Cryptography-Digest Digest #971, Volume #10      Tue, 25 Jan 00 11:13:01 EST

Contents:
  Re: "Trusted" CA - Oxymoron? ("Henry Vanderlinden")
  Re: "Trusted" CA - Oxymoron? (Paul Rubin)
  Re: Modem Crypto (Military Grade) ("Steve Sampson")
  Re: Solution to GCHQ puzzle published (Padgett 0sirius)
  Re: "Trusted" CA - Oxymoron? (Papa Bear)
  Re: Why did SkipJack fail? (Frank Gifford)
  Re: MIRDEK: more fun with playing cards. (Johnny Bravo)
  Re: MIRDEK: more fun with playing cards. (Johnny Bravo)
  Re: Intel 810 chipset Random Number Generator (Herman Rubin)
  Re: Intel 810 chipset Random Number Generator (Herman Rubin)
  Re: Intel 810 chipset Random Number Generator (Terry Ritter)
  Re: Intel 810 chipset Random Number Generator (Terry Ritter)
  Re: 1on1lite (Was: Re: Echelon monitors this group) ("An Anarchist")
  Re: Java's RSA implimentation (Eric Lee Green)
  generating "safe primes" (Jonathan Katz)

----------------------------------------------------------------------------

From: "Henry Vanderlinden" <[EMAIL PROTECTED]>
Crossposted-To: 
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Date: Tue, 25 Jan 2000 13:23:01 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

It is overreacting to imply that the Thawte Web of Trust system is
weak because its "notaries" do not have to be "real" notaries in their
other business.
Thawte notaries are not just anybody, and do not sign anything.
If you write that without proof, it's wrong to write it.
If you have proof, contact Thawte immediately to have that notary
revoked!

Henry

=====BEGIN PGP SIGNATURE=====
Version: PGP 6.5.1fr pour usage non commercial

iQA/AwUBOI2VzxB1FxvjcQFHEQJIfQCfYJ57CFIenWPuZQkWJDQi24/Lm20AoO/e
tR9RH/AUpS6eazoukxnm1ACM
=WfDt
=====END PGP SIGNATURE=====




------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Crossposted-To: 
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Date: 25 Jan 2000 13:30:03 GMT

In article <Vshj4.45$[EMAIL PROTECTED]>,
Henry Vanderlinden <[EMAIL PROTECTED]> wrote:
>It is overreacting to imply that the Thawte Web of Trust system is
>weak because its "notaries" do not have to be "real" notaries in their
>other business.

In the US at least, a document witnessed by a "real" notary has in
some situations more legal force than the same document witnessed by a
random person.  And in some states there are laws (bad idea!)  making
digital signatures equal to paper signatures for contracts, etc.

>Thawte notaries are not just anybody, and do not sign anything.
>If you write that without proof, it's wrong to write it.
>If you have proof, contact Thawte immediately to have that notary
>revoked !

But by the time that happens, it is already too late.  The "real"
notaries, at least, can get in bad trouble (jail?) for purposely
giving bad signatures.

------------------------------

From: "Steve Sampson" <[EMAIL PROTECTED]>
Subject: Re: Modem Crypto (Military Grade)
Date: Tue, 25 Jan 2000 07:35:24 -0600

Wow, that was useful.

I scanned the web and finally found the gadget that answered my own
question.
Trouble is, it isn't in production yet, or so the page says:

http://www.motorola.com/GSS/SSTG/ISSPD/Secure_Telecom/omega.html

Paul Rubin wrote
> Steve Sampson wrote:
> >I'm looking for a modern device that can use a 33k modem (analog
> >lines) for a dialup solution.  The latest STU have ISDN, but most
> >military installations do not.
>
> If it's a US military application, talk to the NSA (www.nsa.gov).
> That's their job.




------------------------------

From: [EMAIL PROTECTED] (Padgett 0sirius)
Subject: Re: Solution to GCHQ puzzle published
Date: Tue, 25 Jan 2000 21:26:02

>When I held my mouse over "The Salary" of linguists (and viewed the
>page source) - the characters I got were "OHE-H"...i.e. "H" instead of
>"N".

That was not an error - it was the "extra points". Remember that was on the
*linguists* page 8*).

        A. Padgett Peterson, P.E. CISSP: Cybernetic Psychophysicist
                http://www.freivald.org/~padgett/index.html
to avoid antispam use mailto:[EMAIL PROTECTED]    PGP 6.5 Public Key Available

------------------------------

From: Papa Bear <[EMAIL PROTECTED]>
Crossposted-To: 
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Date: Tue, 25 Jan 2000 09:01:42 -0500

On Mon, 24 Jan 2000 01:10:26 GMT, "Jim Bennett" <[EMAIL PROTECTED]>
wrote:

>I have been reviewing the Certification Practice Statements of various
>issuers of X.509 digital certificates for S/Mime email. I have been trying
>to find one that really tries to verify the identity of the certificate
>applicant and will do it for the general public. I haven't been too thrilled
>with what I found.
>
>Why do I care? If you are going to use a personal digital certificate for
>signing an email that has significant legal implications, like a request to
>withdraw $100,000 from your bank and have the funds wired somewhere else,
>you sure as hell want to make sure the person who has signed the message is
>really the person he says he is.
>
>Now let's see how various vendors have attacked the problem.
>
[vendor list and analysis snipped]

I think you need to take a closer look at what you really want a
digital certificate for.  If I sign something with "significant legal
implications" (presumable some kind or contractual request or
oblication) I should hope that the person with whom I am signing it
has determined to their *own* satisfaction that I am in fact who I say
I am, as I will certainly have done so myself as to their identity,
and not just blindly trust some certificate authority!

As to your example about the bank, even if I had a certificate from
the NSA and FBI that I was in fact the protoplasmic blob I think I am,
what relationship does that have to the person (whoever he was) who
opened the bank account?  If a bank I did business with was willing to
accept ANY outside certification without making their own internal
verifications, I would have my money out of there so fast the teller's
head would spin and my letter to the bank president would probably
incinerate before it got there!

On the other hand, as is becoming more common these days, I have
several other identities on the internet.  Some of whom are traceable
to me and some who I should hope are not.  Some of these are of little
importance and require no separate identification (or can be
identified by style, posting location, etc.) while some others need to
give some assurance at times that they are indeed who they say they
are.  To do this I sign all messages from these nyms with a key known
(at least by those who would care) to belong to that identity and
which is available on one or more public key servers.  If one of these
identities chose to use your services in protecting his offshore
assets (wish I had some about now), he would most likely contact you
using the same key and from there we would negotiate what would, for
you, constitute sufficient identification (I suspect "show me the
money").  

When it comes to security, people are far too concerned with physical
identification, when it is identity itself they should be concerned
with.  To give an example, now that electronic signatures are becoming
accepted by the courts as legally binding, a request signed with a key
that was itself appropriately signed by a credit card company would be
just as good as a signed credit card charge slip. The key itself could
be used in lieu of the actual credit card number (probably in the form
of an additional "authorized charge amount" field in the signature)
since the key would be on file with the credit card company who signed
it.  This would then have completely eliminated the whole "CD
Universe" problem, since all the hackers could have stolen was a bunch
of publicly known keys and some already used charge tokens!

Note that in neither case does it matter *who* I am, only that by
using the key I can prove that I have the authority to request or
agree to whatever it is that I am signing.  In fact (unless other
factors are involved) it makes no difference whether "I" am an
anonymous nym, a known person, or one of several authorized officers of
a corporation, it is still a question of identity, not identification!

Dave E.


------------------------------

From: [EMAIL PROTECTED] (Frank Gifford)
Subject: Re: Why did SkipJack fail?
Date: 25 Jan 2000 08:51:27 -0500

In article <QM7j4.1539$[EMAIL PROTECTED]>,
Mike Andrews <[EMAIL PROTECTED]> wrote:
>Greg <[EMAIL PROTECTED]> wrote:
>
>: Can anyone please share their views on why SkipJack failed in
>: the market place?
>
>All this from memory:
>
>o      It used a classified algorithm, and hence was not open to public
>       review.

Also, it was given a cursory review by a small group of people who then
said it looked adequate - but they weren't given the time to do any real
investigation.  As well, I don't believe that group had any serious
cryptographers in it.

>o      It would have made ciphertext readable by anyone who could 
>       convince the keepers of the LEAF keys that his was a good
>       and noble cause.

This was the one that the average person could understand was wrong.  With
the first requirement of a secret algorithm, some people could be convinced 
that it would hurt "the bad guys"...

But Big Brother reading your messages anytime they want?  Everyone has heard
plenty of stories where the people in power cannot be trusted and I believe
this requirement absolutely killed Clipper/SKIPJACK.

>o      It wasn't good enough for classified data, but supposedly was
>       good enough for _our_ data. 

Once SKIPJACK had been declassified, Ron Rivest spent some time investigating
the algorithm and found that, although it seemed strong enough against the
attacks he provided - it didn't have anything like a "safety margin" one
would like to see.  If you believe that a group like the NSA (who do this
kind of stuff for a living!) has a few years lead on cryptography, this
does not give a warm feeling to even using SKIPJACK now that it is available
for public scrutiny.

-Giff

-- 
Too busy for a .sig

------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Tue, 25 Jan 2000 09:04:39 +0000

On 21 Jan 2000 08:28:16 -0000, Paul Crowley <[EMAIL PROTECTED]>
wrote:

>When you say "one time", you mean "once per message".  If you're in a 
>position to communicate big strings of random nonsense once per
>message, you can use the most successful secure hand cipher in the
>world, the one time pad.

  One reason for a card cipher is that you might not be shot for carrying
a deck of cards.  You would have a hard time explaining to the secret
police why you are carrying around a one time pad. :)

>Mirdek.  Unless you use some sort of input transformation which
>converts the input to a string of characters drawn from A-Z...

  Nothing wrong with using just letters.  It would be simple to set up
codes in advance to represent changes in the set if they are needed.  Like
ZZ switches to numbers (when a bunch of numbers are needed), a=1, b=2 etc.,
X = decimal.  ZZ switches back to letters.  Otherwise just spell
everything out.  Keep it as simple as possible and it will remain flexible as
well.

  Best Wishes,
    Johnny Bravo

------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Tue, 25 Jan 2000 09:10:23 +0000

On 22 Jan 2000 10:15:44 -0000, Paul Crowley <[EMAIL PROTECTED]>
wrote:

>80 bit passphrases are kind of hard to come by.  

  It wouldn't be hard to arrange to get the words for the passphrase from
a shared source, like a national newspaper.  While your opponents will
also have the paper, it is like the diceware list.  Having all the words
isn't much of a help in picking which words to use.

  Best Wishes,
    Johnny Bravo


------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 25 Jan 2000 09:19:50 -0500

In article <86gd0n$qmf$[EMAIL PROTECTED]>,
Michael Kagalenko <[EMAIL PROTECTED]> wrote:
>Herman Rubin ([EMAIL PROTECTED]) wrote 
>]In article <86dvcl$a17$[EMAIL PROTECTED]>,
>]Michael Kagalenko <[EMAIL PROTECTED]> wrote: 
>]>Herman Rubin ([EMAIL PROTECTED]) wrote 
>]>]In article <86au71$m0n$[EMAIL PROTECTED]>,
>]>]Michael Kagalenko <[EMAIL PROTECTED]> wrote: 
>]>]>Guy Macon ([EMAIL PROTECTED]) wrote 
>]>]>]In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul Koning) 
>wrote: 

                        ................



>]Independence is a very strong property.  For numbers to be
>]used as "random numbers" are typically used, it is often
>]more important than the uniformity of the distribution,
>]which can be corrected, is the independence of the numbers
>]produced by the device.  Exact independence means that 
>]the conditional probability distribution of one output 
>]given the rest is the same as not having that information.

> Yes, I know. What is your point, again ?

Do you have even an approximation of this?  This is VERY
hard to achieve, especially with a somewhat continuous
source.


>]Perfect independence is impossible.  Radioactive decay,
>]counting the parity of the number of events sufficiently
>]rarely, comes quite close, although the bias in the
>]recording device limits how much can be done; there are
>]ways to use multiple streams to improve things.

>]It is only the UNpredictable part which is useful for
>]random purposes.  Moderate range dependence of thermal
>]noise is hard to keep.

> The last sentence looks intriguingly relevant to the topic, but
> I fail to parse it. What I am pointing out is that to the extent
> that a quartz crystal, any quartz crystal, dissipates mechanical energy,
> it will produce thermally random noise, according to the fluctuation-
> dissipation theorem. The reason a resistor produces the
> thermal noise is that same theorem. I am also pointing out that this
> thermal noise will lead to brownian-walk drift of the clock which
> can be measured to produce truly unpredictable random data. So far,
> you and others went on all sorts of tangents due to the failure
> to understand what I am saying.


It may LOOK like a Brownian drift, but is it?  Brownian drift
actually has infinite energy, so what one has is at best an
approximation.  Also, a slowly varying drift, easily possible
with thermal effects of any kind, can play much havoc with 
using such a device to obtain supposedly random output.

Even radioactive counts, already digital and with excellent
independence properties, cannot be used as such, because of
both dead time, and the biases introduced by the analog 
nature of the counter-data interface.  This latter one is
particularly bad, and will apply to anything used directly.



-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558

------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 25 Jan 2000 09:23:15 -0500

In article <eYOO80rZ$GA.220@cpmsnbbsa04>,
Joseph Ashwood <[EMAIL PROTECTED]> wrote:
>>  All I need to do is measure the clock drift. Aging of the crystal can
>>  be corrected with re-calibration.

>But that itself introduces biases in the numbers generated.
>Let's take a probably not all that great example. Lets take a crystal of
>frequency F(with a random component measurably small), with a decay of
>F/time of D. Now we use this to generate Numbers the following way:
>if measured(F) is higher than published(F) return 1
>if measured(F) is lower than published(F) return 0

>Our measured(F) is actually published(F)+randomness+integral(D), giving us a
>very measurable bias probably rather quickly. No matter how fast you
>re-calibrate the bias (eliminating degenerate cases) will be present.

>I don't see where the frequency of something that decays (even at an
>extremely predictable rate) is of much use.


Decaying at an UNpredictable rate can be of use.

If one took an actual crystal, I would suspect lots of 
dependence between reads over a substantial period.






-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: Tue, 25 Jan 2000 15:07:34 GMT


I missed the previous message, but...
On 25 Jan 2000 09:23:15 -0500, in <86kbkj$[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Herman Rubin) wrote:

>In article <eYOO80rZ$GA.220@cpmsnbbsa04>,
>Joseph Ashwood <[EMAIL PROTECTED]> wrote:
>>>  All I need to do is measure the clock drift. Aging of the crystal can
>>>  be corrected with re-calibration.
>
>>But that itself introduces biases in the numbers generated.
>>Let's take a probably not all that great example. Lets take a crystal of
>>frequency F(with a random component measurably small), 

Not only is noise-based quartz crystal jitter "measurably small," it
is also bipolar, normally-distributed, and independent on a
cycle-by-cycle basis.  It does not produce long-term frequency
variations, it produces a wider "bandwidth."   


>with a decay of
>>F/time of D. 

Well, crystals do "age" after manufacture into a final frequency, but
"decay" might be a bit much.


>Now we use this to generate Numbers the following way:
>>if measured(F) is higher than published(F) return 1
>>if measured(F) is lower than published(F) return 0
>
>>Our measured(F) is actually published(F)+randomness+integral(D), giving us a
>>very measurable bias probably rather quickly. No matter how fast you
>>re-calibrate the bias (eliminating degenerate cases) will be present.

*Any* two clocks, quartz crystal or not, will run at slightly
different rates.  And we expect that most clocks, quartz crystal or
not, will be affected by ambient temperature to some extent.  We
expect some clock variation, although it is usually minor and generally
repeatable, which is to say, not random.  


>>I don't see where the frequency of something that decays (even at an
>>extremely predictable rate) is of much use.
>
>
>Decaying at an UNpredictable rate can be of use.

Most quartz crystal effects are highly predictable.  Stability is the
entire point of the device.  


>If one took an actual crystal, I would suspect lots of 
>dependence between reads over a substantial period.

Absent evidence to the contrary, one might think that a clock would
act like a clock, so to speak.  And, indeed, I am aware of no such
contrary evidence.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: Tue, 25 Jan 2000 15:24:30 GMT


Again, I missed the previous message...
On 25 Jan 2000 09:19:50 -0500, in <86kbe6$[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Herman Rubin) wrote:

>In article <86gd0n$qmf$[EMAIL PROTECTED]>,
>Michael Kagalenko <[EMAIL PROTECTED]> wrote:

>>[...]
>> What I am pointing out is that to the extent
>> that a quartz crystal, any quartz crystal, dissipates mechanical energy,
>> it will produce thermally random noise, according to the fluctuation-
>> dissipation theorem. 

And this random noise produces "jitter" which is normally-distributed,
tiny, bipolar, and independent on a cycle-by-cycle basis.  This
affects the "bandwidth" of the signal, not frequency measurements
which cover many cycles of operation.  

>The reason a resistor produces the
>> thermal noise is that same theorem. 

And do resistors also "drift"?  It is the same theorem, after all....

>I am also pointing out that this
>> thermal noise will lead to brownian-walk drift of the clock which
>> can be measured to produce truly unpredictable random data. 

I am aware of no publication which suggests a "brownian-walk" from
crystal noise.  That simply does not happen.  Jitter is bipolar and
cycle-by-cycle independent.  

>>So far,
>> you and others went on all sorts of tangents due to the failure
>> to understand what I am saying.

What you claim either does not occur in quartz crystal oscillators at
all, or does not occur at sensible levels.  


>It may LOOK like a Brownian drift, but is it?  

I doubt it even looks like it.

>Brownian drift
>actually has infinite energy, so what one has is at best an
>approximation.  Also, a slowly varying drift, easily possible
>with thermal effects of any kind, can play much havoc with 
>using such a device to obtain supposedly random output.
>
>Even radioactive counts, already digital and with excellent
>independence properties, cannot be used as such, because of
>both dead time, and the biases introduced by the analog 
>nature of the counter-data interface.  This latter one is
>particularly bad, and will apply to anything used directly.


I claim the proposed effect simply does not exist at sensible levels.
I suppose if one measures anything precisely enough one will run into
randomness.  But there are other sources of variation, in particular
ambient temperature; we will not be measuring crystal jitter on our
unmodified PC's.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
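The three positions in this thread can be put side by side in a small simulation. This is an added example, not code from any of the posters, and it models an oscillator by assumption only: a published frequency, a linear aging term (the integral(D) in Ashwood's quoted comparator), and zero-mean Gaussian jitter that is independent from reading to reading (Ritter's description of crystal noise). It then builds two bit streams, Ashwood's "1 if measured(F) > published(F)" and the sign of the jitter component alone, and checks each for bias and, following Rubin's definition of independence, for whether the conditional probability of a 1 given the previous bit differs from the unconditional one. Temperature, which Ritter points out will dominate on a real PC, is deliberately left out of the model.

```python
"""Simulated crystal-oscillator bit source: bias from aging drift versus
independence of cycle-to-cycle jitter.  Constructed illustration with an
assumed model; not measurements of any real chipset."""
import random


def simulate_frequency(n, f_pub, drift_per_sample, jitter_sd, rng):
    """Return n (reading, jitter) pairs.  Each reading is the published
    frequency plus a linear aging term (Ashwood's integral(D)) plus Gaussian
    jitter that is independent from sample to sample (Ritter's description of
    noise-induced jitter).  The model and its parameters are assumptions."""
    readings = []
    for i in range(n):
        aging = drift_per_sample * i
        jitter = rng.gauss(0.0, jitter_sd)
        readings.append((f_pub + aging + jitter, jitter))
    return readings


def comparator_bits(readings, f_pub):
    """Ashwood's generator: 1 if measured(F) > published(F), else 0.
    The aging term pushes every reading the same way, so the stream drifts
    toward all ones however often the comparison is re-centred."""
    return [1 if f > f_pub else 0 for f, _ in readings]


def jitter_sign_bits(readings):
    """Bits from the jitter component alone, i.e. what remains if aging and
    temperature were perfectly removed: 1 if the jitter is positive."""
    return [1 if j > 0 else 0 for _, j in readings]


def bias(bits):
    """Fraction of ones minus 1/2; zero for a uniform source."""
    return sum(bits) / len(bits) - 0.5


def conditional_split(bits):
    """Rubin's independence criterion at lag 1: returns
    (P(b_t = 1 | b_{t-1} = 0), P(b_t = 1 | b_{t-1} = 1)).
    For an independent stream both equal the unconditional P(b_t = 1);
    a gap between them means knowing one bit tells you about the next."""
    ones_after = [0, 0]
    count = [0, 0]
    for prev, cur in zip(bits, bits[1:]):
        count[prev] += 1
        ones_after[prev] += cur
    return (ones_after[0] / count[0], ones_after[1] / count[1])


def run(n=20000, seed=12345):
    """Build both streams from one simulated oscillator and summarise them."""
    rng = random.Random(seed)
    f_pub = 32768.0          # nominal watch-crystal frequency in Hz (assumed)
    drift = 2e-7             # aging in Hz per reading (assumed)
    jitter_sd = 1e-3         # jitter standard deviation in Hz (assumed)
    readings = simulate_frequency(n, f_pub, drift, jitter_sd, rng)
    drifted = comparator_bits(readings, f_pub)
    clean = jitter_sign_bits(readings)
    return {
        "drift_bias": bias(drifted),
        "drift_cond": conditional_split(drifted),
        "jitter_bias": bias(clean),
        "jitter_cond": conditional_split(clean),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

Over 20000 readings the aging term grows to four jitter standard deviations, so the comparator stream is heavily biased toward 1 and its zeros cluster early in the run; the two conditional probabilities come out far apart, which is exactly the dependence Rubin says is hard to remove, and which no amount of later debiasing for uniformity addresses. The jitter-sign stream shows neither effect in this model. Whether a real crystal's jitter is measurable at all through an ordinary PC's clock interface is the separate question the thread leaves open.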


------------------------------

From: "An Anarchist" <[EMAIL PROTECTED]>
Crossposted-To: 
alt.anarchism,alt.computer.security,alt.security,alt.security.espionage,alt.security.pgp
Subject: Re: 1on1lite (Was: Re: Echelon monitors this group)
Date: Mon, 24 Jan 2000 12:51:20 -0000

> > No we actually ask Echelon to provide it for us.
>
> Do you have connections with the NSA?! Echelon is a worldwide spy
> network operated by the American National Security Agency.
> <http://www.nrc.nl/W2/Lab/Echelon/interccapabilities2000vp.html>.

Sorry I was just being sarcastic. We have no connections or association with
Echelon or NSA at all.
I work for a small British company.
As you probably know the kind of encryption we provide, is actually not
legal in the USA at least that's what I hear.
Although most of our users are American. All our servers are outside of
America.

> I am trying to understand, only your site doesn't give much information
> about your product. Does it use reordering, latency, what are the other
> passphrases for that get generated server side, how is the authenticity
> of RSA keys validated, is there a authenticity check possible between
> users, how does it enforce the deletion of expired documents, how do two
> users agree on a mutual session key, can the system be used between
> normal e-mail users and 1on1lite users, how?

Yeah, you're right. I just had a look at the page myself. Frankly it was written by
our marketing people. I don't think they really know what's going on
themselves. That page changes so often I don't even know what it says
anymore.

I see that you are interested in the subject. I will send you an email when
I get a few free minutes to try to explain better.

>
> While I do believe the system is more userfriendly than pgp and
> remailers, I think I would rather use Freedom <http://www.freedom.net>
> at $49.95 a year plus pgp for my secure and secret communications.
>
> Good luck with 1on1mail, I hope it is secure,
> Thomas

Hmm I am going to have to have a look at this freedom thing then.
Thanks

An Anarchist

ps. The problem with writing software is that once you have finished, someone
writes a better one within a few days and you have to start all over again.
You can never write perfect code there always will be a better way of doing
things, or in this case a more secure one.





------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Java's RSA implimentation
Date: Tue, 25 Jan 2000 08:27:09 -0700

Paul Schlyter wrote:
> If there are no way to copy the array (except in a loop where each
> array element is copied, one by one), arrays aren't first class
> citizens in the language.  That's the situation in C and C++.

Interesting definition. By that definition, Python arrays don't qualify as
"first class" either, since 'ary1=ary2' simply makes ary1 refer to the same
array object that ary2 refers to (everything is an object in Python -- there
are no "simple" variables). Perl's arrays do. Yet, as far as I can tell, both
languages are roughly equivalent in their ability to manipulate arrays. The
only thing that differs is that Python gives special treatment to "immutable"
variables (strings and numbers) and does a copy rather than a reference.

-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax

------------------------------

From: Jonathan Katz <[EMAIL PROTECTED]>
Subject: generating "safe primes"
Date: Tue, 25 Jan 2000 10:49:00 -0500

Actually, what I should have asked was:
Are there other ways to generate safe primes, _besides_ the trivial way of
testing q, then testing p = 2q + 1 for primality. 

This is not for practical purposes, but for theoretical purposes; so
efficiency (as long as polynomial... =) ) doesn't matter as much.

======================
Jonathan Katz
[EMAIL PROTECTED]
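The "trivial way" mentioned above, written out as an added example (not code from the poster or from any library): pick a random q of the right size, test it, then test p = 2q + 1. The only non-obvious part in practice is the cheap filtering done before any Miller-Rabin round: both q and p are sieved against small primes at once, and the p mod 3 check alone throws away half of the surviving odd q, because q ≡ 1 (mod 3) forces 3 | 2q + 1. The round count, sieve bound and random source are ordinary choices, not taken from anywhere in particular.

```python
"""Safe-prime generation by the direct method: pick q, test q, test p = 2q + 1.
Added example; sieve bound, Miller-Rabin rounds and RNG are ordinary choices."""
import random


def _small_primes(limit=1000):
    """Primes up to `limit` by a plain sieve, used for trial division."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


SMALL_PRIMES = _small_primes()


def is_probable_prime(n, rounds=40, rng=None):
    """Trial division by small primes, then Miller-Rabin with random bases.
    Never rejects a prime; accepts a composite with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Here n is odd and larger than every sieve prime: write n - 1 = 2^r * d.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def is_safe_prime(p, rng=None):
    """p is a safe prime iff both p and q = (p - 1) / 2 are prime."""
    if p < 5 or p % 2 == 0:
        return False
    return is_probable_prime(p, rng=rng) and is_probable_prime((p - 1) // 2, rng=rng)


def generate_safe_prime(bits, rng=None):
    """Return a probable safe prime p with exactly `bits` bits.

    Heuristically the density of safe primes near 2**bits is about
    c / bits**2, so many candidates are tried; the sieve below rejects
    almost all of them before any modular exponentiation happens."""
    if bits < 16:
        raise ValueError("sizes below the sieve bound are not handled here")
    rng = rng or random.SystemRandom()
    while True:
        # q gets bits-1 bits with its top bit set, so p = 2q + 1 has exactly `bits` bits.
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        # Cheap filter: neither q nor p may have a small odd factor.  The
        # p % 3 test alone discards every q that is 1 mod 3, since then 3 | p.
        if any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES[1:]):
            continue
        # Test q first: it is the smaller number and fails more often than p
        # does once p has passed the sieve.
        if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
            return p


if __name__ == "__main__":
    p = generate_safe_prime(256)
    print(p, is_safe_prime(p))
```

For Katz's theoretical question this is still the baseline to compare against: under the usual heuristic on the density of safe primes, the expected number of candidates grows quadratically in the bit length and each surviving candidate costs two primality tests, which is polynomial but noticeably slower than generating an ordinary prime of the same size.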


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
