Cryptography-Digest Digest #576, Volume #14       Sat, 9 Jun 01 21:13:01 EDT

Contents:
  Re: Differential cryptanalysis ("Adam O'Brien")
  Re: National Security Nightmare? (Jim D)
  Re: National Security Nightmare? (Jim D)
  Re: OTP WAS BROKEN!!! (Jim D)
  Re: Differential cryptanalysis ("Tom St Denis")
  Re: Brute-forcing RC4 (Ichinin)
  Re: Any Informed Opinions? ("Jeffrey Walton")
  Re: Unicity distance and compression for AES ([EMAIL PROTECTED])
  Encryption based password validation system? (phallen)
  Re: Encryption based password validation system? ("Tom St Denis")
  Re: Encryption based password validation system? ([EMAIL PROTECTED])
  Re: Shannon's definition of perfect secrecy (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? ("Tom St Denis")
  Re: cubing modulo 2^w - 1 as a design primitive? ("Tom St Denis")

----------------------------------------------------------------------------

From: "Adam O'Brien" <[EMAIL PROTECTED]>
Subject: Re: Differential cryptanalysis
Date: Sat, 09 Jun 2001 18:55:39 GMT

Sorry Tom, I still don't understand. What do A, B and x refer to, and how do
they relate to Sio and Sii in Table 5?
Adam
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:RAoU6.68230$[EMAIL PROTECTED]...
>
> "Adam O'Brien" <[EMAIL PROTECTED]> wrote in message
> news:0voU6.24565$[EMAIL PROTECTED]...
> > I'm reading Biham and Shamir's paper, Differential Cryptanalysis of DES-like
> > cryptosystems.
> > I can understand how to derive Table 5.
> > Can anyone help?
>
> Simple.
>
> You count how many times
>
> A = sbox[x] xor sbox[x xor B]
>
> For all A,B,x in the domain of the sbox.... i.e
>
> s = 0
> for x = 0 to N-1 do
>    if A = sbox[x] xor sbox[x xor B]
>        s = s + 1
>
> If you can support the memory you can write the code as
>
> for A = 0 to N-1 do
> for B = 0 to N-1 do
> for x = 0 to N-1 do
>    dt[B][sbox[x] xor sbox[x xor A]] += 1
>
> (where "a += 1" means "a = a + 1")
>
> Tom
>
>



------------------------------

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: National Security Nightmare?
Date: Sat, 09 Jun 2001 18:58:18 GMT
Reply-To: Jim D

On Sat, 09 Jun 2001 00:41:19 GMT, "Tom St Denis" <[EMAIL PROTECTED]>
wrote:

>
>"Jim D" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> On Fri, 08 Jun 2001 17:01:09 GMT, "Tom St Denis" <[EMAIL PROTECTED]>
>> wrote:
>>
>> >"A bunch of people is wrong".  Doesn't sound right since it is more than
>> >one person who is wrong.
>>
>> There's only one bunch.
>
>Yeah I agree the original is grammatically correct, it just doesn't sound
>right.

Quite so. 'the police have...', '...the government have...' is what you
usually hear. Grammatically wrong, but acceptably so.

-- 
______________________________________________

Posted by Jim D.

Propino tibi salutem !

jim @sideband.fsnet.co.uk
dynastic @cwcom.net
___________________________________

------------------------------

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: National Security Nightmare?
Date: Sat, 09 Jun 2001 18:58:19 GMT
Reply-To: Jim D

On Sat, 9 Jun 2001 13:05:09 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote:

>David Wagner <[EMAIL PROTECTED]> wrote:
>
>: In particular, I couldn't find any prohibition against the "GCHQ
>: backdoor", i.e., a gentleman's agreement between the NSA and GCHQ to
>: spy on each other's citizens and swap intercepts.  If it is the
>: policy of the NSA that such conduct is forbidden, how can I tell?
>
>I believe GCHQ does not need to go to any such lengths if it wants to
>spy on UK citizens.

GCHQ does not do so. Believe me. They have other things to waste
our money on.

Spying on UK citizens is done by the lying, blackmailing, murdering
outfit known as the Security Services (ex MI5).

-- 
______________________________________________

Posted by Jim D.

Propino tibi salutem !

jim @sideband.fsnet.co.uk
dynastic @cwcom.net
___________________________________

------------------------------

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: OTP WAS BROKEN!!!
Date: Sat, 09 Jun 2001 18:58:20 GMT
Reply-To: Jim D

On Sat, 09 Jun 2001 14:51:51 GMT, Charles Lyttle <[EMAIL PROTECTED]>
wrote:

>Al wrote:
>> 
>> Interesting...
>> Your replies seem to suggest that you think there is some merit in
>> what newbie says...
>> OTP is indistinguishable from completely randomly generated numbers,
>> even seemingly random typing of the upper row of numbers. This could
>> be any message shifted out mod 26, thats the point of this OTP thread.
>> Do you guys get out much?
>
>But your message wasn't completely randomly generated numbers, as Paul
>demonstrated. The second biggest problem with OTP is that it is very
>difficult to get a large quantity of true random numbers. 

Doesn't have to be. Need only be random enough so the cryptanalyst
can't/is unlikely to be able to predict the next key byte.

-- 
______________________________________________

Posted by Jim D.

Propino tibi salutem !

jim @sideband.fsnet.co.uk
dynastic @cwcom.net
___________________________________

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Differential cryptanalysis
Date: Sat, 09 Jun 2001 20:09:04 GMT


"Adam O'Brien" <[EMAIL PROTECTED]> wrote in message
news:LiuU6.26232$[EMAIL PROTECTED]...
> Sorry Tom I don't understand still. What do A,B and x refer to and how do
> they relate to Sio and Sii in Table 5.
> Adam

I don't have the paper handy, but in my example B is the output difference
and A is the input difference.

Tom

> "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> news:RAoU6.68230$[EMAIL PROTECTED]...
> >
> > "Adam O'Brien" <[EMAIL PROTECTED]> wrote in message
> > news:0voU6.24565$[EMAIL PROTECTED]...
> > > I'm reading Biham and Shamir's paper, Differential Cryptanalysis of DES-like
> > > cryptosystems.
> > > I can understand how to derive Table 5.
> > > Can anyone help?
> >
> > Simple.
> >
> > You count how many times
> >
> > A = sbox[x] xor sbox[x xor B]
> >
> > For all A,B,x in the domain of the sbox.... i.e
> >
> > s = 0
> > for x = 0 to N-1 do
> >    if A = sbox[x] xor sbox[x xor B]
> >        s = s + 1
> >
> > If you can support the memory you can write the code as
> >
> > for A = 0 to N-1 do
> > for B = 0 to N-1 do
> > for x = 0 to N-1 do
> >    dt[B][sbox[x] xor sbox[x xor A]] += 1
> >
> > (where "a += 1" means "a = a + 1")
> >
> > Tom
> >
> >
>
>

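Tom's two loops written out as runnable Python; this is an added example, not code from the thread. It indexes rows by the input difference and columns by the output difference, uses the 4-bit S-box of the PRESENT block cipher as sample input, and the helpers `best_differential` and `check_ddt` are additions of this example, not from the paper.

```python
"""Difference distribution table (DDT) of an S-box, as used in differential
cryptanalysis.  Rows are indexed by the input XOR difference dx, columns by
the output XOR difference dy; dt[dx][dy] is the number of inputs x with
S[x] ^ S[x ^ dx] == dy, so dt[dx][dy] / N is the probability that the
differential dx -> dy holds for a random input."""

# Sample input: the 4-bit S-box of the PRESENT block cipher (Bogdanov et al. 2007).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def count_pairs(sbox, dx, dy):
    """One table entry (Tom's first loop): how many x satisfy S[x] ^ S[x ^ dx] == dy."""
    return sum(1 for x in range(len(sbox)) if sbox[x] ^ sbox[x ^ dx] == dy)


def ddt(sbox):
    """Whole N x N table in a single pass over all (dx, x) pairs (Tom's second loop)."""
    n = len(sbox)
    if n == 0 or n & (n - 1):
        raise ValueError("S-box size must be a power of two for XOR differences")
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def best_differential(table):
    """Most probable non-trivial differential as (dx, dy, count) with dx != 0.
    count / N is the single-S-box probability a differential attack builds on."""
    n = len(table)
    best = (0, 0, -1)
    for dx in range(1, n):
        for dy in range(n):
            if table[dx][dy] > best[2]:
                best = (dx, dy, table[dx][dy])
    return best


def check_ddt(table):
    """Invariants every correctly built DDT satisfies; a failure means the
    table (or the S-box) is wrong.  For a bijective S-box the columns also
    sum to N, which is not checked here."""
    n = len(table)
    if table[0] != [n] + [0] * (n - 1):        # dx = 0 always gives dy = 0
        return False
    if any(sum(row) != n for row in table):    # every row counts all N inputs
        return False
    # x and x ^ dx land in the same cell, so every entry is even
    return all(v % 2 == 0 for row in table for v in row)


if __name__ == "__main__":
    t = ddt(PRESENT_SBOX)
    for dx, row in enumerate(t):
        print(f"{dx:x}: " + " ".join(f"{v:2d}" for v in row))
    dx, dy, cnt = best_differential(t)
    print(f"best differential {dx:x} -> {dy:x} holds {cnt}/{len(t)} of the time")
```

Feeding the identity S-box through `ddt` gives a table with N on the diagonal and zeros elsewhere, the worst possible case, which is a quick way to see what a large DDT entry means.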


------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Brute-forcing RC4
Date: Thu, 07 Jun 2001 15:20:38 +0200

David Wagner wrote:
> Intriguing question!  I don't know whether anyone has tested this,
> but it sounds like a plausible hypothesis.  One question, though, is
> how to mount a denial-of-service attack on a wireless network that is
> not publicly accessible.  How would you do this?

Well, here's my best speculation:

If the equipment is using end to end encryption, perhaps some
massive broadcast/multicast garbage could be injected onto the
equipment, blocking legitimate traffic, making the session(s)
drop - voilà: need to resync, and the IV is reset.

If it is end to end == I have NO clue.

.Reg's,
Ichinin

------------------------------

Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: Any Informed Opinions?
Date: Sat, 9 Jun 2001 17:47:13 -0400

: Mollin is making an unsubstantiatable claim, even allowing for the
: poor phrasing.

Sorry about that.  I wasn't trying to mislead anyone.

"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
: Dirk Bruere wrote:
: > There is a 'no cloning' theorem in QM which makes it secure. However, it is
: > known that QM is not the last word in descriptions of nature, especially
: > where the crucial 'measurement process' (collapse of the wave function) is
: > concerned. This is at the heart of quantum computing and is not understood,
: > despite plenty of speculation, including consciousness as the agent.
:
: It is well understood that the essential properties are unavoidable.
: Consciousness has nothing to do with it; that was the main point of
: Schroedinger's cat.
:
: > > A quantum computer will probably break all classical computer based
: > > cryptosystems.  Mollin, An Introduction to Cryptography, p.267.
:
: Mollin is making an unsubstantiatable claim, even allowing for the
: poor phrasing.



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Unicity distance and compression for AES
Date: Sat, 09 Jun 2001 13:09:58 -0800

Andreas Gunnarsson wrote:
> 
> On Sat, 9 Jun 2001 [EMAIL PROTECTED] wrote:
> 
> > The only way a compressor could *effectively* increase the unicity
> > distance is by having some mechanism for rejecting meaningless messages
> > in the original language as inputs.
> 
> Compression increases unicity distance by making probable messages shorter
> and making improbable messages longer. This increases the number of
> probable messages for a given length of the compressed data.
> 
>    Andreas
> 
> --
> Andreas Gunnarsson <[EMAIL PROTECTED]>
> +46 31 7014268

I concur that a compression algorithm that compressed messages
which are meaningful in the original language, and expanded messages
which are meaningless in the original language, would increase unicity
distance if only compressed messages were used as inputs to the
encryption algorithm.

It seems that one would have to demonstrate that only meaningful
messages are compressed in order to say that compression increases
unicity distance.

What isn't clear to me is how a compression algorithm can be intelligent
enough to distinguish "meaningful" from "meaningless" inputs (although
it would be easier if the compression algorithm knew the input language).

------------------------------

From: [EMAIL PROTECTED] (phallen)
Subject: Encryption based password validation system?
Date: 9 Jun 2001 15:09:20 -0700

Sorry folks, but I'm a newbie to crypto and security in general.

I've been thinking about a password validation system for a program
I'm writing and wanted to hear if you guys already knew about it.

Take some common piece of data, for example the phrase "The password
was correct", and encrypt it with a user's secret key.  All users
would have the same encrypted word, but each would be decrypted with
their password.

In other words, the password validation system would not require the
storage of the actual password; if the password is successfully used
to decrypt the "master word", then the password is correct.  A cracker
couldn't steal the passwords this way (never mind if people forget the
password for the moment.)

Make sense?  Been done?  Stupid idea?  

Thanks, 

 -- Joe

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Encryption based password validation system?
Date: Sat, 09 Jun 2001 22:19:10 GMT


"phallen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Sorry folks, but I'm a newbie to the crypto and security in general.
>
> I've been thinking about a password validation system for a program
> I'm writing and wanted to hear if you guys already knew about it.
>
> Take some common piece of data, for example the phrase "The password
> was correct", and encrypt it with a user's secret key.  All users
> would have the same encrypted word, but each would be decrypted with
> their password.
>
> In other words, the password validation system would not require the
> storage of the actual password; if the password is successfully used
> to decrypt the "master word", then the password is correct.  A cracker
> couldn't steal the passwords this way (never mind if people forget the
> password for the moment.)
>
> Make sense?  Been done?  Stupid idea?

Been done.  Simple solution.  Hash the passphrase.

Tom



------------------------------

Subject: Re: Encryption based password validation system?
From: [EMAIL PROTECTED]
Date: 09 Jun 2001 18:23:44 -0400

[EMAIL PROTECTED] (phallen) writes:
> 
> Take some common piece of data, for example the phrase "The password
> was correct", and encrypt it with a user's secret key.  All users
> would have the same encrypted word, but each would be decrypted with
> their password.

That has some problems. Specifically, the password is not needed to
complete an authentication--only the encrypted phrase. Which can be
intercepted by a man-in-the-middle.

If instead you have the server generate a random cookie and send it to
the user to encrypt and return, then there are still problems. For one,
the cookie and its encryption can be intercepted and used for an offline
brute-force crack. For another, the server might subvert your password
by sending chosen plaintexts instead of random cookies.

> In other words, the password validation system would not require the
> storage of the actual password...

In UNIX authentication, the password isn't stored. In most systems,
the password is encrypted using itself as a key, and the result compared
with the value in /etc/passwd. In some systems, the password is hashed,
and again the result is compared. (Note that Web applications usually
botch this, and store the password in the clear. That's a *major*
privacy violation: people reuse passwords.)

> (never mind if people forget the password for the moment.)

If people forget their password, you should generate a new one and store
its hash. The password should ideally be sent by snail mail, or else
by phone. Email is a very poor alternative, but better than any other
in-band alternatives.

> Make sense?  Been done?  Stupid idea?  

Look at SRP: <http://www-cs-students.stanford.edu/~tjw/srp/>. There are
lots of good resources reachable from there. They assume some crypto
knowledge, and I'm guessing you're an interested amateur (like me). Get
Bruce Schneier's book, ``Applied Cryptography'', to use as a reference.

Len.

-- 
``*All* the problems in NPC''? ``Solution to *even one* of them''? There
is, up to equivalence, only _one_ problem in NPC.
                                -- Dan Bernstein

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Shannon's definition of perfect secrecy
Date: Sun, 10 Jun 2001 01:03:30 +0200



"SCOTT19U.ZIP_GUY" wrote:
> 
>   Mok I am not sure you can follow English that is in the
> style of the 40's. But if you can. Read the images from the
> URL that Hopwood posted. It's quite clear possibly to even
> you. That the apparently common way of using an OTP does
> not contain "perfect security" for a given set of messages
> of various lengths.  And it should be clear that the trick
> is to make any possible intercepted cipher text map back
> to any possible message that was in the input set. One way
> to do this. But not necessarily the only way is to pad all
> messages to same length. Then use the OTP to create cipher
> text of all the same length. This would then allow any possible
> cipher text to be decoded to any possible message in the input
> set. But again don't take my word. As if you needed to be
> reminded of that. Please take it up on your self to read the
> stuff at the URL that Hopwood posted.

I just wanted to get 're-assured' that Shannon's paper
didn't cover the perfect security of what is called the 
conventional OTP (see Tyler's post). Now I would think 
it is apparently indeed NOT necessary to pad anything 
in most, if not all, practical situations. For normally 
a channel doesn't send only a single message but a 
number of messages. (For example communications between
two branch offices of a firm.) We can employ the 
convention that each message has any header information 
(message number or the like) be included with the 
plaintext and all messages be concatenated. A long 
segment from the OTP source is then employed to encrypt 
the whole thing. This way the length of the individual 
messages wouldn't be available to the opponent. The 
receiver, after decryption, can separate the messages 
using the header parts. (If one still feels not 
sufficiently secure, one could perform a transposition 
of the string of the concatenated messages, say on the 
level of bytes/words. This amounts to a superencipherment 
though.)

M. K. Shen
===========================
http://home.t-online.de/home/mok-kong.shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 02:13:13 +0200



Tom St Denis wrote:
> 
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> > Tom St Denis wrote:
> > > "Mark Wooding" <[EMAIL PROTECTED]> wrote:
> > > > Tom St Denis <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > It is a bijection since 3 does not divide the order for w=32 or
> > > > > w=64.
> > > >
> > > > It's a bijection in Z/(2^w - 1)Z.  Unfortunately, we're probably
> > > > actually working in Z/(2^w)Z.  As a result, the mapping is biased,
> > > > noninjective and nonsurjective.  I can't see an attack against sixteen
> > > > rounds, but that doesn't mean there isn't one.
> > >
> > > It lacks one element (namely 2^w - 1).  I don't see that as a big bias.
> >
> > The set of people who feel uncomfortable with a minute
> > deviation from the ideal is not empty.
> 
> You're being vastly ignorant.  A block cipher is "minutely deviated from
> ideal".
> 
> Would you now not use AES for this reason?  Or are you a hypocrite?

Did I say that I belong to the set I mentioned? I just
want to point out a seemingly true fact and I was
neutral in doing that.

I like to take this opportunity to convey a special 
request to you. It is 'special', because I am forced to
say some words very 'plainly' (i.e. without 'reservation')
for reasons to be seen below, even though these naturally 
would not sound very pleasing to you. In two separate 
threads (yesterday and today) I have asked you to give the 
title and author name of the Dover book that you complained 
so heavily about. But you have seemingly ignored these 
requests till this moment. As I wrote, a few of my 
acquaintances know the content of that particular part of 
your post. To be frank, we (my friends and I) had a 
discussion of whether you were cheating. I defended you, 
saying that from the context there appears to be barely 
motivation for that, besides in a post today in the 
thread 'unicity distance and compression for AES' you had 
accused someone else of being a liar, so the possibility of 
you yourself being a liar appears to be low. But my 
friends have become very unsatisfied with that, now that 
I continue to be unable to present them with the title 
and author name of your claimed Dover book. May I ask you, 
now for the third time, to post the title and author of 
your book? If you continue to ignore this request, then 
I must say that the opinion of my friends is obviously 
justified (i.e. in which case you would be a liar). I am 
very sorry for writing these very 'plain' words but I 
have to.

M. K. Shen

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 00:35:21 GMT


"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
> > "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> > > Tom St Denis wrote:
> > > > "Mark Wooding" <[EMAIL PROTECTED]> wrote:
> > > > > Tom St Denis <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > It is a bijection since 3 does not divide the order for w=32 or
> > > > > > w=64.
> > > > >
> > > > > It's a bijection in Z/(2^w - 1)Z.  Unfortunately, we're probably
> > > > > actually working in Z/(2^w)Z.  As a result, the mapping is biased,
> > > > > noninjective and nonsurjective.  I can't see an attack against sixteen
> > > > > rounds, but that doesn't mean there isn't one.
> > > >
> > > > It lacks one element (namely 2^w - 1).  I don't see that as a big bias.
> > >
> > > The set of people who feel uncomfortable with a minute
> > > deviation from the ideal is not empty.
> >
> > You're being vastly ignorant.  A block cipher is "minutely deviated from
> > ideal".
> >
> > Would you now not use AES for this reason?  Or are you a hypocrite?
>
> Did I say that I belong to the set I mentioned? I just
> want to point out a seemingly true fact and I was
> neutral in doing that.
>
> I like to take this opportunity to convey a special
> request to you. It is 'special', because I am forced to
> say some words very 'plainly' (i.e. without 'reservation')
> for reasons to be seen below, even though these naturally
> would not sound very pleasing to you. In two separate
> threads (yesterday and today) I have asked you to give the
> title and author name of the Dover book that you complained
> so heavily about. But you have seemingly ignored these
> requests till this moment. As I wrote, a few of my
> acquaintances know the content of that particular part of
> your post. To be frank, we (my friends and I) had a
> discussion of whether you were cheating. I defended you,
> saying that from the context there appears to be barely
> motivation for that, besides in a post today in the
> thread 'unicity distance and compression for AES' you had
> accused someone else of being a liar, so the possibility of
> you yourself being a liar appears to be low. But my
> friends have become very unsatisfied with that, now that
> I continue to be unable to present them with the title
> and author name of your claimed Dover book. May I ask you,
> now for the third time, to post the title and author of
> your book? If you continue to ignore this request, then
> I must say that the opinion of my friends is obviously
> justified (i.e. in which case you would be a liar). I am
> very sorry for writing these very 'plain' words but I
> have to.

I was cheating on what?

Sorry to be honest I kinda skim your posts.  You kinda write in one long
unbroken chunk.  (When you're at a computer as long as I shouldn't be it
looks like a mess).

The book info.

W.R. Scott, Professor of Mathematics, The University of Utah, "Group Theory",
Dover Publications Inc, New York.
ISBN 0-486-65377-3

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 00:42:30 GMT


"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:dhzU6.73538$[EMAIL PROTECTED]...
> I was cheating on what?
>
> Sorry to be honest I kinda skim your posts.  You kinda write in one long
> unbroken chunk.  (When you're at a computer as long as I shouldn't be it
> looks like a mess).
>
> The book info.
>
> W.R. Scott, Professor of Mathematics, The University of Utah, "Group Theory",
> Dover Publications Inc, New York.
> ISBN 0-486-65377-3

Something I want to add.  It's not a "bad book" as far as correctness goes.
Heck I can only read the first 20 pages.

It's just a very bad text to LEARN from.  It has a math equation to word
ratio of 100:1...

Tom



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
