rotor alternative?
Paul Rubin
Wed Nov 19 13:21:38 EST 2003
More information about the Python-list mailing list
Robin Becker <robin at jessikat.fsnet.co.uk> writes:
> You're probably right, but given that the code itself has to unobfuscate
> to make use of the data then any key/algorithm etc has to be present
> somewhere.

The idea of cryptography now is to keep the data secure as long as the key is secret. It's ok if the algorithm is known. If the key is known too, all bets are off.

> How should we obfuscate? Using a crypto function just increases the time
> and effort that someone needs to get the plain text.

If you can keep the key secret and the cryptography is any good, there should be no way for anyone to break the cryptography without the key. Rotor fails in that criterion.

> Likewise using a C
> extension makes it harder for the casual thief. The professional won't
> be bothered.

I think you're underestimating the technical ability and determination of amateurs on the internet. Look at all the virus writers out there--who is paying them? Almost every day Microsoft has to release a new critical security patch because of some weakness that got exploited by a non-professional and caused users a lot of hassle. The exploit usually isn't some technical breakthrough on the attacker's part, but rather stems from an attitude problem at Microsoft, that their products only have to be secure enough to make it "harder for the casual thief" since "the professional won't be bothered". That is precisely the wrong attitude to have, as we see every time Microsoft announces that "as of today security is our #1 priority" and then goes back to doing the same dumb stuff, and a few days later, yet another virus brings everyone's work to a halt yet another time. If you're going to use cryptography at all, use it as well as you can.

> The rotor module was small and speedy. In my case I'm sure that it makes
> very little difference to use base64 and a xor or something similar.

Using base64 or an xor should be even smaller and speedier than rotor, so if that's your goal, the answer is still "use xor and get rid of rotor". The only reason to use rotor instead of xor is you think xor isn't secure enough. But if xor isn't secure enough, you should use real cryptography, not rotor.

> When we really want data to be protected we're using one time passwords
> assigned by a special server.

If you really want data to be protected I hope whatever methods you're using were designed or at least reviewed by someone who knows what they're doing. That's not intended as a put-down toward you; there are a lot of mistakes that get made over and over again, and it takes some knowledge and experience to recognize them and not make them. Using something like rotor is very frequently an example of such a mistake.
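
The criterion in the message above (data stays secure while the key is secret, even when the algorithm is known) can be checked against the "base64 and a xor" style of obfuscation discussed in the thread. The following is an added illustration, not part of the original message and not code from the rotor module; it uses a repeating-key XOR rather than rotor itself, and the key, sample document and function names are constructed for the example.

```python
from itertools import cycle

def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def keystream_from_known_plaintext(ciphertext: bytes, known: bytes) -> bytes:
    """XOR of ciphertext and known plaintext yields the key bytes used there."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))

def shortest_period(stream: bytes) -> bytes:
    """Smallest repeating unit that regenerates `stream` (the candidate key)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

# Constructed sample data: the key is never handed to the checking code below.
SECRET_KEY = b"s3kr1t"
PLAINTEXT = b'<?xml version="1.0"?><licence user="alice" seats="5"/>'
# A fixed file-format header is knowable to anyone, with or without the key.
KNOWN_PREFIX = b'<?xml version="1.0"?>'

def demo():
    """Return (recovered key, recovered document) using only public knowledge."""
    ciphertext = xor_obfuscate(PLAINTEXT, SECRET_KEY)
    stream = keystream_from_known_plaintext(ciphertext, KNOWN_PREFIX)
    recovered_key = shortest_period(stream)
    return recovered_key, xor_obfuscate(ciphertext, recovered_key)

if __name__ == "__main__":
    key, document = demo()
    print("key recovered without being told it:", key == SECRET_KEY)
    print("document recovered:", document == PLAINTEXT)
```

A scheme that passes the criterion would give the checker nothing here: knowing the algorithm and a stretch of plaintext must not reveal the key or the rest of the data.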