Cryptography-Digest Digest #881, Volume #13      Tue, 13 Mar 01 09:13:00 EST

Contents:
  Prime to use with SRP ("Henrick Hellström")
  Re: GPS and cryptography (ObiTwo)
  Re: Encrypt then HMAC or HMAC then Encrypt? (Mark Currie)
  Re: Is this book interesting (Frank Gerlach)
  Re: Is this book interesting ("M.S. Bob")
  Re: Popularity of AES (Mark Currie)
  Re: One-time Pad really unbreakable? (Frank Gerlach)
  Re: Text of Applied Cryptography .. do not feed the trolls ("Tom St Denis")
  Re: => FBI easily cracks encryption ...? (Frank Gerlach)
  Re: Instruction based encryption ("Tom St Denis")
  Re: Is this book interesting (Tim Tyler)
  Re: New unbreakable code from Rabin? (Tim Tyler)
  Re: Quantum Computing & Key Sizes (DJohn37050)
  Re: New unbreakable code from Rabin? (Tim Tyler)
  Re: Text of Applied Cryptography .. do not feed the trolls (Daniel James)
  Re: Online Poker RNG (Tony L. Svanstrom)

----------------------------------------------------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Prime to use with SRP
Date: Tue, 13 Mar 2001 12:38:02 +0100

The specification of SRP mentions that the generator to be used should be a
primitive root of Z(p). Otherwise a partition attack is possible on B =
(g**b + v) mod p.

I was wondering how this requirement complies with a selection of p such
that p = 2q+1, where q is also a prime? Should such primes not be used in
conjunction with SRP, should the generator g = 2 be used to comply with the
specification (but possibly reveal quadratic residues in other messages
given that 2 is a primitive root), or would it in this case be fairly safe
to use g = 4?

Would it really be possible to accumulate knowledge based on the observation
that B is (or, in the other one half of the cases, is not) of order q,
provided that p is a 1024 bit integer? If so, how often would one have to
change password (or at least salt) to prevent such an attack?

--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com
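
The partition concern in the question above, as an added example that is not
part of Henrick's post and not the SRP specification's own code. It models
B = (g**b + v) mod p over a tiny safe prime and runs the eavesdropper's
residuosity filter against a constructed password dictionary, once with a
generator of order q and once with a primitive root. The prime, salt,
dictionary and the SHA-256 password-to-x mapping are stand-ins chosen for
readability, not the spec's values.

```python
"""Toy model of the partition attack the SRP spec guards against.

p = 2q + 1 is a safe prime, the verifier is v = g^x mod p, and the server's
message is B = (g^b + v) mod p.  If g has order q, every g^b is a quadratic
residue, so an eavesdropper holding a guessed verifier v' can drop the guess
whenever B - v' is a non-residue; each observed B halves the dictionary.  If
g is a primitive root, g^b is a residue only half the time and the test says
nothing.  Prime, salt, dictionary and the SHA-256 password-to-x mapping are
constructed stand-ins (added example, not the original post's or the spec's).
"""
import hashlib
import random

P = 2027          # safe prime 2 * 1013 + 1; P = 3 (mod 8), so 2 is a primitive root
Q = (P - 1) // 2  # 1013


def is_prime(n: int) -> bool:
    """Trial division; plenty for toy sizes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_qr(a: int, p: int) -> bool:
    """Euler's criterion: non-zero a is a quadratic residue mod p iff a^((p-1)/2) = 1."""
    return pow(a % p, (p - 1) // 2, p) == 1


def is_primitive_root(g: int, p: int, q: int) -> bool:
    """For p = 2q + 1, g generates all of Z_p^* iff neither g^2 nor g^q is 1."""
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def has_order_q(g: int, p: int, q: int) -> bool:
    """g generates only the order-q subgroup (the quadratic residues)."""
    return g % p != 1 and pow(g, q, p) == 1


def fraction_of_residues(g: int, p: int) -> float:
    """Share of exponents b in [1, p-2] for which g^b mod p is a quadratic residue."""
    hits = sum(1 for b in range(1, p - 1) if is_qr(pow(g, b, p), p))
    return hits / (p - 2)


def verifier(password: bytes, salt: bytes, g: int, p: int) -> int:
    """Toy x = SHA-256(salt || password) mod (p-1); v = g^x mod p."""
    x = int.from_bytes(hashlib.sha256(salt + password).digest(), "big") % (p - 1)
    return pow(g, x, p)


def server_challenge(v: int, g: int, p: int, rng: random.Random) -> int:
    """One server message B = g^b + v mod p with a fresh random b."""
    b = rng.randrange(1, p - 1)
    return (pow(g, b, p) + v) % p


def partition_attack(candidates, salt: bytes, observed, g: int, p: int) -> list:
    """Eavesdropper's filter: keep guesses whose B - v' is a residue for every B seen.

    Only sound when g^b is always a residue, i.e. when g has order q.
    """
    survivors = []
    for pw in candidates:
        v_guess = verifier(pw, salt, g, p)
        if all(is_qr(B - v_guess, p) for B in observed):
            survivors.append(pw)
    return survivors


def simulate(g: int, n_observations: int, seed: int = 1):
    """Run the filter against a constructed 64-word dictionary; return (survivors, true_pw)."""
    rng = random.Random(seed)
    salt = b"constructed-salt"
    dictionary = [b"password%02d" % i for i in range(64)]
    true_pw = dictionary[17]
    v = verifier(true_pw, salt, g, P)
    observed = [server_challenge(v, g, P, rng) for _ in range(n_observations)]
    return partition_attack(dictionary, salt, observed, g, P), true_pw


if __name__ == "__main__":
    for g in (4, 2):
        survivors, true_pw = simulate(g, n_observations=8)
        kind = "order q" if has_order_q(g, P, Q) else "primitive root"
        verdict = "survives" if true_pw in survivors else "is wrongly rejected"
        print(f"g={g} ({kind}): {len(survivors)}/64 guesses pass 8 observed B values; "
              f"true password {verdict}")
```

With g = 4 the true password always survives and the wrong ones are halved
per observed B, so eight passive observations of a 64-word dictionary leave
about one candidate: the information leaks from the messages alone, with no
change of salt or password in between. With g = 2 the same test rejects the
true password roughly half the time, which is another way of saying that the
residuosity of B - v' carries no information when g generates all of Z_p^*.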



------------------------------

From: ObiTwo <abuse@localhost>
Subject: Re: GPS and cryptography
Date: Tue, 13 Mar 2001 13:12:25 +0100
Reply-To: spam bait: 
[EMAIL PROTECTED];root@localhost;abuse@localhost;[EMAIL PROTECTED];[EMAIL PROTECTED]

On Mon, 12 Mar 2001 21:02:29 -0400, br <[EMAIL PROTECTED]> wrote:

>What do you think about using the Global Positioning System (GPS) as key to
>encryption?
>You can read a message only if your computer is in a pre-defined area or
>point on the earth.
>I'm waiting for comments

This is not about the original subject of the thread, but about a
lateral thinking: isn't the data stream from a GPS satellite a
pseudorandom sequence of bits? If I remember correctly, it is so. In
this case, couldn't one use it as the source of pseudorandom bits for
Rabin's latest "unbreakable" cryptographic scheme? Of course, one
would have to trust that the sequence is really pseudorandom, which as
far as I understand cannot be demonstrated from the sequence alone.


------------------------------

Subject: Re: Encrypt then HMAC or HMAC then Encrypt?
From: [EMAIL PROTECTED] (Mark Currie)
Date: 13 Mar 2001 12:32:54 GMT

It is application dependent. I see now that Bjorn was referring to storage. In
this case it may not matter too much (sorry). My comments were really based on
mainstream comms/transaction applications.

The only other point that I would like to make wrt comms/transactions though, 
is that it is better to encrypt the MAC if you are going to store transactions 
for later authentication. The long term security of the MAC key is helped by 
the fact that a comms attacker has the problem of first having to crack the 
encryption before being able to crack the authentication.

Mark

In article <98kods$s8a$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
>Bjorn Forsberg wrote:
>
>> I am storing an encrypted data packet. Typically small (less than 1K
>> FWIW). I am encrypting the data, then taking an HMAC of the encrypted
>> data plus other plain text data. The HMAC is appended to the plain text
>> data and cipher text data over which it operates.
>> 
>> I know SSL takes an HMAC of data then encrypts everything including the
>> HMAC. I can't see anything really definitive that would say that one
>> method is better over the other?
>> 
>> Can someone please give me some good reasons to pick one way vs the
>> other?
>> 
>> Thank you.
>> 
>> Bjorn Forsberg
>> 
>
>In the DHAES encryption scheme (from a paper by Abdalla, Bellare and 
>Rogaway) the MAC is computed after encryption, and the decryption is only 
>done after the MAC has been verified.
>
>This differs from what the previous replies said, so apparently there is no
>consensus. I guess cases can be made for each choice.
>
>Sincerely,
>
>Bob Deblier
>Virtual Unlimited
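
The arrangement Bjorn describes, encrypt first and then HMAC the ciphertext
together with the plaintext data that travels with it, written out as an
added example that is not from the thread or from any of the posters. The
cipher is a toy stand-in (HMAC-SHA256 run in counter mode as a keystream) for
whatever block or stream cipher the application actually uses; the packet
layout, the SHA-256 choice and the key-derivation labels are assumptions.

```python
"""Encrypt-then-MAC laid out the way Bjorn describes it: the HMAC covers the
ciphertext and the plaintext header that travels with it, and the receiver
verifies before it decrypts.  Added example, not from the thread.

The cipher is a toy stand-in (HMAC-SHA256 in counter mode as a keystream)
for whatever block or stream cipher the application really uses; the
packet layout, the SHA-256 choice and the key labels are assumptions.
What matters is the rest: separate cipher and MAC keys, the header under
the tag, verify-before-decrypt, and a constant-time compare.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: bytes) -> tuple:
    """One master key, two roles: never reuse the cipher key as the MAC key."""
    k_enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream_xor(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = HMAC(k_enc, nonce || i), XORed into data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_enc, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(master: bytes, header: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt, then MAC header || nonce || ciphertext.

    Packet layout: 2-byte header length || header || nonce || ciphertext || tag.
    """
    k_enc, k_mac = derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = keystream_xor(k_enc, nonce, plaintext)
    body = len(header).to_bytes(2, "big") + header + nonce + ciphertext
    tag = hmac.new(k_mac, body, hashlib.sha256).digest()
    return body + tag


def unseal(master: bytes, packet: bytes) -> tuple:
    """Check the tag over the whole body first; decrypt only after it verifies."""
    k_enc, k_mac = derive_keys(master)
    if len(packet) < 2 + NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(k_mac, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")   # nothing decrypted, nothing leaked
    hlen = int.from_bytes(body[:2], "big")
    header = body[2:2 + hlen]
    nonce = body[2 + hlen:2 + hlen + NONCE_LEN]
    ciphertext = body[2 + hlen + NONCE_LEN:]
    return header, keystream_xor(k_enc, nonce, ciphertext)


def tamper_is_detected(master: bytes, packet: bytes, offset: int) -> bool:
    """Flip one bit at `offset` (header, nonce, ciphertext or tag) and see whether unseal rejects it."""
    damaged = bytearray(packet)
    damaged[offset] ^= 0x01
    try:
        unseal(master, bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    master = os.urandom(32)
    pkt = seal(master, b"record-id=42", b"balance=1000")
    print(unseal(master, pkt))
    print("header tamper detected:", tamper_is_detected(master, pkt, 2))
    print("ciphertext tamper detected:", tamper_is_detected(master, pkt, 2 + 12 + NONCE_LEN))
```

Because the tag is checked over the complete body before any decryption, a
forged or modified packet is rejected without the cipher ever being run on
attacker-chosen input, which is the property the DHAES ordering Bob mentions
is after. If, as Mark suggests for stored transactions, the tag itself should
not be visible either, the whole packet can be wrapped in a further layer of
encryption; the verify-before-decrypt order inside it is unchanged.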


------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Is this book interesting
Date: Tue, 13 Mar 2001 13:44:27 +0100

dexMilano wrote:
> 
> I'm looking for a light book on History of cryptography.
> What about " The code book" from Simon Singh?
Isn't that fiction (i.e. not exact history)? (haven't read it, so I am
not sure)
> 
> Any other suggestion?
 NSA: 

     1. "The Puzzle Palace" by James Bamford

Britain's GCCS (now GCHQ) and Alan Turing in WW2:

     2. "Alan Turing: The Enigma" by Andrew Hodges

Although these books are not comprehensive historic books, they give you
some insight into the operations of the two top sigint/crypto
organizations.
They also have quite some historic info on their websites www.nsa.gov
and www.gchq.gov.uk

------------------------------

From: "M.S. Bob" <[EMAIL PROTECTED]>
Subject: Re: Is this book interesting
Date: Tue, 13 Mar 2001 12:42:26 +0000

dexMilano wrote:
> 
> I'm looking for a light book on History of cryptography.
> What about " The code book" from Simon Singh?
> 
> Any other suggestion?

The Code Book is a good light introduction to the broad history of
cryptography. 

For an encyclopedic history of cryptography, _The Codebreakers: The
Comprehensive History of Secret Communication from Ancient Times to the
Internet_ by David Kahn (2nd ed 1996 ISBN: 0684831309).

Both of these focus on history and do not require any math background to
understand.

There are numerous books that focus on World War II, the Enigma, and
cryptography. I don't have a favorite, maybe someone else can mention
their preferences.

For modern cryptography (1970's to present) _Crypto: How the Code Rebels
Beat the Government - Saving Privacy in the Digital Age_ by Steven Levy
(2001 ISBN: 0670859508)
which is a light enjoyable read that picks up about where Kahn's
Codebreakers falls off.

Enjoy.

------------------------------

Subject: Re: Popularity of AES
From: [EMAIL PROTECTED] (Mark Currie)
Date: 13 Mar 2001 12:59:15 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
>
>A superficial look at the core specification of MeT 
>(mobile electronic transactions) released on 21 Feb shows
>that the list of supported crypto algorithms consists of 
>RC5, DES, 3DES and IDEA. Does anyone know why AES is not 
>on the list? Thanks.

From what I hear, banks will continue to use 3DES for transactions and only use
AES for securing long-term secrets. Given the fact that banks are only now
upgrading to 3DES, it may be true for a long time to come.

Mark


------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Date: Tue, 13 Mar 2001 13:58:37 +0100

Tim Tyler wrote:

> Nope.  The proof of perfect secrecy rests on the availability of a shared
> unguessable stream.  No such thing has ever been demonstrated to exist.
> 
> Consequently the proof of secrecy of the OTP cannot be transferred onto
> real-world systems used for actual communication without qualifications
> being made.
Then you also cannot trust any other crypto system, as you cannot be
sure your key has been created in a (deterministically or not) random
process.
The question of determinism and proper key generation applies to OTP as
much as to any other crypto system. It is absolutely pointless to blame
bad physical random key generators on OTP, as they affect any other
crypto system as much as (maybe even more than) OTP.

Paper&pencil based OTP will most probably be the only method which one
can trust in a time of extremely powerful antennas and signal
processing. Maybe some organizations don't like that and try to spread
rumors...

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Text of Applied Cryptography .. do not feed the trolls
Date: Tue, 13 Mar 2001 13:20:30 GMT


"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
> > Tom St Denis wrote:
> > > Don't give me that dead tree crap.
> >
> > Not only are trees renewable resources, and paper printing
> > technology much more highly developed and easier on the eyes
> > than computer-based documents, but also it takes quite a
> > lot of *non*renewable resources to make a computer.
>
> Yeah, but I already have a computer.  Are you saying it's going to use
> more resources for me to download a few megabytes of electrons than to
> print several pounds of paper and get someone put the printout on a
> fossil-fuel-burning airplane and have it delivered to me?

Ahh but at the same time 100,000 books are shipped on that plane...

Tom



------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Tue, 13 Mar 2001 14:18:42 +0100

Phil Zimmerman wrote:

> BTW, I usually use 4096 length. Anyone have any comments on which algorithm
> they prefer? TwoFish, AES, CAST, IDEA, TripleDES???
Normally the KGB uses OTPs. Maybe Hanssen forgot to destroy the used
pads, or even worse, used them twice. Or the KGB still employs some
secretaries poking on a typewriter to create the pads...

Or maybe the NSA tries to do some FUDing about PGP.
If they had broken PGP, they would *never ever* reveal it to the public.
I guess they would not even tell the FBI, because the FBI is by no means
as secretive as the NSA. Check the nuclear spies and VENONA. They didn't
make it public for a very long time, because even nuclear secrets are
worth less than a successful exploit of a critical crypto system.

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Instruction based encryption
Date: Tue, 13 Mar 2001 13:25:01 GMT


"Michael Brown" <[EMAIL PROTECTED]> wrote in message
news:EBlr6.915$[EMAIL PROTECTED]...
> Hi there,
>
> I brought up this topic a while ago, and never followed up on it much.
> Here's a description of the algorithm. I have implemented it in Delphi (just
> tell me if you want the source), but I'm converting it to FreePas so that
> most people can use it (I know you guys don't like binaries!). A C port
> might come sometime this century (I hate C, but I'll do it if I'm forced :)
>
> <=== BEGIN ALGORITHM ===>
>
> Each 128 bit key is made up of 16 "instructions", each of length 8 bits. The
> instructions go from the most significant bit down to the least significant
> bit. The first 3 bits of each instruction are the instruction, x, and the
> next 5 bits are the parameter n.

This won't work.  Algorithms defined by their keys are normally weak since a
subset of keys will define completely linear or differentially weak ciphers.

>
> Instruction table
> x
> 0  Xor with previous <n> plaintext bits
> 1  Xor with previous <n> ciphertext bits
> 2  Add previous <n> plaintext bits (under mod 256)
> 3  Add previous <n> ciphertext bits (under mod 256)
> 4  Subtract previous <n> plaintext bits (under mod 256)
> 5  Subtract previous <n> ciphertext bits (under mod 256)
> 6  Rotate left <n> bits
> 7  Rotate right <n> bits
>
> The initial "previous plaintext" and "previous ciphertext" are both just
> repetitions of the key.
>
> "Mash" key according to the following method:
>   Xor key with previous 128 bits of plaintext
>   Repeat 11 times: Key = Key XOR (Key ROR 11)
>   (ROR = rotate right)
>
> This key mashing is done every 128 bytes.

Is the key mashing invertible?

> <=== BEGIN NOTES ===>
>
> The 128 byte key mashing is just a number I pulled out of the air, so quite
> possibly is not enough or too often.

byte key? or bit key?  Having the user make 128-bytes of entropy would be a
pain.

> The instruction table is quite possibly insecure, having both rotate left
> and rotate right.

Note that rotate right = n-bit - rotate left

Tom
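
Tom asks whether the key mashing is invertible. The following is an added
example, not Michael's Delphi code and not Tom's: it implements only the
mashing step as posted (a 128-bit key, XOR with the previous 128 bits of
plaintext, then eleven rounds of key = key XOR (key ROR 11)) over Python
integers and settles the question by linear algebra over GF(2). Rotation and
XOR are both linear, so the eleven rounds compose to one linear map, and the
dimension of its kernel says how many keys mash to the same value.

```python
"""Added example, not Michael's Delphi code: just the key-mashing step as
posted, modelled over 128-bit integers, plus a linear-algebra check of
whether it is invertible.

Round function as posted: key = key XOR (key ROR 11), repeated 11 times,
after XORing in the previous 128 bits of plaintext.  Rotation and XOR are
both linear over GF(2), so the eleven rounds compose to one linear map on
128-bit vectors; the size of its kernel is the number of keys that mash to
the same value.
"""
WIDTH = 128
MASK = (1 << WIDTH) - 1


def ror(x: int, n: int) -> int:
    """Rotate a WIDTH-bit value right by n."""
    n %= WIDTH
    return ((x >> n) | (x << (WIDTH - n))) & MASK


def mash(key: int, prev_plaintext: int = 0, rounds: int = 11) -> int:
    """Key mashing exactly as described in the post."""
    key = (key ^ prev_plaintext) & MASK
    for _ in range(rounds):
        key ^= ror(key, 11)
    return key


def gf2_rank(vectors) -> int:
    """Rank of a list of bit-vectors (ints) over GF(2): eliminate on the leading bit."""
    pivots = {}  # leading-bit position -> pivot vector
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead in pivots:
                v ^= pivots[lead]
            else:
                pivots[lead] = v
                break
    return len(pivots)


def mash_kernel_dimension(rounds: int = 11) -> int:
    """Dimension of {z : mash(z) == 0}; mash(k) == mash(k ^ z) for every such z.

    The columns of the map's matrix are the images of the unit vectors.
    """
    columns = [mash(1 << i, 0, rounds) for i in range(WIDTH)]
    return WIDTH - gf2_rank(columns)


def colliding_keys(key: int) -> list:
    """Two partners of `key` that mash identically whatever the plaintext was:
    key XOR all-ones (fixed by any rotation), and key XOR a byte repeated 16
    times (fixed by rotation by 8, hence killed by the eighth round onward)."""
    return [key ^ MASK, key ^ int.from_bytes(b"\xa5" * 16, "big")]


if __name__ == "__main__":
    k = 0x0123456789ABCDEF0123456789ABCDEF
    dim = mash_kernel_dimension()
    print(f"one round: kernel dimension {mash_kernel_dimension(1)}")
    print(f"eleven rounds: kernel dimension {dim}, so {2 ** dim} keys mash to each value")
    for partner in colliding_keys(k):
        print(f"mash({k:#034x}) == mash({partner:#034x}): {mash(k) == mash(partner)}")
```

So the answer to Tom's question is no: a single round already sends both a
key and its complement to the same value, and after eleven rounds the kernel
has dimension 11, meaning 2048 distinct 128-bit keys collapse onto each
mashed key. The two partners returned by colliding_keys are just the easiest
members of that kernel to write down.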



------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Is this book interesting
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Mar 2001 13:25:26 GMT

Frank Gerlach <[EMAIL PROTECTED]> wrote:
: dexMilano wrote:

:> I'm looking for a light book on History of cryptography.
:> What about " The code book" from Simon Singh?
:
: Isn't that fiction (ie. not exact history) ? (haven't read it, so I am
: not sure)

Not fiction (though no history is exact).

One of the more popular modern fiction books dealing with crypto is
"Cryptonomicon" - you may be thinking of that.

I believe Mr Singh has another similar book - entitled "The Science of
Secrecy" - which is more explicitly historical.

The content is rather similar to "The Code Book".
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: New unbreakable code from Rabin?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Mar 2001 13:43:57 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> I seem to be justified in describing this claim as "apparently
:> ridiculous".  It doesn't matter /what/ the details of the system
:> proposed are, there's no way such a description can be justified.
:> Provably unbreakable codes are simply not known to exist.

: Perhaps you should read the paper before you criticize the work.

I was criticising Rabin's security claim which I quoted.

: Under certain reasonable assumptions, a scheme such as Rabin's
: does provide "unbreakability", suitably defined.

Suitably redefined to mean "breakable".  Any system where
the attacker stands a non-zero chance of guessing the key - and knowing 
when his guess is correct - does not deserve this description, IMO - since
breaks are obviously possible.
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 13 Mar 2001 13:56:23 GMT
Subject: Re: Quantum Computing & Key Sizes

IBM has built a 7-bit QC, when many people said a 3-bit QC could never be
built.   And there are more ideas to try to take it farther, but who knows how
far it can go.
Don Johnson

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: New unbreakable code from Rabin?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Mar 2001 13:52:04 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Douglas A. Gwyn wrote:

:>  Even though real-world systems are epsilon
:> away from 100% perfect, if epsilon is small enough the system
:> will be good enough to rely upon to meet our actual goals.

: I agree with your second to last sentence but have a little
: bit difficulty with your last sentence. In the case of
: OTP, there seems to be no rigorous method to define and
: measure that epsilon [...]

Our opponents may be attempting to make our epsilon large,
while tricking us into believing it is small.  Under such circumstances,
making reliable measurements can be difficult.
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: Daniel James <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: Text of Applied Cryptography .. do not feed the trolls
Date: Tue, 13 Mar 2001 14:02:45 GMT
Reply-To: [EMAIL PROTECTED]

In article <[EMAIL PROTECTED]>, Sundial Services wrote:
> O'Reilly has experimented with electronic publishing; for example, they
> published about eight different books on Perl in HTML format and put it
> on just one CD-ROM.  It worked tremendously.

Yeah, I've got that. I'd probably have read some of those books by now if 
I'd bought them on paper ... I just spend too many hours a day staring at 
a screen to want to read books that way.

I've also got the DDJ crypto books CD-ROM and have copied Applied Crypto 
to the hard drive of my notebook. It's a valuable reference when I'm 
working away from my own office, but when I'm at home I'll use the paper 
copy for preference.

> It's pretty obvious that paper-in-a-bookstore is neither an efficient
> way to sell technical material; nor an efficient way to consume it. 

Paper books are much more pleasant to read than on-screen material. They 
are easier to annotate. 

Paper books also last longer. I have quite a quantity of reference 
material stored on optical disk. I chose the format because the 
manufacturer (Panasonic/Matsushita) guaranteed the media for something 
like 30 years - they didn't say that drives to read the disks would be 
obsolete and unavailable (and unrepairable) within 10.

Cheers,
 Daniel.
 


------------------------------

Crossposted-To: rec.gambling.poker
Subject: Re: Online Poker RNG
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Tue, 13 Mar 2001 14:07:31 GMT

Graham Ribchester <[EMAIL PROTECTED]> wrote:

> Richard John Cavell wrote in message ...
> >On Thu, 8 Mar 2001, Tim Jones wrote:
> >
> >> How does the RNG work at online poker sites such as Paradise and
> >> Planet?
> >
> >I suspect it would be little more than the Visual C++ rand() function.
> 
> You couldn't be more wrong about Paradise if you think it is a random number
> using C++
> 
> From what I remember when I emailed them that question amongst many. The
> deck is shuffled using a generator which creates the "random" numbers based
> upon the movements of every player's mouse.

Which would mean that a player could do a lil bit of drawkcab compiling
and/or packetsniffing and then feed the server his own "randomness"...
and then he could provide up to 9/10 of the "randomness"...

> After 3 shuffles the deck is
> randomised to a variance of less than 0.01%, then they shuffle it another 7
> times and then deal. So I believe the order of the deck is decided before
> the hand is dealt from what they say. Turn cards and river also being
> decided preflop, much the same way as in a real game.
> 
> Any corrections to this statement will be acknowledged, this is in no way a
> definitive statement over how they operate, just the impression I was given.
> 
> And now for the philosophy.   As everyone you will ever talk to will tell
> you, "there is no such thing as a truly random number". This means that the
> definition of random is obsolete and needs to be redefined. I suggest random
> should be more like a number with which no entity present knowingly affected
> the outcome. Hence (although up for debate :) ) the dealer shuffles the deck,
> he/she had no idea of the order the cards will lie in the deck,
> therefore random. (even though by the old definition it isn't)
> 
> just a bit of fun really :)


        /Tony
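
What Tony's "feed the server his own randomness" looks like in practice, as
an added example that is neither any poker site's code nor from the thread.
It assumes a server that hashes the players' mouse-movement contributions
into a seed and derives the deck order from that seed; the card labels, the
contributions and the hash-driven shuffle are constructed. It also goes one
step beyond the post: a colluding player who contributes last and can see the
other inputs does not merely bias the shuffle, he can grind his own input
until the deal suits him, unless the server folds in entropy of its own that
the clients never see.

```python
"""Added example, not any poker site's code and not from the thread: what
"feeding the server his own randomness" buys an attacker when the shuffle
is seeded from the players' mouse movements.

Model: the server hashes the contributions it received from the clients into
a seed and derives the deck order from that seed.  A colluding player who
contributes last and knows the others' inputs can try many values for his
own input and send the one that deals him pocket aces.  If the server mixes
in entropy of its own that it never discloses, the same grind predicts
nothing.  Card labels, contributions and the hash-based shuffle are
constructed; the shuffle's small modulo bias is irrelevant to the point.
"""
import hashlib

DECK = [r + s for s in "shdc" for r in "23456789TJQKA"]   # 52 cards, "As" = ace of spades


def seed_from_contributions(contributions, server_secret: bytes = b"") -> bytes:
    """SHA-256 over length-prefixed client inputs, plus whatever the server adds itself."""
    h = hashlib.sha256()
    for c in contributions:
        h.update(len(c).to_bytes(2, "big") + c)
    h.update(server_secret)
    return h.digest()


def shuffle_deck(seed: bytes) -> list:
    """Fisher-Yates driven by SHA-256(seed || counter): the deck is a function of the seed alone."""
    deck = DECK[:]
    for i in range(len(deck) - 1, 0, -1):
        word = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:4]
        j = int.from_bytes(word, "big") % (i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


def hole_cards(deck: list, seat: int, n_players: int) -> tuple:
    """Deal one card around the table, then a second: seat gets deck[seat], deck[seat + n]."""
    return deck[seat], deck[seat + n_players]


def grind_last_contribution(others, seat: int, n_players: int, tries: int,
                            attacker_view_of_secret: bytes = b""):
    """The last contributor tries `tries` inputs and keeps the first that deals him A-A.

    He computes the seed as he believes the server does; if the server adds a
    secret he cannot see, his prediction and the real deal diverge.
    Returns (contribution, predicted_deck) or (None, None).
    """
    for t in range(tries):
        mine = b"mouse-" + t.to_bytes(4, "big")
        deck = shuffle_deck(seed_from_contributions(others + [mine], attacker_view_of_secret))
        c1, c2 = hole_cards(deck, seat, n_players)
        if c1[0] == "A" and c2[0] == "A":
            return mine, deck
    return None, None


if __name__ == "__main__":
    others = [b"mouse-data-player-%d" % i for i in range(9)]   # constructed inputs of nine honest players
    mine, predicted = grind_last_contribution(others, seat=9, n_players=10, tries=5000)
    print("attacker found an input that deals him", hole_cards(predicted, 9, 10))
    # Same server, but now it folds in bytes the clients never saw.
    real = shuffle_deck(seed_from_contributions(others + [mine], b"server-only-entropy"))
    print("with a server secret in the mix he actually gets", hole_cards(real, 9, 10),
          "- prediction matched:", real == predicted)
```

Pocket aces come up about once in 221 hands, so a few hundred candidate
inputs are normally enough for the grind when the seed is built only from
what the clients sent. The nine honest players' contributions do not help
them: the attacker sees those inputs and simply treats them as constants.
Once the server adds entropy of its own, the attacker can still submit
whatever he likes, but he can no longer predict what deck it produces.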

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
