Re: New encryption thread


I am a little late, haven't had much free time these days.
Anyway, here are some comments:

Hawke' originally wrote (subject 'encryption'):
>as such, I am in need of persons interested in
>attempting to take an encrypted string (sequence of
>char) and determine what the password is, from that string...

After understanding your algorithm (don't ask me how, it's a
secret ;), I was able to find a password that will work:
'alecramiroden' (without the quotes). Many other passwords
will work as well; I didn't want to spend my time trying to
find a known word, just tried to find one that sounded good
(well, at least I can pronounce that one).

In crypto.e, you used an algorithm that is a lot better than
the shrouded one, because it cannot be easily cracked by hand,
so you have to use brute-force. However, I think a simple
change would make it even better: simply adding the password
bytes (in the sumup function) gives a low range of possible
seeds for the random number generator (using a 20-char
password, the maximum seed will be 255*20=5100). If you use a
function that will be able to return a greater range of seeds,
the strength of the function will be increased. The following
function returns a maximum seed of 12418266. It would be possible
to create an even better routine, but I am too lazy today ;)

-- begin code
function sumup(sequence data)
    atom sum,sum_of_sums
    sum=1
    sum_of_sums=0
    data=data&1 -- so data[i+1] won't give an error
    for i=1 to length(data)-1 do
        sum=sum+data[i]
        sum_of_sums=sum_of_sums+sum*(data[i+1]+1)
    end for
    return sum_of_sums
end function
-- end code

In theory, it is possible that more than one key will produce the
same cipher, but this would be very rare and very hard to find too.


Hawke' wrote:
>my encryption dilemma mostly centers on the issue of
>*exportability*.
>
>since this server will be downloaded by members of
>this listserv, for example, and those members are
>of quite varied points of origin, I, as the coder,
>have to make sure that any/all algorithms used to
>control access to the server adhere to rather
>stringent (but often silly) laws regarding the
>exportation of encryption algorithms.
>
>if i did not have to worry about these laws, i would
>have simply swiped the DES (or sumfin) algorithm,
>slapped it into the server, and been done, long ago.

and also:
>furthermore, i have already thought of 2 more things i can
>do to the user password encryption system, that won't slow
>it down to speak of (speed counts :) and will magnify the
>resultant strength of the cipher without changing the
>bit strength (and thusly ruling out exporting it to you guys...)

Don't worry too much. According to RSA's Cryptography Export Laws
FAQ, you can export strong encryption if its purpose is 'access
control'. The only problem would be that, as the source code is
available, someone would be able to change it to create an
encryptor/decryptor. But it wouldn't be easy to do that with the
algorithm you created (I don't know if it would be possible at all).
Anyway, as you said, the algorithm is still weak enough.

Well, if you didn't have to worry about export regulations, you
could just adapt my Blowfish encryption routines to do what you
want. I announced these on the listserv some time ago and some
people were interested. People who want them but haven't got
them yet should send me an e-mail and I will send it to them.
I haven't sent the program to the Archives because of... you
guessed it... the stupid export regulations. Maybe someday
(hopefully soon) I will create a homepage for it outside the
U.S. and then anybody will be able to download it directly.


Now, talking about the need for *very* strong encryption in
EUServer (when it becomes EU_FTP), I agree strong encryption
is important, but is this sooooo crucial? I mean, the files
containing the passwords are not in a public directory, so
only the owner would be able to crack the passwords... or
not? Well, I know almost nothing about servers/clients and
this kind of thing, so maybe I've just said something stupid.

Regards,
Davi Figueiredo
davitf at usa.net
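
As an added example (not part of the original message, and written in Python rather than Euphoria), the following ports the sumup function posted above and compares its seed range with plain byte addition. `additive_sumup` is an assumed reconstruction of the crypto.e version, based only on the description "simply adding the password bytes"; all function names here are hypothetical.

```python
import math
from itertools import permutations

def additive_sumup(password: bytes) -> int:
    # Assumption: the original crypto.e sumup, as described in the message
    # ("simply adding the password bytes"). Its source is not on this page.
    return sum(password)

def weighted_sumup(password: bytes) -> int:
    # Direct port of the Euphoria sumup posted in the message.
    data = list(password) + [1]          # trailing 1 so data[i+1] always exists
    running, sum_of_sums = 1, 0
    for i in range(len(data) - 1):
        running += data[i]
        sum_of_sums += running * (data[i + 1] + 1)
    return sum_of_sums

def max_seed(fn, length: int = 20) -> int:
    # Both functions grow with every byte value, so all-255 gives the maximum.
    return fn(bytes([255]) * length)

def seed_bits(fn, length: int = 20) -> float:
    # Upper bound on the effective key size: log2 of the number of seeds.
    return math.log2(max_seed(fn, length) + 1)

def distinct_seeds(word: bytes, fn) -> int:
    # How many different seeds the rearrangements of one password produce.
    return len({fn(bytes(p)) for p in permutations(word)})

if __name__ == "__main__":
    for fn in (additive_sumup, weighted_sumup):
        print(fn.__name__,
              "max seed:", max_seed(fn),
              "bits: %.1f" % seed_bits(fn),
              "seeds over permutations of 'abc':", distinct_seeds(b"abc", fn))
```

The seed range, not the password length, bounds the number of distinct keystreams: about 12.3 bits for byte addition and about 23.6 bits for the posted function at 20 characters.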
