Cryptography-Digest Digest #647, Volume #13       Wed, 7 Feb 01 04:13:00 EST

Contents:
  Low-tech homemade crypto keycards (Ray Dillinger)
  Re: Low-tech homemade crypto keycards (Paul Rubin)
  File encryption with Rijndael ("Marcin")
  Re: OverWrite freeware completely removes unwanted files from hard drive (Anthony 
Stephen Szopa)
  Re: 1 to 4 byte hash function ("Akita Bright-Holloway")
  Re: OverWrite freeware completely removes unwanted files from hard drive (Anthony 
Stephen Szopa)
  Re: Questions about Diffie-Hellman ("kihdip")
  Re: OverWrite freeware completely removes unwanted files from hard drive (Anthony 
Stephen Szopa)
  Re: Finite field/polynomial mathematics ("kihdip")
  Re: OverWrite freeware completely removes unwanted files from hard drive (Anthony 
Stephen Szopa)
  Re: RSA prime selection. (Newbie question) ([EMAIL PROTECTED])
  MQV implementation ("Alexander Schmitt")
  Re: One way function for Passwords. (Ichinin)
  Universal Maurer-Test (Bernhard Loehlein)
  PGP 2.6.3ia-cb (now supports CAST5 and BLOWFISH) ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: Ray Dillinger <[EMAIL PROTECTED]>
Subject: Low-tech homemade crypto keycards
Date: Wed, 07 Feb 2001 05:37:03 GMT


I've been reading in another thread about the work and worry of 
destroying a compromised crypto module, and it occurs to me that 
there is a nice way to create a hardware device that physically 
embodies a key, and is cheap and durable, simple to make and 
simple to destroy.  

First, get a small chunk of cardboard, like a playing card. 

Next, use a small punch to create 54 holes in the left side 
and 54 holes in the right side. These holes need to be evenly 
spaced.

Now, take 54 wires and strip the insulation off the ends.  

Poke one end of each wire through a randomly selected, 
otherwise-unoccupied hole on the left side of the card. 
Poke the other end through a randomly selected, otherwise 
unoccupied hole on the right side of the card. 

Now put another playing card on top of the tangle of 
insulated wires, which places them in the center of a 
cardboard sandwich.

Wrap the exposed ends around the left and right edges of 
the cards and trim any excess.

Now, cast this card-and-wire sandwich in an opaque epoxy 
resin, leaving contact points of the wires exposed along 
the edges. 

This device represents a mapping of left to right contacts 
with about 220 bits of entropy.  It's simple to build a 
reader for these devices.  It's simple to destroy them 
so that the key cannot be recovered.  And it is possible 
to verify visually that they have been destroyed.

It's not a smart card by any means; in fact, it may be the 
dumbest card ever proposed.  But it stores a key nicely, 
can be built by hand or with relatively simple tools out 
of readily-available parts, and can't be read remotely or 
surreptitiously (I think).  With the appropriate picture and 
frame, it could look like the sort of locket or religious 
medallion that is common in some areas, and it could have 
applications in a fair number of third-world countries 
where people who need it don't necessarily have access to 
chip fabs or lots of money for commercial hardware.

Variations: the "wire web" card described here could be 
built (with various construction techniques) inside all kinds 
of ordinary things, like wallets, purses, knife handles, or 
(with some effort) even the teeth of a comb.  

                        Bear
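As an added illustration (example code, not part of Bear's post), the card can be modelled as a random permutation of the 54 left contacts onto the 54 right contacts. The block below computes how much key material such a wiring holds, log2(54!), which works out to about 237 bits for the design above, reads the wiring back the way any reader would (continuity measurements between edge contacts), and turns it into a fixed-size key through a canonical encoding. The Lehmer-code serialisation, the SHA-256 derivation and the context string are this example's choices; the post specifies none of them. Note that read_card is exactly the measurement anyone holding the card can perform, so the card stores a key but does not protect it from whoever has it in hand.

```python
import hashlib
import math
import secrets

# Added example: the "wire web" keycard as a permutation of N contacts.
N_WIRES = 54  # from the post: 54 holes per side, one wire per hole pair


def make_card(n=N_WIRES):
    """Wire left contact i to a randomly chosen right contact. The card is
    modelled as the set of (left, right) pairs that are electrically joined."""
    right = list(range(n))
    for i in range(n - 1, 0, -1):            # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        right[i], right[j] = right[j], right[i]
    return frozenset(zip(range(n), right))


def continuity(card, left, right):
    """One ohmmeter measurement: are these two edge contacts joined?"""
    return (left, right) in card


def read_card(card, n=N_WIRES):
    """n*n measurements recover the full wiring. This is how a legitimate
    reader works, and also what anyone holding the card can do."""
    wiring = [None] * n
    for left in range(n):
        for right in range(n):
            if continuity(card, left, right):
                wiring[left] = right
    return wiring


def permutation_entropy_bits(n):
    """log2(n!) bits: the entropy of a uniformly random wiring."""
    return math.lgamma(n + 1) / math.log(2)


def lehmer_encode(perm):
    """Canonical fixed-length byte encoding of a permutation (Lehmer code):
    digit i is the number of later contacts smaller than perm[i]."""
    return bytes(sum(1 for later in perm[i + 1:] if later < perm[i])
                 for i in range(len(perm)))


def lehmer_decode(code):
    """Inverse of lehmer_encode, so the encoding round-trips."""
    remaining = list(range(len(code)))
    return [remaining.pop(d) for d in code]


def derive_key(wiring, context=b"wire-web-card-v1"):
    """Hash the canonical encoding down to a 256-bit key. The context string
    (an assumption of this example) separates this use of the card from
    any other use of the same wiring."""
    return hashlib.sha256(context + lehmer_encode(wiring)).digest()


if __name__ == "__main__":
    card = make_card()
    print(f"{N_WIRES} wires: {permutation_entropy_bits(N_WIRES):.1f} bits of key material")
    print("derived key:", derive_key(read_card(card)).hex())
```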

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Low-tech homemade crypto keycards
Date: 06 Feb 2001 21:43:42 -0800

Ray Dillinger <[EMAIL PROTECTED]> writes:
> It's not a smart card by any means; in fact, it may be the 
> dumbest card ever proposed.  But it stores a key nicely, 
> can be built by hand or with relatively simple tools out 
> of readily-available parts, and can't be read remotely or 
> surreptitiously (I think).

The device sounds totally pointless.

It's trivial to read the key out of the card with an ohmmeter.
Just find which pairs of wires are connected to each other.

------------------------------

From: "Marcin" <[EMAIL PROTECTED]>
Subject: File encryption with Rijndael
Date: Wed, 07 Feb 2001 05:46:38 GMT

I have made available my tiny command line file encryption program based on
Rijndael with 256 bit keys.  It's coded in Java and freely distributed with
source code at: http://www.optymalni.com/~marcin
Any comments please direct to [EMAIL PROTECTED]

Marcin




------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Tue, 06 Feb 2001 22:01:26 -0800

Daniel wrote:
> 
> On Tue, 06 Feb 2001 02:33:28 -0800, Anthony Stephen Szopa
> <[EMAIL PROTECTED]> wrote:
> 
> >Daniel wrote:
> 
> >> Let us not forget what it would cost to have a HardDisk scanned up to
> >> 11 layers deep.  Usually, those HD which contained "critical
> >> information" but are no longer used are destroyed (mechanical + heat).
> >> That's the only assuring way :)
> >>
> >> best regards,
> >>
> >> Daniel
> >
> >
> >What are you talking about:  "11 layers deep".
> >
> >Don't be ridiculous.
> 
> I'm sorry, but why do you give me such a rude answer?
> 
> for more info on the subject, check NISPOM - DoD5220.22-M
> 
> Software claiming to live up to this standard can be found on :
> http://www.pt.lu/comnet/desc/shredder.html
> 
> best regards,
> 
> Daniel


Why don't you reprint the pertinent passages?

------------------------------

From: "Akita Bright-Holloway" <[EMAIL PROTECTED]>
Subject: Re: 1 to 4 byte hash function
Date: Tue, 06 Feb 2001 23:08:09 +0700

In article <95q55c$73u$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> In article <eOg1v$IkAHA.279@cpmsnbbsa07>,
>   "Joseph Ashwood" <[EMAIL PROTECTED]> wrote:
>> "Akita Bright-Holloway" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]...
>> [on a 1-4 byte hash]
>>
>> Regardless of how good the function itself is, it can be directly
>> mapped out in RAM on a machine, from this breaking it is as simple as
>> a lookup.
>>
>> As to whether or not this would be useful when used in conjunction
>> with another hash function. No it would not, the best you could hope
>> for would be for the result to have as much strength as the outer-most
>> hash function. This can be proven mathematically by observing that by
>> using intermediate hash functions you can not increase entropy, but
>> you can lose it.
>>
>> I think I see where this is going though. I'd recommend very strongly
>> against creating your own hash function. There are several very fast,
>> very secure hash functions available for whatever your needs are. The
>> most likely candidates are MD5 and SHA-1; both have many freely
>> available implementations. I'd recommend you start with OpenSSL
>> (www.openssl.org)
>>                                 Joe
> 
>    As to another point of view: doing it yourself can be fun.
> I think you should not only look at others, but feel free to experiment
> on your own.
> 
>   And if you're interested in other unorthodox ideas take a
> look at http://members.nbci.com/ecil/index.htm
> 
>                                     Dave
> 
Cool, cool, indeed, but yeah, I'm thinking a 1-4 byte hash function (or
series thereof) would be a weakness to any later hash function I made. I
will no doubt be making more posts with more questions about bigger and
better stuff :) (and I'm definitely gonna snag a peek at what other people
have done) 

   - Akita

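Joe's two points in the quoted reply above, that a 1-4 byte hash is broken by a lookup table and that wrapping it in a stronger outer hash cannot repair it, as an added example (not code from the thread). tiny_hash is a stand-in for any short hash; truncated SHA-256 is used only so that the inner function is obviously not the weak part. The table construction, the birthday search and the composed_hash construction are this example's, and the 2-byte size is chosen so everything runs in seconds.

```python
import hashlib
import math
import os
from itertools import count

# Added example: inverting a short hash by table lookup, and why composing
# it with a strong outer hash does not help.


def tiny_hash(data: bytes, nbytes: int) -> int:
    """A 1-4 byte hash: the first nbytes of SHA-256, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest()[:nbytes], "big")


def build_lookup_table(nbytes: int) -> dict:
    """Map every possible output to one preimage by hashing counters until
    all 256**nbytes outputs have been seen (about n*ln(n) hashes)."""
    space = 256 ** nbytes
    table = {}
    for i in count():
        m = str(i).encode()
        h = tiny_hash(m, nbytes)
        if h not in table:
            table[h] = m
            if len(table) == space:
                return table


def invert(table: dict, target: int) -> bytes:
    """Once the table exists, 'breaking' any hash value is one lookup."""
    return table[target]


def birthday_collision(nbytes: int):
    """Two distinct random messages with the same short hash. Expected tries
    are about sqrt(pi/2 * 256**nbytes), far fewer than 256**nbytes."""
    seen = {}
    for tries in count(1):
        m = os.urandom(8)
        h = tiny_hash(m, nbytes)
        if h in seen and seen[h] != m:
            return seen[h], m, tries
        seen[h] = m


def composed_hash(data: bytes, nbytes: int) -> bytes:
    """A strong outer hash over the short inner hash. Any inner collision is
    automatically a collision of the whole construction, so the strength is
    capped by the inner stage."""
    inner = tiny_hash(data, nbytes).to_bytes(nbytes, "big")
    return hashlib.sha256(inner).digest()


def expected_work(nbytes: int) -> dict:
    """Work factors for a preimage (full table / brute force) and a collision."""
    space = 256 ** nbytes
    return {"preimage_tries": space,
            "collision_tries": math.sqrt(math.pi / 2 * space)}


if __name__ == "__main__":
    table = build_lookup_table(2)
    m1, m2, tries = birthday_collision(2)
    print(len(table), "table entries; collision after", tries, "random messages")
    print("composed hashes collide:", composed_hash(m1, 2) == composed_hash(m2, 2))
```

build_lookup_table(2) needs roughly 65536 * ln(65536), about 730 000, hash evaluations, which is why "mapping it out in RAM" is a matter of seconds; the same loop for a 4-byte hash is about 9.5e10 evaluations and 4 GiB of keys, still well within reach of one machine.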

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Tue, 06 Feb 2001 22:05:22 -0800

Tor Rustad wrote:
> 
> "Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> > Joseph Ashwood wrote:
> >
> > You are nuts.
> 
> ???
> 
> > "...those patterns can be stripped away..."
> >
> > How?  With cleanser and lots of elbow grease.  What are you talking
> > about here?  What utter BS.
> 
> Next time you *try* to write such erase SW, as a *minimum* read DOD
> 5220.22-M first.
> 
> Of course you should *not* overwrite with *only* known patterns!
> 
> I am not up to date with the state-of-the-art in recovering data, nor are
> *you*, that information is classified.
> 
> A well respected company in Norway, IBAS (www.ibas.com), does a pretty good
> recovery job in many cases, but AFAIK they will have trouble with recovering
> overwritten data. However, IBAS is *not* at military level on this, and
> there might be better commercial companies around at this.
> 
> Your SW was snake oil anyway.
> 
> --
> Tor <torust AT online DOT no>


Rest in Peace.

------------------------------

From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: Questions about Diffie-Hellman
Date: Wed, 7 Feb 2001 07:36:20 +0100

You may try these sites for further information:

http://cacr.math.uwaterloo.ca/hac/
(chapter 12 has a fine description of DH - the first chapters contain the
math concerning DH)

http://www.cid.alcatel.com/doctypes/technewbridgenote/pdf/ipsec_nn.pdf
(contains a general description of how DH is used in IPSec)

Kim



------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Tue, 06 Feb 2001 22:36:04 -0800

Tom St Denis wrote:
> 
> In article <[EMAIL PROTECTED]>,
>   Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
> > Tom St Denis wrote:
> > >
> > > In article <[EMAIL PROTECTED]>,
> > >   Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
> > > > OverWrite freeware completely removes unwanted files from hard drive
> > > >
> > > > OverWrite Program: incorporates the latest recommended file
> > > > overwriting techniques. State-of-the-art detection technology and
> > > > the subtleties of hard drive technology have made most overwritten
> > > > and deleted data on magnetic media recoverable. Simply overwriting
> > > > a file a few times is just not good enough.
> > >
> > > I would argue on super-dense HD's that simply writting FF to the file is
> > > enough.  Not alot of snoopers have the time to break out the 'ol
> > > electron microscope and read bits "The HardWay (tm)".  If I overwrite
> > > the file with FF the os doesn't keep a backup (or shouldn't) thus
> > > mission accomplished the file is wiped.
> > >
> > > Tom
> > >
> >
> > Your point is well made except that there continues to be
> > vulnerable tracking variations even on modern hard drives.
> >
> > And they do not use electron microscopes for this purpose.
> >
> > Pointing out these facts should lead the average person of even
> > common intelligence to question your grasp of the facts and
> > conclusions as I have.
> >
> 
> I will pay you 1000$ if you can read via DOS any file that I wrote over with
> FF's.
> 
> Tom
> 


Not enough money.

But I believe that there are those who have the capability.

This is why I also believe that overwriting a file using the
technique employed in the OverWrite software will be that much more
effective than just overwriting it once your way.

As I stated, your way isn't good enough for the reasons referred 
to by a link in someone else's post in this thread.

The hard drive is not read using software (DOS).  The magnetic 
fields and residual magnetic fields are detected using a state of 
the art instrument as it is scanned over the hard drive surface.

Perhaps even laser light is used now these days.

------------------------------

From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: Finite field/polynomial mathematics
Date: Wed, 7 Feb 2001 07:40:02 +0100

You could also try this book:

"A Concrete Introduction to Higher Algebra"
by Lindsay N. Childs
Springer-Verlag New York, Inc.

Kim



------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Tue, 06 Feb 2001 22:50:38 -0800

Tor Rustad wrote:
> 
> "Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> > Joseph Ashwood wrote:
> >
> > You are nuts.
> 
> ???
> 
> > "...those patterns can be stripped away..."
> >
> > How?  With cleanser and lots of elbow grease.  What are you talking
> > about here?  What utter BS.
> 
> Next time you *try* to write such erase SW, as a *minimum* read DOD
> 5220.22-M first.
> 
> Of course you should *not* overwrite with *only* known patterns!
> 
> I am not up to date with the state-of-the-art in recovering data, nor are
> *you*, that information is classified.
> 
> A well respected company in Norway, IBAS (www.ibas.com), does a pretty good
> recovery job in many cases, but AFAIK they will have trouble with recovering
> overwritten data. However, IBAS is *not* at military level on this, and
> there might be better commercial companies around at this.
> 
> Your SW was snake oil anyway.
> 
> --
> Tor <torust AT online DOT no>




Using these 27 known and recommended patterns is certainly 
preferable to a single overwrite of hex FF or 00.

Ciphile Software's OverWrite program Version 1.0 is certainly well 
worth using for the purposes intended.
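For readers who want to see what an overwriting tool actually has to do, here is an added example in Python (not the OverWrite program, and not the 27 patterns the post refers to; the pass list is this example's own choice). It overwrites a file once per pass, pushes each pass through the OS cache with fsync, reads the file back to confirm what the filesystem now holds, and only then removes the name. The verification is the part that such tools routinely skip, and the docstring carries the caveat that applies to every tool of this kind on modern storage.

```python
import os
import tempfile

# Added example: a multi-pass overwrite with fsync and read-back verification.
PASSES = (b"\x00", b"\xff", b"\x55", b"\xaa", None, None)   # None = random data


def _fill(pattern, size):
    """One chunk of pass data: the repeated pattern, or fresh random bytes."""
    if pattern is None:
        return os.urandom(size)
    return (pattern * (size // len(pattern) + 1))[:size]


def overwrite_file(path, passes=PASSES, chunk=1 << 20, unlink=True):
    """Overwrite every byte of `path` once per pass, fsync after each pass and
    read the file back to confirm the logical contents. Returns one
    (pass_name, verified) tuple per pass.

    Caveat: this only guarantees what the filesystem presents. On flash
    storage (wear levelling), copy-on-write or journaling filesystems,
    snapshots, and drives with remapped sectors, the old bytes can survive at
    a physical location this loop never touches. Whole-device secure erase, or
    full-disk encryption with key destruction, are the tools for those cases."""
    size = os.path.getsize(path)
    results = []
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            expected = bytearray()
            for off in range(0, size, chunk):
                block = _fill(pattern, min(chunk, size - off))
                f.write(block)
                expected += block
            f.flush()
            os.fsync(f.fileno())        # past the OS cache, onto the device
            f.seek(0)
            ok = f.read(size) == bytes(expected)
            results.append(("random" if pattern is None else pattern.hex(), ok))
    if unlink:
        os.unlink(path)                 # drop the name only after the data is gone
    return results


def demo():
    """Constructed input: a temporary file holding a 'secret', wiped in place.
    Returns the per-pass results and the bytes on disk just before unlinking."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SECRET " * 1000)
    results = overwrite_file(path, unlink=False)
    with open(path, "rb") as f:
        final = f.read()
    os.unlink(path)
    return results, final


if __name__ == "__main__":
    for name, ok in demo()[0]:
        print(f"pass {name:>6}: {'verified' if ok else 'MISMATCH'}")
```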

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: RSA prime selection. (Newbie question)
Date: 7 Feb 2001 02:56:06 -0500

StuartL <[EMAIL PROTECTED]> wrote:

> I wasn't sure if the prime numbers that RSA uses were calculated off-line
> and stored somewhere? Say like when you download Netscape are the primes
> that it will use for RSA pre-computed and downloaded with the software. If
> so that sounds pretty insecure.

> Alternatively if they are computed, are they computed once (say during
> installation) or are they computed each time a secure sessions is
> initiated.

The second (or close to it). They are computed for each RSA key you generate.
Generally you would generate one key for your "usual" communications.
You might want to use a different key for something else and generate another.
But it is generated once. (Heck ... if you always generated a new key, you
would have to post the public key on the key servers each time you sent a 
message).

When you send a message a SESSION (NOT RSA) key is generated (each time!).
This is just a random number (no tests for primality, etc.).

The actual message is encrypted in the SESSION key.
Then the session key is sent, encrypted with the RECIPIENT's (NOT your)
public key. Things (keys, messages) can be SIGNED with your private key.

When the recipient responds to you he can encrypt session keys with your
public key (and PGP on your system will first decrypt that using your
public key and then use the session key to decrypt the actual message).

Actually, the primes are not saved, just the private and public exponents
and the modulus (well, from those one can recover the primes, if they
are of any interest).

RSA can be used in different things. PGP for messages, etc.
You generate a key pair (modulus and public/private exponents)
ONCE for all future use when using that key.
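The lifecycle described in the reply above, as an added example in pure Python (not code from the post or from PGP): primes are generated and tested once, at key generation; after that only the modulus and the two exponents are kept; every message gets a fresh random session key that needs no primality test; that key is wrapped under the recipient's public key and unwrapped with the recipient's private key; and signing uses the sender's private key. Textbook RSA with no padding and a SHA-256 counter keystream stand in for the real primitives here (PGP used padded RSA and a block cipher); both simplifications are this example's, and the 512-bit modulus is for speed, not for use. recover_primes makes the parenthetical remark concrete: (n, e, d) is enough to recover p and q.

```python
import hashlib
import math
import secrets

# Added example: RSA keys made once, session keys made per message.


def is_probable_prime(n, rounds=32):
    """Miller-Rabin. Primality testing happens only here, at key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512, e=65537):
    """Done once per key pair; afterwards only (n, e) and (n, d) are kept."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def keystream_xor(key, nonce, data):
    """Session-cipher stand-in: XOR with SHA-256(key || nonce || counter)."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def hybrid_encrypt(recipient_pub, plaintext):
    """Fresh random session key per message (random bytes, no primality
    test), wrapped under the RECIPIENT's public key."""
    session_key, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
    wrapped = pow(int.from_bytes(session_key, "big"), recipient_pub["e"], recipient_pub["n"])
    return {"wrapped_key": wrapped, "nonce": nonce,
            "ciphertext": keystream_xor(session_key, nonce, plaintext)}


def hybrid_decrypt(recipient_priv, env):
    """The recipient unwraps with its own PRIVATE key, then decrypts the body."""
    k = pow(env["wrapped_key"], recipient_priv["d"], recipient_priv["n"])
    return keystream_xor(k.to_bytes(16, "big"), env["nonce"], env["ciphertext"])


def sign(priv, message):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, priv["d"], priv["n"])


def verify(pub, message, sig):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, pub["e"], pub["n"]) == h


def recover_primes(n, e, d):
    """(n, e, d) is enough to refactor n: e*d - 1 is a multiple of the group
    order, so halving that exponent repeatedly on a random base yields a
    nontrivial square root of 1 mod n, hence a factor, for most bases."""
    r, t = e * d - 1, 0
    while r % 2 == 0:
        r, t = r // 2, t + 1
    while True:
        x = pow(secrets.randbelow(n - 2) + 2, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:
                p = math.gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break
            x = y
```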

------------------------------

From: "Alexander Schmitt" <[EMAIL PROTECTED]>
Subject: MQV implementation
Date: Wed, 7 Feb 2001 09:07:15 +0100

Hello,

I have to make a test implementation of the Menezes-Qu-Vanstone (MQV)
algorithm over elliptic curves in the ONB version (IEEE 1363). For this I
have taken the implementation out of M. Rosing's book. But in this book only
key lengths smaller than 160 bits are suggested. Now I need a length of 233
bits. Are there any sample hints for using this length?
Are there any optimized versions of the MQV implementation, with less memory
need and very fast running ;-(?

Any help on the theme MQV is welcome, like the choice of the curve or the right
parameters.

Thanks in advance,
Alex



------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Subject: Re: One way function for Passwords.
Date: Wed, 07 Feb 2001 08:09:26 GMT


> that would mean you "lose" precision on your password so the function
> converting your password into the hash is not injective.

Not quite; the hashes are generated from very large tables that are
computed to generate those hashes. SHA has a 512-bit table that is
computed in a noninvertible way to generate a particular hash. See FIPS
Pub 180-1 (www.nist.gov/something) for info on how SHA deals with data
larger than 512 bits. (You could use the complete works of Shakespeare
as a password.)

> Sure, that mathematically /implies/ there's no real inverse
> to the function, but then, since it's limited to a scope of the
> numbers from 0 to (2^160)-1, there will be multiple (and depending on
> the allowed password length, possibly an infinite number of)
> candidates that will generate the same hash.

For more on that; see the "Birthday paradox".

> Sure, finding these takes a lot of computing power if you use
> something brutal...

Not brutal, it uses lists of "common user entropy" = passwords. That's
way more efficient than attacking it dead on with brute force.

> but if you know the OWHF, isn't it considerably easy to reverse
> engineer such a function so you get candidate passwords, ones that
> generate the same hash?

All are open source, even the ones from "Big Brother". From the lack of
papers on the subject you could deduce that SHA/MD5 could have quite
strong security... or it could mean that cryptanalysing one way
functions is a dull and boring thing to do :o)

> Oooh, I get it....sort of.
>
> My question:
> I am sitting at my machine, configuring my password for a remote
> login. "password". It concatenates my random number to it as
> "password+randomnumber" and hashes it.
>
> Now I sit someplace overseas and try to {ssh or something} log into my
> system. I only know my password!
>
> I send that to my machine, where something listens for the password.
> It receives "password". Now, how do I get from there to
> "password+randomnumber" that will result in the correct final hash? I
> don't think storing the "Salt" someplace would really help, since that
> would, of course, compromise security back to the old level.

Actually, the client generates a random salt, concatenates that with
the password, hashes it, sends it to the server which "breaks it" in a
fair amount of steps; if it's not successfully "broken" it's the wrong
password, else it is the correct password. So there is no need to store
any info on the client, all that is needed is a PRNG. (which could be
attackable too..:o)

This is interesting since a valid hash could be intercepted and reused.
("Pass the hash" vulnerability) Solution? Timestamps and Certificates
(There are problems beyond those too... like denial of service attacks
and session hijacking (and on and on...))

> Thanks a lot :) I know what I have to look into.

No problemo.

Regards,
Glenn

Crypto Novice & Security researcher
[ - but that's unfortunately not my job..:oP ]


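The three things argued over in the exchange above (where the salt lives, why a wordlist beats brute force, and replay of a captured hash) in working form, as an added example that is not code from either poster. The salt is generated and stored server-side next to a slow hash; it is not secret and nothing has to be kept on the client. The wordlist is constructed for the demo, the PBKDF2 iteration count is lowered so the demo runs quickly (deployments use far higher counts), and the challenge-response exchange at the end is this example's own minimal design, with its own caveat in the comment.

```python
import hashlib
import hmac
import os
import secrets

# Added example: server-side salted password hashing, the dictionary attack
# it is meant to slow down, and a nonce-based exchange against replay.
ITERATIONS = 20_000        # lowered for the demo


def hash_password(password, salt=None):
    """Store (salt, PBKDF2-HMAC-SHA256(password, salt)). The salt is public."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record, password):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(cand, record["hash"])     # constant-time compare


# --- why the salt matters: one precomputed table vs work per user ---
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "monkey"]  # constructed


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).digest()


def precompute_table(wordlist):
    """Built once, reusable against every unsalted hash ever captured."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(table, stored):
    return table.get(stored)


def crack_salted(record, wordlist):
    """With a per-user salt the attacker redoes the slow hash per guess per user."""
    for w in wordlist:
        if verify_password(record, w):
            return w
    return None


# --- replay: a fixed value on the wire can be captured and resent; tying
#     each proof to a fresh server nonce makes the captured value useless ---
def server_challenge():
    return secrets.token_bytes(16)


def client_response(password, salt, challenge):
    """The client needs the salt (sent in clear by the server) and the password."""
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(verifier, challenge, "sha256").digest()


def server_verify(record, challenge, response):
    # Caveat: in this simple scheme the stored verifier is password-equivalent,
    # so a stolen database permits pass-the-hash against it. Augmented PAKEs
    # such as SRP are designed so that the stored verifier cannot be replayed.
    expected = hmac.new(record["hash"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)
```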

------------------------------

From: Bernhard Loehlein <[EMAIL PROTECTED]>
Subject: Universal Maurer-Test
Date: Wed, 07 Feb 2001 09:13:14 +0100
Reply-To: [EMAIL PROTECTED]

Hello,

Does anyone have a C or C++ implementation of the
"Universal Statistical Test for Random Bit Generators"
(Ref.: J. Cryptology Vol. 5, No. 2, 1992, pp. 89-105)
by Ueli Maurer for different values L
of the block size?

I have found an implementation for L=8, but
none for an arbitrary L.

Thanks,
  Bernhard Loehlein
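An added example (not code from the poster, and in Python rather than C) of Maurer's test for an arbitrary block size L. The expected value and variance of the per-block statistic are computed from their defining series (the gap between repeats of an L-bit block in a truly random source is geometric with parameter 2^-L), so no table limited to particular L is needed; the finite-K correction factor is the one used in NIST SP 800-22. The default Q = 10 * 2^L is Maurer's recommendation. For L=8 the computed constants agree with the published 7.1836656 and 3.238.

```python
import math
import os

# Added example: Maurer's universal statistical test for any block size L.


def expected_stats(L):
    """E[log2 X] and Var[log2 X] for X geometric with success probability
    2**-L, i.e. for the distance between repeats of an L-bit block in a
    truly random bit stream. Summed until the terms are negligible."""
    p = 2.0 ** -L
    q = 1.0 - p
    mean = mean_sq = 0.0
    weight, i = p, 1
    while weight > 1e-17:
        lg = math.log2(i)
        mean += weight * lg
        mean_sq += weight * lg * lg
        weight *= q
        i += 1
    return mean, mean_sq - mean * mean


def universal_test(bits, L, Q=None):
    """bits: sequence of 0/1 ints. Q initialisation blocks, K test blocks.
    Returns (f_n statistic, two-sided p-value)."""
    if Q is None:
        Q = 10 * 2 ** L
    K = len(bits) // L - Q
    if K < 1:
        raise ValueError("not enough bits for the chosen L and Q")

    def block(i):            # value of the i-th L-bit block, numbered from 1
        v = 0
        for b in bits[(i - 1) * L:i * L]:
            v = (v << 1) | b
        return v

    last_seen = [0] * (2 ** L)
    for i in range(1, Q + 1):                 # initialisation segment
        last_seen[block(i)] = i
    total = 0.0
    for i in range(Q + 1, Q + K + 1):         # test segment
        v = block(i)
        total += math.log2(i - last_seen[v])
        last_seen[v] = i
    f_n = total / K

    mean, var = expected_stats(L)
    c = 0.7 - 0.8 / L + (4 + 32 / L) * K ** (-3 / L) / 15   # NIST SP 800-22 form
    sigma = c * math.sqrt(var / K)
    p_value = math.erfc(abs(f_n - mean) / (sigma * math.sqrt(2)))
    return f_n, p_value


def bytes_to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


if __name__ == "__main__":
    L = 8
    sample = os.urandom(L * (10 * 2 ** L + 20000) // 8 + 1)   # constructed input
    f_n, p = universal_test(bytes_to_bits(sample), L)
    print(f"L={L}: f_n={f_n:.4f} expected={expected_stats(L)[0]:.4f} p={p:.3f}")
```

A sequence with no entropy at all (all zeros, for instance) scores f_n = 0 and a p-value of essentially zero, since every test block repeats the one immediately before it; genuinely random input lands within a few sigma of the expected value.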



------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: PGP 2.6.3ia-cb (now supports CAST5 and BLOWFISH)
Date: Wed, 07 Feb 2001 10:34:30 +0200

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

I just added another cipher to PGP 2.6.3ia - Blowfish.
Why? Because it was easy :)

You can get it if you want at http://disastry.dhs.org/pgp
Source code included.


        PGP version 2.6.3(i)a-cb
1. Supports CAST5, IDEA and BLOWFISH ciphers for encryption.
2. Supports RSA keys up to 4096 bits
3. Does not choke on DSS/DH signatures and keys found in key files
4. Supports key expiration time
5. Allows changing the "Version: " line


== <EOF> ==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp <--PGP plugins for Netscape and MDaemon
       ^^^^^^^^^--^^^^^^^^^----GPG for Win32 (supports IDEA)
       ^--------PGP 2.6.3ia-cb (supports CAST5 and BLOWFISH)
remove .NOSPAM.NET for email reply

=====BEGIN PGP SIGNATURE=====
Version: Netscape PGP half-Plugin 0.15 by Disastry / PGPsdk v1.7.1

iQA/AwUBOn7LGDBaTVEuJQxkEQKNpQCgyK5SfaPMt1B4L71HKJXfCLCSfzEAoPJ2
WANulZ+pUTE3h//A+WiaHMbe
=cNZy
=====END PGP SIGNATURE=====

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
