Strength of builtin blowfish2 encryption?
756 views
Skip to first unread message
Stefan Klein
Sep 25, 2016, 10:24:20 AM9/25/16
to vim...@googlegroups.com
Hi,
I wonder how string the builtin encryption of vim really is.
The manpage states: "cryptmethod zip [ ... ] breakable [ ... ] a 6
character key in one day (on a Pentium 133 PC)"
Guess today's computers will use seconds if not microseconds.
But what about blowfish2?
Was this ever reviewed? Are there any tools out there to crack it
(with weak keys) to get an idea how long it would take with a complex
key?
I wonder if it's safe to put a blowfish2 crypted password file on a
cloud drive, how long it would take for it to be cracked if someone
really tries to.
Thank you,
Stefan
I wonder how string the builtin encryption of vim really is.
The manpage states: "cryptmethod zip [ ... ] breakable [ ... ] a 6
character key in one day (on a Pentium 133 PC)"
Guess today's computers will use seconds if not microseconds.
But what about blowfish2?
Was this ever reviewed? Are there any tools out there to crack it
(with weak keys) to get an idea how long it would take with a complex
key?
I wonder if it's safe to put a blowfish2 crypted password file on a
cloud drive, how long it would take for it to be cracked if someone
really tries to.
Thank you,
Stefan
aro...@vex.net
Sep 25, 2016, 12:02:15 PM9/25/16
to vim...@googlegroups.com
> I wonder how string the builtin encryption of vim really is.
>
cipher-text, feed it to the editor, encrypt when saving, and be sure to
delete any temporary/backup files.
Yes. there are windows of vulnerability in there, but I would suggest they
are less risky than relying on amateur cryptography.
Shawn H Corey
Sep 25, 2016, 1:15:46 PM9/25/16
to vim...@googlegroups.com
too have to be encrypted or it's all wasted effort.
Tim Chase
Sep 25, 2016, 2:33:45 PM9/25/16
to vim...@googlegroups.com
On 2016-09-25 13:15, Shawn H Corey wrote:
>> > I wonder how string the builtin encryption of vim really is.
>>
>> Encryption really isn't the business of a text editor. Decrypt the
>> cipher-text, feed it to the editor, encrypt when saving, and be
>> sure to delete any temporary/backup files.
>
>> > I wonder how string the builtin encryption of vim really is.
>>
>> Encryption really isn't the business of a text editor. Decrypt the
>> cipher-text, feed it to the editor, encrypt when saving, and be
>> sure to delete any temporary/backup files.
>
> It is the business of an editor when it stores temporary files.
> Those too have to be encrypted or it's all wasted effort.
swap/temporary files should be encrypted *or not used*. I believe
> Those too have to be encrypted or it's all wasted effort.
one of the GPG plugins I tried disabled a number options such as the
swap file, undo history, and persisting of registers in .viminfo so
it would read the encrypted file in, disable all the settings, pass
it through GPG to decrypt it, allow viewing/editing, then encrypt
upon writing. There's still the possibility of the OS swapping the
memory out to an unencrypted swap space, but that's an OS thing (on
OpenBSD, the swap is encrypted by default; on other OSes, you might
have to jump through some hoops).
-tim
Erik Christiansen
Sep 26, 2016, 4:01:15 AM9/26/16
to vim...@googlegroups.com
On 25.09.16 16:24, Stefan Klein wrote:
> Hi,
>
> I wonder how string the builtin encryption of vim really is.
> The manpage states: "cryptmethod zip [ ... ] breakable [ ... ] a 6
> character key in one day (on a Pentium 133 PC)"
> Guess today's computers will use seconds if not microseconds.
>
> But what about blowfish2?
>
> Was this ever reviewed? Are there any tools out there to crack it
> (with weak keys) to get an idea how long it would take with a complex
> key?
We discussed that on this list on 15.09.15, and the last post at:
> Hi,
>
> I wonder how string the builtin encryption of vim really is.
> The manpage states: "cryptmethod zip [ ... ] breakable [ ... ] a 6
> character key in one day (on a Pentium 133 PC)"
> Guess today's computers will use seconds if not microseconds.
>
> But what about blowfish2?
>
> Was this ever reviewed? Are there any tools out there to crack it
> (with weak keys) to get an idea how long it would take with a complex
> key?
https://groups.google.com/forum/#!searchin/vim_use/VimCrypt$3A$20A$20small$20framework$20for$20encryption/vim_use/SjP-JQB6Tgo/RM8xhTG-AQAJ
has a bit of a look at it. In short, blowfish2 is probably OK for
encrypting small (wrt 4 GB) files, but switching to twofish would be
prudent.
> I wonder if it's safe to put a blowfish2 crypted password file on a
> cloud drive, how long it would take for it to be cracked if someone
> really tries to.
banking passwords in there. As it's not behind a firewall, switch to
twofish for such exposure. ... I wouldn't put it out there.
The simplest way to switch to twofish might be one of:
$ apt-cache search twofish
...
keepassx - Cross Platform Password Manager
mcrypt - Replacement for old unix crypt(1)
Erik
(Who might just invoke mcrypt on vimming such a file, rather than
relying on blowfish2, adequate though it ought to be on small files with
strong keys.)
Stefan Klein
Oct 1, 2016, 11:56:11 AM10/1/16
to vim...@googlegroups.com
Thanks for all replies,
for my case I consider my computer(s) to be safe since there are no
other users on those machines, so I don't care to much about temporary
files.
On the other hand, any cloud service I do consider to be "public"
since I don't have any control about what google, dropbox, ... does.
Even though the password file won't be that big, it's pretty easy to
guess some content (e-mail and/or username).
So for me an external encryption is the way to got.
--
Stefan
for my case I consider my computer(s) to be safe since there are no
other users on those machines, so I don't care to much about temporary
files.
On the other hand, any cloud service I do consider to be "public"
since I don't have any control about what google, dropbox, ... does.
Even though the password file won't be that big, it's pretty easy to
guess some content (e-mail and/or username).
So for me an external encryption is the way to got.
--
Stefan
Shawn H Corey
Oct 1, 2016, 1:34:30 PM10/1/16
to vim...@googlegroups.com
On Sat, 1 Oct 2016 17:56:04 +0200
Stefan Klein <st.fa...@gmail.com> wrote:
> for my case I consider my computer(s) to be safe since there are no
> other users on those machines, so I don't care to much about temporary
> files.
Provided you're running a firewall.
Stefan Klein <st.fa...@gmail.com> wrote:
> for my case I consider my computer(s) to be safe since there are no
> other users on those machines, so I don't care to much about temporary
> files.
Reply all
Reply to author
Forward
0 new messages