USB pen drives and safe cryptosystems (looking for references)

I must to take with humour your scandal.

I love magic as a way to make difficult things with easy but mostly
unknown procedures.

Of course, quantum computing and Shor algorithm are not easy
procedures, but I can imagine that it can be used by somebody, and
maybe can be simmulated by a good menthalist very smart on "cold
reading" (something that I do not want to explain here and now) in
order to look like a NSA contact.

I am not so fluent in English, but in Spanish I played with some real
USB pen drives in order to make the people imagine that I got
information in a missdirected way. It was funny because I noticed how
paranoid some people can become while I keep their pen drive in my
hands (even if they gave me for the trick). I mean that a pen drive is
a "paranogical factor", something that can give a chance for good
magic, and I am working on that. Unfortunately, I can not demonstrate
how can I perform some magic tricks for pen drives here and now, so
"believe it or not..."

miguel, www.cita.es

Ludovic Joly ha escrito:

> Various contradictions on your shitty site have been noted. Personally,
> the one that truly scandalizes me is the correlation between Magic and
> illusionism. After checking on Wikipedia, you might be not as wrong as
> you should be - to the mainstream. The confusion between stage magic
> and sorcery is quite widespread. But still... Can't you feel that
> sorcery makes AES-2048 so... easy to factor? Ask the competent ones.
> Ask JSH.
>
> Kind regards
> Ludovic

Miguel A. Gallardo en http://www.cita.es

I must to take with humour your scandal.

I love magic as a way to make difficult things with easy but mostly
unknown procedures.

Of course, quantum computing and Shor algorithm are not easy
procedures, but I can imagine that it can be used by somebody, and
maybe can be simmulated by a good menthalist very smart on "cold
reading" (something that I do not want to explain here and now) in
order to look like a NSA contact.

I am not so fluent in English, but in Spanish I played with some real
USB pen drives in order to make the people imagine that I got
information in a missdirected way. It was funny because I noticed how
paranoid some people can become while I keep their pen drive in my
hands (even if they gave me for the trick). I mean that a pen drive is
a "paranogical factor", something that can give a chance for good
magic, and I am working on that. Unfortunately, I can not demonstrate
how can I perform some magic tricks for pen drives here and now, so
"believe it or not..."

miguel, www.cita.es

Ludovic Joly ha escrito:

> Various contradictions on your shitty site have been noted. Personally,
> the one that truly scandalizes me is the correlation between Magic and
> illusionism. After checking on Wikipedia, you might be not as wrong as
> you should be - to the mainstream. The confusion between stage magic
> and sorcery is quite widespread. But still... Can't you feel that
> sorcery makes AES-2048 so... easy to factor? Ask the competent ones.
> Ask JSH.
>
> Kind regards
> Ludovic

Miguel A. Gallardo en http://www.cita.es

I must to take with humour your scandal.

I love magic as a way to make difficult things with easy but mostly
unknown procedures.

Of course, quantum computing and Shor algorithm are not easy
procedures, but I can imagine that it can be used by somebody, and
maybe can be simmulated by a good menthalist very smart on "cold
reading" (something that I do not want to explain here and now) in
order to look like a NSA contact.

I am not so fluent in English, but in Spanish I played with some real
USB pen drives in order to make the people imagine that I got
information in a missdirected way. It was funny because I noticed how
paranoid some people can become while I keep their pen drive in my
hands (even if they gave me for the trick). I mean that a pen drive is
a "paranogical factor", something that can give a chance for good
magic, and I am working on that. Unfortunately, I can not demonstrate
how can I perform some magic tricks for pen drives here and now, so
"believe it or not..."

miguel, www.cita.es

Ludovic Joly ha escrito:

> Various contradictions on your shitty site have been noted. Personally,
> the one that truly scandalizes me is the correlation between Magic and
> illusionism. After checking on Wikipedia, you might be not as wrong as
> you should be - to the mainstream. The confusion between stage magic
> and sorcery is quite widespread. But still... Can't you feel that
> sorcery makes AES-2048 so... easy to factor? Ask the competent ones.
> Ask JSH.
>
> Kind regards
> Ludovic

Miguel A. Gallardo en http://www.cita.es

OK. I read Merkle approaches to public key cryptography long time ago,
and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
opinion cryptology is not only about algorithms or access protocols. On
1991 I published about some PANDORA approaches, and now "we" (at least
in Spanish I got some very respected experts on computer security to
understand some new ideas) are thinking in a "doberman pen drive" that
can ciphper a partion, can contaminate from another one, and can
attack, even physically, some electronics of the computer where it is
being unauthoricedly used. As far as we foresaw, there are 5
problems/solutions for pen drives:

1. The legal approach to be completely sure that the cracker is very
well aware that he/she is not authoriced.
2. False/true data inside (magical/theatre/humour/fun)
3. Software (internal and external) beyond known cryptosystems
4. Hardware vulnerabilities from USB interface
5. Messages or any tracking way from the pen drive to any open channel
of the owner

I admit that it is just a brain-storming, but we are free to project
many things in our pen drives, and of course, some ideas are only for
people involved. However, I am always open to suggestions of whoever
knows more than me about anything....

I am very happy to learn that I now very little about almost nothing.
However, I do not think that Feistel, Kerckchoffs, Shannon clasical
fundamentals or, for instance, Feige-Fiat-Shamir or Guillou-Quisquater
identification schemes or Diffie-Hellman key exchanges have too much to
do with USB pen drives real risks. I foresee new approaches specific
for pen drives even if I am not smart enough to explain my intuitions
right now, sorry. I know some of my limits, and that one is here right
now.

miguel, www.cita.es/conmigo

Joseph Ashwood ha escrito:

> "Miguel A. Gallardo en http://www.cita.es" <>
> wrote in message
> news: oups.com...
> > Illusionism and cryptology are 2 very complementary
> > approaches to pen drives in my honest opinion.
>
> Now we're getting somewhere. It seems you have never been actually
> introduced to cryptography. Well then I'll revise my earlier statement of
> the three important cryptologists, remove Feistel and add Kerckhoffs. If you
> actually understand Kerckhoffs principles you will very quickly see that
> illusionism/magic/mysticism/anything else that has at points in history been
> linked has nothing to do with cryptography. To summarize:
> 1. The system must be practically, if not mathematically, indecipherable;
> 2. It must not be required to be secret, and it must be able to fall into
> the hands of the enemy without inconvenience;
> 3. Its key must be communicable and retainable without the help of written
> notes, and changeable or modifiable at the will of the correspondents;
> 4. It must be applicable to telegraphic correspondence;
> 5. It must be portable, and its usage and function must not require the
> concourse of several people;
> 6. Finally, it is necessary, given the circumstances that command its
> application, that the system be easy to use, requiring neither mental strain
> nor the knowledge of a long series of rules to observe
>
> You will find that in particular magic/illusionism breaks 1, 2, 3, 4, and 6,
> and that some examples break 5 as well.
>
> You have once again demonstrated that you don't have the foundation
> knowledge necessary, it is necessary for you to read up on the implications
> of Kerckhoffs principles, on Shannon's work, and on Viginere's effects even
> today simply in order to understand your own question.
> Joe

Miguel A. Gallardo en http://www.cita.es

"Miguel A. Gallardo en http://www.cita.es" <>
wrote in message
news: oups.com...

> OK. I read Merkle approaches to public key cryptography long time ago,

That was no where on the list, but I'll fairly well ignore that.

> and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
> opinion cryptology is not only about algorithms or access protocols.

Then once again, you clearly do not understand what cryptography is.

> On
> 1991 I published about some PANDORA approaches, and now "we" (at least
> in Spanish I got some very respected experts on computer security to
> understand some new ideas) are thinking in a "doberman pen drive" that
> can ciphper a partion, can contaminate from another one, and can
> attack, even physically, some electronics of the computer where it is
> being unauthoricedly used.

So basically you have dreamed up something completely pointless. Allow me to
introduce you to how *I* would break a pen drive. First I would take the
drive apart, then slip the Flash chip into any of a few boards I actually
have around, and simply read the data off. I have now completely eliminated
the contamination, and any chance you have for attack, that leaves only the
enciphered content, which since you can't seem to even spell cipher, or
recognise that it is the incorrect word there, I doub't would pose much
problem.

> As far as we foresaw, there are 5
> problems/solutions for pen drives:
>
> 1. The legal approach to be completely sure that the cracker is very
> well aware that he/she is not authoriced.
> 2. False/true data inside (magical/theatre/humour/fun)
> 3. Software (internal and external) beyond known cryptosystems
> 4. Hardware vulnerabilities from USB interface
> 5. Messages or any tracking way from the pen drive to any open channel
> of the owner

You missed the core problem. Pen Drives are assembled from two primary
chips; the NAND Flash chip itself (usually either Samsung or Toshiba), and
the bridge chip that converts between the NAND Flash interface and SCSI over
USB (typically Atmel). All you're doing is creating something that serves no
purpose, has no real use, and the security you've given so far is
fundamentally flawed against the most basic attack. Attacking the drive
itself allows the attacker to eliminate your options with 1, distinguish
false/true data in 2, eliminates the software in 3, provides hardware
vulnerabilities that you are not addressing that completely eclipse 4, and
eliminates 5. In short, what you have "foreseen" is sidestepped through some
of the most trivial processes available, eliminating all of the security
that you pretend exists. This is the core difference between real security
people, and people who decide to declare themself an expert as you have
done.

> I am very happy to learn that I now very little about almost nothing.
> However, I do not think that Feistel, Kerckchoffs, Shannon clasical
> fundamentals or, for instance, Feige-Fiat-Shamir or Guillou-Quisquater
> identification schemes or Diffie-Hellman key exchanges have too much to
> do with USB pen drives real risks.

Like I said, you will not understand how they apply, further demonstrating
your lack of understanding.

Shannon always matters because he laid out the groundwork that you are
attempting to violate.
Kerckhoffs matters because you are violating basically every basic principle
Feistel matters because he showed that it is possible to have practical
security without perfect secrecy
Vigenere matters because he uncovered the fundamentals of block
encipherment, which is exactly what you will have to do.

In addition you missed probably the most important of the books to
understand Safecracking for the Computer Scientist is critical to what you
are attempting to do. I strongly encourage you to actually read the
references I gave, they will most certainly help.

Back to the show. To repeat myself. "More to the point. Can you [name 3]?"

Joseph Ashwood

Joseph Ashwood ha escrito:

> "Miguel A. Gallardo en http://www.cita.es" <>
> wrote in message
> news: oups.com...
>
> > OK. I read Merkle approaches to public key cryptography long time ago,
>
> That was no where on the list, but I'll fairly well ignore that.

OK. You are free to ignore whatever you ignore forever. I loved the way
he solved 2 cryptographic problems with just 1 idea. I think he is a
genius, even if an ignorant like me can appreciate how smart he is
(obviously, anybody that has ideas that I can not appreciate could be
much better, but if I can not apprecite him, I can not know if he is a
genious or not). I hope to know about Merkle pen drives now that he is
working in nanotechnology, as far as I know.

> > and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
> > opinion cryptology is not only about algorithms or access protocols.
>
> Then once again, you clearly do not understand what cryptography is.

OK. You know everything about what I know, and I know nothing about
whatever you know. That is very good for me. I have nothing to loose
then.


> > On
> > 1991 I published about some PANDORA approaches, and now "we" (at least
> > in Spanish I got some very respected experts on computer security to
> > understand some new ideas) are thinking in a "doberman pen drive" that
> > can ciphper a partion, can contaminate from another one, and can
> > attack, even physically, some electronics of the computer where it is
> > being unauthoricedly used.
>
> So basically you have dreamed up something completely pointless. Allow me to
> introduce you to how *I* would break a pen drive. First I would take the
> drive apart, then slip the Flash chip into any of a few boards I actually
> have around, and simply read the data off. I have now completely eliminated
> the contamination, and any chance you have for attack, that leaves only the
> enciphered content, which since you can't seem to even spell cipher, or
> recognise that it is the incorrect word there, I doub't would pose much
> problem.

I have no idea about whatever have you around but it seems that you are
breaking some protections everyday. But I am sure you did not catched
what I mean with contamination. It is my fault because I am thinking in
Spanish. And I bet that you will not be happy with my "decoy"
(señuelo) approach to magic criptography using "missdirection" effect
because I can not give a citation index reference. I hope to find
something in citation index about "decoy" approaches, but I am still
searching for something like that. Maybe I found something new.

> > As far as we foresaw, there are 5
> > problems/solutions for pen drives:
> >
> > 1. The legal approach to be completely sure that the cracker is very
> > well aware that he/she is not authoriced.
> > 2. False/true data inside (magical/theatre/humour/fun)
> > 3. Software (internal and external) beyond known cryptosystems
> > 4. Hardware vulnerabilities from USB interface
> > 5. Messages or any tracking way from the pen drive to any open channel
> > of the owner
>
> You missed the core problem. Pen Drives are assembled from two primary
> chips; the NAND Flash chip itself (usually either Samsung or Toshiba), and
> the bridge chip that converts between the NAND Flash interface and SCSI over
> USB (typically Atmel). All you're doing is creating something that serves no
> purpose, has no real use, and the security you've given so far is
> fundamentally flawed against the most basic attack. Attacking the drive
> itself allows the attacker to eliminate your options with 1, distinguish
> false/true data in 2, eliminates the software in 3, provides hardware
> vulnerabilities that you are not addressing that completely eclipse 4, and
> eliminates 5. In short, what you have "foreseen" is sidestepped through some
> of the most trivial processes available, eliminating all of the security
> that you pretend exists. This is the core difference between real security
> people, and people who decide to declare themself an expert as you have
> done.

I must to take this seriously. Please give me some time to check your
technical references. Maybe I am using very inexpensive Pen Drives that
you can find at www.vfuel.net but I do not think that the standards you
mentioned are the only ones. As you admit, we can speak about them
"typically".

Anyhow, your Pen Drive "autopsia" does not demonstrate that 1-5
approaches are always useless, in my honest opinion.

> > I am very happy to learn that I now very little about almost nothing.
> > However, I do not think that Feistel, Kerckchoffs, Shannon clasical
> > fundamentals or, for instance, Feige-Fiat-Shamir or Guillou-Quisquater
> > identification schemes or Diffie-Hellman key exchanges have too much to
> > do with USB pen drives real risks.
>
> Like I said, you will not understand how they apply, further demonstrating
> your lack of understanding.

You are very kind, and of course, you must be always right. I can
imagine how happy can be all the people you have around...

> Shannon always matters because he laid out the groundwork that you are
> attempting to violate.

Yes. And Pythagoras too.

> Kerckhoffs matters because you are violating basically every basic principle

I hope that those principles get pregnant because that way we can get
very interesting children.

> Feistel matters because he showed that it is possible to have practical
> security without perfect secrecy

I must to take this point very seriously indeed. I worked with Vernam
ciphers and I even used XOR with long key files. Right now I am
thinking in pen drives as one time keys, as well as for complex secret
sharing protocols. However, as you said before, I am still dreaming in
order to get somebody to pay for the project at least for a beta
version.

> Vigenere matters because he uncovered the fundamentals of block
> encipherment, which is exactly what you will have to do.

Please remember that I am like Forrest Gump so I can not do anything
exactly. Long time ago I explanied International Data Encryption
Algorithm (IDEA) fundamentals, and I have the doctoral thesis of Xuejia
Lay in my personal library. I understand what you mean, but please be
kind and do not limit my dreams to block encipherment. I know a little
about steganography and I even understand PK and Shor algorithm, so I
am much more mind open than that.

> In addition you missed probably the most important of the books to
> understand Safecracking for the Computer Scientist is critical to what you
> are attempting to do. I strongly encourage you to actually read the
> references I gave, they will most certainly help.

Yes. You gave me some good references and better ideas, mixed with some
unpolite approaches to my lack of knowledge, but I admit that your
dialectic is good for my brainstorming. Your worst fault is that you
are so sure that I know nothing that it is so funny that I enjoy it a
lot. You remind me some lawyers than pretend to know in just 1 minute
all my background and my several weeks hard work on an expert
witnessing problem on forensic computing. Of course I always take a lot
of time to think what to do in the next minute, and sometimes, the
judge understand the whole movie just smiling.


> Back to the show. To repeat myself. "More to the point. Can you [name 3]?"

OK. If you just want to speak about
3. Software (internal and external) beyond known cryptosystems
I prefer to speak about what you said this way:
"I would take the drive apart, then slip the Flash chip into any of a
few boards I actually
have around, and simply read the data off".

Have you done anything like that already? If so, please let me to know
more about you, your tools, and the whole movie you played.

miguel, www.cita.es/conmigo

Miguel A. Gallardo en http://www.cita.es

"Miguel A. Gallardo en http://www.cita.es" <>
wrote in message
news: oups.com...
Joseph Ashwood ha escrito:

>> "Miguel A. Gallardo en http://www.cita.es" <>
>> wrote in message
>> news: oups.com...
>>
>> > OK. I read Merkle approaches to public key cryptography long time ago,
>>
>> That was no where on the list, but I'll fairly well ignore that.

> OK. You are free to ignore whatever you ignore forever.

I ignored it because it is generally irrelevant, you might as well have said
"I enjoy Root Beer" it makes no difference to what you're trying to do.

>> > and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
>> > opinion cryptology is not only about algorithms or access protocols.
>>
>> Then once again, you clearly do not understand what cryptography is.
>
>OK. You know everything about what I know, and I know nothing about
>whatever you know. That is very good for me. I have nothing to loose
>then.

Actually you have a great deal to lose. Bringing this back to the original
discussion, you have now admitted that you lack the knowledge to be a
forensic expert. So anyone actually looking for such can safely ignore you.

>>> ["doberman pen drive"]
>
>> So basically you have dreamed up something completely pointless. Allow me
>> to
>> introduce you to how *I* would break a pen drive. First I would take the
>> drive apart, then slip the Flash chip into any of a few boards I actually
>> have around, and simply read the data off. I have now completely
>> eliminated
>> the contamination, and any chance you have for attack, that leaves only
>> the
>> enciphered content, which since you can't seem to even spell cipher, or
>> recognise that it is the incorrect word there, I doub't would pose much
>> problem.

>I have no idea about whatever have you around but it seems that you are
>breaking some protections everyday.

Well then perhaps we should start there. I have around me a number of
dissected pen drives by various manufacturers, specifically used for
research into a seperate project having to deal with them. In short I have a
year of deep research into how they are designed, built, and constructed, I
have prototypes (of my design) of a variation available to me. So basically,
with pen drives I really do have all the knowledge you're looking for. And
I'm telling you that if you're looking to make a pen drive, the only cost
effective way is exactly what I have told you, the only exception would be
if you are trying to exceed 4GB right now, 8GB within 6 months, etc. where
you will need custom chips, even then it is cheapest to use a different
controller than the basic Atmel along with multiple of the standard NAND
flash chips unless you are looking to exceed 50GB.

> But I am sure you did not catched
>what I mean with contamination.

Actually I did, and it is completely irrelevant to the security.

> And I bet that you will not be happy with my . . . magic criptography

You're right I won't, because such "magic cr[y]ptography" will violate the
fundamentals that you refuse to learn, and as such it will completely fail.

> Maybe I found something new.

Maybe you found something so useless that they realized it before
publishing.

>> > As far as we foresaw, there are 5
>> > problems/solutions for pen drives:
>> >
>> > 1. The legal approach to be completely sure that the cracker is very
>> > well aware that he/she is not authoriced.
>> > 2. False/true data inside (magical/theatre/humour/fun)
>> > 3. Software (internal and external) beyond known cryptosystems
>> > 4. Hardware vulnerabilities from USB interface
>> > 5. Messages or any tracking way from the pen drive to any open channel
>> > of the owner
>>
>> You missed the core problem. Pen Drives are assembled from two primary
>> chips; the NAND Flash chip itself (usually either Samsung or Toshiba),
>> and
>> the bridge chip that converts between the NAND Flash interface and SCSI
>> over
>> USB (typically Atmel). All you're doing is creating something that serves
>> no
>> purpose, has no real use, and the security you've given so far is
>> fundamentally flawed against the most basic attack. Attacking the drive
>> itself allows the attacker to eliminate your options with 1, distinguish
>> false/true data in 2, eliminates the software in 3, provides hardware
>> vulnerabilities that you are not addressing that completely eclipse 4,
>> and
>> eliminates 5. In short, what you have "foreseen" is sidestepped through
>> some
>> of the most trivial processes available, eliminating all of the security
>> that you pretend exists. This is the core difference between real
>> security
>> people, and people who decide to declare themself an expert as you have
>> done.

>I must to take this seriously. Please give me some time to check your
>technical references. Maybe I am using very inexpensive Pen Drives that
>you can find at www.vfuel.net but I do not think that the standards you
>mentioned are the only ones. As you admit, we can speak about them
>"typically".

They are standardized this way for a reason. The reason that SCSI is used as
the interface is to allow the OS to load it without placing a usability load
on the user, ATA would've worked but it would require additional logic on
the controller ASIC. NAND flash is used because it allows for near-optimum
design of the chip's storage areas and a vast reduction in the control
logic, the end result being a noticable decrease is the production cost, and
a noticable increase in the functioning speed of the device. The only
exceptions would generally be a small number of designs that include both
the Flash RAM (or FRAM, not the same thing) and the controller on the same
chip, Atmel has a few of these for smaller sizes, and various other
suppliers offer them as well, but again Atmel is the most popular, they
really seem to pretty much own the Flash controller market.

> Anyhow, your Pen Drive "autopsia" does not demonstrate that 1-5
> approaches are always useless, in my honest opinion.

It means that while your efforts are likely to bite the legitimate user, the
attacker will simply bypass them. So you're right they are not useless, they
are detrimental.

>> Shannon always matters because he laid out the groundwork that you are
>> attempting to violate.
>
>Yes. And Pythagoras too.
>> Kerckhoffs matters because you are violating basically every basic
>> principle

>I hope that those principles get pregnant because that way we can get
>very interesting children.

>> Feistel matters because he showed that it is possible to have practical
>> security without perfect secrecy

>I must to take this point very seriously indeed. I worked with Vernam
>ciphers and I even used XOR with long key files. Right now I am
>thinking in pen drives as one time keys, as well as for complex secret
>sharing protocols. However, as you said before, I am still dreaming in
>order to get somebody to pay for the project at least for a beta
>version.

Rest assured, even the most basic vetting of the concept will result in them
viewing this thread, and seeing that everything you have attempted is based
on flawed concepts, is a problem only for the legitimate user, and was
completely dismantled. If it gets funded it will only be by your family,
unfortunately they will lose any money they invest.

> Please remember that I am like Forrest Gump

I just have to: "Stupid is as stupid does."

> so I can not do anything
> exactly. Long time ago I explanied International Data Encryption
>Algorithm (IDEA) fundamentals,

Being able to explain the way an algorithm works does not mean you
understand why the decision of the algorithm have been made. When you are
attempting to design a new concept for security it is necessary to
understand the whys, it is completely irrelevant whether or not you can
recite the algorithm.

> I know a little
>about steganography and I even understand PK and Shor algorithm

Neither of which has any bearing at all on what you are proposing.
Steganography will only server to lower the storage capacity of the drive,
and PKC serves only to weak the security. Shor is completely irrelevant.

> You remind me some lawyers than pretend to know in just 1 minute
> all my background and my several weeks hard work on an expert
> witnessing problem on forensic computing.

Just another decade to go before you can be considered minimally qualified.
You have admitted several times that you simply don't have the foundations
necessary, this is only the most recent.

>> Back to the show. To repeat myself. "More to the point. Can you [name
>> 3]?"
>
>OK. If you just want to speak about
>3. Software (internal and external) beyond known cryptosystems

And how does your pretend book (no mention on Google or Amazon, turns out
"beyond known cryptosystems" is a phrase that results in 0 hits on Google
when enclosed in quotes), have anything to do with pen drive security? Mine
had very particular purposes, but the 1 you supplied doesn't even seem to
exist.
Joe

Joseph Ashwood

Joseph Ashwood ha escrito:

> "Miguel A. Gallardo en http://www.cita.es" <>
> wrote in message
> news: oups.com...
> Joseph Ashwood ha escrito:
>
> >> "Miguel A. Gallardo en http://www.cita.es" <>
> >> wrote in message
> >> news: oups.com...
> >>
> >> > OK. I read Merkle approaches to public key cryptography long time ago,
> >>
> >> That was no where on the list, but I'll fairly well ignore that.
>
> > OK. You are free to ignore whatever you ignore forever.
>
> I ignored it because it is generally irrelevant, you might as well have said
> "I enjoy Root Beer" it makes no difference to what you're trying to do.

I recommend to you
SIMMONS, G. J. "Contemporary Cryptography" N.J. Ed. IEEE Press,
Piscataway, NJ, 1992, pp. 137 where Whitfield Diffie explained a
problem approach of Merkle. In my honest opinion, the heuristics and
hermeneutics of my dreams have something to do with it, and I am sorry
if I am not able to make you to doubt just a little.

> >> > and I am aware of some Eurocrypt and Asiancrypt papers but in my honest
> >> > opinion cryptology is not only about algorithms or access protocols.
> >>
> >> Then once again, you clearly do not understand what cryptography is.
> >
> >OK. You know everything about what I know, and I know nothing about
> >whatever you know. That is very good for me. I have nothing to loose
> >then.
>
> Actually you have a great deal to lose. Bringing this back to the original
> discussion, you have now admitted that you lack the knowledge to be a
> forensic expert. So anyone actually looking for such can safely ignore you.

I am very happy if everybody is safe ignoring me. However, I am a
little bit more happy if just 1 reader is interested in my doubts.

> >>> ["doberman pen drive"]
> >
> >> So basically you have dreamed up something completely pointless. Allow me
> >> to
> >> introduce you to how *I* would break a pen drive. First I would take the
> >> drive apart, then slip the Flash chip into any of a few boards I actually
> >> have around, and simply read the data off. I have now completely
> >> eliminated
> >> the contamination, and any chance you have for attack, that leaves only
> >> the
> >> enciphered content, which since you can't seem to even spell cipher, or
> >> recognise that it is the incorrect word there, I doub't would pose much
> >> problem.
>
> >I have no idea about whatever have you around but it seems that you are
> >breaking some protections everyday.
>
> Well then perhaps we should start there. I have around me a number of
> dissected pen drives by various manufacturers, specifically used for
> research into a seperate project having to deal with them. In short I have a
> year of deep research into how they are designed, built, and constructed, I
> have prototypes (of my design) of a variation available to me. So basically,
> with pen drives I really do have all the knowledge you're looking for. And
> I'm telling you that if you're looking to make a pen drive, the only cost
> effective way is exactly what I have told you, the only exception would be
> if you are trying to exceed 4GB right now, 8GB within 6 months, etc. where
> you will need custom chips, even then it is cheapest to use a different
> controller than the basic Atmel along with multiple of the standard NAND
> flash chips unless you are looking to exceed 50GB.

I am taking your technology knowledge very seriously. It is obvious
that you know what you are speaking about. It is a pity that it will be
so difficult to negotiate with you because I am interested in added
value pen drives and I think I can sell some over here explaining or
just translating for Spanish customers.

> > But I am sure you did not catched
> >what I mean with contamination.
>
> Actually I did, and it is completely irrelevant to the security.

I respect your opinion, but I disagree.

> > And I bet that you will not be happy with my . . . magic criptography
>
> You're right I won't, because such "magic cr[y]ptography" will violate the
> fundamentals that you refuse to learn, and as such it will completely fail.

Sorry for my faults. I do not refuse to learn (or "relearn" because I
studied and teached about it already) anything. You are the one that
refuse to learn, for instance, what is "cold reading" in serious magic
(yes, magic can be very serious indeed). I hope to have a chance to
play some tricks for you in the near future.

> > Maybe I found something new.
>
> Maybe you found something so useless that they realized it before
> publishing.

Maybe.

> >> > As far as we foresaw, there are 5
> >> > problems/solutions for pen drives:
> >> >
> >> > 1. The legal approach to be completely sure that the cracker is very
> >> > well aware that he/she is not authoriced.
> >> > 2. False/true data inside (magical/theatre/humour/fun)
> >> > 3. Software (internal and external) beyond known cryptosystems
> >> > 4. Hardware vulnerabilities from USB interface
> >> > 5. Messages or any tracking way from the pen drive to any open channel
> >> > of the owner
> >>
> >> You missed the core problem. Pen Drives are assembled from two primary
> >> chips; the NAND Flash chip itself (usually either Samsung or Toshiba),
> >> and
> >> the bridge chip that converts between the NAND Flash interface and SCSI
> >> over
> >> USB (typically Atmel). All you're doing is creating something that serves
> >> no
> >> purpose, has no real use, and the security you've given so far is
> >> fundamentally flawed against the most basic attack. Attacking the drive
> >> itself allows the attacker to eliminate your options with 1, distinguish
> >> false/true data in 2, eliminates the software in 3, provides hardware
> >> vulnerabilities that you are not addressing that completely eclipse 4,
> >> and
> >> eliminates 5. In short, what you have "foreseen" is sidestepped through
> >> some
> >> of the most trivial processes available, eliminating all of the security
> >> that you pretend exists. This is the core difference between real
> >> security
> >> people, and people who decide to declare themself an expert as you have
> >> done.
>
> >I must to take this seriously. Please give me some time to check your
> >technical references. Maybe I am using very inexpensive Pen Drives that
> >you can find at www.vfuel.net but I do not think that the standards you
> >mentioned are the only ones. As you admit, we can speak about them
> >"typically".
>
> They are standardized this way for a reason. The reason that SCSI is used as
> the interface is to allow the OS to load it without placing a usability load
> on the user, ATA would've worked but it would require additional logic on
> the controller ASIC. NAND flash is used because it allows for near-optimum
> design of the chip's storage areas and a vast reduction in the control
> logic, the end result being a noticable decrease is the production cost, and
> a noticable increase in the functioning speed of the device. The only
> exceptions would generally be a small number of designs that include both
> the Flash RAM (or FRAM, not the same thing) and the controller on the same
> chip, Atmel has a few of these for smaller sizes, and various other
> suppliers offer them as well, but again Atmel is the most popular, they
> really seem to pretty much own the Flash controller market.
>
> > Anyhow, your Pen Drive "autopsia" does not demonstrate that 1-5
> > approaches are always useless, in my honest opinion.
>
> It means that while your efforts are likely to bite the legitimate user, the
> attacker will simply bypass them. So you're right they are not useless, they
> are detrimental.
>
> >> Shannon always matters because he laid out the groundwork that you are
> >> attempting to violate.
> >
> >Yes. And Pythagoras too.
> >> Kerckhoffs matters because you are violating basically every basic
> >> principle
>
> >I hope that those principles get pregnant because that way we can get
> >very interesting children.
>
> >> Feistel matters because he showed that it is possible to have practical
> >> security without perfect secrecy
>
> >I must to take this point very seriously indeed. I worked with Vernam
> >ciphers and I even used XOR with long key files. Right now I am
> >thinking in pen drives as one time keys, as well as for complex secret
> >sharing protocols. However, as you said before, I am still dreaming in
> >order to get somebody to pay for the project at least for a beta
> >version.
>
> Rest assured, even the most basic vetting of the concept will result in them
> viewing this thread, and seeing that everything you have attempted is based
> on flawed concepts, is a problem only for the legitimate user, and was
> completely dismantled. If it gets funded it will only be by your family,
> unfortunately they will lose any money they invest.

OK. I hope that none of my family members will find any problem with my
project, but if they have, I will recommend them to contact you.

> > Please remember that I am like Forrest Gump
>
> I just have to: "Stupid is as stupid does."

You are very kind.

> > so I can not do anything
> > exactly. Long time ago I explanied International Data Encryption
> >Algorithm (IDEA) fundamentals,
>
> Being able to explain the way an algorithm works does not mean you
> understand why the decision of the algorithm have been made. When you are
> attempting to design a new concept for security it is necessary to
> understand the whys, it is completely irrelevant whether or not you can
> recite the algorithm.

I promiss that I did my best at least on confussion/difussion criteria,
and my pupils seem to be smart enough to understand even better than
me. They appreciated Xuejia Lai thesis synthesis that I did for them.
About the "whys", I agree with you. I study philosophy right now, and I
never recited any algorithm in my life (I can not imagine myself doing
anything so boring).

> > I know a little
> >about steganography and I even understand PK and Shor algorithm
>
> Neither of which has any bearing at all on what you are proposing.
> Steganography will only server to lower the storage capacity of the drive,
> and PKC serves only to weak the security. Shor is completely irrelevant.

1. Steganography can be very useful for pen drives critical tasks, but
I do not want to waste your time, or even worse, to get you angry. I
also foresee some other pen drives applications on secret spliting and
secret sharing (I recommend Schenier Applied Cryptography Second
Edition 3.6-3.7)
2. Yes, I agree with you. PKC only weak security but sometimes is a
must.

> > You remind me some lawyers than pretend to know in just 1 minute
> > all my background and my several weeks hard work on an expert
> > witnessing problem on forensic computing.
>
> Just another decade to go before you can be considered minimally qualified.

I respect very much old people.

> You have admitted several times that you simply don't have the foundations
> necessary, this is only the most recent.

Yes, I admit my doubts very often. Is something very healthy, in my
honest opinion.

> >> Back to the show. To repeat myself. "More to the point. Can you [name
> >> 3]?"
> >
> >OK. If you just want to speak about
> >3. Software (internal and external) beyond known cryptosystems
>
> And how does your pretend book (no mention on Google or Amazon, turns out
> "beyond known cryptosystems" is a phrase that results in 0 hits on Google
> when enclosed in quotes), have anything to do with pen drive security? Mine
> had very particular purposes, but the 1 you supplied doesn't even seem to
> exist.

I shall try to explain what I wanted to mean in 3. and I will be very
proud if anybody understand anything new that nobody can find in Google
or Amazon (I hope to make a paper with citation index one day in the
near future).

First of all, I must to tell where the inspiration comes from. I am in
touch with several thousands of professional magicians and I asked for
magic tricks to many of them. They had no references, but many are very
interested in any new idea because many people in their shows use them.
I had some experiences with critical pendrives, and I played with my
friends and customers some tricks with humour. After some comments I
understood that there is still a lot to do in Pen Drives Software
(internal and external) so I am thinking (or dreaming or projecting or
forecasting or brainstorming) beyond known cryptosystems.

It is obvius that you are familiar with Pen Drive technologies, so now
let me to make some clear questions, because if you know a
manufacturer, I prefer to buy and resell than to design and develop
anything:

1. Do you know a way or a product that can send a message to my e-mail
address with information of the system where my pen drive is being used
without my permission?

2. Do you know PC software that can be used only when a Pen Drive is
installed?

and the most important 3. Do you have a pen drive manufacturers contact
list that would like to provide added value and customer oriented
design?

and 4. Do you know any one of them that would appreciate translation,
technical support, marketing and sales in Spanish?

Seriously, I am looking for special pen drives, as well as very cheap
ones in order to sell as many as I can over here to judges, lawyers,
diplomats, managers and other customers that I have already, because I
am also a commercial agent as you can read at
http://www.cita.es/commercial/agent

miguel, here and now just www.cita.es/commercial/agent

Miguel A. Gallardo en http://www.cita.es

Peter Fairbrother wrote:

> Of the stego encryptors, TrueCrypt hidden volumes on Windows systems fail
> against a thorough forensic analysis. So do FreeOTFE hidden volumes, and I'm
> pretty sure all the rest do too. It's not a failing in the crypto, it's an
> environmental failing - Windows is just not reliably secureable that way.

[...]

> However, if you use a USB drive for encrypted files created using FreeOTFE
> or TrueCrypt from a BartPE CD boot environment, with a seperate key for each
> file, you have a chance - leaves no on-disk traces

the older verwsion, TrueCrypt 4.0 was shown here in sci.crypt to have
the hidden volume detectable

this was 'corrected' by the TrueCrypt people in the later editions

the current version of TrueCrypt is 4.2

is there a reference describing an analysis that detects the presence
of a hidden volume for version 4.1 or later?
(assume the BartPE CD boot)

and is there a minimum hidden file/carrier ratio needed for detection?

(i.e. most *critical* information, special secret keypairs and
keyrings, etc.
can easily be contained in 5 mb of space,
so,
for a 5gb TrueCrypt volume, would a 5mb hidden volume (0.1%) be
detectable?)


TIA,

vedaal

vedaal