Cryptography-Digest Digest #718, Volume #10      Fri, 10 Dec 99 14:13:02 EST

Contents:
  Re: Random Noise Encryption Buffs (Look Here) ("Tony T. Warnock")
  Re: Cell Phone Crypto Penetrated >> 6.Dec.1999 >> Biryukov & Shamir  (Douglas Hinton)
  Re: low exponent in Diffie-hellman? (jerome)
  Re: Attacks on a PKI (JCA)
  Re: NSA should do a cryptoanalysis of AES (Tim Tyler)
  Re: NSA future role? (Tim Tyler)
  Re: Random Numbers??? (John)
  Re: Digitally signing an article in a paper journal (Frank Gifford)
  Re: Synchronised random number generation for one-time pads (Tim Tyler)
  The Love Song of Softbytelabs.com  (JPeschel)
  Re: low exponent in Diffie-hellman? (Scott Fluhrer)
  Re: symmetric encryption based on integer factoring (Tom St Denis)
  Re: Synchronised random number generation for one-time pads (Tim Tyler)
  Re: Paradise shills?? (Tim Tyler)
  Re: Attacks on a PKI (Gurripato)
  Re: If you're in Australia, the government has the ability to modify  (Medical Electronics Lab)
  Re: NSA should do a cryptoanalysis of AES (wtshaw)
  Re: Shamir announces 1 sec break of GSM A5/1 (wtshaw)
  Re: Attacks on a PKI (DJohn37050)

----------------------------------------------------------------------------

From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Fri, 10 Dec 1999 08:09:31 -0700
Reply-To: [EMAIL PROTECTED]

Guy Macon wrote:

> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tony T. 
>Warnock) wrote:
>
> >Another (not very problematic) property is that the number of counts in a
> >fixed amount of time is more likely to be even than odd.
>
> Why would this be so?

The sum of the even terms of the Poisson distribution is slightly larger than the sum
of the odd terms for any parameter. I doubt that this is a real problem.
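Why the even terms win for every rate, as an added derivation (not part of the original post): write the parity difference of a Poisson count with mean λ as an alternating sum.

```latex
P(\text{even}) - P(\text{odd})
  = \sum_{k=0}^{\infty} (-1)^k \, e^{-\lambda}\frac{\lambda^k}{k!}
  = e^{-\lambda} \sum_{k=0}^{\infty} \frac{(-\lambda)^k}{k!}
  = e^{-\lambda}\, e^{-\lambda}
  = e^{-2\lambda} > 0,
\qquad\text{so}\qquad
P(\text{even}) = \frac{1 + e^{-2\lambda}}{2}.
```

At λ = 10 counts per interval the excess is e^{-20} ≈ 2 × 10^{-9}, so the bias only matters when the expected count per interval is tiny.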


------------------------------

From: Douglas Hinton <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: Re: Cell Phone Crypto Penetrated >> 6.Dec.1999 >> Biryukov & Shamir 
Date: Fri, 10 Dec 1999 16:42:52 +0100

Intercepting a cell phone conversation isn't hard. You need only a
scanner radio and a Ham Com interface. The scanner radio needs a simple
modification to bypass the audio circuit. The signal can be put directly
into a computer and processed. I have intercepted digital signals (not
cell phone), made .wav files of them, converted the files to binary
numbers. Only problem I see with cell phone interception is that they use
a trunking system. That is that the signal is handed off from one base
station to another or channels are switched. Even a standard scanner
radio can follow most of the hand-offs if the base station frequencies
are programmed in. Douglas

------------------------------

From: [EMAIL PROTECTED] (jerome)
Subject: Re: low exponent in Diffie-hellman?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 10 Dec 1999 15:56:18 GMT

On Fri, 10 Dec 1999 00:10:19 GMT, Scott Fluhrer wrote:
>I'll let bobs respond to the security implications, but if you
>are using 'square and multiply', why don't you go to a more
>efficient modular exponentiation algorithm.  In particular, why
>don't you look at the algorithms in 14.6 of the Handbook of
>Applied Cryptography, which should speed you up by 30% with *no*
>reduced security.

Which one exactly are you speaking about?
If I understand them correctly, the 14.6.1 ones are all variations
of the 'square & multiply'. I haven't looked at the 14.6.2 (fixed exponent)
and 14.6.3 (fixed base) sections; are they 30% faster?

------------------------------

From: JCA <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Fri, 10 Dec 1999 08:39:25 -0800

[EMAIL PROTECTED] wrote:

> Having read much of the literature on PKI, it is fairly conclusive that
> this whole PKI thing is an exploitation of people's ignorance.

    Could you elaborate on that?



------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Reply-To: [EMAIL PROTECTED]
Date: Fri, 10 Dec 1999 16:49:57 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> What if this guy is the radio operator?  You expect him to memorise
:> the text of every message he sends?!
:> He may no longer have access to the plaintext of the message - while he
:> may still remember the password he used as a key to encrypt it.

: Your model of encrypted radio operations is nothing like
: what has really been done, and even farther from the current
: mode of operation. [...]

So what?  It was a counter-example.

The man who sent the plaintext may not know what it said.

Torturing him for plaintext under these circumstances would be useless.

QED.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Lottery: A tax on people bad at maths.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: NSA future role?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 10 Dec 1999 16:59:30 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

[cyphers which allow variable key lengths]

:> I don't really see much difficulty there.  Many encryption systems
:> use large numbers of s-boxes.  These can often be configured randomly
:> (given a bunch of constraints designed to eliminate weak keys), and the
:> resulting algorithm will still be quite strong.

: It is usually not a good idea to choose S-boxes randomly. [...]

Well yes, that was why I mentioned constraints.

However, I'd agree that it is a controversial point which constraints
should be used - and consequently how much room for randomness remains
in the s-boxes themselves.

Some people recommend choosing s-boxes in a manner that optimises
against today's known types of cryptanalysis, while others - looking at
DES - say this might not be as strong as a more random configuration.

I don't know a great deal about this aspect of cypher design - so
can't say with any authority how difficult it is in practice - but
it seems to me that variable length key systems exist, and need not
necessarily suffer from weaknesses associated with this flexibility.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Driving too fast to worry about cholesterol.

------------------------------

From: John <[EMAIL PROTECTED]>
Subject: Re: Random Numbers???
Date: Fri, 10 Dec 1999 08:59:24 -0800

That is refreshing, I was SO worried about posting 20 million bytes and
waiting :) :)  Yes, you are right. Anyway, my newsgroup software
wouldn't allow that.

Thanks.  I will continue.


In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Johnny Bravo) wrote:
> On Thu, 09 Dec 1999 22:27:17 -0800, John
> <[EMAIL PROTECTED]> wrote:
> >I have been kicking around random # generators.  I have 3 sets of
> 1000
> >random #s. Are they? How can you tell? Integers range from 0
> through
> >255 inclusive.
> <snip>
>   This is far too small a sample to do anything meaningful with.
> Generate about 20 million values, write them to a file as bytes,
> and
> run the statistical tests on them.  You will never be able to prove
> randomness, but you can get a good probability check on the
> randomness
> of the values.
>   Best Wishes,
>     Johnny Bravo
> PS: And no, we don't want you to post the 20 million values here.
> :)





------------------------------

From: [EMAIL PROTECTED] (Frank Gifford)
Subject: Re: Digitally signing an article in a paper journal
Date: 10 Dec 1999 12:06:50 -0500

In article <[EMAIL PROTECTED]>,
KloroX  <[EMAIL PROTECTED]> wrote:
>On Thu, 9 Dec 1999 14:25:08 -0800, "Roger Schlafly" <[EMAIL PROTECTED]>
>wrote:
>>You might be able to sneak it in. An MD5 hash is only 32 hex
>>digits, so you might slip in:
>>  The author acknowledges the benefit of grants 143DD59E0,
>>49ACA831, A3984578, 4FF3A801.
>
>This is an interesting suggestion. It does involve a measure of
>cheating (the grants do not exist). Another idea I came across is
>writing in the paper the URL of a web page containing additional data
>relevant to the paper but not published because of size, and embed a
>hash in the URL (specifically in the file name, which I can choose
>freely). This involves no cheating.

Alternatively, you can write up the article completely and do an MD5
checksum before submission to the editors.  Then you can place a personal
ad in the newspaper which contains that checksum.  In the future, it would
be easy to show your original document, say on a web page, and tell people
to verify the MD5 hash with the number in the newspaper from some time ago.

-Giff

-- 
Too busy for a .sig

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Synchronised random number generation for one-time pads
Reply-To: [EMAIL PROTECTED]
Date: Fri, 10 Dec 1999 17:05:42 GMT

Guy Macon <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tim Tyler) wrote:

:>OTPs are [...] useless against simple complete known-plaintext attacks.

: It depends on what you mean by "useless".  I would say that being able
: to send other plaintexts without the attacker being able to decode
: them is quite useful, wouldn't you?

If (as I specified) the attacker has a "complete known plaintext", he has
no need to decode and read the encrypted message - since he knows its
entire contents completely anyway.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

A hangover is the wrath of grapes.

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: The Love Song of Softbytelabs.com 
Date: 10 Dec 1999 17:21:01 GMT

Let us crack then, you and I,
This SecurityPlus password stored on the sly
Like a post-it stuck upon the screen;
Let us go through certain ill-thought chunks of code,
The ramshackled abode
Of cluelesss programmers playing cryppie
And ceaselessly amazing this ol' hippie:
Code that tastes like fine snake-oil
But really brings your blood to boil.
To lead you to an overwhelming question...
Oh, do not ask, 'What is it?'
Let us go make our visit.

SecurityPlus users cringe in fear
Praying they don't hear from Casimir.

Joe

   (with apologies to Eliot)

__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Scott Fluhrer <[EMAIL PROTECTED]>
Subject: Re: low exponent in Diffie-hellman?
Date: Fri, 10 Dec 1999 17:37:08 GMT

In article <[EMAIL PROTECTED]>,
        [EMAIL PROTECTED] (jerome) wrote:
>On Fri, 10 Dec 1999 00:10:19 GMT, Scott Fluhrer wrote:
>>I'll let bobs respond to the security implications, but if you
>>are using 'square and multiply', why don't you go to a more
>>efficient modular exponentiation algorithm.  In particular, why
>>don't you look at the algorithms in 14.6 of the Handbook of
>>Applied Cryptography, which should speed you up by 30% with *no*
>>reduced security.
>
>Which one exactly are you speaking about?
>If I understand them correctly, the 14.6.1 ones are all variations
>of the 'square & multiply'. I haven't looked at the 14.6.2 (fixed exponent)
>and 14.6.3 (fixed base) sections; are they 30% faster?
>
I was thinking of 14.6.3, specifically.  The obvious square & multiply
takes 1.5*lg(N) expected multiplies (where N is the exponent) while
14.6.3 is closer to 1.1*lg(N) expected for the range of N's we're
talking about.

Ok, maybe 30% is a little over-optimistic.  25% is realistic.

-- 
poncho
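To make the comparison in this exchange concrete, here is an added example (not code from either poster): binary square-and-multiply next to the fixed-base windowing method of HAC 14.6.3 (Algorithm 14.109), each reporting how many modular multiplications it performed. The prime p = 2^127 - 1, the base g = 3 and the exponent E are constructed parameters; the fixed-base table is computed once per g, which fits Diffie-Hellman where g never changes.

```python
"""Counting modular multiplications: square-and-multiply vs fixed-base windowing."""
from __future__ import annotations

def square_and_multiply(g: int, e: int, p: int) -> tuple[int, int]:
    """Left-to-right binary exponentiation.
    Returns (g^e mod p, number of modular multiplications, squarings included)."""
    if e == 0:
        return 1 % p, 0
    result, mults = g % p, 0
    for bit in bin(e)[3:]:             # skip the leading 1 bit, already in `result`
        result = result * result % p
        mults += 1
        if bit == "1":
            result = result * g % p
            mults += 1
    return result, mults

def fixed_base_precompute(g: int, p: int, base: int, ndigits: int) -> list[int]:
    """Table g_i = g^(base^i) mod p for i = 0..ndigits-1, computed once per base g
    (in Diffie-Hellman g is fixed, so this cost is amortised over all exponents)."""
    table = [g % p]
    for _ in range(1, ndigits):
        table.append(pow(table[-1], base, p))
    return table

def fixed_base_windowing(table: list[int], e: int, p: int, base: int) -> tuple[int, int]:
    """HAC Algorithm 14.109. With e = sum(e_i * base^i), for j = base-1 down to 1
    accumulate B = product of g_i having e_i >= j, and A = product of those B values,
    so A = product of g_i^(e_i) = g^e. Returns (g^e mod p, multiplications); no squarings."""
    digits = []                        # base-`base` digits of e, least significant first
    while e:
        e, d = divmod(e, base)
        digits.append(d)
    assert len(digits) <= len(table), "exponent larger than the precomputed table"
    a = b = 1
    mults = 0
    for j in range(base - 1, 0, -1):
        for i, d in enumerate(digits):
            if d == j:
                b = b * table[i] % p
                mults += 1
        if b != 1:                     # nothing accumulated yet for the largest j values
            a = a * b % p
            mults += 1
    return a, mults

def compare(g: int, e: int, p: int, base: int = 16) -> dict:
    """Run both methods on the same (g, e, p), check both agree with pow(),
    and report the multiplication counts. `base` must be a power of two."""
    k = base.bit_length() - 1
    assert 1 << k == base, "base must be a power of two"
    ndigits = (e.bit_length() + k - 1) // k
    table = fixed_base_precompute(g, p, base, ndigits)
    r1, m1 = square_and_multiply(g, e, p)
    r2, m2 = fixed_base_windowing(table, e, p, base)
    assert r1 == r2 == pow(g, e, p)
    return {"bits": e.bit_length(), "square_and_multiply": m1,
            "fixed_base_windowing": m2, "table_size": ndigits}

# Constructed example parameters (not from the thread); 2^127 - 1 is prime.
P = 2**127 - 1
G = 3
E = 0x6C5F4B0E1D2A3F8F9B1C2D3E4F5A6B7   # constructed 123-bit exponent

if __name__ == "__main__":
    print(compare(G, E, P))
```

The counts ignore the one-off table build and say nothing about timing behaviour; both routines branch on exponent bits, so they are for counting, not for production key agreement.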




------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: symmetric encryption based on integer factoring
Date: Fri, 10 Dec 1999 17:33:40 GMT

In article <82qv02$rkl$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> This looks very much like El-Gamal except to decrypt a message you use
> division, not an inverse of g^x.  Essentially, you have a Discrete
> Logarithm Problem and you're implementing decryption in a different
> manner.  However, it may become an interesting alternative for public
> key encryption since it appears you don't have to send as much
> information as you do when using El-Gamal.  Did you figure out a way to
> create g^-x?

Well ElGamal is a public key scheme, this is just a math-toy symmetric
scheme.  Also g^-x is the same as G^x where G = 1/g mod p.

Tom



------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Synchronised random number generation for one-time pads
Reply-To: [EMAIL PROTECTED]
Date: Fri, 10 Dec 1999 17:31:03 GMT

Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> [EMAIL PROTECTED] wrote:

[Authenticity of messages under OTPs]

:> : For perfect secrecy, the condition required is that
:> : for any message m, the ciphertext of m is independent
:> : of m.  For authentication we want the stronger
:> : property that for any pair of messages m and m', the
:> : signature of m is independent of the triple
:> : (m, m', signature(m')).
:>
:> AFAICS, whatever type of hashing mechanism you use, the authentication is
:> never perfect - since the attacker can simply guess a value for the
:> signature.  When it's wrong, the recipient realises what has happened,
:> but when he guesses right, he is not detected.  The chance of detection
:> can be reduced to low levels by increasing the size of the signature,
:> of course.
:>
:> This may be the best authentication conceivable - but it does not have the
:> same "100%" feel that an OTP with a genuinely random pad would provide
:> against eavesdropping.

: Encrypting a message with an OTP does not provide 100% security in the sense
: of 0% chance the opponent will learn the plaintext. [...]

Yes, I understand their nature in this respect.  The attacker gets all
possible plaintexts with the same frequency, so (beyond the length of the
message) he gets no *information* from it.

The case with signatures seems to be a little different:

Imagine a noisy broadcast transmission channel with no way for the
recipient of messages to send information back to their sender.

Imagine the system uses an OTP signed with an 8-bit signature.

The eavesdropper has known plaintext attacks, so can recover and modify
the plaintext, but can only forge signatures by total guesswork, so he
has a 1/256 chance of forging the signature.

Some messages will arrive corrupt, and some arrive with corrupted
signatures.  The recipient may blame these corruptions on the
channel, especially if the plaintext is often also corrupted slightly
when he receives it.

Such messages will be discarded.  However of the messages intercepted and
modified, one will have a correct signature on a fake message.

With only an 8-bit signature, you can easily imagine circumstances where
intercepting the messages and modifying them would be worthwhile.
Increasing the signature size decreases this probability - but it never
becomes zero.

It seems to me an attacker gets more out of this guessing of signatures
than he does out of guessing at OTP texts.

When he guesses an OTP text, he must generally take action to
capitalise on the message contents.  If he does this for all
possible messages, he gains nothing; and probably wastes much time and
energy.

When the attacker guesses a signature, at worst he produces a corrupted
message.  This the recipient may blame on noise in the communications
channel. *If* the attacker can supply enough intelligently forged messages
that give false information /without/ increasing his chances of being
detected - or if he does not care if his eavesdropping is detected or not -
he may decide that forging signatures is worth it - for the chance of
getting a forged message through.

There's also the chance that the recipient - if they are human - may treat
the forged messages as genuine ones /despite/ the fact that they have
corrupted signatures, if they also contain a few difficult-to-recover-from
errors in the plaintext that suggest corruption in transit (this point
is not really a "pure" cryptographic one).

As you said, below (say) 2^(-256) all numbers have little importance -
so this is a rather abstract theoretical point - provided a sufficiently
large signature can be employed.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Best way to keep your friends: don't give them away.
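A concrete version of the authentication question in this thread, as an added example (not code from any of the posters): a one-time pad paired with a polynomial one-time MAC whose key (a, b) is meant to come from fresh pad material, an exhaustive check of the independence property quoted above, and the receiver's verify step, which rejects a ciphertext altered under known plaintext unless the tag is guessed. The prime p = 257, the sample texts and the function names are assumptions of this example.

```python
"""One-time pad with a one-time MAC keyed from the pad, and the forgery odds."""
from __future__ import annotations
import secrets
from itertools import product

def otp_xor(pad: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with never-reused pad bytes."""
    assert len(pad) >= len(data), "pad exhausted"
    return bytes(x ^ y for x, y in zip(pad, data))

def one_time_mac(a: int, b: int, blocks: list[int], p: int) -> int:
    """Polynomial one-time MAC over Z_p: tag = b + sum(m_i * a^i) mod p, i >= 1.
    (a, b) must be fresh for every message; blocks must be < p and the block
    count is treated as fixed by this example."""
    acc = 0
    for m in reversed(blocks):         # Horner's rule
        acc = (acc + m) * a % p
    return (acc + b) % p

def best_forgery_bound(n_blocks: int, p: int) -> float:
    """Upper bound on one forgery attempt by the best algebraic attacker: n/p.
    A blind guess of the tag succeeds with probability 1/p (the thread's 1/256)."""
    return n_blocks / p

def pairwise_independence_check(p: int, m1: int, m2: int) -> bool:
    """Exhaustively confirm the property quoted in the thread for one-block messages
    m1 != m2 (mod p): over all keys (a, b) in Z_p^2 every pair (tag(m1), tag(m2))
    occurs exactly once, so seeing tag(m1) tells the attacker nothing about tag(m2)."""
    counts: dict[tuple[int, int], int] = {}
    for a, b in product(range(p), repeat=2):
        pair = (one_time_mac(a, b, [m1], p), one_time_mac(a, b, [m2], p))
        counts[pair] = counts.get(pair, 0) + 1
    return len(counts) == p * p and all(c == 1 for c in counts.values())

def demo(p: int = 257) -> dict:
    """Send a constructed message under OTP+MAC, then replay the thread's scenario:
    the pad gives no integrity, so known plaintext lets the ciphertext be steered
    to another text, but the receiver accepts it only if the tag is guessed."""
    msg = b"SEND 10 BOXES"             # constructed sample plaintext
    pad = secrets.token_bytes(len(msg))
    a, b = secrets.randbelow(p), secrets.randbelow(p)   # in practice: fresh pad bytes
    ct, tag = otp_xor(pad, msg), one_time_mac(a, b, list(msg), p)

    def receiver_accepts(ct_in: bytes, tag_in: int) -> bytes | None:
        pt = otp_xor(pad, ct_in)
        return pt if one_time_mac(a, b, list(pt), p) == tag_in else None

    target = b"SEND 99 BOXES"          # constructed: what the altered message reads as
    altered_ct = bytes(c ^ m ^ t for c, m, t in zip(ct, msg, target))
    assert otp_xor(pad, altered_ct) == target   # malleability of the pad alone
    guessed_tag = secrets.randbelow(p)          # one blind guess, as in the thread
    return {
        "genuine_accepted": receiver_accepts(ct, tag) == msg,
        "altered_accepted": receiver_accepts(altered_ct, guessed_tag) == target,
        "guess_probability": 1 / p,
        "best_forgery_bound": best_forgery_bound(len(msg), p),
    }
```

Run demo() many times and "altered_accepted" comes up True about once in p attempts, which is the residual risk the thread discusses; a longer tag (a larger p) shrinks it but never removes it.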

------------------------------

Crossposted-To: rec.gambling.poker
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Paradise shills??
Reply-To: [EMAIL PROTECTED]
Date: Fri, 10 Dec 1999 17:46:25 GMT

In sci.crypt Daniel Hutchings <[EMAIL PROTECTED]> wrote:

: What I don't understand is, why use a pseudo-random number generator
: at all? You can buy physical devices that use quantum effects to
: generate random numbers, and baby it just doesn't get any more random
: than that.  Comments?

Security:

You should be able to dismantle a software PRNG and check it works in
the way you want and expect it to.  With /any/ physical device you are
faced with a "real" system that it is *impossible* to analyse completely -
and which may have been engineered by your opponents.  Since you cannot
possibly test its output (tests for RNGs pass far too many non-random
systems to be useful), you typically wind up either building the device
yourself (under as secure conditions as you can manage), or "trusting" the
company that made it :-(

Key distribution:

A PRNG seed is relatively small.  It may be encoded with a public key and
then used as a stream cypher.  Send an OTP via a public key and you might
as well send the whole message that way - for all the time and bandwidth
you've used sending the key.

Reproducibility:

Cryptography is only one possible use of the "random poker shuffles" under
discussion.  If there are other target applications (and since this thread
is posted to rec.gambling.poker that seems like a safe assumption) use of
"really" random numbers may not be appropriate.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

A good hot dog feeds the hand that bites it.

------------------------------

From: [EMAIL PROTECTED]=NOSPAM (Gurripato)
Subject: Re: Attacks on a PKI
Date: Fri, 10 Dec 1999 17:12:22 GMT

On Fri, 10 Dec 1999 12:04:33 GMT, [EMAIL PROTECTED] wrote:

>Having read much of the literature on PKI, it is fairly conclusive that
>this whole PKI thing is an exploitation of people's ignorance.
>
>I am currently compiling a list of attacks on a PKI, and if you know of
>any then please post some.
>
        Bruce Schneier just co-wrote a paper on that.  Check it at
www.counterpane.com (don't remember the exact url for the paper).

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: If you're in Australia, the government has the ability to modify 
Date: Fri, 10 Dec 1999 12:27:50 -0600

Douglas A. Gwyn wrote:

> Over the past 5 years, the US violent crime rate has dropped
> significantly, if one can trust the Justice Department's
> statistics (that's a big "if").  It has not been determined
> whether that is best attributed to increased police crackdown
> or to the rapid spread of "shall issue" concealed carry laws
> among the states, both of which have occurred during that time.
> (It clearly is *not* that firearms are appreciably harder for
> criminals to acquire.)  We do have statistics showing that
> concealed-carry licensees have been far less likely to commit
> violent crimes than the average citizen.
> 
> Sorry this drifted off-charter, but there is a lot of
> misinformation being propagated about this issue.  If you
> want to pursue it, presumably the discussion should move to
> talk.politics.guns.

There's a recent paper out quoted in Scientific American that
the drop in crime rate is directly related to the Roe vs. Wade
ruling legalizing abortion.  Apparently the reduction of
unwanted children gives rise to a better living environment.
Has nothing to do with who owns guns.

Way off charter, I'll shut up now.

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Fri, 10 Dec 1999 13:14:05 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> Tim Tyler wrote:
> > What if this guy is the radio operator?  You expect him to memorise
> > the text of every message he sends?!
> > He may no longer have access to the plaintext of the message - while he
> > may still remember the password he used as a key to encrypt it.
> 
> Your model of encrypted radio operations is nothing like
> what has really been done, and even farther from the current
> mode of operation.  Traditionally, encryption was performed
> by a different person than the radio operator, and keys were
> not usually memorized by the encryptor.  These days it's all
> automated, and no person sees the key, much less memorizes it.

It can be that a mate or captain did the code work on a ship, or some
specialist.  For security reasons, such things were often done by the
radio operator himself, while he continued to stand watch.
-- 
When the horse dies, get off.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Shamir announces 1 sec break of GSM A5/1
Date: Fri, 10 Dec 1999 13:20:36 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> > >        Guess the NSA didn't invite them to their annual
> > >see-all-our-surveillance-hardware, hmm?
> "SCOTT19U.ZIP_GUY" wrote:
> >   No he probably came. But like most management when they go to
> > such meetings. It's the parties and free booze and hookers that
> > these kind of meetings unite that they really go for.
> 
> What nonsense (on both sides).

I can speak with definite authority that some federal groups act that way,
at least as I saw it with Federal Inspectors and a High Flying Company. 
Lots gets done via sex and booze.  Treat the right people right and get
away with anything.  Those in the know can look up the file.  Dastardly
things were smoothed over, and the public never knew.
-- 
When the horse dies, get off.

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Attacks on a PKI
Date: 10 Dec 1999 19:04:54 GMT

Peter Landrock of Cryptomathic in Denmark has expressed lots of concerns, not
sure if they are attacks, but are worth looking at.
Don Johnson

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
