lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <optid.5781d06f6e.5248F474-DAF2-4BAC-A1B1-54E3B33DDD3F@hammerofgod.com>
Date: Mon, 14 Jun 2010 07:21:29 -0700
From: "Thor (Hammer Of God)" <thor@...merofgod.com>
To: "<noloader@...il.com>" <noloader@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Introducing TGP...

I must have written it poorly. I never use the hash for authN, only to  
make any tamporing with keys evident. I'm not sure it is a requirement  
(pgp doesn't even bother making these checks) but I wanted to be extra  
careful :)



On Jun 14, 2010, at 1:22 AM, Jeffrey Walton <noloader@...il.com> wrote:

> Hi Thor,
>
> I'm probably splitting too fine a hair here...
>
> The SHA256 hashing of the private key may not result in authenticity
> assurances on the key (if I'm reading it correctly). I believe that's
> an Athenticate-then-Encrypt scheme, and the details of the
> interactions in AtE can be tricky. Hugo Krawczyk evaluated similar AtE
> systems (for example, SSL) in The Order of Encryption and
> Authentication for Protecting Communications. The two AtE schemes
> which are provably secure are (1) a block cipher operated in CBC mode,
> and (2) stream ciphers which XORs data with a pseudorandom pad.
>
> I can see where the hash might satisfy the psuedo random pad, but I
> don't see the stream cipher in the equation. Perhaps a more
> traditional Encrpyt-then-Authenticate (for example, IPSec) might be
> useful for TGP.  [At least TGP is not using Authenticate-and-Encrypt,
> which Krawczyk proved insecure (for example, early SSH)].
>
> If your using SHA-256 as the PRF of a KDF, then TGP might be reducing
> the security of the system protecting the private assymmetric key (I'm
> presuming AES-256 was chosen for a reason). AES-256 provides a
> security level of ~2^255, while SHA-256 provides ~2^128. Its mostly a
> theoretical observation: I'd attack the password/passphrase before
> attempting pre-image attacks on the hash. [After all these years,
> SHA-160 has only been reduced to ~2^50 from a theoretical 2^80, and
> 2^50  is still beyond my reach].
>
> Jeff
>
> On Sun, Jun 13, 2010 at 5:44 PM, Thor (Hammer of God)
> <Thor@...merofgod.com> wrote:
>>
>> This is what I’ve been talking about... Here is the first part of  
>> the docs I wrote up - make sure you see that I'm not yet supportin 
>> g huge files unless you have huge RAM.  **.Net 4.0 Client profile  
>> is required to run this.**
>>
>> Right now the install bits are only available on the pilot site at: http://www.owa.hammerofgod.com 
>>  in the downloads section.   I have to wait on Raging Haggis to  
>> return from Canada before posting on www.hammerofgod.com .
>>
>> Here's a bit from the TGP Overview document included with the  
>> install and on the web site.  Please read through it before asking  
>> silly questions. :)
>>
>> Also, feel free to hack it up as much as you would like.  I know  
>> this is full disclosure, so feel free to zing them at me, or if you  
>> prefer, I can work with you on any issues you might have
>>
>> Remember, this is totally free, so my ability to handle custom  
>> requests will be limited.  For those looking to break it, I would  
>> look at fuzzing the XML documents and the "drag and drop public  
>> XML" parsing feature.
>>
>> If you have questions or challenges about any of the security, I  
>> would ask to keep it on the list so that everyone can get the full  
>> benefit of productive security development.   The read-me should  
>> pretty much lay everything out for you.  If not, we'll take it up  
>> from there.
>>
>> t
>>
>>
>>
>>
>>
>> TGP – “Thor’s Godly Privacy”
>>
>> 06/13/10 v1.1.06
>>
>>
>>
>> TGP is a small yet very powerful encryption utility.  With all eyes  
>> on “the cloud,” I decided to write an encryption application  
>> better suited to an environment where portability and security wer 
>> e, at the least, challenging.   In cloud computing, not only is th 
>> e use of file structures becoming more abstract, but the very conc 
>> ept of a “file server” is becoming more and more ubiquitous.
>>
>>
>>
>> As such, I designed TGP with “encryption for the cloud” in  
>> mind.  That means that not only does TGP do everything your normal 
>>  PGP-type applications do, but it does things a bit differently –  
>> differently in a way that can change the way you work with your en 
>> crypted data.  At the simplest level, this is done by encrypting d 
>> ata into byte arrays, and then converting those byte arrays into B 
>> ase64 encoded text wrapped inside XML tags.  In this way, not only 
>>  do you get your typical file-based encrypted representation of yo 
>> ur data, but you also get data that you can copy and paste directl 
>> y into any email, mailing list, blog-page, or social networking site.
>>
>>
>>
>> What I think is interesting about this is that if we choose to, we  
>> no longer have to be the custodians of our encrypted data – we don 
>> ’t have to worry about actually housing the files: we can just pos 
>> t them to the internet and let someone else assume the burden of s 
>> toring the files for us.
>>
>>
>>
>> If I want to share encrypted files with someone or secure my own  
>> files, all I have to do is TGP encrypt the data I want, and post it  
>> to a mailing list somewhere.  In the case of a list like Bugtraq or  
>> Full Disclosure, the data is actually automatically replicated out  
>> to any number of archive sites, thus distributing my data for me.   
>> I can literally be anywhere in the world and just do a quick search  
>> for my post to retrieve my data.  And since the TGP public key  
>> files are also text representations of encrypted key data, I can do  
>> the same with my keys.
>>
>>
>>
>> Normally, you want to keep your private keys as safe as possible.   
>> This is still the case with TGP.  However, it is trivial to build  
>> as many private keys as you wish to use for anything you want to  
>> use them for.  TGP Private Key files are password protected and  
>> individually salted, so with a strong passphrase you have very  
>> reasonable assurance that no one is going to get to your key any  
>> time soon.  So, you can create a private key with a strong  
>> password, post that, and then, say, encrypt a scan of your passport  
>> and post that.  Then if you are ever in a pinch while travelling or  
>> something like that, you can simply use Google or Bing to access  
>> your data wherever you are.
>>
>>
>>
>> Of course, that’s just an example, but I think it illustrates the  
>> power of encrypted file structures like this.  You can literally u 
>> se Facebook to post encrypted documents that you don’t have to mai 
>> ntain.
>>
>>
>>
>> That’s really the main different between TGP and an application li 
>> ke PGP.  That and of course, TGP is free, and personally, I think  
>> PGP is tardware.  It’s bloated, it’s far too expensive, it’s  
>> hard to use, and if you don’t watch your licensing, you can get sc 
>> rewed hard like I did when I didn’t want to buy the extended suppo 
>> rt and one day my encrypted drives stopped working until I paid th 
>> em.  That doesn’t fly.  TGP also doesn’t require that you are an  
>> admin to install.  However, the .NET installer for the 4.0 client  
>> profile does – that’s not my doing.  Regardless, here are the  
>> file structures TGP uses:
>>
>>
>>
>> Things that still suck about TGP
>>
>> Currently TGP uses a memory stream for the destination of the AES  
>> cryptostream.  This sucks because it makes the maximum file one can  
>> encrypt based on available memory.  It’s not a huge deal, but it d 
>> oes keep you from encrypting a gigabyte file.  I’ll be changing th 
>> at soon.
>>
>>
>>
>> Timothy “Thor” Mullen
>>
>> Hammer of God
>>
>> thor@...merofgod.com
>>
>> www.hammerofgod.com
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ