hi,

I was looking through the digisecret help files. It says:

"When an archive is being created, the following actions are performed on the source files:

· Hash calculation to ensure data integrity;

· Compression;

· Encryption.

When files are being extracted from the encrypted archive, the following actions are performed on the archive:

· Decryption;

· Decompression;

· Hash calculation for checking data integrity."


I think it would be better if the hash calculations are performed after
compression. It saves time hashing fewer blocks of text. Cipher text
poisoning can still be detected since CBC mode is being used. Even block
replays are not possible because of chaining.

I wonder why both SHA-* and RIPEMD are used; doesn't any one suffice?


As for the expansion function in SHA-*,
W(t) = S^*(W(t-*) XOR W(t-8) XOR W(t-*4) XOR W(t-*6)),
the NS@ had said that a ********* flaw has been eliminated in SHA-* by
introducing a right shift by * bit:
W(t) = S^*(W(t-*) XOR W(t-8) XOR W(t-*4) XOR W(t-*6)) >> *.
Maybe it is a good idea to introduce the shift.


"The passphrase entered by the user is not used as the encryption key directly. Rather, it is used as an input value for the function that performs *,000 SHA-* hash iterations to produce the key that matches the maximum key space for the chosen cipher, which makes dictionary attacks more complicated."


One round of SHA-* has 80 iterations. The above says we take the
passphrase and then hash it to a message digest that is used as key.
One round of SHA-* over the passphrase will produce the same flat key
space as that produced by *000 iterations of SHA-*. I guess that a lot
of time in computation can be saved here.


"The IV is created using a Pseudo-Random Number Generator (Mersenne Twister: A 62*-Dimensionally Equidistributed Uniform Pseudo-Random Number Generator). The derived IV is saved with the archive and is later used for encryption algorithm initialization when extracting the data."

If the derived IV is saved with the archive, then isn't the very purpose of using MT****7 beaten?

The attacker can immediately recover the IV and successfully perform a
block replay attack.


The sender and receiver will need to agree on a common seed for MT****7 so
that they can calculate all consequent IVs.
By a simple linear transformation MT****7 becomes a linear recurring
sequence. If the attacker gets hold of enough IVs he will be able to
predict future IVs; to make them secure they need to be initially hashed
using a hashing algorithm like SHA and then used as IV for CBC mode. Then
a PRNG like Taus88 with a period of nearly 2^80 would suffice. It is also
faster than MT****7 and uses a much smaller working space as well as a
sufficiently large period.

If the derived IV is just saved with the archive, it would be necessary to
initially hash the plain text to detect corruption, since block replay
attacks can be successfully implemented if it is the compressed text that
is hashed.


It would also be great to see public-key encryption algorithms in
digisecret. It will eliminate the need for a shared secret if there is a
key distribution/certifying agency.


Regards,
Data.
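An added example (not digisecret's code and not part of the message above) that models the archive pipeline quoted from the help file: hash the source, compress, CBC-encrypt with the IV stored in the archive header, then reverse the steps on extraction and refuse any archive whose padding, compressed stream or hash no longer checks out. SHA-256, PKCS#7 padding and the toy Feistel block cipher are assumptions made so the example runs offline; the message does not name digisecret's actual cipher.

```python
import hashlib, zlib

BLOCK, HALF = 16, 8  # block size of the toy cipher and its Feistel half (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]  # keyed round function

def block_encrypt(key, block):
    # 4-round Feistel network standing in for digisecret's unnamed cipher (toy, offline only)
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    pad = BLOCK - len(data) % BLOCK  # PKCS#7-style padding (assumption)
    data += bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))  # chain with C[i-1]
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(xor(block_decrypt(key, c), p) for c, p in zip(blocks, [iv] + blocks))
    if not 1 <= plain[-1] <= BLOCK:
        raise ValueError("bad padding")
    return plain[:-plain[-1]]

def create_archive(key, iv, plaintext):
    # help-file order: hash the source, compress, encrypt; the IV travels in the header
    body = hashlib.sha256(plaintext).digest() + zlib.compress(plaintext)
    return iv + cbc_encrypt(key, iv, body)

def extract_archive(key, archive):
    try:  # decrypt, decompress, re-hash; None means an integrity check failed
        body = cbc_decrypt(key, archive[:BLOCK], archive[BLOCK:])
        plaintext = zlib.decompress(body[32:])
    except (ValueError, zlib.error):
        return None
    return plaintext if hashlib.sha256(plaintext).digest() == body[:32] else None
```

Flipping a single bit anywhere in the stored archive (IV or ciphertext) makes extract_archive return None, because CBC decryption garbles that block and the stored hash no longer matches.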