This blog has moved. Please update your bookmarks.

The Webshots Image Encryption

People always say security is hard to get right. While I agree to this fact in principle, I also think it's relatively easy to acquire a fundamental layer of security that at least denies access to the majority of the population.

Take Webshots, for instance. Webshots is a great service where you can download pictures into a little program and display it as wallpaper. The quality is excellent.

To protect the copyright, they elected to "obfuscate" the downloadable JPEG image files somewhat. They come in a proprietary .wbz image format, which is simply a JPEG file slightly shuffled around. I won't go into details about how it is designed, but it is a rather simple algorithm that leaves 98% of the file untouched.

I wonder why. Was it thought to be a relatively quick measure to prevent people access to the pictures? I certainly hope they didn't think it was an elaborate encryption scheme, which it isn't. Why did they deem it necessary to introduce a completely new (and rather poor) method, when so many excellent algorithms are already publicly available?

Consider, for instance, the following:

  • A 32-bit IV (Initialization Vector) is generated for each picture, and written down into the file, unencrypted.
  • This IV is used to seed a PRNG (Pseudo-Random Number Generator), providing a fixed number of pseudo-random data bytes. This byte stream might be prepended with a fixed password.
  • An MD5 hash is run on the PRNG byte stream, yielding a 128-bit key.
  • An RC4 cipher (or Blowfish, or any other cipher) is used to encrypt the JPEG data.
A scheme like this would take about an hour, maximum, for me to implement in Delphi. It would provide a mechanism whereby the file would be 1) completely encrypted, 2) the key wouldn't be hardcoded into the program, 3) the key would be different for every image produced, and 4) it would be moderately difficult to reverse-engineer the algorithm from the binary code.

It certainly wouldn't be foolproof, but it would make it far more difficult to decrypt the image files, since it would be necessary to obtain the key from reverse-engineering the binary code.

Source code for the algorithms mentioned above are almost universally available. Why not use them instead of devising your own obfuscation schemes? What's the point?

Just asking.


2 Comments:

At 10:13 PM, Anonymous Narendra said...

The Webshots file format is 10 years old and it was orginally developed for some lightweight protection for licensed images. It also contains metadata about the file and didn't take very long to devise ;-)

 
At 2:40 PM, Anonymous image encrypt said...

Thanks,I consider that it’s a very helpful subject.I like it very much. Its so exciting.So i want some facts for sharing this side with a number of friend.

 

Post a Comment

<< Home

 

Blog contents copyright © 2005 Mats Gefvert. All rights reserved.