I took a look at it. Amusing. I didn't spend a lot of time on it. Probably not
more than twice what it took me to write this.
It has an obvious problem with known plaintext. You can work backward from
known plaintext to get a piece of their "tumbler" and since the tumbler is just
a big bitstring, work from there to pull out the whole thing.
The encrypted Karacell file format has 64 bits that must decrypt to zero. Since
encryption is an XOR onto a pseudo-one-time-pad, this leaks 64 bits of the
tumbler. Similarly, the "checksum" at the end is a bunch of hash blocks of
their special hash all XORed together. This doesn't work against malicious
modification; you can cut-and-paste through XOR, etc.
There are obvious vulnerabilities to linear and differential cryptanalysis. It
is a lot of XORing on large-ish fixed longterm secrets with only bit-rotating
through the secrets, and between the vulnerabilities of known plaintext as well
as the leaks in it, I don't see a lot of long-term strength. I bet that you can
use known structure of plaintext (like that it's ASCII/UTF8, let alone things
like known headers on XML files) to start prying bits out of the tumblers and
you just work backwards.
But beyond that, it isn't even particularly fast. Since it needs a lot of bit
extraction and rotations, I doubt it would be as fast as AES on a processor
with AES-NI instructions. The whole thing is based on doing 16-bit calculations
and some bit sliding; I don't expect it to be as fast as RC4 or some of the
fast eSTREAM ciphers.
Obviously, I could be missing something, but there are other errors of art that
lead me to think there isn't a lot here. For example, if your basic encryption
system is to take a one-time-pad and try to expand that out to more uses, zero
constants are errors of art. You should know better. There are similar errors
like easily deducible parameters that give more known plaintext. The author
discusses using a text string directly as a key, which is very bad with his
expansion system. He invented his own "message digest" functions, and they look
like complete linear functions to me. They're in uncommented C that's light on
indenting and whitespace. Confirmation bias might be making me miss something,
but it's not like he made it easy for me.
Jon
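The two structural weaknesses described in the post above (a fixed zero header that hands over pad bits under a known-plaintext view, and an XOR-of-hash-blocks checksum that cannot see blocks being rearranged), as an added Python illustration that is not from the post or from Karacell: the tumbler is replaced by a SHA-256 counter-mode stand-in and the "special hash" by SHA-256, both assumptions, and the key and message are constructed.

```python
import hashlib
import hmac

BLOCK = 8
ZERO_HEADER = b"\x00" * 8   # toy model of the 64 bits that must decrypt to zero
KEY = b"constructed demo key, not a real secret"  # constructed, not a real key


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in pseudo-one-time-pad (SHA-256 in counter mode).
    Karacell's tumbler is NOT reproduced; any XOR keystream behaves the same here."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Zero header followed by plaintext, XORed onto the pad."""
    body = ZERO_HEADER + plaintext
    return xor_bytes(body, keystream(key, len(body)))

def pad_bits_leaked_by_header(ciphertext: bytes) -> bytes:
    """The header plaintext is known (all zero), so the first 64 ciphertext
    bits are exactly the first 64 bits of the pad."""
    return ciphertext[:len(ZERO_HEADER)]

def xor_block_checksum(data: bytes) -> bytes:
    """Hash each block, XOR the digests: order-blind, so swapped blocks
    (cut-and-paste) leave the checksum unchanged."""
    acc = bytes(32)
    for i in range(0, len(data), BLOCK):
        acc = xor_bytes(acc, hashlib.sha256(data[i:i + BLOCK]).digest())
    return acc

def swap_blocks(data: bytes, i: int, j: int) -> bytes:
    """Modify a message by exchanging two of its blocks."""
    blocks = [data[k:k + BLOCK] for k in range(0, len(data), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)

def keyed_mac(key: bytes, data: bytes) -> bytes:
    """What the checksum should be: a keyed MAC over the whole message."""
    return hmac.new(key, data, hashlib.sha256).digest()
```

Swapping two 8-byte blocks of a message changes it but leaves xor_block_checksum unchanged, while keyed_mac changes; and the first eight bytes of encrypt's output are equal to keystream(key, 8).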
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography