Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Introducing TGP...
From: "Thor (Hammer Of God)" <thor () hammerofgod com>
Date: Mon, 14 Jun 2010 07:21:29 -0700

I must have written it poorly. I never use the hash for authN, only to  
make any tamporing with keys evident. I'm not sure it is a requirement  
(pgp doesn't even bother making these checks) but I wanted to be extra  
careful :)



On Jun 14, 2010, at 1:22 AM, Jeffrey Walton <noloader () gmail com> wrote:

Hi Thor,

I'm probably splitting too fine a hair here...

The SHA256 hashing of the private key may not result in authenticity
assurances on the key (if I'm reading it correctly). I believe that's
an Athenticate-then-Encrypt scheme, and the details of the
interactions in AtE can be tricky. Hugo Krawczyk evaluated similar AtE
systems (for example, SSL) in The Order of Encryption and
Authentication for Protecting Communications. The two AtE schemes
which are provably secure are (1) a block cipher operated in CBC mode,
and (2) stream ciphers which XORs data with a pseudorandom pad.

I can see where the hash might satisfy the psuedo random pad, but I
don't see the stream cipher in the equation. Perhaps a more
traditional Encrpyt-then-Authenticate (for example, IPSec) might be
useful for TGP.  [At least TGP is not using Authenticate-and-Encrypt,
which Krawczyk proved insecure (for example, early SSH)].

If your using SHA-256 as the PRF of a KDF, then TGP might be reducing
the security of the system protecting the private assymmetric key (I'm
presuming AES-256 was chosen for a reason). AES-256 provides a
security level of ~2^255, while SHA-256 provides ~2^128. Its mostly a
theoretical observation: I'd attack the password/passphrase before
attempting pre-image attacks on the hash. [After all these years,
SHA-160 has only been reduced to ~2^50 from a theoretical 2^80, and
2^50  is still beyond my reach].

Jeff

On Sun, Jun 13, 2010 at 5:44 PM, Thor (Hammer of God)
<Thor () hammerofgod com> wrote:

This is what I’ve been talking about... Here is the first part of  
the docs I wrote up - make sure you see that I'm not yet supportin 
g huge files unless you have huge RAM.  **.Net 4.0 Client profile  
is required to run this.**

Right now the install bits are only available on the pilot site at: http://www.owa.hammerofgod.com 
 in the downloads section.   I have to wait on Raging Haggis to  
return from Canada before posting on www.hammerofgod.com .

Here's a bit from the TGP Overview document included with the  
install and on the web site.  Please read through it before asking  
silly questions. :)

Also, feel free to hack it up as much as you would like.  I know  
this is full disclosure, so feel free to zing them at me, or if you  
prefer, I can work with you on any issues you might have

Remember, this is totally free, so my ability to handle custom  
requests will be limited.  For those looking to break it, I would  
look at fuzzing the XML documents and the "drag and drop public  
XML" parsing feature.

If you have questions or challenges about any of the security, I  
would ask to keep it on the list so that everyone can get the full  
benefit of productive security development.   The read-me should  
pretty much lay everything out for you.  If not, we'll take it up  
from there.

t





TGP – “Thor’s Godly Privacy”

06/13/10 v1.1.06



TGP is a small yet very powerful encryption utility.  With all eyes  
on “the cloud,” I decided to write an encryption application  
better suited to an environment where portability and security wer 
e, at the least, challenging.   In cloud computing, not only is th 
e use of file structures becoming more abstract, but the very conc 
ept of a “file server” is becoming more and more ubiquitous.



As such, I designed TGP with “encryption for the cloud” in  
mind.  That means that not only does TGP do everything your normal 
 PGP-type applications do, but it does things a bit differently –  
differently in a way that can change the way you work with your en 
crypted data.  At the simplest level, this is done by encrypting d 
ata into byte arrays, and then converting those byte arrays into B 
ase64 encoded text wrapped inside XML tags.  In this way, not only 
 do you get your typical file-based encrypted representation of yo 
ur data, but you also get data that you can copy and paste directl 
y into any email, mailing list, blog-page, or social networking site.



What I think is interesting about this is that if we choose to, we  
no longer have to be the custodians of our encrypted data – we don 
’t have to worry about actually housing the files: we can just pos 
t them to the internet and let someone else assume the burden of s 
toring the files for us.



If I want to share encrypted files with someone or secure my own  
files, all I have to do is TGP encrypt the data I want, and post it  
to a mailing list somewhere.  In the case of a list like Bugtraq or  
Full Disclosure, the data is actually automatically replicated out  
to any number of archive sites, thus distributing my data for me.   
I can literally be anywhere in the world and just do a quick search  
for my post to retrieve my data.  And since the TGP public key  
files are also text representations of encrypted key data, I can do  
the same with my keys.



Normally, you want to keep your private keys as safe as possible.   
This is still the case with TGP.  However, it is trivial to build  
as many private keys as you wish to use for anything you want to  
use them for.  TGP Private Key files are password protected and  
individually salted, so with a strong passphrase you have very  
reasonable assurance that no one is going to get to your key any  
time soon.  So, you can create a private key with a strong  
password, post that, and then, say, encrypt a scan of your passport  
and post that.  Then if you are ever in a pinch while travelling or  
something like that, you can simply use Google or Bing to access  
your data wherever you are.



Of course, that’s just an example, but I think it illustrates the  
power of encrypted file structures like this.  You can literally u 
se Facebook to post encrypted documents that you don’t have to mai 
ntain.



That’s really the main different between TGP and an application li 
ke PGP.  That and of course, TGP is free, and personally, I think  
PGP is tardware.  It’s bloated, it’s far too expensive, it’s  
hard to use, and if you don’t watch your licensing, you can get sc 
rewed hard like I did when I didn’t want to buy the extended suppo 
rt and one day my encrypted drives stopped working until I paid th 
em.  That doesn’t fly.  TGP also doesn’t require that you are an  
admin to install.  However, the .NET installer for the 4.0 client  
profile does – that’s not my doing.  Regardless, here are the  
file structures TGP uses:



Things that still suck about TGP

Currently TGP uses a memory stream for the destination of the AES  
cryptostream.  This sucks because it makes the maximum file one can  
encrypt based on available memory.  It’s not a huge deal, but it d 
oes keep you from encrypting a gigabyte file.  I’ll be changing th 
at soon.



Timothy “Thor” Mullen

Hammer of God

thor () hammerofgod com

www.hammerofgod.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]