Re: Judge orders defendant to decrypt PGP-protected laptop - CNET News

[Aarón Mizrachi <unmanarc () gmail com>]

On Martes 24 Marzo 2009 17:15:07 Craig S. Wright escribió:
> In response to:
> " You are taking asumption that this "random data" are evidence."
>
> Actually, this is not the case. Random data is not the natural state of
> data on a hard drive. 
Zeroed is.

> Next, an overwrite can be determined to a point in
> time if you continue to use the drive. Entropy calculations on random data
> can often distinguish random data from encryption as the /dev/urandom
> process has a lower entropy then is found on good encryption.
>
> The standard error from a two sample comparison of the bitwise entropy
> values will commonly display statistically significant variances when
> comparing encryption and a pseudo random generator on most PCs as long as
> there is a sufficient amount of data. In the case of whole disk encryption,
> there is generally more than sufficient data.

How about random works in freebsd? and what is entropy accumulators? and what 
is yarrow, and what is the period of yarrow algorithm? 

I think that you should be talking about old-fashion 2^32 period algorithms 
(4GB, and really 16Gb taking 32-bit numbers)... or maybe 2^56 

And... do you know, that disk will be filled with information randomly that 
will be deleted inside the crypto, and wont be reflected outside and wont be 
replaced with urandom again? (Eventually you will have "all disk filled with 
encryption" with a very low amount of urandom generated bytes)

And when you fill the harddrive with your info, the urandom/random sprng 
generated chunks, each one, will be more cryptographically strongest that a 
big hard-drive without chunks.  The number of chunks depends on your filesystem 
choice.

If you need more strong and avoid entropy acummulation order proof on the 
hard-drive, you can use a very useful method:

Fill all your drive with 1, then fill with 0, then:

Separate your disk in blocks, make a bitmap, then feed the yarrow SPRNG with 
real random data (Proccesses, CPU cycles, CPU temperature, past info, your 
files, etc..), take a n-bit integer from yarrow sprng to determine what block 
will be filled, take a block from the sprng and put on the random location, 
mark this as used on the bitmap, and follow the same steps until the drive are 
filled. 

With this method you cannot see the difference of entropy on entire disk, mixed 
with AES-256 (Or serpent-256) crypto dispersed on that, you will have a 
nightmare.

The chunks/blocks will be sufficiently shortest not to make a high precision 
entropy calculations.

Since opensource bring you a chance, you can reimplement your yarrow sprng to 
use Serpent-256 (more strong if you need).

> This provides sufficient evidence for presentation in a court.
With sufficient error if the PRNG are really a SPRNG (Freebsd implements a 
strongest version of Yarrow-160, a Yarrow-256)

But this is rocket science for mortals, even if you prove this evidence, the 
"encrypted container" could be an encrypted swap that commonly have a random 
password initialized on every boot and not known by the user. This will look 
same as you describe evidence: Chunks of bad-random mixed with encrypted data 
started from an USB or SD drive.

Then, since there are feasible scenarios with this set up, your evidence could 
be sufficient for the presentation but never determinant.

> Next, bios markers and ATA data etc will be available. Overwriting a drive
> takes time and will miss the HPA on the drive. From this you can
> demonstrate that a drive was booted, mounted or otherwise used. If the
> drive was used, you have evidence that it was not simple random data.
Not really, as i mentioned above... I can use my drive in two legitm ways:

- Encrypted BIG swap that use random password every boot.
- cat /dev/urandom if i need to sell it.

And i can use a "live cd" or something like DSL (D. Small Linux), a pendrive 
booteable linux. 

Think that i can use DSL (D. Small Linux) from my SD Card, then, if i want, my 
HD will be used to be a big encrypted swap. Encrypted swap are commonly setted 
with different random password on every boot.

Can you request for random password on swap? Many systems have the option of 
encrypted swap with random password on every boot, like LUKS. There are 
legitim that i have an random-password initialized SWAP? or should be removed 
from LUKS... and from ubuntu, fedora, debian, etc?

Even if you prove the boot from external device, you could get this system of 
DSL or something booting on your SD, and are legitim systems.

> If you are talking SD and memory cards, there is always data. You cannot
> access the entire card when you mount it. There are sections of the chips
> that are isolated.
Thats a true. but sd card meant to be out of reach.

> Stego is distinguishable from random data. 
> Next, few systems use enough
> randomness to actually make the /dev/urandom process as random as you are
> asserting.
>
> I love it when people who have never studied law start trying to start how
> it should be...

Yes, im not a lawyer. A lawyer will suggest you say the true. This is a true. 
Studying many cases, the true are statistically proven to be the best choice. 
Or not mr Craig?

This method should not be used against laws. But there are too many situations 
_not judges_ on that will be very useful.

;-)

> Regards,
> ...
> Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
> Information Defense Pty Ltd


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------