Re: Wikileaks video crypto.

2010-04-09 Thread David Shaw
On Apr 9, 2010, at 3:06 PM, Perry E. Metzger wrote:

 
 Earlier this weeks, Wikileaks released of video of an incident involving
 an Apache helicopter which killed two Reuters reporters and a number of
 bystanders in Iraq.
 
 A number of the reports surrounding the release claim that the video was
 decrypted by Wikileaks. Indeed, Wikileaks requested supercomputer
 time via twitter and other means to decrypt a video, see:
 http://twitter.com/wikileaks/status/7530875613
 
 The video was apparently intentionally given to Wikileaks, so one can't
 imagine that the releasing parties would have wanted it to be unreadable
 by them (or that any reasonable modern cryptosystem would have be
 crackable). What, then, does the decryption claim mean here. Does
 anyone know?

According to an interview with Julian Assange (one of the Wikileaks founders) 
at http://www.sueddeutsche.de/politik/740/507892/text/ , the decryption was 
essentially passphrase guessing.   From Google Translate: He and a team of 
cryptographers had then worked for about three months out.  The aim was to find 
among a few million of the most likely the correct passwords.

See also http://www.youtube.com/watch?v=7QEdAykXxoM around the 1:22 mark.

For what it's worth, the original encrypted file (encrypted with OpenSSL's 
'enc' tool it seems) is claimed to be at http://leaks.telecomix.org/cm.rda.  
They do not provide the passphrase that managed to decrypt it.

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: [Macgpg-users] GPGMail Snow Leopard

2009-09-04 Thread David Shaw

On Aug 28, 2009, at 8:25 PM, R.A. Hettinga wrote:


...and now GPG.

So, Snow Leopard is crypto-less?


To be strictly accurate, the problem is with GPGMail, the plugin that  
integrates GPG with Apple's Mail application (as Mail internals  
changed significantly between Leopard and Snow Leopard).  GPG itself  
seems to work just fine under Snow Leopard, albeit on the command line.


David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: A note on vendor reaction speed to the e=3 problem

2006-09-17 Thread David Shaw
On Sat, Sep 16, 2006 at 12:35:08PM +1000, James A. Donald wrote:
 --
 Peter Gutmann wrote:
   How does [GPG] handle the NULL vs.optional
   parameters ambiguity?
 
 David Shaw:
  GPG generates a new structure for each comparison, so
  just doesn't include any extra parameters on it.  Any
  optional parameters on a signature would cause that
  signature to fail validation.
 
  RFC-2440 actually gives the exact bytes to use for the
  ASN.1 stuff, which nicely cuts down on ambiguity.
 
 This amounts to *not* using ASN.1 - treating the ASN.1
 data as mere arbitrary padding bits, devoid of
 information content.

That is correct.  OpenPGP passes the hash identification in the
OpenPGP data as well as encoded in ASN.1 for the PKCS-1 structure.
Since there is another source for the information, it is unnecessary
to generate or parse ASN.1.  In the case of GPG specifically (other
implementations may do the same, but I can't say for sure), all ASN.1
data is hardcoded opaque strings.

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: A note on vendor reaction speed to the e=3 problem

2006-09-15 Thread David Shaw
On Fri, Sep 15, 2006 at 08:49:31PM +1200, Peter Gutmann wrote:

 When I fired up Firefox a few minutes ago it told me that there was
 a new update available to fix security problems.  I thought, Hmm, I
 wonder what that would be  It's interesting to note that we now
 have fixes for many of the OSS crypto apps (OpenSSL, gpg, Firefox

GPG was not vulnerable, so no fix was issued.  Incidentally, GPG does
not attempt to parse the PKCS/ASN.1 data at all.  Instead, it
generates a new structure during signature verification and compares
it to the original.

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: A note on vendor reaction speed to the e=3 problem

2006-09-15 Thread David Shaw
On Sat, Sep 16, 2006 at 05:35:27AM +1200, Peter Gutmann wrote:
 David Shaw [EMAIL PROTECTED] writes:
 
 Incidentally, GPG does not attempt to parse the PKCS/ASN.1 data at all.
 Instead, it generates a new structure during signature verification and
 compares it to the original.
 
 How does it handle the NULL vs.optional parameters ambiguity?

GPG generates a new structure for each comparison, so just doesn't
include any extra parameters on it.  Any optional parameters on a
signature would cause that signature to fail validation.

RFC-2440 actually gives the exact bytes to use for the ASN.1 stuff,
which nicely cuts down on ambiguity.

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: PGP master keys

2006-04-27 Thread David Shaw
On Wed, Apr 26, 2006 at 09:53:27PM -0400, Steven M. Bellovin wrote:
 In an article on disk encryption
 (http://www.theregister.co.uk/2006/04/26/pgp_infosec/), the following
 paragraph appears:
 
   BitLocker has landed Redmond in some hot water over its insistence
   that there are no back doors for law enforcement. As its
   encryption code is open source, PGP says it can guarantee no back
   doors, but that cyber sleuths can use its master keys if
   neccessary.
 
 What is a master key in this context?

It sounds rather like a misunderstanding/mangling of PGP's Additional
Decryption Key feature.

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: pci hardware for secure crypto storage (OpenSSL/OpenBSD)

2004-09-14 Thread David Shaw
On Tue, Sep 14, 2004 at 10:31:11AM +0200, Eugen Leitl wrote:
 
 I'm looking for (cheap, PCI/USB) hardware to store secrets (private
 key) and support crypto primitives (signing, cert generation). It
 doesn't have to be fast, but to support loading/copying of secrets
 in physically secure environments, and not generate nonextractable
 secret onboard. Environment is OpenBSD/Linux/OpenSSL/gpg.

Since your environment includes GPG, then I think the OpenPGP
smartcard meets pretty well what you are requesting.  Combine it it
with a USB smartcard reader, and the card becomes USB, too ;)

http://www.silicon-trust.com/pdf/secure_8/48_ppc.pdf
http://www.g10code.de/p-card.html

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


MD4 collision reproduced

2004-08-17 Thread David Shaw
I have reproduced both MD4 collisions from the recent paper.  The
example given had endian problems similar to those noted by Eric
Rescorla for the sorta-MD5 collision.  Also similar to Eric's results,
the hash value (while a collision) does not match what the authors
give in the paper.

Example one:

$ od -tx1 file1.bin 
000 83 9c 7a 4d 7a 92 cb 56 78 a5 d5 b9 ee a5 a7 57
020 3c 8a 74 de b3 66 c3 dc 20 a0 83 b6 9f 5d 2a 3b
040 b3 71 9d c6 98 91 e9 f9 5e 80 9f d7 e8 b2 3b a6
060 31 8e dd 45 e5 1f e3 97 08 bf 94 27 e9 c3 e8 b9
100
$ od -tx1 file2.bin
000 83 9c 7a 4d 7a 92 cb d6 78 a5 d5 29 ee a5 a7 57
020 3c 8a 74 de b3 66 c3 dc 20 a0 83 b6 9f 5d 2a 3b
040 b3 71 9d c6 98 91 e9 f9 5e 80 9f d7 e8 b2 3b a6
060 31 8e dc 45 e5 1f e3 97 08 bf 94 27 e9 c3 e8 b9
100
$ cmp file1.bin file2.bin
file1.bin file2.bin differ: char 8, line 1
$ openssl md4 file1.bin file2.bin
MD4(file1.bin)= 4d7e6a1defa93d2dde05b45d864c429b
MD4(file2.bin)= 4d7e6a1defa93d2dde05b45d864c429b

Example two:

$ od -tx1 file1.bin 
000 83 9c 7a 4d 7a 92 cb 56 78 a5 d5 b9 ee a5 a7 57
020 3c 8a 74 de b3 66 c3 dc 20 a0 83 b6 9f 5d 2a 3b
040 b3 71 9d c6 98 91 e9 f9 5e 80 9f d7 e8 b2 3b a6
060 31 8e dd 45 e5 1f e3 97 40 c2 13 f7 69 cf b8 a7
100
$ od -tx1 file2.bin 
000 83 9c 7a 4d 7a 92 cb d6 78 a5 d5 29 ee a5 a7 57
020 3c 8a 74 de b3 66 c3 dc 20 a0 83 b6 9f 5d 2a 3b
040 b3 71 9d c6 98 91 e9 f9 5e 80 9f d7 e8 b2 3b a6
060 31 8e dc 45 e5 1f e3 97 40 c2 13 f7 69 cf b8 a7
100
$ cmp file1.bin file2.bin 
file1.bin file2.bin differ: char 8, line 1
$ openssl md4 file1.bin file2.bin 
MD4(file1.bin)= c6f3b3fe1f4833e0697340fb214fb9ea
MD4(file2.bin)= c6f3b3fe1f4833e0697340fb214fb9ea

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: The meat with multiple PGP subkeys

2003-06-18 Thread David Shaw
On Wed, Jun 18, 2003 at 03:47:01PM +0200, Stefan Kelm wrote:
 David,
 
  A reasonable question would be Why don't all the PKS operators
  replace their server with SKS or something else?.  I don't have a
  good answer to that.  It's certainly been asked.[3]
 
 ...and has been answered a number of times. The thing is (and most people 
 seem to forget about this now and then) that most, if not all, of the 
 pgp.net server operators do run their servers in their spare time. Since 
 pksd has a long history of not being overly stable one is happy once the 
 server is up and running. Thus, the never-change-a-running-system 
 paradigm is being lived in this realm.  

These servers are *broken*, and harming the use of PGP.  Countless
FAQs and other documents extol the keyserver network, and so new PGP
users try it and get their keys eaten.  One would hope that
never-change-a-running-system wouldn't apply when the running system
was actively causing damage.  It's not just subkeys: PKS allows for a
number of denial of service attacks against keys stored in it.

It's a question, but the way I see it, if a keyserver operator doesn't
want to fix critical bugs for fear of messing with a stable system,
then just turn the thing off.  That's stable too, and doesn't harm
anyone.

At least now there is subkeys.pgp.net so users can ignore the servers
that aren't being fixed (and we just have to educate everyone to use
it).

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]