Cryptography-Digest Digest #929, Volume #13      Sat, 17 Mar 01 21:13:01 EST

Contents:
  Re: Cesar principle (br)
  Re: IP (David Schwartz)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (wtshaw)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (wtshaw)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (wtshaw)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (wtshaw)
  Re: IP (those who know me have no need of my name)
  Re: Super strong crypto ("Trevor L. Jackson, III")
  Re: IP (David Schwartz)
  Re: IP (Vernon Schryver)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (John Savard)
  Newbie: SSL master secret exchange ("Miki Watts")
  Re: Cesar principle (amateur)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (John Savard)
  Re: Security of IAPM, alone. (David Wagner)
  Re: Newbie: SSL master secret exchange (those who know me have no need of my name)

----------------------------------------------------------------------------

From: br <[EMAIL PROTECTED]>
Subject: Re: Cesar principle
Date: Sat, 17 Mar 2001 18:11:40 -0400

Thank you for your useful comments. 
I'm aware that I have to learn more.


"John A. Malley" wrote:
> 
> br wrote:
> >
> > What if I disguise the level of the bits
> > 0 equal x={x1,x2,x3,x4...xn}
> > 1 equal y={y1,y2,y3,....yn}?
> 
> Now it's a homophonic substitution cipher.
> 
> There's a lot of published information on homophonic substitution
> ciphers and the cryptanalysis of homophonic substitution ciphertext
> available to you :-)
> 
> See Chapter 11, "Simple substitution with complexities", in Helen Fouche
> Gaines "Cryptanalysis, a study of ciphers and their solution".
> 
> See Chapter 7 of "The Handbook of Applied Cryptography", available
> on-line at
> 
> http://cacr.math.uwaterloo.ca/hac/
> 
> See Lessons 1, 2, 3 and 4 of the on-line Classical Cryptanalysis course
> from LANAKI at
> 
> http://www.fortunecity.com/skyscraper/coding/379/lesson1.htm
> 
> 
> A homophonic substitution cipher uses different symbols in the
> ciphertext for a given symbol in the plaintext. A well-formed homophonic
> substitution cipher tries to "even out" or "flatten" the frequencies of
> occurrence of the ciphertext alphabet symbols in its (hopefully clever)
> encoding of the plaintext symbols.
> 
> A homophonic cipher would generally substitute groups of bits and not
> the individual bits 0 and 1.  Groups of bits represent (encode) symbols
> in the plaintext (like ASCII or opcodes in binaries.) Homophonic
> substitution ciphers produce ciphertext longer than the plaintext.
> 
> A homophonic substitution cipher may leak less information on
> frequencies of occurrence of symbols and contact frequencies of symbols
> in the plaintext in the ciphertext compared to a simple Caesar
> substitution, but nonetheless it still leaks valuable information in the
> ciphertext. Digrams and trigrams in the plaintext may show up in the
> ciphertext as certain strings of symbols normally following one another,
> and other strings of symbols never following one another.  In
> conjunction with a known message context, one can still look for
> probable words. Sentence structures in the plaintext appear without
> change in the ciphertext (like  Subject - verb - object.)
> 
> Quoting from a past post, the people in this USENET group can point you
> to beginner, intermediate and advanced books and
> journal articles on the subjects of cryptography and cryptanalysis
> (which together make cryptology).  They can answer questions on some of
> the most arcane corners of mathematics relating to cryptography and
> cryptanalysis.
> 
> They will expect you to put in the time reading and studying the subject
> on your own. They are always willing to help answer questions as you
> make your way through the subject - but it's a journey you make with
> their assisting guidance - no one carries any bags for you, so to speak.
> 
> There is much to learn, it's such an interesting and exciting subject!
> Check into the pointers and references :-)
> 
> Hope this helps,
> 
> John A. Malley
> [EMAIL PROTECTED]
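
The homophonic substitution John Malley describes above, as an added example that is not code from this thread: each letter receives as many two-digit codes as its English frequency percentage, so the single-symbol frequencies of the ciphertext flatten (measured here with the index of coincidence), while the message structure still shows through. The letter-frequency table, the sample plaintext, and the choice to keep word breaks in the ciphertext are all constructed for the example.

```python
"""Homophonic substitution: flattening letter frequencies, and what still
leaks.  Added example; not code from the thread."""
import random
from collections import Counter

# Approximate English letter frequencies in percent (rounded so they sum to
# 100); each letter receives that many of the 100 two-digit codes 00..99.
LETTER_FREQ = {
    "E": 12, "T": 9, "A": 8, "O": 7, "I": 7, "N": 7, "S": 6, "H": 6, "R": 6,
    "D": 4, "L": 4, "C": 3, "U": 3, "M": 2, "W": 2, "F": 2, "G": 2, "Y": 2,
    "P": 1, "B": 1, "V": 1, "K": 1, "J": 1, "X": 1, "Q": 1, "Z": 1,
}
assert sum(LETTER_FREQ.values()) == 100

# Constructed sample plaintext (letters and spaces only).
SAMPLE = ("the quick brown fox jumps over the lazy dog while the cautious "
          "analyst counts every letter in the message and writes down the "
          "digrams that repeat")


def build_homophone_table(seed=1):
    """Deal the 100 codes out in a secret random order (that order is the key);
    a letter with frequency p% receives p codes, so every code is used about
    equally often when the plaintext is ordinary English."""
    rng = random.Random(seed)
    codes = [f"{i:02d}" for i in range(100)]
    rng.shuffle(codes)
    table, pos = {}, 0
    for letter, count in LETTER_FREQ.items():
        table[letter] = codes[pos:pos + count]
        pos += count
    return table


def encrypt(plaintext, table, seed=2):
    """Replace each letter by one of its codes, chosen at random; word breaks
    are kept as spaces to show what that gives away."""
    rng = random.Random(seed)
    words = []
    for word in plaintext.upper().split():
        words.append("".join(rng.choice(table[ch]) for ch in word if ch in table))
    return " ".join(words)


def decrypt(ciphertext, table):
    inverse = {code: letter for letter, codes in table.items() for code in codes}
    words = []
    for word in ciphertext.split():
        words.append("".join(inverse[word[i:i + 2]] for i in range(0, len(word), 2)))
    return " ".join(words)


def codes_of(ciphertext):
    """Split the ciphertext back into its two-digit symbols."""
    return [w[i:i + 2] for w in ciphertext.split() for i in range(0, len(w), 2)]


def letters_of(plaintext):
    return [ch for ch in plaintext.upper() if ch in LETTER_FREQ]


def index_of_coincidence(symbols):
    """Probability that two symbols drawn from the text are equal: about 0.065
    for English letters, near 1/100 for evenly used two-digit codes."""
    n = len(symbols)
    counts = Counter(symbols)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def word_lengths(text, symbol_width):
    """Word-length pattern; identical for plaintext and ciphertext because the
    cipher preserves word breaks, so the sentence structure leaks unchanged."""
    return [len(w) // symbol_width for w in text.split()]


if __name__ == "__main__":
    table = build_homophone_table()
    ct = encrypt(SAMPLE, table)
    print("plaintext IC :", round(index_of_coincidence(letters_of(SAMPLE)), 4))
    print("ciphertext IC:", round(index_of_coincidence(codes_of(ct)), 4))
    print("word lengths :", word_lengths(SAMPLE, 1) == word_lengths(ct, 2))
```

Dropping the word breaks removes the word-length leak, but not the contact statistics Malley mentions: a code standing for Q is still followed only by codes standing for U, and the digram structure of English survives in which code classes tend to follow which.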

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: IP
Date: Sat, 17 Mar 2001 15:27:06 -0800



those who know me have no need of my name wrote:
> 
> <[EMAIL PROTECTED]> divulged:
> 
> >However, for security reasons, your ISP really shouldn't
> >allow your IP to be reused immediately unless it can confirm that it's
> >assigning it back to the same user, which most can't.
> 
> how can they not?  you're their customer, and they've validated your
> userid and password, or you wouldn't be as far as ipcp.

        Let me rephrase, your ISP shouldn't allow your IP to be reused immediately
unless it _actually_does_ confirm that it is giving it back to the same
person. Most don't. This means that anyone else who uses your ISP may be
able to grab your IP address immediately after you are disconnected.
This may have security implications.

        DS

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography)
Date: Sat, 17 Mar 2001 17:17:42 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:

> On Fri, 16 Mar 2001 13:42:32 -0600, [EMAIL PROTECTED] (wtshaw) wrote,
> in part:
> 
> >A more important question to me is what ciphers
> >have a useful unicity distance, and how large are they.
> 
> Unicity distance is an information-theoretic quantity, and depends
> solely on the size of the key.
> 
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm

Easily said, but probably not completely accurate.
-- 
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography)
Date: Sat, 17 Mar 2001 17:16:00 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> > 
> > The Shannon idea of unicity distance goes with the idea that cost is not a
> > factor; the solution cannot be bought with any amount of time or money
> > spent on usual analysis.   A more important question to me is what ciphers
> > have a useful unicity distance, and how large are they.
> > --
> > Most [cryptographic] algorithms are based on assumptions which
> > could turn out to be false. -- Ron Rivest
> 
> I am not sure that one needs to be an 'idealist', demanding
> absolutely unbreakable ciphers for real-world applications. 
> If the cost of analysis is way beyond what the opponent can
> afford (possible at all or economically justifiable), 
> doesn't that mean real and practical and entirely sensible 
> security for the user? BTW, I guess that the quote from 
> Rivest's applies to ALL crypto algorithms in practice that 
> claim to be very strong.
> 
> M. K. Shen

I figure that being cryptographically conservative is better than matching
wits, money, and resources with a professional code breaker, especially
when it is doable.  If you still think that strength is undefinable, a
challenge for which the unwashed cannot use, you miss my point.  

Buying into propaganda that it is useless to attempt good security is,
pardon me, rather foolish.  The opposite has implications which do not
bode well for some.  And, speaking of some, Rivest did start with that
word.
-- 
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography)
Date: Sat, 17 Mar 2001 17:33:36 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
...
> Incidentally, one trouble with super-high security encryption modes
> is, though, that there is no way to pull that kind of trick with
> public-key systems; therefore you need secure physical exchange of a
> secret key if you want a hope of ascending into these Empyrean realms.
> 
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm

I suppose that better public-key systems may be yet to be found, but the
trust model used can always be abused.
-- 
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography)
Date: Sat, 17 Mar 2001 17:40:46 -0600

In article <[EMAIL PROTECTED]>, "John A. Malley"
<[EMAIL PROTECTED]> wrote:

...
> 
> Unicity distance is a relationship between the uncertainty of the key
> and the redundancy of the plaintext. Under the random cipher model the
> expected unicity distance U of a cipher is 
> 
> U = H(K) / D 
> 
> where U is the number of characters of plaintext, H(K) is the
> uncertainty of the key and D is the plaintext's redundancy expressed in
> bits/symbol (or D in this equation is the difference between the log of
> the number of characters and the average amount of information carried
> per character as actually used.)  
> 
> 
> John A. Malley
> [EMAIL PROTECTED]

This uncertainty value seems to be an out.  What range do you suggest it can be?
-- 
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest
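
The formula U = H(K) / D quoted above, worked through for a few classical cases, as an added example that is not code from this thread. It uses the post's own symbols: H(K) is the key uncertainty in bits and D the plaintext redundancy in bits per symbol. The English information rate of 1.5 bits per letter is an assumption (a commonly cited estimate); the 1000-password case is constructed to show that H(K) is not the nominal key length but the entropy of how the key is actually chosen, which is what sets its range.

```python
"""Unicity distance U = H(K) / D.  Added example; not code from the thread."""
import math

# Commonly cited estimate of the information actually carried by English text,
# in bits per letter (an assumption; published estimates range roughly 1 to 1.5).
ENGLISH_RATE_BITS = 1.5


def shannon_entropy_bits(probabilities):
    """H(K) for a key drawn with the given probabilities.  It ranges from 0
    (the key is known for certain) up to log2(number of keys), which is
    reached only when every key is equally likely."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def key_uncertainty_bits(keyspace_size):
    """H(K) when the key is chosen uniformly from keyspace_size keys."""
    return math.log2(keyspace_size)


def redundancy_bits_per_symbol(alphabet_size, rate_bits_per_symbol):
    """D = log2(alphabet size) - information actually carried per symbol."""
    return math.log2(alphabet_size) - rate_bits_per_symbol


def unicity_distance(h_k, d):
    """Expected number of ciphertext symbols after which only one key fits.
    With no redundancy (D = 0) the attacker never gets a unique solution."""
    if d <= 0:
        return float("inf")
    return h_k / d


def examples():
    d_english = redundancy_bits_per_symbol(26, ENGLISH_RATE_BITS)   # about 3.2
    return {
        # 26 possible shifts
        "caesar": unicity_distance(key_uncertainty_bits(26), d_english),
        # 26! possible alphabets, about 88.4 bits of key
        "simple_substitution": unicity_distance(
            key_uncertainty_bits(math.factorial(26)), d_english),
        # a uniformly random 128-bit key on English plaintext
        "128_bit_key": unicity_distance(128, d_english),
        # the same key on plaintext with no redundancy at all
        "128_bit_key_random_plaintext": unicity_distance(
            128, redundancy_bits_per_symbol(26, math.log2(26))),
        # a 128-bit key that is in fact one of only 1000 equally likely
        # passwords: H(K) collapses to log2(1000), not 128
        "128_bit_key_from_1000_passwords": unicity_distance(
            shannon_entropy_bits([1 / 1000] * 1000), d_english),
    }


if __name__ == "__main__":
    for name, u in examples().items():
        print(f"{name:32s} U = {u:.1f} symbols")
```

Note that U says nothing about the work needed to find the key; it only says how much ciphertext must exist before the key is, in principle, determined. A 128-bit key on English text is pinned down by roughly 40 letters of ciphertext, and only a plaintext with no redundancy pushes U to infinity.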

------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: IP
Date: Sun, 18 Mar 2001 00:09:40 -0000

<[EMAIL PROTECTED]> divulged:

>Let me rephrase, your ISP shouldn't allow your IP to be reused immediately 
>unless it _actually_does_ confirm that it is giving it back to the same
>person.     Most don't. This means that anyone else who uses your ISP
>may be able to grab your IP address immediately after you are
>disconnected. This may have security implications.

right.  what they do as opposed to can do.

unfortunately most "dynamic" ip addressing, on dial-up servers, is 
actually an ip address allocated statically to each port, so when that 
port is next answered that person gets that address.  only one type of 
unit, of which i am aware, uses a pool of addresses from which the least 
recently used address is assigned to the incoming connection.  one other 
type of unit would attempt to reassign based on (post authentication) 
userid, but otherwise assigned an unused address at random.

-- 
okay, have a sig then

------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Super strong crypto
Date: Sun, 18 Mar 2001 00:12:17 GMT

Bryan Olson wrote:

> Douglas A. Gwyn wrote:
> >
> > Bryan Olson wrote:
> > > ...  The information theoretic analysis shows that ...
> >
> > There hasn't been a proper information-theoretic analysis.
>
> You chopped the sentence in half.  Analysis shows exactly
> what I claimed it shows.
>
> > The one that was posted was based on an unrealistic costing
> > model, namely no limit on computation.
>
> You chose to introduce the information theoretic model into
> the discussion.  If you can show that your scheme is secure
> under a computational cost model, then by all means define
> your assumptions and demonstrate your result.
>
> > > ...  Your system bloats the ciphertext, so even if cryptanalysis
> > > requires more ciphertext, your mode may provide it.
> >
> > No, because the "bloat" is pure entropy.
>
> That it may be, but for the attacker, the ciphertext it is
> information, not equivocation.  You've booked it on the
> wrong side of the ledger.
>
> > > Your paragraph above is the kind of thing I described as
> > > hypothesizing a weakness and conjecturing a fix.  You have
> > > no reason to believe K is generally tractable, and no way to
> > > show that your scheme would make the work factor intractable.
> >
> > Actually, I have plenty of reason.  It's called experience.
>
> If your experience shows K (the work factor to break a block
> cipher) is generally tractable, please post your results
> against 3DES, IDEA, Blowfish, Rijndael, Twofish, Serpent.
> Absent that, I think we can assume that your experience with
> the block ciphers that most cryptographers recommend is the
> same as everyone else's: you are unable to break them.
>
> The point of provable security is to get a rigorous
> justification, stronger than judgement, experience, and the
> failure of determined attacks.  Provable security without
> the proof is nonsense.  The only point to replacing a
> hypothesis of security with a hypothesis of an undiscovered
> proof of security is that the latter motivates us to
> work on finding that proof.
>
> --Bryan

This approach appears to deny the possibility of a provable increment in
security -- E+dE>E.  Was that your intention?




------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: IP
Date: Sat, 17 Mar 2001 16:15:37 -0800



those who know me have no need of my name wrote:
>
> unfortunately most "dynamic" ip addressing, on dial-up servers, is
> actually an ip address allocated statically to each port, so when that
> port is next answered that person gets that address.

        In other words, dynamic IP addressing can actually create additional
vulnerabilities that don't exist with static IP addressing. On the other
hand, having a static IP address creates no new vulnerabilities -- for
the duration of your connection, your IP address is static anyway.

        DS

------------------------------

From: [EMAIL PROTECTED] (Vernon Schryver)
Subject: Re: IP
Date: 17 Mar 2001 17:18:34 -0700

In article <[EMAIL PROTECTED]>,
David Schwartz  <[EMAIL PROTECTED]> wrote:

> ...
>       Let me rephrase, your ISP shouldn't allow your IP to be reused immediately
>unless it _actually_does_ confirm that it is giving it back to the same
>person.        Most don't. This means that anyone else who uses your ISP may be
>able to grab your IP address immediately after you are disconnected.
>This may have security implications.

There are no security implications unless you believe in snake oil.
If you use end-to-end security mechanisms and do not expect the
addresses in IP headers to identify, authenticate, or authorize
anything, then the only reasons to care about too quick IP address
reassignment are minor.  The new user of an IP address can get packets
intended for the previous user.  If the new or previous user does the
obvious and necessary, the only bad effect of that is that some of
the new user's bandwidth can be wasted.  Depending on what the previous
user was doing, that bandwidth waste might be noticeable and even
objectionable.  (e.g. if the previous user was transferring large files
with MByte large TCP windows)

There is a non-technical problem.  Traffic for the previous user of an
IP address often looks like security attacks to "personal firewall" junk.
Quickly reassigning IP addresses causes the hordes of suckers who believe
in "personal firewall" snake oil to get excited and make "your DNS or
HTTP server or IP router is attacking my PC" security reports.


Vernon Schryver    [EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography)
Date: Sun, 18 Mar 2001 01:06:52 GMT

On Sat, 17 Mar 2001 17:17:42 -0600, [EMAIL PROTECTED] (wtshaw) wrote,
in part:

>Easily said, but probably not completely accurate.

It wasn't; the redundancy of the message is also involved. But the
strength of the cipher is _not_ involved; unicity distance is a
precisely defined concept.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Miki Watts" <[EMAIL PROTECTED]>
Subject: Newbie: SSL master secret exchange
Date: Sun, 18 Mar 2001 03:04:58 +0200

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Hi!
I've been reading the SSL protocol, and I'm wondering why the
exchange before determining the session password is required... can't
each side encrypt the password to the public key of the other side?

TIA
Miki Watts

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOrPtmZ3uo3pMww8CEQKqMQCgqfXndBuRnJxxz6m1ObjMlTjGPrsAoPbS
63a76/ur+OZsHGMFKP/DPFx7
=laZM
=====END PGP SIGNATURE=====




------------------------------

From: amateur <[EMAIL PROTECTED]>
Subject: Re: Cesar principle
Date: Sat, 17 Mar 2001 20:15:04 -0400



"John A. Malley" wrote:
 
> A homophonic cipher would generally substitute groups of bits and not
> the individual bits 0 and 1.  
_______________________________

That's the difference. I'm talking not only about substituting the bits 0
and 1, but more than that.
In the system you are talking about, the cryptanalyst has no access to
the symbols to work on.
Please just read my intervention "Idea".

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography)
Date: Sun, 18 Mar 2001 01:10:47 GMT

On Sat, 17 Mar 2001 19:10:58 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:

>Could you explain why you think it is not proper for
>public key systems to increase strength via using larger
>keys? (You seem to consider that some other, possibly
>more elegant ways, should be used. Or did I misunderstand
>you?)

I don't mean it is _not proper_. But it is a very severe limitation
that this is the only way to do it, because using a larger key means
also that the public key cipher becomes slower to carry out.

Using the largest practical key for public-key encryption should be
the standard practice; what is 'practical' depends on how fast
computers are, and that affects what an attacker can do as well.

With symmetrical ciphers, much more can be done to make a cipher much
harder to solve at far less computational cost. That is the point I
was emphasizing, that conventional ciphers can be made ridiculously
strong very easily compared to public-key ones.

But if you must use a public-key system for your keys, what's the
point?

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Security of IAPM, alone.
Date: 18 Mar 2001 01:36:12 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Paul Crowley  wrote:
>[EMAIL PROTECTED] (David Wagner) writes:
>> [...] the Even-Mansour construction [...]
>
>Hmm.  The original paper describing this construction:
>
>http://link.springer.de/link/service/journals/00145/bibs/10n3p151.html
>
>does not appear to be available online,

You have to be a subscriber to view it, but it is available online.
(I confirmed that I could view the PDF file from that URL.)

>If I ever get the leisure, I'd love to set up a service offering home
>pages for crypto academics which took all the hard work out of putting
>your papers online...

Do you know about citeseer?  It's a database of online papers in CS
(not quite the same thing, I know, but awfully useful nonetheless).
http://citeseer.nj.nec.com/cs

------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Newbie: SSL master secret exchange
Date: Sun, 18 Mar 2001 01:56:03 -0000

<9911m0$1d0$[EMAIL PROTECTED]> divulged:

>I've been reading the SSL protocol, and I'm wondering why the
>exchange before determining the session password is required... can't
>each side encrypt the password to the public key of the other side?

the exchange before creating the session key _is_ where you obtain 
the server's public (or temporary) key.

-- 
okay, have a sig then
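
The point of the reply above, shown as a toy model of the SSL 3.0 / TLS 1.0 RSA key exchange; this is an added example, not code from the thread and not a real TLS implementation. The client cannot encrypt a pre-master secret to the server until the ServerHello and Certificate messages have delivered the server's public key, and the master secret is then derived from that pre-master secret together with both sides' random values. Assumptions: the RSA modulus is built from two small known Mersenne primes (real keys are 2048 bits or more), the pre-master secret is 10 bytes rather than the real 48, there is no PKCS#1 padding or certificate verification, and `derive_master_secret` is an HMAC stand-in for the TLS PRF of RFC 2246 with the same inputs. The "temporary key" case (ephemeral Diffie-Hellman) is not modelled.

```python
"""Toy model of the RSA key exchange in SSL 3.0 / TLS 1.0.  Added example; not
code from the thread and not a real TLS implementation."""
import hashlib
import hmac
import os

# Toy RSA key: two known Mersenne primes give a ~92-bit modulus.  Real servers
# use 2048-bit or larger keys; this only keeps the example stdlib-only.
P = 2 ** 61 - 1
Q = 2 ** 31 - 1
E = 65537
PRE_MASTER_LEN = 10   # bytes; real TLS uses 48, which would not fit this n


def rsa_keygen():
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))        # (public, private)


def rsa_encrypt(public, message_bytes):
    n, e = public
    return pow(int.from_bytes(message_bytes, "big"), e, n)


def rsa_decrypt(private, ciphertext_int):
    n, d = private
    return pow(ciphertext_int, d, n).to_bytes(PRE_MASTER_LEN, "big")


def derive_master_secret(pre_master, client_random, server_random):
    """Stand-in for the TLS PRF: the master secret depends on the pre-master
    secret and on BOTH parties' random values, so neither side chooses it alone."""
    return hmac.new(pre_master, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.public, self.private = rsa_keygen()
        self.random = os.urandom(32)

    def server_hello(self):
        # ServerHello + Certificate: this is where the client learns the key.
        return {"server_random": self.random, "public_key": self.public}

    def client_key_exchange(self, message, client_random):
        pre_master = rsa_decrypt(self.private, message["encrypted_pre_master"])
        return derive_master_secret(pre_master, client_random, self.random)


class Client:
    def __init__(self):
        self.random = os.urandom(32)
        self.server_public = None
        self.server_random = None

    def client_hello(self):
        return {"client_random": self.random}

    def server_hello(self, message):
        self.server_public = message["public_key"]
        self.server_random = message["server_random"]

    def client_key_exchange(self):
        if self.server_public is None:
            raise RuntimeError("no server public key yet; nothing to encrypt to")
        pre_master = os.urandom(PRE_MASTER_LEN)
        message = {"encrypted_pre_master": rsa_encrypt(self.server_public, pre_master)}
        return message, derive_master_secret(pre_master, self.random, self.server_random)


def run_handshake():
    """Full exchange; returns True when both sides derive the same master secret."""
    client, server = Client(), Server()
    hello = client.client_hello()
    client.server_hello(server.server_hello())
    cke, client_master = client.client_key_exchange()
    server_master = server.client_key_exchange(cke, hello["client_random"])
    return client_master == server_master


def handshake_without_server_hello():
    """The shortcut from the question: encrypting before any ServerHello has
    arrived.  Returns True if the client correctly refuses."""
    try:
        Client().client_key_exchange()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("both sides agree on master secret:", run_handshake())
    print("client refuses without server key :", handshake_without_server_hello())
```

Only the pre-master secret travels under the server's public key; the master secret itself is never sent, and the two random values bind it to this particular handshake.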

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
