Cryptography-Digest Digest #390, Volume #13 Tue, 26 Dec 00 07:13:00 EST
Contents:
Re: MD5 and hash127 questions (Simon Johnson)
Re: Merry Christmas (Bruce Schneier)
Re: Merry Christmas (Quisquater)
Can anyone cryptanalize this? (John)
Re: Can anyone cryptanalize this? ("Tom ST Denis")
Re: Can anyone cryptanalize this? (John Stanford)
Re: Can anyone cryptanalize this? ("Tom ST Denis")
Re: Merry Christmas (Rich W.)
Re: Can anyone cryptanalize this? (Bob Silverman)
PRNG ("Cristiano")
Re: Merry Christmas ("Matt Timmermans")
Re: MD5 and hash127 questions ([EMAIL PROTECTED])
Re: MD5 and hash127 questions ("Schlafly")
Re: All irreducible polys of degree 32 over GF(2) (Bryan Olson)
Re: Foolproof Quantum Cryptography (John Savard)
Re: All irreducible polys of degree 32 over GF(2) (Benjamin Goldberg)
Re: Foolproof Quantum Cryptography (PB)
----------------------------------------------------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: MD5 and hash127 questions
Date: Mon, 25 Dec 2000 19:17:30 GMT
In article <927ecn$he4$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Hi, I have two questions: 1 Mr.Bruce Schneier's "Secrets and Lies"
book, page
> 94, 5 lines from the bottom: " ...MD5 is showing some cracks and is
not used
> for anythong new." Is this true? What kind of cracks? What about
TCP/IP syn
> cookies - they are almost new and they use MD5.
>
> 2. Some oppinions about Mr. D.JBernstein's hash127 and sigs packages.
Can I
> make ASCII armored ciphertext with them?
>
> Best Regards,
> S.I.Jekov
>
> Sent via Deja.com
> http://www.deja.com/
>
MD5 is secure as far as i'm aware. As for Hash127, i have no idea :)
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Bruce Schneier <[EMAIL PROTECTED]>
Subject: Re: Merry Christmas
Date: Mon, 25 Dec 2000 15:10:13 -0600
Have a happy 1200th anniversary of the coronation of Charlemagne.
Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc. Tel: 408-556-2401
3031 Tisch Way, Suite 100PE, San Jose, CA 95128 Fax: 408-556-0889
Free crypto newsletter. See: http://www.counterpane.com
------------------------------
From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: Merry Christmas
Date: Mon, 25 Dec 2000 23:25:44 +0100
Bruce Schneier wrote:
>
> Have a happy 1200th anniversary of the coronation of Charlemagne.
See
http://www.alignmentsonline.com/AOcharts/Timeline/Charlemagne.html
(yes, it is the 1200th anniversary but not exactly for 1200 years
taken into account the Gregorian Reform,
see http://serendipity.magnet.ch/hermetic/cal_stud/cal_art.htm)
In some way it is also the 358th anniversary of the birth of Newton but see
http://www-groups.dcs.st-and.ac.uk/~history/Mathematicians/Newton.html
for the correct story.
(I don't know of any similar timeline for cryptographers).
Charlemagne used cryptography (see http://www.bartelby.com/65/cr/cryptogr.html).
Do you know more? (easy answer).
------------------------------
From: John <[EMAIL PROTECTED]>
Subject: Can anyone cryptanalize this?
Date: Mon, 25 Dec 2000 22:10:05 GMT
Hey, I made a cipher and I think it is pretty secure. Here is a sample
of it. It uses an improved letter substitution algorithm.
Plaintext:
Alpha Bravo Charlie Delta Echo RRRR
Ciphertext:
XS VT 2W QW AB MX 5F Q3 BI VT D4 MP Q3 VT VT KN MZ XS R7 XS R7 C9 5F
Q3 XS MP QW SD XS TH
SZ GR TH QW F1 XS XS Q3 SZ YH VT WD 5F MR BI T5 XS R7 EC XS EC T5 T5
XS VT T5 SZ AB AB AB AB
If you can't decipher it from what you have here, email me at
[EMAIL PROTECTED] or reply to this message with plaintext and I will
send you the ciphertext that goes with it. Thanks in advance.
(Hint: Different letters are substituted for capital and lowercase
letters.)
------------------------------
From: "Tom ST Denis" <[EMAIL PROTECTED]>
Subject: Re: Can anyone cryptanalize this?
Date: Mon, 25 Dec 2000 22:18:16 GMT
"John" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hey, I made a cipher and I think it is pretty secure. Here is a sample
> of it. It uses an improved letter substitution algorithm.
Send the algorithm.
Tom
------------------------------
From: John Stanford <[EMAIL PROTECTED]>
Subject: Re: Can anyone cryptanalize this?
Date: Mon, 25 Dec 2000 22:19:00 GMT
I can't send the algorithm yet. I want some people to try it first.
Tom ST Denis wrote:
> "John" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hey, I made a cipher and I think it is pretty secure. Here is a sample
> > of it. It uses an improved letter substitution algorithm.
>
> Send the algorithm.
>
> Tom
------------------------------
From: "Tom ST Denis" <[EMAIL PROTECTED]>
Subject: Re: Can anyone cryptanalize this?
Date: Mon, 25 Dec 2000 22:48:56 GMT
"John Stanford" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I can't send the algorithm yet. I want some people to try it first.
Why can't you send the algorithm?
Tom
------------------------------
From: Rich W. <[EMAIL PROTECTED]>
Subject: Re: Merry Christmas
Date: Mon, 25 Dec 2000 18:12:33 -0500
The voices in my head tell me that
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> Bruce Schneier wrote:
> >
> > Have a happy 1200th anniversary of the coronation of Charlemagne.
>
> See
>
> http://www.alignmentsonline.com/AOcharts/Timeline/Charlemagne.html
>
> (yes, it is the 1200th anniversary but not exactly for 1200 years
> taken into account the Gregorian Reform,
> see http://serendipity.magnet.ch/hermetic/cal_stud/cal_art.htm)
Quisquater, yer killin me! :-)
Happy Holidays to you as well Bruce, and thank you for all of your
fine work in all areas of security, and for the strong ciphers you
have given to the world.
Rich...
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Can anyone cryptanalize this?
Date: Tue, 26 Dec 2000 01:05:52 GMT
In article <[EMAIL PROTECTED]>,
John <[EMAIL PROTECTED]> wrote:
> Hey, I made a cipher and I think it is pretty secure. Here is a
sample
> of it. It uses an improved letter substitution algorithm.
Then it is easily broken.
>
> Plaintext:
> Alpha Bravo Charlie Delta Echo RRRR
>
> Ciphertext:
> XS VT 2W QW AB MX 5F Q3 BI VT D4 MP Q3 VT VT KN MZ XS R7 XS R7 C9
5F
> Q3 XS MP QW SD XS TH
> SZ GR TH QW F1 XS XS Q3 SZ YH VT WD 5F MR BI T5 XS R7 EC XS EC T5
T5
> XS VT T5 SZ AB AB AB AB
>
> If you can't decipher it from what you have here,
I will be happy to break this for you. My professional fees
are $400/hr.
I can't imagine why anyone who is not being paid would waste their
time. Especially since you do not give the algorithm.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com
http://www.deja.com/
------------------------------
From: "Cristiano" <[EMAIL PROTECTED]>
Subject: PRNG
Date: Tue, 26 Dec 2000 03:46:31 +0100
I have disposition two prng that have one state constituted from many bits
(MT19937 and TT800).
I want to avoid of initialize them using another prng in turn initialized
with a number more or less casual. Instead, I would like to use a fairly
unpredictable generator.
I to such purpose have conceived the following prng (for Windows9x):
#define ROL(value,bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
static int QVC_ROL=12;
ULONG QVC(void)
{
LARGE_INTEGER c; static ULONG b=GetTickCount();
ULONG R=0,k=0,nc; int flg=0,C;
TRANSI:
C=0; QueryPerformanceCounter(&c); LARGE_INTEGER cc;
nc=(3141592621UL*ULONG(c.QuadPart))^ROL(b,QVC_ROL);
b=nc; const int d=nc>>27;
do QueryPerformanceCounter(&cc); while(cc.QuadPart-c.QuadPart<d);
do {
if(flg) { R<<=1; R+=nc&1; k++; flg=0; } else if(nc&1) flg=1;
nc>>=1; if(++C==32) goto TRANSI;
} while(k<32);
return R;
}
QueryPerformanceCounter is a high resolution timer (it increment the counter
more than a million of unit in a second) and store in c.QuadPart the 64 bits
counter.
It generate numbers to 32 bits evenly distributed (at least as it seem) and
pass all the statistical tests.
Does anybody have a suggestion or a better idea?
Thanks
Cristiano
------------------------------
From: "Matt Timmermans" <[EMAIL PROTECTED]>
Subject: Re: Merry Christmas
Date: Tue, 26 Dec 2000 04:03:59 GMT
"Bruce Schneier" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Have a happy 1200th anniversary of the coronation of Charlemagne.
Shush. It's Christmas.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: MD5 and hash127 questions
Date: Tue, 26 Dec 2000 04:14:28 GMT
In article <927ecn$he4$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Hi, I have two questions: 1 Mr.Bruce Schneier's "Secrets and Lies"
book, page
> 94, 5 lines from the bottom: " ...MD5 is showing some cracks and is
not used
> for anythong new." Is this true? What kind of cracks? What about
TCP/IP syn
> cookies - they are almost new and they use MD5.
there is a collison in the MD5 as proven by Hans Dobbertin in the
paper entitled *"Cryptanalysis of MD5 Compress"(1996). I extract this
paragraph from
the paper :
"we give acollision of the compress function of MD5.
We think that this might be reason enough to substitute MD5 in future
applications."
*http://www-cse.ucsd.edu/users/bsy/dobbertin.ps
W.S.Chong
[EMAIL PROTECTED]
Sent via Deja.com
http://www.deja.com/
------------------------------
From: "Schlafly" <[EMAIL PROTECTED]>
Subject: Re: MD5 and hash127 questions
Date: Mon, 25 Dec 2000 23:20:38 -0600
<[EMAIL PROTECTED]> wrote in message news:9295v2$lhi$[EMAIL PROTECTED]...
> there is a collison in the MD5 as proven by Hans Dobbertin in the
> paper entitled *"Cryptanalysis of MD5 Compress"(1996). I extract this
Not quite. See below.
> paragraph from
> the paper :
> "we give acollision of the compress function of MD5.
> We think that this might be reason enough to substitute MD5 in future
> applications."
The collision is just in the MD5 compress function. It is the most
critical component in MD5, but there is no known collision in MD5.
Use of MD5 is fine for some applications. For others, switching to
SHA-1 is a no-brainer. If in doubt, use SHA-1. But don't conclude
that anything is weak just because is uses MD5.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: All irreducible polys of degree 32 over GF(2)
Date: Tue, 26 Dec 2000 06:32:03 GMT
Benjamin Goldberg wrote:
> Bryan Olson wrote:
> You seem to suddenly be jumping from the suggestion that it is
> concievably possiple for someone who knows the entire plaintext to get
> the PRNG output, to the idea that it is "straightforward" to get the
> seed from the ciphertext if a different prng is used.
You seem to be uninterested in analyzing the scheme you
proposed.
> I still have not seen you or anyone else say how one can learn the
> generator output, given the entire plaintext and the entire
ciphertext.
As I pointed out, even looking for the generator outputs
exhaustively works. We have:
| z = crc( file, y );
| send( z ); // don't send y!!!!
where 'file' and z are known and we want to find y; y and z
are only 32 bits. The faster way I suggested is to find
small factors. We need the factors of (file-z) that are no
more than 32-bits.
> IF someone knows the generator output, it is relatively
> easy to get the seed for mt or either of the other prngs
> you suggested -- although mt needs more data and computation
> time to do this, the formulae for working backwords from
> output to seed do exist.
Correct. In the solution for y above, we will not get
unique values for all outputs, so some outputs of the
generator we have to express as sums of other terms, but
this introduces one equation for each new variable, so the
system is still solvable.
If z=crc(file, y) behaved as random, then for a given file
we'd expect about 1/e outputs z to map to a unique input y.
It's not random, and the portion that's unique depends on
the file. The expected number that are unique may be an
interesting exercise, but in any case we expect some
reasonable portion.
--Bryan
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Foolproof Quantum Cryptography
Date: Mon, 25 Dec 2000 14:05:33 GMT
On Mon, 25 Dec 2000 13:12:14 GMT, [EMAIL PROTECTED] (PB)
wrote, in part:
>Of course, if you communicate using entangled particles (which I
>believe they have managed to do at CERN - just as soon as Christmas is
>over I'll be able to look these things up) then there is nothing (?)
>to intercept?
The particles themselves are what can be intercepted. Two entangled
particles can't be used to send messages after they've been recieved;
they just give matching random bits for later use as a one-time-pad in
communications.
This is precisely why it can be claimed that entangled particles don't
really violate special relativity, even though it would seem like they
must.
But the interception is only a denial of service, so there is "nothing
to intercept" in another sense.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: All irreducible polys of degree 32 over GF(2)
Date: Tue, 26 Dec 2000 10:38:33 GMT
Bryan Olson wrote:
>
> Benjamin Goldberg wrote:
> > Bryan Olson wrote:
> > You seem to suddenly be jumping from the suggestion that it is
> > concievably possiple for someone who knows the entire plaintext to
> > get the PRNG output, to the idea that it is "straightforward" to get
> > the seed from the ciphertext if a different prng is used.
>
> You seem to be uninterested in analyzing the scheme you
> proposed.
I'm not uninterested, but until this post of yours, I didn't see any
analysis I understood.
> > I still have not seen you or anyone else say how one can learn the
> > generator output, given the entire plaintext and the entire
> ciphertext.
>
> As I pointed out, even looking for the generator outputs
> exhaustively works. We have:
>
> | z = crc( file, y );
> | send( z ); // don't send y!!!!
>
> where 'file' and z are known and we want to find y; y and z
> are only 32 bits. The faster way I suggested is to find
> small factors. We need the factors of (file-z) that are no
> more than 32-bits.
Actually, since "poly" represents an order 32 polynomial, the bits in
that variable represent the coefficients of x^0 .. x^31, with the
coefficient of x^32 always being 1, and not being part of poly.
So for each z, we look at the small polynomial factors of (file-z) which
are exactly order-32 (but not limited to irreducibles). By chopping off
the x^32 term of each of these factors, we get a set of possible y
values for each z. Now what?
You have y_0 = {a or b or c or d ...}, y_1 = {e or f or g or ...} and so
on. Supposing there are y#_i possibilities for y_i, then there are (the
product of the y#_i values) different possible generator outputs to try.
The problem of working from the *possible* y_i values to the actual ones
is not as easy as you seem to be implying.
> > IF someone knows the generator output, it is relatively
> > easy to get the seed for mt or either of the other prngs
> > you suggested -- although mt needs more data and computation
> > time to do this, the formulae for working backwords from
> > output to seed do exist.
>
> Correct. In the solution for y above, we will not get
> unique values for all outputs, so some outputs of the
> generator we have to express as sums of other terms, but
> this introduces one equation for each new variable, so the
> system is still solvable.
Actually, I think you're unlikely to get unique values for *most*
outputs. You would have to find a long contiguous sequence of z values
which had only one or two possible corresponding y values to get enough
generator output to work back to the seed.
> If z=crc(file, y) behaved as random, then for a given file
> we'd expect about 1/e outputs z to map to a unique input y.
Huh? I'm not as up to speed on probabilities as I'd like to be.
Explain how this is so.
> It's not random, and the portion that's unique depends on
> the file. The expected number that are unique may be an
> interesting exercise, but in any case we expect some
> reasonable portion.
Why do you expect the portion to be reasonable, not unreasonable?
Speaking of things being reasonable... Since your 'break' (which may or
may not work) on this scheme needs the ENTIRE plaintext to be known to
the attacker, who then can only get a *probable* generator output, and
then must do even more work to get the seed, WHICH IS ONLY USED FOR ONE
MESSAGE, how does your break (IF it works), affect the security of the
system?
Also, due to how much the message can be expanded using this system, I
came up with a slightly different system, and posted it with the subject
"polynomial permutation cipher."
The advantages of the new system are:
1) It does not expand the message.
2) If the permutation generator, E, is designed well, it can approximate
a random permutation.
3) It has a well defined method of using an initialization value.
4) The output of the permutation generator is decimated, to only those
outputs which are irreducible order 32 polys. This means that even if
you know the sequence of polys, you don't know which counter values
produced them, so you don't have enough info to even try to get the
message key.
5) Even if you got the message key, it was produced by hashing the IV
with the long term key. You would need to break the hash to get the
long term key. There are many existing hash functions which are
preimage resistant (sha1, md5, and others).
6) The only possible break you've offered requires factoring (file-z).
If only part of file is known to the attacker, this is probably
impossible.
--
There are three methods for writing code in which no bug can be found:
1) Make the code so straightforward that there are obviously no bugs.
2) Make the code so complicated that there are no obvious bugs.
3) Insist that any apparent bugs were really intentional features.
------------------------------
From: [EMAIL PROTECTED] (PB)
Subject: Re: Foolproof Quantum Cryptography
Date: Tue, 26 Dec 2000 12:10:48 GMT
On Mon, 25 Dec 2000 14:05:33 GMT, [EMAIL PROTECTED]
(John Savard) wrote:
>On Mon, 25 Dec 2000 13:12:14 GMT, [EMAIL PROTECTED] (PB)
>wrote, in part:
>
>>Of course, if you communicate using entangled particles (which I
>>believe they have managed to do at CERN - just as soon as Christmas is
>>over I'll be able to look these things up) then there is nothing (?)
>>to intercept?
>
>The particles themselves are what can be intercepted. Two entangled
>particles can't be used to send messages after they've been recieved;
>they just give matching random bits for later use as a one-time-pad in
>communications.
>
>This is precisely why it can be claimed that entangled particles don't
>really violate special relativity, even though it would seem like they
>must.
>
>But the interception is only a denial of service, so there is "nothing
>to intercept" in another sense.
>
>John Savard
>http://home.ecn.ab.ca/~jsavard/crypto.htm
Ah - I see. Please ignore my later post - looks like I didn't get
the cancel out in time!
cheers
pete
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
