MD should use more robust encryption
If I look at my data file correctly, it seems that MD uses DES encryption. This is an old encryption standard promulgated by NIST several years ago. Many projects have shown that this is relatively easy encryption to break. The computation power to break it is significant but available to many.
I would like to encourage the use of the AES encryption also known as Rijndael. This is the new "Advanced Encryption Standard" adopted by NIST and is substantially more secure. There are several public libraries to implement this standard. For more information see
Data Encryption Standard quote: "DES is now considered to be insecure for many applications."
1 Posted by Ben Spencer on 08 Jan, 2012 04:37 PM
I agree with you that DES is not secure, and Moneydance uses triple DES. I am not convinced that 3DES is insufficient. While 3DES is certainly crackable in better-than-brute-force time, the amount of resources necessary to crack 3DES in a reasonable amount of time is very significant, to the extent that it is secure in a practical sense. According to Wikipedia (http://en.wikipedia.org/wiki/Triple_DES#Security), "NIST considers [3DES] keying option 1 to be appropriate through 2030". I think it is a bit optimistic to think that 3DES will still be relevant in 2030. Perhaps you have more up-to-date information on the time it takes to crack 3DES. If it is the case that it can be cracked with less than a massive cluster of computers with GPUs in a reasonable time, I will prioritise the ticket.
Sincerely
Ben Spencer
Moneydance Support
2 Posted by sth on 09 Jan, 2012 02:58 PM
3DES is probably secure enough. The 112-bit effective length (assuming there are 3 independent keys) is probably more secure than the pass phrase most people use. The file header seemed to imply single DES, which I do have problems with.
I haven't seen a recent crack of 3DES, and it is still used by most financial institutions. The move to AES will take place eventually, but as you point out there is no hurry and no need to address it now. Thanks for the clarification that MD used 3DES and not DES; I just saw the DES phrase in the file header and was not clear on the algorithm used.
Tom Freeman closed this discussion on 09 Jan, 2012 09:51 PM.