Cryptography-Digest Digest #565, Volume #14 Fri, 8 Jun 01 08:13:01 EDT
Contents:
Re: MD5 for random number generation? (Tim Tyler)
Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
Re: MD5 for random number generation? ("Tom St Denis")
Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
Re: Best, Strongest Algorithm (gone from any reasonable topic) ("Tom St Denis")
Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
Re: Best, Strongest Algorithm (gone from any reasonable topic) ("Tom St Denis")
Re: Best, Strongest Algorithm (gone from any reasonable topic) ("Tom St Denis")
Re: Some questions on GSM and 3G (Arturo)
Re: Some questions on GSM and 3G (Arturo)
Re: National Security Nightmare? (Derek Bell)
----------------------------------------------------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: MD5 for random number generation?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 11:11:52 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
:> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> :> : No PRNG is ever secure if the initial seed is compromised. The seed
:> :> : is what determines the PRNG output...
:> :>
:> :> Security in the face of state compromise is a very important part of
:> :> what forward secrecy in RNGs is all about.
:>
:> : Yes. And my PRNG I proposed is forward secure.
:>
:> : H[i] = HASH(SEED || I)
:>
:> : Suppose you guess H[i], how do you get H[i+1] or H[i-1]?
:>
:> You don't.
:>
:> However, say someone breaks into your office and wanders out with i and
:> SEED.
:>
:> With this information they have access to all the past outputs of the RNG.
:>
:> This is known as a "backtracking attack" - and can be of significance if
:> the RNG is used for key generation - since you don't want numerous past
:> keys to be compromised by a single lapse of security on some future date.
:>
:> Backtracking attacks can be prevented - they are not inherent in all
:> PRNGs.
: Which is why (if you well I dunno, ... er ... um READ MY ENTIRE POST) would
: have found that I said you should reset the seed whenever you make a new
: key. That way "wandering into the office to get SEED" will be a useless
: venture.
A commendable approach - if you have lots of suitable seed material to hand.
:> :> As for backward secrecy - this is (as I mentioned) impossible in a PRNG
:> :> whose state has been compromised. However, the OP never mentioned
:> :> PRNGs.
:>
:> : Are you sure? Read the subject line!
:>
:> I see an R, an N and a G there - but can see no sign of a P.
:>
:> While concealing the forward evolution of a PRNG is impossible in the face
:> of state compromise, this is not true of other types of random number
:> generator.
: Um MD5 for RNG. The OP is a newbie and used the wrong term. MD5 cannot be
: used to make an RNG at all.
I don't know about MD5 - but SHA-1 can be (and has been) used to make a RNG:
See Yarrow: http://www.counterpane.com/yarrow.html
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 11:26:16 GMT
Vincent Quesnoit <[EMAIL PROTECTED]> wrote:
: Tim Tyler a écrit :
:> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
:>
:> : I was referring to the following that you wrote previously:
:>
:> : Yes it is. Consider BICOM for example. It can map a
:> : 8 bit cyphertext to one of some 2^128 plaintexts -
:> : considerably more than your figure of 2^8.
:>
:> : Does the 2^128 come from using a 128 bit key for the
:> : AES in it and there are 2^128 possible keys for AES?
:>
:> Yes.
: I am puzzled, I thought AES was a block cypher which could not produce a
: cypher text smaller than its own blocksize. Do you mean that AES can
: decrypt one byte and produce a 16 byte output ?
Yes.
I composed an extensive reply to Mark Wooding on that question.
He asked:
Now I'm very confused. You can't get a one-byte ciphertext out of a
128-bit block cipher in CBC mode. There's nowhere to put an IV, for one
thing.
I replied with the following:
Firstly, Rijndael doesn't use an random IV. It uses a fixed one which is
(I believe) wired into the algorithm.
In order to disguise the first blocks of the message it uses a whitening
step, which preprocesses the plaintext by appling unkeyed diffusion to the
first few K of the plaintext - not /quite/ the same as an IV - but good
enough for many purposes.
Now, about how BICOM gets a 1-byte output from Rijndael output while
remaining invertible and bijective:
I won't describe how it /actually/ does it (though see the end of the
post) - but instead I'll tell a simplified story that indicates how it is
possible.
First the set of all byte granular plaintexts is transformed to the set of
128-bit granular messages using a bijection between these two sets.
[e.g. number the elements in each set, smallest first, and map between
elements which are given the same number].
Then that is fed through Rijndael in CBC mode, with a fixed IV.
Then the above bijection is applied in reverse, from the set of 128-bit
granular files to the set of 8-bit granular ones.
The result will sometimes be a single byte.
The BICOM page has actual details:
http://www3.sympatico.ca/mtimmerm/bicom/bicom.html
To quote the explanation of what it's /actually/ doing from there:
``The bijective arithmetic encoder produces an intermediate representation
called a finitely odd stream -- it is an infinitely long sequence of
bits, but with the last 1 bit at a position finitely far from the
beginning, i.e., it is a finite sequence of 0s and 1s, followed by an
infinite sequence of 0s. [...]
``When a passphrase is specified, bicom encrypts (or decrypts) this
intermediate representation using the currently proposed AES cipher,
Rijndael, in CBC mode with a constant initial value and whitening of the
first 16K. Because the finitely odd stream is infinitely long, and all
bits are significant to the output, you can encrypt any part of it
without affecting the bijective nature of the compressor. David Scott
provided the idea of encrypting all but the final 1 bit in this stream,
possibly using overlapping blocks at the end. The result is that all
significant bits of the file are encrypted, with no known or biased
plaintext.''
Hope that helps.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: MD5 for random number generation?
Date: Fri, 08 Jun 2001 11:34:31 GMT
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
> :> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
> :> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> :> :> : No PRNG is ever secure if the initial seed is compromised. The
seed
> :> :> : is what determines the PRNG output...
> :> :>
> :> :> Security in the face of state compromise is a very important part of
> :> :> what forward secrecy in RNGs is all about.
> :>
> :> : Yes. And my PRNG I proposed is forward secure.
> :>
> :> : H[i] = HASH(SEED || I)
> :>
> :> : Suppose you guess H[i], how do you get H[i+1] or H[i-1]?
> :>
> :> You don't.
> :>
> :> However, say someone breaks into your office and wanders out with i and
> :> SEED.
> :>
> :> With this information they have access to all the past outputs of the
RNG.
> :>
> :> This is known as a "backtracking attack" - and can be of significance
if
> :> the RNG is used for key generation - since you don't want numerous past
> :> keys to be compromised by a single lapse of security on some future
date.
> :>
> :> Backtracking attacks can be prevented - they are not inherent in all
> :> PRNGs.
>
> : Which is why (if you well I dunno, ... er ... um READ MY ENTIRE POST)
would
> : have found that I said you should reset the seed whenever you make a new
> : key. That way "wandering into the office to get SEED" will be a useless
> : venture.
>
> A commendable approach - if you have lots of suitable seed material to
hand.
Um, know any other solution?
> :> :> As for backward secrecy - this is (as I mentioned) impossible in a
PRNG
> :> :> whose state has been compromised. However, the OP never mentioned
> :> :> PRNGs.
> :>
> :> : Are you sure? Read the subject line!
> :>
> :> I see an R, an N and a G there - but can see no sign of a P.
> :>
> :> While concealing the forward evolution of a PRNG is impossible in the
face
> :> of state compromise, this is not true of other types of random number
> :> generator.
>
> : Um MD5 for RNG. The OP is a newbie and used the wrong term. MD5 cannot
be
> : used to make an RNG at all.
>
> I don't know about MD5 - but SHA-1 can be (and has been) used to make a
RNG:
> See Yarrow: http://www.counterpane.com/yarrow.html
Yarrow is in fact a PRNG. In fact it's a cipher in CTR mode. It uses the
hash to make the 3DES key.
Tom
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 11:28:26 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> : "SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
:>
:> :> [...] if your set is a bunch of different
:> :> length messages just XOR and sending then where you always
:> :> have more than one possible message for a given length you
:> :> may "have some security" but some is not the same as "perfect"
:> :> since you have many messages from your input set that have
:> :> been iliminated.
:>
:> : That doesn't matter at all. Even if you know the original message
:> : occupied 128 bits but there are only 13 possible remaining messages
:> : it's still perfectly secure. Since the remaining messages have a
:> : 1/13 chance of being the correct one you can't tell the correct one
:> : from a false one.
:>
:> Except for the fact that they are different lengths - so regardless of
:> the probability of their arising as plaintexts, you can easily distinguish
:> them if given a corresponding cyphertext.
: No I was talking about 13 possible messages of 16 chars.
In which case you didn't properly take David's:
``if your set is a bunch of different length messages''
...premise (quoted above) into account.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 11:37:22 GMT
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Vincent Quesnoit <[EMAIL PROTECTED]> wrote:
> : Tim Tyler a écrit :
>
> :> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> :>
> :> : I was referring to the following that you wrote previously:
> :>
> :> : Yes it is. Consider BICOM for example. It can map a
> :> : 8 bit cyphertext to one of some 2^128 plaintexts -
> :> : considerably more than your figure of 2^8.
> :>
> :> : Does the 2^128 come from using a 128 bit key for the
> :> : AES in it and there are 2^128 possible keys for AES?
> :>
> :> Yes.
>
> : I am puzzled, I thought AES was a block cypher which could not produce a
> : cypher text smaller than its own blocksize. Do you mean that AES can
> : decrypt one byte and produce a 16 byte output ?
>
> Yes.
> I composed an extensive reply to Mark Wooding on that question.
>
> He asked:
>
> Now I'm very confused. You can't get a one-byte ciphertext out of a
> 128-bit block cipher in CBC mode. There's nowhere to put an IV, for one
> thing.
>
> I replied with the following:
>
> Firstly, Rijndael doesn't use an random IV. It uses a fixed one which is
> (I believe) wired into the algorithm.
That's nonce. CBC is a mode (and not bad radio station mind you) of
operation. It has no ties into AES other than AES can be used in CBC mode.
To say the IV is fixed is meaningless.
> In order to disguise the first blocks of the message it uses a whitening
> step, which preprocesses the plaintext by appling unkeyed diffusion to the
> first few K of the plaintext - not /quite/ the same as an IV - but good
> enough for many purposes.
What are you talking about? CBC works like this
1. Get key and make random IV
2. C[-1] = IV
3. Encrypt C[i] = Ek(P[i] xor C[i - 1])
<snip rest>
I dunno what you are talking about in this post but it is not CBC.
Tom
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 11:31:54 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
["yes" or "no" example]
[...]
:> : It proves nothing.
:>
:> That single example proves that the OTP is vulnerable to attack
:> if plaintext length is equal to cyphertext length, and plaintext lengths
:> can vary.
:>
:> If you don't think it proves anything, you need to re-examine your idea of
:> proof.
: No, you didn't prove that an OTP can be insecure. You proved that a
: cryptosystem using an OTP can be vulnerable.
: Just like I said RSA with a 32-bit composite is vulnerable. That doesn't
: mean RSA is weak, it means the system is.
: Fundamentally an OTP is a decorrelated linear function, from a math point
: it's easy to prove it's secure.
It won't have perfect secrecy if it has to encypher variable length
plaintexts to cyphertexts of the same length. There will be better
systems. I wouldn't dream of calling it perfect.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 11:39:19 GMT
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
> :> : "SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
> :>
> :> :> [...] if your set is a bunch of different
> :> :> length messages just XOR and sending then where you always
> :> :> have more than one possible message for a given length you
> :> :> may "have some security" but some is not the same as "perfect"
> :> :> since you have many messages from your input set that have
> :> :> been iliminated.
> :>
> :> : That doesn't matter at all. Even if you know the original message
> :> : occupied 128 bits but there are only 13 possible remaining messages
> :> : it's still perfectly secure. Since the remaining messages have a
> :> : 1/13 chance of being the correct one you can't tell the correct one
> :> : from a false one.
> :>
> :> Except for the fact that they are different lengths - so regardless of
> :> the probability of their arising as plaintexts, you can easily
distinguish
> :> them if given a corresponding cyphertext.
>
> : No I was talking about 13 possible messages of 16 chars.
>
> In which case you didn't properly take David's:
>
> ``if your set is a bunch of different length messages''
>
> ...premise (quoted above) into account.
Yes, I agree wholeheartedly if you have a system where you can/will only
send 13 messages of all different lengths and the attacker knows the
messages AND their lengths then it's a bust.
Yes, I agree if you use RSA with a 32-bit composite you can attack it easily
on a home PC.
See the parallel?
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 11:41:53 GMT
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> ["yes" or "no" example]
>
> [...]
>
> :> : It proves nothing.
> :>
> :> That single example proves that the OTP is vulnerable to attack
> :> if plaintext length is equal to cyphertext length, and plaintext
lengths
> :> can vary.
> :>
> :> If you don't think it proves anything, you need to re-examine your idea
of
> :> proof.
>
> : No, you didn't prove that an OTP can be insecure. You proved that a
> : cryptosystem using an OTP can be vulnerable.
>
> : Just like I said RSA with a 32-bit composite is vulnerable. That
doesn't
> : mean RSA is weak, it means the system is.
>
> : Fundamentally an OTP is a decorrelated linear function, from a math
point
> : it's easy to prove it's secure.
>
> It won't have perfect secrecy if it has to encypher variable length
> plaintexts to cyphertexts of the same length. There will be better
> systems. I wouldn't dream of calling it perfect.
Aha, fallacy! Now for the kill.
an OTP is not a cryptosytem! Shazam you proved my point.
an OTP is just an algorithm just like RSA.
It's how you use the OTP that matters in terms of security.
In the contrived "yes" vs "no" case you could simply always send four byte
blocks (null padded). That would then be provably secure. Hence an OTP
can be made into something perfectly secure. Of course in this case you
could aim to keep your job by not wasting 31 bits of the pad!
You have to design the cryptosystem for your task.
Tom
------------------------------
From: Arturo <aquiranNO$[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: Re: Some questions on GSM and 3G
Date: Fri, 08 Jun 2001 13:09:43 +0200
On Fri, 8 Jun 2001 00:16:47 +0000 (UTC), [EMAIL PROTECTED] (David
Wagner) wrote:
>Arturo wrote:
>> - It seems like the GSM consortium is updating its algorithms: COMP128-2
>>(to replace COMP128) and A5/3 (a stronger version than A5/1). Anybody got
>>confirmation?
>
>I've found a number of official GSM documents discussing this, so I
>presume it is coming, but I don't know first-hand. I just did a google
>search (or maybe I looked through the GSM documents available online at
>ETSI, I can't remember).
>
>I hope you'll post a summary of what information you were able to find!
I asked the GSM consortium and was told they can´t say anything to me.
If I get any more info, I´ll surely post it.
BTW, had any idea of what happened to the www.scard.org website? I
haven´t been able to access it for some time.
------------------------------
From: Arturo <aquiranNO$[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: Re: Some questions on GSM and 3G
Date: Fri, 08 Jun 2001 13:08:28 +0200
On Fri, 08 Jun 2001 10:09:07 +0200, Mok-Kong Shen <[EMAIL PROTECTED]>
wrote:
>
>Gregory G Rose wrote:
>>
>[snip]
>> There is a corresponding set of algorithms called
>> Milenage (the name appears to be a Francophone
>> in-joke, I don't know what it means) that are
>> based on Rijndael, to be used for UMTS and GERAN.
>> Again, that specification is available off the
>> above URL.
>
>Does this imply that there would be a free choice
>between Kasumi and AES? Thanks.
>
>M. K. Shen
AFAIK, Kasumi is to be used for UMTS as the encryption and
authentication, and Milenage (the AKA+integrity algo set) is based on Rijndael,
though specifications state that just about any 128 bit block cipher will do. I
think A5/3 will also include Rijndael (a personal speculation).
------------------------------
From: Derek Bell <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: 8 Jun 2001 13:08:03 +0100
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Well, if there is a UFO cover-up, they have also managed to hide
: it from people with *very* extensive access to intelligence archives.
Amusingly enough, some UFO fanatics have claimed the Dundee
Society worked on UFOs!
Derek
--
Derek Bell [EMAIL PROTECTED] |"Usenet is a strange place."
WWW: http://www.maths.tcd.ie/~dbell/index.html| - Dennis M Ritchie,
PGP: http://www.maths.tcd.ie/~dbell/key.asc | 29 July 1999.
|
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
