polymorphic cipher

Discussion in 'privacy technology' started by syncmaster913n, Apr 2, 2012.

Thread Status:
Not open for further replies.
  1. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    I agree with this. However, isn't it also for the benefit of everyone and the 'community' as a whole, to take unproven new alternatives and put them to the test, without waiting for the designer to undertake the burden of proof? It seems to me that a lot of new opportunities might be missed by relying completely on the inventor to do this.

    I'm not saying this in relation to the PMC cipher, just in general.
     
    Last edited: Apr 7, 2012
  2. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Usually, the designer will write a paper that introduces a new design, how it works, why it's more efficient than existing designs, from where it derives its security, and so on and so forth. This paper will usually wind up in conference proceedings, or some other online publication (e.g., IACR's ePrint). Other cryptographers will read the paper and perform analysis; the more interest there is, the more analysis there will be. In the instance of the AES, there's a lot of interest, because it's the federal standard.

    The only way to put it to the test is to have other cryptographers look at it, look at it some more, and then look at it again. Hopefully, they'll write papers about it too. It can take a while, but if it's a good, useful design, it very well may make it into different standards -- or not. Either way, it will have earned its bones, so to speak.

    However, it's unwise to put anything into practice that hasn't gone through this process; it's prudent, and to the benefit of the community, to treat any new design as insecure until there's really good evidence that it's secure. Of course, just because we haven't found a weakness doesn't mean there isn't one, but the best we can do is gauge a design given the state of the art in cryptanalytical techniques.

    And lastly, we can't rely on the designer alone to show its security; they should provide a "proof" of security when proposing a new design, but outside analysis from the community is vital.
     
  3. x942

    x942 Guest

    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    The problem is this: You trust someone who clearly thinks a side-channel attack breaks encryption? Side-channel, by its very definition, does nothing of the sort. Dumping memory to extract encryption keys is a side-channel attack; it exploits a flaw in use, not in the encryption itself. There is no way to store an encryption key when in use besides in plain text. Because of this you can dump the key from RAM unless it's stored more securely (think IronKey or hardware encryption). The key is placed somewhere else, out of reach of software.

    Either way, challenge accepted. I am going to not only run this software through IDA Pro and reverse engineer it, I am also going to run multiple "encrypted files" through some randomness tests and see just how random it is.
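
The statistical tests x942 proposes above, as an added example. This is editor-supplied Go, not code from the thread or from any product discussed in it. It runs a byte-histogram chi-square test and a monobit test over three constructed inputs: a repeating-key XOR of English text, which fails; AES-128-CTR output under a fixed key and counter block, which passes; and two AES-CTR messages encrypted under the same key and counter block, which each pass the tests even though XORing the two ciphertexts yields the XOR of the plaintexts. The plaintexts, keys, function names and thresholds (chi-square below 400 for 255 degrees of freedom, |z| below 4) are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math"
	"math/bits"
)

// Constructed inputs for the demo; none of this comes from the thread or from
// any product under discussion. The key and counter block are fixed only so the
// run is reproducible; a real CTR nonce must never repeat under one key.
var (
	samplePlaintext  = bytes.Repeat([]byte("the quick brown fox jumps over the lazy dog. "), 100)
	samplePlaintext2 = bytes.Repeat([]byte("attack at dawn, bring the ledger. "), 100)
	demoKey          = []byte("0123456789abcdef") // AES-128 key, 16 bytes (assumed)
	demoNonce        = []byte("fedcba9876543210") // 16-byte CTR initial counter block (assumed)
	weakKey          = []byte("K3y!!")            // repeating XOR key (assumed)
)

// ChiSquareBytes is the chi-square statistic of the byte histogram against a
// uniform distribution (255 degrees of freedom: mean 255, std dev about 22.6).
func ChiSquareBytes(data []byte) float64 {
	var hist [256]int
	for _, b := range data {
		hist[b]++
	}
	expected := float64(len(data)) / 256
	chi := 0.0
	for _, n := range hist {
		d := float64(n) - expected
		chi += d * d / expected
	}
	return chi
}

// MonobitZ is the normalised bit-balance statistic (ones - zeros)/sqrt(n);
// |z| beyond about 3 indicates a biased bit stream.
func MonobitZ(data []byte) float64 {
	ones := 0
	for _, b := range data {
		ones += bits.OnesCount8(b)
	}
	n := 8 * len(data)
	return float64(2*ones-n) / math.Sqrt(float64(n))
}

// LooksRandom applies both tests with deliberately loose thresholds: 400 is
// more than six standard deviations above the chi-square mean, so genuine
// cipher output essentially never fails, while structured data fails by a
// wide margin.
func LooksRandom(data []byte) bool {
	return ChiSquareBytes(data) < 400 && math.Abs(MonobitZ(data)) < 4
}

// RepeatingKeyXOR is a deliberately weak "cipher" used for contrast.
func RepeatingKeyXOR(key, pt []byte) []byte {
	out := make([]byte, len(pt))
	for i, b := range pt {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// AESCTR encrypts pt with AES in CTR mode under key and initial counter block iv.
func AESCTR(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(out, pt)
	return out
}

// NonceReuseLeaks shows the limit of the tests: two messages encrypted under
// the same key and counter block each look random, yet the XOR of the two
// ciphertexts equals the XOR of the two plaintexts, a classic break.
func NonceReuseLeaks(key, iv, p1, p2 []byte) bool {
	c1, c2 := AESCTR(key, iv, p1), AESCTR(key, iv, p2)
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return LooksRandom(c1) && LooksRandom(c2)
}

func main() {
	weak := RepeatingKeyXOR(weakKey, samplePlaintext)
	good := AESCTR(demoKey, demoNonce, samplePlaintext)
	fmt.Printf("repeating-key XOR: chi2=%.0f z=%.2f random-looking=%v\n", ChiSquareBytes(weak), MonobitZ(weak), LooksRandom(weak))
	fmt.Printf("AES-CTR:           chi2=%.0f z=%.2f random-looking=%v\n", ChiSquareBytes(good), MonobitZ(good), LooksRandom(good))
	fmt.Println("random-looking but broken by nonce reuse:", NonceReuseLeaks(demoKey, demoNonce, samplePlaintext, samplePlaintext2))
}
```

`go run` prints the three verdicts. The point for the thread: ciphertext that passes randomness tests is the minimum any cipher must achieve; passing says nothing about key recovery, misuse resistance or the strength of the key schedule, which is what cryptanalysis actually measures.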
     
  4. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Re: Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

    Wow, there's so much that I'd like to reply to. Most important is the fact that there is obviously real interest in different aspects of data security. Great!

    About side-channel attacks: Well, if an attacker gets valuable information with very little effort, why shall he not exploit this!
    And there IS a very effective way for almost any disk encryption software:
    The software relies on an encryption driver that mounts an encrypted volume. How is it mounted? Through the ONLY available channel in the OS: the DeviceIoControl() function:
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa363216(v=vs.85).aspx

    Here's the IOCTL used by TrueCrypt:
    #define MOUNT 466944 /* Mount a volume or partition */
    ...
    The password is passed to the driver IN THE CLEAR here:
    mount.VolumePassword = *password;
    ...
    The full path to the volume file is set here:
    _snprintf ((char *)mount.wszVolume, MAX_PATH, "UNC%s", volumePath + 1);
    ...
    the volume file name is converted to Unicode here:
    ToUNICODE ((char *) mount.wszVolume);
    ...
    and finally the structure containing real "hot" information is passed in the clear to the OS by calling DeviceIoControl() in quite a compressed way:
    bResult = DeviceIoControl (hDriver, MOUNT, &mount, sizeof (mount), &mount, sizeof (mount), &dwResult, NULL);

    If this isn't a fantastic side channel, then I really want to eat a broom!
    I published a paper about this attack a few years ago. I've also published a solution to fix this.

    Immunity of PMC to Cold Boot Attack: Why should it be immune? I see no reason for this!
    It might, however, be more difficult to analyze PMC as the internal state of the cipher is not 52 bytes with no change but 500KB to several MB with data changing rapidly. I didn't find my software in the list of programs that can be broken. But I have very well received requests for providing an interface to enable Brute Force Attacks by expert witnesses! All of them told me that they have very good dictionaries, but when they found out that key setup time for PMC is approx. 1 second and that PMC does not run on GPUs, they all sounded a bit disappointed.

    To the variety of different ciphers: This is a brilliant thing! The example with just one antivirus software is really conclusive! Only if there are many different manufacturers is it pretty much evident that brand new viruses are detected by at least one product and then all others need to follow. It's never good to rely on only one thing.

    About patents:
    Obviously this requires explanation: A patent is an inexpensive way to assign an invention to a person so that it is later impossible for any free-rider to claim that he has invented that thing. Even more valuable is the fact that the information is made public through an official channel so that one can be sure that after some time it is ok to talk openly about the invention. It happened to me earlier that one of my inventions was all of a sudden regarded as a state secret. The letter that I received stated that whistle-blowing would end up in up to 17 years of prison. Bright prospects, isn't it?

    The reader might notice that it's sometimes good to look at something from more than one side!
    Thanks for reading!
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Post split into its own thread (from Here's How Law Enforcement Cracks Your iPhone's Security Code). As always, keep the discussion on subject and civil. Thank you.
     
  6. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Never said that and I don't believe it.

    But I think it is clear, I believe it is good not to bet on one horse
    (read: to use only AES 256 and everywhere), and especially in this case,
    since I distrust it for the reasons given before.
    For the record, I don't think that it is cracked completely, but I think
    that with the computer power available for some parties these days, and perhaps a small shortcut found in the cipher,
    and with an enormous dictionary it might be possible to crack lots of passwords, most certainly if the passwords used are short.
    And the time needed to test one password against AES 256 is hyper-short, compared with algorithms I've seen.
    Please check the top500 - http://www.top500.org/ - these are only the publicly available supercomputer sites' specs :)

    But I respect that there are others who think differently on this,
    and I understand why.
    For them I recommend to keep using AES 256, but I won't ;)
     
    Last edited: Apr 5, 2012
  7. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    @ x942 I can't wait to see this :D It's about time that the infinite bit shapeshifter indestructible MacGyver polymorphic PMC cipher got a colonoscopy of some kind.

    To answer the OP, LockBox's referenced threads pretty much cover your questions. From what has been discussed in one of the threads: the concept of polymorphic ciphers itself was deemed too complex without any distinctive advantages at overcoming most cryptanalytic attacks, more than any standard design could. Polymorphic ciphers that don't have a flat keyspace will almost definitely suffer from having weak keys - making it otherwise is very difficult to accomplish. In cryptography it's always better to keep things as simple as they can be (but not any less).

    Brute-forcing is almost always not the problem with any given encryption algorithm, but it's the shortcuts that arise when they are subjected to cryptanalytic attacks of some type which they were not designed to withstand.

    No matter what encryption is used, nothing will protect you if the password used is too short or too weak. Bernd seems to associate this as being the fault of AES. He claims that a password of as little as 5 or 6 characters should be enough given what a PMC cipher does:

    Would you trust someone who preaches universally frowned upon data security advice, to make a competent cipher of any type?

    His misguiding rebuttals almost always contain some misstatement or confusion of what constitutes a genuine crypto break and some type of side-channel attack. Take his referral to a Passware Forensics kit for instance...
    If you leave an encrypted drive in a mounted state, you deserve what happens to you. It's a well-known fact that the key is stored in RAM on a running computer if the drive is in use. HDD encryption protects data at rest, so make sure that your device is turned off when unattended. This is common security practice not just for TrueCrypt but any other encryption program.

    Again, this has nothing to do with the encryption program being weak or AES being flawed. It's simply the user not utilizing the technology properly as it was designed to be used.

    Using a cascade of ciphers is a big no-no since the chance of there being a critical implementation flaw is orders of magnitude higher than a weakness in the math itself. I mean c'mon Bernd, a self-proclaimed expert such as yourself should know this and not give advice to the contrary like in your other post. These are basic use guidelines.

    Also Bernd, try to avoid ad hominem attacks or accusing people that they have an agenda or conflict of interest if they point out the mistakes in what you are saying. Nobody's out to get you when they question how you came to the unsupported conclusion that you have designed the world's BEST algorithm (as you claim). People come here for best practices to learn how to secure their electronic lives and data not to get inaccurate information or marketing drivel.
     
    Last edited: Apr 5, 2012
  8. x942

    x942 Guest

    That was kind of the point of the post. Any encryption can be attacked by a side-channel, including PMC. So calling that "cracking" software a breakthrough proves no true knowledge of crypto. That doesn't break anything besides the chain of trust. The keys HAVE to be in plain text at some point. If it's not stored according to the FIPS 140 Level 3 spec (hardware) then it can be dumped. Only specialized hardware can prevent this.

    Oh I really can't wait myself. I have just grabbed a copy and will be testing in a few Min. :D
     
  9. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    First of all I think it is good that this thread was split from the previous one,
    but sadly the previous one was more AES 256 versus other algorithms.
    Now it is just AES 256 versus polymorphic cipher; that's sad,
    because I think it is better not to bet on one horse, as I said before.

    Anyway, if I read this:
    Yes, that is exactly what I would recommend if I had to decipher it :)

    And:
    I don't think it is nice or friendly or respectful to say things like that :(

    And I really don't understand why the inventor of this cipher is attacked in this way;
    if you don't like his cipher or non-AES 256 ciphers in general, just say so and say why.
    Why this kind of attack on someone with a new or other cipher?

    I would say the more ciphers the better.

    On the pmc-ciphers.com website I just read that up to now his cipher has never been cracked,
    and Google gave me no other results. For me it is just another cipher that seems to have never been cracked!

    And can anyone please explain why I can't find any commercially available file or disk encryption software
    on the Internet that uses one of these:
    HC-128 or HC-256 or Rabbit or Salsa20/12 or Sosemanuk (see: -http://www.ecrypt.eu.org/stream/-) or any of the new ciphers from India or China?

    The attacks on ciphers other than AES 256, not on the cipher itself but on the people behind it,
    make me feel even more certain that I have made the right choice to drop AES and select another cipher.

    What do you guys think about Sosemanuk??
     
    Last edited: Apr 6, 2012
  10. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    I don't really feel that it is a PMC vs anything at this point; I think that it is still at the stage where it is to be proven whether PMC actually "deserves" to be compared to other established ciphers or not.

    Well, I could probably make a cipher myself right now (although I know almost nothing about them) and say that it was never cracked :p simply because no one really tried, not cause it is strong. I know that the PMC-cipher website lists a few challenges, but we really have no idea how many people participated, and what the qualifications of those people were. For example, if I were to attempt to crack it and were unsuccessful, that would prove absolutely nothing. Also, the challenges seem to be entirely focused on brute forcing the password, which even I know is only one of many possible attack vectors on a cipher, and possibly the one easiest to protect against.

    At first I thought that maybe there is something to this PMC cipher, but when I started searching for it - I really couldn't find ANY information on it, or its use, anywhere outside of the PMC-cipher website, and a few threads on different forums where nothing specific was said and all the same arguments were recycled constantly by the author ("micro controllers from washing machines", "chinese government grant no. xxxxxx" and "8" silicon waffer"), without any detailed explanations by the author of the cipher as to why it is really so good.

    So overall, I am somewhat skeptical at this point, but I will wait for x942's analysis and hopefully the discussion that will ensue from there. And I really hope that Mr. berndroellgen will chime in as well, otherwise I'll be a bit disappointed :)
     
    Last edited: Apr 7, 2012
  11. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Exactly what I meant, perhaps I need to start a new thread AES 256 versus the rest ;)

    And please make a cipher yourself and offer gold for the cracker :D

    I can understand that, but when will that be?


    The main problem here is that there is very little new under the sun regarding commercially available encryption software, don't you agree?

    I feel that with that we are living in the dark ages;
    AES 256 makes me feel that we are still using Dr Solomon antivirus 1988 edition, see: - http://en.wikipedia.org/wiki/Dr_Solomon's_Antivirus-

    And every time a new encryption is developed,
    it seems as if we are force-fed with AES 256.
    There is always someone who will say it is bad for you, and the person behind it is a ....,
    but never a technical reason why and how it can be broken.

    Other encryption ciphers seem to disappear into thin air, although never claimed to be cracked.

    In this case (polymorphic cipher) you are perhaps correct that no other persons are
    trying to convince you that this cipher is unbreakable,
    but on the other hand, nobody claims that he has broken it as well.

    Perhaps the conclusion must be: why not use AES 256 and polymorphic encryption combined?

    Encrypt a file with AES 256 first and after that encrypt it again with the polymorphic cipher (or vice versa).
    That must be better than using AES 256 only, don't you agree?

    It is time for some change in encryption software!

    As you can see in my signature I am old, but perhaps I am still a bit too fast
    regarding the HYPERSLOW progress in encryption software development :D

    But you might keep AES 256 for nostalgia,
    the good old 8086, 80286, 386, 486sx, DOS 3.x

    I have kept my AES 256 encryption software in a glass (safety glass) box, together
    with a 5.25 floppy disk, Dr. Solomon antivirus 1988 and a 5 MegaByte harddisk
     
    Last edited: Apr 6, 2012
  12. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Hi Tuatara!

    Obviously that wouldn't work :D the most I could make right now (and I would need to learn some programming language to do that, since I don't know anything besides HTML / CSS / a bit of php) would be some combination of a shift-cipher / caesar cipher with a bit of randomness to go along with it :D I wouldn't offer gold for someone to crack it, but I think that with some more knowledge on my part in ciphers, I might feel comfortable offering a few thousand worth of gold for an attempt to BRUTE FORCE the key/password only - notice that I'm talking about brute forcing only, which is exactly what the author of PMC is focusing on in his challenges.

    // Right now I'm reading this (xttp://tiny.pl/hpfxg - link leads to amazon) and taking some math lessons cause my math sucks and is at a pretty basic level; once I'm done, I might actually attempt to make a cipher just for the heck of it :) but that's a bit off topic //

    Again, I'm not trying to compare myself to Mr. Bernd; no matter what others may say of him, I have enough awareness of my capabilities to know when someone is better than me at something, and I am 100% sure that Mr. Bernd is incomparably more skilled and knowledgeable in the subject than I am. I am only questioning his approach, and the fact that all of the proof provided by him regarding the safety of his cipher revolves exclusively around its resistance to brute forcing.

    Up until 3 weeks ago I had no clue how encryption worked or what it really was exactly, so I can't really comment on that. But yeah, even as a newbie, I do feel that AES is the only symmetric cipher that is being used. However, I don't believe that just because something has been around for a long time, that we need to change it.

    I don't believe comparing ciphers to antivirus software is fair. AVs need a solid back-end of programmers constantly updating; the software needs to keep up with a lot of changes in the OSs and software being used by users; it makes sense therefore that AV programs would change / rotate often. Ciphers, from what I understand, however, are based on mathematics - and time is not necessarily an indicator that a certain mathematical formula has become outdated. There are many mathematical formulas that were developed dozens or even hundreds of years ago, and which still hold ground today, and I see absolutely no need to change them. They work, and they are mostly simple.

    Maybe, I can't really say, haven't been around long enough to know.

    This is faulty logic IMO. To take this to a somewhat abstract level - no one has proven that dragons exist, but at the same time no one has disproved their existence either - does this mean that I should believe in dragons? I know it is an extreme example, I'm just trying to make a point.

    Yes, I agree. (Although someone earlier in this thread said that cascades such as this are not a good idea, so I'm not entirely sure.) However, at the moment, if I had to choose a cascade, I would prefer AES 256 plus twofish or serpent, rather than AES 256 plus PMC. Why? For all the reasons I've stated in this and my previous post.

    Why?


    Cheers mate :)
     
    Last edited by a moderator: Apr 6, 2012
  13. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Obviously there are still a couple of people out there who are so convinced that water is flowing upwards!
    .. that reminds me of the time when everybody was convinced that the world was a disc! A big organisation started to fight against this fact - and finally lost. But this took a long time.

    Well, it's obviously necessary to start with a very simple explanation as some readers appear to be able to take only homeopathic doses of news.

    My motivation to create a cipher of ciphers was this: DES was broken in 1997/1998 and for one year nobody appeared to care. Then the AES contest was started. I had a look at it and thought that it's pretty weird that an organization was looking for a tiny little cipher with a very short key setup time and that an organization that has the mission to spy on people was heavily involved in the process of finding a suitable algorithm.
    Here's the link to a truly devastating document which was very well known at the time:
    http://csrc.nist.gov/encryption/aes/round1/conf2/papers/chari.pdf
    A cautionary Note Regarding Evaluation of AES Candidates on Smart Cards, 1999, S Chari, C Jutla, J R Rao, P Rohatgi
    The link has been removed for some reason. Here's the page at the NIST website where the same link can be found:
    http://csrc.nist.gov/groups/ST/hash/documents/Second AES Candidate Conference (AES2).htm

    .. and here's a link to the paper that still works:
    http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.46.7643&rep=rep1&type=pdf

    in short: Twofish reference 6805 code was broken by four experts from IBM using only 100 independent block encryptions to fully recover the 128-bit secret key.
    the best is this: "We also describe how all other AES candidates are susceptible to similar attacks."

    Oops !

    Well, I thought that it might be a good idea to do things best and to (at least) rely on more than just one cipher. The choice of the cipher should be done programmatically:

    Let's say four "secure" 128 bit ciphers form a set of "base ciphers": e.g. AES Rijndael, AES Twofish, RC6 and Mars.
    A 130 bit key is used to encrypt messages - 2 bit select one of the four available base ciphers and the remaining 128 bit represent the key for the chosen base cipher.
    An "unbreakable" 130 bit cipher is the result. It is assumed that none of the base ciphers can be identified by its respective ciphertext (which is certainly the case for those four base ciphers).

    What is wrong with this design? NOTHING! This will even convince Mr. Troutman! But maybe my brief explanation does not have the form that is needed...

    But there's one decisive advantage:
    An attacker must actually crack four base ciphers instead of one in order to be able to read all messages.
    What if there were thousands of base ciphers? Attackers would have far more homework and they would definitely try all kinds of side-channel attacks ONLY.

    I know that the comments on this will be "stupid", "lack of competence", ...
    Mr. Almighty calls this "funny" by the way!

    But it isn't. It's pure logic. And this alone is not new, at least since 1946.

    I hope that all this was not too complicated.


    To Serapis: You wrote: "If you leave an encrypted drive in a mounted state, you deserve what happens to you."

    Sorry, but then everybody who uses disk encryption is inevitably stupid! One leaves an encrypted drive in a mounted state when such kind of software is in use. Typically you'll leave it open for as long as you work on a document and that can be a pretty long time. This side-channel attack can inevitably be mounted against anybody who uses disk encryption software!!!
    .. and then it really makes sense to harden that software against this kind of attack.

    In order to protect users, the encryption driver should be hardened against this attack as well as against hooks into the DeviceIoControl() function! I've implemented a Diffie-Hellman key exchange for that purpose in my software. In the long run this will prove to be good practice. In the short run I'm sure that this is also regarded "ridiculous" or "funny" or whatever.
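
The two points berndroellgen makes about DeviceIoControl(), the mount structure crossing into the driver in the clear (post 4 above) and the Diffie-Hellman exchange he says his software uses to fix it (post 13), as an added example. This is editor-supplied Go, not code from the thread, from TrueCrypt or from PMC: X25519 stands in for the Diffie-Hellman step, AES-256-GCM for the encryption of the request, SHA-256 over the shared secret and both public keys for the key derivation, and the MountRequest layout, the function names and the sample password and path are all assumptions. Both sides run in one process; in a real driver the ephemeral public key would be fetched through a first, harmless IOCTL.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MountRequest stands in for the fields the post shows crossing
// DeviceIoControl(): the volume password and the volume path. It is a
// constructed illustration, not TrueCrypt's MOUNT_STRUCT.
type MountRequest struct{ Password, Volume string }

// encode serialises both fields with 16-bit length prefixes.
func (m MountRequest) encode() []byte {
	var out []byte
	for _, s := range []string{m.Password, m.Volume} {
		out = binary.BigEndian.AppendUint16(out, uint16(len(s)))
		out = append(out, s...)
	}
	return out
}

// decodeMount is the driver-side parser; it rejects truncated or trailing data.
func decodeMount(b []byte) (MountRequest, error) {
	var f [2]string
	for i := range f {
		if len(b) < 2 || len(b)-2 < int(binary.BigEndian.Uint16(b)) {
			return MountRequest{}, errors.New("truncated mount request")
		}
		n := 2 + int(binary.BigEndian.Uint16(b))
		f[i], b = string(b[2:n]), b[n:]
	}
	if len(b) != 0 {
		return MountRequest{}, errors.New("trailing bytes in mount request")
	}
	return MountRequest{Password: f[0], Volume: f[1]}, nil
}

// must panics on errors that cannot occur in a correct run (key generation,
// cipher construction); request handling below still returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sessionKey derives the AES-256-GCM key from the X25519 shared secret and
// both public keys (client first, driver second), so the two sides agree and
// the key is bound to this exchange. SHA-256 stands in for HKDF here.
func sessionKey(own *ecdh.PrivateKey, peer, clientPub, driverPub []byte) []byte {
	shared := must(own.ECDH(must(ecdh.X25519().NewPublicKey(peer))))
	h := sha256.New()
	for _, p := range [][]byte{[]byte("mount-ioctl-session-v1"), shared, clientPub, driverPub} {
		h.Write(p)
	}
	return h.Sum(nil)
}

// seal returns nonce || ciphertext || tag with a fresh random nonce; openBlob
// reverses it and fails on any modification of the blob.
func seal(key, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	return gcm.Seal(nonce, nonce, pt, nil)
}

func openBlob(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if ns := gcm.NonceSize(); len(blob) >= ns {
		return gcm.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("blob too short")
}

// ProtectedMount runs the whole exchange in-process and returns the bytes that
// would be handed to DeviceIoControl() plus the request the driver recovers.
func ProtectedMount(req MountRequest) ([]byte, MountRequest, error) {
	client := must(ecdh.X25519().GenerateKey(rand.Reader))
	driver := must(ecdh.X25519().GenerateKey(rand.Reader))
	cPub, dPub := client.PublicKey().Bytes(), driver.PublicKey().Bytes()
	ck := sessionKey(client, dPub, cPub, dPub) // client side
	dk := sessionKey(driver, cPub, cPub, dPub) // driver side, same key
	payload := seal(ck, req.encode())        // the only thing crossing the boundary
	pt, err := openBlob(dk, payload)         // driver: authenticate, decrypt, parse
	if err != nil {
		return payload, MountRequest{}, err
	}
	got, err := decodeMount(pt)
	return payload, got, err
}

// LeaksSecret reports whether the password or the volume path appears
// verbatim in the bytes crossing the user/kernel boundary.
func LeaksSecret(payload []byte, req MountRequest) bool {
	return bytes.Contains(payload, []byte(req.Password)) || bytes.Contains(payload, []byte(req.Volume))
}

func main() {
	// Constructed sample request; not a real password or path.
	req := MountRequest{Password: "correct horse battery staple", Volume: "C:\\volumes\\work.tc"}
	fmt.Println("plain IOCTL leaks password:", LeaksSecret(req.encode(), req))
	payload, got, err := ProtectedMount(req)
	if err != nil {
		panic(err)
	}
	fmt.Println("protected IOCTL leaks password:", LeaksSecret(payload, req), "| driver recovered intact:", got == req)
}
```

What the exchange buys and does not buy: the buffer handed to DeviceIoControl() no longer contains the password, so a passive hook or a captured IOCTL log sees only an AEAD ciphertext, and any modification is rejected by the tag. An attacker who can interpose on both directions, replacing the driver's public key with one of their own, still recovers the password, because the exchange is unauthenticated; and the driver still holds the session key and the derived volume key in memory, so the RAM-dump and cold-boot points made elsewhere in the thread are untouched.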
     
  14. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Could you explain what these "thousands of base ciphers" actually are? Where do they come from, who designed them, what algorithms do they use? Or are these ciphers generated randomly? And if so - does this mean that you use a method for "automatically" creating on-demand ciphers, each of which is always strong enough to withstand all known attacks?

    I feel your quotation was somewhat taken out of context. Here is an actual quote of the entire paragraph containing the sentence you mention:

    I hardly think this means that AES or other established ciphers have been "cracked", in the broad sense of this term. Seems like just another side-channel.

    Thanks.
     
    Last edited: Apr 6, 2012
  15. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Very simple: from whoever you trust!
    The AES finalists would probably be ok for you:
    MARS, RC6, Rijndael, Serpent, and Twofish

    If you're from Russia or India, your choice might be different.

    If you prefer ciphers that are "created" on demand, you can have that as well. And I'm sure that "the expert who you trust" will be able to provide you with plenty of modifications of your preferred cipher.
    Imagine a permutation step in the algorithm: As long as the permutation is performed well enough, this would be a good location in the design to make that algo variable. I'm sure that experts of the caliber of Joan Daemen, Vincent Rijmen, Ross Anderson, Eli Biham, Lars Knudsen and Josef Pieprzyk could all provide this to you if they were asked politely.
    You can also have that from me, if you want.
     
  16. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    It's an important side-channel attack! One of the design goals of AES was feasibility in conjunction with smart card chips. That goal was clearly missed completely!
     
  17. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Ok, thanks for explaining. Let's see what others have to say :)
     
  18. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I believe it's not so much an "attack" as steep skepticism. I have gleaned from your postings, tuatara, that your mind is made up and that is fine; I do advise you to do more research into crypto since it does appear you have a genuine interest. However, the author of this cipher has a different agenda than simply furthering the knowledge of crypto. They are a marketer first, a security practitioner second. Surely you can see another interest in their postings. The PMC is patented, which I will agree with Mr. Troutman is the antithesis of widespread adoption. If berndroellgen was serious about this he/she would be going through proper channels, announcing proofs, getting the algorithm vetted by other cryptographers; instead we see the opposite.

    But besides the creator, has there been any official review? If not, then that should raise some red flags on the product. For marketing claims it actually is not a wise idea to go to the source, but rather to 3rd parties that have audited the claims and have posted their results and tests, and additionally hold good ethos in the respective community. Unless of course the creator links to their original testing results/papers.
     
  19. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    With an expired patent, the marketing of intellectual property is certainly somewhat difficult. But if you want to say that I'm doing good marketing, then this really is a compliment for me. Thank you very much!

    But to try to wipe away even the simplest facts repeatedly with the very same negative comments that are free of any scientific content might not work any more! More science, less polemics, please!

    I have known very well for very many years that it greatly depends on who publishes proofs and who has an interest in peer review of new ciphers. I bet that your agenda is not strictly furthering the knowledge of crypto.
     
  20. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Yes, my mind is made up, I can agree on that, and the fact that it has my genuine interest. And I am not the only one here.
    And I respect that.

    See my previous posts; I don't think it is nice to say that someone who thinks differently is "uninformed", most certainly not if you don't know him/her or his/her reputation.

    For the readers/lurkers of this thread:
    Over the whole thread I tried to make clear that I prefer more and newer ciphers in general. I never got a response on that.

    You are right, it is not entirely fair, but to never change your encryption algorithm and try to stick to 1 old version and even advise others to do that
    is a bit strange, isn't it?
     
  21. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    It certainly doesn't go fast this way, regarding the progress in commercially available encryption;
    too many that step on the brake here, why would that be? :D
     
  22. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Well first of all, it's not really THAT old when you consider it from a mathematical standpoint, as opposed to a purely technological standpoint (as we would consider for example AV programs).

    I think that the only reason others over here are advising us to stick with AES is because there simply hasn't been a proven and tested counterpart that we could say is without a doubt a better option. I don't see anything wrong about that and I thank them for this advice :) I am willing to bet a few ounces of gold (WINK ;)) that if there was really something better than AES available, then the people on this board would be among the first in the world to jump at the opportunity to test it and switch to it, and among the last in the world to try and convince others not to switch.

    Could this counterpart potentially be PMC? Sure, who knows. I hope that x942's analysis and the discussion afterwards will bring us closer to an answer.
     
    Last edited: Apr 6, 2012
  23. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Of course I don't agree on that, see: -http://en.wikipedia.org/wiki/ESTREAM-

    The best thing about this forum is that if there are people with different opinions, readers/lurkers will read through these threads and make up their own mind, and decide if you must believe the people who want you to use AES 256 as your only encryption,
    and if it is strange that, regardless of the cipher, you are not advised to use a newer, other or even a combination of ciphers.

    Again, I don't recommend using AES 256 only

    :thumb:
     
  24. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Yes, I did take a look at the eSTREAM project. However, I failed to find any information or tests which would state that any of the ciphers on the final Profile 1 list are better than AES. If you know where to find such information, I'd love to read it so please post some links.

    Just because something is newer (and not that much newer, since most of these ciphers were designed around 2002 - 2004 iirc) doesn't mean that it has to be better. We need to see some cryptanalysis :) Of course, some are available - however, if none of them proved without a doubt that the given cipher was better than AES, it is perfectly understandable to me that the new ciphers would not get nearly as much attention as the "veteran" ciphers. Reason: if we have cipher A and cipher B, and both ciphers seem to be equally strong, I will choose the one that has been longer on the market - since it will have definitely undergone more tests than the other.

    However, I do agree with you that there is theoretically no reason as to why we shouldn't use ciphers in a cascade.. but I think that this is a subject for a different thread. I'll probably start it today or tomorrow so that this thread doesn't get derailed.
     
    Last edited: Apr 6, 2012
  25. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    It makes you wonder why they started this expensive project and did not select or include AES 256 aka Rijndael to start with ;)


    And more time to attack/crack it, so I would try something else.

    If the whole world uses AES256 they only have to attack 1 single algorithm
    and can easily set up a top500 (see previous posts) kind of system for that.

    Good idea :thumb:

    Just imagine what the impact will be if AES 256 is proven to be cracked in the near future,
    now that 95% of the market is using it.

    What is the advantage of all using the same algorithm,
    while everybody knows there are similar or even better ones?

    One question: what can be the reason for someone
    to advise everybody to ONLY use the AES 256 algorithm ;)

    It's like saying: "ONLY USE BRAND ABCD locks on your door"
    and "all other brands are not proven to be safe, and ABCD is great, we are using it ourselves"
     