Cryptography-Digest Digest #805, Volume #8       Mon, 28 Dec 98 05:13:03 EST

Contents:
  seeking SSH shell account ("jason hathaway")
  Re: Cryptography FAQ (01/10: Overview) (John Pliam)
  Re: Encryption Basics (Boudewijn W. Ch. Visser)
  Re: seeking SSH shell account (James Pate Williams, Jr.)
  Re: U.S. Spying On Friend And Foe (Anonymous)
  Re: ppdd - Encrypted filesystem (incl root filesystem) for Linux - rev 0.6 available ("Alexander Majarek, Sascha, SAM")
  Re: crypt-o-text (JPeschel)
  Re: U.S. Spying On Friend And Foe
  Re: Encryption Basics (David Hamilton)
  hotmail passwords (Robert Taylor)
  Re: hotmail passwords (JPeschel)
  Secure Indicators for the Enigma
  Re: crypt-o-text (JPeschel)
  A Hacker Nightmare! (JPeschel)
  Re: Microsoft SGC (SSL), CrytoAPI? (grt)
  How to encrypt a string using IDEA (snow tan)
  Session key establishment protocol with symmetric ciphers (Shawn Willden)
  Re: Highly structured info. (XML) and decryption ("Anders W. Tell")

----------------------------------------------------------------------------

From: "jason hathaway" <[EMAIL PROTECTED]>
Subject: seeking SSH shell account
Date: Sun, 27 Dec 1998 13:54:08 PST
Crossposted-To: comp.security.ssh,alt.security

Hi,

I have been using an SSH shell account on cyberpass.net
for the past month (for port forwarding). I was using
SecureCRT for Windows 95 on my end. (This allows me to
encrypt all Web pages between me and cyberpass.net,
and also prevents sites from seeing who is really
visiting them.)

The past couple weeks cyberpass.net has been EXTREMELY
slow. I am used to very fast page loading, as I have a
cable modem. I don't know if cyberpass.net will go back
to their previous speed - they don't answer e-mail.

Anyone know of a good SSH shell provider? The only 
service I need is port forwarding. I am paying $10
a month for the cyberpass.net account.

Also, anyone know of a Windows 95 SSH client that is
better than SecureCRT?

Thanks,

Jason




------------------------------

From: John Pliam <[EMAIL PROTECTED]>
Subject: Re: Cryptography FAQ (01/10: Overview)
Date: 27 Dec 1998 22:18:26 GMT

John Savard wrote:
> It occurs to me that since "[EMAIL PROTECTED]" is not only
> identified in the text of the FAQ as the E-mail address of its editor,
> to whom comments should be directed, but it is _also_ the E-mail
> address by which the FAQ is posted, it can't have been *truly*
> abandoned.

Not necessarily, because both the news headers and the following excerpt
from news.answers seem to indicate that the FAQ itself comes from
rtfm.mit.edu, configured as:

>  Newsgroups: sci.crypt,talk.politics.crypto,sci.answers,news.answers,
>              talk.answers
>  Subject: Cryptography FAQ (*/*: *)
>  From: [EMAIL PROTECTED]
>  Frequency: every three weeks
>  Comment: The following articles are currently being posted (archive...
>  Archive-name: cryptography-faq/part01
>  Summary: Part 1 of 10 of the sci.crypt FAQ, Overview. Table of
>   contents, contributors, feedback, archives, administrivia, changes.
>  Date: 2 Nov 1998 12:27:33 GMT

Changes to FAQs maintained there are password protected, so de-orphaning
the Crypto FAQ will require help from the MIT people.  Does anyone
who reads sci.crypt know the rtfm people?

John Pliam
[EMAIL PROTECTED]
http://www.ima.umn.edu/~pliam

------------------------------

From: [EMAIL PROTECTED] (Boudewijn W. Ch. Visser)
Subject: Re: Encryption Basics
Date: 27 Dec 1998 22:22:56 GMT

On Sun, 27 Dec 1998 21:58:06 GMT, David Hamilton <[EMAIL PROTECTED]> 
wrote:

[snip meaning of cost, also testing/learning time etc]

>Please note that I'm not complaining about the costs of using free software:
>I'm just saying that these costs exist. And the fact that there are costs
>associated with free software doesn't stop me from being grateful to those,
>in the crypto community, who provide quality free software.
>

True, but notice that all those costs must also be added to software that 
is not free.
Non-free software also takes time to learn, has a risk of causing problems,
and may not function as expected.

Boudewijn
-- 
+--------------------------------------------------------------+
|Boudewijn Visser        | E-mail:[EMAIL PROTECTED]      |
| -finger for PGP-keys.- | http://www.ph.tn.tudelft.nl/~visser |
+-- my own opinions etc ---------------------------------------+

------------------------------

From: [EMAIL PROTECTED] (James Pate Williams, Jr.)
Crossposted-To: comp.security.ssh,alt.security
Subject: Re: seeking SSH shell account
Date: Sun, 27 Dec 1998 22:40:27 GMT
Reply-To: [EMAIL PROTECTED]

"jason hathaway" <[EMAIL PROTECTED]> wrote:

>Also, anyone know of a Windows 95 SSH client that is
>better than SecureCRT?

I use F-Secure SSH which has RSA authentication. I don't know whether
it is better than your current SSH client, however.

http://www.datafellows.com/

==Pate Williams==
[EMAIL PROTECTED]
http://www.mindspring.com/~pate



------------------------------

From: Anonymous <[EMAIL PROTECTED]>
Subject: Re: U.S. Spying On Friend And Foe
Date: 27 Dec 1998 23:07:39 +0100

Excerpt from sci.crypt charter:

"What if you want to post an article which is neither pure science nor
pure politics? Go for talk.politics.crypto. Political discussions are
naturally free-ranging, and can easily include scientific articles. But
sci.crypt is much more limited: it has no room for politics."

READ: No room for politics.



------------------------------

From: "Alexander Majarek, Sascha, SAM" <[EMAIL PROTECTED]>
Subject: Re: ppdd - Encrypted filesystem (incl root filesystem) for Linux - rev 0.6 available
Date: Sun, 27 Dec 1998 20:37:50 +0100

Has anybody considered building something like this (ie root filesystem
encryption) for Win X (95/98/NT) systems ???

... sounds GREAT!
Greetings,
SAM

--
*************************************************
             ThinkTank (FN 157681i, HG Wien)
   Quinta da Friedali, Jedleseer Str. 25, A-1210 Wien
     Tel: +43-1-271 44 00-0; FAX: 43-1-271 44 00-20
  http://www.ThinkTank.at   mailto:[EMAIL PROTECTED]
       PGP-Key: http://www.ThinkTank.at/ttank.pgp
*************************************************

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: crypt-o-text
Date: 27 Dec 1998 18:46:17 GMT

>zuldare <[EMAIL PROTECTED]>writes:


> I have heard that the encryption program Crypt-o-Text is
>"brainless to crack."
>If this is true, and it probably is, can someone tell me how to get
>started? thanks.
>
>
Who knows what "brainless to crack" means.
You might want to read my short review of
Crypt-o-Text in InfoWorld.

http://www.infoworld.com/cgi-bin/displayArchive.pl?/97/27/rwebhuba.dat.htm

Or just go to the page below for Casimir's crack.

Joe


__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: U.S. Spying On Friend And Foe
Date: 27 Dec 98 20:23:47 GMT

Steve Sampson ([EMAIL PROTECTED]) wrote:
: If they would have executed him, like the law provides, all this
: whining would be blowing in the wind.

: He knew the consequences of getting caught.  I think we should
: execute him before we give him back to the Zionists.  Or maybe
: give him back to the Zionists after first giving him to the Arabs.

I know that some people advocating the release of Jonathan Pollard have
claimed that he gave satellite information to Israel as a result of its
being withheld by anti-Semites in cabinet posts relating to defence.
However, I have also heard that the current CIA director objects to his
release, and that may be with good reason.

Thus, I do not know the facts of this particular issue.

However, the way in which you have used the term "Zionists" to refer to
Israel indicates that you are in error about other facts.

During the period before the establishment of the State of Israel in 1948,
it occasionally happened that young Arab men would amuse themselves with
girls among the small Jewish population then in what was called Palestine.
As the men were Muslims, and the girls non-Muslim, the criminal justice
system did not operate to protect them.

This is reason enough for us to acknowledge that the Jewish people have
the right to defend themselves by means of whatever force is necessary,
even if the end result is that the Arabs of Palestine end up in the same
unenviable situation as the First Nations population of North America.

The history of the Arab-Israeli conflict, marked as it is by the frequent
resort of the forces hostile to Israel to the cruel and cowardly expedient
of terrorism, the dependence of nations making war against Israel on
weapons obtained from behind the Iron Curtain, and the general hostility
of much of the Islamic world to the United States, Western Europe, and the
world's other leading civilized countries, would seem to make it
abundantly clear on which side right lies in the conflict between Israel
and its neighbors.

The option of peace with the Jewish people was _always_ open to the Arab
nations. Each time they chose otherwise, they were defeated. No one seeks
a Greater Israel that stretches from Tunisia to the Persian Gulf, but if
the nations hostile to Israel decide to continue to choose war instead of
peace, they can bring it about.

John Savard

------------------------------

From: [EMAIL PROTECTED] (David Hamilton)
Subject: Re: Encryption Basics
Date: Mon, 28 Dec 1998 00:39:12 GMT

=====BEGIN PGP SIGNED MESSAGE=====

[EMAIL PROTECTED] (Boudewijn W. Ch. Visser) wrote:

>On Sun, 27 Dec 1998 21:58:06 GMT, David Hamilton
><[EMAIL PROTECTED]> 
>wrote:
>
>[snip meaning of cost, also testing/learning time etc]

I must try to be more brief in future. You've summed up in one sentence most
of what I was trying to say, Boudewijn.

>True, but notice that all those costs must also be added to software that 
>is not free.
>Non-free software also takes time to learn, has a risk of causing problems,
>and may not function as expected.

True.


David Hamilton.  Only I give the right to read what I write and PGP allows me
                           to make that choice. Use PGP now.
I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use. Do use:-
2048bit rsa ID=0xFA412179  Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
Both keys dated 1998/04/08 with sole UserID=<[EMAIL PROTECTED]>
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
Comment: Signed with RSA 2048 bit key

=====END PGP SIGNATURE=====

------------------------------

From: [EMAIL PROTECTED] (Robert Taylor)
Subject: hotmail passwords
Date: Sun, 27 Dec 1998 17:22:49 -0800 (PST)

Is there any way to get someone's hotmail password? Please E-mail me!
[EMAIL PROTECTED]


------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: hotmail passwords
Date: 28 Dec 1998 02:33:51 GMT

>[EMAIL PROTECTED] (Robert Taylor)writes:

>Is there any way to get someone's hotmail password? Please E-mail me!

Ask 'em for it!

Joe

__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] ()
Subject: Secure Indicators for the Enigma
Date: 28 Dec 98 03:47:38 GMT

In "Meditations on a Cordless Phone", I note the following extremely crude
and simple cipher - two monoalphabetic substitutions on bytes, with the XOR
of a plain shift-register sequence between them. I comment that I haven't
seen attacks on it, yet it is far too simple to be "secure".

I've thought of one: given a long known plaintext, places where the same
ciphertext byte becomes the same plaintext byte identify repeats in the
shift-register sequence. Since such sequences are known to be weak, even
limited information about them should be very helpful in identifying them.

Then I thought about Purple - it had a plugboard, but that didn't make a
cipher stronger than a shift-register secure.

Thinking about the differences between the two cases led me to propose the
following secure indicator scheme for the Enigma.

As I've already noted, putting Enigma ciphertext through a simple
transposition cipher gets rid of the Enigma's fatal flaw - the easy
alignment of cribs.

Here, though, is something that contributes greatly to the Enigma's
security in another way.

1) Pick six letters at random.

2) Encipher the first three of these letters by the ground setting, and
include the resulting ciphertext in the message.

3) Encipher the second three of these letters by the first three, and send
the result in the message.

4) Set the Enigma to the second three letters.

5) Encipher the 20-letter "plugboard key".

6) Take the resulting 20 letters, and, starting from the beginning, cross
out any duplicate letters in the output.

7) Using the remaining letters in pairs, disregarding an odd one that is
left, if any, use each pair to specify a plugboard connection. (So the 26
plugboard sockets must be marked with letters instead of just numbers.)

Voila! Every message has a unique plugboard setting - at least, as unique
as the indicators are.

8) Continue with encipherment - of the message.

John Savard
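
[Added example, not part of the post above: steps 1-8 of the indicator scheme run end to end in Python. The rotor set (Enigma I, rotors I-II-III, reflector B, rings at A), the empty plugboard during steps 2-5, and all sample letters are assumptions made for illustration.]

```python
# Assumptions (not in the post): Enigma I with rotors I-II-III, reflector B,
# rings at A, and an empty plugboard until the per-message one is derived.
A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROTORS = ["EKMFLGDQVZNTOWYHXUSPAIBRCJ",   # I   (left)
          "AJDKSIRUXBLHWTMCQGZNPYFVOE",   # II  (middle)
          "BDFHJLCPRTXVZNYEIWGAKMUSQO"]   # III (right)
NOTCH = [A.index(c) for c in "QEV"]       # turnover positions of I, II, III
REFLECTOR = "YRUHQSLDPXNGOKMIEBFZCWVJAT"  # reflector B


def enigma(text, start, plugs=None):
    """Encipher text from rotor position start; return (output, end position)."""
    plugs = plugs or {}
    pos = [A.index(c) for c in start]
    out = []
    for ch in text:
        if pos[1] == NOTCH[1]:            # middle rotor at its notch: double step
            pos[0], pos[1] = (pos[0] + 1) % 26, (pos[1] + 1) % 26
        elif pos[2] == NOTCH[2]:          # right rotor at its notch: carry
            pos[1] = (pos[1] + 1) % 26
        pos[2] = (pos[2] + 1) % 26
        c = A.index(plugs.get(ch, ch))
        for i in (2, 1, 0):               # right to left through the rotors
            c = (A.index(ROTORS[i][(c + pos[i]) % 26]) - pos[i]) % 26
        c = A.index(REFLECTOR[c])
        for i in (0, 1, 2):               # back, left to right
            c = (ROTORS[i].index(A[(c + pos[i]) % 26]) - pos[i]) % 26
        out.append(plugs.get(A[c], A[c]))
    return "".join(out), "".join(A[p] for p in pos)


def derive_plugboard(letters):
    """Steps 6-7: cross out repeated letters, pair the rest, drop an odd one."""
    unique = list(dict.fromkeys(letters))
    plugs = {}
    for a, b in zip(unique[0::2], unique[1::2]):
        plugs[a], plugs[b] = b, a
    return plugs


def send(ground, six, plug_key, message):
    ind1, _ = enigma(six[:3], ground)          # step 2
    ind2, _ = enigma(six[3:], six[:3])         # step 3
    stream, pos = enigma(plug_key, six[3:])    # steps 4-5
    plugs = derive_plugboard(stream)           # steps 6-7
    return ind1, ind2, enigma(message, pos, plugs)[0]   # step 8


def receive(ground, plug_key, ind1, ind2, body):
    first, _ = enigma(ind1, ground)
    second, _ = enigma(ind2, first)
    stream, pos = enigma(plug_key, second)
    return enigma(body, pos, derive_plugboard(stream))[0]


if __name__ == "__main__":
    PLUG_KEY = "QWERTZUIOPASDFGHJKLY"          # constructed 20-letter secret
    for six in ("XKCDAB", "MQPLZN"):           # constructed picks for step 1
        ind1, ind2, body = send("AAA", six, PLUG_KEY, "WEATHERREPORT")
        pairs = derive_plugboard(enigma(PLUG_KEY, six[3:])[0])
        print(six, ind1, ind2, body, len(pairs) // 2, "plug pairs")
        assert receive("AAA", PLUG_KEY, ind1, ind2, body) == "WEATHERREPORT"
```

[Because repeated letters are crossed out in step 6, the number of plugboard pairs varies from message to message and can be fewer than ten.]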

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: crypt-o-text
Date: 28 Dec 1998 04:29:42 GMT

Damn, I'd forgotten that I'd put Casimir's crack of Crypt-o-Text in
a password protected zip.  While the zip file was easy to crack, the
archive's password protection may be a bit of a headache, and a
deterrent to reading Caz's essay. The essay originally appeared
on Fravia's Pages of Reverse Engineering, the site where I was
first introduced to Casimir.  

Thanks Fravia.

You'll now find the entire essay and cracker C++ source code 
as an HTML page.  An executable in unprotected zip is now
included.

Joe

__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: A Hacker Nightmare!
Date: 28 Dec 1998 04:39:32 GMT

From: http://microsort.hypermart.net/fl.html

"File Locker is the hacker's nightmare and the 
ultimate file protection utility. If you need
real security for your documents and/or 
programs, this program is for you. File Locker
could be extremely useful in a multi-user 
environment, at your home, your office or
wherever privacy is essential. If you need
to send sensitive documents over the Internet,
you could secure them with File Locker and 
rest assured that no one can look at their
contents. File Locker uses an advanced and 
quite unconventional encryption technology
to lock your files, so that only a person 
who has a right could open/read them. It
does not matter what type or size of file 
you want to secure, File Locker will encrypt 
and lock it for you. File Locker is a must 
have for people who value their privacy."

Any bets on how secure this flocker is from
a *cracker*?

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (grt)
Subject: Re: Microsoft SGC (SSL), CrytoAPI?
Date: Mon, 28 Dec 1998 04:10:21 GMT
Reply-To: <[EMAIL PROTECTED]>

In article <764568$heh$[EMAIL PROTECTED]>, "R H Braddam" 
<[EMAIL PROTECTED]> wrote:
>The only experience I have with it is from compiling
>the ENUMALGS example in the SDK samples and running it.
>My system is supposed to be upgraded to 128 bit
>RC4. No other encryption algorithms at any strength.
>Oddly, it reports 128-bit hashes. That is when
>specifying the RSA_FULL provider. IE4 help about
>reports 128 bit encryption, but I can't find a way to
>select encryption strength or even verify 128 bit
>capability.

In your call to CryptAcquireContext(), specify 
MS_ENHANCED_PROV and PROV_RSA_FULL.

Make sure that RSAENH.DLL is installed properly.
You may want to reregister it
start | run | regsvr32.exe rsaenh.dll

HTH


Gerard R Thomas
Port of Spain,  Trinidad and Tobago
mailto:[EMAIL PROTECTED]  mailto:[EMAIL PROTECTED]
PGP Key IDs: RSA:0x9DBCDE7D  DH/DSS:0xFF7155A2

------------------------------

From: snow tan <[EMAIL PROTECTED]>
Subject: How to encrypt a string using IDEA
Date: Mon, 28 Dec 1998 14:42:08 +0000

Hi,

I have been using algorithm IDEA to encrypt my key data. I read through
the source code and test program, but I don't know how to encrypt a
string using IDEA. Could you help me ? And give me a sample .


Thanks ,

Snow


------------------------------

Date: Sat, 26 Dec 1998 15:24:01 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Session key establishment protocol with symmetric ciphers

I suspect this is not a difficult problem, but it may
generate some interesting responses, so here goes.

Suppose Alice and Bob share a secret key K and wish to
establish a session key to be used for encrypting
messages.  Alice generates a random R_A and Bob generates a
random R_B.  Alice sends R_A to Bob and Bob sends R_B to
Alice, then both compute:

        K_S = E( F(R_A, R_B),  K)

to get the session key K_S.

So, the question is:  What is a good choice for F?  Some
criteria are obvious:

o    A large number of result bits should be dependent on
each of R_A and R_B.
o    It should not be feasible for an attacker observing R_A
to generate an R_B such that F(R_A, R_B) results in a value
observed during an earlier use of the protocol.

Are there others?  Based on the above criteria, it seems
clear that xor is a bad choice and a secure hash is an
excellent choice, but is a secure hash any better than, say
concatenation?  Is there anything wrong with:

    F(R_A, R_B) = R_A || R_B

I don't think so.

On a related note, is there any point to using session keys
when a shared secret key is already available?  Sure it
reduces the amount of ciphertext encrypted under a
particular key, but that shouldn't matter with a good
cipher.

Shawn.
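
[Added example, not part of the post above: the second criterion checked in Python for three candidate F functions (xor, concatenation, secure hash). HMAC-SHA256 stands in for E(., K) and the nonce values are constructed; both are assumptions made for illustration.]

```python
import hashlib
import hmac


def E(data, key):
    """Stand-in for the post's E(., K); HMAC-SHA256 is an assumption here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def f_xor(r_a, r_b):
    return bytes(a ^ b for a, b in zip(r_a, r_b))


def f_concat(r_a, r_b):
    return r_a + r_b      # unambiguous only because both nonces are fixed length


def f_hash(r_a, r_b):
    return hashlib.sha256(r_a + r_b).digest()


def session_key(F, r_a, r_b, k):
    """K_S = E(F(R_A, R_B), K) as written in the post."""
    return E(F(r_a, r_b), k)


def cancelling_r_b(old_r_a, old_r_b, new_r_a):
    """The R_B that cancels a fresh R_A under xor: old_r_a ^ old_r_b ^ new_r_a."""
    return f_xor(f_xor(old_r_a, old_r_b), new_r_a)


def old_key_can_be_forced(F, k, old_r_a, old_r_b, new_r_a):
    """True if that chosen R_B makes the new run derive the earlier K_S."""
    recorded = session_key(F, old_r_a, old_r_b, k)
    chosen = cancelling_r_b(old_r_a, old_r_b, new_r_a)
    return hmac.compare_digest(recorded, session_key(F, new_r_a, chosen, k))


if __name__ == "__main__":
    K = b"shared-secret-K!"                  # constructed sample key
    OLD_A, OLD_B = bytes(range(16)), bytes(range(16, 32))   # recorded run
    NEW_A = bytes(range(32, 48))             # Alice's fresh nonce
    for name, F in (("xor", f_xor), ("concat", f_concat), ("hash", f_hash)):
        print(name, old_key_can_be_forced(F, K, OLD_A, OLD_B, NEW_A))
    # xor    -> True:  the second criterion fails without any knowledge of K
    # concat -> False: F contains the fresh R_A itself, so it cannot repeat
    # hash   -> False: matching the old F value would need a SHA-256 collision
```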



------------------------------

From: "Anders W. Tell" <[EMAIL PROTECTED]>
Subject: Re: Highly structured info. (XML) and decryption
Date: Mon, 28 Dec 1998 09:30:47 +0100
Reply-To: [EMAIL PROTECTED]


Harpy-36 wrote:

> > <?xml version="1.0" standalone="no" encoding="UTF-8"?>
> > <!DOCTYPE IDL SYSTEM "theschema.dtd">
> > <ROOT>
> >     <COMMENT> text text text...</COMMENT>
> >     <COMMENT> text text text...</COMMENT>
> > </ROOT>
> >
> > Here the message has a well defined start (the ?xml tag),
> > a reference to the structure of the rest of the message on second row
> > (DOCTYPE)
> > and all information is enclosed in tags (ROOT and COMMENT)
> >
> > My first question is are current encryption algorithms and key lengths
> > enough to handle this class of highly structured messages when
> > their schemas are known ?
>
> Yes.
>
> > Could someone point me to any resources where this issue have been
> > dealt with/researched or is this already a well known problem in the
> > "crypt"
> > community ?
>
> It is already well known. Cipher block chaining or cipher feedback modes
> use an Initialization Vector to alter the first block with a
> pseudo-random number so that this common header is obfuscated.

Do you know which modern and widely used algorithms use this technique ?


> Then
> subsequent blocks are chained with earlier blocks to carry along this
> uniqueness. If this technique is not used and Electronic Code Book Mode
> is used, then your concern is correct: headers would make it easier to
> detect a correct cryptanalysis.

The other concern I have is that all pieces of information in an XML message
are enclosed in tags. Example:
<msg>
 <value> 1234.57 </value>
</msg>

At all positions in a message there will be a well known "structure"
with start tags followed by end tags.

Does this feature alone make it "significantly" easier to break any
encrypted message?

Regards
--
/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
/  Financial Toolsmiths AB  /
/  Anders W. Tell           /
/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
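
[Added example, not part of the message above: the ECB versus CBC point from the quoted reply, shown on two XML messages that share the prolog from this thread. The 16-byte Feistel function is a toy stand-in for a real block cipher, and the key, IVs and message bodies are constructed for illustration.]

```python
import hashlib

BLOCK = 16


def toy_block_encrypt(key, block):
    """4-round Feistel permutation on 16 bytes; a toy, not a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def pad(msg):
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, msg):
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pad(msg)))


def cbc_encrypt(key, iv, msg):
    """Ciphertext blocks only; the IV travels alongside in the clear."""
    out, prev = [], iv
    for b in blocks(pad(msg)):
        prev = toy_block_encrypt(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)


def leading_equal_blocks(a, b):
    """How many blocks at the start of a and b are identical."""
    n = 0
    for x, y in zip(blocks(a), blocks(b)):
        if x != y:
            break
        n += 1
    return n


PROLOG = (b'<?xml version="1.0" standalone="no" encoding="UTF-8"?>\n'
          b'<!DOCTYPE IDL SYSTEM "theschema.dtd">\n<ROOT>\n')
MSG1 = PROLOG + b"    <COMMENT> first note </COMMENT>\n</ROOT>\n"   # constructed
MSG2 = PROLOG + b"    <COMMENT> other text </COMMENT>\n</ROOT>\n"   # constructed

if __name__ == "__main__":
    key = b"constructed key!"
    iv1, iv2 = b"\x01" * BLOCK, b"\x02" * BLOCK   # fixed here; random in practice
    ecb = leading_equal_blocks(ecb_encrypt(key, MSG1), ecb_encrypt(key, MSG2))
    cbc = leading_equal_blocks(cbc_encrypt(key, iv1, MSG1),
                               cbc_encrypt(key, iv2, MSG2))
    same_iv = leading_equal_blocks(cbc_encrypt(key, iv1, MSG1),
                                   cbc_encrypt(key, iv1, MSG2))
    print("ECB shared blocks:", ecb)              # the common header shows through
    print("CBC, distinct IVs:", cbc)              # header no longer visible
    print("CBC, IV reused   :", same_iv)          # reuse brings the pattern back
```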



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
