Cryptography-Digest Digest #865, Volume #12       Sat, 7 Oct 00 16:13:01 EDT

Contents:
  Re: How to use PGP2.6.2?? (Imad R. Faiad)
  Re: Choice of public exponent in RSA signatures (David A Molnar)
  Could NSA help vigilance? (Andru Luvisi)
  securely returning password info to a server from a client ("William A. McKee")
  Re: Why wasn't MARS chosen as AES? (Stephan Eisvogel)
  Re: Block Cipher Question ("musashi_x")
  Re: NSA quote on AES (Bill Unruh)
  The talk of R. Morris (Mykhailo Lyubich)
  Re: How to use PGP2.6.2?? ([EMAIL PROTECTED])
  Re: Why wasn't MARS chosen as AES? (Tom St Denis)
  Re: NSA quote on AES (Mack)
  Re: Why wasn't MARS chosen as AES? (Tom St Denis)
  Re: NSA quote on AES (David Schwartz)

----------------------------------------------------------------------------

From: Imad R. Faiad <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: How to use PGP2.6.2??
Date: Sat, 07 Oct 2000 18:27:16 GMT

=====BEGIN PGP SIGNED MESSAGE=====

Greetings,

On 7 Oct 2000 17:32:35 -0000, in alt.security.pgp [EMAIL PROTECTED] (Rich
Wales) wrote:

>Imad R. Faiad wrote (in alt.security.pgp):
>
>    > I would not recommend generating an RSA key with any PGP
>    > 2.6.x . . . because most if not all PGP 2.6.x are compiled
>    > with the Blum flag set.  What this does is let the program
>    > look for primes congruent to 3 modulo 4.  This shaves about
>    > 2 bits from the domain of the key.
>
>I can indeed confirm that the 2.6.3ia source code does use Blum primes.
>
>I'm not sure I see this as a big issue with a 2K-bit RSA key, however.
>And if 4K-bit RSA keys manage to come into wider use, I don't see it as
>an issue at all.
>

I agree with you, shaving 2 bits from the key does not make that much
of a difference for RSA keys 2048 bits and above.
However, since we are discussing in relative terms, one may say that two
random primes chosen so as to yield a modulus which is a Blum integer
in the context of RSA key generation are inferior to two random primes
period.
>As for whether or not it makes any sense to use Blum primes for RSA (as
>opposed to random primes), I'm crossposting to sci.crypt as well as to
>alt.security.pgp.
>
>    > Also, the quality of the primes generated in later versions
>    > of PGP is much better in my view.
>

>Could you provide us some more details regarding why you believe this?
>

The RNG in later versions of PGP is much much improved.
From the collection of entropy to the actual random bit generation.
Look at the source code.  Hence, one may argue that two random primes
chosen by the PGPSDK RNG are more random than those generated in PGP 2.6.x.

>FWIW, the 2.6.3ia source code explicitly doesn't try to select "strong"
>primes.  A comment in the code claims that there is no valid reason to
>worry about using strong primes.  Is this advice outdated?
>

No, it is still current.  As it rightly says in the source code:
**QUOTE**
 *"Strong" primes are no longer advantageous, due to the new 
 * elliptical curve method of factoring.
**ENDQUOTE**
>Rich Wales         [EMAIL PROTECTED]         http://www.webcom.com/richw/
>PGP 2.6+ key generated 2000-08-26; all previous encryption keys REVOKED.
>RSA, 2048 bits, ID 0xFDF8FC65, print 2A67F410 0C740867 3EF13F41 528512FA

Best Regards

Imad R. Faiad

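To make the "2 bits" figure in the exchange above concrete, here is an added example (my code, not from the post or from PGP): it generates primes with and without the p ≡ 3 (mod 4) restriction that the Blum flag imposes, and counts 16-bit primes by residue class to measure how much of the candidate space the restriction discards. Miller-Rabin is used for primality; the 16-bit range for the exhaustive count is my choice.

```python
import math
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; error probability at most 4**-rounds for a composite."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a proves n composite
    return True

def random_prime(bits: int, blum: bool = False) -> int:
    """Random prime of exactly `bits` bits.  With blum=True only p ≡ 3 (mod 4)
    is accepted, which is the restriction the PGP 2.6.x 'Blum flag' applies."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if blum:
            cand |= 2                         # low two bits 11 -> cand % 4 == 3
        if is_probable_prime(cand):
            return cand

def blum_modulus(bits: int) -> int:
    """n = p*q from two Blum primes; such an n is a Blum integer, so n ≡ 1 (mod 4)."""
    p = random_prime(bits // 2, blum=True)
    q = random_prime(bits // 2, blum=True)
    return p * q

def prime_counts_by_class(bits: int):
    """Exhaustive sieve: (all primes, primes ≡ 3 mod 4) among `bits`-bit integers."""
    limit = 1 << bits
    sieve = bytearray([1]) * limit
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(limit - 1) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    total = blum = 0
    for n in range(1 << (bits - 1), limit):
        if sieve[n]:
            total += 1
            blum += (n % 4 == 3)
    return total, blum

def bits_lost_per_prime(bits: int = 16) -> float:
    """log2 shrinkage of the candidate-prime space from the Blum restriction.
    Primes split roughly evenly between 1 and 3 mod 4, so this is about 1 bit
    per prime, i.e. about 2 bits for the two primes of an RSA modulus."""
    total, blum = prime_counts_by_class(bits)
    return math.log2(total / blum)
```

The measured loss is slightly under one bit per prime because primes ≡ 3 (mod 4) are marginally more common at this size (Chebyshev's bias).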


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: 7 Oct 2000 18:01:58 GMT

Francois Grieu <[EMAIL PROTECTED]> wrote:
>> PSS has better security bounds than Full Domain Hashing, for example,
>> so to get the same security you would need to compensate by increasing
>> the modulus size and slowing down the algorithm.

> I wish the difference could be quantified !  I'd buy a 40% extra
> verify time (20% extra modulus size) for a deterministic signature.

It can be. What you do is you look at the security guarantee for FDH and
the one for PSS and calculate. If memory serves, in order to get the 
same security level as 1024-bit modulus for PSS, you need something
like a 3000 bit modulus for FDH. 

There was a recent paper "On the Exact Security of FDH" in this year's
CRYPTO. I haven't read it. It may modify the calculations somewhat. 

-David
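The "look at the security guarantee ... and calculate" step, as an added example (my code, not David Molnar's): the proof for PSS is tight, while the original 1996 FDH proof loses a factor of (q_hash + q_sig) and Coron's CRYPTO 2000 paper mentioned above tightens that to roughly e * q_sig. The heuristic GNFS cost formula, and the assumed adversary budgets of 2^60 hash queries and 2^30 signing queries, are my choices; the absolute bit counts are rough, the comparison is the point.

```python
import math

def nfs_log2_work(modulus_bits: int) -> float:
    """Heuristic GNFS factoring cost L_n[1/3, (64/9)^(1/3)], in bits of work.
    Constants and the o(1) term are dropped, so absolute values are rough;
    only the comparison between schemes matters here."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)

def min_modulus_bits(target_log2_work: float) -> int:
    """Smallest modulus size whose factoring cost reaches the target (bisection;
    nfs_log2_work is strictly increasing)."""
    lo, hi = 256, 1 << 16
    while lo < hi:
        mid = (lo + hi) // 2
        if nfs_log2_work(mid) >= target_log2_work:
            hi = mid
        else:
            lo = mid + 1
    return lo

def reduction_loss(scheme: str, q_hash: int, q_sig: int) -> float:
    """Factor L such that a forger with success eps yields an RSA inverter with
    success about eps / L.  PSS: tight.  FDH: q_hash + q_sig in the original
    Bellare-Rogaway analysis, about e * q_sig with Coron's CRYPTO 2000 bound."""
    if scheme == "PSS":
        return 1.0
    if scheme == "FDH-1996":
        return float(q_hash + q_sig)
    if scheme == "FDH-Coron2000":
        return math.e * q_sig
    raise ValueError(scheme)

def equivalent_modulus(scheme: str, pss_bits: int = 1024,
                       q_hash: int = 2 ** 60, q_sig: int = 2 ** 30) -> int:
    """Modulus size at which `scheme` provably matches PSS with a `pss_bits`
    modulus: the RSA problem must be log2(L) bits harder to absorb the loss."""
    target = nfs_log2_work(pss_bits) + math.log2(reduction_loss(scheme, q_hash, q_sig))
    return min_modulus_bits(target)

if __name__ == "__main__":
    for s in ("PSS", "FDH-1996", "FDH-Coron2000"):
        print(f"{s:14s} needs a modulus of about {equivalent_modulus(s)} bits")
```

With these assumptions the 1996 bound puts FDH in the region of 3500 bits to match 1024-bit PSS, and Coron's bound brings it down to roughly 2100, which is the kind of change the post anticipates.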

------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Could NSA help vigilance?
Date: 07 Oct 2000 11:23:26 -0700

Just a random thought...

What if the NSA admitted that they didn't know how to break an
algorithm or system, and we *knew* it was true?

Would that *help* the state of cryptography, or hurt it?

In cryptography, the goal is to hide your information from an enemy
whose capabilities you do not know, whose resources you do not know,
whose mathematical knowledge you do not know, whose contacts in
government and industry you do not know.

The NSA provides a "tangible" enemy of just that sort.  A constant
reminder that such an enemy *does* exist.

If we *knew* that the NSA could not break something, how many people
would forget about all the agencies of foreign governments, all the
researchers in private corporations and universities, and figure that
it *must* be secure?

Could it be that by *not* admitting their limitations, the NSA helps
us to stay on our guard, always aware that we do not know the true
strength of an algorithm or system until it is broken, always looking
for better attacks and always remembering that the ultimate enemy *is*
out there?

Andru
-- 
Andru Luvisi, Programmer/Analyst

------------------------------


Reply-To: "William A. McKee" <[EMAIL PROTECTED]>
From: "William A. McKee" <[EMAIL PROTECTED]>
Subject: securely returning password info to a server from a client
Date: Sat, 07 Oct 2000 18:39:21 GMT

I want to have my Java applet ask the user for password information that
will be stored on a server for future password verification (using SRP).
What is a secure way of getting the information from the client to the
server?

TIA,
Will McKee.

--
William A. McKee
[EMAIL PROTECTED]
Asia Communications Quebec Inc.
http://www.cjkware.com

"We're starfleet: weirdness is part of the job." - Janeway




------------------------------

From: Stephan Eisvogel <[EMAIL PROTECTED]>
Subject: Re: Why wasn't MARS chosen as AES?
Date: Sat, 07 Oct 2000 20:37:07 +0200

Eric Smith wrote:
> Because Rijndael met the criteria better.  Read the report.

No. It is a better *tradeoff*.

If you are as paranoid about cipher security as I am maybe you should
use MARS or Twofish. I'm switching to MARS myself in a bit after many
years of IDEA because I really like Coppersmith's attitude of "likely
secure against attacks we don't even know yet". I'm waiting for some
more side-channel papers though, time invariance of a cipher is really
a plus in my view.

-- 
hawo bofh

------------------------------

From: "musashi_x" <m u s a s h i _ [EMAIL PROTECTED]>
Subject: Re: Block Cipher Question
Date: Sat, 7 Oct 2000 14:43:08 -0400

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

I see what you mean.  The two people would have to have a "standard"
CT manipulation, like the message writer *always* "shifts by 4"
whatever the first 7 characters of the output are.  That way the
recipient can simply translate it himself without contacting anyone.

<snip my old post>
> However it hinders cryptanalysis, you now have the situation
> whereby for each message you somehow have to transmit your changes
> to the output of the cipher for that message.
>
> This implies you have a secure method of exchanging this
> information, which - other than reducing the amount of text you
> have to transfer securely - is still the same problem you'll always
> have with symmetric (non public key) encryption systems.
>
> --
> +-------------------------------------------------------------------+
> | David A. Crick <[EMAIL PROTECTED]>  PGP: (OCT-2000 KEY) 0xE0F73D98 |
> | Damon Hill Tribute Site: http://www.geocities.com/MotorCity/4236/ |
> | M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
> +-------------------------------------------------------------------+



------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: NSA quote on AES
Date: 7 Oct 2000 18:46:49 GMT

In <[EMAIL PROTECTED]> Mok-Kong Shen <[EMAIL PROTECTED]> writes:

]Brian Gladman wrote:
]> 
]> The real art now is to build an actual implementation that is as strong as
]> algorithm itself and this is a very difficult undertaking where the 'closed
]> world' is still quite a way ahead of the 'open world'.  I am hence fairly
]> certain that the techniques that NSA use to implement Rijndael for
]> classified information protection will themselves remain classified.

]What do you mean by 'an implementation as strong as algorithm
]itself'? If programmed correctly, the implementations can
]differ, as far as the users are concerned, only in efficiency 
]and that could be compensated, if necessary, by more hardware
]in most cases, I suppose.

The myth of the algorithm. The algorithm is only a small small part of
the security. Key generation, key control, use,.... are much more
important. You run your vaunted algorithm on Windows or Unix, and there
the key is in plain sight in the swap space. You store your password in
your wallet. You run the crypto algorithm on almost any commercial
computer.... All of these make "breaking" the crypto child's play. The
reputed "strength" of the algorithm is irrelevant.


------------------------------

From: Mykhailo Lyubich <[EMAIL PROTECTED]>
Subject: The talk of R. Morris
Date: Sat, 07 Oct 2000 20:47:46 +0200
Reply-To: [EMAIL PROTECTED]

Hi,

Does somebody know where I can obtain a transcript of
R. Morris's talk at the Cambridge Protocol Workshop in 1994?

I found the reference to this talk in Ross Anderson, Markus Kuhn
"Tamper Resistance - a Cautionary Note"
http://www.cl.cam.ac.uk/users/rja14/tamper.html
and in Bruce Schneier "Applied Cryptography", second edition on page
214.

Thank you in advance

--
Mykhailo Lyubich



------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp
Subject: Re: How to use PGP2.6.2??
Date: Sat, 07 Oct 2000 18:46:20 GMT

=====BEGIN PGP SIGNED MESSAGE=====

Greetings,

On 7 Oct 2000 17:32:35 -0000, in alt.security.pgp [EMAIL PROTECTED] (Rich
Wales) wrote:

>Imad R. Faiad wrote (in alt.security.pgp):
>
>    > I would not recommend generating an RSA key with any PGP
>    > 2.6.x . . . because most if not all PGP 2.6.x are compiled
>    > with the Blum flag set.  What this does is let the program
>    > look for primes congruent to 3 modulo 4.  This shaves about
>    > 2 bits from the domain of the key.
>
>I can indeed confirm that the 2.6.3ia source code does use Blum primes.
>
>I'm not sure I see this as a big issue with a 2K-bit RSA key, however.
>And if 4K-bit RSA keys manage to come into wider use, I don't see it as
>an issue at all.
>

I agree with you, shaving 2 bits from the key does not make that much
of a difference for RSA keys 2048 bits and above.
However, since we are discussing in relative terms, one may say that
two random primes chosen so as to yield a modulus which is a Blum integer
in the context of RSA key generation are inferior to two random primes
period.
>As for whether or not it makes any sense to use Blum primes for RSA (as
>opposed to random primes), I'm crossposting to sci.crypt as well as to
>alt.security.pgp.
>
>    > Also, the quality of the primes generated in later versions
>    > of PGP is much better in my view.
>

>Could you provide us some more details regarding why you believe this?
>

The RNG in later versions of PGP is much much improved.
From the collection of entropy to the actual random bit generation.
Look at the source code.  Hence, one may argue that two random primes
chosen by the PGPSDK RNG are more random than those generated in PGP
2.6.x.

>FWIW, the 2.6.3ia source code explicitly doesn't try to select "strong"
>primes.  A comment in the code claims that there is no valid reason to
>worry about using strong primes.  Is this advice outdated?
>

No, it is still current.  As it rightly says in the source code:
**QUOTE**
 *"Strong" primes are no longer advantageous, due to the new
 * elliptical curve method of factoring.
**ENDQUOTE**
>Rich Wales         [EMAIL PROTECTED]         http://www.webcom.com/richw/
>PGP 2.6+ key generated 2000-08-26; all previous encryption keys REVOKED.
>RSA, 2048 bits, ID 0xFDF8FC65, print 2A67F410 0C740867 3EF13F41 528512FA

Best Regards

Imad R. Faiad



Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Why wasn't MARS chosen as AES?
Date: Sat, 07 Oct 2000 18:52:46 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (UBCHI2) wrote:
> Why wasn't MARS chosen as AES?
>

It's big, slow and cumbersome in hardware and embedded platforms.  Not
only that, it's a dumb "new" structure.  I would rather use Rijndael
since it's based on a previously analyzed structure.

Tom



------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: NSA quote on AES
Date: 07 Oct 2000 19:36:36 GMT

>In <[EMAIL PROTECTED]> Mok-Kong Shen <[EMAIL PROTECTED]>
>writes:
>
>]Brian Gladman wrote:
>]> 
>]> The real art now is to build an actual implementation that is as strong as
>]> algorithm itself and this is a very difficult undertaking where the 'closed
>]> world' is still quite a way ahead of the 'open world'.  I am hence fairly
>]> certain that the techniques that NSA use to implement Rijndael for
>]> classified information protection will themselves remain classified.
>
>]What do you mean by 'an implementation as strong as algorithm
>]itself'? If programmed correctly, the implementations can
>]differ, as far as the users are concerned, only in efficiency
>]and that could be compensated, if necessary, by more hardware
>]in most cases, I suppose.
>
>The myth of the algorithm. The algorithm is only a small small part of
>the security. Key generation, key control, use,.... are much more
>important. You run your vaunted algorithm on Windows or Unix, and there
>the key is in plain sight in the swap space. You store your password in
>your wallet. You run the crypto algorithm on almost any commercial
>computer.... All of these make "breaking" the crypto child's play. The
>reputed "strength" of the algorithm is irrelevant.
>

I have to agree.  Almost every example of cryptanalysis used in
real-world situations has been because someone did something
wrong.  Even in those where the cipher is 'weak', the break came because
someone did something that wasn't according to 'regulations'.

The 'enigma' is one example.  There was a lot of cryptanalysis involved.
But the ultimate breaking was because the German signals officers weren't
doing everything 'by the book'.


Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Why wasn't MARS chosen as AES?
Date: Sat, 07 Oct 2000 19:41:08 GMT

In article <[EMAIL PROTECTED]>,
  Stephan Eisvogel <[EMAIL PROTECTED]> wrote:
> Eric Smith wrote:
> > Because Rijndael met the criteria better.  Read the report.
>
> No. It is a better *tradeoff*.
>
> If you are as paranoid about cipher security as I am maybe you should
> use MARS or Twofish. I'm switching to MARS myself in a bit after many
> years of IDEA because I really like Coppersmith's attitude of "likely
> secure against attacks we don't even know yet". I'm waiting for some
> more side-channel papers though, time invariance of a cipher is really
> a plus in my view.

So you pick the cipher with the least studied structure.  Smart move.

Tom



------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Sat, 07 Oct 2000 12:50:05 -0700


Justin wrote:

> Now assume, for a second, that none of that was sarcastic.  You think the
> NSA found a way to crack rijndael that three years of independent public
> analysis didn't reveal?  Even better, you think this attack applies only
> to rijndael?  Are you this dumb all the time or only on usenet?

        Actually, I really don't care one way or the other. I don't have any
secrets from the NSA.

        I'm 1000% confident that even if the NSA could break Rijndael, they
would never let that information leak. So even if they broke every
message I ever encrypted, I'm really not sure what they could do with it
that would affect me in any way.

        I really don't think the NSA has any interest in intercepting my credit
card numbers either. I'm sure the NSA can get that information with no
difficulty anyway.

        However, I think it's pretty clear that the NSA carefully crafts their
public statements. I would assume that they are intended to mean
precisely what they say.

        DS

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
