## Video game Password: Using base32 symbol array as a key

Need help with C, C++, perl, python, etc?

### Video game Password: Using base32 symbol array as a key

After my cryptography class, I coded a video game password system that takes 64 bit of data, adds 16 bit validation code, apply some permutation on the bits and encode everything in base32.

Now, I originally thought that my system was encryption by obscurity, which means that once you have the source code, you can decode and encode any password. But after some thinking, I am using various parameters in my algorithm and the biggest parameter is a string of 32 unique symbols used for the base32 encoding.

Normally, the symbols would be placed in alphabetic order so that each letter match each binary pattern in numeric order like for example:

A = 00000
B = 00001
C= 00010
D= 00011
etc.

But nothing forces me to use a list of symbols in alphabetic order, I could use any order as long as each symbol is unique. For example if I use: "QWERTY...." I'll end up with:

Q = 00000
W = 00001
E = 00010
R = 00011
etc.

Now I am wondering if this string of characters could not in fact be used as a key. Preventing anybody who does not have the array of characters to decode the password even if he knows the algorithm.

If my calculations are right, the number of possible permutations should be 32! which gives 2.63130837×10³⁵ possible combinations. It's a bit less than a 128 bit key, but I don't intend to use it for top secret information.

Could this array of 32 symbols be used as a form of encryption key?
larienna

Posts: 59
Joined: 2014-09-27 20:54

### Re: Video game Password: Using base32 symbol array as a key

larienna wrote:Could this array of 32 symbols be used as a form of encryption key?

Yes, as long as it does not form (fixed) part of the encoding algorithm, i.e. you need to somehow provide those 32 symbols as an input to the encoder every time you encode/decode a password.

(Note that even if you have roughly ~ 120 bits (due to the 2E35 permutations), your encoding is nowhere near as secure as a "proper" encryption algorithm using a key of 120 bits. I'll let you think about why..)
reinob

Posts: 771
Joined: 2014-06-30 11:42

### Re: Video game Password: Using base32 symbol array as a key

Yes, as long as it does not form (fixed) part of the encoding algorithm

There is 2 way I could do this:

1 Array of symbols per game: Each game has his own array of symbols. Which means that any password generated by that game will work with that game. That would allow carrying over save games around consoles, PC etc. It would allow publishing passwords on the internet for example.

1 Array of symbols per game and user: Take the user name as a seed to generate a random array of symbols. Then make passwords out of that array. This mean that the password is only valid for a game and that specific user. Which prevents publishing passwords on the net, and is only transferable between devices if the username is the same. This can only works if the platform offers a form of unique username.

(Note that even if you have roughly ~ 120 bits (due to the 2E35 permutations), your encoding is nowhere near as secure as a "proper" encryption algorithm using a key of 120 bits. I'll let you think about why..)

I am not exactly sure why. I know I am not using block chaining or other mechanism but in my case the message (data) is made of a fixed length (64bits). So I don't think it needs any. I cannot use the concept of session keys as it is designed to "save" a session where it was.

I have a few other parameters that will increase slightly the number of possibilities, but the array of symbols is the most important one.
larienna

Posts: 59
Joined: 2014-09-27 20:54

### Re: Video game Password: Using base32 symbol array as a key

larienna wrote:
Yes, as long as it does not form (fixed) part of the encoding algorithm

There is 2 way I could do this:

1 Array of symbols per game: Each game has his own array of symbols. Which means that any password generated by that game will work with that game. That would allow carrying over save games around consoles, PC etc. It would allow publishing passwords on the internet for example.

1 Array of symbols per game and user: Take the user name as a seed to generate a random array of symbols. Then make passwords out of that array. This mean that the password is only valid for a game and that specific user. Which prevents publishing passwords on the net, and is only transferable between devices if the username is the same. This can only works if the platform offers a form of unique username.

(Note that even if you have roughly ~ 120 bits (due to the 2E35 permutations), your encoding is nowhere near as secure as a "proper" encryption algorithm using a key of 120 bits. I'll let you think about why..)

I am not exactly sure why. I know I am not using block chaining or other mechanism but in my case the message (data) is made of a fixed length (64bits). So I don't think it needs any. I cannot use the concept of session keys as it is designed to "save" a session where it was.

I have a few other parameters that will increase slightly the number of possibilities, but the array of symbols is the most important one.

The thing is the security of the key depends not on how many bits are used to encode it, but on the number of bits necessary to encode every possible key. These are only the same if every bit of the key is fully random.

With your "Array of symbols per game" option, the number of games is the number of possible keys, i.e. you would need to iterate over the list of known games, where for each game there is a single key to test. If you have 16 games, your effective key size is reduced to 4 bits.

The same applies correspondingly to the "Array of symbols per game and user". Effective key size ~ log2(number of games * (for each game) number of users).

On top of this, you've mentioned you add a "16 bit validation code". If by this you mean some sort of CRC or such, then it means you can easily verify whether a given key is the correct decryption key. Normally ciphertext should have no "clues" for the attacker, so that the validity of the decrypted text cannot be inferred from the ciphertext itself.

Cheers.
reinob

Posts: 771
Joined: 2014-06-30 11:42

### Re: Video game Password: Using base32 symbol array as a key

On top of this, you've mentioned you add a "16 bit validation code". If by this you mean some sort of CRC or such,

I am currently using 2 dimension parity, but I intend to do another code with CRC for better scalability. The objective of this validation code is to avoid all codes to be valid. Else people could enter a random code and get random power up, save location, etc. With a 16 bit validation code, it ensure that the user had 1 out of 65636 chance to generate a valid random code.

The "per game" idea is that I store the array of symbols in the source code of the game to generate password. Since the array of the symbol is the same for every body, attackers could start logging list of password and trying to find a pattern. With enough password, it might be possible to find which letter corresponds to which data. But if I release a new video game, the data and the array of symbol will change. So the user will have to start the process over gain.

While the "per game and user" the array of symbols changes for each user. So only password logging from the same user can be used, which reduces the number of passwords that the user can analyze.

Anyways, thank for the information. I will probably put the code eventually on gitlab. I would like to try making a library importable from java. I never did this.
larienna

Posts: 59
Joined: 2014-09-27 20:54