Cryptography-Digest Digest #341, Volume #9 Mon, 5 Apr 99 04:13:04 EDT
Contents:
smartcards (was Live from the Second AES Conference) (Sandy Harris)
Re: True Randomness & The Law Of Large Numbers (Dave Knapp)
Re: My Book "The Unknowable" (Paul Healey)
Re: "Kryptos" sculpture (Jim Gillogly)
Software for breaking polyalphabetic substitution ciphers (Gao Qing)
Re: Alert: "HAPPY99.EXE" e-mail/newsgroup virus ("Cameron McCormack")
Re: Random Walk ("Trevor Jackson, III")
Re: chosen-plaintext attack (wtshaw)
Re: chosen-plaintext attack (Sundial Services)
Re: Software for breaking polyalphabetic substitution ciphers (wtshaw)
Re: Extending a hash? (wtshaw)
Re: My Book "The Unknowable" ("David Starr")
Re: Extending a hash? (Peter Gunn)
Re: True Randomness & The Law Of Large Numbers ("Douglas A. Gwyn")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Sandy Harris)
Subject: smartcards (was Live from the Second AES Conference)
Date: Sun, 04 Apr 1999 22:05:44 GMT
[EMAIL PROTECTED] (Bruce Schneier) writes:
>>: IBM's Pankaj Rohatgi explained how he got all 128 bits of
>>: a Twofish key after only 50 (that is 50 not 2^50) uses of a smart
>>: card!
>>
>>I wonder how secure some of the other ciphers would be, if the kind of
>>optimizations Bruce suggested for fitting Twofish on a smart card were
>>applied to them. That is, if it were possible.
>
>He said in his talk that every cipher is vulnerable. We've done this
>sort of work, too, and we have found that you can't defend against
>these types of attack with the algorithm. You can do some things with
>the implementation and some things with the hardware, but basically
>you need to defend in the protocol layer.
http://www.geocities.com/ResearchTriangle/Lab/1578/artic02.htm
Outlines some of the more easy & obvious defenses you can put in
the implementation. No doubt not enough.
------------------------------
From: Dave Knapp <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sun, 04 Apr 1999 20:59:50 GMT
"R. Knauer" wrote:
>
> I claim that there are only two valid sets for randomness:
>
> Set #1: Reasonable certainty that the process is not random;
>
> Set #2: Processes which do not exist in set #1.
>
> Put into the language of statistics:
>
> Null Hypothesis: A particular RNG is not random.
>
> Alternate Hypothesis: That particular RNG is random.
>
> There is no middle set of RNGs that are maybe random, maybe not random
> on the basis of reasonable certainty. There is a definite area outside
> the Z-score and a definite related area inside the Z-score. There is
> no gray zone where things may be or may not be simultaneously.
Incredible! You not only don't understand statistics, but you don't
understand decision theory even better!
Maybe it's not that impressive; decision theory depends to some degree
on statistical inference, etc.
Hey -- you ever hear of a thing called "fuzzy logic?" Look it up.
-- Dave
------------------------------
From: Paul Healey <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Mon, 5 Apr 1999 00:52:37 +0100
In article <41%M2.9$[EMAIL PROTECTED]>, David Starr
<[EMAIL PROTECTED]> writes
>karl malbrain wrote in message <7e1cvg$eti$[EMAIL PROTECTED]>...
>[-snip-]
>
>
>While I AM fascinated BY your USE of CAPITAL letters, this WHOLE thread IS
>off-TOPIC
>for sci.crypt. For that MATTER, the FOLKS over in sci.physics and sci.math
>probably AREN'T
>ALL that interested, EITHER.
>
>Have a NICE day,
>
> -dave
Is this an interesting, relevant and/or a worthwhile contribution?
What do you think sci.logic is supposed to be about;
individuals trying to plug their own private
languages (this is not in the agreement with Decca News), so sci.crypt
can decode them, or a dialogue on what constitutes a valid schema?
Are you proposing some kind of self-censorship,
a path to real censorship on the unknowable --- on speculative logic?
Tell us what you think you know in relation to this thread, so at
least it might become clearer to yourself what you actually do know: I
think Chaitin's notion, in the preface of his book, that there is no such
thing as a theory of everything, does itself presuppose such a
knowledge. That is, I have nothing against others discussing different
kinds of models and principles within modal logic, intuitionistic logic
and paraconsistent logic etc., but let's not forget the context of this
forum: I am under no obligation to eschew a set of principles that
happen to have value simply because they are popular modes of reasoning,
i.e. reductionist, positivist and formal.
The question cannot be asked, how form is added to
essence, for it is only the reflection of essence into
essence itself, essence's own immanent reflection.
Book II of Hegel's Science of Logic (p. 10)
http://werple.net.au/~andy/logic_2.htm
Ergo, being conscious we can think. Form as data can be described as
unknowable. Just as information as essence; but what is meant by data
as information? Assuming they are equivalent contradicts the knowable
having an essence and the unknowable not having one. Anyway, I believe
this reflects the position of holism, eliminative materialism and
connectionism, which roughly fall under dialectical logic --- within the
dialectics there are many different valid and invalid ways of
describing something, as identity in its difference must have a ground.
It is therefore quite a different thing to say,
1) I know everything (the whole),
from
2) I have a knowledge of everything (understanding how it all works).
Ergo, it is possible to construct a schema which can measure it, as I
can know how some of it works --- its parts are posited in and sublated
by it; provide a proof of its principle; of unity. It follows that I am
justified in saying that I have a knowledge of something. Does not the
fact that many investors/analysts/logicians have, and will continue to
apply a schema when it comes to tracking individual stocks, imply they
can be measured? Whether such methods can be grounded or not is the
whole point of having a dialogue; for independence-friendly first order
logic (see Jaakko Hintikka, Logica '94, Constructivism Aufgehoben,
pp. 1-15), informational independence also has its problems.
--
Paul Healey
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: "Kryptos" sculpture
Date: Sun, 04 Apr 1999 16:57:03 -0700
Reply-To: [EMAIL PROTECTED]
Sundial Services wrote:
> Has anyone published other clues about the Kryptos sculpture that stands
> in front of the CIA building?
The most detailed clueage with which I'm familiar was gathered by the American
Cryptogram Association (mostly PHOENIX, I think), and is at:
http://www.und.nodak.edu/org/crypto/crypto/general.crypt.info/Kryptos/
--
Jim Gillogly
Mersday, 13 Astron S.R. 1999, 23:55
12.19.6.1.8, 10 Lamat 1 Uayeb, First Lord of Night
------------------------------
From: Gao Qing <[EMAIL PROTECTED]>
Subject: Software for breaking polyalphabetic substitution ciphers
Date: Mon, 5 Apr 1999 09:14:07 +0800
>About your problem, the size of the key is most important, making hand
>solution practical or not, and machine solution easy or hard. Trivial
>keys would be only a few letters long.
It is said that "the longer the keyword used, the flatter the histogram
will be".
Then is it better to have a shorter keyword?
------------------------------
From: "Cameron McCormack" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.pascal.delphi.misc,comp.databases.paradox,comp.databases.ms-access
Subject: Re: Alert: "HAPPY99.EXE" e-mail/newsgroup virus
Date: Mon, 5 Apr 1999 13:09:23 +1000
>honk!... sorry, try again... they got the guy who posted the melissa
>macro virus... the creator of the happy99.exe worm is someone else
>entirely ...
Whoops! You're right, of course; I must've been thinking about Melissa when I
saw happy99.exe.
Cameron
___________________
[EMAIL PROTECTED]
------------------------------
Date: Sun, 04 Apr 1999 23:56:42 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random Walk
R. Knauer wrote:
>
> On Sun, 04 Apr 1999 14:00:07 -0400, "Trevor Jackson, III"
> <[EMAIL PROTECTED]> wrote:
>
> >You model this mathematically as zero information.
> >You model this physically as 100% entropy. (lack of order on which a
> >prediction could be based).
>
> I agree with you for the classical case, but what about in the quantum
> case? Cerf & Adami model QM measurement and come up with negative
> entropy, which is classically forbidden. They call it
> "supercorrelation".
So what? Classical theory cannot account for objects with 720 degrees
of rotational symmetry either. Actually, I'm not sure the most modern
theories explain that one well. Negative entropy does not bother me any
more than using imaginary currents when solving Kirchhoff's laws.
>
> >The brightest minds of multiple millennia thought the earth was flat in
> >spite of observations over a thousand years old that indicated
> >otherwise.
>
> Those minds did not have physics and mathematics at their disposal.
Sure they did. Those disciplines were millennia old before Galileo was
born.
>
> BTW, I am not convinced that the brightest minds believed in a flat
> earth. In the first place, the number of bright minds was severely
> limited, and there is evidence that the few there were did know that
> the earth was not flat. For one thing all they had to do was look up
> in the sky and see the eclipses cast a circular shadow on the moon.
> Also, the spherical shape of the sun and planets (the Moon is a
> planet) was prima facie evidence that the earth was not flat.
>
> >QM is young.
>
> Not in terms of the cumulative effort put into it. If you use the
> number of pages of published articles, I would guess that QM has
> received more attention from bright minds than all the scientific
> issues preceding it.
>
> >The modern foundations are only half a century
> >old (Feynman's history integration circa '47-48 I think).
>
> Questions of the random nature of QM go back to the earliest days.
> De Broglie was the first proponent of hidden variables.
>
> >Yes there would. Hashing increases the entropy density, a desirable
> >quality.
>
> Can you prove that hashing actually does increase entropy density? And
> is entropy density still a suitable measure of unpredictability if it
> is not maximal?
>
> >No. Hashing is a Good Thing.
>
> I am still waiting for the discussions which will prove that.
>
> >We do not care that there are patterns in the data. We do not care that
> >some of the data is biased, correlated, or predictable. We only care
> >that some measurable aspect of the system's behavior is *not*
> >predictable. Given that, we can distill it to complete
> >unpredictability.
>
> Here are some of my problems with that:
>
> 1) First you are using an algorithmic method to create randomness. We
> know better than that.
No. We are managing it algorithmically, not creating it.
>
> 2) Secondly, if the RNG cannot generate randomness, that means that it
> is flawed, so hashing it is not a good idea. The correct idea is to
> fix the RNG.
Hardly. Given any source of entropy we can produce quality keys. There
is no need to wait for an impossible perfect RNG.
>
> 3) Third, if hashing could create randomness by distilling whatever
> randomness is present in the RNG, why not just apply it to a PRNG?
You can. What you get out is the amount of entropy available in the
seed. No more and no less.
>
> >I believe this is provable.
>
> Then by all means show us.
>
> >*REALLY*? Before you post again please review the history of OTP usage
> >and catalog the failures due to inadequate RNGs and all the rest.
> >Keystream flaws are lost in the rounding of that summary.
>
> Are you saying that a quantum random number generator is not adequate
> for use with the (provably secure) OTP system?
>
> Key management is not an analytical issue, so it does not qualify as a
> reason for the failure of the OTP system.
Of course it does. You claimed that keystream weakness was the
principal cause of OTP failure. That is false.
>
> Bob Knauer
>
> "The brave men who died in Vietnam, more than 100% of which were
> black, were the ultimate sacrifice."
> - Marion Barry, Mayor of Washington, DC
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: chosen-plaintext attack
Date: Mon, 05 Apr 1999 00:36:27 -0600
In article <[EMAIL PROTECTED]>, "news.compassnet.com"
<[EMAIL PROTECTED]> wrote:
> Hi, thanks for reading this post!
>
> Why are public-key systems vulnerable to chosen-plaintext attacks? What
> does a cryptanalyst have to do to deduce the private key (if necessary at all)
> or the algorithm to infer further plaintext? I failed to find an example on
> the Internet. How does it help since public keys are known to everyone.
> Why are symmetric cryptosystems not vulnerable to this attack?
Public key composite crypto systems usually depend on a more conventional
faster component system to do the real work. If any part of the sandwich
is moldy, the result can be inferior. It's the old weak link thing; not
all favorite algorithms are as good as their popularity might
suggest...given choice, you can choose badly if you don't know the score.
Which algorithms are best, as in scoring them quantitatively...that's a
difficult question.
--
Too much of a good thing can be much worse than none.
------------------------------
Date: Sun, 04 Apr 1999 21:51:06 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: chosen-plaintext attack
news.compassnet.com wrote:
>
> Hi, thanks for reading this post!
>
> Why are public-key systems vulnerable to chosen-plaintext attacks? What
> does a cryptanalyst have to do to deduce the private key (if necessary at all)
> or the algorithm to infer further plaintext? I failed to find an example on
> the Internet. How does it help since public keys are known to everyone.
> Why are symmetric cryptosystems not vulnerable to this attack?
That's an interesting question because I would have thought that
public-key systems (as normally deployed) would not be vulnerable in
this way. I say that, however, because PK systems are often used just
to encipher the randomly-generated private key used to encipher a
message that was encrypted using a symmetric system. (This is how PGP
does it, for instance.) My understanding is that PK's are rarely used
to encipher an entire message. (And that, in fact, doing so would
weaken them.)
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Software for breaking polyalphabetic substitution ciphers
Date: Mon, 05 Apr 1999 00:03:28 -0600
In article <22E71DAEC504D111B78100805FFE9DC71C9AC933@PFS21>, Gao Qing
<[EMAIL PROTECTED]> wrote:
> >About your problem, the size of the key is most important, making hand
> >solution practical or not, and machine solution easy or hard. Trivial
> >keys would be only a few letters long.
>
> It is said that "the longer the keyword used, the flatter the histogram
> will be".
> Then is it better to have a shorter keyword?
It is better if you want to solve it from scratch, as having a long
complex keystring adds proportional security to such a cipher.
--
Too much of a good thing can be much worse than none.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Extending a hash?
Date: Mon, 05 Apr 1999 00:19:29 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (David P Jablon) wrote:
> In article <[EMAIL PROTECTED]>,
> wtshaw <[EMAIL PROTECTED]> wrote:
> >In article <[EMAIL PROTECTED]>, Peter Gunn
> ><[EMAIL PROTECTED]> wrote:
> >
> >> 2) Are there any general purpose algorithms for 'extending' a hash
> >> function that can be used with predictable results??
> >
> > [...] In short, there ain't no free lunch;
>
> Wait, don't go away hungry. That free lunch might just be available
> if you're using a password to negotiate a network session
> key. There are key amplifier methods that negotiate a large
> key based on a small one, between two parties.
Whatever you do is still based on the minimum key that you defined, and
the security that that brings to subsequent steps. It is no real trick to
change keys based on former keys, not requiring unusual means of
distribution other than that.
In spite of all the hoopla, the best security is that which is based in
trust, one on one. Using compromise algorithms will always increase a
hunger for frequent new keys. Better to use something better to start
with, given the option.
>
> >> I've got Schneier's doc on low entropy keys and key stretching... what
> >> else can I read??
>
> See papers on SPEKE and related methods for
> password-authenticated key exchange at:
> <http://world.std.com/~dpj/links.html>
>
As long as minimum necessary security for a given situation is available,
you have no problem. Be careful that you do not assume that you have more
than you do; security covers a very wide range.
I'll be offline for a few days, and hope to see some of you out there at
the OMNI.
--
Too much of a good thing can be much worse than none.
------------------------------
From: "David Starr" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Mon, 5 Apr 1999 01:13:44 -0500
Paul Healey wrote in message ...
>Is this an interesting, relevant and or a worthwhile contribution ?
Gee, Paul, you tell me. Am I worthy?
>What do you think sci.logic is supposed to be about;
Hmmm, let me see... (lots of head scratching).
Where do you think you are posting? Hint: look carefully at the
lines that start with "sci.". What do you think sci.crypt is about?
I did not start this (cross-posted to four groups) discussion.
I am simply asking that it be confined to the appropriate forum,
and that is *not* sci.crypt (or sci.math, where you also waste
my time).
>individuals trying to plug their own private
>languages(this is not in the agreement with Decca News), so sci.crypt
>can decode them or a dialogue on what constitutes a valid schema ?
The clarity of your message has justified its presence in sci.crypt.
>Are you proposing, some kind of self censorship ?,
Yes. Keep sci.logic discussions confined to sci.logic.
On second thought, don't those database folks care
about valid schemas? Maybe you could cross-post to
them, too.
========================================================================
* Remember to remove the spam blocker when replying.
* Return address is: dstarr AT xnet DOT com
========================================================================
------------------------------
From: Peter Gunn <[EMAIL PROTECTED]>
Subject: Re: Extending a hash?
Date: Mon, 05 Apr 1999 08:41:48 +0100
Heehee, thanks for the pointers... I still don't know what "taffy"
is but I get the idea.
My original problem was that I want to hash a pass phrase that
might be *really* long, with veritable *buckets* of entropy
(if you'll pardon me speaking in such technical terms :-)
Problem is that it looks like I really want the hash output
to be at least 172 bits, and preferably 256 bits, and there
seems to be a real lack of freely available unpatented algorithms
(I just ignore all the commercial/restricted stuff :-) that have
this length of output.
I know Tiger outputs 172 bits, and HAVAL can do 172 & 256 (is HAVAL
in the public domain? I can't find a reference, and the author didn't reply
to my email??), but having read the comments on 'extending' RIPEMD-128
to RIPEMD-256 and the fact that it's not really any more 'secure' than
RIPEMD-128 I started to wonder if it is possible to extend the output
of a hash function by using some generic algorithm which might for instance
apply the smaller hash multiple times and somehow combine
the output.
The GOST hash function which Casey Sybrandy pointed me at
(thanks BTW :-) uses the GOST encryption function (which as
Casey points out could be any similar block cipher) and mixes
its output to produce a hash value, and therefore represents
a form of 'generic' hash algorithm.
But I'm still wondering if the output is any good compared to
something like the output of HAVAL etc.??
Also, if it is a good hash, why do people always seem to implement
hash functions separate from block ciphers in their applications??
Most encryption applications require both, so if I could use
some algorithm to convert my block cipher to also calculate hash
values I would have less code... or alternatively, if I have a
number of block ciphers, I could have a lot of free hash functions??
I'm still not convinced I fully understand this :-)
ttfn
PG.
wtshaw wrote:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (David P Jablon) wrote:
>
> > In article <[EMAIL PROTECTED]>,
> > wtshaw <[EMAIL PROTECTED]> wrote:
> > >In article <[EMAIL PROTECTED]>, Peter Gunn
> > ><[EMAIL PROTECTED]> wrote:
> > >
> > >> 2) Are there any general purpose algorithms for 'extending' a hash
> > >> function that can be used with predictable results??
> > >
> > > [...] In short, there ain't no free lunch;
> >
> > Wait, don't go away hungry. That free lunch might just be available
> > if you're using a password to negotiate a network session
> > key. There are key amplifier methods that negotiate a large
> > key based on a small one, between two parties.
>
> Whatever you do is still based on the minimum key that you defined, and
> the security that that brings to subsequent steps. It is no real trick to
> change keys based on former keys, not requiring unusual means of
> distribution other than that.
>
> In spite of all the hoopla, the best security is that which is based in
> trust, one on one. Using compromise algorithms will always increase a
> hunger for frequent new keys. Better to use something better to start
> with, given the option.
> >
> > >> I've got Schneier's doc on low entropy keys and key stretching... what
> > >> else can I read??
> >
> > See papers on SPEKE and related methods for
> > password-authenticated key exchange at:
> > <http://world.std.com/~dpj/links.html>
> >
> As long as minimum necessary security for a given situation is available,
> you have no problem. Be careful that you do not assume that you have more
> than you do; security covers a very wide range.
>
> I'll be offline for a few days, and hope to see some of you out there at
> the OMNI.
> --
> Too much of a good thing can be much worse than none.
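The question above, of how a block cipher is turned into a hash the way the GOST hash does, in a small added example (not code from the digest, from GOST, or from any poster). It wires a constructed toy 64-bit Feistel cipher into the Davies-Meyer compression function, where the message block is used as the cipher key and the chaining value as the plaintext, and chains blocks Merkle-Damgard style with length padding. The cipher (toy_encrypt), the fixed IV and the padding layout are this example's own; the toy cipher is not secure and exists only so the construction runs stand-alone.

```python
"""Building a hash from a block cipher (Davies-Meyer + Merkle-Damgard).

Added example, not code from the digest, from GOST, or from any poster.
The block cipher below is a constructed 64-bit toy Feistel network that
exists only to show the construction; it is not a secure cipher, and a
64-bit digest is far too short for real use.
"""
import struct

BLOCK = 8          # toy cipher block (and key) size in bytes
ROUNDS = 16
MASK32 = 0xFFFFFFFF
IV = bytes.fromhex("0123456789abcdef")  # constructed fixed starting value


def _f(half: int, subkey: int) -> int:
    """Toy round function (add, rotate, multiply, xor); illustrative only."""
    x = (half + subkey) & MASK32
    x ^= ((x << 7) | (x >> 25)) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return x ^ (((x >> 13) | (x << 19)) & MASK32)


def _subkeys(key: bytes) -> list:
    """Derive one 32-bit subkey per round from the 8-byte key."""
    k0, k1 = struct.unpack(">II", key)
    subkeys = []
    for r in range(ROUNDS):
        k0, k1 = k1, k0 ^ _f(k1, r * 0x01010101)
        subkeys.append(k1)
    return subkeys


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block under an 8-byte key with a 16-round Feistel."""
    assert len(key) == BLOCK and len(block) == BLOCK
    left, right = struct.unpack(">II", block)
    for sk in _subkeys(key):
        left, right = right, left ^ _f(right, sk)
    return struct.pack(">II", right, left)


def davies_meyer(chain: bytes, msg_block: bytes) -> bytes:
    """Compression: H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}.
    The message block is the cipher KEY; the chaining value is the plaintext,
    and the feed-forward XOR keeps the step from being invertible."""
    return bytes(a ^ b for a, b in zip(toy_encrypt(msg_block, chain), chain))


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit message bit length.
    Without the length field, messages differing only in trailing padding
    bytes would collide trivially."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-(len(padded) + 8)) % BLOCK)
    return padded + struct.pack(">Q", len(msg) * 8)


def block_cipher_hash(msg: bytes) -> bytes:
    """Hash an arbitrary-length message; the digest is one cipher block long."""
    h = IV
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        h = davies_meyer(h, padded[i:i + BLOCK])
    return h


def bits_differing(a: bytes, b: bytes) -> int:
    """Hamming distance between two digests (a rough avalanche check)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    for m in (b"", b"abc", b"abd", b"The quick brown fox"):
        print(m, block_cipher_hash(m).hex())
    print("bits differing abc/abd:",
          bits_differing(block_cipher_hash(b"abc"), block_cipher_hash(b"abd")))
```

Two things the code makes visible: the digest is exactly one cipher block wide, so a 64-bit cipher gives a 64-bit digest and the 172- or 256-bit outputs asked for above need either a wide-block cipher or a double-block-length construction; and because the message block is the key, the cipher's key schedule runs once per message block, which is part of why dedicated hash functions are usually faster than a cipher pressed into hash duty.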
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Mon, 05 Apr 1999 07:49:09 GMT
"R. Knauer" wrote:
> On Sun, 04 Apr 1999 04:45:46 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> wrote:
> >I've broken what might be genuine OTP systems myself (at
> >least, I never did find any regularities in the key streams).
> >It would not have mattered in the least had the keystreams
> >been generated by your so-called "TRNG".
> If the keystreams had been generated by a properly functioning TRNG,
> you could have not cracked the ciphers. There would have been no way
> for you to have reasonable certainty that the purported decryption was
> the intended plaintext. All possible plaintexts are equiprobable if
> the keystream is truly random and only used once.
Now you're demonstrating that you don't know much about real
cryptanalysis, either. I did the work and know how I did it,
and what properties of the keystreams I did or did not use.
What I said is correct. Whereas, you have no clue.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************