Cryptography-Digest Digest #634, Volume #12       Thu, 7 Sep 00 21:13:01 EDT

Contents:
  Re: PGP 6.5.8 test: That's NOT enough !!! ([EMAIL PROTECTED])
  Known Plain Text Attack ([EMAIL PROTECTED])
  Re: Singhs Cipher Challenge (Jim Gillogly)
  Re: Carnivore article in October CACM _Inside_Risks (Richard D. Latham)
  Re: Carnivore article in October CACM _Inside_Risks (Roger Schlafly)
  (Jury Selection) Re: Carnivore article in October CACM _Inside_Risks (Matthew Montchalin)
  Re: Carnivore article in October CACM _Inside_Risks (Matthew Montchalin)
  Re: Carnivore article in October CACM _Inside_Risks ("Trevor L. Jackson, III")
  Re: Carnivore article in October CACM _Inside_Risks (Roger Schlafly)
  Re: Carnivore article in October CACM _Inside_Risks (Barry Margolin)
  Re: Losing AES Candidates Could Be a Good Bet? (John Savard)
  Re: security warning -- "www.etradebank.com" ([EMAIL PROTECTED])
  Re: could you please tell me how this calculation has been obtained ? (Lronscam)
  Re: RSA patent expiration party still on for the 20th (S. T. L.)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP 6.5.8 test: That's NOT enough !!!
Date: Thu, 07 Sep 2000 23:06:14 GMT

So! 658 is a finger in the dyke type of deal :-(
how about version '7, is it fixed or is it NOT ??

http://www.deja.com/[ST_artlink=ftp.hacktic.nl]/jump/ftp://ftp.hacktic.nl/pub/crypto/incoming/PGP7_Full_Retail_Release.zip

Please let us all know ??





In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Rich Wales) wrote:
> "jungle" wrote:
>
>       > the fix must be : key is tampered == key is BAD,
>       > therefore key must be rejected as BAD ...  NO
>       > partial fiddling with the tampered key, this will
>       > create another door to future security compromises
>       > ...  when key is ADK or in ANY OTHER way tampered,
>       > end of the story for this key
>
> While I understand "jungle"'s motivation, I'm inclined to disagree
> with such a strict, cut-and-dried policy, because:
>
> (1) since the tampering is (by definition) in the non-secured portion
>     of the key certificate, it can easily be detected and eliminated
>     without fear of compromising the secured portion of the key; and
>
> (2) a blanket rejection of any key with an unauthorized (non-hashed)
>     ADK reference presents a very tempting "denial of service" attack
>     strategy -- namely, if you want to mess up someone's PGP or GnuPG
>     capabilities, all you need do is update his public key on the
>     servers with a bogus ADK (referencing any random key you want),
>     and everyone will promptly start ignoring his key because it's
>     been "tampered with".
>
> I'd say the first and best thing to do (and something I understand is
> already being done) is to see that all key servers are upgraded so that
> they will reject any attempt to upload a key with non-hashed data which
> ought to appear only in the hashed portion (ADK reference, additional
> revocation key, etc.).  If the key servers don't accept (much less pass
> along) keys with non-hashed ADK info, this step alone will eliminate
> most of the problem.  For that matter, I'd suggest that key servers
> should log all attempts to upload contaminated keys (and, perhaps,
> also try to report such attempts to the key owners, via the e-mail
> address -- if any -- contained in the user ID info of a key).
>
> Rich Wales         [EMAIL PROTECTED]   http://www.webcom.com/richw/
> PGP 2.6+ key generated 2000-08-26; all previous encryption keys REVOKED.
> RSA, 2048 bits, ID 0xFDF8FC65, print 2A67F410 0C740867 3EF13F41 528512FA
>


Sent via Deja.com http://www.deja.com/
Before you buy.
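The key-server check that Rich Wales proposes above, written out as an added example (it is not code from this digest, nor from PGP, GnuPG or any key server). It walks the hashed and unhashed subpacket areas of a v4 OpenPGP signature packet body (RFC 2440 section 5.2.3) and reports ADK and revocation-key subpackets that sit in the unhashed area, where nothing signs them and anyone who can upload a key can insert them. Assumptions: the ADK subpacket is taken to be type 10, the slot RFC 2440 lists only as a backward-compatibility placeholder; the sample signature body, its ADK payload layout and its MPI are constructed for the demonstration and are not a real signature.

```python
"""Flag security-relevant subpackets that appear in the *unhashed* area of a
v4 OpenPGP signature body.  Added example; not code from the digest.

Input is the body of a signature packet (tag 2), i.e. everything after the
packet header:  version | sig type | pk alg | hash alg | hashed area |
unhashed area | left 16 bits of hash | MPI(s).
"""
import struct

REVOCATION_KEY = 12   # RFC 2440 5.2.3.1: revocation key
KEY_FLAGS = 27        # RFC 2440 5.2.3.1: key flags
ADK = 10              # ASSUMPTION: PGP's Additional Decryption Key subpacket,
                      # listed in RFC 2440 only as "placeholder for backward
                      # compatibility"
MUST_BE_HASHED = {ADK, REVOCATION_KEY, KEY_FLAGS}


def _read_subpacket_length(buf, pos):
    """Decode the 1-, 2- or 5-byte subpacket length prefix (RFC 2440 5.2.3.1)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def parse_subpacket_area(area):
    """Return [(type, critical, data), ...] for one subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = _read_subpacket_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        tag = area[pos]                       # high bit = critical flag
        out.append((tag & 0x7F, bool(tag & 0x80), bytes(area[pos + 1:pos + length])))
        pos += length
    return out


def split_v4_signature(body):
    """Return (hashed_subpackets, unhashed_subpackets) of a v4 signature body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only v4 signatures carry subpacket areas")
    pos = 4                                   # version, sig type, pk alg, hash alg
    hashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    hashed = parse_subpacket_area(body[pos:pos + hashed_len])
    pos += hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    unhashed = parse_subpacket_area(body[pos:pos + unhashed_len])
    return hashed, unhashed


def misplaced_subpacket_types(body):
    """Types from MUST_BE_HASHED found unsigned in the unhashed area.

    A key server would refuse (and log) an upload for which this is non-empty.
    """
    _, unhashed = split_v4_signature(body)
    return sorted({t for t, _, _ in unhashed if t in MUST_BE_HASHED})


def _subpacket(tag, data):
    """Encode one subpacket with a one-byte length (bodies here are < 191 bytes)."""
    return bytes([len(data) + 1, tag]) + data


def build_sample_signature_body(tampered):
    """Constructed sample (not a real signature: hash bits and MPI are dummies)."""
    hashed = _subpacket(2, struct.pack(">I", 968364374))       # creation time (constructed)
    unhashed = _subpacket(16, b"\x11" * 8)                      # issuer key ID, legitimately unhashed
    if tampered:
        # revocation key: class 0x80, algorithm 1 (RSA), 20-byte fingerprint (constructed)
        unhashed += _subpacket(REVOCATION_KEY, b"\x80\x01" + b"\xAA" * 20)
        # ADK with an assumed class/algorithm/fingerprint layout (constructed)
        unhashed += _subpacket(ADK, b"\x80\x01" + b"\xBB" * 20)
    return (bytes([4, 0x13, 1, 2])                              # v4, positive cert, RSA, SHA-1
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                                       # left 16 bits of hash (dummy)
            + struct.pack(">H", 8) + b"\xFF")                   # dummy 8-bit MPI


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered=%s -> misplaced types %s"
              % (tampered, misplaced_subpacket_types(build_sample_signature_body(tampered))))
```

The legitimately unhashed issuer subpacket (type 16) is left alone; only types whose meaning depends on being signed are reported, which is the distinction the post draws between data anyone may append and data that must be covered by the key owner's signature.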

------------------------------

From: [EMAIL PROTECTED]
Subject: Known Plain Text Attack
Date: Thu, 07 Sep 2000 23:15:15 GMT

Hi,

 Is there any possibility of using a known plaintext attack in the
following situation: I have a file in the original form and the
encrypted one, and I also have the password. What else do I need? I need
to find out the method that was used to encrypt the original file with
this key (probably a hash was subtracted from this key). Where can I
find some algorithms for known plaintext attacks?

Thank you,
John D.


Sent via Deja.com http://www.deja.com/
Before you buy.
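With plaintext, ciphertext and password all in hand, the question in the post above is really one of identification, not of breaking anything: each guess about the construction can be tested directly by re-encrypting the known plaintext and comparing. The example below is added here and is not code from the digest; it covers the two stream constructions that can be reimplemented without any library (repeating-key XOR and RC4), tries several common password-to-key derivations, and falls back to a period test on the recovered keystream. The password, plaintext and candidate list are constructed for the demonstration; a block cipher would need a crypto library and is only flagged by the length check.

```python
"""Identify how a file was encrypted given plaintext, ciphertext and password.
Added example; not code from the digest.
"""
import hashlib
from itertools import cycle, islice


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_keystream(key, n):
    """RC4 key scheduling plus PRGA; returns n keystream bytes (candidate only)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def repeating_key_stream(key, n):
    """The key repeated to n bytes (classic repeating-key XOR)."""
    return bytes(islice(cycle(key), n))


# Candidate ways the password might have been turned into a key.
KEY_DERIVATIONS = {
    "raw": lambda pw: pw,
    "md5": lambda pw: hashlib.md5(pw).digest(),
    "sha1": lambda pw: hashlib.sha1(pw).digest(),
    "sha256": lambda pw: hashlib.sha256(pw).digest(),
}


def keystream_period(ks, max_period=64):
    """Smallest p <= max_period with ks[i] == ks[i-p] for all i, else None."""
    for p in range(1, min(max_period, len(ks) // 2) + 1):
        if all(ks[i] == ks[i - p] for i in range(p, len(ks))):
            return p
    return None


def identify_construction(plaintext, ciphertext, password):
    """Return (cipher_name, key_derivation_name), or a diagnostic pair."""
    if len(plaintext) != len(ciphertext):
        # Stream ciphers preserve length; a size change points at padding,
        # an IV/header, or compression before encryption.
        return ("length-changing (block cipher with padding, or a header/IV?)", None)
    ks = xor_bytes(plaintext, ciphertext)          # whatever produced it, this is the keystream
    for name, derive in KEY_DERIVATIONS.items():
        key = derive(password)
        if ks == repeating_key_stream(key, len(ks)):
            return ("repeating-key-xor", name)
        if ks == rc4_keystream(key, len(ks)):
            return ("rc4", name)
    period = keystream_period(ks)
    if period is not None:
        return ("repeating-key-xor, period %d, key derivation unknown" % period, None)
    return ("unknown", None)


# Constructed demonstration inputs (not from the post).
PASSWORD = b"hunter2"
PLAINTEXT = b"The quick brown fox jumps over the lazy dog, and again and again."


def demo_rc4_sha1():
    ct = xor_bytes(PLAINTEXT, rc4_keystream(hashlib.sha1(PASSWORD).digest(), len(PLAINTEXT)))
    return identify_construction(PLAINTEXT, ct, PASSWORD)


def demo_xor_md5():
    ct = xor_bytes(PLAINTEXT, repeating_key_stream(hashlib.md5(PASSWORD).digest(), len(PLAINTEXT)))
    return identify_construction(PLAINTEXT, ct, PASSWORD)


def demo_unknown_short_key():
    # Keystream that none of the candidate derivations explains, but which repeats.
    ct = xor_bytes(PLAINTEXT, repeating_key_stream(b"xyz", len(PLAINTEXT)))
    return identify_construction(PLAINTEXT, ct, PASSWORD)


if __name__ == "__main__":
    for fn in (demo_rc4_sha1, demo_xor_md5, demo_unknown_short_key):
        print(fn.__name__, "->", fn())
```

Extending the search is a matter of adding entries to `KEY_DERIVATIONS` or another keystream generator; the plaintext XOR ciphertext value is the single artifact worth inspecting first, since its structure (repeating, all-zero after some offset, or noise-like) already narrows the family of constructions before any candidate is tried.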

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Singhs Cipher Challenge
Date: Thu, 07 Sep 2000 23:20:13 +0000

Mike wrote:
> 
> Does anyone know if the egroup  http://www.egroups.com/group/CipherChallenge
> is still active?
> 
> I joined it about 5 weeks ago, but the moderators still haven't approved me.

It is.  You shouldn't need to be approved by a moderator -- it's
an open list.  I think all you need to do is register with eGroups
and log into this list.
-- 
        Jim Gillogly
        Highday, 16 Halimath S.R. 2000, 23:18
        12.19.7.9.10, 12 Oc 13 Mol, First Lord of Night

------------------------------

From: [EMAIL PROTECTED] (Richard D. Latham)
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: 07 Sep 2000 18:12:30 -0500

Barry Margolin <[EMAIL PROTECTED]> writes:

> In article <newscache$lqfi0g$h1k$[EMAIL PROTECTED]>,
> Ken Hagan <[EMAIL PROTECTED]> wrote:
> >We'd end up with juries populated exclusively by the kind of
> >folks who believe TV adverts offer convincing proof of product
> >effectiveness.
> 
> It's often said that a jury consists of 12 people who weren't smart enough
> to get out of jury duty....
> 

... but occasionally, they screw up :-)

The way it works here in Texas for felony trials is that they empanel
a group of (IIRC, and this # gets raised considerably if it is a
'notorious' or well publicised crime ) 90 potential jurors, who all
sit in a long (virtual) row of chairs. Each chair has a number. The
attorneys (and judge) work their way down the list, determining
whether you are "able to serve". Each attorney is allowed a small # of
"strikes", which is people he/she can exclude for any reason
(including no reason) at all. The judge will also sometimes strike
jurors, though they don't like to do this, since it always seems to be
the first avenue of appeal, when the jury and the accused end up not
being of the same (apparent) race/socioeconomic background.

I was in chair 87 of 90.

I read the newspaper every day.

I've been the victim of a home burglary in the previous 3 yrs.

My brother-in-law is Asst Chief of Police in a nearby city.

"I'm a defence attorney's worst nightmare", right ?

I ended up serving ... was the jury foreman, and after we'd put his
client (back, it turns out) into the state pen for (another) 35+
years, we (the jurors, judge, and attorneys ... both sides) were
discussing the outcome.

I stated to the defense attorney, "I can't _believe_ you took me". He
replied, "man, I was outta strikes" :-)

The judge said that in over 20 yrs, he thought this was going to be
the first trial he'd ever had where he had to send back for more
potential jurors.

-- 
#include  <disclaimer.std>    /* I don't speak for IBM ...           */
                              /* Heck, I don't even speak for myself */
                              /* Don't believe me ? Ask my wife :-)  */
Richard D. Latham   [EMAIL PROTECTED]

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: Thu, 07 Sep 2000 16:21:11 -0700

Paul Rubin wrote:
> That appears to be true of smart cards, but certainly not of more
> sophisticated modules.  Crypto modules these days can be made immune
> to any type of passive attack (i.e. any attack that doesn't involve
> physical tampering).  If you have to drill holes in a device to access
> internal signals, that's no longer a side channel.

Aren't we talking about signing devices that might be put in
everyone's PC, such that the user himself cannot get the private
key? If so, I cannot see putting a steel vault on all motherboards.

------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto,us.legal
Subject: (Jury Selection) Re: Carnivore article in October CACM _Inside_Risks
Date: Thu, 7 Sep 2000 16:13:17 -0700

On 7 Sep 2000, Yiorgos Adamopoulos wrote:
|So, if I am an attorney and I want to cause reasonable doubt, I need 
|to have a jury that will buy whatever I sell :-)

Yes.  Practice a few innocent homilies of sorts, get the jury into
a good mood, and then ask them some casual questions, eventually
eliciting information about their mathematical abilities.  For
instance, which prospective juror worries about his gas mileage?
Does he regularly check his gas mileage?  Does he have a preference
between computing how many kilometers per liter he gets, or miles per
gallon, in driving his car?  And so on.  Does he have a hard time
figuring out what a "meg" of storage is, on a hard drive?  And what
about schedules?  If a prospective juror admits that "following an
itinerary to the letter" is pretty hard, that's the juror for you.
Librarians and math professors ought to be (eventual) peremptory
challenges.

|[ Then again I live in Greece, so I may be off track on the jury
|selection process in the US ]

Isn't Greece a civil code country?  But surely they *impanel juries*
for significant questions of fact?

Can you tell me a little bit about the voir dire process as it is
practiced in Greece?


------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto,or.general
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: Thu, 7 Sep 2000 16:16:27 -0700

On Wed, 6 Sep 2000, -m- wrote:

|A professional does not discover he is under surveillance... he assumes
|it from the start.

Paranoid people assume it as well.  (Many double agents ought to be
paranoid, come to think of it.)  Paranoia is not necessarily based
on irrational suppositions.



------------------------------

Date: Thu, 07 Sep 2000 19:34:00 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto
Subject: Re: Carnivore article in October CACM _Inside_Risks

Roger Schlafly wrote:

> Ken Hagan wrote:
> > ... I would expect
> > such woolly reasoning to be spotted by competent members of
> > all the above professions, and indeed a great many other
> > people, ...
>
> In the US, such independent reasoning by the jury is strongly
> discouraged. This is because:
>
> 1. Jurors are not allowed to ask any questions, and so would
> not have the opportunity to flesh out their theories.

This is changing.  Several states have changed the rules so that jury
members can take notes and even ask questions.  The preliminary results
of these changes have been positive.  I hope this trend and the trend
toward "fully informed" juries continues.


>
> 2. The system is adversarial, and it is considered unfair for
> a juror to use independent reasoning that the parties have not
> had an opportunity to rebut.
> 3. Most jurors do not think independently, and if one juror
> appears to have particularly intelligent arguments, then he
> has undue influence over the others.

This is part and parcel of the human condition, the reason why great
orators have always been highly esteemed, and why rhetoric is still
worth learning.

>
>
> This sounds silly, but I have seen an example of someone getting
> convicted because one juror concocted a dubious theory of what
> happened.

No system is perfect.  Unreasonable expectations re the justice system
are as damaging as unjust laws.


------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: Thu, 07 Sep 2000 16:54:18 -0700

"Trevor L. Jackson, III" wrote:
> > 1. Jurors are not allowed to ask any questions, and so would
> > not have the opportunity to flesh out their theories.
> 
> This is changing.  Several states have changed the rules so that jury
> members can take notes and even ask questions. 

Ask questions live? I doubt it. I have heard of cases where jurors
were permitted to submit some questions to the judge, who then
rewords them, permits both parties to object, and eventually
asks the witness.

Live questions are considered dangerous because they might be
considered prejudicial or allude to something inadmissible. Normally the
lawyers are instructed not to ask certain sorts of questions,
but the jurors are not even supposed to know which questions
are off-limits.

Taking notes is also bad because the notes may have errors and
the lawyers do not have opportunities to challenge them. Also, if
1 juror out of 12 takes notes, the other 11 might assume that
he knows what is going on and give his opinion undue weight.

(Yes, I know how wacky all this sounds.)

------------------------------

From: Barry Margolin <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: Fri, 08 Sep 2000 00:00:33 GMT

In article <[EMAIL PROTECTED]>,
Roger Schlafly  <[EMAIL PROTECTED]> wrote:
>Taking notes is also bad because the notes may have errors and
>the lawyers do not have opportunities to challenge them. Also, if
>1 juror out of 12 takes notes, the other 11 might assume that
>he knows what is going on and give his opinion undue weight.
>
>(Yes, I know how wacky all this sounds.)

Pretty wacky.  After all, if they don't take notes, they end up going by
their memory instead, don't they?  Isn't that likely to have *more* errors?
And the lawyers still can't challenge it.

I guess the courtroom transcript is available, so maybe they assume that
the jurors will use that if they can't take notes.  But a person with notes
can still refer to the transcript as well, and I think it's a pretty wild
assumption to expect most jurors to do this rather than go by their
memories just because they couldn't take notes.

-- 
Barry Margolin, [EMAIL PROTECTED]
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Losing AES Candidates Could Be a Good Bet?
Date: Fri, 08 Sep 2000 00:04:58 GMT

On Thu, 7 Sep 2000 18:58:40 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote, in part:

>It isn't clear that the "security margin" has any actual
>significance.  In fact for both DES and Skipjack, it has
>been suggested that the slimness of such a margin is an
>indication that the designers knew what they were doing.

Yes, it is an indication of that. However, one would like a cipher
capable of using 256-bit keys, not just 128-bit keys, to have security
commensurate with the larger key size.

Since I freely admit I _don't_ know as much as the real experts,
though, for people who want to keep their secrets secret during the
next millennium, I offer Quadibloc VIII, described on my site - as well
as many AES candidates, including all five finalists, DES and
Skipjack, rotor and telecipher machines and on and on.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: security warning -- "www.etradebank.com"
Reply-To: rsh(remove)@idirect.com
Date: Fri, 08 Sep 2000 00:27:04 GMT

I have interspersed some comments...

"Harvey Rook" <[EMAIL PROTECTED]> wrote:

>Why is 6 chars unacceptable? We are not talking about a piece of unguarded
>data that your opponent has unlimited access to. Consider...
>
>-The accounts lock up after 3 wrong tries.

Good

>-Reactivation requires you to call in.

Is someone tapping the line?

>-When you call in you must know some personal information
>(SSN/Address/Mother's Maiden Name/Amount of last deposit or withdrawal )

Every mother's maiden name is available information via a copy of the
parents' marriage certificate OR in some countries is public information
(Iceland is one example...)  Address and SSN are both also BAD choices.
Address is easy to obtain, and SSN is not supposed to be used for this
purpose.  And, of course, you are limiting this to the US, while I am in
Canada and MAY not even have a SSN (I do, but that is another story...)

>-After you've presented the personal information, you get to pick a new
>password, any password you want.

And if 'you' are NOT you? (Sniffer, tapping the line, etc.)

>-After reactivation, the account holder is sent a piece of snail mail
>informing them of the recent password change.

Again, what if someone is tapping the line?

>This policy is not uncommon-- every online bank or brokerage that I have
>looked at, follows it.

And all have the above problems...


>The vulnerability is not a small password space. So, 6 chars is acceptable.

If HTTPS is being used yes, if not, NO...

>Harvey Rook
>[EMAIL PROTECTED]


------------------------------

From: Lronscam <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: could you please tell me how this calculation has been obtained ?
Date: Thu, 7 Sep 2000 20:43:32 -0400

The addy of [EMAIL PROTECTED]=NOSPAM, In article ID 
<[EMAIL PROTECTED]>, On or about Thu, 07 Sep 2000 07:13:40 
GMT, 

 Arturo says...

>On Thu, 07 Sep 2000 16:37:05 +1200, Michael Brown <[EMAIL PROTECTED]>
>wrote:
>
>>I'd guess it'd be based somehow on the number of public keys on
>>keyservers. That's how I would do it.
>>jungle wrote:
>>> 
>>> hi mike,
>>> 
>>> in the recent [ 25 aug ] ap article by peter svensson, he is writing,
>>> wallach said, that pgp is used by 7 million people ...
>>> 
>>> could you please tell me how this calculation has been obtained ?
>>> how accurate this number is ?
>>> 
>       I have heard some numbers (from servers in Spain, Holland and the US),
>and the number of PGP keys in keyservers is about 1 million.  Where did the
>other 6 million go?

And if there are only 1 million keys on the public key servers then you 
know that there are less people using PGP. How many people have only one 
key? 

I doubt you will get an answer Jungle. 

This sounds like big business to me lying as usual about how many people 
they have using their product. AOL does it, and I know of several other 
businesses doing just that to promote themselves as #1, so why shouldn't 
PGP do it? 

Being a commercial enterprise does have its weak points at times. 




------------------------------

From: [EMAIL PROTECTED] (S. T. L.)
Date: 08 Sep 2000 00:48:34 GMT
Subject: Re: RSA patent expiration party still on for the 20th

/*We are getting into the wild blue yonder here. It depends on why you wrote
it. If you could argue that it was for "research" purposes, then I believe
that the patent law by precedent allows such use. (After all patents are
published precisely to allow others to improve on them).*/

It was a calculator program.  :-P  For TI-92+ calculators.  There is no
possible commercial use, and there isn't actually any noncommercial use.  It
is, to put it simply, useless.  :->



-*---*-------
S.T.L.  My Quotes Page:  http://quote.cjb.net
Book Reviews Page:  http://sciencebook.cjb.net
Turbo-nifty interlaced interpolated PNG demo:  http://interpng.cjb.net
Optimized pngcrush executable now on my site!  Long live pngcrush!

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
