Cryptography-Digest Digest #973, Volume #11       Thu, 8 Jun 00 05:13:00 EDT

Contents:
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (zapzing)
  Re: Enigma Variations (John Savard)
  Re: Enigma Variations (John Savard)
  Re: testing non linearity of arithmetic-logic combinations ("Douglas A. Gwyn")
  Re: Cipher design a fading field? ("Douglas A. Gwyn")
  DES question ("Paul Pires")
  Re: Is OTP unbreakable?/Station-Station ("Douglas A. Gwyn")
  Re: Enigma Variations ("Douglas A. Gwyn")
  Re: Enigma Variations ("Douglas A. Gwyn")
  Re: Enigma Variations ("Douglas A. Gwyn")
  Re: Thoughts on an encryption protocol? (David A. Wagner)
  Re: equation involving xor and mod 2^32 operations (David A. Wagner)
  3DES performance (Hämäläinen Panu)
  Arithmetic Coding ("steffen markert")
  Re: questions on TEA (dexMilano)
  Re: Cryptographic voting (Greg)
  Primitive element ("Jesper Stocholm")
  Re: Cryptographic voting (Greg)
  Re: Cryptographic voting (David A Molnar)
  Re: Cryptographic voting (Greg)
  Re: Primitive element (Eric Hambuch)
  Re: Another Idea for attacking Storin (Mark Wooding)
  Re: Primitive element (David Blackman)
  Re: Primitive element (Mok-Kong Shen)
  Re: Thoughts on an encryption protocol? (Volker Hetzer)

----------------------------------------------------------------------------

From: zapzing <[EMAIL PROTECTED]>
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Thu, 08 Jun 2000 04:12:56 GMT

OK, just for you, I have developed a new authentication
protocol! I'm re-crossposting to sci.crypt because
I want it reviewed by the people there. Before you generate
your private PGP key, generate a lot of random bits.
You'll have to make sure you have enough but I'm not
sure how many that would be. Record them, call them
H0. Generate H1 from H0 by hashing H0. Do this "several"
times. Then use Hn as the seed for the PRNG that you use
to generate your private PGP key. Now if your private
PGP key is compromised you can still prove you are the
person who generated that key by giving the PRNG key
Hn. If you have to do it again you can give Hn-1, and
so on.

What you would do in practice is announce that you were
renewing your PGP key, giving the new PGP key (which you
generated similarly) along with the value of Hn in the
message, and "authenticating" that message by using a
keyed MAC, with Hn-1 as the key. After everyone important
had seen the first message, you would publish Hn-1, with
a little message that says "this is the Hn-1 I was telling
you about".

If the authorities suspect you have set up this sort of
thing, that is where the other Hi's come in. Just lie
about how many Hi's there are. Then, when you get out of
prison and move to Hong Kong, just use the other Hi's
you didn't tell them about.



--
If you know about a retail source of
inexpensive DES chips, please let
me know,  thanks.


Sent via Deja.com http://www.deja.com/
Before you buy.
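The chain-and-reveal scheme above, worked through as an added example (this is not code from the post; the SHA-256 hash, HMAC-SHA256 as the keyed MAC, the message layout and the function names are my assumptions). Renewal number k publishes H(n-k+1), MACs the announcement under H(n-k), and later reveals H(n-k); a verifier accepts only when the revealed value hashes to the published one and the MAC checks under it.

```python
import hashlib
import hmac
import secrets


def make_chain(h0: bytes, n: int) -> list:
    """Return [H0, H1, ..., Hn] where H(i+1) = SHA-256(Hi). H0 is the recorded
    random seed; Hn is what seeds the PRNG for the PGP key."""
    chain = [h0]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


def announce(chain: list, depth: int, new_key_fp: bytes) -> dict:
    """Renewal number `depth` (1 = first renewal). The announcement carries the
    new key's fingerprint and the chain value being disclosed, and is MACed with
    the next value down the chain, which stays secret until the reveal step."""
    public = chain[-depth]
    mac_key = chain[-depth - 1]
    body = b"renew:" + new_key_fp + b":" + public.hex().encode()
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return {"body": body, "tag": tag, "public": public}


def verify_reveal(announcement: dict, revealed: bytes) -> bool:
    """Second message: the claimant publishes the MAC key. A verifier who kept
    the announcement accepts only if (1) hashing the revealed value gives the
    value that was published, i.e. it really is the chain predecessor, and
    (2) the MAC on the announcement verifies under it. Someone who knows only
    the published value would need a SHA-256 preimage to pass either check."""
    if hashlib.sha256(revealed).digest() != announcement["public"]:
        return False
    expected = hmac.new(revealed, announcement["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, announcement["tag"])


def forged_announcement(announcement: dict) -> tuple:
    """What an impostor who has seen the published value can do: MAC his own
    announcement under a key of his choosing. When he has to reveal that key,
    it does not hash to the published value, so verifiers reject it."""
    bogus_key = secrets.token_bytes(32)
    body = b"renew:" + b"IMPOSTOR-KEY" + b":" + announcement["public"].hex().encode()
    tag = hmac.new(bogus_key, body, hashlib.sha256).digest()
    return {"body": body, "tag": tag, "public": announcement["public"]}, bogus_key


def demo() -> dict:
    # Constructed seed for a reproducible run; a real H0 is fresh random
    # output, e.g. secrets.token_bytes(32).
    chain = make_chain(b"constructed-demo-seed-H0", 5)
    first = announce(chain, 1, b"KEYFP-2000")    # publishes H5, MAC key H4
    second = announce(chain, 2, b"KEYFP-2001")   # publishes H4, MAC key H3
    forged, bogus_key = forged_announcement(first)
    return {
        "first_ok": verify_reveal(first, chain[-2]),            # reveal H4: accepted
        "first_wrong_reveal": verify_reveal(first, chain[-3]),  # H3 is not H4's preimage
        "second_ok": verify_reveal(second, chain[-3]),          # reveal H3: accepted
        "forgery_ok": verify_reveal(forged, bogus_key),         # impostor rejected
    }


if __name__ == "__main__":
    print(demo())
```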

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Enigma Variations
Date: Thu, 08 Jun 2000 04:20:17 GMT

On Wed, 07 Jun 2000 09:01:59 +0100, John Spicer
<[EMAIL PROTECTED]> wrote, in part:

>This led me to wonder what was the state of the cryptography used by the
>Allies and what in-roads had the Germans and Japanese made?  Did the
>Allies learn from their successes against the Axis cryptos and
>strengthen their own, or did they fall into the same traps?

Well, the British did. The Typex was designed to combine the strengths
of the Abwehr Enigma (frequent rotor stepping) and the more common
form of the Enigma (extra rotors replaced the plugboard).

Before World War II, the Americans used electrical rotor machines -
where rotor stepping was done electrically instead of mechanically.
This led to the SIGABA, where one set of rotors governed the stepping
of the rotors that actually did the encipherment. This was far beyond
anything the Axis used.

However, some Allied cryptosystems were broken. The Germans captured
and solved codes used for British merchant shipping, and they broke
the American slide and cylinder ciphers, variants of the Bazeries
cylinder, used by the Americans, without having captured the
apparatus, and despite the fact that these systems were designed to be
resistant to the standard de Viaris method of attack. The SIGABA
machines were closely guarded, so they didn't guard the same
proportion of the Americans' communications as the Enigma did of the
Germans'.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Enigma Variations
Date: Thu, 08 Jun 2000 04:23:38 GMT

On Wed, 07 Jun 2000 17:12:19 GMT, [EMAIL PROTECTED]
(Jim) wrote, in part:

>The successes against the Japanese machine 'Magic' was an American 
>success, not British. They don't always get the credit for that, at
>least in this newsgroup.

I'm surprised to hear that.

The American success against PURPLE, because of the Pearl Harbor
controversy, became known shortly after the War, and I would have
thought everyone with an interest in the subject knew that.

But the British may also have done some work on the Japanese stepping
switch machines: something in the papers on Frode's site looked like a
mention of PURPLE under another name.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: testing non linearity of arithmetic-logic combinations
Date: Thu, 08 Jun 2000 05:13:43 GMT

In addition to what was said in other responses,
"linearity" can be reasonably defined in more than one
(nonequivalent) way.
The other respondents seem to be assuming the usual operations
in GF(2), which is probably the most reasonable choice.
In that context, if you want a maximum degree of nonlinearity
you probably want what is called a "bent function".
I suspect a Web search would find a few papers on the topic.
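As an added example (not from the post), the standard GF(2) test Gwyn refers to: compute the Walsh spectrum of a Boolean function, read off its nonlinearity (distance to the nearest affine function) and check the bent condition. The functions at the bottom are constructed for the demo, including one arithmetic-logic mix of the kind the subject line asks about.

```python
def truth_table(f, n: int) -> list:
    """Table of an n-variable Boolean function f(x0, ..., x(n-1)), indexed by
    the integer x whose bit i is x_i."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]


def walsh_spectrum(tt: list, n: int) -> list:
    """W_f(w) = sum over x of (-1)^(f(x) xor <w,x>) for every linear mask w.
    |W_f(w)| = 2^n - 2*dist(f, <w,x>), so it measures closeness to affine."""
    spec = []
    for w in range(1 << n):
        total = 0
        for x in range(1 << n):
            parity = bin(w & x).count("1") & 1
            total += -1 if tt[x] ^ parity else 1
        spec.append(total)
    return spec


def nonlinearity(tt: list, n: int) -> int:
    """Hamming distance from f to the nearest affine function."""
    return (1 << (n - 1)) - max(abs(v) for v in walsh_spectrum(tt, n)) // 2


def is_bent(tt: list, n: int) -> bool:
    """Bent = maximally nonlinear: every |W_f(w)| equals 2^(n/2); n must be even."""
    return n % 2 == 0 and all(abs(v) == (1 << (n // 2)) for v in walsh_spectrum(tt, n))


# Constructed test functions.
def affine4(x0, x1, x2, x3):
    return x0 ^ x2                      # affine: nonlinearity 0


def bent4(x0, x1, x2, x3):
    return (x0 & x1) ^ (x2 & x3)        # the classic 4-variable bent function


def maj3(x0, x1, x2):
    return (x0 & x1) ^ (x0 & x2) ^ (x1 & x2)   # majority: nonlinear, odd n, not bent


def add_then_xor(x0, x1, x2, x3):
    """An arithmetic-logic combination: bit 3 of (x + 5) mod 16, XORed with x1."""
    x = x0 | (x1 << 1) | (x2 << 2) | (x3 << 3)
    return (((x + 5) >> 3) & 1) ^ x1


if __name__ == "__main__":
    for name, f, n in [("affine", affine4, 4), ("bent", bent4, 4),
                       ("maj3", maj3, 3), ("add_then_xor", add_then_xor, 4)]:
        tt = truth_table(f, n)
        print(name, "nonlinearity", nonlinearity(tt, n), "bent", is_bent(tt, n))
```

The add-then-xor mix comes out with nonlinearity 2 (it agrees with x1^x2^x3 on 14 of 16 inputs), which is the kind of result that makes a round function of addition plus a single XOR look weak in isolation.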

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Thu, 08 Jun 2000 05:17:26 GMT

wtshaw wrote:
> ...  It can be that a trick is necessary to help solving,
> and the trick is esoteric until found, like the CIA sculpture.

I don't think the solved portions of Kryptos were particularly
tricky.  The main "trick" was to become convinced that an answer
could be found, and of course to know enough about cryptanalysis
to then proceed along reasonable lines of attack.

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: DES question
Date: Wed, 7 Jun 2000 22:15:57 -0700

Has any work been done on a DES variation with a 64 bit key? It seems like
you could change the key shifts per round and have them affect all 64 bits
vs. the 56 presently treated and leave the compression permutation alone and
everything else for that matter. All 64 key bits would still get used over
the 16 rounds.

It seems that the advantage would be the disadvantage. It would still be
DES-ish. Would it be essentially DES with a key better than 56 bits?

Am I missing something obvious?

Anyone hear of work done on this?

Thanks,

Paul

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?/Station-Station
Date: Thu, 08 Jun 2000 05:19:32 GMT

Tim Tyler wrote:
> If the message were sandwiched at a genuinely random position within
> 1K of random bytes before the OTP was applied (with some signal for
> stripping the data off again), this attack would succeed only one
> time in a thousand - rather than every single time.

No, it would succeed every time, if the cryptanalyst were competent.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Enigma Variations
Date: Thu, 08 Jun 2000 05:27:35 GMT

Jim Gillogly wrote:
> So far as we know (unclassified, anyway) none of the Axis powers read
> SIGABA, the top US system.

SIGABA wasn't cryptanalyzed successfully by foreign powers during WWII,
so far as "we" have been able to determine.  The US National Archives
contain a fair number of declassified summaries of foreign cryptologic
successes against US cryptosystems, but since I don't particularly care
I haven't read them all myself.

Tactical systems such as the M-209 usually only needed to remain
uncracked until the current military action was over, often just a
few hours, which was fortunate for us given that M-209 was crackable.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Enigma Variations
Date: Thu, 08 Jun 2000 05:30:37 GMT

Jim wrote:
> The successes against the Japanese machine 'Magic' ...

"MAGIC" was a codeword used to limit distribution of the decrypts,
not the name anyone used for the machines themselves.  Our internal
names for the machines were colors: ORANGE, RED, PURPLE, etc.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Enigma Variations
Date: Thu, 08 Jun 2000 05:33:34 GMT

John Savard wrote:
> ... The SIGABA machines were closely guarded, ...

However, we did lose one for a while (the truck that was transporting
it was stolen while the drivers were in a restaurant).  The machine
was recovered; a subsequent (panicky) investigation determined that
the incident was a simple vehicle theft and that the machine had not
been compromised.

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Thoughts on an encryption protocol?
Date: 7 Jun 2000 22:40:43 -0700

In article <8hmibo$n13$[EMAIL PROTECTED]>,
 <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (Mark Wooding) wrote:
> > Use a proper MAC.  For example, HMAC-SHA1 or HMAC-RIPEMD160.
> > Encrypted hashes as a poor-man's-MAC aren't a good idea.
> 
> Mark, can you please explain why encrypting hashes are a Bad Idea? Or
> give references?

I think this is mentioned in _The Handbook of Applied Cryptography_.

But, if not, here's a summary of the problem.  Suppose the sender takes
his message M, appends an unkeyed hash H(M), and encrypts the concatenation
M||H(M) to obtain a ciphertext C.  The attack goes like this.  Pick a
message M' you want to fool the receiver into thinking was sent.  Compute
M := M' || H(M') || X, where X can be anything you like.  Convince the
sender to send the message M; he'll compute M || H(M), encrypt it, and
send the result C.  Now suppose your encryption algorithm has the property
that the prefix of the encryption is the same as the encryption of the
prefix.  Then we may truncate the transmitted ciphertext at the point
right before the "X", and the result will be the encryption of M' || H(M').
When the receiver decrypts, the hash will look ok, and the receiver will
think the sender intended to send M', even though the sender never actually
ok'ed this.  This is a message authentication failure.

The fix is to use a proper MAC, like Mark Wooding says.
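Wagner's truncation scenario run end to end, as an added example (not code from the post). The cipher is a constructed counter-style keystream so the "prefix of the encryption is the encryption of the prefix" property holds, exactly as in CTR or any stream mode; the keys, the SHA-256/HMAC-SHA256 choices and the function names are assumptions of mine.

```python
import hashlib
import hmac

# Constructed demo keys.
ENC_KEY = b"constructed-encryption-key"
MAC_KEY = b"constructed-mac-key"
TAG_LEN = 32


def keystream(key: bytes, length: int) -> bytes:
    """Block i = SHA-256(key || i): the keystream for a short message is a prefix
    of the keystream for a longer one, which is the property the attack needs."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(x ^ k for x, k in zip(data, keystream(key, len(data))))


# The poor-man's MAC: encrypt(M || H(M)) with an unkeyed hash.
def send_hashed(m: bytes) -> bytes:
    return xor_crypt(ENC_KEY, m + hashlib.sha256(m).digest())


def receive_hashed(c: bytes):
    p = xor_crypt(ENC_KEY, c)
    body, tag = p[:-TAG_LEN], p[-TAG_LEN:]
    return body if hashlib.sha256(body).digest() == tag else None


# The fix: encrypt(M || HMAC(K, M)) with a key the attacker does not have.
def send_mac(m: bytes) -> bytes:
    return xor_crypt(ENC_KEY, m + hmac.new(MAC_KEY, m, hashlib.sha256).digest())


def receive_mac(c: bytes):
    p = xor_crypt(ENC_KEY, c)
    body, tag = p[:-TAG_LEN], p[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(expected, tag) else None


def truncation_against_hashed(m_prime: bytes):
    """The sender is talked into sending M = M' || H(M') || X; the ciphertext is
    cut just before X. Returns what the receiver accepts (M', never OKed)."""
    x = b"-- any filler at all --"
    m = m_prime + hashlib.sha256(m_prime).digest() + x
    c = send_hashed(m)                   # the sender only ever approved M
    c_cut = c[: len(m_prime) + TAG_LEN]  # equals encrypt(M' || H(M'))
    return receive_hashed(c_cut)


def truncation_against_mac(m_prime: bytes):
    """Same trick against the HMAC construction: without MAC_KEY the attacker
    can only plant an unkeyed hash where the tag belongs, so verification fails."""
    x = b"-- filler --"
    m = m_prime + hashlib.sha256(m_prime).digest() + x
    c = send_mac(m)
    c_cut = c[: len(m_prime) + TAG_LEN]
    return receive_mac(c_cut)


if __name__ == "__main__":
    print("hash-then-encrypt accepts:", truncation_against_hashed(b"PAY BOB 1000"))
    print("HMAC accepts:", truncation_against_mac(b"PAY BOB 1000"))
```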

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: equation involving xor and mod 2^32 operations
Date: 7 Jun 2000 22:44:25 -0700

In article <[EMAIL PROTECTED]>,
Anton Stiglic  <[EMAIL PROTECTED]> wrote:
[ Solve  (a+x) xor (b+x) = c  for x; a,b,c are known. ]

Work bit-by-bit, starting with the least significant bit of x
and working your way up.  Once you know (all possibilities for)
the low n bits of x, you can try extending each of them with a
0 bit and a 1 bit in the n+1-th position, and checking whether
the equation holds mod 2^{n+1} to filter out the wrong ones.
Cook until done.
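The bit-by-bit search Wagner describes, written out as an added example (not code from the post; function names are mine). It generalises the description in one respect: it caps the number of partial solutions, because the solution set can be huge (with a = b and c = 0 every x works), and it notes that the top bit of x never affects the equation, so solutions always come in pairs.

```python
def check(a: int, b: int, c: int, x: int, width: int = 32) -> bool:
    """Does ((a + x) xor (b + x)) == c hold modulo 2^width?"""
    mask = (1 << width) - 1
    return (((a + x) ^ (b + x)) & mask) == (c & mask)


def solve_add_xor(a: int, b: int, c: int, width: int = 32,
                  max_candidates: int = 1 << 20) -> list:
    """All x in [0, 2^width) with (a + x) xor (b + x) = c, found bit by bit.

    Bit n of (a + x) xor (b + x) depends only on bits 0..n of a, b and x, so
    a partial x that already fails the equation mod 2^(n+1) can never be
    completed; only survivors get extended with the next bit. Bit width-1
    of x never matters (it cancels in the xor and has no carry above it),
    so whenever there is one solution there are at least two."""
    candidates = [0]  # the empty prefix: every x agrees with 0 on its low 0 bits
    for n in range(width):
        low_mask = (1 << (n + 1)) - 1
        survivors = []
        for x in candidates:
            for bit in (0, 1 << n):
                y = x | bit
                if (((a + y) ^ (b + y)) & low_mask) == (c & low_mask):
                    survivors.append(y)
        if len(survivors) > max_candidates:
            raise ValueError("solution set too large to enumerate")
        candidates = survivors
        if not candidates:
            break  # nothing satisfies even the low bits: no solution
    return candidates


def brute_force(a: int, b: int, c: int, width: int) -> list:
    """Reference enumeration for small widths only."""
    return [x for x in range(1 << width) if check(a, b, c, x, width)]


if __name__ == "__main__":
    # Constructed instance: a and b differ in every bit, c = a xor b.
    print([hex(x) for x in solve_add_xor(0xAAAAAAAA, 0x55555555, 0xFFFFFFFF)])
```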

------------------------------

From: Hämäläinen Panu <[EMAIL PROTECTED]>
Subject: 3DES performance
Date: 8 Jun 2000 06:11:02 GMT

Hi!

Can someone tell me where I could find some
performance measurements/comparisons of Triple-DES
or DES (software) on different technologies? So far
I have only found results on Pentium by 
Antoon Bosselaers.

Panu

------------------------------

From: "steffen markert" <[EMAIL PROTECTED]>
Subject: Arithmetic Coding
Date: Thu, 8 Jun 2000 09:56:00 +0200

Does anybody know about an implementation in C
or a book or a paper with information about adaptive
arithmetic coding?

Thanx

[EMAIL PROTECTED]

------------------------------

From: dexMilano <[EMAIL PROTECTED]>
Subject: Re: questions on TEA
Date: Thu, 08 Jun 2000 08:00:46 GMT

I'm looking the same information.

thx


In article <[EMAIL PROTECTED]>,
  Dido Sevilla <[EMAIL PROTECTED]> wrote:
>
> This post has to do with the Tiny Encryption Algorithm (TEA) described
> by Wheeler and Needham (http://www.cl.cam.ac.uk/ftp/users/djw3/tea.ps
> and http://www.cl.cam.uk/ftp/users/djw3/xtea.ps).  Has anyone tried to
> use this block cipher?  From what I see, the algorithm is really quite
> simple and looks pretty easy to code, even in most forms of assembly
> language.  It doesn't go through quite as many contortions as the more
> sophisticated algorithms do, but it runs a fairly simple core through a
> lot of rounds (32 to be exact).  Does it have any weaknesses which the
> authors have not described in their papers yet?
>
> --
> Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
> Mobile Robotics Laboratory                      +63 (917) 4458925
> University of the Philippines Diliman
>


------------------------------

From: Greg <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: Thu, 08 Jun 2000 08:00:46 GMT



> Say everyone who is to vote comes up with a private key, and posts
> a corresponding public key.  From these, a joint public key is
> composed.  Each voter uses her private key together with the
> joint public key and her (private) vote to produce a public vote.
> From the set of public votes, a (public) vote tally is produced.
> However, it should be pragmatically impossible to determine the
> tally of any subset of (public) votes, or indeed, any information
> about them that is not implicitly given by the total tally.
>
> Is there a way to do this in the literature?  (Or, better yet, is
> it so trivial that it's not even in the literature?)

The issue of voter fraud is the most paramount issue any scheme will
face.  As Devvy Kidd pointed out (www.devvy.com), public counting of
paper ballots today is the only way we can assure an accurate vote
count.  But we do not have that here.  Wonder why?

There is no accountability in our voting system today.  Those who vote
at more than one precinct do so for political goals, though it is
against the law.  What we need is a new system that provides easy and
absolute verification of accuracy for anyone in the general public.
That is what we are lacking.

And as for your proposal, what problem are you solving?  I may have
missed it.  I really did not understand what problem was being solved.



--
Tyranny is kept at bay by guns and will.  Our government
knows we have the guns, but they don't know if we have
the will.  Nor do we.
The only lawful gun law on the books- the second amendment.


------------------------------

From: "Jesper Stocholm" <[EMAIL PROTECTED]>
Subject: Primitive element
Date: Thu, 8 Jun 2000 10:16:23 +0200

I have a finite group Z(p), where p is prime. I need to find a
generator/primitive element alpha s.t. alpha^b mod p = 1

How do I do this ? The order b is not known.


thanks

Jesper

--
http://stocholm.dk
MSN Messenger: [EMAIL PROTECTED]

------------------------------

From: Greg <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: Thu, 08 Jun 2000 08:11:31 GMT


> For a voting scheme to be useful the talliers should not be
> able to tell who voted for what, only that all votes are
> valid....

This is correct.  So let us think through what this means- what is
necessary for a system to be truly useful.

Given vote V and voter U, the system must be able to report two things:
1. the vote V
2. the voter U
3. V cannot be deduced from U
4. U cannot be deduced from V
5. The system rejects more than one U belonging to the same person.

Now if you can do this (which would probably make US history as the
first really useful and industry accepted method of accurate voting),
you have two other hurdles (to be practical) to overcome.

First, the law states that you cannot force a person to present
identification at the booth- that is, you may not be able to force the
voter to give you a "U".

Second, those in power want a corruptible system that they can control.

While the second can be overcome by popular opinion, the first is a
legal issue guarded by the US Constitution.  You DON'T want to try to
overcome this hurdle, no matter how tempting it may be.

However, given the system candidate, you may be able to demonstrate
that U is not identifying the individual and therefore is a valid
requirement for voting.  This would be very good for America if such a
system could be designed.

This is a worthy goal deserving of all our attention today.  Let's work
on it, shall we?

--
Tyranny is kept at bay by guns and will.  Our government
knows we have the guns, but they don't know if we have
the will.  Nor do we.
The only lawful gun law on the books- the second amendment.


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: 8 Jun 2000 08:27:52 GMT

In sci.crypt Greg <[EMAIL PROTECTED]> wrote:

> There is no accountability in our voting system today.  Those who vote
> at more than one precinct do so for political goals, though it is
> against the law.  What we need is a new system that provides easy and
> absolute verification of accuracy for anyone in the general public.
> That is what we are lacking.

I went to the votefraud site. Reminded me of something a speaker at MIT
said about voting - it is a matter of national security. He raised the
scenario of Iraq falsely registering a few hundred people in Los Angeles
county and swinging California in the next Presidential election. Same
problem, different scale. 

All of these crypto schemes are aimed at providing the kind of assurance
you, I, everyone wants, that the election was free, fair, and verifiable
by everyone. Unfortunately, it doesn't seem to be here yet in real life,
and partial solutions on computers look very very dangerous.

Not so much because of malice, but just simple stupidity is
enough. Counting ballots is tedious to do by hand, and error-prone. Doing
everything on a computer sounds like a great labor-saving idea at first.
Then they break or worse. Nevada has computerized voting machines in
polling booths; some people here aren't too happy with them -- and that's
the model which is comparatively *easy* to deal with. 

There was an extensive discussion of voting and its pitfalls on the
coderpunks list recently, by the way. You (or anyone else) might try
looking for archives of it. Some scary anecdotes came to light. 

-dmolnar

------------------------------

From: Greg <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: Thu, 08 Jun 2000 08:20:11 GMT


> 1) Is the voting to be secret or public

SECRET!

> 2) If it is to be secret, should the voter have a
> way of checking that his vote has been counted
> correctly.

ABSOLUTELY.  THIS IS A HARD REQUIREMENT.

> 3) If the ans. to the above two questions is "YES",
> then is the voter to have a way of making it appear
> that he voted differently than he did?

Not necessary.  The public is ready to stop tyranny.  Enough said.

> 4) Is there to be a trusted party? Is there to be a
> trusted party who sets up the system but does
> not need to be a part of the protocol after that?

Don't trust anyone.

> 5) What kinds of communications abilities do the
> voters have? Can they all communicate with each other,
> or do they communicate by posting to a common
> bulletin board?

Irrelevant to casting a vote, but user friendly if they had a NG where
they could post their issues and opinions.


The most important issue was never addressed:

A person cannot be compelled to identify himself (according to the
SCOTUS) but we must have a mechanism in place to ensure that each
person casts only one vote and no more.  This is one of the easiest and
most prevalent frauds in US voting today.  Bus loads of hispanics in CA go
from precinct to precinct and vote over and over.  It has been
documented!  So don't call me racist.  They are not required to show
ID.  They can enter and make any vote and leave without being
challenged.  It is the law.

Finally, there are also cases where a single voting precinct had
something like 8 registered voters and wound up with 120 votes.  The
person in charge took it upon themselves to adjust the votes to be only
the 8 that they should be.  No telling how he or she did that.  But
these are the problems that a solution must solve.

And again, DON'T TRUST ANYONE, ESPECIALLY GOVERNMENT!!!

--
Tyranny is kept at bay by guns and will.  Our government
knows we have the guns, but they don't know if we have
the will.  Nor do we.
The only lawful gun law on the books- the second amendment.


------------------------------

From: Eric Hambuch <[EMAIL PROTECTED]>
Subject: Re: Primitive element
Date: Thu, 08 Jun 2000 10:43:33 +0200

Jesper Stocholm wrote:
> 
> I have a finite group Z(p), where p is prime. I need to find a
> generator/primitive element alpha s.t. alpha^b mod p = 1
> 
> How do I do this ? The order b is not known.

If p is prime, then the order of your group Z*_p (=units of Z/pZ) is
(p-1). To check if alpha is really a generator you have to factor
(p-1)=p1*p2*p3...*pn and check whether alpha creates a subgroup of Z*_p
with a low order (every order of a subgroup divides (p-1) !).

It's not easy to find a generator! For more details check out:

http://cacr.math.uwaterloo.ca/hac
(Handbook of Applied Cryptography)

Eric

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Another Idea for attacking Storin
Date: 8 Jun 2000 08:45:17 GMT

tomstd <[EMAIL PROTECTED]> wrote:
> What about trying to find inputs that have low hamming weights
> (inputs to the linear matrix)?  Won't the output have a
> relatively low hamming weight (difference)?

If the inputs to the matrix have low Hamming-weight *and* the set bits
are at the top ends of the words, then the output also has low
Hamming-weight.  However, this effect disappears after two rounds
because of the linear transformation.  The linear transformation is
there for a very good reason!

Besides, by this point, there have been two mixings with unknown keys in
a way nonlinear with the matrix.  I still believe that the best way of
exploiting the diffusion behaviour of the matrix is the truncated
differential which has been at the heart of all of my attacks on Storin
so far.  But I'd not object to being proven wrong.

-- [mdw]

------------------------------

From: David Blackman <[EMAIL PROTECTED]>
Subject: Re: Primitive element
Date: Thu, 08 Jun 2000 18:53:14 +1000

Jesper Stocholm wrote:
> 
> I have a finite group Z(p), where p is prime. I need to find a
> generator/primitive element alpha s.t. alpha^b mod p = 1
> 
> How do I do this ? The order b is not known.
> 
> thanks
> 
> Jesper
> 
> --
> http://stocholm.dk
> MSN Messenger: [EMAIL PROTECTED]

More homework from school or university? Otherwise i can't imagine
anyone who would want to know this and would not know the answer, or at
least how to ask the question better.

Also the question seems quite confused. When someone says Z(p), they
usually mean integers modulo a prime number. In that case, b=p-1
(assuming you mean a group under multiply?) Although, there are a few
interesting cases where you don't know p, such as some factoring
algorithms.

What is more, alpha^b mod p = 1 is true for any alpha from 1 to p-1, so
that part is fairly redundant. You're just looking for a generator.

This might be easier to answer if we knew why you want to know, and what
other information you have. Do you really not know p?

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Primitive element
Date: Thu, 08 Jun 2000 11:05:02 +0200



Jesper Stocholm wrote:

> I have a finite group Z(p), where p is prime. I need to find a
> generator/primitive element alpha s.t. alpha^b mod p = 1
>
> How do I do this ? The order b is not known.

See Knuth, vol.2, p.21. You can randomly choose an alpha to test
whether the condition is fulfilled, since primitive roots are rather
abundant.

M. K. Shen
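Both answers above, Hambuch's (factor p-1 and test each prime factor) and Shen's (pick alpha at random; primitive roots are abundant), worked through in one added example that is not from either post. Trial division, the helper names and the constructed primes 23 and 2^31-1 are my assumptions; it also computes the actual order b of a non-generator, which the question's wording leaves open.

```python
import random


def prime_factors(n: int) -> dict:
    """Primes dividing n with their multiplicities, by trial division. Fine for
    the sizes here; in practice p is usually chosen so that the factorisation
    of p-1 is known in advance (e.g. p = 2q + 1 with q prime)."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_generator(alpha: int, p: int, factors: dict = None) -> bool:
    """alpha generates Z*_p iff alpha^((p-1)/q) != 1 (mod p) for every prime
    q | p-1: any proper subgroup has order dividing (p-1)/q for some q, so a
    non-generator is caught by at least one of these tests."""
    if not 1 < alpha < p:
        return False
    factors = factors if factors is not None else prime_factors(p - 1)
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in factors)


def order(alpha: int, p: int, factors: dict = None) -> int:
    """Multiplicative order of alpha mod p, i.e. the smallest b > 0 with
    alpha^b = 1: start from p-1 and strip each prime q while alpha^(n/q) = 1."""
    factors = factors if factors is not None else prime_factors(p - 1)
    n = p - 1
    for q, e in factors.items():
        while e > 0 and pow(alpha, n // q, p) == 1:
            n //= q
            e -= 1
    return n


def find_generator(p: int, seed: int = 1) -> int:
    """Random trial: phi(p-1) of the p-1 candidates are generators, so only a
    few tries are needed on average. Assumes p is an odd prime."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    factors = prime_factors(p - 1)
    while True:
        alpha = rng.randrange(2, p)
        if is_generator(alpha, p, factors):
            return alpha


if __name__ == "__main__":
    p = 23
    print("p-1 =", prime_factors(p - 1))
    print("generators mod 23:", [a for a in range(1, p) if is_generator(a, p)])
    print("order of 2 mod 23:", order(2, p))
    print("random generator mod 2^31-1:", find_generator(2147483647))
```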

------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Thoughts on an encryption protocol?
Date: Thu, 08 Jun 2000 09:05:56 +0000

Dido Sevilla wrote:
> 
> Volker Hetzer wrote:
> 
> > So it's a secret key protocol. Are there any constraints that forbid
> > the use of public key stuff?
> 
> One of the problems with public key crypto that I'd like to avoid are
> patents (not that they apply where I live...).
If you are commercial, you should *really* think about asking for
license fees. Depending on the number of units you sell, it might
well be cheaper to buy an EKE/SPEKE/SRP license and reference code than to
develop something from scratch. They do *not* cost hundreds of dollars per unit.

> Also, symmetric block
> ciphers tend to be much simpler to code than asymmetric public-key
> systems.  I only have one year and 32 KB code size on my 80186-based
> embedded system to fit everything, so all the firmware may probably have
> to be in pure assembly language...
When does the RSA patent expire? Sometime this year I believe.
Besides, before you decide on a specific symmetric encryption algorithm
as the bulk cipher you might want to wait for the AES decision.
It's due this summer and will set the standard for symmetric encryption for
(at least) the next decade.
All the likely candidates are well suited to small systems.

> > How do you change keys over the lifetime of your devices?
> Basically, some high-ranking person will go to each terminal, swipe a
> special card across its barcode swipe reader, punch in a password, and
> then punch in the new start key.  This would be done every three months.
Not very efficient. Ask a HR guy how much this would cost the company
over one year. Then compare this with a license fee for SRP or EKE.

Manual inspection can only be justified when you think that the people
who have access to your devices are going to steal keys for malicious
purposes. Is your company responsible for security after the sale of the
devices too? Make a decent contract with your customers that limits
liability and defines exactly what your company is supposed to do to
fulfill its responsibilities.

Nevertheless, once your devices have a decent key exchange protocol, manual
inspection becomes an optional thing, to be done only if you feel like it.
Some devices may never be inspected, others daily by the security guard and
so on.

> > > system, no key information is ever transmitted across the network.
> > Well, the problem is that as soon as an attacker gets hold of *any*
> > of the thus generated keys he can create all keys after that.
> > Why not use a stream cipher or cryptographically secure PRNG to
> > generate the session keys?
> Where can I find information on any of these entities?
The Cryptography FAQ right here. Bruce Schneier's "Applied Cryptography".
Counterpane has a couple of good papers about PRNG's. The rsalabs FAQ.
Then, there is a FIPS for generating random numbers. Together with
the PRNG papers at counterpane you should be able to come up with
a cryptographically secure random number generator as the basis for
a really secure key exchange and encryption protocol.

> > Should work as long as the number of messages doesn't get too large.
> Each terminal will probably generate about 8-10 transactions every day
> at the most.  So in the three months between key changes, up to 1200
> messages may elapse, each message being up to 100K in size or so.
About 120MB per key is reasonable.

Is latency (key exchange and encryption time) a problem?

How long are those devices supposed to live?

Are you permitted to add a piece of HW, like an 8 bit flash microprocessor
(5 to 20 USD in small quantities) to do the actual encryption?
That would make sure that an attacker not only has to open the device, but
the chip as well. And you've got much more RAM/ROM in it too.
OTOH, I suppose if an attacker can bug your device, you're bust anyway.
But good key management can make sure that one compromised device does
not compromise security on other devices. (That is another reason why
I'd like to talk you into better key management.)

Greetings!
Volker
--
The early bird gets the worm. If you want something else for
breakfast, get up later.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************