Cryptography-Digest Digest #553
Cryptography-Digest Digest #553, Volume #12
Mon, 28 Aug 00 04:13:01 EDT

Contents:
  A more secure alternative to ADK for legitimate key recovery (David Hopwood)
  Re: DeCSS ruling -- More (David Hopwood)
  Re: An interesting cryptographic problem (David Hopwood)
  Re: SSL protocol and unencrypted random info (David Hopwood)
  Re: DeCSS ruling -- More ("Stou Sandalski")
  Looking for Book Recommendations ([EMAIL PROTECTED])
  Re: Pencil and paper cipher (Scott Contini)
  Re: Steganography vs. Security through Obscurity (Runu Knips)
  Re: UNIX Passwords (Runu Knips)
  Re: My encryption algorithm (Runu Knips)
  Re: SHA-1 program, wrongo ! (S. T. L.)
  Re: Patent, Patent is a nightmare, all software patent shuld not be allowed (Paul Rubin)
  Re: Serious PGP v5 v6 bug! ([EMAIL PROTECTED])
  Fly ball in left field... (Greggy)

--

Date: Mon, 28 Aug 2000 07:15:55 +0100
From: David Hopwood [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: A more secure alternative to ADK for legitimate key recovery

-----BEGIN PGP SIGNED MESSAGE-----

"Ron B." wrote:
> On Thu, 24 Aug 2000 13:33:30 GMT, "JL" [EMAIL PROTECTED] wrote:
> > "Ron B." [EMAIL PROTECTED] wrote in message news: [EMAIL PROTECTED]
> > > If a business requires this then Jane may have no choice in her business communications.
> >
> > Then her company shouldn't complain if sensible information is compromised. If you don't trust your employees you shouldn't hire them in the first place.
>
> This may not be a matter of personal trust. The company may see Jane as the perfect employee. If Jane has a heart attack, has a fatal accident or for other reasons beyond her control is not available to decrypt important data, the company may have legitimate reasons to have access to her messages.

Which is why received messages should be reencrypted *by the recipient* to the recipient organisation's public key designated for that purpose, and the ciphertext stored locally. Similarly, sent messages should be additionally encrypted by the sender to the sender organisation's public key. In neither case does anything that allows the message to be recovered go over a public network, in contrast to the ADK design.

Now if Jane has a heart attack, her logs of sent and received messages can be decrypted (the ciphertext will have been backed up by the organisation's normal backup procedures). New messages cannot be decrypted, so they must be bounced, but that is exactly as it should be: the sender then has the opportunity to decide whether he wants to resend the message to Jane's coworkers, rather than to Jane specifically.

- --
David Hopwood [EMAIL PROTECTED]
Home page PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a public key but refuse to specify why, it is because the private key has been seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOaoAezkCAxeYt5gVAQEsRggAx/FF01RBowS/GIjoW+N0MIrqKSfKKAV1
3zFMuIA53LqjlCk6oOmRh57MU+J4BadITw9HAeY+M96wBkq0i8SzdzaBVT9vYxkj
fviPe6s+zV+PqrY6B18PpMDk5XZW6YzXPFi2iVwowGub5DbtLOkQDndF7hTpHbyb
F5LtL0jyFMlEWoLaXBtPfePo3mKu/nH03qQ3sB+UdVAphHVDePHSq4JAlAxussR2
KXL5yK7NfeImi8YgeCD4vFuSQ7fKyx++BtkE+dqvR/N0/jeo3UJ8FIEIn9mpdQ59
9+nekApKSpE0G36NbsAyJ+2RbKiWWR6CkTGgNi8IgmtFuwO1vj+DQw==
=WCfx
-----END PGP SIGNATURE-----

--

Date: Mon, 28 Aug 2000 07:16:43 +0100
From: David Hopwood [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: DeCSS ruling -- More

-----BEGIN PGP SIGNED MESSAGE-----

Stou Sandalski wrote:
> I don't quite agree here, although I see your point. I don't know what they did with PGP... but NAI's PGP has a plug in for MS outlook which is very easy to use...

PGP won't be commonly used unless or until it is bundled with the most common email clients, and set up to generate key pairs by default; plug-ins that have to be separately downloaded won't make any substantial difference. (Unfortunately the common email clients are hopelessly insecure in other ways, but that's a separate issue.) At least the export restriction obstacle to bundling PGP with mail clients has mostly gone away now.

> Their argument is that it will allow "pirates" to copy DVDs

That's their public argument. They don't actually believe it; they know as well as anyone here that commercial pirates don't need to use anything like DeCSS. The primary purpose of CSS is and always was to support the anti-competitive practice of region coding, i.e. to reduce the incidence of trading of *legitimately purchased* DVDs between regions with different pricing regimes, which would force down prices (especially outside
Cryptography-Digest Digest #554
Cryptography-Digest Digest #554, Volume #12
Mon, 28 Aug 00 07:13:00 EDT

Contents:
  Re: On pseudo-random permutation (Mok-Kong Shen)
  Re: PRNG Test Theory (Mok-Kong Shen)
  Re: Steganography vs. Security through Obscurity ("Douglas A. Gwyn")
  Re: My encryption algorithm (Mok-Kong Shen)
  Re: PRNG Test Theory ("Douglas A. Gwyn")
  Re: Patent, Patent is a nightmare, all software patent shuld not be (Mok-Kong Shen)
  Re: Who can show me a good Cryptology site? ("kihdip")
  Re: PRNG Test Theory (Mok-Kong Shen)
  Re: Patent, Patent is a nightmare, all software patent shuld not be allowed (qun ying)
  Re: On pseudo-random permutation (Benjamin Goldberg)
  Re: My (New) New algorithm (Mok-Kong Shen)
  Re: SHA-1 program, wrongo ! (those who know me have no need of my name)
  Re: avalanche characteristic (Mok-Kong Shen)
  e-cash protocol concept, comments wanted (Julian Morrison)
  Re: Patent, Patent is a nightmare, all software patent shuld not be ([EMAIL PROTECTED])
  Re: Patent, Patent is a nightmare, all software patent shuld not be (Mok-Kong Shen)
  Re: On pseudo-random permutation (Tim Tyler)
  Re: e-cash protocol concept, comments wanted (Ragni Ryvold Arnesen)
  Re: PGP ADK Bug: What we expect from N.A.I. ("Michel Bouissou")
  Re: The DeCSS ruling - Reverse engineering? (Gisle Sælensminde)
  Re: Bytes, octets, chars, and characters (Johnny Billquist)

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Crossposted-To: comp.programming
Subject: Re: On pseudo-random permutation
Date: Mon, 28 Aug 2000 10:22:14 +0200

Bryan Olson wrote:
> Mok-Kong Shen wrote:
> [...]
> > If the collision resolution is chosen such that the first element of the pair is always considered less than the second, then indeed there is a bias. The effect is however dependent on the chance of collision, which is practically negligible when the space of the random numbers is large, e.g. 32 bits.
>
> Specifically, when the space of the random numbers is large compared to the number of elements being permuted.
>
> > One can on the other hand use a random choice rule to resolve collision, in which case no bias can occur.
>
> False for any of the usual sorting algorithms. Remember that collisions are not limited to two elements. You could achieve zero bias (assuming a perfect RNG) by recursively applying the procedure to each non-singleton collision set. Though the recursive procedure terminates with probability one, it is technically a non-terminator.
>
> Given a generator of perfect random bits as the one and only source of randomness, can you find any procedure for generating perfectly uniform random permutations (of more than two elements) that strictly terminates? Can you show that no such procedure exists?

(Theoretically) technically the matter is even much worse. For, in order to have a meaningful result, one has to be sure that one has a perfect random sequence at hand but there is no way of verifying that in practice.

M. K. Shen

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Mon, 28 Aug 2000 10:22:07 +0200

Bryan Olson wrote:
> There is no universal test of randomness. There is no algorithm that can distinguish bits produced by an algorithm from truly random bits.

Right, though lots of theories apparently assume there IS something that is perfectly random. Whether this could mean a problem of certain philosophical nature I am not very certain.

BTW, the gist of the other follow-ups was questioning whether the approach indicated by the original poster is methodologically meaningful even under practical points of view.

M. K. Shen

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Steganography vs. Security through Obscurity
Date: Mon, 28 Aug 2000 04:14:05 -0400

Runu Knips wrote:
> So steganography does NOT require obscurity. It only hides the fact if there is an encrypted message OR if there is random data.

No, that's wrong. Some successful steganographic schemes hide the message without encrypting it; the method of hiding itself uses a crypto key, but that is used to select sites, modes, etc., while the data itself is used directly.

In many applications, the main goal of steganography is to avoid detection, which is in effect a requirement for obscurity.

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: My encryption algorithm
Date: Mon, 28 Aug 2000 10:28:00 +0200

Runu Knips wrote:
> The funnier part is that I miss the previous posting of the one I'm now answering, while all postings I've written friday didn't appear on my server.

Couldn't a server crash be an explanation?

M. K. Shen

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Mon, 28 Aug 2000 04:20:39 -0400

Mok-Kong Shen wrote:
> Bryan
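The "attach a random key to each element and sort" procedure from the "On pseudo-random permutation" thread above, worked out in Python so the collision bias and the two fixes (recursive re-shuffling of collision sets, and Fisher-Yates) can be compared. This is an added example, not code from the digest or from any of its posters; the key widths, element counts and seeds are constructed for the demonstration, and the tie rule is the one Shen describes (the earlier element always sorts first).

```python
"""Permutations from sorted random keys: the collision bias and its fixes.

Added example (not from the digest). `exact_sort_distribution` enumerates
every key assignment, so the bias of the 'earlier element is considered
less' tie rule can be read off exactly; `sort_shuffle_recursive` re-shuffles
each non-singleton collision set; `fisher_yates` is the standard uniform
shuffle for comparison. All sizes and seeds below are constructed.
"""
import random
from collections import Counter
from itertools import product


def exact_sort_distribution(n, key_bits):
    """Tally which permutation of range(n) the sort yields for every one of
    the (2**key_bits)**n possible key assignments. Ties are broken by the
    original position, i.e. the earlier element wins."""
    counts = Counter()
    for keys in product(range(1 << key_bits), repeat=n):
        order = sorted(range(n), key=lambda pos: (keys[pos], pos))
        counts[tuple(order)] += 1
    return counts


def sort_shuffle_recursive(items, key_bits, rng):
    """Sort by random key, but recursively re-shuffle every collision set.
    Unbiased given a perfect source, yet it terminates only with probability
    one: every element may keep drawing the same key."""
    space = 1 << key_bits
    buckets = {}
    for item in items:
        buckets.setdefault(rng.randrange(space), []).append(item)
    out = []
    for key in sorted(buckets):
        group = buckets[key]
        out.extend(group if len(group) == 1
                   else sort_shuffle_recursive(group, key_bits, rng))
    return out


def fisher_yates(items, rng):
    """Uniform shuffle. rng.randrange(i + 1) for a non-power-of-two range is
    itself rejection sampling over random bits, so this too has no fixed
    upper bound on the number of bits consumed."""
    out = list(items)
    for i in range(len(out) - 1, 0, -1):
        j = rng.randrange(i + 1)
        out[i], out[j] = out[j], out[i]
    return out


def sampled_distribution(shuffle, n, trials, seed=2000):
    """Empirical permutation counts for a shuffle taking (items, rng)."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        counts[tuple(shuffle(list(range(n)), rng))] += 1
    return counts


def max_deviation_from_uniform(counts, n):
    """Largest |observed probability - 1/n!| over all n! permutations,
    counting permutations that never appeared."""
    total = sum(counts.values())
    n_fact = 1
    for k in range(2, n + 1):
        n_fact *= k
    ideal = 1 / n_fact
    seen = max(abs(c / total - ideal) for c in counts.values())
    missing = ideal if len(counts) < n_fact else 0
    return max(seen, missing)


if __name__ == "__main__":
    for bits in (1, 4):
        dist = exact_sort_distribution(3, bits)
        print(bits, "key bits:", dict(dist),
              "max deviation", round(max_deviation_from_uniform(dist, 3), 3))
```

With 1-bit keys and three elements the reversal (2, 1, 0) can never be produced at all and the identity comes out half the time; with 4-bit keys the identity still shows up 816 times in 4096 and the reversal only 560 times, against 682.7 for a uniform shuffle, which is Olson's point that the bias shrinks with the key space but only vanishes for a perfect source and a procedure with no termination bound.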
Cryptography-Digest Digest #556
Cryptography-Digest Digest #556, Volume #12
Mon, 28 Aug 00 13:13:00 EDT

Contents:
  Re: Stream Cipher ([EMAIL PROTECTED])
  Re: PGP Bug: IMPORTANT Personal test report (Steven Markowitz)
  Re: Additional fix to ADK bug (John Savard)
  Re: PRNG Test Theory ("Tony T. Warnock")
  Re: SHA-1 program (cool!) (Daniel Leonard)
  Re: Steganography vs. Security through Obscurity ([EMAIL PROTECTED])
  Re: My (New) New algorithm ("Slava K.")
  Re: UNIX Passwords (JCA)
  Re: Fly ball in left field... (JCA)
  Re: My (New) New algorithm ("Scott Fluhrer")
  Blowfish question (and others) (Chris J/#6)
  Re: Blowfish question (and others) (Kent Briggs)
  Re: Blowfish question (and others) ([EMAIL PROTECTED])
  Re: Blowfish question (and others) (David A Molnar)
  ZixIt Mail ([EMAIL PROTECTED])

--

From: [EMAIL PROTECTED]
Subject: Re: Stream Cipher
Date: Mon, 28 Aug 2000 14:04:19 GMT

In article 8odpvs$4g5$[EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
> Hi all! Stream Cipher using OTP and Random Number Generator approach. Delphi source code and executable can be downloaded at www.alex-encryption.de

First off very unoriginal stuff, second off your site is a disgrace to the profession. Your block ciphers are poorly documented and your RSA/DES Null attacks are just plain wrong. Arrg... read a book/posting or two would ya?

Tom

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: [EMAIL PROTECTED] (Steven Markowitz)
Crossposted-To: comp.security.pgp.discuss
Subject: Re: PGP Bug: IMPORTANT Personal test report
Date: 28 Aug 2000 14:00:48 GMT

In article 8o5kqk$mls$[EMAIL PROTECTED] "Michel Bouissou" [EMAIL PROTECTED] writes:
> [ snip ]
> == IMPORTANT NOTE: THIS IS MOST IMPORTANT. Reading carefully Ralf's paper, the ADK public key seems NOT to be actually included in public keys that mention mandatory use of this ADK. YOU MUST HAVE THE ADK public key as well. Only the ADK's key ID is included in the key that holds an ADK, which is not enough to allow encryption to the ADK by itself.

If the public key contains only the key id of the ADK, then isn't that a serious security flaw? My understanding is that it is possible for an attacker to create a new key having the same key id as an existing key, although the fingerprints will differ. I have read that this can be done for RSA keys; I'm not sure about DH/DSS keys. This would allow an attacker to cause messages to be encrypted to himself, instead of to the intended ADK, as long as the sender had the attacker's ADK on his keyring. This attack would apply even if the recipient's key had not been tampered with.

It seems to me that in order for the ADK mechanism to be secure, the signed portion of a key would have to include the key id, length, and key fingerprint of the ADK. Am I misunderstanding something, or is the current ADK setup inherently insecure?

Steven Markowitz

--
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of D. E. Shaw Co., L.P. or any of its affiliates.

--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Additional fix to ADK bug
Date: Mon, 28 Aug 2000 14:09:38 GMT

On Mon, 28 Aug 2000 13:58:03 GMT, [EMAIL PROTECTED] (John Savard) wrote, in part:
> Essentially, a sender ADK is one imposed by the sender's employer or government, and a recipient ADK is one imposed by the recipient's employer or government. Distinguishing them, by ensuring that all ADKs obtained from a version of the recipient's key block are labelled as recipient ADKs,

Of course, it would be trivial for a man-in-the-middle to alter messages to change this labelling. That could be avoided without sending signatures to the individual keys; one could have the sender sign the list of ADKs.

But even without such a precaution, this would still have a benefit, since although attacks using the ADK bug are a kind of man-in-the-middle attack, they are easier than a real MITM attack, because they only require uploading a bad certificate once, and can be used by attackers who don't have the capability of mounting a true MITM attack.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

--

From: "Tony T. Warnock" [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Mon, 28 Aug 2000 20:35:51 -0600
Reply-To: [EMAIL PROTECTED]

Kolmogorov (of course) has an article about this. I don't know the reference, but it's in Knuth's volume II. Kolmogorov discusses the number of bit strings of a given length that pass a certain number of tests. It's in the Indian Statistics Journal, (Sankhya or something similar.) The idea is that as one adds tests, the number of strings passing the tests shrinks.

--

From: Daniel Leonard [EMAIL PROTECTED]
Subject: Re: SHA-1 program (cool!)
Date: Mon, 28 Aug 2000 14:56:31 GMT
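The ADK discussion above turns on whether a designated key is identified by its key ID or by its fingerprint. The following added example (not code from the digest, from PGP or from NAI) derives both from a public-key packet the way RFC 4880 section 12.2 specifies them: a v4 key ID is nothing more than the low 64 bits of the SHA-1 fingerprint, and a v3 RSA key ID is the low 64 bits of the modulus. The RSA parameters and creation time are small constructed values, not a real key, so the fingerprint printed is only illustrative; `designated_key_matches` is the check a client should make, comparing all 160 bits.

```python
"""OpenPGP fingerprints and key IDs (RFC 4880, section 12.2).

Added example, not from the digest. SAMPLE_N, SAMPLE_E and SAMPLE_CREATED
are constructed toy values, not a usable key.
"""
import hashlib
import struct


def mpi(value):
    """OpenPGP multi-precision integer: 2-octet bit count, then the
    big-endian magnitude with no leading zero octets."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created, algorithm, mpis):
    """Body of a version 4 public-key packet: version octet, 4-octet
    creation time, algorithm id, then the algorithm's MPIs (n, e for RSA)."""
    return (bytes([4]) + struct.pack(">I", created) + bytes([algorithm])
            + b"".join(mpi(m) for m in mpis))


def v4_fingerprint(body):
    """SHA-1 over 0x99, the 2-octet body length, and the body: 40 hex digits."""
    data = bytes([0x99]) + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def v4_key_id(fingerprint_hex):
    """The 64-bit key ID is simply the last 16 hex digits of the fingerprint;
    the 'short' 32-bit ID many tools show is the last 8."""
    return fingerprint_hex[-16:]


def v3_rsa_key_id(modulus):
    """Version 3 keys have no hash-based ID: it is the low 64 bits of n."""
    return "%016X" % (modulus & 0xFFFFFFFFFFFFFFFF)


def designated_key_matches(expected_fingerprint, candidate_body):
    """Binding check for a designated (e.g. recovery) key: compare the whole
    160-bit fingerprint, never only the key ID. Accepts the spaced form
    that key listings print."""
    want = expected_fingerprint.replace(" ", "").upper()
    return v4_fingerprint(candidate_body) == want


# Constructed sample: RSA (public-key algorithm 1) with a toy modulus.
SAMPLE_N = 0xC3A7E9D1F5B2C4E8A6D0F1B3C5D7E9FB
SAMPLE_E = 0x10001
SAMPLE_CREATED = 0x39A9F000
SAMPLE_BODY = v4_public_key_body(SAMPLE_CREATED, 1, [SAMPLE_N, SAMPLE_E])

if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_BODY)
    print("v4 fingerprint:", fp)
    print("v4 key ID:     ", v4_key_id(fp))
    print("v3-style ID:   ", v3_rsa_key_id(SAMPLE_N))
```

Because a v4 key ID is a truncation of the fingerprint and a v3 key ID is a truncation of the modulus, matching on a key ID alone is a 64-bit check (32 bits for the short form), which is why the fingerprint is the value to bind in a signed subpacket and to compare out of band.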
Cryptography-Digest Digest #557
Cryptography-Digest Digest #557, Volume #12
Mon, 28 Aug 00 15:13:00 EDT

Contents:
  Re: Secure key exchange over an unsecure network (Mike Rosing)
  Re: PRNG Test Theory ("Douglas A. Gwyn")
  NEWBIE!!! Zodiac killer's encryption... (Rob B)
  Re: Who can tell me where to go? (Frank Wagner)
  Re: e-cash protocol concept, comments wanted (Julian Morrison)
  Re: UNIX Passwords ([EMAIL PROTECTED])
  Re: PGP 6.5.8 test: That's NOT enough !!! ([EMAIL PROTECTED])
  Re: On pseudo-random permutation (Mok-Kong Shen)
  Re: Test on pseudorandom number generator. (Mok-Kong Shen)
  Re: PRNG Test Theory (Mok-Kong Shen)
  Re: ZixIt Mail (JPeschel)
  Re: avalanche characteristic (Terry Ritter)

--

From: Mike Rosing [EMAIL PROTECTED]
Subject: Re: Secure key exchange over an unsecure network
Date: Mon, 28 Aug 2000 12:11:47 -0500

Slava K. wrote:
> Since I began studying cryptography (Not that long ago actually), I attempted creating a protocol which will allow for secure public-key exchange over an unsecure network. I have come close with a modification of the Mental Poker protocol, but after further analysis I found that this protocol merely complicated the man-in-the-middle attack, but did not disallow it. I'm looking to gather various pieces of information about protocols which attempt to disallow this attack, such as timestamping protocols (Send these too). I prefer non-arbitrated protocols, as these are as susceptible to the man-in-the-middle attack as any, but have also that added requirement of a trusted third party. Any help is welcome!

There is no protocol which can overcome MITM. You must have an out of band exchange of some kind to eliminate it. The PGP fingerprint is an example, by using a phone call you can check the in band exchange, or it can be published in a newspaper. The more channels used, the higher the probability MITM can not be performed.

For an interesting solution, check out the MQV protocol in IEEE 1363. Assuming you know a public key, you can exchange a secret securely. Every successful protocol has the same restriction. Only an out of band communication can solve the problem (with good level of probability, you still don't know who the spooks are!)

Patience, persistence, truth,
Dr. mike

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Mon, 28 Aug 2000 16:11:34 GMT

Mok-Kong Shen wrote:
> "Douglas A. Gwyn" wrote:
> > Mok-Kong Shen wrote:
> > > Bryan Olson wrote:
> > > > There is no universal test of randomness. There is no algorithm that can distinguish bits produced by an algorithm from truly random bits.
> > > Right, though lots of theories apparently assume there IS something that is perfectly random. Whether this could mean a problem of certain philosophical nature I am not very certain.
> > It's not a problem. The characteristics of random processes are solidly defined, and deductions can be made on that basis.
> I suppose that could be an arguable point. If something is 'solidly' defined, it should be verifiable in my view. One could namely say that, if something is not (ultimately) discernible, then it doesn't exist in the world, I suppose.

?? In mathematics, we often set forth definitions and assumptions, then derive conclusions from them. There is no requirement that the defined terms correspond to things we can point at in the physical world, although quite often if we look for physical things that match up well to the assumed properties we can find them.

In the case of uniform random distribution, it serves as a component of a model for certain physical systems, for which we can make predictions (necessarily statistical) derived mathematically from the model (including the mathematical properties of the assumed randomness). In any specific realization of the physical system, the predictions might be close to what happens or they might be far from what happens. Statistical tests allow us to say how likely it is that the observations could have occurred if the system had accurately implemented the model. If the observations show consistently (relatively) unlikely outcomes, and we have no other relevant evidence in the other direction, we eventually have a fair degree of confidence (which can be computed) that the system is not a faithful implementation of the model.

--

From: Rob B [EMAIL PROTECTED]
Subject: NEWBIE!!! Zodiac killer's encryption...
Date: Mon, 28 Aug 2000 12:19:41 -0500

Hi all! I saw a show this weekend on the Zodiac killer on TLC and was fascinated by it... Anyways, I was wondering if anyone knows of any good web sites, books, info, that discuss the encryption that he used in his letters, if the messages were decoded, and, if so, how. Examples of the messages can be seen at www.crimelibrary.com under the Serial Killers/Zodiac section. I'd post the full
Cryptography-Digest Digest #558
Cryptography-Digest Digest #558, Volume #12
Mon, 28 Aug 00 18:13:01 EDT

Contents:
  Re: Bytes, octets, chars, and characters (Eric Fischer)
  Re: R: R: Test on pseudorandom number generator. (Terry Ritter)
  Future computing power (Mok-Kong Shen)
  Re: SHA-1 program, wrongo ! (S. T. L.)
  Re: Future computing power (S. T. L.)
  Re: Future computing power ([EMAIL PROTECTED])
  Re: Future computing power (Ichinin)
  Re: Future computing power (Ichinin)
  Re: DeCSS ruling -- More ("David C. Barber")
  Re: Future computing power ([EMAIL PROTECTED])
  Re: NEWBIE!!! Zodiac killer's encryption... (John C. King)
  Re: Steganography vs. Security through Obscurity (zapzing)
  Re: R: R: Test on pseudorandom number generator. ("Douglas A. Gwyn")
  Re: ZixIt Mail (Steve)
  Re: Bytes, octets, chars, and characters ("Douglas A. Gwyn")
  Re: could someone post public key that is tempered ? ("Douglas A. Gwyn")
  Re: PRNG Test Theory ("Douglas A. Gwyn")
  Re: Blowfish question (and others) ("Jeffrey Walton")
  Re: NEWBIE!!! Zodiac killer's encryption... ("Douglas A. Gwyn")
  Re: PGP 6.5.8 test: That's NOT enough !!! (Nick Andriash)
  Re: Blowfish question (and others) (Mike Tulley)

--

From: Eric Fischer [EMAIL PROTECTED]
Crossposted-To: comp.lang.c,alt.folklore.computers
Subject: Re: Bytes, octets, chars, and characters
Date: 28 Aug 2000 19:14:41 GMT

Johnny Billquist [EMAIL PROTECTED] wrote:
> ASCII is not an international standard, although there are several for character codes based on and intentionally similar to ASCII. I think there is some ISO standard which matches ASCII, but I have no idea what it is called.

ISO 646 is the international 7-bit character code standard. It allows national variations for several characters, but there is an "international reference version" that specifies what characters should be assigned if there are no particular national needs, and in recent years this has been aligned with ASCII. (Earlier versions of the IRV specified a Pound sign instead of the Number sign, an international currency symbol instead of the Dollar sign, and an overline instead of the tilde.)

Another international standard for the same code is the ITU-T (formerly CCITT) International Reference Alphabet (formerly International Alphabet No. 5).

eric

--

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: R: R: Test on pseudorandom number generator.
Date: Mon, 28 Aug 2000 19:25:57 GMT

On Mon, 28 Aug 2000 13:18:24 +0200, in 8odge9$7tl$[EMAIL PROTECTED], in sci.crypt "Cristiano" [EMAIL PROTECTED] wrote:
> > The normal way to use a LCG is to convert the entire internal state into a float, or even to use the state itself as an integer. Since using the entire state is "normal," that is the way statistical tests must be applied to get the "normal" results.
>
> OK this is the best way, but if I need only 8 bits? I think the best is take the 8 msb.
>
> > If you are going to use only 8 bits, you need test only 8 bits, not an accumulation of 5 such values taken as a single large 40-bit value.
>
> Only when I apply my test to PRNG I need to consider only the 8 msb, but when I run FIPS PUB 140-2, Maurer and Diehard I take the whole integer as is without any modification.

Taking 5 chunks of 8-bits each is not the same as taking a single 40-bit value from an RNG. One might as well argue that one could take 1 bit from each RNG step, and that would be OK, or 1 bit every 100th RNG step and that would be OK as well. It is not. We might make a complex RNG that way, but we would not expect common statistical tests to be designed to pick up problems which might occur in such a design.

For most conventional tests, the value being interpreted must correspond to the single step of the RNG. If not, the test will be confused by giving a single meaning to a value which really has no relationship to any one internal RNG state. Then it is the confusion of the test which is being demonstrated, but nobody cares if we can confuse a test.

> > Similarly, Diehard expects to see 32-bit integers, not 40 (unless it has been modified). If we expect tests to have some meaning, we must give the test the data in a format it expects. Then each test can tell us about the particular characteristics it detects.
>
> Diehard reads a (big) file. If I generate a file n bytes in length, I think it is not a problem how I generate the same n bytes; the problem is how to generate each byte (as you say in the first paragraph).

You are confused. If you want to test bytes, you need to have tests which are designed to work on bytes. If you want to use tests designed to work on 32-bit integers, you need to supply 32-bit integers, not 4 bytes. And in fact you supply 5 bytes. It is not a surprise that one can confuse a statistical test by having it read data which is composed of multiple RNG steps.

> I appreciate very much your considerations, but my
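The three ways of feeding an LCG to a statistical test that Ritter and Cristiano argue about above (the whole state word, the top 8 bits of each word, and five 8-bit samples packed into one 40-bit value), as an added Python example that is not code from the digest. The gener­ator constants are the Numerical Recipes 32-bit LCG, chosen here only for illustration. The example goes one step beyond the thread: `period_of_low_bits` shows why, for a power-of-two-modulus LCG, the 8 most significant bits are the right 8 bits to take and the low bits are not, since the k low bits evolve as an LCG modulo 2**k on their own and repeat every 2**k steps.

```python
"""Which view of an LCG a statistical test actually sees.

Added example, not from the digest. A, C and M are the Numerical Recipes
constants; seeds and sample counts are constructed.
"""
M = 1 << 32
A = 1664525
C = 1013904223   # a - 1 divisible by 4 and c odd: full period 2**32 (Hull-Dobell)


def lcg_words(seed, count):
    """The generator's natural output: successive full 32-bit states."""
    x = seed % M
    out = []
    for _ in range(count):
        x = (A * x + C) % M
        out.append(x)
    return out


def top_bytes(words):
    """One 8-bit sample per generator step: the 8 most significant bits."""
    return [w >> 24 for w in words]


def pack_40bit(samples):
    """Concatenate five 8-bit samples into a 40-bit integer. The result spans
    five generator states, so no single state produced it; a test that
    expects one value per state is being handed something else."""
    if len(samples) != 5:
        raise ValueError("exactly five 8-bit samples expected")
    value = 0
    for s in samples:
        value = (value << 8) | (s & 0xFF)
    return value


def unpack_40bit(value):
    return [(value >> (8 * i)) & 0xFF for i in range(4, -1, -1)]


def period_of_low_bits(k, seed=12345):
    """Period of the sequence formed by the k least significant bits of the
    state. Those bits form an LCG modulo 2**k by themselves, so the period
    is exactly 2**k; for k = 1 the lowest bit simply alternates."""
    mask = (1 << k) - 1
    x = (A * seed + C) % M
    first = x & mask
    steps = 0
    while True:
        x = (A * x + C) % M
        steps += 1
        if (x & mask) == first:
            return steps


def low_bit_alternates(seed, count):
    """True when consecutive outputs always differ in their lowest bit."""
    bits = [w & 1 for w in lcg_words(seed, count)]
    return all(bits[i] != bits[i + 1] for i in range(count - 1))


if __name__ == "__main__":
    words = lcg_words(1, 5)
    print("32-bit words:", words)
    print("top bytes:   ", top_bytes(words))
    print("packed 40-bit:", hex(pack_40bit(top_bytes(words))))
    for k in (1, 8, 16):
        print("period of low", k, "bits:", period_of_low_bits(k))
```

A Diehard-style test wants the 32-bit words as `lcg_words` returns them; a byte-oriented test wants `top_bytes`; `pack_40bit` produces values that correspond to no generator state and, as Ritter says, only measures how the test reacts to that.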
Cryptography-Digest Digest #559
Cryptography-Digest Digest #559, Volume #12
Mon, 28 Aug 00 22:13:01 EDT

Contents:
  96-bit LFSR needed ([EMAIL PROTECTED])
  Re: PGP Bug: IMPORTANT Personal test report (Tom McCune)
  Re: Blowfish question (and others) ([EMAIL PROTECTED])
  Re: Future computing power (David A Molnar)
  Re: ZixIt Mail ("Jeffrey Walton")
  Re: DeCSS ruling -- More (Jim Steuert)
  Re: Future computing power ([EMAIL PROTECTED])
  Re: could someone post public key that is tempered ? (jungle)
  Re: PGP Bug: IMPORTANT Personal test report (jungle)
  Re: On pseudo-random permutation (Tim Tyler)
  Network Associates ([EMAIL PROTECTED])
  Re: Looking for Book Recommendations (John Savard)
  Re: Future computing power ("Brian McKeever")
  Re: On pseudo-random permutation (David A. Wagner)
  Re: Future computing power (David A Molnar)
  when does PGP start to support key server (qun ying)
  Re: blowfish problem (Eric Smith)
  Re: Future computing power ([EMAIL PROTECTED])
  secrets and lies in stores (David A Molnar)

--

From: [EMAIL PROTECTED]
Subject: 96-bit LFSR needed
Date: Mon, 28 Aug 2000 22:00:31 GMT

I am trying out the stream cipher where I take three bytes from the LFSR in the form (a, b, c) and return (((a+1)(b+1)) mod 257)+c) mod 256 as the stream output. I started with the nice 32-bit LFSRs from ORYX but then quickly realized a divide and conquer attack. So I think using one larger LFSR is the way to go. However, the LFSR in Applied Crypto is a sparse 96-bit one. I would prefer to use a dense 96-bit LFSR.

The stream cipher is not fast, but it's meant for things like an 8051. The mod 257 may slow it down a bit, but I bet an 11 MHz 8051 could keep up at 9600 transmission :)

Tom

Sent via Deja.com http://www.deja.com/
Before you buy.

--

Crossposted-To: comp.security.pgp.discuss
From: Tom McCune [EMAIL PROTECTED]
Subject: Re: PGP Bug: IMPORTANT Personal test report
Date: Mon, 28 Aug 2000 22:08:54 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article 8odrag$atb$[EMAIL PROTECTED], [EMAIL PROTECTED] (Steven Markowitz) wrote:
> If the public key contains only the key id of the ADK, then isn't that a serious security flaw?
> snip

My understanding is that the ADK is represented by the fingerprint, not the key ID.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
Comment: My PGP Page FAQ: http://www.McCune.cc/PGP.htm

iQA/AwUBOarjjw2jfaGYDC35EQIepwCeLiIec+ruUZleMbgi/ltIyj2jmpQAoLsN
IEnYhnSPMv0stzcXrEMS46El
=CwKN
-----END PGP SIGNATURE-----

--

From: [EMAIL PROTECTED]
Subject: Re: Blowfish question (and others)
Date: Mon, 28 Aug 2000 22:14:26 GMT

In article 39aade6d$0$[EMAIL PROTECTED], "Jeffrey Walton" [EMAIL PROTECTED] wrote:
> Hey David, I recall hearing a German mathematician all but broke DES. I have no references to back the statement. Have you heard anything similar (or is more misinformation).

Misinformation.

Tom

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: David A Molnar [EMAIL PROTECTED]
Subject: Re: Future computing power
Date: 28 Aug 2000 22:17:06 GMT

[EMAIL PROTECTED] wrote:
> > cluster capable of delivering 30 Teraflops next year. In 2004 there will be a system delivering 100 Teraflops.
>
> First off what the heck is a flop? All I know is MIPS.

A "flop" stands for FLoating-point OPeration. A "flops" is then a floating point operation per second. People who do scientific computing care very much about such things. They tend to have very big problems and a lot of money to spend on hardware. D.J. Bernstein has argued here and probably elsewhere that we should be basing our crypto on floating point arithmetic for speed, because that way we can take advantage of this hardware. In any case, giving speed in flops indicates that the people marketing the machine want to sell to our friends in physics and other continuous sciences.

> Computer speed will really only affect the tractability of PK cracking not symmetric stuff. And even there bandwidth/memory is of more importance than speed anyways.

Er, Tom, what about brute-forcing a 64-bit key? What about attacks on ciphers which reduce keyspace to effective 60-70 bits?

> If you take the trend of Moore's law, we can expect 4 GHz computers sometime in 2002. With the current 400 MHz bus (or let's say 800 MHz bus) the cpu better have a large L1 cache :)

Yes, it probably will need a large L1 cache. Is your point that memory is unlikely to follow the same curve as CPU speed?

-David

--

Reply-To: "Jeffrey Walton" [EMAIL PROTECTED]
From: "Jeffrey Walton" [EMAIL PROTECTED]
Subject: Re: ZixIt Mail
Date: Mon, 28 Aug 2000 18:58:36 -0400

Anything you send via the Zix "feature" that claims to deliver secure mail to non-users, will be decrypted by a public server before being sent to its destination via an SSL-secured
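A Python model of the construction in the "96-bit LFSR needed" post above: a Fibonacci LFSR whose output bits are packed into bytes, with the post's combiner (((a+1)(b+1)) mod 257 + c) mod 256 applied to each group of three. This is an added example, not code from the digest or from ORYX. The tap positions are a parameter; the 16-bit taps (16, 14, 13, 11) are a known maximal-length set used here so that the period can be checked cheaply, and x^4 + x^3 + 1 is a second small primitive polynomial for the same purpose. No degree-96 polynomial is supplied: a user of this model has to provide a primitive one and verify it separately.

```python
"""Fibonacci LFSR with the (a, b, c) byte combiner from the post.

Added example, not from the digest. TAPS16 and TAPS4 are known primitive
polynomials used only to exercise the code; the initial state 0xACE1 is a
constructed value.
"""


def lfsr_step(state, taps, degree):
    """One Fibonacci step: emit the low bit, shift right, and feed back the
    XOR of the tapped bits. Taps are numbered 1..degree as in the usual
    polynomial notation, so tap t reads bit (degree - t) of the register."""
    fb = 0
    for t in taps:
        fb ^= (state >> (degree - t)) & 1
    out_bit = state & 1
    state = (state >> 1) | (fb << (degree - 1))
    return out_bit, state


def lfsr_bits(state, taps, degree, count):
    bits = []
    for _ in range(count):
        bit, state = lfsr_step(state, taps, degree)
        bits.append(bit)
    return bits, state


def lfsr_period(taps, degree, start=1):
    """Steps until the register returns to `start`: 2**degree - 1 exactly
    when the feedback polynomial is primitive."""
    state = start
    steps = 0
    while True:
        _, state = lfsr_step(state, taps, degree)
        steps += 1
        if state == start:
            return steps


def lfsr_bytes(state, taps, degree, count):
    """Pack output bits LSB-first into `count` bytes."""
    bits, state = lfsr_bits(state, taps, degree, 8 * count)
    data = bytes(sum(bits[8 * i + j] << j for j in range(8)) for i in range(count))
    return data, state


def combine(a, b, c):
    """The post's output function: (a+1)(b+1) in the integers modulo 257
    (a, b in 0..255 so both factors are non-zero), then add c mod 256."""
    return (((a + 1) * (b + 1)) % 257 + c) % 256


def keystream(state, taps, degree, count):
    """`count` keystream bytes, each built from three successive LFSR bytes."""
    raw, state = lfsr_bytes(state, taps, degree, 3 * count)
    ks = bytes(combine(raw[3 * i], raw[3 * i + 1], raw[3 * i + 2]) for i in range(count))
    return ks, state


TAPS16 = (16, 14, 13, 11)   # x^16 + x^14 + x^13 + x^11 + 1, period 65535
TAPS4 = (4, 3)              # x^4 + x^3 + 1, period 15

if __name__ == "__main__":
    print("period, degree 4: ", lfsr_period(TAPS4, 4))
    print("period, degree 16:", lfsr_period(TAPS16, 16))
    ks, _ = keystream(0xACE1, TAPS16, 16, 8)
    print("first keystream bytes:", ks.hex())
```

For a fixed (a, b) the combiner is a bijection in c, so the output byte is uniform whenever c is; the product term is the IDEA-style multiplication in the integers modulo 257, which on an 8051 is the only costly step.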
Cryptography-Digest Digest #560
Cryptography-Digest Digest #560, Volume #12
Tue, 29 Aug 00 00:13:01 EDT

Contents:
  Re: secrets and lies in stores (S. T. L.)
  Re: Pencil and paper cipher (Benjamin Goldberg)
  Re: could someone post public key that is tempered ? (Nick Andriash)
  Re: PGP 6.5.8 test: That's NOT enough !!! ([EMAIL PROTECTED])
  Re: Future computing power ([EMAIL PROTECTED])
  Re: 96-bit LFSR needed (Mack)
  Re: 4x4 s-boxes (Mack)
  Re: Pencil and paper cipher (Jim Gillogly)
  Re: secrets and lies in stores (David A Molnar)
  Re: Blowfish question (and others) (David A Molnar)

--

From: [EMAIL PROTECTED] (S. T. L.)
Subject: Re: secrets and lies in stores
Date: 29 Aug 2000 02:16:04 GMT

> It is a hard book to read in the sense that it makes the point, and then mostly backs it up, that cryptography is hardly relevant.

Sounds like a stupid book. If you have a secret, then you'll want to hide it. And cryptography is a good way to hide it. You can debate how good good is, but it's better than nothing. You can't deny that cryptography slows down attackers, just like you can't deny that locks slow down robbers. And you can't deny that people have secrets to keep. They always have, and they always will. Stupid book.

-*---*---
S.T.L. My Quotes Page * http://quote.cjb.net * leads to my NEW site.
My upgraded Book Reviews Page: * http://sciencebook.cjb.net *
Optimized pngcrush executable now on my Download page! Long live pngcrush! :-

--

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: Pencil and paper cipher
Date: Tue, 29 Aug 2000 02:51:07 GMT

Jim Gillogly wrote:
> Benjamin Goldberg wrote:
> > Split the alphabet into 4 words, length 3, 5, 7, 11:
> > AFN GTJIK DOSPEQB ULVHWMXRYCZ
> > Now, multi-encipher the message using Vernam's method, using each string as a separate key:
> >
> > ThisI sTheP laint extIH opeTh atItI sUnde ciphe rable
> > AFNAF NAFNA FNAFN AFNAF NAFNA FNAFN AFNAF NAFNA FNAFN
> > GTJIK GTJIK GTJIK GTJIK GTJIK GTJIK GTJIK GTJIK GTJIK
> > DOSPE QBDOS PEQBD OSPEQ BDOSP EQBDO SPEQB DOSPE QBDOS
> > ULVHW MXRYC ZULVH WMXRY CZULV HWMXR YCZUL VHWMX RYCZU
> > -
> > QLDAM WCXMS GYEJV TPKKS TPKML CUOLQ DDXGW IBNAG KTYIC
> >
> > How would one break this cipher, and is a computer needed?
>
> A known plaintext attack would need no more than 26 letters: express each ciphertext letter as the sum of the 3 letters in each column and the plaintext, and you have 26 independent equations in 26 unknowns. I didn't check to see if you're changing it based on upper/lower case, but that's just a few more known plaintext letters. Should be dead simple.

Where do you get THREE letters plus the plaintext? Do you have problems counting to 4?

While it is true that there are an equal number of unknowns and equations, this does NOT necessarily yield a unique solution for the unknowns, *especially* with integers under a modulo. Consider for a moment the matrix of just the coefficients, and ignore the last column, which would contain the values of ciphertext minus plaintext. We then have a 26x26 matrix, which we are trying to invert, using integers modulo 26. How do you know that this matrix isn't singular? If the determinant is either even or 13, it won't be fully invertible. Is the probability of this more than or less than 14/26?

Also, keeping in mind that we're not supposed to ever re-use a key, known plaintext is only useful if we know part of the plaintext, but not the rest of it. How often (in what kind of situations) will we know 26 letters of a message, but not the rest of it?

> If you really use words for your key, then a dictionary search also works.

Actually, phrases work just as well or better. A couplet from your favorite piece of poetry should be pretty good, and a dictionary isn't likely to help.

> Ciphertext-only should also be possible, but more tedious.

Please tell me how. This is really what I wanted in the first place, actually.

--
... perfection has been reached not when there is nothing left to add, but when there is nothing left to take away. (from RFC 1925)

--

Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: could someone post public key that is tempered ?
From: [EMAIL PROTECTED] (Nick Andriash)
Date: Tue, 29 Aug 2000 02:53:31 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[EMAIL PROTECTED] (jungle) wrote in [EMAIL PROTECTED]:
> thanks doug ... but it is wrong ... PGP has no problem to indicate to me that Bill Clinton key has ADK in it ... the question is open : could someone post public key that is tempered pgp will not detect it ?

What version of PGP are you using? If you are using 6.5.8, PGP will not detect the ADK... thus not detect a hacked Public Key. But, perhaps I do not fully understand what you are after, and if that is the case, I apologise.

- --
Nick
N.J. Andriash
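Goldberg's four-key cipher and the 26-unknown linear system that he and Gillogly argue about, worked out in Python. This is an added example, not code from the digest. Enciphering is taken here as adding all four key letters to the plaintext letter mod 26; the post does not spell out its sign convention, so that is an assumption, and the example does not try to reproduce the ciphertext line in the post. `coefficient_matrix` builds the 26x26 system for 26 consecutive known plaintext letters and `rank_mod` answers the singularity question by Gaussian elimination modulo 2 and modulo 13, the two primes of 26. The matrix is singular by construction: adding a constant to every letter of one key and subtracting it from every letter of another leaves the combined key stream unchanged, so the system only ever determines the combined key, never the four individual keys.

```python
"""Four-key additive cipher and the rank of its known-plaintext system.

Added example, not from the digest. KEYS are the four words from the post;
the plaintext used in the self-check is the post's sentence with spacing
and case removed.
"""
from math import gcd

KEYS = ("AFN", "GTJIK", "DOSPEQB", "ULVHWMXRYCZ")
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def key_stream(keys, length):
    """Combined key at each position: the sum of one letter from each key."""
    return [sum(ALPHA.index(k[i % len(k)]) for k in keys) % 26 for i in range(length)]


def encrypt(plaintext, keys=KEYS):
    letters = [ch.upper() for ch in plaintext if ch.isalpha()]
    ks = key_stream(keys, len(letters))
    return "".join(ALPHA[(ALPHA.index(p) + k) % 26] for p, k in zip(letters, ks))


def decrypt(ciphertext, keys=KEYS):
    ks = key_stream(keys, len(ciphertext))
    return "".join(ALPHA[(ALPHA.index(c) - k) % 26] for c, k in zip(ciphertext, ks))


def period(keys=KEYS):
    """The combined key repeats after the lcm of the key lengths."""
    p = 1
    for k in keys:
        p = p * len(k) // gcd(p, len(k))
    return p


def coefficient_matrix(keys=KEYS):
    """Row i (known plaintext position i) has a 1 in the column of each key
    letter contributing to that position; one column per unknown letter."""
    n = sum(len(k) for k in keys)
    offsets, off = [], 0
    for k in keys:
        offsets.append(off)
        off += len(k)
    rows = []
    for i in range(n):
        row = [0] * n
        for k, o in zip(keys, offsets):
            row[o + i % len(k)] = 1
        rows.append(row)
    return rows


def rank_mod(matrix, p):
    """Rank over the integers modulo the prime p, by Gaussian elimination."""
    m = [[x % p for x in row] for row in matrix]
    rows, cols = len(m), len(m[0])
    rank = 0
    for col in range(cols):
        pivot = next((r for r in range(rank, rows) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for r in range(rows):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(x - f * y) % p for x, y in zip(m[r], m[rank])]
        rank += 1
    return rank


def invertible_mod_26(matrix):
    """Invertible mod 26 iff full rank both mod 2 and mod 13, i.e. the
    determinant is neither even nor divisible by 13."""
    n = len(matrix)
    return rank_mod(matrix, 2) == n and rank_mod(matrix, 13) == n


def shift_null_vector(keys=KEYS):
    """+1 on every letter of the first key, -1 on every letter of the second:
    the combined key is unchanged, so this lies in the null space."""
    return ([1] * len(keys[0]) + [-1] * len(keys[1])
            + [0] * sum(len(k) for k in keys[2:]))


def matvec_mod26(matrix, vec):
    return [sum(a * b for a, b in zip(row, vec)) % 26 for row in matrix]


if __name__ == "__main__":
    A = coefficient_matrix()
    print("period of combined key:", period())
    print("rank mod 2:", rank_mod(A, 2), " rank mod 13:", rank_mod(A, 13))
    print("invertible mod 26:", invertible_mod_26(A))
```

With four keys there are three independent such shift vectors, so the rank is at most 23 over either prime and the system cannot pin down the 26 key letters, only their sum at each of the 1155 positions of the combined period; what 26 known letters do and do not determine about the rest of that period is a separate question that the rank alone does not settle.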
Cryptography-Digest Digest #561
Cryptography-Digest Digest #561, Volume #12 Tue, 29 Aug 00 01:13:00 EDT

Contents:
Re: 4x4 s-boxes (Mack)
Re: 4x4 s-boxes ([EMAIL PROTECTED])
Re: blowfish problem ("Bruce G. Stewart")
Re: Future computing power (Anthony Stephen Szopa)
Re: Future computing power (Anthony Stephen Szopa)
Re: Future computing power ("CMan")
Re: Future computing power (Anthony Stephen Szopa)
Re: Future computing power ("CMan")

From: [EMAIL PROTECTED] (Mack)
Subject: Re: 4x4 s-boxes
Date: 29 Aug 2000 04:10:27 GMT

In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Mack) wrote:
In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Mack) wrote:
In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Mack) wrote:

Has anyone analyzed the number of s-boxes that could be used for Serpent? More specifically, Serpent s-boxes don't appear to have particularly good avalanche characteristics. The criteria seem logical, but is it possible that the Serpent s-boxes might have been chosen using stricter criteria?

My "serpent_sboxes" on my website are good candidates for replacement sboxes if needed.

Tom
--
http://www.geocities.com/tomstdenis/

I have looked at your program to produce s-boxes. My question is of a more general nature, i.e. how many s-boxes actually meet the Serpent criteria, and could we add additional criteria to the given ones that would improve the characteristics without producing a null set of s-boxes. For example, 4x4 s-boxes having the forward and inverse both maximum non-linearity and meeting SAC are rare at best and non-existent at worst. Does anyone know if such s-boxes exist?

The sboxes I made are completely non-linear, i.e. they're "bent"; they fulfil SAC and BIC to order 3. Other than a DPmax of four they are perfect sboxes. Finding them is hard, it took about 8 hours of random searching with sboxgen. I am in the middle of making another set right now actually. Overall about 1 in 100 million are ok. This is really rough since I didn't keep track of the totals.
This means about 1 in 2^27 are ok, and since there are only 2^44 possible sboxes, about 2^17 should exist.

Tom

It is relatively easy to find s-boxes that meet the SAC, BIC and non-linearity requirements in the forward direction. There are only 1368 boolean functions of four variables that meet the non-linearity requirement of 4 and SAC. There are even fewer that meet the requirement of 6.

I don't get the "requirement of 4". Generally you perform a WT or FWT. In my case I chose the WT and I get -4/4, which is the best you can get for a "bent" sbox. You can also use the maximum hamming weight to a linear function, which is quicker to calculate. Extending this to an s-box is a bit trickier but very useful.

Bent is usually used to refer to functions which have non-linearity which is maximum. They only occur on functions of 2n variables and are not balanced. You appear to be referring to nearly bent functions. Note that for a permutation to be bent it is not bijective. I am interested in bijective 4x4 s-boxes with equally good properties in both directions.

Actually any bijective function will have an inverse with the same linearity. (This is really simple to prove too.)

{3,13,6,14,2,0,15,12,1,5,10,7,4,11,8,9};

This is taken from "Construction of DES-like S-boxes based on Boolean functions satisfying the SAC" by Kwangjo Kim, which are the S^2 s-boxes. This is line 2 of the S3-box. The definition of non-linearity is the hamming distance from the closest affine function (Rueppel's criterion). This has non-linearity of 4 and satisfies the SAC for each of the boolean functions that are used to construct it.

Its inverse

5 8 4 0 12 9 2 11 14 15 10 13 7 1 3 6

has nonlinearity of the constituent boolean functions 2 4 2 4 and none of the constituent functions satisfy the SAC. So no, the inverse does NOT have the same non-linearity. Proof by counter example.

Have you found any s-boxes that are bijective (invertible) and satisfy the nonlinearity of 4 and SAC in both directions?
Yes, my serpent sboxes. They have a WT of -4/4 (doesn't matter which direction), a differential xor-pair max of 4, and fulfill SAC and BIC to order 3 (which means no set of 3 4x1 outputs can be linearly related via xor).

"Good S-boxes are easy to find" by Adams and Tavares says that there are 60 sboxes that meet SAC, non-linearity, and BIC and are bijective with both the box and its inverse meeting these properties. They list three S-boxes but they aren't the ones that meet these criteria. Does anyone actually have a list of the s-boxes?

Um, this is all wrong. There are 16! ~ 2^44 possible 4x4 sboxes, of which many are nonlinear and differentially secure. For example the following 1000 sboxes have a WT of -4/4, a DP max of 4. But they don't necessarily
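The nonlinearity and SAC checks argued over in the 4x4 s-box thread, as an added example (not code from the thread or from any of the posters): it computes the Walsh spectrum of each constituent Boolean function, the Hamming distance to the nearest affine function, and the strict avalanche criterion, and runs them over the Kim S-box quoted above and its inverse. The constant and function names are my own.

```python
N = 4                      # 4 input bits, 16 entries
# The S-box quoted in the thread (Kim, "Construction of DES-like S-boxes ...").
KIM_SBOX = [3, 13, 6, 14, 2, 0, 15, 12, 1, 5, 10, 7, 4, 11, 8, 9]

def invert(sbox):
    """Inverse permutation; refuses an S-box that is not bijective."""
    inv = [None] * len(sbox)
    for x, y in enumerate(sbox):
        if inv[y] is not None:
            raise ValueError("S-box is not a permutation")
        inv[y] = x
    return inv

def parity(v):
    return bin(v).count("1") & 1

def component(sbox, mask):
    """Truth table of the Boolean function x -> parity(mask & S(x)).
    mask = 1 << j selects output bit j, one of the four constituent functions."""
    return [parity(mask & y) for y in sbox]

def walsh(truth):
    """Walsh spectrum W(a) = sum_x (-1)^(f(x) xor a.x) over every linear mask a."""
    n = len(truth)
    return [sum(-1 if truth[x] ^ parity(a & x) else 1 for x in range(n))
            for a in range(n)]

def nonlinearity(truth):
    """Hamming distance to the nearest affine function (Rueppel's criterion):
    (2^n - max|W|) / 2, so a bent function on 4 bits scores 6, a balanced one at most 4."""
    return (len(truth) - max(abs(w) for w in walsh(truth))) // 2

def satisfies_sac(truth):
    """SAC: flipping any single input bit changes the output for exactly half the inputs."""
    n = len(truth)
    return all(sum(truth[x] ^ truth[x ^ (1 << i)] for x in range(n)) == n // 2
               for i in range(N))

def component_profile(sbox):
    """(nonlinearity, SAC) for each of the four constituent functions, output bit 0 first."""
    return [(nonlinearity(component(sbox, 1 << j)), satisfies_sac(component(sbox, 1 << j)))
            for j in range(N)]

def sbox_nonlinearity(sbox):
    """Nonlinearity of the whole S-box: the minimum over all non-zero output masks."""
    return min(nonlinearity(component(sbox, m)) for m in range(1, 1 << N))

if __name__ == "__main__":
    inv = invert(KIM_SBOX)
    print("forward:", component_profile(KIM_SBOX), "min NL", sbox_nonlinearity(KIM_SBOX))
    print("inverse:", component_profile(inv), "min NL", sbox_nonlinearity(inv))
```

The forward box scores nonlinearity 4 with SAC on all four output bits, while its inverse has two constituent functions at nonlinearity 2 and fails SAC on every bit, which is the counter-example Mack describes.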