Cryptography-Digest Digest #977, Volume #10 Wed, 26 Jan 00 01:13:01 EST
Contents:
Re: Intel 810 chipset Random Number Generator (Michael Kagalenko)
Re: "Trusted" CA - Oxymoron? ("Jim Bennett")
Re: MIRDEK: more fun with playing cards. (Rex Stewart)
Re: "Trusted" CA - Oxymoron? (Anne & Lynn Wheeler)
Re: Newbie to PGP: RSA vs DH/DSS (Tom St Denis)
Re: A Format for Cipher Challenges ([EMAIL PROTECTED])
Re: ECM Factoring and RSA Speed Ups (Tom St Denis)
Re: Intel 810 chipset Random Number Generator (Terry Ritter)
Re: RSA v. Pohlig-Hellman (Jerry Coffin)
Re: Why did SkipJack fail? (Jerry Coffin)
Re: ECC & RSA re: patents, copyrights (Jerry Coffin)
Re: "Trusted" CA - Oxymoron? ("Trevor Jackson, III")
Re: Intel 810 chipset Random Number Generator (Terry Ritter)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Michael Kagalenko)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 26 Jan 2000 03:48:04 GMT
Reply-To: [EMAIL PROTECTED]
Terry Ritter ([EMAIL PROTECTED]) wrote
]
]Again, I missed the previous message...
]On 25 Jan 2000 09:19:50 -0500, in <86kbe6$[EMAIL PROTECTED]>,
]in sci.crypt [EMAIL PROTECTED] (Herman Rubin) wrote:
]
]>In article <86gd0n$qmf$[EMAIL PROTECTED]>,
]>Michael Kagalenko <[EMAIL PROTECTED]> wrote:
]
]>>[...]
]>> What I am pointing out that to the extent
]>> that quartz crystal, any quartz crystal, dissipates mechanical energy,
]>> it will produce thermally random noise, according to the flustuation-
]>> dissipation theorem.
]
]And this random noise produces "jitter" which is normally-distributed,
]tiny, bipolar, and independent on a cycle-by-cycle basis. This
]affects the "bandwidth" of the signal, not frequency measurements
]which cover many cycles of operation.
As I pointed out before, you need some remedial reading on the
statistical physics. Try Feinman's lectures about mathematics
of brownian walk. May be, you'll understand that what you
write is incorrect.
]
]>The reason a resistor produces the
]>> thermal noise is that same theorem.
]
]And do resistors also "drift"? It is the same theorem, after all....
]
]>I am also pointing out that this
]>> thermal noise will lead to brownian-walk drift of the clock which
]>> can be measured to produce truly unpredictable random data.
]
]I am aware of no publication which suggests a "brownian-walk" from
]crystal noise. That simply does not happen. Jitter is bipolar and
]cycle-by-cycle independent.
So is motion of browniuan particle. Yet the average square of the
position grows linealry with time (provided it starts from
the origin).
]>>So far,
]>> you and others went on all sorts of tangents due to the failure
]>> to understand what I am saying.
]
]What you claim either does not occur in quartz crystal oscillators at
]all, or does not occur at sensible levels.
]
]
]>It may LOOK like a Brownian drift, but is it?
]
]I doubt it even looks like it.
]
]>Brownian drift
]>actually has infinite energy,
I have no idea what this is supposed to mean.
] so what one has is at best an
]>approximation. Also, a slowly varying drift, easily possible
]>with thermal effects of any kind, can play much havoc with
]>using such a device to obtain supposedly random output.
See my earlier post that mentions renormalization of clock
frequency.
]>Even radioactive counts, already digital and with excellent
]>independence properties, cannot be used as such, because of
]>both dead time, and the biases introduced by the analog
]>nature of the counter-data interface. This latter one is
]>particularly bad, and will apply to anything used directly.
]
]
]I claim the proposed effect simply does not exist at sensible levels.
That's because you lack very basic understanding of the statistics
of Brownian random walk.
]I suppose if one measures anything precisely enough one will run into
]randomness. But there are other sources of variation, in particular
]ambient temperature; we will not be measuring crystal jitter on our
]unmodified PC's.
------------------------------
From: "Jim Bennett" <[EMAIL PROTECTED]>
Crossposted-To:
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Date: Wed, 26 Jan 2000 04:27:06 GMT
> I think you need to take a closer look at what you really want a
> digital certificate for. If I sign something with "significant legal
> implications" (presumable some kind or contractual request or
> oblication) I should hope that the person with whom I am signing it
> has determined to their *own* satisfaction that I am in fact who I say
> I am, as I will certainly have done so myself as to their identity,
> and not just blindly trust some certificate authority!
But wouldn't it be nice to have someone provide this service, so I can deal
with a guy in Malaysia without my having to go there or him having to come
Texas?
>
> As to your example about the bank, even if I had a certificate from
> the NSA and FBI that I was in fact the protoplasmic blob I think I am,
> what relationship does that have to the person (whoever he was) who
> opened the bank account? If a bank I did business with was willing to
> accept ANY outside certification without making their own internal
> verifications, I would have my money out of there so fast the teller's
> head would spin and my letter to the bank president would probably
> incinerate before it got there!
Let's say I am a bank and you wire in to Jim's Bank $1 million. Then a month
later someone (could be you) sends me an S/Mime signed email saying "wire
out $500,000 to my friend Fred". If your email included a certificate from a
CA I could trust, I would feel comfortable that it was really you who gave
me this instruction, so I'd feel OK following the instruction. You, of
course, agreed in advance to care for your private key and be responsible if
you were sloppy with it.
The problem is you don't trust the existing CA's in the marketplace. Well, I
don't either. But a CA *could* be trustworthy with proper procedures and
insurance, right?
> I sign all messages from these nym's with a key known
> (at least by those who would care) to belong to that identity and
> which is available on one or more public key servers.
How do insure that the "key IS known to those who would care to belong to
that identity"? With PGP, your local buddies can come over for a beer and
key signing. But that only works between you and your local buddies. But
what about the guy in Malaysia who wants to do business?
>
> When it comes to security, people are far too concerned with physical
> identification, when it is identity itself they should be concerned
> with. To give an example, now that electronic signatures are becoming
> accepted by the courts as legally binding, a request signed with a key
> that was itself appropriately signed by a credit card company would be
> just as good as a signed credit card charge slip.
But that is only because the credit card company will stand behind it. That
is effectively a trusted CA.
------------------------------
From: Rex Stewart <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Wed, 26 Jan 2000 04:53:07 GMT
I have an idea that seems to meet 3 of the four properties. I can't
tell if it meets the reversibility property (it takes me a while to
work through that concept).
The problem with the previouse search function is it provieded concrete
information about the state AFTER the substitution. If, instead of
counting letters, you simply used the previous card the information
would not be revealed.
In other words, you want to encrypt "C"
you search for "C"
"JOIELC" finding it, you substitute "L"
this is simply the card on the other pile.
Decription uses the next card. Search until you find "L"
and one more card makes "C"
After the decks are put back together, the only thing certain is L is
lower in the deck than C - and this is only true until after the count
cut. I haven't tried it yet to see if the information it DOES reveal -
the proximity of the two letters PRIOR to the search - is of any value
to an adversary. In going over the possibilities in my head, I haven't
yet found any way to use this information.
--
Rex Stewart
PGP Print 9526288F3D0C292D 783D3AB640C2416A
In article <[EMAIL PROTECTED]>,
Paul Crowley <[EMAIL PROTECTED]> wrote:
a search with
> the right properties:
>
> * dependent on the position of the searched-for letter, not the
letter
> searched for
>
> * reversible, given the searched-for letter
>
> * for each card in the old state of the left deck, every new position
> is equiprobable
>
> * ideally it would do some mixing too
>
> Actually, I can think of one but it's unwieldy: just cut cards from
> the top to the bottom until the searched-for card is as far from the
> bottom as it was from the top (ie one card if it's on the top, three
> if it's second, 5 if third etc). Better suggestions would be very
> welcome!
> --
> __
> \/ o\ [EMAIL PROTECTED] Got a Linux strategy? \ /
> /\__/ Paul Crowley http://www.hedonism.demon.co.uk/paul/ /~\
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
Crossposted-To:
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Reply-To: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
Date: Wed, 26 Jan 2000 05:04:57 GMT
Lots of times, especially involving privacy issues ... the only thing
that needs to be authenticated is if the entity authorized to perform
the requested function ... in which case a generalized "identity"
certificate (certifying some binding between a public key and some
misc. personal information) can be orthogonal to the objective at hand
... and possible may represent a compromise unnecessarily divulging
personal information.
In a typical retail scenerio ... the merchant doesn't actually need to
know who you are when you present a credit card ... the merchant
really wants to know whether they will be paid or not.
There has also been misc. discussion of EU privacy guidelines about
making retail electronic financial transactions as anonymous as cash
... i.e. a credit/debit card presented to a merchant would contain
no name &/or require any other identification information. It would
similarly work in non-face-to-face retail electronic transactions
(aka internet, e-commerce) with no identity information exchanged in
the transaction.
In the PKI world for financial institutions, this has been translated
into "relying party only" certificates ... i.e. a certificate
that only carries the public key and the account number for financial
transactions (in order to avoid unnecessarily divulgy privacy
information). However, for financial transactions it is easily shown
that since the original of the certificate resides in the account
record ... it is superfulous and redundant for the consumer to return
their copy of the certificate as part of every financial transaction
to their financial institution (and doing so can even unnecessarily
increase the infrastructure's systemic risk).
misc. references:
http://www.garlic.com/~lynn/ansiepay.htm#aadsnwi2
http://www.garlic.com/~lynn/aadsm3.htm#cstech13
http://www.garlic.com/~lynn/aadsm3.htm#cstech8
http://www.garlic.com/~lynn/aadsm2.htm#scale
http://www.garlic.com/~lynn/aadsm2.htm#inetpki
http://www.garlic.com/~lynn/aadsm2.htm#integrity
http://www.garlic.com/~lynn/aadsm2.htm#account
http://www.garlic.com/~lynn/aadsm2.htm#privacy
http://www.garlic.com/~lynn/aadsm2.htm#stall
http://www.garlic.com/~lynn/aadsmore.htm#hcrl3
http://www.garlic.com/~lynn/aadsmore.htm#schips
http://www.garlic.com/~lynn/aadsmore.htm#vpki
http://www.garlic.com/~lynn/aadsmore.htm#killer0
http://www.garlic.com/~lynn/aepay3.htm#aadsrel2
http://www.garlic.com/~lynn/aepay3.htm#x959discus
--
Anne & Lynn Wheeler | [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.garlic.com/~lynn/ http://www.adcomsys.net/lynn/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Newbie to PGP: RSA vs DH/DSS
Date: Wed, 26 Jan 2000 05:08:42 GMT
In article <86lfv3$qm0$[EMAIL PROTECTED]>,
"Danny Johnson" <P.r.o.g.m.a.n.2.0.0.0.@.u.s.a...n.e.t> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've noticed that the Freeware PGP I downloaded and began using
> yesterday (v6.5.2, from Network Associates) allow me to create and
> use RSA and DH/DSS key sets. I've also noticed that at least one
> person in this newsgroup had a line in his/her signature stating they
> would only accept RSA. Why is this? Is one superior to the other?
> I have a key set from each method, but which should I use by default
> for the best security? My apologies if this isn't the right group to
> be asking....
>
Don't trust RSA it was invented by rogue clowns that escaped from the
shriners.
Honestly, even I can't quantify the difference in 'bounded' security
from either. I doubt you even understand the type of question you are
asking.
Just use a large key (say +768 bits), nod and smile and be on your
merry way.
Or you can be like me and request papers and never get them!!!
But I am not bitter.
BTW I am looking for papers on factoring, discret logs etc.. I would
like the historic papers I.e pollard-rho paper on factoring etc.. not
re-hashed 'my view on factoring' papers...[ I have enough of them ]
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: A Format for Cipher Challenges
Date: Tue, 25 Jan 2000 21:29:00 -0800
How long should those messages be?
Joseph Poe?
John Savard wrote:
> It occurs to me that, since a known-plaintext attack is easier to
> carry out than a ciphertext-only attack, there is a case for
> presenting a message along with its plaintext, and asking people to
> find the key.
>
> However, it is possible that a key schedule could include a one-way
> hash, that doesn't need to also be cracked if you've solved for the
> subkeys - which are enough to let you read future messages in the same
> key.
>
> Hence, although challenge messages for ciphers that are any good are
> pointless anyhow, I suppose that if one is presented to at least gain
> evidence that a cipher isn't hopelessly weak, a more valid format for
> a challenge might take this form:
>
> _two_ encrypted messages, the plaintext of one being supplied, the
> object being to supply the plaintext of the other, and the two being
> encrypted with the same key (of course, since otherwise the first
> message is pointless - a full description of the system is naturally
> required).
>
> John Savard (teneerf <-)
> http://www.ecn.ab.ca/~jsavard/index.html
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: ECM Factoring and RSA Speed Ups
Date: Wed, 26 Jan 2000 05:19:56 GMT
In article <86l7uh$jct$[EMAIL PROTECTED]>,
David A Molnar <[EMAIL PROTECTED]> wrote:
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> > First off any papers floating around about ECM? I would love to
read
> > up on it.
>
> Certicom has white papers.
I meant ECM factoring... hehehe I have Mike Rosing's book on ECM
[crypto] and don't understand anything after the introduction :)
> > Second, how do you speed up RSA when more then two primes are being
> > used. For argument sake let's say you have 3 384-bit primes, p, q,
r.
> > And of course n = pqr.
>
> Chinese remaindering. Normally you would have to do 1 1152-bit
> exponentiation. Now you can do 3 384-bit exponentiations.
> This is actually a speedup, because exponentiation is a
> O(n^3) process, while multiplication is O(n^2) .
J'ah? How can 3 384 exponenations be faster aren't they all done
modulo n?
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: Wed, 26 Jan 2000 05:30:20 GMT
On 26 Jan 2000 03:47:48 GMT, in <86lqp4$mt9$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] (Michael Kagalenko) wrote:
>Terry Ritter ([EMAIL PROTECTED]) wrote
>]
>]Again, I missed the previous message...
>]On 25 Jan 2000 09:19:50 -0500, in <86kbe6$[EMAIL PROTECTED]>,
>]in sci.crypt [EMAIL PROTECTED] (Herman Rubin) wrote:
>]
>]>In article <86gd0n$qmf$[EMAIL PROTECTED]>,
>]>Michael Kagalenko <[EMAIL PROTECTED]> wrote:
>][...]
>]>The reason a resistor produces the
>]>> thermal noise is that same theorem.
>]
>]And do resistors also "drift"? It is the same theorem, after all....
>
> You must be trying to crack me up, Mr.Ritter. Good thing I wasn't
> drinking coffee.
You have a direct question: answer it.
The thermal noise in resistors ("Johnson noise") is white noise at a
very low level. It does not produce resistance drift; nor does a
voltage impressed across that resistor tend to drift because of noise.
The noise is tiny, normally-distributed, and bipolar; averaged out, it
is zero. Instantaneously, Johnson noise may add to or subtract from
impressed voltage, but it does not accumulate, and averages out to
zero.
If we want to use noise for randomness, we must detect transient
nature. We can do that, but it does not accumulate.
>]>I am also pointing out that this
>]>> thermal noise will lead to brownian-walk drift of the clock which
>]>> can be measured to produce truly unpredictable random data.
>]
>]I am aware of no publication which suggests a "brownian-walk" from
>]crystal noise. That simply does not happen. Jitter is bipolar and
>]cycle-by-cycle independent.
>
> So is motion of brownian particle. Yet the average square of the
> position grows linearly with time (provided it starts from
> the origin).
And just what particle do you imagine noise to be, and how do we sense
that distance?
Noise does not change crystal oscillation frequency, even
instantaneously. The crystal continues to physically flex and vibrate
at exactly the same frequency. Noise in the circuit which senses the
oscillation does produce the tiny phase variations known as "jitter."
But jitter is not cumulative: it does not have position, it does not
accumulate an offset; it is merely a perceived variation from the
continued sine-wave flexing of the crystal. The bipolar noise
averages out.
>][...]
>]I claim the proposed effect simply does not exist at sensible levels.
>
> That's because you lack very basic understanding of the statistics
> of Brownian random walk.
Sorry. The effect simply does not exist.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: RSA v. Pohlig-Hellman
Date: Tue, 25 Jan 2000 22:42:46 -0700
In article <86lbo7$612$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> Did RSA use two primes only to make it patentable and did
> they compromise strength per bit in the process?
>
> Any thoughts would be appreciated...
No -- keep in mind that with RSA, you encrypt with the public key,
which is the product of the two primes. You decrypt using the primes
that multiply to that public key. With only one prime, you don't have
something you can publish that's difficult to figure out the private
key from. IOW, you no longer have public-key cryptography at all.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Why did SkipJack fail?
Date: Tue, 25 Jan 2000 22:42:44 -0700
In article <86jiem$gvh$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
[ ... ]
> >Worse yet, (from one viewpoint) SkipJack was carefully designed to
> >require _extremely_ minimal hardware. That makes it easier to include
> >in minimal hardware like a smartcard.
>
> What viewpoint is that?! For some of us, this is a huge advantage and
> is Skipjack's main selling point.
>From the viewpoint of security, obviously. From a viewpoint of usage,
you'd like a cipher to be as fast and cheap to implement as possible.
>From a viewpoint of security, you'd like it to be as slow and
expensive to implement as possible. Doing a brute-force search of the
entire key-space obviously depends on doing a lot of encryptions very
quickly, and preferably for as little money as possible. Preventing
it means either making the keyspace extremely large, or making it very
slow to generate and test a single key.
> Remember that distributed.net (the "world's fastest computer")
> has been crunching a single RC5-64 message for *years* and has
> searched only a small fraction of the 64-bit keyspace. I think it
> will be a long while before anyone can break Skipjack messages in
> "production" volumes.
distributed.net may be the fastest relatively general-purpose computer
around, but I really doubt it's the fastest computer -- Deep Crack is
devoted strictly to breaking DES, but as I understand things, it's
substantially faster the distributed.net.
Deep Crack was built in 0.8 micron chips running at 50 MHz. Today,
simply due to improvements in chip technology, it would be quite
reasonably to build a similar design in .18 micron technology, which
would run at around 500 MHz. The move from .8 to .18 micron allows
you to put around 20 times as many encryption engines in the same die
area. The move from 50 to 500 MHz is another factor of 10. That
means the same number of chips would build a machine roughly 200 times
as fast today as it did then.
Doing some figuring, that seems to come to around $200 million US to
break SkipJack at a rate of one key per year -- an amount of money
that quite a few large companies or most government agencies could
afford fairly easily.
At least in my mind, that fits pretty closely with what I said before:
for most private people's uses, it's quite adequate and probably will
be for the next several years. For secrets that are really worth
attacking, and need to be secret for quite a while, it seems pretty
obvious that it's just not enough.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: ECC & RSA re: patents, copyrights
Date: Tue, 25 Jan 2000 22:42:49 -0700
In article <86l7em$2t4$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> How can RSA patent even exist if it is based upon implementing
> simple a mathematical operation?
Almost _every_ patent is based on implementing some relatively simple
operations. In fact, the best patents are typically the simplest
ones.
> And given the answer to that, is it likely something similar
> will happen with ECC technology? Or is there enough prior
> publications in circulation to prevent this?
Yes, I believe so. Certicom has a couple of patents on specific
methods of carrying out some of the operations in ECC, but it's
entirely possible to implement ECC without using them. About the only
possibility for ECC being patented would be that somebody applied for
a patent a long time ago, and the PTO still hasn't gotten around to
issuing the patent.
> I guess I am wondering if ECC has a future that looks like it
> will always remain free of patent obsticals?
Well, the PTO routinely sets records for being nearly the most
inefficient bureaucracy on earth, but if somebody applied for a patent
on ECC long enough ago to cover the technique in general, and it still
hasn't been issued, it's probably a new nadir even for the PTO.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
Date: Wed, 26 Jan 2000 00:52:51 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.security.pgp
Subject: Re: "Trusted" CA - Oxymoron?
"Douglas A. Gwyn" wrote:
> What one really needs is an irrevocable, unforgeable token of identity;
> it would constitute proof of *continuity* of identity, but of course
> not absolute identity. I.e. if the authenticator says I'm Frodo, then
> everything that has been authenticated as coming from Frodo has come
> from the same entity, but you don't necessarily know *any*thing else
> about that entity.
Well, if you are going to wish for lenses why not go whole hog and wish for
the lensmen as well?
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: Wed, 26 Jan 2000 05:55:08 GMT
On 26 Jan 2000 03:38:26 GMT, in <86lq7i$lr2$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] (Michael Kagalenko) wrote:
>[...]
> It produces clock drift, which can be measured to produce numbers as random
> as the thermal noise from a resistor.
No. Quartz crystal oscillator noise produces phase *jitter*, which is
*not* "drift." Jitter is a cycle-by-cycle period variation. Now, the
jitter itself *could* be detected and used as randomness, because it
is the direct result of noise. But that would require the ability to
detect picosecond differences on a cycle-by-cycle basis at the
oscillator frequency, e.g., 20 MHz, which would not be trivial.
Because noise is normally-distributed, tiny, and bipolar, it tends to
a mean of zero in just a few cycles. The result is "the" frequency.
Quartz crystal oscillator jitter does not cause frequency drift.
Ambient temperature variations do cause frequency drifts, but this
effect is well-known and repeatable.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
