Cryptography-Digest Digest #608, Volume #9 Fri, 28 May 99 06:13:03 EDT
Contents:
Re: evaluation cryptographic algorithms (Johnny Bravo)
Re: What good is hushmail? ([EMAIL PROTECTED])
Re: NSA proves banks use poor crypto (Squitter Shivwits)
Re: request opinion/info : 1.5 Mbits/s public key scheme (Medical Electronics Lab)
Re: NSA proves banks use poor crypto (Gurripato [x=Nospam])
Re: AES tweaks (David Crick)
Re: NSA proves banks use poor crypto (Alan Mackenzie)
Re: NSA proves banks use poor crypto (Karel Wouters)
Re: The BRUCE SCHNEIER Tirade (Ruud de Rooij)
Re: Review of Scottu19 (Thomas Pornin)
Re: The BRUCE SCHNEIER Tirade (Johnny Bravo)
Re: The BRUCE SCHNEIER Tirade ("Douglas A. Gwyn")
Re: NSA proves banks use poor crypto (Gurripato [x=Nospam])
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: evaluation cryptographic algorithms
Date: Fri, 28 May 1999 00:38:34 GMT
On Thu, 27 May 1999 20:09:07 +0200, [EMAIL PROTECTED]
(Andreas / Detlef Stieger) wrote:
>Hi everyone.
>
>I always wondered how cryptoscientists evaluate their algorithms.
>
>I think it is dangerous just to look at the number of possible keys and to
>calculate how long it would take to check all the keys if all computers in
>the world would join calculation power 24 hours a day, seven days a week.
>("Exhaustionsmethode")
This does provide an upper bound though. If you show that a brute
force attack can search the entire keyspace in 5 minutes on a P150,
then your crypto is weak no matter how good the algorithm is.
>How must an encryption algorithm be so that it can be evaluated as "strong"
>(besides that it has to have a large number of possible keys)? I heard of
>asymmetric keys and so on...
Asymmetric/symmetric are just ways of describing how the data is
encrypted. A symmetric key is used for both encrypting and
decrypting the data; it isn't used for email type purposes much
because you still have to find a secure way for the receiver to get
the key. Asymmetric keys use two different keys: what you encrypt
with one you can only decrypt with the other. This lets you give one
key out and people can send you mail only you can read. This also
works in reverse: you can use your secret key and sign a message, then
anyone with the key you gave away can read and verify your signature.
Asymmetric encryption is slower than symmetric, so some systems (like
PGP) use both. It uses a fast symmetric encryption with a random key
to encode the message, then it uses the asymmetric encryption to
encode the symmetric key and both are sent along. The receiver uses
his asymmetric key and finds out the random key, then that key is used
to decrypt the message.
Symmetric keys are stronger per bit than asymmetric keys; to use PGP
as an example, it uses 128 bit symmetric keys to encrypt the data and
then much larger asymmetric keys (128 bits symmetric is worth about 3k
asymmetric).
>I would also like to know what, providing that an algorithm is "strong", can
>make it "weak"?
>(publishing the source code, attack algorithms, new and faster
>computers...)
There is no "strong" crypto that can be made weak by describing the
algorithm or showing the source code. If there is a flaw that can be
found by examining the source, it was never strong to begin with
(mainly because that flaw could be found by accident by an attacker).
For most asymmetric ciphers the "better" attack algorithm would be a
much faster method of factoring 150+ digit numbers. The defense is
usually a larger key; if someone finds a way of factoring large primes
a million times faster than is now possible, making the number 6
digits longer provides the same security as before at a very small
increase in encryption time.
As it is, asymmetric keys are usually set up with massive overkill
just in case this kind of breakthrough occurs. With millions of
computers working 24/7, you would likely see the death of the Earth
due to the Sun expanding into a Red Giant before you see a decently
sized key cracked.
Computers keep getting faster, but there is a bounding limit as far
as science can determine. It's that the electrons on the chips still
can't move faster than light, so much concern isn't given to this. And
for the most part, you only have to encrypt messages for your
lifetime; you will hardly care if some cracker breaks 128 bit IDEA 500
years from now with his quantum computer. By the time this happens we
will be using the same quantum computers to generate keys just as fast
and as large in proportion to computing power as we do today.
As far as someone "breaking the system" on an algorithm, this is
always a possibility. There is very little we can do about this kind
of attack other than letting as many experts in the field have a try
at the systems we are using. The longer the algorithms can withstand
attack the more secure they are believed to be, not a guarantee, but
there are no guarantees with crypto.
Johnny Bravo
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: What good is hushmail?
Date: Fri, 28 May 1999 05:09:10 GMT
>The NSA doesn't work that way - the resulting
>bad publicity from being exposed could do the NSA
>more damage than the possible value of any
>messages they might intercept.
That did not stop them and the BND from spiking
Crypto AG's machines, did it? I don't think so.
Search the Internet for Hans Buehler and read the
nice intriguing story about how a technical
salesman gets thrown in the ayatollah's prison for
nine months when they finally figured out what
was going on after Reagan publicly announced that
they had intercepted Libya's crypto traffic.
Most drug dealers are not that keen to figure out
that their traffic is being read.
Both the BND and NSA are still around and I don't
think their funding got cut for having their hand
caught in the crypto jar.
About the only real use for this system is to
keep your school or work IS department from
reading your e-mail. ...Or some other snoops
while out on business where there are only public
internet connections available. Unfortunately,
it lacks the POP3 functionality so that you can
read your home e-mail.
Art_Gecko
------------------------------
From: Squitter Shivwits <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: NSA proves banks use poor crypto
Date: Thu, 27 May 1999 08:23:19 -1000
SCOTT19U.ZIP_GUY wrote:
>
> In article <Za%23.5637$[EMAIL PROTECTED]>, "Steven Alexander"
><[EMAIL PROTECTED]> wrote:
> >Even though this story comes from a respected source, it is highly
> >questionable. Foreign countries would have a serious problem with a U.S.
> >government agency attacking foreign banks. Also, if such an order were
> >given it would be highly classified. It would only be known to top military
> >and intelligence officials. I'm fairly confident that it wouldn't be likely
> >to fall victim to a press leak.
> >
> >my $.02
> >
> >-steven
Press leak? No, more likely it is a planted story. The CIA works that
way, pretending to let a story leak out about banks being targeted
for a crypto break in. The goal may be to get the banks to change
their crypto Al Gorisms and protocols so their agents can help to
sometimes insert preferred algorisms. The more often the banks change
their crypto, the more opportunity there is for the agents, who are
posing as crypto consultants, to recommend alGorisms that they can
break.
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: request opinion/info : 1.5 Mbits/s public key scheme
Date: Thu, 27 May 1999 11:56:01 -0500
Karel Wouters wrote:
> The same thing can be said about this USDS company. They only appear to
> react when you send several mails.
>
> I'm a mathematician too, but my opinion is that Prof Moh has overlooked
> some problems in his scheme. The basis of the scheme looks very strong,
> but the scheme in its present shape could be compromised. (easily, I
> suspect)
I agree with Frank, it sounds like snake oil.
> btw: nice sig., Dr mike
:-) Thanks.
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED] (Gurripato [x=Nospam])
Crossposted-To: talk.politics.crypto
Subject: Re: NSA proves banks use poor crypto
Date: Fri, 28 May 1999 07:33:04 GMT
On Mon, 24 May 1999 14:52:38 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:
>"Newsweek magazine reports in this week's edition Clinton has authorized the
>CIA to train ethnic Albanian rebels in sabotage and the National Security
>Agency
>to meddle with Milosevic's international bank accounts."
>
Let's just pray Milosevic doesn't have his money in Chinese
banks. I don't think they will take a second mistake.
------------------------------
From: David Crick <[EMAIL PROTECTED]>
Subject: Re: AES tweaks
Date: Thu, 27 May 1999 20:07:58 +0100
"SCOTT19U.ZIP_GUY" wrote:
>
> It is not that all block ciphers are inherently weak, it is just
> that so much focus on them limits the amount of testing groups like
> the NSA have to do when something encrypted is encountered. So
> people should be working on other types as well.
> But as a proof of weakness in the chaining methods and a proof
> that the chaining methods in use suck big time.
The pros and cons of the various chaining methods have been
documented by various people and bodies. If you have come up with
a new attack/weakness, then this would be interesting.
> Take a long file of your choice, but many thousands of bytes in
> length, use any AES candidate and use CBC with an IV of your
> choice. Now byte swap the file (I have reverse at my site in the
> compression section), now pick any other or the SAME AES candidate,
> pick a new IV and new key and encrypt the file again. Take this
> resultant file, hex edit it, change one bit in the middle of the
> file. Now reverse the encryption with the last method used, reverse
> the file and decrypt with the first method used. You now have a file
> that matches exactly the original file except for a few blocks in
> the area of where you twiddled the bit. For laughs you can do the
> same thing again but use the wrong IVs for the decryption; this
> time, besides the same area where the bit was twiddled, the front
> and back few blocks are messed up. This is because the crypto gods
> want people to use methods where only a small portion of a file
> needs to be examined and studied for a break to occur.
> This allows for easy attack if you start your files the same or use
> stuff like Word where Mr Gates can easily place small stretches of
> plain text to help the NSA.
If you think you have discovered a new and significant attack which
works particularly well on some of the AES candidates, then I suggest
you post it to the discussion forums on the NIST web site.
I'm sure the algorithm designers would be interested in genuinely
exploitable (or even plain "academic") attacks, and that you should
submit an official comment to NIST if this really is the case.
David.
--
+-------------------------------------------------------------------+
| David Crick [EMAIL PROTECTED] http://members.tripod.com/vidcad/ |
| Damon Hill WC96 Tribute: http://www.geocities.com/MotorCity/4236/ |
| M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
| PGP Public Keys: 2048-bit RSA: 0x22D5C7A9 4096-DH/DSS: 0x87C46DE1 |
+-------------------------------------------------------------------+
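The single-layer property that the experiment quoted above builds on, as an added example that is neither SCOTT19U.ZIP_GUY's nor David Crick's code: in CBC mode, flipping one ciphertext bit garbles the block it sits in and flips exactly one bit of the following block, decrypting with a wrong IV garbles only the first block, and nothing in CBC itself notices. The second half is the defender's answer, an encrypt-then-MAC tag that is checked before any decryption happens. Go with its standard library and real AES; the key, IV, MAC key and plaintext in main are constructed values, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/bits"
)

// cbcInput validates the key, a one-block IV and block-aligned data.
// Padding is left to the caller so the mode itself stays visible.
func cbcInput(key, iv, data []byte) (cipher.Block, error) {
	if len(iv) != aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("iv must be one block and data whole blocks")
	}
	return aes.NewCipher(key)
}

// CBCEncrypt encrypts whole blocks of pt under key with iv.
func CBCEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := cbcInput(key, iv, pt)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// CBCDecrypt is the inverse. It decrypts any block-aligned input without
// complaint, which is the point: CBC alone detects no tampering.
func CBCDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := cbcInput(key, iv, ct)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// DifferingBlocks lists the 16-byte block indices at which a and b differ.
func DifferingBlocks(a, b []byte) []int {
	var idx []int
	for i := 0; (i+1)*aes.BlockSize <= len(a) && (i+1)*aes.BlockSize <= len(b); i++ {
		lo, hi := i*aes.BlockSize, (i+1)*aes.BlockSize
		if !bytes.Equal(a[lo:hi], b[lo:hi]) {
			idx = append(idx, i)
		}
	}
	return idx
}

// HammingDistance counts differing bits between two equal-length slices.
func HammingDistance(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// SealCBC is the defender's version, encrypt-then-MAC: a random IV, the
// CBC ciphertext, then HMAC-SHA256(macKey, iv || ct). Layout: iv || ct || tag.
func SealCBC(encKey, macKey, pt []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := CBCEncrypt(encKey, iv, pt)
	if err != nil {
		return nil, err
	}
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil
}

// OpenCBC checks the tag in constant time before decrypting anything, so a
// single flipped bit anywhere in the blob is rejected outright instead of
// silently producing a few garbled blocks.
func OpenCBC(encKey, macKey, blob []byte) ([]byte, bool) {
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, false
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, false
	}
	pt, err := CBCDecrypt(encKey, body[:aes.BlockSize], body[aes.BlockSize:])
	return pt, err == nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)             // constructed AES-256 key
	iv := bytes.Repeat([]byte{0x01}, aes.BlockSize)   // constructed IV
	pt := bytes.Repeat([]byte("sixteen byte blk"), 8) // eight constructed blocks
	ct, _ := CBCEncrypt(key, iv, pt)
	ct[3*aes.BlockSize+5] ^= 0x10 // flip one ciphertext bit inside block 3
	got, _ := CBCDecrypt(key, iv, ct)
	fmt.Println("blocks changed:", DifferingBlocks(pt, got))                          // [3 4]
	fmt.Println("bits changed in block 4:", HammingDistance(pt[64:80], got[64:80])) // 1
}
```

The damage pattern follows directly from P_i = D(C_i) xor C_{i-1}: the altered C_3 decrypts to noise, and the same altered C_3 is XORed into block 4, carrying exactly the flipped bit. That locality is not a weakness of the block cipher but a consequence of the mode, and the operational lesson is the one in the second half: never decrypt CBC output that has not first passed an integrity check.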
------------------------------
From: Alan Mackenzie<[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: NSA proves banks use poor crypto
Date: Thu, 27 May 1999 17:47:35 +0000
Ronald Benedik <[EMAIL PROTECTED]> wrote:
> Steven Alexander wrote:
> I don't know of any bank outside the U.S. implementing more than the
> standard (I guess 56-bit) banking encryption. At least not in Austria.
In Germany, the Z.K.A. (the central banking association) specifies
112-bit triple DES encryption for the transmission of PINs (the secret
number the customer types in) between a bank machine and the central host.
> If they were using the new high tech available then why the Y2K problem?
Er, what's the connection between encryption technology and Y2K?
-- Alan Mackenzie (Munich, Germany)
Email: [EMAIL PROTECTED]; to decode, replace "aye" by 'a', "see"
by 'c', etc.
------------------------------
From: Karel Wouters <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: NSA proves banks use poor crypto
Date: Fri, 28 May 1999 10:32:07 +0200
On Fri, 28 May 1999, Gurripato [x=Nospam] wrote:
> On Thu, 27 May 1999 18:57:43 +0200, Ronald Benedik
> <[EMAIL PROTECTED]> wrote:
>
> >Steven Alexander wrote:
> >>
> >> Even though this story comes from a respected source, it is highly
> >> questionable. Foreign countries would have a serious problem with a U.S.
> >> government agency attacking foreign banks.
> >
> >I don't know of any bank outside the U.S. implementing more than the
> >standard (I guess 56-bit) banking encryption. At least not in Austria.
> >If they were using the new high tech available then why the Y2K problem?
> >Why not take his money from a bank in Switzerland?
> >What can they do if this is successful?
> >nothing.
>
> There are several banks in Spain using 128 bit encryption.
> See for example Banco Bilbao Vizcaya (https://www.bbvnet.com/bbvnet/),
> one of Spain's largest banks. Some others' https websites can be seen
> at http://www.ugr.es/~aquiran/cripto/enlaces.htm#servsegu (those with
> "128" are the ones using 128-bit encryption).
>
I agree; there are a lot of banks outside the US using strong encryption.
There's a company here in Belgium (http://www.ficsgrp.com) that
implements Electronic Services Delivery for banks.
It says it uses 168 bit encryption (3DES). I also know that they
use 1024 bit RSA for authentication.
These guys have customers in Belgium, Australia, the Netherlands,
Greece, the Czech Republic, Germany, Poland, Switzerland, Austria
and many more.
They have been looking at elliptic curve crypto and I suspect that they
will implement the AES winner also.
regards,
Karel w
------------------------------
From: Ruud de Rooij <*@spam.ruud.org>
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: 28 May 1999 10:58:55 +0200
Reply-To: *@spam.ruud.org
"Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
> Anthony Stephen Szopa wrote:
> > A true one-time pad is... unusable? Why: because no one has shown
> > how it can be done yet?
>
> No, but a true One-Time Pad cryptosystem requires (at least) as much
> key as the text to be enciphered, and transmitting all that key data
> securely to the participants is problematic -- if you use an OTP to
> transmit the key, you first need to transmit the key for *that*, etc.
> (a never-ending cycle), or if you use some other system to secure the
> key, why not use that system instead of the OTP for the actual
> transaction?
An OTP can be useful if there is a temporal distance between the
transmission of the key and of the data. E.g., a bank gives you the
OTP key in person when you open an account, and you use (part of) that
key when you later submit a transaction electronically.
- Ruud de Rooij.
--
ruud de rooij | *@spam.ruud.org | http://ruud.org
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: Review of Scottu19
Date: 28 May 1999 08:37:38 GMT
According to SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>:
> Then you don't look very hard because scott19u can not be
> implemented in an elegant (what does elegant mean anyway) readable
> ANSI C way and even start to run as fast as it does on my PC. But if
> you're good at assembly you can speed it up by a factor of ten.
-- Such a statement is false. If you can speed up an algorithm by a
factor of ten in assembly, then you do not know how to produce C code,
or your compiler is the dumbest ever (which djgpp is not). For some
things, a factor of 4 is understandable (the integer multiplications and
divisions on Intel, for instance).
But incompetence is so common that it cannot be considered as a crime.
-- Anyway we are speaking documentation. You may use whatever
implementation you want, but your 'C code' cannot be considered as any
form of documentation. In my view, your algorithm is undisclosed, and
you provide only some sort of binary that is supposed to implement it.
Do you trust binaries produced by other people? Some people do not,
especially guys who want security.
Therefore scott19u will remain a toy for loonies, as long as you keep
this 'I am God, my code is Truth and if you do not like it you are dumb'
attitude. This is no great loss for science, in my opinion, but this is
YOUR fault. Accept it and stop whining about the crypto gods who do not
like your code and have been hired by the NSA to prevent people from
trusting your products.
--Thomas Pornin
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Fri, 28 May 1999 04:34:37 GMT
On Fri, 28 May 1999 05:19:36 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:
> Actually Bruce likes to attack newcomers. But if you claim you have
>an OTP then the key has to be changed each time the file is used. About
>the only way you could do it is to give each customer a unique CD full of
>different random data for each user.
And if you want to send that data to someone, you will need a CD
pair for everyone you want to communicate with. So if you have a
network of 100 people, you would need 10,000 CDs for them to send data
back and forth. This is where the impracticality comes in. And once
you use up all the data on the CDs you will need to issue more pairs,
ugh. And if you have a channel secure enough to send CDs through, you
could just as easily send the data through that channel.
Johnny Bravo
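The key-consumption bookkeeping that Ruud de Rooij's bank scenario and Johnny Bravo's reply above both turn on, as an added example that is not code from either post: each party holds a copy of the pad and a cursor, every key byte is retired after a single use, and a message longer than the remaining pad is refused rather than wrapping around. This is the part of a one-time pad that is trivially secure on paper and awkward in practice, since the only way to continue after the pad runs out is to hand over new key material through a secure channel again. Go standard library; the pad length, the messages and the type and method names are this example's own.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// Pad is one party's copy of the shared key material plus a cursor marking
// how much of it is already spent. Both parties hold identical copies and
// advance their cursors in lockstep, one message at a time.
type Pad struct {
	key  []byte
	used int
}

// NewPad draws n random key bytes: the material handed over in person.
func NewPad(n int) (*Pad, error) {
	key := make([]byte, n)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Pad{key: key}, nil
}

// Clone gives the other party its own copy of the same key material.
func (p *Pad) Clone() *Pad {
	return &Pad{key: append([]byte(nil), p.key...), used: p.used}
}

// Remaining reports how many key bytes are left before new pads are needed.
func (p *Pad) Remaining() int { return len(p.key) - p.used }

// Apply XORs data with the next len(data) unspent key bytes and retires
// them for good. Encrypting and decrypting are the same operation; the one
// rule is that no key byte is ever used twice, so an exhausted pad is an
// error rather than a wrap-around, and a refused message consumes nothing.
func (p *Pad) Apply(data []byte) ([]byte, error) {
	if len(data) > p.Remaining() {
		return nil, errors.New("pad exhausted: new key material must be issued")
	}
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ p.key[p.used+i]
	}
	p.used += len(data)
	return out, nil
}

func main() {
	bank, err := NewPad(64) // constructed: a 64-byte pad issued at account opening
	if err != nil {
		panic(err)
	}
	customer := bank.Clone()
	ct, _ := customer.Apply([]byte("transfer 100 to account X")) // constructed message
	pt, _ := bank.Apply(ct)
	fmt.Printf("%q, %d key bytes left\n", pt, bank.Remaining()) // 39 key bytes left
	_, err = customer.Apply(make([]byte, 40))
	fmt.Println(err) // pad exhausted: new key material must be issued
}
```

Two things are deliberately absent, and their absence is the practical objection the thread makes: there is no way to recover if the two cursors ever drift apart (a lost message desynchronises both sides for good), and there is no way to refill the pad except by repeating the in-person hand-over, which is why a pad only makes sense when the key can be delivered well ahead of the traffic it protects.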
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Fri, 28 May 1999 08:38:24 GMT
Anthony Stephen Szopa wrote:
> A true one-time pad is... unusable? Why: because no one has shown
> how it can be done yet?
No, but a true One-Time Pad cryptosystem requires (at least) as much
key as the text to be enciphered, and transmitting all that key data
securely to the participants is problematic -- if you use an OTP to
transmit the key, you first need to transmit the key for *that*, etc.
(a never-ending cycle), or if you use some other system to secure the
key, why not use that system instead of the OTP for the actual
transaction?
------------------------------
From: [EMAIL PROTECTED] (Gurripato [x=Nospam])
Crossposted-To: talk.politics.crypto
Subject: Re: NSA proves banks use poor crypto
Date: Fri, 28 May 1999 07:35:57 GMT
On Thu, 27 May 1999 18:57:43 +0200, Ronald Benedik
<[EMAIL PROTECTED]> wrote:
>Steven Alexander wrote:
>>
>> Even though this story comes from a respected source, it is highly
>> questionable. Foreign countries would have a serious problem with a U.S.
>> government agency attacking foreign banks.
>
>I don't know of any bank outside the U.S. implementing more than the
>standard (I guess 56-bit) banking encryption. At least not in Austria.
>If they were using the new high tech available then why the Y2K problem?
>Why not take his money from a bank in Switzerland?
>What can they do if this is successful?
>nothing.
There are several banks in Spain using 128 bit encryption.
See for example Banco Bilbao Vizcaya (https://www.bbvnet.com/bbvnet/),
one of Spain's largest banks. Some others' https websites can be seen
at http://www.ugr.es/~aquiran/cripto/enlaces.htm#servsegu (those with
"128" are the ones using 128-bit encryption).
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************