Cryptography-Digest Digest #245, Volume #12 Tue, 18 Jul 00 23:13:01 EDT
Contents:
Re: Carnivore and Man-in-the-middle ([EMAIL PROTECTED])
aol im (md5) (Arthur Dardia)
Re: Carnivore and Man-in-the-middle (Anon User)
Re: MD2 (David Hopwood)
Re: Carnivore and Man-in-the-middle (wtshaw)
Re: Carnivore and Man-in-the-middle ([EMAIL PROTECTED])
Re: RC4-- repetition length? ("Scott Fluhrer")
Re: Carnivore and Man-in-the-middle ([EMAIL PROTECTED])
Re: Good free stream cipher ? (wtshaw)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Carnivore and Man-in-the-middle
Date: Tue, 18 Jul 2000 22:53:46 GMT
[EMAIL PROTECTED] wrote:
For the sake of argument I'm going to talk about a ciphertext email
encrypted with DH/TWOFISH and signed with DSA. The original question
dealt with Carnivore mounting a man-in-the-middle attack.
I'm also going to adhere to the man-in-the-middle scenario on page 48
of Schneier, namely that Mallory (aka Carnivore ;) substitutes his own
public key for each party's during key-exchange to enable him to
decode, recode, resend messages ending up with plaintext copy for
himself each time.
> would be a very trivial task (*IF* Carnivore systems have the
> potential for such swapping; that is not yet clear to me. Elleron
> says it would be feasible, but doesn't explain how).
This was in reference to the question of whether the system could
rewrite IP packets or substitute entire mail messages. Carnivore is
designed to monitor mail passing through it, and make copies of mails
to/from a single recipient. If you could decrypt DH in real time, it's
not much more work to re-encrypt the message with a new key before
retransmitting it.
That is, since Carnivore is designed to be an invisible hop on the
mail route, sending out a different body in place of the received one
is trivial.
> It is my understanding that the Man-in-the-Middle attack works
> independently of the strength of the keys involved, but I might
> be missing something. How do you mean that it depends upon the
> strength of the crypto used, and why couldn't the key-swapping be
> done in real time?
The strength of the underlying system is important because Carnivore
only sees the ciphertext. If you exchange keys with people in person,
through the mail, whatever there's no opportunity to capture
them. Even if you do exchange them via email, the man-in-the-middle
attack falls apart if you verify a hash of the key over the phone.
Mounting the attack _without_ interfering with the key exchange would
require the system to break DH in real-time. I would wager real money
that if that was feasible, the system would _never_ make it out to the
local ISP. ;)
As someone else pointed out, it could send the messages off to a
larger machine somewhere in hopes of gaining the private key that
way. Once you have the private key, however, you can decrypt all of
the intercepted traffic without a man-in-the-middle attack.
That's all I meant originally, that substituting the messages is
easy. Breaking the underlying system is much harder.
--
Matt Gauthier <[EMAIL PROTECTED]>
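An added example (editor's code, not part of the post above) of the page-48 scenario Matt describes: an unauthenticated Diffie-Hellman exchange in which Mallory replaces each party's public key with Mallory's own, so that each side unknowingly shares a key with Mallory rather than with each other, followed by the out-of-band check Matt mentions, comparing a hash of the key over the phone. The group parameters are a toy choice for the demonstration only, and the fingerprint format is an assumption.

```python
"""Mallory-in-the-middle on unauthenticated Diffie-Hellman, and the
out-of-band fingerprint comparison that exposes the substitution."""
import hashlib
import secrets

# Toy group for this example only: 2^127 - 1 is prime but far too small and
# not a safe prime. A real deployment uses a standardised group of >= 2048 bits.
P = (1 << 127) - 1
G = 5


def keygen():
    """Return (private exponent, public value) for one party."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(my_private, their_public):
    """g^(ab) mod p, computed from my exponent and the public value I received."""
    return pow(their_public, my_private, P)


def fingerprint(public_key):
    """Hash of a public value, grouped so it can be read out over the phone.
    (Assumed format; any fixed, unambiguous encoding would do.)"""
    digest = hashlib.sha256(public_key.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


def honest_exchange():
    """Nobody tampers: both sides derive the same secret."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    return shared_secret(a_priv, b_pub) == shared_secret(b_priv, a_pub)


def mitm_exchange():
    """Mallory swaps both public values in transit.

    Returns (mallory_reads_alice, mallory_reads_bob, fingerprints_match):
    the first two show Mallory holds a working key with each victim; the
    last is what Alice and Bob see when they compare fingerprints by phone."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    m_priv, m_pub = keygen()

    # What each victim actually receives is Mallory's value, not the other's.
    pub_seen_by_alice = m_pub
    pub_seen_by_bob = m_pub

    k_alice = shared_secret(a_priv, pub_seen_by_alice)  # Alice <-> Mallory
    k_bob = shared_secret(b_priv, pub_seen_by_bob)      # Bob   <-> Mallory
    mallory_reads_alice = k_alice == shared_secret(m_priv, a_pub)
    mallory_reads_bob = k_bob == shared_secret(m_priv, b_pub)

    # Out-of-band check: Bob reads out the fingerprint of the key he received,
    # Alice compares it with the fingerprint of the key she actually sent.
    fingerprints_match = fingerprint(pub_seen_by_bob) == fingerprint(a_pub)
    return mallory_reads_alice, mallory_reads_bob, fingerprints_match


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    reads_a, reads_b, fp_ok = mitm_exchange()
    print("Mallory decrypts Alice's side:", reads_a)
    print("Mallory decrypts Bob's side:  ", reads_b)
    print("phone fingerprint check passes:", fp_ok)
```

The ciphertext strength never enters: Mallory breaks nothing, the victims simply agreed keys with the wrong party. The phone check works because it runs over a channel Mallory does not control, and it would catch the swap for any key size.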
------------------------------
From: Arthur Dardia <[EMAIL PROTECTED]>
Subject: aol im (md5)
Date: Tue, 18 Jul 2000 19:53:48 -0400
By going to Help-->About, you can see that portions of AOL IM implement
MD5 Hash algorithm. How does it use this? I could see it being used
to:
a) verify a valid client program
program opens and connects to server, sends an md5 of itself or of some
registry keys it installs, etc. and then AOL either lets it connect or
it refuses it
b) to verify messages
how could md5 be used to make sure messages are authentic and valid.
wouldn't user A have to send the message along with the MD5 for that
message? couldn't a man-in-the-middle just change the message,
calculate the md5 and then send that along with it? albeit, it would be
difficult to do by hand because of the spur-of-the-moment involved with
instant messaging, but a program to do such a feat would not be
difficult.
any other ways aol might implement it?
--
Arthur Dardia Rensselaer Polytechnic Institute [EMAIL PROTECTED]
PGP 6.5.1 Public Key http://www.webspan.net/~ahdiii/ahdiii.asc
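An added example (editor's code, not from the post above and not a description of what AOL IM actually does) of the point Arthur raises: a bare MD5 sent alongside a message is an integrity check against accidental corruption, not against an interceptor, because anyone who can change the message can recompute the digest. The second half shows the keyed variant, HMAC (a construction the post does not mention), where the interceptor cannot recompute the tag without the shared key. The message and key are constructed sample values.

```python
"""Plain MD5 beside a message versus a keyed HMAC: only the keyed tag
survives a man-in-the-middle who rewrites the message."""
import hashlib
import hmac

# Constructed sample data for the example.
MESSAGE = b"hi bob, meet at 9 by the fountain"
KEY = b"hypothetical-secret-shared-by-client-and-server"


def tag_md5(message):
    """Unkeyed digest, as the post speculates the client might send."""
    return hashlib.md5(message).digest()


def tag_hmac(key, message):
    """HMAC-MD5: the same hash wrapped in a keyed construction."""
    return hmac.new(key, message, hashlib.md5).digest()


def receiver_accepts(message, tag, keyed, key=b""):
    """Receiver recomputes the tag it expects and compares in constant time."""
    expected = tag_hmac(key, message) if keyed else tag_md5(message)
    return hmac.compare_digest(expected, tag)


def interceptor_rewrites(message, tag, keyed):
    """What the man-in-the-middle can do with an intercepted (message, tag).

    Unkeyed: rewrite the text and recompute MD5 over the new text.
    Keyed:   rewrite the text, but with no key the best available move is to
             forward the original tag unchanged."""
    new_message = message.replace(b"meet at 9", b"meet at 7")
    if keyed:
        return new_message, tag
    return new_message, tag_md5(new_message)


def unkeyed_forgery_accepted():
    tag = tag_md5(MESSAGE)
    forged_msg, forged_tag = interceptor_rewrites(MESSAGE, tag, keyed=False)
    return receiver_accepts(forged_msg, forged_tag, keyed=False)


def keyed_forgery_accepted():
    tag = tag_hmac(KEY, MESSAGE)
    forged_msg, forged_tag = interceptor_rewrites(MESSAGE, tag, keyed=True)
    return receiver_accepts(forged_msg, forged_tag, keyed=True, key=KEY)


if __name__ == "__main__":
    print("forgery passes with bare MD5:", unkeyed_forgery_accepted())
    print("forgery passes with HMAC-MD5:", keyed_forgery_accepted())
```

The tamper step is exactly Arthur's "program to do such a feat", and it succeeds against the unkeyed tag every time. Note that the keyed variant protects only against parties without the key; a server that holds the key can still alter traffic, and modern practice would use HMAC over SHA-256 rather than MD5.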
------------------------------
Date: Tue, 18 Jul 2000 20:15:01 -0500 (CDT)
From: Anon User <[EMAIL PROTECTED]>
Subject: Re: Carnivore and Man-in-the-middle
>> not really,
>> the box is TOTALLY FBI secured, therefore no one [ event ISP ]
>> knows what FBI is / will collect ...
>
> Yes, but the original assertion that a Carnivore unit will be
> permanently installed in every ISP's data path is something I haven't
> heard before. (And tend to doubt ;)
Why? CALEA makes sure LEO access is built in to every Central Office switch.
E911 requires wireless companies to provide LEO with tracking ability.
And we all know about ECHELON. This is just another avenue towards the feds'
ultimate goal of total pervasive surveillance capacity. Orwell's nightmare
fully realized and expanded with technology in ways he could never imagine.
> Granted, the entire system has some serious issues to be resolved, but
> paranoia certainly won't help.
Paranoia is the only thing that keeps me one step ahead of "Them".
Tell me, can you think of any case in this context where paranoia was NOT
justified? In Britain RIP is about to pass into law - they already have
cameras on streetlight poles providing police with real-time crowd surveillance
slaved to databases of digitally-stored photos. Keep in mind that in the early
1990s a private company built just such a database from US driver's licenses.
Who funded this private company you ask? Why, the Secret Service did - you see,
it was illegal (at that time) for a "government entity" to build such a database.
But "They" wanted it so "They" merely contracted the job out. All perfectly
legal.
For a while, Georgia required your thumbprint to be digitally encoded on
a resident's driver's license. I believe this actually angered The Public enough
to where the govt had to back off. For now. Care to make a wager as to when, not
if, one or more forms of biological ID will be required on some form of govt ID
card? There already exist databases of DNA gathered from assorted rapists and child
molesters. And as expected the govt has slowly been expanding the definition of
whose DNA would be included in these databases - "stretching the net", it's called.
Ultimate goal? - a database of everyone's DNA. Those clever chaps in Britain are
in the process of building just exactly that.
And then there's the "covert search" bill built into the giant "meth" bill
plodding through Congress, which will give the feds the ability to sneak into
your home without your knowledge and gather "information". Couple that with
another law They just got passed that lets them load sneaky surveillance programs
onto your computer without your knowledge, things like password grabbers and
encryption key grabbers.
Just when you think it can't get worse, it does. Usually in the name of
"protecting the children" and "domestic terrorism".
You say I'm paranoid? I say you (people) need to see the bigger picture.
"Your tax dollars at work."
------------------------------
Date: Mon, 17 Jul 2000 19:23:16 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: MD2
-----BEGIN PGP SIGNED MESSAGE-----
Daniel Leonard wrote:
> Does anyone have any papers or links related to the MD2 message digest
> algorithms.
>
> I know about RFC 1319, so do not send this link. I am looking for critics
> and attacks.
RSA Laboratories Security Bulletin #4,
ftp://ftp.rsa.com/pub/pdfs/bulletn4.pdf
N. Rogier, P. Chauvaud,
"The compression function of MD2 is not collision-free,"
Workshop record, 2nd Workshop on Selected Areas in Cryptography (SAC
'95), Ottawa, Canada, May 18-19 1995.
(The latter doesn't appear to be on-line.)
For more information like this on other algorithms, see
http://www.users.zetnet.co.uk/hopwood/crypto/scan/
- --
David Hopwood <[EMAIL PROTECTED]>
Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBOXNO4TkCAxeYt5gVAQG8ngf/aRwsw7cqcm0Qf2btxaeJ0CFX9qbc96xA
DX1ENP+sC4MdNlC99SLabpltu/VkQHYZmuqBL3rSetqi8sTSy4ziEVcRQCh8lSFe
9H69C/svqDse9S52dS8S08qHOedQPyUGorKf4FVQZGxyWZr1o7fiCeRfgbGmkmsA
bt7IOqk/h1yHW1F4jX3Kp1QaxohA26L8CRHwAa37jaMOCxS4gyykFT0OcnQDh9s8
R+VwK7PC0Ul7ePlvUonUwjJUtTElcUf7UX+BdBpx+x2Wm6G7PfoUSc2RHMnTBWLU
KkklBjO9fP6dM6eoEDoHOa16GkVLfjyxdahUX5pW4zf+vLoKeQdNng==
=+kLw
-----END PGP SIGNATURE-----
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Carnivore and Man-in-the-middle
Date: Tue, 18 Jul 2000 19:07:01 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Steve Rush) wrote:
> Of course, these devices would be activated on a particular line only with a
> court order.
It matters greatly who does these things and if there is oversight. Secret
and automatic processes without assurance of the spirit of
constitutionality are reason for getting alarmed. None of us wants to
tolerate harmful crime, but there are those that want to abuse their
positions to define what they do not want as criminal rather than to
debate the positions of tolerance necessary on certain issues in an open
forum.
--
Pat B. reminds us that he served in the Nixon Administration for
six years. How can he be proud of that?
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Carnivore and Man-in-the-middle
Date: 19 Jul 2000 01:12:33 GMT
Once upon a time, [EMAIL PROTECTED] said:
> Date: Tue, 18 Jul 2000 22:53:46 GMT
> References:
> <bPUc5.1693$[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
>
>For the sake of argument I'm going to talk about a ciphertext email
>encrypted with DH/TWOFISH and signed with DSA. The original question
>dealt with Carnivore mounting a man-in-the-middle attack.
>
>I'm also going to adhere to the man-in-the-middle scenario on page 48
>of Schneier, namely that Mallory (aka Carnivore ;) substitutes his own
>public key for each party's during key-exchange to enable him to
>decode, recode, resend messages ending up with plaintext copy for
>himself each time.
Sounds good. We're (literally) on the same page.
>[EMAIL PROTECTED] wrote:
>> would be a very trivial task (*IF* Carnivore systems have the
>> potential for such swapping; that is not yet clear to me. Elleron
>> says it would be feasible, but doesn't explain how).
>
>This was in reference to the question of whether the system could
>rewrite IP packets or substitute entire mail messages. Carnivore is
>designed to monitor mail passing through it, and make copies of mails
>to/from a single recipient. If you could decrypt DH in real time, it's
>not much more work to re-encrypt the message with a new key before
>retransmitting it.
>
>That is, since Carnivore is designed to be an invisible hop on the
>mail route, sending out a different body in place of the received one
>is trivial.
This is what I am trying to find out. Where have you seen that
Carnivore is designed to be an invisible hop on the mail route?
All of the references I have seen state that it is a packet-sniffer,
a la promiscuous ethernet device, and thus has the potential to scan
all network traffic, not just email. Information is sketchy however,
so I am not sure if those statements are factual or merely the result
of non-technical people glossing over ill-understood details.
>> It is my understanding that the Man-in-the-Middle attack works
>> independently of the strength of the keys involved, but I might
>> be missing something. How do you mean that it depends upon the
>> strength of the crypto used, and why couldn't the key-swapping be
>> done in real time?
>
>The strength of the underlying system is important because Carnivore
>only sees the ciphertext.
It has not been my assumption that Carnivore only sees ciphertext
(see below).
>If you exchange keys with people in person,
>through the mail, whatever there's no opportunity to capture
>them. Even if you do exchange them via email, the man-in-the-middle
>attack falls apart if you verify a hash of the key over the phone.
I am interested in discussing the potential use of Carnivore as
a device for performing man-in-the-middle attacks. Such scenarios
assume that the adversary is in fact aware of and can intercept
the initial exchange of public keys.
If Carnivore is in fact a packet-sniffer, then it can view any
network-based public key exchange. Whether it theoretically has
the capability to silently intercept that exchange (ie, change the
data which arrives at the remote user's node) has yet to be
determined.
As you point out, Carnivore would not be able to function as a
man-in-the-middle launching device if key exchanges occur (or are
verified) outside of the network. However, most real-life public
key exchanges do take place entirely via network channel, and no
attempt is made to verify the security of that exchange.
>Mounting the attack _without_ interfering with the key exchange would
>require the system to break DH in real-time. I would wager real money
>that if that was feasible, the system would _never_ make it out to the
>local ISP. ;)
Yes; it should be assumed for the context of this discussion that
existing public-key cryptosystems are too strong to break via brute
force methods, and have no exploitable weaknesses other than (perhaps)
man-in-the-middle (even though such an assumption might not be
reasonable outside the context of this discussion).
[..]
>That's all I meant originally, that substituting the messages is
>easy. Breaking the underlying system is much harder.
I'm sorry. I should have made it more explicit in my original
message that I was interested in discussing the man-in-the-middle
attack, not other kinds of attacks on public key cryptosystems.
To reiterate my original questions:
Does anyone have more information about Carnivore, especially
whether it is implemented as an in-line data link (eg, router) or
as a node on a shared bus (eg, ethernet)?
Given what we know, would Carnivore be theoretically capable,
given appropriate software, of fulfilling the prerequisites for
performing man-in-the-middle attacks? That is to say, is it
capable of nondetectably replacing users' exchanged public keys
with its own public keys?
If we do not precisely know what method Carnivore uses to
communicate with the network, then if we assume that it is capable
of reading all network traffic (a la promiscuous ethernet) and is
capable of generating network traffic with arbitrary addresses in
all network headers thus generated, then can anyone come up with
a way it could hypothetically fool the transport (et al) layer to
ignore a packet previously received by a remote node, and accept
a different (spoofed) packet in its place, without the remote node
being informed of it?
The information I have suggests, but does not explicitly state,
that the FBI is seeking to install Carnivore in ISP's and leaving
it in place, but only using it when permitted by judicial order.
Does anyone have firm information supporting or contradicting
this?
-- TTK
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: RC4-- repetition length?
Date: Tue, 18 Jul 2000 18:47:29 -0700
Simon Johnson <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Lets side step,
>
> I've read on this forum that RC4 is distinguishable from random
> data after 4Tb. Though this is a large figure, its still just a
> tiny fraction of the amount of data it could encrypt securely if
> it used all the possible permutations. In terms of security,
> this makes the cycle length meaningless (providing of course, that
> the cycle length is greater than 4 Tb.)
>
> Just some food for thought........
Two things:
- It is now known that RC4 is efficiently distinguishable from random data
after 2Gb.
- Looping would be a *much* more serious problem than distinguishability
from randomness. Once a keystream generator starts looping, the attacker
can derive the value of two portions of the plaintext xor'ed together, and
practically speaking, he can often rederive the plaintext from that. No
similar attack is known if the keystream is merely distinguishable from
random, unless the attacker has a *lot* of information about the plaintext.
On the other hand, distinguishability is not a totally meaningless concept.
For one, the attacker can use it to verify if a plausible plaintext
corresponds to a ciphertext, if he manages to obtain the plausible
plaintext by another method.
--
poncho
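An added example (editor's code, not from the post above) of why Scott rates looping as far worse than distinguishability. The block implements RC4 from the RFC-free description everyone knows (KSA plus PRGA), checks it against the standard "Key"/"Plaintext" test vector, and then reproduces the consequence of a repeating keystream: two stretches of plaintext XORed with identical keystream bytes give the attacker p1 XOR p2 from the ciphertexts alone, after which a guessed fragment of one plaintext reads the other directly. Encrypting two sample messages from position 0 of the same keystream is how the example stands in for a generator that has cycled back to its start; the messages and key are constructed.

```python
"""RC4 keystream, and what an attacker gets once keystream bytes repeat."""


def rc4_keystream(key):
    """Generator of RC4 keystream bytes for a key of 1..256 bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key, data):
    """XOR data with the keystream; the same call decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample traffic; the key is a toy value for the example.
SAMPLE_KEY = b"toy key"
SAMPLE_P1 = b"Carnivore sits at the ISP"
SAMPLE_P2 = b"Meet me at the courthouse"


def keystream_reuse(key, p1, p2):
    """Two messages encrypted under the same keystream bytes, as happens when
    a generator loops back to an earlier state (or a key is reused).
    Returns c1 XOR c2, which equals p1 XOR p2: the keystream cancels out."""
    c1 = rc4_crypt(key, p1)
    c2 = rc4_crypt(key, p2)
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2, crib, offset):
    """Knowing (or guessing) `crib` sits in p1 at `offset`, recover the bytes
    of p2 at the same position. Repeating this across offsets is the usual
    way the rest of both plaintexts is pulled out."""
    return xor_bytes(p1_xor_p2[offset:offset + len(crib)], crib)


if __name__ == "__main__":
    print("test vector:", rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    x = keystream_reuse(SAMPLE_KEY, SAMPLE_P1, SAMPLE_P2)
    print("p2 fragment from crib 'Carnivore':", crib_drag(x, b"Carnivore", 0))
```

Nothing here needs RC4 to be weak as a generator; the damage comes entirely from the same keystream bytes covering two plaintexts, which is what a short cycle would hand the attacker. A mere statistical bias, by contrast, tells the attacker that a keystream is RC4 rather than random, and little more unless a candidate plaintext is already in hand.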
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Carnivore and Man-in-the-middle
Date: Wed, 19 Jul 2000 02:13:57 GMT
[EMAIL PROTECTED] wrote:
> This is what I am trying to find out. Where have you seen that
> Carnivore is designed to be an invisible hop on the mail route?
> All of the references I have seen state that it is a packet-sniffer,
> a la permiscuous ethernet device, and thus has the potential to scan
> all network traffic, not just email. Information is sketchy however,
> so I am not sure if those statements are factual or merely the result
> of non-technical people glossing over ill-understood details.
Ahh, I see said the blind man. From what I had read in the news, there
were two big concerns. First, that it was administered by the FBI, and
not the ISP (in contrast to phone taps, which are placed by the telco
at the presentation of a court order). Then, that it read the sender,
recipient, and subject of every message.
I then assumed it was working above the packet level, since that's the
way I would have built a machine to solve the problem. ;) It doesn't
seem unreasonable, however. This design would be a hell of a lot
simpler than reassembling fragments into packets into complete
messages.
> The information I have suggests, but does not explicitly state,
> that the FBI is seeking to install Carnivore in ISP's and leaving
> it in place, but only using it when permitted by judicial order.
> Does anyone have firm information supporting or contradicting
> this?
Marcus Thomas, head of the FBI's cybertechnology section, told the
Wall Street Journal that the bureau had about 20 Carnivores. There
being more than twenty ISPs, either Mr Thomas is lying or they're a
temporary installation.
He also called it a "specialised sniffer" which may or may not
indicate it examines all of the network traffic. However, it
supposedly meets current wiretapping laws. So, I suppose the real
question is: Do current wiretapping laws prohibit capturing
conversations not covered by the warrant in the course of authorised
wiretapping?
My uneducated guess would be that it does, but they'd be
inadmissible. The only case I recall offhand is Canadian, where
Mafiaboy's father was charged on a separate count after incriminating
himself on his telephone, which was tapped as part of the
investigation of his son.
--
Matt Gauthier <[EMAIL PROTECTED]>
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Good free stream cipher ?
Date: Tue, 18 Jul 2000 19:40:28 -0600
In article <[EMAIL PROTECTED]>, Runu Knips <[EMAIL PROTECTED]> wrote:
> I'm looking for a good & free stream cipher algorithm.
> Does anybody have a suggestion ?
Text or binary data?
--
Pat B. reminds us that he served in the Nixon Administration for
six years. How can he be proud of that?
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************