Cryptography-Digest Digest #922, Volume #13      Fri, 16 Mar 01 22:13:01 EST

Contents:
  Re: OverWrite:  best wipe software? (Anthony Stephen Szopa)
  Re: Cesar principle ("Joseph Ashwood")
  Defining a cryptosystem as "broken" ("Joseph Ashwood")
  Re: Anonymous web browsing (Dave Howe)
  Re: Cesar principle (br)
  Re: Anonymous web browsing (Dave Howe)
  Re: => FBI easily cracks encryption ...? (Dave Howe)
  Re: => TV detection (was: FBI easily cracks encryption ...?) (Dave Howe)
  Re: Computing power in the world (Frank Gerlach)
  Re: Text of Applied Cryptography .. do not feed the trolls (Dave Howe)
  Re: GPS and cryptography (David Schwartz)
  Re: Q: IP (those who know me have no need of my name)
  Re: Q: IP (those who know me have no need of my name)
  Re: Secure overwriting (those who know me have no need of my name)
  Re: Defining a cryptosystem as "broken" ("Trevor L. Jackson, III")
  Re: Security of IAPM, alone. (David Wagner)
  Re: Analysis of PCFB mode (David Wagner)
  Re: Encrypt then HMAC or HMAC then Encrypt? (David Wagner)

----------------------------------------------------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker
Subject: Re: OverWrite:  best wipe software?
Date: Fri, 16 Mar 2001 17:12:07 -0800

"Trevor L. Jackson, III" wrote:
> 
> Anthony Stephen Szopa wrote:
> 
> > Benjamin Goldberg wrote:
> > >
> > > Anthony Stephen Szopa wrote:
> > > >>
><SNIP>
>
>
> sed by a factor of 100 or more, yielding only a
> tiny amount of compressed data, thus leaving the original data untouched.
> 
> [snip drivel]


(I am sending this again because I do not see this reply as having 
been posted for over 24 hours.  A few additions have been made in 
this post since the last.)

Let's say you have a dedicated partition that can hold 20MB of data. 
Let's call it compressed hard drive h:\  (I know:  20MB of some 
types of data may be 60MB of another type of data.  It will make no
difference.  Read on.)

You begin writing files to H:\ one at a time.  Let's say these files 
are about 2MB each.  In short order H:\ becomes full.

Now you delete the middle file.  Let's say this leaves you with about 
a 2MB area of free space on H:\ pretty much in the middle of the 20MBs
in H:\

You use this 2MB to write and process your sensitive data.  

Now you want to delete this data and overwrite this 2MB area on H:\

I say that you should first delete all of your sensitive data thus 
freeing up this 2MB area on H:\

Then delete one of the original 2MB files you wrote to H:\ on each 
side of the 2MB you originally freed up to use for your sensitive 
data writing and processing.

Now you have about 6MB of your original total of 20MB freed up.

Now, the solution is straightforward, but there are some things to
consider:  since the data is being compressed before it is written 
to H:\, the specific overwrite bit patterns will have essentially no
effect as originally intended on a compressed drive.  Secondly, if 
you overwrite on a compressed byte per compressed byte basis then 
what you say has some validity.

The first problem cannot be addressed unless you know how the data 
is being compressed, etc.

But the second point is handled not by overwriting byte for byte but 
by overwriting until at least nearly all the remaining space from 
this 6MB area is overwritten.  This would require a slightly more
sophisticated process than currently implemented in OverWrite 
Version 1.2.  (and you would need to overwrite with several varying
sequences of strings of data in each pass such that they would be 
only minimally compressed)

But the solution is a simple one.  Overwrite successive files of the
same bit patterns contained in a single pass until the free space has 
all or nearly all been overwritten.

For instance, overwrite the 6MB with successive files of the given 
pass bit patterns.  Eventually you will get a disk out of space 
error.  If the files were appropriately small enough you can be sure
that the last file to write began its write well past where you had
written and processed your sensitive data.  Then go on with the next
pass of successive file overwrites until you once again get an out 
of disk space error, etc.

It is really a simple process to achieve the overwrite:  overwrite 
until you have run out of space to continue to overwrite, using
relatively small files, thus ensuring that by the time the last file 
is written and fails you have overwritten well past the area where 
the sensitive data was written in the middle of your compressed hard
drive.

The details are easily worked out and implemented in the case of a
compressed drive if one were inclined to address this very small 
minority segment of average users.

But the best solution I can recommend with the OverWrite Version 
1.2 program as currently implemented is not to use it on a 
compressed drive.

Would you use a pitchfork to eat fried rice?

Would you throw a tomahawk at an F-18 Hornet making a bombing run
against you?
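The procedure above (write small files until the volume reports that it is out of space) only works on a compressed volume if the fill data does not compress. The following is an added example, not code from the OverWrite program or from any poster: it models a compressed volume in which every file costs its zlib-compressed size, then runs the "fill until out of space" loop twice, once with a fixed bit pattern and once with random data. The `CompressedVolume` class, the capacity and the chunk size are constructed for the demonstration; a real compressed file system allocates space in its own way, but the effect is the same.

```python
# Added example (not OverWrite's code): why a fixed-pattern pass barely
# touches a compressed volume, and why the fill-until-ENOSPC approach
# needs data that does not compress.
import errno
import os
import zlib


class CompressedVolume:
    """Toy model of a compressed volume: each file costs its compressed size."""

    def __init__(self, capacity):
        self.capacity = capacity   # physical bytes available
        self.used = 0
        self.files = {}

    def write(self, name, data):
        stored = len(zlib.compress(data))
        if self.used + stored > self.capacity:
            # Same failure a real fill loop sees: no space left on device.
            raise OSError(errno.ENOSPC, "No space left on device")
        self.files[name] = stored
        self.used += stored

    def free(self):
        return self.capacity - self.used


def fill_until_full(volume, make_chunk, chunk_size, max_chunks):
    """Write chunk-sized files until ENOSPC (the post's stopping condition)
    or until max_chunks files have been written without filling the volume.
    Returns (files_written, logical_bytes_written, hit_enospc)."""
    written = 0
    for i in range(max_chunks):
        try:
            volume.write(f"fill-{i}", make_chunk(chunk_size))
        except OSError as exc:
            if exc.errno != errno.ENOSPC:
                raise
            return written, written * chunk_size, True
        written += 1
    return written, written * chunk_size, False


def constant_pattern(n):
    """A fixed overwrite pattern: compresses to almost nothing."""
    return b"\xAA\x55" * (n // 2)


def incompressible(n):
    """Random bytes: zlib cannot shrink these, so every chunk costs real space."""
    return os.urandom(n)


def compare(capacity=256 * 1024, chunk=16 * 1024, max_chunks=1000):
    """Run both fill strategies on identical fresh volumes and report the outcome."""
    results = {}
    for label, gen in (("pattern", constant_pattern), ("random", incompressible)):
        vol = CompressedVolume(capacity)
        files, logical, hit_enospc = fill_until_full(vol, gen, chunk, max_chunks)
        results[label] = {
            "files": files,
            "logical_bytes": logical,     # what the writer thinks it wrote
            "stored_bytes": vol.used,     # what actually landed on the volume
            "hit_enospc": hit_enospc,
        }
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(label, r)
```

With the defaults, the pattern pass writes a thousand 16 KiB files (16 MiB of logical data) and still never fills a 256 KiB volume, while the random pass hits the out-of-space error after roughly sixteen files, which is the condition the post relies on to know that the freed region has actually been written over.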

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Cesar principle
Date: Fri, 16 Mar 2001 16:41:25 -0800

"br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Subtracting 15342-14253 is not the same as subtracting 153 - 142

Actually it is exactly the same. Maybe you need to learn number theory as
well.

"br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> You have to know the length of the block, it could be variable.
> the key length could be variable etc...
> Suppose that the text is crypted before applying cesar principle.
> I may use Cesar principle to any message I want to transmit.


Since you don't seem to grasp the ease of this, please look up the Vigenere
cipher; it is exactly the same. Please then proceed to look up the fact that
it has been broken for the better part of a century by exactly the same
process I presented. Not knowing the block length will only add N attempts,
where N is the length of the block; it's trivial.
                                    Joe
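The ciphertext-only attack the post refers to, as an added example that is not part of the digest: guess the key length with the index of coincidence (each column of a correctly split ciphertext is a single Caesar shift of English and so has the high coincidence rate of English, roughly 0.066, while a wrong split looks close to random, roughly 0.038), then recover each key letter by the chi-squared distance of the column's letter counts from English frequencies. The sample plaintext and the key `CIPHERS` are constructed for this demonstration; the frequency table is the usual approximate one for English.

```python
# Added example (not from the digest): breaking Vigenere without the key.
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate English letter frequencies in percent, A through Z.
ENGLISH_PCT = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
               0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
               2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

# Constructed sample plaintext, long enough for the statistics to settle.
PLAINTEXT = (
    "The Vigenere cipher was once believed to be unbreakable because the same "
    "letter of the message can be encrypted to different letters of the "
    "ciphertext depending on its position. In the nineteenth century it was "
    "shown that this is only an illusion. Once the length of the key is known "
    "the ciphertext splits into as many separate streams as there are letters "
    "in the key, and each of those streams is nothing more than a simple shift "
    "cipher that can be solved by counting letters. The length itself can be "
    "found by looking for repeated groups of letters in the ciphertext, or by "
    "measuring how often two letters drawn at random from a stream happen to "
    "be the same. English text has a characteristic value for that measure "
    "which is much higher than the value for random letters, and the right key "
    "length is the one that makes every stream look like English again. None "
    "of this requires any knowledge of the block or of the message, and the "
    "work grows only linearly with the number of key lengths that have to be "
    "tried. A longer key makes every stream shorter and the statistics "
    "noisier, which is why a very short message under a long key resists this "
    "attack, but the method itself does not change."
)


def only_letters(text):
    return "".join(c for c in text.upper() if c in ALPHA)


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter (subtract when decrypting)."""
    key = only_letters(key)
    out = []
    for i, c in enumerate(only_letters(text)):
        k = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(c) + (-k if decrypt else k)) % 26])
    return "".join(out)


def index_of_coincidence(column):
    """Probability that two letters drawn from the column are equal."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(column).values()) / (n * (n - 1))


def guess_key_length(ct, max_len=12):
    """Mean IoC over the columns of each candidate period. Multiples of the
    true period score high as well, so take the shortest period that comes
    within 90 percent of the best score."""
    scores = {L: sum(index_of_coincidence(ct[i::L]) for i in range(L)) / L
              for L in range(1, max_len + 1)}
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.9 * best)


def chi_squared(column):
    """Distance between the column's letter counts and English expectations."""
    n = len(column)
    counts = Counter(column)
    return sum((counts.get(ch, 0) - n * p / 100) ** 2 / (n * p / 100)
               for ch, p in zip(ALPHA, ENGLISH_PCT))


def solve_caesar_column(column):
    """Try all 26 shifts; the one that looks most like English is the key letter."""
    def unshifted(k):
        return "".join(ALPHA[(ALPHA.index(c) - k) % 26] for c in column)
    return ALPHA[min(range(26), key=lambda k: chi_squared(unshifted(k)))]


def recover_key(ct, max_len=12):
    L = guess_key_length(ct, max_len)
    return "".join(solve_caesar_column(ct[i::L]) for i in range(L))


def demo(key="CIPHERS"):
    """Encrypt the sample under `key`, then recover the key from ciphertext alone."""
    ct = vigenere(PLAINTEXT, key)
    recovered = recover_key(ct)
    return {"key": recovered,
            "plaintext_ok": vigenere(ct, recovered, decrypt=True) == only_letters(PLAINTEXT)}


if __name__ == "__main__":
    print(demo())
```

The cost is what the post says: one index-of-coincidence pass per candidate period and 26 shifts per column, so an unknown period of up to N only adds N candidates rather than multiplying the work.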





------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Defining a cryptosystem as "broken"
Date: Fri, 16 Mar 2001 16:42:09 -0800

[I'm starting a new thread because the old one doesn't seem to be addressing
things in the way I want to]

I don't think that one can say flatly, cipher X is broken, cipher Y is not.
We must first build a threat/attack model.

A common one, and the one that is generally in use around here is slightly
memory bounded opponent, with the ability to perform 2^79-epsilon operations
(we don't usually bother with giving a timeframe for the opponent, but we
should, so let's give him a year). This makes 80-bit ciphers, minimally
strong.

However this is not the only definition. There are occasions where because
of the additional constraints of the system it is only possible for the
opponent to perform 2^55-epsilon operations in the valid time-period.

Still other times we are unprepared to grant our attacker less than 2^100
power. Each of these is a design decision, so while we tend to err on the
side of security, that does not necessarily mean that we are safer. There are
times to declare a cryptosystem as flatly broken: if I can perform the
necessary operations with a pocket calculator and a few pieces of paper, it
has clearly fallen below any reasonable definition of secure.

Typically these decisions are simplified for mass consumption, Schneier has
pushed the terms "Kid Sister Cryptography" versus cryptography that will
keep out governments. He has through placing ciphers on one side or the
other given us a rough estimate of the model he uses, he generally places
the opponent power at 2^79-epsilon for governments, anything below that is
"Kid Sister" grade. I am personally against hidden assumptions in the
threat/attack model, hiding the 2^79 power behind "good" cryptography does
not allow for easy maintenance of the model, next year (assuming Moore's
law holds on world computing power) we will face 2^80-epsilon power, and
what was borderline before becomes unacceptable.

Using this threat/attack model as a guideline one can find a suitable
encryption algorithm that meets the speed requirements as closely as possible.
                        Joe



------------------------------

From: Dave Howe <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: Anonymous web browsing
Date: Sat, 17 Mar 2001 01:21:40 +0000

In our last episode (<alt.security.pgp>[12 Mar 2001 05:39:08 GMT]),
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) said :
>[EMAIL PROTECTED] (Phil Zimmerman) wrote in 
><[EMAIL PROTECTED]>:
>  I have used both. However I would bet they are run by the
>NSA or something similar. SafeWeb does not work with
>Mozilla or even the latest netscape. Makes me wonder if 
>they have stock in Microsoft.
Odd - I find it works better for some sites in netscape 4.7 than via
IE 5, and works acceptably in NS 6.0
Yahoo groups (formerly eGroups), for example, is particularly unstable
via IE+safeweb, but rock solid under netscape+safeweb.
Safeweb has been approached by the CIA to sublicence the new "triangle
boy" network for CIA use, but if every company that sells things to
the CIA was crossed off the list, we would all be using Amiga
computers right now - definitely SUN, HP and INTEL would be off
limits....

--== DaveHowe ( is at) Bigfoot dot com ==--

------------------------------

From: br <[EMAIL PROTECTED]>
Subject: Re: Cesar principle
Date: Fri, 16 Mar 2001 20:22:01 -0400

If it's so trivial, I'm going to send a short message with two categories
good spelling encrypted with Cesar system.
I'm curious to see how much time you are going to spend to solve it.
  

Joseph Ashwood wrote:
> 
> "br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Subtracting 15342-14253 is not the same as subtracting 153 - 142
> 
> Actually it is exactly the same. Maybe you need to learn number theory as
> well.
> 
> "br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > You have to know the length of the block, it could be variable.
> > the key length could be variable etc...
> > Suppose that the text is crypted before applying cesar principle.
> > I may use Cesar principle to any message I want to transmit.
> 
> Since you don't seem to grasp the ease of this. Please look up Vigenere
> cipher, it is exactly the same. Please then proceed to look up the fact that
> it has been broken for the better part of a century by exactly the same
> process I presented. Not knowing the block length will only add N attempts
> where N is the length of the block, it's trivial.
>                                     Joe

------------------------------

From: Dave Howe <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: Anonymous web browsing
Date: Sat, 17 Mar 2001 01:23:04 +0000

In our last episode (<alt.security.pgp>[Mon, 12 Mar 2001 04:29:19
GMT]), Phil Zimmerman <[EMAIL PROTECTED]> said :
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Does anyone use any of the anonymous web browsing services such as
>Anonymizer or SafeWeb?
I stopped using anonymizer - mostly due to lack of HTTPS and FTP
support. Safeweb has both, and is well worth a look - almost no
noticeable slowing of the data, and configurable on-the-fly from its
toolbar config page.

--== DaveHowe ( is at) Bigfoot dot com ==--

------------------------------

From: Dave Howe <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Sat, 17 Mar 2001 01:27:48 +0000

In our last episode (<alt.security.pgp>[Tue, 13 Mar 2001 14:18:42
+0100]), Frank Gerlach <[EMAIL PROTECTED]> said :
>Phil Zimmerman wrote:
>Or maybe the NSA tries to do some FUDing about PGP. 
As far as I know, the only mention of the disk (and its code being
broken) was in the media - apparently the official reports don't
mention it at all.
Now it is possible it is an operational secret, but more likely they
"bugged" his copy of the encryption software to either cache a copy of
the plaintext for them to retrieve, or use a fixed key rather than a
random one - if the former, they wouldn't even have bothered trying to
retrieve the disk, but would have just assumed it had existed due to a
plaintext copy of the letter being available to them...
--== DaveHowe ( is at) Bigfoot dot com ==--

------------------------------

From: Dave Howe <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => TV detection (was: FBI easily cracks encryption ...?)
Date: Sat, 17 Mar 2001 01:42:05 +0000

In our last episode (<alt.security.pgp>[11 Mar 2001 21:33:34 GMT]),
[EMAIL PROTECTED] (Thomas Shaddack) said :
>By far not urban myth. I would be very! interested in schematics of a 
>device that would be able to receive signal from a computer monitor (TVs 
>should be relatively easier).
  As their most recent batch of advertisements freely admit, they
don't usually bother using their tempest rigs.
  We had one knock on *our* door a few weeks ago. Basically, the two
houses right next to us were empty, and they knocked on our door as
our licence was about to expire in three weeks.
  They didn't have a detector van - or any sort of van
  They didn't have handheld detectors
  What they DID have was a list of houses (clipboard with transparent
plastic cover), with "EXPIRED <date>" on some and "expires <date>" on
others (not a complete list I might add - there were only four for our
street, and the other also expired later that month)  I am sure you
can fill in the rest of this - the only other occupied house on that
list also got a visit. They were basically walking from door to door,
working from a printed sheet, on the assumption that everyone would
have a TV and could be harassed into buying a licence or (in my case)
signing up for direct debit as the licence was due.
  furrfu! 
  I also know a couple who had to impose a "no entry without a warrant
and a police officer present" after getting "inspections" from them
every other week. They were young (only just got together and first
flat) and really spent much of their time either at their parents'
houses or otherwise occupied - and got sick of having their cupboards
searched for the TV or radio set they "must" have.  English TV licence
people do not have any legal powers to inspect - they just take
advantage of the common view that they *must* have as they are
employed to enforce a government-imposed monopoly.
--== DaveHowe ( is at) Bigfoot dot com ==--

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Computing power in the world
Date: Sat, 17 Mar 2001 03:25:12 +0100

AirBete wrote:

> Hi all,
>
> What is the up-to-date estimate of the total computing power in the world in
> mips-years?

MIPS-years are a silly metric.
It's like asking "how many Megawatt-hours of processing capacity are there?"



------------------------------

From: Dave Howe <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: Text of Applied Cryptography .. do not feed the trolls
Date: Sat, 17 Mar 2001 01:57:43 +0000

In our last episode (<alt.security.pgp>[Mon, 12 Mar 2001 17:52:44
-0500]), "Ryan M. McConahy" <[EMAIL PROTECTED]> said
>Actually, there aren't any ads, and it is quite convenient to have
>in electronic format.
>I believe you are the troll, if there is one at all. Applied Crypto
>is out there, and you can't do anything to stop that. Anyone who's
>into crypto and has the money will buy it. Having it electronic form
>is useful for quotation reasons.
Indeed - I have the full set of the O'Reilly CD bookshelf CDs, even
though I have the books themselves - simply because an automated search
of the html form can save me an hour of pawing through indexes looking
for THE page that covers a (for example) sendmail config option.
--== DaveHowe ( is at) Bigfoot dot com ==--

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: GPS and cryptography
Date: Fri, 16 Mar 2001 18:16:44 -0800


> The software when receiving a crypted message destroys it if the position
> is different and allows it if it matches.
> The same idea may be used for another device.
> When you use a viewer to read a pdf file, if you don't have the viewer you
> can't read the message.
> So the software has to be hard to break.
> I have an idea to make it hard to break.

        In other words, the software decrypts the message if you give it the
correct key and not if you don't. No matter how hard your software is to
break, nothing forces an interceptor to use your software. In addition,
the software has no way to know that you are actually in a given
location, all it will know is that some device that claims to be a GPS
receiver claims that you are at that location. Nothing stops an
interceptor from using a gimmicked GPS receiver.

        In other words, if you have an actual idea, you haven't yet told us
what it is.

        DS

------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Q: IP
Date: Sat, 17 Mar 2001 02:35:30 -0000

<[EMAIL PROTECTED]> divulged:

>In case this statement of the newspaper is incorrect, please 
>kindly tell.

depends.  having a "dynamic" ip address offers no real increase in 
security.  (you get an ip address, sometimes the same, each time you 
connect, it does not change while you are connected.)

in many situations the fact that your ip address will change doesn't matter 
to attackers, since they weren't looking specifically for you, just 
someone.  once they've made good their intrusion you will probably be 
bugged, so that when an address change happens your new owners will know.

(to see how easy it is to track dynamic ip addresses consider services like 
dyndns.org, who provide a service that associates a dns name to your 
current ip address by the use of a utility running on your machine.)

the fact that your ip address doesn't change can have some privacy and 
security concerns, but that your address does change doesn't imply that you 
are more secure.

-- 
okay, have a sig then

------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Q: IP
Date: Sat, 17 Mar 2001 02:37:27 -0000

<98trtl$qh5$[EMAIL PROTECTED]> divulged:

>It is not only dynamic, for many times you only get an internal IP address,
>that is, not recognizable by the outside world. The ISP gateway may
>use NAT protocols to translate your IP. Have a look at RFC 1631

this tends not to be the norm.

-- 
okay, have a sig then

------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Secure overwriting
Date: Sat, 17 Mar 2001 02:47:16 -0000

<98tik2$4tf$[EMAIL PROTECTED]> divulged:

>- You can no longer save crash information in the swap partition.

generally swap space is structured, so the crash segment would already be 
tagged as such and you could just write crashes without encrypting.

but do you really want to?  the info might just be sensitive, so shouldn't 
be retained.

-- 
okay, have a sig then

------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Defining a cryptosystem as "broken"
Date: Sat, 17 Mar 2001 02:56:04 GMT

Joseph Ashwood wrote:

> Typically these decisions are simplified for mass concumption, Schneier has
> pushed the terms "Kid Sister Cryptography" versus cryptography that will
> keep out governments. He has through placing ciphers on one side or the
> other given us a rough estimate of the model he uses, he generally places
> the opponent power at 2^79-epsilon for governments, anything below that is
> "Kid Sister" grade. I am personally against hidden assumptions in the
> threat/attack model, hiding the 2^79 power behind "good" cryptography does
> not allow for easy maintainance of the model, next year (assuming Moore's
> law holds on world computing power) we will face 2^80-epsilon power, and
> what was borderline before becomes unacceptable.

The projective value of the threat model is important because using one cipher
for long term secrets and a separate cipher for "lesser" secrets leads to an
excess of administrative hassles.  In light of this issue, I call to your
attention a criticism of Moore's law from the people who write about the
methodology of designing integrated circuits.

In essence, they consider the estimate a bit timid.

In SDIS* the authors show a semilog graph of the number of transistors versus
year of introduction for the ten year span 1972-1981.  The line is not
straight.  It is sharply upward.  This implies that the rate is not constant,
and that the differential is positive.  Unfortunately they provide no raw data
other than a series of eleven time/size samples.

I speculate that there may be an overall "average" chip growth rate that
reflects Moore's thumb rule and is accurate in the short term.  However, there
will certainly be a dispersion about that rate.  For Darwinian reasons we might
expect the longer term growth rate to reflect the upper tail of that
distribution (because beating the median is a success trait).  By this thesis we
might expect the growth rate of ICs to creep upward, just as is shown by the
graph.

*SDIS = System Designs into Silicon, (c) 1993 IOP Publishing LTD, ISBN
0-7503-0114-7 by J Johansson and J C Forskitt of the Institute of Physics
Publishing, Bristol & Philadelphia, pp 1-2 to 1-3.


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Security of IAPM, alone.
Date: 17 Mar 2001 02:56:39 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Benjamin Goldberg  wrote:
>The IAPM chaining mode can be described as follows:
>w(x) = E(k0, iv0 + x) (for x = 0..log2(messagelength))
>s(i) = XOR-sum of a subset of w, selected with binary_greycode(i)
>ct[i] = s(i) XOR E(k1, s(i) XOR pt[i])
>
>I'm curious.  How secure is this scheme if k1 is fixed, perhaps at 0?

Great question!

I'm not sure, but I _think_ it might be quite secure,
if we assume E(k1, .) behaves like a random permutation when
k1 is fixed.  The analogy to the Even-Mansour construction (which
does have a proof of security) is quite intriguing.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Analysis of PCFB mode
Date: 17 Mar 2001 03:01:37 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Henrick Hellström wrote:
>You need full plain text of one previous message, and the legitimate server
>must not change the value of r0.

In XCBC mode, r0 is secret and random and chosen anew for each message.
So the conditions will not be satisfied.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Encrypt then HMAC or HMAC then Encrypt?
Date: 17 Mar 2001 03:02:30 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Paul Crowley  wrote:
>[EMAIL PROTECTED] (David Wagner) writes:
>> Don't chosen-ciphertext attacks also become much harder if a MAC
>> is applied to the plaintext and if the decryption operation is
>> bijective?
>
>I'm not used to thinking of decryption as bijective.  Usually there
>are many possible ciphertexts that can decrypt to the same plaintext,
>due to the use of an IV.

Oh, you're right.  Good point.  My comment was pretty useless.
Thanks for catching that.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************