What makes NimingCypher secure?

[jferard]

Hi (I came from stackoverflow...). You should add some information on the "High security encryption" claim. As far as I understand:

• you build a dict char -> list of positions from a given text (the key) ;
• you use the dict to map every char of the message to one position picked (randomly) in the list.

This is a variant of polyalphabetic subsitution. This prevents frequency analysis, and won't reveal anything with https://en.wikipedia.org/wiki/Kasiski_examination because there is no periodic repetition of the key.

But I have some questions:

• how are keys exchanged between Alice and Bob?
• how do you verify that the web pages are the same? (try https://github.com : Bob won't get the same page as Alice if he's logged in and she's not; try a wikipedia page: it might change at any time)
• if Eve listens the network connections, she will know the IP from where your text is extracted, and maybe use a web crawler.
• have you asked some specialists (https://security.stackexchange.com)?

[mathix420]

Hi @jferard, thank you for your attention!

• I'm working on it, I'm gonna create a web page who can redirect to the private key only if the password is in the password hash list set before by all the clients who wants the key. Not very clear right now but I'm gonna publish a preview of this php code very soon.
• Maybe I can make a function who can generate a hash with all items in the dict char -> list of positions? Both hashes will be the same if webpages are the same.
• I think it's the main vulnerability of this system... I have to find an issue !
• Yes but in French : Bibm@th.net/9841, but I'm also gonna ask to https://security.stackexchange.com.

[mathix420]

• If Eve listens the network connections, she will know the IP from where your text is extracted, and maybe use a web crawler.

This will not give the right webpage, only the good website host

[jferard]

if Eve listens the network connections, she will know the IP from where your text is extracted, and maybe use a web crawler.

This will not give the right webpage, only the good website host

What if Eve has access to the logs (ie she works for the host owner)? And If Bob and Alice exchange a hash of the page, it becomes easier... Just get all the pages from the host and has them to find the good one. Other flaw: I can check the max position, and I will approximately (html -> text) know the minimal size of the key. This will help me.

I read Bibm@th.net/9841 (I'm French!): it seems that everything was here, including the issue with wikipedia pages! But I think there's a very good point in your method: if the key and the text are in the same language, you won't be vulnerable to statistics attacks. If the key is big enough, let's say 10 times bigger than the text, then you have roughly 10 choices for every letter, no matter its frequency in the language. An example: 35 "e" in the text, but 350 possible positions ; only 3 "f" in the text, but 30 positions, ...

Waiting for the php code, but beware: if you are Eve (the one who knows what page was used as key), it won't be secure for Bob and Alice!

[mathix420]

• how are keys exchanged between Alice and Bob?

Now implemented with the class NExchange who can generate RSA public and private keys to finally encrypt and decrypt the key with RSA algorithm. Is it a good idea ? Also other changes in last commit 9c1c992

[jferard]

I took a (quick) look at the code. I'm a bit busy right now.

How will you be certain that the public key owner is the one you think he/she is?

You have two main options: centralized or decentralized. A PKI or a chain of trust. In your browser, you have certificate authorities that you trust (this is the main important element of the PKI) and that tells you that this certificate is valid and this other is not. With GPG (PGP), you have friends, friends of friends, ... that build a chain of trust. I think you are still stuck with the key exchange, but maybe you will find a solution. Look at the Diffie-Hellman key exchange.

[mathix420]

Thanks for taking time to answer me.

I have learning something with the Diffie-Hellman key exchange. But i have thinking use rsa to sign a "proof of identity" by this way: first taking his username, hashing it, then encrypt the username with the emitter's private key. So when the recipient get the "proof" he decrypt the cypher with the emitter's public key and then if the heshed result is same as the hash gave with the message he know that this username is been associate at this public key.