Cryptography-Digest Digest #440, Volume #12      Mon, 14 Aug 00 15:13:01 EDT

Contents:
  Re: 1-time pad is not secure... ("Douglas A. Gwyn")
  Re: Crypto Related Professional Attitude ("Trevor L. Jackson, III")
  PKCS#7 ("Kevin Crosbie")
  Re: Random Number Generator ("Trevor L. Jackson, III")
  Re: Proposal of drafting rules of conduct of posting ([EMAIL PROTECTED])
  Re: Random Number Generator ("Joseph Ashwood")
  Re: Proposal of drafting rules of conduct of posting (Mok-Kong Shen)
  Re: Is this Diffie-Hellman modification safe? (tomstd)
  Re: OTP using BBS generator? ("Trevor L. Jackson, III")
  Re: IDEA algorithm - how to license? (Sander Vesik)
  Re: Is this Diffie-Hellman modification safe? (John Myre)
  Re: Big Brother Is Reading Your E-Mail (Your Name)
  Re: Proposal of drafting rules of conduct of posting ("CMan")
  Re: Is this Diffie-Hellman modification safe? ("George Harth")
  Re: What is up with Intel? ("CMan")
  Re: IDEA algorithm - how to license? (tomstd)
  Re: What is up with Intel? ("CMan")
  Re: Copyright issue - SERPENT ("Tor Rustad")
  Re: WinACE encryption algorithm ("Marc Beckersjuergen")
  Re: Is this Diffie-Hellman modification safe? ("Joseph Ashwood")

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Mon, 14 Aug 2000 16:39:50 GMT

JPeschel wrote:
> But Doug owned the copyright to the paper when
> he wrote it, so, again, the paper is his to do with
> as he pleases.

I don't think in 1970 an author had automatic copyright.
I know I submitted my 1977 Master's thesis through
appropriate channels to establish copyright for it.
I seem to recall that it was around that time that the
rules changed.

Anyway, I would have to scan, OCR-convert, edit, make a
PDF file, etc. which is enough work that I'm not likely
to do it before I set up my Web site.  What documents
I've been processing like that so far have been rare
historical crypto-related resources (such as Kullback's
paper on reciprocal alphabets and Friedman squares)
that I think are more important to make available.

------------------------------

Date: Mon, 14 Aug 2000 13:34:48 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude

"Douglas A. Gwyn" wrote:

> "Trevor L. Jackson, III" wrote:
> > As for responsibility and maturity, it is not reasonable to expect these
> > properties from humans.
>
> Sure it is, for civilized discourse.  Indeed, many moderated newsgroups
> enforce that requirement to some degree.

Exactly.  They force it upon the contributors because the contributors will
not enforce it upon themselves.  Gresham's law paraphrased: "Bad behavior
drives good behavior out of circulation".


------------------------------

From: "Kevin Crosbie" <[EMAIL PROTECTED]>
Subject: PKCS#7
Date: 14 Aug 2000 17:38:46 GMT

Yeah that looks cool.   That will do what I want.  Thanks.

Does anyone know if the WinAPI or CryptoAPI can do PKCS#7 encoding directly
rather than using outside source code?

Cheers,

Kevin

"Paul Schlyter" <[EMAIL PROTECTED]> wrote in message
news:8mtmdt$mvp$[EMAIL PROTECTED]...
> In article <8ms3ov$[EMAIL PROTECTED]>,
> Kevin Crosbie <[EMAIL PROTECTED]> wrote:
>
> > Has anyone got a good C implementation of PKCS#7?
> > I need to encapsulate a signature hash and certificate in PKCS#7.
>
> Did you check out  www.openssl.org  ???
>
> --
> ----------------------------------------------------------------
> Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
> Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
> e-mail:  pausch at saaf dot se   or    paul.schlyter at ausys dot se
> WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch

------------------------------

Date: Mon, 14 Aug 2000 13:41:08 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random Number Generator

Eric Lee Green wrote:

> The only factor that is in common between all of them is that they are
> always
> right, and everybody else is always wrong.

Hmm, if this correlation is causation we have a distinguisher.  Dare we apply
it to this forum in general?  ;-)



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Proposal of drafting rules of conduct of posting
Date: Mon, 14 Aug 2000 17:41:51 GMT

JPeschel <[EMAIL PROTECTED]> wrote:
>>I have a suggestion. Wouldn't it be nice that we have 
>>some thing that I temporarily term to be general rules of 
>>conduct of posting to the group? (One rule could be e.g. 
[...]

> Sounds like a damn silly idea to me.

I have to agree. There's _already_ a charter and a FAQ; another
periodical that people ignore isn't going to help.

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Random Number Generator
Date: Mon, 14 Aug 2000 10:36:40 -0700

> > How does it do vs. DIEHARD?
> >
>
> Hi James,
>
> I am sorry but I didn't understand your question.
> Would you like repeating it in extended form?
> Thank you.
> Best regards.
> Alex.

DIEHARD is a set of statistical tests for PRNGs; it is available in several
places on the internet, including http://stat.fsu.edu/~geo/diehard.html .
While it's far from an absolute test, it is quite good at telling if an
algorithm is probably bad.
                    Joe



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Proposal of drafting rules of conduct of posting
Date: Mon, 14 Aug 2000 20:09:37 +0200



JPeschel wrote:
> 
> Mok-Kong Shen [EMAIL PROTECTED] writes, in part:
> 
> >I have a suggestion. Wouldn't it be nice that we have
> >some thing that I temporarily term to be general rules of
> >conduct of posting to the group? (One rule could be e.g.
> >'Never use bad words', with a bit explanations.) If there
> >are a sufficient number of people who say 'yes' to the
> >proposal, we could arrange for a drafting committee for that
> >and have the results discussed, amended and finally voted
> >for in the large in the group. The rules could then be
> >posted, say, every week so that to those posters that don't
> >observe the rules the answer could be simply a pointer to
> >certain items in that article.
> 
> Sounds like a damn silly idea to me.
> 

Your opinion is certainly welcome like any other. One
of the underlying goals of the proposal is to find out
what the majority of the group really thinks about some
of the (in my view) very legere styles of discussions.
In fact sometimes I have the personal impression that
certain people were discussing just for the purpose
of discussion (i.e. writing something out, no matter
what), thus often leading to the phenomenon of quickly
diverting to topics that are quite far away from what
the original posters wanted to discuss (the original
themes were then quasi forgotten). Further, I strongly
believe that sometimes a little bit more politeness
seemed to be able to better contribute to the goal of
discussions, namely finding out the correct answers to
certain questions being posed. Of course, I may be
totally wrong in all that. However, I did see
occasional complaints about rude styles of wording.
Do we need some improvements in that? I am only a
single person. If the majority doesn't mind that,
then it's perfectly o.k. (I have been sufficiently
long in the group to be immune to certain materials,
i.e. being no longer allergic.) But logically and
consequently there should in future also not be
complaints of that sort. What has fairly surprised me
is that there is on the other hand a complaint that a
number of well-known cryptologists never take the trouble
to join the group. Taking all these together, there
MUST in my opinion be something really not in order.
If we let the atmosphere of discussion be
extremely legere, we evidently can't expect that
these top scientists would ever consider us to be
serious discussion partners. It's then no wonder
that we continue to miss these names cropping up.
It's like in my view expecting that grains of gold
would be falling from heaven instead of water
droplets. (Yes, I did read recently in a journal
someone saying that in the early period of earth's
history gold fell from heaven. But that time period
is unfortunately bygone.)

M. K. Shen

------------------------------

Subject: Re: Is this Diffie-Hellman modification safe?
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 11:01:11 -0700

"George Harth" <[EMAIL PROTECTED]> wrote:
>Greetings,
>
>The basic scenario is that we log into the server app and use Diffie-Hellman
>to generate a shared secret key.  We plug those keys into Blowfish and use
>Blowfish for all further data communications, including the official
>password login.  The problem is that this method doesn't ensure that the
>server we connected to is the actual, trusted server.
>
>With that in mind, I modified the Diffie-Hellman algorithm slightly.  I am
>wondering if this modification is relatively safe, or if I am opening up
>some trouble.  This system uses the fact that the real server should already
>know the password for the user requesting a connection.
>
>Where,
>    n = shared prime
>    g = shared base
>    h = hash of password (same bit length as n)
>    x = random secret number
>    y = random secret number
>
>1. Alice sends Bob her username and requests a connection. No password is
>sent at this stage.

First weakness, the attacker now knows who is logging in to the
computer.

>2. Bob computes and sends Alice X, where:
>    X = (power(g, x) mod n) xor h
>
>3. Alice computes and sends Bob Y, where:
>    Y = (power(g, y) mod n) xor h

I assume the password is known only by the server and the
client?  Then why even use pk crypto?

>4. Bob computes and uses Z1 as his Blowfish key:
>    Z1 = (power((Y xor h, x) mod n)

You should really hash the bignum instead of truncating it.

>
>5. Alice computes and uses Z2 as her Blowfish key:
>    Z1 = (power((X xor h, y) mod n)
>
>The hash, h, and the random numbers x and y are never transmitted.
>
>If Bob (the server) is not the real server, then he won't know Alice's
>password.  Without the correct password, the two secret keys Z1 and Z2 will
>not be the same and therefore all data sent to the Fake Bob will be garbage
>as far as Bob is concerned.
>
>I suppose Fake Bob could use brute force to try and break the "garbage" he
>received and determine what the hash of Alice's password is.  Is this likely
>to be easy?  If we just send the password over the Blowfish connection
>created using the regular Diffie-Hellman connection, the Fake Bob server
>would get the password much more easily and the client wouldn't realize the
>server wasn't real until after the password had been sent.
>
>Thanks for any and all help... George

You make it harder than it needs to be.  If the server and
client have a shared secret password, simply do this:

1.  Make up a 128-bit string R
2.  Use K = hash(R || h) as your shared symmetric key.
3.  Transmit R to the server (or to the client as the case may
be).

This requires no pk math and is considerably simpler.

Also you may consider EKE type systems if you need passwords,
but really with a password you are wasting your time.  The whole
point of PK is that I don't need to share a secret with you,
that's the point.

Tom



------------------------------

Date: Mon, 14 Aug 2000 14:08:48 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?

"Tony T. Warnock" wrote:

> "Trevor L. Jackson, III" wrote:
>
> > If so, it is similar to the reasons why one need not check for long stretches
> > of zeros in an OTP key.  The odds of a significant fraction of the pad being
> > zero are so long that a sane attacker will not even inspect the ciphertext.
> > Of course an attacker who does notice a long stretch of intelligible cipher
> > text could argue that the odds against the text appearing accidentally are so
> > long that a null key pad is the simplest explanation.
> >
> > Are all opponents sane?
>
> If a long stretch of zeros (length to be determined later) occurred in an OTP, I
> would assume the generator was broken. Rare events rarely happen. At some point
> one decides that the probability of a cooked generator is greater than that of
> getting a string of zeros. The number is somewhere between 1 zero and 100 zeros.

OK, I'll bite on the bait.

The red-zone alarm threshold may be a very personal thing.  Mine is probably around
the middle of the range you mentioned.  How many random bits do I expect to use in
my lifetime?
And we need not recap years of discussion of whether to accept or reject sequences
in the yellow zone of suspicious lengths.  The best way to monitor an RNG is not to
check for sequences of length > reject threshold, but to monitor the frequency
sequences that are "near" the rejection threshold.

In re parallels between BBS and OTP, the premise seems to be that a null OTP pad is
probably indicative of a flawed RNG rather than a statistical artifact.  So far so
good.

The point seems to be that finding a short cycle in a BBS generator is not the
product of a broken mechanism, but a predictable consequence of the underlying
math.  Since those consequences can be contained (described and rendered negligible
mathematically) in a way that broken RNGs cannot, they can be ignored while the
threat of a broken RNG cannot ever be ignored.

The conclusion can be disputed though.  Consider a BBS generator fed subtly flawed
RNG outputs (same cause -- broken RNG).  Can we rely upon the proven BBS strength to
protect us?  I think not.  The assumptions of the BBS proof are that factoring is
"hard" and the seeds are "random".  If either assumption is violated the proof still
stands, but the conclusions based upon it do not.

Thus given a suitably flawed (*) BBS seed generator the incidence of short cycles
may be higher than expected -- it may no longer be negligible.

(*) some number N of flaws to be named later ;-)


------------------------------

From: Sander Vesik <[EMAIL PROTECTED]>
Subject: Re: IDEA algorithm - how to license?
Date: 14 Aug 2000 18:06:46 GMT

David Thom <[EMAIL PROTECTED]> wrote:
> We've been trying to contact Ascom, the people who claim to license the IDEA
> algorithm (http://www.ascom.ch/infosec/), for the past 2+ weeks.

> We've sent emails repeatedly to the addresses on their web site
> ([EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]) and
> have even filled-in their web form asking for information...no response (the
> emails are returned after 5 days as undeliverable).

> Is Ascom the correct company? Is this a for-real business?

> David Thom
> NPSi Houston

Did you try the online order link that allows you to licence it via the web
using a credit card?

There is also quite a bit of information on the web site about the licences
if you do follow the licence information link...

-- 
        Sander

FLW: "I can banish that demon"

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Is this Diffie-Hellman modification safe?
Date: Mon, 14 Aug 2000 12:06:04 -0600

George Harth wrote:
> 
<snip protocol description>

Are you familiar with SRP, and other "strong password
authentication" methods?  It's awfully tricky to design
your own protocol.  For instance, I recall in the SRP
paper where they do something like what you suggest in
xoring the hashed password.  However, they chose to
add (modulo the DH prime) instead of xoring, because the
latter is not as secure.

The really good protocols aren't any more complex
than your setup, either.

http://srp.stanford.edu/srp/
http://www.IntegritySciences.com/

JM

------------------------------

From: [EMAIL PROTECTED]  (Your Name)
Crossposted-To: alt.privacy,alt.security.pgp
Subject: Re: Big Brother Is Reading Your E-Mail
Date: Mon, 14 Aug 2000 18:14:27 GMT

On Mon, 14 Aug 2000 21:09:16 +1200, Michael Brown
<[EMAIL PROTECTED]> wrote:

>I don't like to enter into flame wars, but PGP (or any factoring based
>crypto algorithm) is incredibly weak if the two primes are different in
>the LSBs. eg:
>bit 0 : Always 1 (primes are odd)
>bit 1 : If different here it's curtains
>bit 2 : Harder than bit 1, but still quite easy
>etc
>
>Two very similar primes (eg 1000 least significant bits identical) would
>be still very hard to crack, though.
>
>PS: My algorithm relies in getting the public key and Jungle (?) didn't
>say who he was sending his message to. Plus, I haven't computerized the
>algorithm yet, and I don't fancy cracking a 2048 bit RSA key by hand.

How about a 1024 bit RSA key?    512 bit key?  or less for a
demonstration. 

What are the mathematical principles behind your algorithm?
If they are good, it will be easy to get help because, in general,
math algorithms are very easy for a mathematician to program.

If you have found a  previously unknown weakness in RSA,
that is very big news.

Rich Eramian aka freeman at shore dot net

------------------------------

From: "CMan" <[EMAIL PROTECTED]>
Subject: Re: Proposal of drafting rules of conduct of posting
Date: Mon, 14 Aug 2000 11:27:48 -0700

I think we aught to bann realli bad spillers.

I mean I just hate to see bad spilling in a news grope.

Of curse, we have to figure out a way to enfarce it...and no talk about off
topic stuff like Green's Lemma in the Plane.

Stragglers vill be shot!!!   Let's have some RULES!!!!

Let's also ban petty rules that can't be enfarced.

JK

--
CRAK Software
http://www.crak.com
Password Recovery Software
QuickBooks, Quicken, Access...More

JPeschel <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Mok-Kong Shen [EMAIL PROTECTED] writes, in part:
>
> >I have a suggestion. Wouldn't it be nice that we have
> >some thing that I temporarily term to be general rules of
> >conduct of posting to the group? (One rule could be e.g.
> >'Never use bad words', with a bit explanations.) If there
> >are a sufficient number of people who say 'yes' to the
> >proposal, we could arrange for a drafting committee for that
> >and have the results discussed, amended and finally voted
> >for in the large in the group. The rules could then be
> >posted, say, every week so that to those posters that don't
> >observe the rules the answer could be simply a pointer to
> >certain items in that article.
>
> Sounds like a damn silly idea to me.
>
> Joe
> __________________________________________
>
> Joe Peschel
> D.O.E. SysWorks
> http://members.aol.com/jpeschel/index.htm
> __________________________________________
>


------------------------------

From: "George Harth" <[EMAIL PROTECTED]>
Subject: Re: Is this Diffie-Hellman modification safe?
Date: Mon, 14 Aug 2000 18:31:18 GMT

Hi Tom,

> >1. Alice sends Bob her username and requests a connection. No password is
> >sent at this stage.
>
> First weakness, the attacker now knows who is logging in to the
> computer.

I see your point, but does this really matter if you know who uses the
system anyway?

> >2. Bob computes and sends Alice X, where:
> >    X = (power(g, x) mod n) xor h
> >
> >3. Alice computes and sends Bob Y, where:
> >    Y = (power(g, y) mod n) xor h
>
> I assume the password is known only by the server and the
> client?  Then why even use pk crypto?

Yes.  The password is stored in a file on the server side, and entered at
runtime by the user of the client.  No passwords or keys are stored on the
client device (handhelds easily lost or stolen).

> >4. Bob computes and uses Z1 as his Blowfish key:
> >    Z1 = (power((Y xor h, x) mod n)
>
> You should really hash the bignum instead of truncating it.

I'm sorry.  I don't completely follow.  The mod operation is part of the
original Diffie-Hellman algorithm.  Is that the operation you are referring
to?

> You make it harder than it needs to be.  If the server and
> client have a shared secret password, simply do this:
>
> 1.  Make up a 128-bit string R
> 2.  Use K = hash(R || h) as your shared symmetric key.
> 3.  Transmit R to the server (or to the client as the case may
> be).
>
> This requires no pk math and is considerably simpler.

It certainly is simpler, but how does the server know which user is
attempting to logon without checking all user passwords until it finds a
match (assuming I don't send the username as you suggested I shouldn't do
above)?  Every user has a different password and it is important for the
server to know whom it is speaking with.

> Also you may consider EKE type systems if you need passwords,
> but really with a password you are wasting your time.  The whole
> point of PK is that I don't need to share a secret with you,
> that's the point.

Thanks.   It looks like I have more research to do.

Cheers... George



------------------------------

From: "CMan" <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
Date: Mon, 14 Aug 2000 11:36:20 -0700

All right...all right.

I'm a Clinton hater...

I was close, but no cigar (get it?).

I think he was responsible for my car not starting last April too.  I just
can't prove it.

JK


Daniel S. Riley <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "CMan" <[EMAIL PROTECTED]> writes:
> > During the Clinton administration, the patent office has gone off the deep
> > end.  Someone actually successfully patented the use of XOR function for
> > animation.
>
> In 1980 [1].  I had no idea the influence of the Clinton administration
> extended backwards in time.
>
> [1] http://www.patents.ibm.com/details?patent_number=4197590
> --
> Dan Riley                                         [EMAIL PROTECTED]
> Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
>     "History teaches us that days like this are best spent in bed"


------------------------------

Subject: Re: IDEA algorithm - how to license?
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 11:34:49 -0700

"David Thom" <[EMAIL PROTECTED]> wrote:
>We've been trying to contact Ascom, the people who claim to license the IDEA
>algorithm (http://www.ascom.ch/infosec/), for the past 2+ weeks.
>
>We've sent emails repeatedly to the addresses on their web site
>([EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]) and
>have even filled-in their web form asking for information...no response (the
>emails are returned after 5 days as undeliverable).
>
>Is Ascom the correct company? Is this a for-real business?

Question:  Why are you paying to use IDEA?

Tom



------------------------------

From: "CMan" <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
Date: Mon, 14 Aug 2000 11:42:14 -0700

I thought the idea was to be unpredictable.  Seriously, I do not understand
your comment.

JK

--
CRAK Software
http://www.crak.com
Password Recovery Software
QuickBooks, Quicken, Access...More

Roger Schlafly <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> lcs Mixmaster Remailer wrote:
> > A careful reading of the document reveals that Intel's version of the
> > bias remover uses three bits of state, rather than the two bit version
> > attributed to von Neumann.  It is a genuine improvement.
>
> How is it better? IMO, Intel should have omitted the bias
> rejecter. It makes the chip unpredictable. It is easy to
> do a much better job of removing bias in software. I'd rather
> have the raw bits.


------------------------------

From: "Tor Rustad" <[EMAIL PROTECTED]>
Subject: Re: Copyright issue - SERPENT
Date: Mon, 14 Aug 2000 20:43:52 +0200

"Runu Knips" <[EMAIL PROTECTED]> wrote in message
> Tor Rustad wrote:
> > "tomstd" <[EMAIL PROTECTED]> wrote in message
> > > Runu Knips <[EMAIL PROTECTED]> wrote:
> > > > No, the only AES algorithm with a license problem is RC6, which
> > > > will only be free if it becomes AES, which is unlikely because
> > > > it doesn't offer key agility.
> > >
> > > But's it is far simpler to implement, it's from RSA and it's
> > > yankee material.  Seems like enough for a technical round nose.
> >
> > RC6 is not simple to implement. What matters is HW
> > implementations, not SW implementations. Why? Mony!
>
> Well, in fact, both HW and SW implementations matter.

Yes, NIST has stated that, perhaps since DES was soooo slow in SW. Since HW
implementations are much more expensive, it is very important that the industry
gets a good AES algo for HW. By good I mean

* not expensive to produce
* fast
* secure (regards to HW attack analysis)

> > US know what is good business, RC6 simply isn't it.
> > However, I guess they have a problem now, because
> > as far as I can see, the two best candidates are
> > Serpent and Rijndael.
>
> Hmm.
>
> May I ask why you favor Rijndael over Twofish ?

See HW analysis by NSA:
http://csrc.nist.gov/encryption/aes/round2/NSA-AESfinalreport.pdf

However, I favor Serpent most.

> AFAIK 2fish is substantially more secure, but not
> much slower.

Number of rounds in Rijndael can be increased, TwoFish was _much_ slower than
Rijndael (and Serpent) in HW.

> > So if RC6 is chosen anyway, they have to choose another
> > winner as well.
>
> IMHO the main advantage of RC6 over the other
> algorithms is that it is that easy to implement
> in SW on ordinary PC hardware.

I can't see the importance of this, but RC6 has very good performance in SW,
which I find more important. For the industry, the cost is equal whether the AES
source code has 10 lines or 1000 lines; it simply does not matter.

--
Tor



------------------------------

From: "Marc Beckersjuergen" <[EMAIL PROTECTED]>
Subject: Re: WinACE encryption algorithm
Date: Mon, 14 Aug 2000 20:00:21 +0200

> >The encryption is pretty tight,
> >basically a 160 bit Blowfish code.
>
> "Basically"?
>
> "Basically"?
>
> (Uh-oh.)
>
> Can we take that to mean that you introduced some of your own enhancements
> to Blowfish that Bruce Schneier somehow overlooked?

Hey, I'm just the webmaster, not the developer
and I don't know squat about programming in general and encryption in
particular :-)





------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Is this Diffie-Hellman modification safe?
Date: Mon, 14 Aug 2000 11:55:50 -0700


"George Harth" <[EMAIL PROTECTED]> wrote in message
news:WVWl5.17337$[EMAIL PROTECTED]...
> Hi Tom,
>
> > >1. Alice sends Bob her username and requests a connection. No password is
> > >sent at this stage.
> >
> > First weakness, the attacker now knows who is logging in to the
> > computer.
>
> I see your point, but does this really matter if you know who uses the
> system anyway?
Unless you have certain very particular requirements I think it's a required
weakness.

> > >4. Bob computes and uses Z1 as his Blowfish key:
> > >    Z1 = (power((Y xor h, x) mod n)
> >
> > You should really hash the bignum instead of truncating it.
>
> I'm sorry.  I don't completely follow.  The mod operation is part of the
> original Diffie-Hellman algorithm.  Is that the operation you are referring
> to?
He wasn't referring to the mod operation, he was referring to how you map
the shared secret into a shared key. We both assumed that what you intended
to do was take bits[x,y] of the shared secret and use it as the key. It's
actually better to take the shared secret and run it through a good hash
function (like SHA-1).

>
> > You make it harder than it needs to be.  If the server and
> > client have a shared secret password, simply do this:
> >
> > 1.  Make up a 128-bit string R
> > 2.  Use K = hash(R || h) as your shared symmetric key.
> > 3.  Transmit R to the server (or to the client as the case may
> > be).
> >
> > This requires no pk math and is considerably simpler.
>
> It certainly is simpler, but how does the server know which user is
> attempting to logon without checking all user passwords until it finds a
> match (assuming I don't send the username as you suggested I shouldn't do
> above)?  Every user has a different password and it is important for the
> server to know whom it is speaking with.
If it's suitable for what you need, you'd of course have to add a step 0.
Client sends Server login name.

>
> Thanks.   It looks like I have more research to do.
Personally I'd recommend that if you want to skip the research there's
always SRP.
                Joe
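An added worked example (editor's code, not posted by George, Tom or Joe) that runs George's XOR-masked exchange as written and then the two points made in the replies: derive the Blowfish key by hashing the shared secret rather than taking bits of it, and Tom's simpler K = hash(R || h) scheme with Joe's "step 0" of sending the login name first. Assumptions not in the thread: a 61-bit toy prime with generator 2 so the numbers stay readable, SHA-256 as the "good hash function", and h reduced mod n so it fits within n's bit length as George requires.

```python
"""Masked-DH exchange and nonce/password key agreement from the thread, as an
added example. Toy parameters only (constructed): N is far too small for real use."""
import hashlib
import secrets

N = (1 << 61) - 1   # constructed toy modulus (2^61 - 1 is prime); shared prime n
G = 2               # shared base g


def password_hash(password: str) -> int:
    """h = hash of the password, reduced so it fits within n (assumption)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % N


def masked_public(secret: int, h: int) -> int:
    """Steps 2/3 of the posting: X = (g^x mod n) xor h."""
    return pow(G, secret, N) ^ h


def shared_secret(peer_masked: int, secret: int, h: int) -> int:
    """Steps 4/5: Z = (peer xor h)^secret mod n. Only the right h unmasks g^x."""
    return pow(peer_masked ^ h, secret, N)


def key_by_hashing(z: int) -> bytes:
    """Joe's advice: hash the whole bignum into the key instead of taking bits[x,y] of it."""
    z_bytes = z.to_bytes((N.bit_length() + 7) // 8, "big")
    return hashlib.sha256(z_bytes).digest()[:16]   # 128-bit Blowfish key


def run_exchange(client_password: str, server_password: str, x: int = None, y: int = None):
    """Run the masked DH exchange; Bob (server) holds server_password, Alice
    (client) types client_password. Returns (Z1, Z2). They agree only when both
    sides hold the same password, which is what lets Alice reject Fake Bob."""
    h_server = password_hash(server_password)
    h_client = password_hash(client_password)
    x = x if x is not None else secrets.randbelow(N - 2) + 1   # Bob's secret
    y = y if y is not None else secrets.randbelow(N - 2) + 1   # Alice's secret
    X = masked_public(x, h_server)          # Bob -> Alice
    Y = masked_public(y, h_client)          # Alice -> Bob
    Z1 = shared_secret(Y, x, h_server)      # Bob's Blowfish key material
    Z2 = shared_secret(X, y, h_client)      # Alice's Blowfish key material
    return Z1, Z2


def nonce_key(r: bytes, h: int) -> bytes:
    """Tom's alternative: K = hash(R || h). R travels in the clear, h never does."""
    return hashlib.sha256(r + h.to_bytes(8, "big")).digest()


def nonce_login(username: str, client_password: str, server_table: dict, r: bytes = None):
    """Step 0 (Joe): client sends the login name so the server can look up that
    user's h, then steps 1-3 of Tom's scheme. Returns (client_key, server_key);
    a server that lacks the real password derives a different key."""
    r = r if r is not None else secrets.token_bytes(16)          # step 1: 128-bit R
    client_key = nonce_key(r, password_hash(client_password))    # step 2 on the client
    h_server = server_table.get(username)                        # step 0 lookup
    server_key = nonce_key(r, h_server) if h_server is not None else None
    return client_key, server_key                                # step 3: R was sent, K never


# Constructed server-side password table; the client device stores nothing.
USERS = {"alice": password_hash("correct horse battery")}

if __name__ == "__main__":
    z1, z2 = run_exchange("correct horse battery", "correct horse battery")
    print("real server, masked DH keys agree:", key_by_hashing(z1) == key_by_hashing(z2))
    w1, w2 = run_exchange("correct horse battery", "fake bob's guess")
    print("fake server, masked DH keys agree:", key_by_hashing(w1) == key_by_hashing(w2))
    ck, sk = nonce_login("alice", "correct horse battery", USERS)
    print("nonce scheme, real server agrees:", ck == sk)
```

The XOR masking is reproduced as George posted it, not as a recommended design; John Myre's point that SRP adds the password hash modulo the prime instead of XORing it still applies.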



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
