Cryptography-Digest Digest #581, Volume #11      Thu, 20 Apr 00 06:13:00 EDT

Contents:
  Re: Requested: update on aes contest (Jim Gillogly)
  Re: Montgomery squaring (Anton Stiglic)
  blowfish question (Arnold Yau)
  40-Bit DES Question ([EMAIL PROTECTED])
  Re: Why encrypt email... (Dan Day)
  Re: A future tenant of the dog house?? (JPeschel)
  Re: 40-Bit DES Question (Jim Gillogly)
  Re: blowfish question ("Kasper Pedersen")
  Re: Regulation of Investigatory Powers Bill (Mikey B)
  Re: ? Backdoor in Microsoft web server ? [correction] (Diet NSA)
  Re: Requested: update on aes contest (James Felling)
  Re: 40-Bit DES Question ([EMAIL PROTECTED])
  Re: diff between Symetric and Asymetric Keys (Jerry Coffin)
  Re: A future tenant of the dog house?? ("Stou Sandalski")
  Williams' Public-Key Cryptosystem Question (BenMoss)
  Re: Paper on easy entropy (Diet NSA)
  Re: Requested: update on aes contest (Bruce Schneier)
  Re: Requested: update on aes contest (Bruce Schneier)
  Re: Requested: update on aes contest (James Felling)
  Decryption with info (mindlag)

----------------------------------------------------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Requested: update on aes contest
Date: Wed, 19 Apr 2000 17:31:34 +0000

"Trevor L. Jackson, III" wrote:
> 
> Bruce Schneier wrote:
> 
> > I found it very interesting that, depending on the assumptions made,
> > algorithms could have vastly different performance characteristics.
> >
> > >The greatest part of the whole conference was definitely the end, where a
> > >representative of each team had a chance to explain why his cipher is
> > >better than the others, it was fun.
> >
> > I thought so, too.  The most fascinating thing, to me, is that every
> > group believed that they should be chosen as AES.  On the surface, this
> > is very surprising.  The only explanation I can come up with is that
> > every group knows their algorithm the best, and is most confident with
> > it.  Kind of like the "devil you know" as applied to block ciphers.
> 
> This is an interesting observation.  If it generalizes to be applicable to the
> community of open crypto as a group it says something negative about our
> satisfaction with the current crop of ciphers.

Perhaps so.  Bruce's suggestion is that each team knows the benefits
of their own algorithm best.  It could also be "They're all good and
we see that ours is better than the others in some metrics and not
all that much worse in others, so ours might as well win."  That is,
it becomes a matter of taste, depending on what you think are the most
important features if they're all indistinguishable in security.

The real losers (and some non-losers, but not everybody can make it to
the finals) have already been pruned, and it says something <positive>
that nobody's been able to score more head shots with a reduced target
list and some additional time.

It also makes the teams' second choice (after their own) look more
useful as a distinguishing characteristic: Steve Bellovin said most
of the submitting teams preferred Rijndael if their own was not chosen.
-- 
        Jim Gillogly
        Sterday, 29 Astron S.R. 2000, 17:19
        12.19.7.2.9, 1 Muluc 12 Pop, Fourth Lord of Night

------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Montgomery squaring
Date: Wed, 19 Apr 2000 13:46:05 -0400


JCA wrote:

>     I am looking for a reference describing Dusse and Kaliski's
> approach to Montgomery squaring. Can anybody provide any
> pointers?

In Eurocrypt '90 "A cryptographic library for the Motorola DSP 56000",
Dusse and Kaliski discuss Montgomery modular multiplication (but
I never actually read it).




------------------------------

From: Arnold Yau <[EMAIL PROTECTED]>
Subject: blowfish question
Date: Wed, 19 Apr 2000 19:04:39 +0100

I am trying to implement the blowfish algorithm. In Schneier's book on
p338 it says in step 2 "XOR Pi with the first 32 bits of the key...".
But in the source code in the function InitializeBlowfish apparently it
uses bitwise OR instead:
        ...
        data = (data << 8) | key[j];
        ...
(and yes, I am aware of the bug in this line of code concerning signed
chars.)

Undoubtedly the result of the two different implementations (XOR and OR)
will yield different results, but the question is: which one IS
blowfish? Which may or may not be the same question as: which
implementation is cryptographically stronger?

Also I'd like to know whether the test vectors for blowfish provided on
www.counterpane.com/blowfish written by Randy Milbert is based on the
XOR or OR implementation.

Any answers or comments appreciated.

arnold

------------------------------

From: [EMAIL PROTECTED]
Subject: 40-Bit DES Question
Date: Wed, 19 Apr 2000 18:17:40 GMT

I assume that for 40-Bit DES, known bits are set in the 56 bit DES key.
Can someone tell me which bits are set and to what value? Also, where
is this defined, FIPS?


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Dan Day)
Subject: Re: Why encrypt email...
Date: Wed, 19 Apr 2000 18:32:15 GMT

On Wed, 19 Apr 2000 11:27:46 GMT, Tom McCune <[EMAIL PROTECTED]>
wrote:
>
>I think what is probably needed is something of a combination of what you 
>describe (or InvisiMail like) for regular use, and additionally something like 
>PGP for real sensitive material.

What's *really* needed is an addition to the internet mail protocol,
which allows a user to store a "retrievable" copy of his public key,
and a query/response mechanism by which an email client could try to
retrieve that key behind the scenes.

After that was in place, it would be easy for writers of email
software to start supporting such features.

Until then, it simply is not going to catch on if "transparent"
email encryption requires both parties to be using a specific,
custom email client.


--
   "How strangely will the Tools of a Tyrant pervert the 
plain Meaning of Words!"
   --Samuel Adams (1722-1803), letter to John Pitts, January 21, 1776

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: A future tenant of the dog house??
Date: 19 Apr 2000 18:45:40 GMT

"Trevor L. Jackson, III" [EMAIL PROTECTED] writes:



>We definitely need a web site specializing in outrageous claims re crypto
>products. 

The one below does something like that.

J
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: 40-Bit DES Question
Date: Wed, 19 Apr 2000 18:48:32 +0000

[EMAIL PROTECTED] wrote:
> 
> I assume that for 40-Bit DES, known bits are set in the 56 bit DES key.
> Can someone tell me which bits are set and to what value? Also, where
> is this defined, FIPS?

I hope you're asking so that you can break it, rather than so that you
can implement it.  IBM's responsible for one incarnation of this: look
up CDMF, for Commercial Data Masking Facility.  To their credit, they
didn't call it encryption.  But still... in these days of more relaxed
export restrictions there isn't even the lame justification that companies
used to have for writing emasculated pseudo-crypto.

Knowingly producing broken crypto when good crypto is no more expensive
to achieve should be punished by going out of business.  Bad crypto is
worse than no crypto, because it gives the user the mistaken impression
that their data is secure.  A user who knows her data is in the clear
will exercise some circumspection.
-- 
        Jim Gillogly
        Sterday, 29 Astron S.R. 2000, 18:43
        12.19.7.2.9, 1 Muluc 12 Pop, Fourth Lord of Night

------------------------------

From: "Kasper Pedersen" <[EMAIL PROTECTED]>
Subject: Re: blowfish question
Date: Wed, 19 Apr 2000 18:55:30 GMT


"Arnold Yau" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I am trying to implement the blowfish algorithm. In Schneier's book on
> p338 it says in step 2 "XOR Pi with the first 32 bits of the key...".
> But in the source code in the function InitializeBlowfish apparently it
> uses bitwise OR instead:
> ...
> data = (data << 8) | key[j];
> ...
> (and yes, I am aware of the bug in this line of code concerning signed
> chars.)
>
> Undoubtedly the result of the two different implementations (XOR and OR)
> will yield different results, but the question is: which one IS
> blowfish? Which may or may not be the same question as: which
> implementation is cryptographically stronger?

The only place they will yield different results is if key[] is a signed
char.

data is 32 bits or more wide, and you just shifted 8 left. Thus bits 0..7 are
0, and it won't matter whether you choose assignment, xor or or.
This is just assembling the bytes to avoid endianness problems.

IF on the other hand you incorrectly use a signed char, a negative number
will expand to FFFFFFxx, and you will get different results for the
(incorrectly implemented because of signed/unsigned, not or/xor) algorithm.

/Kasper
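The signed/unsigned point Kasper makes, as an added C example that is not code from the thread or from the Blowfish reference source: it assembles one 32-bit word of key material from a constructed 4-byte key, first with an unsigned char key (OR, XOR and addition all give the same word) and then with a signed char key (bytes 0x80 and above are sign-extended, so OR and XOR diverge and clobber the bytes already shifted in). The function names and the sample key are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Assemble one 32-bit word the way a Blowfish key schedule does: shift
 * left 8 and bring in the next key byte, wrapping around the key as
 * InitializeBlowfish does.  op selects the operator under discussion:
 * 0 = OR (posted source), 1 = XOR (book's wording), 2 = plain addition.
 * key is unsigned, so key[*j] is zero-extended and lands in the low 8
 * bits that the shift just cleared; all three operators agree. */
static uint32_t next_word_unsigned(const unsigned char *key, int keylen,
                                   int *j, int op)
{
    uint32_t data = 0;
    for (int i = 0; i < 4; i++) {
        if (op == 0)      data = (data << 8) | key[*j];
        else if (op == 1) data = (data << 8) ^ key[*j];
        else              data = (data << 8) + key[*j];
        *j = (*j + 1) % keylen;
    }
    return data;
}

/* The same loop with the key declared as signed char, reproducing the
 * bug Arnold mentions.  A byte >= 0x80 is promoted to a negative int and
 * converted to uint32_t as 0xFFFFFFxx, so the OR sets every bit above
 * the low byte and the XOR flips them; the two now differ and both
 * corrupt the bytes already shifted into data. */
static uint32_t next_word_signed(const signed char *key, int keylen,
                                 int *j, int op)
{
    uint32_t data = 0;
    for (int i = 0; i < 4; i++) {
        if (op == 0) data = (data << 8) | key[*j];
        else         data = (data << 8) ^ key[*j];
        *j = (*j + 1) % keylen;
    }
    return data;
}

/* Constructed sample key; 0x80 and 0xFF are the bytes that trigger
 * sign extension when the key is read through a signed char pointer. */
static const unsigned char SAMPLE_KEY[4] = {0x01, 0x02, 0x80, 0xFF};

/* First word of SAMPLE_KEY with the unsigned key type. */
static uint32_t first_word_unsigned(int op)
{
    int j = 0;
    return next_word_unsigned(SAMPLE_KEY, 4, &j, op);
}

/* First word of SAMPLE_KEY read as signed char. */
static uint32_t first_word_signed(int op)
{
    int j = 0;
    return next_word_signed((const signed char *)SAMPLE_KEY, 4, &j, op);
}

/* 1 if OR, XOR and addition agree for the unsigned key, as the thread
 * says they must; 0 otherwise. */
static int unsigned_variants_agree(void)
{
    uint32_t a = first_word_unsigned(0);
    return a == first_word_unsigned(1) && a == first_word_unsigned(2);
}

int main(void)
{
    printf("unsigned key, OR : %08x\n", (unsigned)first_word_unsigned(0));
    printf("unsigned key, XOR: %08x\n", (unsigned)first_word_unsigned(1));
    printf("signed key,   OR : %08x\n", (unsigned)first_word_signed(0));
    printf("signed key,   XOR: %08x\n", (unsigned)first_word_signed(1));
    printf("unsigned variants agree: %d\n", unsigned_variants_agree());
    return 0;
}
```

With the unsigned key every variant yields 010280ff; with the signed key OR yields ffffffff and XOR yields 01027fff, so a test vector mismatch between two Blowfish implementations points at the key's char signedness, not at OR versus XOR.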



------------------------------

From: Mikey B <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,alt.computer.security
Subject: Re: Regulation of Investigatory Powers Bill
Date: Wed, 19 Apr 2000 20:01:09 +0100

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...
> 
> Robert Stonehouse wrote in message
> <[EMAIL PROTECTED]>...
> >"Scotty" <[EMAIL PROTECTED]> wrote:
> >...
> >>Now compare that with the new clause in the RIP bill:

<SNIP>

>With respect that's nonsense, if you can satisfy a judge and jury that 
>you have forgotten the key you can't be found guilty.

That's the whole problem with the bill: if you can satisfy the judge and 
jury that you don't know the key then you are not guilty; if you can't, 
then you are therefore guilty. This puts the onus on the defendant to 
prove that they do not know the key.

That in my mind at least implies that they are guilty, unless they can 
prove that they are innocent. According to the Declaration of Human 
Rights, everyone should have the right to be tried as innocent until 
proven guilty.

>>
>>>Rather like driving with excess alcohol or speeding, failure to comply with
>>>a decryption notice is an absolute offence, i.e. you're automatically guilty
>>>until you can show you're innocent. (For example, a defence of 'I drove with
>>>excess alcohol because a terrorist hijacked my car and made me do it at gun
>>>point' would have to be proved by the defence beyond reasonable doubt).
>>
>>No, it is not 'guilty until proved innocent'. It has to be shown you
>>are a person who has or has had the key.

That is a completely different situation. With the drink driving 
conviction, there is usually evidence that you were driving the car (such 
as video from the police car), and then there is the evidence in the form 
of a blood test that there was an excess of alcohol in the bloodstream. 
This is a completely different situation.

>That is what I wrote.
>
>>If that is shown, then you
>>have a duty to keep and produce the key.
>
>No, same reason as before.
>

<SNIP>

>There is no mention in the act of any 'duty to know the key'. Most of the
>time you will not know the actual key used since the password you type is
>*not* the key. The key may have been destroyed making the password useless.
>If you can satisfy a judge and jury that you have forgotten the key then you
>can't be found guilty.

Yes, but the bill makes it an offence to not decrypt the data on demand. If 
you can't, then you have to prove that you don't have the key; if you 
can't prove it, then you are presumed guilty. You are therefore guilty 
unless you can prove yourself innocent.

-- 

ø¤°`°¤ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°
Mikey B

[EMAIL PROTECTED]
http://www.bsoft.co.uk
ø¤°`°¤ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤

------------------------------

Subject: Re: ? Backdoor in Microsoft web server ? [correction]
From: Diet NSA <[EMAIL PROTECTED]>
Date: Wed, 19 Apr 2000 12:25:23 -0700


In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:

>Diet NSA wrote:
>> Y'all might want to take a look at this
>> recent & brief news article entitled
>> "Gates and Gerstner Helped NSA Snoop"
>> which discusses the _NSAKEY, etc.
>
>We already thoroughly discussed and debunked that.
>

Actually, this forum has *never*
discussed the comments made by
Congressman Curt Weldon. You seem to be
in an awful hurry to "debunk" certain
kinds of claims. *If* you are helping the
Feds or Military as some type of
disinformer (even voluntarily on your own
time) you might not want to be too
obvious about it.

"Weldon disclosed that high level deal-
making on access to encrypted data had
taken place between the NSA and IBM and
Microsoft".
(Like the above string in dvwssr.dll, I
personally don't see any important
evidence that the NSAKEY is any kind of a
significant backdoor.)

There are some Europeans who want to
form a committee to investigate these
type of claims and also how Echelon may
have been used. The CIA and NSA are
opposed to the formation of this
committee and the Europeans involved
seem naive to believe that they can
uncover anything significant
through official channels. Anyways, the
above article I mentioned is now
available at:

http://www.theregister.co.uk/000412-000020.html


"I feel like there's a constant Cuban Missile Crisis in my pants."   
    - President Clinton commenting on the Elian Gonzalez situation
=======================================================================
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Requested: update on aes contest
Date: Wed, 19 Apr 2000 14:46:36 -0500



Bruce Schneier wrote:

> On Mon, 17 Apr 2000 18:38:38 -0400, Anton Stiglic <[EMAIL PROTECTED]>
> wrote:
> >I went to FSE and AES3 last week in New York.  It was the first time
> >I had been in a conference that discusses symmetric encryption.
> >I have a few thoughts...
> >
> >None of them have been obviously broken.  Attacks that were
> >presented against these 5 ciphers necessitate extreme amounts
> >of memory and/or computation, and the attacks were just slightly
> >better than brute force, and this on a limited number of rounds.
> >What amazed me is the small number of people that are actually
> >working on breaking these ciphers; all the interesting attacks
> >came from either the Twofish team (or extended Twofish team)
> >or from Knudsen or Biham or Lucks.  The Mars, Rijndael and RC6
> >teams seemed to have not invested much effort in cryptanalysis.
> >Interestingly enough, the only cipher that has not been attacked
> >is Twofish.
>
> People have tried, though.  Sean Murphy and his group at Royal
> Holloway have written about the "key separation" property, but have
> not been able to turn that into an attack on any reduced-round
> variants.  Lars Knudsen presented an attack on Tuesday, which he
> retracted on Thursday because it didn't work.  We've tried, too.

Key Separation property?  Where can I find that paper/details?  Perhaps I
just overlooked it?



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: 40-Bit DES Question
Date: Wed, 19 Apr 2000 19:52:09 GMT

SSL 3.0 has 40-bit DES as a valid algorithm for "securing" the socket.
Only doing what is spec'ed. I assume it is for outside US to a US
server that this is required.

In article <[EMAIL PROTECTED]>,
  Jim Gillogly <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> >
> > I assume that for 40-Bit DES, known bits are set in the 56 bit DES key.
> > Can someone tell me which bits are set and to what value? Also, where
> > is this defined, FIPS?
>
> I hope you're asking so that you can break it, rather than so that you
> can implement it.  IBM's responsible for one incarnation of this: look
> up CDMF, for Commercial Data Masking Facility.  To their credit, they
> didn't call it encryption.  But still... in these days of more relaxed
> export restrictions there isn't even the lame justification that companies
> used to have for writing emasculated pseudo-crypto.
>
> Knowingly producing broken crypto when good crypto is no more expensive
> to achieve should be punished by going out of business.  Bad crypto is
> worse than no crypto, because it gives the user the mistaken impression
> that their data is secure.  A user who knows her data is in the clear
> will exercise some circumspection.
> --
>       Jim Gillogly
>       Sterday, 29 Astron S.R. 2000, 18:43
>       12.19.7.2.9, 1 Muluc 12 Pop, Fourth Lord of Night
>



------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: diff between Symetric and Asymetric Keys
Date: Wed, 19 Apr 2000 14:17:05 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> For those that get confused by the difference between asymetric and
> symetric keys [this came up earlier].  Here is a prime example:
> 
> This is a 256-bit RSA moduli:
> n =
> 64888175226511475729307106563515763635617513357155694169169668250943812167819
> 
> I bet someone could factor it on their home computer in a bit.  

Well, it does take a fair amount of time, but yes, a computer doesn't 
even have to be terribly fast to come up with:

213992804043672785042055563478990027397
and
303225968352042123782345632613508197327

in a day or so.
 
> The same cannot be said about searching a 256-bit keyspace for a
> symmetric key.  

Quite true.  To try to exhaust a 256-bit keyspace, you don't talk in 
days anymore, nor even in terms of weeks, years or centuries -- about 
the only reasonable unit of measure is the number of times the 
currently estimated life of the universe, and even using that as your 
unit, you're talking about a LOT of them (even assuming you have more 
computers than there are estimated to be atoms in the universe).

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: "Stou Sandalski" <tangui [EMAIL PROTECTED]>
Subject: Re: A future tenant of the dog house??
Date: Wed, 19 Apr 2000 13:35:01 -0700


"James Muir" <[EMAIL PROTECTED]> wrote in message
news:8dkk4k$o8l$[EMAIL PROTECTED]...
> I stumbled across "Polymorphic Cryptography" today:
>
> http://www.identification.de/crypto/index.html
> http://www.identification.de/crypto/descript.html
>
> Here's a quote from the splash page:
>
> "Common ciphers like DES and RSA are extremely slow when calculating on
> long keys. Polymorphic Cryptography is 10^1500 times as secure at
> comparable encryption speed!"
>

Damn I hate when companies make such outrageous claims (i.e. "Through the use
of sophisticated internal algorithms acme firewall can withstand... "). And
how exactly would one go about calculating that one algo. is 10^1500 times
more secure than another one... and wait... how can something be a certain
number of times "as secure" as something else? Wouldn't it be "more secure"
than something else?


> Here's another one from the description page:
>
> "The widespread DES algorithm has long been supposed to be unbreakable.
> In January 1999 a test performed by RSA Data Security, Inc. (San Mateo,
> Calif., USA) proved that it takes less than 22.25 hours to crack the 56
> bit algorithm by brute-force (by trying all 256 possibilities)."

256 possibilities? What is that all about? I thought 2^56 >>> 256... then
again 2+2=5 for large values of 2.  Wow, ~11 keys per hour, my atari can
crack faster than that o )


Stou






------------------------------

From: [EMAIL PROTECTED] (BenMoss)
Subject: Williams' Public-Key Cryptosystem Question
Date: 19 Apr 2000 20:37:24 GMT

Apologies for the explanations of equations using words rather than symbols!

I have been following the details of the public-key cryptosystem due to H. C.
Williams that appeared in Cryptologia, Vol 9, Number 3 in July 1985. The
cryptosystem is based upon numbers of the form q = a + b(c^(1/2)), where a,b
and c are integers.

The encryption process involves raising a number alpha of the form q to the
power 2ed:
    (alpha)^(2ed) is congruent to +/- (alpha)   (mod R)     (R = pq, as n in RSA),
where ed is congruent to (w + 1)/2 (mod w)
and (alpha)^w is congruent to +/- 1  (mod R).

My question is as follows:
Why must (alpha)^(2ed) be congruent to +/- (alpha)  (mod R) and hence ed be
congruent to (w + 1)/2 (mod w), rather than (alpha)^(ed) being congruent to
+/- (alpha)   (mod R) and hence ed be congruent to (w + 1) (mod w)?

Is it because (alpha) must be raised to an even power? And if so, why is this
the case?

Apologies again for the mixture of symbols and words in the question. Any help
would be much appreciated,

Thanks,

Ben
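As an added check on the relations stated in the question (this is not part of Ben's post, and it does not settle why Williams chose the even exponent): writing out the exponent shows what each choice of ed gives, assuming w is odd so that (w + 1)/2 is an integer, and using only the post's hypothesis that $\alpha^{w} \equiv \pm 1 \pmod R$.

$$ed \equiv \frac{w+1}{2} \pmod w \;\Longrightarrow\; 2ed = (w+1) + 2kw \quad \text{for some integer } k,$$

$$\alpha^{2ed} = \alpha^{w+1}\,(\alpha^{w})^{2k} \equiv \alpha \cdot \alpha^{w} \cdot (\pm 1)^{2k} \equiv \pm\alpha \pmod R,$$

where the sign is exactly the sign of $\alpha^{w}$, independent of $k$. With the alternative $ed \equiv w+1 \equiv 1 \pmod w$, i.e. $ed = 1 + kw$,

$$\alpha^{ed} = \alpha\,(\alpha^{w})^{k} \equiv (\pm 1)^{k}\,\alpha \pmod R,$$

so both exponents return $\pm\alpha$, but with $ed$ alone the sign is the sign of $\alpha^{w}$ raised to $k$, i.e. it depends on the parity of $k$ rather than on $\alpha^{w}$ alone.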

------------------------------

Subject: Re: Paper on easy entropy
From: Diet NSA <[EMAIL PROTECTED]>
Date: Wed, 19 Apr 2000 13:38:33 -0700


In article <[EMAIL PROTECTED]>, Tom St Denis <[EMAIL PROTECTED]> wrote:

>"Trevor L. Jackson, III" wrote:
>> You may want to read up a bit on keyboard usage.  I believe the USSR used
>> keyboard-generated keys, and this contributed to the crack of the system.  I
>> think you'll find the references under the Venona Project.
>
>Where can I find this info?
>
>Tom
>

Trevor Jackson is right. About three years
ago, my relative and her husband came to
my house and showed us a video tape
about the declassification of the VENONA
project (which was made known to the
public in 1995). The husband, M. Gardner,
had worked for the NSA and was the
person who reconstructed the foreign
intelligence (VENONA) code book,
revealing the Soviets' codes. (Of course,
he didn't do this all by himself- his
success was enabled by work on matched
pairs of messages being done by a small
group of women, including K. McDonald).

Instead of using a proper RNG, the
Soviets used clerks banging away on
keyboards and made the critical error of
using some pads more than once (I don't
know why they did this). The declassified
info regarding VENONA is available in the
documents section on the NSA's website.




------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Requested: update on aes contest
Date: Wed, 19 Apr 2000 20:40:03 GMT

On Wed, 19 Apr 2000 17:31:34 +0000, Jim Gillogly <[EMAIL PROTECTED]> wrote:
>
>It also makes the teams' second choice (after their own) look more
>useful as a distinguishing characteristic: Steve Bellovin said most
>of the submitting teams preferred Rijndael if their own was not chosen.

Almost.  Most of the submitting teams preferred Rijndael WITH MORE
ROUNDS if their own algorithm was not chosen.  It's an important
qualification.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Requested: update on aes contest
Date: Wed, 19 Apr 2000 20:43:40 GMT

On Wed, 19 Apr 2000 14:46:36 -0500, James Felling
<[EMAIL PROTECTED]> wrote:
>> People have tried, though.  Sean Murphy and his group at Royal
>> Holloway have written about the "key separation" property, but have
>> not been able to turn that into an attack on any reduced-round
>> variants.  Lars Knudsen presented an attack on Tuesday, which he
>> retracted on Thursday because it didn't work.  We've tried, too.
>
>Key Separation property?  Where can I find that paper/details?  Perhaps I
>just overlooked it?

Basically, Murphy observed that since the S-boxes only use half the
entropy of the key, it may be possible to partition the keyspace in
such a way as to take advantage of this, and then take advantage of
this.  

Key separation is a property that exists in almost every cipher, and
sometimes it can be exploited.  For example, some of our attacks
against MARS make use of the fact that only half of the key bits are
used in the pre- and post-whitening keys.

We've looked extensively at using this property to attack Twofish, and
so has Murphy.  Neither group has come up with anything.  We
specifically designed the key schedule to resist obvious ways to
partition the keyspace, and it looks like we were successful.

Murphy's paper is somewhere on the NIST website.  He wrote one for the
1st round comments, and another for the 2nd round comments.  We wrote a
response to his 1st round comments, and are preparing another for his
2nd round comments.  Our response is on the Twofish webpage.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Requested: update on aes contest
Date: Wed, 19 Apr 2000 16:11:00 -0500


Bruce Schneier wrote:

> On Wed, 19 Apr 2000 14:46:36 -0500, James Felling
> <[EMAIL PROTECTED]> wrote:
> >> People have tried, though.  Sean Murphy and his group at Royal
> >> Holloway have written about the "key separation" property, but have
> >> not been able to turn that into an attack on any reduced-round
> >> variants.  Lars Knudsen presented an attack on Tuesday, which he
> >> retracted on Thursday because it didn't work.  We've tried, too.
> >
> >Key Separation property?  Where can I find that paper/details?  Perhaps I
> >just overlooked it?
>
> Basically, Murphy observed that since the S-boxes only use half the
> entropy of the key, it may be possible to partition the keyspace in
> such a way as to take advantage of this, and then take advantage of
> this.
>
> Key separation is a property that exists in almost every cipher, and
> sometimes it can be exploited.  For example, some of our attacks
> against MARS make use of the fact that only half of the key bits are
> used in the pre- and post-whitening keys.
>
> We've looked extensively at using this property to attack Twofish, and
> so has Murphy.  Neither group has come up with anything.  We
> specifically designed the key schedule to resist obvious ways to
> partition the keyspace, and it looks like we were successful.
>
> Murphy's paper is somewhere on the NIST website.  He wrote one for the
> 1st round comments, and another for the 2nd round comments.  We wrote a
> response to his 1st round comments, and are preparing another for his
> 2nd round comments.  Our response is on the Twofish webpage.

Thanks, I knew about that commentary, I just spaced it.  Thanks for a prompt
(and informative) response.

>
>
> Bruce
> **********************************************************************
> Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
> 101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
>            Free crypto newsletter.  See:  http://www.counterpane.com


------------------------------

Subject: Decryption with info
From: mindlag <[EMAIL PROTECTED]>
Date: Wed, 19 Apr 2000 14:19:27 -0700

A program that we use 'Foolproof Security' has a password
recovery tool. It requires that you input two things. A hex code
that you get from the program, and the backup administrator
password. I also have the encryption key in hex. I am trying to
make a program to help people who have forgotten their backup
administrator password. I need it to be able to cycle through
letters, like brute forcing the password, and then return the
results to a file. Here is a better way to illustrate it.

Admin Password: www.wired.com
Recovery Key: FFCC9B1E2F4F80F0406690A054A464C
You enter that and it returns the password 'daytona'

I am pretty sure it runs that info through this encryption key:
55639B15E13FB2C0D4C737515D0231CA0BBF5727421F65AF2F1D12519F854D98.


If anyone knows a way to make this program, please e-mail me or
reply to this message. I am new to cryptography, and have
probably forgotten some key info that you guys need. Thanks in
advance for your help.




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
