Cryptography-Digest Digest #20, Volume #10 Mon, 9 Aug 99 23:13:03 EDT
Contents:
Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (Pretty Boy Mohandas)
Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (Pete Becker)
Re: Academic vs Industrial ("Steven Alexander")
Re: NIST AES FInalists are.... (John Savard)
Re: AES finalists to be announced (SCOTT19U.ZIP_GUY)
Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (Pete Becker)
Re: What is "the best" file cryptography program out there? (KidMo84)
Re: challenge revisited - off topic (Michael Slass)
Re: challenges / competitions??? ([EMAIL PROTECTED])
Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . ("Rosimildo DaSilva")
Error in Counterpane test vectors for Blowfish (Peter Gutmann)
Re: Construction of permutation matrix ("Douglas A. Gwyn")
Re: NIST AES FInalists are.... ("Douglas A. Gwyn")
UPCOMING EVENT- USENIX SECURITY SYMPOSIUM, 8/23-8/26/99 in DC (Moun Chau)
Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (Jerry Coffin)
Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (Jerry Coffin)
Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (wtshaw)
Re: : I AM CAVING IN TO JA... ("Thomas J. Boschloo")
Re: AES finalists to be announced (SCOTT19U.ZIP_GUY)
Security System or Encryption Algorithm suitable for this Network..? ("JaeYong Kim")
Re: Construction of permutation matrix (wtshaw)
Re: AES finalists to be announced ([EMAIL PROTECTED])
Re: Error in Counterpane test vectors for Blowfish (SCOTT19U.ZIP_GUY)
Re: Software trojan-horse DLLs (was Re: How to keep crypto DLLs Secure?) ("John E.
Kuslich")
----------------------------------------------------------------------------
From: Pretty Boy Mohandas <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Mon, 09 Aug 1999 16:49:56 +0600
Jerry Coffin wrote:
>
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> > Paul Lutus wrote:
> > >
> > > You don't get the *complete* help system. You still have help screens,
> > > abbreviated ones. They are in HTML. This requires MSIE.
> > >
> >
> > Non sequitur. There are many applications other than MSIE that can
> > display HTML.
>
> The help system uses a compiled version of HTML that few (if any)
> other browsers can display.
Why would that be, hmmmm <g>? I mean they probably would be able to if
only MS published.... Finally, installing an HTML control doesn't
require installing the whole browser. Or, let's say, need not. And
besides, HTML help sucks loudly and MSDN they had before was much
faster. The reader was better too--you could set up the background color
to something other than glaring white.
--
len
if you must email, reply to:
len bel at world net dot att dot net (no spaces, ats2@, dots2.)
------------------------------
From: Pete Becker <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Mon, 09 Aug 1999 17:38:20 -0400
Paul Lutus wrote:
>
> I *think* it gets us back to the same complaint, that MSIE is required. Not
> the original question, "Why is this true?"
>
> Oh, BTW. In *principle* VC++'s compiler can be made to work from the command
> line, thus eliminating all of that. You "simply:"
>
> 1. Extract the needed files from the distribution CD,
> 2. Create your own directory tree,
> 3. Write your own launching batch files.
>
> No MSIE, no need for a GUI at all, in fact.
>
Unless you need to use the debugger...
--
Pete Becker
Dinkumware, Ltd.
http://www.dinkumware.com
------------------------------
From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Re: Academic vs Industrial
Date: Mon, 9 Aug 1999 13:28:28 -0700
Kryptos hasn't actually undergone "intense public scrutiny". It's
algorithms have not been disclosed and it was not known to most people, even
cryptanalysts until it was featured on several tv news programs a few months
ago. Also, two people have independently broken two of the three portions
of Kryptos. It has been available to the public for study(the ciphertext
only) but you had to go to CIA headquarters to see it. DES on the otherhand
has been widely studied by many different cryptanalysts and has been subject
to probably every modern cryptanalytic attack(except that neat secret stuff
the NSA won't tell me about). It is now known which attacks are useful
against DES and which attacks it can stand up to. DES could be broken
completely tommorrow using a new unheard of method of cryptanalysis.
However, it is unlikely and would require a great degree of skill and effort
by the analyst. Cryptographers cannot guarantee that nobody will ever break
a cipher. On the same note, nobody can ever guarantee that a computer
system or network is completely secure or impenetrable. They can both
guarantee that any attack will be very difficult and require a considerable
amount of effort.
-steven
> The quantity of unsuccessful analysis is no measure of anything.
> Kryptos might have undergone a lot of "intense public scrutiny",
> but it turned out not to be an especially strong encryption.
>
> "Absence of knowledge is not knowledge of absence".
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST AES FInalists are....
Date: Mon, 09 Aug 1999 21:59:22 GMT
[EMAIL PROTECTED] (Bruce Schneier) wrote, in part:
>The envelope, please... The five AES finalists are Mars, RC6,
>Rijndael, Serpent, and Twofish.
>NIST Round 2 page:
>http://csrc.nist.gov/encryption/aes/round2/round2.htm
On the NIST page, it is noted that tweaks were proposed for several algorithms.
Only one of those algorithms is among the finalists, and it is MARS.
I have - hopefully correctly - updated my description of MARS at
http://www.ecn.ab.ca/~jsavard/co040806.htm
to note these tweaks as proposed modifications. They are highlighted in the same
fashion as I used when I modified my original QUADIBLOC cipher, with a dark
yellow background.
Note that the page on Xoom has not been updated.
Also, at
http://www.ecn.ab.ca/~jsavard/tele03.htm
I've followed my original intention, and modified the typeface used in the
diagram at the bottom of the page showing versions of the 5-level teletypewriter
code.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: AES finalists to be announced
Date: Mon, 09 Aug 1999 23:00:49 GMT
In article <[EMAIL PROTECTED]>, Helger Lipmaa <[EMAIL PROTECTED]> wrote:
>Bruce Schneier wrote:
>
>> The most interesting thing to notice is that the five finalists were
>> designed by teams that have had strong cryptanalysts on them. Almost
>> all of the other algorithms (E2 being the only exception) were
>> designed by teams that did not have strong cryptanalysts on them. As
>> I have said again and again, good ciphers are designed by good
>> cryptanalysts.
>
>I can imagine the face of Serge Vaudenay when reading this posting.
>
All it really shows is that it is a phony "mutual admiration society" that
is busy patting itself on the back and actually closed to any real progressive
original thought. If you don't think the way they do you are not allowed in.
Unless you use methods so poor that it makes them look good.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: Pete Becker <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Mon, 09 Aug 1999 17:39:22 -0400
Jerry Coffin wrote:
>
> The help system uses a compiled version of HTML that few (if any)
> other browsers can display.
Does that mean the same thing as "the help system doens't use HTML?"
--
Pete Becker
Dinkumware, Ltd.
http://www.dinkumware.com
------------------------------
From: [EMAIL PROTECTED] (KidMo84)
Subject: Re: What is "the best" file cryptography program out there?
Date: 09 Aug 1999 22:50:25 GMT
Yea it was mineral oil i believe, my mistake.
------------------------------
From: Michael Slass <[EMAIL PROTECTED]>
Subject: Re: challenge revisited - off topic
Date: Mon, 09 Aug 1999 15:29:20 -0700
Low Priority - Off topic
(but amusing)
DAG:
Your posting brings to mind this quote, which I had always believed was
attributable to Marl Twain, but according to
http://marktwain.miningco.com/library/texts/bl_notmarktwain.htm
isn't. Who knew?
When I was a boy of fourteen, my father was
so ignorant I could hardly stand to have the
old man around. But when I got to be
twenty-one, I was astonished at how much
the old man had learned in seven years.
Cheers.
-Mike
> Having said that, it does appear that Tom is merely a HS student,
> with more interest than actual experience in the subject. I recall
> from my HS days that it seemed that students knew everything and
> adults knew nothing.. But the adults got smarter as I grew up.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: challenges / competitions???
Date: Sun, 08 Aug 1999 15:50:00 GMT
In article <7ojvt0$l20$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> In article <7oj1pd$1lj0$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> > I have lots of reason. I am more honest than most people
> > you have ever met. But I think the only way to prove it. Is to
> > solve it and see.
>
> Again why solve it? nobody uses your method. See RC5/RSA/DES are
> popular well known methods. Attacking them is like attacking seat
> belts in cars. They actually have an impact on your life. Scottu
> means zero to 99.99% of the world. (Of course DES/RSA/RC5 means zero
> to 97% of the world but who's counting?)
>
> > Tim the contest is pretty black and white. Not like the BS contests
> > where you may get a prise if you come up with what Mr BS
> > considers a worthy attack. Take a look.
>
> Again ciphertext only is not the only method of attack. You should
> encourage cryptanalysis based on your previous crypanalsys. Maybe
> someone can find something you did not?
>
Someone not you! You cant break even my little challenge!
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "Rosimildo DaSilva" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Mon, 9 Aug 1999 19:42:18 -0500
>
>Unless you need to use the debugger...
Well, debugger is for programmers that writes buggy code !!! < g >.
Rosimildo.
------------------------------
From: [EMAIL PROTECTED] (Peter Gutmann)
Subject: Error in Counterpane test vectors for Blowfish
Date: 9 Aug 1999 23:40:39 GMT
Has anyone tried to use the Blowfish test vectors given in
http://www.counterpane.com/vectors.txt? The CBC one doesn't work, the data
isn't a multiple of 64 bits in length and the padding used isn't specified so
it's not possible to reproduce the results (at least not without trial-and-
error). Does anyone the correct values for the CBC vector?
(In case anyone's wondering, I need the correct values for the Blowfish RFC.
I've already asked Bruce about it, he suggested I ask here).
Peter.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Construction of permutation matrix
Date: Tue, 10 Aug 1999 01:11:02 GMT
wtshaw wrote:
> Wait just a dang fangle minute here pardner. If a choice is not
> simply yes or no, it is not a simple bit choice.
No, but the SIMPLEST nontrivial choice *is* a 1-bit choice.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NIST AES FInalists are....
Date: Tue, 10 Aug 1999 01:30:21 GMT
Bruce Schneier wrote:
> There is a lot more to picking an encryption standard than security.
> Any of these finalists would be a good choice with respect to that
> criterion.
There is very little evidence to support such a claim.
The NIST Round-1 report itself shows little real security analysis,
and introduces an utterly bogus notion of "security margin".
It even confirms David Scott's claim that the public impression of
security (how that relates to the evaluation is not specified) is
based mainly on the reputation of the designers.
At what point are competent NSA cryptanalysts going to be brought
into the process, so we can get a soundly based estimate of security?
------------------------------
Crossposted-To:
muc.lists.www-security,ocunix.mail.freebsd.security,alt.fan.sysadmin,comp.infosystems.www,comp.infosystems.www.servers.unix,comp.unix.osf.osf1,hannet.ml.linux.rutgers.linux-admin,comp.unix.solaris
From: [EMAIL PROTECTED] (Moun Chau)
Subject: UPCOMING EVENT- USENIX SECURITY SYMPOSIUM, 8/23-8/26/99 in DC
Date: Tue, 10 Aug 1999 00:22:04 GMT
Learn leading-edge technologies and strategies for system and Internet
security--
8TH USENIX SECURITY SYMPOSIUM
August 23-26, 1999
JW Marriott Hotel, Washington, D.C.
Sponsored by USENIX in Cooperation with the CERT Coordination Center
=========================================================================
See the Program and register online at http://www.usenix.org/events/sec99
=========================================================================
* Exchange ideas with the industry's top security insiders.
* Gain command of leading-edge tools and techniques at specifics-driven
tutorials.
* Explore the latest advances in Internet security, intrusion
detection,distributed systems, and applications of cryptography.
==========================================================================
USENIX, the Advanced Computing Systems Association, is the international,
not-for-profit society made up of scientists, engineers, and system
administrators working on the cutting edge of systems and software. For
25 years USENIX conferences and workshops have emphasized quality exchange
of technical ideas unfettered by stodginess or commercialism.
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Mon, 9 Aug 1999 19:52:19 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> > No MSIE, no need for a GUI at all, in fact.
> >
> Unless you need to use the debugger...
Though it violates the "no GUI at all" part, you could use Windbg,
available entirely separately (as part of the SDK).
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Mon, 9 Aug 1999 19:52:14 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> > The help system uses a compiled version of HTML that few (if any)
> > other browsers can display.
> Why would that be, hmmmm <g>? I mean they probably would be able to if
> only MS published.... Finally, installing an HTML control doesn't
> require installing the whole browser. Or, let's say, need not.
True, but 1) they actually display the help in a complete application
-- if they just installed the control, they'd have to add code to host
it to the rest of the environment. 2) the complete IE isn't a LOT
more than simply a host for the control anyway.
> And besides, HTML help sucks loudly and MSDN they had before was much
> faster. The reader was better too--you could set up the background color
> to something other than glaring white.
Oh, you'll get no argument from me on this point -- I thoroughly loath
the current help system. I'm not trying to say it was a good thing,
or anything like that. OTOH, authoring for their previous systems
certainly was a pain compared to writing HTML.
My original statement was simply to the idea that any installed
browser would do the job since they were using HTML. My statement was
only that this appears (to me) to be incorrect. Whether the decision
to use that format they've selected was technical or a otherwise is an
entirely separate question.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Mon, 09 Aug 1999 19:58:44 -0600
In article <7onr9j$onb$[EMAIL PROTECTED]>, "Rosimildo DaSilva"
<[EMAIL PROTECTED]> wrote:
> >
> >Unless you need to use the debugger...
> Well, debugger is for programmers that writes buggy code !!! < g >.
>
> Rosimildo.
Come off it! One way of programming is to crawl through the steps of what
you want to do, a surefire way of knowing what is going on in each snippit
of code that you add, and correct if needed.
While it may seem that the fastest way to write source code is to put all
of it down at one, I realize that the parts must all be verified at one
time or another before you can rely on the end result. Once you have
established good functions, only then should you can copy them to new
projects.
The biggest headache that I see in some of the MS offerings is the
tendency to not allow you to do simple mods and easily rerun the same
file, while add and remarking out real-time variable monitoring
procedures, something that I do lots of as I whittle out new applications.
Working and working well are too different things.
--
Sometimes you have to punt, and hope for the best.
------------------------------
From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Subject: Re: : I AM CAVING IN TO JA...
Date: Sun, 08 Aug 1999 18:10:47 +0200
"SCOTT19U.ZIP_GUY" wrote:
>
> Again if you had any brains you can see my site is more in line with your
> way of thinkning. Mine is kind of a boycot of useless advanced features.
> MS will always have bugs so that it is easy to sale more fixes. Only a fool
> would leave JavaScript on and sail willy nilly around the net.
Well, I don't know if visiting your site proofs I have any brains, but
I've been there, with JavaScript temporarily turned on and cookies
enabled. So that should be worth a few hits!
What bothered me is that you don't refer to the security holes that
exist in JavaScript. You only tell people that they will get a virus if
they turn it on. This is obviously not true for every JavaScript capable
browser that visits your site. At least not without some new, publicly
unknown, exploits.
And Java itself, which you also seem to boycot, isn't that bad. At least
if you have an up-to-date browser (IE & NS > 3.01). It allows many
things that are not possible with plain HTML and has many safeguards
built into it to avoid misuse (much unlike MS ActiveX, which allows
*anything* as long as it is signed properly). And it is platform
independed, which must sound very good to you in this MS ruled era.
Hi!,
Thomas
--
If you're gonna brainfart, keep your hands of the keyboard!
PGP key: http://x11.dejanews.com/getdoc.xp?AN=453727376
Email: boschloo_at_multiweb_dot_nl
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: AES finalists to be announced
Date: Tue, 10 Aug 1999 03:12:57 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(wtshaw) wrote:
>In article <7onj2h$1eg8$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>(SCOTT19U.ZIP_GUY) wrote:
>
>> In article <[EMAIL PROTECTED]>, Helger Lipmaa <[EMAIL PROTECTED]>
>wrote:
>> >Bruce Schneier wrote:
>> >
>> >> The most interesting thing to notice is that the five finalists were
>> >> designed by teams that have had strong cryptanalysts on them. Almost
>> >> all of the other algorithms (E2 being the only exception) were
>> >> designed by teams that did not have strong cryptanalysts on them. As
>> >> I have said again and again, good ciphers are designed by good
>> >> cryptanalysts.
>> >
>> >I can imagine the face of Serge Vaudenay when reading this posting.
>> >
>>
>> All it really shows is that it is a phony "mutual admiration society" that
>
>> is busy patting itself on the back and actually closed to any real
>progressive
>> original thought. If you don't think the way they do you are not allowed in.
>> Unless you use methods so poor that it makes them look good.
>
>> David A. Scott
>
>Take comfort in the fact that correlation does not prove causation,
>although, having an algorithm able to withstand publically known attacks
>seems to be a plus. It is the other attacks that we don't know about, if
>and whatever they might be.
>
>So, David, you might be right, but, who is to say? The premise for the
>process was supposed to be honesty.....hope it is....time will
>tell.....then, maybe it won't.
Well I am sure it will be as honest as anything is in the Clinton
administration. So if you have full faith in the honesty of our leaders
I guess you can trust this process. But I still would not want my
daughter to work as an intern till Mr Bill gets an AIDS test.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: "JaeYong Kim" <[EMAIL PROTECTED]>
Crossposted-To: alt.security
Subject: Security System or Encryption Algorithm suitable for this Network..?
Date: Tue, 10 Aug 1999 02:10:35 GMT
I am involved in project of HomeRF Network..
where home AV systems communicate each other through RF typically 2.4GHz or
5GHz..
Security is important because RF wave can be easily intercepted by
neighborhood or eavesdropper/spoofer..
I have studied various encryption/decryption algorithm and protocol..
But I can hardly decide which algorithm or protocol is suitable for this
network..
If there is no suitalbe one, I should suggest new one.. which is almost
impossible for me..
Please comment any trivial thing..
Your typing for a minute can help me much
thanks in advance
follow-up is limited to alt.security
JaeYong Kim.
--
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Construction of permutation matrix
Date: Mon, 09 Aug 1999 20:01:15 -0600
In article <7ond2g$8kg$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Patrick Juola) wrote:
> In article <[EMAIL PROTECTED]>,
> wtshaw <[EMAIL PROTECTED]> wrote:
> >In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:
> >
> >> wtshaw wrote:
> >> > > it is the amount
> >> > > of information in the simplest nontrivial discrete choice (Boolean,
> >> > > YES/NO).
> >> > Which is only a small part of what logic can be involved in choices.
> >> > Trying to make everything in to yes/no is left to the uneducated and the
> >> > legal profession.
> >>
> >> SIMPLEST. SIMPLEST. SIMPLEST.
> >
> >Wait just a dang fangle minute here pardner. If a choice is not simply
> >yes or no, it is not a simple bit choice.
>
> No, but it can be modelled as a collection of simple bit choices.
>
Not always in choice-complete manner, as when you need five choice, you
must allow for eight.
--
Sometimes you have to punt, and hope for the best.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: AES finalists to be announced
Date: 10 Aug 1999 02:30:20 GMT
Reply-To: [EMAIL PROTECTED]
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) writes:
>If they allowed anyone
>to enter with a TEXT file listing instead of PS then I would have been in.
The fact that you couldn't figure out how to produce a postscript file in
1998 does not give me confidence in your ability to produce a decent cipher.
--
Lamont Granquist ([EMAIL PROTECTED])
ICBM: 47 39'23"N 122 18'19"W
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Error in Counterpane test vectors for Blowfish
Date: Tue, 10 Aug 1999 02:56:26 GMT
In article <7onotn$jv5$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Peter
Gutmann) wrote:
>
>
>
>Has anyone tried to use the Blowfish test vectors given in
>http://www.counterpane.com/vectors.txt? The CBC one doesn't work, the data
>isn't a multiple of 64 bits in length and the padding used isn't specified so
>it's not possible to reproduce the results (at least not without trial-and-
>error). Does anyone the correct values for the CBC vector?
>
>(In case anyone's wondering, I need the correct values for the Blowfish RFC.
> I've already asked Bruce about it, he suggested I ask here).
>
>Peter.
>
I thought Mr B.S. himself wrote blowfish and he told you to
ask here about test vectors. Why does this sound fishy?
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: "John E. Kuslich" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Software trojan-horse DLLs (was Re: How to keep crypto DLLs Secure?)
Date: Mon, 09 Aug 1999 19:49:21 -0700
Exactly right on the last paragraph.
The point is, in Windows, or more precisely, on the PC there is NO
effective defense against a determined and competent hacker who is able
to place a trojan horse on you PC.
You can examine DLL's until you are blue in the face; the hacker can
circumvent these techniques easily on a PC.
The PC needs hardware security functions. Only then will it have a
chance of being secure.
JK
Sundial Services wrote:
>
> James Thye wrote:
>
> > So it should be easy for some hacker (term loosely used) to peek at the
> > dll, decide that it is crypto, and find his/her favorite compiler and
> > generate those functions which do as little as possible, or nothing.
>
> Any programmer can determine the DLL entry-points, and with a little
> experimentation can determine the calling sequence of those DLLs.
>
> Programmers can also develop trojan-horse DLLs that pretend to be the
> real crypto DLLs you intend to call, but which either do not perform the
> intended function, or which intercept the plaintext before passing the
> request on to the "real" DLLs, which have been renamed for the purpose.
>
> If you are seriously worried about that kind of attack, you must code
> your application to examine the binary object-code of the DLL that it
> has recently attached to, by taking the code-address pointer obtained by
> GetProcAddress and examining the bytes in some way to be certain that
> the DLL you've attached to is really the one that you want.
>
> Simply examining the file won't work, because if the DLL has already
> been loaded by Windows - or the attacker has zapped the Windows table
> which describes loaded DLLs - code can be substituted that is not in the
> file you are checking.
>
> Let's also ignore the fact that, in Windows, you can develop a
> data-pointer that matches a code-pointer, and thereby modify loaded
> executable code!
>
> Once the hacker is "on to" the fact that you are performing this kind of
> testing, he can defeat this defense as he can any other.
--
CRAK Software (Password Recovery Software)
Http://www.crak.com
[EMAIL PROTECTED]
602 863 9274 or 1 800 505 2725 In the USA
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
