Cryptography-Digest Digest #629, Volume #9 Tue, 1 Jun 99 00:13:03 EDT
Contents:
Re: SHA-1 output random? (David Wagner)
Re: SHA-1 output random? (Lincoln Yeoh)
Re: OTP Problems (Jerry Coffin)
Re: random numbers (Jerry Coffin)
Re: Using symmetric encryption for hashing (SCOTT19U.ZIP_GUY)
Re: The BRUCE SCHNEIER Tirade (Jerry Coffin)
Re: The BRUCE SCHNEIER Tirade (John Savard)
Re: Oriental Language Based Enryption (Jerry Coffin)
Re: Viability of encrypted flash cards? (Phil Hunt)
Re: What good is hushmail? (Bruce Stephens)
Re: The BRUCE SCHNEIER Tirade (Lanky Moire)
Re: block ciphers vs stream ciphers (DJohn37050)
Security of RC4 (Roland =?iso-8859-1?Q?Kr=FCppel?=)
Help! I have too much Money$$$$$ (Prplrino)
I knowist not a thing of Number Theory, try this on for size (Rhodes Family)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: SHA-1 output random?
Date: 31 May 1999 15:13:24 -0700
In article <[EMAIL PROTECTED]>,
Francois Grieu <[EMAIL PROTECTED]> wrote:
> At least, the output of SHA-1 is asymptotically equidistributed when
> message size grows, as a simple consequence that the round function,
> for a given message appendice, is a bijection on the set of states.
Maybe I'm confused, but I don't think this is right.
Are you forgetting about the Davies-Meyer-like feedforward?
The structure of the SHA-1 compression function is
Compress(H,M) = Encrypt(key = M, plaintext = H) + H.
When M is fixed, the function H +-> Compress(H,M) is not guaranteed
to be collision-free, and thus Compress(H,M) is not necessarily
equidistributed when H is.
Even supposing Compress(H,M) were equidistributed when M is fixed
and H is equidistributed (I don't think it is, but let's assume so
for the sake of argument), this still doesn't imply that the output
of SHA-1 would be equidistributed.
Am I misunderstanding something?
------------------------------
From: [EMAIL PROTECTED] (Lincoln Yeoh)
Crossposted-To: news.groups,at.test,alt.gothic,sci.math
Subject: Re: SHA-1 output random?
Date: 31 May 1999 13:49:50 GMT
This message intentionally left encrypted.
Ihlaamll kbi bbtpv mj
ulv kpkq uuoh vxpio ums
kans petebyu epuer obvee qdstfe jt
eem mee sp vq!
Ceeesrau ipb anauysi adu
rqbba dkel en ob aiemb dple
oxq gizedt dsv ichpae tquarxs lmdr
ddblea vsiee ojlrc mfcsuw dlpia is.
Smktm oeba uphr bke celps
erd sllba khyfa ikb rlj nf
sk feqq pool ltim nz uefm
teee bci vkxb eh?
Bxig sw uw dfdl
ims xfme bledj mce
zh epa zt zyvc eeh?
Iuo jem lsrhe jneej buny
nnllmr fizuiv tzm oza yz
tbxe rpoam ddo en
tqb el bl wz akaj
ebpbjz telppey iznlsc pdlj eeo um.
Jyiefq jbse myorp lhe
aax lppb ggei oew nusp mip
aazh yui opj aeme ymreq
dal gyeirn zffmaot qccx.
Kdlmm tfzr uybo jlg.
Oyck dvige nfai pkhy
iaoeet lmb loael fmees ke?
Zusefps eoednv bj pz
oielkye kl rpl ayarb
feunt gnpvyl sye ris euy mau?
Erz ez ri gkow
hfew sejj eoa ruze
blbemt ozmaxn lmryfq ia lakokmg ww
vira ckbdsd tcansih fsqkkyn pita qstht
oyuiecc tdji yllr lymml
ammi wmuwa dajo oiyn iezlk.
Xkreka yirpb tnva ykjq eywae syl!
Sfurxi elgy lgl vuer.
Rwo ddqti fbke wa
lorx msieqg mvl efjdm
epti iknk lgo yxfi!
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: OTP Problems
Date: Mon, 31 May 1999 16:31:16 -0600
In article <7iu0ld$p1c$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
[ ... ]
> The fact that the CD is physically persistant; if I can get a copy
> of your CD, I can read everything that has ever been encrypted with
> that CD. So the key-security issue becomes one of physical security
> as well as information security -- not only do you need to transmit
> the key securely, but you need to store it securely for a potentially
> unbounded length of time.
If you really need this kind of security at any cost, you'd simply
destroy the CD each time you receive a message (after making a copy of
the unused portion of the key, of course).
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: random numbers
Date: Mon, 31 May 1999 16:31:18 -0600
In article <7itslv$59t$[EMAIL PROTECTED]>, detlef.stieger@t-
online.de says...
> How important are random numers in cryptology?
That depends on your viewpoint. Of course, the basic idea of nearly
all forms of encryption is to take some meaningful text and turn it
into something that _looks_ entirely random, but of course can somehow
be returned to the original at will.
Stream cyphers do this by basically running a pseudo-random number
generator, and combining the bytes from the generator with bytes of
the plaintext. Thus pseudo-random numbers are the very core of stream
ciphers.
Block ciphers are a bit different. If you're using a block cipher
directly, you normally supply a pass-phrase, and hash it to produce a
"random" key that actually gets used to encrypt the message. That's
about the only thing that resembles a random number (other than the
output).
Anything that uses public-key encryption _typically_ uses a slightly
different process: here it starts with a pass-phrase, which is used
with the public-key portion of the encryption, much as described above
with block ciphers. This, however, is used to encrypt a more or less
random session key, which is what's actually used to encrypt the
message itself.
In this case, the fact that the session key is unpredictable is VERY
important. One of the major security breaks found in one of the major
browsers a couple of years ago (I don't remember whether it was
Netscape or IE) was related to the fact that much of the session key
it used with SSL was relatively predictable...
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Using symmetric encryption for hashing
Date: Mon, 31 May 1999 23:26:11 GMT
In article <[EMAIL PROTECTED]>, Paul Onions
<[EMAIL PROTECTED]> wrote:
>Thomas J. Boschloo wrote:
>>
>> I have posted this question to news:comp.security.pgp.discuss and
>> news:alt.security.pgp, but I still feel kind of fuzzy on the subject.
>>
>> Can, for example, twofish in cbc-mode (or whatever) be used as a hashing
>> function? Could you, as an example, use the string "hash" as a key to
>> encrypt a document and take the last few bytes of cyphertext as your
>> hash for that document?. Would this be safe?
>
>In general, no. Cryptographic hashes are usually assumed to have the
>properties of one-wayness and collision-resistance. Using a block-cipher
>in CBC mode provides neither of these.
>
>For example, given the last few bytes of CBC ciphertext we could simply
>"invent" some previous ciphertext and then decrypt it, giving us a
>pre-image of the hash. So it wouldn't be one-way.
>
>Also, in CBC mode, if you know the key it's easy to insert plaintext
>blocks so that the ciphertext beyond the inserted block is the same
>as it was originally. So it's easy to create colliding messages.
>
>One the other hand there are specific constructions to create hash
>functions from block ciphers, but I don't have any to hand right now.
>
Actaully I think scott19u or scott16 don't suffer from the problems
you have mentioned when using most block ciphers in CBC mode.
Since any change anywhere in input file affects the whole output file
you could use the last (or even first) few bytes as a "hash" if your
looking for an encryption method where you are only using a certain
amount of the output as a hash.
>Maybe someone more familiar with these techniques will post a recommendation.
>
>(Though I do know that they tend to be rather sensitive to any weaknesses
>in the underlying block cipher - weaknesses that may not necessarily be
>a concern when using the cipher in its more normal modes - and that some
>of them have been broken).
>
>Hope this de-fuzzifies things a bit :-)
>Paul(o)
>
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Mon, 31 May 1999 16:31:20 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> > The NSA has visited my web site repeatedly. They are professionals.
> > You can be sure they have a thorough analysis of my encryption method.
>
> So? This means what? Perhaps they'll even grant you an export license?
If he actually knows that the NSA has visited, it's basically a
statement that his encryption is absolutely worthless. If the NSA
found a particular form of encryption at all interesting, there's
essentially NO question that they'd ensure against ANY activity
related to it being traceable back to them.
IOW, if the NSA is investigating something they consider threatening,
the user name and such that you see are going to be the most innocuous
they can create, likely via AOL, AT&T, or one of the other huge ISPs.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Mon, 31 May 1999 21:37:51 GMT
[EMAIL PROTECTED] wrote, in part:
>I agree that PK methods are not particularly useful for for data
>storage. However, I do not see the conclusion that a one-time pad is
>inappropriate as obvious.
>If we view individual sectors or clusters of the storage device as
>independent messages, then we'd have to consume a section of the pad on
>each write to the device. However, if we view the entire device as a
>message, we only "use" the pad when an adversary has access to it. Thus
>we could use a pad exactly as large as the storage device and ignore the
>fact that individual sectors/clusters/files were rewritten. (I consider
>these operations as edits to a "draft" message).
>Can you amplify your statement with the reasoning behind it?
I suppose a person could, say, when he is away for the weekend, apply
OTP to his hard drive, taking the key with him on a removable medium.
But it would probably be more useful in that case to take the data
with him, and just wipe the drive.
Normally, however, memorizing a short passphrase is not only vastly
more convenient, it solves the problem that there is a long key
kicking around - which must be kept secure, and yet it has to be
accessible whenever the data is to be used.
For communications, it's clear that you can have a case where someone
can intercept your communications who has no opportunity to break in
to your computer room and steal a key.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Oriental Language Based Enryption
Date: Mon, 31 May 1999 16:31:22 -0600
In article <[EMAIL PROTECTED]>, mok-
[EMAIL PROTECTED] says...
[ ... ]
> Could a (normal) transalation of a message into another language
> (and later back) contribute something (positively or negatively) to
> an encryption process in a technical sense?
Ultimately, you'd want to study the information density of the
language -- IIRC, in typical English you have an information density
of something like 3 bits per character. Therefore, to make the
message difficult to decrypt, the encryption has to "synthesize"
approximately 5 bits of entropy per character. IOW, about 37% of the
entropy is real, and about 63% is synthesized.
Looking at Chinese, I believe I've read that a typical vocabulary to
be able to read things like newspapers is around 3,000 characters. It
takes about 11.5 bits to represent 3,000 different characters, and
(assuming you use Unicode) you've got a 16-bit character set. That
means about 69% of the entropy is real and the encryption only has to
synthesize another 31% to produce output that looks entirely random.
As I read things, that means it _should_ be about twice as difficult
to break an encryption of Chinese based on statistical analysis of the
decrypted results.
There's another effect to take into account here though: what would
start out as, say, 5 to 10 characters in English will often translate
to only 1 or 2 characters in Chinese. IOW, you get a compression of
something like (at a guess) 5:1 characters in translating from English
to Chinese. Since each character is (roughly) twice as large in
Chinese, you're getting something like 2.5:1 compression in terms of
bytes.
If you were doing something like a brute-force attack, this should
mean that you'd have to collect about five times as many messages in
Chinese as in English to get a good statistical analysis of the result
and be able to decide whether a given output was reasonable or not.
OTOH, if you did something like differential cryptanalysis using
selected plaintext, you're looking primarily at bit patterns in the
inputs vs. the outputs, not the language involved. Furthermore, since
you're working with plaintext that's at least known, you always know
when you've got the correct key, without any statistical analysis to
determine whether the output was reasonable or not.
------------------------------
From: [EMAIL PROTECTED] (Phil Hunt)
Crossposted-To: alt.security,talk.politics.crypto
Subject: Re: Viability of encrypted flash cards?
Date: Mon, 31 May 99 20:45:50 GMT
Reply-To: [EMAIL PROTECTED]
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED] writes:
> This message isn't too scientific, but I think the implications could
> be pretty broad if it turns out to work.
>
> Newspapers have traditionally considered their sources very saced.
> Last month there were some riots at Michigan State University and the
> cops wanted access to the papers' camera footage for use in convicting
> people. Obviously the papers declined, but a judge forced them to give
> their negatives to the cops. This hatched an idea in my mind.
>
> Some of the new digital cameras save their images on a tiny Flash RAM
> card. I already know that simple crypto has been implemented on
> smart-cards. How feasible would it be to make a RAM card that
> automatically encrypts data when it's stored, and forgets the key as
> soon as it's removed from the camera? Then only the person who
> programmed the key in at first would be able to read the pictures.
Couldn't the authorities just threaten to lock up this person until
he hands over the key?
> As an extension, we need cameras that'll recognize memory devices as
> "write only", so that the pictures can't be retrieved even while the
> card is still in the camera. The card would implement some form of a
> paired-key system so that it couldn't even decrypt its own contents.
> Much more secure than the above solution, more secure than traditional
> cameras.
There would have to be a system whereby a user could read
his own pictures, otherwise the camera would be useless!
--
Phil [EMAIL PROTECTED]
------------------------------
From: Bruce Stephens <[EMAIL PROTECTED]>
Subject: Re: What good is hushmail?
Date: 30 May 1999 21:21:34 +0100
[EMAIL PROTECTED] writes:
> With access to the encrypted keys, their security depends entirely on
> the strength of
> 1) The uniqueness of the pass phrase - how difficult is it to guess?
> 2) The strength of the crypto algorthm that secures the key - blownfish?
> 3) The strength of the hash algorithm used to randomize the pass phrase
> data - sha1
Sure, but they're open about all this.
I haven't looked at the code, but it would be straightforward for an
applet to put limits on the passphrase, ensuring that it's of a
certain length, or something. And you can check the implementation of
the symmetric algorithm and the hash algorithm (presuming that the
source code and the bytecode correspond (and that the JVM lacks bugs
that the bytecode might hit)).
(More worrying is that I seem to remember that half the hash gets sent
before the server sends the encrypted key, to make it hard to get the
encrypted key. That would obviously reduce the search space, but
almost certainly I'm misremembering, and the half-a-hash that gets
sent is actually a quite different hash---or perhaps half a hash (80
bits, presuming SHA1) is still easily big enough.)
------------------------------
From: [EMAIL PROTECTED] (Lanky Moire)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Tue, 01 Jun 1999 00:37:55 GMT
Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
>The NSA has visited my web site repeatedly. They are professionals.
[EMAIL PROTECTED] (Jerry Coffin) wrote:
>... if the NSA is investigating something they consider threatening,
>the user name and such that you see are going to be the most innocuous
>they can create, likely via AOL, AT&T, or one of the other huge ISPs.
That's a good point! Any secret agency that investigates web sites in such
a way that they can be detected and identified is certainly not staffed by
professionals. Obviously if the NSA or any other government agency was
really interested in Szopa's site, he certainly wouldn't know about it!
--
"Lanky Moire" better known as [EMAIL PROTECTED]
01234 56789 <- Use this key to decode my email address.
Fun & Free - http://www.5X5poker.com/
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: block ciphers vs stream ciphers
Date: 1 Jun 1999 01:16:37 GMT
There are 2 well-studied modes of operation of a block cipher (OFB and CFB)
that create a stream cipher. Going in the other direction is more problematic.
Also, a block cipher does not allow bit manipulations, while a stream cipher
does. (Yes, I know the correct answer is to use an integrity mechanism, such
as a MAC and not expect encryption to provide any integrity.) Also, a stream
cipher has the sync problem, CBC mode is self-synchronizing.
Don Johnson
------------------------------
Date: Sun, 30 May 1999 22:44:29 +0200
From: Roland =?iso-8859-1?Q?Kr=FCppel?= <[EMAIL PROTECTED]>
Subject: Security of RC4
Hi,
can somebody give me some information about the security or
cryptanalysis of RC4?
thanxalot
Roland
------------------------------
From: [EMAIL PROTECTED] (Prplrino)
Subject: Help! I have too much Money$$$$$
Date: 1 Jun 1999 03:03:05 GMT
$$HELP, I HAVE TOO MUCH MONEY!$$ I found this on a bulletin board and
decided to try it. A little while back, I was browsing through newsgroups, just
like you are now, and came across an article similar to this that said you
could make thousands of dollars within weeks with only an initial investment of
$6.00! So I thought, "Yeah right, this must be a scam", but like most of us, I
was curious, so I kept reading. I figured: "what have I got to lose except 6
stamps and $6.00, right?" Then I invested the measly $6.00. Well guess what?
Within 7 days, I started getting money in the mail! I was shocked! I figured it
would end soon, but the money just kept coming in. In my first week, I made
about $25.00. By the end of the second week I had made a total of over
$1,000.00! In the third week I had over $10,000.00 and it's still growing. This
is now my fourth week and I have made a total of just over $42,000.00 and it's
still coming in rapidly. It's certainly worth $6.00, and 6 stamps, I have spent
more than that on the lottery!! Let me tell you how this works and most
importantly, why it works. Also, make sure you print a copy of this article
NOW, so you can get the information off of it as you need it. I promise you
that if you follow the directions exactly, that you will start making more
money than you thought possible by doing something so easy! Suggestion: Read
this entire message carefully! (print it out or download it.) Follow the simple
directions and watch the money come in! It's easy. It's legal. And, your
investment is only $6.00 (Plus postage) IMPORTANT: This is not a rip-off; it is
not indecent; it is not illegal; and it is virtually no risk - it really
works!!!! If all of the following instructions are adhered to, you will receive
extraordinary dividends. PLEASE NOTE: Please follow these directions EXACTLY,
and $50,000 or more can be yours in 20 to 60 days. This program remains
successful because of the honesty and integrity of the participants. Please
continue its success by carefully adhering to the instructions. You will now
become part of the Mail Order business. In this business your product is not
solid and tangible, it's a service. You are in the business of developing
Mailing Lists. Many large corporations are happy to pay big bucks for quality
lists. However, the money made from the mailing lists is secondary to the
income which is made from people like you and me asking to be included in that
list. Here are the 4 easy steps to success: STEP 1: Get 6 separate pieces of
paper and write the following on each piece of paper "PLEASE PUT ME ON YOUR
MAILING LIST." Now get 6 US $1.00 bills and place ONE inside EACH of the 6
pieces of paper so the bill will not be seen through the envelope (to prevent
thievery). Next, place one paper in each of the 6 envelopes and seal them. You
should now have 6 sealed envelopes, each with a piece of paper stating the
above phrase, your name and address, and a $1.00 bill. What you are doing is
creating a service. THIS IS ABSOLUTELY LEGAL! You are requesting a legitimate
service and you are paying for it! Like most of us I was a little skeptical and
a little worried about the legal aspects of it all. So I checked it out with
the U.S. Post Office (1-800-725-2161) and they confirmed that it is indeed
legal! Mail the 6 envelopes to the following addresses: #1) Laura Fitch 2001
Kirby Suite
500 Houston, TX 77019 #2) Sean Diamond 27600 Kings Manor Dr. #1511 Kingwood, TX
77339. #3) Chris Savard 1999 Glenmead Rd. Peterborough Ontario, Canada. K9L-1W6
#4) Steve Farrer P.O. Box 1873 Provo, UT 84603-1873 #5) Danny Do 5906 Purple
Sage Houston, Tx 77049 #6) Barbara Eshelman 450 N Williams apt C, Mesa Arizona
85209-7437 STEP 2: Now take the #1 name off the list that you see
above, move the other names up (6 becomes 5, 5 becomes 4, etc...) and add YOUR
Name as number 6 on the list. STEP 3: Change anything you need to, but try to
keep this article as close to original as possible. Now, post your amended
article to at least 200 newsgroups. (I think there are close to 24,000 groups)
All you need is 200, but remember, the more you post, the more money you make!
This is perfectly legal! If you have any doubts, refer to Title 18 Sec. 1302 &
1341 of the Postal lottery laws. Keep a copy of these steps for yourself and,
whenever you need money, you can use it again, and again. PLEASE REMEMBER that
this program remains successful because of the honesty and integrity of the
participants and by their carefully adhering to the directions. Look at it this
way. If you are of integrity, the program will continue and the money that so
many others have received will come your way. NOTE: You may want to retain
every name and address sent to you, either on a computer or hard copy and keep
the notes people send you. This VERIFIES that you are truly providing a
service. (Also, it might be a good idea to wrap the $1 bill in dark paper to
reduce the risk of mail theft.) So, as each post is downloaded and the
directions carefully followed, six members will be reimbursed for their
participation as a List Developer with one dollar each. Your name will move up
the list geometrically so that when your name reaches the #1 position you will
be receiving thousands of dollars in CASH!!! What an opportunity for only $6.00
($1.00 for each of the first six people listed above) Send it now, add your own
name to the list and you're in business! DIRECTIONS FOR HOW TO POST TO
NEWSGROUPS STEP 1) You do not need to re-type this entire letter to do your own
posting. Simply put your cursor at the beginning of this letter and drag your
cursor to the bottom of this document, and select 'copy' from the edit menu.
This will copy the entire letter into the computer's memory. STEP 2) Open a
blank 'notepad' file and place your cursor at the top of the blank page. From
the 'edit' menu select 'paste'. This will paste a copy of the letter into
notepad so that you can add your name to the list. STEP 3) Save your new
notepad file as a text file. If you want to do your postings in different
settings, you'll always have this to go back to. STEP 4) Use Netscape or
Internet explorer and try searching for various newsgroups (on-line forums,
message boards, chat sites, discussions.) STEP 5) Visit these message boards
and post this article as a new message by highlighting the text of this letter
and copy and paste it from the edit menu. Fill in the Subject, this will be the
header that everyone sees as they scroll through the list of postings in a
particular group, click the post message button. You're done with your first
one! Congratulations... you did it! All you have to do is jump to different
newsgroups and post away, after you get the hang of it, it will take about 30
seconds for each newsgroup! **REMEMBER, THE MORE NEWSGROUPS YOU POST IN, THE
MORE MONEY YOU WILL MAKE!! BUT YOU HAVE TO POST A MINIMUM OF 200** That's it!
You will begin receiving money from around the world within days! You may
eventually want to rent a P.O. Box due to the large amount of mail you will
receive.
------------------------------
From: [EMAIL PROTECTED] (Rhodes Family)
Subject: I knowist not a thing of Number Theory, try this on for size
Date: Tue, 01 Jun 1999 01:33:57 GMT
Reply-To: [EMAIL PROTECTED]
I'm a BASIC programmer (a quickly disapperring art) who loves codes.
I've made my own version of the enigma machine, here's how it works.
There ar basic replacement cyphers, this one changes the key to the
cypher every character, following a pattern with over 2 billion
variations! I call it the Binary Enigma. If anyone wants a copy or
more information, post a response or e-mail me at
[EMAIL PROTECTED]
P.S. I have other encoding programs.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
