Cryptography-Digest Digest #887, Volume #12      Tue, 10 Oct 00 09:13:01 EDT

Contents:
  Re: The science of secrecy: Simple Substition cipher (Roger Gammans)
  Re: MITM attack (Tim Tyler)
  Re: Any products using Rijndael? (Tom St Denis)
  Re: Any products using Rijndael? (Tom St Denis)
  Re: xor algorithm (Tom St Denis)
  Re: Maximal security for a resources-limited microcontroller (Bo Dömstedt)
  Re: Rijndael has a very good S-Box (Tom St Denis)
  Re: MITM attack (Tom St Denis)
  Re: What is meant by non-Linear... (John Savard)
  Re: NSA quote on AES (John Savard)
  Re: FTL Computation (David C. Ullrich)
  Re: Microsoft CAPI's PRNG seeding mechanism (Pascal JUNOD)
  Re: AES Runner ups (John Savard)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Roger Gammans)
Subject: Re: The science of secrecy: Simple Substition cipher
Date: Tue, 10 Oct 2000 11:52:04 GMT

In article <8rt852$pj4$[EMAIL PROTECTED]>, KK wrote:
>
>Dear group,
>Channel 4 (UK) are running a series of 'The science of secrecy'
>and after the show mentioned a cipher competition on their website
>www.channel4.co.uk/nextstep. The message uses a substitution cipher
>where the letters are paired ie if cT 'A' = pT 'T' then cT 'T' = pT 'A'.

The Telegraph ran a similar challenge to win copies
of the book.

Well I say challenge advisedly, the encryption
was rot-13.....

TTFN
-- 
Roger
     Think of the mess on the carpet. Sensible people do all their
     demon-summoning in the garage, which you can just hose down afterwards.
        --     [EMAIL PROTECTED]
        

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: MITM attack
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Oct 2000 11:25:31 GMT

William A. McKee <[EMAIL PROTECTED]> wrote:

: How likely is a MITM attack on an internet connection from an ISP like BELL
: (ADSL from server to BELL) to a client anywhere in the world?  I would think
: that because the packets can be routed just about anywhere and everywhere,
: MITM would be very difficult.  I could be wrong.

The MITM can sit on the cable two inches upstream from the client.  If he
can position himself there, he has no problems.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  ILOVEYOU.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Any products using Rijndael?
Date: Tue, 10 Oct 2000 11:50:58 GMT

In article <[EMAIL PROTECTED]>,
  "Sam Simpson" <[EMAIL PROTECTED]> wrote:
> <SNIP>
>
> > Twofish round function output is really making me sick lately.  It
> > doesn't look like a "wide data path" to me and could be a big
> source of
> > troubles.
>
> <SNIP>
>
> My we are fickle Tom...this time last week you were jumping up and
> down because Twofish wasn't selected ;)

True, well I honestly overlooked that part of Twofish.  Until I
implemented MyFish I never really gave it much thought.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Any products using Rijndael?
Date: Tue, 10 Oct 2000 11:55:28 GMT

In article <[EMAIL PROTECTED]>,
  Runu Knips <[EMAIL PROTECTED]> wrote:
> Sam Simpson wrote:
> > > Twofish round function output is really making me sick lately.  It
> > > doesn't look like a "wide data path" to me and could be a big
> > > source of troubles.
> >
> > My we are fickle Tom...this time last week you were jumping up and
> > down because Twofish wasn't selected ;)
>
> Well, he's young and flexible. ;-)
>
> But I would like to understand what this 'wide data path'
> problem should be... after all, I started recoding my
> Twofish implementation yesterday (Iiiks non-female GF
> things again ;-) ) and I found no 'non-wide data paths'
> ... maybe he's talking about the 2PHT, which he would
> have liked to replace with a MDS ?
>
> Would be amusing if Tom would break Twofish :-)

Well the problem is given the vector <a, b> the round output is <2a+b,
a+b> and I doubt that's the best way to mix the entropy of <a,b> over
64bits.

I can't think of any logistical break [yet] but addition causes nasty
properties.  For example it's not a "complete" function in the sense
that it's not a multipermutation and it's very linear as well as weak
to differential cryptanalysis.

The only reason nobody has broken Twofish's round function is because
it's hard to make a good approximation across GF(2), Z2^32 and the
keyed sboxes.

Tom


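The properties argued over above (the <2a+b, a+b> mixing being a bijection but not a multipermutation, and how XOR differences pass through it) can be checked directly. This is an added example, not code from any poster or from the Twofish authors; it takes the transform in the form the post writes it, on 32-bit words, and the sample inputs are constructed. The Twofish specification writes the same transform with the roles of a and b swapped, which changes nothing below.

```python
import random

MASK32 = 0xFFFFFFFF


def pht(a: int, b: int) -> tuple:
    """The round-output mixing as the post writes it: <2a+b, a+b>, both sums mod 2^32."""
    return ((2 * a + b) & MASK32, (a + b) & MASK32)


def pht_inverse(u: int, v: int) -> tuple:
    """The map is a bijection on pairs: a = u - v and b = 2v - u recover the input."""
    a = (u - v) & MASK32
    b = (2 * v - u) & MASK32
    return a, b


def same_b_same_u(a: int, b: int) -> tuple:
    """Return two distinct inputs that agree on input b AND on output u.

    2 is not invertible mod 2^32, so the top bit of a vanishes in 2a+b.
    A multipermutation would let any two of {a, b, u, v} fix the other two;
    this pair shows that (b, u) does not fix a."""
    a2 = a ^ 0x80000000
    return (a, b), (a2, b)


def xor_differential_probability(da, db, du, dv, trials=10000, seed=1):
    """Estimate Pr[(da,db) -> (du,dv)] for XOR differences over random 32-bit inputs."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b = rng.getrandbits(32), rng.getrandbits(32)
        u1, v1 = pht(a, b)
        u2, v2 = pht(a ^ da, b ^ db)
        if (u1 ^ u2, v1 ^ v2) == (du, dv):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    p, q = same_b_same_u(0x01234567, 0x89ABCDEF)   # constructed sample input
    print(p, q, pht(*p), pht(*q))
    # A top-bit difference in a never reaches u and always reaches v.
    print(xor_differential_probability(0x80000000, 0, 0, 0x80000000))  # 1.0
    # A low-bit difference propagates only with some probability (carries).
    print(xor_differential_probability(1, 0, 2, 1))                    # roughly 0.25
```

The two probability-1 differentials on the most significant bit are the "very linear" behaviour the post complains about: in the top bit, modular addition is plain XOR. Lower bits behave nonlinearly only through carries, which is what the sampled 1/4 shows.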

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: xor algorithm
Date: Tue, 10 Oct 2000 11:58:40 GMT

In article <wWwE5.11560$[EMAIL PROTECTED]>,
  "Paul Pires" <[EMAIL PROTECTED]> wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:8rtqkq$u4$[EMAIL PROTECTED]...
> > In article <oqrE5.173$[EMAIL PROTECTED]>,
> >   "Paul Pires" <[EMAIL PROTECTED]> wrote:
> > >
> > > William A. McKee <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Antonio Merlo <[EMAIL PROTECTED]> wrote in message
> > > > news:8rs4sr$mm7$[EMAIL PROTECTED]...
> > > > > How strong will be an encryption method based on a xor operation
> > > > > with a pass phrase (or password) and a buffer to encrypt?
> > > > > (supposed a very strong password of, let's say 16 letters,
> > > > > combining uppercase, lowercase and digits)
> > > > > How will you cryptanalyse that algorithm?
> > > > >
> > > > >
> > > >
> > > > If you use your password to seed a pseudo random number generator
> > > > (PRNG) like ISAAC, WAKE, etc. and xor the buffer with the PRNG
> > > > output, I think it can be quite secure.  I may be wrong.  I'm such
> > > > a newbie :)
> > >
> > > I'm a newbie too but I think you should point out that not all
> > > PRNG's are equal. There are PRNG's and then there are
> > > Cryptographically secure PRNG's. I am not sure about ISAAC.
> > > Regardless, this is a stream cipher and has use limitations. A
> > > blanket statement that it can be "Quite secure" could be misleading.
> > > You cannot re-use a keyed stream. If the same key is used for two
> > > different messages and a plaintext is known for one, it is trivial
> > > to solve for the other plaintext. There are ways of dealing with
> > > this but it's not like falling off a log.
> > > Stream ciphers and Block ciphers are not two different, but
> > > equivalent, methods
> >
> > Technically any effective PRNG is cryptographically secure by
> > definition.  But I will agree that some PRNG's are weak and "allowed"
> > to be weak for logistical purposes.
>
> Don't mean to argue but.... A PRNG for crypto needs to be irreversible
> and unpredictable. Just because it makes output that statistically
> checks out doesn't mean that you can't predict future behavior from
> past output or back track and derive the key.

Ah, but in the strictest sense a very good PRNG is unpredictable and
statistically unbiased (over oo outputs).  This means it's
cryptographically secure.

The problem arises when people say "this is good ..enough.." and use a
LCG or LFG etc...

> Don't burn me up here. I think I'm amplifying what you said, not
> necessarily contradicting it.

Hehehehe no prob.

> Agreed. Just don't use the same key over again from the start without
> an IV or salt and don't use it for something that needs tamper
> protection/detection.

Well if you have the ciphertext from RC4 (random key) when I decrypt it
I can tell if you tampered with it.  Stream ciphers are time dependent
which means the order of the bytes are very crucial.
Consider "deletion mutations" on DNA before it's read :-)

Tom


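Paul Pires' two cautions in the quoted thread (never re-use a keyed stream from the start without an IV, and do not rely on a bare XOR stream for tamper detection), worked through as an added example that is not from any of the posters. The keystream generator is a constructed stand-in (SHA-256 in counter mode) rather than ISAAC or WAKE; neither attack depends on which PRNG drives the stream. The password and the two messages are made up.

```python
import hashlib


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed stand-in for a password-seeded PRNG: SHA-256 of (key, iv, counter).

    Neither attack below depends on which PRNG produces the stream;
    ISAAC, WAKE or RC4 would behave identically for these two attacks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def recover_with_reused_stream(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Stream re-use: c1 XOR p1 is the stream, so c2 decrypts without the key
    (for as many bytes as the known plaintext covers)."""
    stream = xor_bytes(c1, known_p1)
    return xor_bytes(c2, stream)


def patch_ciphertext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bit-flipping: XOR (old ^ new) into the ciphertext and the plaintext field
    changes from old to new on decryption; no key is needed."""
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def demo() -> tuple:
    key = b"Xy7kQp2mLz9vBn4R"   # constructed 16-character password
    no_iv = b""                 # same key, no IV: the stream is reused from the start
    p1 = b"PAY 0010 GBP TO ALICE"
    p2 = b"PAY 9999 GBP TO MALLORY"
    c1 = encrypt(key, no_iv, p1)
    c2 = encrypt(key, no_iv, p2)

    # Attack 1: the attacker knows p1 and reads the first len(p1) bytes of p2.
    recovered = recover_with_reused_stream(c1, p1, c2)

    # Attack 2: the attacker knows only the message layout and rewrites the amount.
    forged_c1 = patch_ciphertext(c1, 4, b"0010", b"9990")
    forged_p1 = decrypt(key, no_iv, forged_c1)

    # With a fresh IV per message the stream differs and attack 1 yields garbage.
    c2_iv = encrypt(key, b"iv-0002", p2)
    with_iv = recover_with_reused_stream(c1, p1, c2_iv)
    return recovered, forged_p1, with_iv


if __name__ == "__main__":
    for label, value in zip(("reused stream", "bit-flipped", "with IV"), demo()):
        print(label, value)
```

The IV only defeats the first attack. The second one goes through regardless of IV or PRNG quality, because XOR carries every ciphertext bit flip straight into the plaintext; tamper detection has to come from a separate MAC, which is the "tamper protection/detection" caveat in the thread.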

------------------------------

From: [EMAIL PROTECTED] (Bo Dömstedt)
Subject: Re: Maximal security for a resources-limited microcontroller
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Oct 2000 12:15:51 GMT

Volker Hetzer <[EMAIL PROTECTED]> wrote:
>Do you really propose to invent a proprietary encryption algorithm?
Yes! But only if there would be a technical advantage for
the customer. (I agree that Skipjack would be a good candidate.)

>If yes, then, to go back to professionalism, as a customer one
>should form an opinion about the ability of the "professional".
Yes! Come here! We have NEVER failed any such
evaluation...

>Did you take part in or win any competitions? 
? Lottery ? Football ? What competitions ?
>Did your algorithms survive any public analysis?
It has been submitted to a public conference.
We also hold other types of evidence.

>Just calling yourself Chief Cryptographer would certainly not
>be enough to convince me.
I don't expect to convince anyone using this forum.
But if you don't have the time to read all published cipher-books,
attend conferences, etc, talk to someone who might help you.
Would it be wrong ?

>To me, you are an unknown and I can understand Toms skepticism.
Well, I can too. I had a discussion with Tom a while ago, where he
didn't want to pay $130 for our random number generator, and he
asked if we had a "student kit". He had several proposals for random
number generators, that we have tested, and he didn't like that
we had built the SG100 based upon these results (i.e his proposals
don't work). 
I understand if Tom is "sceptic". But if you need advice or 
special solutions, and can pay for a project, you will not waste 
your time contacting us.

>Greetings!
>Volker

Greetings!
Bo Dömstedt
Chief Cryptographer
Protego Information AB
IDEON,Lund,Sweden

The hardware random number generator:
http://www.protego.se/sg100_en.htm
750 MBytes / 24hrs


------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Rijndael has a very good S-Box
Date: Tue, 10 Oct 2000 12:05:57 GMT

I am replying to all three of your posts...

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (John Savard) wrote:
> Using a small BASIC program, I searched for differential
> characteristics, and linear (well, affine? over GF(2^8), anyhow)
> approximations to the S-box.

An affine linear approximation is something like y = a xor b xor 1.

> The differential behavior of the Rijndael S-box is simply astounding.

Dude check out my website, I have code that makes "good" sboxes of
various sizes (odd or even bit sizes).  The sbox is based on
multiplicative inversion in a GF.  It was used by Matsui in Misty and
by Tom St Denis in TC5.

> If you consider S(i) xor S(i xor diff), for all 256 values of i, this
> expression will often take on a value zero or two times instead of
> once, as is ideal...and may take on one value _four_ times.
>
> That's as strong as any differential characteristic of the S-box gets.

Technically there are 255 '4' in the xor-pair table and the rest is
zeros and twos.  That's not the best an sbox could be in theory though.

> As for linear approximations, things are a bit better for the
> cryptanalyst, but not by much.
>
> S(i) is equal to a*i xor b (where the multiplication is done in
> GF(2^8)) as many as 13 times out of 256, where a=23 and b=163.
>
> The second best linear approximation *also* occurs for a=23, this time
> with b=56; this one is true 11 times.
>
> For a=1 and a=23, there are multiple "approximations" that show up,
> and most commonly they are true around 8 times.
>
> The approximation a=147 and b=99 is true 9 times, and the only other
> value of b that gives an approximation true more than 4 times is 229,
> with a=147 b=229 true 5 times, so this approximation may have less of
> a "noise level" to contend with.
>
> On the other hand, if the multiple approximations at either a=1 or
> a=23 can be made to work together, to provide a strong linear
> approximation - but with _partial information_, something might be
> done.

All linear approximations are biased (affine/linear) by at most 16
times.  So given for example (y0 = x0 xor x1 xor x7) that will hold in
the sbox for at most 112/256 or 144/256 times.  When the approximation
deviates from 128/256 times it can be exploited.

Of course the inverse sbox has the same low xor-pair, all you did is
transpose the xor-pair matrix!

In the case of Rijndael an affine transform is applied after the sbox
lookup to help muddle the low non-linear order of the output.

Check out http://www.geocities.com/tomstdenis/

You will see all the neat stuff I have been doing surrounding the
subject.

Tom


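The figures traded above (255 entries of 4 in the xor-pair table and nothing above 4, a largest linear bias of 16 out of 256, the inverse box's table being the transpose) can be checked in a few lines. This is an added example, not code from either poster or from Tom's site: it rebuilds the Rijndael S-box from multiplicative inversion in GF(2^8) followed by the affine transform, as FIPS-197 specifies, and includes Savard's count of how often S(i) = a*i xor b holds with the product in GF(2^8), for any (a, b) of your choosing.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B), as Rijndael does."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(x: int) -> int:
    """Multiplicative inverse by exhaustive search; 0 maps to 0 as in the Rijndael S-box."""
    if x == 0:
        return 0
    return next(y for y in range(1, 256) if gf_mul(x, y) == 1)


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def rijndael_sbox() -> list:
    """Inversion followed by the GF(2)-affine transform of FIPS-197; gives S[0x53] == 0xED."""
    box = []
    for x in range(256):
        y = gf_inv(x)
        box.append(y ^ rotl8(y, 1) ^ rotl8(y, 2) ^ rotl8(y, 3) ^ rotl8(y, 4) ^ 0x63)
    return box


def invert(box: list) -> list:
    inv = [0] * 256
    for x, y in enumerate(box):
        inv[y] = x
    return inv


def xor_pair_table(box: list) -> list:
    """ddt[dx][dy] = number of x with S(x) ^ S(x ^ dx) == dy."""
    ddt = [[0] * 256 for _ in range(256)]
    for dx in range(256):
        for x in range(256):
            ddt[dx][box[x] ^ box[x ^ dx]] += 1
    return ddt


def ddt_summary(ddt: list) -> tuple:
    """(largest entry, number of entries equal to 4) over the nonzero input differences."""
    entries = [ddt[dx][dy] for dx in range(1, 256) for dy in range(256)]
    return max(entries), entries.count(4)


def is_transpose(t1: list, t2: list) -> bool:
    return all(t1[i][j] == t2[j][i] for i in range(256) for j in range(256))


def max_linear_bias(box: list) -> int:
    """Largest |#{x : a.x == b.S(x)} - 128| over nonzero masks a, b (GF(2) dot products).

    For each output mask b the vector (-1)^(b.S(x)) is Walsh-transformed in place,
    which yields sum_x (-1)^(a.x + b.S(x)) = 2 * bias for every input mask a at once."""
    parity = [bin(i).count("1") & 1 for i in range(256)]
    best = 0
    for b in range(1, 256):
        v = [1 - 2 * parity[b & box[x]] for x in range(256)]
        h = 1
        while h < 256:
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
            h *= 2
        best = max(best, max(abs(v[a]) for a in range(1, 256)) // 2)
    return best


def gf_affine_hits(box: list, a: int, b: int) -> int:
    """How often S(i) == a*i xor b holds, product taken in GF(2^8) (Savard's approximation)."""
    return sum(1 for i in range(256) if box[i] == gf_mul(a, i) ^ b)


if __name__ == "__main__":
    S = rijndael_sbox()
    ddt = xor_pair_table(S)
    print("max entry, count of 4s:", ddt_summary(ddt))     # (4, 255)
    print("max linear bias:", max_linear_bias(S))            # 16
    print("inverse box table is the transpose:", is_transpose(ddt, xor_pair_table(invert(S))))
    print("S(i) == 23*i xor 163 holds", gf_affine_hits(S, 23, 163), "times")
```

A bias of 16 means the best GF(2) linear approximation holds 112 or 144 times out of 256, exactly the figure in the post. The transpose check is the post's remark that inverting the S-box only transposes the xor-pair table, since a pair (x, x^dx) with output difference dy is the same pair seen from the other side.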

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: MITM attack
Date: Tue, 10 Oct 2000 12:22:35 GMT

In article <[EMAIL PROTECTED]>,
  "William A. McKee" <[EMAIL PROTECTED]> wrote:
> How likely is a MITM attack on an internet connection from an ISP like
> BELL (ADSL from server to BELL) to a client anywhere in the world?  I
> would think that because the packets can be routed just about anywhere
> and everywhere, MITM would be very difficult.  I could be wrong.

It really depends on who is being attacked.  I wouldn't doubt my isp is
tapping my connection just because that's the only way to explain the
slow response... hehehe

Um... in reality MITM attacks are only cool against important targets.
Because you are sending private email to your friend in Vancouver
doesn't mean people are reading it.  In fact before today I didn't know
you existed... etc...

Tom



------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: What is meant by non-Linear...
Date: Tue, 10 Oct 2000 12:18:48 GMT

On Mon, 9 Oct 2000 17:59:05 +0100, "Rob Marston" <[EMAIL PROTECTED]>
wrote, in part:

>I assume it means that where
>
>    y = f(x)
>
>is so complex that
>
>    x = F(y)
>
>is difficult/impossible to compute? Right or Wrong?

No. Its meaning is much weaker than that. It just means that y = f(x)
can't be expressed as y = a*x + b, or, usually, that y also can't be
expressed as a function of x that involves an XOR and a transpose or
masking of bits as well. Thus, while it is easy to invert each of the
rows in the DES S-boxes, they are designed so that "no S-box is a
linear or affine function of its input".

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NSA quote on AES
Date: Tue, 10 Oct 2000 12:29:39 GMT

On Tue, 10 Oct 2000 11:20:15 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote, in
part:
>Brian Gladman <[EMAIL PROTECTED]> wrote:

>: The point at which cryptographic systems are broken by breaking the
>: algorithms used are now in the past [...]

>I doubt this is true.

Well, I would say that a weaker version of this is true.

Some algorithms in use certainly can be broken, and there will be
times when an attacker does not have the opportunity to do anything
else, despite the fact that usually it is much easier to compromise a
computer system than, say, to brute-force a 40-bit key.

But the use of computers to carry out encryption algorithms certainly
means that it is at least possible for many users of encryption to
reduce the risk from a broken algorithm essentially to zero, if they
care to do so. For example, use Blowfish without using public-key
methods to exchange keys.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (David C. Ullrich)
Crossposted-To: sci.astro,sci.physics.relativity,sci.math
Subject: Re: FTL Computation
Date: Tue, 10 Oct 2000 12:37:12 GMT
Reply-To: [EMAIL PROTECTED]

On Mon, 09 Oct 2000 18:02:40 GMT, "Paul Lutus" <[EMAIL PROTECTED]>
wrote:

><[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
>> > > If the projection of a spot of light can virtually move FTL
>> > > then so too can the projected images of a slide rule's slides.
>> > > The computation 'in effect', takes place FTL.
>> >
>> > Not "in effect," not at all. The projection of the light does not move
>at
>> > FTL, not virtually, not really, not at all.
>>
>> It does move FTL.
>
>Now we have to imitate Bill Clinton and say exactly what we mean by "it."

        I've hesitated to ask. But I wonder if anyone can say exactly
what "faster than light computation" _is_. The speed of light is 
measured in units like meters per second. I don't see how to
measure the speed of a _computation_ in meters per second...

>I argued that it was the hypothetical path of the light, not the projection
>of photons along that path, that changed superluminally. The light itself
>never exceeds c as it travels along the new path. The changed angle of the
>light's path, if extrapolated out into space, has moved superluminally, but
>the actual light can only catch up with this change at c, no more.
>
>Like water leaving a hose. You can rotate the hose spigot faster than the
>water's velocity, but the water doesn't instantaneously change direction all
>along its path.
>
>The remainder of your argument makes sense, but it is indistinguishable from
>an example that uses two light beams taking off in different directions. I
>believe this is not what the OP had in mind, but as you point out, it also
>does not violate normal rules of causality.
>
>--
>
>Paul Lutus
>www.arachnoid.com


------------------------------

Date: Tue, 10 Oct 2000 14:37:58 +0200
From: Pascal JUNOD <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Microsoft CAPI's PRNG seeding mechanism

[EMAIL PROTECTED] wrote:

> All this debate on the "security" of M$'s CAPI does still not answer
> the question how the Api CryptGenRandom seeds random data. I guess some
> reverse engineering is required here, if there is no further info from
> M$ itself.

After some web searches, I think that reverse engineering is the right
solution...
By the way, the source of the seeding mechanism in the sun.security.*
Java package is not available, or am I wrong?

A+

Pascal

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Pascal Junod, [EMAIL PROTECTED]                                 *
* Laboratoire de Sécurité et de Cryptographie (LASEC)                *
* INR 313, EPFL, CH-1015 Lausanne, Switzerland  ++41 (0)21 693 76 17 *
* Place de la Gare 12, CH-1020 Renens           ++41 (0)79 617 28 57 *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: AES Runner ups
Date: Tue, 10 Oct 2000 12:35:52 GMT

On Tue, 10 Oct 2000 11:12:06 +0200, Runu Knips
<[EMAIL PROTECTED]> wrote, in part:

>Twofish is a redesign of Blowfish

I'm not sure they really share much except the name.

>Btw, another really good cipher is AFAIK CAST-128 which
>didn't make it to the second round but is used, for
>example, in GnuPG.

I remember someone correcting me, telling me that the name of the AES
candidate was CAST-256. However, like RC6, I believe that it requires
licensing as well.

Among the non-finalist designs, one that is freely available, and
which should be secure (but its key schedule may be iffy), is SAFER+,
I believe. (Now _there's_ a cipher whose rounds could be alternated
with those of Rijndael...)

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
