Okay, hello. Thank you for coming. The talk of today is how to hack crypto, and especially how to hack export restrictions. The term crypto hacking is used a lot by Bruce Schneier, but I think if you think about hacking as a creative way to deal with techniques, I think our thing about crypto hacking is neither than the things that Schneier has defined about this. What I want to talk about is three main topics and one fun topic. The first is how to improve key lengths for export restricted software with only some operations, easy to implement. Then how to use signature cards and authentication cards to do encryption, to build up a nice encryption system. And one funny point is how to use non-decrypting Java cards for en- and decryption.

First thing is the discussion about key lengths. You all know the discussion about the key lengths of DES, 65 bit. And of course, when you know that it's really not a great deal to crack a bit cryptography in only some hours. And so there are some questions how to deal with weak cryptography, especially if you have hardware to work with. You know that there is in the Netscape protocol, for instance, there are possibilities to alter some bits and have strong cryptography 45. But if you have hardware stuff, it might be a bit more complicated. So the first trivial idea is to use triple encryption. That means you encrypt it, you take the encrypted ciphertext, encrypt it once more and once more, and you have provable longer key lengths, and of course about the factor of two. That means if you use triple DES with three different keys, three different keys and three independent keys, it means that you have a key length of about 112 bit. And so if you use three times a 40 bit cipher, you may have security about 80 bit. But this is of course pretty slow. And though there is another strategy called whitening, which is much faster and much more easy to implement, there I must show a slide. This is the whole trick. Oh, we have a flip chart.
Our analog techniques. So, no problem. It's better. You have a plaintext. You have an encryption with the key. And in most cases it will be DES. And you get the ciphertext. So you have here the key and here maybe 65 bit. So what can you do? You have here 64 bit. Or here 64 bit. You do the following. You take 64 bit more key material and do the following. You take the 64 bit, make a simple XOR. You can do more sophisticated stuff, but a simple XOR does it and has some nice features, as bit independent and so on. And you make an XOR here. This XOR before and after the encryption you can do maybe on the host system, if you communicate with a smart card or stuff like this. And so you have in the case of DES, and it's possible, I want to say it's not very clear in Bruce Schneier's book and even in the original paper by Kilian and Rogaway, that it's possible to use only one block, only one additional 64 bit key. But the security proofs are in the same strategy. So you can use one key and XOR before and after encryption.

And there is something easy to see: a straightforward brute-force attack must try every 64 bit here and every 65 bit here. Every combination of this, so a straightforward attack will need about 60, 120 bit. So a direct brute-force attack is not possible. There are some more sophisticated attacks. But the main point is something that was proved: that we have an effective key length of K, the key length of the cipher, e.g. 65 bit or 55 bit in the case of DES when we take a look at the complementary property, plus the block length, here 64 bit, minus one, minus the logarithm of M, and M is the amount of plaintext and ciphertext pairs we can get. For instance, if somebody can take two to 30 blocks of 64 bit, that are a gigabyte, with the same key, you have an effective key length, if you use DES, of 88 bit if you do this whitening.
If you use it with RC4 40 or you have an effective key length of 33 bit, and if you use the funny Skipjack algorithm, which is 80 bit, you have an effective key length of 103 bit. So once more, K is the key length. This is proved by Kilian and Rogaway. You find it for instance on www.counterpane.com, the crypto papers. If you go to the crypto papers, it's the company of Bruce Schneier, you can find this paper, and we are writing another paper I will publish maybe even on the next CCC congress about this. So take a look. K is the key length, N is the block size, one is a one, and M is the number of known plaintext and ciphertext pairs, or M is P1, C1, ..., PM, CM. So if you encrypt your whole 8 gigabyte partition with one key, you shouldn't do this, but if you do it you have no problem, because you have an effective key length and no problem against brute force of 88 bit, what seems to be sufficient for most questions. So it's a pretty cheap way, because you only need two additional XORs by a 64 bit value.

And I must say, it sounds so funny, only some practical guys are doing this stuff, for instance Peter Honeyman in Chicago, but most people use this growing triple DES, and it's not proved that the double DES construction is much more secure than the DESX construction under practical assumptions. So, and some further words: this whitening is not a voodoo by Akle looking young hacker. It's an idea by Merkle and Rivest, and it's used in some products of RSA since years under the name DESX, and a security proof has been given by Kilian and Rogaway. Many candidates for the AES, for the DES successor, use whitening too, and we are working on some proof that even sophisticated attacks like related-key cryptanalysis are not possible if you make a more sophisticated DESX construction, and maybe I will present this paper on the next three conference.
Okay, you say one main goal of the first part is: look into your supplier, look for whitening and read this, and this is provably more security than other constructions, and use it if you have to deal with the export with the hardware, and if you have software it's pretty more easy for most constructions.

The second area is how to do funny things with authentication and signature cards, and this is a mathematical construction called and it's the following idea. Maybe you know that other ciphers have a construction called and it looks like, oh, it's not so nice painted, but if you take a look at a cryptography book you will find that it is a so-called Feistel construction: it takes a plaintext in two halves, does something with the one half, adds it to the other half, and does it once more in different directions. And this is called a Feistel, and with only a few rounds it is called a Luby-Rackoff, and there are a lot of security proofs, and the proofs are in the following way: that somebody can make a close relation between this construction, the security of this construction, and the security of these functions, the so-called round functions f1 till f3.
If our round function is pseudorandom, for instance, or is secure in a special, then the whole construction is okay. So we can use here well-tested round functions and have a construction to encrypt this stuff. So what's the main idea? The main idea is that you don't need a mapping if you have, you don't need here a cryptographic mapping. You can build these functions with a hash function, for instance. Hash functions are very fast and not export restricted, and we can use a keyed function, for instance a MAC function like HMAC. We can easily prove some security margins. We have done this in a paper about a multi key encryption with non encryption smart card I've put well on the web, and it's a funny thing because you can use standard DSI cards, for instance, to do that construction.

So coming to the more funnier stuff. One of the funny stuff I ever read is the following: the new Java cards, which is pretty cool stuff compared with smart card for Windows, makes the following: it makes a split between the cryptographic framework and the cryptographic algorithms. We know this, but the funniest thing is that they say, okay, we want to give the opportunity to use our smart card for authentication, for calculating MACs, but not for doing encryption and decryption. And so we are very clever: we put only an encryption stuff into our non-export restricted stuff, and the decryption stuff is export restricted. And if somebody has here only one lesson of cryptography, you know that there are a lot of modes which only use encryption. For instance, if you take a look at the cipher feedback mode, used for instance in the PGP and OpenPGP stuff, they do the following: they encrypt the initial vector and XOR this stuff with the plaintext. And it's not very difficult to say that there's a decryption not needed, because if you have ciphertext you do the same: you take the initial vector, put it in the cipher, encrypt it, and go in this direction and get the plaintext. So it's maybe the most funny export restriction I've ever seen in this area.

So to the last point, some funny stuff. It's mainly two links. One link is: take a look at the page of Bruce Schneier. There is a really nice cipher by building a stream cipher with Solitaire cards, and it's pretty interesting, because if you take a closer look on this stuff you see that it's almost an RC4 cipher which is used in this construction. It's called Solitaire stuff. Question? and we asked you if it would break the security view of the page so you can not only encrypt some to protect from any white space. And no, of course it's not restricted to a single card game. You can do this stuff of course using some cigarette paper and write numbers on it, but it's pretty interesting stuff, and it's quite difficult to restrict the export of playing cards and card games from the US. And the second one is that there are a lot of ciphers you can mention on a tattoo or body painting, and I want to say you should take a look at the page of Adam Back, where it's even a tattoo as a Perl. So what I want to say is that there are some algorithms, they are easy to remember and easy to keep in mind, and so it's even more ridiculous to have export restriction in this area. Okay, thank you. Question? Okay, any questions? Okay, thank you very much. Let's go into the sunshine.
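Added example, not part of the talk or of the speaker's paper: a sketch of the two constructions described above, a Feistel network whose round functions f1 to f3 are HMAC calls, run in cipher feedback mode so that decryption also uses only the forward direction. The 16-byte block size, the key derivation and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac

HALF = 8  # bytes per Feistel half, so a 16-byte block (size assumed for this sketch)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def round_keys(master: bytes, rounds: int = 3) -> list:
    # One independent key per round function f1..f3, derived from a master key.
    return [hmac.new(master, b"round" + bytes([i]), hashlib.sha256).digest()
            for i in range(rounds)]

def f(key: bytes, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to one half block.
    return hmac.new(key, half, hashlib.sha256).digest()[:HALF]

def feistel_encrypt(keys: list, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for k in keys:                      # (L, R) -> (R, L xor f(R))
        left, right = right, xor(left, f(k, right))
    return left + right

def feistel_decrypt(keys: list, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for k in reversed(keys):            # undo one round at a time
        left, right = xor(right, f(k, left)), left
    return left + right

def cfb(keys: list, iv: bytes, data: bytes, decrypting: bool) -> bytes:
    # Cipher feedback: both directions call feistel_encrypt only.
    out, feedback = bytearray(), iv
    for i in range(0, len(data), 2 * HALF):
        chunk = data[i:i + 2 * HALF]
        result = xor(chunk, feistel_encrypt(keys, feedback))
        out += result
        feedback = chunk if decrypting else result  # always the ciphertext block
    return bytes(out)

if __name__ == "__main__":
    keys = round_keys(b"constructed demo key")
    iv = bytes(16)                      # constructed; a real IV must be unique
    ct = cfb(keys, iv, b"attack at dawn, bring the flip chart", False)
    print(ct.hex(), cfb(keys, iv, ct, True))
```

`feistel_decrypt` is included only to show that the network is invertible; `cfb` never calls it, which is why withholding the decryption routine does not prevent decryption in this mode.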