Cryptography-Digest Digest #866, Volume #10       Fri, 7 Jan 00 22:13:01 EST

Contents:
  Re: AES wise? (Terry Ritter)
  Re: Blowfish Question ("Chung W Leong")
  Re: REDOC: First use: key dependent S-BOXES (karl malbrain)
  Re: Large Numbers Beginner Question (Eric Lee Green)
  Re: Questions about message digest functions (Tim Tyler)
  Re: Intel 810 chipset Random Number Generator ("Trevor Jackson, III")
  Re: Square? (Paulo S. L. M. Barreto)
  Re: Large Numbers Beginner Question (David A Molnar)
  Reprint of Yardley' Black Chamber ("LOU KRUH")
  Problem with using a multiple byte XOR as a hash? (ChenNelson)
  Re: Cert. Man. Library ("Clint Eastwood")
  Re: Square? ("Daniel Roethlisberger")
  Re: Mispronounce words. (OT Re: How to pronounce "Vigenere"?) (Nemo Outis)
  Re: Interview with an ECHELON Spy (Niels Teglsbo)
  Re: Reprint of Yardley' Black Chamber (Paul Rubin)
  Re: Questions about message digest functions (Tim Tyler)
  Re: simple block ciphers (David A Molnar)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: AES wise?
Date: Fri, 07 Jan 2000 23:23:07 GMT


On Fri, 7 Jan 2000 19:13:05 GMT, in <[EMAIL PROTECTED]>, in
sci.crypt Tim Tyler <[EMAIL PROTECTED]> wrote:

>[...]
>Having said this, I see /very/ little *harm* in restricting the operations
>used to bent functions.  It's not as though testing them is terribly
>time-consuming.

Bent functions are not balanced; they have unequal probabilities for
1's and 0's.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
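An added illustration of that point, not part of Terry Ritter's post: a small Walsh-spectrum check over two constructed 4-variable functions. The bent function x1x2 + x3x4 has Walsh coefficients all of magnitude 2^(n/2) = 4, and its truth table has 6 ones out of 16 (a bent function's weight is always 2^(n-1) +/- 2^(n/2-1)), so it cannot be balanced; the linear function x1 + x2 + x3 + x4 is balanced but as far from bent as a function can be. The function names are mine.

```python
def truth_table(f, n):
    """Evaluate a Boolean function f on all 2^n inputs (x encoded as an integer)."""
    return [f(x) & 1 for x in range(1 << n)]

def walsh_spectrum(tt, n):
    """W(a) = sum over x of (-1)^(f(x) xor <a,x>) for every linear mask a."""
    spectrum = []
    for a in range(1 << n):
        total = 0
        for x, fx in enumerate(tt):
            dot = bin(a & x).count("1") & 1      # inner product <a,x> over GF(2)
            total += -1 if (fx ^ dot) else 1
        spectrum.append(total)
    return spectrum

def is_bent(tt, n):
    """Bent: n even and every |W(a)| equals 2^(n/2) (maximal distance from all affine functions)."""
    if n % 2:
        return False
    target = 1 << (n // 2)
    return all(abs(w) == target for w in walsh_spectrum(tt, n))

def is_balanced(tt):
    """Balanced: exactly half the outputs are 1.  Since W(0) = 2^n - 2*weight,
    a bent function (W(0) = +/- 2^(n/2), never 0) is necessarily unbalanced."""
    return 2 * sum(tt) == len(tt)

# Constructed examples (not from the post).
def bent4(x):
    x1, x2, x3, x4 = (x >> 3) & 1, (x >> 2) & 1, (x >> 1) & 1, x & 1
    return (x1 & x2) ^ (x3 & x4)         # the classic 4-variable bent function

def parity4(x):
    return bin(x).count("1") & 1         # linear: balanced, not bent

def summarize(f, n):
    tt = truth_table(f, n)
    return {"weight": sum(tt), "balanced": is_balanced(tt),
            "bent": is_bent(tt, n), "w0": walsh_spectrum(tt, n)[0]}

if __name__ == "__main__":
    print("x1x2 + x3x4     :", summarize(bent4, 4))
    print("x1+x2+x3+x4     :", summarize(parity4, 4))
```

The `w0` entry is the Walsh coefficient at the zero mask, which is exactly the imbalance (ones minus zeros, negated); it is 4 for the bent function and 0 for the balanced one.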


------------------------------

From: "Chung W Leong" <[EMAIL PROTECTED]>
Subject: Re: Blowfish Question
Date: Fri, 7 Jan 2000 16:07:27 -0800

Even if you have control over the original text, analyzing the resulting
encrypted text would still yield no information (even or odd, divisibility,
the number of 1s and 0s, tendency, attitude, psychological state) about the
secret key? What if you have multiple (say 1000) original-encrypted text
pairs?

My firm is currently working on an e-commerce site, where we're planning to
encrypt the credit card numbers of customers with Blowfish before storing
them into the database, in case the security of the database is compromised.

"John Savard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Chung W Leong" <[EMAIL PROTECTED]> wrote, in part:
>
> >How difficult is it to recover a Blowfish key if you have both the
> >encrypted text and the original text? Is there an inverse function that
> >lets you calculate the key from the input and output?
>
> No, there isn't; doing this for Blowfish, as for DES, is believed to
> be equivalent to cracking the cipher.
>
> John Savard (jsavard<at>ecn<dot>ab<dot>ca)
> http://www.ecn.ab.ca/~jsavard/crypto.htm



------------------------------

From: karl malbrain <[EMAIL PROTECTED]>
Subject: Re: REDOC: First use: key dependent S-BOXES
Date: Fri, 07 Jan 2000 15:50:47 -0800

Both REDOC and KHUFU are circa 1990, as far as I know.
Karl M



------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Large Numbers Beginner Question
Date: Fri, 07 Jan 2000 17:27:55 -0700

"Alexander J. Fanti" wrote:
> I'm a newbie... so I'll be brief, any help would be appreciated...
> 
> I'm interested in public key cryptography.  I've read that I'll need to
> deal with large numbers (ie 256 bit numbers (2^256)).  My compiler only
> supports integers up to 64 bits (and they're signed!).
> 
> What do I do?
> Is there some computer math book I need to read to learn how to generate
> 512 bit random numbers and primes?  Do people writing these routines for
> Intel processors use special compilers?

If you are on a Unix machine, you probably want to use the GNU MP
multi-precision arithmetic library, which does bigints amongst other
operations. If you are on another platform, there exist other multi-precision
arithmetic libraries out there. Michael Rosing's book "Implementing Elliptic
Curve Cryptography" has an example multi-precision library. These libraries
define big integers as arrays of smaller integers, and operate by doing math
on the individual elements of those arrays.

All of this bigint stuff is very familiar to those of us who learned assembly
language on limited microprocessors such as the Apple II's 6502, which did not
even have 16-bit addition (we had to use the 'adc' add-with-carry instruction
on individual 8-bit values to add 16-bit numbers). I pity beginning
programmers today, who are plunked in front of closed black-box computers and
haven't the foggiest notion about what goes on inside that box. 

Finally, for random number stuff, check out the "cryptography links" in my
links on my personal web page ( http://members.tripod.com/e_l_green ).
Cryptographically strong PRNGs are a bit different from the "rand" function
provided by your "C" library, which may produce a random distribution but
which is quite predictable -- NOT what you want for generating keys and such.
Sorry about the lack of organization in my links, this file is auto-generated
from my Netscape 'bookmarks.html' file...

-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax
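As an added example (my code, not Eric's and not GMP's), here is the limb-array representation he describes, with the add-with-carry loop written out. LIMB_BITS is set to 8 to mirror the 6502 case; a real library uses the machine word. The results are checked against Python's native integers, which the example assumes as its reference.

```python
import random

LIMB_BITS = 8                     # 8-bit limbs, as on a 6502; a modern library uses 32 or 64
LIMB_MASK = (1 << LIMB_BITS) - 1

def to_limbs(n):
    """Split a non-negative integer into little-endian limbs (least significant first)."""
    limbs = []
    while n:
        limbs.append(n & LIMB_MASK)
        n >>= LIMB_BITS
    return limbs or [0]

def from_limbs(limbs):
    """Reassemble an integer from its limbs (reference conversion used for checking)."""
    return sum(l << (LIMB_BITS * i) for i, l in enumerate(limbs))

def normalize(limbs):
    """Drop leading zero limbs so equal values have equal representations."""
    while len(limbs) > 1 and limbs[-1] == 0:
        limbs.pop()
    return limbs

def add_limbs(a, b):
    """The 'adc' loop: add limb by limb, carrying a single bit into the next limb."""
    out, carry = [], 0
    for i in range(max(len(a), len(b))):
        s = (a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) + carry
        out.append(s & LIMB_MASK)
        carry = s >> LIMB_BITS          # 0 or 1, exactly the processor's carry flag
    if carry:
        out.append(carry)
    return normalize(out)

def mul_limbs(a, b):
    """Schoolbook multiplication: limb product + accumulator + carry always fits in 2*LIMB_BITS."""
    out = [0] * (len(a) + len(b))
    for i, ai in enumerate(a):
        carry = 0
        for j, bj in enumerate(b):
            t = out[i + j] + ai * bj + carry
            out[i + j] = t & LIMB_MASK
            carry = t >> LIMB_BITS
        out[i + len(b)] = carry         # this slot has not been written yet, so a plain store suffices
    return normalize(out)

def check_against_native(seed=1, bits=256, trials=50):
    """Random-operand check of add/mul against Python ints (the assumed reference)."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(bits), rng.getrandbits(bits)
        if from_limbs(add_limbs(to_limbs(x), to_limbs(y))) != x + y:
            return False
        if from_limbs(mul_limbs(to_limbs(x), to_limbs(y))) != x * y:
            return False
    return True

if __name__ == "__main__":
    print(add_limbs([0xFF], [0x01]))    # carry out of the top limb -> [0, 1]
    print(check_against_native())
```

Subtraction, comparison and modular reduction follow the same pattern (a borrow flag instead of a carry); a 256-bit operand is simply 32 of these 8-bit limbs.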

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Questions about message digest functions
Reply-To: [EMAIL PROTECTED]
Date: Fri, 7 Jan 2000 23:58:36 GMT

Recently I wrote:

[is building a secure, one-way pseudo-random permutation possible?]

: I know that there are constructions for building hashes from /asymmetric/
: block cyphering schemes.  I do not know if any of these retain bijectivity
: of the underlying cypher.

Now that I have my bookshelf to hand, it appears that at least one of them
does. To quote from Section 18.12 of Schneier's "Applied Cryptography":

``It is possible to use a public-key encryption algorithm in a block
  chaining mode as a one-way hash function.  If you then throw away the
  private key, breaking the hash would be as difficult as reading the
  message without the private key.''

This construction appears to work, and when block size, hash size and
message size are all equal, it provides a secure bijective one-way hash.

I believe this is the entity whose existence was apparently in question.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

SECRET VIPAR GAMMA GUPPY.

------------------------------

Date: Fri, 07 Jan 2000 19:48:48 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Intel 810 chipset Random Number Generator

Bradley Yearwood wrote:

> In response to a recent inquiry, Intel have been kind enough to point out
> that they have released a Programmer's Reference Manual detailing access
> to the hardware Random Number Generator feature in the 82802 FWH (Firmware
> Hub: BIOS Flash) chip in their 810 chipset.  This document (their #298029-001)
> may be found under the following page:
>
> http://developer.intel.com/design/chipsets/manuals/
>
> Whether the raw output from the hardware register is sufficiently
> unbiased and otherwise random for specific uses, this document does
> not say.  They do recommend running e.g. FIPS 140-1 tests on the output
> after initialization.

Actually they recommend running FIPS 140-1 or something similar as part of detecting 
whether the device is present.

>
>
> One interesting observation is that the device requires a variable
> amount of time to generate a new random byte.  Availability of a new
> value is indicated by a status bit.  They recommend a timeout of 4.5ms
> in polling this status, which appears to indicate a worst-case rate of
> random byte production of around 222 bytes/sec.

They did not describe any interaction between the RNG process and the polling process, 
but they also did not state that they are unrelated.  It wouldn't be the first time an 
input device's behavior depended upon the style of the program reading it.

>
>
> A big Thank You goes to Intel for providing this information.
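An added example, not taken from the Intel manual or from either poster: a polling loop with the 4.5 ms timeout described above, reading from a simulated device (a seeded PRNG standing in for the hardware register so the code runs offline), followed by the four FIPS 140-1 statistical tests (monobit, poker, runs, long run) over a 20,000-bit sample. The thresholds are the FIPS 140-1 values; the status and data functions are placeholders for whatever register reads the manual specifies.

```python
import random
import time

SAMPLE_BITS = 20000                      # FIPS 140-1 tests are defined on one 20,000-bit sample
RUN_BOUNDS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}  # runs longer than 6 count as 6

def read_random_bytes(status_ready, read_data, count, timeout_s=0.0045):
    """Poll the ready bit before each data read; give up after the manual's 4.5 ms."""
    out = bytearray()
    for _ in range(count):
        deadline = time.monotonic() + timeout_s
        while not status_ready():
            if time.monotonic() > deadline:
                raise TimeoutError("no random byte within the polling timeout")
        out.append(read_data())
    return bytes(out)

def simulated_device(seed):
    """Constructed stand-in for the hardware register (assumption: seeded PRNG output,
    'ready' on every second poll).  Replace with the real status/data register reads."""
    rng, polls = random.Random(seed), [0]
    def status_ready():
        polls[0] += 1
        return polls[0] % 2 == 0
    def read_data():
        return rng.getrandbits(8)
    return status_ready, read_data

def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def monobit(bits):                       # 9654 < number of ones < 10346
    return 9654 < sum(bits) < 10346

def poker(bits):                         # chi-square-like statistic over 5000 nibbles
    counts = [0] * 16
    for i in range(0, len(bits), 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return 1.03 < x < 57.4

def run_lengths(bits):
    """Lengths of every maximal run, keyed by the bit value that forms the run."""
    runs, length = {0: [], 1: []}, 1
    for prev, cur in zip(bits, bits[1:]):
        if cur == prev:
            length += 1
        else:
            runs[prev].append(length)
            length = 1
    runs[bits[-1]].append(length)
    return runs

def runs_test(bits):                     # all 12 bucket counts must lie inside RUN_BOUNDS
    for lengths in run_lengths(bits).values():
        buckets = {k: 0 for k in RUN_BOUNDS}
        for length in lengths:
            buckets[min(length, 6)] += 1
        if any(not lo <= buckets[k] <= hi for k, (lo, hi) in RUN_BOUNDS.items()):
            return False
    return True

def long_run_test(bits):                 # any run of 34 or more identical bits fails
    return all(l < 34 for lengths in run_lengths(bits).values() for l in lengths)

def fips_140_1(data):
    bits = to_bits(data)
    if len(bits) != SAMPLE_BITS:
        raise ValueError("the tests need exactly 2500 bytes")
    return {"monobit": monobit(bits), "poker": poker(bits),
            "runs": runs_test(bits), "long_run": long_run_test(bits)}

def device_present(status_ready, read_data):
    """Presence check in the manual's spirit: bytes must arrive in time and the sample must pass."""
    try:
        return all(fips_140_1(read_random_bytes(status_ready, read_data, 2500)).values())
    except TimeoutError:
        return False

if __name__ == "__main__":
    status, data = simulated_device(seed=42)
    print("simulated device:", fips_140_1(read_random_bytes(status, data, 2500)))
    print("stuck at zero   :", fips_140_1(bytes(2500)))     # constructed failure case
```

Two constructed degenerate inputs show what each test catches: an all-zero sample fails every test, while a perfectly alternating 0x55 pattern passes monobit and long-run yet fails poker and runs, which is why a single bias count is not enough to accept a hardware source.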





------------------------------

From: Paulo S. L. M. Barreto <[EMAIL PROTECTED]>
Subject: Re: Square?
Date: 7 Jan 2000 15:50:03 -0800

In article <[EMAIL PROTECTED]>, David says...

>Square actually can have a variable number of rounds, as described in
>section 7 of "The Block Cipher Square". The key schedule is capable of
>generating any required number of subkeys.

In fact, this *has* already happened.  The embryonic form of Square (before the
key schedule was designed) had only 6 rounds; this number was increased to 8
after Lars Knudsen's discovery of the dedicated attack on 4 rounds (I think it
was Vincent Rijmen himself who extended the attack to 5 and 6 rounds).

Paulo.


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Large Numbers Beginner Question
Date: 8 Jan 2000 00:50:12 GMT

Eric Lee Green <[EMAIL PROTECTED]> wrote:
> on individual 8-bit values to add 16-bit numbers). I pity beginning
> programmers today, who are plunked in front of closed black-box computers and
> haven't the foggiest notion about what goes on inside that box. 

For what it's worth, the Computer Science AP curriculum (US secondary
school recommended curriculum for advanced students) was using
BigInteger as a "case study" a few years ago. I don't know whether it's
been updated since then. Not all is lost. 

-David


------------------------------

From: "LOU KRUH" <[EMAIL PROTECTED]>
Subject: Reprint of Yardley' Black Chamber
Date: Fri, 7 Jan 2000 20:17:00 -0800

A hardcover reprint of The American Black Chamber by H.O. Yardley has been
published by Amereon Ltd., Mattituck, NY 11952-9500, Tel. (516) 298-5100. The
reason for this alert is that only 100 copies are available. Price is $23.95
or a few dollars cheaper on Amazon or Barnes and Noble.com.

Lou Kruh



------------------------------

From: [EMAIL PROTECTED] (ChenNelson)
Subject: Problem with using a multiple byte XOR as a hash?
Date: 08 Jan 2000 01:30:09 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

I'm thinking of writing a routine that would store a key in some sort
of key file, encrypted of course. To open the key, the user must enter
a previously selected passphrase. My question is, how would I detect
the entry of the wrong passphrase, which would produce garbage as the
key, and alert the user? Is it safe to store the key's bytes taken as,
say pairs, all XOR'ed together in sequence and store that as part of
the file "header" in the clear?

Also, why is such a scheme insecure in terms of producing a hash that
would resist true attack? I'm assuming that it has to be insecure, or
nobody would go to such lengths to produce SHA, MD4, MD5, etc.

Later,
Nelson Chen
=====BEGIN PGP SIGNATURE=====
Version: PGP for Personal Privacy 5.5.2
Comment: For public key, go to key server with key ID 0xD28C0DD9

iQA/AwUBOHaUOW1ACZTSjA3ZEQIRfwCggsEaSsooSth0rBw7n+GSP/ANCkAAn2EN
CkVYDJNSibBJdqqM5wY3Z/88
=toDd
=====END PGP SIGNATURE=====
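An added example (my code, not Nelson's) of the pairwise-XOR checksum he describes, with the two observations a reviewer would raise. First, XOR folding is linear, so any two changes that cancel in the fold collide, and a fold stored in the clear gives away one 16-bit linear relation on the key. Second, a keyed verifier tag over a passphrase-derived key detects a wrong passphrase without revealing anything about the key. The salt handling, iteration count and the literal "verify" are assumptions for the example, not a file format from the post.

```python
import hashlib
import hmac
import os

def xor_fold16(key):
    """XOR all 2-byte pairs of the key together (the checksum proposed in the post)."""
    if len(key) % 2:
        raise ValueError("key length must be even")
    acc = 0
    for i in range(0, len(key), 2):
        acc ^= (key[i] << 8) | key[i + 1]
    return acc

def colliding_key(key):
    """Flip the same bit in two different pairs: the key changes, the fold does not."""
    k = bytearray(key)
    k[0] ^= 0x80
    k[2] ^= 0x80
    return bytes(k)

def last_pair_from_fold(key_prefix, fold):
    """The fold is linear: given every pair but the last, the stored value fixes the last pair."""
    return fold ^ xor_fold16(key_prefix)

# A keyed verifier instead: derive K from the passphrase, store the salt and HMAC_K("verify").
def derive_key(passphrase, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)

def make_verifier(passphrase, salt):
    return hmac.new(derive_key(passphrase, salt), b"verify", hashlib.sha256).digest()

def passphrase_correct(passphrase, salt, stored_tag):
    candidate = hmac.new(derive_key(passphrase, salt), b"verify", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, stored_tag)   # constant-time comparison

def demo():
    key = bytes(range(16))                # constructed 128-bit key
    alt = colliding_key(key)
    salt = os.urandom(16)                 # stored beside the tag; need not be secret
    tag = make_verifier("correct horse", salt)
    return {
        "fold_equal": xor_fold16(key) == xor_fold16(alt) and key != alt,
        "sha1_equal": hashlib.sha1(key).digest() == hashlib.sha1(alt).digest(),
        "last_pair": last_pair_from_fold(key[:-2], xor_fold16(key))
                     == int.from_bytes(key[-2:], "big"),
        "right": passphrase_correct("correct horse", salt, tag),
        "wrong": passphrase_correct("wrong", salt, tag),
    }

if __name__ == "__main__":
    print(demo())
```

The `sha1_equal` entry shows the contrast with a real digest: the two keys that share an XOR fold produce different SHA-1 outputs, and finding a pair that did not would require the collision attacks those functions were designed to resist.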


------------------------------

From: "Clint Eastwood" <[EMAIL PROTECTED]>
Subject: Re: Cert. Man. Library
Date: 8 Jan 2000 01:40:09 GMT

> Can anyone suggest where to look for the Certificate Management Library?

Answered my own question. It is at the fortezza site.


------------------------------

From: "Daniel Roethlisberger" <[EMAIL PROTECTED]>
Subject: Re: Square?
Date: Sat, 8 Jan 2000 02:54:50 +0100

> Rijndael supports both keysizes and blocksizes of 128, 192,
> and 256 bits, giving 9 combinations.  The number of rounds
> is size dependent, however: 10 rounds if both parameters are
>128, 12 rounds if the larger of them is 192, and 14 rounds if the
> larger of them is 256.

I think (correct me if I'm wrong) that Rijndael actually allows using key
sizes other than those 3, as long as the size is divisible by 32. At least that's
what the documentation says, and the key setup procedure seems to support
that without making great changes to the code.
The reference implementations only support 128, 192 and 256 bits 'cos that's
what is required by NIST. But you could use Rijndael with say 224 bit keys,
and that's well within its specifications.


/Dan



------------------------------

From: [EMAIL PROTECTED] (Nemo Outis)
Subject: Re: Mispronounce words. (OT Re: How to pronounce "Vigenere"?)
Date: Sat, 08 Jan 2000 02:13:30 GMT



The "h" is there because nihil is nothing in Latin.

Some words are so regularly mispronounced that dictionaries now recognize 
the "erroneous" pronunciation, such as the ones with double c (e.g., "flaccid" 
which is pronounced roughly as "flak-sid" not "flas-sid").  How many people 
regularly mispronounce "satiety" (very roughly "sat-eye-it-ee")? 

Unfortunately if enough people persist long enough in mispronouncing these 
words, they (or their children) will eventually become "right," since what 
constitutes "correct English" is "descriptive rather than prescriptive," 
"normative rather than positive," i.e., is based on usage (usually cultivated 
or educated usage, but that standard is also becoming diluted to just mass 
usage).  

And how many people pronounce "awry" as "awe-ree" rather than "a-rye?"

Regards,



In article <855emu$3ba$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (William 
Rowden) wrote:
>I'm joining the topic drift.
>
>In article <[EMAIL PROTECTED]>,
>Dan Day <[EMAIL PROTECTED]> wrote:
>> Hell, I have that same problem with a lot of words in English (and
>> English is my first language).  That's the problem with doing a lot
>> of reading in my younger years -- I was first introduced to many
>> words via print, not speech.
>>
>> I still recall the day when I first discovered that the written
>> "chaos" and the spoken "kay'os" were the same word...
>
>:-)
>
>I, too, was a reading child.  "Omnipotent" is logically "omni-potent"
>/om'nee poe'tent/, right?  I also remember the quizzical look I
>received when I first said "annihilation," complete with two short
>i's.  Why is that "h" there?

------------------------------

From: [EMAIL PROTECTED] (Niels Teglsbo)
Subject: Re: Interview with an ECHELON Spy
Date: Fri, 07 Jan 2000 23:04:35 +0100

[EMAIL PROTECTED] (Jim) wrote:

> What's the situation in Denmark at the moment regarding private use
> of strong crypto?

It's legal to use any form of crypto systems in Denmark.

However there are some export restrictions from the Wassenaar treaty.

The Danish Defence Minister Hans Hækkerup (mentioned in the articles from
the Ekstra Bladet) also advised people to use strong cryptography if they
didn't want to be eavesdropped on.

-- 
Niels, The Offspring Mailinglist www.image.dk/~teglsbo
PGP ID: 0x79701FB3 Print: 14CE E6BA 29CC 4ECE D7A3  30D3 FB74 A1CB 7970 1FB3

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Reprint of Yardley' Black Chamber
Date: 8 Jan 2000 02:48:48 GMT

In article <85630c$gh1$[EMAIL PROTECTED]>,
LOU KRUH <[EMAIL PROTECTED]> wrote:
>A hardcover reprint of The American Black Chamber by H.O. Yardley has been
>published by Amereon Ltd., Mattituck, NY 11952-9500, Tel. (516) 298-5100. The
>reason for this alert is that only 100 copies are available. Price is $23.95
>or a few dollars cheaper on Amazon or Barnes and Noble.com.
>
>Lou Kruh

This book is out of print?  A shame, it's a good read.
It was written in the 1920's and may be out of copyright too.
Someone ought to put it on a web site, if that's the case. 

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Questions about message digest functions
Reply-To: [EMAIL PROTECTED]
Date: Sat, 8 Jan 2000 02:21:27 GMT

Matt Timmermans <[EMAIL PROTECTED]> wrote:

: I missed the start of this thread, but as far as I know, there are no known
: one-way permutations that can be shown to be permutations  -- do you
: actually know of one, Tim?

What about the one I proposed in a post on this thread in which I quoted
from section 18.12 of Schneier's "Applied Cryptography"?

: For instance:  If I publish an RSA modulus and public exponent as a PRP, how
: do I show that it _is_ a permutation without revealing private information,
: at which point it would cease to be one-way?

As I understand it, RSA-based block cyphers can losslessly encode
information from a message in the same number of bits as are present in
the message.

I don't see how this can fail to be a bijection when used as a hash (i.e.
by destroying the private key) - when hash size, message size and block
size are all equal?

When you use RSA to encrypt, you can decrypt again and recover the
original message.  If you can do this for all possible files of a given
length, and the size of the domain is equal to the size of the range,
what other possible maps could there be, besides a bijection?

Also, (to answer your question another way) hashes of individual messages
could be computed with the public key.

In principle this would allow a demonstration that the map was a
permutation by exhaustively going through all the possible messages
of the given length, and seeing if there are any hash collisions.

Mechanically going through this process does not seem to be equivalent to
revealing the private key to me.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Royal Flags Wave Kings Above.
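An added example serving both of Tim Tyler's posts in this digest (my code, not Schneier's construction or any library): the exhaustive permutation check he describes, run with the public key only on a textbook-sized modulus (constructed values n = 61 x 53 = 3233, e = 17). It also makes the "block size, hash size and message size all equal" condition concrete: RSA permutes the residues 0..n-1, not k-bit strings, and n is never a power of two, so the map is a bijection on Z_n but not on the k-bit block that contains it, and inputs restricted to k-1 bits produce outputs that do not fit in k-1 bits.

```python
from math import gcd

def rsa_public(n, e):
    """The public map x -> x^e mod n; evaluating it needs no private key."""
    return lambda x: pow(x, e, n)

def is_permutation_exhaustive(f, domain_size):
    """Walk the whole domain 0..domain_size-1 looking for a collision (the check from the post)."""
    seen = set()
    for x in range(domain_size):
        y = f(x)
        if y in seen:
            return False
        seen.add(y)
    return True

def carmichael_lambda(p, q):
    """lambda(pq) = lcm(p-1, q-1); e must be coprime to it for x^e to be invertible mod pq."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def analyse(p, q, e):
    n = p * q
    f = rsa_public(n, e)
    k = n.bit_length()                  # smallest block width that holds every residue
    below = 1 << (k - 1)                # largest power of two that fits inside Z_n
    return {
        "e_valid": gcd(e, carmichael_lambda(p, q)) == 1,
        "perm_on_Zn": is_permutation_exhaustive(f, n),
        # k-bit inputs >= n are reduced mod n first, so x and x - n collide: no bijection on k bits
        "perm_on_k_bits": is_permutation_exhaustive(f, 1 << k),
        # (k-1)-bit inputs never collide, but their images spill outside the (k-1)-bit range
        "outputs_fit_k_minus_1": max(f(x) for x in range(below)) < below,
        "block_bits": k,
    }

if __name__ == "__main__":
    print(analyse(61, 53, 17))   # constructed textbook modulus n = 3233
    print(analyse(61, 53, 3))    # e shares a factor with lambda(n): not a permutation
```

The exhaustive walk is only feasible at toy sizes; for a real modulus the bijectivity of x^e mod n follows from gcd(e, lambda(n)) = 1 rather than from enumeration, and checking that condition is the step that a holder of the private key can do and a public-key-only verifier cannot.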

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: simple block ciphers
Date: 8 Jan 2000 02:59:53 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:
> [first I did not invent this ...!!!]

Looks kind of like Pohlig-Hellman, but with the modulus kept secret,
too. (unless the modulus is secret in P-H; applied crypto isn't clear on
this point) 

> p = random prime
> e = random prime less than p
> d = chosen such that de = 1 mod (p - 1)

> Encrypt(x) = x^e mod p
> Decrypt(x) = x^d mod p

> Where (d, e, p) is the private key.

For what it's worth, you have a malleability problem (or
"feature") : E(x) * E(y) = E(xy), since x^e * y^e = (xy)^e


> And if p is private, can a small p be used (say around 128 bits?)

The only "attack" which comes to me right off is noticing how big each of
the values are.  I'm not sure how effective that is. Here's what I'm
thinking :

say p is k bits long. Let's also say that it's between 2^{k-1} and 2^{k}. 
It can't be a perfect power of 2, 'cause then it wouldn't be prime. So
when we send blocks, we aren't going to get a perfectly uniform
distribution on numbers between 1 and 2^k, since we will never see a
number greater than p. 

What fraction of numbers are excluded? It seems to me that this 
fraction is :

2^k - p      (number of #s we'll never see)
=======
  2^k        (total numbers)


well, at best, if 2^k -1 is our prime, this is 1/2^k (really small). At
worst, p is  really close to 2^{k-1}. So we have approximately 

2^k - 2^{k-1}         2^k * .5 
=============  =  ======================= = .5
  2^k                   2^k 

or just less than half the numbers we'd expect thrown out. 

If you knew exactly what this fraction was, it seems to me that you'd
determine p. What I don't know is how large a sample you'd need before
you could get a guess for p, or what your confidence in that guess might 
be. That may provide part of an answer to your question. I need to study
more statistics...

As it is, once you have a guess, you may want some way of checking it. How
about this : 

We know that x^e * y^e = (xy)^e  for any x, y, e. What about if we
have x^e mod p, x^e mod p, and x^e * y^e mod q ? What happens if q != p?
i.e. q is your guess and you guess wrong? does this identity still hold?

if the identity doesn't hold, AND you have someone who will tell you if a
ciphertext is "correctly formed" or not, it seems you could check your
guess. and maybe refine your estimate ? 

Thanks, 
-David Molnar
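An added example (my code, neither Tom's nor David's): the cipher exactly as posted, at a toy 32-bit size so the whole run takes a moment, with the two properties David points out made measurable. Malleability: E(x) * E(y) = E(xy) mod p. Modulus leakage: ciphertexts are uniform on 1..p-1, so the largest value seen is a lower bound on p that tightens as the sample grows, and the share of the 2^k block that is never used is (2^k - p)/2^k. The Miller-Rabin routine and the seeded PRNG are my assumptions for generating the toy key; pow(e, -1, m) needs Python 3.8 or later.

```python
import random
from math import gcd

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for a toy key, not a substitute for a vetted library."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(rng, bits=32):
    """p random prime, e random prime < p with gcd(e, p-1) = 1, d = e^-1 mod (p-1)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            break
    while True:
        e = rng.randrange(3, p)
        if is_probable_prime(e, rng) and gcd(e, p - 1) == 1:
            break
    return p, e, pow(e, -1, p - 1)

def encrypt(x, e, p):
    return pow(x, e, p)

def decrypt(y, d, p):
    return pow(y, d, p)

def malleable(x, y, e, p):
    """E(x) * E(y) mod p == E(x * y mod p): a ciphertext of a product can be built without the key."""
    return encrypt(x, e, p) * encrypt(y, e, p) % p == encrypt(x * y % p, e, p)

def modulus_lower_bound(ciphertexts):
    """Every ciphertext is < p, so max + 1 is a lower bound on p; it approaches p as samples grow."""
    return max(ciphertexts) + 1

def excluded_fraction(p):
    """Share of the k-bit block that never appears as a ciphertext: (2^k - p) / 2^k."""
    k = p.bit_length()
    return ((1 << k) - p) / (1 << k)

def simulate(seed=7, bits=32, samples=5000):
    """Constructed experiment: random plaintexts under one toy key, then the two observations."""
    rng = random.Random(seed)
    p, e, d = keygen(rng, bits)
    cts = [encrypt(rng.randrange(1, p), e, p) for _ in range(samples)]
    est = modulus_lower_bound(cts)
    return {"roundtrip": all(decrypt(encrypt(x, e, p), d, p) == x for x in range(1, 50)),
            "malleable": malleable(123456, 654321, e, p),
            "bound_holds": est <= p,
            "rel_error": (p - est) / p,
            "excluded": excluded_fraction(p)}

if __name__ == "__main__":
    print(simulate())
```

With a few thousand ciphertexts the lower bound is already within a fraction of a percent of p, which is the sample-size question David raises: the estimate's gap shrinks roughly like p divided by the number of samples, independent of the key size.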


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
