Cryptography-Digest Digest #774, Volume #10 Mon, 20 Dec 99 18:13:01 EST
Contents:
Access User Level Security and Export Regulations ("John E. Kuslich")
Re: Keystrokes monitored/encryption useless (Liyang Hu)
Re: Code Puzzle (Jim Gillogly)
Re: Analogue encryption (Jim)
Re: Analogue encryption (Jim)
Re: Analogue encryption (Jim)
Re: Code Puzzle (Rich Lafferty)
Re: Analogue encryption (Paul Rubin)
Re: Q: transcendental pad crypto ("dls2")
Re: Q: transcendental pad crypto ("dls2")
Re: Analogue encryption (Simon DeDeo)
Re: Q: transcendental pad crypto ("dls2")
Re: Q: transcendental pad crypto (John Savard)
Re: Q: transcendental pad crypto (John Savard)
Re: Q: transcendental pad crypto (John Savard)
Re: Q: transcendental pad crypto (Pelle Evensen)
Re: Enigma - theoretical question (Roger Carbol)
Re: dictionary attack (Roger Carbol)
----------------------------------------------------------------------------
From: "John E. Kuslich" <[EMAIL PROTECTED]>
Subject: Access User Level Security and Export Regulations
Date: Mon, 20 Dec 1999 12:22:38 -0700
Here is an example of why the Clinton Administrations one-time review
policy for cryptographic software is completely bogus. Any software on
the PC can be made to act in arbitrary ways using the readily available
Windows API. One does not need access to source code. It does not
matter how the software is compartmentalized, or modularized. Anyone
can write software that takes control of executable code and have his
way with it. Did you say you want a key lenght of 400 bits?? Want
triple DES AND Blowfish at a zillion bits?? No problem, want to see the
red suit, turn on the red light!
CRAK Software ( http://www.crak.com ) has just released a beta version
of a NEW password recovery product for Access Database. This new
software effectively defeats all User level security by allowing the
log-on password dialog to be by-passed and by revealing all database
user account names.
The new software, called AXcrak, launches Access in a very promiscuous
mode allowing any password you can imagine to be used as a valid log-on
password.
AXcrak allows the user to log on as a user having Admins privileges
without the need to know the log-on password. Once logged on as an
Admins user, the database user passwords can be changed and/or removed
(again, without having a valid password).
The user must have access to a valid system.mdw file (this is where all
user account password information is stored).
The product is in beta release as demo and full performance products
from http://www.crak.com under the /programs directory (Axdemo.exe and
AXfull.exe). The demo has limitations :-))
This new release presently ONLY WORKS with Access using the MSJT3032.dll
version 3.000.4513 (Version 7.0 of Access for Office 95). All versions
of Access will be covered by future releases of AXcrak.
This a new beta release. If you experience problems please send your
comments to [EMAIL PROTECTED] Your help would be greatly appreciated.
Anyone with an urgent need to recover a password protected database (for
which they can legally certify ownership!!!!!) generated in another
version of Access is urged to contact CRAK Software at
[EMAIL PROTECTED] We may be able to help.
JK
--
John E. Kuslich
Password Recovery Software
CRAK Software
http://www.crak.com
------------------------------
From: Liyang Hu <[EMAIL PROTECTED]>
Subject: Re: Keystrokes monitored/encryption useless
Date: Mon, 20 Dec 1999 00:56:30 -0000
At 18 Dec 1999 14:25:59 EST, Guy Macon <[EMAIL PROTECTED]> said:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Liyang
>Hu) wrote:
> >
> >It's very easy to spot those programs running, as long as you keep an eye
> >out for them. <shameless plug>A useful little util, which just happens to
> >be called Useful, has a very good process monitor. Anytime I see anything
> >running that I dont know the purpose of, I can just kill that process. It
> >sees all processes, as opposed to <ctrl+alt+del>, which only shows the
> >non-service processes. You can get it at http://www.nerv.cx/hcbd/ </end of
> >shameless plug>
>
> I like to run a couple of 30AWG wire wrap wires into the plug on the
> back of your PC and connect a Basic Stamp [ http://www.parallaxinc.com/ ]
> and have it record keystrokes. It's about the size of a postage stamp,
> and there are cool RF transmitter modules available. This allows me to
> get the NT Logon password, which no sniffer program can get. For that
> matter. there are TX cameras that look through pinholes in your walls
> or ceiling. I could make a video of your hands on the keyboard and
> of what is displayed on your screen.
Assuming the person cannot reach your machine physically. I'm talking
about software security here, not things like surveillance or tempest
attacks. Slight problem with your attack is that I'd notice it straight
away, with my PC sitting in the middle of my bedroom...
I had contenplated building a keyboard sniffer before, with a PIC16C84,
saving the keystrokes to an external eeprom. (well, you're plugging that
damn STAMP shite ;) I nearly got most of the design done, but luckily for
our school's system admin, I never got around to making it, due to lack of
time...
--
��,����`Liyang Hu/DenseBoy����,��,����http://www.nerv.cx/`����,��
| The subspace W inherits the other 8 properties of V. |
| And there aren't even any property taxes. |
| -- J. MacKay, Mathematics 134b |
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Code Puzzle
Date: Mon, 20 Dec 1999 19:44:05 +0000
[EMAIL PROTECTED] wrote:
>
> Hi everyone!
> Here is a code puzzle that so far has not
> been solved. It is one sentence and punctuation
> is ignored. Here it is!
>
> 82 44 22 67 83 11 35 93 52 11 51 64 71 45 15 31
> 94 51 66 32 58 93 83 15 52 77 94 21 47 96 34 22
And so on. You're the third person I know of who's trying
to get help on this one without telling where it came from.
If you come clean with the provenance, I'll tell you where
the other two are chatting and where to find the other clues
that have been offered by helpful patsies. :)
--
Jim Gillogly
Mersday, 30 Foreyule S.R. 1999, 19:40
12.19.6.14.8, 10 Lamat 16 Mac, Ninth Lord of Night
------------------------------
From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim)
Subject: Re: Analogue encryption
Date: Mon, 20 Dec 1999 20:40:28 GMT
Reply-To: Jim
On Mon, 20 Dec 1999 02:11:12 -0500, "dls2" <[EMAIL PROTECTED]> wrote:
><amadeus @DELETE_THIS.netcomuk.co.uk (Jim)> wrote:
>> <[EMAIL PROTECTED]> wrote:
>> > If a pseudo one time pad is used to generate a waveform
>> > that overlays a voice could this ever be as percievably
>> > secure as digital encryption?
>>
>> No. Which is why all serious ciphony systems are digital or
>> at worst digitally-coded and encrypted vocoders. (And if
>> you've ever used a secure 'phone incorporating a vocoder,
>> you'll know why I said 'at worst' !!!)
>
>I've never used a secure phone incorporating a vocoder,
>so why did you say "at worst"?
Well I have. It's just unreal. Distortion, noise, difficulty
in understanding what is being said. All due to the nature of
the vocoding process. Artificial voice synthesis. Ugh!
The quality of the modern digital ones is indistinguishable
from a normal unencrypted conversation. (Apart from the green
light on the 'phone!) The ones I've used incorporate a public
key system for setting up the secure call and will handle
secure data and FAX as well as voice. They use the ordinary
public switched network, no permanent lines are required.
------------------------------
From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim)
Subject: Re: Analogue encryption
Date: Mon, 20 Dec 1999 20:40:29 GMT
Reply-To: Jim
On Mon, 20 Dec 1999 14:55:37 GMT, [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
wrote:
>In article <83kkt8$[EMAIL PROTECTED]>, "dls2" <[EMAIL PROTECTED]> wrote:
>><amadeus @DELETE_THIS.netcomuk.co.uk (Jim)> wrote:
>>> <[EMAIL PROTECTED]> wrote:
>>> > If a pseudo one time pad is used to generate a waveform
>>> > that overlays a voice could this ever be as percievably
>>> > secure as digital encryption?
>>>
>>> No. Which is why all serious ciphony systems are digital or
>>> at worst digitally-coded and encrypted vocoders. (And if
>>> you've ever used a secure 'phone incorporating a vocoder,
>>> you'll know why I said 'at worst' !!!)
>>
>>I've never used a secure phone incorporating a vocoder,
>>so why did you say "at worst"?
> H said "at worset" to give the impression that he is an expert
>in the field and that you should kiss his ass becasue of his great
>knowledge. I guess its a politically correct way to say "I'm fucking
>smarter than you asshole". But I tend to be more direct it helps
>to read old issue of MAD magazine to find out what the pompous
>ones really mean when they write.
Is this asshole with you lot?
He'll find a lot more from this bogus expert further up the page.
This bogus expert has experienced _using_ good crypto rather than
_designing_ dubious crypto.
------------------------------
From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim)
Subject: Re: Analogue encryption
Date: Mon, 20 Dec 1999 20:40:30 GMT
Reply-To: Jim
On Mon, 20 Dec 1999 00:18:34 -0800, CombatXeroxRepairman <[EMAIL PROTECTED]>
wrote:
>There was a NSA device that scrambled voice in a way that could be
>transmitted over a normal 0-3khz line. The
>output sounded like very strange inverted speech. This was very useful for
>HF voice long distance links. Rumor was that it was broken by the USSR
>because we stopped using the system in the early 80's.
I wonder how they knew that it had been broken?
More likely the NSA CommSec broke it, then had it taken out of
service.
------------------------------
From: [EMAIL PROTECTED] (Rich Lafferty)
Subject: Re: Code Puzzle
Date: 20 Dec 1999 20:47:11 GMT
Jim Gillogly <[EMAIL PROTECTED]> wrote in sci.crypt:
> [EMAIL PROTECTED] wrote:
> >
> > Hi everyone!
> > Here is a code puzzle that so far has not
> > been solved. It is one sentence and punctuation
> > is ignored. Here it is!
> >
> > 82 44 22 67 83 11 35 93 52 11 51 64 71 45 15 31
> > 94 51 66 32 58 93 83 15 52 77 94 21 47 96 34 22
>
> And so on. You're the third person I know of who's trying
> to get help on this one without telling where it came from.
> If you come clean with the provenance, I'll tell you where
> the other two are chatting and where to find the other clues
> that have been offered by helpful patsies. :)
When all else fails, google! Or try to google, anyhow. It's taken me
three tries to get to the single result that a google search for the
first line of numbers returns, and it's at
http://www.discovervancouver.com/crackthecode/crackthecode.shtml
and creatively entitled "Crack the Code and Win Money." No beating
around the bush, at least. Make sure you turn Javascript off before
you go. To save some trouble:
The jackpot currently stands at [blank]
The numbers below are a code. If you crack it before anyone else you
will win the amount of money shown at the time you send in your
correct entry. The jackpot goes up by 1 cent a minute until the code
is cracked.
I figured you needed Javascript to find out what the jackpot is, but
neither my Unix nor Mac OS browsers can get a number out of the thing.
They note that it started 1999-07-09 09:00, though. About two grand
CAD.
-Rich
--
Rich Lafferty ----------------------------------------
Nocturnal Aviation Division, IITS/Computing Services
Concordia University, Montreal, QC
[EMAIL PROTECTED] -------------------------------
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Analogue encryption
Date: 20 Dec 1999 20:50:41 GMT
In article <83kkt8$[EMAIL PROTECTED]>, dls2 <[EMAIL PROTECTED]> wrote:
><amadeus @DELETE_THIS.netcomuk.co.uk (Jim)> wrote:
>> <[EMAIL PROTECTED]> wrote:
>> > If a pseudo one time pad is used to generate a waveform
>> > that overlays a voice could this ever be as percievably
>> > secure as digital encryption?
>>
>> No. Which is why all serious ciphony systems are digital or
>> at worst digitally-coded and encrypted vocoders. (And if
>> you've ever used a secure 'phone incorporating a vocoder,
>> you'll know why I said 'at worst' !!!)
>
>I've never used a secure phone incorporating a vocoder,
>so why did you say "at worst"?
You can try a software-based one from http://www.lila.com/nautilus/
Hardware-based phones sound quite a bit better, though there is
still some difference from an unencrypted phone from the slight
delay created by the vocoder. It's similar to a digital cellular
phone.
------------------------------
From: "dls2" <[EMAIL PROTECTED]>
Subject: Re: Q: transcendental pad crypto
Date: Mon, 20 Dec 1999 15:50:20 -0500
"John Savard" <[EMAIL PROTECTED]> wrote:
> "dls2" <[EMAIL PROTECTED]> wrote:
>
> >Do transcendental numbers qualify as pseudo-random, or
> >as truely-random, for purposes of one-time pads?
>
> Pseudo-random, since calculating the value of a transcendental
> number is a deterministic process. And an inefficient one, for the
> level of security provided.
If there are an infinite number of transcendental numbers, then I fail
to see why. If the transcendental is picked randomly, then doesn't
the resulting stream of numbers also qualify as random?
Derrick Shearer
[EMAIL PROTECTED]
------------------------------
From: "dls2" <[EMAIL PROTECTED]>
Subject: Re: Q: transcendental pad crypto
Date: Mon, 20 Dec 1999 15:58:16 -0500
"Tony T. Warnock" <[EMAIL PROTECTED]> wrote:
> The question is not whether a number is transcendental but
> whether it is computable. If the number is computable, it does
> not work for an crypto key.
I disagree. Every number is computable; it follows from induction.
Derrick Shearer
[EMAIL PROTECTED]
------------------------------
From: Simon DeDeo <[EMAIL PROTECTED]>
Subject: Re: Analogue encryption
Date: 20 Dec 1999 20:52:05 GMT
Gary <[EMAIL PROTECTED]> wrote:
: How did they synchronise? Did they have a tracking control on the phone?
: If a pseudo one time pad is used to generate a wave form that overlays a
: voice could this ever be as percievably secure as digital encryption?
: Gary :)
A while ago I did some thinking about how one might use an OTP in an
analog situation (say, e.g., communication over radio where you don't have
enough bandwidth to transmit adaquate quality digital sound.) It seemed to
me that the big problem was, as someone on the thread pointed out, the
characteristic volume modulations. If you just arithmetically "add" an
OTP, it would seem that, over time, one could start to see the base volume
modulations. (Similar to the way one extracts a signal from any kind of
noise.)
So you would need some kind of "mod" function that would clip the volume
at some level. How would one pick this level? And, assuming one picked the
level "optimally", would the communication be as secure as a regular OTP?
Thinking about it more, one would like to have the OTP at a much greater
amplitude than the voice data itself, and to set the level at which one
wraps the signal volume around around the average voice volume. But making
the OTP large would involve tradeoffs in voice quality at the other end --
you'd never get the gains perfectly matched at both ends, and so the voice
would be noisier the larger the OTP volume got.
-- Simon
------------------------------
From: "dls2" <[EMAIL PROTECTED]>
Subject: Re: Q: transcendental pad crypto
Date: Mon, 20 Dec 1999 16:07:56 -0500
"Lincoln Yeoh" <[EMAIL PROTECTED]> wrote:
> "dls2" <[EMAIL PROTECTED]> wrote:
>
> >"Also, a computer-based pseudo-random number generator
> >does _not_ qualify as a true one-time pad because of its
> >deterministic properties. See `pseudo-random number
> >generators as key stream'." -Cryptography FAQ, 4.4.
> >
> >Do transcendental numbers qualify as pseudo-random, or
> >as truely-random, for purposes of one-time pads?
>
> Basically if you want OTP, generate good random numbers.
> Anything less than random is crap for OTP. Stop wasting time
> with nice numbers like Pi, e, foo, bar, etc. Spend your time
> figuring out how to create a good and secure source of
> randomness which no one else can get access to.
I give up. So tell me, how is it done, seriously?
> If there is a slight hint of a pattern then it's not random. If some
> fancy math can explain the numbers then it's not random. If
> some mortal entity (INCLUDING YOU!) can predict the
> numbers it's not random.
Derrick Shearer
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Q: transcendental pad crypto
Date: Mon, 20 Dec 1999 15:13:33 GMT
"dls2" <[EMAIL PROTECTED]> wrote, in part:
>"John Savard" <[EMAIL PROTECTED]> wrote:
>> "dls2" <[EMAIL PROTECTED]> wrote:
>> >Do transcendental numbers qualify as pseudo-random, or
>> >as truely-random, for purposes of one-time pads?
>> Pseudo-random, since calculating the value of a transcendental
>> number is a deterministic process. And an inefficient one, for the
>> level of security provided.
>If there are an infinite number of transcendental numbers, then I fail
>to see why. If the transcendental is picked randomly, then doesn't
>the resulting stream of numbers also qualify as random?
Well, I'm assuming that one can't, say, evaluate a physical voltage
level to 1000 digits.
Thus, I'm expecting that you mean a transcendental number like
"sqrt(pi+e)" ... and the complexity of the expression for it is the
originating key length.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Q: transcendental pad crypto
Date: Mon, 20 Dec 1999 15:14:49 GMT
"dls2" <[EMAIL PROTECTED]> wrote, in part:
>I disagree. Every number is computable; it follows from induction.
Yes, every _integer_ is computable.
As there are only aleph-null possible computer programs, the existence
of uncomputable reals follows from Cantor's diagonal proof.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Q: transcendental pad crypto
Date: Mon, 20 Dec 1999 15:17:56 GMT
"dls2" <[EMAIL PROTECTED]> wrote, in part:
>"Lincoln Yeoh" <[EMAIL PROTECTED]> wrote:
>> Spend your time
>> figuring out how to create a good and secure source of
>> randomness which no one else can get access to.
>I give up. So tell me, how is it done, seriously?
Rolling dice. Diode or resistor thermal noise, sensed electronically.
But the one-time-pad is awkwards enough so that algorithms are used
for encryption - but the algorithm of calulating the decimal expansion
of a mathematical formula is not a particularly good one for this
purpose.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Pelle Evensen <[EMAIL PROTECTED]>
Subject: Re: Q: transcendental pad crypto
Date: Mon, 20 Dec 1999 23:14:42 +0100
dls2 wrote:
> "John Savard" <[EMAIL PROTECTED]> wrote:
> > "dls2" <[EMAIL PROTECTED]> wrote:
> > >Do transcendental numbers qualify as pseudo-random, or
> > >as truely-random, for purposes of one-time pads?
> >
> > Pseudo-random, since calculating the value of a transcendental
> > number is a deterministic process. And an inefficient one, for the
> > level of security provided.
>
> If there are an infinite number of transcendental numbers, then I fail
> to see why. If the transcendental is picked randomly, then doesn't
> the resulting stream of numbers also qualify as random?
No. The reason being that it's reproducable. I assume your goal is to
expand a small bit of secret to a large bit of secret. This doesn't help
entropy at all, that is, the rate of entropy will be the same as the
entropy of the initial seed, no matter what kind of expansions or series
you apply with the seed as the starting point.
/Pell
------------------------------
Subject: Re: Enigma - theoretical question
From: Roger Carbol <[EMAIL PROTECTED]>
Date: Mon, 20 Dec 1999 22:43:32 GMT
Neil Bell <[EMAIL PROTECTED]> wrote:
> If two individuals had a good 4-rotor Enigma simulator and wanted
> to exchange messages once every two weeks and had previously
> personally handed each other a list of rotor settings, ring
> settings and stecker settings. AND...
> settings never repeated from message to message, AND...
> messages were all short, say less than 250 characters.
> Would this be a reasonably secure way to exchange very private
> financial and investment tips using e-mail??
I get the strong sense this is intended to be part of a novel
somewhere involving eccentric characters rather than any sort
of serious "real-world" application.
As such, given the parameters, most of the people responding
so far have concluded it'd be a "reasonably secure"
(if very eccentric) way to exchange the messages.
I'm not sure how much security is lost if the attackers can
make some assumptions that, for example, many of the messages
will contain words like "BUY", "SELL", "HOLD", "SHORT", etc.
Perhaps the users will have a metacode that condenses these
often used words to shorter codewords.
.. Roger Carbol .. [EMAIL PROTECTED]
------------------------------
Subject: Re: dictionary attack
From: Roger Carbol <[EMAIL PROTECTED]>
Date: Mon, 20 Dec 1999 23:02:33 GMT
Michael Velten <[EMAIL PROTECTED]> wrote:
> can anybody tell me, where i can find a good (german) dictionary
> for a Brute Force-Attack?
Try visiting <ftp://ftp.ox.ac.uk/pub/wordlists/> and more
specifically
<ftp://ftp.ox.ac.uk/pub/wordlists/german/>
.. Roger Carbol .. [EMAIL PROTECTED]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
