RE: RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
I do have applied cryptography and only suggested using a larger keysize as it increases the work factor for a brute force attack. -Original Message- From: Evan Nemerson [mailto:[EMAIL PROTECTED]] Sent: 22 May 2002 22:39 To: Vinod Panicker; [EMAIL PROTECTED] Subject: Re: RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3 Um, it hasn't been proven as the best algorithm. It merely hasn't been broken... yet. Actually, many people think IDEA is better. According to Bruce Schneier (creator of blowfish and twofish), "...it is the best and most secure block algorithm available to the public at this time..." (Applied Cryptography, 2nd Edition, Section 13.9) Twofish, blowfish, AES, triple-DES... All are more than enough for pretty much anyone, but none has been PROVEN more secure than another, and all will probably be broken eventually. Go-go quantum computing ;) With regards to the "why use AES? Blowfish can have a 448 bit key size!" comment, does that mean if I XOR something with a 4096-bit key, I will have great security??? Sorry that was approaching flame, but I had to illustrate the point- its not just the size of the key that matters; it's how you use it! hehe i'm proud of that one. Now, as for the type of encryption, you really should get a copy of Appled Cryptography, 2nd Edition, and read chapter 9. It depends on your application. All have pros and cons. On Wednesday 22 May 2002 02:24 am, Vinod Panicker wrote: > And why not use AES, which is an industry standard and having > being proven as the best encryption algorithm in recent times? > > http://csrc.nist.gov/encryption/aes/aesfact.html > > As far as ECB mode is concerned, I dont know what problems you are > talking about. I'm aware that the data gets encrypted in > independed blocks and its easier to crack it, but its faster than > other modes. > > Tx, > Vinod. > > On Wed, 22 May 2002 John Horton wrote : > >why use AES? Blowfish can have a 448 bit key size! Also, why use > >ebc mode > >with all the problems which come with it? > >JH > > > >-Original Message- > > From: Vinod Panicker [mailto:[EMAIL PROTECTED]] > >Sent: 22 May 2002 10:06 > >To: Jimmy Lantz > >Cc: [EMAIL PROTECTED] > >Subject: Re: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? > >part 3 > > > > > >There is no use of hashing in file-encryption except to use it > >as > >a check - to see if the decrypted file matches the original > >file. > >To do this check, you can use either MD5 or SHA1. The choice > >is > >urs. > > > >If ur looking for a good encryption algorithm, you might want > >to > >consider AES (Rijndael). It supports encryption using > >different > >key sizes as well as all modes. > > > >You can take your pick from ECB / CBC also. For binary file > >encryption, i would recommend ECB mode. For text files, it > >would > >be better that you use CBC mode. > > > >Tx, > >Vinod. > > > >On Wed, 22 May 2002 Jimmy Lantz wrote : > > >>I believe that twofish has been successfully broken, so use > > >>blowfish > > >>instead. Typically, for encrypting files you will use an > > >>algorithm like > > >>blowfish in cbc mode (as opposed to ebc mode) but I don't > > > >know > > > > >>if Mcrypt > > >>supports this. Also, when creating the hash of the file, it > > > >is > > > > >>probably best > > >>to use SHA-1 instead of MD5, as there appears to be some > > > >concern > > > > >>with MD5 > > >>over it's compression function. > > >>HTH > > >>JH > > > > > >It helps :) > > >I have been looking into Blowfish with cbc mode :) > > >If I use SHA-1 it's still no way to dehash it during > > > >decryption > > > > >of the file, > > >so I fail to see the use of Hashing in fileencryption. > > >Could someone enlighten me? > > >/ Jim > > > > > > > > >-- PHP General Mailing List (http://www.php.net/) > > >To unsubscribe, visit: http://www.php.net/unsub.php > > > >_ > >Click below to visit monsterindia.com and review jobs in India > >or > >Abroad > >http://monsterindia.rediff.com/jobs > > > > > >-- > >PHP General Mailing List (http://www.php.net/) > >To unsubscribe, visit: http://www.php.net/unsub.php > > _ > Click below to visit monsterindia.com and review jobs in India or > Abroad > http://monsterindia.rediff.com/jobs -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Mcrypt: Blowfish or Twofish or no fish?
I was mixing up with the attack against twofish with reduced rounds (I think this is true of blowfish with reduced rounds as well ) -Original Message- From: Evan Nemerson [mailto:[EMAIL PROTECTED]] Sent: 22 May 2002 22:57 To: John Horton; [EMAIL PROTECTED] Subject: Re: [PHP] Mcrypt: Blowfish or Twofish or no fish? Ah, when was twofish broken??? That's news to me if it's true. http://www.counterpane.com/twofish.html http://www.counterpane.com/about-twofish.html On Wednesday 22 May 2002 00:43 am, John Horton wrote: > Hi, > I believe that twofish has been successfully broken, so use blowfish > instead. Typically, for encrypting files you will use an algorithm like > blowfish in cbc mode (as opposed to ebc mode) but I don't know if Mcrypt > supports this. Also, when creating the hash of the file, it is probably > best to use SHA-1 instead of MD5, as there appears to be some concern with > MD5 over it's compression function. > HTH > JH > > -Original Message- > From: Jimmy Lantz [mailto:[EMAIL PROTECTED]] > Sent: 21 May 2002 17:28 > To: [EMAIL PROTECTED] > Subject: [PHP] Mcrypt: Blowfish or Twofish or no fish? > > > Hi, > started playing with Mcrypt and just wanted to ask which encryption method > makes the stronger encryption? > (I can supply the necesary keylength). > Should I go for MCRYPT_BLOWFISH or MCRYPT_TWOFISH? Or no fish at all :) > > So what do I need it for? I'm going to use it encrypting files, sizes > varies between some 100 k's and 4-5 mb's. > / Jim > > Paranoia + A system w/o users = Safe system :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
Ah it would be a good idea to use the hash as a checksum- especially if you encrypt in ECB On Wednesday 22 May 2002 01:30 am, Jimmy Lantz wrote: > >I believe that twofish has been successfully broken, so use blowfish > >instead. Typically, for encrypting files you will use an algorithm like > >blowfish in cbc mode (as opposed to ebc mode) but I don't know if Mcrypt > >supports this. Also, when creating the hash of the file, it is probably > > best to use SHA-1 instead of MD5, as there appears to be some concern > > with MD5 over it's compression function. > >HTH > >JH > > It helps :) > I have been looking into Blowfish with cbc mode :) > If I use SHA-1 it's still no way to dehash it during decryption of the > file, so I fail to see the use of Hashing in fileencryption. > Could someone enlighten me? > / Jim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mcrypt: Blowfish or Twofish or no fish?
Ah, when was twofish broken??? That's news to me if it's true. http://www.counterpane.com/twofish.html http://www.counterpane.com/about-twofish.html On Wednesday 22 May 2002 00:43 am, John Horton wrote: > Hi, > I believe that twofish has been successfully broken, so use blowfish > instead. Typically, for encrypting files you will use an algorithm like > blowfish in cbc mode (as opposed to ebc mode) but I don't know if Mcrypt > supports this. Also, when creating the hash of the file, it is probably > best to use SHA-1 instead of MD5, as there appears to be some concern with > MD5 over it's compression function. > HTH > JH > > -Original Message- > From: Jimmy Lantz [mailto:[EMAIL PROTECTED]] > Sent: 21 May 2002 17:28 > To: [EMAIL PROTECTED] > Subject: [PHP] Mcrypt: Blowfish or Twofish or no fish? > > > Hi, > started playing with Mcrypt and just wanted to ask which encryption method > makes the stronger encryption? > (I can supply the necesary keylength). > Should I go for MCRYPT_BLOWFISH or MCRYPT_TWOFISH? Or no fish at all :) > > So what do I need it for? I'm going to use it encrypting files, sizes > varies between some 100 k's and 4-5 mb's. > / Jim > > Paranoia + A system w/o users = Safe system :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
Um, it hasn't been proven as the best algorithm. It merely hasn't been broken... yet. Actually, many people think IDEA is better. According to Bruce Schneier (creator of blowfish and twofish), "...it is the best and most secure block algorithm available to the public at this time..." (Applied Cryptography, 2nd Edition, Section 13.9) Twofish, blowfish, AES, triple-DES... All are more than enough for pretty much anyone, but none has been PROVEN more secure than another, and all will probably be broken eventually. Go-go quantum computing ;) With regards to the "why use AES? Blowfish can have a 448 bit key size!" comment, does that mean if I XOR something with a 4096-bit key, I will have great security??? Sorry that was approaching flame, but I had to illustrate the point- its not just the size of the key that matters; it's how you use it! hehe i'm proud of that one. Now, as for the type of encryption, you really should get a copy of Appled Cryptography, 2nd Edition, and read chapter 9. It depends on your application. All have pros and cons. On Wednesday 22 May 2002 02:24 am, Vinod Panicker wrote: > And why not use AES, which is an industry standard and having > being proven as the best encryption algorithm in recent times? > > http://csrc.nist.gov/encryption/aes/aesfact.html > > As far as ECB mode is concerned, I dont know what problems you are > talking about. I'm aware that the data gets encrypted in > independed blocks and its easier to crack it, but its faster than > other modes. > > Tx, > Vinod. > > On Wed, 22 May 2002 John Horton wrote : > >why use AES? Blowfish can have a 448 bit key size! Also, why use > >ebc mode > >with all the problems which come with it? > >JH > > > >-Original Message- > > From: Vinod Panicker [mailto:[EMAIL PROTECTED]] > >Sent: 22 May 2002 10:06 > >To: Jimmy Lantz > >Cc: [EMAIL PROTECTED] > >Subject: Re: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? > >part 3 > > > > > >There is no use of hashing in file-encryption except to use it > >as > >a check - to see if the decrypted file matches the original > >file. > >To do this check, you can use either MD5 or SHA1. The choice > >is > >urs. > > > >If ur looking for a good encryption algorithm, you might want > >to > >consider AES (Rijndael). It supports encryption using > >different > >key sizes as well as all modes. > > > >You can take your pick from ECB / CBC also. For binary file > >encryption, i would recommend ECB mode. For text files, it > >would > >be better that you use CBC mode. > > > >Tx, > >Vinod. > > > >On Wed, 22 May 2002 Jimmy Lantz wrote : > > >>I believe that twofish has been successfully broken, so use > > >>blowfish > > >>instead. Typically, for encrypting files you will use an > > >>algorithm like > > >>blowfish in cbc mode (as opposed to ebc mode) but I don't > > > >know > > > > >>if Mcrypt > > >>supports this. Also, when creating the hash of the file, it > > > >is > > > > >>probably best > > >>to use SHA-1 instead of MD5, as there appears to be some > > > >concern > > > > >>with MD5 > > >>over it's compression function. > > >>HTH > > >>JH > > > > > >It helps :) > > >I have been looking into Blowfish with cbc mode :) > > >If I use SHA-1 it's still no way to dehash it during > > > >decryption > > > > >of the file, > > >so I fail to see the use of Hashing in fileencryption. > > >Could someone enlighten me? > > >/ Jim > > > > > > > > >-- PHP General Mailing List (http://www.php.net/) > > >To unsubscribe, visit: http://www.php.net/unsub.php > > > >_ > >Click below to visit monsterindia.com and review jobs in India > >or > >Abroad > >http://monsterindia.rediff.com/jobs > > > > > >-- > >PHP General Mailing List (http://www.php.net/) > >To unsubscribe, visit: http://www.php.net/unsub.php > > _ > Click below to visit monsterindia.com and review jobs in India or > Abroad > http://monsterindia.rediff.com/jobs -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mcrypt: Blowfish or Twofish or no fish? Part 2
On Wed, 22 May 2002, Jimmy Lantz wrote: > Thanx for the suggestions! > Someone mentioned that I could use MD5 and then encrypt the hash, > how would I ever decrypt that? Is'nt MD5 a 1-way thing only? > > Another question? > Should I go for bigger keylength or bigger blocksize or both? What makes > for the best encryption? Does it really make a difference? I'm not exactly crypto-literate, but the idea is to encrypt the thing so that it's not visible by Foo Bar even if he does break into your system. If someone is competent enough to break Mcrypt's 128/256bit cyphers, then it doesn't really matter if you use the "weak" or the "strong" ones. I've used 256bit Rijndael in CBC mode, but I wouldn't feel more/less safe if it was CFB or if it was 3DES. Just my 2c. --thalis > > / Jim > > (and before someone suggest that I read the book Applied cryptography it's > already orderd and on it's way :-) ) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 4
I always hate mentioning this 'cause I feel like an attention whore or something, but nevertheless, I can't get the thing tested thouroughly without a bit of whoring... I've been working on a crypto extension for PHP for a while now, and since you guys seem into the crypto thing, you might like to check it out. It's not really meant to be a replacement for mcrypt/mhash or anything, just as an alternative. (One advantage is that it works on Windows as well as UNIX, and I believe the native, non-cygwin win32 port of libmcrypt/libmhash are no longer maintained.) Anyways, if you're at all interested, see http://www.tutorbuddy.com/software/ It supports pretty much all of the algorithms mcrypt and mhash do, plus a few more. (30-some block and stream ciphers, the usual block cipher modes, and 17 hash/checksum algorithms altogether.) Again, I hate the self-promotion, but as you all probably know, cryptography is useless unless it's been tested, studied and proven to be effective. J -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: RE: RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
Thats why lots of people like Blowfish, including myself. I am using it in a production environment with PHP and mcrypt. In ECB mode, the blocks are encrypted independently, whereas in CBC mode, the blocks are encrypted with information based on the previous block. What this means is that if a particular block which was encrypted using ECB mode is decrypted, it would show the plain text, whereas it wont happen if the data was encrypted using CBC mode. Plain text files can be seen and understood, whereas its much more difficult to understand if the crack attempt on a block of binary data was successful, since the data wont necessarily make any sense. Tx, Vinod. On Wed, 22 May 2002 John Horton wrote : >One of the reasons I like Blowfish is that I have used it for >years, and >there have been no successfull attempts to crack it. >Why do you encrypt binary files in ebc and text files in cbc? >JH >-Original Message- > From: Vinod Panicker [mailto:[EMAIL PROTECTED]] >Sent: 22 May 2002 10:25 >To: John Horton >Cc: [EMAIL PROTECTED]; Jimmy Lantz >Subject: Re: RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no >fish? part >3 > > >And why not use AES, which is an industry standard and having >being proven as the best encryption algorithm in recent times? > >http://csrc.nist.gov/encryption/aes/aesfact.html > >As far as ECB mode is concerned, I dont know what problems you >are >talking about. I'm aware that the data gets encrypted in >independed blocks and its easier to crack it, but its faster >than >other modes. > >Tx, >Vinod. > >On Wed, 22 May 2002 John Horton wrote : > >why use AES? Blowfish can have a 448 bit key size! Also, why >use > >ebc mode > >with all the problems which come with it? > >JH > > > >-Original Message- > > From: Vinod Panicker [mailto:[EMAIL PROTECTED]] > >Sent: 22 May 2002 10:06 > >To: Jimmy Lantz > >Cc: [EMAIL PROTECTED] > >Subject: Re: RE: [PHP] Mcrypt: Blowfish or Twofish or no >fish? > >part 3 > > > > > >There is no use of hashing in file-encryption except to use >it > >as > >a check - to see if the decrypted file matches the original > >file. > >To do this check, you can use either MD5 or SHA1. The choice > >is > >urs. > > > >If ur looking for a good encryption algorithm, you might want > >to > >consider AES (Rijndael). It supports encryption using > >different > >key sizes as well as all modes. > > > >You can take your pick from ECB / CBC also. For binary file > >encryption, i would recommend ECB mode. For text files, it > >would > >be better that you use CBC mode. > > > >Tx, > >Vinod. > > > >On Wed, 22 May 2002 Jimmy Lantz wrote : > > > > > > > > >>I believe that twofish has been successfully broken, so >use > > >>blowfish > > >>instead. Typically, for encrypting files you will use an > > >>algorithm like > > >>blowfish in cbc mode (as opposed to ebc mode) but I don't > >know > > >>if Mcrypt > > >>supports this. Also, when creating the hash of the file, >it > >is > > >>probably best > > >>to use SHA-1 instead of MD5, as there appears to be some > >concern > > >>with MD5 > > >>over it's compression function. > > >>HTH > > >>JH > > > > > >It helps :) > > >I have been looking into Blowfish with cbc mode :) > > >If I use SHA-1 it's still no way to dehash it during > >decryption > > >of the file, > > >so I fail to see the use of Hashing in fileencryption. > > >Could someone enlighten me? > > >/ Jim > > > > > > > > >-- PHP General Mailing List (http://www.php.net/) > > >To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > >_ > >Click below to visit monsterindia.com and review jobs in >India > >or > >Abroad > >http://monsterindia.rediff.com/jobs > > > > > >-- > >PHP General Mailing List (http://www.php.net/) > >To unsubscribe, visit: http://www.php.net/unsub.php > >_ >Click below to visit monsterindia.com and review jobs in India >or >Abroad >http://monsterindia.rediff.com/jobs _ Click below to visit monsterindia.com and review jobs in India or Abroad http://monsterindia.rediff.com/jobs -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
One of the reasons I like Blowfish is that I have used it for years, and there have been no successfull attempts to crack it. Why do you encrypt binary files in ebc and text files in cbc? JH -Original Message- From: Vinod Panicker [mailto:[EMAIL PROTECTED]] Sent: 22 May 2002 10:25 To: John Horton Cc: [EMAIL PROTECTED]; Jimmy Lantz Subject: Re: RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3 And why not use AES, which is an industry standard and having being proven as the best encryption algorithm in recent times? http://csrc.nist.gov/encryption/aes/aesfact.html As far as ECB mode is concerned, I dont know what problems you are talking about. I'm aware that the data gets encrypted in independed blocks and its easier to crack it, but its faster than other modes. Tx, Vinod. On Wed, 22 May 2002 John Horton wrote : >why use AES? Blowfish can have a 448 bit key size! Also, why use >ebc mode >with all the problems which come with it? >JH > >-Original Message- > From: Vinod Panicker [mailto:[EMAIL PROTECTED]] >Sent: 22 May 2002 10:06 >To: Jimmy Lantz >Cc: [EMAIL PROTECTED] >Subject: Re: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? >part 3 > > >There is no use of hashing in file-encryption except to use it >as >a check - to see if the decrypted file matches the original >file. >To do this check, you can use either MD5 or SHA1. The choice >is >urs. > >If ur looking for a good encryption algorithm, you might want >to >consider AES (Rijndael). It supports encryption using >different >key sizes as well as all modes. > >You can take your pick from ECB / CBC also. For binary file >encryption, i would recommend ECB mode. For text files, it >would >be better that you use CBC mode. > >Tx, >Vinod. > >On Wed, 22 May 2002 Jimmy Lantz wrote : > > > > > >>I believe that twofish has been successfully broken, so use > >>blowfish > >>instead. Typically, for encrypting files you will use an > >>algorithm like > >>blowfish in cbc mode (as opposed to ebc mode) but I don't >know > >>if Mcrypt > >>supports this. Also, when creating the hash of the file, it >is > >>probably best > >>to use SHA-1 instead of MD5, as there appears to be some >concern > >>with MD5 > >>over it's compression function. > >>HTH > >>JH > > > >It helps :) > >I have been looking into Blowfish with cbc mode :) > >If I use SHA-1 it's still no way to dehash it during >decryption > >of the file, > >so I fail to see the use of Hashing in fileencryption. > >Could someone enlighten me? > >/ Jim > > > > > >-- PHP General Mailing List (http://www.php.net/) > >To unsubscribe, visit: http://www.php.net/unsub.php > > > >_ >Click below to visit monsterindia.com and review jobs in India >or >Abroad >http://monsterindia.rediff.com/jobs > > >-- >PHP General Mailing List (http://www.php.net/) >To unsubscribe, visit: http://www.php.net/unsub.php _ Click below to visit monsterindia.com and review jobs in India or Abroad http://monsterindia.rediff.com/jobs -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
And why not use AES, which is an industry standard and having being proven as the best encryption algorithm in recent times? http://csrc.nist.gov/encryption/aes/aesfact.html As far as ECB mode is concerned, I dont know what problems you are talking about. I'm aware that the data gets encrypted in independed blocks and its easier to crack it, but its faster than other modes. Tx, Vinod. On Wed, 22 May 2002 John Horton wrote : >why use AES? Blowfish can have a 448 bit key size! Also, why use >ebc mode >with all the problems which come with it? >JH > >-Original Message- > From: Vinod Panicker [mailto:[EMAIL PROTECTED]] >Sent: 22 May 2002 10:06 >To: Jimmy Lantz >Cc: [EMAIL PROTECTED] >Subject: Re: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? >part 3 > > >There is no use of hashing in file-encryption except to use it >as >a check - to see if the decrypted file matches the original >file. >To do this check, you can use either MD5 or SHA1. The choice >is >urs. > >If ur looking for a good encryption algorithm, you might want >to >consider AES (Rijndael). It supports encryption using >different >key sizes as well as all modes. > >You can take your pick from ECB / CBC also. For binary file >encryption, i would recommend ECB mode. For text files, it >would >be better that you use CBC mode. > >Tx, >Vinod. > >On Wed, 22 May 2002 Jimmy Lantz wrote : > > > > > >>I believe that twofish has been successfully broken, so use > >>blowfish > >>instead. Typically, for encrypting files you will use an > >>algorithm like > >>blowfish in cbc mode (as opposed to ebc mode) but I don't >know > >>if Mcrypt > >>supports this. Also, when creating the hash of the file, it >is > >>probably best > >>to use SHA-1 instead of MD5, as there appears to be some >concern > >>with MD5 > >>over it's compression function. > >>HTH > >>JH > > > >It helps :) > >I have been looking into Blowfish with cbc mode :) > >If I use SHA-1 it's still no way to dehash it during >decryption > >of the file, > >so I fail to see the use of Hashing in fileencryption. > >Could someone enlighten me? > >/ Jim > > > > > >-- PHP General Mailing List (http://www.php.net/) > >To unsubscribe, visit: http://www.php.net/unsub.php > > > >_ >Click below to visit monsterindia.com and review jobs in India >or >Abroad >http://monsterindia.rediff.com/jobs > > >-- >PHP General Mailing List (http://www.php.net/) >To unsubscribe, visit: http://www.php.net/unsub.php _ Click below to visit monsterindia.com and review jobs in India or Abroad http://monsterindia.rediff.com/jobs -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
why use AES? Blowfish can have a 448 bit key size! Also, why use ebc mode with all the problems which come with it? JH -Original Message- From: Vinod Panicker [mailto:[EMAIL PROTECTED]] Sent: 22 May 2002 10:06 To: Jimmy Lantz Cc: [EMAIL PROTECTED] Subject: Re: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3 There is no use of hashing in file-encryption except to use it as a check - to see if the decrypted file matches the original file. To do this check, you can use either MD5 or SHA1. The choice is urs. If ur looking for a good encryption algorithm, you might want to consider AES (Rijndael). It supports encryption using different key sizes as well as all modes. You can take your pick from ECB / CBC also. For binary file encryption, i would recommend ECB mode. For text files, it would be better that you use CBC mode. Tx, Vinod. On Wed, 22 May 2002 Jimmy Lantz wrote : > > >>I believe that twofish has been successfully broken, so use >>blowfish >>instead. Typically, for encrypting files you will use an >>algorithm like >>blowfish in cbc mode (as opposed to ebc mode) but I don't know >>if Mcrypt >>supports this. Also, when creating the hash of the file, it is >>probably best >>to use SHA-1 instead of MD5, as there appears to be some concern >>with MD5 >>over it's compression function. >>HTH >>JH > >It helps :) >I have been looking into Blowfish with cbc mode :) >If I use SHA-1 it's still no way to dehash it during decryption >of the file, >so I fail to see the use of Hashing in fileencryption. >Could someone enlighten me? >/ Jim > > >-- PHP General Mailing List (http://www.php.net/) >To unsubscribe, visit: http://www.php.net/unsub.php > _ Click below to visit monsterindia.com and review jobs in India or Abroad http://monsterindia.rediff.com/jobs -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
File hashing is used to take a hash of the clear text. In this way, you can append the hash to the encrypted text. When decrypting, you remove this hash, decrypt the rest of the file, hash this decrypted file and see if the two hashes match up. If they don't then an incorrect key was used with the algorithm (or the data was corrupted somehow). Hashes are typically used as sanity checks in this way. JH -Original Message- From: Jimmy Lantz [mailto:[EMAIL PROTECTED]] Sent: 22 May 2002 09:31 To: [EMAIL PROTECTED] Subject: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3 >I believe that twofish has been successfully broken, so use blowfish >instead. Typically, for encrypting files you will use an algorithm like >blowfish in cbc mode (as opposed to ebc mode) but I don't know if Mcrypt >supports this. Also, when creating the hash of the file, it is probably best >to use SHA-1 instead of MD5, as there appears to be some concern with MD5 >over it's compression function. >HTH >JH It helps :) I have been looking into Blowfish with cbc mode :) If I use SHA-1 it's still no way to dehash it during decryption of the file, so I fail to see the use of Hashing in fileencryption. Could someone enlighten me? / Jim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
There is no use of hashing in file-encryption except to use it as a check - to see if the decrypted file matches the original file. To do this check, you can use either MD5 or SHA1. The choice is urs. If ur looking for a good encryption algorithm, you might want to consider AES (Rijndael). It supports encryption using different key sizes as well as all modes. You can take your pick from ECB / CBC also. For binary file encryption, i would recommend ECB mode. For text files, it would be better that you use CBC mode. Tx, Vinod. On Wed, 22 May 2002 Jimmy Lantz wrote : > > >>I believe that twofish has been successfully broken, so use >>blowfish >>instead. Typically, for encrypting files you will use an >>algorithm like >>blowfish in cbc mode (as opposed to ebc mode) but I don't know >>if Mcrypt >>supports this. Also, when creating the hash of the file, it is >>probably best >>to use SHA-1 instead of MD5, as there appears to be some concern >>with MD5 >>over it's compression function. >>HTH >>JH > >It helps :) >I have been looking into Blowfish with cbc mode :) >If I use SHA-1 it's still no way to dehash it during decryption >of the file, >so I fail to see the use of Hashing in fileencryption. >Could someone enlighten me? >/ Jim > > >-- PHP General Mailing List (http://www.php.net/) >To unsubscribe, visit: http://www.php.net/unsub.php > _ Click below to visit monsterindia.com and review jobs in India or Abroad http://monsterindia.rediff.com/jobs -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? part 3
>I believe that twofish has been successfully broken, so use blowfish >instead. Typically, for encrypting files you will use an algorithm like >blowfish in cbc mode (as opposed to ebc mode) but I don't know if Mcrypt >supports this. Also, when creating the hash of the file, it is probably best >to use SHA-1 instead of MD5, as there appears to be some concern with MD5 >over it's compression function. >HTH >JH It helps :) I have been looking into Blowfish with cbc mode :) If I use SHA-1 it's still no way to dehash it during decryption of the file, so I fail to see the use of Hashing in fileencryption. Could someone enlighten me? / Jim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Mcrypt: Blowfish or Twofish or no fish?
Hi, I believe that twofish has been successfully broken, so use blowfish instead. Typically, for encrypting files you will use an algorithm like blowfish in cbc mode (as opposed to ebc mode) but I don't know if Mcrypt supports this. Also, when creating the hash of the file, it is probably best to use SHA-1 instead of MD5, as there appears to be some concern with MD5 over it's compression function. HTH JH -Original Message- From: Jimmy Lantz [mailto:[EMAIL PROTECTED]] Sent: 21 May 2002 17:28 To: [EMAIL PROTECTED] Subject: [PHP] Mcrypt: Blowfish or Twofish or no fish? Hi, started playing with Mcrypt and just wanted to ask which encryption method makes the stronger encryption? (I can supply the necesary keylength). Should I go for MCRYPT_BLOWFISH or MCRYPT_TWOFISH? Or no fish at all :) So what do I need it for? I'm going to use it encrypting files, sizes varies between some 100 k's and 4-5 mb's. / Jim Paranoia + A system w/o users = Safe system :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Mcrypt: Blowfish or Twofish or no fish? Part 2
Jimmy, You could md5 something and send it encrypted and then verify the md5, something similar to sharing keys...md5 is similar to a key...i use it as something similar to kerberos... And yes, MD5 is a one-way hash...which comes in handy... Just remember that bigger is almost always better. I would suggest trying all three (blocksize, keylength, and both) and see which one works best for you. You should see how your system deals with it and then decide...I like to have bigger keylenghts personally... Thanks, Ray Hunter -Original Message- From: Jimmy Lantz [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 12:58 AM To: [EMAIL PROTECTED] Subject: [PHP] Mcrypt: Blowfish or Twofish or no fish? Part 2 Thanx for the suggestions! Someone mentioned that I could use MD5 and then encrypt the hash, how would I ever decrypt that? Is'nt MD5 a 1-way thing only? Another question? Should I go for bigger keylength or bigger blocksize or both? What makes for the best encryption? / Jim (and before someone suggest that I read the book Applied cryptography it's already orderd and on it's way :-) ) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mcrypt: Blowfish or Twofish or no fish? Part 2
Yes Jimmy, you are correct. MD5 is a one-way hash. Its used for getting a unique fingerprint of some data (like files / passwords etc) so that it can be compared with another MD5 hash. Thats the point of a hashing algorithm like MD5 and SHA1 - you should never need to decrypt the data. Refer to how Digital signatures and PKI works - they use MD5 hashes. The next question - A bigger keylength means stronger encryption - but it also means more CPU cycles. A bigger blocksize means that bigger chunks of data are encrypted at a time. Its always a balance that needs to be found over here - you cant use a keylength that is 2048 bits - it will give u the strongest encryption, but it will also take a lot of time. Tx, Vinod. On Wed, 22 May 2002 Jimmy Lantz wrote : >Thanx for the suggestions! >Someone mentioned that I could use MD5 and then encrypt the >hash, >how would I ever decrypt that? Is'nt MD5 a 1-way thing only? > >Another question? >Should I go for bigger keylength or bigger blocksize or both? >What makes for the best encryption? > >/ Jim > >(and before someone suggest that I read the book Applied >cryptography it's already orderd and on it's way :-) ) > > >-- PHP General Mailing List (http://www.php.net/) >To unsubscribe, visit: http://www.php.net/unsub.php > _ Click below to visit monsterindia.com and review jobs in India or Abroad http://monsterindia.rediff.com/jobs -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mcrypt: Blowfish or Twofish or no fish?
On Tue, 21 May 2002, Jimmy Lantz wrote: > Hi, > started playing with Mcrypt and just wanted to ask which encryption method > makes the stronger encryption? > (I can supply the necesary keylength). > Should I go for MCRYPT_BLOWFISH or MCRYPT_TWOFISH? Or no fish at all :) > > So what do I need it for? I'm going to use it encrypting files, sizes > varies between some 100 k's and 4-5 mb's. > / Jim > > Paranoia + A system w/o users = Safe system :) I'd suggest you went for neither. Rijndael is the AES (http://csrc.nist.gov/encryption/aes/) block cypher of choice. You can take it all the way up to 256 and its a standard. Of course that can mean one of two things: it was approved either because it can be broken, or because it is infact good. How paranoid are you 8-) I don't know though how fast it is. More online at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ cheers, thalis > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mcrypt: Blowfish or Twofish or no fish?
hiya, twofish runs at just over 25MB/sec when compiled into a test VC++ application, blowfish runs at 18MB/sec. As far as I remember, if you use the same keylenght (256 or 128) then you should get around the same level of encryption (probably not exact, but if one was that much weaker there'd be a warning on the Mcrypt page). HTH, Dw Sqlcoders.com Dynamic data driven web solutions - Original Message - From: "Jimmy Lantz" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: May 21 2002 09:27 AM Subject: [PHP] Mcrypt: Blowfish or Twofish or no fish? > Hi, > started playing with Mcrypt and just wanted to ask which encryption method > makes the stronger encryption? > (I can supply the necesary keylength). > Should I go for MCRYPT_BLOWFISH or MCRYPT_TWOFISH? Or no fish at all :) > > So what do I need it for? I'm going to use it encrypting files, sizes > varies between some 100 k's and 4-5 mb's. > / Jim > > Paranoia + A system w/o users = Safe system :) > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php