Java DES breaker?
Here's a thought: while Java isn't a workhorse performance wise, it's very simple for anyone with a half decent browser to use Java applets. Writing an implementation of DES in Java should be fairly easy, however it will run slow on most browsers. This performance drop will make it far easier for Joe Webuser to easily help break DES for us. Previous efforts at breaking DES and RSA have done quite well, but the number of people involved can be greatly increased if you tell someone just go to this page and leave your browser on overnight, every night. The applets would get a key range from the server, process them, and return a yeah or nay back for however far they manage to process before the user returns in the morning. With JIT's (Just In Time Compilers) and the sheer numbers of users that this can attract, the efforts at breaking weaker cyphers can be increased.
=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.| Ray Arachelian | "If you're gonna die, die with your|./|\.
..\|/..|sunder@sundernet.com|boots on; If you're gonna try, just |/\|/\
<--*-->| ------------------ |stick around; Gonna cry? Just move along|\/|\/
../|\..| "A toast to Odin, |you're gonna die, you're gonna die!" |.\|/.
.+.v.+.|God of screwdrivers"| --Iron Maiden "Die With Your Boots on"|.....
======================== http://www.sundernet.com =========================
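The server side of the scheme proposed in the message above (hand out a key range, accept a report of how far the client got), as an added example that is not part of the original thread. All names are hypothetical, the design (leases that expire, reissue of the unfinished tail, server-side re-check of a claimed key) is an assumption, and `is_key` stands in for a DES trial decryption against a known plaintext.

```python
import time

class KeyRangeServer:
    """Hands out key ranges and accepts partial-progress reports (hypothetical)."""

    def __init__(self, keyspace, chunk, lease_seconds, verify, clock=time.monotonic):
        self.keyspace, self.chunk = keyspace, chunk
        self.lease_seconds = lease_seconds
        self.verify = verify      # server-side re-check of a claimed key
        self.clock = clock
        self.next_start = 0       # first key never handed out
        self.pending = []         # unfinished (start, end) ranges to reissue
        self.leases = {}          # lease_id -> (start, end, deadline)
        self.next_id = 1
        self.searched = 0         # keys reported as tested and rejected
        self.found = None

    def _reclaim_expired(self):
        # A browser that was closed without reporting loses its lease.
        now = self.clock()
        for lease_id, (start, end, deadline) in list(self.leases.items()):
            if deadline <= now:
                del self.leases[lease_id]
                self.pending.append((start, end))

    def get_range(self):
        if self.found is not None:
            return None
        self._reclaim_expired()
        if self.pending:
            start, end = self.pending.pop(0)
        elif self.next_start < self.keyspace:
            start = self.next_start
            end = min(start + self.chunk, self.keyspace)
            self.next_start = end
        else:
            return None
        lease_id = self.next_id
        self.next_id += 1
        self.leases[lease_id] = (start, end, self.clock() + self.lease_seconds)
        return lease_id, start, end

    def report(self, lease_id, tested_up_to, found_key=None):
        lease = self.leases.pop(lease_id, None)
        if lease is None:
            return False          # unknown or expired lease: ignore the report
        start, end, _ = lease
        if found_key is not None:
            if start <= found_key < end and self.verify(found_key):
                self.found = found_key
                return True
            self.pending.append((start, end))   # bogus "yea": reissue the range
            return False
        if not start <= tested_up_to <= end:
            self.pending.append((start, end))
            return False
        self.searched += tested_up_to - start
        if tested_up_to < end:                  # user came back early
            self.pending.append((tested_up_to, end))
        return True

def client_session(server, is_key, budget):
    """One overnight browser session: test at most `budget` keys, then report."""
    job = server.get_range()
    if job is None:
        return None
    lease_id, start, end = job
    stop = min(end, start + budget)
    for key in range(start, stop):
        if is_key(key):
            server.report(lease_id, key, found_key=key)
            return key
    server.report(lease_id, stop)
    return None

def demo():
    secret = 1234                 # constructed toy key in a 12-bit keyspace
    check = lambda k: k == secret
    server = KeyRangeServer(2 ** 12, 512, 3600, verify=check)
    sessions = 0
    while server.found is None:
        client_session(server, check, budget=300)
        sessions += 1
    return server.found, sessions
```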
At 8:26 AM -0800 12/10/96, Ray Arachelian wrote:
While Java isn't a workhorse performance wise, it's very simple for anyone with a half decent browser to use java applets. Writing an implementation of DES in Java should be fairly easy, however it will run slow on most browsers. This performance drop will make it far easier for Joe Webuser to easily help break DES for us.
I have a client who needs strong crypto routines in Java. (They want to maintain the privacy of their customer's data when stored on the customer's disk.) They need the platform independence that Java provides. I would appreciate pointers to implementations. (BTW - I already know about the Systemics routines.) Thanks - Bill
-------------------------------------------------------------------------
Bill Frantz | I still read when I should | Periwinkle -- Consulting
(408)356-8506 | be doing something else. | 16345 Englewood Ave.
frantz@netcom.com | It's a vice. - R. Heinlein | Los Gatos, CA 95032, USA
Bill Frantz <frantz@netcom.com> writes:
I have a client who needs strong crypto routines in Java. (They want to maintain the privacy of their customer's data when stored on the customer's disk.) They need the platform independence that Java provides. I would appreciate pointers to implementations. (BTW - I already know about the Systemics routines.)
I think it would make much more sense to implement a CPU-intensive problem like DES in ActiveX. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
On Wed, 11 Dec 1996, Dr.Dimitri Vulis KOTM wrote:
Bill Frantz <frantz@netcom.com> writes:
I have a client who needs strong crypto routines in Java. (They want to maintain the privacy of their customer's data when stored on the customer's disk.) They need the platform independence that Java provides. I would appreciate pointers to implementations. (BTW - I already know about the Systemics routines.)
I think it would make much more sense to implement a CPU-intensive problem like DES in ActiveX.
Sure, if all you have on your desktop is a PC. Some folks happen to have Ultra-1's on theirs, and ActiveX won't work there. Besides, Just In Time compilers are doing quite well, even on PC's.
Ray Arachelian <sunder@brainlink.com> writes:
On Wed, 11 Dec 1996, Dr.Dimitri Vulis KOTM wrote:
Bill Frantz <frantz@netcom.com> writes:
I have a client who needs strong crypto routines in Java. (They want to maintain the privacy of their customer's data when stored on the customer's disk.) They need the platform independence that Java provides. I would appreciate pointers to implementations. (BTW - I already know about the Systemics routines.)
I think it would make much more sense to implement a CPU-intensive problem like DES in ActiveX.
Sure, if all you have on your desktop is a PC. Some folks happen to have Ultra-1's on theirs, and ActiveX won't work there. Besides, Just In Time compilers are doing quite well, even on PC's.
I happen to have a Sparc 20 box and a Linux box and a SCO box, and ActiveX won't work on any of those. I also work with a bunch of other equipment that's much faster than a PC, but doesn't run browsers. (Most of it is not connected to the 'net for security reasons, but that's besides the point.) If Bill's client is sure to run the platforms that MS IE runs on, then this is not a consideration. Interpreted FORTH bytestream (which is what Java is) may be "doing quite well" when drawing GUI gizmos and widgets, but it can't get anywhere near the performance of hand-optimized assembler that you can stick into ActiveX.
Dr.Dimitri Vulis KOTM wrote:
Ray Arachelian <sunder@brainlink.com> writes:
I happen to have a Sparc 20 box and a Linux box and a SCO box, and ActiveX won't work on any of those. I also work with a bunch of other equipment that's much faster than a PC, but doesn't run browsers. (Most of it is not connected to the 'net for security reasons, but that's besides the point.)
If Bill's client is sure to run the platforms that MS IE runs on, then this is not a consideration.
Interpreted FORTH bytestream (which is what Java is) may be "doing quite well" when drawing GUI gizmos and widgets, but it can't get anywhere near the performance of hand-optimized assembler that you can stick into ActiveX.
I do not see any reason why Java code cannot be compiled. I think that now there are java compilers available. Maybe even browsers will have smarts to compile code that they execute. - Igor.
On Wed, 11 Dec 1996, Igor Chudov @ home wrote:
I do not see any reason why Java code cannot be compiled. I think that now there are java compilers available. Maybe even browsers will have smarts to compile code that they execute.
I assume you mean compiling Java bytecode to native machine code. I don't know of any program that can do this, but Cygnus is developing a Java compiler that compiles Java to a stand-alone executable. Details at http://webhackers.cygnus.com/webhackers/projects/java.html . Mark
--
finger -l for PGP key PGP encrypted mail preferred. 0xf9b22ba5 now revoked
"Mark M." <markm@voicenet.com> writes:
On Wed, 11 Dec 1996, Igor Chudov @ home wrote:
I do not see any reason why Java code cannot be compiled. I think that now there are java compilers available. Maybe even browsers will have smarts to compile code that they execute.
I assume you mean compiling Java bytecode to native machine code. I don't know of any program that can do this, but Cygnus is developing a Java compiler that compiles Java to a stand-alone executable. Details at http://webhackers.cygnus.com/webhackers/projects/java.html .
It would be very foolish to touch any shit that comes out of Cygnus.
Vulis wrote:
"Mark M." <markm@voicenet.com> writes:
compiles Java to a stand-alone executable. Details at http://webhackers.cygnus.com/webhackers/projects/java.html .
It would be very foolish to touch any shit that comes out of Cygnus.
Why? (Specifically, I am about to try using a GCC port to WinNT, and I would like to know _why_ you think their work is shit). Petro, Christopher C. petro@suba.com <preferred for any non-list stuff> snow@smoke.suba.com
On Wed, 11 Dec 1996, Dr.Dimitri Vulis KOTM wrote:
I happen to have a Sparc 20 box and a Linux box and a SCO box, and ActiveX won't work on any of those. I also work with a bunch of other equipment that's much faster than a PC, but doesn't run browsers. (Most of it is not connected to the 'net for security reasons, but that's besides the point.)
Right, and Active X, if those machines were on the web, would not be supported.
If Bill's client is sure to run the platforms that MS IE runs on, then this is not a consideration.
Correct, however there is one thing you have forgotten... (next paragraph)
Interpreted FORTH bytestream (which is what Java is) may be "doing quite well" when drawing GUI gizmos and widgets, but it can't get anywhere near the performance of hand-optimized assembler that you can stick into ActiveX.
While ActiveX does support hand optimized assembler, there are Java JustInTime compilers which take JVM bytecodes and turn'em into raw assembler. They aren't hand optimized, they are natively compiled code, but they are native code nonetheless. A good optimizing compiler may not be 100% as cool and as fast as hand optimized code, BUT it'll be almost as fast. And Java will run on just about EVERY platform out there. And that is a bigger, more important point than a 10%-25% increase in power over non-optimized code. Besides, I'm not arguing AGAINST an ActiveX client, there's no reason why there can't be both Java and ActiveX clients out there since there is both a compatibility issue and a speed increase with ActiveX.
Ray Arachelian <sunder@brainlink.com> writes:
On Wed, 11 Dec 1996, Dr.Dimitri Vulis KOTM wrote:
I happen to have a Sparc 20 box and a Linux box and a SCO box, and ActiveX won't work on any of those. I also work with a bunch of other equipment that's much faster than a PC, but doesn't run browsers. (Most of it is not connected to the 'net for security reasons, but that's besides the point.)
Right, and Active X, if those machines were on the web, would not be supported.
That's what I said in line 1. Your point? (And of course if these machines were on the Web as servers, they could take advantage of ActiveX on clients.)
Interpreted FORTH bytestream (which is what Java is) may be "doing quite well" when drawing GUI gizmos and widgets, but it can't get anywhere near the performance of hand-optimized assembler that you can stick into ActiveX.
While ActiveX does support hand optimized assembler, there are Java JustInTime compilers which take JVM bytecodes and turn'em into raw assembler. They aren't hand optimized, they are natively compiled code, but they are native code nonetheless. A good optimizing compiler may
I've seen many Forth implementations, including pseudo-compilers similar to what you describe. They sure generated a lot of instructions and an occasional speed improvement over a simple-minded interpreter. Can it go out on the web and talk to arbitrary servers? Can it work with local files?
not be 100% as cool and as fast as hand optimized code, BUT it'll be almost as fast. And Java will run on just about EVERY platform out there. And that is a bigger, more important point than a 10%-25% increase in power over non-optimized code.
Where did the 10-25% figure come from? Of course, Ray works for Earthweb, who has a "special partnership" with SunSoft, and gets paid to badmouth competing products and push Java when it's clearly inappropriate.
On Thu, 12 Dec 1996, Dr.Dimitri Vulis KOTM wrote:
While ActiveX does support hand optimized assembler, there are Java JustInTime compilers which take JVM bytecodes and turn'em into raw assembler. They aren't hand optimized, they are natively compiled code, but they are native code nonetheless. A good optimizing compiler may
I've seen many Forth implementations, including pseudo-compilers similar to what you describe. They sure generated a lot of instructions and an occasional speed improvement over a simple-minded interpreter.
Forth!=Java. Test it before you speak.
Can it go out on the web and talk to arbitrary servers?
Sure it can, you just have to let your server act as a proxy and do a bit of work. An applet snarfed over the net can only talk to the server. But the server can talk to other servers.
Can it work with local files?
Not as an applet, but as an application, sure. Also why would you want a DES breaker to put stuff on the client's hard drive? It's far better in terms of security - both for the client and for the server to store'em on the server. In other words, you can't be lazy. You have to write a good server that will handle some of the legwork, but leave the DES to the client.
Where did the 10-25% figure come from?
Like I said - try it.
Of course, Ray works for Earthweb, who has a "special partnership" with SunSoft, and gets paid to badmouth competing products and push Java when it's clearly inappropriate.
Or maybe Ray knows what he's talking about BECAUSE of that same implication. :) As for inappropriate, ActiveX is inappropriate for most uses - any web page attachable code that when downloaded and executed can format your hard drive is inappropriate. Regardless of performance. Until Microsoft secures ActiveX in its own sandbox and doesn't allow it to access things it shouldn't, it's not cool. Anyhow, I will drop this topic here since it's becoming an ActiveX vs Java religious crusade and is inappropriate.
Ray Arachelian <sunder@brainlink.com> writes:
While ActiveX does support hand optimized assembler, there are Java JustInTime compilers which take JVM bytecodes and turn'em into raw assembler. They aren't hand optimized, they are natively compiled code, but they are native code nonetheless. A good optimizing compiler may
I've seen many Forth implementations, including pseudo-compilers similar to what you describe. They sure generated a lot of instructions and an occasional speed improvement over a simple-minded interpreter.
Forth!=Java. Test it before you speak.
Forth is close enough to Java to suffer from the same problem: the hacks you describe don't know when they look at your bytecode what a C compiler knows when it looks at a C program. They emit native machine language instructions that emulate the Java machine at run time and repeatedly resolve the references that a C compiler has resolved once at compile time. <a bunch of nonsense skipped>
Of course, Ray works for Earthweb, who has a "special partnership" with SunSoft, and gets paid to badmouth competing products and push Java when it's clearly inappropriate.
Or maybe Ray knows what he's talking about BECAUSE of that same implication. :) As for inappropriate, ActiveX is inappropriate for most uses - any web page attachable code that when downloaded and executed can format your hard drive is inappropriate. Regardless of performance.
Until Microsoft secures ActiveX in its own sandbox and doesn't allow it to access things it shouldn't, it's not cool.
Anyhow, I will drop this topic here since it's becoming an ActiveX vs Java religious crusade and is inappropriate.
The great Russian-Scottish poet Mikhail Yur'evich Lermotov said the following about the likes of Ray "Arsen" Arachelian: "Ty trus, ty rab, ry armyanin."
On Sat, 14 Dec 1996, Dr.Dimitri Vulis KOTM wrote:
The great Russian-Scottish poet Mikhail Yur'evich Lermotov said the following about the likes of Ray "Arsen" Arachelian: "Ty trus, ty rab, ry armyanin."
Clearly, it is impossible to communicate with you on any sane level, I think I will give up on you now. I mean, just what's the point? In the words of James Tiberius Kirk "Beam me up Scotty, no intelligent life down here."
Ray Arachelian writes:
The great Russian-Scottish poet Mikhail Yur'evich Lermotov said the following about the likes of Ray "Arsen" Arachelian: "Ty trus, ty rab, ry armyanin."
Clearly, it is impossible to communicate with you on any sane level, I think I will give up on you now. I mean, just what's the point? In the words of James Tiberius Kirk "Beam me up Scotty, no intelligent life down here."
Clearly, there's even less intelligent life down at Earthweb, given that their associate network administrator spammed the following rude flames:
]Actually, unlike you, I do feel sorry for you, for you truly have no life
]and have nothing better to do than to start flame wars and such. Do
]yourself a favor, get a real life. Go get off your fat ass and do
]something with yourself other than masturbating.
...
]You wouldn't know what a life is if one came up to you and bit you on your
]ass. Oh tell us oh great one, and what is it that you know? But spare us
]the flames and hate. We already know that you are an asshole, of that
]there is little doubt. What is at doubt is your degree, or is it a
]pedigree? Shower us with your knowledge if you have any, for it is
]apparent that dazzling us with your bullshit isn't working.
...
]And what by your definition is your level of life if all your output
]seems to be nothing more than flames and flame bait? How much of a loser
]are you to resort to anonymous daily warnings about Tim? Just how off
]topic and stupid was your message when you posted it? Just how many
]plates of pork and beans do you eat each day to keep up your inane level
]of flatulence?
...
]Apparently that "Doctorhood" of yours is good only for masturbatory self
]congratulations, and when nobody pays attention to it, you turn around and
]put others down so that in your opinion, such as it is, you come out
]smelling like roses. Buddy, I've news for you, you aren't fooling anyone.
]You are the total absolute embodiment of shit. No, before you
]congratulate yourself on your achievement of shithood, you aren't
]even human or dog shit, no. You are the essence of amoeba shit. The
]lowest of the low. You've a long way to go before you will ever achieve
]the status of high human shit. But I must admit, you certainly know how
]to strive for that goal. It's too bad you'll never be more than low
]grade microscopic shit though.
...
]And for that, you have my deepest condolences. At least I hope this
]comforts you in your lack of life, for assuredly you haven't much of one.
]At least at a minimum, if you get nothing else from this message, you'll
]get a tenth of an ounce of pity.
...
]And maybe someday, if you are really really good you might even achieve
]rat shitdom. Then we'll be real proud of you for being rat shit, but
]until that time, strive hard and work long hours. Hey, and when you reach
]rat shitdom and become emeritus ratus shitus, we'll throw you a party!
Does Earthweb honor Timmy May's "don't hire" list? Who are their clients?
On Sat, 14 Dec 1996 ichudov@algebra.com wrote:
Ray Arachelian wrote:
Until Microsoft secures ActiveX in its own sandbox and doesn't allow it to access things it shouldn't, it's not cool.
I do not understand how one can secure ActiveX.
Simple. Check out Windows NT, under NT you can write/run programs as services which log in as an account. When you do this, that service program is limited to the security restrictions of that account. If you're using the NTFS file system and give that account access only to one directory, it can't access anything but that directory. (If you're using FAT, this isn't true and the program can read/write/delete anything it wants.) Works quite well. It can be done under 95 but Microsoft will have to write a Sandbox Virtual Machine (a Virtual x86 session whose API's are filtered to prevent access to certain things like the file system, and disables direct I/O.) Not that easy under '95, but it already exists for NT. The problem is how to deal with DLL's. You don't know all features/functions of all DLL's. It may be possible to write a DLL that runs outside the sandbox and can act as a proxy to the file system, so it's iffy unless you limit the DLL's and services that ActiveX apps talk to, and make them all live inside the sandbox.
On Sat, 14 Dec 1996 ichudov@algebra.com wrote:
I do not understand how one can secure ActiveX.
Me neither! But the approach of requiring code signatures so you can at least break the fingers of whomever damaged your machine does have some merit.
sunder@brainlink.com (Ray Arachelian) writes:
Simple. Check out Windows NT, under NT you can write/run programs as services which log in as an account. When you do this, that service program is limited to the security restrictions of that account.
This is kind of like running servers in Unix as another user in a chrooted partition? That doesn't work, either.
On 16 Dec 1996, Nelson Minar wrote:
On Sat, 14 Dec 1996 ichudov@algebra.com wrote:
I do not understand how one can secure ActiveX.
Me neither! But the approach of requiring code signatures so you can at least break the fingers of whomever damaged your machine does have some merit.
And just where is this signature stored, hrmmm? On your hard drive? Real useful when the log is stored somewhere the nasty program can erase, no? Alternatively, a component can easily just modify your autoexec.bat to install a time bomb or do other things and you won't recall that two months ago you visited Billy Vulis's KOTM shop of spam. When was the last time you looked in your AUTOEXEC.BAT file?
Ray Arachelian writes:
Alternatively, a component can easily just modify your autoexec.bat to install a time bomb or do other things and you won't recall that two months ago you visited Billy Vulis's KOTM shop of spam. When was the last time you looked in your AUTOEXEC.BAT file?
Ray "Arsen" Arachelian, the associate network administrator at Earthweb, continues to post lies about me. Who are Earthweb's other major clients, besides the Museum of Natural History (yech, what an ugly Web site)?
At 10:29 AM -0800 12/11/96, Dr.Dimitri Vulis KOTM wrote:
If Bill's client is sure to run the platforms that MS IE runs on, then this is not a consideration.
My client is interested in Java for its cross-platform strengths. I think that modern machines are fast enough to encrypt the amount of data involved even running interpreted Java (assuming something like 3DES). JITs will only help. I see no need for assembly level coding for my client's application. (I certainly do see a need for assembly code in the DES crack attempt.)