polymorphic cipher

Discussion in 'privacy technology' started by syncmaster913n, Apr 2, 2012.

Thread Status:
Not open for further replies.
  1. syncmaster913n
    syncmaster913n Registered Member

    Can you tell me what is your personal opinion about the giant block polymorphic cipher described here http://www.pmc-ciphers.com/eng/content/Backround-Info/Giant-Block-Size-Polymorphic-Cipher.html ?

    Please note that I am not trying to ask whether AES is flawed and whether other ciphers should be used instead of it. I am just curious about your opinion about the poly cipher itself, and whether its premise is sound. From my understanding it seems very reliable, but as a noob I am easy to fool with intelligent-sounding descriptions :)
    Last edited: Apr 7, 2012
  2. Hungry Man
    Hungry Man Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Also, just to add on to my last bit, cryptographic "flaws" can mean sooooo much. The tiniest thing can be called a flaw. There are inherent flaws to all cryptography because you cannot input infinite amounts of data and get infinite unique data out, there are always collisions. BDAY Attacks aren't really an issue anymore.

    The article you linked is interesting. I'm not a crypto expert, I really can't say whether what they claim is valid. I hope it is. I'll have to read the white paper and talk it over with some friends.

    EDIT: I personally prefer to partition areas for sensitive data and use multiple encryptions so as to create significant avalanche and entropy.
  3. syncmaster913n
    syncmaster913n Registered Member

    Cool, make sure to post back if you find out anything. Thanks!

    By the way just for clarity - tuatara already linked to this article earlier in this thread http://www.wilderssecurity.com/showpost.php?p=2036817&postcount=16 . I just passed it over from there since no one responded.

    Yeah I do the same.
    Last edited: Apr 7, 2012
  4. LockBox
    LockBox Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    This whole PMC thing gets old. It's generally considered pseudo-cryptography. The "challenges" they place on this board are the stuff of selling snake-oil out of the back of a wagon. Everybody knows these "challenges" to any one person are silly and unprofessional. They're more interested in marketing their products (understatement) than real science.

    This board gets inundated sometimes with their marketing and "interested users" asking questions and such. Pretty obvious.

    Unprofessional, imo.
  5. syncmaster913n
    syncmaster913n Registered Member

    If you have time, could you explain why it is considered pseudo-crypto? I'm finding it very hard to gather any information online on this cipher.
    Last edited: Apr 7, 2012
  6. LockBox
    LockBox Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    This guy has been pushing his polymorphic crypto for more than a decade.

    http://www.metzdowd.com/pipermail/cryptography/2002-December/003613.html

    Here's a couple of threads that show how badly he needs attention...

    http://www.wilderssecurity.com/showthread.php?t=285136
    (pay special attention to Justin Troutman's posts - he's a pro)

    http://www.wilderssecurity.com/showthread.php?t=307482

    More...

    Bruce Schneier in 2003:
    http://www.schneier.com/crypto-gram-0303.html#4

    Bruce Schneier in 2008:
    http://www.schneier.com/blog/archives/2008/10/new_attack_agai.html

    http://www.varioustopics.com/cryptography/440890-polymorphic-ciphers.html

    http://forums.windowsecurity.com/vi...ewresult&sid=1467c4bcd34299cd4313fdaf63cd56f8
  7. syncmaster913n
    syncmaster913n Registered Member

    Thanks a ton for all the links. Definitely made me think.
    Last edited: Apr 7, 2012
  8. x942
    x942 Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Exactly. There are ways to infer what was used based on external information. For example with a hidden volume if you don't use full disk encryption, the OS could (as Schneier has written about) reveal its existence.

    TC's Hidden OS has been fixed to prevent leaking (you can now only mount normal drives as read only and only hidden volumes as writeable).
  9. tuatara
    tuatara Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Just like others keep pushing AES 256 and I try to convince people to use
    some other encryption, or use a combination of algorithms, but not to use AES 256 only :D
  10. tuatara
    tuatara Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)


    Perhaps a good idea not to do the same, but to go technical in detail,
    and explain why it is not good, other than that one person said so.

    ;)
  11. berndroellgen
    berndroellgen Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    There are some people out there who work on alternatives to the mainstream crypto for everybody's use. Those guys will mainly be found in organizations who don't make their work public.
    But luckily there were people who did it in 2008:
    The Key Laboratory of Computer Network and Information Security of Xidian University, Xi'an 710071, People's Republic of China has been conducting research on Polymorphic Ciphers. The work is supported by the National Laboratory for Modern Communications Foundation of China under Grant No. 51436030105DZ0105, the National Natural Science Foundation of China under Grant No.60473029 (previously stated Grant No.: 60273084) as well as the Open Foundation of Beijing Institute of Electronic Science and Technology.

    I didn't help them. They just read my papers and they obviously see potential in this way to create ciphers. Personally I don't feel at ease with the fact that a country that regards encryption technology as highly illegal for public use is conducting research on polymorphic ciphers. On the other hand this clearly shows that some professionals are very well interested !
    You can be sure that this superpower has enormously clever citizens and they know very well what is interesting and what not. And above all: They appear to take their own decisions based on their own research.
    If they would take Mr. Almighty's disproportionate comments seriously, they would definitely not even read my white papers. Is it possible that Mr. Almighty and his fanclub hasn't had any news other than thousands of posts with "lovely comments" since at least a decade?

    I love that quote from Henry Ford, who certainly found it nice to get attention:
    "Ducks lay eggs discreetly, on the other hand a chicken makes noise so the whole estate can hear. What is the result? The whole world eats chicken eggs, just few use duck eggs."
    Last edited by a moderator: Apr 3, 2012
  12. tuatara
    tuatara Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Encryption is an important part of Security.
    So I think it is time to discuss other encryption algorithms as well now.
    What about if everybody here was using the same antivirus or even worse
    95 % was using the same antivirus, I don't think that is a good idea.
    Or that everybody is using the same brand of lock ..no not the same key :)

    Can anyone explain why AES 256 has no export restrictions in the US
    and stronger versions do?
    Especially since there MUST BE a backdoor in cloud solutions (although data stored encrypted ) etc. (see previous mail)
    ;) :D

    Not all non AES 256 modern encryption algorithms are bad are they ?

    I did some study on
    HC-128
    Rabbit
    Salsa20/12
    SOSEMANUK

    And the Polymorphic Cipher and I think I prefer them all above AES 256 , sorry..
    And I do have some doubts on why someone is bashing these products without some technical explanation?

    pfff I hope I don't have to end this thread because there are 2 men in black suits ringing on my doorbell :)
    Last edited: Apr 3, 2012
  13. syncmaster913n
    syncmaster913n Registered Member

    Question about TrueCrypt: is there a practical reason why AES is chosen as the default cipher when creating a container, and not, for example, AES-twofish-serpent? Isn't such a cascade inherently better than just AES alone, or is there something I'm missing?
    Last edited: Apr 7, 2012
  14. tuatara
    tuatara Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Lockbox,

    Why not give 1 (one) technical reason why Polymorphic encryption of Bernd is not better than AES 256?

    @Syncmaster:

    I would prefer a cascade, why not?
    In the early days performance could have been a reason not to do that.

    Although it might become very clear now that AES 256 only
    seems almost to be force-fed to us.

    Please search Google for file encryptors with a more recent encryption algorithm than AES, one that is made after 1999
    good luck !!
    :D
  15. syncmaster913n
    syncmaster913n Registered Member

    Lockbox removed his post, I think :)

    Yeah on the surface it seems a cascade is better, but I'd like to hear what others have to say as well. Thanks for your opinion :)

    As for finding software for encryption, you are right.. I tried to find software that would encrypt using any of the ESTREAM ciphers you mentioned above, and couldn't find any. So if you know one, especially for HC-128, let me know :)

    Btw, another question that comes to mind. Does it make absolutely any sense to have a 64 character-long ASCII random password to protect an AES container, or any other container that uses 128bit key? I mean, I can understand that having a password shorter than 20 characters is not a good idea, since it will always give us an entropy lower than 128bit, but once we exceed that entropy, wouldn't it make more sense for an attacker to simply target and brute force the cipher key?

    EDIT: nevermind, AES uses 256bit keys :p
    Last edited: Apr 7, 2012
  16. berndroellgen
    berndroellgen Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    to syncmaster913n:
    AES-twofish-serpent would be pretty mean as it could also be Serpent-AES-Twofish or any combination of AES or Twofish or Serpent or Magenta or almost whatever (similar) cipher.
    C.E. Shannon calls this a "Product encipherment" in his paper Communication Theory of Secrecy Systems, 1946. Every cipher takes advantage of this internally.
    Another possibility is a "weighted sum". Some encryption products let the user select one out of a number of ciphers. That's good because actually there's nothing wrong about that.
    Why not increasing the key length and letting an algorithm select a product of ciphers from a sum of ciphers? An attacker will most certainly get a nervous breakdown unless he's able to distinguish the products just by looking at the ciphertext only!

    This paper (and my own experience with the randomness of the output sequence of AES) made me suspicious about AES in this context:
    Orr Dunkelman, Nathan Keller. "A New Criterion for Nonlinearity of Block Ciphers", 2006
    http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.79.1248

    Increase in CPU time should be no issue. When I programmed TurboCrypt, there was a certain stage during which I needed to test the encryption driver that provides the OS with a virtual disk with and without encryption. To my astonishment there was NO difference in speed at all !!! The reason for this is that the driver typically waits for semaphores, mutexes or other synchronization objects (for the underlying physical memory device) to complete a read- or write operation.
    Finally it is always good to keep in mind that tiny ciphers like Twofish or AES Rijndael are supposed to run fast on cheap smart card chips having the computing power of a pocket calculator from the 70's or the past century.

    Another important advantage in using a product of ciphers (like AES-Twofish-Serpent):
    This commercial product breaks BitLocker and TrueCrypt:
    http://www.lostpassword.com/hdd-decryption.htm

    They do it by reading the Internal State of the cipher.
    What if there would be so many ciphers in the chain that it would be impossible to guess what specific "product" was actually chosen? (AES-RC6-Magenta-Serpent-Twofish- ....-Serpent-AES or Serpent-AES-Twofish-Serpent-Twofish- ....-AES-RC6 or .........)
  17. PaulyDefran
    PaulyDefran Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    You're a better man than me on Crypto :D But the above phrase lessens the "worriness" of that product. If an attacker can use this product on a mounted volume....you have bigger problems :D

    PD
  18. EncryptedBytes
    EncryptedBytes Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Oh yes the magical $1000 product works only if the drive is in a mounted unencrypted state. If the user has common sense and the drive is off, the program is just as effective as using JTR with brute forcing. That's not breaking the product at all... :rolleyes:
  19. x942
    x942 Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    So you're saying your PMC is immune to cold boot attacks and memory dumps? Where are those keys? They have to be in plaintext somewhere. That message just proves you know nothing about crypto. Those programs don't break anything, they dump RAM and search for keys. Computer off = no keys. Computer On = Game over anyways.
  20. tuatara
    tuatara Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    I have never used or even seen that tool but on their website I noticed:

    This seems interesting , I will test it soon ...

    Perhaps you must Google on the patents he filed and his background.

    It would be great if you would play the ball and not the person,
    in other words give some technical information on what is wrong with Polymorphic encryption.

    It seems clear that if you want to use, or introduce an alternative for AES 256
    it will not be appreciated.

    Just hypothesize and consider ..
    - What if AES 256 was broken, is it not good that there are multiple algorithms in use ?
    - What if someone really invented an extremely advanced and effective unbreakable cipher like Bernd claims (or someone else)
    how would one react? Would he be able to convince the users of these kind of software?
    - Are there groups or even governments that want to have all users to use just AES 256?
    - Why is it easy to find a product with a recent (this millennium) other antivirus engine and
    is it so difficult to find file or disk encryption sw without AES 256 or with a RECENT or NEW 'engine' ?
    - Why is everybody who thinks differently on this 'not informed' ?
    Last edited: Apr 4, 2012
  21. syncmaster913n
    syncmaster913n Registered Member

    What is serious about the software bruteforce'ing the password to an encrypted partition/container?
    Last edited: Apr 7, 2012
  22. Justin Troutman
    Justin Troutman Cryptography Expert

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Maybe that was the case during the competition, but even these days, they'll recommend the AES over their own designs; Ross Anderson (Serpent) and David Wagner (Twofish) are two great examples.
  23. Justin Troutman
    Justin Troutman Cryptography Expert

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    On a side note, I see talk of using Blowfish. The problem with this is the 64-bit block length, and it isn't specific to Blowfish by any means; this means that the birthday bound becomes an issue. That is, once you encrypt around 2^32 blocks, or 32GB, with a single key, you really start to leak information about the plaintext. Although the algorithm isn't insecure, I really can't think of a good cryptographic reason for using Blowfish over the AES.
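
The birthday-bound leak described in the post above, as an added example that is not part of the original thread. It assumes CBC mode (the post names no mode) and uses a constructed 16-bit toy Feistel cipher so the bound (2^8 blocks instead of 2^32) is reached instantly; all function names are hypothetical.

```python
import hashlib
import random

BLOCK_BITS = 16  # toy block size; the same argument applies to 64-bit blocks

def birthday_bound_bytes(block_bits):
    """Data volume at which about 2^(n/2) blocks were encrypted under one key."""
    return (1 << (block_bits // 2)) * (block_bits // 8)

def _round(key, rnd, half):
    # Keyed 8-bit round function for the toy Feistel network.
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def toy_encrypt_block(key, block):
    """4-round Feistel permutation on 16 bits. Constructed toy, not a real cipher."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 8) | right

def cbc_encrypt(key, iv, plaintext_blocks):
    """CBC: c_i = E(p_i XOR c_{i-1}) with c_0 = IV. Returns [iv, c_1, ...]."""
    out = [iv]
    for p in plaintext_blocks:
        out.append(toy_encrypt_block(key, p ^ out[-1]))
    return out

def find_leaks(ciphertext):
    """Uses ciphertext only. If c_i == c_j then p_i XOR p_j == c_{i-1} XOR c_{j-1},
    because E is a permutation. Returns (j, i, leaked_xor) tuples."""
    seen, leaks = {}, []
    for i in range(1, len(ciphertext)):
        c = ciphertext[i]
        if c in seen:
            j = seen[c]
            leaks.append((j, i, ciphertext[j - 1] ^ ciphertext[i - 1]))
        else:
            seen[c] = i
    return leaks

def demo(n_blocks=2000, seed=1):
    rng = random.Random(seed)  # constructed sample key, IV and plaintext
    key = bytes(rng.randrange(256) for _ in range(16))
    plain = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(key, rng.randrange(1 << BLOCK_BITS), plain)
    leaks = find_leaks(ct)
    # Ciphertext index k corresponds to plain[k - 1] (index 0 is the IV).
    correct = all(plain[j - 1] ^ plain[i - 1] == x for j, i, x in leaks)
    return len(leaks), correct

if __name__ == "__main__":
    print(birthday_bound_bytes(64) // 2**30, "GiB at the bound for a 64-bit block")
    print("leaked plaintext XORs, all verified:", demo())
```

With a 128-bit block the same bound sits at 2^64 blocks, which is why the concern applies to 64-bit block ciphers in general and not to Blowfish's design specifically.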
  24. EncryptedBytes
    EncryptedBytes Registered Member

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Members such as Justin Troutman, who have far more patience than I, have taken the time to address the "ball" and not the person, which discussions are even linked in this very topic.

    Give the alternative a valid vetting and prove itself and it could very well become a replacement. Simply patenting a method of implementation, releasing 'challenges' to break a file on small community boards, then declaring the product unbreakable is not the type of vetting we are talking about.

    There are multiple algorithms in use, AES can't be applied to everything.


    The thing about what if's is they can be about anything and are not really good arguments. What if the internet became illegal tomorrow, what if we found a way to do XYZ. While all are indeed possibilities, you need to limit your scope to the 'now', and the now is AES-256 is not broken yet, governments are still using it and lower keybits. Is that next encryption method being constantly researched? Yes, though to say AES is broken just because governments use it is not using logic.
  25. Justin Troutman
    Justin Troutman Cryptography Expert

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    In general, there's nothing wrong with proposing alternatives; new designs are meant to further along the state of the art. However, there's a way to go about it, and you've got to look to the cryptographic community for guidance on how new designs are presented. That, and patenting algorithms is the antithesis of widespread adoption.