Cryptography-Digest Digest #742, Volume #10      Wed, 15 Dec 99 00:13:01 EST

Contents:
  Re: The Code Book (David Hamer)
  Re: Why no 3des for AES candidacy (albert)
  Does this seem scary to anybody else???  It should!!! (albert)
  Re: security of 3des ?= des (Tim Tyler)
  Re: security of 3des ?= des ("karl malbrain")
  Re: NAI granted export license for PGP (Pelle Evensen)
  Re: Security analysis of digitalPersona's U.are.u? (Eric Murray)
  Re: Non-linear PRNGs (Pelle Evensen)
  Re: Security analysis of digitalPersona's U.are.u? (Eric Murray)
  Re: NAI granted export license for PGP (Mike Andrews)
  discrete logarithm reduction to factoring ([EMAIL PROTECTED])
  Re: Deciphering without knowing the algorithm? (SCOTT19U.ZIP_GUY)
  Re: Better encryption? PGP or Blowfish? (molypoly)

----------------------------------------------------------------------------

Date: Tue, 14 Dec 1999 20:09:03 -0500
From: David Hamer <[EMAIL PROTECTED]>
Subject: Re: The Code Book

Possibly due to confusion stemming from differences
between the Gregorian and Julian calendars. While the
former was officially proclaimed by Pope Gregory XIII in
1582 and was adopted almost immediately by most European
Catholic states it was not adopted in England until 1752.

According to my [Gregorian] calendar program 15 October
1586 fell on a Wednesday.

DHH


Warner wrote:
> 
> The first sentence of Simon Singh's _The Code Book_ is, "On the morning of
> Wednesday, 15 October 1586, Queen Mary entered the crowded courtroom  of
> Fotheringhay Castle". The calendars I have referred to give this date as
> being on a Saturday. I'm interested in hearing comments on this apparent
> inconsistency or references to such.
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
David Hamer                 The Crypto Simulation Group
[EMAIL PROTECTED]       http://www.eclipse.net/~dhamer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

From: albert <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Tue, 14 Dec 1999 17:38:29 -0800

And Bill Clinton didn't have sexual relations with that woman Monica...  What's your
point?  What, because it's in some book in the law library that the NSA can't read
domestic mail, you assume it's true??  Get a clue, watch some conspiracy movies or
something.  Oh, I mean, they are a government organization, they would NEVER break
the law...

yada yada yada....  repeat that next time you pass by Waco TX or Ruby Ridge...
Albert

"Douglas A. Gwyn" wrote:

> "SCOTT19U.ZIP_GUY" wrote:
> > 1.  Depending on how one combines the cipher to make 3DES it could become
> > too hard for the current NSA to quickly decode the message for law enforcement.
>
> I think you mean FBI.  It is explicitly against the law for NSA to
> intercept communications for the purpose of domestic law enforcement,
> unless one or more of the communicants are foreign.  And, before you
> say that NSA just ignores the law, that's not so -- this requirement
> has an effect on how operations are conducted, which wouldn't be
> necessary if the law were being ignored.
>
> Last I heard, the FBI *were* being budgeted to establish a significant
> network/cryptologic intelligence branch.  Comrades Clinton, Gore,
> Reno, and Freeh have this Big Brother plan, you see... law enforcement
> is just an excuse.
>
> >  The speed thing is what most phony crypto gods would have you believe the
> > reason is. But in fact with the bloated operating systems one uses nowadays
> > and as machines get faster every week this is really a lame reason when one
> > wants real security.
>
> Speed *is* important in order that encryption become as widespread as
> it really should, e.g. on network links.  We're already in the age of
> fiber-optic communication.



------------------------------

From: albert <[EMAIL PROTECTED]>
Subject: Does this seem scary to anybody else???  It should!!!
Date: Tue, 14 Dec 1999 17:42:28 -0800

I'm referring to the fact that we are supposed to trust NAI products for
security, they are supposed to be the premier in security products, yet
they run NT???  This cannot scare just me.  ASP has more holes than a
drug user on Santa Monica BLVD.  I seriously call into question now, the
quality of their "security" products if this is what their idea of
"security" is.

Albert

Keith wrote:

> On Mon, 13 Dec 1999 23:25:52 GMT, Bubba
>  <833v9r$vn5$[EMAIL PROTECTED]> wrote:
>
> >http://www.nai.com/asp_set/about_nai/press/releases/pr_template.asp?
> >PR=/PressMedia/12131999.asp&Sel=647
> >
> >
>
> The problem is that we don't know what strength the cipher is.
> PGP could be allowed to export 40 bit versions. Or maybe NSA
> has created a crack for PGP. If the NSA has developed a crack
> then it won't affect home users, but would be a concern to
> business and government users world wide.
> --
> Best Regards,
>
> Keith
> -------------------------------------------------------------------
> Free Software: Pegasus & Mercury Email http://pmail.usa.com/
> Cyberkit http://www.ping.be/cyberkit/
> Hamster http://home.t-online.de/home/juergen.haible/english.htm
> SLRN for *NIX/OS2/WIN32 http://space.mit.edu/~/davis/slrn.html
> ---------------------------------------------------------------------



------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: security of 3des ?= des
Reply-To: [EMAIL PROTECTED]
Date: Wed, 15 Dec 1999 01:41:25 GMT

karl malbrain <[EMAIL PROTECTED]> wrote:
: <[EMAIL PROTECTED]> wrote in message

:> i was wondering if it has been shown that 3des is more secure
:> than des.
:>
:> my understanding is that if des transformations form a group
:> then any composition of des transformations is equivalent to
:> a single des encryption,

: In the sense that DES is a 64 bit block function that MAPS one input to one
: output, yes, you can combine DES operations as a single MAPPING, and there
: is no security gain. [...]

However you look at it, it's been proven not to be true that any
composition of DES transformations is equivalent to a single DES
encryption.

Nor does it follow that translating from one 64-bit permutation to another
64-bit permutation does not produce an improvement in security.
In the case of 3-DES it's pretty clear that it does.  The first
permutation was less absolutely random than was possible - and applying
the transformation several times adds to the "confusion".
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

A clear conscience is the result of a bad memory.

------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: security of 3des ?= des
Date: Tue, 14 Dec 1999 18:55:35 -0800


Tim Tyler <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> karl malbrain <[EMAIL PROTECTED]> wrote:
> : <[EMAIL PROTECTED]> wrote in message
>
> :> i was wondering if it has been shown that 3des is more secure
> :> than des.
> :>
> :> my understanding is that if des transformations form a group
> :> then any composition of des transformations is equivalent to
> :> a single des encryption,
>
> : In the sense that DES is a 64 bit block function that MAPS one input to one
> : output, yes, you can combine DES operations as a single MAPPING, and there
> : is no security gain. [...]
>
> However you look at it, it's been proven not to be true that any
> composition of DES transformations is equivalent to a single DES
> encryption.
>
> Nor does it follow that translating from one 64-bit permutation to another
> 64-bit permutation does not produce an improvement in security.
> In the case of 3-DES it's pretty clear that it does.  The first
> permutation was less absolutely random than was possible - and applying
> the transformation several times adds to the "confusion".

Within the context of the MAPPING there is no CONFUSION at all.  One input
MAPS to one and only one output.  CONFUSION is measured in the SELECTION of
the permutation.  MAPPING is measured in the block size only.  Karl M



------------------------------

From: Pelle Evensen <[EMAIL PROTECTED]>
Subject: Re: NAI granted export license for PGP
Date: Wed, 15 Dec 1999 03:57:03 +0100

Keith wrote:
> On Mon, 13 Dec 1999 23:25:52 GMT, Bubba
>  <833v9r$vn5$[EMAIL PROTECTED]> wrote:
> 
> >http://www.nai.com/asp_set/about_nai/press/releases/pr_template.asp?
> >PR=/PressMedia/12131999.asp&Sel=647
> 
> The problem is that we don't know what strength the cipher is.
> PGP could be allowed to export 40 bit versions. Or maybe NSA
> has created a crack for PGP. If the NSA has developed a crack
> then it won't affect home users, but would be a concern to
> business and government users world wide.

From the press release;
"The license, effective immediately, allows Network Associates, the world's
largest security software company (IDC Research, 1999) to export its full
strength PGP encryption software to virtually all countries worldwide without
restriction."

Why haven't we seen any people ranting about "NSA must have solved the
discrete log and factoring problems" yet? :)

/Pell

------------------------------

Subject: Re: Security analysis of digitalPersona's U.are.u?
From: [EMAIL PROTECTED] (Eric Murray)
Date: 14 Dec 1999 19:02:31 -0800

In article <3855dc4d$0$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
>I just received one of these cute little buggers as a Christmas present. The
>deluxe version (which sells for the same price as the standard version--go
>figure) includes a secure pseudo-disk utility.
>
>Has anyone published any analysis of this product's encryption method(s) and
>possible strength?
>
>MMB


--
 Eric Murray www.lne.com/~ericm  ericm at the site lne.com  PGP keyid:E03F65E5

------------------------------

From: Pelle Evensen <[EMAIL PROTECTED]>
Subject: Re: Non-linear PRNGs
Date: Wed, 15 Dec 1999 04:07:25 +0100

Side note, has anyone studied the cryptographic properties of multiply with
carry generators? They are relatively cheap, have good statistical
behaviour and are easy to get very long periods from.

http://stat.fsu.edu/pub/diehard/cdrom/pscript/mwc1.ps

/Pell

------------------------------

Subject: Re: Security analysis of digitalPersona's U.are.u?
From: [EMAIL PROTECTED] (Eric Murray)
Date: 14 Dec 1999 19:08:33 -0800

In article <3855dc4d$0$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
>I just received one of these cute little buggers as a Christmas present. The
>deluxe version (which sells for the same price as the standard version--go
>figure) includes a secure pseudo-disk utility.
>
>Has anyone published any analysis of this product's encryption method(s) and
>possible strength?
>
>MMB



I think that unless it uses some particularly weak crypto, it can be
more readily attacked in ways other than breaking the crypto.


The way that fingerprint matching works is that the scanner takes an image
of your finger (at something around 300x300 pixels).  Then some software
does pattern recognition to find 'minutiae', which are points where a
ridge ends, there's a break in a ridge, or a ridge forks.  The minutiae
are then used to compare fingerprints.  The comparison algorithms
that are used are proprietary (at least with the biometrics vendors I
have dealt with) and as far as I can tell are statistical in nature,
or have a statistical component-- basically if X out of Y minutiae are
in the same place after orienting the print, then it's a match.  It has
to be done this way because each time the finger image is captured,
different minutiae will appear or disappear-  there could be a smudge
on the reader or a bit of dirt hiding a minutia (or appearing to be
a new minutia), you could be holding your finger differently, etc.  So a
"good enough" match might be say 16 out of 20 minutiae.  Less than that and
you start getting false positives (incorrectly identifying prints from
different fingers as being from the same finger), more and you run the
risk of false negatives (falsely rejecting prints from the same finger).
Most systems allow the programmer or operator to adjust the matching
factor to make it appropriate for the application.

The U.are.U system does the minutae extraction and matching on the PC.
So one vulnerability is the attacker getting code onto the PC which
can snoop the serial port and capture a valid print to replay later.
But that's not any worse than typing in a passphrase (which can be
snooped by a keyboard sniffer), so maybe that's acceptable.

Once the minutae are extracted and it's determined that there's a match,
the U.are.U software then allows you to access the encrypted disk.
But each time a print is taken and checked for a match, the print is
different.  So the print itself, or its minutiae, can not be used as
the key.  If it were, then you would in effect have a system where you
had to match _all_ minutiae, which would result in a high false reject
rate (with the system I have had the most experience with that would
be 20-50%).  Not being able to get into your files one out of four times
would annoy a lot of customers, so I expect that they are not using a
match sensitivity setting which produces many false negatives.

However, bulk crypto algorithms require fixed keys which are the same
each time[1].  Given that, there must be a fixed encryption key which is
held in the disk encryption s/w or on disk, and "unlocked" by the minutiae
matching code when a fingerprint matches.  Pure software protection
being what it is, this key is probably readily discovered.

Finally, there has to be one or more minutiae to match against.  These
are also held on disk (they're put there when you enroll your finger).
Stealing one of them and figuring how to submit the minutiae directly to
the U.are.U software, or working backwards to generate a "fingerprint"
which has the same "minutiae", would be another way to break it.


If I'm correct (and I welcome proof otherwise), this is not a lot
better than kid-sister protection even if it uses a strong bulk algorithm.
In digitalPersona's defense, the marketing stuff I saw at Comdex-before-last
didn't tout its security as much as convenience compared to passwords.



[1] perhaps this would be a good application for an n out of M
secret-sharing scheme.

--
 Eric Murray www.lne.com/~ericm  ericm at the site lne.com  PGP keyid:E03F65E5
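
The matching threshold and the n-out-of-M secret-sharing idea from footnote [1], as an added example that is not part of the post or of digitalPersona's product. Minutiae, jitter, tolerance and the impostor model are all constructed, and how shares would be bound to a stored template so that the template alone does not leak the key is assumed away.

```python
import random
import secrets

PRIME = 2**127 - 1   # Shamir field; any prime larger than the key will do
TOL = 6              # two minutiae closer than this (per axis) count as the same


def match_indices(template, capture, tol=TOL):
    """Indices of enrolled minutiae that have a captured minutia within tol."""
    return [i for i, (tx, ty) in enumerate(template)
            if any(abs(tx - cx) <= tol and abs(ty - cy) <= tol for cx, cy in capture)]


def shamir_split(secret, n, m):
    """Split secret into m shares of a degree n-1 polynomial; any n recover it."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def shamir_recover(shares):
    """Lagrange interpolation at x=0; caller passes exactly n distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def enroll(template, n):
    """Store the minutiae plus one share per minutia. Assumption: the shares
    sit beside the minutiae; binding them so the stored template alone does
    not leak the key is the hard part and is not addressed here."""
    key = secrets.randbelow(PRIME)
    return key, {"minutiae": template, "shares": shamir_split(key, n, len(template)), "n": n}


def unlock(record, capture):
    """Release the shares of matched minutiae; the key comes out only if >= n match."""
    idx = match_indices(record["minutiae"], capture)
    if len(idx) < record["n"]:
        return None
    return shamir_recover([record["shares"][i] for i in idx[:record["n"]]])


def noisy_capture(template, rng, jitter=3, drop=3, spurious=3):
    """Same finger, new capture: positions jittered, some minutiae lost, some dirt."""
    pts = [(x + rng.randint(-jitter, jitter), y + rng.randint(-jitter, jitter))
           for x, y in rng.sample(template, len(template) - drop)]
    return pts + [(rng.randrange(300), rng.randrange(300)) for _ in range(spurious)]


def error_rates(n, trials=200, m=20, seed=1):
    """(false reject rate, false accept rate) of n-of-m key release on
    constructed data: one enrolled finger versus random impostor prints."""
    rng = random.Random(seed)
    template = [(rng.randrange(300), rng.randrange(300)) for _ in range(m)]
    key, record = enroll(template, n)
    rejects = sum(unlock(record, noisy_capture(template, rng)) != key for _ in range(trials))
    impostors = [[(rng.randrange(300), rng.randrange(300)) for _ in range(m)] for _ in range(trials)]
    accepts = sum(unlock(record, c) == key for c in impostors)
    return rejects / trials, accepts / trials
```

Running error_rates for n = 1, 16 and 20 shows the tradeoff the post describes: requiring every minutia rejects nearly every genuine capture, while a very low threshold lets random prints through.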

------------------------------

From: [EMAIL PROTECTED] (Mike Andrews)
Subject: Re: NAI granted export license for PGP
Date: Wed, 15 Dec 1999 03:58:03 GMT

Pelle Evensen <[EMAIL PROTECTED]> wrote:

: From the press release;
: "The license, effective immediately, allows Network Associates, the world's
: largest security software company (IDC Research, 1999) to export its full
: strength PGP encryption software to virtually all countries worldwide without
: restriction."

: Why haven't we seen any people ranting about "NSA must have solved the
: discrete log and factoring problems" yet? :)

They've all been taken away in the black helicopters.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.theory
Subject: discrete logarithm reduction to factoring
Date: Wed, 15 Dec 1999 03:56:18 GMT



After reviewing some older threads about discrete log
and factoring I had come across a few that discussed
the ability to factor using discrete log.

It is my understanding from these discussions that
if there was a solution for discrete log, with say
a worst case asymptote that was cubic, that then factoring
would be polynomial as well.

It is not clear based on these discussions if this was
indeed factual, so I have come up with the following
questions.

Is it true that discrete log reduces to factoring ?

Where can I find a reference to material that discusses/proves this ?
(I am not interested in material that _only_ "claims it" as a side note)

what is the cost to implement a factoring solution based on
a discrete log solver in terms of the worst case bound ? is it
practical ? are there space costs ? does it work for _all_ integers, or
are there "exceptions".

lastly... _If_ there is a method, to implement factoring based
on a discrete log solver, and _if_ the method is fairly straightforward,
I would appreciate seeing a pseudo-code implementation, or a
link/reference to material that does contain a pseudo-code
implementation.

I would be interested in the answer to any one of these questions.
Since I have noticed a trend for discussions to stray lately in
newsgroups, I would prefer that responses specifically pertain to the
questions I have asked in this post/thread.

thank you for your help


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Deciphering without knowing the algorithm?
Date: Wed, 15 Dec 1999 04:57:52 GMT

In article <[EMAIL PROTECTED]>, albert <[EMAIL PROTECTED]> wrote:
>First, every element in an algorithm should be there by design only, there
>should be no reason to have something in an algorithm (especially a crypto one)
>unless there's good justification that adds to the overall security of the
>algorithm.  So when you "modify" it, it usually weakens, not strengthens an
>algorithm.
>
>To address  the original question; Patterns are easily found in badly written
>algorithms, so it's quite possible and happens often that an algorithm is
> broken
      Actually there are very few programs that don't broadcast what
method they are using. You send a PGP file and everyone interested will
know. So called experts like to say things are carefully balanced but this
is seldom the case.
>without actually knowing the algorithm.  Remember though, that's called
> security
>by obscurity, or security by stupidity as it's often referred to.  The security
>of an algorithm should lie in it's design, not the fact that the enemy doesn't
>know about it.  Alice should pick an algorithm the rest of the world knows and
>has been thoroughly studied by the best cryptoheads in the world.  That's the
>only way Bob is going to feel comfortable about the method used...
    If you see an algorithm that is advertised as thoroughly studied by the 
best cryptoheads in the world. Then you can be pretty damn sure it is weak.
Strong crypto is not allowed. You can not export it since if you could the
NSA would not be allowed to read your mail and they ain't about to let
that happen.  IF you and a friend want to send Email secretly to each other
it would be best to use more than one method so you can use the method you
trust and your friend can use one he trusts. You can double encrypt your 
messages. 

 By the way the Crypto Gods have declared scott19u weak and easy to break
but the bastards keep making excuses why they can't break it. Mr Wagner who 
publicly bragged on this forum that his latest slide attack would be the death 
of my method was full of shit. Someone on this forum tried to break it with it 
but ran into problems. It seems that even though I supply the source code with 
my method Mr Wagner lacked the IQ level necessary to understand how the 
method works. And yes he is the kind of person fools trust as an expert in 
crypto. So be careful



David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***

------------------------------

From: molypoly <[EMAIL PROTECTED]>
Subject: Re: Better encryption? PGP or Blowfish?
Date: Wed, 15 Dec 1999 04:37:39 GMT

      Ok, I'm a 'newbie' and am trying to understand this. With a "zero
information system" such as PGP, one can easily read the encrypted
file.
      If you are using PcCrypto, where the passphrase is not stored
ANYWHERE, then one cannot read the encrypted file. Am I getting this?
  Thanks in advance.

> In article <835f4t$9d$[EMAIL PROTECTED]>, Tom St Denis
<[EMAIL PROTECTED]> wrote:
> >In article <8348is$2g18$[EMAIL PROTECTED]>,
> >  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> >>    This just shows how fucking stupid you are little boy pain
> >> in the ass. Try reading what a ZERO information system is
> >> sometimes instead of opening your mouth. In a ZERO information
> >> protocol the seeds are in there to solve any encryption including
> >> that of a random file. IF you think mine has enough information
> >> for a random file break you're not only full of shit but you know
> >> nothing about encryption.  Try to learn something Tom because
> >> your posts are getting dumber and dumber and it is getting
> >> frustrating wasting my time to try to improve your pea brain.
> >
> >I will just go out invent this new attack called brute force.  I will
> >win a nobel.  If I can brute force any system, then that system has
> >given me enough information to break it.
> >
> >And last time I checked most block ciphers fell into this category.  No
> >matter how you use the block cipher, if the key is fixed, and used on
> >more than one block it can be attacked.
> >
>
>     Asshole even if I used a 4 bit key if the program I used was done
> correctly you may not know what the answer is. With a ZERO
> knowledge method you KNOW what the encrypted message is.
> You may not know what it means but you know what the message
> is ASSHOLE wake up and learn something. I'm getting tired of changing
> your diapers so to keep from using so many swear words you're going
> back on my Kill file list. Actually you're the only one on it.
>
> David A. Scott
> --
>
> SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
> http://www.jim.com/jamesd/Kong/scott19u.zip
>
> Scott famous encryption website NOT FOR WIMPS
> http://members.xoom.com/ecil/index.htm
>
> Scott rejected paper for the ACM
> http://members.xoom.com/ecil/dspaper.htm
>
> Scott famous Compression Page WIMPS allowed
> http://members.xoom.com/ecil/compress.htm
>
> **NOTE EMAIL address is for SPAMERS***
>


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
