DonationCoder.com Software > N.A.N.Y. 2009

NANY 2009 Release: Crush Cryptonizer

f0dder:
Not to flame you, but...

friends don't let friends use homebrew crypto-algorithms. Personally, I'd feel safer using 128-bit AES than something like this (and in reality, I'd of course use 256-bit AES). You might feel that your algorithm is really fancy and all (I wrote some really fancy stuff back in the early 90s and thought it was supercool and supersecure), but as long as it hasn't gone through intensive cryptanalysis and mathematical torture, I'm not going to trust a new algorithm.

ewemoa:
Memories of: http://schneier.com/essay-189.html

Crush:
@f0dder: Thank you for your scepticism. You're not the first one. Other coders had the same. Alpha1 has changed to Alpha2 with optimized algos. I sent the other my source code and this also didn't help, because he wasn't able to see how it differs from other crypters. If you're not outstandingly good in math and coding you'll not be able to prove Cryptonizer is more or less secure than others.

"friends don't let friends use homebrew crypto-algorithms" -> do you really think most of the Encryption-Algos are not homebrewn? If that were so, no free public encryption would be available.
If you took a closer look at some of the coolest freeware programs, I bet most of them are homebrewn.

Please remember: Cryptonizer is no weekend-project. I started with this thing a few years ago and used it in customers' software. Later I saw it could be improved. This is what I do now.
The only way to show you it's no fake is to explain all functions as well as possible.

Good encryption does not have to mean you need complicated code and mathematical mastership. The results are measurable and comparable with several testing tools from NIST and others. I use Cryptool's testing suite for my tests. That's the same others did in the past. The tools for encryption are not so rich as it seems.

I know all the open encryptions and how they basically work. All weaknesses of "public" encryption algorithms have been eliminated in Cryptonizer. I'm still working on and improving the encryption algorithm itself for even better results in all Cryptool tests. The funny thing is that I make a comparison especially to AES-256, which you mentioned. All Cryptool tests show at the moment (not the Alpha1 version) that Cryptonizer has results comparable to or better than AES-256. I suppose this means there is enough security by the entropy and others.
All encrypting programs use the same ways to get to an aim:
1.) EORing bytes with the password (adds/subs/rols/rors sometimes also)
2.) Shuffling the bytes (Shifting rows and mixing columns)
3.) Substitution with other data
4.) Adding the key to the data
5.) Iterations on the results
6.) Changing the encryption key each run

So do I. -> No big difference till now

Where are the flaws?
The main goal was maximum security with maximum speed.
The key lengths, the size of the cypher-block and the size of the source-data-block are restricted to a fixed size
All rounds (iterations) are limited by the encoding depth.
There is no real salt inside, because the result block must be the same as the source and cannot be saved with the data
Real salt does not exist and can only be calculated from the password itself, which is enough for some safety but not enough for higher security.
The key is not changing while coding.
Iterations do not change all input parameters
Overall: too many restrictions, trimmed for speed

What does Cryptonizer do?
My goal is maximum security - the speed isn't important.
The key lengths, the size of the cypher-block and the size of the source-data-block are restricted to the size of 2^32
The iterations are limited to 2^32
Real salt can be calculated in the size you wish or loaded from a one-time-pad or any other file source you like - it gets saved with the data
The iterations change the data, the key, the password and the salt at each run. This is the reason why all must be saved together with the encrypted data. Cryptonizer's algorithm is a one-way street that can only go back the same way to lead to the original source data without any possible shortcut.
Due to the extremely variable iterations you can create an encryption that takes minutes/hours/days or even years to decrypt even with the same password.

To assure the best possible encryption results, I make tests with a fully zeroed file with a one-byte-zero-filled one-time-pad and only one iteration. This result is tested with all tests of Cryptool. If the result is cool enough I go to the next testing step.

In this test I take several files and encode them with AES-256 with different passwords. To be sure I use the same settings in Cryptonizer (32 Bytes Key, the same password and 15 iterations - exactly like AES-256). Then I compare all test results with Cryptool again.

At the moment in Alpha 2 it seems that AES-256 delivers not as good results as Cryptonizer - and I'm still working on the algorithm to maximize results. Besides, some of the tests are not passed by AES-256. Cryptonizer passes all. This shows how hard it is to make a really good encryption! My goal is to have similar results as atmospheric noise at the end. Till now I'm not so far away from it.

Nobody is forced to use Cryptonizer. So if you don't like it - don't use it.
I did in the past and will do in the future.
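
An added example, not part of Crush's post and not Cryptonizer code: it runs the zeroed-file test described above against a deliberately weak toy cipher and shows what entropy and bit-frequency scores measure and what they do not. The toy cipher (SHA-256 in counter mode under a 16-bit key), the key value and the sample file are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def toy_keystream(key16: int, n: int) -> bytes:
    """Toy design (assumption): SHA-256 in counter mode, but only a 16-bit key."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        block = key16.to_bytes(2, "big") + ctr.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return bytes(out[:n])

def toy_encrypt(key16: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key16, len(data))))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def monobit_p_value(data: bytes) -> float:
    """Frequency (monobit) test of NIST SP 800-22; p >= 0.01 counts as a pass."""
    nbits = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - nbits) / math.sqrt(nbits)
    return math.erfc(s_obs / math.sqrt(2))

def brute_force_key(ciphertext: bytes, known_plaintext: bytes) -> int:
    """Try all 2**16 keys against a short known-plaintext prefix."""
    k = len(known_plaintext)
    for key in range(2 ** 16):
        if toy_encrypt(key, known_plaintext) == ciphertext[:k]:
            return key
    raise ValueError("no key found")

ZEROED_FILE = bytes(64 * 1024)   # constructed input: the all-zero test file
SECRET_KEY = 0xBEEF              # constructed key
CIPHERTEXT = toy_encrypt(SECRET_KEY, ZEROED_FILE)

if __name__ == "__main__":
    print("entropy (bits/byte):", round(shannon_entropy(CIPHERTEXT), 4))
    print("monobit p-value:    ", round(monobit_p_value(CIPHERTEXT), 4))
    # The statistics look like noise, yet 16 known bytes give the key back.
    print("recovered key:      ", hex(brute_force_key(CIPHERTEXT, bytes(16))))
```

Statistical suites score how noise-like the output is; key space and structural weaknesses are outside what they measure.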

f0dder:
"friends don't let friends use homebrew crypto-algorithms" -> do you really think most of the Encryption-Algos are not homebrewn? If that were so, no free public encryption would be available. If you took a closer look at some of the coolest freeware programs, I bet most of them are homebrewn. -Crush (December 17, 2008, 05:04 PM)
--- End quote ---
There's a difference between "homebrewn" as in "implementation of a specific algorithm" and "a new algorithm". Your algorithm might be all fine and good and secure, but until it has been scrutinized by cryptanalysts for several years, I'm simply not going to trust it... have to agree with ewemoa (or, really, Bruce Schneier) on this one.

Again, don't take this as negative critique of your work, but when dealing with crypto the sane thing is to stick with tried-and-tested (and bashed-to-death-and-weaknesses-known) algorithms.

Crush:
Crush Cryptonizer Release V1.0 is online.
