AIVD warns organizations about the threat posed by quantum computers to cryptography – Computer – News

What you said at the beginning is also wrong. There is absolutely no possible way my algorithm can get a duplicate result. I took that into account when I built it. It is not a complex enough algorithm to be as complex as cryptography.

It is therefore a kind of symmetric encryption, regardless of complexity or efficiency. ROT13 is also, despite the fact that it is trivial to recognize and “crack”. The same is putting the input backwards. If no duplicate results are possible and the same input with the same key produces the same output at the same time, this must mean that no information is lost in your transformation step, so you can safely say that different outputs must also have different inputs. It also makes it trivially reversible, something you don’t want at all if you’re into hashing (which it still looks like). And it all depends on how you designed it and if you made any mistakes.

It’s a simple salt hash

That is by definition not the case given your quoted statement above.

There is also no hook that would allow anyone to enter this layer.

Nor does it necessarily have to be there for information to leak out.

Then, should something like MD5 happen again (ie calculating collisions for example), someone gets back a string like “49039~2GF” instead of “mywachwtoord” and they can do absolutely nothing with it until they crack the formula + key that I use to make these.

What if I type “abcdef” and see what kind of hash comes out and calculate a collision on that? And then a few times for “abcdeg” and “abcdeh” or something? Then you can calculate your algorithm and type with it.

And where you state that this “double value” could pose a problem, even if it were possible, it wouldn’t be a problem at all anyway. Because this value, double or not, could not be used anywhere. As in; you can’t enter this anywhere. Because each input expects a value with no salt.

For example, if there is a double value that ultimately gives the same hash after all your transformation steps, this means that a particular user can log in with two different passwords. The time it takes to crack the whole has become much shorter.

I admit my terminology is not that strong. This is mainly because I use it as little as possible and therefore haven’t followed what they call what exactly for years. This is mainly because there has been a lot of discussion about terminology and I no longer felt the need for it.

This discussion takes place mainly with people who are not interested in the correct terminology or who are simply not familiar with the subject. Gaining knowledge from action movies and mediocre journalism is one of the two. The terminology has not changed since its introduction. There is a world of difference between encryption and hashing, and the two terms are very easy to tell apart. The fact that you still don’t simply indicates disinterest to me and certainly not useful in a discussion.

I just keep calling it FTP because at its core it’s always a file transfer protocol, or eventually it falls back to that. You can wrap it in 1593932409 layers and then rename it ‘move containers’ or ‘deployment’ or all sorts of wonderful terms like that, but it’s still all FTP, just with some extra steps in between.

None. FTP is a file transfer protocol, yes. But it is a file transfer protocol does not FTP. For example, SCP, SFTP, and Rsync are independent protocols that are significantly different from each other and from FTP, and do not wrap FTP in any way. FTPS does, but I don’t think it’s a very popular protocol.

I would like to say that you (and others) are full of assumptions. Like your assumption that I would test something with “2 strings” instead of say building a string generator and jacket over 10 million strings through the thing exactly to avoid the point you make.

You are now making all sorts of assumptions yourself. My point about “2 strings” was that you probably tested your claims with X strings (say 10 million, but I still doubt that, I think 2 is closer to the truth), rather than having your assertions mathematically proven, after which testing is just a formality to check that your implementation follows the rules of your design.

The assumption that knowing how to use just the right terminology matters to the quality of what you do.

No actually. But it gives incredibly strong clues. In fact, with your use of terminology it seems almost impossible to study what you are doing properly, implying that such a thing never happened. With this, you automatically fall into all the pitfalls of overestimating yourself and the chance of something that still scores qualitatively somewhere on one scale or another is quite minimal. If only because no one knows who has reviewed your algorithm. Another assumption I’m making, but one I’m sure is true. I will reinforce that by telling you that I once also made my own encryption for fun, the algorithm of which also had to remain secret and which I thought was almost impossible to crack. It also met all the criteria you mentioned. I gave a presentation about this within the framework of a crypto lecture and the professor, even without access to the software, had guessed a number of pain points during the presentation (!), which I hadn’t thought of myself, and he was right. With those things in mind, I then did my own encryption analysis with a fellow student, completely fired my algorithm and got a good score for the analysis. Without the professor’s comments, I would not have been able to properly conduct that analysis at the time. You’ll already have to deal with horrible tunnel vision in the design phase because you’ve already covered every attack vector you can think of yourself. After that I never worked on that algorithm again and just started using the usual algorithms and implementations.

The assumption that I’m only one person working on it.

Everywhere in your post it says “I” and you speak in the singular. I don’t think that’s a very unusual assumption.

The assumption that one person could never make something as complex as something posted on github.

I don’t know where I made that assumption, the only assumption I made is that someone who makes claims about crypto the way you do doesn’t have enough knowledge to judge that he doesn’t have enough knowledge to do this properly itself must be done without outside help. By the way, with this assumption you seem to confirm the previous assumption, but oh well.

For the record; I am certainly not a cryptographer and know very little about cryptography. But I know more than enough about web security that my products have never been hacked.

My assumption: your products are not interesting enough to look at.

I also know that I don’t know everything, which is why I hire white hats to find leaks in my products instead of doing it myself.

If you are open to this, I would let these white hats or certainly a cryptographer look at your code under secrecy so that they can make an assessment of the quality of your algorithm, its added value and all the pros and cons of using that. Especially because of the following quote from you:

I can’t deny that I have seen custom goals that are actually as leaky as a basket and actually create holes.

Do what you want with it.

Leave a Comment