Cryptography-Digest Digest #993, Volume #13 Sun, 25 Mar 01 08:13:00 EST
Contents:
Re: Data dependent arcfour via sbox feedback (Mok-Kong Shen)
Re: Uniform random integer (Paul Schlyter)
Re: 64 versus 128 (or bigger) bits cipher data block (Mok-Kong Shen)
Re: Best encryption program for laptop? ("Henrick Hellström")
fix for Klima & Rosa style attacks - DSA Case - First Attempt (Imad R. Faiad)
Re: Best encryption program for laptop? ("Simon Johnson")
Re: Compression-encryption with a key (Ross Younger)
Re: Fractal Compression - I meant ENCRYPTION ("Simon Johnson")
Re: 64 versus 128 (or bigger) bits cipher data block ("Tom St Denis")
Re: Fractal Compression - I meant ENCRYPTION ("Tom St Denis")
Re: Data dependent arcfour via sbox feedback ("Henrick Hellström")
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Sun, 25 Mar 2001 13:17:22 +0200
John Savard wrote:
>
> Ken Savage <[EMAIL PROTECTED]> wrote:
>
> >Any thoughts? Replies via newsgroup or email -- I read both :)
>
> Making something like RC4 dependent on the plaintext will collide with
> Terry Ritter's Dynamic Substitution patent.
Using intermediate results during processing to do feedback
is in my humble view what scientists and engineers have been
doing since time immemorial in countless cases as matters
entirely self-evident. Specific examples: step size adjustment
in solving differential equations, temperature reading to
control air-conditioning of rooms. In general: iterations,
servo-mechanisms, etc. (I am aware, though, of stuff
like Hitachi's rotation patent.)
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Uniform random integer
Date: 25 Mar 2001 12:15:06 +0200
In article <[EMAIL PROTECTED]>,
Frank Gerlach <[EMAIL PROTECTED]> wrote:
> NEVER use rand() from the C std lib for security-related purposes. Too easy
> to guess the next value from the current. Instead, use DES or RC4 or any
> other strong symmetric cipher.
That's not enough. One must ALSO make sure to generate the seed for that
DES or RC4 used as a Random Number Generator in as unpredictable a way
as possible. Suppose a naive user uses e.g. RC4 in some
feedback loop as an RNG, and then just seeds it with e.g. the
time-of-day, to the nearest second. Then there are only 86400
possible different seeds, i.e. a "seed space" of only 17 bits!
A good way to generate a cryptographically strong random number
seed would be to collect as much as possible of these data:
Date from system clock
Time from system clock, to as large a resolution as possible
Any internal CPU time tick value, if available
The screen contents, character-for-character, or if in
graphics mode, pixel-for-pixel, if possible
Some unpredictable user input: ask the user to type some random
characters on the keyboard, or to move the mouse randomly.
Monitor that input carefully, both regarding contents and timing.
Some hard-to-predict characteristics of some I/O device, e.g. a disk:
Create a file, write to it, read from it, then delete it,
time all these operations.
Search some directories (e.g. the "temp" directory which often
changes), gather as much data as you can of the files there
Any other easily accessible and hard-to-predict data you can
think of
Finally, take an MD5 or SHA hash of all these data, and let that
hash be the seed to your RNG.
--
================================================================
Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40, S-114 38 Stockholm, SWEDEN
e-mail: pausch at saaf dot se or paul.schlyter at ausys dot se
WWW: http://hotel04.ausys.se/pausch http://welcome.to/pausch
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 64 versus 128 (or bigger) bits cipher data block
Date: Sun, 25 Mar 2001 13:41:37 +0200
Peter wrote:
>
> Can someone explain to me the main reasons (or all of them) why a 128-bit block
> is better than a 64-bit block? I have thought about this and found
> some goals for using a bigger block, but I still don't know if they are
> primary.
A 128 bit block provides the designer the opportunity
to produce a better cipher. For, if one has a 64 bit
cipher, one could have put two of these side by side to
encrypt 128 bits. This shows that, with a 128 bit block
size, the designer has more room to exploit his ingenuity
to produce a cipher that is qualitatively better than
using two 64 bit ciphers of his design in the above said
fashion. Whether he succeeds in doing that, is of course
another matter.
M. K. Shen
------------------------------
From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Best encryption program for laptop?
Date: Sun, 25 Mar 2001 13:47:21 +0200
I don't think it is a good idea to keep sensitive files, encrypted or not,
on a computer you fear might be stolen. I don't know of any practical
encryption software that ultimately relies on something else than a password
(or nothing). So how safe is your password?
The security of the passwords in WinNT 5 is in part based on the use of
software interrupts - you press CTRL+ALT+DEL and hopefully you interrupt all
current processes (incl. key loggers and automated password crackers) except
the OS. If the attacker manages to get past this obstacle, WinNT is no more
secure than any other OS.
I personally think your situation calls for a different solution. Don't
store any sensitive data on a computer you fear might be stolen. Instead,
keep your sensitive files on a stationary computer and use some secure file
server software to make them available 24-7.
0 If the file server uses SRP for login, the security of your system is
still password based.
+ The difference is that in this case the attacker needs to capture your
stationary computer in order to find a password file of any kind. So I
think you should use SRP instead of a public key system. If you use a public
key system, you will either have to carry your private key on a floppy disk
or store it on your laptop. In the former case you run the risk of the
floppy being stolen. In the latter case you don't gain any additional
security at all.
+ A secure file server might deploy active defenses in a way you cannot rely
on a stolen laptop to do. There is no backdoor to your system if your
firewall is set properly and you are properly protected against viruses and
trojans etc. The attacker must successfully login to your server to access
your files.
0 You will still have to worry about temporary files, virtual memory files
etc in case your laptop is stolen.
- In this case the attacker does not have to capture your laptop in order to
attack your system. Given the (+)'es this shouldn't be a problem however.
So is there such software anywhere? Yes, there is: StreamSecFTP at
http://www.streamsec.com/demos.asp Beware that this software is currently
being alpha tested. Report any bug or flaw to me.
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
<[EMAIL PROTECTED]> skrev i meddelandet
news:[EMAIL PROTECTED]...
> My job is changing, and is going to require me to do some travelling.
> I would like to purchase a laptop, and continue to keep my home
> finances, and other private data, on it.
> what would be the best way to keep data safe, in case the laptop was
> stolen? Which encryption program? And, should it be encryption alone,
> or encryption coupled with a secure os like NT?
> Thanks.
------------------------------
From: Imad R. Faiad <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: fix for Klima & Rosa style attacks - DSA Case - First Attempt
Date: Sun, 25 Mar 2001 14:08:06 +0200
=====BEGIN PGP SIGNED MESSAGE=====
Greetings,
Please find below my first attempt at fixing
the above problem in PGP 6.5.8.
I would appreciate it if this is reviewed and validated
by the crypto gurus.
Best Regards
Imad R. Faiad
The sanity checks are placed in the function dsaUnlock(),
in the file /pgp658/libs/pgpcdk/priv/keys/pubkey/pgpDSAKey.c
of the PGP 6.5.8 source code. The function dsaUnlock()
is called before any operations may be done using
the secret DSA key, whether it be password protected or
not.
The following is the modified dsaUnlock() function:
static int
dsaUnlock(PGPSecKey *seckey, PGPEnv const *env,
          char const *phrase, size_t plen, PGPBoolean hashedPhrase)
{
    DSAsecPlus *sec = (DSAsecPlus *)seckey->priv;
    BigNum x;
    PGPCFBContext *cfb = NULL;
    unsigned v;
    unsigned alg;
    unsigned checksum;
    int i;
    PGPMemoryMgrRef mgr = NULL;
    //BEGIN SANITY CHECKS OF ALL DSA KEY PARAMETERS - Imad R. Faiad
    unsigned qbits, maxqbits;
    BigNum pmodq, g2TheqModp, g2ThexModp;
    //END SANITY CHECKS OF ALL DSA KEY PARAMETERS

    mgr = PGPGetContextMemoryMgr( seckey->context );
    bnBegin(&x, mgr, TRUE);
    ASSERTDSA(seckey->pkAlg);

    /* Check packet for basic consistency */
    i = pgpBnParse(sec->cryptkey, sec->cklen, 4, &v, NULL, NULL, NULL);
    if (i <= 0)
        goto fail;

    /* OK, read the public data */
    i = pgpBnGetPlain(&sec->s.p, sec->cryptkey+v, sec->cklen-v);
    if (i <= 0)
        goto fail;
    v += i;
    i = pgpBnGetPlain(&sec->s.q, sec->cryptkey+v, sec->cklen-v);
    if (i <= 0)
        goto fail;
    v += i;
    i = pgpBnGetPlain(&sec->s.g, sec->cryptkey+v, sec->cklen-v);
    if (i <= 0)
        goto fail;
    v += i;
    i = pgpBnGetPlain(&sec->s.y, sec->cryptkey+v, sec->cklen-v);
    if (i <= 0)
        goto fail;
    v += i;

    /* Get the encryption algorithm (cipher number). 0 == no encryption */
    alg = sec->cryptkey[v];

    /* If the phrase is empty, set it to NULL */
    if (plen == 0)
        phrase = NULL;
    /*
     * We need a pass if it is encrypted, and we cannot have a
     * password if it is NOT encrypted. I.e., this is a logical
     * xor (^^)
     */
    if (!phrase != !sec->cryptkey[v])
        goto badpass;

    i = pgpCipherSetup(sec->cryptkey + v, sec->cklen - v, phrase, plen,
                       hashedPhrase, env, &cfb);
    if (i < 0)
        goto done;
    v += i;

    checksum = 0;
    i = pgpBnGetNew(&x, sec->cryptkey + v, sec->cklen - v, cfb,
                    &checksum);
    if (i <= 0)
        goto badpass;
    v += i;
    if (bnCmp(&x, &sec->s.q) >= 0)
        goto badpass;    /* Wrong passphrase: x must be < q */

    /* Check that we ended in the right place */
    if (sec->cklen - v != 2) {
        i = kPGPError_KEY_LONG;
        goto fail;
    }
    checksum &= 0xffff;
    if (checksum != pgpChecksumGetNew(sec->cryptkey+v, cfb))
        goto badpass;

    //BEGIN SANITY CHECKS OF ALL DSA KEY PARAMETERS - Imad R. Faiad
    //This is to prevent Klima & Rosa style attacks
    //Please refer to:-
    //"Attacks on Private Signature Keys of the OpenPGP format,
    //PGP programs and other applications compatible with OpenPGP",
    //Vlastimil Klima and Thomas Rosa, March 2001
    //http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf
    //
    //The checks run on the freshly decrypted local copy x BEFORE the key
    //is copied into sec->s.x and marked unlocked.  A key that fails a
    //check is therefore never usable, and the function returns an error
    //instead of i = 1 ("Decrypted!").
    //
    //check that 2^159 < q < 2^pgpDiscreteLogQBits(MAX_DSA_PRIME_BITS)
    //This is necessary to support DSA > 1,024 bits
    //where q can get as large as 2^232,
    //when MAX_DSA_PRIME_BITS is set to 2048 bits
    //get the number of significant bits in q
    qbits=bnBits(&sec->s.q);
    //maxqbits is the maximum number of significant bits
    //that q may have given MAX_DSA_PRIME_BITS
    maxqbits=pgpDiscreteLogQBits(MAX_DSA_PRIME_BITS);
    //q > 2^159 means q has at least 160 significant bits
    if ((qbits < 160) || (qbits > maxqbits))
        goto badkey;
    //check that g > 1
    if (bnCmpQ(&sec->s.g, 1) < 1)
        goto badkey;
    //check that y > 1
    if (bnCmpQ(&sec->s.y, 1) < 1)
        goto badkey;
    //p should be odd
    if ((bnLSWord(&sec->s.p) & 1) == 0)
        goto badkey;
    //q should be odd
    if ((bnLSWord(&sec->s.q) & 1) == 0)
        goto badkey;
    //check that p > y
    if (bnCmp(&sec->s.p, &sec->s.y) < 1)
        goto badkey;
    //check that p > g
    if (bnCmp(&sec->s.p, &sec->s.g) < 1)
        goto badkey;
    //check that q > x (already ensured above, kept for completeness)
    if (bnCmp(&sec->s.q, &x) < 1)
        goto badkey;
    //check that q|(p-1)
    //that is p mod q = 1
    bnBegin(&pmodq, mgr, FALSE);
    if (bnMod(&pmodq, &sec->s.p, &sec->s.q) < 0) {
        bnEnd(&pmodq);
        goto nomem;
    }
    if (bnCmpQ(&pmodq, 1) != 0){
        bnEnd(&pmodq);
        goto badkey;
    }
    bnEnd(&pmodq);
    //check that g^q mod p = 1
    bnBegin(&g2TheqModp, mgr, FALSE);
    if (bnExpMod(&g2TheqModp, &sec->s.g, &sec->s.q, &sec->s.p) < 0) {
        bnEnd(&g2TheqModp);
        goto nomem;
    }
    if (bnCmpQ(&g2TheqModp, 1) != 0){
        bnEnd(&g2TheqModp);
        goto badkey;
    }
    bnEnd(&g2TheqModp);
    //check that g^x mod p = y
    bnBegin(&g2ThexModp, mgr, FALSE);
    if (bnExpMod(&g2ThexModp, &sec->s.g, &x, &sec->s.p) < 0) {
        bnEnd(&g2ThexModp);
        goto nomem;
    }
    if (bnCmp(&g2ThexModp, &sec->s.y) != 0){
        bnEnd(&g2ThexModp);
        goto badkey;
    }
    bnEnd(&g2ThexModp);
    //END SANITY CHECKS OF ALL DSA KEY PARAMETERS

    /*
     * Note that the "nomem" case calls bnEnd()
     * more than once, but this is guaranteed harmless.
     */
    if (bnCopy(&sec->s.x, &x) < 0)
        goto nomem;
    i = 1;    /* Decrypted! */
    sec->locked = 0;
    goto done;

nomem:
    i = kPGPError_OutOfMemory;
    goto done;
badkey:
    //A parameter check failed: refuse to unlock and report an error.
    //kPGPError_BadParams is assumed to be the SDK's generic
    //invalid-parameter code (pgpErrors.h); any negative error code
    //the project prefers will do, but it must not be 0 or 1.
    i = kPGPError_BadParams;
    goto done;
fail:
    if (!i)
        i = kPGPError_KeyPacketTruncated;
    goto done;
badpass:
    i = 0;    /* Incorrect passphrase */
    goto done;
done:
    bnEnd(&x);
    if (cfb)
        PGPFreeCFBContext(cfb);
    return i;
}
=====BEGIN PGP SIGNATURE=====
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45
=====END PGP SIGNATURE=====
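The parameter checks from the patch above, carried through on a stand-alone toy DSA key so they can be run and seen to reject an altered key packet. This is an added example in Python, not PGP SDK code or the patch author's code; the toy values (q = 11, p = 23, g = 4, x = 7, y = 8) and the small bit-length bounds are constructed, where the patch uses 160 and pgpDiscreteLogQBits(MAX_DSA_PRIME_BITS).

```python
# DSA private-key sanity checks mirroring the dsaUnlock() patch above
# (added example, not PGP SDK code).  All key values below are constructed.


def dsa_key_sanity(p, q, g, y, x, min_qbits=160, max_qbits=232):
    """Return the names of the checks that FAILED (empty list = key is
    internally consistent).  Every check runs, so the result tells you
    which parameter of a stored key packet was altered."""
    failed = []
    # size of q: the patch requires 160 <= bnBits(q) <= maxqbits
    if not (min_qbits <= q.bit_length() <= max_qbits):
        failed.append("q_bits")
    if g <= 1:
        failed.append("g>1")
    if y <= 1:
        failed.append("y>1")
    if p % 2 == 0:
        failed.append("p_odd")
    if q % 2 == 0:
        failed.append("q_odd")
    if not (y < p):
        failed.append("y<p")
    if not (g < p):
        failed.append("g<p")
    if not (x < q):
        failed.append("x<q")
    if p % q != 1:                 # q must divide p - 1
        failed.append("q|p-1")
    if pow(g, q, p) != 1:          # g must generate the order-q subgroup
        failed.append("g^q=1")
    if pow(g, x, p) != y:          # public y must match private x
        failed.append("g^x=y")
    return failed


def unlock_if_sane(key, **bounds):
    """Model of the unlock step: hand out the private exponent only when
    every check passes; otherwise refuse (None), never a 'decrypted' result."""
    failed = dsa_key_sanity(key["p"], key["q"], key["g"], key["y"], key["x"],
                            **bounds)
    return None if failed else key["x"]


# Constructed toy key: q = 11, p = 2*q + 1 = 23, g = 2^2 mod 23 = 4 (order 11),
# x = 7, y = 4^7 mod 23 = 8.  Toy bit bounds (4..8) stand in for 160..232.
TOY_KEY = {"p": 23, "q": 11, "g": 4, "y": 8, "x": 7}
TOY_BOUNDS = {"min_qbits": 4, "max_qbits": 8}
# The same key with p altered in the stored packet (constructed corruption)
BAD_P_KEY = dict(TOY_KEY, p=25)

if __name__ == "__main__":
    for name, key in (("intact key", TOY_KEY), ("altered p", BAD_P_KEY)):
        print(name, "->", unlock_if_sane(key, **TOY_BOUNDS))
```

With the altered p the key still decrypts fine (the passphrase checksum says nothing about p), which is why the unlock step must refuse rather than report success.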
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Best encryption program for laptop?
Date: Sun, 25 Mar 2001 13:27:57 -0800
<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> My job is changing, and is going to require me to do some travelling.
> I would like to purchase a laptop, and continue to keep my home
> finances, and other private data, on it.
> what would be the best way to keep data safe, in case the laptop was
> stolen? Which encryption program? And, should it be encryption alone,
> or encryption coupled with a secure os like NT?
> Thanks.
PGPdisk is a good program for this kind of situation. PGPdisk provides a
passphrase protected drive... You can download it for free from:
http://www.PGPi.org
I wouldn't trust NT by itself... its "security" is provided by program
code.. if you read the disk raw you could recover everything on the disk,
regardless of the permissions NT sets on those files.
Simon.
------------------------------
From: Ross Younger <[EMAIL PROTECTED]>
Subject: Re: Compression-encryption with a key
Date: 25 Mar 2001 12:16:03 +0100 (BST)
amateur <[EMAIL PROTECTED]> rearranged some electrons into article
<[EMAIL PROTECTED]> thus:
>Does compression-encryption with a key exist or not?
>The same algorithm compresses and encrypts the plaintext simultaneously with a
>secret key, that is what I mean.
Simultaneously? Not that I'm aware of.
It is generally a Good Idea to compress your plaintext before encrypting
-- this normally reduces the amount of ciphertext for an attacker to play
with and reduces redundancy within (one could call this obfuscating the
plaintext, I suppose).
Ross
--
Ross Younger news#[EMAIL PROTECTED] (if N fails, try N+1)
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Fractal Compression - I meant ENCRYPTION
Date: Sun, 25 Mar 2001 13:38:48 -0800
John Savard <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Sun, 25 Mar 2001 03:06:23 GMT, [EMAIL PROTECTED] (Merrick) wrote,
> in part:
>
> >I meant Encryption as opposed to Compression.
>
> Although the fractal compression of images is efficient and useful,
> the use of chaos theory, strange attractors, and the like, in
> cryptography has not proven to be of much use.
Not knowing anything really about fractal compression, it would seem logical
that, from this post, this is exactly the reason that fractal encryption
really isn't much use in cryptography...
The fact that fractals can be used to correlate the information in a picture
is exactly the wrong property we want. In cryptography we wish to
decorrelate information and this is probably why it's not much use; after
all, I've never seen a compression algorithm adapted to provide secure block
encryption...
Then again, I could be completely wrong, which is probably the case =)
Simon.
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: 64 versus 128 (or bigger) bits cipher data block
Date: Sun, 25 Mar 2001 12:47:40 GMT
"Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
news:99k17l$uvo$[EMAIL PROTECTED]...
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:iFfv6.125875$[EMAIL PROTECTED]...
> >
> > This doesn't mean a 128-bit block cipher is always more secure than a
> 64-bit
> > block cipher (um Lucifer anyone?).
>
> ObHistoricalNit: Lucifer has a 64 bit block and a 128 bit key. Thus, for
> the purposes of this thread, it's a "64-bit block cipher"
Oh I thought it was both...
doh.
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Fractal Compression - I meant ENCRYPTION
Date: Sun, 25 Mar 2001 12:48:16 GMT
"John Savard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Sun, 25 Mar 2001 03:06:23 GMT, [EMAIL PROTECTED] (Merrick) wrote,
> in part:
>
> >I meant Encryption as opposed to Compression.
>
> Although the fractal compression of images is efficient and useful,
> the use of chaos theory, strange attractors, and the like, in
> cryptography has not proven to be of much use.
It did on star trek!!! I'll stick with Borg Encryption code 29.
Tom
------------------------------
From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Sun, 25 Mar 2001 14:58:56 +0200
"John Savard" <[EMAIL PROTECTED]> skrev i meddelandet
news:[EMAIL PROTECTED]...
>
>
>
> On 23 Mar 2001 14:53:51 -0800, Ken Savage <[EMAIL PROTECTED]> wrote,
> in part:
>
> >Any thoughts? Replies via newsgroup or email -- I read both :)
>
> Making something like RC4 dependent on the plaintext will collide with
> Terry Ritter's Dynamic Substitution patent.
Why should I care about a U.S. patent?
How about this deal: I develop an algorithm that collides with Terry
Ritter's patent. I implement it in some software, perhaps even some
commercial software, which I publish on a Swedish server. I warn people who
are downloading from the U.S. that Terry Ritter might not be thrilled about
anyone using the software in the U.S. I make sure that I don't have any
assets in the U.S. Terry Ritter will sue me. I couldn't care less.
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************