JPeschel@aol.com
Thu, 20 Aug 1998 05:53:06 EDT
In a message dated 98-08-11 18:46:10 EDT, you write:
> I downloaded the thing. It asks for a bunch of information (like e-mail
> address, name, address, 25 random keystrokes). I wrote Peter about how
> he created the key and he says it's MD5 and SHA plus some "random bytes
> from various places in the computer." The key is stored somewhere and
> protected with a password. It's always the same key. I encrypted a
> file of zeros and another file, XORed the two and got the original. A
> known plaintext attack will break every file you ever encrypt with this
> (because it only generates one key, ever.)
>
Mike Stay pointed out a plaintext attack on a
typical UBE98 encryption where XORing two encrypted
texts breaks the cipher since the key is always the
same no matter what the password is. Melih, later,
theorized, if I understood him correctly, that UBE98
could also be broken by less conventional cracking
methodology.
He's right.
UBE98 allows the user to create self-extracting
encrypted executables. This is convenient, I
suppose, for using a *symmetric* algorithm
to transmit email, but of course, you still
need to find a secure way to transmit the
password.
Finding a secure method of transmitting the
password in UBE98's case, however, makes little
difference.
I created a few self-extracting encrypted files
protected by a password. (This would be the
password that you would typically transmit in
some secure manner.) After creating the executable
I disassembled it, and changed one JE instruction
to JNE. The result: a self-extracting encrypted
file can be read if you enter an incorrect password
or, like similar snake-oil called Turbo Encrypto,
no password at all.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:59