Cryptography-Digest Digest #524, Volume #12      Thu, 24 Aug 00 10:13:00 EDT

Contents:
  Re: My unprovability madness. (Nathan the Great)
  Re: Steganography vs. Security through Obscurity ([EMAIL PROTECTED])
  Re: Serious PGP v5 & v6 bug! ("Howard")
  Re: Serious PGP v5 & v6 bug! ([EMAIL PROTECTED])
  Re: Serious PGP v5 & v6 bug! (Ron B.)
  Re: Serious PGP v5 & v6 bug! (Stephen Early)
  Re: Serious PGP v5 & v6 bug! ("JL")
  Re: Serious PGP v5 & v6 bug! (Charles Blair)
  Re: Serious PGP v5 & v6 bug! ("JL")
  Re: SHA-1 program (cool!) (Daniel Leonard)
  Re: Serious PGP v5 & v6 bug! (Ron B.)
  Re: The DeCSS ruling (Daniel Leonard)
  Re: Serious PGP v5 & v6 bug! ([EMAIL PROTECTED])
  Re: Serious PGP v5 & v6 bug! ("JL")
  Re: Serious PGP v5 & v6 bug! ("JL")
  Re: The DeCSS ruling (Ron B.)

----------------------------------------------------------------------------

From: Nathan the Great <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics
Subject: Re: My unprovability madness.
Date: Thu, 24 Aug 2000 11:56:27 GMT

In article <V8Wo5.4848$[EMAIL PROTECTED]>,
  "Adam Russell" <[EMAIL PROTECTED]> wrote:
> No, I wasn't speaking of Godel.  I was referring to the
> suggestion of a system of logic where unprovable statements
> are deemed to be false.

Adam, WHEN USING CONSTRUCTIVE LOGIC, unprovable
statements _are_ false, not just deemed to be.

> That system seems to be flawed because it
> produces examples of A and !A both being false.

That's no problem, WHEN USING CONSTRUCTIVE LOGIC.
Isn't evaluating foreign logics, using your own,
illogical?  ;-)

> Undecidable truths may be ruled out by definition,
> but the cure is worse than the disease.

You're entitled to your opinion, but the disease is
actually much much worse.

Adam, interpret 'false' as 'not necessarily true' and
things will appear less contradictory to you.

--
Nathan the Great
Age 12


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Steganography vs. Security through Obscurity
Date: Thu, 24 Aug 2000 12:07:19 GMT

In article <8o1ljh$rmq$[EMAIL PROTECTED]>,
  David A Molnar <[EMAIL PROTECTED]> wrote:

> http://citeseer.nj.nec.com/did/114788


Thanks for the pointer. This will help a lot.


> As to the other question - "what kind of security can we get from
> watermarking schemes?" that seems to depend critically on just
> what is *meant* by a watermarking scheme.

Traitor Tracing. I developed a system that I used with e-mail messages
from a list I run. It *resists* attempts to defeat the
watermarking, even if multiple receivers compare messages. Same would
hold true on a CD-ROM archive of the messages.

I'd like to make it 100% foolproof, which means that removing the
watermarks is impossible, but I don't think it is possible
to have a stego system that can do that. If it isn't possible, then
perhaps in this case stego *requires* obscurity to succeed.

I'd like to know if the technique I developed is new or not.
If it is, I can publish it. If not, perhaps I can improve my technique.



Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Howard" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 13:23:02 +0100

=====BEGIN PGP SIGNED MESSAGE=====

"Michel Bouissou" <[EMAIL PROTECTED]> wrote in message
news:8o314o$k1n$[EMAIL PROTECTED]
: 
: If this bug is confirmed, I'm afraid that every PGP user should consider
: immediately revoking his DH/DSS keys and revert back to RSA for the time
: being.

I agree that experienced users should be able to spot an ADK quite easily,
at least those who read the manual and spot the Red circle in their
keyring. However the freeware manual, while telling you how to recognise
one and set the options to warn you about them, doesn't deal with the
issue at all.
Michel, can you explain your view that DH/DSS keys shouldn't be used?
Aren't ADKs possible with RSA Public keys? And isn't the default option in
V5 and 6 set to warn when encrypting to ADKs?

Rgds
Howard
Staffordshire, England
PGP Keys:
0xECFEF05F (DH/DSS)
0x96302AD7 (RSA)

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQEVAwUBOaUTf/ex36KWMCrXAQFstAf/Wdza6nhtX4rF7tNw5VOD3wVldferSvqS
3DWreAjrE+6yT6BdNmQciMude+oRTMYi9vv2VrI3OiG8/Vx+gWSMZykIQi+hsc0n
orR8qgthk32EWRhDU0Xk0t1smSdWW2ak4F26LeHSj/QR5c0k6ulZhPjm7g21oc27
QUeaLNnaUnxMXPRCph0G8tk3UsPMKSVEjQeDbNDshf4q2jyL1zBea1dE6VN9Ed40
Ek0hUNqZ5OtMFHVLfH/l2i7Mg5JUPkV2ch++th2q+GBTQG2UiPA0HdCAmrm1DpGt
UteYpuMIEynevHeMjGengrA6/5j5D+vJby1+Md39YEK09XLWWgBzJw==
=4UZZ
=====END PGP SIGNATURE=====



------------------------------

Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
From: [EMAIL PROTECTED]
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 12:40:05 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

JL wrote:
> > > since the receiver would see that the message has
> > > been encrypted with additional keys,
> >
> > Not necessarily. If the receiver has cached his decryption passphrase as
> > many do, the message will be decrypted without him being shown the
> > corresponding list of possible decryption keys, and thus he will not see the
> > unexpected ADK.
> 
> True, but that's just another reason not to use passphrase caching.
> 
> > If he sees it, he will just see it as an "unknown public key" because he
> > will not have any copy of the forged ADK in his keyring, thus he may not
> > correctly identify the risk.
> 
> True, but it should be a hint to proceed to deeper verification.

why does PGP show "unknown public key" instead of showing the key ID, grrrr
very bad..


> > If this bug is confirmed, I'm afraid that every PGP user should consider
> > immediately revoking his DH/DSS keys and revert back to RSA for the time
> > being.
> 
> Simply revoking a DH/DSS key and issuing a new RSA one is also risky, since
> you need to re-create the whole signature chain, which makes you vulnerable.
> 
> If you think the risk justifies that you should revert back to RSA, the best
> way to do it is to only revoke the DH/DSS subkey, which is used for
> encryption, and keep the main keep valid, which is used for signing. You can
> then sign your RSA key with your existing DH/DSS key, thus preserving the
> signature chain.
> JL.

what is the bug?

i don't see the original message, just this reply :-(
deja news also did not find anything with this subject

seems it is somehow related to ADK...

but even RSA keys can have ADK, see:
http://senderek.de/security/key-experiments.html

but you can avoid ADKs by removing self-signature from key
if you do not self sign the key - no ADKs can be added to that key.
very good reason not to self-sign keys


== <EOF> ==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp.htm <-- PGP half-Plugin for Netscape
remove .NOSPAM.NET for email reply
=====BEGIN PGP SIGNATURE=====
Version: Netscape PGP half-Plugin 0.14 by Disastry / PGPsdk v1.7.1

iQA/AwUBOaT7XDBaTVEuJQxkEQL+WgCgy6MJHtHOrxJth6ZxsL/8PbkLMRoAoI91
pC+fLfTd7lqPTd/4I1fECXOU
=2xAI
=====END PGP SIGNATURE=====

------------------------------

From: Ron B. <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 12:53:58 GMT

On Thu, 24 Aug 2000 11:19:53 GMT, "JL" <[EMAIL PROTECTED]> wrote:


>"Sam Simpson" <[EMAIL PROTECTED]> a écrit dans le message news:
>[EMAIL PROTECTED]
>
>> The effect is that GCHQ can create a tampered version of your PGP
>> public key containing a public key whose corresponding private key is
>> also known to themselves, and circulate it. People who encrypt
>> traffic to you will encrypt it to them too.
>
>The bug isn't that nasty, since the receiver would see that the message has
>been encrypted with additional keys, and can then send a non-tampered version
>of his public key to the sender. Only the first message would then be
>compromised, and both the sender and the receiver would know about it.
>
>JL.
>


I sent the following message to the pgp-users mailing list. It
addresses this claim.

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Assuming that PGP does warn that the message is being encrypted to an
ADK if this bug is used to add an unknown key, we still have the
following problem.  If I send a message to Jane using her key, and
get this message, I don't know if the ADK is legitimate or not.  She
may be required by her job to use message recovery.  Do I tell Jane
about this?  If so how, if I only have her key?  Either I will be
telling Jane something she knows already, or I will be telling the
"bad guys" that we are on to them. (Not a good tactical move).  Also
if Jane is using legitimate message recovery and someone else is
modifying her key, then we have learned nothing from the ADK warning.


=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOaUKawzUoy7OvTSOEQK/pwCghtBE9ytmnYC44DZEQXo/H8/djlQAniq4
lEG5ZePg0LJrn6u+CKZeBWmy
=TwFf
=====END PGP SIGNATURE=====


------------------------------

From: Stephen Early <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: 24 Aug 2000 12:58:39 GMT

In article <[EMAIL PROTECTED]>,
 <[EMAIL PROTECTED]> wrote:
>but even RSA keys can have ADK, see:
>http://senderek.de/security/key-experiments.html
>
>but you can avoid ADKs by removing self-signature from key
>if you do not self sign the key - no ADKs can be added to that key.
>very good reason not to self-sign keys

However, if a key is not self-signed then there is no way to be sure
that the userid corresponds to the public key - it could easily be
tampered with. This isn't a problem if you're just using the keyid or
relying on signatures from other keys.

Steve Early

------------------------------

From: "JL" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 13:09:37 GMT

<[EMAIL PROTECTED]> a écrit dans le message news:
[EMAIL PROTECTED]

> why does PGP shows "unknown public key" instead of showing key ID, grrrr
> very bad..

It does both with my version (6.5.1ckt).

JL.



------------------------------

Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
From: [EMAIL PROTECTED] (Charles Blair)
Date: Thu, 24 Aug 2000 13:10:11 GMT

   For those who want to worry about it, an article by Ken Thompson
described how he once inserted some private code into a C compiler:

   http://www.acm.org/classics/sep95

------------------------------

From: "JL" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 13:14:57 GMT

"Ron B." <[EMAIL PROTECTED]> a écrit dans le message news:
[EMAIL PROTECTED]

> Do I tell Jane about this?

Yes, you do.

>  If so how, if I only have her key?  Either I will be
> telling Jane something she knows already,

But she will answer something that you don't.

> or I will be telling the
> "bad guys" that we are on to them. (Not a good tactical move).

It's still better than not knowing anything. And this assumes that you don't
have any other means to reach her, and that she doesn't either, which is
unlikely.

> if Jane is using legitimate message recovery and someone else is
> modifying her key, then we have learned nothing from the ADK warning.

Another good reason not to use ADK at all. If you want someone else to be
able to decrypt your messages you can as well manually include his key.

JL.




------------------------------

From: Daniel Leonard <[EMAIL PROTECTED]>
Subject: Re: SHA-1 program (cool!)
Date: Thu, 24 Aug 2000 13:17:28 GMT

On 24 Aug 2000, S. T. L. wrote:

> <<It seems to me that you really pushed things to the limit by testing a 300 MB
> file.>>
>
> Yeah.  In another post someone suggested that tripping over the 2^31 bit
> boundary triggered the bug (and as I now know, it was in HASHcipher and not
> SHA1.EXE).  This is probably because the bokler.com people weren't careful and
> didn't use unsigned when they should have.  I explicitly used unsigned long
> ints everywhere, which means my program is good at least up to 2^32 bits.
> Beyond that, it will fail (to my knowledge); I never had the intention of being
> fully FIPS 180-1 compliant, but because I didn't think in terms of bits and
> bytes clearly (for the second time, argh), SHA1.EXE's noncompliance will begin
> at 512MB and not 4GB, as I thought.  Crud.  4GB was a reasonable limit, but
> 512MB might be a little low.

Use unsigned long long instead of unsigned long int; unsigned long int
is about 32 bits while unsigned long long is about 64 bits (as
"required" by FIPS 180-1).

If you do not want to use unsigned long long, you can look into the code
of MD5 in RFC 1321: Rivest does arithmetic on two unsigned long ints to
mimic a 64-bit integer.

> <<If there is some way of showing that your program is good for files
> below a certain size, it would still be very useful for my purposes. So do
> we prove that, to a statistically acceptable level of certainty?>>
>
> Well, SHA1.EXE passes all three Appendices in the SHA-1 spec, and also agrees
> with SHA1.COM and bokler.com's HASHcipher for a 100,000,000 "a" file.  And
> SHA1.EXE agrees with SHA1.COM for the pak0.pak (300MB) file.  I still believe
> that SHA1.EXE provides bulletproof hashes for files under 512MB, but beyond
> that my implementation _will_ screw up because I do refer to the bits in
> origbits, and that's only an unsigned long int which is only guaranteed to be
> 32 bits (and DJGPP doesn't provide any more, incidentally).  I'll see what I
> can do about breaking the 512MB limit, but realistically I don't think that
> that many people have 512MB files on their hard drives.  Not even I do.  Yet,
> that is.  :-P

Diablo II might :)

> <<NIST has some test vectors (beyond those in FIPS-180) that may be useful,
> though they look kind of hard to use:
> http://csrc.nist.gov/cryptval/shs/sha1-vectors.zip>>
>
> Oddly enough, the bokler.com HASHcipher is certified.  Maybe both SHA1.EXE and
> SHA1.COM are failing... crud.  I'll look at these test vectors; thanks!

I looked at those; would it have been simpler for NIST to give binary files
instead of their format:

12 1's followed by 7 0's then by 11 1's ...

The parser to understand their format is more complicated than SHA
:) because you have to make one...

> <<I would suggest trying it on a different compiler and/or library.  May be a
> problem with the library handling certain size files.>>
>
> A good suggestion, but I believe that DJGPP is fine, thank goodness.  :-D

DJGPP supports unsigned long long

> <<Also check the method of appending the length code.
>
> You may be overwriting data with the length or vice versa.
> Or you may be overwriting the low 32 bits of the length with
> the high 32 bits.  Also possible is not shifting properly since
> the 'normal' word size is 32 bits and the length is 64 bits
> and expresses the total length of data in bits.>>
>
> Well, I've always made the crocky assumption in SHA1.C that the file length
> will be less than 2^32 bits, and the first word is automatically all zeroes.
> (Hence why I know absolutely that it will fail for files > 512MB).  Otherwise,
> I think that I append the length properly.
>
> Perhaps I'll need to include a bignum library or make a clever hack so that I
> can deal with files that are over 2^32 bits.  Argh.  Thanks for everyone's
> help.

==========
Daniel Léonard

OGMP Informatics Division    E-Mail: [EMAIL PROTECTED]
Département de Biochimie     Tel   : (514) 343-6111 ext 5149
Université de Montréal       Fax   : (514) 343-2210
Montréal, Quebec             Office: Pavillon Principal G-312
Canada H3C 3J7               WWW   :
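To make the point about the length field concrete, here is an added example; it is not S. T. L.'s SHA1.C and not code Daniel posted. It is a C99 SHA-1 that keeps the running byte count in a 64-bit `uint64_t` (the `unsigned long long` suggested above) and encodes it, as FIPS 180-1 requires, as two big-endian 32-bit words, high word first, in the RFC 1321 style of a high/low pair. `sha1_length_high_word()` reads that high word back so you can see why a 32-bit `origbits` fails at 512 MB: for a 600 MB input the high word is 1, not 0. All function names are the example's own; the expected digests are the three FIPS 180-1 appendix vectors (`abc`, the 56-byte string, and one million `a`s).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ROTL32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

typedef struct {
    uint32_t h[5];          /* chaining state */
    uint64_t total_bytes;   /* 64-bit byte count: the length field needs 64 bits */
    uint8_t  block[64];     /* buffered partial input block */
    size_t   fill;          /* bytes currently buffered */
} sha1_ctx;

/* One 512-bit block through the FIPS 180-1 compression function. */
static void sha1_compress(uint32_t h[5], const uint8_t blk[64]) {
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int i = 0; i < 16; i++)   /* message words are big-endian */
        w[i] = (uint32_t)blk[4*i] << 24 | (uint32_t)blk[4*i+1] << 16 |
               (uint32_t)blk[4*i+2] << 8 | (uint32_t)blk[4*i+3];
    for (int i = 16; i < 80; i++)
        w[i] = ROTL32(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    for (int i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t t = ROTL32(a, 5) + f + e + k + w[i];
        e = d; d = c; c = ROTL32(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

void sha1_init(sha1_ctx *c) {
    static const uint32_t iv[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE,
                                    0x10325476, 0xC3D2E1F0 };
    memcpy(c->h, iv, sizeof iv); c->total_bytes = 0; c->fill = 0;
}

void sha1_update(sha1_ctx *c, const uint8_t *p, size_t n) {
    c->total_bytes += n;
    while (n > 0) {
        size_t take = 64 - c->fill < n ? 64 - c->fill : n;
        memcpy(c->block + c->fill, p, take);
        c->fill += take; p += take; n -= take;
        if (c->fill == 64) { sha1_compress(c->h, c->block); c->fill = 0; }
    }
}

/* Length field as FIPS 180-1 wants it: bit count as two big-endian 32-bit words,
 * high word first. With a 32-bit count the high word is silently always zero. */
void sha1_encode_length(uint64_t total_bytes, uint8_t out[8]) {
    uint64_t bits = total_bytes * 8;
    uint32_t hi = (uint32_t)(bits >> 32), lo = (uint32_t)bits;  /* RFC 1321 style pair */
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(hi >> (24 - 8*i));
        out[4 + i] = (uint8_t)(lo >> (24 - 8*i));
    }
}
uint32_t sha1_length_high_word(uint64_t total_bytes) {  /* high word, read back */
    uint8_t len[8]; sha1_encode_length(total_bytes, len);
    return (uint32_t)len[0] << 24 | (uint32_t)len[1] << 16 | (uint32_t)len[2] << 8 | len[3];
}

void sha1_final(sha1_ctx *c, uint8_t digest[20]) {
    uint8_t len[8], pad = 0x80, zero = 0;
    sha1_encode_length(c->total_bytes, len);   /* capture before padding bumps the count */
    sha1_update(c, &pad, 1);
    while (c->fill != 56) sha1_update(c, &zero, 1);
    sha1_update(c, len, 8);
    for (int i = 0; i < 20; i++) digest[i] = (uint8_t)(c->h[i / 4] >> (24 - 8 * (i % 4)));
}

/* Hash a buffer; fills out with 40 lowercase hex digits and returns it. */
const char *sha1_hex(const uint8_t *msg, size_t n, char out[41]) {
    sha1_ctx c; uint8_t d[20];
    sha1_init(&c); sha1_update(&c, msg, n); sha1_final(&c, d);
    for (int i = 0; i < 20; i++) sprintf(out + 2*i, "%02x", d[i]);
    return out;
}

/* FIPS 180-1 Appendix A, B and C vectors; returns 1 when all three match. */
int sha1_check_fips_vectors(void) {
    static uint8_t million_a[1000000]; char hex[41];
    const char *s56 = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
    memset(million_a, 'a', sizeof million_a);
    int ok = strcmp(sha1_hex((const uint8_t *)"abc", 3, hex),
                    "a9993e364706816aba3e25717850c26c9cd0d89d") == 0;
    ok &= strcmp(sha1_hex((const uint8_t *)s56, strlen(s56), hex),
                 "84983e441c3bd26ebaae4aa1f95129e5e54670f1") == 0;
    ok &= strcmp(sha1_hex(million_a, sizeof million_a, hex),
                 "34aa973cd4c4daa4f61eeb2bdbad27316534016f") == 0;
    return ok;
}

int main(void) {
    printf("FIPS 180-1 vectors: %s\n", sha1_check_fips_vectors() ? "pass" : "FAIL");
    printf("high length word for a 600 MB file: %u\n", sha1_length_high_word(600ULL << 20));
    return 0;
}
```

The 512 MB boundary is exactly where the bit count reaches 2^32: a 512 MB file is 2^29 bytes, so its length in bits is 2^32 and the high word becomes 1 for the first time. Any implementation that stores the bit count in a 32-bit variable writes zero there and produces a digest that passes every small test vector yet disagrees with a compliant implementation on large files, which is why the appendix vectors alone cannot catch this class of bug.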


------------------------------

From: Ron B. <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 13:27:13 GMT

On Thu, 24 Aug 2000 13:14:57 GMT, "JL" <[EMAIL PROTECTED]> wrote:

>"Ron B." <[EMAIL PROTECTED]> a écrit dans le message news:
>[EMAIL PROTECTED]
>
>> Do I tell Jane about this?
>
>Yes, you do.
>
>>  If so how, if I only have her key?  Either I will be
>> telling Jane something she knows already,
>
>But she will answer something that you don't.
>
>> or I will be telling the
>> "bad guys" that we are on to them. (Not a good tactical move).
>
>It's still better than not knowing anything. And this assumes that you don't
>have any other means to reach her, and that she doesn't either, which is
>unlikely.
>
>> if Jane is using legitimate message recovery and someone else is
>> modifying her key, then we have learned nothing from the ADK warning.
>
>Another good reason not to use ADK at all. If you want someone else to be
>able to decrypt your messages you can as well manually include his key.

However ADK is touted by NAI as an alternative to key recovery.  It
allows data to be recovered but not the private key.  If a business
requires this then Jane may have no choice in her business
communications.
>
>JL.
>
>


------------------------------

From: Daniel Leonard <[EMAIL PROTECTED]>
Subject: Re: The DeCSS ruling
Date: Thu, 24 Aug 2000 13:28:11 GMT

On Wed, 23 Aug 2000, Jim Steuert wrote:

> I'm still hoping that someone posts the DeCSS code to this newsgroup
> (it's not very large), possibly in a "sanitized form without keys and
> with
> annotation", so that we can look at and understand the algorithms. If
> that
> is illegal then all those papers attacking various ciphers must be
> illegal.
>
> -Jim Steuert

Well the code can be found, in clear, from the court transcript.

http://cryptome.org/dvd-hoy-reply.htm

as exhibit B

==========
Daniel Léonard

OGMP Informatics Division    E-Mail: [EMAIL PROTECTED]
Département de Biochimie     Tel   : (514) 343-6111 ext 5149
Université de Montréal       Fax   : (514) 343-2210
Montréal, Quebec             Office: Pavillon Principal G-312
Canada H3C 3J7               WWW   :


------------------------------

Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
From: [EMAIL PROTECTED]
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 13:24:45 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Stephen Early wrote:
>  <[EMAIL PROTECTED]> wrote:
> >but you can avoid ADKs by removing self-signature from key
> >if you do not self sign the key - no ADKs can be added to that key.
> >very good reason not to self-sign keys
> 
> However, if a key is not self-signed then there is no way to be sure
> that the userid corresponds to the public key - it could easily be
> tampered with.

sure.. maybe this can be solved by having separate sign-only key
and signing encryption key with this key instead of self-signing.


> This isn't a problem if you're just using the keyid or
> relying on signatures from other keys.
> Steve Early


== <EOF> ==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp.htm <-- PGP half-Plugin for Netscape
remove .NOSPAM.NET for email reply
=====BEGIN PGP SIGNATURE=====
Version: Netscape PGP half-Plugin 0.14 by Disastry / PGPsdk v1.7.1

iQA/AwUBOaUF+DBaTVEuJQxkEQICxQCfQptfg54wHf7QmMU+O1saeEWIlpkAn3Oi
ZDJg53UXrqrPU1YMvqC5b/BU
=8XRT
=====END PGP SIGNATURE=====

------------------------------

From: "JL" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 13:33:30 GMT

"Ron B." <[EMAIL PROTECTED]> a écrit dans le message news:
[EMAIL PROTECTED]

> If a business
> requires this then Jane may have no choice in her business
> communications.

Then her company shouldn't complain if sensitive information is compromised. If
you don't trust your employees you shouldn't hire them in the first place.

JL.



------------------------------

From: "JL" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Thu, 24 Aug 2000 13:35:36 GMT

<[EMAIL PROTECTED]> a écrit dans le message news:
[EMAIL PROTECTED]
> maybe this can be solved by having separate sign-only key
> and signing encryption key with this key instead of
> self-signing.

This is exactly how it works with DH/DSS keys.

JL.



------------------------------

From: Ron B. <[EMAIL PROTECTED]>
Subject: Re: The DeCSS ruling
Date: Thu, 24 Aug 2000 13:38:34 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

On Thu, 24 Aug 2000 13:28:11 GMT, Daniel Leonard
<[EMAIL PROTECTED]> wrote:

>On Wed, 23 Aug 2000, Jim Steuert wrote:
>
>> I'm still hoping that someone posts the DeCSS code to this
>> newsgroup (it's not very large), possibly in a "sanitized form
>> without keys and with
>> annotation", so that we can look at and understand the algorithms.
>> If that
>> is illegal then all those papers attacking various ciphers must be
>> illegal.
>> 
>> -Jim Steuert
>
>Well the code can be found, in clear, from the court transcript.
>
>http://cryptome.org/dvd-hoy-reply.htm
>
>as exhibit B
>
>----------
>Daniel Léonard
>
>OGMP Informatics Division    E-Mail: [EMAIL PROTECTED]
>Département de Biochimie     Tel   : (514) 343-6111 ext 5149
>Université de Montréal       Fax   : (514) 343-2210
>Montréal, Quebec             Office: Pavillon Principal G-312
>Canada H3C 3J7               WWW   :


Interesting.  Was this code already a matter of public record?  If
not, would pre-trial publishing lead to prosecution and/or suit?

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOaUlUgzUoy7OvTSOEQJVcgCeOUN/pMQcau/oW5n76aw3NDG01jUAn2tC
j92+RkfMMlqamo03CrQ2ndH2
=gSaq
=====END PGP SIGNATURE=====


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
