Cryptography-Digest Digest #368

2000-12-20 Thread Digestifier

Cryptography-Digest Digest #368, Volume #13  Wed, 20 Dec 00 06:13:01 EST

Contents:
  Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (jtnews)
  Re: Possibly another Encryption method - any thoughts ? (Simon Best)
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (Tom St Denis)
  Re: Q: Result of an old thread? (Bryan Olson)
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (Richard E. Silverman)
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (jtnews)
  Re: Q: Result of an old thread? (Simon Best)
  Re: Q: Result of an old thread? (Benjamin Goldberg)
  Re: Q: Result of an old thread? (Simon Best)
  Re: Q: Result of an old thread? (Bryan Olson)
  Re: Mathematical concepts (Joris Vankerschaver)
  Re: Possibly another Encryption method - any thoughts ? (Kirk Whelan)
  Re: Possibly another Encryption method - any thoughts ? (Kirk Whelan)



Date: Tue, 19 Dec 2000 20:32:39 -0500
From: jtnews [EMAIL PROTECTED]
Crossposted-To: comp.security.ssh
Subject: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)?

I'm trying to use ssh, should I use protocol 1.0 or 2.0?
What's the difference?  Which one is more secure?

--

From: Simon Best [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Possibly another Encryption method - any thoughts ?
Date: Wed, 20 Dec 2000 01:54:00 +

Kirk Whelan wrote:
 
 Hi Simon, thanks for replying, let me see if I can answer the points
 that you have asked/raised.
 
 I have never heard the term
 'security through obscurity'
 until I started to follow this newsgroup, so I am still learning ( not a
 bad thing :-) )
[...]
 When a system relies on people not knowing how it works for security,
 that's called 'security through obscurity'.  It's generally accepted
 that it's a bad idea.  Answer the following questions, in detail, to see
 why it's bad:
 
 1.  What will you do if, during the lifetime of your cryptosystem, you
 learn that an adversary has found out how your cryptosystem works?
In theory, it shouldn't matter if someone did, in fact I will reveal all,
 because I still think what I propose still has some life left in it, at
 this stage. But I don't doubt I could be heading for retirement.

There's no need to retire if one cryptosystem gets broken.  What
cryptographers usually recommend is that those learning cryptography
learn about cryptanalysis, and do cryptanalysis, before devising their
own ciphers.  (Well, I must admit that I haven't myself followed that
recommendation as such, but have spent time analysing mathematically
similar problems in mathematically similar things.)

 2.  What will you do if an adversary finds out how it works, but you
 never find out that an adversary has found out?
 Foiled again !!
 
 3.  What will you do if a once trusted person turns into an adversary?
 Has happened before and will happen again.
 
 4.  How will you keep possible adversaries from finding out in the first
 place?
 Don't know how to answer that.
 
 5.  How will you reduce risks from things that haven't even occurred to
 you, me, or anyone else?
 I wish I could see into the future

Alas, we humans generally seem to have great difficulty seeing into the
future.  What we can do is learn from the past and hope it's a good
guide.  Understanding how and why past, broken ciphers were broken is a
good example here, as you'll then be in a better position to try to
avoid such weaknesses in your own ciphers.

[...]
 So there you have it.
 I only started this so that I could transfer "root" password across the
 internet :-)

You've gone to all that trouble to transfer a superuser password
securely across The Internet?  Why not use existing cryptographic
software?  What about SSL?

 So no more obscurity.

Not entirely.  Your description was a bit too vague and ambiguous in
places for me to really follow.  You need to present it more formally,
and spell out what you mean in detail.

 --
 Kirk Whelan

Simon

-- 
___
Personal: [EMAIL PROTECTED]
Yellow Skies: [EMAIL PROTECTED] http://www.yellowskies.com
Everyone does their own signature to be different.  How does that work?

--

From: Tom St Denis [EMAIL PROTECTED]
Crossposted-To: comp.security.ssh
Subject: Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)?
Date: Wed, 20 Dec 2000 03:46:42 GMT

In article [EMAIL PROTECTED],
  jtnews [EMAIL PROTECTED] wrote:
 I'm trying to use ssh, should I use protocol 1.0 or 2.0?
 What's the difference?  Which one is more secure?

Secure for what?

Tom


Sent via Deja.com
http://www.deja.com/

--

From: Bryan Olson [EMAIL PROTECTED]
Subject: Re: Q: Result of an old thread?
Date: Wed, 20 Dec 2000 04:03:18 GMT

Simon Best wrote:

 I'm about to move on to analysing integer element matrices with a
 singular S that doesn't 

Cryptography-Digest Digest #369

2000-12-20 Thread Digestifier

Cryptography-Digest Digest #369, Volume #13  Wed, 20 Dec 00 11:13:02 EST

Contents:
  Re: Q: Result of an old thread? (Walter Hofmann)
  Re: Q: Result of an old thread? (Walter Hofmann)
  Re: In today's paper I read how Cuban (Tony L. Svanstrom)
  Re: Encrypting messages in images?? ([EMAIL PROTECTED])
  Re: Visual Basic Source Code ([EMAIL PROTECTED])
  Re: SMS security over various networks? (Robert Harley)
  Re: Homebrew Block Cipher: Moonshine (Tim Tyler)
  Re: does CA need the proof of acceptance of key binding ? ([EMAIL PROTECTED])
  Re: does CA need the proof of acceptance of key binding ? ([EMAIL PROTECTED])
  Re: hash function for public key digital signature : one way? ([EMAIL PROTECTED])
  Re: does CA need the proof of acceptance of key binding ? (Anne  Lynn Wheeler)
  Re: SMS security over various networks? (Mark Currie)
  Re: SMS security over various networks? (Mark Currie)
  looking for cipher algorithms' comparison ("maciek")
  cipher algorithms once again... ("maciek")



From: [EMAIL PROTECTED] (Walter Hofmann)
Subject: Re: Q: Result of an old thread?
Date: Wed, 20 Dec 2000 12:16:02 +0100

On Mon, 18 Dec 2000 22:45:44 +0100, Mok-Kong Shen [EMAIL PROTECTED] wrote:

Let me quote a previous follow-up of yours to be sure that 
I understand you:

   So you can change the coefficiants of AS by a sufficiently 
   small epsilon > 0 to get an invertible matrix, then you can 
   calculate (AS')^-1. Go on to calculate B'=(AS')^-1.ASB 
   then S(epsilon)=SB.B'^-1. In the limit epsilon -> 0 the 
   matrix S(epsilon) will converge to S as all operations 
   involved are continuous.

You defined B'=(AS')^-1.ASB. But ASB is singular, so B'
can't be inverted. Or do you want to apply the epsilon to
ASB also?

Now I see what you mean: You cannot invert B' here because I put
another factor of S in it.

It's probably the best to compute things the other way round, otherwise
one would need two epsilons:

Change ASB to ASB' which is within an epsilon of ASB.

Then you can calculate

B'^-1 = ASB'^-1 . AS
S = SB . B'^-1

and do the limit process as described above.

Is this OK with you now?

Walter

--

From: [EMAIL PROTECTED] (Walter Hofmann)
Subject: Re: Q: Result of an old thread?
Date: Wed, 20 Dec 2000 12:18:21 +0100

On Tue, 19 Dec 2000 01:31:16 +0100, Manuel Pancorbo [EMAIL PROTECTED] wrote:
"Walter Hofmann"
 You don't need p,q to do any of the computations above.


Alice needs p,q to compute A^-1, because (det A)^-1 mod N is needed.

This can easily be done without p and q. Use Euclid's algorithm.

Walter
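
As an added example (not code from Walter's post), the following Python sketch does exactly what he describes: it inverts an integer matrix modulo a composite N using only the extended Euclidean algorithm for (det A)^-1 mod N, never touching the factors p and q. The modulus 3233 and the matrices are constructed for illustration, not values from the thread.

```python
# Added example: inverting an integer matrix mod N without knowing N's factors.
# Everything below (the modulus, the matrices) is constructed for illustration.


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, n):
    """a^-1 mod n via extended Euclid. No factorisation of n is needed.
    If gcd(a, n) != 1 there is no inverse; note that in that case the gcd
    itself is a nontrivial factor of n whenever it is not n."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return x % n


def det(m):
    """Integer determinant by Laplace expansion (fine for small matrices)."""
    k = len(m)
    if k == 1:
        return m[0][0]
    total = 0
    for j in range(k):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det(minor)
    return total


def adjugate(m):
    """Transpose of the cofactor matrix: A * adj(A) == det(A) * I."""
    k = len(m)
    if k == 1:
        return [[1]]
    adj = [[0] * k for _ in range(k)]
    for i in range(k):
        for j in range(k):
            minor = [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]
            adj[j][i] = (-1) ** (i + j) * det(minor)
    return adj


def matinv_mod(m, n):
    """A^-1 mod n = (det A)^-1 * adj(A) mod n. Only modinv touches n."""
    dinv = modinv(det(m) % n, n)
    adj = adjugate(m)
    k = len(m)
    return [[(dinv * adj[i][j]) % n for j in range(k)] for i in range(k)]


def matmul_mod(a, b, n):
    k = len(a)
    return [[sum(a[i][t] * b[t][j] for t in range(k)) % n for j in range(k)]
            for i in range(k)]


def is_identity(m):
    k = len(m)
    return all(m[i][j] == (1 if i == j else 0) for i in range(k) for j in range(k))


if __name__ == "__main__":
    N = 3233            # constructed composite modulus (61 * 53); never factored here
    A = [[3, 5], [7, 11]]
    A_inv = matinv_mod(A, N)
    print(A_inv, is_identity(matmul_mod(A, A_inv, N)))
```

The only place N enters is `modinv`, so Alice needs nothing beyond N itself. The one thing that can go wrong is det A sharing a factor with N; then the matrix has no inverse mod N, and the gcd that Euclid returns is a factor of N, which is why the check raises rather than silently continuing.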

--

Crossposted-To: alt.2600,alt.security,comp.security
Subject: Re: In today's paper I read how Cuban
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Wed, 20 Dec 2000 12:29:22 GMT

Kirby Urner [EMAIL PROTECTED] wrote:

 Volker Hetzer [EMAIL PROTECTED] wrote:
 
 "Markku J. Saarelainen" wrote:
  
 
 This guy, writing under the above pseudonym, floods newsgroups
 with crap.  Check the deja.com archives for alt.politics.cia.org
 to see what it's like to drown in a sea of garbage.  I've got 
 my filters on of course, but he keeps posting from places.

I thought about killfiling him a long time ago, but he's way too much
fun for that. I think I might print and frame this last posting of his.
*L*


 /Tony
-- 
 /\___/\ Who would you like to read your messages today? /\___/\
 \_@ @_/  Protect your privacy:  http://www.pgpi.com/  \_@ @_/
 --oOO-(_)-OOo-oOO-(_)-OOo--
   on the verge of frenzy - i think my mask of sanity is about to slip
 ---ôôô---ôôô---ôôô---ôôô---
\O/   \O/  ©99-00 http://www.svanstrom.com/?ref=news  \O/   \O/

--

From: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc,alt.2600.hacker,alt.security
Subject: Re: Encrypting messages in images??
Date: Wed, 20 Dec 2000 13:08:23 GMT

I actually had to do this.  Some things were sent to me via USPS to
a foreign post, and they got held up in Customs.  Customs wanted me
to list everything that was there in the local language (not English),
and so I had to translate the list.  But they gave me the 4th copy,
which had *no* visible writing on it.

Anyhow, I scanned the copy, then used Adobe PhotoXpress (or something...
don't remember the name) to increase the contrast to the point that
I could read it.

Anyhow, that clearly didn't work, so the next time they just never
announced that the shipment had come, and THAT worked.  They got my
stuff the next time.  (Moral:  don't ship things via USPS overseas.
USPS ships it *to* customs, not *through* customs.)



Sent via Deja.com
http://www.deja.com/

--

From: [EMAIL PROTECTED]
Subject: Re: Visual Basic Source Code
Date: Wed, 20 Dec 2000 13:26:02 GMT

Hi Chad,

I've made an 

Cryptography-Digest Digest #370

2000-12-20 Thread Digestifier

Cryptography-Digest Digest #370, Volume #13  Wed, 20 Dec 00 16:13:00 EST

Contents:
  Re: Steganography using text as carrier (Richard Heathfield)
  Re: Steganography using text as carrier (Mike Tulley)
  Re: Steganography using text as carrier (Richard Heathfield)
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? ([EMAIL PROTECTED])
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (jtnews)
  Re: Steganography using text as carrier ([EMAIL PROTECTED])
  Symmetric "key exchange" protocol? (Ichinin)
  Re: cipher algorithms once again... (Simon Johnson)
  Tips in identifying a cipher (Jason Petrone)
  Re: cipher algorithms once again... (John Savard)
  Re: cipher algorithms once again... ("maciek")
  Whitehouse e-mails ("CMan")
  Re: SMS security over various networks? (Simon Johnson)
  Blum Blum Shub ("Dobs")
  Re: Unguessable sequence of unique integers? (Simon Johnson)
  Re: Blum Blum Shub (Chris Rutter)



Date: Wed, 20 Dec 2000 11:59:03 +
From: Richard Heathfield [EMAIL PROTECTED]
Subject: Re: Steganography using text as carrier

Mok-Kong Shen wrote:
 
 [EMAIL PROTECTED] wrote:
 
 [snip]
 
  is there a way to hide already encrypted messages (ciphertext block)
  within a *text* carrier,(not within the whitespace) and if so, what are
  the size constraints of ciphertext to carrier text?
 
  as redundancy would not be particularly surprising in spam messages,
  this might be a promising new avenue for effective steganography.
 
 Steganography is very much an art in my humble view. I
 don't think that there is any algorithm (automatic means)
 of doing the job you described, though there are methods
 of hiding bits in pixels etc. (A number of proceedings
 on information hiding have been published by Springer
 Verlag from which more pointers could be obtained.)

Just a thought:

Let C = E(P, K)

So we have an encrypted text, using J Random Encryption Algorithm, and
we must assume that our output is in binary format. We can look at this
data as a bunch of nybbles. There are sixteen distinct possible values
for a nybble, to which we could ascribe letters as follows:

IF you feel like it
  Count the frequencies of the nybbles within the ciphertext
  Assign each nybble value, in decreasing order of frequency, to the
following letters: s, c, a, p, b, r, d, i, m, e, t, f, h, g, l, w (based
on a cursory inspection of /usr/dict/words)
ELSE
  Assign each nybble value to some random letter
ENDIF

(Note: the actual correspondences of nybbles to letters act as a
rudimentary key, but there's no real security in that fact as far as I
can see.)

For each nybble in the ciphertext
  Generate a random English word beginning with the corresponding letter

Unassigned letters can be used for "filler" words to make the text more
convincing.

Just how effective this steganographic technique could be depends
largely on the quality of the text generation algorithm, especially
given the constraint that words must be chosen for their initial
letters.

Of course, like any steganographic technique published in sci.crypt, the
technique is somewhat weakened by the fact of its having been published
in sci.crypt.

Also, there's a huge amount of redundancy here - you only get four bits
of genuine information per English word - less if you use "filler"
words. For short messages, however, it could be of some limited
usefulness, even if only for a little elementary practice in
cryptanalysis. :-)


-- 
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
KR Answers: http://users.powernet.co.uk/eton/kandr2/index.html
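
As an added example, not code from Richard Heathfield's post, here is a toy encoder and decoder for the nybble-to-initial-letter scheme he sketches: both the frequency-ranked assignment (his IF branch) and the random one (his ELSE branch), with filler words drawn from letters that carry no nybble so the receiver can skip them. The word lists are constructed for this example and stand in for /usr/dict/words; the mapping itself is the (weak) key the receiver must already hold.

```python
# Added example: nybble -> initial-letter steganography as sketched above.
# Word lists are constructed for the example, not taken from a real dictionary.
from collections import Counter
import random

# Heathfield's letter order, most common initial letter first.
LETTER_ORDER = "scapbrdimetfhglw"

# Constructed mini dictionary: a few words per carrier letter.
WORDS = {
    "s": ["some", "sent", "small", "soft"],
    "c": ["cold", "can", "cats", "clear"],
    "a": ["and", "all", "after", "also"],
    "p": ["people", "part", "place", "put"],
    "b": ["but", "back", "best", "big"],
    "r": ["really", "right", "read", "run"],
    "d": ["day", "did", "down", "does"],
    "i": ["in", "it", "is", "into"],
    "m": ["many", "more", "much", "make"],
    "e": ["even", "every", "end", "else"],
    "t": ["the", "this", "they", "time"],
    "f": ["for", "from", "first", "few"],
    "h": ["have", "here", "how", "him"],
    "g": ["good", "get", "gone", "great"],
    "l": ["like", "long", "look", "last"],
    "w": ["with", "what", "when", "will"],
}

# Filler words begin with letters that carry no nybble, so decoding skips them.
FILLER = ["on", "not", "under", "yet", "our", "never", "just", "very"]
assert all(w[0] not in LETTER_ORDER for w in FILLER)


def nybbles(data: bytes):
    """Split bytes into 4-bit halves, high nybble first."""
    for b in data:
        yield b >> 4
        yield b & 0x0F


def build_key(ciphertext: bytes, by_frequency: bool = True, rng=None) -> dict:
    """Map each nybble value 0..15 to a carrier letter.

    by_frequency=True: most frequent nybble -> 's', next -> 'c', ... (IF branch).
    by_frequency=False: a random permutation of the letters (ELSE branch).
    """
    if by_frequency:
        counts = Counter(nybbles(ciphertext))
        ranked = sorted(range(16), key=lambda v: (-counts[v], v))
        return {v: LETTER_ORDER[rank] for rank, v in enumerate(ranked)}
    rng = rng or random.Random()
    letters = list(LETTER_ORDER)
    rng.shuffle(letters)
    return dict(zip(range(16), letters))


def encode(ciphertext: bytes, key: dict, rng, filler_rate: float = 0.0) -> str:
    """One carrier word per nybble (4 bits/word), plus optional payload-free filler."""
    words = []
    for n in nybbles(ciphertext):
        if rng.random() < filler_rate:
            words.append(rng.choice(FILLER))
        words.append(rng.choice(WORDS[key[n]]))
    return " ".join(words)


def decode(text: str, key: dict) -> bytes:
    """Recover the ciphertext: keep only words whose initial letter is a key letter."""
    inverse = {letter: v for v, letter in key.items()}
    vals = [inverse[w[0]] for w in text.lower().split() if w[0] in inverse]
    if len(vals) % 2:
        raise ValueError("odd number of carrier words: text was truncated")
    return bytes((vals[i] << 4) | vals[i + 1] for i in range(0, len(vals), 2))


if __name__ == "__main__":
    ct = bytes.fromhex("deadbeef0102")           # constructed "ciphertext"
    key = build_key(ct)
    cover = encode(ct, key, random.Random(42), filler_rate=0.3)
    print(cover)
    print(decode(cover, key) == ct)
```

The redundancy Heathfield points out is visible directly: without filler the cover text is exactly two words per ciphertext byte, and the frequency-ranked key must reach the receiver by some other channel, since it depends on the ciphertext being hidden.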

--

From: [EMAIL PROTECTED] (Mike Tulley)
Subject: Re: Steganography using text as carrier
Date: Wed, 20 Dec 2000 16:49:44 GMT

On 19 Dec 2000 18:56:46 -0600, Andre van Straaten
[EMAIL PROTECTED] wrote:


 The signs and the omens are everywhere
 But too few see them - too few even care
 (Lee Clayton - singer/songwriter, 1979)

I have a suggestion: you could hide the cyphertext in signatures which
claim to be music lyrics. There is no expectation that these will make
sense!

Mike
Mike Tulley ("net") = f("ofu")
(my real e-mail address) = f("nlutztAufmvtqmbofu/ofu")

--

Date: Wed, 20 Dec 2000 17:25:30 +
From: Richard Heathfield [EMAIL PROTECTED]
Subject: Re: Steganography using text as carrier

Mike Tulley wrote:
 
 On 19 Dec 2000 18:56:46 -0600, Andre van Straaten
 [EMAIL PROTECTED] wrote:
 
 
  The signs and the omens are everywhere
  But too few see them - too few even care
  (Lee Clayton - singer/songwriter, 1979)
 
 I have a suggestion: you could hide the cyphertext in signatures which
 claim to be music lyrics. There is no expectation that these will make
 sense!

<g>

Or indeed you could hide information in the music score itself. This was
done during WWII, apparently.

The agent in 

Cryptography-Digest Digest #372

2000-12-20 Thread Digestifier

Cryptography-Digest Digest #372, Volume #13  Thu, 21 Dec 00 00:13:01 EST

Contents:
  Re: cipher algorithms once again... (Bryan Olson)
  Re: Array shuffling ("Matt Timmermans")
  Re: hash function for public key digital signature : one way? (Bryan Olson)
  All irreducible polys of degree 32 over GF(2) ("Matt Timmermans")
  Re: All irreducible polys of degree 32 over GF(2) (Scott Contini)



From: Bryan Olson [EMAIL PROTECTED]
Subject: Re: cipher algorithms once again...
Date: Thu, 21 Dec 2000 02:14:21 GMT

maciek wrote:

 So there are two groups which are practically used these
 days: block and stream ciphers, am I right?

In a sense, yes that's right.  On the other hand, the
distinction between block and stream ciphers is relatively
unimportant compared to public-key versus secret-key
ciphers.

Secret key block ciphers are generally combined with some
"mode" such as cipher block chaining.  The combination is
actually a stream cipher (though definitions vary).


--Bryan


Sent via Deja.com
http://www.deja.com/

--

From: "Matt Timmermans" [EMAIL PROTECTED]
Subject: Re: Array shuffling
Date: Thu, 21 Dec 2000 02:22:56 GMT


"Benjamin Goldberg" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 If I convert the output of rand() into a float in the range [0,1), by
 dividing by (float)(1<<16), the values will have quite decent
 statistics.

You would think so, but I've been burnt by these RNGs lots of times before,
e.g., I've noticed significant visual artifacts when generating graphic
effects like Perlin noise using the most significant bits like you do above.

I wouldn't even think of using one of these for real statistical or
simulation work.

You can pass the output from one of these generators through the DIEHARD
test suite to see just how badly it does.  These days, when I need a quick
RNG that isn't obviously non-random, I'll use one of these generators, and
then calculate the CRC of the output.  When I want to do accurate random
simulations, I'll use a block cipher in CTR mode -- I know you already have
some of these around, right?





--

From: Bryan Olson [EMAIL PROTECTED]
Subject: Re: hash function for public key digital signature : one way?
Date: Thu, 21 Dec 2000 02:57:33 GMT

[EMAIL PROTECTED] wrote:

   In current established cryptographic hash algorithms like MD5, SHA-
 1..., does their one-way property impose extra computational load
 compared to their design that is only collision free?

No.  Of the three security properties usually stated for
cryptographic hashes (pre-image resistant, second pre-image
resistant, collision resistant) collision resistance is the
hardest to achieve.  It implies second pre-image resistance,
and the only collision resistant but not pre-image resistant
hashes are those contrived to exhibit the property.


   In my project, I use SHA-1 to hash a message to be signed, then send
 the signed message digest and plaintext as digital signature. I think
 the one-way property is not necessary for the hash function in my
 project.

I don't know about the needs of your project but there is
cause to require the one-way property.

Most signature standards, including DSA and PKCS-1 version
1.5, need pre-image resistance to avoid "existential
forgery".  If the hash is not one-way, an attacker can
exhibit a message and a legal signature even though the
holder of the private key never signed that message.  Such a
message is normally not meaningful; it was found as the
pre-image of a digest, and in the case of DSA the attacker
can't even control the digest.


--Bryan


Sent via Deja.com
http://www.deja.com/
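
As an added example (not code from Bryan Olson's post), the following Python sketch shows the existential forgery he describes against a hash-then-sign scheme whose hash is not one-way. The signature primitive is textbook RSA with a constructed small key, and the "hash" is a deliberately invertible bijection on two-byte messages, exactly the contrived kind of collision-resistant-but-not-pre-image-resistant function he mentions. The attacker never sees the private exponent: it picks a signature first, computes the digest that signature verifies against, and inverts the hash to obtain a message.

```python
# Added example: existential forgery when the hash in hash-then-sign is invertible.
# All key material and the "hash" are constructed toys for illustration.
import random

# Constructed toy RSA key (far too small for real use).
P, Q = 1009, 1013
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent; the attacker never uses it

MASK = 0xA5A5


def weak_hash(msg: bytes) -> int:
    """A 16-bit 'hash' on 2-byte messages: collision-free (it is a bijection)
    but trivially invertible, so it offers no pre-image resistance."""
    if len(msg) != 2:
        raise ValueError("this toy hash only accepts 2-byte messages")
    return int.from_bytes(msg, "big") ^ MASK


def weak_hash_preimage(digest: int) -> bytes:
    """The inverse map: any 16-bit digest has an obvious pre-image."""
    return ((digest ^ MASK) & 0xFFFF).to_bytes(2, "big")


def sign(msg: bytes) -> int:
    """Honest signer: s = H(m)^d mod N (textbook RSA, no padding)."""
    return pow(weak_hash(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Verifier: accept iff s^e mod N == H(m)."""
    return pow(sig, E, N) == weak_hash(msg)


def existential_forgery(rng, max_tries: int = 100_000):
    """Attacker with only the public key (N, E):
    choose s, compute digest = s^e mod N, then find m with H(m) == digest.
    The digest must land in the hash's 16-bit range, so retry until it does;
    the message found this way is meaningless, as Bryan notes, but verifies."""
    for _ in range(max_tries):
        s = rng.randrange(2, N - 1)
        digest = pow(s, E, N)
        if digest < 0x10000:
            return weak_hash_preimage(digest), s
    raise RuntimeError("no forgery found within max_tries")


def forge_demo(seed: int = 7):
    """Run the attack and report whether the verifier accepts the forgery."""
    msg, sig = existential_forgery(random.Random(seed))
    return msg, sig, verify(msg, sig)


if __name__ == "__main__":
    msg, sig, accepted = forge_demo()
    print(f"forged message {msg.hex()} with signature {sig}: accepted={accepted}")
```

With a pre-image-resistant hash the same attack stalls at the step that turns a digest into a message, which is the property Bryan says the signature standards rely on. The toy also makes his other point concrete: collision resistance of the hash (here, a bijection has none to find) does nothing by itself to stop the forgery.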

--

From: "Matt Timmermans" [EMAIL PROTECTED]
Subject: All irreducible polys of degree 32 over GF(2)
Date: Thu, 21 Dec 2000 03:10:55 GMT

Note first:  I've been on vacation -- sorry to all those I couldn't finish
arguing with, and thanks to all those who finished my arguments better than
I would have.

To business, then:

I'm looking for a list of all irreducible polynomials of degree 32 with
coefficients in GF(2).  I've written a program to generate them, but I'd
rather not have my computer tied up for the week it would take to generate
them all.  Does such a list exist elsewhere?

=

In case you're interested, it's for a program that will use CRT secret
sharing to do "unsequenced" transmission over unreliable or distributed
channels.  For instance:

You want a file that you can get from 30 different sources, so you tell them
all to start transmitting parts to you.  Each one repeatedly does the
following:

1) Pick a polynomial at random from the above list

2) calculate the "CRC" of the file using the chosen polynomial

3) transmit the CRC and the polynomial to you.

If the file is N words long, then you just have to wait until you get N
different CRCs.  You can then tell all sources to stop 
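
As an added example (not Matt Timmermans' program), the following Python code tests a polynomial over GF(2) for irreducibility with the Ben-Or criterion, gcd(f, x^(2^i) - x) = 1 for i = 1 .. deg(f)/2, and computes from Gauss's counting formula how many irreducible polynomials of a given degree exist. Polynomials are represented as Python ints with bit k standing for x^k; the test vectors are small textbook polynomials plus the AES field polynomial.

```python
# Added example: Ben-Or irreducibility test over GF(2) and the count of
# irreducible polynomials of a given degree.  Ints are bit vectors: bit k <-> x^k.


def pmod(a, b):
    """a mod b in GF(2)[x]."""
    while a and a.bit_length() >= b.bit_length():
        a ^= b << (a.bit_length() - b.bit_length())
    return a


def pgcd(a, b):
    """gcd in GF(2)[x] by Euclid."""
    while b:
        a, b = b, pmod(a, b)
    return a


def pmul_mod(a, b, f, n):
    """a*b mod f, where deg f == n and deg a, deg b < n (shift-and-reduce)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= f
    return r


def is_irreducible(f):
    """Ben-Or: f of degree n is irreducible iff gcd(f, x^(2^i) - x) == 1
    for all 1 <= i <= n/2.  Over GF(2), x^(2^i) - x == x^(2^i) ^ x."""
    n = f.bit_length() - 1
    if n < 1:
        return False
    x = 0b10
    h = x                                  # h = x^(2^0)
    for _ in range(n // 2):
        h = pmul_mod(h, h, f, n)           # h = x^(2^i) mod f
        if pgcd(f, h ^ x) != 1:
            return False
    return True


def count_irreducible(n):
    """Brute force over all degree-n polynomials; only sensible for small n."""
    return sum(1 for f in range(1 << n, 1 << (n + 1)) if is_irreducible(f))


def expected_count(n):
    """Gauss: number of monic irreducibles of degree n over GF(2) is
    (1/n) * sum over d | n of mu(d) * 2^(n/d)."""
    def mobius(d):
        m, p = 1, 2
        while p * p <= d:
            if d % p == 0:
                d //= p
                if d % p == 0:
                    return 0
                m = -m
            p += 1
        return -m if d > 1 else m
    return sum(mobius(d) * 2 ** (n // d) for d in range(1, n + 1) if n % d == 0) // n


if __name__ == "__main__":
    print(is_irreducible(0x11B))           # AES polynomial x^8+x^4+x^3+x+1
    print(count_irreducible(8), expected_count(8))
    print(expected_count(32))              # size of the list Matt is after
```

The formula answers the practical question behind the post: there are (2^32 - 2^16)/32 = 134,215,680 irreducible polynomials of degree 32 over GF(2), so a complete list is roughly half a gigabyte at four bytes per entry. For the transmission scheme, a source can instead draw random degree-32 polynomials and keep only those passing `is_irreducible`, which needs just sixteen squarings and gcds per candidate.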

Cryptography-Digest Digest #373

2000-12-20 Thread Digestifier

Cryptography-Digest Digest #373, Volume #13  Thu, 21 Dec 00 02:13:01 EST

Contents:
  Re: Visual Basic Source Code (Paul Schlyter)
  Re: All irreducible polys of degree 32 over GF(2) (Scott Contini)
  Re: does CA need the proof of acceptance of key binding ? ([EMAIL PROTECTED])
  Re: does CA need the proof of acceptance of key binding ? ([EMAIL PROTECTED])



From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Visual Basic Source Code
Date: 21 Dec 2000 05:59:03 +0100

In article 3a3e475b$0$17730$[EMAIL PROTECTED],
Jason Bock [EMAIL PROTECTED] wrote:
 
 Paul Schlyter [EMAIL PROTECTED] wrote in message
 news:91jkva$9v7$[EMAIL PROTECTED]...
 In article 3a3d0b6b$0$90275$[EMAIL PROTECTED],
 Jason Bock [EMAIL PROTECTED] wrote:
 There are situations where it's needed, and other times it's not.
 That's the way I've seen it.

 There are situations where you THINK it's not needed -- but you don't
 really KNOW after some years have passed.  I've been porting some code
 myself which obviously wasn't written with porting in mind.
 
 Guess we have different career insights.  But I did KNOW what the
 timelines were for the projects I was on.
 
So did I.  But did you ever consider what might be beyond the
deadlines of your projects?
 
 There are more pressures in software development that programming
 in a "real programming language."

 Indeed very true -- the pressure to get the software out quickly and
 as cheaply as possible often make developers overlook these issues.
 As a result the overall cost over the entire lifetime of the software
 may go up -- but that doesn't bother the initial project which got
 the first version of the software out the door, since that phase
 probably got somewhat cheaper.
 
 And if that's what the project lead wants (i.e. the one with the money)
 then that is what happens.  I don't necessarily advocate this, but that
 is the bottom line.  You can either choose not do what they want and
 not get the project, or you can work with them.  I personally opt for
 the latter.  I have my views on what software development should really
 be like, but I am usually not in the position to fully steer a project.
 So if quicker is the strongest requirement, I will use a language that
 achieves that goal.
 
Seems like you've got the wrong customers
 
You describe the customer as some kind of dictator, who decides
everything and there's absolutely nothing you can do about it.
That's not quite the case: instead it's a situation of negotiation,
where the customer has his requirements and you have your
requirements.  If the two of you can find an agreement there will be
a deal, otherwise there won't be a deal.  If the customer is only out
to get the job done as cheaply and as quickly as possible, there's of
course little room for negotiation, and then your choices are to
either accept that quick-n-dirty job or to find another customer.
Sometimes (e.g. if you're short on money and you have no other
customers) it may be the best choice to accept that quick-n-dirty job
- at least it has the advantage of ending quite soon.  But if you
find yourself doing these quick-n-dirty jobs constantly all the time,
you should perhaps step back awhile and think about whether this
actually is what you want to do, and if not you should change your
situation.
 
 Or, the project is a prototype,

 Even if the project is a prototype, its code may be useful later in
 the real implementation -- that is, if it is of good enough quality
 to be reused at all...  If it never makes it into a real
 implementation, it becomes my case 1. above...
 
 Although I try to code prototypes as best as I can, I always add the
 qualifier that a prototype is just what it is.  It may lead to different
 ideas and the original one may be canned altogether.  That has nothing
 to do with the effort of the code underneath.  I was just on a project
 where I needed to prototype something on a Jornada unit.  I bet none
 of that code will ever see the light of day for that project, but I
 learned a lot and I will use that code base sometime in the future.
 
You see?  It's useful to have what'll happen beyond your prototype
project even if that particular prototype never makes it into a product.
Code snippets can wander between projects -- if they are good enough,
that is.
 
 or the project doesn't have the lifetime of years on end,

 That was my case 2. above

 etc., etc.  Some projects don't live 20 years - sorry if you haven't
 seen this.

 I've seen it all too much.  I've seen projects which have lived less
 than 1 year -- nevertheless even the code from such projects could
 be reused in other, more long-lived, projects, if it's of good enough
 quality.
 
 It's not just the quality that matters, though.  You have to program with
 reuse in mind.
 
Yes -- however good quality code is more likely to be reusable than
bad quality code.
 
And being reusable is in itself a