> > It will keep most
> > people out, but it is still quite crackable.
> > Basically all you need to do is try every
> > password--automatically of
> > course...
>
> True, but that is true of _any_ encryption.  If you choose a
> significantly long and random passphrase, then the time required to
> try every passphrase is _very_ large. You are speaking here of a
> brute-force attack. Given enough time and computing power any
> encryption is "crackable" by brute-force (excepting maybe the one-time
> pad?).  Remember, this is based on ARC4 (RC4 of RSA), and while RC4
> with 40 bit passphrases is brute-force "crackable", you can have a
> _much_ larger passphrase, as with this script you can choose the
> passphrase yourself [up to 246 ASCII characters long.  Even just using
> letters numbers and spaces you have 63 possible characters. 246 places
> with 63 possibilities each...  63^246 ... you do the math :)   ]
>

Try common words first, 3000^50.  Yet still, not a job for the light of
heart. Though a common five word pass phrase is 3000^5, possibly doable
by individuals... Of course a one common word pass phrase is not much
work at all.

>
> > Even easier is if someone sends two files
> > of the same type, as bmp's for instance, it
> > practically gives
> > you the password.
>
> How?

Actually I missed an important part of the algorithm where they swap
data.  While still possible, it makes it a ton more nasty.
Coincidentally, before noticing this, I came up with an encryption scheme
last night that is similar.  Ever read "The Hundredth Monkey"?

>
>
> Perhaps you mean if two files are sent with the same passphrase?  This
> would be bad, but CipherSaber takes care of this by appending a random
> 10 character initialization vector to your passphrase, _greatly_
> reducing the chances of two messages being sent with the same
> passphrase.  See the CipherSaber site for details.
>

Off the hip, I couldn't figure out what they were doing here. Obviously
it manages to decode it, thus making it irrelevant.  Don't you agree?

>
>
> > I am sure the FBI could break it, and the CIA could
> > cut right through it without much trouble. I
> > definitely
> > wouldn't call it a "Carnivore Buster." It is
> > probably the exact type of thing they are looking
> > for.
>

Sending encrypted files is suspicious. Want to get investigated by the
CIA?  Send one of these to the Chinese Consulate.

>
> Again, only brute-force "crackable" if you use a too-short, non-random
> passphrase.
>
> I doubt that with the volume of mail going through a Carnivore system,
> spending years (or even hours or minutes) to crack each and every one
> of millions of e-mails is worth the FBI or CIA's time or even within
> their budgets. Just pick a length of passphrase appropriate to the
> sensitivity of the data.
>

I am sure they don't decode them all, especially the FBI.  Although if
you score enough points with either one, they might start decoding
yours.  In this discussion we have probably gained 20 points each!

> > On the other hand, it's really good though for
> > keeping ISP's and hackers from reading your email.
>
> and your spouse, your boss, your business competitor...  ;)
>
>
> > Why bother spending
> > 5 weeks to decode someone's email? Most people
> > wouldn't consider it, unless they were getting paid
> > to do so.
>
> Ryan, if you know of any way to "crack" RC4 (other than brute force) I
> would be very interested in knowing it.  Both encryption and rebol are
> new to me and I would appreciate any feedback either on the algorithm
> or the workings of the script itself.
>

I don't have a cracking scheme offhand. I saw no mention of an RC4 crack
(other than brute force) with a google search either.  I wouldn't rule
out the possibility of a crack or partial crack in existence though.  I
suppose in some circumstances knowing file type could give you enough to
crack a password, but I couldn't say for sure without closer inspection.

We can assume for the time being that a 6 or more word passphrase is
beyond the reach of your average single mortal hacker.  I still would
not recommend to put it to the test of any major governments.  Probably
more than sufficient protection from the IRS though.  Police too--I have
heard of an instance where they couldn't even crack a zip file password.

Have you thought of making this into an object or command line
interface?  In a /View based office environment, I could definitely see a
use for this type of thing. As a sort of text filter.  It could work
beside other text filters that format REBOL, check spelling, check HTML,
etc.  Your header could go in the about box of whatever application that
uses it.

--Ryan

Ryan Cole
Programmer Analyst
www.iesco-dms.com
707-468-5400
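
An added example, not part of the original message and not the CipherSaber script under discussion: a Python rendering of the passphrase-plus-IV scheme mentioned in the quoted reply, showing that two files encrypted under one passphrase share a keystream without the IV and do not with it, and that the receiver recovers the IV from the first 10 bytes of the file. The passphrase and the BMP-like plaintexts are constructed sample values.

```python
import os

IV_LEN = 10  # CipherSaber stores a 10-byte random IV at the start of each file


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key schedule, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def cs_encrypt(passphrase: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """RC4 key = passphrase + IV; the IV travels in the clear before the data."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    return iv + rc4(passphrase + iv, plaintext)


def cs_decrypt(passphrase: bytes, blob: bytes) -> bytes:
    """The receiver reads the IV back from the first 10 bytes of the file."""
    return rc4(passphrase + blob[:IV_LEN], blob[IV_LEN:])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo():
    passphrase = b"correct horse battery"             # constructed sample value
    p1 = b"BM" + b"\x00" * 6 + b"first picture data"  # constructed BMP-like data
    p2 = b"BM" + b"\x00" * 6 + b"second image bytes"
    # Without an IV both files get the same keystream, so it cancels out.
    reuse_leaks = xor(rc4(passphrase, p1), rc4(passphrase, p2)) == xor(p1, p2)
    # With a fresh IV per file the keystreams differ and nothing cancels.
    c1, c2 = cs_encrypt(passphrase, p1), cs_encrypt(passphrase, p2)
    iv_leaks = xor(c1[IV_LEN:], c2[IV_LEN:]) == xor(p1, p2)
    round_trip = cs_decrypt(passphrase, c1) == p1 and cs_decrypt(passphrase, c2) == p2
    return reuse_leaks, iv_leaks, round_trip


if __name__ == "__main__":
    print(demo())
```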

