Cryptography-Digest Digest #986, Volume #13      Sat, 24 Mar 01 06:13:01 EST

Contents:
  Re: Open Source Implementations of PGP (Peter Harrison)
  Re: the classified seminal 1940 work of Alan Turing? (David A Molnar)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) ("David Thompson")
  Re: NTRU - any opinions ("Dr. Yongge Wang")
  Re: Is Evidence Eliminator at all useful ?? (Eric Lee Green)
  I store gnupghome with my encrypted data... (jtnews)
  Re: I store gnupghome with my encrypted data... (stanislav shalunov)
  Re: Question about coding (David Formosa (aka ? the Platypus))
  Re: Crack it! (Mok-Kong Shen)
  Re: What happens when RSA keys don't use primes? (Paul Schlyter)
  Re: A new DES? (Paul Schlyter)
  Re: A new DES? (Frank Gerlach)
  Re: I store gnupghome with my encrypted data... (Frank Gerlach)
  Re: I store gnupghome with my encrypted data... (Frank Gerlach)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Peter Harrison)
Subject: Re: Open Source Implementations of PGP
Date: Sat, 24 Mar 2001 04:44:12 GMT

On Sat, 24 Mar 2001 03:23:01 GMT, [EMAIL PROTECTED] (Tony L.
Svanstrom) wrote:


>All the most known algorithms are available in all kinds of formats
>(libs, languages, explanations) all over the Net; you don't have to know
>more math to use them than your language of choice would require
>otherwise.

I have been collecting implementations of these in my target
languages.  I will be using AES for Symmetric, RSA for Public Key.  I
have also been convinced to use DSS for Signing.

>Then you read the RFC and implement only the musts:
><URL:http://www.rfc-editor.org/rfc/rfc2440.txt> or you write your own
>thing, but then you have to look at the pros and cons of doing such a
>thing.

My current implementation isn't too far from a cut down PGP.  I have
spent some time writing a spec for a minimal PGP already.

>It's there, and those keyservers are not less secure than what you are
>suggesting. As a matter of fact... your system is less secure because a)
>it's easier to manipulate the data that a user will get and use from the
>keyserver, and b) people will feel safer when encryption is used "all
>the time".
>
>Of course, encryption won't be used "all the time", it will only be used
>by the users of your work; compared with people using PGP which not only
>is an existing open standard, not only was designed by a lot of people
>that know a lot about cryptography, not only has been reviewed a lot by
>people all over the world but also has a hell of a lot more users...

The issue is that not many people are using PGP or any form of secure
email right now.  There are two reasons : Difficulty of use and no
immediate value.  It's like backups.  Backups are a hassle, and are
neglected by a great many people.  It's only when an individual loses
data that the value of a backup is clear.  Same with encryption.

>Which of course is useless since MITM is a serious problem with your
>system; so all you've managed to do is to give false security, which is
>far worse than no security.

Not quite sure what you are saying here.  Currently I can send a
message to most Internet users pretending to be someone else by
spoofing the sender and reply addresses.  People ALREADY have a false
sense of security - so all I am doing is actually providing some.


>Nice words, but beyond saying "if it isn't secure it will be secured" I
>don't see anything that actually backs up you claim that it will work
>that way. A simple MITM on the same network as a user will make every
>message sent and received by him unsecure, while your software tells him
>that he's secure... NOT GOOD!!!

A man in the middle attack is possible in PGP as well.  It is still
considered secure?


>Then there has to be a central server that controls the whole thing
>(unless you allow the majority to rule, in which case an attack based on
>having a lot of servers on that network will completely take over it);
>and then people have to trust that server... Then we're down to a limited
>version of PGP that doesn't allow that the users pick an algorithm that
>they, a protocol less looked at and they have to trust some unknowns
>server for it to work. Anyhow, who's going to pay for that server when
>it's all free, and if people stop donating but keep on using it more and
>more then will you keep on paying for it to remain online?

The list of servers is held on each server.  The client will download
changes to the list every time they connect - but from a random
different server.  I am actually simplifying slightly.  This scheme as
stated would not scale.  There will probably be 'clusters' of servers
which monitor each other - and they will have gateways.

>Then why don't you just improve the (G)UI on existing
>OpenPGP-implementations by writing your own implementation...?

There are no implementations in Delphi or VB.  Since I can create a
VB/ActiveX implementation from Delphi I am looking to write a native
Delphi version.  Native code is important for the people looking to
use this system.

>I don't know (about your ideas/work), to me it just looks like a lot of
>hype combined with you wanting to reinvent the wheel simply because PGP
>is too complicated for you to use (as a programmer).
>
>I'm in no way trying to put you down nor am I saying that it is like
>that, just saying that it looks like it to me; there are lots of reasons
>for me to think so, some stated in this e-mail.

If I were just trying to invent a new email encryption system there
would be little point to the project.  What I am trying to do is get
accounting system developers to implement a system of moving basic
invoices and orders between accounting systems over the Internet.

Part of that effort is security of the transmission.  My project aims
to incorporate everything the accounting system developer needs to
achieve this without coding anything.  I.e., they programmatically load
the invoice into an object, tell it who the recipient is, and "Press
Go".

Microsoft are currently putting forward beasts like BizTalk to tie
transactions between companies into 'exchanges' where they can extract
a transaction tax.  I really don't care about whether I use PGP or my
own design - all I want is to allow businesses and consumers to use
the Internet to transfer business documents without paying a tax to
big business.

The problem with email encryption isn't that it's not totally secure -
the problem is that it's just not used by the vast majority of
netizens.

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: the classified seminal 1940 work of Alan Turing?
Date: 24 Mar 2001 04:32:28 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:

> The idea of finding a more powerful mathematics through tweaking the
> axioms doesn't get you very far.  Most of the interesting systems
> tend to share some similar structures, brought out by tools such as
> Universal Algebra.  One of the reasons elliptic curves are

Tangent - does anyone know of applications of universal algebra to 
cryptography?

> There are also only a finite number of axiomatic systems under a
> specified complexity; this is partly the domain of combinatorial
> logicians, whose work is eerily fascinating.

Agreed! 

thanks,
-David Molnar



------------------------------

From: "David Thompson" <[EMAIL PROTECTED]>
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of   
Cryptography)
Date: Sat, 24 Mar 2001 05:09:57 GMT

John Savard <[EMAIL PROTECTED]> wrote :
> On Fri, 16 Mar 2001 02:03:13 GMT, William Hugh Murray
> <[EMAIL PROTECTED]> wrote, in part:
>
> >Because vengeance is hard to measure and crypto is cheap, I use it in such a
> >way as to raise the cost of attack several orders of magnitude higher than
> >the value of success.
>
> Since some of us do not really have vengeance as an option, and since
> crypto is cheap, it makes sense to use enough crypto so that one won't
> be faced with the need to avenge a break.
>
I think WHM meant it the other way:  that an attacker
may be motivated by vengeance (or more generally hatred)
into mounting an attack that is not economically rational,
that costs more (on average) than the value of a break.
And therefore he tries to provide a greater security
margin than purely economic analysis would demand.

I would add that we are going only by our own estimates
of what any attack will cost an adversary and what
the adversary's motivations are or will be.  Not that
any better choice is available (or likely to be), but
this is an additional factor to worry about.

--
- David.Thompson 1 now at worldnet.att.net






------------------------------

From: "Dr. Yongge Wang" <[EMAIL PROTECTED]>
Subject: Re: NTRU - any opinions
Date: 24 Mar 2001 05:11:50 GMT

: hearing my talk and studying the final verification/blinding method,
: Mironov published his note, in which he says that "The current version of
: the NTRU signature scheme [HPS00] is resistant to our attack" and that
: "Our attack fails against the next version of NSS [HPS00]." Mironov also
: explained in an email dated 01/25/01 that "The reason I am publishing this
: note is because I hope it may shed some light on certain aspects of
: lattice-based cryptosystems. The current version of the scheme is
: resistant to this attack and my paper does make this point clearly."

This is quite a reasonable explanation......

Yonge

: It is certainly true that NSS, and indeed any cryptographic construction,
: can only benefit from more scrutiny. But as the preceding makes clear, NSS
: has already received a significant amount of scrutiny, including by the
: program committee for Eurocrypt 2001, which accepted it for presentation
: and publication at Eurocrypt.

: Joe Silverman
: VP Research, NTRU Cryptosystems
:  


-- 
========================
Yongge Wang
http://cs.uwm.edu/~wang/
========================

------------------------------

From: [EMAIL PROTECTED] (Eric Lee Green)
Subject: Re: Is Evidence Eliminator at all useful ??
Reply-To: [EMAIL PROTECTED]
Date: 23 Mar 2001 23:31:19 -0600

On Fri, 23 Mar 2001 15:54:51 -0800, David Schwartz <[EMAIL PROTECTED]> wrote:
>Tom St Denis wrote:
>> > > You think I can't recognize an FBI/CIA/KGB stooge when I see one?
>> > Well darn. I keep forgetting that the FBI, CIA, and KGB are actively
>> > recruiting geeky subversive school teachers :-). Now where's my dark
>> > sunglasses and secret decoder ring.... (shuffle shuffle shuffle....).
>> How does one group two US firms with one russian?  What about the cannucks?
>       Man are you naive! Don't you understand that they created the KGB in
>order to justify their large budgets and need for snooping? It's the
>same reason they planned Pearl Harbor. What better way to convince the
>country to go to war?

We also forced every washing machine maker to put the sock shredder
into every washing machine in order to keep the textiles industries
from going bankrupt. That was between the times when we suppressed the
200 mpg car that ran on water, and when we formed Microsoft as a 
Company conspiracy to destroy the economies of our allies by forcing them
to send all their money to a black hole in Redmond Washington.

That's right, The Agency (I can't say which one) is funded via profits
from their front organization, Microsoft.  Forget bake sales, we're
talking real money!

Gotta go, got to get up early in the morning to wash my clothes and
Save The World From Democracy by factoring a few RSA keys with the
ultra-top-secret prime-factorization algorithm that we have suppressed
(you know, the one that the kid in Indonesia invented, the one that we
had to work overtime to get misinformation printed about it in the
press to discredit it). The work of a secret agent never ends.

(Grin... )

In real life, of course, I'm deep into the design and implementation
of BRU Professional version 1.1. The last thing I worked on was
allowing adjustable block sizes, rather than a fixed 32k block.  That
was 2 days worth of work, counting the design document that I passed
around prior to starting with my proposal for the work. (Please don't
ask me for further details, I can't go there). The fun part about
doing version 1.1 of a working product is that you are looking at your
code base with a fresh eye, and can see exactly what works well, and
what was brain damaged.  What amazes me is that I made some
fundamental changes in the way that BRU Pro handles block sizes on
tapes, and the class hierarchy absorbed it as if it were designed to
work that way, with the block size getting propagated throughout the
hierarchy to anything that touched a drive with no special effort (the
things that touched the drive had to be modified to use the block size
that was propagated to them, but that's why they pay me the big bucks
:-). To all the nay-sayers about the virtues of object-oriented
programming, pffftt! This was the first project that I had the chance
to architect entirely from scratch, and the use of Python for the
majority of the tape server and user interface code, in combination
with a decent class hierarchy combined with a good (Unix-style)
component architecture definitely made things much quicker to program
and easier to modify. I'll never voluntarily work on a huge monolithic
blob of code again. (If there is interest, I am working on an article
describing some of the design lessons that we learned from the
project, such as, e.g., "Threads are EVIL NASTY and DEMONIC"... drop
me EMAIL if you'd like to get a copy for review purposes when I have a
first draft ready).

-- 
Eric Lee Green [EMAIL PROTECTED] http://www.badtux.org

------------------------------

From: jtnews <[EMAIL PROTECTED]>
Subject: I store gnupghome with my encrypted data...
Date: Sat, 24 Mar 2001 08:28:04 GMT

I store gnupghome with my encrypted data...

Is my data safe if someone cannot guess my passphrase?

I'm concerned about this bug:

http://cryptome.org/pgp-email-flaw.htm

Does this bug mean that now people don't
even have to have a passphrase to decrypt
the data?

------------------------------

From: stanislav shalunov <[EMAIL PROTECTED]>
Subject: Re: I store gnupghome with my encrypted data...
Date: 24 Mar 2001 03:49:30 -0500

jtnews <[EMAIL PROTECTED]> writes:

> Does this bug mean that now people don't even have to have a
> passphrase to decrypt the data?

I only had a chance to briefly glance over the report, but it appears
that one needs to modify your secret ring, wait for you to sign a
message using modified ring, and then look at the signed message in
order to do damage.

If this is correct, this newly discovered defect removes nothing from
your security, provided you're only going to use the back-up secret
ring to decrypt message(s) to yourself.

Of course, if your GPG executable is stored in the same place and the
attackers can modify it (i.e., it's re-recordable media), they can
have you run their trojaned version of GPG when you restore the data,
and have it send your passphrase straight to [EMAIL PROTECTED]

-- 
Stanislav Shalunov              http://www.internet2.edu/~shalunov/

I never let school stand in the way of my education.  -- Mark Twain

------------------------------

From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: Question about coding
Reply-To: [EMAIL PROTECTED]
Date: Sat, 24 Mar 2001 09:47:09 GMT

On Fri, 23 Mar 2001 12:13:42 -0400, amateur <[EMAIL PROTECTED]> wrote:
>I have a trick to retrieve it.
>It's a long algo. But it's still not my question.
>This type of substitution hide or not the grammatical structure.
>That's my question.

It depends on how the substitution is allocated.  Unless you tell us
the algorithm used to change the ASCII into your encoding we can't
know if the grammatical structure is hidden.  Some systems will hide
and others will not.

-- 
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Free the Memes.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crack it!
Date: Sat, 24 Mar 2001 11:20:15 +0100



amateur wrote:
> 
> Try to decrypt it if it is no new idea.
> Give me explicit reference to substitution of bits not a group of bits.
> Only one.
> If it is not new.
> Give me only one reference concerning send any message via network using
> M=f(k)
> You were talking about a group of bits not a single bit.
> If you interpret the Bible or the Quran or the Vedas you will find the
> idea of DES encryption.
> I want a clear reference to be convinced.
> There is no erroneous claiming.
> I will send thousands of new ideas you don't even imagine.

Mmmmm, how many times must I ask you to carefully re-read 
the copy of my article posted last year and that I sent
to you via e-mail ?? The following are part of one paragraph 
and another whole paragraph from that article:

   Our substitution to be done on a given bit sequence is then
   performed according to an arbitrary invertible (in general
   one to many, not necessarily surjective) mapping of the 
   symbol set of an alphabet of size u to the symbol set of
   another alphabet of size v, both being randomly constructed 
   as above, with the constraint 2 <= u < v.  .............

   Note that an interesting special case is one where u=2, 
   while v is chosen arbitrarily large so as to have 
   substantial number of homophones and further the mapping 
   is also largely non-surjective such that quite a number 
   of different dummy output symbols are available for
   arbitrary insertion into the output stream to confound 
   the opponent.

Do you understand what is meant by 'mapping of the symbol set
of an alphabet of size u to the symbol set of another alphabet
of size v'? Do you understand what is meant by 'the size of an
alphabet'? Take '0' and '1' as the symbols of the first alphabet 
set, i.e. {0, 1}. So you have u=2. Right? Now for example, take
{a, b, c, d, e, f, g, h} to be the symbols of the second symbol
set. You have thus v=8. One possibility of a homophone mapping 
is then to arbitrarily map symbol '0' of the symbol set of the 
first alphabet to any symbol of the subset {a, b, c} of the
symbol set of the second alphabet and to map symbol '1' of the 
first symbol set arbitrarily to any symbol of the subset 
{d, e, f, g, h} of the symbol set of the second set. To 
summarize, you have now the mapping:
  
    '0' ---> {a, b, c}
    '1' ---> {d, e, f, g, h}

Now please tell me what have you done up till now differently
in a large number of posts repeatedly describing your 'idea' !!

Note that I wrote in my article that there could be dummy 
symbols, for example {x, y, z}, in the symbol set of the second
alphabet, so that you could arbitrarily insert any number of
these symbols into your ciphertext stream to further confound 
the opponent. The recipient, when decrypting, simply discards 
such dummy symbols. Now doesn't the bit homophone scheme 
mentioned in my old article subsume your bit homophone scheme 
as a special case ??

Now, coming back to what you wrote above: To the point of your
challenging others to decrypt, I have commented in my follow-up 
of Fri, 23 Mar 2001 21:11:10 +0100. That your idea is NOT new 
should be entirely clear from what I explained above. In other 
words, your claim of novelty of your idea is erroneous. If you 
do have really new ideas, all people of this group, including my 
humble person, certainly should very appreciate to be able to
know them. (And may therefore Jesus or Mohammed bless you and 
fulfill your above stated wish to acquire and send thousands 
of new ideas that we others of the group don't even imagine.) 
But please post everything succinctly and clearly, avoid 
repeating the same stuff over and over, thus wasting bandwidth, 
and spend SOME concrete time and effort to read carefully 
comments and materials of others and try to understand these 
and ask concrete questions in case you don't understand the 
argumentations of others, giving exact pointers to the texts 
which you find difficult to understand or with which you don't 
agree (in that case provide clear counter-arguments).

Hope that this helps.

M. K. Shen
===========================
http://home.t-online.de/home/mok-kong.shen
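The bit-homophone scheme described in the post above, written out as a runnable example. This is an added illustration, not code from the article or from either poster: the mapping '0' -> {a, b, c}, '1' -> {d, e, f, g, h} with dummies {x, y, z} is taken from the post, while the function names, the randomly constructed mapping in `build_mapping` and the geometric rule for how many dummies to insert before each symbol are assumptions made here. The example also goes slightly beyond the post by showing that decryption must reject a mapping in which two bits share an output symbol, since such a mapping is not invertible.

```python
import random
from collections import Counter
from typing import Dict, List, Tuple

# A mapping is (homophone classes, dummy symbols): every plaintext bit owns a
# disjoint set of output symbols, and dummies belong to no bit at all.
Mapping = Tuple[Dict[str, List[str]], List[str]]

# The concrete mapping from the post: u = 2, v = 8, plus dummies {x, y, z}.
POST_MAPPING: Mapping = ({"0": list("abc"), "1": list("defgh")}, list("xyz"))


def build_mapping(seed: int, alphabet: str, n_dummies: int) -> Mapping:
    """Randomly construct a mapping (assumed procedure): shuffle the output
    alphabet, set aside n_dummies symbols as dummies, and split the rest
    between '0' and '1' at a random point so both classes are non-empty."""
    rng = random.Random(seed)
    symbols = list(alphabet)
    if len(symbols) - n_dummies < 2:
        raise ValueError("need at least two non-dummy output symbols")
    rng.shuffle(symbols)
    dummies, rest = symbols[:n_dummies], symbols[n_dummies:]
    cut = rng.randint(1, len(rest) - 1)
    return ({"0": rest[:cut], "1": rest[cut:]}, dummies)


def inverse_table(mapping: Mapping) -> Dict[str, str]:
    """Invert the one-to-many mapping; fails if a symbol is claimed twice,
    because that would make decryption ambiguous."""
    classes, dummies = mapping
    inverse: Dict[str, str] = {}
    for bit, symbols in classes.items():
        for s in symbols:
            if s in inverse or s in dummies:
                raise ValueError(f"symbol {s!r} is not uniquely assigned")
            inverse[s] = bit
    return inverse


def encode(bits: str, mapping: Mapping, rng: random.Random,
           dummy_rate: float = 0.3) -> str:
    """Replace each bit by a randomly chosen homophone, inserting a random
    number of dummies (zero or more, geometric in dummy_rate) before it."""
    classes, dummies = mapping
    out: List[str] = []
    for b in bits:
        if b not in classes:
            raise ValueError(f"not a bit: {b!r}")
        while dummies and rng.random() < dummy_rate:
            out.append(rng.choice(dummies))
        out.append(rng.choice(classes[b]))
    return "".join(out)


def decode(text: str, mapping: Mapping) -> str:
    """Discard dummies and map every remaining symbol back to its bit."""
    inverse = inverse_table(mapping)
    dummies = set(mapping[1])
    bits: List[str] = []
    for s in text:
        if s in dummies:
            continue
        if s not in inverse:
            raise ValueError(f"symbol {s!r} is not in the output alphabet")
        bits.append(inverse[s])
    return "".join(bits)


def ascii_to_bits(text: str) -> str:
    return "".join(f"{byte:08b}" for byte in text.encode("ascii"))


def bits_to_ascii(bits: str) -> str:
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def roundtrip(message: str, seed: int, mapping: Mapping = POST_MAPPING) -> Tuple[str, str]:
    """Encode a message and decode it again; returns (ciphertext, recovered)."""
    rng = random.Random(seed)
    ciphertext = encode(ascii_to_bits(message), mapping, rng)
    return ciphertext, bits_to_ascii(decode(ciphertext, mapping))


if __name__ == "__main__":
    ct, pt = roundtrip("HELLO WORLD", seed=1)
    print(ct)
    print(Counter(ct).most_common())   # homophones flatten per-symbol counts
    print(pt)
    keyed = build_mapping(2, "abcdefghijklmnop", n_dummies=4)
    print(roundtrip("HELLO WORLD", seed=3, mapping=keyed)[1])
```

Note that the flattened symbol frequencies say nothing about the bigram and positional structure of the underlying bits; how much of that structure survives depends on the mapping and the dummy rate, which is the point made in the "Question about coding" reply earlier in this digest.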

------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: What happens when RSA keys don't use primes?
Date: 24 Mar 2001 10:11:29 +0100

In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
 
> Paul Schlyter wrote:
>> (btw I would call 2E-107 "astronomically small" ...
> 
> But when it is used zillions of times the probability of
> failure becomes greater..
 
Only if "a zillion" is at least 1E+27 ......  :-)
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or    paul.schlyter at ausys dot se
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch

------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: A new DES?
Date: 24 Mar 2001 10:12:15 +0100

In article <[EMAIL PROTECTED]>,
Paul Rubin  <[EMAIL PROTECTED]> wrote:
 
> "Ryan M. McConahy" <[EMAIL PROTECTED]> writes:
>> Has anyone (like the people who make modified PGP builds) considered
>> implementing DES with a 256 or 512 (paranoid mode) key? This might be nice,
>> as DES has been so well cryptanalised.
> 
> Yes but if you changed it like that, it wouldn't be DES any more.
 
Isn't 3DES considered to be a variety of DES?
 
You could include additional DES rounds: 5DES with 24 of the 5*56
bits set to some predetermined value would in effect use a 256-bit key.
And 10DES with 48 of the 10*56 bits set to some predetermined value
would in effect use a 512-bit key.
 
The only thing that's really hard to change is the 8-byte block
size - that cannot be changed without changing the DES algorithm
itself.
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or    paul.schlyter at ausys dot se
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: A new DES?
Date: Sat, 24 Mar 2001 12:40:00 +0100

What has been heavily analyzed are the s-boxes of DES. Bruce Schneier
considers this a potential weakness. He proposes to make the s-boxes part of
the key. Then you have more or less the soviet/russian GOST algorithm.
Maybe someone/some-organization can easily deal with n rounds of DES, but that
is just my speculation.
On the other hand, DES s-boxes have been hardened by both the NSA and IBM (see
Schneier), which would not be the case for random s-boxes. A sophisticated key
selector could do all kinds of known cryptanalytic checks (e.g. linear and
differential cryptanalysis) on a randomly generated s-boxes, but this
definitely takes quite some CPU time...
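The "sophisticated key selector" sketched above, as an added example that is not from the post or from any named cipher: it computes the two measures that differential and linear cryptanalysis start from (the largest entry of the difference distribution table and the largest linear-approximation bias) for a candidate S-box, and keeps drawing random bijective boxes until one meets a chosen bound. The function names, the bounds and the attempt cap are assumptions; 4-bit boxes are used so that the search runs in seconds, and the published PRESENT S-box is included only as a reference point with known values. DES's own 6-to-4-bit boxes can be checked with the same functions by passing `n_in=6, n_out=4`.

```python
import random
from typing import List, Optional, Tuple

# PRESENT's 4-bit S-box (published), a box chosen for good differential and
# linear properties; used here only as a known reference value.
PRESENT_SBOX: List[int] = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """XOR of all bits of v."""
    return bin(v).count("1") & 1


def ddt_max(sbox: List[int], n_in: int) -> int:
    """Largest entry of the difference distribution table over all non-zero
    input differences. The best one-round differential through the box has
    probability ddt_max / 2**n_in, so smaller is better."""
    size = 1 << n_in
    worst = 0
    for a in range(1, size):
        counts: dict = {}
        for x in range(size):
            d = sbox[x] ^ sbox[x ^ a]
            counts[d] = counts.get(d, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst


def lat_max_bias(sbox: List[int], n_in: int, n_out: int) -> int:
    """Largest |#{x : a.x == b.S(x)} - 2**n_in / 2| over all input masks a
    and non-zero output masks b. Input mask 0 is included because DES-style
    boxes are not bijective and may be biased even with no input mask."""
    size = 1 << n_in
    worst = 0
    for a in range(size):
        for b in range(1, 1 << n_out):
            agree = sum(1 for x in range(size)
                        if parity(a & x) == parity(b & sbox[x]))
            worst = max(worst, abs(agree - size // 2))
    return worst


def vet_sbox(sbox: List[int], n_in: int, n_out: int,
             max_ddt: int, max_lat: int) -> Tuple[bool, int, int]:
    """Accept the box only if both measures are within the chosen bounds."""
    diff = ddt_max(sbox, n_in)
    lin = lat_max_bias(sbox, n_in, n_out)
    return (diff <= max_ddt and lin <= max_lat, diff, lin)


def select_keyed_sbox(seed: int, n: int, max_ddt: int, max_lat: int,
                      attempts: int = 500) -> Optional[Tuple[List[int], int]]:
    """Model of a key-dependent S-box selector (assumed design): draw random
    bijective n-bit boxes from a seeded generator and return the first one
    that passes the checks, with the number of draws it took; None if none
    passed within the attempt cap."""
    rng = random.Random(seed)
    for i in range(1, attempts + 1):
        box = list(range(1 << n))
        rng.shuffle(box)
        ok, _, _ = vet_sbox(box, n, n, max_ddt, max_lat)
        if ok:
            return box, i
    return None


if __name__ == "__main__":
    print("identity:", vet_sbox(list(range(16)), 4, 4, 4, 4))
    print("PRESENT :", vet_sbox(PRESENT_SBOX, 4, 4, 4, 4))
    print("random  :", select_keyed_sbox(seed=1, n=4, max_ddt=6, max_lat=6))
```

The cost the post mentions is visible in the loops: both tables are quadratic in the input space, so a 6-bit DES-sized box costs 64x more per candidate than a 4-bit one, and a box that must beat tight bounds may need many draws. The identity box fails both checks by the widest possible margin, which is why a selector must actually run these checks rather than trust that a random permutation is good.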


------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: I store gnupghome with my encrypted data...
Date: Sat, 24 Mar 2001 12:48:28 +0100

The czech attack is mainly a marketing stunt, as they assume the
following threat scenario:

1 Alice stores her pass-phrase-encrypted secret key ring at a place Bob
can read AND WRITE it.

2 Bob tampers with the secret key.

3 Alice writes a message and then signs it with the tampered secret key
ring.

4 Bob intercepts that message and can obtain the secret key used for
digital signature.

To add plausibility to their scenario, they state that some people leave
their secret key ring accessible to others on file servers. Only people
who are using PGP as a toy do that.
Serious users of PGP store it on a floppy and never ever copy it onto a
file server. And if the computer reading the floppy is compromised,
PGP itself can be compromised.

Bottom Line: Irrelevant threat scenario.
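For anyone who does keep a secret ring on storage that others can write (step 1 of the scenario above), a defensive check that is not part of PGP or GnuPG and not from either post: record a keyed MAC over each ring file under a key derived from the passphrase, and refuse to use the ring until the MAC verifies. Without the passphrase, someone who can write the files cannot recompute the tags, so step 2 of the scenario is detected before step 3. Everything here is an assumption of this example: the manifest file name, the PBKDF2 parameters, and the stand-in file contents; `secring.gpg` and `pubring.gpg` are the GnuPG 1.x ring names but the contents below are constructed bytes, not real rings.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

MANIFEST_NAME = "ring-manifest.json"   # assumed name, stored beside the rings
PBKDF2_ROUNDS = 100_000                # assumed work factor


def derive_mac_key(passphrase: str, salt: bytes) -> bytes:
    """MAC key from the passphrase: a tamperer with write access to the ring
    but no passphrase cannot forge the tags below."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, PBKDF2_ROUNDS, dklen=32)


def file_tag(key: bytes, path: Path) -> str:
    return hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()


def write_manifest(home: Path, passphrase: str, names: List[str]) -> None:
    """Record an HMAC-SHA256 tag over each named file under a fresh salt."""
    salt = os.urandom(16)
    key = derive_mac_key(passphrase, salt)
    manifest: Dict[str, object] = {
        "salt": salt.hex(),
        "files": {n: file_tag(key, home / n) for n in names},
    }
    (home / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))


def verify_manifest(home: Path, passphrase: str) -> List[str]:
    """Return a list of problems; an empty list means every recorded file is
    byte-for-byte what it was when the manifest was written."""
    manifest_path = home / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    key = derive_mac_key(passphrase, bytes.fromhex(manifest["salt"]))
    problems: List[str] = []
    for name, expected in manifest["files"].items():
        path = home / name
        if not path.exists():
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(file_tag(key, path), expected):
            problems.append(f"modified: {name}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed stand-in for a GNUPGHOME: returns the verification result
    before and after one byte of the secret ring is changed."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        (home / "secring.gpg").write_bytes(b"constructed stand-in for a secret key ring")
        (home / "pubring.gpg").write_bytes(b"constructed stand-in for a public key ring")
        write_manifest(home, "correct horse battery", ["secring.gpg", "pubring.gpg"])
        clean = verify_manifest(home, "correct horse battery")
        # Step 2 of the scenario: someone with write access alters the secret ring.
        ring = bytearray((home / "secring.gpg").read_bytes())
        ring[0] ^= 0x01
        (home / "secring.gpg").write_bytes(bytes(ring))
        tampered = verify_manifest(home, "correct horse battery")
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "OK")
    print("after tampering: ", after)
```

The check only helps if it runs on a machine and with a program the ring's owner trusts: as the earlier reply in this thread points out, if the PGP executable sits on the same writable medium, a replaced binary can simply skip the check and capture the passphrase, so the verifier belongs with the trusted software, not with the backed-up data.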




------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: I store gnupghome with my encrypted data...
Date: Sat, 24 Mar 2001 12:53:44 +0100

Final note: If you are bad guy Bin Laden, then better use a stripped-down
MS-DOS computer to write down your evil commands and encrypt them on that
machine. Transfer the ASCII ONLY messages to/from that machine by floppy.
If you have a programmer and someone with basic electronic skills at hand,
solder your own parallel port device. Never insert a floppy, which was at
any time inserted into another PC.
You never know what kind of nasty buffer overflow bug hides in the floppy
driver....


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
