Cryptography-Digest Digest #553

2000-08-28 Thread Digestifier

Cryptography-Digest Digest #553, Volume #12  Mon, 28 Aug 00 04:13:01 EDT

Contents:
  A more secure alternative to ADK for legitimate key recovery (David Hopwood)
  Re: DeCSS ruling -- More (David Hopwood)
  Re: An interesting cryptographic problem (David Hopwood)
  Re: SSL protocol and unencrypted random info (David Hopwood)
  Re: DeCSS ruling -- More ("Stou Sandalski")
  Looking for Book Recommendations ([EMAIL PROTECTED])
  Re: Pencil and paper cipher (Scott Contini)
  Re: Steganography vs. Security through Obscurity (Runu Knips)
  Re: UNIX Passwords (Runu Knips)
  Re: My encryption algorithm (Runu Knips)
  Re: SHA-1 program, wrongo ! (S. T. L.)
  Re: Patent, Patent is a nightmare, all software patent shuld not be allowed (Paul 
Rubin)
  Re: Serious PGP v5  v6 bug! ([EMAIL PROTECTED])
  Fly ball in left field... (Greggy)



Date: Mon, 28 Aug 2000 07:15:55 +0100
From: David Hopwood [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: A more secure alternative to ADK for legitimate key recovery

-----BEGIN PGP SIGNED MESSAGE-----

"Ron B." wrote:
 On Thu, 24 Aug 2000 13:33:30 GMT, "JL" [EMAIL PROTECTED] wrote:
 "Ron B." [EMAIL PROTECTED] wrote in message news:
 [EMAIL PROTECTED]
 
  If a business requires this then Jane may have no choice in her
  business communications.
 
 Then her company shouldn't complain if sensible information is
 compromised. If you don't trust your employees you shouldn't hire
 them in the first place.

 This may not be a matter of personal trust.  The company may see Jane
 as the perfect employee.  If Jane has a heart attack, has a fatal
 accident or for other reasons beyond her control is not available to
 decrypt important data, the company may have legitimate reasons to
 have access to her messages.

Which is why received messages should be reencrypted *by the recipient*
to the recipient organisation's public key designated for that purpose,
and the ciphertext stored locally. Similarly, sent messages should
be additionally encrypted by the sender to the sender organisation's
public key. In neither case does anything that allows the message to be
recovered go over a public network, in contrast to the ADK design.

Now if Jane has a heart attack, her logs of sent and received messages
can be decrypted (the ciphertext will have been backed up by the
organisation's normal backup procedures). New messages cannot be
decrypted, so they must be bounced, but that is exactly as it should
be: the sender then has the opportunity to decide whether he wants to
resend the message to Jane's coworkers, rather than to Jane specifically.


- -- 

David Hopwood [EMAIL PROTECTED]

Home page  PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOaoAezkCAxeYt5gVAQEsRggAx/FF01RBowS/GIjoW+N0MIrqKSfKKAV1
3zFMuIA53LqjlCk6oOmRh57MU+J4BadITw9HAeY+M96wBkq0i8SzdzaBVT9vYxkj
fviPe6s+zV+PqrY6B18PpMDk5XZW6YzXPFi2iVwowGub5DbtLOkQDndF7hTpHbyb
F5LtL0jyFMlEWoLaXBtPfePo3mKu/nH03qQ3sB+UdVAphHVDePHSq4JAlAxussR2
KXL5yK7NfeImi8YgeCD4vFuSQ7fKyx++BtkE+dqvR/N0/jeo3UJ8FIEIn9mpdQ59
9+nekApKSpE0G36NbsAyJ+2RbKiWWR6CkTGgNi8IgmtFuwO1vj+DQw==
=WCfx
-----END PGP SIGNATURE-----



--

Date: Mon, 28 Aug 2000 07:16:43 +0100
From: David Hopwood [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: DeCSS ruling -- More

-----BEGIN PGP SIGNED MESSAGE-----

Stou Sandalski wrote:
 
 I don't quite agree here, although I see your point.  I don't know what they
 did with PGP... but NAI's PGP has a plug in for MS outlook which is very
 easy to use...

PGP won't be commonly used unless or until it is bundled with the most
common email clients, and set up to generate key pairs by default; plug-ins
that have to be separately downloaded won't make any substantial difference.
(Unfortunately the common email clients are hopelessly insecure in other
ways, but that's a separate issue.) At least the export restriction obstacle
to bundling PGP with mail clients has mostly gone away now.

  Their argument is that it will allow "pirates" to copy DVDs

That's their public argument. They don't actually believe it; they know as
well as anyone here that commercial pirates don't need to use anything
like DeCSS.

The primary purpose of CSS is and always was to support the anti-competitive
practice of region coding, i.e. to reduce the incidence of trading of
*legitimately purchased* DVDs between regions with different pricing regimes,
which would force down prices (especially outside 

Cryptography-Digest Digest #554

2000-08-28 Thread Digestifier

Cryptography-Digest Digest #554, Volume #12  Mon, 28 Aug 00 07:13:00 EDT

Contents:
  Re: On pseudo-random permutation (Mok-Kong Shen)
  Re: PRNG Test Theory (Mok-Kong Shen)
  Re: Steganography vs. Security through Obscurity ("Douglas A. Gwyn")
  Re: My encryption algorithm (Mok-Kong Shen)
  Re: PRNG Test Theory ("Douglas A. Gwyn")
  Re: Patent, Patent is a nightmare, all software patent shuld not be  (Mok-Kong Shen)
  Re: Who can show me a good Cryptology site? ("kihdip")
  Re: PRNG Test Theory (Mok-Kong Shen)
  Re: Patent, Patent is a nightmare, all software patent shuld not be allowed (qun 
ying)
  Re: On pseudo-random permutation (Benjamin Goldberg)
  Re: My (New) New algorithm (Mok-Kong Shen)
  Re: SHA-1 program, wrongo ! (those who know me have no need of my name)
  Re: avalanche characteristic (Mok-Kong Shen)
  e-cash protocol concept, comments wanted (Julian Morrison)
  Re: Patent, Patent is a nightmare, all software patent shuld not be  
([EMAIL PROTECTED])
  Re: Patent, Patent is a nightmare, all software patent shuld not be  (Mok-Kong Shen)
  Re: On pseudo-random permutation (Tim Tyler)
  Re: e-cash protocol concept, comments wanted (Ragni Ryvold Arnesen)
  Re: PGP ADK Bug: What we expect from N.A.I. ("Michel Bouissou")
  Re: The DeCSS ruling - Reverse engineering? (Gisle Sælensminde)
  Re: Bytes, octets, chars, and characters (Johnny Billquist)



From: Mok-Kong Shen [EMAIL PROTECTED]
Crossposted-To: comp.programming
Subject: Re: On pseudo-random permutation
Date: Mon, 28 Aug 2000 10:22:14 +0200



Bryan Olson wrote:
 
 Mok-Kong Shen wrote:
 
 [...]
  If the collision resolution is chosen such that the first
  element of the pair is always considered less than the
  second, then indeed there is a bias. The effect is however
  dependent on the chance of collision, which is practically
  negligible when the space of the random numbers is large,
  e.g. 32 bits.
 
 Specifically, the when the space of the random numbers is
 large compared to the number of elements being permuted.
 
  One can on the other hand use a random
  choice rule to resolve collision, in which case no bias
  can occur.
 
 False for any of the usual sorting algorithms.  Remember
 that collisions are not limited to two elements.  You could
 achieve zero bias (assuming a perfect RNG) by recursively
 applying the procedure to each non-singleton collision set.
 
 Though the recursive procedure terminates with probability
 one, it is technically a non-terminator.  Given a generator
 of perfect random bits as the one and only source of
 randomness, can you find any procedure for generating
 perfectly uniform random permutations (of more than two
 elements) that strictly terminates?  Can you show that no
 such procedure exists?

(Theoretically) technically the matter is even much 
worse. For, in order to have a meaningful result, one has 
to be sure that one has a perfect random sequence at hand 
but there is no way of verifying that in practice.

M. K. Shen
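
To make the collision bias and its repair concrete, here is an added example (mine, not code from any of the posters). It enumerates every key assignment for three elements and a small key space, so the bias of the "first element wins the tie" rule comes out as exact counts rather than a sampling estimate, and then implements the recursive re-draw on each collision set that Bryan Olson describes. The element names and key-space sizes are arbitrary choices for the illustration.

```python
import itertools
import random
from collections import Counter


def stable_sort_permutation(items, keys):
    """Order items by their random keys.  Python's sort is stable, so on a
    collision the element that came first stays first: the biased rule."""
    order = sorted(range(len(items)), key=lambda i: keys[i])
    return tuple(items[i] for i in order)


def exact_distribution(items, key_space):
    """Enumerate every assignment of keys from {0, ..., key_space-1} to the
    items and count which permutation the biased method produces.  With a
    perfect RNG every assignment is equally likely, so these counts are the
    exact output distribution (no sampling noise)."""
    counts = Counter()
    for keys in itertools.product(range(key_space), repeat=len(items)):
        counts[stable_sort_permutation(items, keys)] += 1
    return counts


def random_permutation_by_sort(items, bits=32, rng=None):
    """Unbiased variant: sort by fresh random keys, then recurse into every
    group of elements that drew the same key.  The output distribution is
    invariant under relabelling the inputs, hence uniform.  The recursion
    terminates with probability 1 but has no fixed bound on its depth."""
    rng = rng or random.SystemRandom()
    if len(items) <= 1:
        return list(items)
    groups = {}
    for x in items:
        groups.setdefault(rng.getrandbits(bits), []).append(x)
    out = []
    for key in sorted(groups):
        group = groups[key]
        if len(group) == 1:
            out.extend(group)
        else:  # collision set: draw brand-new keys for these elements alone
            out.extend(random_permutation_by_sort(group, bits, rng))
    return out


if __name__ == "__main__":
    for m in (2, 8, 32):
        d = exact_distribution(("a", "b", "c"), m)
        ident = d[("a", "b", "c")] / m ** 3
        print(f"key space {m:3d}: P(identity) = {ident:.4f}  (uniform: {1/6:.4f})")
    # bits=2 forces many collisions so the recursion is actually exercised
    print(random_permutation_by_sort(list(range(10)), bits=2))
```

With two-valued keys the identity ordering comes out 4 times in 8 and the reversal never; with 32-valued keys the identity still appears C(34,3) = 5984 times in 32768 against the 5461.3 that uniformity would give, which is the "practically negligible" bias for large key spaces, only now quantified.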

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Mon, 28 Aug 2000 10:22:07 +0200



Bryan Olson wrote:
 

 There is no universal test of randomness.  There is no
 algorithm that can distinguish bits produced by an algorithm
 from truly random bits.

Right, though lots of theories apparently assume there
IS something that is perfectly random. Whether this
could mean a problem of certain philosophical nature I 
am not very certain.

BTW, the gist of the other follow-ups was questioning
whether the approach indicated by the original poster
is methodologically meaningful even under practical 
points of view.

M. K. Shen

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Steganography vs. Security through Obscurity
Date: Mon, 28 Aug 2000 04:14:05 -0400

Runu Knips wrote:
 So steganography does NOT require obscurity. It only hides the
 fact if there is an encrypted message OR if there is random
 data.

No, that's wrong.  Some successful steganographic schemes hide
the message without encrypting it; the method of hiding itself
uses a crypto key, but that is used to select sites, modes,
etc., while the data itself is used directly.

In many applications, the main goal of steganography is to
avoid detection, which is in effect a requirement for obscurity.

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: My encryption algorithm
Date: Mon, 28 Aug 2000 10:28:00 +0200



Runu Knips wrote:
 
 The funnier part is that I miss the previous posting of the one I'm
 now answering, while all postings I've written Friday didn't
 appear on my server.

Couldn't a server crash be an explanation?

M. K. Shen

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Mon, 28 Aug 2000 04:20:39 -0400

Mok-Kong Shen wrote:
 Bryan 

Cryptography-Digest Digest #556

2000-08-28 Thread Digestifier

Cryptography-Digest Digest #556, Volume #12  Mon, 28 Aug 00 13:13:00 EDT

Contents:
  Re: Stream Cipher ([EMAIL PROTECTED])
  Re: PGP Bug: IMPORTANT Personal test report (Steven Markowitz)
  Re: Additional fix to ADK bug (John Savard)
  Re: PRNG Test Theory ("Tony T. Warnock")
  Re: SHA-1 program (cool!) (Daniel Leonard)
  Re: Steganography vs. Security through Obscurity ([EMAIL PROTECTED])
  Re: My (New) New algorithm ("Slava K.")
  Re: UNIX Passwords (JCA)
  Re: Fly ball in left field... (JCA)
  Re: My (New) New algorithm ("Scott Fluhrer")
  Blowfish question (and others) (Chris J/#6)
  Re: Blowfish question (and others) (Kent Briggs)
  Re: Blowfish question (and others) ([EMAIL PROTECTED])
  Re: Blowfish question (and others) (David A Molnar)
  ZixIt Mail ([EMAIL PROTECTED])



From: [EMAIL PROTECTED]
Subject: Re: Stream Cipher
Date: Mon, 28 Aug 2000 14:04:19 GMT

In article 8odpvs$4g5$[EMAIL PROTECTED],
  [EMAIL PROTECTED] wrote:
 Hi all!

 Stream Cipher using OTP and Random Number Generator approach.
 Delphi source code and executable can be download at
 www.alex-encryption.de

First off very unoriginal stuff, second off your site is a disgrace to
the profession.  Your block ciphers are poorly documented and your
RSA/DES Null attacks are just plain wrong.

Arrg... read a book/posting or two would ya?

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: [EMAIL PROTECTED] (Steven Markowitz)
Crossposted-To: comp.security.pgp.discuss
Subject: Re: PGP Bug: IMPORTANT Personal test report
Date: 28 Aug 2000 14:00:48 GMT

In article 8o5kqk$mls$[EMAIL PROTECTED] "Michel Bouissou" [EMAIL PROTECTED] 
writes:

[ snip ]

== IMPORTANT NOTE:
THIS IS MOST IMPORTANT. Reading carefully Ralf's paper, the ADK public key
seems NOT to be actually included in public keys that mention mandatory use
of this ADK. YOU MUST HAVE THE ADK public key as well. Only the ADK's key ID
is included in the key that holds and ADK, which is not enough to allow
encryption to the ADK by itself.

If the public key contains only the key id of the ADK, then isn't that a
serious security flaw?  My understanding is that it is possible for an
attacker to create a new key having the same key id as an existing key,
although the fingerprints will differ.  I have read that this can be done
for RSA keys; I'm not sure about DH/DSS keys.  This would allow an
attacker to cause messages to be encrypted to himself, instead of to the
intended ADK, as long as the sender had the attacker's ADK on his
keyring.

This attack would apply even if the recipient's key had not been tampered
with.  It seems to me that in order for the ADK mechanism to be secure,
the signed portion of a key would have to include the key id, length, and
key fingerprint of the ADK.

Am I misunderstanding something, or is the current ADK setup inherently
insecure?


 Steven Markowitz
--
Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be the
views of D. E. Shaw & Co., L.P. or any of its affiliates.
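
An added example (mine, not code from the thread) of the key-ID ambiguity Markowitz raises, for PGP 2.x-style version 3 RSA keys, where the key ID is the low 64 bits of the modulus and the fingerprint is the MD5 of the modulus and exponent bytes (RFC 4880, section 12.2). It constructs a second RSA modulus with the same 64-bit key ID as a given key and shows that the two fingerprints still differ, which is why an ADK designation has to carry the fingerprint rather than the key ID. Key sizes are kept small for speed; the Miller-Rabin test and key generation are illustrative, not a library's, and the "victim" key is generated on the spot.

```python
import hashlib
import random

SYS = random.SystemRandom()


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (illustrative, not constant-time)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(SYS.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = SYS.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def v3_key_id(n):
    """V3 key ID: the low 64 bits of the RSA modulus."""
    return n & ((1 << 64) - 1)


def v3_fingerprint(n, e):
    """V3 fingerprint: MD5 over the MPI bodies of n and e (no length octets)."""
    def mpi_body(x):
        return x.to_bytes((x.bit_length() + 7) // 8, "big")
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest()


def modulus_with_key_id(target_id, bits=512):
    """Build an RSA modulus p*q whose low 64 bits equal target_id.
    Fix p, then q must lie in the residue class target_id * p^-1 mod 2^64
    (p is odd, so invertible); primes are dense enough that a prime in that
    class of the wanted size turns up after a few dozen candidates."""
    if target_id % 2 == 0:
        raise ValueError("an odd modulus has an odd key ID")
    half, mod64 = bits // 2, 1 << 64
    p = random_prime(half)
    q_residue = (target_id * pow(p, -1, mod64)) % mod64
    while True:
        k = SYS.getrandbits(half - 64) | (1 << (half - 65))  # q exactly `half` bits
        q = q_residue + k * mod64
        if q != p and is_probable_prime(q):
            return p, q


def forge_same_key_id(n_victim, e=65537, bits=512):
    """Return (n, e) of a fresh key that collides with n_victim's V3 key ID."""
    p, q = modulus_with_key_id(v3_key_id(n_victim), bits)
    return p * q, e


if __name__ == "__main__":
    n_victim = random_prime(256) * random_prime(256)   # toy-sized "existing" key
    n_forged, e = forge_same_key_id(n_victim)
    print("victim key ID :", f"{v3_key_id(n_victim):016X}")
    print("forged key ID :", f"{v3_key_id(n_forged):016X}")
    print("victim fpr    :", v3_fingerprint(n_victim, 65537))
    print("forged fpr    :", v3_fingerprint(n_forged, e))
```

The forger also holds the private key of the forged modulus, so anything a sender encrypts "to the ADK" by key ID alone would be readable by the forger; a 20-byte fingerprint in the signed ADK packet closes that gap, as Tom McCune's follow-up later in this thread says the format actually does.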

--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Additional fix to ADK bug
Date: Mon, 28 Aug 2000 14:09:38 GMT

On Mon, 28 Aug 2000 13:58:03 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:

Essentially, a sender ADK is one imposed by the sender's employer or
government, and a recipient ADK is one imposed by the recipient's
employer or government. Distinguishing them, by ensuring that all ADKs
obtained from a version of the recipient's key block are labelled as
recipient ADKs,

Of course, it would be trivial for a man-in-the-middle to alter
messages to change this labelling. That could be avoided without
sending signatures to the individual keys; one could have the sender
sign the list of ADKs.

But even without such a precaution, this would still have a benefit,
since although attacks using the ADK bug are a kind of
man-in-the-middle attack, they are easier than a real MITM attack,
because they only require uploading a bad certificate once, and can be
used by attackers who don't have the capability of mounting a true
MITM attack.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

--

From: "Tony T. Warnock" [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Mon, 28 Aug 2000 20:35:51 -0600
Reply-To: [EMAIL PROTECTED]

Kolmogorov (of course) has an article about this. I don't know the
reference, but it's in Knuth's volume II. Kolmogorov discusses the
number of bit strings of a given length that pass a certain number of
tests. It's in the Indian Statistics Journal, (Sankhya or something
similar.) The idea is that as one adds tests, the number of strings
passing the tests shrinks.


--

From: Daniel Leonard [EMAIL PROTECTED]
Subject: Re: SHA-1 program (cool!)
Date: Mon, 28 Aug 2000 14:56:31 GMT


Cryptography-Digest Digest #557

2000-08-28 Thread Digestifier

Cryptography-Digest Digest #557, Volume #12  Mon, 28 Aug 00 15:13:00 EDT

Contents:
  Re: Secure key exchange over an unsecure network (Mike Rosing)
  Re: PRNG Test Theory ("Douglas A. Gwyn")
  NEWBIE!!! Zodiac killer's  encryption... (Rob B)
  Re: Who can tell me where to go? (Frank Wagner)
  Re: e-cash protocol concept, comments wanted (Julian Morrison)
  Re: UNIX Passwords ([EMAIL PROTECTED])
  Re: PGP 6.5.8 test: That's NOT enough !!! ([EMAIL PROTECTED])
  Re: On pseudo-random permutation (Mok-Kong Shen)
  Re: Test on pseudorandom number generator. (Mok-Kong Shen)
  Re: PRNG Test Theory (Mok-Kong Shen)
  Re: ZixIt Mail (JPeschel)
  Re: avalanche characteristic (Terry Ritter)



From: Mike Rosing [EMAIL PROTECTED]
Subject: Re: Secure key exchange over an unsecure network
Date: Mon, 28 Aug 2000 12:11:47 -0500

Slava K. wrote:
 
 Since I began studying cryptography (Not that long ago actually), I
 attempted creating a protocol which will allow for secure public-key
 exchange over an unsecure network. I have come close with a modification of
 the Mental Poker protocol, but after further analysis I found that this
 protocol merely complicated the man-in-the-middle attack, but did not
 disallow it.
 I'm looking to gather various pieces of information about protocols which
 attempt to disallow this attack, such as timestamping protocols (Send these
 too). I prefer non-arbitrated protocols, as these are as susceptible to the
 man-in-the-middle attack as any, but have also that added requirement of a
 trusted third party.
 
 Any help is welcome!

There is no protocol which can overcome MITM.  You must have an out of
band exchange of some kind to eliminate it.  The PGP fingerprint is an
example, by using a phone call you can check the in band exchange, or
it can be published in a newspaper.  The more channels used, the higher
the probability MITM can not be performed.

For an interesting solution, check out the MQV protocol in IEEE 1363.
Assuming you know a public key, you can exchange a secret securely.
Every successful protocol has the same restriction.  Only an out of
band communication can solve the problem (with good level of probability,
you still don't know who the spooks are!)

Patience, persistence, truth,
Dr. mike

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Mon, 28 Aug 2000 16:11:34 GMT

Mok-Kong Shen wrote:
 "Douglas A. Gwyn" wrote:
  Mok-Kong Shen wrote:
   Bryan Olson wrote:
There is no universal test of randomness.  There is no
algorithm that can distinguish bits produced by an algorithm
from truly random bits.
   Right, though lots of theories apparently assume there
   IS something that is perfectly random. Whether this
   could mean a problem of certain philosophical nature I
   am not very certain.
  It's not a problem.  The characteristics of random processes
  are solidly defined, and deductions can be made on that basis.
 I suppose that could be an arguable point. If something is
 'solidly' defined, it should be verifiable in my view.
 One could namely say that, if something is not (ultimately)
 discernable, then it doesn't exist in the world, I suppose.

??  In mathematics, we often set forth definitions and
assumptions, then derive conclusions from them.  There
is no requirement that the defined terms correspond to
things we can point at in the physical world, although
quite often if we look for physical things that match
up well to the assumed properties we can find them.  In
the case of uniform random distribution, it serves as a
component of a model for certain physical systems, for
which we can make predictions (necessarily statistical)
derived mathematically from the model (including the
mathematical properties of the assumed randomness).
In any specific realization of the physical system, the
predictions might be close to what happens or they
might be far from what happens.  Statistical tests
allow us to say how likely it is that the observations
could have occurred if the system had accurately
implemented the model.  If the observations show
consistently (relatively) unlikely outcomes, and we
have no other relevant evidence in the other direction,
we eventually have a fair degree of confidence (which
can be computed) that the system is not a faithful
implementation of the model.

--

From: Rob B [EMAIL PROTECTED]
Subject: NEWBIE!!! Zodiac killer's  encryption...
Date: Mon, 28 Aug 2000 12:19:41 -0500

Hi all!
I saw a show this weekend on the Zodiac killer on TLC and was fascinated 
by it...

Anyways, I was wondering if anyone knows of any good web sites, books, 
info,  that discuss the encryption that he used in his letters, if the 
messages were decoded, and, if so, how.  

Examples of the messages can be seen at
  www.crimelibrary.com 
under the Serial Killers/Zodiac section.  I'd post the full 

Cryptography-Digest Digest #558

2000-08-28 Thread Digestifier

Cryptography-Digest Digest #558, Volume #12  Mon, 28 Aug 00 18:13:01 EDT

Contents:
  Re: Bytes, octets, chars, and characters (Eric Fischer)
  Re: R: R: Test on pseudorandom number generator. (Terry Ritter)
  Future computing power (Mok-Kong Shen)
  Re: SHA-1 program, wrongo ! (S. T. L.)
  Re: Future computing power (S. T. L.)
  Re: Future computing power ([EMAIL PROTECTED])
  Re: Future computing power (Ichinin)
  Re: Future computing power (Ichinin)
  Re: DeCSS ruling -- More ("David C. Barber")
  Re: Future computing power ([EMAIL PROTECTED])
  Re: NEWBIE!!! Zodiac killer's encryption... (John C. King)
  Re: Steganography vs. Security through Obscurity (zapzing)
  Re: R: R: Test on pseudorandom number generator. ("Douglas A. Gwyn")
  Re: ZixIt Mail (Steve)
  Re: Bytes, octets, chars, and characters ("Douglas A. Gwyn")
  Re: could someone post public key that is tempered ? ("Douglas A. Gwyn")
  Re: PRNG Test Theory ("Douglas A. Gwyn")
  Re: Blowfish question (and others) ("Jeffrey Walton")
  Re: NEWBIE!!! Zodiac killer's  encryption... ("Douglas A. Gwyn")
  Re: PGP 6.5.8 test: That's NOT enough !!! (Nick Andriash)
  Re: Blowfish question (and others) (Mike Tulley)



From: Eric Fischer [EMAIL PROTECTED]
Crossposted-To: comp.lang.c,alt.folklore.computers
Subject: Re: Bytes, octets, chars, and characters
Date: 28 Aug 2000 19:14:41 GMT

Johnny Billquist  [EMAIL PROTECTED] wrote:

  ASCII is not an international standard, although there are several
  for character codes based on and intentionally similar to ASCII.
 
 I think there is some ISO standard which matches ASCII, but I have
 no idea what it is called.

ISO 646 is the international 7-bit character code standard.  It allows
national variations for several characters, but there is an "international
reference version" that specifies what characters should be assigned if
there are no particular national needs, and in recent years this has been
aligned with ASCII.  (Earlier versions of the IRV specified a Pound sign
instead of the Number sign, an international currency symbol instead of
the Dollar sign, and an overline instead of the tilde.)

Another international standard for the same code is the ITU-T (formerly
CCITT) International Reference Alphabet (formerly International Alphabet
No. 5).

eric

--

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: R: R: Test on pseudorandom number generator.
Date: Mon, 28 Aug 2000 19:25:57 GMT


On Mon, 28 Aug 2000 13:18:24 +0200, in 8odge9$7tl$[EMAIL PROTECTED],
in sci.crypt "Cristiano" [EMAIL PROTECTED] wrote:

 The normal way to use a LCG is to convert the entire internal state
 into a float, or even to use the state itself as an integer.  Since
 using the entire state is "normal," that is the way statistical tests
 must be applied to get the "normal" results.

OK this is the best way, but if I need only 8 bits? I think the best is to
take the 8 msb.

If you are going to use only 8 bits, you need test only 8 bits, not an
accumulation of 5 such values taken as a single large 40-bit value.
 
Only when I apply my test to PRNG I need to consider only the 8 msb, but
when I run FIPS PUB 140-2, Maurer and Diehard I take the whole integer as is
without any modification.

Taking 5 chunks of 8-bits each is not the same as taking a single
40-bit value from an RNG.  

One might as well argue that one could take 1 bit from each RNG step,
and that would be OK, or 1 bit every 100th RNG step and that would be
OK as well.  It is not.  We might make a complex RNG that way, but we
would not expect common statistical tests to be designed to pick up
problems which might occur in such a design.  

For most conventional tests, the value being interpreted must
correspond to the single step of the RNG.  If not, the test will be
confused by giving a single meaning to a value which really has no
relationship to any one internal RNG state.  Then it is the confusion
of the test which is being demonstrated, but nobody cares if we can
confuse a test.  


 Similarly, Diehard expects to see 32-bit integers, not 40 (unless it
 has been modified).  If we expect tests to have some meaning, we must
 give the test the data in a format it expects.  Then each test can
 tell us about the particular characteristics it detects.

Diehard reads a (big) file. If I generate a file n bytes long, I think it is
not a problem how I generate the same n bytes; the problem is how to generate
each byte (as you say in the first paragraph).

You are confused.  If you want to test bytes, you need to have tests
which are designed to work on bytes.  If you want to use tests
designed to work on 32-bit integers, you need to supply 32-bit
integers, not 4 bytes.  And in fact you supply 5 bytes.  

It is not a surprise that one can confuse a statistical test by having
it read data which is composed of multiple RNG steps.  


I appreciate very much your considerations, but my 

Cryptography-Digest Digest #559

2000-08-28 Thread Digestifier

Cryptography-Digest Digest #559, Volume #12  Mon, 28 Aug 00 22:13:01 EDT

Contents:
  96-bit LFSR needed ([EMAIL PROTECTED])
  Re: PGP Bug: IMPORTANT Personal test report (Tom McCune)
  Re: Blowfish question (and others) ([EMAIL PROTECTED])
  Re: Future computing power (David A Molnar)
  Re: ZixIt Mail ("Jeffrey Walton")
  Re: DeCSS ruling -- More (Jim Steuert)
  Re: Future computing power ([EMAIL PROTECTED])
  Re: could someone post public key that is tempered ? (jungle)
  Re: PGP Bug: IMPORTANT Personal test report (jungle)
  Re: On pseudo-random permutation (Tim Tyler)
  Network Associates ([EMAIL PROTECTED])
  Re: Looking for Book Recommendations (John Savard)
  Re: Future computing power ("Brian McKeever")
  Re: On pseudo-random permutation (David A. Wagner)
  Re: Future computing power (David A Molnar)
  when does PGP start to support key server (qun ying)
  Re: blowfish problem (Eric Smith)
  Re: Future computing power ([EMAIL PROTECTED])
  secrets and lies in stores (David A Molnar)



From: [EMAIL PROTECTED]
Subject: 96-bit LFSR needed
Date: Mon, 28 Aug 2000 22:00:31 GMT

I am trying out the stream cipher where I take three bytes from the
LFSR in the form (a, b, c) and return ((((a+1)(b+1)) mod 257) + c) mod 256
as the stream output.

I started with the nice 32-bit LFSRs from ORYX but then quickly
realized a divide and conquer attack.

So I think using one larger LFSR is the way to go.  However, the LFSR
in Applied Crypto is a sparse 96-bit one.  I would prefer to use a
dense 96-bit LFSR.

The stream cipher is not fast, but it's meant for things like a 8051.
The mod 257 may slow it down a bit, but I bet an 11 MHz 8051 could keep
up at 9600 transmission :)

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
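
As a sanity check on the combiner in the post (an added example, not Tom's code), the following enumerates all 65536 (a, b) pairs and confirms that the output byte is balanced and, with the other two inputs fixed, a bijection in each of a and b: a+1 and b+1 are nonzero residues mod 257, so the product is a nonzero residue, and folding 1..256 onto 0..255 is one-to-one. A balanced combiner leaks no first-order information about any single register byte, but, as the inverse functions below show, whoever knows two of the three inputs computes the third exactly, which is what makes a guess of two registers checkable in the divide-and-conquer attack the post alludes to. The 8051 timing question is not addressed here.

```python
from collections import Counter


def combine(a, b, c):
    """Output byte of the combiner in the post:
    ((((a+1)*(b+1)) mod 257) + c) mod 256, for bytes a, b, c."""
    return (((a + 1) * (b + 1)) % 257 + c) % 256


def is_balanced(c=0):
    """True if every output value occurs exactly 256 times over all (a, b)."""
    counts = Counter(combine(a, b, c) for a in range(256) for b in range(256))
    return len(counts) == 256 and set(counts.values()) == {256}


def is_bijection_in_b(a, c=0):
    return len({combine(a, b, c) for b in range(256)}) == 256


def is_bijection_in_a(b, c=0):
    return len({combine(a, b, c) for a in range(256)}) == 256


def recover_c(a, b, out):
    """Given a, b and the output byte, the additive input c is fixed."""
    return (out - ((a + 1) * (b + 1)) % 257) % 256


def recover_b(a, c, out):
    """Given a, c and the output byte, undo the multiplication mod 257.
    The residue 256 was folded to 0 by the final mod 256, so restore it."""
    t = (out - c) % 256
    t = 256 if t == 0 else t
    return (t * pow(a + 1, -1, 257) - 1) % 257


if __name__ == "__main__":
    print("balanced (c=0):", is_balanced())
    print("bijective in b for every a:", all(is_bijection_in_b(a) for a in range(256)))
    out = combine(17, 200, 255)
    print("recovered c =", recover_c(17, 200, out), "b =", recover_b(17, 255, out))
```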

--

Crossposted-To: comp.security.pgp.discuss
From: Tom McCune [EMAIL PROTECTED]
Subject: Re: PGP Bug: IMPORTANT Personal test report
Date: Mon, 28 Aug 2000 22:08:54 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article 8odrag$atb$[EMAIL PROTECTED], [EMAIL PROTECTED]
(Steven Markowitz) wrote:

If the public key contains only the key id of the ADK, then isn't that a
serious security flaw?  snip

My understanding is that the ADK is represented by the fingerprint, not
the key ID.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
Comment: My PGP Page & FAQ: http://www.McCune.cc/PGP.htm

iQA/AwUBOarjjw2jfaGYDC35EQIepwCeLiIec+ruUZleMbgi/ltIyj2jmpQAoLsN
IEnYhnSPMv0stzcXrEMS46El
=CwKN
-----END PGP SIGNATURE-----

--

From: [EMAIL PROTECTED]
Subject: Re: Blowfish question (and others)
Date: Mon, 28 Aug 2000 22:14:26 GMT

In article 39aade6d$0$[EMAIL PROTECTED],
  "Jeffrey Walton" [EMAIL PROTECTED] wrote:
 Hey David,

 I recall hearing a german mathematician all but broke DES.  I have no
 references to back the statement.  Have you heard anything similar
(or is
 more misinformation).

Misinformation.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: David A Molnar [EMAIL PROTECTED]
Subject: Re: Future computing power
Date: 28 Aug 2000 22:17:06 GMT

[EMAIL PROTECTED] wrote:
 cluster capable of delivering 30 Teraflops next year. In
 2004 there will be a system delivering 100 Teraflops.

 First off what the heck is a flop?  All I know is MIPS.

A "flop" stands for FLoating-point OPeration.
A "flops" is then a floating point operation per second. 
 
People who do scientific computing care very much about such things.
They tend to have very big problems and a lot of money to spend on
hardware.  D.J. Bernstein has argued here and probably elsewhere that we
should be basing our crypto on floating point arithmetic for speed,
because that way we can take advantage of this hardware. 

In any case, giving speed in flops indicates that the people marketing the
machine want to sell to our friends in physics and other continuous
sciences. 

 Computer speed will really only affect the tractability of PK cracking
 not symmetric stuff.  And even there bandwidth/memory is of more
 importance than speed anyways.

Er, Tom, what about brute-forcing a 64-bit key?
What about attacks on ciphers which reduce keyspace to effective 60-70 bits?

 If you take the trend of moores law, we can expect 4ghz computers
 sometime in 2002.  With the current 400mhz bus (or let's say 800mhz
 bus) the cpu better have a large L1 cache :)

Yes, it probably will need a large L1 cache.  Is your point that memory
is unlikely to follow the same curve as CPU speed?

-David

--

Reply-To: "Jeffrey Walton" [EMAIL PROTECTED]
From: "Jeffrey Walton" [EMAIL PROTECTED]
Subject: Re: ZixIt Mail
Date: Mon, 28 Aug 2000 18:58:36 -0400

Anything you send via the Zix "feature" that claims to deliver
secure mail to non-users, will be decrypted by a public server
before being sent to its destination via an SSL-secured 

Cryptography-Digest Digest #560

2000-08-28 Thread Digestifier

Cryptography-Digest Digest #560, Volume #12  Tue, 29 Aug 00 00:13:01 EDT

Contents:
  Re: secrets and lies in stores (S. T. L.)
  Re: Pencil and paper cipher (Benjamin Goldberg)
  Re: could someone post public key that is tempered ? (Nick Andriash)
  Re: PGP 6.5.8 test: That's NOT enough !!! ([EMAIL PROTECTED])
  Re: Future computing power ([EMAIL PROTECTED])
  Re: 96-bit LFSR needed (Mack)
  Re: 4x4 s-boxes (Mack)
  Re: Pencil and paper cipher (Jim Gillogly)
  Re: secrets and lies in stores (David A Molnar)
  Re: Blowfish question (and others) (David A Molnar)



From: [EMAIL PROTECTED] (S. T. L.)
Subject: Re: secrets and lies in stores
Date: 29 Aug 2000 02:16:04 GMT

It is a hard book to read in the sense that it makes the point, and then
mostly backs it up, that cryptography is hardly relevant.

Sounds like a stupid book.  If you have a secret, then you'll want to hide it. 
And cryptography is a good way to hide it.  You can debate how good good is,
but it's better than nothing.  You can't deny that cryptography slows down
attackers, just like you can't deny that locks slow down robbers.  And you
can't deny that people have secrets to keep.  They always have, and they always
will.  Stupid book.

-*---*---
S.T.L.  My Quotes Page * http://quote.cjb.net * leads to my NEW site.
My upgraded Book Reviews Page: * http://sciencebook.cjb.net *
Optimized pngcrush executable now on my Download page!
Long live pngcrush!  :-

--

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: Pencil and paper cipher
Date: Tue, 29 Aug 2000 02:51:07 GMT

Jim Gillogly wrote:
 
 Benjamin Goldberg wrote:
  Split the alphabet into 4 words, length 3, 5, 7, 11:
  AFN GTJIK DOSPEQB ULVHWMXRYCZ
 
  Now, multi-encipher the message using Vernam's method, using each
  string as a separate key:
 
  ThisI sTheP laint extIH opeTh atItI sUnde ciphe rable
  AFNAF NAFNA FNAFN AFNAF NAFNA FNAFN AFNAF NAFNA FNAFN
  GTJIK GTJIK GTJIK GTJIK GTJIK GTJIK GTJIK GTJIK GTJIK
  DOSPE QBDOS PEQBD OSPEQ BDOSP EQBDO SPEQB DOSPE QBDOS
  ULVHW MXRYC ZULVH WMXRY CZULV HWMXR YCZUL VHWMX RYCZU
  -
  QLDAM WCXMS GYEJV TPKKS TPKML CUOLQ DDXGW IBNAG KTYIC
 
  How would one break this cipher, and is a computer needed?
 
 A known plaintext attack would need no more than 26 letters:
 express each ciphertext letter as the sum of the 3 letters
 in each column and the plaintext, and you have 26 independent
 equations in 26 unknowns.  I didn't check to see if you're
 changing it based on upper/lower case, but that's just a few
 more known plaintext letters.  Should be dead simple.

Where do you get THREE letters plus the plaintext?  Do you have problems
counting to 4?

While it is true that there are an equal number of unknowns and
equations, this does NOT necessarily yield a unique solution for the
unknowns, *especially* with integers under a modulo.

Consider for a moment the matrix of just the coefficients, and ignore
the last column, which would contain the values of ciphertext minus
plaintext.  We then have a 26x26 matrix, which we are trying to invert,
using integers modulo 26.  How do you know that this matrix isn't
singular?  If the determinant is either even or 13, it won't be fully
invertible.  Is the probability of this more than or less than 14/26?

Also, keeping in mind that we're not supposed to ever re-use a key,
known plaintext is only useful if we know part of the plaintext, but not
the rest of it.  How often (in what kind of situations) will we know 26
letters of a message, but not the rest of it?

 If you really use words for your key, then a dictionary search
 also works.

Actually, phrases work just as well or better.  A couplet from your
favorite piece of poetry should be pretty good, and a dictionary isn't
likely to help.

 Ciphertext-only should also be possible, but more tedious.

Please tell me how.  This is really what I wanted in the first place,
actually.

--
... perfection has been reached not when there is nothing left to
add, but when there is nothing left to take away. (from RFC 1925)
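The cipher and the known-plaintext equations argued about in this exchange, as an added example that is not part of the original posts. It assumes A..Z as 0..25 with case ignored and reads "Vernam's method" as addition modulo 26; it builds the 26x26 coefficient matrix for 26 consecutive known letters, computes its rank modulo 2 and modulo 13 (the prime factors of 26), and shows why the 26 unknowns can never be unique: a constant moved from one key to another leaves the running key unchanged. Function names are this example's own.

```python
KEY_LENGTHS = (3, 5, 7, 11)   # 3 + 5 + 7 + 11 = 26 unknown key letters

def encrypt(plaintext, keys):
    """A..Z as 0..25 (case ignored); add each repeating key mod 26 (assumed
    reading of 'Vernam's method')."""
    pt = [ord(c) - 65 for c in plaintext.upper() if c.isalpha()]
    return "".join(chr(65 + (p + sum(k[i % len(k)] for k in keys)) % 26)
                   for i, p in enumerate(pt))

def shifted_keys(keys, c=1):
    """Add c to every letter of key 0 and subtract it from key 1: the running
    key is unchanged, so the 26 unknowns are never uniquely determined."""
    return ([(x + c) % 26 for x in keys[0]],
            [(x - c) % 26 for x in keys[1]]) + tuple(keys[2:])

def coefficient_matrix(rows, key_lengths=KEY_LENGTHS):
    """Row i: 0/1 pattern of which key letters are added at position i
    (the right-hand side, ciphertext minus plaintext, is not needed for rank)."""
    matrix = []
    for i in range(rows):
        row = []
        for n in key_lengths:
            row.extend(1 if j == i % n else 0 for j in range(n))
        matrix.append(row)
    return matrix

def rank_mod_p(matrix, p):
    """Rank over GF(p) by Gaussian elimination; Z/26 splits into p=2, p=13."""
    m = [[x % p for x in row] for row in matrix]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)             # Python 3.8+
        m[rank] = [(x * inv) % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank

if __name__ == "__main__":
    keys = tuple([ord(ch) - 65 for ch in w]
                 for w in ("AFN", "GTJIK", "DOSPEQB", "ULVHWMXRYCZ"))
    print(encrypt("This is the plaintext I hope that it is undecipherable", keys))
    m = coefficient_matrix(26)
    print("rank mod 2:", rank_mod_p(m, 2), " rank mod 13:", rank_mod_p(m, 13))
```

Over both prime fields the rank is 23, not 26, so the individual key letters are indeed not determined; the three missing dimensions are exactly the constant shifts between keys, which leave the running key (all that decryption needs) fixed, and 23 consecutive known letters already give rank 23.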


--

Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: could someone post public key that is tempered ?
From: [EMAIL PROTECTED] (Nick Andriash)
Date: Tue, 29 Aug 2000 02:53:31 GMT

=BEGIN PGP SIGNED MESSAGE=
Hash: SHA1

[EMAIL PROTECTED] (jungle) wrote in [EMAIL PROTECTED]:

thanks doug ... but it is wrong ... 

PGP has no problem to indicate to me that Bill Clinton key has ADK in 
it ... 

the question is open: could someone post a public key that is tampered
with and PGP will not detect it?


What version of PGP are you using? If you are using 6.5.8, PGP will not
detect the ADK... thus not detect a hacked Public Key. But, perhaps I do
not fully understand what you are after, and if that is the case, I
apologise. 


- -- 
Nick


N.J. Andriash 

Cryptography-Digest Digest #561

2000-08-28 Thread Digestifier

Cryptography-Digest Digest #561, Volume #12  Tue, 29 Aug 00 01:13:00 EDT

Contents:
  Re: 4x4 s-boxes (Mack)
  Re: 4x4 s-boxes ([EMAIL PROTECTED])
  Re: blowfish problem ("Bruce G. Stewart")
  Re: Future computing power (Anthony Stephen Szopa)
  Re: Future computing power (Anthony Stephen Szopa)
  Re: Future computing power ("CMan")
  Re: Future computing power (Anthony Stephen Szopa)
  Re: Future computing power ("CMan")



From: [EMAIL PROTECTED] (Mack)
Subject: Re: 4x4 s-boxes
Date: 29 Aug 2000 04:10:27 GMT

In article [EMAIL PROTECTED],
  [EMAIL PROTECTED] (Mack) wrote:
 In article [EMAIL PROTECTED],
   [EMAIL PROTECTED] (Mack) wrote:
  In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Mack) wrote:
   Has anyone analyzed the number of s-boxes
   that could be used for Serpent?
  
   more specifically, serpent s-boxes don't appear
   to have particularly good avalanche characteristics.
  
   The criteria seem logical, but is it possible that
   the serpent s-boxes might have been chosen
   using stricter criteria?
  
  My "serpent_sboxes" on my website are good candidates for replacement
  sboxes if needed.
  
  Tom
  --
  http://www.geocities.com/tomstdenis/
  
 
  I have looked at your program to produce s-boxes.
 
  My question is of a more general nature, i.e. how many
  s-boxes actually meet the Serpent criteria and could
  we add additional criteria to the given ones that would
  improve the characteristics without producing a null
  set of s-boxes.
 
  For example, 4x4 s-boxes having the forward and
  inverse both maximum non-linearity and meeting
  SAC are rare at best and non-existent at worst.
  Does anyone know if such s-boxes exist?
 
 The sboxes I made are completely non-linear, i.e. they're "bent"; they
 fulfil SAC and BIC to order 3.  Other than a DPmax of four they
 are perfect sboxes.
 
 Finding them is hard, it took about 8 hours of random searching with
 sboxgen.  I am in the middle of making another set right now actually.
 
 Overall about 1 in 100 million are ok.  This is really rough since I
 didn't keep track of the totals.  This means about 1 in 2^27 are ok,
 and since there are only 2^44 possible sboxes, about 2^17 should exist.
 
 Tom
 

 It is relatively easy to find s-boxes that meet the SAC, BIC and
 non-linearity requirements in the forward direction.  There are only
 1368 boolean functions of four variables that meet the non-linearity
 requirement of 4 and SAC.  There are even fewer that meet the
 requirement of 6.

I don't get the "requirement of 4".  Generally you perform a WT or
FWT.  In my case I chose the WT and I get -4/4 which is the best you can
get for a "bent" sbox.


You can also use the maximum hamming weight to a linear function
which is quicker to calculate.  Extending this to an s-box is a bit
trickier but very useful.

bent is usually used to refer to functions which have non-linearity
which is maximum. They only occur on functions of 2n variables
and are not balanced.  You appear to be referring to nearly bent
functions.

 Note that for a permutation to be bent it is not bijective.  I am
 interested in bijective 4x4 s-boxes with equally good properties in both
 directions.

Actually any bijective function will have an inverse with the same
linearity.  (this is really simple to prove too).

 {3,13,6,14,2,0,15,12,1,5,10,7,4,11,8,9};

This is taken from Construction of DES-like S-boxes based on
Boolean functions satisfying the SAC by Kwangjo Kim.

Which are the S^2 s-boxes.  This is line 2 of the S3-box.

The definition of non-linearity is the hamming distance
from the closest affine function. (Rueppel's criterion)

This has non-linearity of 4 and satisfies the SAC for
each of the boolean functions that are used to construct
it.

Its inverse

5  8  4  0  12  9  2  11  14  15  10  13  7  1  3  6

has nonlinearity of the constituent boolean functions
2 4 2 4

and none of the constituent functions satisfy the SAC.

So no the inverse does NOT have the same non-linearity.

Proof by counterexample.


 Have you found any s-boxes that are bijective (invertible) and
 satisfy the nonlinearity of 4 and SAC in both directions?

Yes, my serpent sboxes.  They have a WT of -4/4 (doesn't matter which
direction), a differential xor-pair max of 4, fulfill SAC and BIC to
order 3 (which means no set of 3 4x1 outputs can be linearly related
via xor).

 "Good S-boxes are easy to find" by Adams and Tavares
 says that there are 60 sboxes that meet SAC, non-linearity,
 and BIC and are bijective with both the box and its inverse
 meeting these properties.  They list three S-boxes but they aren't
 the ones that meet these criteria.

 Does anyone actually have a list of the s-boxes?

Um this is all wrong.  There are 16! ~ 2^44 possible 4x4 sboxes, of
which many are nonlinear and differentially secure.  For example the
following 1000 sboxes have a WT of -4/4, a DP max of 4.  But they don't
necessarily
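The two properties this thread argues about, run over the S-box Mack quotes and its inverse, as an added example that is not code from the thread: per-output-bit nonlinearity (distance to the nearest affine function, computed from the Walsh spectrum) and the SAC test. Helper names are this example's own; the printed figures for the inverse can be compared with those given in the post.

```python
SBOX = [3, 13, 6, 14, 2, 0, 15, 12, 1, 5, 10, 7, 4, 11, 8, 9]  # from the post

def inverse(sbox):
    """Inverse permutation: inv[sbox[x]] == x."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv

def component(sbox, mask):
    """Truth table of x -> parity(mask & sbox[x]); mask 1,2,4,8 = one output bit."""
    return [bin(mask & y).count("1") & 1 for y in sbox]

def walsh(tt):
    """Walsh-Hadamard spectrum of a truth table (in-place fast transform)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """Hamming distance to the nearest affine function (the definition Mack quotes)."""
    return (len(tt) - max(abs(v) for v in walsh(tt))) // 2

def satisfies_sac(tt):
    """SAC: flipping any one input bit changes the output for exactly half
    of the inputs."""
    n = len(tt)
    return all(sum(tt[x] ^ tt[x ^ (1 << b)] for x in range(n)) == n // 2
               for b in range(n.bit_length() - 1))

def profile(sbox):
    """(nonlinearity, SAC) of each output bit, least significant bit first."""
    return [(nonlinearity(component(sbox, 1 << b)),
             satisfies_sac(component(sbox, 1 << b))) for b in range(4)]

if __name__ == "__main__":
    for name, box in (("S", SBOX), ("S^-1", inverse(SBOX))):
        print(name, box)
        print("   per-bit (nonlinearity, SAC):", profile(box))
```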