Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > C Programming > bare bones file encrypter/decrypter using 128 bit Serpent algorithm

Reply
Thread Tools

bare bones file encrypter/decrypter using 128 bit Serpent algorithm

 
 
santosh
Guest
Posts: n/a
 
      01-24-2008
makobu wrote:

>> I pointed out a number of areas where it was
>> simply wrong.
>> --
>> Flash Gordon

>
> The compiler didn't give out any warnings, and the program does what
> its supposed to. So there might better ways to code the areas, but
> they waren't wrong. Not according to gcc anyway.


Compile with the '-Wall', '-W', '-ansi' and '-pedantic' switches. You
can use '-std=c99' instead of '-ansi' for partial conformace to C99.
Read info gcc for further switches.

 
Reply With Quote
 
 
 
 
Bart C
Guest
Posts: n/a
 
      01-24-2008

"Philip Potter" <(E-Mail Removed)> wrote in message
news:fn72ae$hmg$(E-Mail Removed)...
> http://www.velocityreviews.com/forums/(E-Mail Removed) wrote:
>> On Jan 22, 4:00 pm, makobu <(E-Mail Removed)> wrote:
>>> <snip>
>>> /* crypto */
>>> int crypto(FILE *infile, char *action, char *name)

>> crypto is a bad name, (there's already a 'crypto') I suggest you
>> choose a differend name.

>
> Never heard of it. n1256 doesn't mention it, and neither does "man crypto"
> on my machine. I *have* heard of crypt(), though.


I think it was Superboy's dog.


 
Reply With Quote
 
 
 
 
Nick Keighley
Guest
Posts: n/a
 
      01-25-2008
On 24 Jan, 10:22, makobu <(E-Mail Removed)> wrote:

> > *I pointed out a number of areas where it was
> > simply wrong.

>
> The compiler didn't give out any warnings,


you didn't ask it to

> and the program does what
> its supposed to.


wow. perhaps your testing is poor. You fail to check return
values of calloc(), you allow buffer overflow on input, you
misuse strncpy(), you don't seed rand(). You use rand()
for cryptography!?

I hope you don't write software for anything important.


> So there might better ways to code the areas, but
> they waren't wrong. Not according to gcc anyway.




--
nick keighley

 
Reply With Quote
 
Flash Gordon
Guest
Posts: n/a
 
      01-25-2008
Nick Keighley wrote, On 25/01/08 10:07:
> On 24 Jan, 10:22, makobu <(E-Mail Removed)> wrote:
>
>>> I pointed out a number of areas where it was
>>> simply wrong.

>> The compiler didn't give out any warnings,

>
> you didn't ask it to


In any case, if not producing any warnings is sufficient to prove a
program is bug free then here is my implementation in standard C of the
"Do whatever you want" program. Run it and it will do whatever you want,
and it must be correct because it compiles without warning.

int main(void) {return 0;}

>> and the program does what
>> its supposed to.

>
> wow. perhaps your testing is poor. You fail to check return
> values of calloc(), you allow buffer overflow on input, you
> misuse strncpy(), you don't seed rand(). You use rand()
> for cryptography!?


I'm sure there were a few other things I pointed out. Such as a buffer
overflow even if the user followed the instructions.

> I hope you don't write software for anything important.


Doesn't mater if he does, for anything important there would be at least
a little QA and any attempt by anyone competent would reject SW like the
OPs.

>> So there might better ways to code the areas, but
>> they waren't wrong. Not according to gcc anyway.


See above. Compilers are not required to issue diagnostics for all
coding errors, and in fact they cannot because the compiler does not
know what you intend only what you tell it.
--
Flash Gordon
 
Reply With Quote
 
makobu
Guest
Posts: n/a
 
      01-26-2008

> wow.


Woopa!

>perhaps your testing is poor. You fail to check return
> values of calloc(), you allow buffer overflow on input, you
> misuse strncpy(), you don't seed rand(). You use rand()
> for cryptography!?


Did you read the heading? "bare bones", its an example; not production
code.

> I hope you don't write software for anything important.


Gee, thanks; i hope you don't write software for anything important
too.
 
Reply With Quote
 
makobu
Guest
Posts: n/a
 
      01-26-2008

> > I hope you don't write software for anything important.

>
> Doesn't mater if he does, for anything important there would be at least
> a little QA and any attempt by anyone competent would reject SW like the
> OPs.


What you guys don't seem to get is that this code i just an example.
Anyone who wants to actually use it needs to make many changes to it,
and add a feature, not to be used as is, hence the words "bare bones"
in the title.
 
Reply With Quote
 
santosh
Guest
Posts: n/a
 
      01-26-2008
makobu wrote:

>
>> > I hope you don't write software for anything important.

>>
>> Doesn't mater if he does, for anything important there would be at
>> least a little QA and any attempt by anyone competent would reject SW
>> like the OPs.

>
> What you guys don't seem to get is that this code i just an example.
> Anyone who wants to actually use it needs to make many changes to it,
> and add a feature, not to be used as is, hence the words "bare bones"
> in the title.


Usually "bare bones" means code which is correct in function, but
stripped of all non-essential stuff like error handling, debug output,
etc.

Your code, in addition to being "bare bones", had several errors in it,
which were pointed out to you in more than one response.

There is a subtle difference between "bare bones" code and broken code.

 
Reply With Quote
 
David Thompson
Guest
Posts: n/a
 
      02-04-2008
#if offtopic

On Tue, 22 Jan 2008 20:11:22 +0000, Flash Gordon
<(E-Mail Removed)> wrote:

> makobu wrote, On 22/01/08 14:00:


> > MCRYPT td;
> > int i;
> > char * key;


> > char *IV;
> > int keysize = 19;


> > td = mcrypt_module_open("serpent", NULL, "cfb", NULL);
> > if(td == MCRYPT_FAILED)
> > return 1;
> > IV = malloc(mcrypt_enc_get_iv_size(td));
> > for(i=0; i<mcrypt_enc_get_iv_size(td); i++)
> > IV[i] = rand();

>
> You have not initialised the random number generator, so your sequence
> of "random" numbers will be the same each time the program is run.


True. And once you do make them different, the IV chosen to encrypt a
given message (here, file) needs to be stored and used for decryption.
The simplest way is just to tack it onto the beginning of the
encrypted data, but many other schemes are possible.

> Even > if you had initialised it rand() is still not suitable for cryptographic
> work.
>

Maybe. Assuming this (not-standard) mcrypt does indeed implement
Serpent (or any other decent block cipher) in CFB mode, which seems a
reasonable guess, you want an IV which is unique or at least
duplicated with only negligible probability per key, and I think you
want not influencable by an attacker, but you don't need unpredictable
aka 'crypto random'. Unlike some other crypto parameters, which do.

The seedable state space of the C library prng is not specified, but
it unlikely to be more than 32 bits and may be as little as 15.
Whether this can avoid dangerous duplication depends on your traffic
volume and key management. This would be ontopic in sci.crypt .
As would be limitations of CFB. And human-entered passwords.

<snip other good points>
- formerly david.thompson1 || achar(64) || worldnet.att.net
 
Reply With Quote
 
David Thompson
Guest
Posts: n/a
 
      02-10-2008
On Wed, 23 Jan 2008 10:07:07 GMT, Randy Howard
<(E-Mail Removed)> wrote:

> On Wed, 23 Jan 2008 03:44:46 -0600, Philip Potter wrote
> (in article <fn72ae$hmg$(E-Mail Removed)>):
>
> > (E-Mail Removed) wrote:
> >> On Jan 22, 4:00 pm, makobu <(E-Mail Removed)> wrote:
> >>> <snip>
> >>> /* crypto */
> >>> int crypto(FILE *infile, char *action, char *name)
> >> crypto is a bad name, (there's already a 'crypto') I suggest you
> >> choose a differend name.

> >
> > Never heard of it. n1256 doesn't mention it, and neither does "man
> > crypto" on my machine. I *have* heard of crypt(), though.

>
> I think it's part of openssl, iirc.
>

'crypto' is one of two (main) source trees, and (thus) library files,
in OpenSSL. But that source tree is divided into numerous modules, and
all the function names identify their module (DES_blah_this,
SHA1_that, EVP_the_other, etc.) so no function is just 'crypto'.

And elsethread, Superboy's dog was (is?) Krypto with a K.

- formerly david.thompson1 || achar(64) || worldnet.att.net
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
MISSING (1982) DVD: New low standard for bare bones release lcl99 DVD Video 12 11-29-2004 12:56 PM
Bare-bones Sky receiver Fishb8 NZ Computing 4 11-01-2004 04:32 PM
Bare bones and add your choices of components joevan Computer Support 3 07-01-2004 07:54 PM
Looking For Bare Bones Computer Not a Hassle Keith Computer Support 4 06-02-2004 07:04 PM
bare bones <div> demo online Richard HTML 20 11-04-2003 09:38 PM



Advertisments