Cryptography-Digest Digest #827
Cryptography-Digest Digest #827, Volume #13        Wed, 7 Mar 01 10:13:01 EST

Contents:
  Re: One-time Pad really unbreakable? (Tim Tyler)
  Re: One time authentication ("Henrick Hellström")
  IDEA test vectors ("rowan")
  Applied Cryptography - SCHNEIER ("Latyr Jean-Luc FAYE")
  Re: AES and DES ("Latyr Jean-Luc FAYE")
  Re: AES and DES ("Latyr Jean-Luc FAYE")
  Super-strong crypto..(As if). (Keill_Randor)
  Re: Applied Cryptography - SCHNEIER ("Jakob Jonsson")
  Re: One-time Pad really unbreakable? (John Savard)
  Re: AES and DES (John Savard)
  Re: One-time Pad really unbreakable? ("Mxsmanic")
  Re: One time authentication ("Scott Fluhrer")
  Problem with BBS implementation ("Dobs")
  Re: PKI and Non-repudiation practicalities (Vernon Schryver)
  Question re Asymmetric Encr'n ("Arnold Shore")
  Re: PKI and Non-repudiation practicalities (Anne Lynn Wheeler)
  Re: Problem with BBS implementation ("Tom St Denis")
  Re: PKI and Non-repudiation practicalities (Anne Lynn Wheeler)
  Re: Question re Asymmetric Encr'n ("Tom St Denis")

----------------------------------------------------------------------------

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: One-time Pad really unbreakable?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 7 Mar 2001 11:00:09 GMT

Mxsmanic [EMAIL PROTECTED] wrote:

: One-time pads are indeed unbreakable, and provably so.

Only in mathematical never-never land.

The OTP "specification" does not offer any prescription for the generation
of suitable random numbers - and since no such recipe is likely to be
forthcoming, the "provably secure" OTP will never make it off the paper and
into the real world.

For a summary of the problems involved, see:
http://www.io.com/~ritter/NEWS2/OTPCMTS.HTM
-- 
__  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre  http://mandala.co.uk/  Destroy Microsoft.

------------------------------

From: "Henrick Hellström" [EMAIL PROTECTED]
Subject: Re: One time authentication
Date: Wed, 7 Mar 2001 12:26:45 +0100

"Tim Tyler" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> The OTP has long been regarded as providing "perfect secrecy" - assuming
> a shared unguessable stream exists.
>
> However, the OTP provides no authentication - it is subject to
> bit-flipping attacks (unless message signatures are used) and a known
> plaintext recovers the entire key.
>
> I have heard that there is an authentication scheme that works on a
> similar principle to the OTP - rather than relying on "confusion"
> sequences.
>
> While not providing "perfect" authentication, I hear this offers the
> guarantee that the recipient is who they claim to be, and that their
> message has not been tampered with, with a probability of failure of
> 1/2^N where N is the number of bits of signature employed.

PCFB-mode does that.

> Again, this is subject to the proviso that a suitably "random" shared
> secret is available.
>
> I have not succeeded in locating further details of such a "perfect"
> signature scheme.
>
> Can anyone provide a pointer to something like this?  Or offer a brief
> description?

http://www.streamsec.com/pcfb.htm

> Comments and suggestions are appreciated.

-- 
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com

------------------------------

From: "rowan" [EMAIL PROTECTED]
Subject: IDEA test vectors
Date: Wed, 7 Mar 2001 12:01:49 -

Has anyone got IDEA test vectors with output after each round? I have one
for after all the encryption but I'd like some that are more specific.

------------------------------

From: "Latyr Jean-Luc FAYE" [EMAIL PROTECTED]
Subject: Applied Cryptography - SCHNEIER
Date: Wed, 7 Mar 2001 12:20:27 -

Hi

I bought one printed copy of the book Applied Cryptography in a book shop.
But I have to share it with four other people. So I think that it can be
easier for us to have it in PDF and put it on our Intranet.

Where can I buy the PDF version of the book?

Thanks in advance.

Latyr
-- 
Latyr Jean-Luc FAYE
http://faye.cjb.net

------------------------------

From: "Latyr Jean-Luc FAYE" [EMAIL PROTECTED]
Subject: Re: AES and DES
Date: Wed, 7 Mar 2001 12:23:45 -

Thank you.

I have downloaded the HAC and bought the AC of Bruce Schneier

Latyr
-- 
Latyr Jean-Luc FAYE
http://faye.cjb.net

"Tom St Denis" [EMAIL PROTECTED] wrote in message
news: 9m6p6.30932$[EMAIL PROTECTED]
> "Latyr Jean-Luc FAYE" [EMAIL PROTECTED] wrote in message
> news:[EMAIL PROTECTED]...
> > Hi
> >
> > As I told in my previous submission, I am beginning in Crypto.
> > I read some stuff about AES that will replace DES.
> > Can somebody explain to me the differences and the advantages.
> > A brief discussion or some useful links with this
Cryptography-Digest Digest #827, Volume #12        Tue, 3 Oct 00 14:13:01 EDT

Contents:
  Is there any keyed MD5 or Blowfish encryption software out there? ([EMAIL PROTECTED])
  Re: is NIST just nuts? (Tom St Denis)
  Re: Looking Closely at Rijndael, the new AES (Tom St Denis)
  Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Tom St Denis)
  Re: Is there any keyed MD5 or Blowfish encryption software out there? (Tom St Denis)
  Re: Signature size ("Michael Scott")
  Re: Choice of public exponent in RSA signatures (Francois Grieu)
  Re: Any products using Rijndael? (Tom St Denis)
  Re: Advanced Encryption Standard - winner is Rijndael (Tom St Denis)
  Re: It's Rijndael (Tom St Denis)
  Re: Requirements of AES (Tom St Denis)
  Re: AES Rijndael 9 Round not secure ? (David Crick)
  key management on static system ("Jason R. Coombs")
  Re: Shareware Protection Schemes (Ichinin)
  Re: Advanced Encryption Standard - winner is Rijndael (Jim Gillogly)
  Re: It's Rijndael (David Crick)
  Authenticating a PIN Without Compromising the PIN (Guy Lancaster)
  Re: Shareware Protection Schemes (Mike Rosing)
  Re: NIST Statistical Test Suite (Mok-Kong Shen)
  Re: is NIST just nuts? (Jim Gillogly)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Is there any keyed MD5 or Blowfish encryption software out there?
Date: Tue, 03 Oct 2000 16:55:58 GMT
Reply-To: [EMAIL PROTECTED]

Hello,

Your help is MUCH appreciated...

I'm looking for a DLL, Active-X control or .Bas module that implements a
Keyed MD5 scheme which can be used outside of the US too.

I am using VB on the front end and Unix/C on the back end so it must be
implemented in both Unix/C and VB so that I can encrypt and decrypt strings
to and from each other.

So far I have searched the web and have come up with nothing that:

1) Has both a VB and C/Unix implementation
2) Can take in a Key for encrypting/decrypting
3) Can be used outside of the US also (I hear that if the control
   implements DES also, you are considered an arms dealer if you export it)

Thanks in Advance,

Scott
[EMAIL PROTECTED]

Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 16:56:30 GMT

In article [EMAIL PROTECTED],
  Jim Gillogly [EMAIL PROTECTED] wrote:
> Tom St Denis wrote:
> > Yeah, but given all our advances in crypto we can barely break 9
> > rounds of Serpent because it was designed to resist these attacks.
> > Rijndael suffers 8 of 10 rounds.
>
> The Counterpane paper describes an attack on 7 rounds, which they seem
> to indicate is not practical: it uses 2^128 known texts, i.e. the entire
> codebook, 2^120 work and 2^64 bits of memory.  This is an interesting
> attack and result, but it's obviously completely academic, and I
> wouldn't consider it a break of 7-round Rijndael.  They do not (yet)
> extend the 7-round attack to an 8-round attack: at that point they move
> to the longer key sizes.

I never said the attack could be used.  In 1977 searching a 56-bit key
space was academic too.

Tom

Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Looking Closely at Rijndael, the new AES
Date: Tue, 03 Oct 2000 16:59:10 GMT

In article [EMAIL PROTECTED],
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> [EMAIL PROTECTED] (John Savard) wrote in [EMAIL PROTECTED]:
>
> > I hadn't really made up my mind about Rijndael. Given comments made
> > about its security, I tended to be somewhat dismayed that security
> > didn't play a larger role in the selection process, but since from
> > the outset efficiency and speed were known to play a large role in
> > the selection, Rijndael seems to be the proper winner.
>
> As much as I bad mouth the whole AES effort. I have tried to think what
> I would do if I was to judge a cipher for the specifications listed.
> I don't think any small fast cipher can really be secure but I think
> the security part has to be judged from two points of view. One: does
> anyone have a reasonable break for the whole cipher. That being done,
> you treat all the remaining as at the same security level. Which of
> course is untrue but one should not speculate the order in which they
> will be broken since they all will. If and when it gets easily broken
> you run another contest. But of those that pass the so called security
> checks. You then go to the one that is cheapest to implement in the
> wide variety of uses that cipher was meant for. After all only a small
> degree of security is needed. One can't prove how secure each of these
> ciphers are to each other. You only get a real measure if one is broken
> at which point you throw that cipher out. This was intended for
> commercial use. These ciphers should not be used by anyone who wants
> private truly secure encryption. For example the govern
Cryptography-Digest Digest #827, Volume #11        Sat, 20 May 00 22:13:00 EDT

Contents:
  Re: Reasonably secure OTP passing (Guy Macon)
  Re: FAQ out of date? (David A Molnar)
  Re: ALIENS - RELIGION ("Leo Sgouros")
  dining cryptographers in the disco - any code anywhere? (lose the crustacean to email me)
  Re: More on Pi and randomness ("r.e.s.")
  Re: QUESTIONS About ALGOS !! ("Scott Fluhrer")
  Re: Reasonably secure OTP passing (John Savard)
  Re: what is the status finite automata base cryptosystems? (Chris Pollett)
  Re: Jobs at Cloakware ("Trevor L. Jackson, III")
  Re: ALIENS - RELIGION ("Sven Kalbitzer")
  Re: dining cryptographers in the disco - any code anywhere? (David A Molnar)
  Re: dining cryptographers in the disco - any code anywhere? (David A Molnar)
  Re: dining cryptographers in the disco - any code anywhere? ("Leo Sgouros")
  Re: On-line authentication protocol (Thomas Wu)
  Re: QUESTIONS About ALGOS !! (tomstd)
  Re: On-line authentication protocol (stanislav shalunov)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Reasonably secure OTP passing
Date: 20 May 2000 17:57:17 EDT

In article [EMAIL PROTECTED], [EMAIL PROTECTED] wrote:

> This is why this method has, in general, been rejected out of hand.
> Why go to all the trouble of generating so many true random numbers?
> Why use up twice the bandwidth?  It's so much simpler to just use a
> better conventional cryptosystem.

While I agree about the rest of what you say, the above (which I see here
in many other folks' posts) seems to have a flaw in its logic.  It assumes
that everyone who uses cryptosystems has the following properties:

[1] They know which available cryptosystems are better or worse.

[2] They currently do not use the best available cryptosystem.

It seems to me that, for most users, the following is more accurate:

[1] They have some clue as to which available cryptosystems are better or
    worse, but they really can't be sure.

[2] They currently use what they believe to be the best available
    cryptosystem, but they are not sure that they chose wisely.

In that case, they can't make tradeoffs between using a better
cryptosystem and improving the present scheme.  Instead they must make
tradeoffs between their valuation of various costs such as bandwidth,
time to learn the new system, etc., the estimated added security of the
change, the estimated resources of the attacker, and the cost of having
someone crack the cryptosystem.

------------------------------

From: David A Molnar [EMAIL PROTECTED]
Subject: Re: FAQ out of date?
Date: 20 May 2000 21:34:08 GMT

tomstd [EMAIL PROTECTED] wrote:
> I just briefly poked at the FAQ today, and saw mention of something
> called PES?  Good god that is old!!!

If you look at the first section of the FAQ, you'll see a mysterious note
from the Crypt Cabal that indicates a revamp of the FAQ is underway. I
don't know anything more about it than that.

Back in September, I was considering a project aimed at assembling
volunteers to just go ahead and create an updated FAQ. The note from the
Crypt Cabal pre-empted that (strange timing - I wonder how that worked
out... :) . Looking back on how much time I have not had this year, it is
probably just as well.

Still, it has been months since that note, and no sign of progress. I can
understand this, though -- I need to write a next draft of that FAQ on
quantum computation...

Thanks,
-David

------------------------------

From: "Leo Sgouros" [EMAIL PROTECTED]
Crossposted-To: alt.alien.research,alt.alien.visitors
Subject: Re: ALIENS - RELIGION
Date: Sat, 20 May 2000 22:06:30 GMT

You speak the truth about this Bible Code book.
Can you tell him why?
It's about how you can fudge codes out of alphabets with missing letters
when you make the right blocks out of them, and draw the right goofy lines.
B:.B:.
"it is finished"
--
"and the four had one likeness, and their appearance and their work was as
it were a wheel in the middle of a wheel"
www.mkshadows.net

"E. L." [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> Jonny:
>
> You're referring to Ezekiel 2:12, 14-15.  No one knows what he claims he
> saw.  I would simply say that as in modern times, people are being
> picked up by tornadoes and being deposited a distance from where they
> were picked up.
>
> Regarding the book "The Bible Code," disabuse yourself from reading
> ANYTHING into it.  Do research here on the web and read all the prosaic
> explanations for why there is no such thing as a bible code or, as you
> say below, "...it gives you another perspective on the reasoning behind
> the existence of the book (the Bible)."  It doesn't do any of the sort.
> The only perspective you get is the author's.
>
> ==
> Group: alt.alien.research Date: Sat, May 20,
Cryptography-Digest Digest #827, Volume #10        Sun, 2 Jan 00 21:13:01 EST

Contents:
  Re: meet-in-the-middle attack for triple DES (Mok-Kong Shen)
  Re: cracking Triple DES (David Wagner)
  Re: RFC1750: Randomness Recommendations for Security (1 of 2) (Mok-Kong Shen)
  Re: meet-in-the-middle attack for triple DES (Bill Unruh)
  Re: cracking Triple DES (Mok-Kong Shen)
  Re: meet-in-the-middle attack for triple DES (Bill Unruh)
  Re: vigenere decrypt routine - help needed (Bill Unruh)
  Re: stupid question (Guy Macon)
  Re: Wagner et Al. (Guy Macon)
  test ("Jester")
  Re: meet-in-the-middle attack for triple DES (Scott Fluhrer)
  Re: Wagner et Al. ("Daniel Roethlisberger")
  Re: encryption algorithm with 21-character results? (David Hopwood)
  Re: RFC1750: Randomness Recommendations for Security (1 of 2) (Michael Sierchio)

----------------------------------------------------------------------------

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: meet-in-the-middle attack for triple DES
Date: Sun, 02 Jan 2000 22:17:58 +0100

P. Daniel Suberviola, II wrote:

> This is wonderful, but how would it help in the real world?  It seems to
> me like circular logic; if you already know the plaintext and
> ciphertext, what good is it to know the keys?  Further, how would this
> help you in real life over a brute-force attack, since when you really
> need to break something you will know absolutely nothing except for the
> ciphertext and the keys are sure to be different?

If one could manage to have each block encrypted by a different key, then
such attacks would in my humble opinion be pointless for any common block
encryption algorithm that offers sufficient difficulty to determine the
key from only one single pair of corresponding plain and cipher texts. On
the further assumption that the key stream is not (or barely) subjected to
inference, this would seem to leave the adversary no other means in
practice but to brute force the 'key' that generates the said key stream.
(Note that the key stream is used 'indirectly' here, in distinction to its
usage in common stream encipherments.) Other techniques like the
differential analysis would be useless for the same reason, as I argued
previously. I should very much appreciate comments, if there are flaws in
the above line of humble thoughts of mine.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: cracking Triple DES
Date: 2 Jan 2000 14:14:18 -0800

In article [EMAIL PROTECTED],
John E. Gwyn [EMAIL PROTECTED] wrote:
> DJohn37050 wrote:
> > Attack in the middle.  Attack one pair of keys with 2**112 and the
> > other with 2**56 and look for matches.
>
> Easier said than done.  How are you going to implement "look for
> matches"?  Store 2^56 blocks of on the order of 64 bits each, or set up
> a hash table that big?

van Oorschot & Wiener's `parallel collision search' is useful here.
See their paper on speeding up meet-in-the-middle attacks by orders of
magnitude; I think it was in a recent CRYPTO proceedings.

------------------------------

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: RFC1750: Randomness Recommendations for Security (1 of 2)
Date: Sun, 02 Jan 2000 23:44:56 +0100

Tiny remarks:

1. If I don't err, lossless compression on sufficiently 'random'
   sequences might even result in expansion instead of compression with
   some compression schemes.

2. BBS probably might not be so good as its fame in the literature
   suggests. See Terry Ritter's web page.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: meet-in-the-middle attack for triple DES
Date: 2 Jan 2000 22:54:13 GMT

In 386d279e$0$[EMAIL PROTECTED] "P. Daniel Suberviola, II" [EMAIL PROTECTED] writes:

> According to Schneier, C = EK3(DK2(EK1(P))) and P = DK1(EK2(DK3(C))).
> That part makes sense.  However, he claims that there is a
> meet-in-the-middle attack to break this.  Could someone please briefly
> explain to me how this would be done?

Known plaintext. For all keys 1 2 3, evaluate and store

  Y(k1,k2) = Dk2(Ek1(P))
  Z(k3)    = Dk3(C)

Search through the list to find k1, k2 and k3 such that Z(k3) = Y(k1,k2).

Requires just 2^(L(k1)+L(k2)) + 2^L(k3) instead of 2^(L(k1)+L(k2)+L(k3))
encryptions. But requires huge storage space (2^(L(k1)+L(k2))).
( L(k1) = length of key 1 )

> This is wonderful, but how would it help in the real world?  It seems to
> me like circular logic; if you already know the plaintext and
> ciphertext, what good is it to know the keys?  Further, how would this
> help you in real life over a brute-force attack, since when you really
> need to break something you will know absolutely nothing except for the
> ciphertext and the keys are sure to be different?
>
> I'd appreciate it very much if someone could clear all of this up for me.

No, you often do know a bit of the plain text (a crib), and you want to
know it all. For example each message could start with a salutation say
"Heil
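Bill Unruh's sketch above, worked through as an added example that is not part of the digest: a Python meet-in-the-middle key recovery against triple encryption in the EDE form C = E_k3(D_k2(E_k1(P))), run against a constructed 16-bit toy Feistel cipher with 8-bit keys (the toy cipher, the secret key and the known-plaintext pairs are all constructed here; nothing in it is DES). It shows the trade he describes, about 2^16 + 2^8 cipher operations and a 2^16-entry table instead of 2^24 operations, and why extra known pairs are needed to discard the chance matches a small block produces. This is the reason two-key triple encryption is credited with roughly 2^(2L) rather than 2^(3L) strength.

```python
"""Toy meet-in-the-middle against triple encryption, C = E_k3(D_k2(E_k1(P))).

Constructed example: a throw-away 16-bit Feistel cipher with 8-bit keys so
that the whole attack runs in well under a second.  Nothing here is DES.
"""
from collections import defaultdict

ROUNDS = 4

def _f(x, k, rnd):
    """Toy round function (constructed): key-XOR, byte rotate, affine map."""
    x = (x ^ k ^ ((rnd * 0x5D) & 0xFF)) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return (x * 37 + 0x63) & 0xFF

def enc(block, key):
    """Encrypt one 16-bit block under an 8-bit key (Feistel, ROUNDS rounds)."""
    l, r = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 8) | r

def dec(block, key):
    """Inverse of enc: the same rounds applied in reverse order."""
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 8) | r

def triple_enc(p, k1, k2, k3):
    """EDE triple encryption, the construction Suberviola quotes from Schneier."""
    return enc(dec(enc(p, k1), k2), k3)

def mitm_triple(pairs):
    """Recover (k1, k2, k3) from known (P, C) pairs following Unruh's sketch:
    tabulate Y(k1,k2) = D_k2(E_k1(P)) for every k1,k2, then for each k3 look up
    Z(k3) = D_k3(C) in the table.  The remaining pairs weed out chance matches.
    Returns (surviving key triples, cipher operations spent on table + lookups)."""
    p0, c0 = pairs[0]
    work = 0
    table = defaultdict(list)              # Y value -> list of (k1, k2)
    for k1 in range(256):
        for k2 in range(256):
            table[dec(enc(p0, k1), k2)].append((k1, k2))
            work += 2                      # one E and one D per entry
    found = []
    for k3 in range(256):
        z = dec(c0, k3)
        work += 1
        for k1, k2 in table.get(z, ()):
            # 2^16 table entries over a 16-bit block: nearly every Z(k3) hits
            # something, so confirm each candidate on the other known pairs.
            if all(triple_enc(p, k1, k2, k3) == c for p, c in pairs[1:]):
                found.append((k1, k2, k3))
    return found, work

def demo():
    """Constructed known-plaintext pairs under the secret triple (0x3C, 0xA7, 0x19)."""
    secret = (0x3C, 0xA7, 0x19)
    plaintexts = [0x1234, 0xBEEF, 0x0042]
    pairs = [(p, triple_enc(p, *secret)) for p in plaintexts]
    keys, work = mitm_triple(pairs)
    return secret, keys, work

if __name__ == "__main__":
    secret, keys, work = demo()
    print("true key  :", secret)
    print("recovered :", keys)
    print("cipher ops:", work, "vs exhaustive search ~", 3 * 256 ** 3)
```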
Cryptography-Digest Digest #827, Volume #9         Sun, 4 Jul 99 00:13:06 EDT

Contents:
  Re: OTP is it really ugly to use or not? (Jim Dunnett)
  Re: MP3 Piracy Prevention is Impossible (Wim Lewis)
  Re: Can Anyone Help Me Crack A Simple Code? ("Douglas A. Gwyn")
  Re: RSA or DIFFIE-HELLMANN ("Douglas A. Gwyn")
  Re: MP3 Piracy Prevention is Impossible ("Douglas A. Gwyn")
  Re: Can Anyone Help Me Crack A Simple Code? (wtshaw)
  Re: Kryptos article ("Douglas A. Gwyn")
  Re: MP3 Piracy Prevention is Impossible (wtshaw)
  Something the bit-twiddlers might like (wtshaw)
  RSA Padding (S.T.L.)
  Ciphers based on HASH functions ([EMAIL PROTECTED])
  Re: Can Anyone Help Me Crack A Simple Code? (Jerry Coffin)
  Re: Quantum Computers ("rosi")
  Re: [OT] alt.security.scramdisk spamming (Unimportant)
  Re: A Thought or a Quoater ("rosi")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Jim Dunnett)
Subject: Re: OTP is it really ugly to use or not?
Date: Sat, 03 Jul 1999 19:15:18 GMT
Reply-To: Jim Dunnett

Mok-Kong Shen wrote:

> Given a keystream K and n plausible messages M_1, M_2, M_n and one real
> message M_r.  If we XOR all of them together to form the ciphertext C,
> what chance has the analyst to find M_r, even if K is not ideally random
> as required by the definition of OTP?

It doesn't have to be ideally random, just sufficiently unpredictable!

-- 
Regards, Jim.            | EATING OUT:
amadeus%netcomuk.co.uk   | The Edinburgh Dining Guide
dynastic%cwcom.net       | Information on the capital's finest food
nordland%lineone.net     |
                         | http://www.spidacom.co.uk/EDG/
Pgp key: pgpkeys.mit.edu:11371

------------------------------

From: [EMAIL PROTECTED] (Wim Lewis)
Subject: Re: MP3 Piracy Prevention is Impossible
Date: 3 Jul 1999 21:40:59 GMT

In article 7lavm0$mar$[EMAIL PROTECTED],
Vernon Schryver [EMAIL PROTECTED] wrote:
> In article [EMAIL PROTECTED],
> John Savard [EMAIL PROTECTED] wrote:
> > Ah, but what *can* be done is this: Make it impossible for mobile
> > digital players to play MP3.  Instead, all they will be able to play
> > is a format that has to be signed by an authorized music
> > company...and they will only use the plaintext internally.
>
> Perhaps I don't understand, because I'm not among those who walk around
> with big or little boom boxes.  However, an MP3 player that uses the
> plaintext only internally doesn't sound very entertaining (pun
> intended).  Never mind getting fancy and probing the insides of an MP3
> player for the bit stream before the DAC, or using any of the other
> holes that *must* be

I think you are missing the point. The idea isn't that this will make it
hard for someone to make copies of a copyrighted work. But since the copy
won't be correctly signed, it can only be played on hacked players --- so
you won't be able to make any money selling pirate copies. (Unless, of
course, someone else is making money selling hacked players...)

-- 
Wim Lewis * [EMAIL PROTECTED] * Seattle, WA, USA

------------------------------

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Can Anyone Help Me Crack A Simple Code?
Date: Sat, 03 Jul 1999 21:46:54 GMT

Jerry Coffin wrote:
> So far, in your case, the output we've got is basically 6 bits.

He has actually provided us with slightly more than 6 bits of information,
but it's still a drop in the bucket compared with the missing information.
For example, we don't know what date/times go with the six 10-digit
numbers for which he got green lights in his experiment.

------------------------------

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: RSA or DIFFIE-HELLMANN
Date: Sat, 03 Jul 1999 21:39:41 GMT

[EMAIL PROTECTED] wrote:
> Does unregulated speech become regulated because later software enables
> a machine to act upon it?

According to the US constitution, it's irrelevant whether or not software
gets somehow involved -- this is not an area over which our government (at
any level) has jurisdiction. Of course, that doesn't stop people involved
in the government from trying to exceed their lawful authority, which is
the actual problem.

------------------------------

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: MP3 Piracy Prevention is Impossible
Date: Sat, 03 Jul 1999 21:57:21 GMT

Wim Lewis wrote:
> I think you are missing the point. The idea isn't that this will make
> it hard for someone to make copies of a copyrighted work. But since the
> copy won't be correctly signed, it can only be played on hacked players
> --- so you won't be able to make any money selling pirate copies.
> (Unless, of course, someone else is making money selling hacked
> players...)

Not so -- once he has the digital "plaintext", he can reformat it as CD,
DAT, .WAV file, or whatever. About the only *sensible* approach to
cryptologic protection against pi