Cryptography-Digest Digest #290, Volume #9       Fri, 26 Mar 99 21:13:03 EST

Contents:
  Re: Random Walk ("Trevor Jackson, III")
  Re: password (Jim Felling)
  Re: How do I determine if an encryption algorithm is good enough? (Ludvig Strigeus)
  Re: Help with DSS Prime Number Generation (Wei Dai)
  Re: How do I determine if an encryption algorithm is good enough? (Sundial Services)
  Re: How do I determine if an encryption algorithm is good enough? (Sundial Services)
  Re: How do I determine if an encryption algorithm is good enough? (Andrew Carol)
  USENIX Annual Conference, June 6-11,  Monterey CA (Jennifer Radtke)
  Re: On Moduli that are not quite kosher... ([EMAIL PROTECTED])
  Re: Tripple DES key length. (DJohn37050)
  Re: RNG quality in browsers? (Mika Niemi)
  Re: Random Walk (R. Knauer)
  Re: How do I determine if an encryption algorithm is good enough? (R. Knauer)

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 16:42:42 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random Walk

R. Knauer wrote:
> 
> On 26 Mar 1999 09:05:57 -0500, [EMAIL PROTECTED] (Patrick Juola)
> wrote:
> 
> >>The problem is in accepting an unknown amount of uncertainty.
> 
> >That's where "expert judgement" comes in.  In my "expert judgement,"
> >I don't want that job and I won't take it.
> 
> This whole issue has a straightforward explanation - if people would
> just catch on to the real meaning behind the concept of probability.

Should we anticipate a Revealed Truth?  When is it due?

> 
> Probability for finite random sequence generation does not mean
> absolute certainty, no matter how confident someone thinks it is.
> Passing or failing statistical tests does not characterize a process
> as random or non-random - it only gives an indication that it *might*
> be random or non-random based on the notion of pseudorandomness.
> 
> Some of the confusion about probability theory comes from the looney
> interpretations of quantum measurement. People may not realize that
> Schrodinger invented his famous Cat to expose the insanity of the
> Copenhagen interpretation. He knew perfectly well that it is crazy to
> talk about his Cat being in a superposition of 1/2 alive and 1/2 dead,
> before the measurement of its actual condition.

If you are going to revise history, I'm interested in your version of
the Pope's dicta in re Galileo and the movement of the earth.  Did he
know perfectly well that it was crazy to talk about the Earth being flat
given that the Greeks had proven the curvature of the earth several
centuries BC?

> 
> The correct interpretation of probability theory, which apparently has
> some people agitated, is that statistical tests do not characterize a
> process as random or non-random, any more than the Schrodinger wave
> equation characterizes the actual condition of the Cat.
> 
> Statistical tests are useful only in tipping you off to the
> *possibility* that a process is random or non-random, but that is all
> they are good for - to give you a hint. All Schrodinger's equation
> tells you is that the Cat *could* be alive or dead - it does not tell
> you what the actual condition is. To determine the actual condition
> for an actual Cat, you must do something else than look at statistical
> measures of ensembles of Cats.

Well, opening the box and looking at the cat is one well-understood
method of evaluating the state of the cat.  What "something else" did
you have in mind?

For an RNG the equivalent of opening the box and looking at the cat is
to build an RNG and look at its output.  Gee, what do you think I should
look for?

> 
> To decide conclusively whether a process is random or non-random
> requires an analysis that is not statistical in nature - an analysis
> based on first principles. Look upon your beloved statistical tests
> only as a measure of a property of random number generation called
> "pseudorandomness", and let that property serve as a guide in your
> quest for processes that are truly random or non-random. But do not
> let it blind you - deceive you into thinking that just because it says
> it is highly confident, therefore it is absolutely certain.

The only person here who confuses high confidence with certainty is
you.  Your statements of the form "anything not certain is uncertain and
the degree of uncertainty is not measurable" lead to the conclusion that
you do not understand how to measure ignorance.  Statistics is mostly a
measure of ignorance.

Note that if you cannot measure something you cannot claim to be using
scientific or engineering principles.  So, just what are these "first
principles" you referred to that do not involve measurement?

> 
> As Williams & Clearwater state in their book on quantum computing:
> "As we show, even when random number generators pass such statistical
> tests, the sequence of numbers it generates may still not be random
> enough to serve as an approximation to a true random process." That's
> the statement of physicists, and shows you how they deal with true
> randomness in quantum mechanics.

Why don't you query those authors and get a definition of "random
enough".  I don't even need a formula, just a rigorous definition of the
unit of measure for "enough" randomness.  For extra credit, ask them to
quantize the "approximation of a true random process".  Again, I don't
need a formula, just the units of measure for the degree or quality of
approximation.

Without those definitions the quote above is mystical claptrap.  With
those definitions we might be able to communicate about the topic.

> 
> Pseudorandomness, which is measured with statistical tests, is neither
> a necessary nor sufficient condition for true randomness - it is only
> an approximation to true randomness, one which is not really all that
> good even in the limit of large numbers.

Oh really?  How do you measure the "goodness" of pseudo-random numbers
as an approximation of true randomness?  You keep making
unsubstantiated, even undefined, statements with no rational basis.  No
wonder people are skeptical of your claims.  

> 
> One thing is for sure about a discussion of true randomness - it
> exposes people's epistemological prejudices. The position I have
> taken, for example, exposes my Realism worldview very clearly. Others
> have the view that if a process has the *appearance* of randomness
> exposed by statistical tests - then it is close enough to be truly
> random.

So, instead of the "appearance" of randomness we should have the "real
thing", based, I suppose, on some rigorous definition of the inner
workings of true randomness.  Just what are those inner workings pray
tell?  And how do you know them when you see them?


------------------------------

From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: password
Date: Fri, 26 Mar 1999 16:08:39 -0600

I too occasionally use uswest's servers.  They had a reboot/server glitch a
while ago.  This has probably screwed up your message records (news.rc etc.)
-- starting fresh with a new news reader/deleting your present news
reader's folders for the uswest.net server and restarting will fix this.
(You probably are getting messages like "345 messages on server 0 unread",
etc.)  My suggestion is, if you are using Netscape, delete your news folder
and re-setup the news.uswest.net connection -- then blamo, sci.crypt is back!

[EMAIL PROTECTED] wrote:

> The sci.crypt newsgroup has been dropped from my uswest.net news server.
>
> Has anyone else had problems like this??
>
> Is there another news server that carries this group??
>
> JK
>


------------------------------

From: [EMAIL PROTECTED] (Ludvig Strigeus)
Subject: Re: How do I determine if an encryption algorithm is good enough?
Date: Fri, 26 Mar 1999 23:10:28 +0100

Hi!

> <<How can I test if this algorithm is easily crackable?>>
> General rule: if you don't have years of experience making
> cryptographic systems, then it is definitely easily crackable. (Even
> then, odds are not so good. :-D  )

Maybe this one I've created is hard to crack, even though I have no 
cryptographic experience.

You can't assume that it's bad, without examining it first.

Regards,
Ludvig Strigeus


------------------------------

From: [EMAIL PROTECTED] (Wei Dai)
Subject: Re: Help with DSS Prime Number Generation
Date: Fri, 26 Mar 1999 14:20:30 -0800

In article <7dgjqm$f4t$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...
> 
> I'm working on implementing the prime number generator from the DSS 
> (FIPS-186-1) standard, and am having difficulty getting my data to match 
> the test patterns provided in the standard.  I've been successfully able 
> to generate the same Q value as shown in the standard, but I can't get 
> the corresponding P value to match.  Unfortunately, the standard does not 
> provide any intermediate results of the generation process, so I'm 
> struggling debugging the problem.
> 
> Does anyone have any intermediate values for V, W, X, and C for this 
> algorithm so that I can debug my implementation?
>
> Note that I am using SHA-1, and the updated test patterns provided by 
> NIST in FIPS-180 change notice No. 1, 12/30/96.

Crypto++ implements DSS prime number generation. You can download it 
from http://www.eskimo.com/~weidai/cryptlib.html and modify 
GenerateDSAPrimes() in dsa.cpp to print out the intermediate values you 
want.

Another possibility is to temporarily change your SHA-1 implementation 
to SHA-0 and use the intermediate values for SHA-0 (which I think is 
available on the web somewhere) to debug.
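As an added illustration of the debugging approach suggested above (this is example code written for this digest, not Wei Dai's Crypto++ code and not from the original post): a small reference implementation of the FIPS 186-1 Appendix 2.2 prime generation procedure that records V, W, X and c for every candidate, so a port can be compared step by step. The function and parameter names are my own; the seed, counter and q are the published FIPS 186 example values for L = 512.

```python
import hashlib

# Example code, not from the original post or from Crypto++: FIPS 186-1
# Appendix 2.2 prime generation with a trace of the intermediate values.

def sha1_int(x: int, nbytes: int) -> int:
    """SHA-1 of the big-endian encoding of x, returned as an integer."""
    return int.from_bytes(hashlib.sha1(x.to_bytes(nbytes, "big")).digest(), "big")

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with fixed small bases; adequate for a debugging harness."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in range(2, 2 + rounds):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_dsa_primes(seed: int, L: int = 512, g: int = 160, trace=None):
    """One pass of FIPS 186-1 Appendix 2.2 for a fixed SEED of g bits.
    Returns (p, q, counter), or None if q is composite or no p is found in
    4096 candidates.  If `trace` is a list, (counter, V, W, X, c) is appended
    for every candidate p so that intermediate values can be compared."""
    n, b = divmod(L - 1, g)
    # Steps 2-3: U = SHA(SEED) XOR SHA((SEED+1) mod 2^g); set top and bottom bits.
    U = sha1_int(seed, g // 8) ^ sha1_int((seed + 1) % (1 << g), g // 8)
    q = U | (1 << (g - 1)) | 1
    if not is_probable_prime(q):            # Step 4: this SEED yields no q
        return None
    counter, offset = 0, 2                  # Step 5
    while counter < 4096:
        # Step 6: V_k = SHA((SEED + offset + k) mod 2^g) for k = 0..n
        V = [sha1_int((seed + offset + k) % (1 << g), g // 8) for k in range(n + 1)]
        # Step 7: W = V_0 + V_1*2^g + ... + (V_n mod 2^b)*2^(n*g)
        W = sum(V[k] << (g * k) for k in range(n)) + ((V[n] % (1 << b)) << (g * n))
        X = W + (1 << (L - 1))              # Step 8: X is now an L-bit number
        c = X % (2 * q)                     # Step 9
        p = X - (c - 1)                     # p is congruent to 1 mod 2q
        if trace is not None:
            trace.append((counter, V, W, X, c))
        if p >= (1 << (L - 1)) and is_probable_prime(p):   # Steps 10-11
            return p, q, counter
        counter += 1                        # Step 13
        offset += n + 1
    return None

if __name__ == "__main__":
    SEED = 0xd5014e4b60ef2ba8b6211b4062ba3224e0427dd3   # FIPS 186 example SEED
    steps = []
    p, q, counter = generate_dsa_primes(SEED, 512, trace=steps)
    print(f"q = {q:x}\np = {p:x}\ncounter = {counter}")
    for k, v in enumerate(steps[-1][1]):    # intermediates of the successful candidate
        print(f"V[{k}] = {v:x}")
    print(f"W = {steps[-1][2]:x}\nX = {steps[-1][3]:x}\nc = {steps[-1][4]:x}")
```

Comparing the V, W, X and c printed for each counter value against a port is usually enough to locate a wrong step; a mismatch in q points at steps 2-3 (or the hash), a mismatch at the first candidate at step 7, and a later divergence at the offset bookkeeping in step 13.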

------------------------------

Date: Fri, 26 Mar 1999 16:42:48 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: How do I determine if an encryption algorithm is good enough?

Ludvig Strigeus wrote:
> 
> Hi!
> 
> I've created my own encryption algorithm, but how do I test if it's
> secure?

The first thing to consider is, "crackable by whom?"  How likely is it,
actually, that anyone at all is going to -attempt- to crack your
encryption and how hard are they likely to work at it?  The simplest
"masking" technique might be good enough if the answer is sufficiently
small.

If, on the other hand, you could assume that a determined attacker who
had intercepted your newsgroup posting (i.e. he knew exactly what
algorithm you had used) also had possession of 1,000 messages sent using
this system ... THAT would be a different kettle of fish indeed and your
algorithm might not survive.

And there would have been no reason for you to have devised the
algorithm in the first place, because you could have acquired from the
Internet any number of recognized cipher algorithms whose
characteristics are well-known.  You could easily acquire an algorithm
that would brace itself against such an attacker without flinching.  And
then there would be little reason to "roll your own."

------------------------------

Date: Fri, 26 Mar 1999 16:45:34 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: How do I determine if an encryption algorithm is good enough?

Ludvig Strigeus wrote:

> Maybe this one I've created is hard to crack, even though I have no
> cryptographic experience.
> 
> You can't assume that it's bad, without examining it first.

Maybe it is, maybe it isn't ... but don't take pride of authorship when
it comes to an encryption algorithm.  Better to assume, "it's crap, but
I just don't know that yet."  :-)  Every algorithm worth its salt has
gone through man-years of peer review.  It's not worthwhile to react
defensively to criticism.

When there are boatloads of algorithms out there whose characteristics
are well-known, people usually _will_ make the observation that it is
improbable a homebrew device will be better.  Not certain, but
improbable.

------------------------------

From: Andrew Carol <[EMAIL PROTECTED]>
Subject: Re: How do I determine if an encryption algorithm is good enough?
Date: Fri, 26 Mar 1999 15:44:37 -0800
Reply-To: [EMAIL PROTECTED]

In article <[EMAIL PROTECTED]>, Ludvig
Strigeus <[EMAIL PROTECTED]> wrote:

> Maybe this one I've created is hard to crack, even though I have no 
> cryptographic experience.
> 
> You can't assume that it's bad, without examining it first.

<analogy mode on>

Maybe this surgical procedure I've created will cure you, even though I
have no medical experience.

You can't assume that it's bad, without letting me operate first.

<analogy mode off>

While it is possible that a system developed without any experience
will be a good one, it probably won't be.  There is that rare exception
that people will always point to, but they will neglect to mention the
vast percentage that were total failures.

The odds greatly favor that people with experience in a field will
typically do better than those who have none.

--- Andrew

------------------------------

From: [EMAIL PROTECTED] (Jennifer Radtke)
Subject:  USENIX Annual Conference, June 6-11,  Monterey CA
Date: Sat, 27 Mar 1999 00:07:15 GMT

System administrators, developers, and other UNIX gurus get the why as
well as the how-to at this renowned conference.

24th ANNUAL USENIX TECHNICAL CONFERENCE
June 6-11, 1999
Monterey, California

Includes FREENIX Track devoted to the latest developments and
interesting applications in open source software. Peer-refereed papers,
expert talks, and evening sessions will be led by the likes of Linus
Torvalds, Richard Stallman, Kirk McKusick, Theodore Ts'o, Theo de Raadt,
and other leading developers.
========================================================================
Review the program and register online at:
http://www.usenix.org/events/usenix99
========================================================================
Sponsored by USENIX, the Advanced Computing Systems Association

24 TUTORIALS OVER THREE DAYS
Training at a serious level--Eric Allman, Tom Christiansen, Peter
Galvin, Evi Nemeth, and Marcus Ranum are among the superb instructors.

CUTTING-EDGE TECHNICAL SESSIONS
Refereed papers of especially high interest: virtual memory
systems, storage, security, web server performance, resource systems
management, file systems, and O/S performance.
Stimulating, highly practical Invited Talks: UNIX/Open System & Y2K, 
IPMulticast, E-mail Bombs, IPv6, IP Telephony.
John Ousterhout, creator of Tcl/Tk, focuses his keynote on a fundamental
shift in software development to integration applications.

DEMO PRODUCTS, SHARE SOLUTIONS AND A BEER!
Test drive useful products in the Exhibit Hall.
Exchange how-to and fresh ideas at evening Birds-of-a-Feather sessions.
Mingle at the dessert reception at the wonderful Monterey Bay Aquarium.

"Meeting peers face-to-face for the first time, in a beautiful city
while learning great things makes this a wonderful conference." Bryan
Andregg, Red Hat Software, 1998 Attendee

"I learn as much talking in the halls as in the great talks and
tutorials. An excellent way to get up-to-date with the state of affairs
in the UNIX world." David C. Todd, BBN Technologies, 1998 Attendee

"This was my first USENIX. I'm surprised that one conference could be
flexible to where a 20 year veteran could benefit as well as a newbie."
Allen Wolfe, BHP Petroleum American, Inc., 1998 Attendee
========================================================================
USENIX is the Advanced Computing Systems Association.  Its international
membership includes scientists, engineers, and system administrators
working on the cutting edge of systems and software. USENIX conferences
emphasize exchange of technical excellence, practical solutions and open
airing of issues, unfettered by stodginess or commercialism.



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: On Moduli that are not quite kosher...
Date: Sat, 27 Mar 1999 01:12:07 GMT

Ted Kaliszewski wrote:
> Yes, this is an exception for all primes can be represented by k*2 +1.

I'm assuming that means you cannot factor it.  Note that not
all RSA moduli can be generated by your procedure: only those
for which p-1 and q-1 either share an odd prime factor or are
both divisible by 4.  The modulus I posted is of that special
form: three divides both p-1 and q-1.

> However, if you are so dubious, try something more sensible
> and verify it for yourself.

How can one verify it given that it isn't true?

> Or still, better, give me a 1024-bit modulus that IS a pseudo
> prime. I will deliver the factors, charge free and prompto!

The amazing claim, of which I was skeptical, was that the
given method generates moduli that are easily factored.  If
true, it would have been an important result, since moduli
of that form are common enough that RSA key generation
procedures will produce them.

There are an unlimited number of classes of moduli for which
there are efficient factoring algorithms.  These are of no
importance, since the probability of choosing one is so low
that they never arise in practice, and an attacker would be
wasting his time to check.


--Bryan


------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Tripple DES key length.
Date: 27 Mar 1999 00:47:23 GMT

A double length DES key is 112 key bits and 16 bits which MAY be used for
parity.  A triple length DES key is 168 key bits and 24 bits which MAY be used
for parity.  Both can be an input to the Triple DES algorithm, in the former
case K3 = K1.

Because of the meet in the middle attack, a 3 DES key use of TDES has an
effective strength of 112 bits to the known best attack.  A 2 DES key use of
TDES has an effective strength of min(120/log (2,X),112) where X is the number
of plaintext ciphertext pairs known to the attacker to the known best attacks.
So at 2**8 = 256 pt/ct pairs or less, the strength is 112 bits.  This is all
documented in ANSI X9.52 Triple DES.

Don Johnson

------------------------------

From: Mika Niemi <[EMAIL PROTECTED]>
Crossposted-To: comp.infosystems.www.browsers.misc
Subject: Re: RNG quality in browsers?
Date: Fri, 26 Mar 1999 07:46:07 -0600

Sassa wrote:
> well... if one RNG alone, then indeed, you need 4 bytes to determine initial
> random seed. but what if you choose one of, say, 4 32-bit RNGs using fifth
> 32-bit RNG? i suppose, it will become (32/2)*4 byte sequence?

I am not sure I understand what you mean. It does not matter if many
algorithms are used, if you use 4 algorithms each with a 8-bit seed, the
total amount of initial randomness is 32 bits. A pseudo-RNG cannot add
any randomness to the seed.

For browsers, we can assume that the RNG algorithm itself is not secret. 
If a 32-bit seed is used, it is easy enough for an attacker to generate
a dictionary of all the 128-bit keys that the browser can create, by
going through all the 2^32 seeds. This is much easier than having to go
through the keyspace of 2^128.

Mika Niemi

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Random Walk
Date: Sat, 27 Mar 1999 01:42:18 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 26 Mar 1999 15:55:39 -0600, Jim Felling
<[EMAIL PROTECTED]> wrote:

>I want to cull as seldom as possible without having some inherent weakness in my 
>output.

I believe what you are saying is that you would not let statistical
tests determine whether a TRNG is malfunctioning or not.

I concur with that correct judgement.

True randomness is a concept that is intimately tied up with the
concept of the infinite - where it is perfect. The fact that it is
manifest in the finite is something that is not easily explained away
with probability theory.

The transition from the finite to the infinite is not smooth, but
discontinuous. Yet the finite shares properties with the infinite.
Truly amazing, eh.

>Another thing is if a long run or other bad data

Why would you consider a long run as "bad data"? There is nothing
"bad" with a long run. In many ways, we humans are "bad data" - data
which defy the odds.

I just finished watching some incredible golf. I am not a fan of golf
but that does not mean I will overlook the results of the game when I
see them.

I saw a hole in one - an absolutely incredible occurrence. When I
studied statistical mechanics in grad school, I calculated the
probability that all the molecules of air would be in the corner of a
room - it is astronomically small.

A hole in one is also astronomically small when you calculate it, yet
I saw one (not the first) and not only that, I saw two other golfers
put the ball within a foot of the hole in one stroke. Yes, I realize
that such occurrences are rare. But still these events are not possible
on the basis of traditional probability theory - they have
"vanishingly small" probability, just like the unicorn that does not
exist when the size of the herd gets "large".

Clearly something is going on here that we do not understand based on
traditional probability theory. I have no clue what it is. But
whatever it is, it is very real as can be seen from direct
observation. And it is at the very heart of quantum mechanics.

>I cannot rule out the incidental
>leaking ("Gee you won't believe this-- our TRNG just spit out 1000 1's in a row - I
>diagnosed it and its working perfectly") thereby providing a potential targetable weak
>spot in the TRNG stream.

Is it really that weak?

Here is the ciphertext: "ATTACK AT DAWN"

Yet the real message is: "ATTACK AT DUSK"

The key is the XOR of those two sequences.

Which is the intended message?

I leave you with the fact that mathematicians once proved that bumble
bees could not fly, and also tried to legislate the value of pi =
3.10.

Greg Chaitin, a mathematician himself, has it right - mathematicians
do not have a sense of humor - whereas physicists do. Maybe that is
why I chose to be a physicist instead of a mathematician. I find a hole
in one quite humorous because it is "improbable".

Existence is improbable. Does that make it unreal?

Bob Knauer

"I am clearly more popular than Reagan. I am in my third term.
Where's Reagan? Gone after two! Defeated by George Bush and
Michael Dukakis no less."
-- Marion Barry, Mayor of Washington DC


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: How do I determine if an encryption algorithm is good enough?
Date: Sat, 27 Mar 1999 02:00:35 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 26 Mar 1999 15:44:37 -0800, Andrew Carol <[EMAIL PROTECTED]>
wrote:

>The odds greatly favor that people with experience in a field will
>typically do better than those who have none.

I agree with you in principle, but disagree with you in practice.

Science has progressed only on the basis of disagreement with those
who claim experience. Gadflies win in science.

The establishment tried to burn Galileo at the stake centuries ago,
and only recently has recanted the incredible insanity of that
position.

If we wait much longer for other insane people to recant, it will be
too late.

Bob Knauer

"I am clearly more popular than Reagan. I am in my third term.
Where's Reagan? Gone after two! Defeated by George Bush and
Michael Dukakis no less."
-- Marion Barry, Mayor of Washington DC


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
