Cryptography-Digest Digest #415, Volume #9       Sun, 18 Apr 99 10:13:03 EDT

Contents:
  Re: which programs ... which algorithms (Phil Howard)
  Re: Adequacy of FIPS-140 (Terry Ritter)
  Re: True Randomness & The Law Of Large Numbers (Herman Rubin)
  Re: Thought question:  why do public ciphers use only simple ops like  ("Douglas A. Gwyn")
  Re: New drop in cipher in the spirit of TEA ([EMAIL PROTECTED])
  Re: which programs ... which algorithms ("Douglas A. Gwyn")
  Re: Thought question:  why do public ciphers use only simple ops like  ("H. Ellenberger")
  Re: True Randomness & The Law Of Large Numbers (Herman Rubin)
  Re: Thought question: why do public ciphers use only simple ops like shift and XOR? ([EMAIL PROTECTED])
  Re: which programs ... which algorithms (David A Molnar)
  Re: New drop in cipher in the spirit of TEA ([EMAIL PROTECTED])
  Re: Adequacy of FIPS-140 (R. Knauer)
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Phil Howard)
Subject: Re: which programs ... which algorithms
Date: Sun, 18 Apr 1999 07:35:10 GMT

On Sat, 17 Apr 1999 14:53:26 -0400 John Bailey ([EMAIL PROTECTED]) wrote:

| Why don't you start with what the big boys use?
| 1.1 What is Kerberos?
|
| From <http://web.mit.edu/kerberos/www/>
|
|      Kerberos is a network authentication protocol. It is designed to
|      provide strong authentication for client/server applications by
|      using secret-key cryptography. A free implementation of this
|      protocol is available from the Massachusetts Institute of
|      Technology. Kerberos is available in many commercial products as
|      well.

My understanding has been that Kerberos was a server based scheme where
the authentication involved asking a server.  That model won't work for
what I want to do, so I've discounted Kerberos.

Why is it so difficult for people to simply say which algorithm(s) something
actually uses?  Is there some need to keep that secret until someone peeks
into the source code?

--
Phil Howard           KA9WGN
[EMAIL PROTECTED] [EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Adequacy of FIPS-140
Date: Sat, 17 Apr 1999 07:03:37 GMT


On Fri, 16 Apr 1999 23:29:17 -0600, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (wtshaw) wrote:

>In article <7f7cqt$fdq$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>(Patrick Juola) wrote:
>> 
>> And, of course, by Kerckhoffs's maxim, I know the trivial change you're
>> going to apply *unless you make it part of the key*, so I can simply
>> undo the change when I search on AltaVista (or write my own SpiderBot).
>> 
>> At this point, you're adding a hell of a lot of bits to the key when
>> you start to add *algorithms* into it.  Why not just use a longer key
>> and be done with it?
>> 
>Long is relative, but shallow is always a problem.  We can go back to the
>Ritter idea of having numbers of algorithms to choose from as part of the
>key.

Allow me to point out that my primary motive was *not* to increase the
key size.  Although thousands of ciphers might add 10 bits, that is
probably not a significant increase.  

Instead, my motive was to:  1) distribute data among many ciphers, so
that weakness in any cipher would not expose all the data; and then
2) dynamically select "at random" from a growing field of ciphers,
thus requiring the Opponents to "keep up" via a very expensive
process.  This means the Opponents must invest more to get less, and
that benefits user security, even if the ciphers are not "certified."

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: 18 Apr 1999 08:19:25 -0500

In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On Thu, 15 Apr 1999 15:56:18 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
>wrote:

                        ..................

>You should know better than to try to defend silly tests like the
>FIPS-140 Monobit Test. It is so amateurish that I cannot believe
>anyone who claims to understand the concept of true randomness would
>imagine for even a moment that such a simplistic test could decisively
>characterize something that fundamental.

If one looks at statistics in a reasonably intelligent manner,
the problem is not to decide whether or not the point null
hypothesis is true, but to decide whether it is better to act
as if it is than the alternative.   This does affect testing.

>You should realize that true randomness goes to the very heart of
>quantum mechanics, and serves as one of the most profound mysteries of
>science. To claim to be able to determine when it is not present in a
>process by something as superficial as counting 1-bit bias is beyond
>comprehension.

There is true randomness in all observations in nature, by which
I mean that they have SOME probability distribution.  But any
particular model which can be written down does not precisely
describe that joint probability distribution.
-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Thought question:  why do public ciphers use only simple ops like 
Date: Sun, 18 Apr 1999 13:24:01 GMT

wtshaw wrote:
> Ah, elections do come up at some point.  As I remember, the final
> pick is to be submitted to higher, political, authority for
> *approval*, which is apt not to be a technical decision ...

The technical decision would already have been made, and any
further process would be simply an approve/disapprove decision.

I don't know what "elections" have to do with it.  You can't
think that the electorate in general cares one whit about AES.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: New drop in cipher in the spirit of TEA
Date: Sun, 18 Apr 1999 12:36:48 GMT


> A hint: flipping the 11th bit of either register doesn't ever seem
> to affect the low 10 bits.
> Thus, the low 10 bits of each half of the ciphertext (20 bits in all)
> is a function of only 20 bits of the plaintext.
> This is very poor avalanche.
>

That's what the 'B + sum' and 'A + sum' are for.  But you are right, that's
why I suggested a high (20 to 24) number of rounds.

Tom

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

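The quoted hint describes a measurable diffusion defect: if an output bit can only ever be changed by a small set of input bits, a dependency count will show it. The following is an added example written for this edit, not Tom's nc.c or anything posted in the thread. It implements standard TEA (Wheeler and Needham's round: add, shift left 4, shift right 5, XOR) next to a constructed toy variant with the same shape but the right-shift term removed, then measures, for every output bit, which input bits were ever observed to change it. The sample key, the trial count and the toy variant itself are assumptions made for the demonstration.

```python
import random

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9      # TEA's golden-ratio round constant
ROUNDS = 32
# Constructed sample key for the demonstration; not from the thread.
KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)


def tea_encrypt(v0, v1, key, rounds=ROUNDS):
    """Standard TEA: each half is updated with (+, <<4, >>5, ^) of the other half."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ ((v1 + s) & MASK) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ ((v0 + s) & MASK) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def toy_encrypt(v0, v1, key, rounds=ROUNDS):
    """Constructed defective variant: TEA with the >>5 term dropped.
    Addition, left shift and XOR only move information from low bits to high
    bits, so output bit j can never depend on an input bit above position j,
    no matter how many rounds are run."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ ((v1 + s) & MASK) ^ k1)) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ ((v0 + s) & MASK) ^ k3)) & MASK
    return v0, v1


def _pack(block):
    """Map (v0, v1) to a 64-bit int: bit i<32 is v0 bit i, bit 32+i is v1 bit i."""
    v0, v1 = block
    return v0 | (v1 << 32)


def dependency_matrix(encrypt, key, trials=64, seed=1):
    """deps[j] = set of input bit positions whose flip was observed to change
    output bit j, over `trials` random plaintexts.  A dependency that never
    shows up in 64 trials is, for a decent cipher, absent rather than rare."""
    rng = random.Random(seed)
    deps = [set() for _ in range(64)]
    for _ in range(trials):
        v0, v1 = rng.getrandbits(32), rng.getrandbits(32)
        base = _pack(encrypt(v0, v1, key))
        for i in range(64):
            if i < 32:
                flipped = encrypt(v0 ^ (1 << i), v1, key)
            else:
                flipped = encrypt(v0, v1 ^ (1 << (i - 32)), key)
            diff = base ^ _pack(flipped)
            j = 0
            while diff:
                if diff & 1:
                    deps[j].add(i)
                diff >>= 1
                j += 1
    return deps


def low_bits_isolated(deps, k=10):
    """True if the low k bits of each output half depend only on the low k bits
    of each input half: the defect in the quoted hint (20 ciphertext bits that
    are a function of only 20 plaintext bits)."""
    allowed = set(range(k)) | set(range(32, 32 + k))
    low_out = list(range(k)) + list(range(32, 32 + k))
    return all(deps[j] <= allowed for j in low_out)


def full_avalanche(deps):
    """True if every output bit was seen to depend on all 64 input bits."""
    return all(len(d) == 64 for d in deps)


if __name__ == "__main__":
    for name, enc in (("toy (no >>5)", toy_encrypt), ("TEA", tea_encrypt)):
        deps = dependency_matrix(enc, KEY)
        print(name, "| low-bit isolation:", low_bits_isolated(deps),
              "| full avalanche:", full_avalanche(deps),
              "| smallest dependency set:", min(len(d) for d in deps))
```

The toy variant reports the defect exactly as the hint describes it, and adding rounds cannot repair it, because none of its operations carries information downward; TEA's right shift is what closes that gap, and with it every output bit depends on every input bit. The same matrix is a cheap first check to run on any new design before arguing about round counts.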
------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: which programs ... which algorithms
Date: Sun, 18 Apr 1999 13:38:24 GMT

Phil Howard wrote:
> | 1.1 What is Kerberos?
> | ...
> Why is it so difficult for people to simply say which algorithm(s)
> something actually uses?  Is there some need to keep that secret
> until someone peeks into the source code?

You're overreacting.  The very first question in the FAQ, "What is
Kerberos", is almost certainly not the place for details.  I don't
have a copy of the Kerberos FAQ at hand, but I wouldn't be
surprised if later on it does explain more about the protocols.
Anyway, the exact crypto algorithms are relatively unimportant
so long as they are sufficiently secure; Kerberos isn't primarily
an encryption/decryption service as it is an authentication
service.

------------------------------

From: "H. Ellenberger" <[EMAIL PROTECTED]>
Subject: Re: Thought question:  why do public ciphers use only simple ops like 
Date: Sun, 18 Apr 1999 15:37:54 +0200

Terry Ritter wrote:

> >[...]
>
> The truth is that we *never* know the "real" strength of a cipher.  No
> matter how much review or cryptanalysis a cipher gets, we only have
> the latest "upper bound" for strength.  The lower bound is zero:  Any
> cipher can fail at any time.

Correct, however you only describe the bewildering lack of a sound
theoretical foundation of the subject matter.

> Since we have only an upper bound for the strength of any cipher, any
> confidence we may have is no more than our own delusion.  We wish and
> hope for cipher strength, and -- absent a specific proof otherwise --
> we gradually come to believe in it.  But that does not make it true.

Correct. Should we therefore stop analyzing existing ciphers?





------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: 18 Apr 1999 07:59:43 -0500

In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On 14 Apr 1999 09:11:32 -0500, [EMAIL PROTECTED] (Herman
>Rubin) wrote:

>>>I meant for finite sequences. An infinite sequence must be Borel
>>>normal, which is a quantitive entity. (But see below for further
>>>comments.)

>>I suggest we ignore infinite sequences.  We will never observe one.

>It is interesting to note that Billingsley begins his book on
>probability and measure with Borel normality and infinite sequences.
>He seems to be saying that only in such a manner can one determine the
>precise meaning of probability.

This is an attempt to define probability.  It is neither necessary
nor useful.  

It is most unfortunate that people feel it must be defined.  One need
only assume it exists, and has certain properties.  Then it follows
that almost all infinite sequences of independent identically
distributed trials will have Borel normality.  This holds whether
or not there will be infinite sequences.  If it helps you understand
probability, fine; if not, ignore it.

>>No, the statement is not at all harsh.  Like most people, physicists
>>are comfortable only with the ideas coming from games of chance with
>>equally likely alternatives, so they set up this "ensemble" from
>>which one selects "at random".  It is necessary to get away from
>>this restrictive idea.

>Your statement is very interesting, because it constitutes a challenge
>on two fronts:

>1) That physicists are in error when they use their traditional
>notions of probability, including ensembles;

They are postulating something not needed.  Where is the ensemble?
This is a real violation of Occam's Razor, far more serious than
the belief in simplicity.

>2) That physicists must adopt new ways of thinking, about which you
>can comment further.

The one new way is to allow the existence of something without 
defining it.  Distance and time are not really defined any more.
Physicists are quite willing to live with limitations on how
accurately they can be determined, especially from direct observation,
which is rarely being done now.  They have yet to come to terms
with the same thing in probability.  

>I look forward to those further comments from you.

>Are physicists who are exploring the "physics of information" at
>places like the Santa Fe Institute and others, going in the right
>direction according to your thinking?

I am not sure what they are doing.

>>The concise definition is that any measurable event determined by
>>the entire collection of observations has a probability.

>That is true for orthodox QM. Those probabilities are determined from
>"probability amplitudes", which are related to projections of the wave
>vector in the Hilbert space representation for which the Hamiltonian
>matrix is diagonal.

This is not quite right.  Their projections commute, and hence they
can be simultaneously diagonalized.

>Apparently I am missing something from your original comment that
>there are joint probabilities in QM.

For any simultaneous observables, there is a joint probability 
distribution of the set of values of all of them.  If observables
do not come from commuting operators, it may still be true that
the formal computation of their joint distribution can be a
probability distribution, but this is not always the case.

                        ...............

>>The scale for randomness I am using is similar to the expected number
>>of bits which would have to be changed, knowing all the probabilities,
>>and having a TRNG available, to get a TRNG.

>That appears at first glance to be a kind of entropic measure. IOW, a
>TRNG is 100% random if it has 100% entropy. Is that not just a statement
>of the independence of each of the bits of the sequence, that they can
>be selected equiprobably from the sample space {0,1}? After all, if
>one of those bits is fixed (i.e., it is known), then the entropy drops
>from its maximum by one bit, and the TRNG loses that amount of
>randomness, say to a level of 99.999% or whatever.

It is not merely a matter of total entropy.  If one has a discrete
distribution with total Wiener-Shannon information k, a Huffman
coding will produce a result with the expected number of bits
less than k+1, and one can produce a coding so that the probabilities
of the events can be exactly reproduced with the expected number
of perfect random bits used less than k+2.  But one need not be able
to produce a single random bit from the observation.  

If one has 999,999 perfect random bits, and adds these mod 2 to 
produce bit 1,000,000, the information will be 999,999 bits.  
But if one is interested in the parity of the number of 1's,
this is useless.  My "definition" would not accept this.  Now
it would be difficult to test for this; however, I do not consider
this type of failure of randomness to be of much concern for
physical generators, while I certainly would for pseudo-random
generators.

>If that is correct, how do you go about measuring this entropic-like
>property quantitatively without having to sample all or a large
>fraction of the possible sequences (which is overwhelmingly greater
>than just measuring the properties of one relatively small sequence)?

You miss the idea of statistical testing.  It is necessary to balance
risks, and the fundamental situation in probability is the experiment
which cannot ever be replicated.
-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Thought question: why do public ciphers use only simple ops like shift 
and XOR?
Date: Sun, 18 Apr 1999 13:38:07 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (wtshaw) wrote:
> In article <7fa0n5$v4m$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> >
> >   My feeling is that the method that computers use should involve much
> > more operations than what the public is used to. My code treats the
> > whole file as a block. Which is something else the current blessed
> > methods do not do.
> >
> Which is strange since the one thing that you highlight is something that
> perhaps is the biggest weakness in the utility of what you have done.
> And, trying to make the various blessed methods somehow stronger by making
> block affect each other through shoddy methods is also a step in the wrong
> direction.  All-or-nothing logic has always been considered as a fallacy.
> --

  Since when has the "All-or-nothing logic" been considered as a fallacy
or what have you been smoking. I am sure that would be news to Mr R. of RSA
fame. All or nothing encryption has not been around very long and is not
something groups like NSA are very ready to deal with. I would like to see
some so-called expert say that "wrapped PCBC" is a step in the wrong direction
making the so-called blessed ciphers weaker. Quite the opposite is true
since wrapped PCBC would add the "all or nothing logic" to the AES
candidates as well as solve the problem of handling files or sub files
that are not made up of a number of bits that are a multiple of the block
cipher size used.

David A. Scott

http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: which programs ... which algorithms
Date: 18 Apr 1999 09:55:46 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> surprised if later on it does explain more about the protocols.
> Anyway, the exact crypto algorithms are relatively unimportant
> so long as they are sufficiently secure; Kerberos isn't primarily
> an encryption/decryption service as it is an authentication
> service.

That being said, doesn't Kerberos 5 use DES by default, with the 
possibility of hacking in another symmetric cipher?


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: New drop in cipher in the spirit of TEA
Date: Sun, 18 Apr 1999 13:47:48 GMT

Ok, it's still a toy cipher, but I did improve it.  It demonstrates the
dynamic key schedule.

I improved the algorithm to be more sensitive to bit changes in the plaintext
(like David pointed out) and to the key.

It's at
http://members.tripod.com/~tomstdenis/nc.c

It's also simpler than the previous version.  And the source code is really
simple and easy to follow.

Tom


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Adequacy of FIPS-140
Date: Sun, 18 Apr 1999 14:03:38 GMT
Reply-To: [EMAIL PROTECTED]

On Sun, 18 Apr 1999 00:11:07 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:

>The cheapest possible cryptanalytic attack against a complex
>system is the "lucky guess", and yes, it has occasionally worked.

It won't work against the properly implemented OTP cryptosystem.

Bob Knauer

"I am a great mayor; I am an upstanding Christian man; I am an intelligent
man; I am a deeply educated man; and I am a very humble man."
- Marion Barry, Mayor of Washington DC


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sun, 18 Apr 1999 14:01:29 GMT
Reply-To: [EMAIL PROTECTED]

On 18 Apr 1999 08:19:25 -0500, [EMAIL PROTECTED] (Herman
Rubin) wrote:

>If one looks at statistics in a reasonably intelligent manner,
>the problem is not to decide whether or not the point null
>hypothesis is true, but to decide whether it is better to act
>as if it is than the alternative.   This does affect testing.

It is interesting to note that in Billingsley's book where he
discusses Chernoff's Theorem, he points out in balancing the error of
rejecting one hypothesis over another for the value of p, that as p
approaches 1/2 it becomes increasingly difficult to discriminate
between the p = 1/2 hypothesis and an hypothesis for a slightly
different value near 1/2.

Bob Knauer

"I am a great mayor; I am an upstanding Christian man; I am an intelligent
man; I am a deeply educated man; and I am a very humble man."
- Marion Barry, Mayor of Washington DC

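Rubin's parity construction earlier in this digest (999,999 independent bits followed by their mod-2 sum) and Knauer's remark here about how hard it is to tell p = 1/2 from a nearby p can both be made concrete against the FIPS-140 monobit test the thread keeps returning to. The following is an added example written for this edit, not code from any poster. It assumes the FIPS 140-1 parameters (a 20,000-bit sample, accepted when the count of ones lies strictly between 9,654 and 10,346), uses a seeded PRNG as a stand-in for the source under test, and scales Rubin's construction down to the 20,000-bit sample size.

```python
import random

N_BITS = 20000          # FIPS 140-1 runs its statistical tests on a 20,000-bit sample
LO, HI = 9654, 10346    # FIPS 140-1 monobit test passes iff LO < (number of ones) < HI


def monobit_pass(bits):
    """The FIPS 140-1 monobit test: count the ones, check the acceptance interval."""
    return LO < sum(bits) < HI


def ideal_bits(n, rng):
    """Stand-in for an unbiased, independent source (seeded PRNG; constructed)."""
    return [rng.getrandbits(1) for _ in range(n)]


def parity_constrained_bits(n, rng):
    """Rubin's construction, scaled down: n-1 independent bits followed by their
    mod-2 sum.  The sample carries only n-1 bits of information and its parity
    is always even, yet its one-count looks exactly like the ideal source's."""
    bits = [rng.getrandbits(1) for _ in range(n - 1)]
    bits.append(sum(bits) & 1)
    return bits


def biased_bits(n, p, rng):
    """Independent bits with P(1) = p (constructed biased source)."""
    return [1 if rng.random() < p else 0 for _ in range(n)]


def parity(bits):
    return sum(bits) & 1


def always_even_parity(trials=10, seed=3):
    """Confirms the structural defect the monobit test cannot see."""
    rng = random.Random(seed)
    return all(parity(parity_constrained_bits(N_BITS, rng)) == 0 for _ in range(trials))


def pass_rate(make_sample, trials=30, seed=7):
    """Fraction of `trials` fresh samples that the monobit test accepts."""
    rng = random.Random(seed)
    return sum(monobit_pass(make_sample(rng)) for _ in range(trials)) / trials


def bits_needed(delta, z=3.0):
    """Sample size at which a source with P(1) = 1/2 + delta sits z standard
    deviations from the p = 1/2 null.  Under the null the one-count has mean n/2
    and standard deviation sqrt(n)/2, so n*delta = z*sqrt(n)/2 gives
    n = z^2 / (4 delta^2): halving delta quadruples the bits required."""
    return round(z * z / (4 * delta * delta))


if __name__ == "__main__":
    print("ideal source       pass rate:", pass_rate(lambda rng: ideal_bits(N_BITS, rng)))
    print("parity-constrained pass rate:", pass_rate(lambda rng: parity_constrained_bits(N_BITS, rng)),
          "| parity always even:", always_even_parity())
    for p in (0.51, 0.52, 0.55):
        print("biased p=%.2f       pass rate:" % p,
              pass_rate(lambda rng, p=p: biased_bits(N_BITS, p, rng)))
    for d in (0.1, 0.01, 0.001):
        print("bits for a 3-sigma separation at delta=%g:" % d, bits_needed(d))
```

Two things fall out. The parity-constrained stream passes the monobit test as reliably as the ideal stream even though its last bit is a deterministic function of the others, which is Rubin's point that a bit-count says nothing about whether a single usable random bit can be extracted. And because the FIPS interval is about 4.9 standard deviations wide at n = 20,000, a source biased to p = 0.51 passes roughly 98% of the time; `bits_needed(0.01)` is 22,500 and `bits_needed(0.001)` is 2,250,000, which is Knauer's observation that discriminating near p = 1/2 gets expensive fast.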

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sun, 18 Apr 1999 14:02:16 GMT
Reply-To: [EMAIL PROTECTED]

On Sun, 18 Apr 1999 06:38:40 GMT, [EMAIL PROTECTED] (Earth
Wolf) wrote:

>To paraphrase Samuel Johnson, one does not have to be a carpenter to
>know that the table wobbles. :-)

Is that what we are discussing here - carpentry?

You sure could have fooled me.

Bob Knauer

"I am a great mayor; I am an upstanding Christian man; I am an intelligent
man; I am a deeply educated man; and I am a very humble man."
- Marion Barry, Mayor of Washington DC


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
