Solved

How can I test encryption strength?

Posted on 2008-06-22
6
874 Views
Last Modified: 2008-06-28
I'm going to store encrypted text in my database. But before that I want to test whether the encryption is acceptable enough. The thing is that I've encrypted a 4-letter word and the encrypted string is only 12 characters, and that seems a bit "weak".

I need some kind of assurance. Is there software that tries to decrypt encrypted data?
Question by:Alfahane
6 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 21842915
Depends on what you are using to encrypt it. 3DES is secure enough for almost anything, and has an 8-byte data block size (so it outputs 8 characters' worth of encrypted data); that's 8 bytes of binary though, so after some sort of bin 6/4 encoding you would probably end up with about 12.

If you are storing 4 characters though (and characters, not binary bytes), then you are looking at around 2^24 possible outputs no matter how secure the crypto is, which isn't good enough. You are going to want random padding to try and block that out enough to be more secure.
 

Author Comment

by:Alfahane
ID: 21842936
I'm using this method:
http://aspencrypt.com/task_creditcard.html
What do you think about this method?

I was also thinking of salting the text string before encrypting. Also, I was thinking of storing the salt encrypted with the method above.
 
LVL 33

Accepted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 21842980
Looks OK. It's using RC2 (and Rivest usually knows what he is doing :) with a 128-bit key. I would suggest (given you aren't using a hash but invertible crypto) that you don't salt, but pad. In case you are wondering, padding is code you don't need to look at but can discard without examination: if you are encoding a fixed-length string of four bytes, and want an 8-byte input, then you generate 4 random characters, append them, then after decryption truncate and discard them. By never needing to know or care what the 4 bytes were, you have no need to store them.

Also, if you are storing decimal digits (rather than characters) you might want to consider packing. You can conveniently pack two decimal numbers into one byte (at the simplest, just convert to a number 00->99, then add 32, and convert to an ASCII character with the usual function), which will leave more space for your random padding and increase the entropy of your input block.

I would look askance at the idea of storing a fixed key in the registry though; security through obscurity rarely works.

 

Author Comment

by:Alfahane
ID: 21842999
Great suggestions.

Yes, the encryption key storage is a problem, but I really have no idea where to store it. I need it to encrypt data when users register and/or edit their info. The only info stored will be name, email, address, etc., but not credit card numbers or something like that.
 

Author Comment

by:Alfahane
ID: 21843006
Regarding padding, should I randomize the length? Does it make any difference to the hacker whether the padding length is known?
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 21844160
A lot depends on what you are doing, I guess. Storing keys securely is one of the hard bits of crypto; if possible, you should arrange for this to require a number of things, including an active link to the database and a physical token (or even keyboard entry on startup, but that makes automated restarts a pain).

I think the problem isn't the automated encryption, but the automated *de*cryption. If you were encrypting only, you could use asymmetric techniques and the problem would go away.

Regarding padding: if the data is less than one block (8 bytes, or more accurately 64 bits) then you should pad to the next block boundary. If you have more than one block's worth, you can safely pad with zeros, but should use some chained crypto mode (CBC for example) rather than straight block-by-block crypto; that way, the "short" last block is also dependent on all blocks that preceded it.

One option there is to pad the *first* block so that your data comes out at an even number of blocks; that ensures that the same data encrypted twice doesn't come out as the same cryptotext (well, not really; but for one byte of padding, there are then 2^8 different possible cryptotexts, given the same key). Having an entire block of padding is called an initial vector, or IV for short; this is frequently done with large encrypts, as it ensures that there are 2^64 different possible cryptotexts for each repeated plaintext.

If your input is of variable length, then you should find some way to encode the lengths into the data (usually just prepending a byte for length is good enough) and again, pad with zeros.
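The following is an added, runnable illustration of two points made in this thread; it is not code from the thread and not the AspEncrypt method the question links to. It shows why the first reply's "about 2^24 possible plaintexts" is a problem for a deterministic, one-block encryption of a short field (an attacker who can obtain encryptions, for example by registering accounts, simply tries every candidate and compares), and it implements the later advice: a length byte, random filler up to the block boundary, CBC with a random IV, and two decimal digits packed per byte as value+32. The 8-byte block cipher is a toy Feistel permutation built from SHA-256 so the script needs only the standard library; it stands in for 3DES/RC2 and must never be used for real data. The key, the candidate word list and the "stolen" database value are all constructed for the demo.

```python
# Added example: padding, chaining and packing as discussed in the thread.
# The block cipher here is a TOY stand-in for 3DES/RC2, not for real use.
import hashlib
import os
from typing import Callable, Iterable, Optional

BLOCK = 8  # 64-bit block, the size 3DES and RC2 use


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash of one 4-byte half, truncated to 4 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on one 8-byte block (assumption: demo only)."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def pad_random(data: bytes) -> bytes:
    """Length byte, then the data, then random filler up to the block boundary.
    The filler is never stored or inspected; unpad() just truncates it."""
    assert len(data) < 256
    body = bytes([len(data)]) + data
    return body + os.urandom(-len(body) % BLOCK)


def unpad(padded: bytes) -> bytes:
    return padded[1:1 + padded[0]]


def encrypt_record(key: bytes, data: bytes) -> bytes:
    """Random IV + CBC over randomly padded data: same input, different ciphertext each time."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pad_random(data))


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    return unpad(cbc_decrypt(key, iv, ct))


def ecb_fixed(key: bytes, word: bytes) -> bytes:
    """What the question describes: one short field, zero-padded to one block, no IV.
    Deterministic, so equal plaintexts always give equal ciphertexts."""
    return block_encrypt(key, word.ljust(BLOCK, b"\0"))


def dictionary_attack(oracle: Callable[[bytes], bytes], target: bytes,
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """Attacker who can obtain encryptions tries every candidate against a stored
    ciphertext. Succeeds only when encryption is deterministic."""
    for word in candidates:
        if oracle(word) == target:
            return word
    return None


def pack_digits(digits: str) -> bytes:
    """Two decimal digits per byte as value+32 (printable ASCII), preceded by the digit count."""
    assert all(c in "0123456789" for c in digits) and len(digits) < 256
    even = digits if len(digits) % 2 == 0 else "0" + digits
    pairs = bytes(int(even[i:i + 2]) + 32 for i in range(0, len(even), 2))
    return bytes([len(digits)]) + pairs


def unpack_digits(packed: bytes) -> str:
    n, pairs = packed[0], packed[1:]
    text = "".join(f"{b - 32:02d}" for b in pairs)
    return text[len(text) - n:]  # drop the leading zero added for odd counts


if __name__ == "__main__":
    key = b"demo-only-key"                          # constructed
    words = [b"ruby", b"java", b"perl", b"lisp"]    # constructed candidate list
    stolen = ecb_fixed(key, b"perl")                # constructed "database" value
    print("ECB, 4 letters, no padding:", dictionary_attack(lambda w: ecb_fixed(key, w), stolen, words))
    stolen = encrypt_record(key, b"perl")
    print("CBC + random IV + random padding:", dictionary_attack(lambda w: encrypt_record(key, w), stolen, words))
    print("round trip:", decrypt_record(key, stolen))
    print("packed 4111111111111111:", pack_digits("4111111111111111"))
```

Run stand-alone, the deterministic variant returns the matching word and the randomized variant returns None, because the IV and filler make every encryption of "perl" different while decrypt_record still recovers it. Note that the length byte lives inside the ciphertext, so an attacker still learns the field's approximate size from the number of blocks, and that none of this gives integrity: a real design would add a MAC over IV and ciphertext so that tampered database rows are rejected before decryption.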
