Cryptography-Digest Digest #990, Volume #13      Sat, 24 Mar 01 17:13:00 EST

Contents:
  Re: decryprtion help please? (Mok-Kong Shen)
  Re: Fast and Easy crypt send (amateur)
  Re: Hello (Mok-Kong Shen)
  Re: Crack it! (amateur)
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (SCOTT19U.ZIP_GUY)
  Re: on-card key generation for smart card (Chenghuai Lu)
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Bill Unruh)
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Tom McCune)
  Re: on-card key generation for smart card (Paul Rubin)
  Re: on-card key generation for smart card (Paul Rubin)
  Re: New PGP Flaw Verified  By Phil Zimmerman, Allows Signatures to be  (David Ross)
  Re: Hello (Frank Gerlach)
  Re: Valid condition for multiplicative generator? (Frank Gerlach)
  Re: Hello (Frank Gerlach)
  Re: Valid condition for multiplicative generator? (Frank Gerlach)
  Re: New PGP Flaw Verified  By Phil Zimmerman, Allows Signatures to be (Tom McCune)
  Operations for the DES (William Hugh Murray)
  Keyloging (Peter Engehausen)
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Free-man)
  Re: Operations for the DES (Paul Rubin)
  Re: One-time Pad really unbreakable? (Benjamin Goldberg)
  Re: Valid condition for multiplicative generator? (Steve Portly)

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: decryprtion help please?
Date: Sat, 24 Mar 2001 20:09:26 +0100



rh wrote:
> 
> A buddy had asked me yesterday, if it would be possible to migrate all
> of our pins from the current main system to the new test pin vault. We
> have no decryption utility that could do this. Below I have included
> some clear text pins and then the encrypted version that is located in
> the SQL database. I do know that the clear text pins "are encrypted
> with themselves."

If it is a legal migration, your SQL manufacturer should
certainly be able to help you, if difficulties arise. 
Otherwise, resist being persuaded by someone to find out 
how to eventually break the protection of your own system.

M. K. Shen

------------------------------

From: amateur <[EMAIL PROTECTED]>
Subject: Re: Fast and Easy crypt send
Date: Sat, 24 Mar 2001 14:10:59 -0400

There are 2 cases:
1. You did not understand what I wrote.
2. You read it, you understood it and you are trying (because I did not
use "high-level technical language") just to show me that you are a pro.

I think it's the first case.

My idea is nothing more than a version of OTP with the use and reuse of
a short key.

Case even and odd

0= 0 or 2 or 4 or 6 or 8
1= 1 or 3 or 5 or 7 or 9

For every bit I have 5 possible encryptions.
For 2 bits 5^2.
For n bits 5^n.

You have n bits in plain text.
5^n in encryption space.
You can use a known plain text attack because every plain text gives
billions of billions of possibilities.
You can't use differential cryptanalysis because the encryption is not a
bijection.
So what could you use?

In an OTP system you have two possibilities for every bit and you don't have
the "avalanche effect at left" that you have in an additive or subtractive
operation.
I have for every bit 5 possibilities in the case of even and odd.
I add or subtract using a single function M = a + k.
You seem to forget the effect of the addition operation.
If I use just a matrix of key values as secret key combined with a complex
relation between those keys (polynomial function with n>4), how could
you solve it?


 

Joseph Ashwood wrote:
> 
> Your sequence is not random, almost all of the randomness disappeared
> immediately when you eliminated the outer key (which I assume we both agree
> happened). From there the only randomness left is the randomness in the
> original sequences, which had very little discernible randomness, so they
> can be pulled apart with a minor amount of difficulty. The first thing you
> need to realize is that the text you're encrypting is far from random, it
> has strong order, bias, etc. English is a good example, English text has
> between 1 and 2 bits of entropy per character (depending on several
> factors), this is quite a distance from the 8 bits that are used per
> character in ASCII, and further from the 16 and 32 bits that are used in
> various Unicodes. I still say that the place you need to start is in reading
> a book on cryptography.
>                     Joe
> 
> "amateur" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > I'm still not convinced. I do not have to know cryptography to
> > understand that a RANDOM sequence is no information at all.
> > My encrypted text is a RANDOM series.
> > How could you exploit a random sequence???
> >
> > Joseph Ashwood wrote:
> > >
> > > Honestly, I have explained it, I'm not going to explain it any more,
> > > read the sci.crypt FAQ, read a book on cryptography, if you still
> > > don't get it, then just realize that you don't get cryptography, and
> > > don't try. If you do get it then you will immediately realize that
> > > the only valid decryption of your example was in fact 10011001, and
> > > that attempting to fix this problem is useless. To reiterate please
> > > read a book on cryptography, please read the sci.crypt FAQ, both
> > > will explain in great detail just exactly why your algorithm is
> > > completely useless.
> > >                                 Joe
> > >
> > > "amateur" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
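As an added illustration in Python (not code from the post), the even/odd mapping above seen from the parity side: the 5 choices per bit inflate the count of possible ciphertexts, but decoding never needs a key, and an additive key only contributes the parity of each key digit. How M = a + k combines with the digits is an assumption here (digit-wise mod 10, short key repeated), as is the sample key.

```python
import random

# The mapping from the post: bit 0 -> one of 0,2,4,6,8; bit 1 -> one of 1,3,5,7,9.
EVEN_DIGITS = "02468"
ODD_DIGITS = "13579"


def expand(bits: str, rng: random.Random) -> str:
    """Encode each bit as a randomly chosen digit of matching parity (5^n outputs per n bits)."""
    return "".join(rng.choice(ODD_DIGITS if b == "1" else EVEN_DIGITS) for b in bits)


def contract(digits: str) -> str:
    """Undo the expansion: only the parity of each digit matters, no secret is involved."""
    return "".join(str(int(d) % 2) for d in digits)


def add_key(digits: str, key: str) -> str:
    """Assumed reading of the post's M = a + k: digit-wise mod 10, short key reused cyclically."""
    return "".join(str((int(d) + int(key[i % len(key)])) % 10) for i, d in enumerate(digits))


def key_parity(key: str) -> str:
    """An even key digit leaves a digit's parity unchanged and an odd one flips it, so
    each key digit contributes exactly one bit at the parity level."""
    return "".join(str(int(k) % 2) for k in key)


def contract_with_key(cipher: str, key: str) -> str:
    """Recover the plaintext bits from the ciphertext plus the key's parity pattern only.
    The 5 choices per digit drop out, leaving a short repeating one-bit-per-position key,
    which is why a key with the same parity pattern decodes identically."""
    kp = key_parity(key)
    return "".join(str((int(c) % 2) ^ int(kp[i % len(kp)])) for i, c in enumerate(cipher))


if __name__ == "__main__":
    bits = "1011001"                      # constructed sample message
    cipher = add_key(expand(bits, random.Random(1)), "3857")   # constructed sample key
    print(cipher, "->", contract_with_key(cipher, "3857"), "(key parity", key_parity("3857"), ")")
```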

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Hello
Date: Sat, 24 Mar 2001 20:13:30 +0100



Tom St Denis wrote:
> 
> Um anyone home?
> 
> I posted a question 6hrs ago and no reply.

Do you see your post on your news server? If yes, then 
probably nobody in the group has yet attempted to answer 
your question. If no, there is presumably a hardware/software 
problem on the side of your provider.

M. K. Shen

------------------------------

From: amateur <[EMAIL PROTECTED]>
Subject: Re: Crack it!
Date: Sat, 24 Mar 2001 14:16:05 -0400

You wrote:
"A substitution in modern crypto algorithms is commonly a
mapping of n bit values to m bit values, with both n and
m being constant. A typical example is the DES S-boxes
with n=6 and m=4. That is, the input and output symbols are
both from constant length codes (block codes). Evidently,
however, there is no 'necessity' of using such constant
length codes. Thus we describe in the present note a more
general substitution from an input alphabet to an output
alphabet, where the symbols of the alphabets have variable
number of bits as code values."

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: 
alt.privacy.anon-server,alt.security.pgp,comp.security.pgp.discuss,comp.security.pgp.resources,comp.security.pgp.tech
Subject: Re: New PGP Flaw Verified  By Phil Zimmerman, Allows Signatures to be  Forged
Date: 24 Mar 2001 19:37:56 GMT

[EMAIL PROTECTED] (Frank Gerlach) wrote in <[EMAIL PROTECTED]>:

>Your network administrator will most probably replace PGP itself with a
>trojan-horsed version, if he wants your key.
>

   I think you hit the nail on the head. PGP is designed so the user
has so little access to any of the internal processes that your
suggestion is most likely a very common occurrence. 



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: Chenghuai Lu <[EMAIL PROTECTED]>
Subject: Re: on-card key generation for smart card
Date: Sat, 24 Mar 2001 14:44:48 -0500

Daniel James wrote:

> I have done APDU-level work with some of GemPlus's RSA smartcards. Their
> GPK4000 card generates a 1024-bit keyset in 160 seconds 90% of the time -
> the remaining 10% of the time you get an "operation not complete" error
> code and have to start again. Their newer GPK8000 cards - which are said
> to perform the keygen on-card - typically generate a keyset in less than
> 10 seconds using GemPKCS (I've not had occasion to perform a keygen
> operation at APDU level, but I have examined the access control
> attributes on the key files and I don't think this is "faked").
> 
> Cheers,
>  Daniel.
> 

Actually I am making a program for on-card key generation. And now, I
can generate a 512-bit prime inside a 5MHz Siemens card in an average
time of 15 seconds or less. I have already doubled the speed of the
previous implementation. But, compared with the implementations in other
smartcards, it is just at the medium level.

What I did is as follows:

1. Divide the candidate by the primes less than 255. (This can be sped up
a little bit by looking into a residue table rather than doing a reduction
operation for each prime.)
2. Try the Fermat test: see if 2^candidate = 2 (mod candidate).
3. If it passes the second step, try the Miller-Rabin test.

In the tests, if the candidate fails, add two to it and go to step 1.

Can anybody give me some advice on how to speed up my algorithm? Thanks a
lot. 

-- 
                                        
                        -Chenghuai Lu ([EMAIL PROTECTED])
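The three steps above, as an added Python example (not Lu's card code): the residues of the candidate modulo the odd primes below 255 are kept in a table and updated by +2 on each step instead of re-reducing the candidate, and only survivors reach the base-2 Fermat test and Miller-Rabin. The seed and bit sizes are constructed for the demonstration; the returned counters show how much the sieve filters.

```python
import math
import random

# Odd primes below 255, the trial-division bound from the post (candidates are
# always odd, so 2 never needs testing).
SMALL_PRIMES = [p for p in range(3, 255, 2)
                if all(p % d for d in range(3, math.isqrt(p) + 1, 2))]


def residue_table(n: int) -> list:
    """Step 1 setup: n mod p for every small prime, reduced once per search."""
    return [n % p for p in SMALL_PRIMES]


def advance_residues(res: list, step: int) -> None:
    """Moving the candidate by `step` updates each residue with a single-word addition:
    the residue-table shortcut, no multi-precision reduction per prime."""
    for i, p in enumerate(SMALL_PRIMES):
        res[i] = (res[i] + step) % p


def fermat_base2(n: int) -> bool:
    """Step 2: 2^n == 2 (mod n).  Cheap on a card because base 2 needs only shifts."""
    return pow(2, n, n) == 2


def miller_rabin(n: int, rounds: int, rng: random.Random) -> bool:
    """Step 3: `rounds` Miller-Rabin rounds with random bases; False means composite."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False              # no square reached -1: a is a witness


    return True


def is_probable_prime(n: int, seed: int = 0, rounds: int = 20) -> bool:
    """Steps 2 and 3 together for one odd n > 3 (seeded so results are repeatable)."""
    return fermat_base2(n) and miller_rabin(n, rounds, random.Random(seed))


def generate_prime(bits: int, seed=None, rounds: int = 20) -> tuple:
    """The loop from the post: odd candidate; sieve via the residue table; Fermat;
    Miller-Rabin; on any failure add 2 and repeat.  Returns (prime, candidates tried,
    Fermat tests run) so the sieve's filtering effect is visible."""
    if bits < 16:
        raise ValueError("candidate must exceed the trial-division bound")
    rng = random.Random(seed)
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
    res = residue_table(n)
    tried = fermat_runs = 0
    while True:
        tried += 1
        if 0 not in res:                    # survived trial division by all p < 255
            fermat_runs += 1
            if fermat_base2(n) and miller_rabin(n, rounds, rng):
                return n, tried, fermat_runs
        n += 2
        advance_residues(res, 2)


if __name__ == "__main__":
    prime, tried, fermat_runs = generate_prime(512, seed=2001)
    print(f"{prime.bit_length()}-bit prime after {tried} candidates, "
          f"{fermat_runs} of them reached the Fermat test")
```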

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: 
alt.privacy.anon-server,alt.security.pgp,comp.security.pgp.discuss,comp.security.pgp.resources,comp.security.pgp.tech
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: 24 Mar 2001 19:59:30 GMT

In <[EMAIL PROTECTED]> Frank Gerlach <[EMAIL PROTECTED]> writes:

]Next time, please clearly state the THREAT MODEL. Telling people that write
]access to the secret key is necessary would have been easily possible. Also, if
]you call yourself "cryptologist", be a little more scientific and less
]marketing-driven. Helps your reputation.


?? The secret key is encrypted precisely because the threat model that
someone can read your secret key file is a real potential threat. The
possibility to write to the file is not far behind being able to read it. 
I have no idea if they released this for self-aggrandizement, but that
is also totally irrelevant. They have identified a weakness in the
OpenPGP specification. It is a real weakness of much greater threat than
others that PGP already protects itself against. It needs to be fixed.
It is not hard to fix, which is good, but that does not mean it is
inconsequential. It is definitely a breaking of the protocol. 
Remember, crypto is not the algorithm, it is the whole chain, which
includes key protection. Would you have been as sanguine had they shown
that the encryption of the secret key was flawed and anyone could simply
read it off from the secret key file? After all, that would require that
someone else have read permission to the file, and anyone who was
careful would never allow someone else to read their secret key file.  I
would sure call that a lousy -- broken -- protocol. 

------------------------------

Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
From: Tom McCune <[EMAIL PROTECTED]>
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: Sat, 24 Mar 2001 20:06:47 GMT

In article <99iub2$4mt$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Bill Unruh) 
wrote:
<snip>
>is also totally irrelevant. They have identified a weakness in the
>OpenPGP specification. It is a real weakness of much greater threat than
>others that PGP already protects itself against. It needs to be fixed.
>It is not hard to fix, which is good, but that does not mean it is
>inconsequential. It is definitely a breaking of the protocol. 
>Remember, crypto is not the algorithm, it is the whole chain, which
>includes key protection. Would you have been as sanguine had they shown
>that the encryption of the secret key was flawed and anyone could simply
>read it off from the secret key file? After all, that would require that
>someone else have read permission to the file, and anyone who was
>careful would never allow someone else to read their secret key file.  I
>would sure call that a lousy -- broken -- protocol. 

I agree that this is of serious potential, and that it needs to be fixed.  
On the other hand, I have difficulty seeing this as much more significant 
than if someone had altered installed PGP software files that would 
accomplish the same goal - many of us, including myself, more carefully 
protect our keyrings than our PGP program files; therefore an attack on our 
keyrings is less likely to be successful.

Tom McCune
http://www.McCune.cc
Please use PGP for Privacy & Authenticity

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: on-card key generation for smart card
Date: 24 Mar 2001 12:20:05 -0800

Chenghuai Lu <[EMAIL PROTECTED]> writes:
> Actually I am making a program for on-card key generation. And now, I
> can generate a 512-bit prime inside a 5MHz Siemens card at an average
> time of 15 second or less. I have already doubled the speed of the
> previous implement. But, comparing with the implementions in other
> smartcards, it is just in the medium level.

I wouldn't worry about other implementations being faster, unless
they're using the same card you're using.  Some cards simply have
faster arithmetic hardware than others.  The Siemens is faster than
the Motorola but slower than the Philips, I think.


------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: on-card key generation for smart card
Date: 24 Mar 2001 12:21:46 -0800

Daniel James <[EMAIL PROTECTED]> writes:
> I've spoken to a few vendors who sell RSA cards and/or PKCS#11 
> implementations based around RSA cards. I've found the vendors to be 
> generally pretty honest about what it is they actually do. One vendor of 
> a PKCS#11 token based around the Schlumberger card was quite adamant that 
> generating the key in software and loading it into the card was the best 
> way to operate because one could then be sure that sufficient care had 
> been taken to generate a strong key (this vendor did not "fake it", they 
> support C_CreateObject for RSA private keys, but C_GenerateKeyPair).

That's silly--the card firmware should do the same checking.

> I have done APDU-level work with some of GemPlus's RSA smartcards. Their 
> GPK4000 card generates a 1024-bit keyset in 160 seconds 90% of the time - 
> the remaining 10% of the time you get an "operation not complete" error 
> code and have to start again. Their newer GPK8000 cards - which are said 
> to perform the keygen on-card - typically generate a keyset in less than 
> 10 seconds using GemPKCS (I've not had occasion to perform a keygen 
> operation at APDU level, but I have examined the access control 
> attributes on the key files and I don't think this is "faked").

Faking should be easy to detect unless they went out of their way to
conceal it.  Just generate keys on the same card, using a slow
workstation and then a fast one, and see if the speeds are different.

------------------------------

From: David Ross <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy.anon-server,alt.security.pgp
Subject: Re: New PGP Flaw Verified  By Phil Zimmerman, Allows Signatures to be 
Date: Sat, 24 Mar 2001 20:22:53 GMT

"Bob C." wrote [in part]:
> The exploit works by attacking the Digital Signature Algorithm's
> so-called discrete logarithm problem. DSA keys are typically stored in
> a file called secring.skr, and Klima and Rosa found that they could
> successfully insert a replacement key in it.

So, if I rename my private key file and take the extra precaution
of storing it in a folder other than where PGP and my public
keyring are stored (possibly on another drive), I can then block
the attack described by Klima and Rosa.

-- 

David E. Ross
<http://www.vcnet.com/~rossde/>.

Anyone who thinks government owns a monopoly on inefficient,
obstructive bureaucracy has obviously never worked for a large
corporation. © 1997

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Hello
Date: Sat, 24 Mar 2001 22:36:23 +0100

Mok-Kong Shen wrote:

> Tom St Denis wrote:
> >
> > Um anyone home?
> >
> > I posted a question 6hrs ago and no reply.
>
> Do you see your post on your news server? If yes, then
> probably nobody in the group has yet attempted to answer
> your question. If no, there is presumably a hardware/software
> problem on the side of your provider.
>
> M. K. Shen

Not quite true. Could be that Tom's news server didn't forward it to
other servers.
I am seeing "Valid condition for multiplicative generator?" from Tom.


------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Valid condition for multiplicative generator?
Date: Sat, 24 Mar 2001 22:40:40 +0100

Tom St Denis wrote:

> I am making a cross platform CryptoLib (really simple, DH + RNG + RC4 +
> MiscStuff(tm)= lib :-)) and I am trying to make a function to verify at
> runtime that the DH stuff is working (i.e. the compiler did its job).
> Basically I verify that the bases are in fact generators w.r.t. their
> primes...
>
> All my DH primes are Sophie primes (er... 2p + 1 = prime, p = prime).  Is it
> valid just to test if g^p mod (2p+1) == 1 to reject bases?  (i.e. it should
> only be one with g^(2p) mod (2p+1))?
>
> --
> Tom St Denis
> ---
> http://tomstdenis.home.dhs.org

Hmm, I am too lazy to look at the math, but what about creating test vectors on
one platform and then pasting them into the source code?
You could then do the regression test on any platform.
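The check Tom asks about, as an added Python example (not CryptoLib code) that compares it with a brute-force order computation on small constructed safe primes: for q = 2p+1, g^p != 1 (mod q) rejects the order-p subgroup, g^(2p) == 1 holds for every base by Fermat so it cannot reject anything, and the one element of order 2, g = q-1, passes the g^p test and has to be excluded separately.

```python
import math


def is_prime(n: int) -> bool:
    """Plain trial division; fine for the small moduli used in this illustration."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def is_safe_prime(q: int) -> bool:
    """q = 2p + 1 with both p and q prime (the 'Sophie primes' of the question)."""
    return q % 2 == 1 and is_prime(q) and is_prime((q - 1) // 2)


def passes_tom_test(g: int, q: int) -> bool:
    """The proposed runtime check: keep g unless g^p == 1 (mod q)."""
    p = (q - 1) // 2
    return pow(g, p, q) != 1


def is_generator(g: int, q: int) -> bool:
    """Full check for a safe prime q = 2p+1.  Element orders divide 2p, so they are
    1, 2, p or 2p.  g^p != 1 rules out orders 1 and p; excluding g == q-1, the only
    element of order 2 (it gives (-1)^p == -1, so it passes the g^p test), rules out
    order 2.  g^(2p) == 1 holds for every g by Fermat and distinguishes nothing."""
    if not 1 < g < q - 1:
        return False
    return passes_tom_test(g, q)


def multiplicative_order(g: int, q: int) -> int:
    """Brute-force order of g modulo prime q, used only to cross-check the shortcut."""
    x, k = g % q, 1
    while x != 1:
        x = x * g % q
        k += 1
    return k


def generators_by_check(q: int) -> list:
    """Bases accepted by the safe-prime shortcut."""
    return [g for g in range(2, q - 1) if is_generator(g, q)]


def generators_by_order(q: int) -> list:
    """Bases whose order really is q-1, by exhaustive computation."""
    return [g for g in range(2, q - 1) if multiplicative_order(g, q) == q - 1]


def false_accepts_of_tom_test(q: int) -> list:
    """Bases passing g^p != 1 that are not generators: expected to be exactly [q-1]."""
    return [g for g in range(2, q)
            if passes_tom_test(g, q) and multiplicative_order(g, q) != q - 1]


if __name__ == "__main__":
    for q in (23, 47, 1019):                  # constructed small safe primes
        assert is_safe_prime(q)
        print(q, generators_by_check(q) == generators_by_order(q),
              "passes g^p test but is not a generator:", false_accepts_of_tom_test(q))
```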


------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Hello
Date: Sat, 24 Mar 2001 22:38:05 +0100


So we are most probably too lazy to respond to Tom's message :-)


------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Valid condition for multiplicative generator?
Date: Sat, 24 Mar 2001 22:51:42 +0100

BTW.  have you ever played with RNGs based on the frequency difference drift
between CPU clock and timer clock ? Didn't find anything related to that on
your page.


------------------------------

Crossposted-To: alt.security.pgp
From: Tom McCune <[EMAIL PROTECTED]>
Subject: Re: New PGP Flaw Verified  By Phil Zimmerman, Allows Signatures to be
Date: Sat, 24 Mar 2001 20:57:29 GMT

In article <[EMAIL PROTECTED]>, David Ross <[EMAIL PROTECTED]> wrote:

>So, if I rename my private key file and take the extra precaution
>of storing it in a folder other than where PGP and my public
>keyring are stored (possibly on another drive), I can then block
>the attack described by Klima and Rosa.

I don't think this would help much.  PGP has to keep track of your keyrings 
- in PGP 7.0.3, this is indicated in PGPprefs.txt.  Someone capable of 
mounting this attack should have no difficulty finding your keyring.  A 
write protected floppy for your keyrings should help, but if someone has 
the ability to access and write to files on your computer, they should be 
able to accomplish the same goal by altering your installed PGP software 
files.

Tom McCune
My PGP Page & FAQ: http://www.McCune.cc

------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Operations for the DES
Date: Sat, 24 Mar 2001 21:16:28 GMT

How many computer operations does a DES operation require?

The context of my question is a program on the History Channel about
NSA.  At one point they assert that they once had a machine that
could do 73 quadrillion computer operations in five seconds.  I thought
that this was an interesting set of numbers in which to express the
speed of a computer.


------------------------------

From: Peter Engehausen <[EMAIL PROTECTED]>
Subject: Keyloging
Date: Sat, 24 Mar 2001 20:30:26 -0100
Reply-To: [EMAIL PROTECTED]

Hi!

1) I'm a newbie so don't get upset if I write nonsense, okay?

2) I was thinking about the following situation: Someone secretly installed
a keylogging program (k-p) to get my passwords. I really have no idea how
a typical k-p works, but it must save all tracked key presses somewhere
(memory or harddisk), mustn't it?
I'm not a programmer, but if a k-p scans my keyboard, it should be
possible to write a program which emulates key pressing. After
activating this my harddisk should start to "cook" and go silent again
when the program is stopped, shouldn't it? This would give a clue if a
k-p scans my keyboard.

What do you think?

cu
Peter



------------------------------

From: [EMAIL PROTECTED]  (Free-man)
Crossposted-To: alt.privacy.anon-server,alt.security.pgp
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: Sat, 24 Mar 2001 21:51:19 GMT

On 24 Mar 2001 17:53:57 GMT, [EMAIL PROTECTED] (Bill Unruh) wrote:


>If this is right then the OpenPGP standard is broken. To break a
>cryptosystem does not necessarily imply breaking just the algorithm. A
>crypto system is the whole system, including the key storage. displaying
>a weakness anywhere is a break of the cryptosystem. This is an inherent
>weakness in the cryptosystem which allows the private key to be
>recovered by an attacker. It is true that the attacker requires a level
>of access to the file holding the key which might be considered greater
>than is likely, but certainly not impossible. That is why one encrypts
>the private key, because access IS possible. If you contrast this with
>the claims that it would take 10^9 years to break RSA, this attack is
>one hell of a lot easier than that. So, the OpenPGP standard IS broken.
>That it can be fixed I do not doubt, but at present it is broken, if
>their claims are right.

I expect the PGP team at NAI to respond soon with a patch because they
did so when that ADK bug was found in 653

Hey -- PGP team -- please phone home and tell us that a patch is on
the way. : -)

Rich Eramian aka freeman at shore dot net

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Operations for the DES
Date: 24 Mar 2001 13:58:16 -0800

William Hugh Murray <[EMAIL PROTECTED]> writes:

> How many computer operations does a DES operation require?
> 
> The context of my question is a program on the History Channel about
> NSA.  At one point they assert that they once had a machine that
> could do 73 quadrillion computer operations in five seconds.  I thought
> that this was an interesting set of numbers in which to express the
> speed of a computer.

Heh, 73 quadrillion is very close to 2**56, if that's what you're thinking.

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Date: Sat, 24 Mar 2001 22:06:54 GMT

Tim Tyler wrote:
> 
> Jonathan Thornburg <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
> 
> :>There's no evidence /against/ it either - it is quite consistent
> :>with all of your observations.  It is quite simple - I would not
> :>like to be told to wield Occam's razor in this instance.  When
> :>there's no evidence either way, both options must remain
> :>possibilities - which was my point.
> 
> : There's also no evidence either for or against the
> : hypothesis that an invisible elf is sitting on my forehead directing
> : my actions.  This hypothesis too is quite consistent with all
> : observations of my behavior.  Do you take it seriously?  Should
> : anyone else?
> 
> The question was whether it is *impossible*.  Your example seems to be
> a possibility.  I recommend you think again about what impossibility
> means.

Of course his example was "possible."  That was the point.  The problem
is that it's absurd.  There are an infinite number of world-models which
are just as possible, and just as absurd.  The ones which eliminate the
concept of free-will, we consider solipsistic.  Solipsism is considered
a form of insanity, because people who have a solipsistic world view,
are able to distance themselves from their actions, and feel that what
they do isn't their fault, and they shouldn't be blamed for it...

Sane people accept/assume/believe that the universe *is* real, that
individuals *are* responsible for their own behavior, etc.  At no point
can a sane, reasonable person say, "It's not my fault, the invisible elf
made me do it!" or "So what if I hurt him, he's just a figment of my
imagination, you're all figments of my imagination!"

-- 
This message was brought to you by the digits 3, 9, the letter R, and
the league for recognition of visibility challenged fay.

------------------------------

From: Steve Portly <[EMAIL PROTECTED]>
Subject: Re: Valid condition for multiplicative generator?
Date: Sat, 24 Mar 2001 17:08:30 -0500



Frank Gerlach wrote:

> BTW.  have you ever played with RNGs based on the frequency difference drift
> between CPU clock and timer clock ? Didn't find anything related to that on
> your page.

I think Terry Ritter is the resident expert on clock drift.  A while back I
started to propose a PRNG based on the RDTSC instruction.  Terry pointed out
that most if not all of the variations I was seeing in my output were probably
due to phase oscillation.  I had developed a crude parity based decoherence
method that yielded symmetrical bit bucket output and was thinking that perhaps
I had mined some genuine random bits.  Terry explained that since the phase
oscillations from my scheme are also symmetrical it did not prove that my
output was random.  A PRNG based on RDTSC has got to be better than one based on
a lava lamp though. :-)



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
