Cryptography-Digest Digest #579, Volume #10      Wed, 17 Nov 99 03:13:03 EST

Contents:
  Re: AES cyphers leak information like sieves (Jerry Coffin)
  Re: NSA should do a cryptoanalysis of AES ("Douglas A. Gwyn")
  Re: AES cyphers leak information like sieves ("Douglas A. Gwyn")
  Re: intelligent brute force? (Keith Monahan)
  Re: Scientific Progress and the NSA (Jerry Coffin)
  Re: NSA should do a cryptoanalysis of AES (SCOTT19U.ZIP_GUY)
  Re: Scientific Progress and the NSA (SCOTT19U.ZIP_GUY)
  Re: AES cyphers leak information like sieves (SCOTT19U.ZIP_GUY)
  Re: AES cyphers leak information like sieves (SCOTT19U.ZIP_GUY)
  Re: AES cyphers leak information like sieves (SCOTT19U.ZIP_GUY)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: AES cyphers leak information like sieves
Date: Tue, 16 Nov 1999 21:45:17 -0700

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> After reading the recent contributions to the "SCOTT16U SOLUTION ON THE
> WEB" thread in this forum, I was disturbed to find that a number of
> sci.crypt subscribers were /still/ toeing the party line that the AES
> block cyphers might have some security value - *despite* the efforts of
> David Scott to explain exactly why they should be considered insecure.
> 
> The problem is simple: the AES cyphers are fixed 128-bit block cyphers.
> They encode identical blocks in the same way.  For certain types of
> message, this is a complete security disaster.

What you've said is true if and only if the cipher is used in ECB 
mode.  If you run into the situation you mention above, you'd 
probably want to use CBC or CFB mode instead.

You're also apparently ignoring the fact that David Scott's choice of 
chaining mode is a complete disaster in some situations as well.  If, 
for example, you're receiving an encrypted message over a radio, and 
interference prevents you from receiving a bit of the message, his 
chaining mode prevents ANY of the message from being decrypted in any 
useful fashion at all.  His dynamic pre-compression would prevent the 
remainder of the message from being decrypted, even if the chaining 
mode wasn't used.

Those who really believe that simply re-transmitting a message is 
reasonable if it doesn't come through intact should read _Between Silk 
and Cyanide_ continuously until they learn better.

IOW, advocating that "proper" security always requires pre-compression 
and a particular "all or nothing" chaining mode is simply nonsense.  
NIST (and others who have a clue) keep the chaining mode, the 
algorithm and possible pre-compression separate for an excellent 
reason: they bloody well NEED to be separate.

There's more to secure communication than JUST ensuring against 
somebody else reading your message -- in many situations, being 
certain the intended recipient CAN read (at least as much as possible 
of) the message is JUST as important, and perhaps even MORE important.  
In those situations, David Scott's approach is completely, totally, 
utterly WRONG.  In these situations, something like an AES finalist in 
CBC mode is likely to work well while ScottXXu would simply be a 
danger to all involved.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Wed, 17 Nov 1999 03:41:29 GMT

albert wrote:
> Do you think the reason they aren't giving an analysis is because they
> can break all the second round candidates and so they aren't going to
> say anything about it?

Suppose they said candidate X is uncrackable.  Would you believe it?
So it would be pointless.

Another problem is that in order to demonstrate a vulnerability,
they'd have to disclose the method(s) for exploiting it, which
could potentially slam the door on current sources of intelligence.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Date: Wed, 17 Nov 1999 03:51:54 GMT

"Douglas A. Gwyn" wrote:
> I would be interested in *one* example of a well-respected block
> cipher that *does* provide error recovery.

From later postings, it appears that they were talking about
a common side-effect of many block chaining modes.  But it was
ECB style that was being complained about, and for an individual
block, the cipher provides no error recovery.

------------------------------

From: Keith Monahan <[EMAIL PROTECTED]>
Subject: Re: intelligent brute force?
Date: Tue, 16 Nov 1999 23:51:17 -0500

Hey,

CoyoteRed wrote:

> But, man, you certainly beat me on this one.
>

Well, what's funny is I've received some criticism from some people about it, but
honestly, it could happen to anyone.  I think we in this
group are especially vulnerable because we know the importance of
things like keysize, passphrases susceptible to dictionary attack, entropy
etc.  I think this has to happen to you before you are _really_ sensitized
to the problem.

> By the way, how certain of the characters that you think you know and
> their positions?

I'm very certain of the first ~ 25 characters and their positions.

>  You could try brute-forcing only the characters
> that you don't know.

I looked into the possibility, but I've done the math and it's ugly.  The number is
like 15 characters and 35 choices for each character.  And
that's with drastically reducing the charset.

>  Another thing: do you know the word that was
> misspelled?  You remember if it was phonetically spelled or letter
> transposition, common misspelling, etc.?

I have an idea of the word, but I'm not entirely sure it's correct.  The spelling
was one of those replace 1 for I, 0 for O, type of deals.  I
think it was only one character though that was swapped.

>  Can you remember if the
> symbols were keyboard symbols (!@#$%^&*) or <ALT-0xxx> ( ·¶®§¤ΆΚρυ)
> symbols?  You could build a bruteforce attack based on these
> assumptions and will eliminate vast amounts of attempts.
>

I remember the basic set of symbols.  They weren't ALT characters, they were simply
printable symbols, including the "space".  I think this
is what's really screwing me.  I intermixed symbols, spaces, etc. between
some phrases and words and what not.  The symbols including the space
take up about 9 characters.

> Can you write simple programs?  If so then you can write a program
> that will make you a list of passphrases to try.  This way you won't
> be trying the same passphase multiple times.
>

Yeah, I can code in C/C++... I can handle any of the stuff we are talking about no
problem.  Now, writing blowfish by hand, that I was having
problems with. :)

> If you don't mind (and this could be a security issue if you haven't
> changed your protocols ) tell me what you do know about the passphrase
> and I may have some more ideas.  But I will understand if you decline,
> so don't worry about it.
>

No problem, I don't have any super duper government secrets or anything.  The format
of the passphrase is something like

<big ~25 char pass here><various connecting symbols><possible a letter or
two><misspelled word><various symbols>

I don't know exact length of those fields, but I know the misspelled word was
relatively small, perhaps 6 characters or under.

> Hope this helps ( and isn't just a repeat of what others have already
> told you)
>

It's really something that I feel I can narrow down to the point where the search
is relatively short.  Like a few days or something.

> --
> CoyoteRed
> CoyoteRed <at> bigfoot <dot> com
> http://go.to/CoyoteRed
> PGP key ID: 0xA60C12D1 at ldap://certserver.pgp.com

Thanks for your help,

Keith
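Added example, not code from Keith Monahan or CoyoteRed: a candidate generator built around the passphrase template Keith describes above (a long known prefix, a few connecting symbols, possibly a letter or two, a short word with one look-alike substitution, trailing symbols), plus a counter that sizes the search before running it. Every concrete value here (the known prefix, the candidate words, the symbol set, and the demo target, which is a SHA-256 comparison standing in for the real key-unlock attempt) is constructed for the demo; the real passphrase in the thread is unknown.

```python
"""Added example, not code from Keith Monahan or CoyoteRed: enumerate
passphrase candidates from the partially remembered template in the thread
instead of brute-forcing every position. Every concrete value (known prefix,
candidate words, symbol set, demo target) is constructed for this demo."""
import hashlib
import itertools
from typing import Callable, Iterable, Iterator, Optional, Tuple

# Assumed symbol set: keyboard symbols plus the space Keith mentions.
SYMBOLS = "!@#$%^&* "
LETTERS = "abcdefghijklmnopqrstuvwxyz"
# Look-alike swaps for the "1 for I, 0 for O" style misspelling.
LEET = {"i": "1", "o": "0", "l": "1", "e": "3", "a": "4", "s": "5"}


def leet_variants(word: str, max_swaps: int = 1) -> Iterator[str]:
    """The word itself, then every version with up to max_swaps look-alike
    substitutions (max_swaps=1 matches 'only one character was swapped')."""
    positions = [i for i, ch in enumerate(word.lower()) if ch in LEET]
    yield word
    for k in range(1, max_swaps + 1):
        for combo in itertools.combinations(positions, k):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[word[i].lower()]
            yield "".join(chars)


def _strings(alphabet: str, max_len: int) -> list:
    """All strings over alphabet of length 0..max_len (empty string first)."""
    return ["".join(t) for n in range(max_len + 1)
            for t in itertools.product(alphabet, repeat=n)]


def candidates(prefix: str, words: Iterable[str], *, max_sep: int = 2,
               max_letters: int = 2, max_tail: int = 2) -> Iterator[str]:
    """Template from the thread:
    <known prefix><0..max_sep symbols><0..max_letters letters><word><0..max_tail symbols>"""
    seps = _strings(SYMBOLS, max_sep)
    mids = _strings(LETTERS, max_letters)
    tails = _strings(SYMBOLS, max_tail)
    for word in words:
        for w in leet_variants(word):
            for sep, mid, tail in itertools.product(seps, mids, tails):
                yield prefix + sep + mid + w + tail


def search_space(words: Iterable[str], *, max_sep: int = 2,
                 max_letters: int = 2, max_tail: int = 2) -> int:
    """Size of the candidate set without enumerating it, so the cost of a
    template can be estimated before committing to the run."""
    n_sym = sum(len(SYMBOLS) ** n for n in range(max_sep + 1))
    n_let = sum(len(LETTERS) ** n for n in range(max_letters + 1))
    n_tail = sum(len(SYMBOLS) ** n for n in range(max_tail + 1))
    n_words = sum(1 for w in list(words) for _ in leet_variants(w))
    return n_sym * n_let * n_tail * n_words


def search(prefix: str, words: Iterable[str], check: Callable[[str], bool],
           **limits) -> Tuple[Optional[str], int]:
    """Try each candidate once against check(); return (hit or None, attempts).
    In real use check() would attempt to unlock the key with the candidate."""
    attempts = 0
    for attempts, cand in enumerate(candidates(prefix, words, **limits), 1):
        if check(cand):
            return cand, attempts
    return None, attempts


# Constructed demo: a 25-character known prefix and a stand-in for the real
# unlock check (here just a SHA-256 comparison against a constructed target).
DEMO_PREFIX = "the quick brown fox jumps"
DEMO_SECRET = DEMO_PREFIX + "#" + "x" + "s3cret" + "!"
DEMO_TARGET = hashlib.sha256(DEMO_SECRET.encode()).hexdigest()


def demo_check(candidate: str) -> bool:
    return hashlib.sha256(candidate.encode()).hexdigest() == DEMO_TARGET


if __name__ == "__main__":
    words = ["secret", "monkey"]
    print("full template size:", search_space(words))
    print("trimmed size:", search_space(words, max_sep=1, max_letters=1, max_tail=1))
    hit, n = search(DEMO_PREFIX, words, demo_check, max_sep=1, max_letters=1, max_tail=1)
    print("found:", hit, "after", n, "attempts")
```

The generator yields each candidate exactly once, which is the "don't try the same passphrase twice" point CoyoteRed makes; search_space() shows how quickly the count grows with each extra unknown symbol or letter, which is why tightening the template from memory (fewer connecting symbols, one substitution instead of many) matters more than raw speed.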



------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Scientific Progress and the NSA
Date: Tue, 16 Nov 1999 22:00:43 -0700

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> It's just as easy to play the "how do you know" game in 
> reverse, i.e. How do you know the intelligence community 
> actually invented differential cryptography first?  Maybe 
> they just _claimed_ they did so they wouldn't look foolish 
> when they were scooped by a tiny group of researchers from IBM.

You're getting things more or less backwards: the researchers at IBM 
designed Lucifer.  The people at NSA looked at it, saw that an attack 
using differential cryptanalysis would break it very quickly and 
easily.  Though the details of what the NSA contributed aren't 
entirely clear, it appears that the number of rounds and the contents 
of the S-boxes (at least) stemmed primarily from at least not-so-
subtle hints from the NSA.

Of course, quite a few people were convinced that, for example, 
the contents of the S-boxes had been chosen by the NSA for basically 
the opposite effect that they really had: they were convinced that the 
NSA designed them to look strong, but be easy to attack with some 
secret method known only to the NSA.  In reality, we now know exactly 
the opposite was true: DES was designed specifically to resist 
differential cryptanalysis -- had the NSA left things alone, they 
could have broken it easily, but instead they helped re-design it to 
prevent exactly that attack.  The only weakness that appears to have 
been intentionally left in the final design was an obvious one: the 
key size.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Wed, 17 Nov 1999 06:22:25 GMT

In article <[EMAIL PROTECTED]>, albert <[EMAIL PROTECTED]> wrote:
>    I see that NSA has not entered a candidate for AES.  I assume it's
>because they don't want to give away some secrets they have.  What
>secrets?  My conspiracy theories...
    They most likely have entries. Possibly more than one. IF they
don't have an entry then something is fishy and we are not getting
our money's worth.
>    Suppose the NSA has found a way to break feistel ciphers, and SP
>style ones.  So what would that mean?  That would mean that their
>algorithm would be based on something totally different, to combat that
>kind of attack, just like before Serpent came out, we all knew that
>Eli's entry would almost certainly be resistant against differential
>attacks.  That is why Bruce says good crypto analysists make good cipher
>writers, because they will design ciphers that are resistant to their
>own attacks, so the better the attacker, the more resistant their
>algorithms (generally).
      They would not be foolish enough to enter or publish a system
that they can not break when others are dumb enough to use it. Why
do you think they wanted short key short block ciphers in the
first place.
>BUT, they should post a thorough analysis of the AES candidates.  We'd
>like to see what our tax-dollar funded crypto-think tanks have come up
>with in terms of attacks and analysis.
      And cows should have wings. Dream on. No one in their right
mind would believe any analysis offered by the NSA. If anything they
would target their analysis to eliminate any candidates that might
actually be useful. If you believe the NSA would give an honest open
effort then you would believe the FBI didn't have their super sniper
that is a proven killer of unarmed mothers holding their babies there
as only a rescuer at Waco that never fired a shot.
>
>Do you think the reason they aren't giving an analysis is because they
>can break all the second round candidates and so they aren't going to
>say anything about it?  I personally don't, but it's a thought...
>

 I think it's a safe bet that whatever wins is something they can break.



David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Scientific Progress and the NSA
Date: Wed, 17 Nov 1999 06:30:11 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Jerry 
Coffin) wrote:
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
>says...
>
>[ ... ] 
>
>> It's just as easy to play the "how do you know" game in 
>> reverse, i.e. How do you know the intelligence community 
>> actually invented differential cryptography first?  Maybe 
>> they just _claimed_ they did so they wouldn't look foolish 
>> when they were scooped by a tiny group of researchers from IBM.
>
>You're getting things more or less backwards: the researchers at IBM 
>designed Lucifer.  The people at NSA looked at it, saw that an attack 
>using differential cryptanalysis would break it very quickly and 
>easily.  Though the details of what the NSA contributed aren't 
>entirely clear, it appears that the number of rounds and the contents 
>of the S-boxes (at least) stemmed primarily from at least not-so-
>subtle hints from the NSA.
>
>Of course, quite a few people were convinced that, for example, 
>the contents of the S-boxes had been chosen by the NSA for basically 
>the opposite effect that they really had: they were convinced that the 
>NSA designed them to look strong, but be easy to attack with some 
>secret method known only to the NSA.  In reality, we now know exactly 
>the opposite was true: DES was designed specifically to resist 
>differential cryptanalysis -- had the NSA left things alone, they 
>could have broken it easily, but instead they helped re-design it to 
>prevent exactly that attack.  The only weakness that appears to have 
>been intentionally left in the final design was an obvious one: the 
>key size.
>
  The only known obvious weakness was the key size. And many experts
at the time DES was invented complained since it was more than feasible
to build a machine that could break it. 
  You can be sure they had the hardware to rapidly decrypt most messages
when they needed to at the time the cipher was invented.  I am not saying
computers, I am saying specially designed hardware. They had the money
to do what they want.




David A. Scott
--

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: AES cyphers leak information like sieves
Date: Wed, 17 Nov 1999 06:49:58 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Jerry 
Coffin) wrote:
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>> After reading the recent contributions to the "SCOTT16U SOLUTION ON THE
>> WEB" thread in this forum, I was disturbed to find that a number of
>> sci.crypt subscribers were /still/ towing the party line that the AES
>> block cyphers might have some security value - *despite* the efforts of
>> David Scott to explain exactly why they should be considered insecure.
>> 
>> The problem is simple: the AES cyphers are fixed 128-bit block cyphers.
>> The encode identical blocks in the same way.  For certain types of
>> message, this is a complete security disaster.
>
>What you've said is true if and only if the cipher is used in ECB 
>mode.  If you run into the situationa you mention above, you'd 
>probably want to use CBC or CFB mode instead.
    I have shown how CBC and CFB are weak in some cases.
Even Bruce had the balls in his book to say that the error correction
should be handled in the transmission protocols. Hell, even in the
Navy they don't require radio operators to use morse code any more;
it is going to secure digital communications. But maybe that is over
your head.
>
>You're also apparently ignoring the fact that David Scott's choice of 
>chaining mode is a complete disaster in some situations as well.  If, 
     I admit that it is not the best for certain situations. But I also 
realize that the AES methods are not the best for all situations either,
and that is something you're afraid to admit.
>for example, you're receiving an encrypted message over a radio, and 
>interference prevents you from receiving a bit of the message, his 
>chaining mode prevents ANY of the message from being decrypted in any 
>useful fashion at all.  His dynamic pre-compression would prevent the 
>remainder of the message from being decrypted, even if the chaining 
>mode wasn't used.
   You have that correct. But if you want you can chop the file or message
up into blocks or bit lengths of variable size. 
>
>Those who really believe that simply re-transmitting a message is 
>reasonable if it doesn't come through intact should read _Between Silk 
>and Cyanide_ continuously until they learn better.
    Bullshit.
>
>IOW, advocating that "proper" security always requires pre-compression 
    I never advocated that "proper" security always requires pre-compression.
It is obvious you don't bother to read my posts. What I advocate is that
if one is going to use compression then one should use a one-one compression
routine that does not add information to the encryption. Since many of the 
common piss poor compressors can in theory add enough information that
an attacker has enough info to break a cipher based only on cipher text.
But maybe this is over your head. You may think that plaintext attacks
and cipher text only attacks are about the same thing.
>and a particular "all or nothing" chaining mode is simply nonsense.  
>NIST (and others who have a clue) keep the chaining mode, the 
>algorithm and possible pre-compression separate for an excellent 
>reason: they bloody well NEED to be separate.
    Actually I have been told Mr R of RSA has also come out with a
similar thing so I guess his ideas are crap to you also. The chaining
mode is separate; one can still chain even IDEA with wrapped PCBC.
The compression if used is also separate.
>
>There's more to secure communication than JUST ensuring against 
>somebody else reading your message -- in many situations, being 
>certain the intended recipient CAN read (at least as much as possible 
>of) the message is JUST as important, and perhaps even MORE important.  
>In those situations, David Scott's approach is completely, totally, 
>utterly WRONG.  In these situations, something like an AES finalist in 
>CBC mode is likely to work well while ScottXXu would simply be a 
>danger to all involved.

   Like I said mine is for "all or nothing". If you want to use stuff
where the recipient is not sure if the whole message is there, fine.
I prefer stuff like this for my files and messages that is more
secure than what the weak AES methods will be. I suppose you
believe the NSA will not be able to break them. I think they might
be able to, so I will continue to push for real secure crypto. Something
you obviously don't care about.


>


David A. Scott
--

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: AES cyphers leak information like sieves
Date: Wed, 17 Nov 1999 07:03:11 GMT

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>Tim Tyler wrote:
>> David Scott has been pointing this obvious weakness in block cyphers out
>> on sci.crypt for as long as I can remember.  It is relatively simple to
>> defend against this obvious weakeness - yet virtually nobody appears to be
>> interested in doing it.
>
>It might be that the mainstream crypto community understands
>how to do it already; that is what the chaining modes are for.
>As I pointed out in a recent posting, there have been formal
>proofs of the minimum amount of work required to crack certain
>modes (CBC for example) *if* the underlying block cipher is
>sufficiently strong.  Therefore, much attention is paid to
>making a strong block cipher.
    But the attention to proper chaining is sadly neglected.
>
>> That block cyphers allow recovery from errors in single blocks
>> is a *pathetic* excuse for leaking this type of information to
>> analysts on such a dramatic scale.
>
>The only "drama" has been added by you guys.  Block ciphers
>don't usually support error recovery.  That can be layered on
>in a total system, e.g. using Reed-Solomon coding.
>
>I would be interested in *one* example of a well-respected block
>cipher that *does* provide error recovery.
     
 Then by your own words, what fucking good is it to have this
feature forced on oneself? Error recovery means that you get
a few garbled blocks but that the rest of the message is a go.
But even in things like PGP this error recovery is of no use.
So the option to dump it should be there.




David A. Scott
--

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: AES cyphers leak information like sieves
Date: Wed, 17 Nov 1999 06:57:44 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Jerry 
Coffin) wrote:
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
>[ ... ] 
>
>> I still hold the opinion that performing the main component of the
>> encryption while the data is divided into non-interacting relatively
>> small chunks is not a good foundation on which to design a sensible
>> cypher-machine, though.
>
>You're ignoring reality: there are multiple chaining modes for a 
>reason: in some situations, ECB is perfectly acceptable, and it allows 
>(for example) using multiple encryptors in parallel, each encrypting 
>independent of the others to produce higher throughput.  In other 
>situations, CBC works well: on one hand, it makes later blocks 
>dependent on earlier blocks (and on the IV) but at the same time, it 
>allows recovery from bursts of noise that affect single blocks, making 
>only a small part of the message unreadable.  No one chaining mode is 
>best for all situations.  This is why intelligent people keep the 
>chaining separate from the encryption algorithm: you need to match 
>EACH to your intended purpose, and picking a particular algorithm 
>doesn't imply that one particular chaining mode is right for your 
>situation.
>
  You sir are ignoring reality. If you do the test I showed you,
you will see that all your pet modes are an illusion. They do
not spread the information through the file. But either you
don't understand or are too lazy to test. Think why they
are this way. Could it be of use to the NSA? Look, even
PGP uses a weak chaining mode with compression. Most
people don't have the software to recover the real file
if a change occurred in the middle of the compressed encrypted
text. So what fuckin good does this error recovery do anyone
who depends on PGP? It does them no fucking good; it can
only be of use to a dedicated attacker.

  That is also why intelligent people should have the option
of using something like "wrapped PCBC" when they want
a far higher degree of security than the NSA 3 letter blessed
modes that you foolishly think are safe.




David A. Scott
--

------------------------------
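Added example, not code from any poster in this digest, that runs the two behaviours the "AES cyphers leak information like sieves" thread argues about: Jerry Coffin's point at the top of the digest that identical plaintext blocks give identical ciphertext blocks only in ECB mode, and the error-propagation comparison in David Scott's last post above (CBC and ECB localize one damaged ciphertext block; PCBC propagates it to every later block, the "all or nothing" behaviour he prefers). The block cipher is a stand-in, a four-round Feistel network with an HMAC-SHA256 round function: it is not AES, not any AES candidate and not Scott's cipher, only a deterministic keyed 128-bit permutation so the mode behaviour can be observed offline. "PCBC" here is plain plaintext-cipher-block chaining; the "wrapped" variant Scott mentions is not specified on this page and is not implemented. The key, IV and plaintext are constructed for the demo.

```python
"""Added example (not from any poster in this digest): block-cipher modes
and what a single damaged ciphertext block does to the recovered plaintext.

The block cipher is a four-round Feistel network with an HMAC-SHA256 round
function: a stand-in permutation, NOT AES and NOT a cipher for real use."""
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, the size the AES candidates use


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to the 64-bit half width.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel permutation on one 16-byte block (stand-in, not AES)."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: same rounds in reverse order."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        r, l = l, _xor(r, _f(key, rnd, l))
    return l + r


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "example uses whole blocks only (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encrypt(mode: str, key: bytes, iv: bytes, pt: bytes) -> bytes:
    """ECB: c_i = E(p_i); CBC: c_i = E(p_i ^ c_{i-1});
    PCBC: c_i = E(p_i ^ p_{i-1} ^ c_{i-1}), with c_0 = IV and p_0 = 0."""
    out, prev_c, prev_p = [], iv, bytes(BLOCK)
    for p in _blocks(pt):
        if mode == "ECB":
            c = block_encrypt(key, p)
        elif mode == "CBC":
            c = block_encrypt(key, _xor(p, prev_c))
        elif mode == "PCBC":
            c = block_encrypt(key, _xor(p, _xor(prev_p, prev_c)))
        else:
            raise ValueError(mode)
        out.append(c)
        prev_c, prev_p = c, p
    return b"".join(out)


def decrypt(mode: str, key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev_c, prev_p = [], iv, bytes(BLOCK)
    for c in _blocks(ct):
        d = block_decrypt(key, c)
        if mode == "ECB":
            p = d
        elif mode == "CBC":
            p = _xor(d, prev_c)
        elif mode == "PCBC":
            p = _xor(d, _xor(prev_p, prev_c))
        else:
            raise ValueError(mode)
        out.append(p)
        prev_c, prev_p = c, p
    return b"".join(out)


def repeated_block_positions(ct: bytes):
    """Indices of ciphertext blocks that occur more than once (the ECB leak)."""
    bl = _blocks(ct)
    return [i for i, b in enumerate(bl) if bl.count(b) > 1]


def damage_report(mode: str, key: bytes, iv: bytes, pt: bytes, bad: int):
    """Flip one bit in ciphertext block `bad`, decrypt, and report which
    plaintext blocks survive: the radio-interference case in the thread."""
    ct = bytearray(encrypt(mode, key, iv, pt))
    ct[bad * BLOCK] ^= 0x01
    got = _blocks(decrypt(mode, key, iv, bytes(ct)))
    return [g == p for g, p in zip(got, _blocks(pt))]


# Constructed sample: six blocks, with block 0 and block 3 identical.
KEY = b"example-key-not-secret!!"  # constructed test key
IV = bytes(range(16))                # constructed IV
SAMPLE = (b"ATTACK AT DAWN!!" + b"SECOND BLOCK ABC" + b"THIRD BLOCK  XYZ"
          + b"ATTACK AT DAWN!!" + b"FIFTH BLOCK  123" + b"SIXTH BLOCK  END")

if __name__ == "__main__":
    for mode in ("ECB", "CBC", "PCBC"):
        print(mode, "repeated ciphertext blocks:",
              repeated_block_positions(encrypt(mode, KEY, IV, SAMPLE)),
              "intact after damaging block 2:",
              damage_report(mode, KEY, IV, SAMPLE, 2))
```

Run as is, ECB reports blocks 0 and 3 as repeats and loses only the damaged block; CBC reports no repeats and loses the damaged block plus the one after it (the next block gets the same flipped bit, since it is XORed with the damaged ciphertext); PCBC loses the damaged block and everything after it. Which of these is the right property depends on the channel, which is the point both sides of the thread concede in different words: none of the modes detects the damage, so integrity still has to come from a MAC or a transport-level check layered on top.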


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
