Do you know a library in ActionScript 3 that can encrypt and decrypt using the TwoFish algorithm?
I have been using as3crypto for other cryptographic algorithms, but unfortunately, it doesn't seems to handle Twofish...
Thanks!
Unfortunately, I do not believe there is. I did a light search a little while back looking for such a library but there was not much. What I had planned on doing and what seems to be your best option, is to possibly roll your own? There are plenty of examples of implementation of the cipher that you can find through Google. I would go by a C# example and convert it over. Let us know if you do that so others can use it!
Twofish was Bruce Schneier's entry into the competition that produced AES. It was judged as inferior to an entry named Rijndael, which was what became AES.
However, there is a third-party encryption library for ActionScript that includes AES.
http://code.google.com/p/as3crypto/
Related
i'm a novice and trying the security shepard project where you have to pass challenges. https://www.owasp.org/index.php/OWASP_Security_Shepherd
I did all of the challenges but one that i have a really a hard time with.
To complete this challenge you have to find the key to an encryption method.
They just give you an application that can decrypt encrypted text.
IAAAAEkQBhEVBwpDHAFJGhYHSBYEGgocAw== gives This crypto is not strong.
Unlike other challenges there is no information in the source code.
I don't understand how I'm supposed to proceed.
Thanks
Instead of trying to find the algo, just try to find the algos which are most unlikely to be possible. for a instant, this is not a classic mono-alphabetic or key-less transposition cipher. On the other hand compare input and output bit sizes. Narrow down your possibilities like that and it will helps you to decide which cryptanalysis method to be used.
This may be not the perfect approach, but sure it's a start.
I have been reading up on encryption algorithms and am trying to implement them with my research without using any libraries. However, I am finding it a bit difficult to understand how they work.
The algorithms I have looking at in particular are,
triple des - uses 3 keys, 1st to encrypt, 2nd to decrypt and third to encrypt again
RSA - uses large positive integers to generate encryption and decryption e.g., e,d and n
AES - uses substitution permutation with fixed blocks of bits and key size.
I have searched online and came across many libraries like cryptoJS, OpenPGP and cryptico but am finding it hard to follow the code - because of being new to them.
I understand the main idea behind them but finding it difficult to put in code, please can someone guide me - is there any psuedo code/psuedo algorithm that I can use or make reference to when implementing.
I have implemented AES and DES on Java. For my experience, If you know theory everything is very simple. You can get MIT or Stanford course of cryptography. Anyway first off all you should know theory. After that there are too many implementations at Github. You may even use Youtube to see how algorithm encrypts on sample data.
To be honest I love resources of Ruhr University Bochum. AES/DES are chapter III, IV. This is official web page link. They have recorded video lectures and also free book, named "Understanding cryptography" published by Springer.
P.S BouncyCastle is very popular library. It is very well implemented on Java. You can look at this too.
I don't know much about the heavy math behind cryptosystems, I get stuck when it gets bad with the Z/nZ algebra, and sometimes with all these exponent of exponents. It's not I don't like it, it's just that the information you find on the web are not easy to follow blindly.
I was wondering: how reliable can a algorithm be when it encodes a message into plain binary. If my algorithm is arbitrary and known only to me, how can a cryptanalist study an encrypted file and decrypt it, with or without having the decoded file ?
I'm thinking about not using ASCII text to code my message, and I have some ideas to make this algorithm/program.
Attacking a AES or blowfish crypted file is more trivial for a cryptanalyst, than if the algorithm the file is encrypted with is unknown to him, but how does he do then ?
I don't know if I understanded well, but a CS teacher once told me that codes are harder to crack that crypted ciphers.
What do you think ?
Attacking a AES or blowfish crypted file is more trivial for a cryptanalyst, than if the algorithm the file is encrypted with is unknown to him...
What about:
Attacking an untested self written algorithm with no real research is more trivial for a cryptanalyst, than if the algorithm the file is encrypted with, is a well known and proofed one, that has been correctly used....
In short, DO NOT roll your own cryptography unless you're an expert, no unless you're part of an expert group in that field.
Nintendo failed when they implemented RSA on their own in the Wii, Sony failed too when using it in the PS3 (they pretty much used XKCD's random number function for M...)
And you really think you can win by using security by obscurity?
PS: That doesn't mean that you should take the Wikipedia entry on RSA and roll you own implementation from that one (that's exactly were Sony and Big-N failed), no use a tested, open source implementation.
You seem to be using two words interchangeably but remember that Encoding is Not Encryption
When the attacker has no idea which algorithm you used and it is safe, cryptoanalyst has a hard job. So it is unimportant if you use AES or your own cipher as long as it is as strong and safe as AES. Here is the but. Cryptography is a bit demanding and therefore you have many ways to shoot yourself in a foot without knowing it. I would suggest using standard algorithms, maybe with some safe variations.
Common wisdom is that you should not build your own algorithms, and especially not rely on these algorithms remaining secret.
The conceptual reason is that good encryption is about quantified confidentiality. We do not want our secrets to get cracked, but in a more precise way we want to be able to tell how much it would cost to crack our secrets (and hopefully show that the cost is way too high to be envisioned by any entity on Earth). This is the real advance which occurred a few years after World War II: to understand the distinction between key and algorithm. The key concentrates the secret. The algorithm becomes the implementation.
Since the implementation is, well, implemented, it exists as some code or a device, which is tangible and stored even when it is not used. Keeping an implementation secret requires keeping track of the hard disk on which the code resides at all times. If the attacker sees the binary code, he may be able to reverse-engineer it, something which depends on his wits and patience. The point here is that it is very difficult to be able to say: "it costs X dollars to recover a description of the algorithm".
On the other hand, the key is short. It can be stored safely much more easily; e.g. you could memorize it, and avoid committing it to any permanent storage device. You then have to worry about your key only at times when you use it (and not when you do not, e.g. in the middle of the night, when you sleep). The number of possible keys is a simple mathematical problem. You can easily and accurately estimate the average cost of enumerating the possible keys until your key is found. The key is a sturdy foundation for quantified security.
So you should not roll your own algorithms because then you do not know how much security you get.
Also, most people who rolled their own algorithms found out, usually the hard way, that they did not get much security at all. Designing a good encryption algorithm is hard, because it cannot be automatically tested. Your code may run, and properly decrypt data that it encrypted, but it tells you nothing about how secure the algorithm is. The design of the AES was the result of a process which took several years and involved hundreds of skilled cryptographers (most of whom had a PhD and years of experience in academic research on symmetric encryption). That a lone developer could do as well, let alone better, in the secrecy of his own workshop, looks kind of... implausible.
The biggest part of your strategy is called "security through obscurity." You're making the gamble that, since nobody knows the precise details of your little variation on an idea, they won't be able to figure it out.
I'm not a security expert, but I can tell you that you probably won't come up with something incredibly new. Cryptography has been studied by people for millenia and your idea is highly unlikely to be original. Even if you're a relatively good programmer and code something really tricky, the question will come down to who you're up against. If you're just trying to protect your data from your kid sister, then it will probably be fine. On the other hand, if you're using it to send credit card numbers across the internet, then you're doomed to fail. It will be analysed in ways you didn't think of or don't know, and ultimately cracked.
Another way to think of it: algorithms like AES have been extensively studied by professionals in the field and its level of security is pretty well understood. Anything you come up with by yourself will not have the benefit of having been attacked by the best and brightest minds out there. You will have almost no idea of how good it actually is until people start reporting identity theft.
Is there any ways to try to guess encryption algorithm used to encrypt the ciphertext?
Yes. There are some differences:
Is it a block cipher or not can be guessed from the length.
Block length
Entropy of the output (are all characters equally present? / can patterns be found?)
Recurrences (CBC or not...)
The entropy of the string is probably the best hint. A simple method to determine it is probably trying to compress it. Some methods can be found here: http://www.random.org/statistics/ They use them to make sure their numbers are as random as possible.
I've got no idea if it's really possible to determine the encryption using these methods.
Tools to see it:
PEiD with the Krypto Analyzer (KANAL) plugin
IDA Pro with the Findcrypt plugin
OllyDbg with the SnD Crypto Scanner
x3chun's Crypto Searcher
Keygener Assistant
Hash & Crypto Detector (HCD)
Draft Crypto Analyzer (DRACA)
but all to executables.
found here : http://fwhacking.blogspot.com.br/2011/03/bfcrypt-crypto-scanner.html
Quite often this information is readily available - in a good encryption scheme, only the key needs to be secret, not the algorithm used.
There are analyses you can can perform to test for particular encryptions, consult a textbook on cryptanalysis for details!
You can try fbcrypt which will scan for known hash & crypto signatures: http://fwhacking.blogspot.com/2011/03/bfcrypt-crypto-scanner.html
For now it supports MD5, CRC32, Blowfish, DES and SHA256, but more will be added soon. Anyway as the source is available you can also add your own.
It depends if you're talking about "raw encrypted data" (in that case you can use methods such as listed by "gs" in the other answer) or an encrypted file in some standard format (the most common are CMS/PKCS#7 and OpenPGP); in the latter case the encryption algorithm is explicitly indicated in the metadata contained in the very file.
For CMS you need an ASN.1 decoder such as command-line dumpasn1 program or my own web-based Javascript decoder while for OpenPGP you can use pgpdump.
How to write a BlackBerry program for AES/CBC with Initialization Parameter ecncryption and Decryption
and this encryption and decryption should work independent on Programming language
Ex= If I encrypt some data using BlackBery I must be able to decrypt the same data using Java Program.
Thanks
Deepak
The decryption half of your question is answered here: decrypting data with AES/CBC/PKCS5Padding using blackberry
It should be easy to figure out encryption using the same pattern (use Encryptor instead of Decryptor engines, etc).
Have you read this KB article? http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/348583/800332/800779/How_to_-_Use_Basic_Encryption.html?nodeid=800640&vernum=0
You will also need to use net.rim.device.api.crypto.CBCEncryptorEngine on top of the AESEncryptorEngine (and similar for decryption).
CBCEngine allows you upto 16 bytes for across platform. so donot use CBC. try to use the default supported cipher engine.
I think ECB will be great if you use.
Thanks
Sunil Kumar sahoo
Actually, you write your own code for AES algorithm and CBC mode, it is quite simple, around some hundreds of code lines. And, there should be reference implementation in Java language.