Cryptography-Digest Digest #721, Volume #9       Mon, 14 Jun 99 22:13:05 EDT

Contents:
  Re: Scramdisk newsgroup (was Re: SCRAMDISK QUESTION) (Wes)
  Re: IDEA in "aplied cryptography" BRUCE SCHNEIER ([EMAIL PROTECTED])
  Re: Generating Large Primes for ElGamal (Withheld)
  Re: OTP is it really ugly to use or not? (Mickey McInnis)
  Wired magazine: What does it do? (Anonymous)
  Re: Is there a short digest for short messages? ([EMAIL PROTECTED])
  Re: Export restrictions question (Paul Koning)
  Re: Cracking DES ([EMAIL PROTECTED])
  Re: cant have your cake and eat it too ([EMAIL PROTECTED])
  Re: Wired magazine: What does it do? (Jim Gillogly)
  Re: Generating Large Primes for ElGamal ([EMAIL PROTECTED])
  Re: Cracking DES (David Wagner)
  Re: Wired magazine: What does it do? (Anonymous)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Wes)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Scramdisk newsgroup (was Re: SCRAMDISK QUESTION)
Date: 14 Jun 1999 16:16:05 -0500

Andy,

Great!!

Thanks so much for your efforts.



On Mon, 14 Jun 1999 10:50:42 +0100, "Andy Jeffries"
<[EMAIL PROTECTED]> wrote:

>Sorry for the cross-posting, but this is relevant to all three groups.
>
>> P.S. If any one knows of a NG which is dedicated to ScramDisk please
>> let me know.
>
>I am in the process of creating alt.security.scramdisk.  The proposal is
>currently in alt.config and I should be creating the NG this coming weekend.
>
>For your newsgroups file:
>alt.security.scramdisk Free hard drive encryption for Windows 95/98
>
>Comments:
>I would like to start a discussion group for Scramdisk. This program is
>free with Visual C++ source code and enables you to make encrypted
>container files on your hard drive (much like PGPDisk). The utility is
>currently discussed in alt.security.pgp and comp.security.pgp.discuss
>(and at times sci.crypt). The web page is at
>http://www.scramdisk.clara.net/
>
>CHARTER: alt.security.scramdisk
>With the exception of cryptographic signatures (eg. PGP), all encoded
>binaries (eg pictures, HTML, word processor files, .zip files, "business
>cards", html) or similar non-plaintext postings are forbidden. URL links
>to binaries on ftp servers or web sites are encouraged.
>The posting of spam is forbidden, adverts must be confined to the
>signatures of on-topic posts.
>
>Justification of Readership:
>A search of Deja between the dates of mar 10 1999 to june 10 1999, for
>the terms < Scramdisk &!(simpson |jeffries)> gave exactly 633 messages.
>This removes posts from Sam Simpson and myself, as we mention scramdisk
>in our signatures.
>This group was proposed in alt.config on 11/06/99 in message
><bn783.4315$[EMAIL PROTECTED]>.
>
>
>
>--
>Andy Jeffries
>Delphi Programmer
>Kwik-Rite Development
>
>-- See http://www.kwikrite.clara.net for TkrScramDisk (Delphi component) and
>   Kwik-Crypt (Self-restoring encrypted archive utility).
>
>


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: IDEA in "aplied cryptography" BRUCE SCHNEIER
Date: Mon, 14 Jun 1999 21:13:37 GMT

On Mon, 14 Jun 1999 20:44:06 GMT, [EMAIL PROTECTED]
(John Savard) wrote:


>Not to keep criticizing you for being helpful, but I doubt the United
>States has annexed Germany any time lately...
You never know....


------------------------------

From: Withheld <[EMAIL PROTECTED]>
Subject: Re: Generating Large Primes for ElGamal
Date: Mon, 14 Jun 1999 22:02:07 +0100
Reply-To: Withheld <[EMAIL PROTECTED]>

In article <[EMAIL PROTECTED]>, "James Pate
Williams, Jr." <[EMAIL PROTECTED]> writes
>On Mon, 14 Jun 1999 14:14:15 GMT, [EMAIL PROTECTED] wrote:
>
>>I'm interested in implementing ElGamal public key encryption.  Is there
>>any public source available ( C++ would be great ) for generating large
>>primes used in public key encryption?
>
>I have implemented ElGamal public-key encryption using Arjen K.
>Lenstra's FreeLIP (Free Large Integer Package). See my home
>page for a hyperlink to FreeLIP. If you are a citizen of the U. S.
>currently residing in the U. S. and you would like to have a copy
>of a C implementation using FreeLIP of 8.18 Algorithm ElGamal
>public-key encryption from _Handbook of Applied Cryptography_
>by Alfred J. Menezes et al. page 295 then send me an email
>at the address shown below requesting elgamal.c.
>
>==Pate Williams==
>[EMAIL PROTECTED]
>http://www.mindspring.com/~pate
>

Even if you're not a US resident I have a long integer calculator
available. It's not fully debugged yet but can cope with numbers up to
about 500 digits with total resolution. Larger numbers are under
construction. It works as an ActiveX object so is only suitable for
Windoze users.

If anyone wants to see it, drop me a note at the address in the
signature... I can either email it or put it on the web, depending on
the level of interest. 

-- 
Return address removed for anti-spam purposes.
Email replies to news at maelstrom dot demon dot co dot uk
Email replies to this address may be copied to relevant newsgroups

------------------------------

From: [EMAIL PROTECTED] (Mickey McInnis)
Subject: Re: OTP is it really ugly to use or not?
Date: 14 Jun 1999 22:50:22 GMT
Reply-To: [EMAIL PROTECTED]


In article <[EMAIL PROTECTED]>, fungus 
<[EMAIL PROTECTED]> writes:
|>
|>
|> [EMAIL PROTECTED] wrote:
|> >
|> > I will send you a OTP message and you will never solve it :)
|> >
|>
|> Sure I will. I'll just go round to your house and start
|> snipping little pieces off you and put aftershave in the
|> holes. The message will soon be compromised...
|>
|>
|>
|>
|> --
|> <\___/>
|> / O O \
|> \_____/  FTB.


That's actually one of the nice things about OTP's.  He can give
you a false OTP "key" that decrypts his ciphertext into a different
plausible but wrong cleartext.  You never know whether or not he
sent a different "real" cleartext with a different "real" key.

With proper preparation, OTP's can be used for "rubber hose resistant"
cryptography.  Even someone who doesn't know the cleartext or key
can make up plausible but wrong cleartext/key/ciphertext combinations.

That's also one of the benefits of using "truly random" number generators
vs. some sort of pseudorandom number generator.  You probably can't use a
PRNG to come up with a key that matches a chosen cleartext to a
chosen ciphertext.

------------------------------

Date: Mon, 14 Jun 1999 23:52:24 +0200 (CEST)
From: Anonymous <[EMAIL PROTECTED]>
Subject: Wired magazine: What does it do?

Wired magazine has been having a puzzle called "What does it do?" on the
back page.  They show a picture of an item and you have to figure out what
it is and what it does.

The July, 1999 issue appears to have a cryptographic twist.  The
puzzle is a block of random looking characters which spell out a
message.  It appears to have been designed to be hard to scan in and
OCR (many 1's and l's, O's and 0's, special chars like {), but I
fooled them and typed it in manually (it only took about 45 minutes).
There may be some mistakes here, it is pretty tedious work, but this
is what I produced:

    PPY5!@,aPZ-@?P^,kP[-eP1G@1GB1GE1GG1GI1Gd-001WK0WN1Gf0WQ1GU0Gc-
    0wY1W_1G]SX4sPZV_V[AAOb:POObObOb?Ou1t*l,0r{(ptH,,rqr:D&0Ecp*CP
    Ve                                                          0Z
    B8  ss   rr                  o5    Bj                       00
    Go  4o   18                  V{    50                       Sz
    Bj  00   Fo   4j2    0jY      El  B{   1j8   FF jh  1x xf   iZ
    7j  pk   0x  fl     ke 0W      kr00   i0 g1  fl S4  2pt AS  m0
    Cz  vx   yj   V0W   Xth01       h0    Hl l0  wq fG  gt      yv
    ks  {{   n{     {3  {{          {{    {{ 3{  x{ {{  q0      qS
    GS   M15f1    {UK    K{81       ff     q0{    Ko M{ 01      x{
    00                                                          xx
    17   {1{olt                               {41  {Kz 0{0c{    0U
    11     z0                                  7n   0  o B l    0{
    U1     {l     hp {1E      {1       {j0{    0B   U  0 { G    0o
    0o     ol     07{1{Al   0{Ax0{    Ex  0{   k0               {0
    8x     0{     X0   x0     4{      1{  U1   {l    xl{1E{1{   j0
    {0     Ek     0{   T0     k0      t{1{U1   {l    Bx{1E{1{   a0
    {0     ok     1{   xk     v{ G1   {1       f{               fz
    ok   1{D{0{   hf   g{      {0{     {n{{3  {{{{              {{
    3{                                                          x{
    {{    xE4                                                   V8
    X0     XV    0V                                             V0
    Xf     f@          d0dgd   f08n   0X 0ff    dF0n    o0Yn    l0
    no     u2   to0   pl  0o  7o  0l  H0YodI0  oP  0w  o8  ww   nV
    wo     o2    vu   YF  0w  lP  n0  w0   oo  v0      uD  Fp   E9
    fI     Af    60   ms  o0  sSs0qs  s0   so  oF      0oq0qq   s3
    sq     ol    0r    S7q01  G0      oo   KY  oI  {m  FN       UF
    RF    {RN0  KsJ0      NF   0FK0F  JJ   J0   G8G0    GF0FG   0K
    KK                0G  GK                                    hG
    0X                 X0X0                                     @V
    dV                                                          P0
    XXfXXXV0ff1XX0fddf0noY3nllRtphpl0ovYYokomFV0ooKqJKJ0KGKJ0FW0F0
    KFJJF0GGW0G05GJJl0F0CryptographyResearchIncPPY5!@,aPZ-@?P^,:-)

You will need to use a fixed width font to make any sense of this.  My
font is a little narrower than the one in the magazine so it was not
too easy to read.  To help people get started I will say that it appears
to spell out:

   Use Your
   Intel(tm)-
   ligence

where what I have shown as (tm) is small letters t and m above the hyphen.

I have a few more observations but rather than jump in with them I'll wait
and see what other people come up with.

--Anon


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Is there a short digest for short messages?
Date: Mon, 14 Jun 1999 17:39:45 GMT

In article <7k2q9g$mum$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] wrote:
> > Whatever the algorithm, if the possible values of your "digest"
> > are in the range (0 - 10^6), you will most probably have a
> > collision after digesting ~10^3 messages (birthday paradox).
> >  - Collision means that two messages have the same digest value -
>
> After ~10^3 *RANDOM* messages.  It will still take on average (10^7)/2
> or about 500,000 messages before you find a real message and a RANDOM
> message that collide.

No, Bkazak got it right.  There's no property of real messages
that tends to keep them from colliding.  To get a collision
with a specific message requires an expected (10^6)/2 tries.

At first I thought 10^7 was a typo, but it's now appeared in
both your posts in this thread.  (10^7)/2 is not about 500,000.

--Bryan


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
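
The birthday bound being argued over, as an added example (Python; not from the thread). It truncates SHA-256 to a digest space of 10^6 values, which is an assumption made for the demonstration, computes the exact number of random messages needed for a 50% chance of at least one collision, and measures the average collision point empirically with a seeded generator so the run is repeatable.

```python
import hashlib
import random

DIGEST_SPACE = 10 ** 6   # the thread's example: digests in 0 .. 10^6 - 1


def short_digest(message):
    # Toy short digest (assumption): SHA-256 reduced into DIGEST_SPACE.
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big") % DIGEST_SPACE


def messages_until_collision(rng):
    # Draw random 8-byte messages until two distinct ones share a digest;
    # return how many messages that took.
    seen = {}
    count = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")
        count += 1
        d = short_digest(msg)
        if d in seen and seen[d] != msg:
            return count
        seen[d] = msg


def average_collision_point(trials, seed=1):
    # Empirical mean of the collision point; theory says about
    # sqrt(pi * N / 2), which is roughly 1253 for N = 10^6.
    rng = random.Random(seed)
    return sum(messages_until_collision(rng) for _ in range(trials)) / trials


def messages_for_half_chance(space):
    # Smallest n with P(collision among n random digests) >= 1/2, using the
    # exact product P(no collision) = prod_{i<n} (1 - i/space).
    p_no_collision = 1.0
    n = 1
    while True:
        n += 1
        p_no_collision *= 1 - (n - 1) / space
        if 1 - p_no_collision >= 0.5:
            return n


if __name__ == "__main__":
    print(messages_for_half_chance(365))            # classic: 23 people
    print(messages_for_half_chance(DIGEST_SPACE))   # ~1.2e3, not 10^6 / 2
    print(average_collision_point(50))
```

Nothing about the messages being "real" changes this: any two inputs that happen to land on the same one of the 10^6 values collide, so the ~10^3 figure is the cost of finding some colliding pair, while hitting one fixed digest value is a different, far more expensive, search.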

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Export restrictions question
Date: Mon, 14 Jun 1999 17:21:25 -0400

[EMAIL PROTECTED] wrote:
> 
> Thanks for the reply.  Sorry for being so ignorant, but what is the "key
> space" vs. key length?

Key space is the number of possible keys; 2^n for n length keys 
if all binary values are legal.

> Do you have any experience with applying for review?  E.g., how long it
> takes?  Any "gotchas"?

Two months or so, depending on how many questions the application
raises.

As for gotchas: why go through a pile of legal expense and bureaucratic
hassle for a worthless "cipher" such as 8-byte at a time XOR?  Since
it provides no protection and has no value, any effort you spend on
it is a waste of good time and money...

If you want a good system, use a standard strong system (3des, 
blowfish, idea, etc.).  If you want a weak system, use des.

        paul

------------------------------

Date: Mon, 14 Jun 1999 06:29:18 -0400
From: [EMAIL PROTECTED]
Subject: Re: Cracking DES

Terry Ritter wrote:
> 
> On 11 Jun 1999 12:54:31 -0700, in
> <7jrphn$7id$[EMAIL PROTECTED]>, in sci.crypt
> [EMAIL PROTECTED] (David Wagner) wrote:
> 
> >Note that experienced cryptanalysts seem able to make a pretty decent guess
> >at which ciphers are most likely to break far before they can actually produce
> >the full attack which confirms their guess.
> >
> >Therefore, if I have n ciphers to analyze and I just want to break one of
> >them (it doesn't matter which one), I won't devote equal amounts of time to
> >all of them -- instead, I'll focus my attention on the few which look most
> >likely to break under deep study.
> 
> But it *does* matter which one you break; it matters that you cannot
> break *all* of them.
> 
> This idea that -- in general -- we are almost as well off with only 5%
> of the traffic as we would be with 100% of the traffic, seems very,
> very, fishy to me.  In general, it is probably quite false.  If not,
> one might well ask why the other 95% of data are even sent.

You are comparing the purpose of the communicators to the purpose of
their adversary and are surprised that the value of the information is not
constant.  The purpose of a particular message may not be to transmit
100% information density from source to sink.  The secret info is
usually assumed known by both ends of the channel.  Nevertheless, an
adversary can glean a tremendous amount from a tiny fraction of the text.

For instance, say an airline executive learns that a lot of email has
been exchanged between (randomly) Southwest and USAir.  The executive
arranges access to the material and attempts to learn the contents of the
mail.  If he comes across the text "our merger", "your liquidation", or
any of a wide variety of phrases he's gained an intelligence coup
because the rest of the story can be learned by diligent application of
basic research.  This is the common situation in an intelligence
organization.  They track minutiae so that when a hint of something
important becomes available they know how to interpret it.

The essential concept here is that of marginal utility.  The marginal
utility of an extra message to the communications is small.  Business as
usual.  Nothing to get excited about.  But the marginal utility of ANY
compromised message, as evaluated by the Opponent is quite high.  The
leverage comes not from the extremely high redundancy of the message,
but from the fact that the blanks can be filled in by other means.

This marginal effect is the reason that code words are used.  Tank,
meaning an armored vehicle, was a pseudonym used in WWI to prevent just
such leveraged intelligence analysis.  In WWII it was copper (uranium). 
Code words exact a toll on the communicators because they act to degrade
the comm channel.  But they limit the damage done by overheard,
misrouted, or cracked messages.

We may think of crypto as a separate discipline, but it is not.  It is
part of a system against which opponents use all the means available. 
Cracking a fraction of a message stream is like eavesdropping on pillow
talk.  The value of the info capture is not in the chapter-and-verse raw
text capture, but in the few critical key words from which the rest can
be deduced, or that suggest avenues of further investigation.

------------------------------

Date: Mon, 14 Jun 1999 07:01:30 -0400
From: [EMAIL PROTECTED]
Subject: Re: cant have your cake and eat it too

Patrick Juola wrote:
> 
> In article <[EMAIL PROTECTED]>, Greg Bartels  <[EMAIL PROTECTED]> wrote:
> >hey, wait a minute, I was asking why not use a different
> >key for every stage of DES, and the response was
> >1) its only nominally better and
> >2) the size of the key is too big to generate from a pass phrase.
> >
> >but, given a secure algorithm, the weakest link becomes
> >the size of the key. which says to me, current cracking
> >capabilities require keys bigger than you can generate
> >with a "human-memorizable-pass-phrase".
> >
> >so you cant have small keys and secure data too.
> 
> Sure you can.  A 128-bit key is 'small' by the standards we're discussing,
> but is still secure against brute force.
> 
> If 128-bits gives you all the security you need, why go with 2000?

Why go with 2000?  Because it is more secure.  Not against brute force,
against weak ciphers.  If I use a 128/192/256-bit key for a single
cipher I'm _probably_ safe against brute force.  But I'm not safe
against a cipher whose weakness may yet be undetected.

If I use, say, eight ciphers properly layered, each with a 256-bit key,
I'm _probably_ still safe against brute force, and I'm _probably_ much
safer against a future discovery of a weakness in one of my eight
ciphers (or two, or three, or five).

No single (symmetrical) cipher needs more than 256 bits of key.  But a
user might want far more than 256-bits of key.

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Wired magazine: What does it do?
Date: Mon, 14 Jun 1999 16:26:29 -0700

Anonymous wrote:
> Wired magazine has been having a puzzle called "What does it do?" on the
> back page.  They show a picture of an item and you have to figure out what
> it is and what it does.

> The July, 1999 issue appears to have a cryptographic twist.  The
> puzzle is a block of random looking characters which spell out a
> message.  ...

I notice it has "Cryptography Research Inc." (Paul Kocher's company) and
a smiley face on the last line.  This is a wild guess, but the style of
the patterns of the characters make it smell kind of like one of those
3D ASCII pictures... put the 810 characters in the right kind of block and
cross your eyes carefully to see the message stand out.  Given the plug
for Intel and their recent random number stuff, perhaps the result will
be a Pentium III logo or something of that sort.

-- 
        Jim Gillogly
        Highday, 24 Forelithe S.R. 1999, 23:21
        12.19.6.4.19, 3 Cauac 7 Zotz, Ninth Lord of Night

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Generating Large Primes for ElGamal
Date: Mon, 14 Jun 1999 22:36:49 GMT

Thanks Wei I'll check it out tonight.

Ron


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Cracking DES
Date: 14 Jun 1999 17:27:59 -0700

In article <7juinc$hk1$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
> Using different ciphers in parallel, i.e. choosing one cipher for
> encrypting some messages and another to encrypt other messages, doesn't
> seem to be a good idea as Bryan Olson has exhaustively explained.

Right.  Well, a `better' way to use ciphers in parallel goes like this:
    Encrypt(x) = DES(r), Blowfish(r xor x)
where r is a random number chosen anew for each encryption.  This does
have the massive disadvantage that it doubles the bandwidth required (yikes!),
but it also gives you a cryptosystem that is "provably" as secure as the
stronger of the two component ciphers.

> In a previous post I described "heavy DES", a
> slowish cipher that encrypts 64 bit blocks with a 140 bit secret key by
> executing 10 DES encryptions in series. First define and publish 16K
> random DES keys. Observe that you need 14 bits to index one DES key.
> Next, take the secret key, divide it into 10 indexes and encrypt the
> plaintext by sequentially chaining the 10 indexed DES functions.

Cute.  I missed that one.

I assume you noticed that there is a meet-in-the-middle attack, so this
construction only gives 70 bits of strength.

I'm not sure what advantage this has over Triple-DES in practice, but it
is an interesting idea...
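
Both constructions in the post, as an added example (Python; not Wagner's or the thread's code). DES and Blowfish are not in the Python standard library, so a small hash-based Feistel cipher stands in for both, domain-separated by a tag; the "heavy" chained cipher is scaled down to 4 layers drawn from a table of 16 published keys (a 16-bit secret key instead of 140) so the meet-in-the-middle attack runs in a fraction of a second. All tags, key names, table contents and sample blocks are assumptions made for the demo.

```python
import hashlib
import itertools
import secrets

BLOCK = 8    # 64-bit blocks, the size DES and Blowfish use
ROUNDS = 8


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(tag, key, rnd, half):
    # Keyed round function from a hash. The tag keeps the two stand-in
    # ciphers distinct; nothing here is DES or Blowfish (assumption).
    return hashlib.blake2b(tag + key + bytes([rnd]) + half, digest_size=4).digest()


def _feistel(tag, key, block, schedule):
    l, r = block[:4], block[4:]
    for rnd in schedule:
        l, r = r, xor(l, _round(tag, key, rnd, r))
    return r + l   # undo the last swap so decryption reuses this loop


def encrypt(tag, key, block):
    return _feistel(tag, key, block, range(ROUNDS))


def decrypt(tag, key, block):
    return _feistel(tag, key, block, reversed(range(ROUNDS)))


# --- 1. Parallel combiner: Encrypt(x) = A(r), B(r xor x) ----------------

def combine_encrypt(key_a, key_b, x):
    # Fresh random r per encryption: two ciphertext blocks per block of x.
    # r and r^x are a 2-of-2 secret sharing of x, each share under its own
    # cipher, so breaking only A or only B yields one share of x.
    r = secrets.token_bytes(BLOCK)
    return encrypt(b"A", key_a, r), encrypt(b"B", key_b, xor(r, x))


def combine_decrypt(key_a, key_b, ct):
    c_a, c_b = ct
    r = decrypt(b"A", key_a, c_a)
    return xor(r, decrypt(b"B", key_b, c_b))


# --- 2. "Heavy" chaining and the meet-in-the-middle attack --------------

INDEX_BITS = 4   # post: 14 bits, 16K keys; toy: 16 keys
LAYERS = 4       # post: 10 layers, 140-bit key; toy: 16-bit key
TABLE = [hashlib.sha256(b"published key %d" % i).digest()[:16]
         for i in range(2 ** INDEX_BITS)]


def heavy_encrypt(secret, block):
    # secret is a tuple of LAYERS indexes into the public TABLE.
    for i in secret:
        block = encrypt(b"H", TABLE[i], block)
    return block


def heavy_decrypt(secret, block):
    for i in reversed(secret):
        block = decrypt(b"H", TABLE[i], block)
    return block


def meet_in_the_middle(pt, ct):
    # Tabulate every front half forward from pt, then walk back halves
    # from ct until a middle value meets the table: 2 * 16^2 half-key
    # trials instead of 16^4 full keys (2 * 2^70 versus 2^140 in the post).
    half = LAYERS // 2
    forward = {heavy_encrypt(front, pt): front
               for front in itertools.product(range(len(TABLE)), repeat=half)}
    for back in itertools.product(range(len(TABLE)), repeat=LAYERS - half):
        mid = heavy_decrypt(back, ct)
        if mid in forward:
            return forward[mid] + back
    return None


if __name__ == "__main__":
    ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)
    x = b"8 bytes!"                                   # constructed block
    ct = combine_encrypt(ka, kb, x)
    print(len(ct[0]) + len(ct[1]), combine_decrypt(ka, kb, ct))
    secret = (3, 14, 0, 7)                            # 16-bit toy key
    pt = b"known pt"
    print(meet_in_the_middle(pt, heavy_encrypt(secret, pt)))
```

The attack needs one known plaintext/ciphertext pair and a table of 16^2 = 256 middle values; with 64-bit blocks a false match among 256 x 256 candidates is negligible, so the first meeting point is the key. Scaling the same split back up to the post's parameters is what turns the 140-bit key into 70 bits of work.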

------------------------------

Date: Tue, 15 Jun 1999 03:33:55 +0200 (CEST)
From: Anonymous <[EMAIL PROTECTED]>
Subject: Re: Wired magazine: What does it do?

Jim Gillogly writes:

> I notice it has "Cryptography Research Inc." (Paul Kocher's company) and
> a smiley face on the last line.  This is a wild guess, but the style of
> the patterns of the characters make it smell kind of like one of those
> 3D ASCII pictures... put the 810 characters in the right kind of block and
> cross your eyes carefully to see the message stand out.  Given the plug
> for Intel and their recent random number stuff, perhaps the result will
> be a Pentium III logo or something of that sort.

Right after the CryptographyResearchInc and before the smiley is
a sequence of 16 characters which matches the first 16 chars of
the message: PPY5!@,aPZ-@?P^,

Let's suppose that these are just there for padding to make the
message come out to the right size.  The "actual" message stops
just before the CryptographyResearchInc, and everything from that
point on is there basically as a signature.

If we do this, and remove the spaces from within the message, get
this: the message length is 768 characters!  Pretty significant,
dontcha think?

Here is the resulting message with 64 char lines.  Notice that the
characters used seem to gradually change as we go through the message.
The first line has a lot of G's, the second has O's and b's, then the
middle four or five lines have a lot of { characters.  The third from
last has s and o and q, the second from last has J and K and G and X.
There is definitely some kind of pattern to it.  (Although the pattern
is a bit reminiscent of randomly typing keys on the keyboard, holding
down the shift key now and then...)

PPY5!@,aPZ-@?P^,kP[-eP1G@1GB1GE1GG1GI1Gd-001WK0WN1Gf0WQ1GU0Gc-0w
Y1W_1G]SX4sPZV_V[AAOb:POObObOb?Ou1t*l,0r{(ptH,,rqr:D&0Ecp*CPVe0Z
B8ssrro5Bj00Go4o18V{50SzBj00Fo4j20jYElB{1j8FFjh1xxfiZ7jpk0xflke0
Wkr00i0g1flS42ptASm0CzvxyjV0WXth01h0Hll0wqfGgtyvks{{n{{3{{{{{{3{
x{{{q0qSGSM15f1{UKK{81ffq0{KoM{01x{00xx17{1{olt{41{Kz0{0c{0U11z0
7n0oBl0{U1{lhp{1E{1{j0{0BU0{G0o0ool07{1{Al0{Ax0{Ex0{k0{08x0{X0x0
4{1{U1{lxl{1E{1{j0{0Ek0{T0k0t{1{U1{lBx{1E{1{a0{0ok1{xkv{G1{1f{fz
ok1{D{0{hfg{{0{{n{{3{{{{{{3{x{{{xE4V8X0XV0VV0Xff@d0dgdf08n0X0ffd
F0no0Ynl0nou2to0pl0o7o0lH0YodI0oP0wo8wwnVwoo2vuYF0wlPn0w0oov0uDF
pE9fIAf60mso0sSs0qss0sooF0oq0qqs3sqol0rS7q01G0ooKYoI{mFNUFRF{RN0
KsJ0NF0FK0FJJJ0G8G0GF0FG0KKK0GGKhG0XX0X0@VdVP0XXfXXXV0ff1XX0fddf
0noY3nllRtphpl0ovYYokomFV0ooKqJKJ0KGKJ0FW0F0KFJJF0GGW0G05GJJl0F0

There are some repetitive patterns.  For example, near the end of row
4 we have {{n{{3{{{{{{3{x{{{, and the exact same pattern occurs near
the middle of row 8.

I've tried 48 and 32 char lines but I can't make anything out of
it visually.  The lines would have to be awfully long for the two
instances of the pattern above to be on the same line.

--Anon


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
