Re: [LUG] Identifying encrypted files.

 

On Sat, Oct 24, 2015 at 09:53:17PM +0300, Simon Waters wrote:
> On the other hand the output of most random number generators doesn't look
> properly random.

Even the ones used in crypto? I know RNGs are a known weakness in many a
crypto system, but I'm not sure that "most RNGs" don't look properly
random. The problem with weak RNGs tends to be that the output is
predictable, not that it's not random (see: Dual_EC_DRBG).

And an effect of weak RNGs won't be visible until you start looking at
a lot of outputs. I didn't think that was relevant for Tom's question.

I've been in the situation where I had a lot of encrypted data streams
where I found a strong bias in the 18th byte. This made it pretty clear
RC4, which has a bias in the 2nd byte, was being used and that the first
sixteen bytes somehow contributed to the key. I never figured out how
though.
 
> Obfuscation is an interesting one, but there is a vast mathematical literature
> on spotting steganography. Where for example, you hide an encrypted message in
> the low bits of pixel colour values in JPEG image files. Again typically
> image file noise has patterns not found in the encrypted data, meaning
> cryptographers can do a statistical test on public images and fairly reliably
> say if someone is trying to sneak something through, even if they can't tell
> you which bits are image and which are message.

I think these tests are relatively easy to bypass, for instance by only
using certain pixels to hide data in and modifying the other pixels to
cancel out any bias.

BTW, last week I saw a talk where someone hid a browser exploit in an
image using the trick you describe and then also used a trick where the
image was valid HTML code at the same time - and this HTML read the
exploit code from itself (seen as an image) and then executed it. You
would have liked it.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
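
The byte-position bias described in the message above, as an added example that is not part of the original post: it builds constructed streams of 16 random bytes followed by RC4 ciphertext and scans every offset for an over-represented value. Assumptions: the 16-byte prefix is used directly as the RC4 key (the message says the real derivation was never worked out), every stream encrypts the same constructed plaintext `HDR1`, and all function names are illustrative.

```python
import random
from collections import Counter

def rc4_keystream(key, n):
    """Plain RC4: key scheduling (KSA), then n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def make_streams(count, plaintext=b"HDR1", seed=2015):
    """Constructed sample data: 16 random bytes followed by RC4 ciphertext.
    ASSUMPTION: the 16-byte prefix is used directly as the RC4 key."""
    rng = random.Random(seed)
    streams = []
    for _ in range(count):
        prefix = rng.getrandbits(128).to_bytes(16, "big")
        ks = rc4_keystream(prefix, len(plaintext))
        streams.append(prefix + bytes(p ^ k for p, k in zip(plaintext, ks)))
    return streams

def most_biased_position(streams):
    """Return (offset, byte value, z-score) of the most over-represented byte."""
    n = len(streams)
    expected = n / 256                      # count per value if uniform
    sd = (n * (1 / 256) * (255 / 256)) ** 0.5
    best = (0, 0, 0.0)
    for pos in range(min(len(s) for s in streams)):
        value, hits = Counter(s[pos] for s in streams).most_common(1)[0]
        z = (hits - expected) / sd
        if z > best[2]:
            best = (pos, value, z)
    return best

if __name__ == "__main__":
    pos, value, z = most_biased_position(make_streams(30000))
    print(f"offset {pos} (byte {pos + 1}): value 0x{value:02x}, z = {z:.1f}")
```

The second keystream byte is 0 about twice as often as chance, so the second ciphertext byte (the 18th byte of each stream) equals its plaintext byte about twice as often as any other value.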