Cryptography-Digest Digest #952, Volume #13      Tue, 20 Mar 01 14:13:01 EST

Contents:
  Re: FIPS 140-1 does not adress eavesdropping (Paul Rubin)
  RC4 test vectors after gigabyte output?. (Luis Yanes)
  Re: Is SHA-1 Broken? (David Wagner)
  Re: Is SHA-1 Broken? (David Wagner)
  Re: What do we mean when we say a cipher is broken? (David Wagner)
  Re: Am I allowed to put any encryption software of my own creation on my  (Deano)
  Re: RC4 test vectors after gigabyte output?. ("Tom St Denis")
  Re: Fast and Easy crypt send (Mok-Kong Shen)
  Re: What do we mean when we say a cipher is broken? (Mok-Kong Shen)
  Re: Signing/Not signing posts (Deano)
  Re: My cypher system (Deano)
  Re: Is SHA-1 Broken? (Volker Hetzer)
  Re: Is SHA-1 Broken? (Jim Steuert)
  Re: A future supercomputer (Quisquater)
  Re: Defining a cryptosystem as "broken" ("Joseph Ashwood")
  ANNOUNCE: PGP-NS4.9c broken! (Was: Attn: Chris Drake and Thomas  ("Thomas J. Boschloo")

----------------------------------------------------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: FIPS 140-1 does not adress eavesdropping
Date: 20 Mar 2001 09:49:18 -0800

Frank Gerlach <[EMAIL PROTECTED]> writes:
> I was referring to the crypto processor's components. Just look at how
> complex a "simple" serial line controller is. Are you sure they do not
> pose a risk ? (First irritate their synchronization circuit, then
> manipulate through the serial controller the CPU bus it is connected to
> - just a wild guess)

UARTs are pretty simple and it's not likely you could "irritate their
synchronization circuit".  They are clocked by crystal oscillators.

> > The device shouldn't run any untrusted software.
> 
> Ok, my example wasn't appropriate. Just wanted to demonstrate that
> hardware components are as error-prone as software. The only difference
> is that hardware is more thoroughly reviewed and tested, but in most
> cases not formally verified. Doesn't apply to a crypto device.

As hardware becomes more complex, it gets easier to introduce either
accidental bugs or intentional backdoors.  A true paranoid might
scrounge a supply of old microprocessors, TTL parts, etc. made at a
time when it wasn't feasible to implement such complexity.  If you buy
a 7400 today (quad TTL NAND gate, one of the simplest digital building
blocks of the 1970's), you don't know if it really has a
microprocessor inside waiting to do the NSA's bidding.  

However, this is all pointless speculation.  Your comments about power
leakage from modules like the 4758 are well taken in as far as they
bring up the question at all; but after that, there's not much to add
without hard data.  

If you're a hardware hacker, why don't you do some experiments with
actual electronics and post your results here?  A 4758 is pretty expensive
but you could start with something like a Java button:
  http://www.ibutton.com/ibuttons/java.html


------------------------------

From: Luis Yanes <[EMAIL PROTECTED]>
Subject: RC4 test vectors after gigabyte output?.
Date: Tue, 20 Mar 2001 18:55:49 +0100

Are there any RC4 test vectors after a gigabyte of output?

All I could find are from the stream start, and I would like to test my
own compiled implementation's long-term behaviour, although I don't think
that I will ever need this much output with the same key.

Am I asking nonsense, or should I really worry about this?
73's de Luis

mail: melus0(@)teleline(.)es
Ampr: eb7gwl.ampr.org
http://www.terra.es/personal2/melus0/ <- PCBs for Homebrewed Hardware

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Is SHA-1 Broken?
Date: 20 Mar 2001 17:55:27 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Volker Hetzer  wrote:
>Right now, in electronic design, only one special case is known,
>where the size of the bdd explodes exponentially.

This can't be correct.  It is easy to see that almost every operation (if
you choose operations uniformly at random from the set of all operations)
causes BDDs to explode exponentially.  So it should be easy to identify
many operations that cause exponential explosion.

I think maybe it would be more accurate to say: Of the operations that
are _common_ in electronic design, multiplication is the most common
one that causes BDDs to explode.  Right?

Of course, ciphers use many operations that are not common in electronic
design (and that we can expect are unlikely to have concise BDD
representations), so absent any further evidence, I don't see any reason
for the above to justify changes to existing ciphers.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Is SHA-1 Broken?
Date: 20 Mar 2001 17:56:44 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Jim Steuert  wrote:
>The problem is that SHA-1 doesn't have a multiplication in its step.

Multiplications are not bijective (they lose information)
and are slow.  Are you sure this is the best way to spend
our CPU budget?  Is 1 multiply better than N rounds of SHA-1?

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: What do we mean when we say a cipher is broken?
Date: 20 Mar 2001 18:01:22 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

John Myre  wrote:
>Paul Crowley wrote:
>> "Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
><snip>
>> > if the adversary cannot recover any of the
>> > hidden information then he cannot be said to have broken the system.
><snip>
>> if there's a cheaper way than brute force for an attacker to
>> distinguish the pseudo-random stream from a truly random stream.
><snip>
>
>And here we have a fundamental difference between "academic"
>and "practical" cryptology.

The difference is: Crowley's definition is strictly stronger than Gwyn's.
If a cipher is Crowley-secure, it is Gwyn-secure, but the converse is not
necessarily true.  Also, Gwyn-security does not suffice to ensure that,
for instance, AES-CBC-MAC is at least as secure as AES.  Crowley-security
does.  Therefore, Crowley-security seems to be the conservative choice.

------------------------------

From: Deano <[EMAIL PROTECTED]>
Subject: Re: Am I allowed to put any encryption software of my own creation on my 
Date: Tue, 20 Mar 2001 17:56:52 +0000

If you have some software that really *IS* freeware (and not subject to
any copyright) then give it to me. I will post it on a non-US web site.
We don't care too much for Federal rules as we are outside US government
controlled territory and are not subject to US court actions. (Unless we
breach some internationally recognised laws and are bound by
international treaties or courts - the same laws/courts which the U.S.
probably don't respect anyway, i.e. War Crimes Tribunal, EC free-trade
agreements, land mine controls etc etc)

;-)

If you are not Paranoid, they WILL get you.

Dennis Ritchie wrote:
> 
> jtnews wrote:
> 
> > > > Is free software restricted in anyway
> > > > by export controls?
> > >
> > >         Depends upon what you mean by "free software".
> >
> > Free software as defined at
> > http://www.gnu.org/philosophy/free-sw.html
> 
> The FSF's definition of free software is not especially
> relevant.  More relevant is the copious material under
>  http://www.bxa.doc.gov/Encryption/regs.htm ,
> especially the 10/19/00 Federal Register link on the
> upper right of the page.  The document is tedious to
> read, but rather more liberal in its requirements than
> one might expect.  Things have changed.
> 
>         Dennis

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: RC4 test vectors after gigabyte output?.
Date: Tue, 20 Mar 2001 18:12:15 GMT


"Luis Yanes" <[EMAIL PROTECTED]> wrote in message
news:u5C3OpCcF7b2VNiAEyPmh3csFGJy@wingate...
> Are there any RC4 test vectors after a gigabyte of output?
>
> All I could find are from the stream start, and I would like to test my
> own compiled implementation's long-term behaviour, although I don't think
> that I will ever need this much output with the same key.
>
> Am I asking nonsense, or should I really worry about this?

If your implementation matches for about a kb or so then I think you can be
assured it's ok.

> 73's de Luis

Amateur radio dude?

Tom



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Fast and Easy crypt send
Date: Tue, 20 Mar 2001 19:12:16 +0100



amateur wrote:
>
[snip] 
> If you think that crypting bit by random characters has yet been done,
> so give me a reference. I will be glad to read it.
[snip]

Use of bit homophones was mentioned in an article of mine
posted last year. It is NOT that particular/ingenious/novel 
as your words above seem to suggest in the present context. 
Anyway, that idea is NOT new. For your convenience, here 
is once again the reference (already given in a previous
response to you in one of your threads):

   A general substitution scheme with variable-length codes
   (posted to sci.crypt on 10th Oct 2000)

Note that you have in different threads given apparently
different versions of your 'idea'. Anyway, what I
described about bit homophones in that article subsumes 
all versions of your bit homophone scheme.

If you have difficulty in getting it from the archives,
let me know with an e-mail (with valid return address).

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: What do we mean when we say a cipher is broken?
Date: Tue, 20 Mar 2001 19:12:24 +0100



John Myre wrote:
> 
> (More thoughts on terminology)
> 
> If we use "broken" only when a cipher is insecure in actual
> practice, we need another term for "not useless but not
> exactly performing to spec, either".  The phrase "academic
> break" has been used, although it doesn't seem to be popular.
> Perhaps this is due to the negative connotations for academia,
> or maybe just because it's clumsy: who wants to say
> "academically broken"?.
> 
> Perhaps we could say, for example, "flawed".  "Limited"?
> Doubtless there are better possibilities...

Perhaps 'theoretically broken'?

M. K. Shen

------------------------------

From: Deano <[EMAIL PROTECTED]>
Subject: Re: Signing/Not signing posts
Date: Tue, 20 Mar 2001 18:14:49 +0000

Sounds to me like you are starting to talk PKI.

I think there should be an option to sign a post - I, as a poster, may
have a legitimate need to make a statement which I want you to believe...
"Phone for an Ambulance - my pace-maker has packed in and my phone
doesn't work!!"

However, the readers will always have to decide for themselves (with
some help from technology - PKI/PGP et al) if they wish to believe the
poster is who they claim, and that the message is real and true.
"Do I wish to phone the emergency service and assist this person ? - I
don't know who they are but the digital signature seems valid....?"

I think a good compromise is to always sign posts with a signature that
cannot be connected with 'you' the real person. If you as a reader
believe that the PGP/PKI technology is secure enough to stop the
spoofing of digital signatures regardless of a trusted authority
verifying the holders identity, you still benefit from the knowledge
that you are at least holding a conversation with the SAME person
responding each time.

So, what do people really want:

1) No signatures - i.e. No comfort that a particular post is from any
particular person. Ever.
     (Not good for reader, and not good for poster)

2) Any signature - <100% Comfort in knowing that a particular poster is
always the same person, but we don't necessarily know who.
    (Good for reader to an extent, and good for poster as he knows he
will be recognised by his persona)

3) Trusted Signature - 100%'ish certain knowledge of WHO we are dealing
with. Every time. 
    (Good for readers, not good for privacy concerns of poster)

Have I missed any options ?

Joseph Ashwood wrote:
> 
> I was going to take this to private e-mail but it bounced.
> 
> "amateur" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > ??? I did not understand.
> 
> What about it don't you understand?
> 
> > Is it real issue? signing or not?
> 
> It's one of those issues that sporadically pops up in security newsgroups
> (or any internet based security discussion). The decision about whether or
> not to attach signatures hinges mostly on whether or not someone wants to
> identify you. For example you have only the name I post under to link me to
> the other items I have posted, you have no certainty that they are linked in
> any other way. If the poster signs the documents then the items can be
> linked (even though the certainty in the name is suspect). The downside is
> that we have to agree on a signature method (PGP seems to be the sig du
> jour), once that is defined then there is the hassle of varying levels of
> trust, just to pick on the same person, do I trust David Scott to sign the
> certificates of others? Whether I personally would or not is not a big issue
> instead the issue is that every person reading the ng has to assign a level
> of trust to David Scott, and particularly with PGP this can become
> complicated in a hurry. So except in rare circumstances I tend to frown on
> signing ng posts.
>                     Joe

------------------------------

From: Deano <[EMAIL PROTECTED]>
Subject: Re: My cypher system
Date: Tue, 20 Mar 2001 18:28:49 +0000

How does this scheme help in the real world with sender non-repudiation
and message integrity ?

bookburn wrote:
> 
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> >
> > bookburn wrote:
> > >
> > > This is a "what if" by a mere bumbler who looked at an encyclopedia
> > > article, so I expect to be shot down.
> > >
> > > My cipher system is basically a simple three-layered process using: 1)
> > > clear text; 2) use of a published text, like a page of a daily
> > > newspaper, which is chosen by a formula based on something variable
> > > like time and temperature of alternating cities on certain days, with
> > > identification of letters of the alphabet by numbered spaces in the
> > > text; 3) random use of the numbered spaces identifying letters of the
> > > alphabet, blank spaces, and punctuation, producing a long list of
> > > single numbers in bytes (spaces before and after set off numbers); 4)
> > > use of a mask to select only words in the clear text that are the
> > > message; 5) in addition, a key list of coded terms could be used to
> > > refer to some things.
> > >
> > > I'm basically thinking my system could be set up with computer
> > > programs at each end so that the long list of numbers can be instantly
> > > converted with the use of the same key text.
> > >
> > > Is this a workable cipher system?  How could you ever break it?
> > > bookburn
> >
> > Point (2) of using some contrived (uncommon, hence difficult
> > to guess) scheme to identify a piece of publically available
> > text for the purpose of deriving a shared secret is known.
> > How secure that is, is difficult to say in my view. (I would
> > vaguely say 'it depends'.) Points (3-5) are unclear to me.
> > Perhaps you could provide a tiny example to illustrate your
> > scheme.
> 
> Sorry if my parameters are unclear. I wanted to describe three phases:
> substitution, masking, and encoding with key terms.  But the
> substitution part is really the guts of it.
> 
>  I assume transmission between two computers, A-B, using the Internet.
> Clear text of  message is composed, then a text from some common
> source is used by A for substitution, such as a page of a periodical
> available on the internet.  Every space location on the page is
> numbered by computer, resulting in numbers for all the alphabet, blank
> spaces, and punctuation marks.  The computer program then randomly
> selects numbers on the page that go with the letters in the message,
> resulting in a long list of single digits in binary code.  This long
> list of numbers then is sent by e-mail to B, who uses the same
> computer program and common source text to translate the random
> numbers on the page back to alphabet.  Spaces between words are just
> numbers indicating empty spaces on the text page.
> 
> That's basically it, just substituting numbers representing location
> on a page for the letters on that page, except that more program
> filters could be added to permute the numbers, null words could be
> woven into the product and be filtered out, etc.  I assume that the
> weak point would be in identifying the text source of the
> substitution, but it seems like it would take a lot of mainframe
> computers and data bases including all the possible sources to do it.
> bookburn.
> 
> >
> > In my humble view answering questions like your last one is
> > in general difficult. For breaking a given cipher (that
> > is susceptible to be broken by the current state of
> > knowledge) may often require much thoughts/intuitions and
> > experimentations/work/time. Thus it is always easy to put
> > up a challenge but hard to take it up. If nobody answers
> > that question of yours, it doesn't follow at all that your
> > cipher is strong. An analogy: In mathematics it is easy to
> > put up problems that are hard to get worked out. Some may
> > need much work to be solved, others may be not solvable
> > but the non-solvability is rather difficult to prove (e.g.
> > the trisection of an angle). But this is all opinions of
> > a humble non-expert like me. I don't exclude that some
> > experts would at once give a very easy break of your scheme
> > or prove the opposite.
> >
> > M. K. Shen
> > ---------------------------
> > http://home.t-online.de/home/mok-kong.shen

------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Is SHA-1 Broken?
Date: Tue, 20 Mar 2001 19:51:09 +0100

David Wagner wrote:
> 
> Volker Hetzer  wrote:
> >Right now, in electronic design, only one special case is known,
> >where the size of the bdd explodes exponentially.
> 
> This can't be correct.  It is easy to see that almost every operation (if
> you choose operations uniformly at random from the set of all operations)
> causes BDDs to explode exponentially.
Have you seen it? I've seen the original paper and seen performance data on model
checkers. We've done a bit of BDD stuff too. Never had a problem like that. Right
now we use it on state machine verification in cases where the designers certainly
never designed for the bdd. (Unfortunately it's schematic based so I can't try it
on my own for SHA).
Maybe we just disagree about the definition of "exploding"?
In the original paper 
(http://www.cs.cmu.edu/afs/cs.cmu.edu/user/bryant/www/pubdir/ieeetc86.ps)
the author proved the multiplier graph having exponential size for any ordering.
That's what I mean by "exploding".

Another problem that can occur is that the reordering has a worst case behavior of
trying out all possible permutations. However, IMHO this has to be done only once per
algorithm and it's not necessary to get the minimal graph, just a manageable one.
So, there's room for cleverness and partially good solutions there like
http://www.sigda.org/Archives/ProceedingArchives/Dac/Dac91/papers/1991/dac91/24_4/24_4.htm .
Is that reordering complexity what you mean?

> So it should be easy to identify
> many operations that cause exponential explosion.
My best guess would be to use the multiplication as a starting point
and see what building blocks of that are used in cipher design.

Greetings!
Volker
--
They laughed at Galileo.  They laughed at Copernicus.  They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
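
An added example for the BDD size question in David Wagner's and Volker
Hetzer's posts above; it is mine, not code from either of them. It counts
ROBDD nodes directly from a truth table for a fixed variable order, using
the standard characterisation that the nodes labelled x_i are exactly the
distinct subfunctions obtained by fixing x_1..x_{i-1} that still depend on
x_i. That is exact but exponential in the number of inputs, so it is only
for small circuits, which is enough to see the two effects the thread is
about: the same function (an OR of disjoint ANDs) has 2n nodes under an
interleaved order and 2^(n+1)-2 under an x-first order, which is the
reordering problem Volker mentions; and the middle output bit of a small
multiplier, Bryant's exponential-for-every-order case, is printed for
comparison without any claim about the exact figures. Function names and
the choice of test functions are my assumptions.

```python
# Added example: ROBDD node counts from truth tables for a fixed variable
# order. Names and test functions are assumptions for this illustration.
from itertools import product


def truth_table(f, n):
    """Evaluate f on all 2**n inputs. x_1 is the first tuple element and the
    most significant index, so fixing x_1..x_i selects contiguous blocks."""
    return tuple(int(bool(f(bits))) for bits in product((0, 1), repeat=n))


def robdd_size(table):
    """Internal node count of the ROBDD for this variable order.

    Level i contributes one node per distinct subfunction on x_i..x_n whose
    two cofactors (x_i = 0 / x_i = 1) differ; equal cofactors mean the
    subfunction does not depend on x_i and is reduced away.
    """
    n = len(table).bit_length() - 1
    if len(table) != 1 << n:
        raise ValueError("table length must be a power of two")
    total = 0
    for i in range(n):
        block = 1 << (n - i)              # subfunction on x_{i+1}..x_n
        half = block >> 1
        subs = set()
        for start in range(0, len(table), block):
            sub = table[start:start + block]
            if sub[:half] != sub[half:]:  # cofactors differ: a real node
                subs.add(sub)
        total += len(subs)
    return total


def bits_to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def parity(n):
    """x_1 xor ... xor x_n: linear size, 2n-1 nodes under any order."""
    return truth_table(lambda b: sum(b) & 1, n)


def disjoint_ands(n, interleaved):
    """OR_i (x_i AND y_i) on 2n inputs, with x's first or x1,y1,x2,y2,..."""
    if interleaved:
        f = lambda b: any(b[2 * i] & b[2 * i + 1] for i in range(n))
    else:
        f = lambda b: any(b[i] & b[n + i] for i in range(n))
    return truth_table(f, 2 * n)


def multiplier_bit(n, k, interleaved=True):
    """Output bit k of an n-by-n-bit multiplier; k = n-1 is the middle bit
    for which Bryant proved exponential size under every ordering."""
    def f(b):
        a = bits_to_int(b[0::2] if interleaved else b[:n])
        c = bits_to_int(b[1::2] if interleaved else b[n:])
        return (a * c >> k) & 1
    return truth_table(f, 2 * n)


if __name__ == "__main__":
    for n in range(1, 8):
        print(f"n={n}  parity={robdd_size(parity(n))}"
              f"  disjoint ANDs interleaved={robdd_size(disjoint_ands(n, True))}"
              f"  x-then-y={robdd_size(disjoint_ands(n, False))}"
              f"  multiplier middle bit={robdd_size(multiplier_bit(n, n - 1))}")
```

The interesting column is the last one: watch how it grows with n
compared with the linear ones, and try `interleaved=False` to see that
reordering moves the numbers but does not make them linear.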

------------------------------

From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: Is SHA-1 Broken?
Date: Tue, 20 Mar 2001 14:09:39 -0500


Hash or cipher  mixers of the Feistel type combine 2 things
of n-bits each into a single n-bit output:  they
have to lose information. All hash mixers lose information,
whether they are xors, or whatever. I don't see your point there.

As for speed, the mod 65537 multiply can be done very efficiently
even using the MMX multiplies. Percentage-wise, I don't think it
is a fraction of the current SHA-1 step cost. Even normal Pentium II
or AMD integer multiplies can provide 1 cycle throughput (with a latency
of 4 cycles which can be used in other step operations). It may
well be true that multiply is slow for dedicated asics, compared
to the other operations. But for software implementations, it
shouldn't be much of a hit, percentage-wise. And it adds a lot of
binary expression complexity to each round.


David Wagner wrote:

> Jim Steuert  wrote:
> >The problem is that SHA-1 doesn't have a multiplication in its step.
>
> Multiplications are not bijective (they lose information)
> and are slow.  Are you sure this is the best way to spend
> our CPU budget?  Is 1 multiply better than N rounds of SHA-1?
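
An added example for the mod-65537 multiply discussed in the two posts
above (it is mine, not code from either poster): the IDEA-style operation
on 16-bit words where the word 0 stands for 65536, written both in the
obvious way and with the one-32-bit-product "low minus high" trick that
needs no division, together with a check that multiplication by any fixed
word is a permutation of the 16-bit space (a plain truncating 16-bit
multiply is one only for odd multipliers, shown for contrast). Function
names and the sample grid are my assumptions.

```python
# Added example: multiplication modulo 65537 on 16-bit words (IDEA
# convention: word 0 encodes 65536). Names are assumptions for this example.
P = 0x10001          # 65537, prime
MASK = 0xFFFF


def mul_ref(a: int, b: int) -> int:
    """Reference: decode 0 as 65536, multiply mod 65537, re-encode 65536 as 0."""
    x = a or 0x10000
    y = b or 0x10000
    return (x * y % P) & MASK


def mul_fast(a: int, b: int) -> int:
    """Same map using one 32-bit product, a subtract and a borrow.

    2**16 is -1 mod 65537, so p = hi*2**16 + lo is congruent to lo - hi.
    A borrow means the true residue is lo - hi + 65537, which mod 2**16 is
    lo - hi + 1.
    """
    if a == 0:                       # a = 65536 = -1, so the result is -b
        return (1 - b) & MASK
    if b == 0:
        return (1 - a) & MASK
    p = a * b                        # < 2**32 because both factors < 2**16
    lo, hi = p & MASK, p >> 16
    return (lo - hi + (1 if lo < hi else 0)) & MASK


def mul_inv(a: int) -> int:
    """Inverse under the same encoding: a**(p-2) mod p (Fermat)."""
    x = a or 0x10000
    return pow(x, P - 2, P) & MASK


def mul_mod_2_16(a: int, b: int) -> int:
    """Plain truncating 16-bit multiply, for contrast."""
    return (a * b) & MASK


def is_permutation(a: int, mul=mul_fast) -> bool:
    """True if b -> mul(a, b) hits every 16-bit word exactly once."""
    return len({mul(a, b) for b in range(1 << 16)}) == 1 << 16


def cross_check(samples=None) -> bool:
    """mul_fast agrees with mul_ref on the edge cases and a sample grid."""
    if samples is None:
        samples = [0, 1, 2, 3, 0xFF, 0x100, 0x8000, 0xFFFE, 0xFFFF]
        samples += list(range(0x1234, 0x10000, 0x0F3B))  # constructed grid
    return all(mul_fast(a, b) == mul_ref(a, b) for a in samples for b in samples)


if __name__ == "__main__":
    print("fast == ref on samples:", cross_check())
    for a in (0, 1, 2, 3, 0x8000, 0xFFFF):
        print(f"a={a:#06x}: inverse={mul_inv(a):#06x}"
              f" mod-65537 permutes={is_permutation(a)}"
              f" mod-2^16 permutes={is_permutation(a, mul_mod_2_16)}")
```

Note what the permutation check does and does not say: for a fixed
multiplier the map is invertible, which is why IDEA can decrypt; combining
two variable words into one still discards information, which is the point
the posts above are arguing about.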


------------------------------

From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: A future supercomputer
Date: Tue, 20 Mar 2001 20:01:02 +0100

In this thread nobody was able to give any url: hot air?
Please if you have the news you've the link: give it.

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Defining a cryptosystem as "broken"
Date: Tue, 20 Mar 2001 10:46:13 -0800

I guess I should have been more particular in my statements. I assumed that
the threat/attack models would be built to the applications, potentially
with multiple levels of model, where a secure system has a given model that
sets requirements, the programs and operating system offer various
components to this, etc down to whatever arbitrary level is required.
                    Joe

"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Given that a solid threat/attack model yields solid and
> precise results, one is yet left with the question whether
> that model really exactly applies to the applications one
> has in hand.




------------------------------

From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,alt.privacy.anon-server
Subject: ANNOUNCE: PGP-NS4.9c broken! (Was: Attn: Chris Drake and Thomas 
Date: Tue, 20 Mar 2001 19:29:51 +0100

Chris wrote:

> > user (under DOS) pressing any keystrokes like [alt]-[ctrl]-[del]. I
> > used this program to reboot my father's old computer with optimal
> > config.sys
> 
> Another demonstration of your cluelessness. You don't need a keyboard
> driver to hit CTRL-ALT-DEL, you just need one line of assembly...
> 
> JMP FAR F000:FFF0

Can you say write back caching?? It is better to do this through the
operating system.

> >Why don't you just write a new program and call it
> >PGP262i-NS49c.zip?? ... I would have a full week to crack it.
> 
> Excellent - if you want to expedite your own embarrassment, I'm all for
> it.  I've emailed you both PGP262i-NS49c.zip
> 
> Have a nice week!

Fortunately, it didn't take me a full week.
 
> > I am reluctant to it as you are the type of person that would abuse
> > that kind of knowledge to reduce the rights from others.
> 
> Thomas - everyone knows that my code *protects* them from attacks by
> idiots like you, and does so extremely efficiently.  You're sadly
> disillusioned if you think that anyone in this PGP group is going to
> be on your side while you're trying to write a program to steal their
> passphrases!

So I am an idiot now. I wonder what that will make you be then, since I
have overcome your lousy key logger protection again:
<http://home.soneraplaza.nl/mw/prive/boschloo>

Greetingz to everyone supporting me!
Thomas J. Boschloo
Hagedoornstraat 31
1783 HZ  Den Helder
-- 
Kittenbirds - You, me and Jesus: "I love your hair it's just so long"


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
