Cryptography-Digest Digest #435, Volume #12 Mon, 14 Aug 00 05:13:00 EDT
Contents:
Re: What is up with Intel? (lcs Mixmaster Remailer)
an attack for stream ciphers ([EMAIL PROTECTED])
Re: CD destruction (Michael Brown)
Re: Looking for password statistical data ([EMAIL PROTECTED])
Re: What is up with Intel? (Roger Schlafly)
Re: 1-time pad is not secure... (Guy Macon)
Re: Knowing when you've cracked an encryption (Anders Thulin)
Re: The quick brown fox... (Anders Thulin)
aes - bc lounge (Lars Knudsen)
Re: Impossible Differentials of TC5 (Ulrich Kuehn)
Re: Crypto Related Professional Attitude (Safuat Hamdy)
Re: Crypto Related Professional Attitude (Safuat Hamdy)
Re: Crypto Related Professional Attitude (Mok-Kong Shen)
Re: Crypto Related Professional Attitude (Mok-Kong Shen)
Re: OTP using BBS generator? (Mok-Kong Shen)
Re: OTP using BBS generator? (Mok-Kong Shen)
Re: Random Number Generator (Runu Knips)
Re: Big Brother Is Reading Your E-Mail (Michael Brown)
Re: Crypto Related Professional Attitude ("Sam Simpson")
----------------------------------------------------------------------------
Date: 14 Aug 2000 04:40:14 -0000
From: lcs Mixmaster Remailer <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
> On page four of the IntelRNG.pdf from cryptography.com they said
> Intel is patenting the von Neumann rejector i.e with [0,0] and
> [1,1] output nothing, output 0 for [1,0] and 1 for [0,1] which
> hopefully lowers bias towards any given bit.
A careful reading of the document reveals that Intel's version of the
bias remover uses three bits of state, rather than the two bit version
attributed to von Neumann. It is a genuine improvement.
------------------------------
From: [EMAIL PROTECTED]
Subject: an attack for stream ciphers
Date: Mon, 14 Aug 2000 05:02:42 GMT
Here is another technique for attacking stream ciphers (such as RC4,
Solitaire, et cetera): Given a partial solution, fill in the rest
of the solution a few different random ways and look for biases in the
results generated by that set of solutions.
For example, suppose RC4 just produced a 27. You know it was produced
by m[m[i]+m[a]]. There are 256 possible values of i, 256 of a, 256 of
m[i], 256 of m[a] that could cause that. But if you make those
guesses, you can calculate m[i]+m[a], and of course m[m[i]+m[a]] = 27.
So one result and four guesses gives you five values of the internal
state, and that's a partial solution.
If you take one such partial solution, complete it twenty random ways,
and examine the results those produce, you may find the 8th result
from now is going to be 27 98% of the time. If the actual 8th result
from now isn't 27, then this partial solution probably isn't the
correct one.
If you choose such partial solutions at random and complete them
randomly, a billion times, you will see biases due simply to the fact
that you are using RC4 and it just generated a 27. This could also be
done by finding a billion RC4 sequences that contain 27 and comparing
them without mucking about with partial solutions. However, you can
do the same thing just as efficiently with the partial solutions
dictated by a train of 10 results. Accidentally finding a billion
sequences with those same 10 results is infeasible. The biases this
gives you (assuming biases exist) should be able to tell you whether
or not a very short sequence was generated with RC4. Equivalently, it
would allow you to make good guesses at some unseen values.
(Apologies for not exploiting this myself. I'm busy with toddlers.)
- Bob Jenkins
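The partial-solution experiment from the post above, written out in Python as an added illustration (this is not Bob Jenkins's code): the RC4 PRGA step, the five-entry partial state that one observed output byte pins down under a guess of i, j, S[i] and S[j] (the post writes j as "a"), random completion of the rest of the permutation, and tallies of the next few outputs across many completions. The guess values (i = 26, j = 255, S[i] = 10, S[j] = 17, observed output 27) are chosen for the example so that the output index 27 coincides with i+1; with that guess the very next output byte provably can never be 10, 17 or 27, so an observed next byte with one of those values rejects the guess outright, which is exactly the kind of bias the post proposes to look for. Function names are the example's own.

```python
import random
from collections import Counter


def rc4_step(S, i, j):
    """One RC4 PRGA step on state S (modified in place); returns the new i, j
    and the output byte S[S[i] + S[j]]."""
    i = (i + 1) & 0xFF
    j = (j + S[i]) & 0xFF
    S[i], S[j] = S[j], S[i]
    return i, j, S[(S[i] + S[j]) & 0xFF]


def partial_from_guess(i, j, s_i, s_j, output):
    """The five values a single observed output byte pins down under a guess of
    i, j, S[i] and S[j] (values after the swap): those four plus
    S[S[i]+S[j]] = output.  Returns {position: value}, or None when the guess
    contradicts itself (one position with two values, or two positions with one)."""
    t = (s_i + s_j) & 0xFF
    partial = {}
    for pos, val in ((i, s_i), (j, s_j), (t, output)):
        if partial.get(pos, val) != val:
            return None
        partial[pos] = val
    if len(set(partial.values())) != len(partial):
        return None
    return partial


def complete_state(partial, rng=None):
    """Fill the unknown positions with a random permutation of the unused
    values, so the result is a valid 256-entry permutation consistent with
    `partial`.  A fixed default seed keeps the demonstration reproducible."""
    rng = rng or random.Random(0)
    used = set(partial.values())
    free_pos = [p for p in range(256) if p not in partial]
    free_val = [v for v in range(256) if v not in used]
    rng.shuffle(free_val)
    S = [0] * 256
    for p, v in partial.items():
        S[p] = v
    for p, v in zip(free_pos, free_val):
        S[p] = v
    return S


def future_output_counts(partial, i, j, horizon, trials, seed=0):
    """Complete the partial state `trials` times, run `horizon` PRGA steps from
    each completion, and count which byte appears at each future position."""
    rng = random.Random(seed)
    counts = [Counter() for _ in range(horizon)]
    for _ in range(trials):
        S = complete_state(partial, rng)
        ii, jj = i, j
        for step in range(horizon):
            ii, jj, out = rc4_step(S, ii, jj)
            counts[step][out] += 1
    return counts


def guess_rejected(counts, step, observed):
    """A partial solution is (probably) wrong if the byte actually observed
    `step` outputs later never occurred among the sampled completions."""
    return counts[step][observed] == 0


if __name__ == "__main__":
    I, J, OUT = 26, 255, 27          # constructed guess, see the lead-in
    partial = partial_from_guess(I, J, 10, 17, OUT)   # {26: 10, 255: 17, 27: 27}
    counts = future_output_counts(partial, I, J, horizon=4, trials=2000)
    nxt = counts[0]
    print("next output: distinct values seen", len(nxt),
          "counts of 10 / 17 / 27:", nxt[10], nxt[17], nxt[27])
    for observed in (10, 27, 99):
        print(f"observed next byte {observed}: guess rejected? "
              f"{guess_rejected(counts, 0, observed)}")
```

Why the next byte is constrained here: after the step that produced 27, i+1 = 27 and S[27] = 27 are both known, so the next j = 255 + 27 = 26 is known too; the swap exchanges the two known entries and the output is S[10 + 27] = S[37], a position the partial solution says nothing about, so it is drawn from the 253 values not already used. In general the bias at each future position is whatever the completions show, and a partial solution whose predicted distribution puts zero (or near-zero) weight on the byte actually observed is discarded.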
------------------------------
From: Michael Brown <[EMAIL PROTECTED]>
Subject: Re: CD destruction
Date: Mon, 14 Aug 2000 18:20:17 +1200
> It is non-flammable and almost non toxic (unless you bathe in it
Aww, this means we won't be able to get the best of both worlds: dissolve
the thing then chuck a match (from a large distance) on the solvent to
melt anything that's left. Pyrotechnics, dissolving and melting all in
one :)
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Looking for password statistical data
Date: Mon, 14 Aug 2000 06:23:34 GMT
Seeker <[EMAIL PROTECTED]> wrote:
> I'm looking for some data on the passwords that people have chosen. I know
> people often choose dictionary words, etc, but I am looking for something
> which I can draw some concrete conclusions from. Of course, the bigger the
> sample, the better.
> For instance, maybe 60% choose a dictionary word, 20% choose a phone
> number.. For now, I can only make unsound inferences.
Daniel Klein wrote a short paper on Unix passwords which is floating
around still. (A brief excursion to your favorite search engine should
turn up a postscript copy) It's a small sample, and somewhat dated but
I find the statistics have held up reasonably well.
The only caveat to the report is that it covers passwords which were
successfully found via a dictionary attack, so it says nothing about
the ones that weren't found. For example, two words separated by
punctuation is probably fairly common, but he didn't have time to test
all of them before publishing.
Another interesting approach, which is Unix-centric, is the password
guesser John the Ripper, which includes a brute-force attack based on
the character frequency in each position based on known passwords. I
don't know how good the tables that ship with it are, but if you find
a set that's built off a large set of known passwords, they're
probably good. For example, appending digits to words is _much_ more
common than prepending them.
Finally, the Crack rulesets contain some comments as to why they're
arranged that way, based on people's experience.
--
Matt Gauthier <[EMAIL PROTECTED]>
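To make the kind of tally the original poster is after concrete, an added Python example (not from the post above, and not code from Klein's paper, Crack or John the Ripper): classify each password as a dictionary word, a word with digits appended, digits prepended to a word, all digits, or other; count how often digits are appended versus prepended; and build the per-position character counts that a position-aware brute-force ordering such as John the Ripper's incremental mode is derived from. The ten passwords and the six-word "dictionary" are constructed for the example and far too small to draw any conclusion from; the method is what matters, and it is meant to be run over a real list of cracked passwords and a real wordlist.

```python
import string
from collections import Counter, defaultdict

# Constructed sample (not real data): what a small cracked-password list might look like.
SAMPLE = ["password", "sunshine", "dragon1", "summer99", "1234567",
          "5551234", "99dragon", "qwerty", "P@ssw0rd", "monkey!2"]
# Constructed toy dictionary; a real run would load a full wordlist.
WORDS = {"password", "sunshine", "dragon", "summer", "qwerty", "monkey"}


def classify(pw, words):
    """Coarse category of one password relative to a wordlist."""
    lower = pw.lower()
    if lower in words:
        return "word"
    if lower.isdigit():
        return "digits"
    if lower.rstrip(string.digits) != lower and lower.rstrip(string.digits) in words:
        return "word+digits"
    if lower.lstrip(string.digits) != lower and lower.lstrip(string.digits) in words:
        return "digits+word"
    return "other"


def summarize(passwords, words):
    """Counts per category, e.g. to answer 'what fraction is a dictionary word?'."""
    return Counter(classify(pw, words) for pw in passwords)


def percentages(passwords, words):
    total = len(passwords)
    return {cat: 100.0 * n / total for cat, n in summarize(passwords, words).items()}


def position_frequencies(passwords):
    """Character counts per position: the raw material for an incremental-mode
    search order that tries the most frequent characters first at each position."""
    freq = defaultdict(Counter)
    for pw in passwords:
        for pos, ch in enumerate(pw):
            freq[pos][ch] += 1
    return freq


def digit_placement(passwords):
    """How often digits are appended versus prepended to a non-digit password."""
    appended = prepended = 0
    for pw in passwords:
        if pw.isdigit():
            continue
        if pw[-1].isdigit():
            appended += 1
        if pw[0].isdigit():
            prepended += 1
    return {"appended": appended, "prepended": prepended}


if __name__ == "__main__":
    for cat, pct in sorted(percentages(SAMPLE, WORDS).items()):
        print(f"{cat:12s} {pct:5.1f}%")
    print(digit_placement(SAMPLE))
    freq = position_frequencies(SAMPLE)
    for pos in range(3):
        print(f"position {pos}: most common {freq[pos].most_common(3)}")
```

The caveat from the post carries over unchanged: whatever list you feed this was itself produced by some cracking method, so the categories it reports are biased towards what that method could find.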
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
Date: Mon, 14 Aug 2000 00:01:15 -0700
lcs Mixmaster Remailer wrote:
> A careful reading of the document reveals that Intel's version of the
> bias remover uses three bits of state, rather than the two bit version
> attributed to von Neumann. It is a genuine improvement.
How is it better? IMO, Intel should have omitted the bias
rejecter. It makes the chip unpredictable. It is easy to
do a much better job of removing bias in software. I'd rather
have the raw bits.
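As an added example covering both posts in this thread (it is not Intel's circuit, whose three-bit variant is not specified on this page, and not code from either poster), the classic two-bit von Neumann rejector quoted above in Python, run on two constructed sources: an independent source with P(1) = 0.8, which it fixes, and a symmetric Markov source that repeats the previous bit 90% of the time, which already passes a plain monobit count but comes out of the rejector with strong negative lag-1 correlation, because the rejector assumes the two bits of each pair are independent. That is the practical reason for wanting the raw bits: software can measure and correct what the hardware rejector cannot see. The source probabilities and function names are the example's own.

```python
import random


def iid_bits(p_one, n, seed=0):
    """Constructed source: independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def markov_bits(p_stay, n, seed=0):
    """Constructed source: unbiased on average, but each bit repeats the
    previous one with probability p_stay (lag-1 correlation 2*p_stay - 1)."""
    rng = random.Random(seed)
    bits, cur = [], 0
    for _ in range(n):
        if rng.random() >= p_stay:
            cur ^= 1
        bits.append(cur)
    return bits


def von_neumann(bits):
    """Two-bit von Neumann rejector with the convention from the quoted post:
    drop (0,0) and (1,1), emit 0 for (1,0) and 1 for (0,1), i.e. the second
    bit of every unequal non-overlapping pair."""
    out = []
    for k in range(0, len(bits) - 1, 2):
        a, b = bits[k], bits[k + 1]
        if a != b:
            out.append(b)
    return out


def bias(bits):
    """P(1) - 1/2; zero for an unbiased stream."""
    return sum(bits) / len(bits) - 0.5


def lag1_correlation(bits):
    """Sample correlation between each bit and its successor."""
    mean = sum(bits) / len(bits)
    num = sum((bits[k] - mean) * (bits[k + 1] - mean) for k in range(len(bits) - 1))
    den = sum((b - mean) ** 2 for b in bits)
    return num / den


if __name__ == "__main__":
    raw = iid_bits(0.8, 200_000)
    fixed = von_neumann(raw)
    print(f"iid source:    bias {bias(raw):+.3f} -> {bias(fixed):+.3f}, "
          f"kept {len(fixed)} of {len(raw)} bits (expected 2p(1-p) = 0.32 per pair)")
    raw = markov_bits(0.9, 200_000)
    fixed = von_neumann(raw)
    print(f"markov source: bias {bias(raw):+.3f} -> {bias(fixed):+.3f}, "
          f"lag-1 correlation {lag1_correlation(raw):+.3f} -> {lag1_correlation(fixed):+.3f}")
```

For the Markov source the output correlation can be worked out exactly: from state 1 the next emitted bit is a 1 with probability (1-s)^2 / (1 - s^2 - s(1-s)) = 0.01/0.28 ≈ 0.357 for s = 0.9, so consecutive outputs anti-correlate at about -0.29. A rejector can only remove what its model of the source covers; bias from independent pairs, nothing else.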
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: 1-time pad is not secure...
Date: 14 Aug 2000 07:09:33 GMT
Tim Tyler wrote:
>
>Guy Macon wrote:
>
>>Tim Tyler wrote:
>>
>>>No such thing as a perfect random number generator has ever been created.
>>>
>>>Time between radioactive decays /may/ be random - or it may not be.
>>>Without certain access to a complete theory of physics nobody knows.
>>>...but this is beside the point - even *if* such a random process were
>>>available, there's no way of measuring it without using a detector
>>>which is potentially subject to non-random environmental interference.
>
>> Speaking as someone who does this kind of measuring for a living, I can
>> with confidence set an upper bound for such non-random environmental
>> interference. [...]
>
>Not realistically, you can't. The problem is that if you're trying to
>generate these numbers for cryptographic purposes, you /have/ to consider
>the possibility that your opponent is actively trying to interfere with
>your goals.
So you agree that, in the case where there is no opponent, my analysis
is correct? I just want to get that straight before moving on to the
case of a sophisticated attacker....
>This sort of interference can include replacing your components at
>source, infiltrating the labs of your component suppliers, hypnotizing
>you, stealing your supposedly random numbers as you generate them,
>and a zillion other things.
>
>In the face of this sort of possibility, I believe that to think it's
>possible to set low rigorous upper bounds on the degree of randomness of
>any streams you generate is likely to be foolhardy - an underestimation of
>the power of your potential opponents.
I don't see this as being foolhardy at all. The power and sophistication
that you are postulating is far greater than that needed to read my
plaintext before I encrypt it. What you are doing here is shifting the
topic from whether or not I can generate random number candidates with
nonrandomness reduced below a certain point (which I can prove that I
can do) to whether I can set up a security system that is invulnerable
to an attacker with unlimited resources, which of course I cannot do.
A countermeasure to your proposed attacker is trivial. I can roll a set
of transparent casino dice that have been tested for the known ways of
making such dice biased (physical and statistical tests) to create a
stream of random bits, then XOR the result with the output of my
radioactive decay RNG.
Stealing the results as I generate them breaks my security, but does
not change the randomness of my bit stream. Ditto for hypnotizing me,
intercepting my bitstream and replacing it with another, etc, etc.
I am only claiming that I can generate random numbers with a known
upper limit to nonrandomness, not that I can keep people from watching
me do it, or various other ways to break my security system. Please
stick to arguments about RNGs, not security systems.
------------------------------
From: Anders Thulin <[EMAIL PROTECTED]>
Subject: Re: Knowing when you've cracked an encryption
Date: Mon, 14 Aug 2000 07:28:50 GMT
"David C. Barber" wrote:
> A problem I never see discussed is: How do you know when you've successfully
> cracked an encryption?
This is only peripherally related, but it might give a slight twist to the
question.
In an issue of Games and Puzzles (UK) in the early 1970's there was a word
riddle of the form
"My first is in <word1> but isn't in <word2>
My second is in ... etc."
The whole should be a popular board game.
However, the riddle was constructed so that up to the very last letter, there
were two board games that fitted the clues: DEMOCRACY and KINGMAKER.
The very last clue settled which of these two it was -- I think the last
two lines went something like:
"My last is in tomorrow but not in today.
My whole is a game that you might want to play."
Of course, almost everyone fell into the trap: they stopped when it looked
like clear text around the fourth or fifth letter. Those who persevered usually
thought the last clue was wrong: "But Y *is* in 'today'!"
I don't know if it's possible to do something similar with traditional cryptography:
mix up a number of reasonable messages together with the real one, and hope any
decrypters will stop when they reach the first.
--
Anders Thulin [EMAIL PROTECTED] 040-10 50 63
Telia Prosoft AB, Hjälmaregatan 3B, 212 19 Malmö, Sweden
------------------------------
From: Anders Thulin <[EMAIL PROTECTED]>
Subject: Re: The quick brown fox...
Date: Mon, 14 Aug 2000 07:37:34 GMT
wtshaw wrote:
> Requiring the whole alphabet, does anyone know of other alternatives,
> perhaps shorter ones and with no increase in nonsense content?
You may want to try comp.fonts. When I was lurking in that newsgroup
a few years ago, one of the posters had that kind of sentences in
his signature -- usually a new one every time.
--
Anders Thulin [EMAIL PROTECTED] 040-10 50 63
Telia Prosoft AB, Hjälmaregatan 3B, 212 19 Malmö, Sweden
------------------------------
From: Lars Knudsen <[EMAIL PROTECTED]>
Subject: aes - bc lounge
Date: Mon, 14 Aug 2000 09:54:10 +0200
Hi,
The AES special of the Block Cipher Lounge has been updated.
http://www.ii.uib.no/~larsr/aes.html
If you know of additional research not listed, let me know.
Lars Knudsen
------------------------------
From: Ulrich Kuehn <[EMAIL PROTECTED]>
Subject: Re: Impossible Differentials of TC5
Date: Mon, 14 Aug 2000 09:54:12 +0200
Reply-To: [EMAIL PROTECTED]
tomstd wrote:
> I am trying to figure out how to recover key bytes from the
> cipher given that we are trying to send the generic (0, d) input
> difference through the cipher.
That is also described in Knudsen's paper. But the key idea usually with
all these distinguishers is the following. Have a cryptosystem with r
rounds and a distinguisher for r-1 rounds. Then decrypt with a trial
last round subkey and check whether the distinguisher works.
For an impossible differential, you send the input difference down the
cipher and then try the last round subkeys. Any key that suggests the
impossible output must be necessarily a wrong guess. After sufficiently
many plaintexts/ciphertexts and key guesses, only a single key should be
remaining.
Hope this helps,
Ulrich
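The procedure described above, as an added worked example in Python (a toy of the example's own making; it is not TC5, not code from Knudsen's paper, and not from this post): an 8-bit cipher whose "first r-1 rounds" are XOR with k0 followed by a fixed public permutation F, and whose last round is a fixed S-box followed by XOR with k2. On 8 bits the impossible output differences of the inner part for a chosen input difference can be found by brute force from the difference distribution table of F; in a real cipher they come from a miss-in-the-middle argument over the round structure, not from enumeration, but the key-recovery step is the same: undo the last round under every candidate subkey and strike any candidate that turns a chosen-difference pair into an impossible difference. The permutations, key values, input difference and pair count are assumptions for the example.

```python
import random


def random_permutation(rng):
    p = list(range(256))
    rng.shuffle(p)
    return p


def invert(p):
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return inv


class ToyCipher:
    """E(x) = S[F[x ^ k0]] ^ k2 on 8-bit blocks.  F stands in for the first
    r-1 rounds, S followed by k2 for the last round.  F and S are public."""

    def __init__(self, F, S, k0, k2):
        self.F, self.S, self.k0, self.k2 = F, S, k0, k2

    def encrypt(self, x):
        return self.S[self.F[x ^ self.k0]] ^ self.k2


def impossible_output_differences(F, d):
    """Output differences of F that never arise from input difference d (the
    zero entries of row d of F's difference distribution table).  Because k0
    is XORed in before F, the set does not depend on k0."""
    possible = {F[x] ^ F[x ^ d] for x in range(256)}
    return set(range(1, 256)) - possible


def recover_last_round_key(encrypt, S_inv, d, impossible, plaintexts):
    """Guess k2, undo the last round on both ciphertexts of every pair with
    input difference d, and discard the guess as soon as the one-round-
    decrypted difference is impossible.  The true k2 can never be discarded,
    and every wrong guess is hit with probability |impossible|/255 per pair."""
    candidates = set(range(256))
    for x in plaintexts:
        c1, c2 = encrypt(x), encrypt(x ^ d)
        for k in list(candidates):
            diff = S_inv[c1 ^ k] ^ S_inv[c2 ^ k]
            if diff in impossible:
                candidates.discard(k)
        if len(candidates) == 1:
            break
    return candidates


def demo(seed=2000, d=0x35, num_pairs=64):
    rng = random.Random(seed)
    F, S = random_permutation(rng), random_permutation(rng)
    k0, k2 = rng.randrange(256), rng.randrange(256)
    cipher = ToyCipher(F, S, k0, k2)
    impossible = impossible_output_differences(F, d)
    plaintexts = rng.sample(range(256), num_pairs)   # chosen x, paired with x ^ d
    found = recover_last_round_key(cipher.encrypt, invert(S), d, impossible, plaintexts)
    return {"true_k2": k2, "candidates": found, "impossible_count": len(impossible)}


if __name__ == "__main__":
    r = demo()
    print(f"{r['impossible_count']} of 255 output differences are impossible "
          f"for the chosen input difference")
    print(f"surviving last-round keys: {sorted(r['candidates'])}  (true k2 = {r['true_k2']})")
```

Two things to take from the toy. First, the number of pairs needed is set by how often a wrong subkey guess produces an impossible difference; with roughly half of all differences impossible, 256 candidates are reduced to one after a few dozen pairs. Second, the inner distinguisher is key-independent only because the first subkey enters by XOR before a fixed map; that is the property the "r-1 round" distinguisher must have for the last-round guess to be testable on its own.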
------------------------------
From: Safuat Hamdy <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: 14 Aug 2000 09:44:55 +0200
tomstd <[EMAIL PROTECTED]> writes:
> This post is for the professionals such as Biham, Rivest,
> Schneier, Wagner, Shamir, Coppersmith, etc...
>
> Why don't you guys ever participate even a little in sci.crypt?
Because they're scared away by all the jerks posting incredibly
stupid nonsense. The signal-to-noise ratio has become too bad.
Moreover, there are some professionals posting here quite often; it
is just that you don't recognize them as such. Thus your posting
is pointless.
> So why not
> post from time to time excluding posts to plug your papers?
what do you mean by that?
> It seems like there are alot of arrogant professionals in the
> world.
> I agree that professionals are/may be busy and have work to
> attend to, but seriously so do I. Big deal. I post here
> because I want to learn and share.
I doubt that one can seriously learn anything in sci.crypt.
> I invite the professionals (a.k.a big shots) to reply to this
> thread with their opinions since I want to know why they remain
> so silent when they apparently have lots to share.
Why only the "big shots"? As I said, there are several
professionals posting (among them some "big shots") here quite
often. Is it not worth learning from them just because you
don't know them???
--
S. Hamdy | All primes are odd except 2,
[EMAIL PROTECTED] | which is the oddest of all.
|
unsolicited commercial e-mail | D.E. Knuth
is strictly not welcome |
------------------------------
From: Safuat Hamdy <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: 14 Aug 2000 10:16:08 +0200
tomstd <[EMAIL PROTECTED]> writes:
> Also why don't those dudes post here to discuss their findings?
Because these findings require *deep* mathematical knowledge that
the average sci.crypt reader with probability almost 1 doesn't have.
Thus it is completely pointless for them to post their work.
--
S. Hamdy | All primes are odd except 2,
[EMAIL PROTECTED] | which is the oddest of all.
|
unsolicited commercial e-mail | D.E. Knuth
is strictly not welcome |
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Mon, 14 Aug 2000 10:40:04 +0200
"Trevor L. Jackson, III" wrote:
>
[snip]
> properties from humans. Since this newsgroup is a (virtual) place of academic
> congress the behaviors evidenced here are typical of congresses in general.
It is my impression from the few scientific congresses that
I have attended that the people there are much more polite
and considerate of other persons than what sometimes happens
in this group. I strongly believe that's one factor (among
others) that repels the top researchers from our group.
BTW, I have a suggestion. Wouldn't it be nice if we had
something that I will tentatively term general rules of
conduct for posting to the group? (One rule could be, e.g.,
'Never use bad words', with a bit of explanation.) If there
are a sufficient number of people who say 'yes' to the
proposal, we could arrange for a drafting committee for that
and have the results discussed, amended and finally voted
on at large in the group. The rules could then be
posted, say, every week, so that to those posters that don't
observe the rules the answer could simply be a pointer to
certain items in that article. Without wasting bandwidth
of the group, I suggest that those who say 'yes' e-mail
me one line. If the count goes up to twenty, I'll let
that fact be known and arrange that a subset of those
that respond constitute a drafting committee. (I'll also
post the count in 7 days, if the proposal fails.)
M. K. Shen
=========================
http://home.t-online.de/home/mok-kong.shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Mon, 14 Aug 2000 10:40:10 +0200
tomstd wrote:
>
> [EMAIL PROTECTED] (Guy Macon) wrote:
> >I am one of the world's top experts in another technical field, yet I
> >don't read the newsgroup for that field, for the reasons stated above.
> >Instead, I read sci.crypt, where I, as a clueless newbie who is eager
> >to learn, can learn from those here more advanced than I am and try
> >to help those who are not as advanced. I would expect the top names
> >in the field to be found in a forum that excludes newbies like me.
>
> Isn't it hypocritical to expect to learn about a field when you
> yourself will not teach your field to others?
>
Would you readily give your fortune to help the large mass
of people in the world who are poor and hungry? Don't expect
from others things that you are not ready to do yourself,
if you are able to do them.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Mon, 14 Aug 2000 10:39:47 +0200
Bryan Olson wrote:
>
> There's no particular reason to obsess over this one
> possible defect, though if you think you might learn
> something interesting by looking for cycles in the least
> significant bit, by all means carry on.
On the other hand, I recently showed with a tiny toy example
that a BBS of cycle length 12 (001101000111) for the modulus
209 indicates that there might, under some circumstances,
be problems with statistical qualities. But nobody yet seems
to care to comment on that. (My current exceptionally poor
computational facilities unfortunately don't allow me to
do experiments on a grand scale.)
M. K. Shen
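An added Python check of the toy in this post (not Mok-Kong Shen's code): the Blum-Blum-Shub iteration x_{k+1} = x_k^2 mod n for n = 209 = 11 * 19 with least-significant-bit output reproduces the 12-bit cycle 001101000111 quoted above when started from seed 2 (x_0 = 2^2 = 4), and the observed cycle length can be compared with lambda(lambda(n)), which every BBS state sequence modulo n has as an upper bound on its period; for 209 that is lambda(90) = 12, so the generator cannot do better than the cycle shown. The seed choice and helper names are the example's own. The practitioner's reading is that a modulus this small can only visit a handful of states, so its output is structured regardless of the generator's design; the security argument for BBS applies only when n is large enough that factoring it is infeasible, and it says nothing about a 209.

```python
from math import gcd


def bbs_bits(n, seed, count):
    """Blum-Blum-Shub: x0 = seed^2 mod n, x_{k+1} = x_k^2 mod n, output the LSB
    of each x_k, returned as a string of '0'/'1' characters."""
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to n")
    x = seed * seed % n
    bits = []
    for _ in range(count):
        bits.append(str(x & 1))
        x = x * x % n
    return "".join(bits)


def state_cycle(n, seed):
    """States visited from x0 = seed^2 mod n until the first repeat, plus the
    length of the cycle that is eventually entered."""
    x = seed * seed % n
    seen, order = {}, []
    while x not in seen:
        seen[x] = len(order)
        order.append(x)
        x = x * x % n
    return order, len(order) - seen[x]


def factor(m):
    """Trial-division factorisation of a small integer: {prime: exponent}."""
    f, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            f[p] = f.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        f[m] = f.get(m, 0) + 1
    return f


def lcm(a, b):
    return a * b // gcd(a, b)


def carmichael(m):
    """Carmichael function lambda(m) for small m (trial-division factoring)."""
    result = 1
    for p, e in factor(m).items():
        lam = 2 ** (e - 2) if (p == 2 and e >= 3) else (p - 1) * p ** (e - 1)
        result = lcm(result, lam)
    return result


def bbs_period_bound(p, q):
    """lambda(lambda(pq)): the period of any BBS state sequence mod pq divides this."""
    return carmichael(carmichael(p * q))


if __name__ == "__main__":
    n = 11 * 19
    order, length = state_cycle(n, 2)
    print("states from x0 = 4:", order, "cycle length", length)
    print("LSB stream:", bbs_bits(n, 2, 24))
    print("period bound lambda(lambda(209)) =", bbs_period_bound(11, 19))
```

Run it and the state sequence is 4, 16, 47, 119, 158, 93, 80, 130, 180, 5, 25, 207 and back to 4; its low bits are the string in the post.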
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Mon, 14 Aug 2000 10:39:58 +0200
Bryan Olson wrote:
>
> Terry Ritter wrote:
[snip]
> Nope. When you allow the defect might appear, you allow
> that factoring might be easy and have contradicted the
> premise.
Two dumb questions: (1) Isn't it the case that in employing a
product of two large primes for PK one has to check
that certain properties other than size are
fulfilled? (2) Since some large numbers are
evidently easy to factor, what does an assumption of
hardness of factoring (without further qualifications)
imply? I mean one probably has to characterize thereby
the type of numbers being considered (namely those
that are hard to factor according to some definite
quantifiable measure) that one assumes to be dealing
with for the presentation containing that assumption.
M. K. Shen
------------------------------
Date: Mon, 14 Aug 2000 10:39:12 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Random Number Generator
[EMAIL PROTECTED] wrote:
> Let me ask you how can one implement permutation
> of bits not using Assembler?
But you're able to program in Delphi, which allows
exactly that (as well as C)!
> There are no weakness and holes in this algorithm.
If I got that many comments on one of my
algorithms I would be very thankful. But you,
blessed by so many comments, just drop everything
people tell you. Hey, accepting help and advice
from others is an important form of wisdom and
greatness!
People have proved your algorithm is wrong, so
why don't you try to fix its faults?
------------------------------
From: Michael Brown <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.security.pgp
Subject: Re: Big Brother Is Reading Your E-Mail
Date: Mon, 14 Aug 2000 21:09:16 +1200
jungle <[EMAIL PROTECTED]> wrote:
> Samuel Hocevar wrote:
> > jungle <[EMAIL PROTECTED]> wrote:
> > > someone wrote:
> > > > Someone else wrote:
> > > >
> > > > > This program broke the PGP encryption in two minutes flat,
> > > > > so you're not even safe with encryption.
> > > >
> > > > what program will break PGP in 2 min flat ?
> > >
> > > If we told you, we'd have to kill you.
> >
> > I did not direct my question to you, but
> >
> Then tell me and come on and kill me! Big deal spout off and say
> nothing you twerps
I write:
I don't like to enter into flame wars, but PGP (or any factoring-based
crypto algorithm) is incredibly weak if the two primes are different in
the LSBs, e.g.:
bit 0 : Always 1 (primes are odd)
bit 1 : If different here it's curtains
bit 2 : Harder than bit 1, but still quite easy
etc.
Two very similar primes (e.g. 1000 least significant bits identical) would
still be very hard to crack, though.
PS: My algorithm relies on getting the public key, and Jungle (?) didn't
say who he was sending his message to. Plus, I haven't computerized the
algorithm yet, and I don't fancy cracking a 2048-bit RSA key by hand.
PPS: No flame, I'm just an innocent bystander :)
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Mon, 14 Aug 2000 10:07:39 +0100
Safuat Hamdy <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> tomstd <[EMAIL PROTECTED]> writes:
>
<SNIP>
> I doubt that one can seriously learn anything in sci.crypt.
I agree with most of your post, but I believe the above statement is
a little harsh. From time to time "real gems" are to be found on
sci.crypt - see for example M. Wooding's continued possession protocol
(http://x64.deja.com/threadmsg_ct.xp?AN=649762980.1&mhitnum=0&CONTEXT=966243914.1345323039).
<SNIP>
Rgds,
--
Sam Simpson
Comms Analyst
http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
Delphi Crypto Components. PGP Keys available at the same site.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************