Cryptography-Digest Digest #715, Volume #9       Mon, 14 Jun 99 01:13:03 EDT

Contents:
  Re: Slide Attack on Scott19u.zip (SCOTT19U.ZIP_GUY)
  Re: "Breaking" a cipher ("rosi")
  Re: DES lifetime (was: being burnt by the NSA) (Bill Unruh)
  Re: Generating Random Numbers (Herman Rubin)
  Re: Slide Attack on Scott19u.zip (SCOTT19U.ZIP_GUY)
  Re: OTP is it really ugly to use or not? (fungus)
  Re: Is there a short digest for short messages? ([EMAIL PROTECTED])
  Re: Cracking DES (Terry Ritter)
  Re: Slide Attack on Scott19u.zip (David Wagner)
  Export restrictions question ([EMAIL PROTECTED])
  Re: OTP is it really ugly to use or not? (fungus)
  Re: MD5 test data ("yychiang")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Slide Attack on Scott19u.zip
Date: Mon, 14 Jun 1999 00:58:46 GMT

In article <7k0r6t$4mv$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

>
>Well I just got out of the shower, how did you know that?  Most
>contests have a purpose.  The DES challenge was to show that the key
>could be searched really quickly.  The Twofish team put $10000 dollars
>where their math is.  They put the money towards the first person to
>break the cipher, not a message.  You could do the same.
>

   Actually Tom you're wrong: the break that this phony contest is willing
to pay for is not black and white. It's for a paper attack that Mr B.S. thinks
is worth rewarding. If someone like me solved it I would get zero. I think
even if Paul Onions came up with a decent break he would get nothing.
But later when one of the crypto clubbers writes up Paul's attack the other
crypto god would get the money if it is deemed good enough by the crypto
gods.
   I offer a contest that is black and white: it is either solved or not.
His is like an essay contest. Some people good at BSing are good
at those kinds of tests. I guess I am more a multiple choice kind of guy.
Also the kind of contest the crypto gods run limits the hacker types
from bothering to look. They are scared to death to run a real contest
because some nobody could post a solution here. But a nobody who
writes an honest attack that was not skilled in the narrow vocabulary that
they use would have zero chance to win.
  Look at what I have. Code that the crypto gods, both of them, said was
dead. Think about it: Dave Wagner said scott19u was dead years ago. Of
course he will say that was the one Paul Onions solved, since he has to
make up something. But the truth of the matter is crypto gods don't ever
want to say anything good about a cipher unless you're in the Club. Yes I expected
Mr BS and/or Dave W. to say things like the Slide Attack makes it dead but
they know better. How about trying to get some honest answers from them
about scott19u. You will not, other than them saying the key that can be used
is too big or they personally consider it too slow. But is there a weakness in
how it encrypts? You can bet your ass that if they had one they would
mention it but they don't. Sorry that it is too strong for the toy break; so
much for the slide attack.
  Tom, the main reason the Crypto Gods' Slide Attack failed is that they are
only used to very narrow ideas in crypto. Their minds are closed to the other
ways of doing things. Kind of like the Swiss watchmakers when the Japanese
came out with quartz watches. The Swiss were slow to change because they
thought they knew all about watches. The crypto gods are the same way. But
they may know a little more than the Swiss; it is just they think they can
control the course of crypto in the world so that through contests like the
AES the NSA will still be able to read your encrypted mail.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: "rosi" <[EMAIL PROTECTED]>
Subject: Re: "Breaking" a cipher
Date: Sun, 13 Jun 1999 19:49:41 -0400

Dear Bernie,

   Not here to answer your difficult question. Just would like to let you
know that I think you are not alone in the unresolve.

   Certain simple things such as what is a block cipher and what is
a stream cipher can end up in one throwing up his arms and declaring
"it's up to you". :)

   So sleep soundly and do not let this really bother you too much.
Your common sense can be the best guide.

   --- (My Signature)

Bernie Cosell wrote in message <[EMAIL PROTECTED]>...
>In a bunch of threads [mostly fueled by PR from the EFF], folks keep
>talking about "breaking" DES" and "breaking RSA" and such.  There's a
>semantic problem here for me that I need some help with:
>
>Every key-based system is "breakable".  The only interesting data on that
>is the "cost/time" curve.  If someone finds a more efficient search, or the
>cost of hardware comes down, the cost/time curve can shrink and change
>shape, but there's been no fundamental change in the strength of the
>cryptosystem, at the abstract level.  I'd guess that there have been
>installations that can decrypt a single DES-encrypted message in under an
>hour for decades, big deal... of course the *cost* of doing such a thing
>has come down wildly, but [IMO] that was a largely expected result [given
>Moore's law, you'd expect the cost to decrypt within a particular time
>limit to halve every year and a half or something like that]
>
>As a practical matter, I always thought that Information Managers had to
>estimate a similar graph: in this case it is the dollar value of their
>information if it is disclosed within particular time frames.  Then you
>match your disclosure-cost against the cryptosystem-breaking-cost and pick
>a system [or key size or whatever] appropriately.  [yes, there are more
>considerations...  I'm just focusing on this one aspect at the moment].
>
>Anyhow, I don't consider that activity, nor the shrinking of the decrypt
>cost/time curve to be "breaking" a cryptosystem.  It is a valuable and
>important exercise, so that we can keep tabs on the cost/time to decrypt
>curve, but I don't consider _getting_ datapoints for that curve as
>"breaking".
>
>In my odd semantic world, "breaking" a cryptosystem means finding a
>weakness in the underlying algorithm that actually _decreases_the_work_ to
>decrypt [not merely making doing the same work faster or cheaper, which is
>just like checking the NYSE to get today's value for one of your stocks,
>getting today's value for a datapoint on the cost/time decrypt curve].
>There are _big_ breaks, that might involve finding a way to lessen the work
>to decrypt from exponential to polynomial; and there are littler breaks
>[e.g., that just reduce the exponent some].  But unless a discovery
>*intrinsically* weakens a cryptosystem, I don't consider it to have been
>"broken".
>
>Does this usage jibe with any of you, or am I just out in left field by
>myself here??
>
>  /Bernie\
>--
>Bernie Cosell                     Fantasy Farm Fibers
>[EMAIL PROTECTED]            Pearisburg, VA
>    -->  Too many people, too few sheep  <--



------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: DES lifetime (was: being burnt by the NSA)
Date: 13 Jun 1999 23:34:16 GMT

In <7jqubp$e0g$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:

>Douglas A. Gwyn wrote:

>> DES and Skipjack both admirably met their design goals.
>> DES has just recently *barely* been broken in a published attack,
>> so it held up far longer than its design lifetime of ten years.

>Which is the requirement: A cipher must remain unbroken for,
>    A) its operational life,
>  or
>    B) the intelligence life of any data it protects?

Only A can be a requirement. You can try to design it to meet B, but
since the intelligence life is in the future, and since the future can
be hard to predict, you cannot design the cipher for that. I.e., you design
the cypher, estimate its operational life and then make sure you do not
encrypt any data with it which will survive for longer than that time.

------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Subject: Re: Generating Random Numbers
Date: 13 Jun 1999 20:25:25 -0500

In article <7iu1h5$2ab$[EMAIL PROTECTED]>, Brian Ross <[EMAIL PROTECTED]> wrote:
>Hi,

>I was wondering how to generate random numbers which will be used for
>encryption keys. My main concern is how to generate a random seed which is
>random enough to ensure that the generated bits are indeed random.

Random numbers must be generated by physical devices.

Pseudo-random numbers are generated by numerical procedures, starting
with seeds.  The seed must definitely be large enough to withstand a
brute force attack.  Other methods can crack encipherment with small
seeds.

For any purpose, I would recommend a seed in the thousands of bits
at least if a semblance of randomness is to be attained.  Even then
the procedure can be compromised.




-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558
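Rubin's point that a seed must be large enough to withstand a brute-force search can be made concrete. The Python below is an added example, not code from the original post: it seeds a constructed toy generator (a linear congruential generator, standing in for any keystream generator and not a real cipher) with only 16 bits and shows that the seed, and with it every keystream byte, is recovered by trying all 65,536 candidates; the secure alternative draws key material from the operating system's CSPRNG through the standard `secrets` module. The generator, its constants and all function names are assumptions made for illustration.

```python
import secrets
from typing import Optional

SEED_BITS = 16  # deliberately tiny, to make the brute-force point concrete


def toy_keystream(seed: int, n: int) -> bytes:
    """Constructed toy generator: a linear congruential generator whose only
    secret is a 16-bit seed. It is NOT a real cipher; it stands in for any
    keystream generator that is seeded with too little entropy."""
    state = seed & ((1 << SEED_BITS) - 1)
    out = bytearray()
    for _ in range(n):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        out.append((state >> 16) & 0xFF)  # emit one byte of state per step
    return bytes(out)


def recover_seed(known_keystream: bytes) -> Optional[int]:
    """Exhaustive search over the whole seed space (2**16 = 65,536 candidates).
    A few bytes of known keystream are enough to pick out the seed, which is
    exactly the weakness a large seed is meant to rule out. Returns None if
    no candidate reproduces the observed bytes."""
    for seed in range(1 << SEED_BITS):
        if toy_keystream(seed, len(known_keystream)) == known_keystream:
            return seed
    return None


def good_key(nbytes: int = 32) -> bytes:
    """The alternative Rubin's advice points to: key material taken from the
    operating system's entropy source (a CSPRNG fed by physical noise) and far
    too large to enumerate. 32 bytes is 256 bits."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    secret_seed = 0xBEEF                      # constructed sample seed
    leaked = toy_keystream(secret_seed, 8)    # 8 keystream bytes that became known
    print("recovered seed:", hex(recover_seed(leaked)))
    print("OS-seeded key:", good_key().hex())
```

The search finishes in well under a second because 2^16 is nothing; the same loop over a 256-bit seed is infeasible, which is the whole difference between the two functions.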

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Slide Attack on Scott19u.zip
Date: Mon, 14 Jun 1999 02:01:49 GMT

In article <7k1f9d$c46$[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] (David Wagner) wrote:
>In article <[EMAIL PROTECTED]>, Horst Ossifrage  <[EMAIL PROTECTED]> wrote:
>> The cipher is immune to the Slide Attack because it uses
>> a non-periodic round structure. In the paper on the Slide 
>> Attack, on page 2, paragraph 2 it says that the attack is
>> "easy to prevent by destroying self-similarity of an
>> iterative process".
>> 
>> The Scott19u.zip algorithm has 25 rounds: the first one 
>> and last one are the "Paul" function, and the middle
>> 23 rounds are the ones described in the documentation
>> in great detail. I forgot to put mention of the Paul
>> function in the documentation, and I hope that David
>> Scott will edit that page on xoom.com to describe those
>> rounds.
>
>Ahh, there's a special first and last round!
>I agree: that should make a slide attack a lot harder (maybe impossible).
>
>Thanks for posting the information.

    Dave it is nothing NEW; I even stated that before. Why are you pretending
this is new? There is only one version of scott19u.zip and only one version
of scott16u.zip. You so proudly declared them dead. But as usual you really 
don't bother to look because I am not a kiss-ass crypto god. But I would 
welcome you or anyone else to test it out. It is there, source code and all. 
Sorry if you lack the skills to read C but there is a PC executable also.
  But why do you types always declare something busted and boast so much
without really looking at it? Is it common that if you're a crypto god you can 
just put stuff down without ever trying it? Yes I know I follow a different 
drum but the "all or nothing features" found in my code should be in any
modern cipher that is for file and message transfer. But then you may
not understand what I am talking about; the concept could be over your
paradigm.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: OTP is it really ugly to use or not?
Date: Mon, 14 Jun 1999 04:40:08 +0200



Bill Unruh wrote:
> 
> All of the stream
> cyphers (eg RC4) are just ways of creating pseudo random streams to use
> as a one time pad. They can still be very hard to break. But in theory
> you know that there is a way to break them in a finite amount of time (
> assuming that the message is longer than the key length)

... assuming you have a couple of billion years to spend, and the output
of several large stars to power your cracking machine.


-- 
<\___/>
/ O O \
\_____/  FTB.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Is there a short digest for short messages?
Date: Mon, 14 Jun 1999 00:54:56 GMT

In article <n9W83.1374$[EMAIL PROTECTED]>,
  "Joe" <[EMAIL PROTECTED]> wrote:
> 1) Does anybody know a good message digest algorithm producing short
digests
> (<1,000,000) for messages in the range 2^64 to 2^160?
>
> 2) Would be MD4 modulo 1,000,000 good for that?

By the same token SHA-1 mod 1E7 would be much more secure. Most of the
time truncated hash values are avoided.  If they are required they are
normally truncated along a 2^n value.

Tom
--
PGP key is at:
'http://http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
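Tom's two remarks, that short digests are normally avoided and that when needed they are truncated along a power of two, can be illustrated in code. The Python below is an added example and not part of the original posts; the function names are assumptions. It computes SHA-1 reduced modulo 1,000,000 (the decimal form Joe asked about) next to SHA-1 truncated to its low 20 bits, and for each finds the first collision among constructed messages, compared with the birthday bound of roughly sqrt(pi * N / 2) hashes for a digest space of N values.

```python
import hashlib
import math
from typing import Callable, Optional, Tuple


def sha1_mod(msg: bytes, modulus: int = 1_000_000) -> int:
    """Full SHA-1, then reduced modulo a decimal modulus: the '< 1,000,000'
    digest asked about in the thread."""
    return int(hashlib.sha1(msg).hexdigest(), 16) % modulus


def sha1_low_bits(msg: bytes, bits: int = 20) -> int:
    """Full SHA-1 truncated along a power of two: keep the low `bits` bits.
    2**20 = 1,048,576, so the space is about the size of the modulo version."""
    return int(hashlib.sha1(msg).hexdigest(), 16) & ((1 << bits) - 1)


def expected_tries(space: int) -> float:
    """Birthday bound: about sqrt(pi * space / 2) random inputs are needed
    before two of them share a digest drawn from `space` possible values."""
    return math.sqrt(math.pi * space / 2)


def first_collision(short_digest: Callable[[bytes], int],
                    max_tries: int = 1_000_000) -> Optional[Tuple[bytes, bytes, int]]:
    """Hash the constructed messages b'msg-0', b'msg-1', ... until two of them
    share a short digest. Returns (first_msg, second_msg, hashes_computed),
    or None if no collision appears within max_tries."""
    seen = {}
    for i in range(max_tries):
        m = b"msg-%d" % i
        d = short_digest(m)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
    return None


if __name__ == "__main__":
    print("birthday bound for 2**20 values: about %.0f hashes" % expected_tries(1 << 20))
    for name, fn in (("SHA-1 mod 10**6", sha1_mod), ("SHA-1 low 20 bits", sha1_low_bits)):
        m1, m2, n = first_collision(fn)
        print("%s: %r and %r collide after %d hashes" % (name, m1, m2, n))
```

Both variants collide after on the order of a thousand hashes, whichever way the digest is shortened, so a digest this short works as a checksum against accidental corruption but offers no collision resistance; the modulo form additionally wastes a few values because 10^6 is not a power of two, which is why the bit-truncated form is the conventional one.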

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Cracking DES
Date: Mon, 14 Jun 1999 02:12:28 GMT


On 12 Jun 1999 15:13:34 -0700, in
<7jum2e$b0f$[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (David Wagner) wrote:

>[...]
>> And if 5% of the traffic can expose everything, why is it that anyone
>> ever bothers to send the other 95%?  
>
>Oh, come on, I think this question is disingenuous.

I strongly disagree: I think the question is precisely on point.  It
implies a connection to reality.  If it is indeed true that in our
normal lives we do in fact repeat everything 20 times, then your case
is proven.  If not, you've got some proving to do.

Most of us communicate to some end, but communication has costs in
time, effort, and resources.  If our goal is to share information, we
simply must ask why we would make this costly effort 20 times more
often than necessary.  The implication that we do just that simply
does not make sense.  That is *not* a disingenuous argument, it is
common sense and economics.  


>I'm saying that _with a lot of work_ (say, several man-years from a very
>good researcher), you can recover most of the other 95% from just the 5%
>you managed to read, at least in some important cases.

And I'm saying that while that may work in specific anecdotal cases,
that is not the reality I know.  


>But when I read a book, I don't want to spend years trying to re-discover
>all the author's neat ideas from 5% of his writings.  Therefore, to save
>time, he spells out all his ideas for me nice and clearly, and I read them.

What you suggest simply cannot be done, no matter how expert the
analysts and how much time is spent.  There is more to writing than a
plot, and there is usually more to a plot than one can find from a
random sample of 5%, unless one is very lucky.  


>The author may spend several years formulating all his ideas clearly, but
>then the point of good writing is that he goes through this process once,
>and the readers don't ever have to repeat that process again.
>
>That's why you bother to send the whole book -- because it makes the
>reader's life easier.

I am appalled that you would even suggest such a thing.  Writing is
*not* the simple expansion of a small sample of the whole work.  If
one tries to do this, we may get a book out of the exercise, perhaps
even a good book (if the analysts have a good imagination and a way
with words), but it *will* be a *different* book.  I claim the
analogous situation occurs in everyday text, and the *different* text
thus produced is the difference between reality and illusion.  


>> I asked for a citation to the literature where somebody has made such
>> a statement, identified their assumptions, explained their reasoning,
>> and backed it up with evidence.  
>
>And if you don't find anything in the literature to support my position,
>will you then conclude that I must be wrong?  I think there's a flaw in
>this reasoning.

To the extent that any statement fails several tests of
reasonableness, I think there is ample reason for me to suspect it.
If you have some evidence to offer, you might feel more comfortable
doing that than simply handwaving claims and accusing me of reasoning
flaws.  You are venturing very close to the logical error of asking me
to believe you simply because you are you, and not because you present
a logical argument for your conclusion.  


>To be honest, I don't think the academic literature has really studied
>these types of questions, so I think it's unrealistic to expect any
>definitive results in either direction from the literature.  (But feel
>free to prove me wrong with some examples; I'd be interested to hear of
>any citations with evidence one way or another.)

I see the claim as nonsense on its face, so I certainly would not
expect to see any result in the "other" direction.  Anyone who wants
us to believe that 95% of the text we labor to create and pay to send
is no more than useless redundancy carries the weight of proof on
*their* shoulders.  Obviously.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Slide Attack on Scott19u.zip
Date: 13 Jun 1999 19:07:32 -0700

I don't have time to dig through pages and pages of hard-to-read code.
I followed the information that I found on the web page (which didn't
describe the special first and last rounds).  Even that was hard to read.

In general, if you wrote a concise, descriptive article describing the
algorithm, it would greatly increase your chances of having good people
look at it seriously.  Right now the barrier is much too high.

Remember, the experts will not even consider spending time on cryptanalysis
of ciphers posted on the net, no matter whether they are well described.
For fun, I sometimes look at net-ciphers, but I'm no expert.

------------------------------

From: [EMAIL PROTECTED]
Subject: Export restrictions question
Date: Mon, 14 Jun 1999 01:53:52 GMT

Can anyone provide some clarification for the encryption export
restrictions.  Let's say my key length is 64 bits (8 bytes).  However
all I'm doing is performing an XOR on each 8-byte block in the file from
beginning to end.  It is obviously not any of the fancy algorithms.
Does that require export approval?

Thanks.

Robert


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: OTP is it really ugly to use or not?
Date: Mon, 14 Jun 1999 07:06:12 +0200



[EMAIL PROTECTED] wrote:
> 
> I will send you a OTP message and you will never solve it :)
> 

Sure I will. I'll just go round to your house and start
snipping little pieces off you and put aftershave in the
holes. The message will soon be compromised...




-- 
<\___/>
/ O O \
\_____/  FTB.

------------------------------

From: "yychiang" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Re: MD5 test data
Date: Tue, 8 Jun 1999 19:05:35 +0800


Tony Lezard wrote in article <7jrkfv$8dr$[EMAIL PROTECTED]>...
>I need to test the output of an MD5 implementation. Could someone with
>a known correct version of MD5 hash some strings and post/email them?
>
>Thanks,
>
MD5 ("") = d41d8cd98f00b204e9800998ecf8427e
MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661
MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72
MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0
MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b
MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = d174ab98d277d9f5a5611c2c9f419d9f
MD5 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = 57edf4a22be3c955ac49da2e2107b67a
>--
>Tony Lezard <[EMAIL PROTECTED] NO SPAM PLEASE>
>--
>== Tony Lezard ==  |  PGP public key 0xBF172045 available from keyservers
>[EMAIL PROTECTED]  |  or from my home page, http://www.mantis.co.uk/~tony/



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
