polymorphic cipher

Discussion in 'privacy technology' started by syncmaster913n, Apr 2, 2012.

Thread Status:
Not open for further replies.
  1. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Anyone who comes up with a conclusive alternative reason has my deepest respect.

    Thinking about "marketing" once again: What if I'd make my disk encryption software available for free for use by anyone in the world?
    Hmm.. in the long run this clearly is desirable for a company that needs to make money as some users might want to purchase the "ultra-extra"-"whatever" version which is still for sale for whatever reason.
    Then somebody from some nasty evil country downloads the thing from my server and I might get big trouble with the customs department. Why? well, I'd make dual-use goods available to potentially evil people. So today I can only provide a crippled version for download and users MUST purchase something through a channel that enables me to check their identity.

    Ok, but there are guys out there who clearly make market-leading products in terms of installed software packages and who can hand out to software to whoever they want. Their software is free of charge which in turn means that it's impossible to beat that thing on the market.
    Pretty weird, isn't it? Maybe the group of programmers receive "donations".

    So I began to analyse the thing and I found a couple of severe security holes. I even needed to reprogram my entire software in order to strengthen the thing so that it is safe to use. I published my findings and the solutions that I've chosen and - of course - all of that got slammed. Even Bruce Almighty did his best to find nice words for my solutions. So I knew that I did it right !

    You see, peer review is easy to get. I't although only a matter of interpretation...

    I guess that I should ask some experts at the ministry of economy if I'm allowed to release the software for anonymous download. As a reference I could use this or older threads. Chances are better than 0% that I'm allowed to release the thing for anonymous download.
     
  2. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    What have i to gain if i say, don't use AES 256 only (like i do) ?
    And what is the reason for others to say ONLY use AES 256 en doubt every other algorithm ?

    :D
     
  3. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    This makes sense because the confidence we have in cryptographic primitives is a direct result of the cryptanalytical attention they've received and withstood.

    But there is a practical reason not to. Real-world cryptographic designs don't fall apart because someone broke a block cipher; they fall apart because of a failure in the implementation. Therefore, we should simplify the implementation whenever and wherever possible. With that in mind, cascades add complexity that is of no practical benefit to cryptographic security, yet makes the implementation harder to get right.
     
  4. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Makes sense not to encrypt a file and encrypt it again with another cipher
    for some this is too complicated :D

    For the record , this sounds like stick to AES 256 only and do not combine ciphers!

    So in the past (before DES was broken) you could also have said don't combine DES with an other algorithm.
    -http://en.wikipedia.org/wiki/Data_Encryption_Standard-
     
    Last edited: Apr 6, 2012
  5. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Justin, as a Cryptography Expert,

    1) what is your reason not to use (any) other Cipher ?
    2) What is wrong to encrypt a file with AES 256 and encrypt it later with any other encryption ?
    3) What do you think is the best encryption algorithm apart from AES 256 at the moment?
     
  6. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    I think we are talking about two different things; "cascade encryption" is like what they have in TrueCrypt; meaning the same file is encrypted ONCE, but using two or three different ciphers. What you mention here, however, is like:

    Step one: encrypt a file using AES
    Step two: then, separately, encrypt the encrypted AES file using for example PMC.

    As far as I understand it, the first approach is not a good idea, but the second one is - am I right justin?
     
  7. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    No, it doesn't make you wonder about that. It sounds in this spot like you are searching for conspiracy theories on purpose. Here is the first sentence describing project eSTREAM on wiki:

    Would be completely useless and a waste of time to include something like AES, which was already very well tested at that point. The whole point was to find something NEW.

    Sure, it would be tough. But that goes for any cipher that is being used by 95% of the market; if PMC was used, for example, we would be wondering "Just imagine what the impact will be if PMC is proven to be cracked in the near future, now 95% of the market is using it". The whole point of the industry is to find that ONE cipher which is so good, that it can be trusted for a relatively long time, so that we don't have to change ciphers every 2-3 years (this goes especially for corporations and large companies). So in other words, I don't find this a valid argument in this case.

    Could you show me any reliable proof of there being a cipher which is similar to or better than AES? I'd really appreciate it if you could do that, as it is indirectly the whole purpose of this thread.

    There could be many reasons:

    1. That person has heard others say that it is the best, so he is saying the same.
    2. The person is an expert and has seen enough proof that AES is worth being "pushed".
    3. The person is a secret government agent and is trying to fool us.

    From those three, I find 3 the least possible :p

    By the way, I would appreciate it if you could elaborate a bit more in your posts; I feel you are asking too many "open ended questions", which don't really have too much value. If you could stick to facts/opinions as much as possible, I'd appreciate it :thumb:
     
    Last edited: Apr 6, 2012
  8. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    In no way does it imply that we should stick to the AES; while I recommend the AES, the point is that if you understand the issues with real-world cryptography, you'll understand that adding more options adds complexity, and it's complexity that kills cryptographic implementations -- not a broken block cipher.

    1) Because of its track record as a standard, it makes sense to use the AES whenever and wherever possible; it's a design that we know well. However, there may be instances where design contrainsts call for something else, and there are certainly other suitable primitives for those cases.

    2) It's not a matter of what's wrong with; it's a matter of what it buys you above and beyond encrypting once with a single primitive. History shows that we shouldn't keep obsessing about the cryptography itself; we need to start obsessing more about the implementation. Protocols have fallen apart because they tried to cram in too much cryptography, leading to complex implementations that were just too hard to analyze properly.

    3) Going back to 1), there may be instances where other primitives are a better fit, constraint-wise. Block ciphers like Twofish and Serpent exhibit good design qualities, but you'll find that even members of their respective design teams recommend the AES.

    The point is to keep things simple and use components that we really understand; it's not about pro-AES and anti-everything else. There's a time and place, but in most places, and most of the time, the AES should be the prime consideration. Too much emphasis on this part takes attention away from where it really needs to be.

    You can encrypt multiple times with the same primitives, or different primitives; essentially, ciphertext from the first primitive becomes plaintext for the second, and so on. Triple encryption provides the security we'd expect from double encryption, thanks to meet-in-the-middle attacks, but we aren't sure if encrypting with four or more buys us anything beyond three.
     
  9. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Justin,

    Question: I am not entirely sure at this point that I understand what you mean when you say "implementation". Could you elaborate on this a bit please?
     
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    See my previous posts, i rest my case :D
     
  11. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    .

    Just change AES in DES in this example and you will have your answer
     
  12. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    The actual code itself; things go wrong because developers don't, and can't be expected to, recognize all of the subtleties of real-world cryptography. The more we burden the programmers with putting into the code, the more likely it is that they'll make a mistake. This type of complexity is counterintuitive to what we want to do when building practical cryptographic implementations.
     
  13. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Could you elaborate? There's solid, real-world, backed-by-history reasoning for simply using the AES, rather than a buffet of different primitives in cascades. Is it not sensible to make design decisions based on what history tells us produces good results? If you know that complexity is why systems fail, and not cryptography, would you pay more attention to the implementation than the mathematics?
     
  14. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    Ah, got it, thanks.
     
  15. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Bear with me, I'm an utter layman regarding encryption but a 'meet-in-the-middle attack' assumes knowledge of both the plaintext and the ciphertext, right?
    And then triple encryption will use the second ciphertext as plaintext etc.
    How come that it's 'not sure' that quadruple encryption 'buys more' when three apparantly does?

    Also, to your knowledge, hasn't anyone before used IDA Pro to analyze PMC and test it's guts.
    You, amongst others of course, have expressed your reservations against PMC/Bernd Roellgen for quite some time but if his product is so lacking in offering strong encryption, surely the WSF members here aren't the first to actually put PMC to the test?
    And I don't mean any lack in presentation, scientific papers/proof offered by Roellgen but the opposite, proof that PMC does not offer proper encryption. Do you know of any academic paper on such research/conclusions?
     
    Last edited: Apr 6, 2012
  16. x942

    x942 Guest

    I have tried to find information on PMC by using multiple search engines and scripts. Nothing besides forum discussion and PMC's site.Further more I am analyzing it in IDA Pro right now. This may take some time though.

    Although this may be coincidence I have had an absurd number of attacks on my network today since I posted (and download TruboCrypt). This happened last time I tried reversing someones software when bad intents were uncovered (It was VPN software iirc).
     
  17. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Very strong point Baserk, here you hit the nail with the hammer! :thumb:

    In the WW2 and the cold war you could not ask the other party
    to give them details on the ciphers they use, you had to brake it without that information. In this case the inventor has written several documents
    on what it is (in general), and even patented it.
    You can't patent something that is secret.

    The specialists are only attacking the way how berndroellgen has handled his invention and how he write things in public.
    But they did not crack his cipher, or has even come close to what it will take to attack The PMC-Cipher like this was done for AES recently.
    (read further below on AES and the work of Andrey Bogdanov and others)

    Remember this, there was a time that all encryption specialists agreed
    that DES was safe, until it was broken. |
    (Just like Albert Einstein has said that Black Holes could not form: - https://en.wikipedia.org/wiki/Black_hole -)
    Even with AES 256 (officially) small parts are braking of of it.
    i refer to the recent research work of Andrey Bogdanov of Katholieke Universiteit Leuven; Microsoft Research's Dmitry Khovratovich; and Christian Rechberger of Ecole Normale Superieure in Paris. (just Google).

    And NO, i did NOT say that they have broken or cracked it completely!

    Baserk, you have convinced me now,
    and i will add Turbocrypt with this PMC-cipher to my toolbox!

    And i can't believe what i read that a encryption specialist is saying
    that encrypting a file multiple times with different ciphers is adding extra complexity. o_O

    Of course i agree on the fact that the implementation is the most difficult part of creating a secure encryption software.
    - http://www.pmc-ciphers.com/eng/content/TurboCrypt/Backup-Attack/Backup-Attack-Blog-discussion.html -

    But let's say one has made a successful encryption program which can encrypt 1 file and you can select the cipher
    (like TrueCrypt, but with lesser known and newer ciphers).

    When you encrypt a file with AES 256 , you have the safety you guys normally have. Whatever you do with that file, will not make it unsafer.
    Now you start the same program again..
    The output file is encrypted again but now with any other encryption cipher with the same program, or am i going to fast now ?
    Where is the complexity, where is the risk ?

    Here i guy had encrypted a file in a container with one password.
    Then he placed the container in another container using another cipher
    and another password (you can also do this with Truecrypt).
    These steps were repeated 8 times. ok a bit over the top but it is technically possible.

    If you are a developer of security software like antivirus antimalware these days, things are getting more complex by the day. Just think what difficulties they have to overcome to adapt their software to new dangers. (Sinowall, Rootkits,Bootkits, Polymorhic Viruses and even MetaMorphic viruses"
    Then to say that encrypting a file multiple times is adding complexity is funny.

    So, making encryptions software is not easy, making it encrypt a file once again is not, if you believe that, you can always do that part manually :)

    So i say again: don't use AES 256 only and don't encrypt once.
     
    Last edited: Apr 7, 2012
  18. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Must be a coincidence,
    Or is it an attack on the person or the company and not on the cipher itself?
    It isn't very logical to sell software and attack your customers??
    Or did you send your ip one forehand with a note that you are going to try to reverse engineer it?
    I downloaded the software this morning of -http://www.pmc-ciphers.com- and it did not happen to me.

    X942: i do respect that you are the first one, to openly say you are going examine this PMC-Cipher software: AGAIN RESPECT !!

    btw it makes you think why other cipher specialists, didn't do that,
    (sadly) there aren't that many other ciphers on the market today to examine!
     
    Last edited: Apr 7, 2012
  19. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Hi tuatara,

    Please don't regard my question as any kind of proof.
    I'm just a tad surprised that apparently only now PMC will be dissected.
    x942, as he wrote, will also do some cipher/randomness tests. Not something you do overnight, so I patiently will await his results and then hopefully also the reactions from Bernd Roellgen and Justin Troutman on his results.
    Feel free to add the PMC-cipher of course but afaic this thread hasn't lead to anything conclusive yet, other than a rehashing of old arguments.
    (But my question still stands...:))
     
  20. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    No i did not Baserk, but it just made me think.

    A few post back i read about x942 and his VPN story,
    Although i don't know if X942 is a cipher specialist, i trust he can test a security application.
    And i don't expect to hear from him, that the GUI isn't user friendly, or the color of the GUI can be improved.
    So i do expect X942 to come up with some more technical aspects of his review/investigation.
    And i do look forward to that!

    But it remains very strange we did not hear a cipher technical review from the official cipher/encryption specialists ??
    Experts like Justin, but perhaps this might change, let's hope so :thumb:

    If there is a new product in my specialization area, i am always happy to look into that.
     
    Last edited: Apr 7, 2012
  21. syncmaster913n

    syncmaster913n Registered Member

    Joined:
    Mar 24, 2012
    Posts:
    153
    This I agree with completely, and I am very surprised that no one before X942 seems to have undertaken the task.
     
  22. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Peer review is highly welcome! Always !

    Decompilation is as well possile, or course, but this might be a bit tedious.

    If anybody needs the soure code of the latest polymorphic block cipher with variable block size up to 4 GB, source code is freely available here:
    http://downloads.turbocrypt.com/sou...code_breaker_64bit_wo_encryption_routines.zip

    Here's source code of an earlier version with up to 256 MB block size (the design of the cipher is although the same):
    http://downloads.turbocrypt.com/sou..._v1_cracker_source_wo_encryption_routines.zip

    Here's how the cipher is designed (includes mathematical proof):
    http://www.pmc-ciphers.com/vpics/9a...apers/giant_block_size_polymorphic_cipher.pdf


    If anyone is interested in source code of the polymorphic block cipher that is implemented in TurboCrypt, then simply ask me by sending an e-mail to me (e-mail address can be found at www.pmc-ciphers.com). I can then send you the code of a test project that of course includes the entire sources of the cipher.

    Here's the paper about the design of the cipher (includes mathematical proof):
    http://www.pmc-ciphers.com/vpics/9a...epapers/1024_bit_polymorphic_block_cipher.pdf


    So far the number of people who condemn everything that I have ever published about data security without reading a single word exceeds the number of people who have tried to do peer review by far, but could it be that this changes?
     
  23. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    WOW , i did not expect that!! :thumb: :thumb: :thumb:

    If there will be no cipher specialist now, that can proof there is a problem with
    the polymorphic cipher or PMC-cipher it is clear that
    some are trying us to force feed AES 256.

    It doesn't sound logical that there is no other good cipher in the world.
    And that encrypting with two or more ciphers is not a good idea.

    So encryption and cipher specialists, we are waiting !!

    For me it looks as if the cipher claims of berndroellgen are true, but no expert dares to confirm this,
    but let's wait for a while and see what happens, it looks as if this long thread is leading to something good now !
     
  24. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Dear Mr. Troutman, your words are balm for my soul !
    - Then you will surely agree that password caches are not strictly good for users of disk encryption software.
    - That passwords could also be entered by users into something more secure than the normal keyboard.
    - That communication with the encryption driver of disk encryption software through the DeviceIoControl() function provided by the OS should be encrypted (or at least protected).

    Would you recommend software that does not comply with the above requirements?
    Would you contact the groups that still publish software that does not comply with the above requirements and ask them to strengthen their products?
    Why you and not me? Well, the answer is quite funny: I'm still "doghoused":
    http://www.schneier.com/blog/archives/2008/10/new_attack_agai.html

    I love this passage: " Turns out that if you use a block cipher in Electronic Codebook Mode, identical plaintexts encrypt to identical ciphertexts.
    Yeah, we already knew that."
    Mr. Almighty obviously has little knowledge about the modus operandi of on-the-fly disk encryption software and that there is no possibilty to use cipher block chaining past the sector boundary. Sorry, but the quality of that comment is really low!


    One thing has always worked pretty well for engineers:
    What is wrong about existing solutions? Is there new technology available to solve an issue that has clearly been identified? If yes, then why not do it?

    Example:
    Passwords are usually entered through a keyboard or a virtual keyboard. Extra hardware is not popular because of the inevitable price tag of such stuff.
    - Problem: malicious software (that millions of computer-savy people are able to write) can log keystrokes and mouseclicks and mouse pointer locations and forward them to a remotely located computerfor the purpose of doing something that is not nice.
    - Solution: As the price MUST be $0, an improved virtual keyboard could be programmed.
    That piece of software shall do the following:
    - Let all processor cores compute something so that CPU load is 100% and that not even high-priority tasks can deschedule the currently executed thread.
    - Draw randomly positioned characters into the window of the virtual keyboard.
    - Clear the content of the window of the virtual keyboard.
    - Put all computation threads into sleep mode so that the OS can "breathe". By doing this, all waiting threads (including those of potentially malicious software) are executed for a while.
    - Go to the beginning of the loop


    If this method is used on the cipher as well, then there are at least two vital issues that should be addressed:
    - Long key setup time: why does it take only a few clock cycles for AES, DES or whatever "widely discussed" ciphers? This clearly helps attackers and not users.
    - Use of large amounts of resources (not for smart card applications, but for all others): Is there a reason why the "About window" of some computer program consumes more resources than the primary source of data security? For an attacker, it is very nice to know that the attack can be conducted on hundreds or thousands or even millions of cores running in parallel. But for a user there clearly is no advantage. If although a cipher REQUIRES megabytes of RAM to function, an attacker needs to provide that hardware as well and that makes parallellization a much more expensive task.

    Well, and a nice feature would be to deprive attackers from knowing what cipher or cipher combination was actually selected during the encryption of a message.
    Here Mr. Troutman helps a lot by acknowledging that only complexity reasons speak against the use of cascades. Well, if it's only this, then there's absolutely no need to worry!
    A cascade of 10 ciphers with each cipher being freely chosen from a set of only 5 ciphers (e.g. all AES round 2 participants) results in an increase in complexity by factor 5^10 = 9765625 over the use of a single (known) cipher!

    This would clearly deprive attackers of the knowledge of the cipher that has been used. The probability of guessing the correct cipher combination is approx. two times lower than the probability get struck by lightning!

    Maybe it's a good idea to program such a cipher and to make it publically available. Should speak nothing against that as there are no patents that can possibly be infringed and as it's the combination of something that is anyways in the public domain and finally as this "design" gets slammed here, there's probably no argument against the creation of such a cipher for use by anybody.
     
  25. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    It's not easy to parse through all of the information on your site, or your papers, but from what I can gather, the basis of PMC is a concatenation of primitives, whether it be simple generators (i.e., LCG), block ciphers (i.e., AES), et cetera. This isn't a novel idea, so I'm curious as to what warrants it having been considered as a state secret. Unfortunately, I've come across glaring mistatements that should raise flags, like, "differential cryptanalysis is a kind of attack which can only be applied to block ciphers." Differential cryptanalysis can be, and has been, applied to stream ciphers; even using a block cipher in CTR mode is essentially turning it into a stream cipher. That, and I see no mention of how to go about preserving integrity; because of that, I can't expect there to be any mention of expected goals of authenticated encryption schemes, such as IND-CCA2.

    It's unfortunate that these discussions devolve into an "oh yeah, well prove it," kind of situation, so I'm going to have to withdraw; take it as you may, but my goal is, and has been, to provide some insight on how to be better received. You make ridiculously tall claims, and somewhere between the sales pitch and cleavage, presentation and proposal are lost. It shouldn't be surprising as to why you've gotten the response you've gotten; if you could address that, it would be to your benefit. Have you considered firing up LaTeX and writing a paper on the design that clearly introduces it, defines it, explicitly reduces its security to known cryptanalytical models, and so on and so forth? How about submitting this to a CFP for some well-known conference? Instead of going against the conventional route, why not give it a go? Do you really feel that the rest of the cryptographic community is dense, and that their decades' worth of research is elementary?

    If you give those questions some serious thought and consideration, you might find that you need to put more effort into making your work more accessible.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.