jdtoronto has asked for the wisdom of the Perl Monks concerning the following question:

Esteemed monks,

I have been considering the Crypt::CipherSaber module by chromatic for an application where I need to encrypt some reasonably large ( 500KB - 10MB ) text files before they are moved to a client site. The particular requirement is that the system must run on Win32 and should use a module fomr the Activestate repository.

I landed on this one because the author claims the module is rather fast. I haven't had time to code a test yet, but I would value any opinions you may have to offer.


Replies are listed 'Best First'.
Re: Choice of encryption modules...
by chromatic (Archbishop) on Oct 28, 2004 at 04:47 UTC

    The streaming interface isn't bad, but a module that used XS and could process the text in chunks would be faster. Also, be aware that CipherSaber uses symmetric encryption, so there's a shared secret key.

    Finally, I haven't touched the code in at least two and a half years; I might do it much differently these days.

      Thanks for the comments,

      In fact CipherSaber is not alone when it comes to lack of activity! Most of the crypt modules haven't been touched in some time.


Re: Choice of encryption modules...
by tachyon (Chancellor) on Oct 28, 2004 at 04:50 UTC

    You have a bit of a problem in that last time I looked ActiveState had dropped support for the Crypt:: modules due to legal issues. See here on ASPN which gives you apologies and links to Randy Kobes repository. I don't know if CipherSaber is available as a ppm or not. That repository is down at the moment. I do know it is Pure Perl and as a result it will quite probably be a lot slower than C/XS based modules. Also a ppm is fairly redundant.

    In terms of speed why not check yourself? Symetric ciphers are much faster that public/private key algorithms (PKI), in fact things like PGP only use PKI (RSA in that case) to encrypt the key. The rest of the plaintext is encoded with IDEA which is a symetric cipher. With a symetric cipher you have to share the secret key of course. Also you need a key length of about 3N with PKI to get roughly the same security as a symetric cipher key length N. Yes this is a generalisation. No my crypto is not good enough to prove it. I tend to use Blowfish but that is really only because I thought the name was kinda funky ;-) PGP is probably a good option if you want an assymetric PKI. IDEA is probably as good as any in practice for a symmetric.

    But what can I say, I get really strange images in my head, and a wierd grin on my face, every time I use Blowfish :=) Twofish is also good, but I like fishing. Twofish2 is less brain dead, or so the author says, and it does have a certain symmetry. Given that 99.99%+ of us have no real idea how secure a cryptosystem is I think choosing a module based on the funkiness of the name is as good an algorithm as most.



      I don't know if CipherSaber is available as a ppm or not.

      Yes it is. I was able to install it from the PPM (ActiveState Perl Build 810 (Perl 5.8.4)

      The only thing necessary for the triumph of evil is for good men to do nothing -- Edmund Burke
      Thanks tachyon,

      Yeah, some of the names are really neat eh? I have been using Blowfish in my **nix stuff for a while now. But this app requires cross platform compatibility (we have users on all major Perl platforms with this app).

      One of my colleagues who does FPGA stuff for me has an implementation of Rijndael running in an Altera Stratix device which we use for secure data transmission over fibre, we have also done Twofish and Blowfish which some clients prefer. We have a somewhat advanced cordless phone prototype here - it is called the 'Blow-Phone' - guess which encryption stadard it uses :)

      For whatever reason it seems that things have changed at ActiveState. I checked last night and they have a variety of Crypt:: modules there now, including CipherSabre, Twofish, DES and TripleDES. CipherSabre I was able to instyall, the others - no, sadly. They seem to be listed by the repository but not actually available.


Re: Choice of encryption modules...
by zentara (Archbishop) on Oct 28, 2004 at 10:49 UTC
    The AES encryption winner is rijndael based. I like Crypt::Rijndael. There is an xs version and a pure perl version, and ActiveState has it somewhere( I got it once, but I don't use Windows much, so I can't remember where.) You probably also need Crypt::CBC to use it easily.

    I'm not really a human, but I play one on earth. flash japh
Re: Choice of encryption modules...
by iburrell (Chaplain) on Oct 28, 2004 at 17:15 UTC
    You can't go wrong using AES. It is standard, well-designed, analyzed by experts. It is fast and secure.

    Crypt::CipherSaber is a stream cipher based on RC4. RC4 has some vulnerabilities. Also, it is easy to misuse stream cipher and lose the security; this is what happened with the design of WEP. The advantage is that it is fast, simple, and implemented in Perl.

    Crypt::Rijndael is an XS implementation and should really fast. Crypt::Rijndael_PP is a pure Perl implementation but it is supposed to be slow. If you can install XS modules, I would go with Crypt::Rijndael and not worry about the security.