Slashdot Mirror


User: ssimpson

ssimpson's activity in the archive.

Stories: 0
Comments: 164

Comments · 164

  1. Re:CD-ROM encryption on GBDE-GEOM Based Disk Encryption on FreeBSD · · Score: 1

    (LOL - I thought I recognised the attitude from sci.crypt ;)).

    This seems like a "solution to a problem that doesn't exist".

    Really? Well some companies (PGP, SecurStar, BestCrypt, SafeBoot etc) make a lot of money out of selling commercial products that perform OTFE. The LOOPAES / CryptoLoop mailing lists seem to be pretty busy too.....

    Don't confuse "Tom doesn't have a need for this kind of encryption" with "nobody needs this kind of encryption".

  2. Re:The ever increasing mobility of computers? on GBDE-GEOM Based Disk Encryption on FreeBSD · · Score: 2, Interesting

    Is this encryption deniable?

    Yep - as per the paper, this encryption is deniable (that's to say there is no way of showing that the container file or partition is an encrypted volume without having the passphrase). Thinking of a good reason why you've got a very high entropy 2.5Gb file/partition when the cops kick the door down could be interesting though ;)

  3. Re:One shuffle? on GBDE-GEOM Based Disk Encryption on FreeBSD · · Score: 1

    I believe it's an open question (see e.g. here)

  4. Re:They say they're using RSA.. on GBDE-GEOM Based Disk Encryption on FreeBSD · · Score: 2, Informative

    Nah, that's a typo. Read further into the paper and you can see they mean SHA2/512 rather than RSA2/512.

  5. Re:That is very interesting on GBDE-GEOM Based Disk Encryption on FreeBSD · · Score: 1

    It uses sector numbers as IV.

    Granted, that's not great (but the risk is mitigated by using a random encryption key anyway). Note that GBDE uses a static (all zero!) IV - even worse!

  6. Re:Interoperability issues on GBDE-GEOM Based Disk Encryption on FreeBSD · · Score: 2, Informative

    Windows XP also has it.

    Only with the addition of 3rd party products (ScramDisk, PGPDisk, DriveCrypt, BestCrypt etc) - the built-in encryption ISN'T drive encryption, but file encryption...

  7. Random comments... on GBDE-GEOM Based Disk Encryption on FreeBSD · · Score: 4, Interesting

    (Full disclosure: I've been involved with the Win32 Scramdisk project in the past)

    Hhhm, this is pretty interesting. I am not aware of any other disk encryption program (Scramdisk, DriveCrypt, LoopAES, PGPDisk, BestCrypt etc) that offers sector remapping. It's useful because it prevents standard disk structures from being exploited in a known plaintext attack (note: with current knowledge, this is only a theoretical weakness with AES anyway).

    Apart from that it looks a pretty standard On-The-Fly-Encryption (OTFE) system. It does appear to be slightly more complex than most programs, but this is offset by the peer review from (at least...) two very well respected cryptographers - Dr David Wagner and Lucky Green. I am not aware of any of the other OTFE systems being reviewed by anyone half this competent.

    Last paragraph of 6 says "RSA2/512" should read SHA2/512.

    I'd personally be worried about the use of a static (zero!) IV. I know the key is random, but.....Oh well, if Dr Wagner has peer reviewed it then this can't be much of an issue.

    From the paper: "A truly paranoid setup would leave the computer configured to boot the Windows system by default, and locate the GBDE data in such a way that it would be destroyed by the act of doing so."

    It's likely this wouldn't work - the first thing a half-competent adversary would do is image all disks in a system before booting....It's forensic 101.

  8. Re:I have the solution to spam. on Anti-Spammers DDoSed Out Of Existence · · Score: 2, Insightful

    Instead of outlawing spamming, outlaw the purchase of products advertised with spam.

    Sounds like a great way of killing competition - companies would just send spam pretending to be from companies with similar products.

  9. Oh yeah..... on Quantum Cryptography Gets Nanotube Boost · · Score: 3, Interesting

    RSA and Elliptic Curve wouldn't stand a chance against this unbreakable encryption

    Oh yeah, that cheap and easy cryptography technology that can be performed on a CPU in a wristwatch or smartcard and can be used for encryption, signing, PKI infrastructure, n of m schemes etc will be instantly replaced by a system that's only good to transmit bits with a guarantee that the recipient will be able to detect if someone else is reading the traffic. Yawn.

  10. Re:MD5 Cannot stand up in court. on RIAA Tracking Songs by MD5 Hashes · · Score: 1

    And how will you do that? It will take 2^127 steps of effort.

    People have found collisions in the compression function, not the complete hash function - it has never been shown how to create a new string/file that hashes to the same value as an existing MD5 hash.

  11. Re:MD5 Cannot stand up in court. on RIAA Tracking Songs by MD5 Hashes · · Score: 1

    "The md5 hashing algorithm has been proven to contain flaws allowing two files to produce identical md5 sums."

    You missed two important words at the end of the sentence "in theory".

    Whilst MD5 is theoretically insecure (and its use in most situations where the birthday paradox applies is frowned upon by cryptographers) I don't believe that a collision in the full hash function has been shown in practical terms. Besides - is it a good use of a few hundred days of horsepower on a few hundred machines to fake an illegal song?! ;)

    I've got an old (but still relevant) description of the MD5 flaw here.

    The trivial fix for RIAA is to use SHA1 as a hash.....Or just produce a business model that makes sense...

  12. Re:Big win for Linux! on IBM Clinches Security Certification for Linux · · Score: 1

    XP is a desktop OS, and hardly needs security certification of that level.

    I guess you haven't implemented too many systems on classified networks then? The client devices are generally implemented to the same or higher standards and criteria as servers (which is why there are products like Windows 2000 SE etc).

    Most environments implement more stringent controls on desktop devices because these are generally more accessible (e.g. on people's desks with only a lock to protect, rather than in a very controlled/guarded server room).


  13. Re:patch me up baby! on DirectX Flaw Leaves Windows Vulnerable · · Score: 1

    You don't understand the difference between something happening automatically when a user hits an URL and the user having to initiate an action?

    Have you thought about the dozens of HTML only spams that people get that never get clicked on but are susceptible to this bug?

    Thank god for ACs ;)

  14. Re:patch me up baby! on DirectX Flaw Leaves Windows Vulnerable · · Score: 2, Informative

    Regular old links need the users to click on a link whereas BGSOUND doesn't require user interaction. Not sure if Object tag / embedded media player can embed in the same way for Outlook / OE based e-mails (I would hope that the users get some kind of prompt, but knowing MS...).

  15. Re:Wha... on DirectX Flaw Leaves Windows Vulnerable · · Score: 1

    ...But I don't think...

    Maybe discussing security isn't the right place for you to not be sure about something? Maybe you could check with Microsoft and tell us all definitively that IE does indeed use DirectShow to play MIDI files.

  16. Re:patch me up baby! on DirectX Flaw Leaves Windows Vulnerable · · Score: 5, Insightful

    What's so special about this flaw?

    Are you brainwashed by how many flaws like this we see? This allows a malicious adversary to craft a web page (for IE) or e-mail (for OE / Outlook) that would allow the adversary to execute arbitrary programs in that users context.

    The point isn't that an update is out already, it's that there will remain god knows how many tens of millions of computers vulnerable to this flaw for a long time. Not only will those machines be hacked and taken down, but someone will most likely produce an exploit that turns the machines into a DDoS client, or an SMTP relay for spam, or...You get the idea. In the end it pisses over the rest of the Internet community.

    And it's all thanks to shite security engineering in MS and non-conformance to standards (the MIDI playing is caused by a non-W3C HTML tag "BGSOUND").

  17. Re:Wow actually going against people who broke the on RIAA Warns Individual Swappers · · Score: 1

    Why the quote marks, dude? They *did* break the law.

    Presumption of innocence? How do you know they downloaded music (who cares what the file name is) or weren't downloading music that they already own on CD?

  18. Re:Even better, you can still download the code... on The Power Behind the SCO Nuisance · · Score: 1

    Stop arguing the point! The instructions for using MD5 to compare the source code were given yesterday as a way of determining the matching code without violating the NDA. The inquirer article.

    The point is: the instructions on Inquirer are flawed - they don't take into account the inevitable changes in white space or trivial function/variable name changes.

    If you'd have bothered to read his post, you'd have seen that he presents a solution too: tokenise all of the variables, remove white space etc and then do the block by block MD5 compare.


  19. Re:Contracs on Defense Dept. Memo Explains Open Source Policy · · Score: 5, Insightful

    With Microsoft, and under contract, you know that's going to happen.

    Sorry - no you don't. Microsoft have previously claimed that Windows NTv4 is being supported for security hotfixes until 30 Jun 04 (see here) but then failed to fix a serious RPC based DoS attack.

    I should imagine this pisses "secure" government sites off quite a bit - they have been promised security fixes for another year now and then get shafted because MS claim that NTv4 "does not support the changes that would be required to remove this vulnerability".

    At least with OSS users are capable of fixing the problem themselves (or paying for it, or using a general release patch etc).

    But there are hidden costs that you just don't always see.

    Yep - and what are the costs of upgrading all of the Windows NTv4 to Windows 2000 servers to avoid this security bug?

  20. Re:Wait a minute...they can't do that! on AOL Pulls Nullsoft's WASTE · · Score: 4, Informative

    Yep, certainly was. I guess the AOL lawyers have finally found a strategy to try and put the genie back in the bottle.

    Of course, the following disagree ;)


    http://www.sifnt.net/waste.zip
    http://forums.winamp.com/showthread.php?threadid=137077
    http://www.dhorrocks2003.pwp.blueyonder.co.uk/waste-setup.exe
    http://slackerbitch.free.fr/waste/waste-source.tar.gz
    http://edwards.servehttp.com:969/waste/
    http://scriptingnews.userland.com/2003/05/30#When:2:48:46PM
    http://www.dhorrocks2003.pwp.blueyonder.co.uk/
    http://www.virtuelvis.com/temp/waste-source.tar.gz
    http://www.blibbleblobble.co.uk/
    http://cyber.law.harvard.edu/blogs/gems/home/waste.zip
    http://www.cleanstick.org/jon/junk/waste-source.tar.gz

    And add to that my mirror http://www.samsimpson.com/waste-source.tar.gz

  21. Re:Wait a minute...they can't do that! on AOL Pulls Nullsoft's WASTE · · Score: 3, Interesting

    Erm, the link provided in the story e.g. here

  22. Re:Any other way? on Apple Sells A Million Songs in Debut Week · · Score: 1

    Mental note: Must remove the +1 Karma boost for new posters ;)

  23. Comments from an ex-Caldera employee on IBM Denies Charges of Unix Theft · · Score: 4, Insightful

    I like Christoph Hellwig's (ex-Caldera employee) comments on the Linux Kernel Mailing List 02 May 2003 06:44, in part:

    "It might be more interesting to look for stolen Linux code in Unixware, I'd suggest with the support for a very well known Linux filesystem in the Linux compat addon product for UnixWare.."

    Let's hope the FSF sue SCO for infringement of the GPL. For a billion dollars. I'm sure IBM lawyers would lend a helping hand! ;)

  24. Definitive Crypto Books... on Practical Cryptography · · Score: 3, Informative

    I can't comment on Practical Cryptography as Wiley haven't yet shipped my pre-ordered copy of the book, grumble.....

    BUT I can recommend 2 books that any person interested in implementing cryptography should have on their shelf:

  25. Re:Too expensive? on Practical Cryptography · · Score: 1

    I totally agree - AC2 was well worth the money. FWIW AC2 was available in hardcover - Amazon still sell it at an unpleasant 85USD!