[nycphp-talk] so-called triple md5

David Sklar sklar at sklar.com
Tue Sep 2 13:27:27 EDT 2003


If you're at the point where the difference between TEA and Blowfish is
important to your application, then you should read Applied Cryptography.

What are you encrypting? For the differences between algorithms to really
matter, you should be analyzing how much ciphertext you're generating, who's
likely to snoop it, what kind of resources they have, etc.

For most web-based services, the likelihood of a brute-force attack (or
slightly-less-than-brute-force based on a weakness of a cryptosystem) is so,
so, so much less than the likelihood of an attack because someone was
careless and left a key in an accessible place or chose an easily guessable
key. A 56-bit key and a 1024-bit key are equally weak when they're written
on a post-it stuck to a monitor.

David

On Tuesday, September 02, 2003 1:22 PM,  wrote:

> Thanks David--
>
> I guess if something is worth hiding, it's worth hiding well.
>
> I'm a little surprised that no one has written the native PHP
> implementation of Blowfish, slow though it may be. I noticed that
> there are PEAR classes that implement RC4 and TEA.
>
> I'm having trouble finding any sort of online resource that compares
> encryption algorithms. Short of reading "Applied Cryptography," are
> there any good overviews out there that might help someone say, "Oh,
> TEA is good enough for what I'm doing," or "Gee, I guess I need to
> recompile with mcrypt support so I can use Blowfish?"
>
>     chris.



