Cryptography-Digest Digest #782, Volume #13       Fri, 2 Mar 01 17:13:01 EST

Contents:
  Re: philosophical question? (Joe H. Acker)
  Re: Text of Applied Cryptography (Frog2)
  Re: Super strong crypto ("Douglas A. Gwyn")
  Re: => FBI easily cracks encryption ...? (Jim Taylor)
  Re: Completly wiping HD (Ben Cantrick)
  Re: => FBI easily cracks encryption ...? ("kroesjnov")
  Re: => FBI easily cracks encryption ...? (Jim Gillogly)
  Re: super-stong crypto, straw man phase 2 (William Hugh Murray)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Joe H. Acker)
Crossposted-To: sci.crypt.random-numbers,de.sci.informatik.misc,sci.math
Subject: Re: philosophical question?
Date: Fri, 2 Mar 2001 21:57:53 +0100

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:


> > But here, people seem to use randomness in the sense of
> > unpredictability, but that's something different. Why? Because if a
> > TRNG happens to output 1 a few hundred times in sequence, which is
> > quite improbable but can happen, then there should be a high probability
> > that next time it will output a 0.
> 
> No, that's the Gambler's Fallacy.  Each successive sample of a TRNG
> is independent of all previous samples; its probabilities are
> determined by the (unchanging) PDF and by nothing else.

Okay, thanks for the clarification. That sounds striking to me. However,
it has two consequences: (1) In the roulette winning strategy, it would
not matter at all whether I put my bet on the other half (say odd) or
whether I stay with the one I've lost with (say even). Sounds plausible.
(2) Wouldn't that mean that it's wrong to say that it's improbable that
a TRNG will output 100000 subsequent 1's? I mean, if each of the sign
events occurs with a probability of 1/2 and is completely independent of
previous outputs, why shouldn't 100000 subsequent 1's be as probable as
the sequence a TRNG actually should and does output?

Is the improbability of such sequences an axiom or mere hypostasis in
probability theory, or is it indeed wrong to claim that such sequences
are improbable? (I'm talking about true random sequences; it's clear to
me that randomness in cryptography has to conform to additional
restrictions.)

> > That's of course the reason why there's a limit in roulette, because
> > otherwise you could use the well-known strategy to bet on odd, double
> > the amount of money if you lose and bet it on even and so on, or
> > start from the beginning if you win.
> 
> The reason for a limit is to ensure that the House can pay off any
> winning bet, no matter how lucky the player gets.  The doubling

only one reason, the other reason is to prevent Bill Gates from winning
with the above winning strategy...

> strategy does not work; each play is expected to lose the standard
> house percentage (5.26%), so when played a sufficiently large number
> of times the expected loss is around 5.26% of the sum of all bets.

I might be wrong, but that seems marginal compared to the win, which is
double the sum of all bets.

> Another way of looking at it is that if you start with $1000 and
> intend to keep playing until you end up with $1000000, the odds are
> that you'll go bankrupt before reaching your goal.

That of course is the actual problem. Even Bill Gates might run into
trouble with the exponential growth the system requires...

> > I've understood the original question in the way, wether there is a
> > sign-system not invented by humans, that could be applied to true
> > random sequences and convey some information (in the ordinary sense
> > of "information"). I don't think so, but anyway, that's a religious
> > question.
> 
> Only to the extent that the discussion becomes irrational.  Any
> countable set of distinguishable signs can be index-numbered and
> used to represent information the same way as any conventional
> sign system, although the *meaning* (and value) of the information
> as judged by some human depends on the sign system.  Signs as such
> really have nothing to do with the issue of information content,
> but rather with its interpretation.  For example, I can encode any

Sure, the sender encodes a message of the sign system into signals the
channel can carry, the signals get transmitted via the channel, and the
receiver decodes the signals into the message of the sign system. But
the interesting thing about applying information theory is that at least
you have to make assumptions about the sign system used, and the sign
system includes the interpretation of the signs. Take for example
jpeg-compression. To say that this kind of compression is lossy only
makes sense relative to a sign system under consideration. Why?
Because if I transmit large black squares and circles through the
jpeg-channel, then the jpeg-compression (encoding/decoding) isn't lossy
at all, because the encoding of black squares and circles in pictures is
hopelessly redundant anyway. 

> integer in a base-64 system commonly used for embedding binary data
> in e-mail sent via the SMTP protocol; this system uses digits and
> letters of the English alphabet but does not have any meaning as
> English language.  Those characters just serve as a convenient set
> of distinguishable symbols in terms of which we encode arbitrary
> information.

It's the signals you're talking about. Maybe I have the model wrong in
my mind, but to me it looks like:

sign system[sender (produces message/encoding)]-->signals (transmitted
over channel with error sources)-->sign system[receiver (retrieves
message/decoding)]

The square brackets are not for denoting functions, but for indicating a
box in the figure...

Encoding and decoding only makes sense relative to the sign system used,
and you cannot interpret the signals in any meaningful way without
assuming properties of the sign system in use.

> > And you cannot even apply information theory to a true random
> > sequence, if you have no clue about the sign-system used.
> 
> If you have evidence of the sequence, then sure you can deal with
> it using standard information theory.  If you mean that the entire
> gamut of possible symbols aren't known,

in case of true random, no symbol (in the sense of a sign) is known at
all, only the signals are known

> just those that appear in
> the available sample, there is in fact a way to reliably estimate
> the total size of the symbol set (due to Turing, Good, et al.)

That's very interesting. Could you point me to any reference about that?
If I'm right to take symbols=signals, how could this work without
exploiting properties of the sign system that might have been used?

Regards,

Erich
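Added worked derivation, not part of the original exchange, for the two
probability points raised in the post above: whether a run of 100000 1's
from a TRNG is "improbable", and why the doubling strategy cannot beat the
5.26% house percentage quoted. Everything below assumes a fair, memoryless
bit source (independent bits with Pr[1] = 1/2) and, for the roulette part,
an American wheel with 18 winning numbers out of 38; the $1 base stake and
the $1000 bankroll in the last step are assumptions for illustration.

(1) Any one sequence is exactly as likely as any other. For n independent
fair bits X_1, ..., X_n, every particular sequence s in {0,1}^n has

$$\Pr[s] = 2^{-n},$$

so for n = 100000 the all-ones sequence and any one "random-looking"
sequence both have probability 2^{-100000}. Independence also gives the
Gambler's Fallacy correction directly:

$$\Pr[X_{n+1} = 1 \mid X_1 = \dots = X_n = 1] = \Pr[X_{n+1} = 1] = \tfrac{1}{2}.$$

(2) What is improbable is the event, not the sequence. "100000 ones" is a
single sequence; "about half ones" is a class of many sequences. The number
of ones K is Binomial(n, 1/2), so

$$\Pr[K = k] = \binom{n}{k} 2^{-n}, \qquad \Pr[K = n] = 2^{-n}, \qquad
\Pr[K = n/2] = \binom{n}{n/2} 2^{-n} \approx \sqrt{\tfrac{2}{\pi n}}.$$

For n = 100000 this gives Pr[K = n/2] ~ 0.0025 against 2^{-100000} for the
all-ones event. Hoeffding's inequality bounds the entire tail:

$$\Pr\bigl[\,|K - n/2| \ge t\,\bigr] \le 2e^{-2t^2/n}, \qquad
t = 1000,\; n = 100000 \;\Rightarrow\; 2e^{-20} \approx 4 \times 10^{-9}.$$

A TRNG therefore emits a sequence whose fraction of ones lies in
[0.49, 0.51] with probability at least 1 - 4e-9. The statement "100000
consecutive 1's is improbable" is a theorem about the event K = n, not a
claim that some other particular sequence is more likely than it.

(3) The doubling strategy. An even-money bet of stake b wins with
probability 18/38 and loses with probability 20/38, so

$$E[\text{gain}] = b \cdot \tfrac{18}{38} - b \cdot \tfrac{20}{38}
= -\tfrac{2}{38}\, b \approx -0.0526\, b.$$

Each stake b_i is fixed before spin i and the spin is independent of it,
so by linearity of expectation, for any number N of spins and any stake
rule (doubling after a loss included),

$$E\Bigl[\sum_{i=1}^{N} \text{gain}_i\Bigr] = -\tfrac{2}{38}\, E\Bigl[\sum_{i=1}^{N} b_i\Bigr],$$

which is the "5.26% of the sum of all bets" in the quoted reply. Doubling
only changes how that loss is distributed in time: after j consecutive
losses at base stake 1 the cumulative loss is 1 + 2 + ... + 2^{j-1} =
2^j - 1 and the next stake is 2^j. With a $1000 bankroll the tenth
consecutive loss cannot be covered (2^{10} - 1 = 1023 > 1000), and

$$\Pr[\text{10 losses in a row}] = \left(\tfrac{20}{38}\right)^{10} \approx 0.0016,$$

so roughly one attempt in 600 ends in ruin while each successful attempt
nets only $1; the roughly 600 one-dollar wins expected before that happens
do not cover the bankroll lost when it does, which is the
bankrupt-before-the-goal outcome described in the quoted reply.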

------------------------------

From: Frog2 <[EMAIL PROTECTED]>
Date: 2 Mar 2001 21:08:21 -0000
Subject: Re: Text of Applied Cryptography
Crossposted-To: alt.anonymous.messages,alt.security.pgp,talk.politics.crypto

On 2 Mar 2001, [EMAIL PROTECTED] (Mike Marshall) wrote:
>Heck, I just lined up to pay $50.00 for a copy down at
>the news stand... Isn't Bruce still kind of counting on that?

Did the same. It's worth it!

>
>-Mike




------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Super strong crypto
Date: Fri, 2 Mar 2001 20:33:04 GMT

David Wagner wrote:
> The attack assumed that, *for a limited time only*, you have
> control over what is transmitted and received.  Then, the
> attack permits the adversary to continue reading traffic even
> after the adversary loses access to the encryption and decryption
> oracle.  This result is simply not possible without cryptanalysis.

Since, as you yourself said, "the above attack clearly works only
under a very restrictive threat model, and I don't think it is
going to be feasible too often in practice," I'm not too worried
about it.  The same sort of attack could be mounted under the
same circumstances against any of the standard chaining modes
with comparable expectations.

It also seems that it would take many tries before obtaining a
"right pair", so the "limited time" might need to be large enough
for the compromise to be noticed.  Also, insertion of C' disrupts
the chaining process, so K* is no longer relevant; the channel
needs to be resynchronized (with a new IV = K*).  (One learns
from studying C/A the danger of retransmitting garbled signals
using the same key.)

> My attack is just a straightforward chosen-plaintext/ciphertext
> attack, and the attack is no less relevant than any other
> chosen-plaintext/ciphertext attack.  There's nothing bogus here.

I didn't say it was bogus, I said it requires a very high degree
of intrusion already, so the strength of the encryption itself
becomes a secondary factor under those circumstances (i.e. it's
not the weakest link in the system).

> I assumed you were familiar with the standard justification
> for why chosen-plaintext/ciphertext attacks are a concern, but
> should I explain it in more detail?

By all means, if it will make it more plausible that such a
situation could arise.

------------------------------

From: Jim Taylor <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Fri, 02 Mar 2001 21:26:28 GMT

Sometimes I wonder about these groups. Are you all drug dealers or
something?  What would be so bad about the FBI or NSA, with considerable
effort and expense, being able to decrypt a PGP message?  Aren't they the
good guys trying to protect _us_ against spies, terrorists and organized
crime?  If they had an encrypted message in their hands detailing a plan to
nuke your city, none of you would want them to be able to decrypt it?

As long as the cost for decrypting a PGP message is too high to go looking
for petty crimes, so what if they could decode one if they wanted to?  They
would never let the cat out of the bag that they had the ability for even
someone like Hanssen, so I think all your porno is safe.

Don't get me wrong, I use and like PGP, but it's not the NSA and FBI that I
worry about. I simply want to keep some things private from co-workers, ISP
employees and the like, and there's no doubt that PGP works very well for
that.

--
Jim Taylor

------------------------------

From: [EMAIL PROTECTED] (Ben Cantrick)
Subject: Re: Completly wiping HD
Date: 2 Mar 2001 14:34:20 -0700

In article <[EMAIL PROTECTED]>,
David Griffith  <[EMAIL PROTECTED]> wrote:
>I wish to completely wipe a 2gig hard disk. There is now no data I want to
>keep, however neither do I want anything to be recoverable.
>I thought a linux boot disk, root fs from a ramdisk, with a shell
>script doing this kind of thing
>
>dd if=/dev/random of=/dev/hda
>dd if=/dev/zero of=/dev/hda
>
>Is this enough to wipe it clean?

  First, there are linux distros that fit on a single floppy. No point
in having both a boot and root disk for this simple an operation.

  Second, realize that two wipes like this are probably not going to be
sufficient to wipe the disk enough so that truly determined snoopers
can't recover it. Even back in the mid 80's, Norton's diskwipe(?) program
did *seven* wipes, and there are probably government agencies somewhere
that can still recover some data off a hard disk that's been wiped that
many times.

  A better strategy might be:

  1. Overwrite with all 1 bits
  2. Overwrite with all 0 bits
  3. Overwrite with all random bits
  4. Repeat 1-3 as many times as your paranoia deems necessary.[1]

  I would also have the shell script do "sync;sync" in between each
step to ensure the sectors actually get written to the disk, instead
of being left in the disk cache.

=====
[1] A hundred times seems like a good number to me.[2]
[2] "I say we take off and nuke the site from orbit. It's the only way
to be sure."

>Is /dev/urandom enough so as not to run out random data?

  It depends on how much certainty you need that the data is truly entirely
gone. Most implementations of the Linux kernel random number generator that
feed /dev/urandom are either weak or else need a source of true randomness
(a person clicking the mouse, etc...) to keep enough entropy in the RNG to
make its output random enough. If you just pop this disk in to the drive
and turn the computer on, there's not much randomness there.

  Fortunately, repeated over-writes by even a half decent pseudo-random
stream should be plenty good to deter casual snoopers. Almost anyone not
willing to actually open up the hard drive should be foiled by one good
"ones, zeros, random" overwrite.

  Moving up the ladder, if they're more serious they can send the drive
to a place like http://www.drivesavers.com/. In this case you may need to
do several over-writes to make it not worth their time to recover the data.
You can call 'em up and ask how many over-writes they think it would take
to make the disk sufficiently noisy to make recovery impractical. 

  Finally, at the high end of the threat scale are those entities with
very large amounts of time, money, and computing power (large corporations,
governments) who can afford to have their own clean rooms and spend as
much time in it and as much time on a super-computer as they want to pick
the bits out of the noise. In this case I don't have a good guess as
to how many over-writes you need. A lot, obviously.

  Really, if you're trying to protect against the data being recovered by
anyone with more resources than, say, a medium sized company, the easiest
way to ensure the data will never be recovered is to destroy the platters
in the hard drives. Take the hard disk out of the computer, open it up,
take out the platters, and rub them with steel wool or sandpaper until
all the brown magnetic media has been scratched off.

  You can melt them down, too, but you're probably going to have to
hand them off to someone else in order for that to happen, and what's
to stop that person from selling that hard drive on the sly once they
have it?


          -Ben
-- 
Ben Cantrick ([EMAIL PROTECTED])        |   Yes, the AnimEigo BGC dubs still suck.
BGC Nukem:     http://www.dim.com/~mackys/bgcnukem.html
The Spamdogs:  http://www.dim.com/~mackys/spamdogs
http://www.clark.net/pub/mjr/pubs/fwfaq/index.htm
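Added example, not from the original post or its author: the "ones, zeros,
random" overwrite cycle described above, with "sync;sync" between passes, as
a POSIX shell script. It assumes coreutils-style dd, tr, head and wc, and
blockdev(8) when the target is a block device. The target argument may be a
regular file, which is the safe way to try it; pointed at a device such as
/dev/hda it overwrites everything on that device, which is what the
original poster asked for.

```shell
#!/bin/sh
# Added example (not from the original post): the "ones, zeros, random"
# overwrite cycle with sync between passes. Assumes coreutils-style dd,
# tr, head and wc, and blockdev(8) when the target is a block device.
# Usage: wipe.sh TARGET [ROUNDS]   -- TARGET may be a regular file
# (safe for trying it out) or a device such as /dev/hda (destructive).

target_size() {
    # Size in bytes of a regular file or a block device.
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# One endless stream per pattern; head -c cuts it to the target size.
ones_stream()   { tr '\000' '\377' < /dev/zero; }
zeros_stream()  { cat /dev/zero; }
random_stream() { cat /dev/urandom; }

wipe_pass() {
    # Overwrite $1 once with pattern $2 (ones | zeros | random), then flush.
    tgt=$1
    case $2 in
        ones|zeros|random) ;;
        *) echo "wipe_pass: unknown pattern '$2'" >&2; return 1 ;;
    esac
    size=$(target_size "$tgt") || return 1
    # conv=notrunc keeps a regular file's length unchanged so the whole
    # original extent is overwritten rather than truncated and rewritten.
    "${2}_stream" | head -c "$size" \
        | dd of="$tgt" bs=65536 conv=notrunc 2>/dev/null || return 1
    # The post's "sync;sync": push buffered sectors out to the disk.
    sync; sync
}

wipe_target() {
    # Run the ones -> zeros -> random cycle $2 times (default 1) over $1.
    tgt=$1
    rounds=${2:-1}
    i=0
    while [ "$i" -lt "$rounds" ]; do
        for p in ones zeros random; do
            wipe_pass "$tgt" "$p" || return 1
        done
        i=$((i + 1))
    done
}

bytes_other_than() {
    # Number of bytes in $1 whose value is not the octal $2 (e.g. 377 or
    # 000); 0 means the pass reached every byte of the target.
    tr -d "\\$2" < "$1" | wc -c | tr -d ' '
}

if [ "${1:-}" ]; then
    wipe_target "$1" "${2:-1}"
fi
```

The bytes_other_than helper only confirms that a pass touched every byte of
the target; it says nothing about what a recovery lab can still read from
the platter, which is the part of the post that the overwrite count is
about.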

------------------------------

From: "kroesjnov" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Fri, 2 Mar 2001 22:44:28 +0100

> Sometimes I wonder about these groups. Are you all drug dealers or
> something?  What would be so bad about the FBI or NSA, with considerable
> effort and expense, being able to decrypt a PGP message?  Aren't they the
> good guys trying to protect _us_ against spies, terrorists and organized
> crime?  If they had an encrypted message in their hands detailing a plan to
> nuke your city, none of you would want them to be able to decrypt it?
>
> As long as the cost for decrypting a PGP message is too high to go looking
> for petty crimes, so what if they could decode one if they wanted to?  They
> would never let the cat out of the bag that they had the ability for even
> someone like Hanssen, so I think all your porno is safe.
>
> Don't get me wrong, I use and like PGP, but it's not the NSA and FBI that I
> worry about. I simply want to keep some things private from co-workers, ISP
> employees and the like, and there's no doubt that PGP works very well for
> that.

Could not agree more with you.
Although I am not an American, I would not mind if the BVD (Dutch National
Intelligence service) had this ability.
I think they (like any other country's national intelligence service) should
try their very best to make this possible...

Comments are welcome.

(Sorry about the spelling, but the spelling checker of Outlook Express
just ain't that good, and my English is far from perfect...)

"Wisdom lies not in obtaining knowledge, but in using it in the right way"

kroesjnov
email: [EMAIL PROTECTED] (remove nov to reply)
UIN: 67346792
pgp fingerprint: 4251 4350 4242 7764 80DA  DB1C E2B2 850A DF15 4D85



------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Fri, 02 Mar 2001 21:52:25 +0000

Jim Taylor wrote:
> 
> Sometimes I wonder about these groups. Are you all drug dealers or
> something?  What would be so bad about the FBI or NSA, with considerable
> effort and expense, being able to decrypt a PGP message?  Aren't they the

Many people and companies feel that they have the right and should have
the ability to decide who gets access to their information.  If the FBI
can break encryption, then it's likely that foreign governments and large
companies and some individuals can also break the same encryption.  The
NSA scenario is a bit different: if you've determined or decided that your
data is safe from the NSA, then there's a good chance that it's safe from
anybody... not that you necessarily want to keep it from the NSA, but it's
useful to consider them as a very high skill benchmark.

In addition, suppose the FBI or CIA or NSA <can> read your data.  In
this case, you no longer have access control on further dissemination.
To whom would Hanssen or Ames or the Walkers have been willing to sell
your information?  How confident are you that Hanssen was the last
traitor with a security clearance?

> good guys trying to protect _us_ against spies, terrorists and organized
> crime?

Yes and no.  As noted above, some of them <aren't> good guys.  Further,
most of the Bill of Rights is in place specifically to defend citizens
against abuse by the government and its functionaries, so the founding
fathers themselves were at least as suspicious of authority as we are.

Some people keep saying that there's no reason for the people to have
good encryption -- that we can trust the government.  I assume these
are the same people who give the keys to their homes and businesses and
safe-deposit boxes to the local sheriff to allow him to get in quickly
if he suspects there is some threat to their well-being that he may need
to address.
-- 
        Jim Gillogly
        Sterday, 10 Rethe S.R. 2001, 21:40
        12.19.8.0.6, 6 Cimi 9 Kayab, Sixth Lord of Night

------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: super-stong crypto, straw man phase 2
Date: Fri, 02 Mar 2001 21:44:23 GMT

> That's the problem; you cannot prove that.

It is not a problem for me.  The set of terrible things that I cannot
prove do not exist is infinite.  I cannot prove that there is no Loch Ness
monster.  I cannot prove that there are no dragons, but I do not worry
about them very much.  They have been reported in the area, but I do not
build my castle stronger than necessary to protect me from bears and
brigands in anticipation of them.

> Sure, *some* key
> distribution protocols are flawed and *some* cipher "modes"
> have exploitable flaws, in which case the enemy has an easier
> job than resorting to pure cryptanalysis.  But what about the
> other cases?  The typical symmetric cipher is known to resist
> only the stupidest kinds of cryptanalysis (or else we would
> pick another cipher), and has no protection against *unknown*

Perhaps.  However, as best I know, the DES, for example only, has
withstood all other attacks but that stupid one for twenty-five years.
That may not be a very long time, but it is sufficiently long to convince
me that any "unknown" attack which it has not resisted is clever as well
as secret.  I can only speculate about the existence of such "unknown" but
necessarily clever techniques that DES has not withstood.  In order to
worry about them, I must assume that they exist, that they remain secret
for a material amount of time, and that they are cheaper to use than
duplicity, coercion, or force.  One must live with that which one cannot
foresee and for which one has no "known" (your word, not mine) defense.

> (to us, not to the enemy)

I know the enemy; he _is_ us.  Are you asking me to believe in another
enemy too?  One that is significantly more clever than us?  Does he have
wings?  Breathe fire?  Is he terrestrial?

> cryptanalytic techniques.  That makes
> the cipher method (algorithm) itself a potentially weak link.

I will certainly grant you that there is such a potential.  Will you grant
me that such a potential is on a par with the existence of dragons?

> If we can do something about that, it behooves us to do so.

Again, I grant you your premise; it is irrefutable.  What is your
proposal?

You ask me to assume that such an attack exists, that it is cheaper or
more likely than the attacks that I already know about and for which I may
have no efficient defense, and then you ask me to assume that "we can do
something about it."  Is it too much to ask that we resolve at least one
of these dimensions of uncertainty before going on to the others?  Do you
object if, in the meantime, I continue to focus on bears and brigands
while ignoring the threat of dragons?

You would have me believe that while I can never know about unknown
attacks, I may be able to prove that I am immune to all attacks.  (And
that you can do it in that tiny space between practical and provable in
the OTP.)  That you can conceive it and assert it does not convince me
that it is worth pursuing.

Which of us is in the position of demanding that we know that which we do
not know?  Before you know something, how do you know that it belongs to
the set of knowable things?  Which of us is in the position of demanding
that we know that which you admit to be unknown and which may be
unknowable?  Which of us is demanding that the other prove a negative?
If it is me, please just tell me so and I will quit the field.  I am not
enjoying this very much in any case.

Do we understand each other or am I still missing something?  Am I being
unreasonable?  Are you asking me to do something other than speculate?  If
you could have me say anything that you wanted me to say, what would it
be?



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
