Bernardo B. Terrado (bbt@mudspring.uplb.edu.ph)
Thu, 3 Sep 1998 17:27:50 +0800 (CST)
Computer Security Basics
@@@@@@@@@@@@@
***************
** @ @ **
** ^ **
** U **
***************
***********
To do the right thing(s) for the wrong reason(s) is human,
To do the right thing(s) for the right reason(s) is divine.
On Wed, 2 Sep 1998, Jim Gillogly wrote:
> Bernardo B. Terrado writes:
> > I have read that in Unix's crypt,
> > let me put it this way
> > the "book" suggested that
>
> The book? What book?
> >
> > One solution for the weakness of crypt
> > is, first compress the plaintext then run crypt on the
> > compressed data
> > moreover it said that compressed data looks like random noise (so it
> > would be very hard to decipher)
>
> Depends on the compression scheme.
>
> > My question is this,
> > In case the ciphertext is deciphered, the "decipheree" will not know
> > what compression scheme the "encipheree" used? what if he uses many
> > decompression softwares, could he still get the plaintext ?
>
> First, what are you trying to achieve? If you simply want to keep your
> data private, why not use a stronger algorithm, such as the ones used
> in PGP?
>
> Second, the amount of protection you get from this will depend
> on the resources and energy of the attacker. However, Robert H.
> Morris (NSA, ret.) offered the dictum "Never underestimate the amount
> of effort the enemy will undertake to get your plaintext."
>
> The easiest attack on crypt is if the plaintext is in English or
> some other standard ASCII-based language. In this case one can
> use Crypt Breaker's Workbench by Bob Baldwin, available at the
> usual sites. However, the docs say it can't be used on binary files.
> Assume, then, that your attacker will start with CBW and modify it
> to work with binary files.
>
> If the compression used is the old standard Unix "compress" it
> shouldn't be impossible if there's enough ciphertext, since "compress"
> is quite heavy on NULs. The same is true of both GIF and JPEG. Gzip,
> however, has a very flat table and would make the recovery
> challenging. Some of the standard compression packages like gzip and
> pkzip leave some known plaintext at the beginning as recognition
> characters, and that's important for the attacker. If the attacker can
> guess the beginning of your plaintext (e.g. "#include <stdio.h>" or
> something) she's got an even better chance.
>
> However, with good compression and no hints even a weak encryption
> system gives a surprising amount of help. ARJ, for example, uses
> a Vigenere-like encryption, and if there is only one file in the
> ARJ package it's difficult to spot patterns in it.
>
> I know, that's more than you wanted to hear, so here's an executive
> summary: if you really care about your data, use stronger encryption
> than "crypt (1)" and don't worry about ways to put band-aids on it.
>
> Jim Gillogly
>
>
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:13:58