Crypt json content

Projects Programming
1

Hi everyone,
I am doing a software on a ESP8266 which stores json files in the flash memory. I wanted somehow to crypt some json properties inside the file so that if someone access it doesn't ready my data (example: a username / password of mqtt server). I have google a lot for the last few days but without any succes. Can someone point me to what library should i use in order to do this ? thanks!

2

We used to hide things from prying eyes by just reversing the nibbles in each byte.

Paul

3

This is sort of hard to do, because you have to store the key to decrypt it somewhere... so if they've dumped the flash, they have the information needed to decrypt it...

Though there is probably some merit to at least a passing attempt to obfuscate it, so it doesn't jump out at someone snooping around in the flash - but if they've got the flash contents, a dedicated adversary will be able to get the sensitive data out of it... I mean, they could just write it to their own board, and see what requests it sends, and get the data that way if they wanted to.

4

The idea would be storing the key in the code itself, but leaving some json files on the flash memory encrypted. I know there is always a way, but at least i am protecting my data at some sort of level. Can you point me in any direction ?

5

There are AES libraries for Arduino / ESP8266 which can do the job - but they introduce a performance and storage impact. You could use some very basic bit inversion instead:

void xor_crypt(char *buffer, int buf_len, char* key, int key_len)
{
  int ki = 0;
  for (int bi = 0; bi < buf_len; bi++)
  {
    buffer[bi] ^= key[ki++];
    if (ki >= key_len) ki = 0;
  }
}

...

char* key = "secret";
char* str = "Say hello to my little friend!";

int str_len = strlen(str); //Remember this value in order to ensure proper decryption!

//Encrypt
xor_crypt(str, str_len, key, strlen(key));
Serial.println(str); //This will be "garbage" in the serial monitor

//Reverse
xor_crypt(str, str_len, key, strlen(key)); //Do NO rely on "strlen" for "str" here!
Serial.println(str); //This will be the original string again

Even though this form of encryption may seem crude, it may be just as hard to break as more advanced forms of encryption - but the performance impact is negligible.

EDIT: Bug in code fixed.

6

vaz83:
The idea would be storing the key in the code itself, but leaving some json files on the flash memory encrypted. I know there is always a way, but at least i am protecting my data at some sort of level. Can you point me in any direction ?

Then on the other hand this is just obfuscation as DrAzzy said. You could store the key on an external EEPROM chip or an sd card which you insert before operation and remove after operation (much like online banking dongles work).

7

Hi Danois, thanks! This is the direction i wanna take.
I was trying the code you sent, which works fine, but what i want to crypt is something i will read and send to the function. I have made this:

char* key = "secret";

void xor_crypt(char *buffer, int buf_len, char* key, int key_len)
{
  int ki = 0;
  for (int bi = 0; bi < buf_len; bi++)
  {
    buffer[bi] ^= key[ki++];
    if (ki >= key_len) ki = 0;
  }
}

void crypt(char * input)
{
  xor_crypt(input, strlen(input), key, strlen(key));
  Serial.println(input); //Crypted
  xor_crypt(input, strlen(input), key, strlen(key));
  Serial.println(input); //Descripted
  delay(5000);
}

What happens now is that when i pass the text i want to crypt, when i then decrypt it, it doesn't show all the text :frowning:

Danois90:
There are AES libraries for Arduino / ESP8266 which can do the job - but they introduce a performance and storage impact. You could use some very basic bit inversion instead:

void xor_crypt(char *buffer, int buf_len, char* key, int key_len)

{
  int ki = 0;
  for (int bi = 0; bi < buf_len; bi++)
  {
    buffer[bi] ^= key[ki++];
    if (ki >= key_len) ki = 0;
  }
}

...

char* key = "secret";
char* str = "Say hello to my little friend!";

//Encrypt
xor_crypt(str, strlen(str), key, strlen(key));
Serial.println(str); //This will be "garbage" in the serial monitor

//Reverse
xor_crypt(str, strlen(str), key, strlen(key));
Serial.println(str); //This will be the original string again




Even though this form of encryption may seem crude, it may be just as hard to break as more advanced forms of encryption - but the performance impact is negligible.
8

What do you mean by "doesn't allow all the text"? The encrypted buffer is binary and null-characters may therefore occur. Since "strlen" searches for the first null-character, some of the string may be lost. The sollution is to store / remember how long the original string was instead of relying on strlen (which I wrongly did, code in #4 updated).

9

Danois90:
What do you mean by "doesn't allow all the text"? The encrypted buffer is binary and null-characters may therefore occur. Since "strlen" searches for the first null-character, some of the string may be lost. The sollution is to store / remember how long the original string was instead of relying on strlen (which I wrongly did, code in #4 updated).

Got it! it's working now, but facing another problem: I want to save the result into a json file using arduinoJson, save goes ok, but then, when i try to open the file, says invalid input. Maybe i have to convert the crypt result to hex first to save, and then back to how it was to decrypt? Can you help me?