Vulnerability Development mailing list archives

Re: Why not a changeling?


From: Michael.Wojcik () MERANT COM (Michael Wojcik)
Date: Mon, 22 May 2000 12:31:28 -0700


-----Original Message-----
From: sigipp () WELLA COM BR [mailto:sigipp () WELLA COM BR]
Sent: Monday, May 22, 2000 6:58 AM

The only thing I can imagine is, using a standard scrambler (like md5),

MD5 isn't a "scrambler".  It's a cryptographic hash function.  You can use
it to build a "scrambler", but it wouldn't be the core of such an engine.

which is installed at the user and is not part of the virus.

Like password-protected ZIP files.

A real amazing idea would be, create a scrambled virus, which, when
descrambled with one key, result in one virus, and when descrambled with
another key, should result in another virus. Well, but that's utopia.

Not particularly difficult.  A simple scheme might employ something like
Rivest's threshing scheme, stripped down and extended to multiple messages,
where each "message" is a virus or similar payload.  Then:

        for each payload V
           for each partition P in V
              prepend an index number N to P producing N+P
              sign N+P to produce N+P+S(N+P)
              encrypt N+P+S(N+P) with key K(V)
        mix the partitions from all payloads
        send the result

All keys K(V) are distinct.  The index numbers N are assigned to partitions
P of payload V such that ordering the partitions by N, stripping all N and
S, and concatenating the result produces V.  (N can be used to sort the P's
back into V.)

The recipient chooses a key K from all K(V) and decrypts all the partitions
in the result, discarding any which fail the signature verification.
Only those from a particular V will remain.  Sort by N, strip off all the
N's and S's, and you have V again.

Pick a different K and you get a different V.

There are more sophisticated schemes used in deniability protocols.  The
crypto community's been discussing them for years.

The main drawback is bloat, but most users don't notice bloat these days,
and compression can help.

You can skip the partitioning and mixing steps if you like, and just put one
encrypted-and-signed payload after another.  The concept's the same: for a
given member of the set of valid keys, you'll get one decryption that
verifies and a bunch that don't, which you discard.  The partitioning and
mixing is just for additional confusion.

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University
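
The packing and winnowing steps described in the message above, as an added example that is not part of the original post, run over harmless constructed text messages. It shows what an analyst holding one recovered key can and cannot extract from such a container. Assumptions: "sign" is realised as HMAC-SHA256, the cipher is a toy SHA-256 counter-mode keystream, and the names `pack` and `winnow` are hypothetical.

```python
import hashlib, hmac, secrets

TAG = 32  # HMAC-SHA256 output length in bytes

def _keystream(key, nonce, n):
    # Toy stream cipher (assumption, for illustration only): SHA-256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key):
    # Derive separate encryption and MAC keys from K(V).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def pack(messages, size=8):
    """messages maps K(V) -> V. Returns the mixed list of encrypted records."""
    records = []
    for key, msg in messages.items():
        ek, mk = _subkeys(key)
        for n, i in enumerate(range(0, len(msg), size)):
            body = n.to_bytes(2, "big") + msg[i:i + size]        # N+P
            body += hmac.new(mk, body, hashlib.sha256).digest()  # N+P+S(N+P)
            nonce = secrets.token_bytes(8)
            records.append(nonce + _xor(body, _keystream(ek, nonce, len(body))))
    secrets.SystemRandom().shuffle(records)  # mix partitions from all messages
    return records

def winnow(records, key):
    """Decrypt every record with one key; keep only those whose tag verifies."""
    ek, mk = _subkeys(key)
    kept = []
    for rec in records:
        nonce, ct = rec[:8], rec[8:]
        body = _xor(ct, _keystream(ek, nonce, len(ct)))
        data, tag = body[:-TAG], body[-TAG:]
        if hmac.compare_digest(tag, hmac.new(mk, data, hashlib.sha256).digest()):
            kept.append((int.from_bytes(data[:2], "big"), data[2:]))
    return b"".join(p for _, p in sorted(kept))  # order by N, strip N and S

if __name__ == "__main__":
    k1, k2 = secrets.token_bytes(16), secrets.token_bytes(16)
    mixed = pack({k1: b"constructed message one", k2: b"constructed message two"})
    print(winnow(mixed, k1), winnow(mixed, k2), winnow(mixed, b"wrong key"))
```

A key that matches none of the K(V) yields an empty result, and the count of records that fail verification under a known key indicates how much of the container belongs to other messages.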

