Cryptography-Digest Digest #60
Cryptography-Digest Digest #60, Volume #14        Mon, 2 Apr 01 06:13:00 EDT

Contents:
  Re: AES VS. DES (Benjamin Goldberg)
  Re: AES VS. DES (Pascal Junod)
  Re: Data dependent arcfour via sbox feedback (Benjamin Goldberg)
  Re: Malicious Javascript in Brent Kohler post (was: Re: Who is Brent K (Benjamin Goldberg)
  Re: Estimation of the keygen time (Bob Deblier)
  Re: AES VS. DES ("Douglas A. Gwyn")
  __(Preliminary Program) EuroCrypt 2001, May 6 - 10 (kctang)
  Favor needed from intl IE 5.0 user, please test this SSL site (Paul Rubin)
  Re: conferences? (Paul Rubin)
  Re: AES VS. DES (Pascal Junod)
  Re: AES VS. DES (Volker Hetzer)
  Re: AES VS. DES ("Brian Gladman")
  Re: Data dependent arcfour via sbox feedback ("Bryan Olson")
  Re: Data dependent arcfour via sbox feedback ("Bryan Olson")
  Re: DES key replacement. (Paul Schlyter)

----------------------------------------------------------------------

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: AES VS. DES
Date: Mon, 02 Apr 2001 05:59:45 GMT

Latyr Jean-Luc FAYE wrote:
> Hello,
> It's the 2nd time I post this message.
> I would like to know what the differences are between AES and its
> precursor DES.

DES uses a Feistel structure, AES uses a ... I dunno what it's called,
precisely, it's weird :)

DES has 56 bits of security, AES is believed to have 128, 192, or 256 bits
of security.

DES uses 64 bit blocks, AES uses 128 bit blocks.  Rijndael can use larger
blocks if desired.

DES is pretty fast in hardware, but godawful slow in software.  AES is
reasonably fast in both.

> What are the advantages of AES vs. DES?

AES has bigger blocksize, bigger keysizes, and is faster.

> The first time, I got a nice answer from someone on the NG with a link to
> his page about AES and I learnt lots of stuff.

Perhaps John Savard's crypto site?
  http://home.ecn.ab.ca/~jsavard/crypto.htm

To go directly to his rijndael page, use this url
  http://home.ecn.ab.ca/~jsavard/crypto/co040801.htm

For stuff about AES, I would recommend
  http://www.nist.gov/aes

> But I lost the link.
> In fact I am just hoping that anybody having a website on AES or knowing
> a personal website on AES will give me links.  Maybe I will find the one
> I lost.

If it isn't one of the ones I gave, then try using a search engine.

-- 
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.

------------------------------

Date: Mon, 2 Apr 2001 08:21:26 +0200
From: Pascal Junod [EMAIL PROTECTED]
Subject: Re: AES VS. DES

On Sun, 1 Apr 2001, Brian Gladman wrote:

[snip]
> DES is still a very good cipher that has not been broken but increases in
> ...
[snip]

Did you ever read about linear cryptanalysis and differential
cryptanalysis?  I'm not quite sure one can claim that DES is "unbroken"...

A+

Pascal

-- 
~~
* Pascal Junod, [EMAIL PROTECTED]
* Laboratoire de Sécurité et de Cryptographie (LASEC)
* INF 240, EPFL, CH-1015 Lausanne, Switzerland     ++41 (0)21 693 76 17
* Place de la Gare 12, CH-1020 Renens              ++41 (0)79 617 28 57
~~

------------------------------

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: Data dependent arcfour via sbox feedback
Date: Mon, 02 Apr 2001 06:34:44 GMT

The patent does not apply to the proposed cipher, but for an entirely
different reason than the one Bryan Olson claimed.

The proposed variant combines one single input stream of data with the
internal state of a cryptographic object, and produces as output one
single stream of data (and modifies the object's state).

The Dynamic Substitution patent covers combining two input streams with
each other and with the state of a cryptographic object, and producing
one single output stream (and modifying the object's state).

The difference between the proposal and the patent is the number of
input streams, one versus two.
Here's the proposed modified RC4:

    typedef unsigned char byte;
    #define swap(a, b) do { byte _t = (a); (a) = (b); (b) = _t; } while (0)

    byte x, y, z, sbox[256];

    byte encipher(byte data) {
        x = (x + 1) & 255;
        y = (y + sbox[x]) & 255;
        swap( sbox[x], sbox[y] );
        data ^= sbox[(sbox[x] + sbox[y]) & 255] ^ z;
        z ^= sbox[data];        /* feedback: z absorbs the ciphertext byte */
        return data;
    }

    byte decipher(byte data) {
        byte c = data;          /* the ciphertext byte, kept for the z feedback */
        x = (x + 1) & 255;
        y = (y + sbox[x]) & 255;
        swap( sbox[x], sbox[y] );
        data ^= sbox[(sbox[x] + sbox[y]) & 255] ^ z;   /* undo with the z the sender used */
        z ^= sbox[c];           /* same feedback as encipher: from the ciphertext, not the plaintext */
        return data;
    }

If persons A and B both start with a particular sbox, x, y, z, then A
sends r=encipher(q), then B can calculate q=decipher(r).

Here's an example of Dynamic Substitution:

    byte sbox[256], sibox[256];

    byte encipher(byte data1, byte data2) {
        byte dataout = sbox[sbox[data1]];
        swap( sbox[sbox[data1]], sbox[data2] );
        return dataout;
    }

    byte decipher(byte data1, byte data2) {
        byte temp = sibox[data1];
        byte dataout = sibox[temp];
        swap( sibox[data1], sibox[sbox[data2]] );
        swap( sbox[temp], sbox[data
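The following is an added example, not code from Benjamin Goldberg's post: the data-dependent RC4 variant he describes, completed with a key schedule and two checks. The key schedule is the standard RC4 KSA and the feedback byte z starts at 0; both are assumptions here, since the post leaves the shared initial state to the two parties. All names (arc4z_*), the key and the sample message are constructed for this example. The second check shows what the z feedback buys over plain RC4 on the receiving side: a single corrupted ciphertext byte garbles that byte and the one after it, because the receiver's z diverges from the sender's.

```c
/* Added example: data-dependent RC4 variant with ciphertext feedback into z.
 * Key schedule = standard RC4 KSA (assumption); x, y, z start at 0 (assumption). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t x, y, z;
    uint8_t sbox[256];
} arc4z_state;                      /* name constructed for this example */

static void swap_bytes(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }

/* Standard RC4 key schedule (assumption); x, y and the feedback byte z start at 0. */
void arc4z_setup(arc4z_state *s, const uint8_t *key, size_t keylen) {
    for (int i = 0; i < 256; i++) s->sbox[i] = (uint8_t)i;
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + s->sbox[i] + key[i % keylen]);
        swap_bytes(&s->sbox[i], &s->sbox[j]);
    }
    s->x = s->y = s->z = 0;
}

/* Ordinary RC4 PRGA step: advances x, y and the sbox and returns the keystream
 * byte.  This part never depends on the data, so sender and receiver stay in
 * lockstep here whatever bytes are exchanged. */
static uint8_t arc4z_step(arc4z_state *s) {
    s->x = (uint8_t)(s->x + 1);
    s->y = (uint8_t)(s->y + s->sbox[s->x]);
    swap_bytes(&s->sbox[s->x], &s->sbox[s->y]);
    return s->sbox[(uint8_t)(s->sbox[s->x] + s->sbox[s->y])];
}

uint8_t arc4z_encipher(arc4z_state *s, uint8_t p) {
    uint8_t c = p ^ arc4z_step(s) ^ s->z;
    s->z ^= s->sbox[c];                   /* feedback from the ciphertext byte */
    return c;
}

uint8_t arc4z_decipher(arc4z_state *s, uint8_t c) {
    uint8_t p = c ^ arc4z_step(s) ^ s->z; /* z as the sender had it for this byte */
    s->z ^= s->sbox[c];                   /* identical feedback keeps both sides in step */
    return p;
}

static void arc4z_crypt(arc4z_state *s, const uint8_t *in, uint8_t *out, size_t n, int decrypt) {
    for (size_t i = 0; i < n; i++)
        out[i] = decrypt ? arc4z_decipher(s, in[i]) : arc4z_encipher(s, in[i]);
}

static const uint8_t KEY[] = "example key (constructed)";                  /* constructed */
static const uint8_t MSG[] = "the quick brown fox jumps over the lazy dog"; /* constructed */
#define KEYLEN (sizeof KEY - 1)
#define MSGLEN (sizeof MSG - 1)

/* Returns 1 if decrypt(encrypt(MSG)) == MSG when both sides start from the same state. */
int arc4z_roundtrip_ok(void) {
    arc4z_state a, b;
    uint8_t ct[MSGLEN], pt[MSGLEN];
    arc4z_setup(&a, KEY, KEYLEN);
    arc4z_setup(&b, KEY, KEYLEN);
    arc4z_crypt(&a, MSG, ct, MSGLEN, 0);
    arc4z_crypt(&b, ct, pt, MSGLEN, 1);
    return memcmp(pt, MSG, MSGLEN) == 0;
}

/* Effect of one corrupted ciphertext byte at position k on the receiver: bytes
 * before k are intact; byte k is wrong; byte k+1 is also wrong, because the
 * receiver's z now differs from the sender's by sbox[c] ^ sbox[c'], which is
 * non-zero since sbox is a permutation.  Plain RC4 would corrupt byte k only.
 * Returns 1 when exactly that pattern is observed. */
int arc4z_feedback_demo(size_t k) {
    arc4z_state a, b;
    uint8_t ct[MSGLEN], pt[MSGLEN];
    if (k + 1 >= MSGLEN) return 0;
    arc4z_setup(&a, KEY, KEYLEN);
    arc4z_setup(&b, KEY, KEYLEN);
    arc4z_crypt(&a, MSG, ct, MSGLEN, 0);
    ct[k] ^= 0x01;                        /* constructed one-bit corruption in transit */
    arc4z_crypt(&b, ct, pt, MSGLEN, 1);
    return memcmp(pt, MSG, k) == 0 && pt[k] != MSG[k] && pt[k + 1] != MSG[k + 1];
}

int main(void) {
    printf("round trip: %s\n", arc4z_roundtrip_ok() ? "ok" : "FAILED");
    printf("corrupt byte 10: %s\n", arc4z_feedback_demo(10) ? "propagates to byte 11" : "unexpected");
    return 0;
}
```

Note that the x/y/sbox evolution is identical to RC4 and data-independent; only z carries the ciphertext dependence, which is why the receiver's divergence after a corrupted byte is exactly the XOR of two sbox entries.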
Cryptography-Digest Digest #60
Cryptography-Digest Digest #60, Volume #11        Sun, 6 Feb 00 18:13:01 EST

Contents:
  Re: need help with a basic C++ algorithm ("Adrian DuChant")
  Re: NIST, AES at RSA conference (David Wagner)
  Re: Merkle hash tree patent expired (Darren New)
  Re: permission to do crypto research ("Roger Schlafly")
  Re: ([EMAIL PROTECTED])
  Re: NIST, AES at RSA conference (Terry Ritter)
  Re: New to cryptology question, rolling XOR (Tim Tyler)
  Re: Combining LFSR's (Mok-Kong Shen)
  Re: Scaleable Key Permutation Feature ("C. Prichard")
  Re: NIST, AES at RSA conference (David Wagner)
  Re: Scaleable Key Permutation Feature (Mok-Kong Shen)
  CFP --- CHES 200 (Christof Paar)
  Re: NSA opens up to US News ("Henny Youngman")

----------------------------------------------------------------------

From: "Adrian DuChant" [EMAIL PROTECTED]
Subject: Re: need help with a basic C++ algorithm
Date: Thu, 3 Feb 2000 17:04:38 -0800

Cool, Thanks!  The users shouldn't be too interested in accessing the
data, so I was hoping to stay away from doing anything too intense (I lack
the experience for the time being).  This sounds like it should work just
fine though.  Thanks for the help!

Adrian

Trevor Jackson, III [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> Adrian DuChant wrote:
> > Greetings,
> > I am working on a program which will be using clear text files for
> > basic data storage.  I would like to encrypt them and decrypt them at
> > runtime for reading into the program so as to not allow someone to
> > tamper with the data held within.  This only needs to be basic,
> > nothing really intense.  If someone could please give me a hand (or a
> > snippet of code) to make this algorithm it would be most appreciated.
> > TIA
> > Adrian DuChant.
>
> How proficient are the people who might tamper with the data?  There is
> no mechanism that can prevent all tampering.
>
> First, as opposed to obscuring the contents of the data you will need to
> verify the integrity of the data -- that it has not been tampered with.
> If this is the sum total of your interest you do not need to encrypt the
> data, but simply add an integrity check.
>
> Checksums are simple integrity checks.  Message Authentication Codes
> (MAC) are more sophisticated integrity checks.
>
> If you want something really simple just Rot-13 the text (works within
> the 26 letters of the alphabet).  If you want to be ambitious Rot-47 the
> text (works within the 94 characters of printable ASCII minus tilde).
> If the text is mostly numeric data Rot-5 it within the decimal digits.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: NIST, AES at RSA conference
Date: 6 Feb 2000 12:18:33 -0800

In article 87jcgk$l6q$[EMAIL PROTECTED],
Rick Braddam [EMAIL PROTECTED] wrote:
> Didn't Terry qualify his statement in terms of known-plaintext and
> defined plaintext?  Is his statement incorrect *with that
> qualification*?

I didn't think that qualification was much of a qualification.
Typically when we evaluate the strength of a modern cipher, we already
assume that the adversary may be able to mount chosen-text attacks (what
Terry seems to be calling "defined text") -- so if that qualification
introduces a big difference, I'm unable to see what it would be.
(But maybe I'm confused.)

------------------------------

From: Darren New [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Merkle hash tree patent expired
Date: Sun, 06 Feb 2000 20:30:25 GMT

Paul Crowley wrote:
> 4,309,569 expired on September 5, 1999.  This gives a somewhat clunky

> Where can I find a description of the technique?

www.uspto.gov patent number search.

-- 
Darren New / Senior Software Architect / IZ, Inc.
San Diego, CA, USA (PST).  Cryptokeys on demand.
There is no safety in disarming only the fearful.

------------------------------

From: "Roger Schlafly" [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,misc.int-property,misc.legal.computing
Subject: Re: permission to do crypto research
Date: Sun, 6 Feb 2000 12:41:31 -0800

wtshaw [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> You simply structure the query appropriately, like "Let me know if you
> have any objection to my studying how such and such program works."
> No comment, then you have the freedom to study how everything works,
> including using any tools to assist you in that pursuit.

Sounds reasonable to me, but I am still wondering how this works in
practice.  I want to investigate some security aspects of Windows, and I
want to be on the up-and-up, so should I send an email to
[EMAIL PROTECTED]?  My guess is that I could spend all day on the phone
to Microsoft, and no one would even know who has the authority to answer
my question.

In the NY court order against DeCSS, the judge seemed to think that there
was some significance to the question of whether some Norwegian teenager
had asked Hollywood for permission
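An added example, not code from the thread, illustrating Trevor Jackson's reply to Adrian DuChant above. It separates the two things his reply separates: a Rot-N obfuscation of the stored text, and an integrity check computed over it. The check used here is CRC-32 (the IEEE 802.3 polynomial), which is a checksum in his sense: it reliably flags accidental or casual changes, but anyone who can rewrite the file can also recompute it, which is the gap a keyed MAC closes. The Rot-47 here rotates within the 94 printable characters '!' to '~' with space excluded, the usual definition; that range, the function names and the sample record are all constructed for this example.

```c
/* Added example: Rot-N obfuscation plus a CRC-32 integrity tag over a stored record.
 * The CRC is a checksum, not a MAC: it detects corruption, not deliberate tampering. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Rotate c by shift within the closed range [lo, hi]; other characters pass
 * through.  When shift is half the range size the map is its own inverse. */
static int rot_range(int c, int lo, int hi, int shift) {
    if (c < lo || c > hi) return c;
    return lo + (c - lo + shift) % (hi - lo + 1);
}
int rot13(int c) { c = rot_range(c, 'A', 'Z', 13); return rot_range(c, 'a', 'z', 13); }
int rot5(int c)  { return rot_range(c, '0', '9', 5); }
int rot47(int c) { return rot_range(c, '!', '~', 47); }   /* 94 printable chars, space excluded */

/* CRC-32 as used by Ethernet and zlib: reflected, init and final XOR 0xffffffff. */
uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t crc = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xedb88320u & (0u - (crc & 1u)));  /* mask is all-ones iff low bit set */
    }
    return ~crc;
}

/* Obfuscate letters and digits in place (Rot-13 + Rot-5) and return the CRC-32
 * over the obfuscated bytes; the caller stores that tag alongside the text. */
uint32_t obfuscate_and_tag(uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)rot5(rot13(buf[i]));
    return crc32(buf, n);
}

/* Verify the stored tag before using the data.  On success undo the
 * obfuscation in place and return 1; on mismatch leave buf alone and return 0. */
int check_and_restore(uint8_t *buf, size_t n, uint32_t tag) {
    if (crc32(buf, n) != tag) return 0;
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)rot5(rot13(buf[i]));  /* self-inverse */
    return 1;
}

/* Walks the store/verify cycle on a constructed record.  Returns 1 if an
 * untouched record verifies and restores exactly, and a record with one
 * changed byte is rejected. */
int demo_store_and_verify(void) {
    uint8_t rec[] = "score=42;name=player1;level=7";   /* constructed sample record */
    size_t n = sizeof rec - 1;
    uint8_t original[sizeof rec];
    memcpy(original, rec, sizeof rec);

    uint32_t tag = obfuscate_and_tag(rec, n);
    if (memcmp(rec, original, n) == 0) return 0;        /* text must actually have changed */
    if (!check_and_restore(rec, n, tag)) return 0;      /* intact record verifies ... */
    if (memcmp(rec, original, n) != 0) return 0;        /* ... and restores exactly */

    obfuscate_and_tag(rec, n);                          /* re-obfuscate: same bytes, same tag */
    rec[6] ^= 0x01;                                     /* one-byte change while in storage */
    return check_and_restore(rec, n, tag) == 0;         /* must be rejected */
}

int main(void) {
    printf("%s\n", demo_store_and_verify() ? "ok" : "FAILED");
    return 0;
}
```

The layering matters in practice: verify the tag first and only then decode, so a rejected record is never acted on; and if the threat is a user who edits the file on purpose rather than a disk or transfer error, the tag has to depend on a key the user does not hold, which is a MAC, not a checksum.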
Cryptography-Digest Digest #60
Cryptography-Digest Digest #60, Volume #9         Tue, 9 Feb 99 14:13:03 EST

Contents:
  Re: Newbie Says Thanks! (wtshaw)
  Re: GPL'ed RNG (Colin Plumb)
  Re: Encryption for telemedicine (Themos Dassis)
  Summary of Eleven Ciphers (wtshaw)
  Re: 128 bit Everest, 64 bit Coin ("Trevor Jackson, III")
  Re: hardRandNumbGen (Mok-Kong Shen)
  Re: On a Method of Session Key Generation (revised) (Patrick Juola)
  block ciphers ("Vonnegut")
  Re: Q: Obtaining session key (Mok-Kong Shen)
  Re: What is left to invent? ("Trevor Jackson, III")
  Re: SCOTT COMPRESSION ("Peter K. Boucher")
  Re: Encryption Algorithms ("Brian Gladman")
  Everybody Seems to Have a Web Site These Days! (John Savard)
  Re: Intel's description of the Pentium III serial number ("Jimmy D. Smith")
  Re: hardRandNumbGen (R. Knauer)
  Re: How to get gov't approval for crypto (fungus)
  Re: On a Method of Session Key Generation (revised) (R. Knauer)
  Re: What is left to invent? (R. Knauer)

----------------------------------------------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Newbie Says Thanks!
Date: Tue, 09 Feb 1999 07:03:17 -0600

In article [EMAIL PROTECTED], [EMAIL PROTECTED] (DonGraft) wrote:

> I just wanted to thank you for your responses to my query on cracking
> variable length codings.  I am impressed with the level of expertise
> and the range of interesting topics that come up.  So, I'm going to
> stick around!

We will be looking for your next posting.  Thanks for jumping in.
-- 
A much too common philosophy:
It's no fun to have power unless you can abuse it.

------------------------------

Subject: Re: GPL'ed RNG
From: [EMAIL PROTECTED] (Colin Plumb)
Date: Tue, 09 Feb 1999 10:23:21 GMT

In article 79lql2$1i3$[EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
> Is there a GPL or LGPL random number generator that produces "good"
> random numbers?  rand() just isn't cutting it :P

Um, you have to define your metric of "good".  It is not possible to
implement a true RNG without hardware help, so information about your
execution environment is required.

If you just want a pseudo-random number generator, random() is better
than rand(), and George Marsaglia's recently posted KISS generator is
extremely good for a non-cryptographic generator.  KISS can be written as:

    #include <stdint.h>
    typedef uint32_t word32;    /* the 32-bit unsigned type the macros below assume */

    struct rand_state {
        word32 w, x, y, z;
    };

    /* Two multiply-with-carry generators on the low 16 bits, with the
     * previous high half acting as the carry */
    #define wnew(w) ((w) = 18000 * ((w) % 65536) + ((w) >> 16))
    #define znew(z) ((z) = 36969 * ((z) % 65536) + ((z) >> 16))
    /* Linear congruential generator */
    #define LCG(x)  ((x) = 69069 * (x) + 1234567)
    /* Three-shift shift-register generator */
    #define SHR3(y) ((y) ^= (y) << 17, (y) ^= (y) >> 13, (y) ^= (y) << 5)
    /* Combined output; r is a struct rand_state * */
    #define KISS(r) ((((znew((r)->z) << 16) + wnew((r)->w)) ^ LCG((r)->x)) + SHR3((r)->y))

The period of w is 18000*2^15-1 = 589823999, a prime.
The period of x is 2^32 = 4294967296
The period of y is 2^32-1 = 4294967295
The period of z is 36969*2^15-1 = 1211400191, a prime

Thus, the total period is 13180436693658741103741078002865274880, 1.318e37,
a bit over 2^123.  The least significant bit has a lower period of only
506654957105410, 5.067e18, a bit under 2^62, which is still plenty for most
applications.

w and z should be initialized to values between 1 and their periods.
y should be initialized to a non-zero value, and x can be set to anything.

I seeded this from 3 32-bit values w, x and z where I know they are not
all zero using the following snippet.

    /*
     * Now ensure that seed constraints are met.
     * w should be between 1 and 589823999.
     * x can be anything between 0 and 2^32-1.
     * y should be between 1 and 2^32-1.
     * z should be between 1 and 1211400191.
     */
    r->w = w % 589823999 + 1;
    r->x = x;
    r->z = z % 1211400191 + 1;

    /*
     * Finally, we initialize y.  Since the range desired for y,
     * 2^32-1, exactly divides the range available from the
     * triple-width number wxz, 2^96-1, the remainder modulo 2^32-1
     * will be uniformly distributed.  Fortunately, due to the special
     * form of the modulus, this computation is easy.
     * Since tv_usec always has the high bit clear, the input x is never
     * zero.  And since mix() preserves non-zeroness, the full value wxz
     * here is never 0, so the result computed here is never 0.
     */
    y = w + x;
    y += y < x;         /* End-around carry */
    y += z;
    y += y < z;         /* End-around carry */
    r->y = y;

This will do for most simulation purposes.  If you need cryptographic
strength, please be more specific about your needs.  Note that
cryptographic strength also requires some truly random seed material.
The sources you have available will affect the optimal design.
-- 
        -Colin

------------------------------

From: Themos Dassis [EMAIL PROTECTED]
Subject: Re: Encryption for telemedicine
Date: Tue, 09 Feb 1999 16:48:38 +0200

On the line we need integrity protection, protection against
non-repudiation,
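An added example, not code from Colin Plumb's post, that writes his KISS description out as plain functions and carries the seeding rule through. The part worth checking is the y seed: the two "end-around carry" additions are ones'-complement addition, i.e. reduction modulo 2^32-1 in which a zero residue comes out as 0xffffffff, which is exactly why non-zero inputs can never leave SHR3 stuck at zero. The function names (kiss_*, add_end_around) and the seed words used in main are constructed for this example; the all-zero fallback in kiss_seed is also added here, since the post's seed source rules that case out and the snippet does not handle it.

```c
/* Added example: KISS (as described in the post above) as functions, with
 * the seeding constraints and the ones'-complement y seed made explicit. */
#include <stdint.h>
#include <stdio.h>

struct kiss_state { uint32_t w, x, y, z; };

/* Multiply-with-carry on the low 16 bits; the old high half is the carry. */
static uint32_t mwc_w(struct kiss_state *r) { return r->w = 18000u * (r->w & 0xffffu) + (r->w >> 16); }
static uint32_t mwc_z(struct kiss_state *r) { return r->z = 36969u * (r->z & 0xffffu) + (r->z >> 16); }
/* Linear congruential generator, period 2^32. */
static uint32_t lcg(struct kiss_state *r)   { return r->x = 69069u * r->x + 1234567u; }
/* Three-shift register generator, period 2^32-1 from any non-zero seed. */
static uint32_t shr3(struct kiss_state *r) {
    r->y ^= r->y << 17;
    r->y ^= r->y >> 13;
    r->y ^= r->y << 5;
    return r->y;
}

/* One KISS output: ((z_mwc << 16) + w_mwc) ^ lcg, plus shr3.  The four
 * components touch disjoint state, so their evaluation order is immaterial. */
uint32_t kiss_next(struct kiss_state *r) {
    uint32_t mwc = (mwc_z(r) << 16) + mwc_w(r);
    return (mwc ^ lcg(r)) + shr3(r);
}

/* Ones'-complement addition: a + b reduced modulo 2^32-1, with a zero residue
 * represented as 0xffffffff.  Non-zero inputs therefore never produce 0. */
uint32_t add_end_around(uint32_t a, uint32_t b) {
    uint32_t s = a + b;
    return s + (s < a);             /* s < a iff the addition wrapped; add the carry back */
}

/* Seed from three 32-bit words, following the constraints in the post:
 * w in [1, 589823999], z in [1, 1211400191], y non-zero, x unrestricted. */
void kiss_seed(struct kiss_state *r, uint32_t w, uint32_t x, uint32_t z) {
    r->w = w % 589823999u + 1;
    r->x = x;
    r->z = z % 1211400191u + 1;
    r->y = add_end_around(add_end_around(w, x), z);
    if (r->y == 0)                  /* only possible when w == x == z == 0 */
        r->y = 0xffffffffu;         /* fallback added here so shr3 never sits at zero */
}

/* Seeds a state from (w, x, z) and returns 1 if it meets all the constraints. */
int kiss_seed_ok(uint32_t w, uint32_t x, uint32_t z) {
    struct kiss_state r;
    kiss_seed(&r, w, x, z);
    return r.w >= 1 && r.w <= 589823999u &&
           r.z >= 1 && r.z <= 1211400191u &&
           r.y != 0;
}

/* Returns 1 if two generators seeded identically agree on their first n outputs. */
int kiss_deterministic(uint32_t w, uint32_t x, uint32_t z, int n) {
    struct kiss_state a, b;
    kiss_seed(&a, w, x, z);
    kiss_seed(&b, w, x, z);
    for (int i = 0; i < n; i++)
        if (kiss_next(&a) != kiss_next(&b)) return 0;
    return 1;
}

int main(void) {
    struct kiss_state r;
    kiss_seed(&r, 0x12345678u, 0x9abcdef0u, 0x0fedcba9u);   /* constructed seed words */
    for (int i = 0; i < 4; i++)
        printf("%08x\n", kiss_next(&r));
    return 0;
}
```

As the post says, this is a simulation-grade generator: its state is four words that are updated by invertible arithmetic, so it is not a substitute for a cryptographic generator seeded from genuine entropy.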