gonzo cryptography; how would you improve existing cryptosystems?
Hi folks, If one had the ability to create standards over, with reckless disregard for performance, how would you improve their security? Feel free to pick a protocol or system (e.g. gpg or isakmp) and let me know how it is done, and how it should have been done. For example, pgp doesn't hide the key IDs of the addressees. Many systems use hashes that are too small. DSA keys are too small compared to large ElG keys. How would you make a signature with a larger keyspace? Does the protocol wrap encryption in authentication instead of vice-versa? Does ISAKMP do encryption where the input is meant to be secret, instead of the key? Does it use a rinky-dink algorithm, now that much better ones are available? I've got a hankering to re-write something, and I want to know what can be improved the most. PS: There's a paper on cryptanalyzing CFS on my homepage below. I got to successfully use classical cryptanalysis on a relatively modern system! That is a rare joy. CFS really needs a re-write, there's no real good alternatives for cross-platform filesystem encryption to my knowledge. -- http://www.lightconsulting.com/~travis/ -><- "We already have enough fast, insecure systems." -- Schneier & Ferguson GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Does ISAKMP do encryption where the input is meant to be secret, instead of the key?
I meant MAC, not encryption, sorry. Of course encryption inputs are secret. -- http://www.lightconsulting.com/~travis/ -><- "We already have enough fast, insecure systems." -- Schneier & Ferguson GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
On Fri, 4 Nov 2005, Travis H. wrote:
PS: There's a paper on cryptanalyzing CFS on my homepage below. I got to successfully use classical cryptanalysis on a relatively modern system! That is a rare joy. CFS really needs a re-write, there's no real good alternatives for cross-platform filesystem encryption to my knowledge.
Take a look at ecryptfs before rewriting cfs: http://sourceforge.net/projects/ecryptfs -J
On Fri, 4 Nov 2005, Travis H. wrote:
PS: There's a paper on cryptanalyzing CFS on my homepage below. I got to successfully use classical cryptanalysis on a relatively modern system! That is a rare joy. CFS really needs a re-write, there's no real good alternatives for cross-platform filesystem encryption to my knowledge.
On Mon, 7 Nov 2005, Jason Holt wrote:
Take a look at ecryptfs before rewriting cfs:
Nice, but linux-only and requires special kernel support. cfs supports lots and lots of different OSs and doesn't require kernel modes. So far as I know, in this regard cfs is unique among cryptographic filesystems. ciao, -- -- Jonathan Thornburg <jthorn@aei.mpg.de> Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut), Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam
Nice, but linux-only and requires special kernel support. cfs supports lots and lots of different OSs and doesn't require kernel modes. So far as I know, in this regard cfs is unique among cryptographic filesystems.
The only thing close that I've seen is Bestcrypt, which is commercial and has a Linux and Windows port. I don't recall if the Linux port came with source or not. I had problems with the init script hanging the boot process, or at least delaying it significantly, so I uninstalled it until I could devote the time to analyze what was going on. Right after installation I tried using it to read a container copied from a corrupted Windows machine, but was not successful. It is unclear to me if this was due to the corruption which occured, or some kind of incompatibility between the Windows and Linux ports. -- http://www.lightconsulting.com/~travis/ -><- "We already have enough fast, insecure systems." -- Schneier & Ferguson GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
On Tue, Nov 08, 2005 at 05:58:04AM -0600, Travis H. wrote:
The only thing close that I've seen is Bestcrypt, which is commercial and has a Linux and Windows port. I don't recall if the Linux port came with source or not.
http://www.truecrypt.org/ "TrueCrypt Free open-source disk encryption software for Windows XP/2000/2003 and Linux Main Features: * It can create a virtual encrypted disk within a file and mount it as a real disk. * It can encrypt an entire hard disk partition or a device, such as USB memory stick, floppy disk, etc. * Provides two levels of plausible deniability, in case an adversary forces you to reveal the password: 1) Hidden volume (more information may be found here). 2) No TrueCrypt volume can be identified (TrueCrypt volumes cannot be distinguished from random data). * Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent (256-bit key), Triple DES, and Twofish (256-bit key). Supports cascading (e.g., AES-Twofish-Serpent). * Based on Encryption for the Masses (E4M) 2.02a, which was conceived in 1997. Further information regarding the features of the software may be found in the documentation." "Complete source code (in C) of the latest stable version of TrueCrypt for all supported operating systems and all supported hardware platforms" are available from http://www.truecrypt.org/downloads.php /Thomas -- [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
On 4 Nov 2005, at 5:23 PM, Travis H. wrote:
For example, pgp doesn't hide the key IDs of the addressees.
But OpenPGP does. Here's an extract fro RFC 2440: 5.1. Public-Key Encrypted Session Key Packets (Tag 1) [...] An implementation MAY accept or use a Key ID of zero as a "wild card" or "speculative" Key ID. In this case, the receiving implementation would try all available private keys, checking for a valid decrypted session key. This format helps reduce traffic analysis of messages. Now, there has been much discussion about how useful this is, and there are other related issues like how you do the UI for such a thing. But the *protocol* handles it. You might also want to look at the PFS extensions for OpenPGP: <http://www.apache-ssl.org/openpgp-pfs.txt> and even OTR, which is very cool in its own right (and is designed to take care of the sort of edge conditions all of these other things have): <http://www.cypherpunks.ca/otr/> Jon
participants (5)
-
Jason Holt -
Jon Callas -
Jonathan Thornburg -
Thomas Sjögren -
Travis H.