Guide for
better encryption.
I notice that many people are fascinated by cryptology. It's
an exciting branch of coding, but many put their first steps into
it without any background. This results in huge mistakes in
writing and implementing their new 'unbreakable' algorithm.
Every cipher can be broken! the only question is: How long does
it takes?
Many programmers proclaiming they have good encryption, and
i'm sure they believe it. Unfortunately their ciphers are all
broken within very short time without any 'brute force attack' or
cryptanalysing, but with a bit of examining and maths by anyone
who sets his mind to it. This goes surprisingly also for many
commercial software! I hope by giving some simple basic tips,
they realize how easy it is to break weak ciphers and they will
make the code a bit securer, so that not every amateur can break
their cipher.
Tip1: Don't thrust yourself
NEVER thrust your own encryption. Yes, you're smart and you don't
find a way to break it, but there are always others, smarter than
you (unless you're Stephen Hawkins), who will break it. Thats why
you allways need others to check your work. The best way to learn
writing ciphers, is by first learning how to break them. How can
you tell your encryption is safe, if you don't know how to break
(read cryptanalyse) it?
Tip 2: The easy way?
Stream ciphers like RC4 are popular because they are easy to
implement. Watch out! Streams have some big weak spots. You can
only use the key once. If you use it twice, simple cryptanalyse
can compromise the key. This very important disadvantage goes for
all xor ciphers! If you really want to use xor based ciphers, you
should always follow tip 3 and tip 10. Don't get blinded by easy
ciphers. A good example is the very simple one-time-pad. Although
theoretically unbreakable, it is impossible to implement it in a
practical way, due to hughe problems it poses on management and
distribution of keys. Often good ciphers are useless because they
are implemented the wrong way. It is not because a cipher is
unbreakable in theory, that you can also implement it on a
unbreakable way.
Tip 3: Easy to enhance
Finished your cipher? Take the next char to encrypt, and xor it
with the previous cipher output. On decrypting, just xor the
result with the previous decrypted char. This is called chaining.
That way, one decryption error is fatal to the rest of the
message and thus makes the cipher much stronger. You can chain
ciphers, output or input. This is a simple tip, easy to apply,
but has a great result!
Tip 4: Don't make it easy to the
bad guys
Never use your key or password directly to manipulate bits and
bytes in your plain text, or use the bytes of your key one by
one, and start all over at the end. That way you link your key
directly to the cipher text and the door is wide open to crack
the cipher. It's like giving it away for free. About 90 percent
of all ciphers, found on PSC, are all kinds of variations on
poly-alphabetic rotation or substitution, and easy to break by
simple multiple frequency analysis!
Tip 5: Make it hard to follow
Create a cipher where the plain input determins how the algorithm
works. A cipher that does the same work all the time is sensitive
to attacks. Simplified example: if the next plain text is an A,
the cipher will for instance xor it with a value, but if the next
plain is a B, it rotates the bits n times left, and is it a C
then rotate 2n times right. On xor ciphers, you could use a mask
byte, changed on certain conditions as just described, and xor it
with each cipher output. You could have the plain input
manipulate the key bits, or swap key bits or bytes, so that the
key changes all the time during encryption. How does the cipher
works? Who knows, it's changes all the time.
Tip 6: The serious work
To create a block cipher the most common way to encrypt data is a
feistel network. When you use 64 bit blocks, divide the block in
two 32 bit parts where the right part together with the key are
the input of a function, and the output is xored with the left
part. Next the left part is encrypted with the right and so on.
Each step is called a round (DES uses 16 rounds). To decrypt, the
whole process is reversed form step 16 to 1. You can find plenty
of documentation on the structure of block ciphers on the net.
Tip 7: The basics
A good function uses three important steps:
1. Substitution: the replacing of groups of bits or words by
others.
2. Fractionation: breaking up groups of bytes in smaller parts
before relocating.
3. Transposition: swap words, bytes or bits from position with
each other.
The combination of these three operations results in diffusion.
This diffusion is required for any good encryption scheme (see
Shannon). This can be applied in a whole text, or within blocks,
for instance combined with a feistel network. The way these steps
are executed must depend on a secret key.
Tip 8: Help the users
Don't make it possible for the user to use weak keys. Write a
routine where you refuse key's as 'aaaa', 'mamama' or '123'. Even
good ciphers are useless if you use those, or 'top secret' or
'britney spears' as password. There are many idi*ts that use
those keys. Be nice and help them to use only good passwords.
Of course, they will always be that negligent to use the same key
more than once. So take care that the key isn't compromised by
this (see straightforward used streams and xor's). If a key is
compromised, and they use it also for other important stuff like
banking or account login, this could mean that your weak cipher
is responsible for their problems!
Tip 9: Random and Random
Big mistake of many beginners: random isn't random when it comes
out of your computer. Computers are NEVER random, they are to
disciplined for that. If you do use a computers rnd function,
seed it first with randomly chosen values. Better to use your own
rnd-code. But it's very difficult to write a good one. Writing
good randoms, as for use in stream ciphers, is an art. You want
random? Get a bunch of xy values from the moving of your mouse,
and use these to initialize your own rnd code. that's random
(unless you have some tic). Never forget that there is a big
difference between randomness and crypto secure randomness, so
get well informed on the quality of Linear Shift Registers and
other pseudorandom generation schemes before getting into the
Random bussiness.
Tip 10: Get a good start
Put a bunch of randomly chosen bits and bytes before your real
data and encrypt them along with them. This is very effective in
a cipher where the algorithm is used in a chaining or feedback
mode. That way, others cannot retrieve the key settings at the
beginning of the actual data, and every encryption, althoug with
the same key, is different. Those rnd bytes are simply disgarded
during decryption. Even better is that the number of rnd bytes is
also a random quantity, by this hiding the position of the actual
start of data, so encrypt your rnd header length also. This tip
is an absolute must on xor ciphers like RC4 if you really want to
use them.
Tip 11: Stronger stuff
Compress your data BEFORE encryption, this will stenghten your
encryption greatly! Ofcourse, don't use a zip-file, but compress
it in your code. There are several good compressions in vb.
Compression will fraction the data already before any encryption
deals with it.
Tip 12: The finish?
Think it's finished? Try to encrypt let's say 100.000 A's with a
repetitive key like 'ABC'. Next, take a good look at the
encrypted data and do some statistics on it. If there are any
repetitions or regular patterns, there's a smelly thing about
your algorithm. Back to the drawing board! ALWAYS be paranoia
about your own cipher, and NEVER thrust others so called
unbreakable ciphers before you have done a good analysing of
them. I know, it's easy to copy and use that encryption scheme
from mister X. Do you want to use and thrust code that does
unknown things? Finally, copy these tips and save them. Read them
all over when you finished writing your cipher.
Tip 13: Top Secret?
A good algorithm should always be published. If you wrote some
encryption scheme, document it properly, with commonly used
notation, so that anyone can understand it. A secrecy system may
only depend on the secrecy of the key, NEVER on the secrecy of
the algorithm! Any crypto program can be reverse engineerd, so
secrecy is useless. A good hint on the quality of the encryption
is it's description. Watch out for snakeoil with great names like
chaos theoretics, triangulating arrays, cryptonic sublimation,
cosmic correlation, bla bla bla: Big crap! If they say it's a
secret algorithm, you can be absolutely sure that it's junk or
has backdoors.
Tip 14: Think it's too hard?
Never give up, it's a great and exiting art. look around, read
crypto papers, check out FIPS's and RFC's on encryption on the
net, visit sites, learn from the big ones. Start by learning how
the classic ciphers like Vigenere, Auto-key, Bifid and Trifid,
ADFGVX, and many more work, and how they were broken. These are
the origins of modern cryptology and a good learning base. Good
luck !
Tip 15: Some ideas
Check out submissions like 'Cipher Classics' or 'ULTRA file and
text encryption', an example that applies many of the tips...and
no, I won't say that ULTRA is unbreakable...but it's a strong one
;-)
Tip 16: Some great links
Introduction to Codes, Ciphers and breaking them:
http://www.vectorsite.net/ttcode.html
Basics on classic ciphers and how to break them:
http://www.simonsingh.net/The_Black_Chamber/home.html
Bruce Schneier's site, the crypto and security guru:
http://www.schneier.com/
Handbook of Applied Cryptography, pdf downloads
http://www.cacr.math.uwaterloo.ca/hac/
A cryptographic compendium:
http://fn2.freenet.edmonton.ab.ca/~jsavard/crypto/intro.htm
Claude Shannon Theory Of Secrecy, the basics on crypto:
http://www.cs.ucla.edu/~jkong/research/security/shannon1949.pdf
A crypto dictionary:
http://www.cryptnet.net/fdp/crypto/crypto-dict.html
Never forget:
A weak encryption
is more dangerous
than being careful without encryption !!!
Happy codings from Dirk ;-)
PS: and pleaaaase don't call your ciphers unbreakable any
more, even in best cases, call it strong... :-)
| 
By 17 Users
7/8/2004 8:27:51 AM: 
