Cryptography-Digest Digest #415, Volume #13       Wed, 3 Jan 01 10:13:01 EST

Contents:
  Re: Test Data for DES? ([EMAIL PROTECTED])
  Re: GOST 28147-89 (Tom St Denis)
  Re: Very Simple Gift Certificate Scheme (Tom St Denis)
  Re: Very Simple Gift Certificate Scheme ([EMAIL PROTECTED])
  Re: A simple Modular Arithmetic problem ("P.C. Teo")
  Re: A simple Modular Arithmetic problem ("P.C. Teo")
  Re: calculating 2048 bit public key ops with an 1024 bit engine? (Bo Lin)
  Re: Very Simple Gift Certificate Scheme (Mok-Kong Shen)
  Re: A simple Modular Arithmetic problem (Mok-Kong Shen)
  Re: Audio-CD steganography? (Marc)
  Re: Audio-CD steganography? (Mok-Kong Shen)
  Bluetooth encryption and authentication ("kihdip")
  Re: Very Simple Gift Certificate Scheme (Tom St Denis)
  Simple Source Related Question??? (Bob Mariotti)
  Re: Bluetooth encryption and authentication (Daniel)
  Re: Very Simple Gift Certificate Scheme (Simon Johnson)
  Re: Bluetooth encryption and authentication ("kihdip")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Test Data for DES?
Date: Wed, 03 Jan 2001 05:38:10 GMT

hi dave,

In article <1Vt46.22377$[EMAIL PROTECTED]>,
  "Dave Rudolf" <[EMAIL PROTECTED]> wrote:
> Fair enough, though all I really need are some more plaintext-ciphertext pairs,
> and it would be nice to have some intermediate values (say the output of each
> round, to make sure mine isn't finicky). But if you're just aching to

i had used Earl and Youngs DES implementation in ssl source code to
check against my implementation.. u may select any other implementation
that u can follow to check against. i followed the same tests as
prescribed to the aes candidates last year.

secondly i think stinson or schneier's books (sorry i don't remember
which one... although i think have intermediate values for sample input
and keys... but mind u even if u get those correct that does not prove
ur implementation as _entirely_ correct.

-regards,
Shailesh.


Sent via Deja.com
http://www.deja.com/

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: GOST 28147-89
Date: Wed, 03 Jan 2001 06:14:54 GMT

In article <92u3hq$mu3$04$[EMAIL PROTECTED]>,
  "[Basic]" <[EMAIL PROTECTED]> wrote:
>
> "Tom St Denis" <[EMAIL PROTECTED]> schrieb im Newsbeitrag
> news:92tvu3$hr$[EMAIL PROTECTED]...
> > In article <92tu70$e3l$01$[EMAIL PROTECTED]>,
> >   "[Basic]" <[EMAIL PROTECTED]> wrote:
> > >
> > > "Tom St Denis" <[EMAIL PROTECTED]> schrieb im Newsbeitrag
> > > news:92tnon$pkl$[EMAIL PROTECTED]...
> > > > In article <92tliv$a5v$01$[EMAIL PROTECTED]>,
> > > >   "[Basic]" <[EMAIL PROTECTED]> wrote:
> > > > > As I don't speak c/c++ I dont have any compiler for it.
> > > > >
> > > > > So please now stop talking, take your masterpiece, encrypt
> > > > > something in ecb mode and post the details here.
> > > >
> > > > Why if you can't program then what does it matter?
> > >
> > > the only language i speak is x68 assembler
> > >
> > > >
> > > > Anyways...
> > > >
> > > > key: 00 01 02 03 04 05 06 07 .. .. ..
> > > > ct : aa 6e 47 af 95 1c 9f 2a
> > > > pt : 00 01 02 03 04 05 06 07
> > >
> > > thx for your work but without knowledge of the SBoxes that were
> > > used this example is useless.
> > > btw post if you increment the key in hex and it's half the work
> >
> > The sboxes are in the source code I referenced.  Just pull em out!
> >
> > And the key bytes go from 0 to 31 (decimal).
> >
> > Tom
> >
> >
> > Sent via Deja.com
> > http://www.deja.com/
>
> thx a lot for your work but ive still questions...
>
> i dont understand the make_sboxes sub in your code. such sbox
> manipulating is not described in  the gost 28147-89 specifications.

I don't have a make_sboxes sub in
http://www.geocities.com/tomstdenis/files/gost.c

... but if I did it's most likely to join adjacent sboxes into an 8x8 and
then precompute the rotation.

It's called efficiency!

Tom
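
The optimisation described in this reply, as an added example that is not taken from gost.c or written by any poster: adjacent 4-bit S-boxes are joined into 8x8 tables whose entries already carry the 11-bit rotation, and the result is checked against the nibble-wise round function. The S-boxes are constructed placeholders, and all function names are assumptions of this example.

```python
import random

MASK32 = 0xFFFFFFFF

def rol32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32

def constructed_sboxes(seed=1):
    """Eight 4-bit permutations made up for this example.
    They are NOT the S-boxes from gost.c or any published parameter set."""
    rng = random.Random(seed)
    boxes = []
    for _ in range(8):
        box = list(range(16))
        rng.shuffle(box)
        boxes.append(box)
    return boxes

def f_nibblewise(x, subkey, sboxes):
    """Round function step by step: add the subkey mod 2^32, pass each of the
    eight nibbles through its own 4x4 S-box, rotate the result left by 11."""
    t = (x + subkey) & MASK32
    out = 0
    for i in range(8):
        out |= sboxes[i][(t >> (4 * i)) & 0xF] << (4 * i)
    return rol32(out, 11)

def build_tables(sboxes):
    """Join S-boxes 2j and 2j+1 into one 8x8 table for byte j and store every
    entry already moved to byte position j and rotated left by 11."""
    tables = []
    for j in range(4):
        lo, hi = sboxes[2 * j], sboxes[2 * j + 1]
        tables.append([
            rol32(((hi[b >> 4] << 4) | lo[b & 0xF]) << (8 * j), 11)
            for b in range(256)
        ])
    return tables

def f_tables(x, subkey, tables):
    """Same function with four lookups and no rotate: rotation is a bit
    permutation, so it distributes over the OR of the four byte outputs."""
    t = (x + subkey) & MASK32
    return (tables[0][t & 0xFF] | tables[1][(t >> 8) & 0xFF]
            | tables[2][(t >> 16) & 0xFF] | tables[3][t >> 24])

def tables_match_reference(trials=5000, seed=7):
    """Compare both versions on random (x, subkey) pairs plus edge values."""
    sboxes = constructed_sboxes()
    tables = build_tables(sboxes)
    rng = random.Random(seed)
    cases = [(0, 0), (MASK32, MASK32), (MASK32, 1), (0x80000000, 0x80000000)]
    cases += [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(trials)]
    return all(f_tables(x, k, tables) == f_nibblewise(x, k, sboxes)
               for x, k in cases)

if __name__ == "__main__":
    print("table version matches nibble-wise version:", tables_match_reference())
```

Because the tables are derived mechanically from the 4-bit S-boxes, an implementation that ships such tables still computes the function in the specification.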



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Very Simple Gift Certificate Scheme
Date: Wed, 03 Jan 2001 06:18:07 GMT

In article <[EMAIL PROTECTED]>,
  "John A. Malley" <[EMAIL PROTECTED]> wrote:
>
> Tom St Denis wrote:
> >
> > My very-simple-most-likely-thought-of-before-but-never-really-discussed-
> > because-too-many-people-get-this-stuff-wrong paper on simple gift
> > certificates.
> >
> > http://www.geocities.com/tomstdenis/files/gcert.ps.gz
> >
> > Tom
> >
> > Sent via Deja.com
> > http://www.deja.com/
>
> Just so I'm clear on the protocol after reading the PDF paper:
>
> Alice generates a secret key K.  To issue certificates, Alice generates
> a new serial number Sn and concatenates ( Sn | K ) into one bit string
> (yes?)
>
> Alice hashes the concatenated string as H = hash( Sn | K ), and
> provides < H, Sn > as the certificate to Bob.
>
> Bob can pass the certificate to a third party (Carol) as a gift, and
> Carol can claim the value of the certificate by presenting < H, Sn > to
> Alice.
>
> Alice checks the validity of the certificate by recalculating H from
> hash( Sn | K ) to prove to herself that this IS a serial number she
> issued.
>
> Alice must also check that this serial number was not yet claimed. If it
> wasn't she gives its equivalent in value to Carol.
> If it was already claimed, she apologizes to Carol and tells her she's
> out of luck.
>
> To prevent this scenario, Alice must send the certificate to Bob through
> a secure channel, AND, Bob must send it to Carol (as  a gift) through a
> secure channel, AND, Carol must present it back to Alice (when she
> claims her gift's value) through a secure channel.
>
> If Carol is ever told the certificate was already used then, provided
> the channels remained secure, either Bob or Alice used the certificate
> before she did. If the secure channels involve an authentication
> protocol, then the transaction claiming the certificate on a secure
> channel records the identity of the culprit who actually exercised the
> certificate.
>
> So why does Alice need the secure hash on (Sn | K)?  What does the hash
> provide Alice, Bob and Carol?  Suppose they all communicate across
> secure channels (and the cipher is non-malleable and semantically
> secure) AND only Alice knows which random serial numbers were ever
> actually generated?
>
> Alice randomly selects k-bit serial numbers over the range 0 - (2^k - 1)
> with uniform probability.
> She records the random Sn she issues. Alice sends just the Sn to Bob
> through a non-malleable, semantically secure channel.
>
> Bob relays the Sn to Carol again through a non-malleable, semantically
> secure channel.
>
> Eve has her work cut out for her. She can't do much of anything with
> what she intercepts. Eve can't alter the messages or learn a single bit
> about the messages. So the hash doesn't need to protect anything for
> Alice, Bob and Carol's benefit.
>
> Bob could claim the Sn before Carol does after he gives it to her as a
> present. Alice gives the value of the certificate (Sn) to whomever
> claims it first.  The hash doesn't protect against that.
>
> Carol or Bob could try to generate a random Serial number and see if
> Alice would accept it.  Their success depends on the number of serial
> numbers previously generated and yet unclaimed. If 2^s serial numbers
> out of the total 2^k possible serial numbers ( s < k ) were generated at
> time t, then the probability of randomly generating one of those
> recognized Sn is  2^(s-k).  And only a fraction of those recognized
> serial numbers may actually remain unclaimed.  Alice chooses the number
> of bits k in a serial number to be great enough that the probability of
> a random guess hitting an unclaimed number is an acceptable risk to her.
>
> When Alice gets a serial number she just checks in her database of
> issued serial numbers. If it doesn't match then she doesn't honor it.
> If it does match and it was previously claimed, she doesn't honor it. If
> it matches and it hasn't been claimed before, she honors it.
>
> So I'm missing something about the use of the hash. It's important for
> some reason. Please help!
>
> What does the hash help protect against if Alice, Bob and Carol pass the
> certificates to one another via secure channels, only Alice knows the
> complete set of serial numbers issued, and the serial numbers are
> selected at random uniformly distributed across 0 -  (2^k - 1)?

Simple, realtime applications rarely have access to a decent rng
(unless you are on linux).  With my pathetic scheme you get to make
certificates without introducing any entropy.  They could be issued by
a simple smart card or key-ring token thingy... (assuming it had an
appropriately sized eeprom)

Tom
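
The certificate flow discussed in this exchange, as an added example that is not code from the paper or from either poster: certificates are < H, Sn > with H = hash( Sn | K ), and the issuer recomputes H and tracks claimed serials. Assumptions of this example: SHA-256 as the hash, serial numbers taken from a counter encoded as 8 bytes (so no random numbers are drawn per certificate), a constructed key, and the names `Issuer`, `issue`, `redeem` and `demo`.

```python
import hashlib
import hmac

class Issuer:
    """Alice: holds the secret key K, a serial counter and the claimed set."""

    def __init__(self, key: bytes):
        self._key = key
        self._next_sn = 0          # assumption: serials come from a counter
        self._claimed = set()      # serial numbers already redeemed

    def _hash(self, sn: int) -> bytes:
        # H = hash( Sn | K ). Sn is always 8 bytes, so the boundary between
        # Sn and K inside the hashed string is unambiguous.
        return hashlib.sha256(sn.to_bytes(8, "big") + self._key).digest()

    def issue(self):
        """Return the certificate < H, Sn > for the next serial number."""
        sn = self._next_sn
        self._next_sn += 1
        return self._hash(sn), sn

    def redeem(self, h: bytes, sn: int) -> str:
        """Recompute H from Sn and K, then check the claimed set."""
        if not 0 <= sn < 2 ** 64:
            return "rejected"
        if not hmac.compare_digest(h, self._hash(sn)):
            return "rejected"            # not a certificate Alice issued
        if sn in self._claimed:
            return "already claimed"     # second presentation of the same Sn
        self._claimed.add(sn)
        return "honored"

def demo():
    """Issue one certificate and present it in the ways the thread discusses."""
    alice = Issuer(key=bytes.fromhex("00" * 31 + "01"))  # constructed key
    h, sn = alice.issue()
    results = {}
    results["guessed serial"] = alice.redeem(h, sn + 1)   # H does not match
    results["altered hash"] = alice.redeem(bytes(32), sn)
    results["carol claims"] = alice.redeem(h, sn)
    results["bob claims after"] = alice.redeem(h, sn)     # copy kept by Bob
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The issuer's persistent state is K, the counter and the claimed set; whoever presents a valid < H, Sn > first is paid, which is the limitation the quoted message points out.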



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Very Simple Gift Certificate Scheme
Date: Wed, 03 Jan 2001 06:24:36 GMT

In article <[EMAIL PROTECTED]>,
  "John A. Malley" <[EMAIL PROTECTED]> wrote:
>
> Tom St Denis wrote:
> >
> > My very-simple-most-likely-thought-of-before-but-never-really-discussed-
> > because-too-many-people-get-this-stuff-wrong paper on simple gift
> > certificates.
> >
> > http://www.geocities.com/tomstdenis/files/gcert.ps.gz
> >
> > Tom
> >
> > Sent via Deja.com
> > http://www.deja.com/
>
hi tom,

with due respects, have you read rfc2797 Certificate Management over CMS
(using signed data of Cryptographic Message Syntax), rfc2510
Certificate Management protocols (using a new message syntax called PKI
data which allows CMS data) and rfc2459 X.509 Public Key Infrastructure
Certificate and CRL Profile ???
i could only read David's discussion out here and am unable to reach
the pdf link on geocities given by you.

-regards,
rasane_s



------------------------------

From: "P.C. Teo" <[EMAIL PROTECTED]>
Subject: Re: A simple Modular Arithmetic problem
Date: Wed, 3 Jan 2001 17:53:42 +0800
Reply-To: "P.C. Teo" <[EMAIL PROTECTED]>

Thanks, your suggestion helps!

For your information, I am really asking for my college question, but it is
not in pure number theory or mathematics.

I am actually trying to build up Stefan Brands Digital Cash System.
Honestly, I am quite new to number theory. And hope to catch up the subject.


> Express x in terms of x1 and x2 directly (i.e. without mod q)
> and then try.
>
> Sorry for an unfriendly remark: I suppose you don't belong
> to the people (there are sometimes some) who post math
> problems to this group to help them do their school course
> work (in that case one should instead try sci.math).
>
> M. K. Shen



------------------------------

From: "P.C. Teo" <[EMAIL PROTECTED]>
Subject: Re: A simple Modular Arithmetic problem
Date: Wed, 3 Jan 2001 17:56:28 +0800
Reply-To: "P.C. Teo" <[EMAIL PROTECTED]>

Yes, it works, but could you explain to me why without modulo q?

since I suppose that the power should always be <= q, in this case, we got
x2 > q for some times.

Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> "P.C. Teo" wrote:
> >
> > One generator g of prime order q modulo p [that is g^q = 1 (mod p)]
> >
> > Random pick a number x modulo q. Is it possible for me to split the
> > number x?
> >
> > What I mean is, I randomly pick another number x1, then I try get number
> > x2 by having the equation hold
> > x = x1 + x2 (mod q)
> >
> > so, is it the following equation will be true?
> > g^x = g^x1 * g^x2 (mod p)
> > since g^x1 * g^x2 = g^(x1+x2) = g^x (mod p)
> >
> > Honestly, I couldn't get the last equation hold. Why?
>
> Express x in terms of x1 and x2 directly (i.e. without mod q)
> and then try.
>
> Sorry for an unfriendly remark: I suppose you don't belong
> to the people (there are sometimes some) who post math
> problems to this group to help them do their school course
> work (in that case one should instead try sci.math).
>
> M. K. Shen



------------------------------

From: Bo Lin <[EMAIL PROTECTED]>
Crossposted-To: sci.math.num-analysis
Subject: Re: calculating 2048 bit public key ops with an 1024 bit engine?
Date: Wed, 03 Jan 2001 09:27:58 +0000

I agree with what you said.

This is not a new issue when we evaluate an exponentiation engine.
Usually, a set of functions are provided and scalability is taken into
account.

Have a happy new year too.

Bo Lin


Francois Grieu wrote:
> 
> Bo Lin <[EMAIL PROTECTED]> wrote :
> 
> > The original question is about how to do a 2n-bit exponentiation with an
> > n-bit exponentiation hardware engine. The issue was solved long time
> > ago. It depends on the functions which the engine provides.
> 
> I'd appreciate references. Given a black box that performs A^e mod N
> for n-bit arguments, I see simply no way at all to extend to 2n-bit.
> Given a black box that performs A*B mod N, the best method I see
> involves using the black box as a multiplier of n/2 bit arguments
> into n bit arguments, without modular reduction.
> 
> > It depends on the functions which the engine provides.
> 
> I very much agree on this. A well thought fixed size modular engine
> can be effectively used for any argument size.
> 
> Have a good millenium,
> 
>    Francois Grieu

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Very Simple Gift Certificate Scheme
Date: Wed, 03 Jan 2001 11:42:23 +0100



Tom St Denis wrote:
> 
>   Simon Johnson <[EMAIL PROTECTED]> wrote:

> > I hate to moan, but could i have a PDF of this? :)
> 
> Sure..
> 
> http://www.geocities.com/tomstdenis/files/gcert.pdf

You seem to have a virtual page. Geocities says that
it is not available.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: A simple Modular Arithmetic problem
Date: Wed, 03 Jan 2001 11:42:15 +0100



"P.C. Teo" wrote:
> 
> Yes, it works, but could you explain to me why without modulo q?
> 
> since I suppose that the power should always be <= q, in this case, we got
> x2 > q for some times.

With that you can prove your equation.  x = x1 + x2 (mod q)
means x = x1 + x2 + m*q for some m. So g^x = g^x1*g^x2*g^(m*q).
From g^q = 1 mod p one has g^(m*q) = 1 mod p and hence
g^x = g^x1*g^x2 mod p.

M. K. Shen
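
The argument in this reply, checked numerically in an added example that is not part of the original posts: with p = 23 and q = 11 (constructed toy parameters), every split x = x1 + x2 (mod q) satisfies g^x = g^x1 * g^x2 (mod p) when g has order q, and the same split fails for an element whose order is not q. All function names are assumptions of this example.

```python
def order_q_element(p, q):
    """Return some g != 1 in Z_p^* with g^q = 1 (mod p).
    Requires q prime and q dividing p - 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g
    raise ValueError("no element of order q found")

def split(x, x1, q):
    """Given x and a chosen x1 (both mod q), return x2 with x = x1 + x2 (mod q)."""
    return (x - x1) % q

def wraps(x, x1, x2, q):
    """Integer k with x1 + x2 = x + k*q (k is -m in the post's notation)."""
    k, r = divmod(x1 + x2 - x, q)
    if r != 0:
        raise ValueError("x1 + x2 is not congruent to x mod q")
    return k

def identity_holds(p, g, x, x1, x2):
    """Check g^x == g^x1 * g^x2 (mod p)."""
    return pow(g, x, p) == pow(g, x1, p) * pow(g, x2, p) % p

def all_splits_hold(p, q, g):
    """Try every x and every x1 in 0..q-1, with x2 derived mod q."""
    return all(identity_holds(p, g, x, x1, split(x, x1, q))
               for x in range(q) for x1 in range(q))

if __name__ == "__main__":
    p, q = 23, 11                      # toy parameters: 11 divides 22
    g = order_q_element(p, q)          # 4, since 4^11 = 1 (mod 23)
    x, x1 = 3, 7
    x2 = split(x, x1, q)               # 7, so x1 + x2 = 14 = x + 1*q
    print("g =", g, "x2 =", x2, "k =", wraps(x, x1, x2, q))
    print("order-q element, all splits hold:", all_splits_hold(p, q, g))
    # 5 generates all of Z_23^* (order 22), so 5^q = -1 and the extra
    # factor g^(k*q) no longer disappears when the sum wraps past q.
    print("order-22 element, all splits hold:", all_splits_hold(p, q, 5))
```

The identity depends only on g^q = 1 (mod p): when the sum x1 + x2 wraps past q, the leftover factor g^(k*q) is 1 exactly when the order of g divides q.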

------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: Re: Audio-CD steganography?
Date: 3 Jan 2001 10:43:21 GMT

>does anyone know if it is possible to store user-data (for example jpegs
>etc.) in the subchannels of a normal Audio-CD? I know that there is
>about 4megs of empty subchannel-data on each CD. But is there any
>program that can write such data (and, of course, read it back again)??

Some CDROM and CD-Writers can access the subchannels correctly.
See for instance the "CloneCD" homepage, a CD copier that replicates
protected CDs by doing a 1:1 raw copy including subchannel.

Storing data in the subchannel might be a new idea, although I
am not convinced that it qualifies as "steganography".  I think
it is more of storing data in a place where one typically does
not expect data. Subchannel content is exactly defined and every
deviation can be detected easily.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Audio-CD steganography?
Date: Wed, 03 Jan 2001 11:56:24 +0100



Marc wrote:
> 
> >does anyone know if it is possible to store user-data (for example jpegs
> >etc.) in the subchannels of a normal Audio-CD? I know that there is
> >about 4megs of empty subchannel-data on each CD. But is there any
> >program that can write such data (and, of course, read it back again)??
> 
> Some CDROM and CD-Writers can access the subchannels correctly.
> See for instance the "CloneCD" homepage, a CD copier that replicates
> protected CDs by doing a 1:1 raw copy including subchannel.
> 
> Storing data in the subchannel might be a new idea, although I
> am not convinced that it qualifies as "steganography".  I think
> it is more of storing data in a place where one typically does
> not expect data. Subchannel content is exactly defined and every
> deviation can be detected easily.

Graphical files allow hiding of bits through appropriate
modification of pixels. Wouldn't it be possible to do
analogous modifications to audio data? If yes, how good
is that? Thanks.

M. K. Shen

------------------------------

From: "kihdip" <[EMAIL PROTECTED]>
Subject: Bluetooth encryption and authentication
Date: Wed, 3 Jan 2001 14:52:35 +0100

Does anyone have any experience with the Bluetooth encryption scheme ?? (Or
the authentication??)

I believe it is called E0. Is it correct that it was constructed especially
for Bluetooth ??
How safe is it, compared to DES and AES ?? (Have any successful attempts to
break it been made ??)

I would appreciate any related links.

Kim



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Very Simple Gift Certificate Scheme
Date: Wed, 03 Jan 2001 13:51:33 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Tom St Denis wrote:
> >
> >   Simon Johnson <[EMAIL PROTECTED]> wrote:
>
> > > I hate to moan, but could i have a PDF of this? :)
> >
> > Sure..
> >
> > http://www.geocities.com/tomstdenis/files/gcert.pdf
>
> You seem to have a virtual page. Geocities says that
> it is not available.

You know why?  Cuz Geocities BLOWS!.  The file is in my /files
directory...

Tom



------------------------------

From: [EMAIL PROTECTED] (Bob Mariotti)
Subject: Simple Source Related Question???
Date: Wed, 03 Jan 2001 14:27:06 GMT

After reading hundreds of these posts here, in sci.electronics,
searching the web for days and days yes, reading info in several books
and articles, I still have not been able to come up with what I am
looking for.  Perhaps one of you "experts" can assist.

I am charged with creating a routine in our development logic that
will calculate the PIN offsets for new ATM/POS cards using the DES
encryption common to banking.

I have searched for sample source code in ANY language and found only
one in C++ what was quite 'cryptic'.   

Can anyone please point me to a site or email me an example of a
simple ECB routine to calculate the DES value (pin offset to be
specific).  

I find the topics quite interesting and I would enjoy devoting all my
working and leisure time to studying it.  However, project deadlines
loom and I must make progress.   ANY help will be greatly appreciated.

Thank you.


------------------------------

Date: Wed, 03 Jan 2001 15:28:14 +0100
From: Daniel <[EMAIL PROTECTED]>
Subject: Re: Bluetooth encryption and authentication

Take a look at:

http://www.bluetooth.com/developer/specification/core_10_b.pdf

It contains everything you need to know...

/D.

kihdip wrote:

> Does anyone have any experience with the Bluetooth encryption scheme ?? (Or
> the authentication??)
>
> I believe it is called E0. Is it correct that it was constructed especially
> for Bluetooth ??
> How safe is it, compared to DES and AES ?? (Have any successful attempts to
> break it been made ??)
>
> I would appreciate any related links.
>
> Kim


------------------------------

From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Very Simple Gift Certificate Scheme
Date: Wed, 03 Jan 2001 14:25:32 GMT

In article <92tvad$t$[EMAIL PROTECTED]>,
  Bryan Olson <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> > My very-simple-most-likely-thought-of-before-but-never-really-discussed-
> > because-too-many-people-get-this-stuff-wrong paper on simple gift
> > certificates.
> >
> > http://www.geocities.com/tomstdenis/files/gcert.ps.gz
>
> I suggest you read up on digital cash.
>
> This scheme, as well as I can make it out, does nothing to
> protect the customer from denial of a good certificate, nor
> from an imposter selling bogus certificates.  There's no note
> of any value recorded with the certificate either.

There isn't in reality either. If i purchase a gift-certificate
from a shop they could refuse point-blank to take it. The law protects
us from this eventuality, and it would if such protocol ever took hold.

> At the very least, the seller should have a well known public
> key that signs the certificates, and each certificate should
> hold a public key supplied by the buyer (as well as the nonce
> and value indication).  To spend the certificate, the buyer
> signs an order, which includes the certificate, with the
> associated private key, and sends the order to the seller.
>
> In case of a dispute over whether a certificate is good, the
> buyer shows the certificate.  If it does not verify with the
> seller's public key, it's not good.  If it does, then the
> seller shows the corresponding order message.  If the order
> does not verify with the public key in the certificate, then
> the certificate is still good.  If the order does verify, then
> the certificate is already spent.  We still have the question of
> whether the order was filled, but that's the same as with any
> on-line transaction.

> Note that in this scheme only the private keys are secret.
> All the messages can pass in the clear.  If the certificate is
> to be a gift, then the buyer sends the public key of the gift's
> recipient for inclusion in the certificate.
>
> There are still other improvements we could make.  Does the
> seller have to record orders forever?  Can gifts be given so
> that the seller can't tell who gave what to whom?  Digital
> cash schemes answer such questions and more.
> --Bryan
>
> Sent via Deja.com
> http://www.deja.com/
>
Indeed, Gift certificates are an example of digital money. After all,
one could consider a bank note a voucher that works in any store :)

Simon.
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File



------------------------------

From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: Bluetooth encryption and authentication
Date: Wed, 3 Jan 2001 15:41:54 +0100

Thanks,

Although I don't believe the specification says anything about successful
attacks.

Kim




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
