For Beginners & Professional Hackers

home *** CD-ROM | disk | FTP | other *** search

/ For Beginners & Professional Hackers / cd.iso / hackers / tools / diskreet.ha / DISKREET.TXT < prev next >

Wrap

Text File | 1997-05-13 | 19.1 KB | 412 lines

─ [5] RU.HACKER (2:5030/145.17) ──────────────────────────────────── RU.HACKER ─ Msg : 434 of 909 + 531 From : Dmitry Borisov 2:5077/7.11 æα 09 Çóú 95 19:07 To : All Subj : DiskReet ──────────────────────────────────────────────────────────────────────────────── .MSGID: 2:5077/7.11 302907ab ├┤ello All! └──── èΓ«-¡¿íπñ∞ ß¬áªÑΓ ¬á¬ »«ñ«íαáΓ∞ »áα«½∞ ¬ »α«úαá¼¼Ñ ºáΦ¿Σα«óá¡¡«⌐ ¡«αΓ«¡«óß¬¿¼ subj'«¼ ? Good Luck, Dmitry. --- GoldED 2.40+ * Origin: æαÑñá «í¿Γá¡¿∩ ═══. (2:5077/7.11) .PATH: 5077/7 3 5020/144 214 5030/23 108 53 145 ─ [5] RU.HACKER (2:5030/145.17) ──────────────────────────────────── RU.HACKER ─ Msg : 531 of 909 - 434 + 543 From : Andrew Katasonov 2:5079/1.50 ÅΓ 11 Çóú 95 17:29 To : All Subj : Diskreet ──────────────────────────────────────────────────────────────────────────────── .MSGID: 2:5079/1.50 302bc9ff .EID: TM-Ed 1.6 .PID: TM-Ed 1.6 Andrew Katasonov çñañßΓóπ⌐ ñ«ñ«ú«⌐ ññπº¿ΘÑ All! KΓ« ¡¿íπñ¿ ¬α∩¬a½ subj ¡a »αÑñ¼ÑΓ »aα«½∩, a Γ« ΓπΓa ¡a ÑßΓ∞ ñóa ñ¿ß¬a ºa½«τÑ¡δσ subje¼, «íδτ¡δÑ Γ« »aα«½¿ αaí«ΓaεΓ, a Master Password.... ¡π ó«íΘÑ¼ ¡Ñ ¿ºóÑßΓÑ¡ ? Hπ ñ«α«ú«⌐ ALL »«¼«ú¿ πª. æ »½a¼Ñ¡¡δ¼ »αεóÑΓ«¼, Andrew. --- TM-Ed 1.6 * Origin: -> ôß½«ó¡δ⌐ ß¿ú¡á½: Γα¿ ºÑ½Ñ¡δσ ßó¿ßΓ¬á <- (2:5079/1.50) .PATH: 5079/1 9 5080/22 5020/400 144 214 5030/23 108 53 145 ─ [5] RU.HACKER (2:5030/145.17) ──────────────────────────────────── RU.HACKER ─ Msg : 543 of 909 - 531 + 569 From : Dmitry Zotkin 2:5020/206 ÅΓ 11 Çóú 95 17:15 To : Dmitry Borisov Subj : DiskReet ──────────────────────────────────────────────────────────────────────────────── .MSGID: 2:5020/206 302b908a .REPLY: 2:5077/7.11 302907ab Hello Dmitry! 09 Aug 95, Dmitry Borisov writes to All: DB> èΓ«-¡¿íπñ∞ ß¬áªÑΓ ¬á¬ »«ñ«íαáΓ∞ »áα«½∞ ¬ »α«úαá¼¼Ñ ºáΦ¿Σα«óá¡¡«⌐ DB> ¡«αΓ«¡«óß¬¿¼ subj'«¼ ? ============================================================================= From msuinfo!agate!howland.reston.ans.net!wupost!waikato!auckland.ac.nz!news Th u Jul 14 22:27:59 1994 Path: msuinfo!agate!howland.reston.ans.net!wupost!waikato!auckland.ac.nz!news From: pgut1@cs.aukuni.ac.nz (Peter Gutmann) Newsgroups: sci.crypt,comp.security.misc Subject: Norton's [In]Diskreet: An update Followup-To: sci.crypt Date: 13 Jul 1994 17:21:57 GMT Organization: University of Auckland Lines: 96 Sender: pgut1@cs.aukuni.ac.nz (Peter Gutmann) Message-ID: <3017rl$8j4@ccu2.auckland.ac.nz> NNTP-Posting-Host: cs13.cs.aukuni.ac.nz X-Newsreader: NN version 6.5.0 #7 (NOV) Xref: msuinfo sci.crypt:29634 comp.security.misc:10693 Last November I picked apart part of the Diskreet encryption program and posted what I found to this group. By some miracle I had a bit of spare time this afternoon, so I've had another quick look at it. The result is some more information on the proprietary encryption algorithm and the file format it uses. First, a recap of what I presented last time: The key setup process is very badly done. The front-end gets a password in the range of 6..40 characters, and converts it to all-uppercase. Then it packs it into a struct along with a collection of other information and passes it to the DES library used by Diskreet. The first thing this does is take the password and reduce it to 64 bits by cyclically xor-ing the full-length password into an 8-byte buffer initially set to all zeroes, ie: for( index = 0; password[ index ]; index++ ) buffer[ index % 8 ] = password[ index ]; It then performs what looks like a standard DES key schedule with the 64-bit output from this operation. This creates 128 bytes of subkeys for encryption and 128 bytes of subkeys for decryption. These are either used for the proprietary encryption method or for DES encryption. Here's a rundown of the proprietary method: All operations are performed on 16-bit words. byteSwap() performs an endianness-reversal on a word. Chaining is performed by xor-ing in the previous ciphertext word. The keyTable is the 256-byte array of DES subkeys, treated as an array of words. data[ -1 ] = 0x1234; index = sectorNo % 128; index = keyTable[ index ] % 128; for( i = 0; i < SECTOR_SIZE / 2; i++ ) { value = keyTable[ index++ ] + data[ i ]; byteSwap( value ); value ^= data[ i - 1 ]; data[ i ] = value; index %= 128; } As can be seen, a known-plaintext attack will recover the (expanded) encryption key without too much trouble - it's just a repeated addition of a 128-word array to the data, with the previous word xor'd in for chaining purposes. The xor and byteSwap are basically nop's and can be stripped off without any problems, revealing the key stream used to encrypt the data. Since encryption is done by sectors, the same key data is used twice for each sectors. How do we perform a known-plaintext attack? It's quite simple actually, since Diskreet itself provides us with about as much known plaintext as we need. The file format is: General header BYTE[ 16 ] "ABCDEFGHENRIXYZ\0" char[ 13 ] fileName LONG fileDate BYTE fileAttributes LONG fileSize LONG file data start BYTE[ 16 ] 0 File data BYTE[ 32 ] 0 Padding to make it a multiple of 512 bytes Everything from the 16-byte magic value to the end of the file is encrypted in blocks of 512 bytes. The proprietary scheme will directly reveal its key stream on the 16-byte check value, the 16 bytes of zeroes at the start, and the 32 bytes (minimum) of zeroes at the end of the data. Interestingly enough, the presence of the 16-byte known plaintext right at the start would tend to confirm the rumours that that's one of the criteria for having an encryption program approved by the NSA. The plaintext also gives us the name of one of the programmers involved. In my previous posting I said: The encryption itself uses DES in CBC mode with a fixed IV. This means that, in combination with the tiny key space, it's possible to create a precomputed collection of plaintext/ciphertext pairs and "break" most encrypted files by reading the results out of a table. The 16-byte known plaintext makes this attack a certainty. In addition, if two pieces of data are encrypted with the same key, one with the proprietary method and one with DES, the DES key can be recovered from the proprietary-encrypted data and used to decrypt the DES-encrypted data. Again quoting from my previous posting: In summary, there may be a correct DES implementation in there somewhere, but it doesn't help much. [In]Diskreet will stop a casual browser, but won't give you any protection at all against any serious attack. ============================================================================= Dmitry aka G. --- GoldED 2.40 * Origin: î¡«ú« ¡Ñ∩ß¡«ú« ó ßΓαá¡¡«⌐ ßΓαá¡Ñ... (2:5020/206) .PATH: 5020/206 146 68 144 214 5030/23 108 53 145 ─ [5] RU.HACKER (2:5030/145.17) ──────────────────────────────────── RU.HACKER ─ Msg : 569 of 909 - 543 + 572 From : Sergei Gorelov 2:5030/304.7 éß 13 Çóú 95 13:59 To : Dmitry Borisov Subj : DiskReet ──────────────────────────────────────────────────────────────────────────────── .MSGID: 2:5030/304.7 302e05c5 .REPLY: 2:5077/7.11 302907ab .TID: FastEcho 1.45 2007891351 Hello Dmitry. 09 Aug 95 19:07, Dmitry Borisov wrote to All: DB> èΓ«-¡¿íπñ∞ ß¬áªÑΓ ¬á¬ »«ñ«íαáΓ∞ »áα«½∞ ¬ »α«úαá¼¼Ñ ºáΦ¿Σα«óá¡¡«⌐ DB> ¡«αΓ«¡«óß¬¿¼ subj'«¼ ? ÅδΓá½ß∩ ∩ óßó«Ñ ópÑ¼∩ φΓ« ß½«¼áΓ∞ - πíÑñ¿½ß∩ τΓ« ¡Ñó«º¼«ª¡« ! ç¢: üδ½ »páóñá »«Γ«¼ ¼«⌐ ß ñpπúá¡«¼ óáp¿á¡Γ ¬«Γ«pδ⌐ óδñ«óá½ 256*256 »áp«½Ñ⌐, ßpÑñ¿ ¬«Γ«pδσ íδ½ »páó¿½∞¡δ⌐ ¡« úñÑ «¡ ßÑτáß ∩ ¡Ñº¡áε. æ πóáªÑ¡¿Ñ¼, Sergei --- GoldED 2.50.Beta5+ * Origin: Verba volant, scripta monent ! (2:5030/304.7) .PATH: 5030/304 71 23 108 53 145 ─ [5] RU.HACKER (2:5030/145.17) ──────────────────────────────────── RU.HACKER ─ Msg : 572 of 909 - 569 + 641 From : Sergei Gorelov 2:5030/304.7 éß 13 Çóú 95 16:29 To : Andrew Katasonov Subj : Diskreet ──────────────────────────────────────────────────────────────────────────────── .MSGID: 2:5030/304.7 302e28b0 .REPLY: 2:5079/1.50 302bc9ff .TID: FastEcho 1.45 2007891351 Hello Andrew. 11 Aug 95 17:29, Andrew Katasonov wrote to All: AK> KΓ« ¡¿íπñ¿ ¬α∩¬a½ subj ¡a »αÑñ¼ÑΓ »aα«½∩, a Γ« ΓπΓa ¡a ÑßΓ∞ ñóa AK> ñ¿ß¬a ºa½«τÑ¡δσ subje¼, «íδτ¡δÑ Γ« »aα«½¿ αaí«ΓaεΓ, a Master Password.... AK> ¡π ó«íΘÑ¼ ¡Ñ ¿ºóÑßΓÑ¡ ? Hπ ñ«α«ú«⌐ ALL »«¼«ú¿ πª. Hπ Γδ ñáÑΦ∞ - ß½«¼áΓ∞ Γá¬«Ñ ¼«ª¡« τáßá ºá Γp¿ ¿ºópáΘÑ¡¿⌐ Γá¬«ú« p«ñá: üÑpÑΦ∞ ¡«óδ⌐ ñ¿ß¬pÑÑΓ, ßΓáó¿Φ∞ ¼áßΓÑp »áp«½∞, ß«σpá¡∩ÑΦ∞, ¼Ñ¡∩ÑΦ∞ ¿ óδτ¿ß½∩ÑΦ∞ Ñú« áñpÑßß, ñá½ÑÑ ºá»¿ßδóáÑΦ∞ »áp«½∞ ÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇ ¿ ß¼«Γp¿Φ∞ ¬á¬ «¡ ºá¬«ñ¿p«óá½ß∩: ¬áªñ«⌐ íπ¬óÑ ÑßΓ∞ ¬«ñ ¬«Γ«pδ⌐ ¡Ñ ºáó¿ß¿Γ «Γ «ßΓá½∞¡δσ íπ¬ó, ¡« ºáó¿ß¿Γ «Γ ÑÑ »«p∩ñ¬«ó«ú« ¡«óÑpá ó »«pá½Ñ. äá½ÑÑ ¡áí¿páÑΦ∞ ééééééééééééééé ¿ «»∩Γ∞ ß¼«Γp¿Φ∞ ¬«ñ, »«Γ«¼ æææææææææææææææ ¿ Γ.ñ. »«Γ«¼ »«½πτÑ¡πε ¿¡Σ«p¼áµ¿ε «»¿ßδóáÑΦ∞ ó ó¿ñÑ Σá⌐½á ¿ »¿ΦÑΦ∞ φ½Ñ¼-¡δ⌐ »p«úpá¼¼. è«úñá Γ«, ú«ñπ ó 92 ∩ φΓ« ñÑ½« ß½«¼á½, ¡« »p«úpá¼¼á πªÑ »«ΓÑp∩½áß∞ Γá¬ τΓ« »¿Φ¿ ßá¼. åÑ½áε πß»ÑΦ¡«⌐ páí«Γδ, Sergei --- GoldED 2.50.Beta5+ * Origin: Verba volant, scripta monent ! (2:5030/304.7) .PATH: 5030/304 71 23 108 53 145 ─ [5] RU.HACKER (2:5030/145.17) ──────────────────────────────────── RU.HACKER ─ Msg : 641 of 909 - 572 + 696 From : Alexander Nedotsukov 2:5051/3 Å¡ 14 Çóú 95 17:54 To : Andrew Katasonov Subj : Diskreet ──────────────────────────────────────────────────────────────────────────────── .MSGID: 2:5051/3.0 302fe22c .PID: BWRA 3.02 [Reg] .TID: FastEcho 1.45 1377 Hi there, Andrew Katasonov! AK> KΓ« ¡¿íπñ¿ ¬α∩¬a½ subj ¡a »αÑñ¼ÑΓ »aα«½∩, a Γ« ΓπΓa ¡a ÑßΓ∞ AK> ñóa ñ¿ß¬a ºa½«τÑ¡δσ subje¼, «íδτ¡δÑ Γ« »aα«½¿ αaí«ΓaεΓ, a Master AK> Password.... ¡π ó«íΘÑ¼ ¡Ñ ¿ºóÑßΓÑ¡ ? Hπ ñ«α«ú«⌐ ALL »«¼«ú¿ πª. àß½¿ ∩ ΓÑí∩ »αáó¿½∞¡« »«¡∩½, Γ« ß»ÑΦπ «íαáñ«óáΓ∞ ó %SUBJ% Master Password »«½¡á∩ &^%$##!!! Å¿Φ¿ Γá¬: DEL DISKREET.INI ¿ ¡« »α«í½Ñ¼ß ;-) ç¡áτ¿ΓÑ½∞¡« í«½∞Φ¿⌐ ¿¡ΓÑαÑß »αÑñßΓáó½∩εΓ ¿¼Ñ¡¡« '«íδτ¡δÑ »áα«½¿'. BTW ¿¡«úñá ¿σ ¼«ª¡« πº¡áΓ∞ ¿ßσ«ñ∩ ¿º Master Password'a (70% ¿ºóÑßΓ¡δσ ¼¡Ñ ñ¿ß¬α¿Γτ¿¬«ó ñÑ½á½¿ ¿σ «ñ¿¡á¬«óδ¼¿ ß ¼áßΓÑα«¼) Γ.¬. IMHO τÑú«-Γ« Norton¢ Γá¼ ¡Ñ Γ«ú« ... é«ßßΓá¡«ó¿Γ∞ Ñú« ¼«ª¡« «τÑ¡∞ ñáªÑ »α«ßΓ«: OpenFile DISKREET.INI at 64h; for (byXor = 35h; (by = GetByte()) != 0; byXor += 36h) { if ((by ^= byXor) == 0) by = 33h; OutByte( by ); // ºñÑß∞ íπñπΓ ¡πª¡δÑ íπ¬δóδ ;-))) } Sincerely Yours, Alexander. ... I think that I think now... --- Blue Wave/RA v2.05 * Origin: User of Freight Express BBS (2:5051/3) .PATH: 5051/3 11 15 5020/400 144 214 5030/23 108 53 145 ─ [5] RU.HACKER (2:5030/145.17) ──────────────────────────────────── RU.HACKER ─ Msg : 696 of 909 - 641 From : Yuri Kuzmenko 2:463/136.9 Å¡ 14 Çóú 95 22:31 To : All Subj : DISKREET ──────────────────────────────────────────────────────────────────────────────── .MSGID: 2:463/136.9 302fcf2f .TID: GE 1.1+ Åp¿óÑΓ All! ██████████████████████████████████████████████████████████████████████████████ èΓ«-Γ« ºñÑß∞ ¼Ñß∩µ-ñóá ¡áºáñ ¬¿ñá½ 3 ¬πß¬á ¬p∩¬¿ ¬ ßáíªπ. ÄßΓá½∞¡δσ ¡Ñ íδ½«. ÄâÉÄîHÇƒ ÅÉÄæ£üÇ ÅÄéÆÄÉêÆ£ ¬p∩¬. ██████████████████████████████████████████████████████████████████████████████ Yuri . -\ [Crack Soft BBS] [SysOp: Yuri Kuzmenko] [Work: 23-06] /- -/ [380-44-5607402] [2:463/136.9] [2:463/74.9] [12:7/5] \- --- GEcho 1.10+ * Origin: * Crack Soft * 2:463/136.9 * 5607402 * 00-06 * (2:463/136.9) .PATH: 463/136 82 94 58 5020/215 68 144 214 5030/23 108 53 145 ─ [8] RU.SECURITY (2:5030/145.17) ──────────────────────────────── RU.SECURITY ─ Msg : 924 of 924 -922 From : Vladimir Kulakov 2:5030/69.16 29 á»αÑ½∩ 96 14:51 To : Alexander Chentukov Subj : Diskreet ──────────────────────────────────────────────────────────────────────────────── .MSGID: 2:5030/69.16 3184a673 .REPLY: 2:5020/468.44 31813429 .PID: GED 2.41+ 3393 .CHARSET: ALT Hello Alexander! Friday April 26 1996 19:35, Alexander Chentukov wrote to All: VK>> H¿¬á¬¿σ DES'«ó! Åα«ßΓ«⌐ DES ß½«¼á¡ αáº ¿ ¡áóßÑúñá. î«ª¡« ¿ß»«½∞º«óáΓ∞ VK>> Γ«½∞¬« triple-DES. VK>> üÑºúαá¼«Γ¡«ßΓ∞ αÑá½¿ºáµ¿¿ DES'á ó Diskreet'Ñ ó«Φ½á πªÑ ó« óßÑ FAQ'¿ »« AC> ^^^^^^^^^^^ The Federal Data Encryption Standard (DES) used to be a good algorithm for most commercial applications. But the Government never did trust the DES to protect its own classified data, because the DES key length is only 56 bits, short enough for a brute force attack. Also, the full 16-round DES has been attacked with some success by Biham and Shamir using differential cryptanalysis, and by Matsui using linear cryptanalysis. The most devastating practical attack on the DES was described at the Crypto '93 conference, where Michael Wiener of Bell Northern Research presented a paper on how to crack the DES with a special machine. He has fully designed and tested a chip that guesses 50 million DES keys per second until it finds the right one. Although he has refrained from building the real chips so far, he can get these chips manufactured for $10.50 each, and can build 57000 of them into a special machine for $1 million that can try every DES key in 7 hours, averaging a solution in 3.5 hours. $1 million can be hidden in the budget of many companies. For $10 million, it takes 21 minutes to crack, and for $100 million, just two minutes. With any major government's budget for examining DES traffic, it can be cracked in seconds. This means that straight 56-bit DES is now effectively dead for purposes of serious data security applications. (êº απ¬«ó«ñßΓóá »« PGP) There are a small number of other programs available which claim to provide disk security of the kind provided by SFS. However by and large these tend to use badly or incorrectly implemented algorithms, or algorithms which are known to offer very little security. One such example is Norton's Diskreet, which encrypts disks using either a fast proprietary cipher or the US Data Encryption Standard (DES). The fast proprietary cipher is very simple to break (it can be done with pencil and paper), and offers protection only against a casual browser. Certainly anyone with any programming or puzzle-solving skills won't be stopped for long by a system as simple as this[1]. The more secure DES algorithm is also available in Diskreet, but there are quite a number of implementation errors which greatly reduce the security it should provide. Although accepting a password of up to 40 characters, it then converts this to uppercase-only characters and then reduces the total size to 8 characters of which only a small portion are used for the encryption itself. This leads to a huge reduction in the number of possible encryption keys, so that not only are there a finite (and rather small) total number of possible passwords, there are also a large number of equivalent keys, any of which will decrypt a file (for example a file encrypted with the key 'xxxxxx' can be decrypted with 'xxxxxx', 'xxxxyy', 'yyyyxx', and a large collection of other keys, too many to list here). These fatal flaws mean that a fast dictionary-based attack can be used to check virtually all possible passwords in a matter of hours on a standard PC. In addition the CBC (cipher block chaining) encryption mode used employs a known, fixed initialisation vector (IV) and restarts the chaining every 512 bytes, which means that patterns in the encrypted data are not hidden by the encryption. Using these two implementation errors, a program can be constructed which will examine a Diskreet-encrypted disk and produce the password used to encrypt it (or at least one of the many, many passwords capable of decrypting it) within moments. In fact, for any data it encrypts, Diskreet writes a number of constant, fixed data blocks (one of which contains the name of the programmer who wrote the code, many others are simply runs of zero bytes) which can be used as the basis of an attack on the encryption. Even worse, the very weak proprietary scheme used by Diskreet gives away the encryption key used so that if any two pieces of data are encrypted with the same password, one with the proprietary scheme and the other with Diskreet's DES implementation, the proprietary-encrypted data will reveal the encryption key used for the DES-encrypted data[1]. These problems are in fact explicitly warned against in any of the documents covering DES and its modes of operation, such as ISO Standards 10116 and 10126-2, US Government FIPS Publication 81, or basic texts like Denning's "Cryptography and Data Security". It appears that the authors of Diskreet never bothered to read any of the standard texts on encryption to make sure they were doing things right, or never really tested the finished version. In addition the Diskreet encryption code is taken from a code library provided by another company rather than the people who sell Diskreet, with implementation problems in both the encryption code and the rest of Diskreet. (êº απ¬«ó«ñßΓóá »« SFS) é»α«τÑ¼, »αÑíδóáε »«ßΓ«∩¡¡« ß ¿ß¬αÑ¡¡¿¼ ªÑ½á¡¿Ñ¼ « óáΦÑ¼ »«½¡«¼ í½áú«»«½πτ¿¿, Vladimir --- Golded 2.40.0720 --- * Origin: B.C.K. NumberCruncher (2:5030/69.16) .PATH: 5030/69 6 23 108 53 145