Looking for techniques for taking a std::string and obfuscating it, using a key such that all calls to:

```cpp
std::string obfuscate(const char *pInputStr, int minOutputLen, const char *pKeyStr);
```

*pInputStr will be a string which is up to 40 characters, and I want to map it to a human readable string of minOutputLen length.

Multiple calls with the same inputs should return the same value. Basically looking for a way where I can display a set of strings, and depending on if I'm in "obfuscate" mode, certain values will be encoded so that the user cannot reverse engineer the value.

Example: Let's say I have a structure:

```cpp
class Person
{
public:
  std::string FirstName;
  std::string LastName;
  std::string SSNumber;
};
```

What I would like to do is something like this:

```cpp
#include <iostream>
#include <string>

int main()
{
    Person p = {"Bob", "Needermyer", "12345678"};

    std::cout << "Display without obfuscation" << std::endl;
    std::cout << "First: " << p.FirstName << std::endl;
    std::cout << "Last: " << p.LastName << std::endl;
    std::cout << "SS: " << p.SSNumber << std::endl;

    std::cout << "Display to user, but obfuscate the data" << std::endl;
    // The same key is passed to every call so repeated calls give the same output.
    const char *pKey = "abcdefg";
    std::cout << "First: " << obfuscate(p.FirstName.c_str(), 10, pKey) << std::endl;
    std::cout << "Last: " << obfuscate(p.LastName.c_str(), 10, pKey) << std::endl;
    std::cout << "SS: " << obfuscate(p.SSNumber.c_str(), 10, pKey) << std::endl;
}
```

Output like this:

```
Display without obfuscation
First: Bob
Last: Needermyer
SS: 12345678

Display to user, but obfuscate data
First: 4Tf7*f3f$r
Last: G9r3sfgvsr
SS: 9cd2832sd2
```

This would allow all logic in the program to continue to work as normal, but would change the display of the data.

For example, I could use something similar to ROT13, but ideally an algorithm that you can't reverse engineer without the seed/key.

bpeikes
  • I would use a hash for this. For instance here is MD5 in C++ - https://stackoverflow.com/questions/1220046/how-to-get-the-md5-hash-of-a-file-in-c or https://en.cppreference.com/w/cpp/utility/hash - hash collisions are possible, so you need to ensure that you have a sufficient solution for that. – nycynik Sep 11 '20 at 19:14
  • @nycynik hashes are surjective functions. I think OP wants a bijective function. – Ted Lyngmo Sep 11 '20 at 19:24
  • @nycynik - bijective would be ideal, but I suppose not necessary. – bpeikes Sep 11 '20 at 20:13
  • @nycynik - The other issue with std::hash is that it is returning a number, I'm looking for a string. – bpeikes Sep 11 '20 at 20:15
  • "obfuscate" and "cannot reverse engineer" are mutually-exclusive definitions. Also, what do you mean by "*I do want to show a value*"? You want to be able to reverse the encryption? – rustyx Sep 11 '20 at 20:33
  • "_bijective would be ideal, but I suppose not necessary_" - Ok, so you plan to have the clear text strings compiled into the program? If so, I misunderstood. – Ted Lyngmo Sep 12 '20 at 06:29
  • @TedLyngmo - The strings are not compiled into the program, they are coming from a data source. The idea is that I'd like to be able to display some strings, but have them obfuscated to the user. i.e. Let's say I want to run a demo with a product on using real data instead of having to create obfuscated copies of the data. – bpeikes Sep 14 '20 at 12:26
  • @bpeikes For that purpose, wouldn't something like [rot13](https://en.wikipedia.org/wiki/ROT13) work? It's simple and fast and unless someone takes pictures of the data with the intention of decrypting it, you should be fine. – Ted Lyngmo Sep 14 '20 at 17:01
  • @TedLyngmo - I want something more secure, i.e. I want to be able to run the application with a seed so that it's not as simple as ROT13. Basically, I want to "encrypt", but have the output have a max size, and be printable string characters. – bpeikes Sep 15 '20 at 15:37
  • What type of attack do you want to protect yourself from? If you keep a table of replacement chars that you shuffle at program start (unless the correct key is supplied) you can make it display different strings every time the program starts but someone filming the demo could probably figure stuff out afterwards. In that case a hash is probably better. Make a sha512 of every string and cut it down to the same number of chars the original string was (if the sha512 is too long). – Ted Lyngmo Sep 15 '20 at 17:56
  • @TedLyngmo - I want to protect against a simple single character replacement, but you are giving me some ideas to think about over night. – bpeikes Sep 15 '20 at 20:57
  • @KennyOstrom - Agreed, that's what the key is for. It could be set via command line by the person running the program, and then viewers wouldn't know what key was used. – bpeikes Sep 17 '20 at 01:57
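
An added example, not part of the question or of any comment above: one way to get the keyed, repeatable, printable mapping the question asks for is to run a keyed pseudorandom function over the input and encode its output in a small readable alphabet. It swaps in SipHash-2-4 for the unkeyed hashes named in the comments. Assumptions: the key is exactly 16 bytes rather than a free-form passphrase, the output is exactly `outLen` characters, the alphabet is a 32-symbol base32 set chosen here, and the signature differs from the one in the question.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

static uint64_t rotl(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }
static uint64_t load64(const char* p, size_t n = 8) {  // little-endian load of n <= 8 bytes
    uint64_t v = 0;
    for (size_t i = 0; i < n; ++i) v |= uint64_t(static_cast<unsigned char>(p[i])) << (8 * i);
    return v;
}

// SipHash-2-4: keyed PRF, 128-bit key, 64-bit output. Any other key size is rejected.
uint64_t siphash24(const std::string& key16, const std::string& msg) {
    if (key16.size() != 16) throw std::invalid_argument("key must be 16 bytes");
    const char *k = key16.data(), *m = msg.data();
    uint64_t k0 = load64(k), k1 = load64(k + 8);
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    auto sipround = [&] {
        v0 += v1; v1 = rotl(v1, 13); v1 ^= v0; v0 = rotl(v0, 32);
        v2 += v3; v3 = rotl(v3, 16); v3 ^= v2;
        v0 += v3; v3 = rotl(v3, 21); v3 ^= v0;
        v2 += v1; v1 = rotl(v1, 17); v1 ^= v2; v2 = rotl(v2, 32);
    };
    size_t n = msg.size(), full = n - n % 8;
    for (size_t i = 0; i <= full; i += 8) {  // final pass: tail bytes plus the length byte
        uint64_t w = i < full ? load64(m + i) : load64(m + i, n - full) | (uint64_t(n) << 56);
        v3 ^= w; sipround(); sipround(); v0 ^= w;
    }
    v2 ^= 0xff; for (int i = 0; i < 4; ++i) sipround();
    return v0 ^ v1 ^ v2 ^ v3;
}

// Keyed, deterministic, one-way mapping of `input` to exactly `outLen` readable characters.
std::string obfuscate(const std::string& input, size_t outLen, const std::string& key16) {
    static const char alphabet[] = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";  // 32 symbols = 5 bits
    std::string out;
    for (uint32_t block = 0; out.size() < outLen; ++block) {
        // Fixed-width counter prefix: each PRF call yields 12 more output characters.
        std::string msg{char(block), char(block >> 8), char(block >> 16), char(block >> 24)};
        uint64_t h = siphash24(key16, msg + input);
        for (int i = 0; i < 12 && out.size() < outLen; ++i, h >>= 5) out += alphabet[h & 31];
    }
    return out;
}

int main() {
    for (const char* s : {"Bob", "Needermyer", "12345678"})  // constructed demo key below
        std::cout << obfuscate(s, 10, "0123456789abcdef") << "\n";
}
```

The mapping is one-way and not bijective, so it suits display only. Equal inputs always produce equal output under the same key, and the protection is only as good as the secrecy and randomness of that key.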
