Cryptography-Digest Digest #372, Volume #14      Thu, 17 May 01 12:13:00 EDT

Contents:
  Re: Evidence Eliminator works great. Beware anybody who claims it  doesn't work 
(propaganda) (Justin L.)
  Re: 3x4 grid of triangular numbers (Jeffrey Shallit)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) 
([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (SCOTT19U.ZIP_GUY)
  Re: new cipher ("Jakob Jonsson")
  Re: A simple encryption algorithm based on OTP (Michael Will)
  Re: function decomposition ("Yaniv Sapir")
  Choosing algorithms ("Panu Hämäläinen")
  Re: new cipher (jlcooke)
  Re: Evidence Eliminator works great. Beware anybody who claims it  doesn't work 
(propaganda) (Nomen Nescio)
  Re: Karnaugh maps (try #2) (jlcooke)
  . . . SafeDebit (NYCE) - Snake Oil or Real ??? (Spam-o-Cide)
  Re: . . . SafeDebit (NYCE) - Snake Oil or Real ??? (SCOTT19U.ZIP_GUY)
  Truncation (Charles Nicol)
  Re: PRNG question from newbie ("Scott Fluhrer")
  Re: taking your PC in for repair? WARNING: What will they find? ("Omnivore")
  PGP details ("Harris Georgiou")
  What about SDD? ("Harris Georgiou")
  Re: Crypto web-page ("Joseph Ashwood")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Justin L.)
Crossposted-To: 
alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Evidence Eliminator works great. Beware anybody who claims it  doesn't 
work (propaganda)
Date: Thu, 17 May 2001 11:21:42 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

On Wed, 16 May 2001 04:33:03 GMT, "Ken D." <[EMAIL PROTECTED]>
wrote:

>Beretta wrote:
>> 
>> On Tue, 15 May 2001 22:33:36 +0100, in alt.security.pgp you wrote:
>> 
>> >
>> >By now you will have witnessed the mass hysteria about Evidence
>> >Eliminator. 
>> <snip>
>> 
>> V3.1   -      Name:  Snacker Serial: 1234567890-000084E21262
>> V3.1   -      Name: Snacker\MiSSiON Serial:
>> 1234567890-0001EDC79005 V4.0   -      Name: Snacker\MiSSiON
>> Serial: 1234567890-0001EDC79005 V4.5   -      Name: Hazard ,
>> Serial: Hazard-000063515895
>> V5.0  -       Code: EE10-44100004D012 (also allows upgrades)
>> 
>> You fags keep spamming, and I keep posting serial numbers to your
>> software  
>> 
>
>
>i hope these keys invoke their 'protection code'.
>i need a working example of that 'protection' to write my EE
>danger "demonstration" program.


If it did just delete files when it detected an "illegal" serial
number, you could simulate it with "del <filename>" :-) (right?)


=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOwO0Qf6AiUVpv4j7EQKljgCg/lzPzIz5tfPcw85anJkLybz78DwAnRms
e7pQecZppDngWtiSCT+LrHhq
=iv9s
=====END PGP SIGNATURE=====


------------------------------

From: [EMAIL PROTECTED] (Jeffrey Shallit)
Crossposted-To: rec.puzzles,alt.math.recreational,sci.math
Subject: Re: 3x4 grid of triangular numbers
Date: 17 May 2001 11:40:24 GMT

In article <[EMAIL PROTECTED]>,
Benjamin Goldberg  <[EMAIL PROTECTED]> wrote:
>Fred W. Helenius wrote:
>> 
>> Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
>> 
>> >Could someone direct me to Gauss's proof that any number can be
>> >decomposed into the sum of 3 triangular numbers?
>> 
>> Section V of his _Disquisitiones Arithmeticae_.  The theorem
>> is stated and proved in article 293, but the proof depends
>> upon "the preceding theory"; that is, the theory of quadratic
>> forms that he develops in the preceding 200+ pages.
>
>Uck.  Is there any *simple* proof for this?  And, how hard is it to
>decompose an arbitrary large number?

In my paper with Rabin,
``Randomized algorithms in number theory'',
Commun. Pure and Appl. Math. 39 (1986), S239-S256, I gave two algorithms
to express a number n as a sum of three triangular numbers, when this
is possible.

The first works when 8n+3 is a prime, and runs in random polynomial time.
The second works for arbitrary numbers, and runs in random polynomial
time provided a reasonable conjecture about the distribution of primes
is true.

Jeffrey Shallit, Computer Science, University of Waterloo,
Waterloo, Ontario  N2L 3G1 Canada [EMAIL PROTECTED]
URL = http://www.math.uwaterloo.ca/~shallit/
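
An added illustration of the decomposition being discussed (my code, not from the Rabin-Shallit paper, and not one of its algorithms, which avoid the search below). It finds n = T(a) + T(b) + T(c) by exact search and restates the answer in the form the "8n+3 is prime" condition refers to: since 8*T(a) + 1 = (2a+1)^2, a three-triangular decomposition of n is the same thing as writing 8n+3 as a sum of three odd squares.

```python
"""Exact decomposition n = T(a) + T(b) + T(c) by search. Added illustration; this is
not one of the Rabin-Shallit algorithms, which avoid the search below."""
from math import isqrt


def tri(a):
    """a-th triangular number T(a) = a(a+1)/2."""
    return a * (a + 1) // 2


def tri_index(t):
    """Index a with T(a) == t, or None if t is not triangular (8t+1 must be an odd square)."""
    if t < 0:
        return None
    s = isqrt(8 * t + 1)
    return (s - 1) // 2 if s * s == 8 * t + 1 else None


def three_triangular(n):
    """Return sorted (a, b, c) with T(a)+T(b)+T(c) == n. Gauss proved one always exists."""
    a = 0
    while 3 * tri(a) <= n:                 # a is the smallest index, so T(a) <= n/3
        b = a
        while tri(a) + 2 * tri(b) <= n:    # b is the middle index, so T(b) <= (n - T(a))/2
            c = tri_index(n - tri(a) - tri(b))
            if c is not None:
                return tuple(sorted((a, b, c)))
            b += 1
        a += 1
    raise ValueError("unreachable for n >= 0 by Gauss's Eureka theorem")


def odd_squares(n):
    """8n+3 = (2a+1)^2 + (2b+1)^2 + (2c+1)^2: the equivalent problem, because 8*T(a)+1 = (2a+1)^2.
    The 'when 8n+3 is prime' case in Shallit's reply is this representation problem."""
    a, b, c = three_triangular(n)
    return (2 * a + 1, 2 * b + 1, 2 * c + 1)
```

The search is quadratic in sqrt(n), so it is fine for small n and hopeless for the "arbitrary large number" Goldberg asks about; that gap is exactly what the randomized algorithms in the paper close.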


------------------------------

Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
From: [EMAIL PROTECTED]
Date: 17 May 2001 08:12:36 -0400

"Trevor L. Jackson, III" <[EMAIL PROTECTED]> writes:
> [EMAIL PROTECTED] wrote:
>>
>> Correlation between B&E rates and rate of concealed carry permits, for
>> one thing.
> 
> Prison interviews are quite convincing.  The single universal fear thieves
> have is not of being caught by the police, who have rules to follow, but
> of being caught by an armed citizen...

True! Colin Ferguson, who shot up a Long Island subway, actually bought
his gun in CA with a fifteen-day waiting period. When asked why he chose
Long Island as the venue for his shooting spree, he answered (approximate
quote), ``I was confident nobody in Long Island would be shooting back.''

He stopped twice to reload before three men mustered the courage to
wrestle him down.

Len.

-- 
Frugal Tip #18:
Get by on your good looks.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm
Date: 17 May 2001 12:37:41 GMT

[EMAIL PROTECTED] (Joseph Ashwood) wrote in <u9TvTkZ2AHA.274@cpmsnbbsa07>:

>
>"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>
>>   Let's clear this up since Joe may have complicated it.
>> even a 19bit block size would need a key of over a million
>> bytes to represent all the possible transforms. In scott19u
>> for example the true key is over a million bytes long. The
>> reason it's hard to break is that it's hard to find any input
>> output pairs for the 19 bit blocks used.
>>
>>   If one is going to use a cipher of 128 bits for a block
>> size, then the number of transforms possible becomes
>> (2**128)! this is a huge number compared to a small key
>> of 256 bits which allows for only 2**256! possible transformations.
>> so any block cipher using a 128 bit block and only a 256 bit key
>> can not be very complex. And for a given method with a small
>> key of 256 bits, it would not take very many pairs of cipher text
>> to plain text to mathematically have enough information to determine
>> the key.
>
>That is not necessarily true, and in fact can be proven to be completely
>untrue in many circumstances, take a fairly simple one. Take a random
>permutation of 2^128 elements, call this P1, swap 2 elements in that
>permutation call that P2. Given k blocks of known pt/ct pairs (I'll
>assume that each possible plaintext is equally probable) what are the
>odds of determining which permutation was used? To determine which of
>P1/P2 was used you need to have one of the swapped locations in the
>list, therefore on average you will need 2^127 revealed elements to
separate the two permutations. You seem to have forgotten a few
>assumptions. 

   No I have not made a mistake here. One could design a cipher
as you constructed above but it would be extremely weak to other
forms of attack. Most ciphers aren't designed so that you could
even order them so a P1 and P2 would differ by only changing
a couple of entries in an S table. However your example is
possible. Modern ciphers are designed to be semi random in
nature so that if one has only a few different plaintext blocks
for a 128 bit block cipher and a 256 bit key, one only needs
a few plaintext ciphertext block pairs to nail down the key.
   That said if a Scott128u were possible the key size would be
in the gig-gig bytes and such an ordered arrangement could be found
but then that's a lot longer than a 256 bit key.
   I don't think you really believe any cipher would be modeled
by such a method since you know it would be extremely weak.
But suppose they are modeled this way. Since a P1 and P2 may
need, by your count, over 2**127 different blocks to even find
a plaintext that is mapped differently, I don't think one
could even find 2 keys in 128 bit RIJNDAEL that map 10 separate
blocks the same way. If your example has any validity to modern
ciphers such a task should be easy for you. But it doesn't;
in fact with a 256 bit key and a 128 bit block it would reduce
down from 2**256 unknown keys to 2**128 keys after the first plain
text block. After the second block it could reduce down to one key.
This is if they mixed perfectly. But assume some slop; it might take
3 or 4 blocks to nail the key.
   You could ask the crypto gods. Surely since RIJNDAEL is damn
easy to analyse they must know how many different plaintext blocks
nails the average key and how many it would take in the very worst
case.

rest of dribble snipped.
since only 3 or 4 blocks would need to be examined
not 2**127 your example is worthless to modern crypto



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!
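
A worked version of the counting argument in this exchange, added here (my code, not Scott's or Ashwood's). It models an *ideal* block cipher, where each key selects an independent uniformly random permutation of the block space, at toy sizes (8-bit key, 4-bit block), counts how many keys remain consistent with 0, 1, 2, ... known plaintext/ciphertext pairs, and gives the analytic expectation alongside for the 256-bit key / 128-bit block case under discussion. The "mixed perfectly" idealization is exactly what Ashwood's P1/P2 construction is built to violate, so the model says nothing about that construction.

```python
"""How many keys stay consistent with k known plaintext/ciphertext pairs. Added example for the
exchange above (not Scott's or Ashwood's code). It models an *ideal* cipher, where every key
selects an independent uniformly random permutation of the block space, at toy sizes."""
from fractions import Fraction
import random

KEY_BITS, BLOCK_BITS = 8, 4                 # toy: 256 keys, permutations of 16 blocks
N_BLOCKS = 1 << BLOCK_BITS

# Constructed for the demo: key k seeds a PRNG that draws the permutation for k. A real cipher
# is a fixed algorithm, so its 2^KEY_BITS permutations are far from independent; this is the
# "mixed perfectly" idealization the thread argues about.
PERMS = [random.Random(k).sample(range(N_BLOCKS), N_BLOCKS) for k in range(1 << KEY_BITS)]


def encrypt(key, block):
    return PERMS[key][block]


def surviving_keys(pairs):
    """Keys whose permutation maps every known plaintext to its ciphertext."""
    return [k for k in range(1 << KEY_BITS) if all(encrypt(k, p) == c for p, c in pairs)]


def survivor_counts(true_key, plaintexts):
    """Number of consistent keys after 0, 1, 2, ... known pairs produced under true_key."""
    pairs = [(p, encrypt(true_key, p)) for p in plaintexts]
    return [len(surviving_keys(pairs[:k])) for k in range(len(pairs) + 1)]


def expected_false_keys(key_bits, block_bits, pairs):
    """Ideal-cipher expectation: each of the 2^key_bits - 1 wrong keys survives one pair with
    probability about 2^-block_bits, so roughly (2^key_bits - 1) / 2^(block_bits * pairs) wrong
    keys remain. For a 256-bit key and 128-bit block: ~2^128 after one pair, below 1 after two."""
    return Fraction(2 ** key_bits - 1, 2 ** (block_bits * pairs))
```

With the toy sizes, survivor_counts(0x5A, [0, 1, 2, 3]) starts at 256, drops to roughly 17 after one pair (the true key plus about 255/16 lucky wrong ones), and is down to the true key alone after two or three; the same arithmetic at 256/128 is where "two blocks nail the key" comes from under this idealization.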


------------------------------

From: "Jakob Jonsson" <[EMAIL PROTECTED]>
Subject: Re: new cipher
Date: Thu, 17 May 2001 14:50:54 +0200

You are of course right; here is the announcement:

http://www.ntt.co.jp/news/news01e/0104/010417.html

Jakob

"Paul Crowley" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Jakob Jonsson" <[EMAIL PROTECTED]> writes:
> > Camellia, EPOC, PSEC, and ESIGN are all submissions to NESSIE, so you can
> > find documentation at
> >
> > https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions.html
> >
> > The algorithms have been publicly available for at least eight months, so
> > the announcement does not make sense to me (clearly, they don't mean that
> > the algorithms are to be released into the public domain).
>
> If I recall correctly, these algorithms are to be put under a
> worldwide, royalty-free license, like AES.  This is great news if
> true, but I can't now find a mention on the Camellia home page...
>
> http://info.isl.ntt.co.jp/camellia/
> --
>   __  Paul Crowley
> \/ o\ [EMAIL PROTECTED]
> /\__/ http://www.cluefactory.org.uk/paul/
> "Conservation of angular momentum makes the world go around" - John Clark



------------------------------

From: [EMAIL PROTECTED] (Michael Will)
Subject: Re: A simple encryption algorithm based on OTP
Date: 17 May 2001 12:36:22 GMT
Reply-To: [EMAIL PROTECTED]

In article <DjSK6.65474$[EMAIL PROTECTED]>, Tom St Denis wrote:
>> It seems that what everyone is after, is a system that is as secure as an
>> OTP, but is able to re-use a key without losing its security....
>>
>> The only way to do this, is to change something else - (other than the
>> key), i.e the algorithm itself, OR, add something else, with each
>> encryption.....

>Real ciphers are designed long the lines of fixed keys and fixed cipher
>design per message.  (well typically the cipher design won't change at all).
>The security is suppose to lie in the key nothing more.

I think the key is part of the algorithm. key+algorithm is "the information"
needed to decrypt, and having different keys just means to be able to replace 
one specific piece of "the information". so one algorithm plus its keyspace 
is equivalent to as many fixed algorithms as the keyspace is big. ;-)  
exchanging either key or algorithm means the same. 

Both have to be agreed on by both sides, and both just mean using different
decoding information.

So does "security by obscurity" just mean using a weak encryption in form
of a weak fixed key algorithm? 

Bemused - Michael Will
-- 
Man who fish with spear
Need patience
Or get wet and have holes in feet.


------------------------------

From: "Yaniv Sapir" <[EMAIL PROTECTED]>
Subject: Re: function decomposition
Date: Thu, 17 May 2001 16:01:37 +0200

Hey, this problem (GF(2^8) inversion logic) occupied some of my time a few
months ago. The problem with K-maps is when trying to minimize a
more-than-four-variables function. The Quine-McCluskey method does give a
good solution for this multi-variable problem. Through my searches I found
the program called "espresso" doing exactly this, using this method.

Try looking at:
http://www.rensselaer.edu/dept/ecse/coco/S00/W03/Week03.html
http://www.olemiss.edu/courses/EE/ELE_335/Spring1999/335_L18/sld001.htm
http://logik.phl.univie.ac.at/chris/qmo-uk.html.O5

HTH,
Yaniv.

Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:SCNM6.117288$[EMAIL PROTECTED]...
>
> "Ulrich Kuehn" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Tom St Denis wrote:
> > >
> > > In MISTY they decomposed the GF cubing operation into a set of gate logic.
> > > How do they do that?  I have seen a few bitslicer programs (like those for
> > > DES) but often they are not elegant examples (i.e no source or poorly
> > > written source).
> > >
> > > What are the logical steps?  I was trying to decompose GF inversion with a
> > > 4-bit field on paper by just saying "ok bits 1 and 3 are set and the output
> > > bit 1 is on so it must be a function of those two..." but often there are
> > > conflicts...
> > >
> > > My goal is to decompose a GF inversion of eight bits that will lead to
> > > hopefully a somewhat decent translation...
> >
> > You might want to do a literature search on Quine-McCluskey.
>
> thanks I will.
>
> Tom
>
>
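
The front end of the pipeline Yaniv describes, as an added example (my code, not MISTY's design work and not part of espresso): compute the field function bit-exactly, then emit its truth table in the PLA format espresso minimizes, so the "logical steps" Tom asks about are handled by the tool rather than by hand. Reduction polynomials are assumed: x^4 + x + 1 (0x13) for the 4-bit field Tom tried on paper, and the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) for GF(2^8). The cubing map from MISTY is included as a second table.

```python
"""Added example: compute x -> x^-1 (and x -> x^3) in GF(2^n) and emit the truth table in the
PLA input format that espresso minimizes. Reduction polynomials are parameters; 0x13 and 0x11B
are the assumed choices for GF(2^4) and GF(2^8)."""


def gf_mul(a, b, poly, n):
    """Multiply in GF(2^n): carry-less multiply, reducing whenever degree n appears."""
    r = 0
    mask = (1 << n) - 1
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: subtract (XOR) the reduction polynomial
            a ^= poly
    return r & mask


def gf_inv(a, poly, n):
    """a^(2^n - 2) == a^-1 for a != 0 (Fermat); 0 maps to 0, the convention the AES S-box uses."""
    if a == 0:
        return 0
    result, base, e = 1, a, (1 << n) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, poly, n)
        base = gf_mul(base, base, poly, n)
        e >>= 1
    return result


def pla_table(f, n):
    """Truth table of an n-bit -> n-bit function in espresso's PLA format:
    .i/.o sizes, input/output labels, .p product-term count, one 'inputs outputs' row, .e."""
    ins = " ".join(f"x{i}" for i in reversed(range(n)))
    outs = " ".join(f"y{i}" for i in reversed(range(n)))
    lines = [f".i {n}", f".o {n}", f".ilb {ins}", f".ob {outs}", f".p {1 << n}"]
    lines += [f"{x:0{n}b} {f(x):0{n}b}" for x in range(1 << n)]
    lines.append(".e")
    return "\n".join(lines)


def inversion_pla(poly, n):
    return pla_table(lambda x: gf_inv(x, poly, n), n)


def cube_pla(poly, n):
    """The MISTY-style case from the question: x -> x^3 as a PLA."""
    return pla_table(lambda x: gf_mul(x, gf_mul(x, x, poly, n), poly, n), n)
```

Write inversion_pla(0x11B, 8) to a file and run espresso on it; the minimized cover is the sum-of-products gate list for each output bit, which is what the hand method with K-maps cannot reach at eight variables.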



------------------------------

From: "Panu Hämäläinen" <panuh[@]cs.tut.fi>
Subject: Choosing algorithms
Date: Thu, 17 May 2001 16:22:47 +0300

Hi!

I was just wondering the following.

Suppose a communications system requiring highly reliable security design.
Which would be the number 1 choices of the available algorithms for

1. public-key encryption
2. secret-key encryption (and encryption mode)
3. hash calculation
4. digital signing
5. MAC calculation

Suggestions...

-- Panu Hämäläinen




------------------------------

From: jlcooke <[EMAIL PROTECTED]>
Subject: Re: new cipher
Date: 17 May 2001 13:27:52 GMT

Ahh, right.  NT != DT.  However, the presenter mentioned in the
presentation at the AES that DT had been using Magenta in commercial
products for years as a trade secret.  So I guess as you say, "years and
years" isn't accurate since the public didn't get to review it ... seems
to have been a bad move on their part.

JLC

Paul Crowley wrote:
> 
> jlcooke <[EMAIL PROTECTED]> writes:
> 
> > From the same people who gave us Magenta.  Closed to the public for
> > years and years, and when submitted to the AES, it took 10 minutes of
> > questions from the audience to crack it.  I'm wary.
> 
> No, Magenta was Deutsche Telekom, this is Mitsubishi and NTT.  Also I
> believe Magenta was devised for the AES, so "years and years" is an
> exaggeration.  Camellia is based on the E2 AES submission, which was
> one of the stronger candidates.
> --
>   __  Paul Crowley
> \/ o\ [EMAIL PROTECTED]
> /\__/ http://www.cluefactory.org.uk/paul/
> "Conservation of angular momentum makes the world go around" - John Clark

------------------------------

From: Nomen Nescio <[EMAIL PROTECTED]>
Subject: Re: Evidence Eliminator works great. Beware anybody who claims it  doesn't 
work (propaganda)
Crossposted-To: 
alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Date: Thu, 17 May 2001 15:40:10 +0200 (CEST)

My impression of EE is that it's a serious product, at least it was
discussed seriously when it first came out; but when I went to their
website it opened about 8 pop-up windows - talk about bottom-feeding
web-sites; they spam newsgroups, and do it in an angry, aggressive
sort of way, and they charge a ridiculously high price for EE.   

It's almost as if the EE people want to destroy any chance they have
to sell the product. Maybe they are trying to kill the business in
some clever attempt at tax avoidance.



------------------------------

From: jlcooke <[EMAIL PROTECTED]>
Subject: Re: Karnaugh maps (try #2)
Date: 17 May 2001 13:46:06 GMT

:)  You can do 0's as well.  Sometimes it's easier to do the 0's, then NOT
the output.

Tom St Denis wrote:
> Yup, fixed-width font made it better.  So the Karnaugh map is just a way to
> optimize the expressions for where a 1 occurs in the table?

------------------------------

From: Spam-o-Cide <[EMAIL PROTECTED]>
Subject: . . . SafeDebit (NYCE) - Snake Oil or Real ???
Date: Thu, 17 May 2001 14:21:37 GMT



Hi

Posted before on this subject, not a single taker, making one feel lame;
is the silence a mark of people thinking the post too dumb to answer?

Is it really that bad or is everybody else in the dark as well ?

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: . . . SafeDebit (NYCE) - Snake Oil or Real ???
Date: 17 May 2001 14:47:43 GMT

[EMAIL PROTECTED] (Spam-o-Cide) wrote in <R7RM6.58738$ff.457903@news-
server.bigpond.net.au>:

>
>
>Hi
>
>Posted before on this subject, not a single taker, making one feel lame;
>is the silence a mark of people thinking the post too dumb to answer?
>
>Is it really that bad or is everybody else in the dark as well ?
>

  It would be hard to get people to look at something new.
Most here have their own agendas to push. I would think a cash
contest might work. That's what I did and no one broke my stuff.
It's hard to break in the crypto world unless you get it blessed
but then the very act of getting it blessed should make one
suspicious. Does this crypto you're talking about have source
code??

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: [EMAIL PROTECTED] (Charles Nicol)
Subject: Truncation
Date: Thu, 17 May 2001 10:36:36 -0400

Consider the truncation function T.
In general T(((a+1)/a)^(m+n)) is not equal to T(((a+1)/a)^m)*T(((a+1)/a)^n)
where a is a positive integer.
However if a is large then there is equality of these terms. For example if
a=1000, then equality holds for all m and n such that m+n<693.
Is it possible to obtain a bound B such that equality does hold for all m
and n such that m+n<B for given a?
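
An added worked answer (my code, not the poster's): with x = (a+1)/a, T(x^k) = floor((a+1)^k / a^k) is exact integer arithmetic, so the bound can be derived and then checked by brute force. Both factors and the product truncate to 1 as long as x^k < 2, so the first exponent B with x^B >= 2, i.e. B = ceil(ln 2 / ln((a+1)/a)), is the bound asked for: every m, n >= 1 with m+n < B gives equality, and the pair (1, B-1) breaks it at m+n = B whenever a >= 2.

```python
"""Added example for the truncation question: with x = (a+1)/a, T(x^k) = floor((a+1)^k / a^k) is
computed exactly with integers, the bound B is derived, and the claim is checked by brute force."""


def trunc_pow(a, k):
    """T(((a+1)/a)^k) without floating point: floor division of exact integers."""
    return (a + 1) ** k // a ** k


def bound_B(a):
    """Least k with ((a+1)/a)^k >= 2, i.e. the first exponent where T(x^k) stops being 1.
    For m + n < B every factor and the product truncate to 1, so equality holds; at m + n == B
    the pair (1, B-1) already breaks it for a >= 2 (T(x^1) = T(x^(B-1)) = 1 but T(x^B) = 2)."""
    k = 1
    while (a + 1) ** k < 2 * a ** k:
        k += 1
    return k


def first_violation(a, B):
    """Scan all m, n >= 1 with m + n <= B; return the first pair where T(x^(m+n)) != T(x^m) T(x^n),
    or None. With B = bound_B(a) every pair below B passes and the returned pair has m + n == B."""
    t = [trunc_pow(a, k) for k in range(B + 1)]   # one exact power per exponent, then table lookups
    for s in range(2, B + 1):
        for m in range(1, s):
            if t[s] != t[m] * t[s - m]:
                return (m, s - m)
    return None
```

For a = 1000 this gives B = 694 (1.001^693 is just under 2, 1.001^694 just over), consistent with the poster's observation that equality holds for m+n < 693.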

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: PRNG question from newbie
Date: Thu, 17 May 2001 08:24:02 -0700


Paul Crowley <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Roger Schlafly" <[EMAIL PROTECTED]> writes:
> > Aarrgh. IMO, people should use different terminology if that is what
> > they mean. The obvious meaning of "secure hash function" is that of
> > a hash function such that usage as a hash function is secure from known
> > attacks. Behaving like a random oracle is a very different and nebulous
> > thing.
>
> What would you call a primitive whose goal is to behave like a random
> oracle?

A pseudorandom oracle?

Actually, what's slightly more interesting would be the security conditions
such an object would attempt to meet.  Here's a first cut:

- A function PRO is a "pseudorandom oracle" if, given a test string X, a
balanced boolean function B, and an oracle that returns the output PRO(Y)
for any Y!=X, it is computationally infeasible for the attacker to guess the
value of B(PRO(X)) with probability 0.5+epsilon.

I'm not happy with it -- it assumes that the attacker isn't given a
description of PRO (otherwise he can compute PRO(X) directly).  Anybody have
a better definition?

--
poncho




------------------------------

From: "Omnivore" <[EMAIL PROTECTED]>
Crossposted-To: 
alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: taking your PC in for repair? WARNING: What will they find?
Date: Thu, 17 May 2001 08:58:02 -0700


"Ken D." <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Omnivore wrote:
> >
> > They may find Evidence Eliminator and alert the authorities that one
bears
> > keeping an eye on.
>
> how's this for a delightful conspiracy:
>
> EE is being spammed around *by* the authorities.
> they know its so weak, they want folks to use it :)
>
> EE, the one most recommended by civil serpents!
> buy now!

    Hell - For all we know it could mail in incriminating stuff to whoever
one would least want to have it.



------------------------------

From: "Harris Georgiou" <[EMAIL PROTECTED]>
Subject: PGP details
Date: Thu, 17 May 2001 18:14:21 +0300

Two questions:

1.    Why does PGP continue to use CAST as default for encryption while it
has support for AES? Furthermore, how does the preference list work, I mean
when and why does PGP choose to use encryption other than the default
choice?

2.    Perhaps this applies to signatures in general: using the private key
for encrypting the SHA1 digest of a message, doesn't this increase the risk
of key exposure? While the public key is available to everyone, sending
plaintexts (message + well-known digest method) along with their
ciphertexts, doesn't this weaken the secrecy of the private key as well?
After all, even 160-bit digests (SHA1) are a much easier target for (even
brute force) plaintext attacks than the (private) key itself.



--

Harris

- 'Malo e lelei ki he pongipongi!'
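
On the first question, how the preference list works, here is an added example (my code, not PGP's) of the rule in RFC 2440 section 5.2.3.7: each key's self-signature carries an ordered list of the symmetric algorithms its owner accepts, a sender may only use an algorithm every recipient lists, and TripleDES is implicitly on every list as the fallback. The RFC leaves the choice among the acceptable algorithms to the implementation; this example assumes the sender's own ordering (its configured default first) decides, which is enough to show when a client ends up encrypting with something other than its default.

```python
"""How the OpenPGP preference list decides the cipher. Added example (my code, not PGP's),
following RFC 2440 section 5.2.3.7: each recipient key lists the symmetric algorithms it accepts,
the sender must pick one that every recipient lists, and TripleDES is implicitly on every list.
Assumption: among the acceptable algorithms the sender's own ordering (default first) wins."""

TRIPLE_DES = "TripleDES"   # the MUST-implement algorithm in RFC 2440, hence the implicit fallback


def acceptable_to_all(recipient_prefs):
    """Intersection of the recipients' lists, each augmented with the implicit TripleDES."""
    common = None
    for prefs in recipient_prefs.values():
        s = set(prefs) | {TRIPLE_DES}
        common = s if common is None else common & s
    return common if common is not None else {TRIPLE_DES}


def choose_cipher(sender_prefs, recipient_prefs):
    """sender_prefs: the sender's ordered preference, default first.
    recipient_prefs: {key_id: [cipher, ...]} as read from each recipient key's self-signature.
    Returns the first sender-preferred cipher all recipients accept; TripleDES if none does.
    This is the case where a client encrypts with something other than its default: some
    recipient's key does not list the default."""
    common = acceptable_to_all(recipient_prefs)
    for cipher in sender_prefs:
        if cipher in common:
            return cipher
    return TRIPLE_DES


def explain(sender_prefs, recipient_prefs):
    """Which recipients rule out the sender's default, for a 'why not my default?' diagnosis."""
    default = sender_prefs[0]
    return sorted(k for k, prefs in recipient_prefs.items()
                  if default not in set(prefs) | {TRIPLE_DES})
```

So a CAST5 default is used as long as every recipient's key lists CAST5; add one recipient whose key lists only AES and the message goes out under AES; a recipient whose key lists nothing in common forces TripleDES.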





------------------------------

From: "Harris Georgiou" <[EMAIL PROTECTED]>
Subject: What about SDD?
Date: Thu, 17 May 2001 18:43:25 +0300

People use some encryption algo to prevent access to sensitive information.
Some use stego to hide even the existence of the ciphertext. But encryption
and steganography seem to have more differences than similarities.
Encryption uses well-known methods for creating the ciphertext, the security
of which is based directly on the difficulties accessing or guessing the
key. On the other hand, steganography uses "simple" techniques for merging
data into a carrier signal, but the security here is based more on the
secrecy of the technique itself rather than a secret key.

But how about sparse data distribution techniques? I mean why can't we use a
method that dynamically spreads the data into a vast pool of white noise? If
we choose the pool size correctly and use a good PRNG, statistical methods
for detecting changes (T-test and F-test with maximum sensitivity) in
distribution are useless, while using a RLE-like table as a user key (say
4096-bit => 512-byte RLE offsets) ensures that even if the method is
well-known none will try to guess this key by chance. If my numbers are ok,
using random values of size: 2^(k+2) times the size of the actual data, is
sufficient for this even if all actual data are equal (say zeros). In a
sense, the principle is the same as the broad-spectrum comms used by the
military: the opponent knows the existence of the message but the retrieval
is extremely difficult.

Of course the SDD method is not for massive message exchange - my guess is
that it could be used effectively in combination with encryption for secure
key storage, to deny even the retrieval of the ciphertext (before any
cryptanalysis is attempted).
I think it's much more difficult to try and break a 1K ciphertext if it is
buried into 650M of junk in a CD.

PS: Are there any freeware programs like Steganos (Win98/Unix) using SDD
techniques instead of stego?



--

Harris

- 'Malo e lelei ki he pongipongi!'
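
An added sketch of the "sparse data distribution" idea in the post (my construction, not a published scheme or an existing program): the key seeds a PRNG that selects distinct offsets in a pool of random bytes, and the data bytes overwrite the pool at those offsets; extraction reads the same offsets back. SHA-256 of the key seeding Python's PRNG is assumed as the stand-in for the RLE offset table the post proposes, and the pool is constructed from a seeded PRNG so the example runs offline. The only secret is the offset sequence, and the last function measures what an observer comparing carrier and stego would see: the fraction of bytes changed, which the post's pool-size argument is about keeping small.

```python
"""Added sketch of the 'sparse data distribution' idea in the post (my construction, not a published
or existing program): the key seeds a PRNG that selects distinct offsets in a pool of random bytes
and the data bytes overwrite the pool at those offsets. The only secret is the offset sequence."""
import hashlib
import random


def _offsets(key: bytes, pool_len: int, count: int) -> list:
    # Assumed key schedule: SHA-256(key) seeds Python's PRNG, standing in for the RLE offset table
    # the post proposes. sample() guarantees distinct offsets so no data byte clobbers another.
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    return random.Random(seed).sample(range(pool_len), count)


def make_pool(size: int, seed: int = 2001) -> bytearray:
    """Constructed 'white noise' carrier; a real pool would be filled from os.urandom."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(size))


def embed(pool: bytearray, data: bytes, key: bytes) -> bytearray:
    """Copy the pool and overwrite the key-selected offsets with the data bytes."""
    out = bytearray(pool)
    for off, byte in zip(_offsets(key, len(pool), len(data)), data):
        out[off] = byte
    return out


def extract(pool: bytes, key: bytes, length: int) -> bytes:
    """Read `length` bytes back from the offsets the key selects; a wrong key yields pool noise."""
    return bytes(pool[off] for off in _offsets(key, len(pool), length))


def changed_fraction(before: bytes, after: bytes) -> float:
    """Share of carrier bytes the embedding altered: the quantity a detector would have to notice."""
    return sum(x != y for x, y in zip(before, after)) / len(before)
```

If the data is not itself random-looking (the all-zeros case the post considers), the overwritten positions carry a statistical signature proportional to that changed fraction; the post's requirement on pool size is what keeps it below what a test can resolve.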




------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Crypto web-page
Date: Thu, 10 May 2001 16:14:38 -0700

I believe that's why Tom recommended the web of trust model, instead of the
hierarchical model that CAs have pushed on us. Granted they are provably
equal (under certain rather tenuous assumptions), but they are still
different. The web of trust model is basically the 6 degrees theory applied
to certificates.

It works like this. I generate my certificate, I know I generated my
certificate, I know I can trust my certificate. I meet Alice, I develop a
relationship with Alice, I get to the point where I am confident that Alice
is who Alice says she is, and more importantly I am confident that Alice
will only sign someone's public key if she believes the person is as
claimed, I sign Alice's public key, and Alice signs mine when she's ready.
This builds a measure of trust between us. I use this trust to extend the
trust relationship. Let's say Alice is very popular and she has signed the
public keys of 50 other people, each of those has signed an average of 2 for
extension, etc. Now because Alice has signed my public key, everyone that
trusts Alice will trust that I am who I say I am, they will also trust the
signatures I make. Through Alice, I have a certification of those 50 (I'm in
silicon valley so they're all) men. Because I trust Alice's trust giving, I
trust the 2 people that each of those 50 has signed for, and each of those
50 will trust the individuals I have signed for. Realistic implementations
of a Web-of-Trust allow me to select how far I trust individuals, do I trust
Alice to sign a pub key, to sign a pub key . . . 1 million more times . . .
a pub key? Probably not. However my personal levels will differ with each
person. I have to have some level of trust in a person in order to trust
that it is their key, but I do not necessarily trust them to introduce me to
others and not lie, others I may trust to introduce me to more introducers,
etc.

The other consideration is what likelihood is there of fraud for the
situation? If I receive a notification that DES has been cracked, there's
likely to be little fraud in the situation (it has been cracked,
repeatedly). On the other hand if someone claims to be Microsoft, the odds
of fraud are high (because the rewards are high). Most of our communications
don't require that level of sophistication. If I e-mail Tom, encrypted with
his public key, and he successfully decrypts it, I have an assurance that
the e-mail address and key match, which is often the only important thing
because it is common to build trust based on address; trust in real identity
may or may not ever be needed.
                        Joe

"jlcooke" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> > I.e "Failure to implement protection against "known plain-text" attacks."
> > which is impossible except for physical protection.
> > and
> > "In the context of a public-key cryptography system: Thinking it's safe to
> > send a public-key across an insecure network or communications medium, such
> > as the internet. Since we all know that sending a public-key across an
> > insecure network means someone can intercept it "en route" and replace it
> > with his/her own."
> >
> > Which is only half true.  Using a web of trust it's possible todo this
> > correctly.
>
> I think you'd be hard pressed to find a successful example of this at a
> global scale Tom.  I'm getting flash-backs of a news headline: "VeriSign
> falsely issues two Microsoft certificates".  And how do you test the
> authenticity of the amazon.com cert?  With the CA cert you downloaded in
> Netscape?  Chicken and Egg.
>
> JLC
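
The trust propagation Joe describes, as an added worked example (my code, not PGP's implementation): a key is valid if I generated it, or if it is certified by enough already-valid keys whose owners I trust as introducers (one fully trusted signer, or a configurable number of marginally trusted ones), within a path-length limit. That separation between "this key is valid" and "I trust this person to introduce others" is the per-person level Joe mentions. Names, signatures and trust settings below are constructed.

```python
"""Added worked example of the web-of-trust computation (my code, not PGP's): a key is valid if I
generated it, or if it is certified by enough already-valid keys whose owners I trust as
introducers (one FULL signer or `marginals_needed` MARGINAL ones), within `max_depth` hops."""
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"   # owner trust: how far I trust a person to certify others


def compute_valid_keys(me, signatures, owner_trust, max_depth=3, marginals_needed=2):
    """signatures: (signer, signee) pairs. owner_trust: {key: FULL|MARGINAL}; absent means none.
    Returns {key: depth} for every key I consider valid (depth 0 is my own key)."""
    signers_of = defaultdict(set)
    for signer, signee in signatures:
        signers_of[signee].add(signer)
    depth = {me: 0}
    changed = True
    while changed:                               # fixed point: each pass may validate new keys
        changed = False
        for key, signers in signers_of.items():
            if key in depth:
                continue
            # only signatures from keys that are themselves valid AND whose owner I trust count
            full = [s for s in signers if s in depth and owner_trust.get(s) == FULL]
            marg = [s for s in signers if s in depth and owner_trust.get(s) == MARGINAL]
            certifiers = full or (marg if len(marg) >= marginals_needed else [])
            if not certifiers:
                continue
            d = 1 + min(depth[s] for s in certifiers)
            if d > max_depth:                    # too far from me to accept the introduction chain
                continue
            depth[key] = d
            changed = True
    return depth


# Constructed example graph: I signed alice and erin; alice (whom I trust fully as an introducer)
# signed bob and carol; bob and erin are only marginally trusted; carol is valid but not trusted
# to introduce anyone, so her signature on dave adds nothing.
SIGNATURES = [("me", "alice"), ("alice", "bob"), ("alice", "carol"), ("bob", "dave"),
              ("carol", "dave"), ("me", "erin"), ("erin", "frank"), ("bob", "frank")]
OWNER_TRUST = {"me": FULL, "alice": FULL, "bob": MARGINAL, "erin": MARGINAL}
```

With the constructed graph, carol's key is valid (alice vouched for it) yet dave's is not, because his only trusted certifier is the marginal bob; frank's key is valid because two marginally trusted people, erin and bob, both signed it. Tightening max_depth to 1 leaves only the keys I signed myself, which is the "how far I trust individuals" knob Joe refers to.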



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
