Break my Encryption

Hello and Welcome Challengers

I'm wondering if anyone can break this Encryption I made for a product in that is in development.

That and my boss also wants a minor field test of it and gave a thumbs up to test in on forums.

I can not offer a reward, but you will get some bragging rights for breaking an encrypted sentence.

Post the decrypted Sentence as an Answer in the thread in a spoiler labeled "Attempt".

If this breaks any Paizo guidelines, Please delete the whole thread.

Is the space between the 2 and the C a genuine part of the message or a cut-and-paste error?

Attempt:

@Steve Geddes
The space is a copy-paste error

@Dr. Seymour Cray
Nope

The space is an artifact of the posting system. The same thing that causes urls to pick up spaces when posted without being turned into actual links. I think it's a line break converted into a space in the text window.

As for the actual encryption:

It's obviously hexadecimal notation. Probably 2 characters per letter, ranging from 01 to 79, which puts them all within the basic ASCII chart, though not within the printable characters. It doesn't look like s simple substitution, which is good. The frequencies don't match English and there are too many characters used. Of course, I don't know the plaintext looks like. If it's not standard English and includes numbers and punctuation, that would be different.
I'm not going to dig further into it now. Too many unknowns, not enough payoff.

I will say this: If your product actually requires any real encryption security, this isn't even remotely a valid test. Breaking a code from a single coded sentence is much harder than if you have a larger sample. Or better yet, better yet, examples of the plaintext and ciphertext.
If there is any chance of it being broken from just this sample, if there is the slightest doubt that it could, it's not remotely secure in actual use.
And there are plenty of free, essentially unbreakable, encryption schemes out there. There's almost no point in developing your own.

@ thejeff
The product just needs a little something to stop most people from getting a few freebies, and we don't want Fort Knox security slowing it down.
And it's also part of a personal starter project of mine, as I find math equations and systems fun.
And the system I'm working out as a personal project could be a very Hard Nut to crack, as I'll be using a few ideas that add a difficult twist.

@ thejeff

The product just needs a little something to stop most people from getting a few freebies, and we don't want Fort Knox security slowing it down.

The professionals have already addressed that. There are lots of good, fast encryption methods out there; I suggest XTEA.

Especially if this is a product that will be generated thousands of messages a day (let alone millions a second, as I suspect if speed is important), there are a lot stronger attacks I can use simply by harvesting messages.

RHMG Animator wrote:

@ thejeff

The product just needs a little something to stop most people from getting a few freebies, and we don't want Fort Knox security slowing it down.

The professionals have already addressed that. There are lots of good, fast encryption methods out there; I suggest XTEA.

Especially if this is a product that will be generated thousands of messages a day (let alone millions a second, as I suspect if speed is important), there are a lot stronger attacks I can use simply by harvesting messages.

XTEA is a great find.

XTEA is a great find.
I'll be adding it to my research on Encryption for my next Encryption project

This is going to sound like a rude question, but please bear with me. Since it sounds like cryptography is a serious interest of yours,.... how many systems have you yourself broken?

Most of the experts agree that a good background in breaking cyphers is key to being able to design a strong one. Bruce Schneier has a very good "self-study course in block cipher cryptanalysis" that I can recommend. But that's probably a better approach (IMHO) than playing around with cyphers that you don't really know how to break yourself.

RHMG Animator wrote:

XTEA is a great find.
I'll be adding it to my research on Encryption for my next Encryption project

This is going to sound like a rude question, but please bear with me. Since it sounds like cryptography is a serious interest of yours,.... how many systems have you yourself broken?

Most of the experts agree that a good background in breaking cyphers is key to being able to design a strong one. Bruce Schneier has a very good "self-study course in block cipher cryptanalysis" that I can recommend. But that's probably a better approach (IMHO) than playing around with cyphers that you don't really know how to break yourself.

That would be of great help in understanding the thought process of breaking them, and as I have only broken a few simple ones.

The course is available for download; just Google it. Enjoy!

Yoink

@Orfamay Quest
Are you going to try to break the code and find the sentence hidden within?

Frankly,.... no. As thejeff pointed out, it's almost certainly not worth my time. Almost any encryption can and will stand up to a cyphertext-only attack on a single, short, context-free text. Almost every context in which a cypher will in practice be used will generate much more (and more useful) information than that.

If there's any chance at all that your cypher will NOT withstand this attack, it's too weak to rely on.

You're asking people on a games message board to spend time and effort for something that, if your company was professional at all, would be paying someone to do.

Use an existing library written by professionals if you want it to be secure.

Well, the company -- and RHMG -- might not realize how professionalized cryptography is. A lot of people dabble in cryptography the way others dabble in web design. A small startup is well-served to see if they can get a cheap or freebie web page if they can get away with it and keep the cash flowing the right way. Nothing wrong with that, but cryptography doesn't quite work the same way.

Yeah, but a lot of the good 'professional' cyphers and libraries are free as in beer.

And any company asking the internet to do free work with no reward of any sort is not one I would associate with. A copy of the product, name in the credits, $20, fine. Bragging rights, really?

Now I could be wrong and this is a poor presented entry into an ARG.

Yeah, but a lot of the good 'professional' cyphers and libraries are free as in beer.

And any company asking the internet to do free work with no reward of any sort is not one I would associate with. A copy of the product, name in the credits, $20, fine. Bragging rights, really?

Now I could be wrong and this is a poor presented entry into an ARG.

Well, there's a long history of cracking-cyphers-for-bragging-rights in the professional community. Google for "squeamish ossifrage" sometime.

The main difference is that the challenge is usually better explained and grounded. And also the bragging rights are more substantial as they're usually accompanied by publications and conference presentations.

Thanks for the insight into all this. Not being sarcastic here.

As Orfamay likely figured out we are a very small company.

@Krensky
Free cyphers and libraries sounds nice, but give other people who know which one your using a doorway in, that and building one is a nice challenge for a math nut like myself.
And I'll get better at building them as I make more.

Update Notice:
Upon Hearing the cries of "No reward, No thanks." RHMG is offering a Prize to win.
The first one to crack the Code gets a free copy of MultiScope Pro which is in development with 5 scopes, it'll retail for about $500 (US).

MultiScopeLite is the currently released version, and Pro is going to be better than Lite, in that It'll do more than Lite, and have better performance.
------------------------------------------------------------------------

Free cyphers and libraries sounds nice, but give other people who know which one your using a doorway in, that and building one is a nice challenge for a math nut like myself.

Woah. Bad. Ahh-OOOO-gah! <suitable alarm klaxon noises>

The easiest way to make sure that your system will be cracked undetectably is by not publishing it. This has more or less been standard doctrine since the mid 19th century; a suitably determined bad guy can always figure out what you're doing. If you're talking about a software-based system, I can de-compile your code and recover your encryption algorithm in minutes, an hour at most.

The difference is that as a bad guy, I'm not going to tell you I'm doing that, and as a good guy, I've got too much else on my plate to bother.

The whole point of using a system like XTEA is that you can tell everyone that you're using XTEA and it doesn't matter, because hundreds of the best minds in the business have worked on this cypher since 1997 and the best they've managed to accomplish is an attack that requires millions of plaintext/cyphertext pairs and several months on a supercomputer. RC4 is similarly efficient and well-studied.

Security-through-obscurity, as you propose, is possibly the worst security plan you could develop. Let me recommend you reconsider, in the strongest possible terms.

Note: In security circles, it's generally considered far safer to use an established, well-tested, algorithm and implementation than to roll your own, even if that means an intruder will know the algorithm.

It's far more likely that an intruder will find the flaws in your implementation even without knowing what it is, than that he knows of a flaw in the free cypher that none of the thousands of high end mathematicians and crypto-buffs have ever found.

Modern public crypto is essentially unbreakable. Brute force can work if the key size is small enough, but is impractical for most situations. There are always rumours that the NSA can break the best cyphers in real-time either through vast amounts of brute force(not true), some theoretical breakthrough(very unlikely) or backdoors in commercial implementations (possible). But if the NSA is going after your implementation, they'll find the holes quickly enough.

@Krensky

Free cyphers and libraries sounds nice, but give other people who know which one your using a doorway in, that and building one is a nice challenge for a math nut like myself.
And I'll get better at building them as I make more.

If your cipher algorithm is worthwhile, it doesn't matter if people know how it works. That's part of the point. Similarly, by preference you want open sourced libraries so you know what the heck they're doing. Otherwise you have no idea if there's a backdoor or something else going on.

Rule 1: Don't roll your own crypto.

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.

When I was in college in the early seventies, I devised what I believed was a brilliant encryption scheme. A simple pseudorandom number stream was added to the plaintext stream to create ciphertext. This would seemingly thwart any frequency analysis of the ciphertext, and would be uncrackable even to the most resourceful Government intelligence agencies. I felt so smug about my achievement. So cock-sure.

Years later, I discovered this same scheme in several introductory cryptography texts and tutorial papers. How nice. Other cryptographers had thought of the same scheme. Unfortunately, the scheme was presented as a simple homework assignment on how to use elementary cryptanalytic techniques to trivially crack it. So much for my brilliant scheme.

From the sound of things, you're looking to use this for license keys or something similar. This has been done before. Heck, MSDN probably has example code, standardized libraries, and white papers on how to do this. If you're doing this for work, rather than as a hobby, you're wasting your company's time and money.

@Dr. Seymour Cray

Nope

If you use this cypher, yes...

HAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHA!!!!

...

...

...

...meow.