Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

crypto for criminals?

4 views
Skip to first unread message

need....@breakin.the.law

unread,
Jun 13, 2005, 6:04:02 AM6/13/05
to
I am looking for a good crypto system
to protect our legal communications
from the pigs.

Preference is to use SMS, so my question is,
does anybody know about CryptoSMS, and is
it strong enough to confuse the puzzle palace?

need....@breakin.the.law

unread,
Jun 13, 2005, 4:06:11 AM6/13/05
to

"- Prof. Jonez坼

unread,
Jun 13, 2005, 6:51:05 PM6/13/05
to

I've heard it's impenetrable, even the CIA/NSA can't
get through it. IIRC there is a standing $10,000.00 challenge
to anyone who can break it, and the program is still
FreeWare.


Joseph Ashwood

unread,
Jun 13, 2005, 8:32:40 PM6/13/05
to
[CC added to REHjr the author os CryptoSMS]
[Note to REHjr: The tone of this is not meant personally, but claims were
made that need to be forcefully refuted in order to discourage use of
extremely inferior products]

" "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
news:u5ore.62$j85....@news.uswest.net...


>> Preference is to use SMS, so my question is,
>> does anybody know about CryptoSMS, and is
>> it strong enough to confuse the puzzle palace?
>
> I've heard it's impenetrable, even the CIA/NSA can't
> get through it. IIRC there is a standing $10,000.00 challenge
> to anyone who can break it, and the program is still
> FreeWare.

The designers of CryptoSMS are morons.

Lets just begin at the most grievous of errors. "3DES [uses] 384 key bits"
(http://www.cryptosms.com/protect.html, editted for clarity) 3DES uses
either 112 or 168 bits of key. This immediately qualifies them for moron
status.

Next one "ARC4 [has] resist[ed] cryptanalysis." Check again, ARC4 is
actually short for Alleged RC4, and has been attacked any number of times
whether it is the WEP attacks which relied on a broken way to use RC4, or
the bias attacks that are crippling ARC4 has not withstood cryptanalysis
very well at all.

Perhaps their most grievous errors are errors of omission. The key
management is lax at best and based on the available information it appears
to use fixed keys between any fixed group of parties. Not a very
intelligent, or secure thing to do.

The entire system lacks a MAC of any form leading to a vast array of
security holes and showing the designer to be [at best] amateur.

So to answer the question posed (and fictitiously answered) on the Crypto
SMS website "Does CryptoSMS protect me?" NO, CryptoSMS does not protect you
except from the most incompetent pathetic attempts ever deviced, it will
likely stop your wife from reading about your mistress, but it will not stop
a cryptanalyst, or a hacker, or law enforcement, or anyone else with
substantial cryptanalytic skill and determination.
Joe


"- Prof. Jonez坼

unread,
Jun 13, 2005, 11:06:27 PM6/13/05
to
Joseph Ashwood wrote:
> [CC added to REHjr the author os CryptoSMS]
> [Note to REHjr: The tone of this is not meant personally, but claims
> were made that need to be forcefully refuted in order to discourage
> use of extremely inferior products]
>
> " "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
> news:u5ore.62$j85....@news.uswest.net...
> > > Preference is to use SMS, so my question is,
> > > does anybody know about CryptoSMS, and is
> > > it strong enough to confuse the puzzle palace?
> >
> > I've heard it's impenetrable, even the CIA/NSA can't
> > get through it. IIRC there is a standing $10,000.00 challenge
> > to anyone who can break it, and the program is still
> > FreeWare.
>
> The designers of CryptoSMS are morons.

Do tell ...

>
> Lets just begin at the most grievous of errors. "3DES [uses] 384 key
> bits" (http://www.cryptosms.com/protect.html, editted for clarity)
> 3DES uses either 112 or 168 bits of key. This immediately qualifies
> them for moron status.

So your reading comprehension is somewhat less than your claimed
crypto expertise, eh Einstein?
How much of a moron must you be to not know the difference between
3DES and 3DEA?


> Next one "ARC4 [has] resist[ed] cryptanalysis." Check again, ARC4 is
> actually short for Alleged RC4, and has been attacked any number of
> times whether it is the WEP attacks which relied on a broken way to
> use RC4, or the bias attacks that are crippling ARC4 has not
> withstood cryptanalysis very well at all.

And if one provides a nonce, is it still a dunce?


>
> Perhaps their most grievous errors are errors of omission. The key
> management is lax at best and based on the available information it
> appears to use fixed keys between any fixed group of parties. Not a
> very intelligent, or secure thing to do.

So how intelliegent would it be to include bits of the key in every
message?

>
> The entire system lacks a MAC of any form leading to a vast array of
> security holes and showing the designer to be [at best] amateur.
>
> So to answer the question posed (and fictitiously answered) on the
> Crypto SMS website "Does CryptoSMS protect me?" NO, CryptoSMS does
> not protect you except from the most incompetent pathetic attempts
> ever deviced, it will likely stop your wife from reading about your
> mistress, but it will not stop a cryptanalyst, or a hacker, or law
> enforcement, or anyone else with substantial cryptanalytic skill and
> determination. Joe

So a genius like you could easily crack a CryptoSMS message if posted,
or are you more pathetic and incompetent than some jaded housewife ?


poster

unread,
Jun 14, 2005, 1:02:49 AM6/14/05
to
" "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
news:TQrre.73$bf1....@news.uswest.net

}
} Joseph Ashwood wrote:
} > [CC added to REHjr the author os CryptoSMS]
} > [Note to REHjr: The tone of this is not meant personally, but claims
} > were made that need to be forcefully refuted in order to discourage
} > use of extremely inferior products]
} >
} > " "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
} > news:u5ore.62$j85....@news.uswest.net...
} > > > Preference is to use SMS, so my question is,
} > > > does anybody know about CryptoSMS, and is
} > > > it strong enough to confuse the puzzle palace?
} > >
} > > I've heard it's impenetrable, even the CIA/NSA can't
} > > get through it. IIRC there is a standing $10,000.00 challenge
} > > to anyone who can break it, and the program is still
} > > FreeWare.
} >
} > The designers of CryptoSMS are morons.
}
} Do tell ...
}

I can't believe that Mr Ashwood is calling the CryptoSMS
group "morons" on the basis of his obviously cursory
inspection of their web site. Not a very constructive
way to start things off, is it?

}
} >
} > Lets just begin at the most grievous of errors. "3DES [uses] 384 key
} > bits" (http://www.cryptosms.com/protect.html, editted for clarity)
} > 3DES uses either 112 or 168 bits of key. This immediately qualifies
} > them for moron status.
}
} So your reading comprehension is somewhat less than your claimed
} crypto expertise, eh Einstein?
} How much of a moron must you be to not know the difference between
} 3DES and 3DEA?
}

Indeed. I just had a look at the link in question, and
it most definitely reads 3DEA. Quite a difference that
one little letter makes?

}
} > Next one "ARC4 [has] resist[ed] cryptanalysis." Check again, ARC4 is
} > actually short for Alleged RC4, and has been attacked any number of
} > times whether it is the WEP attacks which relied on a broken way to
} > use RC4, or the bias attacks that are crippling ARC4 has not
} > withstood cryptanalysis very well at all.
}
} And if one provides a nonce, is it still a dunce?
}

That is precisely the reason why the WEP implementation
of RC4 was broken: no initialisation vector and no nonce.
CryptoSMS has both, or at least that's what it says at the
link Mr Ashwood provided.

}
} >
} > Perhaps their most grievous errors are errors of omission. The key
} > management is lax at best and based on the available information it
} > appears to use fixed keys between any fixed group of parties. Not a
} > very intelligent, or secure thing to do.
}
} So how intelliegent would it be to include bits of the key in every
} message?
}

My associates & I use CryptoSMS for precisely this reason.
No keyring infrastructure. No transmitted keys or keyrings.
No real proof that you are even using encryption, which in
some countries is a real plus. A keyring alone can get you
into hot water.

}
} >
} > The entire system lacks a MAC of any form leading to a vast array of
} > security holes and showing the designer to be [at best] amateur.
} >
} > So to answer the question posed (and fictitiously answered) on the
} > Crypto SMS website "Does CryptoSMS protect me?" NO, CryptoSMS does
} > not protect you except from the most incompetent pathetic attempts
} > ever deviced, it will likely stop your wife from reading about your
} > mistress, but it will not stop a cryptanalyst, or a hacker, or law
} > enforcement, or anyone else with substantial cryptanalytic skill and
} > determination. Joe
}
} So a genius like you could easily crack a CryptoSMS message if posted,
} or are you more pathetic and incompetent than some jaded housewife ?
}

Funny, but when I read that same webpage as Mr Ashwood, I left
with the impression that the block ciphers have individual IVs
and use them in CBC mode. Isn't the last block of CBC a workable MAC?
Are you sure the makers of CryptoSMS aren't using it that way?

Since I'm a CryptoSMS user, I am very curious just how clever
Mr Ashwood is. Attached below are three CryptoSMS messages, all
of which are encrypted with the same passphrase and all of which
contain the same clear text. Mr Ashwood, would you please crack
these and post the contents for all to see? It should be easy
since you have 3 individual messages which are all internally
identical. Good luck.

??31m3dH-zpJ2ta8zI07sFm5o-UX5wrMwKtUOGffGoqz98P7RrUE0bNu4Yu0Sue-ZdUaNXK000??

??31SdibaVtKZ=50U74hLnQYg558NM=dopXVivzD5LOu1XQFqYIC1IK-6O1G7LQaRBbL41G000??

??31jKvmpN7DsULlMlD9ojQbe17m3R8eA8FL51HM1vln=zB3GkwtRBjcp3wS-2wRmcatMXK000??


Grumble

unread,
Jun 14, 2005, 3:41:59 AM6/14/05
to
Prof. Jonez wrote:

> How much of a moron must you be to not know the difference between
> 3DES and 3DEA?

I would, most definitely, love to be told the difference between
3DES and 3DEA. Pray tell.

--
Regards, Grumble

SniffinPopRocks

unread,
Jun 14, 2005, 4:48:14 AM6/14/05
to

<need....@breakin.the.law> wrote in message
news:1yv5op$0wa$1...@204.29.187.156...

There's only one, truely unbreakable, forever uncrackable, message
encryption system I've seen. It's not easy to impliment, requires one
off-line, face to face, and can't be broken. If you 'google' long enough you
should be able to find it.


clem

unread,
Jun 14, 2005, 5:33:22 AM6/14/05
to

The next paragraph is directly copied from their site:

Your pass phrase is digested by six different one-way hash functions
to produce 1088 bits of unpredictable key material, providing for a
very large number of possible keys (3.31e+327). This number is so huge
as to make it a formidable obstacle to brute force attacks, which is
one of the many advantages to multi-pass encryption.


If that paragraph isn't enough to show you their ignorance and mis-use
of crypto principals, then you probably think it sounds impressive.

But, trust me, it is enough to set off any snake oil detectors in the
vicinity and has any sci.crypt regulars saying "keep away from this".

So keep away from this CryptoSMS because it is bad news.

Thanks for asking, little spammer.

Mike Gonzalez

unread,
Jun 14, 2005, 8:13:50 AM6/14/05
to
clem wrote:

> Your pass phrase is digested by six different one-way hash functions
> to produce 1088 bits of unpredictable key material, providing for a
> very large number of possible keys (3.31e+327). This number is so huge
> as to make it a formidable obstacle to brute force attacks, which is
> one of the many advantages to multi-pass encryption.

Hey! Sounds like that super compression algorithm that goes like this:

Count all the ones in the bitstream. Express the result in binary.
Now count all the ones in this result. Repeat recursively until the
count fits in one bit. The compression ratio is formidable, making
it ideal for today's ever high volumes of storage space required by
multimedia applications and data!

> Thanks for asking, little spammer.

I was going to say that you were perhaps being a bit too harsh. But
crossposting to crypt, politics and legal newsgroups? Dead giveaway!

-Mike

John E. Hadstate

unread,
Jun 14, 2005, 8:19:57 AM6/14/05
to

"poster" <pos...@use.net> wrote in message
news:42ae6...@newsgate.x-privat.org...

>
> Indeed. I just had a look at the link in question, and
> it most definitely reads 3DEA. Quite a difference that
> one little letter makes?
>

Yeah. That one little letter changes the meaning from
something with a solid reputation that has been analyzed
into oblivion into pure snake-oil.

>
> My associates & I use CryptoSMS for precisely this reason.

> No real proof that you are even using encryption,

Well, you said it.

>
> Funny, but when I read that same webpage as Mr Ashwood, I
> left
> with the impression that the block ciphers have individual
> IVs
> and use them in CBC mode. Isn't the last block of CBC a
> workable MAC?

We're not talking "Workable", Jack. We're talking
cryptologically secure.

And you don't have the slightest clue that they're even
using it for that. You're just hoping and dreaming.

>
> Since I'm a CryptoSMS user, I am very curious just how
> clever
> Mr Ashwood is.

Mr. Ashwood is extremely clever. Among the things he's
clever at is recognizing and unmasking snake-oil salesmen.

> Attached below are three CryptoSMS
> messages, all
> of which are encrypted with the same passphrase and all of
> which
> contain the same clear text.

Typical panic-mode BS from a fruitcake that doesn't know his
@$$ from a hole in the ground about crypto.

Alan

unread,
Jun 14, 2005, 11:40:18 AM6/14/05
to
clem wrote:
> The next paragraph is directly copied from their site:
>
> Your pass phrase is digested by six different one-way hash functions
> to produce 1088 bits of unpredictable key material, providing for a
> very large number of possible keys (3.31e+327). This number is so huge
> as to make it a formidable obstacle to brute force attacks, which is
> one of the many advantages to multi-pass encryption.

So finally I only need an easily remembered password, since all those
different hash functions make it so formidable to attack! How about
"password"?

It's so much easier now!

Alan


John Hadstate

unread,
Jun 14, 2005, 11:52:53 AM6/14/05
to

Alan wrote:

> So finally I only need an easily remembered password, since all those
> different hash functions make it so formidable to attack! How about
> "password"?
>
> It's so much easier now!
>


And yet, it can be even easier: just use "p" to represent the notion of
a "password"!

Andrew Swallow

unread,
Jun 14, 2005, 12:11:42 PM6/14/05
to
Grumble wrote:

3DES is extra strong encryption used by the banks for electronic money
transfers.
3IDEA are three agents that catch drug smugglers.

Andrew Swallow

p.s. did someone mean IDEA? A Swiss encryption algorithm.

Joe Peschel

unread,
Jun 14, 2005, 2:38:14 PM6/14/05
to
Grumble <dev...@kma.eu.org> wrote in news:d8m1o8$sr0$1...@news-rocq.inria.fr:

The page was supposed to say 3IDEA. Click 3DEA and see:

http://www.hairy.webspace.fish.co.uk/HairyWorld/work/tech4multimedia/3idea.
html

J

--
__________________________________________

http://www.impeach-bush-now.org

Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________

Joseph Ashwood

unread,
Jun 14, 2005, 6:21:08 PM6/14/05
to

" "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
news:TQrre.73$bf1....@news.uswest.net...
> Joseph Ashwood wrote:
>> "3DES

> How much of a moron must you be to not know the difference between
> 3DES and 3DEA?

I will admit I misread it.

>
>
>> Next one "ARC4 [has] resist[ed] cryptanalysis." Check again, ARC4 is
>> actually short for Alleged RC4, and has been attacked any number of
>> times whether it is the WEP attacks which relied on a broken way to
>> use RC4, or the bias attacks that are crippling ARC4 has not
>> withstood cryptanalysis very well at all.
>
> And if one provides a nonce, is it still a dunce?

If one claims that a cipher has resisted cryptanalysis, and the cipher has
not resisted cryptanalysis, the claim is false, and so the entire
super-claim of security must be considered highly suspect and should
generally treated treated like the worthless bulk of code that I concluded
CryptoSMS is.

>> Perhaps their most grievous errors are errors of omission. The key
>> management is lax at best and based on the available information it
>> appears to use fixed keys between any fixed group of parties. Not a
>> very intelligent, or secure thing to do.
>
> So how intelliegent would it be to include bits of the key in every
> message?

I don't think you properly understand the state of the art in cryptography.
Perhaps you should look at the design of PGP*. The proper state of the art
for such communications is to use a public key cipher (e.g. RSA, ElGamal,
ECC-ElGamal, etc) to transfer a random key or set of random keys. This has
many advantages over the shared passphrase model primarily in the security
department. In an environment where 3 people talk to each other they would
all share the same passphrase in CryptoSMS so if one is compromised the
passphrase is compromised and it takes a verified meeting to recover
security. In the cryptographically educated design using public key
cryptography the compromise of a single person leaves the rest of the
network intact.

There is an additional advantage called "forward secrecy" it is something
that you would do well to learn about. It is a behavior such that if the key
for message X is compromised messages X-1 and X+1 are still secure. Using
the same key for every message does not have this behavior, using random
keys does. As a clear statement of how much CryptoSMS fails at this it even
uses fixed IVs, which of course means that the claimed "nonce" does not
exist.

Now on to the more fundamental portions. Anyone who does not understand
these concepts is almost guarenteed to fail at security (there is a slim
chance at success without knowledge but it is so tiny as to be safely
ignored).
Joe


* for those looking for a solution PGP is substantially analyzed by
professionals and if you'd like something that government has tried to
oppress, Zimmerman was very formally charged with it's distribution under
ITAR (http://www.gimonca.com/personal/archive/philzima.html). I have no
relationship with PGP Inc in any form, including the fact that I am not
currently an investor.


Message has been deleted

Joseph Ashwood

unread,
Jun 14, 2005, 8:55:22 PM6/14/05
to
"Grumble" <dev...@kma.eu.org> wrote in message
news:d8m1o8$sr0$1...@news-rocq.inria.fr...

In this case (it's not a standard cipher) it refers to triple-IDEA in EDE
mode. This is based on the 3DES link on the website, which while informative
enough for this purpose is generally pointless without a reference to the
design of IDEA (which is patented and that would probably be another way of
getting rid of this company).

The other proposed theory is the one that would actually make sense, meet
the designation used in cryptography, and be accurate. This stems from the
fact that the Digital Encryption Algorithm (DEA for short) forms the basis
of the Digital Encryption Standard (DES) which would make 3DEA the same as
3DES.

The use of the extremely non-standard first version is particularly
troubling as far as the knowledge level of the designer is concerned.
Joe


Gregory G Rose

unread,
Jun 15, 2005, 12:59:20 PM6/15/05
to
In article <Xns9676E2E61...@204.153.244.170>,

Aspic <just@notherisp> wrote:
>Grumble <dev...@kma.eu.org> wrote in news:d8m1o8$sr0$1...@news-rocq.inria.fr:
>
>> I would, most definitely, love to be told the difference between
>> 3DES and 3DEA. Pray tell.
>
>I've actually come here by mistake but now I'm here - 3dea is another way
>of writing Triple DES and I assum 3dea is based in the same way on CMEA.
>CMEA has been cracked, but I've not come across the latter so I can't tell
>you any more.

Now you have me interested too. The only CMEA I
know of is the Cellular Message Encryption
Algorithm, used in legacy CDMA and TDMA networks,
and it is indeed badly broken. But it has nothing
at all to do with anything DES-related. Is that
what you meant? Or is there another CMEA I'm not
aware of? There is a DES-based thing used for
*reducing* the key strength, called CDMF, which I
think means Commercial Data Masking Facility.

Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au

"- Prof. Jonez坼

unread,
Jun 17, 2005, 12:59:21 PM6/17/05
to
Joseph Ashwood wrote:
> "Grumble" <dev...@kma.eu.org> wrote in message
> news:d8m1o8$sr0$1...@news-rocq.inria.fr...
> > Prof. Jonez wrote:
> >
> > > How much of a moron must you be to not know the difference between
> > > 3DES and 3DEA?
> >
> > I would, most definitely, love to be told the difference between
> > 3DES and 3DEA. Pray tell.
>
> In this case (it's not a standard cipher) it refers to triple-IDEA in
> EDE mode. This is based on the 3DES link on the website, which while
> informative enough for this purpose is generally pointless without a
> reference to the design of IDEA (which is patented and that would
> probably be another way of getting rid of this company).
>
> The other proposed theory is the one that would actually make sense,
> meet the designation used in cryptography, and be accurate. This
> stems from the fact that the Digital Encryption Algorithm (DEA for
> short) forms the basis of the Digital Encryption Standard (DES) which
> would make 3DEA the same as 3DES.


From: "Joseph Ashwood" <ash...@msn.com>
Newsgroups: sci.crypt
Subject: Re: Cascading different algorithms?

Message-ID: <wXUbe.2094$zu....@newssvr13.news.prodigy.com>
NNTP-Posting-Host: 67.118.12.54

Date: Wed, 27 Apr 2005 23:08:12 GMT


Actually 3DES was used because it was the most analyzed around, this came as
a result of DES. If the key size were the only consideration we would have
all switch to IDEA or Blowfish or any of the dozens of other good solutions.
The tripling of the rounds that is the result of the process actually serves
a very solid purpose, and the change of keys deals with the rest, leaving
only those attacks that work on the structure of the new cipher (e.g. the
attacks on 3DES work this way). 3DES was created because someone said why
not, 3DES remained because it resisted everything anyone threw at it for
over 2 decades, this was in large part because of the fundamental structure
of the triple encipherment. The only situation where multiple encipherment
with the same cipher would not increase security is in the unlikely case
that it forms a group, IIRC there is actually a proof that Rijndael does not
(Rijndael was named AES but much of the original theory is easier to find
regarding Rijndael). The 7 layer encipherment is the next reasonable step in
the process.
Joe

Joseph Ashwood

unread,
Jun 17, 2005, 8:29:35 PM6/17/05
to
" "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
news:QjDse.43$JA3....@news.uswest.net...

Yes I did say that, but you will note that there is no reference made to
3-IDEA in any form. It might be a bit more difficult to understand because
of the structure I used, but I was advocating IDEA or Blowfish as the larger
keysize solution to the problem.
Joe


tomst...@gmail.com

unread,
Jun 18, 2005, 6:18:02 AM6/18/05
to
Joseph Ashwood wrote:
> Yes I did say that, but you will note that there is no reference made to
> 3-IDEA in any form. It might be a bit more difficult to understand because
> of the structure I used, but I was advocating IDEA or Blowfish as the larger
> keysize solution to the problem.

Reply not with subject in your name, hate to the darkside leads you.

;-)

Tom

"- Prof. Jonez坼

unread,
Jun 18, 2005, 11:03:34 AM6/18/05
to

More and more like a paid shill J Ashwood sounds, contradictions
and hypocrisy he speaks ...

> Tom


John E. Hadstate

unread,
Jun 18, 2005, 11:35:04 AM6/18/05
to

" "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
news:jJWse.8$_N5....@news.uswest.net...

I don't think so, scumbag. I think you're the lying,
sniveling shill here. How 'bout them apples, you
half-witted troll?


"- Prof. Jonez坼

unread,
Jun 18, 2005, 11:42:01 AM6/18/05
to

You've started drinking quite early this morning... or
are you still hung over from last night?


John E. Hadstate

unread,
Jun 18, 2005, 11:54:30 AM6/18/05
to

" "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
news:lhXse.17$_N5....@news.uswest.net...

>
> You've started drinking quite early this morning... or
> are you still hung over from last night?
>

Only coffee and orange juice so far, and nothing more
intoxicating than a pipe full of Captain Black last night.
So how's your weed?

clem

unread,
Jun 18, 2005, 4:16:19 PM6/18/05
to
On Sat, 18 Jun 2005 11:54:30 -0400, "John E. Hadstate"
<jh11...@hotmail.com> wrote:

>
>" "- Prof. JonezŠ"" <jo...@norcom.ca> wrote in message

This guy is obviously a troll, John.

Everyone of any consequence knows Ashwood is a good egg, and no one
will fault you for just letting this idiot Jonez spin around a spew
vile until he caves in under the weight of his own fetid existence.

You and Joe are known quanitities around here and this Jonez character
isn't worth wasting your time on.

Of course, no one, least of all me, would suggest you don't have the
right to tell an idiot that he is, in fact, being idiotic.


"- Prof. Jonez坼

unread,
Jun 19, 2005, 1:30:19 PM6/19/05
to
clem wrote:
> On Sat, 18 Jun 2005 11:54:30 -0400, "John E. Hadstate"
> <jh11...@hotmail.com> wrote:
>
> >
> > " "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message

> > news:lhXse.17$_N5....@news.uswest.net...
> > >
> > > You've started drinking quite early this morning... or
> > > are you still hung over from last night?
> > >
> >
> > Only coffee and orange juice so far, and nothing more
> > intoxicating than a pipe full of Captain Black last night.
> > So how's your weed?
> >
> >
>
> This guy is obviously a troll, John.

Translation: You can't refute the facts.

>
> Everyone of any consequence knows Ashwood is a good egg,

Then let the blowhard defend his own hipocrisy and errors
posted to this thread.

>and no one
> will fault you for just letting this idiot Jonez spin around a spew
> vile until he caves in under the weight of his own fetid existence.

John send you to extract him from the pile of shit that he laid?

>
> You and Joe are known quanitities around here and this Jonez character
> isn't worth wasting your time on.

Tranlation: You can't refute the facts posted to this thread, can you?

>
> Of course, no one, least of all me, would suggest you don't have the
> right to tell an idiot that he is, in fact, being idiotic.

Ad Hominum -- the sign of a true loser

Careful, don't actually address the fact pattern of the subject of the thread.


clem

unread,
Jun 19, 2005, 7:33:14 PM6/19/05
to
On Sun, 19 Jun 2005 11:30:19 -0600, " \"- Prof. Jonez©\""
<jo...@norcom.ca> wrote:

>clem wrote:
>> On Sat, 18 Jun 2005 11:54:30 -0400, "John E. Hadstate"
>> <jh11...@hotmail.com> wrote:
>>
>> >
>> > " "- Prof. Jonez©"" <jo...@norcom.ca> wrote in message
>> > news:lhXse.17$_N5....@news.uswest.net...
>> > >
>> > > You've started drinking quite early this morning... or
>> > > are you still hung over from last night?
>> > >
>> >
>> > Only coffee and orange juice so far, and nothing more
>> > intoxicating than a pipe full of Captain Black last night.
>> > So how's your weed?
>> >
>> >
>>
>> This guy is obviously a troll, John.
>
>Translation: You can't refute the facts.

Of course I can. The folks at CryptoSMS are frauds and you are a
troll. This much is clear.

>>
>> Everyone of any consequence knows Ashwood is a good egg,
>
>Then let the blowhard defend his own hipocrisy and errors
>posted to this thread.
>
>>and no one
>> will fault you for just letting this idiot Jonez spin around a spew
>> vile until he caves in under the weight of his own fetid existence.
>
>John send you to extract him from the pile of shit that he laid?

No. John doesn't need anyone to protect him and either does Joseph.

They've done quite a good job of troll-outing you.

>
>>
>> You and Joe are known quanitities around here and this Jonez character
>> isn't worth wasting your time on.
>
>Tranlation: You can't refute the facts posted to this thread, can you?

Of course I can. The folks at CryptoSMS are frauds and you are a
troll. This much is clear.

>
>>
>> Of course, no one, least of all me, would suggest you don't have the
>> right to tell an idiot that he is, in fact, being idiotic.
>
>Ad Hominum -- the sign of a true loser
>
>Careful, don't actually address the fact pattern of the subject of the thread.

Let's go beck to what started this if you want to be so correct:

The CryptoSMS spammer thread (let me remind you):

Loser spammer: "hey everyone I've heard (sic) that CryptoSMS is a
kewl crypto product"

Oher loser shill: "That's right. Even God can't crack their
bazillion bit technology".

That is precisely when Joe, John and others in sci.crypt ripped you
guys a new one (notice how I said you guys).

The fact is this: CryptoSMS sucks big time and you can't deal with
it. Everything else is just window dressing to that scenario.

So go ahead and do your troll thing. Be the village idiot.

But we're laughting at you and we know who you are.

Your product CryptoSMS has got the big loser sign on it in sci.crypt

Those are the facts in this case and all your troll shit can't change
it.


"- Prof. Jonez坼

unread,
Jun 19, 2005, 9:22:43 PM6/19/05
to
clem wrote:
> On Sun, 19 Jun 2005 11:30:19 -0600, " \"- Prof. Jonez©\""
> <> wrote:
>
> > clem wrote:
> > > On Sat, 18 Jun 2005 11:54:30 -0400, "John E. Hadstate"
> > > <jh11...@hotmail.com> wrote:
> > >
> > > >
> > > > " "- Prof. Jonez©"" <> wrote in message

> > > > >
> > > > > You've started drinking quite early this morning... or
> > > > > are you still hung over from last night?
> > > > >
> > > >
> > > > Only coffee and orange juice so far, and nothing more
> > > > intoxicating than a pipe full of Captain Black last night.
> > > > So how's your weed?
> > > >
> > > >
> > >
> > > This guy is obviously a troll, John.
> >
> > Translation: You can't refute the facts.
>
> Of course I can. The folks at CryptoSMS are frauds and you are a
> troll. This much is clear.

Yet, you offer no evidence or facts whatsoever.
Naked declarations may work at home with your browbeaten
wife, but in the real world they don't amount to jack shit.


>
> > >
> > > Everyone of any consequence knows Ashwood is a good egg,
> >
> > Then let the blowhard defend his own hipocrisy and errors
> > posted to this thread.
> >
> > > and no one
> > > will fault you for just letting this idiot Jonez spin around a
> > > spew
> > > vile until he caves in under the weight of his own fetid
> > > existence.
> >
> > John send you to extract him from the pile of shit that he laid?
>
> No. John doesn't need anyone to protect him and either does Joseph.

Yet you feel compelled to come to their rescue like a good little sock.
Meow meow ...


>
> >
> > >
> > > You and Joe are known quanitities around here and this Jonez
> > > character isn't worth wasting your time on.
> >
> > Tranlation: You can't refute the facts posted to this thread, can
> > you?
>
> Of course I can. The folks at CryptoSMS are frauds and you are a
> troll. This much is clear.

Yet, you offer no evidence or facts whatsoever.
Naked declarations may work at home with your browbeaten
wife, but in the real world they don't amount to jack shit.

> > >
> > > Of course, no one, least of all me, would suggest you don't have
> > > the
> > > right to tell an idiot that he is, in fact, being idiotic.
> >
> > Ad Hominum -- the sign of a true loser
> >
> > Careful, don't actually address the fact pattern of the subject of
> > the thread.
>
> Let's go beck to what started this if you want to be so correct:
>
> The CryptoSMS spammer thread (let me remind you):
>
> Loser spammer: "hey everyone I've heard (sic) that CryptoSMS is a
> kewl crypto product"
>
> Oher loser shill: "That's right. Even God can't crack their
> bazillion bit technology".

Why do you lie? Is it pathological or do you get paid?


>
> That is precisely when Joe, John and others in sci.crypt ripped you
> guys a new one (notice how I said you guys).

Except Joe the Blowhard couldn't tell the difference between
DES and iDEA, and contradicted his own prior postings spouting
the virtues of triple-layered encryption:


So which is it jackass? You can't have it both ways, unless you want
to confess you're nothing but a pathetic liar.


> The fact is this: CryptoSMS sucks big time and you can't deal with
> it. Everything else is just window dressing to that scenario.

Sez the sockpuppet asshat who can't even crack such a "weak and
sucky" encryption scheme, even when extra clues are given.

>
> So go ahead and do your troll thing. Be the village idiot.
>
> But we're laughting at you and we know who you are.
>
> Your product CryptoSMS has got the big loser sign on it in sci.crypt
>
> Those are the facts in this case and all your troll shit can't change
> it.

So put up or shut up --

Newsgroups: misc.legal, sci.crypt, talk.politics.crypto, us.legal
From: poster <pos...@use.net>
Date: Tue, 14 Jun 2005 15:02:49 +1000
Local: Tues,Jun 14 2005 1:02 am
Subject: Re: crypto for Joseph Ashwood?

Since I'm a CryptoSMS user, I am very curious just how clever

Mr Ashwood is. Attached below are three CryptoSMS messages, all


of which are encrypted with the same passphrase and all of which

contain the same clear text. Mr Ashwood, would you please crack
these and post the contents for all to see? It should be easy
since you have 3 individual messages which are all internally
identical. Good luck.


??31m3dH-zpJ2ta8zI07sFm5o-UX5w­rMwKtUOGffGoqz98P7RrUE0bNu4Yu0­Sue-ZdUaNXK000??


??31SdibaVtKZ=50U74hLnQYg558NM­=dopXVivzD5LOu1XQFqYIC1IK-6O1G­7LQaRBbL41G000??


??31jKvmpN7DsULlMlD9ojQbe17m3R­8eA8FL51HM1vln=zB3GkwtRBjcp3wS­-2wRmcatMXK000??


Cry...@s.m.s

unread,
Jun 20, 2005, 8:50:02 PM6/20/05
to
Not being a reader of Usenet, I was surprised to discover
that the nasty email sent by Joe Ashwood to the designers
of CryptoSMS was actually a news posting (which resulted
in a heated debate degenerating into personal insults).

There seems to be a fair amount of misunderstanding about
the implementation details of CryptoSMS as well as its
original intent.

First, please try to understand the design considerations:

1. It must leave no keyrings or key material on the
host computer. This is vital, as it will be used
in situations where encryption is banned, and the
simultaneous possession of cryptographic software
and encryption keyrings can be used as evidence of
"intent".

2. It must save no messages or intermediate files,
in short, it must appear to be an unused program.

3. It will be used by people who know each other well,
and who can meet in person to agree on a pass phrase.
They will be able to do this fairly regularly, so as
to freshen their pass phrase often. These are people
who have something to hide, a lot to lose, and who
understand the necessity of keeping secrets.

4. No single hash (or message digest) will be used as
the key for any cipher. Collisions are found
frequently in hash functions, so to be ultra-safe,
attackers must be forced to break multiple routines.

5. No single cipher can be trusted. Multiple ciphers
must be used, they must be of different types, and
they must be applied in serial, not in parallel;
that is, they must not interact with each other or
share results in any way. The reasons for this
should be obvious, i.e. algorithms are broken all
the time. To "crack" these CryptoSMS messages, you
will need to defeat multiple ciphers.

Note that CryptoSMS is a private key encryption system,
not intended for communication between strangers.

In operation, CryptoSMS is presented with a pass phrase and
a message. The pass phrase is processed by six well known
hash routines:

MD2 - 128 bits
MD5 - 128 bits
SHS - 160 bits
SHA2 - 256 bits
HAVAL - 256 bits
RipeMD - 160 bits

The output of pairs of hashes are concatenated to
create these cipher keys:

3IDEA - HAVAL & MD2, to yield three 128 bit keys
ARC4 - MD5 & RipeMD to yield a single 288 bit key
BlowFish - SHA2 & SHS to yield a single 416 bit key

Block ciphers run in CBC mode, each has its own
unique random initialisation vector, 64 bits in length.

Stream cipher has a 64 bit nonce which is hashed into
its key, and which is stored in the message, between
the layers of block encipherment.

An outgoing clear text message is processed as follows:

1. The clear text is padded out to an even multiple
of 64 bit blocks, then a 64 bit random IV is prepended.

2. The message is encrypted with 3IDEA using the 3 keys
as described above. The last block of the 3IDEA's
CBC encryption is appended as a Message Authentication
Code (MAC).

3. The cipher text from step #2 is encrypted a second
time with RC4 (using a 2nd key), and the 64 bit Nonce
is prepended.

4. Another 64 bit random IV is prepended, and the message
is encrypted a third time with Blowfish (using yet
another set of keys, see above).

5. Finally the cipher text is ASCII85 encoded for
transmission as SMS "text".

On reception, the process is reversed to decrypt and
recover the original clear text. The MAC is checked
to confirm that the message was received intact.

Notice that each cipher has its own key, unrelated to
the other ciphers' keys, except for the fact that they
were all hashed from the same pass phrase. Also each
block cipher has its own random IV and the stream cipher
has its own nonce; all of them generated by Knuth's
Algorithm M.

CryptoSMS takes some time to encrypt/decrypt, upwards
of a few seconds on most PocketPCs, but I can live with
that. After all, it takes longer to send the SMS, so
it is not horribly slow. An upcoming release of CryptoSMS
is on the drawing board now, and it will produce quadruple
encryption, wrapping AES on top of everything else.

The goal here is insane overkill, and to that end, Joe
Ashwood's 7 pass AES suggestion sounds like a great new
layer to add to this growing "Crypto Laminate".

Matt Mahoney

unread,
Jun 20, 2005, 9:52:13 PM6/20/05
to
Cry...@S.M.S wrote:
> In operation, CryptoSMS is presented with a pass phrase and
> a message. The pass phrase is processed by six well known
> hash routines:
>
> MD2 - 128 bits
> MD5 - 128 bits
> SHS - 160 bits
> SHA2 - 256 bits
> HAVAL - 256 bits
> RipeMD - 160 bits

Most of which are broken.
http://paginas.terra.com.br/informatica/paulobarreto/hflounge.html

> 1. The clear text is padded out to an even multiple
> of 64 bit blocks, then a 64 bit random IV is prepended.

What is your entropy source?

> The goal here is insane overkill, and to that end, Joe
> Ashwood's 7 pass AES suggestion sounds like a great new
> layer to add to this growing "Crypto Laminate".

Complexity is the enemy of security.

-- Matt Mahoney

Cry...@s.m.s

unread,
Jun 20, 2005, 10:51:52 PM6/20/05
to
Matt Mahoney wrote:
> Cry...@S.M.S wrote:
>
>>In operation, CryptoSMS is presented with a pass phrase and
>>a message. The pass phrase is processed by six well known
>>hash routines:
>>
>> MD2 - 128 bits
>> MD5 - 128 bits
>> SHS - 160 bits
>> SHA2 - 256 bits
>> HAVAL - 256 bits
>> RipeMD - 160 bits
>
>
> Most of which are broken.
> http://paginas.terra.com.br/informatica/paulobarreto/hflounge.html
>

Did you actually read the references cited by that page?
Only *reduced* round versions of these are broken. Not
to mention the operative word in your sentence is "most".
Most but not all. Exactly the reason for using more than
one algorithm.

Gregory G Rose

unread,
Jun 21, 2005, 1:29:53 AM6/21/05
to
In article <11bep1u...@news.supernews.com>, <Cry...@S.M.S> wrote:
> 2. The message is encrypted with 3IDEA using the 3 keys
> as described above. The last block of the 3IDEA's
> CBC encryption is appended as a Message Authentication
> Code (MAC).

This is an insecure use of the primitive. CBC-MAC
is only secure when using a different key than the
CBC encryption.

I also note that all the block ciphers use 64-bit
blocks. The major impetus to develop AES was the
fact that this block length is too short.

While what you propose is probably secure, it
reeks of poor understanding of the crypto
primitives it is built from.

Joseph Ashwood

unread,
Jun 21, 2005, 7:21:42 AM6/21/05
to
<Cry...@S.M.S> wrote in message news:11bf06c...@news.supernews.com...

Well assuming you don't have typos up there. Here is the actual status of
them:
MD2 - dead
MD5 - dead
SHS - dead
SHA2 - alive
HAVAL - dead
RipeMD - dead

So I believe the question really is. Did you actually read the references
cited by that page? More importantly did you understand them. 5/6 of them
are dead, MD5 is so dead that 15 minutes on a laptop is enough. Each of
these broken hash functions will leak information about the passphrase with
the passphrases that will be expected to be of short term use (20
characters) that is in the neighborhood of 30-bits of entropy to begin with
(by Shannon) so any of those hash functions should be more than enough to
leak the entire passphrase. Additionally, the most recent of these attacks
are by Wang et al. who quite frankly seem to defeat hashes that are MD5
derivatives on a scarily dependable basis.

If you were really going for security, why not simply rely on the big hashes
that offer the most security; Whirlpool and SHA-512. SHA-512 was available
when you wrote the software as it was released at the same time as what you
mistakenly call SHA2 which is actually called SHA-256, and Whirlpool was
released in the same timeframe.

Now on to your other specific claims:
1. Must use no keyrings. This is very much a flawed way of going about
removing keyrings. You are opening avenues of attack without closing
anything of note. Your stated purpose for this is to avoid evidence of use;
instead you simply remove security. There are many ways of removing keyrings
without removing security, and a great deal of very good research is
available in the subject.

2. Should actually be rephrased as there is no additional space taken up by
each execution including the first. First, this is a restatement of #1.
Second you have missed the fact that SMS messages are sent over cell
networks which can be easily broken, very quickly revealing usage regardless
of anything you do. Third, no sane person would pay for and install a
program that they would not use, least of all one that is illegal to simply
possess as would be the case for your alleged target market.

3. Used by people who meet often. If they meet often it would be far more
effective to simply relay tha messages in person. And by people who have "a
lot to lose," the truth is that people who truly do have a lot to lose by
meeting do not meet often. Your target market will find this a huge
disadvantage.

4. No single hash will be used as the key for any cipher. This actually
reduces security instead of increasing it. To show you clearly why this is
the case, which is easier to read:
The eagle lands at noonThe eag
The eagle
Which one carries more information? The first does clearly, while this
example itself does not scale well into cryptography the concept itself
does. It is actually more security efficient to use a large hash and trim
than expand a small hash.

5. No single cipher. This actually seems somewhat reasonable considering
that your target market seems to be paranoid (rightly or wrongly doesn't
matter) individuals. But the question remains, why didn't you choose either
of the most trustable ciphers available when you wrote the software? 3DES
and AES, both were available before the introduction of SHA-256 so that was
not the problem. The relationship to NIST and the NSA isn't the problem
because you use 2 hash functions from them. It seems that the choice was
made to make the security implications as large as possible.

The choice of 3IDEA is the most troubling because I doubt you licensed it
from the inventors and being a patented algorithm that is licensed for any
for profit enterprise you are opening your users up to not only the attack
on anyone using cryptography, but also IP attacks. At every turn you seem to
have made the most questionable choice possible.

I would say that through your random walk you have probably reached a point
where it is easier to torture the information out of the perpetrator (after
all you have the evidence of the program) than it is to break. I still
stand by my statement earlier that this should be enough to keep your wife
from finding out about your mistress, but it's not going to work against a
government. If for no other reason than a government can break several of
your security assumptions.
Joe


Cry...@s.m.s

unread,
Jun 21, 2005, 9:53:11 PM6/21/05
to

Yes, hashes are defeated on a scarily dependable basis.
That's why it's a bad idea to rely on only one of them.

Also, these "broken" hashes are only "broken" in that it
takes less work than expected to find a collision. In
order to defeat CryptoSMS encryption, you would have to
find a simultaneous collision in all six hashes at once.
Care to comment on the difficulty of that processing?

>
> If you were really going for security, why not simply rely on the big
hashes
> that offer the most security; Whirlpool and SHA-512. SHA-512 was
available
> when you wrote the software as it was released at the same time as
what you
> mistakenly call SHA2 which is actually called SHA-256, and Whirlpool was
> released in the same timeframe.
>

Oh yes, definitely. The next layer in the CryptoSMS stack
will be AES using key hashes from Whirlpool (as mentioned in
the previous post). And SHA256 will be replaced by 512.
Why not? Everybody knows size matters.

>
> Now on to your other specific claims:
> 1. Must use no keyrings. This is very much a flawed way of going about
> removing keyrings. You are opening avenues of attack without closing
> anything of note. Your stated purpose for this is to avoid evidence
of use;
> instead you simply remove security. There are many ways of removing
keyrings
> without removing security, and a great deal of very good research is
> available in the subject.
>

Any pointers in that regard? I would be interested in
the research done on removing keys. This is a very
important issue to CryptoSMS designers and users alike.
I know of at least one instance where French investigators
confiscated several mobile devices. Those which had PGP
Mobile installed were subsequently entered into evidence;
whereas those with CryptoSMS installed were later returned.

>
> 2. Should actually be rephrased as there is no additional space taken
up by
> each execution including the first. First, this is a restatement of #1.
> Second you have missed the fact that SMS messages are sent over cell
> networks which can be easily broken, very quickly revealing usage
regardless
> of anything you do. Third, no sane person would pay for and install a
> program that they would not use, least of all one that is illegal to
simply
> possess as would be the case for your alleged target market.
>

First, this is not a restatement of #1.
Requirement #1 deals with keys & keyrings.
Requirement #2 deals with saved messages & temporary files.

Second, people frequently install (and even pay for) software they
do not use. Besides, what we're talking about here is "proof of
use", not actual use. CryptoSMS operates in such a way that it
can not be proven to be in use.

Third, you are forgetting how easy it is to change the SIM card
in a PocketPC, thus rendering SMS logs unaccountable. Most of
the users of CryptoSMS have many dozens of prepaid SIM cards,
each one for use in particular situations, and only one of them
kept in the phone for daily, personal use. Sure, cell phone
logs can prove that somebody, somewhere sent encrypted SMS, but
did they come from the particular phone you have in your hand?
Can't be proven, hence can't be held against you.

>
> 3. Used by people who meet often. If they meet often it would be far
more
> effective to simply relay tha messages in person. And by people who
have "a
> lot to lose," the truth is that people who truly do have a lot to
lose by
> meeting do not meet often. Your target market will find this a huge
> disadvantage.
>

Just because people can meet often doesn't mean they
don't want to communicate securely between those meetings.
My target market has couriers to relay the keys by hand,
and they coordinate all their activities in this way.
Between courier runs, they need to communicate in private.

>
> 4. No single hash will be used as the key for any cipher. This actually
> reduces security instead of increasing it. To show you clearly why
this is
> the case, which is easier to read:
> The eagle lands at noonThe eag
> The eagle
> Which one carries more information? The first does clearly, while this
> example itself does not scale well into cryptography the concept itself
> does. It is actually more security efficient to use a large hash and
trim
> than expand a small hash.
>

No individual short hash is expanded.
Many short hashes are concatenated.
Next release, many longer hashes will be concatenated.

>
> 5. No single cipher. This actually seems somewhat reasonable considering
> that your target market seems to be paranoid (rightly or wrongly doesn't
> matter) individuals. But the question remains, why didn't you choose
either
> of the most trustable ciphers available when you wrote the software?
3DES
> and AES, both were available before the introduction of SHA-256 so
that was
> not the problem. The relationship to NIST and the NSA isn't the problem
> because you use 2 hash functions from them. It seems that the choice was
> made to make the security implications as large as possible.
>

Just like individual hashes are frequently broken,
so are ciphers. No reason to trust just one, and
every reason to use many. See for example:

http://www.ciphersbyritter.com/GLOSSARY.HTM#RiskAnalysis
http://www.ciphersbyritter.com/GLOSSARY.HTM#MultipleEncryption
http://www.ciphersbyritter.com/NEWS6/MULTSHAN.HTM
http://www.ciphersbyritter.com/NEWS6/CASCADE.HTM

>
> The choice of 3IDEA is the most troubling because I doubt you
licensed it
> from the inventors and being a patented algorithm that is licensed
for any
> for profit enterprise you are opening your users up to not only the
attack
> on anyone using cryptography, but also IP attacks. At every turn you
seem to
> have made the most questionable choice possible.
>

And such is the difference between private and public software.
CryptoSMS has been in use for many years now, in some heavily
adversarial situations, but it has never before been offered to
the public. Now that you point out this patent issue, 3IDEA
will be dropped in the next release, so what we will have is
AES over ARC4 over Blowfish. Same thinking still applies; in
fact, this fits design consideration #5 better, since the two
block ciphers will have different block sizes.

>
> I would say that through your random walk you have probably reached a
point
> where it is easier to torture the information out of the perpetrator
(after
> all you have the evidence of the program) than it is to break. I still
> stand by my statement earlier that this should be enough to keep your
wife
> from finding out about your mistress, but it's not going to work
against a
> government. If for no other reason than a government can break
several of
> your security assumptions.
> Joe
>

So let me get this straight, you are saying that
CryptoSMS is strong enough that it's easier to torture
the information out of a user than it is to break the
messages? Is that what you mean? If so, thanks for the
endorsement, because that was the goal. If the attacker
must resort to violence to break the messages, then the
encryption has held the line.

Lastly, thanks for leaving out the ad hominem attacks
like "morons" or "fraud", and substituting them with
salient points and good ideas. It was most appreciated.
I look forward to further discussions. Having only just
discovered Usenet, it strikes me as an interesting and
useful resource.

Joseph Ashwood

unread,
Jun 22, 2005, 12:23:37 AM6/22/05
to
<Cry...@S.M.S> wrote in message news:11bhh4e...@news.supernews.com...

> Joseph Ashwood wrote:
> Yes, hashes are defeated on a scarily dependable basis.
> That's why it's a bad idea to rely on only one of them.

And yet you persist in relying on the security of each of them as
independent entities due to the low entropy that will be present.

> Also, these "broken" hashes are only "broken" in that it
> takes less work than expected to find a collision. In
> order to defeat CryptoSMS encryption, you would have to
> find a simultaneous collision in all six hashes at once.
> Care to comment on the difficulty of that processing?

Certainly. Assuming a common passphrase length of around 20 characters, and
assuming it is English, this will have 20-30 bits of entropy, MD5 will be
enough to uniquely identify each of these, and MD5 can be effectively
reversed under these circumstances in under 1 hour. This will yield the
entire original passphrase, leading immediately to a complete compromise. So
1 hour.

> > Now on to your other specific claims:
> > 1. Must use no keyrings. This is very much a flawed way of going about
> > removing keyrings. You are opening avenues of attack without closing
> > anything of note. Your stated purpose for this is to avoid evidence
> of use;
> > instead you simply remove security. There are many ways of removing
> keyrings
> > without removing security, and a great deal of very good research is
> > available in the subject.
> >
>
> Any pointers in that regard?

http://www.schneier.com/biblio/all-by-author.html

> I would be interested in
> the research done on removing keys.

That's not what I said. I said the research was on removing keyrings, a very
important difference. The easiest way I can think of to do it, and remain
secure is to use a blinding facility. For a well founded example simply use
multiple accounts at hushmail.com (one for daily chitchat, one for security
purposes, chitchat provides cover), all messages from the security account
go through the anonymous remailer network. Now all your keys are stored on a
remote server, downloaded as needed and destroyed to prevent leaking. All
important communication does not have any informaion linking sender and
recipient, in fact recipient does not even have to know who the send is.

> This is a very
> important issue to CryptoSMS designers and users alike.
> I know of at least one instance where French investigators
> confiscated several mobile devices. Those which had PGP
> Mobile installed were subsequently entered into evidence;
> whereas those with CryptoSMS installed were later returned.

And you consider that evidence that CryptoSMS is safe? France has a rather
blanket ban on cryptography. Obviously the French authorities did not
consider CryptoSMS to be of any cryptographic concern.

> Second, people frequently install (and even pay for) software they
> do not use.

Give me just one example from your system.

> Besides, what we're talking about here is "proof of
> use", not actual use. CryptoSMS operates in such a way that it
> can not be proven to be in use.

Except for the transmission records. Except for the last use. Except for a
large number of other things that CryptoSMS cannot cover.

> Third, you are forgetting how easy it is to change the SIM card
> in a PocketPC, thus rendering SMS logs unaccountable.

I was not referring to the SIM card, I was referring to the tapping ability
available to all law enforcement agencies throughout the world.

> Most of
> the users of CryptoSMS have many dozens of prepaid SIM cards,
> each one for use in particular situations, and only one of them
> kept in the phone for daily, personal use.

Considering that you only have vague claims of any users, I doubt that. Real
security comes from real education and real processes. Fake security comes
from individuals without the proper education who rely on muddying the
waters to the point where people lose interest.

> Sure, cell phone
> logs can prove that somebody, somewhere sent encrypted SMS, but
> did they come from the particular phone you have in your hand?
> Can't be proven, hence can't be held against you.

Al Capone makes a wonderful counter example, Scott Peterson another one.
Both of those were actually in a country with "innocent until proven
guilty." In Capone's case the side evidence was enough to convict him and
deliver an effective death penalty. Peterson's case hinged on the lack of
evidence. The possession of those cards will be more than enough to acquire
the logs from them (due to the difficult to copy nature), your entire
argument relies completely on a misunderstanding of even the barest
fundamentals of law. CryptoSMS relies on bad cryptography, and when that is
pointed out the attempt is made to rely on bad legal knowledge, either way
it is flawed.

> > 3. Used by people who meet often. If they meet often it would be far
> more
> > effective to simply relay tha messages in person. And by people who
> have "a
> > lot to lose," the truth is that people who truly do have a lot to
> lose by
> > meeting do not meet often. Your target market will find this a huge
> > disadvantage.
> >
>
> Just because people can meet often doesn't mean they
> don't want to communicate securely between those meetings.
> My target market has couriers to relay the keys by hand,
> and they coordinate all their activities in this way.
> Between courier runs, they need to communicate in private.

And you think that they will use your garbage instead of something secure?
See my last comment, they would be fools to attempt that.

>
> >
> > 4. No single hash will be used as the key for any cipher. This actually
> > reduces security instead of increasing it. To show you clearly why
> this is
> > the case, which is easier to read:
> > The eagle lands at noonThe eag
> > The eagle
> > Which one carries more information? The first does clearly, while this
> > example itself does not scale well into cryptography the concept itself
> > does. It is actually more security efficient to use a large hash and
> trim
> > than expand a small hash.
> >
>
> No individual short hash is expanded.
> Many short hashes are concatenated.
> Next release, many longer hashes will be concatenated.

The information is reused, that is where the issue comes in. Once you have
used the information for a key it needs to be never reused. Instead you
immediately reuse it 5 times. CryptoSMS is based on bad cryptography.

> Just like individual hashes are frequently broken,
> so are ciphers.

Going back to the exact same question I had before. Why did you choose not
to use 3DES or AES? Both are considered strong. Both are far more analyzed
than IDEA, 3IDEA, or Blowfish. The choice of ARC4 is particularly troubling
because it is for most purposes horribly and utterly broken.

>[Next release] will have is


> AES over ARC4 over Blowfish.

Bad move. I can't immediately find the reference but multiple layers of
encryption have been analyzed many times, and the result is always the same.
Encrypt with the strongest first. I also notice that you still lack a viable
MAC in there, I'd suggest removing that glaring hole first.

> Same thinking still applies; in
> fact, this fits design consideration #5 better, since the two
> block ciphers will have different block sizes.

You will still have key distribution problems, your solution seems to be
"It's not my problem" which is incorrect because CryptoSMS handles the keys
and does it's own internal distribution. Also there is the continuing
problem with the lack of functioning MAC. I strongly recommend reading the
RFCs for OpenPGP before you do your next design. Basically all you have to
do is copy that design.

> So let me get this straight, you are saying that
> CryptoSMS is strong enough that it's easier to torture
> the information out of a user than it is to break the
> messages? Is that what you mean? If so, thanks for the
> endorsement, because that was the goal. If the attacker
> must resort to violence to break the messages, then the
> encryption has held the line.

Actually my statement was that your methods open the possibility of torture
as a viable option because these same people that you are selling your bad
design to have a very strong need for anonymity, a concept that you violate
at every turn.

> Lastly, thanks for leaving out the ad hominem attacks
> like "morons" or "fraud", and substituting them with
> salient points and good ideas.

I find it most important to begin by pointing things out forcefully because
of the nature of cryptography. A weak beginning generally ends up completely
ignored and so the necessary conversations cannot take place. By beginning
forcefully the general result is to remove commercial viability of products
that should not be viable, thereby garnering the desired result from the
beginning.

> It was most appreciated.
> I look forward to further discussions. Having only just
> discovered Usenet, it strikes me as an interesting and
> useful resource.

It can be quite useful. Some places more than others. Sci.crypt is one of
those places that can be very helpful, but I believe it was Bob Silverman
who said that it is extremely coarse and that most people don't survive here
very long. Those that do are generally quite knowledgable and always
extremely thick skinned.
Joe


Stephen Sprunk

unread,
Jun 22, 2005, 12:41:35 AM6/22/05
to
<Cry...@S.M.S> wrote in message
news:11bhh4e...@news.supernews.com...

> Joseph Ashwood wrote:
> > <Cry...@S.M.S> wrote in message
> news:11bf06c...@news.supernews.com...
> > Well assuming you don't have typos up there. Here is the actual
> > status of
> > them:
> > MD2 - dead
> > MD5 - dead
> > SHS - dead
> > SHA2 - alive
> > HAVAL - dead
> > RipeMD - dead
> >
> > So I believe the question really is. Did you actually read the
> > references cited by that page? More importantly did you
> > understand them. 5/6 of them are dead, MD5 is so dead that 15
> > minutes on a laptop is enough. Each of these broken hash
> > functions will leak information about the passphrase with the
> > passphrases that will be expected to be of short term use (20
> > characters) that is in the neighborhood of 30-bits of entropy to
> > begin with (by Shannon) so any of those hash functions should
> > be more than enough to leak the entire passphrase. Additionally,
> > the most recent of these attacks are by Wang et al. who quite
> > frankly seem to defeat hashes that are MD5 derivatives on a
> > scarily dependable basis.
>
> Yes, hashes are defeated on a scarily dependable basis.
> That's why it's a bad idea to rely on only one of them.

Exactly what research shows that chaining multiple broken algorithms
together improves security at all? It seems to me that would weaken the
total system rather than strengthening it.

There's no excuse for using algorithms that are already known to be
broken. Fearing a break in the future is one thing, and perhaps
multiple unbroken hashes (with no common ancestry) might make sense in
that case, but that sort of caution simply doesn't apply to breaks that
are already known. When something is broken, you _stop using it_ and
switch to something that isn't broken, not chain multiple broken things
together.

> Also, these "broken" hashes are only "broken" in that it
> takes less work than expected to find a collision. In
> order to defeat CryptoSMS encryption, you would have to
> find a simultaneous collision in all six hashes at once.
> Care to comment on the difficulty of that processing?

Or, depending on how the interactions work, a collision in any one of
the hashes could break the entire system. Using one (preferably one
that isn't known to be broken) would actually improve security.

Also, since there is only likely to be <30 bits of entropy from the
user, odds are it's easier to break the system by brute force than
bothering to attack the algorithms themselves. When 2^56 work is
available to non-profit orgs, do you really think 2^30 work will stop a
major government from reading your data? Heck, you could skip sharing
passphrases entirely and just have the recipient's cell phone brute
force every message received -- no keys required.

> > If you were really going for security, why not simply rely on the
> > big hashes that offer the most security; Whirlpool and SHA-512.
> > SHA-512 was available when you wrote the software as it was
> > released at the same time as what you mistakenly call SHA2
> > which is actually called SHA-256, and Whirlpool was released
> > in the same timeframe.
>
> Oh yes, definitely. The next layer in the CryptoSMS stack
> will be AES using key hashes from Whirlpool (as mentioned in
> the previous post). And SHA256 will be replaced by 512.
> Why not? Everybody knows size matters.

So why bother adding the other broken "layers" into the mix when you
have options that would be completely secure today standing on their
own?

If someone figures out how to break SHA512, Whirlpool, and AES256, we've
got much bigger problems than CryptoSMS. For your problem space, the
level of risk for state-of-the-art algorithms is far, far lower than is
remotely relevant.

> > 2. Should actually be rephrased as there is no additional space
> > taken up by each execution including the first. First, this is a
> > restatement of #1. Second you have missed the fact that SMS
> > messages are sent over cell networks which can be easily
> > broken, very quickly revealing usage regardless of anything you
> > do. Third, no sane person would pay for and install a program
> > that they would not use, least of all one that is illegal to simply
> > possess as would be the case for your alleged target market.
>
> First, this is not a restatement of #1.
> Requirement #1 deals with keys & keyrings.
> Requirement #2 deals with saved messages & temporary files.
>
> Second, people frequently install (and even pay for) software they
> do not use. Besides, what we're talking about here is "proof of
> use", not actual use. CryptoSMS operates in such a way that it
> can not be proven to be in use.

In the hostile environment that your system is designed for, the actual
encrypted messages must be assumed to be available. Unless you build in
some incredible steganography, it will be obvious that they are
encrypted messages which, combined with the presence of software that
generates such messages, is enough to prove use -- if the country you're
operating in even requires real proof before torturing and killing you
and all your friends.

> Third, you are forgetting how easy it is to change the SIM card
> in a PocketPC, thus rendering SMS logs unaccountable. Most of
> the users of CryptoSMS have many dozens of prepaid SIM cards,
> each one for use in particular situations, and only one of them
> kept in the phone for daily, personal use. Sure, cell phone
> logs can prove that somebody, somewhere sent encrypted SMS, but
> did they come from the particular phone you have in your hand?
> Can't be proven, hence can't be held against you.

The GSM network knows what handset you're using, not just what SIM
you're using at the moment. They could easily figure out which phone
was yours, record all SIMs that are used in it, and record all SMS
messages sent from either that phone or those SIMs, as well as everyone
you send SMSs to, and their SIMs/phones, etc.

Even if they don't suspect you to start with, they can analyze the
messages flowing through the network and determine which are encrypted,
mark the phone and SIM as "suspect" and begin the above process -- not
to mention triangulating where you are, tracking back to where each was
purchased and getting video tapes, etc.

> > 3. Used by people who meet often. If they meet often it would be
> > far more effective to simply relay tha messages in person. And
> > by people who have "a lot to lose," the truth is that people who
> > truly do have a lot to lose by meeting do not meet often. Your
> > target market will find this a huge disadvantage.
>
> Just because people can meet often doesn't mean they
> don't want to communicate securely between those meetings.
> My target market has couriers to relay the keys by hand,
> and they coordinate all their activities in this way.
> Between courier runs, they need to communicate in private.

I actually agree with you on that point.

> > 5. No single cipher. This actually seems somewhat reasonable
> > considering that your target market seems to be paranoid (rightly
> > or wrongly doesn't matter) individuals. But the question remains,
> > why didn't you choose either of the most trustable ciphers
> > available when you wrote the software? 3DES and AES, both
> > were available before the introduction of SHA-256 so that was
> > not the problem. The relationship to NIST and the NSA isn't the
> > problem because you use 2 hash functions from them. It seems
> > that the choice was made to make the security implications as
> > large as possible.
>
> Just like individual hashes are frequently broken,
> so are ciphers. No reason to trust just one, and
> every reason to use many. See for example:
>
> http://www.ciphersbyritter.com/GLOSSARY.HTM#RiskAnalysis
> http://www.ciphersbyritter.com/GLOSSARY.HTM#MultipleEncryption
> http://www.ciphersbyritter.com/NEWS6/MULTSHAN.HTM
> http://www.ciphersbyritter.com/NEWS6/CASCADE.HTM

I have much more faith in the NSA's endorsement of AES than your
construction of older, weaker ciphers getting keys from multiple weak,
broken hashes.

Again, if AES is broken (in a practical, non-academic sense) the safety
of your users will likely not matter because the world financial markets
will be collapsing, military control channels will be exposed, etc.
Your users are likely to be killed in the resulting riots or wars before
some fascist government comes after them.

> > I would say that through your random walk you have probably
> > reached a point where it is easier to torture the information out
> > of the perpetrator (after all you have the evidence of the program)
> > than it is to break. I still stand by my statement earlier that
this
> > should be enough to keep your wife from finding out about your
> > mistress,

I'm not sure I'd even go that far; the limited keyspace might not even
protect against that if your wife is reasonably bright. At best, she'll
know you're doing something you won't tell her about, in which case
she'll assume the correct answer. You're toast anyways.

> > but it's not going to work against a government. If for no other
> > reason than a government can break several of your security
> > assumptions.
>

> So let me get this straight, you are saying that
> CryptoSMS is strong enough that it's easier to torture
> the information out of a user than it is to break the
> messages? Is that what you mean? If so, thanks for the
> endorsement, because that was the goal. If the attacker
> must resort to violence to break the messages, then the
> encryption has held the line.

That is an extremely low standard to meet; if that is your only goal,
might I suggest something along the lines of rot13? Or a simple code
book instead of a cipher?

In the environments you anticipate, torture of even innocent people is
an everyday occurrence. Even an OTP (the holy grail) can be broken if
you put a gun to the keyholder's head; that doesn't mean every system is
as secure as a OTP.

IMHO, a more realistic goal for this target market is preventing people
from finding out you're using encryption at all, or at least being
unable to prove that it's in use. That's much tougher than providing a
secure (or in this case, flawed) but obvious communication channel.

S

--
Stephen Sprunk "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov


Andrew Swallow

unread,
Jun 22, 2005, 11:22:56 AM6/22/05
to
Stephen Sprunk wrote:

[snip]

> IMHO, a more realistic goal for this target market is preventing people
> from finding out you're using encryption at all, or at least being
> unable to prove that it's in use. That's much tougher than providing a
> secure (or in this case, flawed) but obvious communication channel.

Find out what the CIA and KGB were doing to communicate with their spies
20 years ago. Use a modified version of that.

What is being used today is still secret but the previous system may be
in someone's memoirs.

Andrew Swallow

"- Prof. Jonez坼

unread,
Jun 22, 2005, 10:39:28 AM6/22/05
to
Joseph Asswood wrote:
> <Cry...@S.M.S> wrote in message
> news:11bhh4e...@news.supernews.com...
> > Joseph Ashwood wrote:
> > Yes, hashes are defeated on a scarily dependable basis.
> > That's why it's a bad idea to rely on only one of them.
>
> And yet you persist in relying on the security of each of them as
> independent entities due to the low entropy that will be present.
>
> > Also, these "broken" hashes are only "broken" in that it
> > takes less work than expected to find a collision. In
> > order to defeat CryptoSMS encryption, you would have to
> > find a simultaneous collision in all six hashes at once.
> > Care to comment on the difficulty of that processing?
>
> Certainly. Assuming a common passphrase length of around 20
> characters, and assuming it is English, this will have 20-30 bits of
> entropy, MD5 will be enough to uniquely identify each of these, and
> MD5 can be effectively reversed under these circumstances in under 1
> hour. This will yield the entire original passphrase, leading
> immediately to a complete compromise. So 1 hour.

It's been over 165 hours ...so put up or shut up --

Andrew Swallow

unread,
Jun 22, 2005, 11:14:00 AM6/22/05
to
Joseph Ashwood wrote:

[snip]

>
> Certainly. Assuming a common passphrase length of around 20 characters, and
> assuming it is English, this will have 20-30 bits of entropy, MD5 will be
> enough to uniquely identify each of these, and MD5 can be effectively
> reversed under these circumstances in under 1 hour. This will yield the
> entire original passphrase, leading immediately to a complete compromise. So
> 1 hour.

A point of definition use a passphrase rather than a password. A
password can have 20 characters. A passphrase 20 *words*. Tell your
users not to use a quotation since they are guessable.

Andrew Swallow

Cry...@s.m.s

unread,
Jun 22, 2005, 6:00:33 AM6/22/05
to
Joseph Ashwood wrote:
> <Cry...@S.M.S> wrote in message
news:11bhh4e...@news.supernews.com...
>
>>Joseph Ashwood wrote:
>>Yes, hashes are defeated on a scarily dependable basis.
>>That's why it's a bad idea to rely on only one of them.
>
>
> And yet you persist in relying on the security of each of them as
> independent entities due to the low entropy that will be present.
>
>
>>Also, these "broken" hashes are only "broken" in that it
>>takes less work than expected to find a collision. In
>>order to defeat CryptoSMS encryption, you would have to
>>find a simultaneous collision in all six hashes at once.
>>Care to comment on the difficulty of that processing?
>
>
> Certainly. Assuming a common passphrase length of around 20
characters, and
> assuming it is English, this will have 20-30 bits of entropy, MD5
will be
> enough to uniquely identify each of these, and MD5 can be effectively
> reversed under these circumstances in under 1 hour. This will yield the
> entire original passphrase, leading immediately to a complete
compromise. So
> 1 hour.
>

Would you make this same estimate again, without the assumptions?
For example, pass phrases that contain no english words, and have
punctuation, something along the lines of:

Super!cali@frag#ili$tic%expi^ali&do*tiouS

Take a look at the punctuation along the top of number keys, and
you can see how this was constructed. These pass phrase patterns
are what's in actual use, since my original users are well aware
of the limitations of English passwords.

>
>>>Now on to your other specific claims:
>>>1. Must use no keyrings. This is very much a flawed way of going about
>>>removing keyrings. You are opening avenues of attack without closing
>>>anything of note. Your stated purpose for this is to avoid evidence
>>
>>of use;
>>
>>>instead you simply remove security. There are many ways of removing
>>
>>keyrings
>>
>>>without removing security, and a great deal of very good research is
>>>available in the subject.
>>>
>>
>>Any pointers in that regard?
>
>
> http://www.schneier.com/biblio/all-by-author.html
>

Thanks for that. It's a wonderful list, but I was asking about
the specifics of systems that remove their keyrings.

>
>>I would be interested in
>>the research done on removing keys.
>
>
> That's not what I said. I said the research was on removing keyrings,
a very
> important difference. The easiest way I can think of to do it, and
remain
> secure is to use a blinding facility. For a well founded example
simply use
> multiple accounts at hushmail.com (one for daily chitchat, one for
security
> purposes, chitchat provides cover), all messages from the security
account
> go through the anonymous remailer network. Now all your keys are
stored on a
> remote server, downloaded as needed and destroyed to prevent leaking.
All
> important communication does not have any informaion linking sender and
> recipient, in fact recipient does not even have to know who the send is.
>

Blinding is great, remember anon.penet.fi?
But that really won't help in the SMS arena,
unless you want to run your own SMSC.

>
>>This is a very
>>important issue to CryptoSMS designers and users alike.
>>I know of at least one instance where French investigators
>>confiscated several mobile devices. Those which had PGP
>>Mobile installed were subsequently entered into evidence;
>>whereas those with CryptoSMS installed were later returned.
>
>
> And you consider that evidence that CryptoSMS is safe? France has a
rather
> blanket ban on cryptography. Obviously the French authorities did not
> consider CryptoSMS to be of any cryptographic concern.
>

Again making unfair assumptions. In this particular case,
everybody got serious interrogations. The ban is on using
crypto software, not on possession of it. This happened
early last year, and I am surprised you don't know about it.
I am fairly sure it was reported in the news. My users got
their machines back, but with my software de-installed.
They were also warning not to install similar systems.
Obviously the French thought there was some threat to it.

>
>>Second, people frequently install (and even pay for) software they
>>do not use.
>
>
> Give me just one example from your system.
>

Numerous games, all of them bought & paid for, seldom if
ever played. There are other examples, but you asked for one.

>
>>Besides, what we're talking about here is "proof of
>>use", not actual use. CryptoSMS operates in such a way that it
>>can not be proven to be in use.
>
>
> Except for the transmission records. Except for the last use. Except
for a
> large number of other things that CryptoSMS cannot cover.
>

No it can't, but the transmission records on PocketPCs
can be easily cleared by many programs.

>
>>Third, you are forgetting how easy it is to change the SIM card
>>in a PocketPC, thus rendering SMS logs unaccountable.
>
>
> I was not referring to the SIM card, I was referring to the tapping
ability
> available to all law enforcement agencies throughout the world.
>

Yes, but how do these categorise their logs?
Obviously the French were unable to match these
logs to the machines they temporarily confiscated.

>
>>Most of
>>the users of CryptoSMS have many dozens of prepaid SIM cards,
>>each one for use in particular situations, and only one of them
>>kept in the phone for daily, personal use.
>
>
> Considering that you only have vague claims of any users, I doubt
that. Real
> security comes from real education and real processes. Fake security
comes
> from individuals without the proper education who rely on muddying the
> waters to the point where people lose interest.
>

These aren't vague claims.
These are first hand accounts from actual users known
personally and met with face-to-face.

>
>>Sure, cell phone
>>logs can prove that somebody, somewhere sent encrypted SMS, but
>>did they come from the particular phone you have in your hand?
>>Can't be proven, hence can't be held against you.
>
>
> Al Capone makes a wonderful counter example, Scott Peterson another one.
> Both of those were actually in a country with "innocent until proven
> guilty." In Capone's case the side evidence was enough to convict him
and
> deliver an effective death penalty. Peterson's case hinged on the
lack of
> evidence. The possession of those cards will be more than enough to
acquire
> the logs from them (due to the difficult to copy nature), your entire
> argument relies completely on a misunderstanding of even the barest
> fundamentals of law. CryptoSMS relies on bad cryptography, and when
that is
> pointed out the attempt is made to rely on bad legal knowledge,
either way
> it is flawed.
>

This is a very bad example, since in Capone's case there
was direct testimony as to where the stacks of cash went.

And what cards are you talking about? The SIM cards?
I already stated that the SIM cards are not kept with
the phone. Assume even the handsets change, because
this is actually the case. Mine has changed many times
this year, sometimes once per month, as new models appear.

>
>>>3. Used by people who meet often. If they meet often it would be far
>>
>>more
>>
>>>effective to simply relay tha messages in person. And by people who
>>
>>have "a
>>
>>>lot to lose," the truth is that people who truly do have a lot to
>>
>>lose by
>>
>>>meeting do not meet often. Your target market will find this a huge
>>>disadvantage.
>>>
>>
>>Just because people can meet often doesn't mean they
>>don't want to communicate securely between those meetings.
>>My target market has couriers to relay the keys by hand,
>>and they coordinate all their activities in this way.
>>Between courier runs, they need to communicate in private.
>
>
> And you think that they will use your garbage instead of something
secure?
> See my last comment, they would be fools to attempt that.
>

No, I think it is you who are misunderstanding the
legal implications, but maybe some of the misc.legal
readers can jump in here. How would the authorities
"prove" you were using encryption? For purposes of
discussion, assume you have only the program, and no
data produced by it.

>
>>>4. No single hash will be used as the key for any cipher. This actually
>>>reduces security instead of increasing it. To show you clearly why
>>
>>this is
>>
>>>the case, which is easier to read:
>>>The eagle lands at noonThe eag
>>>The eagle
>>>Which one carries more information? The first does clearly, while this
>>>example itself does not scale well into cryptography the concept itself
>>>does. It is actually more security efficient to use a large hash and
>>
>>trim
>>
>>>than expand a small hash.
>>>
>>
>>No individual short hash is expanded.
>>Many short hashes are concatenated.
>>Next release, many longer hashes will be concatenated.
>
>
> The information is reused, that is where the issue comes in. Once you
have
> used the information for a key it needs to be never reused. Instead you
> immediately reuse it 5 times. CryptoSMS is based on bad cryptography.
>

By "information", do you mean the passphrase?
You are calling something "bad", without explaining
your terms. This is exactly the kind of personal
opinion that you should leave out of a technical
discussion, because in this case, you are wrong.
The hashes are not being reused. Each hash is
used by one cipher, and not by the others.

>
>>Just like individual hashes are frequently broken,
>>so are ciphers.
>
>
> Going back to the exact same question I had before. Why did you
choose not
> to use 3DES or AES? Both are considered strong. Both are far more
analyzed
> than IDEA, 3IDEA, or Blowfish. The choice of ARC4 is particularly
troubling
> because it is for most purposes horribly and utterly broken.
>

Didn't pick 3DES because we wanted longer keys.
Didn't pick AES because that hadn't been thought
up yet when this project was first envisioned.
As mentioned before, an AES-equipped version is
forthcoming. ARC4 has only been broken in very
specific cases. Is there a better stream cipher?

>
>>[Next release] will have is
>>AES over ARC4 over Blowfish.
>
>
> Bad move. I can't immediately find the reference but multiple layers of
> encryption have been analyzed many times, and the result is always
the same.
> Encrypt with the strongest first. I also notice that you still lack a
viable
> MAC in there, I'd suggest removing that glaring hole first.
>

The jury's still out on encryption stacks.
There's been discussion in this newgroup on that very point,
and some very good arguments made in favor of encryption stacks:

http://www.ciphersbyritter.com/GLOSSARY.HTM#RiskAnalysis

There have been lots of similar links posted to this
newsgroup, so there is no sense in returning to beat
the dead horse. This is yet another point on which
we will continue to disagree. I do not like to put
all my eggs in one cryptographic basket, and there are
many others that agree.

>
>>Same thinking still applies; in
>>fact, this fits design consideration #5 better, since the two
>>block ciphers will have different block sizes.
>
>
> You will still have key distribution problems, your solution seems to be
> "It's not my problem" which is incorrect because CryptoSMS handles
the keys
> and does it's own internal distribution. Also there is the continuing
> problem with the lack of functioning MAC. I strongly recommend
reading the
> RFCs for OpenPGP before you do your next design. Basically all you
have to
> do is copy that design.
>

With key distribution comes keyrings, and these are
being avoided for reasons previously mentioned.
Public key encryption is great for strangers who
communicate in free countries. CryptoSMS is for
more difficult situations, where deniability is
paramount. If there are no keyrings there is the
sliver of doubt, and some legal situations hang
on this balance. I am sure this is a point that
the misc.legal readers will all have an opinion
on.

Oh, thanks for clearing that up. You start out nasty in order
to attract attention. I have to admit it worked, because your
ugly name calling in the original posting is what encouraged
me to find a personal news service and respond (nope, my ISP
does not provide Usenet). Friends told me about Supernews, and I
suppose it works fairly well. People say there is lots of porno
spam on Usenet, but I have not seen any (yet).

>
>>It was most appreciated.
>>I look forward to further discussions. Having only just
>>discovered Usenet, it strikes me as an interesting and
>>useful resource.
>
>
> It can be quite useful. Some places more than others. Sci.crypt is
one of
> those places that can be very helpful, but I believe it was Bob
Silverman
> who said that it is extremely coarse and that most people don't
survive here
> very long. Those that do are generally quite knowledgable and always
> extremely thick skinned.
> Joe
>
>

You don't have to be thick skinned to appreciate good
manners coupled with informative replies. On the other
hand, there are those of us who don't mind wading through
the gutter, if it will yield the clues we're looking for.

Mike Amling

unread,
Jun 22, 2005, 3:39:14 PM6/22/05
to
Joseph Ashwood wrote:
> <Cry...@S.M.S> wrote in message news:11bhh4e...@news.supernews.com...
>
>>Second, people frequently install (and even pay for) software they
>>do not use.
>
> Give me just one example from your system.

No, this is legitimate. Downloading software that's never used must
be quite common. If you've got the space, there's no point in not
downloading (free beer) software that's the least bit interesting,
because if you wait until you're sure it's useful, it may no longer be
available. I certainly have a lot of programs I've never run, e.g.
Jalopy, YGuard.

--Mike Amling

Cry...@s.m.s

unread,
Jun 22, 2005, 4:43:24 PM6/22/05
to

This "expert" has thrown out many insults
and even more unsubstantiated claims. It
would be appreciated if he could put some
action where his words are. Or, is he
overinflated with his own hot air?

Joseph Ashwood

unread,
Jun 22, 2005, 8:36:33 PM6/22/05
to
<Cry...@S.M.S> wrote in message news:11bidm8...@news.supernews.com...

Ok I'll make the assumption from the passphrase style that you gave, 31 bits
of entropy from the base word, at most 16 bits of entropy from your
punctuation, that makes 47 bits of entropy, so still about 1 hour, most of
the time will still be spent by a human entering probabilities. Also that
kind of passphrase is relatively difficult to remember versus the type of
passphrases that those educated in security use (diceware).

> >>>a great deal of very good research is
> >>>available in the subject.
> >>>
> >>
> >>Any pointers in that regard?
> >
> >
> > http://www.schneier.com/biblio/all-by-author.html
> >
>
> Thanks for that. It's a wonderful list, but I was asking about
> the specifics of systems that remove their keyrings.

I didn't feel like wasting my time digging through the large list, instead I
gave you the research you'll need to do it all.


> Blinding is great, remember anon.penet.fi?
> But that really won't help in the SMS arena,
> unless you want to run your own SMSC.

Quite the contrary virtually all SMS systems in use today include an email
bridge, making this not only possible, but extremely useful as well.


> Again making unfair assumptions. In this particular case,
> everybody got serious interrogations. The ban is on using
> crypto software, not on possession of it. This happened
> early last year, and I am surprised you don't know about it.
> I am fairly sure it was reported in the news.

A quick google shows no mention of CryptoSMS at any credible news sources
(AP, CNN, The Register, ZDNET, CNET, etc) but several mentions on
talkaboutdrugs.com, even there I didn't see any immediate evidence of your
claim.

> >>Second, people frequently install (and even pay for) software they
> >>do not use.
> >
> >
> > Give me just one example from your system.
> >
>
> Numerous games, all of them bought & paid for, seldom if
> ever played. There are other examples, but you asked for one.

Back to the nebulous claims. I will ask again for one specific example from
your system.

> >>Besides, what we're talking about here is "proof of
> >>use", not actual use. CryptoSMS operates in such a way that it
> >>can not be proven to be in use.
> >
> >
> > Except for the transmission records. Except for the last use. Except
> for a
> > large number of other things that CryptoSMS cannot cover.
> >
>
> No it can't, but the transmission records on PocketPCs
> can be easily cleared by many programs.

As I've said before, and I will likely have to say again, the transmisison
records of note are the records kept by the upstream provider for billing
purposes. You really have no choice but to acknowledge defeat on all these
points. CryptoSMS cannot affect the records kept by the provider, and cannot
affect the usage data kept by the OS. Your entire argument of "They can't
tell if it's been used" is completely eliminated, completely useless, and
demonstrates that your product really is in the category I stated protection
for mistress from wife, but not against authorities.

> >>Third, you are forgetting how easy it is to change the SIM card
> >>in a PocketPC, thus rendering SMS logs unaccountable.
> >
> >
> > I was not referring to the SIM card, I was referring to the tapping
> ability
> > available to all law enforcement agencies throughout the world.
> >
>
> Yes, but how do these categorise their logs?
> Obviously the French were unable to match these
> logs to the machines they temporarily confiscated.

Obviously the French did not investigate, otherwise they would have
requested the logs from the provider and had solid evidence of use.You have
lost and will continue to lose this point, reality is against you.

>
> >
> >>Most of
> >>the users of CryptoSMS have many dozens of prepaid SIM cards,
> >>each one for use in particular situations, and only one of them
> >>kept in the phone for daily, personal use.
> >
> >
> > Considering that you only have vague claims of any users, I doubt
> that. Real
> > security comes from real education and real processes. Fake security
> comes
> > from individuals without the proper education who rely on muddying the
> > waters to the point where people lose interest.
> >
>
> These aren't vague claims.

Your only solid claim to a usership was the French investigation, which as I
pointed out shows no record.

> These are first hand accounts from actual users known
> personally and met with face-to-face.

And because it is coming from you instead of them, or researchers, or any
authority of any kind it is a nebulous claim with no way to verify it. Your
only real claim does not show up anywhere of note.

>
> >
> >>Sure, cell phone
> >>logs can prove that somebody, somewhere sent encrypted SMS, but
> >>did they come from the particular phone you have in your hand?
> >>Can't be proven, hence can't be held against you.
> >
> >
> > Al Capone makes a wonderful counter example, Scott Peterson another one.
> > Both of those were actually in a country with "innocent until proven
> > guilty." In Capone's case the side evidence was enough to convict him
> and
> > deliver an effective death penalty. Peterson's case hinged on the
> lack of
> > evidence. The possession of those cards will be more than enough to
> acquire
> > the logs from them (due to the difficult to copy nature), your entire
> > argument relies completely on a misunderstanding of even the barest
> > fundamentals of law. CryptoSMS relies on bad cryptography, and when
> that is
> > pointed out the attempt is made to rely on bad legal knowledge,
> either way
> > it is flawed.
> >
>
> This is a very bad example, since in Capone's case there
> was direct testimony as to where the stacks of cash went.

And in the cell/mobile phone case they have exact records of where each SMS
message went. The example fits extremely well.

>
> And what cards are you talking about? The SIM cards?
> I already stated that the SIM cards are not kept with
> the phone. Assume even the handsets change, because
> this is actually the case. Mine has changed many times
> this year, sometimes once per month, as new models appear.

Assume a search warrant, it's perfectly reasonable.

> >>>3. Used by people who meet often. If they meet often it would be far
> >>
> >>more
> >>
> >>>effective to simply relay tha messages in person. And by people who
> >>
> >>have "a
> >>
> >>>lot to lose," the truth is that people who truly do have a lot to
> >>
> >>lose by
> >>
> >>>meeting do not meet often. Your target market will find this a huge
> >>>disadvantage.
> >>>
> >>
> >>Just because people can meet often doesn't mean they
> >>don't want to communicate securely between those meetings.
> >>My target market has couriers to relay the keys by hand,
> >>and they coordinate all their activities in this way.
> >>Between courier runs, they need to communicate in private.
> >
> >
> > And you think that they will use your garbage instead of something
> secure?
> > See my last comment, they would be fools to attempt that.
> >
>
> No, I think it is you who are misunderstanding the
> legal implications, but maybe some of the misc.legal
> readers can jump in here. How would the authorities
> "prove" you were using encryption?

Doesn't take a legal reader for that, it's easy, search warrant on the SMS
records and like magic you now have the records. Now they have evidence of
the use of cryptography even if the program itself is missing.

> For purposes of
> discussion, assume you have only the program, and no
> data produced by it.

Try assuming a more likely case, they have the data produced but not the
program.

> >>>4. No single hash will be used as the key for any cipher. This actually
> >>>reduces security instead of increasing it. To show you clearly why
> >>
> >>this is
> >>
> >>>the case, which is easier to read:
> >>>The eagle lands at noonThe eag
> >>>The eagle
> >>>Which one carries more information? The first does clearly, while this
> >>>example itself does not scale well into cryptography the concept itself
> >>>does. It is actually more security efficient to use a large hash and
> >>
> >>trim
> >>
> >>>than expand a small hash.
> >>>
> >>
> >>No individual short hash is expanded.
> >>Many short hashes are concatenated.
> >>Next release, many longer hashes will be concatenated.
> >
> >
> > The information is reused, that is where the issue comes in. Once you
> have
> > used the information for a key it needs to be never reused. Instead you
> > immediately reuse it 5 times. CryptoSMS is based on bad cryptography.
> >
>
> By "information", do you mean the passphrase?

The information is reused, in this case that is the passphrase

> You are calling something "bad", without explaining
> your terms.

I apologize I was assuming you actually spoke english and had at least a
high school education. Allow me to explain, "bad" in this case means that
your product opens your customers up to having bad things happen to them
without making any good things happen.

> This is exactly the kind of personal
> opinion that you should leave out of a technical
> discussion, because in this case, you are wrong.
> The hashes are not being reused. Each hash is
> used by one cipher, and not by the others.

Show me where I made the claim that the hash is reused. You will see it
suspiciously absent. My exact claim was that the information is reused, and
it is.

> >>Just like individual hashes are frequently broken,
> >>so are ciphers.
> >
> >
> > Going back to the exact same question I had before. Why did you
> choose not
> > to use 3DES or AES? Both are considered strong. Both are far more
> analyzed
> > than IDEA, 3IDEA, or Blowfish. The choice of ARC4 is particularly
> troubling
> > because it is for most purposes horribly and utterly broken.
> >
>
> Didn't pick 3DES because we wanted longer keys.

Allow me to translate that for those not educated in cryptography taht are
still paying attention. That means he has no clue about cryptography and
instead of going with a trusted algorithm that has been examined for nearing
30 years now he went with algorithms that are much newer with much less
history behind them, and are much less trusted by the cryptogrphic
community. In other words, he did it because he has no idea about
cryptography, but wants everyone to trust him about cryptography.

> Didn't pick AES because that hadn't been thought
> up yet when this project was first envisioned.

AES predates SHA-256 which you use. Your argument is clearly a lie. Care to
try again?

> As mentioned before, an AES-equipped version is
> forthcoming. ARC4 has only been broken in very
> specific cases. Is there a better stream cipher?

Just off the top of my head Panama, AES in CTR mode, 3DES in CTR mode, IDEA
in CTR mode, in fact almost anything in CTR mode, or just leaving it out so
it doesn't consume the precious entropy.

>
> >
> >>[Next release] will have is
> >>AES over ARC4 over Blowfish.
> >
> >
> > Bad move. I can't immediately find the reference but multiple layers of
> > encryption have been analyzed many times, and the result is always
> the same.
> > Encrypt with the strongest first. I also notice that you still lack a
> viable
> > MAC in there, I'd suggest removing that glaring hole first.
> >
>
> The jury's still out on encryption stacks.

The jury has been in for years now. Encrypt with the strongest first. Always
use a MAC. You violate both of these.

> There's been discussion in this newgroup on that very point,
> and some very good arguments made in favor of encryption stacks:
>
> http://www.ciphersbyritter.com/GLOSSARY.HTM#RiskAnalysis
>
> There have been lots of similar links posted to this
> newsgroup, so there is no sense in returning to beat
> the dead horse.

If people like you wouldn't try to bring the horse back from the dead there
would be no need.

> This is yet another point on which
> we will continue to disagree. I do not like to put
> all my eggs in one cryptographic basket, and there are
> many others that agree.

I never said that wasn't a valid decision, I said that the way you're doing
it is heavily flawed, open to major problems and demonstrates very well that
you don't know cryptography.

> >>Same thinking still applies; in
> >>fact, this fits design consideration #5 better, since the two
> >>block ciphers will have different block sizes.
> >
> >
> > You will still have key distribution problems, your solution seems to be
> > "It's not my problem" which is incorrect because CryptoSMS handles
> the keys
> > and does it's own internal distribution. Also there is the continuing
> > problem with the lack of functioning MAC. I strongly recommend
> reading the
> > RFCs for OpenPGP before you do your next design. Basically all you
> have to
> > do is copy that design.
> >
>
> With key distribution comes keyrings,

Wrong again. Key distribution can be easily done without keyrings. Here's a
very simple design that does not require keyrings, and offers good security

Header = {Encrypt(randomKey, Hash(passphrase))}
Body = Encrypt(bodyData, randomKey)
Message = {Header, Body}

This has no key ring that it depends on, does not violate the basic rules of
cryptography, scales very well because you can add a target to the header
and repeat them. Has forward secrecy, something your design does not in any
way have. And a number of other advantages. This design is one of the most
basic in cryptography, these requirements some of the most basic in
cryptography. You have once again succeeded in clearly demonstrating your
lack of knowledge in cryptography, might I suggest going to the link I
provided and just starting from the top?

> If there are no keyrings there is the
> sliver of doubt, and some legal situations hang
> on this balance. I am sure this is a point that
> the misc.legal readers will all have an opinion
> on.

That doubt will only exist until the SMS message logs are retrieved, this
should be about 30 minutes. Once again you have gone back to the flawed
legal arguments, once again I will tell you that the argument will not work
and fails on even a cursory examination.

> Oh, thanks for clearing that up. You start out nasty in order
> to attract attention. I have to admit it worked, because your
> ugly name calling in the original posting is what encouraged
> me to find a personal news service and respond (nope, my ISP
> does not provide Usenet). Friends told me about Supernews, and I suppose
> it works fairly well. People say there is lots of porno
> spam on Usenet, but I have not seen any (yet).

sci.crypt is usually pretty clean about it, but if you look at most of the
alt subheading you will find it. If you're looking for porn though just
about everything below alt.binaries is porn.

> You don't have to be thick skinned to appreciate good
> manners coupled with informative replies. On the other
> hand, there are those of us who don't mind wading through
> the gutter, if it will yield the clues we're looking for.

Then you are welcome on sci.crypt. Everyone here gets their harassment on a
fairly continual basis.
Joe


sammy

unread,
Jun 22, 2005, 8:51:03 PM6/22/05
to

I've heard the French authorities now actually strongly recommend
CryptoSMS to French citizens who inquire as to which method they
should use to keep their information private.

This comes as a vicious back-handed slap to the inventors of ROT-13,
the previous recipients of French authority recommendation for crypto.


Luc The Perverse

unread,
Jun 22, 2005, 8:54:31 PM6/22/05
to
"sammy" <sa...@slammy.com> wrote in message
news:hh1kb19sdc4m66kre...@4ax.com...

ROFL

--
"When you have to choose between a first-rate company with a second-rate
product and a second-rate company with a first-rate product, it's never an
ideal choice. " -Ed (www.overclockers.com)


Joseph Ashwood

unread,
Jun 22, 2005, 9:07:10 PM6/22/05
to
"Andrew Swallow" <am.sw...@btopenworld.com> wrote in message
news:d9bvog$9rt$1...@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...

> Find out what the CIA and KGB were doing to communicate with their spies
> 20 years ago. Use a modified version of that.
>
> What is being used today is still secret but the previous system may be in
> someone's memoirs.

I've worked on this with some additional requirements from time to time as
an excercise in futility (so far at least). I've basically come up with two
semi-secure options (heavy on the semi).

The best case I've been able to come up with goes back to the dead drop
concept. For this you use paper, and using steganography you "accidently"
drop a paper or to in your rush to not be late for work. To pick up the drop
you are kind enough to pick up the paper, and being a consciencious person
you take it home for recycling. This is an unstable delivery medium at best.

The other solution involves technology but leaves evidence in the form of a
handheld communication device. Take 2 radios, currently available for
minimal expense in the US are several different brands of two-way radios
that work for about 5 miles. Use this frequency to burst encrypted data
between two users that never see each other. For location use GPS, for
communicating the location (assuming a 5-mile radio) the device
automatically picks a random location within a 2.5 mile radius of where the
user will be standing for communication, the other user is given a display
where a random location is chosen within a 2.5 mile radius of the given
location. And a time window. This makes it so that the users may not be able
to identify each other, but gives away position based on radio frequency
triangulation. If the burst is short enough this may be doable. This one
though is much more complex to setup, but is easier for the users to
execute.

Neither case is particularly good, and both require substantial
considerations. The second though can be used for slow routing within a
large group more easily than the first.

Generally speaking the spy agencies of the world tend to use dead drops
because of the severely limited interaction possibilities and the plausible
deniability. This information came from the public prosecution of a double
agent in 2000 (sorry don't remember a name) where he was abandoned by his
handlers and was caught because he kept trying to pick up a dead drop that
was never there.
Joe


Cry...@s.m.s

unread,
Jun 22, 2005, 10:01:13 PM6/22/05
to
sammy wrote:

Since the French authorities uninstalled CryptoSMS from the
temporarily confiscated computers, one can take that as a
back-handed endorsement of its strength, or at least its
strength as seen by the police.

One of the Sci.Crypt know-it-alls is currently attempting
to break it, but failing at the challenge. He claimed he
could do it in an hour, but it has been many days, although
he isn't admitting defeat. Kudos for his tenacity.

Cry...@s.m.s

unread,
Jun 22, 2005, 10:08:07 PM6/22/05
to
Joseph Ashwood wrote:

Obviously you were searching for CryptoSMS by name, given that
you found other references. It wasn't named by the French police,
but they did remove from the systems prior to return. It was
definitely reported in the French news, but probably not in the
internationals because the charges were dropped, the people involved
were released, and the equipment returned. Why don't you search for
people who were prosecuted in France for having PGP keyrings? Those
were the cases that actually had some charges filed.

Cry...@s.m.s

unread,
Jun 22, 2005, 10:26:29 PM6/22/05
to
Joseph Ashwood wrote:

>
> A quick google shows no mention of CryptoSMS at any credible news
sources (AP, CNN, The Register, ZDNET, CNET, etc) but several mentions
on talkaboutdrugs.com, even there I didn't see any immediate evidence of
your claim.
>

Can find no site called talkaboutdrugs.com, as neither
http://talkaboutdrugs.com nor http://www.talkaboutdrugs.com
is responding.

You really are clutching at straws now, and I realise why.
This discussion is something that you are trying to "Win",
instead of something from which to "Learn". Remember, this
is not an argument, it is a conversation, so there is nothing
to "Win", only something to "Learn".

Your attempts to shoot down CryptoSMS are most appreciated,
because you have raised valid points and suggested good ideas;
neither of which make you a winner, just a teacher, and I thank
you for that.

Meanwhile, if you still feel you have something to prove, why
not respond to the poster who keeps writing "Put up or Shut up"?
After all, the proof of the pudding is in the eating, or is it?

sammy

unread,
Jun 22, 2005, 11:39:47 PM6/22/05
to

>
>Meanwhile, if you still feel you have something to prove, why
>not respond to the poster who keeps writing "Put up or Shut up"?
>After all, the proof of the pudding is in the eating, or is it?


Because that "other" loser is likely you, too.

We've all been on the Net too long not to spot that behavior.

One "evil genius" makes a crappy thing, and then defends it with posts
from himslf and all his alter egos.

It gets old, really fast. You didn't invent that, either.

Pssst... come here... OK listen...

The smell of failure is rising off of you like the waves of heat from
a hot desert highway.


sammy

unread,
Jun 22, 2005, 11:49:19 PM6/22/05
to
On Thu, 23 Jun 2005 12:01:13 +1000, Cry...@S.M.S flatulated:

<snip>

>Meanwhile, if you still feel you have something to prove, why
>not respond to the poster who keeps writing "Put up or Shut up"?
>After all, the proof of the pudding is in the eating, or is it?


Because that "other" loser is likely you, too.

We've all been on the Net too long not to spot that behavior.

One "evil genius" makes a crappy thing, and then defends it with posts
from himslf and all his alter egos.

It gets old, really fast. You didn't invent that, either.

Pssst... come here... OK listen... Look...

"- Prof. Jonez坼

unread,
Jun 22, 2005, 11:56:27 PM6/22/05
to
sammy wrote:
> > Meanwhile, if you still feel you have something to prove, why
> > not respond to the poster who keeps writing "Put up or Shut up"?
> > After all, the proof of the pudding is in the eating, or is it?
>
>
> Because that "other" loser is likely you, too.

No, I'm me, he's someone else.

>
> We've all been on the Net too long not to spot that behavior.

Yet you're in error once again.

>
> One "evil genius" makes a crappy thing, and then defends it with posts
> from himslf and all his alter egos.

All you have to do then, is ... put up or shut the fuck up, Einestein.


>
> It gets old, really fast. You didn't invent that, either.

Still dancing away from the corner you painted yourself into,
eh moron?


>
> Pssst... come here... OK listen...
>
> The smell of failure is rising off of you like the waves of heat from
> a hot desert highway.

Bigmouth Asswood says this can be broken in "an hour"... given
there are 3 using the same passphrase, you have even more clues.

So, why can't a moron like you simply crack the message and prove
to the world what you claim to be true? Are you a liar or a jackass?

It's been over 180 hours ...so put up or shut up --

Newsgroups: misc.legal, sci.crypt, talk.politics.crypto, us.legal
From: poster <pos...@use.net>
Date: Tue, 14 Jun 2005 15:02:49 +1000
Local: Tues,Jun 14 2005 1:02 am
Subject: Re: crypto for Joseph Ashwood?

Since I'm a CryptoSMS user, I am very curious just how clever
Mr Ashwood is. Attached below are three CryptoSMS messages, all
of which are encrypted with the same passphrase and all of which
contain the same clear text. Mr Ashwood, would you please crack
these and post the contents for all to see? It should be easy
since you have 3 individual messages which are all internally
identical. Good luck.


??31m3dH-zpJ2ta8zI07sFm5o-UX5w­rMwKtUOGffGoqz98P7RrUE0bNu4Yu0­Sue-ZdUaNXK000??


??31SdibaVtKZ=50U74hLnQYg558NM­=dopXVivzD5LOu1XQFqYIC1IK-6O1G­7LQaRBbL41G000??


??31jKvmpN7DsULlMlD9ojQbe17m3R­8eA8FL51HM1vln=zB3GkwtRBjcp3wS­-2wRmcatMXK000??


<cue crickets chirping while the self-appointed cryptocritics FAIL to crack
such a defective and simplistic encryption>


Cry...@s.m.s

unread,
Jun 23, 2005, 12:27:13 AM6/23/05
to

Such an "expert" and you can not tell one poster from another?

And I expected so much more from a Science newsgroup. Many people
have told me that Usenet is where the crazies and pornographers
are, and until now I was naive enough to dismiss that as nonsense.

Surely there is a way to examine these posts and determine where
they came from, like what is done with emails? Does anybody here
know how this is done? Would you please give us new bees a run-down
of posts by Cry...@S.M.S & Prof Jonez© with emphasis on where they
came from? This will be an interesting security exercise, probably
not really the topic of this group, but it did come up in the
course of local discussions (and the insults that one poster had
to resort to in order to gain some tidbit of self attention).

sammy

unread,
Jun 23, 2005, 12:31:15 AM6/23/05
to
On Wed, 22 Jun 2005 21:56:27 -0600, " \"- Prof. Jonez坼""
<jo...@norcom.ca> wrote:

>sammy wrote:
>> > Meanwhile, if you still feel you have something to prove, why
>> > not respond to the poster who keeps writing "Put up or Shut up"?
>> > After all, the proof of the pudding is in the eating, or is it?
>>
>>
>> Because that "other" loser is likely you, too.
>
>No, I'm me, he's someone else.


Someone else in your head? Or another human that gives a rat's ass
about CraptoSMS?.

Surely not the latter.

You are both one guy, OK? I just can't believe that more than one
idiot is connected to this worthless, misbegotten thing.


And... "both" of you should realize that EVERYONE WHO HAS A WORKING
KNOWLEDGE OF CRYPTO has seen this same scenario dozens of times:

"Hey, if you can't break my piece-of-crap crypto product, then that
proves scientifically, and beyond all reasonable doubt that my product
r3wls and that I really am somebody and not just another idiot loser".


Well... get a grip Mr Science, because that isn't, and never will be
true.

It gets old, really fast. You didn't invent that, either.


Pssst... come here... OK listen up, my schizoid nimrod...

The putrid stench of broke dick snake oil vendor emanates from your
very core. Repent now, and there may be some speck of hope for you.


Stephen Sprunk

unread,
Jun 22, 2005, 11:44:48 PM6/22/05
to
"sammy" <sa...@slammy.com> wrote in message
news:hh1kb19sdc4m66kre...@4ax.com...
>

That's a serious indictment of CryptoSMS's strength.

The only reason the French authorities would recommend any encryption
product was if they knew it was so seriously flawed they could crack it
at will. Encouraging people to use broken encryption will let them
easily identify suspects _and_ read what they're saying, instead of
having to snoop through all the cleartext messages people send. It's a
win-win for them and a lose-lose for the public.

When the NSA approved AES for classified government files, I find it
reasonable to conclude that they're unable to effectively break it. If
they could, they'd have to assume someone else would figure it out as
well, and protecting our secrets is a higher priority to them than
endorsing something bad to trick their foes. I'd draw a completely
different conclusion if the NSA had said AES was good enough for the
private sector but not good enough for military use.

Stephen Sprunk

unread,
Jun 22, 2005, 11:52:44 PM6/22/05
to
<Cry...@S.M.S> wrote in message
news:11bk5vg...@news.supernews.com...

> sammy wrote:
> > I've heard the French authorities now actually strongly recommend
> > CryptoSMS to French citizens who inquire as to which method they
> > should use to keep their information private.
>
> Since the French authorities uninstalled CryptoSMS from the
> temporarily confiscated computers, one can take that as a
> back-handed endorsement of its strength, or at least its
> strength as seen by the police.

Or it could be a feint to make people draw that conclusion. Quite
possibly the French authorities were able to crack the messages sent but
decided the gain from admitting that _in this particular case_ was not
worth disclosing that they had the ability. By not disclosing, they
give people a (potentially) false sense of security and more likely to
use a flawed system, providing them with more and more self-identified
criminals to track and snoop on.

> One of the Sci.Crypt know-it-alls is currently attempting
> to break it, but failing at the challenge. He claimed he
> could do it in an hour, but it has been many days, although
> he isn't admitting defeat. Kudos for his tenacity.

Failure to crack a system is not proof of security. I could post
something rot13 encrypted here and there's a pretty good chance nobody
would ever bother trying to crack it.

There are dozens of flawed systems proposed here every week; just sit
back and you'll see them roll in like clockwork. Some are ignored,
others are shown to be fatally flawed within hours. Yours is
complicated enough that trying to crack an example probably isn't worth
anyone here's time, but there's a long enough list of serious concerns
about the structure that will lead most observers to conclude it's
flawed without the need for a concrete example.

Remember, security can't be proven -- it can only be disproven.

sammy

unread,
Jun 23, 2005, 12:49:58 AM6/23/05
to
On Thu, 23 Jun 2005 14:27:13 +1000, Cry...@S.M.S wrote:

<snip>

>Such an "expert" and you can not tell one poster from another?
>

Wait a minute... you're right!

You both have different infomation in your headers. OMG how could I
have missed that???

The fact that you both came out of the woodwork to defend a really
crappy crypto product at the same time, when more than one person
caring about this bad crypto s/w would stretch credulity to the
breaking point, that... that just doesn't matter!!!

Even though it is trivially easy, although tired and annoying and
pitiful, to change headers and post as "two" different "concerned"
individuals, no way could you have figured out how to do that.

And just because this is the modus operendi of many "evil geniuses"
who end up in sci.crypt "defending" their blatent mistakes and
shouting from two different NYMs or alter egos, or whatever, that "by
God if you can't crack that bad crypto then that turns it magically
into good crypto"... that couldn't be what is happening here.

Or could it?


It is just TOO DARN DIFFICULT to make the leap of faith that more than
one person cares about CryptoSMS. Can't do it. Too weird.

"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:49:28 AM6/23/05
to

So put your $$ where your mouth is -- disprove it:

It's been over 182 hours ...so put up or shut up --

"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:51:26 AM6/23/05
to
Stephen Sprunk wrote:
> "sammy" <sa...@slammy.com> wrote in message
> news:hh1kb19sdc4m66kre...@4ax.com...
> >
> > I've heard the French authorities now actually strongly recommend
> > CryptoSMS to French citizens who inquire as to which method they
> > should use to keep their information private.
> >
> > This comes as a vicious back-handed slap to the inventors of ROT-13,
> > the previous recipients of French authority recommendation for
> > crypto.
>
> That's a serious indictment of CryptoSMS's strength.
>
> The only reason the French authorities would recommend any encryption
> product was if they ...

You simpering jackass.

Clue -- http://snipurl.com/7xa5

"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:53:16 AM6/23/05
to
sammy wrote:
> On Wed, 22 Jun 2005 21:56:27 -0600, " \"- Prof. JonezŠ\""

> <jo...@norcom.ca> wrote:
>
> > sammy wrote:
> > > > Meanwhile, if you still feel you have something to prove, why
> > > > not respond to the poster who keeps writing "Put up or Shut up"?
> > > > After all, the proof of the pudding is in the eating, or is it?
> > >
> > >
> > > Because that "other" loser is likely you, too.
> >
> > No, I'm me, he's someone else.
>
>
> Someone else in your head? Or another human that gives a rat's ass
> about CraptoSMS?.

Sez the asshat who can't seem to shut the fuck up about it, yet
can't crack such a simple, flawed, less than "1 hour", defective product ...
ROTFLMAO!!


sammy

unread,
Jun 23, 2005, 2:50:29 AM6/23/05
to
On Wed, 22 Jun 2005 23:49:28 -0600, " \"- Prof. Jonez©\""
<jo...@norcom.ca> wrote:

<snip>

Hey... you're late for your costume change, schizoid dweeb.


" \"- Prof. Jonez©\""
You are a pitiful lamer.
Cry...@S.M.S
You are a pitiful lamer.
" \"- Prof. Jonez©\""
You are a pitiful lamer.
Cry...@S.M.S
You are a pitiful lamer.
" \"- Prof. Jonez©\""
You are a pitiful lamer.
Cry...@S.M.S
You are a pitiful lamer.
" \"- Prof. Jonez©\""
You are a pitiful lamer.
Cry...@S.M.S
You are a pitiful lamer.
" \"- Prof. Jonez©\""
You are a pitiful lamer.
Cry...@S.M.S
You are a pitiful lamer.
" \"- Prof. Jonez©\""
You are a pitiful lamer.
Cry...@S.M.S
You are a pitiful lamer.
" \"- Prof. Jonez©\""
You are a pitiful lamer.
Cry...@S.M.S
You are a pitiful lamer.
" \"- Prof. Jonez©\""
You are a pitiful lamer.
Cry...@S.M.S
You are a pitiful lamer.


Which one are you now?

Answer: The pitiful lamer.


One "evil genius" makes a crappy thing, and then defends it with posts

from himself and all his alter egos.

It gets old, really fast. You didn't invent that, either.

sammy

unread,
Jun 23, 2005, 2:51:49 AM6/23/05
to

<snip>

Answer: The pitiful lamer.


One "evil genius" makes a crappy thing, and then defends it with posts

from himself and all his alter egos.

It gets old, really fast. You didn't invent that, either.


Pssst... come here... OK listen... Look...

Cry...@s.m.s

unread,
Jun 23, 2005, 4:06:03 AM6/23/05
to

Thanks to all in Sci.Crypt for pointing fingers at
this relatively new work (to me at least) on attacking
hash functions:

http://cryptography.hyperlink.cz/md5/Vlastimil_Klima_MD5_collisions.pdf
http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf
http://www.infosec.sdu.edu.cn/paper/md4-ripemd-attck.pdf

These papers bring up more questions than they answer,
with regard to breaking hashes to reveal pass phrases.

In all of these papers, the "attack" is to compute a
colliding hash value. That is all well and good, but
how does being able to compute two collisions allow
you to "back-compute" from an hash value to the
text that produced it?

It is one thing to find two strings that hash to the
same value. It is something very different to invert
the hash function and discover what its original input
was.

Would someone please elaborate on how to "undo" an MD5
hash? In other words, given a hash, compute its original
input string. Best as I can tell, the references cited
above do not address this problem.

As a side issue, the "discover the pass phrase in 1 hour
on my laptop" is a bit overstated. Here is an excerpt
from the Czech paper:

In the last experiment, provided by Ondrej Pokornı on his
home PC (Intel Pentium, 1GHz), he obtained 14 collisions in
58 hours and 32 minutes. It gives even more optimistic time
for finding a collision (1 collision per 4 hours 11 minutes)
than on the author's notebook.

Of course, this still means that hashing collisions can
be found easily, just not quite as quickly as claimed.
The ability to find collisions translates into the ability
to forge digital signatures and certificates; but how does
this equate to being able to unhash pass phrases?

Cry...@s.m.s

unread,
Jun 23, 2005, 4:11:48 AM6/23/05
to
sammy wrote:

So this is how you discuss the real issues? The original advice I
received when joining Usenet was correct, i.e. it is full of crazies
who would rather trade nasty remarks than information.

Why don't you explain how you will unhash MD5 to reveal the pass phrase?

Or better yet, explain why you resort to insults in a science newsgroup?
Got nothing better to contribute?


sammy

unread,
Jun 23, 2005, 6:06:30 AM6/23/05
to
On Thu, 23 Jun 2005 18:11:48 +1000, Cry...@S.M.S wrote:

<snip>


>>
>>
>
>So this is how you discuss the real issues? The original advice I
>received when joining Usenet was correct, i.e. it is full of crazies
>who would rather trade nasty remarks than information.
>
>Why don't you explain how you will unhash MD5 to reveal the pass phrase?
>
>Or better yet, explain why you resort to insults in a science newsgroup?
>Got nothing better to contribute?
>

I've heard the French authorities now actually strongly recommend


CryptoSMS to French citizens who inquire as to which method they
should use to keep their information private.

This comes as a vicious back-handed slap to the inventors of ROT-13,

Joseph Ashwood

unread,
Jun 23, 2005, 6:19:46 AM6/23/05
to
<Cry...@S.M.S> wrote in message news:11bk5vg...@news.supernews.com...

> One of the Sci.Crypt know-it-alls is currently attempting
> to break it, but failing at the challenge. He claimed he
> could do it in an hour, but it has been many days, although
> he isn't admitting defeat. Kudos for his tenacity.

Since I am the obvious "know-it-all" in question. I stated that it is
breakable in about 1 hour and gave real evidence of this because of the weak
passphrase usage. I have never claimed that I am "attempting" to break it, I
already broke it.

Why would I admit defeat when your product was broken? Seems rather a
foolish thing to say.
Joe


Joseph Ashwood

unread,
Jun 23, 2005, 6:19:53 AM6/23/05
to

<Cry...@S.M.S> wrote in message news:11bkrbp...@news.supernews.com...

> Thanks to all in Sci.Crypt for pointing fingers at
> this relatively new work (to me at least) on attacking
> hash functions:
>
> http://cryptography.hyperlink.cz/md5/Vlastimil_Klima_MD5_collisions.pdf
> http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf
> http://www.infosec.sdu.edu.cn/paper/md4-ripemd-attck.pdf
>
> These papers bring up more questions than they answer,
> with regard to breaking hashes to reveal pass phrases.
>
> In all of these papers, the "attack" is to compute a
> colliding hash value. That is all well and good, but
> how does being able to compute two collisions allow
> you to "back-compute" from an hash value to the
> text that produced it?

That is fairly straightforward, because the approximate length is known and
the entropic quantity is known this limits the number of possible passphrase
to just 1 in this case (unless the passphrase has > 1000-whatever it was
bits). By focusing only on the extremely limited MD5 which can hold more
entropy than is in the passphrase the entire list can be narrowed to
generally 1. This 1 collision is then the correct passphrase.

The times given in those are old, in fact I don't think the latest papers
have been officially published, but the show collisions in MD5 in 15
minutes. Because there is only one colliding value, the result is the
original passphrase.

Because of the smallness of the input there simply aren't enough collidable
values. My break didn't even actually use the MD5 attacks, instead it was
based on generating and hashing each of the 2^47 different possible values
until one collides. Considering that an up-to-the-minute laptop is clocked
just shy of 2^32 ops/sec, and that MD5 is only a few clocks to generate a
short output, the result is that in about 1 hour the collision should be
found.
Joe


Joseph Ashwood

unread,
Jun 23, 2005, 6:19:50 AM6/23/05
to

<Cry...@S.M.S> wrote in message news:11bk6cd...@news.supernews.com...

> Obviously you were searching for CryptoSMS by name, given that
> you found other references. It wasn't named by the French police,
> but they did remove from the systems prior to return. It was
> definitely reported in the French news, but probably not in the
> internationals because the charges were dropped, the people involved
> were released, and the equipment returned. Why don't you search for
> people who were prosecuted in France for having PGP keyrings? Those
> were the cases that actually had some charges filed.

So your entire claim is that we can't verify it, but trust you it worked.
Just like you expect everyone to trust you about the cryptography involved,
and trust you that it's good. When the entire evidence is that it is not
good.

> Can find no site called talkaboutdrugs.com, as neither
> http://talkaboutdrugs.com nor http://www.talkaboutdrugs.com
> is responding.

You're right I mistyped it, the exact URL that comes up on Yahoo is
http://www.talkaboutdrugsnetwork.com/group/rec.drugs.chemistry/index.rss,
the returns from Google did not include it.

> Meanwhile, if you still feel you have something to prove, why
> not respond to the poster who keeps writing "Put up or Shut up"?
> After all, the proof of the pudding is in the eating, or is it?

Such challenges are never answered, simply as a matter of course, that is
because there is no point to them. If you really want me to seriously break
your system you will get the same result at my usual fee. You will find this
policy in many around here. Even with that we won't break your messages
though, there really is no point. Cryptography does not happen the way you
think it does, it never has, it never will.
Joe


Cry...@s.m.s

unread,
Jun 23, 2005, 6:21:16 AM6/23/05
to

He repeats himself when under stress.

Cry...@s.m.s

unread,
Jun 23, 2005, 6:33:08 AM6/23/05
to
Joseph Ashwood wrote:

> <Cry...@S.M.S> wrote in message news:11bk6cd...@news.supernews.com...
>
>>Obviously you were searching for CryptoSMS by name, given that
>>you found other references. It wasn't named by the French police,
>>but they did remove from the systems prior to return. It was
>>definitely reported in the French news, but probably not in the
>>internationals because the charges were dropped, the people involved
>>were released, and the equipment returned. Why don't you search for
>>people who were prosecuted in France for having PGP keyrings? Those
>>were the cases that actually had some charges filed.
>
>
> So your entire claim is that we can't verify it, but trust you it worked.
> Just like you expect everyone to trust you about the cryptography involved,
> and trust you that it's good. When the entire evidence is that it is not
> good.
>

I never claimed you could verify this. I only relayed the
details of an event in which I was personally acquainted with
the people involved. There are volumes of reports of police
activities which can not be verified, from brutality cases,
bribery & extortion, etc. The fact that you can find no
details in Google means nothing. Do you honestly believe
that Google has a listing for every event in world?

>
>>Can find no site called talkaboutdrugs.com, as neither
>>http://talkaboutdrugs.com nor http://www.talkaboutdrugs.com
>>is responding.
>
>
> You're right I mistyped it, the exact URL that comes up on Yahoo is
> http://www.talkaboutdrugsnetwork.com/group/rec.drugs.chemistry/index.rss,
> the returns from Google did not include it.
>

Yes, you did mistype it, as you have mistyped and misread
so many other statements.

>
>>Meanwhile, if you still feel you have something to prove, why
>>not respond to the poster who keeps writing "Put up or Shut up"?
>>After all, the proof of the pudding is in the eating, or is it?
>
>
> Such challenges are never answered, simply as a matter of course, that is
> because there is no point to them. If you really want me to seriously break
> your system you will get the same result at my usual fee. You will find this
> policy in many around here. Even with that we won't break your messages
> though, there really is no point. Cryptography does not happen the way you
> think it does, it never has, it never will.
> Joe
>
>

Such challenges are often answered, as evidenced by the number
of cash prizes offered and sometimes collected for the scalps
of ciphers and other formulae. You just refuse to answer
this one because you know that you can not do it. Chances are
that you've already tried quietly at home, probably burning the
midnight oil, feverishly attempting to prove CryptoSMS weak.

The fact that you have failed is clear to everyone. Including
your acolyte who continues to post insults and crazed nonsense
about the mental disease he suffers from.


Joseph Ashwood

unread,
Jun 23, 2005, 7:09:44 AM6/23/05
to
<Cry...@S.M.S> wrote in message news:11bl3vl...@news.supernews.com...

> I never claimed you could verify this.

Allow me to rephrase. Your entire claim of use was based on this one case
which cannot be easily verified.

> Such challenges are often answered, as evidenced by the number
> of cash prizes offered and sometimes collected for the scalps
> of ciphers and other formulae.

Find one challenge, such as the one posted by prof jonez, in the last year
that was posted to sci.crypt and anyone bothered solving. You simply won't
find one. The challenges that are answered come from respectable companies
and exist to reinforce and test the technologies and requirements involved.
Joe


Cry...@s.m.s

unread,
Jun 23, 2005, 7:52:55 AM6/23/05
to

Again you are making assumptions about the length of
the pass phrase. Quit assuming 20 characters, and work
with the concept of 20 words. Be realistic, or the
numbers you put forward are meaningless.

Cry...@s.m.s

unread,
Jun 23, 2005, 8:01:35 AM6/23/05
to
Joseph Ashwood wrote:

You have not broken anything.
You have just made a bunch of wild claims
and have expected others to believe them.
This is the tenacity to which I was referring.

Cry...@s.m.s

unread,
Jun 23, 2005, 7:59:45 AM6/23/05
to
Joseph Ashwood wrote:

> <Cry...@S.M.S> wrote in message news:11bl3vl...@news.supernews.com...
>
>>I never claimed you could verify this.
>
>
> Allow me to rephrase. Your entire claim of use was based on this one case
> which cannot be easily verified.
>

Yes, I never implied otherwise. You merely jumped to conclusions,
as you have been doing throughout this discussion.

>
>>Such challenges are often answered, as evidenced by the number
>>of cash prizes offered and sometimes collected for the scalps
>>of ciphers and other formulae.
>
>
> Find one challenge, such as the one posted by prof jonez, in the last year
> that was posted to sci.crypt and anyone bothered solving. You simply won't
> find one. The challenges that are answered come from respectable companies
> and exist to reinforce and test the technologies and requirements involved.
> Joe
>

So what you're saying is that the supposed "experts" in here
are all mouth and no trousers. Nothing more than a bunch of
crypto elitists scratching each other's backs. You have already
spent more than an hour typing replies to these posts, when you could
have been proving to everybody just how techno-macho you really are.
You want proof from others, but refuse to provide any yourself.

Cry...@s.m.s

unread,
Jun 23, 2005, 8:09:49 AM6/23/05
to
Joseph Ashwood wrote:

Once again you have not got your facts straight:

Vlastimil Klima1, 2
v.k...@volny.cz
http://cryptography.hyperlink.cz/
Prague, Czech Republic
March 31, 2005

Less than 3 months old, wherein it states,
(and I repeat my original quotation):

In the last experiment, provided by Ondřej Pokorný


on his home PC (Intel Pentium, 1GHz), he obtained 14
collisions in 58 hours and 32 minutes. It gives even
more optimistic time for finding a collision (1 collision
per 4 hours 11 minutes) than on the author's notebook.

Throughout this entire exchange you have continually
exaggerated numbers to fit your statements.

John Hadstate

unread,
Jun 23, 2005, 9:48:19 AM6/23/05
to

Cry...@S.M.S wrote:


> Joseph Ashwood wrote:
> > The times given in those are old, in fact I don't think the latest papers
> > have been officially published, but the show collisions in MD5 in 15
> > minutes. Because there is only one colliding value, the result is the
> > original passphrase.
> >
>
> Once again you have not got your facts straight:
>
> Vlastimil Klima1, 2
> v.k...@volny.cz
> http://cryptography.hyperlink.cz/
> Prague, Czech Republic
> March 31, 2005
>
> Less than 3 months old, wherein it states,
> (and I repeat my original quotation):
>

> In the last experiment, provided by Ondrej Pokorný


> on his home PC (Intel Pentium, 1GHz), he obtained 14
> collisions in 58 hours and 32 minutes. It gives even
> more optimistic time for finding a collision (1 collision
> per 4 hours 11 minutes) than on the author's notebook.
>
> Throughout this entire exchange you have continually
> exaggerated numbers to fit your statements.

Sitting on a table 8 feet from me is an Intel-based PC with two 3.6
GHz. processors. With little effort, I could have 8 such delivered and
set up in less than a day. Compared to one 1 GHz. notebook, we're
looking at an increase in computing horsepower of about 56 times. For
about $160K, Mr. Pokorny could have his 14 collisions in about an hour,
and I have not even scratched the surface when it comes to marshalling
the computing power and money available to the NSA.

I think you're seriously in denial of reality. I have mixed feelings
about your very public disclosure of this. Anyone seriously concerned
about their security who has access to this thread will throw out
CryptoSMS and any follow-on project from you like yesterday's garbage.
This in turn will make it harder for some governments to keep tabs on
some of your scumbag customers.

It's the Law of Unintended Consequences at work, sort of like the
effect of banning "Saturday Night Specials": petty criminals switched
to handguns like .38's and .357's that are far more lethal. Incidents
that were formerly "assault and battery with intent to kill" became
outright murders.

tomst...@gmail.com

unread,
Jun 23, 2005, 9:51:53 AM6/23/05
to
John Hadstate wrote:
> Sitting on a table 8 feet from me is an Intel-based PC with two 3.6
> GHz. processors. With little effort, I could have 8 such delivered and
> set up in less than a day. Compared to one 1 GHz. notebook, we're
> looking at an increase in computing horsepower of about 56 times. For
> about $160K, Mr. Pokorny could have his 14 collisions in about an hour,
> and I have not even scratched the surface when it comes to marshalling
> the computing power and money available to the NSA.

.... Get some AMD64 venice cores, save money, prove your point and put
less damper on the environment!

<grin>

Tom

David Eather

unread,
Jun 23, 2005, 11:02:12 AM6/23/05
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<snip>

> Again you are making assumptions about the length of
> the pass phrase. Quit assuming 20 characters, and work
> with the concept of 20 words. Be realistic, or the
> numbers you put forward are meaningless.

Just a suggestion, you could have a read of Schneier "Secrets and
Lies". The problem with allowing users to pick a pass phrase is not
that they can't pick one that is long enough - the problem is that
they won't. IIRC, about 40% of user passwords / phrases that fall to
a dictionary attack and I don't think that number counts users who
pick random but too short a password.

In crypto a failure of one in a billion is way too high. Since the
way the user generates a password is very weak (you might pick 20
random words but most users will choose something like "master" and
way shorter than 20 letters) your "crypto-laminate" is way , way to
much overkill. In effect you have a safe within a safe within a safe
and all of it glued shut with a "post it note"

Users *won't* pick good pass phrases and there is nothing you can do
to make them. This weak password implementation is why you are being
taken to task.

A further thing to think about is when a user picked password fails
they will come looking for you. You didn't supply a secure system,
you didn't adequately warn and train them, and they are not going to
blame themselves.

I'm sorry the above is gloomy, but it is the truth.

To make a useable device you have to organise same form of random
data collection and implement a public key exchange.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQrrO4pS9Fk5okqe7EQJxoQCguwVA4L7N23CRddRXxyFjkS49/J4AmwZ0
Wg6GKB3vzkQXD2zk69se57jr
=h2Sc
-----END PGP SIGNATURE-----


"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:09:10 PM6/23/05
to
Joseph Ashwood wrote:
> <Cry...@S.M.S> wrote in message
> news:11bk5vg...@news.supernews.com...
> > One of the Sci.Crypt know-it-alls is currently attempting
> > to break it, but failing at the challenge. He claimed he
> > could do it in an hour, but it has been many days, although
> > he isn't admitting defeat. Kudos for his tenacity.
>
> Since I am the obvious "know-it-all" in question.

You flatter yourself.

>I stated that it is breakable in about 1 hour and

Yet it's been over 180 hours and neither the great
and magnificient Ashwood, nor any of your meowing
sycophant cryptocritics has been able to perform
better than any dopey delirious frigid housewife.

>gave real evidence of this because of
> the weak passphrase usage. I have never claimed that I am
> "attempting" to break it, I already broke it.

Then post the results, o' great and powerful Oz.


> Why would I admit defeat when your product was broken? Seems rather a
> foolish thing to say.

So post the cleartext you bombastic blowhard.


> Joe


"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:10:32 PM6/23/05
to

He's got a whole litter of sycophantic lapdogs and
mewling groupies that will swallow *anything* he
spews.


"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:13:49 PM6/23/05
to

Because the Joe the Magnificent decrees it so ...! LOL!


"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:20:23 PM6/23/05
to
Joseph Ashwood wrote:
> <Cry...@S.M.S> wrote in message
> news:11bl3vl...@news.supernews.com...
> > I never claimed you could verify this.
>
> Allow me to rephrase. Your entire claim of use was based on this one
> case which cannot be easily verified.
>
> > Such challenges are often answered, as evidenced by the number
> > of cash prizes offered and sometimes collected for the scalps
> > of ciphers and other formulae.
>
> Find one challenge, such as the one posted by prof jonez, in the last
> year that was posted to sci.crypt and anyone bothered solving. You
> simply won't find one.

So much for "peer" review, eh?


>The challenges that are answered come from
> respectable companies and exist to reinforce and test the
> technologies and requirements involved. Joe

Thanks for confessing that no respectable company would
ever employ a poseur and phony such as yourself, or apparently
any of your fan club that washes your porcine feet.

The proof that an encryption scheme works is in the peer reviewed
challenge to crack/break the alleged scheme, that you and you
simpering kittens have failed to do so against something you've
claimed is so bereft of defects, errors and omissions that
it would take only "an hour" to crack is proof positive that
you and yours are utterly full of shit.

"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:25:04 PM6/23/05
to

So put up or shut up, asshat --

It's been over 195 hours ...

Newsgroups: misc.legal, sci.crypt, talk.politics.crypto, us.legal
From: poster <pos...@use.net>
Date: Tue, 14 Jun 2005 15:02:49 +1000
Local: Tues,Jun 14 2005 1:02 am
Subject: Re: crypto for Joseph Ashwood?

Since I'm a CryptoSMS user, I am very curious just how clever
Mr Ashwood is. Attached below are three CryptoSMS messages, all
of which are encrypted with the same passphrase and all of which
contain the same clear text. Mr Ashwood, would you please crack
these and post the contents for all to see? It should be easy
since you have 3 individual messages which are all internally
identical. Good luck.


??31m3dH-zpJ2ta8zI07sFm5o-UX5w­rMwKtUOGffGoqz98P7RrUE0bNu4Yu0­Sue-ZdUaNXK000??


??31SdibaVtKZ=50U74hLnQYg558NM­=dopXVivzD5LOu1XQFqYIC1IK-6O1G­7LQaRBbL41G000??


??31jKvmpN7DsULlMlD9ojQbe17m3R­8eA8FL51HM1vln=zB3GkwtRBjcp3wS­-2wRmcatMXK000??


<cue crickets chirping while the self-appointed cryptocritics FAIL to crack
such a defective and simplistic encryption>

> JoeBloe


"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:26:48 PM6/23/05
to

I bet the pompous asshat couldn't even crack a small character
string ... it's been over 195 hours for something that he claimed
could be done in 1 (one) hour ... LOL!


"- Prof. Jonez坼

unread,
Jun 23, 2005, 1:36:58 PM6/23/05
to

Which would be a good thing if, and only if, what you claim
were true, eh?

No one want's bad crypto, and there aren't many prisons in the world
that need more inmates, so if only one of you genii would crack
this supposedly bad crypto program and thereby show the entire
world what crap it is, everyone on both sides of the fence would
be better off.

It's been over 195 hours ... come on John, be a hero and show
the world what useless crap this program really is --

Newsgroups: misc.legal, sci.crypt, talk.politics.crypto, us.legal
From: poster <pos...@use.net>
Date: Tue, 14 Jun 2005 15:02:49 +1000
Local: Tues,Jun 14 2005 1:02 am
Subject: Re: crypto for Joseph Ashwood?

Since I'm a CryptoSMS user, I am very curious just how clever
Mr Ashwood is. Attached below are three CryptoSMS messages, all
of which are encrypted with the same passphrase and all of which
contain the same clear text. Mr Ashwood, would you please crack
these and post the contents for all to see? It should be easy
since you have 3 individual messages which are all internally
identical. Good luck.


??31m3dH-zpJ2ta8zI07sFm5o-UX5w­rMwKtUOGffGoqz98P7RrUE0bNu4Yu0­Sue-ZdUaNXK000??


??31SdibaVtKZ=50U74hLnQYg558NM­=dopXVivzD5LOu1XQFqYIC1IK-6O1G­7LQaRBbL41G000??


??31jKvmpN7DsULlMlD9ojQbe17m3R­8eA8FL51HM1vln=zB3GkwtRBjcp3wS­-2wRmcatMXK000??


Joe Peschel

unread,
Jun 23, 2005, 2:13:53 PM6/23/05
to
"Stephen Sprunk" <ste...@sprunk.org> wrote in
news:1119501135.7a1d461164cf1a865ca4ab81139e2b4c@teranews:

> Failure to crack a system is not proof of security.

True.

> I could post
> something rot13 encrypted here and there's a pretty good chance nobody
> would ever bother trying to crack it.
>

Well, let's not get carried away; probably no one would bother to mention
cracking it.

J

--
__________________________________________

http://www.impeach-bush-now.org

Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________

"- Prof. Jonez坼

unread,
Jun 23, 2005, 2:18:42 PM6/23/05
to
Joe Peschel wrote:
> "Stephen Sprunk" <ste...@sprunk.org> wrote in
> news:1119501135.7a1d461164cf1a865ca4ab81139e2b4c@teranews:
>
> > Failure to crack a system is not proof of security.
>
> True.

Yet success at cracking a system IS proof of failure of that system.


The crypto-czar Joe Asswood claims, repeatedly, that this CryptoSMS
system could be cracked "in an hour" by anyone with more brains
than some bubble-headed housewife ...

... so, you smarter than a bubble-headed housewife or not?


Joe Peschel

unread,
Jun 23, 2005, 2:20:33 PM6/23/05
to
"Stephen Sprunk" <ste...@sprunk.org> wrote in
news:1119501133.aa826d730b22fcc04dbd060389104399@teranews:

> "sammy" <sa...@slammy.com> wrote in message
> news:hh1kb19sdc4m66kre...@4ax.com...


>>
>> I've heard the French authorities now actually strongly recommend
>> CryptoSMS to French citizens who inquire as to which method they
>> should use to keep their information private.
>>
>> This comes as a vicious back-handed slap to the inventors of ROT-13,
>> the previous recipients of French authority recommendation for crypto.
>

> That's a serious indictment of CryptoSMS's strength.
>

Nah, but it was an approriate barb.

Joe Peschel

unread,
Jun 23, 2005, 2:22:03 PM6/23/05
to
Cry...@S.M.S wrote in news:11bk6cd...@news.supernews.com:

> Obviously you were searching for CryptoSMS by name, given that
> you found other references. It wasn't named by the French police,
> but they did remove from the systems prior to return. It was
> definitely reported in the French news,

Where and when?

Stephen Sprunk

unread,
Jun 23, 2005, 1:50:20 PM6/23/05
to
<Cry...@S.M.S> wrote in message
news:11bl95d...@news.supernews.com...

> Joseph Ashwood wrote:
> > Since I am the obvious "know-it-all" in question. I stated that it
is
> > breakable in about 1 hour and gave real evidence of this because
> > of the weak passphrase usage. I have never claimed that I am
> > "attempting" to break it, I already broke it.
> >
> > Why would I admit defeat when your product was broken? Seems
> > rather a foolish thing to say.
>
> You have not broken anything.
> You have just made a bunch of wild claims
> and have expected others to believe them.
> This is the tenacity to which I was referring.

The claims are not wild; they were a scientific analysis of many obvious
flaws in the system. Those flaws are so significant that it is not
necessary to decrypt an example message as proof. None of us have ever
stated we were willing to do the latter, just that it could be done. We
are unwilling because it is pointless to expend effort demonstrating
what everyone here (except you) already knows -- your system is flawed.
It is far more interesting to try to break systems that aren't known to
be flawed, or help people design such systems.

S

--
Stephen Sprunk "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov


Joe Peschel

unread,
Jun 23, 2005, 2:35:20 PM6/23/05
to
"Joseph Ashwood" <ash...@msn.com> wrote in
news:a1wue.1407$N22....@newssvr21.news.prodigy.com:

>
> <Cry...@S.M.S> wrote:
>
>> Meanwhile, if you still feel you have something to prove, why
>> not respond to the poster who keeps writing "Put up or Shut up"?
>> After all, the proof of the pudding is in the eating, or is it?
>
> Such challenges are never answered, simply as a matter of course, that
> is because there is no point to them. If you really want me to
> seriously break your system you will get the same result at my usual
> fee. You will find this policy in many around here. Even with that we
> won't break your messages though, there really is no point.
> Cryptography does not happen the way you think it does, it never has,
> it never will.

The point of much cryptanalytic work, aside from academic cryptology, is to
recover and read secret messages. Usually the cryptologist has many more
than three short messages to work with.

"- Prof. Jonez坼

unread,
Jun 23, 2005, 2:36:08 PM6/23/05
to
Stephen Sprunk wrote:
> <Cry...@S.M.S> wrote in message
> news:11bl95d...@news.supernews.com...
> > Joseph Ashwood wrote:
> > > Since I am the obvious "know-it-all" in question. I stated that
> > > it is breakable in about 1 hour and gave real evidence of this
> > > because
> > > of the weak passphrase usage. I have never claimed that I am
> > > "attempting" to break it, I already broke it.
> > >
> > > Why would I admit defeat when your product was broken? Seems
> > > rather a foolish thing to say.
> >
> > You have not broken anything.
> > You have just made a bunch of wild claims
> > and have expected others to believe them.
> > This is the tenacity to which I was referring.
>
> The claims are not wild; they were a scientific analysis of many
> obvious flaws in the system. Those flaws are so significant that it
> is not necessary to decrypt an example message as proof.

Sez you.


> None of us
> have ever stated we were willing to do the latter, just that it could
> be done.

Prove it! -- otherwise it's just more bombast and hot air.

> We are unwilling because ...

You can't, even though some of you have tried.

Joe Peschel

unread,
Jun 23, 2005, 2:40:21 PM6/23/05
to
"Joseph Ashwood" <ash...@msn.com> wrote in
news:YLwue.1409$N2...@newssvr21.news.prodigy.com:

> Find one challenge, such as the one posted by prof jonez, in the last
> year that was posted to sci.crypt and anyone bothered solving.

I think you might find a few challenges solved by Gillogly, me, others. You
might have to look at more than one year, though.

"- Prof. Jonez坼

unread,
Jun 23, 2005, 2:53:02 PM6/23/05
to
Joe Peschel wrote:
> "Joseph Ashwood" <ash...@msn.com> wrote in
> news:YLwue.1409$N2...@newssvr21.news.prodigy.com:
>
> > Find one challenge, such as the one posted by prof jonez, in the
> > last year that was posted to sci.crypt and anyone bothered solving.
>
> I think you might find a few challenges solved by Gillogly, me,
> others. You might have to look at more than one year, though.

Hark! One of the subjects of the sci-crypto kingdom dare state
that self-appointed Emperor Joe has no clothes ...!?

Oh the horror ... the horror ... the horror ...

"- Prof. Jonez坼

unread,
Jun 23, 2005, 2:54:07 PM6/23/05
to
Joe Peschel wrote:
> "Joseph Ashwood" <ash...@msn.com> wrote in
> news:a1wue.1407$N22....@newssvr21.news.prodigy.com:
>
> >
> > <Cry...@S.M.S> wrote:
> >
> > > Meanwhile, if you still feel you have something to prove, why
> > > not respond to the poster who keeps writing "Put up or Shut up"?
> > > After all, the proof of the pudding is in the eating, or is it?
> >
> > Such challenges are never answered, simply as a matter of course,
> > that
> > is because there is no point to them. If you really want me to
> > seriously break your system you will get the same result at my usual
> > fee. You will find this policy in many around here. Even with that
> > we won't break your messages though, there really is no point.
> > Cryptography does not happen the way you think it does, it never
> > has,
> > it never will.
>
> The point of much cryptanalytic work, aside from academic cryptology,
> is to recover and read secret messages.

Further proof that Joe's just a pompous blowhard.

> Usually the cryptologist has
> many more than three short messages to work with.

So how many you need?

"- Prof. Jonez坼

unread,
Jun 23, 2005, 2:56:45 PM6/23/05
to
sammy wrote:
> On Thu, 23 Jun 2005 14:27:13 +1000, Cry...@S.M.S wrote:
>
> <snip>

Still sucking eggs, eh spammy?


"- Prof. Jonez坼

unread,
Jun 23, 2005, 2:59:43 PM6/23/05
to


A: Aparently, according to Blowhard Joeseph, they are the only one's
on planet earth who can't crack Cryptosms ... LOL!

Stephen Sprunk

unread,
Jun 23, 2005, 4:51:00 PM6/23/05
to
" "- Prof. Jonez" <jo...@norcom.ca> wrote in message
news:N3sue.130$d44....@news.uswest.net...
> Stephen Sprunk wrote:
> > Remember, security can't be proven -- it can only be disproven.
>
> So put your $$ where your mouth is -- disprove it:

Put your money where your mouth is and pay someone to do it; why should
any of us expend the effort (for free) of giving you an example when
it's already been shown (for free) to our satisfaction the system is
broken?

Better yet, let someone design a stronger system for you for free;
several suggestions have already been made, which have been steadfastly
ignored.

> It's been over 182 hours ...so put up or shut up --


>
> <cue crickets chirping while the self-appointed cryptocritics FAIL
> to crack such a defective and simplistic encryption>

You are assuming that anyone has attempted doing so. Nobody has stated
they have, merely that it is possible. If you want someone to try, I'm
sure there are folks here that'll provide you with their hourly rates.

Or, since your supposed name indicates you're a professor, throw a grad
student or two at it.

It is loading more messages.
0 new messages