Cryptography-Digest Digest #178, Volume #11      Mon, 21 Feb 00 20:13:03 EST

Contents:
  Re: How Useful is Encryption as Long as NSA Exists? ([EMAIL PROTECTED])
  Re: How Useful is Encryption as Long as NSA Exists? (John Savard)
  Re: NIST publishes AES source code on web (John Savard)
  Re: NSA Linux and the GPL (John Savard)
  Re: $200 reward ([EMAIL PROTECTED])
  Re: UK publishes 'impossible' decryption law (Eric Smith)
  Re: $200 reward ([EMAIL PROTECTED])
  crypto email list ("M. Hackett")
  Re: NIST publishes AES source code on web ("Brian Gladman")
  Q: Large interger package for VB? (Ed Pugh)
  Re: How Useful is Encryption as Long as NSA Exists? ([EMAIL PROTECTED])
  role of Prime Numbers in cryptography ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: How Useful is Encryption as Long as NSA Exists?
Date: Mon, 21 Feb 2000 22:30:38 GMT



> Even though all this is a big "what if" scenario, can someone (say,
> living outside of the U.S.) using a Windows operating system be
> positively sure that the U.S. cannot decrypt his encrypted
> communication or the encrypted information inside his computer, except
> by guessing the password (which is the most difficult way)? how about
> access his/her files through Microsoft?

I wholeheartedly have to agree with you that all the strong crypto is
much weaker than many people think because of the easiness of
side-channel attacks, like electronic backdoors, viruses and Trojan horses.
They are simpler, easier and cheaper than any attacks on the encryption
itself.

On the other hand, there are some strong arguments why one doesn't have
to see the situation all too black:

1.) Government agencies might want to be able to read encrypted mails and
decrypt files of foreign citizens, but they do not want their own
citizens and companies spied out by foreign agencies. That means, they
might not want backdoors that other parties like foreign intelligence
agencies can detect and exploit on their own.

2.) Government agencies, after all, probably also feel some political
responsibility and aren't very keen on getting bad press when some of
their backdoors get revealed by clever individuals or other countries.

That can lead to the conclusion that they might prefer to develop
specifically targeted side-channel attacks instead of general tools for
undermining all crypto all over the world. But: An agency like the NSA
could also feel so mighty that they think "well, okay, others may know
our backdoor as well, but we can warn our own people/companies soon
enough when they get attacked by others".

Hmm.... difficult to say what is more reasonable. Maybe it's wise to use
several encryption tools from different countries to encrypt your very
confidential email. And of course, even if the NSA does not install any
backdoors, it's still very wise not to use Microsoft products--- to
prevent loss of data ;-)

Greetings,

Erich Steinmann


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------


From: [EMAIL PROTECTED] (John Savard)
Subject: Re: How Useful is Encryption as Long as NSA Exists?
Date: Mon, 21 Feb 2000 22:38:55 GMT

On Mon, 21 Feb 2000 21:05:03 GMT, [EMAIL PROTECTED] wrote, in part:

To answer the question posed in the title, very useful. Most people
using encryption are not worried about the NSA, or even the cops,
reading their messages, but are rather concerned about eavesdropping
by private individuals - with unlawful purposes.

>As you all know there are rumors that Microsoft Windows products have
>an NSA backdoor. Why not, if throughout history the NSA has always
>convinced foreign crypto companies to have one too.

Of course, those things are rumors too.

>What protection is a safe with an infinite number
>of combinations if your enemy has the secret code? Code breaking ceases
>to become an issue.

Take an old 286. Use a BASIC program running on it to encrypt your
message (never letting its plaintext leave that computer), and put the
result in a text file. Carry it over to the computer you have
connected to the Internet, and transmit the text file from there.

If there was a backdoor in DOS that wrote hidden information on floppy
disks, it would have been found *long* ago.

I don't really want to give helpful hints to your friend in Costa
Rica, but this is sufficiently obvious as a counter to this
argument...never mind all the extra packets computers connected to the
Internet belonging to PGP users would need to send out. Sure, the
police do have software such as DIRT, but if someone tried to do
something like this to every computer, it would be found out fairly
quickly: there are too many hackers out there.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST publishes AES source code on web
Date: Mon, 21 Feb 2000 22:59:02 GMT

On Mon, 21 Feb 2000 15:45:32 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote, in part:

>It's easier to see what is wrong if
>you apply it to a non-emotional issue: Bad Guys presumably use
>pencils; we should regulate the use of pencils to hamper the
>Bad Guys.

But what makes the crypto issue "emotional" also has a material impact
on the argument. If crypto, unlike pencils, is something that is so
esoteric that _ordinary_ people have no need to use it, then the fact
that Clipper/Capstone means that one has to pay for tamper-proof
hardware to use crypto is OK, since the only people who need it - say,
banks, medical clinics, and so on - can afford it.

Of course, that isn't really true, but making that case is,
unfortunately, not trivially easy.

>The drug problem
>is a social and psychological problem, not something that can
>be solved by any amount of law enforcement.  The US should
>know better, from its previous dalliance with nationwide
>alcohol prohibition, but people don't learn from history and
>they seek easy solutions to problems that don't have easy
>solutions.

Since this isn't even talk.politics.crypto, I comment with
trepidation.

Prohibition is generally blamed on the early version of the feminist
movement. Alcohol abuse does often lead to spousal abuse, waste of
household resources, and so on...as well as the use of alcohol as an
aid to seduction.

The availability of alcohol has real costs. It stands to reason more
people will abuse alcohol if they have a greater opportunity to obtain
it, and can obtain it at lower cost. But Prohibition had immense
costs, not least in respect of the public's respect for the law, and
_that_ cost was a consequence of the fact that the prevailing culture
did not recognize the costs due to alcohol as intolerable, and saw
alcohol use as normal, not deviant and alien.

Since drug users tend to be looked upon as members of outcast
minorities to begin with, it is only in limited circles that the
prohibition on drug use - even in the case of marijuana use - has any
effect on respect for the law. As for the cost of drug use, while
moderate use of alcohol is not incompatible with a productive life, it
is unclear that there is any level of, say, opium use that is
consistent with either employability or fitness for military service. 

Other drugs aren't as immediately destructive: but in the case of
marijuana or cocaine, the problem is that someone can come to work
with his ability to perform his duties severely impaired by these drugs,
and be *far* less easy to spot than someone equally impaired by
alcohol.

Thus, even while we were to attempt to address the root causes of drug
use, it presents immediate hazards great enough to make it at least
seem to be appropriate to suppress drug use as far as possible by
direct enforcement methods in the meantime. (It may also be noted that
our society is, generally, at a loss for how one might address the
social causes of things like drug use. The obvious answer, a massive
redistribution of income for the purpose of eliminating poverty,
appears to be a political non-starter.)

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NSA Linux and the GPL
Date: Mon, 21 Feb 2000 23:02:11 GMT

On Mon, 21 Feb 2000 05:35:08 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote, in part:
>John Savard wrote:

>> Doubtless, one could add a sort of MLS to Linux with a few changes to
>> the kernel ...

>No, sorry.  You don't get a secure system by tweaking an insecure one.

Which is why I said "a sort of MLS", and noted that the end result
would only be a pretense of providing the functionality, since it
would provide the (inadequate) level of security given by the normal
file-protection mechanisms on the system.

(The result might be useful in introducing people to the concepts of
using a real MLS system.)

------------------------------

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: $200 reward
Date: Mon, 21 Feb 2000 15:31:21 -0800

There is, of course, no difference. I have a program for encrypting files. So
if I want to generate a stream of data I encrypt a file of binary zeroes.

Trevor Jackson, III wrote:

> [EMAIL PROTECTED] wrote:
>
> > I am offering a reward of $200 to the first person who can break the
> > cipher, the
> > description of which can be found below. It is a stream cipher. I have
> > generated two files.
> > The first file (cr_zeroes.bin) contains 1 Mbytes of binary zeroes XORed
> > with the
> > pseudo-random stream.
>
> I found this quite confusing. Can you please explain the difference between
> 1MB of stream data and 1MB of stream data XORed with 1MB of binary zeros?




------------------------------

From: Eric Smith <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: 21 Feb 2000 14:39:31 -0800

I wrote:
> The DDoS attack will probably *always* be possible.
> Encrypting TCP connections (or IP) will not prevent it.

Jerry Coffin <[EMAIL PROTECTED]> writes:
> You're right -- in fact, I doubt any but the most ignorant politicos 
> and such who've looked at it think anything being contemplated will 
> really stop DoS attacks.  There's still some hope and help available 
> from cryptography in general though: if every packet is signed, 
> tracking down the originator of a packet becomes a lot easier...

That only will help if the compromised systems keep logs of the originators
of packets that they receive.  And of course, the first thing the people
that compromise those systems will do (if they are smart, or if the person
who wrote the tools they use is smart) will be to delete such logs.

Given that we're talking about machines that aren't very well secured today,
it's unlikely that they will have fancy logging of all packet originator
signatures in the future.

Besides, if a major site such as Yahoo started requiring the request
originators to provide authenticated requests, don't you suppose that a
lot of people would switch to a competing site that didn't?

------------------------------

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: $200 reward
Date: Mon, 21 Feb 2000 15:33:14 -0800



Mok-Kong Shen wrote:

> Trevor Jackson, III wrote:
> >
> > [EMAIL PROTECTED] wrote:
> >
> > > I am offering a reward of $200 to the first person who can break the
> > > cipher, the
> > > description of which can be found below. It is a stream cipher. I have
> > > generated two files.
> > > The first file (cr_zeroes.bin) contains 1 Mbytes of binary zeroes XORed
> > > with the
> > > pseudo-random stream.
> >
> > I found this quite confusing. Can you please explain the difference between
> > 1MB of stream data and 1MB of stream data XORed with 1MB of binary zeros?
>
> That 'invention' is worth more than $200!
>

Could you please expand on that?

> M. K. Shen




------------------------------

From: "M. Hackett" <[EMAIL PROTECTED]>
Subject: crypto email list
Date: Mon, 21 Feb 2000 15:30:24 -0800

crypto email list:

Addresses:

Post message: [EMAIL PROTECTED] 
Subscribe:  [EMAIL PROTECTED]  
Unsubscribe:  [EMAIL PROTECTED]  

URL to this page: http://www.onelist.com/group/frac_codes

------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NIST publishes AES source code on web
Date: Mon, 21 Feb 2000 23:41:55 -0000


"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Brian Gladman wrote:

[snip]

> First, you didn't seem to have answered my point about 'informal'.

What I meant by informal is that the WA does not come into effect like a
Treaty does, dependent on whether national legislatures vote it into effect.
The WA simply is intended as a guide to promote consistent national
legislation on the part of participant nations but they are under no legal
obligation to do anything to implement its provisions.

The consequence in the crypto area is that countries that have strong
controls and those who have none can (and do) claim that their respective
actions are consistent with their obligations under the WA.

> Second, your paper argued with the help of the statement of purpose
> of WA that it 'will not impede bona fide civil transactions' to
> establish your claim that ANY software used for civil purposes is
> exempted from control. Am I right?

No, that's just one of many reasons given in the paper. The argument does not
rely on just one point.

[snip]
> the general statement doesn't apply. Now from the document entitled
> 'List of Dual-Use Goods and Technologies and Munitions List',
> Category 5, Part 1, 5.D.1, Software, and Category 5, Part 2, Note 3,
> isn't very clear that crypto software in symmetric algorithms with
> key length greater than 56 bits is under control? If you think it
> is not, please kindly show your arguments through quoting the

Whether something is controlled is determined by your national laws not by
the WA.  I am completely free to export commodity crypto products of any
strength to anyone provided they are not in a short list of 'nasty'
countries because this is what UK national law says.

> relevant text (or exact position) from that document together with
> your reasoning (the logic establishing your claim). May I stress
> once again that your argument based on 'impediment' only is not
> sufficient for an exemption in my conviction. If there are exemptions
> then in any legal documents such exemptions, being exceptions, should
> be clearly stated as exemptions and not left to the reader to
> exercise his reasoning of what should be included within the scope
> of the meaning of a word in a statement of general nature and what
> should be excluded. (In other words, the reader is not permitted
> to be a 'philosopher'.)

You can choose to debate the detail if you wish but not with me since I
reject your terms for the debate.  I prefer to base my argument on the
principles involved since if these principles can be shown not to apply to
commercial crypto then the details are of no importance since they are not
going to be applied nationally in many countries.

The huge differences in the national interpretations of the WA do not depend
on a different reading of the details. They are there because different
nations have looked at the principles involved and drawn very different
conclusions about any WA obligations they might have to restrict commercial
crypto.

    Brian Gladman




------------------------------

From: [EMAIL PROTECTED] (Ed Pugh)
Crossposted-To: comp.lang.basic.visual.3rdparty,comp.lang.basic.visual.misc,sci.math
Subject: Q: Large interger package for VB?
Date: 21 Feb 2000 23:48:51 GMT
Reply-To: [EMAIL PROTECTED] (Ed Pugh)


Hi.

I want to use Visual BASIC (5.0, pro ed'n, SP3) to do some
prototyping and experimenting with algorithms involving very
large natural numbers or integers.

Does anyone know if and where I can find and download a
*FREEWARE* (or *UNCRIPPLED* shareware) VB class or "library"
that can handle arbitrarily large natural numbers or integers
(up to a few thousand bits long)?  (And it has to work with
VB 5.0.)

The package must be able to handle large integer arithmetic
and, at the very least, must include functions to perform
basic math operations on large integers including addition,
subtraction, multiplication, division, and finding least
positive residues (i.e. the "remainder" of one large integer
divided by another).

If the package also includes any of the following, that would
be a bonus:

o modulo arithmetic including modulo addition, subtraction,
  multiplication and exponentiation

o "shifting" left or right by an arbitrary number of bits

o concatenating two large integers each of any arbitrary bit
  size, into one larger integer whose bit size is the sum
  of the bit sizes of the two original integers

o splitting a large integer at any arbitrary bit, into two
  smaller integers

o finding the gcd (or lcm) of two large integers (e.g.
  Euclid's Algorithm for gcd)

o finding the multiplicative inverse of one large integer
  modulo another (when the two integers are co-prime; e.g.
  Extended Euclid Algorithm)

o probabilistic primality testing (or deterministic or both;
  e.g. Fermat's test and/or Miller-Rabin test)

o UI for display and input of large numbers (I would like to
  be able to input and display large numbers in hexadecimal,
  decimal and binary).

o generate a good pseudo-random number of any arbitrary bit
  size

Yes, I *could* write such a package myself, but why re-invent
the wheel if it has already been done and is freely available?

(And, yes, I know that these operations on very large integers
will be painfully slow in VB, but this is just for prototyping
and experimenting; i.e. "playing around". :-)

If you follow-up here, that's great; but if you also cc: my
E-mail address:

[EMAIL PROTECTED] (alias [EMAIL PROTECTED])

that would be even greater (due to the number of cross-posts
for this query).

With thanks and regards,
--
Ed Pugh, <[EMAIL PROTECTED]>
Richmond, ON, Canada (near Ottawa)
"Bum gall unwaith-hynny oedd, llefain pan ym ganed."
(I was wise once, when I was born I cried - Welsh proverb)

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: How Useful is Encryption as Long as NSA Exists?
Date: Tue, 22 Feb 2000 00:30:23 GMT

John, I totally agree with your point below. Most people are just not
worried.

> To answer the question posed in the title, very useful. Most people
> using encryption are not worried about the NSA, or even the cops,
> reading their messages, but are rather concerned about eavesdropping
> by private individuals - with unlawful purposes.

Most people are alike. Most people go to the doctor, ask no questions,
and do whatever the doctor tells them to do. Many times this amounts to
taking some medication that treats (or hides) their current symptoms
while creating 10 different side effects and/or new conditions. People
feel this way because they assume that the doctor is an expert in
curing them and wants what's best for his patients. If the doctor was
like this indeed, then it would make sense that people adopted this
attitude. On the other hand, the fact of the matter is that many times
doctors don't know shit, and unless the patient becomes informed they
are screwed. Putting your life in someone's hands without asking
questions or challenging that person's beliefs is dangerous. Thus, just
like most people pop a pill whenever their doctor tells them to do so,
most people are happy using encryption to protect their stuff from
their neighbors, co-workers, and hackers.

As for myself, if I am going to use a mousetrap I am going to make sure
that it can kill all types of mice. If I take a pill to cure a cold I
want to make sure that it does not give me cancer in the process.

Why are you so worried about the NSA you ask? It is not that I am doing
anything illegal, far from it. Anyone can make an argument saying that
those who worry are those that are hiding something? This argument has
been going on since the beginning of man (I think). It is not that a
person wants to hide anything, it is just that the person wants and has
a total right to complete privacy. I guess the possibility that someone
will be doing something extremely illegal when they are taking a shower
can exist. Nobody will ever know about it. But this does not mean that
we should let the police rig a camera to all bathrooms just in case a
murder is being committed in there. After all, only the police would be
watching us and not our neighbors, right?

> Of course, those things are rumors too.

You make a great point by emphasizing that rumors about Microsoft
products having a back door are only rumors.

This is the way I see it.

Strong encryption with enough combinations and no backdoors is probably
the only method of communication remaining that the NSA cannot listen
to. I guess they are pretty pissed off about this.

If the key length would be long enough the only way that the NSA would
be able to decrypt a message in less than 100 years would be by

HAVING THE KEY.

How can they get the key. I guess the number of ways are endless...but
an easy way would be to cut a deal with a U.S. company, especially one
whose products are already installed on virtually every computer in the
world. The odds of this happening I think are high.

> If there was a backdoor in DOS that wrote hidden information on floppy
> disks, it would have been found *long* ago.

A question on this point: How would anyone ever know if the NSA has the
keys? Is it possible for the NSA to have the keys without making it so
obvious in the programming code?

> I don't really want to give helpful hints to your friend in Costa
> Rica, but this is sufficiently obvious as a counter to this

Seriously, I don't have any friends there. My uncle lived there once
but he is far from being Al Capone or Scarface. I just used Costa Rica
as an example because I know that some criminals escape to that country
because they won't send you back to the U.S.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: role of Prime Numbers in cryptography
Date: Tue, 22 Feb 2000 00:30:59 GMT

Hello,
  I'm assisting with research for a High School Math project focusing
on the role of prime numbers in cryptography.  No, I'm not a math or
crypto guy, but I do believe that demonstrating how prime numbers are
used in cryptography can spark the interest of young students.
  Someone once showed me how an initial key exchange can be negotiated
in plaintext by using formulas and prime numbers, but I can't remember
who, or enough of the examples to make sense.  This was in the context
of ssl, Diffie-Hellman, or something along the line of PKI.
  If you can point me in the right direction, I'd appreciate it!

  Many thanks,



Sent via Deja.com http://www.deja.com/
Before you buy.
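
Added example (not part of the original post or of the digest): the exchange the question above describes is Diffie-Hellman, where both parties publish values computed from a prime and still end up with a key an eavesdropper does not learn. The 128-bit prime size, the generator 4 and all function names are assumptions chosen for illustration; real deployments use standardized groups of 2048 bits or more.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test: False means composite, True means almost surely prime."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                         # write n - 1 as d * 2**s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness that n is composite
    return True

def generate_safe_prime(bits=128):
    """Find p = 2q + 1 with p and q both prime (toy size, an assumption)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

G = 4  # 4 = 2**2 is a square, so it generates the subgroup of prime order q

def keypair(p):
    q = (p - 1) // 2
    priv = secrets.randbelow(q - 1) + 1       # secret exponent in [1, q - 1]
    return priv, pow(G, priv, p)              # (kept secret, sent in the clear)

def valid_public(y, p):
    """Reject 0, 1, p - 1 and anything outside the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1

def shared_key(priv, peer_pub, p):
    if not valid_public(peer_pub, p):
        raise ValueError("peer public value rejected")
    secret = pow(peer_pub, priv, p)           # g**(a*b) mod p on both sides
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()

def run_exchange(bits=128):
    p = generate_safe_prime(bits)
    a_priv, a_pub = keypair(p)                # Alice's side
    b_priv, b_pub = keypair(p)                # Bob's side
    return {
        "public_transcript": {"p": p, "g": G, "A": a_pub, "B": b_pub},
        "alice_key": shared_key(a_priv, b_pub, p),
        "bob_key": shared_key(b_priv, a_pub, p),
    }

if __name__ == "__main__":
    result = run_exchange()
    print("eavesdropper sees:", result["public_transcript"])
    print("keys match:", result["alice_key"] == result["bob_key"])
```

Everything in `public_transcript` travels in plaintext; recovering either private exponent from it is the discrete logarithm problem, which is why the prime must be large and why each side validates the other's public value before using it.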

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
