Thread: debunking snake oil

debunking snake oil | United States | 2007-08-30 20:43:59
I think it might be fun to start up a collection of snake oil cryptographic methods and cryptanalytic attacks against them. It would be more fun for me than crossword puzzles, and educational for all the would-be cryptographers.

I'd like to start with the really simple stuff; classical cryptography, systems with clean and obvious "breaks". Although I find the magazine entertaining to read, I'm finding that 2600 Magazine is a particularly good source of this brand of snake oil.

So, when you find a particularly obnoxious dilettante going on about his bone-headed unbreakable scheme, please forward it to me and I'll see about breaking it, and then publish the schemes and the results on a web site for publicly "educating" them. Honestly, there's probably no better way to educate people than to see schemes submitted and broken, and I'm not sure there's a good site for it, although there are plenty of books. Unfortunately, these types won't be bothered to buy books since they already know everything.

If you have a break of some scheme you wish to contribute, please do forward me a URL and I'll link to it.

Perhaps this should be a wiki?

I'm revamping my web site, so the crypto wiki has been down temporarily but will be back up.
--
<URL:http://www.subspacefield.org/~travis/> -><- dharma
<>< advaita
For a good time on my UBE blacklist, email john subspacefield.org.

RE: debunking snake oil | United Kingdom | 2007-08-31 11:51:09
On 31 August 2007 02:44, travis+ml-cryptography wrote:
> I think it might be fun to start up a collection of snake oil cryptographic methods and cryptanalytic attacks against them.

I was going to post about "crypto done wrong" after reading this item[*]:
http://www.f-secure.com/weblog/archives/archive-082007.html#00001263

I can't tell exactly what, but they have to be doing *something* wrong if they think it's necessary to use file-hiding hooks to conceal... well, anything really. The hash of the fingerprint should be the symmetric key used to encrypt either files and folders directly on the thumbdrive, or perhaps a keyring file containing ADKs of some description, but if you do crypto right, you shouldn't have to conceal or obfuscate anything at all.

cheers,
DaveK

[*] - See also
http://www.f-secure.com/weblog/archives/archive-082007.html#00001264
http://www.f-secure.com/weblog/archives/archive-082007.html#00001266
--
Can't think of a witty .sigline today....
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo metzdowd.com

Re: debunking snake oil | Germany | 2007-08-31 11:54:09
travis+ml-cryptography subspacefield.org wrote:
> I think it might be fun to start up a collection of snake oil cryptographic methods and cryptanalytic attacks against them. It would be more fun for me than crossword puzzles, and educational for all the would-be cryptographers.

One good candidate would be Enigma 2000, now available as Enigma 2000 Plus:
http://www.drchip.de/html/enigma_2000_plus.html

Unfortunately, there is little information available, but from what I saw a few years ago, this is a polyalphabetic cipher with a large key.

From the web site: "Die Kombination aus der Vernam-Codierung (One-Time-Pad) und des von T. Heidel zum Patent angemeldeten Verfahrens macht eine "bis zu beweisbar sichere Dateiverschlüsselung" möglich."

Or, in English: "The combination of Vernam encoding (One-Time-Pad) and the patent-pending approach by T. Heidel enables "up to provably secure data encryption"."

Fun,
Stephan

Re: debunking snake oil | Australia | 2007-09-01 07:39:49
> I'd like to start with the really simple stuff; classical cryptography, systems with clean and obvious "breaks".

You can start with RSA SecurID, Texas Instruments DST40, Microchip Technologies KeeLoq, Philips/NXP Hitag2, WEP RC4, Bluetooth E0, GSM A5... It's much harder to find a product or technology that implements proper ciphers, proper hashes, proper RNGs or proper protocols. And I don't mean small mistakes like in SSH1 or SSL. I mean look at all those proprietary weak ciphers sold for millions! Will they ever learn?

Ruptor
http://defectoscopy.com/ - There is no need to design weak ciphers.

Re: debunking snake oil | United States | 2007-09-01 11:55:43
Crossroads is an undergraduate journal. We'd do well to single out more worthy targets for public ridicule than CS undergrads.

If you want to help the author, why not educate, rather than mocking? He's obviously been motivated to think about the subject matter and to even take the bold step of publishing something.

If you must scold, aim at the advisor, then. But I don't see much to be gained by scolding in this case. Pick someone who's asking for it - the vendors of all the products that don't do what their buyers hope and wish they would do...

On Aug 31, 2007, at 11:35 PM, Ben Pfaff wrote:
> travis+ml-cryptography subspacefield.org writes:
>
>> So, when you find a particularly obnoxious dilettante going on about his bone-headed unbreakable scheme, please forward it to me and I'll see about breaking it, and then publish the schemes and the results on a web site for publicly "educating" them. Honestly, there's probably no better way to educate people than to see schemes submitted and broken, and I'm not sure there's a good site for it, although there are plenty of books. Unfortunately, these types won't be bothered to buy books since they already know everything.
>
> Here's a particularly moronic scheme:
> http://www.acm.org/crossroads/xrds11-3/xorencrypt.html
> --
> "If a person keeps faithfully busy each hour of the working day, he can count on waking up some morning to find himself one of the competent ones of his generation." --William James

Re: debunking snake oil | 2007-09-01 19:13:00
I don't think fingerprint scanners work in a way that's obviously amenable to hashing with "well-known" algorithms. Fingerprint scanners produce an image, from which some features can be identified. But, not all the same features can be extracted identically every time an image is obtained. I know there's been research into fuzzy hashing schemes, but are they sufficiently secure, fast, and easy to code that they would be workable for this?

--nash

On 8/31/07, Dave Korn <dave.korn artimi.com> wrote:
> On 31 August 2007 02:44, travis+ml-cryptography wrote:
>
> > I think it might be fun to start up a collection of snake oil cryptographic methods and cryptanalytic attacks against them.
>
> I was going to post about "crypto done wrong" after reading this item[*]:
> http://www.f-secure.com/weblog/archives/archive-082007.html#00001263
>
> I can't tell exactly what, but they have to be doing *something* wrong if they think it's necessary to use file-hiding hooks to conceal... well, anything really. The hash of the fingerprint should be the symmetric key used to encrypt either files and folders directly on the thumbdrive, or perhaps a keyring file containing ADKs of some description, but if you do crypto right, you shouldn't have to conceal or obfuscate anything at all.
>
> cheers,
> DaveK
> [*] - See also
> http://www.f-secure.com/weblog/archives/archive-082007.html#00001264
> http://www.f-secure.com/weblog/archives/archive-082007.html#00001266
> --
> Can't think of a witty .sigline today....

RE: debunking snake oil | United Kingdom | 2007-09-01 20:09:53
On 02 September 2007 01:13, Nash Foster wrote:
> I don't think fingerprint scanners work in a way that's obviously amenable to hashing with "well-known" algorithms. Fingerprint scanners produce an image, from which some features can be identified. But, not all the same features can be extracted identically every time an image is obtained. I know there's been research into fuzzy hashing schemes, but are they sufficiently secure, fast, and easy to code that they would be workable for this?

Well, if fingerprint scanners aren't reliable enough to identify the same person accurately twice, it's even more so snake oil to suggest they're suitable for crypto... or even biometric authentication, for that.

(I wonder if the level of variability is manageable enough that you could generate a set of the most-probable variations of the trace of a given fingerprint and then use a multiple key/N-out-of-M technique.)

cheers,
DaveK
--
Can't think of a witty .sigline today....
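Dave Korn's N-out-of-M idea above, worked through as an added example (not code from this thread or from any product it mentions): a random key is Shamir-shared over a prime field, each share is masked under a hash of one extracted fingerprint feature, and any N features that re-extract identically unwrap enough shares to rebuild the key. The feature strings and the 3-of-5 threshold are constructed; a real deployment would need a proper fuzzy extractor and features with far more entropy than this toy assumes.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime field for the Shamir shares; the key is a field element

def _hint(tag: bytes, feature: str) -> int:
    """Domain-separated SHA-256 of one feature string, reduced into the field."""
    return int.from_bytes(hashlib.sha256(tag + feature.encode()).digest(), "big") % P

def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def _lagrange_at_zero(points):
    """Constant term of the unique polynomial through the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def enroll(features, n_required):
    """Split a fresh random key into one share per feature (threshold n_required),
    wrap share i under feature i, and return (key, record). The record alone
    reveals nothing about the key unless n_required features recur exactly."""
    key = secrets.randbelow(P)
    coeffs = [key] + [secrets.randbelow(P) for _ in range(n_required - 1)]
    record = []
    for x, f in enumerate(features, start=1):
        wrapped = (_eval_poly(coeffs, x) + _hint(b"wrap", f)) % P  # share masked by feature hash
        # Check value that tells a correctly re-extracted feature apart. Caveat: it also
        # allows offline guessing of a low-entropy feature, so real features need entropy
        # (or a slow, salted KDF here); this toy assumes high-entropy feature strings.
        check = hashlib.sha256(b"check" + f.encode()).digest()
        record.append((x, wrapped, check))
    return key, (n_required, record)

def recover(features_now, record):
    """Unwrap every share whose feature re-extracted identically, then rebuild the
    key from any n_required of them; return None if too few features matched."""
    n_required, wrapped_shares = record
    points = []
    for x, wrapped, check in wrapped_shares:
        for f in features_now:
            if hashlib.sha256(b"check" + f.encode()).digest() == check:
                points.append((x, (wrapped - _hint(b"wrap", f)) % P))
                break
    if len(points) < n_required:
        return None
    return _lagrange_at_zero(points[:n_required])
```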

Re: debunking snake oil | 2007-09-02 11:40:17
On Sat, Sep 01, 2007 at 02:39:49PM +0200, Marcos el Ruptor wrote:
> You can start with RSA SecurID, Texas Instruments DST40, Microchip Technologies KeeLoq, Philips/NXP Hitag2, WEP RC4, Bluetooth E0, GSM A5...

I didn't realise the current SecurID tokens had been broken. A quick Google doesn't show anything, but I'm probably using the wrong terms. Do you have references for this that I could have a look at?

Thanks,
--
Paul

Re: debunking snake oil | Australia | 2007-09-02 15:12:22
> I didn't realise the current SecurID tokens had been broken. A quick Google doesn't show anything, but I'm probably using the wrong terms. Do you have references for this that I could have a look at?

http://eprint.iacr.org/2003/162.pdf

This attack may not be as practical as an algebraic attack would be, but it shows that the SecurID keyed hash function is in fact weaker than what its claimed 64-bit security level demands. AFAIK, algebraic cryptanalysis of the RSA SecurID keyed hash function by the academic sector hasn't even been performed yet. Their new tokens use AES-128. Maybe they do learn after all...

Ruptor
http://defectoscopy.com/ - There is no need to design weak ciphers.

Re: debunking snake oil | Germany | 2007-09-02 16:27:45
On Fri, August 31, 2007 18:54, Stephan Neuhaus wrote:
> Fun,

See German patent document DE000010027974A1 (application was refused in 2006).

Axel H. Horns

Re: debunking snake oil | United States | 2007-09-02 17:26:33
At 12:40 PM 9/2/2007, Paul Walker wrote:
>I didn't realise the current SecurID tokens had been broken. A quick Google doesn't show anything, but I'm probably using the wrong terms. Do you have references for this that I could have a look at?

I'd also be interested in any evidence that the SecurID has been cracked. Any credible report would have the immediate attention of tens of thousands of RSA installations. Not to speak of EMC/RSA itself, for which I have been a consultant for many years.

AFAIK, there has never been a viable direct attack on a SecurID hardware token -- except perhaps for DPA attacks against the old 64-bit SecurID tokens. DPA and similar side-channel attacks are a generic threat to OTP tokens (as well as to any other ciphering microchip), but the 128-bit AES SecurID that RSA introduced five years ago to replace the classic 64-bit SecurID was also specially designed to be DPA-resistant.

(There were also some fascinating, if wholly theoretical, statistical attacks developed against the old SecurID by Biryukov, Lano, and Preneel <https://www.cosic.esat.kuleuven.ac.be/pressReleases/ashf.pdf> in 2003, and extended by Contini and Yin in '04 <http://eprint.iacr.org/2003/205/> -- but neither team was aware, when they wrote their papers, that RSA was already filtering the random seeds used in the 64-bit tokens to reduce the probability of the collisions their attacks planned to exploit.)

Today, the AES SecurID is pretty much the standard SecurID token, although market demand has resulted in an increasingly broad array of SecurID "soft tokens:" token-emulation applications for PDAs, beepers, mobile phones, memory sticks, and PCs -- all of which have the relative strengths and weaknesses of software crypto apps running on potentially-accessible platforms.

In real-world implementations, SecurID installations have gotten more vastly secure as VPNs and other end-to-end encryption has been used to secure network links, but potential new threats have arisen (particularly in the nascent mass market) with MitM attacks and new malware like targeted trojans, which could possibly take over a user's PC (and snatch the user PIN and an OTP for immediate exploitation.) Such attacks have been reported, but -- like, say, wiretapping -- they seem to be rare, cumbersome, and tend to draw quick responses from LEAs.

If and when the market feels the threat deserves buttressing OTP tokens with local client software for additional security, the IETF has published an RFC on one option: RSA's EAP-POTP, the EAP protected one time password protocol: <http://tinyurl.com/3a3uo8>. EAP-POTP is one of the One-Time Password Specifications (OTPS), a series of protocols, templates, and guidelines by which RSA and its many partners have sought to standardize, for developers and integrators, the use of OTPs in a wide variety of application environments to make their use more trustworthy, predictable, and secure.

No security system is perfectly secure, of course, and AES may have been cracked in some breakthrough, but I doubt it. Unsupported claims that the SecurID is "snake oil" seem rash, not to say unprofessional. In its small but useful market niche, the simple SecurID, complementing other security measures, has significantly enhanced the security of thousands of IT and network environments for 20 years -- and will probably continue to do so, until (and perhaps only if) PKI preempts its function with an alternative personal authentication token.

Suerte,
_Vin

----- in reference to --------------------
>On Sat, Sep 01, 2007 at 02:39:49PM +0200, Marcos el Ruptor wrote:
>
> > You can start with RSA SecurID, Texas Instruments DST40, Microchip Technologies KeeLoq, Philips/NXP Hitag2, WEP RC4, Bluetooth E0, GSM A5...

Re: debunking snake oil | China | 2007-09-02 23:10:14
I am all for humor... Can you give us a hand with how to find this patent?

On Sep 2, 2007, at 2:27 PM, Axel Horns wrote:
> On Fri, August 31, 2007 18:54, Stephan Neuhaus wrote:
>
>> Fun,
>
> See German patent document DE000010027974A1 (application was refused in 2006).
>
> Axel H. Horns

Re: debunking snake oil | 2007-09-02 23:26:07
On 8/30/07, travis+ml-cryptography subspacefield.org <travis+ml-cryptography subspacefield.org> wrote:
> I think it might be fun to start up a collection of snake oil cryptographic methods and cryptanalytic attacks against them. ...
> So, when you find a particularly obnoxious dilettante going on about his bone-headed unbreakable scheme, ..

You can get a few spectacularly boneheaded ones from Sklyarov's Defcon presentation, the one he was arrested for. Link here.
http://www.cs.cmu.edu/~dst/Adobe/Gallery/
--
Sandy Harris,
Nanjing, China

Re: debunking snake oil | Germany | 2007-09-03 02:44:25
Try this:
http://v3.espacenet.com/textdoc?DB=EPODOC&IDX=DE10027974&F=0

Then, click the tab "Original Document" and look at the top navigation bar for a link "Save Full Document". Afterwards, you will need to pass some captcha test in order to be allowed to download a free PDF file with that Document but without any DRM clutter.

Axel H. Horns

-------- Original Message --------
> Date: Sun, 2 Sep 2007 21:10:14 -0700
> From: james hughes <hughejp mac.com>
> To: Axel Horns <axel.h.horns gmx.net>
> CC: james hughes <hughejp mac.com>, cryptography metzdowd.com
> Subject: Re: debunking snake oil
> I am all for humor... Can you give us a hand with how to find this patent?
>
> On Sep 2, 2007, at 2:27 PM, Axel Horns wrote:
>
> > On Fri, August 31, 2007 18:54, Stephan Neuhaus wrote:
> >
> > >> Fun,
> >
> > See German patent document DE000010027974A1 (application was refused in 2006).
> >
> > Axel H. Horns

Re: debunking snake oil | Germany | 2007-09-03 08:09:36
On Thursday, 30.08.2007, 20:43 -0500, travis+ml-cryptography subspacefield.org wrote:
> If you have a break of some scheme you wish to contribute, please do forward me a URL and I'll link to it.

Sorry, German, but definitely worth reading:
http://www.kryptochef.de/

Re: debunking snake oil | 2007-09-03 14:53:51
* Erik Tews wrote on 2007-09-03 at 15:09:
> On Thursday, 30.08.2007, 20:43 -0500, travis+ml-cryptography subspacefield.org wrote:
> > If you have a break of some scheme you wish to contribute, please do forward me a URL and I'll link to it.
>
> Sorry, German, but definitely worth reading:
> http://www.kryptochef.de/

<URL:http://www.manuel-hachenburger.de/> also offers an "unbreakable" cipher. He states that he developed two different ciphers and no one (explicitly mentions NSA) broke his code yet. However he seems to be a crypto expert, because as a sports trainer he obviously works every day in this field. ;)

Best regards
--
Jens Kubieziel http://www.kubieziel.de
There are 10 types of people in the world. Those who understand binary and those who don't.