    March 7th, 2008 at 6:02 am

    XOR Cipher Encryption in ActionScript 3…

    This kind of work is very rarely encountered in Japan. In the works of Albrecht Dürer and Albrecht Altdorfer these early techniques reach an impressive peak. …


  4. Saravanan R

    March 7th, 2008 at 6:41 am

    Hi Patterson,
    I will explain my doubts. For example, consider an XML file named “a.xml” which contains Hello World!. I have a script to do XML processing named “xmlProcess.as”. My doubt is how I can map both (a.xml and xmlProcess.as) by XOR in order to encode and decode.


  5. Danny

    March 7th, 2008 at 1:36 pm

    I’m not sure what you’re not getting. Here is the code to load the XML file and decode the XOR encrypted value. This example is loading the Hello World XML I listed above.

    import flash.events.Event;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import com.dannypatterson.utils.XORcipher;

    var loader:URLLoader = new URLLoader();
    loader.addEventListener(Event.COMPLETE, onLoad);
    loader.load(new URLRequest("data.xml"));

    // Decode the XOR-encrypted text of the <content> element once the file has loaded
    private function onLoad(event:Event):void {
        var content:XML = XML(URLLoader(event.target).data);
        trace(XORcipher.decode(content.toString()));
    }


  6. darren

    June 10th, 2008 at 10:56 pm

    Do you have an ActionScript 2 one? I’m in Flex 2.0 and I’m not sure I can get to this XORCrypt as it shows undefined even with the imports. Adobe is saying that the utils one should not be used as it upsets the Mac: http://bugs.adobe.com/jira/browse/SDK-15232


  7. Jarav

    July 6th, 2008 at 2:57 pm

    Unfortunately, as3 decompilation is now more or less easily available. Here is one: http://www.docsultant.com/nemo440/


  8. hyaloide

    December 30th, 2008 at 10:50 am

    Thanks very much for that, it works great for me.


  9. Antisly

    January 13th, 2009 at 8:45 pm

    For performance reasons I would recommend creating the full-length key before the for() loop… :)


  10. Just Saying...

    February 26th, 2009 at 5:46 am

    Why would you extend the key in this manner? It probably isn’t an issue for most XML, but performance could suffer if this method was used for very large strings or is called repeatedly for a very large XML file. Here is a better implementation; however, several other performance optimizations are possible, which are left as an exercise for the reader.

    //new and improved, but still not optimal…
    private static function xor(source:String):String {
        var result:String = new String();
        for(var i:Number = 0; i < source.length; i++) {
            result += String.fromCharCode(source.charCodeAt(i) ^ KEY.charCodeAt(i % KEY.length));
        }
        return result;
    }


  11. jon

    March 25th, 2009 at 7:39 am

    Is there a way to make it work in Flash, as Flash does not have the “mx” package?

    Thanks,
    Jon


  12. Danny Patterson

    April 2nd, 2009 at 12:50 pm

    You’d have to find an open-source base64 class. I think there are many available.


  13. Gopal Chavan

    April 9th, 2009 at 1:42 am

    Hi.
    Could you please explain what “XORcrypt” is?
    You used it as XORcrypt.xor(….


  14. Mark

    April 28th, 2009 at 3:27 pm

    Any comment on using this technique in XML? For example, will this cast to illegal XML characters using this key?

    See: http://www.eggheadcafe.com/tutorials/aspnet/8b53894c-a889-4914-8c46-122980cc44ae/simple-xor-encryption.aspx

    If so, how would you modify it?

    Thanks.


  15. Danny Patterson

    April 29th, 2009 at 11:55 am

    I don’t XOR the entire XML document, just some of the values within it.


  16. Atin

    June 26th, 2009 at 1:38 pm

    Hi, I tried using the same thing to encrypt one of my XML files of about 4 MB size but it failed to do it. Any help in this respect? In all, I just need something to encrypt in ASP.NET and decrypt in ActionScript 3.


  17. Slash

    July 16th, 2009 at 10:03 am

    If I used XORcrypt within Flex to encrypt, say, a URL variable, would it be possible to decrypt the variable in ASP? If using both the same encryption string key I would imagine it could be done, but I haven’t got a clue how one would do it.


  18. Jillian

    July 28th, 2009 at 2:21 pm

    “So the only way someone could decrypt your variables would be if they decompiled your SWF or guessed the key.”

    It’s actually extremely trivial to decompile SWF files. There’s a free tool from HP to do so. (Google: SWFScan) So, especially if you put your key in the source code (NEVER a good idea really), this would be pretty easy for a bad person to break. Even if the key is secret, XOR is an extremely weak form of encryption and wouldn’t take a lot of effort.


  19. Jillian

    July 28th, 2009 at 2:31 pm

    This might be better for any critical information, and it’s free: http://sourceforge.net/projects/actioncrypt/


  20. Cardin

    August 28th, 2009 at 9:07 pm

    I think this is a very good crypto program for Flash. With at least 3 options of cryptography out there for Flash: ActionCrypt, XORcipher, and AS3Crypto, it sets people guessing which cipher was really used for encryption.

    Though finding out will be really trivial. Actionscript is too easily decompiled, and once you know the method, and the Key, it’s just a matter of compiling your own program to decrypt it.

    Even if you use BlowFish, or SHA-256, it’s useless. All cryptography is equal in ActionScript decompilers.

    I still have to give my thanks for the XORcipher though. I got it working in under a minute, compared to my 3 weeks for the AS3Crypto. It appears its BlowFish implementation has issues, and so does Flash’s ByteArray implementation.


  21. Roma

    December 5th, 2009 at 8:43 pm

    Thanks for this post.
    I have a question though. I’m developing flash apps, using FlashDevelop+Flex SDK.
    And this IDE can’t see the mx.utils.Base64Encoder class.
    What swc do I need to add in order to make it all work?
    Thanks.

    (How can I subscribe to comments here?:)

