Alright, no stories to tell but something to ask: Which is - for you - the best encrypting algorithm and why? I need to encrypt a couple of variable data, and I can't pick an algorithm because I haven't tested them all. I heard of the pros and cons of each, so I'm wondering, without giving away names or techniques or anything, what's best for you? We all know nothing is "uncrackable", but it's our dream to make it as secure as possible... isn't it? Because in the end they might want to crack your application just because it's protected (and it's quite good, of course). But that doesn't matter right now; the idea is to encrypt some data (and not even important data), that's what I want to do. This data is mostly numbers, and I can think of many ways of doing it, but as I stated before, I haven't tested them all.
So what's your favourite method/s and why? (if you're willing to share experiences though).
(And if you, reader, are a newbie but have got some ideas, post them! No trouble, we don't tag people by their range here (look at the left of each message if not!). I forgot what I am right now, but last time I checked I was a guru, now I'm Lord Wannabe or something thanks to someone who has moderator rights!)
Cheers!
! Black holes are where God divided by zero ! My little blog! (Not for the faint hearted!)
Security is relative to the data you want to store....
For passwords, I would just recommend a hash of the password... So even if that file is stolen no one knows the passwords...
If it's data that needs to be read/written, I recommend this method:
a) compress the data
b) use something like blowfish or serpentine over it
c) use large keys with alpha characters (Large is >10 characters), with 8 it takes a brute force attack 2.000.000 years !!! on a normal PC
ARCFour (RC4) plus MD5 to hash the password before it's used is a nice and very fast combo. And easy to do with PB.
PB has MD5 natively, and ARCFour (RC4 compatible) methods exist in at least one example on this forum already.
The cool thing is that ARCFour and MD5 are very easy to use/implement in PHP and other languages too.
The strength of an encryption has very little to do with its security.
Even weak (RC4 combined with a hash like MD5 or similar) gives a decent middle of the tree encryption.
Using long passwords/keys you can make it very secure.
Silly but effective example.
Imagine "Password" only 8 letters.
If you were to MD5 hash that you would get a 128bit hash (16 bytes) out of 8 bytes (64bits).
I would call that insecure.
But if you do something like the following: (pseudo code)
hash1$=md5("Password") ;use string functions and
hash2$=md5("asswor") ;specify start end to chop up the password.
hash3$=md5("sswo") ;just typed directly here to show how it's chopped
hash4$=md5("sw")
Then concatenate those:
key$=hash1$+hash2$+hash3$+hash4$
Now you have a 512bit key based on an 8 byte (16bit) password.
Obviously the longer the password is the bigger you can make the key
as you just loop your key/hash routine.
Even if an evil cracker knows how it works,
he has to try so many variations it's not funny.
Without knowing what the initial password is, he has no clue how many
bits the key$ is, nor any idea how many letters the password was.
if the password is 7 or 8 chars, the key$ would be 512bits,
If the password was 9 or 10 chars the key$ would suddenly be 640 bits. (80 bytes)
If a 512bit key is used with ARCFour you would get a damn strong encryption actually.
ARCFour can easily handle a 256byte (2048bit) streamkey,
you could also do an MD5 hash on the key$ and use that as an easy seed$ as well.
2048bit max key means you could easily have a password up to 16 chars.
You would have to truncate longer keys$ than 256bytes though,
the fun thing is the md5 hashing could still be done the same way,
hashing the entire very long password, but only use the 256 first chars of the big hash key$.
Besides, even a single char password would make a 128bit key which is nice but not too safe against brute force.
Once passwords closer to 8 chars are used and you get 512bit hashed keys is when things get nice.
Even brute force would be painful then, despite ARCFour being a middle-range cipher, good stream cipher.
To put it another way, a simple trick as I explained here would leave
dictionary attacks as the only weakness really,
and provided the user doesn't use too obvious passwords,
this solution is pretty darn safe for many years to come,
but using current tech, that is simple to implement and fast.
Not to mention that MD5 and ARCFour (or RC4 as the commercial one is called) are readily available pretty much everywhere in some form.
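Added example, not part of the thread and not code from this forum: the chopped-MD5 key construction described in the post above, written in Python so the number of keys it can actually produce can be counted, next to a salted, iterated derivation (PBKDF2-HMAC-SHA256). The use of raw 16-byte digests, the four-letter test alphabet, the function names and the iteration count are assumptions made for the illustration.

```python
import hashlib
import itertools
import os

def chopped_md5_key(password: str) -> bytes:
    """Post's scheme: MD5 the password, trim one char off each end, repeat, concatenate."""
    parts, s = [], password
    while s:
        parts.append(hashlib.md5(s.encode()).digest())  # assumption: raw 16-byte digests
        s = s[1:-1]
    return b"".join(parts)[:256]  # ARCFour accepts at most 256 key bytes

def distinct_keys(alphabet: str, length: int) -> int:
    """Enumerate every password of this length and count the distinct derived keys."""
    keys = {chopped_md5_key("".join(p)) for p in itertools.product(alphabet, repeat=length)}
    return len(keys)

def pbkdf2_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, iterated derivation: every guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

if __name__ == "__main__":
    key = chopped_md5_key("Password")
    print(f"derived key length: {len(key) * 8} bits")
    # The key is a fixed function of the password, so there are exactly as many
    # possible keys as there are possible passwords, whatever the key length.
    n = distinct_keys("abcd", 4)
    print(f"4-char passwords over 'abcd': {4 ** 4} inputs -> {n} possible keys")
    # No salt: the same password gives the same key for every user and file.
    print("unsalted keys repeat:", chopped_md5_key("Password") == key)
    # A random salt, stored beside the ciphertext, makes each derivation unique.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    differ = pbkdf2_key("Password", salt_a) != pbkdf2_key("Password", salt_b)
    print("salted keys differ:", differ)
```
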
A subject of great interest is password and protection. Trouble is, someone can buy the product, get the password and hand the program and password out to others, and in no time everyone can have the program no matter how good the encryption is.
APC Magazine had an article on how to crack software in it, so I recently started a search for crack tutorials so as to learn their techniques. SoftIce seems to be one of the main tools, plus a few disassembler programs.
A popular method is to change the JUMP instruction and the Password has no bearing on the program running.
Compression programs and programs that relocate the PE sections seem good techniques for protection. However I see they have programs to rebuild the program.
Bizzy... There is no "winner" protection system that I know of... and if there was one, sooner or later it would get cracked. The same happens with the security of your house... put a big wall all around your house, still, a thief can climb it and get in, no?... put some wires and electrify the wall! But... wait, they can cut your power!... Oh, you can have a generator... but... wait, they can cut the source wires!... Oh, you can have many... but wait, they can find and cut them too! Perhaps even connect them to your toilet!
Now, seriously.. something like that happens with software protection too.
I suggest this link: http://inner-smile.com/nocrack.phtml
Not bad, although you will spend more time reading ebooks and articles relating to software security than actually developing your software! It already happened to me, hehe.