How can I test encryption strength?

Posted on 2008-06-22
Last Modified: 2008-06-28
I'm going to store encrypted text in my database. But before that I want to test whether the encryption is acceptable enough. The thing is that I've encrypted a 4-letter word and the encrypted string is only 12 characters, and that seems a bit "weak".

I need some kind of assurance. Is there a software that tries to decrypt encrypted data?
Question by: Alfahane

Assisted Solution by: Dave Howe

Depends on what you are using to encrypt it. 3DES is secure enough for almost anything, and has an 8-byte data block size (so outputs 8 characters' worth of encrypted data) - that's 8 bytes of binary though, so after some sort of bin 6/4 encoding you would probably end up with about 12.

If you are storing 4 characters though (and characters, not binary bytes) then you are looking at around 2^24 possible outputs no matter how secure the crypto is, which isn't good enough. You are going to want random padding to try and block that out enough to be more secure.

Author Comment by: Alfahane

I'm using this method:
http://aspencrypt.com/task_creditcard.html
What do you think about this method?

I was also thinking of salting the text string before encrypting. Also, I was thinking of storing the salt encrypted with the method above.

Accepted Solution by: Dave Howe

Looks ok. It's using RC2 (and Rivest usually knows what he is doing :) with a 128-bit key; I would suggest (given you aren't using a hash but invertible crypto) that you don't salt, but pad. In case you are wondering, padding is code you don't need to look at but can discard without examination: if you are encoding a fixed-length string of four bytes and want an 8-byte input, then you generate 4 random characters, append them, then after decryption truncate and discard them. By never needing to know or care what the 4 bytes were, you have no need to store them.

Also, if you are storing decimal digits (rather than characters) you might want to consider packing. You can conveniently pack two decimal digits into one byte (at the simplest, just convert to a number 00-99, then add 32, and convert to an ASCII character with the usual function), which will leave more space for your random padding and increase the entropy of your input block.

I would look askance at the idea of storing a fixed key in the registry though; security through obscurity rarely works.
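The random-padding and digit-packing scheme described in this answer, written out as an added Go example; it is not code from the thread or from AspEncrypt. It uses Go's standard-library Triple DES, which like the RC2 discussed here has an 8-byte block, as the cipher, and the 24-byte key string is a constructed demo value rather than a real key.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// packDigits packs decimal digits two per byte: each pair 00..99 becomes a
// single byte holding 32+pair, so it remains a printable ASCII character.
func packDigits(digits string) ([]byte, error) {
	if len(digits)%2 != 0 {
		return nil, errors.New("packDigits: need an even number of digits")
	}
	out := make([]byte, 0, len(digits)/2)
	for i := 0; i < len(digits); i += 2 {
		hi, lo := digits[i], digits[i+1]
		if hi < '0' || hi > '9' || lo < '0' || lo > '9' {
			return nil, errors.New("packDigits: non-digit input")
		}
		out = append(out, byte(32+int(hi-'0')*10+int(lo-'0')))
	}
	return out, nil
}

// unpackDigits reverses packDigits.
func unpackDigits(packed []byte) (string, error) {
	out := make([]byte, 0, len(packed)*2)
	for _, b := range packed {
		if b < 32 || b > 32+99 {
			return "", errors.New("unpackDigits: byte out of range")
		}
		v := int(b) - 32
		out = append(out, byte('0'+v/10), byte('0'+v%10))
	}
	return string(out), nil
}

// encryptOneBlock puts a value shorter than one block at the front of the
// block, fills the rest with bytes from crypto/rand, and encrypts that single
// block. The random tail is never stored anywhere; it only has to be discarded.
func encryptOneBlock(block cipher.Block, value []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(value) >= bs {
		return nil, errors.New("encryptOneBlock: value must be shorter than one block")
	}
	buf := make([]byte, bs)
	copy(buf, value)
	if _, err := rand.Read(buf[len(value):]); err != nil {
		return nil, err
	}
	out := make([]byte, bs)
	block.Encrypt(out, buf)
	return out, nil
}

// decryptOneBlock decrypts one block and truncates to the known value length,
// dropping the padding without ever looking at it.
func decryptOneBlock(block cipher.Block, ct []byte, valueLen int) ([]byte, error) {
	bs := block.BlockSize()
	if len(ct) != bs || valueLen >= bs {
		return nil, errors.New("decryptOneBlock: bad ciphertext or value length")
	}
	buf := make([]byte, bs)
	block.Decrypt(buf, ct)
	return buf[:valueLen], nil
}

// roundTrip packs the digits, encrypts them twice under the same key, decrypts
// the first result, and reports whether the two ciphertexts differed.
func roundTrip(key []byte, digits string) (string, bool, error) {
	block, err := des.NewTripleDESCipher(key) // 8-byte block, as discussed in the thread
	if err != nil {
		return "", false, err
	}
	packed, err := packDigits(digits)
	if err != nil {
		return "", false, err
	}
	ct1, err := encryptOneBlock(block, packed)
	if err != nil {
		return "", false, err
	}
	ct2, err := encryptOneBlock(block, packed)
	if err != nil {
		return "", false, err
	}
	pt, err := decryptOneBlock(block, ct1, len(packed))
	if err != nil {
		return "", false, err
	}
	got, err := unpackDigits(pt)
	return got, !bytes.Equal(ct1, ct2), err
}

func main() {
	// Constructed demo key; a real key comes from crypto/rand, not from a string literal.
	key := []byte("constructed-24-byte-key!")
	got, differ, err := roundTrip(key, "1234")
	fmt.Println(got, differ, err) // 1234 true <nil>
}
```

Four digits pack into two bytes, leaving six bytes of random padding in the block, so two encryptions of the same card fragment produce different ciphertexts even though nothing about the padding is recorded: the decryptor simply truncates to the length it already knows. Triple DES is kept only to match the thread's 8-byte block size; a new design today would use AES.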
Author Comment by: Alfahane

Great suggestions.

Yes, the encryption key storage is a problem, but I really don't have an idea where to store it. I need it to encrypt data when users register and/or edit their info. The only info stored will be name, email, address etc, but not credit card or something like that.

Author Comment by: Alfahane

Regarding padding, should I randomize the length? Does it make any difference to the hacker whether the padding length is known?

Assisted Solution by: Dave Howe

A lot depends on what you are doing, I guess. Storing keys securely is one of the hard bits of crypto; if possible, you should arrange for this to require a number of things, including an active link to the database and a physical token (or even keyboard entry on startup, but that makes automated restarts a pain).

I think the problem isn't the automated encryption, but the automated *de*cryption. If you were encrypting only, you could use asymmetric techniques and the problem would go away.

Regarding padding, if the data is less than one block (8 bytes, or more accurately 64 bits) then you should pad to the next block boundary; if you have more than one block's worth, you can safely pad with zeros, but should use some chained crypto mode (CBC for example) rather than straight block-by-block crypto; that way, the "short" last block is also dependent on all blocks that preceded it.

One option there is to pad the *first* block so that your data comes out at an even number of blocks; that ensures that the same data encrypted twice doesn't come out as the same cryptotext (well, not really; but for one byte of padding, there are then 2^8 different possible cryptotexts, given the same key). Having an entire block of padding is called an initial vector, or IV for short; this is frequently done with large encrypts, as it ensures that there are 2^64 different possible cryptotexts for each repeated plaintext.

If your input is of variable length, then you should find some way to encode the length into the data (usually just prepending a byte for length is good enough) and again, pad with zeros.
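The variable-length scheme this answer sketches (length byte, zero padding to the block boundary, a random IV in front, CBC chaining) as an added Go example; this is not code from the thread. It again uses standard-library Triple DES for its 8-byte block and a constructed 24-byte key string, and it compares the CBC output with unchained block-by-block encryption of the same message so the pattern leak the answer warns about is visible as a count of repeated ciphertext blocks.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// encryptCBC prepends a one-byte length, zero-pads to the 8-byte block
// boundary and encrypts in CBC under a fresh random IV. The IV is stored in
// front of the ciphertext: it need not be secret, only unpredictable.
func encryptCBC(block cipher.Block, msg []byte) ([]byte, error) {
	if len(msg) > 255 {
		return nil, errors.New("encryptCBC: length prefix allows at most 255 bytes")
	}
	bs := block.BlockSize()
	plain := append([]byte{byte(len(msg))}, msg...)
	if rem := len(plain) % bs; rem != 0 {
		plain = append(plain, make([]byte, bs-rem)...) // zero padding
	}
	out := make([]byte, bs+len(plain))
	if _, err := rand.Read(out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], plain)
	return out, nil
}

// decryptCBC splits off the IV, decrypts, and uses the length prefix to drop
// the zero padding; without the prefix, trailing zeros would be ambiguous.
func decryptCBC(block cipher.Block, ct []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(ct) < 2*bs || len(ct)%bs != 0 {
		return nil, errors.New("decryptCBC: ciphertext too short or misaligned")
	}
	plain := make([]byte, len(ct)-bs)
	cipher.NewCBCDecrypter(block, ct[:bs]).CryptBlocks(plain, ct[bs:])
	if n := int(plain[0]); n < len(plain) {
		return plain[1 : 1+n], nil
	}
	return nil, errors.New("decryptCBC: length prefix exceeds data")
}

// repeatedBlocks counts blocks of ct that are identical to an earlier block.
func repeatedBlocks(ct []byte, bs int) int {
	seen, dups := make(map[string]bool), 0
	for i := 0; i+bs <= len(ct); i += bs {
		b := string(ct[i : i+bs])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// demo encrypts msg twice with CBC, decrypts the first copy, and compares the
// repeated-block count of the CBC output with that of unchained block-by-block
// encryption of the same message (the "straight" mode the answer warns against).
func demo(key []byte, msg string) (recovered string, ctDiffer bool, ecbDups, cbcDups int, err error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return
	}
	ct1, err := encryptCBC(block, []byte(msg))
	if err != nil {
		return
	}
	ct2, err := encryptCBC(block, []byte(msg))
	if err != nil {
		return
	}
	pt, err := decryptCBC(block, ct1)
	if err != nil {
		return
	}
	bs := block.BlockSize()
	ecb := make([]byte, len(msg)/bs*bs) // whole blocks only, no chaining, no IV
	for i := 0; i+bs <= len(msg); i += bs {
		block.Encrypt(ecb[i:i+bs], []byte(msg[i:i+bs]))
	}
	return string(pt), !bytes.Equal(ct1, ct2), repeatedBlocks(ecb, bs), repeatedBlocks(ct1[bs:], bs), nil
}

func main() {
	key := []byte("constructed-24-byte-key!") // constructed demo key, not for real use
	msg := "AAAAAAAA" + "AAAAAAAA" + "AAAAAAAA" + "AAAAAAAA" // 32 identical bytes
	fmt.Println(demo(key, msg))
}
```

For the 32-byte repetitive message the unchained output contains three duplicate blocks, so the structure of the plaintext is visible without the key, while the CBC output has none and differs between the two runs because each run drew a new IV. The length prefix is what makes the zero padding safe to strip; note that this layout, like the one in the thread, carries no integrity check, so a stored record could be altered undetected unless a MAC is added over IV and ciphertext.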