Cryptography-Digest Digest #382, Volume #13 Fri, 22 Dec 00 14:13:01 EST
Contents:
Re: Diffie-Hellman Matrix Idea To Break (David A Molnar)
Re: Steganography using text as carrier (Andre van Straaten)
Re: does CA need the proof of acceptance of key binding ? (Timothy M. Metzinger)
Re: do we know that PIN? (David Dylan)
Re: All irreducible polys of degree 32 over GF(2) (John Myre)
Re: Visual Basic Source Code ("Jason Bock")
Re: Steganography using text as carrier ([EMAIL PROTECTED])
Re: WinGPG 1.0 - A free, compact, non-ADK Windows alternative to PGP ("Ed Suominen")
Re: Algorithm for check SAC complience (Simon Johnson)
Re: Why primes? (Sundial Services)
----------------------------------------------------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Diffie-Hellman Matrix Idea To Break
Date: 22 Dec 2000 10:48:48 GMT
David Wagner <[EMAIL PROTECTED]> wrote:
> What motivation would there be for considering this matrix-based formulation
> as opposed to the usual Diffie-Hellman protocol?
It doesn't matter for vanilla DH, but matrices don't commute.
That might be useful for building some other protocol based on DH,
although I can't think of what that might be.
-David
------------------------------
From: Andre van Straaten <[EMAIL PROTECTED]>
Subject: Re: Steganography using text as carrier
Date: 22 Dec 2000 05:07:05 -0600
Richard Heathfield <[EMAIL PROTECTED]> wrote:
> Andre van Straaten wrote:
>>
> <snip>
>>
>> You cannot disguise an elephant as a mouse.
> Have you never watched "Tom and Jerry"? There was one episode where -
> well, you can guess the rest.
Well, having small children, I actually remember. But now this idea is
quite useless, as you told it to everybody here. ;-)
> --
> Richard Heathfield
> "Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
> C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
> K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html
-- avs
Andre van Straaten
http://www.vanstraatensoft.com
The signs and the omens are everywhere
But too few see them - too few even care
(Lee Clayton - singer/songwriter, 1979)
------------------------------
From: [EMAIL PROTECTED] (Timothy M. Metzinger)
Date: 22 Dec 2000 11:18:18 GMT
Subject: Re: does CA need the proof of acceptance of key binding ?
In article <91s62s$fc3$[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
> How does the CA verify that the subscriber is the one referred to in the proof of
> identity binding? I think face-to-face authentication with biometric
> methods is most suitable and secure.
That is the function of the RA (Registration authority), a person trusted by
the CA to verify identity. The RA verifies identity and submits the
certificate request to the CA, and signs it.
The CA relies on the RA for proof of the subscriber's identity.
Timothy Metzinger
Commercial Pilot - ASMEL - IA AOPA Project Pilot Mentor
'98 M20J - N1067W
Pipers, Cessnas, Tampicos, Tobagos, and Trinidads at FDK
------------------------------
From: [EMAIL PROTECTED] (David Dylan)
Crossposted-To:
alt.cracks.nl,alt.nl.telebankieren,nl.comp.crypt,nl.financieel.bankieren,nl.juridisch
Subject: Re: do we know that PIN?
Date: Fri, 22 Dec 2000 11:42:30 GMT
On Thu, 21 Dec 2000 10:32:44 +0100, "Erwin Graumans" <me@home> wrote:
> Payment terminals at retailers are indeed connected via ISDN or an ordinary
> analogue PTT line. And even DN1 still occurs. ATMs and
> ChipKnip loading machines are connected via leased lines.
Squatters these days often still tap electricity from lampposts... so it is
just a matter of waiting until they set up an ISP via the Chipper pole... ;->
--
Have a look at my community sites:
http://www.grep.nu/beleggers
http://www.grep.nu/muziek
Or at my personal site:
http://www.xs4all.nl/~nobeard
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: All irreducible polys of degree 32 over GF(2)
Date: Fri, 22 Dec 2000 09:05:43 -0700
David Wagner wrote:
>
> Question:
> Is there a distribution on N-bit vectors of weight <= k
> (for some fixed constant k) so that, with high probability,
> O(N) randomly chosen vectors suffice to span the space?
Intuitively, I don't see how that could be possible. For
fixed k, we can make N/k as large as we like, and it seems
to me that Bryan's analysis ought to apply. At least, for
the theoretical problem.
JM
------------------------------
From: "Jason Bock" <[EMAIL PROTECTED]>
Subject: Re: Visual Basic Source Code
Date: Fri, 22 Dec 2000 10:16:27 -0600
Paul Schlyter <[EMAIL PROTECTED]> wrote in message
news:91v4i9$5r6$[EMAIL PROTECTED]...
> In article <3a422ff0$0$36805$[EMAIL PROTECTED]>,
> Jason Bock <[EMAIL PROTECTED]> wrote:
> > I'm not a cowboy programmer who relishes in hacks and quick fixes. I
> > try to create quality code. But I have no control over a project
> > years after I left it (which, given the state of current business
> > systems, means it's dead or completely reworked anyway :( ).
>
> From what you wrote above it appears you have no control over the
> project even minutes after you left....
Well, if a customer wants me to work after the agreed-upon deadline is done,
that's fine. But when the contract is complete, that's it. I personally
don't see a problem with this.
> I have heard about the opposite problem though: a customer wanting to
> modify some piece of code already developed, and who would prefer
> that the original developer did that modification, however he's no
> longer available because he's quit, moved abroad, or something like
> that.
That's the way things go sometimes. Even if you hired a bunch of
programmers to work on your systems, chances are half of them will be gone
anyway within two years. The average lifetime at a job is very short these
days.
> >>> Well, I wouldn't do this. As I stated, things change too much. I
> >>> really don't program much in VB anymore, simply because I don't
> >>> see a lot of future with it in MS's .NET world (I personally use C#).
> >>
> >> C# is another non-standard language invented by Microsoft.
> >
> > I won't argue this. MS will (has?) submit this to ECMA. I can
> > already hear the howls of derision from someone that they won't,
>
> Well I'm not one of those. In a few years we'll see if it's made it
> into an ISO standard language or not...
>
> > it's all smoke-n-mirrors, it's a Java-copy (which, to me, Java is a
> > C++ mutation).
>
> Not quite: Java has no pointers for instance. Pointers are VERY
> central to both C and C++. C++ is a C mutation, but Java is a much
> more different language. Also in Java arrays are "first-class
> citizens" but not so in C and C++, where they are implicitly
> converted to pointers quite often. Yes, Java's syntax is quite
> similar to the syntax of C and C++, but its semantics is quite
> different. Actually the run-time semantics of Java reminds me quite
> a lot of the run-time semantics of UCSD Pascal some 20 years ago...
I know all of this - I programmed in Java for over a year ;). Yes, Java is
not exactly like C++. It's quite different in some areas, and very similar
in others. That's why I used the word mutation.
> > My point is that, you can claim that C# is a non-standard language.
>
> It's not merely a claim -- it's a fact.
Right now, yes, it isn't standard. But the "rumors" abound that it will be,
eventually. Those who know MS or are just skeptical by nature wonder if
this will go through, but so far it does.
> There is no document authored
> by a standards body which describe the C# language. This fact may of
> course change in the future, but right now C# is non-standard. If
> you want to dispute this fact, please provide the document number
> and the name of the standardisation body of the C# language.
You asked:
<http://msdn.microsoft.com/voices/deepc11272000.asp>
See the "Standards News" section.
> BTW Java too is a non-standard language. The standardisation process
> of Java was actually started about a year ago, but was stopped by
> Sun, who apparently wanted to "own" the Java language some more
> before releasing it to be standardised.
Yep - old news.
> > If MS doesn't submit to ECMA or some other standards body, then
> > it won't be. But if it is, what do you say then?
>
> There are many "but if it is..." games one can play. If C# receives
> an official standard, it will of course be a standard language - but
> we're not there today. Also, if C# becomes a standard language, then
> MS will lose much of its control over it, and it remains to be seen
> whether MS will allow this to happen. Sun didn't want it to happen
> to Java...
And yet, Java is still held as the "open, portable language" by many.
grrrrr....
> >> Which probably highlights another difference between you and me: you
> >> seem to want to follow what Microsoft says, while I'm not too eager
> >> to do that.
> >
> > <snicker/> Yes, all hail MS, the Evil Empire, blah, blah, blah.
> >
> > My focus is primarily MS/Windows systems. I'm also willing to move to
> > another tool/OS if need be. Just because one uses MS tools does not mean
> > they hear the word Linux or Java with a complete blank look on their face.
>
> There's a non-MS world outside Linux and outside Java too......
Really? You think?
Jesus, look, there are many different OSes, there are many different
languages. I use ~one~ reference - don't jump down my throat and assume
that's all I know.
> >>>> "If house built hoses the way programmers build software systems,
> >>>> the next woodpecker which came along would destroy civilisation...."
> >>>
> >>> If house build hoses? Eh??
> >>
> >> Sorry, a typo. Should be:
> >>
> >> "If house-builders built hoses the way programmers build software
> >> systems, the next woodpecker which came along would destroy
> >> civilisation...."
> >
> > "house-builders built hoses"? I think you mean, "house-builder built
> > houses."
>
> Ok, Mr Nit-Pick, one point to you. Aren't you happy?
Well, I'm happy, but not because I find your spelling mistakes.
> >>> But I don't really see what this all has to do with VB being or not
> >>> being a "real programming language." I think it is, just as I
> >>> think Eiffel, Perl, C#, Java, COBOL, Ruby, C, etc., etc., etc., are
> >>> all real programming languages.
> >>
> >> I guess we have different definitions of a "real programming language".
> >
> > So, to you, a "real programming language" is one that allows you to create
> > an OS - i.e. it lets you do whatever you want. So what do you define the
> > rest of them? "Imaginary"? "Non-real"?
>
> They are application languages, since they only let you deal with some
> abstract model of the computer, not the real computer. Of course this
> is good in many cases, but it's not what a "real programmer" is dreaming
> of doing.
Well, we're not going to agree on this. I'm a real programmer; you don't
think so. We'll never meet eye-to-eye on this. Period.
> >> What language do you think you would choose under these circumstances?
> >
> > I'd pick the language depending on what was needed to get the job done ;).
>
> Which means if your job was to write a book of algorithms, you would
> describe them in algol-like pseudo-code, but if your job was to
> actually produce a working program, you'd use FORTRAN. Right?
Interpret that as you choose ;).
Jason
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Steganography using text as carrier
Date: Fri, 22 Dec 2000 17:34:13 GMT
In article <[EMAIL PROTECTED]>,
Andre van Straaten <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > In article <[EMAIL PROTECTED]>,
> > Andre van Straaten <[EMAIL PROTECTED]> wrote:
> >> Steganography is to hide your plain- or ciphertext at all. It's like
> >> camouflage. It's like crossing a border illegally. Being seen means
> >> the end of the game.
> >> The problem here is, how distrustfully is the adversary to distinguish
> >> the hidden object from the environment.
> >> A company which transmits a lot of information can easier add some
> >> hidden information than a private person which starts suddenly
> >> interchanging large texts of Shakespeare or other stuff which makes
> >> no sense.
>
> > I don't see an advantage over an OTP. You transpose the ASCII characters
> in a constant way into a proprietary number scheme and generate finally
> an MPI string out of an operation of two texts.
> Security is given only by applying an operation between a unique plaintext
> and a unique key text.
>
> I suggest you give a short example with your translation of characters
> and your operation which applies.
assume the following carrier text:
<received your e-mail, will respond soon>
assume the following message text:
<delete and wipe everything in your z folder immediately!>
the algorithm would first transform the two messages into ascii three
digit strings:
carrier text:
114101099101105118101100032121111117114032101045109097105108044032119105
108108032114101115112111110100032115111111110
message text:
100101108101116101032097110100032119105112101032101118101114121104105110
103032105110032121111117114032122032102111108100101114032105109109101100
105097116101108121033
the algorithm now compares the strings of the two texts, sees that the
carrier text is shorter, and adds the 032 representation for empty
space to make the two texts of equal length:
114101099101105118101100032121111117114032101045109097105108044032119105
108108032114101115112111110100032115111111110032032032032032032032032032
032032032032032032032
it would then compute the offset, and represent it as a MPI.
This example is with the intent of hiding the MPI within the carrier
e-mail text.
If this were done for cryptography, then the carrier would have to be
longer than the message text, or an attacker could find the end of the
plaintext by just having the MPI and assuming a repeating sequence of
032 for the end of the carrier.
But, if the carrier were an agreed upon random text that the recipient
already knows, there would be no way for an attacker to reconstruct the
message from just knowing the MPI.
The advantage of this form of cryptography is that it is not dependent
on any keys or vulnerable to any new mathematical breakthroughs.
The disadvantage is that it is not a public key system, and requires
the initial secure agreement on a starting carrier text. Once this is
done, the carrier texts can be changed each time as instructed within
the previous message.
> I doubt that you can hide a text within a large amount of empty space,
> because you apply always the operation with the same empty space
> character.
> An OTP uses generally the ASCII character set with the XOR operation.
>
> This book is mainly about steganography, and it generates messages in
> that way that it breaks up sentences in its grammatical parts and
> constructs new sentences depending on the plaintext input like:
> Bob drives to Washington, D.C.
> Alice is driving to New York.
> Carol arrives tomorrow in New York.
>
> I don't see a way to hide a message within a text message by adding
> or changing some bits in a byte as it is done with graphic files.
> If you change only one bit in an ASCII file you have another character,
> i.e. a typo.
> You could use another set of characters with a wider range of possible
> characters, instead of 256 you could 64 kB. But this representation
> doesn't fit in any ASCII or HTML application.
There are many possible ways to unobtrusively hide/mark things in
carrier text.
i would prefer to see what has been done or tried already before
proposing something new,
but offhand, it is possible to send a message in html, with values
assigned to font sizes, font types, and background stationery, that a
short enough string could be denoted by the unique combination of those
factors with values assigned to them,
{e.g. Italicized subject word, appropriate underlining, larger font
for heading, specific font type and size chosen for body of text, color
of font [navy, black, blue, or unobtrusive choices entirely plausible
as a personalization of one's e-mail stationery]}
*without* changing the text body or sequence of text or syntax at all.
> You cannot disguise an elephant as a mouse.
this would be more like disguising hidden meaning in the running
pattern the mouse is using
> That's why steganography is in most cases with large binary files.
>
and why it would most benefit from a new creative approach
have not formulated this scheme concretely yet, but seems intuitively
possible.
suggestions/criticisms welcome
vedaal
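
The carrier/offset scheme from the post above, as an added example that is not the poster's code, run on the post's own two texts. It assumes that "offset" means the integer difference between the two three-digit ASCII strings and that the padded length is sent along with it; all function names are hypothetical. `leak_tail` shows the weakness the post itself mentions for a carrier shorter than the message.

```python
# Added illustration of the scheme in the post above; not the poster's code.
# Assumptions: "offset" is the integer difference of the two three-digit
# ASCII strings, and the padded length travels with it. Names are hypothetical.

CARRIER = "received your e-mail, will respond soon"
MESSAGE = "delete and wipe everything in your z folder immediately!"


def to_digits(text):
    """Encode each character as its three-digit decimal ASCII code."""
    return "".join(f"{ord(ch):03d}" for ch in text)


def from_digits(digits):
    """Decode a string of three-digit decimal ASCII codes."""
    return "".join(chr(int(digits[i:i + 3])) for i in range(0, len(digits), 3))


def make_offset(message, carrier):
    """Space-pad (032) both texts to equal length; return (offset, width)."""
    width = max(len(message), len(carrier))
    m = int(to_digits(message.ljust(width)))
    c = int(to_digits(carrier.ljust(width)))
    return m - c, width


def recover(offset, carrier, width):
    """Recipient side: add the offset back onto the padded carrier."""
    m = offset + int(to_digits(carrier.ljust(width)))
    return from_digits(str(m).zfill(3 * width)).rstrip()


def leak_tail(offset, pad_chars):
    """Read the message tail from the offset alone, guessing that the carrier
    ends in pad_chars spaces. Carries in message = offset + carrier only move
    toward the high digits, so the low digits need only the carrier's tail."""
    if pad_chars <= 0:
        return ""
    modulus = 10 ** (3 * pad_chars)
    low = (offset + int("032" * pad_chars)) % modulus
    return from_digits(str(low).zfill(3 * pad_chars))


if __name__ == "__main__":
    offset, width = make_offset(MESSAGE, CARRIER)
    print("offset (MPI):", offset)
    print("recipient   :", recover(offset, CARRIER, width))
    print("no carrier  :", repr(leak_tail(offset, width - len(CARRIER))))
```
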
------------------------------
From: "Ed Suominen" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: WinGPG 1.0 - A free, compact, non-ADK Windows alternative to PGP
Date: Fri, 22 Dec 2000 11:19:06 -0700
My apologies for posting incorrect URLs to WinGPG. The correct ones are:
Installation file: ftp://eepatents.com/clients/wingpg-v1-00.exe
ZIP archive for browsing individual files:
ftp://eepatents.com/clients/wingpg-v1-00.zip
I would appreciate any comments (positive and negative alike) from those who
find the installation package (and the enclosed user's guide and passphrase
selection worksheet) useful. Please copy Timo Schulz, the author of WinPT,
at mailto:[EMAIL PROTECTED].
Ed Suominen
Registered Patent Agent
Web Site: http://eepatents.com
PGP Public Key: http://eepatents.com/key
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Algorithm for check SAC complience
Date: Fri, 22 Dec 2000 18:11:59 GMT
In article <91uc5d$85h$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <91tuqj$t7h$[EMAIL PROTECTED]>,
> Simon Johnson <[EMAIL PROTECTED]> wrote:
> > The topic basically states the question?
> >
> > In websites i should visit?
>
> Well checking for SAC is normally done with a simple monte carlo test
> flipping input bits and checking the result.
>
> For example, for an n-bit block cipher you should construct an n by n
> matrix where each row represents flipping a different input bit and
> each column the change in the output bit.
>
> If you add a '1' when it changes and a '-1' when it remains the same
> you can perform the test easily. After N tests (N == BIG) the quotient
> (i.e. element of the matrix over N) should approach zero. If not, there
> is a problem.
>
> Tom
This sounds like it'll work.....
Only, it sounds very computationally intensive. Does your s-box
generator use this method? It seems quite fast, you see :)
Simon.
--
Hi, I'm the signature virus,
help me spread by copying me into your Signature File
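
The Monte Carlo SAC test described in the quoted text above, as an added example that is not code from either poster. The 8-bit S-box (a seeded random permutation) and the rotate-and-XOR function are constructed test inputs, and all names are hypothetical; the cost is trials x n x (n + 1) evaluations of the function under test.

```python
import random


def sac_matrix(func, n_bits, trials, rng):
    """Monte Carlo SAC test. Row i = input bit flipped, column j = output bit.
    Each trial adds +1 if output bit j changed and -1 if it stayed the same;
    the returned entries are those sums divided by the number of trials."""
    sums = [[0] * n_bits for _ in range(n_bits)]
    for _ in range(trials):
        x = rng.getrandbits(n_bits)
        y = func(x)
        for i in range(n_bits):
            diff = y ^ func(x ^ (1 << i))
            for j in range(n_bits):
                sums[i][j] += 1 if (diff >> j) & 1 else -1
    return [[s / trials for s in row] for row in sums]


def worst_bias(matrix):
    """Largest absolute quotient; near 0 is good, 1.0 means no avalanche."""
    return max(abs(q) for row in matrix for q in row)


# Constructed inputs: a seeded random 8-bit permutation as the "good" case...
SBOX = list(range(256))
random.Random(2000).shuffle(SBOX)


def random_sbox(x):
    return SBOX[x]


# ...and a linear function where each input bit moves exactly one output bit.
def rotate_xor(x):
    return (((x << 3) | (x >> 5)) & 0xFF) ^ 0xA5


def run_demo(trials=2000):
    """Return (worst bias of random_sbox, worst bias of rotate_xor)."""
    rng = random.Random(1)
    good = worst_bias(sac_matrix(random_sbox, 8, trials, rng))
    weak = worst_bias(sac_matrix(rotate_xor, 8, trials, rng))
    return good, weak


if __name__ == "__main__":
    good, weak = run_demo()
    print(f"random S-box worst |quotient|: {good:.3f}")
    print(f"rotate+XOR   worst |quotient|: {weak:.3f}")
```
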
------------------------------
Date: Fri, 22 Dec 2000 11:56:55 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Why primes?
Jorgen Hedlund wrote:
>
> [The irritating little gnome is
> back with new silly questions. :)]
>
> I've understood it that in public/private
> key ciphering one uses quite big prime numbers.
Never mind the fact that they are "big," the essential quality is that
they are "prime." (Being "big" only makes the problem harder, which of
course is important too.)
Let's use simple math: "what's the difference between multiplying a
number by 7 vs. multiplying it by 8?" The answer is that multiplication
by "8" can be accomplished by first multiplying by 4, then again by 2.
Because "2 x 4 = 8." And, "4 x 2 = 8." That's three possible
multiplications {(1) multiply by 8; (2) multiply by 4, then by 8; (3)
multiply by 8, then by 4.} that would do the same job. Since one is
just as good as any of the others, the problem is only 1/3 as hard.
"Multiplication by 7" is three times as hard because -only- "7" will do.
Why? Because 7 is prime.
Many problems boil down to "how can I break this problem down into
smaller, simpler parts?" The number 8, being non-prime, can be broken
down into 4 and 2, or 2 and 4. The number 7, being prime, cannot.
A problem involving a small prime number, 7, is trivial. A problem
involving a large prime number, consisting of hundreds of digits,
=supposedly= is not...
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************