Cryptography-Digest Digest #993

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #993, Volume #11  Sat, 10 Jun 00 01:13:00 EDT

Contents:
  Re: Comments on "Encase" forum about EE ([EMAIL PROTECTED])
  Re: Double Encryption Illegal? ("Adam Durana")
  Re: Large S-Boxes (tomstd)
  Re: evidence eliminator ASSHOLE is back (tomstd)
  Re: randomness tests (tomstd)
  Re: Very few encryption algorithms are being implemented at Supercomm2000 ... which is fortunate ... (Eric Smith)
  Re: OT: Starmath font (Bud Ward)
  Re: Double Encryption Illegal? (wtshaw)
  Random sboxes... real info (tomstd)
  Re: Large S-Boxes (tomstd)
  Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations) (Lronscam)
  Re: Random sboxes... real info (tomstd)
  Re: Random IV Generation (Johnny Bravo)
  Re: Some dumb questions ("Douglas A. Gwyn")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (U Sewell-Detritus)
  Re: Observer 4/6/2000: "Your privacy ends here" (U Sewell-Detritus)
  Re: Improving DES based MAC ("Tor Rustad")
  Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations) (EE Detractor)
  Re: Extending the size of polyalphabetic substitution tables ("Douglas A. Gwyn")



From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.firewalls,alt.privacy.anon-server,alt.privacy
Subject: Re: Comments on "Encase" forum about EE
Date: Sat, 10 Jun 2000 01:19:29 +0100



On Fri, 9 Jun 2000 17:19:20 -0700, [EMAIL PROTECTED] wrote:

>
>
>Look at what I found on the Guidance Software ("Encase") forum when I
>searched for "Evidence Eliminator". Both threads are interesting.
>
>http://www.guidancesoftware.com/ubb/Forum1/HTML/000183.html (Topic: BC Wipe
>and/or Evidence Eliminator 4.5?)
>http://www.guidancesoftware.com/ubb/Forum1/HTML/000176.html (Topic: Evidence
>Eliminator Software)
>
>Oh yeah, silly me, I forgot that EE is in COLLUSION with Encase, and these
>posts are meant to MAKE us believe that EE is a threat to forensic software.
>Geez, conspiracies sure are complicated :)
>
>EE support -
>I have a question about the following post:
>
>=== (Post on Topic: Evidence Eliminator Software) ===
>
>FYI: I've done some experimenting with Evidence Eliminator. Sometimes you're
>able to view previous internet history by viewing certain .DAT files.
>--
>NY State Police
>Computer Crime Unit
>
>=== (End post) ===
>
>1. EE, are you aware of this?
>2. What is the security risk of .DAT files from Norton Utilities Image? They
>facilitate (extremely well) the complete unformatting of a HD, so does that
>mean that they contain info re. internet history (or worse)? Should I not
>run Image? Please don't say it's so!.
>
>3. On an unrelated note, try this: after doing your best wipe, put your
>cursor in the Windows "Address toolbar" of the taskbar (you may have to
>enable it first). Press Ctrl-Up and see what you get. In some cases, I get
>ancient history even after wiping all there can be wiped (short of my entire
>HD :)
>
>Please comment
>
>
>

Notice how one of the "cops" at the guidance page in one of the links
above when discussing EE compares those of us who want privacy with
criminals.

Quote:
We have had a look at an evaluation copy  of this. It provides a
general clean up of the hard drive slack space  temp files etc.

Although we haven't run any field tests against encase I have no
reason to doubt that it will trash some of the evidence. 

It is predictable that these tools will become more popular in the
same way gloves are to a burglar.
End Quote

 'Nuff said about their mentality.



--

From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: Double Encryption Illegal?
Date: Fri, 9 Jun 2000 21:35:29 -0400


This is just a guess, since I have never used this software.  I would guess
that this software uses a small key size so it can be exported, and double
encrypting with two _different_ keys would increase the key space to
something beyond what is allowed to be exported.

- Adam

"Crypto-Boy" <[EMAIL PROTECTED]> wrote in message
news:8hrbrf$a5b$[EMAIL PROTECTED]...
> On page 10-10 and 10-14 of the Oracle Advanced Security Administrator's
> Guide (from release 8.1.6 December 1999), it says the following (in bold
> no less):
>
> "Warning:  You can use SSL encryption in combination with another Oracle
> Advanced Security authentication method.  When you do this, you must
> disable any non-SSL encryption to comply with government regulations
> prohibiting double encryption."
>
> Since when is it illegal to double encrypt in the US?  I don't believe
> this is true.
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



--

Subject: Re: Large S-Boxes
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 09 Jun 2000 18:55:16 -0700

In article <8hs3v4$35n$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David A. Wagner) wrote:
>In article <8hrtja$nte$[EMAIL PROTECTED]>

Cryptography-Digest Digest #992

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #992, Volume #11   Fri, 9 Jun 00 21:13:01 EDT

Contents:
  Re: do you need unrestricted FREE S/MIME certificate ? than read message  (jungle)
  Re: Cryptographic voting (zapzing)
  Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations) ([EMAIL PROTECTED])
  Re: Cryptographic voting (zapzing)
  Re: Double Encryption Illegal? (Simon Johnson)
  Large S-Boxes (Simon Johnson)
  Re: randomness tests (Mok-Kong Shen)
  Re: Extending the size of polyalphabetic substitution tables (Mok-Kong Shen)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (zapzing)
  Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations) (EE Detractor)
  evidence eliminator ASSHOLE is back ([EMAIL PROTECTED])
  Comments on "Encase" forum about EE ([EMAIL PROTECTED])
  Re: Large S-Boxes (zapzing)
  Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations) ([EMAIL PROTECTED])
  Re: Large S-Boxes (David A. Wagner)
  Re: Comments on "Encase" forum about EE ([EMAIL PROTECTED])



From: jungle <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: do you need unrestricted FREE S/MIME certificate ? than read message 
Date: Fri, 09 Jun 2000 18:21:59 -0400

it's normal ...

you need to import CA server certificate first ...
first top option ...

Lincoln Yeoh wrote:
> 
> On Mon, 05 Jun 2000 11:34:18 -0400, jungle <[EMAIL PROTECTED]> wrote:
> 
> >do you need unrestricted FREE S/MIME certificate ? than read message ...
> >--
> >To protect privacy, use encryption ALL the time. Free S/MIME & PGP at:
> >https://secure.openca.org/ http://web.mit.edu/network/pgp.html
> 
> Somehow the certificate is invalid on my Netscape 3 browser.



--

From: zapzing <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: Fri, 09 Jun 2000 22:37:19 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> zapzing wrote:
>
> > Surprisingly, I think I have come up with a protocol
> > that will fulfill this requirement, to a certain
> > extent, but it needs a trusted party to set it up.
> >
> > Say there are N voters. The trusted party (T) produces
> > a large number of sets of N public/private key pairs.
> > Each time an election is held, one set will be used up
> > (in this sense it is like OTP). Each voter gets exactly
> > one private key from the set, and each voter gets all
> > the public keys.
> >
> > People broadcast their votes anonymously, they are
> > encrypted with their private keys, and they have some
> > sort of standardized header for identification
> > purposes. After the votes are cast and everyone is
> > sure  all the votes have been seen, people broadcast
> > anonymously their private keys. After that, anyone
> > can claim they made any vote they want, and noone
> > could know differently, but everyone will know the
> > outcome of the election.
> >
> > Unfortunately there is a vulnerable period between
> > when people broadcast their votes and when they
> > broadcast  their public keys. I think this could
> > maybe be fixed, but I'm not sure how.
> >
> > I would also like to get rid of T, but not
> > sure how to do that either.
>
> The point of trusted party is indeed the highly critical point. If the
> existence of a trusted party can be assumed, then implementations
> of voting schemes are feasible or even quite practical. If one
> doesn't have that, I just can't yet imagine that a perfect voting
> scheme can be constructed. (Note that the trusted party must
> be in a position to identify you to be indeed who you claim to be.)

Of course if you had a trusted party who could
be trusted all the time, it would be trivial
to set up an anonymous voting system like this.
My scheme is only a little better in that T
only needs to be trusted at the beginning. The
main reason I bring it up is because putting
T's responsibility all at the beginning is the
first step to eliminating him entirely.
That second step may be a doozy, though.

--
If you know about a retail source of
inexpensive DES chips, please let
me know,  thanks.



--

From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.firewalls,alt.privacy.anon-server,alt.privacy
Subject: Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations)
Date: Fri, 09 Jun 2000 22:52:59 +0100



On Fri, 09 Jun 2000 20:45:50 +0100, EE Support
<[EMAIL PROTECTED]> wrote:

>Hi all,

snipped

> It has become commonly said by posters
>to these newsgroups that the ones posting the "anti-Evidence
>Eliminator" messages in all their disguises, are wearing badges and
>intend to compromise your privacy and

Cryptography-Digest Digest #991

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #991, Volume #11   Fri, 9 Jun 00 18:13:01 EDT

Contents:
  Re: Cryptographic voting (Virgil)
  Re: XTR independent benchmarks (d g)
  Re: Random IV Generation (Terry Ritter)
  Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations) (Larry W4CSC)
  Re: Random IV Generation (Terry Ritter)
  Re: My lastest paper on Block Ciphers (Rex Stewart)
  Re: My lastest paper on Block Ciphers ([EMAIL PROTECTED])
  Re: Observer 4/6/2000: "Your privacy ends here" (U Sewell-Detritus)
  Re: randomness tests (Albert P. Belle Isle)
  Re: Encoding 56 bit data ---HELP--- ([EMAIL PROTECTED])
  Re: encoding of passwords ([EMAIL PROTECTED])
  Re: Encoding 56 bit data ---HELP--- (tomstd)
  Re: My lastest paper on Block Ciphers (tomstd)
  Re: Arithmetic Coding (SCOTT19U.ZIP_GUY)
  Re: Arithmetic Coding (tomstd)
  Re: help for rc5 cryptanalysis (Anton Stiglic)



From: Virgil <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: Fri, 09 Jun 2000 15:00:30 -0600

In article <8hq5cu$ceg$[EMAIL PROTECTED]>, Greg <[EMAIL PROTECTED]> 
wrote:

>>
>> Their leader seems to have  given up the role of Moses to take up the
>> role of Julius Caesar.
>
>If the gunners are the government, then I would think that a better
>description is that their leader seems to have given up the role of
>Washington for Hitler or Stalin.

That should be your first clue that the "gunners" in the U.S.A. are 
those who put the right to own weapons of destruction before all other 
rights, even the right to life.

-- 
Virgil
[EMAIL PROTECTED]

--

From: d g <[EMAIL PROTECTED]>
Subject: Re: XTR independent benchmarks
Date: 09 Jun 2000 14:26:56 -0700

"Paulo S. L. M. Barreto" <[EMAIL PROTECTED]> writes:

> Roger Schlafly wrote:
> > 
> > Wei Dai wrote:
> > > That structure is already present in GF(p^6) and is not imposed by XTR.
> > > The reason it can represent a field element by only 2 subfield elements
> > > is because it works in a multiplicative subgroup of size p^2-p+1, which
> > > every GF(p^6) has. The question is whether discrete log in GF(p^6) is
> > > really as difficult as in a prime field (when the two fields have about
> > > the same order)? I think there is definitely room for doubt.
> > 
> > There is also the possibility that discrete logs in the subgroup
> > of GF(p^6) is much easier that in the entire GF(p^6).
> 
> Answer to Wei Dai:
> 
> I can't see any fundamental difference between working in (subgroups of)
> GF(p^6) and GF(2^m), where the size of p^6 is roughly equal to that of
> 2^m.  Please correct me if I am wrong: the best attack known against DL
> in GF(2^m) has the same complexity as the best attack against DL in
> GF(r) where r ~ p^6 except for the constant factor in the exponent.

While it is not directly relevant, there have been attacks on
cryptosystems using prime power fields that point out that at least
some systems over prime power fields may be weaker, especially if the
exponent is composite.  For instance, consider Vaudenay's attack on
the Chor/Rivest cryptosystem [1] and the Gaudry/Hess/Smart attack [2]
on the ECDLOG problem over a field of characteristic 2 and composite
degree over F_2.

Notably, Vaudenay's attack does not generalize to Lenstra's powerline
system which uses prime exponents.  Similarly, the GHS attack does not
generalize to ECs on fields of prime degree over F_2.

For the DLOG case, Coppersmith's DLOG algorithm for F_{2^m} was known
long before the number field sieve was applied to DLOG over F_p.

Regards,
== 
Dipankar
[EMAIL PROTECTED]

[1] http://www.dmi.ens.fr/~vaudenay/pub.html#Vau98h
[2] http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html

--

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Random IV Generation
Date: Fri, 09 Jun 2000 21:14:05 GMT


On 9 Jun 2000 11:00:43 -0700, in
<8hrbcb$2ip$[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (David A. Wagner) wrote:

>In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
>> There *is* a reason to keep an IV secret:  With CBC an exposed IV
>> allows an opponent to change the recovered plaintext for the first
>> block at will.  
>
>I suppose that's a plausible reason, but it's much better
>to just MAC everything (the IV and the ciphertext), so I'm
>not sure it's a very *good* reason.

But it *is* "very *good*" to know that the problem exists and then to
handle it in some way; as opposed, say, to not knowing.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
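The CBC property Ritter points to above, and the "MAC everything" fix Wagner prefers, as an added Python example (not code from either poster or from the digest). A stand-in Feistel block cipher built from SHA-256 is used so the script runs on the standard library alone; CBC's first-block dependence on the IV holds for any block cipher, so the cipher choice does not affect the point. Keys, IV, plaintext and the XOR mask are constructed sample values.

```python
"""CBC: an exposed, unauthenticated IV lets the first block be altered;
an HMAC over IV||ciphertext, checked before decryption, detects it."""
import hashlib
import hmac

BLOCK = 16   # block size in bytes
HALF = 8
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: first 8 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit block cipher (4-round Feistel), assumed for the demo.
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK or len(iv) != BLOCK:
        raise ValueError("need a 16-byte IV and whole 16-byte blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))   # P_i = D(C_i) ^ C_{i-1}
        prev = block
    return b"".join(out)


def recover_with_modified_iv(key, iv, ciphertext, delta):
    """What the receiver recovers if the IV arrives XORed with delta.

    Since P1 = D(C1) ^ IV, block 1 comes out XORed with delta while every
    later block, which chains off C1 rather than the IV, is unchanged."""
    return cbc_decrypt(key, _xor(iv, delta), ciphertext)


def seal(enc_key, mac_key, iv, plaintext):
    """Encrypt-then-MAC with the IV included in the MAC'd data."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv, ct, tag


def open_sealed(enc_key, mac_key, iv, ct, tag):
    """Check the tag over IV||ciphertext first; decrypt only on a match."""
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                      # reject; nothing is decrypted
    return cbc_decrypt(enc_key, iv, ct)


# Constructed sample values (not from the digest).
ENC_KEY = b"constructed-enc-key-16"[:16]
MAC_KEY = b"constructed-mac-key-16"[:16]
IV = bytes(range(16))
PLAINTEXT = b"first block text" + b"second block...."
DELTA = bytes([0x20] * 5 + [0] * 11)     # toggles ASCII case of "first"


def demo():
    iv, ct, tag = seal(ENC_KEY, MAC_KEY, IV, PLAINTEXT)
    modified_iv = _xor(iv, DELTA)
    return {
        "roundtrip": cbc_decrypt(ENC_KEY, iv, ct),
        "with_modified_iv": recover_with_modified_iv(ENC_KEY, iv, ct, DELTA),
        "mac_accepts_original": open_sealed(ENC_KEY, MAC_KEY, iv, ct, tag),
        "mac_accepts_modified": open_sealed(ENC_KEY, MAC_KEY, modified_iv, ct, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The unauthenticated decryption returns "FIRST block text" for block 1 with block 2 intact, while the MAC-checked path returns None for the same input, which is the "handle it in some way" both posters are after.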


--

From: [EMAIL PROTECTED] (Larry W4CSC)
Crossposted-To: alt.security.pgp,comp.security.firewalls,alt.privacy.anon-server,alt.privacy
Subject: Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations)
Dat

Cryptography-Digest Digest #990

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #990, Volume #11   Fri, 9 Jun 00 16:13:01 EDT

Contents:
  Re: PK analogue for passwords ([EMAIL PROTECTED])
  Re: My lastest paper on Block Ciphers (Runu Knips)
  Re: How did Mr. Schneier calcuate this figure? (John Myre)
  Re: Extending the size of polyalphabetic substitution tables ([EMAIL PROTECTED])
  Re: Multiple encryptions (James Felling)
  Re: Random IV Generation (David A. Wagner)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (David Swarbrick)
  Re: Thoughts on an encryption protocol? (John Myre)
  Double Encryption Illegal? (Crypto-Boy)
  encoding of passwords ("Wouter")
  Re: Random IV Generation (John Myre)
  Re: help for rc5 cryptanalysis (James Felling)
  Re: Random IV Generation (David A. Wagner)
  Re: My lastest paper on Block Ciphers (Simon Johnson)
  Re: randomness tests ("John Feth")
  Re: encoding of passwords (Custer)
  Re: encoding of passwords (Custer)
  Re: OT: Starmath font (tomstd)
  Re: My lastest paper on Block Ciphers (tomstd)
  Re: My lastest paper on Block Ciphers (tomstd)
  Re: My lastest paper on Block Ciphers (tomstd)
  Re: Encoding 56 bit data ---HELP--- (tomstd)
  Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM accusations) (EE Support)



From: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc
Subject: Re: PK analogue for passwords
Date: Fri, 09 Jun 2000 16:57:03 GMT

[sigh. sorry for formatting. I am too lazy to fix it today.]

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <8hoq4f$cuo$[EMAIL PROTECTED]>,  wrote:
> > if one is using twonz to keep their
> > financialinstitution.com password secret, they would enter their pad in
> > one text field, and financialinstitution.com in the second text field, and
> > the program would run the inputs through a hash function (probably md5
> > since it is widely available on free unices) and then base64 encode the
> > result, so one could type the whole thing without too much effort. :)
>
> That sounds like a variation on the RFC1938 OTP scheme (perhaps it IS
> RFC1938, if we don't take "base64 encode" literally).
>
> I've seen a couple of implementations for that, but never heard of anyone
> actually using it before.

Well, the twonz program does indeed base64. The program is GPL, so what
the heck, lets post it! ;)

This points out though that I was wrong -- SHA-1 instead of md5. :) I
think the substitutions at the end remove spaces, newlines, etc, and
truncates the result to 8 chars. It looks trivial to get more characters
out of it, but since it is SHA-1, the max is probably around 22
characters. (Although the inputs to the system are probably less than 22
bytes of entropy!)

I found it here: http://www.interlog.com/~gray/twonz/twonz

#!/usr/bin/perl
#
# twonz is copyright (C) 1999 Vengeance Software
# released under the terms of the GNU GPL v2.0+
# written by Graydon Hoare <[EMAIL PROTECTED]>
#
# Derives a site-specific password: SHA-1(pad . site), base64 encoded,
# with non-word characters stripped and the result cut to 8 characters.

use Tk;
use SHA;               # the old SHA (SHA-1) module: reset/add/digest
use MIME::Base64;
my $main = new MainWindow;
my $context = new SHA;

$hashval = '';         # derived password, shown in the disabled field
$padval = '';          # secret pad, masked with '*' while typing
$literalval = '';      # site name, e.g. financialinstitution.com
my $pe = $main->Entry( show => '*', width => 25 , relief => 'sunken',
                       textvariable => \$padval);
my $le = $main->Entry( width => 25 , relief=> 'sunken',
                       textvariable => \$literalval);
my $he = $main->Entry( width => 25, state => 'disabled' , relief=> 'groove',
                       textvariable => \$hashval);

$pe->pack(anchor=>"w");
$le->pack(anchor=>"w");
$he->pack(anchor=>"w");
# The event name was lost from the archived copy (angle brackets stripped);
# <KeyRelease> is assumed here so the hash field updates as you type.
$main->bind('<KeyRelease>', \&digest);
MainLoop;

sub digest {
  $context->reset();
  $context->add($padval);
  $context->add($literalval);
  $hashval = encode_base64($context->digest());
  $hashval =~ s/\W//g;            # drop '+', '/', '=' and the newline
  $hashval =~ s/(\w{8}).*/$1/g;   # keep only the first 8 characters
}



--

Date: Fri, 09 Jun 2000 19:08:08 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: My lastest paper on Block Ciphers

Simon Johnson wrote:
> Well, rather than moaning about trivial portability issues, i downloaded
> word view from softseek.com.

Useless. I've Word97 anyway here at work. And the font doesn't work :-(

--

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: How did Mr. Schneier calcuate this figure?
Date: Fri, 09 Jun 2000 11:09:37 -0600


(In reference to IDEA,)
Jeff Moser wrote:
> 
> On page 323 of Applied Cryptography 2nd Edition, 3/4 of the way down the
> page. Schneier explains that weak keys are (in hex)
> 
> , , 0x00, , , 000x, , x000
> 
> To me, this seems like a total of up to 28 bits (7 * 4). Therefore, the
> likelihood of getting one seems to be 2^28/2^128 = 1/2^100, however the
> books says 1 in 2^96. Could someone tell me where I'm making a mistake?

Joan Daemen's paper on IDEA's weak keys actually gives examples of
several classes of weak keys.  So I think the above pattern is only
one kind of weak key.  Indeed, Schneier says "For example, a weak key
is" the pattern above.  So you h

Cryptography-Digest Digest #989

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #989, Volume #11   Fri, 9 Jun 00 13:13:00 EDT

Contents:
  Re: Random IV Generation ([EMAIL PROTECTED])
  Re: Is OTP unbreakable?/Station-Station (Tim Tyler)
  Re: Multiple encryptions (Tim Tyler)
  Re: Statistics of occurences of prime number sequences in PRBG output  (Mok-Kong Shen)
  Re: Some dumb questions (Mok-Kong Shen)
  Re: DES question ("Paul Pires")
  Re: Multiple encryptions (John Myre)
  Re: Brute forcing for Counterpane's Password Safe ("TheGPFguy")
  Re: Random IV Generation (Terry Ritter)
  Re: Encoding 56 bit data ---HELP--- (Runu Knips)
  Re: testing non linearity of arithmetic-logic combinations (Terry Ritter)



From: [EMAIL PROTECTED]
Subject: Re: Random IV Generation
Date: Fri, 09 Jun 2000 16:04:58 GMT

In article <[EMAIL PROTECTED]>,
  Eric Lee Green <[EMAIL PROTECTED]> wrote:

> http://twofish-py.sourceforge.net :-). If you are using Linux or
> FreeBSD, the situation is even simpler: simply request 8 bytes
> from the file "/dev/random".

What other unix or unix-like OSs supply such random devices? OpenBSD has
several random devices, but the manpages specify that /dev/random is
reserved for use with hardware random number generators; one uses
/dev/arandom typically (ARC4 seeded by network, console, disk, etc..)

Some fellow has "egd" -- entropy gathering daemon -- for those machines
without cryptographic random numbers built in.

How about windows? Is its only source of randomness coming from MS's
cryptographic library? Does anyone know if that has a decent PRNG?

:)



--

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?/Station-Station
Reply-To: [EMAIL PROTECTED]
Date: Fri, 9 Jun 2000 15:55:13 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> If the message were sandwiched at a genuinely random position within
:> 1K of random bytes before the OTP was applied (with some signal for
:> stripping the data off again), this attack would succeed only one
:> time in a thousand - rather than every single time.

: No, it would succeed every time, if the cryptanalyst were competent.

It appears that you must be making some very different assumptions to me
to arrive at this conclusion.

Are you assuming that the "random" pad is not suitably random?  Or that
the analyst has stolen a copy of it?

Are you assuming that the RNG used to decide where the random data ends
and the actual message begins is terminally broken?

Does the analyst get feedback from the recipient when he successfully
forges a message - and thousands of failed forgeries "don't matter"?

I believe that - unless there has been an insecurity introduced into the
implementation, the analyst will be none-the-wiser about where in the
message the actual message lies - and his chance of making a forgery will
be about 1/2^n - if n bits have been added.

Note that the analyst cannot try the plaintext at every possible position
(and see which is correct) - since in each position the revealed key will
appear to be a uniform random stream - with no way to decide which
position was correct.
-- 
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Goodbye cool world.

--

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Multiple encryptions
Reply-To: [EMAIL PROTECTED]
Date: Fri, 9 Jun 2000 16:06:50 GMT

AllanW <[EMAIL PROTECTED]> wrote:

: We have some encryption program E [which] is meant to take any
: plaintext (even non-printable data) and encrypt it, to
: transmit it safely to other sites. E identifies the
: encrypted data with a brief cleartext message at the
: start of it's output, to allow the decryption engine to
: avoid trying to decrypt data that never was encrypted. [...]

: Secretly, we also have another encryption program D. It
: isn't public knowledge, but what we really do is take our
: data files and encrypt them with D. Then we take the D
: output and feed that into E. Programs D and E know
: nothing of each other; each is meant to be used as a
: stand-alone encryption engine. D also appends some
: cleartext at the beginning of it's output, but of course
: E encrypts that [...]

: I've heard that this hypothetical case is a bad idea, and
: not just because of any false sense of security. Someone I
: respect tells me that the result is actually LESS secure
: than using either D or E alone.

You have known-plaintext in both inputs to the respective
cyphers. If there's a partial-known plaintext attack against both cyphers,
the scheme might be weaker than either alone - if known plaintext were
otherwise not common.

If you don't add in the known plaintext, then this is an orthodox
cypher stack - which is likely to be stronger than either cypher alone.

: Suppose that D is a home-grown "security by obsc

Cryptography-Digest Digest #988

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #988, Volume #11   Fri, 9 Jun 00 12:13:01 EDT

Contents:
  Re: Statistics of occurences of prime number sequences in PRBG output as (John)
  Re: Thanks Sci.Crypt Readers (tomstd)
  Re: Statistics of occurences of prime number sequences in PRBG output as (John)
  Re: Solution for file encryption / expiration? (Mark Wooding)
  Re: Solution for file encryption / expiration? (Andru Luvisi)
  Re: Encoding 56 bit data ---HELP--- ([EMAIL PROTECTED])
  Re: Cryptographic voting (Mok-Kong Shen)
  Re: DES question (Mok-Kong Shen)
  Re: help for rc5 cryptanalysis (David A. Wagner)
  Re: My lastest paper on Block Ciphers (Andru Luvisi)
  Re: Cryptographic voting (Randy Poe)
  Re: Random IV Generation (David A. Wagner)
  Re: My lastest paper on Block Ciphers ([EMAIL PROTECTED])
  Re: DECT encryption algorithms? (Paul Koning)
  Re: My lastest paper on Block Ciphers (Paul Koning)
  Re: OT: Starmath font (Runu Knips)



Subject: Re: Statistics of occurences of prime number sequences in PRBG output as
From: John <[EMAIL PROTECTED]>
Date: Fri, 09 Jun 2000 08:08:04 -0700

Odd. You would not be able to encrypt much data with just prime
#s, as there aren't that many between 0 and 255. If you go
higher, you even get less primes.

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


--

Subject: Re: Thanks Sci.Crypt Readers
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 09 Jun 2000 08:08:45 -0700

Following the advice of Matthew Fisher I installed a postscript
printer on my win98 machine... There is a .PS copy of the paper
(draft) for ya to read now...

http://tomstdenis.com/ffunctions.ps.gz

Thanks a bunch,
Tom



--

Subject: Re: Statistics of occurences of prime number sequences in PRBG output as
From: John <[EMAIL PROTECTED]>
Date: Fri, 09 Jun 2000 08:18:19 -0700

Mathematicians and computer scientists view formulas a bit
differently.  A mathematical formula can be translated into a
computer program.  Some computer programs can't always be
translated into one simple mathematical formula.



--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Solution for file encryption / expiration?
Date: 9 Jun 2000 15:21:15 GMT

RecilS <[EMAIL PROTECTED]> wrote:

> HELLO!?
> Is anyone listening to the question!?

You're rude, and you've clearly not been reading the answers properly.

> We've gotten into a discussion on the viability of PDF's encryption
> algorithm and whether you should take notes in books or not.  Does
> anyone realize that he's simply copyright protecting a BOOK?

He's doing more than that.  Encrypting the data and using `trusted'
reader software also prevents consumers from properly exercising their
fair use rights, to the same extent as it prevents copying the plaintext
document.  (It doesn't, and indeed can't, stop copying of the ciphertext
at all, which is even more of a stupid mess.)

> If someone really really wants the damn book they are going to

[...]

> But most importantly...
> E) They are not going to start up the old decryption engine.

They don't need to.  One of the points being made is that the key is
already known to the client computer.  It's not a matter of
cryptanalysis: it's a matter of picking the key out of some code which
already knows it.

> As long as the encryption format is decently strong, there may be one
> or at most two idiots out there with enough time and interest to
> decrypt it. (And they're probably the people who replied to you on
> this newsgroup) but all in all if someone wants the book, this is NOT
> how they are going to obtain it.

You've also forgotten that, once an unprotected version has been
produced, by whatever means, it can be made widely available with
negligible cost.

> P.S.> Everything is 'flawed'.  Show me one thing on earth that you
> can prove is completely secure and I will call you god.

There's a difference between `flawed' and being a hopelessly misguided
failure with questionable ethics.

-- [mdw]

--

From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Solution for file encryption / expiration?
Date: 09 Jun 2000 08:24:41 -0700

"RecilS" <[EMAIL PROTECTED]> writes:
[snip]
> But most importantly...
> E) They are not going to start up the old decryption engine.
[snip]

Even if your arguments were correct, and the opposing side has been
represented well enough that I'm not going to get into that in this
post, you are still ignoring the massive inconvenience t

Cryptography-Digest Digest #987

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #987, Volume #11   Fri, 9 Jun 00 11:13:01 EDT

Contents:
  Re: Davvey Griffith, bitter little lying PIZZABOY tries to get "malicious" whackers to do his dirty work. (Charlie Chainsaw)
  Re: randomness tests (John)
  Re: Some dumb questions (Jim Gillogly)
  Re: Random IV Generation (Eric Lee Green)



Subject: Re: Davvey Griffith, bitter little lying PIZZABOY tries to get "malicious" whackers to do his dirty work.
Crossposted-To: alt.hackers.malicious,alt.usenet.kooks,alt.romath,alt.fan.karl-malden.nose,alt.fan.mark-brian,alt.politics.uk
From: [EMAIL PROTECTED] (Charlie Chainsaw)
Date: Fri, 9 Jun 2000 06:47:18 -0600

[EMAIL PROTECTED] wrote:
> In alt.hackers.malicious Belinda <[EMAIL PROTECTED]> wrote:

 I'm not a barrater.  Never claimed to be.  Keep repeating a 4 year old lie,
 Daavey.  Says a lot about you.
>>>
>>>You don't have to actually BE a lawyer to be a barrater.  All it takes is
>>>abuse of the legal system.

>> From the American Heritage Dictionary: bar.ra.tor also bar.ra.ter
>> (b?r??-t?r) n. Law. One that persistently instigates lawsuits. 

>> Try to find a more appropriate ad-hominem, Daaavey.

> Why?  The definition still suits you?

>>>These twerps are the ones who attacked APDD and AHM.
>
>> The record clearly shows that we were the ones who defended ourselves after
>> first being attacked by netkkopping pizzaboys and fuckheaded crackers.  Spin
>> it 'til the cows come home, Dvey boy - Deja tells the *real* story.
>
>Which record?  The broken one that keeps going "netkop! postmaster!
>whaaa!" over and over again?  Deja clearly shows that JamesE announced to
>the world that he was back and wanted revenge.  
>>>
 Actually, Daavey, James announced that he would continue to post to APDD, an
 unmoderated alt. group if he pleased.  You retaliated with email threats.  I
 have all of them, btw.
>>>
>>>James can't even tell the difference between email and usenet.

>> You can't even tell when you've been trolled.

> What can you do to APDD now?  Troll it some more?  The people your looking
> to irritate are all gone to a mailing list which is quite safe from your
> ilk.  

>He ran to Gary to rally the peanut gallery and they started flooding APDD. 
>>>
 This is where the lies start.  You were screaming FLOOD! over an
 insignificant amount of posts.  *That's* why you got laughed out of nanau.
>>>
>>>Hyperbole.

>> Yes, claiming that a handful of posts was a "flood" was indeed hyperbole.
>> Thanks for admitting it.

> Oops.  You missed what I was referring to.

>Are you capable of
>noticing this from the general content of the messages from February til
>mid-April or do you need diagrams and graphs?
>>>
>>>> Chart it out, sweetie.  I think you'd be surprised at the numbers.
>>>
>>>Gee, you ARE dense.

>> Um, no.  Do the math, Daavey.  Maybe the numbers will convince you to put
>> your Burnore obsession aside and deal with some facts.

> Have you any clue of the metric involved?  Count the number of posts that
> had anything to do with trollery in February, March, and April.  Notice
> the increase.

>>>> It will show that you're a whining little netkop who destroyed APDD because
>>>> you thought it was YOUR group.
>>>
>>>As if you, Gary, or James has more of a claim there than I?

>> What's that whooshing sound I hear?  Must be a point flying right over
>> Daaavey's head.

> You mean that wasn't a gnat farting?

>Perhaps I should dig up mailing list archives
>>>
>>>> Why don't you just go back to Thorne's site?  He put his own spin on every
>>>> single thing the Anonymous Asshole did.  One stop shopping for your
>>>> obsession, Daavey.  That's how this all started.  Your obsession.  Remember,
>>>> you had a chance at a truce.  But no-o-o-o, Daavey was going to be the one
>>>> to bring down DataBasix.
>>>
>>>Or I could just go back to my archive of Cypherpunk listmail.

>> Oooh, you've got an archive, too!  When are you going to immortalize yours
>> on a website?  You'll have to go a long way to beat out Jerry Terranson.  He
>> spends $29.95 monthly just so he can have a special website devoted to
>> archiving everything Burnore/DataBasix related.

> Why should I bother when one can run a search on altavista for free?

>> Since this will probably go over your head, let me make it simpler for you,
>> Daavey:  I don't care about your archive.  I'd bet real money that no one
>> other than the usual obsessos care about your archive.

> Where did I imply that you should visit this archive?  You can go use a
> search engine like everyone else who lacks access to my machinery.

>>>Which truce are you talking about?  The one where James E declared himself
>>>emperor???

>> No.  The ones where neutral parties tried to talk you into backing off in
>> return for the stopping the crossposting and concluded that y

Cryptography-Digest Digest #986

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #986, Volume #11   Fri, 9 Jun 00 11:13:01 EDT

Contents:
  Re: Observer 4/6/2000: "Your privacy ends here" (George Edwards)
  Re: Observer 4/6/2000: "Your privacy ends here" (George Edwards)
  How did Mr. Schneier calcuate this figure? ("Jeff Moser")
  Re: Random IV Generation (Tim Tyler)
  Re: Arithmetic Coding (Tim Tyler)
  probabilistic primality tests - error probability % ([EMAIL PROTECTED])
  Re: Some dumb questions (Mok-Kong Shen)
  Re: My lastest paper on Block Ciphers (tomstd)
  randomness tests ([EMAIL PROTECTED])
  Re: Random IV Generation (Mok-Kong Shen)
  Re: Encoding 56 bit data ---HELP--- (tomstd)
  Re: Arithmetic Coding (tomstd)
  Re: testing non linearity of arithmetic-logic combinations (Tim Tyler)
  Re: testing non linearity of arithmetic-logic combinations (Tim Tyler)
  Thanks Sci.Crypt Readers (tomstd)
  Re: Solution for file encryption / expiration? ("RecilS")



From: George Edwards <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Fri, 9 Jun 2000 15:13:29 +0100

In article <[EMAIL PROTECTED]>, Bob  writes
>there's surely no way they
>could do you.


surely you are confusing natural justice with what would actually happen
... :-)
-- 
George Edwards

--

From: George Edwards <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Fri, 9 Jun 2000 15:14:51 +0100

In article <[EMAIL PROTECTED]>, me
<[EMAIL PROTECTED]> writes
>Article 11
>
>(1) Everyone charged with a penal offence has the right to be presumed innocent

Speed cameras?
> 
>until proved guilty according to law in a public trial at which he has had all 
>the guarantees necessary for his defence.

What guarantees? One learns from experience. I wouldn't trust in this
for a moment. 
-- 
George Edwards

--

From: "Jeff Moser" <[EMAIL PROTECTED]>
Subject: How did Mr. Schneier calculate this figure?
Date: Fri, 9 Jun 2000 09:11:17 -0500

On page 323 of Applied Cryptography 2nd Edition, 3/4 of the way down the
page, Schneier explains that weak keys are (in hex)

, , 0x00, , , 000x, , x000

To me, this seems like a total of up to 28 bits (7 * 4). Therefore, the
likelihood of getting one seems to be 2^28/2^128 = 1/2^100, however the
book says 1 in 2^96. Could someone tell me where I'm making a mistake?

Thank you for your time,

Jeff

(I apologize if this message was received twice, I don't think the other one
made it to the server)


--

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Random IV Generation
Reply-To: [EMAIL PROTECTED]
Date: Fri, 9 Jun 2000 13:58:46 GMT

tomstd <[EMAIL PROTECTED]> wrote:
: In article <8hpb0c$q1i$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
:>  tomstd <[EMAIL PROTECTED]> wrote:

:>A strong IV will help prevent dictionary attacks. A weak one (such as
:>the pathological case of "none") provides no help against dictionary
:>attacks.
:>
:>[...] dictionary attack 1024 times. By these feelings, the
:>more 'difficult to guess' bits in the IV, the more difficult a
:>dictionary attack will be.
:>Thus an IV could be judged Strong or Weak based on how many
:>bits of entropy went into its generation.

: The thing is that your IV don't need to be random at all... so
: how does 'randomness' or strength come into this at all?

Consider IVs that go 1,2,3,2,3,1,2,3,1,2,3,2,1,2,2,3,3... on consecutive
messages.

These IVs are weak.  IVs that don't trivially repeat would be stronger.
-- 
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.
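As an added example (not Tim's code or anyone else's in the thread), the following Go program shows concretely why IVs that come round again, as in the 1,2,3,2,3,1,... sequence above, are weak: under one AES-CBC key, two messages that share a first plaintext block and an IV produce an identical first ciphertext block, which an eavesdropper can see without any key. The key, the messages and the IV pattern are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// demoKey is a constructed 128-bit key; a real one comes from a KDF or key store.
var demoKey = []byte("0123456789abcdef")

// Constructed messages: a fixed 16-byte header block then a varying body block.
var demoMsgs = [][]byte{
	[]byte("TRANSFER-REQ/v1 amount=000100.00"),
	[]byte("TRANSFER-REQ/v1 amount=000250.00"),
	[]byte("TRANSFER-REQ/v1 amount=007500.00"),
	[]byte("TRANSFER-REQ/v1 amount=000099.99"),
}

// cbcEncrypt runs AES-CBC over pt, already a whole number of blocks (no padding).
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// counterIV models the weak 1,2,3,2,3,1,... pattern: no entropy, soon repeats.
func counterIV(n byte) []byte {
	iv := make([]byte, aes.BlockSize)
	iv[aes.BlockSize-1] = n
	return iv
}

// freshIV draws an unpredictable IV from the OS CSPRNG.
func freshIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// exposedPairs encrypts msgs[i] under ivs[i] and counts pairs whose first ciphertext
// block is identical: same key, IV and first plaintext block give the same output.
func exposedPairs(key []byte, ivs, msgs [][]byte) int {
	n := 0
	first := make([][]byte, len(msgs)) // first ciphertext block per message
	for i := range msgs {
		first[i] = cbcEncrypt(key, ivs[i], msgs[i])[:aes.BlockSize]
		for j := 0; j < i; j++ {
			if bytes.Equal(first[i], first[j]) {
				n++
			}
		}
	}
	return n
}

func main() {
	repeating := [][]byte{counterIV(1), counterIV(2), counterIV(3), counterIV(2)}
	random := [][]byte{freshIV(), freshIV(), freshIV(), freshIV()}
	fmt.Println("pairs exposed with IVs 1,2,3,2:", exposedPairs(demoKey, repeating, demoMsgs))
	fmt.Println("pairs exposed with random IVs: ", exposedPairs(demoKey, random, demoMsgs))
}
```

With the repeating pattern the second and fourth messages share IV 2, so their identical headers are exposed; with fresh random IVs no pair is.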

--

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Arithmetic Coding
Reply-To: [EMAIL PROTECTED]
Date: Fri, 9 Jun 2000 14:06:38 GMT

tomstd <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:

:>[...] matt's site that has the best info on useful with source code
:>adaptive unadulterated arithmetic coding. [...]

: To the best of my knowledge no arithmetic coder adds anything
: that doesn't need to be there.  So your logic is flawed my friend.

What if the arithmetic stream does not terminate on a byte boundary?

Think about it - an arithmetic coding stream is pretty good - but it
is only rarely as perfect as you will find at:

  http://www3.sympatico.ca/mtimmerm/biacode/biacode.html
-- 
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 

Cryptography-Digest Digest #985

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #985, Volume #11   Fri, 9 Jun 00 10:13:01 EDT

Contents:
  Re: Multiple encryptions (Guy Macon)
  Re: Observer 4/6/2000: "Your privacy ends here" (Paul Shirley)
  help for rc5 cryptanalysis ("Stanley")
  Re: My lastest paper on Block Ciphers (Simon Johnson)
  Re: ZKPs in practice? (Helger Lipmaa)
  Re: ANNC: IECrypt (Roger Fleming)
  Re: Multiple encryptions (jkauffman)
  Re: Cryptographic voting ("Trevor L. Jackson, III")
  Encoding 56 bit data ---HELP--- (dexMilano)
  Re: Cryptographic voting ("Trevor L. Jackson, III")
  Re: XTR independent benchmarks (DJohn37050)
  Re: Anti-Evidence Eliminator messages, have they reached a burn-out po (Roger Fleming)
  Re: Some dumb questions (Jim Gillogly)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Geoff Lane)
  Re: help for rc5 cryptanalysis (Simon Johnson)
  Re: help for rc5 cryptanalysis (Simon Johnson)
  Re: Random IV Generation (Jerry Coffin)
  Re: help for rc5 cryptanalysis (Mark Wooding)



From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Multiple encryptions
Date: 09 Jun 2000 08:12:17 EDT

AllanW wrote:
>
>
>We have some encryption program E, and we use it whenever
>we send messages to each other. E is meant to take any
>plaintext (even non-printable data) and encrypt it, to
>transmit it safely to other sites. E identifies the
>encrypted data with a brief cleartext message at the
>start of its output, to allow the decryption engine to
>avoid trying to decrypt data that never was encrypted.
>Therefore, anyone that can intercept our messages already
>knows we use encryption program E.
>
>Secretly, we also have another encryption program D. It
>isn't public knowledge, but what we really do is take our
>data files and encrypt them with D. Then we take the D
>output and feed that into E. Programs D and E know
>nothing of each other; each is meant to be used as a
>stand-alone encryption engine. D also appends some
>cleartext at the beginning of its output, but of course
>E encrypts that so our use of D is *mostly* a secret.
>
>I've heard that this hypothetical case is a bad idea, and
>not just because of any false sense of security. Someone I
>respect tells me that the result is actually LESS secure
>than using either D or E alone.
>
>How can this be?

Let's look at the degenerative cases:

Assume that D and E are the exact same stream cipher with
the same key, salt, etc., each of which uses XOR to encrypt.
In that case, they undo each other.  So clearly you can't say
that multiple encryption never decreases security.

Now assume that D and E are OTP ciphers with different random
keys, again using XOR to encrypt.  In that case, you have
increased your security by exactly zero.  So clearly you
can't say that multiple encryption always increases security.

Now assume that D and E are unrelated and hard (but not
impossible) to break.  Your security is greatly increased
in this case.   So clearly you can't say that multiple
encryption never increases security.

Now for the $64,000 question:  Are you ABSOLUTELY SURE that the
two methods are not related in some subtle way?  Has the combo
of D then E been subjected to the sophisticated attacks and
extensive analysis that E alone has survived?

--

From: Paul Shirley <[EMAIL PROTECTED]>
Reply-To: Paul Shirley <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Fri, 9 Jun 2000 13:02:23 +0100

In article <[EMAIL PROTECTED]>, Mok-Kong Shen  writes
>Yes. In fact your proposal coincides with the details of an
>implementation I had in mind, which takes care of all
>eventualities, including a possible black-out of oneself. One uses
>a pseudo-random generator to create a hex stream to xor with a
>(constant or seldom changing -- for convenience) text from a book
>and one puts the (session dependent, arbitrary) seed used for the
>generator, also in hex, at the front or the back of that. When the
>law enforcement asks for the key, pull out the code of the generator
>and laconically tell them that the fervently wished-for key is already
>there in those mysterious looking lines.

Bad idea. If there's any message in there it's an encrypted message and
RIP will apply. With no message and the ability to prove that if
required, you have a better defence (RIP won't be relevant) and more
options for 'wasting police time'. 

-- 
Paul Shirley: reply address may change at short notice.
cc'ed news posts *unwelcome*

--

From: "Stanley" <[EMAIL PROTECTED]>
Subject: help for rc5 cryptanalysis
Date: Fri, 9 Jun 2000 13:41:04 +0100

Hi
I know there are many experts in this group. Could anyone help me out on
cryptanalysis o

Cryptography-Digest Digest #984

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #984, Volume #11   Fri, 9 Jun 00 08:13:01 EDT

Contents:
  Re: Some dumb questions (Mok-Kong Shen)
  Re: Some dumb questions (Mok-Kong Shen)
  Re: testing non linearity of arithmetic-logic combinations (Mok-Kong Shen)
  Re: My lastest paper on Block Ciphers (Mark Wooding)
  Re: Random IV Generation (Mok-Kong Shen)
  Re: Cryptographic voting (Mok-Kong Shen)
  Re: Cryptographic voting (Mok-Kong Shen)
  Re: ZKPs in practice? (Mark Wooding)
  Re: PK analogue for passwords (Daniel James)
  Re: My lastest paper on Block Ciphers (tomstd)
  Re: testing non linearity of arithmetic-logic combinations (Klaus Pommerening)
  Re: My lastest paper on Block Ciphers (tomstd)
  Re: Random IV Generation (tomstd)
  re: my latest paper (tomstd)
  Re: Cryptographic voting (Mark Wooding)
  Re: Random IV Generation (Mark Wooding)
  OT: Starmath font (tomstd)
  Re: equation involving xor and mod 2^32 operations (Guy Macon)
  Re: Is OTP unbreakable?/Station-Station (Guy Macon)



From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Some dumb questions
Date: Fri, 09 Jun 2000 12:19:57 +0200



Jim Gillogly wrote:

> Mok-Kong Shen wrote:
> > Jim Gillogly wrote:
> > > ... use a kappa test: slide the two
> > > ciphertexts against each other and count the number of coincidences
> > > at each offset ...
> >
> > I guess that flattening the frequency distribution with some appropriate
> > techniques would provide sufficient immunity to such techniques.
> > Further, if OTP is employed two times, it's likely, in my view, that the
> > use of two same or overlapping segments are done at widely separate
> > timepoints and therefore the pool of messages containing these is quite
> > large and hence the chance of hitting such favourable pairs is
> > correspondingly low, I suppose.
>
> "Some appropriate techniques" are not obvious, and "sufficient immunity"
> will presumably depend on the value of the data.  For example, simply
> doing a Vigenere with key COMERETRIBUTION or MANCHESTERBLUFF will flatten
> the distribution, but will still fall apart if the coincidence is checked
> at varying offsets.  In addition, it's normally not safe to assume the
> widely separate times and large number of messages will save you.  Consider
> again VENONA as a counterexample.  Comparing each pair of messages is an
> N^2 problem, granted, but each test is cheap and the potential payoff is
> enormous: you've gotten a peek into the enemy's most secret traffic.
>
> As Robert Morris (pere) said (paraphrased from memory), "Never underestimate
> the amount of time, money, and effort an opponent will expend in order to
> read your traffic."

I appreciate very much your comments and agree with you. Also your
citation is valuable. On the point of details of 'better techniques' to
flatten the frequency distribution (though, as I explained previously,
is not of primary importance in the present discussion) I do like, just
for the purpose of learning some other opinions, to say that I guess
that transposition plus polyalphabetic substitution (at the byte level)
plus random cyclic bits rotations of computer words could make a
quite good viable candidate, though it may not be always justifiable
from other viewpoints, e.g. operating expenses/difficulties. (To
avoid flames from other readers due to misunderstanding, let me
repeat that I don't 'recommend' or 'propose' using n-OTP with
frequency flattening as described above and that I am in fact not
even sympathetic to OTP as such.)

M. K. Shen
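The kappa test Jim describes in the quoted lines (slide the two ciphertexts against each other and count coincidences at each offset), as an added Go example that is not from the thread: two constructed English messages are XORed with the same keystream, the second starting partway in, and sliding one ciphertext over the other recovers the reuse offset as the shift with by far the most coincidences. The plaintexts, the offset of 37 and the LCG keystream are assumptions made for the demo.

```go
package main

import "fmt"

// Constructed English plaintexts for two messages enciphered with the same pad
// (assumed demo data, not real traffic from the thread).
const msgA = "the shipment leaves the northern depot at dawn on tuesday and must reach " +
	"the coastal station before the tide turns or the whole operation will have to " +
	"wait another week for the next safe window please confirm receipt of the revised " +
	"manifest and the list of names of those who will travel with the convoy"
const msgB = "we received your message about the northern depot and agree that the " +
	"convoy should not wait for the second lorry because the roads will be watched " +
	"after tuesday and the station master has been told to expect the manifest by " +
	"hand and not by wire the names of those remaining behind go to the office"

// reuseOffset (assumed): where message B's encipherment began inside the pad.
const reuseOffset = 37

// pad yields n keystream bytes from a seeded 64-bit LCG (high byte only): a
// reproducible stand-in for the reused pad, not a cryptographic generator.
func pad(seed uint64, n int) []byte {
	out := make([]byte, n)
	for i := range out {
		seed = seed*6364136223846793005 + 1442695040888963407
		out[i] = byte(seed >> 56)
	}
	return out
}

// kappa counts coincidences between a and b with b slid right by shift. Where the
// pads line up the key cancels (~7% of positions coincide for English, ~1/256 otherwise).
func kappa(a, b []byte, shift int) int {
	n := 0
	for i := 0; i < len(b) && i+shift < len(a); i++ {
		if a[i+shift] == b[i] {
			n++
		}
	}
	return n
}

// bestShift tries every shift in [0, maxShift]; returns the winner and its count.
func bestShift(a, b []byte, maxShift int) (int, int) {
	best, bestCount := 0, -1
	for s := 0; s <= maxShift; s++ {
		if c := kappa(a, b, s); c > bestCount {
			best, bestCount = s, c
		}
	}
	return best, bestCount
}

// analyse enciphers both messages with the same pad (B starting partway in),
// then, using only the two ciphertexts, recovers the reuse offset.
func analyse() (int, int) {
	key := pad(0x5eed, reuseOffset+len(msgA)+len(msgB))
	ctA, ctB := []byte(msgA), []byte(msgB)
	for i := range ctA {
		ctA[i] ^= key[i]
	}
	for i := range ctB {
		ctB[i] ^= key[reuseOffset+i]
	}
	return bestShift(ctA, ctB, len(msgA)-1)
}

func main() {
	s, c := analyse()
	fmt.Printf("pad reuse detected at shift %d with %d coincidences\n", s, c)
}
```

At the true shift the count equals the number of positions where the two plaintexts themselves coincide, which is what a frequency-flattening layer would have to hide.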


--

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Some dumb questions
Date: Fri, 09 Jun 2000 12:20:05 +0200



Volker Hetzer wrote:

> IMHO the explanations you've got so far (from others and (hopefully) me)
> should get you started thinking about an approach.

I appreciate very much everybody's, including yours, contribution to
this thread. (I asked you the last time the one question only because I
guessed that you probably had some ready and effective way of dealing
with the problem concerned but which was not apparent to some of us,
in particular to me.)

Cheers,

M. K. Shen


--

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: testing non linearity of arithmetic-logic combinations
Date: Fri, 09 Jun 2000 12:20:11 +0200



Terry Ritter wrote:

> With respect to nonlinearity, a completely random table is likely to
> be more nonlinear than an invertible substitution table which is
> necessarily restricted to be a permutation, but a random table is not
> guaranteed to be balanced, and is unlikely to be invertible.
> Similarly, a substitution table is likely to be more nonlinear than a
> similar-sized row or column of a Latin square which is more than just
> an arbitrary permutation: each row or column also must be a
> permutation in a set which will make a Latin square.  Of course, a
> Latin square will have multiple 

Cryptography-Digest Digest #983

2000-06-09 Thread Digestifier

Cryptography-Digest Digest #983, Volume #11   Fri, 9 Jun 00 06:13:00 EDT

Contents:
  Re: Some dumb questions (William Rowden)
  Re: Some dumb questions (Jim Gillogly)
  Re: Question about recommended keysizes (768 bit RSA) (Jerry Coffin)
  Re: XTR independent benchmarks (Roger Schlafly)
  Re: Cryptographic voting (Greg)
  Re: Cryptographic voting (Greg)
  Re: Cryptographic voting (Mike Oliver)
  Re: equation involving xor and mod 2^32 operations ("Clive Tooth")
  Re: Observer 4/6/2000: "Your privacy ends here" (Brian {Hamilton Kelly})
  ANSI X.917 PRBG (jkauffman)
  Re: Some dumb questions (John Savard)
  Re: My lastest paper on Block Ciphers (Runu Knips)
  Re: Comfort csybrandy ! (Was: Attack on SC6a (sci.crypt cipher)) (Runu Knips)
  Re: My lastest paper on Block Ciphers ("Sam Simpson")
  Re: Some dumb questions (Volker Hetzer)
  Re: Thoughts on an encryption protocol? (Volker Hetzer)
  Re: PSS and PSSR patent status (was Re: XTR) (Bodo Moeller)



From: William Rowden <[EMAIL PROTECTED]>
Subject: Re: Some dumb questions
Date: Fri, 09 Jun 2000 05:20:36 GMT

In article <8hpg22$v9e$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (William Rowden) wrote:
> How does one decipher plaintext enciphered with a generator that is
> biased?

Now that I see more of this thread, I think Volker Hetzer's post
provides one answer to this question.
--
-William
SPAM filtered; damages claimed for UCE according to RCW19.86
PGP key: http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc until 2000-08-01
Fingerprint: FB4B E2CD 25AF 95E5 ADBB  DA28 379D 47DB 599E 0B1A


Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Some dumb questions
Date: Fri, 09 Jun 2000 05:38:14 +

William Rowden wrote:
> I was trying to characterize the problem of deciphering the
> result of XORing exactly two ciphertexts, without dragging probable
> n-grams across it.  The XOR of the ciphertexts is equivalent to the
> XOR of the plaintexts in this context.  I was imagining one of the
> plaintexts arbitrarily as the message, and the other as a
> (pseudorandom) key.  This relates to question number 1 at the
> beginning of the thread (the OTP reuse being question 2).  How does
> one decipher plaintext enciphered with a generator that is biased?

If it really reduces to a biased generator with no other structure
possible, then you would presumably be hosed in terms of recovering
plaintext -- you would be reduced to using the results to take advantage
of the information in less direct ways: confirming that a particular
ciphertext message matches some expected or captured plaintext, and so
on.

However, much of this thread is talking about a two-step process:
a simple transposition or substitution followed by the two-time-pad
operation.  In this case you do have a good chance at cryptanalysis,
trying to break both parts of the cipher simultaneously.

If the substitution is messy enough, c/a probably won't get anywhere.
For example, if it's DES-CBC, then the combination will be much harder
than DES-CBC alone, even with an average PRNG for the 2TP.  If it's
DES-ECB underneath, there's a good chance that the overlap will be
spotted due to code book collisions, given enough ciphertext and
consistent enough plaintext... but presumably recovering the pt will
still be hard.  But if you're doing DES anyway, why not use something
even faster and stronger, and skip all the 2TP bumf?

If there's any chance that you will be falling away from the True Path,
it's better to fall in a well-analyzed direction... I suggest using 3DES
alone instead of trying to cobble together a strong cipher from some
primitive ones.

-- 
Jim Gillogly
20 Forelithe S.R. 2000, 05:25
12.19.7.5.0, 13 Ahau 3 Zotz, First Lord of Night

--

From: Jerry Coffin <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy.anon-server,alt.security.pgp
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: Thu, 8 Jun 2000 23:54:39 -0600

In article <8hp29n$jlg$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...
> I am curious as to why people think that 1024 bits RSA is not
> vulnerable... according to Stallings' book p. 181..  1000 bit integer
> can be factored with 10**7 MIP-Year.  Current Cray T3's run at over one
> teraflops...well that's pretty near factoring a 1000 bit key...

The problem with factoring a number this size is NOT the number of 
CPU operations -- it's the number of memory operations and (most 
particularly) the _amount_ of memory needed.  You basically need a 
single computer with a truly _tremendous_ amount of memory to even 
contemplate factoring a number this size.  To do a job this size, you 
need a LOT more RAM in the computer than even most large networks 
have in hard-drive space.

-- 
Later,
Jerry.
 
The universe is a figment of its own imagination.

--