Berkeley CSUA MOTD:Entry 13849
1998/3/22-23 [Computer/SW/Security] UID:13849 Activity:high
3/21    Ron Rivest is at it again: he's invented a technique to achieve
        message confidentiality with hash functions and no encryption,
        simple, intuitive, and completely non-export-controlled.
        http://theory.lcs.mit.edu/~rivest/chaffing.txt
        \_ note that he's just rephrased steganography to have a more dynamic
           method of mixing the message bits into another data stream, and he
           relies on message authentication to reject the superfluous data.
           old mechanical crypto systems in the 60s did stuff like that
           but filtered by using the same pseudo-random sequence as the
           sender. Rivest's method will require a good random generator at
           the sender (to permute packet order for the chaff). it will
           \_ why do you think that?  my reading of his text didn't imply
              any packet order changes, just one or more chaff mesgs per
              valid packet.  please mail me --oj
              \_ The packets go out in the same order, but you have to send
                 chaff too, and the chaff has to be in an unpredictable
                 order with respect to the wheat.  If you always do
                 wheat1-chaff1-chaff1 wheat2-chaff2-chaff2 wheat3-chaff3-chaff3
                 it's not hard to figure out where the wheat is.
           also probably make everybody's exportable authentication code
           get reclassified as munitions, now that someone's pointed out
           how it "really is encryption" (the way regulators think). --karlcz
           p.s. he also requires that the secret authentication key get
           transported by some other secure means (public-key encryption
           for those of us without exploding-attache-case couriers ;-).
        \_ I'm not too terribly impressed.  As karlcz pointed out there's
           still this secret-key business that's required to create valid MACs
           and I'm not really psyched about the typical CSUA idiot adding
           300 chaff packets per wheat packet to keep their email and porn
           URLs secret from "Them".  The net is slogged enough as it is.
           What really needs to happen is to drop the ridiculous export
           controls.  If I'm a terrorist or in the mafia, I _am_ going to
           \_ That was exactly Rivest's point, though.  Obviously a block
              cipher is much more effective than chaffing, but it's currently
              in a very different political position.  But Rivest's own
              conclusion is: "Mandating government access to all communications
              is not a viable alternative.  The cryptography debate should
              proceed by mutual education and voluntary actions only."  That
              goes for international controls as well as domestic.
           use the best possible encryption for all communications, and
           be damned the US law.  Hello, duh, a terrorist or high powered
           mafioso is already going away for life.  Going to add 3 months
           of consecutive time for an encryption export violation?!?
           \_ you miss the point.  If encryption were export legal, then it'd
              be easy to market via consumer channels.  Once that happens,
              you can pretty much kiss good-bye law enforcement's ability to
              wire-tap even the petty criminals.
              \_ So the point wasn't to make a decent and reasonable secure
                 communications method, but was simply to snub law enforcement
                 with a hacked end run?
                 \_ Yeah, kinda looks that way.
Cache (8192 bytes)
theory.lcs.mit.edu/~rivest/chaffing.txt
Chaffing and Winnowing: Confidentiality without Encryption
Ronald L. Rivest
MIT Lab for Computer Science
March 18, 1998 (rev.

There are two major techniques for achieving confidentiality:

-- Steganography: the art of hiding a secret message within a larger one in such a way that the adversary can not discern the presence or contents of the hidden message. For example, a message might be hidden within a picture by changing the low-order pixel bits to be the message bits.

The legitimate receiver possesses a secret decryption key that allows him to reverse the encryption transformation and retrieve the message. The sender may have used the same key to encrypt the message (with symmetric encryption schemes) or used a different, but related key (with public-key schemes). DES and RSA are familiar examples of encryption schemes.

This paper introduces a new technique, which we call "chaffing and winnowing" (to winnow is to "separate out or eliminate (the poor or useless parts)," per Webster's Dictionary, and the word is often used when referring to the process of separating grain from chaff).

Novel techniques for confidentiality are interesting in part because of the current debate about cryptographic policy as to whether law enforcement should be given, when authorized, surreptitious access to the plaintext of encrypted messages. The usual technique proposed for such access is "key recovery," where law enforcement has a "back door" that enables them to recover the decryption key. As usual, the policy debate about regulating technology ends up being obsoleted by technological innovations. Trying to regulate confidentiality by regulating encryption closes one door and leaves two open (steganography and winnowing).

We now explain how a confidentiality system based on winnowing works. There are two parts to sending a message: authenticating (adding MACs), and adding chaff. The recipient removes the chaff to obtain the original message.

The sender breaks the message into packets, and authenticates each packet using a secret authentication key. That is, the sender appends to each packet a "message authentication code" or "MAC" computed as a function of the packet contents and the secret authentication key, using some standard MAC algorithm, such as HMAC-SHA1 (see Krawczyk et al.). We have the transformation of appending a MAC thus:

    packet --> packet, MAC

The packet is still "in the clear". We note that software that merely authenticates messages by adding MACs is automatically approved for export, as it is deemed not to encrypt.

There is a secret key shared by the sender and the receiver to authenticate the origin and contents of each packet: the legitimate receiver, knowing the secret authentication key, can determine that a packet is authentic by recomputing the MAC and comparing it to the received MAC. If the comparison fails, the packet and its MAC are automatically discarded. The sender and the receiver can initially create and agree upon the secret authentication key with any standard technique, such as authenticated Diffie-Hellman.

We note that it is typical for each packet to contain a serial number as well. For example, when a long file is transmitted it is broken up into smaller packets, and each packet carries a unique serial number. The serial numbers help the receiver to remove duplicate packets, identify missing packets, and to correctly order the received packets when reassembling the file. The MAC for a packet is computed as a function of the serial number of the packet as well as of the packet contents and the secret authentication key. As an example, we might have a sequence of the form:

    (1,Hi Bob,465231)
    (2,Meet me at,782290)
    (3,7PM,344287)
    (4,Love-Alice,312265)

of triples of sequence number, message, and MAC.

The second process involved in sending a message is adding "chaff": adding fake packets with bogus MACs. The chaff packets have the correct overall format, have reasonable serial numbers and reasonable message contents, but have MACs that are not valid. The chaff packets may be randomly intermingled with the good (wheat) packets to form the transmitted packet sequence. Extending the preceding example, chaff packets might make the received sequence look like:

    (1,Hi Larry,532105)
    (1,Hi Bob,465231)
    (2,Meet me at,782290)
    (2,I'll call you at,793122)
    (3,6PM,891231)
    (3,7PM,344287)
    (4,Yours-Susan,553419)
    (4,Love-Alice,312265)

In this case, for each serial number, one packet is good (wheat) and one is bad (chaff). Instead of randomly intermingling the chaff with the wheat, the packets can also be output in sorted order, sorting first by serial number, and then by message contents.

To obtain the correct message, the receiver merely discards all of the chaff packets, and retains the wheat packets. In a typical packet-based communication system the receiver will automatically discard all packets with bad MACs. So the "winnowing" process is a normal part of such a system. As above, "winnowing" is the (usual) process of discarding all packets with bad MACs. We call the good packets "wheat" for consistency of metaphor.

This depends on the MAC algorithm, on how the original message is broken into packets, and on how the chaffing is done. A typical MAC algorithm (such as HMAC-SHA1) will appear to act like a "random function" to the adversary, and in such a case the adversary will not be able to distinguish wheat from chaff. It is possible in principle, however, to have an unfortunate MAC algorithm that "leaks" information about the message being MAC'ed, allowing the adversary to gain an advantage in distinguishing wheat from chaff. For example, one could define a LEAKY-HMAC-SHA1 MAC algorithm to have an output that is the concatenation of the output of the HMAC-SHA1 algorithm together with the low-order bit of the message being MAC'ed. However, in practice (and in theory) one looks for MAC algorithms that are indistinguishable from random functions, and such algorithms also work fine in a chaffing and winnowing application.

Note that the problem of providing confidentiality by chaffing and winnowing is based on the difficulty (for the adversary) of distinguishing the chaff from the wheat. It is *not* based on the difficulty of breaking an encryption scheme, since there is no encryption being performed (although confidentiality may be obtained nonetheless, just as for steganography).

If the adversary sees only one packet with a given serial number, then that packet is probably wheat, and not chaff. So a good chaffing process will add at least one chaff packet for each packet serial number used by the message. The adversary may also distinguish wheat from chaff by the contents of each packet. If the wheat packets each contain an English sentence, while the chaff packets contain random bits, then the adversary will have no difficulty in winnowing the wheat from the chaff himself. On the other hand, if each wheat packet contains a single bit, and there is a chaff packet with the same serial number containing the complementary bit, then the adversary will have a very difficult (essentially impossible) task. Being able to distinguish wheat from chaff would require him to break the MAC algorithm and/or know the secret authentication key used to compute the MACs. With a good MAC algorithm, the adversary's ability to winnow is nonexistent, and the chaffing process provides perfect confidentiality of the message contents. I stress that the sending process for chaffing and winnowing is not encryption.

Let us assume that the original message is broken into very short (one-bit) packets, and that MACs have been added to each such packet to create the wheat packets. Here each MAC might be 64 bits in length, and each serial number 32 bits long. The process of creating chaff is also easy: just create a chaff packet with whatever serial number and packet contents you may like, and include a random 64-bit MAC value. This MAC value is overwhelmingly likely to be bad, and thus the packet created is overwhelmingly likely to be chaff. Again, it is assumed here that an adversary, not knowing the secret authentication key, can not distinguish a good (wheat) packet from a ba...
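The following is an added example, not code from the MOTD thread or from Rivest's paper, of the one-bit-packet scheme the cached text describes and the ordering point raised in the thread: each message bit becomes a wheat packet (serial, bit, HMAC-SHA1 truncated to 64 bits), every serial number also gets a chaff packet carrying the complementary bit with a random MAC, the stream is emitted sorted by (serial, contents), and the receiver winnows by MAC verification. The shared key, message, and big-endian bit layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets

MAC_BYTES = 8       # the paper's example: a 64-bit MAC
SERIAL_BYTES = 4    # the paper's example: a 32-bit serial number


def mac(key: bytes, serial: int, bit: int) -> bytes:
    """MAC over serial number and contents (HMAC-SHA1 truncated to 64 bits)."""
    data = serial.to_bytes(SERIAL_BYTES, "big") + bytes([bit])
    return hmac.new(key, data, hashlib.sha1).digest()[:MAC_BYTES]


def chaff(key: bytes, message: bytes) -> list[tuple[int, int, bytes]]:
    """Sender: one wheat packet per message bit, plus one chaff packet with the
    complementary bit and a random MAC. Output is sorted by (serial, bit), one
    of the two orderings the paper allows, so position reveals nothing."""
    packets, serial = [], 0
    for byte in message:
        for shift in range(7, -1, -1):          # constructed: MSB-first bit order
            bit = (byte >> shift) & 1
            packets.append((serial, bit, mac(key, serial, bit)))               # wheat
            packets.append((serial, bit ^ 1, secrets.token_bytes(MAC_BYTES)))  # chaff
            serial += 1
    packets.sort(key=lambda p: (p[0], p[1]))
    return packets


def winnow(key: bytes, packets: list[tuple[int, int, bytes]]) -> bytes:
    """Receiver: keep only packets whose MAC verifies, then reassemble by serial."""
    bits = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, mac(key, serial, bit)):
            bits[serial] = bit
    out = bytearray()
    for start in range(0, len(bits), 8):
        byte = 0
        for serial in range(start, start + 8):
            byte = (byte << 1) | bits[serial]
        out.append(byte)
    return bytes(out)


def candidates_per_serial(packets) -> dict[int, set[int]]:
    """What an eavesdropper without the key sees: the contents offered for each
    serial number. With one complementary chaff packet per wheat packet this is
    always {0, 1}, so the stream alone cannot be winnowed."""
    seen: dict[int, set[int]] = {}
    for serial, bit, _ in packets:
        seen.setdefault(serial, set()).add(bit)
    return seen
```

A chaff MAC that happens to verify has probability 2^-64 per packet, which is why the paper calls the random MAC "overwhelmingly likely to be bad"; the receiver needs no special handling for it beyond the normal MAC check.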