Cryptography-Digest Digest #368
Cryptography-Digest Digest #368, Volume #13      Wed, 20 Dec 00 06:13:01 EST

Contents:
  Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (jtnews)
  Re: Possibly another Encryption method - any thoughts ? (Simon Best)
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (Tom St Denis)
  Re: Q: Result of an old thread? (Bryan Olson)
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (Richard E. Silverman)
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (jtnews)
  Re: Q: Result of an old thread? (Simon Best)
  Re: Q: Result of an old thread? (Benjamin Goldberg)
  Re: Q: Result of an old thread? (Simon Best)
  Re: Q: Result of an old thread? (Bryan Olson)
  Re: Mathematical concepts (Joris Vankerschaver)
  Re: Possibly another Encryption method - any thoughts ? (Kirk Whelan)
  Re: Possibly another Encryption method - any thoughts ? (Kirk Whelan)

--

Date: Tue, 19 Dec 2000 20:32:39 -0500
From: jtnews [EMAIL PROTECTED]
Crossposted-To: comp.security.ssh
Subject: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)?

I'm trying to use ssh, should I use protocol 1.0 or 2.0? What's the difference? Which one is more secure?

--

From: Simon Best [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Possibly another Encryption method - any thoughts ?
Date: Wed, 20 Dec 2000 01:54:00 +

Kirk Whelan wrote:

> Hi Simon, thanks for replying, let me see if I can answer the points that you have asked/raised.
>
> I have never heard the term 'security through obscurity' until I started to follow this newsgroup, so I am still learning ( not a bad thing :-) )

[...]

>> When a system relies on people not knowing how it works for security, that's called 'security through obscurity'. It's generally accepted that it's a bad idea. Answer the following questions, in detail, to see why it's bad:
>>
>> 1. What will you do if, during the lifetime of your cryptosystem, you learn that an adversary has found out how your cryptosystem works?
>
> In theory, it shouldn't matter if someone did, in fact I will reveal all, because I still think what I propose still has some life left in it, at this stage. But I don't doubt I could be heading for retirement.

There's no need to retire if one cryptosystem gets broken. What cryptographers usually recommend is that those learning cryptography learn about cryptanalysis, and do cryptanalysis, before devising their own ciphers. (Well, I must admit that I haven't myself followed that recommendation as such, but have spent time analysing mathematically similar problems in mathematically similar things.)

>> 2. What will you do if an adversary finds out how it works, but you never find out that an adversary has found out?
>
> Foiled again !!
>
>> 3. What will you do if a once trusted person turns into an adversary?
>
> Has happened before and will happen again.
>
>> 4. How will you keep possible adversaries from finding out in the first place?
>
> Don't know how to answer that.
>
>> 5. How will you reduce risks from things that haven't even occurred to you, me, or anyone else?
>
> I wish I could see into the future

Alas, we humans generally seem to have great difficulty seeing into the future. What we can do is learn from the past and hope it's a good guide. Understanding how and why past, broken ciphers were broken is a good example here, as you'll then be in a better position to try to avoid such weaknesses in your own ciphers.

[...]

> So there you have it. I only started this so that I could transfer "root" password across the internet :-)

You've gone to all that trouble to transfer a superuser password securely across The Internet? Why not use existing cryptographic software? What about SSL?

> So no more obscurity.

Not entirely. Your description was a bit too vague and ambiguous in places for me to really follow. You need to present it more formally, and spell out what you mean in detail.

> --
> Kirk Whelan

Simon
--
___
Personal: [EMAIL PROTECTED]
Yellow Skies: [EMAIL PROTECTED] http://www.yellowskies.com
Everyone does their own signature to be different. How does that work?

--

From: Tom St Denis [EMAIL PROTECTED]
Crossposted-To: comp.security.ssh
Subject: Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)?
Date: Wed, 20 Dec 2000 03:46:42 GMT

In article [EMAIL PROTECTED], jtnews [EMAIL PROTECTED] wrote:
> I'm trying to use ssh, should I use protocol 1.0 or 2.0? What's the difference? Which one is more secure?

Secure for what?

Tom

Sent via Deja.com
http://www.deja.com/

--

From: Bryan Olson [EMAIL PROTECTED]
Subject: Re: Q: Result of an old thread?
Date: Wed, 20 Dec 2000 04:03:18 GMT

Simon Best wrote:
> I'm about to move on to analysing integer element matrices with a singular S that doesn't
Cryptography-Digest Digest #369
Cryptography-Digest Digest #369, Volume #13      Wed, 20 Dec 00 11:13:02 EST

Contents:
  Re: Q: Result of an old thread? (Walter Hofmann)
  Re: Q: Result of an old thread? (Walter Hofmann)
  Re: In today´s paper I read how Cuban (Tony L. Svanstrom)
  Re: Encrypting messages in images?? ([EMAIL PROTECTED])
  Re: Visual Basic Source Code ([EMAIL PROTECTED])
  Re: SMS security over various networks? (Robert Harley)
  Re: Homebrew Block Cipher: Moonshine (Tim Tyler)
  Re: does CA need the proof of acceptance of key binding ? ([EMAIL PROTECTED])
  Re: does CA need the proof of acceptance of key binding ? ([EMAIL PROTECTED])
  Re: hash function for public key digital signature : one way? ([EMAIL PROTECTED])
  Re: does CA need the proof of acceptance of key binding ? (Anne Lynn Wheeler)
  Re: SMS security over various networks? (Mark Currie)
  Re: SMS security over various networks? (Mark Currie)
  looking for cipher algorithms' comparison ("maciek")
  cipher algorithms once again... ("maciek")

--

From: [EMAIL PROTECTED] (Walter Hofmann)
Subject: Re: Q: Result of an old thread?
Date: Wed, 20 Dec 2000 12:16:02 +0100

On Mon, 18 Dec 2000 22:45:44 +0100, Mok-Kong Shen [EMAIL PROTECTED] wrote:
> Let me quote a previous follow-up of yours to be sure that I understand you:
>
>> So you can change the coefficients of AS by a sufficiently small epsilon>0 to get an invertible matrix, then you can calculate (AS')^-1. Go on to calculate B'=(AS')^-1.ASB then S(epsilon)=SB.B'^-1. In the limit epsilon->0 the matrix S(epsilon) will converge to S as all operations involved are continuous.
>
> You defined B'=(AS')^-1.ASB. But ASB is singular, so B' can't be inverted. Or do you want to apply the epsilon to ASB also?

Now I see what you mean: You cannot invert B' here because I put another factor of S in it. It's probably best to compute things the other way round, otherwise one would need two epsilons: Change ASB to ASB' which is within an epsilon of ASB. Then you can calculate

  B'^-1 = ASB'^-1 . AS
  S = SB . B'^-1

and do the limit process as described above. Is this OK with you now?

Walter

--

From: [EMAIL PROTECTED] (Walter Hofmann)
Subject: Re: Q: Result of an old thread?
Date: Wed, 20 Dec 2000 12:18:21 +0100

On Tue, 19 Dec 2000 01:31:16 +0100, Manuel Pancorbo [EMAIL PROTECTED] wrote:
> "Walter Hofmann"
>> You don't need p,q to do any of the computations above.
>
> Alice needs p,q to compute A^-1, because (det A)^-1 mod N is needed.

This can easily be done without p and q. Use Euclid's algorithm.

Walter

--

Crossposted-To: alt.2600,alt.security,comp.security
Subject: Re: In today´s paper I read how Cuban
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Wed, 20 Dec 2000 12:29:22 GMT

Kirby Urner [EMAIL PROTECTED] wrote:
> Volker Hetzer [EMAIL PROTECTED] wrote:
>> "Markku J. Saarelainen" wrote:
>>
>> This guy, writing under the above pseudonym, floods newsgroups with crap. Check the deja.com archives for alt.politics.cia.org to see what it's like to drown in a sea of garbage.
>
> I've got my filters on of course, but he keeps posting from places.

I thought about killfiling him a long time ago, but he's way too much fun for that. I think I might print and frame this last posting of his. *L*

/Tony
--
 /\___/\  Who would you like to read your messages today?  /\___/\
 \_@ @_/  Protect your privacy: http://www.pgpi.com/       \_@ @_/
--oOO-(_)-OOo-oOO-(_)-OOo--
on the verge of frenzy - i think my mask of sanity is about to slip
---ôôô---ôôô---ôôô---ôôô---
 \O/ \O/  ©99-00 http://www.svanstrom.com/?ref=news        \O/ \O/

--

From: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc,alt.2600.hacker,alt.security
Subject: Re: Encrypting messages in images??
Date: Wed, 20 Dec 2000 13:08:23 GMT

I actually had to do this. Some things were sent to me via USPS to a foreign post, and they got held up in Customs. Customs wanted me to list everything that was there in the local language (not English), and so I had to translate the list. But they gave me the 4th copy, which had *no* visible writing on it.

Anyhow, I scanned the copy, then used Adobe PhotoXpress (or something... don't remember the name) to increase the contrast to the point that I could read it.

Anyhow, that clearly didn't work, so the next time they just never announced that the shipment had come, and THAT worked. They got my stuff the next time.

(Moral: don't ship things via USPS overseas. USPS ships it *to* customs, not *through* customs.)

Sent via Deja.com
http://www.deja.com/

--

From: [EMAIL PROTECTED]
Subject: Re: Visual Basic Source Code
Date: Wed, 20 Dec 2000 13:26:02 GMT

Hi Chad, I've made an
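Walter Hofmann's remark above, that (det A)^-1 mod N needs only Euclid's algorithm and not the factors p, q of N, is shown here as an added example; it is not code from the thread, and the matrices, the moduli (15 = 3·5 and 77 = 7·11 in the test) and the function names are my own constructed choices. The code is handed N only and never sees p or q.

```python
"""Inverting an integer matrix modulo N with nothing but the extended Euclidean
algorithm (added example, not from the thread). N is a product of two primes,
yet the code never uses them: (det A)^-1 mod N follows from gcd(det A, N) = 1."""


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def inv_mod(a, n):
    """a^-1 mod n; fails exactly when gcd(a, n) != 1. No factorisation of n is needed."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("%d is not invertible mod %d" % (a, n))
    return x % n


def minor(m, i, j):
    """m with row i and column j deleted."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]


def det(m):
    """Determinant by Laplace expansion along the first row (fine for small matrices)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))


def inverse_mod(m, n):
    """A^-1 = (det A)^-1 * adj(A) (mod n), valid for composite n whenever gcd(det A, n) = 1."""
    size = len(m)
    d_inv = inv_mod(det(m), n)
    # adjugate: transposed cofactor matrix
    adj = [[(-1) ** (i + j) * det(minor(m, j, i)) for j in range(size)] for i in range(size)]
    return [[(d_inv * adj[i][j]) % n for j in range(size)] for i in range(size)]


def mat_mul_mod(a, b, n):
    rows, inner, cols = len(a), len(b), len(b[0])
    return [[sum(a[i][k] * b[k][j] for k in range(inner)) % n for j in range(cols)]
            for i in range(rows)]


def identity(size):
    return [[int(i == j) for j in range(size)] for i in range(size)]


# Constructed demo: N = 3 * 5, but only N itself is handed to the code.
A = [[3, 5], [5, 3]]
N = 15
A_INV = inverse_mod(A, N)  # [[12, 5], [5, 12]]
```

The adjugate route is used deliberately: with a composite modulus, column-by-column Gauss-Jordan can stall on a column with no unit pivot (in A above, 3 and 5 are both non-units mod 15 even though det A = -16 ≡ 14 is a unit), whereas det(A)^-1 · adj(A) only needs the single inverse that Euclid supplies.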
Cryptography-Digest Digest #370
Cryptography-Digest Digest #370, Volume #13      Wed, 20 Dec 00 16:13:00 EST

Contents:
  Re: Steganography using text as carrier (Richard Heathfield)
  Re: Steganography using text as carrier (Mike Tulley)
  Re: Steganography using text as carrier (Richard Heathfield)
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? ([EMAIL PROTECTED])
  Re: Should I use Protocol 1.0 (RSA) or Protocol 2.0 (DSA)? (jtnews)
  Re: Steganography using text as carrier ([EMAIL PROTECTED])
  Symmetric "key exchange" protocol? (Ichinin)
  Re: cipher algorithms once again... (Simon Johnson)
  Tips in identifying a cipher (Jason Petrone)
  Re: cipher algorithms once again... (John Savard)
  Re: cipher algorithms once again... ("maciek")
  Whitehouse e-mails ("CMan")
  Re: SMS security over various networks? (Simon Johnson)
  Blum Blum Shub ("Dobs")
  Re: Unguessable sequence of unique integers? (Simon Johnson)
  Re: Blum Blum Shub (Chris Rutter)

--

Date: Wed, 20 Dec 2000 11:59:03 +
From: Richard Heathfield [EMAIL PROTECTED]
Subject: Re: Steganography using text as carrier

Mok-Kong Shen wrote:
> [EMAIL PROTECTED] wrote:
>> [snip]
>> is there a way to hide already encrypted messages (ciphertext block) within a *text* carrier,(not within the whitespace) and if so, what are the size constraints of ciphertext to carrier text? as redundancy would not be particularly surprising in spam messages, this might be a promising new avenue for effective steganography.
>
> Steganography is very much an art in my humble view. I don't think that there is any algorithm (automatic means) of doing the job you described, though there are methods of hiding bits in pixels etc. (A number of proceedings on information hiding have been published by Springer Verlag from which more pointers could be obtained.)

Just a thought:

Let C = E(P, K)

So we have an encrypted text, using J Random Encryption Algorithm, and we must assume that our output is in binary format. We can look at this data as a bunch of nybbles.

There are sixteen distinct possible values for a nybble, to which we could ascribe letters as follows:

  IF you feel like it
    Count the frequencies of the nybbles within the ciphertext
    Assign each nybble value, in decreasing order of frequency, to the following letters:
      s, c, a, p, b, r, d, i, m, e, t, f, h, g, l, w
    (based on a cursory inspection of /usr/dict/words)
  ELSE
    Assign each nybble value to some random letter
  ENDIF

(Note: the actual correspondences of nybbles to letters act as a rudimentary key, but there's no real security in that fact as far as I can see.)

  For each nybble in the ciphertext
    Generate a random English word beginning with the corresponding letter

Unassigned letters can be used for "filler" words to make the text more convincing.

Just how effective this steganographic technique could be depends largely on the quality of the text generation algorithm, especially given the constraint that words must be chosen for their initial letters. Of course, like any steganographic technique published in sci.crypt, the technique is somewhat weakened by the fact of its having been published in sci.crypt.

Also, there's a huge amount of redundancy here - you only get four bits of genuine information per English word - less if you use "filler" words. For short messages, however, it could be of some limited usefulness, even if only for a little elementary practice in cryptanalysis. :-)

--
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html

--

From: [EMAIL PROTECTED] (Mike Tulley)
Subject: Re: Steganography using text as carrier
Date: Wed, 20 Dec 2000 16:49:44 GMT

On 19 Dec 2000 18:56:46 -0600, Andre van Straaten [EMAIL PROTECTED] wrote:
> The signs and the omens are everywhere
> But too few see them - too few even care
> (Lee Clayton - singer/songwriter, 1979)

I have a suggestion: you could hide the cyphertext in signatures which claim to be music lyrics. There is no expectation that these will make sense!

Mike

Mike Tulley
("net") = f("ofu")
(my real e-mail address) = f("nlutztAufmvtqmbofu/ofu")

--

Date: Wed, 20 Dec 2000 17:25:30 +
From: Richard Heathfield [EMAIL PROTECTED]
Subject: Re: Steganography using text as carrier

Mike Tulley wrote:
> On 19 Dec 2000 18:56:46 -0600, Andre van Straaten [EMAIL PROTECTED] wrote:
>> The signs and the omens are everywhere
>> But too few see them - too few even care
>> (Lee Clayton - singer/songwriter, 1979)
>
> I have a suggestion: you could hide the cyphertext in signatures which claim to be music lyrics. There is no expectation that these will make sense!

<g>

Or indeed you could hide information in the music score itself. This was done during WWII, apparently. The agent in
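Richard Heathfield's nybble-to-initial-letter scheme, written out as an added example (not the poster's code). Both branches of his IF/ELSE are implemented, filler words come from letters left unassigned, and a decoder shows why the nybble-to-letter mapping has to travel to the recipient as a key. The word list is a constructed stand-in for /usr/dict/words, the "ciphertext" is a constructed byte string, and the function names are mine.

```python
"""Nybble-to-initial-letter text steganography, following the sketch in the post.
Added example, not the poster's code. WORDS is a constructed stand-in for
/usr/dict/words and the 'ciphertext' in demo() is a constructed byte string."""
import random
from collections import Counter

# Letters assigned to nybble values in decreasing order of frequency, as listed in the post.
LETTERS = "scapbrdimetfhglw"

# Constructed toy dictionary keyed by initial letter. Letters outside LETTERS (o, n, u, y)
# are never assigned to a nybble, so their words serve as data-free "filler".
WORDS = {
    "s": ["some", "sail", "stone"], "c": ["cold", "car", "clock"],
    "a": ["apple", "arm", "ant"],   "p": ["pen", "park", "plum"],
    "b": ["book", "bird", "ball"],  "r": ["red", "road", "rain"],
    "d": ["dog", "door", "dust"],   "i": ["ink", "iron", "ice"],
    "m": ["moon", "map", "milk"],   "e": ["egg", "ear", "end"],
    "t": ["tree", "tin", "top"],    "f": ["fish", "fog", "fan"],
    "h": ["hat", "hill", "hand"],   "g": ["gate", "gold", "glass"],
    "l": ["lamp", "leaf", "lock"],  "w": ["wind", "wall", "wool"],
    "o": ["over", "on", "of"],      "n": ["near", "new", "nine"],
    "u": ["under", "up", "use"],    "y": ["yes", "yard", "yellow"],
}


def nybbles(data):
    """High nybble then low nybble of every byte."""
    for b in data:
        yield b >> 4
        yield b & 0xF


def make_key(ciphertext, frequency_based=True, rng=None):
    """The post's IF/ELSE: map nybble values to letters by decreasing frequency
    (ties broken by value) or by a random permutation. This mapping is the
    'rudimentary key' and must reach the recipient by some other channel."""
    if frequency_based:
        counts = Counter(nybbles(ciphertext))
        order = sorted(range(16), key=lambda v: (-counts[v], v))
        return {v: LETTERS[i] for i, v in enumerate(order)}
    letters = list(LETTERS)
    (rng or random.Random()).shuffle(letters)
    return {v: letters[v] for v in range(16)}


def hide(ciphertext, key, rng=None, filler_rate=0.25):
    """One cover word per nybble; filler words (unassigned initials) are sprinkled in."""
    rng = rng or random.Random()
    assigned = set(key.values())
    fillers = [w for letter, ws in WORDS.items() if letter not in assigned for w in ws]
    out = []
    for v in nybbles(ciphertext):
        while rng.random() < filler_rate:
            out.append(rng.choice(fillers))
        out.append(rng.choice(WORDS[key[v]]))
    return " ".join(out)


def recover(text, key):
    """Inverse: initial letter -> nybble; words whose initial is unassigned are skipped."""
    inv = {letter: v for v, letter in key.items()}
    vals = [inv[w[0]] for w in text.split() if w[0] in inv]
    return bytes((vals[i] << 4) | vals[i + 1] for i in range(0, len(vals) - 1, 2))


def bits_per_word(ciphertext, cover):
    """Payload density: the post's 4 bits per word, less once filler is counted."""
    return 8 * len(ciphertext) / len(cover.split())


def demo(seed=0):
    rng = random.Random(seed)
    ciphertext = bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x42])  # constructed stand-in for C = E(P, K)
    key = make_key(ciphertext)
    cover = hide(ciphertext, key, rng)
    return ciphertext, cover, recover(cover, key)
```

The density figure makes the post's redundancy point concrete: six ciphertext bytes need at least twelve cover words, and every filler word pushes the rate below four bits per word.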
Cryptography-Digest Digest #372
Cryptography-Digest Digest #372, Volume #13      Thu, 21 Dec 00 00:13:01 EST

Contents:
  Re: cipher algorithms once again... (Bryan Olson)
  Re: Array shuffling ("Matt Timmermans")
  Re: hash function for public key digital signature : one way? (Bryan Olson)
  All irreducible polys of degree 32 over GF(2) ("Matt Timmermans")
  Re: All irreducible polys of degree 32 over GF(2) (Scott Contini)

--

From: Bryan Olson [EMAIL PROTECTED]
Subject: Re: cipher algorithms once again...
Date: Thu, 21 Dec 2000 02:14:21 GMT

maciek wrote:
> So there are two groups which are practically used these days: block and stream ciphers, am I right?

In a sense, yes that's right. On the other hand, the distinction between block and stream ciphers is relatively unimportant compared to public-key versus secret-key ciphers. Secret key block ciphers are generally combined with some "mode" such as cipher block chaining. The combination is actually a stream cipher (though definitions vary).

--Bryan

Sent via Deja.com
http://www.deja.com/

--

From: "Matt Timmermans" [EMAIL PROTECTED]
Subject: Re: Array shuffling
Date: Thu, 21 Dec 2000 02:22:56 GMT

"Benjamin Goldberg" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> If I convert the output of rand() into a float in the range [0,1), by dividing by (float)(116), the values will have quite decent statistics.

You would think so, but I've been burnt by these RNGs lots of times before, e.g., I've noticed significant visual artifacts when generating graphic effects like Perlin noise using the most significant bits like you do above. I wouldn't even think of using one of these for real statistical or simulation work. You can pass the output from one of these generators through the DIEHARD test suite to see just how badly it does.

These days, when I need a quick RNG that isn't obviously non-random, I'll use one of these generators, and then calculate the CRC of the output. When I want to do accurate random simulations, I'll use a block cipher in CTR mode -- I know you already have some of these around, right?

--

From: Bryan Olson [EMAIL PROTECTED]
Subject: Re: hash function for public key digital signature : one way?
Date: Thu, 21 Dec 2000 02:57:33 GMT

[EMAIL PROTECTED] wrote:
> In current established cryptographic hash algorithms like MD5, SHA-1..., does their one-way property impose extra computational load compared to their design that is only collision free?

No. Of the three security properties usually stated for cryptographic hashes (pre-image resistant, second pre-image resistant, collision resistant) collision resistance is the hardest to achieve. It implies second pre-image resistance, and the only collision resistant but not pre-image resistant hashes are those contrived to exhibit the property.

> In my project, I use SHA-1 to hash a message to be signed, then send the signed message digest and plaintext as digital signature. I think the one-way property is not necessary for the hash function in my project.

I don't know about the needs of your project but there is cause to require the one-way property. Most signature standards, including DSA and PKCS-1 version 1.5, need pre-image resistance to avoid "existential forgery". If the hash is not one-way, an attacker can exhibit a message and a legal signature even though the holder of the private key never signed that message. Such a message is normally not meaningful; it was found as the pre-image of a digest, and in the case of DSA the attacker can't even control the digest.

--Bryan

Sent via Deja.com
http://www.deja.com/

--

From: "Matt Timmermans" [EMAIL PROTECTED]
Subject: All irreducible polys of degree 32 over GF(2)
Date: Thu, 21 Dec 2000 03:10:55 GMT

Note first: I've been on vacation -- sorry to all those I couldn't finish arguing with, and thanks to all those who finished my arguments better than I would have.

To business, then:

I'm looking for a list of all irreducible polynomials of degree 32 with coefficients in GF(2). I've written a program to generate them, but I'd rather not have my computer tied up for the week it would take to generate them all. Does such a list exist elsewhere?

=

In case you're interested, it's for a program that will use CRT secret sharing to do "unsequenced" transmission over unreliable or distributed channels. For instance: You want a file that you can get from 30 different sources, so you tell them all to start transmitting parts to you. Each one repeatedly does the following:

1) Pick a polynomial at random from the above list
2) calculate the "CRC" of the file using the chosen polynomial
3) transmit the CRC and the polynomial to you.

If the file is N words long, then you just have to wait until you get N different CRCs. You can then tell all sources to stop
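Matt Timmermans' scheme, carried through as an added example (not his program): a Rabin irreducibility test for polynomials over GF(2), which is what a generator for his degree-32 list has to run per candidate, and the Chinese-remainder reconstruction that turns N residues under N distinct irreducible moduli back into the N-word file. Assumptions: the "CRC" is taken as the plain remainder of the file polynomial modulo the chosen irreducible (real CRCs add init, xor-out and reflection conventions on top of that), the moduli are sampled on demand instead of read from a stored list, and the file, the number of sources and the function names are constructed.

```python
"""GF(2)[x] toolkit for the scheme above: Rabin's irreducibility test plus CRT
reconstruction of an n-word file from residues under distinct degree-32 moduli.
Added example; 'CRC' here means the plain remainder of the file polynomial
modulo the chosen irreducible, without CRC init/xor-out conventions."""
import random

WORD = 32  # bits per file word; every modulus is an irreducible of this degree


def gf2_deg(a):
    """Degree of a polynomial packed as an int (-1 for the zero polynomial)."""
    return a.bit_length() - 1


def gf2_mul(a, b):
    """Carry-less (XOR) multiplication of two GF(2) polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_divmod(a, m):
    """Quotient and remainder of a / m in GF(2)[x]; m must be non-zero."""
    q, dm = 0, gf2_deg(m)
    while a and gf2_deg(a) >= dm:
        s = gf2_deg(a) - dm
        q ^= 1 << s
        a ^= m << s
    return q, a


def gf2_mod(a, m):
    return gf2_divmod(a, m)[1]


def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def gf2_inv(a, m):
    """a^-1 mod m by extended Euclid over GF(2)[x]; raises if gcd(a, m) != 1."""
    r0, r1, s0, s1 = m, a, 0, 1
    while r1:
        q, r = gf2_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ gf2_mul(q, s1)
    if r0 != 1:
        raise ValueError("not invertible")
    return gf2_mod(s0, m)


def is_irreducible(f):
    """Rabin's test: f of degree d is irreducible over GF(2) iff x^(2^d) == x (mod f)
    and gcd(x^(2^(d/p)) - x, f) == 1 for every prime p dividing d."""
    d = gf2_deg(f)
    if d < 1:
        return False
    x, h, powers = 2, 2, {}
    for i in range(1, d + 1):
        h = gf2_mod(gf2_mul(h, h), f)  # h = x^(2^i) mod f
        powers[i] = h
    if powers[d] != x:
        return False
    for p in range(2, d + 1):
        if d % p == 0 and all(p % q for q in range(2, p)):
            if gf2_gcd(powers[d // p] ^ x, f) != 1:
                return False
    return True


def random_irreducible(degree, rng):
    """Rejection-sample a monic irreducible; about 1 in `degree` candidates passes."""
    while True:
        f = (1 << degree) | rng.getrandbits(degree) | 1  # constant term 1: no factor x
        if is_irreducible(f):
            return f


def make_share(words, rng):
    """What one source transmits: (random irreducible modulus, file remainder)."""
    f = random_irreducible(WORD, rng)
    poly = 0
    for w in words:
        poly = (poly << WORD) | w
    return f, gf2_mod(poly, f)


def reconstruct(shares, n):
    """CRT over GF(2)[x]: n residues under n distinct degree-32 moduli pin down the
    unique polynomial of degree < 32n, i.e. the n-word file. A repeated modulus adds
    nothing, which is why the post waits for N *different* CRCs."""
    distinct = list(dict(shares).items())  # dedupe by modulus
    if len(distinct) < n:
        raise ValueError("need %d distinct moduli, have %d" % (n, len(distinct)))
    chosen = distinct[:n]
    big_m = 1
    for f, _ in chosen:
        big_m = gf2_mul(big_m, f)
    poly = 0
    for f, r in chosen:
        m_i = gf2_divmod(big_m, f)[0]                     # product of the other moduli
        e_i = gf2_mul(m_i, gf2_inv(gf2_mod(m_i, f), f))   # 1 mod f, 0 mod every other modulus
        poly ^= gf2_mul(r, e_i)
    poly = gf2_mod(poly, big_m)
    mask = (1 << WORD) - 1
    return [(poly >> (WORD * i)) & mask for i in reversed(range(n))]


def demo(seed=1):
    """Constructed 4-word file served by 6 sources; any 4 distinct shares suffice."""
    rng = random.Random(seed)
    words = [0xDEADBEEF, 0x00000001, 0x89ABCDEF, 0xFFFFFFFF]
    shares = [make_share(words, rng) for _ in range(6)]
    return words, reconstruct(shares[2:], len(words))  # arrival order and which two are lost do not matter
```

Sampling irreducibles on demand is cheap because roughly one candidate in 32 passes; the week goes into enumerating the whole list, which has about 2^32/32 ≈ 2^27 entries. The reconstruction also shows where the scheme's correctness comes from: distinct monic irreducibles are pairwise coprime, so the CRT solution modulo their product is unique once its degree bound 32n matches the file length.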
Cryptography-Digest Digest #373
Cryptography-Digest Digest #373, Volume #13      Thu, 21 Dec 00 02:13:01 EST

Contents:
  Re: Visual Basic Source Code (Paul Schlyter)
  Re: All irreducible polys of degree 32 over GF(2) (Scott Contini)
  Re: does CA need the proof of acceptance of key binding ? ([EMAIL PROTECTED])
  Re: does CA need the proof of acceptance of key binding ? ([EMAIL PROTECTED])

--

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Visual Basic Source Code
Date: 21 Dec 2000 05:59:03 +0100

In article 3a3e475b$0$17730$[EMAIL PROTECTED], Jason Bock [EMAIL PROTECTED] wrote:
> Paul Schlyter [EMAIL PROTECTED] wrote in message news:91jkva$9v7$[EMAIL PROTECTED]...
>> In article 3a3d0b6b$0$90275$[EMAIL PROTECTED], Jason Bock [EMAIL PROTECTED] wrote:
>>> There are situations where it's needed, and other times it's not. That's the way I've seen it.
>>
>> There are situations where you THINK it's not needed -- but you don't really KNOW after some years have passed. I've been porting some code myself which obviously wasn't written with porting in mind.
>
> Guess we have different career insights. But I did KNOW what the timelines were for the projects I was on.

So did I. But did you ever consider what might be beyond the deadlines of your projects?

> There are more pressures in software development than programming in a "real programming language."

Indeed very true -- the pressure to get the software out quickly and as cheaply as possible often makes developers overlook these issues. As a result the overall cost over the entire lifetime of the software may go up -- but that doesn't bother the initial project which got the first version of the software out the door, since that phase probably got somewhat cheaper.

> And if that's what the project lead wants (i.e. the one with the money) then that is what happens. I don't necessarily advocate this, but that is the bottom line. You can either choose not to do what they want and not get the project, or you can work with them. I personally opt for the latter. I have my views on what software development should really be like, but I am usually not in the position to fully steer a project. So if quicker is the strongest requirement, I will use a language that achieves that goal.

Seems like you've got the wrong customers

You describe the customer as some kind of dictator, who decides everything and there's absolutely nothing you can do about it. That's not quite the case: instead it's a situation of negotiation, where the customer has his requirements and you have your requirements. If the two of you can find an agreement there will be a deal, otherwise there won't be a deal. If the customer is only out to get the job done as cheaply and as quickly as possible, there's of course little room for negotiation, and then your choices are to either accept that quick-n-dirty job or to find another customer. Sometimes (e.g. if you're short on money and you have no other customers) it may be the best choice to accept that quick-n-dirty job - at least it has the advantage of ending quite soon. But if you find yourself doing these quick-n-dirty jobs constantly all the time, you should perhaps step back awhile and think about whether this actually is what you want to do, and if not you should change your situation.

>>> Or, the project is a prototype,
>>
>> Even if the project is a prototype, its code may be useful later in the real implementation -- that is, if it is of good enough quality to be reused at all... If it never makes it into a real implementation, it becomes my case 1. above...
>
> Although I try to code prototypes as best as I can, I always add the qualifier that a prototype is just what it is. It may lead to different ideas and the original one may be canned altogether. That has nothing to do with the effort of the code underneath. I was just on a project where I needed to prototype something on a Jornada unit. I bet none of that code will ever see the light of day for that project, but I learned a lot and I will use that code base sometime in the future.

You see? It's useful to have what'll happen beyond your prototype project even if that particular prototype never makes it into a product. Code snippets can wander between projects -- if they are good enough, that is.

>>> or the project doesn't have the lifetime of years on end,
>>
>> That was my case 2. above
>
>>> etc., etc. Some projects don't live 20 years - sorry if you haven't seen this.
>>
>> I've seen it all too much. I've seen projects which have lived less than 1 year -- nevertheless even the code from such projects could be reused in other, more long-lived, projects, if it's of good enough quality.
>
> It's not just the quality that matters, though. You have to program with reuse in mind.

Yes -- however good quality code is more likely to be reusable than bad quality code. And being reusable is in itself a