
Obfuscapery Notes

ob·fus·cap·er·y [ob-fuh-skeyp-uh-ree] noun, plural -er·ies

  1. Any one of many programmatic methods intended to render elements difficult to decipher or use automatically. Captcha is just another obfuscapery designed to make my life difficult.
  2. A neologism formed from the combination of "obfuscation," "escape" and "query."

Ok, we made that up, but ...

It is important to note that this program is obfuscation and should not be considered security. The objective is to make reassembling the emails so difficult that it would be too computationally expensive to be worth the effort.

Obfuscapery uses multiple layers to achieve this goal:

  1. Emails are encoded using a random string. A private key is used to generate the decode key that is passed back from the AJAX call. This ensures the decode key is always correct to decode the emails, regardless of their length. The length of the random string and the private key are always the same.
  2. Emails are padded with a random string of characters before and after the email address. These are stripped away when the email is rendered by jQuery.
  3. The JavaScript method requires an onMousemove event to fire.
  4. The token that is used to obtain the decode key contains the private key as well as the HTTP host name of the PHP script. This is encoded with the random one-time pad. When the token is passed to the PHP script, the host name must match the http_referer header of the calling application.
  5. The decode key is encoded using the host name. The calling application must use the correct host name to obtain the decode key from the returned string.
  6. The id attribute of each of the <div> containers can be customized for the website. This is passed back as part of the decode key.

If someone wanted to write a de-obfuscapery script, it could be done, provided the script were able to:

  1. execute the JavaScript and mimic the mousemove event;
  2. do this while spoofing the http_referer of the page;
-OR-
  1. determine the id of the token <div>;
  2. make a POST request to the PHP script, spoofing the http_referer header with the website host name;
  3. decrypt the decode_key using the host name;
  4. know how to use the information to determine the ids of the email <div>s;
  5. decrypt the encoded emails and strip the random leading and trailing padding.

We post the above as a challenge to the reader.

The program leverages the fact that A ^ B = C and C ^ B = A. (^ is the symbol for the XOR bitwise operator.) Conversely, A ^ C = B, providing a method to produce the key from the encrypted string.

If you look at it at the bit level, the math is computationally inexpensive:


		0 ^ 0 = 0
		1 ^ 1 = 0
		1 ^ 0 = 1
		0 ^ 1 = 1
    

You will notice that the bits that are different return true and bits that are the same return false, hence the name exclusive or. This means that we can mask a byte using the XOR operator with another byte to get a third encrypted byte:


		Unencrypted: 0 1 1 0 1 1 0 0
		Mask Byte:   0 0 0 0 1 1 1 1
		Encrypted:   0 1 1 0 0 0 1 1
    

Then, using the same mask against the encrypted byte, we get the original unencrypted byte:


		Encrypted:   0 1 1 0 0 0 1 1
		Mask Byte:   0 0 0 0 1 1 1 1
		Unencrypted: 0 1 1 0 1 1 0 0
    

Since the encrypted byte will usually be a non-ASCII character, we simply convert it to hexadecimal for use in the HTML. Obfuscapery handles this conversion automatically.
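
The masking and hex steps above, together with layers 1 and 2 and the A ^ C = B identity, as an added example that is not Obfuscapery's own code. The repeating key, the fixed padding length, the function names and the sample values are assumptions constructed for illustration; the last function shows why the page calls this obfuscation rather than security.

```javascript
// Added example: constructed values, not Obfuscapery's real key, padding or wire format.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Hex is used because masked bytes are usually not printable ASCII.
const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/../g) || [], (h) => parseInt(h, 16));

// XOR every data byte with the key, repeating the key when data is longer
// (assumption: this is how one key can cover emails of any length).
function xorWithKey(data, key) {
  if (key.length === 0) throw new Error("key must not be empty");
  return data.map((b, i) => b ^ key[i % key.length]);
}

// Layers 1 and 2: pad the address on both sides, XOR it, emit hex for the HTML.
function encodeEmail(email, key, padBefore, padAfter) {
  const padded = enc.encode(padBefore + email + padAfter);
  return toHex(xorWithKey(padded, enc.encode(key)));
}

// Rendering side: XOR again with the same key (C ^ B = A), then strip the padding.
function decodeEmail(hex, key, padLen) {
  const text = dec.decode(xorWithKey(fromHex(hex), enc.encode(key)));
  return text.slice(padLen, text.length - padLen);
}

// A ^ C = B: a single known plaintext/ciphertext pair yields the key, so the
// key protects nothing once any one padded email is known.
function recoverKey(knownPlain, hex, keyLen) {
  if (knownPlain.length < keyLen) throw new Error("known plaintext shorter than key");
  const stream = xorWithKey(fromHex(hex), enc.encode(knownPlain));
  return dec.decode(stream.slice(0, keyLen));
}

// Constructed sample values.
const SAMPLE_KEY = "k3y!9Zq2";
const SAMPLE_EMAIL = "alice@example.com";
const SAMPLE_HEX = encodeEmail(SAMPLE_EMAIL, SAMPLE_KEY, "x7Qp", "Lm2z");
console.log(SAMPLE_HEX, "->", decodeEmail(SAMPLE_HEX, SAMPLE_KEY, 4));
```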

Future enhancements

  1. Fully integrate obfuscapery into jQuery as a true plug-in with real methods.
  2. Only render certain encoded emails.
  3. Use Base64 instead of hex for shorter strings.
