Pure Python Data Mangling or Encrypting

Johannes Bauer dfnsonfsduifb at gmx.de
Fri Jun 26 17:07:48 EDT 2015 

On 26.06.2015 22:09, Randall Smith wrote:

> You've gone on a rampage about nothing.  My original description said
> the client was supposed to encrypt the data, but you want to assume the
> opposite for some unknown reason.

While you seem to think that Steven is rampaging about nothing, he does
have a fair point: You consistently were vague about wheter you want to
have encryption, authentication or obfuscation of data. This suggests
that you may not be so sure yourself what it is you actually want.

All Steven is doing is pointing out that people do good crypto for a
reason. It's 2015 and we're still discussion "substitution ciphers",
really? Good crypto is available, it's fast, it has awesome
cryptanalysis. All Steven is pointing out is that when ten crypto-laymen
meet in a Python newsgroup and think they have invented a soooper secure
scheme, it may still be complete and utter crap. Just not everone can
see it.

You always play around with the 256! which would be a ridiculously high
security margin (1684 bits of security, woooo!). You totally ignore that
the system can be broken in a linear fashion. I don't need to know all
256 characters to do damage, sometimes even a handful will already give
me part of what I need and the option to crack more and more. This is
something that would ultimately and instantly disqualify your
"crypto"system as utterly insecure.

Nobody assumes you're a moron. But it's safe to assume that you're a
crypto layman, because only laymen have no clue on how difficult it is
to get cryptography even remotely right. Everyone who knows the trade
uses proven constructions not because it's inconvenient, but because
it's one of the very few ways to achieve a secure system.

That said, for your solution this type of obfuscation may be fine. And
chances are that nobody will ever notice. But don't claim you weren't
warned about the abyss when you designed your solution and people break
this stuff. Because then you might *look* like a moron (even if you're
not), since the first question people will ask will be: "Why? Why on
earth?" It's a blatantly obvious bad idea(tm).

That people in 2015 actually defend inventing a substitution-cipher
"crypto"system sends literally shivers down my spine.

Cheers,
Johannes

-- 
>> Wo hattest Du das Beben nochmal GENAU vorhergesagt?
> Zumindest nicht öffentlich!
Ah, der neueste und bis heute genialste Streich unsere großen
Kosmologen: Die Geheim-Vorhersage.
 - Karl Kaos über Rüdiger Thomas in dsa <hidbv3$om2$1 at speranza.aioe.org>

More information about the Python-list mailing list