How can I test encryption strength?

Posted on 2008-06-22
862 Views
Last Modified: 2008-06-28
I'm going to store encrypted text in my database. But before that I want to test whether the encryption is acceptable enough. The thing is that I've encrypted a 4-letter word and the encrypted string is only 12 characters, and that seems a bit "weak".

I need some kind of assurance. Is there software that tries to decrypt encrypted data?
Question by:Alfahane
6 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 21842915
Depends on what you are using to encrypt it. 3DES is secure enough for almost anything, and has an 8-byte data block size (so outputs 8 characters' worth of encrypted data); that's 8 bytes of binary though, so after some sort of bin 6/4 encoding you would probably end up with about 12.

If you are storing 4 characters though (and characters, not binary bytes) then you are looking at around 2^24 possible outputs no matter how secure the crypto is, which isn't good enough. You are going to want random padding to try and block that out enough to be more secure.
 

Author Comment

by:Alfahane
ID: 21842936
I'm using this method:
http://aspencrypt.com/task_creditcard.html
What do you think about this method?

I was also thinking of salting the text string before encrypting. Also, I was thinking of storing the salt encrypted with the method above.
 
LVL 33

Accepted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 21842980
Looks ok. It's using RC2 (and Rivest usually knows what he is doing :) with a 128-bit key; I would suggest (given you aren't using a hash but invertible crypto) that you don't salt, but pad. In case you are wondering, padding is code you don't need to look at but can discard without examination: if you are encoding a fixed-length string of four bytes, and want an 8-byte input, then you generate 4 random characters, append them, then after decryption truncate and discard them. By never needing to know or care what the 4 bytes were, you have no need to store them.

Also, if you are storing decimal digits (rather than characters) you might want to consider packing. You can conveniently pack two decimal numbers into one byte (at the simplest, just convert to a number 00->99, then add 32 and convert to an ASCII character with the usual function), which will leave more space for your random padding and increase the entropy of your input block.

I would look askance at the idea of storing a fixed key in the registry though; security through obscurity rarely works.

 

Author Comment

by:Alfahane
ID: 21842999
Great suggestions.

Yes, the encryption key storage is a problem, but I really don't have an idea where to store it. I need it to encrypt data when users register and/or edit their info. The only info stored will be name, email, address etc, but not credit card or something like that.
 

Author Comment

by:Alfahane
ID: 21843006
Regarding padding, should I randomize the length? Does it make any difference to the hacker whether the padding length is known?
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 21844160
A lot depends on what you are doing, I guess. Storing keys securely is one of the hard bits of crypto; if possible, you should arrange for this to require a number of things, including an active link to the database and a physical token (or even keyboard entry on startup, but that makes automated restarts a pain).

I think the problem isn't the automated encryption, but the automated *de*cryption. If you were encrypting only, you could use asymmetric techniques and the problem would go away.

Regarding padding: if the data is less than one block (8 bytes, or more accurately 64 bits) then you should pad to the next block boundary; if you have more than one block's worth, you can safely pad with zeros, but should use some chained crypto mode (CBC for example) rather than straight block-by-block crypto; that way, the "short" last block is also dependent on all blocks that preceded it.

One option there is to pad the *first* block so that your data comes out at an even number of blocks; that ensures that the same data encrypted twice doesn't come out as the same cryptotext (well, not really; but for one byte of padding, there are then 2^8 different possible cryptotexts, given the same key). Having an entire block of padding is called an initial vector, or IV for short; this is frequently done with large encrypts, as it ensures that there are 2^64 different possible cryptotexts for each repeated plaintext.

If your input is of variable length, then you should find some way to encode the lengths into the data (usually just prepending a byte for length is good enough) and again, pad with zeros.
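The plaintext preparation Dave describes in the accepted solution (random padding that is simply truncated after decryption, two decimal digits packed per byte with the +32 trick) and in the comment above (a length byte for variable-length data, zero padding to the block boundary, a random first block acting as the IV under CBC), as an added worked example in Python. This is not code from the thread or from AspEncrypt; the cipher call itself is left out, so each function returns exactly the bytes you would hand to a library's RC2 or 3DES CBC call, or takes back what that call decrypted. The function names, the 8-byte `BLOCK` constant and the sample inputs are this example's own assumptions.

```python
"""Preparing a short plaintext for a 64-bit block cipher (RC2, 3DES).

Added example; the cipher itself is provided by whatever library you use.
"""
import os

BLOCK = 8  # 64-bit block size of RC2 and 3DES (assumed; matches the thread)


def pack_digits(digits: str) -> bytes:
    """Pack decimal digits two per byte: '00'..'99' -> 0..99, then add 32.

    An odd digit count is handled by prepending a '0' before packing; the
    caller passes the true digit count to unpack_digits to strip it again.
    """
    if not digits.isdigit():
        raise ValueError("expected a non-empty string of decimal digits")
    if len(digits) % 2:
        digits = "0" + digits
    return bytes(int(digits[i:i + 2]) + 32 for i in range(0, len(digits), 2))


def unpack_digits(packed: bytes, n_digits: int) -> str:
    """Reverse pack_digits; n_digits is the original (possibly odd) count."""
    if any(not 32 <= b <= 131 for b in packed):
        raise ValueError("byte outside the packed-digit range")
    text = "".join(f"{b - 32:02d}" for b in packed)
    if not 0 <= n_digits <= len(text):
        raise ValueError("digit count does not match packed length")
    return text[len(text) - n_digits:]


def pad_fixed(data: bytes, block: int = BLOCK) -> bytes:
    """Fixed-length value: append random bytes up to the block boundary.

    The receiver already knows the true length, so the random bytes are
    never stored or checked; they only widen the set of possible input
    blocks (4 random bytes multiply the 2^24-ish inputs by 2^32).
    """
    return data + os.urandom((-len(data)) % block)


def unpad_fixed(decrypted: bytes, true_len: int) -> bytes:
    """Discard the random padding after decryption."""
    if true_len > len(decrypted):
        raise ValueError("decrypted data shorter than expected")
    return decrypted[:true_len]


def encode_variable(data: bytes, block: int = BLOCK) -> bytes:
    """Variable-length value: random first block, length byte, data, zero pad.

    The random first block plays the IV role described above when the
    cipher runs in CBC mode: every later block depends on it, so the same
    data encrypted twice under the same key yields different ciphertext.
    """
    if len(data) > 255:
        raise ValueError("a single length byte covers at most 255 bytes")
    body = bytes([len(data)]) + data
    body += b"\x00" * ((-len(body)) % block)
    return os.urandom(block) + body


def decode_variable(decrypted: bytes, block: int = BLOCK) -> bytes:
    """Reverse encode_variable on the decrypted bytes."""
    if len(decrypted) < 2 * block or len(decrypted) % block:
        raise ValueError("not a whole number of blocks")
    body = decrypted[block:]
    n = body[0]
    if n > len(body) - 1:
        raise ValueError("length byte exceeds available data")
    return body[1:1 + n]


if __name__ == "__main__":
    # Constructed sample inputs (not real data): a 16-digit number packs
    # to exactly one block; a short name becomes a length-prefixed record.
    number = "1234567890123456"
    block_in = pad_fixed(pack_digits(number))
    print(len(block_in), unpack_digits(unpad_fixed(block_in, 8), 16))
    name = b"Alfahane"
    print(len(encode_variable(name)), decode_variable(encode_variable(name)))
```

If the library lets you pass the IV as a parameter, generate it per record with `os.urandom(8)` and store it next to the ciphertext instead of prepending a random block; the prepended-block form is for libraries that only expose a fixed IV. Note that `pad_fixed` adds nothing to an input that already fills a block, which is exactly the case where the random first block or IV is needed. None of this authenticates the stored value: a flipped byte decrypts to garbage rather than an error, so add a MAC over the ciphertext if tampering matters.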