Cryptography-Digest Digest #971, Volume #11       Wed, 7 Jun 00 19:13:01 EDT

Contents:
  questions on TEA (Dido Sevilla)
  Re: Thoughts on an encryption protocol? (Dido Sevilla)
  Re: Cryptographic voting (David A Molnar)
  Re: Some dumb questions (E-mail)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Scotty")
  Re: Thoughts on an encryption protocol? (Dido Sevilla)
  Re: Observer 4/6/2000: "Your privacy ends here" (Bob)
  Re: Cryptographic voting (Mok-Kong Shen)
  Re: Some dumb questions (Mok-Kong Shen)
  Another Idea for attacking Storin (tomstd)
  Re: testing non linearity of arithmetic-logic combinations (Mok-Kong Shen)
  equation involving xor and mod 2^32 operations (Anton Stiglic)
  Re: Brute forcing for Counterpane's Password Safe ([EMAIL PROTECTED])
  Re: testing non linearity of arithmetic-logic combinations (Terry Ritter)
  Re: Observer 4/6/2000: "Your privacy ends here" (Marcin Tustin)
  Re: Thoughts on an encryption protocol? ([EMAIL PROTECTED])
  Re: Enigma Variations (Sundial Services)
  Re: Brute forcing for Counterpane's Password Safe ([EMAIL PROTECTED])
  Re: equation involving xor and mod 2^32 operations (John Myre)

----------------------------------------------------------------------------

From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: questions on TEA
Date: Thu, 08 Jun 2000 04:10:00 +0800


This post has to do with the Tiny Encryption Algorithm (TEA) described
by Wheeler and Needham (http://www.cl.cam.ac.uk/ftp/users/djw3/tea.ps
and http://www.cl.cam.uk/ftp/users/djw3/xtea.ps).  Has anyone tried to
use this block cipher?  From what I see, the algorithm is really quite
simple and looks pretty easy to code, even in most forms of assembly
language.  It doesn't go through quite as many contortions as the more
sophisticated algorithms do, but it runs a fairly simple core through a
lot of rounds (32 to be exact).  Does it have any weaknesses which the
authors have not described in their papers yet?

--
Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
Mobile Robotics Laboratory                      +63 (917) 4458925
University of the Philippines Diliman
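An added example, not from the post or the TEA papers: the cipher as specified by Wheeler and Needham, in Python, plus one key-schedule property documented later in the literature. The sample key and block are constructed values.

```python
# TEA (Tiny Encryption Algorithm), 64-bit block, 128-bit key as four 32-bit words.
DELTA = 0x9E3779B9          # the golden-ratio constant from the paper
MASK32 = 0xFFFFFFFF

def _mix(v, k_lo, k_hi, total):
    """The TEA round function applied to one 32-bit half of the block."""
    return ((((v << 4) & MASK32) + k_lo) & MASK32) \
        ^ ((v + total) & MASK32) \
        ^ (((v >> 5) + k_hi) & MASK32)

def tea_encrypt(v0, v1, key, cycles=32):
    """Encrypt the block (v0, v1) under key (k0, k1, k2, k3); 32 cycles as in the paper."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(cycles):
        total = (total + DELTA) & MASK32
        v0 = (v0 + _mix(v1, k0, k1, total)) & MASK32
        v1 = (v1 + _mix(v0, k2, k3, total)) & MASK32
    return v0, v1

def tea_decrypt(v0, v1, key, cycles=32):
    """Inverse of tea_encrypt: same schedule run backwards, additions become subtractions."""
    k0, k1, k2, k3 = key
    total = (DELTA * cycles) & MASK32
    for _ in range(cycles):
        v1 = (v1 - _mix(v0, k2, k3, total)) & MASK32
        v0 = (v0 - _mix(v1, k0, k1, total)) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1

def equivalent_keys(key):
    """The three other keys that encrypt every block exactly like `key`.

    In each half-round the key words enter as (v<<4)+k_lo and (v>>5)+k_hi and
    the two terms are XORed.  Adding 2^31 mod 2^32 flips only bit 31 of a word,
    so flipping bit 31 of both k_lo and k_hi flips that bit in both terms and
    the XOR cancels it.  The effective key length is therefore 126 bits; this
    key-schedule weakness is one of the reasons XTEA revised the schedule.
    """
    k0, k1, k2, k3 = key
    top = 0x80000000
    return [(k0 ^ top, k1 ^ top, k2, k3),
            (k0, k1, k2 ^ top, k3 ^ top),
            (k0 ^ top, k1 ^ top, k2 ^ top, k3 ^ top)]

if __name__ == "__main__":
    key = (0x0123ABCD, 0x4567EF01, 0x89AB2345, 0xCDEF6789)   # constructed sample key
    block = (0xDEADBEEF, 0x01234567)                          # constructed sample block
    ct = tea_encrypt(*block, key)
    print("ciphertext:", [hex(w) for w in ct])
    print("round trip ok:", tea_decrypt(*ct, key) == block)
    print("equivalent keys give the same ciphertext:",
          all(tea_encrypt(*block, k) == ct for k in equivalent_keys(key)))
```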

------------------------------

From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: Thoughts on an encryption protocol?
Date: Thu, 08 Jun 2000 04:19:35 +0800

Mike Rosing wrote:
> 
> If you use a PK system you can eliminate this weak link.  It would
> reduce
> your maintenance costs substantially if a person doesn't have to travel
> around to every box (except for repairs) every so often.  Might not mean
> much with a few boxes, but if you get to have lots of them, it'll add
> up.
> 

Frankly, I don't think all the effort to implement a PK system is worth
it in this case.  There will only be 34 client terminals, one per
building, and given the financial constraints of my employer, it will be
a very long time before any more will be necessary.  These are also not
so widely distributed, so going to every terminal should not take more
than a day.

> 
> Handbook of Applied Cryptography and Applied Cryptography are good
> starting points.
> 

Any websites or other online docs I can look at for stream ciphers and
cryptographically secure PRNG's?

--
Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
Mobile Robotics Laboratory                      +63 (917) 4458925
University of the Philippines Diliman

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: 7 Jun 2000 20:08:57 GMT

In sci.crypt Anton Stiglic <[EMAIL PROTECTED]> wrote:
> Jim Ferry wrote:
>> 
>> I was wondering if there's a way for a small group of people
>> (less than 100) to vote cryptographically.  <...>

> Check out http://www.acm.org/crossroads/xrds2-4/voting.html
> for a starters....

There's also a bibliography at 
http://theory.lcs.mit.edu/~cis/voting/greenstadt-voting-bibliography.html

which may be helpful.

Thanks, 
-David

------------------------------

From: E-mail <[EMAIL PROTECTED]>
Subject: Re: Some dumb questions
Date: Wed, 7 Jun 2000 16:41:41 -0400



Bryan,

How much would the effort have been hindered if the second use of
the pad was done after transforming the pad with a pseudo-random
number generator (and the pad is discarded after its second use)?


Jim Trek
http://eznet.net/~progress
[EMAIL PROTECTED]


On Wed, 7 Jun 2000, Bryan Olson wrote:

> In article,
> [...]
> > 2. If an ideal OTP is misused, in that it is used a small
> >    number n of times, how is one going to attack, if
> >    absolutely no known plaintext is available?
> >
> 
> As a final project in an undergrad crypto course I worked on
> finding the smallest n such that I could, in practice, break
> the n-time pad.  I assumed English language text coded in
> ASCII, and XOR as the OTP combiner.  I found n=2.
> 
> I created a table of 4-gram frequencies from about ten
> megabytes of text, and a program to interactively try these
> against the target ciphertext.  The user would enter a
> position in the text, and the program would run through all
> the known 4-grams, and for each 4-gram it would compute what
> 4-gram would appear in the other text, and rank each pair by
> the product of the two 4-gram probabilities. It would list
> the top several 4-gram pairs, and the user could select one
> to place into the texts.
> 
> The process was slow-going, but recovered most of the texts.
> The right 4-gram pair was not usually the best ranked. There
> were some sections which seemed to contain names or some
> strange terms that I could not recover.  Of course I could
> not tell which of the two plaintexts corresponded to which
> ciphertext.  (In fact I actually worked on the XOR of two
> plaintexts.)
> 
> Since my plaintext was ordinary English in ASCII, the most
> common character was blank space.  Those spaces were
> extremely helpful.
> 
> I would guess that 5-gram frequencies would work even
> better, and today PCs could handle the mass of data
> involved.  A Markov model could work better still. I think a
> nice project would be a fully automatic 2TP decryptor using
> a Markov model with search-and-backtrack.
> 
> 
> --Bryan
> --
> email: bolson at certicom dot com
> 
> 
> Sent via Deja.com http://www.deja.com/
> Before you buy.
> 

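An added example, not the quoted poster's program: a small Python version of the procedure the quoted post describes, run on constructed plaintexts, with a constructed mini corpus standing in for the ten megabytes of text. It shows why a pad must be one-time: XORing the two ciphertexts removes the pad and leaves p1 ^ p2, and n-gram frequencies then rank candidate 4-gram pairs at a chosen offset exactly as described.

```python
import os
from collections import Counter

# Constructed mini corpus; a usable table needs far more English text than this.
CORPUS = ("the quick brown fox jumps over the lazy dog and the dog sleeps in the sun "
          "while the fox runs over the hill to the river where the water is cold ")

def ngram_table(text, n=4):
    """Relative frequency of every n-gram in `text` (the post's 4-gram table)."""
    counts = Counter(text[i:i + n] for i in range(len(text) - n + 1))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}

def xor_bytes(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def make_pad(n):
    """A fresh random pad; the demonstration does not depend on its value."""
    return os.urandom(n)

def two_time_pad_leak(p1, p2, pad):
    """Encrypt both plaintexts under the same pad and XOR the ciphertexts.
    The pad cancels and p1 ^ p2 remains, which is what the post's program
    worked on and the reason the pad must never be reused."""
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    return xor_bytes(c1, c2)

def rank_pairs(xored, pos, table, n=4, top=5):
    """At offset `pos`, try every known n-gram as plaintext 1, derive the
    n-gram that must then sit in plaintext 2, and rank pairs by the product
    of the two frequencies.  Returns (gram1, gram2, score) tuples."""
    window = xored[pos:pos + n]
    results = []
    for g1, f1 in table.items():
        try:
            g2 = xor_bytes(g1.encode("ascii"), window).decode("ascii")
        except UnicodeDecodeError:
            continue                  # non-ASCII byte: cannot be the other text
        f2 = table.get(g2)
        if f2 is not None:
            results.append((g1, g2, f1 * f2))
    results.sort(key=lambda r: r[2], reverse=True)
    return results if top is None else results[:top]

if __name__ == "__main__":
    table = ngram_table(CORPUS)
    p1 = b"the fox runs over the hill"          # constructed plaintext 1
    p2 = b"the dog sleeps in the sun "          # constructed plaintext 2
    leak = two_time_pad_leak(p1, p2, make_pad(len(p1)))
    print("pad cancelled:", leak == xor_bytes(p1, p2))
    for pos in (0, 4):
        print("offset", pos, "->", rank_pairs(leak, pos, table))
```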

------------------------------

From: "Scotty" <[EMAIL PROTECTED]>
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Wed, 7 Jun 2000 21:44:53 +0100


zapzing wrote in message <8hm984$g15$[EMAIL PROTECTED]>...
>In article <[EMAIL PROTECTED]>,
>  "Scotty" <[EMAIL PROTECTED]> wrote:
>>
>> zapzing wrote in message <8hhog6$3ru$[EMAIL PROTECTED]>...
>> >In article <[EMAIL PROTECTED]>,
>> >  Charles Bryant <[EMAIL PROTECTED]> wrote:
>> >> In article <8hf4cd$5j0$[EMAIL PROTECTED]>, zapzing
>> ><[EMAIL PROTECTED]> wrote:
>> >> >In article <[EMAIL PROTECTED]>,
>> >> >  David Hartley <[EMAIL PROTECTED]> wrote:
>> >> ...
>> >> >> Does the bill actually require this? i.e. disclosure of your
>> >private PGP
>> >> >> key.
>> >> ...
>> >> >And the reason that one would not want to hand this
>> >> >over (besides the fact that it reveals one's guilt)
>> >> >would be what? Because then you would lose the
>> >> >ability to authenticate messages in a way that
>> >> >others could verify that you are the same person
>> >> >as you were before?
>> >>
>> >> That, and because anyone who can demand all your keys can
>impersonate
>> >> you, to the extent that they can spend all your money, enter into
>> >> contracts as you, put 'your' signature on documents, etc.
>> >>
>> >> >Well if that is the reason then couldn't you just
>> >> >authenticate messages with a different key than
>> >> >the one you use to exchange session keys ? I believe
>> >> >that is what is recommended anyway, isn't it?
>> >> >Then after you were forced to reveal your private
>> >> >key for exchanging session keys, you would (after
>> >> >getting out of prison) just make an announcement
>> >> >concerning your new public key, authenticated with
>> >> >your uncompromised authentication key.
>> >>
>> >> And go straight back into prison because it's also an offence to
>> >> reveal that your key was handed over.
>> >>
>> >> So, to put it all together, the government wants the power to take
>> >> away all your money, to pretend that you signed a confession to
>being
>> >> a child molester, and to throw you in jail if you complain. Now do
>> >> you think it's reasonable?
>> >>
>> >
>> >I was suggesting a way that one could hand over all
>> >keys that would give the government all substantive
>> >information that it would possibly need, but *not*
>> >the ability to do the things that you described.
>> >Like I said above, You could have two public keys,
>> >one for communicating and one for authenticating.
>> >
>>
>> Doesn't work, they will demand both public keys. I suspect they will
>do this
>> by sending you test messages encrypted with each key, then issue a
>warrant
>> requiring that you decrypt them. In effect public key encryption is no
>> longer secure in the UK.
>>
>
>It occurs to me that there are other protocols
>for authentication that do not rely on anything
>like a key. One of them has to do, I think, with
>graph isomorphism. I remember reading about it
>somewhere.
>
>You start out with two graphs, A and B, that
>are isomorphic but no one but you knows the
>isomorphism. The idea is that you authenticate
>a message by hashing the message plus the graphs
>A and B plus a set of n challenge graphs (which
>are isomorphic to both of the abovementioned
>graphs) into a challenge string n bits long.
>If the ith bit of the challenge string is "0"
>you show the isomorphism of challenge graph i
>with "A" and if it is "1" you show the isomorphism
>with "B". If n is big enough only someone who
>knows the isomorphism could do that.
>
>Since the isomorphism is not a "key" in any
>way that would probably not be covered by
>the law so you would not be required to
>give it.
>

Nice try but it doesn't work. To quote from the bill:

"key", in relation to any electronic data, means any code, password,
algorithm, key or other data the use of which (with or without other
keys)-
(a) allows access to the electronic data, or
(b) facilitates the putting of the data into an intelligible form;

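An added illustration, not code from either poster: the graph-isomorphism scheme sketched in the quoted post, in Python, with the challenge bits derived by hashing the message, the graphs A and B and the n challenge graphs. The secret permutation `pi` (with B = pi(A)), the graph sizes and n = 40 are assumptions of this example; the code makes plain that `pi` is what the signer must hold to answer the "1" challenges, so it plays exactly the role of a private key.

```python
import hashlib
import json
import random

def random_graph(n_vertices, n_edges, rng):
    """A random simple graph: a sorted tuple of (u, v) edges with u < v."""
    edges = set()
    while len(edges) < n_edges:
        u, v = rng.sample(range(n_vertices), 2)
        edges.add((min(u, v), max(u, v)))
    return tuple(sorted(edges))

def apply_perm(graph, perm):
    """Relabel vertex u as perm[u]; the result is isomorphic to `graph`."""
    return tuple(sorted((min(perm[u], perm[v]), max(perm[u], perm[v])) for u, v in graph))

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def invert(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv

def keygen(n_vertices=12, n_edges=30, rng=None):
    """Public: (n_vertices, A, B).  Secret: the isomorphism pi with B == pi(A)."""
    rng = rng or random.SystemRandom()
    a = random_graph(n_vertices, n_edges, rng)
    pi = random_perm(n_vertices, rng)
    return (n_vertices, a, apply_perm(a, pi)), pi

def challenge_bits(message, pub, commitments, n):
    """Hash message + A + B + the n challenge graphs into an n-bit string (n <= 256)."""
    blob = json.dumps([message, pub, commitments]).encode()
    digest = int.from_bytes(hashlib.sha256(blob).digest(), "big")
    return [(digest >> i) & 1 for i in range(n)]

def sign(message, pub, pi, n=40, rng=None):
    """Commit to n graphs H_i = sigma_i(A); bit 0 opens A -> H_i, bit 1 opens B -> H_i."""
    rng = rng or random.SystemRandom()
    v, a, _b = pub
    sigmas = [random_perm(v, rng) for _ in range(n)]
    commitments = [apply_perm(a, s) for s in sigmas]
    bits = challenge_bits(message, pub, commitments, n)
    pi_inv = invert(pi)
    responses = []
    for sigma, bit in zip(sigmas, bits):
        if bit == 0:
            responses.append(sigma)                                 # A -> H_i
        else:
            responses.append([sigma[pi_inv[x]] for x in range(v)])  # B -> H_i needs pi
    return commitments, responses

def verify(message, pub, signature, n=40):
    v, a, b = pub
    commitments, responses = signature
    if len(commitments) != n or len(responses) != n:
        return False
    commitments = [tuple(tuple(e) for e in h) for h in commitments]
    bits = challenge_bits(message, pub, commitments, n)
    for h, resp, bit in zip(commitments, responses, bits):
        if sorted(resp) != list(range(v)):        # must be a permutation of the vertices
            return False
        if apply_perm(a if bit == 0 else b, resp) != h:
            return False
    return True

if __name__ == "__main__":
    pub, pi = keygen()
    sig = sign("constructed sample message", pub, pi)
    print("verifies:", verify("constructed sample message", pub, sig))
    print("altered message verifies:", verify("altered message", pub, sig))
```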



------------------------------

From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: Thoughts on an encryption protocol?
Date: Thu, 08 Jun 2000 04:42:50 +0800

John Myre wrote:
> 
> First, the technique of creating the session key based on
> the prior key seems prone to problems.  Not security problems,
> but communication problems.  If you ever lose "sync", you need
> to design a way to recover.  You need to consider lost messages,
> reboots (on either end), and so forth.
> 

I have been thinking about the resynchronization problem a lot
actually.  Sometimes, I'm actually tempted to completely abandon that
system and make use of a noisy semiconductor diode in my client
terminals, hash the results from reading its random noise to generate a
key, and transmit the new key using a long-term secret, rather than
performing all this synchronous fiddling.  Use one key for all
transactions in one day only, so that the long-term secret need not be
reprogrammed too much...

> Second, you haven't explicitly mentioned a threat model.  What
> are the capabilities and interests of the attacker(s)?  Could
> they conceivably "hack into" the client machine and steal things,
> like the master keys?  How much do you trust those with physical
> access to the server or clients?  And so forth.  Often these
> kinds of considerations can reveal fatal assumptions about what
> you are protecting against (or that you are working too hard).
> 

Cracking the client machines would be nearly impossible, because they
only know how to communicate with the server.  The only way to get any
of the secret information in the clients would be to actually open one
up and try to read the nonvolatile memory inside, and this would
purposefully be made extremely difficult (e.g. opening up a case using
the designed access port would cut power to the NVRAM), as we don't
really trust the people who do have access to the clients.  We really
would have to trust those on the server end, as it's their job to make
use of the data that the server receives from the clients anyhow.

> the level of trust in MD5 or SHA.  Of course, many would say that
> this is all overkill, as 128-bit keys ought to be adequate.
> Maybe you could compromise, and use SHA-1 with 160-bit keys,
> or maybe Tiger, with 192-bit keys.
> 

Probably, it is overkill, and I'm actually thinking of changing the
algorithm to something simpler.

> 
> P.S.
> Have you considered any "ready-made" protocols?  Is public-key
> stuff "too hard"?  What about Kerberos, etc?  There is an awful
> lot of source code out there...

I've considered PK systems and most of them seem to be a bit complicated
when I think about my time and space constraints.  I am going to try to
fit everything (which includes an Ethernet driver, UDP, and code to push
a few peripherals as well) into only 32 kbytes of ROM, using an
80186-based microcontroller.  If I can make it fit in something even
smaller, so much the better...we can save money on hardware costs.  I
have only one year or so from now to build and deploy this system...

--
Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
Mobile Robotics Laboratory                      +63 (917) 4458925
University of the Philippines Diliman

------------------------------

From: Bob <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Wed, 07 Jun 2000 21:53:15 +0000

The wasting of police time would IMO be the fault of this
fecking stupid bill, not yours. If you told the truth
and co-operated at all times there's surely no way they
could do you. If somehow they managed, time to leave the
country in search of a non-fascist one.

Bob


George Edwards wrote:
> 
> In article <[EMAIL PROTECTED]>, Paul Shirley <paul.shirley@n
> tlworld.invalid> writes
> > You can safely tell the plods
> >there's no key... (or even give them it: it won't decode anything;) yet
> >prove to a court the 'message' is random by regenerating it.
> 
> errr, "wasting police time"?
> 
> --
> George Edwards


Bob
-- 
Send mails and 0-day to bob j hayes at yahoo co uk.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: Thu, 08 Jun 2000 00:01:12 +0200



zapzing wrote:

> Personally, I think it would be nice to have the
> following: Voting is secret, but voters can check to
> make sure their vote was tallied correctly. Voters
> can also make it appear that they are checking
> their votes, but in a way that causes it to appear
> that they voted differently than they did. No
> trusted party should be required.

I am afraid that it is extremely hard to dispense with a trusted
party (in the absolute sense) and yet achieve all the other
desired properties.

M. K. Shen



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Some dumb questions
Date: Thu, 08 Jun 2000 00:01:04 +0200



Bryan Olson wrote:

> In article,
> [...]
> > 2. If an ideal OTP is misused, in that it is used a small
> >    number n of times, how is one going to attack, if
> >    absolutely no known plaintext is available?
> >
>
> As a final project in an undergrad crypto course I worked on
> finding the smallest n such that I could, in practice, break
> the n-time pad.  I assumed English language text coded in
> ASCII, and XOR as the OTP combiner.  I found n=2.
>
> I created a table of 4-gram frequencies from about ten
> megabytes of text, and a program to interactively try these
> against the target ciphertext.  The user would enter a
> position in the text, and the program would run through all
> the known 4-grams, and for each 4-gram it would compute what
> 4-gram would appear in the other text, and rank each pair by
> the product of the two 4-gram probabilities. It would list
> the top several 4-gram pairs, and the user could select one
> to place into the texts.
>
> The process was slow-going, but recovered most of the texts.
> The right 4-gram pair was not usually the best ranked. There
> were some sections which seemed to contain names or some
> strange terms that I could not recover.  Of course I could
> not tell which of the two plaintexts corresponded to which
> ciphertext.  (In fact I actually worked on the XOR of two
> plaintexts.)
>
> Since my plaintext was ordinary English in ASCII, the most
> common character was blank space.  Those spaces were
> extremely helpful.
>
> I would guess that 5-gram frequencies would work even
> better, and today PCs could handle the mass of data
> involved.  A Markov model could work better still. I think a
> nice project would be a fully automatic 2TP decryptor using
> a Markov model with search-and-backtrack.

Thank you for the valuable information. This confirms the
appropriateness of the restriction in my assumptions (see follow-ups
later than the first post in the thread) that n-gram frequency
distributions are not exploitable by the opponent (to be rendered
flat through appropriate measures).

M. K. Shen


------------------------------

Subject: Another Idea for attacking Storin
From: tomstd <[EMAIL PROTECTED]>
Date: Wed, 07 Jun 2000 14:52:37 -0700

What about trying to find inputs that have low hamming weights
(inputs to the linear matrix)?  Won't the output have a
relatively low hamming weight (difference)?

Just an idea...

Tom

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: testing non linearity of arithmetic-logic combinations
Date: Thu, 08 Jun 2000 00:17:01 +0200



Terry Ritter wrote:

> A Latin square is a table look-up, an array access.  In general, the
> reason to use an explicit Latin square instead of a computation is
> that the Ls can be far more complex.  In the end, a complex
> transformation is what we want.

A dumb question: If a randomly generated substitution table (each
column being a permutation) is used, by how much (roughly) is it
worse than the Latin square?

M. K. Shen



------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Date: Wed, 7 Jun 2000 18:08:52 -0400 (EDT)
Subject: equation involving xor and mod 2^32 operations

Can someone help me out with the following 
problem.  
I have an equation 
  (a + x) xor (b + x)
where + is the add mod 2^32 operator and
xor is the xor operator on bit representation.
a and b are known, x is the unknown.
How do I solve such a problem?
Even better, how do I generally solve a system
of n equations, containing n variables, in a system
that has two different operators such as xor and
addition mod 2^32.

Thanks .

Newbie.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Brute forcing for Counterpane's Password Safe
Date: Wed, 07 Jun 2000 22:02:18 GMT

To the Original Poster -- the good people over at l0pht heavy industries
might be willing to help you out, if the reward is large enough. They
have written programs to do similar tasks on WinNT password files, and
perhaps Jack The Ripper could be bludgeoned into using blowfish instead
of "crypt" (which I think is default) -- but it sure won't be quick.

That l0pht is spelled L-Zero-P-H-T. :)


> > In article <rab%4.30$[EMAIL PROTECTED]>, "Joeseph
> > Smith" <[EMAIL PROTECTED]> wrote:
> > >I've been asked to help the executor of the estate
> > >of a fellow who recently died in Florida.  The fellow
> > >was techno-savvy enough to use Password Safe
> > >from Counterpane to hold his various account names
> > >and passwords.  Unfortunately, he was not real-world
> > >savvy enough to leave a way for his heirs to recover
> > >the data.  The executor has tried various obvious
> > >passwords (names of grandchildren, significant dates
> > >and places, etc.), but they have not worked.
> > >
> > >Does anyone have a program that does brute
> > >force password guessing for Counterpane's
> > >Password Safe program?  Alternatively, does
> > >anyone have the details of the file format and
> > >algorithms so I can write one?  Bruce's website
> > >says that it uses Blowfish and that a 2.0 version
> > >would be published with source, but I don't think
> > >the 2.0 version was ever published.  Does anyone
> > >have source to it?
> > >
> > >Please reply to the list, since I believe the answer
> > >will be generally useful.



------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: testing non linearity of arithmetic-logic combinations
Date: Wed, 07 Jun 2000 22:30:36 GMT


On Thu, 08 Jun 2000 00:17:01 +0200, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>
>> A Latin square is a table look-up, an array access.  In general, the
>> reason to use an explicit Latin square instead of a computation is
>> that the Ls can be far more complex.  In the end, a complex
>> transformation is what we want.
>
>A dumb question: If a randomly generated substitution table (each
>column being a permutation) is used, by how much (roughly) is it
>worse than the Latin square?

They are different:  A Latin square is a 2-in 1-out function (which I
call "dyadic") that can combine two values into one result like XOR or
ADD.  A substitution table is a 1-in 1-out function (which I call
"monadic") that takes one value into one result.  So the two are not
really interchangeable.  

With respect to nonlinearity, a completely random table is likely to
be more nonlinear than an invertible substitution table which is
necessarily restricted to be a permutation, but a random table is not
guaranteed to be balanced, and is unlikely to be invertible.
Similarly, a substitution table is likely to be more nonlinear than a
similar-sized row or column of a Latin square which is more than just
an arbitrary permutation: each row or column also must be a
permutation in a set which will make a Latin square.  Of course, a
Latin square will have multiple of such permutations, each guaranteed
different, so simply taking the minimum nonlinearity of all these
measured one-by-one can be deceptive.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Marcin Tustin)
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Wed, 7 Jun 2000 23:37:03 +0100

In article <2mTO0gB$[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...
> In article <[EMAIL PROTECTED]>, Paul Shirley <paul.shirley@n
> tlworld.invalid> writes
> > You can safely tell the plods
> >there's no key... (or even give them it: it won't decode anything;) yet
> >prove to a court the 'message' is random by regenerating it.
> 
> errr, "wasting police time"?
> 

        They can't do you for it - it applies to making false 
allegations. In this case, you perform a lawful activity 
(generating random text), and they accuse you of a crime which did 
not happen (having encryption keys). A good way would be to have a 
number, eg 7, which was combined with a value contained in the 
post, eg the date & time line to create the data. It would allow 
you to show that it was nonsense.

-- 
Humanity will not be happy until the day when the 
last bureaucrat has been hanged with the guts of
the last capitalist.

Marcin Tustin
PGP Key at http://www.anarchist99.freeserve.co.uk/marcintustin.txt
[EMAIL PROTECTED]&OATS.com
Marcint@^^refreshmagazine.com.nomail <-- Do not use at this time

KeyID 0x86D72550
Fingerprint DDD9 FB07 4C2F 9A79 C860  C391 D672 364C 86D7 2550

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Thoughts on an encryption protocol?
Date: Wed, 07 Jun 2000 22:29:31 GMT

[much snipping]

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Mark Wooding) wrote:
> Use a proper MAC.  For example, HMAC-SHA1 or HMAC-RIPEMD160.
> Encrypted hashes as a poor-man's-MAC aren't a good idea.

Mark, can you please explain why encrypting hashes are a Bad Idea? Or
give references? I had assumed they would work just fine, especially
since most of the literature I have read says that a good way of doing
digital signatures is to take a hash of the document being signed, and
encrypt the hash with some public-key scheme.

Thanks :)



------------------------------

Date: Wed, 07 Jun 2000 15:47:39 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Enigma Variations

It still strikes me that there are many books yet to be written -- by
the B. Dienst in particular, and even the Japanese.  Perhaps it will not
be the exciting story of a total-break, but the Bletchley Park stories
as they are being told and re-told are frankly getting rather stale.


>Jim Gillogly wrote:
> 
> John Spicer wrote:
> > This led me to wonder what was the state of the cryptography used by the
> > Allies and what in-roads had the Germans and Japanese made?  Did the
> > Allies learn from their successes against the Axis cryptos and
> > strengthen their own, or did they fall into the same traps?
> 
> The Germans read American M-209 traffic, according to POW interviews.
> So far as we know (unclassified, anyway) none of the Axis powers read
> SIGABA, the top US system.  If the British Typex was ever broken, I
> don't know about it.  At a conference I attended one speaker
> said that while the blunders of German operators made the Allied
> c/a effort much easier than it otherwise would have been, the Allied
> operators were even sloppier.  I didn't get a feel for how much actual
> traffic was compromised by this.
> 
>         Jim Gillogly

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Brute forcing for Counterpane's Password Safe
Date: Wed, 07 Jun 2000 22:39:49 GMT

In article <[EMAIL PROTECTED]>,
  Volker Hetzer <[EMAIL PROTECTED]> wrote:
> Is there any circumstance in your country where you can be legally
> forced to hand over encryption keys to somebody else or where they
> can be seized while you're absent or dead?

A little while ago, our (USA) government decided to push the Clipper
Chip, which implements KEA and Skipjack (Ok, I am not positive on the
KEA bit) -- as the only way companies could implement crypto in their
products. The Clipper chip had some Law Enforcement Access Fields that
would allow them to retrieve the key from a proper Key Escrow group --
all of which were controlled by the Executive Branch. It never went over
very well.

The Fifth Amendment to the Constitution of the United States guarantees
people the right from self-incrimination -- however, not turning over
one's keys in court is likely to *not* count. Thus, one could be held
"in contempt of court" and thrown in jail until complying with the order
to turn over keys. Someone speculated (years ago :) that perhaps if the
key itself was incriminating, that would be sufficient grounds that
protection under the Fifth Amendment is possible, but I for one don't
want to try.

So, people can legally be compelled to turn over their keys. (Maybe a
great reason to use hardware to store the key -- throw the thing in a
fire, no more key. Destruction of evidence never goes over well, but it
might be better than the encrypted contents getting out, depending on
one's situation. :)

IANAL. :)




------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: equation involving xor and mod 2^32 operations
Date: Wed, 07 Jun 2000 16:50:41 -0600

Anton Stiglic wrote:
> 
> Can someone help me out with the following
> problem.
> I have an equation
>   (a + x) xor (b + x)
> where + is the add mod 2^32 operator and
> xor is the xor operator on bit representation.
> a and b are known, x is the unknown.

I was thinking of doing this a bit at a time.  For
example, starting at the low order bit, + is the
same as xor.  But then you still don't know the low
order bit of x, because it cancels out!  So now I'm
worried about whether there is any way to figure
out the low order bit of x, at all.

If you consider a, b and x to be three sets of 32
boolean values, you could expand out + to the whole
set of (linear) boolean equations used to compute it.
Then you would have 32 equations in 32 unknowns (or
63 equations in 63 unknowns, if you count the 31
relevant carries as separate unknowns).

But I don't know if this set of equations can be
solved, because the equation for the low order
bit of the result actually has no unknowns in it -
as I mentioned, the low order bit of x cancels
out.  The low order bit of x still affects other
equations (through the carries of the additions),
but now it seems we are one equation short.

Still, if the equations are not degenerate, maybe
we can just guess the low order bit, then solve
the rest.  Perhaps both values work, and we have
to be content with two possibilities?

John M
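An added worked example, not code from either poster, for the question and the bit-at-a-time approach discussed above: the two carries are the state, bit i of (a + x) xor (b + x) contains no x_i (it cancels), so each bit only prunes carry states, and x_i matters only through the carries it sends into bit i+1. A closed-form count derived from the single carry chain of y xor (y + d), with y = a + x and d = b - a, cross-checks the search; all names and sample values are constructed.

```python
def xor_add(a, b, x, bits=32):
    """Evaluate (a + x) xor (b + x) with + taken mod 2^bits."""
    m = (1 << bits) - 1
    return ((a + x) & m) ^ ((b + x) & m)

def solve_xor_add(a, b, c, bits=32):
    """Return every x in [0, 2^bits) with (a + x) ^ (b + x) == c (mod 2^bits).

    Depth-first search from the low-order bit upward.  State = (bit index,
    carry into bit i of a+x, carry into bit i of b+x, bits of x fixed so far).
    """
    m = (1 << bits) - 1
    a, b, c = a & m, b & m, c & m
    solutions = []
    stack = [(0, 0, 0, 0)]
    while stack:
        i, ca, cb, x = stack.pop()
        if i == bits:
            solutions.append(x)
            continue
        ai, bi, ci = (a >> i) & 1, (b >> i) & 1, (c >> i) & 1
        # bit i of the result = (ai^xi^ca) ^ (bi^xi^cb) = ai^bi^ca^cb: x_i cancels,
        # so this bit is a consistency check on the carries, not a constraint on x_i
        if ai ^ bi ^ ca ^ cb != ci:
            continue
        for xi in (0, 1):
            stack.append((i + 1,
                          int(ai + xi + ca >= 2),       # carry out of a+x at bit i
                          int(bi + xi + cb >= 2),       # carry out of b+x at bit i
                          x | (xi << i)))
    return sorted(solutions)

def count_solutions(a, b, c, bits=32):
    """Closed-form number of solutions, used to cross-check the search.

    With y = a + x and d = b - a (mod 2^bits) the equation reads y ^ (y + d) == c.
    Since y ^ (y + d) == d ^ CARRIES, where bit i of CARRIES is the carry into
    bit i of y + d, c fixes the whole carry chain: CARRIES = c ^ d.  At bit i,
    if d_i == carry_in_i the carry out is d_i whatever y_i is (two choices for
    y_i, but the required next carry must equal d_i); otherwise carry out == y_i,
    which forces y_i.  The carry out of the top bit is discarded, so y_top is free.
    """
    m = (1 << bits) - 1
    d = (b - a) & m
    carries = (c ^ d) & m
    if carries & 1:                  # the carry into bit 0 is always 0
        return 0
    count = 1
    for i in range(bits):
        di, cin = (d >> i) & 1, (carries >> i) & 1
        if i == bits - 1:
            count *= 2
        elif di == cin:
            if ((carries >> (i + 1)) & 1) != di:
                return 0
            count *= 2
    return count

if __name__ == "__main__":
    a, b, x = 0x12345678, 0x9ABCDEF0, 0xDEADBEEF      # constructed sample values
    c = xor_add(a, b, x)
    sols = solve_xor_add(a, b, c)
    print("solutions found:", len(sols), "closed form:", count_solutions(a, b, c))
    print("original x recovered:", x in sols)
    print("2-bit toy case a=0, b=1, c=1:", solve_xor_add(0, 1, 1, bits=2))
```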

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
