Cryptography-Digest Digest #704, Volume #10 Wed, 8 Dec 99 13:13:02 EST
Contents:
Re: Is this software a hoax? ("Tim Wood")
Re: Frequency results of twofish and serpent. (Paul Crowley)
Re: If you're in Australia, the government has the ability to modify your files.
>> 4.Dec.1999 (Steve K)
Re: Frequency results of twofish and serpent. (Tom St Denis)
Re: Ellison/Schneier article on Risks of PKI ("Tim Wood")
Re: NSA competitors (CLSV)
Re: If you're in Australia, the government has the ability to modify your files. >>
4.Dec.1999 ("Tim Wood")
Re: NP-hard Problems (Anton Stiglic)
AES and perl (encryption) ("Shaun Wilde")
Re: How can you tell? (John)
Re: How can you tell? (Mike Andrews)
Re: If you're in Australia, the government has the ability to modify your files. >>
4.Dec.1999 (Scott Nelson)
Re: Ellison/Schneier article on Risks of PKI (Eric Lee Green)
Re: AES and perl (encryption) (Volker Hetzer)
Re: How can you tell? (Volker Hetzer)
Re: NP-hard Problems (Anton Stiglic)
----------------------------------------------------------------------------
From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: Is this software a hoax?
Date: Wed, 8 Dec 1999 11:51:10 -0000
*Quote*
it is a powerful WIN95/98 program that provides you with the tools necessary
to locate and use the resources available on the internet right from the
program!
If while reading through the numerous listings found within Cyber-Detective
you find a site that you wish to visit
immediately, simply click on the button "GO" and you
will be taken directly to the site.
A link directory is an HTML document that you can load into your browser.
Once loaded, it provides you with clickable links that you can use to
navigate the internet.
Quick Search - Search multiple sources for an address, email or phone
information.
The CD Toolkit has an option that you can use to create a Cyber-Track & Spy
diskette. Armed with this diskette you can track anyone's internet activity.
Simply install the secret tracking files from this diskette onto a computer
and all URLs visited will be secretly tracked and recorded.
Disk Snoop is a simple but useful utility that will allow you to quickly
search any computer for internet file types. Those who do not carefully
delete the files generated during their internet activity will be at the
mercy of this software.
*/Quote*
I think it is simply a utility which combines a net search tool, links to
information databases on the web, and some advice on where to obtain
information about yourself/others
And the odd utility to do relatively simplistic things like search a
computer for non-deleted files(!)
It may be useful but probably cannot do anything you can't do without it.
Its collection of links is probably the most useful bit.
It also advertises a book containing
"How To Make $1,000's of Dollars With Other People's Products
Automatically - Proven Strategies!
How I Average $50 For Every Direct E-Mail Letter I Send Out - And Who I Send
Them To! (spammers are missing the real power of e-mail entirely)"
A get-quick-rich scam if ever I saw one.
Tim
wrote in message <82lba6$sne$[EMAIL PROTECTED]>...
>I stumbled across this on the net:
>
>http://www.web-warrior.net/cyberdetective/index.htm
>
>It sounds unbelievably impressive. But it can't be true, can it?
>
>Has anyone ever used it?
>
>David
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.
--
**<Stolen line alert>**
>From my one-bit brain with a parity error.
**</Stolen line alert>**
------------------------------
From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: Frequency results of twofish and serpent.
Date: 8 Dec 1999 08:10:01 -0000
[EMAIL PROTECTED] (Johnny Bravo) writes:
> This is to be expected, if it were otherwise something would be
> seriously messed up. The biggest such analysis I know of is the one
> that showed the bias in RC4, each character has a (1/256)+(1/2^256)
> chance of being a duplicate of the previous character. This is the
> result of billions of bytes of ciphertext being analysed. It was just
> interesting to note, but not of any practical use.
56 trillion bytes of ciphertext were analysed: the duplicate
probability seems to be (1/256) + (1/2^24).
Further details on http://www.hedonism.demon.co.uk/paul/rc4/
--
__
\/ o\ [EMAIL PROTECTED] Got a Linux strategy? \ /
/\__/ Paul Crowley http://www.hedonism.demon.co.uk/paul/ /~\
------------------------------
From: [EMAIL PROTECTED] (Steve K)
Subject: Re: If you're in Australia, the government has the ability to modify your
files. >> 4.Dec.1999
Date: Wed, 08 Dec 1999 14:24:01 GMT
On Wed, 08 Dec 1999 00:19:53 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>CoyoteRed wrote:
>
>> [EMAIL PROTECTED] said...
>>
>> >Orwellian Nightmare Down Under? by Stewart Taggart
>> >
>> >3:00 a.m. 4.Dec.1999 PST
>> >SYDNEY, Australia -- Any data seem different on your computer today?
>>
>> So, I guess for the truly paranoid, someone should develop a disk
>> controller and encryption card that also has a smartcard reader.
>> On-board strong encryption with part of the key on a smartcard and the
>> other in bio-memory. Have the controller card never off-load the key,
>> but use it directly off the card and not allow /any/ outside access to
>> it. The controller also continuously securely hashes the contents of
>> the drive and stores it both on the card and on the encrypted drive
>> for comparison upon next boot.
>>
>> The only thing that I see as a security concern is the user input of
>> his passphrase. A hacker could conceivably change out the BIOS to log
>> the passphrase key strokes. (A secure hash of the BIOS as well?)
>>
>> If done right, the user would never be in the dark about any tampering
>> in his system.
>
>Similar concepts were discussed here a few months ago in the context of a
>non-seizable computer. One wants to reserve the information, but make it
>impossible (literally) of recovery without the requisite key. The base
>concept was a RAM disk containing an OTP key the same size as the
>protected disk volume. On power loss the key disappears, but the data is
>recoverable if the key is reloaded from off-site backup.
>
1) Removable hard drive.
2) Floor safe.
3) Thermite charge in floor safe, on top of hard drive, with
externally located keypad to turn it off.
Or any of a dozen or so other possible methods; I just picked an
extreme one as an example. In real life, the exact same measures one
would take to keep criminals out of one's computer, will keep law
enforcement out. Security is security.
By ignorance or design, this and similar anti-privacy laws do not
empower police forces to gather evidence and convict criminals.
Existing search and seizure laws already provide every tool that
actually works for that purpose. Police agencies are just going to
have to learn to live with encryption and other data-protection
technologies, and focus on the *real* crimes (if any) that are being
committed. Criminal activity that is limited to the networked
computing environment-- theft or vandalism of data, for instance-- can
only be dealt with by assisting the public in prevention; in other
words, more encryption and counter intrusion in the marketplace, not
less.
By accident or design, anti- computer security laws empower government
employees to spy on honest citizens for political purposes, while
failing to provide a significant benefit to law enforcement. Anyone
who understands computers should understand this. Unfortunately, we
will most likely have to wait for the present generation of
politicians to die off and be replaced by people who grew up around
computers, before we see any improvement.
Steve K
---Continuing freedom of speech brought to you by---
http://www.eff.org/ http://www.epic.org/
http://www.cdt.org/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Frequency results of twofish and serpent.
Date: Wed, 08 Dec 1999 14:37:40 GMT
In article <[EMAIL PROTECTED]>,
albert <[EMAIL PROTECTED]> wrote:
> I took an encryption of some text with twofish and serpent (straight
> ECB). I then did a frequency count of the results. I'm shocked (well,
> not really) on how evenly distributed the values are. Here are my
> results: Based on encryption of a few random text files that are about
> 200K in size. No, this is not the most scientific of test methods, not
> claiming it is, just some info to pass along... Good to note that the
> standard deviation is very low; with highs being 6.20% and lows being
> 5.90% on both algorithms (rounded).
>
> Albert.
>
I can't believe that after encrypting data properly there are no
non-ascii bytes with any high freq. Maybe your implementation is
flawed? Also 200kb is a small subset. Realistically you want a larger
test file.
Sent via Deja.com http://www.deja.com/
Before you buy.
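The sample-size question raised in this thread can be put in numbers. The following is an added example, not code from any poster: it uses RC4 keystream with a constructed key as a stand-in for ciphertext (Twofish and Serpent are not in the Python standard library), and all function names are illustrative. It measures a 200 KB sample the way the thread describes and computes how much data a bias of 1/2^24 in the duplicate rate needs before it equals even one standard error.

```python
import math
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def chi_square_bytes(data: bytes) -> float:
    """Chi-square of byte counts against uniform (255 degrees of freedom).
    Uniform-looking data gives a value near 255."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def duplicate_rate(data: bytes) -> float:
    """Fraction of positions whose byte equals the previous byte."""
    same = sum(1 for a, b in zip(data, data[1:]) if a == b)
    return same / (len(data) - 1)


def standard_error(n: int, p: float = 1 / 256) -> float:
    """Sampling noise of a rate near p measured over n positions."""
    return math.sqrt(p * (1 - p) / n)


def bytes_needed(bias: float, sigmas: float, p: float = 1 / 256) -> float:
    """Sample size at which `bias` equals `sigmas` standard errors."""
    return sigmas ** 2 * p * (1 - p) / bias ** 2


def measure(key: bytes, n: int) -> dict:
    stream = rc4_keystream(key, n)
    return {
        "chi2": chi_square_bytes(stream),
        "dup_rate": duplicate_rate(stream),
        "std_err": standard_error(n),
    }


if __name__ == "__main__":
    r = measure(b"constructed demo key", 200 * 1024)  # constructed key
    print(f"chi-square over 200 KB: {r['chi2']:.1f} (uniform data: about 255)")
    print(f"duplicate rate: {r['dup_rate']:.6f}, 1/256 = {1 / 256:.6f}")
    print(f"standard error at 200 KB: {r['std_err']:.2e}, bias 2^-24 = {2 ** -24:.2e}")
    print(f"bytes for 1 sigma: {bytes_needed(2 ** -24, 1):.3e}")
```

At 200 KB the sampling noise in the duplicate rate is thousands of times larger than 1/2^24, so a flat-looking count at that size says nothing about a bias of that magnitude.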
------------------------------
From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: Ellison/Schneier article on Risks of PKI
Date: Wed, 8 Dec 1999 14:53:39 -0000
I have found that you can enter a trusted root authority into Internet
Explorer by simply adjusting the NT System Registry at
HKEY_CURRENT_USER/Software/Microsoft/SystemCertificates/Root/Certificates/..
...
then the fingerprint of the certificate.
It is difficult to tell it has been done (unless you have a v.good memory,
or have copied the list of certificates or the Sys reg for comparison)
I think that trusted root certificates will need more protection before they
can be relied upon. It is necessary for some sort of verification and
protection of your list of trusted root certificates
Tim
--
**<Stolen line alert>**
>From my one-bit brain with a parity error.
**</Stolen line alert>**
wrote in message <82l90l$r6l$[EMAIL PROTECTED]>...
>Interesting read.
>
>Does anyone (or indeed Bruce and Carl) have links to similar papers, and
>if possible any online reports of PKI - usage statistics, examples of
>real-life PKIs that have been hacked etc...
>
>
>In article <[EMAIL PROTECTED]>,
> Bill Lynch <[EMAIL PROTECTED]> wrote:
>> All,
>>
>> There is a new paper up at
>> http://www.counterpane.com/pki-risks.html
>>
>> Recently released by Carl Ellison and Bruce Schneier. The two point out
>> what they see as the 10 risks of a public-key infrastructure. I think
>> their point is that security is like a chain, only as strong as the
>> weakest link. PKI is a system where several "links" are not protected
>> cryptographically (or in a secure manner), hence the security can be
>> compromised. It's a good article, take a read.
>>
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.
------------------------------
From: CLSV <[EMAIL PROTECTED]>
Subject: Re: NSA competitors
Date: Wed, 08 Dec 1999 15:37:35 +0000
Bruce Schneier wrote:
>
> On Sat, 04 Dec 1999 22:47:49 GMT, [EMAIL PROTECTED]
> (John Savard) wrote:
> >On Sat, 04 Dec 1999 18:13:27 +0000, CLSV <[EMAIL PROTECTED]> wrote:
> >>I'm wondering if there is any knowledge about non-US
> >>government institutes that are specialized in cryptography and
> >>cryptanalysis?
> >The Russian one, under the acronym FAPSI, now even has a web site too.
> >
> >On the other hand, the Chinese agency - known as the "technical
> >department" - is very secretive.
>
> I know of the Chinese organization as the Ministry of National
> Security.
>
> There's also MI5 and MI6 in the UK, SDECE in France, and the BND in
> Germany. Israel has Mossad.
Ok. Thank you.
I'm gonna look if there is some information on their crypto research.
Regards,
Coen Visser
------------------------------
From: "Tim Wood" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: Re: If you're in Australia, the government has the ability to modify your
files. >> 4.Dec.1999
Date: Wed, 8 Dec 1999 15:40:22 -0000
In Britain if your computer is stolen and then recovered by the police you
have to wait to get it back until they have performed a full check of the
hard drive for any illegal materials.
I know it happened to me and took nearly a month, luckily I did not have
anything particularly valuable on my laptop and had backed it up recently at
home. Otherwise I would have been forced to reinstall everything in case it
had been changed, as it was I had to change all my PGP keys.
At least I got it back.
Tim
--
**<Stolen line alert>**
>From my one-bit brain with a parity error.
**</Stolen line alert>**
wrote in message <[EMAIL PROTECTED]>...
>On Tue, 7 Dec 1999 07:38:23 -0500, <[EMAIL PROTECTED]> wrote:
>
>>
>>[EMAIL PROTECTED] wrote in message
>><[EMAIL PROTECTED]>...
>>>Orwellian Nightmare Down Under? by Stewart Taggart
>>>
>>>Do what most smart paranoids (and intelligent businesses) do, dedicate a
>>box for Internet use and keep sensitive and proprietary information on the
>>computer that never goes online with strangers. We use an old 300 for
>>surfing shark infested waters. We would have thought that anyone living in
>>the land of the great whites would understand shark repellant.
>
>Good solid sensible advice, provided they're not allowed to break in
>without judicial sanction, and remove the hard disc, as has been proposed
>in Britain.
>
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: NP-hard Problems
Date: Wed, 08 Dec 1999 11:22:56 -0500
[EMAIL PROTECTED] wrote:
>
>
> Applied Cryptography is red, though the first
> edition was blue. You mean the /Handbook of
> Applied Cryptography/, and note that the
> definition in the first two printings is
> corrected in the errata at:
> http://www.cacr.math.uwaterloo.ca/hac/errata/errata.html
> (though still agrees that NP-Hard is a set of
> problems, not languages).
>
> --Bryan
Yes, sorry, I meant the Handbook of Applied
Cryptography (Handbook is written in small
letters...:).
I see the errata you point out to. Hmm, I'll
have to get my theory of computation book and
look it up (my preferred one is from Michael
Sipser, Introduction to theory of computation).
Anton
------------------------------
From: "Shaun Wilde" <[EMAIL PROTECTED]>
Subject: AES and perl (encryption)
Date: Wed, 8 Dec 1999 16:30:49 -0000
Has anybody ported the AES submission Twofish to perl?
Also does anyone know of any Perl sites that have info relating to
encryption
TIA
Shaun Wilde
------------------------------
From: John <[EMAIL PROTECTED]>
Subject: Re: How can you tell?
Date: Wed, 08 Dec 1999 09:07:50 -0800
If I experiment with passwords, have the program, but no source, isn't
it possible to deduce what the encrypter is doing?
http://www.aasp.net/~speechfb
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: [EMAIL PROTECTED] (Mike Andrews)
Subject: Re: How can you tell?
Date: Wed, 08 Dec 1999 17:35:42 GMT
John <[EMAIL PROTECTED]> wrote:
: If I experiment with passwords, have the program, but no source, isn't
: it possible to deduce what the encrypter is doing?
Only in the sense that you can compile a "dictionary" or
"codebook" showing all your inputs and all the outputs
from the program. The idea behind encryption programs
is that the algorithm is _very_ difficult to invert
without knowing the specific encryption key, even if
you _do_ have the program.
: http://www.aasp.net/~speechfb
Ah, I see a challenge and some snake-oil. Anyone got a sacrificial
machine to run this on?
--
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964
------------------------------
From: [EMAIL PROTECTED] (Scott Nelson)
Crossposted-To: alt.privacy
Subject: Re: If you're in Australia, the government has the ability to modify your
files. >> 4.Dec.1999
Reply-To: [EMAIL PROTECTED]
Date: Wed, 08 Dec 1999 17:37:38 GMT
On Wed, 8 Dec 1999 01:02:47 -0500, "fuck echelon" <[EMAIL PROTECTED]> wrote:
[edited]
>Scott Nelson <[EMAIL PROTECTED]> wrote
>> Planting a bug inside a suspects house in a way that makes it
>> unlikely to be detected is fairly easy with modern technology.
>> I wonder though, if it's possible to modify a computer
>> in a way that's not easily detectable to the suspect.
>> Unless you actually modify the hardware, it seems like
>> it would leave a lot of obvious traces. And the obvious
>> corollary question is, how hard would it be to ensure that
>> one's computer software is actually intact, and unmodified.
>
>A bug isn't needed, a tempest attack or a boot would work for most purposes.
>
Yes.
Is there a cheap way to do it?
Something a local police department might be able to do.
Scott Nelson <[EMAIL PROTECTED]>
------------------------------
From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Ellison/Schneier article on Risks of PKI
Date: Wed, 08 Dec 1999 10:46:40 -0700
Tim Wood wrote:
>
> I have found that you can enter a trusted root authority into Internet
> Explorer by simply adjusting the NT System Registry at
>
> HKEY_CURRENT_USER/Software/Microsoft/SystemCertificates/Root/Certificates/..
> ...
> then the fingerprint of the certificate.
>
> It is difficult to tell it has been done (unless you have a v.good memory,
> or have copied the list of certificates or the Sys reg for comparison)
>
> I think that trusted root certificates will need more protection before they
> can be relied upon. It is necessary for some sort of verification and
> protection of your list of trusted root certificates
The problem is that the whole notion of PKI is a lie. The notion is that you
can have secure authentication without having to type in a password every time
you want to access a remote resource. But that just Does Not Work, for exactly
the reason you mention. Without storing the trusted root certificate in
encrypted format (which will require you to type in a passphrase to decrypt it
every time you wish to use it), said certificate can be easily replaced or
overwritten.
Given how easy it is to write a macro virus for the now-prevalent
Windows/Office platform, this is sheer stupidity. I could hijack your public
key server without a problem without ever having access to your network.
For those who claim that obfuscating the root certificate by including it as
part of your code and, e.g., using a XOR mask and lots of obfuscated ASM code
to hide it, that definitely raises the cost of a key server compromise -- but
if a benefit is seen to outweigh that cost, it's still quite possible.
Note that I'm not shooting down the whole notion of a PKI. For the most part,
I believe that a PKI infrastructure is a Good Thing, because it's a lot easier
to keep track of one root certificate and to keep secure one PKI server than
it is to secure entire networks full of certificates and servers. But PKI is
not the panacea that has been claimed, it is just one tool in the toolkit for
keeping a network secure.
Eric Lee Green [EMAIL PROTECTED]
Software Engineer Visit our Web page:
Enhanced Software Technologies, Inc. http://www.estinc.com/
(602) 470-1115 voice (602) 470-1116 fax
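An added example, not code from either poster, of the two points made in this thread: keeping a copy of the trusted-root list for comparison, and tying that copy to a passphrase so that whoever can alter the store cannot silently alter the copy as well. The certificate bytes are constructed placeholders standing in for DER-encoded certificates, the function names are illustrative, and PBKDF2 with HMAC-SHA256 is this example's own choice of mechanism.

```python
import hashlib
import hmac
import os


def thumbprint(der: bytes) -> str:
    """SHA-1 over the encoded certificate: the fingerprint that names the
    entry in the store."""
    return hashlib.sha1(der).hexdigest().upper()


def _tag(passphrase: str, salt: bytes, prints: list) -> str:
    # The key exists only while the passphrase is being used; it is never stored.
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    return hmac.new(key, "\n".join(prints).encode(), hashlib.sha256).hexdigest()


def seal_baseline(certs, passphrase: str, salt: bytes = None) -> dict:
    """Record the current root list together with a passphrase-keyed MAC."""
    salt = salt or os.urandom(16)
    prints = sorted(thumbprint(c) for c in certs)
    return {"salt": salt.hex(), "thumbprints": prints,
            "tag": _tag(passphrase, salt, prints)}


def audit(baseline: dict, current_certs, passphrase: str) -> dict:
    """Authenticate the baseline first, then report differences."""
    expected = _tag(passphrase, bytes.fromhex(baseline["salt"]),
                    baseline["thumbprints"])
    if not hmac.compare_digest(expected, baseline["tag"]):
        raise ValueError("baseline failed authentication; do not trust it")
    known = set(baseline["thumbprints"])
    now = {thumbprint(c) for c in current_certs}
    return {"added": sorted(now - known), "removed": sorted(known - now)}


# Constructed stand-ins for the encoded certificates found in a root store.
ROOT_A = b"constructed-cert: Example Root A"
ROOT_B = b"constructed-cert: Example Root B"
EXTRA = b"constructed-cert: root inserted after the baseline was taken"

if __name__ == "__main__":
    baseline = seal_baseline([ROOT_A, ROOT_B], "constructed passphrase")
    print(audit(baseline, [ROOT_A, ROOT_B, EXTRA], "constructed passphrase"))

    # Adding the new fingerprint to the saved list without the passphrase
    # invalidates the tag, so the edit is detected instead of accepted.
    forged = dict(baseline)
    forged["thumbprints"] = sorted(baseline["thumbprints"] + [thumbprint(EXTRA)])
    try:
        audit(forged, [ROOT_A, ROOT_B, EXTRA], "constructed passphrase")
    except ValueError as err:
        print("rejected:", err)
```

A certificate replaced by another with the same name shows up as one removed and one added fingerprint, because the fingerprint covers the whole encoded certificate.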
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: AES and perl (encryption)
Date: Wed, 08 Dec 1999 17:28:32 +0000
Shaun Wilde wrote:
>
> Has anybody ported the AES submission Twofish to perl?
>
> Also does anyone know of any Perl sites that have info relating to
> encryption
For perl you should be able to use the C-Version of AES as a shared
library shouldn't you?
Greetings!
Volker
--
Hi! I'm a signature virus! Copy me into your signature file to help me
spread!
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: How can you tell?
Date: Wed, 08 Dec 1999 17:30:29 +0000
John wrote:
>
> If I experiment with passwords, have the program, but no source, isn't
> it possible to deduce what the encrypter is doing?
Oh, yes, certainly you can. What password "program" specifically?
Greetings!
Volker
--
Hi! I'm a signature virus! Copy me into your signature file to help me
spread!
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: NP-hard Problems
Date: Wed, 08 Dec 1999 13:01:09 -0500
Safuat Hamdy wrote:
> [...]
> None of the authors are complexity theorists, so HAC is a non-authoritative
> source regarding complexity theory. A really good source is B. Diaz,
> J. Gabarro, and J. Balcazar: Structural Complexity I, 2nd ed. (beware!),
> Springer, 1995.
Could you post the definition of NP-Hard given in that book?
It would be nice to have a compilation of definitions of NP-Hard.
Anton
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************