Monday, September 26, 2016

Re: Strength of builtin blowfish2 encryption?

On 25.09.16 16:24, Stefan Klein wrote:
> Hi,
>
> I wonder how string the builtin encryption of vim really is.
> The manpage states: "cryptmethod zip [ ... ] breakable [ ... ] a 6
> character key in one day (on a Pentium 133 PC)"
> Guess today's computers will use seconds if not microseconds.
>
> But what about blowfish2?
>
> Was this ever reviewed? Are there any tools out there to crack it
> (with weak keys) to get an idea how long it would take with a complex
> key?

We discussed that on this list on 15.09.15, and the last post at:
https://groups.google.com/forum/#!searchin/vim_use/VimCrypt$3A$20A$20small$20framework$20for$20encryption/vim_use/SjP-JQB6Tgo/RM8xhTG-AQAJ

has a bit of a look at it. In short, blowfish2 is probably OK for
encrypting small (wrt 4 GB) files, but switching to twofish would be
prudent.

> I wonder if it's safe to put a blowfish2 crypted password file on a
> cloud drive, how long it would take for it to be cracked if someone
> really tries to.

Decrypting a small file is much harder. Use a strong key. Don't put any
banking passwords in there. As it's not behind a firewall, switch to
twofish for such exposure. ... I wouldn't put it out there.

The simplest way to switch to twofish might be one of:

$ apt-cache search twofish
...
keepassx - Cross Platform Password Manager
mcrypt - Replacement for old unix crypt(1)

Erik
(Who might just invoke mcrypt on vimming such a file, rather than
relying on blowfish2, adequate though it ought to be on small files with
strong keys.)

--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_use+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment