
Re: [atlarge-discuss] Election Management



Stephen and all fellow members,

 DOS is inherently insecure.  That also is well documented.  Hence
now adding insult to injury.  How special!

Stephen Waters wrote:

> On Mon, 2003-04-07 at 10:19, J-F C. (Jefsey) Morfin wrote:
> > On 15:59 07/04/03, Stephen Waters said:
> > >Can you post the code to the list -- or at least give a link to it
> > >somewhere so we can review the code?
> > >
> > >What secret key algorithm, padding, or chaining (if more than 1 block)
> > >do you plan to use? If you're planning on using Perl, Crypt::CBC makes
> > >this stuff pretty easy, including md5sum of cryptext.
> >
> > I intend to develop that quickly in K&R C under DOS
>
> ok, do it the hard way!  :)
>
> > The key sequence is very simple. There is absolutely no need for anything
> > complex (I can use MD5 but no one would be able to check I did not cheat).
> > Also the sequence is pretty long and could be folded by the email
> > responses. Would simply send
> >
> > "@" as a voting line flag
> > 0000 4 digit voter number
> > 4 letters voter checker made of a simple computation on the mail name.
> > (let's say the 1st, the 3rd, the 6th and the 9th letter each plus four
> > values modulo 26)
> > the nr of the characters and the four values for the vote not being disclosed.
>
> I am a tad concerned about this. Once I get my ballot, I will easily be
> able to determine the sequence and could theoretically replicate it for
> others and spoof their votes.
>
> What I supposed you were doing was:
>
> 1) generating a random, secret key which the watchdogs have
> 2) encrypting the mailname (or parts of it) using AES, 3DES, or similar
> 3) calculating the md5sum of the result and using that as the identifier
>
> With that methodology, you can generate a static linked executable for
> each watchdog, but also release the source code without fear of giving
> away your obscurity mechanism.
>
> -s
>

Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 129k members/stakeholders strong!)
================================================================
CEO/DIR. Internet Network Eng. SR. Eng. Network data security
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com
Contact Number: 214-244-4827 or 214-244-3801
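
The concern raised in the quoted message, and the keyed identifier suggested in reply, as an added example that is not code from anyone on the list. It assumes the letter positions are the ones given as an illustration (1st, 3rd, 6th, 9th) and are known; the shift values, mail names, key, handling of short names, and the use of HMAC-SHA256 in place of the encrypt-then-md5sum step are all assumptions made for the example.

```python
import hashlib
import hmac
import string

POSITIONS = (0, 2, 5, 8)  # 1st, 3rd, 6th, 9th letter, as in the message

def letters_at(mail_name):
    # Assumption: non-letters are dropped and short names wrap around.
    letters = [c for c in mail_name.lower() if c in string.ascii_lowercase]
    if not letters:
        raise ValueError("mail name has no letters")
    return [ord(letters[p % len(letters)]) - ord("a") for p in POSITIONS]

def simple_checker(mail_name, shifts):
    # Checker from the thread: chosen letters plus four values, modulo 26.
    return "".join(chr((v + s) % 26 + ord("a"))
                   for v, s in zip(letters_at(mail_name), shifts))

def shifts_from_ballot(mail_name, checker):
    # A voter knows their own mail name and sees their own checker, so each
    # "undisclosed" value falls out of one subtraction modulo 26.
    return tuple((ord(c) - ord("a") - v) % 26
                 for c, v in zip(checker, letters_at(mail_name)))

def keyed_checker(mail_name, key, length=8):
    # Keyed identifier: the source can be public, only the key stays secret,
    # and one ballot gives nothing that applies to another mail name.
    mac = hmac.new(key, mail_name.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:length]

# Constructed sample data, not values from the thread.
SECRET_SHIFTS = (7, 19, 3, 11)
WATCHDOG_KEY = b"constructed-demo-key-not-for-use"

def demo():
    own = simple_checker("stephen.waters", SECRET_SHIFTS)
    recovered = shifts_from_ballot("stephen.waters", own)
    other = simple_checker("another.voter", SECRET_SHIFTS)
    return {
        "own_checker": own,
        "shifts_leak": recovered == SECRET_SHIFTS,
        "other_predictable": simple_checker("another.voter", recovered) == other,
        "keyed_own": keyed_checker("stephen.waters", WATCHDOG_KEY),
        "keyed_other": keyed_checker("another.voter", WATCHDOG_KEY),
    }

if __name__ == "__main__":
    print(demo())
```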


