Re: New encryption thread
- Posted by Davi Figueiredo <davitf at USA.NET> Dec 13, 1998
- 363 views
I am a little late, haven't had much free time these days. Anyway, here are some comments: Hawke' originally wrote (subject 'encryption'): >as such, I am in need of person's interested in >attempting to take an encrypted string (sequence of >char) and determine what the password is, from that string... After understanding your algorithm (don't ask me how, it's a secret ;), I was able to find a password that will work: 'alecramiroden' (without the quotes). Many other passwords will work as well; I didn't want to spend my time trying to find a known word, just tried to find one that sounded good (well, at least I can pronounce that one). In crypto.e, you used an algorithm that is a lot better than the shrouded one, because it cannot be easily cracked by hand, so you have to use brute-force. However, I think a simple change would make it even better: simply adding the password bytes (in the sumup function) gives a low range of possible seeds for the random number generator (using a 20-char password, the maximum seed will be 255*20=5100). If you use a function that will be able to return a greater range of seeds, the strength of the function will be increased. The following function returns a maximum seed of 12418266. It would be possible to create an even better routine, but I am too lazy today ;) -- begin code function sumup(sequence data) atom sum,sum_of_sums sum=1 sum_of_sums=0 data=data&1 -- so data[i+1] won't give an error for i=1 to length(data)-1 do sum=sum+data[i] sum_of_sums=sum_of_sums+sum*(data[i+1]+1) end for return sum_of_sums end function -- end code In theory, it is possible that more than one key will produce the same cipher, but this would be very rare and very hard to find too. Hawke' wrote: >my encryption dilemma mostly centers on the issue of >*exportability*. > >since this server will be downloaded by members of >this listserv, for example, and those members are >of quite varied points of origin, I, as the coder, >have to make sure that any/all algorithms used to >control access to the server adhere to rather >stringent (but often silly) laws regarding the >exportation of encryption algorithms. > >if i did not have to worry about these laws, i would >have simply swiped the DES (or sumfin) algorithm, >slapped it into the server, and been done, long ago. and also: >furthermore, i have already thought of 2 more things i can >do to the user password encryption system, that won't slow >it down to speak of (speed counts :) and will magnify the >resultant strength of the cipher without changing the >bit strength (and thusly ruling out exporting it to you guys...) Don't worry too much. According to RSA's Cryptography Export Laws FAQ, you can export strong encryption if its purpose is 'access control'. The only problem would be that, as the source code is available, someone would be able to change it to create an encryptor/decryptor. But it wouldn't be easy to do that with the algorithm you created (I don't know if it would possible at all). Anyway, as you said, the algorithm is still weak enough. Well, if you didn't have to worry about export regulations, you could just adapt my Blowfish encryption routines to do what you want. I announced these on the listserv some time ago and some people were interested. People who want them but haven't got them yet should send me an e-mail and I will send it to them. I haven't sent the program to the Archives because of... you guessed it... the stupid export regulations. Maybe someday (hopefully soon) I will create a homepage for it outside the U.S. and then anybody will be able to download it directly. Now, talking about the need for *very* strong encryption in EUServer (when it becomes EU_FTP), I agree strong encryption is important, but is this sooooo crucial? I mean, the files containing the passwords are not in a public directory, so only the owner would be able to crack the passwords... or not? Well, I know almost nothing about servers/clients and this kind of thing, so maybe I've just said something stupid. Regards, Davi Figueiredo davitf at usa.net ____________________________________________________________________ Get free e-mail and a permanent address at http://www.amexmail.com/?A=1