DonationCoder.com Software > N.A.N.Y. 2009
NANY 2009 Release: Crush Cryptonizer
Crush:
Crush Cryptonizer Release V1.1 is online.
dcm_rush:
Im new to the forum but have been following the site for a while. I downloaded this and intend to mess with it.
As for homebrew algorithms, it seems to me that Crush is correct in saying that all the best code at least starts as homebrew. I also agree that its free and non mandatory. As the above mentioned Bruce Schneider also said -This doesn't mean that everything new is lousy. What it does mean is that everything new is suspect.
Fodder, it seems more like your argument is more against anyone attemting to create a new cryptographic application than ANYTHING about this one or the authors work in this case, which seems to at the very least, solid and worthy of some further testing and research. If, Fodder, you would prefer to wait and take others opinion as gospel, join the masses, and wait. I dont recall seeing the author promoting using this as the most secure means available. Its a start. According to the paper you refer to above, even the tested commercial avenues are to be considered suspect, such as Microsofts. If you can find a better way to test it than to let it go for free and let people find flaws in the application or alg, let me know, but it seems like even way back in 1999 when that was written, they knew the only real way to test it was to give it to the public to chew up and spit out.
A new type of cypher is needed as even 256 AES is no longer as secure as it once was. Read the work on breaking disk encryption by the Center for Information Technology Policy at the University of Princeton. The process that Crush describes would greatly impede the breaking of this encryption.
At first glance, and thats all it is at this point, I would count this *homebrew* to hold up longer than the current 1344 bit 3*BF that someone like Drivecrypt is using, but I will agree that anything you want to know is as secure as is humanly possible, should be encrypted with a tested method, although, anyone who has data that they really NEED TO encrypt, already knows that, or they should be fired or hacked.
f0dder:
Fodder, it seems more like your argument is more against anyone attemting to create a new cryptographic application than ANYTHING about this one or the authors work in this case, which seems to at the very least, solid and worthy of some further testing and research.-dcm_rush (December 29, 2008, 08:46 AM)
--- End quote ---
Then you have misunderstood me.
I'm against using a new algorithm until it has had significant peer review. Crush's algorithm might be good, but as for now it's developed by a single person, there's no design document, and neither the algorithm nor source code are publicly available. This means there's no way to tell whether it's good or not (yeah yeah, you can analyze entropy, but meh), and there's no way to have peer review (outside of reverse engineering the application, but who would bother to do that?).
If you can find a better way to test it than to let it go for free and let people find flaws in the application or alg, let me know, but it seems like even way back in 1999 when that was written, they knew the only real way to test it was to give it to the public to chew up and spit out.-dcm_rush (December 29, 2008, 08:46 AM)
--- End quote ---
Yes, letting it into the wild... including design document and source code. And even then, new algorithms haven't been widely adopted until they've undergone massive testing, beating, analysis etc.
Again, I'm not saying that Crush's algorithm can't be good, but I'm a bit sceptical about claims like "in an absolute super-secure way".
Crush:
@f0dder:
Entropy is only a very small indicator for security. Try the other tests in Cryptool like the runs or vitany tests. They give much more information about the quality of the encrypted code and special ranges of these tests have been declared as main arguments in the FIPS-benchmarks of NIST to select the winners of their encryption contests. I can only repeat that I know all the other standard encryption-schemes, how they work, that mine isn´t worse and I even declare how it differs to the others. Even different products with the same AES encryption are different in security. Some products are told to contain a backdoor, others that their algorithm isn´t unbreakable. With the use of OTPs you can create unbreakable code. It´s a pity that I don´t have a quantum-line to ensure 100% transfer of the key or the OTP. I really spent a lot of time and great efforts in the development of these algorithms. It seems that you trust too much in open source. Open source is a good thing to show others how to do special solutions or to create free programs for others. In such things like encryption I personally don´t trust very much in the security of open encryption algorithms that everybody can access and analyse. The "open" that is in most cases a good thing is in this case a weak point. Additionally, I perhaps want to make a commercial product out of Cryptonizer with some other new features I don´t want to reveal now and these are the reasons why I don´t want to spread the source everywhere. Some time ago people thaught DES or AES128 would be secure like you do now for AES that seems not to be very secure to me as your guru Bruce Schneier wrote. During the AES process, everyone agreed that Rijndael was the risky choice, Serpent was the conservative choice, and Twofish was in the middle. To have Serpent be the first to fall (albeit marginally), and to have Rijndael fall so far so quickly, is something no one predicted.
--- End quote ---
I become a little bit sceptic when I see that NIST and the NSA wants everybody to use AES for public encryption. Would they really want you all to use an encryption they cannot decrypt without big efforts? Organisations that insist and live from controlling, information gathering and knowing everything about everybody doesn´t seem to be a trustful source for hints and tips. But if you trust in public recommendations of the inventors of the gigantic Echelon project :o , ok - it´s your decision :P.
@dcm_rush
Thank you for your words not to totally shut the eyes for new developments :Thmbsup:. With such an attitude I would never take a close look to other programs like FARR, fSekrit ;) or other cool things you can find here or anywhere else. I posted the code to other programmers that also said to me this could be a too simple way of encryption. After taking a look on it they admitted it´s impossible for them to say something about it´s safety but the principle should work. If someone has questions I will be here to answer them as good as possible. I started to work on this encryption about 6 years ago for granting a very secure user validation to access a delicate program I made for a big concern and I also want to use it for other things I created in the future. You can believe me. It´s not done just for fun over the weekend. If I see other new cool ideas and improvements I´ll try to integrate them into my Cryptonizer algorithm to even make it better.
f0dder:
I really spent a lot of time and great efforts in the development of these algorithms.-Crush (December 29, 2008, 03:59 PM)
--- End quote ---
I'm not saying you didn't, and I'm not saying your algorithm is bad, or that Rijndael is the best algorithm. What I am saying is that a new algorithm shouldn't be trusted until it has been through rigorous testing by a lot of people.
It seems that you trust too much in open source. Open source is a good thing to show others how to do special solutions or to create free programs for others. In such things like encryption I personally don´t trust very much in the security of open encryption algorithms that everybody can access and analyse.-Crush (December 29, 2008, 03:59 PM)
--- End quote ---
Forum regulars will know that I'm not an open-source zealot. But for something as critical as encryption, there's no way I'd ever use a closed-source algorithm - security through obscurity never worked. Without peer review, the only guarantee I have that your algorithm is good is your words. Try seeing things outside your own perspective - would you trust business- or life-critical data to a random guy?
(Please keep in mind that I'm not saying you're untrustworthy or anything silly like that, but I don't have any particular reason to trust you either)
The "open" that is in most cases a good thing is in this case a weak point.-Crush (December 29, 2008, 03:59 PM)
--- End quote ---
Why? If it's open, multiple people can look for flaws in the algorithm. Of course this doesn't to most people, as it takes a lot of math background to do crypt-analysis, but keeping it closed gets you zero peer review.
Additionally, I perhaps want to make a commercial product out of Cryptonizer with some other new features I don´t want to reveal now and these are the reasons why I don´t want to spread the source everywhere.-Crush (December 29, 2008, 03:59 PM)
--- End quote ---
You can make a commercial product even if the algorithm is open - there's a lot more to systems using encryption than just the algorithm used. I'd personally never use a product using a proprietary algorithm though, and I'd advice everybody against doing so, too.
Some time ago people thaught DES or AES128 would be secure like you do now for AES that seems not to be very secure to me as your guru Bruce Schneier wrote.-Crush (December 29, 2008, 03:59 PM)
--- End quote ---
That sounded slightly patronizing... if I was a Schneier I'd probably have been running around in circles promoting Twofish, don't you think? I do believe he often has som very sensible things to say, though.
I become a little bit sceptic when I see that NIST and the NSA wants everybody to use AES for public encryption. Would they really want you all to use an encryption they cannot decrypt without big efforts? Organisations that insist and live from controlling, information gathering and knowing everything about everybody doesn´t seem to be a trustful source for hints and tips.-Crush (December 29, 2008, 03:59 PM)
--- End quote ---
Ah, don't we love a good conspiracy theory? :)
Rijndael might have been chosen for backdoors, but I kinda doubt it - part of the focus for choosing an AES algorithm was decent software performance and efficient hardware implementation. Remember that the idea behind AES was finding a standard algorithm that would be widely deployed - and that the process started back in 1997, where processing power was a lot more limited than it is today. While I do believe in being skeptic and find conspiracy theories amusing, I don't believe the NSA is able to break, for instance, 256-bit Rijndael.
As for Echelon... heh. Yes, there's a lot of filtering, data collection and cross referencing going on, and it's scary what kind of information can be pieced together (especially in the .us) - and several countries do run Carnivore software at the ISPs border gateways. But the system is still nowhere near what the media scare claimed, and realtime bruteforcing of all encrypted traffic? Riiiiiight.
@dcm_rush
Thank you for your words not to totally shut the eyes for new developments :Thmbsup:. With such an attitude I would never take a close look to other programs like FARR, fSekrit ;) or other cool things you can find here or anywhere else.-Crush (December 29, 2008, 03:59 PM)
--- End quote ---
I'm not shutting my eyes for new development - agan, I'm only saying that
1) new algorithms shouldn't be trusted until they've been thoroughly tested
2) you shouldn't trust closed-source algorithms
I posted the code to other programmers that also said to me this could be a too simple way of encryption. After taking a look on it they admitted it´s impossible for them to say something about it´s safety but the principle should work.-Crush (December 29, 2008, 03:59 PM)
--- End quote ---
Not everybody who's a programmer is a cryptanalyst...
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version