Cryptography-Digest Digest #961, Volume #8       Mon, 25 Jan 99 13:13:07 EST

Contents:
  Re: a decryption task (Nathan Kennedy)
  Re: 3DES in EDE mode versus EEE mode ([EMAIL PROTECTED])
  Re: What is left to invent? (R. Knauer)
  Re: interview (Mok-Kong Shen)
  Re: Sanity check on authentication protocol ([EMAIL PROTECTED])
  Re: hardRandNumbGen (R. Knauer)
  Re: All 8 modes, was Re: 3DES in EDE mode versus EEE mode ([EMAIL PROTECTED])
  Re: 3DES in EDE mode versus EEE mode ([EMAIL PROTECTED])
  Re: Metaphysics Of Randomness ([EMAIL PROTECTED])
  Re: Please help. Need protocol advice. ([EMAIL PROTECTED])
  Re: Pentium III... (Robert Yoder)
  Re: Metaphysics Of Randomness (Darren New)
  Re: Cayley-Purser algorithm? (Darren New)
  Re: Export laws (Darren New)
  Re: All 8 modes, was Re: 3DES in EDE mode versus EEE mode (Mok-Kong Shen)
  Re: Pentium III... (Darren New)

----------------------------------------------------------------------------

From: Nathan Kennedy <[EMAIL PROTECTED]>
Subject: Re: a decryption task
Date: Mon, 25 Jan 1999 18:32:08 +0800

[EMAIL PROTECTED] wrote:
> 
> Hi. I need this statement decrypted, but, alas, I do not know where to begin.
> If I could get your help, I'd be very grateful.
> 
> "Kjg; kdbk ,a; iodakdh oakjdo da;gpt nft ktrglu x,dokt pdkkdo; sl kjd H.soav
> vdtnsaohe Od;daoij kjd H.soav vdtnsaoh alh dbrpagl ,jgij tsf ,sfph ijs;d gy
> tsf ,dod pdaolglu ks ktrd yso kjd ygo;k kgmde"
> 
> Thanks!!!!!
> Kelly

First sci.crypt "challenge" I have responded to yet.
A quick glance reveals that this is a trivial substitution cipher; note the
human-language patterns and the repeated words.  Running my simple freq and
subst utilities made this a quick 5-10 minute "crack".  I think there are
programs out there which can do this automagically though.

"Kjg; kdbk ,a; iodakdh oakjdo da;gpt nft ktrglu x,dokt pdkkdo; sl kjd
H.soav
"This text was created rather easily buy typing qwerty letters on the
Dvorak

vdtnsaohe Od;daoij kjd H.soav vdtnsaoh alh dbrpagl ,jgij tsf ,sfph ijs;d gy
keyboard. Research the Dvorak keyboard and explain which you would chose if

tsf ,dod pdaolglu ks ktrd yso kjd ygo;k kgmde"
you were learning to type for the first time."

There you go.  However, the message is wrong (and I don't just mean the
misspellings).  It was made by typing in Dvorak on a QWERTY keyboard.  And
of course it can be simply "decoded" by typing in QWERTY on a Dvorak
keyboard.

Nate
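
The layout-remapping decode, written out as an added example (not part of Nate's post and not his freq/subst utilities). The two layout strings are the standard US QWERTY and US Dvorak layouts listed in the same physical key order, which is all the "cipher" is; the small list of common English words used to pick the remap direction is a constructed assumption, standing in for the "human-language patterns" check Nate did by eye.

```python
# Added example: decoding the Dvorak-on-QWERTY ciphertext from the post.
# Both strings list the printable keys of a US keyboard in the same physical order
# (number row, top row, home row, bottom row; unshifted then shifted), so the
# character at index i in one layout sits on the same physical key as index i
# in the other.
import re

QWERTY = ("`1234567890-=qwertyuiop[]\\asdfghjkl;'zxcvbnm,./"
          "~!@#$%^&*()_+QWERTYUIOP{}|ASDFGHJKL:\"ZXCVBNM<>?")
DVORAK = ("`1234567890[]',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"
          "~!@#$%^&*(){}\"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ")
assert len(QWERTY) == len(DVORAK) == 94 and len(set(QWERTY)) == len(set(DVORAK)) == 94

_Q2D = str.maketrans(QWERTY, DVORAK)
_D2Q = str.maketrans(DVORAK, QWERTY)


def qwerty_to_dvorak(text: str) -> str:
    """Read each character as a QWERTY key cap and output the Dvorak cap on that key.
    This undoes 'typing Dvorak on a QWERTY keyboard', the case Nate identifies."""
    return text.translate(_Q2D)


def dvorak_to_qwerty(text: str) -> str:
    """The opposite remapping; applied to the plaintext it regenerates the ciphertext."""
    return text.translate(_D2Q)


# Constructed scoring list: enough common English words to tell text from noise.
_COMMON = {"the", "and", "was", "you", "on", "to", "if", "for", "which", "this",
           "text", "were", "would", "time", "first", "type", "keyboard", "of", "is", "it"}


def english_score(text: str) -> int:
    """Number of tokens that are common English words (the 'human-language patterns' check)."""
    return sum(tok in _COMMON for tok in re.findall(r"[a-z]+", text.lower()))


def crack(ciphertext: str):
    """Try both remap directions; return (direction, plaintext) for the one that reads as English."""
    candidates = {"qwerty_to_dvorak": qwerty_to_dvorak(ciphertext),
                  "dvorak_to_qwerty": dvorak_to_qwerty(ciphertext)}
    best = max(candidates, key=lambda d: english_score(candidates[d]))
    return best, candidates[best]


# The ciphertext exactly as quoted in the post (line breaks joined with spaces).
CIPHERTEXT = ("Kjg; kdbk ,a; iodakdh oakjdo da;gpt nft ktrglu x,dokt pdkkdo; sl kjd H.soav "
              "vdtnsaohe Od;daoij kjd H.soav vdtnsaoh alh dbrpagl ,jgij tsf ,sfph ijs;d gy "
              "tsf ,dod pdaolglu ks ktrd yso kjd ygo;k kgmde")

if __name__ == "__main__":
    direction, plaintext = crack(CIPHERTEXT)
    print(direction)
    print(plaintext)
```

The direction matters: only qwerty_to_dvorak yields English, which is the correction Nate makes to the original poster's description, and dvorak_to_qwerty of the recovered plaintext gives the ciphertext back character for character, misspellings included.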

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: 3DES in EDE mode versus EEE mode
Date: Mon, 25 Jan 1999 10:56:25 GMT

In article <78gk9a$[EMAIL PROTECTED]>,
  Scott Fluhrer <[EMAIL PROTECTED]> wrote:

>
> [1] Actually, when you look at the standard attack on 3-DES, it looks like
>     you can check for 1-DES efficiently after decrypting the ciphertext
>     using all possible 1-DES keys, and sticking them in your memory device.
>     This is besides the point I'm trying to make above

Scott:

I agree with you and your point is fine. When I balked at your expression "if
he just suspects that it might be 1-DES", it was just because there is no
protocol reason to *suspect* -- but you may *assume* ... of course, under a
decision strategy. BTW, that is what I meant by "not granted" -- there is no
reason to suspect.

I will not criticize your numbers, that would justify a decision for
breadth-first search on 1-DES when the attacker has less resources -- and I
do not mean only number of DES chips. Those numbers depend a lot on what you
assume for memory, short-cuts and so on, not only number of DES chips. But, I
believe the discussion's purpose was very well served by your argument.

Just note that it seems that the situation might be different for two-key
3-DES, using the same numbers you used.

Cheers,

Ed Gerck

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: What is left to invent?
Date: Mon, 25 Jan 1999 11:52:24 GMT
Reply-To: [EMAIL PROTECTED]

On Mon, 25 Jan 1999 01:52:40 +0000, Toby Kelsey
<[EMAIL PROTECTED]> wrote:

>>Since any cipher can be broken by trying to decode the message with all
>>possible keys,

>Only if you can identify the plaintext when you see it.

That depends on whether the key is long enough. If the key is short
compared to the message length, then you have to take the unicity
distance into account. The unicity distance is the length of a message
which you can have strong confidence is the only possible intelligible
message present in the ciphertext for a given key length.

For example, if your key is 56 bits, like with DES, then any
intelligible message you uncover over 8.2 bits will be the intended
message with high confidence. If you uncover a message that is
significantly longer than 8.2 bits, then it is almost certain to be
the intended message.

Since most ciphers are built with keys that are much shorter than the
message length and most messages are much longer than the unicity
distance, I believe the original poster had this in mind with his
statement above.

Bob Knauer

"An honest man can feel no pleasure in the exercise of power over
his fellow citizens."
--Thomas Jefferson


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: interview
Date: Mon, 25 Jan 1999 14:41:48 +0100

JPeschel wrote:
> 
> >Mok-Kong Shen <[EMAIL PROTECTED]>writes something like:
> 
>  Terry Ritter [a fellow American down on his luck] wrote:
> >>
> >> On 19 Jan 1999 02:58:23 GMT, in
> >> <[EMAIL PROTECTED]>, in sci.crypt
> >> [EMAIL PROTECTED] (JPeschel) [that's me!] wrote:
> >>
> >> >Phred Dobbs <[EMAIL PROTECTED]>, after coming back with bags of gold
> >dust,
> >> >writes:
> >> >
> >> >9) Do you require any licensing for your job?
> >> >
> >> >Licensing?  We dont need no stinkin' licensing!
> >>
> >> That's true.
> >>
> >> Unless, of course, we offer ourselves for hire to the public as an
> >> "Engineer," in which case a license is required.
> >
> >If I understood correctly, there was, however, once an opinion by
> >a professional to the effect that one should acquire sort of a
> >'license' from the profis before one publishes anything (unless one
> >is already a profi, of course.)
> 
> Mok, are you back to whining about your silly arguments with
> Bruce? Why not sit back, grab a beer, and watch "The Treasure of
> Sierra Madre," instead?

I suppose some facts need to be 'repeatedly' pointed out if these happen
'repeatedly'. (Supporting materials available on individual request.)

M. K. Shen

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Sanity check on authentication protocol
Date: Mon, 25 Jan 1999 13:34:46 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Edward Keyes) wrote:
> In article <[EMAIL PROTECTED]>, Antti Huima
> <[EMAIL PROTECTED]> wrote:
>
> > This protocol can be summarized as follows:
> >
> >      A --> B:    A, R_A
> >      B --> A:    {K, R_A, R_B}_S
> >      A --> B:    {R_B}_S
> >
> > Here S = the shared secret key, R_A = Alice's random number, R_B =
> > Bob's random number, K = the new session key.
> >
    [...]
> >
> > Observe also that Bob can be used as an oracle to generate an
> > unlimited number of known plaintext-ciphertext pairs (send A, R_A to
> > Bob and you get {*, R_A, *}_S). This is a bad thing.
>
> How bad of a thing is this, since each message will contain a large
> amount of unknown random data as well (the newly-generated session
> key and R_B)?  Can this be fixed by doing something stronger than
> concatenation, like bit-interleaving?  Or is it just a matter of
> "leaking" a certain amount of info with every message?

Depends how the shared-secret is generated.  If it is derived from
a user-chosen password then it could be very bad indeed.  Simply
because an offline dictionary attack could use this known plaintext
to verify guesses at the password (and we all know how bad most
passwords are).  Bit interleaving won't help - the R_A will still
be identifiable.

The only way I know of to make a key-exchange strong using a pre-arranged
(weak) shared-secret is with something like DH-EKE.  The strength comes
from the fact that all message plaintext is uniformly random before
encryption is applied, and no plaintext is used twice, so there is nothing
to verify a password guess against.  Unfortunately this uses DH so is no
good for your "computationally challenged" platform :-)

It's an interesting problem though...

Paul(o)

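
A worked version of the offline dictionary attack Paul(o) describes, added here as an example (it is not code from the thread). It assumes the shared secret S is derived from a password with PBKDF2-HMAC-SHA256, and models {...}_S with an HMAC-SHA256 keystream under a per-message IV; both are assumptions, and the attack depends on neither: it only needs that the attacker knows where R_A sits in Bob's reply and can make Bob answer. The password list and the protocol party names are constructed.

```python
# Added example: Bob as a known-plaintext oracle, then an offline dictionary attack on S.
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # size of R_A, R_B and the session key K (assumption)


def derive_shared_secret(password: str) -> bytes:
    """S from a user-chosen password (assumption: PBKDF2-HMAC-SHA256, fixed salt, low cost)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"sanity-check-salt", 1000, dklen=32)


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for {...}_S: XOR with an HMAC-SHA256 counter keystream under a fresh IV."""
    out = bytearray()
    for n, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, iv + n.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt(key: bytes, data: bytes) -> bytes:
    iv = secrets.token_bytes(16)
    return iv + _keystream_xor(key, iv, data)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


def bob_respond(S: bytes, msg1):
    """Message 2 of the protocol, B -> A: {K, R_A, R_B}_S.  Bob answers anyone who sends (A, R_A)."""
    _a_name, r_a = msg1
    K = secrets.token_bytes(NONCE_LEN)
    r_b = secrets.token_bytes(NONCE_LEN)
    return encrypt(S, K + r_a + r_b), r_b     # Bob keeps r_b to check message 3


def oracle_query(S: bytes):
    """Attacker plays Alice: sends a chosen R_A and captures Bob's reply (no knowledge of S needed)."""
    r_a = secrets.token_bytes(NONCE_LEN)
    reply, _ = bob_respond(S, ("Alice", r_a))
    return r_a, reply


def dictionary_attack(r_a: bytes, reply: bytes, candidates):
    """Offline: derive S from each guess and look for R_A at its known offset in {K, R_A, R_B}."""
    for pw in candidates:
        pt = decrypt(derive_shared_secret(pw), reply)
        if pt[NONCE_LEN:2 * NONCE_LEN] == r_a:   # K occupies the first NONCE_LEN bytes
            return pw
    return None


def demo(real_password: str = "swordfish",
         wordlist=("password", "letmein", "swordfish", "qwerty", "123456")):
    """One oracle query against a Bob whose S comes from real_password, then crack it offline."""
    S = derive_shared_secret(real_password)
    r_a, reply = oracle_query(S)
    return dictionary_attack(r_a, reply, wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

Note that the unknown K and R_B in the same message do not help: the attacker checks only the 16 bytes of R_A it chose itself. Bit-interleaving R_A with K and R_B would change only the index arithmetic in dictionary_attack, since the layout is public, which is Paul(o)'s point. What removes the check is the property he attributes to DH-EKE: nothing the attacker can decrypt lets a wrong password guess be distinguished from a right one.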

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Mon, 25 Jan 1999 11:55:36 GMT
Reply-To: [EMAIL PROTECTED]

On 25 Jan 99 02:37:29 GMT, [EMAIL PROTECTED] () wrote:

>: >Even PSEUDO-random RNG's pass statistical tests.  Those tests have
>: >nothing to do with cryptographic unpredictability or "strength."  

>: That statement needs to be added to the FAQ on Crypto-Grade
>: Randomness.
>: It says it all.

>It does indeed, but it will probably have to be expanded and commented
>upon before it will "say it all" clearly enough so that everyone
>understands what it means. Many people have heard this, but because they
>have not understood, they did not believe.

I agree. Here is a post from Patrick Juola that expands on this in a
way that can be understood by all.

+++++
On 21 Jan 1999 08:23:54 -0500, [EMAIL PROTECTED] (Patrick Juola)
wrote:

You're not seeing the fundamental distinction between "irrationality"
and "randomness" in that randomness is a function, not of a number,
but of a process.

Just for clarification :  *Any* number/string can be the result of
a uniformly random process.  In fact, a uniformly random process will
always produce all numbers equiprobably, by construction.

Any number can also be produced as the result of a non-random process,
although for many numbers this will be a very uninteresting process
such as a simple table-lookup and copy.

The closest relative for irrationality is not the properties such
as "non-repeating fraction" (which is a thoroughly bogus definition,
by the way), but the method by which you GET a rational number.

To wit, a rational number can be generated as the ratio of two
integers p and q (q != 0 for the formalists, pthththththth).  An
irrational number is a number that cannot be so generated.

Now, it so happens (lucky us) that any number that can be generated
as the ratio of two integers can also be written as a terminating
and/or repeating continued decimal string.  This is an independent
property, first proved in the year <mumble> by someone no doubt too
famous for me to remember offhand.  But the fact that you can
characterize a number as rational or irrational by inspection is,
strictly speaking, a lucky fluke.

There's a similar definition for, e.g., transcendentals -- a
transcendental number, of course, is a number that cannot be produced
as the solution to a polynomial equation.  Transcendentals are a
strict subset of irrationals -- sqrt(2), for instance, is irrational
but not transcendental. However, there's no way to characterize *by
inspection* whether or not a given irrational number is
transcendental.  I can easily prove a given number is *NOT*
transcendental by showing a polynomial to which &c., but
I can't go the other way.

So the point is that the characterization of both irrationals and
transcendentals is a) strictly process-driven, and b) defined in the
negative sense -- "no possible way to..."  That irrationals can be
cleanly defined in typographic properties should *not* lead you to
believe that randomness can also be defined in typographic
properties or that it can be defined in positive terms.
+++++

Bob Knauer



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: All 8 modes, was Re: 3DES in EDE mode versus EEE mode
Date: Mon, 25 Jan 1999 13:54:10 GMT

In article <78dt09$s4p$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
>...
> In this sense, it would be perhaps useful to consider an alternative 3-DES
> Standard, where all 8 combinations (EEE, EED, DDE ... DDD) would be allowed
> and *post-selected* by the sender, Bob, after algorithm negotiation (3-DES).
> So, Alice would have the right key(s) from Bob (eg, send by AOEP-RSA), but
> she would have to test the first DES block to see which scheme was randomly
> chosen by Bob -- for which she may need to try out one block at most eight
> times, to be sure. An attacker, however, would need to try out an average of
> four blocks but each one with an average of half the corresponding key-space,
> for each possibility of one, two and three keys. Which would at least
> multiply by 4x the average attack workload for 1-DES due to the combination
> uncertainty of EEE .. DDD.
>
> Comments?

    Ed,

    Effectively you are adding 3 bits to the key. In the same spirit
    why use the three DES keys in a fixed order? There are 6 possible
    permutations that can be used to further increase the
    "variability" of the cipher. For example, instead of
    E(K1)*D(K2)*E(K3) one might as well use D(K3)*D(K1)*E(K2). In all
    we have now 48 algorithmic variations that would depend on the
    secret key. Security cannot be lower and is probably higher. For
    example, resistance to a brute force attack has now increased
    if, say, the attacker knows K1.

    I think "variable" ciphers are a good idea because the secret key
    now affects not only the data flow but also the control flow in
    the cipher. See my post to sci.crypt dated 30.12.98 with subject
    "Security through obscurity in the smartcard world".

http://www.tecapro.com
email: [EMAIL PROTECTED]


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: 3DES in EDE mode versus EEE mode
Date: Mon, 25 Jan 1999 14:02:55 GMT

In article <787qga$ujf$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
>
>
> FIPS 46-3 ( http://csrc.nist.gov/fips/dfips46-3.pdf (209K) or
> http://jya.com/dfips46-3.htm (49K + 35K images) ) defines as an interim
> standard 3DES with three different keys in Encrypt-Decrypt-Encrypt mode. Now
> originally 3DES used only two keys and the EDE mode had a small advantage:
> when the two keys are identical it works as single DES. The same slight
> advantage exists now with the new FIPS if all three keys are identical. The
> question is: if I always want to use three different keys with the full 168
> bits of entropy, is there any advantage in the EDE mode as compared to the
> more "natural" EEE mode?

Markus Kuhn mentioned this advantage for the EDE mode:

"In a pipelined hardware implementation, you need only 2 E and 2 D modules
for EDE and DED, as opposed to 3 E modules and 3 D modules if you used
EEE and DDD."

http://www.tecapro.com
email: [EMAIL PROTECTED]

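
To make the mode and key-order bookkeeping from the two preceding posts concrete, here is an added example (not from the thread, and not DES). A 16-bit toy Feistel cipher stands in for DES, since the structure of the argument does not depend on which cipher is chained. It enumerates the 8 E/D patterns times 6 key orders = 48 variants, shows how the receiver inverts any of them (reverse the sequence, swap E and D), and checks the EDE property from the FIPS 46-3 discussion: with all three keys equal, EDE reduces to a single encryption while EEE does not. Convention: E(K1)*D(K2)*E(K3) is applied left to right.

```python
# Added example: multiple-encryption chains over a toy cipher standing in for DES.
from itertools import permutations, product

ROUNDS = 8


def _subkeys(key32: int):
    """Eight 8-bit round keys from a 32-bit key (toy schedule, nothing like DES's)."""
    return [((key32 >> (8 * (i % 4))) ^ (0x1B * i)) & 0xFF for i in range(ROUNDS)]


def _f(x: int, k: int) -> int:
    """Toy round function; it need not be invertible, the Feistel structure handles that."""
    x = ((x ^ k) * 0x9D + 0x3B) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF


def _feistel(block16: int, subkeys) -> int:
    L, R = block16 >> 8, block16 & 0xFF
    for k in subkeys:
        L, R = R, L ^ _f(R, k)
    return (R << 8) | L           # final swap, so the same routine with reversed keys decrypts


def E(key: int, block: int) -> int:
    return _feistel(block, _subkeys(key))


def D(key: int, block: int) -> int:
    return _feistel(block, _subkeys(key)[::-1])


_OPS = {"E": E, "D": D}


def apply_chain(mode: str, keys, block: int) -> int:
    """Apply e.g. mode='EDE', keys=(K1, K2, K3) left to right: E(K1), then D(K2), then E(K3)."""
    for op, k in zip(mode, keys):
        block = _OPS[op](k, block)
    return block


def inverse_chain(mode: str, keys):
    """What the receiver runs: reverse the order and swap every E for D (and D for E)."""
    return "".join("D" if op == "E" else "E" for op in reversed(mode)), tuple(reversed(keys))


def all_variants():
    """The 8 E/D patterns times the 6 orders of three keys = 48 key-dependent variants."""
    return [(mode, order) for mode in ("".join(m) for m in product("ED", repeat=3))
            for order in permutations((0, 1, 2))]


def roundtrip_count(keys, block: int) -> int:
    """How many of the 48 variants the inverse_chain rule decrypts correctly (expect all)."""
    ok = 0
    for mode, order in all_variants():
        ks = tuple(keys[i] for i in order)
        inv_mode, inv_keys = inverse_chain(mode, ks)
        ok += apply_chain(inv_mode, inv_keys, apply_chain(mode, ks, block)) == block
    return ok


def collapses_to_single(mode: str, key: int, block: int) -> bool:
    """True if the mode with K1 = K2 = K3 = key produces exactly what a single E(key) produces."""
    return apply_chain(mode, (key, key, key), block) == E(key, block)


if __name__ == "__main__":
    K = (0xDEADBEEF, 0x01234567, 0xCAFEF00D)
    print(len(all_variants()), "variants;", roundtrip_count(K, 0x1234), "round-trip")
    print("EDE with one key == single encryption:", collapses_to_single("EDE", K[0], 0x1234))
    print("EEE with one key == single encryption:", collapses_to_single("EEE", K[0], 0x1234))
```

The collapse for EDE holds for any cipher, because D(K) undoes E(K) regardless of what K is; the example only makes it visible. The 48 count is the "3 bits plus a key permutation" from the post; whether such control-flow variability buys any security against an attacker who simply enumerates the 48 cases alongside the keys is the question the thread leaves open, and the code does not answer it.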

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Metaphysics Of Randomness
Date: Mon, 25 Jan 1999 14:53:41 GMT

In article <78a72r$pth$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Patrick Juola) 
writes:
> In article <1999Jan22.102105.1@eisner>,  <[EMAIL PROTECTED]> wrote:
>>Organization: DECUServe
>>Lines: 39
>>
>>In article <[EMAIL PROTECTED]>, Darren New <[EMAIL PROTECTED]> 
>writes:
>>> You're kind of mixing up the mathematics of what things are with
>>> possible implementations of what things are. For example, one possible
>>> definition for an NDTM is one in which it always chooses the state
>>> transition that is going to make it halt, if any will. 
>>
>>No.  That's an NDTM plus an oracle.  In an NDTM, the set of available
>>transitions is purely a function of current state and current tape
>>symbol.  You don't get to disallow certain transitions based on tape
>>content not currently under the read/write head.
> 
> No, that's an NDTM.  Check out any of the basic texts; I recommend
> Hopcroft and Ullman.
>
> The best (informal) definition I've seen for an NDTM is that it's
> a lucky computer -- it has choke points where it can go in several
> different guesses and it always guesses right.  This is *NOT* simply
> a DTM plus a random number generator unless you can guarantee that
> the RNG will always "guess right"

Ahhh.  I see the formal definition that this informal definition tries
to capture.  For a machine that can halt on a given input, you only
consider those executions which actually do halt.  Informally, you then
go back and look at this as having "guessed right" at each state
transition.

The "guesses right" notion misses the class of "voluntary" infinite
loops.  Say you've got a machine that can output a "1" and loop.  Or it
can branch toward a halt state.  Either choice counts as a correct guess
because a halt is still possible.  And yet if you always choose to output
a "1" then you've got an infinite loop.

Back when I learned this stuff 20 years ago, we talked about NDTM's
being the machines themselves, not sets of permissible execution paths
on the machines.  No big deal as long as you ask the right questions:

        For what input can the NDTM halt?       (My definition)
        For what input does the NDTM halt?      (Your definition).

Six of one, half a dozen of the other.

        John Briggs                     [EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Please help. Need protocol advice.
Date: Sun, 24 Jan 1999 23:07:00 GMT


> Under these conditions, there is no solution.

I tend to agree with you, personally, but I thought I'd ask the experts.  And
I'm actually getting pretty good feedback - some approaches I hadn't thought
of.  So, all in all, it looks like asking the question was rather helpful,
even though I doubt the existence of a complete solution.  Thanks for your
input, as well.


Don't ask me .. I'm still trying to figure out what standards I'm
dedicated to as a nonconformist.
...by the way, where are we going?  And why am I in this handbasket?


------------------------------

From: Robert Yoder <[EMAIL PROTECTED]>
Subject: Re: Pentium III...
Date: Mon, 25 Jan 1999 08:55:54 -0700

Check this out:

http://www.news.com/News/Item/0,4,31354,00.html?st.cn.fd.tkr.ne

Two different organizations are organizing a boycott of Intel
because the CPU ID is "an invasion of privacy".

If Intel hadn't lied to us about the purpose of the
CPU ID, there wouldn't even _BE_ a privacy issue!


ry
-- 
[EMAIL PROTECTED]
"Unix:  The solution to the W2K Problem."

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Metaphysics Of Randomness
Date: Mon, 25 Jan 1999 17:34:20 GMT

>   A 'Cryptographically secure' RNG generates random numbers via a
> *non-deterministic* algorithm.  The output of any one generator is
> unpredictable even knowing the algorithm and all initial conditions.

Uh, excuse me? I'm afraid that if I know the RC4 algorithm and all
initial conditions including the key, I can certainly predict exactly
what will come out. That's why it's possible to encrypt something with
RC4 and decrypt it later. 

If it generated nondeterministic output (via a nondeterministic
algorithm), I would have to save all its output somewhere in order to
get it back again.

I would think a 'cryptographically secure' RNG would have something to
do with chaotic systems or cryptanalysis. But it's nothing to do with
nondeterministic. There are nondeterministic algorithms, but RC4 isn't
one of them.

-- 
Darren New / Senior Software Architect / MessageMedia, Inc.
     San Diego, CA, USA (PST).  Cryptokeys on demand.
"You could even do it in C++, though that should only be done
  by folks who think that self-flagellation is for the effete."
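
RC4 as a concrete instance of Darren's point, added here as an example (not code from the post). Every keystream byte is a pure function of the algorithm and the key, which is exactly what lets the receiver decrypt, and the same fact is what makes key reuse fatal for any stream cipher. RC4 appears only because the post names it: it is broken and its use in TLS is prohibited by RFC 7465, so this is for illustration, not for use. The test vectors are the widely published ones for the keys "Key", "Wiki" and "Secret".

```python
# Added example: RC4 is deterministic, so knowing the key means knowing every output byte.
from itertools import islice


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling (KSA), then the generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                               # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def predict_byte(key: bytes, position: int) -> int:
    """The output byte at any position, computed from the key alone: nothing to 'guess'."""
    return next(islice(rc4_keystream(key), position, None))


def is_deterministic(key: bytes, n: int = 64) -> bool:
    """Two independent runs with the same key and algorithm produce identical keystreams."""
    return bytes(islice(rc4_keystream(key), n)) == bytes(islice(rc4_keystream(key), n))


def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Because the keystream depends only on the key, reusing a key for two messages
    lets anyone compute m1 XOR m2 from the two ciphertexts, with no key knowledge at all."""
    c1, c2 = rc4(key, m1), rc4(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())            # bbf316e8d940af0ad3
    print(rc4(b"Key", rc4(b"Key", b"Plaintext")))     # b'Plaintext'
    print(is_deterministic(b"Key"))
```

What makes such a generator "cryptographically secure" in the usual sense is not nondeterminism but that, without the key, the output is computationally indistinguishable from random; RC4 fails even that weaker bar today, which is a separate matter from the determinism Darren is pointing out.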

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Cayley-Purser algorithm?
Date: Mon, 25 Jan 1999 17:37:34 GMT

> >Well, that would depend on what she signed with the company, at least in
> >the USA. Generally, in the US, the individual is the inventor. You sign
> 
> Don't remember US law, but Canadian law says that in the absence of
> agreement, a work done for hire is considered to belong to hirer not the
> hiree.

In the USA, that's true of copyright, but not patents. Of course, she's
in Scotland or something, so all that's moot anyway.  I think the US is
the only country where you can get patent protection after you publish. 
On the other hand, it doesn't look like she has published her algorithm.


------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Export laws
Date: Mon, 25 Jan 1999 17:41:52 GMT

> Sorry, but the laws are logical. logical means to derive your
> conclusions from premises.

Yes, but the poster I was replying to said "if export means what
everyone thinks it means, namely taking something out of the country,
then the ISP can't be responsible for exporting."  

I simply meant that using logic to try to conclude that a law cannot
possibly mean what it says is counterproductive, precisely because the
law gets to define what it means.

Otherwise, the rest of your comments are fairly well on the mark.


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: All 8 modes, was Re: 3DES in EDE mode versus EEE mode
Date: Mon, 25 Jan 1999 18:22:24 +0100

[EMAIL PROTECTED] wrote:
> 
>     I think "variable" ciphers are a good idea because the secret key
>     now affects not only the data flow but also the control flow in
>     the cipher. See my post to sci.crypt dated 30.12.98 with subject
>     "Security through obscurity in the smartcard world".

As much 'variability' as technically possible/reasonable should in
my opinion be provided in any encryption algorithm because it can
vastly augment the workload of the analyst. I have been advocating
'variability' for some time and have employed it extensively
e.g. in my humble design WEAK3. See
http://www.stud.uni-muenchen.de/~mok-kong.shen/#paper11

M. K. Shen

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Pentium III...
Date: Mon, 25 Jan 1999 17:59:10 GMT

> >The serial number in the chip is to help control the trade in stolen CPUs,
> >which is a big moneyspinner in certain parts of the criminal world.
> 
> Once again the law-abiding citizen has to pay the price for the
> ineptness of law enforcement.

I find this amusing, coming from the newsgroup with likely the most
vocal opponents to key escrow. :-)

Anyway, who would be checking for whether the CPUs are stolen? Will
Intel refuse to sell you chips unless you promise to check that every
chip you buy is not on the hotlist? And require you to sign same with
all the people you redistribute to? If I wind up with a stolen chip in
my machine, can it be confiscated as stolen property?  Sheesh.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
