How can I test encryption strength?

Posted on 2008-06-22
Last Modified: 2008-06-28
I'm going to store encrypted text in my database. But before that I want to test whether the encryption is acceptable enough. The thing is that I've encrypted a 4-letter word and the encrypted string is only 12 characters, and that seems a bit "weak".

I need some kind of assurance. Is there a software that tries to decrypt encrypted data?
Question by:Alfahane
6 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 2000 total points
ID: 21842915
Depends on what you are using to encrypt it. 3des is secure enough for almost anything, and has an 8 byte data block size (so outputs 8 characters worth of encrypted data) - that's 8 bytes of binary though, so after some sort of bin 6/4 encoding you would probably end up with about 12.

if you are storing 4 characters though (and characters, not binary bytes) then you are looking at around 2^24 possible outputs no matter how secure the crypto is, which isn't good enough. you are going to want random padding to try and block that out enough to be more secure.
0
 

Author Comment

by:Alfahane
ID: 21842936
I'm using this method:
http://aspencrypt.com/task_creditcard.html
What do you think about this method?

I was also thinking of salting the text string before encrypting. Also, I was thinking of storing the salt encrypted with the method above.
0
 
LVL 33

Accepted Solution

by:Dave Howe
Dave Howe earned 2000 total points
ID: 21842980
looks ok. it's using rc2 (and rivest usually knows what he is doing :) with a 128 bit key; I would suggest (given you aren't using a hash but invertible crypto) that you don't salt, but pad (in case you are wondering, padding is code you don't need to look at but can discard without examination); if you are encoding a fixed length string, of four bytes, and want an 8 byte input, then you generate 4 random characters, append them, then after decryption truncate and discard them. by never needing to know or care what the 4 bytes were, you have no need to store them.

also, if you are storing decimal digits (rather than characters) you might want to consider packing. you can conveniently pack two decimal numbers into one byte (at the simplest, just convert to a number 00->99 then add 32, and convert to an ascii character with the usual function) which will leave more space for your random padding and increase the entropy of your input block.

I would look askance at the idea of storing a fixed key in the registry though; security through obscurity rarely works.
0

Author Comment

by:Alfahane
ID: 21842999
Great suggestions.

Yes, the encryption key storage is a problem, but I really don't have an idea where to store it. I need it to encrypt data when users register and/or edit their info. The only info stored will be name, email, address etc, but not credit card or something like that.
0
 

Author Comment

by:Alfahane
ID: 21843006
Regarding padding, should I randomize the length? Does it make any difference to the hacker whether the padding length is known?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 2000 total points
ID: 21844160
a lot depends on what you are doing, I guess. Storing keys securely is one of the hard bits of crypto; If possible, you should arrange for this to require a number of things, including an active link to the database, and a physical token (or even keyboard entry on startup, but that makes automated restarts a pain)

I think the problem isn't the automated encryption, but the automated *de*cryption. if you were encrypting only, you could use asymmetric techniques and the problem would go away.

regarding padding, if the data is less than one block (8 bytes or more accurately, 64 bits) then you should pad to the next block boundary; if you have more than one block's worth, you can safely pad with zeros, but should use some chained crypto mode (CBC for example) rather than straight block-by-block crypto; that way, the "short" last block is also dependent on all blocks that preceded it. one option there is to pad the *first* block so that your data comes out at an even number of blocks; that ensures that the same data encrypted twice doesn't come out as the same cryptotext (well, not really; but for one byte of padding, there are then 2^8 different possible cryptotexts, given the same key). having an entire block of padding is called an initial vector or iv for short; this is frequently done with large encrypts, as it ensures that there are 2^64 different possible cryptotexts for each repeated plaintext. if your input is of variable length, then you should find some way to encode the lengths into the data (usually just prepending a byte for length is good enough) and again, pad with zeros.
0
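The scheme Dave Howe sketches across the accepted solution and the comment above (a length byte, random padding out to the block boundary, CBC with a random IV so that the same short value never encrypts to the same ciphertext twice, and truncation after decryption), as an added worked example that is not code from the thread or from ASPEncrypt. Go's standard library has no RC2, so 3DES stands in because it has the same 8-byte block the thread discusses; the key and plaintext are constructed demo values.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)
// 3DES has the 8-byte block the thread talks about; AES (16-byte block) is the modern choice.
const blockSize = des.BlockSize
// Seal prepends a one-byte length, pads with random bytes up to a block boundary and
// encrypts in CBC under a fresh random IV, which becomes the first block of the output.
func Seal(key, plain []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key) // key must be 24 bytes
	if err != nil || len(plain) > 255 {
		return nil, errors.New("bad key or plaintext longer than 255 bytes")
	}
	n := (1 + len(plain) + blockSize - 1) / blockSize * blockSize
	buf := make([]byte, blockSize+n) // IV || length || plain || random padding
	if _, err := rand.Read(buf); err != nil { // fills the IV and, after the copy, the pad
		return nil, err
	}
	buf[blockSize] = byte(len(plain))
	copy(buf[blockSize+1:], plain)
	cipher.NewCBCEncrypter(blk, buf[:blockSize]).CryptBlocks(buf[blockSize:], buf[blockSize:])
	return buf, nil
}

// Open reverses Seal: decrypt under the stored IV, read the length byte, drop the padding.
func Open(key, sealed []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil || len(sealed) < 2*blockSize || len(sealed)%blockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	body := make([]byte, len(sealed)-blockSize)
	cipher.NewCBCDecrypter(blk, sealed[:blockSize]).CryptBlocks(body, sealed[blockSize:])
	if n := int(body[0]); n < len(body) {
		return body[1 : 1+n], nil
	}
	return nil, errors.New("corrupt length byte")
}

func main() {
	key := []byte("0123456789abcdef01234567") // constructed demo key, 24 bytes
	a, _ := Seal(key, []byte("1234"))
	b, _ := Seal(key, []byte("1234"))
	out, _ := Open(key, a)
	fmt.Printf("different ciphertexts: %v; round trip ok: %v\n", string(a) != string(b), string(out) == "1234")
}
```

The output carries no integrity check, so a row an attacker can edit in the database decrypts to garbage without complaint; for stored data today an AEAD mode (AES-GCM or ChaCha20-Poly1305) gives the same confidentiality plus tamper detection.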
