Cryptography-Digest Digest #481, Volume #12      Fri, 18 Aug 00 19:13:01 EDT

Contents:
  Re: Breaking Simple XOR Encryption (Matthew Skala)
  Re: How to design a new *secure* network protocol from scratch? (Richard D. Latham)
  Re: Posting an encrypted message ("Douglas A. Gwyn")
  How many bits of strength does the ZIP encryption have? (Christian Ghisler)
  Re: The quick brown fox... (wtshaw)
  Re: The quick brown fox... (wtshaw)
  Re: Looking for a DES or RSA chip with write-only key. (Paul Rubin)
  Re: How to design a new *secure* network protocol from scratch? (Eric Murray)
  Re: blowfish problem ("Donald L. Nash")
  Re: Intermittent stream cipher? (wtshaw)
  Re: Intermittent stream cipher? (Darren New)
  Re: DES: Say it or spell it? (Newbie question) ("Kristopher Johnson")
  Re: Just a thought... (SCOTT19U.ZIP_GUY)
  Re: Breaking Simple XOR Encryption (JPeschel)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Matthew Skala)
Subject: Re: Breaking Simple XOR Encryption
Date: 18 Aug 2000 13:29:04 -0700

In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>Peter wrote:
>> I would appreciate an explanation of the attack that is
>> used against simple XOR "encryption" schemes.
>
>The first thing to understand is that XOR is *not* an
>encryption scheme, nor a class of such schemes; it is

I understand the phrase "simple XOR" to refer to one specific algorithm:
the one where you take the key as a string of bytes, repeat it enough
times to make it the length of the message, and XOR the two together.

In that case, you can break it trivially if you have known plaintext at
least the length of the key, just by XORing the known plaintext with the
ciphertext.  It's especially easy if the plaintext contains a run of
zeroes (which happens pretty often in practical applications) because then
the ciphertext for that run will consist of repeats of the key.

Without any known plaintext, a useful first step is to check for repeats
at various distances.  Count, for various values of k, how many values of
i there are such that byte i of the ciphertext is equal to byte i+k.  If
the character frequency in the plaintext isn't flat and isn't correlated
to the key repetitions, there'll be big spikes in the counts at k = the
key length and its multiples.

Then guess what the character distribution of the plaintext looked like,
compute the character distribution for each key position, and attempt to
match the two.  If you wanted to get fancy, you could find ways to use any
knowledge you might have of bigram and trigram distribution, etc.
-- 
Matthew Skala
[EMAIL PROTECTED]              I'm recording the boycott industry!
http://www.islandnet.com/~mskala/




------------------------------

From: [EMAIL PROTECTED] (Richard D. Latham)
Subject: Re: How to design a new *secure* network protocol from scratch?
Date: 18 Aug 2000 15:38:05 -0500

proton <[EMAIL PROTECTED]> writes:

> > > Now what I'm trying to figure out is the smartest and most
> > > secure way of authenticating each end with each other and
> > > establishing an encrypted session.
> > 
> >   Why start from scratch?  Is everything else worthless or unsuitable
> > for the purpose?
> 
> As far as I know, yes.
> 
> >   Why not start by reading up on the protocols already designed: such
> > as IPsec, TLS, SSH, etc., and go on from there?
> 
> The goal is of course to get as much security as possible, but in cases
> where a programmer doesn't have the knowledge it must always be possible
> to fall back to no encryption.
> 
> Personally I want the protocol to be as secure as possible, which is
> why I'm asking here -- I'm not an encryption expert.
> 
> I've realized the wrongs of my previous idea and I've kinda settled
> on public key authentication as default.
> 
> I have never implemented any public key algorithms though, and I would
> appreciate pointers to code and other resources to help me out.
> 

Do a web search on openssl and openssh. All will be revealed :-)

IIRC, www.openssl.org and www.openssh.com are good places to start.

-- 
#include  <disclaimer.std>    /* I don't speak for IBM ...           */
                              /* Heck, I don't even speak for myself */
                              /* Don't believe me ? Ask my wife :-)  */
Richard D. Latham   [EMAIL PROTECTED]

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Posting an encrypted message
Date: Fri, 18 Aug 2000 20:05:38 GMT

Steve wrote:
> Is there a place where one can post a message which has been encrypted
> and others can retrieve it and attempt to decipher it.???

You could try the ACA's Crypto Drop Box.  They probably won't
publish the challenge in the Cryptogram unless it uses one of
their usual standard systems or a slight variation thereof.

> What would be a recommended minimum length of a message in
> characters to work on if anyone does this kind of thing.

That cannot be accurately determined without knowing what
the design is like.  Also, real cryptanalysis is often done
using multiple messages, isologs, known plaintext, etc. and
if you don't allow those then it wouldn't be a real test of
security.

> My thinking is if someone can decipher the message then my
> system/program for encrypting it is flawed..

But not necessarily conversely.  Unless you have skilled
cryppies (who get to specify the conditions of the test,
including number and length of messages) working on it,
failure to crack it wouldn't indicate much about its actual
security.

> A question:  I talked about using the KL-7 rotor based mechanical
> enciphering machine recently. Can anyone tell me with any <accuracy>
> how secure it is in today's market if you knew that the message you
> had was encoded with that system.. 2 hours, 2 weeks, 6 months...???

It depends on who the attackers would be and what sort of
traffic they had access to, also very much on the protocol
for distributing key material.  With perfectly secure keys,
I would expect it to be sufficiently secure against attack
by any amateur, but not certain government organizations
under favorable conditions.

------------------------------

From: Christian Ghisler <chris@ghisler=remove.com>
Subject: How many bits of strength does the ZIP encryption have?
Date: Fri, 18 Aug 2000 22:48:00 +0200
Reply-To: chris@ghisler=remove.com

Dear crypto experts!

What strength (in bits) does the ZIP encryption have, compared e.g.
with DES (56 bit) or IDEA (128 bit)? ZIP encryption uses three 32 bit
keys, so the strength is probably somewhere between 32 and 96 bit. I'm
not talking about known plain text attacks here, just cryptographic
strength with no known plaintext.

Why I need to know this: We need an export licence for ZIP encryption,
and the US government treats encryption with less than 64 bit
differently than encryption with more than 64 bit. The regulation
says:

Quote >>
a. Review and classification are
required by BXA before certain
encryption items can be released from
"EI" and "NS" controls under ECCNs
5A992, 5D992 and 5E992. These items
include: 64-bit mass market encryption
commodities and software; certain
encryption items up to and including
56-bits; and asymmetric key exchange
algorithms not exceeding 512 bits or an
elliptic curve at 112 bits. Encryption
items under these ECCNs do not require
a license or license exception and may
be exported and reexported as "NLR"
(No License Required).
<<end quote.

Therefore we need to know whether ZIP encryption requires a licence or
not.

The description of the ZIP encryption algorithm can be found in the
appnote.txt from pkzip. For obvious reasons, I'm not quoting it here.
Apparently Pkware Inc. has received an export licence - when they sent
us the product, they included a sheet that the program may not be
exported to Cuba, Iran etc.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: The quick brown fox...
Date: Fri, 18 Aug 2000 14:05:08 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:

> In message <[EMAIL PROTECTED]> Benjamin Goldberg wrote:
>  
> > > Justly vexed, the Queen exiled the calligrapher who spattered some
> > > black ink on her dog.
> > 
> > This one isn't a pangram, there's no "z" in it!
>  
> Many thanks, now amended to:
>  
>   Justly vexed, the Queen exiled the calligrapher who spattered some
>   black ink on her dozing dog.
>  
> Additional pangrams still wanted.
>  
> Regards,
> Mike.
> -- 
> M J D Brown: Newhaven, Peterchurch, Herefordshire HR2 0RT, England

That is a wonderful list.  Surely others can make suggestions for
additions, the shorter the better.  I see them as memorable means of
sourcing permuted alphabets.
-- 
If you have a conscience, vote for a candidate that has one too.
For president, I see only one that has consistently practiced what 
he has preached, and always been on the side of basic good, RN.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: The quick brown fox...
Date: Fri, 18 Aug 2000 14:12:46 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:

> In message <[EMAIL PROTECTED]> Benjamin Goldberg wrote:
>  
> > > Justly vexed, the Queen exiled the calligrapher who spattered some
> > > black ink on her dog.
> > 
> > This one isn't a pangram, there's no "z" in it!
>  
> Many thanks, now amended to:
>  
>   Justly vexed, the Queen exiled the calligrapher who spattered some
>   black ink on her dozing dog.
>  

The gal got really mad:

 Justly vexed, the Queen exiled the calligrapher who spritzed some black
ink on her.
-- 
If you have a conscience, vote for a candidate that has one too.
For president, I see only one that has consistently practiced what 
he has preached, and always been on the side of basic good, RN.

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Looking for a DES or RSA chip with write-only key.
Date: 18 Aug 2000 21:12:09 GMT

In article <[EMAIL PROTECTED]>,
Benjamin Goldberg  <[EMAIL PROTECTED]> wrote:
>[WARNING: place coffee cup firmly on the table to avoid making mess]
>
>Mark Currie wrote:
>> 
>> I would not recommend *burning-in* of keys. The Pijnenburg chips -
>> PCC101 (DES) & PCC201 (Exponentiator) have write-only key registers
>> that (I think) can be retained with a battery after power-down.
>[snip]
>
>Surely you don't *really* mean "write-only", do you?

Yes, write-only.  That's normal.  You can write keys into the
registers but not read them back.  The chip also supports encryption
operations using the keys you have written, but does not give you
direct access to the key registers after the keys are loaded.

------------------------------

From: [EMAIL PROTECTED][Rot 13] (Eric Murray)
Subject: Re: How to design a new *secure* network protocol from scratch?
Date: 18 Aug 2000 14:28:03 -0700

In article <[EMAIL PROTECTED]>,
proton  <[EMAIL PROTECTED]> wrote:
>> > Now what I'm trying to figure out is the smartest and most
>> > secure way of authenticating each end with each other and
>> > establishing an encrypted session.
>> 
>>   Why start from scratch?  Is everything else worthless or unsuitable
>> for the purpose?
>
>As far as I know, yes.
>
>>   Why not start by reading up on the protocols already designed: such
>> as IPsec, TLS, SSH, etc., and go on from there?
>
>The goal is of course to get as much security as possible, but in cases
>where a programmer doesn't have the knowledge it must always be possible
>to fall back to no encryption.

SSL/TLS and SSH will let you do that (well, the protocols as
defined will, but many implementations will not, as this is something
to be discouraged).

SSL/TLS and SSH would be good for programmers who don't have
the knowledge, since the code for them is readily available.

It's easy to make a "secure" protocol that isn't, especially if it's
the first one you've done.  I'd recommend biting the bullet and learning
how to use OpenSSL- in the long run it'll take you much less time than
designing and coding your own protocol, and then fixing the security
holes in it.

If you've decided to write your own protocol because it's fun, then
studying the SSLv3 and TLS documents and trying to understand why
things are done as they are would be useful, as would reading Applied Crypto
(and a lot of other books and papers, but that'll be a start).

--
  Eric Murray http://www.lne.com/ericm  ericm at lne.com  PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards.


------------------------------

From: "Donald L. Nash" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c
Subject: Re: blowfish problem
Date: Fri, 18 Aug 2000 16:48:15 -0500

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
wrote:

>Why wasn't it called 7-in-12 ASCII?

Good question.  I don't know the answer, the terminology predated my 
arrival here and I was never anything more than a user of the Cybers.  I 
suppose it could be used to represent arbitrary 8-bit data.  There was a 
Kermit implementation for our homebrew operating system (UT-2D).

-- 
Donald L. Nash, <[EMAIL PROTECTED]>, PGP Key ID: 0x689DA021
The University of Texas System Office of Telecommunication Services

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Intermittent stream cipher?
Date: Fri, 18 Aug 2000 15:39:37 -0600

In article <hggn5.5650$[EMAIL PROTECTED]>, "mconroy"
<[EMAIL PROTECTED]> wrote:

> I would like to know where I might find a cipher algorithm that allows me to
> stream plaintext input on an intermittent basis.  The application is logging
> messages to a file which must be encrypted.  The file has to remain
> encrypted at all times...

> Mike Conroy

Others have asked similar questions, often regarding databases where
individual items need to be altered.  You are right, an all or nothing
system makes no sense, and usual block ciphers are not good enough without
added window dressing, IVs.

The solution is to use inductive encryption that is so strong as to
allow reasonable sized blocks, not ever beyond a few hundred characters in
size, to be handled separately, and allow variable sized blocks that can
be as small as two characters, all of which can be decrypted seamlessly.

The solution makes sense, always has, and appears to have no rivals.  If
you had rather patch, gee and haw, and try to stay with popular ciphers,
you should do that.  Otherwise, doing it right means just that.
-- 
If you have a conscience, vote for a candidate that has one too.
For president, I see only one that has consistently practiced what 
he has preached, and always been on the side of basic good, RN.

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Intermittent stream cipher?
Date: Fri, 18 Aug 2000 22:26:04 GMT

> I would like to know where I might find a cipher algorithm that allows me to
> stream plaintext input on an intermittent basis.  The application is logging
> messages to a file which must be encrypted.  The file has to remain
> encrypted at all times. 

Why not just use something like RC4?  To add a line, run the generator through
as many bytes as you already have in the file, and then pick up the stream
from there?  If your log file is 3000 bytes long now, run RC4 for 3000 bytes
(or 3000+256, or whatever) and then start using the output to XOR with the
new message?

-- 
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST).  Cryptokeys on demand.
"Do not install air conditioner in room with 
                    inconvenient or hypnotic persons."
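The scheme in the reply above, carried out in Python as an added example (this is not the poster's code, and Darren New's message contains none). The RC4 routine, the in-memory `EncryptedLog` standing in for the file on disk, the sample log lines and the key are this example's own assumptions. It also shows the failure mode that the skip-ahead avoids: restarting the keystream for every line masks two lines with the same bytes, so XORing their ciphertexts cancels the key and hands an attacker line1 XOR line2.

```python
"""An append-only encrypted log on a stream cipher: one keystream for the
whole file, with each new line masked by the keystream bytes that follow the
bytes already written.  Example code for this digest, not the poster's own."""


def rc4_keystream(key: bytes):
    """RC4 keystream generator: key-scheduling pass, then the output loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def keystream_at(key: bytes, offset: int, length: int) -> bytes:
    """Keystream bytes [offset, offset + length): run the generator past the
    `offset` bytes already consumed by the file, then take the next `length`.
    A real implementation would keep the generator state instead of re-running
    it from the start on every append."""
    ks = rc4_keystream(key)
    for _ in range(offset):
        next(ks)
    return bytes(next(ks) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedLog:
    """Stands in for the log file; `data` is what would sit on disk."""

    def __init__(self, key: bytes):
        self.key = key
        self.data = bytearray()

    def append(self, line: bytes) -> None:
        # Skip exactly len(self.data) keystream bytes, as the reply suggests:
        # every keystream byte masks one file position, and is used once.
        # This only holds while the file is strictly appended to, never
        # truncated or rewritten.
        self.data += xor_bytes(line, keystream_at(self.key, len(self.data), len(line)))

    def decrypt(self) -> bytes:
        """One pass from keystream byte 0 recovers every line."""
        return xor_bytes(self.data, keystream_at(self.key, 0, len(self.data)))


def naive_append_leak(key: bytes, line1: bytes, line2: bytes) -> bytes:
    """What goes wrong without the skip: restarting the keystream for each line
    masks both with the same bytes, so ct1 XOR ct2 == line1 XOR line2 and the
    key drops out entirely.  Returns that XOR so a caller can confirm it."""
    n = min(len(line1), len(line2))
    ct1 = xor_bytes(line1, keystream_at(key, 0, len(line1)))
    ct2 = xor_bytes(line2, keystream_at(key, 0, len(line2)))
    return xor_bytes(ct1[:n], ct2[:n])


if __name__ == "__main__":
    log = EncryptedLog(b"log-file-key")  # constructed key and log lines
    for line in (b"10:01 user alice logged in\n", b"10:02 sudo by alice\n"):
        log.append(line)
    print(log.decrypt().decode(), end="")
    leak = naive_append_leak(b"log-file-key", b"attack at dawn", b"retreat now!!!")
    print(leak == xor_bytes(b"attack at dawn", b"retreat now!!!"))
```

`keystream_at` re-derives the stream from the key on each call to keep the example short; a long-running logger would hold the generator open and only advance it. The scheme gives confidentiality of the log body only; nothing here detects a truncated or modified file.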

------------------------------

From: "Kristopher Johnson" <[EMAIL PROTECTED]>
Subject: Re: DES: Say it or spell it? (Newbie question)
Date: Fri, 18 Aug 2000 22:45:45 GMT

"DES on the other hand is a pure acronym and thus by conventional English
rules is pronounced as the sequence of individual letters"

How do you pronounce "NASA"?  How about "AWACS"?

I think you're correct that many people first encounter these things in
books or on the Internet, and so they need to guess at a pronunciation.

But you suggest that people who don't come up with the same pronunciation
you use are lacking educationally or intellectually.  I dont beleev that to
be troo.

- Kris


"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Jim Reeds wrote:
> > Like Doug Gwyn, I spell out D. E. S., but almost everyone
> > else I seems to say "Dez".  I think it's a generational
> > thing: us true old farts spell it out right, but newbies
> > have been calling it Dez for a couple of decades now.
>
> Maybe you're right about the generational thing.  Most
> people I know in the business are old-timers, many of
> whom learned their approach to terminology through
> instruction by the likes of Friedman and Callimahos,
> as well as being thoroughly schooled in the three Rs.
>
> > How about XOR?  I justabout flipped the first time I heard
> > it pronounced "ksor".
>
> Wow! it's hard to believe.  The standard pronunciation
> among all the pros I know is "eks-or", since it is an
> abbreviation for EXclusive-OR.  (DES on the other hand is
> a pure acronym and thus by conventional English rules
> is pronounced as the sequence of individual letters.)
>
> Maybe what's happening is that newbies first encounter
> these terms in writing, and having no clue about their
> pronunciation, they just invent one.  Certainly I don't
> expect them to have learned much about English from
> their stint in the public school system.  Why, on
> numerous occasions I've seen commercial advertisements
> that spell the possessive pronoun "its" as "it's".
>
> > Psaugh!
>
> Is that like "pshaw!"?



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Just a thought...
Date: 18 Aug 2000 22:47:12 GMT

[EMAIL PROTECTED] (Simister, Shawn [SKY:0000:EXCH]) wrote in 
<[EMAIL PROTECTED]>:

> I've been wondering whether it would be viable to create an encryption
>algorithm whose strength would be based upon the fact
>that it could only be broken by a brute force attack and that the
>encryption/decryption process took so long that going through
>every possible key would take way too long.
>
>Example:
>
>      The encrypt/decrypt algorithm is designed so that it takes at
>least 0.005s per byte (on a dual P III 600) no matter how it's
>programmed.
>     The key size is 50 bits long.
>
>        Therefore...
>
>     A 1 MB file would take approx. 1.4 hours to encrypt/decrypt.
>     If 5 million computers (dual P III 600) attempted to crack this
>file using a brute force method (i.e. decrypting the cipher text with
>each key and comparing it to a copy of the plain text) it could take
>them as long as 36,000 years.

     There are far faster ways to break a short 50 bit key cipher.
It might be best for the NSA to model given plaintext and ciphertext
pairs to break it. That way with little effort on their part they
could write their own version of the program that would run much 
faster. Looking at your program for them would be a waste of time.


     To explain, let's take it to the extreme. You only have one bit and it
takes a day on your dual P III - 600.  They only need to see a few
pairs of plaintext and ciphertext to break your program. Why should they
run it?

 
>
>        Obviously there are some cases in which this would be far too
>time consuming for the sender and receiver, but if this were
>proven to be 100% secure I'm sure there would be some parties who would
>be willing to make these kind of sacrifices.
>
>        The question comes to mind, why would anyone use this algorithm
>when there are already much quicker algorithms which
>have yet to be proven faulty. I guess it's just cause I've been thinking
>about this for a while and I have the distinct feeling that
>there is something I am overlooking.
>
>        If anyone has heard of this kind of thing before or knows of any
>papers related to this It would be much appreciated.
>
>Thanks in advance!
>
>Shawn Simister
>


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
        http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMMERS***
I leave you with this final thought from President Bill Clinton:
   "The road to tyranny, we must never forget, begins with the destruction 
of the truth." 

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Breaking Simple XOR Encryption
Date: 18 Aug 2000 22:55:55 GMT

Peter [EMAIL PROTECTED] writes, in part:

>I would appreciate an explanation of the attack that is used against
>simple XOR "encryption" schemes.
>
>I have read section 1.2.3 of Schneier (1994) which is (understandably)
>curt and I do not understand the method explained.

The copy of AC2 that says:
"The smallest displacement that 
indicates an equal length is 
the length of the key" 

should say:

"The smallest displacement that 
indicates a multiple of the
key length is the length of the key."

Does that help?

What you call "Simple XOR Encryption"
is usually implemented as a
polyalphabetic cipher with a repeating 
key. I like to call it a modified 
Vigenère. This modification uses larger
alphabets and the XOR operation for 
the substitution.

You can decrypt the Vigenère and the 
modified Vigenère by finding the 
period of the key and doing frequency
analysis on each of the alphabets. 

You can find the length, or period, 
of the key by the Kasiski method or
by the Index of Coincidence that 
Schneier talks about.

Fauzan Mirza's program Vigsolve will
find the period and key of a classical
Vigenère, and Vcrack will solve a
"Simple XOR Encryption," the modified
Vigenère.

Both programs can be found on the
site below.

Joe




__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________
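Matthew Skala's reply earlier in this digest (known-plaintext shortcut, then counting coincidences at each shift k to find the period, then matching a character distribution per key position) and Joe Peschel's reply above (the corrected AC2 rule: the key length is the smallest displacement that spikes, and every multiple of it spikes too) describe one attack. The Python below carries it out end to end as an added example; it is not code from either poster, from Schneier, or from Vigsolve/Vcrack. The plaintext (the opening sentence of Dickens' A Tale of Two Cities), the 7-byte key, the letter-frequency weights and all function names are this example's own assumptions.

```python
"""Breaking "simple XOR": a byte-string key repeated to the message length and
XORed in.  Example code written for this digest; the sample text, key, weight
table and names are assumptions, not anything the posters supplied."""

# Constructed sample input: a public-domain English sentence and an arbitrary
# 7-byte key whose bytes are all distinct.
SAMPLE_TEXT = (
    b"It was the best of times, it was the worst of times, it was the age of "
    b"wisdom, it was the age of foolishness, it was the epoch of belief, it was "
    b"the epoch of incredulity, it was the season of Light, it was the season of "
    b"Darkness, it was the spring of hope, it was the winter of despair, we had "
    b"everything before us, we had nothing before us, we were all going direct "
    b"to Heaven, we were all going direct the other way - in short, the period "
    b"was so far like the present period, that some of its noisiest authorities "
    b"insisted on its being received, for good or for evil, in the superlative "
    b"degree of comparison only."
)
SAMPLE_KEY = bytes.fromhex("874bd26eb123ec")

# Approximate English letter frequencies (per cent) plus a weight for the space,
# the single most common byte in ordinary text.  Assumed, not from the thread.
_WEIGHT = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07, " ": 13.0,
}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The 'simple XOR' scheme itself; encrypting and decrypting are the same."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_known_plaintext(ct: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Skala's shortcut: with known plaintext at least key_len long, the key
    falls straight out of ct XOR plaintext.  `offset` is where the known text
    sits in the message, so the bytes can be rotated back to key position 0."""
    frag = bytes(c ^ p for c, p in zip(ct[offset:offset + key_len], known[:key_len]))
    r = offset % key_len
    return frag[-r:] + frag[:-r] if r else frag


def coincidence_rates(ct: bytes, max_shift: int) -> dict:
    """Skala's test: for each shift k, the fraction of positions i at which
    ct[i] == ct[i + k].  At multiples of the key length the same key byte sits
    under both positions and cancels, leaving the plaintext's own (far from
    flat) coincidence rate; elsewhere two different key bytes scramble the
    comparison and the rate stays low."""
    return {k: sum(1 for i in range(len(ct) - k) if ct[i] == ct[i + k]) / (len(ct) - k)
            for k in range(1, max_shift + 1)}


def guess_key_length(ct: bytes, max_shift: int = 40, candidates: int = 5) -> int:
    """Rank shifts by coincidence rate.  The key length and all its multiples
    spike, so (the AC2 erratum Peschel quotes) take the smallest spiking shift
    that divides the strongest one."""
    rates = coincidence_rates(ct, max_shift)
    top = sorted(rates, key=rates.get, reverse=True)[:candidates]
    return min(k for k in top if top[0] % k == 0)


def english_score(data: bytes) -> float:
    """Higher is more English-like.  Control bytes and anything above 0x7E are
    penalised hard; that alone rejects almost every wrong key byte."""
    score = 0.0
    for b in data:
        c = chr(b).lower()
        if c in _WEIGHT:
            score += _WEIGHT[c]
        elif (b < 0x20 and b not in (9, 10, 13)) or b > 0x7E:
            score -= 50.0
    return score


def recover_key(ct: bytes, key_len: int) -> bytes:
    """Per-position frequency analysis: column p holds every byte masked by key
    byte p, so try all 256 values and keep the one whose output reads as English."""
    key = bytearray()
    for p in range(key_len):
        column = ct[p::key_len]
        key.append(max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column))))
    return bytes(key)


def break_repeating_xor(ct: bytes, max_shift: int = 40):
    """Ciphertext-only attack: period from coincidences, then one key byte per column."""
    key = recover_key(ct, guess_key_length(ct, max_shift))
    return key, xor_repeating(ct, key)


if __name__ == "__main__":
    ct = xor_repeating(SAMPLE_TEXT, SAMPLE_KEY)
    rates = coincidence_rates(ct, 40)
    print("spiking shifts:", [k for k in rates if rates[k] > 0.04])
    key, pt = break_repeating_xor(ct)
    print("key:", key.hex(), "plaintext recovered:", pt == SAMPLE_TEXT)
```

`break_repeating_xor` never sees the plaintext; `key_from_known_plaintext` is the separate shortcut for when a stretch of it is known (a run of zero bytes is the degenerate case, where the ciphertext is the key itself). The coincidence rates are the unnormalised form of the Index of Coincidence Peschel mentions, and the divisor rule is what keeps a spike at 14 or 21 from being mistaken for the period. Bigram or trigram statistics, which Skala mentions as a refinement, would replace the single-letter table in `english_score`.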


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
