[REBOL] Encryption with REBOL Re:(2)
From: civicminded4:yah:oo at: 31-Aug-2000 12:35
--0-596516649-967750511=:26976
Content-Type: text/plain; charset=us-ascii
Ryan, thank you for your response. I have a few comments/questions however...
(let me preface all of this with the fact that I am not an encryption expert, or even
a novice, I am going by my understanding of the info from the sites listed in the script
and links therein. I am genuinely interested to hear comments about the strength od
the ARC4 algorithm)
--- [ryanc--iesco-dms--com] wrote:
...
> It will keep most
> people out, but it is still quite crackable.
> Basically all you need to do is try every
> password--automatically of
> course...
True, but that is true of _any_ encryption. If you choose a significantly long and random
passphrase, then the time required to try every passphrase is _very_ large. You are speaking
here of a brute-force attack. Given enough time and computing power any encryption is
"crackable" by brute-force (excepting maybe the one-time pad?). Remember, this is based
on ARC4 (RC4 of RSA), and while RC4 with 40 bit passphrases is brute-force "crackable",
you can have a _much_ larger passphrase, as with this script you can choose the passphrase
yourself [upto 246 ascii characters long. Even just using letters numbers and spaces
you have 63 possible characters. 246 places with 63 possibilities each... 63^246 ...
you do the math :) ]
...
> Even easier is if someone sends a two files
> of the same type ,as bmp's for instance, it
> practically gives
> you the password.
How?
Perhaps you mean if two files are sent with the same passphrase? This would be bad,
but CipherSaber takes care of this by appending a random 10 character initialization
vector to your passphrase, _greatly_ reducing the chances of two messages being sent
with the same passphrase. See the CipherSaber site for details.
> I am sure the FBI could break it, and the CIA could
> cut right through it without much trouble. I
> definitely
> wouldn't call it a "Carnivore Buster." It is
> probably the exact type of thing they are looking
> for.
Again, only brute-force "crackable" if you use a too-short, non-random passphrase.
I doubt that with the volume of mail going through a Carnivore system, spending years
(or even hours or minutes) to crack each and every one of millions of e-mails is worth
the FBI or CIA's time or even within their budgets. Just pick a length of passphrase
appropriate to the sensitivity of the data.
> On the other hand, Its really good though for
> keeping ISP's and hackers from reading your email.
and your spouse, your boss, your business competitor... ;)
> Why bother spending
> 5 weeks to decode someone's email? Most people
> wouldn't consider it, unless they were getting paid
> to do so.
Ryan, if you know of any way to "crack" RC4 (other than brute force) I would be very
interested in knowing it. Both encryption and rebol are new to me and I would appreciate
any feedback either on the algorithm or the workings of the script itself.
--0-596516649-967750511=:26976
Content-Type: text/html; charset=us-ascii
<P>Ryan, thank you for your response. I have a few comments/questions however...</P>
<P>(let me preface all of this with the fact that I am not an encryption expert, or even
a novice, I am going by my understanding of the info from the sites listed in the script
and links therein. I am genuinely interested to hear comments about the strength
od the ARC4 algorithm)</P>
<P><BR>--- [ryanc--iesco-dms--com] wrote: <BR> ... <BR>> It will keep most <BR>>
people out, but it is still quite crackable. <BR>> Basically all you need to do is try
every <BR>> password--automatically of <BR>> course...</P>
<P>True, but that is true of _any_ encryption. If you choose a significantly long
and random passphrase, then the time required to try every passphrase is _very_ large.
You are speaking here of a brute-force attack. Given enough time and computing power
any encryption is "crackable" by brute-force (excepting maybe the one-time pad?).
Remember, this is based on ARC4 (RC4 of RSA), and while RC4 with 40 bit passphrases is
brute-force "crackable", you can have a _much_ larger passphrase, as with this script
you can choose the passphrase yourself [upto 246 ascii characters long. Even just
using letters numbers and spaces you have 63 possible characters. 246 places with 63
possibilities each... 63^246 ... you do the math :) ]</P>
<P>...</P>
<P>> Even easier is if someone sends a two files <BR>> of the same type ,as bmp's
for instance, it <BR>> practically gives <BR>> you the password. </P>
<P>How?</P>
<P>Perhaps you mean if two files are sent with the same passphrase? This would
be bad, but CipherSaber takes care of this by appending a random 10 character initialization
vector to your passphrase, _greatly_ reducing the chances of two messages being sent
with the same passphrase. See the CipherSaber site for details.</P>
<P><BR>> I am sure the FBI could break it, and the CIA could <BR>> cut right through
it without much trouble. I <BR>> definitely <BR>> wouldn't call it a "Carnivore Buster."
It is <BR>> probably the exact type of thing they are looking <BR>> for. <BR></P>
<P>Again, only brute-force "crackable" if you use a too-short, non-random passphrase.</P>
<P>I doubt that with the volume of mail going through a Carnivore system, spending years
(or even hours or minutes) to crack each and every one of millions of e-mails is
worth the FBI or CIA's time or even within their budgets. Just pick a length of passphrase
appropriate to the sensitivity of the data.</P>
<P> <BR>> On the other hand, Its really good though for <BR>> keeping ISP's and
hackers from reading your email. </P>
<P>and your spouse, your boss, your business competitor... ;)</P>
<P><BR>> Why bother spending <BR>> 5 weeks to decode someone's email? Most people <BR>>
wouldn't consider it, unless they were getting paid <BR>> to do so. <BR></P>
<P>Ryan, if you know of any way to "crack" RC4 (other than brute force) I would be very
interested in knowing it. Both encryption and rebol are new to me and I would appreciate
any feedback either on the algorithm or the workings of the script itself.</P>
<P> </P>
--0-596516649-967750511=:26976--