CPAN Ratings (Gamma) Crypt-Lite reviews
2 out of 7 found this review helpful:
One reason I was hacked off was the XOR discussion, since the "Lite" term obviously does not say heavy. Interesting things came up and I'd like to further discuss some of them in the blog mentioned below.
Now I have re-built some features since release 0.82.08, especially not to include the secret string anymore, which I fully accept as a good point. Instead, an MD5 checksum of the secret string is being included. The reason for that can be read in the "What's Special" section. I will state much more clearly what a Module's purpose is and what is not. There is an Important Notice just after the Description section.
You may place your further comments also on the following Blog URL:
http://infocopter.blogspot.com/2006/09/cryptlite.html
Have fun!
RTFM - 2006-09-15 15:22:19
This package is worthless. The author falsely claims that multiple encryption increases security: that's snake oil.
It seems to be throwing in data generated by rand(). Not very secure at all.
Installation of other crypto packages with complex dependencies is a false reason for promoting this package: it's easy to install many of them, even on a Windows machine with no compiler.
Whether other packages have more complicated interfaces is no reason to provide a simple interface with a junk algorithm.
Robert Rothenberg - 2006-09-15 12:42:03
This module really does nothing else but XOR-ing the plaintext with the key. The key is repeated if the message is longer than the key, which means the encryption can be broken if the message is long enough. The module even helpfully adds a (partially known) string to the message. Creating a good encryption method is a task for specialists; judging from his reply to the previous review, the author probably isn't one, and judging from his module, he certainly isn't. DON'T USE.
Eugene van der Pijll - 2006-09-15 12:25:26
As emphasised in CPAN's documentation, Crypt::Lite is *not* designed to act as a competitor for the strong algorithms like Rijndael or Blowfish, where Rijndael has been elected as the Advanced Encryption Standard (AES) by NIST (see http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html).
That user opinion cited Bruce Schneier: "...won't stop a cryptanalyst for more than a few minutes." Well, that's true (and well-known) for trivial XOR encryption. Although I think the "few minutes" is a very imprecise conclusion since some certain requirements had to be met; I recommend Simon Singh's "Geheime Botschaften", ISBN: 3-423-33071-6 as a good reading on that matter (also available in English).
[ The documentation suggests using "double or tripple-encryption
with any data to increase the security." However, multiply
encrypting with XOR cannot possibly increase security -- it's the
same as XORing once with the XOR of the two keys used. ]
Wrong for Crypt::Lite.
I'd assume it is pretty challenging to decrypt, even for a crypto analyst and it would take weeks to make the first guesses. In the case the crypto analyst knows it's a German or English sentence, and not "any string".
Again, Crypt::Lite has many other useful purposes than to be a competitor for AES algorithms but in my humble opinion, it should be safe enough, even for sending encrypted passwords over the net.
[ Amazingly, the secret key is included as part of every encrypted
message. That can't be a good idea. ]
The usage of the secret string has a specific intention. This part of the procedure is being improved as of release 0.82.08.
[ Due to an apparent implementation bug, Crypt::Lite throws away
7/8ths of the secret key. ]
I don't understand the issue.
I never noticed such a problem.
Reto - 2006-09-15 07:32:57
DO NOT USE. This is a poor implementation of Simple XOR encryption. To quote Bruce Schneier from Applied Cryptography, "An XOR might keep your kid sister from reading your files, but it won't stop a cryptanalyst for more than a few minutes."
The documentation suggests using "double or tripple-encryption with any data to increase the security." However, multiply encrypting with XOR cannot possibly increase security -- it's the same as XORing once with the XOR of the two keys used.
Due to an apparent implementation bug, Crypt::Lite throws away 7/8ths of the secret key.
Amazingly, the secret key is included as part of every encrypted message. That can't be a good idea.
The module also can't tolerate tabs in the plaintext or secret key strings.
Some Guy - 2006-07-28 00:06:38
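
The two points the reviewers make about plain repeating-key XOR (two layered keys collapse into one key, and known text in the message exposes that key), as an added Python example that is not part of any review and is not Crypt::Lite's own code. The keys, message and function names are constructed for illustration, and the sketch assumes the first 28 bytes of the message are known.

```python
from itertools import cycle
from math import gcd

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed (encrypts and decrypts)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def combined_key(k1: bytes, k2: bytes) -> bytes:
    """The single key that equals XORing with k1 and then with k2.

    Its period is lcm(len(k1), len(k2)); the second pass adds no new secret.
    """
    n = len(k1) * len(k2) // gcd(len(k1), len(k2))
    return xor_repeat(xor_repeat(bytes(n), k1), k2)

def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known plaintext at the start of a message yields the key bytes directly."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix is shorter than the key period")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))

# Constructed sample values, not taken from the module or the reviews.
K1 = b"tuesday"          # 7 bytes
K2 = b"blue"             # 4 bytes, so the combined period is 28
MESSAGE = b"Subject: quarterly report attached, please review by Friday"
KNOWN = MESSAGE[:28]     # assumed-known header text

def demo():
    double = xor_repeat(xor_repeat(MESSAGE, K1), K2)    # "double encryption"
    single = xor_repeat(MESSAGE, combined_key(K1, K2))  # one pass, one key
    key = recover_key(double, KNOWN, len(combined_key(K1, K2)))
    return double == single, xor_repeat(double, key)

if __name__ == "__main__":
    same, plaintext = demo()
    print("double XOR equals single XOR with combined key:", same)
    print("recovered from known prefix:", plaintext.decode())
```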