Cryptography-Digest Digest #532, Volume #14       Wed, 6 Jun 01 03:13:01 EDT

Contents:
  Re: Medical data confidentiality on network comms (wtshaw)
  Re: practical birthday paradox issues ("Dirk Bruere")
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Bow before your new master (Brent K Kohler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Medical data confidentiality on network comms (Richard D. Latham)
  Re: practical birthday paradox issues (Richard D. Latham)
  Re: And the FBI, too (Re: National Security Nightmare?) (Paul Crowley)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: PRP => PRF (TRUNCATE) (Gregory G Rose)
  Re: Bow before your new master ("Mike S.")
  Re: fast CTR like ciphers? ("Scott Fluhrer")
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki) (Eric Lee Green)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: Tue, 05 Jun 2001 20:39:43 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

...
> An emergency doctor may need some data while the patient
> isn't in a position to give authorization and the like.
> Once he gets that, it's difficult to prevent him from
> secretly using it in illegal ways. It's basically a trust
> that the patients have in the doctors in general. Note
> also that there are other persons that help them, e.g.
> the nurses etc. It would be extremely costly to absolutely
> block the possibility of leaking information in all
> situations, if that were technically possible at all. Thus
> an ideal tight protection is infeasible in my humble view.
> There are on the other hand ethical committees of
> organizations of doctors which deal with cases where some
> of them behave in bad ways. That takes care of the issues
> like the one you mentioned about publishing, if I don't err.
> 
> M. K. Shen

Patients should support ethical doctors as well.  While it is difficult
for them to openly punish those that aren't, with better communications,
those tempted to be up to no good should fear people finding out who did
what to whom and when.
-- 
Sign for the White House lawn: 

WARNING! Irresponsible Parents Live Here.

------------------------------

From: "Dirk Bruere" <[EMAIL PROTECTED]>
Subject: Re: practical birthday paradox issues
Date: Mon, 4 Jun 2001 03:58:18 +0100


"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Scott Fluhrer <[EMAIL PROTECTED]> wrote:
>
> [finding birthday collisions]
>
> : But, you say, isn't doing all that infeasible?  Yes, at current technology,
> : it is, and that is why NSA settled for 160 bits output for SHA-1...
>
> If the same rationale applies to SHA-256, SHA-384 and SHA-512
> [http://csrc.nist.gov/cryptval/shs.html] I fear there may have
> been some hardware breakthroughs behind closed doors ;-)

One might make a guess at h/w capability given that the old WW2 custom
electromech system was roughly as powerful as a Pentium 100MHz.

Dirk



------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 06 Jun 2001 03:16:23 GMT
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)

Tim Tyler [EMAIL PROTECTED] writes, in part:

>JPeschel <[EMAIL PROTECTED]> wrote:
>: Tim Tyler [EMAIL PROTECTED] writes, in part:
>
>:>OTPs do *not* have perfect secrecy if messages can be of varying lengths
>:>and the plaintexts and cyphertexts are of equal lengths.
>
>: I don't follow this. It sounds as if you are re-defining an OTP.
>
>What don't you follow about it?
>
>I'm talking about a system involving a one-time random key stream, XORing
>it with the plaintext, and producing a cyphertext the same length as
>the plaintext.

That's an OTP and its secrecy is perfect.

>I am claiming that the result does not have perfect secrecy - assuming a
>reasonable space of variable length files as possible messages.

What you've written immediately above suggests an additional property
for an OTP that leads me to believe you are re-defining OTPs.

>This is the system Tom is calling a OTP.  He uses it by analogy with CTR
>mode to claim that CTR mode is proven secure with small plaintexts.

Tom, I think, was using the accepted definition.

>I don't much mind what name is given to the system I described.
>I'm not trying to redefine anything.
>-- 

Names are important; otherwise no one will have a clue what you're talking
about.
If you insist upon an additional property that an OTP must possess, you
are re-defining it, and I am not sure why, or to what purpose.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Brent K Kohler <[EMAIL PROTECTED]>
Subject: Bow before your new master
Crossposted-To: 
alt.drugs.pot,sci.electronics.design,sci.electronics.repair,sci.environment
Date: 6 Jun 2001 04:17:30 GMT

That's right you stupid, inbred, homosexual, redneck, motherfucking,
brain dead, useless cocksuckers! I'm taking over all of Usenet! There
isn't a fucking thing you can do about it either! You're all a bunch
of worthless scum bags, and now you will all answer to me! If you
don't like this fact TOO FUCKING BAD! You think you've had trouble
with kooks before? You aint seen nothing yet! I will go down in the
annals of history as the man who brought you to your knees! Now get
down on your knees and pay proper tribute to my glorious self! While
you're down there SUCK MY COCK! I know you want to!

I AM BRENT K KOHLER LORD AND HIGH MASTER OF USENET!

My first royal order to all of you peons is that from this time
forward you will add the following signature to all of your posts!


   ***** This was posted with the express permission of *****
   **********************************************************
   **  HIS HIGHNESS BRENT KOHLER LORD AND MASTER OF USENET **
   **********************************************************
   *********** We are simple servants of his will ***********


This will be appended to the bottom of all your posts with absolutely
no exceptions! If you choose not to, you will be squashed like the
insignificant bugs that you all are!

I am running Usenet now! You may only post messages because I for
the time being am allowing it! Do you faggots understand me!

THIS IS THE DAWNING OF THE AGE OF BRENT!

ALL HAIL BRENT K KOHLER LORD AND HIGH MASTER OF USENET!




------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 6 Jun 2001 04:47:28 GMT

[EMAIL PROTECTED] (JPeschel) wrote in
<[EMAIL PROTECTED]>: 


>If you insist upon an additional property that an OTP must possess, you
>are re-defining it, and I am not sure why, or to what purpose.
>

  Actually I am beginning to think you don't know what a
OTP is for perfect security.  If one can limit the set
of messages to N bits then you use XOR with the pad
to create messages of all the same lengths. That would be
N in this case. If one has many messages of different lengths
and you use an OTP for example to XOR with the short messages
and send that, you have just limited the possible messages to
a subset of the possible messages you may wish to send.
Joe, look it up. Ask Casmir.
 Perfect security is a far stronger requirement where no possible
messages one wants to be encrypted can be eliminated. If you
only match the length of variable messages you have eliminated
the possibility of the other messages being encrypted.
Has Tom confused you?

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: [EMAIL PROTECTED] (Richard D. Latham)
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: 05 Jun 2001 22:46:32 -0600

[EMAIL PROTECTED] (wtshaw) writes:

> In article <OaVR6.45$Ij4.774@burlma1-snr2>, Barry Margolin
> <[EMAIL PROTECTED]> wrote:
> 
> > What if someone who has legitimate need to access the information
> > (e.g. your doctor) decides to use it for personal gain?  The system can't
> > tell *why* someone is accessing data, and it can't control what they do
> > with it once they have it.  So a doctor could get the information while
> > he's treating you, which most people feel is justified, and then publish
> > details of your condition in a journal article.  There's nothing that
> > technology can do to prevent that.
> > 
> If my doctor violated his position, he would have to answer for it to me. 
> I try to deal with trustworthy people to start with, and most
> professionals are.  
> 
> The answer to securing data is to present a low profile, support better
> security, and expose deficient data storage.  These are areas that medical
> professionals are apt to not be experts at, so it is our job to support
> healthy computer systems as it is theirs to support healthy bodies.
> -- 

Do you have an opinion on the new HCFA security regulations?

-- 
#include  <disclaimer.std>    /* I don't speak for IBM ...           */
                              /* Heck, I don't even speak for myself */
                              /* Don't believe me ? Ask my wife :-)  */
Richard D. Latham   [EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (Richard D. Latham)
Subject: Re: practical birthday paradox issues
Date: 05 Jun 2001 22:48:49 -0600

"Dirk Bruere" <[EMAIL PROTECTED]> writes:

> "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Scott Fluhrer <[EMAIL PROTECTED]> wrote:
> >
> > [finding birthday collisions]
> >
> > : But, you say, isn't doing all that infeasible?  Yes, at current technology,
> > : it is, and that is why NSA settled for 160 bits output for SHA-1...
> >
> > If the same rationale applies to SHA-256, SHA-384 and SHA-512
> > [http://csrc.nist.gov/cryptval/shs.html] I fear there may have
> > been some hardware breakthroughs behind closed doors ;-)
> 
> One might make a guess at h/w capability given that the old WW2 custom
> electromech system was roughly as powerful as a Pentium 100MHz.
> 
> Dirk
> 

Surely you jest?

The WW2 custom electromech system probably wasn't nearly as powerful
as the keyboard controller in the $10 keyboard attached to a 100MHz
Pentium.

-- 
#include  <disclaimer.std>    /* I don't speak for IBM ...           */
                              /* Heck, I don't even speak for myself */
                              /* Don't believe me ? Ask my wife :-)  */
Richard D. Latham   [EMAIL PROTECTED]

------------------------------

Crossposted-To: talk.politics.crypto
Subject: Re: And the FBI, too (Re: National Security Nightmare?)
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Wed, 06 Jun 2001 05:33:42 GMT

David Schwartz <[EMAIL PROTECTED]> writes:

> "SCOTT19U.ZIP_GUY" wrote:
> 
> > Well there are many NSA's how do you know its the spook one.
> > Just as many may think NBA has something to do with basket ball.
> > But if you from Nevada think brothels.
> 
>       In my experience, NSA people aren't too keen about exposing themselves
> as such outside of DoD facilities.

His badge read "Paul Timmel, National Security Agency", and the
attenders list gave his address as Ft Meade and his email address as
[EMAIL PROTECTED]  You could probably phone Ft Meade and ask to be
put through to him.  Others wore badges that read just "NSA" or
"Department of Defence".  NSA employees have been openly attending
crypto conferences wearing similar delegate badges for decades.
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
"Conservation of angular momentum makes the world go around" - John Clark

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 06 Jun 2001 05:45:44 GMT
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)

>[EMAIL PROTECTED]  (SCOTT19U.ZIP_GUY) writes:


>Actually I am beginning to think you don't know what a
>OTP is for perfect security.  If one can limit the set
>of messages to N bits then you use XOR with the pad
>to create messages of all the same lengths. That would be
>N in this case. If one has many messages of different lengths
>and you use an OTP for example to XOR with the short messages
>and send that, you have just limited the possible messages to
>a subset of the possible messages you may wish to send.
>Joe, look it up. Ask Casmir.
> Perfect security is a far stronger requirement where no possible
>messages one wants to be encrypted can be eliminated. If you
>only match the length of variable messages you have eliminated
>the possibility of the other messages being encrypted.
>Has Tom confused you?

Nope, you two cats -- you and Tim -- appear to have added more
constraints to what constitutes a one-time pad. If you haven't
added more, tell me where I can look up and find your definition
of a one-time pad -- uh,  somewhere other than Tim's and your posts. :-)

Joe


__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________
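The point the thread keeps circling is whether an XOR pad that leaves the ciphertext as long as the plaintext meets Shannon's perfect-secrecy condition when messages vary in length. As an added illustration (not code from any poster), the block below checks that condition by brute force over a constructed toy message space: it enumerates every pad, computes P(m | c) exactly, and compares it with the prior; the message spaces and the `pad_to` scheme are my own constructions.

```python
"""Added example, not code from any poster in this thread: a brute-force
check of Shannon's perfect-secrecy condition for a one-time pad over a
constructed toy message space of short bit strings.

A scheme is perfectly secret if, for every ciphertext c that can occur,
P(m | c) equals the prior P(m) for every message m. We compute P(m | c)
by enumerating every pad of the right length, with no shortcut reasoning."""
from fractions import Fraction
from itertools import product

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings: the one-time-pad operation."""
    if len(a) != len(b):
        raise ValueError("pad and plaintext must have the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def all_pads(n: int):
    """Every n-bit pad; a true one-time pad picks one of these uniformly."""
    return ["".join(bits) for bits in product("01", repeat=n)]

def posterior(ciphertext: str, message_space):
    """P(m | ciphertext) for each m, with a uniform prior over message_space,
    a uniform pad of len(m) bits, and ciphertext = m XOR pad (no length change).
    P(m) cancels in the normalisation, so each weight is just P(ciphertext | m)."""
    weights = {}
    for m in message_space:
        hits = sum(1 for pad in all_pads(len(m)) if xor_bits(m, pad) == ciphertext)
        weights[m] = Fraction(hits, 2 ** len(m))
    total = sum(weights.values())
    return {m: w / total for m, w in weights.items()}

def candidates(ciphertext: str, message_space):
    """Messages an observer cannot rule out after seeing the ciphertext."""
    return [m for m, p in posterior(ciphertext, message_space).items() if p > 0]

def is_perfectly_secret(message_space) -> bool:
    """True iff every reachable ciphertext leaves the posterior equal to the prior."""
    prior = Fraction(1, len(message_space))
    reachable = {xor_bits(m, pad) for m in message_space for pad in all_pads(len(m))}
    for c in reachable:
        if any(p != prior for p in posterior(c, message_space).values()):
            return False
    return True

def pad_to(m: str, n: int) -> str:
    """Unambiguous length padding (constructed scheme): a 1 bit, then 0s up to n bits."""
    if len(m) >= n:
        raise ValueError("message too long for the fixed length")
    return m + "1" + "0" * (n - len(m) - 1)

# Constructed message spaces, kept tiny so the enumeration is exhaustive.
FIXED_SPACE = ["".join(b) for b in product("01", repeat=3)]   # every 3-bit message
MIXED_SPACE = ["0", "1", "00", "01", "10", "11"]               # 1- and 2-bit messages
PADDED_SPACE = [pad_to(m, 3) for m in MIXED_SPACE]             # MIXED_SPACE padded to 3 bits

if __name__ == "__main__":
    print("fixed-length space perfectly secret:", is_perfectly_secret(FIXED_SPACE))
    print("mixed-length space perfectly secret:", is_perfectly_secret(MIXED_SPACE))
    print("candidates for ciphertext 01 in mixed space:", candidates("01", MIXED_SPACE))
    print("padded space perfectly secret:", is_perfectly_secret(PADDED_SPACE))
```

With the mixed-length space the posterior for every message of a different length drops to zero, which is the elimination Scott describes; padding everything to a common length before XORing restores the equality with the prior.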


------------------------------

From: [EMAIL PROTECTED] (Gregory G Rose)
Subject: Re: PRP => PRF (TRUNCATE)
Date: 5 Jun 2001 22:49:07 -0700

In article <VC2T6.31386$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
>Reading the paper David pointed to a bit ago I see they have one way to go
>from PRP to PRF by truncating bits of the output.
>
>Obviously there will be a lot of PRPs that make the same PRF.  Wouldn't a
>better method of truncating be reducing modulo a prime?
>
>I.e. if you want a four bit PRF you do (PRP mod 17) mod 16 = PRF.  That way
>the higher order bits will affect the output.  Did I misunderstand the
>original intent?

As well as the particular problem Scott Fluhrer
pointed out, I have another observation that I
think constitutes a problem with the basic
truncation scheme.

A PRP (by definition) produces every output value
in its range once, and only once, if you enumerate
the possible inputs. Now ignore for a moment that
a PRF need not have a restricted domain, and
assume the same set of 2^N inputs (N-bit inputs
and outputs). Then *on average* each output
appears once. But if the PRF is for real,
approximately 1/e of the outputs won't appear at
all, and some will appear multiple times. (If I
recall correctly, the number of occurrences of a
particular value is Poisson distributed, but don't
hold me to that...)

This difference still applies as you truncate the
output of a PRP. For example, take the silly case
where you just drop one bit. Now each output value
appears exactly twice for a PRP, and on average
twice for a PRF, but sometimes *more* than twice.
As soon as you notice a value appear three times,
you know that it was a truncated PRF. Conversely,
based on the expected distribution of outputs,
when you have enough inputs and have *not* seen a
distribution anomaly, you know you were truncating
a PRP, not a PRF.

The more you truncate the PRP, the closer the output
appears to be a PRF in its own right. I wonder
what the actual tradeoffs are?

Greg.
-- 
Greg Rose                                       INTERNET: [EMAIL PROTECTED]
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/ 
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
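The distinguisher Greg sketches (every value exactly twice after dropping one bit of a permutation, versus occasional triples and about 1/e missing values for a random function) is easy to see over a full input set small enough to enumerate. The block below is an added simulation, not Greg's or any other poster's code; the permutation and function tables are constructed from a seeded PRNG and stand in for an ideal PRP and PRF.

```python
"""Added example, not Greg Rose's or any other poster's code: a simulation of
the distinguisher sketched above. A permutation on N bits hits every output
exactly once, so after dropping k output bits every value appears exactly
2**k times; a random function has no such constraint, some values appear
more often, and about 1/e of the full-width values never appear at all.
Both tables are constructed toys from a seeded PRNG, not real ciphers."""
import math
import random
from collections import Counter

N_BITS = 12                     # 4096 inputs: small enough to enumerate fully
_rng = random.Random(20010606)  # fixed seed so the run is reproducible

def random_permutation(n_bits: int, rng) -> list:
    """Stand-in for an ideal PRP: a uniformly random permutation table."""
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    return table

def random_function(n_bits: int, rng) -> list:
    """Stand-in for an ideal PRF: each output drawn independently at random."""
    return [rng.randrange(1 << n_bits) for _ in range(1 << n_bits)]

def truncate(table: list, drop_bits: int) -> list:
    """The PRP->PRF construction under discussion: discard low output bits."""
    return [v >> drop_bits for v in table]

def multiplicity_profile(table: list) -> dict:
    """How many output values appear once, twice, three times, ..."""
    return dict(Counter(Counter(table).values()))

def max_multiplicity(table: list) -> int:
    return max(Counter(table).values())

def missing_fraction(table: list, n_bits: int) -> float:
    """Fraction of the 2**n_bits possible outputs that never appear."""
    return 1 - len(set(table)) / (1 << n_bits)

def consistent_with_truncated_prp(table: list, drop_bits: int) -> bool:
    """Greg's test: a PRP truncated by drop_bits bits can repeat no output more
    than 2**drop_bits times over the full input set. Any value seen more often
    proves the underlying object was not a permutation; seeing no such anomaly
    after all inputs is what a truncated PRP produces."""
    return max_multiplicity(table) <= (1 << drop_bits)

PRP_FULL = random_permutation(N_BITS, _rng)
PRF_FULL = random_function(N_BITS, _rng)
PRP_TRUNC = truncate(PRP_FULL, 1)   # 11-bit outputs, each exactly twice
PRF_TRUNC = truncate(PRF_FULL, 1)   # 11-bit outputs, twice on average

if __name__ == "__main__":
    print("PRF missing fraction %.3f vs 1/e = %.3f"
          % (missing_fraction(PRF_FULL, N_BITS), 1 / math.e))
    print("truncated PRP profile:", multiplicity_profile(PRP_TRUNC))
    print("truncated PRF profile:", multiplicity_profile(PRF_TRUNC))
    print("PRP passes Greg's test:", consistent_with_truncated_prp(PRP_TRUNC, 1))
    print("PRF passes Greg's test:", consistent_with_truncated_prp(PRF_TRUNC, 1))
```

Comparing `multiplicity_profile(truncate(PRP_FULL, k))` with the PRF's profile for growing k shows the trade-off Greg asks about: the permutation's rigid 2**k-per-value structure only becomes invisible once you have far fewer inputs than the 2**(N-k) truncated outputs.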

------------------------------

From: "Mike S." <[EMAIL PROTECTED]>
Crossposted-To: 
alt.drugs.pot,sci.electronics.design,sci.electronics.repair,sci.environment
Subject: Re: Bow before your new master
Date: Wed, 06 Jun 2001 06:15:29 GMT

> I AM BRENT K KOHLER LORD AND HIGH MASTER OF USENET!

Well, boys and girls, this is what happens when you don't
lock your screen and you work with a bunch of juvenile
delinquents.  Get up to use the can for just a minute and
they're spamming Usenet using your account...

It was kinda funny from a psychology perspective how the
poster was trying to inflame as many people as possible
with their shocking statement and language.  Surprisingly,
this message was fairly well composed by Usenet standards,
if you take into account the on-purpose attempts at sounding
redneck and inflaming readers.  Quite the irony...





------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: fast CTR like ciphers?
Date: Tue, 5 Jun 2001 23:00:47 -0700


Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:s0gT6.40533$[EMAIL PROTECTED]...
>
> "Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
> news:9fk1i4$aaf$[EMAIL PROTECTED]...
> >
> > Tom St Denis <[EMAIL PROTECTED]> wrote in message
> > news:TsbT6.37526$[EMAIL PROTECTED]...
> > >
> > > "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> > > news:U_aT6.37003$[EMAIL PROTECTED]...
> > > > I was just thinking.  It's probably very easy to make a super-fast cipher
> > > > that's made for one-way encryption for CTR modes....?
> > > >
> > > > We could make a UFN which favors the encryption direction for diffusion
> > > > and designed to be fast?
> > >
> > > Just to start the discussion I have a toy cipher (designed in all of five
> > > mins) that we can use as a model of discussion.
> > >
> > > I call it MUD for "Mirky UnderDeveloped".  It's not intended for real
> > > use....
> > >
> > > It's somewhat fast and on 8-bit CPUs would be a dream to implement.  The
> > > idea is that the cipher is used in CTR mode only so the decryption is
> > > neither required nor provided.  The cipher is designed such that going from
> > > plaintext to ciphertext is secure but not the vice versa...
> > >
> > > http://tomstdenis.home.dhs.org/src/mud.c
> >
> > Could you double-check the URL?  I'm getting errors.
>
> Stupid windows... arrg I think my server was not running try
>
> http://24.112.8.23:8080/src/mud.c
>
> BTW the design is not supposed to be secure.  So I won't be surprised if you
> break it.
>
> The point of posting this is to highlight a new design philosophy.  The idea
> is we want a block cipher where we can sacrifice a lot as long as the
> encryption routine is secure.  I.e. guessing the output is hard without the
> key.
Actually, it looks pretty vanilla -- what's the different philosophy?

>
> The idea is that the cipher will be used in either a hash or CTR mode of
> operation.
>
> The example I posted was a simple UFN with an 8-bit round function.  It's
> most likely not secure (although I can't see obvious breaks I bet they will
> come of the form of either some impossible differential or differential that
> simply cancels out and has little active sboxes).
It looks vulnerable to a differential going in the backwards (decrypt)
direction.  And, with sufficient (O(2**28)) known plaintexts, you're likely
to be able to find a pair of ciphertexts with the right starting
differential.

--
poncho




------------------------------

From: [EMAIL PROTECTED] (Eric Lee Green)
Subject: Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 06 Jun 2001 06:21:51 GMT

On Tue, 5 Jun 2001 14:51:42 GMT, Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>Tom St Denis wrote:
[Long discourse on primes]

You know you're in a crypto group when the group's response to a
spammer is a long discourse on proof techniques and prime numbers :-). 


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************