Encrypt/Decrypt a short string cross platform

I’m looking for a way to encrypt and decrypt a string, preferably resulting in another string that isn’t too long. It needs to work cross platform, so including iOS, Mac, Win and Android, which rules out plugins.
I know hashing won’t work, as the encrypted string needs to be decrypted as well.
I’m now using a simple XOR to obfuscate the original string, but would like to use something a little more secure. The source string is short; about 12 characters.

By the way, ChatGPT and Copilot aren’t very helpful when it comes to asking Xojo questions; the result is usually code that uses non-existing functions.

https://documentation.xojo.com/api/cryptography/crypto.html

Choose something.

Reencode as Base64 later.

The encryption itself is the easy part. The hard part is what to do with the key. Both symmetric and asymmetric encryption need some kind of a key, so you then need to store that somehow.

What are you trying to protect?

Thanks, I know the documentation, but I haven’t found anything that works on all platforms.

I’m fine with using a key that could be a constant on every platform; the reason to encrypt it is to avoid people using variations of the original string.
For example, the string could have “REF00004” and then somebody could try to use “REF00005”, which I would like to avoid.

Uh… I don’t understand, but my gut reaction is that encryption is the wrong tool for this job.

Here’s a pure-xojo implementation of RC4 algorithm, a symmetric cypher:

He wants to obfuscate some IO data, trying to prevent people from reusing it by hand? Maybe he intends some URL-encoded data? I think he needs more protections, like avoiding GETs and using POSTs with contents INSIDE the message and not in the URL. Also ticket schemes for use once only, and validation of the message against tampering. Some kind of basic OAuth scheme.

Then why not just use hashes for the check and then store an encrypted string? Every encrypted string would then just have a buddy hash. If I understand the problem statement right.

1 Like

No, it won’t be in a URL, it will be a QR code.

Because there is no “unhash”. I need to be able to go from readable to encrypted, and back.

That is why you have 2 files… A hash check file and the encrypted string aka something you can un-encrypt…

Ok I think I see the use case. You want to be able to generate and read a QR code that somebody cannot tamper with.

You don’t need encryption for this. You can sign the data instead. For example, if the value is ABC123, you would produce a hash of the value plus some secret. Such as ABC123:MySecret. You include both in the QR code, and when you read it, you take the value, hash it again, and compare against the included hash.

5 Likes
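
The signing approach from the post above, sketched in Python as an added example (not part of the thread and not Xojo code). It uses HMAC-SHA256 in place of the plain hash of value plus secret and truncates the tag to 12 bytes to keep the QR payload short; the key, separator and function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo key (assumption); each deployment supplies its own secret.
SECRET_KEY = b"constructed-demo-key"
TAG_BYTES = 12   # 96-bit truncated tag -> 16 base64url characters, no padding
SEPARATOR = "."  # never appears in base64url output, so the split is unambiguous


def _tag(value: str, key: bytes) -> str:
    """HMAC-SHA256 over the value, truncated and base64url-encoded."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:TAG_BYTES]).decode("ascii")


def make_payload(value: str, key: bytes = SECRET_KEY) -> str:
    """Text to place in the QR code: readable value, separator, tag."""
    if not value or SEPARATOR in value:
        raise ValueError("value must be non-empty and must not contain the separator")
    return f"{value}{SEPARATOR}{_tag(value, key)}"


def read_payload(payload: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the value when its tag verifies, otherwise None."""
    value, sep, tag = payload.rpartition(SEPARATOR)
    if not sep or not value:
        return None
    expected = _tag(value, key).encode("ascii")
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected, tag.encode("utf-8")):
        return None
    return value


if __name__ == "__main__":
    good = make_payload("REF00004")
    # Someone edits the readable part but cannot recompute the tag.
    forged = "REF00005" + good[len("REF00004"):]
    print(good, "->", read_payload(good))
    print(forged, "->", read_payload(forged))
```

The value stays readable in the code; the tag only stops a scanner that holds the key from accepting an edited value.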

Just encrypt and BASE64. Add a validation field too, some check sum.

The issue is most of Xojo’s Crypto module doesn’t work on Android.

(Edit: This reply was meant for Rick, but it doesn’t seem to be attributed as such.)

Correct. I like your suggestion of adding a hash. People could try to alter the readable string, which then would not match the hash.

Pretty much what I said, but thanks Thom.

I’m fine with using a key

Have you used a byte sequence or just a single byte to XOR all chars?

What kind of data will the codes contain? ASCII? Binary?

Boudewijn - what is the sophistication of those you are trying to keep the string from? XOR is a simple start. If you take that result and subtract an integer value from the character value, then rearrange the characters in a pattern known to your decryption algorithm, that should obfuscate to a practical level. Maybe you XOR as a last step. It’s not RSA strong - but a “result” won’t be obvious if someone tries a simple XOR or ROT13 decryption method.