rotor alternative?

Paul Rubin http
Wed Nov 19 19:21:38 CET 2003


Robin Becker <robin at jessikat.fsnet.co.uk> writes:
> You're probably right, but given that the code itself has to unobfuscate
> to make use of the data then any key/algorithm etc has to be present
> somewhere.

The idea of cryptography now is to keep the data secure as long as the
key is secret.  It's ok if the algorithm is known.  If the key is known
too, all bets are off.

> How should we obfuscate? Using a crypto function just increases the time
> and effort that someone needs to get the plain text. 

If you can keep the key secret and the cryptography is any good, there
should be no way for anyone to break the cryptography without the key.
Rotor fails in that criterion.

> Likewise using a C
> extension makes it harder for the casual thief. The professional won't
> be bothered.

I think you're underestimating the technical ability and determination
of amateurs on the internet.  Look at all the virus writers out
there--who is paying them?  Almost every day Microsoft has to release
a new critical security patch because of some weakness that got
exploited by a non-professional and caused users a lot of hassle.  The
exploit usually isn't some technical breakthrough on the attacker's
part, but rather stems from an attitude problem at Microsoft, that
their products only have to be secure enough to make it "harder for
the casual thief" since "the professional won't be bothered".  That is
precisely the wrong attitude to have, as we see every time Microsoft
announces that "as of today security is our #1 priority" and then goes
back to doing the same dumb stuff, and a few days later, yet another
virus brings everyone's work to a halt yet another time.  If you're
going to use cryptography at all, use it as well as you can.

> The rotor module was small and speedy. In my case I'm sure that it makes
> very little difference to use base64 and a xor or something similar.

Using base64 or an xor should be even smaller and speedier than rotor,
so if that's your goal, the answer is still "use xor and get rid of
rotor".  The only reason to use rotor instead of xor is you think xor
isn't secure enough.  But if xor isn't secure enough, you should use
real cryptography, not rotor.

> When we really want data to be protected we're using one time passwords
> assigned by a special server.

If you really want data to be protected I hope whatever methods you're
using were designed or at least reviewed by someone who knows what
they're doing.  That's not intended as a put-down toward you; there
are a lot of mistakes that get made over and over again, and it takes
some knowledge and experience to recognize them and not make them.
Using something like rotor is very frequently an example of such a mistake.




More information about the Python-list mailing list