Cryptography-Digest Digest #385, Volume #9 Tue, 13 Apr 99 20:13:03 EDT
Contents:
Scramdisk $.02 (Michael Dougherty)
Re: True Randomness & The Law Of Large Numbers ("karl malbrain")
Re: a simple sequence that stays near zero ([EMAIL PROTECTED])
Re: SNAKE#4 is oil (no surprise there :-) wot about #5?? (Thomas Wu)
Re: Adequacy of FIPS-140 (Terry Ritter)
Anyone knows Applix 'entencrypt'? ([EMAIL PROTECTED])
Re: Adequacy of FIPS-140 (R. Knauer)
Re: LFSR polynomial testing (Philip Koopman)
Re: Security problems: Europe (Doug Stell)
Arab Terrorists Must Bomb Moscow & Belgrade KKKommunists ([EMAIL PROTECTED])
Re: Not a PGP Expert (Mario Kenly)
Re: Arab Terrorists Must Bomb Moscow & Belgrade KKKommunists (Casey Sybrandy)
Re: Blowfish Source Code? ("David Barton")
Re: Comments to DOJ re NICS (Eric Williams)
Re: Adequacy of FIPS-140 (Terry Ritter)
----------------------------------------------------------------------------
From: Michael Dougherty <[EMAIL PROTECTED]>
Subject: Scramdisk $.02
Date: 13 Apr 1999 20:32:41 GMT
Finally had an intersection of opportunity and motivation last night, and
installed Scramdisk. I have not tried any of the commercial packages and
therefore cannot compare with them, but thought it was fantastic. Could
not believe how well it integrated with the system, and how fast and small
it was. It also works exceptionally well with a ZIP disk, because the
encryption/decryption speed is always essentially throttled by the
transfer rate; it is like getting the encrypted filesystem for free. I
look forward to using it on CD-Rs for secure storage which doesn't have to
be decrypted a file at a time.
To everyone involved in the development, thanks for and congratulations on
such a fine product.
Mike D.
(Now I really should look through the source code and compile my own...
but what if the NSA has subverted Microsoft, and MSVC6 is smart enough to
recognize cryptographic code, and inserts a weakness into the resultant
executable, and...)
------------------------------
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Tue, 13 Apr 1999 13:14:50 -0700
Dave Knapp <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Now, exactly where in there did you claim that statistical tests could
> determine "non-randomness?" Answer: you _explicitly_ stated that
> statistical tests _cannot_ be used to determine non-randomness.
>
(snipped personality reference)
>
> Look, if you want to stimulate a good discussion about the use of
> statistical tests for RNG characterization there are LOTS of better ways
> to do it than to start by dismissing statistics altogether. It's a good
> topic. (snipped again...)
The problem for some time has been HOW randomness is historically based.
Statistics takes this AXIOMATICALLY, as a RIGID part of the discipline --
PHYSICS in the 20th century has attempted to take it IDEALLY, what is
<<unknowable>> as a thing-in-itself.
The way out here is to come to terms with ENSEMBLE -- where that GROUNDS,
both THEORETICALLY and HISTORICALLY. I believe the Chinese were first, with
their notion of VINGH. Karl M
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: a simple sequence that stays near zero
Date: Tue, 13 Apr 1999 20:32:40 GMT
In article <7evj32$vi6$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> In article <7euid2$47k$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
> > The sequence
> >
> > a_i := (1+2Q)*a_(i-1) - (1+2Q)*a_(i-2) + a_(i-3)
> >
> > with a_0 := 0, a_1 := 1, and a_2 := 2Q forms a sine wave with
> > period 2pi/arccos(Q)
>
> Please explain further.
>
> If Q, a_0, and a_1, are integers, then a_i is an integer for all i. This
> recurrence can't possibly form a sine wave. A sine wave is continuous,
> whereas the range of this recurrence isn't even dense in the reals.
>
> In fact, a_i = k1 theta1^i + k2 theta2^i + k3 theta3^i where
> theta1, theta2, theta3 are the roots of x^3 - (1+2Q)x^2 + (1+2Q)x - 1 = 0
>
> The k_i are determined by the initial conditions. When the equation has 2
> complex roots and their norm is 1 then the points of the recurrence will
> indeed LIE on a sine wave, but only at discrete points. They do not really
> 'form' a sine wave. And it requires restrictions on Q. Divide out (x-1) and
> we get x^2 - 2Qx + 1 whose discriminant is 4Q^2 - 4. This is negative only
> for Q \in (-1,1)
>
> Are you suggesting that Q should be a rational number in (-1,1)? You did not
> say so. Please expand upon this.
>
> -----------== Posted via Deja News, The Discussion Network ==----------
> http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
>
Right! Q must be a real number with -1 < Q < 1. Right, the numbers
just lie on a sine wave. The amplitude of the wave is 1/sqrt(1-QQ).
I should have seen that before because an amplitude of 1 would have
forced a_1 = sqrt(1-QQ). Q doesn't have to be rational.
You could do the same thing by just taking powers of (Q,i*sqrt(1-QQ)),
but that's slower. Also, the recurrence I gave isn't the only stable
one, ones with more terms work too. I don't know if having more terms
makes for a more interesting sequence. I suspect not.
- Bob Jenkins
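As an added worked example (not code from either poster), the recurrence above run in floating point and compared with the closed form the reply gives (amplitude 1/sqrt(1-Q^2), angular step arccos(Q)) and with the "powers of (Q, i*sqrt(1-QQ))" alternative; it also shows why such a sequence is predictable, since three consecutive terms reveal Q. Function names and the tolerance checks are this example's own.

```python
import math


def sine_recurrence(q, n):
    """Bob Jenkins' three-term recurrence, run for n terms.
    Requires -1 < q < 1 for the values to stay bounded."""
    a = [0.0, 1.0, 2.0 * q]
    c = 1.0 + 2.0 * q
    for i in range(3, n):
        a.append(c * a[i - 1] - c * a[i - 2] + a[i - 3])
    return a[:n]


def closed_form(q, n):
    """The discrete points the sequence lies on: amplitude 1/sqrt(1-q^2),
    angular step theta = arccos(q), hence period 2*pi/arccos(q)."""
    theta = math.acos(q)
    amp = 1.0 / math.sqrt(1.0 - q * q)
    return [amp * math.sin(i * theta) for i in range(n)]


def complex_power_form(q, n):
    """Same points via powers of the unit complex number q + i*sqrt(1-q^2),
    the slower alternative mentioned in the reply."""
    z = complex(q, math.sqrt(1.0 - q * q))
    amp = 1.0 / math.sqrt(1.0 - q * q)
    return [amp * (z ** i).imag for i in range(n)]


def period(q):
    """Period of the wave the points lie on, as stated in the post."""
    return 2.0 * math.pi / math.acos(q)


def recover_q(a):
    """The characteristic polynomial is (x-1)(x^2-2qx+1), so the sequence
    also satisfies a_i = 2q*a_{i-1} - a_{i-2}.  Three consecutive terms with
    a nonzero middle one therefore reveal q and, with it, every later term:
    the sequence is fully predictable, so it is not a source of randomness."""
    for i in range(2, len(a)):
        if abs(a[i - 1]) > 1e-12:
            return (a[i] + a[i - 2]) / (2.0 * a[i - 1])
    return None


def max_abs_diff(xs, ys):
    """Largest pointwise difference between two equally long sequences."""
    return max(abs(x - y) for x, y in zip(xs, ys))
```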
------------------------------
From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: SNAKE#4 is oil (no surprise there :-) wot about #5??
Date: 13 Apr 1999 13:59:54 -0700
Peter Gunn <[EMAIL PROTECTED]> writes:
> "Roll up, Roll up, come and try the new miracle elixir..."
>
> Thanks to Bryan & Thomas for pointing out that key=H(P,<DH private>)
> is easily cracked when <DH private> is known and P is short.
>
> In order to stop a man-in-the-middle calculating <DH private>
> I would have to munge the <DH public>s with P... which
> basically leads to EKE and friends.
Either that or go to an asymmetric scheme like SRP or B-SPEKE, yes.
> [ NOTE: ^ means to-the-power-of, % means mod ]
>
> 1) A->B: y1=(g^x1)%p, U, z1=(g^H(P,x1))%p
> 2) B: z2=(g^H(P,x2))%p, key=H((y1^x2)%p)
> 3) B->A: y2=(g^x2)%p, z2
> 4) A: key=H((y2^x1)%p)
>
> What happens is...
>
> 1) Client sends to Server his DH public value y1,
> his user identifier U, and z1=(g^H(P,x1))%p
> 2) Server looks up user list using U to find password P,
> to work out z2=(g^H(P,x2))%p, disconnecting the client
> if (z1^H(P,x2))%p != z2.
I'm not sure I follow here: If z1 = g^H(P,x1), then
z1^H(P,x2) equals g^[H(P,x1)*H(P,x2)]. You have z2 = g^H(P,x2),
though, so the server always ends up disconnecting the client
unless H(P,x1) == 1.
There's no way for the server to authenticate z1, since the
server doesn't know x1.
--
Tom Wu * finger -l [EMAIL PROTECTED] for PGP key *
E-mail: [EMAIL PROTECTED] "Those who would give up their freedoms in
Phone: (650) 723-1565 exchange for security deserve neither."
http://www-cs-students.stanford.edu/~tjw/ http://srp.stanford.edu/srp/
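To make the objection concrete, here is an added example (not code from either poster) that runs steps 1-4 of the posted scheme over a toy group and evaluates the server's proposed check. The modulus, generator, hash construction and fixed private exponents are assumptions of this example, chosen only so the algebra can be observed; they are far too small for real use.

```python
import hashlib

# Toy group parameters, constructed for the demonstration only.
P_MOD = 1_000_000_007   # prime modulus
G = 5                   # generator


def H(password, x):
    """Stand-in for the post's H(P, x): hash to a nonzero exponent."""
    h = hashlib.sha256(f"{password}|{x}".encode()).digest()
    return int.from_bytes(h, "big") % (P_MOD - 1) or 1


def run_exchange(password, x1, x2):
    """Steps 1-4 of the posted protocol with fixed private exponents
    x1 (client) and x2 (server).  The user identifier U only selects the
    password on the server side, so it is left implicit here."""
    # 1) A->B: y1, U, z1
    y1 = pow(G, x1, P_MOD)
    h1 = H(password, x1)
    z1 = pow(G, h1, P_MOD)
    # 2) B: z2, the DH key, and the check the post proposes
    h2 = H(password, x2)
    z2 = pow(G, h2, P_MOD)
    key_b = hashlib.sha256(str(pow(y1, x2, P_MOD)).encode()).hexdigest()
    check_passed = pow(z1, h2, P_MOD) == z2
    # 3) B->A: y2, z2   4) A: key
    y2 = pow(G, x2, P_MOD)
    key_a = hashlib.sha256(str(pow(y2, x1, P_MOD)).encode()).hexdigest()
    return {"h1": h1, "h2": h2, "z1": z1, "z2": z2,
            "check_passed": check_passed, "keys_agree": key_a == key_b}


def exponents_multiply(r):
    """Wu's algebra: z1^H(P,x2) = g^(H(P,x1)*H(P,x2)).  That equals
    z2 = g^H(P,x2) only when H(P,x1) == 1, so the check rejects an honest
    client.  Exponents are reduced modulo p-1, a multiple of ord(g)."""
    lhs = pow(r["z1"], r["h2"], P_MOD)
    rhs = pow(G, (r["h1"] * r["h2"]) % (P_MOD - 1), P_MOD)
    return lhs == rhs
```

The two sides still agree on the DH key, which is exactly the point: the z values add nothing the server can verify, since only x1 would tie z1 to the password.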
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Adequacy of FIPS-140
Date: Tue, 13 Apr 1999 21:11:06 GMT
On Mon, 12 Apr 1999 20:21:30 -0400, in <[EMAIL PROTECTED]>,
in sci.crypt "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>>
>> On Mon, 12 Apr 1999 09:43:29 -0400, in <[EMAIL PROTECTED]>,
>> in sci.crypt "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote:
>>
>> >[...]
>> >I believe there is no serious dispute on the value of RNG diversity.
>> >Since independent device streams are not expensive or difficult, any
>> >serious user should demand a composite stream.
>>
>> You believe in error: *I* see no need to build multiple "unknowable"
>> generators, provided the output is properly processed. Physical RNG's
>> are not ciphers. There is ample opportunity in a physically-random
>> design to discard vast amounts of entropy.
>>
>> In the conversations here there seems to be an assumption that our
>> goal is to build a "close to perfect" physical device, and then use
>> the unfiltered output directly. That sounds like a recipe for
>> disaster to me. It will be almost impossible to build a device that
>> good. It is no wonder people are dubious: *I* am dubious.
>>
>> I believe a better way to approach this is to build a "satisfactory"
>> physical device (one with "some amount" of unknowable entropy), sample
>> it well, flatten the distribution, accumulate information, and throw
>> much of that away.
>
>When you analyze the process described just above you'll find that all
>but the first step are deterministic. Assumed to be known to an
>attacker of the key generator rather than the cipher. Thus all of the
>key generator's security rests on the unpredictability of the
>"satisfactory" physical device, which creates the possibility of a
>single-point failure.
It is virtually impossible to build something real which does not have
some common point, and that point can fail.
But "single-point failure" typically refers to some sort of actual
device failure. That is not the situation here: I anticipate that
the device will be automatically verified as functional either just
prior to or during real operation.
I believe the actual previous argument for having multiple generators
was not this at all, but was directed at the quality of the random
output. One of the things suggested was to use a PRNG along with the
physically-random system. But I do not expect that to help us
cryptographically.
It may be that the production of random unknowable values (for use as
cryptographic message keys, IV's, nonce's and the like) does not need
the extensive statistical qualities which are so difficult to produce
and guarantee. The result does need to be unknowable, and reasonably
well distributed, but not excessively. Cipher systems should not be
depending upon a full entropy randomness -- any time we have a random
value, it may turn out to be less "random" than we hope. Message keys
need to be bigger than we expect, and IV's need to be hashed or
otherwise produced from larger material. If we insist on having a
provably ideal distribution we are going to have a hard time doing
anything.
>Combining imperfect physical sources is not expensive. And the security
>of the combination is at least as high as the security of the strongest
>as long as "translucent" operations such as XOR or ADD are used to merge
>them.
This is not nearly as simple as it seems. It implies, for example,
that we are combining Boolean values, which means that all the
complexity in the noise (for example) has already been sampled,
flattened, condensed, and finally detected. It seems a little late in
the day to be modifying that result.
Note that combining 2 similar asynchronous digital noise streams
doubles the number of expected transitions per unit time. Not only
does the logic need to operate faster, but whatever system we use to
"sync up" or sample that changing value has an increasing chance of
failure or "metastability." This occurs when a data-transition
happens within the "setup-time" or "hold-time" needed by the sampling
device. As far as I know, this can be minimized by design and using
fast devices, but cannot be eliminated: It is inherent.
Similar problems lead to bit-level bias: real devices have different
setup and hold characteristics because they use different internal
routing or different gate-delays in different sample states.
Combining 2 already-sampled and synchronous digital noise streams does
not avoid the problem because it of course doubles the chance of
encountering metastable operation: either path can malfunction.
In the end, I think we are better off doing something right, once.
>I agree with the principles you've expressed, namely using "merely
>adequate" hardware rather than chasing the grail of "almost perfect", and
>distilling entropy and discarding all but a tiny fraction thereof.
>
>However, I disagree with your conclusion because, given a single
>generator meeting your standards, adding another or an Nth cannot hurt
>*anything*.
I note that the exact same argument can be used to insist on having
another generator, no matter how many we have. Where do we stop?
Will we see "ordinary level" systems with 3 generators, and "military
level" with 7 and "diplomatic level" with 21? Will we see claims on
sci.crypt that NSA can penetrate all 21 and that we are weenies for
agreeing to use 200 generators? If not, why not?
I claim that once we have good enough, we don't need better. The
ability to concentrate randomness, combined with a policy of throwing
most of it away, seems quite sufficient to me. If not, why not?
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED]
Subject: Anyone knows Applix 'entencrypt'?
Date: 13 Apr 1999 21:14:47 GMT
Hi,
I would like to know on what algorithm entencrypt is based.
CIAOii & so on...
Thomas Scholz
--
RUM - Computing Center | Do molecular | Phone: +49 621 292-5221
University of Mannheim | biologists wear | Fax: +49 621 292-5783
Certificate Authority | designer genes? | http://ca.uni-mannheim.de
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Adequacy of FIPS-140
Date: Tue, 13 Apr 1999 22:03:59 GMT
Reply-To: [EMAIL PROTECTED]
On Tue, 13 Apr 1999 17:59:14 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
>This endless, hopeless search for PROOF of absolute security has got
>to stop. There is no such proof in realized systems, including OTP's.
>I suspect there can be no such proof.
Yes, I have gone round and round with you on some of the issues you
commented on, but you are just as guilty of going round and round with
me. For example, based on your statement above, it appears that you
don't believe that a quantum computer programmed to calculate a true
random number is provably secure?
Please explain why you think that..
Bob Knauer
"I read a funny story about how the Republicans freed the slaves. The
Republicans are the ones who created slavery by law in the 1600's.
Abraham Lincoln freed the slaves and he was not a Republican."
- Marion Barry, Mayor of Washington DC
------------------------------
From: [EMAIL PROTECTED] (Philip Koopman)
Subject: Re: LFSR polynomial testing
Date: Tue, 13 Apr 1999 22:19:42 GMT
Reply-To: [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
>I found a program on the net for testing LFSR polynomials, it isn't a really
>helpful program (works backwards....), anyways, I was wondering if anyone had
>a program to test for valid LFSR polynomials (LFSRs of any bit length)? In C
>would be the best, or MS-DOS .EXE format.
I have complete primitive polynomial lists of the smaller ones and
samples of medium-size ones at http://www.ices.cmu.edu/koopman/lfsr/ as
well as C source code.
However, the bad news is that the algorithm I used was brute force
search (is that what you mean by "works backwards"?). Once you get
above about 40 bits you can just forget it. If anyone has something
more efficient I'd be interested in seeing it. (I can easily believe
that one can be more efficient than brute force; but it did the job for
what I needed and I didn't have time to be fancier.)
-- Phil
Phil Koopman -- [EMAIL PROTECTED] -- http://www.ece.cmu.edu/~koopman
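An added example (not Koopman's code, and not from his site) contrasting the brute-force period search he describes with an order-based primitivity test that avoids clocking the register 2^n times. Polynomials are ints with bit k standing for x^k, so 0x13 is x^4+x+1; the function names are this example's own.

```python
def gf2_mulmod(a, b, f):
    """Multiply two GF(2) polynomials (as ints) modulo f, deg f = n."""
    n = f.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= f
    return r


def gf2_powmod(base, e, f):
    """Square-and-multiply exponentiation in GF(2)[x]/(f)."""
    r = 1
    while e:
        if e & 1:
            r = gf2_mulmod(r, base, f)
        base = gf2_mulmod(base, base, f)
        e >>= 1
    return r


def lfsr_period(f, limit=None):
    """Brute force, as in Koopman's search: clock a Galois LFSR with
    feedback polynomial f from state 1 until it returns, or give up after
    limit steps.  Each clock multiplies the state by x mod f, so the
    period is ord(x); f is primitive exactly when it equals 2^n - 1."""
    n = f.bit_length() - 1
    if n < 1 or not (f & 1):
        return None          # no constant term: x is not invertible
    if limit is None:
        limit = (1 << n) - 1
    state, steps = 1, 0
    while True:
        state <<= 1
        if (state >> n) & 1:
            state ^= f
        steps += 1
        if state == 1:
            return steps
        if steps >= limit:
            return None


def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for n <= ~40)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def is_primitive(f):
    """Order test: f (degree n, constant term 1) is primitive iff
    x^(2^n-1) = 1 mod f and x^((2^n-1)/q) != 1 for every prime q | 2^n-1.
    Cost is about n squarings per factor instead of up to 2^n clocks."""
    n = f.bit_length() - 1
    if n < 1 or not (f & 1):
        return False
    m = (1 << n) - 1
    if gf2_powmod(2, m, f) != 1:      # the int 2 is the polynomial x
        return False
    return all(gf2_powmod(2, m // q, f) != 1 for q in prime_factors(m))


def count_primitive(n):
    """Number of primitive polynomials of degree n, expected phi(2^n-1)/n."""
    return sum(1 for f in range(1 << n, 1 << (n + 1)) if is_primitive(f))
```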
------------------------------
From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: Security problems: Europe
Date: Tue, 13 Apr 1999 22:19:06 GMT
On 11 Apr 99 16:09:55 GMT, [EMAIL PROTECTED] wrote:
From my experience, I find it hard to believe that the NSA or CIA are
involved in wide-spread industrial espionage. These agencies generally
concern themselves with national security and are black holes as far
as American industry is concerned. They are even black holes as far as
some of their trusted contractors are concerned. Everything is
strictly on a need to know basis and they never tell contractors what
other companies are doing.
> In a rare public disclosure, a NSA employee, who refused to be named,
> agreed to appear in silhouette on German television last August to
> reveal how he had stolen Enercon's secrets. He said he used satellite
> information to tap the telephone and computer link lines that ran
> between Enercon's research laboratory near the North Sea and its
> production unit some 12 miles away. Detailed plans of the company's
> allegedly secret invention were then passed on to Kenetech...
This sounds like a lone guy with a buddy at Kenetech or who owns
Kenetech stock. They will probably deal with him appropriately.
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: sci.med.transcription,sci.space.policy,sci.electronics.repair
Subject: Arab Terrorists Must Bomb Moscow & Belgrade KKKommunists
Date: Tue, 13 Apr 1999 22:58:21 GMT
Why aren't the wimpy Syrian, Iraqi, Libyan, Afghani, etc., pussy terrorist
dogs bombing Moscow and Belgrade???!!! Where are the oil-rich,
Rolls-Royce-riding Arab Muslims from Kuwait, Saudi Arabia after American and
other NATO soldiers died saving their greedy asses???!!!
It's obvious that the KKKommunist-Nazis in Russia and Serbia are the real
Great Satans killing, raping, and pillaging Albanian Muslims, but where is
the shock and outrage from the Arab Muslims???!!!
Drunken-incompetent-ass Yelstin and KGB-stooge Primakov are begging with their
filthy, stinky, low-IQ KKKommie paws for Western capitalist IMF money but have
the gall to threaten Americans while war criminal Slob MiloSonOfABitch kidnaps
and holds unarmed American peacekeepers as hostages!!!
I say NUKE THE KKKOMMIES NOW!!!
There are over 2 million Serbian immigrants on welfare in the United States
protesting and plotting terrorist acts against Americans. DEPORT THEM!!!
------------------------------
From: [EMAIL PROTECTED] (Mario Kenly)
Subject: Re: Not a PGP Expert
Date: Tue, 13 Apr 1999 22:57:30 GMT
Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
>Thank you, god. You know the truth of all things and your worshippers kneel
>before you in awe. Amen.
Seriously Anthony, you've been posting about cryptography here and trying
to sell your own system for a long time now. Why indeed DID you ask such a
silly question about PGP? You must have known the answer all along, so what
were you trying to accomplish?
--
"Mario Kenly" better known as [EMAIL PROTECTED]
01234 56789 <- Use this key to decode my email address.
Fun & Free - http://www.5X5poker.com/
------------------------------
From: Casey Sybrandy <[EMAIL PROTECTED]>
Crossposted-To: sci.med.transcription,sci.space.policy,sci.electronics.repair
Subject: Re: Arab Terrorists Must Bomb Moscow & Belgrade KKKommunists
Date: Tue, 13 Apr 1999 19:29:46 -0400
I just have one thing to say, SHUT THE FUCK UP!!!!!!
[EMAIL PROTECTED] wrote:
> Why aren't the wimpy Syrian, Iraqi, Libyan, Afghani, etc., pussy terrorist
> dogs bombing Moscow and Belgrade???!!! Where are the oil-rich,
> Rolls-Royce-riding Arab Muslims from Kuwait, Saudi Arabia after American and
> other NATO soldiers died saving their greedy asses???!!!
>
> It's obvious that the KKKommunist-Nazis in Russia and Serbia are the real
> Great Satans killing, raping, and pillaging Albanian Muslims, but where is
> the shock and outrage from the Arab Muslims???!!!
>
> Drunken-incompetent-ass Yelstin and KGB-stooge Primakov are begging with their
> filthy, stinky, low-IQ KKKommie paws for Western capitalist IMF money but have
> the gall to threaten Americans while war criminal Slob MiloSonOfABitch kidnaps
> and holds unarmed American peacekeepers as hostages!!!
>
> I say NUKE THE KKKOMMIES NOW!!!
>
> There are over 2 million Serbian immigrants on welfare in the United States
> protesting and plotting terrorist acts against Americans. DEPORT THEM!!!
>
------------------------------
From: "David Barton" <[EMAIL PROTECTED]>
Subject: Re: Blowfish Source Code?
Date: Tue, 13 Apr 1999 23:38:46 +0100
For Delphi source code try http://www.scramdisk.clara.net/
Regards
Dave
Jon Kadilak wrote in message <7f0jaj$[EMAIL PROTECTED]>...
>
> I'm not sure if this is the right group to post to, apologies if it is
>not. Can someone point me in the direction of some Blowfish encryption
>algorithm source code? Or some source code that will encode files with
>the Blowfish encryption method.
>
>--
>
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Jon Kadilak The Internet Access Company
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
------------------------------
From: Eric Williams <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.guns
Subject: Re: Comments to DOJ re NICS
Date: Tue, 13 Apr 1999 16:46:34 -0700
Erik wrote:
> > I guess that's plausible. It means though that field auditors have
> > to carry equipment containing the secret key. If the auditors can
> > be
> > robbed or bribed, the key is vulnerable.
>
> That's not even needed. Network computers together to search all
> possible keys until you crack the code.
> Simple...we can even do it with home computers... it's going to
> take a considerable amount of time (hey it's information worth having
> right?) but if you get enough computers networked and searching
> specified segments of code you can do it ... once you have the key the
> database is compromised. And everyone's privacy is lost. Hackers do
> this all the time...
No, hackers don't do it all the time. Any effort like that,
coordinating thousands of strangers to work on a single key, would be
incredibly vulnerable to detection by the authorities.
And it wouldn't do much good even if they escaped detection. The DOJ
still has records of the FFL making transactions, the date those
transactions were made, and their signature. If DOJ audits a FFL and
their database shows he made 3 approved gun sales on one day, but the
FFL has forms for a dozen, it doesn't matter if the signatures the forms
bear were generated using the correct key, he is still going to be in
trouble.
> One last thing.... If the government is morally corrupt enough to
> violate their own laws, then why trust them with letting us know WHAT
> they are doing with this database? I hate this idea, I remember a
> scene in a movie where one military commander says "go to town hall,
> there they have a list of people who own weapons, we go after these
> people first" ..... or something like that.. it was a long time ago.
Actually, in the movie ("Red Dawn") they went to the firearms dealers to
get the forms.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Adequacy of FIPS-140
Date: Wed, 14 Apr 1999 00:04:50 GMT
On Tue, 13 Apr 1999 22:03:59 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (R. Knauer) wrote:
>On Tue, 13 Apr 1999 17:59:14 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
>
>>This endless, hopeless search for PROOF of absolute security has got
>>to stop. There is no such proof in realized systems, including OTP's.
>>I suspect there can be no such proof.
>
>Yes, I have gone round and round with you on some of the issues you
>commented on, but you are just as guilty of going round and round with
>me.
I can fix that.... And I suggest that the others consider doing
exactly the same thing.
>For example, based on your statement above, it appears that you
>don't believe that a quantum computer programmed to calculate a true
>random number is provably secure?
>
>Please explain why you think that..
No.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************