Cryptography-Digest Digest #703, Volume #10       Wed, 8 Dec 99 06:13:01 EST

Contents:
  Re: If you're in Australia, the government has the ability to modify your files. >> 4.Dec.1999 ("Trevor Jackson, III")
  Solitaire analysis? ("r.e.s.")
  Re: NSA competitors (Bruce Schneier)
  Re: If you're in Australia, the government has the ability to modify your files. >> 4.Dec.1999 ("fuck echelon")
  AES Randomness Testing ("Ernst G. Giessmann")
  Re: MMPC - A multi-message encryption algorithm ([EMAIL PROTECTED])
  Re: NP-hard Problems (Safuat Hamdy)
  Re: Random Noise Encryption Buffs (Look Here) (Guy Macon)
  Re: Why Aren't Virtual Dice Adequate? (Guy Macon)
  Re: NSA should do a cryptoanalysis of AES (Volker Hetzer)
  Re: Just how secure is RC4? ([EMAIL PROTECTED])
  Re: Ellison/Schneier article on Risks of PKI ([EMAIL PROTECTED])
  Re: AES cyphers leak information like sieves (Volker Hetzer)
  Re: NSA competitors (Volker Hetzer)
  Is this software a hoax? ([EMAIL PROTECTED])
  Re: Random Noise Encryption Buffs (Look Here) (Anthony Stephen Szopa)
  Re: Is this software a hoax? (Eric Hambuch)

----------------------------------------------------------------------------

Date: Wed, 08 Dec 1999 00:19:53 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: If you're in Australia, the government has the ability to modify your files. >> 4.Dec.1999

CoyoteRed wrote:

> [EMAIL PROTECTED] said...
>
> >Orwellian Nightmare Down Under?  by Stewart Taggart
> >
> >3:00 a.m. 4.Dec.1999 PST
> >SYDNEY, Australia -- Any data seem different on your computer today?
>
> So, I guess for the truly paranoid, someone should develop a disk
> controller and encryption card that also has a smartcard reader.
> On-board strong encryption with part of the key on a smartcard and the
> other in bio-memory.  Have the controller card never off-load the key,
> but use it directly off the card and not allow /any/ outside access to
> it.  The controller also continuously securely hashes the contents of
> the drive and stores it both on the card and on the encrypted drive
> for comparison upon next boot.
>
> The only thing that I see as a security concern is the user input of
> his passphrase.  A hacker could conceivably change out the BIOS to log
> the passphrase key strokes.  (A secure hash of the BIOS as well?)
>
> If done right, the user would never be in the dark about any tampering
> in his system.

Similar concepts were discussed here a few months ago in the context of a
non-seizable computer.  One wants to preserve the information, but make it
impossible (literally) to recover without the requisite key.  The base
concept was a RAM disk containing an OTP key the same size as the
protected disk volume.  On power loss the key disappears, but the data is
recoverable if the key is reloaded from off-site backup.


------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Solitaire analysis?
Date: Tue, 7 Dec 1999 21:28:10 -0800

Anyone know if there have been published analyses of
Bruce Schneier's "Solitaire" algorithm?

The few postings I've seen claim a detectable bias in
letter frequencies, but I don't know how reliable those
are.  (Especially since they say the algorithm isn't
reversible -- whereas it sure looks reversible to me.)
So I wonder if I'm misunderstanding something, or if
the algorithm now on Counterpane's website might be a
significantly different revision.

--
r.e.s.
[EMAIL PROTECTED]
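
Since the question above is whether Solitaire's keystream shows a letter-frequency bias and whether the round is reversible, here is an added Python implementation of the keystream generator as Schneier published it (jokers A and B numbered 53 and 54, steps 1 to 5, passphrase keying via step 6), together with a tally function so a reader can measure the output distribution directly. This is example code written for this digest, not code from the posting or from Counterpane; the passphrase in the usage is a constructed sample.

```python
"""Solitaire keystream generator plus a letter-frequency tally.
Added example, not code from the original posting or from Counterpane."""
from collections import Counter

JOKER_A, JOKER_B = 53, 54  # the two jokers; every other card is its face value 1..52


def card_value(card):
    """Value used for counting: both jokers count as 53."""
    return 53 if card in (JOKER_A, JOKER_B) else card


def _move_down(deck, card, steps):
    """Move `card` down one position at a time; a card at the bottom wraps to
    become the second card, which is what the published rule specifies."""
    for _ in range(steps):
        i = deck.index(card)
        if i == len(deck) - 1:
            deck.insert(1, deck.pop())
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]


def count_cut(deck, n):
    """Move the top n cards to just above the bottom card (bottom card stays)."""
    deck[:] = deck[n:-1] + deck[:n] + deck[-1:]


def solitaire_round(deck):
    """Steps 1-4 in place: joker A down 1, joker B down 2, triple cut, count cut."""
    _move_down(deck, JOKER_A, 1)
    _move_down(deck, JOKER_B, 2)
    first = min(deck.index(JOKER_A), deck.index(JOKER_B))
    second = max(deck.index(JOKER_A), deck.index(JOKER_B))
    deck[:] = deck[second + 1:] + deck[first:second + 1] + deck[:first]
    count_cut(deck, card_value(deck[-1]))


def next_output(deck):
    """Step 5: the card found by counting down by the top card's value; a
    joker there yields no output and the whole round is repeated."""
    while True:
        solitaire_round(deck)
        card = deck[card_value(deck[0])]
        if card not in (JOKER_A, JOKER_B):
            return card


def keystream(deck, n):
    """n raw keystream values (1..52) from the given deck state, which is mutated."""
    return [next_output(deck) for _ in range(n)]  # unkeyed deck starts 4, 49, 10


def keyed_deck(passphrase):
    """Step 6: key an ordered deck with a passphrase (one round plus a count
    cut by the letter's number, A=1, per letter)."""
    deck = list(range(1, 55))
    for ch in passphrase.upper():
        if "A" <= ch <= "Z":
            solitaire_round(deck)
            count_cut(deck, ord(ch) - ord("A") + 1)
    return deck


def to_letter_number(value):
    """Map a raw output 1..52 to a letter number 1..26."""
    return value if value <= 26 else value - 26


def keystream_letter_counts(passphrase, n):
    """Tally of letter numbers over n outputs; a flat tally is what an unbiased
    generator should approach, so deviations here are what the posters report."""
    deck = keyed_deck(passphrase)
    return Counter(to_letter_number(next_output(deck)) for _ in range(n))


def _letters_only(text):
    s = "".join(c for c in text.upper() if c.isalpha())
    return s + "X" * (-len(s) % 5)          # Solitaire pads to groups of five


def encrypt(plaintext, passphrase):
    deck = keyed_deck(passphrase)
    return "".join(chr((ord(c) - 65 + to_letter_number(next_output(deck))) % 26 + 65)
                   for c in _letters_only(plaintext))


def decrypt(ciphertext, passphrase):
    deck = keyed_deck(passphrase)
    return "".join(chr((ord(c) - 65 - to_letter_number(next_output(deck))) % 26 + 65)
                   for c in ciphertext)


if __name__ == "__main__":
    print(keystream(list(range(1, 55)), 10))
    counts = keystream_letter_counts("CRYPTONOMICON", 26000)   # constructed passphrase
    print(sorted(counts.items()))
    print(encrypt("SOLITAIRE", "CRYPTONOMICON"))
```

Every step in `solitaire_round` is a permutation of the deck that can be undone given the resulting deck, which is the sense in which the round "looks reversible"; that is a separate question from whether the output distribution is flat, and the tally is the quick way to look at the latter.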






------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: NSA competitors
Date: Wed, 08 Dec 1999 05:33:33 GMT

On Sat, 04 Dec 1999 22:47:49 GMT, [EMAIL PROTECTED]
(John Savard) wrote:

>On Sat, 04 Dec 1999 18:13:27 +0000, CLSV <[EMAIL PROTECTED]> wrote:
>
>>I'm wondering if there is any knowledge about non-US 
>>government institutes that are specialized in cryptography and
>>cryptanalysis? I'm thinking about countries that invest a lot 
>>in mathematical education like China, Russia, India.
>
>The Russian one, under the acronym FAPSI, now even has a web site too.
>
>On the other hand, the Chinese agency - known as the "technical
>department" - is very secretive.

I know of the Chinese organization as the Ministry of National
Security.

There's also MI5 and MI6 in the UK, SDECE in France, and the BND in
Germany.  Israel has Mossad.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: "fuck echelon" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: Re: If you're in Australia, the government has the ability to modify your files. >> 4.Dec.1999
Date: Wed, 8 Dec 1999 01:02:47 -0500

A bug isn't needed, a tempest attack or a boot would work for most purposes.

Scott Nelson <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Tue, 07 Dec 1999 16:11:53 GMT, [EMAIL PROTECTED] (None) wrote:
>
> >On Tue, 7 Dec 1999 23:53:12 +1100, "Lyal Collins"
> ><[EMAIL PROTECTED]> gagged and spewed out this stuff:
> >
> >>This solution is a bit pointless if the warrant covers your off-line
> >>machine.
> >>Lyal
> >>
> >
> >     You must know a very advanced technique to hack into
> >     an "offline" computer?
> >
> Actually, it's an ancient technique -
> break into the persons house.
> I think it was Sherlock Holmes who pointed out what an
> excellent thief a policeman can be.
>
> Planting a bug inside a suspect's house in a way that makes it
> unlikely to be detected is fairly easy with modern technology.
> I wonder though, if it's possible to modify a computer
> in a way that's not easily detectable to the suspect.
> Unless you actually modify the hardware, it seems like
> it would leave a lot of obvious traces.  And the obvious
> corollary question is, how hard would it be to ensure that
> ones computer software is actually intact, and unmodified.
>
> Scott Nelson <[EMAIL PROTECTED]>



------------------------------

From: "Ernst G. Giessmann" <[EMAIL PROTECTED]>
Subject: AES Randomness Testing
Date: Wed, 08 Dec 1999 08:30:36 +0100

In the paper of Juan Soto "Randomness Testing of the AES Candidate
Algorithms" a Random Excursion Test (and a variant of it)
is used. 
Have you any further links to these tests?
Thanks
Ernst

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: MMPC - A multi-message encryption algorithm
Date: Wed, 08 Dec 1999 07:40:21 GMT



Dear Jim shapiro,

please also give a link to the paper describing the algorithm at your
website, for it contains all the source code but I could not reach the
description of the algorithm.

Thanking you.
rasane_s
In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> We have published an unusual encryption algorithm, MMPC, in the
> December issue of Doctor Dobb's Journal.  MMPC stands for
> multi-message package chaffing.  This encryption scheme combines the
> all-or-nothing transform with Ron Rivest's winnowing-chaffing scheme.
> MMPC features,
>
> 1. a level of security that can be chosen by the user, as it only
> requires any keyed message authentication code (HMAC), and
>
> 2. a package transform which guarantees that the receiver cannot read
> _any_ of the message unless she can read _all_ of it, and
>
> 3. most importantly, the ability to intertwine any number of unrelated
> messages in such a way that a recipient can only read the sub-message
> for which she has a key.
>
> By insertion of pseudo-random bytes, no one save for the sender knows
> how many sub-messages are contained in a transmission.
>
> If you are interested in code you can download it from the Dobbs site,
> www.ddj.com, or from mine, www.jimshapiro.com .  You will need the gcc
> compiler to build the encryption/decryption programs.  Included is a
> makefile and a perl script to test the code.
>
> To contact me directly remove CRYPT from my e-mail address.
>
>


Sent via Deja.com http://www.deja.com/
Before you buy.
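
Point 2 of the announcement above is Rivest's package transform, the all-or-nothing transform that MMPC builds on. The following Python is an added worked example of that transform, not the MMPC code from the Dr. Dobb's article or from Jim Shapiro's site: each block is masked with a pseudo-random block derived from a fresh key, and the key itself is appended masked by a hash of every masked block, so a receiver who is missing or has corrupted any single block derives the wrong key and recovers none of the message. Rivest specifies a block cipher for both masking steps; since the standard library has none, this example substitutes SHA-256 keyed hashing (the names `prf`, `K0`, `package` and `unpackage` are this example's own).

```python
"""Rivest's package transform (all-or-nothing) with SHA-256 standing in for the
block cipher.  Added example; not the MMPC implementation."""
import hashlib
import os

BLOCK = 32              # one SHA-256 digest per block
K0 = bytes(BLOCK)       # fixed, public key for the hash chain (Rivest's K0)


def prf(key, index, data=b""):
    """Stand-in for E_key(index) / E_K0(m'_i XOR i) in Rivest's description."""
    return hashlib.sha256(key + index.to_bytes(4, "big") + data).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg):
    """Append 0x80 then zeros up to a block boundary (always at least one byte)."""
    msg += b"\x80"
    return msg + bytes(-len(msg) % BLOCK)


def unpad(msg):
    return msg[: msg.rindex(b"\x80")]


def _split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def package(msg, key=None):
    """Return n masked blocks followed by the key block K' XOR h_1 ... XOR h_n."""
    key = key if key is not None else os.urandom(BLOCK)
    out = [xor(m, prf(key, i + 1)) for i, m in enumerate(_split(pad(msg)))]
    tail = key
    for i, masked in enumerate(out):
        tail = xor(tail, prf(K0, i + 1, masked))
    return b"".join(out) + tail


def recover_blocks(pkg):
    """Reverse the transform without unpadding: derive K' from the tail and
    every masked block, then unmask.  Any damaged block changes K' entirely."""
    blocks = _split(pkg)
    out, key = blocks[:-1], blocks[-1]
    for i, masked in enumerate(out):
        key = xor(key, prf(K0, i + 1, masked))
    return [xor(masked, prf(key, i + 1)) for i, masked in enumerate(out)]


def unpackage(pkg):
    return unpad(b"".join(recover_blocks(pkg)))


def blocks_recovered_after_corruption(msg, key, block_to_flip):
    """Flip one bit in one block of the package and count how many of the
    original message blocks still come out intact (the property in point 2)."""
    pkg = bytearray(package(msg, key))
    pkg[block_to_flip * BLOCK] ^= 0x01
    originals = _split(pad(msg))
    return sum(r == o for r, o in zip(recover_blocks(bytes(pkg)), originals))


if __name__ == "__main__":
    sample = b"Meet at the library at noon; bring the second volume."  # constructed
    pkg = package(sample)
    print(len(pkg) // BLOCK, "blocks;", unpackage(pkg) == sample)
    for j in range(len(pkg) // BLOCK):
        print("corrupt block", j, "->", blocks_recovered_after_corruption(sample, bytes(BLOCK), j), "blocks readable")
```

The transform is keyless on its own: anyone with all n+1 blocks can undo it. Its value, as the announcement says, is that it forces the receiver to have every block before reading any of them, which is what lets the chaffing layer hide which blocks belong together.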

------------------------------

From: Safuat Hamdy <[EMAIL PROTECTED]>
Subject: Re: NP-hard Problems
Date: 08 Dec 1999 08:56:41 +0100

[EMAIL PROTECTED] writes:

> Anton Stiglic  wrote:
> > The definition of an NP-hard problem is that if there
> > exists a polynomial timed algorithm for one of it's problems, then
> > NP = P.

does he really know what he writes about???

> Do you have a reference for this?  That was the
> definition in the first and second printing of
> /Handbook of Applied Cryptography/, but the
> errata corrected it.  See:

None of the authors are complexity theorists, so HAC is a non-authoritative
source regarding complexity theory.  A really good source is B. Diaz,
J. Gabarro, and J. Balcazar: Structural Complexity I, 2nd ed. (beware!),
Springer, 1995.

-- 

S. Hamdy                                |  All primes are odd except 2,
[EMAIL PROTECTED]    |  which is the oddest of all.
                                        |
unsolicited commercial e-mail           |  D.E. Knuth
is strictly not welcome                 |

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: 08 Dec 1999 03:12:21 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tony T. 
Warnock) wrote:

>You still may fail to detect some.

By design.

>The most probable waiting time between decays is zero.

No it isn't.

>Overall one can do pretty well with the radioactive decay
>if care is taken not to get too much 60hz (or 50hz for the Europeans)
>into the signal.

The signal is a digital output of a photomultiplier tube adjusted
to fail to detect some photons but to virtually never "detect"
when the photon is not there.  Photomultiplier tubes are very
insensitive to 50/60 Hz magnetic fields, and easily shielded from 
50/60 Hz electric fields.  Besides, it's pretty easy to get away
from 50/60 Hz.  Caves, open fields, etc make the 50/60 Hz undetectable
by good measuring equipment.

>There are several ways to completely eliminate bias.

I don't think that you are correct.  I haven't seen a proposal
that would identify a 100% unbiased source.

>Correlation is tough but can be decreased.

?

Isn't Correlation a form of bias?

> This is very slow.

Why should it be?  The counter is around 40 GHz, and you can
pick any rate of photons by adding or subtracting radium.
It's also cheap enough to run a bunch of them in parallel.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: 08 Dec 1999 03:14:14 EST

In article <82jnha$o6l$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
([EMAIL PROTECTED]) wrote:

>You've mixed the attackers problems of (1)
>creating a valid forgery and (2)
>determining what forgeries are valid.  I
>don't think it makes sense to say we
>"might" be able to get zero probability,
>since in the first case we can't get there,
>and in the second we're already there.

That makes sense to me.


------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Wed, 08 Dec 1999 08:58:03 +0000

Rick Braddam wrote:
> Sounds like the difference between using PGP for email and SSL for purchases.
Well, yes. Basically you can reason about the security of the protocol
without bearing the final application in mind. The good thing is that
after that you can use SSL for almost anything. The bad thing is that
you cannot make any assumptions about the applications that use SSL.

> BTW, I don't understand the reference to encrypting in one block,
> unless you are referring to Scott's "all or nothing" encryption.
I am referring to encrypting messages in one block. I think, Scott has
been pushing something like this for quite some time now.

> I didn't
> think about sending each item of info immediately as soon as it was developed.
Then, of course there are all those nice images where you can watch the
buildup when they gain resolution.

> I think we could come up with hundreds of situations where all or nothing
> encryption would not be useable, and perhaps variations on each of them
> where it would be.
Certainly.

> Does anyone have, or can anyone make a good estimate of, the percentage of
> Internet traffic which is short-message based, where the entire message
> would be present for encryption before transmission, and the percentage of
> traffic which is long-message based or real-time continuous data where the
> entire message could not be present before transmission had to be started?
> Note that I'm asking in terms of the entire message not being present
> before transmission must start to differentiate between short and long
> messages.
I don't but I *think* that large data transfers (live phone/video
connections, video/sound on demand) will increase in the near future.

Greetings!
Volker
-- 
Hi! I'm a signature virus! Copy me into your signature file to help me
spread!

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Just how secure is RC4?
Date: Wed, 08 Dec 1999 08:50:49 GMT

In article <[EMAIL PROTECTED]>,
  albert <[EMAIL PROTECTED]> wrote:
> I have read all I can find on RC4, there are great descriptions of it,
> but I find very little analysis of it.  I mean when you compare RC4
> analysis to DES, it doesn't compare!!!  So I was wondering (a solicit
> for newsgroup opinion) what you all think about the overall security of
> RC4..  I mean all the E-commerce sites tout the security of SSL, but I
> am not too convinced of that.
>
> Links, docs, references are greatly appreciated!
>
> Albert
>

I've recently read a diploma thesis about
cryptanalysis of RC4 written by Serge Mister.
This work is not yet available on his webpage
http://www.ncf.carleton.ca:12345/~cf744/pub.html#qbiennial19
But if you write a mail to Mr. Mister, I am sure he
will send you his thesis, too.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Ellison/Schneier article on Risks of PKI
Date: Wed, 08 Dec 1999 09:39:32 GMT

Interesting read.

Does anyone (or indeed Bruce and Carl) have links to similar papers, and
if possible any online reports of PKI - usage statistics, examples of
real-life PKIs that have been hacked etc...


In article <[EMAIL PROTECTED]>,
  Bill Lynch <[EMAIL PROTECTED]> wrote:
> All,
>
> There is a new paper up at
> http://www.counterpane.com/pki-risks.html
>
> Recently released by Carl Ellison and Bruce Schneier. The two point out
> what they see as the 10 risks of a public-key infrastructure. I think
> their point is that security is like a chain, only as strong as the
> weakest link. PKI is a system where several "links" are not protected
> cryptographically (or in a secure manner), hence the security can be
> compromised. It's a good article, take a read.
>


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Date: Wed, 08 Dec 1999 10:01:26 +0000

Tim Tyler wrote:
> I'm not saying you have knowledge of /every/ dictionary entry (i.e. block).
> You don't need to know the key at all.
> 
> My figures were (the extremely high) 1/8 of the blocks as a target.
> 
> If your blocks do not affect one another - and you can compile this type
> of dictionary from a known portion of the message - then you can use it to
> decrypt the rest of the message.
> 
> This is a type of known-partial-plaintext attack, which gets harder very
> rapidly as the block-size increases.
Run that by me again.
Do you collect encrypted blocks from intercepted communications?
If yes, then surely the total number of messages sent becomes the
limiting factor way sooner than the blocksize?

Greetings!
Volker
-- 
Hi! I'm a signature virus! Copy me into your signature file to help me
spread!

------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: NSA competitors
Date: Wed, 08 Dec 1999 09:58:27 +0000

Bruce Schneier wrote:
> There's also MI5 and MI6 in the UK, SDECE in France, and the BND in
> Germany.  Israel has Mossad.
Just *forget* about the BND.
Not too long ago they got their head washed because the only thing they
ever do is sending newspaper clippings to their government.
As a former East German (y'know, we've got the Stasi) I'm really
embarrassed by the quality of the secret service I've been handed with
the unification.

Greetings!
Volker
-- 
FOR SALE: Parachute, used once, never opened, slightly stained.

------------------------------

From: [EMAIL PROTECTED]
Subject: Is this software a hoax?
Date: Wed, 08 Dec 1999 10:18:48 GMT

I stumbled across this on the net:

http://www.web-warrior.net/cyberdetective/index.htm

It sounds unbelievably impressive. But it can't be true, can it?

Has anyone ever used it?

David


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Wed, 08 Dec 1999 02:41:38 -0800
Reply-To: [EMAIL PROTECTED]

Tim Tyler wrote:

> Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
> :> Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
> :> : Tim Tyler wrote:
>
> :> :> Alas, even *if* this is genuinely random - which you will never
> :> :> demonstrate - nobody has developed a scheme for extracting this
> :> :> information onto a macroscopic scale without introducing bias of
> :> :> one type or another.
> :> :>
> :> :> Until such a scheme is demonstrated, "true atomic randomness" is
> :> :> of the same utility to a cryptographer as a "perfectly straight line"
> :> :> is to a student of geometry.
> :>
> :> : I think you have taken a misguided position and are struggling too much to
> :> : defend it.
> :>
> :> Whereas your position appears to be based on faith in the existence of
> :> genuine randomness in subatomic behaviour, and in our ability to
> :> magnify this up to a macroscopic scale, without distorting it at all.
> :>
> :> : I think that a very good true random demonstration would be to generate a
> :> : single photon and direct it through a tiny hole.  Where it strikes a
> :> : screen on the other side of the hole will be unpredictable within the
> :> : possible field in which it may strike.
>
> [snip]
>
> :> How do you propose using this source of information to generate a
> :> genuinely random bitstream?
> :>
> :> What equipment will you use, and how will it be set up?
>
> : Exactly, as I said [...]
>
> : Using a charge-coupled device that can detect a single photon and assign a
> : cartesian reference for each location on the CCD then if the photon
> : strikes a location with X,Y coordinates that are either both even or
> : both odd then the bit is a 0 otherwise, if the location X,Y is one
> : even and one odd then the bit is a 1.
>
> : Seems pretty good to me.
>
> No doubt this would produce a reasonable stream of random-looking data.
> However, to claim you actually have an entropy of one goes *much* too far.
>
> Consider the accuracy with which you need to measure the X, Y
> co-ordinates.  If (hypothetically) the photon has the same chance
> of striking everywhere, *but* one region marked by the detectors is
> slightly larger than any of the others, then that region will
> get hit slightly more often.  If this has even X and Y co-ordinates,
> this will always produce a 0.  Your resulting supposedly random stream
> will be biased towards 0s.
>
> This example points to a fatal objection to the scheme you proposed -
> assuming that detectors themselves may not be arranged with absolute
> precision. I think this is a rather reasonable assumption.
>
> This problem is due to a simple flaw in the design you presented.
>
> You can patch up this rather serious flaw...  but you can't patch up
> *all* the /possible/ flaws.  I recommend you give up now.
> --
> __________
>  |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]
>
> There's so much to say - but your eyes keep interrupting me...

I don't think so.

A specific frequency photon will excite only one electron to a known
higher energy state.

The CCD structure is made to respond to this specific frequency photon.

The CCD can be constructed such that the photon can strike anywhere
on the detector surface (perhaps multi-layered) and excite a detector 
electron.  This CCD will indicate which detector element was excited 
and the X,Y coordinate can be used as described.

We do not need absolute precision.  A molecule / electron has finite
and manageable dimensions for current IC deposition technology to
provide the necessary detector density to work as described.

Your suggestion would probably be more credible if you used 1950s 
technology.

We have some very good technology in 1999 and we will have vastly 
better technology in the next decade / century.

------------------------------

From: Eric Hambuch <[EMAIL PROTECTED]>
Subject: Re: Is this software a hoax?
Date: Wed, 08 Dec 1999 12:06:04 +0100

[EMAIL PROTECTED] wrote:
> 
> I stumbled across this on the net:
> 
> http://www.web-warrior.net/cyberdetective/index.htm
> 
> It sounds unbelievably impressive. But it can't be true, can it?

NO ! Of course not !
Try to find out anything about me !

Eric Hambuch

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
