-5

Note: I'm new to information security practices so feel free to point out anything I could be doing better.

Situation : I'm currently creating an encryption system for instant messaging and I want to know if what I'm doing is good.

I'm building a variant of polyalphabetic subsitution :

  • take a link, and then get all text on the webpage
  • build a dict char -> list of positions from the webpage's text
  • use the dict to map every char of the message to one position picked (randomly) in the list
  • encode the position in exadecimal
  • optionally compress the result if it's a file encrypted

It returns me things like that : 5118 35b0 60ec 3e19 6aa6 6bfb 32db 6cd7 4a2d for a 9 char string.

There is the full Python module code and a tiny tool to test all the module : https://github.com/NimingCypher

Questions :

  • Is it secure and possible to create a webpage to generate a public key?
    • Alice want to talk with Bob for example, so Alice generate a hash with a password and some random chars stored into her computer (or anywhere else)
    • Then Bob get the hash and generate his own by the same method
    • Bob put both hashes into the webpage and then give the private key
    • Then the webpage return a link who redirect to the private key if informations provided by php parameters generate one of the two hashes.
  • Is there a way to prevent sniffing attacks?

Thanks for your help.

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
Mathix420
  • 107
  • 4
  • 4
    *"I'm new to information security practices so feel free to point out anything I could be doing better."* - Cryptography: [Why shouldn't we roll our own?](https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own) – Steffen Ullrich May 28 '18 at 18:01
  • 6
    The general advice for crypto is [don't roll your own](https://security.stackexchange.com/q/18197/5405). For proper security, use existing encryption tools that apply the algorithms made by crypto professionals. If you're doing this for fun and learning it's OK, but don't use it for any real-world security. – S.L. Barth May 28 '18 at 18:02

2 Answers2

7

Short answer: No, it's not secure.

Anything based on substitution ciphers will be vulnerable to frequency analysis. I'm not totally clear what you mean by this:

[keygen:] build a dict char -> list of positions from the webpage's text

[encryption:] use the dict to map every char of the message to one position picked (randomly) in the list

but I get the feeling that you will leak (at least) the distribution / frequency of characters in the message. (At the minimum) this will tell me which language the text was written in and probably something about the content.

I think it's great that you're exploring cryptography: keep on learning! But if you're going to put this into any software beyond toy programs for your own learning, please use standard crypto like AES and RSA.

Community
  • 1
Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
0

A substitution cipher is the basic cipher in cryptography so it can be easy detected by a letter (fast choice) frequency attack or key elimination or (bad choice) bruteforce attack, depending on the language you use.

English 26! factorial

So RSA, DES, AES are good choices for a cryptosystem to be used. Based on the attacks done on DES & AES, it requires high computational resources to start an attack on these algorithms. They cannot be attacked be classical attacks like math analysis and bruteforce.

schroeder
  • 125,553
  • 55
  • 289
  • 326
genral Hummel
  • 17
  • 6