Re: Run a remailer, go to jail?

2003-03-28 Thread Matt Crawford
> http://www.freedom-to-tinker.com/archives/000336.html
> 
> Quoting:
> 
> Here is one example of the far-reaching harmful effects of
> these bills. Both bills would flatly ban the possession, sale,
> or use of technologies that "conceal from a communication
> service provider ... the existence or place of origin or
> destination of any communication".

Let's not be hasty.  On the upside, it would outlaw NAT!

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Keysigning @ CFP2003

2003-03-25 Thread Matt Crawford
> > I must be out of touch - since when did
> > PGP key signing require a photo id?
> 
> It's rather efficient if you want to sign a large number of keys of
> people you mostly do not know personally.

Assuming, of course, that the ID is of a sort for which you have an
"is-a-forgery" oracle.

Has anyone ever weighted a PGP key's certification value as a
function of how many keys it's known to have certified?



Re: AES-128 keys unique for fixed plaintext/ciphertext pair?

2003-02-18 Thread Matt Crawford
> ... We can ask what is the 
> probability of a collision between f and g, i.e. that there exists 
> some value, x, in S such that f(x) = g(x)?

But then you didn't answer your own question.  You gave the expected
number of collisions, but not the probability that at least one
exists.

That probability is the sum over k from 1 to 2^128 of (-1)^(k+1)/k!,
or about as close to 1-1/e as makes no difference.


But here's the more interesting question. If S = Z/2^128 and F is the
set of all bijections S->S, what is the probability that a set G of
2^128 randomly chosen members of F contains no two functions f1, f2
such that there exists x in S such that f1(x) = f2(x)?

G is a relatively minuscule subset of F but I'm thinking that the
fact that |G| = |S| makes the probability very, very small.

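To make the two probabilities in this message concrete, here is an added example (my code, not from the post or the list) that computes them exactly for small sets: the inclusion-exclusion sum for "two bijections agree somewhere", and a pruned enumeration for "m bijections pairwise agree nowhere". It assumes the bijections are drawn independently and uniformly, so that for two of them g^-1 o f is a uniformly random permutation; the function names are mine.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial, e


def prob_some_agreement(n):
    """P(there is an x with f(x) = g(x)) for two independent, uniformly random
    bijections f, g of an n-element set.  g^-1 o f is a uniform random
    permutation, so this is the probability that a random permutation has a
    fixed point: sum_{k=1}^{n} (-1)^(k+1) / k!  (inclusion-exclusion)."""
    return sum(Fraction((-1) ** (k + 1), factorial(k)) for k in range(1, n + 1))


def _agree_nowhere(p, q):
    """True if permutations p and q (as tuples) differ at every position."""
    return all(a != b for a, b in zip(p, q))


def _count_disjoint_tuples(perms, m, chosen):
    """Number of ordered m-tuples of permutations in which every member agrees
    nowhere with every earlier member (depth-first search, prunes early)."""
    if m == 0:
        return 1
    total = 0
    for p in perms:
        if all(_agree_nowhere(p, q) for q in chosen):
            total += _count_disjoint_tuples(perms, m - 1, chosen + [p])
    return total


def prob_pairwise_disjoint(n, m):
    """Exact probability that m independent uniform random bijections of an
    n-element set pairwise agree nowhere: the question in the message, with
    n = m = 2^128 replaced by tiny n, m so that enumeration is feasible.
    (For n = m this counts Latin squares of order n with ordered rows.)"""
    perms = list(permutations(range(n)))
    return Fraction(_count_disjoint_tuples(perms, m, []), len(perms) ** m)


if __name__ == "__main__":
    for n in (3, 4, 10):
        print(n, prob_some_agreement(n), float(prob_some_agreement(n)))
    print("1 - 1/e =", 1 - 1 / e)
    for n in (3, 4):
        print(n, "bijections of", n, "points, pairwise disjoint:",
              prob_pairwise_disjoint(n, n))
```

Already at n = 4 the second probability is 1/576, and it falls super-exponentially with n, which is the direction the "|G| = |S|" intuition above points.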



Re: question about rsa encryption

2003-02-04 Thread Matt Crawford
> RSA is subject to blinding attacks and several other failure modes if
> used without padding.  For details on what that means, read the
> cyclopedia cryptologia article on RSA.
> 
> http://www.disappearing-inc.com/R/rsa.html

That brings on another amateur question. In that article it says,
"If the public exponent is less than a quarter of the modulus, RSA
can be insecure."

Well, the public exponents I've seen range from 17 to 65537. What
gives? Is this just one of the many weaknesses mitigated by proper
padding?





Re: Open Source TCPA driver and white papers

2003-01-24 Thread Matt Crawford
Wouldn't it be a kick if Open Source systems were out there in the
field doing useful and secure things with TCPA before other sorts of
systems showed up trying to do draconian anti-user things?

"It's easy if you try ..."




Re: Key Pair Agreement?

2003-01-21 Thread Matt Crawford
>  I can see how Alice can easily generate two primes whose product
> will have that *high* order part, but it seems hard to generate an
> RSA modulus with a specific *low* order 64 bits.

Is it?  As long as the lowest bit is a 1, Alice just has to search
for one prime that ends with 63 0's and a 1 (she may keep one up her
sleeve) and the other prime ending with the specified bits.  As long
as the length of each prime is much greater than 64 bits, I don't see
that this slows her down too badly.

Isn't this the reason why using the bottom 32 bits of a PGP RSA key
for a key id is subject to a user-confusion attack?

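The construction sketched above can be checked numerically. The following is an added example, mine rather than anything from the post, that builds a toy RSA-style modulus with a chosen low-order bit pattern by exactly the method described (one prime congruent to 1 modulo 2^k, the other congruent to the chosen pattern) and then shows why an identifier taken from the low bits of N cannot tell keys apart: two independently generated moduli share the same short id while the full values, and a hash of them, differ. Sizes are deliberately toy (40-bit primes, 16 low bits); the Miller-Rabin helper, the seeded RNG, and all function names are my assumptions, not the list's.

```python
import hashlib
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test (assumed helper, toy quality)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prime_with_low_bits(bits, k, suffix, rng):
    """Random `bits`-bit prime p with p mod 2^k == suffix.  The suffix must be
    odd (an even suffix would force p even); with bits >> k the search costs
    about ln(2^bits)/2 primality tests, so the constraint barely slows it."""
    if suffix % 2 == 0 or not 0 < suffix < (1 << k):
        raise ValueError("suffix must be odd and at most k bits wide")
    while True:
        high = rng.getrandbits(bits - k) | (1 << (bits - k - 1))  # keep the top bit set
        p = (high << k) | suffix
        if is_probable_prime(p, rng):
            return p


def modulus_with_low_bits(target, k, prime_bits, rng):
    """N = p*q with N mod 2^k == target: p ends in (k-1) zeros and a 1, q ends
    in the target bits, so p*q == 1*target (mod 2^k)."""
    p = prime_with_low_bits(prime_bits, k, 1, rng)
    q = prime_with_low_bits(prime_bits, k, target, rng)
    return p * q


def short_id(n, k):
    """Identifier formed from the low k bits of the modulus (the weak scheme)."""
    return n & ((1 << k) - 1)


def fingerprint(n):
    """Identifier formed from a hash of the whole modulus (constructed for this
    example; not the OpenPGP fingerprint format)."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def demo_pair(seed=2003, target=0xBEEF, k=16, prime_bits=40):
    """Two independently generated toy moduli that share the same low-k-bit id."""
    rng = random.Random(seed)
    return (modulus_with_low_bits(target, k, prime_bits, rng),
            modulus_with_low_bits(target, k, prime_bits, rng))


if __name__ == "__main__":
    n1, n2 = demo_pair()
    print(hex(n1), hex(n2))
    print("short ids equal:   ", short_id(n1, 16) == short_id(n2, 16))  # True
    print("fingerprints equal:", fingerprint(n1) == fingerprint(n2))    # False
```

The point for a verifier is the last two lines: an id derived from the low bits of N is chosen by whoever generates the key, so matching on it proves nothing; compare the whole key, or a hash of the whole key, instead.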



Re: Key Pair Agreement?

2003-01-21 Thread Matt Crawford
The freshness requirement without the safety requirement is trivial
in RSA -- let Scott choose the public exponent.

No, probably not sufficient for anyone's real needs.

At the other extreme, you could go all the way to a Frankel-style
shared key generation protocol, and let Scott give Alice his half
afterward.

Has anyone publicly implemented shared key & signature generation or
Frankel, Gemmell, MacKenzie and Yung, 1997, "Proactive RSA"?




Re: Micropayments, redux

2002-12-16 Thread Matt Crawford
> No, it doesn't.  It doesn't take unlimited time for lottery-based
> payment schemes to average out; finite time suffices to get the
> schemes to average out to within any desired error ratio.

Strictly speaking, the average will come within your error tolerance
of the expected value *with probability near 1*.  In an infinite
number of trials, it will come within your tolerance *with
probability 1*.  Neither case is a guarantee that it will come that
close to the expected value.

> The expected risk-to-revenue ratio goes down like 1/sqrt(N), where
> N is the number of transactions.  Consequently, it's easy for banks
> to ensure that the system will adequately protect their interests.

Expected, yes.  But the absolute upper bound on loss does not.

These quibbles may be of interest only to mathematicians and insurers.




Re: M-209 for sale on EBay

2002-10-28 Thread Matt Crawford
> There's an M-209 for sale on EBay:
> 
>   http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=726499988
> 
> Interestingly enough, some people are blocked "for legal reasons" from 
> getting to it.

Even more interestingly, connecting from a Department of Energy
network IP address with a .gov domain name gets me a message about
"blocked due to legal restrictions in your home country."




Re: Cryptographic privacy protection in TCPA

2002-09-04 Thread Matt Crawford

> The basic idea of using zero-knowledge proofs to create an
> unlikable anonymous credentials system ...

"[sic]" !





Re: building a true RNG

2002-07-29 Thread Matt Crawford

> 2) I can't prove that a standard hash function such as SHA1
> generates all possible codes, but I consider it likely.  It would 
> be quite shocking if a strong hash function such as SHA1 generated
> fewer codes than a weak function such as H0.

I think you could do a probabilistic proof similar to the "DES is not
a group" quasi-proof.  To test a hash function h() whose range is S,
let F be the set of "balanced" functions from S -> {0, 1}.  (Balanced
meaning that each f in F maps exactly half of S to 0 and half to 1.)
If you can contrive to choose many members of F at random, and compose
them with h for many arguments of h, you should be able to set
confidence limits on how much of S is covered by h.

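The probabilistic coverage test sketched above can be simulated. The following added example (mine, not the list's, and an estimate rather than a proof) applies it to two constructed toy hashes with a 512-element range S: random balanced functions f: S -> {0,1} are composed with h over the whole toy domain, and the spread of the resulting averages of f(h(x)) across many f reveals how much of S the hash reaches. It relies on one step the post leaves implicit, which I derived for this example: for a uniformly random balanced f, the variance of the average of f(h(x)) is (1/4)[M/(M-1) * sum_y w_y^2 - 1/(M-1)], where M = |S| and w_y is the fraction of inputs hashing to y; so the observed variance yields sum_y w_y^2, and 1/sum_y w_y^2 is an effective image size (a lower bound on the true image size, with equality when h is uniform on its image). The confidence interval uses a normal approximation to the variance estimate; that, the hashes, and the names are assumptions of the example.

```python
import random
from math import sqrt

M = 512                 # |S|: the toy hash range is {0, ..., M-1}
DOMAIN = range(4 * M)   # the inputs fed to the hash (constructed)


def toy_hash_half(x):
    """Constructed toy hash whose image is only the even elements of S."""
    return ((x * 37 + 11) % (M // 2)) * 2


def toy_hash_full(x):
    """Constructed toy hash that reaches every element of S equally often."""
    return x % M


def image_weights(h):
    """w[y] = fraction of DOMAIN that h maps to y."""
    w = [0.0] * M
    for x in DOMAIN:
        w[h(x)] += 1.0 / len(DOMAIN)
    return w


def estimate_coverage(h, samples=4000, seed=1):
    """Estimate the fraction of S covered by h from the variance, over many
    random balanced f: S -> {0,1}, of the average of f(h(x)) over DOMAIN.
    Returns (estimate, lower, upper) for a rough 95% interval."""
    rng = random.Random(seed)
    w = image_weights(h)
    biases = []
    for _ in range(samples):
        ones = rng.sample(range(M), M // 2)            # f(y) = 1 exactly on these M/2 points
        biases.append(sum(w[y] for y in ones) - 0.5)   # average of f(h(x)), minus 1/2
    mean = sum(biases) / samples
    var = sum((b - mean) ** 2 for b in biases) / (samples - 1)
    se_var = var * sqrt(2.0 / (samples - 1))           # normal approximation (assumed)

    def coverage_from_variance(v):
        sum_w2 = (4.0 * v * (M - 1) + 1.0) / M         # invert the variance formula
        return min(1.0, 1.0 / (sum_w2 * M))            # effective image size / |S|

    return (coverage_from_variance(var),
            coverage_from_variance(var + 2 * se_var),  # more variance -> less coverage
            coverage_from_variance(var - 2 * se_var))


if __name__ == "__main__":
    for name, h in (("half-range hash", toy_hash_half), ("full-range hash", toy_hash_full)):
        est, lo, hi = estimate_coverage(h)
        print(f"{name}: coverage ~ {est:.3f}  (about {lo:.3f} .. {hi:.3f})")
```

A hash that reaches all of S uniformly gives every balanced f an average of exactly 1/2, so the variance is zero and the estimate is exactly 1; the half-range hash lands near 0.5. The method only sees the "collision mass" sum_y w_y^2, which is why it can certify coverage from below but cannot distinguish a small image from a large, badly skewed one.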




Re: Quantum crypto broken?

2002-05-14 Thread Matt Crawford

> The Oxford announcement doesn't present quite
> the risk implied.  Cloning in their case results
> in an energy loss of 1/2 which is easily detected
> through various means including error rate.
> You have to conserve of energy ...

Excuse me.  If you duplicate the input photon, you duplicate its
wavelength as well as its polarization state.  Therefore you have two
output photons each of the same energy as the original.  The energy
is supplied by the excitation of the atoms in the crystal.  Think of
it as a toned-down laser.

Every now and then, your duplicator must absorb or otherwise
scatter an input photon, but I'm sure you needn't lose 1/2 of them.

But I agree that the use of this device can be detected by the
communicating parties.
    Matt Crawford
   (former quantum mechanic)




Re: Schneier on Bernstein factoring machine

2002-04-16 Thread Matt Crawford

> > Businesses today could 
> > reasonably be content with their 1024-bit keys, and military institutions 
> > and those paranoid enough to fear from them should have upgraded years ago.
> >
> > To me, the big news in Lucky Green's announcement is not that he believes 
> > that Bernstein's research is sufficiently worrisome as to warrant revoking 
> > his 1024-bit keys; it's that, in 2002, he still has 1024-bit keys to revoke.
> 
> Does anyone else notice the contradiction in these two paragraphs?
> First Bruce says that businesses can reasonably be content with 1024 bit
> keys, then he appears shocked that Lucky Green still has a 1024 bit key?
> Why is it so awful for Lucky to "still" have a key of this size, if 1024
> bit keys are good enough to be "reasonably content" about?

No contradiction at all.  "[M]ilitary institutions and those paranoid
enough to fear from them should have upgraded years ago."  Anyone
paranoid enough to think Bernstein's back-of-the-very-large-envelope
calculation makes a 1024-bit key insecure should have already been
concerned enough to think that SOMEthing would do so.




Re: [linux-elitists] Re: Looking back ten years: Another Cypherpunks failure (fwd)

2002-01-28 Thread Matt Crawford

> There are other problems with using IPsec for VoIP..  In many cases
> you are sending a large number of rather small packets of data.  In
> this case, the extra overhead of ESP can potentially double the size
> of your data.

HOW small?  You'd already be adding IP+UDP+RTP headers (20 [or 40] +
8 + 12 = 40 [or 60] bytes).  Using ESP with authentication would add
another 22, plus possible explicit IV and padding, if needed -- call
it 30?

20ms of uncompressed telephone quality data is 160 bytes ...

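To put numbers on the header arithmetic above, here is an added example (mine, not from the thread) that computes the size of one RTP packet with and without ESP in transport mode. It uses the header sizes the message gives (IPv4 20, IPv6 40, UDP 8, RTP 12; ESP's fixed 22 bytes being SPI 4 + sequence number 4 + pad length 1 + next header 1 + a 96-bit ICV of 12) and adds the cipher-dependent IV plus the padding that brings the encrypted region to a multiple of the cipher block size. The defaults (8-byte IV and 8-byte block, as for 3DES-CBC) and the 160-byte, 20 ms telephone-quality frame are what the message implies; the AES-CBC parameters and the function names are mine.

```python
IPV4_HDR, IPV6_HDR, UDP_HDR, RTP_HDR = 20, 40, 8, 12
ESP_SPI_SEQ = 8     # SPI (4) + sequence number (4), sent in the clear
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted region
ESP_ICV = 12        # 96-bit truncated HMAC (the "with authentication" case)


def esp_padding(inner_len, block):
    """Padding bytes so that inner + padding + trailer is a multiple of the
    cipher block size (and of 4, which ESP requires regardless of cipher)."""
    align = max(block, 4)
    return (-(inner_len + ESP_TRAILER)) % align


def esp_overhead(inner_len, iv_len=8, block=8, icv_len=ESP_ICV):
    """Bytes ESP adds around `inner_len` bytes of encapsulated data."""
    return ESP_SPI_SEQ + iv_len + esp_padding(inner_len, block) + ESP_TRAILER + icv_len


def voip_packet_sizes(payload, ipv6=False, iv_len=8, block=8):
    """(plain size, ESP transport-mode size) of one RTP packet carrying
    `payload` bytes of audio; ESP encapsulates inner = UDP + RTP + payload."""
    ip = IPV6_HDR if ipv6 else IPV4_HDR
    inner = UDP_HDR + RTP_HDR + payload
    return ip + inner, ip + inner + esp_overhead(inner, iv_len, block)


def expansion_ratio(payload, **kw):
    """Protected size divided by plain size for the same audio payload."""
    plain, protected = voip_packet_sizes(payload, **kw)
    return protected / plain


if __name__ == "__main__":
    ciphers = {"3DES-CBC": (8, 8), "AES-CBC": (16, 16)}
    for payload in (160, 80, 40, 20, 10):
        for cipher, (iv, blk) in ciphers.items():
            plain, prot = voip_packet_sizes(payload, iv_len=iv, block=blk)
            print(f"{payload:4d} B audio, IPv4, {cipher}: {plain} -> {prot} bytes "
                  f"({expansion_ratio(payload, iv_len=iv, block=blk):.2f}x)")
```

For the 160-byte frame the ESP overhead works out to 32 bytes with 3DES-CBC (the message's "call it 30"), a 16% expansion; the packet only approaches doubling for frames of a few bytes, where the fixed headers already dominate.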





Re: Stego applications for other file types

2002-01-17 Thread Matt Crawford

I think there must be some sort of steganography tools in the
Microsoft Office Suite.  I say this because people often tell
me they are sending me a Word or Powerpoint file with important
information in it, but I've yet to discover any.


:-)


[Moderator's note: I couldn't resist forwarding it. --Perry]




Re: PGP & GPG compatibility

2002-01-15 Thread Matt Crawford

> Is there even development on the PGP (product) line?  AFAIK
> they (NAI) have not release PGP 7.x in source form.  Worse, there
> are a couple of bugs I found in 6.5.8 when I was porting it
> to Tru64, but who knows if anyone is listening over at NAI.

Years ago I bought a few copies of commercial PGP with support.  I
sent in three separate bug reports, some of them dead simple to
reproduce, and never got anything back except placebo talk.






Re: Steganography & covert communications - Between Silk and Cyanide

2002-01-03 Thread Matt Crawford

> David Honig wrote:
> > Unbeknown to the latter, Marks had already cracked General de Gaulle's
> > private cypher in a spare moment on the lavatory. -from the obit of Leo
> > Marks, cryptographer
> 
> But this was because it was, in fact, one of his own ciphers.
> Cheers,
> Ben.

Not one that he invented or approved of, but one that he knew and had
to work with, yes.






Re: CFP: PKI research workshop

2001-12-26 Thread Matt Crawford

As I never tire of saying, "PKI is the ATM of security."

Meaning that has a certain niche relevance, but is claimed by
proponents to be the answer to every need, and is the current magic
word for shaking the money tree.







Re: FBI-virus software cracks encryption wall

2001-11-27 Thread Matt Crawford

> If they only cover Windoze (which is likely) the result will be that
> the criminal / paranoid / privacy freak / hacker community will just
> plain migrate to another OS... Which would be good for the world,
> don't you think?

When outlaws use Linux, Linux will be outlawed.

And I'm not being entirely facetious -- the US has a long history of
things being criminalized only after groups in low favor took them up.






Re: My HP printer talking to the FBI?

2001-10-23 Thread Matt Crawford

Internet Fraud Complaint Center.  It might be amusing to set up that
address as a local IP alias and see just what your printer wants to
complain about.






Re: limits of watermarking (Re: First Steganographic Image in the Wild)

2001-10-17 Thread Matt Crawford

> a) I believe physical media will always have higher bandwidth than
> broadband - why? Because you have to feed the broadband from somewhere,
> and archive it somewhere.

You can use an expensive physical medium to drive your transmission.
If you sell atoms, you have to use a cheap medium.

> It seems to me that putting the details of the purchaser in plaintext on
> the beginning of the file and making it illegal to remove it is as good
> a protection as you are ever going to get - but that would ruin a whole
> bunch of business plans, so I guess no "expert" is going to admit that.

On this, I agree.  Just like some more mundane security issues, you
can heap endless layers of mummery and confusion on top, but at the
bottom you often find a "secret" in long-term storage in the clear.






Re: New encryption technology closes WLAN security loopholes

2001-10-01 Thread Matt Crawford

> One interesting issue with radio networks is Man-in-the-middle attacks,
> because nobody can intercept a request and forward it
> faster than you can receive it directly, unless there are
> distances that are too far for the two parties to reach each other
> but still let the MITM contact both.

The would-be MITM has two tactics available that still allow it to
operate as "usual":

 Receive the initial portion of a message but jam the last N bits to
 cause it to be ignored by all other receivers, or

 Jam the entire message with noise that its own equipment can
 compensate for.

In the first case the geometry of the target, the MITM, the other
receivers or base station and the effective range of the stations
may demand that too much of the signal has to be jammed to let the
MITM function, unless it can also implement the second.






Re: "Pirate Utopia," FEED, February 20, 2001

2001-09-25 Thread Matt Crawford

> That's an excellent point, but: if you were smart enough to use stego
> for real, wouldn't you be smart enough to pick a good password? 

If I hand my users some security package and say "use this", that
doesn't make them any smarter or dumber than they were yesterday.






Re: Did the US defeat wiretapping success?

2001-09-17 Thread Matt Crawford

> >Senator Hatch was interviewed by national media on Tuesday and stated that
> >the US government had voice intercepts of calls talking about success with
> >two targets.  He was later criticized for talking about the intercepts.
> 
> Hm, criticized?  Why not indicted?
> 
>(a) Whoever knowingly and willfully communicates, furnishes,
>[ ... 18 USC 798 ...]

Depends where he said it.

They shall in all cases, except treason, felony and breach of the
peace, be privileged from arrest during their attendance at the
session of their respective Houses, and in going to and returning
from the same; and for any speech or debate in either House, they
shall not be questioned in any other place.
- Article 1, Section 6

Somehow I doubt that it was not a speech or debate in the senate.






Re: Which internet services were used?

2001-09-17 Thread Matt Crawford

> A german TV news magazine (ZDF spezial) just mentioned that
> the terrorists prepared and coordinated
> also by using the internet, but no details were told.
> 
> [Moderator: I've listened to virtually all the news conferences made
> so far. The FBI has yet to make any such statement.

The only details I've heard are that the terrorists have "elaborate
web sites" to "recruit and solicit donations."  Far short of
operational use of the internet.






Re: Your password must be at least 18,770 char...

2001-07-09 Thread Matt Crawford

I have no Windows source code to judge by, but just looking from the
outside I believe the error arises as follows.  When the MIT-based
KDC returns the error code KADM5_PASS_Q_DICT (which it will only do
if your Kerberos admin has inserted a dictionary check, as there is
none by default), the MS password-changing client fishes in
uninitialized memory for some other possible parameters governing the
password selection: the length and history.

(This sheds no light on what it might do if you try a password with
too few character *classes*, which is yet another error code.)






Re: septillion operations per second

2001-06-21 Thread Matt Crawford

> > ... and scientists work in secret to develop computers capable of
> > performing more than one septillion
> > (1,000,000,000,000,000,000,000,000) operations every second.

If any single component is to change state this many times per
second, it has to be no bigger than (3*10^8 m/s) * (10^-24 s) =
3*10^-16 m, or around the size of a proton.

If you have an enormous collection of larger, slower parts, less
stringent limits apply.







Re: NSA tapping undersea fibers?

2001-06-05 Thread Matt Crawford

Trusting that Perry will declare this OT before too much longer ...

> > To lift the midpoint of a cable 1000 units long by 5 units requires
> > only 0.067 units of slack, or the ability to stretch by 0.0067%.
> > (This takes into account the catenary shape of the lifted cable.)
> 
> Finish your example please...
> 
> You know gravity, calculate the force along the axis of the cable and then
> compare to it's tensile strength. Include the weight of the cable as well
> as the gravitic effects.

Neither the University of Chicago's graduate program in theoretical
physics nor Noah Webster's successors introduced to me that
science-fictiony word "gravitic", but let's assume it's completely
redundant with "include the weight of the cable."

I don't know squat about an undersea cable, except that it's heavily
armored against damage.  Let's suppose it weighs no more than would a
4-cm diameter solid steel cable.  That, in water, would be something
like 6 kg per meter.

Assuming there was only the minimum amount of slack required
for the hypothetical lifting (or equivalently, that the cable was
being stretched just enough to reach the surface), and supposing that
the units of length in the example are kilometers, then the tension
in the cable turns out to be pretty close to a uniform 1500 kN, which
also turns out not to be far above the typical tensile strength for
the assumed cross-section of steel, and well within the strength of
special-purpose items like conveyor belts in coal mines.






Re: NSA tapping undersea fibers?

2001-06-03 Thread Matt Crawford

> Cable companies do this (from the surface) when they repair cables, but they
> usually cut the cable before separately raising the cut ends and splicing in
> a new section. I doubt that cable would be strong or extensible enough to
> lift uncut, unless there was a lot of slack from eg a previous repair.

To lift the midpoint of a cable 1000 units long by 5 units requires
only 0.067 units of slack, or the ability to stretch by 0.0067%.
(This takes into account the catenary shape of the lifted cable.)

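The slack figure above (quoted again in the 2001-06-05 follow-up) can be reproduced. The following added example (mine, not from either message) solves the catenary a*(cosh(L/2a) - 1) = h for span L and mid-point rise h by bisection, takes the arc length 2a*sinh(L/2a), and reports the extra length and the equivalent percentage stretch; it also shows the small-sag parabolic approximation 8h^2/(3L), which is what the 0.067 works out to. Units are whatever the span is measured in; the cable is assumed uniform with both ends fixed at the same depth, and the function names are mine.

```python
from math import cosh, sinh


def catenary_parameter(span, sag):
    """Solve a * (cosh(span / (2a)) - 1) == sag for the catenary parameter a.
    The left side decreases as a grows, so bisection on a converges."""
    lo, hi = max(sag, span / 1400.0), 1e12   # lo keeps cosh's argument below 700
    for _ in range(300):
        mid = (lo + hi) / 2
        if mid * (cosh(span / (2 * mid)) - 1) > sag:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def slack_needed(span, sag):
    """Extra cable length needed to raise the mid-point of a cable spanning
    `span` by `sag` (exact catenary arc length minus the span)."""
    a = catenary_parameter(span, sag)
    return 2 * a * sinh(span / (2 * a)) - span


def stretch_percent(span, sag):
    """The same requirement expressed as uniform elastic stretch, in percent."""
    return 100.0 * slack_needed(span, sag) / span


def parabolic_slack(span, sag):
    """Small-sag approximation: a parabola of span L and sag h has length
    about L + 8h^2/(3L)."""
    return 8.0 * sag ** 2 / (3.0 * span)


if __name__ == "__main__":
    span, sag = 1000.0, 5.0
    print(f"catenary slack: {slack_needed(span, sag):.4f} units "
          f"({stretch_percent(span, sag):.4f}% stretch)")
    print(f"parabolic approximation: {parabolic_slack(span, sag):.4f} units")
```

With the message's numbers both methods give about 0.0667 units, i.e. a stretch of 0.0067%, agreeing with the figure quoted; the two models only drift apart once the sag is a sizeable fraction of the span.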





Re: Lie in X.BlaBla... (was re: [Fwd: FW: WA makes forging/misrepresenting to get/use a cert a felony])

2001-05-30 Thread Matt Crawford

> > (3) A person shall not knowingly present a public key certificate
> > for which the person is not the owner of the corresponding
> > private key in order to obtain unauthorized access to information
> > or engage in an unauthorized transaction.

Hooo-wee!  Don't you normally present a whole chain of certificates,
the private keys of most of which you are not the owner?

You might as well make it a crime to enter a false username.






Re: NSA tapping undersea fibers?

2001-05-29 Thread Matt Crawford

> To sum this whole thing up - /IS/ there a way to put a tap on a fiber line
> without letting the whole world know you're doing it, if not just the
> operator/owner of the line itself? And if so could someone sketch it out for
> me or point me to a resource? I'd love to learn of it

In an optical fiber, the light is constantly bouncing back and forth
off the sides of the glass.  (Actually, off the sides of the inner
region with the higher index of refraction.)  This limits the
distance at which high-rate signals can be received even if power
loss is not a problem -- the bouncing spreads out one bit into the
next.

If you put another piece of suitably chosen glass up against the
first, some light will leak through.  If you've got a neurosurgeon's
fingers, you can increase the leakage by scraping the first fiber's
outer layer, but that's not at all necessary if you can provide local
amplification.






Re: Tamperproof devices and backdoors

2001-05-25 Thread Matt Crawford

On the science-fictional front, Vernor Vinge's recent
"A Deepness in the Sky" (ISBN: 0-312-85683-0) turns
upon software verification and backdoors without being
tedious in the manner of some techno-fiction.



