LinuxQuestions.org
Old 02-04-2004, 09:43 AM   #1
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
What's the point in XOR encryption?


I've been fiddling around with XOR encryption, basically because it's the only
form of encryption available to all Unix-like systems by default.

But what's the point in XOR encryption in computers anyway?
losetup (a loopback driver for file systems) has XOR encryption built into it.

BUT...

have a look at the following possible encryption.

Password = 01101001
Data = 00000000
Encrypted Data = 01101001

which makes it insanely easy to break this encryption.

I encrypted a floppy as follows.

cat /dev/urandom > /dev/fd0    # write random data directly to disk (no file system)
losetup -e xor /dev/loop1 /dev/fd0    # assign encrypted loop to floppy disk
[password]
mkfs.vfat /dev/loop1    # write a Fat32 file system to the encryption loop
losetup -d /dev/loop1

Tadaaa, the disk is now encrypted. You could mount it and use it as a floppy by recreating the loop and mounting the loop on the file tree somewhere.

HOWEVER, anywhere there is a group of encrypted zeros on the disk (executable files are FULL of zeros, and so is the FAT) you will see the password.

In other words, encrypting the data 00000000 with password Bumfluf gives encrypted data = Bumfluf !!!

Use a program like cat to directly read raw data off the disk:

cat /dev/fd0 | less

and BOOM... everywhere you look, the screen is filled with the password written over and over and over. You can't miss it!

I know they consider XOR to be weak encryption... but this is just stupid!!

Luckily I'm using aes256 on my home directory.

Last edited by qwijibow; 02-04-2004 at 09:45 AM.
 
Old 02-04-2004, 09:53 AM   #2
snacky
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 286

Rep: Reputation: 30
Just in case this isn't a troll:

Google "one-time pads." Grok in fullness.

Last edited by snacky; 02-04-2004 at 09:54 AM.
 
Old 02-04-2004, 10:51 AM   #3
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
It's not a troll...
I asked a question. What makes you think I'm trolling?
And I think it's a very good question.

What's the point?
If anything, all this does is slow down your system, and make less experienced people think their documents are safe, when in fact any idiot could get them in a matter of seconds.

What's the point in adding utilities that allow you to encrypt a disk, but at the same
time, paste the decryption code all over the disk for any idiot to see?

Someone must have programmed this feature. Why?
And someone must have made the decision to include it in Linux distributions?

Why did they bother?
This adds no security, just slows down the system slightly.

And I searched Google for one-time pads....

Yes, I know there are other types of encryption out there.

But I'm talking about XOR encryption.

Follow the steps I posted if you don't believe me,
but XOR encryption is very easily breakable.
 
Old 02-04-2004, 10:57 AM   #4
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
Ahhhh.. upon reading further into your one-time pads I discover a major flaw.

The encryption key must be equal in length to the data it is encrypting.
So... to encrypt my 6 gig hard disk, I could only have 3 gigs of data and a 3 gig key....

Hmm.

Also, I think you will find that the password limit on XOR encryption is 32 characters.

My question still stands
?
 
Old 02-04-2004, 11:08 AM   #5
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by qwijibow
why did they bother ?
this adds no security, just slows down the system slightly.
XOR encryption is designed to add a quick encryption layer to protect data from a casual observer. As far as the key and data being equal in length, if you have 6GB of data, you could use a 256bit key and encrypt all of the data by encrypting sequential 256bit blocks one at a time until you reach the end.

Last edited by stickman; 02-04-2004 at 11:10 AM.
 
Old 02-04-2004, 11:11 AM   #6
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
Quote:
256bit key and encrypt all of the data by encrypting it 256bit at a time until you reach the end.
Yeah, but that would be breakable.

Okay, so it's protection against people who don't know how to use computers.
If something's worth encrypting, it's worth encrypting properly. I'll stick with my aes256.
 
Old 02-04-2004, 11:16 AM   #7
snacky
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 286

Rep: Reputation: 30
I've probably just spent way too much time reading slashdot, but when I read your post, it struck me as something a person might write to screw with other people's heads.

A one-time pad is the only proven 100% secure form of encryption in existence.

However, it has two very important limitations. One is, like you found out, the key has to be as long as the plaintext. Two - and this is actually the same thing if you think about it - the pad can't be used more than once.

An encrypted file system approach is meant to be used with a symmetric key cipher like AES, 3DES, Twofish, etc. There are practical uses for one-time pads but encrypting an entire hard disk isn't one of them for most people...
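
The leak described in the first post, set beside the one-time pad explained above, as an added example that is not part of the thread: it XORs a constructed, mostly-zero disk image once with the short password repeated and once with a random pad as long as the data, then checks each ciphertext for a short repeating period. The image contents, the function names and the 0.5 threshold are assumptions made for the illustration.

```python
import os

KEY = b"Bumfluf"  # example password quoted in the first post

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a short key repeated end to end, as described in the thread."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_pad(data: bytes, pad: bytes) -> bytes:
    """One-time pad: keystream exactly as long as the data, used once."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(a ^ b for a, b in zip(data, pad))

def build_image() -> bytes:
    """Constructed stand-in for a freshly formatted disk: mostly zero bytes."""
    return b"\xeb\x3c\x90CONSTRUCT" + bytes(500) + b"hello.txt" + bytes(1024)

def repeating_period(ct: bytes, max_period: int = 64, threshold: float = 0.5):
    """Smallest shift at which most bytes equal the byte `shift` later, else None.

    A high coincidence rate at a short shift means a short keystream is being
    reused over low-entropy plaintext, which is the leak the thread describes.
    """
    for shift in range(1, max_period + 1):
        pairs = len(ct) - shift
        same = sum(ct[i] == ct[i + shift] for i in range(pairs))
        if same / pairs > threshold:
            return shift
    return None

def audit(image: bytes) -> dict:
    """Encrypt the same image both ways and report what each ciphertext shows."""
    weak = xor_repeating(image, KEY)
    pad = os.urandom(len(image))  # fresh random pad, never reused
    strong = xor_pad(image, pad)
    return {
        "weak_period": repeating_period(weak),
        "weak_key_visible": KEY in weak,
        "pad_period": repeating_period(strong),
        "pad_key_visible": KEY in strong,
        "roundtrip_ok": xor_repeating(weak, KEY) == image
        and xor_pad(strong, pad) == image,
    }

if __name__ == "__main__":
    for name, value in audit(build_image()).items():
        print(f"{name}: {value}")
```

The period check needs no knowledge of the password, so it can be run over any image to confirm it is not relying on a short repeated XOR key.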
 
Old 02-04-2004, 11:25 AM   #8
wapcaplet
Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
Quote:
Originally posted by snacky
A one-time pad is the only proven 100% secure form of encryption in existence.
Only if it is 100% guaranteed to be truly random, and there is precisely 0% chance of your key being stolen. I guess true randomness is possible, but there is always the question of how to get the key to the parties that need to decrypt, so it's always a possibility that the key will be stolen. Nothing is 100% secure

Last edited by wapcaplet; 02-04-2004 at 11:27 AM.
 
Old 02-04-2004, 11:33 AM   #9
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by qwijibow
yeah but that would be breakable.
Yes, XOR is pretty weak, but that doesn't mean that it's worthless either. As snacky pointed out, it's good for one time pads. By the time someone does the decryption, it's no longer valid.
 
Old 02-04-2004, 11:33 AM   #10
snacky
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 286

Rep: Reputation: 30
Quote:
Only if it is 100% guaranteed to be truly random, and there is precisely 0% chance of your key being stolen.
ALL cryptosystems require these assumptions to hold true in order to have any kind of security, though. The difference is that it hasn't been absolutely proven that any of the secret-key algorithms don't have some kind of funny trick that can sometimes or often reduce key strength to something way below 2^n (where n is keylength). We also know for a fact that factoring primes is sub-exponential and it hasn't been proven that there isn't some blazingly fast way to do it. (this means RSA just might become worthless some day.)

There are no such doubts about one-time pads. They're different from everything else this way.
 
Old 02-04-2004, 11:51 AM   #11
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
But I'm talking about the XOR capabilities of Linux to use disk encryption.
You can break the encryption in under a minute, even with the maximum allowed password of 32 characters.

Not one-time pads.

Read man losetup
 
Old 02-04-2004, 12:48 PM   #12
wapcaplet
Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
Quote:
Originally posted by snacky
ALL cryptosystems require these assumptions to hold true in order to have any kind of security, though. The difference is that it hasn't been absolutely proven that any of the secret-key algorithms don't have some kind of funny trick that can sometimes or often reduce key strength to something way below 2^n (where n is keylength). We also know for a fact that factoring primes is sub-exponential and it hasn't been proven that there isn't some blazingly fast way to do it. (this means RSA just might become worthless some day.)

There are no such doubts about one-time pads. They're different from everything else this way.
Good point. And yeah, most of our crypto algorithms now depend on difficulty and computational feasibility of one kind or another; they've built quantum computers with 7 qubits, so RSA is safe for now, but if some kind of breakthrough occurs in that field, we may have to take a different approach.
 
Old 02-04-2004, 04:33 PM   #13
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
7 qubits puts the most powerful quantum computer as powerful as your average pocket calculator, so there's no threat from quantum processors just yet.
 
Old 02-04-2004, 05:24 PM   #14
wapcaplet
Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
Quote:
Originally posted by qwijibow
7 qubits puts the most powerful quantum computer as powerful as your average pocket calculator, so there's no threat from quantum processors just yet.
Well, it's a hard comparison to make though. A 7-qubit quantum computer can effectively do 2^7 calculations with a single operation; a non-quantum computer has to do all 2^7 calculations individually. It's a whole different kind of computing.
 
Old 02-05-2004, 07:01 AM   #15
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
True....
But how many simultaneous calculations per second does it do?

It's no good doing 100,000 operations simultaneously if it only does one set of simultaneous operations a second.

Also, there will be times when so many operations cannot be done until the result of another is calculated, so on some loops, not all possible calculations will be useful.

Anyway....

For the moment, I wouldn't worry too much about them.
 
  

