Re: Stupid security measures, a contest
On Fri, Feb 14, 2003 at 02:18:00AM -0800, alan wrote:
> The extra anal security guard can be fun to play with.

A little bit more about guards:

In 1985/86 I did my compulsory army service in Koblenz, which also included being the guard of the barracks for several days. Once, when I was the guard of the main entrance, an army vehicle approached to enter the area. I stopped the vehicle and asked for the identity card, driving license, and driving order, just as usual. The guy in the car gave me each, but it was obvious that all three were wrong and forged. I told him to leave the car immediately and come with me to the officer on duty. He smiled and said "Congratulations, this was a security check and you have passed perfectly." I answered "Nice try", immediately pulled the gun and arrested him, put him in the prison in the guard house, and informed the chief of the barracks area.

It turned out that the guy indeed was a security officer of the army, and it was his job to perform security checks like this. The security department he came from had been performing checks like that one for about 15 years. He said in about 25% of their checks the guards didn't realize that the papers were wrong and let the person pass without questions. In such cases the guards had failed the test. In the other 75% of their checks the guards realized and stopped the person, and so the guards had passed the check. But their officers never ever had to prove that they were performing a security check, and they never needed their real identity cards. He was the first one to find himself arrested. It was always enough to say "Congratulations, this was a security check and you have passed." to enter the area without further questions and to leave a happy guard behind. No one ever had any doubts. And nobody realized that this was a security leak.

The effect was that the officers of that security department were entering barracks for 15 years as security officers performing security checks without ever having to show a valid identity card and driving order, either in the first or the second way, and didn't realize that this was a security problem. :-)

Hadmut

--
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Columbia crypto box
At 11:08 AM 02/13/2003 -0500, Trei, Peter wrote:
> Pete Chown [SMTP:[EMAIL PROTECTED]] wrote:
>> As a footnote to those times, 2 ** 40 is 1,099,511,627,776. My PC can do 3,400,000 DES encryptions per second (according to openssl). I believe DES key setup is around the same cost as one encryption, so we should halve this if a different key is being used each time. Brute force of a 40-bit DES key will therefore take about a week. In other words 40-bit DES encryption is virtually useless, as brute force would be available to anyone with a modern PC.
>
> You can actually do much better than that for key setup. To toot my own horn, one of the critical events in getting software DES crackers running at high speed was my realization that single-bit-set key schedules can be OR'd together to produce any key's schedule. Combining this with the use of Gray codes to choose the order in which keys were tested (Perry's idea) led to key scheduling taking about 5% of the time budget.

But to further toot Peter's horn here (:-), before Peter's discovery, or maybe some work by Biham (?) around that time, at least as far as the public literature knew, DES key scheduling was substantially slower than the S-box phases of DES, so not only were general-purpose-computer attacks Moore's-Lawfully slower, but add another factor of 10 or so, and custom hardware crackers would also need to burn resources on both parts of the algorithm and therefore take at least twice as much ASIC space unless extremely carefully managed. So while modern technology has made it severely useless, and while it was crippled back then, it was at least not _as_ crippled as it looks from today's viewpoint.