OpenBSD Journal

S/W RELEASE: Caesarion v3

Contributed by jose on from the privacy dept.

Robin Carey writes:
" http://www.rcarey.org/cion.html

29th September 2002

Caesarion Version 3 released. NOTE: Caesarion Version 3 deprecates all previous versions. Furthermore, v3 is not inter-operable with any previous version. If you are using a previous version of Caesarion, you are advised to upgrade immediately and regenerate/redistribute keys due to the improvements listed below: ..."

"
  • A further disclaimer was added to the new copyright license.
  • Fixed two incorrect assertions in RSA_KeyGen.cxx.
  • Use OpenSSL MD5_DIGEST_LENGTH instead of own md5digestLen.
  • Don't confirm password entry in cion_encrypt(1) and cion_decrypt(1) making the software easier/faster to use.
  • Various public methods in various classes were moved to protected or private access (where they should have been in the first place).
  • New Entropy.h class which returns raw random data instead of pumping it through a PRNG; this makes more sense, is faster, and should be more secure.
  • The Entropy generation technique has had a massive performance increase without degrading its security or output quality. The software is much faster now because of this.
  • Performance increase in new Entropy.h class by having a class-wide Random object (instead of instantiation on every call to Entropy::Stir()).
  • A possible security flaw was discovered in the RSA implementation; in general use of this software it is likely that small (~400 bytes) amounts of data are encrypted (per chunk), which in turn means that the 4 bytes used for specifying the data-size will have 2 bytes equal to zero. This means that an adversary can guess 2 bytes of the original plaintext message. Whether or not this could be extended to a successful attack is beyond my cryptography skills/knowledge. Hence, the most sensible thing to do was to correct this possible problem. Due to the new changes necessary to correct this possible problem, the software is now faster than it was before.
  • Remove ULong.h from distribution (no longer required).
  • Performance increase in Entropy::Ulong().
  • Various cleanups.
Previously we talked about Caesarion Version 2; this looks like a substantial improvement.



Comments
  1. By RC () on

    My question... Why is Caesarion getting attention on Deadly? It's quite feature-bare, and not at all popular, so why a story for every release?

    Comments
    1. By jolan () on

      I agree with you. It's the equivalent of announcing a new version of Squid every time a release is made.

      Seeing as GPG is the closest thing to a standard for encrypting mail/text, this is just not a very useful utility for me.

      And the fact that the author keeps announcing his software, and hasn't made an attempt to port it is just rude.

      Comments
      1. By SKULL () on

        This seems like a fair story.

        That it's not popular is a catch 22. If it's never mentioned, then how is it to *become* popular?

        Also, the lack of a port isn't by itself a compelling reason to call the author rude imo. A port makes it easier to install, etc, but sooner or later we have to wander outside of the confines of cd /usr/ports && sudo make install and type cd package && ./configure && make && sudo make install as well. Esp, if 0p3nB5d is one of the main development platforms, which the fat link on the main page would imply.

        So sit back and relax. If you think this deserves a port, I am sure they could use some volunteers.

        Love and XXX,
        Skull

        Comments
        1. By Jeffrey () on

          IIRC, this software has been mentioned on ports@ recently (a month ago?). I don't recall the context though...

          Comments
          1. By couderc () on

            This is simple, announcement for each release was posted on ports@ and I found it annoying.
            So I asked to post it on a more appropriate place, but it seems that I was wrong, ports@ seems to be also a place for software announcements ...

        2. By RC () on

          > If it's never mentioned, then how is it to *become* popular?

          Okay, let's rephrase then... Why is Caesarion so noteworthy that one would want to make it popular? What can it do that GPG can't... Or that OpenSSL can't, or that S/Mime can't?

          I'm not trying to discourage people from using it, or anything like that... I'm curious as to why it's getting so much mention.

          Comments
          1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

            Dear RCon and readers of OpenBSD Journal,

            First of all I'd like to thank the OpenBSD Journal admin for posting my story.

            As to your question of "What can it do that GPG can't"; there are several reasons why Caesarion is more secure than GPG or PGPI, and they are listed at:

            http://www.rcarey.org/pgpi.html

            Cheers,
            Robin Carey.

            Comments
            1. By Justin () on

              I have some questions; these numbers are related to the list on your site.
              2. What algorithm?
              4. How much stronger?
              5. How is entropy attained that it is better? If I understand correctly (someone correct me if I am wrong) entropy is attained from various things like periodic network latency, mouse movements, electrical and/or rf noise etc.

              I am just trying to learn about cryptography so it is possible I just don't understand. I am asking purely for my own curiosity.

              Comments
              1. By Tycho Fruru () tycho@fruru.com on http://www.fruru.com

                Au contraire, you are asking quite reasonable questions which I'd like to see clarified as well !

                Cheers
                Tycho

              2. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                Dear Justinon,

                In response to your questions:

                (2) The algorithm used to prevent an adversary gathering knowledge of the lower-bound of any public-key is an algorithm that I invented myself. It is safe/secure :) Rather than me going into the technical details (even though it is a simple algorithm), just look at the source. The files that contain the algorithm are RSA_Encrypt.cxx and RSA_Decrypt.cxx.

                (4) Much, much stronger. One example of what I'm talking about is that PGPI and Gnu-PG use block-ciphers to encrypt the message data. This means that a plaintext will be encrypted to the same ciphertext every time it is encrypted. Caesarion is a probabilistic system, which means that a plaintext will be encrypted to different ciphertexts every time it is encrypted.

                (5) The reason that my entropy generation is better, is simply because I use two entropy sources. Thus, if there is a problem with one of the entropy sources, the other source makes up for it.
                The two entropy sources used in Caesarion are:

                (1) /dev/urandom (this can be changed in the Makefile)

                (2) A technique I devised. I can't really go into technical details about it - if you're interested look at the source code; Entropy.h

                BTW Do any of you know that real TRNGs (True Random Number Generators) can be biased? I read about this in a newspaper - very interesting. But, the entropy generation method I devised in Caesarion, unlike TRNGs, cannot become biased by "natural" phenomena.

                Cheers,
                Robin Carey.

                Comments
                1. By Anonymous Coward () on

                  Well, (4) is clearly wrong. That is not how it works. I'm very sceptical about the rest, too. "A technique I devised", "invented myself" etc. I have no idea who you are or why I should believe/trust this.

                  I'm sorry, but to me this response is simply a warning to be very careful in dealing with your product.

                  Comments
                  1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                    Why don't you explain to me why #4 is wrong ?

                    You can be as sceptical as you want;
                    At the end of the day it all boils down to facts, figures, 0's and 1's.

                    And by the way, Caesarion is not a product. It's a free gift to those who wish to use it.

                    Cheers,
                    Robin Carey.

                    Comments
                    1. By Anonymous Coward () on

                      Your description of how PGPI and GPG work is simply wrong. That they use block ciphers definitely does not imply that the ciphertext is the same every time. Have you even tried it? Do you actually know what you're talking about? Such obvious errors cast doubt on the rest of the statements as well.

                      And yes, it's about facts. So far yours are either wrong (this one), or vague (the rest of them).

                      Comments
                      1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                        The information that I used when I generated my "PGPI Comparison" document is straight off the PGPI web-site: http://www.pgpi.org

                        Block-ciphers are deterministic algorithms, which means by default a plaintext is always encrypted to the same ciphertext (under the same key).

                        I hate block-ciphers, they are complicated algorithms, and there's no way for me to know that they're secure, other than assuming an "expert" is right. And one only needs to refer to the recent AES security scare to see that there is no guarantee that a block-cipher is secure.

                        By the way, somebody once told me that there are programs that exist which can break block-ciphers if you have a plaintext which correlates to a ciphertext. That can't happen in Caesarion, since the plaintext is split up into random sized chunks and then salted, before encryption.

                        Yes I do know what I'm talking about.
                        I've never used PGPI or Gnu-PG, and I have no desire to use them or look at their source code.

                        What obvious errors are you talking about ?

                        Cheers,
                        Robin Carey.

                        Comments
                        1. By Anonymous Coward () on

                          Robin Carey quoted, "Block-ciphers are deterministic algorithms, which means by default a plaintext is always encrypted to the same ciphertext (under the same key)."

                          This is true, but PGP/GPG generates a new random session key every time it encrypts something. This is why everyone has been saying Robin's point 4 is wrong. (It would have been helpful if one of you had explained this earlier.)
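The point made in this reply, together with the two-zero-byte size field flagged in the v3 changelog above, as an added example in Go (not Caesarion's code and not any poster's): a fixed 4-byte length field always begins 00 00 for small chunks, raw unpadded RSA maps equal inputs to equal outputs, while a hybrid scheme with a fresh session key per message, as the reply describes for PGP/GPG, never repeats a ciphertext. AES-256-GCM and RSA-OAEP are this example's choices, not claims about either program.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// lengthPrefix builds the 4-byte big-endian size field the v3 announcement describes.
// For any chunk shorter than 65536 bytes its first two bytes are always 0x00 0x00.
func lengthPrefix(chunk []byte) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(chunk)))
	return hdr[:]
}

// textbookRSA is raw m^e mod n with no padding (contrast only, never use it): deterministic.
func textbookRSA(pub *rsa.PublicKey, m []byte) []byte {
	return new(big.Int).Exp(new(big.Int).SetBytes(m), big.NewInt(int64(pub.E)), pub.N).Bytes()
}

// hybridMessage has the shape the reply attributes to PGP/GPG: a per-message session
// key wrapped with the recipient's RSA key, plus the body under a symmetric cipher.
type hybridMessage struct {
	WrappedKey []byte // RSA-OAEP(sessionKey); OAEP padding is itself randomised
	Nonce      []byte // fresh for every message
	Body       []byte // AES-256-GCM(sessionKey, Nonce, plaintext) with its auth tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// hybridEncrypt draws a fresh random session key on every call, so the same plaintext
// encrypted twice yields unrelated ciphertexts although AES itself is deterministic.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*hybridMessage, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &hybridMessage{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// hybridDecrypt unwraps the session key, then authenticates and decrypts the body.
func hybridDecrypt(priv *rsa.PrivateKey, msg *hybridMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Body, nil)
}

func generateRecipientKey() *rsa.PrivateKey { // throwaway 2048-bit key for the demo
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	priv := generateRecipientKey()
	chunk := bytes.Repeat([]byte("A"), 100) // constructed sample chunk, far below 65536 bytes
	m := append(lengthPrefix(chunk), chunk...)
	h1, _ := hybridEncrypt(&priv.PublicKey, chunk)
	h2, _ := hybridEncrypt(&priv.PublicKey, chunk)
	fmt.Printf("size field %x, raw RSA repeats: %v, hybrid repeats: %v\n", m[:4],
		bytes.Equal(textbookRSA(&priv.PublicKey, m), textbookRSA(&priv.PublicKey, m)), bytes.Equal(h1.Body, h2.Body))
}
```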

                          Comments
                          1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                            I don't know if what you're saying is true or not, since I don't use PGP/GPG and am not interested in that software.

                            Even if what you're saying is true, pure RSA salted encryption is still much stronger.
                            This is because there are no security risks from block-ciphers/symmetric-ciphers, and because the key-size used for the RSA encryption is much larger than what would be used for a symmetric cipher.

                            Another plus point is this: PGP/GPG use RSA, and then they use some symmetric cipher like IDEA, Blowfish etc. Caesarion only uses RSA. So instead of using two algorithms, it only uses one; which is simpler and means there are fewer things to go wrong.

                            Cheers,
                            Robin Carey.

                            Comments
                            1. By Anonymous Coward () on

                              or it means that there's a single point of failure (weakness)... :)

                        2. By Anonymous Coward () on

                          > I hate block-ciphers, they are complicated algorithms, and there's no way for me to know that they're secure, other than assuming an "expert" is right.

                          Then you're not a good enough cryptographer for me to trust you to design an algorithm.

                          > Yes I do know what I'm talking about.

                          Clearly not.

                          Comments
                          1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                            Well ......

                            You certainly don't know what you're talking about, since you've already passed judgement on:

                            *** Who I am and what my capabilities are. ***

                            And since you're not in full possession of all the facts required to make such a judgement .....


                            Don't forget that Caesarion only uses algorithms recommended by the experts: RSA and ARC5.

                            Cheers,
                            Robin Carey.

                2. By Anonymous Coward () on

                  An author saying his algorithm is secure without pointing at respected researchers who at least took a look at it can safely be ignored.

                  (At least) point 4 is completely bogus.

                  Comments
                  1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                    I don't have to say that "my" algorithm is secure, since the experts have already said it for me.
                    Why don't you check my references at:

                    http://www.rcarey.org/security.html

                    What algorithm are you talking about anyway ?
                    If you're trying to say that the algorithm which prevents an adversary from gathering knowledge of the lower bound of any public-key (when using secret public-keys) is not secure, or that its security is somehow questionable:

                    (a) Sounds like you don't even know what the algorithm is.
                    (b) Go and read the literature and my source code before you start making accusations like that, since you clearly don't know what you're talking about.

                    Why don't you explain to me why point #4 is bogus ?

                    Cheers,
                    Robin Carey.

        3. By couderc () on

          If you think this deserves a port, I am sure they could use some volunteers.

          Well, when I see the feedback for requested ports I think that the next request has to be well followed by the requester ...

        4. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

          Dear Skull,

          Thanks for your pleasant comment with regard to Caesarion v3. Everyone else seems to have something unpleasant to say about it .... :)

          Well, if there were enough requests I'd be happy to make an OpenBSD port of Caesarion, however I must be frank and tell you that I've had a few clashes with certain OpenBSD developers in the past ....

          Cheers, and Love/XXX :)
          Robin Carey.

        5. By click46 () click46@operamail.com on www.genmay.net

          " That it's not popular is a catch 22. If it's never mentioned, then how is it to *become* popular? " by redesigning that horror of a site and actually putting some information about what the hell it is on it. It's not a good thing when one has to read the comments of a news article to figure out just wtf this thing does

          Comments
          1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

            Dear click46,

            Well I'm hurt that you think my web-site is a horror :)

            Emmm, the main web-page for Caesarion (http://www.rcarey.org/cion.html) seems to explain what the program does:

            Caesarion is a (64-bit clean) professional quality, open source, and completely free E-mail security tool for the FreeBSD, OpenBSD and Linux operating systems.
            It should also compile on NetBSD and other UNIX-like operating systems without difficulty.
            Caesarion is written in ANSI C++ and the source code is mostly ANSI/ISO/POSIX compliant.

            The software provides communications secrecy, user authentication and data-integrity verification.

            Caesarion is very simple to use and comes with complete documentation and examples showing how to use it.


            Cheers,
            Robin Carey.

            Comments
            1. By Anonymous Coward () on

              Caesarion is very simple to use and comes with complete documentation and examples showing how to use it.

              It would help to have the documentation online viewable and screenshots if applicable. I don't like having to download something just to find out what it does, and the one line description isn't too informative. "keep it simple" is a great motto, but not at the cost of being functional!

              thanks.

              Comments
              1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                You don't have to download Caesarion just to find out what it does - the main web-page (http://www.rcarey.org/cion.html) tells you :)
                Or is that somehow not clear enough ? :)

                Well, I've done all of this unpaid work on my own, and so far I'd say it's taken quite a few weeks of full-time work. Bear that in mind :)
                But yeh, it could be possible to put the docs online. I'd be willing to put more effort into things like that if there were more people interested in Caesarion.

                Cheers,
                Robin Carey.

      2. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

        Dear jolanon,

        I am sorry you find my post somewhat problematic.

        Again, I'd like to thank the OpenBSD Journal admin for posting my story, since I am trying to advertise and attract attention to my new software.

        Cheers,
        Robin Carey.

  2. By Tycho Fruru () tycho@fruru.com on http://www.fruru.com/

    First, I suggest you go and read http://www.interhack.net/people/cmcurtin/snake-oil-faq.html

    I find quite a number of unsubstantiated claims in the Caesarion webpages. Use DD when approaching a program boasting all said qualities and at the same time saying that PGPI is not to be used.
    If Caesarion is really this good (which is entirely possible), it doesn't need to bash other products/implementations.

    I'd like to hear Robert's opinion on the OpenPGP standard and GnuPG. If there are any gaping holes or weaknesses I'm sure that the community would want to hear about them.

    I also looked a bit at http://www.rcarey.org/security.html and - without talking about encryption strength or weakness - at least point 12 says to me that the program will be awfully slow - perhaps about 1000 times slower than a program using symmetric encryption for the main message. So messages containing eg. a filesystem image (yes I do this with GnuPG) are really out of the question.

    #ifndef HUMOR_IMPAIRED
    For french-speaking people (all others are of course also invited), see also http://membres.lycos.fr/autocoup/cdp.html which is in a separate category in itself :-)
    #endif

    And no, I do not want to have any replies mentioning CDP, thank you.

    Comments
    1. By Tycho Fruru () tycho@fruru.com on http://www.fruru.com/

      Extended Translation is completely borken ... so here is my message (hopefully more legible) :

      First, I suggest you go and read http://www.interhack.net/people/cmcurtin/snake-oil-faq.html

      I find quite a number of unsubstantiated claims in the Caesarion webpages. Use DD when approaching a program boasting all said qualities and at the same time saying that PGPI is not to be used.
      If Caesarion is really this good (which is entirely possible), it doesn't need to bash other products/implementations.

      I'd like to hear Robert's opinion on the OpenPGP standard and GnuPG. If there are any gaping holes or weaknesses I'm sure that the community would want to hear about them.

      I also looked a bit at http://www.rcarey.org/security.html and - without talking about encryption strength or weakness - at least point 12 says to me that the program will be awfully slow - perhaps about 1000 times slower than a program using symmetric encryption for the main message. So messages containing eg. a filesystem image (yes I do this with GnuPG) are really out of the question.

      #ifndef HUMOR_IMPAIRED
      For french-speaking people (all others are of course also invited), see also http://membres.lycos.fr/autocoup/cdp.html which is in a separate category in itself :-)
      #endif

      And no, I do not want to have any replies mentioning CDP, thank you.

    2. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

      Dear Tycho,

      I'm going to have to correct your false statement:

      "....and at the same time saying that PGPI is not to be used...."

      Nowhere on my web-site do I say that PGPI is not to be used.

      Neither am I trying to bash other products/implementations.

      Yes, Caesarion should be slower than PGPI or GnuPG. This is due to its higher security, and since high security was my primary goal when writing Caesarion, I decided it was a price worth paying.

      My new computer is a 1.5GHz Athlon with DDR memory, and I am astonished at how fast Caesarion runs.

      Cheers,
      Robin Carey.

  3. By Anonymous Coward () on

    I browsed Caesarion's web page for a while. I want to say something:

    Its author is a charlatan. The claims he makes are false.

    I doubt he knows that he is so, but truth's hard; he should not be blamed for it.

    Comments
    1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

      Would you care to offer some proof that the claims I am making are false ? What claims do you think are false ?

      To the best of my knowledge there are no bugs or security problems in v3 of Caesarion.

      Cheers,
      Robin Carey.

      Comments
      1. By Camiel Dobbelaar () cd@sentia.nl on mailto:cd@sentia.nl

        I sure hope Caesarion is a lot better than the 'Crypto Secure Random Numbers' algorithm you invented a couple of months ago...

        http://marc.theaimsgroup.com/?l=openbsd-bugs&m=101303123525502&w=2

        Comments
        1. By Anonymous Coward () on

          I'm not a crypto-expert myself, but I'd expect that people who write cryptographic software _are_ experts. This posting nicely illustrates that this is not the case with caesarion...

          Comments
          1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

            Well ...........

            I wouldn't be arrogant enough to say that I'm a crypto expert. But I'm not an amateur either.

            At the end of the day, it all boils down to facts, figures, 0's and 1's.

            So far nobody has demonstrated any weaknesses or security holes in Caesarion, and until somebody does all I can say is:

            To the best of my knowledge there are no bugs or security problems in Caesarion v3.

            Please, feel free to prove me wrong. If anybody finds a bug or a security problem, send me an E-mail at robin@wizardsworks.org ..........

            Cheers,
            Robin Carey.

            Comments
            1. By TF () on

              Just google for philippe lheureux and you'll find Robin's brother.

        2. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

          *laugh*

          Somebody remembers that then :)
          Caesarion uses a superior version of that algorithm. Since v3 I've made a non-critical but significant improvement to that code.

          I think Caesarion is pretty hot, myself.

          Cheers,
          Robin Carey.

          Comments
          1. By Better Cryptographer than You! () foo@bar.org on mailto:foo@bar.org

            Yup, you've managed to make the pattern a little prettier (but just as predictable) on an attractor graph. There's a lesson in this: Check the source code before using a "secure product":

            // Finish up with a further 8 bytes from a completely separate
            // entropy source:
            //
            static struct timeval Time;
            static struct timezone Zone;
            static struct rusage rusage;
            static ByteType byte1, byte2;
            static ByteType accum = 0;
            static size_t i;
            // (loop header restored: the page extraction dropped "< 8; i++) {",
            // reading "<" as an HTML tag; the quoted excerpt does not show where rnd_i is advanced)
            for (i = 0; i < 8; i++) {
                gettimeofday (&Time, &Zone);
                byte1 = Time.tv_usec;
                getrusage (RUSAGE_SELF, &rusage);
                byte2 = (rusage.ru_utime.tv_usec + rusage.ru_stime.tv_usec);
                accum += (byte1 + byte2);
                rndData [ rnd_i ] = (byte1 ^ byte2 ^ accum);
            }
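A way to put a number on the "just as predictable" remark, as an added example in Go that is neither the poster's nor Caesarion's code: it estimates the entropy of a clock-derived byte stream like the one in the quoted loop, both as a plain histogram and over successive differences, and compares it with the operating system CSPRNG. Only the microsecond wall-clock half of the quoted source is modelled; the getrusage half is omitted.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"time"
)

// shannonEntropy returns the Shannon entropy of the byte values in samples, in bits
// per sample: 0 for a constant stream, 8 for one spread evenly over all 256 values.
func shannonEntropy(samples []byte) float64 {
	if len(samples) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range samples {
		counts[b]++
	}
	h, n := 0.0, float64(len(samples))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// successiveDifferences returns each sample minus its predecessor (mod 256). A clock
// read in a tight loop spreads its low byte over many values, so a plain histogram
// flatters it; the differences, which are almost all 0 or 1, show what an observer
// who knows roughly when the sample was taken still has to guess.
func successiveDifferences(samples []byte) []byte {
	d := make([]byte, 0, len(samples))
	for i := 1; i < len(samples); i++ {
		d = append(d, samples[i]-samples[i-1])
	}
	return d
}

// clockLowBytes models the wall-clock half of the quoted loop: the low byte of the
// microsecond timestamp, read n times back to back. The quoted code also mixes in
// getrusage microseconds, which advance even more slowly, and XORs a running sum;
// no deterministic mixing can add entropy that the inputs do not contain.
func clockLowBytes(n int) []byte {
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(time.Now().UnixMicro())
	}
	return out
}

// osRandomBytes reads n bytes from the operating system CSPRNG, the /dev/urandom
// source the announcement says Caesarion already uses, for comparison.
func osRandomBytes(n int) []byte {
	out := make([]byte, n)
	if _, err := rand.Read(out); err != nil {
		panic(err)
	}
	return out
}

func main() {
	const n = 4096
	for _, src := range []struct {
		name string
		data []byte
	}{{"clock low byte", clockLowBytes(n)}, {"crypto/rand", osRandomBytes(n)}} {
		fmt.Printf("%-15s raw %.2f bits/sample, successive differences %.2f bits/sample\n",
			src.name, shannonEntropy(src.data), shannonEntropy(successiveDifferences(src.data)))
	}
}
```

The clock stream typically scores well under one bit per sample on successive differences, while crypto/rand stays close to 8 on both measures.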

            Comments
            1. By Better Cryptographer than You! () foo@bar.org on mailto:foo@bar.org

              By the way, for a nominal cryptography consulting fee, I will audit your source code and find as many problems as I can. :-)

              I don't have time to do any more than a cursory check unless there are dollars involved.

              Comments
              1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                Hi,

                Sorry, Caesarion is a free software project.
                Even if I wanted to, I could not afford to hire help.

                To the best of my knowledge there are no bugs or security problems in Caesarion v3/v4.

                If you think you've found a problem, please send me an email and I'll be happy to fix it and give you credit, if you wish.

                Cheers,
                Robin Carey.

            2. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org

              Hi,

              Am I to deduce from this sparse comment that you've found a problem in Caesarion v4 ?

              If so, please, send me an E-mail at:
              robin@wizardsworks.org

              I won't make any changes to my source code without proof that there is a bug/problem.

              I think you'll find that the above code produces numbers which cannot be predicted. The tests that I've run show that to be the case.

              Cheers,
              Robin Carey.

              Comments
              1. By onion () onion@bbe.org on mailto:onion@bbe.org

                I think that you may be relying too much on these tests that you have run. I definitely think that you should at least make your "secure" (sic) encryption algorithm an option that can be turned off by default. Simple tests are not meant to be a replacement for exhaustive numerical analysis. Take your code back to equation form, and try to see if it is possible to predict patterns. There is a good book on the "Design and Implementation of the 4.4BSD Kernel" that goes over how the pre-emptive multitasking algorithm works in its most basic form. I have a hunch that it may be somewhat enlightening to peruse both this and the current kernel source in the Unices that you expect to be running this on. I know that the *BSDs and the Linux kernel each have different selection algorithms, which means at best that there is no way to ensure the entropy source is even the same algorithm (1) across different OS versions and (2) across different flavors. That prospect alone would frighten me if I were in your shoes. What if an attack were possible even in one of these flavors or in any OS version now and in the future? I know that /dev/*rand* typically is maintained if an attack were to be found, but I doubt that you will be able to argue that a scheduling algorithm be changed because it makes your product insecure. Food for thought.

                Personally, I like the design of your software, but I don't trust the entropy algorithm at all. Call me paranoid, but I think that you are making a lot of assumptions. Even a set of automated tests are not enough to decide how "good" the entropy source is. I think that you should swallow your pride a bit about this algorithm. I haven't seen anything else in your code that is suspect yet, but this to me is a showstopper. Think about making it an option at least, and I will consider trying it out. :-)

                Comments
                1. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

                  Dear onion,

                  "....should at least make your "secure" (sic) encryption algorithm an option that can be turned off by default...."

                  I think you've made a mistake here - I assume you're talking about my entropy generation algorithm ?

                  I've got the D&I of 4.4 BSD BTW :)

                  Yes I think you're right about making it an option that can be switched off.
                  Have you had a look at the entropy generation algorithm in v5 ? It is much stronger than what was used in v3/v4. And to be honest, I'm satisfied that the numbers it produces are indeed completely unpredictable.

                  I was hoping that I had everything worked out and correctly written so that there would only be at most two releases of Caesarion. Unfortunately mistakes and improvements meant that this was not possible.

                  I've recently realized that there is a non-critical security improvement that can be made to the way data is encoded prior to encryption, so I'm probably going to release a v6 which will not be backwards compatible. So I think I'll take your advice and add an option to the software which switches off my Entropy generation algorithm.

                  Cheers,
                  Robin Carey.

            3. By Robin Carey () robin@wizardsworks.org on http://www.rcarey.org/cion.html

              Dear "Better Cryptographer than You !"

              Version 5 is up for grabs at:

              http://www.rcarey.org/cion.html

              I'd love to know the results of your "attractor graph" (never heard of one of those before !) and my new entropy generation algorithm :)

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]