QuoteReplyTopic: What would be the most secure cipher? Posted: 05 August 2005 at 6:50pm
Hi folks,
I'm re-designing an old password manager, you know a web app that manages all my passwords, forums/shops/servers whatever, they are so many, you really need something like this, however, I need the data to be encrypted on the database, so if anyone breaks into my database server, he won't have a clear view of all my passwords.
It must be a symmetric cipher, so it can de decrypted back to clear text to be read by me when I need to login somewhere, I've collected a few symmetric ciphers, but not sure which one to go for, it must be one that's hard to decrypt using brute force/dict or computing power, which of these is the better:
If 1 encryption method is good, a pass against the output with a 2nd encryption method and different key is better.
Incorporating a retrieved MAC address and/or CPU ID in the
key can limit the machines that can use the key. You can do it
either/or server and client side.
For the network, in addition to data encryption use 128-bit SSL encryption and Kerberos for device authentication.
Edited by dpyers - 05 August 2005 at 8:36pm
Lead me not into temptation... I know the short cut, follow me.
DES is only 56 bits. AES will give you up to 256 I think. Blowfish is
160 bits. (All off the top of my head - double check that.)
But the number of bits will only affect direct attacks on the actual
cipher used. And since anything at 128 or higher is basically
not-crackable, the only real way to crack a password is through brute
force. (If anyone has cracked AES or any of the others, they aren't
saying anything - it's really rocket science to do so and only major
research labs have the man power to even attempt it.)
That being said, no matter what cipher you use, they are all basically
the same against a brute force attack whether it's 2-bits or a million
bits.
Given the state of computing power, the best way is to come up with a
password that is long enough to require an unreasonable amount of time
to crack. Over a network, this is makes things even slower, but on a
local machine, it's much faster.
A key of 6 characters is easily quickly cracked. Once you get up to 8
or more, it becomes incredibly more difficult. Including upper and
lower case, numbers, and symbols makes the space much larger and more
difficult to crack.
A password that includes 10 characters with upper, lower, numeric, and
symbols would take longer than the universe has been around to crack by
brute force.
A solid password creation technique that I use is to create a phrase
and add something else like a number or symbol to the phrase. This
renders brute force impossible and makes the password easy to remember.
e.g. "ThisismyPassword123" or "trytocrackthisbuddy)(*", "In the
beginning, I created the world! 666".
The space for upper, lower, numbers and symbols is 26 + 26 + 10 + 30
(about) = 92. The space for a dictionary attack is all the words in the
dictionary, and using only the 1,000 most common words, this is already
1,000, or using a comlete dictionary is about 50,000, but we'll use
10,000 as that's closer to the number of words that people actually
know.
So a 10 character password space is 10^92 (about) (= 1*10^92) and a 4
word passphrase with "3 character extra" (as above) space for a
dictionary hybrid attack is 4^10,000 * 3^92 (= 3 * 10^6,064).
If you brute force the passphrase above, assuming the words are 4 characters each, the space is 4 * 10^117.
In either case, the space is far too large for a brute force attack by even the most determined hacker.
In short, the longer a password, and the more types of characters included (upper, lower, numbers, symbols), the safer it is.
Thx, the whole app is run off a 128bit SSL pipe, and there's safeguards to check if SSL is really on or login is not possible.
Good points being made, but I can't check against CPU ID, because I could be anywhere in the world and need to access my passwords to login in different places.
Encrypting the already encrypted is a very good idea, however it takes key management to a new level, but I will definately explore this.
My passwords in particular are all around 15 chars and have a mix of numbers, my master password, the one that accesses all passwords, will also have a mix of some hexadecimal that makes sence to me, so I'll remember, this password can't have UPPER/lower chars since it loses case sensitivity on hashing, but it's very strong never the less.
I'm just having difficulty in finding a good AES or Blowfish functions out there for ASP (not .NET), I have code for both but it's very hard to work with, I would prefer a function that one call aesEncThis(str, key) and there you go, anyone knows where I can get this? AES, Blowfish or any other strong reversible encryption will do.
I came up with my own encoding to be used temporarily until I find a stronger function, it basically converts every char to ASC, then HEXed, and I spice it all up with a ginger, this ginger can only have a max value of 255 because of the ASC.
This is very weak, so I further enhanced it with an alternate method to add and take from the result based on the ginger, this goes for every char, quite difficult to reverse, observe;
My name [F6EAE7D1C1CBC7CCD6CBD1D6] with a ginger of [130], the ginger is different for evey record and also changes when editting to stir the soup a bit every now and then.
[D1] there is an [S] but as the ginger changes so the result of [S] which will then be something else, offcourse a ginger of [0] will give pure ASCed encoded results, but I check that the ginger is generated always btw 100 and 255, this function is blazing fast and preserves case.
I'm still looking for proper, strong encryption functions, if any of you know where I can get them, please let me know.
This is a password manager application and must be a web application for me to make any use of it.
Say I travel to Saudi Arabia and need to login here at WWF, but I don't remember my passowrd, so I login to my application retrieve the cretedentials and I'm set.
If I am to carry a CD with that, the computer I will be using there, might not have a CD-Rom, not working, not allowed, whatever, the CD could get bust, lost, stolen, scratched, whatever, so it's not pratical, at least the Internet, I will always have wherever I go or stay, that's the whole point to have this data avalable online.
Due to it's volatile nature however, I need it secure, still could find any easy to use ASP encryption functions, and I'm thinking on using MySQL internal AES, MD5 and Blowfish/Twofish functions, never done this before but I heard it's very easy.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum
Web Wiz is the trading name of Web Wiz Ltd. Company registration No. 05977755. Registered in England and Wales.
Registered office: Web Wiz Ltd, Unit 18, The Glenmore Centre, Fancy Road, Poole, Dorset, BH12 4FB, UK.
Prices exclude VAT at 20% unless otherwise stated. VAT No. GB988999105 - $, € prices shown as a guideline only.
Topic Options
Post Options
Thanks(0)
