Cryptography-Digest Digest #845, Volume #10 Wed, 5 Jan 00 17:13:01 EST
Contents:
Re: On documentation of algorithms (long) (Mok-Kong Shen)
Re: Secure Delete Smart (Albert P. Belle Isle)
Re: Installing new certificate into Netscape 3 (Sundial Services)
Re: simple block ciphers (Anton Stiglic)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On documentation of algorithms (long)
Date: Wed, 05 Jan 2000 22:35:27 +0100
Note: I had a couple of direct e-mail correspondences with a reader
of the present thread. Since I believe that part of the contents
thereof could also be of interest to other readers of the thread,
I am reproducing two of my e-mails below, with the name of the
receiver blended out.
Warning: This post is long. It might cost you much time reading.
=============================================
=============================================
xxx xxxxxx wrote:
>
> I am not certain that it is to be treated a bit differently.
>
> MOST people take their cars to a qualified individual to have the
> brakes worked on. Almost no one studies enough materials science
> to really be qualified to determine the quality of manufacture of
> the brakes or of the quality of the work that is done to install
> them. There simply isn't time or energy to do this. OR if you DO
> do this then you don't have the time and energy to verify the
> electrical safety of your appliances. Or the safety of your drinking
> water. Or of the air that you breathe. And the list is nearly
> endless.
I don't agree with you. The security of cars is directly or
indirectly supervised by the government and the government has a
real interest to attain a maximum security, if possible/practicable.
But the same is not the case with crypto (cf. key-escrow etc.)
Similarly with the other items. Yes, there are things that 'common
people' only theoretically but never practically can do anything with,
not only because of lack of time/energy/intelligence but also due to
given political constellations, etc. But we want to do the best
for us, where such possibilities exist, don't we? In the present case
what I desire (I didn't explicitly say that, though) is that
a crypto algorithm that is to be a 'standard' (like e.g. AES) should
lay open all its design details/rationales completely and be
excellently well documented (together with a publicly accessible
archive of test results, programs, reports, etc.) In other words,
it should not be the case as was with DES, which is still under a
veil of secrecy today. (How can you genuinely trust something,
wherein there are matters you are not 'allowed' to know?) In
particular, the document should not be such that it could only be
well comprehensible by a small exclusive club of experts but should
at least be fully understandable, say, by a physicist, if he is
willing to spend a couple of months to do that. Do you think that
this is unreasonable/unnecessary or that I am asking for too much?
>
> Certainly cryptography can have importance to people. But I would
> think that almost no one in this society has the time or energy to
> properly evaluate more than a tiny tiny fraction of the modern items
> and services that they make use of.
>
> The fallback position seems to be that you go to someone who you
> trust and let his reputation serve as your measure of reliability.
> OR we put in place some sort of certification process and you only
> let certified people take care of your children or fix your brakes
> or implement cryptography for you.
The difference lies in the 'existence' or not of a 'possibility'
of something being thoroughly examined/studied (or used etc. in the
context of other non-crypto matters). If there is such a possibility,
then, even if nobody ever makes use of that, the chance of there
being backdoors/flaws etc. is greatly reduced compared to the
situation where such a possibility (practically) does not exist.
Frankly, I don't have 100.00 % confidence in a paper signed by the
20 best-known cryptologists of the world testifying that a certain
algorithm, whose design is classified, is perfectly o.k. What's your
position? It's not that I want to or can study that algorithm, nor
do I need that someone whom I personally trust be able to do that.
If there are a sufficiently large number of people (the number has
to be such that the chance of all of them being conscious/unconscious
'collaborators' of certain political or other interest groups is
null) who can, if they 'wish', do the task, then I'll have full
confidence in what the small number of experts say. Note again the
special nature of crypto. Very few people in the world can read
the proof of FLT. I have no problem in trusting the words of the
few experts saying that the proof is flawless. For, firstly, I
am quite sure that there is no 'motivation' at all for them not to
say the truth. Secondly, I wouldn't be hurt even if the proof were
wrong. But with crypto it is different, in case I indeed have a very
secret message to be sent via a certain algorithm. Do you see my
point?
>
> IF you can make a case that cryptography should be the exception
> and that all individuals should become proficient in it I would
> be willing to listen. But, based on previous experience, I get
> a VERY cold reception when I go down to my local bank and question
> even the obvious mistakes that their systems have made, let alone
> demanding that they demonstrate the source so that I might be able
> to evaluate the underlying number theoretic strength of their
> software. And that doesn't even begin to address that I must then
> somehow test the resulting object code to see that it has not been
> subverted by the compilation process or the distribution process
> or by mechanical subterfuge at the point of sale.
I suppose the first sentence above is covered by what I wrote above.
For the rest: A crypto algorithm is at the base/foundation of an
security system/service. If you manage to have that 'solid', then
at least you have something better than in case you don't. Or
do you not agree? (Yes, a fraudulent clerk could even put faked pieces
of bank notes in the distributor and there is absolutely nothing you
can deal with that through whatever you do with the crypto algorithm
or with the mechanical parts of the distributor.)
>
> HOW could I imagine that I could be certain of services rendered
> by others?
There can be no absolute certainty in this world. The higher the
'possibility' that an 'arbitrary' person 'can' control (check) a
service, the higher will be the certainty that that service is o.k.
(even in case nobody other than the provider actually carries out
the control).
Regards,
M. K. Shen
=====================================================
=====================================================
xxx xxxxxx wrote:
>
> On Tue, 4 Jan 2000, Mok-Kong Shen wrote:
> > xxx xxxxxx wrote:
> > > I am not certain that it is to be treated a bit differently.
> > >
> > > MOST people take their cars to a qualified individual to have the
> > > brakes worked on. Almost no one studies enough materials science
> > > to really be qualified to determine the quality of manufacture of
> > > the brakes or of the quality of the work that is done to install
> > > them.
> >
> > I don't agree with you. The security of cars is directly or
> > indirectly supervised by the government and the government has a
> > real interest to attain a maximum security, if possible/practicable.
>
> I seriously question this. The car manufacturers exert influence on the
> standards to attempt to maximize the manufacturers profits. The
> government balances safety of cars against the economic success of the
> country and the ability by setting standards to shift the balance of
> competition against other countries. There have been ongoing claims
> for decades that say safety of cars has been compromised for the benefit
> of some parties. I think there are many other competing interests, even
> if limited to the government that get in the way of maximum security.
The involvement of politics indeed makes all things complicated. We
all know that lobbying is ubiquitous and there are government
officials that are corrupt. So, lacking a 'Utopia', one wouldn't have
things that are perfect. But in many cases, with enough engaging
people and through the vehicle of media, some movements in direction
of the ideal could be effected. The particular case with cars isn't
that bad. For the market competition, which is very strong, aids to
ensure that. Many times I read news that certain manufacturers
called back a number of cars that had security problems due to
design. This is a benefit of a free market as against one where it is
in the hand of the government.
>
> > But the same is not the case with crypto (cf. key-escrow etc.)
>
> But this is simply another example where one group wishes to tip the
> balance in their favor.
It is a sad fact that humans seem to be almost the single species of
creatures that don't always live with one another peacefully as well
as work cooperatively to promote an optimal goal of the ensemble.
Almost all animals however do. Are you going to change that
fundamental human inclination? What we can do is to recognize
the (given) bad situations and see if we could ameliorate these some
little bit.
>
> > Similarly with the other items. Yes, there are things that 'common
> > people' only theoretically but never practically can do anything with,
> > not only because of lack of time/energy/intelligence but also due to
> > given political constellations, etc.
>
> If it is practically unattainable then the utility of pressing for this
> seems of dubious value.
I am saying that there are things which in my opinion seem to have
little chance of being turned in a good direction. One example is
air pollution with resulting effects, among others, on weather in
long terms. In the case of this thread, I am firmly convinced that
the situation is entirely different. To be specific, if I were the
author of an algorithm that is chosen to be an international
standard, I would put all my energy to write a very readable and
comprehensive document and put as much test results and other
relevant materials to the disposal of the public as possible. I
would challenge the readers to raise questions about ambiguity
etc. etc. Is that unattainable? Yes, unattainable when the
author of the algorithm doesn't have the 'willingness' to do that
for the benefit of the public. That could be due to a number of
diverse reasons, e.g. patent interests. But the standardization
organ can do quite much in that issue. (Well, you could counter
by saying that the working of standardization bodies may itself
be problematical. Being by chance previously involved in certain
standardization works, I know that fairly well. However, I suppose
that this particular branch of our argumentation could stop at this
point. For otherwise the scope of discussion is going to be ever
broader. Note that, for example, a discussion about a seemingly
innocent question like 'What is truth?' could be continued to
eternity.)
> > In the present case
> > what I desire (I didn't explicitly say that, though) is that
> > a crypto algorithm that is to be a 'standard' (like e.g. AES) should
> > lay open all its design details/rationales completely and be
> > excellently well documented (together with a publicly accessible
> > archive of test results, programs, reports, etc.) In other words,
> > it should not be the case as was with DES, which is still under a
> > veil of secrecy today. (How can you genuinely trust something,
> > wherein there are matters you are not 'allowed' to know?) In
> > particular, the document should not be such that it could only be
> > well comprehensible by a small exclusive club of experts but should
> > at least be fully understandable, say, by a physicist, if he is
> > willing to spend a couple of months to do that. Do you think that
> > this is unreasonable/unnecessary or that I am asking for too much?
>
> How could you possibly have confidence that you had this? If you
> question the ethics and motives of the individuals producing something
> and even if you ask them to give you more, how can you ever have the
> confidence that you have "all the design details/rationales completely
> and excellently well documented"?
One viable possibility is to arrange to have the author of the
algorithm to answer questions. If, for example, he uses a 'magic'
constant in his algorithm, let him explain how he arrived at that.
If certain specific construct is claimed to be beneficial in respect
of crypto strength, let him show that theoretically and experimentally
(with well-documented programs and computing results).
> > > Certainly cryptography can have importance to people. But I would
> > > think that almost no one in this society has the time or energy to
> > > properly evaluate more than a tiny tiny fraction of the modern items
> > > and services that they make use of.
> >
> > The difference lies in the 'existence' or not of a 'possibility'
> > of something being thoroughly examined/studied (or used etc. in the
> > context of other non-crypto matters). If there is such a possibility,
> > then, even if nobody ever makes use of that, the chance of there
> > being backdoors/flaws etc. is greatly reduced compared to the
> > situation where such a possibility (practically) does not exist.
>
> If those that you do not trust have high confidence that nobody has the
> time or skill to really understand this then what would limit them from
> providing incomplete or misleading or incorrect information, since you
> seem to agree that it is beyond most individuals ability to even inspect,
> let alone study and understand and point out potentially very subtle
There is no insurance company that will insure 'everything' for you,
unless at a premium that you could never pay. All risks can only
be estimated within certain bounds of error. As said above, if the
author can always be made to answer questions, one has a very
good chance of thoroughly understanding his algorithm, assuming one
has the knowledge repertoire of a natural science undergraduate at
his disposal. Crypto is, after all, quite learnable by many in my
humble opinion. (If you have an algorithm and are always ready to
answer questions, I, for one, am quite sure that I'll understand
that within a reasonable time period.) The only big stumbling block
on the route to understanding is bad documents and lack of facilities
to gain explanatory information, and that's why I initiated this
thread.
> > Frankly, I don't have 100.00 % confidence in a paper signed by the
> > 20 best-known cryptologists of the world testifying that a certain
> > algorithm, whose design is classified, is perfectly o.k. What's your
> > position?
>
> My position is that it seems very odd that we do not seem to have a single
> proof of the strength of any cryptographic system, other than the true
> one-time-pad. This in spite of a great deal of effort that has been spent
> in this field. And it seems that the lack of any proof of strength leads,
> in part, to an unbounded paranoia by people, the invincible response from
> anyone is "yes but somebody MIGHT be able to break it." And we have no
> rebuttal to this.
You never need perfect security, which is unattainable. An ideal
OTP cannot be obtained (or known to have been obtained) in practice.
What you need is security against the threat that actually exists
for a finite time period within which you require the protection.
You have to do, unfortunately, 'estimations' (based on more or
less 'subjectivity') everywhere in this issue. That's a fact that
you can't change. If you are cautious/conservative, you can use
multiple encryption in the hope that the security will be better.
But an 'absolute' proof of that you can never get. At the end you
would find that you must rely on certain 'belief' (like in religion).
However, you could arrange things to well 'correspond' to that 'belief'
to some extent, which itself is a subjective issue, though.
> I have actually worked with individuals, on non-crypto related work, where
> individuals said that they had fears that SOMEBODY might be able to read
> the contents of what had been stored in ordinary random access memory,
> even after something else had been stored in that memory, and thus doing
> multiple writes of truly random data to memory MIGHT be enough to make
> it harder to recover the data in memory by SOMEONE who was sufficiently
> devious. This was not talking about writing to a drive, not writing to
> EPROM or flash memory, but ordinary dram. There seems to be simply no
> upper bound to the paranoia of individuals and no argument that will
> convince them otherwise.
Yes, some people, for example, never fly on airplanes. It is up
to you to estimate the (your individual) risks/benefits and
determine whether you would like to fly. There is no point to set
up rules of 'standard' behaviours of human beings. Experts' advice
may help you in decision making, but this could, in principle, be
misleading. Everyone must make decisions of his life in each and
every affair and that on his own responsibility. Nobody is going to
take away that onerous job from you. If you think of it carefully,
you are in effect gambling all the time in your life.
> > It's not that I want to or can study that algorithm, nor
> > do I need that someone whom I personally trust be able to do that.
> > If there are a sufficiently large number of people (the number has
> > to be such that the chance of all of them being conscious/unconscious
> > 'collaborators' of certain political or other interest groups is
> > null) who can, if they 'wish', do the task, then I'll have full
> > confidence in what the small number of experts say. Note again the
> > special nature of crypto.
>
> But if none but the few can study it and they might all be shown that
> there is a claimed greater good by claiming that it is secure then even
> they might accept the argument to agree that it is good. This all seems
> to be a matter of degree of how powerful and sinister or even potentially
> good, but for dark reasons, the invisible and un-nameable opponents are.
> And there seems to be no upper bound on how paranoid we can become. But
> paranoia isn't my concern. I question how your desired goal could be
> known to be satisfied, how could you decide that it has been done? How
> could I? Or everyone?
In order to (or hope to) change the undesirable situation that
certain algorithms could only be well understood by a few experts,
I started this thread. You could present arguments to show why
such changes are impossible. But simply claiming that only few can
understand does not contribute to the discussion at hand.
> > Very few people in the world can read
> > the proof of FLT. I have no problem in trusting the words of the
> > few experts saying that the proof is flawless. For, firstly, I
> > am quite sure that there is no 'motivation' at all for them not to
> > say the truth. Secondly, I wouldn't be hurt even if the proof were
> > wrong. But with crypto it is different, in case I indeed have a very
> > secret message to be sent via a certain algorithm. Do you see my
> > point?
>
> Well, Hardy was saying that he felt it fortunate that number theory
> was the only truly useless thing. And now number theory is the basis
> for much of crypto. So I'm not sure that FLT is so far away. But
> that is a minor point.
I don't exclude that you would one day be one of the few experts
in this connection, if you strive hard enough and have the time.
> I see that you do not have to depend on FLT and thus don't care whether
> it is valid or not, that seems completely justified. The same could be
> said for car brakes if you don't use them. And, like car brakes, you
> want to know that you can depend on your method of secrecy. But I don't
> see how to get that confidence and to really know that you have it, if
> you REALLY REALLY need to know you have it. If you just want a little
> confidence that you have it then you don't need much. If you need a LOT
> of confidence it seems much harder than having some agency say "Oh sure,
> we told you everything about this and it is a 6000 page document that
> describes the theory, and only a handful of the best in the world
> understand it or have the background to begin to study it.
False. I happen to have much interest in FLT since quite a long time.
However, I soon realised that my intelligence and time wouldn't give
me any chance of success. Confidence is something subjective. It is
your estimation and can be different from mine. It is up to you
to decide whether you really have confidence in something. See the
flying airplane example above. But there exist situations where
more people have confidence, while in other situations only
few have confidence. The purpose of this thread is to try to
promote a situation where (hopefully) more people have confidence.
> > For the rest: A crypto algorithm is at the base/foundation of an
> > security system/service. If you manage to have that 'solid', then
> > at least you have something better than in case you don't. Or
> > do you not agree? (Yes, a fraudulent clerk could even put faked pieces
> > of bank notes in the distributor and there is absolutely nothing you
> > can deal with that through whatever you do with the crypto algorithm
> > or with the mechanical parts of the distributor.)
>
> But you said you really really needed to know that your method was safe.
> How do we know the little cameras in the walls aren't thwarting even the
> best crypto method. I can let paranoia run wild and we have no answer.
I said you have to estimate risks. In other words, you stop
at a certain boundary (of your own choice) within which you
'consider' yourself safe (and that in your own responsibility).
> > > HOW could I imagine that I could be certain of services rendered
> > > by others?
> >
> > There can be no 'absolute' certainty in this world. The higher the
> > 'possibility' that an 'arbitrary' person 'can' control (check) a
> > service, the higher will be the certainty that that service is o.k.
> > (even in case nobody other than the provider actually carries out
> > the control).
>
> If I know that nobody is going to check my work I can do anything.
Yes, IF you know. In the context of this thread, the goal of having
good documents is to eliminate (or to hopefully eliminate) that IF.
M. K. Shen
------------------------------
From: Albert P. Belle Isle <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: Re: Secure Delete Smart
Date: Wed, 05 Jan 2000 16:45:29 -0500
Reply-To: [EMAIL PROTECTED]
On Wed, 05 Jan 2000 12:42:11 -0500, Henry <[EMAIL PROTECTED]>
wrote:
>Why go to all the trouble when you can absolutely destroy portable magnetic
>media records by passing the media near a powerful magnet? [Has the added
>advantage of permitting the re-use of the media] As for Hard Drives, there
>is simple software available which completely overwrites a file you wish
>deleted [instead of just obscuring the file name] making it impossible to
>recover, or, of course, there is always the Format command which wipes the
>entire disk beyond recovery.
>
Henry:
What "format" formats is the File Allocation Table that contains the
64K pointers to the clusters of 512-byte data sectors on the disk.
Just as "delete" just changes the first character in one of those
pointers to a symbol that means "this cluster is available if you want
to use it for a new file" (and doesn't actually affect the contents of
the file's beginning data cluster to which it points), "format" just
creates an entire clean set of 64K zeroized pointers.
Even the "long" version of "format" only tries to _read_ each cluster,
to see if it should be marked in the FAT as "bad," without writing
anything.
Low-level formatting of hard drives hasn't been possible for the last
several generations of devices - since the adoption of servo tracking.
The higher coercivity of the magnetic materials needed for servo
tracking is one of the reasons for the move to higher classification
degaussers by NSA.
(The highest coercivity media, however, are actually some types of
magnetic tapes - some being beyond the capability of even Class III
degaussers, and requiring physical destruction measures.)
It's not just "passing the media near a powerful magnet."
Forensic disk data recovery attacks attempt to read "deleted" (or
inadequately overwritten) magnetically stored data on your disk either
(1) through its drive controller connector, using PC-hosted software;
(2) through its drive heads, bypassing the disk's controller circuits;
or
(3) directly on each disk platter's recording surface in a clean-room.
Class 1 attacks can be mounted directly with forensic software, hosted
on your PC or on the attackers' PC. These software-based attack
measures can be countered with software-based countermeasures; viz.,
any kind of disk data overwriting (such as Clearing per DOD 5220.22-M)
that is applied to _all_ sensitive plaintext on the disk.
Class 2 attacks use special amplifiers and signal processing to
extract previously recorded data from under subsequent overwrites.
They rely on increased capabilities over the disk's on-board
electronics. Sanitizing per DOD 5220.22-M was designed to counter such
attacks by increasing the noise-to-signal ratio beyond their
capabilities.
Many (but not all) INFOSEC people believe that the increased
signal-processing sophistication of the on-board controllers required
to even read the last-written data has kept Sanitizing ahead in this
particular measure/countermeasure race. However, most question the
adequacy of Sanitizing in protecting older, lower-density disks
(especially diskettes) against the most modern and sophisticated Class
2 attacks.
Class 3 attacks (such as with magnetic force microscopy), are
generally considered able to penetrate any software countermeasures,
including _any_ kind of overwriting. They are very costly techniques
to use to recover the complete image-as-it-used-to-be of an
overwritten multi-gigabyte disk, as opposed to a few specifically
targeted bytes.
Nevertheless, any data of sufficient value to intelligence services or
comparably funded adversaries should not have its confidentiality rely
upon overwriting countermeasures.
The value of your data to the kinds of attackers who can use each
class of techniques will determine whether you must counter that
class.
This is the basis for requiring defense contractors to use Clearing or
Sanitizing per DOD 5220.22-M (for re-use or for disposal,
respectively) of media containing data classified as Confidential or
Secret, while requiring NSA-approved degaussing and destruction for
Top Secret media.
For an overview of such side channel attacks on Windows cryptosystems,
and countermeasures to them, see the tutorials on the Cerberus Systems
web-site in my signature block.
The armed services' standards for disk data overwriting are NAVSO
P5239-26, AFSSI-5020 and AR 380-19.
Albert P. BELLE ISLE
Cerberus Systems, Inc.
================================================
ENCRYPTION SOFTWARE with
Forensic Software Countermeasures
http://www.CerberusSystems.com
================================================
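A software overwrite of the Clearing kind the post describes, added here as an example (it is not Cerberus Systems' software and does not quote DOD 5220.22-M): each pass is forced to the device with fsync and the final pass is read back and checked. The pass patterns and the sample file are this example's own constructed choices.

```python
import hashlib
import os
import secrets
import tempfile

# Added example: an in-place multi-pass file overwrite of the "Clearing" kind
# the post names as the countermeasure to Class 1 (software-hosted) recovery.
# The pass patterns are this example's own choice, not a quotation of
# DOD 5220.22-M, and the code is not Cerberus Systems' product.

CHUNK = 1 << 16  # 64 KiB at a time, so large files need not fit in memory


def _pattern(kind: str, n: int) -> bytes:
    """Return n bytes of the requested fill pattern."""
    if kind == "zeros":
        return b"\x00" * n
    if kind == "ones":
        return b"\xff" * n
    if kind == "random":
        return secrets.token_bytes(n)
    raise ValueError(f"unknown pattern {kind!r}")


def _write_pass(fh, size: int, kind: str) -> str:
    """Overwrite the first `size` bytes of fh with one pattern, force it past
    the OS cache, and return SHA-256 of the bytes written."""
    fh.seek(0)
    digest = hashlib.sha256()
    remaining = size
    while remaining > 0:
        buf = _pattern(kind, min(CHUNK, remaining))
        fh.write(buf)
        digest.update(buf)
        remaining -= len(buf)
    fh.flush()
    os.fsync(fh.fileno())  # otherwise the overwrite may sit in the page cache
    return digest.hexdigest()


def _read_digest(fh, size: int) -> str:
    """SHA-256 of the first `size` bytes now stored in fh."""
    fh.seek(0)
    digest = hashlib.sha256()
    remaining = size
    while remaining > 0:
        buf = fh.read(min(CHUNK, remaining))
        if not buf:
            raise RuntimeError("short read while verifying the overwrite")
        digest.update(buf)
        remaining -= len(buf)
    return digest.hexdigest()


def overwrite_file(path: str, passes=("zeros", "ones", "random"), unlink: bool = True) -> int:
    """Overwrite every byte of `path` once per pass, read the last pass back
    to verify it persisted, then optionally unlink.  Returns bytes overwritten."""
    if not passes:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for kind in passes:
            written = _write_pass(fh, size, kind)
        if _read_digest(fh, size) != written:
            raise RuntimeError("verification failed: final pass did not persist")
    if unlink:
        os.remove(path)
    return size


def demo() -> dict:
    """Overwrite a constructed plaintext file and report whether the original
    bytes survive, whether the size is unchanged, and whether unlink worked."""
    plaintext = b"ACCOUNT 12345 PIN 0000 - constructed sample record\n" * 2000
    paths = []
    for _ in range(2):
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(plaintext)
            paths.append(tmp.name)
    try:
        size = overwrite_file(paths[0], unlink=False)
        with open(paths[0], "rb") as fh:
            after = fh.read()
    finally:
        os.remove(paths[0])
    overwrite_file(paths[1])  # full procedure including unlink
    return {"size": size, "same_size": len(after) == size,
            "survived": plaintext[:32] in after,
            "removed": not os.path.exists(paths[1])}
```

Such an overwrite addresses only the Class 1 attacks in the post; on journaling or copy-on-write file systems and on flash media the sectors overwritten may not be the ones that held the plaintext, so device-level procedures are needed there.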
------------------------------
Date: Wed, 05 Jan 2000 14:50:00 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Installing new certificate into Netscape 3
The certificate-installation procedure appeared to work (after the
certificates with serial number 2:41:00:00:01 were removed), but the
overall process was not successful.
After the update, the message "an error occurred in the certificate
database" occurred when accessing any secured site.
Fortunately, I had backed up the certificate database files before
proceeding.
====================================================================
Sundial Services :: Scottsdale, AZ (USA) :: (480) 946-8259
mailto:[EMAIL PROTECTED] (PGP public key available.)
> Why =shouldn't= it be quick and easy to keep your database online?
> ChimneySweep(R): "Click click, it's fixed!" {tm}
> http://www.sundialservices.com/cs3web.htm
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: simple block ciphers
Date: Wed, 05 Jan 2000 17:04:56 -0500
Hi Tom,
Given enough ciphertext, you can pretty much guess what p is
(since all the ciphertexts will be between the values 1 and p-1).
If you use it as a block cipher, you'll get quite a few ciphertexts.
So for reasonable use, you can consider p to be known.
Now, a problem believed to be hard is given a prime p, a generator
g and an element y, find x such that g^x = y mod p (this is the DH
problem). The basis (the generator g) is fixed! In your case, the
base is not fixed, this changes the problem (the problem is not
equivalent to the DH problem). I can't think of any useful type of
attack right now, though.
Now, some notes on the algo. Firstly, why do you choose e to be
prime?
Secondly, if you want d to exist, you must have gcd(e, p-1) = 1
(unless you work in some sub group of order q, and in that case
q has to be big enough for security reasons).
Thirdly, if in fact you really want e to be prime, then you really restrict
the possible amount of e's, since you have to have gcd(e,p-1) =1
and e is prime, e would have to be a factor of p-1. (If you know the
factorization of p-1, it's probably an easy search...).
Anton
Tom St Denis wrote:
> [first I did not invent this ...!!!]
>
> Why isn't this type of cipher used more often [aside from being slow].
>
> Symmetric cipher ...
>
> p = random prime
> e = random prime less than p
> d = chosen such that de = 1 mod (p - 1)
>
> Encrypt(x) = x^e mod p
> Decrypt(x) = x^d mod p
>
> Where (d, e, p) is the private key.
>
> This type of cipher allows for a variable key/block size and is very
> simple to implement. Other than being slow why isn't it used?
>
> And if p is private, can a small p be used (say around 128 bits?)
>
> Tom
> --
> [EMAIL PROTECTED]
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
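The exponentiation cipher from the exchange above, as an added example that is not code from either poster: it applies the gcd(e, p-1) = 1 condition from the reply, counts how many plaintexts collide when that condition fails, lists the prime exponents that still admit a d, and shows p being read off from enough ciphertexts. p = 1009 and the exponents are constructed toy values; a real instance would use a large p.

```python
from math import gcd
import random

# Added example of the exponentiation cipher in the thread:
#   Encrypt(x) = x^e mod p,  Decrypt(y) = y^d mod p,  d*e = 1 mod (p-1).
# p = 1009 (so p-1 = 1008 = 2^4 * 3^2 * 7) and the exponents are constructed
# toy values; this is not code from either poster.


def make_key(p: int, e: int) -> tuple:
    """Return (e, d, p); raises ValueError when no d exists, i.e. when
    gcd(e, p-1) != 1, the condition given in the reply."""
    g = gcd(e, p - 1)
    if g != 1:
        raise ValueError(f"gcd(e, p-1) = {g}, so e has no inverse mod p-1")
    return e, pow(e, -1, p - 1), p  # pow(e, -1, m) needs Python 3.8+


def encrypt(x: int, e: int, p: int) -> int:
    return pow(x, e, p)


def decrypt(y: int, d: int, p: int) -> int:
    return pow(y, d, p)


def roundtrip_ok(p: int, e: int) -> bool:
    """Check Decrypt(Encrypt(x)) == x for every block value 1..p-1."""
    e, d, p = make_key(p, e)
    return all(decrypt(encrypt(x, e, p), d, p) == x for x in range(1, p))


def colliding_blocks(p: int, e: int) -> int:
    """Number of plaintexts in 1..p-1 whose ciphertext is shared with another
    plaintext.  When gcd(e, p-1) = g > 1 the map x -> x^e is g-to-1 on the
    multiplicative group, so no decryption exponent can undo it."""
    preimages = {}
    for x in range(1, p):
        preimages.setdefault(pow(x, e, p), []).append(x)
    return sum(len(v) for v in preimages.values() if len(v) > 1)


def usable_prime_exponents(p: int) -> list:
    """Primes e < p with gcd(e, p-1) = 1: the prime exponents that admit a d."""
    sieve = [True] * p
    sieve[0] = sieve[1] = False
    for i in range(2, int(p ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, p, i):
                sieve[j] = False
    return [e for e in range(2, p) if sieve[e] and gcd(e, p - 1) == 1]


def recover_p_from_ciphertexts(p: int, e: int, blocks: int, seed: int = 1) -> int:
    """Encrypt `blocks` random plaintexts and return max(ciphertext) + 1.
    Every ciphertext lies in 1..p-1 and, for a valid e, is uniform there,
    so enough ciphertext reveals p exactly, as the reply observes."""
    rng = random.Random(seed)  # fixed seed so the demonstration is repeatable
    top = 0
    for _ in range(blocks):
        x = rng.randrange(1, p)
        top = max(top, encrypt(x, e, p))
    return top + 1
```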
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************