Re: Re: Web Cryptomatic

I appreciate the feedback. My original problem was "How to send short strings of text (less that 256 characters) in a hidden form field between two different web sites?" I needed to make the string encrypted enough to not be worth breaking (I'm not passing CC numbers or anything like that).

After looking at some different schemes, my problem became 'How do I whip up a good pad?' and this was my answer. My question is, HOW secure is the above scheme? Are we talking about a couple of hours or a couple of minutes to crack? What if the pad was 32 bytes long? 64?

I whipped up the above code so that I could get some good crypto advice and maybe make something useful. I guess my 'big' question is, can someone break into a short section of text (~256 bytes), encrypted by this engine, without the password?

-oakbox

Comment on Re: Re: Web Cryptomatic

Replies are listed 'Best First'.
Re: Re: Re: Web Cryptomatic by no_slogan (Deacon) on Sep 24, 2001 at 23:13 UTC
It doesn't matter how long your "pad" is, if you cycle through it in a predictable fashion. If the message is longer than the key, you will reuse key bytes. If you reuse key bytes, you're a sitting duck. 256 bytes of encrypted English text would be easy to break in a matter of minutes. Half that or less would probably be enough. When you're doing crypto, don't try to get clever. Use a real cipher module like Crypt::Rijndael or Crypt::IDEA or whatever. There was an article on crypto modules on perl.com recently. If for some reason you can't use one of those, there are secure ways to use hash functions like MD5 for encryption. You have to be very careful, though, because that's not what they were designed to do. For details, see <cite>Applied Cryptography</cite>.	[reply]
Re: : Web Cryptomatic by oakbox (Chaplain) on Sep 25, 2001 at 20:00 UTC
>When you're doing crypto, don't try to get clever. Use a real cipher module . . . You know, this was a little hard to swallow, because I consider myself to be such a clever fellow. I played around with a bunch of different schemes to derive larger pads from a password and ended up feeling like my brains were turning to mush. After spending too much time on what, in the beginning, was a simple problem, I realize I don't know jack about cryptography and should leave it in the hands of people who know what they are doing :) Again, thanks for the advice and pointing out the correct direction to a fellow monk. -oakbox	[reply]
Learning Crypto (was Cryptomatic) by no_slogan (Deacon) on Sep 25, 2001 at 22:59 UTC
>When you're doing crypto, don't try to get clever. You know, this was a little hard to swallow, because I consider myself to be such a clever fellow. I didn't mean to be such a downer. If you're interested in crypto, don't give up. Just use your hubris somewhere it will be productive. Instead of saying to yourself "I can design my own cipher," start with "I can figure out why these other ciphers are designed the way they are." That means both understanding how encryption algorithms work, and what attacks are possible against them. A lot of amazingly smart people have thought about that, and you can learn a lot from their work. So find yourself a good book and dig in - that's what I've been doing.	[reply]