Re: Data Encryption

From: David Wagner (dawat_private)
Date: Fri Sep 06 2002 - 13:00:05 PDT

Next message: Mike Benham: "Re: Data Encryption"

Previous message: Eric Murray: "Re: Data Encryption"
In reply to: Bryan Ponnwitz: "Data Encryption"
Next in thread: Mike Benham: "Re: Data Encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bryan Ponnwitz wrote:
>I've heard that homegrown encryption is asking for trouble, [...]

Good heavens.  Yes, that's a bit of an understatement!

Your scheme is highly insecure.  See below.  If security
matters, you really need to find something better.  Please,
please, don't try to invent your own homebrew crypto: almost
everyone who does this ends up with something broken.

Why not just use SSL?

>All text is encrypted using the following algorithm:
>enc = ((((char + E0) * 2 * E1 + 31 + E2) * E3 + (69 * E4)) * (E5 + E6) +
>(E7 * E8)) * 2 * E9
>Where enc is a Visual Basic Double (8 bytes) and char is the ascii
>character code to encrypt.
[...]
>From Client: EC 03 00 00 70 40 00 40 AB 35 AF A0 70 42 00 40 5B BD 47 CA
>76 42 00 40 7A A6 58 B0 77 42 00 40 A2 62 8C 9B 74 42 00 40 B7 5C D0 46
>76 42 00 80 72 00 71 86 68 42 00 40 E9 07 D1 6C 72 42 00 40 E0 34 AE 67
>76 42 00 40 B7 5C D0 46 76 42 00 40 B7 5C D0 46 76 42 00 40 28 F6 9C 6E
>77 42 00 40 EA 23 7B A2 75 42 00 40 AD 6D 03 0C 77 42 00 40 A3 7E 36 D1
>77 42 00 40 09 0D 8C 88 76 42 00 40 A2 62 8C 9B 74 42 00 40 84 95 25 EB
>76 42 00 40 84 95 25 EB 76 42 00 40 28 F6 9C 6E 77 42 00 40 E0 34 AE 67
>76 42 00 40 5B BD 47 CA 76 42 00 40 1D EB 25 FE 74 42
>This is my username and password; validate me. (usr: Bryan Ponnwitz
>pass: password)

Ahh, so you've got yourself a simple substitution cipher.  In other
words, each character is encrypted the same way.  Simple substitution
ciphers are not very secure (they can be solved in the same way you
solve the crypto-puzzles in the back of the newspaper).

Notice that the above trace reveals that the 3rd and 4th letters of
your password are the same.  Look closely:

>                                                [...] 00 40 84 95 25 EB
>76 42 00 40 84 95 25 EB 76 42 [...]

Do you see what I see?  The "00 40 84 ... 76 42" string is repeated
twice.  It's repeated twice because the letter 's' appears twice in
your password.  That's a sign of terrible insecurity.

There are other flaws in your scheme, too, but it's not worth my time
to type them up here.  Just use something secure, like SSL or SSH or
IPSec or PGP.

Next message: Mike Benham: "Re: Data Encryption"
Previous message: Eric Murray: "Re: Data Encryption"
In reply to: Bryan Ponnwitz: "Data Encryption"
Next in thread: Mike Benham: "Re: Data Encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 14:07:37 PDT