I have made a badd*ss Encryption / Decryption with php and wish to have this tested to see how strong it is
Try an crack this… youtu.be/TsJtXD1BVUw
I am looking for any feedback and if you can crack it reply to this, if not I wish to sell this and would like advice where to sell this and how much should I expect for this, I do not wish to make public the source code as i want to keep it secure.
This is not usually how this works.
First off encryption and hashing are two different things. The most notable difference being that hashing is a one way function to produce a fixed length output that can not be reversed to the original text, while encryption is designed to be decrypted.
Second it’s common to refer to “don’t roll your own crypto”. Existing crypt and hash functions have been vetted for years before getting into daily use. Most are still using Bcrypt while Scrypt and Argon are arguably better in every way. Other people have said this much better than what I’d do here so I’ll just shamelessly copy some in here
Your question, MikeAzo’s comment, and your reply practically could not be a better example of Schneier’s Law in practice. Schneier stated:
Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.
To answer your reply
How can you break it if I send you this “QTCPIGXKUXTGG” ciphertext encrypted by a merely a simple algorithm which you have no idea about how it was encrypted?
Because even though we might not know exactly what your secret algorithm is, the first thing an attacker is going to reach for are common tools to attack substitution ciphers or polyalphabetic ciphers. Given even a few sentences of ciphertext is likely enough to fully recover every plaintext.
The fact that you don’t know how to break it is irrelevant. It’s trivial to create a cipher that you yourself can’t break, but it’s another thing entirely to create a cipher that others can’t break. And the odds that you are capable of doing it when you’re not aware of even the most basic attacks against ciphers hundreds of years old — not to mention modern concepts like indistinguishability under different attack models — puts you at an insurmountable disadvantage compared to ciphers designed by researchers with decades of experience in the field who are building off of modern notions of security and the discarded remains of thousands of failed ciphers that came before.
As an example, even if your cipher is somehow secure against a ciphertext-only attack (it’s not), is it secure if I can trick you into encrypting a message for me? What if I can trick you into decrypting a message for me? What if I know part of or all of one of the messages you send? What if you encrypt multiple messages with the same key?
I’ll leave you with another Schneier classic, Memo to the Amateur Cipher Designer:
A cryptographer friend tells the story of an amateur who kept bothering him with the cipher he invented. The cryptographer would break the cipher, the amateur would make a change to “fix” it, and the cryptographer would break it again. This exchange went on a few times until the cryptographer became fed up. When the amateur visited him to hear what the cryptographer thought, the cryptographer put three envelopes face down on the table. “In each of these envelopes is an attack against your cipher. Take one and read it. Don’t come back until you’ve discovered the other two attacks.” The amateur was never heard from again.
So here’s your first envelope. Given a paragraph or two of ciphertext, your cipher will fail to language-based frequency analysis.
Let me know when you’ve figured out the other two attacks.
Edit: The comment about indistinguishability under different attack models is one reason why most “decipher this message crypto challenges” are completely bunk. They often simply give an attacker some ciphertext, ask them to decipher it, and declare victory when nobody produces the plaintext after some amount of time. Unfortunately that’s not how crypto works in the real world; attackers have many more tricks up their sleeve in practice. They can trick computers into encrypting data of their choosing, they can trick computers into decrypting data of their choosing, and they can usually even do these things thousands, millions, or billions of times. Moxie’s post shows how even the most terrible, horribly-designed, and obviously insecure ciphers can be effectively impervious when you restrict an attacker to a single ciphertext-only attack, which aren’t representative of attackers’ capabilities against ciphers as they’re actually deployed in practice.
You can roll your own, but you probably will make a major security mistake if you are not an expert in security/cryptography or have had your scheme analyzed by multiple experts. I’m more willing to bet on an open-source publicly known encryption scheme that’s out there for all to see and analyze. More eyes means more likely that the current version doesn’t have major vulnerabilities, as opposed to something developed in-house by non-experts.
From Phil Zimmermann’s (PGP creator) Introduction to Cryptography (Page 54):
When I was in college in the early 70s, I devised what I believed was a brilliant encryption scheme. A simple pseudorandom number stream was added to the plaintext stream to create ciphertext. This would seemingly thwart any frequency analysis of the ciphertext, and would be uncrackable even to the most resourceful government intelligence agencies. I felt so smug about my achievement.
Years later, I discovered this same scheme in several introductory cryptography texts and tutorial papers. How nice. Other cryptographers had thought of the same scheme. Unfortunately, the scheme was presented as a simple homework assignment on how to use elementary cryptanalytic techniques to trivially crack it. So much for my brilliant scheme.
From this humbling experience I learned how easy it is to fall into a false sense of security when devising an encryption algorithm. Most people don’t realize how fiendishly difficult it is to devise an encryption algorithm that can withstand a prolonged and determined attack by a resourceful opponent.
(This question has more discussion of the above quote.)
If you are not convinced of “Don’t Roll Your Own [Cryptography/Security]”, then you probably are not an expert and there are many mistakes you likely will make.
Is your application robust against:
- Timing Attacks. E.g., to the nanoseconds do completely-bad keys and partially-bad keys take the same amount of time in the aggregate to fail? Otherwise, this timing information can be exploited to find the correct key/password.
- Trivial Brute Force Attacks; e.g., that can be done in within seconds to years (when you worry about it being broken within a few years). Maybe your idea of security may be a 1 in a billion (1 000 000 000) chance of breaking in (what if someone with a bot net tries a few billion times?). My idea is to aim for something like 1 in ~2128 ( 34 000 000 000 000 000 000 000 000 000 000 000), which is roughly ten million billion billion times more secure and completely outside the realm of guessing your way in.
- Attacks on user accounts in parallel; e.g., you may hash passwords with the same (or worse no) ‘salt’ on all password hashes in the database like what happened with the leaked LinkedIn hashes.
- Attack any specific account trivially simply. Maybe there was a unique random salt with each simply hashed (e.g., MD5/SHA1/SHA2) password, but as you can try billions of possible passwords on any hash each second, so using common password lists, dictionary attacks, etc. it may only take an attacker seconds to crack most accounts. Use strong cryptographic hashes like bcrypt or PBKDF2 to avoid or key-strengthen regular hashes by a suitable factor (typically 10(3-8)).
- Attacks on guessable/weak “random” numbers. Maybe you use microtime/MT-rand or too little information to seed the pseudo-random number like Debian OpenSSL did a few years back.
- Attacks that bypass protections. Maybe you did hashing/input validation client side in web application and this was bypassed by the user altering the scripts. Or you have local application that the client tries running in a virtual machine or disassembles to reverse engineer it/alter the memory/ or otherwise cheat somehow.
- Other attacks, including (but not attempting to be a complete list) CSRF, XSS, SQL injection, network eavesdropping, replay attacks, Man in the Middle attacks, buffer overflows, etc. Best protections very quickly summarized.
- CSRF: require randomly generated CSRF tokens on POST actions; XSS: always validate/escape untrusted user-input before inputting into the database and displaying to user/browser.
- SQLi: always use bound parameters and limit how many results get returned.
- Eavesdropping: encrypt sensitive network traffic.
- Replay: put unique one-time nonces in each transaction.
- MitM: Web of Trust/Same as site last visited/Certificate issued by trusted CA.
- Buffer overflows: safe programming language/libraries/executable space protection/etc).
You are only as strong as your weakest exploitable link. Also just because you aren’t rolling your own scheme, doesn’t mean your scheme will be secure, it’s quite likely that the person who created what you rolled out was not an expert, or created an otherwise weak scheme.
TLDR: don’t. And if you have to at least have the code (not the output) vetted by someone else, especially if you’re going to sell it. Those “someone else” obviously have to be someone who know what they’re talking about. First person to come to mind if this is PHP would be ircmaxell
I know the differnece between hash and encryption! im using both! next question! and dont tell me how it works when all the sites are getting comprimised i have a solution!
If you can, crack it and prove its not strong!
Thats the reason for the challenge.
I agree with Jim but i add: patting yourself on the back can be misleading because you will not try to view yourself with weakness. You will only ever see your self-perceived strengths. Also, part of being a clever hacker is knowing when to speak and when to keep silent. No hacker with credibility would reveal your code to be weak. I wouldn’t tell you if i found a weakness. I’d rather let you think that it is secure, then wait for you to use it in delusional secrecy. I’ve ventured down this road of encryption before and i’ve learned one notable fact: if i can come up with something clever, someone else, somewhere else, can also come up with the same idea.
i remember when i first made a prg form. i never heard of prg before. i just tried to make my form redirect back to itself to display results. voila! a prg. later, i read about prg and i laughed to myself. Now, i could be naive and run around saying that i invented prg simply because i’ve never read about it yet i produced a prg form. However, this is not realistsic. As you may discover, someone else already has this credit. Thus, if that person thought that they were clever, then how did an idiot like me discover the same thing? with zero programming education or experience?
quick story: many years my life crumbled around me. I ended up living in a run down hotel because i couldn’t afford to pay for rent plus security deposit for an appartment. The hotel was managed by a Russian man that only cared about money. The hotel was full of gangsters, druggies and ex-convicts. I was depressed to be in this environment. The manager even let these thugs work to pay for their rooms. It was a living hell. To the point: the hotel had very basic internet connectivity. A home router stuck on the rooftop of the office. When the manager would leave for the day, i had no internet. I started to discover that these thugs would hack into the router and turn it off for other guests. Isolating it for themselves. I had no internet for 16 of 24 hour per day. One day, i got pissed and had enough. Now at the time, i understood nothing about networking and routers. You would probably call me an idiot and believe that you are easily able to outsmart me. Well, when i had internet, i decided to try to figure out how networks function. I stared at my wireless adapter and my xp desktop. I looked at network connection data for my wireless adapter. While staring at network properties, i noticed a keyword: gateway. I thought, “gateway, as in a door? as in the way through the gate?” i entered this in my browser as a url and voila! the door to the modem. I saw a password challenge. I went to google, researched default passwords. Long story short, i seized the modem. Haha! thugs didn’t see it coming. They made my life miserable but now i got control of something better than the router. The gd modem! i had internet to myself until they couldn’t figure out why they had no control. Then they called the isp and it was revealed that the password was changed. This battle continued for months but i sharpened my brain every day until i was at a point where they could never kick me off the network. I successfully spoofed, hacked and fought my way to internet service. All i wanted was to use the internet that i rightfully paid for every week. Funny thing about this story is that the main thug was educated by the U.S. military for networking. haha! he couldn’t stop me from getting internet. One other noteworthy service that i exploited in the area: there was a hotel next door which is very expensive and very popular. I analyzed their network and noticed that they used a security firm out of California. I didn’t have internet again so i tried their network. I was able to spoof my way on. It was Christmas and i wanted to be with my internet girlfriend online (we are now married). That big tech silicon valley company couldn’t stop me, so they gave up and i had internet for all of Christmas day.
My point is that you should not think that you can outsmart even stupid people, like me. You may be surprised at how many smart people are walking around. Smart people will not tell you if they crack it. They will let you think that it is secure, so that you keep patting yourself on the back. Then, one day, cryptographers can use your code as an eample of what not to do: underestimate the world and roll your own security code.
So you cant reveal the decrypted text? cool then it must be strong, too strong for any hacker or cracker to crack! Im still waiting…, take your time.
you clearly did not read or take to heart anything that has been written here. This seem to be just trolling, or something…
Nope, thats not what the decrypted text should look like, I am not trolling this is a challenge thats all, I understand cyphers maybe floored and there is always a weak link somewhere, this is why I set this challenge, I also understand black hats are not going to disclose it is weak untill it is implimented, this is just a challenge, I expect resistence I know all about standards and how were supposed to use them and only them, but that is what security experts in the NSA would want you to beLIEve isnt it. I hope you see this is a bit of fun and learning for all parties.
ok, I consider this a waste of time though. please do not sell encryption where professionals have vetted the source. other than that have fun 
My site will not be comprimsed like the big sites like wastebook, they store their users credentails in plaintext while mine if breached would be an actual waste of time and no data would be comprimsed, by no data I mean the important stuff like password and notes! that is the point!
I encourrage everyone in the thread to check out the demo:
https://jnet.sytes.net/apps/Secure_Notes/
Also note you should read the info page available on the page link above while understanding https should be used, when not a security message will be displayed! Also understand the cypher text will be different everytime so no rainbow tables can ever be used!.. Enjoy!
Hello again, I’ve always liked the typographers test: The Quick Brown Fox…
At the hotel that i mentioned, i remember laughing to myself while thinking “these idiots think that i’m an idiot”. They weren’t idiots either because they brainstormed and figured that i was the unstoppable network presence. Of course, i denied it. However, the last year that i lived there, the manager asked me to configure the network for him. The thugs were never able to penetrate my setup. Not that it was unhackable but they didn’t possess the knowledge to defeat it at the time. Maybe now they are smarter, who knows and who cares. I’ve moved on. Anyway, i actually spoke with a degree holding it specialist that worked for the isp. I told him about my troubles at the hotel and he actually suggested that a password as simple as “John.123” is secure because it contained a dot/period/full-stop. Sometimes, even the perceived experts can be ignorant to a matter. All i can say is that if you find a clever cryptographer, then you will learn that you will not be able to outsmart the entire world. Yet it doesn’t mean that you will not be able to develop a noteworthy algorithm. I certainly don’t discourage anyone from trying but beware of the dangers and never underestimate your opponent(s). and, have fun…
edit: also beware of the illusions of your setup. if you create and test this algorithm only on a consumer pc, then you are all ready fooled. As you should know that pc systems are weak and not able to crack code by themselves. You’d need the power of a hundred-thousand pcs to fully test it or save 200 thousand buckaroos and buy a consumer super computer.
Thanks for your kind words and encourragment, the reason I am confident is that even if a hacker somehow changed the email address associated with an account to gain access to an account, the notes app I made will not render any data at all, it would be a complete waste of time, see they could change an account password by changing the target accounts email to then reset a password but the notes would then not be decrypteable and no data will be leaked in the event of any breach. I hope someone makes an attempt to try and crack it though as I want to make a new challenge at some point. if you like what you see or even if you dont I am always open to feedback 
I once watched a video where a so-called security expert gave advice on how to stop a brute force attack on your website. I decide to implement his code on my website and for just the heck of it I decided to test it out on another website that’s so job was to test website vulnerabilities. Well, all I can say the code was completely useless to brute force attacks as you will be amazed how many computers attacked the the code. No matter what I did to “shore” up the code had any affect on the code, so I just ended up throwing that code in file 13. Ever since then I realize nothing is really secure and if I need something to be as secure as possible (such as a retail checkout system) I’m using a trusted 3rd party application. I now go by the motto don’t poke the bear meaning don’t go challenging hackers to hack your website because you made it “100 percent secure” because it isn’t. You will just end up losing in the end. I also take advice from people here and other places who have more experience than me as my main goal is just to have a nice looking website not to become a security expert.
They are good valid points and my point was that even if my database got breached my users data will still remain safe so that was the sole intention of the app.
It is possible to secure a site from a casual (or wanna-be or script-kiddie) hacker but not to exclude the elite and there are more elite programmers than one might imagine. However, it is also possible to use similar tactics to annoy the elite (hack them back because they cannot stop you either depending upon your cleverness and skills).
But you certainly don’t want to slap the elite with a challenge. I remember at the hotl when i first became angry about no internet. I like all sorts of music but when i am angry i choose heavy metal. I think that Motorhead summarized my feelings at these thugs the day i drew a line in the sand: “i don’t know your name, i don’t know the score, but if you don’t like blood, you better close the door. – Life’s a Bitch”. I rolled up my sleeves and took them to school. They challenged me. Imagine challenge the world’s elite. It is like challenging Mike Tyson to a boxing match. Like Strider said:
all of the comments are for your own benefit. Matter-of-fact, the first few times i gained knowledge at the hotel, i got nasty: i noticed that they were cutting internet to download torrents from piratebay. I looked up what is a torrent the next day i had internet. Then, i got payback: i downloaded a torrent app, went to pb, loaded 100 1gb+ movie torrents and spoofed the leader’s ip. He was offline in under a minute. His computer wa slammed with packets and the router eventually crashed. See the problem with poking sleeping bears?
have fun and stay safe but most of all: stay sane.
wouldn’t use. closed source = no formal verification from independent sources, development can be canceled, security breaches stay unfixed, support maybe canceled by contract, unknown licensing and cost risk, platform dependencies from binaries, maybe backdoors, governmental supression applies.
Iv backed everything up so its all good, If you find any holes let me know
Im willing to bet most if not all professionals will not bother to spend time poking at output from yet another “unbreakable” encryption algo. So Id highly advise against jumping to conclusions like its uncrackable since no one has given you the plain text.
If you want this tested properly you will have to trust some crypto/sec experts to audit the code. Thats the only way it can be done.
Thats the only way you would have a hance at breaking the code to I expect, even knowing how the source works I doubt it will be viable or easy to crack in my opinion.
It wont allow me to edit, and i dont want to make public the code as i wish to sell it. and audit by an it pro ay? na im ok i dont want to give away my ideas or code or work to be honest.
Anyway as someone closed this thread youl have to reply here jnet.forumotion.com/t1662-can-you-crack-this-new-encryption
Not to be an ass but your opinion isn’t worth much.
I’m not saying you should post the code here, but have someone audit it. There are a lot of professionals to choose from.
I also want to throw in that Im not sure if there is much point in hiding the source. If youre going to let others host it then you can at best obfuscate it, which previously have been a so-so security measure. I trust licensing much more than trying to hide it when it comes to code
If the code is so great then post the source for evaluation, otherwise you are just wasting our time and trolling. This thread is about to be locked otherwise.