Cryptography-Digest Digest #836, Volume #8 Sun, 3 Jan 99 15:13:04 EST
Contents:
RSA-Broken!!! ([EMAIL PROTECTED])
GSM Hack [Was Security through obscurity in the smartcard world] (Gary Howland)
Re: Session keys in Elliptic Curve (Anonymous)
Re: Why no Standard C/R Password Protocol? (David P Jablon)
Re: Highly structured info. (XML) and decryption
Re: Make Fast Random Number Generator? (Paul Crowley)
I want DSA program for free ("M. DeBacle")
Encryption questions..... (lordstar)
Re: Attention: This is an encoded message????? ("Jay")
Re: Attention: This is an encoded message????? (Anonymous)
Re: DES programming (fungus)
Re: Attention: This is an encoded message????? (Jan Garefelt)
Re: User Caused Scramdisk problem (A C Wilshere)
Re: RSA-Broken!!! ("John E. Kuslich")
----------------------------------------------------------------------------
Subject: RSA-Broken!!!
From: [EMAIL PROTECTED]
Crossposted-To: soc.culture.jewish,soc.culture.israel,misc.test,news.software.nntp
Reply-To: [EMAIL PROTECTED] (Eric David McDonald)
Date: 3 Jan 1999 15:57:10 GMT
Attention: This is an encoded message.
------------------------------
Subject: GSM Hack [Was Security through obscurity in the smartcard world]
From: [EMAIL PROTECTED] (Gary Howland)
Crossposted-To: soc.culture.jewish,soc.culture.israel,misc.test,news.software.nntp
Reply-To: [EMAIL PROTECTED] (Eric David McDonald)
Date: 3 Jan 1999 15:29:42 GMT
Attention: This is an encoded message.
------------------------------
Subject: Re: Session keys in Elliptic Curve
From: Anonymous <[EMAIL PROTECTED]>
Crossposted-To: soc.culture.jewish,soc.culture.israel,misc.test,news.software.nntp
Reply-To: [EMAIL PROTECTED] (Eric David McDonald)
Date: 3 Jan 1999 15:39:28 GMT
Attention: This is an encoded message.
------------------------------
From: [EMAIL PROTECTED] (David P Jablon)
Subject: Re: Why no Standard C/R Password Protocol?
Date: Sun, 3 Jan 1999 14:49:23 GMT
John Savard wrote:
> Since hash functions aren't export controlled, why isn't there a nice,
> simple, non-proprietary standard for entering passwords over the
> Internet that doesn't require sending passwords in the clear?
I agree with one of your conclusions, that no technically-
adequate methods are based on hash functions alone.
Methods like EKE, SPEKE, and SRP use modular exponentiation
to prevent network brute-force attacks, and can also
prevent simple mis-use of a stolen verifier.
But the question and subsequent discussion seemed to be
based on some wrong assumptions:
1) That hash functions guarantee exportability.
They don't. Some exponentiation-based methods are
exportable, and some uses of hash functions are not.
2) That hash functions are simple.
Have you really looked closely at MD5 or SHA1? :-)
Can you fully describe them in a couple of sentences?
On the other hand, any high school student should know
what modular arithmetic is. As for implementations, with
free source code in both categories, everything is simple.
3) That proprietary designs are a "bad thing".
Though this enters an arena of purely personal opinion,
I see patents as a driving force behind many advances
in technology, public-key crypto being just one example.
Sure, some people might only use a bargain-basement solution.
But I prefer to shop around, at least to see what's available.
Bryan Olson wrote:
> Actually there are a few [existing standards], they're just
> not widely implemented.
As one example, Bryan described a one-time-password system.
OTP's are an incomplete solution to the problem, with the
benefit that they can be used with old client software
designed only to permit clear-text passwords.
But if you have control of the client software,
you can do much better.
Eric Backus wrote:
> I recently discovered <http://srp.standford.edu/srp>, which may be
> exactly what you're looking for (and more?).
Better still, SRP is just one flavor of a whole generation
of methods designed specifically as an optimal solution to
this problem. For references to B-SPEKE, A-EKE, and others,
look at: <http://world.std.com/~dpj/links.html>
======================================================
David P. Jablon
Integrity Sciences, Inc.
[EMAIL PROTECTED]
<http://world.std.com/~dpj/>
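
Added example, not part of David Jablon's post and not code from the EKE, SPEKE or SRP designs: a Python sketch of the contrast the post draws between a hash-only challenge/response and an exponentiation-based exchange. The SHA-256 response format, the use of the RFC 2409 768-bit group, the sample password and all function names are assumptions made for illustration, and the SPEKE-style exchange is simplified (no key confirmation step).

```python
import hashlib
import hmac
import secrets

# Oakley Group 1 prime from RFC 2409 (768 bits), P = 2Q + 1 with Q prime.
# Chosen only to keep the listing short; it is too small for current use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2


def hash_cr_response(password: str, challenge: bytes) -> bytes:
    """Hash-only challenge/response (assumed format): SHA-256(challenge || password)."""
    return hashlib.sha256(challenge + password.encode()).digest()


def transcript_confirms(challenge: bytes, response: bytes, guess: str) -> bool:
    """What a passive observer of the hash-only exchange can check offline."""
    return hmac.compare_digest(hash_cr_response(guess, challenge), response)


def speke_base(password: str) -> int:
    """SPEKE-style base: a squared password hash, which lies in the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h % P, 2, P)


def speke_public(password: str):
    """Return (secret exponent x, public value base^x mod P) for one party."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(speke_base(password), x, P)


def speke_key(secret: int, peer_public: int) -> bytes:
    """Derive the session key from our exponent and the peer's public value."""
    if not 1 < peer_public < P - 1:  # reject 0, 1 and P-1 (tiny subgroups)
        raise ValueError("peer value outside the allowed range")
    shared = pow(peer_public, secret, P)
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def demo():
    password = "correct horse"  # constructed sample
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    response = hash_cr_response(password, challenge)
    # Hash-only: the two values on the wire are enough to test any guess.
    hash_leak = [g for g in ("letmein", "correct horse")
                 if transcript_confirms(challenge, response, g)]

    # SPEKE-style: the wire carries base^x and base^y. A guess yields a candidate
    # base but neither exponent, so the observer has nothing to compare against.
    xa, pub_a = speke_public(password)
    xb, pub_b = speke_public(password)
    same = speke_key(xa, pub_b) == speke_key(xb, pub_a)
    xw, pub_w = speke_public("letmein")  # a party holding the wrong password
    differs = speke_key(xw, pub_a) != speke_key(xa, pub_w)
    return hash_leak, same, differs
```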
------------------------------
Subject: Re: Highly structured info. (XML) and decryption
From: <[EMAIL PROTECTED]>
Crossposted-To: soc.culture.jewish,soc.culture.israel,misc.test,news.software.nntp
Reply-To: [EMAIL PROTECTED] (Eric David McDonald)
Date: 3 Jan 1999 15:57:50 GMT
Attention: This is an encoded message.
------------------------------
From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: Make Fast Random Number Generator?
Date: 3 Jan 1999 15:25:57 -0000
[EMAIL PROTECTED] (Robert Davies) writes:
> >Eek. For what application is a fast CPRNG fed by a slower random
> >number generator unsuitable?
> (1) for someone generating the numbers for a one-time-pad to be
> stored on a CD-ROM and
> (2) for statistical simulations where a PRNG was considered
> unsuitable
I'm unconvinced. A CPRNG should have no statistical artifacts
detectable in reasonable time by an active attack, so it seems very
unlikely that a simulation not designed to attack the RNG will be
affected by them. And for nearly any real application OTPs are just
silly; once you take into account the security of pads in transit,
hybrid cryptography (PGP style) looks far more secure.
--
__
\/ o\ [EMAIL PROTECTED] http://www.hedonism.demon.co.uk/paul/ \ /
/\__/ Paul Crowley Upgrade your legacy NT machines to Linux /~\
------------------------------
From: "M. DeBacle" <[EMAIL PROTECTED]>
Subject: I want DSA program for free
Date: Sun, 03 Jan 1999 07:59:11 -1000
I want to get a free copy of the Digital Signature Algorithm (DSA). I
prefer the source code, but executable is tolerable. I have an IBM
compatible PC.
If you know of a website where I can download it, please post the LINK
here.
I want to sign some stuff. I want to look at the source code. I might not
modify the source code and re-compile it. I might not try to use it to
produce an encryption/decryption program which looks like signature
software. I might not distribute it. I absolutely will not sell it.
I read in a book (Crypto '92, page 80) that "certain countries permit the
use of signature algorithms within their borders, but they restrict the
use of encryption algorithms". I will not send any modified DSA software
outside of the USA. Really. I promise. I will publish the results of this
work on sci.crypt .
------------------------------
From: lordstar <[EMAIL PROTECTED]>
Crossposted-To: alt.sources.crypto,alt.2600.hackerz
Subject: Encryption questions.....
Date: 3 Jan 1999 18:47:21 +0100
I'm writing a term paper on how encryption could be the key to privacy.
I'm looking for info on the basics of encryption.
------------------------------
From: "Jay" <[EMAIL PROTECTED]>
Subject: Re: Attention: This is an encoded message?????
Date: Sun, 3 Jan 1999 12:49:03 -0500
They show that weird way on my newserver as well (idt.news). However I spot
checked a number of these on DejaNews and they appeared to display correctly
there.
Is this the action of a bot (or NSA, or NSA bot <g>)?
Jay
EvanPic wrote in message <[EMAIL PROTECTED]>...
>Did I miss something? Now all of the sci.crypt posts start with this header
>and the following text is encoded/scrambled/? Would appreciate info on what
>is going on.
>
>Regards,
>
>Evan.
>
>
------------------------------
From: Anonymous <[EMAIL PROTECTED]>
Subject: Re: Attention: This is an encoded message?????
Date: 3 Jan 1999 19:22:41 +0100
EvanPic wrote in message <[EMAIL PROTECTED]>...
>Did I miss something? Now all of the sci.crypt posts start with this header
>and the following text is encoded/scrambled/? Would appreciate info on what
>is going on.
Uh uh, looks like a Hipcrime attack on sci.crypt
Check the headers. Especially mark the purported 'From' header and the
'Sender' header.
Curious, isn't it....Then check the IP, it's 4.8.91.72. Sounds false?
Probably spoofed.
Definitely NOT from their indicated sender; all the messages were sent by an
entity calling itself "Eric David McDonald, [EMAIL PROTECTED]" which sounds
kinda false.
Do a trace on the sender of these messages and a) report to a SpamCop, then
b) subscribe the sender of these messages into EVERY mailing list in the
world.
He's gonna have a hard time getting him/herself off of them, won't have time
to spam us....
Message-ID: <[EMAIL PROTECTED]>
Supersedes: <[EMAIL PROTECTED]>
Subject: Re: "Encrypted Magic Folders" substitute
From: "Sam Simpson" <[EMAIL PROTECTED]>
Approved: [EMAIL PROTECTED] (Eric David McDonald)
Newsgroups: soc.culture.jewish,soc.culture.israel,misc.test,news.software.nntp,sci.crypt
References: <[EMAIL PROTECTED]>
X-Server-Date: 3 Jan 1999 15:37:44 GMT
X-No-Archive: [EMAIL PROTECTED] (Eric David McDonald)
Sender: [EMAIL PROTECTED] (Eric David McDonald)
Reply-To: [EMAIL PROTECTED] (Eric David McDonald)
Werecard: Available upon request
NNTP-Posting-Host: 4.8.91.72
X-Trace: news20.bellglobal.com 915365580 4.8.91.72 (Sun, 03 Jan 1999 07:13:00 EDT)
NNTP-Posting-Date: Sun, 03 Jan 1999 07:13:00 EDT
Xref: read1.inet.fi soc.culture.jewish:426955 soc.culture.israel:193714 misc.test:294109 news.software.nntp:67832 sci.crypt:76828
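
Added example, not part of the post above: a Python check for the header inconsistencies that post points out (a Sender that is not the author, replies and approval routed to that same sender, a Supersedes header, and crossposting across unrelated hierarchies). The sample articles are constructed, with placeholder addresses and Message-IDs because the page's own are redacted; the function names and the three-hierarchy threshold are assumptions.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed article headers modelled on the ones quoted in the post above.
FORGED = """\
Message-ID: <new-0001@news.example.invalid>
Supersedes: <orig-0001@news.example.invalid>
Subject: Re: "Encrypted Magic Folders" substitute
From: "Sam Simpson" <sam@example.invalid>
Approved: poster@example.invalid (Eric David McDonald)
Newsgroups: soc.culture.jewish,soc.culture.israel,misc.test,news.software.nntp,sci.crypt
Sender: poster@example.invalid (Eric David McDonald)
Reply-To: poster@example.invalid (Eric David McDonald)

"""

# Constructed ordinary reply for comparison.
BENIGN = """\
Message-ID: <reply-0002@news.example.invalid>
Subject: Re: DES programming
From: fungus <fungus@example.invalid>
Newsgroups: sci.crypt

"""


def addr(headers, name):
    """Lower-cased address part of a header, or '' when the header is absent."""
    return parseaddr(headers.get(name, ""))[1].lower()


def audit(raw: str) -> list[str]:
    """Return the names of the consistency checks this article fails."""
    h = HeaderParser().parsestr(raw, headersonly=True)
    author, sender = addr(h, "From"), addr(h, "Sender")
    third_party = bool(sender) and sender != author
    findings = []
    if third_party:
        findings.append("sender-differs-from-author")
    if third_party and addr(h, "Reply-To") == sender:
        findings.append("replies-diverted-to-sender")
    if third_party and "Supersedes" in h:
        # Someone other than the stated author is replacing an earlier article.
        findings.append("supersedes-by-third-party")
    if third_party and addr(h, "Approved") == sender:
        findings.append("self-approved")
    groups = [g.strip() for g in h.get("Newsgroups", "").split(",") if g.strip()]
    hierarchies = {g.split(".")[0] for g in groups}
    if len(hierarchies) >= 3:  # assumed threshold for unrelated hierarchies
        findings.append("crosspost-across-hierarchies")
    return findings


if __name__ == "__main__":
    for label, article in (("forged", FORGED), ("benign", BENIGN)):
        print(label, audit(article))
```

Every header examined here is supplied by the poster, so these checks only catch internal inconsistencies; an article that passes them has not been shown to be genuine.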
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: DES programming
Date: Sun, 03 Jan 1999 19:50:20 +0100
"Mr. Tines" wrote:
>
> ###
>
> On Sat, 02 Jan 1999 18:41:11 +0100, in <[EMAIL PROTECTED]>
> Henrik =?iso-8859-1?Q?B=E4=E4rnhielm?= <[EMAIL PROTECTED]>
> wrote.....
>
> > how to represent 64-bit integers...
>
> However, many 'C' compilers these days offer a long long int
> type of 64 bits (even if it reduces to 32-bit trickery in
> the machine code); Borland C++ and Visual C++ both offer an
> 64 bit integer type, as does Java (the other main member of
> the 'C' family). Otherwise you could write a restricted
> multiple-precision arithmetic library (or an Int64 class
> in C++).
>
But don't forget that the internal workings of DES split the
block into a left and a right half for working. These will
fit into two 32 bit numbers - ints!
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (Jan Garefelt)
Subject: Re: Attention: This is an encoded message?????
Date: 03 Jan 1999 20:27:01 +0100
Anonymous <[EMAIL PROTECTED]> wrote:
> [some headers ] Probably spoofed.
[---]
> Do a trace on the sender of these messages and a) report to a SpamCop, then
> b) subscribe the sender of these messages into EVERY mailing list in the
> world.
If some information was spoofed as you say, why not all?
> He's gonna have a hard time getting him/herself off of them, won't
> have time to spam us....
Yes, he'll have a hard time, won't he...
--
Jan Garefelt [EMAIL PROTECTED]
(You know what part to remove to get my mail address!)
------------------------------
From: A C Wilshere <[EMAIL PROTECTED]>
Subject: Re: User Caused Scramdisk problem
Date: Sat, 2 Jan 1999 18:05:25 GMT
Hi,
New to this type of program, to my (very) untrained eye, is the
container file route the safest to take, with less chance of trouble
mounting partitions? Once had encrypted magic folders (probably
works on a totally different set up to scramdisk), crash during use,
and it took some files with it, so please excuse my caution.
I am a bit of a newbie, so if I can create a file of a couple of megs
to experiment with, (and delete from windows 95, if any problems
arise), that is the route I would rather take.
I have NEVER had to reinstall software or w95 due to mistakes, I
usually go for the simple, cautious approach
> You should not format any partition bigger than 2Gbyte.
> If your partitions are larger, use a container file instead.
> Aman.
------------------------------
Date: Sun, 03 Jan 1999 13:01:02 -0700
From: "John E. Kuslich" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: RSA-Broken!!!
Bruce Schneier wrote:
> On 29 Dec 1998 01:24:02 GMT, Michael J. Fromberger
> <[EMAIL PROTECTED]> wrote:
> >>Well if you're so smart.... How many licks DOES it take to get to
> >>the center of a Tootsie Pop?
> >
> >See W. O. Owl's seminal paper on this subject, "Three Licks: Getting
> >to the Centre of the Tootsie Pop Controversy" in Journal of
> >Idisyncratic Cryptanalysis, v.II #5, Feb. 1992, pp. 324-335.
>
> But he missed the meet-in-the-middle attack.
>
> Bruce
>
The real question is whether or not a Tootsie POP is exportable.
The "POP" could be considered to be an explosive device because of its
obviously subversive name. The Tootsie Roll outer coating is a form of
encryption since it hides the real inner "POP".
All Tootsie POPS should be subject to a licensing procedure under the
Department of Unedible Marginal Appetite Suppressant Suckers (DUMASS).
Each Tootsie POP should be submitted to the DUMASS in advance of licking.
Consuming a Tootsie Pop and then going to a foreign country would be
considered export of the POP unless the consumer submits to a urine test
prior to leaving the country to prove that the POP portion of the candy
has not been consumed. These tests would be administered by the POP
Inspection Sampling Service (PISS).
Please understand that an actual Tootsie POP would not be exportable but a
recipe for a POP would be exportable provided that the recipe is not in
machine readable form such as on a computer disk or on the Internet.
(Remember, terrorists cannot type!)
Tootsie POPs smaller than 56 licks would be submitted for a one time
review and must have the capability of being unlicked by an agency of the
Federal Government. Any Tootsie POP not having a "Special Law
Enforcement Unlicking Recovery Procedure" (SLURP) would be considered
suspect.
128 Lick Tootsie POPs would be classed as Atomic Weapons because they
somewhat resemble the atomic structure with the outer coating resembling
the electron cloud and the inner part suggestive of a nucleus. A
terrorist could conceivably make this connection and discover how to make
an atomic bomb using this information. This does not make any sense but
that would not stop it from becoming part of the regulation.
Tootsie POPs greater than 128 licks would be prohibited for classified
reasons. Any citizen could be told the reason but then would have to be
summarily executed.
Further regulations regarding Tootsie POPS are completely classified, so
don't do anything. You could be arrested!!!
JK
--
CRAK Software (Password Recovery Software)
Http://www.crak.com
[EMAIL PROTECTED]
602 863 9274 or 1 800 505 2725 In the USA
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************