Cryptography-Digest Digest #279, Volume #9 Wed, 24 Mar 99 18:13:03 EST
Contents:
Re: RSA key distribution ("Roger Schlafly")
Re: ORYX idea!!! ("Harv")
Re: My Book "The Unknowable" ("karl malbrain")
Re: RSA key distribution ("Roger Schlafly")
Re: Computer Security Education
Re: Random Walk (Jim Felling)
Re: Encryption and the Linux password files (John Savard)
Re: Basic OTP questions ([EMAIL PROTECTED])
Re: Random Walk ("Douglas A. Gwyn")
Re: el-gamal as permutation for OAEP? (David A Molnar)
Re: ElGamal vs RSA ([EMAIL PROTECTED])
paper (Marcin Kontak)
Re: paper ("Douglas A. Gwyn")
Re: Computer Security Education ("Douglas A. Gwyn")
Re: compare RSA and D-Hellman ("Sassa")
Re: Message Digest ([EMAIL PROTECTED])
Re: RSA key distribution (DJohn37050)
Re: compare RSA and D-Hellman (DJohn37050)
Re: My Book "The Unknowable" (karl malbrain)
----------------------------------------------------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: RSA key distribution
Date: Wed, 24 Mar 1999 11:44:58 -0800
DJohn37050 wrote in message <[EMAIL PROTECTED]>...
>strong primes. I think the organizations that voted YES thought that as the
>performance cost was low (less than 5%) it MIGHT have a positive effect on
>security. That is, it was a conservative decision to make.
Without any analysis to back that up, it might have a negative effect also.
It sounds like people were duped by words like "strong" and "safe".
>My take is that it is the user's right to make such a decision. P.S. On this
>vote I voted ABSTAIN.
The standard does not allow the user to make his own decision about
finding the primes in his key. So why would you abstain on this issue, if
you disagree with what the standard does?
------------------------------
From: "Harv" <[EMAIL PROTECTED]>
Subject: Re: ORYX idea!!!
Date: Wed, 24 Mar 1999 10:42:32 -0800
I don't see how this helps either.
I assume to encrypt, you do a E=M*K mod 2^(block size)
to decrypt, you do a M=E*K' mod 2^(block size)
If you have a little known plain text, then some straightforward modular
algebra will yield K.
Of course instead of multiplication you could do modular exponentiation in
the appropriate field; but then you'd have RSA.
Harv.
<[EMAIL PROTECTED]> wrote in message
news:7dalge$u9l$[EMAIL PROTECTED]...
> Ok so XORing the result reveals the keystream? My idea is multiply it, then on
> the other side use the multiplicative inverse? Maybe even process larger
> blocks (64-bits)?
>
> Tom
>
> -----------== Posted via Deja News, The Discussion Network ==----------
> http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
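Added example, not code from Harv's post or anyone else in the thread: the "multiply by the key mod 2^(block size)" scheme he sketches, with decryption by the multiplicative inverse, and the single known-plaintext block that hands back K. The 64-bit block size, the key and the message are constructed for illustration; the one caveat worth seeing in code is that only odd values are invertible modulo a power of two, so K must be odd for decryption to exist at all and the known block must be odd for the recovery step.

```python
# Added example (not from the thread): multiplicative "cipher" modulo 2^n,
# decryption via the inverse of K, and key recovery from one known block.
# Block size, key and message below are constructed for illustration.

BLOCK_BITS = 64
MOD = 1 << BLOCK_BITS


def is_invertible(x: int) -> bool:
    """Modulo 2^n only odd values have a multiplicative inverse
    (an even value shares the factor 2 with the modulus)."""
    return x % 2 == 1


def inverse_mod_pow2(x: int) -> int:
    """K' with x * K' = 1 (mod 2^n); raises for even x. Uses pow(x, -1, m) (Python 3.8+)."""
    if not is_invertible(x):
        raise ValueError("even values have no inverse modulo 2^n")
    return pow(x, -1, MOD)


def encrypt_block(m: int, k: int) -> int:
    """E = M * K mod 2^(block size), as in the post."""
    return (m * k) % MOD


def decrypt_block(e: int, k: int) -> int:
    """M = E * K' mod 2^(block size), where K' is the inverse of K."""
    return (e * inverse_mod_pow2(k)) % MOD


def recover_key(m: int, e: int) -> int:
    """Known plaintext: from one (M, E) pair with M odd, K = E * M^-1 mod 2^n.
    For an even M the inverse does not exist and a different block is needed."""
    return (e * inverse_mod_pow2(m)) % MOD


def demo() -> dict:
    key = 0x9E3779B97F4A7C15                      # constructed odd (invertible) key
    message = int.from_bytes(b"Hi there", "big")  # 8 ASCII bytes = one 64-bit block; odd value
    ciphertext = encrypt_block(message, key)
    recovered = recover_key(message, ciphertext)
    return {
        "round_trip_ok": decrypt_block(ciphertext, key) == message,
        "recovered_key": recovered,
        "key_recovered": recovered == key,
    }


if __name__ == "__main__":
    print(demo())
    try:
        recover_key(int.from_bytes(b"even end", "big"), 0)   # last byte 'd' is even
    except ValueError as exc:
        print("even plaintext block:", exc)
```

The point the post makes is visible in `recover_key`: a single plaintext/ciphertext pair determines K exactly, because multiplication by an odd constant is a bijection on Z/2^n and the inverse of the plaintext undoes it.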
------------------------------
From: "karl malbrain" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Wed, 24 Mar 1999 10:59:57 -0800
Paul Healey <[EMAIL PROTECTED]> wrote in message
news:iyCAiAAbLo32Ew$[EMAIL PROTECTED]...
> (...)
> What is unknowable ? Maybe it is randomness. In that case I do not see
> how you can end the game ! Is a syllogism or equivalence relation, a
> method of reasoning that allows you to reason ?
UNKNOWABLE along this thread attempts to tie OWNERSHIP to INFORMATION. I
believe the original author's work mistakes MATERIAL ownership for
USABILITY (ability to apply information to material things).
>
> As such, can I not define it as merely a principle? So, is the
> principle a ground ? I would say, it is merely dialectical to assert
> your ground - you can reason either way is in no doubt. If I up the
> ante, within connectionist logic(my understanding of it), winning the
> game so to speak, is not so easy.
Here you fall into VULGAR MATERIALISM. Material is Paramount, not
Information (which accumulates as a function of TIME).
> However, this does not rule out its
> possibility ! Consider a schema, that works like a parallely
> distributed processor: your measure of the decryption has either three
> possibilities; it is successful, it is not and no decision can be made.
> Betting on the first two, such a schema can negate absorption, provided
> the information being processed can differentiate between those
> principles which affirm and negate its ground.
I'm unwilling to comment on this (I'm still 45 quarter credits shy of a BSEE
from CAL)
(remainder snipped under comment, above). Karl M
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: RSA key distribution
Date: Wed, 24 Mar 1999 11:52:32 -0800
[EMAIL PROTECTED] wrote in message <7db0vg$8fe$[EMAIL PROTECTED]>...
>The banking industry demanded strong primes, so I gave them a simple and
>fast technique for generating them.
Given the choice between strong primes and weak primes, naturally
the bankers prefer strong primes. The question is whether the primes
constructed by your method are any stronger or safer than other and
more straightforward methods.
> And while
>requiring strong primes may not be a mathematical necessity, it makes the
>user community more at ease with the standard. This last fact, in and of
> itself, gives value to the technique.
Translation: Snake oil is valuable if people are suckered by it.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Computer Security Education
Date: Wed, 24 Mar 1999 20:25:40 GMT
[EMAIL PROTECTED] wrote:
: I would like to learn about the other aspects of computer security -
: is there an educational institution that can facilitate my wish?
James Madison University (Harrisonburg, Virginia, USA) has an MSCS
degree with an information security concentration. Does anyone
have any experience with this program?
--
David Winfrey
first_initial L last_initial at patriot dot net
------------------------------
From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Random Walk
Date: Wed, 24 Mar 1999 14:55:20 -0600
"R. Knauer" wrote:
> On Wed, 24 Mar 1999 08:35:35 -0700, "Tony T. Warnock"
> <[EMAIL PROTECTED]> wrote:
>
> >> Infinite sequences require a continuous sample space, and finite
> >> sequences are sampled from a discrete sample space.
>
> >The above two statements are false. Statistical tests do not assume
> >infinite sequences in the first case
>
> I was referring to statistical tests for *true randomness*.
>
> I think that was perfectly clear to anyone paying attention to these
> discussions. Nowhere have I ever commented on statistical tests
> outside the context of the determination of true randomness.
>
> [NB: "True Randomness" is that which is embodied in quantum mechanical
> processes like radioactive decay.]
>
> >and one may sample a finite sequence from a discrete space.
>
> No fooling! I did not say otherwise.
>
> Now that we have cleared all that up, why doesn't someone on the
> opposite side of this debate get down to business and propose a
> particular statistical test for randomness.
>
> For example, one poster suggested the Chi Squared Test. Why not follow
> thru and give some concrete examples of how that test applies to
> finite sequences, so we can see how these alleged statistical tests
> of true randomness work. Let's put some statistical tests thru their
> paces, try them out on actual random number sequences such as the
> Lavarand numbers.
OK. That's fine. I can tell you in advance what will happen. Some of
those numbers will be marked by the testing as possibly non-random. Most
will pass. You are correct in asserting that there is no such thing as a
test for true randomness. The problem you seem to be having is realizing
that that does NOT imply that there are not measures capable of indicating
that something may not be random, or tests that show that interior
correlations exist. Given a string of numbers, I can conduct tests to see
if it is biased in a specific way with statistical tests. I cannot say
that it definitely is biased due to those tests, but I can say that only 1
in N numbers possesses the properties that it does and thus flag the
possibility that the source generating the number I am using is not bias
free.
I also cannot definitely say that it is bias free as I am only testing a
very tiny subset of all possible biases.
>
>
> Until someone demonstrates convincingly to the contrary, I will
> continue to maintain that there can be no definitive statistical tests
> for true randomness for deciding whether a discrete process which
> generates finite sequences is either truly random or not truly random.
>
I agree but I will maintain that there can be indicative statistical tests
of randomness useful in the decision that a discrete process which
generates finite sequences is producing output with potential weaknesses
to certain methods of analysis.
>
> Statistical tests only disclose properties of a process that can be
> termed "pseudo-random", which is based on notions derived from an
> analysis of infinite sequences - the law of large numbers.
>
> Pseudo-randomness may be suitable for some applications, but it is not
> suitable for provably secure crypto.
>
> Bob Knauer
>
> "The important thing is to stop lying to yourself. A man who lies
> to himself, and believes his own lies, becomes unable to recognize
> the truth, and he ends up losing respect for himself as well as for
> others. When he has no respect for anyone, he yields to his impulses,
> indulges in the lowest forms of pleasure, and behaves in the end like
> an animal, in satisfying his vices."
> --Dostoevsky (The Brothers Karamazov)
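Added example, not code from anyone in the thread: the Chi Squared test that was asked for, run over three constructed byte strings. It shows both halves of the reply above: a test can flag a sequence as "only 1 in N unbiased sources would produce this", and a sequence can pass one test (balanced bit counts) while failing another (2-bit pattern counts), which is the "very tiny subset of all possible biases" caveat. The critical values are the standard chi-square table entries at the 0.01 level; the p-value for the one-degree-of-freedom case uses the exact survival function.

```python
import math

# Added example (not from the thread): chi-square frequency tests over
# constructed byte strings. A statistic above the 0.01 critical value is
# something an unbiased source produces only about 1 time in 100.
CRITICAL_P01 = {1: 6.635, 3: 11.345}   # standard chi-square table, df = 1 and df = 3


def chi_square(observed, expected) -> float:
    """Pearson's statistic: sum over categories of (O - E)^2 / E."""
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected))


def monobit_test(data: bytes) -> dict:
    """Are 0 and 1 bits equally frequent? One degree of freedom."""
    ones = sum(bin(b).count("1") for b in data)
    n = 8 * len(data)
    stat = chi_square((n - ones, ones), (n / 2, n / 2))
    p_value = math.erfc(math.sqrt(stat / 2))   # exact survival function for df = 1
    return {"statistic": stat, "p_value": p_value, "flagged": stat > CRITICAL_P01[1]}


def pair_test(data: bytes) -> dict:
    """Are the 2-bit patterns 00, 01, 10, 11 equally frequent? Three degrees of freedom."""
    counts = [0, 0, 0, 0]
    for b in data:
        for shift in (6, 4, 2, 0):
            counts[(b >> shift) & 3] += 1
    n = sum(counts)
    stat = chi_square(counts, [n / 4] * 4)
    return {"statistic": stat, "flagged": stat > CRITICAL_P01[3]}


# Constructed inputs: perfectly balanced bits, heavily skewed bits, and a
# pattern that is balanced bit-for-bit yet completely correlated.
BALANCED = bytes(range(256))
SKEWED = b"\x01" * 256
ALTERNATING = b"\xAA" * 256


def report(data: bytes) -> dict:
    """Both tests on one input; a pass means 'not flagged', never 'proven random'."""
    return {"monobit": monobit_test(data), "pairs": pair_test(data)}


if __name__ == "__main__":
    for name, data in (("balanced", BALANCED), ("skewed", SKEWED), ("alternating", ALTERNATING)):
        print(name, report(data))
```

Running it on the alternating input is the instructive case: the monobit statistic is exactly 0 (nothing to flag), while the pair test is enormous, so a source that only ever passed the first test would still be useless.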
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Encryption and the Linux password files
Date: Wed, 24 Mar 1999 20:59:39 GMT
[EMAIL PROTECTED] (Chris Monico) wrote, in part:
>Any box with a competent sys admin has a shadowed passfile, and not
>simply the default /etc/password.
True, and the default password file has to exist for compatibility reasons
with some old database software that uses it to find users...
Oh, yes.
"I've just found an enormous security flaw in Unix!
No, you haven't." - from a famous FAQ. Yes, he has. Requiring people to
change the permissions on their *directories* to keep a write-protected
file from being deleted is *not* a good idea. And, since sometimes the
owner of a file is charged rental fees for disk space, you don't want a
"chown" command: instead, "offown" and "accown" (offer and accept
ownership) to be executed by the former and prospective owners of a file
are what is required.
*Otherwise*, Linux and its ancestors do provide - even if, in some cases,
in a truncated form - all the essentials of an operating system. And there
are some very nice things about that family of operating systems.
But it is definitely not secure by default.
John Savard (teneerf is spelled backwards)
http://members.xoom.com/quadibloc/index.html
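Added example, not from John Savard's post or the FAQ he quotes: a small audit of passwd-format lines for the property the quoted poster relies on, that the password field holds only the shadow marker and no hash, plus a mode check for the shadow file itself. The sample lines, user names and the placeholder hash are constructed; the 7-field colon layout and the `x`/`*`/`!` markers are the standard ones.

```python
import stat

# Added example (not from the post): flag passwd entries that still carry a
# hash (or nothing at all) in the password field instead of the shadow marker.
# Sample lines below are constructed; the hash value is a placeholder.

SHADOW_MARKERS = {"x", "*", "!", "!!"}   # "look in shadow" or "account locked" markers


def parse_passwd_line(line: str):
    """Split one passwd line into the fields this audit needs; None if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    return {"user": fields[0], "password": fields[1], "uid": int(fields[2])}


def audit_passwd(text: str) -> dict:
    """Classify every entry: hash exposed in passwd, empty password, shadowed, or malformed."""
    result = {"exposed": [], "empty": [], "shadowed": [], "malformed": []}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_passwd_line(line)
        if entry is None:
            result["malformed"].append(line)
            continue
        pw = entry["password"]
        if pw == "":
            result["empty"].append(entry["user"])       # no password at all
        elif pw in SHADOW_MARKERS:
            result["shadowed"].append(entry["user"])    # hash lives in /etc/shadow
        else:
            result["exposed"].append(entry["user"])     # hash readable by every local user
    return result


def shadow_mode_ok(mode: int) -> bool:
    """/etc/shadow must not be readable by 'other' and not writable by group or other;
    0640 (root:shadow) is the usual upper limit."""
    return (mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP)) == 0


SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# constructed sample; 'legacy' keeps a hash in passwd, 'guest' has no password
legacy:$1$saltsalt$placeholderhashvalue:1001:1001:Legacy App:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
broken:x:5
"""

if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD))
    print("0640 ok:", shadow_mode_ok(0o640), " 0644 ok:", shadow_mode_ok(0o644))
```

On a live system the same function would be fed the contents of `/etc/passwd` and `shadow_mode_ok` the `st_mode` of `/etc/shadow`; anything in `exposed` or `empty` is the "not shadowed" condition the post is talking about.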
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Basic OTP questions
Date: Wed, 24 Mar 1999 17:06:26 GMT
In article <e3BJ2.37715$[EMAIL PROTECTED]>,
"Tim Mavers" <[EMAIL PROTECTED]> wrote:
> I just started reading Applied Cryptography and had some basic questions
> regarding OTPs. In the book, he says that in theory a OTP is the perfect
> encryption because as long as you have random numbers in your keys, it would
> be impossible to determine the message because the ciphertext could be
> deciphered to any phrase. Not knowing the phrase would make it impossible
> to tell if you had the right key.
>
> Now isn't this the case with most encryption algorithms? You really have to
> know what you're looking for in order to find it, right?
>
> On that note, how does one know if you have the right message? I was
> always curious to know this after reading about Deep Crack and the other
> various brute-force attacks against DES. With the kinds of possible
> combinations they go through, how the heck do they know when they have found
> the right message? I am sure at some point, certain phrases may come up
> that appear to be legitimate, where in all actuality, they are just anomalies
> generated by coincidence.
Suppose you know that the plaintext is all ASCII. You try exhaustive
key search on a few captured ciphertext blocks.
Yes you get some false alarm keys (where the decrypt is all ASCII) for each
ciphertext block you try the keys on. But you do the same thing for other
captured blocks, and the intersection of the false keys will be the
real key.
The looser your constraints (ASCII vs. ascii-printable) the more
false alarms. In the best case (tightest constraints), you know the plaintext
for your captured ciphertext.
But this doesn't work with OTP because all decryptions are equally likely.
Or in other words, there are always too many degrees of freedom, no matter
how much plaintext/ciphertext you capture, to obtain a solution.
You can see this. For any plaintext HATE encrypted with some key to WBZY,
there is *always* another key which maps LOVE to WBZY. And for *any*
plaintext you want to suppose, there is a key mapping it to the same
ciphertext.
Because each bit of 'cargo' is mixed with an equal amount of uncertainty
(which isn't uncertainty to the other party with the same 'tape'.)
It may help to remember that block ciphers are efficient *simulations*
of huge lookup tables, one table per key. (E.g., IDEA uses funky
math to simulate 2^128 tables, each table being one of the 2^64!
permutations of 2^64 values.)
later,
About 60 or 70 percent of NSA were smoking pot -- a lot of them while on
duty. It's very relaxing, particularly when you're bored with the
Russian or East German traffic that is coming through.
http://jya.com/nsa-40k.htm
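Added example, not code from the original poster: a toy 32-bit block cipher with a 16-bit key, small enough to search exhaustively in a few seconds, shows the "false alarm keys" that pass an all-printable-ASCII filter on one block and how intersecting the candidate sets across several captured blocks narrows them toward the real key. Beside it, the one-time-pad half of the reply: for the ciphertext WBZY there is one pad that yields HATE and a different pad that yields LOVE, and both are equally valid. The cipher, the key 0xBEEF and the message blocks are all constructed for illustration.

```python
# Added example (not from the post): exhaustive key search with a plausibility
# filter on a constructed toy cipher, and the "any plaintext fits" property of
# the one-time pad. Nothing here is a real cipher or real traffic.

MASK32 = 0xFFFFFFFF


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def _rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK32


def toy_encrypt(block: int, key: int) -> int:
    """Invertible 32-bit block function keyed by 16 bits (constructed toy)."""
    k = (key << 16) | key
    x = _rotl(block ^ k, 5)
    x = (x + k) & MASK32
    return _rotl(x, 11) ^ ((k * 0x9E37) & MASK32)


def toy_decrypt(block: int, key: int) -> int:
    """Exact inverse of toy_encrypt."""
    k = (key << 16) | key
    x = _rotr(block ^ ((k * 0x9E37) & MASK32), 11)
    x = (x - k) & MASK32
    return _rotr(x, 5) ^ k


def looks_like_text(block: int) -> bool:
    """The constraint from the post: all four bytes printable ASCII."""
    return all(0x20 <= (block >> s) & 0xFF <= 0x7E for s in (24, 16, 8, 0))


def candidate_keys(cipher_block: int) -> set:
    """Every 16-bit key whose decryption of this one block passes the filter:
    the real key plus the false alarms."""
    return {k for k in range(1 << 16) if looks_like_text(toy_decrypt(cipher_block, k))}


def narrow_keys(cipher_blocks) -> set:
    """Intersect the candidate sets of several captured blocks; the real key
    survives every block, a false alarm has to get lucky every time."""
    survivors = None
    for c in cipher_blocks:
        cands = candidate_keys(c)
        survivors = cands if survivors is None else survivors & cands
    return survivors if survivors is not None else set()


def otp_key_for(plaintext: bytes, ciphertext: bytes) -> bytes:
    """The pad that maps a chosen plaintext onto a given ciphertext (XOR pad)."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("pad length must equal message length")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def otp_apply(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


PLAINTEXT_BLOCKS = [b"Pay ", b"$100", b" to ", b"Bob.", b"Now!"]   # constructed
TRUE_KEY = 0xBEEF                                                   # constructed
CIPHERTEXT_BLOCKS = [toy_encrypt(int.from_bytes(b, "big"), TRUE_KEY)
                     for b in PLAINTEXT_BLOCKS]

if __name__ == "__main__":
    per_block = [len(candidate_keys(c)) for c in CIPHERTEXT_BLOCKS]
    survivors = narrow_keys(CIPHERTEXT_BLOCKS)
    print("candidates per block:", per_block, "after intersection:", len(survivors),
          "true key present:", TRUE_KEY in survivors)
    for guess in (b"HATE", b"LOVE"):
        pad = otp_key_for(guess, b"WBZY")
        print(guess, "<- WBZY with pad", pad.hex(), "->", otp_apply(b"WBZY", pad))
```

The two halves differ in exactly the way the post says: with the block cipher, each extra captured block multiplies the number of constraints while the key stays 16 bits, so the candidate set collapses; with the pad, each extra byte of ciphertext brings exactly one extra byte of key, so the candidate set never shrinks.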
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Walk
Date: Wed, 24 Mar 1999 21:48:57 GMT
"R. Knauer" wrote:
> Now that we have cleared all that up, why doesn't someone on the
> opposite side of this debate get down to business and propose a
> particular statisitcal test for randomness.
Because in this thread you seem to be the only one who claims that
anyone maintains that there is a reliable test for "randomness".
At least four of us have explained to you what role statistical
tests actually have in this connection; we're all in general
agreement, and consistent with established statistical theory.
A complete explanation would amount to a short course in statistics,
which is not feasible in this forum even if any of us were inclined
to present it. It has been suggested that you go off and actually
learn the subject so you will understand what the rest of us are
saying.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: el-gamal as permutation for OAEP?
Date: 14 Mar 1999 02:01:18 GMT
David A Molnar <[EMAIL PROTECTED]> wrote:
> can el-gamal be turned into a k-to-k bit permutation suitable for
> use with optimal asymmetric encryption padding?
> does anyone do this? has it been studied in theory or practice?
hi. In case anyone cares, it looks like a paper along these lines was
submitted at the August 1998 meeting of the P1363a ("addendum to IEEE
standard 1363") working group.
DHES: An Encryption Scheme Based on the Diffie-Hellman Problem
Michel Abdalla, Mihir Bellare and Phillip Rogaway, August 1998.
available at http://grouper.ieee.org/groups/1363/addendum.html
I'll look more carefully next time.
Thanks,
-David Molnar
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: ElGamal vs RSA
Date: Sun, 14 Mar 1999 03:02:44 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>
> > > For a given key size, DH over GF(2^n) is
> > > slightly less secure than RSA, but users can compensate for this by
> >
> > No!!! It is significantly less secure. DL over GF(2^1024) is almost
> > within reach now. DL over GF(p) where p is an odd 1024-bit prime is NOT
> > in reach.
>
> Bob -
>
> My news host is expiring these posts faster than I can read them --
> I may have missed something.
>
> Can you answer the following:
>
> If you select a large p for GF(p), does the choice of
> a generator g for g^x mod p matter, so long as it is
> a generator of GF(p)?
No, it doesn't matter.
> It's often said that it is not
> necessary for g to be a generator of the whole field,
> but it is better.
>
> Why (esp. when 2 is used as a generator) is p selected
> such that (p-1)/2 is also prime?
There are attacks which work in small(er) subgroups that are more efficient
than solving a DL problem over the entire group. One wants the group
the DL problem resides in to be as large as possible.
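Added example, not code from anyone in the thread: the orders of all elements of Z_p^* for two small constructed primes, p = 23 (where (p-1)/2 = 11 is prime) and p = 31 (where p-1 = 2*3*5). A discrete log to base g only ever lives in the subgroup g generates, whose size is the order of g, so the histogram shows directly why the safe-prime choice matters: every base other than 1 and -1 lands in a subgroup of size at least (p-1)/2, whereas for p = 31 there are bases of order 3, 5 or 6. The check for 2 as a base, which the question asks about, is included.

```python
from collections import Counter

# Added example (not from the thread): element orders in Z_p^* for a safe prime
# and for a prime with smooth p-1. Primes here are constructed toy sizes.


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p: int) -> bool:
    """p prime with (p-1)/2 also prime, the condition asked about in the post."""
    return is_prime(p) and is_prime((p - 1) // 2)


def multiplicative_order(g: int, p: int) -> int:
    """Smallest t >= 1 with g^t = 1 (mod p): the size of the subgroup g generates,
    i.e. the size of the group a DL to base g actually lives in."""
    if g % p == 0:
        raise ValueError("g must be nonzero mod p")
    x, t = g % p, 1
    while x != 1:
        x = (x * g) % p
        t += 1
    return t


def order_histogram(p: int) -> dict:
    """How many elements of Z_p^* have each possible order (all orders divide p-1)."""
    return dict(Counter(multiplicative_order(g, p) for g in range(1, p)))


def smallest_useful_subgroup(p: int) -> int:
    """Smallest subgroup order beyond {1} and {1, -1}: the smallest DL problem
    a non-trivial base can possibly land in."""
    return min(o for o in order_histogram(p) if o > 2)


if __name__ == "__main__":
    for p in (23, 31):      # 23 = 2*11 + 1 is safe; 31 - 1 = 2*3*5 is smooth
        print(p, "safe" if is_safe_prime(p) else "not safe", order_histogram(p),
              "smallest non-trivial subgroup:", smallest_useful_subgroup(p))
    print("order of 2 mod 23:", multiplicative_order(2, 23))
```

For p = 23 the base 2 has order 11, not 22, so it is not a generator of the whole field, yet the DL problem it defines still sits in a subgroup of prime order (p-1)/2, which is the "not necessary but fine" situation the question mentions.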
------------------------------
From: Marcin Kontak <[EMAIL PROTECTED]>
Subject: paper
Date: Wed, 24 Mar 1999 23:09:36 +0100
Could anybody help me ?
Where can I get papers:
* K. Nyberg - "Perfect Nonlinear S-boxes"
* O. S. Rothaus - "On 'Bent' Functions"
* S. Mister - "Notes on Maiorana Functions and S-Box Design"
Thanks !!!
My e-mail: [EMAIL PROTECTED]
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: paper
Date: Wed, 24 Mar 1999 22:20:14 GMT
Marcin Kontak wrote:
> Where can I get papers:
> * O. S. Rothaus - "On 'Bent' Functions"
Published in J. Comb. Th., 20 (1976), pp. 330-335.
With that information, any good technical library ought to be able
to eventually get you a copy.
I don't know about the S-box papers.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Computer Security Education
Date: Wed, 24 Mar 1999 22:14:33 GMT
[EMAIL PROTECTED] wrote:
> I would like to learn about the other aspects of computer security - is there
> an educational institution that can facilitate my wish?
Peter Neumann at U.Md. is organizing a general information-security
course to start in Fall 1999. A few other universities are working
in collaboration.
------------------------------
From: "Sassa" <[EMAIL PROTECTED]>
Subject: Re: compare RSA and D-Hellman
Date: Wed, 24 Mar 1999 21:48:05 +0200
Reply-To: [EMAIL PROTECTED]
hi
> BTW, Dan Boneh has recently proved that attacking
> ECDH is fully exponential if
> ECDLP is. These analogous statements are not (known to be) true for DH and DLP
> and RSA and IFP.
> Don Johnson
i am new to here, so would you please expand these for me:
ECDH, ECDLP, DLP, IFP?
what do they stand for?
--
Sassa
Apiary Inc.
______
@()(_)
/\\
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Message Digest
Date: Wed, 24 Mar 1999 22:42:37 GMT
> >Question:
> >
> >Given a 256 bit message, and a 128 bit digest, are there 2^128 256 bit
> >messages that will make the same message digest?
>
> Yes, that sounds reasonable to me.
Thanks.
Tom
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: RSA key distribution
Date: 24 Mar 1999 22:50:20 GMT
I abstained for a few reasons:
1. I thought the bankers/users should make the decision, I work for a vendor.
2. I personally was unsure whether or not strong primes might provide a higher
level of security, at least in relation to the nominal performance cost. The
HAC says it is not wrong to decide to use them. I heard a guy at a crypto
conference arguing for what he called safe RSA primes with even more criteria
than strong primes. My uncertainty may be because of my lack of knowledge, but
is not the lack of knowledge an essential assumption of all crypto?
3. Working for Certicom, it was possible that a YES or a NO vote on this
question could be misinterpreted.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: compare RSA and D-Hellman
Date: 24 Mar 1999 22:54:21 GMT
ECDH = Elliptic Curve Diffie Hellman
ECDLP = Elliptic Curve Discrete Logarithm Problem
IFP = Integer Factorization Problem
DLP = (Normal) Discrete Logarithm Problem, over a finite field.
Don Johnson
------------------------------
From: karl malbrain <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Sat, 20 Mar 1999 02:08:56 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> In the limit of infinitely large numbers entropy is applicable. But we
> are dealing with finite sequences, so it may not be as applicable as
> we imagine.
>
Your problem here is your ORTHODOX usage of chaos. I PREPARED and GROUNDED
here already a LINEAR/ANALOG definition: <<ENTROPY=CHAOS/DEGREES OF
ORTHOGONALITY>>
> "There is much to be said in favour of modern journalism. By giving us the opinions
> of the uneducated, it keeps us in touch with the ignorance of the community."
As to your <<scoop du jour>> one has to factor to a LIQUIDATED REMAINDER the
opinions from modern journalism (read VULGAR MATERIALISM). Karl M
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************