Secure Messaging

[quote=“Cuno”]

Who’s asking for trust here? I’ve put up a file and a reward in my own money.

I’ve also spoken with the client who thinks it would be a good idea to hold a public contest with an even larger purse once we’re ready for the extra publicity.

Anyone is welcome to say all day long whether or not they think the security is worth anything. I have a grand of my own money that says it is.

The file is there, the password is there. One month, anyone that wants to take a crack at it feel free.

Here’s the format to help you along.

File Format

Bytes  Description
4      Magic Number (always SMod)
4      Length of following string
n      Original file extension
1      Require in-app viewing
4      Packet length
n      Rules Packet
4      Packet length
n      Encrypted file Packet

Packet Format

Bytes  Description
1      Version
1      Revision
8      Encryption Salt
8      HMAC Salt
16     Initialization Vector
n      Encrypted Data
32     HMAC
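A structural parser for the container layout posted above, as an added example that is not part of the original post or the app's own code. It treats every length field as untrusted and bounds-checks it before reading; it does not decrypt or verify the HMAC, since the post names neither the cipher nor what the HMAC covers. Assumptions not stated in the post: 4-byte lengths are little-endian, "Packet length" covers the whole packet including its header and HMAC, and the extension is ASCII; the sample file is constructed filler.

```python
import struct
from collections import namedtuple

MAGIC = b"SMod"
PACKET_FIXED = 1 + 1 + 8 + 8 + 16 + 32  # fixed fields around the encrypted data
Packet = namedtuple(
    "Packet", "version revision enc_salt hmac_salt iv ciphertext hmac")

def _take(buf, pos, n):
    """Return n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError(f"truncated: need {n} bytes at offset {pos}")
    return buf[pos:pos + n], pos + n

def _take_len(buf, pos):
    raw, pos = _take(buf, pos, 4)
    return struct.unpack("<I", raw)[0], pos  # ASSUMPTION: little-endian

def parse_packet(raw):
    # ASSUMPTION: the length prefix covers header, encrypted data and HMAC.
    if len(raw) < PACKET_FIXED:
        raise ValueError("packet shorter than its fixed fields")
    return Packet(raw[0], raw[1], raw[2:10], raw[10:18], raw[18:34],
                  raw[34:-32], raw[-32:])

def parse_file(buf):
    magic, pos = _take(buf, 0, 4)
    if magic != MAGIC:
        raise ValueError("bad magic number")
    n, pos = _take_len(buf, pos)
    ext, pos = _take(buf, pos, n)
    flag, pos = _take(buf, pos, 1)
    packets = []
    for _ in range(2):  # rules packet, then encrypted file packet
        n, pos = _take_len(buf, pos)
        raw, pos = _take(buf, pos, n)
        packets.append(parse_packet(raw))
    return ext.decode("ascii"), bool(flag[0]), packets[0], packets[1]

def build_sample():
    """Constructed sample file: filler bytes, not real ciphertext or HMACs."""
    def pkt(body):
        return bytes([1, 0]) + b"S" * 8 + b"H" * 8 + b"I" * 16 + body + b"M" * 32
    rules, data = pkt(b"\x00" * 16), pkt(b"\x11" * 48)
    return (MAGIC + struct.pack("<I", 3) + b"txt" + b"\x01"
            + struct.pack("<I", len(rules)) + rules
            + struct.pack("<I", len(data)) + data)
```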

@ Skewworks - I think you are on the wrong forum here.
I would post the challenge on a forum where cryptographers hang out.

Which I’ll do when it’s the public contest with the large purse. I think we’ll be looking around 10K for that.

I only posted the file in response to the doubt over the integrity. Knowing the encryption scheme, format and password should make it pretty easy to bust through, right? :slight_smile:

I always like to back up my claims.

Your money is safe from me. I’m not a cryptographer, and I don’t have the time or energy to make an attempt anyway.

Know this, however. Your “obfuscations” will not protect you, because the very first thing that’ll happen is that your attacker will disassemble your code, and/or run it in a debugger, and will understand exactly what is happening. At best they’re adding no security, and at worst they’re compromising your encryption. At VERY worst they’re making it possible to recover the password by analyzing the “obfuscations”. They may be good for marketing, though. I’m not a marketing expert either.

I’ve tried to provide some food for thought for you. I’m not really interested in an argument or debate. This is as far as I’m going to take this.

Oh. One more thing. History is littered with the mutilated remains of software that was “completely unbreakable”. People who had a lot more to lose than you, who had a lot more knowledge than you (presumably), who had a lot more resources than you (presumably) have failed.

Some also succeeded. Here’s to hoping you’re one of the latter group.

You have no idea what the obfuscation techniques are, so you cannot speak to their effectiveness.

I’ve never claimed it unbreakable, because the one thing that you can always be sure of, is nothing is unbreakable. There is no such thing as perfect security. :slight_smile:

I really wasn’t trying to argue with you. I took this as a friendly challenge, nothing more.

Same for me.

Just a warning: crypto gurus regard contests as a form of “snake oil”:
https://www.schneier.com/crypto-gram-9812.html#contests

Even if $200,000 is at stake:
http://www.thoughtcrime.org/blog/telegram-crypto-challenge/

Therefore, good luck!

So let me get this straight. If I claim to have a good additional layer to a well respected encryption method I’m full of it. And if I back that up with proof, I’m selling “snake oil”.

Whatever. You don’t think an app based on the most widely used encryption method is worth it, don’t use it.

Some people can’t be pleased, the rest will have secure data. :slight_smile:

"The cuckoo is flying backwards, I say again, the cuckoo is flying backwards - here is $1000 for bird seed"

Did I win the $1000? :whistle:

Haha LOVE IT! (but no ;))

Deleted by admin

@ Jack Chidley -

-1

The new version (rebranded LockChat) is now available for the Windows Phone (8+): Microsoft Apps

We’ve updated the look and feel to be more like Facebook. You can now record and send voice and video messages, secure files, and more.

The desktop version will be submitted tonight.

Android is next on deck.