Cryptography-Digest Digest #783, Volume #13       Fri, 2 Mar 01 19:13:01 EST

Contents:
  Re: super-stong crypto, straw man phase 2 (John Savard)
  Re: Will RIJNDAEL EVER HAVE BIJECTIVE MODES? ("Tom St Denis")
  Re: Will RIJNDAEL EVER HAVE BIJECTIVE MODES? ("Tom St Denis")
  Problem (Gabriele Alberti)
  Re: Completly wiping HD (Albert P. Belle Isle)
  Re: => FBI easily cracks encryption ...? (William Hugh Murray)
  Re: => FBI easily cracks encryption ...? (William Hugh Murray)
  Re: Completly wiping HD ("Douglas A. Gwyn")
  Re: => FBI easily cracks encryption ...? (Timothy M. Metzinger)
  Re: => FBI easily cracks encryption ...? (Timothy M. Metzinger)
  Question about double encryption ([EMAIL PROTECTED])
  Re: Question about double encryption ([EMAIL PROTECTED])
  Re: Text of Applied Cryptography ("Ryan M. McConahy")
  Re: Problem ("news.free.fr")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: super-stong crypto, straw man phase 2
Date: Fri, 02 Mar 2001 21:40:36 GMT

On 23 Feb 2001 19:10:21 GMT, [EMAIL PROTECTED] (David Wagner)
wrote, in part:

>For almost all of the publicly known attacks, doubling
>the number of rounds adds substantial protection.  At
>the same time, for a fair number of the publicly known
>attacks, Gwyn's proposal does not add any security.

Now, I see that straw man phase 1 is off my server...I hadn't paid
attention to the earlier thread, because I didn't realize that it was
Mr. Gwyn who was making the proposal.

It's certainly true that his proposal doesn't add security against a
brute-force attack. Even though such an attack is not going to be
allowed to be possible in practice, this is still indicative of
security against other types of attack: basically, all ciphertext-only
attacks could be lumped together (yes, this is an inaccurate
generalization, but it's intended as a first approximation only).

Here's my concept of what he is proposing:

Each block to be enciphered contains, say, 64 bits of plaintext and 64
random bits.

These are enciphered by key K1, subject to change, to produce a
128-bit ciphertext block.

Key K2, which is secret, enciphers the 64 random bits, and K3 controls
the selection of a variable number of bits from the enciphered result.
These bits are then used to replace part of key K1 for the
encipherment of the next block.

Thus: every block is enciphered, the relationship between the keys
used to encipher one block and the next is variable, getting the
plaintext for one block leaves you in the position of cracking K2
before you can see what the next block is.

This is very nice, although indeed it may be complained that it isn't
worth the bandwidth.

The only thing I don't like is that if one operates by always making
K1' the same as K1 shifted from 0 to 64 bits left, say, with new
random bits added, then you still have a _relationship_ between the
keys used to encipher successive blocks.

This system needs a K4, so that after shifting in the new bits
selected by K3, the resulting K1 is then enciphered using K4 before
use as the key to encipher the next block.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
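
The chain described above (64 plaintext bits || 64 random bits per block, K2 enciphering the random half, K3 selecting a variable number of bits to shift into K1, and the K4 step proposed here) as an added Python example; it is not code from the post or from Gwyn's proposal. The 128-bit block cipher, the bit-selection schedule driven by K3, and the 32..64 bit count per step are assumptions of this example only.

```python
import hashlib
import secrets

MASK64 = (1 << 64) - 1
MASK128 = (1 << 128) - 1
ROUNDS = 8


def _f(key, half, rnd):
    # Round function: SHA-256(key || round || 64-bit half), truncated to 64 bits.
    data = key.to_bytes(16, "big") + bytes([rnd]) + half.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def prp(key, block, decrypt=False):
    # Stand-in 128-bit block cipher (hash-based Feistel network); it is only a
    # placeholder for the unnamed cipher in the description, not a real cipher.
    left, right = block >> 64, block & MASK64
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        left, right = right, left ^ _f(key, right, rnd)
    return (right << 64) | left  # undo the last swap so decrypt mirrors encrypt


def next_k1(k1, rand64, k2, k3, k4):
    # Key evolution for the next block: K2 enciphers the 64 random bits, K3
    # decides how many bits (32..64 here, an assumption) and which positions are
    # taken from that result, those bits are shifted into K1, and K4 enciphers
    # the outcome (the extra step above) so consecutive K1 values are unrelated.
    hidden = prp(k2, rand64)                   # random bits sit in the low half
    sel = hashlib.sha256(k3.to_bytes(16, "big")).digest()
    nbits = 32 + sel[0] % 33
    picked = 0
    for i in range(nbits):
        pos = (sel[1 + i % 31] + i) % 128      # position schedule derived from K3
        picked = (picked << 1) | ((hidden >> pos) & 1)
    k1 = ((k1 << nbits) | picked) & MASK128    # shift the new bits into K1
    return prp(k4, k1)


def encrypt(words, k1, k2, k3, k4):
    # Each block is 64 plaintext bits || 64 fresh random bits under the current K1.
    out = []
    for p in words:
        r = secrets.randbits(64)
        out.append(prp(k1, (p << 64) | r))
        k1 = next_k1(k1, r, k2, k3, k4)
    return out


def decrypt(blocks, k1, k2, k3, k4):
    # The receiver recovers the random half of each block and so can follow the
    # same key evolution; without K2..K4 it cannot get past the first block.
    out = []
    for c in blocks:
        inner = prp(k1, c, decrypt=True)
        p, r = inner >> 64, inner & MASK64
        out.append(p)
        k1 = next_k1(k1, r, k2, k3, k4)
    return out


if __name__ == "__main__":
    keys = [secrets.randbits(128) for _ in range(4)]
    msg = [0x48656C6C6F203030, 0x5361766172642121]   # "Hello 00", "Savard!!"
    ct = encrypt(msg, *keys)
    print(decrypt(ct, *keys) == msg)                   # True
```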

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Will RIJNDAEL EVER HAVE BIJECTIVE MODES?
Date: Fri, 02 Mar 2001 22:24:06 GMT


"Benjamin Goldberg" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
> > "SCOTT19U.ZIP_GUY" wrote:
> [snip]
> > Apparently you didn't read all the papers.  The CTR mode can encrypt
> > single bit files just as easily as 8-bit or 128-bit ones.
> >
> > Go back to lalala land.
>
> The problem with that advice, Tom, is that he is in lala land, not
> lalala land.  And, more important, is that he never left.

Oh true.  Well at least my part about CTR is right :-)

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Will RIJNDAEL EVER HAVE BIJECTIVE MODES?
Date: Fri, 02 Mar 2001 22:26:38 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Tom St Denis) wrote in
> <LGPn6.5711$[EMAIL PROTECTED]>:
>
> >
> >"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >>   I looked at various FIPS and RFC that may be implemented for
> >> the new AES cipher. My fear is that not even one fully bijective
> >> mode will be allowed.
> >>   I thought people would at least look at Matt Timmermans' cool
> >> implementation of RIJNDAEL that is bijective. But it seems that
> >> the phony crypto gods are either too stupid to understand what he
> >> did or they don't want only those who kiss-assed their way into the
> >> closed group.
> >>
> >>   For others of you out there in crypto land. Would it be nice
> >> to have a version of RIJNDAEL that handles all 8-bit binary files
> >> so that any file could be uniquely encrypted? And would it not
> >> be nice to have an encryption mode that can treat any file as
> >> an encrypted file. What I mean by this last statement is
> >> if one tests a wrong key it can lead uniquely to a file that when
> >> encrypted comes back to the same file.
> >
> >Apparently you didn't read all the papers.  The CTR mode can encrypt
> >single bit files just as easily as 8-bit or 128-bit ones.
>
>    I just found a paper on the net talking about CTR mode. You
> are correct: if implemented correctly one could encrypt any length file
> with it and any file could be considered an encrypted file.
>   However, after reading it, I don't believe it is as secure
> as some of the other modes. But I believe it will be the main
> mode for AES in the future. What I was looking at was padding
> schemes that are applied to other modes such as CBC or even ECB.
>
>   The main drawback I see with CTR mode is you have to send a
> unique starting value with the encryption, or else if two messages are
> sent with the exact same key and the same counter value then,
> knowing nothing about the key, just having one plaintext file
> and the corresponding ciphertext file, you can trivially get
> any message from other ciphertext files. Worse than that, you
> could modify the second message so that a phony message actually
> gets sent to the second person all without ever knowing the key
> used. So it is ripe with potential dangers and something the
> NSA would love people to use.
>
>   If I have missed something special about it please comment back.

Start the CTR mode with Hash(msg + timestamp).  Simple solution to both
problems.  If you modify the message or send it at a later date the
timestamp or msg hash will not match.  What I mean is you send the hash and
the ciphertext.  They then can use the IV to decrypt (assuming they know the
key) and compare the hash they can make with the IV.

Tom
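
The exchange Tom describes (IV = Hash(msg + timestamp), receiver decrypts with the IV and compares the hash it can recompute) beside the counter-reuse problem raised above, as an added Python example that is not code from either poster. An HMAC-SHA256 keystream stands in for the block cipher in CTR mode, and the message, timestamp and key are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 32   # keystream block size: one SHA-256 output


def keystream(key, iv, length):
    # CTR keystream: block i = PRF(key, iv || i). HMAC-SHA256 stands in for the
    # block cipher so the example runs on the standard library alone.
    out = b""
    for ctr in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def send(key, msg, timestamp):
    # Sender: IV = Hash(msg || timestamp); what goes on the wire is (IV, ciphertext).
    iv = hashlib.sha256(msg + timestamp.to_bytes(8, "big")).digest()
    return iv, xor(msg, keystream(key, iv, len(msg)))


def receive(key, iv, ct, timestamp):
    # Receiver: decrypt with the received IV, recompute Hash(msg || timestamp)
    # from the result and compare it with the IV; None means the check failed.
    msg = xor(ct, keystream(key, iv, len(ct)))
    check = hashlib.sha256(msg + timestamp.to_bytes(8, "big")).digest()
    return msg if hmac.compare_digest(check, iv) else None


def demo(key=None):
    key = key or os.urandom(32)
    msg, t = b"transfer 100 to account 42", 983577846   # constructed message/time
    iv, ct = send(key, msg, t)
    # Same key and same IV for two messages: the keystreams cancel and the XOR of
    # the ciphertexts equals the XOR of the plaintexts (the reuse problem above).
    other = b"transfer 999 to account 77"
    reuse_leak = xor(ct, xor(other, keystream(key, iv, len(other)))) == xor(msg, other)
    # With the hash-derived IV, a flipped ciphertext bit no longer reproduces the
    # IV at the receiver, a stale timestamp fails the same check, and the same
    # message sent later gets a different IV and therefore a different keystream.
    iv2, _ = send(key, msg, t + 60)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    return {
        "ok": receive(key, iv, ct, t),
        "tampered": receive(key, iv, tampered, t),
        "stale": receive(key, iv, ct, t + 60),
        "fresh_iv": iv != iv2,
        "reuse_leak": reuse_leak,
    }
```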



------------------------------

From: Gabriele Alberti <[EMAIL PROTECTED]>
Subject: Problem
Date: Fri, 02 Mar 2001 22:27:58 GMT

Hello,

I have a complex problem, summarized with the following:

Let T1...Tn be a set of different plaintexts, R a random bitstream with the
same size as the plaintext, and P1...Pn a set of bitstreams with the same
size as the plaintext, chosen from a space of 2^32 different bitstreams.

If I compute

     Ci = Ti XOR Pi XOR R

for each i between 1 and n, I get n ciphertexts.

If you know the whole space of Pi and the Ci, would you be able to get
the Ti?

Thanks in advance

Gabriel

------------------------------

From: Albert P. Belle Isle <[EMAIL PROTECTED]>
Subject: Re: Completly wiping HD
Date: Fri, 02 Mar 2001 17:37:49 -0500
Reply-To: [EMAIL PROTECTED]

On Fri, 02 Mar 2001 20:44:39 +0000, David Griffith
<[EMAIL PROTECTED]> wrote:

>I wish to completely wipe a 2 GB hard disk. There is now no data I want to
>keep, however neither do I want anything to be recoverable.
>I thought a Linux boot disk, root fs from a ramdisk, with a shell
>script doing this kind of thing
>
>dd if=/dev/random of=/dev/hda
>dd if=/dev/zero of=/dev/hda
>
>
>Is this enough to wipe it clean?
>Is /dev/urandom enough so as not to run out of random data?
>
>Thanks in advance
>

As is always the case in INFOSEC, the answer is "it depends."

Without specifying the threat profile against which you're seeking
countermeasures, any out-of-context answer you get is useless.

Forensic disk data recovery attacks attempt to read "deleted" (or
inadequately overwritten) magnetically stored data on your disk either

(1) through its drive controller connector, using PC-hosted software;
(2) through its drive heads, bypassing the disk's controller circuits;
or
(3) directly on each disk platter's recording surface in a clean-room.

Class 1 ("keyboard") attacks can be mounted directly with forensic
software, hosted on your PC or on the attackers' PC. These
software-based attack measures can be countered with software-based
countermeasures; viz., any kind of disk data overwriting (such as
Clearing per DOD 5220.22-M).

Class 2 ("laboratory") attacks use special amplifiers and signal
processing to extract previously recorded data from under subsequent
overwrites. They rely on increased capabilities over the disk's
on-board electronics. Sanitizing per DOD 5220.22-M was designed to
counter such attacks by increasing the noise-to-signal ratio beyond
their capabilities. 

Many (but not all) INFOSEC people believe that the increased
signal-processing sophistication of the on-board controllers required
to even read the last-written data has kept Sanitizing ahead in this
particular measure/countermeasure race. However, most question the
adequacy of Sanitizing in protecting older, lower-density disks
(especially diskettes) against the most modern and sophisticated Class
2 attacks.
 
Class 3 ("cleanroom") attacks (such as with magnetic force
microscopy), are generally considered able to penetrate any software
countermeasures, including _any_ kind of overwriting. They are very
costly techniques to use to recover the entire image-as-it-used-to-be
of an overwritten multi-gigabyte disk, as opposed to a few
specifically targeted bytes, however. 

(Try getting a quote for recovery of overwritten data - not just
"reformatted" drive contents.)

Nevertheless, any data of sufficient value to intelligence services or
comparably-funded adversaries should not have its confidentiality rely
upon overwriting countermeasures.

The value of your data to the kinds of attackers who can use each
class of techniques will determine whether you must counter that
class. 

This is the basis for requiring defense contractors to use Clearing or
Sanitizing per DOD 5220.22-M (for re-use or for disposal,
respectively) of media containing data classified as Confidential or
Secret, while requiring NSA-approved degaussing and destruction for
Top Secret media.

According to the Navy's Magnetic Remanence Guidebook, a Type II
degausser (351-to-750 Oersteds) - preferably an evaluated model
from the NSA's Degausser Products List - is required for Purging hard
drives. This removes even the servo tracking data, making the drive
totally unusable, as well as suitably free of Classified data.

The three armed services' standards for disk data overwriting are
NAVSO P5239-26, AFSSI-5020 and AR 380-19, respectively.

If your main concern is "keyboard attacks," such as with forensic
software or disk sector editors, IBM's free WIPE.EXE utility from
their website overwrites all software-accessible sectors with zeros,
restoring the disk to "as-new" condition.


Albert P. BELLE ISLE
Cerberus Systems, Inc.
================================================
ENCRYPTION SOFTWARE with
  Forensic Software Countermeasures
    http://www.CerberusSystems.com
================================================
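
The two-pass overwrite from the quoted question (random pass, then zeros) with the read-back verification a practitioner would add, as an added Python example that is not code from either poster. It is the software-only countermeasure against Class 1 (keyboard) reads described above and says nothing about Class 2 or 3 techniques; running it against a real block device needs the device path and sufficient privileges, which this example does not assume.

```python
import os

CHUNK = 1 << 20   # 1 MiB per write/read


def _size(fd):
    # Size of a regular file or a block device: lseek to the end works for both.
    end = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return end


def _fill(fd, size, source):
    # Overwrite every byte from offset 0 to size with bytes from source(n).
    os.lseek(fd, 0, os.SEEK_SET)
    left = size
    while left:
        buf = source(min(CHUNK, left))
        written = 0
        while written < len(buf):             # os.write may be partial
            written += os.write(fd, buf[written:])
        left -= len(buf)
    os.fsync(fd)                              # push the pass past the OS cache


def _verify_zero(fd, size):
    # Read everything back; True only if every byte is zero.
    os.lseek(fd, 0, os.SEEK_SET)
    left = size
    while left:
        buf = os.read(fd, min(CHUNK, left))
        if not buf or buf.count(0) != len(buf):
            return False
        left -= len(buf)
    return True


def wipe_and_verify(path):
    # Random pass, zero pass, then confirm the zero pass reads back clean.
    # Returns (bytes_overwritten, verified). os.urandom, like /dev/urandom,
    # does not block waiting for entropy, so the random pass never runs dry.
    fd = os.open(path, os.O_RDWR)
    try:
        size = _size(fd)
        _fill(fd, size, os.urandom)
        _fill(fd, size, lambda n: bytes(n))
        return size, _verify_zero(fd, size)
    finally:
        os.close(fd)


def self_check():
    # Runs the wipe on a throwaway temporary file holding constructed data.
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"secret data that must not survive the wipe" * 1000)
        path = f.name
    try:
        return wipe_and_verify(path)
    finally:
        os.unlink(path)
```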

------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Fri, 02 Mar 2001 22:47:05 GMT

Jim Taylor wrote:

> Sometimes I wonder about these groups. Are you all drug dealers or
> something?

No.  We are patriots.  We are interested in protecting an arrogant state from
the kinds of excesses that are likely to enslave us or destroy the legitimacy
of that government.

> What would be so bad about the FBI or NSA, with considerable
> effort and expense, being able to decrypt a PGP message?

If they had a warrant and served it, nothing.  The problem is that they read other
people's mail without serving the warrant.  They overreach.  They ask for
privileges and capabilities that are useful for surveillance but unnecessary for
investigation.

> Aren't they the
> good guys trying to protect _us_ against spies, terrorists and organized
> crime?

Perhaps.  Perhaps they are bureaucrats.  I am simply heeding Orwell's warning
that bureaucrats, simply doing what bureaucrats do, without any particular
motive or intent, will use technology to enslave the people.  I am trying to
heed Franklin's warning that "the price of Liberty is eternal vigilance."

> If they had an encrypted message in their hands detailing a plan to
> nuke your city, none of you would want them to be able to decrypt it?

Perhaps.  What I oppose is their reading all messages in the name of finding
that one.  What I object to is their presumption that because I take the
precaution of hiding my message that I am otherwise doing something wrong.  I
object to their spending my money to have 83 agents on Capitol Hill lobbying
for the Congress to make my use of cryptography illegal per se.  What I object
to is that such a law invites arbitrary and capricious enforcement and that
such enforcement undermines the rule of law.  I object to their demanding that
the telecommunications industry provide them with 1000 times the eavesdropping
capacity that they have ever had warrants for and then, instead of paying for
it on the budget, requiring that the industry pass the cost to the subscribers.  I
object to them spending $500M per year for that capacity when they will only
admit to 1000 warrants per year.  I object to them telling the congress that
they have significant evidence that terrorists, drug dealers, pornographers and
mafiosi are using crypto but that they cannot discuss it for fear of
compromising ongoing investigations.

> As long as the cost for decrypting a PGP message is too high to go looking
> for petty crimes, so what if they could decode one if they wanted to?

I was once ridiculed here because I published a 386 bit RSA key.  I figured
that that was sufficient to prevent anyone but NSA and the FBI from reading my
traffic and that I could not prevent them from reading it in any case.

How do you feel when they tell the congress that strong encryption should be
outlawed for all users because it provides perfect security for their
adversaries?

> They
> would never let the cat out of the bag that they had the ability for even
> someone like Hanssen, so I think all your porno is safe.

That argument holds for NSA.  The FBI has a very different reputation for
protecting sources and methods.

> Don't get me wrong, I use and like PGP, but it's not the NSA and FBI that I
> worry about. I simply want to keep some things private from co-workers, ISP
> employees and the like, and there's no doubt that PGP works very well for
> that.

Lessig warns us that Liberty is proportional to the cost of surveillance to the
state.  Since the cost of surveillance falls with the cost and use of
technology in any case, it behooves us to keep the cost as high as we can.

>
>
> --
> Jim Taylor

Bill Murray


------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Fri, 02 Mar 2001 22:49:14 GMT

kroesjnov wrote:

> > Sometimes I wonder about these groups. Are you all drug dealers or
> > something?  What would be so bad about the FBI or NSA, with considerable
> > effort and expense, being able to decrypt a PGP message?  Aren't they the
> > good guys trying to protect _us_ against spies, terrorists and organized
> > crime?  If they had an encrypted message in their hands detailing a plan
> to
> > nuke your city, none of you would want them to be able to decrypt it?
> >
> > As long as the cost for decrypting a PGP message is too high to go looking
> > for petty crimes, so what if they could decode one if they wanted to?
> They
> > would never let the cat out of the bag that they had the ability for even
> > someone like Hanssen, so I think all your porno is safe.
> >
> > Don't get me wrong, I use and like PGP, but it's not the NSA and FBI that
> I
> > worry about. I simply want to keep some things private from co-workers,
> ISP
> > employees and the like, and there's no doubt that PGP works very well for
> > that.
>
> Could not agree more with you.
> Although I am not an American, I would not mind if the BVD (Dutch National
> Intelligence service) would have this ability.
> I think they (like any other country's national intelligence service) should
> try their very best to make this possible...

Were you in Holland when the Nazis invaded and took over all the police
records?

>
>
> Comments are welcome.
>
> (Sorry about the spelling, but the spelling controller of Outlook Express
> just ain't that good, and my English is far from perfect...)
>
> "Wisdom lies not in obtaining knowledge, but in using it in the right way"
>
> kroesjnov
> email: [EMAIL PROTECTED] (remove nov to reply)
> UIN: 67346792
> pgp fingerprint: 4251 4350 4242 7764 80DA  DB1C E2B2 850A DF15 4D85


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Completly wiping HD
Date: Fri, 2 Mar 2001 22:21:00 GMT

David Griffith wrote:
> Is this enough to wipe it clean?

It depends on who you think the threat is.
One thing for sure, if you overwrite every sector
it will take equipment and skill beyond the reach of
your everyday "hacker" to recover the original information.
If you don't need to reuse the disk, follow up the basic
overwrite procedure with physical measures, e.g.
degauss it and polish off the oxide coating.

------------------------------

From: [EMAIL PROTECTED] (Timothy M. Metzinger)
Date: 02 Mar 2001 23:32:47 GMT
Subject: Re: => FBI easily cracks encryption ...?

In article <[EMAIL PROTECTED]>, William Hugh Murray
<[EMAIL PROTECTED]> writes:

>Perhaps.  Seems very unlikely that the FBI can collect such information on
>its
>own and even less likely that the NSA would trust the FBI with it

Well the trust level will certainly be less NOW, but in the past a LOT of
information was shared between the Intel agencies and FBI.

Timothy Metzinger
Commercial Pilot - ASMEL - IA   AOPA Project Pilot Mentor
'98 M20J - N1067W
Pipers, Cessnas, Tampicos, Tobagos, and Trinidads at FDK


------------------------------

From: [EMAIL PROTECTED] (Timothy M. Metzinger)
Date: 02 Mar 2001 23:32:46 GMT
Subject: Re: => FBI easily cracks encryption ...?

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> writes:

>It's pretty obvious why: consider information about suspected
>terrorists.  Some of that information might be obtained via
>signals intelligence, the methods and in many cases existence
>of which must not be disclosed in order to protect valid
>national security concerns.

Yep, and remember the FBI is the counterespionage agency for the US. 

Bottom line is that law enforcement agencies (USCS, USSS, DEA, FBI, ATF, USCG,
INS, and others) all deal with criminal activities that extend beyond our
borders.  As a result there is a lot of foreign intel shared with these
agencies, and while the data itself may not be earth-shaking, the knowledge
that can be derived from it about HOW the intelligence was gathered IS
earth-shaking, and thus the data becomes classified.

Additionally, there's a lot of information shared to law enforcement agencies
by businesses about their business and security practices... That information,
if disclosed (especially to foreign interests) would degrade our national
security by possibly weakening our economy.  So that too becomes classified.

It's a neat fact to note that one of the few true MultiLevel secure computing
systems was developed by Boeing... who applied similar technology to protect
its own engineering data.


Timothy Metzinger
Commercial Pilot - ASMEL - IA   AOPA Project Pilot Mentor
'98 M20J - N1067W
Pipers, Cessnas, Tampicos, Tobagos, and Trinidads at FDK


------------------------------

From: [EMAIL PROTECTED]
Subject: Question about double encryption
Date: Fri, 02 Mar 2001 23:39:28 +0000

First of all I'm fairly new to all this, so apologies if this is a
stupid question.

Is it possible that the following scenario actually *weakens* the
encryption strength :

A TCP/IP link exists that uses Blowfish (128 bit). The link is used
for multiple ports, one of which is ssh. The ssh link uses 3DES (in
CFB mode I believe), so effectively you have a 3DES stream encrypted
by Blowfish and then transmitted. The receiving machine decrypts the
Blowfish algorithm and forwards on the ssh stream to another machine
which decrypts the 3DES.

Note that I am not concerned about the security at the receiving side
- I'm primarily concerned about the implications at the transmitting
side.

Please don't hit me with too much math - links to sites with papers on
this or similar topics would be good.

TIA.

________________________________________________________________________
Protect your privacy! - Get Freedom 2.0 at http://www.freedom.net


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Question about double encryption
Date: Fri, 02 Mar 2001 23:46:33 +0000

On Fri, 02 Mar 2001 23:39:28 +0000, [EMAIL PROTECTED] wrote:

________________________________________________________________
>Protect your privacy! - Get Freedom 2.0 at http://www.freedom.net

Oh and apologies about this tag line - I've disabled it now (I think).


------------------------------

From: "Ryan M. McConahy" <[EMAIL PROTECTED]>
Crossposted-To: alt.anonymous.messages,alt.security.pgp,talk.politics.crypto
Subject: Re: Text of Applied Cryptography
Date: Fri, 2 Mar 2001 18:43:52 -0500

http://www.cacr.math.uwaterloo.ca/hac/



------------------------------

From: "news.free.fr" <[EMAIL PROTECTED]>
Subject: Re: Problem
Date: Fri, 02 Mar 2001 23:52:42 GMT


"Gabriele Alberti" <[EMAIL PROTECTED]> wrote in message news:
[EMAIL PROTECTED]
>
> If you know the whole space of Pi and the Ci, would you be able to get
> the Ti?

I think the answer is: Yes

The usual method considers Ci xor Cj in order to get rid of R.

But in this case the key space (2^32) is very small and I suppose a
brute-force attack is possible.

(You don't say if R has 32 bits or n x 32 bits; is the key space
 2^32 or 2^(n x 32)?)
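
The reply's observation that Ci xor Cj gets rid of R, worked through for the scheme in the question as an added Python example (not code from either poster). The P-space is reduced from 2^32 to 2^8 entries so the pairwise enumeration runs in a moment; the P-bitstreams, plaintexts and R are constructed values.

```python
import hashlib

P_BITS = 8        # the post has a 2^32 space; 2^8 keeps the enumeration quick
LEN = 8           # bytes per plaintext, so |R| = |Ti| = |Pi| = 8 bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_p_space():
    # The 2^P_BITS P-bitstreams, derived deterministically (constructed values).
    return [hashlib.sha256(b"P" + i.to_bytes(4, "big")).digest()[:LEN]
            for i in range(1 << P_BITS)]


def encrypt(texts, choices, p_space, r):
    # C_i = T_i XOR P_i XOR R, with the single R shared by every message.
    return [xor(xor(t, p_space[k]), r) for t, k in zip(texts, choices)]


def pairwise_candidates(ci, cj, p_space):
    # C_i XOR C_j = T_i XOR T_j XOR P_i XOR P_j: R has cancelled, and what is
    # left ranges over at most |P|^2 values however long R is.
    d = xor(ci, cj)
    return {xor(d, xor(pi, pj)) for pi in p_space for pj in p_space}
```

The candidate set is the same for every R, which is what makes the size of the P-space, not the length of R, the quantity that matters.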




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
