
Topic: Cape - New string encryption library. Need test/suggestions/critics

gioscarab

Hi there, I am working on the automation of my home based on PJON, a communication protocol like I2C or 1-Wire that I wrote over years of trial and error. It lets more than 10 Arduino boards (it supports 255) communicate over a single wire that goes all around the house inside the walls. In any case, some time ago I found an article about consumer products, the size of a briefcase, able to wirelessly read digital data from a wire inside a wall from quite far away, like 20 meters. For this reason, to feel safer, I decided to add an encryption feature to PJON and ended up writing the Cape library:

https://github.com/gioblu/Cape

(Obviously I am partially joking and I only wanted to dig further in cryptography and learn something new)

Cape can encrypt strings of a maximum of 100 characters (hardcoded in Cape.h) with an algorithm inspired by the RC4 standard, with the addition of a 1-byte initialization vector and a tunable encryption_strength; all this is reversible, so two entities with the same key can share encrypted data and get back to the original content without any other procedure (the RC4-like part). Without initialization_vector, encrypting the string multiple times will always give you the same encrypted result, which is generally considered really not exactly the most secure encrypted communication. Using the initialization vector, a pseudo-random byte is added to the string and is used after the RC4-like procedure to further fuzz the information you are sharing. In this case you will have 254 hashed versions of the same string, and for a possible listener it would be really difficult to collect data about the system.

The library lets you choose whether you want the initialization vector or not.

I hope this could be useful for your projects and increase your privacy!!
I also hope to get some feedback from the community and maybe some criticism / suggestions and hopefully testing!!


Good nerding! :)
 

pito

Quote
Initiate Cape passing a random string (maximum 255 characters)
It is not a random string - it is your encryption key :)

How do you know your modification with encryption_strength does not actually weaken the encryption??

Btw, people recommend RC4_dropN because of potential attacks when not doing that.
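
RC4-dropN, mentioned in the reply above, discards the first N keystream bytes after key setup before any data is encrypted. An added sketch in C (not part of this thread and not Cape's code); the drop count of 768, the key and the message are constructed for illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_state;

/* Produce the next keystream byte (RC4 output step). */
static uint8_t rc4_next(rc4_state *st) {
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->s[st->i]);
    uint8_t t = st->s[st->i];
    st->s[st->i] = st->s[st->j];
    st->s[st->j] = t;
    return st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
}

/* Key schedule, then discard the first `drop` keystream bytes.
   keylen must be at least 1; drop = 0 gives plain RC4. */
void rc4_init_drop(rc4_state *st, const uint8_t *key, size_t keylen, size_t drop) {
    for (int k = 0; k < 256; k++) st->s[k] = (uint8_t)k;
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->s[k] + key[(size_t)k % keylen]);
        uint8_t t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
    }
    st->i = 0;
    st->j = 0;
    while (drop--) (void)rc4_next(st);
}

/* XOR buf in place with the keystream; the same call encrypts and decrypts. */
void rc4_crypt(rc4_state *st, uint8_t *buf, size_t len) {
    for (size_t n = 0; n < len; n++) buf[n] ^= rc4_next(st);
}

int main(void) {
    uint8_t msg[] = "Plaintext";              /* constructed sample message */
    rc4_state st;
    /* Constructed key "Key"; the drop count 768 is an assumed choice. */
    rc4_init_drop(&st, (const uint8_t *)"Key", 3, 768);
    rc4_crypt(&st, msg, sizeof msg - 1);
    for (size_t n = 0; n < sizeof msg - 1; n++) printf("%02x", msg[n]);
    putchar('\n');
    return 0;
}
```

Both sides must use the same drop count, and with the same key and no per-message value the output for a given string is identical every time.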


gioscarab

You are perfectly right :o I wrote it like this because I generally use a random string generator to create my keys :).

Cryptanalysis is a really hard and deep field of science. I don't have the necessary knowledge to tell you the efficiency and the reliability of this system; I sincerely hope to learn something with you and get some insight about it.

In any case I am almost sure that there is no encryption technique that could be secure on an Arduino board with acceptable computation time. A simple old laptop is a million times faster than a Duemilanove at making calculations...

One of the first and most important rules of cryptography says that the security of your system is strongly related to the secrecy of your algorithm. In this case, until Cape becomes an absolute standard, and with a fuzzing technique like initialization_vector, it will be difficult for a listener to understand what is going on and so to try to decrypt.

In any case RC4, if I am not wrong, is a reversible hashing technique that for a given string always gives you the same hashed result; as you surely know, this is really not secure.

What I am doing is using the general working mechanism of RC4, hashing less than RC4 (which, if I am not wrong, hashes 255 times, and I am doing that only 2), but I then generate a random character or initialization_vector that is appended to the string and lets the listener with the key decrypt the string. With this approach you have 254 different hashed versions of the same string; on the other side, RC4 always gives you the same hashed version of the string and has decades of experimentation to predict and exploit its mechanism.
