Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-12-07 Thread Alexander Klimov
On Thu, 17 Nov 2005, Jari Ruusu wrote:
>
> Unfortunately truecrypt is just another broken device crypto implementation
> that uses good ciphers in an insecure way. Specially crafted static bit
> patterns are easily detectable through that kind of bad crypto.

Looks like they have fixed it: version 4.1 (2005-11-25) supports
tweakable narrow-block encryption (LRW).

-- 
Regards,
ASK

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
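To make concrete what the tweakable LRW mode mentioned above changes, here is an added example (not code from the thread, from TrueCrypt, or from any of the posters) of the standard LRW construction C = E_K1(P xor T) xor T with T = K2 * i in GF(2^128), run over AES from Go's standard library. The byte order used for GF(2^128), the reduction polynomial x^128 + x^7 + x^2 + x + 1, the 1-based block index and the sample keys are this example's assumptions, not TrueCrypt's on-disk conventions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// gf128Mul multiplies two GF(2^128) elements read as big-endian polynomials (bit 127 is
// the MSB of byte 0), reduced by x^128 + x^7 + x^2 + x + 1; this convention is the example's own.
func gf128Mul(a, b [16]byte) [16]byte {
	var z [16]byte
	v := a
	for i := 0; i < 128; i++ { // z += a * x^i for each set bit i of b, LSB first
		if (b[15-i/8]>>(i%8))&1 == 1 {
			for j := range z { z[j] ^= v[j] }
		}
		carry := v[0] >> 7 // v *= x; fold the x^128 term back in as 0x87
		for j := 0; j < 15; j++ { v[j] = v[j]<<1 | v[j+1]>>7 }
		v[15] <<= 1
		if carry == 1 { v[15] ^= 0x87 }
	}
	return z
}

// lrwBlock handles one 16-octet block at position index: C = E_K1(P xor T) xor T with
// T = K2 (x) index. Decryption swaps in D_K1; the tweak layers are the same either way.
func lrwBlock(blk cipher.Block, k2 [16]byte, index uint64, in []byte, decrypt bool) []byte {
	var idx [16]byte
	binary.BigEndian.PutUint64(idx[8:], index)
	t := gf128Mul(k2, idx)
	tmp, out := make([]byte, 16), make([]byte, 16)
	for i := range tmp { tmp[i] = in[i] ^ t[i] }
	if decrypt { blk.Decrypt(out, tmp) } else { blk.Encrypt(out, tmp) }
	for i := range out { out[i] ^= t[i] }
	return out
}

// lrwApply runs LRW-AES over whole blocks, the first at position first (1-based: index 0
// would give T = 0 and leave that block untweaked). Identical plaintext blocks at different
// positions now encrypt differently, so a repeated static pattern does not show through.
func lrwApply(k1 []byte, k2 [16]byte, first uint64, data []byte, decrypt bool) ([]byte, error) {
	if len(data)%16 != 0 || first == 0 { return nil, errors.New("need whole blocks and a non-zero start index") }
	blk, err := aes.NewCipher(k1)
	if err != nil { return nil, err }
	out := make([]byte, 0, len(data))
	for i := 0; i < len(data); i += 16 {
		out = append(out, lrwBlock(blk, k2, first+uint64(i/16), data[i:i+16], decrypt)...)
	}
	return out, nil
}
```

Writing the same 16-octet pattern to two consecutive block positions yields two different ciphertext blocks, and running the same routine with decrypt set recovers the plaintext; that per-position difference is what an untweaked per-block cipher does not provide.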


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-17 Thread Jari Ruusu
Thomas Sjögren wrote:
> On Tue, Nov 08, 2005 at 05:58:04AM -0600, Travis H. wrote:
> > The only thing close that I've seen is Bestcrypt, which is commercial
> > and has a Linux and Windows port.  I don't recall if the Linux port
> > came with source or not.
> 
> http://www.truecrypt.org/
> 
> "TrueCrypt
> Free open-source disk encryption software for Windows XP/2000/2003 and Linux

Unfortunately truecrypt is just another broken device crypto implementation
that uses good ciphers in an insecure way. Specially crafted static bit
patterns are easily detectable through that kind of bad crypto.
Requirements: (1) the ciphers used must have a 128-bit block size and (2) the file
system where the bit patterns are stored must have a 2K or larger soft block size.
Many popular Linux file systems meet those requirements. Uuencoded exploit
source code is included in this email.

# truecrypt --device-number 0 --filesystem ext2 /tmp/container1.tc /mnt
Enter password for '/tmp/container1.tc':
# mount | grep /mnt
/dev/mapper/truecrypt0 on /mnt type ext2 (rw)
# tune2fs -l /dev/mapper/truecrypt0 | grep "Block size"
Block size:   4096
# ./create-watermark-encodings-truecrypt 10:44 11:55 12:66 666:77 >/mnt/foo1
# truecrypt -d /mnt
# truecrypt -l
truecrypt: Kernel module not loaded
# ./detect-watermark-encodings-truecrypt 

Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-09 Thread Jon Callas

On 4 Nov 2005, at 5:23 PM, Travis H. wrote:

> For example, pgp doesn't hide the key IDs of the addressees.

But OpenPGP does. Here's an extract from RFC 2440:

5.1. Public-Key Encrypted Session Key Packets (Tag 1)

[...]

   An implementation MAY accept or use a Key ID of zero as a "wild card"
   or "speculative" Key ID. In this case, the receiving implementation
   would try all available private keys, checking for a valid decrypted
   session key. This format helps reduce traffic analysis of messages.

Now, there has been much discussion about how useful this is, and  
there are other related issues like how you do the UI for such a  
thing. But the *protocol* handles it.


You might also want to look at the PFS extensions for OpenPGP:



and even OTR, which is very cool in its own right (and is designed to  
take care of the sort of edge conditions all of these other things  
have):




Jon


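As an added example of the receiver behaviour the RFC 2440 extract above describes (this is not code from the thread or from any OpenPGP implementation), here is a Go sender and receiver for a version-3 Public-Key Encrypted Session Key body: with a key ID of zero the receiver trial-decrypts under every private key in its ring and accepts the one whose output carries a valid session-key checksum. RSA with PKCS#1 v1.5 padding, the 2-octet checksum layout and the packet field order follow RFC 2440 sections 5.1 and 13.1 (not this page); the packet tag/length header is left out, and the key IDs and session key used in testing are constructed values.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/binary"
	"errors"
	"math/bits"
)

// checksumOK verifies the 2-octet checksum after the session key: the sum of the key
// octets mod 65536 (RFC 2440 section 5.1). A wrong private key almost never passes it.
func checksumOK(sk []byte) bool {
	if len(sk) < 3 { return false }
	var sum uint16
	for _, b := range sk[1 : len(sk)-2] { sum += uint16(b) }
	return sum == binary.BigEndian.Uint16(sk[len(sk)-2:])
}

// recoverSessionKey is the receiver for a v3 PKESK body (version, 8-octet key ID, algorithm
// octet, RSA MPI). A non-zero key ID selects one key; zero is the "speculative" wild card, so
// every private key in the ring is tried. It also returns how many decryptions were attempted.
func recoverSessionKey(body []byte, ring map[uint64]*rsa.PrivateKey) ([]byte, int, error) {
	if len(body) < 12 || body[0] != 3 || body[9] != 1 { return nil, 0, errors.New("not a v3 RSA PKESK body") }
	n := (int(binary.BigEndian.Uint16(body[10:12])) + 7) / 8 // MPI bit count -> octets
	if len(body) != 12+n { return nil, 0, errors.New("MPI length does not match body") }
	keyID, mpi, tried := binary.BigEndian.Uint64(body[1:9]), body[12:], 0
	for id, priv := range ring {
		if keyID != 0 && id != keyID { continue }
		tried++
		if sk, err := rsa.DecryptPKCS1v15(rand.Reader, priv, mpi); err == nil && checksumOK(sk) {
			return sk[1 : len(sk)-2], tried, nil
		}
	}
	return nil, tried, errors.New("no private key decrypts this packet")
}

// buildPKESK is the sender: algo || key || checksum, PKCS#1 v1.5-encrypted to pub (RFC 2440
// section 13.1), framed as a v3 body under keyID; keyID 0 requests the wild-card behaviour.
func buildPKESK(pub *rsa.PublicKey, keyID uint64, symAlgo byte, key []byte) ([]byte, error) {
	var sum uint16
	for _, b := range key { sum += uint16(b) }
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, append(append([]byte{symAlgo}, key...), byte(sum>>8), byte(sum)))
	if err != nil { return nil, err }
	for len(ct) > 1 && ct[0] == 0 { ct = ct[1:] } // an MPI carries no leading zero octets
	body := make([]byte, 12, 12+len(ct))
	body[0], body[9] = 3, 1 // version 3; public-key algorithm 1 = RSA (encrypt or sign)
	binary.BigEndian.PutUint64(body[1:9], keyID)
	binary.BigEndian.PutUint16(body[10:12], uint16((len(ct)-1)*8+bits.Len8(ct[0])))
	return append(body, ct...), nil
}

// newKey makes a throwaway RSA key for demonstrations (constructed, not a real user's key).
func newKey(size int) *rsa.PrivateKey { k, err := rsa.GenerateKey(rand.Reader, size); if err != nil { panic(err) }; return k }
```

The attempt count returned by recoverSessionKey is the price of the traffic-analysis resistance: a wild-card packet costs the receiver one private-key operation per candidate key instead of one.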


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Thomas Sjögren
On Tue, Nov 08, 2005 at 05:58:04AM -0600, Travis H. wrote:
> The only thing close that I've seen is Bestcrypt, which is commercial
> and has a Linux and Windows port.  I don't recall if the Linux port
> came with source or not.

http://www.truecrypt.org/

"TrueCrypt
Free open-source disk encryption software for Windows XP/2000/2003 and Linux
Main Features:

* It can create a virtual encrypted disk within a file and mount it as a real disk.
* It can encrypt an entire hard disk partition or a device, such as USB memory stick, floppy disk, etc.
* Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
  1) Hidden volume (more information may be found here).
  2) No TrueCrypt volume can be identified (TrueCrypt volumes cannot be distinguished from random data).
* Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent (256-bit key), Triple DES, and Twofish (256-bit key). Supports cascading (e.g., AES-Twofish-Serpent).
* Based on Encryption for the Masses (E4M) 2.02a, which was conceived in 1997.
Further information regarding the features of the software may be found in the documentation."

"Complete source code (in C) of the latest stable version of TrueCrypt for all supported operating systems and all supported hardware platforms" are available from
http://www.truecrypt.org/downloads.php

/Thomas


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Alexander Klimov
On Mon, 7 Nov 2005, Jason Holt wrote:
> Take a look at ecryptfs before rewriting cfs

... or at TrueCrypt (which works on linux and windows):

  http://www.truecrypt.org/downloads.php

-- 
Regards,
ASK



Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Travis H.
> Nice, but linux-only and requires special kernel support.  cfs supports
> lots and lots of different OSs and doesn't require kernel modes.  So far
> as I know, in this regard cfs is unique among cryptographic filesystems.

The only thing close that I've seen is Bestcrypt, which is commercial
and has a Linux and Windows port.  I don't recall if the Linux port
came with source or not.  I had problems with the init script hanging
the boot process, or at least delaying it significantly, so I
uninstalled it until I could devote the time to analyze what was going
on.  Right after installation I tried using it to read a container
copied from a corrupted Windows machine, but was not successful.  It
is unclear to me if this was due to the corruption which occurred, or
some kind of incompatibility between the Windows and Linux ports.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Jonathan Thornburg

On Fri, 4 Nov 2005, Travis H. wrote:
> PS:  There's a paper on cryptanalyzing CFS on my homepage below.  I
> got to successfully use classical cryptanalysis on a relatively modern
> system!  That is a rare joy.  CFS really needs a re-write, there's no
> real good alternatives for cross-platform filesystem encryption to my
> knowledge.

On Mon, 7 Nov 2005, Jason Holt wrote:
> Take a look at ecryptfs before rewriting cfs:
>
> http://sourceforge.net/projects/ecryptfs

Nice, but linux-only and requires special kernel support.  cfs supports
lots and lots of different OSs and doesn't require kernel modes.  So far
as I know, in this regard cfs is unique among cryptographic filesystems.

ciao,

--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam




Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-07 Thread Jason Holt


On Fri, 4 Nov 2005, Travis H. wrote:
> PS:  There's a paper on cryptanalyzing CFS on my homepage below.  I
> got to successfully use classical cryptanalysis on a relatively modern
> system!  That is a rare joy.  CFS really needs a re-write, there's no
> real good alternatives for cross-platform filesystem encryption to my
> knowledge.

Take a look at ecryptfs before rewriting cfs:

http://sourceforge.net/projects/ecryptfs

-J



Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-07 Thread Travis H.
> Does ISAKMP do encryption where the input is
> meant to be secret, instead of the key?

I meant MAC, not encryption, sorry.
Of course encryption inputs are secret.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



gonzo cryptography; how would you improve existing cryptosystems?

2005-11-07 Thread Travis H.
Hi folks,

If one had the ability to create standards over, with reckless
disregard for performance, how would you improve their security?

Feel free to pick a protocol or system (e.g. gpg or isakmp) and let me
know how it is done, and how it should have been done.

For example, pgp doesn't hide the key IDs of the addressees.  Many
systems use hashes that are too small.  DSA keys are too small
compared to large ElG keys.  How would you make a signature with a
larger keyspace?  Does the protocol wrap encryption in authentication
instead of vice-versa?  Does ISAKMP do encryption where the input is
meant to be secret, instead of the key?  Does it use a rinky-dink
algorithm, now that much better ones are available?

I've got a hankering to re-write something, and I want to know what
can be improved the most.

PS:  There's a paper on cryptanalyzing CFS on my homepage below.  I
got to successfully use classical cryptanalysis on a relatively modern
system!  That is a rare joy.  CFS really needs a re-write, there's no
real good alternatives for cross-platform filesystem encryption to my
knowledge.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
