Re: Introducing TGP...

["Thor (Hammer Of God)" <thor () hammerofgod com>]

I must have written it poorly. I never use the hash for authN, only to  
make any tamporing with keys evident. I'm not sure it is a requirement  
(pgp doesn't even bother making these checks) but I wanted to be extra  
careful :)



On Jun 14, 2010, at 1:22 AM, Jeffrey Walton <noloader () gmail com> wrote:

> Hi Thor,
>
> I'm probably splitting too fine a hair here...
>
> The SHA256 hashing of the private key may not result in authenticity
> assurances on the key (if I'm reading it correctly). I believe that's
> an Athenticate-then-Encrypt scheme, and the details of the
> interactions in AtE can be tricky. Hugo Krawczyk evaluated similar AtE
> systems (for example, SSL) in The Order of Encryption and
> Authentication for Protecting Communications. The two AtE schemes
> which are provably secure are (1) a block cipher operated in CBC mode,
> and (2) stream ciphers which XORs data with a pseudorandom pad.
>
> I can see where the hash might satisfy the psuedo random pad, but I
> don't see the stream cipher in the equation. Perhaps a more
> traditional Encrpyt-then-Authenticate (for example, IPSec) might be
> useful for TGP.  [At least TGP is not using Authenticate-and-Encrypt,
> which Krawczyk proved insecure (for example, early SSH)].
>
> If your using SHA-256 as the PRF of a KDF, then TGP might be reducing
> the security of the system protecting the private assymmetric key (I'm
> presuming AES-256 was chosen for a reason). AES-256 provides a
> security level of ~2^255, while SHA-256 provides ~2^128. Its mostly a
> theoretical observation: I'd attack the password/passphrase before
> attempting pre-image attacks on the hash. [After all these years,
> SHA-160 has only been reduced to ~2^50 from a theoretical 2^80, and
> 2^50  is still beyond my reach].
>
> Jeff
>
> On Sun, Jun 13, 2010 at 5:44 PM, Thor (Hammer of God)
> <Thor () hammerofgod com> wrote:
> > This is what I’ve been talking about... Here is the first part of  
> > the docs I wrote up - make sure you see that I'm not yet supportin 
> > g huge files unless you have huge RAM.  **.Net 4.0 Client profile  
> > is required to run this.**
> >
> > Right now the install bits are only available on the pilot site at: http://www.owa.hammerofgod.com 
> >  in the downloads section.   I have to wait on Raging Haggis to  
> > return from Canada before posting on www.hammerofgod.com .
> >
> > Here's a bit from the TGP Overview document included with the  
> > install and on the web site.  Please read through it before asking  
> > silly questions. :)
> >
> > Also, feel free to hack it up as much as you would like.  I know  
> > this is full disclosure, so feel free to zing them at me, or if you  
> > prefer, I can work with you on any issues you might have
> >
> > Remember, this is totally free, so my ability to handle custom  
> > requests will be limited.  For those looking to break it, I would  
> > look at fuzzing the XML documents and the "drag and drop public  
> > XML" parsing feature.
> >
> > If you have questions or challenges about any of the security, I  
> > would ask to keep it on the list so that everyone can get the full  
> > benefit of productive security development.   The read-me should  
> > pretty much lay everything out for you.  If not, we'll take it up  
> > from there.
> >
> > t
> >
> >
> >
> >
> >
> > TGP – “Thor’s Godly Privacy”
> >
> > 06/13/10 v1.1.06
> >
> >
> >
> > TGP is a small yet very powerful encryption utility.  With all eyes  
> > on “the cloud,” I decided to write an encryption application  
> > better suited to an environment where portability and security wer 
> > e, at the least, challenging.   In cloud computing, not only is th 
> > e use of file structures becoming more abstract, but the very conc 
> > ept of a “file server” is becoming more and more ubiquitous.
> >
> >
> >
> > As such, I designed TGP with “encryption for the cloud” in  
> > mind.  That means that not only does TGP do everything your normal 
> >  PGP-type applications do, but it does things a bit differently –  
> > differently in a way that can change the way you work with your en 
> > crypted data.  At the simplest level, this is done by encrypting d 
> > ata into byte arrays, and then converting those byte arrays into B 
> > ase64 encoded text wrapped inside XML tags.  In this way, not only 
> >  do you get your typical file-based encrypted representation of yo 
> > ur data, but you also get data that you can copy and paste directl 
> > y into any email, mailing list, blog-page, or social networking site.
> >
> >
> >
> > What I think is interesting about this is that if we choose to, we  
> > no longer have to be the custodians of our encrypted data – we don 
> > ’t have to worry about actually housing the files: we can just pos 
> > t them to the internet and let someone else assume the burden of s 
> > toring the files for us.
> >
> >
> >
> > If I want to share encrypted files with someone or secure my own  
> > files, all I have to do is TGP encrypt the data I want, and post it  
> > to a mailing list somewhere.  In the case of a list like Bugtraq or  
> > Full Disclosure, the data is actually automatically replicated out  
> > to any number of archive sites, thus distributing my data for me.   
> > I can literally be anywhere in the world and just do a quick search  
> > for my post to retrieve my data.  And since the TGP public key  
> > files are also text representations of encrypted key data, I can do  
> > the same with my keys.
> >
> >
> >
> > Normally, you want to keep your private keys as safe as possible.   
> > This is still the case with TGP.  However, it is trivial to build  
> > as many private keys as you wish to use for anything you want to  
> > use them for.  TGP Private Key files are password protected and  
> > individually salted, so with a strong passphrase you have very  
> > reasonable assurance that no one is going to get to your key any  
> > time soon.  So, you can create a private key with a strong  
> > password, post that, and then, say, encrypt a scan of your passport  
> > and post that.  Then if you are ever in a pinch while travelling or  
> > something like that, you can simply use Google or Bing to access  
> > your data wherever you are.
> >
> >
> >
> > Of course, that’s just an example, but I think it illustrates the  
> > power of encrypted file structures like this.  You can literally u 
> > se Facebook to post encrypted documents that you don’t have to mai 
> > ntain.
> >
> >
> >
> > That’s really the main different between TGP and an application li 
> > ke PGP.  That and of course, TGP is free, and personally, I think  
> > PGP is tardware.  It’s bloated, it’s far too expensive, it’s  
> > hard to use, and if you don’t watch your licensing, you can get sc 
> > rewed hard like I did when I didn’t want to buy the extended suppo 
> > rt and one day my encrypted drives stopped working until I paid th 
> > em.  That doesn’t fly.  TGP also doesn’t require that you are an  
> > admin to install.  However, the .NET installer for the 4.0 client  
> > profile does – that’s not my doing.  Regardless, here are the  
> > file structures TGP uses:
> >
> >
> >
> > Things that still suck about TGP
> >
> > Currently TGP uses a memory stream for the destination of the AES  
> > cryptostream.  This sucks because it makes the maximum file one can  
> > encrypt based on available memory.  It’s not a huge deal, but it d 
> > oes keep you from encrypting a gigabyte file.  I’ll be changing th 
> > at soon.
> >
> >
> >
> > Timothy “Thor” Mullen
> >
> > Hammer of God
> >
> > thor () hammerofgod com
> >
> > www.hammerofgod.com
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/