Base64 Encoding Module


This is intended to be a free resource for anyone to use. It is covered under (CC BY-AD) Creative Commons Attribution-NoDerivatives 4.0 License.

This module is also not 100% secure; however, it absolutely can work if implemented correctly. If any issues arise, feel free to let me know via my inbox (@MochaTheDev) or the replies below.


Resource & Usage


Download it here on GitHub or here on Roblox

Module API


Encrypt / Encode

local b64 = require(path_to_module.Base64Encryption)

b64.base64Encode(string_to_encode, key)

string_to_encode = String you want to be encoded with Base64
key = OPTIONAL key to be passed. Must be 8-bit (8 chars long) and comprised of 0’s and 1’s.

Decrypt / Decode

local b64 = require(path_to_module.Base64Encryption)

b64.base64Decode(string_to_decode, key)

string_to_decode = String you want to be decoded with Base64
key = OPTIONAL key to be passed. Must be 8-bit (8 chars long) and comprised of 0’s and 1’s. Must also be the same key as used with the encoding function.

Note regarding key value: if you wish to allow the system to use the default key, pass no value for key and only pass the string_to_encode or string_to_decode value. A default key to be used for all processes is randomly generated at the beginning of the server’s initialization.


If any issues arise, feel free to let me know via the contact listed at the beginning of the post. I hope this can help someone!

3 Likes

Right, just for the record, before anyone gets any wild ideas,

This is not great for encryption.

  • 8 bits as a key is not secure at all by today’s standards; 2^8 combinations of 0s and 1s is really not a high amount for a computer to figure out the key from.
  • You released the source code on GitHub, so with point 1 in mind, anyone can figure out how to decrypt a string using your library.
  • Base64’s intention was never to encrypt strings with - it’s meant to encode strings, and in some cases, compress them for easier transport (see: YouTube video IDs).
  • Looking at the source code, your encryption is a 2-way operation; almost every modern encryption algorithm uses 1-way operations instead.

This is still great for encoding/compression, but I wouldn’t say this is great for encryption.

4 Likes

All are absolutely true. As very brightly tacked on to the top of the GitHub, I’m very aware it isn’t super secure. However, it is still more of an obfuscation than plaintext.

The intention for this was

  1. Encoding, as I’ve used it
  2. Simple obfuscation beyond using XOR funcs

Regardless, it is very modifiable, so if anybody comes across it and decides to take a crack at changing it or utilizing it for their own purposes, they can by all means.

While yes, that’s partly true, anybody using this is likely not attempting to encrypt anything too sensitive. If they are running a game large enough that they have actual threats to consider, they likely also have the funds to purchase their own API endpoint for their secrets.

To add onto that, anybody using this likely is not using it on data worth anything to any malicious user worth their salt.

Regardless, I appreciate the feedback and the fact that you pointed out the flaws a bit more clearly, so if anybody is looking at this they will also be aware of its limitations and vulnerabilities.

2 Likes

> obfuscation

No.

Aside from the fact that security through obscurity is just a myth, Base64 strings tend to have a pretty obvious signature - all it takes to break it is one experienced guy taking one look at it.

> Regardless, it is very modifiable, so if anybody comes across it and decides to take a crack at changing it or utilizing it for their own purposes, they can by all means.

Why would anyone, at least in the case of encryption, when they can just use any other algorithm?

> anybody using this is likely not attempting to encrypt anything too sensitive

You put too much faith in the Roblox community. :stuck_out_tongue:

Again, I think it’s totally fine to use Base 64 for anything else, and I think the library is totally cool - I just think the encryption part needs a lot more work, and shouldn’t be used for production at its current state.

5 Likes
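The two points made in the replies above (an 8-character key of 0s and 1s gives only 2^8 candidates, and Base64 output has a recognisable shape), as an added example that is not part of the thread or of the module's code. The module's keyed step is not shown on the page, so a per-byte XOR with the 8-bit key stands in for it as an assumption; the key and sample string are constructed, and Python is used so the sketch runs offline with a standard-library Base64.

```python
import base64
import re

# Padded Base64 shape: groups of four alphabet characters plus an optional padded tail.
BASE64_RE = re.compile(
    r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def looks_like_base64(text: str) -> bool:
    """True when the whole string has the Base64 shape the reply calls obvious."""
    return bool(text) and BASE64_RE.fullmatch(text) is not None


def parse_key(key_bits: str) -> int:
    """Validate the documented key format: exactly 8 characters of 0 and 1."""
    if not re.fullmatch(r"[01]{8}", key_bits):
        raise ValueError("key must be 8 characters of 0 and 1")
    return int(key_bits, 2)


def standin_encode(plaintext: bytes, key_bits: str) -> str:
    """ASSUMED keyed step (XOR every byte with the key), then standard Base64."""
    key = parse_key(key_bits)
    return base64.b64encode(bytes(b ^ key for b in plaintext)).decode("ascii")


def search_keyspace(encoded: str) -> dict[str, bytes]:
    """Walk the entire 2**8 key space; keep outputs that are printable ASCII."""
    raw = base64.b64decode(encoded, validate=True)
    hits = {}
    for key in range(256):
        guess = bytes(b ^ key for b in raw)
        if all(0x20 <= b <= 0x7E for b in guess):
            hits[format(key, "08b")] = guess
    return hits


if __name__ == "__main__":
    secret = b"api_token=constructed-example-value"  # constructed sample value
    encoded = standin_encode(secret, "10110010")  # constructed key
    print(encoded, looks_like_base64(encoded))
    for key_bits, text in search_keyspace(encoded).items():
        print(key_bits, text)
```

The keyed output still passes the shape check, and the whole key space is covered in 256 iterations, which is why the key adds no meaningful confidentiality to stored values.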

Not necessarily a ‘myth’ per se, just bad to rely on, but yes. I don’t disagree. I would hope that anyone making a system large enough to be incorporating secrets wouldn’t be using this as their main method.

Because this is easy. Simple as that. If they’re knowledgeable enough to know of other encryption algorithms (AES, as a fantastic example for Luau,) they certainly wouldn’t be using this.

No harm in treating everyone like they’re intelligent. While I get what you’re saying, I would hope most people have the cognitive reasoning skills to figure out how breakable this is.


Regardless, I appreciate the criticism. I do plan to update this soon to be more encoding focused, but as of now it’s not necessarily configured for that use case. I also plan to release an AES encryption module as well somewhat soon, but I’ll have to take a look at it first and do some research as I’m not confident in my abilities with that quite yet :joy:

3 Likes

Safe and correct AES is not truly possible; there is no good enough entropy source in Luau to make a good and safe random bytes function, in my opinion. Aside from that, it would be incredibly and stupidly slow; you are better off implementing a xorstring, but even then the string would have lived in there. And for security through obscurity for anti-cheats, it’s quite useless if the cheater knows where to look (i.e.: match a function’s constants, get to a metamethod, hook it to snoop in and listen for the arts; hook table.concat and const dump on scripts obfuscated by average obfuscators, etc). No method is truly safe from someone who knows. The main point of “Security by Obscurity” is deterring someone so much that they give up trying. An average password, well secured, can very well take whole universes to be cracked with conventional methods, making it basically uncrackable. Even then, pieces of data like passwords shouldn’t be encrypted, rather hashed with a salt to avoid rainbow tables and other things. Still, good work with this.

3 Likes

Pretty sure Base64 is not associated with encryption, so the title is misleading.

3 Likes

Yes, I have changed it. I planned to but have been offline a few days.

2 Likes

Thank you, and I’m aware. I plan on pushing a new release with somewhat of a hash system soon. We’ll see how it goes and if I have time.

2 Likes

It in fact is. Some things like IVs and other things normally come in hex or Base64 format, so yeah, you can associate Base64 with encryption if you are well versed in the subject or just had to waste time implementing something related to it (me on my studio executor implementing Crypt, which I’m yet to fix).

2 Likes

The problem with hashing is that in Roblox there truly isn’t a reason to have any, perhaps for passwords, but even then there is no real safe source of entropy on Roblox, even on servers. To truly get safe stuff, you would have to rely on an external endpoint to provide you with that entropy in the form of an HTTP request, and we all know that enabling those (even for simple reasons) can lead to dangers such as Server Sides. Anyway, it would certainly be interesting, but not something I would see myself using, as I find no practical use in it.

2 Likes