Cryptography-Digest Digest #516, Volume #10       Sat, 6 Nov 99 05:13:04 EST

Contents:
  Re: Incompatible algorithms (Scott Fluhrer)
  Re: questions on smart cards (Hideo Shimizu)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Louis)
  Re: How protect HDisk against Customs when entering Great Britain (Menial Roky)
  Re: PGP Cracked ? ("Trevor Jackson, III")
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Douglas Zare)
  Re: How protect HDisk against Customs when entering Great Britain ("Trevor Jackson, III")
  Re: Compression: A ? for David Scott (Tom)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("Douglas de la Torre")
  Re: PGP Cracked ? (zentara)

----------------------------------------------------------------------------

From: Scott Fluhrer <[EMAIL PROTECTED]>
Subject: Re: Incompatible algorithms
Date: Sat, 06 Nov 1999 02:18:23 GMT

In article <7vvdkm$6dg$[EMAIL PROTECTED]>,
        Tom St Denis <[EMAIL PROTECTED]> wrote:
>
>You got my point I suppose.  MARS implemented three 'levels' of
>crypto.  An initial key mixing, some linear mixing, some crypto rounds,
>more linear mixing and key mixing.  These three layers are nowhere
>near 'compatible' in any sense such as K1 = K2.

And where exactly is the proof that there exists no E2 that is a
composite of E1 and E:

    E2(M) = E1(E(M))

whose order of magnitude to break the ciphertext is the same as the order 
of magnitude to break the ciphertext produced by applying E then E1 to 
the plaintext (which was Mr. Polk's question)?  The fact that you, I or
the entire crypto community has thought about it really hard, and don't
have any ideas how to break E2 as easily as E1 or E doesn't mean there
isn't a way.

If (as I read it) Mr. Polk was asking about the composite of two
operations being provably more difficult than either of its components,
then the only answer is that no one has provable nontrivial lower
bounds in cryptography (other than, say, OTP and the Rip Van Winkle
cipher, neither of which apply), and (AFAIK) no one knows what such a
proof would even look like.

-- 
poncho
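An added worked example, not part of poncho's post, of the point that the
composition E2(M) = E1(E(M)) carries no proof of being harder to break than
either component. The toy cipher used here is the affine cipher
x -> a*x + b (mod 26), chosen for illustration (the thread does not discuss
it): affine keys are closed under composition, so E1(E(M)) is simply a third
affine cipher, and the same 312-key brute force that breaks E or E1 breaks
the double encryption. The plaintext and keys below are constructed.

```python
from math import gcd
from string import ascii_uppercase

MOD = 26
ALPHABET = ascii_uppercase


def affine_encrypt(text, a, b):
    """E_{a,b}(x) = a*x + b (mod 26) on A..Z; a must be invertible mod 26."""
    if gcd(a, MOD) != 1:
        raise ValueError("a must be coprime to 26")
    return "".join(ALPHABET[(a * ALPHABET.index(c) + b) % MOD] for c in text)


def affine_decrypt(text, a, b):
    """Inverse: x = a^-1 * (y - b) (mod 26)."""
    a_inv = pow(a, -1, MOD)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(c) - b)) % MOD] for c in text)


def all_keys():
    """Every (a, b): 12 invertible values of a times 26 shifts = 312 keys."""
    return [(a, b) for a in range(1, MOD) if gcd(a, MOD) == 1 for b in range(MOD)]


def compose(inner, outer):
    """Key of E1(E(x)) with E = inner = (a1, b1) and E1 = outer = (a2, b2):
    a2*(a1*x + b1) + b2 = (a2*a1)*x + (a2*b1 + b2), which is still affine."""
    a1, b1 = inner
    a2, b2 = outer
    return ((a2 * a1) % MOD, (a2 * b1 + b2) % MOD)


def closed_under_composition():
    """True if composing any two keys yields a key from the same 312-key set,
    i.e. double encryption never leaves the single-cipher key space."""
    keys = set(all_keys())
    return all(compose(k1, k2) in keys for k1 in keys for k2 in keys)


def brute_force(ciphertext, known_plaintext):
    """Recover the single affine key that maps a known plaintext to the given
    ciphertext. The same 312 trials break E1(E(M)) as easily as E(M)."""
    return [k for k in all_keys() if affine_encrypt(known_plaintext, *k) == ciphertext]


if __name__ == "__main__":
    pt = "ATTACKATDAWN"                       # constructed plaintext
    once = affine_encrypt(pt, 5, 8)           # E
    twice = affine_encrypt(once, 7, 3)        # E1(E(M))
    print(twice, compose((5, 8), (7, 3)), brute_force(twice, pt))
```

The closure check is the whole point: because the composed key (9, 7) is one
of the original 312, the attacker never needs to know that two ciphers were
applied. Real block ciphers such as MARS are not known to form a group, but,
as the post says, nobody has a proof that their compositions gain strength.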


------------------------------

From: Hideo Shimizu <[EMAIL PROTECTED]>
Subject: Re: questions on smart cards
Date: Sat, 06 Nov 1999 12:37:50 +0900

Partly.
Smartcard standards are found at credit card company's site.
EMV spec, one of them found at
http://www.mastercard.com/emv/emvspecs01.html

H. Shimizu
TAO, Japan.

------------------------------

From: Louis <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Sat, 06 Nov 1999 02:34:11 GMT

--  The idea to "use various system timers to extract data from relative
inaccuracies. Put it through some entropizing algorithm, mix well."
would be extremely slow since the quartz crystals are extremely well
correlated.
--  Taking noise from a loudspeaker/audio input in your computer is good
but the bandwidth is at most 10^6 bits per second, less if the noisy
sound is not very "loud" or not very good.
--  The digital camera watching a TV set in a Faraday cage idea doesn't
seem like an inexpensive method, but at least it has some bandwidth! You
don't have to put the TV in the Faraday cage: simply short out the
antenna inputs! This will also be better than a picture of AOL CDs
moving in the wind. (John E. Kuslich suggested to use the USB port, can
this port input 30 digital images per second?)

 >(1) how random is the TV "snow" to start with?
 Pretty good, it is generated from amplified electronic noise which is
quite unpredictable.
 > (2) what happens when you shoot the snow with the digital cam?
 > how random are the digital pictures?
 Not a good idea, you lose bandwidth and add some periodic signals.
You'd better take the luminance (intensity)
 signal directly from the circuit of your TV.
 > (3) what would be a good "mixing, distilling"
 > algorithm to be applied to the entropy in the snow-files ?
 I don't know, I'm a physicist...
 > (4) what would the throughput rate be in bits per second?
 The bandwidth of the luminance is safely one MHz.

 A problem with using the signal from a video camera is that it would be
the sum of a "random" part and a periodic part. Suppose for example that
one pixel in your camera does not respond as well to light. Every time the
image scan would pass through that pixel, the random intensity would be
decreased and your random bit would have more chance of being zero! This
would be repeated on every image, always at the same location.

 Here is a general observation for electronically generated noise:
-part of it is truly random,
-part of it is periodic (most likely appears as a periodic modulation of
the output),
-the distribution changes as the circuit is influenced by external
conditions (which may be short term, like someone talking next to the
circuit would induce a mechanical modulation that could influence the
circuit's output, cosmic rays; Long term changes could be changes in
relative humidity which fluctuate with the weather and seasons; and
anything else)
 -the random distribution changes as the circuit ages, the change being
partly random, partly predictable (near the end of its life, the circuit
may give a "1" for one million "0"; its entropy throughput is likely to
go down).
 The types of noise distributions encountered in devices have been given
different names: white noise, flicker noise, drift, pink noise, shot
noise, phase noise, etc. and can all be present in a given device.
Therefore, the "mixing, distilling" algorithm should be able to adapt to
the non-random part of the circuit's output, which is present on every
time scale. Something the mathematicians should be able to figure out.

> I'm not a physicist, an electrical engineer or a computer scientist,
so I'd welcome comments, especially about
> household devices that could be used as high-throughput entropy
generators.
> Thanks!
> David Bernier
SOME HOUSEHOLD devices in order of decreasing bandwidth:
1-Microwave oven (GigaHertz); no available output, no entropy anyway.
2-Computer (500MHz); Digital oscillators; little entropy.
3-TV (500MHz), the signal from the radio waves is not available, but the
analog video output has a bandwidth of 3MHz.
4-DVD or CD player (10MHz); Only audio is available at 20kHz.
5-VCR (3MHz), video signal from a blank tape has 3MHz bandwidth.
Unfortunately, many VCRs present a blue screen when no signal is
detected.
6-Stereo (20kHz), set on FM between 2 stations, analog noise at 20kHz.
7-Quartz Watch (5kHz), but the signal is not available. No entropy
anyway.
8-Printer (1kHz), can you interface the signals sent to your printer
head with your computer??
9-Power outlets (60 Hz), No entropy!
10-Cuckoo clock on the wall (1 Hz), Tic Tac available, but no entropy.
11-Stapler (0.0001Hz); the time intervals between the moments you use
your stapler would be a good source of random bits, but bandwidth is low
(~200bits/day).

So the "household device" winner is: "the video signal" (from a TV with
a shorted antenna, or a blank video tape).  It seems that the USB port
on your computer can handle fast data input, if not, get a video card...
 If the signal is digitized to 8 bits, you could probably get near 3MB/s
of not so bad (but not perfect) random numbers.

 Louis



Sent via Deja.com http://www.deja.com/
Before you buy.
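An added example, mine rather than Louis's, of the position-bound defect he
describes (a pixel that under-responds on every frame) and of a "mixing,
distilling" step of the kind he leaves to the mathematicians. The frames are
constructed in software, not captured video: each of 64 pixels is a uniform
8-bit luminance except one that never reads above 100. A per-position health
test flags that pixel because its bit is always zero; the remaining bits go
through von Neumann pairing and then a SHA-256 conditioner. The conditioner's
assumed 0.5 bits of min-entropy per input bit is an assumption for the
example, not a measured figure for any real source.

```python
import hashlib
import random

FRAME_PIXELS = 64   # constructed toy frame: 64 "pixels", 8-bit luminance each
STUCK_PIXEL = 17    # constructed defect: this pixel never reads above 100


def make_frames(n_frames, seed=1):
    """Constructed stand-in for digitized video snow: every pixel uniform 0..255,
    except one defective pixel that under-responds, as the post describes."""
    rng = random.Random(seed)
    frames = []
    for _ in range(n_frames):
        frame = [rng.randrange(256) for _ in range(FRAME_PIXELS)]
        frame[STUCK_PIXEL] = min(frame[STUCK_PIXEL], 100)  # periodic, position-bound bias
        frames.append(frame)
    return frames


def frame_bits(frame):
    """One raw bit per pixel: 1 if luminance >= 128, else 0 (a naive digitizer)."""
    return [1 if v >= 128 else 0 for v in frame]


def per_position_ones(frames):
    """Fraction of 1-bits observed at each pixel position across all frames."""
    counts = [0] * FRAME_PIXELS
    for frame in frames:
        for i, bit in enumerate(frame_bits(frame)):
            counts[i] += bit
    return [c / len(frames) for c in counts]


def suspect_positions(frames, tolerance=0.1):
    """Health test: a position whose 1-fraction sits far from 0.5 is carrying a
    periodic, non-random component and must be excluded from the raw stream."""
    return [i for i, p in enumerate(per_position_ones(frames)) if abs(p - 0.5) > tolerance]


def raw_stream(frames, exclude=()):
    """Concatenate raw bits frame by frame, skipping flagged positions."""
    bits = []
    for frame in frames:
        bits.extend(b for i, b in enumerate(frame_bits(frame)) if i not in exclude)
    return bits


def von_neumann(bits):
    """Debias: read bit pairs, 01 -> 0, 10 -> 1, discard 00 and 11. This removes
    a constant per-bit bias but not correlation between neighbouring bits."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


def condition(bits, in_block=512):
    """Hash conditioner. Assumption: at least 0.5 bits of min-entropy per input
    bit, so 512 input bits are compressed to one 256-bit SHA-256 output."""
    out = bytearray()
    for i in range(0, len(bits) - in_block + 1, in_block):
        block = int("".join(map(str, bits[i:i + in_block])), 2)
        out += hashlib.sha256(block.to_bytes(in_block // 8, "big")).digest()
    return bytes(out)


if __name__ == "__main__":
    frames = make_frames(2000)
    bad = suspect_positions(frames)
    clean = raw_stream(frames, exclude=set(bad))
    print("flagged positions:", bad)
    print("raw bits:", len(clean), "after von Neumann:", len(von_neumann(clean)),
          "conditioned bytes:", len(condition(clean)))
```

The health test is the part that answers Louis's worry: a defect that is
invisible in the aggregate 1-fraction (63 good pixels hide one dead one)
stands out immediately when the statistic is kept per scan position.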

------------------------------

From: [EMAIL PROTECTED] (Menial Roky)
Crossposted-To: 
alt.security.pgp,comp.security.pgp.discuss,comp.security.pgp.tech,alt.privacy,alt.privacy.anon-server
Subject: Re: How protect HDisk against Customs when entering Great Britain
Date: Sat, 06 Nov 1999 02:36:40 GMT

pgp651 <[EMAIL PROTECTED]> wrote:

>To all offended by my cross posting, I'm very sorry for what you are feeling.
>My intention was & is to receive help from 2 groups of people [ Privacy & PGP
>]. I do not consider cross posting to be bad when someone need help.

You could at least tell us which newsgroup you are actually reading, so
that we can go directly to that group and be sure of reaching you without
having to cross-post to six different newsgroups.
-- 
"Menial Roky"     better known as [EMAIL PROTECTED]
 012345 6789      <- Use this key to decode my email address.
                  Fun & Free - http://www.5X5poker.com/

------------------------------

Date: Fri, 05 Nov 1999 23:50:46 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: PGP Cracked ?

Harry Solomon wrote:

> A security expert at my place of work states that PGP can be cracked. He
> says that today being Friday he will give me my passphrase by cracking the
> code the following Tuesday, Is this possible?

A classic magician trick is to announce that you will perform some magical
change, using the future tense, when in fact that change has already taken
place.

If I were your associate, I would only make a boast such as his if I had
already obtained your password.  Almost certainly by methods other than by
cracking PGP.



------------------------------

From: Douglas Zare <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 05 Nov 1999 22:56:56 -0500

John Savard wrote:

> [EMAIL PROTECTED] (Alan Morgan) wrote, in part:
>
> >Not true (or rather, unknown).  No one knows if there are 41 quintillion
> >zeros in a row after the quintillionth digit.
>
> Apparently there IS a proof that this can't happen.
>
> For the square root of 2, there is a maximum limit to how good any
> rational approximation to it can be, because its continued fraction is
> repeating.
>
> For pi, there apparently is also a limit, called Mahler's theorem,
> which says that for any rational number p/q, | pi - p/q | is greater
> than q to the -42 power.
> [...]

Are you sure that this is the result, or just that this is the case for all
q sufficiently large? (I don't just mean q>1.) Reviews of improvements such
as (from MathSciNet) 94b:11063 11J82 Hata, Masayoshi(J-KYOTY) "A lower bound
for rational approximations to $\pi$." (English. English summary) _J. Number
Theory_ 43 (1993), no. 1, 51--67 do not mention effective bounds. If one
knows that only finitely many rationals are too close for some exponent,
then there is some exponent we don't know such that it works for all q>1,
but we still would not have any bound on that exponent, or the number of 0's
that can occur after the nth place.

In a much more elementary sense, one might not view the digits of pi as
uniformly distributed on the possibilities. First nonzero digits of
constants are not uniformly distributed on {1,2,...,9} and there are reasons
to believe that these should follow the induced measure from the uniform
measure on the circle. The effect is smaller, but it is also more likely for
a second digit to be 0 than 1, 1 than 2, etc. The total amount of usable
information this gives one is finite, but so would either statement about
rational approximations.

Douglas Zare


------------------------------

Date: Fri, 05 Nov 1999 23:45:14 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: 
alt.security.pgp,comp.security.pgp.discuss,comp.security.pgp.tech,alt.privacy,alt.privacy.anon-server
Subject: Re: How protect HDisk against Customs when entering Great Britain

Patrick Juola wrote:

> In article <[EMAIL PROTECTED]>,
> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
> >Andrew Brydon wrote:
> >
> >> Once upon a time,  pgp651 <[EMAIL PROTECTED]> wrote
> >> >
> >> >Don't we all have the right to privacy ?
> >>
> >> And don't all the children in the world have the right not to be
> >> molested and abused? That is why they scan (though I had not heard of
> >> it being done).
> >>
> >> Almost every "freedom of X" argument has a counter-side (and I am not
> >> specifically taking sides, merely pointing it out).
> >
> >Not all counter sides are valid.
> >
> >>
> >>
> >> E.g. murder is illegal, but your "right to murder" is considered lower
> >> than everyone else's "right to live in peace and no fear".
> >
> >This example is invalid.  Murder is referred to as "taking a life".  Since
> >you have no right to another's possessions, and each person possesses their
> >own life, there is no right to take another's life.
>
> Unfortunately, you can't simply make this statement -- for example,
> both soldiers and hangmen have not only a "right," but a positive
> duty to "take a life" under some circumstances.  So your "right to
> live in peace and fear" isn't absolute, and there *IS* a (potentially)
> valid counterside.

No.  Absolutely not.  You have it COMPLETELY backward.

You never, ever, have a right to take a life.  PERIOD.  You may in fact have a
duty to shoot or even kill someone.  Police officers have what is called a
"duty to act" that private citizens do not.  A private citizen can walk
away without getting involved.  A cop cannot.  A similar doctrine affects
military situations.

However, a cop never "shoots to kill".  He may use deadly force, accepting the
_risk_ of killing someone, but that is never the purpose of his act.  He always
acts to _stop_ the perpetrator, not to kill.  If his purpose is to kill he
commits murder, because he has no "right to kill".  He does have a "right to
stop", and may use all "necessary" force to accomplish that end.

The military situation is distinct from the civilian situation.  Snipers, for
instance, actually intend to kill their opponents.  However, the killing in
warfare is not an individual right.  It derives from the right of the body
politic to defend itself.  Unless you are part of the Einsatzgruppen, the purpose
of military action is not killing the enemy soldiers, but enforcing one
country's will upon another.  The _means_ is death-to-the-enemy, but the goal is
not.

Thus there is never a "right" to kill.

>
>
> More generally, validity is in the eye of the beholder -- I have opinions
> about the relative importance of various rights, you of course have
> your own, which I hope largely agree with mine.  There is, however,
> no absolute scale by which you can say "not all countersides are
> valid," since there's almost always at least one person who would
> disagree with you (in some situations).

Well, if we accept subjective arguments, including unsupported opinions, of
course we'll never converge upon agreement.  But if we trace through the issues
carefully I think we'll find common ground.  I hardly think unsupported
opinions constitute a valid "counterside" to a reasoned argument, although I
will admit domains in which there are only unsupported/able opinions.  This
isn't one of them.

In this particular instance, "right to kill", I invite you to offer an example
that you believe shows such a right.  For the reasons stated above I believe
you will not find one.  Note that I have some credentials in this realm as I
teach use-of-force doctrine several times per year.

>
>
> >The relevance of this to the issue of privacy is that one may affirm the
> >possession of prohibited materials, but justify their possession in some
> >manner.  The two classic manners are to show that the possession has a
> >purpose that overrides the prohibition or to show that the prohibition is
> >flawed (too vague, unconstitutional, improperly applied, etc.).  The
> >homicide example is based on the first kind of assertion, typically the
> >claim to be acting in defense of innocent life -- one's own.  One rarely
> >attacks the validity of the laws against murder.  ;-)
> >
> >OTOH, in the privacy realm it is much harder to show a competing harm, but
> >often not hard to show a flaw in the prohibition.
> >
> >In _neither_ case are competing rights involved in the conflict.
>
> This, bluntly, is nonsense.

I admit you have a right to hold that opinion, but I request that you defend it
rather than simply state it.

>  I have a "right" to privacy, just as
> children have a "right" to be free from exploitation.  As society itself
> is the ultimate judge of the validity of laws (after all, if they
> find a particular law to be invalid, they'll either change the laws
> *or* the rules of validity), the question is whether one of
> society as a whole values privacy over child protection (to an
> enforceable degree.)

I think you're describing the content/semantics of the issue while I was in the
form/syntax domain.

I suggest a _very_ careful definition of "right" is required to make much
headway on this topic.


------------------------------

From: [EMAIL PROTECTED] (Tom)
Subject: Re: Compression: A ? for David Scott
Date: Fri, 05 Nov 1999 09:15:03 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 05 Nov 1999 20:45:12 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
>>
>>This is coming back to the "you can't teach a pig to sing" concept.
>>
>>
>
>  Yes I see I can't teach you to sing.
>
You also can't prove your point.  BECAUSE IT ISN'T TRUE.

Not only can't you prove it, after X lines of explaining why it
DOESN'T work, the above response is the best you can come up with.  

>
>
>David A. Scott


------------------------------

From: "Douglas de la Torre" <[EMAIL PROTECTED]>
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Fri, 5 Nov 1999 23:14:54 -0800

Why not use some low bandwidth source of randomness, accumulate the bits
into a bit bucket, and then feed this to a good pseudo-random number
generator (PRNG) when you have enough bits.  If the PRNG is decent, you
could run it at a very high rate, say several Mbit/sec on a decent PC.
Re-seeding periodically with the new random values should help avert any
attacks on the PRNG algorithm.  You could lock the whole assembly in a
Faraday cage to keep the system honest.

See www.counterpane.com and look up the Yarrow PRNG for a good example of
how to implement a PRNG.
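An added example of the accumulate-then-reseed arrangement the post proposes.
It is not Counterpane's Yarrow and not code from the post: samples from a slow
source go into a SHA-256 "bit bucket" together with a caller-supplied entropy
estimate, the bucket is folded into an HMAC-SHA256 key once the estimate
reaches a threshold (256 bits here, an assumed figure), and fast output is
produced in counter mode until the next reseed. The generator refuses to emit
anything before the first reseed, and the previous key is mixed into each new
one so a reseed with poor samples cannot lower the state's quality. The
sample bytes fed in by feed() are constructed, not a real source.

```python
import hashlib
import hmac


class ReseedingGenerator:
    """Accumulate low-rate entropy, reseed a fast keyed generator periodically."""

    THRESHOLD_BITS = 256   # assumption: reseed once this much estimated entropy is pooled

    def __init__(self):
        self.pool = hashlib.sha256()   # bit bucket: hash of every sample since the last reseed
        self.pool_bits = 0             # running entropy estimate for the pool
        self.key = None                # None until the first reseed; output refused until then
        self.counter = 0               # block counter for the output stream
        self.reseeds = 0

    def add_entropy(self, sample, est_bits):
        """Feed one sample from the slow source with a conservative entropy estimate."""
        # length prefix so that sample boundaries cannot be confused inside the hash
        self.pool.update(len(sample).to_bytes(4, "big") + sample)
        self.pool_bits += est_bits
        if self.pool_bits >= self.THRESHOLD_BITS:
            self._reseed()

    def _reseed(self):
        """Fold the pool into the key. The old key is an HMAC input too, so the
        new state is never weaker than the state before the reseed."""
        prev = self.key or bytes(32)
        self.key = hmac.new(prev, self.pool.digest(), hashlib.sha256).digest()
        self.pool = hashlib.sha256()
        self.pool_bits = 0
        self.reseeds += 1

    def random_bytes(self, n):
        """Fast output: HMAC-SHA256(key, counter) blocks until n bytes are produced."""
        if self.key is None:
            raise RuntimeError("pool below threshold; generator is not yet seeded")
        out = bytearray()
        while len(out) < n:
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        return bytes(out[:n])


def feed(gen, tag, count, est_bits=32):
    """Constructed stand-in for the slow source: deterministic, labelled samples,
    each credited with est_bits of entropy (an assumption, not a measurement)."""
    for i in range(count):
        gen.add_entropy(f"{tag}-{i}".encode(), est_bits)


if __name__ == "__main__":
    g = ReseedingGenerator()
    feed(g, "timing", 8)            # 8 * 32 = 256 estimated bits -> first reseed
    print(g.reseeds, g.random_bytes(16).hex())
```

The caller-supplied estimate is the weak point of this design, exactly as in
the post: if the slow source is over-credited, the threshold is reached with
too little real entropy and the fast output inherits that shortfall.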



------------------------------

From: [EMAIL PROTECTED] (zentara)
Subject: Re: PGP Cracked ?
Reply-To: ""
Date: Sat, 06 Nov 1999 08:05:37 GMT

On Fri, 5 Nov 1999 16:58:41 -0000, "Harry Solomon"
<[EMAIL PROTECTED]> wrote:

>A security expert at my place of work states that PGP can be cracked. He
>says that today being Friday he will give me my passphrase by cracking the
>code the following Tuesday, Is this possible?
>

I know the answers that the real experts here are giving is that
he got your passphrase by some keystroke recorder....either
via the network you are on, or some "tempest" style keyboard
"bugging" device.

But did you ever consider that PgP or GpG are controlled
by very high-ranking military and government people? And that
at a certain security level, there are people who can generate
a "secret  key" from the freely available "public key"? They are sworn
to a very high secrecy level.

They would just have to exploit some known weakness in the compilers
to leave "markers" here and there in the encrypted files. It's
probably something along the lines of complementary matrices
of vectors, and if you have one, with the "markers in place", the
other matrix  can be regenerated.

Of course, this is just speculation. But your pgp programs come
as pre-compiled binaries don't they? Even GpG, which you can compile
yourself, has complex enough source code, that even a decent C
programmer, would not know if little "markers" are being placed
here and there. Especially if it was a weakness in the compiler that
was being exploited, like a tendency to leave a stray bit here and
there in the final binary.

I'm not claiming that any of this is true. BUT, it seems very
plausible to me. Maybe it  explains where the government
comes up with those "anonymous sources" of information.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
