Newsgroups: sci.crypt
Path: msuinfo!caen!zaphod.mps.ohio-state.edu!qt.cs.utexas.edu!yale.edu!yale!mintaka.lcs.mit.edu!bloom-picayune.mit.edu!news.mit.edu!jis
From: jis@MIT.EDU (Jeffrey I. Schiller)
Subject: PCSECURE Padding and Dolphin's key recovery (was Re: Reply to criticism.)
In-Reply-To: naga@wet.UUCP's message of 31 Jan 92 08:38:06 GMT
Message-ID: <JIS.92Feb1175520@big-screw.MIT.EDU>
Sender: news@athena.mit.edu (News system)
Nntp-Posting-Host: big-screw.mit.edu
Organization: Massachusetts Institute of Technology
References: <3272@wet.UUCP>
Distribution: usa
Date: Sat, 1 Feb 1992 22:55:20 GMT
Lines: 42

In article <3272@wet.UUCP> naga@wet.UUCP (Peter Davidson) writes:

   So the difference in file size before and after encryption of MC1 with
   PCSECURE is 74 bytes, considerably more than the 0 to 7 extra bytes which
   would result from padding to 8 bytes.

I have played with the Macintosh Equivalent of PCSECURE. Indeed it uses
ECB mode and displays the character frequencies you would expect. I have
also looked at the additional 74 bytes that it tacks on a file. I don't
know what all of them are, but 8 of them are an encryption of the key
used to encrypt the file in the installation's "master key." When you
install the Macintosh Secure program (and I suspect when you install
PCSECURE) it prompts you for a "master key." This key may then be used
to decrypt any file that was encrypted on that system.

This appears to be implemented by encrypting the file's key in the master
key and inserting the result in the encrypted file header. There is an
"Expert mode" that disables this feature. Indeed if I encrypt the same
file with the same key, both in Expert Mode and not, the difference between
the encrypted files is that the Expert Mode version contains 8 bytes of
zeros in the header where the non Expert Mode version contains data. I
suspect that this is the location of the key encrypted in the master key.

The documentation quite correctly points out that files encrypted in
Expert Mode are more "secure" than those not encrypted in expert mode
(though they don't say why, but it is obvious that the master key is
stashed somewhere on the system, and a clever cracker can probably
find it).  It also cautions that the master key cannot be used to
decrypt files encrypted elsewhere (because the master key is
different).

Indeed in the "real" world it is wise to provide a mechanism to recover
lost keys. The trick is to do so in a way that is documented to the
consumers of the product complete with its implications. There is a subtle
difference between a useful key recovery mechanism and an evil trap/back
door. That difference hinges around whether or not the users of the
product are informed of its existence, the mechanism by which it is
implemented and who can use it.

Peter, how does Dolphin implement its key recovery? I am curious.

			-Jeff
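
Added example, not part of the original post and not code from PCSECURE or its vendor: the comparison described above (same file, same key, Expert Mode versus not) done as a header diff that reports spans which hold data in one output and only zeros in the other. The 74-byte header layout, the field offset, the sample bytes and all function names are constructed for illustration.

```python
# Added example: locate a header field that is zeroed in one encryption mode.
HEADER_LEN = 74   # extra bytes reported in the thread; the layout below is made up
FIELD_OFF = 16    # hypothetical offset of the 8-byte field

def build_sample(field: bytes) -> bytes:
    """Constructed file: 74-byte header with `field` at FIELD_OFF, then a body."""
    header = bytearray(b"\x5a" * HEADER_LEN)
    header[FIELD_OFF:FIELD_OFF + len(field)] = field
    return bytes(header) + bytes(range(64))   # same body in both modes

def differing_runs(a: bytes, b: bytes, limit: int):
    """(offset, length) of each contiguous run of differing bytes below `limit`."""
    runs, start = [], None
    n = min(len(a), len(b), limit)
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    return runs

def zeroed_fields(normal: bytes, expert: bytes, limit: int = HEADER_LEN, max_gap: int = 1):
    """Header spans holding data in `normal` but only zero bytes in `expert`."""
    merged = []
    for off, ln in differing_runs(normal, expert, limit):
        if merged:
            p_off, p_ln = merged[-1]
            gap = expert[p_off + p_ln:off]
            # A data byte that happens to be 0x00 matches the zeroed file and
            # splits the run; rejoin runs separated only by such bytes.
            if len(gap) <= max_gap and not any(gap):
                merged[-1] = (p_off, off + ln - p_off)
                continue
        merged.append((off, ln))
    return [(o, l) for o, l in merged if not any(expert[o:o + l])]

# Constructed stand-in for a wrapped key; its third byte is 0x00 on purpose.
NORMAL = build_sample(bytes.fromhex("3fa100c9d27e5b84"))
EXPERT = build_sample(bytes(8))

if __name__ == "__main__":
    for off, ln in zeroed_fields(NORMAL, EXPERT):
        print(f"offset {off}: {ln} bytes zeroed in Expert Mode file")
```

An 8-byte span found this way is only a candidate for the escrowed key field; the diff shows where the two outputs differ, not what the bytes mean.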
