Cryptography-Digest Digest #737
Cryptography-Digest Digest #737, Volume #12    Fri, 22 Sep 00 05:13:00 EDT

Contents:
  ANNOUNCE New VB Cryptography Book ([EMAIL PROTECTED])
  Re: Tying Up Loose Ends - Correction (Benjamin Goldberg)
  Ever heard of this device? NT Sentinel ("[EMAIL PROTECTED]")
  Re: CDMA tracking (was Re: GSM tracking) (Jerry Coffin)
  Re: IBM analysis secret. (Jerry Coffin)
  Re: t (John Savard)
  Re: Simple hash function (wtshaw)
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: Tying Up Loose Ends - Correction (John Savard)
  Re: XOR (John Savard)
  Re: t (John Savard)
  Re: t (John Savard)
  Re: t ("Douglas A. Gwyn")
  Re: Revilo P. Oliver: Cryptanalyst? ("Douglas A. Gwyn")
  Re: t (Runu Knips)
  Re: t (Mok-Kong Shen)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)
  Re: Proper way to intro a new algorithm to sci.crypt? (Mok-Kong Shen)
  Re: IBM analysis secret. (Roger Schlafly)
  Again a topic of disappearing e-mail? (Mok-Kong Shen)

--

From: [EMAIL PROTECTED]
Subject: ANNOUNCE New VB Cryptography Book
Date: Fri, 22 Sep 2000 02:32:03 GMT

John Wiley & Sons has recently published Richard Bondi's "Cryptography for
Visual Basic: A Programmer's Guide to the Microsoft CryptoAPI" that includes
the source code for CryptoAPI COM wrappers.

Bruce Schneier, author of the best-selling "Applied Cryptography", has
kindly endorsed it by saying that "this is essential reading for anyone who
needs to understand Microsoft's CryptoAPI, its strengths and its
limitations."

You can review the open source code and documentation at
www.geocities.com/richardbondi.

Best,
Richard Bondi

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Date: Fri, 22 Sep 2000 03:02:58 GMT

SCOTT19U.ZIP_GUY wrote:
> [EMAIL PROTECTED] (Mok-Kong Shen) wrote:
>> Tim Tyler wrote:
>>> Mok-Kong Shen [EMAIL PROTECTED] wrote:
>>> : If my message is over one hundred bytes, do you think
>>> : that I need to care about wasting 5 bits??
>>>
>>> [...]
>>>
>>> At worst, this can reduce the size of keyspace by a factor of 32.
>>
>> Sorry, I don't understand. What do you mean by 'keyspace' here? This is
>> the message space. The message gets longer by 5 bits. There is no
>> information in the above of how big the key is. Do I lose or gain
>> security by, say, always appending 5 0's to the ciphertext?
>
> I thought we are talking about compressing then encrypting. If you always
> add 5 zeros or any other fixed amount of bits after a compressed string or
> any file for that matter which is then encrypted. The attacker knows what
> the last few bits are and throws out keys that don't match. So if the last
> five bits of a file are known then it means you reduce your key space by 5
> bits.

Reducing the message space by x bits does *not* reduce the keyspace by x
bits... How much the keyspace is reduced depends on the unicity distance.

--
... perfection has been reached not when there is nothing left to add, but
when there is nothing left to take away. (from RFC 1925)

--

From: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
Subject: Ever heard of this device? NT Sentinel
Date: Thu, 21 Sep 2000 20:40:25 -0700

Northern Telecom Sentinel
Model # NTA005
Data Encryptor 2400 - 64Kbs

Thanks,
Mike

--

From: Jerry Coffin [EMAIL PROTECTED]
Subject: Re: CDMA tracking (was Re: GSM tracking)
Date: Thu, 21 Sep 2000 21:44:41 -0600

In article [EMAIL PROTECTED], roger_95073@my-dejanews.com says...

[ ... ]

> What if I (accidentally or deliberately) disconnected the battery in
> Vegas, and then reconnected when I got home. Then the phone would report
> that I had been in Vegas?

I'd have to look back to be sure -- the phone I was looking at has both
volatile and non-volatile memory. Offhand, I don't remember which of these
this particular data is stored in. Obviously enough, if it's stored in the
volatile memory, then removing all power will destroy the contents, but if
it's in the non-volatile memory, removing power won't. As I said, I
honestly don't remember which it gets stored in though.

--
Later,
Jerry.

The Universe is a figment of its own imagination.

--

From: Jerry Coffin [EMAIL PROTECTED]
Subject: Re: IBM analysis secret.
Date: Thu, 21 Sep 2000 21:52:02 -0600

In article 8qe653$3gp$[EMAIL PROTECTED], [EMAIL PROTECTED] says...

> Hi, I remember once reading about that IBM knew about differential
> analysis when analyzing DES 10 years before it was "discovered" by the
> science community, and kept it a secret for the count of the NSA. Now
> when I'm checking it up, it does not seem to be right at all.

It seems likely to be true to some degree or other. IBM had been working on
various ciphers under the Lucifer project, and most of them prior to DES
were/are subject to differential
Cryptography-Digest Digest #738
Cryptography-Digest Digest #738, Volume #12    Fri, 22 Sep 00 07:13:01 EDT

Contents:
  Re: Software patents are evil. (David Rush)
  Re: Again a topic of disappearing e-mail? (Runu Knips)
  Re: t ("Trevor L. Jackson, III")
  Re: What am I missing? (Sagie)
  Re: PGP 6.5.8 source code published ([EMAIL PROTECTED])
  Re: CDMA tracking (was Re: GSM tracking) (Sagie)
  Re: Maximal security for a resources-limited microcontroller (Sagie)
  Re: Maximal security for a resources-limited microcontroller (Sagie)
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Maximal security for a resources-limited microcontroller (Paul Rubin)

--

From: David Rush [EMAIL PROTECTED]
Subject: Re: Software patents are evil.
Date: 22 Sep 2000 10:23:19 +0100

"Trevor L. Jackson, III" [EMAIL PROTECTED] writes:
> Bill Unruh wrote:
>> In [EMAIL PROTECTED] "Trevor L. Jackson, III" [EMAIL PROTECTED] writes:
>> Patents had has almost nothing to do with software until recently. Yet,
>> you could not say that software has suffered in the US.
>
> Devil's advocate position. Resolved: that the low quality of US software
> is due to the lack of an effective protection for intellectual property.

Oooh. I feel the first rumblings of a paradigm shift.

> dominated by cost differences. So a company that prices its software
> higher than the competition to cover serious development

I've been there. My first startup, back in 1985, had this problem. That was
when I concluded that the American myth of the better mousetrap was false,
and that better salesmen were the ones who truly get rewarded. u$oft has
only confirmed my suspicions.

> Effective IP would restore the balance between quality and cost and
> reduce the domination of the first-to-market mentality.

Actually, you could easily extend your argument to say that the open source
movement has come about due to that first-to-market mentality. I know for
myself that if I'm looking for high-quality software I'll take a mature
open source project any day of the week. And I work on open source because
I *can* produce good work without having to deal with the 'first is better
than best' reality of the software marketplace.

Of course this also implies that Richard Stallman has propagated more evil
than Bill Gates...

Conclusion: I can say that software has suffered in the US if low quality
counts as suffering. I am definitely feeling some rumblings in my paradigm.

david rush
--
Next to the right of liberty, the right of property is the most important
individual right ... and ... has contributed more to the growth of
civilization than any other institution established by the human race.
    -- Popular Government (William Howard Taft)

--

Date: Fri, 22 Sep 2000 11:30:32 +0200
From: Runu Knips [EMAIL PROTECTED]
Subject: Re: Again a topic of disappearing e-mail?

Mok-Kong Shen wrote:
> Email users will soon be able to erase the messages they send from the
> recipient's hard drive using software called SafeMessage that a company
> called AbsoluteFuture is releasing today. SafeMessage destroys messages
> within a certain amount of time after the recipient opens them, erasing
> all footprints on PC hard drives and computer servers, says AbsoluteFuture
> CEO Graham Andrews. Law enforcement officials worry that criminals and
> terrorists will use SafeMessage to conceal their communications, arguing
> that fighting crime effectively in the digital age requires email
> tracing. Meanwhile, privacy advocates applaud the new software. One oil
> executive says he uses a beta version of SafeMessage to prevent rivals
> from accessing his messages.
> http://www.usatoday.com/usatonline/2920/2662888s.htm

Pfft as if this is something noticeable. Using PGP and removing the email
by hand has the same effect, doesn't it?

--

Date: Fri, 22 Sep 2000 05:43:19 -0400
From: "Trevor L. Jackson, III" [EMAIL PROTECTED]
Subject: Re: t

John Savard wrote:
> On Thu, 21 Sep 2000 16:34:39 GMT, "John R." [EMAIL PROTECTED] wrote, in
> part:
>> But the plot is cliched. I can guess how the book begins. Something
>> like:
>>
>> T NNT NF TOT TOF FOT TIT FIT FIF TET FEF TAT LTR LNNTR LNFR LTOTR LTOFR
>> LFOTR LTITR LFITR LFIFR LTETR LFEFR LTATR TALFOTR NLLTAFROTR NLFOFR
>> NLTIFR NLTEFR NLFETR NLTAFR NLFATR NLFAFR
>>
>> Now, I am new to all this, and was wondering if someone could explain,
>> or point me in the direction to understand it.
>
> Each of these lines of text is a true statement. They're designed to make
> it possible to figure out what the characters mean. Thus, the original
> part T NNT NF makes sense if T stands for true, F stands for false, and N
> stands for negation, as represented by ~ in Boolean algebra.
>
> I then went on to introduce the basic operators: A for AND, O for OR, I
> for implication, and E for equivalence (not XOR).
Cryptography-Digest Digest #739
Cryptography-Digest Digest #739, Volume #12    Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Re: Again a topic of disappearing e-mail? (Tom St Denis)
  Re: State-of-the-art in integer factorization (Tom St Denis)
  Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])
  Cryptography FAQ (02/10: Net Etiquette) ([EMAIL PROTECTED])
  Cryptography FAQ (03/10: Basic Cryptology) ([EMAIL PROTECTED])

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Again a topic of disappearing e-mail?
Date: Fri, 22 Sep 2000 11:08:14 GMT

In article [EMAIL PROTECTED], Runu Knips [EMAIL PROTECTED] wrote:
> Mok-Kong Shen wrote:
>> Email users will soon be able to erase the messages they send from the
>> recipient's hard drive using software called SafeMessage that a company
>> called AbsoluteFuture is releasing today. SafeMessage destroys messages
>> within a certain amount of time after the recipient opens them, erasing
>> all footprints on PC hard drives and computer servers, says
>> AbsoluteFuture CEO Graham Andrews. Law enforcement officials worry that
>> criminals and terrorists will use SafeMessage to conceal their
>> communications, arguing that fighting crime effectively in the digital
>> age requires email tracing. Meanwhile, privacy advocates applaud the new
>> software. One oil executive says he uses a beta version of SafeMessage
>> to prevent rivals from accessing his messages.
>> http://www.usatoday.com/usatonline/2920/2662888s.htm
>
> Pfft as if this is something noticeable. Using PGP and removing the email
> by hand has the same effect, doesn't it?

Not to mention if the user is stupid enough to print it off, all is lost!

Tom

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: Tom St Denis [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: State-of-the-art in integer factorization
Date: Fri, 22 Sep 2000 11:06:49 GMT

In article 8qedb0$c49$[EMAIL PROTECTED], [EMAIL PROTECTED] (Ed Pugh) wrote:
> Bob Silverman ([EMAIL PROTECTED]) writes:
>> Nothing has been written. Improvements have been only incremental. (i.e.
>> slightly faster machines, a few more percent squeezed from code, etc.).
>> There hasn't been a new algorithm in 11 years.
>
> Well, at least none that the NSA have let on about, anyway. ;-)

That's right because the public open academia are just stupid people. Not
to mention that virtually all milestones in factoring were public
endeavours [sp]. Try reading euro/asia crypt from about 81 to now and you
will see a plethora of factoring papers, specially the QS, the NFS, and
various other methods I didn't know of till I read it.

Tom

Sent via Deja.com http://www.deja.com/
Before you buy.

--

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (01/10: Overview)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:28 GMT

Archive-name: cryptography-faq/part01
Last-modified: 1999/06/27

This is the first of ten parts of the sci.crypt FAQ. The parts are mostly
independent, but you should read this part before the rest. We don't have
the time to send out missing parts by mail, so don't ask. Notes such as
``[KAH67]'' refer to the reference list in the last part.

Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the good
guys, and we've done what we can to ensure the completeness and accuracy of
this document, but in a field of military and commercial importance like
cryptography you have to expect that some people and organizations consider
their interests more important than open scientific discussion. Trust only
what you can verify firsthand. And don't sue us.

Many people have contributed to this FAQ. In alphabetical order: Eric Bach,
Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison, Jim Gillogly,
Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti, William Setzer. We
apologize for any omissions.

Archives: sci.crypt has been archived since October 1991 on ripem.msu.edu,
though these archives are available only to U.S. and Canadian users.
Another site is rpub.cl.msu.edu in /pub/crypt/sci.crypt/ from Jan 1992.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as
/pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is
posted to the newsgroups sci.crypt, talk.politics.crypto, sci.answers, and
news.answers every 21 days. The fields `Last-modified' and `Version' at the
top of each part track revisions.

1999: There is a project underway to reorganize, expand, and update the
sci.crypt FAQ, pending the resolution of some minor legal issues. The new
FAQ will have two pieces. The first piece will be a series of web pages.
The second piece will be a short posting, focusing on the questions that
really are frequently asked. In the meantime, if you need
Cryptography-Digest Digest #740
Cryptography-Digest Digest #740, Volume #12    Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (04/10: Mathematical Cryptology) ([EMAIL PROTECTED])

--

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (04/10: Mathematical Cryptology)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:29 GMT

Archive-name: cryptography-faq/part04
Last-modified: 93/10/10

This is the fourth of ten parts of the sci.crypt FAQ. The parts are mostly
independent, but you should read the first part before the rest. We don't
have the time to send out missing parts by mail, so don't ask. Notes such
as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as
/pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is
posted to the newsgroups sci.crypt, talk.politics.crypto, sci.answers, and
news.answers every 21 days.

Contents:

4.1. In mathematical terms, what is a private-key cryptosystem?
4.2. What is an attack?
4.3. What's the advantage of formulating all this mathematically?
4.4. Why is the one-time pad secure?
4.5. What's a ciphertext-only attack?
4.6. What's a known-plaintext attack?
4.7. What's a chosen-plaintext attack?
4.8. In mathematical terms, what can you say about brute-force attacks?
4.9. What's a key-guessing attack? What's entropy?

Reader, beware: This section is highly mathematical. Well, maybe not
_highly_ mathematical, but it's got a bunch of symbols and scary-looking
formulas. You have been warned.

4.1. In mathematical terms, what is a private-key cryptosystem?

A private-key cryptosystem consists of an encryption system E and a
decryption system D. The encryption system E is a collection of functions
E_K, indexed by ``keys'' K, mapping some set of ``plaintexts'' P to some
set of ``ciphertexts'' C. Similarly the decryption system D is a collection
of functions D_K such that D_K(E_K(P)) = P for every plaintext P. That is,
successful decryption of ciphertext into plaintext is accomplished using
the same key (index) as was used for the corresponding encryption of
plaintext into ciphertext. Such systems, where the same key value is used
to encrypt and decrypt, are also known as ``symmetric'' cryptosystems.

4.2. What is an attack?

In intuitive terms a (passive) attack on a cryptosystem is any method of
starting with some information about plaintexts and their corresponding
ciphertexts under some (unknown) key, and figuring out more information
about the plaintexts.

It's possible to state mathematically what this means. Here we go.

Fix functions F, G, and H of n variables. Fix an encryption system E, and
fix a distribution of plaintexts and keys.

An attack on E using G assuming F giving H with probability p is an
algorithm A with a pair f, g of inputs and one output h, such that there is
probability p of computing h = H(P_1,...,P_n), if we have f = F(P_1,...,P_n)
and g = G(E_K(P_1),...,E_K(P_n)). Note that this probability depends on the
distribution of the vector (K,P_1,...,P_n).

The attack is trivial (or ``pointless'') if there is probability at least p
of computing h = H(P_1,...,P_n) if f = F(P_1,...,P_n) and g = G(C_1,...,C_n).
Here C_1,...,C_n range uniformly over the possible ciphertexts, and have no
particular relation to P_1,...,P_n. In other words, an attack is trivial if
it doesn't actually use the encryptions E_K(P_1),...,E_K(P_n).

An attack is called ``one-ciphertext'' if n = 1, ``two-ciphertext'' if
n = 2, and so on.

4.3. What's the advantage of formulating all this mathematically?

In basic cryptology you can never prove that a cryptosystem is secure. Read
part 3: we keep saying ``a strong cryptosystem must have this property, but
having this property is no guarantee that a cryptosystem is strong!''

In contrast, the purpose of mathematical cryptology is to precisely
formulate and, if possible, prove the statement that a cryptosystem is
strong. We say, for example, that a cryptosystem is secure against all
(passive) attacks if any nontrivial attack against the system (as defined
above) is too slow to be practical. If we can prove this statement then we
have confidence that our cryptosystem will resist any (passive)
cryptanalytic technique. If we can reduce this statement to some well-known
unsolved problem then we still have confidence that the cryptosystem isn't
easy to break.

Other parts of cryptology are also amenable to mathematical definition.
Again the point is to explicitly identify what assumptions we're making and
prove that they produce the desired results. We can figure out what it
means for a particular cryptosystem to be used properly: it just means that
the assumptions are valid.

The same methodology is useful for
Cryptography-Digest Digest #741
Cryptography-Digest Digest #741, Volume #12    Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (05/10: Product Ciphers) ([EMAIL PROTECTED])

--

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (05/10: Product Ciphers)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:31 GMT

Archive-name: cryptography-faq/part05
Last-modified: 94/06/07

This is the fifth of ten parts of the sci.crypt FAQ. The parts are mostly
independent, but you should read the first part before the rest. We don't
have the time to send out missing parts by mail, so don't ask. Notes such
as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as
/pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is
posted to the newsgroups sci.crypt, talk.politics.crypto, sci.answers, and
news.answers every 21 days.

Contents:

5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, OFB, and PCBC encryption?

5.1. What is a product cipher?

A product cipher is a block cipher that iterates several weak operations
such as substitution, transposition, modular addition/multiplication, and
linear transformation. (A ``block cipher'' just means a cipher that
encrypts a block of data---8 bytes, say---all at once, then goes on to the
next block.) The notion of product ciphers is due to Shannon [SHA49].
Examples of modern product ciphers include LUCIFER [SOR84], DES [NBS77],
SP-networks [KAM78], LOKI [BRO90], FEAL [SHI84], PES [LAI90], Khufu and
Khafre [ME91a]. The so-called Feistel ciphers are a class of product
ciphers which operate on one half of the ciphertext at each round, and then
swap the ciphertext halves after each round. LUCIFER, DES, LOKI, and FEAL
are examples of Feistel ciphers.

The following table compares the main parameters of several product
ciphers:

  cipher   | block length | key bits | number of rounds
  LUCIFER  |     128      |   128    |       16
  DES      |      64      |    56    |       16
  LOKI     |      64      |    64    |       16
  FEAL     |      64      |   128    |  2^x, x >= 5
  PES      |      64      |   128    |        8

5.2. What makes a product cipher secure?

Nobody knows how to prove mathematically that a product cipher is
completely secure. So in practice one begins by demonstrating that the
cipher ``looks highly random''. For example, the cipher must be nonlinear,
and it must produce ciphertext which functionally depends on every bit of
the plaintext and the key. Meyer [MEY78] has shown that at least 5 rounds
of DES are required to guarantee such a dependence. In this sense a product
cipher should act as a ``mixing'' function which combines the plaintext,
key, and ciphertext in a complex nonlinear fashion.

The fixed per-round substitutions of the product cipher are referred to as
S-boxes. For example, LUCIFER has 2 S-boxes, and DES has 8 S-boxes. The
nonlinearity of a product cipher reduces to a careful design of these
S-boxes. A list of partial design criteria for the S-boxes of DES, which
apply to S-boxes in general, may be found in Brown [BRO89] and Brickell et
al. [BRI86].

5.3. What are some group-theoretic properties of product ciphers?

Let E be a product cipher that maps N-bit blocks to N-bit blocks. Let
E_K(X) be the encryption of X under key K. Then, for any fixed K, the map
sending X to E_K(X) is a permutation of the set of N-bit blocks. Denote
this permutation by P_K. The set of all N-bit permutations is called the
symmetric group and is written S_{2^N}. The collection of all these
permutations P_K, where K ranges over all possible keys, is denoted
E(S_{2^N}). If E were a random mapping from plaintexts to ciphertexts then
we would expect E(S_{2^N}) to generate a large subset of S_{2^N}.

Coppersmith and Grossman [COP74] have shown that a very simple product
cipher can generate the alternating group A_{2^N} given a sufficient number
of rounds. (The alternating group is half of the symmetric group: it
consists of all ``even'' permutations, i.e., all permutations which can be
written as an even number of
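To make 5.1 through 5.3 concrete, here is an added example (mine, not code from the FAQ or from any cipher it names): a toy Feistel product cipher on 8-bit blocks, with a constructed key schedule and a published 4-bit S-box used only as a nonlinear table. It shows that the same network decrypts once the round keys are reversed, and it checks that the per-key map P_K is a bijection and an even permutation, i.e. a member of the alternating group A_{2^N} the section is heading toward.

```python
"""Toy Feistel product cipher on 8-bit blocks (added example, not FAQ code).

Rounds of weak operations (key XOR, a 4-bit S-box, half-swap) are iterated;
decryption reuses the network with the round keys reversed; and for any
fixed key the cipher is a permutation of the 2^8 blocks. Each Feistel round
is an even permutation (XOR-by-constant on a 4-bit half is 8 disjoint
transpositions, and the half-swap is 120 of them), so the whole cipher
lands in the alternating group A_{2^8}, whatever the key or S-box.
Block size and key schedule are constructed for illustration only.
"""
from __future__ import annotations

# Constructed choice: the PRESENT 4-bit S-box, used here only as a small
# published nonlinear table; any bijective 4-bit table would serve.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

ROUNDS = 4


def round_keys(key16: int) -> list[int]:
    """Toy key schedule: the four nibbles of a 16-bit key, one per round."""
    return [(key16 >> (4 * i)) & 0xF for i in range(ROUNDS)]


def f(right: int, k: int) -> int:
    """Round function: key mixing followed by the nonlinear substitution."""
    return SBOX[(right ^ k) & 0xF]


def feistel(block: int, keys: list[int]) -> int:
    """One pass through the network; the caller fixes the key order."""
    left, right = (block >> 4) & 0xF, block & 0xF
    for k in keys:
        # (L, R) -> (R, L xor f(R, k)): invertible even though f is not
        left, right = right, left ^ f(right, k)
    # Undo the final swap so the same routine decrypts with reversed keys.
    return (right << 4) | left


def encrypt(block: int, key16: int) -> int:
    return feistel(block, round_keys(key16))


def decrypt(block: int, key16: int) -> int:
    return feistel(block, round_keys(key16)[::-1])


def permutation_of(key16: int) -> list[int]:
    """The map P_K of section 5.3: the image of every 8-bit block under K."""
    return [encrypt(x, key16) for x in range(256)]


def is_bijection(perm: list[int]) -> bool:
    return sorted(perm) == list(range(len(perm)))


def parity(perm: list[int]) -> int:
    """0 for an even permutation, 1 for odd: a permutation of n points
    with c cycles (fixed points included) has sign (-1)^(n - c)."""
    seen = [False] * len(perm)
    cycles = 0
    for start in range(len(perm)):
        if seen[start]:
            continue
        cycles += 1
        i = start
        while not seen[i]:
            seen[i] = True
            i = perm[i]
    return (len(perm) - cycles) % 2


if __name__ == "__main__":
    key = 0x3A7C  # constructed demo key
    for pt in (0x00, 0x5A, 0xFF):
        ct = encrypt(pt, key)
        print(f"{pt:02x} -> {ct:02x} -> {decrypt(ct, key):02x}")
    perm = permutation_of(key)
    print("bijection:", is_bijection(perm), "even permutation:", parity(perm) == 0)
```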
Cryptography-Digest Digest #742
Cryptography-Digest Digest #742, Volume #12    Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (06/10: Public Key Cryptography) ([EMAIL PROTECTED])
  Cryptography FAQ (07/10: Digital Signatures) ([EMAIL PROTECTED])

--

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (06/10: Public Key Cryptography)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:32 GMT

Archive-name: cryptography-faq/part06
Last-modified: 94/06/07

This is the sixth of ten parts of the sci.crypt FAQ. The parts are mostly
independent, but you should read the first part before the rest. We don't
have the time to send out missing parts by mail, so don't ask. Notes such
as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as
/pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is
posted to the newsgroups sci.crypt, talk.politics.crypto, sci.answers, and
news.answers every 21 days.

Contents:

6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'

6.1. What is public-key cryptography?

In a classic cryptosystem, we have encryption functions E_K and decryption
functions D_K such that D_K(E_K(P)) = P for any plaintext P. In a
public-key cryptosystem, E_K can be easily computed from some ``public
key'' X which in turn is computed from K. X is published, so that anyone
can encrypt messages. If decryption D_K cannot be easily computed from
public key X without knowledge of private key K, but readily with knowledge
of K, then only the person who generated K can decrypt messages. That's the
essence of public-key cryptography, introduced by Diffie and Hellman in
1976.

This document describes only the rudiments of public key cryptography.
There is an extensive literature on security models for public-key
cryptography, applications of public-key cryptography, other applications
of the mathematical technology behind public-key cryptography, and so on;
consult the references at the end for more refined and thorough
presentations.

6.2. How does public-key cryptography solve cryptography's Catch-22?

In a classic cryptosystem, if you want your friends to be able to send
secret messages to you, you have to make sure nobody other than them sees
the key K. In a public-key cryptosystem, you just publish X, and you don't
have to worry about spies.

Hence public key cryptography `solves' one of the most vexing problems of
all prior cryptography: the necessity of establishing a secure channel for
the exchange of the key. To establish a secure channel one uses
cryptography, but private key cryptography requires a secure channel! In
resolving the dilemma, public key cryptography has been considered by many
to be a `revolutionary technology,' representing a breakthrough that makes
routine communication encryption practical and potentially ubiquitous.

6.3. What is the role of the `trapdoor function' in public key schemes?

Intrinsic to public key cryptography is a `trapdoor function' D_K with the
properties that computation in one direction (encryption, E_K) is easy and
in the other is virtually impossible (attack, determining P from encryption
E_K(P) and public key X). Furthermore, it has the special property that the
reversal of the computation (decryption, D_K) is again tractable if the
private key K is known.

6.4. What is the role of the `session key' in public key schemes?

In virtually all public key systems, the encryption and decryption times
are very lengthy compared to other block-oriented algorithms such as DES
for equivalent data sizes. Therefore in most implementations of public-key
systems, a temporary, random `session key' of much smaller length than the
message is generated for each message and alone encrypted by the public key
algorithm. The message is actually encrypted using a faster private key
algorithm with the session key. At the receiver side, the session key is
decrypted using the public-key algorithms and the recovered `plaintext' key
is used to decrypt the message.

The session key approach blurs the distinction between `keys' and
`messages' -- in the scheme, the message includes the key, and the key
itself is treated as an encryptable `message'.
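The session-key arrangement of 6.4, as an added example (mine, not FAQ code): toy textbook RSA with a freshly generated 512-bit modulus plays the slow public-key algorithm and transports only a 32-byte random session key, while a SHA-256 counter-mode keystream stands in for the fast symmetric algorithm that encrypts the message itself. The RSA size, the absence of padding and the unauthenticated stream are illustration choices, not recommendations.

```python
"""Session-key (hybrid) encryption in the shape described in FAQ 6.4.

Added example, not FAQ code. Only the short random session key goes through
the public-key step (toy unpadded RSA); the message, of any length, is
encrypted under that key with a fast symmetric keystream (SHA-256 in
counter mode). Real deployments use padded RSA or a KEM, a standard cipher
such as AES-GCM, and authenticate the ciphertext; none of that is done here.
"""
from __future__ import annotations

import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512) -> tuple[tuple[int, int], tuple[int, int]]:
    """Returns ((n, e), (n, d)). 512-bit toy modulus: far too small for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def stream_xor(session_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Fast symmetric step: XOR with SHA-256(key || nonce || counter) blocks.
    A PRF in counter mode; it hides content but does not authenticate it."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        block = hashlib.sha256(session_key + nonce + ctr.to_bytes(8, "big")).digest()
        chunk = data[32 * ctr:32 * ctr + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def hybrid_encrypt(pub: tuple[int, int], message: bytes) -> tuple[int, bytes, bytes]:
    """The key itself is treated as an encryptable 'message' for the public-key step."""
    n, e = pub
    session_key = secrets.token_bytes(32)                     # short, random, per message
    nonce = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # slow step: 32 bytes only
    body = stream_xor(session_key, nonce, message)            # fast step: whole message
    return wrapped, nonce, body


def hybrid_decrypt(priv: tuple[int, int], wrapped: int, nonce: bytes, body: bytes) -> bytes:
    n, d = priv
    session_key = pow(wrapped, d, n).to_bytes(32, "big")      # recover the 'plaintext' key
    return stream_xor(session_key, nonce, body)               # then decrypt the message


def roundtrip(message: bytes) -> bool:
    pub, priv = rsa_keygen()
    wrapped, nonce, body = hybrid_encrypt(pub, message)
    return hybrid_decrypt(priv, wrapped, nonce, body) == message


if __name__ == "__main__":
    msg = b"Constructed sample message, much longer than the 32-byte session key. " * 20
    print("roundtrip ok:", roundtrip(msg))
```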
Cryptography-Digest Digest #743
Cryptography-Digest Digest #743, Volume #12    Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (08/10: Technical Miscellany) ([EMAIL PROTECTED])
  Cryptography FAQ (09/10: Other Miscellany) ([EMAIL PROTECTED])

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (08/10: Technical Miscellany)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:33 GMT

Archive-name: cryptography-faq/part08
Last-modified: 94/01/25

This is the eighth of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, sci.answers, and news.answers every 21 days.

Contents

8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?

8.1. How do I recover from lost passwords in WordPerfect?

WordPerfect encryption has been shown to be very easy to break. The method uses XOR with two repeating key streams: a typed password and a byte-wide counter initialized to 1+the password length. Full descriptions are given in Bennett [BEN87] and Bergen and Caelli [BER91].

Chris Galas writes: ``Someone awhile back was looking for a way to decrypt WordPerfect document files and I think I have a solution. There is a software company named: Accessdata (87 East 600 South, Orem, UT 84058), 1-800-658-5199 that has a software package that will decrypt any WordPerfect, Lotus 1-2-3, Quatro-Pro, MS Excel and Paradox files. The cost of the package is $185. Steep prices, but if you think your pw key is less than 10 characters, (or 10 char) give them a call and ask for the free demo disk. The demo disk will decrypt files that have a 10 char or less pw key.''

Bruce Schneier says the phone number for AccessData is 801-224-6970.

8.2. How do I break a Vigenere (repeated-key) cipher?

A repeated-key cipher, where the ciphertext is something like the plaintext xor KEYKEYKEYKEY (and so on), is called a Vigenere cipher. If the key is not too long and the plaintext is in English, do the following:

1. Discover the length of the key by counting coincidences. (See Gaines [GAI44], Sinkov [SIN66].) Trying each displacement of the ciphertext against itself, count those bytes which are equal. If the two ciphertext portions have used the same key, something over 6% of the bytes will be equal. If they have used different keys, then less than 0.4% will be equal (assuming random 8-bit bytes of key covering normal ASCII text). The smallest displacement which indicates an equal key is the length of the repeated key.

2. Shift the text by that length and XOR it with itself. This removes the key and leaves you with text XORed with itself. Since English has about 1 bit of real information per byte, 2 streams of text XORed together has 2 bits of info per 8-bit byte, providing plenty of redundancy for choosing a unique decryption. (And in fact one stream of text XORed with itself has just 1 bit per byte.)

If the key is short, it might be even easier to treat this as a standard polyalphabetic substitution. All the old cryptanalysis texts show how to break those. It's possible with those methods, in the hands of an expert, if there's only ten times as much text as key. See, for example, Gaines [GAI44], Sinkov [SIN66].

8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]

Here's one popular method, using the des command:

    cat file | compress | des private_key | uuencode | mail

Meanwhile, there is a de jure Internet standard in the works called PEM (Privacy Enhanced Mail). It is described in RFCs 1421 through 1424. To join the PEM mailing list, contact [EMAIL PROTECTED] There is a beta version of PEM being tested at the time of this writing. There are also two
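Returning to section 8.2 above, the two steps it gives (count coincidences at each displacement to find the period, then XOR the ciphertext with itself shifted by that period to cancel the key) can be carried out directly on bytes. The following is an added illustration, not code from the sci.crypt FAQ or any of its contributors; the sample English text, the 5-byte key and the 3% decision threshold are constructed for the demonstration, while the 6% and 0.4% figures the threshold sits between are the FAQ's own.

```python
# Added example for FAQ section 8.2: recovering the period of a repeated-key
# XOR cipher by coincidence counting, then cancelling the key by shifting.
# Not part of the FAQ; sample text, key and threshold are constructed here.
from itertools import cycle

# Constructed sample plaintext: ordinary English, a few hundred bytes,
# repeated to give the statistics something to work with.
SAMPLE_TEXT = (
    b"The quick brown fox jumps over the lazy dog. "
    b"Cryptanalysis of a repeated-key cipher begins by finding the key "
    b"length, because once the period is known the problem splits into "
    b"independent single-byte XOR problems, each of which is solved by "
    b"ordinary frequency analysis of English text. "
) * 3
SAMPLE_KEY = bytes([0x7F, 0x13, 0xA9, 0x42, 0xC0])  # constructed 5-byte key


def xor_repeated_key(data: bytes, key: bytes) -> bytes:
    """The cipher of section 8.2: plaintext XOR KEYKEYKEY...; self-inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def coincidence_rate(ct: bytes, shift: int) -> float:
    """Fraction of positions i where ct[i] == ct[i + shift]."""
    n = len(ct) - shift
    matches = sum(1 for i in range(n) if ct[i] == ct[i + shift])
    return matches / n


def find_key_length(ct: bytes, max_len: int = 32, threshold: float = 0.03) -> int:
    """Step 1: the smallest displacement whose coincidence rate is 'high'.

    The FAQ's figures are over 6% when both portions were enciphered with
    the same key bytes and under 0.4% otherwise, so any threshold between
    them separates the two cases; 3% is a constructed middle value.
    """
    for shift in range(1, max_len + 1):
        if coincidence_rate(ct, shift) > threshold:
            return shift
    raise ValueError("no period found within max_len")


def strip_key(ct: bytes, period: int) -> bytes:
    """Step 2: XOR the ciphertext with itself shifted by the period.

    Because ct[i] = p[i] ^ k[i mod period], the key cancels and what is
    left is p[i] ^ p[i + period]: plaintext XORed with shifted plaintext,
    which still carries the redundancy of English.
    """
    return bytes(ct[i] ^ ct[i + period] for i in range(len(ct) - period))


def demo() -> dict:
    """Encrypt the sample, recover the period, and check the key cancelled."""
    ct = xor_repeated_key(SAMPLE_TEXT, SAMPLE_KEY)
    period = find_key_length(ct)
    expected = bytes(SAMPLE_TEXT[i] ^ SAMPLE_TEXT[i + period]
                     for i in range(len(SAMPLE_TEXT) - period))
    return {
        "period": period,
        "rate_at_period": coincidence_rate(ct, period),
        "rate_at_1": coincidence_rate(ct, 1),
        "key_cancelled": strip_key(ct, period) == expected,
    }


if __name__ == "__main__":
    print(demo())
```

The output of `strip_key` is the "text XORed with itself" the FAQ describes; the remaining work, splitting the ciphertext into `period` interleaved single-byte XOR streams and solving each by letter frequencies, is the standard polyalphabetic-substitution attack the section refers the reader to Gaines and Sinkov for. For a defender the lesson is the one the FAQ implies: any repeating key, however long, leaves a periodic structure that a few hundred bytes of ordinary text are enough to expose.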
Cryptography-Digest Digest #745
Cryptography-Digest Digest #745, Volume #12    Fri, 22 Sep 00 08:13:00 EDT

Contents:
  [SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.1.1 (Shannon Appel)

From: Shannon Appel [EMAIL PROTECTED]
Subject: [SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.1.1
Crossposted-To: alt.security,comp.security.misc,comp.protocols,comp.infosystems.www.misc,alt.answers,comp.answers,news.answers,sci.answers
Date: 22 Sep 2000 11:21:26 GMT

Content-type: text/x-usenet-FAQ; version=1.1; title="[SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.1.1"
Archive-name: computer-security/ssl-talk-faq
Posting-Frequency: monthly
Last-modified: Nov 16 12:00:00 PST 1998
Version: 1.1.1 (text) Mon Nov 16 12:00:00 PST 1998
URL: http://www.consensus.com/security/ssl-talk-faq.html
Copyright-Notice: (c) Copyright 1996-1998 by Consensus Development Corporation -- All Rights Reserved

SSL-Talk FAQ
Secure Sockets Layer Discussion List FAQ v1.1.1
Mon Nov 16 12:00:00 PST 1998

FAQ Maintained by:
  Shannon Appel [EMAIL PROTECTED]
  Consensus Development Corporation
  http://www.consensus.com/

The latest edition of this FAQ can always be found at:
  http://www.consensus.com/security/ssl-talk-faq.html
  http://www.consensus.com/security/ssl-talk-faq.txt

Copyright (c) 1996-1998 Consensus Development Corporation - All Rights Reserved

* Due to the November 15, 1998 dissolution of the SSL-Talk mailing list, this will be the last version of this FAQ in its current form. It will be replaced by a more general TLS SSL FAQ in the near future that is not tied to any mailing list or newsgroup. *

All information contained in this work is provided "as is." All warranties, expressed, implied or statutory, concerning the accuracy of the information of the suitability for any particular use are hereby specifically disclaimed. While every effort has been taken to ensure the accuracy of the information contained in this work, the authors assume(s) no responsibility for errors or omissions or for damages resulting from the use of the information contained herein.

This work may be copied in any printed or electronic form for non-commercial, personal, or educational purposes if the work is not modified in any way, provided that the copyright notice, the notices of any other author included in this work, and this copyright agreement appear on all copies.

Consensus Development Corporation also grants permission to distribute this work in electronic form over computer networks for other purposes, provided that, in addition to the terms and restrictions set forth above, Consensus Development Corporation and/or other cited authors are notified and that no fees are charged for access to the information in excess of normal online charges that are required for such distribution.

This work may also be mentioned, cited, referred to or described (but not copied or distributed, except as authorized above) in printed publications, on-line services, other electronic communications media, and otherwise, provided that Consensus Development Corporation and any other cited author receives appropriate attribution.

Comments about, suggestions about, or corrections to this document are welcomed. If you would like to ask us to change this document in some way, the method we appreciate most is for you to actually make the desired modifications to a copy of the posting, and then to send us the modified document, or a context diff between the posted version and your modified version (if you do the latter, make sure to include in your mail the "Version:" line from the posted version). Submitting changes in this way makes dealing with them easier for us and helps to avoid misunderstandings about what you are suggesting.

Many people have in the past provided feedback and corrections; we thank them for their input. In particular, many thanks to:

  Christopher Allen [EMAIL PROTECTED]
  Shannon Appel [EMAIL PROTECTED]
  Nelson Bolyard [EMAIL PROTECTED]
  Tim Dierks [EMAIL PROTECTED]
  Eric Greenberg [EMAIL PROTECTED]
  Charles Neerdaels [EMAIL PROTECTED]
  Bruce Schneier [EMAIL PROTECTED]
  Tom Weinstein [EMAIL PROTECTED]
  Jonathan Zamick [EMAIL PROTECTED]

Remaining ambiguities, errors, and difficult-to-read passages are not their fault. :)

== CONTENTS

1) THE
Cryptography-Digest Digest #744
Cryptography-Digest Digest #744, Volume #12    Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (10/10: References) ([EMAIL PROTECTED])

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (10/10: References)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:36 GMT

Archive-name: cryptography-faq/part10
Last-modified: 94/06/13

This is the tenth of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in this part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, sci.answers, and news.answers every 21 days.

Contents

10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups

10.1. Books on history and classical methods

[FRIE1] Lambros D. Callimahos, William F. Friedman, Military Cryptanalytics. Aegean Park Press, ?.
[DEA85] Cipher A. Deavours, Louis Kruh, Machine Cryptography and Modern Cryptanalysis. Artech House, 610 Washington St., Dedham, MA 02026, 1985.
[FRIE2] William F. Friedman, Solving German Codes in World War I. Aegean Park Press, ?.
[GAI44] H. Gaines, Cryptanalysis, a study of ciphers and their solution. Dover Publications, 1944.
[HIN00] F. H. Hinsley, et al., British Intelligence in the Second World War. Cambridge University Press. (vol's 1, 2, 3a, 3b, 4, so far). XXX Years and authors, fix XXX
[HOD83] Andrew Hodges, Alan Turing: The Enigma. Burnett Books Ltd., 1983.
[KAH91] David Kahn, Seizing the Enigma. Houghton Mifflin, 1991.
[KAH67] D. Kahn, The Codebreakers. Macmillan Publishing, 1967. [history] [The abridged paperback edition left out most technical details; the original hardcover edition is recommended.]
[KOZ84] W. Kozaczuk, Enigma. University Publications of America, 1984.
[KUL76] S. Kullback, Statistical Methods in Cryptanalysis. Aegean Park Press, 1976.
[SIN66] A. Sinkov, Elementary Cryptanalysis. Math. Assoc. Am., 1966.
[WEL82] Gordon Welchman, The Hut Six Story. McGraw-Hill, 1982.
[YARDL] Herbert O. Yardley, The American Black Chamber. Aegean Park Press, ?.

10.2. Books on modern methods

[BEK82] H. Beker, F. Piper, Cipher Systems. Wiley, 1982.
[BRA88] G. Brassard, Modern Cryptology: a tutorial. Springer-Verlag, 1988.
[DEN82] D. Denning, Cryptography and Data Security. Addison-Wesley Publishing Company, 1982.
[KOB89] N. Koblitz, A course in number theory and cryptography. Springer-Verlag, 1987.
[KON81] A. Konheim, Cryptography: a primer. Wiley, 1981.
[MEY82] C. Meyer and S. Matyas, Cryptography: A new dimension in computer security. Wiley, 1982.
[PAT87] Wayne Patterson, Mathematical Cryptology for Computer Scientists and Mathematicians. Rowman & Littlefield, 1987.
[PFL89] C. Pfleeger, Security in Computing. Prentice-Hall, 1989.
[PRI84] W. Price, D. Davies, Security for computer networks. Wiley, 1984.
[RUE86] R. Rueppel, Design and Analysis of Stream Ciphers. Springer-Verlag, 1986.
[SAL90] A. Salomaa, Public-key cryptography. Springer-Verlag, 1990.
[SCH94] B. Schneier, Applied Cryptography. John Wiley & Sons, 1994. [errata available from [EMAIL PROTECTED]]
[WEL88] D. Welsh, Codes and Cryptography. Clarendon Press, 1988.

10.3. Survey articles

[ANG83] D. Angluin, D. Lichtenstein, Provable Security in Cryptosystems: a survey. Yale University, Department of Computer Science, #288, 1983.
[BET90] T. Beth, Algorithm engineering for public key algorithms. IEEE Selected Areas of Communication, 1(4), 458--466, 1990.
[DAV83] M. Davio, J. Goethals, Elements of cryptology. in Secure Digital Communications, G. Longo ed., 1--57, 1983.
[DIF79] W. Diffie, M. Hellman, Privacy and Authentication: An introduction to cryptography. IEEE proceedings, 67(3), 397--427, 1979.
[DIF88] W. Diffie, The first ten years of public key cryptography. IEEE proceedings, 76(5), 560--577, 1988.
[FEI73] H. Feistel, Cryptography and Computer Privacy. Scientific American, 228(5), 15--23, 1973.
[FEI75] H. Feistel, W. Notz, J. Lynn Smith. Some cryptographic techniques for
Cryptography-Digest Digest #746
Cryptography-Digest Digest #746, Volume #12    Fri, 22 Sep 00 10:13:01 EDT

Contents:
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: State-of-the-art in integer factorization (Jeffrey Williams)
  Re: State-of-the-art in integer factorization (David Blackman)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)
  Re: Again a topic of disappearing e-mail? (Mok-Kong Shen)
  Re: PGP 6.5.8 source code published ("M.Bädeker")
  Re: RSA public exponent ([EMAIL PROTECTED])
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: t ("John A. Malley")
  Re: Revilo P. Oliver: Cryptanalyst? (John Savard)
  Re: IBM analysis secret. (John Savard)
  Re: t (John Savard)
  Re: t (John Savard)
  Re: My e-mail to Jim Gillogly -- YO, JIM!!??? (I'm annoyed at you) ("Kevin N. Stone")

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Sep 2000 11:11:05 GMT

John Savard [EMAIL PROTECTED] wrote:
: On Wed, 20 Sep 2000 15:03:10 GMT, Tim Tyler [EMAIL PROTECTED] wrote:

:An alternative - which I've not seen discussed on this forum - would be
:to use an encryption device which is capable of encrypting variable length
:bitstrings, and is not confined to multiples of 8 bits. I attribute this
:idea to David Scott.

: No, don't.
: Actually, encrypting that way is the 'default' idea. [...]

Hrumph. Variable length cyphers that can accommodate strings of an arbitrary number of bits are not terribly common - unless you count XOR based stream cyphers - which I don't regard favourably in the first place.

Cyphers that can deal with fractional bitstream lengths are even less common - the only one that I know of is the Hasty Pudding cypher. [http://www.cs.arizona.edu/~rcs/hpc/] I'm sure there are others, but they are the exception - rather than the rule.

Anyway - since I seem to have been misinterpreted - I'd better state that the idea of using such an encryption scheme to resolve the Huffman/Arithmetic file ending problem is (AFAIK) David's idea. I have no illusions that he invented the idea of using encryption schemes which can cope with variable numbers of bits. This isn't the first time I've cited the Hasty Pudding cypher as being able to deal with very fine file-length graduations.

--
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
|im |yler  The Mandala Centre  http://mandala.co.uk/  Namaste.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Sep 2000 11:31:08 GMT

John Savard [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote, in part:

:If you want to obscure the length of the file from your adversary, as
:much random padding as you like can be used at this stage.

: False. If padding is added *after* encryption, one has to [...]
: indicate where the padding starts in the clear so that decryption will
: act on the right bits.

That's true. You have to distinguish the message from the padding in some way - regardless of where you do it. Doing it inside encryption has some problems of its own.

: If the padding is genuinely random, adding it before encryption won't
: cause a security problem:

I agree - though there are still some problems distinguishing the padding from the data, unless we're still talking about padding 8 bits onto the end of a Huffman file. If there are any other problems in this area, they are with the premise.

: [...] and does avoid the kinds of problem I was concerned with - the
: teensy bit of redundancy left in by a scheme aimed precisely at getting
: the last little teensy bit out.

I would still like to see a Huffman scheme with this type of padding implemented, so I can verify experimentally that it does flatten out the redundancy exactly - since any theoretical argument for it doing so is not yet clear to me.

I certainly agree that padding with random partial Huffman symbols is better than padding with zeros - in terms of flattening out the frequency distribution of the last byte.

--
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
|im |yler  The Mandala Centre  http://mandala.co.uk/  Namaste.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Sep 2000 11:47:35 GMT

John Savard [EMAIL PROTECTED] wrote:
:TT wrote:

:If you want to obscure the length of the file from your adversary, as
:much random padding as you like can be used at this stage.

: False. If padding is added *after* encryption, one has to [...]
: indicate where the padding starts in the clear so that decryption will
: act on the right bits.

I wonder if someone can help me here. I don't
Cryptography-Digest Digest #748
Cryptography-Digest Digest #748, Volume #12    Fri, 22 Sep 00 14:13:01 EDT

Contents:
  Re: Software patents are evil. ("Paul Pires")
  Re: Carnivore article in October CACM _Inside_Risks ([EMAIL PROTECTED])
  Re: t (Mok-Kong Shen)
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: IBM analysis secret. (SCOTT19U.ZIP_GUY)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)

From: "Paul Pires" [EMAIL PROTECTED]
Subject: Re: Software patents are evil.
Date: Fri, 22 Sep 2000 10:23:07 -0700

Bill Unruh [EMAIL PROTECTED] wrote in message news:8qdu5a$n9b$[EMAIL PROTECTED]...
In HXsy5.2330$[EMAIL PROTECTED] "Paul Pires" [EMAIL PROTECTED] writes:

]Bill Unruh [EMAIL PROTECTED] wrote in message
]news:8qdf0a$dj3$[EMAIL PROTECTED]...
] In [EMAIL PROTECTED] "Trevor L. Jackson, III" [EMAIL PROTECTED]
]writes:
] ] Patents had has almost nothing to do with software until recently. Yet,
] ] you could not say that software has suffered in the US.
]
] ]Well, given that we have no control against which to test the history of
]software in the
] ]US, and given that the software industry is fairly young there does not seem
]to be much
] ]that can be said in a definitive way. Yet, for the purposes of discussion, I
]can take a
] ]Devil's advocate position. Resolved: that the low quality of US software is
]due to the
] ]lack of an effective protection for intellectual property.
]
] Low quality is almost always due to a lack of competition, not a lack
] of intellectual property rights. The USSR had immense intellectual and
] other property rights protections-- manufacturers were handed monopolies
] on all kinds of goods. There is no evidence whatsoever that this
] resulted in the manufacturers spending time and effort to make sure that
] their products were the best possible. Just the reverse.

]Why do you continually insert the monopoly practices of the former USSR into
]the discussion? What, it happened there so it could happen here? The issue isn't
]whether state sanction monopolistic practices are good or bad but whether
]the particular one under discussion is. Hey, they were bad. Guess what, they
]are gone. Move on.

Because it is an example of a country which instituted precisely the kind of restrictions on the economic system, for reasons which are very similar to the reasons which you give.

"Precisely" and "similar"? I don't think so (Just my opinion). Their reasons are unimportant, it was their actions that proved to be problematical.

Of course it is not the same. Of course it differs in detail. But your argument is that monopoly leads to better products for the consumer. My counterargument is that it does not, as has been tested by various countries. One should learn from history, not just "move on" or we will repeat all of the same mistakes. The USSR did not get where it was on purpose or through evil intent. It was trying to set up a much fairer economic system than the predatory, wasteful, exploitative capitalist system, a system which would produce more and better goods for the consumers without the costs of capitalism.

Why it failed is a matter of opinion and I have one different from yours.

It failed. Monopolies are not a good idea. Patents are monopolies. Thus the question arises as to whether the benefits which accrue to society through the conditions set on the monopolies granted by patents outweigh the costs that monopolies invariably bring with themselves. In the case where those benefits do not clearly and demonstrably (not theoretically) outweigh the costs, monopolies should not be granted, and then should be granted for as short a time as possible and still reap the clear benefits to society. In my opinion software patents do not fulfill these criteria. They grant monopolies without a clear benefit ( except of course to the monopolist). Your arguments were all theoretical and of exactly the kind used by the Soviets to justify their experiment.

Bad logic. Just because the rationale behind A & B are identical, doesn't mean the processes A & B are identical. Both of our arguments are equally theoretical. Any claim that you have that history is behind yours is just bad science.

] ]First, the low quality is evaluated against what we know could/should be done
]rather
] ]than against what is done in other countries (where IP protection is even
]less
] ]effective). Second, the observation that intellectual property is not
]effectively
] ]protected is demonstrated by the Lotus 123 suits (vs Visi and vs clones) and
]the
] ]Xerox/Apple vs Microsoft/HP suit. I submit that there was appreciable
]intellectual
] ]property at issue, and that the good guys lost.
]
] Well, I sure would not argue that the good guys lost in the Look and
] Feel cases, if that is what you refer to. Those cases were
Cryptography-Digest Digest #747
Cryptography-Digest Digest #747, Volume #12    Fri, 22 Sep 00 14:13:01 EDT

Contents:
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: State-of-the-art in integer factorization ("Sam Simpson")
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Tying Up Loose Ends - Correction ("Trevor L. Jackson, III")
  Re: State-of-the-art in integer factorization (JCA)
  Re: Dr Mike's "Implementing Elliptic Curve Cryptography" - reader comment (DJohn37050)
  Re: IBM analysis secret. (DJohn37050)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)
  Re: Music Industry wants hacking information for cheap (Scott Craver)
  Re: What am I missing? (Scott Craver)
  Re: 3DES - keyoptions ("Neil McKeeney")
  Re: t (rot26)

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Sep 2000 14:04:26 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote:
: Tim Tyler wrote:
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:
: : [EMAIL PROTECTED] (Benjamin Goldberg) wrote:
: :SCOTT19U.ZIP_GUY wrote:
: : [EMAIL PROTECTED] (Mok-Kong Shen) wrote:
: : Tim Tyler wrote:
: : Mok-Kong Shen [EMAIL PROTECTED] wrote:

: : : If my message is over one hundred bytes, do you think
: : : that I need to care about wasting 5 bits?? [...]
: :
: : At worst, this can reduce the size of keyspace by a factor of 32.
: :
: : Sorry, I don't understand. What do you mean by 'keyspace'
: : here? This is the message space. The message gets longer
: : by 5 bits. There is no information in the above of how
: : big the key is. [...]
: :
: : I thought we are talking about compressing then encrypting.
: : If you always add 5 zeros or any other fixed amount of bits
: : after a compressed string or any file for that matter which is
: : then encrypted. The attacker know what the last few bits are
: : and throws out keys that don't match. So if the last five bits
: : of a file are known then it means you reduce your key space by
: : 5 bits.
: :
: :Reducing the message space by x bits does *not* reduce the keyspace by x
: :bits... How much the keyspace is reduced depends on the unicity
: :distance. [...]

: If one was *replacing* five bits at the end of the message by 0s,
: the effect would depend on the unicity distance [because those
: bits might have been known already].

: No. [...]

I believe what I wrote was correct.

: Consider this: Encryption algorithm A encrypts, with
: a key K, blocks of 64 bits and produces ciphertext of
: same number of blocks of same lengths. Encryption
: Algorithm B uses the key K to do the same and append
: at the end 5 0's. [...]

That's different from replacing symbols at the end of a message - which is what I said I was discussing.

: Now the ciphertext of algorithm B is longer than the ciphertext of
: algorithm A. Does that matter excepting the transmission cost?

There's five "0"s worth of known plaintext.

: Where does the 'keyspace' play a role here at all?

The known plaintext allows you to reject keys. You might not otherwise be able to do this, or might not be able to do it with such speed, or certainty. This reduces the effective number of keys that need to be considered in more depth. It might (or might not) make a difference to the time taken to break the system.

: That's not what David was talking about. David is discussing the
: effect of adding an additional section of known plaintext to the
: end of the file. This normally has the effect of decreasing the
: keyspace by almost exactly five bits - provided the effective
: keyspace doesn't go negative, of course.

: No. [...]

I think what I wrote was correct.

: He was criticizing my end-of-file symbol taking up extra bits. [...]

Yes. He also discussed the possible costs of reserving a symbol for this purpose.

--
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
|im |yler  The Mandala Centre  http://mandala.co.uk/  Breast is best.

--

From: "Sam Simpson" [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: State-of-the-art in integer factorization
Date: Fri, 22 Sep 2000 15:21:58 +0100

Erm, RSA and DH equivalents were found by GCHQ prior to the public disclosures. Your point was? ;)

Just because euro/asia crypt publish QS/NFS papers, how does this reflect upon the abilities of NSA / GCHQ etc?

--
Sam Simpson
Comms Analyst
http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption Delphi Crypto Components. PGP Keys available at the same site.

Tom St Denis [EMAIL PROTECTED] wrote in message news:8qfefu$g2v$[EMAIL PROTECTED]...
In article 8qedb0$c49$[EMAIL PROTECTED], [EMAIL PROTECTED] (Ed Pugh) wrote:
Bob Silverman ([EMAIL PROTECTED]) writes:
Nothing has been written. Improvements have been only incremental. (i.e. slightly faster machines, a few more percent squeezed from
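The point Tim Tyler and David Scott make in the exchange above, that a fixed tail of known bits lets an attacker discard keys whose trial decryption does not produce it, is easy to see in a simulation. The following is an added example, not code from any participant in the thread: the cipher is a constructed toy (a 16-bit key expanded by SHA-256 into a keystream, chosen only so that the whole keyspace can be enumerated in a fraction of a second), and the message, key and tail are constructed too. The only property of the toy cipher the simulation relies on is that each key's keystream looks random, so that a candidate key passes the five-bit check with probability 1/32.

```python
# Added simulation (not part of the thread): how a fixed, known tail of five
# zero bits after the compressed data lets an attacker reject candidate keys,
# the effect David Scott and Tim Tyler describe above. The cipher is a
# constructed toy: a 16-bit key expanded by SHA-256 into a keystream.
import hashlib

KEY_BITS = 16           # toy keyspace of 65536 keys, small enough to enumerate
TAIL_BITS = 5           # the five known zero bits appended to the message


def keystream(key: int, nbits: int) -> int:
    """Toy keystream: the first nbits of SHA-256(key). Constructed for the
    simulation; the only property used is that it looks random per key."""
    digest = hashlib.sha256(key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def encrypt(key: int, plaintext: int, nbits: int) -> int:
    """XOR an nbits-wide plaintext with the keystream (self-inverse)."""
    return plaintext ^ keystream(key, nbits)


def keys_consistent_with_tail(ciphertext: int, nbits: int, tail_bits: int) -> list:
    """Keys under which the last tail_bits of the decryption are all zero.

    Decrypted tail = ciphertext tail XOR keystream tail, so it is zero
    exactly when the keystream tail equals the ciphertext tail. With
    tail_bits = 0 nothing can be checked and every key survives.
    """
    mask = (1 << tail_bits) - 1
    ct_tail = ciphertext & mask
    return [k for k in range(1 << KEY_BITS)
            if (keystream(k, nbits) & mask) == ct_tail]


def demo() -> dict:
    payload = 0x2B7F9A3C1D            # constructed 40-bit "compressed" message
    payload_bits = 40
    plaintext = payload << TAIL_BITS  # append five zero bits, as discussed
    nbits = payload_bits + TAIL_BITS
    true_key = 0xBEEF                 # constructed
    ct = encrypt(true_key, plaintext, nbits)

    with_known_tail = keys_consistent_with_tail(ct, nbits, TAIL_BITS)
    without_known_tail = keys_consistent_with_tail(ct, nbits, 0)
    return {
        "true_key_survives": true_key in with_known_tail,
        "survivors": len(with_known_tail),
        "survivors_no_tail": len(without_known_tail),
        "expected_survivors": (1 << KEY_BITS) // (1 << TAIL_BITS),  # 2048
    }


if __name__ == "__main__":
    print(demo())
```

With the five zero bits known, roughly one key in 32 survives the check (about 2048 of 65536, the true key always among them), which is the "almost exactly five bits" reduction in effective keyspace Tim describes; the surviving keys still have to be examined further, which is why he calls it a reduction in the number of keys "considered in more depth" rather than a break. When the tail is unknown (`tail_bits = 0`, corresponding to padding with random bits instead of zeros) the check rejects nothing, which is the practical reason the thread favours random padding over a fixed filler.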
Cryptography-Digest Digest #749
Cryptography-Digest Digest #749, Volume #12    Fri, 22 Sep 00 19:13:01 EDT

Contents:
  Idea for online Tokens (Tom St Denis)
  New Strong Password-Authentication Software (Philip MacKenzie)
  Re: Idea for online Tokens (Doug Kuhlman)
  Re: Software patents are evil. (Bill Unruh)
  Re: New Strong Password-Authentication Software (Bill Unruh)
  Big CRC polynomials? ([EMAIL PROTECTED])
  Re: Idea for online Tokens (Tom St Denis)
  Re: Again a topic of disappearing e-mail? (/dev/null)
  Re: New Strong Password-Authentication Software (Philip MacKenzie)
  WHAT IS ANEC ENCRYPTION? ("Melinda Harris")
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: Big CRC polynomials? ("bubba")
  Re: Again a topic of disappearing e-mail? ("Joseph Ashwood")
  Re: New Strong Password-Authentication Software (David A Molnar)
  Re: Software patents are evil. (Jerry Coffin)
  Re: Software patents are evil. (Jerry Coffin)
  Re: Software patents are evil. (Jerry Coffin)
  Re: State-of-the-art in integer factorization (Jerry Coffin)

From: Tom St Denis [EMAIL PROTECTED]
Subject: Idea for online Tokens
Date: Fri, 22 Sep 2000 18:25:58 GMT

let's say I want to give you a "token" that will let me keep tabs on what you use (say live audio off the net) but not let you steal or pretend to be the server.

So instead of using a symmetric key (would violate the last cond) I use RSA this way (and this is nothing new so bear with me)

Make up the N = pq part. Then pick 'e' randomly and solve for 'd'. Then give the user (e, N) and keep (d, N). The user can now only decrypt from anyone using (d, N) presumably the server.

Is this a weak usage of RSA? What other non math attacks are there on this simple idea?

Tom

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: Philip MacKenzie [EMAIL PROTECTED]
Subject: New Strong Password-Authentication Software
Date: Fri, 22 Sep 2000 15:21:45 -0400

*** PAK SOFTWARE AVAILABLE FOR DOWNLOAD ***

Lucent has just released code for telnet and ftp with authentication based on the new PAK protocol, presented at the Eurocrypt 2000 conference. PAK is a protocol for strong password-authenticated key exchange (much like EKE, SPEKE, and SRP) but has also been PROVEN secure (as secure as Diffie-Hellman in the random oracle model). If you believe that security proofs are important (I certainly do), then you should consider checking out this new software. It is free for non-commercial use.

The code was built using Tom Wu's SRP distribution, but with the SRP authentication protocol replaced by PAK.

For more information, and to download the software, go to:
http://www.bell-labs.com/user/philmac/pak.html

-Phil MacKenzie

--

From: Doug Kuhlman [EMAIL PROTECTED]
Subject: Re: Idea for online Tokens
Date: Fri, 22 Sep 2000 14:17:06 -0500

Tom St Denis wrote:

let's say I want to give you a "token" that will let me keep tabs on what you use (say live audio off the net) but not let you steal or pretend to be the server.

So instead of using a symmetric key (would violate the last cond) I use RSA this way (and this is nothing new so bear with me)

Make up the N = pq part. Then pick 'e' randomly and solve for 'd'. Then give the user (e, N) and keep (d, N). The user can now only decrypt from anyone using (d, N) presumably the server.

Is this a weak usage of RSA? What other non math attacks are there on this simple idea?

This works just fine. Really, there is no mathematical way to distinguish between e and d. They have equal value in that sense. The reason e is usually picked as 17 or 65537 is that it has low Hamming weight (number of 1's in its binary representation) to minimize the number of operations done when using e. Obviously, since d is private, we couldn't do the same thing with it

Doug

P.S. Still doesn't tell you I'm not recording the live music for my later consumption/redistribution

--

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Software patents are evil.
Date: 22 Sep 2000 20:31:23 GMT

In VzMy5.1023$[EMAIL PROTECTED] "Paul Pires" [EMAIL PROTECTED] writes:

] seems to me to fly in the face of all evidence. The software industry
] took off with no patents. patents as a corporate tool in software has
] really only taken ahold in the past few years, and is being used to
] stifle not enhance competition and innovation. As in a criminal court,
] the evidence should be there beyond a reasonable doubt that the monopoly
] is essential before any such monopoly should be granted.

]A trial to grant a patent? If you want to kill it, get out your gun i.e.

No, not a court trial, a standard of proof.

]A constitutional amendment against this task as a role of our (US) government
]don't offer reasonable compromise to leave it castrated but in place.

?? I do not understand this sentence.
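The RSA usage Tom St Denis sketches above (random e, solve for d, hand the user (e, N) and keep (d, N)) and Doug Kuhlman's reply that nothing in the mathematics distinguishes e from d can both be checked with a few lines of code. The following is an added example, not code from either poster: the primes are toy-sized and generated deterministically in the block, the sample token value and the random seed are constructed, and it is textbook RSA on bare integers, shown only to illustrate the relationship between the two exponents, not as a protocol to deploy as written.

```python
# Added example (not from the thread): the RSA usage Tom St Denis describes,
# with a random public exponent, and Doug Kuhlman's point that e and d are
# mathematically interchangeable. Toy-sized constructed primes; textbook RSA
# on bare integers, to show the key relationship only.
import math
import random


def is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, math.isqrt(n) + 1))


def next_prime(start: int) -> int:
    """Smallest prime >= start (toy helper for the constructed parameters)."""
    n = start
    while not is_prime(n):
        n += 1
    return n


P = next_prime(1_000_000)   # constructed toy primes, far too small for real use
Q = next_prime(P + 1)


def make_keypair(p: int, q: int, rng: random.Random):
    """Pick e at random (as in the post) and solve for d = e^-1 mod phi(N).

    Returns ((e, N), (d, N)): the pair to hand to the user and the pair the
    server keeps. Nothing in the math distinguishes the two roles.
    """
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    while True:
        e = rng.randrange(3, phi)
        if math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, m: int) -> int:
    """Raise m to the exponent in key modulo N; used for both directions."""
    exp, n = key
    return pow(m, exp, n)


def hamming_weight(x: int) -> int:
    """Number of 1 bits; the cost driver Doug mentions for the exponent."""
    return bin(x).count("1")


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)
    user_key, server_key = make_keypair(P, Q, rng)
    m = 123456789  # constructed sample token value, must be below N
    c = apply_key(server_key, m)        # server produces c with (d, N)
    recovered = apply_key(user_key, c)  # user opens it with (e, N)
    # Applying the two exponents in the other order gives the same result.
    other_order = apply_key(server_key, apply_key(user_key, m))
    return {
        "roundtrip_ok": recovered == m,
        "order_irrelevant": other_order == m,
        "weight_random_e": hamming_weight(user_key[0]),
        "weight_65537": hamming_weight(65537),
    }


if __name__ == "__main__":
    print(demo())
```

The round trip works in both orders, which is Doug's point: the user holding (e, N) can open what the server produced with (d, N), and could not have produced it without d, exactly as a signature-style usage. The Hamming weight comparison shows the practical cost of choosing e at random rather than as 65537: the user's exponent has on the order of half its bits set, so every operation on the user's side does correspondingly more multiplications, which is the trade Doug describes in his reply. Doug's P.S. stands regardless: the scheme authenticates the origin of the stream, not what the recipient does with it afterwards.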
Cryptography-Digest Digest #750
Cryptography-Digest Digest #750, Volume #12    Fri, 22 Sep 00 23:13:01 EDT

Contents:
  Re: State-of-the-art in integer factorization ("Dann Corbit")
  Re: Software patents are evil. (Darren New)
  What make a cipher resistent to Differential Cryptanalysis? ("David C. Barber")
  Re: Software patents are evil. ("Dann Corbit")
  Re: What make a cipher resistent to Differential Cryptanalysis? (Tom St Denis)
  Re: Software patents are evil. (Bill Unruh)
  Re: Software patents are evil. (Bill Unruh)
  Re: winace encryption algorithm (correction) (David Hopwood)
  Re: t (David Hopwood)
  Re: Tying Up Loose Ends - Correction (David Hopwood)
  How many possible keys does a Playfair cipher have? (Alex)

From: "Dann Corbit" [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: State-of-the-art in integer factorization
Date: Fri, 22 Sep 2000 16:20:18 -0700

"Jerry Coffin" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
In article 8qfefu$g2v$[EMAIL PROTECTED], [EMAIL PROTECTED] says...
In article 8qedb0$c49$[EMAIL PROTECTED], [EMAIL PROTECTED] (Ed Pugh) wrote:
Bob Silverman ([EMAIL PROTECTED]) writes:

Nothing has been written. Improvements have been only incremental. (i.e. slightly faster machines, a few more percent squeezed from code, etc.). There hasn't been a new algorithm in 11 years.

Well, at least none that the NSA have let on about, anyway. ;-)

That's right because the public open academia are just stupid people.

I don't think anybody's said that. Keep in mind, however, that the NSA has a LOT of extremely smart people. Right now, there are probably no more than a dozen or so mathematicians producing most of the world's knowledge of factoring. Most of them work more or less separately from each other, and most of them have LOTS of other duties in addition to studying factoring.

On the other hand, with the internet, worldwide communication of ideas is practically instantaneous. I rather suspect that a brilliant idea is as likely to spring from some new genius as it is from someone the NSA has employed. Could be some unknown grad student. After all, Lenstra, Ramanujan, and everybody else like that were simply grad students at one time themselves. For that matter, what remarkable new algorithm has the NSA invented? Are there *any*?

Furthermore, like any government agency, the employees will have a lot more to do than their jobs. Just like a teacher at a university must "publish or perish" -- similarly government workers have a bazillion silly tasks on their hands and bureaucratic hoops to jump through. To imagine that the NSA members are a bunch of the world's most intellectual number theory experts who do nothing but sit around and try to figure out how to factor is surely a monstrous misnomer. If there is solid evidence to the contrary to show that I am wrong, I would love to hear about it.

The NSA probably has at least as many mathematicians of the same talent level,

If there were mathematicians of the same talent level we would know who they were. They would have to publish remarkable findings and excel at a university first in order for both us and the government to take notice. Can anyone name 5 super-duper Ramanujan/Gauss/Euler/etc level mathematicians who work for NSA? I doubt it. But it's possible. Do you know many mathematicians who would rather work at the NSA than at a university or in private industry?

and can afford to saddle them with fewer ancillary responsibilities.

But I would be astonished if it really turned out that way. We are talking about the *Government* here.

Consider teamwork possibilities as well: think of a situation where you can get a half-dozen people each the caliber of Bob Silverman or Arjen Lenstra, and give them time to brainstorm on a regular basis.

Wouldn't people like that generally prefer to work in a place where they can publish what they find? Private industry generally pays better than the government also.

--
C-FAQ: http://www.eskimo.com/~scs/C-faq/top.html
"The C-FAQ Book" ISBN 0-201-84519-9
C.A.P. FAQ: ftp://38.168.214.175/pub/Chess%20Analysis%20Project%20FAQ.htm

--

From: Darren New [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Software patents are evil.
Date: Fri, 22 Sep 2000 23:25:46 GMT

Jerry Coffin wrote:

Keep in mind that if something is currently protected by a valid patent, then nobody did it more than 20 years ago.

Nonsense. One company I worked for had to license a patent that was applied for three years after we'd been selling what they described as a commercial service.

I think if all the patents were valid, there would be much less complaining.

But _IF_ I don't want to get such a help ?

Fine, don't take it. If you don't want to use the patented invention, nobody says you have to.

Unless you're already using it, of course. Then