Cryptography-Digest Digest #183, Volume #11      Tue, 22 Feb 00 18:13:01 EST

Contents:
  Re: EOF in cipher??? ("Douglas A. Gwyn")
  Re: US secret agents work at Microsoft claims French intelligence report (Doctor M)
  Linking Time-Stamping Servers (Jean Marc Dieu)
  Re: Processor speeds. (Mok-Kong Shen)
  Re: NIST publishes AES source code on web (Paul Koning)
  Re: Keys & Passwords. ("r.e.s.")
  Re: NIST publishes AES source code on web (Mok-Kong Shen)
  Re: EOF in cipher??? (Samuel Paik)
  rc5-64 reducing the keys (John Croll)
  Re: Implementation of Crypto on DSP ([EMAIL PROTECTED])
  I am really scared of my NT ([EMAIL PROTECTED])
  Re: Velvet Sweat Shop in Excel ("John E. Kuslich")
  Re: NIST publishes AES source code on web (Mok-Kong Shen)
  Few diary entries in September and October, 1999 ("Markku J. Saarelainen")
  Re: Large Int Lib for Delphi (Ryan Phillips)
  Re: Implementation of Crypto on DSP (Paul Koning)

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: EOF in cipher???
Date: Tue, 22 Feb 2000 18:34:13 GMT

Runu Knips wrote:
> How long should this discussion continue ? CHAR_BIT is AT LEAST 7,
> so UCHAR_MAX is AT LEAST 127 != 255. That's what my K&R says.

CHAR_BIT is said to be a minimum of 8 in K&R 2nd Edition
(I just checked the 12th printing, and since it's not in
the Errata on Dennis's Web site, it must be unchanged from
previous printings -- I can check the 1st printing when I
get home).  This agrees with the C standard, and that is
not just a coincidence.  I wonder what "K&R" you refer to.

------------------------------

From: [EMAIL PROTECTED] (Doctor M)
Subject: Re: US secret agents work at Microsoft claims French intelligence report
Reply-To: [EMAIL PROTECTED]
Date: Tue, 22 Feb 2000 20:25:27 GMT

On Tue, 22 Feb 2000 13:02:32 GMT, jungle <[EMAIL PROTECTED]> wrote:

>do you have link for this source ?
Check www.hackernews.com

>
>Dave Hazelwood wrote:
>> 
>> An intelligence report out of France has accused US secret agents of
>> collaborating with computer giant Microsoft in developing a software
>> that would allow Washington to spy on communications around the world.


UIN 23672980
Visit one of the best Alpha Centauri sites
at http://ac.gamereactor.net

------------------------------

From: Jean Marc Dieu <[EMAIL PROTECTED]>
Subject: Linking Time-Stamping Servers
Date: Tue, 22 Feb 2000 21:32:22 +0100

Has anyone heard about ways/protocols to link several Time-Stamping
Servers?
By linking I mean two things:

1. Synchronize clocks (What are the options: NTP,... and their
effectiveness against an attack such as (Distributed) Denial of Service)

2. Link the authentication trees (this is the tricky one).
I imagined that a nice solution would be to periodically use the root
value of each authentication tree in each TS server to form a "global"
server authentication tree. Any ideas on that?

Jean Marc

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Processor speeds.
Date: Tue, 22 Feb 2000 22:03:27 +0100

Clockwork wrote:
>
> People talk about developing distributed super-computers using standard PC
> chips, but here is an excellent idea: Why not use the newer, 128-bit game
> consoles instead of PC-based systems?  I see several advantages of doing
> such a thing:

My knowledge of computing equipment is evidently quite outdated.
I haven't yet seen such hardware. Can you name a manufacturer?
How is the programming to be done for tasks that normally run on PCs?
Thanks.

M. K. Shen

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: NIST publishes AES source code on web
Date: Tue, 22 Feb 2000 15:06:16 -0500

Mok-Kong Shen wrote:
> ...
> One probably would never be able to know to what extent the above
> mentioned prior review system has succeeded in practice. Evidently
> no journal editor would like to provide information on that.

The originators of that notion were severely flamed the moment
they introduced the idea.  It may have lived for a few months, but
I'm quite sure it's dead, buried, and fossilized at this point.

        paul

------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: Keys & Passwords.
Date: Tue, 22 Feb 2000 13:21:16 -0800

"wtshaw" <[EMAIL PROTECTED]> wrote ...
: "r.e.s." <[EMAIL PROTECTED]> wrote:
: >
: > A simple way to do this would be to use a 64-symbol alphabet,
: > say {A-Z, a-z, 0-9, /, .}.  If a random "hex value" X is
: > uniformly distributed in the range 0..255, then X mod 64 is
: > uniformly distributed in the range 0..63.  So to convert your
: > string of hex values to the 64-symbol alphabet with maximum
: > entropy, you could just write some code to return "A" if X
: > mod 64 is 0, "B" if X mod 64 is 1, ..., "." if X mod 64 is 63.
:
: This sounds like a good idea at first, but it suffers from some of the
: same problems as an immemorable passstring.  And, if you had to read it to
: someone else, you are the one apt to get a real *case* of confusion.
: Longer is better if plainer.

I agree, but it's what the poster requested.  ;-(

--
r.e.s.
[EMAIL PROTECTED]
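
Added example, not part of the original posts: the "X mod 64" mapping quoted above, in C, generalised to alphabet sizes that do not divide 256, where plain mod is biased and the surplus byte values have to be rejected. The function names are illustrative and the input bytes are constructed; real input would come from a cryptographic random source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 64-symbol alphabet from the post: A-Z, a-z, 0-9, '/', '.' */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/.";

/* Map bytes to the first n symbols of ALPHABET (2 <= n <= 64). A byte at or
 * above the largest multiple of n not exceeding 256 is skipped, so every symbol
 * stays equally likely. For n = 64 nothing is skipped: this is "X mod 64".
 * Returns the number of symbols written; out is NUL-terminated. */
size_t bytes_to_symbols(const uint8_t *in, size_t len, unsigned n, char *out, size_t cap) {
    size_t w = 0;
    if (n < 2 || n > 64 || cap == 0) return 0;
    unsigned limit = 256 - 256 % n;
    for (size_t i = 0; i < len && w + 1 < cap; i++)
        if (in[i] < limit) out[w++] = ALPHABET[in[i] % n];
    out[w] = '\0';
    return w;
}

/* Bias of plain "X mod n": count each byte value 0..255 once per symbol and
 * return (largest count - smallest count). 0 means perfectly uniform. */
unsigned naive_mod_spread(unsigned n) {
    unsigned count[64] = {0}, lo = 256, hi = 0;
    if (n < 2 || n > 64) return 0;
    for (unsigned x = 0; x < 256; x++) count[x % n]++;
    for (unsigned s = 0; s < n; s++) {
        if (count[s] < lo) lo = count[s];
        if (count[s] > hi) hi = count[s];
    }
    return hi - lo;
}

/* Same experiment through the rejection mapping: returns the per-symbol count
 * if all n symbols occur equally often, or 0 if they do not. */
unsigned uniform_count(unsigned n) {
    uint8_t all[256];
    char out[257];
    unsigned count[128] = {0};
    for (unsigned x = 0; x < 256; x++) all[x] = (uint8_t)x;
    size_t w = bytes_to_symbols(all, sizeof all, n, out, sizeof out);
    for (size_t i = 0; i < w; i++) count[(unsigned char)out[i]]++;
    for (unsigned s = 1; s < n; s++)
        if (count[(unsigned char)ALPHABET[s]] != count[(unsigned char)ALPHABET[0]]) return 0;
    return count[(unsigned char)ALPHABET[0]];
}

int main(void) {
    const uint8_t sample[] = {0x00, 0x01, 0x3f, 0x40, 0xff, 0x9c};  /* constructed, not random */
    char out[sizeof sample + 1];
    bytes_to_symbols(sample, sizeof sample, 64, out, sizeof out);
    printf("%s  spread(64)=%u spread(62)=%u\n", out, naive_mod_spread(64), naive_mod_spread(62));
    return 0;
}
```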




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: NIST publishes AES source code on web
Date: Tue, 22 Feb 2000 22:59:26 +0100

Paul Koning wrote:
> 
> Mok-Kong Shen wrote:
> > ...
> > > Whether something is controlled is determined by your national laws not by
> > > the WA.  I am completely free to export commodity crypto products of any
> > > strength to anyone provided they are not in a short list of 'nasty'
> > > countries because this is what UK national law says.
> >
> > We are discussing the content of WA, aren't we? As you also said,
> > a country may incorporate the WA into its laws or not. What control
> > would take place, if WA is implemented? That's the very topic that
> > we are currently discussing, isn't it? Certainly, as long as the
> > content of WA is not yet in the current law of your country, the
> > current law governs and the WA has no effect.
> 
> I think Brian's point is that the WA has no effect, period.  It's not
> a treaty, it's not a law, it's not anything subject to ratification,
> it doesn't bind anyone.  It's a PR hack, intended to give artistic
> verisimilitude to an otherwise bald and unconvincing set of regulations
> (with apologies to W.S.Gilbert....).  If the WA didn't exist, that
> wouldn't make any difference, other than that it could no longer be
> mentioned in press releases.  There were export controls before the WA;
> the creation of the WA didn't change US regulations at all, and changed
> other country regulations only insofar as this new PR tool was used by
> the US authorities to push other countries into doing similar kinds of
> things.
> 
> In particular, the words in the WA have no effect on whether you're
> allowed to export something or not.  Only the words in your country's
> export regulations matter.  The authors of those regulations probably
> read the WA and may have used some of its text for inspiration, but
> then again they could have used lots of stuff for inspiration.

Now that US has obviously changed its mind (as compared to the time
it was lobbying for WA), you could certainly say that WA will have
no effect, since (as I also mentioned) it highly probably will
be revised to reflect US's NEW mind. That WA has (present tense!)
no effect is logically trivially true, since no country has yet 
implemented it to the best of my knowledge.

But the picture was definitely different at the time the current
WA was signed. There was quite an amount of concern, at least among
people in informatics in Germany. I read a few short articles
written by them and also about the attempts of a few (having some
'names' in the profession) to contact members of the Bundestag as 
well as officials of the ministry concerned with the intention to 
prevent the WA crypto clauses from becoming law. Assuming that these 
persons are not all 'fools', i.e. 'dumb' enough so as to 'imagine' 
of some real significance of WA where there were actually none, I 
can't share your opinion to compare WA with a PR tool. (I am
ready at any time to admit that my IQ is low, but I could hardly
imagine that all these persons have low IQs.) I don't think that 
there is anything essentially wrong with creation of an 
international document that is to serve as the 'standard' of the 
laws of the signature countries, because that way the governments 
can do better (more coordinated) actions to achieve their common 
goal. Look at the ISO standards. The ISO standards do not have 
legal status at the national level. The diverse national 
standardization institutes have to 'adopt' the ISO standards as 
the national standards. Isn't the matter here essentially similar 
to WA? (By the way, I remember that I did read the word
ratification in connection with WA in a German newspaper. Of course,
I couldn't exclude the possibility that the journalist erred. Do
you have concrete and reliable information about that point or
do you merely 'assume' that WA is not to be 'ratified'?)

M. K. Shen

------------------------------

From: Samuel Paik <[EMAIL PROTECTED]>
Subject: Re: EOF in cipher???
Date: Tue, 22 Feb 2000 21:51:42 GMT

Runu Knips wrote:
> > No implementation of C that conforms to the standard can have
> > 7-bit chars.  Anything from 8 on up is allowed, if all other
> > requirements are met.
> 
> Okay, I give up. If you believe this, then let us agree
> to disagree.

Could you please specify the page number, edition and printing of K&R
where you are finding this information?  I have a second edition,
4th printing (based on dpAnsi), p. 257 clearly says the minimum size
for a char is 8 bits.
-- 
Samuel S. Paik | http://www.webnexus.com/users/paik/
3D and multimedia, architecture and implementation
Solyent Green is kitniyos!

------------------------------

From: John Croll <[EMAIL PROTECTED]>
Subject: rc5-64 reducing the keys
Date: 22 Feb 2000 21:20:12 -0000


i found an interesting coincidence with the rsa labs rc5-64
test example. i explained what i found and wrote a little
c++ program that does the math. here is the link to my page.

http://www.geocities.com/richardking57/

please look at it and tell me if it means anything.
thanks.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Implementation of Crypto on DSP
Date: Tue, 22 Feb 2000 21:46:48 GMT

> For DSP-based crypto the best
> bang per buck currently seems to be the 21065 SHARC, but this changes every
> few months (the 21160 and TI equivalents are still too expensive, and
I looked at the AMD K6, this is an interesting processor, fast and
offering x86 compatibility. Very useful, as there is quite a bit of x86
crypto code in assembler (freeware).

The 21160 is also a fast processor.


There is an interesting processor by AD:

ADSP-2141L SafeNet DSP ::It's called security system on a chip...it has
everything, Random number generator, hash functions (MD5, SHA-1, DES,
3DES, Pub key accelerator...Sounds ideal..

One problem, as a security expert, how can you guarantee the device does
what it's supposed to do..  I think it's better writing your own
code/firmware...what do you think?


> >Do I need a 32 bit integer DSP or will 16 bit be ok ( I guess that
> >depends on the math libs).  Also do I need any FP h/w on the DSP, since
> >all crypto (ciphers, dh etc) is integer arithmetic.
> >
> >If you know of a good H/W random no generator chip, that would also be
> >great ( johnson noise device etc).
>
> I have a paper which examines this in the pipeline, it may be available in
> a few months.

Sorry, on RNG or int pipelines?  What's the title?


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: I am really scared of my NT
Date: Tue, 22 Feb 2000 21:50:58 GMT

Someone should come out with a crypto guard-ring to protect all the
ports and physical access of a windows 98/NT w/s.  The whole thing is so
shaky and insecure...



------------------------------

From: "John E. Kuslich" <[EMAIL PROTECTED]>
Subject: Re: Velvet Sweat Shop in Excel
Date: Tue, 22 Feb 2000 15:00:14 -0700

I think this newsgroup IS a good place for this message and I welcome the
message.

This is NOT a security hole in Excel.  It is an AutoRun Macro that is built
into Excel.  The password "VelvetSweatshop" is used as normal to encrypt
the Excel file.  The encryption algorithm is the same as is normally used
with Excel.  The unicode password "V.e.l.v.e.t.S.w.e.a.t.s.h.o.p" is MD5
hashed with a bunch of other data and the first five bytes of the hash are
used as an RC4 key along with a modulo eight counter byte.

Excel checks the password entered by the user when saving the file with a
string value stored in the resource section of the Xlintl32.dll which is
part of Office97.  If the values correspond, the file is encrypted as normal
but the file will auto open using this password.

This macro is interesting from two standpoints:

1)  It shows how utterly insecure a PC is because this code could have
easily been a trojan, deeply hidden in the official Microsoft looking code,
ready to spring into action on command.  Users of cryptographic software
beware!!!!

2) You can easily change the "Magic"  password to anything you want.  Just
use a hex editor to change the string "VelvetSweatshop"  to "KissMyButt" or
"BillisQueer"  any other valid password string.  So wouldn't it be fun to
alter the Xlintl32.dll on your machine so it opens any Excel file that uses
your boss's favorite password??

When it comes to software, don't trust it!

JK

seifried <[EMAIL PROTECTED]> wrote in message
news:voBs4.6024$[EMAIL PROTECTED]...
> -----BEGIN PGP SIGNED MESSAGE-----
>
> > Hello!
> >
> >   When you save .xls file (Excel 97 & 2000) with password
> > 'VelvetSweatshop' and next try to open this file, the password will
> > not be asked. It's not a serious bug, I think, but the question is:
> > WHY???
> >    SY / C4acT/\uBo          Pavel Semjanov
> >  _   _         _   http://www.ssl.stu.neva.ru/psw/
> >  | | |-| |_|_| |-|      2:5030/145.17@fidonet
>
> I don't think this is the right newsgroup, but having said that. He's
> right.
>
> Create a spreadsheet, enter some data, save it, hit options, give it
> a password (say "test"). Close and open it, enter blank, it'll toss
> you and mention capslock, open it, give the right password, ok it
> works. Now save it, hit options, and use the password
> "VelvetSweatshop", close it and open it, hit enter (i.e. do not enter
> a password) and yeah, it opens it. And you can modify and save it (I
> also put the write protect password on it using "VelvetSweatshop").
> So there's at least one backdoor in Excel as far as password
> protected files go (but the password protection is pretty weak and
> almost useless in any case).
>
> I guess it proves that you should use products actually designed to
> secure data, and not the feature add-ons that various packages have
> to "protect" your files.
>
> http://www.securityportal.com/research/cryptodocs/basic-book/index.html
>
> Covers most of your options for Windows, Linux, etc for
> files/email/yadayada.
>
> I wonder what other passwords exist.
>
> Kurt Seifried - Senior Analyst
> http://www.securityportal.com/
> http://www.cryptoarchive.net/
> http://www.seifried.org/
>
>


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: NIST publishes AES source code on web
Date: Tue, 22 Feb 2000 23:33:07 +0100

Paul Koning wrote:
> 
> Mok-Kong Shen wrote:
> > ...
> > One probably would never be able to know to what extent the above
> > mentioned prior review system has succeeded in practice. Evidently
> > no journal editor would like to provide information on that.
> 
> The originators of that notion were severely flamed the moment
> they introduced the idea.  It may have lived for a few months, but
> I'm quite sure it's dead, buried, and fossilized at this point.

But the concept, having (claimed) strong connection to the issue 
of national security, does have some real 'attractive force' to 
persons who have strong 'patriotic' feelings, doesn't it? It could 
be of some utility to some agencies which try to use 'any' means 
that could be helpful to them. If it is fossilized in the country 
where it was born, it might be alive elsewhere. Once the 'spirit' 
is out of the bottle (once the idea has been 'invented'), it is 
difficult to put it back. Of course, I am probably day-dreaming.

M. K. Shen

------------------------------

From: "Markku J. Saarelainen" <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,soc.culture.russian,soc.culture.soviet,alt.politics.org.nsa,soc.culture.nordic,soc.culture.china,soc.culture.yugoslavia,alt.2600,alt.security
Subject: Few diary entries in September and October, 1999
Date: Tue, 22 Feb 2000 22:49:22 GMT


----

Actually, this is exact writing that was written by me during some type
of the session that I went through on September 23, 1999. And it is
recorded in the diary (actual writing).

"Intti on ollut teidan kanssa kimpassa taalla Yhdysvalloissa ja voi
vaittaa sinua heidan kaltaiseksi ainoastaan jos voit kertoa kanneille
sian huoltamisesta internetissa ilman heidan kiinniottamista. inssi ole
vain yksinaisena konsulttina taalla USAssa intin kanssa toissa vain
ilman palkkaa. in viisi vuotta vanha nainen meidan mielestamme
internetin mukaan ei ole teidan hyvaksi olla inssin kanssa naimississa
ja internetissa - alkaako peloittamaan."

=====

When I traveled in New Mexico, U.S.A. in September and October, 1999 I
started sensing that the energy was flowing away from me and when at the
dinner table in the restaurant I told my closest one that I was the
leader of KGB I started feeling that I was getting a heart attack - and
this is true. But I ate and then proceeded back to a hotel, where I started
resting and during the night, when I was not able to sleep properly, I
went through the experience of my life - my heart actually stopped and I
felt it and it started again. And this is why I told that Markku's heart
had stopped in New Mexico.

The diary indicates that my heart actually stopped and started again on
the night of September 30 and October 1, 1999. The actual record is as
follows:

"NSA Agent "Juan" - KGB Vladimir - removal of self"

See the attachment for other events that happened in August and
September, 1999. Events stopped after my trip to New Mexico and when I
returned to Atlanta in October, 1999.

Whatever did I go through that night and before and so, is very unusual.

======

Few diary and notebook entries (I have 14 books (diary and notebook
entries)):

http://homestead.virtualjerusalem.com/waeg/Diaries.html

=======





------------------------------

Date: Tue, 22 Feb 2000 15:01:14 -0800
From: Ryan Phillips <[EMAIL PROTECTED]>
Subject: Re: Large Int Lib for Delphi

check www.scramdisk.clara.net and click delphi.

Ryan

ink wrote:
> 
> Does anyone know of a large integer library for
> Borland/Inprise Delphi, Version 3 or higher? A
> Turbo Pascal ;-) version would also be welcome,
> as the language/compiler is essentially the same.
> 
> Thanks a lot in advance, kind regards
> Kurt

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Implementation of Crypto on DSP
Date: Tue, 22 Feb 2000 17:05:12 -0500

[EMAIL PROTECTED] wrote:
> 
> I am working on a network crypto hardware card, and I would like to know
> if there are any assembler libs ( 3DES, DH etc) for say Analog Dev or TI
> DSP .
> 
> Do I need a 32 bit integer DSP or will 16 bit be ok ( I guess that
> depends on the math libs).  Also do I need any FP h/w on the DSP, since
> all crypto (ciphers, dh etc) is integer arithmetic.

TI mentioned a DES implementation for their DSP family in a DSP apps
book a long time ago.  (Source code not in the book back then, export
issues... should be easier now.)  You might check with the local apps
support people.

DES should be fine in 16 bits.  MD-5 or SHA-1 want 32 bit arithmetic.  
Diffie-Hellman uses bigger numbers than any ALU, so you do it in pieces.
Bigger is still better but 16 bits will do, it just takes longer.  No
floating point needed.

Given that all this stuff exists in portable C, and you can get decent
C compilers these days, you could just run the code through a compiler.
DES might benefit from hand-tuning; the rest probably not all that much.
(As I recall, there's even a GCC for TI, don't know if it's 100% done
yet.)

        paul
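
Added example, not part of the original post and not code from any vendor library: Diffie-Hellman's modular exponentiation done "in pieces" on 16-bit limbs, using only integer add and subtract with carry and no floating point. The limb count, the function names and the toy 64-bit parameters are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NLIMBS 4              /* 4 x 16 = 64 bits for the demo; 1024-bit DH needs 64 limbs */
typedef uint16_t limb;        /* one word of a 16-bit integer ALU */

/* r = a + b; returns the carry out (the 32-bit temp stands in for the carry flag). */
static unsigned add_n(limb *r, const limb *a, const limb *b) {
    uint32_t c = 0;
    for (int i = 0; i < NLIMBS; i++) { c += (uint32_t)a[i] + b[i]; r[i] = (limb)c; c >>= 16; }
    return (unsigned)c;
}

/* r = a - b mod 2^(16*NLIMBS); returns the borrow out (1 when a < b). */
static unsigned sub_n(limb *r, const limb *a, const limb *b) {
    uint32_t d = 0;
    for (int i = 0; i < NLIMBS; i++) { d = (uint32_t)a[i] - b[i] - d; r[i] = (limb)d; d = (d >> 16) & 1; }
    return (unsigned)d;
}

/* r = (a + b) mod m for a, b < m: add, trial-subtract m, keep whichever is in range. */
static void addmod(limb *r, const limb *a, const limb *b, const limb *m) {
    limb t[NLIMBS], u[NLIMBS];
    unsigned carry = add_n(t, a, b), borrow = sub_n(u, t, m);
    memcpy(r, (carry || !borrow) ? u : t, sizeof t);
}

/* r = a * b mod m (a < m) by double-and-add over the bits of b: no multiplier, no division. */
static void mulmod(limb *r, const limb *a, const limb *b, const limb *m) {
    limb acc[NLIMBS] = {0};
    for (int i = 16 * NLIMBS - 1; i >= 0; i--) {
        addmod(acc, acc, acc, m);
        if ((b[i / 16] >> (i % 16)) & 1) addmod(acc, acc, a, m);
    }
    memcpy(r, acc, sizeof acc);
}

/* r = g^e mod m by square-and-multiply. Branching on exponent bits is NOT
 * constant-time; production code must not branch on a secret exponent. */
static void powmod(limb *r, const limb *g, const limb *e, const limb *m) {
    limb acc[NLIMBS] = {1};
    for (int i = 16 * NLIMBS - 1; i >= 0; i--) {
        mulmod(acc, acc, acc, m);
        if ((e[i / 16] >> (i % 16)) & 1) mulmod(acc, acc, g, m);
    }
    memcpy(r, acc, sizeof acc);
}

/* Demo wrapper (hypothetical name): g^e mod m for g < m, m > 1, via the limb code. */
uint64_t powmod64(uint64_t g, uint64_t e, uint64_t m) {
    limb G[NLIMBS], E[NLIMBS], M[NLIMBS], R[NLIMBS];
    uint64_t out = 0;
    for (int i = 0; i < NLIMBS; i++) {
        G[i] = (limb)(g >> (16 * i)); E[i] = (limb)(e >> (16 * i)); M[i] = (limb)(m >> (16 * i));
    }
    powmod(R, G, E, M);
    for (int i = 0; i < NLIMBS; i++) out |= (uint64_t)R[i] << (16 * i);
    return out;
}

int main(void) {   /* toy exchange; modulus 2^64 - 59 and exponents are constructed */
    const uint64_t p = 0xFFFFFFFFFFFFFFC5ULL, a = 0x1234567, b = 0x89ABCDE;
    uint64_t s1 = powmod64(powmod64(5, b, p), a, p), s2 = powmod64(powmod64(5, a, p), b, p);
    printf("%llx %llx\n", (unsigned long long)s1, (unsigned long long)s2);
    return 0;
}
```

Using the DSP's hardware multiplier on each limb pair instead of double-and-add is the usual speed-up; the carry propagation between limbs stays the same.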

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************