Cryptography-Digest Digest #705, Volume #10       Wed, 8 Dec 99 16:13:01 EST

Contents:
  Synchronised random number generation for one-time pads ("Charles Meigh")
  Re: NSA competitors (Pablo Arrighi)
  Re: NSA should do a cryptoanalysis of AES ("karl malbrain")
  Re: If you're in Australia, the government has the ability to modify your files. >> 4.Dec.1999 ("Trevor Jackson, III")
  Re: Random Noise Encryption Buffs (Look Here) ("Trevor Jackson, III")
  Re: Synchronised random number generation for one-time pads (Scott Nelson)
  Re: Solitaire analysis? (Paul Crowley)
  Re: AES and perl (encryption) (Eric Lee Green)
  Re: Synchronised random number generation for one-time pads (Eric Lee Green)
  Re: NSA future role? (Jim Dunnett)
  Re: Cell Phone Crypto Penetrated >> 6.Dec.1999 >> Biryukov & Shamir describe in a paper ... (Jim Dunnett)
  Re: If you're in Australia, the government has the ability to modify your files. >> 4.Dec.1999 (Jim Dunnett)
  Re: Synchronised random number generation for one-time pads (Jim Dunnett)
  Re: NSA competitors (Jim Dunnett)
  Re: NSA competitors (Jim Dunnett)
  Re: Ellison/Schneier article on Risks of PKI (Bruce Schneier)
  Re: High Speed (1GBit/s) 3DES Processor (Paul Koning)

----------------------------------------------------------------------------

From: "Charles Meigh" <[EMAIL PROTECTED]>
Subject: Synchronised random number generation for one-time pads
Date: Tue, 7 Dec 1999 22:22:02 -0000

First off, I confess my newbie status as far as crypto goes.   I'm reading
"Applied Cryptography" at the bookshop, but I can't afford to buy it yet :-)

With regard to one-time pads, which I keep reading as being the most secure
form of encipherment, it appears that a major problem is the distribution of
the completely random keys.   This is exacerbated by the need for more keys
for more messages, and larger keyspaces for larger messages (I think).

Would it be practicable to set up a system that creates the random numbers
for the key from some globally consistent, 'natural' source like, say,
cosmic radiation readings; the sender and receiver obviously having had
exchanged brief, secure messages agreeing on exactly when to take these
key-generating readings?   You could then (if I'm thinking right) create as
many completely secure one-time pads as you like, without the overhead of
distributing vast amounts of data first, just your synchronising messages.
--
Charles Meigh





------------------------------

From: Pablo Arrighi <[EMAIL PROTECTED]>
Subject: Re: NSA competitors
Date: Wed, 08 Dec 1999 18:36:37 +0000



>
> > There's also MI5 and MI6 in the UK, SDECE in France, and the BND in
> > Germany.  Israel has Mossad.
>
> Ok. Thank you.
> I'm gonna look if there is some information on their crypto research.

Mmmm... Keep us informed, but I doubt you will find anything.
BTW:
UK's is GCHQ rather, former CESG. GCHQ does a lot of advertising, they may
have something.
France's is DGSE former SDECE, with a recent specialised group called BRGE.


Pablo.


------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Wed, 8 Dec 1999 10:39:10 -0800


Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> karl malbrain wrote:
> > The point, you idiot, is that both B-1B's and airlines use TOILET SEATS!!!
> > Why not the same ones?  Karl M
>
> Passenger planes allocate more space.  Look inside a bomber some time.

Again, that's the exact same SUBJECTIVE point.  It's just a round-about way
of OBJECTIVELY DEMANDING more money go to bomber manufacturers.  The first
`bombers' in WORLD WAR I were just STANDARD bi-planes.  Karl M



------------------------------

Date: Wed, 08 Dec 1999 14:16:41 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: If you're in Australia, the government has the ability to modify your files. >> 4.Dec.1999

Steve K wrote:

> On Wed, 08 Dec 1999 00:19:53 -0500, "Trevor Jackson, III"
> <[EMAIL PROTECTED]> wrote:
>
> >CoyoteRed wrote:
> >
> >> [EMAIL PROTECTED] said...
> >>
> >> >Orwellian Nightmare Down Under?  by Stewart Taggart
> >> >
> >> >3:00 a.m. 4.Dec.1999 PST
> >> >SYDNEY, Australia -- Any data seem different on your computer today?
> >>
> >> So, I guess for the truly paranoid, someone should develop a disk
> >> controller and encryption card that also has a smartcard reader.
> >> On-board strong encryption with part of the key on a smartcard and the
> >> other in bio-memory.  Have the controller card never off-load the key,
> >> but use it directly off the card and not allow /any/ outside access to
> >> it.  The controller also continuously securely hashes the contents of
> >> the drive and stores it both on the card and on the encrypted drive
> >> for comparison upon next boot.
> >>
> >> The only thing that I see as a security concern is the user input of
> >> his passphrase.  A hacker could conceivably change out the BIOS to log
> >> the passphrase key strokes.  (A secure hash of the BIOS as well?)
> >>
> >> If done right, the user would never be in the dark about any tampering
> >> in his system.
> >
> >Similar concepts were discussed here a few months ago in the context of a
> >non-seizable computer.  One wants to reserve the information, but make it
> >impossible (literally) of recovery without the requisite key.  The base
> >concept was a RAM disk containing an OTP key the same size as the
> >protected disk volume.  On power loss the key disappears, but the data is
> >recoverable if the key is reloaded from off-site backup.
> >
>
> 1)  Removable hard drive.
>
> 2)  Floor safe.
>
> 3)  Thermite charge in floor safe, on top of hard drive, with
> externally located keypad to turn it off.

> Or any of a dozen or so other possible methods; I just picked an
> extreme one as an example.  In real life, the exact same measures one
> would take to keep criminals out of one's computer, will keep law
> enforcement out.  Security is security.

No.

Resisting a criminal will not get you prison time.  Obstructing justice, by
activating a disk wiper or a thermite charge will definitely get you in
trouble with the justice system.  Look into the procedures for seizing
computers.

Booby traps such as thermite charges are also liabilities because (i) they are
dangerous in themselves, (ii) may be criminal under the US BATF "destructive
devices" regulations which require a $5 license for each, (iii) endanger the
information being protected.

One cannot recover recent transactions from backup.  If the loss of a day of
recorded information is not acceptable the original storage media must be
preserved.  I know there are companies that promise to recover data from any
disk drive, but I suspect even national technical means would not suffice to
undo the effects of a thermite reaction.

One needs a passive system that requires no "activation act".  Otherwise the
act of destroying evidence is indictable.  Certainly anything an owner can
build law enforcement can penetrate, but there may be situations, such as
civil rights groups, where compliance with a search warrant is not
appropriate.  In these circumstances one wants passive defenses because active
defenses are generally illegal.

>
>
> By ignorance or design, this and similar anti-privacy laws do not
> empower police forces to gather evidence and convict criminals.
> Existing search and seizure laws already provide every tool that
> actually works for that purpose.  Police agencies are just going to
> have to learn to live with encryption and other data-protection
> technologies, and focus on the *real* crimes (if any) that are being
> committed.  Criminal activity that is limited to the networked
> computing environment-- theft or vandalism of data, for instance-- can
> only be dealt with by assisting the public in prevention; in other
> words, more encryption and counter intrusion in the marketplace, not
> less.
>
> By accident or design, anti-computer-security laws empower government
> employees to spy on honest citizens for political purposes, while
> failing to provide a significant benefit to law enforcement.  Anyone
> who understands computers should understand this.  Unfortunately, we
> will most likely have to wait for the present generation of
> politicians to die off and be replaced by people who grew up around
> computers, before we see any improvement.

Why do you expect to see improvement?  I suspect a generation of
computer-literate politicians will see more opportunities to regulate the
citizens rather than liberate them.


------------------------------

Date: Wed, 08 Dec 1999 14:23:18 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)

Guy Macon wrote:

> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tony T. Warnock) wrote:
>
> >You still may fail to detect some.
>
> By design.
>
> >The most probable waiting time between decays is zero.
>
> No it isn't.

How do you figure otherwise?  Given an exponential decay expectation the maxima will
be at zero.

>
>
> >Overall one can do pretty well with the radioactive decay
> >if care is taken not to get too much 60hz (or 50hz for the Europeans)
> >into the signal.
>
> The signal is a digital output of a photomultiplier tube adjusted
> to fail to detect some photons but to virtually never "detect"
> when the photon is not there.  Photomultiplier tubes are very
> insensitive to 50/60 Hz magnetic fields, and easily shielded from
> 50/60 Hz electric fields.  Besides, it's pretty easy to get away
> from 50/60 Hz.  Caves, open fields, etc make the 50/60 Hz undetectable
> by good measuring equipment.
>
> >There are several ways to completely eliminate bias.
>
> I don't think that you are correct.  I haven't seen a proposal
> that would identify a 100% unbiased source.
>
> >Correlation is tough but can be decreased.
>
> ?
>
> Isn't Correlation a form of bias?
>
> > This is very slow.
>
> Why should it be?  The counter is around 40 GHz, and you can
> pick any rate of photons by adding or subtracting radium.
> It's also cheap enough to run a bunch of them in parallel.


------------------------------

From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: Synchronised random number generation for one-time pads
Reply-To: [EMAIL PROTECTED]
Date: Wed, 08 Dec 1999 19:52:00 GMT

On Tue, 7 Dec 1999 22:22:02 -0000, "Charles Meigh"
<[EMAIL PROTECTED]> wrote:

>First off, I confess my newbie status as far as crypto goes.   I'm reading
>"Applied Cryptography" at the bookshop, but I can't afford to buy it yet :-)
>
>With regard to one-time pads, which I keep reading as being the most secure
>form of encipherment, it appears that a major problem is the distribution of
>the completely random keys.   This is exacerbated by the need for more keys
>for more messages, and larger keyspaces for larger messages (I think).
>
>Would it be practicable to set up a system that creates the random numbers
>for the key from some globally consistent, 'natural' source like, say,
>cosmic radiation readings; the sender and receiver obviously having had
>exchanged brief, secure messages agreeing on exactly when to take these
>key-generating readings?   You could then (if I'm thinking right) create as
>many completely secure one-time pads as you like, without the overhead of
>distributing vast amounts of data first, just your synchronising messages.
>

Short answer: No.

Long answer;
There isn't anything which really fits the bill, and if
there were, you'd have to prevent the enemy from reading it too,
and getting a copy of the key that way.  You'd need something 
which can be read by two and only two people.

The synchronization problem isn't really a problem.  
The enemy can sample everything and then try all possible
synchronizations.  Even if you assume it's millions of times
harder to do this, it's still _possible_, which means you're
not achieving the "perfect" security of a one time pad.

Besides, if you're going to save the bits you gather, then
you have a device which can store the bits.  You might as
well swap those devices instead of the synchronization keys.

As an interesting aside:
C3D ( http://www.c-3d.net/ ) has demonstrated a technology 
which can store 2 gbit/sqi in multiple layers, which
translates to about 140 gigabytes in the same area as
a CD.  (They also claim it's 10 times cheaper per bit than 
CD-ROM, but they aren't to market yet, so I'd take that with
a grain of salt.)  It's quite conceivable that OTP technology 
of the near future could be used to send _video_ messages.

Scott Nelson <[EMAIL PROTECTED]>

------------------------------

From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: Solitaire analysis?
Date: 8 Dec 1999 18:37:45 -0000

"r.e.s." <[EMAIL PROTECTED]> writes:

> Anyone know if there have been published analyses of
> Bruce Schneier's "Solitaire" algorithm?
> 
> The few postings I've seen claim a detectable bias in
> letter frequencies, but I don't know how reliable those
> are.  (Especially since they say the algorithm isn't
> reversible -- whereas it sure looks reversible to me.)
> So I wonder if I'm misunderstanding something, or if
> the algorithm now on Counterpanes's website might be a
> significantly different revision.

Gosh, two chances to blow my own trumpet in one day.  See
http://www.hedonism.demon.co.uk/paul/solitaire/ for details on this
bias. 

I thought it was reversible when I read it too, but it definitely
isn't: a state in which the A joker is second from the top has two
predecessor states, one where A is on the top, the other where it's on 
the bottom.  In correspondence with Bruce it seems that this is a bug, 
and the "official" version of Solitaire will simply move A to the top
if it's on the bottom.

hope this helps,
-- 
  __
\/ o\ [EMAIL PROTECTED]     Got a Linux strategy? \ /
/\__/ Paul Crowley  http://www.hedonism.demon.co.uk/paul/ /~\
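
Paul's non-reversibility argument worked through, as an added example that is not code from his page or from Counterpane: step 1 of Solitaire (move joker A one card down, wrapping when it is the bottom card) on a constructed deck, with the "just below the top card" wrap rule he found non-reversible beside the "move it to the top" fix he reports from Bruce. Card labels and function names are assumptions; the deck size is a parameter, so the check also runs over a full 54-card deck.

```python
JOKER_A = "A"


def _move_joker_a(deck: list, wrap_to: int) -> list:
    """Step 1 of Solitaire for joker A: move it one card down.  If it is the
    bottom card it wraps to index wrap_to: 1 = just below the top card (the
    rule Paul found non-reversible), 0 = the top (the fix he reports)."""
    d = list(deck)
    i = d.index(JOKER_A)
    del d[i]
    d.insert(wrap_to if i == len(deck) - 1 else i + 1, JOKER_A)
    return d


def move_joker_a_wrap_to_second(deck: list) -> list:
    """Bottom joker becomes the second card from the top."""
    return _move_joker_a(deck, wrap_to=1)


def move_joker_a_wrap_to_top(deck: list) -> list:
    """Bottom joker becomes the top card."""
    return _move_joker_a(deck, wrap_to=0)


def predecessors_by_successor(step, deck_size: int) -> dict:
    """Put joker A at every position of a deck of deck_size cards (the other
    cards fixed), apply step, and group the starting decks by the deck they
    produce.  A step is reversible only if every group has exactly one member."""
    others = [str(n) for n in range(1, deck_size)]   # constructed non-joker cards
    groups = {}
    for pos in range(deck_size):
        deck = others[:pos] + [JOKER_A] + others[pos:]
        groups.setdefault(tuple(step(deck)), []).append(tuple(deck))
    return groups


def is_reversible(step, deck_size: int) -> bool:
    """True when no two distinct starting decks map to the same result."""
    return all(len(g) == 1 for g in predecessors_by_successor(step, deck_size).values())


if __name__ == "__main__":
    for name, step in (("wrap to second", move_joker_a_wrap_to_second),
                       ("wrap to top", move_joker_a_wrap_to_top)):
        groups = predecessors_by_successor(step, 54)
        collisions = {s: p for s, p in groups.items() if len(p) > 1}
        print(f"{name}: reversible={is_reversible(step, 54)}, "
              f"states with two predecessors={len(collisions)}")
        for successor, preds in collisions.items():
            print("  ", successor[:3], "<-", [p[:3] for p in preds], "...")
```

With the "wrap to second" rule exactly one state (joker A second from the top) has two predecessors, and the state with A on top has none; with the "wrap to top" rule the joker's position is simply rotated, so every state has exactly one predecessor.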

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: AES and perl (encryption)
Date: Wed, 08 Dec 1999 13:13:05 -0700

Volker Hetzer wrote:
> 
> Shaun Wilde wrote:
> >
> > Has anybody ported the AES submission Twofish to perl?
> >
> > Also does anyone know of any Perl sites that have info relating to
> > encryption
> For perl you should be able to use the C-Version of AES as a shared
> library shouldn't you?

Almost but not quite. He'd have to write some "wrappers" to do data format
conversions etc., and also probably need to write some support routines so he
can do CFB, CBC, etc. rather than straight ECB. If he wished to write an
object-oriented Perl module as vs. a straight procedural Perl module, there
might even be more work required to properly encapsulate state. 

I did a Python TwoFish module (sorry, I'm not allowed to release it at this
time, hopefully I'll get permission from management to do so after Christmas
:-( ), and it was fairly straightforward, but since I was creating an object
rather than a straight procedure call (necessary because I have multiple
encrypted streams going on with multiple keys all at the same time in a
multi-threaded application), I had to make fairly hefty modifications to the
twofish.c source code to make it workable. Specifically, to pull all stateful
variables out into a state 'struct' passed into the various encrypt/decrypt
routines. This was especially important for CBC/CFB modes, since they keep an
accumulator that must not be dumped until you're finished with that particular
stream of data (although for CBC I actually implemented that in the
higher-level Python module, though I implemented a lower-level XOR_BLOCK
routine in "C" to do that little bit of grunge work). 

Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Synchronised random number generation for one-time pads
Date: Wed, 08 Dec 1999 13:20:37 -0700

Charles Meigh wrote:
> With regard to one-time pads, which I keep reading as being the most secure
> form of encipherment, it appears that a major problem is the distribution of
> the completely random keys.  

Key distribution is "the" problem in modern cryptography. The algorithms
themselves are nigh unbreakable, but there's a variety of attacks against key
distribution mechanisms.


>  This is exacerbated by the need for more keys
> for more messages, and larger keyspaces for larger messages (I think).
 
> Would it be practicable to set up a system that creates the random numbers
> for the key from some globally consistent, 'natural' source 

Quantum physics ensures that there is no such globally consistent 'natural'
source -- the universe is random. Even if there were, you still have the same
problem -- key distribution. That is, distribution of the shared secret.
Except here, the shared secret or "key" is the exact moment in time that
you're going to start taking samples. In other words, you've gone from having
a millions-of-bits key to having a tens-of-bits key (note that all seconds
between 1970 and 2038 can be encapsulated in a 31-bit number). 

If you instead decide that "no, I'm going to use a function to generate the
keystream for the OTP, and the 'key' is the initial state of that function",
congratulations, you just invented stream ciphers!
--
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax
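
The keyspace collapse that Scott Nelson and Eric Lee Green describe, as an added toy model that is not from any poster in this digest: a deterministic hash-derived byte stream stands in for the "globally consistent natural source" that anyone can sample, the only secret is the agreed sampling instant inside a 2^16-second window, and an eavesdropper who samples the same source reads the message by trying every synchronisation. The seed, window, start time and message are constructed; function names are assumptions.

```python
import hashlib

# Constructed parameters (assumptions for this example, not from the thread).
WINDOW_SECONDS = 1 << 16   # eavesdropper knows the agreed instant lies in a 2^16 s window
TRUE_START = 40321         # the "shared secret": the agreed sampling instant
MESSAGE = b"Meet at the usual place; bring the second pad."   # constructed plaintext


def public_noise_stream(seed: bytes, length: int) -> bytes:
    """Stand-in for a 'natural' source anyone can sample: one byte per second,
    derived from SHA-256 so sender, receiver AND eavesdropper see the same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(stream: bytes, start: int, plaintext: bytes) -> bytes:
    """The pad is the stream bytes beginning at the agreed instant; OTP is XOR."""
    return xor_bytes(plaintext, stream[start:start + len(plaintext)])


def looks_like_plaintext(candidate: bytes) -> bool:
    """The recogniser the eavesdropper needs: the message is printable ASCII."""
    return all(32 <= c < 127 for c in candidate)


def try_all_synchronisations(stream: bytes, ciphertext: bytes, window: int):
    """Scott Nelson's point: sample everything, then try every possible start
    time.  Returns (start, plaintext) for the first candidate that decrypts to
    something readable, or (None, None)."""
    n = len(ciphertext)
    for t in range(window):
        candidate = xor_bytes(ciphertext, stream[t:t + n])
        if looks_like_plaintext(candidate):
            return t, candidate
    return None, None


def effective_key_bits(window: int) -> int:
    """Eric Lee Green's point: the real key is the start time, so its length is
    log2 of the number of possible instants (all seconds 1970-2038 fit in 31 bits)."""
    return (window - 1).bit_length()


def run_demo() -> dict:
    stream = public_noise_stream(b"constructed cosmic-noise seed",
                                 WINDOW_SECONDS + len(MESSAGE))
    ciphertext = otp_encrypt(stream, TRUE_START, MESSAGE)
    found_start, found_plaintext = try_all_synchronisations(stream, ciphertext,
                                                            WINDOW_SECONDS)
    return {
        "true_start": TRUE_START,
        "recovered_start": found_start,
        "recovered_plaintext": found_plaintext,
        "effective_key_bits": effective_key_bits(WINDOW_SECONDS),
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"effective key: {result['effective_key_bits']} bits; "
          f"recovered start {result['recovered_start']} (true {result['true_start']})")
    print(result["recovered_plaintext"])
```

The pad bytes are perfectly random from the sender's point of view, yet the search space is 2^16 candidates rather than 2^(8*len(MESSAGE)), which is exactly the stream-cipher situation Eric describes.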

------------------------------

From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim Dunnett)
Crossposted-To: alt.politics.org.nsa
Subject: Re: NSA future role?
Date: Wed, 08 Dec 1999 20:30:15 GMT
Reply-To: Jim Dunnett

On Wed, 08 Dec 1999 02:23:32 +0000, CLSV <[EMAIL PROTECTED]> wrote:

>albert wrote:
>
>> > One of those myths started by popular science magazines.
>
>> Nope, not a myth, it's true.  I will concede to the post above, stating that
>> measurements, and details are hidden, which is the impeding stumbling block to making
>> one, but if you want concepts etc., it's all there.
>
>Ok, I can agree with that.
>
>> > And why wouldn't private sector companies make any mistakes?
>
>> Accountability.  Profit.  NASA has lost about $2Billion thus far on Mars stuff.  Any of
>> them fired?  No.  If it was the private sector, performance and reward are linked, not
>> so in the public sector.
>
>Hmm, my opinion is that especially in big corporations large
>amounts of money are wasted on useless pet projects, ego-mania,
>stupidity, fraud et cetera. The problem is that a corporation
>isn't publicly accountable for such losses. They rather hide
>them in their incredibly complex annual reports to keep the
>faith of their customers, creditors, shareholders. At rare times we
>get to see some of the mistakes if they are big enough
>(e.g. Barings bank). I think that the problems that NASA has are more
>related to the size and structure of the organization than on the
>difference between private and public sector.

Quite so. And wasn't one of the cockups caused by America's insistence
on using obsolete feet and inches instead of the metric system, or
something like that?


------------------------------

From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim Dunnett)
Crossposted-To: alt.privacy
Subject: Re: Cell Phone Crypto Penetrated >> 6.Dec.1999 >> Biryukov & Shamir describe in a paper ...
Date: Wed, 08 Dec 1999 20:30:16 GMT
Reply-To: Jim Dunnett

On Wed, 08 Dec 1999 00:55:14 GMT, [EMAIL PROTECTED] (Bruce Schneier)
wrote:

>On Tue, 07 Dec 1999 20:08:05 GMT, amadeus @DELETE_THIS.netcomuk.co.uk
>(Jim Dunnett) wrote:
>
>>On Mon, 06 Dec 1999 16:32:21 -0500, [EMAIL PROTECTED] wrote:
>>
>>>Cell Phone Crypto Penetrated by Declan McCullagh 
>>>
>>>10:55 a.m. 6.Dec.1999 PST 
>>>Israeli researchers have discovered design flaws that allow the descrambling of
>>>supposedly private conversations carried by hundreds of millions of wireless
>>>phones. 
>>>
>>>Alex Biryukov and Adi Shamir describe in a paper to be published this week how a
>>>PC with 128 MB RAM and large hard drives can penetrate the security of a phone
>>>call or data transmission in less than one second. 
>>
>>And listen to it in real-time? I think not.
>
>Actually, the math of the attack implies that they can.  Or, at least,
>there is no cryptographic reason why they cannot.

I'll grant it may be possible for well-heeled organisations with lots of
computer power to strip off the encipherment and de-digitise the result
to get audio. It's going to need more than a '386 though.

Anyway, why bother doing it when they can intercept it at will on the
landline side? Much easier and cheaper!


------------------------------

From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim Dunnett)
Crossposted-To: alt.privacy
Subject: Re: If you're in Australia, the government has the ability to modify your files. >> 4.Dec.1999
Date: Wed, 08 Dec 1999 20:30:17 GMT
Reply-To: Jim Dunnett

On Wed, 08 Dec 1999 17:37:38 GMT, [EMAIL PROTECTED] (Scott Nelson) wrote:

>On Wed, 8 Dec 1999 01:02:47 -0500, "fuck echelon" <[EMAIL PROTECTED]> wrote:
>[edited]
>>Scott Nelson <[EMAIL PROTECTED]> wrote 
>>> Planting a bug inside a suspects house in a way that makes it
>>> unlikely to be detected is fairly easy with modern technology.
>>> I wonder though, if it's possible to modify a computer
>>> in a way that's not easily detectable to the suspect.
>>> Unless you actually modify the hardware, it seems like
>>> it would leave a lot of obvious traces.  And the obvious
>>> corollary question is, how hard would it be to ensure that
>>> one's computer software is actually intact, and unmodified.
>>
>>A bug isn't needed, a tempest attack or a boot would work for most purposes.
>>
>Yes.
>Is there a cheap way to do it?  
>Something a local police department might be able to do.

Tempest attacks are very expensive. Planting a sniffer is a bit
risky if they're discovered doing it. I know what I'd do to anyone
I found tampering with my computers ... whoever he may be!


------------------------------

From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim Dunnett)
Subject: Re: Synchronised random number generation for one-time pads
Date: Wed, 08 Dec 1999 20:30:18 GMT
Reply-To: Jim Dunnett

On Tue, 7 Dec 1999 22:22:02 -0000, "Charles Meigh"
<[EMAIL PROTECTED]> wrote:

>First off, I confess my newbie status as far as crypto goes.   I'm reading
>"Applied Cryptography" at the bookshop, but I can't afford to buy it yet :-)

Don't they have public libraries there?

>With regard to one-time pads, which I keep reading as being the most secure
>form of encipherment, it appears that a major problem is the distribution of
>the completely random keys.   This is exacerbated by the need for more keys
>for more messages, and larger keyspaces for larger messages (I think).

OTP is totally secure given it is properly used. The problems are key 
distribution and key cancellation/deletion. With more than two correspondents
it becomes a nightmare, or degenerates into something which is no longer OTP.

>Would it be practicable to set up a system that creates the random numbers
>for the key from some globally consistent, 'natural' source like, say,
>cosmic radiation readings; the sender and receiver obviously having had
>exchanged brief, secure messages agreeing on exactly when to take these
>key-generating readings? 

Not exactly. There are many random sources, but because they are
random they are, by definition, not in any way globally consistent.

You would have to generate your key using radio/cosmic noise, radioactive
decay, zener-diode/transistor/electron noise or whatever and distribute
the resulting key to your correspondent/s - by a secure route, obviously.

People on this newsgroup would probably question the need for an OTP system
if you already have a secure route. But that secure route need not be 
electronic, normally you would deliver the key physically on some physical
media.

>You could then (if I'm thinking right) create as
>many completely secure one-time pads as you like, without the overhead of
>distributing vast amounts of data first, just your synchronising messages.

I think you want to have your cake and eat it.


------------------------------

From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim Dunnett)
Subject: Re: NSA competitors
Date: Wed, 08 Dec 1999 20:30:19 GMT
Reply-To: Jim Dunnett

On Wed, 08 Dec 1999 15:37:35 +0000, CLSV <[EMAIL PROTECTED]> wrote:

>Bruce Schneier wrote:
>> 
>> On Sat, 04 Dec 1999 22:47:49 GMT, [EMAIL PROTECTED]
>> (John Savard) wrote:
>
>> >On Sat, 04 Dec 1999 18:13:27 +0000, CLSV <[EMAIL PROTECTED]> wrote:
>
>> >>I'm wondering if there is any knowledge about non-US
>> >>government institutes that are specialized in cryptography and
>> >>cryptanalysis?
>> >The Russian one, under the acronym FAPSI, now even has a web site too.
>> >
>> >On the other hand, the Chinese agency - known as the "technical
>> >department" - is very secretive.
>> 
>> I know of the Chinese organization as the Ministry of National
>> Security.
>> 
>> There's also MI5 and MI6 in the UK, SDECE in France, and the BND in
>> Germany.  Israel has Mossad.
>
>Ok. Thank you.
>I'm gonna look if there is some information on their crypto research.

I wouldn't bother in respect of MI5 (SS) or MI6 (SIS); British
crypto research and development is done by GCHQ.


------------------------------

From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim Dunnett)
Subject: Re: NSA competitors
Date: Wed, 08 Dec 1999 20:30:19 GMT
Reply-To: Jim Dunnett

On Wed, 08 Dec 1999 05:33:33 GMT, [EMAIL PROTECTED] (Bruce Schneier)
wrote:

>On Sat, 04 Dec 1999 22:47:49 GMT, [EMAIL PROTECTED]
>(John Savard) wrote:
>
>>On Sat, 04 Dec 1999 18:13:27 +0000, CLSV <[EMAIL PROTECTED]> wrote:
>>
>>>I'm wondering if there is any knowledge about non-US 
>>>government institutes that are specialized in cryptography and
>>>cryptanalysis? I'm thinking about countries that invest a lot 
>>>in mathematical education like China, Russia, India.
>>
>>The Russian one, under the acronym FAPSI, now even has a web site too.
>>
>>On the other hand, the Chinese agency - known as the "technical
>>department" - is very secretive.
>
>I know of the Chinese organization as the Ministry of National
>Security.
>
>There's also MI5 and MI6 in the UK

That's decades out-of-date: it's now the Security Service and Secret
Intelligence Service respectively.


------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Ellison/Schneier article on Risks of PKI
Date: Wed, 08 Dec 1999 20:53:40 GMT

On Wed, 08 Dec 1999 09:39:32 GMT, [EMAIL PROTECTED] wrote:

>Interesting read.
>
>Does anyone (or indeed Bruce and Carl) have links to similar papers, and
>if possible any online reports of PKI - usage statistics, examples of
>real-life PKIs that have been hacked etc...

There is lots of excellent information on Carl's home page:

        http://www.clark.net/pub/cme/

See the SPKI page:

        http://www.clark.net/pub/cme/html/spki.html

especially

        http://www.certicom.com/pks99/presentations/Carl_Ellison.zip
        http://jya.com/bg/digsig.pdf
        http://www.clark.net/pub/cme/usenix.html

And this isn't online, but try to find it at a university library:

        Ellison, "The nature of a useable PKI", Computer Networks 31 (1999), pp. 823-830.

Bruce

**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Crossposted-To: comp.dcom.vpn,comp.security.firewalls
Subject: Re: High Speed (1GBit/s) 3DES Processor
Date: Wed, 08 Dec 1999 15:15:13 -0500

Helger Lipmaa wrote:
> 
> ... I would say 1Gbit/s does not surprise me at all - in particular since
> I've known that such chips exist for at
> least three years. Or, citing rfc 1851:
> 
>    Three DES-CBC implementations may be pipelined in series to provide
>    parallel computation.  At the time of writing, at least one hardware
>    implementation can encrypt or decrypt at about 1 Gbps [Schneier94, p.
>    231].
> 
> And that was in 1994 (probably already in 1993, since it takes some time
> to print a book --- I only have the second edition of this book, so
> cannot check that information myself). 

Same here, but I expect he was referring to the work of Hans Eberle,
still quoted in the second edition references (from Crypto '92).  Or you
can read the DEC SRC research report, number 90, "A High-speed DES 
implementation for network applications", H. Eberle, Sept 23, 1992.

> Apply Moore's law (and divide by
> three to get 3DES;).

Don't divide by three, just triple the transistor count.  Trivial
these days, as David pointed out.

I guess this discussion implies that crypto protocols should start
using interleaved CBC rather than classic uninterleaved CBC.  That
would fix the pipeline bottleneck we currently have.

        paul

-- 
!-----------------------------------------------------------------------
! Paul Koning, NI1D, D-20853
! Lucent Corporation, 50 Nagog Park, Acton, MA 01720, USA
! phone: +1 978 263 0060 ext 115, fax: +1 978 263 8386
! email: [EMAIL PROTECTED]
! Pgp:   27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75
!-----------------------------------------------------------------------
! "The only purpose for which power can be rightfully exercised over 
!  any member of a civilized community, against his will, is to prevent
!  harm to others.  His own good, either physical or moral, is not
!  a sufficient warrant."    -- John Stuart Mill, "On Liberty" 1859

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
