Cryptography-Digest Digest #805, Volume #10      Wed, 29 Dec 99 02:13:02 EST

Contents:
  Re: Disbelief about Numbers Stations (John Savard)
  New Peekboo website [url] (Tom St Denis)
  Re: Secure Delete Not Smart ("Trevor Jackson, III")
  Re: unbreakable? (Keith Monahan)
  Grounds for Optimism (John Savard)
  Re: Homophones (wtshaw)
  Re: Secure Delete Not Smart ("Trevor Jackson, III")
  Re: HD encryption passphrase cracked! ("Trevor Jackson, III")
  Re: Secure Delete Not Smart ("John E. Gwyn")
  Re: finding seed for random number generator ("John E. Gwyn")
  Re: Video card reconfiguration ("John E. Gwyn")
  Re: Economic Espionage Act of 1996 and the U.S.A. government's  ("John E. Gwyn")
  Re: Synchronised random number generation for one-time pads ("John E. Gwyn")
  Re: HD encryption passphrase cracked! (NFN NMI L.)
  Re: Grounds for Optimism ("John E. Gwyn")
  Re: HD encryption passphrase cracked! ("John E. Gwyn")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Disbelief about Numbers Stations
Date: Wed, 29 Dec 1999 04:01:44 GMT

On Mon, 27 Dec 1999 21:16:52 GMT, amadeus @DELETE_THIS.netcomuk.co.uk
(Jim) wrote:

>What beats me is why, with 
>easy, fast, cheap world-wide digital communications available, they 
>choose to use apparently conventional codes/ciphers and shortwave 
>(HF) radio using morse and voice.

Well, it might be fairly easy to pick out a spy, if he keeps getting
E-mail from Cuba...

but it's harder to find out where someone's short-wave radio is tuned
(unless you know the right block to look in; then one can listen to
the noise his IF strip is making...)

>Similarly, why in the age of rapid satellite and fibre-optic communications,
>do so many embassies use slow outdated conventional 5 letter/figure-group
>systems on HF radio? Is there some sort of convention that requires them
>to be twenty years behind the rest of the world? (!!)

That way they raise no suspicion they are diverting up-to-date
American technology to military purposes...

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: New Peekboo website [url]
Date: Wed, 29 Dec 1999 04:32:51 GMT

Well, I am slowly joining a group of coders called Digital Adrenaline.
They have a website at www.dasoft.org [not much yet] and are hosting
Peekboo at http://peekboo.dasoft.org

If you don't know what Peekboo is, it's a free Win32 crypto toolkit that
features diffie-hellman key exchange, encryption/decryption of
files/messages, digital signatures, file wiping, direct chat and a
bunch of other tools.  It's also only 46kb in size and includes
source.  Oh yeah, it's 100% free as well.

Check it out please and let me know what you think.

Current work is in a new API so PB can become portable, and a new user
interface :)

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

Date: Tue, 28 Dec 1999 23:52:00 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Secure Delete Not Smart

Jim wrote:

> On Tue, 28 Dec 1999 11:04:52 -0500, "Trevor Jackson, III" <[EMAIL PROTECTED]>
> wrote:
>
> >UBCHI2 wrote:
> >
> >> Data has been recovered after 9 overwriting wipes according to the PGP manual.
> >> It seems foolish to secure delete something without encrypting it first.  Why
> >> isn't this ever suggested in the manuals?
> >
> >If you already have a plain copy stored, encrypting it will not prevent someone
> >from recovering the plain copy, because the encryption does not replace the plain
> >copy.  The encrypted file is a separate representation of the information in the
> >plain file.  So the plain file still exists to be recovered.
> >
> >Even if the encrypted copy replaced the plain copy sector for sector it would not
> >hide the plain version of the file because the replacement would only write each
> >sector once.  To fully erase the plain version of the file you need many writes to
> >each sector.
> >
> >The best answer is to never store plaintext.  The information must be encrypted as
> >it is stored.  Disk encryption software does this for you.
>
> So you're recommending that one always works within an enciphered volume
> or partition?
>
> If so, ought you to secure delete plaintext versions which have not
> been taken outside the enciphered volume?

That is unnecessary.  The principle of an encrypted volume is that an Opponent can be
handed the entire volume and will not be able to recover any plaintext.  Everything
written to the physical volume is encrypted.  So there is no need to scrub plaintext
files stored within the virtual (encrypted) volume.  They are safe.

If you need to scrub files within the encrypted volume, you need better volume
encryption software.
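As an added illustration of the point in this exchange (a constructed example, not code from the thread or from any disk-encryption product): a toy block device with a minimal file layer. The first scenario keeps a plaintext file, writes an encrypted copy and unlinks the original, as UBCHI2 proposed; the second writes through a volume-encryption layer so the medium only ever receives ciphertext. The per-sector keystream is a stand-in built from HMAC-SHA256 and is not a real disk-encryption mode; the sector size, key strings and file names are arbitrary.

```python
import hashlib
import hmac

SECTOR = 64      # toy sector size in bytes (assumption)
NSECTORS = 64    # toy medium size in sectors (assumption)


class Medium:
    """The physical device: a flat array of sectors plus a free list."""

    def __init__(self):
        self.raw = bytearray(SECTOR * NSECTORS)
        self.free = list(range(NSECTORS))

    def alloc(self, n):
        lbas, self.free = self.free[:n], self.free[n:]
        return lbas

    def release(self, lbas):
        # An ordinary unlink only returns sectors to the free list; the bytes stay.
        self.free.extend(lbas)

    def write(self, lba, sector):
        self.raw[lba * SECTOR:(lba + 1) * SECTOR] = sector

    def read(self, lba):
        return bytes(self.raw[lba * SECTOR:(lba + 1) * SECTOR])


def keystream(key, lba, n):
    """Toy per-sector keystream: HMAC-SHA256 over (lba, counter), expanded to n
    bytes.  Stands in for a real disk-encryption mode; not a substitute for one."""
    out, ctr = b"", 0
    while len(out) < n:
        msg = lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


class EncryptedVolume:
    """Volume-encryption layer: every sector is transformed on its way to the
    medium and back, so the medium never sees plaintext."""

    def __init__(self, medium, key):
        self.medium, self.key = medium, key

    def alloc(self, n):
        return self.medium.alloc(n)

    def release(self, lbas):
        self.medium.release(lbas)

    def write(self, lba, sector):
        self.medium.write(lba, xor(sector, keystream(self.key, lba, SECTOR)))

    def read(self, lba):
        return xor(self.medium.read(lba), keystream(self.key, lba, SECTOR))


class FileLayer:
    """Minimal file system over either a raw Medium or an EncryptedVolume."""

    def __init__(self, dev):
        self.dev, self.files = dev, {}

    def create(self, name, data):
        padded = data + b"\0" * (-len(data) % SECTOR)
        lbas = self.dev.alloc(len(padded) // SECTOR)
        for i, lba in enumerate(lbas):
            self.dev.write(lba, padded[i * SECTOR:(i + 1) * SECTOR])
        self.files[name] = lbas

    def read(self, name):
        return b"".join(self.dev.read(lba) for lba in self.files[name])

    def unlink(self, name):
        self.dev.release(self.files.pop(name))


def plaintext_on_medium(medium, needle):
    """What someone holding the raw platters can see."""
    return needle in medium.raw


def encrypt_after_the_fact(secret):
    """Keep a plain file, later write an encrypted copy and unlink the plain one.
    Returns whether the plaintext is still on the medium afterwards."""
    medium = Medium()
    fs = FileLayer(medium)
    fs.create("formula.txt", secret)
    file_key = hashlib.sha256(b"constructed file key").digest()
    fs.create("formula.txt.enc", xor(secret, keystream(file_key, 0, len(secret))))
    fs.unlink("formula.txt")      # frees the sectors; does not overwrite them
    return plaintext_on_medium(medium, secret)


def encrypt_at_rest(secret):
    """Write the same plain file through a volume-encryption layer, then unlink."""
    medium = Medium()
    vol_key = hashlib.sha256(b"constructed volume key").digest()
    fs = FileLayer(EncryptedVolume(medium, vol_key))
    fs.create("formula.txt", secret)
    assert fs.read("formula.txt").startswith(secret)   # readable through the volume
    fs.unlink("formula.txt")
    return plaintext_on_medium(medium, secret)
```

The examiner's view is `plaintext_on_medium`, a search of the raw sectors. In the first scenario it still finds the secret after the unlink; in the second it never could, which is why scrubbing files inside the encrypted volume buys nothing. Two things the toy leaves out are exactly what a practitioner still has to check in a real deployment: plaintext or keys that leave the volume by another route (swap, hibernation files, temporary copies), and the fact that this stand-in keystream is fixed per sector, so rewriting a sector would leak the XOR of old and new contents, which is the reason real volume encryption uses a tweakable mode rather than a plain stream.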



------------------------------

From: Keith Monahan <[EMAIL PROTECTED]>
Subject: Re: unbreakable?
Date: Tue, 28 Dec 1999 23:43:46 -0500

John,

John Savard wrote:

>  This isn't someone with an "unbreakable cipher"; it's merely a puzzle
>

Well, of course it's not.

> contest to obtain publicity for visiting Vancouver, and hence it is
> presumably a _simple_ type of cipher that can be solved with paper and
> pencil that is being used.
>

Sure, but I feel it's necessary to point out that (IN CASE HE DIDN'T KNOW) merely
surviving 5 months of having a contest doesn't guarantee that the cipher
was well constructed or secure.  Could you imagine if he took this logic to
David Scott's ciphers and contests on David's webpages?

> John Savard (teneerf <-)
> http://www.ecn.ab.ca/~jsavard/index.html

Thanks for your reply,

Keith



------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Grounds for Optimism
Date: Wed, 29 Dec 1999 04:29:53 GMT

In a thread about such matters as the Melissa virus, a discussion
arose concerning the strength of ciphers. Just as many individuals
come up with ciphers they themselves cannot break, and conclude
therefrom that they have developed an unbreakable cipher, Terry Ritter
noted that it is equally possible for even a group of people to go
astray in the same fashion.

And he also again noted that we don't have the kind of proof of
security for ciphers that we would like to have; we know all kinds of
things about resistance to known attacks, but that says very little
about how possible some attack we haven't thought of might be.

While this is all true, I tend to think that what Bruce Schneier has
often mentioned is more important: in designing secure systems, other
kinds of mistakes are almost always the weak point - inadvertent
leakage of data, poor choice of passphrases or "random" numbers for
key generation.

But do we have any grounds for optimism about the strength of the
ciphers we either have, or could design?

As I have noted, while it is merely a generalization, it is reasonable
to suspect that increases in the speed of serial computation assist
the cryptographer more than the cryptanalyst. In the case where the
cryptanalyst must resort to brute force, this is obvious: multiply the
length of a key by N, and the time required to encipher increases by N
squared (to thoroughly utilize the longer key) but the time of a
brute-force search has increased exponentially. But even where we
cannot be assured our ciphers are this secure, as a cipher is scaled
up, attacks of all types do become much harder.

If we look at the ciphers of World War II, the high-level ciphers of
the Axis were solved, but with great difficulty. An immense effort was
needed to attack each of the Enigma, the Schlusselzusatz, and CORAL,
the improved successor of PURPLE, which took no small effort to solve
itself.

But there also existed the American SIGABA. And that was a quantum
leap ahead of other rotor machines. Even it could have been attacked -
but only if it were very badly misused, with dozens of messages sent
with the same initial rotor setting. Only then, with a multitude of
complete alphabets at his disposal, could the cryptanalyst divine
something about the control rotors.

Given, then, that it was possible in those days for an "unbreakable"
cipher to exist, the vast increase in serial computation speeds (but
the increase in parallel computation speeds caused by the cheapness of
the individual microprocessor must also be factored in on the other
side of the equation) would seem to have tilted the balance further
against the cryptanalyst.

Thus, if we "go all out" in designing ciphers; make them big and
complicated to make full use of the power of a modern personal
computer, use steps of indirection that seem to raise a barrier to any
conceivable form of analysis, I think we have a reasonable chance of
achieving security. That is how we can follow the lead of the SIGABA,
and produce its modern-day equivalent. (Hence, my "large-key
brainstorm", several of Terry Ritter's cipher designs, or even a nod
to the gigantic S-boxes of David Scott.)

Whether or not we really need to do this, or if even the best of AES
candidates are as secure as anyone might desire, is another question.
On this question, I have no grounds for dogmatism: they look secure
enough to me, but as I note that it *is* possible to try harder, I
note the possibility for the benefit of those who desire a greater
confidence in the security of their encryption, particularly into the
future as technology advances.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Homophones
Date: Tue, 28 Dec 1999 23:07:56 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> I think it might be of value to point out that the utility of
> homophone appears to have been largely ignored nowadays. For 
> secret messages in the narrow sense, one needs only an alphabet
> size of maximal 32. Using bytes, i.e. 8 bits, one has a space of
> 256, which is very abundant for employing homophones. For optimality,
> homophones should even out the frequency characteristics. But,
> with such a large expansion factor available and using polyalphabetic
> substitutions of large size as suggested, one does not need to put 
> much effort in that and could fairly freely assign homophones just
> as well, I believe.
> 
There is no doubt that you can get security in a hurry with a fairly
low-tech algorithm.  There are so many options that one could get lost in
thinking about them.  As to whether a good system can result depends more
on the experience that might be put into such things.  I've done widely
varied systems as I have explored some of these I see;  others would see
different options.
-- 
Only a little over a year left to go in this century....
Knowing this, figure that a year from now, we will 
resale of the hoopla we are getting ready to see now.
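The scheme Mok-Kong Shen describes, worked through as an added example (not code from either poster): an alphabet of 27 symbols (letters plus space, within the "at most 32" budget) mapped into the 256 byte values, with homophones apportioned by frequency so that each ciphertext byte is about equally likely. The frequency table is an approximate standard one for English running text, the key is a constructed byte string, and the keyed shuffle of byte values is a toy key schedule.

```python
import random

# Approximate English frequencies (percent of characters in running text,
# spaces included).  27 symbols, within the "at most 32" budget.
FREQ = {
    " ": 18.0, "e": 10.4, "t": 7.4, "a": 6.7, "o": 6.2, "i": 5.7, "n": 5.5,
    "s": 5.2, "h": 5.0, "r": 4.9, "d": 3.5, "l": 3.3, "u": 2.3, "c": 2.3,
    "m": 2.0, "w": 2.0, "f": 1.8, "g": 1.6, "y": 1.6, "p": 1.6, "b": 1.2,
    "v": 0.8, "k": 0.6, "j": 0.1, "x": 0.1, "q": 0.1, "z": 0.1,
}
SPACE = 256   # one byte per ciphertext symbol


def allocate_homophones(freq, space=SPACE):
    """Homophones per symbol: at least one each, the rest handed out in
    proportion to frequency (largest-remainder apportionment)."""
    total = sum(freq.values())
    spare = space - len(freq)
    quota = {s: spare * f / total for s, f in freq.items()}
    counts = {s: 1 + int(q) for s, q in quota.items()}
    for s in sorted(quota, key=lambda s: quota[s] - int(quota[s]), reverse=True):
        if sum(counts.values()) == space:
            break
        counts[s] += 1
    return counts


def build_tables(freq, key):
    """Keyed table: a shuffled permutation of the 256 byte values cut into runs
    sized by allocate_homophones.  Returns (encrypt_map, decrypt_map)."""
    counts = allocate_homophones(freq)
    values = list(range(256))
    random.Random(key).shuffle(values)     # toy key schedule (assumption)
    enc, dec, pos = {}, {}, 0
    for sym, k in counts.items():
        enc[sym] = values[pos:pos + k]
        for v in enc[sym]:
            dec[v] = sym
        pos += k
    return enc, dec


def encrypt(text, enc, choose=random.SystemRandom().choice):
    """Pick a homophone uniformly for each character.  The choice must come
    from an unpredictable source, or the expansion adds nothing."""
    return bytes(choose(enc[c]) for c in text)


def decrypt(data, dec):
    return "".join(dec[b] for b in data)


def peak_symbol_probability(freq, counts):
    """Largest probability of any single ciphertext byte under the table; the
    figure a frequency count of the ciphertext would reveal."""
    total = sum(freq.values())
    return max(freq[s] / total / counts[s] for s in freq)
```

With this table the most likely ciphertext byte sits near 1/256, against about 0.18 for the space character in plaintext, so single-symbol counting is flattened. What is not hidden: the mapping is fixed, so a repeated plaintext word is always drawn from the same small sets of bytes, digraph structure survives, and with enough text the sets can be grouped by co-occurrence. That is the classical limit of homophones; the example shows what the byte-space expansion buys and no more.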

------------------------------

Date: Tue, 28 Dec 1999 23:55:59 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Secure Delete Not Smart

Guy Macon wrote:

> In article <84b21n$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Frank Gifford) 
>wrote:
>
> >All this stuff about overwriting files assumes that the drive is working
> >properly.  Suppose that after you had put your top secret formula for
> >Coca-Cola on your hard drive, it started to go bad.  The read/write head,
> >being a physical device, starts to drift away from the proper track and now
> >it is a little more to the outside than it used to be.  Now when you write
> >data, it's writing a little towards one side of the track, but the other
> >side of the track still contains your Coca-Cola formula.
>
> Minor correction; modern drives do not depend on mechanical tolerances.
> They servo to the center of the track.  Everything else you said is 100%
> correct, because servos can go bad and be off to one side of the track.

Modern drives also have the capability to microstep to either side of the track.  This
capability is often used as part of soft error recovery because thermal variations and
age cause wandering.  In theory you could use this capability to widen the erase band for
scrubbing, but the mechanism is usually proprietary and very hard to activate from the
outside.


------------------------------

Date: Wed, 29 Dec 1999 00:04:00 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: misc.misc
Subject: Re: HD encryption passphrase cracked!

Jim wrote:

> On 27 Dec 1999 21:17:52 GMT, [EMAIL PROTECTED] (Bill Unruh) wrote:
>
> >In <[EMAIL PROTECTED]> Matthew Montchalin
> ><[EMAIL PROTECTED]> writes:
> >>medium with a pair of tweezers?  Sure, they say that microscopic
> >>particles of dirt get into the hard drive, substantially compromising the
> >>storage capabilities, but if you really wanted to eradicate every last
> >>trace of the data, and yet still be able to use the medium (that is the
> >>important part), you can swipe a kitchen magnet over and around and
> >>around the medium before replacing it again.  Of course, after doing
> >
> >Well. I suspect that this would not do much good. A household kitchen
> >magnet is not all that strong, and furthermore it has a very low Fourier
> >coefficient on the drive surface, so it will not be very effective at
> >all in erasing those transients between 0 and 1 on the disk platter. It
> >may well mess it up enough to make it unusable but not enough that
> >someone could not recover whatever data was there already. You need a
> >very strong alternating magnetic field to do a good job of bulk erasing,
> >and even then I would worry about leaving the transients detectable.
> >Much better to burn it-- make sure the material goes above its Néel
> >temperature. Of course that makes it somewhat unusable afterwards.
>
> Wouldn't you have to take the platters out of the case, thus destroying
> the drive?
>
> Would've thought the case would prevent most of the erasing field getting
> to the surface of the platters (?)

No, the modern aluminum cases offer little resistance to an external magnetic field.




------------------------------

From: "John E. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Secure Delete Not Smart
Date: Tue, 28 Dec 1999 23:59:47 -0600

Donald Haines wrote:
> The only truly secure delete is to remove the platters and to
> destroy them.

In an emergency, we toss them into a container full of thermite
and set it off.
        - Douglas

------------------------------

From: "John E. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: finding seed for random number generator
Date: Wed, 29 Dec 1999 00:10:59 -0600

Stefan Hetzl wrote:
> I am using a pseudo-random number generator (linear congruency: X[i] =
> (a*X[i-1] + b) mod m) and want to find a seed X[0] which will generate a
> given sequence of numbers A[1]...A[n] or a sequence that is "very close"
> to A[1]...A[n] (with "very close" I mean that the number of A[i] not
> equal to X[i] is very small (as small as possible ?)).

Well, damn, set X[0] = A[1].

Oh, you mean A[1] is the first output of the iteration?
Find X[0] s.t. X[0]*a = {A[1] - b mod m} mod m where the
{braced} quantity is evaluated right up front.  I bet
"modular division" is a solved problem one could look up..
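The modular-division step John Gwyn points at, carried through as an added example (not code from the thread), together with the "very close" variant Stefan Hetzl asked about. The constants in the usage are the familiar ANSI C parameters and serve only as a sample; any a, b, m with gcd(a, m) = 1 work.

```python
def lcg_step(x, a, b, m):
    return (a * x + b) % m


def lcg_sequence(x0, a, b, m, n):
    """Outputs A[1..n] of the iteration started from seed X[0] = x0."""
    out, x = [], x0
    for _ in range(n):
        x = lcg_step(x, a, b, m)
        out.append(x)
    return out


def modinv(a, m):
    """a^-1 mod m by the extended Euclidean algorithm; None if gcd(a, m) != 1."""
    r0, r1, s0, s1 = a % m, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m if r0 == 1 else None


def lcg_prev(x, a, b, m):
    """One step backwards: X[i-1] = (X[i] - b) * a^-1 mod m."""
    inv = modinv(a, m)
    if inv is None:
        raise ValueError("a is not invertible mod m; the step has several preimages")
    return ((x - b) * inv) % m


def recover_seed(outputs, a, b, m):
    """The seed X[0] that produced outputs exactly, or None if no seed does."""
    x0 = lcg_prev(outputs[0], a, b, m)
    return x0 if lcg_sequence(x0, a, b, m, len(outputs)) == list(outputs) else None


def closest_seed(outputs, a, b, m):
    """For a target sequence that is only 'very close' to an LCG run.  Any seed
    that agrees with A[i] at position i is forced by A[i], so stepping back
    from each A[i] gives n candidates, and the seed with the fewest mismatches
    is among them (a seed matching nowhere has n mismatches, which is worse).
    Returns (x0, number_of_mismatches)."""
    best = None
    for i, ai in enumerate(outputs):
        x = ai
        for _ in range(i + 1):
            x = lcg_prev(x, a, b, m)
        regenerated = lcg_sequence(x, a, b, m, len(outputs))
        mismatches = sum(p != q for p, q in zip(regenerated, outputs))
        if best is None or mismatches < best[1]:
            best = (x, mismatches)
    return best


if __name__ == "__main__":
    A, B, M = 1103515245, 12345, 2 ** 31     # sample parameters, assumption
    observed = lcg_sequence(12345, A, B, M, 8)
    print(recover_seed(observed, A, B, M))   # 12345
```

The inverse exists only when gcd(a, m) = 1, which holds for the usual odd multiplier with a power-of-two modulus; otherwise a step has several preimages and the recovered seed is not unique. That one observed output pins down the generator's entire past and future is the security-relevant point: an LCG is a statistical generator, not a keystream generator.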

------------------------------

From: "John E. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Video card reconfiguration
Date: Wed, 29 Dec 1999 00:12:07 -0600

Julien Dumesnil wrote:
> I've heard it was possible to reprogram an MPEG card (freely available
> anywhere) to do some fast encryption/decryption stuff for some other codes
> (like IDEA, for example).

Doesn't seem likely to me.

Why not get Motorola's AIM evaluation board, development libraries, etc.

------------------------------

From: "John E. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia
Subject: Re: Economic Espionage Act of 1996 and the U.S.A. government's 
Date: Wed, 29 Dec 1999 00:14:12 -0600

Eric Chomko wrote:
> Ah yes, another Americanism of the English language: shutter.

Even in America, it should have been "shudder".
Our public school systems have not been doing a good job.

------------------------------

From: "John E. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Synchronised random number generation for one-time pads
Date: Wed, 29 Dec 1999 00:20:55 -0600

Joseph Ashwood wrote:
> ... I fully realize that for this reason DES is not as secure for
> every purpose as XOR (which has no identical keys), ...

Guys, please quit referring to an "XOR" encryption method.
XOR is simply a Boolean operation.  What you mean is "XOR
with a random key as long as the plaintext".

------------------------------

From: [EMAIL PROTECTED] (NFN NMI L.)
Subject: Re: HD encryption passphrase cracked!
Date: 29 Dec 1999 06:20:49 GMT

"Secure Deletion of Magnetic Media", Peter Gutmann. Good reading. I have the
URL somewhere.

<<2. Trying to have a high entropy passphrase with today's symmetric key
   lengths is challenging, but fairly achievable.>>

I created my PGP passphrase by using a list of 8192 words, and 128 completely
random bits (go to HotBits, collect 256KB worth of random bits, break them up
into chunks of 128 bits, XOR them all together, XOR in some crummy BASIC
pseudorandom bits, some ASCII gibberish, and then break the 128 bits into
clumps of 12 or something bits apiece.) My passphrase ended up being 10 words
long, made of words all 6 letters or less, and it's as strong as, if not stronger
than, the symmetric cipher I use.

By the way, now that it doesn't matter, what WAS the passphrase? :-D

S. "Deleted" L.

------------------------------

From: "John E. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Grounds for Optimism
Date: Wed, 29 Dec 1999 00:42:54 -0600

John Savard wrote:
> But do we have any grounds for optimism about the strength of the
> ciphers we either have, or could design?

Not without a carefully developed rational theory.

> As I have noted, while it is merely a generalization, it is reasonable
> to suspect that increases in the speed of serial computation assist
> the cryptographer more than the cryptanalyst. In the case where the
> cryptanalyst must resort to brute force, this is obvious: multiply the
> length of a key by N, and the time required to encipher increases by N
> squared (to thoroughly utilize the longer key) but the time of a
> brute-force search has increased exponentially. But even where we
> cannot be assured our ciphers are this secure, as a cipher is scaled
> up, attacks of all types do become much harder.

I don't see that at all.  No good cryptanalysis work factor runs
anything like O(2^N) in the key length.  (Brute-force key search
is not good cryptanalysis, unless it is obvious in advance that
it will be quick and cheap.)  Unless you can *prove* that some
system can *only* be cracked by a work factor equivalent to
brute-force key search, your argument does not apply.

> If we look at the ciphers of World War II, the high-level ciphers of
> the Axis were solved, but with great difficulty. An immense effort was
> needed to attack each of the Enigma, the Schlusselzusatz, and CORAL,
> the improved successor of PURPLE, which took no small effort to solve
> itself.

A more relevant point is that the best encryption technology of
that time was still defeated through clever cryptanalysis.  The
somewhat-brute-force Bombe approach was not logically necessary,
but it was the first successful method that came to hand, so it
was the one that got implemented.

> But there also existed the American SIGABA. And that was a quantum
> leap ahead of other rotor machines.

A "quantum leap" would be the *smallest* possible step, presumably
not what you intended to convey.

> Even it could have been attacked -
> but only if it were very badly misused, with dozens of messages sent
> with the same initial rotor setting. Only then, with a multitude of
> complete alphabets at his disposal, could the cryptanalyst divine
> something about the control rotors.

The strength of SIGABA was that it was designed by cryptanalysts
who had had remarkable success in breaking other rotor systems,
and they made sure that it did not exhibit the vulnerabilities
that they had been exploiting.  That is not to say that it would
not be vulnerable to other methods of attack that they had not
yet envisioned (because they hadn't yet needed to invent them).

Be aware that machine malfunctions of certain kinds could disclose
a lot of helpful information to the cryptanalyst.  Identifying
such "busts" and exploiting them has historically been an important
part of cracking machine systems.

> Thus, if we "go all out" in designing ciphers; make them big and
> complicated to make full use of the power of a modern personal
> computer, use steps of indirection that seem to raise a barrier to any
> conceivable form of analysis, I think we have a reasonable chance of
> achieving security. That is how we can follow the lead of the SIGABA,
> and produce its modern-day equivalent. (Hence, my "large-key
> brainstorm", several of Terry Ritter's cipher designs, or even a nod
> to the gigantic S-boxes of David Scott.)

"The bigger they are, the harder they fall."

Basically, very complex designs are more of an annoyance than an
obstacle.  The most analysis-resistant systems continue to be the
ones built by analysts who have cracked similar systems and know
what weaknesses need to be prevented.

        - Douglas

------------------------------

From: "John E. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: HD encryption passphrase cracked!
Date: Wed, 29 Dec 1999 00:46:19 -0600

"NFN NMI L." wrote:
> I created my PGP passphrase by using a list of 8192 words, and 128 completely
> random bits (go to HotBits, collect 256KB worth of random bits, break them up
> into chunks of 128 bits, XOR them all together, XOR in some crummy BASIC
> pseudorandom bits, some ASCII gibberish, and then break the 128 bits into
> clumps of 12 or something bits apiece.) My passphrase ended up being 10 words
> long, made of words all 6 letters or less, and it's as strong as, if not stronger
> than, the symmetric cipher I use.

The cracker doesn't need your actual passphrase, just one that
produces the same (symmetric) key.  How do you remember your
passphrase?  If you store it on a physical medium, it can be
copied by a sneak.
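Added example (not the poster's procedure and not PGP's code): turning random bits into a passphrase from a power-of-two wordlist, the way the 8192-word, 13-bits-per-word scheme described above works, plus the arithmetic behind John Gwyn's reply that the attacker needs only some passphrase yielding the same key. The 8192-entry wordlist is a constructed placeholder for a real one, and the randomness comes from the operating system via `secrets` rather than the HotBits-plus-BASIC mixture described in the earlier post.

```python
import math
import secrets

# Constructed placeholder standing in for a real 8192-word list.
WORDLIST = [f"word{i:04d}" for i in range(8192)]


def words_needed(wordlist_size, target_bits):
    """Words required for target_bits of entropy when each word is drawn
    uniformly from a list of wordlist_size entries."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def indices_from_bits(raw, wordlist_size):
    """Cut a random byte string into fixed-width indices, MSB first.  A trailing
    partial chunk is discarded: a short chunk could only select low entries."""
    bits_per_word = wordlist_size.bit_length() - 1
    if 1 << bits_per_word != wordlist_size:
        raise ValueError("wordlist size must be a power of two for clean chunking")
    n = int.from_bytes(raw, "big")
    total = len(raw) * 8
    return [(n >> (total - start - bits_per_word)) & (wordlist_size - 1)
            for start in range(0, total - bits_per_word + 1, bits_per_word)]


def generate_passphrase(wordlist, target_bits):
    """Draw enough OS randomness for target_bits and map it onto words."""
    nwords = words_needed(len(wordlist), target_bits)
    bits_per_word = len(wordlist).bit_length() - 1
    raw = secrets.token_bytes(math.ceil(nwords * bits_per_word / 8))
    idx = indices_from_bits(raw, len(wordlist))[:nwords]
    return " ".join(wordlist[i] for i in idx)


def effective_entropy_bits(wordlist_size, nwords, key_bits):
    """The attacker needs only a passphrase that derives the same symmetric
    key, so the search it faces is capped at the key length."""
    return min(nwords * math.log2(wordlist_size), key_bits)
```

Ten words from an 8192-entry list carry 130 bits, so against a 128-bit key the passphrase is not the weaker part, and an eleventh word adds nothing an attacker would have to search. The usual failure is elsewhere, as Gwyn notes: a passphrase of this length has to be written down or it has to be typed somewhere, and both are easier to obtain than to guess.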

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
