Re: some encryption questions

mgraffam@idsi.net
Wed, 24 Mar 1999 12:28:14 -0500 (EST)

• Next message: Vin McLellan: "Georgoudis on AES2, Day 2, Rome (FW)"
• Previous message: Peter Gutmann: "cryptlib 2.1 final beta released"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"

On Wed, 24 Mar 1999, Adam Shostack wrote:

> | 1) is it better to save the salt to a different file, or can I just save
> | it as the first bytes of the file? And you proposed using /dev/random but
> | that makes gpasman non-portable since that's not available on all unix
> | platforms, what about using rand() ?
>
> Makes little difference for a seed. Using srand() is ok, I'd use a
> if (! open(/dev/random) {sseed(); srand();} sort of thing.

Try to stay away from rand().. there is no reason to use it, and if you
are arguing portability, you have to face the fact that some UNIX rand()'s
are buggy.. in which case you implement a secure random-bit generator
like Yarrow, or use a cascaded hash function, or whatever.

Or.. let the user specify a file containing random bits. This way if
/dev/random doesn't exist, they can use some user-space code to create
a pool of random bits for themselves, with a cron entry mixing it up
for them.. or whatever.. how about a named pipe talking to a daemon that
grabs environmental info and hashes it up.. might make for a usable
user-space replacement for /dev/random on other Unices.

> | 2) is it possible with the current algorithm to check whether the password
> | (and the decryption) was correct or not?
>
> The difficulty with doing this is that if you have something in the
> ciphertext that is known, then you have a known plaintext attack. You
> may be able to get by this by putting in a bunch of pseudo random
> crap, and storing the md5 of that in plaintext. To confirm your
> decrypt, you md5 the first 128 bits of decrypted ciphertext, and if
> that matches what you've stored, you're ok.

I'd hash the entire plaintext file, append the hash and encrypt the lot
of it. This gives you error detection, and makes brute force harder,
since you now have to spend CPU cycles decrypting the whole message,
rather than the first 128 bits.

Michael J. Graffam (mgraffam@idsi.net)
"Our merchants and master-manufacturers complain much of the bad effects
of high wages in raising the price, and thereby lessening the sale of
their goods both at home and abroad. They say nothing concerning the bad
effects of high profits. They are silent with regard to the pernicious
effects of their own gains." - Adam Smith, Wealth of Nations, Book I Chap. IX.

• Next message: Vin McLellan: "Georgoudis on AES2, Day 2, Rome (FW)"
• Previous message: Peter Gutmann: "cryptlib 2.1 final beta released"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"