Cryptography-Digest Digest #86, Volume #9 Wed, 17 Feb 99 06:13:05 EST
Contents:
Re: Really lousy random numbers ("Wm. Toldt")
Re: Block ciphers vs Stream Ciphers ("Douglas A. Gwyn")
Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])
Cryptography FAQ (02/10: Net Etiquette) ([EMAIL PROTECTED])
Cryptography FAQ (03/10: Basic Cryptology) ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: "Wm. Toldt" <[EMAIL PROTECTED]>
Subject: Re: Really lousy random numbers
Date: Mon, 15 Feb 1999 19:33:06 -1000
John Curtis wrote:
>
> O.K. please entertain this rather naive question:
>
> Let posit that a TRNG exists, that outputs a perfect
> 16 bit random number every 50 microsecs.
>
> Unfortunately, the TRNG is less than perfect, and
> a sinusoidal signal with a period of 16.6666 millisecs appears
> additively mixed in with the perfect 16 bit random numbers at a
> signal level such that the spurious signal toggles bit 4
> of the TRNG at its peak.
>
> If one were to employ this badTRNG to encrypt an English
> ASCII message via OTP how much of the clear text is recoverable?
>
> Does gathering more cipher text increase the proportion of clear
> text that is recovered?
>
> Is there some way of quantifying the probability that the
> recovered text will contain a significant amount of
> information? (for example, is there a significant probablility
> that 5 contiguous characters are recovered?).
>
> Thanks. I'm interested in how serious cryptographers approach
> this issue, so please indulge me.
>
> regards,
>
> jcurtis
It makes no difference whether you TOGGLE one bit every 16ms or not. You
can toggle all of the bits all of the time and it is still random. You
can toggle half of the bits, 1% of the bits, any bits you want and it
makes no difference to the privacy of the OTP message.
Maybe you should ask about "stuck-at" bits. If a bit is stuck at a '1'
every 16 ms, then that is a minor problem. More stuck bits make the
problem worse.
Wm. Toldt
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Block ciphers vs Stream Ciphers
Date: Wed, 17 Feb 1999 08:48:29 GMT
John Savard wrote:
> A stream cipher can only be used as a stream cipher, while it is very
> easy to make a secure stream cipher out of a secure block cipher.
I think it's obvious that a stream cipher can also be used as a block
cipher. Then you stick in the word "secure"; well, security of any
form of encryption is a separate matter from whether it is a stream
or block cipher or something else.
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (01/10: Overview)
Date: 17 Feb 1999 10:25:31 GMT
Reply-To: [EMAIL PROTECTED]
Archive-name: cryptography-faq/part01
Version: 1.0
Last-modified: 94/01/11
This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.
Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.
If you have suggestions, comments, or criticism, please let the current
editors know by sending e-mail to [EMAIL PROTECTED] Bear in
mind that this is a work in progress; there are some questions which we
should add but haven't gotten around to yet. In making comments on
additions it is most helpful if you are as specific as possible and
ideally even provide the actual exact text.
Archives: sci.crypt has been archived since October 1991 on
ripem.msu.edu, though these archives are available only to U.S. and
Canadian users. Another site is rpub.cl.msu.edu in /pub/crypt/sci.crypt/
from Jan 1992. Please contact [EMAIL PROTECTED] if you know of
other archives.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
The fields `Last-modified' and `Version' at the top of each part track
revisions.
Table of Contents
=================
1. Overview
2. Net Etiquette
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?
3. Basic Cryptology
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
3.2. What references can I start with to learn cryptology?
3.3. How does one go about cryptanalysis?
3.4. What is a brute-force search and what is its cryptographic relevance?
3.5. What are some properties satisfied by every strong cryptosystem?
3.6. If a cryptosystem is theoretically unbreakable, then is it
guaranteed analysis-proof in practice?
3.7. Why are many people still using cryptosystems that are
relatively easy to break?
3.8. What are the basic types of cryptanalytic `attacks'?
4. Mathematical Cryptology
4.1. In mathematical terms, what is a private-key cryptosystem?
4.2. What is an attack?
4.3. What's the advantage of formulating all this mathematically?
4.4. Why is the one-time pad secure?
4.5. What's a ciphertext-only attack?
4.6. What's a known-plaintext attack?
4.7. What's a chosen-plaintext attack?
4.8. In mathematical terms, what can you say about brute-force attacks?
4.9. What's a key-guessing attack? What's entropy?
5. Product Ciphers
5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, and OFB encryption?
6. Public-Key Cryptography
6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'
7. Digital Signatures
7.1. What is a one-way hash function?
7.2. What is the difference between public, private, secret, shared, etc.?
7.3. What are MD4 and MD5?
7.4. What is Snefru?
8. Technical Miscellany
8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?
9. Other Miscellany
9.1. What is the National Security Agency (NSA)?
9.2. What are the US export regulations?
9.3. What is TEMPEST?
9.4. What are the Beale Ciphers, and are they a hoax?
9.5. What is the American Cryptogram Association, and how do I get in touch?
9.6. Is RSA patented?
9.7. What about the Voynich manuscript?
10. References
10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (02/10: Net Etiquette)
Date: 17 Feb 1999 10:25:36 GMT
Reply-To: [EMAIL PROTECTED]
Archive-name: cryptography-faq/part02
Last-modified: 94/06/13
This is the second of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
Contents:
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
Read news.announce.newusers and news.answers for a few weeks. Always
make sure to read a newsgroup for some time before you post to it.
You'll be amazed how often the same question can be asked in the same
newsgroup. After a month you'll have a much better sense of what the
readers want to see.
2.2. Do political discussions belong in sci.crypt?
No. In fact some newsgroups (notably misc.legal.computing) were
created exactly so that political questions like ``Should RSA be
patented?'' don't get in the way of technical discussions. Many
sci.crypt readers also read misc.legal.computing, comp.org.eff.talk,
comp.patents, sci.math, comp.compression, talk.politics.crypto,
et al.; for the benefit of people who don't care about those other
topics, try to put your postings in the right group.
Questions about microfilm and smuggling and other non-cryptographic
``spy stuff'' don't belong in sci.crypt either.
2.3. How do I present a new encryption scheme in sci.crypt?
``I just came up with this neat method of encryption. Here's some
ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
doubt questions like this are the most annoying traffic on sci.crypt.
If you have come up with an encryption scheme, providing some
ciphertext from it is not adequate. Nobody has ever been impressed by
random gibberish. Any new algorithm should be secure even if the
opponent knows the full algorithm (including how any message key is
distributed) and only the private key is kept secret. There are some
systematic and unsystematic ways to take reasonably long ciphertexts
and decrypt them even without prior knowledge of the algorithm, but
this is a time-consuming and possibly fruitless exercise which most
sci.crypt readers won't bother with.
So what do you do if you have a new encryption scheme? First of all,
find out if it's really new. Look through this FAQ for references and
related methods. Familiarize yourself with the literature and the
introductory textbooks.
When you can appreciate how your cryptosystem fits into the world at
large, try to break it yourself! You shouldn't waste the time of tens
of thousands of readers asking a question which you could have easily
answered on your own.
If you really think your system is secure, and you want to get some
reassurance from experts, you might try posting full details of your
system, including working code and a solid theoretical explanation, to
sci.crypt. (Keep in mind that the export of cryptography is regulated
in some areas.)
If you're lucky an expert might take some interest in what you posted.
You can encourage this by offering cash rewards---for instance, noted
cryptographer Ralph Merkle is offering $1000 to anyone who can break
Snefru-4---but there are no guarantees. If you don't have enough
experience, then most likely any experts who look at your system will
be able to find a flaw. If this happens, it's your responsibility to
consider the flaw and learn from it, rather than just add one more
layer of complication and come back for another round.
A different way to get your cryptosystem reviewed is to have the NSA
look at it. A full discussion of this procedure is outside the scope
of this FAQ.
Among professionals, a common rule of thumb is that if you want to
design a cryptosystem, you have to have experience as a cryptanalyst.
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (03/10: Basic Cryptology)
Date: 17 Feb 1999 10:25:38 GMT
Reply-To: [EMAIL PROTECTED]
Archive-name: cryptography-faq/part03
Last-modified: 93/10/10
This is the third of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
Contents:
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
3.2. What references can I start with to learn cryptology?
3.3. How does one go about cryptanalysis?
3.4. What is a brute-force search and what is its cryptographic relevance?
3.5. What are some properties satisfied by every strong cryptosystem?
3.6. If a cryptosystem is theoretically unbreakable, then is it
guaranteed analysis-proof in practice?
3.7. Why are many people still using cryptosystems that are
relatively easy to break?
3.8. What are the basic types of cryptanalytic `attacks'?
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
The story begins: When Julius Caesar sent messages to his trusted
acquaintances, he didn't trust the messengers. So he replaced every A
by a D, every B by a E, and so on through the alphabet. Only someone
who knew the ``shift by 3'' rule could decipher his messages.
A cryptosystem or cipher system is a method of disguising messages so
that only certain people can see through the disguise. Cryptography is
the art of creating and using cryptosystems. Cryptanalysis is the art
of breaking cryptosystems---seeing through the disguise even when
you're not supposed to be able to. Cryptology is the study of both
cryptography and cryptanalysis.
The original message is called a plaintext. The disguised message is
called a ciphertext. Encryption means any procedure to convert
plaintext into ciphertext. Decryption means any procedure to convert
ciphertext into plaintext.
A cryptosystem is usually a whole collection of algorithms. The
algorithms are labelled; the labels are called keys. For instance,
Caesar probably used ``shift by n'' encryption for several different
values of n. It's natural to say that n is the key here.
The people who are supposed to be able to see through the disguise are
called recipients. Other people are enemies, opponents, interlopers,
eavesdroppers, or third parties.
3.2. What references can I start with to learn cryptology?
For an introduction to technical matter, the survey articles given
in part 10 are the best place to begin as they are, in general,
concise, authored by competent people, and well written. However,
these articles are mostly concerned with cryptology as it has
developed in the last 50 years or so, and are more abstract and
mathematical than historical. The Codebreakers by Kahn [KAH67] is
encyclopedic in its history and technical detail of cryptology up
to the mid-60's.
Introductory cryptanalysis can be learned from Gaines [GAI44] or
Sinkov [SIN66]. This is recommended especially for people who want
to devise their own encryption algorithms since it is a common
mistake to try to make a system before knowing how to break one.
The selection of an algorithm for the DES drew the attention of
many public researchers to problems in cryptology. Consequently
several textbooks and books to serve as texts have appeared. The
book of Denning [DEN82] gives a good introduction to a broad range
of security including encryption algorithms, database security,
access control, and formal models of security. Similar comments
apply to the books of Price & Davies [PRI84] and Pfleeger [PFL89].
The books of Konheim [KON81] and Meyer & Matyas [MEY82] are quite
technical books. Both Konheim and Meyer were directly involved in
the development of DES, and both books give a thorough analysis of
DES. Konheim's book is quite mathematical, with detailed analyses
of many classical cryptosystems. Meyer and Matyas concentrate on
modern cryptographic methods, especially pertaining to key management
and the integration of security facilities into computer systems and
networks. For more recent documentation on related areas, try
G. Simmons in [SIM91].
The books of Rueppel [RUE86] and Koblitz [KOB89] concentrate on
the application of number theory and algebra to cryptography.
3.3. How does one go about cryptanalysis?
Classical cryptanalysis involves an interesting combination of
analytical reasoning, application of mathematical tools, pattern
finding, patience, determination, and luck. The best available
textbooks on the subject are the Military Cryptanalytics series
[FRIE1]. It is clear that proficiency in cryptanalysis is, for
the most part, gained through the attempted solution of given
systems. Such experience is considered so valuable that some of the
cryptanalyses performed during WWII by the Allies are still
classified.
Modern public-key cryptanalysis may consist of factoring an integer,
or taking a discrete logarithm. These are not the traditional fare
of the cryptanalyst. Computational number theorists are some of the
most successful cryptanalysts against public key systems.
3.4. What is a brute-force search and what is its cryptographic relevance?
In a nutshell: If f(x) = y and you know y and can compute f, you can
find x by trying every possible x. That's brute-force search.
Example: Say a cryptanalyst has found a plaintext and a corresponding
ciphertext, but doesn't know the key. He can simply try encrypting the
plaintext using each possible key, until the ciphertext matches---or
decrypting the ciphertext to match the plaintext, whichever is faster.
Every well-designed cryptosystem has such a large key space that this
brute-force search is impractical.
Advances in technology sometimes change what is considered
practical. For example, DES, which has been in use for over 10 years
now, has 2^56, or about 10^17, possible keys. A computation with
this many operations was certainly unlikely for most users in the
mid-70's. The situation is very different today given the dramatic
decrease in cost per processor operation. Massively parallel
machines threaten the security of DES against brute force search.
Some scenarios are described by Garron and Outerbridge [GAR91].
One phase of a more sophisticated cryptanalysis may involve a
brute-force search of some manageably small space of possibilities.
3.5. What are some properties satisfied by every strong cryptosystem?
The security of a strong system resides with the secrecy of the key
rather than with the supposed secrecy of the algorithm.
A strong cryptosystem has a large keyspace, as mentioned above. It
has a reasonably large unicity distance; see question 8.8.
A strong cryptosystem will certainly produce ciphertext which appears
random to all standard statistical tests (see, for example, [CAE90]).
A strong cryptosystem will resist all known previous attacks. A
system which has never been subjected to scrutiny is suspect.
If a system passes all the tests mentioned above, is it necessarily
strong? Certainly not. Many weak cryptosystems looked good at first.
However, sometimes it is possible to show that a cryptosystem is
strong by mathematical proof. ``If Joe can break this system, then
he can also solve the well-known difficult problem of factoring
integers.'' See part 6. Failing that, it's a crap shoot.
3.6. If a cryptosystem is theoretically unbreakable, then is it
guaranteed analysis-proof in practice?
Cryptanalytic methods include what is known as ``practical
cryptanalysis'': the enemy doesn't have to just stare at your
ciphertext until he figures out the plaintext. For instance, he might
assume ``cribs''---stretches of probable plaintext. If the crib is
correct then he might be able to deduce the key and then decipher the
rest of the message. Or he might exploit ``isologs''---the same
plaintext enciphered in several cryptosystems or several keys. Thus
he might obtain solutions even when cryptanalytic theory says he
doesn't have a chance.
Sometimes, cryptosystems malfunction or are misused. The one-time pad,
for example, loses all security if it is used more than once! Even
chosen-plaintext attacks, where the enemy somehow feeds plaintext into
the encryptor until he can deduce the key, have been employed. See
[KAH67].
3.7. Why are many people still using cryptosystems that are
relatively easy to break?
Some don't know any better. Often amateurs think they can design
secure systems, and are not aware of what an expert cryptanalyst
could do. And sometimes there is insufficient motivation for anybody
to invest the work needed to crack a system.
3.8. What are the basic types of cryptanalytic `attacks'?
A standard cryptanalytic attack is to know some plaintext matching a
given piece of ciphertext and try to determine the key which maps one
to the other. This plaintext can be known because it is standard (a
standard greeting, a known header or trailer, ...) or because it is
guessed. If text is guessed to be in a message, its position is probably
not known, but a message is usually short enough that the cryptanalyst
can assume the known plaintext is in each possible position and do
attacks for each case in parallel. In this case, the known plaintext can
be something so common that it is almost guaranteed to be in a message.
A strong encryption algorithm will be unbreakable not only under known
plaintext (assuming the enemy knows all the plaintext for a given
ciphertext) but also under "adaptive chosen plaintext" -- an attack
making life much easier for the cryptanalyst. In this attack, the enemy
gets to choose what plaintext to use and gets to do this over and over,
choosing the plaintext for round N+1 only after analyzing the result of
round N.
For example, as far as we know, DES is reasonably strong even under an
adaptive chosen plaintext attack (the attack Biham and Shamir used). Of
course, we do not have access to the secrets of government cryptanalytic
services. Still, it is the working assumption that DES is reasonably
strong under known plaintext and triple-DES is very strong under all
attacks.
To summarize, the basic types of cryptanalytic attacks in order of
difficulty for the attacker, hardest first, are:
cyphertext only: the attacker has only the encoded message from which
to determine the plaintext, with no knowledge whatsoever of the
latter.
A cyphertext only attack is usually presumed to be possible, and
a code's resistance to it is considered the basis of its
cryptographic security.
known plaintext: the attacker has the plaintext and corresponding
cyphertext of an arbitrary message not of his choosing. The
particular message of the sender's is said to be `compromised'.
In some systems, one known cyphertext-plaintext pair will
compromise the overall system, both prior and subsequent
transmissions, and resistance to this is characteristic of a
secure code.
Under the following attacks, the attacker has the far less likely
or plausible ability to `trick' the sender into encrypting or
decrypting arbitrary plaintexts or cyphertexts. Codes that resist
these attacks are considered to have the utmost security.
chosen plaintext: the attacker has the capability to find the
cyphertext corresponding to an arbitrary plaintext message of his
choosing.
chosen cyphertext: the attacker can choose arbitrary cyphertext and
find the corresponding decrypted plaintext. This attack can show
in public key systems, where it may reveal the private key.
adaptive chosen plaintext: the attacker can determine the cyphertext
of chosen plaintexts in an interactive or iterative process based on
previous results. This is the general name for a method of attacking
product ciphers called `differential cryptanalysis'.
The next part of the FAQ gives the mathematical detail behind the
various types of cryptoanalytic attacks.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
