Re: NONSTOP Crypto Query
At 01:30 AM 1/13/2001 +, Ben Laurie wrote:
>Hmm. 6 kHz has a wavelength of 5 cm. I would guess you can easily get
>resolution to 1/10 of a wavelength under ideal conditions. Which is .5
>cm, which is half the size of a key, more or less.

You don't have to locate the exact key to save a lot of complexity. A standard PC keyboard has 47 keys on the main section. Ignoring shifts, control, alt, combinations, etc. you have to deal with 47^N easy options per secret key of length N.

Let's assume you don't get the key as a fact from the sound inference, but rather you get a probability density function that is weighted heavily around a single key, and then around the keys "one key away" and with decreasing probability for "two keys away" and so on until you get to the maximum of 14 or so keys away.

If Ben's estimate is close to accurate, you should see a two standard deviation circle of only 9 or so keys. Since 47^6 is 229,345,008 and 9^6 is only 531,441 this technique can whack out a factor of 500 in the "likely" exhaustive search of a six character passphrase.

Obviously it saves more on longer passphrases. It also saves more if the user enters control/alt/shift combinations.

Interesting.

Pat

Pat Farrell                    voice: (703 587-9898)
Alchemist                      email: [EMAIL PROTECTED]
OneBigCD, your                 text pager: [EMAIL PROTECTED]
Internet CD Jukebox
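The probability-density argument in the message above, worked through as an added example that is not part of the original post: it estimates how many bits of a passphrase survive when each keystroke leaks a position estimate. The row stagger values, the Gaussian model, the value of sigma and the sample passphrase are assumptions made for illustration.

```python
import math

# Main-section rows of a US PC keyboard (47 keys). The stagger of each row,
# in key widths, is an assumed approximation, not a measured layout.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
STAGGER = [0.0, 0.5, 0.75, 1.25]

def key_positions():
    """Map each key to an (x, y) centre, in units of one key width."""
    return {ch: (STAGGER[r] + i, float(r))
            for r, row in enumerate(ROWS) for i, ch in enumerate(row)}

def posterior(centre, sigma):
    """Gaussian weight around `centre`, normalised over all keys (assumed model)."""
    pos = key_positions()
    cx, cy = pos[centre]
    w = {k: math.exp(-((x - cx) ** 2 + (y - cy) ** 2) / (2 * sigma ** 2))
         for k, (x, y) in pos.items()}
    total = sum(w.values())
    return {k: v / total for k, v in w.items()}

def keys_within(centre, radius):
    """Keys whose centre lies within `radius` key widths of `centre`."""
    pos = key_positions()
    cx, cy = pos[centre]
    return sorted(k for k, (x, y) in pos.items()
                  if math.hypot(x - cx, y - cy) <= radius)

def entropy_bits(dist):
    """Shannon entropy of one keystroke under the given distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def residual_bits(passphrase, sigma):
    """Entropy left in a passphrase when every keystroke leaks a posterior."""
    return sum(entropy_bits(posterior(ch, sigma)) for ch in passphrase)

if __name__ == "__main__":
    sigma = 0.85                      # assumed: 2 sigma is about 1.7 key widths
    phrase = "gthbnm"                 # constructed sample, lowercase only
    print("keys within 2 sigma of 'g':", keys_within("g", 2 * sigma))
    print("uniform bits:", round(len(phrase) * math.log2(47), 1))
    print("residual bits:", round(residual_bits(phrase, sigma), 1))
```

The gap between the uniform and residual figures is the entropy a passphrase policy would need to make up, for instance with longer passphrases, if this kind of leakage is in the threat model.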
Re: 3DEs export?
At 10:36 AM 9/1/99 -0400, Michael Froomkin - U.Miami School of Law wrote:
>http://www.zixmail.com/ZixFAQ/index.html#4
>claims that a 3DES email security product has been approved for export.
>Is there something about the security of this system that is compromised?
>(I don't see anything about open source)

Dunno about this product/company, but non-open source 3DES have been approved for export for other companies/products, as have 1024 bit RSA. Both are real crypto, not compromised. But, they are not general purpose, and come with non-trivial restrictions.

Pat

Pat Farrell    CyberCash, Inc.    (703) 715-7834
[EMAIL PROTECTED]    #include standard.disclaimer
Re: Re-key: how often?
At 03:21 PM 7/26/99 -0400, Andy wrote:
> My question is, how often should I generate a new key for each session?
>Is there a rule of thumb concerning how much info. can be sent/received
>before a key is considered "used up"?

The rule of thumb is to re-key before the value of what you are protecting exceeds the cost of breaking your key. That makes the economics of breaking the session work in your favor.

For most real world applications, the length of a logon session which ranges "anywhere from a few minutes to hours" is easily protected with one 128 bit key.

The EFF machine can break DES-56 in less time than your sessions, so unless the thing you're protecting is pretty cheap, DES-56 is too weak. DES-40 is too weak for anything.

Hope this helps.

Pat

Pat Farrell    CyberCash, Inc.    (703) 715-7834
[EMAIL PROTECTED]    #include standard.disclaimer
Re: Five years, and still no useful internet cash
At 02:38 PM 5/11/99 -0700, James A. Donald wrote:
>I have created a web page reviewing the various efforts to
>bring a cashlike medium to the internet.
> I would appreciate some corrections.

At least in the case of CyberCash, you have confused two product offerings. CyberCash is a company, not a product. CyberCash offers services and has offered a product called CyberCoin.

CyberCash's main services today are payment services (moving or collecting money) on both the 'net and in the physical storefront world. The Internet payment service lets merchants collect money from consumers using their existing credit card or checking accounts.

CyberCoin is a micropayment system. It was specifically addressed at transactions too small to be cost effective using credit cards. It launched in September 1996. It was a commercial failure. Support for CyberCoin was stopped in the US in the past month or so. There is still some commercial interest in CyberCoin in Europe.

There were many design decisions behind CyberCoin that make it work the way it does. For example, it is not a "bearer instrument" in the normal legal sense. It does, however, store the value in FDIC insured bank accounts.

There are many reasons for CyberCoin's failure. I think I know some of them. I'd be very interested in an informed discussion of them. Since CyberCash is a publicly traded company, much of the story behind CyberCoin is public information. I'm an engineer, not a press spokesman or company official, so what I say is clearly personal opinion.

Thanks

Pat

Pat Farrell    CyberCash, Inc.    (703) 715-7834
[EMAIL PROTECTED]    #include standard.disclaimer