[10643] in cryptography@c2.net mail archive
One for the snakeoil file.
daemon@ATHENA.MIT.EDU (Trei, Peter)
Thu Mar 28 19:01:08 2002
Message-ID: <F504A8CEE925D411AF4A00508B8BE90A01E90D31@exna07.securitydynamics.com>
From: "Trei, Peter" <ptrei@rsasecurity.com>
To: "'cryptography@wasabisystems.com'" <cryptography@wasabisystems.com>
Cc: "'schneier@counterpane.com'" <schneier@counterpane.com>
Date: Tue, 26 Mar 2002 16:34:34 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
[Note: I'm just passing on posts from sci.crypt. I've
not confirmed this independently=20
It appears that not every product which uses smart
cards is secure=20
- pt]
--------------------------------------------
From: philippe.mestral@validy.com (Philippe Mestral)
Newsgroups: sci.crypt
Subject: I've tested the encryption system that comes with Acer =
laptops, and
it's not pretty.
Date: 26 Mar 2002 05:48:36 -0800
Message-ID: <7baaf8a3.0203260548.5c77c27b@posting.google.com>
Some Acer laptops comes with a built-in smartcard reader and a file
encryption program called "Platinum Secure".
My company recently acquired two of them. I spent some time playing
around with that encryption system and came to the following
conclusions:
- they use a basic XOR stream cipher.
- the keystream is always the same for any file, encrypted by any user
on any of the two laptops I have.
- I was able to generate that keystream with a long enough binary file
containing only 0 and encrypting it.
- I am now able to decrypt any file encrypted on either laptop without
the smartcard.
I am no crypto expert. It is surprising to me that a manufacturer
would release such a badly designed product.
It's even worse that providing no security at all, because with this
product the users *think* their files are secure while they obviously
aren't.
any thoughts/comments?
also, has anyone here already had this product in their hands?
could someone who has installed that program possibly create a text
file, put
the string "test" in it, encrypt the file and send it to me at
philippe.mestral@validy.com so that I can see whether the encrypted
file looks like mine or not? (they wouldn't use the same keystream for
ALL their laptops would they?)
thanks in advance.
------------------------------------------------------
From: "Scott Fluhrer" <sfluhrer@ix.netcom.com>
Date: Tue, 26 Mar 2002 07:33:28 -0800
Message-ID: <a7q4ni$r77$1@slb2.atl.mindspring.net>
Jo=EBl Bourquard <job@esecurium.com.nospam> wrote in message
news:3ca091af$1@news.deckpoint.ch...
> "Philippe Mestral" <philippe.mestral@validy.com> wrote in message
> news:7baaf8a3.0203260548.5c77c27b@posting.google.com...
> > Some Acer laptops comes with a built-in smartcard reader and a file
> > encryption program called "Platinum Secure".
> > [...]
> > - they use a basic XOR stream cipher.
> > - the keystream is always the same for any file, encrypted by any =
user
> > on any of the two laptops I have.
> > [...]
> > - I am now able to decrypt any file encrypted on either laptop =
without
> > the smartcard.
>
> Hi,
> I'm completely astonished by what you said.
> What I can't understand, is why they're using a smartcard.. unless =
they
want
> people to BELIEVE that's secure.
Well, the keystreams might be different for different smartcards (not =
that
that would make it any more secure). Alternatively, they might put the
keystream generation program on the smartcard, in the vain hope that if
people can't look at it, they have a harder time cryptanalyzing it.
--
poncho
------------------------------------------------------------------
=20
From: "Philippe Mestral" <philippe.mestral@validy.com>
References:=20
<7baaf8a3.0203260548.5c77c27b@posting.google.com>
<3ca091af$1@news.deckpoint.ch> <a7q4ni$r77$1@slb2.atl.mindspring.net>
<3ca0a34e@news.deckpoint.ch>
Date: Tue, 26 Mar 2002 18:48:49 +0100
> > Well, the keystreams might be different for different smartcards =
(not
that
> > that would make it any more secure). Alternatively, they might put =
the
> > keystream generation program on the smartcard, in the vain hope =
that if
> > people can't look at it, they have a harder time cryptanalyzing it.
>
> Oh yes, I assumed he did use two different smartcards with the two
laptops..
> and that the keys were the same.
> Maybe he didn't.
I did.
-------------------------------------------------------------
From: "Philippe Mestral" <philippe.mestral@validy.com>
Date: Tue, 26 Mar 2002 19:19:28 +0100
Message-ID: <3ca0ba42$0$24006$4d4eb98e@read.news.fr.uu.net>
"Jo=EBl Bourquard" <job@esecurium.com.nospam> wrote in message
news:3ca091af$1@news.deckpoint.ch...
> Hi,
> I'm completely astonished by what you said.
> What I can't understand, is why they're using a smartcard.. unless =
they
want
> people to BELIEVE that's secure.
>
apparently the card is used to store a unique ID which authenticates =
the
card owner.
As several card owners can use the same pc and the encrypting method =
and key
are always the same, they had to find some sort of way to tell what =
file was
encrypted by what user.
A registry key contains information regarding encrypted files.
For each encrypted file, a string is added to the registry. Its name is =
the
current date concatenated to the encrypted file name, and its value
corresponds to the unique ID of the user who encrypted the file (plus =
the
original file extension, go figure).
When a request to decrypt an encrypted file is made, the program =
browses the
list of encrypted files in the registry. If it founds a file whose date =
&
time and name correpond, it then checks that the user who encrypted =
that
file corresponds to the one whose card is inserted in the reader. If it
does, the file is decrypted.
Incidentally, modifying the date and/or name of an encrypted file makes =
it
impossible to decrypt!! it is also impossible to exchange files between
machines, and if you back up your encrypted files on a CD or elsewhere,
re-install Windows (thus deleting the registry), and restore your saved
file, you will be unable to decrypt them!!
also, you can easily decrypt other user's file by replacing their ID by
yours.
please note that I haven't been given any specifications by Acer =
regarding
this program. Everything I say comes from double-checked tests and
observations. I'm afraid I'm not far from the truth though...
--
the infamous registry key:
[HKEY_CLASSES_ROOT\EncryptFileInfo\ENCRYPT]
"14/03/2002 18:37:00=0F100000"=3D"Validy13160301=0Ftxt"
"14/03/2002 18:38:00=0F31"=3D"Validy13160301=0Ftxt"
"15/03/2002 11:05:40=0F500000"=3D"Validy13160301=0Ftxt"
"15/03/2002 11:07:37=0F69489"=3D"Validy13160301=0Fzip"
"15/03/2002 11:12:17=0F27056"=3D"Validy13160301=0Ftxt"
"15/03/2002 11:43:00=0F10"=3D"Validy13160301=0Ftxt"
"15/03/2002 11:44:15=0F100"=3D"Validy13160301=0Ftxt"
"15/03/2002 11:46:15=0F30"=3D"Validy13160301=0Ftxt"
"15/03/2002 11:47:08=0F26"=3D"Validy13160301=0Ftxt"
"15/03/2002 12:20:31=0F27"=3D"Validy13160301=0Ftxt"
"15/03/2002 14:21:33=0F27"=3D"Validy13160301=0Ftxt"
"15/03/2002 14:43:24=0F100000"=3D"Validy13160301=0Ftxt"
"15/03/2002 14:43:59=0F100000"=3D"Validy13160301=0Ftxt"
--------------------------------------------
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
