Message-ID: <200404080202.i3822p506949@singularity.tronunltd.com>
From: Ian.Latter at mq.edu.au (Ian Latter)
Subject: On PGP (was: Wiretap or Magic Lantern?)

Other presumptions include:
    - the "cracker" not having access to specialist hardware.
    - faith that the cipher is not subject to attacks targeted at
       the underlying algorithm(s)

Risk Management 102 subjects include:
 "Crypto only buys time (in an unknown but diminishing quantity)"


----- Original Message -----
>From: "Tremaine Lea" <tremaine.lea@...b.ca>
>To: <full-disclosure@...ts.netsys.com>
>Subject:  RE: [Full-Disclosure] On PGP (was: Wiretap or Magic Lantern?)
>Date: Wed, 07 Apr 2004 12:57:10 -0600
>
> To assume a gov't agency with the resources of the NSA is unable to read
> PGP/GPG encrypted mail is sheer folly.  All discussion to date is based
> around the assumption that you are attempting to brute force an individual
> message in the classical sense of brute force.
> 
> 1: encrypted message
> 2: attempt brute force until it breaks or you get tired of waiting and give
> up.
> 
> 
> The above and classic use of brute force ignores a critical factor.  The NSA
> and others have the resources to have cycles spent doing nothing but brute
> force style attacks, and the storage to *store the results*
> 
> The failure thus far has been in throwing out results that didn't match the
> specific message one was attempting to crack.  If on the other hand the
> systems are used to brute force and store its resulting attempts, the
> results that failed for one message may be successful for another, and
> obviate the need to actively crack that specific message at the time it's
> presented.
> 
> Tremaine
> 
> > -----Original Message-----
> > From: Feher Tamas [mailto:etomcat@...email.hu] 
> > Sent: Wednesday, April 07, 2004 9:57 AM
> > To: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] On PGP (was: Wiretap or Magic Lantern?)
> > 
> > Hello,
> > 
> > >>The terrorists are not stupid, they use strong encryption 
> > and there is 
> > >>proof that PGP repels NSA.
> > >
> > >What proof are you referring to? 
> > 
> > The case of the Italian comrades:
> > 
> > http://www.pcworld.com/news/article/0,aid,110841,00.asp
> > 
> > PGP Encryption Proves Powerful
> > by Philip Willan, IDG News Service, 26 May 2003
> > 
> > If the police and FBI can't crack the code, is the technology 
> > too strong?
> > 
> > Italian police have seized at least two Psion personal 
> > digital assistants from members of the Red Brigades terrorist 
> > organization. But the major investigative breakthrough they 
> > were hoping for as a result of the information contained on 
> > the devices has failed to materialize-- thwarted by 
> > encryption software used by the left-wing revolutionaries.
> > 
> > Failure to crack the code, despite the reported assistance of U.S. 
> > Federal Bureau of Investigation computer experts, puts a 
> > spotlight on the controversy over the wide availability of 
> > powerful encryption tools.
> > 
> > The Psion devices were seized on March 2 after a shootout on 
> > a train traveling between Rome and Florence, Italian media 
> > and sources close to the investigation said. The devices, 
> > believed to number two or three, were seized from Nadia 
> > Desdemona Lioce and her Red Brigades comrade Mario Galesi, 
> > who was killed in the shootout. An Italian police officer was 
> > also killed. At least one of the devices contains information 
> > protected by encryption software and has been sent for 
> > analysis to the FBI facility in Quantico, Virginia, news 
> > reports and sources said.
> > 
> > The FBI declined to comment on ongoing investigations, and 
> > Italian authorities would not reveal details about the 
> > information or equipment seized during the shootout.
> > 
> > Pretty Good Privacy
> > The software separating the investigators from a potentially 
> > invaluable mine of information about the shadowy terrorist 
> > group, which destabilized Italy during the 1970s and 1980s 
> > and revived its practice of political assassination four 
> > years ago after a decade of quiescence, was PGP (Pretty Good 
> > Privacy), the Rome daily La Repubblica reported. 
> > So far the system has defied all efforts to penetrate it, the 
> > paper said.
> > 
> > Palm-top devices can only run PGP if they use the Palm OS or 
> > Windows CE operating systems, said Phil Zimmermann, who 
> > developed the encryption software in the early 1990s. Psion 
> > uses its own operating system known as Epoc, but it might 
> > still be possible to use PGP as a third party add-on, a 
> > spokesperson for the British company said.
> > 
> > There is no way that the investigators will succeed in 
> > breaking the code with the collaboration of the current 
> > manufacturers of PGP, the Palo Alto, California-based PGP, 
> > Zimmermann said in a telephone interview.
> > 
> > "Does PGP have a back door? The answer is no, it does not," 
> > he said. "If the device is running PGP it will not be 
> > possible to break it with cryptanalysis alone."
> > 
> > Investigators would need to employ alternative techniques, 
> > such as looking at the unused area of memory to see if it 
> > contained remnants of plain text that existed before 
> > encryption, Zimmermann said.
> > 
> > Privacy vs. Security
> > The investigators' failure to penetrate the PDA's encryption 
> > provides a good example of what is at stake in the 
> > privacy-versus-security debate, which has been given a whole 
> > new dimension by the September 11 terrorist attacks in the U.S.
> > 
> > Zimmermann remains convinced that the advantages of PGP, 
> > which was originally developed as a human rights project to 
> > protect individuals against oppressive governments, outweigh 
> > the disadvantages.
> > 
> > "I'm sorry that cryptology is such a problematic technology, 
> > but there is nothing we can do that will give this technology 
> > to everyone without also giving it to the criminals," he 
> > said. "PGP is used by every human rights organization in the 
> > world. It's something that's used for good. It saves lives."
> > 
> > Nazi Germany and Stalin's Soviet Union are examples of 
> > governments that had killed far more people than all the 
> > world's criminals and terrorists combined, Zimmermann said. 
> > It was probably technically impossible, Zimmermann said, to 
> > develop a system with a back door without running the risk 
> > that the key could fall into the hands of a Saddam Hussein or 
> > a Slobodan Milosevic, the former heads of Iraq and 
> > Yugoslavia, respectively.
> > 
> > "A lot of cryptographers wracked their brains in the 1990s 
> > trying to devise strategies that would make everyone happy 
> > and we just couldn't come up with a scheme for doing it," he said.
> > 
> > "I recognize we are having more problems with terrorists now 
> > than we did a decade ago. Nonetheless the march of 
> > surveillance technology is giving ever increasing power to 
> > governments. We need to have some ability for people to try 
> > to hide their private lives and get out of the way of the 
> > video cameras," he said.
> > 
> > More Good Than Harm?
> > Even in the wake of September 11, Zimmermann retains the view 
> > that strong cryptography does more good for a democracy than 
> > harm. His personal website, PhilZimmerman.com, contains 
> > letters of appreciation from human rights organizations that 
> > have been able to defy intrusion by oppressive governments in 
> > Guatemala and Eastern Europe thanks to PGP. One letter 
> > describes how the software helped to protect an Albanian 
> > Muslim woman who faced an attack by Islamic extremists 
> > because she had converted to Christianity.
> > 
> > Zimmermann said he had received a letter from a Kosovar man 
> > living in Scandinavia describing how the software had helped 
> > the Kosovo Liberation Army (KLA) in its struggle against the 
> > Serbs. On one occasion, he said, PGP-encrypted communications 
> > had helped to coordinate the evacuation of 8,000 civilians 
> > trapped by the Serbs in a Kosovo valley. "That could have 
> > turned into another mass grave," 
> > Zimmermann said.
> > 
> > Italian investigators have been particularly frustrated by 
> > their failure to break into the captured Psions because so 
> > little is known about the new generation of Red Brigades. 
> > Their predecessors left a swathe of blood behind them, 
> > assassinating politicians, businessmen, and security 
> > officials and terrorizing the population by "knee-capping," 
> > or shooting in the legs, perceived opponents. Since 
> > re-emerging from the shadows in 1999 they have shot dead two 
> > university professors who advised the government on labor law reform.
> > 
> > Cracking the Code
> > Zimmermann is not optimistic about the investigators' chances 
> > of success. "The very best encryption available today is out 
> > of reach of the very best cryptanalytic methods that are 
> > known in the academic world, and it's likely to continue that 
> > way," he said.
> > 
> > Sources close to the investigation have suggested that they 
> > may even have to turn to talented hackers for help in 
> > breaking into the seized devices. One of the magistrates 
> > coordinating the inquiry laughed at mention of the idea. "I 
> > can't say anything about that," he said.
> > 
> > The technical difficulty in breaking PGP was described by an 
> > expert witness at a trial in the U.S. District Court in 
> > Tacoma, Washington, in April 1999. Steven Russelle, a 
> > detective with the Portland Police Bureau, was asked to 
> > explain what he meant when he said it was not 
> > "computationally feasible" to crack the code. "It means that 
> > in terms of today's technology and the speed of today's 
> > computers, you can't put enough computers together to crack a 
> > message of the kind that we've discussed in any sort of 
> > reasonable length of time," he told the court.
> > 
> > Russelle was asked whether he was talking about a couple of 
> > years or longer. "We're talking about millions of years," he replied.
> > 
> > [BTW: I read the ring was dismantled later, because one of 
> > the GSM mobile phones they used had to be repaired months 
> > earlier and the shop owner has preserved the telephone number 
> > they gave for notification when the unit is ready. His repair 
> > warranty sticker was found inside the confiscated phone and 
> > so the law enforcement contacted him. Parsing the telco's 
> > history log for calls to / from that single number revealed 
> > almost the entire cell's structure. So do yourself a favour 
> > and buy a disposable mobile phone next time! Unless you are 
> > an environmental terrorist of course...]
> > 
> > Sincerely: Tamas Feher.
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > 
> 

--
Ian Latter
Internet and Networking Security Officer
Macquarie University

