Re: My my, how time flies ...... it's been about "1 hour" -- anyone cracked CryptoSMS yet?

Crypto_at_S.M.S
Date: 09/08/05


Date: Thu, 08 Sep 2005 08:37:58 +1000

mike4ty4@yahoo.com wrote:

> Crypto@S.M.S wrote:
>
>>Joe Peschel wrote:
>>
>>>Crypto@S.M.S wrote in news:11gsq8cgnefrl9c@news.supernews.com:
>>>
>>>
>>>
>>>>Joe Peschel wrote:
>>>>
>>>>
>>>>
>>>>>" \"- Prof. Jonez©\"" <jonez@norcom.ca> wrote in
>>>>>news:fLlPe.20$nh6.4497@news.uswest.net:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>What makes you think any attacker would have the source code
>>>>>>of any given encryption program to work with?
>>>>>>
>>>>>
>>>>>
>>>>>One always has to assume that the attacker knows everything about the
>>>>>encryption system, except the key. See Kerckhoffs' principle: "the
>>>>>security of a cryptosystem must depend only on the key," and
>>>>>Shannon's maxim: "the enemy knows the system."
>>>>>
>>>>>Schneier explained, in his May 2002 Cryptogram, why the principle is
>>>>>important.
>>>>>
>>>>> The reasoning behind Kerckhoffs' Principle is compelling.
>>>>> If the cryptographic algorithm must remain secret in
>>>>> order for the system to be secure, then the system is
>>>>> less secure. The system is less secure, because security
>>>>> is affected if the algorithm falls into enemy hands.
>>>>> It's harder to set up different communications nets,
>>>>> because it would be necessary to change algorithms as
>>>>> well as keys. The resultant system is more fragile,
>>>>> simply because there are more secrets that need to be
>>>>> kept. In a well-designed system, only the key needs to
>>>>> be secret; in fact, everything else should be assumed to
>>>>> be public.
>>>>>
>>>>>J
>>>>>
>>>>
>>>>Schneier's statement does not mention source code. It talks about
>>>>algorithms, and you already know the algorithms used by CryptoSMS.
>>>>That has been stated over&over. You know everything about these
>>>>algorithms (and the order in which they are applied),
>>>
>>>
>>>We don't know that the algorithms have been implemented properly.
>>>
>>
>>Yes you do. On startup, CryptoSMS runs the published test vectors
>>through all crypto-primitives and checks the results. Not just
>>against a single vector, but against all well-known test sets.
>>Every time CryptoSMS starts up it confirms its own implementation
>>with this built-in self-test.
>>
>
>
> Well just CLAIMING something isn't enough. We don't have the source
> code so we cannot PROVE that. It's very easy to write a program that
> will display "All tests passed!!!" without doing ANY tests at all.
> Without the source code we have NO WAY of knowing whether or not it
> does that. For example, try the following simple C program:
>
> #include <stdio.h>
>
> /* Prints a success message without running any test. */
> int main(void)
> {
>     printf("All cipher tests passed.\n");
>     return 0;
> }
>
> When you run it, it will display "All cipher tests passed." Well if we
> didn't have the above source code, just an exe file, we wouldn't know
> that it didn't do any tests (which it obviously didn't), nor would we
> know that it did!
>
> That's EXACTLY how uncertain we are about your program. We have NOTHING
> to examine -- we only have YOUR WORD. Nothing more. Your program could
> just do what I show above! We only have YOUR WORD that it doesn't. YOUR
> WORD. NOTHING MORE.
>
>
>>>>so the
>>>>conditions of Kerckhoffs' Principle have been met.
>>>
>>>
>>>No, they haven't been met. Kerckhoffs' principle said "the security of a
>>>cryptosystem must depend only on the key." I'll repeat that: "Only on the
>>>key."
>>>
>>
>>You don't need source code to crack the message.
>>You need only the algorithms, and the correct key.
>>You know the algorithms, so your ability to "crack"
>>the messages depends "Only on the key".
>>
>
>
> But we have NO IDEA if those messages were done with the cipher, or
> even the program! We NEED that source code, or we can't evaluate it at
> all.
>
>
>>>>What in the above statements compels cryptosystem implementors to
>>>>provide attackers with the source code?
>>>>
>>>
>>>
>>>This compels you to provide the source code: "In a well-designed system,
>>>only the key needs to be secret; in fact, everything else should be assumed
>>>to be public."
>>>
>>>Are you going to post the source code now, or are you going to keep it a
>>>secret?
>>>
>>>J
>>
>>No, its owners have not approved that.
>>
>
>
> Well then get them to approve it!
>
>
>>But then, it's based on the reference implementations,
>>so you can pick up the algorithms online; hence, they
>>are not secret.
>>
>
>
> We have only YOUR WORD on that, because we CANNOT see the
> source code. I could claim a program uses an "uncrackable"
> cipher and have it use a very weak one instead, and as long
> as I do not disclose the source code, no one would know.
>
>
>>If you were really trying to crack CryptoSMS messages,
>>enough details have been posted for you to run the
>>reference implementations of the stated algorithms;
>>and, (assuming that you knew the key) you would indeed
>>succeed in recovering the plain text.
>>
>
>
> But you've first got to PROVE those messages were encrypted
> with the algorithms you're claiming.
>

I never once stated that CryptoSMS is "uncrackable".

It was Joseph Ashwood who made the opposite claim, and
many posters in this newsgroup are still waiting for a
demonstration of those methods (particularly since it
involves "effectively reversing" MD5).


