On Tue, Oct 15, 2019 at 05:07:33PM +0200, Ondřej Surý wrote:
First of all, all software in Debian must adhere to Debian Free Software
Guidelines. And I can’t find the source code anywhere on your website.
That said - who you seem to use a lot of buzz words and bold claims, but I
would recommend the old wisdom: “don’t ever roll your own crypto”. I would
recommend you to speak to an actual cryptographer before you do more harm to
your users.
I hope a cryptographic software based on hand-waving and no crypto audit would
never be uploaded in Debian.
Source code seems to be at
http://www.finalcrypt.org/downloads/other/finalcrypt_sourcecode.zip
but otherwise I agree that using this versus a recognized encryption
tools is a bad idea. The general mechanism seems to to generate a random
string equal to the size of the input data, then perform some operation
(presumably xor?) to generate ciphertext. The usual weak link from a
theoretical standpoint is the strength of the pseudo random number
generator. In this case it's using the java SecureRandom function, so
it's as strong or weak as that. If you don't trust complicated
mathematical functions to secure your data, I don't know why you'd trust
SHA-256. The weak link from a practical standpoint is the need to
securely store random pads equal in size to the data encrypted--if you
can secure the one time pad, you could just as easily secure the data
and not need the one time pad. Disclaimer: I only gave the source code a
cursory glance so there may be additional elements of this
implementation that I overlooked either for better or for worse.
