On Tuesday, March 2, 2004, at 09:07 AM, Richard Gaskin wrote:
As I mentioned in the article, I'm pretty ignorant on encryption, esp. compared to seasoned cryptohobbyists like Mark Brownell. So here's a question I can't answer about my own code:
If one were to try to characterize the relative strength of the "MDX" algorithm used in fwPack/fwUnpack, what phrase would be appropriate?
This is just too juicy to pass up. How about "Don't forget to drink your chocolate flavored Ovaltene."
For example, we hear about 128-bit encryption, but I couldn't find a primer dumbed-down enough to explain what that means in lay terms.
I need to see what controls there are for the "MDX" algorithm's passwords length before I can determine the bit level. In other words I just started looking at it.
Blowfish uses more than 500 iterations of changes on two 32 bit blocks at a time sending them left and right through each other. Blowfish is a 64 bit block-cypher. One very important recommendation while using powerful block-cyphers is in not doing so in a way that all you end up getting is a fixed code book kind of result. This fixed code book type is referred to as EBC, Electronic Code Book. One way to avoid creating a fixed code book is to use the first 32 bit word to XOR the next 32 bit word then use the second 32 bit XORed word to XOR the third 32 bit word. This alone would still be a weaker form of encryption. What can really change things is to either pass eight unrelated secret characters to XOR the first eight characters or to pad the text to be encrypted with eight randomly generated characters first. When decoding takes place the additional characters can be removed before viewing the text. This is known as CBC, Cypher Block Chaining.
If you add eight randomly chosen characters & CBC to your MDX, then it will be much harder to crack your 32 bit (I guess) encryption level. I need to look at it closer. It looks like you are XORing one char at a time. This would make it an 8 bit block cypher.
Here is how Blowfish increases encryption levels. If a user uses 32 bit level then four characters are used over and aver to encrypt with. Other levels are 64 bit uses 8 charaters, and 128 bit uses 16 characters. All example keys for Blowfish are 56 characters long.
Example 32 bit 56 char key: abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
Example 64 bit 56 char key: abcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefgh
Example 128 bit 56 char key: abcdefghijklmnopabcdefghijklmnopabcdefghijklmnopabcdefgh
Also, how easy would it be to crack MDX?
-- Richard Gaskin
If a programer had the MDX algorithm then a brute force attack would take about one minute to one hour. The 54 bit encryption level was cracked by a brute force attack using several computers in a long weekend. The trick is to just try every possible access key, eventually you get the one that works. If your access key is only four characters then there are only 256*256*256*256 (4,294,967,296) possible keys. If your algorithm restricts characters to the first 128 ascii characters then there are only 128*128*128*128 (68,435,456) possible keys. (This is assuming a four char key that I saw on the list as an example.)
So one way to stop the practicality of brute force attacks is to deliberately put a one second delay on processing the algorithm. If your application or CGI has a password input point then this one second delay will make a brute force attack difficult.
100,000,000 brute force attempts with a one second delay would take more than three to four years on a single computer. It would take 1000 computers hitting your CGI continuously to get past half of the possibilities in a single day or two. I doubt if that is even possible.
more later... i'm out RVing
Mark
_______________________________________________ use-revolution mailing list [EMAIL PROTECTED] http://lists.runrev.com/mailman/listinfo/use-revolution
