Cryptography-Digest Digest #673, Volume #10       Fri, 3 Dec 99 12:13:01 EST

Contents:
  Re: Why Aren't Virtual Dice Adequate? ("Trevor Jackson, III")
  Re: The $10,000.00 contesta (SCOTT19U.ZIP_GUY)
  Re: Random Noise Encryption Buffs (Look Here) ("Trevor Jackson, III")
  Re: Safeboot is it really safe (Keith A Monahan)
  Re: Why Aren't Virtual Dice Adequate? (Tim Tyler)
  Re: Random Noise Encryption Buffs (Look Here) ("Trevor Jackson, III")
  Re: Random Noise Encryption Buffs (Look Here) (Tim Tyler)
  Re: Random Noise Encryption Buffs (Look Here) (Tim Tyler)
  Re: Peekboo Ideas? (Tom St Denis)
  Re: Noise Encryption (Mattias Wecksten)
  Re: AES cyphers leak information like sieves (Tim Tyler)
  Re: Why Aren't Virtual Dice Adequate? (Guy Macon)
  Re: What part of 'You need the key to know' don't you people get? (Tim Tyler)
  RSA ("Brice")

----------------------------------------------------------------------------

Date: Fri, 03 Dec 1999 10:44:16 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?

r.e.s. wrote:

> "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote ...
> : Mickey McInnis wrote:
> : > "r.e.s." <[EMAIL PROTECTED]> writes:
> [...]
> : > |> In practice, though, who would use a "pure OTP" without
> : > |> further strengthening? (Even if the OTP is theoretically
> : > |> "unbreakable", it seems appropriate to say that any
> : > |> OTP *implementation* can, in practice, be relatively
> : > |> strong or weak.)
> : > |>
> : > |> (I notice that
> : > |> http://www.io.com/~ritter/GLOSSARY.HTM#MessageKey
> : > |> explains how the use of message keys can thwart
> : > |> exactly the type of scenario envisioned above.)
> : > |>
> : > |> --
> : > |> r.e.s.
> : > |> [EMAIL PROTECTED]
> : > |>
> : >
> : > This is a well known and much discussed "weakness" of a one-time-pad.
> : >
> : > A properly used OTP "absolutely" prevents the enemy from determining
> : > the cleartext from the cyphertext by cryptographic means.  It doesn't
> : > "absolutely" prevent him from sending a false message that looks
> : > real.
> : >
> : > It can also happen if the enemy can somehow "guess" the cleartext, even
> : > if it's only sent to one correspondent.  If the enemy thinks he might
> : > know the text, he could try to substitute text this way and would
> : > send a "proper" message if he guessed right.  If he gets it wrong,
> : > the correspondent would get garbage.
> : >
> : > There is another well-known cryptographic "weakness" in OTP and many
> : > other cryptosystems.  Unless you pad the messages, the enemy knows the
> : > length of the message.
> : >
> : > I wonder if there's something analogous to an OTP that will provide
> : > the same degree of "absolute" protection from "spoofing" as OTP
> : > does from "breaking".
> :
> : A simple mechanism is to use a shared secret.  Assume that in addition
> : to the (large) message key repository each pair of correspondents is
> : given a unique "signature" value.  For purposes of illustration this
> : could be small; 64-256 bits.  To send an authentic message one appends
> : the "signature" to the message, encoding it with the keypad.  On
> : receipt of a message the decoder unmasks the "signature" region and
> : compares the result with the secret value.  Since the premise of the
> : "signature" is that only the sender and receiver know the valid
> : signature value, and because the signature ciphertext is not reused,
> : the message must have come from one of the two in possession of the
> : secret "signature" value. This approach does not prevent replay attacks.
>
> In addition to its other functions, doesn't a message key (as defined
> above) accomplish the same thing as the type of "signature" you describe?
> (It is, after all, a kind of "shared secret", being sent along with the
> enciphered message.)
>
> The message key is created by the sender to be random and unique to each
> transmission, is accessible only to possessors of the primary key, is
> necessary if the decipherment is not to produce garbage, and strengthens
> any stream cipher -- including an OTP -- by helping to ensure that keys
> are really used only once.

What's an "authentic" message key?

The purpose of authenticating a message cannot be addressed by the sender
synthesizing a value that the receiver cannot calculate.  Thus a message key
generated by the sender and not already known to the receiver would not
authenticate a message because the receiver has no way to distinguish message
keys selected by the sender from message keys selected by an opponent.
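As an added example (not code from the thread), the scheme Trevor describes in Python: the shared "signature" value is appended to the message and masked with fresh pad bytes, the receiver unmasks and compares, and a replayed copy of a genuine ciphertext still passes the check. Pad, message and signature values are constructed for the demonstration.

```python
# Added example, not code from the thread: an OTP with Trevor's appended
# shared "signature", plus the replay caveat he mentions.
import hmac
import os

SIG_LEN = 16  # 128-bit shared signature value (size is an assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def send(pad: bytes, message: bytes, signature: bytes) -> bytes:
    """Append the shared signature, then mask message+signature with fresh pad."""
    if len(signature) != SIG_LEN:
        raise ValueError("signature must be SIG_LEN bytes")
    plain = message + signature
    if len(pad) < len(plain):
        raise ValueError("pad exhausted: never reuse pad bytes")
    return xor(plain, pad[:len(plain)])


def receive(pad: bytes, ciphertext: bytes, signature: bytes):
    """Unmask with the same pad bytes; accept only if the signature region matches.

    Returns the message, or None when the sender evidently did not know the
    shared signature value."""
    if len(ciphertext) <= SIG_LEN or len(pad) < len(ciphertext):
        return None
    plain = xor(ciphertext, pad[:len(ciphertext)])
    message, sig = plain[:-SIG_LEN], plain[-SIG_LEN:]
    if not hmac.compare_digest(sig, signature):
        return None
    return message


def demo():
    """Genuine message accepted; a forgery by someone without the signature
    rejected; a replayed copy accepted again, exactly the gap Trevor notes.
    (Defence: the receiver records which pad offsets it has already consumed.)"""
    pad = os.urandom(64)          # constructed: one segment of the shared pad
    sig = os.urandom(SIG_LEN)     # constructed: the pair's shared signature value
    ct = send(pad, b"attack at dawn", sig)
    genuine = receive(pad, ct, sig)
    forged = receive(pad, os.urandom(len(ct)), sig)   # sender knows neither secret
    replayed = receive(pad, ct, sig)                  # same bytes sent a second time
    return genuine, forged, replayed


if __name__ == "__main__":
    print(demo())
```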





------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: The $10,000.00 contesta
Date: Fri, 03 Dec 1999 16:30:58 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Johnny Bravo) 
wrote:
>On Thu, 02 Dec 1999 15:51:42 GMT, [EMAIL PROTECTED] (Bruce
>Schneier) wrote:
>
>>I think that almost all algorithm designers would be happy to see a
>>new attack on their algorithms.  New attacks means that we're learning
>>something.
>
>  I'd imagine that it would be a bit tempered by the disappointment at
>being knocked out of the AES competition.  As much as our love of
>knowledge is, you guys have a right to feel proud of your creations.
>The represent very large quantities of work and creative effort.
>Seeing one of them knocked out of the running couldn't feel good,
>though I suppose it would feel much worse if it was accepted and it
>was broken after everyone was using it. :)
>

    If any of these got knocked out at this stage due to new attacks, what is
the chance that other new attacks will not, in the near future, knock out
the others? This could really be a major pain in the ass if the AES
blesses something only to have a public break in a short time, if
everyone is foolish enough to jump on the AES bandwagon.





David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***

------------------------------

Date: Fri, 03 Dec 1999 10:47:22 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)

Dave Knapp wrote:

> On Sun, 28 Nov 1999 10:33:18 -0500, "Trevor Jackson, III"
> <[EMAIL PROTECTED]> wrote:
>
> >Now AFAIK, no amount of measurement of a single nucleus will permit any kind of
> >prediction of its future emissions.  We can predict the statistical behavior of
> >collections of nuclei, but that's not an "explanation" of the behavior any more
> >than predicting the decay of the orbits of a collection of satellites is an
> >"explanation" of the process.
>
> This is so wrong I am not sure even where to start...
>
> We can predict, with (in principle) perfect accuracy the wavefunction
> of the nucleus at all times.
>
> What we cannot predict is the location at which a particle will be
> observed at a specific time in the future.
>
> But your assertion that the above means we cannot model the system is
> absolutely false.
>
> I recommend you read up on Bell's inequality and the Aspect
> experiment.

I have.  And in the context of radioactive decay I stand by my assertions.  If we are
to continue this topic we should pick a more appropriate venue.


------------------------------

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: Safeboot is it really safe
Date: 3 Dec 1999 15:44:55 GMT

Matt,

I use BestCrypt which works well on my 95/98 machines.  It uses strong
encryption like Blowfish, 3DES, GOST algorithms.  I've found it to be
pretty good.  You can download the development kit which has the source
code to verify security.

Keith

Matt ([EMAIL PROTECTED]) wrote:
: Hi,

: Which is the better for encription of HDD or partitions
: safeboot or PGP for WinNT/Win95/Win98/Win2000
: and Linux ?

: Regards

: Matt


------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Why Aren't Virtual Dice Adequate?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 3 Dec 1999 15:45:28 GMT

John Myre <[EMAIL PROTECTED]> wrote:

: In fact we can be much more general.  The relevant property of OTP
: here is that the ciphertext is the bitwise XOR of the plaintext and
: some key bits.  So the same attacks apply to many other ciphers (such
: as RC4 or DES in OFB mode).

Yes.  Is OFB mode used much for encrypting anyway, though?
Any stream cyphers which use XOR also have the same problem.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Two seconds after starting the download is no time to check your path.

------------------------------

Date: Fri, 03 Dec 1999 11:01:43 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)

r.e.s. wrote:

> "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote ...
> : Anthropologists have observed that all societies have processes that
> : are based on the "urge to explain".  These urges are supposed to be
> : the source of religious institutions and of  "natural philosophy".
> : It's not hard to use the same desire for understanding to explain
> : why people might resist admitting the inexplicable, unsolvable, or
> : unpredictable into their world view.
>
> However,
>
>   Anthropologists have observed that all societies have processes that
>   are based on the "urge to mystify".  These urges are supposed to be
>   the source of religious institutions and of "natural philosophy".
>   It's not hard to use the same desire for mystification to explain
>   why people might resist admitting the explicable, solvable, or
>   predictable into their world view.
>
> I include "natural philosophy" due to the increased willingness,
> especially since the 60's, of philosophers & scientists to entertain
> more-mystical world-views. (This is intended as an observation, not as
> a value judgement.)

I've encountered this observation in the literature regarding individuals
but not as an observation regarding societies.  Other than the politics of
power, where hidden knowledge can be a power base, I'm a little skeptical
that this is a global attribute of human societies.  Your observation on
the mystification of the western culture since the 60's would argue
against the generalization.

>
>
> --
> r.e.s.
> [EMAIL PROTECTED]




------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 3 Dec 1999 15:55:35 GMT

Guy Macon <[EMAIL PROTECTED]> wrote:

[snip true randomness]

: This raises an interesting question about human psychology.
: For some reason, various people have a deep need to not
: believe in randomness or unbreakable codes.  The more rational
: among us are content with pointing out the practical difficulties
: of using atomic decay or One Time Pads, or the many other ways to
: obtain information but there are others who show the following
: attributes;

: [1] They know in their hearts that unbreakable codes and/or
:     randomness cannot possibly exist.

: [2] They have never been taught critical thinking skills.

: I wonder why some of us have this deep need to believe?

They might well be right.  Nobody knows (and probably nobody will know
for a very long time) whether the universe is deterministic or not.

Many-worlds interpretations of QP can be completely deterministic, and
show no need for randomness.

Theoreticians go much further.  Look at the "Digital Physics" page at
http://cvm.msu.edu/~dobrzele/dp/ for an example of how far.

I think you can leave the psychoanalysis aside until you have located
some people who demonstrably have a delusion.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

...but have you tried PRUNES?

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 3 Dec 1999 16:01:39 GMT

Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:

[atomic randomness]

: You have just discovered true randomness.

Alas, even *if* this is genuinely random - which you will never
demonstrate - nobody has developed a scheme for extracting this
information onto a macroscopic scale without introducing bias of
one type or another.

Until such a scheme is demonstrated, "true atomic randomness" is
of the same utility to a cryptographer as a "perfectly straight line"
is to a student of geometry.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

May all your hang-ups be drip-dry.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Peekboo Ideas?
Date: Fri, 03 Dec 1999 15:57:23 GMT

In article <[EMAIL PROTECTED]>,
  Medical Electronics Lab <[EMAIL PROTECTED]> wrote:
> Why not compress the message, then sign the compression?  Send the
> whole thing as a base64 which is easy to recover, not encrypted
> but still won't get modified by all the stuff in between.  Plus
> you send less data :-)

So compress the message then send the compressed message + signature in
a base64 blob?

Good idea :)

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Mattias Wecksten <[EMAIL PROTECTED]>
Subject: Re: Noise Encryption
Date: Fri, 03 Dec 1999 17:10:09 +0100

> Erm, no, I think the Key-randomness is critical, if you can guess the key
> you can recover the message.

    Yes, of course - if you can guess the key you can decrypt the message. This
    is true for all keys - also true random keys.

> Also you must never reuse the same key...

    Of course, it would not be interesting to discuss otherwise.

> OTP is as secure as your key generation actually. OTP=Secure if KEYgen=Random.

    I disagree. I will try to explain why.

Assumption:

   * Algorithm is known.
   * Encrypted text is known.
   * Key is not known.
   * Plaintext is not known.

Statements:

    If the key is true random, the algorithm is "add" without carry, and the
    plaintext is the same character repeated (not random), the encrypted text
    will still be true random.

    If the key is the same character repeated (not random), the algorithm is
    "add" without carry, and the plaintext is true random, the encrypted text
    will still be true random.

Result:

    Since these two cases will result in the same distribution you cannot tell
    them apart (actually they can generate the same encrypted text). This
    means that you cannot say how random the key is or how random the
    message is. All cases in between can and do exist.


    If you use a limited amount of data you can get a distribution that is
    impossible to tell apart from a "true" random set.

Assumption:

   * The range for the sets is i ∈ N, 0 < i < 10
   * One data subset is from a true random set.
   * One data subset is from a generated set.

Example:

  1. a = { 4, 4, 4, 4 }
  2. b = { 9, 3, 7, 2 }

Result:

    You cannot tell the subsets apart (a is from a real random distribution).


    The important thing is to use a key that could not be guessed - yes, but
    this does not by itself mean that the key has to be "true" random. The real
    problem with OTP is to transport the key by a secure medium.

> I would however be interested in your scheme for a secure system using
> JavaScript and compiler? Could you post a little more elaborately or was
> that just some strange comment not meant to be taken literally?

    I would love to if there is an audience for it.

> whats  "MvH M WxX" ?

    MvH = Med vänliga Hälsningar (Sincerely in .se language)
    WxX = W-[ex]-ten [Wecksten]

    That is all *hoping for a nice discussion*,

    MvH M WxX
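An added example (not from the post) of the "add without carry" argument above, assuming digits 0-9 with addition modulo 10: the post's sample b = {9, 3, 7, 2} is produced from the constant plaintext a = {4, 4, 4, 4} under one key, and the same ciphertext is equally explained by a constant key and a non-constant plaintext, so the ciphertext says nothing about which side was random. The key values are constructed.

```python
# Added example, not code from the post: Wecksten's "add without carry" OTP on
# decimal digits.  Assumption: digits 0..9, so "add without carry" is addition mod 10.
import random

DIGITS = 10


def add_nc(plain, key):
    """Digit-wise addition without carry: the post's OTP 'add' algorithm."""
    if len(plain) != len(key):
        raise ValueError("key must be exactly as long as the plaintext")
    return [(p + k) % DIGITS for p, k in zip(plain, key)]


def sub_nc(cipher, other):
    """Inverse of add_nc: recovers the plaintext given the key, or the key given the plaintext."""
    return [(c - o) % DIGITS for c, o in zip(cipher, other)]


def two_explanations(cipher):
    """One ciphertext, two consistent stories.

    (a) constant plaintext 4,4,4,... with the key that implies;
    (b) constant key 7,7,7,... with the plaintext that implies.
    An observer of the ciphertext alone cannot tell which one is true."""
    const_plain = [4] * len(cipher)
    key_a = sub_nc(cipher, const_plain)       # add_nc(const_plain, key_a) == cipher
    const_key = [7] * len(cipher)             # constructed constant key
    plain_b = sub_nc(cipher, const_key)       # add_nc(plain_b, const_key) == cipher
    return (const_plain, key_a), (plain_b, const_key)


def ciphertext_histogram(plain, trials, seed=0):
    """Encrypt the same non-random plaintext under fresh random keys and count the
    first ciphertext digit: the distribution is flat although the plaintext is not."""
    rng = random.Random(seed)                 # seeded only to make the demo repeatable
    counts = [0] * DIGITS
    for _ in range(trials):
        key = [rng.randrange(DIGITS) for _ in plain]
        counts[add_nc(plain, key)[0]] += 1
    return counts


if __name__ == "__main__":
    ct = add_nc([4, 4, 4, 4], [5, 9, 3, 8])   # constructed key; gives the post's set b
    print(ct, two_explanations(ct), ciphertext_histogram([4, 4, 4, 4], 10000))
```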


------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Reply-To: [EMAIL PROTECTED]
Date: Fri, 3 Dec 1999 16:24:01 GMT

Brian Chase <[EMAIL PROTECTED]> wrote:

: Also, the claim that inherent error correcting capabilities in encryption
: are a good thing is absolutely ridiculous.  Intuitively this undermines
: the fundamental purpose of cryptography.  The ability of a data set to be
: corrected means that the data set contains redundant information.  Is this
: not undesirable for the purpose of obscuring the original data?

In the case under discussion (block-cyphers using CBC or CFB chaining
modes) the error "correction" does not actually involve any redundancy in
the message.  Rather than correcting the error, the effect is rather to
ensure that an error at a single point does not propagate its effects
through the rest of the message, making it unreadable.

The resulting encrypted message is the same length as the original (plus,
possibly, the IV, which contains no information from the plaintext at
all).  No additional redundancy is introduced by using such techniques.

: I'm not arguing against the importance of error correction.  It is very
: important, but error correction is a whole other area outside of
: cryptology.  In sci.crypt we are first concerned with obscuring the data
: and making it resilient to attack.  Worrying about the successful
: transmission of that data between point "A" and point "B" is a
: communication problem, not directly a security problem.

Getting your message through *can* be a security problem.  It has been
pointed out that transmitting a message can broadcast your location.
Delivery of a message can expose the recipient to identification and
elimination.  Failure of an important message to arrive largely intact can
cause severe consequences.  Transmitting a message twice increases the
risks of interception... and so on.

The ability to resist errors /is/ a security issue, and - it seems to
me - one that /can't/ be completely divorced from considerations of
strength.

It seems to me that /ideally/, you should be able to control to what
extent errors in the message propagate and obscure the plaintext.

Depending on your circumstances, maximum confusion in the message
may be tolerable - though if there are any errors remaining after the
error correction in the transmission channel has done its best,
these will completely obscure the message.

Under other circumstances, use of very-short block sizes may provide
the best way to send your message.  Some combination of a very long
message, a very noisy channel, importance of delivery, one-way
communication, and limited bandwidth may produce such circumstances.
Of course there will be security issues to be faced, but if you
are prepared for these - and factor them into your calculations -
at least you know what you're letting yourself in for.

Block size is a /fundamental/ variable, one which there is good
reason not to keep fixed.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

All programmers want arrays.
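As an added example (not code from the thread), a toy 8-byte Feistel cipher run in CBC mode to show the bounded error propagation Tim describes: flipping one ciphertext bit garbles that block and flips one bit of the next, and nothing beyond, with no redundancy added to the message. The cipher, key and IV are constructed for illustration only; the Feistel round function is a hash, not a real block cipher.

```python
# Added example, not code from the thread: CBC error propagation with a toy cipher.
import hashlib

BLOCK = 8            # 64-bit blocks (assumption for the toy cipher)
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, i: int) -> bytes:
    """Toy Feistel round function: keyed hash of the right half, truncated."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(r, key, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(l, key, i)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C[i] = E(P[i] xor C[i-1]); ciphertext is exactly as long as the plaintext."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P[i] = D(C[i]) xor C[i-1]: each plaintext block depends on two ciphertext blocks only."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def damaged_blocks(key: bytes, iv: bytes, plaintext: bytes, byte_index: int):
    """Flip one bit of ciphertext byte `byte_index` in transit, decrypt, and report
    which plaintext blocks differ: block k is garbled, block k+1 has one bit flipped,
    the rest of the message survives untouched."""
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    ct[byte_index] ^= 0x01
    recovered = cbc_decrypt(key, iv, bytes(ct))
    return [k for k in range(len(plaintext) // BLOCK)
            if recovered[k * BLOCK:(k + 1) * BLOCK] != plaintext[k * BLOCK:(k + 1) * BLOCK]]


if __name__ == "__main__":
    key, iv = b"constructed-key!", bytes(range(BLOCK))   # constructed sample values
    msg = b"0123456789ABCDEF0123456789ABCDEF"             # 4 blocks
    print(damaged_blocks(key, iv, msg, 9), damaged_blocks(key, iv, msg, 30))
```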

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: 03 Dec 1999 11:38:51 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tim Tyler) wrote:

>In sci.crypt Mickey McInnis <[EMAIL PROTECTED]> wrote:
>
>: I wonder if there's something analagous to an OTP that will provide
>: the same degree of "absolute" protection from "spoofing" as OTP
>: does from "breaking".
>
>Signing your messages usually provides some protection.  I have difficulty
>in imagining a one-way function (of the type used when creating message
>digests) which offers the same type of security as an OTP - but perhaps
>one is possible.

If I understand it correctly, you can use any sort of compression
and/or encryption you choose either before or after the OTP, and
the result will still be an unbreakable (but often impractical)
encryption.  So the question is whether such a spoofing protection
exists.

Let's say that A and B swap CD-ROMs so that each has an A -> B OTP
and a B -> A OTP.  Let's further assume that they send an identical
length message once per day whether they have something to say or
not, that neither of them communicates with anyone else, and that
they shut down and go to a physical meeting if they receive a
message that is the sort of random junk one would expect from a
man in the middle taking wild guesses.  In theory, unbreakable
by the man in the middle, right?  Pardon my possible cluelessness,
but wouldn't inserting a fake message be just as hard to do?

Stopping a message or storing it and sending it later are still
possibilities for the man in the middle. 

 


------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: What part of 'You need the key to know' don't you people get?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 3 Dec 1999 16:39:49 GMT

Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
: Douglas A. Gwyn wrote:
:> Brian Chase wrote:

:> > I think what I'm finding most disturbing, if not just outright disgusting,
:> > is how quickly disregarded are Scott's challenges to the conventions of
:> > the cryptology community.  Sure he's an asshole, but as a community is it
:> > not true that we don't conclusively know how secure the contemporary
:> > algorithms are?
:>
:> Neither does D.Scott!  The main problem with his arguments is that
:> he asserts weaknesses in everybody's encryption schemes except his,
:> but doesn't *demonstrate* the weaknesses.  When he claims, for
:> example, that CBC itself creates exploitable weaknesses, yet there
:> happen to be solid mathematical papers demonstrating that CBC used
:> with a *strong* block cipher is not substantially weaker than the
:> block cipher by itself, it is incumbent on *him* to prove his claim,
:> or at least to exhibit an error in the previous work that proved the
:> opposite.  That's not only standard professional practice, it's
:> plain common sense.  Since he doesn't make a convincing case,
:> preferring to curse and challenge the integrity of anyone who
:> disagrees with him, it is not surprising that he is being almost
:> entirely ignored by the professional community.

: No.  You have egregiously misstated his position.  AFAIK his position is
: that CBC does not meaningfully strengthen a block cipher in comparison with
: methods that diffuse information more widely than neighboring blocks.

Indeed.  This is my perception of his position also.

While he's stated that he views the common chaining modes as weak, he's
*never* - to my knowledge - stated that they weaken the underlying block
cypher.

Rather - as I understand it - his position is that they needlessly
expose the block cypher to direct attack, by a failure to distribute
information needed to decrypt the message over as wide as possible
an area.

Obviously, such a failure to diffuse allows any attacks based on known
partial plaintexts to function.  Or any attacks based on choosing
partial plaintexts for that matter.

A proper use of diffusion would require *full* plaintexts, or *full*
chosen texts to be used before any such attack could succeed.

As everyone knows, a partial plaintext is more common than a full one.

This is likely to weaken the cypher /even/ if the only attack known on
the cypher is the use of brute-force.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

$$$$$$$$$$$$$$$$$ Money lies at the root of all wealth $$$$$$$$$$$$$$$$$$

------------------------------

From: "Brice" <[EMAIL PROTECTED]>
Subject: RSA
Date: Fri, 3 Dec 1999 16:50:27 -0000

I am looking for ways to implement RSA so that it runs very efficiently. I
am looking for both software and hardware based implementable ideas.

I already have Montgomery, Galois Fields (how good is it for hardware based
versions of RSA ?).

Could anyone help ?

Thank you,

Brice.



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
