?

Log in

No account? Create an account
insecure encryption - rob's livejournal — LiveJournal [entries|archive|friends|userinfo]
RRC

[ website | rob's webpage ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

Links
[Links:| Robs Homepage ]

insecure encryption [Mar. 24th, 2009|09:06 am]
RRC
[Tags|, , , ]
[Current Location |The Office]
[Current Mood |cynical]

Would you entrust your password database to this level of security?

function encrypt(inputTxt)
      'ASCII codes are 48-57 is 0 to 9 (10)
      '56-90' is A to Z (26)
      '97-122' is a to z (26)
      '62 characters to encrypt
      outputTxt = ""
      for i = 1 to len(inputTxt)
              'get each letter
              letter = mid(inputTxt,i,1)
              'use the length of the word to create a number
              jump = 1 + len(inputTxt) - i
              'move forward jump number of characters in ascii
              ANSIval = Asc(letter) + jump;
              newVal = Chr(ANSIval)
              'write the word out backwards
              outputTxt = newVal & outputTxt
      next
      encrypt = escape(outputTxt)
end function

No, I thought not...

Sigh

LinkReply

Comments:
[User Picture]From: niallm
2009-03-24 10:26 am (UTC)
Fantastic!

I think that's even vulnerable to letter frequency analysis.
(Reply) (Thread)
From: vatine
2009-03-24 11:00 am (UTC)
It may be that the individual text snippets are too short for that (you'd normally want a 20+ character sample before you can trust letter frequencies). But, then, there's bound to be LOTS of passwords with the same length.
(Reply) (Parent) (Thread)
[User Picture]From: bellinghman
2009-03-24 11:01 am (UTC)
Given a large number of samples, probably yes. (Assuming passwords follow normal letter frequency, which would have to be checked.)
(Reply) (Parent) (Thread)
[User Picture]From: bellinghman
2009-03-24 11:06 am (UTC)
Oh boy. Security through obscurity strikes again.

It's not very robust against a chosen plaintext attack, since the first thing the attacker would notice is that changing a single character in the input always changes the same single character in the output.
(Reply) (Thread)
[User Picture]From: ccomley
2009-03-24 10:44 pm (UTC)
To be fair, I don't think (remembering the hour!) that it'd be obvious from the output what has been doen even if you have several known passwords to compare.

But it'd be nice to see a few large prime numbers around the place...
(Reply) (Thread)