lightweight encryption of text file

Daniel Fetchinson fetchinson at googlemail.com
Sat Jan 9 05:45:14 EST 2010 

On 1/9/10, Steven D'Aprano <steve at remove-this-cybersource.com.au> wrote:
> On Fri, 08 Jan 2010 20:14:51 +0100, Daniel Fetchinson wrote:
>
>> I have a plain text file which I would like to protect in a very simple
>> minded, yet for my purposes sufficient, way. I'd like to encrypt/convert
>> it into a binary file in such a way that possession of a password allows
>> anyone to convert it back into the original text file while not
>> possessing the password one would only see the following with the
>> standard linux utility 'file':
>>
>> [fetchinson at fetch ~]$ file encrypted.data
>> encrypted.data: data
>
> If that is your sole requirement,

No, that was not my sole requirement, I also wrote:

"""
and the effort required to convert the file back to the original text
file without the password would be equivalent to guessing the
password.
"""

> then the addition of a single non-text
> byte (say, a null) anywhere in the file would be sufficient to have file
> identify it as data.

Yes, but this would not satisfy the other requirement quoted above.
One could read the file without an effort that is equivalent to
guessing a random password.

> You say "encrypt/convert" -- does this mean that you
> don't care if people can read the text in a hex editor, so long as file
> identifies it as data?

I do care. See the quote above :)

> Would something like a binary Vigenere Cipher be sufficient?
>
>
> # Untested
> def encrypt(plaintext, password):
>     cipher = []
>     for i, c in enumerate(plaintext):
>         shift = password[i % len(password)]
>         shift = ord(shift)
>         cipher.append((ord(c) + shift) % 256)
>     return ''.join([chr(n) for n in cipher])
>
> def decrypt(ciphertext, password):
>     plain = []
>     for i, c in enumerate(ciphertext):
>         shift = password[i % len(password)]
>         shift = ord(shift)
>         plain.append((256 + ord(c) - shift) % 256)
>     return ''.join([chr(n) for n in plain])

Thanks, this looks simple enough and probably sufficient for my purposes!
I'll see if I'll use this or Paul Rubin's p3.py.

> Is it acceptable if there is a chance (small, possibly vanishingly small)
> that file will identify it as text? As far as I know, even the
> heavyweight "serious" encryption algorithms don't *guarantee* that the
> cipher text will include non-text bytes.

Hmmm, that's a good point, but actually it doesn't matter if 'file'
identifies it as text with a very small probability.

>> and the effort required to convert the file back to the original text
>> file without the password would be equivalent to guessing the password.
>
> If you seriously mean that, then "lightweight encryption" won't do the
> job, because it is vulnerable to frequency analysis, which is easier than
> guessing the password. You need proper, heavy-weight encryption.

Well, probably you are right and I should have been more clear. What
typically people call obfuscation is sufficient for me, as long as the
obfuscation involves a password, something that your solution seems to
do.


>> I'm fully aware of the security implications of this loose
>> specification, but for my purposes this would be a good solution.
>
> Can you explain what your objection to real encryption is?

Not much really, I simply don't want to overkill, that's all. First
and foremost I wouldn't want to introduce a dependency on a 3rd party
module and also wouldn't want to read documentation of a complex API
when all I need are two functions: encrypt( text, password) and
decrypt( text, password ). I really like your solution because that's
all it does.

> The problem is that, as I see it, you've assumed a solution rather than
> state what your requirements are. I'm *guessing* that you are more
> concerned of having to learn to use a complex API,

Well, that's sort of true about learning a complex API :) But it's
also true that I'm not storing anything really valuable in the file
but still wouldn't want to leave it lying around in plain text. In
case I lose the laptop with the file I seriously doubt anybody who
finds it will go through each and every file and try to find what's in
it, even though they look like data files and there is no hint what so
ever that any one of them contains encrypted info. If they see a text
file, well, that can give them ideas, so let's encrypt a little bit.
So basically that's the story, granted, it's not a full specification
or anything like that, it's a description of a vague situation but
that's really all I have :)

Cheers,
Daniel

More information about the Python-list mailing list