Cryptography-Digest Digest #827
Cryptography-Digest Digest #827, Volume #13 Wed, 7 Mar 01 10:13:01 EST
Contents:
Re: One-time Pad really unbreakable? (Tim Tyler)
Re: One time authentication ("Henrick Hellström")
IDEA test vectors ("rowan")
Applied Cryptography - SCHNEIER ("Latyr Jean-Luc FAYE")
Re: AES and DES ("Latyr Jean-Luc FAYE")
Re: AES and DES ("Latyr Jean-Luc FAYE")
Super-strong crypto..(As if). (Keill_Randor)
Re: Applied Cryptography - SCHNEIER ("Jakob Jonsson")
Re: One-time Pad really unbreakable? (John Savard)
Re: AES and DES (John Savard)
Re: One-time Pad really unbreakable? ("Mxsmanic")
Re: One time authentication ("Scott Fluhrer")
Problem with BBS implementation ("Dobs")
Re: PKI and Non-repudiation practicalities (Vernon Schryver)
Question re Asymmetric Encr'n ("Arnold Shore")
Re: PKI and Non-repudiation practicalities (Anne Lynn Wheeler)
Re: Problem with BBS implementation ("Tom St Denis")
Re: PKI and Non-repudiation practicalities (Anne Lynn Wheeler)
Re: Question re Asymmetric Encr'n ("Tom St Denis")
From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: One-time Pad really unbreakable?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 7 Mar 2001 11:00:09 GMT
Mxsmanic [EMAIL PROTECTED] wrote:
: One-time pads are indeed unbreakable, and provably so.
Only in mathematical never-never land. The OTP "specification" does not
offer any prescription for the generation of suitable random numbers -
and since no such recipe is likely to be forthcoming, the "provably
secure" OTP will never make it off the paper and into the real world.
For a summary of the problems involved, see:
http://www.io.com/~ritter/NEWS2/OTPCMTS.HTM
--
__ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Destroy Microsoft.
--
From: "Henrick Hellström" [EMAIL PROTECTED]
Subject: Re: One time authentication
Date: Wed, 7 Mar 2001 12:26:45 +0100
"Tim Tyler" [EMAIL PROTECTED] skrev i meddelandet
news:[EMAIL PROTECTED]...
The OTP has long been regarded as providing "perfect secrecy" - assuming
a shared unguessable stream exists.
However, the OTP provides no authenticatio - it is subject to
bit-flipping attacks (unless message signatures are used) and
a known plaintext recovers the entire key.
I have heard that there is an authentication scheme that works on a
similar principle to the OTP - rather than relying on "confusion"
sequences.
While not providing "perfect" authentication, I hear this offers the
guarantee that the recipient is who they claim to be, and that their
message has not been tampered with with a probability of failure of
1/2^N where N is the number of bits of signature employed.
PCFB-mode does that.
Again, this is subject to the proviso that a siutably "random" shared
secret is available.
I have not succeeded in locating further details of such a "perfect"
signature scheme. Can anyone provide a pointer to something like this?
Or offer a brief description?
http://www.streamsec.com/pcfb.htm
Comments and suggestions are appreciated.
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
--
From: "rowan" [EMAIL PROTECTED]
Subject: IDEA test vectors
Date: Wed, 7 Mar 2001 12:01:49 -
Has anyone got IDEA test vectors with output after each round? I have one
for after all the encryption but I'd like some that are more specific.
--
From: "Latyr Jean-Luc FAYE" [EMAIL PROTECTED]
Subject: Applied Cryptography - SCHNEIER
Date: Wed, 7 Mar 2001 12:20:27 -
Hi
I bought one printed copy of the book Applied Cryptography in a Book shop.
But I have to share it with four other people. So I think that it can be
easier for us to have it in PDF and put it in our Intranet.
Where can I buy the PDF version of the book
Thanks in advance.
Latyr
--
Latyr Jean-Luc FAYE
http://faye.cjb.net
--
From: "Latyr Jean-Luc FAYE" [EMAIL PROTECTED]
Subject: Re: AES and DES
Date: Wed, 7 Mar 2001 12:23:45 -
Thank you.
I have downloaded the HAC and bought the AC of Bruce Schneier
Latyr
--
Latyr Jean-Luc FAYE
http://faye.cjb.net
"Tom St Denis" [EMAIL PROTECTED] a écrit dans le message news:
9m6p6.30932$[EMAIL PROTECTED]
"Latyr Jean-Luc FAYE" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Hi
As I told in my previous submission, I am begining in Crypto.
I red some stuff about AES that will replace DES.
Can somebody explain me the differecences and the advantages.
A brief dicuss or some useful links with this
Cryptography-Digest Digest #827
Cryptography-Digest Digest #827, Volume #12 Tue, 3 Oct 00 14:13:01 EDT
Contents:
Is there any keyed MD5 or Blowfish encryption software out there?
([EMAIL PROTECTED])
Re: is NIST just nuts? (Tom St Denis)
Re: Looking Closely at Rijndael, the new AES (Tom St Denis)
Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Tom St Denis)
Re: Is there any keyed MD5 or Blowfish encryption software out there? (Tom St Denis)
Re: Signature size ("Michael Scott")
Re: Choice of public exponent in RSA signatures (Francois Grieu)
Re: Any products using Rijndael? (Tom St Denis)
Re: Advanced Encryption Standard - winner is Rijndael (Tom St Denis)
Re: It's Rijndael (Tom St Denis)
Re: Requirements of AES (Tom St Denis)
Re: AES Rijndael 9 Round not secure ? (David Crick)
key management on static system ("Jason R. Coombs")
Re: Shareware Protection Schemes (Ichinin)
Re: Advanced Encryption Standard - winner is Rijndael (Jim Gillogly)
Re: It's Rijndael (David Crick)
Authenticating a PIN Without Compromising the PIN (Guy Lancaster)
Re: Shareware Protection Schemes (Mike Rosing)
Re: NIST Statistical Test Suite (Mok-Kong Shen)
Re: is NIST just nuts? (Jim Gillogly)
From: [EMAIL PROTECTED]
Subject: Is there any keyed MD5 or Blowfish encryption software out there?
Date: Tue, 03 Oct 2000 16:55:58 GMT
Reply-To: [EMAIL PROTECTED]
Hello,
Your help is MUCH appreciated... I'm looking for a DLL, Active-X control
or .Bas module that implements a Keyed MD5 scheme which can be used
outside of the US too. I am using vb on the front end and Unix/C
on the back end so it must be implemented in both Unix/C and VB so that
I can encrypt and decrypt strings to and from eachother.
So far I have searched the web and have come up with nothing that :
1) Has both a VB and C/Unix implementation
2) Can take in a Key for encrypting/decrypting
3) Can be used outside of the US also (I hear that if the control
implements DES also, you are considered an arms dealer if you export it)
Thanks in Advance,
Scott
[EMAIL PROTECTED]
Sent via Deja.com http://www.deja.com/
Before you buy.
--
From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 16:56:30 GMT
In article [EMAIL PROTECTED],
Jim Gillogly [EMAIL PROTECTED] wrote:
Tom St Denis wrote:
Yeah, but given all our advances in crypto we can barely break 9
rounds
of Serpent because it was designed to resist these attacks.
Rijndael
suffers 8 of 10 rounds.
The Counterpane paper describes an attack on 7 rounds, which they seem
to indicate is not practical: it uses 2^128 known texts, i.e. the
entire
codebook, 2^120 work and 2^64 bits of memory. This is an interesting
attack and result, but it's obviously completely academic, and I
wouldn't
consider it a break of 7-round Rijndael. They do not (yet) extend the
7-round attack to an 8-round attack: at that point they move to the
longer key sizes.
I never said the attack could be used. In 1977 searching a 56-bit key
space was academic too.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
--
From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Looking Closely at Rijndael, the new AES
Date: Tue, 03 Oct 2000 16:59:10 GMT
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
[EMAIL PROTECTED] (John Savard) wrote in
[EMAIL PROTECTED]:
I hadn't really made up my mind about Rijndael.
Given comments made about its security, I tended to be somewhat
dismayed that security didn't play a larger role in the selection
process, but since from the outset efficiency and speed were known to
play a large role in the selection, Rijndael seems to be the proper
winner.
As much as I bad mouth the whole AES effort. I have tried to think
what I would do if I was to judge a cipher for the specifacations
listed.
I don't think any small fast cipher can really be secure but I think
the
security part has to be judged from two points of view. One does any
one
have a reasonable break for the whole cipher. That being done, You
treat
all the reamaing as at the same security level. Which of course is
unture
but one should not speculate the order in which they will be broken
since
they all will. If and when it gets easily broken you run another
contest.
But of those that pass the so called security checks. You then go to
the one that is cheapest to impliment in the wide variety of uses
that
cipher was meant for. After all only a small degree of security is
needed.
One can't prove how secure each of these ciphers are to each other.
You
only get a real measure if one is broken at which point you throw
that
cipher out.
This was intended for commerical use. These ciphers should not be
used
by any one who wants private truely secure encryption. For example the
govern
Cryptography-Digest Digest #827
Cryptography-Digest Digest #827, Volume #11 Sat, 20 May 00 22:13:00 EDT
Contents:
Re: Reasonably secure OTP passing (Guy Macon)
Re: FAQ out of date? (David A Molnar)
Re: ALIENS - RELIGION ("Leo Sgouros")
dining cryptographers in the disco - any code anywhere? (lose the crustacean to
email me)
Re: More on Pi and randomness ("r.e.s.")
Re: QUESTIONS About ALGOS !! ("Scott Fluhrer")
Re: Reasonably secure OTP passing (John Savard)
Re: what is the status finite automata base cryptosystems? (Chris Pollett)
Re: Jobs at Cloakware ("Trevor L. Jackson, III")
Re: ALIENS - RELIGION ("Sven Kalbitzer")
Re: dining cryptographers in the disco - any code anywhere? (David A Molnar)
Re: dining cryptographers in the disco - any code anywhere? (David A Molnar)
Re: dining cryptographers in the disco - any code anywhere? ("Leo Sgouros")
Re: On-line authentication protocol (Thomas Wu)
Re: QUESTIONS About ALGOS !! (tomstd)
Re: On-line authentication protocol (stanislav shalunov)
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Reasonably secure OTP passing
Date: 20 May 2000 17:57:17 EDT
In article [EMAIL PROTECTED], [EMAIL PROTECTED]
wrote:
This is why this method has, in general, been rejected out of hand.
Why go to all the trouble of generating so many true random numbers?
Why use up twice the bandwidth? It's so much simpler to just use a
better conventional cryptosystem.
While I agree about the rest of what you say, the above (which I see
here in many other folks posts) seems to have a flaw in it's logic.
It assumes that everyone who uses cryptosystems has the following
properties:
[1] They know which available cryptosystems are better or worse.
[2] They currently do not use the best available cryptosystem.
It seems to me that, for most users, the following is more accurate:
[1] They have some clues know which available cryptosystems are better
or worse, but they really can't be sure.
[2] They currently use what they believe to be the best available
cryptosystem, but they are not sure that thay chose wisely.
In that case, they can't make tradeoffs between using a better
cryptosystem and improving the present scheme. Instead they must
make tradeoffs between thier valuation of various costs such as
bandwidth, time to learn the new system, etc., the estimated added
security of the change, the estimated resources of the attacker,
and the cost of having somneone crack the cryptosystem.
--
From: David A Molnar [EMAIL PROTECTED]
Subject: Re: FAQ out of date?
Date: 20 May 2000 21:34:08 GMT
tomstd [EMAIL PROTECTED] wrote:
I just briefly poked at the FAQ today, and saw mention of
something called PES? Good god that is old!!!
If you look at the first section of the FAQ, you'll see a mysterious
note from the Crypt Cabal that indicates a revamp of the FAQ is
underway. I don't know anything more about it than that.
Back in September, I was considering a project aimed at assembling
volunteers to just go ahead and create an updated FAQ. The note from
the Crypt Cabal pre-empted that (strange timing - I wonder how that
worked out... :) . Looking back on how much time I have not had this
year, it is probably just as well.
Still, it has been months since that note, and no sign of progress.
I can understand this, though -- I need to write a next draft of
that FAQ on quantum computation...
Thanks,
-David
--
From: "Leo Sgouros" [EMAIL PROTECTED]
Crossposted-To: alt.alien.research,alt.alien.visitors
Subject: Re: ALIENS - RELIGION
Date: Sat, 20 May 2000 22:06:30 GMT
You speak the truth about this Bible Code book.
Can you tell him why?
Its about how you can fudge codes out of alphabets with missing letters when
you make the right blocks out of them, and draw the right goofy lines.
B:.B:.
"it is finished"
--
"and the four had one likeness,and their
appearance and their work was as it were
a wheel in the middle of a wheel"
www.mkshadows.net
"E. L." [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Jonny: You're referring to Ezekiel 2:12, 14-15. No one knows what he
claims he saw. I would simply say that as in modern times, people are
being picked up by tornadoes and being deposited a distance from where
they were picked up.
Regarding the book "The Bible Code," disabuse yourself from reading
ANYTHING into it. Do research here on the web and read all the prosaic
explanations for why there is no such thing as a bible code or, as you
say below, "...it gives you another perspective on the reasoning behind
the existence of the book (the Bible)." It doesn't do any of the sort.
The only perspective you get is the author's.
==
Group: alt.alien.research Date: Sat, May 20,
Cryptography-Digest Digest #827
Cryptography-Digest Digest #827, Volume #10 Sun, 2 Jan 00 21:13:01 EST
Contents:
Re: meet-in-the-middle attack for triple DES (Mok-Kong Shen)
Re: cracking Triple DES (David Wagner)
Re: RFC1750: Randomness Recommendations for Security (1 of 2) (Mok-Kong Shen)
Re: meet-in-the-middle attack for triple DES (Bill Unruh)
Re: cracking Triple DES (Mok-Kong Shen)
Re: meet-in-the-middle attack for triple DES (Bill Unruh)
Re: vigenere decrypt routine - help needed (Bill Unruh)
Re: stupid question (Guy Macon)
Re: Wagner et Al. (Guy Macon)
test ("Jester")
Re: meet-in-the-middle attack for triple DES (Scott Fluhrer)
Re: Wagner et Al. ("Daniel Roethlisberger")
Re: encryption algorithm with 21-character results? (David Hopwood)
Re: RFC1750: Randomness Recommendations for Security (1 of 2) (Michael Sierchio)
From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: meet-in-the-middle attack for triple DES
Date: Sun, 02 Jan 2000 22:17:58 +0100
P. Daniel Suberviola, II wrote:
This is wonderful, but how would it help in the real world? It seems to me
like circular logic; if you already know the plaintext and ciphertext, what
good is it to know the keys? Further, how would this help you in real life
over a brute-force attack, since when you really need to break something you
will know absolutely nothing except for the ciphertext and the keys are sure
to be different?
If one could manage to have each block encrypted by a different key,
then such attacks would in my humble opinion be pointless for any
common block encryption algorithm that offers sufficient difficulty
to determine the key from only one single pair of corresponding plain
and cipher texts. On the the further assumption that the key stream
is not (or barely) subjected to inference, this would seem to leave
the adversary no other means in practice but to brute force the
'key' that generates the said key stream. (Note that the key stream
is used 'indirectly' here, in distinction to its usage in common
stream encipherments.) Other techniques like the differential analysis
would be useless for the same reason, as I argued previously. I
should very much appreciate comments, if there are flaws in the
above line of humble thoughts of mine.
M. K. Shen
--
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: cracking Triple DES
Date: 2 Jan 2000 14:14:18 -0800
In article [EMAIL PROTECTED],
John E. Gwyn [EMAIL PROTECTED] wrote:
DJohn37050 wrote:
Attack in the middle. Attack one pair of keys with 2**112 and the
other with 2**56 and look for matches.
Easier said than done. How are you going to implement "look for
matches"? Store 2^56 blocks of on the order of 64 bits each, or
set up a hash table that big?
van Oorschot Wiener's `parallel collision search' is useful here.
See their paper on speeding up meet-in-the-middle attacks by orders
of magnitude; I think it was in a recent CRYPTO proceedings.
--
From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: RFC1750: Randomness Recommendations for Security (1 of 2)
Date: Sun, 02 Jan 2000 23:44:56 +0100
Tiny remarks:
1. If I don't err, lossless compression on sufficiently 'random'
sequences might even result in expansion instead of compression with
some compression schemes.
2. BBS probably might not be so good as its fame in the literature
suggests. See Terry Ritter's web page.
M. K. Shen
--
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: meet-in-the-middle attack for triple DES
Date: 2 Jan 2000 22:54:13 GMT
In 386d279e$0$[EMAIL PROTECTED] "P. Daniel Suberviola, II" [EMAIL PROTECTED]
writes:
According to Schneier,
C = EK3(DK2(EK1(P))) and P = DK1(EK2(DK3(C))).
That part makes sense. However, he claims that there is a
meet-in-the-middle
attack to break this. Could someone please briefly explain to me how
this
would be done?
Known plaintext. For all keys 1 2 3, evaluate and store
Y(k1,k2)= Dk2(Ek1(P))
Z(k3)=Dk3(C)
Search through list to Find k1,k2 and k3 such that Z(k3)=Y(k1,k2)
Requires just 2^( L(k1)L(k2)+L(k3)) instead of 2^(L(k1)L(k2)L(k3))
encryptions. But requires huge storage space.(2^(L(k1)L(k2))). ( L(k1)=
length o
f key 1 )
This is wonderful, but how would it help in the real world? It seems to
me
like circular logic; if you already know the plaintext and ciphertext,
what
good is it to know the keys? Further, how would this help you in real
life
over a brute-force attack, since when you really need to break
something you
will know absolutely nothing except for the ciphertext and the keys are
sure
to be different? I'd appreciate it very much if someone could clear all
of
this up for me.
No you often do know a bit of the plain text ( a crib), and you want to
know it all. For example each message could start with a salutation
say "Heil
Cryptography-Digest Digest #827
Cryptography-Digest Digest #827, Volume #9Sun, 4 Jul 99 00:13:06 EDT
Contents:
Re: OTP is it really ugly to use or not? (Jim Dunnett)
Re: MP3 Piracy Prevention is Impossible (Wim Lewis)
Re: Can Anyone Help Me Crack A Simple Code? ("Douglas A. Gwyn")
Re: RSA or DIFFIE-HELLMANN ("Douglas A. Gwyn")
Re: MP3 Piracy Prevention is Impossible ("Douglas A. Gwyn")
Re: Can Anyone Help Me Crack A Simple Code? (wtshaw)
Re: Kryptos article ("Douglas A. Gwyn")
Re: MP3 Piracy Prevention is Impossible (wtshaw)
Something the bit-twiddlers might like (wtshaw)
RSA Padding (S.T.L.)
Ciphers based on HASH functions ([EMAIL PROTECTED])
Re: Can Anyone Help Me Crack A Simple Code? (Jerry Coffin)
Re: Quantum Computers ("rosi")
Re: [OT] alt.security.scramdisk spamming (Unimportant)
Re: A Thought or a Quoater ("rosi")
From: [EMAIL PROTECTED] (Jim Dunnett)
Subject: Re: OTP is it really ugly to use or not?
Date: Sat, 03 Jul 1999 19:15:18 GMT
Reply-To: Jim Dunnett
Mok-Kong Shen wrote:
Given a keystream K and n plausible messages M_1, M_2, M_n
and one real message M_r. If we XOR all of them together to form
the ciphertext C, what chance has the analyst to find M_r, even
if K is not ideally random as required by the definition of OTP?
It doesn't have to be ideally random, just sufficiently
unpredictable!
--
Regards, Jim.| EATING OUT:
amadeus%netcomuk.co.uk | The Edinburgh Dining Guide
dynastic%cwcom.net | Information on the capital's finest food
nordland%lineone.net |
| http://www.spidacom.co.uk/EDG/
Pgp key: pgpkeys.mit.edu:11371
--
From: [EMAIL PROTECTED] (Wim Lewis)
Subject: Re: MP3 Piracy Prevention is Impossible
Date: 3 Jul 1999 21:40:59 GMT
In article 7lavm0$mar$[EMAIL PROTECTED],
Vernon Schryver [EMAIL PROTECTED] wrote:
In article [EMAIL PROTECTED],
John Savard [EMAIL PROTECTED] wrote:
Ah, but what *can* be done is this:
Make it impossible for mobile digital players to play MP3.
Instead, all they will be able to play is a format that has to be
signed by an authorized music company...and they will only use the
plaintext internally.
Perhaps I don't understand, because I'm not among those who walk around
with big or little boom boxes. However, an MP3 player that uses the
plaintext only internally doesn't sound very entertaining (pun intended).
Never mind getting fancy and probing the insides of an MP3 player for the
bit stream before the DAC, or using any of the other holes that *must* be
I think you are missing the point. The idea isn't that this will make it
hard for someone to make copies of a copyrighted work. But since the
copy won't be correctly signed, it can only be played on hacked players ---
so you won't be able to make any money selling pirate copies. (Unless,
of course, someone else is making money selling hacked players...)
--
Wim Lewis * [EMAIL PROTECTED] * Seattle, WA, USA
--
From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Can Anyone Help Me Crack A Simple Code?
Date: Sat, 03 Jul 1999 21:46:54 GMT
Jerry Coffin wrote:
So far, in your case, the output we've got is basically 6 bits.
He has actually provided us with slightly more than 6 bits of
information, but it's still a drop in the bucket compared with
the missing information. For example, we don't know what date/
times go with the six 10-digit numbers for which he got green
lights in his experiment.
--
From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: RSA or DIFFIE-HELLMANN
Date: Sat, 03 Jul 1999 21:39:41 GMT
[EMAIL PROTECTED] wrote:
Does unregulated speech become regulated because later software
enables a machine to act upon it?
According to the US constitution, it's irrelevant whether or not
software gets somehow involved -- this is not an area over which
our government (at any level) has jurisdiction.
Of course, that doesn't stop people involved in the government
from trying to exceed their lawful authority, which is the actual
problem.
--
From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: MP3 Piracy Prevention is Impossible
Date: Sat, 03 Jul 1999 21:57:21 GMT
Wim Lewis wrote:
I think you are missing the point. The idea isn't that this will make it
hard for someone to make copies of a copyrighted work. But since the
copy won't be correctly signed, it can only be played on hacked players ---
so you won't be able to make any money selling pirate copies. (Unless,
of course, someone else is making money selling hacked players...)
Not so -- once he has the digital "plaintext", he can reformat it as
CD, DAT, .WAV file, or whatever.
About the only *sensible* approach to cryptologic protection against
pi
