Regarding the strength of the cipher-beta.r script recently posted:
(this will be my last post to the rebol group on this topic, since it
is now about encryption and not rebol, future correspondance will be
sent directly to you Ryan, if that is ok? I just felt I had to defend the
script one more time)
Basically, Ryan is concerned that this encryption is crackable because
you can just try every passphrase.
I don't see that as a particular problem (see below) and especially I
do not see this as a special problem of this particular algorithm.
Ryan, don't your comments apply to _any_ encryption scheme if you don't use
a good passphrase?
[EMAIL PROTECTED] wrote:
> > It will keep most
> > people out, but it is still quite crackable.
> > Basically all you need to do is try every
> > password--automatically of
> > course...
>
True, but that is true of _any_ encryption.
>Try common words first, 3000^50. Yet still, not a job for the light of
>heart. Though a common five word pass phrase is 3000^5, possibly doable
>by individuals... Of course a one common word pass phrase is not much
>work at all.
See my calculations below. -Alan
> Perhaps you mean if two files are sent with the same passphrase? This
> would be bad, but CipherSaber takes care of t!
hi!
s by appending a random
> 10 character initialization vector to your passphrase, _greatly_
> reducing the chances of two messages being sent with the same
> passphrase. See the CipherSaber site for details.
>
>>Off the hip, I could'nt figure out what they where doing here.
>>Obviously it manages to decode it, thus making it irrelavent. Dont you agree?
You are missing the point of the initvector. It keeps two messages
from being encrypted with the same output stream from the state array.
If two messages are encoded with the same stream, then you can xor them
and get rid of the stream (xor is reversible). Then if you know one
message or part of one message, you can xor and get the other message
or part of it.
> > I am sure the FBI could break it, and the CIA could
> > cut right through it without much trouble. I definitely
> > wouldn't call it a "Carnivo!
re!
Buster." It is
> > probably the exact type of thing they are looking
> > for.
>
>>We can assume for the time being that a 6 or more word passphrase is
>>beyond the reach of your average single mortal hacker. I still would
>>not recommend to put it to the test of any major governments. Probably
>>more than sufficient protection from the IRS though. Police too--I have
>>heard of an instance where they could'nt even crack a zip file
>>password.
Ryan, check out the attached table (and check my math, I did this
rather quickly!) -Alan
I still say this script is the Carnivore Buster! ;) -Alan
>Have you thought of making this into an object or command line
>interface. In a /View based office environment, I could defineatly see
>a use for this type of thing. As a sort of text filter. It could work
>beside other text filters that format REBOL, check spelling, check
>HTML, etc. Your header could go in the about box of whatever application that
>uses it.
In the works.
Table follows:
number of characters Size of passphrase number of bits in passphrase
to choose from (246 maximum) bits=number * log2 size
(many common encryption schemes in use now use 40, 56, or 128 bit encryption)
using lower case letters
26 5 23.50
26 10 47.00
26 15 70.51
26 50 235.02
26 100 470.04
26 246 1156.31
lower and upper case and space
53 5 28.64
53 10 57.28
53 15 85.92
53 50 286.40
53 100 572.79
53 246 1409.07
l & u and space and numbers
63 5 29.89
63 10 59.77
63 15 89.66
63 50 298.86
63 100 597.73
63 246 1470.41
all 'keyboard' characters
95 5 32.85
95 10 65.70
95 15 98.55
95 50 328.49 **
95 100 656.99
95 246 1616.18 **
all ascii characters
256 5 40.00
256 10 80.00
256 15 120.00
256 50 400.00
256 100 800.00
256 246 1968.00 MAXIMUM
3000 common words
3000 5 57.75 **
3000 10 115.51
3000 15 173.26
3000 50 577.54
*
*
Diceware
7776 5 64.62
7776 10 129.25
7776 15 193.87
7776 50 646.24
*
*
* passphrase may contain 246 characters maximum. Number of words
depends on size of the words. If words average 4 to 5 letters long, then
can have about 50 words.
You can increase the entropy of the 3000 common words and the Diceware
words by using capitals and punctuation (all the non-alphanumeric
keyboard characters).
** An example of what this means. Using 246 keyboard characters, it
would take a computer that could test 1 million passphrases per second,
5.25 x 10**472 years to brute-force guess your passphrase.
A more realistic example, 50 keyboard characters --- 1.22 x 10**!
85!
years.
The age of the universe is about 5 x 10**9 years.
And I believe the total number of elemental particles (protons neutrons
electrons) is on the order of 10**40 (can't remember where I read
this).
5 of 3000 common words --- 3.8527 x 10**3 years
Of course, faster computers will reduce these numbers. Can your
computer do 1 billion passphrases per second?
Reduce the _exponents_ of the above numbers by 3.
5 of 3000 common words would take nearly 4 years
With a 1 billion passphrase per second computer.
To decode _1_ encrypted message.
The Carnivore Buster.
