comp.programming

A new encryption software of mine

Mok-Kong Shen

6/8/2014 1:46:00 PM

I have written a new encryption software:

http://s13.zetaboards.com/Crypto/topic/...

For critiques and comments I should be very grateful.

M. K. Shen
2 Answers

Kaz Kylheku

6/8/2014 5:49:00 PM

0

On 2014-06-08, Mok-Kong Shen <mok-kong.shen@t-online.de> wrote:
> I have written a new encryption software:
>
> http://s13.zetaboards.com/Crypto/topic/...
>
> For critiques and comments I should be very grateful.

Here they are:

- Find a proper place to host your code. A posting in a web-based
discussion board is not a good place.

- Write a *document* which describes your algorithm and argues
for its security. Real developers of crypto do not just write code; they
write papers (in addition to reference implementations, which are
secondary).

- Your approach is naively weak, and has a dependency on the Python built-in
PRNG, which is not suitable for this kind of use in the first place.
You're synchronizing PRNG seeds on the two communication ends and performing
some naive scrambling based on identical PRNG sequences. This will keep your
9 year old kid sister from reading your instant messages, but not your
government.

- Your biggest problem is the following belief, taken directly from your header
comment:

"for securing the communication security of communications of
the targeted users of his software, namely the common people,
the most overall optimal scheme would be one that is as simple
as is program-technically feasible (such that users with certain
minimum programming knowledge would be able to easily thoroughly
understand/verify the coding)"

You're saying that the security of someone's communication should be limited
by the degree to which he or she has software skills: a person only
deserves crypto whose implementation he or she can understand. So millions
of people who don't know anything about programming should have shitty
security. This is an extremely wrongheaded principle. People who have no
programming knowledge still have economically valuable secrets which make
them a target for eavesdroppers.

"Most overall optimal": what does that mean? "optimal" already means "most",
first of all: when you improve some parameter of a system so that it cannot
be improved any more, then that system is simply optimal in that parameter;
it is not "most optimal". What is it that you think you're optimizing?
As far as I can tell, you're optimizing the speed with which someone can
obtain a fool's credit card number from an e-mail.

Your program is *not* actually easy to understand for the common people;
it does not meet the stated goal. The "minimum programming knowledge"
among the common people is actually zero! Though your encryption is not
sound from a cryptographic point of view, it still requires significant
programming knowledge to understand. If it were to be widely used, most of
the users, the common people, would simply be trusting the code without
understanding it, the same way they trust the AES encryption in their
browser, and so on.

- Your program has a terribly user-hostile interface. For example, users have
to specify the alphabet they are using. The program later blows up if a
character occurs which is not in that alphabet. There is no reason anyone
would want to use this program in favor of something simple to use, like say
the AESCrypt utility which integrates with the Windows shell so you can
just right click on a file, select AES Encrypt from the context menu,
put a password twice into the dialog and you're done.
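
An added illustration of the point in the reply above that Python's built-in PRNG is not suitable for this kind of use (not part of the thread and not taken from the posted software): the `random` module is a Mersenne Twister whose whole internal state can be rebuilt from 624 consecutive 32-bit outputs, after which every later output is known. The seed value and the assumption that raw outputs are visible are constructed for the demonstration; it does not model how the posted program consumes the generator.

```python
import random

def _undo_right(y, shift):
    # Invert the tempering step  y ^= y >> shift
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x

def _undo_left(y, shift, mask):
    # Invert the tempering step  y ^= (y << shift) & mask
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF

def untemper(y):
    """Map one 32-bit MT19937 output back to the state word it came from."""
    y = _undo_right(y, 18)
    y = _undo_left(y, 15, 0xEFC60000)
    y = _undo_left(y, 7, 0x9D2C5680)
    return _undo_right(y, 11)

def clone_from_outputs(outputs):
    """Build a random.Random that continues the source generator's sequence."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    words = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # (version, 624 state words + position index, gauss_next); index 624
    # means "regenerate the state block before the next output".
    clone.setstate((3, words + (624,), None))
    return clone

def demo():
    sender = random.Random(0xC0FFEE)   # constructed stand-in for a shared seed
    observed = [sender.getrandbits(32) for _ in range(624)]
    clone = clone_from_outputs(observed)
    future = [sender.getrandbits(32) for _ in range(16)]
    predicted = [clone.getrandbits(32) for _ in range(16)]
    return future == predicted         # seed never disclosed, output still known

if __name__ == "__main__":
    print("future output predicted without the seed:", demo())
    # For key material, the standard library's CSPRNG interfaces are
    # the `secrets` module and os.urandom, not `random`.
```

The Python documentation for `random` carries the same warning: the module is intended for modelling and simulation, and `secrets` is the one to use for security purposes.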

Mok-Kong Shen

6/9/2014 7:21:00 AM

0

On 08.06.2014 15:45, Mok-Kong Shen wrote:
> I have written a new encryption software:
>
> http://s13.zetaboards.com/Crypto/topic/...
>
> For critiques and comments I should be very grateful.

I would like to add that in the prologue and epilogue of the
software document I have given some rationales of the
design, in particular concerning the use of Python's
built-in PRNG. Certainly, these are merely my humble attempts
to justify the design and not any proofs of security of
the scheme. Hopefully, however, they might eventually
entice certain constructive critiques from the experts,
leading possibly to some feasible improvements and/or
corrections of my design.

M. K. Shen