Cryptography-Digest Digest #332, Volume #9        Sat, 3 Apr 99 12:13:03 EST

Contents:
  Re: Random Walk ("Douglas A. Gwyn")
  Re: Random Walk ("Douglas A. Gwyn")
  Re: How does one start cracking ciphers? ("Douglas A. Gwyn")
  Re: Is initial permutation in DES necessary? ("Douglas A. Gwyn")
  Re: GPS, encrypted data base and mushroom hunting ("hapticz")
  Re: True Randomness & The Law Of Large Numbers (Herman Rubin)
  Re: True Randomness & The Law Of Large Numbers (Herman Rubin)
  Re: quick RSA key generation question (DJohn37050)
  Re: True Randomness & The Law Of Large Numbers ("Trevor Jackson, III")
  Re: Is initial permutation in DES necessary? ("Trevor Jackson, III")
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)
  Re: S/MIME interoperability: 40 bits only? (Peter Gutmann)
  Re: Q: encryption-friendly hard disk controllers or drives (Peter Gutmann)
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Walk
Date: Sat, 03 Apr 1999 11:06:22 GMT

"R. Knauer" wrote:
> I realize this is a leap (in the direction of my position, at that),
> but is it possible that classical probability and statistics have
> little if anything to do with true randomness, and that classical
> pseudo-random models are grossly inaccurate except at infinity?

If you build your "TRNG" exploiting quantum principles,
then construct a UBP such as a random walk from its output,
you will get the *same* "counterintuitive" features that
you gleaned from Feller.  It isn't a matter of quantum vs.
classical, but rather of defective intuition.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Walk
Date: Sat, 03 Apr 1999 11:21:00 GMT

Dave Knapp wrote:
> Let me second that sentiment strongly!  As a physicist, I am constantly
> appalled by the lack of statistical knowledge of my peers.  I certainly
> don't consider myself an expert at statistics, but I seem to know it a
> lot better than most physicists.
> For a wonderful example of mis-applied statistical analysis in physics,
> look up the Zeta particle "discovery" around 1985, or, better yet, look
> at the original evidence for neutrons from "cold fusion" published by
> Jones.  In both cases, faulty statistical analysis resulted in bogus
> claims.

There were other factors at work, too.

I guess enough years have elapsed that I can tell a story from my
graduate work in physics without embarrassing the parties involved.
Our department specialized in solid-state physics, magnetic critical
point investigation using Mössbauer and perturbed angular correlation
especially.  When some outside researchers reported a "fine structure"
in the magnetization near the critical point, we realized we had on
hand Mössbauer data that could be analyzed as independent verification.
The student who did this was excited to find a "significant" goodness
of fit of some magnetization property vs. temperature near the c.p.,
sinusoidal in nature.  A visiting prof. and I were skeptical, since
there was *no* reason to expect such behavior nor any intuition that
it should happen, and as the creator of the nonlinear least-squares
fitting software I thought I should reanalyze the data.  So I tried
fitting it against time of the experiment rather than temperature,
and found an even *better* fit!  (Possibly there was a coupling with
the fluctuating ambient temperature.)  Anyway, that was sufficient
to show that we didn't have strong evidence corroborating the
claimed "phenomenon".

Then there was "polywater"...

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: How does one start cracking ciphers?
Date: Sat, 03 Apr 1999 11:36:15 GMT

consalus wrote:
> How does one crack ciphers?
> Generally.
> I've read about Differential and Linear cryptanalysis in Applied
> Cryptography,
> but he didn't describe how to do them, just generally how they work.
> Are there other, simpler methods?
> I suppose one could just look at the code and try to figure out
> weaknesses,
> but I'd imagine there'd be something more systematic than that.

The details depend on the circumstances.
If you want a broad, general introduction, that doesn't
address any specific "modern" systems, the MilCryp series
is excellent.  (See the sci.crypt FAQ.)  There are lots
of approaches and techniques, few of which are apparent
until you've been through the training.
If you mean, specific techniques for modern systems,
the people who know how certainly aren't going to tell
everyone about it, because possession of such knowledge
gives a tremendous advantage to the snooper, mostly
when the opposition has no inkling of the vulnerability.
Most of the published work in this area doesn't really
yield practical methods for attacking real systems.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Is initial permutation in DES necessary?
Date: Sat, 03 Apr 1999 11:47:18 GMT

Paul Crowley wrote:
> It seems likely to me that they could have built a stronger cipher
> had they wanted to, but I have no way to be sure.

Yes, but one of the desires was that NSA could crack it if they
really *had* to, in some legitimate national security interest.
Remember, the intended applications were all things not considered
necessary to keep secret from such a determined professional
adversary, but rather from certain kinds of adversary who we were
quite sure wouldn't be able to crack the system during its
expected lifetime.  And this was borne out by the DES cracks that
finally occurred quite recently.  The design was secure enough for
far longer than originally specified.  It was engineered rather
like the "one-horse shay", its parts all of comparable strength.

------------------------------

From: "hapticz" <[EMAIL PROTECTED]>
Subject: Re: GPS, encrypted data base and mushroom hunting
Date: Sat, 3 Apr 1999 07:22:13 -0500

yep, it's just like the salespeople say,...  "Location, location, location!"

--
best regards
[EMAIL PROTECTED]





------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: 3 Apr 1999 09:20:47 -0500

In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On 1 Apr 1999 14:07:34 -0500, [EMAIL PROTECTED] (Herman
>Rubin) wrote:

>>>"Correlation," which is defined in any first-year book on statistics, is
>>>the dependence of one value on another.

>>This is incorrect.  It is the signed extent of LINEAR dependence.

>Aw crap!

>Does this mean I have to be careful which "first-year book on
>statistics" I read?

There are lots of very bad first year books on statistics.  I suggest
that one avoid all those which concentrate on statistical methods, and
do not assume an understanding of probability.  BTW, also avoid those
which assume that real data is normal.

The definition of correlation, which is standard, is such that even
perfect non-linear dependence can occur with ZERO correlation.

Statistics requires probabilistic understanding, and to use it 
properly requires strong skepticism about assumptions.
-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558
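Rubin's point that the standard definition of correlation measures only linear dependence, so that perfect non-linear dependence can coexist with zero correlation, is easy to verify numerically. The following is an added example, not part of the digest: it computes the sample Pearson coefficient and a plug-in mutual-information estimate for a constructed pair X, Y = X**2 with X symmetric about zero. The data and helper names are the editor's, not anything from the thread.

```python
"""Zero Pearson correlation with perfect (non-linear) dependence.

Added example, not from the digest.  Pearson correlation is the signed
extent of LINEAR dependence.  Y = X**2 is a deterministic function of X,
yet for X symmetric about zero the correlation is exactly zero.  Mutual
information, by contrast, captures dependence of any shape.
"""
import math


def pearson(xs, ys):
    """Sample Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two sequences of equal length >= 2")
    mx = sum(xs) / n
    my = sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        raise ValueError("a constant sequence has no defined correlation")
    return cov / math.sqrt(vx * vy)


def mutual_information_bits(xs, ys):
    """Plug-in estimate of I(X;Y) in bits from paired (discrete) samples.

    I(X;Y) = sum p(x,y) log2( p(x,y) / (p(x) p(y)) ); it is zero only when
    X and Y are independent, so it separates 'uncorrelated' from 'independent'.
    """
    n = len(xs)
    px, py, pxy = {}, {}, {}
    for x, y in zip(xs, ys):
        px[x] = px.get(x, 0) + 1
        py[y] = py.get(y, 0) + 1
        pxy[(x, y)] = pxy.get((x, y), 0) + 1
    total = 0.0
    for (x, y), c in pxy.items():
        p_joint = c / n
        total += p_joint * math.log2(p_joint / ((px[x] / n) * (py[y] / n)))
    return total


# Constructed sample: X takes each integer in -5..5 exactly once (symmetric,
# so the sample mean is zero) and Y is a deterministic function of X.
XS = list(range(-5, 6))
YS = [x * x for x in XS]


def demo():
    """Return (Pearson r, mutual information in bits) for the constructed X, Y."""
    return pearson(XS, YS), mutual_information_bits(XS, YS)


if __name__ == "__main__":
    r, mi = demo()
    print(f"Pearson r = {r:+.6f}   (linear dependence: none)")
    print(f"I(X;Y)    = {mi:.4f} bits (Y is completely determined by X)")
```

The covariance vanishes because sum(x**3) and sum(x) are both zero for a symmetric sample, while the mutual information equals H(Y), about 2.55 bits here, since Y is a function of X. Replacing YS with a linear function of XS (for example 2*x + 1) gives r = 1.0, which is the only kind of dependence the coefficient was built to see.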

------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: 3 Apr 1999 09:24:06 -0500

In article <[EMAIL PROTECTED]>,
Jim Felling  <[EMAIL PROTECTED]> wrote:


>"R. Knauer" wrote:

>> On Thu, 01 Apr 1999 09:58:42 -0600, Jim Felling
>> <[EMAIL PROTECTED]> wrote:

                        ..............

>Either I have a 1) defective TRNG that just fooled me on my examination or
>2) a working TRNG that generated statistically unlikely output.

>Given those are the only 2 possible hypotheses, Occam's razor would make me choose
>hypothesis 1 and I therefore would kick out.

There are an infinite number of hypotheses; the hypothesis that you
have a TRNG is one which is essentially impossible.  Occam's razor
is very definitely misused.
-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: quick RSA key generation question
Date: 3 Apr 1999 14:33:31 GMT

The simple answer is yes. One can be fancier.
Don Johnson

------------------------------

Date: Sat, 03 Apr 1999 09:37:32 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers

Douglas A. Gwyn wrote:
> 
> "Trevor Jackson, III" wrote:
> > Note that the assertion of some "inspection process" as superior to
> > statistical testing is fundamentally flawed.  Mathematical history is
> > littered with people who performed the most rigorous analyses of their
> > algorithms, which, in practice, failed miserably.  The best example of
> > this is found in Knuth's early work on "super-randomness".
> 
> My favorite example was Dijkstra's "A Discipline of Programming",
> in which he maintained that his examples were error-free, which he
> was sure of even though they had never been compiled, because he
> had followed his discipline.  I stopped studying them after I
> found the 7th bug.

Classic puzzle:

        Those we caught we threw away,
        Those we didn't catch, we kept.

The answer was supposed to have eluded Pascal, driving him mad: Fleas. 
Note that fleas are insects -- bugs.

> 
> > A sane crypto-engineer will use both procedures, belt and suspenders, to
> > detect problems.  If an RNG passes all available analytic tests (in the
> > sense of failing to find a disqualifying flaw), and passes all available
> > statistical tests (in the sense of failing to find a disqualifying
> > correlation/bias/etc), then the RNG is good enough.
> 
> Good enough for what?

Anything.

> 
> I agree with R. Knauer's *sentiment* that for generation of a
> OTP, an RNG based on *physical* randomness is best (thermal noise
> is good enough, no need for quantum).  The tests that you call
> "available" might not include the tools that an enemy
> cryptanalyst has available.  In fact it is not hard to create
> a RNG whose output passes almost any standard statistical test
> for a uniform, uncorrelated sequence, yet can be cracked by a
> good cryptanalyst.

Right.  However, those RNGs will not pass the analytic inspection test.
Any deterministic RNG trivially fails the inspection test.

> 
> > Further, a crypto-engineer who fails to employ all available tests of
> > both flavors is negligent.  An adversary should be expected to utilize
> > all available flavors of tests for flaws.  There is no amount of
> > analytic inspection that can substitute for a simple statistical
> > evaluation of the RNG output.  And, there is no amount of statistical
> > testing that can substitute for a simple inspection of the RNG
> > mechanism.
> 
> It depends on the actual requirement.  There can be bias in a
> keystream so long as it does not provide any leverage to the
> enemy analyst.  And I would say the necessary "inspection"
> is by no means simple; sophisticated mathematical analysis is
> called for, along with experience in exploiting vulnerabilities
> of similar systems.
> 
> The main thing is, *if* system security requires certain
> distributional properties of the keystream, and *if* one
> can discover with an appropriate test that the keystream
> is reproducibly not meeting those requirements, *then*
> the keystream is defective for this security application.
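Gwyn's remark that it is not hard to build a generator that passes almost any standard statistical test yet is cryptanalytically worthless, and Jackson's reply that such generators fail structural inspection, can both be shown concretely. The following is an added example by the editor, not code from the digest or from any of its authors: it implements two standard NIST SP 800-22 style tests (frequency/monobit and runs) plus a crude structural check (compressibility of the packed output), and applies them to three constructed bit streams. The stream names, the key string and the 0.5 compression threshold are the editor's choices.

```python
"""Statistical tests versus structural inspection of an RNG.

Added example, not from the digest.  Three constructed streams:

  biased    - 60% ones: fails the monobit test outright
  periodic  - the 4-bit pattern 0011 repeated: passes BOTH statistical
              tests with p = 1.0 despite being trivially predictable
  hashed    - SHA-256(key || counter): deterministic, passes the
              statistical tests and looks incompressible, so only
              inspection of the mechanism shows that its whole future
              is fixed by one short key

A statistical pass is necessary but not sufficient; the construction
must be inspected as well.
"""
import hashlib
import math
import zlib

ALPHA = 0.01  # conventional significance level for SP 800-22 tests


def monobit_p(bits):
    """NIST frequency (monobit) test: p-value for the balance of 1s and 0s."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def runs_p(bits):
    """NIST runs test: p-value for the number of maximal runs.

    Per SP 800-22 the test is only applicable when the proportion of ones
    is close to 1/2; otherwise it reports p = 0.0 (fail).
    """
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for i in range(1, n) if bits[i] != bits[i - 1])
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def compression_ratio(bits):
    """Crude structural check: compressed size / raw size of the packed bits.

    Near 1.0 means zlib found no simple redundancy; far below 1.0 means the
    stream has structure that the two statistical tests above never look for.
    """
    packed = bytes(
        int("".join(str(b) for b in bits[i:i + 8]), 2)
        for i in range(0, len(bits) - 7, 8)
    )
    return len(zlib.compress(packed, 9)) / len(packed)


def biased_bits(n):
    """Constructed stream with 60% ones (three 1s then two 0s, repeated)."""
    return [[1, 1, 1, 0, 0][i % 5] for i in range(n)]


def periodic_bits(n):
    """Constructed stream: the 4-bit pattern 0011 repeated."""
    return [[0, 0, 1, 1][i % 4] for i in range(n)]


def hashed_bits(n, key=b"constructed-demo-key"):
    """Deterministic stream: SHA-256(key || 64-bit counter), 256 bits per block."""
    out = []
    counter = 0
    while len(out) < n:
        digest = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out.extend((byte >> (7 - j)) & 1 for byte in digest for j in range(8))
        counter += 1
    return out[:n]


def evaluate(bits):
    """Run all three checks and return the raw values plus verdicts."""
    mp, rp, cr = monobit_p(bits), runs_p(bits), compression_ratio(bits)
    return {
        "monobit_p": mp,
        "runs_p": rp,
        "compression_ratio": cr,
        "passes_statistics": mp >= ALPHA and rp >= ALPHA,
        "looks_structured": cr < 0.5,
    }


if __name__ == "__main__":
    streams = [("biased", biased_bits(4096)),
               ("periodic", periodic_bits(4096)),
               ("hashed", hashed_bits(4096))]
    for name, stream in streams:
        r = evaluate(stream)
        print(f"{name:9s} monobit p={r['monobit_p']:.3f}  runs p={r['runs_p']:.3f}  "
              f"compress={r['compression_ratio']:.2f}  "
              f"stats_pass={r['passes_statistics']}  structured={r['looks_structured']}")
```

The periodic stream has exactly n/2 ones and exactly n/2 runs, so both tests return p = 1.0, the best score possible, while zlib shrinks it by more than an order of magnitude. The hashed stream survives all three checks; nothing in the output reveals that it is a function of a 20-byte constant, which is exactly the case where Jackson's "inspection of the RNG mechanism" is the only test that can fail it.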

------------------------------

Date: Sat, 03 Apr 1999 09:47:49 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Is initial permutation in DES necessary?

Douglas A. Gwyn wrote:
> 
> Paul Crowley wrote:
> > It seems likely to me that they could have built a stronger cipher
> > had they wanted to, but I have no way to be sure.
> 
> Yes, but one of the desires was that NSA could crack it if they
> really *had* to, in some legitimate national security interest.
> Remember, the intended applications were all things not considered
> necessary to keep secret from such a determined professional
> adversary, but rather from certain kinds of adversary who we were
> quite sure wouldn't be able to crack the system during its
> expected lifetime.  And this was borne out by the DES cracks that
> finally occurred quite recently

This is a very serious error.  BY DEFINITION, any adversary interested
in the operational effects of cracking DES will not announce success,
failure, or even intent to attempt.  The public cracks were
demonstrations aimed at the non-operational effects of a crack.

The hidden assumption is that the public attempts were at least as
effective/powerful/whatever as any private attack may have been.  The
assumption is unwarranted in spite of the relentless advance of cheap
MIPS.

> .  The design was secure enough for
> far longer than originally specified.  It was engineered rather
> like the "one-horse shay", its parts all of comparable strength.

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sat, 03 Apr 1999 16:39:03 GMT
Reply-To: [EMAIL PROTECTED]

On Sat, 03 Apr 1999 10:10:06 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:

>In fact it is not hard to create
>a RNG whose output passes almost any standard statistical test
>for a uniform, uncorrelated sequence, yet can be cracked by a
>good cryptanalyst.

In a lengthy debate on sci.crypt 1 1/2 years ago, it took nearly one
thousand posts for a prevailing consensus of opinion to emerge that
was in agreement with what you just stated. Even now, you can spot
people on sci.crypt who claim that their magical tests certify the
unbreakability of their RNG with certainty.

Now the question is whether a RNG whose output fails standard
statistical testing can *necessarily* be cracked by a good
cryptanalyst. I hope it won't take one thousand posts for a prevailing
consensus to emerge this time.

BTW, a prevailing consensus does not mean one in agreement with my
position. In the first debate referenced above, I was one of those who
had maintained that statistical tests were adequate to certify the
unbreakability of a RNG. I am maintaining the position in this second
debate, because I do not automatically accept statistical test failure
as the criterion rejecting a RNG as breakable. But who knows - I may
be wrong again. Nobody said a Devil's Advocate had to be correct.

>It depends on the actual requirement.  There can be bias in a
>keystream so long as it does not provide any leverage to the
>enemy analyst.  And I would say the necessary "inspection"
>is by no means simple; sophisticated mathematical analysis is
>called for, along with experience in exploiting vulnerabilities
>of similar systems.

If you are talking about a physical device then you must treat it like
a piece of scientific equipment and certify its performance using
accepted scientific techniques, including a peer-reviewed design audit
and diagnostic tests for each subsystem.

>The main thing is, *if* system security requires certain
>distributional properties of the keystream, and *if* one
>can discover with an appropriate test that the keystream
>is reproducibly not meeting those requirements, *then*
>the keystream is defective for this security application.

What are the distributional properties of the keystream for the
general (provably secure) OTP cryptosystem? By "general", I mean no
assumptions and no restrictions on its intended usage.

Bob Knauer

"The brave men who died in Vietnam, more than 100% of which were
black, were the ultimate sacrifice."
- Marion Barry, Mayor of Washington, DC
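Knauer's closing question, what distributional property the keystream of a general OTP must have, has a definite answer: Shannon's perfect-secrecy condition, P(C = c | M = m) identical for every plaintext m, which for XOR over the full key space holds exactly when the keystream is uniform. The following is an added example by the editor, not from the digest: it computes the conditional ciphertext distributions exactly for 4-bit messages under a uniform keystream and under a constructed keystream whose bits are 1 with probability 0.7, and measures the leakage as the largest total variation distance between any two plaintexts' ciphertext distributions. The 4-bit size, the 0.7 bias and the function names are the editor's assumptions.

```python
"""Perfect secrecy of the OTP as a distributional property of the key.

Added example, not from the digest.  C = M xor K over 4-bit blocks.
With a uniform K every plaintext induces the same ciphertext distribution
(total variation distance 0).  With a biased K the distributions differ,
and Bayes' rule turns the ciphertext into evidence about the plaintext.
"""
from itertools import product

N_BITS = 4
SPACE = 1 << N_BITS


def uniform_key_dist():
    """Every 4-bit key equally likely: what the OTP actually requires."""
    return {k: 1.0 / SPACE for k in range(SPACE)}


def biased_key_dist(p_one=0.7):
    """Constructed defective keystream: independent bits, each 1 with
    probability p_one.  Every key is still possible, only the weights differ."""
    dist = {}
    for bits in product((0, 1), repeat=N_BITS):
        k = int("".join(map(str, bits)), 2)
        pr = 1.0
        for b in bits:
            pr *= p_one if b else (1 - p_one)
        dist[k] = pr
    return dist


def ciphertext_dist(m, key_dist):
    """P(C = c | M = m) for every c, with C = M xor K."""
    out = {c: 0.0 for c in range(SPACE)}
    for k, pr in key_dist.items():
        out[m ^ k] += pr
    return out


def max_tv_distance(key_dist):
    """Largest total variation distance between P(C|M=m) and P(C|M=m')
    over all plaintext pairs: 0 is perfect secrecy, 1 is fully distinguishable."""
    dists = [ciphertext_dist(m, key_dist) for m in range(SPACE)]
    worst = 0.0
    for a in dists:
        for b in dists:
            tv = 0.5 * sum(abs(a[c] - b[c]) for c in range(SPACE))
            worst = max(worst, tv)
    return worst


def posterior(c, key_dist, prior=None):
    """P(M = m | C = c) by Bayes' rule; the prior on messages defaults to uniform."""
    if prior is None:
        prior = {m: 1.0 / SPACE for m in range(SPACE)}
    joint = {m: prior[m] * ciphertext_dist(m, key_dist)[c] for m in range(SPACE)}
    z = sum(joint.values())
    return {m: pr / z for m, pr in joint.items()}


def best_guess(c, key_dist):
    """Most probable plaintext given ciphertext c, and its posterior probability."""
    post = posterior(c, key_dist)
    m = max(post, key=post.get)
    return m, post[m]


if __name__ == "__main__":
    print(f"uniform key: max TV distance = {max_tv_distance(uniform_key_dist()):.4f}")
    print(f"biased key : max TV distance = {max_tv_distance(biased_key_dist()):.4f}")
    m, p = best_guess(0b0000, biased_key_dist())
    print(f"biased key, ciphertext 0000 -> most likely plaintext {m:04b}, P = {p:.4f}")
```

Under the uniform key every plaintext's ciphertext distribution is flat, so the posterior equals the prior and the analyst learns nothing. Under the biased key the two extreme plaintexts 0000 and 1111 sit about 0.57 apart in total variation, and ciphertext 0000 makes plaintext 1111 the leading candidate with probability 0.7**4, roughly 0.24 instead of 1/16. The argument is the same at any block length; only the numbers scale, and the leakage grows with the amount of keystream observed.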


------------------------------

From: [EMAIL PROTECTED] (Peter Gutmann)
Subject: Re: S/MIME interoperability: 40 bits only?
Date: 3 Apr 1999 15:09:21 GMT

[EMAIL PROTECTED] (Peter Pearson) writes:

>I'm trying to use Netscape's 4.02 Communicator to
>exchange encrypted email with a correspondent who uses
>a Microsoft mail reader. I have deselected all ciphers
>except 168-bit 3DES, and my correspondent has specified
>168-bit 3DES for outgoing messages, but when I read
>email from him, Communicator says it was encrypted with
>40-bit RC2, and similarly when he reads email from me.

>Is this pathetic capability all we can expect from these
>products, or am I overlooking some important setting?
>Is there, at least, a way to tell Communicator that if
>it's going to encrypt an outgoing message with a joke
>cipher instead of the cipher I asked for, it should at
>least %$#$in warn me?

This is braindamage in Communicator; nothing you can do will convince it to 
send anything other than weakly-encrypted mail (I went through this a few 
weeks ago while testing my S/MIME implementation; even disabling every cipher 
but 3DES still resulted in mail being encrypted with RC2/40.  I never did get 
to test any mail sent from Communicator).
 
One way which might work is to get the other person to send you signed mail 
with an sMIMECapability attribute specifying the use of 3DES; this appears to 
work for newer versions of Outlook, which otherwise also default to RC2/40.
 
Peter.


------------------------------

From: [EMAIL PROTECTED] (Peter Gutmann)
Subject: Re: Q: encryption-friendly hard disk controllers or drives
Date: 3 Apr 1999 15:13:27 GMT

John Myre <[EMAIL PROTECTED]> writes:

>Ralph Bauchman wrote:
>> Anyone know of any hard disk controllers  or drives themselves that
>> are "encryption-friendly" ? That is, might there be controllers/ drives
>> with a built-in or easily-added-on encryption feature? I'm thinking
>> along the lines of a controller with an empty IC socket designed to
>> hold an encryption IC. Plug in chip, load with key somehow then
>> e/d occurs as data flows into/out of drive transparent to user. If
>> one loaded the key via an iButton port over a wire straight to the
>> chip the system itself need not even be aware of its existence.

>I've never heard of such a thing (which doesn't mean much; I'm
>not an expert), but it sure sounds like a possible money-maker.
>Why don't you send queries to, say, Seagate, Adaptec, Iomega,
>Western Digital, Compaq, Dell, Dallas Semiconductor - I'm sure
>others could come up with lots more.  I imagine most of them
>will ignore you but it's certainly worth an e-mail.  If you get
>any answers I bet many people here would be interested.

There are several companies making these things, check 
http://www.cs.auckland.ac.nz/~pgut001/links.html, "Security Products" -> "Data 
Encryption".  They don't have much market penetration, I know some larger 
manufacturers have looked at this over the years but none ever followed 
through with any mass-market products, for both political and financial 
reasons (there is a disincentive to manufacture something like this, and few 
people will pay the price even if you do).
 
Peter.


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sat, 03 Apr 1999 16:45:15 GMT
Reply-To: [EMAIL PROTECTED]

On Sat, 03 Apr 1999 09:37:32 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:

>Classic puzzle:
>
>       Those we caught we threw away,
>       Those we didn't catch, we kept.
>
>The answer was supposed to have eluded Pascal, driving him mad: Fleas. 
>Note that fleas are insects -- bugs.

Berry Paradox: "True randomness cannot be described."

But that statement itself is a description of true randomness.

>Right.  However, those RNGs will not pass the analytic inspection test. 
>Any deterministic RNG trivially fails the inspection test.

What do you mean by "analytic inspection test"?
 
Bob Knauer

"The brave men who died in Vietnam, more than 100% of which were
black, were the ultimate sacrifice."
- Marion Barry, Mayor of Washington, DC


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
