<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>effengud software &#187; RC4</title>
	<atom:link href="http://www.effengud.com/index.php/tag/rc4/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.effengud.com</link>
	<description>It&#039;s Simple. It&#039;s Elegant. It&#039;s effengud!™</description>
	<lastBuildDate>Tue, 10 Aug 2010 16:14:28 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>RC4 Encryption with VBScript</title>
		<link>http://www.effengud.com/index.php/2009/08/04/rc4-encryption-with-vbscript/</link>
		<comments>http://www.effengud.com/index.php/2009/08/04/rc4-encryption-with-vbscript/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 17:23:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Code Snippets]]></category>
		<category><![CDATA[asp]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[RC4]]></category>
		<category><![CDATA[vbscript]]></category>

		<guid isPermaLink="false">http://www.effengud.com/wp/?p=32</guid>
		<description><![CDATA[I recently had a need to query a remote server via HTTP and receive rather sensitive information. SSL was not an option because of the ISP&#8217;s setup. For these reasons (and a few others), I found myself in need of a good, general-purpose encryption module. For the purposes of prototyping and early testing, I whipped [...]]]></description>
			<content:encoded><![CDATA[<p>I recently had a need to query a remote server via HTTP and receive rather sensitive information. SSL was not an option because of the ISP&#8217;s setup. For these reasons (and a few others), I found myself in need of a good, general-purpose encryption module. For the purposes of prototyping and early testing, I whipped one up using the old stand-by system of circular XORs. Geez, that&#8217;s quick and dirty, but it&#8217;s about as secure as a message sent on a postcard in the US Mail. My own home-grown cryptanalysis tools made quick work of cracking the code.</p>
<p>Obviously, I was going to need something much stronger than that for the site once it went into general production. I also wanted something that I could code completely in VBScript for ASP, mainly because I wanted to be able to use the code in any ASP environment, regardless of any ISP&#8217;s component registration policies (or lack thereof). In addition, I wanted something that was publicly proven and recognized as being fairly secure.</p>
<p>I chose the streaming-encryption algorithm known as RC4. RC4 is generally regarded as being &#8220;strong&#8221;, and has no known attacks (although a relatively weak class of keys has been identified &#8211; the discussion of which is beyond the scope of this document).</p>
<p>Other strengths of this algorithm include decent encryption/decryption speed and relative ease of coding in VBScript. It is also interesting to note the symmetrical nature of the RC4 algorithm. What I mean by &#8216;symmetrical&#8217; is that the same routine is called to do both encryption <b>and</b> decryption. To encrypt data, simply pass the data and the password you choose to the routine to receive encrypted data. To decrypt, pass the encrypted data and the same password. (Note: It is possible to encrypt the data multiple times, even with different passwords on each iteration. To decrypt, simply reverse the steps you followed during encryption.)</p>
<p>There&#8217;s an interesting story behind this algorithm. Well, OK, maybe it&#8217;s not interesting if you&#8217;re not a self-proclaimed geek. But here it is anyway. RC4 was invented by RSA Data Security. It is not a patented algorithm, but it is protected under federal law as a trade secret by RSA. In 1994, an anonymous person posted what they called the (do your Dr. Evil air-quotation marks here) &#8220;source code&#8221; to the RC4 algorithm. No one (outside of RSA) knows whether or not the &#8220;source code&#8221; that was posted was the actual RC4 algorithm, but it certainly does produce exactly the same output as the RSA product. So, in fact, the &#8220;source code&#8221; presented here can only be said to be &#8220;RC4-like&#8221; in nature&#8230; there&#8217;s no telling if it actually is RC4 as implemented by the RSA company.</p>
<p>One word of warning is in order here: If you plan to use this code outside the US, or if you plan to include it in a product that you are going to ship outside the US, please make yourself aware of the legal restrictions of crypto export. Always remember&#8230; guns don&#8217;t kill people, algorithms kill people.</p>
<p>I have included a sample test harness (<CODE>rc4test.html</CODE> and <CODE>rc4test.asp</CODE>) to help you see how the algorithm (contained in <CODE>rc4.inc</CODE>) works. The output of the test looks like this:</p>
<p><P><TABLE WIDTH=95% BORDER=0><br />
<TR><TD WIDTH=100% BGCOLOR=#CCCCCC></p>
<h3>RC4 Test Harness</h3>
<p><b>Plaintext was:</b> &#8220;To be or not to be: that is the question, whether tis nobler in the mind to suffer the slings and arrows of outrageous fortune.&#8221; can be anagrammed to form: &#8220;In one of the Bard&#8217;s best-thought-of tragedies, our insistent hero, Hamlet, queries on two fronts about how life turns rotten.&#8221;<br /><b>Encrypted text:</b> 0E%89%02y%D9%9B%F7%C0%D48%D21%10%BF%0De%1A%7E%F9%C6%BE%B1%B8h4%ED%A6%1D%8B%27%B4O%3DXAk2%3F%88%98%E592s%DE%8C%E6%E1IM%0A%7F%C5f%C7V%3E%EC%19%C7%18%DA%25%B4%C1%2C%12%B8%80c%14%BB%E1h%A7m%E5%E8%E9%F6%21%04%9F%2B%0E%E3%B2%9D%A8%FB%FA%D7T%7B%FAQ%3Dw%E21%E4%29%FA%23%FB%F9%1D%0AT%BF%0E%FF%94%7Dm%B4%2A%C8%3E%01J%AF%C8%7EB%2CF%F0q%F8%AD%9EFB%DAo%17%AF%7C%3A%13T%B3%9E%B5%11%12%7F%94%3D%1C%0C9%21%26%AE%06%E6%E6%F0%0Em%90%EC%12%039%1DG%D7%BA%9C%A1%04%BF%FA%F9%A3%ED%C1l%E8AEM%CB%B4%1Ba%D2%ADT%BCZ%04%C2%1Bvv%F9%8F%DF%B8U%8C%17%8F%BF%A7%D1kV%D2%B2%C6%3F%2E%BFD%C3%E1Ht%2E%EF%A7%C6%0E%FFRFU%92%22%CC%FA%92%5E%DA%FAn%AB5%E1%DB%D9%83%D9%E8%C2i%ADP%8Fk%E7+%1E%A9%2C%1C6%16%8D%27%AF%B6R%C50%81KJ%18%F8%0CQ%2EU%04%C3%5B%9E%3E</p>
<p><b>Hex dump of encrypted string:</b>
<p><b>Decrypted text:</b><br />&#8220;To be or not to be: that is the question, whether tis nobler in the mind to suffer the slings and arrows of outrageous fortune.&#8221; can be anagrammed to form: &#8220;In one of the Bard&#8217;s best-thought-of tragedies, our insistent hero, Hamlet, queries on two fronts about how life turns rotten.&#8221;
<p><b>Encryption took:</b> 0.0078125 seconds (±55 msec)</p>
<p></TD></TR><br />
</TABLE><br />
<P><I><br />
(Note that the output of the encrypted text is shown in &#8216;urlencoded&#8217; form. This is because it may contain illegal characters for a web browser. IMPORTANT NOTE: Microsoft&#8217;s URLEncode function does NOT work if there are embedded ASCII NULs in the data you&#8217;re encoding&#8230; the function assumes that the ASCII 0 is an end-of-string marker, and thus will not encode past that point)</i></p>
<p><B>Overview</B>: This article contains a decent encryption tool that you may find useful. Read up on encryption technology to determine if this algorithm is strong enough for your needs. Don&#8217;t give this code to anyone who doesn&#8217;t love baseball and apple pie.</p>
<p><strong>Test the script by <a href="/articles/rc4test.html" target="_blank">clicking here</a></strong></p>
<p>Article collateral materials:</p>
<p>&nbsp;&nbsp;&nbsp;<img src="/elements/effendot.gif" width="7" height="7">&nbsp;<a href=" /articles/rc4.inc.html">View/download RC4.INC in text format</a><br />&nbsp;&nbsp;&nbsp;<img src="/elements/effendot.gif" width="7" height="7">&nbsp;<a href="/articles/rc4test.html.html">View/download RC4TEST.HTML in text format</a><br />&nbsp;&nbsp;&nbsp;<img src="/elements/effendot.gif" width="7" height="7">&nbsp;<a href="/articles/rc4test.asp.html">View/download RC4TEST.ASP in text format</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.effengud.com/index.php/2009/08/04/rc4-encryption-with-vbscript/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
