Re: handling weak keys using random selection and CSPRNGs

2006-10-16 Thread Marcos el Ruptor
Now, you said "compressed files" and you might not have meant pictures, but note that L-Z style compressed files don't really have much in the way of headers. If the headers were a problem, you'd expect longer files to bury any deviation in the noise, but it doesn't. The longer the files I test th

Re: handling weak keys using random selection and CSPRNGs

2006-10-14 Thread Marcos el Ruptor
The only things that it usually passes as good are for-purpose random number generators' or ciphers' outputs. Everything else (including a terabyte of RC4 output, executables, zip archives, jpegs, mpegs, mp3s, ...) that I've pointed it at, fails one or more of the tests. Have you tried removing

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Greg Rose
At 17:05 -0400 2006/10/12, Steven M. Bellovin wrote: This is a very interesting suggestion, but I suspect people need to be cautious about false positives. MP3 and JPG files will, I think, have similar entropy statistics to encrypted files; so will many compressed files. Actually, no. I have

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Leichter, Jerry
| > Beyond that: Are weak keys even detectable using a ciphertext-only | > attack (beyond simply trying them - but that can be done with *any* small | > set of keys)? | | Yes, generally, that's the definition of a weak key. Which weak keys would those be? The DES weak keys are self-inverting: En

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Perry E. Metzger
"Travis H." <[EMAIL PROTECTED]> writes: > On 10/12/06, Leichter, Jerry <[EMAIL PROTECTED]> wrote: >> Beyond that: Are weak keys even detectable using a ciphertext-only >> attack (beyond simply trying them - but that can be done with *any* small >> set of keys)? > > Yes, generally, that's the defi

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Travis H.
On 10/12/06, Leichter, Jerry <[EMAIL PROTECTED]> wrote: Beyond that: Are weak keys even detectable using a ciphertext-only attack (beyond simply trying them - but that can be done with *any* small set of keys)? Yes, generally, that's the definition of a weak key. But that's an odd attack to

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Leichter, Jerry
| > This suggests that, | > rather than looking for weak keys as such, it might be worth it to | > do "continuous online testing": Compute the entropy of the generated | > ciphertext, and its correlation with the plaintext, and sound an | > alarm if what you're getting looks "wrong". This might b

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Steven M. Bellovin
On Thu, 12 Oct 2006 16:50:13 -0400 (EDT), "Leichter, Jerry" <[EMAIL PROTECTED]> wrote: > This suggests that, > rather than looking for weak keys as such, it might be worth it to > do "continuous online testing": Compute the entropy of the generated > ciphertext, and its correlation with the plain

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Leichter, Jerry
| Given how rare weak keys are in modern ciphers, I assert that code to cope | with them occurring by chance will never be adequately tested, and will be | more likely to have security bugs. In short, why bother? Beyond that: Are weak keys even detectable using a ciphertext-only attack (beyond si

Re: handling weak keys using random selection and CSPRNGs

2006-10-12 Thread Steven M. Bellovin
Given how rare weak keys are in modern ciphers, I assert that code to cope with them occurring by chance will never be adequately tested, and will be more likely to have security bugs. In short, why bother? - The Cryptography Mai

handling weak keys using random selection and CSPRNGs

2006-10-10 Thread Travis H.
Hi all, It occurred to me that there is a half-decent way to avoid weak keys in algorithms when it is undesirable or impossible to prompt the user for a different passphrase. It is even field-upgradable if new weak keys are found. Basically, instead of using the hash of the passphrase up front, y