Encrypt/Decrypt File with Crypto++
I have found this two functions in a post.
I have incorporated them into my project and they've been working as expected.
However, I was wondering how secure is the encryption type used there. Or another way(better or not) I could do it.
Also, I am a complete beginner to cryptography and I am not sure how they work. If some could give me quick explanation about it, maybe exemplifying with the code above, I would appreciate. Thanks
|
|
I have incorporated them into my project and they've been working as expected.
However, I was wondering how secure is the encryption type used there. Or another way(better or not) I could do it.
Also, I am a complete beginner to cryptography and I am not sure how they work. If some could give me quick explanation about it, maybe exemplifying with the code above, I would appreciate. Thanks
Last edited on
The DefaultEncryptor in the Crypto++ library (current versions) uses SHA256 and AES.
https://cryptopp.com/docs/ref/struct_default_encryptor.html
SHA256 and AES are widely used in mainstream cryptographic applications.
SHA256: https://en.wikipedia.org/wiki/SHA-2
AES: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
> I was wondering how secure is the encryption type used there.
Crypto++ wiki:
https://cryptopp.com/docs/ref/struct_default_encryptor.html
SHA256 and AES are widely used in mainstream cryptographic applications.
SHA256: https://en.wikipedia.org/wiki/SHA-2
AES: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
> I was wondering how secure is the encryption type used there.
Crypto++ wiki:
| Note: if your project is using encryption alone to secure your data, encryption alone is usually not enough. Please take a moment to read Authenticated Encryption and consider using an algorithm or mode like CCM, GCM, EAX or ChaCha20Poly1305. https://cryptopp.com/wiki/Advanced_Encryption_Standard |
I hate to break it to you, but the encryption isnt in your code, its hidden in the f function more likely the DefaultDecryptor function. Without researching those online or having the code for them, I can't comment on it much. Thankfully JLBorges bailed me out already!
encryption is a complex subject but the gist of it is that to decrypt the data you need to solve a very hard problem. An example of this is finding the prime factors of large numbers that only have 2 factors, each of those a large number. Eg, by hand (no computer) find the prime factors of 10,440,435,307? (This is NOT a 'large' number to the computer and it can solve this in a split second, but how do you do it by hand? It would take you a week or more unless you know something no one else does!). The same problem, using numbers that are much, much larger than this, takes 'a long time' to crack. The goal is 'several lifetimes to crack' given that the data is probably no longer interesting in 200 years.
from the wiki:
For example, as of May 2007, a 1039-bit integer was factored with the special number field sieve using 400 computers over 11 months.
So a ~2048 bit number (the result of a pair of 1024 bit numbers multiplied, give or take a bit or two) would likely still be sufficient to stop all but an entire countries' worth of computers crunching on it for years.
There are other difficult math problems that will do, but that is the most common one.
You can read about HOW the keys are used to do the actual encryption as well as additional security features of encryption algorithms (eg, salting the data) on the wiki pages; they have a ton of info about how it works broken down into beginners' terms.
a very simple encryption that is secure against less than motivated attackers (eg, co-workers, students, your kids, etc):
seed a random number generator with a numeric form of the password provided.
encrypt each byte by xoring it with the random byte from the generator
the decryption is identical! Xor is self reversing, and the result from random xors is effectively a random number for most of the bytes.
This is not too useful if you want professional level security, but it gives you some critical pieces... whatever you do, you have to be able to reverse it... you have to be able to make the password provided a part of the algorithm... things like that are as important as the math under the hood.
encryption is a complex subject but the gist of it is that to decrypt the data you need to solve a very hard problem. An example of this is finding the prime factors of large numbers that only have 2 factors, each of those a large number. Eg, by hand (no computer) find the prime factors of 10,440,435,307? (This is NOT a 'large' number to the computer and it can solve this in a split second, but how do you do it by hand? It would take you a week or more unless you know something no one else does!). The same problem, using numbers that are much, much larger than this, takes 'a long time' to crack. The goal is 'several lifetimes to crack' given that the data is probably no longer interesting in 200 years.
from the wiki:
For example, as of May 2007, a 1039-bit integer was factored with the special number field sieve using 400 computers over 11 months.
So a ~2048 bit number (the result of a pair of 1024 bit numbers multiplied, give or take a bit or two) would likely still be sufficient to stop all but an entire countries' worth of computers crunching on it for years.
There are other difficult math problems that will do, but that is the most common one.
You can read about HOW the keys are used to do the actual encryption as well as additional security features of encryption algorithms (eg, salting the data) on the wiki pages; they have a ton of info about how it works broken down into beginners' terms.
a very simple encryption that is secure against less than motivated attackers (eg, co-workers, students, your kids, etc):
seed a random number generator with a numeric form of the password provided.
encrypt each byte by xoring it with the random byte from the generator
the decryption is identical! Xor is self reversing, and the result from random xors is effectively a random number for most of the bytes.
This is not too useful if you want professional level security, but it gives you some critical pieces... whatever you do, you have to be able to reverse it... you have to be able to make the password provided a part of the algorithm... things like that are as important as the math under the hood.
Last edited on
sorry for the late reply
@JLBorges thanks for the links, I learned a bit more about cryptography and crypto++. WHY WAS YOUR REPLY REPORTED?
However I am finding it very to understand/learn crypto++, how it works(meaning its syntax, its functions, how/when to use each function), as I haven't yet found a tutorial on crypto++.
I have read a lot of code examples but still I can't tell what exactly they are doing even with comments.
Do I need to study cryptography and only then look for the way a certain cryptography method is done in crypto++;
Also, since DefaultEncryptor uses SHA256, which from what I understood(corect me please if I am wrong), I can use a 256 bit password, I don't see how is that not secure enough, a brute-force attack would take years to crack it.
If it is not secure enough how then, would it be cracked?
@jonnin Thanks for the examples to help me understand cryptography.
How can I implement the "very simple encryption" you mentioned in c++? Is there a name for it?
@JLBorges thanks for the links, I learned a bit more about cryptography and crypto++. WHY WAS YOUR REPLY REPORTED?
However I am finding it very to understand/learn crypto++, how it works(meaning its syntax, its functions, how/when to use each function), as I haven't yet found a tutorial on crypto++.
I have read a lot of code examples but still I can't tell what exactly they are doing even with comments.
Do I need to study cryptography and only then look for the way a certain cryptography method is done in crypto++;
Also, since DefaultEncryptor uses SHA256, which from what I understood(corect me please if I am wrong), I can use a 256 bit password, I don't see how is that not secure enough, a brute-force attack would take years to crack it.
If it is not secure enough how then, would it be cracked?
@jonnin Thanks for the examples to help me understand cryptography.
How can I implement the "very simple encryption" you mentioned in c++? Is there a name for it?
There isnt any name for it that I know. Its just a derpy exploit of the properties of the xor operation.
literally...
int password;
cin >> password; //password can be a string that you run thru like sha or other hash to make a number
srand(password); //use <random> tools if you do it for real, this is the 2 second hack example
for(int i = 0; i<bytestodo; i++)
data[i]^=rand();
with the same password, the same code decrypts it. This is because the random seed reset of the random generator gives the same random numbers back, so each byte is xord with same thing. and a^b^b is a.
It stops casual attacks (nosey co-workers, kids, etc) and its incredibly fast to encrypt**. But its not at all 'strong'.
note: this will make a binary file, not a text file, even if the input was raw text.
you should be able to use the library without understanding one bit (haha) of crypto theory.
You will have to learn the LIBRARY (what functions to call in what order) or hack on their example code to make it work, but the crypto part they did for you, you don't need to know it.
Crypto is pretty difficult to understand. I may have said that already. I don't get it, to be honest. Ive toyed with it but have no illusions I could make something acceptable without a lot of help and research.
Remember that something that takes 1 computer 10 years may be doable in seconds with a million computers. Which some governments have.
**with 64 bit ints, you can encrypt 8 bytes per operation except the leftovers at the end of the file. Its a little more work, but not much.
literally...
int password;
cin >> password; //password can be a string that you run thru like sha or other hash to make a number
srand(password); //use <random> tools if you do it for real, this is the 2 second hack example
for(int i = 0; i<bytestodo; i++)
data[i]^=rand();
with the same password, the same code decrypts it. This is because the random seed reset of the random generator gives the same random numbers back, so each byte is xord with same thing. and a^b^b is a.
It stops casual attacks (nosey co-workers, kids, etc) and its incredibly fast to encrypt**. But its not at all 'strong'.
note: this will make a binary file, not a text file, even if the input was raw text.
you should be able to use the library without understanding one bit (haha) of crypto theory.
You will have to learn the LIBRARY (what functions to call in what order) or hack on their example code to make it work, but the crypto part they did for you, you don't need to know it.
Crypto is pretty difficult to understand. I may have said that already. I don't get it, to be honest. Ive toyed with it but have no illusions I could make something acceptable without a lot of help and research.
Remember that something that takes 1 computer 10 years may be doable in seconds with a million computers. Which some governments have.
**with 64 bit ints, you can encrypt 8 bytes per operation except the leftovers at the end of the file. Its a little more work, but not much.
Last edited on
> Do I need to study cryptography and only then look for the way
> a certain cryptography method is done in crypto++;
We need to have at least a very basic idea of cryptography in order to be able to choose an appropriate cryptographic scheme for our specific application. However, knowledge of the innards of how a library implements a cryptographic algorithm is not essential; we only need to understand how the library functions are to be called.
> However I am finding it very (hard) to understand/learn crypto++, how it works
> (meaning its syntax, its functions, how/when to use each function),
> as I haven't yet found a tutorial on crypto++.
Their (poorly maintained and updated) wiki may be of some help.
For example, the SHA2 page has some example programs: https://www.cryptopp.com/wiki/SHA2
and pages have links to related topics; for example: https://www.cryptopp.com/wiki/HashFilter
> SHA256, which from what I understood(correct me please if I am wrong), I can use a 256 bit password,
> I don't see how is that not secure enough, a brute-force attack would take years to crack it.
It may be very secure against brute-force attacks;
but it may be somewhat more vulnerable to a well-crafted chosen-ciphertext attack. https://en.wikipedia.org/wiki/Chosen-ciphertext_attack
Authenticated encryption https://en.wikipedia.org/wiki/Authenticated_encryption defends against these kinds of attacks. (Encryption alone does not prevent malicious third parties from obtaining the decryptions of chosen-ciphertext messages.)
> a certain cryptography method is done in crypto++;
We need to have at least a very basic idea of cryptography in order to be able to choose an appropriate cryptographic scheme for our specific application. However, knowledge of the innards of how a library implements a cryptographic algorithm is not essential; we only need to understand how the library functions are to be called.
> However I am finding it very (hard) to understand/learn crypto++, how it works
> (meaning its syntax, its functions, how/when to use each function),
> as I haven't yet found a tutorial on crypto++.
Their (poorly maintained and updated) wiki may be of some help.
For example, the SHA2 page has some example programs: https://www.cryptopp.com/wiki/SHA2
and pages have links to related topics; for example: https://www.cryptopp.com/wiki/HashFilter
> SHA256, which from what I understood(correct me please if I am wrong), I can use a 256 bit password,
> I don't see how is that not secure enough, a brute-force attack would take years to crack it.
It may be very secure against brute-force attacks;
but it may be somewhat more vulnerable to a well-crafted chosen-ciphertext attack. https://en.wikipedia.org/wiki/Chosen-ciphertext_attack
Authenticated encryption https://en.wikipedia.org/wiki/Authenticated_encryption defends against these kinds of attacks. (Encryption alone does not prevent malicious third parties from obtaining the decryptions of chosen-ciphertext messages.)
Last edited on
@jonnin
Yeah that is the part I am having trouble with, learning the library, even the examples are not as many as I would be happy with but I was able to work very well with I have found and also hack the examples.
Thank you for the demonstration of the encryption code and the info in your reply.
@JLBorges
Thank you for the links and info. Much appreciated.
| You will have to learn the LIBRARY (what functions to call in what order) or hack on their example code to make it work, but the crypto part they did for you, you don't need to know it. |
Thank you for the demonstration of the encryption code and the info in your reply.
@JLBorges
Thank you for the links and info. Much appreciated.
Topic archived. No new replies allowed.