final php versions of fwPack and fwUnpack

Mark Brownell gizmotron at earthlink.net
Wed Mar 3 19:07:00 EST 2004


On Tuesday, March 2, 2004, at 09:07  AM, Richard Gaskin wrote:

> As I mentioned in the article, I'm pretty ignorant on encryption, esp. 
> compared to seasoned cryptohobbyists like Mark Brownell.  So here's a 
> question I can't answer about my own code:
>
> If one were to try to characterize the relative strength of the "MDX" 
> algorithm used in fwPack/fwUnpack, what phrase would be appropriate?

This is just too juicy to pass up. How about "Don't forget to drink 
your chocolate flavored Ovaltine."

> For example, we hear about 128-bit encryption, but I couldn't find a 
> primer dumbed-down enough to explain what that means in lay terms.

I need to see what controls there are for the "MDX" algorithm's 
password length before I can determine the bit level. In other words I 
just started looking at it.

Blowfish uses more than 500 iterations of changes on two 32 bit blocks 
at a time sending them left and right through each other. Blowfish is a 
64 bit block-cypher. One very important recommendation while using 
powerful block-cyphers is in not doing so in a way that all you end up 
getting is a fixed code book kind of result. This fixed code book type 
is referred to as ECB, Electronic Code Book. One way to avoid creating 
a fixed code book is to use the first 32 bit word to XOR the next 32 
bit word then use the second 32 bit XORed word to XOR the third 32 bit 
word. This alone would still be a weaker form of encryption. What can 
really change things is to either pass eight unrelated secret 
characters to XOR the first eight characters or to pad the text to be 
encrypted with eight randomly generated characters first. When 
decoding takes place the additional characters can be removed before 
viewing the text. This is known as CBC, Cypher Block Chaining.

If you add eight randomly chosen characters & CBC to your MDX, then it 
will be much harder to crack your 32 bit (I guess) encryption level. I 
need to look at it closer. It looks like you are XORing one char at a 
time. This would make it an 8 bit block cypher.

Here is how Blowfish increases encryption levels. If a user uses 32 bit 
level then four characters are used over and over to encrypt with. 
Other levels are 64 bit uses 8 characters, and 128 bit uses 16 
characters. All example keys for Blowfish are 56 characters long.

Example 32 bit 56 char key:
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

Example 64 bit 56 char key:
abcdefghabcdefghabcdefghabcdefghabcdefghabcdefghabcdefgh

Example 128 bit 56 char key:
abcdefghijklmnopabcdefghijklmnopabcdefghijklmnopabcdefgh


> Also, how easy would it be to crack MDX?
>
> -- 
>  Richard Gaskin


If a programmer had the MDX algorithm then a brute force attack would 
take about one minute to one hour. The 54 bit encryption level was 
cracked by a brute force attack using several computers in a long 
weekend. The trick is to just try every possible access key; eventually 
you get the one that works. If your access key is only four characters 
then there are only 256*256*256*256 (4,294,967,296) possible keys. If 
your algorithm restricts characters to the first 128 ASCII characters 
then there are only 128*128*128*128 (68,435,456) possible keys. (This 
is assuming a four char key that I saw on the list as an example.)

So one way to stop the practicality of brute force attacks is to 
deliberately put a one second delay on processing the algorithm. If 
your application or CGI has a password input point then this one second 
delay will make a brute force attack difficult.

100,000,000 brute force attempts with a one second delay would take 
more than three to four years on a single computer. It would take 1000 
computers hitting your CGI continuously to get past half of the 
possibilities in a single day or two. I doubt if that is even possible.

More later... I'm out RVing

Mark
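
Added example, not part of Mark's message and not the fwPack/MDX or Blowfish code: a Python sketch of the ECB versus CBC difference discussed above, using a toy 64-bit Feistel cipher as a stand-in block cipher. The key, the message, all function names and the usual previous-ciphertext-block form of CBC chaining are assumptions of this example, and the message length is assumed to be a multiple of 8 bytes.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, the Blowfish block size given in the post

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt_block(block, key, rounds=8):
    # Toy Feistel cipher on two 32-bit halves: a stand-in, NOT Blowfish.
    left, right = block[:4], block[4:]
    for i in range(rounds):
        left, right = right, _xor(left, _f(right, key, i))
    return left + right

def decrypt_block(block, key, rounds=8):
    left, right = block[:4], block[4:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _f(left, key, i)), left
    return left + right

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(plain, key):
    # Blocks encrypted independently: equal plaintext gives equal ciphertext.
    return b"".join(encrypt_block(b, key) for b in _blocks(plain))

def cbc_encrypt(plain, key):
    # XOR each block with the previous ciphertext block; a random 8-byte IV starts the chain.
    out = [os.urandom(BLOCK)]
    for b in _blocks(plain):
        out.append(encrypt_block(_xor(b, out[-1]), key))
    return b"".join(out)

def cbc_decrypt(cipher, key):
    blocks = _blocks(cipher)
    return b"".join(_xor(decrypt_block(c, key), p) for p, c in zip(blocks, blocks[1:]))

def repeated_blocks(cipher):
    blocks = _blocks(cipher)
    return len(blocks) - len(set(blocks))  # blocks duplicating an earlier one

KEY = b"abcdefgh"  # constructed sample key
MESSAGE = b"USER=bob" * 3 + b"ROLE=usr"  # constructed; length is a multiple of 8
```

Counting repeated ciphertext blocks with repeated_blocks() is a quick check for code-book behaviour in an existing format: the ECB output of MESSAGE repeats, while the CBC output does not and changes on every call.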






