xor encryption absolutely insecure


xor encryption absolutely insecure

Karl Godt
Administrator
mount -o encryption -o loop /path/to/puppysave_cryptx.2fs /mnt/Y
returns messages in dmesg as 'unrecognized option "PASSWORD"'
where PASSWORD is the password that then opens the savefile .

Also
dd if=puppysave_cryptx-name.2fs of=superblock.dd count=10 bs=1024 
and
hexdump -C superblock.dd
then reveals the PASSWORD several times .



Re: xor encryption absolutely insecure

q5sys
I assume this is the 'light' encryption method?  Is the 'heavy' one using AES?

On Thu, Apr 9, 2015 at 8:33 PM, Karl Godt [via woof-CE] <[hidden email]> wrote:
mount -o encryption /dev/loopY /mnt/Y
returns messages in dmesg as 'unrecognized option "PASSWORD"'
where PASSWORD is the password that then opens the savefile .

Also
dd if=puppysave_cryptx-name.2fs of=superblock.dd count=10 bs=1024 
and
hexdump -C superblock.dd
then reveals the PASSWORD several times .






Re: xor encryption absolutely insecure

Karl Godt
Administrator
Yes, the so-called "light encryption" .

AES does not show anything except usual binary garbage in hexdump, and mount does return other messages to dmesg.

Re: xor encryption absolutely insecure

JakeSFR
In reply to this post by Karl Godt
This "joke" encryption should have never been implemented, in the first place.
ROT-13 would be safer, lol.

Greetings!

Re: xor encryption absolutely insecure

q5sys
I agree, there's no point for it being there.  It gives a false sense of security to people who really don't know any better.  Not that it's up for vote... but I'd vote for it to be removed.  Even our target 'old hardware' can handle AES without being computationally burdened.

On Thu, Apr 16, 2015 at 10:40 AM, JakeSFR [via woof-CE] <[hidden email]> wrote:
This "joke" encryption should have never been implemented, in the first place.
ROT-13 would be safer, lol.

Greetings!



Re: xor encryption absolutely insecure

Karl Godt
Administrator
In reply to this post by JakeSFR
I personally have no idea how encryption works .

I believe that encryption just puts a password and encryption-type of that password into the superblock of a file .

My faith or belief may be totally wrong .

shutdownconfig light encryption BUG if called from rc.shutdown

Karl Godt
Administrator
In reply to this post by Karl Godt
There is a BUG in shutdownconfig script additionally in regards to light encryption .

I recently had Macpup-529 up that has some workaround to do the ugly shutdownconfig from terminal by calling shutdownconfig through rc.shutdown .

Now in Slacko64-5.8.8 it is still not fixed :

#v2.17 crap, '-p 0' works for aes, not for xor encryption....
  if [ "$CRYPTO" = '-E 1' ];then #light xor encr.

   T_note1="$(gettext 'Note, a bug in one of the Linux utility programs requires you to reenter')"
   T_note2="$(gettext 'the password in the case of light encryption...')"

   echo "#!/bin/sh
   echo \"${T_note1}\" >/dev/console
   echo \"${T_note2}\" >/dev/console
   echo \"${MYPASSWORD}\" | losetup-FULL -p 0 ${CRYPTO} ${DEVLOOP} ${SMNTPT}${SAVEFILE} >/dev/console" > /tmp/shutdownconfig_encrypt_password
   chmod 755 /tmp/shutdownconfig_encrypt_password
   urxvt -bg '#FFFF80' -fg black -geometry 80x5 -title "$(gettext 'First shutdown: reenter password')" -e /tmp/shutdownconfig_encrypt_password
  else

Here the call to urxvt would always fail due to not being in X .
And no error checking and handling as usual .

Would return to X then and give a xmessage about failure ..
Same for snapmergepuppy if savefile at shutdown full -> should return to X so the stupid user ( me myself and I ) can fix things .

Re: xor encryption absolutely insecure

q5sys
In reply to this post by Karl Godt

In proper encryption the password should NEVER be stored.  What is usually done is there is some generic data that is encrypted whose plaintext value is known.  That way when it attempts decryption it is able to discover if it's decrypting properly.

An example of this is a TrueCrypt encrypted partition will encrypt the first two bytes as the value "OK".  If any password other than the proper one is used the first block will not decrypt with those two bytes, so it knows the password is wrong and will report the fail error.

At no point should the decryption password ever be stored in the ciphertext.  I've never used the 'light' encryption in puppy, so I've never bothered to look into it.

Using a good encryption algorithm in a bad way is as secure as using a bad algorithm.  Most of the time when there is a problem with encryption in a product it's the implementation that's bad rather than the algorithm itself.  That being said though... a simple XOR is pathetically bad.



On April 20, 2015 4:18:40 AM EDT, "Karl Godt [via woof-CE]" <[hidden email]> wrote:
I personally have no idea how encryption works .

I believe that encryption just puts a password and encryption-type of that password into the superblock of a file .

My faith or belief may be totally wrong .




--
Sent from Kaiten Mail. Please excuse my brevity.
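
Added example, not part of the thread and not code from Puppy or the kernel: why the hexdump of a light-encrypted savefile shows the password, next to a header that lets a wrong password be rejected without storing it. Assumptions: the XOR mode is modelled as a repeating-key XOR restarting at each 512-byte sector, the sample image is constructed, and the PBKDF2/HMAC check value is a stand-in for the "encrypt known data" scheme described above.

```python
import hashlib
import hmac
import os

SECTOR = 512  # assumption: the key index restarts at every 512-byte sector

def xor_transfer(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[(i % SECTOR) % len(key)] for i, b in enumerate(data))

def key_visible(stored, key):
    """True if the raw key bytes can be read straight out of the stored data."""
    return key in stored

def make_header(password, salt=None, iterations=200_000):
    """Store a salt and a keyed check value, never the password or the key."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}

def password_ok(password, header):
    """Re-derive the key and compare check values in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password, header["salt"],
                              header["iterations"])
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(check, header["check"])

# Constructed sample: the first 10 KiB of a filesystem image, assumed to be
# mostly zero bytes; two non-zero bytes stand in for superblock fields.
PASSWORD = b"PASSWORD"  # placeholder, as in the post
PLAIN = bytes(1024) + b"\x53\xef" + bytes(10 * 1024 - 1026)
LIGHT = xor_transfer(PLAIN, PASSWORD)

if __name__ == "__main__":
    print("password readable in XOR image:", key_visible(LIGHT, PASSWORD))
    print(LIGHT[:32])  # zero plaintext XOR key == key, repeated
    hdr = make_header(PASSWORD)
    stored = hdr["salt"] + hdr["check"]
    print("password readable in header:", key_visible(stored, PASSWORD))
    print("correct password accepted:", password_ok(PASSWORD, hdr))
    print("wrong password rejected:", not password_ok(b"guess", hdr))
```

Any zero byte XORed with a key byte yields that key byte, so every zero-filled run in the image is a copy of the password; nothing needs to be "stored" for it to appear.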