Cryptography-Digest Digest #655, Volume #12      Mon, 11 Sep 00 14:13:01 EDT

Contents:
  Re: Bytes, octets, chars, and characters (stanislav shalunov)
  Re: Carnivore article in October CACM _Inside_Risks (Alan J Rosenthal)
  Re: Extremely small DES - sanity check (John Myre)
  Re: (Jury Selection) Re: Carnivore article in October CACM _Inside_Risks (Robert Harley)
  Re: RSA public exponent (Roger Schlafly)
  Re: Carnivore article in October CACM _Inside_Risks (Roger Schlafly)
  Re: PRNG ("Paul Pires")
  Re: (Jury Selection) Re: Carnivore article in October CACM _Inside_Risks (Robert H. Risch)
  Re: Carnivore article in October CACM _Inside_Risks (Alan J Rosenthal)
  Re: Weaknesses in this algorithm? (Mark Wooding)
  Re: RSA public exponent (Bob Silverman)
  Re: MAC (Dido Sevilla)
  Re: Camellia, a competitor of AES ? ([EMAIL PROTECTED])
  Re: Camellia, a competitor of AES ? ([EMAIL PROTECTED])
  Re: Ciphertext as language ("Abyssmal_Unit_#3")
  Re: Intel's 1.13 MHZ chip ("Abyssmal_Unit_#3")
  Re: ZixIt Mail ("Joseph Ashwood")

----------------------------------------------------------------------------

From: stanislav shalunov <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c
Subject: Re: Bytes, octets, chars, and characters
Date: 11 Sep 2000 11:11:05 -0400

mike burrell <[EMAIL PROTECTED]> writes:

> you have instead:
>         struct remote_host {
>                 unsigned char *IP_address;
>         };

In IPv4 world, you certainly have addresses represented as integers:

 * $FreeBSD: src/sys/netinet/in.h,v 1.38.2.3 1999/08/29 16:29:34 peter Exp $
[...]
/*
 * Internet address (a structure for historical reasons)
 */
struct in_addr {
        u_int32_t s_addr;
};
[...]
/*
 * Socket address, internet style.
 */
struct sockaddr_in {
[...]
        struct  in_addr sin_addr;
[...]
};

(And a lot of arithmetic macros.)

Of course, you'd want to do that for IPv6, but current architectures
don't let you yet.

-- 
Stanislav Shalunov                                              Internet2

A language that doesn't have everything is actually easier to program
in than some that do.                            -- Dennis M. Ritchie

------------------------------

Crossposted-To: alt.security,comp.security.misc,talk.politics.crypto
From: [EMAIL PROTECTED] (Alan J Rosenthal)
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: 11 Sep 2000 14:18:07 GMT

[EMAIL PROTECTED] (Larry Kilgallen) writes:
>Existing devices do this, using an RSA digital signature.  The keypair
>is generated internal to the chip, and the private key never leaves
>the chip.  Something to be signed is fed _into_ the chip and the chip
>returns the signature.  If software tried to fake it without using the
>chip, the signature would be shown as wrong when the public key was
>applied to it).

Not if the public key used was from an independently-generated keypair in the
first place.  If you've already given out the public key which comes out of
the sooper-sekrit chip, then just say you broke it and bought a new one.

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Extremely small DES - sanity check
Date: Mon, 11 Sep 2000 09:14:49 -0600

Eric Furbish wrote:
> 
> Hello,
> 
> I'm looking to implement an *extremely* scaled-back version of DES in
> hardware on a small integrated circuit (~5000 transistors, 2 metal
> layers).

Why?  That is, what's the point?

(Example reason 1: for fun.  Example reason 2: as much security as I
can get within certain constraints.)

<snip>
> Can the S-boxes, permutation tables
> and rotation tables be chosen arbitrarily and still maintain decryption
> functionality?
<snip>

Yes - that's the point of the Feistel structure.

JM
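An added worked example (not from the original post, and not anyone's hardware design): a toy 16-bit Feistel network whose round function is built from a constructed, deliberately non-invertible S-box and an arbitrary bit rotation. It shows the point made above: because each round only XORs F(R, k) into the other half, decryption never has to invert F, so the S-box, permutation and rotation choices are free as far as decryptability goes (their cryptographic strength is a separate matter). The block width, S-box formula and subkeys are all assumptions made for the example.

```python
# Constructed, deliberately non-invertible 8-bit S-box: i*i + 3*i mod 256.
# Both 0 and 253 map to 0, so this table is not a permutation.
SBOX = bytes((i * i + 3 * i) % 256 for i in range(256))


def sbox_is_permutation() -> bool:
    """True only if every output byte occurs exactly once (it does not here)."""
    return len(set(SBOX)) == 256


def round_function(half: int, subkey: int) -> int:
    """Arbitrary F: mix in the subkey, look up the S-box, rotate left by 3.
    Nothing here needs to be invertible."""
    v = SBOX[(half ^ subkey) & 0xFF]
    return ((v << 3) | (v >> 5)) & 0xFF


def feistel_rounds(block: int, subkeys) -> int:
    """Run the Feistel rounds on a 16-bit block split into two 8-bit halves.
    The final swap is undone on output so the same loop serves both directions."""
    L, R = (block >> 8) & 0xFF, block & 0xFF
    for k in subkeys:
        L, R = R, L ^ round_function(R, k)
    return (R << 8) | L


def feistel_encrypt(block: int, subkeys) -> int:
    return feistel_rounds(block, list(subkeys))


def feistel_decrypt(block: int, subkeys) -> int:
    # Decryption is the same network with the subkeys in reverse order.
    return feistel_rounds(block, list(reversed(subkeys)))


def round_trips(subkeys, step: int = 97) -> bool:
    """Check decrypt(encrypt(b)) == b over a sample of the 16-bit block space."""
    return all(feistel_decrypt(feistel_encrypt(b, subkeys), subkeys) == b
               for b in range(0, 1 << 16, step))


if __name__ == "__main__":
    ks = [0x3A, 0xC5, 0x17, 0x88]          # constructed subkeys, one per round
    print("S-box is a permutation:", sbox_is_permutation())
    print("all sampled blocks round-trip:", round_trips(ks))
```

The round trip succeeds even though the S-box cannot be inverted, which is exactly why the original question's tables can be chosen freely without breaking decryption.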

------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto,us.legal
Subject: Re: (Jury Selection) Re: Carnivore article in October CACM _Inside_Risks
Date: 11 Sep 2000 17:30:46 +0200


Yiorgos Adamopoulos writes:
> Tony T. Warnock wrote:
> >Asking something about Abelian Varieties is fun too.
> 
> 
>http://www.google.com/search?q=cache:www.ams.org/mathcal/info/2000_jul29-aug4_crete.html+abelian+varieties

It was a nice conference:

  http://cristal.inria.fr/~harley/anogia.html

> :-)

=:-)

Rob.
     .-.                                                               .-.
    /   \           .-.                                 .-.           /   \
   /     \         /   \       .-.     _     .-.       /   \         /     \
  /       \       /     \     /   \   / \   /   \     /     \       /       \
 /         \     /       \   /     `-'   `-'     \   /       \     /         \
            \   /         `-'                     `-'         \   /
             `-'             [EMAIL PROTECTED]            `-'

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: RSA public exponent
Date: Mon, 11 Sep 2000 08:51:22 -0700

[EMAIL PROTECTED] wrote:
> On the other hand, has it been proven that there is no other more
> efficient crack (other than finding the secret key)?

No. See:

Breaking RSA may not be equivalent to factoring 
Authors: D. Boneh, and R. Venkatesan 

Abstract: 
We provide evidence that breaking low-exponent RSA cannot be equivalent
to factoring integers. We show that an algebraic
reduction from factoring to breaking low-exponent RSA can be converted
into an efficient factoring algorithm. Thus, in effect an oracle
for breaking RSA does not help in factoring integers. Our result
suggests an explanation for the lack of progress in proving that
breaking RSA is equivalent to factoring. We emphasize that our results
do not expose any weakness in the RSA system. 

Reference: 
In Proceedings Eurocrypt '98, Lecture Notes in Computer Science, Vol.
1233, Springer-Verlag, pp. 59--71, 1998. 
http://crypto.stanford.edu/~dabo/abstracts/no_rsa_red.html

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: Mon, 11 Sep 2000 09:00:35 -0700

Dave Mundt wrote:
>         Not that it mattered, because the judge, as "13th juror" decided
> he "did not like some of the things that went on" and overturned our
> verdict and award. 

The 7th Amendment says "no fact tried by a jury, shall be otherwise 
re-examined in any Court of the United States".
http://caselaw.findlaw.com/data/constitution/amendment07/

Judges aren't supposed to be reversing jury decisions.

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: PRNG
Date: Mon, 11 Sep 2000 09:11:11 -0700


Cristiano <[EMAIL PROTECTED]> wrote in message
news:8pihqu$f8o$[EMAIL PROTECTED]...
> Paul Pires wrote:
>
> > I was on my best behavior.
>
> Just imagine when you are in your worst behavior!
>
> >I notice you did not address my questions.
>
> Do you remember this?:
>
> > > I'd like to play with your code and diehard. But I don't want to
> compile
> > your
> > > source. Do you have an executable that will run under DOS or in a DOS
> > window and
> > > some simple instructions on proper use?
> >
> > My prog run under Windows 98 and is too big to translate for DOS, but this
> > is the very simple generator (by D. E. Knuth):
> [...]
> > Can you tell me something?
>
> Where is your answer?

The same place your question was.

>
> Probably you are used to dealing with pigs!

Never wrestle with a Pig. You both get muddy but the Pig likes it.

>
> Please quiet down!

For you..  my pleasure.

>
> Cristiano
>
>
>

------------------------------

From: Robert H. Risch <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto,us.legal
Subject: Re: (Jury Selection) Re: Carnivore article in October CACM _Inside_Risks
Reply-To: [EMAIL PROTECTED]
Date: Mon, 11 Sep 2000 16:13:44 GMT

On 11 Sep 2000 13:44:19 GMT, [EMAIL PROTECTED] (Yiorgos
Adamopoulos) wrote:

>There exist cases where the judges decide based on the "file" but these
>are usually economic cases, cases that involve tax reduction.  In crime
>cases everyone takes turns as many times as one wants to ask the witness
>(that means the 4 judges, the 3 jurors and the lawyers).  When both
>sides present experts on a subject who state different opinions, the
>court can decide to ask an external third party who is considered as an
>authority on the subject of the case.  And since we are a small country
>(10M) it is very easy to locate the experts without having to question
>their integrity.

Do the judges decide on which witnesses will be called in a crime case
and question them first?  Are witnesses allowed to tell their story in
their own words before questions start?  Am I correct that there are
no juries when somebody is suing somebody else?  Are there 4 judges
then?  How much of a restriction is put on what kinds of questions are
allowed to be asked?  Is there a difference in the kind of lawyer's
questions, based on whether the witness is considered to be friendly
to the lawyer's point of view?  Are lawyers allowed to interview
non-expert witnesses before the trial?  

I think the legal system in Greece has improved quite a bit since
Plato's day.  However the sophists (we call them shysters) are firmly
in control in the US system.  Thanks for your information.

RHR

------------------------------

Crossposted-To: alt.security,comp.security.misc,talk.politics.crypto
From: [EMAIL PROTECTED] (Alan J Rosenthal)
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: 11 Sep 2000 15:23:49 GMT

[EMAIL PROTECTED] (wtshaw) writes:
>Power outages are not subject to court order.

Nice try, but if you remove the power deliberately, it *is* (potentially)
subject to a court order.  Unless I misunderstand you.  Just because
something is sometimes not under your control doesn't mean you can do it
with impunity and despite court orders the other times.

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Weaknesses in this algorithm?
Date: 11 Sep 2000 16:32:11 GMT

Patrick Schultz <[EMAIL PROTECTED]> wrote:
> encrypting:
> 1) xor the plaintext with a one-time pad
> 2) encrypt the one-time pad with rc4 using a random key that is the same
> length as the passphrase.
> 3) xor the passphrase with the random key.

So, we have a message M, a passphrase P, a random RC4 key K, and a
one-time pad R.  We send

  P \xor K, R \xor RC4(K), M \xor R

We immediately calculate

  R \xor RC4(K) \xor M \xor R = M \xor RC4(K)

which eliminates the one-time pad.  This then is no more secure than
either RC4 or the passphrase.  I consider that the worth of (memorized)
passphrases as key material is long gone.

The way that the passphrase is XORed into the random key doesn't thrill
me.  The passphrase, being in ASCII or some similar encoding, will
therefore leak some key bits for free.  I don't know, offhand, how to
use this to gain knowledge of other key bits in RC4 other than by an
exhaustive search of the remaining keyspace, but certainly leaking bits
in this way can help in analysing some other symmetric ciphers.

What was it you were actually trying to achieve?

-- [mdw]
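An added example, not part of Mark Wooding's post: a Python model of the scheme as quoted, used to check the two observations above. First, XORing the second and third transmitted values cancels the one-time pad R and leaves M xor RC4(K), so the pad contributes nothing. Second, if the passphrase P is ASCII (top bit of every byte clear), the top bit of each byte of P xor K is simply the top bit of K, which is the "free" key-bit leak. RC4 is implemented inline in its standard form; the message, passphrase and the use of os.urandom for K and R are constructed assumptions.

```python
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(message: bytes, passphrase: bytes, rng=os.urandom):
    """The scheme as quoted: send (P xor K, R xor RC4(K), M xor R)."""
    K = rng(len(passphrase))   # random RC4 key, same length as the passphrase
    R = rng(len(message))      # one-time pad, same length as the message
    c1 = xor(passphrase, K)
    c2 = xor(R, rc4_keystream(K, len(R)))
    c3 = xor(message, R)
    return c1, c2, c3


def pad_cancels(c2: bytes, c3: bytes) -> bytes:
    """Observation 1: (R xor RC4(K)) xor (M xor R) = M xor RC4(K). R is gone."""
    return xor(c2, c3)


def leaked_top_bits(c1: bytes) -> list:
    """Observation 2: with ASCII P, bit 7 of each byte of P xor K equals bit 7 of K."""
    return [b >> 7 for b in c1]


if __name__ == "__main__":
    M = b"attack at dawn"              # constructed message
    P = b"correct horse battery"       # constructed ASCII passphrase
    c1, c2, c3 = encrypt(M, P)
    print("c2 xor c3 depends only on M and K:", pad_cancels(c2, c3).hex())
    print("top bit of every key byte, read off c1:", leaked_top_bits(c1))
```

Only the transmitted values c2 and c3 are needed for pad_cancels, so the scheme's security reduces to RC4 under K and to the passphrase, as the post says.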

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: RSA public exponent
Date: Mon, 11 Sep 2000 16:47:16 GMT

In article <[EMAIL PROTECTED]>,
  Roger Schlafly <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > On the other hand, has it been proven that there is no other more
> > efficient crack (other than finding the secret key)?
>
> No. See:
>
> Breaking RSA may not be equivalent to factoring
> Authors: D. Boneh, and R. Venkatesan
>
> Abstract:
> We provide evidence that breaking low-exponent RSA cannot be equivalent
> to factoring integers. We show that an algebraic
> reduction from factoring to breaking low-exponent RSA can be converted
> into an efficient factoring algorithm. Thus, in effect an oracle
> for breaking RSA does not help in factoring integers. Our result
> suggests an explanation for the lack of progress in proving that
> breaking RSA is equivalent to factoring. We emphasize that our results
> do not expose any weakness in the RSA system.


This was indeed a *very* nice result of Boneh and Venkatesan.

However, lest people read more into the abstract, allow me to point out
that the "algebraic reduction" required by the paper is VERY
restrictive. It excludes all bit operations such as  x xor y, for
example.

What the paper shows is that an Oracle for finding cube roots does
not allow one to factor all keys when e = 3 when one is restricted
to a purely algebraic factoring algorithm.  Allow me to point out
that under such an Oracle, *some* keys (those representable as the
difference of two cubes) are vulnerable.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: MAC
Date: Tue, 12 Sep 2000 00:50:24 +0800

Ragni Ryvold Arnesen wrote:
> 
> [EMAIL PROTECTED] wrote:
> 
> > So what hashing algorithm would one use in practice to implement MAC?
> 
> Any (reasonably good) encryption algorithm in MAC mode would do the trick. A
> common approach is to use the same algorithm both for encryption and MAC
> generation, only in different modes and with different keys. Very useful if
> memory is limited, e.g. in mobile phones.
> 

There are also custom MAC algorithms out there.  Stuff like HMAC-MD5 and
HMAC-SHA1, which take your well-known message digest algorithms MD5 and
SHA-1 and turn them into MACs.  See RFC's 2104 and 2202 for details on
this.  MD5 is in RFC 1321.  SHA-1 is specified in FIPS 180-1.  There are
custom message authentication code algorithms out there, like Ted
Krovetz's UMAC and D.J. Bernstein's hash127...

--
Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
ICSM-F Development Team, UP Diliman             +63 (917) 4458925
PGP Key available at http://home.pacific.net.ph/~dido/dido.pgp
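An added example, not from the post above: the HMAC construction of RFC 2104 written out over hashlib's MD5 and SHA-1, plus a verification helper that compares tags in constant time. The inputs in the test are the first two vectors of RFC 2202 (key of twenty 0x0b bytes with "Hi There", and key "Jefe" with "what do ya want for nothing?"); the function names are this example's own.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC as specified in RFC 2104: H((K' xor opad) || H((K' xor ipad) || msg))."""
    h = getattr(hashlib, hash_name)
    block = h().block_size                  # 64 bytes for both MD5 and SHA-1
    if len(key) > block:                    # long keys are hashed down first
        key = h(key).digest()
    k = key.ljust(block, b"\x00")           # short keys are zero-padded to a block
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the MAC and compare without leaking where the bytes differ."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hash_name), tag)


if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"
    tag = hmac_rfc2104(key, msg)
    print("HMAC-SHA1:", tag.hex())
    print("genuine message verifies:", verify_tag(key, msg, tag))
    print("altered message verifies:", verify_tag(key, b"Hi there", tag))
```

The hand-written construction matches Python's own hmac module byte for byte, and verify_tag shows the receiving side: recompute and compare, never decrypt.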

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Camellia, a competitor of AES ?
Date: Mon, 11 Sep 2000 17:05:51 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> This is, I suppose, a highly US-centric view. In the general
> assembly of United Nations, the US has one vote just as any 
> tiny country, if I don't err. Does one want to give priority 
> to e.g. MS so that its products dominate the market?

In the general assembly, yes. That's somewhat offset by the veto power
though. On the other hand, ISO has the same responsibility as any
other standards organisation to consider existing standards when
adopting a new one. Since the _bulk_ of electronic information is
still in the US, AES is going to be highly pervasive even offshore.

Obviously, the "biggest fish in the pond" argument is US centric. On
the other hand, at the risk of offending people, it is true. ;) If
there was an equally prevalent standard someplace else the argument
would still hold.

>> 2. Because, overall, AES candidates have received _much_ more analysis
>>    than any other candidates.

> It does not mean that a newcomer is inferior. The ISO has to
> weigh and consider according to its guidelines. It is the 
> responsibility of each national standardization body 
> participating in the respective working group to forward 
> opinions and discuss and finally have the stuff determined 
> in the technical committee by country votes. The matter is 
> in fact rather complicated. Both science and politics are 
> involved, i.e. the decisions are only partly objective.

You misunderstand me. The fact is that the final AES winner will have
been more studied than anything submitted to the ISO. That's an
obvious result of the fact that AES has been studied now, in addition
to moving through the ISO process. Other candidates would only be
looked at during the ISO process.

There is, on the other hand, a chance that some national body has a
better design than any of the ISO finalists. Given the strategic
benefits of such an algorithm, however, I doubt we'd actually see it
appear.

>> 3. Because it's unlikely, in my opinion, that anything superior would
>>    suddenly crop up if submissions were solicited world wide.

> Camellia, for example, is an improved E2, as far as I know.
> It has quite good performances, if what it claims is true.

Perhaps. And the question of "better" is best put off until the AES
contest has ended. To really justify not standardising AES, though, it
would have to have significant benefits, which I just don't see coming
any time soon. (Either a significant security margin at similar
speeds, or a similar security margin with much faster speeds)

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Camellia, a competitor of AES ?
Date: Mon, 11 Sep 2000 17:07:38 GMT

Runu Knips <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
>> 1. Because the US has, by far, the largest online economy. If the ISO
>>    simply ignored the existing US standard, we'd have the reverse
>>    situation to digital signatures. (Where the US standard is DSA, and
>>    the ISO standard RSA).

> An argument for the dustbin. The largest nation in the internet
> will be China. they just have more people than anyone else.

The largest _online economy_, not the largest number of people
online. I would say we're still several years away from the PRC
becoming the world leader in electronic commerce.

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: "Abyssmal_Unit_#3" <[EMAIL PROTECTED]>
Subject: Re: Ciphertext as language
Date: Mon, 11 Sep 2000 13:09:54 -0400

then maybe it is true & better to know your enemies better than your friends?

--
best regards,
hapticz

>X(sign here)____________________________________________<

Mok-Kong Shen wrote in message <[EMAIL PROTECTED]>...
|
|
|Abyssmal_Unit_#3 wrote:
|>
|> another reason: to not always to consider the other as "opponent"
|
|It is always advisable to be a bit suspicious rather than to
|consider everybody to be your good friend. On a grand scale,
|history has shown that allies had sometimes turned out to be
|enemies.
|
|M. K. Shen

------------------------------

From: "Abyssmal_Unit_#3" <[EMAIL PROTECTED]>
Subject: Re: Intel's 1.13 MHZ chip
Date: Mon, 11 Sep 2000 13:18:54 -0400

IEEE Times, industry newspaper for engineers and technical management, had notices
regarding this "advanced technology" a couple of years ago!

MECL (Motorola Emitter Coupled Logic) architecture has been available for close to 25
years with capability to perform at 1 to 2 gig rates.

only recently have scalar methods allowed the entirety of cpu and support chips to be
incorporated on a singular silicon die, thus making it available for "consumer" use.

US Military has been humming along with this stuff for well over ten years!

power consumption has been a prime stumbling block for this.

--
best regards,
hapticz

>X(sign here)____________________________________________<

John Savard wrote in message <[EMAIL PROTECTED]>...
|On Sun, 10 Sep 2000 13:05:00 +0200, Mok-Kong Shen
|<[EMAIL PROTECTED]> wrote, in part:
|>"S. T. L." wrote:
|
|>> What's funny is that not even 8086s are as slow as 1.13 MHz.  :->
|
|>It is indeed funny that several people ignore my errata and
|>continue go generate lots of noise. Maybe they couldn't
|>read.
|
|Myself, I would have been content to just ignore the error. Intel's
|1.13 whatever chip has been recalled. I didn't even know they had a 1
|GHz chip out just yet. So I found that to be interesting news.
|
|The original 8088 was 4.77 MHz, but there were 1 MHz versions of the
|8080 and 6800, if I'm not mistaken.
|
|John Savard
|http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: ZixIt Mail
Date: Fri, 8 Sep 2000 11:07:37 -0700

> So what & where is the best program for sending/receiving secure mail?
I'd say that PGP is still the best, considering the widespread use, the fairly
good looking at, etc. You just have to be careful. Of course no solution is
perfect for every situation, but PGP is a good bet.
                Joe

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************