What would be the most secure cipher?
Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=16112
Printed Date: 31 March 2026 at 11:58am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: What would be the most secure cipher?
Posted By: theSCIENTIST
Subject: What would be the most secure cipher?
Date Posted: 05 August 2005 at 6:50pm
|
Hi folks,
I'm re-designing an old password manager, you know a web app that manages all my passwords, forums/shops/servers whatever, they are so many, you really need something like this, however, I need the data to be encrypted on the database, so if anyone breaks into my database server, he won't have a clear view of all my passwords. It must be a symmetric cipher, so it can de decrypted back to clear text to be read by me when I need to login somewhere, I've collected a few symmetric ciphers, but not sure which one to go for, it must be one that's hard to decrypt using brute force/dict or computing power, which of these is the better: DES, 3DES, AES, Serpent, Blowfish, Twofish, CAST, RC2, RC4, RC5 Do you guys know more? Which one should I go for? ------------- :: http://www.mylittlehost.com/ - www.mylittlehost.com |
Replies:
Posted By: dpyers
Date Posted: 05 August 2005 at 8:29pm
|
Interesting article I had bookmarked - http://www.techworld.com/security/features/index.cfm?featureid=1213 - http://www.techworld.com/security/features/index.cfm?featureid=1213 Regardless of which protocol you use, a couple of thoughts...
------------- 
Lead me not into temptation... I know the short cut, follow me. |
Posted By: Bluefrog
Date Posted: 05 August 2005 at 9:10pm
|
DES is only 56 bits. AES will give you up to 256 I think. Blowfish is
160 bits. (All off the top of my head - double check that.) But the number of bits will only affect direct attacks on the actual cipher used. And since anything at 128 or higher is basically not-crackable, the only real way to crack a password is through brute force. (If anyone has cracked AES or any of the others, they aren't saying anything - it's really rocket science to do so and only major research labs have the man power to even attempt it.) That being said, no matter what cipher you use, they are all basically the same against a brute force attack whether it's 2-bits or a million bits. Given the state of computing power, the best way is to come up with a password that is long enough to require an unreasonable amount of time to crack. Over a network, this is makes things even slower, but on a local machine, it's much faster. A key of 6 characters is easily quickly cracked. Once you get up to 8 or more, it becomes incredibly more difficult. Including upper and lower case, numbers, and symbols makes the space much larger and more difficult to crack. A password that includes 10 characters with upper, lower, numeric, and symbols would take longer than the universe has been around to crack by brute force. A solid password creation technique that I use is to create a phrase and add something else like a number or symbol to the phrase. This renders brute force impossible and makes the password easy to remember. e.g. "ThisismyPassword123" or "trytocrackthisbuddy)(*", "In the beginning, I created the world! 666". The space for upper, lower, numbers and symbols is 26 + 26 + 10 + 30 (about) = 92. The space for a dictionary attack is all the words in the dictionary, and using only the 1,000 most common words, this is already 1,000, or using a comlete dictionary is about 50,000, but we'll use 10,000 as that's closer to the number of words that people actually know. So a 10 character password space is 10^92 (about) (= 1*10^92) and a 4 word passphrase with "3 character extra" (as above) space for a dictionary hybrid attack is 4^10,000 * 3^92 (= 3 * 10^6,064). If you brute force the passphrase above, assuming the words are 4 characters each, the space is 4 * 10^117. In either case, the space is far too large for a brute force attack by even the most determined hacker. In short, the longer a password, and the more types of characters included (upper, lower, numbers, symbols), the safer it is. I hope that helps. Cheers, Ryan ------------- http://renegademinds.com/" rel="nofollow - Renegade Minds - Guitar Software http://renegademinds.com/Default.aspx?tabid=65" rel="nofollow - Slow Down Music |
Posted By: theSCIENTIST
Date Posted: 06 August 2005 at 1:33am
|
Thx, the whole app is run off a 128bit SSL pipe, and there's safeguards to check if SSL is really on or login is not possible.
Good points being made, but I can't check against CPU ID, because I could be anywhere in the world and need to access my passwords to login in different places. Encrypting the already encrypted is a very good idea, however it takes key management to a new level, but I will definately explore this. My passwords in particular are all around 15 chars and have a mix of numbers, my master password, the one that accesses all passwords, will also have a mix of some hexadecimal that makes sence to me, so I'll remember, this password can't have UPPER/lower chars since it loses case sensitivity on hashing, but it's very strong never the less. I'm just having difficulty in finding a good AES or Blowfish functions out there for ASP (not .NET), I have code for both but it's very hard to work with, I would prefer a function that one call aesEncThis(str, key) and there you go, anyone knows where I can get this? AES, Blowfish or any other strong reversible encryption will do. Thanks guys. ------------- :: http://www.mylittlehost.com/ - www.mylittlehost.com |
Posted By: dj air
Date Posted: 06 August 2005 at 6:59am
|
hiya. in one app im making and used in a few others i use the 2 encryption keys. Main encryption Key then for each record i use a salt key this is stored with each records is 8 charters random (new one per record). any details within this record are encrypted with the salt key. and before the salt key is entered into the database, its encrypted by the main system key and that is something like 'dfsfg_213^sd_d-Sa!' so that encrypting a 8 charecter salt key. and the salt key is encrypted after being added to the end of the record details and encrypted . its not the most secure method but the results are like 'Key=I3%A6%A4%91%82%F1%E1%D0%DB%16%08%1DrSO%3D%A0&Acc=%3C5%3C%3B%CC5&UserID=Njjh%92i%5EWdt %7F%7C&Status=%3A3%3E6%CF7%03%2D%3E2%3E%3E%2B3%2BG87%3D' that is used on another app i have, it stores the account ID, Username and a key, the key is used on the account ID and Username and status. then the key is encrypted using the system Key. |
Posted By: theSCIENTIST
Date Posted: 06 August 2005 at 8:47am
|
I came up with my own encoding to be used temporarily until I find a stronger function, it basically converts every char to ASC, then HEXed, and I spice it all up with a ginger, this ginger can only have a max value of 255 because of the ASC.
This is very weak, so I further enhanced it with an alternate method to add and take from the result based on the ginger, this goes for every char, quite difficult to reverse, observe; My name [F6EAE7D1C1CBC7CCD6CBD1D6] with a ginger of [130], the ginger is different for evey record and also changes when editting to stir the soup a bit every now and then. [D1] there is an [S] but as the ginger changes so the result of [S] which will then be something else, offcourse a ginger of [0] will give pure ASCed encoded results, but I check that the ginger is generated always btw 100 and 255, this function is blazing fast and preserves case. I'm still looking for proper, strong encryption functions, if any of you know where I can get them, please let me know. ------------- :: http://www.mylittlehost.com/ - www.mylittlehost.com |
Posted By: the boss
Date Posted: 18 August 2005 at 9:16am
burn ur data on cd.. then run the cd in grinder.. the best one way encryption one can get.. ------------- http://www.web2messenger.com/theboss"> 
|
Posted By: theSCIENTIST
Date Posted: 18 August 2005 at 11:26am
|
This is a password manager application and must be a web application for me to make any use of it.
Say I travel to Saudi Arabia and need to login here at WWF, but I don't remember my passowrd, so I login to my application retrieve the cretedentials and I'm set. If I am to carry a CD with that, the computer I will be using there, might not have a CD-Rom, not working, not allowed, whatever, the CD could get bust, lost, stolen, scratched, whatever, so it's not pratical, at least the Internet, I will always have wherever I go or stay, that's the whole point to have this data avalable online. Due to it's volatile nature however, I need it secure, still could find any easy to use ASP encryption functions, and I'm thinking on using MySQL internal AES, MD5 and Blowfish/Twofish functions, never done this before but I heard it's very easy. ------------- :: http://www.mylittlehost.com/ - www.mylittlehost.com |
Posted By: the boss
Date Posted: 20 August 2005 at 9:35am
|
well if u are goin to do this in ASP.NET then i dont think u have to depends on database server encruption.. or if u are doin it in classic asp... u may buy some inexpensive encryption component.. ------------- http://www.web2messenger.com/theboss">
|
Posted By: dpyers
Date Posted: 20 August 2005 at 2:43pm
|
I use the usb version of AI Roboform when I'm on the road. http:// http://www.roboform.com - www.roboform.com / EDIT: Current issue of PCMagazine has a good article on stuff to carry on a usb drive. Includes links to a USB version of FireFox, recommendations for mini-unix's, etc. -------------
Lead me not into temptation... I know the short cut, follow me. |
Posted By: theSCIENTIST
Date Posted: 24 August 2005 at 1:53am
|
Probably works great for you, but I still would prefer no to depend on carrying something which you may forget, lose, get it stolen or damaged, there are many possibilities that could go wrong when you carry all your passwords with you.
Another advantage of having a web app, is that your family and friends can have accounts and have their own set stored. ------------- :: http://www.mylittlehost.com/ - www.mylittlehost.com |
Posted By: wcwarren
Date Posted: 24 August 2005 at 3:45pm
|
A reasonably secure web based system will meet most needs as questions of the method of decoding a cipher assumes that a hacker even wants to! With so much encrypted data flying around why would they pick on your data anyway? Most modern cipher systems make random cracking impractical and VERY unlikely. ------------- http://www.coolestguyontheplanet.com/ - Coolest Guy on the Planet http://www.yahoo.com/ - Google is Best http://www.pottershouse.com.au/ - Potters House |