[REBOL] Encryption with REBOL Re:(4)
From: civicminded4:y:ahoo at: 9-Sep-2000 6:33
--0-1957747793-968506429=:28100
Content-Type: text/plain; charset=us-ascii
Regarding the strength of the cipher-beta.r script recently posted:
(this will be my last post to the rebol group on this topic, since it
is now about encryption and not rebol, future correspondance will be
sent directly to you Ryan, if that is ok? I just felt I had to defend the
script one more time)
Basically, Ryan is concerned that this encryption is crackable because
you can just try every passphrase.
I don't see that as a particular problem (see below) and especially I
do not see this as a special problem of this particular algorithm.
Ryan, don't your comments apply to _any_ encryption scheme if you don't use
a good passphrase?
[ryanc--iesco-dms--com] wrote:
> > It will keep most
> > people out, but it is still quite crackable.
> > Basically all you need to do is try every
> > password--automatically of
> > course...
>
True, but that is true of _any_ encryption.
>Try common words first, 3000^50. Yet still, not a job for the light of
>heart. Though a common five word pass phrase is 3000^5, possibly doable
>by individuals... Of course a one common word pass phrase is not much
>work at all.
See my calculations below. -Alan
> Perhaps you mean if two files are sent with the same passphrase? This
> would be bad, but CipherSaber takes care of this by appending a random
> 10 character initialization vector to your passphrase, _greatly_
> reducing the chances of two messages being sent with the same
> passphrase. See the CipherSaber site for details.
>
>>Off the hip, I could'nt figure out what they where doing here.
>>Obviously it manages to decode it, thus making it irrelavent. Dont you agree?
You are missing the point of the initvector. It keeps two messages
from being encrypted with the same output stream from the state array.
If two messages are encoded with the same stream, then you can xor them
and get rid of the stream (xor is reversible). Then if you know one
message or part of one message, you can xor and get the other message
or part of it.
> > I am sure the FBI could break it, and the CIA could
> > cut right through it without much trouble. I definitely
> > wouldn't call it a "Carnivore Buster." It is
> > probably the exact type of thing they are looking
> > for.
>
>>We can assume for the time being that a 6 or more word passphrase is
>>beyond the reach of your average single mortal hacker. I still would
>>not recommend to put it to the test of any major governments. Probably
>>more than sufficient protection from the IRS though. Police too--I have
>>heard of an instance where they could'nt even crack a zip file
>>password.
Ryan, check out the attached table (and check my math, I did this
rather quickly!) -Alan
I still say this script is the Carnivore Buster! ;) -Alan
>Have you thought of making this into an object or command line
>interface. In a /View based office environment, I could defineatly see
>a use for this type of thing. As a sort of text filter. It could work
>beside other text filters that format REBOL, check spelling, check
>HTML, etc. Your header could go in the about box of whatever application that
>uses it.
In the works.
Table follows:
number of characters Size of passphrase number of bits in passphrase
to choose from (246 maximum) bits=number * log2 size
(many common encryption schemes in use now use 40, 56, or 128 bit encryption)
using lower case letters
26 5 23.50
26 10 47.00
26 15 70.51
26 50 235.02
26 100 470.04
26 246 1156.31
lower and upper case and space
53 5 28.64
53 10 57.28
53 15 85.92
53 50 286.40
53 100 572.79
53 246 1409.07
l & u and space and numbers
63 5 29.89
63 10 59.77
63 15 89.66
63 50 298.86
63 100 597.73
63 246 1470.41
all 'keyboard' characters
95 5 32.85
95 10 65.70
95 15 98.55
95 50 328.49 **
95 100 656.99
95 246 1616.18 **
all ascii characters
256 5 40.00
256 10 80.00
256 15 120.00
256 50 400.00
256 100 800.00
256 246 1968.00 MAXIMUM
3000 common words
3000 5 57.75 **
3000 10 115.51
3000 15 173.26
3000 50 577.54
*
*
Diceware
7776 5 64.62
7776 10 129.25
7776 15 193.87
7776 50 646.24
*
*
* passphrase may contain 246 characters maximum. Number of words
depends on size of the words. If words average 4 to 5 letters long, then
can have about 50 words.
You can increase the entropy of the 3000 common words and the Diceware
words by using capitals and punctuation (all the non-alphanumeric
keyboard characters).
** An example of what this means. Using 246 keyboard characters, it
would take a computer that could test 1 million passphrases per second,
5.25 x 10**472 years to brute-force guess your passphrase.
A more realistic example, 50 keyboard characters --- 1.22 x 10**85 years.
The age of the universe is about 5 x 10**9 years.
And I believe the total number of elemental particles (protons neutrons
electrons) is on the order of 10**40 (can't remember where I read
this).
5 of 3000 common words --- 3.8527 x 10**3 years
Of course, faster computers will reduce these numbers. Can your
computer do 1 billion passphrases per second?
Reduce the _exponents_ of the above numbers by 3.
5 of 3000 common words would take nearly 4 years
With a 1 billion passphrase per second computer.
To decode _1_ encrypted message.
The Carnivore Buster.
--0-1957747793-968506429=:28100
Content-Type: text/html; charset=us-ascii
<P> Regarding the strength of the cipher-beta.r script recently posted:<BR><BR>
<BR>(this will be my last post to the rebol group on this topic, since it <BR>is now
about encryption and not rebol, future correspondance will be <BR>sent directly to you
Ryan, if that is ok? I just felt I had to defend the <BR>script one more time)<BR><BR>Basically,
Ryan is concerned that this encryption is crackable because <BR>you can just try every
passphrase.<BR><BR>I don't see that as a particular problem (see below) and especially
I <BR>do not see this as a special problem of this particular algorithm. </P>
<P><BR>Ryan, don't your comments apply to _any_ encryption scheme if you don't use <BR>a
good passphrase?<BR><BR><BR><A href="http://us.f63.mail.yahoo.com/ym/Compose?To=[ryanc--iesco-dms--com]&YY=5521&order=down&sort=date&pos=0">[ryanc--iesco-dms--com]</A>
wrote:<BR><BR><BR>> > It will keep most<BR>> > people out, but it is still quite crackable.<BR>>
> Basically all you need to do is try every<BR>> > password--automatically of<BR>> >
course...<BR>><BR> True, but that is true of _any_ encryption.<BR><BR>>Try common
words first, 3000^50. Yet still, not a job for the light of<BR>>heart. Though a common
five word pass phrase is 3000^5, possibly doable<BR>>by individuals... Of course a one
common word pass phrase is not much<BR>>work at all.<BR><BR>See my calculations below.
-Alan<BR><BR><BR><BR>> Perhaps you mean if two files are sent with the same passphrase?
This<BR>> would be bad, but CipherSaber takes care of t!
hi!
s by appending a random<BR>> 10 character initialization vector to your passphrase, _greatly_<BR>>
reducing the chances of two messages being sent with the same<BR>> passphrase. See the
CipherSaber site for details.<BR>><BR><BR>>>Off the hip, I could'nt figure out what they
where doing here. <BR>>>Obviously it manages to decode it, thus making it irrelavent.
Dont you agree?<BR><BR>You are missing the point of the initvector. It keeps two
messages <BR>from being encrypted with the same output stream from the state array.
<BR>If two messages are encoded with the same stream, then you can xor them <BR>and get
rid of the stream (xor is reversible). Then if you know one <BR>message or part of one
message, you can xor and get the other message <BR>or part of it.<BR><BR><BR><BR>> >
I am sure the FBI could break it, and the CIA could<BR>> > cut right through it without
much trouble. I definitely<BR>> > wouldn't call it a "Carnivo!
re!
Buster." It is<BR>> > probably the exact type of thing they are looking<BR>> > for.<BR>><BR><BR>>>We
can assume for the time being that a 6 or more word passphrase is<BR>>>beyond the reach
of your average single mortal hacker. I still would<BR>>>not recommend to put it to the
test of any major governments. Probably<BR>>>more than sufficient protection from the
IRS though. Police too--I have<BR>>>heard of an instance where they could'nt even crack
a zip file <BR>>>password.<BR><BR><BR>Ryan, check out the attached table (and check my
math, I did this <BR>rather quickly!) -Alan<BR></P>
<P>I still say this script is the Carnivore Buster! ;) -Alan<BR><BR><BR>>Have you
thought of making this into an object or command line<BR>>interface. In a /View based
office environment, I could defineatly see <BR>>a use for this type of thing. As a sort
of text filter. It could work<BR>>beside other text filters that format REBOL, check
spelling, check <BR>>HTML, etc. Your header could go in the about box of whatever application
that<BR>>uses it.<BR><BR><BR><BR>In the works.<BR></P>
<P><BR>Table follows:</P>
<P>number of characters Size of passphrase number of bits in passphrase <BR> to
choose from (246 maximum) bits=number * log2 size<BR> (many common encryption schemes
in use now use 40, 56, or 128 bit encryption)</P>
<P>using lower case letters</P>
<P>26 5 23.50 <BR> 26 10 47.00 <BR> 26 15 70.51 <BR> 26 50 235.02 <BR> 26 100 470.04 <BR> 26 246 1156.31 <BR><BR>lower
and upper case and space</P>
<P>53 5 28.64 <BR> 53 10 57.28 <BR> 53 15 85.92 <BR> 53 50 286.40 <BR> 53 100 572.79 <BR> 53 246 1409.07 <BR><BR>l
& u and space and numbers</P>
<P>63 5 29.89 <BR> 63 10 59.77 <BR> 63 15 89.66 <BR> 63 50 298.86 <BR> 63 100 597.73 <BR> 63 246 1470.41 <BR><BR>all
'keyboard' characters</P>
<P>95 5 32.85 <BR> 95 10 65.70 <BR> 95 15 98.55 <BR> 95 50 328.49 **<BR> 95 100 656.99 <BR> 95 246 1616.18 **<BR><BR>all
ascii characters</P>
<P>256 5 40.00 <BR> 256 10 80.00 <BR> 256 15 120.00<BR> 256 50 400.00<BR> 256 100 800.00<BR> 256 246 1968.00 MAXIMUM<BR><BR>3000
common words</P>
<P>3000 5 57.75 **<BR> 3000 10 115.51<BR> 3000 15 173.26<BR> 3000 50 577.54<BR>
* <BR>
* <BR>Diceware</P>
<P>7776 5 64.62<BR> 7776 10 129.25<BR> 7776 15 193.87<BR> 7776 50 646.24<BR>
* <BR>
* <BR>* passphrase may contain 246 characters maximum.
Number of words <BR>depends on size of the words. If words average 4 to 5 letters long,
then <BR>can have about 50 words. <BR>You can increase the entropy of the 3000 common
words and the Diceware <BR>words by using capitals and punctuation (all the non-alphanumeric
<BR>keyboard characters). <BR> <BR>** An example of what this means. Using
246 keyboard characters, it <BR>would take a computer that could test 1 million passphrases
per second, <BR>5.25 x 10**472 years to brute-force guess your passphrase.<BR><BR>A more
realistic example, 50 keyboard characters --- 1.22 x 10**!
85!
years.<BR><BR>The age of the universe is about 5 x 10**9 years. <BR>And I believe
the total number of elemental particles (protons neutrons <BR>electrons) is on the order
of 10**40 (can't remember where I read <BR>this).<BR><BR>5 of 3000 common words --- 3.8527
x 10**3 years<BR><BR>Of course, faster computers will reduce these numbers. Can
your <BR>computer do 1 billion passphrases per second? <BR>Reduce the _exponents_ of
the above numbers by 3.<BR><BR>5 of 3000 common words would take nearly 4 years</P>
<P>With a 1 billion passphrase per second computer.<BR><BR>To decode _1_ encrypted message.<BR><BR>The
Carnivore Buster.</P>
--0-1957747793-968506429=:28100--