Cryptography Reference
In-Depth Information
key character is discarded right away, rather than being included when
computing the deviation (line 99). 'Rare' means ten times rarer than
expected (as specified by the THRESH constant in line 17). The ratio
between the second smallest square deviation and the smallest deviation
is called the 'trust level' in this program (just an imaginative word). The
more this number deviates from 1, the securer the result.
•
Finally, the results from lines 113 through 131 are output in readable
form. It cannot be reasonably expected that all key characters are ASCII
characters, so the key is shown as a 'dump': ASCII characters are shown
as such; line break and tab characters are written with a backslash '
\
',
like in C; and all other characters (including umlauts) are shown as hex-
adecimal numbers.
The program is astonishingly surefire. On the configuration mentioned above
(133-MHz Pentium, PC-UNIX ESIX V.4.2), its computation times range
between 150 ms and 600 ms (the latter on very long passwords of about 60
characters). It works on English and German, on
vigenere.c
— WordPerfect
files encrypted onto themselves, on C programs — as long as the characters are
not distributed equally. Try it.
As a sideline, you can also use
vigcrack
on a 'sophisticated' combination of
transposition and subsequent Vigenere cipher. The substitution doesn't change
anything in the text's distribution so that
vigcrack
reconstructs the password
with the usual certainty. You can then break the transposition, for example, by
looking at the frequencies of digrams.
You can see that combining several different methods doesn't always lead to
benefits (and sometimes leads to even more insecurity!).
3.6.4 Compression
Compromise
=
The cryptanalytic programs introduced so far (except
Crack
) are rather simple
while still working amazingly fast and secure. A closer look reveals that the
theory behind these attacks is not particularly profound, but we can't generalize,
of course. This section introduces a problem that's different in every respect:
a cryptanalytic approach that totally does away with statistical analyses, and
the program used is downright tricky, requiring rather long computation times.
But you will find the result more interesting!
More specifically, I'm referring to the claim asserted in Section 2.2 that com-
pression does
not
always increase the security (as opposed to the widely held
