Cryptography-Digest Digest #336, Volume #11      Wed, 15 Mar 00 05:13:01 EST

Contents:
  Re: pedagogical provably stupid protocols (David A Molnar)
  Re: new Echelon article ([EMAIL PROTECTED])
  Re: how to introduce hs students to cryptography ("Steven Alexander")
  Q: Fourier and other transforms (Mok-Kong Shen)
  Re: [Tabloid Humor] Greatest threat ever to computer security ("Steven Alexander")
  Re: pedagogical provably stupid protocols (Mark Currie)
  Re: [Tabloid Humor] Greatest threat ever to computer security ("Steven Alexander")
  Re: pedagogical provably stupid protocols ("Douglas A. Gwyn")
  Re: Improvement on Von Neumann compensator? (Mok-Kong Shen)
  Re: Linear Cryptanalysis and Walsh transform (Terry Ritter)
  Re: Q: Fourier and other transforms (Terry Ritter)
  Re: Improvement on Von Neumann compensator? (Terry Ritter)
  Re: new Echelon article (Mok-Kong Shen)
  Re: Q: Fourier and other transforms (Mok-Kong Shen)

----------------------------------------------------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: pedagogical provably stupid protocols
Date: 15 Mar 2000 06:36:29 GMT

D. J. Bernstein <[EMAIL PROTECTED]> wrote:
> The standard example is the original RSA system, which didn't hash the
> message being signed.

Oh, right. I should have thought of that. It's even better, because the
"equivalent to factoring" variants for encryption break completely under
chosen ciphertext attack.

Thanks much for pointing that out! 

Thanks, 
-David


------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.politics.org.cia,alt.politics.org.nsa,alt.journalism.print,alt.journalism.newspapers
Subject: Re: new Echelon article
Reply-To: [EMAIL PROTECTED]
Date: Wed, 15 Mar 2000 07:46:20 GMT

On Wed, 15 Mar 2000 00:19:02 GMT, [EMAIL PROTECTED] wrote:

>http://www.wired.com/news/politics/0,1283,34932,00.html

This particular article is about James Woolsey, the former director of
central intelligence, telling foreign journalists that Echelon and
other eavesdropping facilities are used against European and Asian
industry solely to ferret out bribery, which may be practiced but
still is illegal in the U.S. Spoonful of sugar and he thinks you'll
swallow this load of crap.  The crime is that, although the article
was unsigned, the reporter let Woolsey get by with this "excuse"
without confrontation with facts obvious to even the most casual of
observers.

Let's put it this way -- former DCI Woolsey was and is paid to lie.
Mr. Woolsey is lying by telling only partial truths, e.g. the U.S.
intelligence agencies scan for bribery. I don't doubt that; but I'm
also positive that is not the _only_ type of industrial espionage
conducted by the intelligence services.

At the very least, and in the name of defense, these agencies monitor
the flow of certain chemicals and certain equipment because the U.S.
wants to keep tabs on those who are developing weapons -- chemical,
biological, nuclear, etc.  And _that_ is industrial espionage because
you have to monitor that at the manufacturing level. As I've noted
before, how could General Dynamics/Electric Boat build a better
submarine if it didn't have access to the submarine weapon
capabilities of the U.S.'s enemies, as well as its friends.  I won't
even go into the use of USS Liberty (AGTR-5) to collect data on weapon
capabilities of Israel and Egypt. So there, Mr. Woolsey, indisputable
fact the U.S. really does perform industrial espionage on its friends
and enemies.

Where these agencies have crossed the line is passing along various
tidbits to specific U.S. corporations for primarily profit purposes.
(Note: looking the other way, in my book at least, condones if not
encourages this.)  Any company in the U.S. that earns profit by
winning overseas contracts can use that profit to annihilate its
competition in the U.S. (See results of "Afghan Freedom Fighters,"
Asian heroin dealers, South American cocaine cartels)

Sure, Boeing and McDonnell Douglas (for instance) have created jobs --
but where have all the private airplane manufacturers in the U.S.
gone?  Were these large aircraft manufacturers nurtured at the federal
intelligence tit and allowed to grow at the expense of the smaller,
more innovative businesses that create the most jobs?

The U.S. gave Microsoft a significant leg up. Considering the amount
of revenues it earns from sales to government (federal, state, county,
municipal) and the number of its shares held by federal, state, county
and municipal retirement funds, it might just as well be a federal
agency. But it did so at the expense of DR-DOS, OS/2, Unix and
Macintosh to name a few.  And this doesn't count any intelligence
benefits the company may or may not have received.

The Rosetta Stone of this whole shebang is an article written in 1996
by Baltimore Sun staffer Scott Shane.  Largely dismissed by the
prestige press and the networks, it nonetheless remains timely and
demands answers.  But since this facet of the intelligence agencies is
used as carrots for campaign funding by both parties and, along with
the SBA and Commerce, as a personal piggybank, it's doubtful lasting
changes would be made, even if they could.

The article follows: 

FWD: From The (Baltimore) Sun:
========================================================================
Mixing business with spying
Secret information is passed routinely to U.S. companies
========================================================================
By Scott Shane
SUN STAFF

At least once a day, a CIA courier stops by the Department of Commerce
in downtown Washington with a packet of top-secret information,
gathered around the globe by satellites picking up phone calls, agents
inside foreign governments and American spies posing as businessmen
abroad.

The Central Intelligence Agency packets have gotten fatter in recent
years, as U.S. spies have shifted their focus from Soviet missiles to
international trade. And the nuggets of information inside can be used
not only to make policy but to make a buck.

In the case of John Huang, the international businessman turned
Commerce Department official turned Democratic Party fund-raiser,
there is no evidence or allegation that he misused secret intelligence
he was given on the job.

But the scrutiny of Huang's position at Commerce has opened a rare
window on the department's growing role as a link between the
intelligence agencies and the business world.

"There's greater potential for conflict of interest when the
information can be used for direct economic benefit," said Jeffrey T.
Richelson, author of several books on U.S. intelligence. "You have
prohibitions on insider trading on the stock market. This is just a
different kind of insider information."

Security laws prohibit passing secret intelligence directly to
outsiders who lack the proper clearance. But former intelligence
officials and other experts say tips based on spying nonetheless
regularly flow from the Commerce Department to U.S. companies to help
them win contracts overseas. And there are few specific guidelines
governing the practice.

"I think the government has got a major weakness there," said Loch K.
Johnson, a historian and author who served on the staff of the Brown
Commission, which recommended intelligence reforms last March. "At
Commerce, there's no code or book to consult to say when and what
information can be passed to a U.S. company."

Huang served from 1994 until early this year as the principal deputy
assistant secretary of commerce for international economic policy. In
a deposition this week, Huang denied that while at the Commerce
Department he had "any commercial dealing, any involvement" with his
former employer, the Indonesia-based Lippo Group, which paid him
nearly $900,000 in the year before he took his government job.

But Huang, like other top political appointees at the Commerce
Department, came from and returned to a private sector where a morsel
of information can be turned into a feast of profit. Documents
released by the department this week underscore how routine the
mingling of Commerce officials and CIA analysts has become.

One such document consists of minutes from an August 1994 Commerce
Department meeting attended by Huang to identify major contracts open
for bid in Indonesia in order to help U.S. companies win the work. A
CIA employee, Bob Beamer, spoke at the meeting; five of the 16 people
on the routine distribution list for the minutes were from the CIA.

Commerce officials say Huang had a top-secret security clearance and
received weekly intelligence briefings. The briefings were conducted
by the department's Office of Executive Support -- a new name for the
office previously known as Intelligence Liaison -- which receives
information from the CIA and distributes it to officials with the
proper clearances.

Since Huang was the principal deputy to the assistant secretary of
commerce for international economic policy, his interests "covered the
world" but had an East Asia focus, the Commerce Department statement
said. Huang "was provided copies of relevant intelligence material,"
it added.

"The specter it raises is that Mr. Huang, after getting his
intelligence briefing, could have picked up the phone and called his
old colleagues at Lippo and said: `Why don't you sell this, or buy
that, based on what I heard?' " said Matthew M. Aid, a Washington
researcher writing a book on the National Security Agency, whose
eavesdropping provides much of the most important commercial
intelligence.

For most Asian and European governments, such sharing of intelligence
with corporations "is a very common practice," Aid said. "If you're in
the Suharto government, you see increasing the wealth of Lippo as
increasing the wealth of Indonesia."

Johnson, the staff member of the intelligence reform commission
chaired by former Defense Secretary Harold Brown, said providing
intelligence-based information to a foreign company would always be
inappropriate, if not illegal. But officials at the departments of
Commerce, Treasury and State sometimes pass information to U.S.
companies without revealing the intelligence source, he said.

If, for instance, a government official learned that a foreign
competitor was about to win a contract sought by a U.S. company,
"someone in Commerce might call a U.S. executive and say, `Look, you
might have a better shot at that contract if you sweetened your bid a
little,' " Johnson said. "They pass on the information. But they
usually do it in a very veiled fashion."

Former CIA Director Robert M. Gates said the decision to share with a
company information derived from spying should never be made by an
official on his own.

"The decision to assist a U.S. company should be made openly, on a
policy level," Gates said. "Among other things, you have to find a way
to sanitize the material to protect sources and methods."

William E. Odom, a former NSA director who is now at the Hudson
Institute in Washington, said the intelligence agencies and the
Commerce Department collaborated throughout the Cold War to prevent
U.S. companies from exporting products with military applications to
the East Bloc.

"You could use that information to catch the bad guys," Odom said.
"But you don't make money off that kind of information."

Now, with Commerce officials trying to turn the billions spent on
intelligence to the benefit of U.S. business, "it doesn't take a great
deal of imagination to see the potential for abuse," Odom said. "You
finally just have to have honest officials."
=======================================================================
 Originally Published on 11/01/96 -- Copyright 1996 The Baltimore Sun

------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Re: how to introduce hs students to cryptography
Date: Wed, 15 Mar 2000 07:46:48 GMT

>Just so you and any other non-US posters know -- 12th grade is the last
>year of high school in the US. The students will be in the neighborhood
>of 17 to 18 years old. The original poster is in a better position to
>write about their math preparation than I am, since that varies widely
>from school to school and student to student.


At most public high schools the highest math offered is either first or
second year Calculus (designed for the Calculus AB and BC Advanced Placement
tests).  So, at most the students have studied single variable calculus and
basic algebra/trigonometry (they call it precalculus).

-steven



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Q: Fourier and other transforms
Date: Wed, 15 Mar 2000 08:58:50 +0100

I learned previously that Fourier transform has been applied to
encryption of bit sequences. There are, however, a number of
newer transforms of that sort, e.g. the Haar and wavelet transforms.
On the other hand, a search of these in Schneier's AC or Menezes'
Handbook failed. Menezes et al. mention FFT only in relation to 
its use in doing large integer computations, but not in the context
of encryption. Does anyone have literature pointers to articles
about application of the different transforms to encryption of
bit sequences and perhaps also a comparative evaluation of these?
Many thanks in advance.

M. K. Shen

------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Crossposted-To: alt.computer.security
Subject: Re: [Tabloid Humor] Greatest threat ever to computer security
Date: Wed, 15 Mar 2000 07:52:58 GMT

>Well, the "Weekly World News" is a tabloid known for rather far
>fetched stories, like the infamous "Statue of Elvis Found on Mars"
>story.
>
No kidding, several years back I saw a "Weekly World News" television
edition that featured a church where people were supposedly baptized with
jumper cables.

-steven



------------------------------

Subject: Re: pedagogical provably stupid protocols
From: [EMAIL PROTECTED] (Mark Currie)
Date: 15 Mar 2000 08:04:53 GMT

Given the protocols you mention, maybe you want something more complex
or up-to-date, but here is a classic that is easy to explain to your friends.
In the original ISO drafts for entity authentication using symmetric keys, the
protocol could be defeated by using parallel sessions.

The protocol works like this:

A --> B: ra
B --> A: Ek(ra),Ek(rb)
A --> B: rb

Where rx is a nonce, Ek(rx) is the encryption of the nonce using the key k.

The attacker M defeats the protocol by intercepting messages to B and starting 
a parallel session with A:

A --> M: ra
M --> A: ra              // M starts a parallel session-2 with A
A --> M: Ek(ra),Ek(ra1)  // A answers session-2 challenge
M --> A: Ek(ra),Ek(ra1)  // M reflects this back as the answer to session-1
A --> M: ra2             // A completes session-1
M --> A: ra2             // M reflects ra2 back to complete session-2

Badly designed public-key protocols can also be defeated using reflection or
parallel session attacks.

Mark

In article <8an8km$vro$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
>
>Does anyone know of any simple examples of protocols which can be
>"proved" or otherwise convincingly and *correctly* argued as "good" --
>but according to a fatally flawed definition of goodness? 
>
>This question is motivated by an attack I heard about on an optimistic
>contract signing protocol. In this protocol, parties send messages back
>and forth, and have the option of invoking a trusted third party if
>anything goes wrong. In normal operation, the third party will look at
>its log of received messages and either abort the protocol or provide
>both parties with a mutually signed contract.
>
>The problem was that one party could wait until after it had received 
>a signed contract, then invoke the trusted third party. Under some
>special circumstances, this could cause an abort and leave only one
>party with a mutually signed contract. The definition of "fair
>exchange" used for the proof of this protocol didn't
>take this into account. As a result, while the protocol was
>"provably" fair, you could achieve a manifestly UNfair result from it.
>
>That's the idea, anyway. I don't have it written down anywhere, so I am
>sure I have the details wrong. If the details are around, I'd love to
>know where.
>
>Another example comes from Birgit Pfitzmann's classic paper (ok,
>1995) on "How To Break ANOTHER 'Provably Secure' Payment
>Scheme". Here, the problem was that the payment scheme enforced
>anonymity and security by making use of zero-knowledge proofs which were
>not themselves anonymous. While not exactly the same kind of "flawed
>definition" as the previous case, it's still an example of what I'm
>looking for: good proofs, bad definitions, worse consequences.
>
>The problem is that both these examples are fairly sophisticated. I
>would like something I can show to my not so cryptographically oriented
>friends and have them understand without too much handwaving. 
>In addition, I am now writing columns for the ACM Crossroads magazine,
>and would like to put together something clear and accessible to a wide
>audience on the problem of crypto definitions. 
>
>Has anyone seen any such protocols? 
>
>Thanks, 
>-David Molnar

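The exchange above, replayed as an added example that is not part of Mark Currie's post: a single honest party A runs both sessions with the same key k, exactly as in the transcript, and the draft token Ek(rx) lets the reflected answers complete both sessions, whereas a token that also encrypts the responder's identity (the remedy the published ISO/IEC 9798-2 mechanisms adopt by including identifiers in the token) makes A reject message 2 of session-1. The toy 4-round Feistel cipher standing in for Ek and all names (Party, token, respond, check_response, honest_run, reflection_attack) are mine, not the ISO draft's.

```python
"""Reflection attack on the draft ISO symmetric-key protocol, and the fix.

Added example (not from the post). Ek is a toy 4-round Feistel cipher built
on SHA-256; it stands in for whatever block cipher the draft assumed.
"""
import hashlib
import os


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def encrypt(key, block):
    """Toy 16-byte block cipher: 4 Feistel rounds, Luby-Rackoff style."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r


def decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, i, l))), l
    return l + r


class Party:
    """Honest party holding the shared key k; may initiate or respond."""

    def __init__(self, name, key, bind_identity):
        self.name, self.key, self.bind = name, key, bind_identity

    def token(self, nonce, responder):
        # Draft protocol: Ek(rx).  Fixed protocol: Ek(rx || responder-id),
        # so a token A produced while *responding* cannot pass as B's answer.
        ident = responder.encode().ljust(8, b"\0") if self.bind else bytes(8)
        return encrypt(self.key, nonce + ident)

    def respond(self, ra):
        """Message 2 as responder: Ek(ra), Ek(rb). rb is kept for message 3."""
        rb = os.urandom(8)
        return self.token(ra, self.name), self.token(rb, self.name), rb

    def check_response(self, ra, peer, msg2):
        """Initiator's check of message 2; returns rb for message 3, or None."""
        t_ra, t_rb = msg2
        if t_ra != self.token(ra, peer):      # wrong nonce or wrong identity
            return None
        return decrypt(self.key, t_rb)[:8]


def honest_run(bind_identity):
    """A initiates with B; True when both sides accept."""
    k = os.urandom(16)
    A, B = Party("A", k, bind_identity), Party("B", k, bind_identity)
    ra = os.urandom(8)                          # A --> B: ra
    t1, t2, rb = B.respond(ra)                  # B --> A: Ek(ra), Ek(rb)
    return A.check_response(ra, "B", (t1, t2)) == rb   # A --> B: rb


def reflection_attack(bind_identity):
    """Currie's transcript: M holds no key and reflects A's own answers.

    True when M completes session-1 (posing as B) and session-2 as well.
    """
    k = os.urandom(16)
    A = Party("A", k, bind_identity)
    ra = os.urandom(8)                          # A --> M: ra              (session-1)
    t_ra, t_ra1, ra1 = A.respond(ra)            # M --> A: ra; A --> M: Ek(ra),Ek(ra1) (session-2)
    rb = A.check_response(ra, "B", (t_ra, t_ra1))  # M --> A: Ek(ra),Ek(ra1) (session-1)
    if rb is None:
        return False                            # fixed protocol: A rejects session-1
    return rb == ra1                            # A --> M: ra2; M --> A: ra2 closes session-2
```

reflection_attack(False) returns True (the draft accepts the reflection) and reflection_attack(True) returns False, while honest runs succeed under both variants.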

------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Crossposted-To: alt.computer.security
Subject: Re: [Tabloid Humor] Greatest threat ever to computer security
Date: Wed, 15 Mar 2000 08:10:39 GMT

Does anyone have a copy of this?  The link is no longer working.

-steven

[EMAIL PROTECTED] wrote in message <8akf58$kt$[EMAIL PROTECTED]>...
>
>
>http://www.weeklyworldnews.com/stories/1745.html
>
>
>
>I'm going down, all the way down
>on the highway to Hell   -AC/DC
>
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: pedagogical provably stupid protocols
Date: Wed, 15 Mar 2000 07:20:21 GMT

David A Molnar wrote:
> I would like something I can show to my not so cryptographically
> oriented friends ...

The simplest interesting example is probably mutual authentication
as suggested early in the evolution of PK, with a "man in the middle"
faking both identities.  It starts out looking secure, it's easy to
understand, and it's of practical importance.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Improvement on Von Neumann compensator?
Date: Wed, 15 Mar 2000 10:02:37 +0100

Terry Ritter wrote:

> Recently I tried to use a Geiger counter to produce random values,
> only to find that the event rate seemed to vary much more than I
> expected.  With the tube positioned close to a lantern mantle, the

Probably a very dumb question: Is it possible with today's techniques
to get random values out of Brownian motions?

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Linear Cryptanalysis and Walsh transform
Date: Wed, 15 Mar 2000 09:11:05 GMT


On Wed, 15 Mar 2000 14:14:54 +0800, in <[EMAIL PROTECTED]>,
in sci.crypt Raphael Phan Chung Wei <[EMAIL PROTECTED]> wrote:

>Hi,
>
>It is stated that the Walsh transform can be used as a measure of the
>linearity of a boolean function.  It is used to determine the
>correlation of a number of input bits to an output bit.
>
>How do we use the Walsh transform to do that?  How do we use Walsh
>transform on a nonlinear equation such as
>F(A, B, C) = ABC xor BC xor B xor C in order to obtain several linear
>approximations with probability not equal to 1/2 ?

I have a functioning HTML and JavaScript page which describes the
transformation and performs it for Boolean nonlinearity purposes; see:

   http://www.io.com/~ritter/JAVASCRP/NONLMEAS.HTM

.  Some entries in my glossary also may be of interest.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM

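The Walsh transform computation the quoted question asks for, as an added example that is not part of this thread or of the page Ritter links: it tabulates F(A, B, C) = ABC xor BC xor B xor C, computes W(a) = sum over x of (-1)^(F(x) xor a.x) for every mask a with the fast butterfly, and converts each W(a) into the probability that the linear approximation a.x agrees with F, which is how the linear approximations with probability other than 1/2 are read off. The function names are mine.

```python
"""Walsh transform of F(A, B, C) = ABC xor BC xor B xor C.

Added example for the thread above; function names are mine, the maths is
the standard Walsh-Hadamard spectrum used in linear cryptanalysis.
"""
from itertools import product


def F(a, b, c):
    """The Boolean function from the question, over bits a, b, c."""
    return (a & b & c) ^ (b & c) ^ b ^ c


def truth_table(f, n):
    """f(x) for x = 0 .. 2^n - 1, the first argument being the high bit."""
    return [f(*bits) for bits in product((0, 1), repeat=n)]


def walsh_transform(table):
    """W(a) = sum over x of (-1)^(f(x) xor a.x), for every mask a.

    Fast Walsh-Hadamard butterfly, O(n 2^n) instead of O(4^n).
    W(a) = 2^n means f == a.x exactly; W(a) = -2^n means f == a.x xor 1.
    """
    w = [1 - 2 * bit for bit in table]           # 0 -> +1, 1 -> -1
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def linear_approximations(f, names):
    """Every linear approximation a.x of f with P[f(x) = a.x].

    Returns (expression, W(a), probability) per mask. Probability 1/2
    (W(a) = 0) means no correlation; the useful approximations are the
    masks with large |W(a)|.
    """
    n = len(names)
    size = 1 << n
    rows = []
    for a, wa in enumerate(walsh_transform(truth_table(f, n))):
        # bit k of the mask (high bit first) selects input names[k]
        terms = [nm for k, nm in enumerate(names) if (a >> (n - 1 - k)) & 1]
        expr = " xor ".join(terms) if terms else "0"
        rows.append((expr, wa, (size + wa) / (2 * size)))
    return rows


def best_approximation(f, names):
    """The linear function closest to f and how often it agrees with f.

    A negative W(a) would mean the complement a.x xor 1 is the one that
    agrees with probability 1 - p; here the best mask has positive W.
    """
    expr, _, p = max(linear_approximations(f, names), key=lambda r: abs(r[1]))
    return expr, p


def nonlinearity(f, n):
    """Hamming distance from f to the nearest affine function."""
    w = walsh_transform(truth_table(f, n))
    return (1 << (n - 1)) - max(abs(v) for v in w) // 2


if __name__ == "__main__":
    for expr, wa, p in linear_approximations(F, ("A", "B", "C")):
        print(f"F ~ {expr:<15} W = {wa:+d}  P[F = approx] = {p:.3f}")
    # nonlinearity 1: F differs from B xor C at exactly one input (A=0,B=1,C=1)
    print("nonlinearity:", nonlinearity(F, 3))
```

The spectrum comes out as [-2, 2, 2, 6, -2, 2, 2, -2] (Parseval: squares sum to 64 = 4^3), so F = B xor C holds with probability 7/8 and every other non-trivial mask only with 5/8 or 3/8.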

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Q: Fourier and other transforms
Date: Wed, 15 Mar 2000 09:22:24 GMT


On Wed, 15 Mar 2000 08:58:50 +0100, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>I learned previously that Fourier transform has been applied to
>encryption of bit sequences. There are, however, a number of
>newer transforms of that sort, e.g. the Haar and wavelet transforms.
>On the other hand, a search of these in Schneier's AC or Menezes'
>Handbook failed. Menezes et al. mention FFT only in relation to 
>its use in doing large integer computations, but not in the context
>of encryption. Does anyone have literature pointers to articles
>about application of the different transforms to encryption of
>bit sequences and perhaps also a comparative evaluation of these?
>Many thanks in advance.

I suppose there really is little point in saying that my Balanced
Block Mixer (see:

   http://www.io.com/~ritter/#BBMTech

) was developed specifically as a general keyable transform.  That is,
it takes a width of bits, converts any possible value, and has an
inverse, like Simple Substitution.  But beyond that, it guarantees
mixing, and can be used in FFT-like patterns to mix wide blocks.  Also
see the original article:

   http://www.io.com/~ritter/NEWS/94031301.HTM

which gives some comparisons.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Improvement on Von Neumann compensator?
Date: Wed, 15 Mar 2000 09:29:06 GMT


On Wed, 15 Mar 2000 10:02:37 +0100, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>[...]
>Probably a very dumb question: Is it possible with today's techniques
>to get random values out of Brownian motions?

Presumably.  The closest I get to "Brownian motion" is electrical
noise, which can provide fine unknowable values.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,alt.politics.org.nsa,alt.journalism.print,alt.journalism.newspapers
Subject: Re: new Echelon article
Date: Wed, 15 Mar 2000 10:41:11 +0100

[EMAIL PROTECTED] wrote:

> This particular article is about James Woolsey, the former director of
> central intelligence, telling foreign journalists that Echelon and
> other eavesdropping facilities are used against European and Asian
> industry solely to ferret out bribery, which may be practiced but
> still is illegal in the U.S. Spoonful of sugar and he thinks you'll
> swallow this load of crap.  The crime is that, although the article
> was unsigned, the reporter let Woolsey get by with this "excuse"
> without confrontation with facts obvious to even the most casual of
> observers.

If there were a robot that is programmed to ferret out 'bribery'
information out of the whole stuff collected and destroy all the
rest, the scene would indeed have a different flavour. But there
are humans, and these at different levels of payroll. Even if
the top-level ones were really all gentlemen, strictly performing
according to laws and instructions, how is one going to control
the conduct of a large number of the not-so-well-paid employees who
have materials constantly and secretly passing through their hands
that are worth hundreds of thousands of dollars?

M. K. Shen
============================
http://home.t-online.de/home/mok-kong.shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Q: Fourier and other transforms
Date: Wed, 15 Mar 2000 11:01:55 +0100

Terry Ritter wrote:
> 
> <[EMAIL PROTECTED]> wrote:
> 
> >of encryption. Does anyone have literature pointers to articles
> >about application of the different transforms to encryption of
> >bit sequences and perhaps also a comparative evaluation of these?
> >Many thanks in advance.
> 
> I suppose there really is little point in saying that my Balanced
> Block Mixer (see:
> 
>    http://www.io.com/~ritter/#BBMTech
> 
> ) was developed specifically as a general keyable transform.  That is,
> it takes a width of bits, converts any possible value, and has an
> inverse, like Simple Substitution.  But beyond that, it guarantees
> mixing, and can be used in FFT-like patterns to mix wide blocks.  Also
> see the original article:
> 
>    http://www.io.com/~ritter/NEWS/94031301.HTM
> 
> which gives some comparisons.

Not having studied your papers, I guess you are embedding the
FFT technique 'into' a cipher construction. What I think one
could also do with some profit is presumably at a more primitive
(simpler) level than what you do, namely one applies a certain one
of the various transforms to a given sequence (the whole message
perhaps) and obtains a sequence of the coefficients and subsequently
applies a chosen encryption algorithm to that sequence. I guess that
that pre-processing could add something of value. Evidently one
could also change the type of transform and employ more than one
transform (of different types) to further complicate the matter.

M. K. Shen

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
