Cryptography-Digest Digest #341, Volume #10 Thu, 30 Sep 99 23:13:03 EDT
Contents:
Re: Perfect Shuffle Algorithm? (Alan Morgan)
Re: hidden channel in Peekboo (wtshaw)
Re: EAR Relaxed? Really? (Greg)
Re: On oldy encryptions (wtshaw)
Re: Cryptographic bit-length and the meaning (wtshaw)
Re: crypto export rules changing ([EMAIL PROTECTED])
Re: EFS ("Joseph Ashwood")
Re: RC4 weaknesses ("Richard Parker")
Re: Glossary of undefineable crypto terms (was Re: Ritter's paper) ("Trevor Jackson,
III")
Re: Cryptanalysis of 2 key TDES (Alfred John Menezes)
Re: EAR Relaxed? Really? (Johnny Bravo)
Re: EAR Relaxed? Really? (Bill Unruh)
Re: crypto export rules changing (Bill Unruh)
Re: msg for Dave Scott ("Douglas A. Gwyn")
Re: hidden channel in Peekboo (Tom St Denis)
Re: Compress before Encryption (Tom St Denis)
Re: msg for Dave Scott (Tom St Denis)
Re: msg for Dave Scott (Tom St Denis)
Re: Q: Burrows-Wheeler transform (Tom St Denis)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Alan Morgan)
Crossposted-To: sci.stat.math,sci.math
Subject: Re: Perfect Shuffle Algorithm?
Date: 30 Sep 1999 23:26:44 GMT
In article <[EMAIL PROTECTED]>, Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>David Franklin wrote:
>> Firstly, I knocked up a brute force program to do this (took
>> about 5 mins to write), and got the same answer as Clive Tooth
>> (97020); the running time was just under 1 second. Which leads
>> me to wonder about the LCM solution being "much simpler and
>> faster" as the original interviewer apparently said. When the run
>> time is 1 second, it's hard to justify spending time speeding it
>> up (as a one-off problem at any rate).
>
>But brute force doesn't scale well, while finding the cycles does.
>You were just lucky that the period was only 97,020; it could have
>been much larger if the parameters had been slightly different.
What is the longest possible period? How does one find the answer to
that without using brute force (nothing occurs to me, but I haven't
given it much thought).
Alan
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: hidden channel in Peekboo
Date: Thu, 30 Sep 1999 17:55:57 -0600
In article <7suik7$4od$[EMAIL PROTECTED]>, Tom St Denis
<[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (wtshaw) wrote:
>
> > >
> > It is an unfortunate condition that someone who just wants to get
> > encrypted information from point A to B must become a programming guru.
> > Certain popular algorithms do carry this burden. I would reject those
> > that carry this condition as being very bad for a practical world as there
> > are possible algorthms that do not seem to have such complicated and
> > obscure problems.
> >
> > Yes, call demanding geek inspection related to security by obscurity.
>
> But this is not security by obscurity. It's assumed security by difficulty
> of solving either the DL or symmetric cipher.
>
Try to get beyond the abilities of those that post here and talk to the
people out there. I am really quoting the many people I talk to, as well
as what I feel, when I complain about the state of computer security, and
the geeking of the process. The public is not too happy in having to
depend on the people that brought them promise of a Y2K meltdown. Do not
think that all pros have much of a moral fiber either.
--
Still a good idea from Einstein: If you can't explain something clearly to a child,
you do not understand it well enough.
So much for models of trust, they generally are ill-founded.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Thu, 30 Sep 1999 23:57:30 GMT
> What I actually said PRIVATELY was for you to EMIT
> your position publicly as a BEGINNING. You've gone
> forward and reduced the contradiction. I'll grant
> you GROUNDS once only, so here it is.
What do you mean by grounds? By beginning? What the hell
are you talking about?
> > What do you mean?
>
> You might try the NATIONAL SECURITY ARCHIVES organization
> for POSITION. I don't know if they have a presence on
> the INTERNET now, but they did exist SOMEWHERE not all
> that long ago, as far as I know.
>
> As you may have been following the FBI investigation of
> the COBBS CREEK MASACRE, they determined that CRIMES
> WERE COMMITTED AND THEY CAN FIND NO CRIMINALS. They're
> about to start in again on WACO. Can you set this
> straight???? How's that for position????
I have no clue what you were asking me in the first place.
If you cannot speak english like the rest of us, give it up.
--
Truth is first ridiculed, then violently opposed, and then it is
accepted as self evident ("obvious").
I love my president... I love my president... I love my president...
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: On oldy encryptions
Date: Thu, 30 Sep 1999 18:47:47 -0600
Ah, the best deceptions, to make something hard look easy. and easy,
hard. Formats are trivial playthings, which beg to hide crytographic
doings.
To the slightly informed, simple unbreakable crypto can be as common as
dirt. And, there is no reason to think that the simple information
involved will not continue to propagate, much to the dismay of those who
want to be in control of others abilities.
--
Still a good idea from Einstein: If you can't explain something clearly to a child,
you do not understand it well enough.
So much for models of trust, they generally are ill-founded.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Cryptographic bit-length and the meaning
Date: Thu, 30 Sep 1999 18:35:58 -0600
In article <7svcmj$mvv$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> Hey there!
>
> I'm a newbee on this subject, but I hope someone
> will help anyway!
>
> Now - to my question:
>
> When something is encrypted with 8-bit there is 256 posible keys.
>
> How does that number climb in follow of the bit size?
>
I suppose I'm a contrarian, always confronting stated simple ideas with
facts that don't fit in easily, but are nevertheless there. Cryptographic
keys may be other than a series of bits, as they can be permuted arrays as
well. Indeed, bit oriented keys are just one street in a city of number
systems.
In fact, there seems to be no end to novel systems, a fact which should
rob the sleep of attackers, and continue to inspire crytographers
interested it the larger possibilities in the field.
If all you understand or seek are those handy to bit math, you will have a
lopsided view of cryto in general and never appreciate the majority of
possible crypto related calculations. Number theory is useful to get a
bigger view.
--
Still a good idea from Einstein: If you can't explain something clearly to a child,
you do not understand it well enough.
So much for models of trust, they generally are ill-founded.
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto
Subject: Re: crypto export rules changing
Date: Thu, 30 Sep 1999 17:34:03 -0700
Stephen M. Gardner wrote:
>
> Greg wrote:
>
> > ANY licensing by the government constitutes compromised software.
> > No one will ever be able to have confidence that the software they
> > are using has a trap door courtesy of NSA secret requirements if
> > it had to pass NSA for a government license.
>
> Even open source software? I don't think so. Some people seem to
> have an almost mystical faith in the NSA to pull off supernatural acts
> of evil. Get a grip folks. One does not have to trust the government
> (any government) to trust one's own eyes and the eyes of thousands of
> people who couldn't possibly be on the NSA payroll. Crimus, I see more
> than a few folks here whose dosages are still in need of minor
> adjustment. ;-)
>
You're hitting the nail on the head here, keep hitting it. I'm no
open source zealot, but as far as crypto goes, open
source is clearly the way to go.
George
> --
> Steve Gardner Technical Staff Member 1320 Systems Engineering
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: EFS
Date: Thu, 30 Sep 1999 18:19:10 -0700
If I remember correctly, I read in one of their spec sheets that on release
it would support only DES. The record for breaking DES stands at 22 hours 15
minutes. My question about EFS is: Why bother?
Joe
Please feel free to correct me if I'm wrong, I haven't read that sheet in
almost 3 months so I may mis-remember or it may have changed.
------------------------------
From: "Richard Parker" <[EMAIL PROTECTED]>
Subject: Re: RC4 weaknesses
Date: Fri, 01 Oct 1999 00:46:10 GMT
> ... recently I heard about a report on experiments showing consecutive
> RC4-output bytes had a probability higher than 1/256 of being equal.
> Does anyone know more about the latter (URL?) ...
The report to which you refer is probably Paul Crowley's. He found
that RC4 has a small bias towards identical successive characters.
His results indicate that the probability of such an occurrence in the
output of RC4 is about 1/256 + 1/2^24 instead of the expected
probability of 1/256. To the best of my knowledge no one has
formulated an attack on RC4 that exploits this bias.
Paul Crowley has made his results available at the following URL:
<http://www.hedonism.demon.co.uk/paul/rc4/>
-Richard
------------------------------
Date: Thu, 30 Sep 1999 20:38:32 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Glossary of undefineable crypto terms (was Re: Ritter's paper)
Douglas A. Gwyn wrote:
> "Trevor Jackson, III" wrote:
> > Also Known As the Karnak Atack. You hold the cipher text up to your
> > forehead and guess the plaintext. There is no possible cryptologic
> > defense against someone who can guess your message. A ouija board is a
> > tool to assist in such guessing.
>
> Well, yes, there is a defense. In a true "Ouija" attack, a correct
> guess can be *verified* against the intercepted ciphertext. But OTP
> is immune to this, so it is an example of an Ouija-resistant system.
No.
The whole point of a psychic or telepathic attack is that you don't need
verification. If you pick the One True Message from an OTP cipher stream
you've picked it out of thin air. It's not a guess, it's an out-of-band (out
of universe) connection to the source of the message.
Also, the proper form of verification for any oncovered plaintext is not
decryption. You might not have discovered the key at all. The proper form
of verification is "ground truth". Using the example from another thread,
one meets the ship and thus obtains verification.
------------------------------
From: [EMAIL PROTECTED] (Alfred John Menezes)
Subject: Re: Cryptanalysis of 2 key TDES
Date: 30 Sep 1999 23:55:26 GMT
The best attack known on 2-key Triple DES is due to Wiener and
Van Oorschot from Eurocrypt '90. If the number of known
plaintext-ciphertext pairs is t, then the attack takes O(t) space,
and about 2^(120 - lg(t)) steps.
For further details, see Facts 7.39 and 7.40 in Chapter 7 of the
Handbook of Applied Cryptography (available from
www.cacr.math.uwaterloo.ca/hac).
- Alfred
In article <7t06ti$avt$[EMAIL PROTECTED]>,
James Muir <[EMAIL PROTECTED]> wrote:
>I am curious about the complexity of the best known attack on 2 key
>triple DES.
>
>I have recently read that the best known attack on 3 key triple DES
>uses a known plaintext / meet in the middle technique requiring 3
>plaintext/ciphertext pairs, 2^113 steps of analysis, and 2^56 memory.
>
>Certainly this attack can be applied to 2 key TDES, but intuitively it
>seem as though there should be a short cut which exploits the fact that
>K1=K3.
>
>Does anyone know of an attack on two key TDES with a lower complexity
>than the one above?
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Thu, 30 Sep 1999 21:06:18 GMT
On Thu, 30 Sep 1999 15:10:33 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>Greg wrote:
>> Defendant: Your honor, I move that this case be dismissed
>> for a lack of evidence.
>> Judge: Your argument has no standing in this court.
>
>It would be the defendant's attorney that would so move,
>and he certainly would have "standing", and lack of
>evidence certainly *is* considered grounds for dismissal.
They have the evidence. There is plenty of evidence, and it can't be refuted
since the methods used to obtain that evidence aren't required to be disclosed.
Johnny Bravo
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: 1 Oct 1999 01:55:34 GMT
In <7t0e4d$gtc$[EMAIL PROTECTED]> Greg <[EMAIL PROTECTED]> writes:
]Not if Reno has her way. She is not joking. If her plans
]become law, they WONT have to say how they decrypted jack.
]They are very serious about this. They know that once it
]is written down on paper, once it has the appearance of a
]legitimate law, then it would take a very courageous judge
]to stand up against the establishment. This IS reality today.
A law which flies in the face of 1000 years of the rules of evidence
would not require a very courageous judge to strike down. In fact any
judge that allowed the law to stand would be laughed out of his
profession. The right of an accused to test the evidence against him is
now many centuries old, and is not going to be overturned just on the
sayso of the attourney general, or even congress. Recall how long the
Communication decency law lasted, and that was a far far more trivial
playing with the constitution.
]> There is simply no way that almost any court, and certainly
]> not the supreme court, would let stand a law which removed
]> the right of the defence to test the evidence against the
]> accused.
]It would take the supreme court to overturn this, if not
]an appeals court. You are correct. But this scenario will
]play out if Reno has her way. That was my point all along.
Any case which actually came to any court would be thrown out by the
judge. The govt would appeal, the appeals court would throw it out. They
would appeal to the supreme court and the supreme court would probably
not even hear the case.
Look, this problem of the police giving away the source of their
evidence upon trial has far far too long a case history for this to be
any problem for the courts. Police have always wanted to protect their
sources of information. If they can get other evidence they do so and
rely on that other evidence. If they cannot, and try to bring the case
to court based soley on the sayso of the police, trying to protect their
source, they loose. And no law is going to change that. Perhaps a
constitutional ammendment would, but the chances of that happening are
(I hope ) small.
]And don't tell me that the Supremes are a certain safe guard
]against tyranny. Not by any stretch of the imagination. They
]won't touch the second amendment and it is the one law that
]is most under attack.
]> They might let stand a law which allowed the court to
]> hear that evidence in secret,...
]Not according to Reno's plan.
Plans are not laws. And laws are not necessarily binding. Ie, between
the intention and the action falls the shadow.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: talk.politics.crypto
Subject: Re: crypto export rules changing
Date: 1 Oct 1999 02:10:11 GMT
In <[EMAIL PROTECTED]> "Stephen M. Gardner" <[EMAIL PROTECTED]>
writes:
]Greg wrote:
]> ANY licensing by the government constitutes compromised software.
]> No one will ever be able to have confidence that the software they
]> are using has a trap door courtesy of NSA secret requirements if
]> it had to pass NSA for a government license.
] Even open source software? I don't think so. Some people seem to
The question is whether or not the gov't will license open source
software for export, or whether they will demand binary only.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: msg for Dave Scott
Date: Thu, 30 Sep 1999 21:08:38 GMT
Tom St Denis wrote:
> In article <[EMAIL PROTECTED]>,
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> > In fact the history of cryptology is full of examples of
> > symmetric ciphers that were cracked much more efficiently
> > than by a brute-force key search.
> Yeah but with only 10 blocks or so?
How big is a "block"?
The simple answer is, yes indeed.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: hidden channel in Peekboo
Date: Fri, 01 Oct 1999 02:33:44 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (wtshaw) wrote:
> In article <7suik7$4od$[EMAIL PROTECTED]>, Tom St Denis
> <[EMAIL PROTECTED]> wrote:
>
> > In article <[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED] (wtshaw) wrote:
> >
> > > >
> > > It is an unfortunate condition that someone who just wants to get
> > > encrypted information from point A to B must become a programming guru.
> > > Certain popular algorithms do carry this burden. I would reject those
> > > that carry this condition as being very bad for a practical world as there
> > > are possible algorthms that do not seem to have such complicated and
> > > obscure problems.
> > >
> > > Yes, call demanding geek inspection related to security by obscurity.
> >
> > But this is not security by obscurity. It's assumed security by difficulty
> > of solving either the DL or symmetric cipher.
> >
> Try to get beyond the abilities of those that post here and talk to the
> people out there. I am really quoting the many people I talk to, as well
> as what I feel, when I complain about the state of computer security, and
> the geeking of the process. The public is not too happy in having to
> depend on the people that brought them promise of a Y2K meltdown. Do not
> think that all pros have much of a moral fiber either.
> --
> Still a good idea from Einstein: If you can't explain something clearly to a child,
>you do not understand it well enough.
>
> So much for models of trust, they generally are ill-founded.
I don't quite get your point.... Peekboo is very easy to setup and use. Most
users introduce themselves by sending an email containing their public key
and the message. If you expect for example all people who drive cars to be
mechanics or all people who take medicine to be doctors then I think you are
dreaming.
I don't expect most users to say 'ha he uses blah blah blah' it must be
secure. What I want is crypto people to say 'ha he uses blah blah blah this
way ...' it must be [unproven to not be] secure. If like GM I can get
'quotes from experts' then that will please the mass.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Compress before Encryption
Date: Fri, 01 Oct 1999 02:38:37 GMT
In article <7t0p2r$19da$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> Know could you enter my code or does it require some crappy
> ps type of format.
I would have laughed to see you in school... 'you mean I have to write down
the full solution?'. Personally if you can't even provide some reasonably
documented description of the entire cipher then it's not worth looking at.
What if for example I wanted to implement scottu16 on a 68040 in assembler?
Would I have to decode your source?
> >For another, what does DW's skill have to do with BS's skill??
> Do you really want to know. I think they form mutual
> admeration society. They use each other as some sort of
> reference when in fact one just works for the other. Some one
> a short time ago found out and posted the info.
It's called a TEAM... you should look the word up.
> >
> >Please cut out the personal invectives and stick to reasoned
> >argumentation. Thanks!
> YOur welcome
The politeness is overwhelming.
And have a nice day, a demain.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: msg for Dave Scott
Date: Fri, 01 Oct 1999 02:55:52 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Jerry Coffin) wrote:
> How in the world could you get that idea? I talk about web sites
> where programs are sold. At least the last I heard, you have no web
> site, and you give your program away.
website: http://www.cell2000.net/security/peekboo/index.html
(been there for 2 weeks or so)
> Rest assured that if I'd intended to flame you/your program, you
> wouldn't have to guess about it at all. Unfortunately, as one PR
> person once said, there's no such thing as bad publicity. Thus, I
> prefer to refrain from mentioning the names of the garbage programs in
> case somebody happens to remember the name but forget that I said it
> was trash and figures that it's something they've heard of before, so
> maybe it's better than those others they don't recognize...
You have a good point there though =)
> In case you'd forgotten, I have seen it -- in fact you emailed me the
> source-code yourself. If I'd seen a major problem with it, I would
> have sent you a reply telling you about it.
>
> You do seem to be getting a bit sensitive about the situation though.
> Just as a personal suggestion, you might want to think of something
> unrelated to computers to do for a little while, simply to give
> yourself a chance to unwind a bit. This time of year I personally
> find a hike in the mountains to be particularly efficacious, but of
> course everybody has their own idea of how to relax.
Well maybe I will put out one more release (whole bunch of new stuff since
1.4) and seriously put it aside... I dunno... I get requests and I add to
it... =) Check it out sometime next week when 1.53 is out. Much easier to
use...
>
> > I think what I was trying to say (about 3 days ago) is sure you can break RC5
> > with 2^53 known plaintexts ...etc or Blowfish with 3x2^51 ... etc... but you
> > can't use that to break a msg of only 10 blocks. Which is why brute force
> > would be the only real attack against the symmetric cipher.
>
> Keep in mind that most of the attacks that require large amounts of
> known plaintext (or chosen plaintext, related keys, etc.) are
> statistical in nature: you collect information on one block and that
> gives you an indication that some bit in the key is a tiny bit more
> likely to be a one than a zero or vice versa. After you put together
> enough of these tiny chances, you get a pretty strong indication of
> what a particular bit in the key is likely to be.
>
> There is, however, no hard and fast lower bound on the amount of text
> needed to collect _some_ information about the key, and improve your
> chances over a brute-force attack at least somewhat.
>
> In fairness though, you're absolutely correct that with most modern
> ciphers, trying such an attack using only 5 or 10 blocks is going to
> be a complete waste of time -- you're simply not improving your
> chances enough that you're at all likely to notice a difference in the
> final search time.
There you go. So like I was saying 'PRATICALLY' you will not be able to
speed up a key search much or any at all.
Anyways... finishing 1.53 and calling it a day.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: msg for Dave Scott
Date: Fri, 01 Oct 1999 02:58:53 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> On Thu, 30 Sep 1999 11:34:03 GMT, Tom St Denis wrote:
> >
> >Yeah but with only 10 blocks or so?
> >
>
> your prog is made to crypt only 10 blocks per key ?
>
> btw: with only 1 block, even a caesar cypher is unconditionaly secure
> with a random key.
>
In peekboo 1.4 to 1.52 10 blocks is either 10 bytes (RC4), 80 bytes or 128
bytes. Most messages are about 512 bytes, so they are eitther 512 blocks, 64
blocks or 32 blocks... sorry for the confusion... =)
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Q: Burrows-Wheeler transform
Date: Fri, 01 Oct 1999 03:04:03 GMT
In article <7suncf$pti$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> In article <[EMAIL PROTECTED]>, Mok-Kong Shen
><[EMAIL PROTECTED]> wrote:
> >While compression is, as far as I am aware, generally regarded
> >as orthogonal to encryption, it is nontheless an aid to information
> >security, I suppose. Recently I read somewhere a claim that the
> >Burrows-Wheeler transform is a better compression technique than
> >Huffman or arithmetic encoding. Could some person having knowledge
> >and experience with that say whether this is true and whether the
> >advantage passes on to encryption? (Could it be that it is slower?)
> >
> >Thanks in advance.
> >
> >M. K. Shen
> >----------------------
> >http://home.t-online.de/home/mok-kong.shen
>
> For text it is a very good cmpression. However due to the nature
> of the BWT I think that it would be hard to write a "one to one" compress
> for it. It was the second compression method I looked at and have yet
> to make progress making it one to one. So if you use it. Most of the
> time a wrong key is guessed in an attacke it will not uncompress.
I bet most of the time when you guess the wrong key in your system you don't
get ASCII back.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
