Page 3 of 3
Re: Encryption Challenge!
Posted: Tue Aug 26, 2008 12:30 pm
by Parody
Mordred: Your decryption crack relies on the key being 32 characters long (md5), if md5 was not used the key would be of any length the method used would be invalid and if another decryption crack were to be used it would have to be much more complex.
Also: If the key itself defined the order of the characters in the encryption text (the characters were moved around depending upon the values of the key characters) the cipher would surely be much stronger.
The process could output "aaaaaaaaaa" and the string be: "DevNetwork" due to the output being nearly purely defined by the key and its properties as a combination of characters, there could be no way of decrypting that could there?
The process could be repeated a specified number of times (which the key could also define) to make a brute force extremely long winded in comparison to just once.
I'm trying to think of theoretical ways in which this basic cipher could be improved.
Don't post just to tell me to stop, I'd prefer if you didn't bother. This is just an interest now.
Re: Encryption Challenge!
Posted: Tue Aug 26, 2008 2:26 pm
by Mordred
Parody wrote:Mordred: Your decryption crack relies on the key being 32 characters long (md5), if md5 was not used the key would be of any length the method used would be invalid and if another decryption crack were to be used it would have to be much more complex.
On the contrary, one would only multiply the number of attempts by the unknown key length, by just trying all possible key lengths. Plus, in some cases, such as your particular cipher, there's an analytic tool: the index of coincidence, which may be used to find the key length.
If you want to learn more about cryptography, start by studying the classic ciphers and the ways to break them, then move on to the currently used ciphers.
Re: Encryption Challenge!
Posted: Tue Aug 26, 2008 3:11 pm
by Parody
Isn't that just brute forcing the key and programmatically checking whether the output is comprehensible by a human? Surely most ciphers are subject to this flaw.
What about the other ideas? Surely if the complete equation contains enough unknown variables (which the key provides) the only way to break it would be brute force.
Re: Encryption Challenge!
Posted: Tue Aug 26, 2008 3:30 pm
by Mordred
You're not reading carefully. I said to try different values for the key length, not the key. My attack does not depend on a specific key length value, I just happened to know it's 31. I could have tried index of coincidence to see if any particular key length was used, or I could have tried increasing key lengths. This increases the complexity of the attack only by a small constant, it's not bruteforce.
And anyway this is not the place to discuss new cryptography algos (apart from telling people that they shouldn't design new algos, hehe). There are enough books and sites out there, go read them if you're really interested.
Re: Encryption Challenge!
Posted: Tue Aug 26, 2008 3:58 pm
by Parody
Ok, I understand.
Thanks Mordred
Re: Encryption Challenge!
Posted: Thu Aug 28, 2008 6:47 pm
by Parody
I know this discussion sort of ended, but I remembered the logic puzzle with the locked box.
The puzzle:
You need to send a precious item to another person.
You have a box and several locks with the keys.
How do you send the precious item to the other person whilst ensuring the box is not opened en route or can be opened at any point by anyone other than you and the person the item is intended for?
The answer:
Place the item in the box and lock the box with one of your locks and send the box to the other person
The other person will attach their own lock to the box and send the box back to you
You then remove your own lock and send the box back to the other person, who can then unlock the box which is now only locked by their own lock
I'm sure you've all heard the puzzle before, but is this ever applied in encryption? The advantages are that a key is never sent between the two parties (just as a physical key is not sent in the puzzle) and both parties can use completely randomly generated keys (which would further increase security), have never communicated before and still benefit from complete security and all the while the data is always encrypted whilst being sent (obviously).
I have no idea if this is already done and I know I risk seeming ignorrant, I'm just curious.
Re: Encryption Challenge!
Posted: Fri Aug 29, 2008 3:33 am
by Mordred
Good thinking!
It's known as
Three-pass protocol, first suggested by Adi Sharmir (the S in RSA).
A very important thing that is missing from the Wikipedia article is that XOR, which is the first obvious candidate for an encryption function
will not work in the presence of an eavesdropper.
Alice sends the message M xor her key A
Bob sends back M xor A xor B
Alice sends back M xor A xor B xor A = M xor B
Bob decrypts with B.
If Eve listened to that traffic, she has all three messages: M xor A, M xor B and M xor A xor B
If she combines them: M xor A xor M xor B xor M xor A xor B = .... M (!)
Another problem is that it triples the transfer. Yet another problem is MITM attack, although I can't imagine the details without sitting to think it through
There are other protocols which can exhange session keys over an insecure channel, I have used
SRP, which is patent-free and mature (two very desirable properties in a protocol

Re: Encryption Challenge!
Posted: Fri Aug 29, 2008 4:44 am
by Parody
How would you combine 3 encrypted strings?
Does that also mean that if you had three encrypted strings:
String encrypted with key1
String encrypted with key1 and then key2
String encrypted with key2
You could calculate the "String" regardless of what encryption was implemented?
I realise that the three pass protocol system would only work if the cipher/encryption used could be reversed on the string regardless of the string itself.
In case that doesn't make sense: The string is encrypted with key1 and then key2 and then decrypted with key1 and then key2; so a string finally encrypted with key2 is decrypted with key1 first. Like this (M=String, A=Key1, B=Key2): (Multiplication is used to represent encryption)
M x A
M x A x B
M x B
M x A
Which works fine in algebra, but if the string is used in the encryption like I suggested with my own (albeit terrible) cipher then the process will not work as you are essentially decrypting with the wrong key. How could this be achieved using a strong, mature protocol? (It works with my cipher).
Re: Encryption Challenge!
Posted: Fri Aug 29, 2008 5:28 am
by Mordred
1. No, it won't work with your cipher, because it doesn't fulfill the requirement of the three-pass protocol (essentially, that you could apply decryption operations in any order)
2. The vulnerability I described works only if XOR was used for the encryption/decryption function. Do you know what XOR is?
3. By "combine" I meant XOR, check the example I already gave.
Read the wikipedia articles I linked, they explain the details. SRP (it's a link in my previous post) is a bit complicated, but it works and assures mutual authentication between the two parties and a shared session key, without ever transporting the key itself.
I can see you're interested in cryptography, so you should realy realy go read a book about it. There are lots of really basic things that elude you, which are explained in the texts.
This crypto faq has a list of recommendations:
http://www.spinstop.com/schlafly/crypto/faq.htm
Also try this site:
http://www.youdzone.com/cryptobooks.html
Good luck

Re: Encryption Challenge!
Posted: Fri Aug 29, 2008 10:31 am
by Parody
I assure you it does work with mine.
Code: Select all
$key1="Key1";
$key2="Keytwo";
if(!isset($string)){$string="Three pass string";}
print"<br><br><br><br>Testing Three-Pass-Protocol with key1=$key1, key2=$key2 and string='$string'<br><br>";
$one=fusionencrypt($string,$key1);//Sender encryption
$two=fusionencrypt($one,$key2);//Reciever encryption
$three=fusiondecrypt($two,$key1);//Sender decryption
$four=fusiondecrypt($three,$key2);//Reciever decryption
print"Step1: $one<br>";
print"Step2: $two<br>";
print"Step3: $three<br>";
print"Final: $four<br>";
It works because the decryption does not take into consideration the actual value of the string's characters, only the length which does not change through encryption which is the only way a three pass protocol compatible cipher/encryption could work isn't it?
Re: Encryption Challenge!
Posted: Fri Aug 29, 2008 11:01 am
by Mordred
I apologise, you are indeed correct.
The problem with your cipher is that it is inherently weak, so Eve would be able to recover the plaintext by intercepting either the first or the third message (not sure if the second will do too, but it doesn't matter).
Hmm, actually, come to think of it, it appears also vulnerable to the attack I described against XOR.
If you add the numeric values of $one and $three and subtract $two, you should get the plaintext.
Maybe try Shamir's prime number modulo function (but you first have to figure out how to generate large prime numbers, you'll need a big number library and a bit of reading how to test for primeness). Still, the sources warn that this scheme is vulnerable to MITM attacks (which are harder than eavesdropping, but might be still possible), so you'd better move on to another. Pick one that is well covered in the literature and has plenty of implementations in many languages.
Re: Encryption Challenge!
Posted: Fri Aug 29, 2008 11:18 am
by Parody
I'm just trying out AES and it seems that when the following strings are encrypted with the key "password" and sent via POST they are not decryptable with the same key:
12
password
and when the key is just "pass" the string 'var12' does not decrypt once encrypted.
I'm using these functions to encrypt and decrypt AES:
function aesencrypt($string,$key){
$modkey=substr(str_repeat($key,round(32/strlen($key)+0.5)),0,32);
$aes= new AES($modkey);
$encrypted=$aes->encrypt($string);
$string=str_replace(" ","SPACEREPLACE",$encrypted);
$string=str_replace("&","AMPERSANDREPLACE",$string);
$string=str_replace("=","EQUALREPLACE",$string);
return $string;
}
function aesdecrypt($string,$key){
$modkey=substr(str_repeat($key,round(32/strlen($key)+0.5)),0,32);
$aes= new AES($modkey);
$string=str_replace("SPACEREPLACE"," ",$string);
$string=str_replace("AMPERSANDREPLACE","&",$string);
$string=str_replace("EQUALREPLACE","=",$string);
$string=$aes->decrypt($string);
return $string;
}
These functions are so I can use any key I want and I'm using the phpaes.com implementation. I'm encrypting before sending and decrypting at the other end. I'm using CURL to send the POST variables.
Any ideas why this would happen with this setup?