Your honest opinion...
I've spent the past week or so perfecting a 'string transformation project'- e.n.c.o.d.e
Basically, I'm opening it to the public for around 24 hours (user and pass 'tester') and I'd really like to know what you think.
It's at http://encode.fusionnx.com
Let me know what you think by replying, PMing or emailing robokoder@gmail.com
Thanks!
- evilmonkey
- Forum Regular
- Posts: 823
- Joined: Sun Oct 06, 2002 1:24 pm
- Location: Toronto, Canada
It's not perfect, but I reckon it serves most of its purposes.
Just to deal with the point about time restriction- if you knew my host (supanames), you'd understand my need to be careful. They stopped my ENTIRE site when too many people used a php script, and the transformation process has quite a lot of steps, and is easily about as complex as the other script. Much as I like this project, I can't let it interfere with other operations I run.
When I first devised it, it only used lower-case letters. When I decided to add support for upper-case letters, it was simply impossible to change the entire fundamental base of the script. That's why it makes them lower-case. About punctuation- again that's a new addition, and my idea was to replace all punctuation with a code beginning in 'qf' (replacing them in the final stage of the detransformation). I am aware that question marks can screw up and I am trying to fix that problem.
Granted, there's not a whole load of need, but I made it for three reasons:
1. For friends, most of whom would look at me blankly if I talked in any way as to how to encrypt/decrypt stuff with different php functions (or any other systems for that matter- basically none of them know what php even is). This site allows them to disguise email messages, for example, from our network's automatic content filtering. It's about privacy.
2. My thinking is, if nobody knows the algorithm, how can they crack it?! Once I've finished working on allowing people to encrypt with specific keys, I'm pretty sure that the transformed string will be pretty secure, even from brute-forcing. (Due to the fact that queries are restricted to one per 2 mins)
3. The heck of it. It's pretty satisfying to have made a function yourself that takes a regular string (with punctuation and spaces) and returns it as complete nonsense. Then when the detransformer returns the original string from the nonsense, that brought a smile to my face lol!
Incidentally, the reason it's not labeled as an encryption project is due to possible legal issues
robokoder wrote: Just to deal with the point about time restriction- if you knew my host (supanames), you'd understand my need to be careful. They stopped my ENTIRE site when too many people used a php script, and the transformation process has quite a lot of steps, and is easily about as complex as the other script. Much as I like this project, I can't let it interfere with other operations I run.
There are plenty of algorithms that can be run in a single step that are sufficiently secure for most purposes. Further, if your host has that behavior, I'd change hosts. Running a script shouldn't have that much impact, and if it does, then you coded it poorly, or you shouldn't make it available to the world.
robokoder wrote: 1. For friends, most of whom would look at me blankly if I talked in any way as to how to encrypt/decrypt stuff with different php functions (or any other systems for that matter- basically none of them know what php even is). This site allows them to disguise email messages, for example, from our network's automatic content filtering. It's about privacy.
That privacy requires trust - they have to trust that your site doesn't log input to it.
Or as the cryptography faq says: "If the vendor won't tell you exactly and clearly what's going on inside, you can be sure that they're hiding something, and that the only one to suffer as a result will be you, the customer"
robokoder wrote: 2. My thinking is, if nobody knows the algorithm, how can they crack it?! Once I've finished working on allowing people to encrypt with specific keys, I'm pretty sure that the transformed string will be pretty secure, even from brute-forcing. (Due to the fact that queries are restricted to one per 2 mins)
Again, from the crypto faq:
CryptoFaq wrote: Avoid software which uses secret algorithms. This is not considered a safe means of protecting data. If the vendor isn't confident that its encryption method can withstand scrutiny, then you should be wary of trusting it.
A common excuse for not disclosing an algorithm is that "hackers might try to crack the program's security." While this may be a valid concern, it should be noted that such "hackers" can reverse-engineer the program to see how it works anyway. This is not a problem if the algorithm is strong and the program is implemented properly.
robokoder wrote: Incidentally, the reason it's not labeled as an encryption project is due to possible legal issues
Such as?
If I wanted to do my friends such a favor I'd redirect them to something such as http://www.pgpi.org/.
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
robokoder wrote: It's not perfect, but I reckon it serves most of its purposes.
Just to deal with the point about time restriction- if you knew my host (supanames), you'd understand my need to be careful. They stopped my ENTIRE site when too many people used a php script, and the transformation process has quite a lot of steps, and is easily about as complex as the other script. Much as I like this project, I can't let it interfere with other operations I run.
When I first devised it, it only used lower-case letters. When I decided to add support for upper-case letters, it was simply impossible to change the entire fundamental base of the script. That's why it makes them lower-case. About punctuation- again that's a new addition, and my idea was to replace all punctuation with a code beginning in 'qf' (replacing them in the final stage of the detransformation). I am aware that question marks can screw up and I am trying to fix that problem.
Granted, there's not a whole load of need, but I made it for three reasons:
1. For friends, most of whom would look at me blankly if I talked in any way as to how to encrypt/decrypt stuff with different php functions (or any other systems for that matter- basically none of them know what php even is). This site allows them to disguise email messages, for example, from our network's automatic content filtering. It's about privacy.
2. My thinking is, if nobody knows the algorithm, how can they crack it?! Once I've finished working on allowing people to encrypt with specific keys, I'm pretty sure that the transformed string will be pretty secure, even from brute-forcing. (Due to the fact that queries are restricted to one per 2 mins)
3. The heck of it. It's pretty satisfying to have made a function yourself that takes a regular string (with punctuation and spaces) and returns it as complete nonsense. Then when the detransformer returns the original string from the nonsense, that brought a smile to my face lol!
Incidentally, the reason it's not labeled as an encryption project is due to possible legal issues
Security through obscurity....
Unfortunately...cryptanalysts are usually amazing problem solvers and excellent at recognizing patterns...
Therefore it doesn't matter if your algorithm is unknown...by feeding your engine known strings and having returned encoded strings and vice versa is likely enough for a professional to figure out your algorithm and find loopholes...etc...
Other than for pure introduction into the world of cryptography, I doubt your algorithm is viable for anything more than shoots and giggles
Cheers
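The point made in the post above, as an added example that is not part of the original thread and is not robokoder's algorithm: a constructed keyless transform whose hidden internal constants fall out of a single known input/output pair, which is why secrecy of the algorithm cannot stand in for a key. All names here (`secret_encode`, `_SCHEDULE`, `recover_schedule`, `decode_with`) are hypothetical.

```python
import string

ALPHABET = string.ascii_lowercase

# Constructed stand-in for a "secret algorithm" with no user-supplied key.
# The only secret is this constant baked into the program (hypothetical values).
_SCHEDULE = [7, 19, 3, 11, 23]


def secret_encode(text):
    """Shift each letter by a position-dependent amount; other characters pass through."""
    out = []
    for i, ch in enumerate(text.lower()):
        if ch in ALPHABET:
            shift = _SCHEDULE[i % len(_SCHEDULE)]
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def recover_schedule(oracle, max_period=16):
    """Reconstruct the hidden shifts from one known plaintext of repeated 'a'.

    'a' has index 0, so every output letter is the shift applied at that position.
    """
    probe = "a" * (2 * max_period)
    shifts = [ALPHABET.index(c) for c in oracle(probe)]
    for period in range(1, max_period + 1):
        if all(shifts[i] == shifts[i % period] for i in range(len(shifts))):
            return shifts[:period]
    return shifts  # no repetition found within max_period


def decode_with(schedule, ciphertext):
    """Invert the transform using only what the input/output pair revealed."""
    out = []
    for i, ch in enumerate(ciphertext):
        if ch in ALPHABET:
            shift = schedule[i % len(schedule)]
            out.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    learned = recover_schedule(secret_encode)
    print(learned, decode_with(learned, secret_encode("meet me at noon")))
```

With a published algorithm and a per-user secret key, the same observation reveals nothing reusable, which is the property the crypto FAQ quotes in this thread are asking for.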
mickd wrote: btw, brute forcers can use proxies to avoid the 2 minute wait.
I've implemented protections against web proxies- tell me if you find one that works, 'cos you should get an error.
Roja wrote: robokoder wrote:
Incidentally, the reason it's not labeled as an encryption project is due to possible legal issues
Such as?
Something to do with suggesting that it is a safe way of disguising data- this is not an encryption standard
Roja wrote: robokoder wrote:
Just to deal with the point about time restriction- if you knew my host (supanames), you'd understand my need to be careful. They stopped my ENTIRE site when too many people used a php script, and the transformation process has quite a lot of steps, and is easily about as complex as the other script. Much as I like this project, I can't let it interfere with other operations I run.
There are plenty of algorithms that can be run in a single step that are sufficiently secure for most purposes. Further, if your host has that behavior, I'd change hosts. Running a script shouldn't have that much impact, and if it does, then you coded it poorly, or you shouldn't make it available to the world.
I am stuck with them until September
Roja wrote: robokoder wrote:
1. For friends, most of whom would look at me blankly if I talked in any way as to how to encrypt/decrypt stuff with different php functions (or any other systems for that matter- basically none of them know what php even is). This site allows them to disguise email messages, for example, from our network's automatic content filtering. It's about privacy.
That privacy requires trust - they have to trust that your site doesn't log input to it.
Or as the cryptography faq says: "If the vendor won't tell you exactly and clearly what's going on inside, you can be sure that they're hiding something, and that the only one to suffer as a result will be you, the customer"
Sommat to do with them being my friends- trust is kinda implied.
Also, remember that I've yet to build in support for keys, so releasing the algorithm would be kinda pointless, seeing as it's the only thing that keeps the messages private
Finally, I'd like to challenge anybody and everybody to try and crack my algorithm, short of hacking into the site and stealing it. I strongly doubt anyone will manage!
robokoder wrote: Finally, I'd like to challenge anybody and everybody to try and crack my algorithm, short of hacking into the site and stealing it. I strongly doubt anyone will manage!
You asked for honest opinions, and you got them.
A "Secret" algorithm isn't trustable, isn't secure, and doesn't secure anything, except your ability to access the data of the people submitting it.
Your challenge doesn't stand up - if you want a secure algorithm, release it for public scrutiny. Crypto algorithms don't get challenged behind a time-locked, ip-locked, limited site. They get challenged by having math PhDs pore over the delicate interactions of the bits to ensure that you didn't make any errors, anywhere in your implementation.
Congratulations on making a site that does what you want. However, it falls far short of what people would want to use it for.