One of my friends was talking to me:
Hey you see that guy? He is a very good programmer and he knows a lot of stuff.
I asked him whether he knew anything about this encryption algorithm. He told me that he knows a lot about encryption algorithms. In fact he writes his own encryption algorithms. He told me that it is always better to write your own algorithms.
Yeah.
Now I know how knowledgeable he is.
I have small request to make to all of the self proclaimed cryptographic experts out there:
Cryptography is hard. It is hard because there are always smarter people out there who can break your home-made super-duper encryption algorithm. If you are so confident in your abilities, use your own encryption algorithms in your own applications. Please don’t give it to the public. If are sharing your application with us, specify that you are using your own encryption algorithm so that we’ll understand how awesome you are and how awesome your products will be (and probably avoid using your awful application).
I know what you will be thinking right now:
But, nobody ever cracked my encryption algorithm!
That is because nobody cares. People have their own work to do rather than trying to crack your pet algorithm. If you really want to test the strength of your algorithm, try announcing a million dollar prize for the guy who breaks it.
And please don’t spread messages like “it is always better to write our own algorithms” among us mortals. May be you can do good security on your own; we can’t.
Reminds me of the joke about using triple rot-13 rather than the less scrambled single rot-13 in usenet posts that movie spoilers.
‘me’:
The post in question starts with a quote, with the response below.
Relevant section: “”"The only circumstance in which double encryption fails it’s (naive) expectations and triple encryption should be used instead is when you are using multiple encryption in order to increase keyspace – which is usually a bad idea in the first place, you should normally use a bigger and better cipher instead. “”"
In short, layering the encryption is something you do for specific technical reasons, not something you do to generically ‘make the encryption stronger’.
cwillu,
Exactly!
Security through obscurity doesn’t work.
I totally agree with the author.
In my opinion:
* Creating your own “very secure” algorithm may take longer to design and code than using an existing algorithm.
* Existing algorithms are proven to be secure to a certain level. A custom created algorithm is not proven to be secure. Proven by yourself and your team members cannot be compared to the hundreds (or thousands) of experts who analyses popular encryption algorithms.
* The popularity or internal knowledge of how works an encryption algorithm does not necessarily expose it to be easily broken. During the initial phases of exposure to the public several flaws will be identified. People will then judge the algorithm and either people will propose corrections or it will be negatively criticized as being weak or impractical.
* As computing power gets cheaper existing encryption algorithms that were strong at certain time in history are becoming obsolete. The purpose of the algorithm will determine who strong should be the algorithm. SHA-1 (a hash function, 1 way encryption algorithm) is said to be broken because a group of people were able to find collisions requiring 2^69 operations rather than 2^80 (which would be with using brute force). There is now a SHA-2 that is stronger and there are considerations for SHA-3. The algorithm is known and overtime is getting stronger. Yet, if you will use SHA-1 for protecting the personal information of 10 users in your database you will be fine. The people hacking your database probably will waste more time and money for cracking it than what is worth (unless those 10 people are rich). Probably they will even ignore it if they see that there are only 10 users.
* A comment regarding the encryption algorithm that uses the 1 TB hard disk:
- The 1 TB disk in this case needs to be sent to your customer, which involves shipping cost taking into consideration the safety material used for transportation.
- The 1 TB hard disk itself cost few hundred dollars.
- The disk needs to be connected to the server, which involves time of a technical person (not everybody knows how to connect a hard disk and don’t ask a Manager to do it).
- You need to keep hard disks inventory, which requires space (there is an associated cost with maintaining inventory).
- Someone will need to ship the hard drives to the customers, if you do it yourself it either takes a lot of time go to FedEx or a postal office or you pay for pickup.
- A 1 TB hard disk key will take a while to be generated and it will take a while for a computer to encrypt and decrypt messages.
The point is: An encryption algorithm can be very strong but is useless if it is impractical.
* The ego of a person can make him think that his or her code is better than anyone else. It could be true, but is not practical spending 1 week (being optimistic) designing and coding an encryption algorithm if there are many available in the internet for free and with no legal implications for commercial software, and possibly in the programming language of your application.
Example: Internet search + copy paste = 2 hours (and if you are lucky on the first search hit, 5 minutes).
The person could be a good programmer, but is not efficient in his work.
* All encryption algorithms are susceptible to brute force attacks regardless how many layers you are using.
Example: There are iPhone applications for protecting your personal information that uses a 4 digits encryption password. This means that there are only 10,000 possibilities for the password (from 0000 to 9999), which could be easily cracked. A fixed length password is a lot easier to crack than a variable length especially if the characters are only digits.
I hope the guy you met wasn’t Bruce Schneier. [http://en.wikipedia.org/wiki/Bruce_Schneier]
I think he writes crypto algorithms for time pass, and heard he’s pretty good too.
Watch out for him
Jokes apart, changing your keylayout to Dvorak and typing QWERTY, and vice-versa is a good way of fooling may ‘trained’ eyes.
Carb0n,
Yeah, but that is just a simple substitution cipher!
Hi Folks,
Please get set to welcome my own encryption algo – due to be released in about 2 months from now (after successful tests). A combination of some math & probability laws makes it extremely complex to break. Currently being tested on a 24 parallel-processors hardware with 64-bit deciphers for past 30 days.
A set of hints on how it works:
a. Develop a linear-pattern tree of every unique character;
b. Obtain relative differential values from every alternate tree;
c. Build a fresh tree-set using the supplied master-password;
d. Shuffle the step “c” tree-set by generating a new seed, using a combination of the master-password and base-2048 ultra thin-recurrence likelihood probability;
e. Using the “d” seed, build the 2048-bit long index array;
f. Shuffle & obtain a new character against each user-data character through this array (total 4,294,967,296 possible combinations of each character).
The proposed name of my algorithm is: GalacticRouter.
[...] As a precautionary step you may want to make the algorithms/protocols used in your application easily replaceable. This will make your life easier when the algorithm is broken and you want to replace it. Also, as a programmer you should understand that even if the algorithm is not yet broken, your implementation may be flawed. Most of the security vulnerabilities are caused by crappy implementations of secure algorithms/protocols. And did I mention that you should not write your own encryption algorithm? [...]
Hi,
can any one tell me how to make a encyption algorithm
I have great encyption algoritm..
mailme at
ralphnaderralphnader@gmail.com
Hi,
some of you guys have forgotten one thing:
- if there were no one who tried to write a own good algorithm, there wouldn’t be a good algrithm on earth
I want to learn encryption. I know c c++ langauges. Can you suggest how should i start and from where to start??
Vivek,
Start by reading the book: Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition by Bruce Schneier
Even though the above book will give you an introduction to cryptography as a subject you should follow up by reading the book Practical Cryptography by Niels Ferguson and Bruce Schneier to be able to understand the real-world implementation of cryptography.
Read this comment too.
I am a bit confused how it is hard to create cryptography.
xor the data with a key continuing every byte as long as the key, loop at the end of the key. Then don’t give the key out. This works with all kinds of data.
I know you guys will have a fit over this, “that’s so easy to unlock”. Really? What are you going to do attempt to decrypt with every possibility of length and bit order? Fine if the key is dumb and short (“god”), if its 64 characters and doesn’t contain in standard characters you will have a bit of trouble.
Slam it all you like, if no one knows the length of the key or its contents you are going to spend a hell of a lot of time trying to decrypt that data. And by the time you find it is their grandmothers name or their birth year it wont matter.
Isn’t that the purpose to encrypt and have a simple cypher, make it hard for others to decrypt?
Door and key guys. Doesn’t matter what the door has or is, if you have the key it will open.
And never forget if there is a way in people will always find a way. That is part of our nature.
I have to also agree with MikeC
You are all making this neat-o encryption so hard when it isn’t.
And as for no one caring as the author says about your encryption, well that is the best right? The data no one tries to break would be the most secure.
Hi guys and girls
im new to this but i need someone to help me with this tool i am developing.
I need a great or rather an entertaining level encryption program for text.
Any help please email me
klashmania@gmail.com
cheers
Anon,
You are exactly the idiot that this article is intended to address. Take a look at the vigenere cipher. It’s broken. You didn’t suggest exactly that, but it’s close enough.
Want to test your theory? Send me a 10k encryption of some english text and I bet you that I’ll be able to break it. Better yet, post it right here. (And by the bye, if I can’t break it, I’ll expect you to post what you’ve encrypted and the key you used to encrypt it with, because I’d give a 95% chance you just post 10k of random data to try to prove your point.)
Fred, did you just say that if I post the sentence “Hello World” encrypted with something you would give me the password?
what you want my friend wait for corporate world to give you what you need. and they will tell you it is secured. and it was proven by them. sometimes we think the most secured and cool cipher would be compose of millions of code. look at Einstein formula e=mc2. the world is not always what we see.
i don’t know how the encryption algoritms works….
but i have a question:
one day i wanted to make a list with all my friends ip addresses
i wrote them in a txt file but i didn’t wanted anyone to see the real ip’s
so i made a batch script that when you add an ip address it will calculate it like:
if u type 192.168.1.254 it will calculate as follows:
192+255-1+2×4
168+255-1+2×4
1+255-1+2*4
254+255-1+2*4
so it will become: 454.430.263.516
How could someone that dosen’t have the batch script that i am using crack this?
i know that is kinda noob but i’m a begginer
and sorry for my english
@KyKy,
You are just adding 262 to all the numbers. It is easy to spot just by looking at them.
Just looking at the grouping of the numbers and finding the smallest and the largest numbers in the list (assuming that you provide a large enough list of numbers) will lead us to the assumption that theses are indeed ip addresses.
hi, i’m creating my own encryption algorithm. it will produce different cipher text each time even the plain text and cipher text are same. well what you think about this. for example for the first encryption with the PT “asdf” and key “lkj”, it will produce something like “q$di?~a”. for the second time the same PT “asdf” and key “lkj”, it will produce something like “w0i%e@8.