RE: decrypt form variable... WAY more than you wanted to know.

2000-05-21 Thread Mike Sheldon

IDEA has been shown to have some weak keys. However, the odds of you
actually choosing such a key are nearly non-existent (The weak keys fall
into a certain pattern which doesn't fit any normal password.) The odds of
choosing one randomly are 1 in 2^96. There is also an XOR value that can be
run against keys that will completely eliminate the possibility of producing
a weak key.

RC5 is relatively untested at this point, and is therefore of unknown
security. Also, RSA has applied for patent on RC5, so it's not available for
use without license. (This will also likely discourage further attempts to
test it by the experts.)

Using a block cipher in place of a stream cipher does not make it a stream
cipher. :) It's still a block cipher. The lesson here is that unless you are
dealing with "continual real-time transmission" of data, stream ciphers are
not called for. (Even many transmission situations do not call for stream
ciphers, i.e. SSL and IPsec, which use block ciphers.)

Undoubtedly, my favorite is Blowfish. I've used it, it performs very well,
source-code is readily available (www.counterpane.com), there is no known
cryptanalysis against non-reduced-round Blowfish, and there are no licensing
issues.

Note that 16-round Blowfish (standard) is more than twice as fast as
16-round RC5, and 20-round Blowfish is still almost twice as fast. In order
to beat 20-round Blowfish, you would have to drop to 8 rounds of RC5. (RC5
is a real dog, though not as slow as DES.) Note that Twofish is slightly
faster than Blowfish, even though it has a 128 bit block size vs. the 64 bit
block size of Blowfish and RC5.

Some more info on Twofish:

Twofish is from the same people who brought you Blowfish. (Bet you'd never
have guessed!) It is their submission for the Advanced Encryption Standard
(AES) which will replace DES. Currently, it is one of five finalists from an
original group of fifteen. It is unpatented, source code is uncopyrighted,
and is available for use without license. (Code can be downloaded from
www.counterpane.com.) It's also one of the most tested algorithms out there,
since the competition is banging on it to try to prove it unsuitable, in
favor of their own algorithms.


Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request

-Original Message-
From: David Cummins [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 20, 2000 20:18
To: [EMAIL PROTECTED]
Subject: Re: decrypt form variable...


Whoa! That's a rather complete answer... ;)

Although I would warn that some of the "cryptographically strong" schemes have
been shown to have some weak keys, i.e. I think IDEA has some weak keys. From
what I'm aware, RC5 with 16 rounds does not (so I'm a fan).

As far as stream ciphers go, could you just use a block cipher with an 8 bit
block size, and some form of cipher block chaining as a stream cipher? I realise
8 bit sounds a bit (ok, a lot) low, but CBC does help. Maybe the stream could
start with a random word (you know, like Unix salting).

David

Mike Sheldon wrote:

 Care to suggest a few? I've seen several, but I'm not sure how to evaluate
 them.

 The trick is, there's no way you or I can adequately evaluate an encryption
 algorithm for anything but speed. Therefore, you need to choose algorithms
 that have been tested by cryptanalysis experts (which is why public
 algorithms are so important).

 All information below has been at least partially obtained from "Applied
 Cryptography" by Bruce Schneier. The book includes C source-code for several
 algorithms, including Blowfish, DES and IDEA. Highly recommended if you
 have any interest in cryptography.

 For Hashes:
 MD5 is still the standard almost everyone uses, though SHA and RIPE-MD are
 probably more secure.

 For Symmetric-Key Block Ciphers:
  I like using Blowfish, it's public domain, and quite fast on 32-bit
 processors. It has been used in a few commercial products.
  The TwoFish algorithm is showing a lot of promise in the competition for
 replacement of DES as the US Government standard. Other than that, I don't
 know much about it.
  IDEA is also a strong public cipher, it just never seemed to gain much
 popularity. I'd be very comfortable using it.
  Three-round DES is still fine for most uses, and has the advantage of being
 available in public libraries. Single-round DES should not be used for
 anything more valuable than your favorite cookie recipe.

 For Symmetric-Key Stream Ciphers:
  Stream ciphers are notably less secure than block ciphers, and are
 generally only recommended for things like real-time streaming of data where
 encrypting a "block" at a time is not practical (i.e. hardware
 implementations of "scramblers" for radio, etc...).
  RC4 is commonly used, though it is not truly public, and use of it might
 get you into conflict with RSA Data Security.
  All the other stream ciphers I've seen are described as highly insecure.
 Remember that these algorithms 
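As an added illustration (not code from anyone in this thread), here is David's proposal in runnable form: CBC mode around a toy 8-bit block cipher, with his "random word" at the start playing the role of the IV. It shows Mike's point that the result is still a block cipher, one block per step, and `first_repeat_index` shows what the tiny block costs: a ciphertext block repeats within at most 257 blocks, and in CBC each repeat reveals the XOR of two plaintext blocks, whereas a 64-bit block like Blowfish's holds out for on the order of 2^32 blocks. The keyed permutation, seeds and sample plaintext are constructed assumptions, not a real cipher.

```python
import random

def toy_block_cipher(key_seed, block_bits):
    """TOY stand-in for a block cipher: a keyed random permutation of all
    2**block_bits block values (assumption: any bijection will do to show
    how CBC behaves). Returns (encrypt_table, decrypt_table)."""
    rng = random.Random(key_seed)
    perm = list(range(1 << block_bits))
    rng.shuffle(perm)
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return perm, inv

def cbc_encrypt(perm, iv, blocks):
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV, David's 'random word', for the first one) and then enciphered.
    Exactly one block goes through the cipher per step: still a block cipher."""
    out, prev = [], iv
    for p in blocks:
        prev = perm[p ^ prev]
        out.append(prev)
    return out

def cbc_decrypt(inv, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(inv[c] ^ prev)
        prev = c
    return out

def first_repeat_index(blocks):
    """Index of the first ciphertext block equal to an earlier one, or None.
    In CBC, C[i] == C[j] means P[i] ^ P[j] == C[i-1] ^ C[j-1], so every repeat
    leaks the XOR of two plaintext blocks. With 8-bit blocks a repeat is
    certain within 257 blocks (and expected after about 20); with 64-bit
    blocks it takes on the order of 2**32 blocks."""
    seen = set()
    for i, c in enumerate(blocks):
        if c in seen:
            return i
        seen.add(c)
    return None

def demo(block_bits=8, n_blocks=600, key_seed=1234, iv_seed=99):
    """Encrypt a constructed random plaintext of n_blocks blocks under CBC and
    report where the first ciphertext repeat occurs (None if there is none)."""
    perm, inv = toy_block_cipher(key_seed, block_bits)
    rng = random.Random(iv_seed)            # fixed seeds so the run is reproducible
    iv = rng.randrange(1 << block_bits)     # a real system draws the IV from os.urandom
    msg = [rng.randrange(1 << block_bits) for _ in range(n_blocks)]  # constructed sample
    ct = cbc_encrypt(perm, iv, msg)
    assert cbc_decrypt(inv, iv, ct) == msg  # round trip must hold
    return first_repeat_index(ct)
```

Run `demo(8)` against `demo(16)` to see the first repeat move out as the block grows; the round trip is checked inside `demo`.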

Re: decrypt form variable... WAY more than you wanted to know.

2000-05-21 Thread David Cummins

Hi Mike,

Firstly I would point out that I don't know the actual algorithms for most of
the methods we are discussing, so if a comment seems a bit off hand - well, it
probably is. ;)

Mike Sheldon wrote:
 
 IDEA has been shown to have some weak keys. However, the odds of you
 actually choosing such a key are nearly non-existent (The weak keys fall
 into a certain pattern which doesn't fit any normal password.) The odds of
 choosing one randomly are 1 in 2^96. There is also an XOR value that can be
 run against keys that will completely eliminate the possibility of producing
 a weak key.

But if some weak keys can be shown to exist, can we be sure that there isn't a
whole new class of weak keys that are so far undiscovered? If an algorithm has
weak keys which are an obvious by-product of the mathematical description, and
can be easily avoided, that is one thing, but unpredictably weak keys could be
disastrous.

 RC5 is relatively untested at this point, and is therefore of unknown
 security. Also, RSA has applied for patent on RC5, so it's not available for
 use without license. (This will also likely discourage further attempts to
 test it by the experts.)

I've seen a document on both linear and differential attacks on RC5, and it
seemed fairly convincing. It seems that out of the three operations involved
(addition, xor and rotation), two of them have incompatible linear analysis
techniques, and a different two of them have incompatible differential formulae.
So far distributed.net seems to be chugging along at about as slow a rate as one
would expect.

On the other hand, I'm not so keen on the whole licensing thing... ;)

 Using a block cipher in place of a stream cipher does not make it a stream
 cipher. :) It's still a block cipher. The lesson here is that unless you are
 dealing with "continual real-time transmission" of data, stream ciphers are
 not called for. (Even many transmission situations do not call for stream
 ciphers, ie. SSL and IPsec, which use block ciphers.)

When you are talking about stream ciphers, are you thinking bit streams? In that
case... well, the start of the message seems almost doomed to be easy to crack
because there's an insufficient number of message combinations if you can only
take historical parts of the data into account.

 Undoubtedly, my favorite is Blowfish. I've used it, it performs very well,
 source-code is readily available (www.counterpane.com), there is no known
 cryptanalysis against non-reduced-round Blowfish, and there are no licensing
 issues.
 
 Note that 16-round Blowfish (standard) is more than twice as fast as
 16-round RC5, and 20-round Blowfish is still almost twice as fast. In order
 to beat 20-round Blowfish, you would have to drop to 8 rounds of RC5. (RC5
 is a real dog, though not as slow as DES.) Note that Twofish is slightly
 faster than Blowfish, even though it has a 128 bit block size vs. the 64 bit
 block size of Blowfish and RC5.

I'm actually surprised that Blowfish is faster, because the RC5 inner loop is
pretty damn simple. Is there a site about the algorithm anywhere that you know
of? Incidentally, RC5 _is_ expandable to whatever block size you like. Does the
same apply to Blowfish?

 Some more info on Twofish:
 
 Twofish is from the same people who brought you Blowfish. (Bet you'd never
 have guessed!) It is their submission for the Advanced Encryption Standard
 (AES) which will replace DES. Currently, it is one of five finalists from an
 original group of fifteen. It is unpatented, source code is uncopyrighted,
 and is available for use without license. (Code can be downloaded from
 www.counterpane.com.) It's also one of the most tested algorithms out there,
 since the competition is banging on it to try to prove it unsuitable, in
 favor of their own algorithms.

Thanks for the info, I don't have time to keep track of developments in the
encryption field these days... ;)

David
--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.



Re: decrypt form variable... WAY more than you wanted to know.

2000-05-21 Thread Stephen M. Aylor

Maybe this interests you?

http://www.granularity.net/technologies/

[EMAIL PROTECTED]

GIACloakTM Allaire ColdFusion extension allowing for strong encryption

giaCryptoTM Java classes to allow for encryption via Allaire ColdFusion

All the best,

Stephen M. Aylor
Aylor Insurance Agency, Inc.
"Specialized Insurance for IT - We Cover IT"
[EMAIL PROTECTED]
949.581.2333 (v)
949.581.2814 (f)




 Thanks Mike and David for the discussion.  It's not WAY more than I wanted
 to know, but I could use some help in applying all my new found knowledge
 ;-)

 Should I be using CFHASH for hashing?  I've heard lots of criticism of
 CFENCRYPT, but I don't remember seeing any for CFHASH.  Do you know if it
 uses MD5, SHA, and RIPE-MD, or something else?  If not CFHASH, then can you
 recommend a CF implementation for hashing?

 Is there a CF version of Blowfish you can recommend?  I saw the 12
 implementations of blowfish at
 http://www.counterpane.com/blowfish-download.html, but I don't know how to
 integrate any of them with CF, other than maybe writing a CFX tag, which I
 don't know how to do.  I also found CF_ENCRYPT by Jim Fuller in the tag
 gallery ($150), but thought there might be a free CF version somewhere.

 Finally, what does "non-reduced-round" mean when you said "there is no
 known cryptanalysis against non-reduced-round Blowfish"?  Is this 20 round?

 thanks,

 Gregory M. Saunders, Ph.D.
 Senior Design Architect
 Cognitive Arts Corporation (http://www.cognitivearts.com)
 120 S. Riverside Plaza, Suite 1520
 Chicago, IL 60606





RE: decrypt form variable... WAY more than you wanted to know.

2000-05-21 Thread Mike Sheldon

I *think* CFHASH is using MD5, but I really don't know.

These discussions have me considering writing an encryption tag myself.
Export regs have discouraged me from attempting this previously. However,
with the new regs, I may go ahead and do it now. If I do it, it will not be
commercial. All of my tags are free.

Standard Blowfish is 16 rounds. There is a cryptanalysis that has been shown
effective for up to five rounds, but that attack vector "disappears" at 6
rounds or more. (This is pretty typical for most algorithms.)

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request

-Original Message-
From: Greg Saunders [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 21, 2000 06:05
To: [EMAIL PROTECTED]
Subject: RE: decrypt form variable... WAY more than you wanted to know.


Thanks Mike and David for the discussion.  It's not WAY more than I wanted
to know, but I could use some help in applying all my new found knowledge
;-)

Should I be using CFHASH for hashing?  I've heard lots of criticism of
CFENCRYPT, but I don't remember seeing any for CFHASH.  Do you know if it
uses MD5, SHA, and RIPE-MD, or something else?  If not CFHASH, then can you
recommend a CF implementation for hashing?

Is there a CF version of Blowfish you can recommend?  I saw the 12
implementations of blowfish at
http://www.counterpane.com/blowfish-download.html, but I don't know how to
integrate any of them with CF, other than maybe writing a CFX tag, which I
don't know how to do.  I also found CF_ENCRYPT by Jim Fuller in the tag
gallery ($150), but thought there might be a free CF version somewhere.

Finally, what does "non-reduced-round" mean when you said "there is no
known cryptanalysis against non-reduced-round Blowfish"?  Is this 20 round?

thanks,

Gregory M. Saunders, Ph.D.
Senior Design Architect
Cognitive Arts Corporation (http://www.cognitivearts.com)
120 S. Riverside Plaza, Suite 1520
Chicago, IL 60606





RE: decrypt form variable... WAY more than you wanted to know.

2000-05-21 Thread Mike Sheldon

Not very much info there...

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request

-Original Message-
From: Stephen M. Aylor [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 21, 2000 08:23
To: [EMAIL PROTECTED]
Subject: Re: decrypt form variable... WAY more than you wanted to know.


Maybe this interests you:..?

http://www.granularity.net/technologies/

[EMAIL PROTECTED]

GIACloakTM Allaire ColdFusion extension allowing for strong encryption

giaCryptoTM Java classes to allow for encryption via Allaire ColdFusion

All the best,

Stephen M. Aylor
Aylor Insurance Agency, Inc.
"Specialized Insurance for IT - We Cover IT"
[EMAIL PROTECTED]
949.581.2333 (v)
949.581.2814 (f)




