3 Jan
2005
3 Jan
'05
10:17 p.m.
The use of the strong AES (Rijndael) cipher to encrypt fields in EpiData is laudable, but what is the logic of embedding the password encrypted with itself in the REC file header? Surely this makes a dictionary attack against the password much, much easier than it would be otherwise? What is gained by having the encrypted password in the header? Surely either the user knows the password, or they don't. Why leaves clues in the header which can help someone else find the password? If the idea is to provide a backdoor in case the user forgets their password, then why use a strong algorithm like AES in the first place?
None of this worries me - I am just curious as to why the design decision was made.
Tim C