You've done the right thing in publishing your algorithm because trying to
keep the algorithm secret is no guarantee of cryptographic strength.
That was my thoughts exactly. The random bytes can be changed, and new
features can be introduced like "codepages" to make it so that the same
string will give a different byte string out every time, for instance, I
thought that, as it stands, a lot of the entries are going to be the
encryption of "Integrated Security=SSPI", so they're going to be the same.
Codepages would stop people seeing at a glance which SQL servers use windows
auth. and which use SQL auth....etc. etc. It's just common sense and
confusion as much as sticking to definitive mathematical theory.
But I will wager alot of money that your algorithm is very easy to break by a
cryptographer (of which I'm not one) unless you are a mathematical genius and
have actually come up with a new powerful crypto technique.
OK... I'm always one for a bet that involves skill, are you prepared to
honour that?
My basic terms are as follows:
1) The algorithm is not yet finished, but I must declare when it is, and
when I do so, I must make no further modifications.
2) I must distribute all compiled binaries necessary to run the encryption
(i.e. as a user would) but am not required to distribute any intermediate
data or software I have used to construct the actual source code for my
algorithm. Any "win" by the cryptographer shall be declared void should he
have obtained any of this secret media that wouldn't be distributed to a user
(such as my source code, intermediate data) via prior means, such as internet
hacking of my web server**.
3) The cryptographer must deliver a program capable of deciphering any
password encrypted by *any* release of my DLL*(see below)
4) You must name the cryptographer and time frame in which he is to complete
the task prior to the wager being agreed, but there are no limits on this (or
the number of cryptographers involved or the apparatus they use). If the time
frame is chosen to be more than a day, then the winnings shall not increase
by inflation or interest.
5) We both must provide the other with concrete proof that we have the
amount of money wagered.
6) Either party has the right to supervise the cryptographer during his
decipher attempts but must not impair him.
7) We must both undertake a gentleman's agreement to uphold the wager and
winnings to be delivered via PayPal.
* bear in mind that this is the only thing I'm worried about - laymen
downloading programs in order to be able to crack it. What use is any other
attempt to crack it? It's only going to be storing passwords in HKCU, and a
cryptographer isn't exactly going to want to crack his *own* password, is he?
He's going to want to profit / make a buzz for himself, from a program that
rubbishes my algorithm - the only way to do that is to make the crack
accessible to the layman. This is where the stipulation of the cryptographer
not having access to the actual release of the DLL used comes from, as each
one will be different and have a different key, etc... this won't impair the
functionality as the same one will always be used to decrypt as was used to
encrypt. Hell, it could even generate the random key on installation...
** not that it's in a web directory anyway so don't go trying...
At the end of the day, I'm not worried about an attack by a cryptographer,
I'm more worried about whether it could be cracked by a layman, possibly by
using a program written by a cryptographer. (And please don't simply say
"yes, it could" without explaining how...)
If you'd read my OP, you'd probably have got the gist of the question, which
was that I don't care about this. The question is more, how hard would it be
for a cryptographer to produce a *program* with which a layman (who may have
used the password remember feature) could leave his terminal unlocked for
long enough
for his rival to sneak on to his computer for long enough to run the program
that the "experienced cryptographer" had distributed (for free). Would the
experienced cryptographer be bothered to, or even know to?
And more to the point, how would such a program know which of my home grown
algorithms the data it set out to decipher had been encrypted by???
I could write ten like that... all in different DLLs scattered all over the
place disguised as something innocuous...
This is not meant to trivialise your efforts
See responses to others - do you see what I'm getting at?