Cryptography-Digest Digest #962, Volume #10      Mon, 24 Jan 00 01:13:00 EST

Contents:
  Re: Intel 810 chipset Random Number Generator ("james d. hunter")
  Re: "Trusted" CA - Oxymoron? ("Jim Bennett")
  Re: Intel 810 chipset Random Number Generator ("Trevor Jackson, III")
  Re: Intel 810 chipset Random Number Generator ("Trevor Jackson, III")
  Re: MIRDEK: more fun with playing cards. (Rex Stewart)
  Re: MIRDEK: more fun with playing cards. (Rex Stewart)
  Re: MIRDEK: more fun with playing cards. ("r.e.s.")
  Re: MIRDEK: more fun with playing cards. ("r.e.s.")

----------------------------------------------------------------------------

From: "james d. hunter" <[EMAIL PROTECTED]>
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: Sun, 23 Jan 2000 21:50:53 -0500
Reply-To: [EMAIL PROTECTED]

Michael Kagalenko wrote:
> 
> Herman Rubin ([EMAIL PROTECTED]) wrote
> ]In article <86dvcl$a17$[EMAIL PROTECTED]>,
> ]Michael Kagalenko <[EMAIL PROTECTED]> wrote:
> ]>Herman Rubin ([EMAIL PROTECTED]) wrote
> ]>]In article <86au71$m0n$[EMAIL PROTECTED]>,
> ]>]Michael Kagalenko <[EMAIL PROTECTED]> wrote:
> ]>]>Guy Macon ([EMAIL PROTECTED]) wrote
> ]>]>]In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul Koning) wrote:
> ]
> ]                       ................
> ]
> ]
> ]>]> No. You are wrong. So long as you can reliably count the number of cycles
> ]>]> of quartz crystal, you can use this to recover thermally random numbers.
> ]>]> Temperature dependence may be indeed a problem, but it can be accounted
> ]>]> for either by thermostabilising or by simply measuring it and feeding
> ]>]> it into the computational process.
> ]
> ]>]Using the general idea of random, not only this, but everything
> ]>]else, is random.
> ]
> ]> False. You did not understand the physics that I am proposing to use.
> ]
> ]>]   But this does not mean that it will have the
> ]>]independence properties needed for use as "random numbers".
> ]
> ]> As I said elsewhere, you are wrong.
> ]
> ]Independence is a very strong property.  For the purposes to which
> ]"random numbers" are typically put, what is often more important
> ]than the uniformity of the distribution, which can be corrected,
> ]is the independence of the numbers produced by the device.  Exact
> ]independence means that the conditional probability distribution
> ]of one output given the rest is the same as not having that
> ]information.
> 
>  Yes, I know. What is your point, again?
> 
> ]
> ]Perfect independence is impossible.  Radioactive decay,
> ]counting the parity of the number of events sufficiently
> ]rarely, comes quite close, although the bias in the
> ]recording device limits how much can be done; there are
> ]ways to use multiple streams to improve things.
> ]
> ]It is only the UNpredictable part which is useful for
> ]random purposes.  Moderate range dependence of thermal
> ]noise is hard to keep.
> 
>  The last sentence looks intriguingly relevant to the topic, but
>  I fail to parse it. What I am pointing out is that to the extent
>  that quartz crystal, any quartz crystal, dissipates mechanical energy,
>  it will produce thermally random noise, according to the fluctuation-
>  dissipation theorem. The reason a resistor produces the
>  thermal noise is that same theorem. I am also pointing out that this
>  thermal noise will lead to Brownian-walk drift of the clock which
>  can be measured to produce truly unpredictable random data. So far,
>  you and others went on all sorts of tangents due to the failure
>  to understand what I am saying.

   The thing with random is that if you actually -build- one,
   instead of yapping about them, you will make some money.
   Since you didn't make one, it has to be assumed that you
   don't understand what you're saying.

------------------------------

From: "Jim Bennett" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Date: Mon, 24 Jan 2000 03:16:26 GMT

If you trusted ABC company, that would be fine for their employees. So if
ABC company was Wells Fargo Bank, you could be confident they were using
decent authentication procedures.

But for the individual not involved with a large well known company, what
can you do? I'm not as concerned with spoofing as with an imposter creating
a brand new cert using your identity. If an ISP was the sub-CA, would they
make sure that their subscriber was who he said he was? And if so, how?

Also, what is OCSP?

Jim

Jimmy Doughan <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Jim, how about pushing the trust down to the cert holder's company. Let's
> say I hold a cert from ABC company, you should be able to authenticate
> directly to the issuing CA or VA via OCSP (if the majority of PKI vendors
> ever adopt OCSP). For home users, they should authenticate to their online
> or internet service. These companies should have their CAs signed by one
> of the widely known certification authorities (Verisign, Thawte, Xcert,
> Entrust, Baltimore) to establish trust. It would be near impossible to
> spoof a cert and the issuing CA using OCSP. The value of a Thawte chaining
> cert would diminish greatly using this model though.
>
> Jimbo
>
> Jim Bennett wrote:
>
> > I have been reviewing the Certification Practice Statements of various
> > issuers of X.509 digital certificates for S/Mime email. I have been
> > trying to find one that really tries to verify the identity of the
> > certificate applicant and will do it for the general public. I haven't
> > been too thrilled with what I found.
> >
> > Why do I care? If you are going to use a personal digital certificate
> > for signing an email that has significant legal implications, like a
> > request to withdraw $100,000 from your bank and have the funds wired
> > somewhere else, you sure as hell want to make sure the person who has
> > signed the message is really the person he says he is.
> >
> > Now let's see how various vendors have attacked the problem.
> >
> > VERISIGN (www.verisign.com) - The best you can get from them is a
> > requirement that you respond to a challenge email sent to the email
> > address you have asserted is yours. Well, whoopee. Anyone with access
> > to your POP inbox can assert they are you. Value: minimal.
> >
> > THAWTE (www.thawte.com) - Your identity must be vouched for by a group
> > of people whom Thawte has determined are trustworthy. How does Thawte
> > determine this? If you have had your identity vouched for a selected
> > number of times by different people, you are considered capable of
> > vouching for other people's identity. Better than Verisign, but not
> > much. A group of several co-conspirators could vouch for false
> > identities for each other fairly easily. Value: still not good enough
> > for a high value transaction.
> >
> > USERTRUST (www.usertrust.com) - Better. These guys will do a background
> > check on you to try to confirm your identity claims, and will arrange
> > for you to buy a fidelity bond to cover people who rely on your
> > certificate. But they are currently only doing this for "contracted
> > projects", which to me sounds like big jobs.
> >
> > PGP - You have to trust the key signers, but if you are dealing with a
> > stranger, you are unlikely to know any of the key signers. Value:
> > usually zero, occasionally good.
> >
> > Does anyone know of a CA who will do what UserTrust claims to do, but
> > on an individual basis for the general public?
> >
> > Thanks,
> >
> > Jim Bennett
> > Offshore Asset Protection Lawyer
> > http://www.jim-bennett.com
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > PGP public key at http://www.jim-bennett.com/about/pgp.htm
>



------------------------------

Date: Sun, 23 Jan 2000 23:11:06 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Intel 810 chipset Random Number Generator

Michael Kagalenko wrote:

> Guy Macon ([EMAIL PROTECTED]) wrote
> ]In article <86dvah$aht$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Michael Kagalenko) wrote:
> ]>
> ]>Guy Macon ([EMAIL PROTECTED]) wrote
> ]>]In article <86au71$m0n$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Michael Kagalenko) wrote:
> ]>]>
> ]>]>Guy Macon ([EMAIL PROTECTED]) wrote
> ]>]>]
> ]>]>]I can see the logic behind trying, but not if you are looking for
> ]>]>]a good RNG.  But what if you are looking for a cheap RNG?
> ]>]>]a cheap crystal (or, better yet, ceramic) oscillator costs very
> ]>]>]little, and hooks up to a serial or parallel port easily, and is
> ]>]>]pretty much immune to 60 Hz electrical noise.  I agree with
> ]>]>]everything said about the lack of randomness, though.  You really
> ]>]>]are just measuring fine differences in the time between reads
> ]>]>]of your serial/parallel port.  Such a circuit, if Von Neumann
> ]>]>]compensated and exclusive or'ed with the output of the best PRNG
> ]>]>]you can program, would seem to be, on a practical level,  much
> ]>]>]superior to the PRNG alone.
> ]>]>
> ]>]> No. You are wrong. So long as you can reliably count the number of cycles
> ]>]> of quartz crystal, you can use this to recover thermally random numbers.
> ]>]> Temperature dependence may be indeed a problem, but it can be accounted
> ]>]> for either by thermostabilising or by simply measuring it and feeding
> ]>]> it into the computational process.
> ]>]
> ]>]I made at least six claims in the paragraph above, and I cannot
> ]>]tell from your response exactly what I wrote that prompted the
> ]>]"You are wrong" comment.  Could you elaborate as to exactly what
> ]>]you are disagreeing with?  I stand by what I wrote above.
> ]>]
> ]>
> ]> It is too bad that you stand by it, because a lot of it is bogus.
> ]
> ]Forgive me if I ignore claimed bogosity that you fail to identify.
> ]
> ]You may wish to examine your habit of namecalling without mentioning
> ]exactly what you disagree with or why.  Your current practice is
> ]sure to cost you in the areas of career advancement and personal
> ]relationships.
>
>  The example is supplied below. Your failure to read "is sure to cost you ..."
>  etc.
>
> ]
> ]> The most bogus part is
> ]>
> ]>>  I agree with
> ]>> everything said about the lack of randomness, though.  You really
> ]>> are just measuring fine differences in the time between reads
> ]>> of your serial/parallel port.
> ]>
> ]>  As I said above, you can obtain truly random data by measuring clock
> ]> drift due to thermal noise in the crystal.
> ]
> ]And you think that the circuit I described will accomplish this?
> ]Or are you postulating a high precision (better than the crystal)
> ]measurement system then complaining that my comments about a cheap
> ]crystal oscillator hooked to a parallel port don't describe your
> ]system?  Thanks for defining "Bogus" by example.
>
>  Well, I am not complaining that "cheap crystal oscillator
>  hooked to a parallel port don't describe" what I am proposing.
>  This part is true, it doesn't. It isn't true that I
>  "postulate" high precision clock; rather, I am pointing
>  out that such are readily available via the Internet, and
>  that quartz crystal is already part of every computer system, thus
>  obviating the need to hook anything to a parallel port.
>
> ]You are also confusing "has some randomness, however small"
> ]with "random enough to be a good RNG for crypto".
>
>  Well, no; measuring the clock drift can supply data random enough
>  for crypto. You simply failed to understand why.

What does "measuring the clock drift" mean?  Against what standard do you propose to measure drift?
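Two claims in this thread can be checked numerically: Rubin's point (quoted earlier in the digest) that independence, not uniformity, is the hard property, with parity of rarely sampled counts and the combination of several streams as the remedies, and Macon's suggestion (quoted above) of Von Neumann compensation. The Python below is an added illustration, not code from any poster. The noisy source is constructed: a Bernoulli coin that sometimes repeats its previous bit, standing in for a detector with short-range memory; no real hardware is modelled, and the function names are mine.

```python
"""Bias versus dependence in a physical-noise bit source (added illustration)."""
import random
from itertools import islice


def biased_source(p_one, repeat_prob, seed):
    """Constructed source: with probability repeat_prob copy the previous bit,
    otherwise draw a fresh bit with P(1) = p_one.  repeat_prob > 0 gives the
    short-range dependence the thread is arguing about."""
    rng = random.Random(seed)
    prev = 0
    while True:
        if rng.random() < repeat_prob:
            bit = prev
        else:
            bit = 1 if rng.random() < p_one else 0
        prev = bit
        yield bit


def von_neumann(bits):
    """Von Neumann compensation: consume disjoint pairs, emit 0 for 01 and
    1 for 10, discard 00 and 11.  Unbiased only if the pairs are independent."""
    it = iter(bits)
    for a, b in zip(it, it):
        if a != b:
            yield a


def parity_of_blocks(bits, n):
    """One output bit per block of n input bits: the parity of the block
    (the 'parity of the number of events, sampled rarely' idea)."""
    it = iter(bits)
    while True:
        block = list(islice(it, n))
        if len(block) < n:
            return
        yield sum(block) & 1


def xor_streams(*streams):
    """Combine several independent devices bit-by-bit with XOR."""
    for bits in zip(*streams):
        out = 0
        for b in bits:
            out ^= b
        yield out


def bias(bits):
    """Mean minus 1/2; 0 for a fair source."""
    bits = list(bits)
    return sum(bits) / len(bits) - 0.5


def lag1_dependence(bits):
    """P(next = 1 | prev = 1) - P(next = 1 | prev = 0).  Exact independence in
    Rubin's sense implies 0: knowing the previous output tells you nothing."""
    bits = list(bits)
    ones_after = [0, 0]
    seen = [0, 0]
    for prev, nxt in zip(bits, bits[1:]):
        seen[prev] += 1
        ones_after[prev] += nxt
    return ones_after[1] / seen[1] - ones_after[0] / seen[0]


def demo(n=200_000):
    """Bias and lag-1 dependence of the raw source and of each post-processing step."""
    raw = list(islice(biased_source(0.7, 0.3, seed=1), n))
    other = list(islice(biased_source(0.7, 0.3, seed=2), n))   # second, independent device
    vn = list(von_neumann(raw))
    par = list(parity_of_blocks(raw, 16))
    mixed = list(xor_streams(raw, other))
    return {
        "raw_bias": bias(raw), "raw_dep": lag1_dependence(raw),
        "vn_bias": bias(vn), "vn_dep": lag1_dependence(vn),
        "parity_bias": bias(par), "parity_dep": lag1_dependence(par),
        "xor_bias": bias(mixed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value:+.3f}")
```

Run it directly to print the statistics. The instructive row is Von Neumann: it removes the bias, as advertised, but because the pairs it consumes are not independent it leaves a lag-one dependence behind (in this model the dependence even changes sign). Parity over blocks of 16 bits drives both bias and dependence toward zero, at the cost of 15/16 of the throughput. XORing with a second, independent device shrinks the bias but does not remove it, which is why such combining is usually done on top of, not instead of, the other steps.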



------------------------------

Date: Sun, 23 Jan 2000 23:16:41 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator

Michael Kagalenko wrote:

> Trevor Jackson, III ([EMAIL PROTECTED]) wrote
> ]Michael Kagalenko wrote:
> ]
> ]> Herman Rubin ([EMAIL PROTECTED]) wrote
> ]> ]In article <86au71$m0n$[EMAIL PROTECTED]>,
> ]> ]Michael Kagalenko <[EMAIL PROTECTED]> wrote:
> ]> ]>Guy Macon ([EMAIL PROTECTED]) wrote
> ]> ]>]In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul Koning) wrote:
> ]> ]
> ]> ]                       ................
> ]> ]
> ]> ]
> ]> ]> No. You are wrong. So long as you can reliably count the number of cycles
> ]> ]> of quartz crystal, you can use this to recover thermally random numbers.
> ]> ]> Temperature dependence may be indeed a problem, but it can be accounted
> ]> ]> for either by thermostabilising or by simply measuring it and feeding
> ]> ]> it into the computational process.
> ]> ]
> ]> ]Using the general idea of random, not only this, but everything
> ]> ]else, is random.
> ]>
> ]>  False. You did not understand the physics that I am proposing to use.
> ]>
> ]> ]   But this does not mean that it will have the
> ]> ]independence properties needed for use as "random numbers".
> ]>
> ]>  As I said elsewhere, you are wrong.
> ]
> ]You can _say_ that as much as you like.  But the readers of the sci.* fora prefer that
> ]you _show_ it.
> ]
> ]You haven't.
> ]
> ]*NEXT*.
>
>  I don't think that collected readership of sci.* groups had ever appointed you
>  their spokesmen.

They didn't -- I'm a singular not a plural.



------------------------------

From: Rex Stewart <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Mon, 24 Jan 2000 05:13:46 GMT

As a variation on the idea of changing the values of i and j for each
message, and yet capitalizing on the idea of a permanent passphrase and
an initialisation vector, keeping a spare deck in a particular order
and then using a short passphrase (changed with each message) to key
the deck for each message could make the setup tolerable - with the
problem of having a partially keyed deck that could fall into hostile
hands.

--
Rex Stewart
PGP Print 9526288F3D0C292D  783D3AB640C2416A


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Rex Stewart <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Mon, 24 Jan 2000 05:28:08 GMT

It is a downside for any OFB stream cypher, but for cyphers that add
either the plaintext or the cyphertext to the state entropy, simply
starting the message with a few randomly chosen letters is sufficient.

In a cypher like Mirdek, the users could agree on an arrangement for
both the right and left decks ahead of time, and simply encrypt each
new message with a few random characters.  As long as they never begin
with the same series, and as long as the series was truly random this
would be a safe plan.  And in fact, they would not have to send those
characters in the clear. Each message would simply decrypt with a few
letters of garbage at the beginning.

--
Rex Stewart
PGP Print 9526288F3D0C292D  783D3AB640C2416A

In article <86g63d$72l$[EMAIL PROTECTED]>,
  "r.e.s." <[EMAIL PROTECTED]> wrote:
> "Rex Stewart" <[EMAIL PROTECTED]> wrote ...
> [...]
> : On output feedback cyphers based on ARC4 variants (like
> : Solitaire) insulating the state information (and therefore the key)
> : from the output seems fairly straightforward, and in fact Solitaire
> : seems to have two layers of such insulation. The downside of
> : course is the requirement to use a new key for each message.
> [...]
>
> But it's a "downside" required for any stream cipher, and hence
> applies to all of the card ciphers mentioned in this thread.
>
> IMO, I don't think it's accurate to describe Solitaire as an
> "ARC4 variant", although it may have been influenced by ARC4.
>
> (As I posted before, I'm actually interested in the whole class
> of what we might call ARC4-M variants -- where M is the length
> of the state vector -- whether implemented by cards or computer.
> The lack of response to those earlier postings suggests that
> this may be an unexplored area.)
>
> --
> r.e.s.
> [EMAIL PROTECTED]
>
>



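The behaviour Rex describes above (a random prefix that need not be sent in the clear, and that decrypts to a few garbage letters) rests on one property only: the cipher feeds each ciphertext letter back into its state. The Python below is an added illustration of that property and is not Mirdek or any poster's code. A SHA-256 hash chain stands in for the cipher state, and the passphrase, prefixes and message are constructed.

```python
"""Random prefix letters as a per-message IV for a ciphertext-feedback stream cipher.

Added illustration: a hash chain replaces the card-based state, so only the
feedback property carries over, not Mirdek's actual mechanism.
"""
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase


def _initial_state(passphrase):
    """State shared by every message under this passphrase (constructed scheme)."""
    return hashlib.sha256(b"key:" + passphrase.encode()).digest()


def _feed(state, ciphertext_letter):
    """Ciphertext feedback: the state absorbs the letter just produced."""
    return hashlib.sha256(state + ciphertext_letter.encode()).digest()


def random_prefix(length=5):
    """The few randomly chosen letters placed in front of the message."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def encrypt(passphrase, plaintext, prefix):
    """Additive stream cipher over A-Z applied to prefix + plaintext."""
    state = _initial_state(passphrase)
    out = []
    for p in prefix + plaintext:
        k = state[0] % 26                       # keystream letter from the current state
        c = ALPHABET[(ALPHABET.index(p) + k) % 26]
        out.append(c)
        state = _feed(state, c)                 # the ciphertext letter shapes all later state
    return "".join(out)


def decrypt(passphrase, ciphertext, prefix_length):
    """Decrypt everything, then discard the first prefix_length garbage letters."""
    state = _initial_state(passphrase)
    out = []
    for c in ciphertext:
        k = state[0] % 26
        out.append(ALPHABET[(ALPHABET.index(c) - k) % 26])
        state = _feed(state, c)                 # same feedback, driven by the same ciphertext
    return "".join(out[prefix_length:])


def keystream(passphrase, ciphertext):
    """Keystream a passphrase holder can reconstruct from a ciphertext, for inspection."""
    state = _initial_state(passphrase)
    ks = []
    for c in ciphertext:
        ks.append(state[0] % 26)
        state = _feed(state, c)
    return ks


if __name__ == "__main__":
    key = "correct horse"                       # constructed passphrase
    msg = "ATTACKATDAWN"                        # constructed message
    a = encrypt(key, msg, random_prefix())
    b = encrypt(key, msg, random_prefix())
    print(a, b)                                 # same key and message, unrelated ciphertexts
    print(decrypt(key, a, 5), decrypt(key, b, 5))
    # The first keystream letter depends on the key alone, so the first prefix
    # letter is the only one enciphered with a fixed pad; it is random and
    # discarded, which is why the prefix need not travel in the clear.
    print(keystream(key, a)[:3], keystream(key, b)[:3])
```

The check that matters for Rex's "never begin with the same series" condition is the second assertion below: two messages that share the passphrase and the prefix get an identical ciphertext for as long as their plaintexts agree, exactly the situation the random prefix exists to avoid.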

------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Sun, 23 Jan 2000 21:47:20 -0800

"Paul Rubin" <[EMAIL PROTECTED]> wrote ...
: CLSV  <[EMAIL PROTECTED]> wrote:
[...]
: >The card swapping is indeed fast but the administration
: >in my head always slows things down.
:
: Don't try to do the arithmetic mod 52.  Just do it mod 13, based
: on (say) K=0, A=1, 2=2, ..., 10=10, J=11, Q=12 to locate the
: output column of the output card.  To get the row of the output
: card, add the *suits* of the swapped cards, mod 4.  I like the
: visual mnemonic of Diamond=0, spade=1, heart=2, club=3.  Very cute.

The above paragraph really says it all, but some visuals may be
useful -- until some fatal flaw is found in the ARC4-52 algorithm
itself ;-(

(The following is for stream generation, but it should be clear
how to use for key setup as well.)

The "card table" looks like this:

            K  A  2  ...           J  Q
            0  1  2  ...           11 12
           -----------------------------
Diamonds 0| 0  1  2  ...           11 12
Spades   1| 13 14 15 ...           24 25
Hearts   2| 26 27 28 ...           37 38
Clubs    3| 39 40 41 ...           50 51

Take the "value" of a card as a *pair* of numbers (suit, facevalue),
i.e. the (row,col) coordinates in the above table, and leave it at
that while navigating the card layout. Don't waste time finding the
values 0-51!

Also, I'd like to repeat the associations in the mnemonic for suits,
because that's what makes it work for me:  Red suits are even,
with Diamond=0 and Heart=2 because they're "roundish" and a diamond
most resembles a 0.  Black suits are odd, with Spade=1 and Club=3,
because they have 1 and 3 leaves on a stem.

So, when reading the card at the x-marker, just read it as
(suit,facevalue), and see it as an instruction to move the y-marker
ahead "suit" number of rows and then "facevalue" number of cards
further in that row (continuing to the next row if needed. Of course
the order is row0->row1->row2->row3->row0)

The real savings come in the final steps:

While swapping the two cards, separately add up their "rows" & "cols".
"rows" is the mod 4 sum of their suits, and "cols" is the facevalue
sum (if it exceeds 0-12, increase the row sum by 1, and take
"cols" = facevalue - 13).

For the final step, put your finger at the (0,0) position in the
card-layout and move it the number of rows and columns indicated
by the (rows,cols) just obtained. You'll then be pointing at the
output card.

--
r.e.s. "Mistr Typo" <-- excuses, excuses
[EMAIL PROTECTED]
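To check that the (suit, facevalue) bookkeeping above really lands on the same card as integer arithmetic mod 52, here is an added Python version of ARC4-52 that runs the output loop both ways and compares them. It is not code from r.e.s. or from the thread: the card table, the suit numbering and the carry rule are the post's, while the passphrase-to-cards mapping (ord(ch) % 52) and the function names are my assumptions.

```python
"""ARC4 on a 52-card deck, as integers and as (suit, facevalue) coordinates (added example)."""

SUITS = ["Diamonds", "Spades", "Hearts", "Clubs"]                          # rows 0..3
FACES = ["K", "A", "2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q"]  # cols 0..12


def coords(n):
    """Integer 0..51 -> (suit, facevalue), the (row, col) of the post's card table."""
    return divmod(n, 13)


def index(card):
    """(suit, facevalue) -> position 0..51 in the card layout."""
    suit, face = card
    return 13 * suit + face


def card_name(card):
    suit, face = card
    return f"{FACES[face]} of {SUITS[suit]}"


def add_cards(a, b):
    """The post's rule: suits add mod 4, facevalues add; if the facevalue sum
    exceeds 12, subtract 13 from it and carry 1 into the suit sum."""
    rows = (a[0] + b[0]) % 4
    cols = a[1] + b[1]
    if cols > 12:
        rows = (rows + 1) % 4
        cols -= 13
    return rows, cols


def passphrase_to_cards(passphrase):
    """Assumed mapping (not from the post): each character becomes the card ord(ch) % 52."""
    return [ord(ch) % 52 for ch in passphrase]


def key_schedule(key_cards):
    """ARC4 key setup with a 52-element state, in integers."""
    s = list(range(52))
    j = 0
    for i in range(52):
        j = (j + s[i] + key_cards[i % len(key_cards)]) % 52
        s[i], s[j] = s[j], s[i]
    return s


def keystream_ints(state, n):
    """ARC4 output loop with plain integer arithmetic mod 52."""
    s = list(state)
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) % 52
        j = (j + s[i]) % 52
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 52])
    return out


def keystream_cards(state, n):
    """The same loop with every card kept as (suit, facevalue) and the markers
    moved by rows and columns, as the post describes."""
    deck = [coords(c) for c in state]          # layout positions hold card pairs
    x = y = (0, 0)                             # both markers start at the K of Diamonds
    out = []
    for _ in range(n):
        x = add_cards(x, (0, 1))               # x-marker one card ahead, wrapping rows
        y = add_cards(y, deck[index(x)])       # y-marker 'suit' rows, then 'face' cards ahead
        xi, yi = index(x), index(y)
        deck[xi], deck[yi] = deck[yi], deck[xi]        # swap the two cards
        rows_cols = add_cards(deck[xi], deck[yi])      # (rows, cols) of the output card
        out.append(deck[index(rows_cols)])             # finger from (0,0) to (rows, cols)
    return out


def agree(passphrase, n=200):
    """True when both methods produce the same n output cards."""
    state = key_schedule(passphrase_to_cards(passphrase))
    by_int = [coords(c) for c in keystream_ints(state, n)]
    return by_int == keystream_cards(state, n)


if __name__ == "__main__":
    state = key_schedule(passphrase_to_cards("mirdek thread"))   # constructed passphrase
    print([card_name(c) for c in keystream_cards(state, 5)])
    print("methods agree:", agree("mirdek thread"))
```

The agreement holds because a card's integer value is 13*suit + facevalue, so adding two cards coordinate-wise with a carry of 13 out of the column sum into the row sum is addition mod 52 in disguise; the same identity is what lets the y-marker move "suit rows then facevalue cards" instead of counting 0 to 51.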




------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Sun, 23 Jan 2000 21:47:17 -0800

"Paul Rubin" <[EMAIL PROTECTED]> wrote ...
[...]
: R.e.s. said he was getting around 5 chars/minute, apparently without
: much practice.  Key setup wasn't discussed though - the procedure
: is a bit different.  Anyway, 30 secs/char may be way too conservative
: an estimate.  At 10 secs/char, the setup time starts approaching
: tolerable.  I don't know what's possible with practice.

With a few hundred trials, I've found that I can't sustain 4+ chars/min
without burning out rather quickly.  If fresh, alert, & undistracted,
3.5+ chars/min is sustainable -- but I can't say for how long. I think
3 chars/min would be sustainable even if moderately fatigued, and
2 chars/min if dead-tired & drunk ;-)

(Those rates are for stream generation only, and they don't include
the final encipherment/decipherment step of adding the stream to the
plaintext/ciphertext. They should, however, be comparable to rates for
key setup.)

I can't imagine a secure card-cipher operating at your wished-for rate
of 10 secs/char --even if I did once thoughtlessly claim ~4 secs/char ;-)

--
r.e.s. "Mistr Typo"
[EMAIL PROTECTED]



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
