Cryptography-Digest Digest #828, Volume #10 Mon, 3 Jan 00 07:13:01 EST
Contents:
Re: On documentation of algorithms (wtshaw)
Re: Wagner et Al. (Tom St Denis)
Re: meet-in-the-middle attack for triple DES ("Rick Braddam")
Re: meet-in-the-middle attack for triple DES (Mok-Kong Shen)
Re: On documentation of algorithms (Mok-Kong Shen)
crypto and it's usage (Tom St Denis)
Re: news about KRYPTOS ("collomb")
Re: Wagner et Al. (Guy Macon)
Re: crypto and it's usage (David A Molnar)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: On documentation of algorithms
Date: Sun, 02 Jan 2000 22:47:44 -0600
In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
> In my humble understanding (apology if I erred) one of the major
> issues in a recent thread initiated by John Savard has been the
> question (not entirely new) of whether one should always be
> satisfied/contented with certain 'standard' amount of security
> (presumably determined adequate through the professional
> judgement of well-known experts and sanctioned by the esteemed
> authority of capable governmental institutions) or that one
> should rather not lose sight of needs/opportunities to obtain
> additional security through appropriately introducing 'added
> complexity' into one's encryption system as a (conservative,
> maybe 'over-anxious') means to further safeguard one's
> individual/specific requirements of communication security.
>
> In a similar vein I like to (re-)raise the (also not entirely new,
> but perhaps heretic) question of whether the documentation of
> 'standard' encryption algorithms in the current practice has been
> of such detail/openness and degree of comprehensibility as to
> render these fully understandable and hence trusted beyond
> question through reasonable efforts/expenditure of study without
> demanding mathematical and other knowledges/expertises/experiences
> that are at least way beyond the common repertoires that the
> universities generally provide to their undergraduate students of
> diverse natural science disciplines. (My personal answer has been
> negative till the present.)
>
> I mean a true (as against forced/misguided/negligent) acceptance
> of and confidence in an encryption algorithm is to be particularly
> and well distinguished from the same for any other utility or
> consumer goods that are available to the public. While barely
> even a mechanical engineer (unless he has psychiatric problems)
> who purchases a car would ever dream of the idea of asking his
> colleagues at the manufacturer's to explain the design
> details/rationales of the automobile and its production process
> and provide the data from the safety and other evaluation tests,
> it is my firm belief that a real and genuine trust in any
> encryption algorithm by the public can only be arrived at through
> a sufficiently wide-spread full (as against superficial/minimal)
> understanding (or at least the possibility of such an
> understanding) of the design and functioning of the same. This
> very singular situation pertaining to crypto is because, among
> others, that crypto has been, is and will always be a science
> covered with a veil of secrecy/mystery in my humble opinion.
> In particular, a number of governments don't seem to desire that
> there will be genuine privacy of informations of the common
> people, as evidenced by their attitudes towards key-escrows,
> Wassenaar Agreements, etc. There will always be facts/knowledges
> purposely withheld from the public or the possibility of such
> could hardly be satisfactorily eliminated/ascertained/convinced
> in conventional ways. Hence it is indispensable for an encryption
> algorithm to be really trusted and profitably used by the public
> that the route to its thorough understanding be rendered as simply
> accessible (to a sufficiently large proportion of the people) as is
> technically/conceivably feasible. It is not sufficient/appropriate
> that the designers of crypto algorithms take the standpoint that
> those with enough intelligence and diligence/willing would
> certainly be able to understand their works or that, conversely,
> failure of understanding is unquestionably attributed to the
> laziness or lack of intelligence on the part of the 'student'.
> (A related phenomenon, albeit concerning 'newly invented'
> algorithms, may be occasionally found in such challenges that
> ask one to examine a piece of poorly documented C-code or simply
> decipher a message encrypted with the masterpiece involved.)
>
> Having said in essence my own admittedly controversial/problematic
> humble opinions, I like to leave the platform to the dear readers
> of the present article. I should appreciate seeing some fruitful
> discussions, since I believe that an ever increasing number of
> standard encryption algorithms/techniques will be put into use in
> the explosive communication volumes of the new millennium.
>
The full quote is reprinted to make a point.
I agree with what you say.
Mental processes vary. Good ideas can be imparted tersely. We are often
our own worst enemies. BTW, do you realize the complexity of your own
sentences? I get them, as I can create some linguistic monsters myself.
As we are in the same boat, may I point out the value of getting to the
point in 25 words or less, something I just might not do myself. Any
student that can unambiguously diagram the first two sentences you have
posted should get an MA on the spot.
In short, the best description is surely one that is universally
understandable. As Einstein said, "If you can't explain it to a child, you
don't understand enough yourself."
Please pardon the liberties taken with your thoughtful passage.
--
Considering that the best guess is that Jesus was born in 4 BC,
for the purists, fate worshipers, and absolute prognosticators,
you all missed your boat some time ago, as hype mongers rejoice.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Wagner et Al.
Date: Mon, 03 Jan 2000 08:42:45 GMT
In article <[EMAIL PROTECTED]>,
"Daniel Roethlisberger" <[EMAIL PROTECTED]> wrote:
> I don't think that's the point, whether users will be smart enough. You
> always have to expect the worst anyway. You'd be surprised how stupid the
> general user is. If you got no trojans running on your system, then that's
> fine. But you cannot expect everyone else hasn't.
Well then they don't need crypto, they need a prayer.
> Decent encryption software cares for its sensitive data. It locks memory in
> which it allocates memory for keys and such, so it doesn't get paged on hard
> disk. It wipes memory after usage. It also tries not to send it through
> windows mechanisms like the windows messages.
But when you send messages like WM_GETTEXT and WM_SETTEXT that is
copied to/from the local heap. What windows does with it can't be
stopped.
> Of course you can say: I only care about the externals, the encrypted files,
> disks or communication. The user has to keep his own computer secure. But
> what if the user isn't the only person working on a given computer? What if
> the laptop gets stolen? What if the user lets his computer unattended in
> office for a couple of hours? Anyone could install whatever he/she wanted on
> it.
But the same could be said for any crypto software. So why lump mine
with it?
> I think it crucial to make an encryption software as hard to attack as
> possible. What use is decent cryptography if the rest of the software is
> easily attacked? The implementation of the ciphers can be as secure as they
> want, if someone can easily get to the keys, the security is lost. That's
> like encrypting the hard disk using a very strong cipher and storing the key
> in plaintext someplace where everyone can get to it...
>
> Giving up on trojans is not the right way. There *are* ways to defend
> against trojans. One thing is to make every software as secure as possible.
> Of course MS has made a bad example at windows security, but you can still
> make your own software secure. Another is to follow safe computing
> practices. Many users don't even run an AV scanner on their systems, not to
> think of firewalls and the like.
I don't think you quite understand how it works. A trojan can be made
to attack *ANY* crypto program. No matter how 'robust'. So the best
defense is not getting dumb email greeting card attachments :)
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Rick Braddam" <[EMAIL PROTECTED]>
Subject: Re: meet-in-the-middle attack for triple DES
Date: Mon, 3 Jan 2000 02:16:29 -0600
Bill Unruh <[EMAIL PROTECTED]> wrote in message
news:84ol8a$kik$[EMAIL PROTECTED]...
> In <[EMAIL PROTECTED]> Mok-Kong Shen
<[EMAIL PROTECTED]> writes:
>
> ]If one could manage to have each block encrypted by a different key,
> ]then such attacks would in my humble opinion be pointless for any
> ]common block encryption algorithm that offers sufficient difficulty
> ]to determine the key from only one single pair of corresponding plain
> ]and cipher texts. On the the further assumption that the key stream
> ]is not (or barely) subjected to inference, this would seem to leave
> ]the adversary no other means in practice but to brute force the
> ]'key' that generates the said key stream. (Note that the key stream
>
> Sure, but it will be slow. If your key stream is sufficiently strong,
> then just xor will probably be fine. many block encryptions take a long
> time to set up the key schedule, and you have to go through this for
> each and every block.
Suppose you use Wei Dai's Crypto++ library, and instantiate 2 or more
instances of Blowfish or TwoFish, each with a different key. Then pass
the first block to the first instance, the second block to the second
instance, the third block to the first instance, alternating
blocks/instances to the end of the message. That way key setup is only
done once at the beginning, and there is no relationship between the odd
and even blocks. It would be more difficult to do in C code, but still
possible.
Would that make analysis more difficult?
Would it make a difference if each instance "shared" the IV vs. each
having its own?
If more secure, what would be the equivalent single-instance key length
(assume each uses 128 bit key)?
Just curious,
Rick
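Rick's interleaving scheme, as an added example (not code from this thread and not Crypto++): two independently keyed instances of a constructed toy 64-bit Feistel cipher, key setup done once per instance, blocks dispatched round-robin in ECB style. `substream_decrypt` makes the answer to his last question visible: every n-th block is an ordinary single-key ciphertext, so each 128-bit key stands alone on its own sub-stream and the equivalent single-instance key length stays 128 bits rather than 256; the IV question does not arise in this ECB form (with CBC it would mean one chaining state per instance).

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in Blowfish

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(subkey, half):  # round function: keyed SHA-256 truncated to one half-block
    return hashlib.sha256(subkey + half).digest()[:4]

class ToyFeistel:
    """Constructed stand-in for a keyed 64-bit block cipher (8-round Feistel, not a
    real cipher). It models the shape that matters here: key setup once, then blocks."""
    def __init__(self, key):
        # Key schedule runs once here, not once per block
        self.subkeys = [hashlib.sha256(b"sk" + bytes([r]) + key).digest()[:16]
                        for r in range(8)]
    def encrypt_block(self, block):
        l, r = block[:4], block[4:]
        for k in self.subkeys:
            l, r = r, _xor(l, _f(k, r))
        return l + r
    def decrypt_block(self, block):
        l, r = block[:4], block[4:]
        for k in reversed(self.subkeys):
            l, r = _xor(r, _f(k, l)), l
        return l + r

class Interleaved:
    """Rick's construction: N independently keyed instances; block i goes to
    instance i % N (ECB style, no chaining)."""
    def __init__(self, keys):
        self.inst = [ToyFeistel(k) for k in keys]
    def _map(self, data, op):
        if len(data) % BLOCK:
            raise ValueError("input must be a whole number of blocks")
        n = len(self.inst)
        return b"".join(getattr(self.inst[i % n], op)(data[i * BLOCK:(i + 1) * BLOCK])
                        for i in range(len(data) // BLOCK))
    def encrypt(self, plaintext):
        return self._map(plaintext, "encrypt_block")
    def decrypt(self, ciphertext):
        return self._map(ciphertext, "decrypt_block")

def substream_decrypt(ciphertext, key, index, n):
    """Recover only the blocks that went to instance `index`, using that key alone:
    each sub-stream is an ordinary single-key cipher over every n-th block."""
    c = ToyFeistel(key)
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(c.decrypt_block(b) for b in blocks[index::n])

# Constructed sample input: two 128-bit keys and a four-block message
KEY_A, KEY_B = b"A" * 16, b"B" * 16
MESSAGE = b"block-00block-01block-02block-03"

def demo():
    ct = Interleaved([KEY_A, KEY_B]).encrypt(MESSAGE)
    # Blocks 0 and 2 come back with key A alone, blocks 1 and 3 with key B alone
    return ct, substream_decrypt(ct, KEY_A, 0, 2), substream_decrypt(ct, KEY_B, 1, 2)
```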
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: meet-in-the-middle attack for triple DES
Date: Mon, 03 Jan 2000 10:28:04 +0100
Bill Unruh wrote:
>
> <[EMAIL PROTECTED]> writes:
>
> ]If one could manage to have each block encrypted by a different key,
> ]then such attacks would in my humble opinion be pointless for any
> ]common block encryption algorithm that offers sufficient difficulty
> ]to determine the key from only one single pair of corresponding plain
> ]and cipher texts. On the the further assumption that the key stream
> ]is not (or barely) subjected to inference, this would seem to leave
> ]the adversary no other means in practice but to brute force the
> ]'key' that generates the said key stream. (Note that the key stream
>
> Sure, but it will be slow. If your key stream is sufficiently strong,
> then just xor will probably be fine. many block encryptions take a long
> time to set up the key schedule, and you have to go through this for
> each and every block.
My main point is that with a key stream supplying the keys to
a block encryption algorithm the analyst will not be able to
determine these keys, excepting brute forcing a certain number
of these (depending on the strength of the key stream generation)
necessary for inferencing the key stream. For the large number
of plaintext ciphertext pairs assumed to be available for doing
attacks of the sort mentioned in this thread as well as
differential analysis etc. become 'by definition' not available with
the variable key scheme. Now consider what I mentioned above about
brute forcing a certain number of the keys. Doesn't brute forcing a
single one of these mean in the original context attacking the
triple DES without employing any clever techniques such as
meet-in-the-middle, i.e. a practically infeasible effort? From this
one sees that the key stream used in fact doesn't need to be
particularly strong. Of course, in a crypto system one should
attempt to do the best at each and every place. That's why I
nevertheless added a cautious assumption about the difficulty of
inferring the key stream. I have yet made no thought of concrete
implementations but suppose that one viable way is to use a DES as
a generator of random bit sequences. I conjecture that there
wouldn't be tremendous degradation of speed, particularly if
everything runs in hardware. Anyway, I personally find it a little
bit surprising that using variable keys appears not to have been
considered hithertofore at least as a discutable potentially
viable means of defense.
M. K. Shen
============================
http://home.t-online.de/home/mok-kong.shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On documentation of algorithms
Date: Mon, 03 Jan 2000 10:28:55 +0100
wtshaw wrote:
>
> I agree with what you say.
>
> Mental processes vary. Good ideas can be imparted tersely. We are often
> our own worst enemies. BTW, do you realize the complexity of your own
> sentences? I get them, as I can create some linguistic monsters myself.
> As we are in the same boat, may I point out the value of getting to the
> point in 25 words or less, something I just might not do myself. Any
> student that can unambiguously diagram the first two sentences you have
> posted should get an MA on the spot.
>
> In short, the best description is surely one that is universally
> understandable. As Einstein said, "If you can't explain it to a child, you
> don't understand enough yourself."
Many thanks. You are absolutely right in your critiques. Time and
again I unconsciously fall into my bad habit of writing long-winding
sentences. (I start to think that's something like a chronical
illness.) I find that the last paragraph above (which is certainly
also applicable to the 'mess' I wrote) is indeed the shortest and
most appropriate one for addressing the issue I raised in the
original post. In fact, we don't even need crypto documentation
of that superb quality demanded by Einstein, I believe. Anyway,
something less than that would have already satisfied my personal
humble expectations.
M. K. Shen
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: crypto and it's usage
Date: Mon, 03 Jan 2000 09:19:39 GMT
I was just wondering how many people here actually use crypto. I mean
almost anyone here can pull apart ideas and have fun, but does anyone
use what's left?
I personally use it just for fun, and sometimes to keep things
private. Nothing life threatening... Anyone else?
Tom
------------------------------
From: "collomb" <[EMAIL PROTECTED]>
Subject: Re: news about KRYPTOS
Date: 3 Jan 2000 09:53:04 GMT
To Ferdinando
Thanks for your wishes
John E Gwyn tells that the columns in addition to the right side and to
the bottom line, and also in addition to the square of Vignere, are there
only for the aesthetic balance of the whole !
Personally, I see a square of characters in which it is added to the right
several columns and in the bottom one line. Return now to my solution :
I, first of all, form a square of 10 X 10 characters, in which I add then
the 125 characters of the second series, these new characters laying out
on the right and bottom of this 10 X 10 square.
KRYPTOS must be necessarily conceived so that a non-specialist could
solve this enigma by simple means < paper and pencil > and not by means of
powerful computers. In a location so full of symbols, the sculptor
addresses to the whole world and not to some specialists, whose <the man
in the street> will be never able to check and to understand the work.
Sculpture KRYPTOS was installed in the backyard of CIA in 1990. At that
time, no private individual could acquire a very powerful computer.
With my solution, the damned 97 characters are very quickly deciphered.
It misses 3 characters to obtain 100 and, taking into account the first
results of decoding, it could be a question only of the word GOD. The
fight between Good and Evil, which is a constant topic in the
North-American thought, gives its true depth to KRYPTOS.
Best regards
[EMAIL PROTECTED]
Ferdinando Stehle <[EMAIL PROTECTED]> wrote in the article
<Wxla4.10084$[EMAIL PROTECTED]>...
> Hi all,
>
> after 3 months of work on my PENTIUM 90MHz,
> i may claim that J.Sanborn & E.Scheidt didn't use any of
> the two following method to encode KRYPTOS 97 unsolved chars:
>
> - a Vigenere substitution (with keyword up to 12 chars long) followed by a
> transposition
>
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Wagner et Al.
Date: 03 Jan 2000 06:30:59 EST
In article <84pne4$rh4$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
>I don't think you quite understand how it works. A trojan can be made
>to attack *ANY* crypto program. No matter how 'robust'. So the best
>defense is not getting dumb email greeting card attachments :)
Your "defense" is faulty. You can spend your life never accepting
dumb email greeting card attachments and still end up with trojans
on your computer. Just look at the history of Microsoft's security
holes, and the known fact that they let holes that they know about
remain unless the holes get a lot of publicity.
Is it really true that a trojan can be made to attack any crypto
program? Yes, but only if two preconditions are assumed: First,
the trojan must be written specifically targeted at the particular
crypto program. The more generic trojans such as back orifice can
be protected against (and are by many crypto programs). Second,
the trojan must have administrator user rights. Smart NT
administrators like me create a series of usernames with increasing
rights and decreasing security, and always use the lowest one
that will do the job. A good crypto program can only be attacked
from the highest level of access. Yours can be attacked from
a few of the lower levels.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: crypto and it's usage
Date: 3 Jan 2000 11:33:09 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
> I personally use it just for fun, and sometimes to keep things
> private. Nothing life threatening... Anyone else?
I sign outgoing e-mail using a pgp/pine script. Not so often, since right
now I need to retype my passphrase each time. When someone indicates that
they prefer encrypted mail, then I'll comply. It's rare but it happens.
I verify incoming signed mail using the same script. There isn't that much
of it yet, but I am convincing my friends to try it out. We're running a
keyserver...
Plus SSL for the odd bit of web shopping (my parents use this more than I
do). I also have a Freedom Beta installed on an old machine, but the
machine has been retired. Another machine has the old Mac eCash client
software on it (back when they gave out $100 of play money).
This isn't current, but : I used Ian Goldberg's visprint to make a picture
from the MD5 hash of an essay I wrote for college admission. The essay
question was "attach a picture of something important to you, and write
about that." The essay was on the need for digital signatures. :-)
So mostly for authenticity (and commerce) - nothing life threatening here,
either.
Thanks,
-David Molnar
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************