• Make Custom File Type
[QUOTE=Anthoni_c;19646204]I'll do plenty of tests, and get folks to test it. So far the formulas (that I have done) work out in theory but I still need to code and test them.[/QUOTE] Are you aware that there's an entire branch of mathematics, that people get Ph.D.s in, devoted to cipher design? If you intend for anyone to take yours seriously you'd better be prepared to explain, in mathematical terms, how it resists linear and differential cryptanalysis, whether it has any weak keys and how they can be detected, and so on. Is it a block cipher or a stream cipher, by the way?
Did I ever say mine was going to be better than NSA or CIA Encryption algorithms, no. Quit assuming and quit trolling.
[QUOTE=Anthoni_c;19655584]Did I ever say mine was going to be better than NSA or CIA Encryption algorithms, no. Quit assuming and quit trolling.[/QUOTE] He's not trolling, he's being realistic. You are just stubborn.
[QUOTE=Anthoni_c;19640990]I'll make my cipher how I want, I am smart enough to do so.[/QUOTE] quoted for fail
[QUOTE=Anthoni_c;19655584]Did I ever say mine was going to be better than NSA or CIA Encryption algorithms, no. Quit assuming and quit trolling.[/QUOTE] My point is, why design your own cipher that's almost certainly going to be unsuitable for any sort of real-world use, when there are good ones designed by credible experts freely available for you to use? If you were actually studying cryptography that's one thing, but I see no point in throwing together a hodgepodge of mathematical operations without any knowledge of the types of attacks it needs to resist. BTW, I think [url=http://en.wikipedia.org/wiki/Skipjack_(cipher)]Skipjack[/url] and the [url=http://en.wikipedia.org/wiki/SHA_hash_functions]SHA family[/url] are the only NSA-designed algorithms that have been released to the public, and CIA doesn't design ciphers at all. Most of the algorithms that we use in the real world (such as [url=http://en.wikipedia.org/wiki/Advanced_Encryption_Standard]AES[/url]) are designed by researchers working for universities and private industry. [url=http://en.wikipedia.org/wiki/Niels_Ferguson]Niels Ferguson[/url] (co-author of [url=http://www.amazon.com/Practical-Cryptography-Niels-Ferguson/dp/0471223573]Practical Cryptography[/url]) works for Microsoft, for example.
[QUOTE=Anthoni_c;19655584]Did I ever say mine was going to be better than NSA or CIA Encryption algorithms, no. Quit assuming and quit trolling.[/QUOTE] Going to be the next [url]http://en.wikipedia.org/wiki/MacGuffin_(cipher)[/url]
[QUOTE=jA_cOp;19621835]That will keep pretty much nobody out. ROT13 is not encryption. [/QUOTE] It'll stop average people from snooping in the file. If they're serious hackers, then yes it won't stop them. It's just enough to obscure the password from most people.
Stop trying to roll your own crypto. It's a bad idea unless you actually know what you're doing. Read a book, and try hanging around in ##crypto on irc.freenode.net, there are a lot of people who would be willing to help you out.
Lol I didn't know the thread was so long. automerge :(
Wow good job reading there F33P. Good advice though.
[QUOTE=blankthemuffin;19656958]Wow good job reading there F33P. Good advice though.[/QUOTE] What? Where? ;) [editline]08:33PM[/editline] To store saved passwords on a client machine, you'll want to encrypt the file in such a way that it can not be decrypted by someone possessing the file. Don't use things like hardware identification numbers or anything. I personally would have a "master password" that is entered by some "master user" who controls the password list. Take the password and feed it through Password Based Key Derivation Function #2 (PBKDF2) with a 64-bit salt and 10,000 iterations. Use the derived key and encrypt the password list with Serpent in CTR mode. Don't bother using AES256, it's broken. AES128 is also too weak for use today. RC4 is a bad idea as well. Take it from someone who knows what they're doing (me), and don't try to do things you're unfamiliar with.
[QUOTE=F33P;19656976]Don't bother using AES256, it's broken. AES128 is also too weak for use today.[/QUOTE] wat.
Definitely late, but: [quote='Wikipedia'][I]Cypher[/I] is a variant (chiefly British) spelling of the word cipher.[/quote]
[QUOTE=flair;19657063]wat.[/QUOTE] AES256 has been broken for about a year. AES128 doesn't provide a 128-bit security margin, which is recommended today. Serpent offers a 128-bit security margin, it's fast, and it's secure.
[QUOTE=F33P;19656976]I personally would have a "master password" that is entered by some "master user" who controls the password list. Take the password and feed it through Password Based Key Derivation Function #2 (PBKDF2) with a 64-bit salt and 10,000 iterations. Use the derived key and encrypt the password list with Serpent in CTR mode. Don't bother using AES256, it's broken. AES128 is also too weak for use today. RC4 is a bad idea as well. Take it from someone who knows what they're doing (me), and don't try to do things you're unfamiliar with.[/QUOTE] "Let's fill the post with big words to make myself sound smart!"
[QUOTE=gparent;19627013]No, you can't. Proper OS security would mean that you cannot read arbitrary memory from other users' processes, and guess his password as he is entering it into a text box or whatever. So while you would be able to find out everything about the encryption method used if you were sitting with a debugger and network sniffer, you'd still have no damn clue what the password entered was, and if a proper crypto system is used, that means you cannot have access to the data. This is why Pidgin doesn't encrypt passwords. It's useless. If you're not admin, you don't have access to the users' Application Data folder, and if you are admin, while you may not be able to read an encrypted file in the other users' AppData, nothing would stop you from attaching to the process and getting the pass from there, so there's no point in encrypting it in the first place.[/QUOTE] Windows doesn't have proper OS security.
[QUOTE=Eleventeen;19658436]Windows doesn't have proper OS security.[/QUOTE] I'm pretty sure it does: [img]http://imgkk.com/i/8MS9Hx.png[/img] oh wait, i forgot you're a super h4rdc0r3 linux user who [b]hates[/b] M$ Windoze.
h4rdc0r3 fuck M$
[QUOTE=turby;19658617]I'm pretty sure it does: [img]http://imgkk.com/i/8MS9Hx.png[/img] oh wait, i forgot you're a super h4rdc0r3 linux user who [b]hates[/b] M$ Windoze.[/QUOTE] Oh god it's not letting you in to your folders! Watch me load up a live CD and open up the files myself then. Anyway, I was referring to the 'no access to other program's memory'
'h4rdc0r3 M$ sux' people annoy me. It's just ignorant. They're too busy reminding themselves how l33t they are that they use linux that they ignore the great strides Microsoft have made towards improving their line of products. Vista/7 is awesome. IE8 is good (well, it's not as good as any other modern browser, but it's usable, unlike IE6) Microsoft Security Essentials is awesome. Don't get me wrong, I love Linux as well, but I recognise the fact that both Linux and Windows have their pros and cons.
[QUOTE=turby;19658717]'h4rdc0r3 M$ sux' people annoy me. It's just ignorant. They're too busy reminding themselves how l33t they are that they use linux that they ignore the great strides Microsoft have made towards improving their line of products. Vista/7 is awesome. IE8 is good (well, it's not as good as any other modern browser, but it's usable, unlike IE6) Microsoft Security Essentials is awesome. Don't get me wrong, I love Linux as well, but I recognise the fact that both Linux and Windows have their pros and cons.[/QUOTE] Dude I'm on Windows right now, I stopped bashing it a while back.
[QUOTE=Eleventeen;19658673]Oh god it's not letting you in to your folders! Watch me load up a live CD and open up the files myself then.[/QUOTE] Same thing with Linux, unless the filesystem is encrypted. Windows lets you encrypt the filesystem as well, so you don't really have an argument there. [QUOTE]Anyway, I was referring to the 'no access to other program's memory'[/QUOTE] Programs ordinarily can't access other programs' memory. [editline]05:39PM[/editline] [QUOTE=Eleventeen;19658743]Dude I'm on Windows right now, I stopped bashing it a while back.[/QUOTE] [QUOTE=Eleventeen;19658436]Windows doesn't have proper OS security.[/QUOTE]
[QUOTE=PvtCupcakes;19656907]It'll stop average people from snooping in the file. If they're serious hackers, then yes it won't stop them. It's just enough to obscure the password from most people.[/QUOTE] Ahh I missed this before. Jesus christ do you not understand that obscuring the password just makes the end user think it is secure? They're much more likely not to worry about something that looks secure than they are to share a text file with their passwords in it visible for all to see. And average people google the name of the application along with password hack and get a nice easy tool to reverse the crappy "encryption" the app employs. Do it right or don't do it at all. Both are valid options, anything in-between is totally wrong.
[QUOTE=blankthemuffin;19658789]and get a nice easy tool to reverse the crappy "encryption" the app employs.[/QUOTE] Along with a bazillion trojans. :p
[QUOTE=Eleventeen;19658743]Dude I'm on Windows right now, I stopped bashing it a while back.[/QUOTE] Quoted for future reference.
[QUOTE=turby;19658759][editline]05:39PM[/editline][/QUOTE] I wasn't bashing by saying that it doesn't have good security, was I? Oops. [QUOTE=Xama;19658891]Quoted for future reference.[/QUOTE] Alright. Anyway, if it's so secure how come MSDN has functions to memory in to other application's memory space?
[QUOTE=turby;19658315]"Let's fill the post with big words to make myself sound smart!"[/QUOTE] F33P / Moose really does know his shit on crypto.
[QUOTE=Eleventeen;19658939]Anyway, if it's so secure how come MSDN has functions to memory in to other application's memory space?[/QUOTE] You need appropriate access to the other process's memory space, or else the function fails. [url=http://msdn.microsoft.com/en-us/library/ms680553(VS.85).aspx]RTFM[/url] Also, any program on *nix with appropriate permissions can read the whole system's memory by reading /dev/mem. So, what was your argument about Windows security?
Don't store the password; you should store a hash of the password, then every time they enter their password, you hash it and compare. Still wise to encrypt the file storing hashes.
[QUOTE=bestoss;19660999]Don't store the password; you should store a hash of the password, then every time they enter their password, you hash it and compare[/QUOTE] That's true if you just need to check whether the user entered the correct password, but not if you actually need to retrieve the stored password for use elsewhere (e.g. in a password manager app). It's not clear yet which is needed in this case. [QUOTE=bestoss;19660999]still wise to encrypt the file storing hashes.[/QUOTE] No, there's no point. Then you need a decryption key, which just means you have to ask the user for another password (and how do you store the hash of [i]that[/i] one?), unless you store the key on disk, which defeats the purpose.
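Added example, not part of any post in the thread: the two cases discussed above (a stored hash that is only compared, and a master-password key for a retrievable password list) sketched with the standard-library PBKDF2. The function names, the choice of HMAC-SHA256 and the purpose labels are assumptions of this example; the 64-bit salt and 10,000 iterations are the figures from the PBKDF2 post.

```python
import hashlib
import hmac
import os

SALT_BYTES = 8       # 64-bit salt, the figure given in the thread
ITERATIONS = 10_000  # figure given in the thread; raise it for current hardware


def _pbkdf2(purpose: bytes, password: str, salt: bytes, iterations: int) -> bytes:
    # Assumption of this example: a purpose label is mixed into the salt so a
    # stored verifier can never equal an encryption key, even if one random
    # salt is reused for both.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), purpose + salt, iterations, dklen=32
    )


def make_verifier(password: str, iterations: int = ITERATIONS) -> dict:
    """Case 1: only a yes/no check is needed. Store this record, not the password."""
    salt = os.urandom(SALT_BYTES)
    digest = _pbkdf2(b"verify", password, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def check_password(candidate: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = _pbkdf2(b"verify", candidate, salt, record["iterations"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Case 2: the password list must be decryptable. Only the salt goes on
    disk; the key is re-derived from the master password on every unlock."""
    return _pbkdf2(b"vault", master_password, salt, iterations)


if __name__ == "__main__":
    record = make_verifier("correct horse")  # constructed sample password
    print(check_password("correct horse", record), check_password("guess", record))
    print(derive_vault_key("correct horse", os.urandom(SALT_BYTES)).hex())
```

The derived vault key would be handed to an authenticated cipher from a vetted library; the cipher itself is outside this sketch.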