Cryptography-Digest Digest #737

2000-09-22 Thread Digestifier

Cryptography-Digest Digest #737, Volume #12  Fri, 22 Sep 00 05:13:00 EDT

Contents:
  ANNOUNCE New VB Cryptography Book ([EMAIL PROTECTED])
  Re: Tying Up Loose Ends - Correction (Benjamin Goldberg)
  Ever heard of this device? NT Sentinel ("[EMAIL PROTECTED]")
  Re: CDMA tracking (was Re: GSM tracking) (Jerry Coffin)
  Re: IBM analysis secret. (Jerry Coffin)
  Re: t (John Savard)
  Re: Simple hash function (wtshaw)
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: Tying Up Loose Ends - Correction (John Savard)
  Re: XOR (John Savard)
  Re: t (John Savard)
  Re: t (John Savard)
  Re: t ("Douglas A. Gwyn")
  Re: Revilo P. Oliver: Cryptanalyst? ("Douglas A. Gwyn")
  Re: t (Runu Knips)
  Re: t (Mok-Kong Shen)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)
  Re: Proper way to intro a new algorithm to sci.crypt? (Mok-Kong Shen)
  Re: IBM analysis secret. (Roger Schlafly)
  Again a topic of disappearing e-mail? (Mok-Kong Shen)



From: [EMAIL PROTECTED]
Subject: ANNOUNCE New VB Cryptography Book
Date: Fri, 22 Sep 2000 02:32:03 GMT

John Wiley & Sons has recently published Richard Bondi's "Cryptography
for Visual Basic: A Programmer's Guide to the Microsoft CryptoAPI" that
includes the source code for CryptoAPI COM wrappers. Bruce Schneier,
author of the best-selling "Applied Cryptography", has kindly endorsed
it by saying that "this is essential reading for anyone who needs to
understand Microsoft's CryptoAPI, its strengths and its limitations."

You can review the open source code and documentation at
www.geocities.com/richardbondi.

Best,
Richard Bondi


Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Date: Fri, 22 Sep 2000 03:02:58 GMT

SCOTT19U.ZIP_GUY wrote:
 [EMAIL PROTECTED] (Mok-Kong Shen) wrote:
 Tim Tyler wrote:
  Mok-Kong Shen [EMAIL PROTECTED] wrote:
  : If my message is over one hundred bytes, do you think
  : that I need to care about wasting 5 bits?? [...]
 
  At worst, this can reduce the size of keyspace by a factor of 32.
 
 Sorry, I don't understand. What do you mean by 'keyspace'
 here? This is the message space. The message gets longer
 by 5 bits. There is no information in the above of how
 big the key is. Do I lose or gain security by, say,
 always appending 5 0's to the ciphertext?
 
   I thought we are talking about compressing then encrypting.
 If you always add 5 zeros or any other fixed amount of bits
 after a compressed string or any file for that matter which is
 then encrypted, the attacker knows what the last few bits are
 and throws out keys that don't match. So if the last five bits
 of a file are known then it means you reduce your key space by
 5 bits.

Reducing the message space by x bits does *not* reduce the keyspace by x
bits...  How much the keyspace is reduced depends on the unicity
distance.

--
... perfection has been reached not when there is nothing left to
add, but when there is nothing left to take away. (from RFC 1925)

--

From: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
Subject: Ever heard of this device? NT Sentinel
Date: Thu, 21 Sep 2000 20:40:25 -0700

Northern Telecom Sentinel
Model # NTA005

Data Encryptor 2400 - 64Kbs


Thanks,
Mike





--

From: Jerry Coffin [EMAIL PROTECTED]
Subject: Re: CDMA tracking (was Re: GSM tracking)
Date: Thu, 21 Sep 2000 21:44:41 -0600

In article [EMAIL PROTECTED], roger_95073@my-dejanews.com says...

[ ... ] 

 What if I (accidentally or deliberately) disconnected the battery
 in Vegas, and then reconnected when I got home. Then the phone
 would report that I had been in Vegas?

I'd have to look back to be sure -- the phone I was looking at has 
both volatile and non-volatile memory.  Offhand, I don't remember 
which of these this particular data is stored in.  Obviously enough, 
if it's stored in the volatile memory, then removing all power will 
destroy the contents, but if it's in the non-volatile memory, 
removing power won't.  As I said, I honestly don't remember which it 
gets stored in though.

-- 
Later,
Jerry.

The Universe is a figment of its own imagination.

--

From: Jerry Coffin [EMAIL PROTECTED]
Subject: Re: IBM analysis secret.
Date: Thu, 21 Sep 2000 21:52:02 -0600

In article 8qe653$3gp$[EMAIL PROTECTED], 
[EMAIL PROTECTED] says...
 Hi,
 
 I remember once reading about that IBM knew about differential analysis
 when analyzing DES 10 years before it was "discovered" by the science
 community, and kept it a secret for the count of the NSA.
 
 Now when I'm checking it up, it does not seem to be right at all.

It seems likely to be true to some degree or other.  IBM had been 
working on various ciphers under the Lucifer project, and most of 
them prior to DES were/are subject to differential 

Cryptography-Digest Digest #738, Volume #12  Fri, 22 Sep 00 07:13:01 EDT

Contents:
  Re: Software patents are evil. (David Rush)
  Re: Again a topic of disappearing e-mail? (Runu Knips)
  Re: t ("Trevor L. Jackson, III")
  Re: What am I missing? (Sagie)
  Re: PGP 6.5.8 source code published ([EMAIL PROTECTED])
  Re: CDMA tracking (was Re: GSM tracking) (Sagie)
  Re: Maximal security for a resources-limited microcontroller (Sagie)
  Re: Maximal security for a resources-limited microcontroller (Sagie)
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Maximal security for a resources-limited microcontroller (Paul Rubin)



From: David Rush [EMAIL PROTECTED]
Subject: Re: Software patents are evil.
Date: 22 Sep 2000 10:23:19 +0100

"Trevor L. Jackson, III" [EMAIL PROTECTED] writes:
 Bill Unruh wrote:
  In [EMAIL PROTECTED] "Trevor L. Jackson, III"
  [EMAIL PROTECTED] writes: 
  Patents have had almost nothing to do with software until
  recently. Yet, you could not say that software has suffered in the
  US. 
 
 Devil's advocate position.  Resolved: that the low quality of US
 software is due to the lack of an effective protection for
 intellectual property. 

Oooh. I feel the first rumblings of a paradigm shift.

 dominated by cost differences.  So a company that prices its
 software higher than the competition to cover serious development

I've been there. My first startup, back in 1985 had this problem. That
was when I concluded that the American myth of the better mousetrap
was false, and that better salesmen were the ones who truly get
rewarded. u$oft has only confirmed my suspicions.

 Effective IP would restore the balance between quality and cost and
 reduce the domination of the first-to-market mentality.

Actually, you could easily extend your argument to say that the
open source movement has come about due to that first-to-market
mentality. I know for myself, that if I'm looking for high-quality
software I'll take a mature open source project any day of the week.
And I work on open source because I *can* produce good work without
having to deal with the 'first is better than best' reality of the
software marketplace.

Of course this also implies that Richard Stallman has propagated more
evil than Bill Gates...

 Conclusion: I can say that software has suffered in the US if low
 quality counts as suffering.

I am definitely feeling some rumblings in my paradigm.

david rush
-- 
Next to the right of liberty, the right of property is the most
important individual right ... and ... has contributed more to the
growth of civilization than any other institution established by the
human race.
-- Popular Government (William Howard Taft)

--

Date: Fri, 22 Sep 2000 11:30:32 +0200
From: Runu Knips [EMAIL PROTECTED]
Subject: Re: Again a topic of disappearing e-mail?

Mok-Kong Shen wrote:
 Email users will soon be able to erase the messages they send
 from the recipient's hard drive using software called SafeMessage
 that a company called AbsoluteFuture is releasing today.
 SafeMessage destroys messages within a certain amount of time
 after the recipient opens them, erasing all footprints on PC
 hard drives and computer servers, says AbsoluteFuture CEO Graham
 Andrews. Law enforcement officials worry that criminals and
 terrorists will use SafeMessage to conceal their communications,
 arguing that fighting crime effectively in the digital age
 requires email tracing. Meanwhile, privacy advocates applaud
 the new software. One oil executive says he uses a beta version
 of SafeMessage to prevent rivals from accessing his messages.
http://www.usatoday.com/usatonline/2920/2662888s.htm

Pfft as if this is something noticeable. Using PGP and removing
the email by hand has the same effect, doesn't it?

--

Date: Fri, 22 Sep 2000 05:43:19 -0400
From: "Trevor L. Jackson, III" [EMAIL PROTECTED]
Subject: Re: t

John Savard wrote:

 On Thu, 21 Sep 2000 16:34:39 GMT, "John R."
 [EMAIL PROTECTED] wrote, in part:

  But the plot is cliched. I can guess how the book begins. Something
  like:

  T
  NNT
  NF
  TOT
  TOF
  FOT
  TIT
  FIT
  FIF
  TET
  FEF
  TAT
  LTR
  LNNTR
  LNFR
  LTOTR
  LTOFR
  LFOTR
  LTITR
  LFITR
  LFIFR
  LTETR
  LFEFR
  LTATR
  TALFOTR
  NLLTAFROTR
  NLFOFR
  NLTIFR
  NLTEFR
  NLFETR
  NLTAFR
  NLFATR
  NLFAFR

 Now, I am new to all this, and was wondering if someone could explain,
 or point me in the direction to understand it.

 Each of these lines of text is a true statement. They're designed to
 make it possible to figure out what the characters mean.

 Thus, the original part

 T
 NNT
 NF

 makes sense if T stands for true, F stands for false, and N stands for
 negation, as represented by ~ in Boolean algebra.

 I then went on to introduce the basic operators: A for AND, O for OR,
 I for implication, and E for equivalence (not XOR).

 

Cryptography-Digest Digest #739, Volume #12  Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Re: Again a topic of disappearing e-mail? (Tom St Denis)
  Re: State-of-the-art in integer factorization (Tom St Denis)
  Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])
  Cryptography FAQ (02/10: Net Etiquette) ([EMAIL PROTECTED])
  Cryptography FAQ (03/10: Basic Cryptology) ([EMAIL PROTECTED])



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Again a topic of disappearing e-mail?
Date: Fri, 22 Sep 2000 11:08:14 GMT

In article [EMAIL PROTECTED],
  Runu Knips [EMAIL PROTECTED] wrote:
 Mok-Kong Shen wrote:
  Email users will soon be able to erase the messages they send
  from the recipient's hard drive using software called SafeMessage
  that a company called AbsoluteFuture is releasing today.
  SafeMessage destroys messages within a certain amount of time
  after the recipient opens them, erasing all footprints on PC
  hard drives and computer servers, says AbsoluteFuture CEO Graham
  Andrews. Law enforcement officials worry that criminals and
  terrorists will use SafeMessage to conceal their communications,
  arguing that fighting crime effectively in the digital age
  requires email tracing. Meanwhile, privacy advocates applaud
  the new software. One oil executive says he uses a beta version
  of SafeMessage to prevent rivals from accessing his messages.
 http://www.usatoday.com/usatonline/2920/2662888s.htm

 Pfft as if this is something noticeable. Using PGP and removing
 the email by hand has the same effect, doesn't it?

Not to mention if the user is stupid enough to print it off, all is
lost!

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: State-of-the-art in integer factorization
Date: Fri, 22 Sep 2000 11:06:49 GMT

In article 8qedb0$c49$[EMAIL PROTECTED],
  [EMAIL PROTECTED] (Ed Pugh) wrote:
 Bob Silverman ([EMAIL PROTECTED]) writes:
 
  Nothing has been written. Improvements have been only incremental.
  (i.e. slightly faster machines, a few more percent squeezed from
  code, etc.).  There hasn't been a new algorithm in 11 years.

 Well, at least none that the NSA have let on about, anyway. ;-)

That's right because the public open academia are just stupid people.
Not to mention that virtually all milestones in factoring were public
endeavours [sp].

Try reading euro/asia crypt from about 81 to now and you will see a
plethora of factoring papers, especially the QS, the NFS, and various
other methods I didn't know of till I read it.

Tom



--

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (01/10: Overview)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:28 GMT

Archive-name: cryptography-faq/part01
Last-modified: 1999/06/27


This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.

Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.

Archives: sci.crypt has been archived since October 1991 on
ripem.msu.edu, though these archives are available only to U.S. and
Canadian users. Another site is rpub.cl.msu.edu in /pub/crypt/sci.crypt/ 
from Jan 1992.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.

The fields `Last-modified' and `Version' at the top of each part track
revisions.


1999: There is a project underway to reorganize, expand, and update the
sci.crypt FAQ, pending the resolution of some minor legal issues. The
new FAQ will have two pieces. The first piece will be a series of web
pages. The second piece will be a short posting, focusing on the
questions that really are frequently asked.

In the meantime, if you need 

Cryptography-Digest Digest #740, Volume #12  Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (04/10: Mathematical Cryptology) ([EMAIL PROTECTED])



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (04/10: Mathematical Cryptology)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:29 GMT

Archive-name: cryptography-faq/part04
Last-modified: 93/10/10

This is the fourth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents:

4.1. In mathematical terms, what is a private-key cryptosystem?
4.2. What is an attack?
4.3. What's the advantage of formulating all this mathematically?
4.4. Why is the one-time pad secure?
4.5. What's a ciphertext-only attack?
4.6. What's a known-plaintext attack?
4.7. What's a chosen-plaintext attack?
4.8. In mathematical terms, what can you say about brute-force attacks?
4.9. What's a key-guessing attack? What's entropy?


Reader, beware: This section is highly mathematical. Well, maybe not
_highly_ mathematical, but it's got a bunch of symbols and scary-looking
formulas. You have been warned.


4.1. In mathematical terms, what is a private-key cryptosystem?

  A private-key cryptosystem consists of an encryption system E and a
  decryption system D. The encryption system E is a collection of
  functions E_K, indexed by ``keys'' K, mapping some set of
  ``plaintexts'' P to some set of ``ciphertexts'' C. Similarly the
  decryption system D is a collection of functions D_K such that
  D_K(E_K(P)) = P for every plaintext P. That is, successful decryption
  of ciphertext into plaintext is accomplished using the same key
  (index) as was used for the corresponding encryption of plaintext
  into ciphertext. Such systems, where the same key value is used to
  encrypt and decrypt, are also known as ``symmetric'' cryptosystems.

4.2. What is an attack?

  In intuitive terms a (passive) attack on a cryptosystem is any method
  of starting with some information about plaintexts and their
  corresponding ciphertexts under some (unknown) key, and figuring out
  more information about the plaintexts. It's possible to state
  mathematically what this means. Here we go.

  Fix functions F, G, and H of n variables. Fix an encryption system E,
  and fix a distribution of plaintexts and keys.

  An attack on E using G assuming F giving H with probability p is an
  algorithm A with a pair f, g of inputs and one output h, such that
  there is probability p of computing h = H(P_1,...,P_n), if we have
  f = F(P_1,...,P_n) and g = G(E_K(P_1),...,E_K(P_n)). Note that this
  probability depends on the distribution of the vector (K,P_1,...,P_n).

  The attack is trivial (or ``pointless'') if there is probability at
  least p of computing h = H(P_1,...,P_n) if f = F(P_1,...,P_n) and
  g = G(C_1,...,C_n). Here C_1,...,C_n range uniformly over the possible
  ciphertexts, and have no particular relation to P_1,...,P_n. In other
  words, an attack is trivial if it doesn't actually use the encryptions
  E_K(P_1),...,E_K(P_n).

  An attack is called ``one-ciphertext'' if n = 1, ``two-ciphertext'' if
  n = 2, and so on.

4.3. What's the advantage of formulating all this mathematically?

  In basic cryptology you can never prove that a cryptosystem is secure.
  Read part 3: we keep saying ``a strong cryptosystem must have this
  property, but having this property is no guarantee that a cryptosystem
  is strong!''

  In contrast, the purpose of mathematical cryptology is to precisely
  formulate and, if possible, prove the statement that a cryptosystem is
  strong. We say, for example, that a cryptosystem is secure against
  all (passive) attacks if any nontrivial attack against the system (as
  defined above) is too slow to be practical. If we can prove this
  statement then we have confidence that our cryptosystem will resist
  any (passive) cryptanalytic technique. If we can reduce this statement
  to some well-known unsolved problem then we still have confidence that
  the cryptosystem isn't easy to break.

  Other parts of cryptology are also amenable to mathematical
  definition. Again the point is to explicitly identify what assumptions
  we're making and prove that they produce the desired results. We can
  figure out what it means for a particular cryptosystem to be used
  properly: it just means that the assumptions are valid.

  The same methodology is useful for 

Cryptography-Digest Digest #741, Volume #12  Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (05/10: Product Ciphers) ([EMAIL PROTECTED])



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (05/10: Product Ciphers)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:31 GMT

Archive-name: cryptography-faq/part05
Last-modified: 94/06/07


This is the fifth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents:

5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, OFB, and PCBC encryption?


5.1. What is a product cipher?

  A product cipher is a block cipher that iterates several weak
  operations such as substitution, transposition, modular
  addition/multiplication, and linear transformation. (A ``block
  cipher'' just means a cipher that encrypts a block of data---8 bytes,
  say---all at once, then goes on to the next block.) The notion of
  product ciphers is due to Shannon [SHA49]. Examples of modern
  product ciphers include LUCIFER [SOR84], DES [NBS77], SP-networks
  [KAM78], LOKI [BRO90], FEAL [SHI84], PES [LAI90], Khufu and Khafre
  [ME91a]. The so-called Feistel ciphers are a class of product
  ciphers which operate on one half of the ciphertext at each round,
  and then swap the ciphertext halves after each round. LUCIFER,
  DES, LOKI, and FEAL are examples of Feistel ciphers.

  The following table compares the main parameters of several product 
  ciphers:

  cipher   |   block length   |   key bits   |   number of rounds
  LUCIFER  |   128            |   128        |   16
  DES      |   64             |   56         |   16
  LOKI     |   64             |   64         |   16
  FEAL     |   64             |   128        |   2^x, x >= 5
  PES      |   64             |   128        |   8

5.2. What makes a product cipher secure?

  Nobody knows how to prove mathematically that a product cipher is
  completely secure. So in practice one begins by demonstrating that the
  cipher ``looks highly random''. For example, the cipher must be
  nonlinear, and it must produce ciphertext which functionally depends
  on every bit of the plaintext and the key. Meyer [MEY78] has shown
  that at least 5 rounds of DES are required to guarantee such a
  dependence. In this sense a product cipher should act as a ``mixing''
  function which combines the plaintext, key, and ciphertext in a
  complex nonlinear fashion.

  The fixed per-round substitutions of the product cipher are
  referred to as S-boxes. For example, LUCIFER has 2 S-boxes, and DES
  has 8 S-boxes. The nonlinearity of a product cipher reduces to a
  careful design of these S-boxes. A list of partial design criteria
  for the S-boxes of DES, which apply to S-boxes in general, may be
  found in Brown [BRO89] and Brickell et al. [BRI86].

5.3. What are some group-theoretic properties of product ciphers?

  Let E be a product cipher that maps N-bit blocks to N-bit blocks.
  Let E_K(X) be the encryption of X under key K. Then, for any fixed K,
  the map sending X to E_K(X) is a permutation of the set of N-bit
  blocks. Denote this permutation by P_K. The set of all N-bit
  permutations is called the symmetric group and is written S_{2^N}.
  The collection of all these permutations P_K, where K ranges over all
  possible keys, is denoted E(S_{2^N}). If E were a random mapping from
  plaintexts to ciphertexts then we would expect E(S_{2^N}) to generate
  a large subset of S_{2^N}.
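  As a worked illustration of 5.1, 5.2 and 5.3 together, here is a toy
  8-bit Feistel cipher in Python. It is an added example and not part of
  the FAQ or of any cipher the FAQ names: the single S-box is the first
  row of DES S-box 1 (used only as a convenient 4-bit permutation), and
  the round keys are arbitrary constants. The block checks what the text
  states: decryption is the same loop with the subkeys reversed, each
  E_K is a permutation P_K of the 2^N blocks, and P_K is always an even
  permutation, so it lies in the alternating group A_{2^N} of 5.3 for
  every key (each Feistel round on halves of at least two bits is itself
  an even permutation, and a product of even permutations is even). It
  also measures the dependence property of 5.2 on the toy: how many
  rounds it takes until every ciphertext bit reacts to every plaintext
  bit.

```python
# Added example: toy 8-bit Feistel cipher (two 4-bit halves). Constructed for
# illustration; the S-box is the first row of DES S-box 1, the subkeys are
# arbitrary constants. Not a real cipher and not from the FAQ.

HALF_BITS = 4
HALF_MASK = (1 << HALF_BITS) - 1
BLOCK_BITS = 2 * HALF_BITS
N_BLOCKS = 1 << BLOCK_BITS

# First row of DES S-box 1, used here as a 4-bit -> 4-bit permutation.
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]

# Constructed round keys: one 4-bit subkey per round.
SUBKEYS = [0x3, 0xA, 0x6, 0xC, 0x1, 0xF, 0x9, 0x4]


def round_function(right, subkey):
    """f(R, k): key mixing followed by the nonlinear S-box lookup.
    f need not be invertible; the Feistel structure supplies invertibility."""
    return SBOX[(right ^ subkey) & HALF_MASK]


def feistel(block, subkeys):
    """Run the rounds. Each round transforms one half and swaps the halves.
    The final swap is undone, so running the same loop with the subkeys
    in reverse order inverts the cipher."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def encrypt(block, subkeys=SUBKEYS):
    return feistel(block, list(subkeys))


def decrypt(block, subkeys=SUBKEYS):
    return feistel(block, list(reversed(subkeys)))


def permutation(subkeys=SUBKEYS):
    """P_K as a table: position X holds E_K(X), for all 2^N blocks."""
    return [encrypt(x, subkeys) for x in range(N_BLOCKS)]


def is_permutation(table):
    return sorted(table) == list(range(len(table)))


def parity(perm):
    """0 if perm is even, 1 if odd. Decompose into cycles; a cycle of
    length m is a product of m - 1 transpositions."""
    seen = [False] * len(perm)
    transpositions = 0
    for start in range(len(perm)):
        i, length = start, 0
        while not seen[i]:
            seen[i] = True
            i = perm[i]
            length += 1
        transpositions += max(length - 1, 0)
    return transpositions % 2


def dependence_masks(subkeys):
    """For each plaintext bit i, the OR over all blocks of the ciphertext
    difference caused by flipping bit i: which output bits ever react."""
    masks = []
    for i in range(BLOCK_BITS):
        changed = 0
        for x in range(N_BLOCKS):
            changed |= encrypt(x, subkeys) ^ encrypt(x ^ (1 << i), subkeys)
        masks.append(changed)
    return masks


def rounds_for_full_dependence(subkeys=SUBKEYS):
    """Smallest round count after which every ciphertext bit depends on
    every plaintext bit, or None if the given subkeys never get there."""
    full = N_BLOCKS - 1
    for r in range(1, len(subkeys) + 1):
        if all(m == full for m in dependence_masks(subkeys[:r])):
            return r
    return None


if __name__ == "__main__":
    table = permutation()
    print("permutation:", is_permutation(table), "parity:", parity(table))
    print("rounds until full dependence:", rounds_for_full_dependence())
```

  With one or two rounds the low half of the output still depends on the
  left plaintext half only bit-for-bit, so full dependence needs at
  least three rounds on this toy; the parity check returns 0 whatever
  subkeys are supplied, which is the structural reason a Feistel cipher
  can at most generate the alternating group rather than all of S_{2^N}.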

  Coppersmith and Grossman [COP74] have shown that a very simple
  product cipher can generate the alternating group A_{2^N} given a
  sufficient number of rounds. (The alternating group is half of the
  symmetric group: it consists of all ``even'' permutations, i.e., all
  permutations which can be written as an even number of 

Cryptography-Digest Digest #742, Volume #12  Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (06/10: Public Key Cryptography) ([EMAIL PROTECTED])
  Cryptography FAQ (07/10: Digital Signatures) ([EMAIL PROTECTED])



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (06/10: Public Key Cryptography)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:32 GMT

Archive-name: cryptography-faq/part06
Last-modified: 94/06/07


This is the sixth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents:

6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'


6.1. What is public-key cryptography?

  In a classic cryptosystem, we have encryption functions E_K and
  decryption functions D_K such that D_K(E_K(P)) = P for any plaintext
  P. In a public-key cryptosystem, E_K can be easily computed from some
  ``public key'' X which in turn is computed from K. X is published, so
  that anyone can encrypt messages. If decryption D_K cannot be easily 
  computed from public key X without knowledge of private key K, but 
  readily with knowledge of K, then only the person who generated K can 
  decrypt messages. That's the essence of public-key cryptography, 
  introduced by Diffie and Hellman in 1976. 
  
  This document describes only the rudiments of public key cryptography.
  There is an extensive literature on security models for public-key 
  cryptography, applications of public-key cryptography, other 
  applications of the mathematical technology behind public-key 
  cryptography, and so on; consult the references at the end for more 
  refined and thorough presentations.

6.2. How does public-key cryptography solve cryptography's Catch-22?

  In a classic cryptosystem, if you want your friends to be able to
  send secret messages to you, you have to make sure nobody other than
  them sees the key K. In a public-key cryptosystem, you just publish 
  X, and you don't have to worry about spies. Hence public key 
  cryptography `solves' one of the most vexing problems of all prior 
  cryptography: the necessity of establishing a secure channel for the 
  exchange of the key. To establish a secure channel one uses 
  cryptography, but private key cryptography requires a secure channel! 
  In resolving the dilemma, public key cryptography has been considered 
  by many to be a `revolutionary technology,' representing a 
  breakthrough that makes routine communication encryption practical 
  and potentially ubiquitous.

6.3. What is the role of the `trapdoor function' in public key schemes?
  
  Intrinsic to public key cryptography is a `trapdoor function' D_K 
  with the properties that computation in one direction (encryption, 
  E_K) is easy and in the other is virtually impossible (attack,
  determining P from encryption E_K(P) and public key X). Furthermore, 
  it has the special property that the reversal of the computation 
  (decryption, D_K) is again tractable if the private key K is known.

6.4. What is the role of the `session key' in public key schemes?

  In virtually all public key systems, the encryption and decryption 
  times are very lengthy compared to other block-oriented 
  algorithms such as DES for equivalent data sizes. Therefore in most
  implementations of public-key systems, a temporary, random `session 
  key' of much smaller length than the message is generated for each 
  message and alone encrypted by the public key algorithm. The message 
  is actually encrypted using a faster private key algorithm with the 
  session key. At the receiver side, the session key is decrypted using 
  the public-key algorithms and the recovered `plaintext' key is used 
  to decrypt the message.
  
  The session key approach blurs the distinction between `keys' and 
  `messages' -- in the scheme, the message includes the key, and the 
  key itself is treated as an encryptable `message'. 
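  The structure of 6.1 through 6.4, as an added example in Python that is
  not part of the FAQ: a trapdoor function (textbook RSA, which 6.5 goes
  on to describe) wraps a short random session key, and the message body
  is encrypted under that key with a fast symmetric stand-in. Everything
  here is constructed for illustration: the primes are the 10,000th and
  100,000th primes (far too small for real use), there is no padding, and
  the "faster private key algorithm" is a SHA-256 counter-mode keystream.
  The modular inverse uses pow(e, -1, phi), which needs Python 3.8 or
  later.

```python
# Added example (not from the FAQ): a trapdoor function wrapping a session key.
# Toy textbook RSA with two small, well-known primes and no padding; the
# symmetric part is a SHA-256 counter-mode keystream. Illustrates the
# structure of hybrid encryption only.
import hashlib
import os

TOY_P = 104729       # 10,000th prime (constructed toy parameter)
TOY_Q = 1299709      # 100,000th prime (constructed toy parameter)
TOY_E = 65537

SESSION_KEY_BYTES = 4   # kept tiny so the key, read as an integer, is below n


def toy_rsa_keygen(p=TOY_P, q=TOY_Q, e=TOY_E):
    """Returns (public key X, private key K). X = (n, e) is published;
    d is the trapdoor that only the key's owner holds."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def trapdoor_forward(public, m):
    """E_K computed from X alone: anyone can go in this direction."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message integer must be below the modulus")
    return pow(m, e, n)


def trapdoor_inverse(private, c):
    """D_K: easy with the private exponent d, intended to be hard without it."""
    n, d = private
    return pow(c, d, n)


def keystream(session_key, length):
    """Expand the session key into `length` bytes: SHA-256 over key||counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hybrid_encrypt(public, message, session_key=None):
    """6.4: a fresh random session key is encrypted with the public-key
    algorithm; the (arbitrarily long) message is encrypted under that key
    with the fast symmetric algorithm. Returns (wrapped key, body)."""
    if session_key is None:
        session_key = os.urandom(SESSION_KEY_BYTES)
    k = int.from_bytes(session_key, "big")
    wrapped = trapdoor_forward(public, k)
    body = xor_bytes(message, keystream(session_key, len(message)))
    return wrapped, body


def hybrid_decrypt(private, blob):
    """Receiver: unwrap the session key through the trapdoor, then undo
    the symmetric encryption of the body with the recovered key."""
    wrapped, body = blob
    k = trapdoor_inverse(private, wrapped)
    session_key = k.to_bytes(SESSION_KEY_BYTES, "big")
    return xor_bytes(body, keystream(session_key, len(body)))


def roundtrip(message, session_key=None):
    """Generate keys, encrypt, decrypt; returns the recovered plaintext."""
    public, private = toy_rsa_keygen()
    return hybrid_decrypt(private, hybrid_encrypt(public, message, session_key))
```

  Only the wrapped session key passes through the slow public-key
  operation; the body, however long, costs one hash per 32 bytes. The
  blurring the last paragraph describes is visible in hybrid_encrypt:
  the session key is just a small integer message for the trapdoor.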

Cryptography-Digest Digest #743, Volume #12  Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (08/10: Technical Miscellany) ([EMAIL PROTECTED])
  Cryptography FAQ (09/10: Other Miscellany) ([EMAIL PROTECTED])



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (08/10: Technical Miscellany)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:33 GMT

Archive-name: cryptography-faq/part08
Last-modified: 94/01/25


This is the eighth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents

8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?


8.1. How do I recover from lost passwords in WordPerfect?

  WordPerfect encryption has been shown to be very easy to break.
  The method uses XOR with two repeating key streams: a typed password
  and a byte-wide counter initialized to 1+the password length. Full
  descriptions are given in Bennett [BEN87] and Bergen and Caelli
  [BER91].

  Chris Galas writes: ``Someone a while back was looking for a way to
  decrypt WordPerfect document files and I think I have a solution. 
  There is a software company named: Accessdata (87 East 600 South,
  Orem, UT 84058), 1-800-658-5199 that has a software package that will
  decrypt any WordPerfect, Lotus 1-2-3, Quattro Pro, MS Excel and Paradox
  files. The cost of the package is $185. Steep prices, but if you
  think your pw key is less than 10 characters, (or 10 char) give them a
  call and ask for the free demo disk. The demo disk will decrypt files
  that have a 10 char or less pw key.'' Bruce Schneier says the phone
  number for AccessData is 801-224-6970.

8.2. How do I break a Vigenere (repeated-key) cipher?

  A repeated-key cipher, where the ciphertext is something like the
  plaintext xor KEYKEYKEYKEY (and so on), is called a Vigenere cipher.
  If the key is not too long and the plaintext is in English, do the
  following: 

  1. Discover the length of the key by counting coincidences.
  (See Gaines [GAI44], Sinkov [SIN66].) Trying each displacement of
  the ciphertext against itself, count those bytes which are equal. 
  If the two ciphertext portions have used the same key, something
  over 6% of the bytes will be equal. If they have used different
  keys, then less than 0.4% will be equal (assuming random 8-bit bytes
  of key covering normal ASCII text). The smallest displacement which
  indicates an equal key is the length of the repeated key.

  2. Shift the text by that length and XOR it with itself. This
  removes the key and leaves you with text XORed with itself. Since
  English has about 1 bit of real information per byte, 2 streams of
  text XORed together have 2 bits of info per 8-bit byte, providing
  plenty of redundancy for choosing a unique decryption. (And in fact
  one stream of text XORed with itself has just 1 bit per byte.)

  If the key is short, it might be even easier to treat this as a
  standard polyalphabetic substitution. All the old cryptanalysis
  texts show how to break those. It's possible with those methods, in
  the hands of an expert, if there's only ten times as much text as key.
  See, for example, Gaines [GAI44], Sinkov [SIN66].
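  The two steps above worked through in Python, as an added example that
  is not code from the FAQ. The plaintext, the 7-byte key and the 3%
  cut-off (chosen to sit between the FAQ's >6% and <0.4% figures) are
  constructed assumptions for the demonstration.

```python
# Added example, not part of the FAQ: the two steps of section 8.2 applied to
# a repeated-key XOR cipher. The plaintext and the 7-byte key are constructed
# for this demonstration; the 3% cut-off is an assumption chosen to sit
# between the FAQ's figures of >6% (same key) and <0.4% (different keys).

def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Repeated-key XOR ('plaintext xor KEYKEYKEY...'); encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def coincidence_rate(ct: bytes, shift: int) -> float:
    """Step 1: slide the ciphertext against itself by `shift` and return the
    fraction of positions where the two bytes are equal."""
    pairs = len(ct) - shift
    equal = sum(1 for i in range(pairs) if ct[i] == ct[i + shift])
    return equal / pairs

def find_key_length(ct: bytes, max_len: int = 40, threshold: float = 0.03) -> int:
    """Smallest displacement whose coincidence rate is far above the
    random-key rate; that displacement is the key length."""
    for shift in range(1, max_len + 1):
        if coincidence_rate(ct, shift) > threshold:
            return shift
    raise ValueError("no displacement up to max_len looks like a key period")

def strip_key(ct: bytes, keylen: int) -> bytes:
    """Step 2: XOR the ciphertext with itself shifted by the key length.
    The key cancels, leaving plaintext XOR shifted plaintext."""
    return bytes(ct[i] ^ ct[i + keylen] for i in range(len(ct) - keylen))

# Constructed sample: ordinary lower-case English, about 600 bytes.
PLAINTEXT = (
    b"the quick brown fox jumps over the lazy dog while the farmer counts "
    b"his sheep in the field beside the river. every morning the village "
    b"baker opens his shop before dawn and the smell of fresh bread drifts "
    b"down the narrow street. children walk to school past the old stone "
    b"church and the market square where traders sell apples, cheese and "
    b"woollen cloth. in the evening the fishermen return with their catch "
    b"and the whole town gathers at the harbour to hear news from the boats. "
    b"nobody remembers a winter as cold as the last one, when the pond froze "
    b"solid and the mill wheel stood still for three weeks."
)
KEY = bytes([0x0F, 0x3A, 0x55, 0x6C, 0x93, 0xA6, 0xC9])  # constructed 7-byte key

def demo() -> int:
    """Encrypt the sample, recover the key length, then cancel the key."""
    ct = xor_repeating_key(PLAINTEXT, KEY)
    keylen = find_key_length(ct)
    for s in range(1, keylen + 1):
        print(f"shift {s:2d}: {100 * coincidence_rate(ct, s):5.2f}% equal")
    # With the key removed, what remains is PLAINTEXT xor PLAINTEXT[keylen:].
    assert strip_key(ct, keylen) == strip_key(PLAINTEXT, keylen)
    return keylen

if __name__ == "__main__":
    print("key length:", demo())
```

  Shifts 1 to 6 pair up different key bytes and show almost no equal
  bytes; shift 7 aligns equal key bytes and the rate jumps to the
  plaintext's own coincidence rate.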

8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]

  Here's one popular method, using the des command:

cat file | compress | des private_key | uuencode | mail

  Meanwhile, there is a de jure Internet standard in the works called
  PEM (Privacy Enhanced Mail). It is described in RFCs 1421 through
  1424. To join the PEM mailing list, contact [EMAIL PROTECTED]
  There is a beta version of PEM being tested at the time of this
  writing.

  There are also two 

Cryptography-Digest Digest #745

2000-09-22 Thread Digestifier

Cryptography-Digest Digest #745, Volume #12  Fri, 22 Sep 00 08:13:00 EDT

Contents:
  [SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.1.1 (Shannon Appel)



From: Shannon Appel [EMAIL PROTECTED]
Subject: [SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.1.1
Crossposted-To: alt.security,comp.security.misc,comp.protocols,comp.infosystems.www.misc,alt.answers,comp.answers,news.answers,sci.answers
Date: 22 Sep 2000 11:21:26 GMT

Content-type: text/x-usenet-FAQ;
version=1.1;
title="[SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.1.1"
Archive-name: computer-security/ssl-talk-faq
Posting-Frequency: monthly
Last-modified: Nov 16 12:00:00 PST 1998
Version: 1.1.1 (text) Mon Nov 16 12:00:00 PST 1998
URL: http://www.consensus.com/security/ssl-talk-faq.html
Copyright-Notice: (c) Copyright 1996-1998 by Consensus Development Corporation -- All Rights Reserved


  SSL-Talk FAQ
Secure Sockets Layer Discussion List FAQ v1.1.1

  Mon Nov 16 12:00:00 PST 1998

   FAQ Maintained by:
  Shannon Appel [EMAIL PROTECTED]
Consensus Development Corporation
http://www.consensus.com/

 The latest edition of this FAQ can always be found at:
  http://www.consensus.com/security/ssl-talk-faq.html
   http://www.consensus.com/security/ssl-talk-faq.txt

  Copyright (c) 1996-1998 Consensus Development Corporation - All Rights 
  Reserved

* 
Due to the November 15, 1998 dissolution of the SSL-Talk mailing 
list, this will be the last version of this FAQ in its current form. 
It will be replaced by a more general TLS & SSL FAQ in the near 
future that is not tied to any mailing list or newsgroup. 
*

All information contained in this work is provided "as is." All
warranties, expressed, implied or statutory, concerning the accuracy
of the information of the suitability for any particular use are
hereby specifically disclaimed. While every effort has been taken to
ensure the accuracy of the information contained in this work,
the authors assume(s) no responsibility for errors or omissions or
for damages resulting from the use of the information contained
herein.

This work may be copied in any printed or electronic form for
non-commercial, personal, or educational purposes if the work is not
modified in any way, provided that the copyright notice, the notices 
of any other author included in this work, and this copyright 
agreement appear on all copies.

Consensus Development Corporation also grants permission to
distribute this work in electronic form over computer networks for
other purposes, provided that, in addition to the terms and
restrictions set forth above, Consensus Development Corporation
and/or other cited authors are notified and that no fees are charged
for access to the information in excess of normal online charges
that are required for such distribution.

This work may also be mentioned, cited, referred to or described
(but not copied or distributed, except as authorized above) in
printed publications, on-line services, other electronic
communications media, and otherwise, provided that Consensus
Development Corporation and any other cited author receives
appropriate attribution.

Comments about, suggestions about, or corrections to this document
are welcomed. If you would like to ask us to change this document
in some way, the method we appreciate most is for you to actually
make the desired modifications to a copy of the posting, and then to
send us the modified document, or a context diff between the posted
version and your modified version (if you do the latter, make sure
to include in your mail the "Version:" line from the posted
version). Submitting changes in this way makes dealing with them
easier for us and helps to avoid misunderstandings about what you
are suggesting.

Many people have in the past provided feedback and corrections; we
thank them for their input.

In particular, many thanks to:

Christopher Allen [EMAIL PROTECTED]
Shannon Appel [EMAIL PROTECTED]
Nelson Bolyard [EMAIL PROTECTED]
Tim Dierks [EMAIL PROTECTED]
Eric Greenberg [EMAIL PROTECTED]
Charles Neerdaels [EMAIL PROTECTED]
Bruce Schneier [EMAIL PROTECTED]
Tom Weinstein [EMAIL PROTECTED]
Jonathan Zamick [EMAIL PROTECTED]

Remaining ambiguities, errors, and difficult-to-read passages are
not their fault. :)

==

CONTENTS

1) THE 

Cryptography-Digest Digest #744

2000-09-22 Thread Digestifier

Cryptography-Digest Digest #744, Volume #12  Fri, 22 Sep 00 08:13:00 EDT

Contents:
  Cryptography FAQ (10/10: References) ([EMAIL PROTECTED])



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (10/10: References)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 22 Sep 2000 11:20:36 GMT

Archive-name: cryptography-faq/part10
Last-modified: 94/06/13


This is the tenth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in this part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents

10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups


10.1. Books on history and classical methods

  [FRIE1] Lambros D. Callimahos, William F. Friedman, Military Cryptanalytics.
  Aegean Park Press, ?.
  [DEA85] Cipher A. Deavours & Louis Kruh, Machine Cryptography and
  Modern Cryptanalysis. Artech House, 610 Washington St.,
  Dedham, MA 02026, 1985.
  [FRIE2] William F. Friedman, Solving German Codes in World War I.
  Aegean Park Press, ?.
  [GAI44] H. Gaines, Cryptanalysis, a study of ciphers and their
  solution. Dover Publications, 1944.
  [HIN00] F.H.Hinsley, et al., British Intelligence in the Second
  World War. Cambridge University Press. (vols. 1, 2, 3a, 3b
  & 4, so far). XXX Years and authors, fix XXX
  [HOD83] Andrew Hodges, Alan Turing: The Enigma. Burnett Books
  Ltd., 1983
  [KAH91] David Kahn, Seizing the Enigma. Houghton Mifflin, 1991.
  [KAH67] D. Kahn, The Codebreakers. Macmillan Publishing, 1967.
  [history] [The abridged paperback edition left out most
  technical details; the original hardcover edition is
  recommended.]
  [KOZ84] W. Kozaczuk, Enigma. University Publications of America, 1984
  [KUL76] S. Kullback, Statistical Methods in Cryptanalysis. Aegean
  Park Press, 1976.
  [SIN66] A. Sinkov, Elementary Cryptanalysis. Math. Assoc. Am. 1966.
  [WEL82] Gordon Welchman, The Hut Six Story. McGraw-Hill, 1982.
  [YARDL] Herbert O. Yardley, The American Black Chamber. Aegean Park
  Press, ?.

10.2. Books on modern methods

  [BEK82] H. Beker, F. Piper, Cipher Systems. Wiley, 1982.
  [BRA88] G. Brassard, Modern Cryptology: a tutorial.
  Springer-Verlag, 1988.
  [DEN82] D. Denning, Cryptography and Data Security. Addison-Wesley
  Publishing Company, 1982.
  [KOB89] N. Koblitz, A course in number theory and cryptography.
  Springer-Verlag, 1987.
  [KON81] A. Konheim, Cryptography: a primer. Wiley, 1981.
  [MEY82] C. Meyer and S. Matyas, Cryptography: A new dimension in
  computer security. Wiley, 1982.
  [PAT87] Wayne Patterson, Mathematical Cryptology for Computer
  Scientists and Mathematicians. Rowman & Littlefield, 1987.
  [PFL89] C. Pfleeger, Security in Computing. Prentice-Hall, 1989.
  [PRI84] W. Price, D. Davies, Security for computer networks. Wiley, 1984. 
  [RUE86] R. Rueppel, Design and Analysis of Stream Ciphers.
  Springer-Verlag, 1986.
  [SAL90] A. Salomaa, Public-key cryptography. Springer-Verlag, 1990.
  [SCH94] B. Schneier, Applied Cryptography. John Wiley & Sons, 1994.
  [errata avbl from [EMAIL PROTECTED]]
  [WEL88] D. Welsh, Codes and Cryptography. Clarendon Press, 1988.

10.3. Survey articles

  [ANG83] D. Angluin, D. Lichtenstein, Provable Security in Crypto-
  systems: a survey. Yale University, Department of Computer
  Science, #288, 1983.
  [BET90] T. Beth, Algorithm engineering for public key algorithms.
  IEEE Selected Areas of Communication, 1(4), 458--466,
  1990.
  [DAV83] M. Davio, J. Goethals, Elements of cryptology. in Secure
  Digital Communications, G. Longo ed., 1--57, 1983.
  [DIF79] W. Diffie, M. Hellman, Privacy and Authentication: An
  introduction to cryptography. IEEE proceedings, 67(3),
  397--427, 1979.
  [DIF88] W. Diffie, The first ten years of public key cryptography.
  IEEE proceedings, 76(5), 560--577, 1988.
  [FEI73] H. Feistel, Cryptography and Computer Privacy. Scientific 
  American, 228(5), 15--23, 1973.
  [FEI75] H. Feistel, W. Notz, J. Lynn Smith. Some cryptographic
  techniques for 

Cryptography-Digest Digest #746

2000-09-22 Thread Digestifier

Cryptography-Digest Digest #746, Volume #12  Fri, 22 Sep 00 10:13:01 EDT

Contents:
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: State-of-the-art in integer factorization (Jeffrey Williams)
  Re: State-of-the-art in integer factorization (David Blackman)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)
  Re: Again a topic of disappearing e-mail? (Mok-Kong Shen)
  Re: PGP 6.5.8 source code published ("M.Bädeker")
  Re: RSA public exponent ([EMAIL PROTECTED])
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: t ("John A. Malley")
  Re: Revilo P. Oliver: Cryptanalyst? (John Savard)
  Re: IBM analysis secret. (John Savard)
  Re: t (John Savard)
  Re: t (John Savard)
  Re: My e-mail to Jim Gillogly -- YO, JIM!!??? (I'm annoyed at you) ("Kevin N. Stone")



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Sep 2000 11:11:05 GMT

John Savard [EMAIL PROTECTED] wrote:
: On Wed, 20 Sep 2000 15:03:10 GMT, Tim Tyler [EMAIL PROTECTED] wrote:

:An alternative - which I've not seen discussed on this forum - would be
:to use an encryption device which is capable of encrypting variable length
:bitstrings, and is not confined to multiples of 8 bits.  I attribute this
:idea to David Scott.

: No, don't.

: Actually, encrypting that way is the 'default' idea. [...]

Hrumph.

Variable length cyphers that can accommodate strings of an arbitrary number
of bits are not terribly common - unless you count XOR based stream
cyphers - which I don't regard favourably in the first place.

Cyphers that can deal with fractional bitstream lengths are even less
common - the only one that I know of is the Hasty Pudding cypher.
[http://www.cs.arizona.edu/~rcs/hpc/]  I'm sure there are others, but they
are the exception - rather than the rule.

Anyway - since I seem to have been misinterpreted - I'd better state that
the idea of using such an encryption scheme to resolve the
Huffman/Arithmetic file ending problem is (AFAIK) David's idea.

I have no illusions that he invented the idea of using encryption schemes
which can cope with variable numbers of bits.  This isn't the first time
I've cited the Hasty Pudding cypher as being able to deal with very fine
file-length graduations.
-- 
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Sep 2000 11:31:08 GMT

John Savard [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote, in part:

:If you want to obscure the length of the file from your adversary, as
:much random padding as you like can be used at this stage.

: False. If padding is added *after* encryption, one has to [...]
: indicate where the padding starts in the clear so that decryption will
: act on the right bits.

That's true.  You have to distinguish the message from the padding in some
way - regardless of where you do it.  Doing it inside encryption has
some problems of its own.

: If the padding is genuinely random, adding it before encryption won't
: cause a security problem: 

I agree - though there are still some problems distinguishing the padding
from the data, unless we're still talking about padding 8 bits onto the
end of a Huffman file.

If there are any other problems in this area, they are with the premise.

: [...] and does avoid the kinds of problem I was concerned with - the
: teensy bit of redundancy left in by a scheme aimed precisely at getting
: the last little teensy bit out.

I would still like to see a Huffman scheme with this type of padding
implemented, so I can verify experimentally that it does flatten out
the redundancy exactly - since any theoretical argument for it doing
so is not yet clear to me.

I certainly agree that padding with random partial Huffman symbols is
better than padding with zeros - in terms of flattening out the frequency
distribution of the last byte.
-- 
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Sep 2000 11:47:35 GMT

John Savard [EMAIL PROTECTED] wrote:
:TT wrote:

:If you want to obscure the length of the file from your adversary, as
:much random padding as you like can be used at this stage.

: False. If padding is added *after* encryption, one has to [...]
: indicate where the padding starts in the clear so that decryption will
: act on the right bits.

I wonder if someone can help me here.  I don't 

Cryptography-Digest Digest #748

2000-09-22 Thread Digestifier

Cryptography-Digest Digest #748, Volume #12  Fri, 22 Sep 00 14:13:01 EDT

Contents:
  Re: Software patents are evil. ("Paul Pires")
  Re: Carnivore article in October CACM _Inside_Risks ([EMAIL PROTECTED])
  Re: t (Mok-Kong Shen)
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: IBM analysis secret. (SCOTT19U.ZIP_GUY)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)



From: "Paul Pires" [EMAIL PROTECTED]
Subject: Re: Software patents are evil.
Date: Fri, 22 Sep 2000 10:23:07 -0700


Bill Unruh [EMAIL PROTECTED] wrote in message
news:8qdu5a$n9b$[EMAIL PROTECTED]...
 In HXsy5.2330$[EMAIL PROTECTED] "Paul Pires"
[EMAIL PROTECTED] writes:


 ]Bill Unruh [EMAIL PROTECTED] wrote in message
 ]news:8qdf0a$dj3$[EMAIL PROTECTED]...
 ] In [EMAIL PROTECTED] "Trevor L. Jackson, III"
[EMAIL PROTECTED]
 ]writes:
 ] ] Patents have had almost nothing to do with software until recently. Yet,
 ] ] you could not say that software has suffered in the US.
 ]
 ] ]Well, given that we have no control against which to test the history of
 ] ]software in the US, and given that the software industry is fairly young
 ] ]there does not seem to be much that can be said in a definitive way.  Yet,
 ] ]for the purposes of discussion, I can take a Devil's advocate position.
 ] ]Resolved: that the low quality of US software is due to the lack of an
 ] ]effective protection for intellectual property.
 ]
 ] Low quality is almost always due to a lack of competition, not a lack
 ] of intellectual property rights. The USSR had immense intellectual and
 ] other property rights protections-- manufacturers were handed monopolies
 ] on all kinds of goods. There is no evidence whatsoever that this
 ] resulted in the manufacturers spending time and effort to make sure that
 ] their products were the best possible. Just the reverse.

 ]Why do you continually insert the monopoly practices of the former USSR into
 ]the discussion? What, it happened there so it could happen here? The issue
 ]isn't whether state-sanctioned monopolistic practices are good or bad but
 ]whether the particular one under discussion is. Hey, they were bad. Guess
 ]what, they are gone. Move on.

 Because it is an example of a country which instituted precisely the
 kind of restrictions on the economic system, for reasons which are very
 similar to the reasons which you give.

"Precisely" and "similar"? I don't think so (Just my opinion). Their reasons are
unimportant, it was their actions that proved to be problematical.

 Of course it is not the same. Of
 course it differs in detail. But your argument is that monopoly leads to
 better products for the consumer. My counterargument is that it does
 not, as has been tested by various countries. One should learn from
 history, not just "move on" or we will repeat all of the same mistakes.
 The USSR did not get where it was on purpose or through evil intent. It
 was trying to set up a much fairer economic system than the predatory,
 wasteful, exploitative capitalist system, a system which would produce
 more and better goods for the consumers without the costs of capitalism.

Why it failed is a matter of opinion and I have one different from yours.

 It failed. Monopolies are not a good idea. Patents are monopolies.
 Thus the question arises as to whether the benefits which accrue to
 society through the conditions set on the monopolies granted by patents
 outweigh the costs that monopolies invariably bring with themselves.
 In the case where those benefits do not clearly and demonstrably (not
 theoretically) outweigh the costs, monopolies should not be granted, and
 then should be granted for as short a time as possible and still reap
 the clear benefits to society.

 In my opinion software patents do not fulfill these criteria. They grant
 monopolies without a  clear benefit ( except of course to the
 monopolist).

 Your arguments were all theoretical and of exactly the kind used by the
 Soviets to justify their experiment.

Bad logic. Just because the rationale behind A & B are identical, doesn't
mean the processes A & B are identical. Both of our arguments are equally
theoretical. Any claim that you have that history is behind yours is just bad
science.


 ] ]First, the low quality is evaluated against what we know could/should be
 ] ]done rather than against what is done in other countries (where IP
 ] ]protection is even less effective).  Second, the observation that
 ] ]intellectual property is not effectively protected is demonstrated by the
 ] ]Lotus 123 suits (vs Visi and vs clones) and the Xerox/Apple vs Microsoft/HP
 ] ]suit.  I submit that there was appreciable intellectual property at issue,
 ] ]and that the good guys lost.
 ]
 ] Well, I sure would not argue that the good guys lost in the Look and
 ] Feel cases, if that is what you refer to. Those cases were 

Cryptography-Digest Digest #747

2000-09-22 Thread Digestifier

Cryptography-Digest Digest #747, Volume #12  Fri, 22 Sep 00 14:13:01 EDT

Contents:
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: State-of-the-art in integer factorization ("Sam Simpson")
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Tying Up Loose Ends - Correction ("Trevor L. Jackson, III")
  Re: State-of-the-art in integer factorization (JCA)
  Re: Dr Mike's "Implementing Elliptic Curve Cryptography" - reader comment (DJohn37050)
  Re: IBM analysis secret. (DJohn37050)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)
  Re: Tying Up Loose Ends - Correction (Mok-Kong Shen)
  Re: Music Industry wants hacking information for cheap (Scott Craver)
  Re: What am I missing? (Scott Craver)
  Re: 3DES - keyoptions ("Neil McKeeney")
  Re: t (rot26)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Sep 2000 14:04:26 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote:
: Tim Tyler wrote:
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:
: : [EMAIL PROTECTED] (Benjamin Goldberg) wrote:
: :SCOTT19U.ZIP_GUY wrote:
: : [EMAIL PROTECTED] (Mok-Kong Shen) wrote:
: : Tim Tyler wrote:
: :  Mok-Kong Shen [EMAIL PROTECTED] wrote:

: :  : If my message is over one hundred bytes, do you think
: :  : that I need to care about wasting 5 bits?? [...]
: : 
: :  At worst, this can reduce the size of keyspace by a factor of 32.
: : 
: : Sorry, I don't understand. What do you mean by 'keyspace'
: : here? This is the message space. The message gets longer
: : by 5 bits. There is no information in the above of how
: : big the key is. [...]
: :
: :   I thought we are talking about compressing then encrypting.
: : If you always add 5 zeros or any other fixed amount of bits
: : after a compressed string or any file for that matter which is
: : then encrypted. The attacker knows what the last few bits are
: : and throws out keys that don't match. So if the last five bits
: : of a file are known then it means you reduce your key space by
: : 5 bits.
: :
: :Reducing the message space by x bits does *not* reduce the keyspace by x
: :bits...  How much the keyspace is reduced depends on the unicity
: :distance.

[...]

: If one was *replacing* five bits at the end of the message by 0s,
: the effect would depend on the unicity distance [because those
: bits might have been known already].

: No. [...]

I believe what I wrote was correct.

: Consider this: Encryption algorithm A encrypts, with
: a key K, blocks of 64 bits and produces ciphertext of
: same number of blocks of same lengths. Encryption 
: Algorithm B uses the key K to do the same and append
: at the end 5 0's. [...]

That's different from replacing symbols at the end of
a message - which is what I said I was discussing.

: Now the ciphertext of algorithm B is longer than the ciphertext of
: algorithm A. Does that matter excepting the transmission cost?

There's five "0"s worth of known plaintext.

: Where does the 'keyspace' play a role here at all?

The known plaintext allows you to reject keys.  You might not otherwise
be able to do this, or might not be able to do it with such speed,
or certainty.  This reduces the effective number of keys that need
to be considered in more depth.  It might (or might not) make a
difference to the time taken to break the system.

: That's not what David was talking about.  David is discussing the
: effect of adding an additional section of known plaintext to the
: end of the file.  This normally has the effect of decreasing the
: keyspace by almost exactly five bits - provided the effective
: keyspace doesn't go negative, of course.

: No. [...]

I think what I wrote was correct.

: He was criticizing my end-of-file symbol taking up extra bits. [...]

Yes.  He also discussed the possible costs of reserving a symbol
for this purpose.
-- 
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Breast is best.
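An added example, not code from anyone in the thread, that measures the
key rejection described above: a constructed toy stream cipher with a
16-bit key (SHA-256 of the key as keystream) is small enough that every
key can be tried, so the number of keys that survive a run of known
trailing 0 bits can be counted directly. The cipher, message and key are
assumptions made for the demo.

```python
# Added example, not from the thread: measuring how many keys an attacker can
# reject when a file ends in five known 0 bits. The cipher is a constructed
# toy (16-bit key, SHA-256 of the key used as the keystream) so the whole
# keyspace can be searched; the message and the key are constructed too.
import hashlib

KEY_BITS = 16
KEYSPACE = 1 << KEY_BITS

def keystream(key: int, nbits: int) -> int:
    """Toy keystream: the leading nbits of SHA-256(key), as an integer."""
    digest = hashlib.sha256(key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)

def pad_with_zero_bits(msg: int, nbits: int, pad_bits: int):
    """Append pad_bits known 0 bits (the 'five 0's' of the thread)."""
    return msg << pad_bits, nbits + pad_bits

def encrypt(msg: int, nbits: int, key: int) -> int:
    """XOR the nbits-long message with the keystream."""
    return msg ^ keystream(key, nbits)

def consistent_keys(ct: int, nbits: int, pad_bits: int) -> list:
    """Every key whose trial decryption ends in the pad_bits known 0 bits.
    All other keys are rejected without looking at the rest of the text."""
    mask = (1 << pad_bits) - 1
    return [k for k in range(KEYSPACE) if (ct ^ keystream(k, nbits)) & mask == 0]

def survivors(pad_bits: int, key: int = 0xBEEF, msg: bytes = b"Hi!") -> tuple:
    """Return (number of keys left, whether the true key is among them).
    Each known bit halves the survivors, so five bits leave about 1/32."""
    m, n = pad_with_zero_bits(int.from_bytes(msg, "big"), 8 * len(msg), pad_bits)
    ct = encrypt(m, n, key)
    keys = consistent_keys(ct, n, pad_bits)
    return len(keys), key in keys

if __name__ == "__main__":
    for pad in (0, 5, 10):
        left, ok = survivors(pad)
        print(f"{pad:2d} known bits: {left:6d} of {KEYSPACE} keys remain "
              f"(expected about {KEYSPACE >> pad}), true key kept: {ok}")
```

The surviving keys still have to be tested against the rest of the
message, which is where the unicity distance enters; the appended known
bits only supply the first, cheap filter.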

--

From: "Sam Simpson" [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: State-of-the-art in integer factorization
Date: Fri, 22 Sep 2000 15:21:58 +0100

Erm, RSA and DH equivalents were found by GCHQ prior to the public
disclosures.  Your point was? ;)

Just because euro/asia crypt publish QS/NFS papers, how does this
reflect upon the abilities of NSA / GCHQ etc?

--
Sam Simpson
Comms Analyst
http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption 
Delphi Crypto Components.  PGP Keys available at the same site.

Tom St Denis [EMAIL PROTECTED] wrote in message
news:8qfefu$g2v$[EMAIL PROTECTED]...
 In article 8qedb0$c49$[EMAIL PROTECTED],
   [EMAIL PROTECTED] (Ed Pugh) wrote:
  Bob Silverman ([EMAIL PROTECTED]) writes:
  
   Nothing has been written. Improvements have been only
incremental.
   (i.e. slightly faster machines, a few more percent squeezed
from
   

Cryptography-Digest Digest #749

2000-09-22 Thread Digestifier

Cryptography-Digest Digest #749, Volume #12  Fri, 22 Sep 00 19:13:01 EDT

Contents:
  Idea for online Tokens (Tom St Denis)
  New Strong Password-Authentication Software (Philip MacKenzie)
  Re: Idea for online Tokens (Doug Kuhlman)
  Re: Software patents are evil. (Bill Unruh)
  Re: New Strong Password-Authentication Software (Bill Unruh)
  Big CRC polynomials? ([EMAIL PROTECTED])
  Re: Idea for online Tokens (Tom St Denis)
  Re: Again a topic of disappearing e-mail? (/dev/null)
  Re: New Strong Password-Authentication Software (Philip MacKenzie)
  WHAT IS ANEC ENCRYPTION? ("Melinda Harris")
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  Re: Big CRC polynomials? ("bubba")
  Re: Again a topic of disappearing e-mail? ("Joseph Ashwood")
  Re: New Strong Password-Authentication Software (David A Molnar)
  Re: Software patents are evil. (Jerry Coffin)
  Re: Software patents are evil. (Jerry Coffin)
  Re: Software patents are evil. (Jerry Coffin)
  Re: State-of-the-art in integer factorization (Jerry Coffin)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Idea for online Tokens
Date: Fri, 22 Sep 2000 18:25:58 GMT

let's say I want to give you a "token" that will let me keep tabs on
what you use (say live audio off the net) but not let you steal or
pretend to be the server.

So instead of using a symmetric key (would violate the last cond) I use
RSA this way (and this is nothing new so bear with me)

Make up the N = pq part.  Then pick 'e' randomly and solve for 'd'.
Then give the user (e, N) and keep (d, N).  The user can now only
decrypt from anyone using (d, N) presumably the server.

Is this a weak usage of RSA?  What other non math attacks are there on
this simple idea?

Tom



--

From: Philip MacKenzie [EMAIL PROTECTED]
Subject: New Strong Password-Authentication Software
Date: Fri, 22 Sep 2000 15:21:45 -0400

*** PAK SOFTWARE AVAILABLE FOR DOWNLOAD ***

Lucent has just released code for telnet and ftp with authentication
based on the new PAK protocol, presented at the Eurocrypt 2000
conference.  PAK is a protocol for strong password-authenticated
key exchange (much like EKE, SPEKE, and SRP) but has also
been PROVEN secure (as secure as Diffie-Hellman in the 
random oracle model).  If you believe that security proofs
are important (I certainly do), then you should consider
checking out this new software.  It is free for non-commercial use.

The code was built using Tom Wu's SRP distribution, but with
the SRP authentication protocol replaced by PAK.

For more information, and to download the software, go to:
http://www.bell-labs.com/user/philmac/pak.html

-Phil MacKenzie

--

From: Doug Kuhlman [EMAIL PROTECTED]
Subject: Re: Idea for online Tokens
Date: Fri, 22 Sep 2000 14:17:06 -0500



Tom St Denis wrote:
 
 let's say I want to give you a "token" that will let me keep tabs on
 what you use (say live audio off the net) but not let you steal or
 pretend to be the server.
 
 So instead of using a symmetric key (would violate the last cond) I use
 RSA this way (and this is nothing new so bear with me)
 
 Make up the N = pq part.  Then pick 'e' randomly and solve for 'd'.
 Then give the user (e, N) and keep (d, N).  The user can now only
 decrypt from anyone using (d, N) presumably the server.
 
 Is this a weak usage of RSA?  What other non math attacks are there on
 this simple idea?
 
This works just fine.  Really, there is no mathematical way to
distinguish between e and d.  They have equal value in that sense.  The
reason e is usually picked as 17 or 65537 is that it has low Hamming
weight (number of 1's in its binary representation) to minimize the
number of operations done when using e.  Obviously, since d is private,
we couldn't do the same thing with it.

Doug

P.S.  Still doesn't tell you I'm not recording the live music for my
later consumption/redistribution
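The scheme Tom describes and Doug's point that e and d are
interchangeable, as an added example with toy RSA numbers (not code from
either poster). The primes, the seed and the sample message are
constructed; real keys need large primes and a padding scheme.

```python
# Added example, not from the thread: the token scheme above with toy RSA
# numbers. The primes, the seed and the sample message are constructed here;
# real keys need large primes and a proper padding scheme.
import random
from math import gcd

def make_token_keys(p: int, q: int, rng: random.Random):
    """Pick e at random, solve for d, hand (e, N) to the user and keep (d, N).
    A random e is only usable when gcd(e, phi) == 1, so retry until it is."""
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = rng.randrange(3, phi)
        if gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def rsa(x: int, exponent: int, n: int) -> int:
    """Plain RSA: x^exponent mod n, used for either exponent."""
    return pow(x, exponent, n)

def hamming_weight(x: int) -> int:
    return bin(x).count("1")

def demo(seed: int = 20000922) -> dict:
    rng = random.Random(seed)
    (e, n), (d, _) = make_token_keys(61, 53, rng)   # toy primes, n = 3233
    msg = 1234
    token = rsa(msg, d, n)            # server produces a token with d
    opened = rsa(token, e, n)         # user opens it with e
    # Doug's point: e and d are interchangeable; the other direction works too.
    round_trip = rsa(rsa(msg, e, n), d, n)
    # The user cannot mint tokens: applying e twice does not get back to msg,
    # because e*e is (in general) not e*d mod phi(n).
    forged = rsa(rsa(msg, e, n), e, n)
    return {
        "e": e, "d": d, "n": n,
        "user_opens_token": opened == msg,
        "roles_swap": round_trip == msg,
        "forgery_opens": forged == msg,
        "weight_random_e": hamming_weight(e),
        "weight_65537": hamming_weight(65537),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Giving the user (e, N) and keeping (d, N) is the same arrangement as an RSA
signature: the server signs with d and the user verifies with e, so nothing
about the secrecy of d is lost, but a random e costs more to apply than
65537 does.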

--

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Software patents are evil.
Date: 22 Sep 2000 20:31:23 GMT

In VzMy5.1023$[EMAIL PROTECTED] "Paul Pires" [EMAIL PROTECTED] 
writes:
] seems to me to fly in the face of all evidence. The software industry
] took off with no patents. patents as a corporate tool in software has
] really only taken ahold in the past few years, and is being used to
] stifle not enhance competition and innovation. As in a criminal court,
] the evidence should be there beyond a reasonable doubt that the monopoly
] is essential before any such monopoly should be granted.

]A trial to grant a patent? If you want to kill it, get out your gun i.e.

No,  not a court trial, a standard of proof. 

]A constitutional amendment against this task as a role of our (US) government
]don't offer reasonable compromise to leave it castrated but in place.

?? I do not understand this sentence.


Cryptography-Digest Digest #750

2000-09-22 Thread Digestifier

Cryptography-Digest Digest #750, Volume #12  Fri, 22 Sep 00 23:13:01 EDT

Contents:
  Re: State-of-the-art in integer factorization ("Dann Corbit")
  Re: Software patents are evil. (Darren New)
  What make a cipher resistent to Differential Cryptanalysis? ("David C. Barber")
  Re: Software patents are evil. ("Dann Corbit")
  Re: What make a cipher resistent to Differential Cryptanalysis? (Tom St Denis)
  Re: Software patents are evil. (Bill Unruh)
  Re: Software patents are evil. (Bill Unruh)
  Re: winace encryption algorithm (correction) (David Hopwood)
  Re: t (David Hopwood)
  Re: Tying Up Loose Ends - Correction (David Hopwood)
  How many possible keys does a Playfair cipher have? (Alex)



From: "Dann Corbit" [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: State-of-the-art in integer factorization
Date: Fri, 22 Sep 2000 16:20:18 -0700

"Jerry Coffin" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 In article 8qfefu$g2v$[EMAIL PROTECTED], [EMAIL PROTECTED]
 says...
  In article 8qedb0$c49$[EMAIL PROTECTED],
[EMAIL PROTECTED] (Ed Pugh) wrote:
   Bob Silverman ([EMAIL PROTECTED]) writes:
   
Nothing has been written. Improvements have been only incremental.
(i.e. slightly faster machines, a few more percent squeezed from
code, etc.).  There hasn't been a new algorithm in 11 years.
  
   Well, at least none that the NSA have let on about, anyway. ;-)
 
  That's right because the public open academia are just stupid people.

 I don't think anybody's said that.  Keep in mind, however, that the
 NSA has a LOT of extremely smart people.  Right now, there are
 probably no more than a dozen or so mathematicians producing most of
 the world's knowledge of factoring.  Most of them work more or less
 separately from each other, and most of them have LOTS of other
 duties in addition to studying factoring.

On the other hand, with the internet, worldwide communication of ideas is
practically instantaneous.  I rather suspect that a brilliant idea is as
likely to spring from some new genius as it is from someone the NSA has
employed.  Could be some unknown grad student.  After all, Lenstra,
Ramanujan, and everybody else like that were simply grad students at one
time themselves.

For that matter, what remarkable new algorithm has the NSA invented?  Are
there *any*?

Furthermore, like any government agency, the employees will have a lot more
to do than their jobs.  Just like a teacher at a university must "publish or
perish" -- similarly government workers have a bazillion silly tasks on
their hands and bureaucratic hoops to jump through.  To imagine that the NSA
members are a bunch of the world's most intellectual number theory experts
who do nothing but sit around and try to figure out how to factor is surely
a monstrous misnomer.  If there is solid evidence to the contrary to show
that I am wrong, I would love to hear about it.

 The NSA probably has at
 least as many mathematicians of the same talent level,

If there were mathematicians of the same talent level we would know who they
were.  They would have to publish remarkable findings and excel at a
university first in order for both us and the government to take notice.
Can anyone name 5 super-duper Ramanujan/Gauss/Euler/etc level mathematicians
who work for NSA?

I doubt it.  But it's possible.  Do you know many mathematicians who would
rather work at the NSA than at a university or in private industry?

 and can afford
 to saddle them with fewer ancillary responsibilities.

But I would be astonished if it really turned out that way.  We are talking
about the *Government* here.

 Consider teamwork possibilities as well: think of a situation where
 you can get a half-dozen people each the caliber of Bob Silverman or
 Arjen Lenstra, and give them time to brainstorm on a regular basis.

Wouldn't people like that generally prefer to work in a place where they can
publish what they find?  Private industry generally pays better than the
government also.
--
C-FAQ: http://www.eskimo.com/~scs/C-faq/top.html
 "The C-FAQ Book" ISBN 0-201-84519-9
C.A.P. FAQ: ftp://38.168.214.175/pub/Chess%20Analysis%20Project%20FAQ.htm
--

From: Darren New [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Software patents are evil.
Date: Fri, 22 Sep 2000 23:25:46 GMT

Jerry Coffin wrote:
 Keep in mind that if something is
 currently protected by a valid patent, then nobody did it more than
 20 years ago.

Nonsense. One company I worked for had to license a patent that was applied
for three years after we'd been selling what they described as a commercial
service.  I think if all the patents were valid, there would be much less
complaining.

  But _IF_ I don't want to get such a help ?
 
 Fine, don't take it.  If you don't want to use the patented
 invention, nobody says you have to.

Unless you're already using it, of course. Then