
2 out of 6 found this review helpful:

Crypt-Lite (0.82.07) ****

As emphasised on CPAN's documentation, Crypt::Lite is *not* designed to act as a competitor for the strong algorithms like Rijndael or Blowfish where Rijndael has been elected as the Advanced Encryption Standard (AES) by NIST (See http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html).

That user opinion cited Bruce Schneier "...won't stop a cryptanalyst for more than a few minutes.". Well that's true (and well-known) for trivial XOR encryption. Although I think the "few minutes" is a very imprecise conclusion since some certain requirements had to be met; I recommend Simon Singh's "Geheime Botschaften", ISBN: 3-423-33071-6 as a good reading on that matter (also available in English).

[ The documentation suggests using "double or tripple-encryption
with any data to increase the security." However, multiply
encrypting with XOR cannot possibly increase security -- it's the
same as XORing once with the XOR of the two keys used. ]

Wrong for Crypt::Lite.

I'd assume it is pretty challenging to decrypt, even for a crypto analyst and it would take weeks to make the first guesses. In the case the crypto analyst knows it's a German or English sentence, and not "any string".

Again, Crypt::Lite has many other useful purposes than to be a competitor for AES algorithms but in my humble opinion, it should be safe enough, even for sending encrypted passwords over the net.

[ Amazingly, the secret key is included as part of every encrypted
message. That can't be a good idea. ]

The usage of the secret string has a specific intention. This part of the procedure is being improved as of release 0.82.08.

[ Due to an apparent implementation bug, Crypt::Lite throws away
7/8ths of the secret key. ]

I don't understand the issue.
I never noticed such a problem.

Reto - 2006-09-15 07:32:57
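
The bracketed claim quoted in the review, that XORing twice is the same as XORing once with the XOR of the two keys, worked through for textbook repeating-key XOR. This is an added example, not part of the review and not Crypt::Lite's code (this page does not show the module's algorithm); the function names and sample values are constructed.

```python
from itertools import cycle
from math import gcd


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Textbook repeating-key XOR (an assumption, NOT Crypt::Lite's algorithm)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def combined_key(key1: bytes, key2: bytes) -> bytes:
    """Single key equivalent to XORing with key1 and then with key2.

    The two repeating key streams realign every lcm(len1, len2) bytes,
    so the equivalent single key has exactly that period.
    """
    period = len(key1) * len(key2) // gcd(len(key1), len(key2))
    # XORing an all-zero buffer with a key yields the key stream itself.
    return xor_repeat(xor_repeat(bytes(period), key1), key2)


def demo():
    # Constructed sample values, for illustration only.
    plaintext = b"The quick brown fox jumps over the lazy dog, twice over."
    k1, k2 = b"secret", b"hunter2!"
    double = xor_repeat(xor_repeat(plaintext, k1), k2)
    single = xor_repeat(plaintext, combined_key(k1, k2))
    return plaintext, double, single, combined_key(k1, k2)


if __name__ == "__main__":
    plaintext, double, single, ck = demo()
    print("double pass == single pass with combined key:", double == single)
    print("combined key period:", len(ck))
    # Edge case: using the same key twice cancels out completely.
    same = xor_repeat(xor_repeat(plaintext, b"secret"), b"secret")
    print("same key twice returns plaintext:", same == plaintext)
```

For this cipher a second pass only changes the key to one of period lcm(len1, len2); it remains a single repeating-key XOR.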