Cryptography-Digest Digest #401, Volume #9       Fri, 16 Apr 99 09:13:03 EDT

Contents:
  Re: HEY STUPID!!! (Thomas Pornin)
  Re: PGP=NSA (PGP 6 totally cracked by NSA!!) (Thomas Pornin)
  Re: Comments to DOJ re NICS (John Payson)
  Re: HEY STUPID!!! ("Ross Smith")
  Re: True Randomness & The Law Of Large Numbers (Alan Braggins)
  Re: Twofish among the top 5 ?! (Alan Braggins)
  Re: Adequacy of FIPS-140 ("Douglas A. Gwyn")
  SNAKE#11 - getting better :-) (Peter Gunn)
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)
  PGP is not JUNK (it's cool!) ([EMAIL PROTECTED])
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)
  Re: Random Walk (R. Knauer)
  Verify operation of component? (Dan)
  RSA Cryptography Today FAQ (1/1) ([EMAIL PROTECTED])
  Re: Possible Snr-level ugrad paper topic? (David A Molnar)
  Re: Twofish among the top 5 ?! ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: HEY STUPID!!!
Date: 16 Apr 1999 07:50:05 GMT

According to Charles Booher <[EMAIL PROTECTED]>:
> If you do not like my attitude it is probably because you work for
> the NSA.

Wow. I guess you win this battle. But expect dscott to strike back, he's
not done yet.

        --Thomas Pornin

------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: PGP=NSA (PGP 6 totally cracked by NSA!!)
Date: 16 Apr 1999 07:56:43 GMT

According to Charles Booher <[EMAIL PROTECTED]>:
> The NSA also buys Ultra SPARCS by the truck load.

I am not American, but I think you should really complain: your taxes
should be used for buying Alpha stations, which give a better
performance/price ratio.

Gee. You would expect the NSA to be the last efficient institution.

        --Thomas Pornin

------------------------------

From: [EMAIL PROTECTED] (John Payson)
Crossposted-To: talk.politics.guns
Subject: Re: Comments to DOJ re NICS
Date: 16 Apr 1999 01:50:00 -0500

In article <[EMAIL PROTECTED]>, Paul Rubin <[EMAIL PROTECTED]> wrote:
>I'm a cryptography guy (sci.crypt) and don't have much knowledge of,
>or interest in, the finer details of current gun registration policy,
>which I presume is what NICS is.  I tried to answer your questions
>from a cryptography implementer's point of view.  I did look at your
>proposal and described its problems compared with current security
>practices in other areas.  It may be much better than NICS
>regardless--I don't know.  I like the idea of being visited by federal
>agents if one of them is Agent Scully.  I doubt if NICS provides
>for that though.  If your system can do that, sign me up.  ;-)

Basically, the goal here is to allow for the following:

 [1] FFL calls NICS; gives them some info.

 [2] NICS gives the agent a small amount of info to confirm receipt of
     info in [1].

 [3] The info in [2], when coupled with the information in [1], is full
     and complete proof that the FFL supplied the information in [1] to
     NICS, **INDEPENDENT OF ANY RECORDS NICS MIGHT KEEP OF THE
     TRANSACTION**.

The all-caps caveat in [3] is necessary to prevent the government from
targeting FFLs with a very simple attack: lose the record of a background
check they ran, and then prosecute them for failing to run it.  Given the
state of NFA'34 records, it would hardly be surprising if some background
check records got lost accidentally; it's essential that the FFL have proof
himself of his compliance with the statute.


Of course, I'm still not sure what exactly background checks are supposed to
prove given that it's perfectly possible for people to change their name (esp.
women who get married).  Since my wife's common identification papers (e.g.
her driver's license) didn't have her maiden name, I can't imagine how NICS
could possibly have determined if she'd been convicted for any felonies before
we were married short of requiring all NICS applicants to supply their "Social
Security" number.

If social security numbers are required, then there is a simple alternative to
the NICS system: have the government release on a daily or weekly basis a CD
containing the following:

[1] 1,000 files containing 125,000 bytes of data [1,000,000 bits]; to
    determine if the person whose SSN is 123-45-6789 is forbidden from
    purchasing firearms, look in file #123, at the 456,789th bit; if it's a
    "0" the purchase may proceed, but if "1" it's denied.

[2] A file containing the 32-bit CRC and a 256-bit secure hash of each of the
    1,000 files described in [1].

[3] A file containing, for the current CD and every previously issued one, the
    256-bit secure hash of the file described in [2].

To run a background check, the FFL would simply pop the CD into his drive and
run a simple program.  If he sold a gun to someone who could not have passed
the background check, it would be simple for the government to prove that on
the date the gun was sold the appropriate database bit would have indicated
the sale was forbidden.  Conversely, if the sale was legal--even if the
government subsequently decided that the person should not have been able to
purchase a firearm--the FFL could, with a copy of the CD, show that the
database file indicated the purchase was legal.  Having the secure hash of his CD
stored on every subsequent CD would allow him to show that his CD was valid.

Interesting notion?  Note: No possibility of registering firearms with that
technique...
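The CD scheme above, worked through as an added example (not code from the post): the file/bit mapping of [1], the per-file CRC-32 and SHA-256 manifest of [2], the chain of manifest hashes of [3], and the check an FFL runs on his kept CD against a later official release. The SSNs are constructed, and only the files containing a "1" bit are held in memory; all-zero files are implied.

```python
import hashlib
import zlib

# Layout from the post: 1,000 data files of 125,000 bytes (1,000,000 bits) each; file number
# is the first three SSN digits, bit offset the last six. Only non-zero files are stored.
FILE_BYTES, NUM_FILES = 125_000, 1000
ZERO_FILE = bytes(FILE_BYTES)          # an all-"0" file: nobody in that prefix is denied

def ssn_to_index(ssn: str) -> tuple:
    """123-45-6789 -> (file 123, bit 456789), as in the post."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("SSN must be nine digits")
    return int(digits[:3]), int(digits[3:])

def set_denied(files: dict, ssn: str) -> None:
    """Mark a subject as forbidden (bit = 1) in the working copy of the database."""
    fno, bit = ssn_to_index(ssn)
    buf = files.setdefault(fno, bytearray(FILE_BYTES))
    buf[bit // 8] |= 1 << (bit % 8)

def is_denied(files: dict, ssn: str) -> bool:
    """The FFL's check: read one bit of one file."""
    fno, bit = ssn_to_index(ssn)
    return bool(files.get(fno, ZERO_FILE)[bit // 8] & (1 << (bit % 8)))

def manifest(files: dict) -> bytes:
    """File [2]: CRC-32 and SHA-256 of each of the 1,000 data files, one line per file."""
    lines = []
    for fno in range(NUM_FILES):
        data = bytes(files.get(fno, ZERO_FILE))
        lines.append(f"{fno:03d} {zlib.crc32(data):08x} {hashlib.sha256(data).hexdigest()}")
    return "\n".join(lines).encode()

def release(files: dict, prior_chain: list) -> dict:
    """Press a CD: a snapshot of the files, file [2], and file [3] = hash of every [2] so far."""
    snapshot = {fno: bytes(buf) for fno, buf in files.items()}
    file2 = manifest(snapshot)
    return {"files": snapshot, "manifest": file2,
            "chain": prior_chain + [hashlib.sha256(file2).hexdigest()]}

def ffl_proof_holds(kept_cd: dict, later_cd: dict, ssn: str) -> bool:
    """What the FFL shows from his own copy, independent of any NICS record: (a) his CD's
    manifest hash is in a later official CD's file [3], (b) the data file for this SSN
    matches that manifest line, (c) the bit was 0 on the day of the sale."""
    if hashlib.sha256(kept_cd["manifest"]).hexdigest() not in later_cd["chain"]:
        return False                                   # not a genuine release
    fno, _ = ssn_to_index(ssn)
    data = kept_cd["files"].get(fno, ZERO_FILE)
    expected = kept_cd["manifest"].decode().splitlines()[fno].split()[2]
    if hashlib.sha256(data).hexdigest() != expected:
        return False                                   # data file altered after pressing
    return not is_denied(kept_cd["files"], ssn)
```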

------------------------------

From: "Ross Smith" <[EMAIL PROTECTED]>
Subject: Re: HEY STUPID!!!
Date: Fri, 16 Apr 1999 21:10:53 +1200

fpnknvad wrote in message ...
>On Thu, 15 Apr 1999 20:00:59 -0700, Charles Booher <[EMAIL PROTECTED]> wrote:
>> If you do not like my attitude it is probably because you work for the NSA.
>
>Damn, he found out. What do we do now guys? Use the space laser or send the
>men in black?


Naah. Just nuke the site from orbit. It's the only way to be sure.

--
Ross Smith ................................... mailto:[EMAIL PROTECTED]
.............. The Internet Group, Auckland, New Zealand ..............
    "Perl is the Unix way. 500 million ways of doing the same thing,
    and 500 million monster egos all insisting on their way being
    the Proper way of doing it." -- David Parsons



------------------------------

From: Alan Braggins <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers
Date: 16 Apr 1999 10:35:38 +0100

[EMAIL PROTECTED] (R. Knauer) writes:
> Most people know me as a Devil's Advocate

How do you know? It could be that most people think you are
babbling, and are grateful that Mr. Gwyn can be bothered to
take the time to answer you. I mention this as a purely
hypothetical possibility, of course...

------------------------------

From: Alan Braggins <[EMAIL PROTECTED]>
Subject: Re: Twofish among the top 5 ?!
Date: 16 Apr 1999 10:40:20 +0100

Daniele Finocchiaro <[EMAIL PROTECTED]> writes:
>       Technology (NIST) to replace the current standard DES (Data
>       Encryption Standard), which is too weak and slow for today's 
>       computing power. The winning method will become the new
>       U.S. security standard for the 21st century [...]"
>                               [from www.barnesandnoble.com]
> 
> Also, claiming that DES is "slow for today's computing power" is a bit funny.

Presumably it's short for "too weak when used as single DES, and too
slow when used as triple DES".


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Adequacy of FIPS-140
Date: Fri, 16 Apr 1999 05:40:53 GMT

"R. Knauer" wrote:
> On Thu, 15 Apr 1999 15:51:31 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> wrote:
> >The point about OTP key handling is well taken; in the real world,
> >it is such a practical problem that inevitably it provides breaks
> >into the system.
> It is rumored that the Washington to Moscow hotline is secured with an
> OTP cryptosystem.

Yes, the original teleprinter link did use such a system, because
it was thought that there would be so little traffic that it would
be practical to convey keystream tapes via courier.  As I said,
breaks into such systems are inevitable.  For example, the key can
be copied in transit, out-of-sync keys could be reused with correct
sync (eventually, systems were made to destroy keys as they were
used, to prevent this), or problems with key sync could cause the
communication to occur in the clear.  I'm not going to say which
if any of these occurred with the Hot Line, but they certainly all
have occurred on similar systems.  It's just a matter of time and
volume.

------------------------------

From: Peter Gunn <[EMAIL PROTECTED]>
Subject: SNAKE#11 - getting better :-)
Date: Fri, 16 Apr 1999 12:40:19 +0100

Thanks to Tom's comments on using a function on P
which generates a prime modulus to enable authentication,
I'm now going to propose SNAKE#11, here it is...

A,S,T are random numbers owned by the client
B,R,V are random numbers owned by the server
U is the user identifier or equivalent
P=H(password), password is a short text string
g is an agreed generator
p is a large safe prime
E[x](y) means y encrypted using x as a key
H() is a one way hash function (SHA or similar)

1) A->B: (g^A)%p, U
2) B->A: (g^B)%p

both work out session key K=H((g^AB)%p) which
is used to encrypt all traffic from now on.

3) A->B: (g^S)%m(P,K), T
4) B->A: (g^R)%m(P,K), V
5) A->B: E[(g^RS)%m(P,K)](V)
6) B->A: E[(g^RS)%m(P,K)](T)

A and B check values returned against their own
calculations, disconnecting immediately if they don't
match.

Ok, looks pretty much like SNAKE#10-3 so far,
doesn't it? Well, the trick is the function m(P,K)...

Let Z be an array of 1999 prime numbers of between
2^200 and 2^400, which the client and server have
agreed upon. The primes are not necessarily safe
primes.

m(P,K)=Z[H(P,K)%1999]

Yes, basically I'm saying have a lookup table.

Now, obviously m(P,K) can only return 1999 different
values, but if I'm assuming that the password is
short anyway... perhaps just a single word selected
using something like diceware would only give a
few thousand possible values for P anyway.

The lookup table could be 'compressed' by selecting
primes which could be expressed as (2^x)-y and using
a 2 dimensional array of say 200x10 16bit values
=> ~4K :-)

All comments appreciated :-)

ttfn

PG.
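SNAKE#11 written out end to end, as an added example (not Peter Gunn's code): both sides run steps 1-6 and the checks that would trigger a disconnect. The parameters are scaled down so it runs in a second (p = 2039 in place of a large safe prime; Z holds 1999 primes just above 2^20 instead of between 2^200 and 2^400), H is SHA-256, E[x](y) is replaced by an HMAC tag keyed with x, and the seeded RNG and passwords are constructed; all of these are assumptions, not part of the post.

```python
import hashlib
import hmac
import random

# Constructed, scaled-down parameters (assumption): p = 2039 is a small safe prime (1019 is prime).
p, g = 2039, 2             # g = 2 generates the order-1019 subgroup mod 2039

def is_prime(n: int) -> bool:
    """Miller-Rabin with bases 2, 3, 5, 7: deterministic for n < 3,215,031,751."""
    if n < 11:
        return n in (2, 3, 5, 7)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def prime_table(count: int = 1999, lo: int = 1 << 20) -> list:
    """Z: the agreed lookup table of (not necessarily safe) primes, smallest first."""
    Z, n = [], lo | 1
    while len(Z) < count:
        if is_prime(n):
            Z.append(n)
        n += 2
    return Z

def H(*parts) -> int:
    """The one-way hash: SHA-256 over the delimited operands, as an integer."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def m(P: int, K: int, Z: list) -> int:
    """m(P,K) = Z[H(P,K) % 1999]: the password-dependent modulus used in steps 3-6."""
    return Z[H(P, K) % len(Z)]

def E(key: int, nonce: int) -> str:
    """Stand-in for E[key](nonce): an HMAC tag instead of a cipher (assumption)."""
    return hmac.new(str(key).encode(), str(nonce).encode(), "sha256").hexdigest()

def snake11(client_pw: str, server_pw: str, Z: list, seed: int = 1) -> dict:
    """One run of steps 1-6; the server checks message 5, the client checks message 6."""
    rng = random.Random(seed)                      # deterministic for the example only
    Pa, Pb = H(client_pw), H(server_pw)            # P = H(password) on each side
    A, B = rng.randrange(1, p - 1), rng.randrange(1, p - 1)   # steps 1-2: DH mod p
    K = H(pow(pow(g, B, p), A, p))                 # both sides reach the same K
    ma, mb = m(Pa, K, Z), m(Pb, K, Z)              # each side's password-derived modulus
    S, T = rng.randrange(1, ma - 1), rng.getrandbits(64)   # client's secrets
    R, V = rng.randrange(1, mb - 1), rng.getrandbits(64)   # server's secrets
    gS, gR = pow(g, S, ma), pow(g, R, mb)          # messages 3 and 4
    ka, kb = pow(gR, S, ma), pow(gS, R, mb)        # (g^RS) % m(P,K) as each side sees it
    return {"same_modulus": ma == mb,              # 1999 entries: two passwords collide 1 in 1999
            "server_accepts": E(ka, V) == E(kb, V),   # message 5 vs server's own value
            "client_accepts": E(kb, T) == E(ka, T)}   # message 6 vs client's own value
```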



------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Fri, 16 Apr 1999 11:54:03 GMT
Reply-To: [EMAIL PROTECTED]

On 16 Apr 1999 10:35:38 +0100, Alan Braggins <[EMAIL PROTECTED]> wrote:

>How do you know? It could be that most people think you are
>babbling, and are grateful that Mr. Gwyn can be bothered to
>take the time to answer you. I mention this as a purely
>hypothetical possibility, of course...

I remind you that the crowd also favored Barabas over Christ.

Bob Knauer

"I read a funny story about how the Republicans freed the slaves. The
Republicans are the ones who created slavery by law in the 1600's.
Abraham Lincoln freed the slaves and he was not a Republican."
- Marion Barry, Mayor of Washington DC


------------------------------

From: [EMAIL PROTECTED]
Subject: PGP is not JUNK (it's cool!)
Date: Fri, 16 Apr 1999 11:02:05 GMT

Ok, Mr. Charles (real name?), you like defaming PGP.  Why, so you can hawk your
crappy program?  Well, that's not professional.

You say DF (what is DF anyway?  It's DH/DSS) has only a trillion keys?
Prove it.  Have you seen the source code?  Is there a line that says "he he
now we use a precalculated key and upload it to the NSA"?

BTW, with a 1024-bit (or 4096-bit) key there are a lot more primes than you try to
portray.  And at any rate you use RSA, which means your product must cost
something.  I don't remember PGP costing anything.

So whoever you are, do us a favor, and shut the hell up.  Newbies will be
discouraged from PGP for no good reason.

Tom
--
About me, I am 17, a student at high school.  My interests (in
computers) includes cryptography and data compression.  I have written
four private papers on these topics.  My fourth paper actually is
public, it is 'Geometric Identification'.  Have a look ! :)

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Fri, 16 Apr 1999 11:57:01 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 16 Apr 1999 03:29:09 +0100, Dennis Ritchie <[EMAIL PROTECTED]>
wrote:

>> As Devil's Advocate I hide behind a facade of amateurishness, but I
>> could just as well be quite knowledgeable of the subject matter at
>> hand and not be letting on.

>I assure you that you maintain your facade well.  Congratulations.

I work hard at it, believe me. :-)

Bob Knauer

"I am a great mayor; I am an upstanding Christian man; I am an intelligent
man; I am a deeply educated man; and I am a very humble man."
- Marion Barry, Mayor of Washington DC


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Random Walk
Date: Fri, 16 Apr 1999 11:59:55 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 16 Apr 1999 04:42:15 GMT, [EMAIL PROTECTED] (Earth
Wolf) wrote:

>>.... In fact, we know that it is impossible to make a
>>"Perfect TRNG". 

>No, it's not.

In the context of the discussion, that statement above refers to a
classical TRNG. A quantum computer programmed to calculate true random
numbers is another matter.

Bob Knauer


------------------------------

From: [EMAIL PROTECTED] (Dan)
Subject: Verify operation of component?
Date: 16 Apr 1999 12:11:10 GMT

I have downloaded a component that is supposed to perform DES-56
encryption using a simple password.

I do not have access to the source code, nor can I get it.

I want to verify the behaviour of this component (simplistically, I am
confident enough that it does not contain viruses, trojans, etc).
Anyone know how? Can I get some plaintext and the encrypted form from
somewhere and compare it to the output from the component?

Thanks,

Dan



------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,alt.security.ripem,sci.answers,talk.answers,alt.answers,news.answers
Subject: RSA Cryptography Today FAQ (1/1)
Date: 16 Apr 1999 12:19:34 GMT
Reply-To: [EMAIL PROTECTED]

Archive-name: cryptography-faq/rsa/part1
Last-modified: 1997/05/21


An old version of the RSA Labs' publication "Answers to Frequently Asked
Questions about Today's Cryptography" used to be posted here until May
1997.  These postings were not sponsored or updated by RSA Labs, and
for some time we were unable to stop them.  While we hope the information
in our FAQ is useful, the version that was being posted here was quite
outdated.  The latest version of the FAQ is more complete and up-to-date.

Unfortunately, our FAQ is no longer available in ASCII due to its
mathematical content.  Please visit our website at
http://www.rsa.com/rsalabs/ to view the new version of the FAQ with your
browser or download it in the Adobe Acrobat (.pdf) format.

RSA Labs FAQ Editor
[EMAIL PROTECTED]


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Possible Snr-level ugrad paper topic?
Date: 16 Apr 1999 09:49:34 GMT

Tim Darling <tdarling#@#glue.umd.edu> wrote:
> I'm in a senior-level undergraduate Crypto class and I'm looking for a
> topic in crypt that I can write about in a paper (5 pgs.. some math). 
> Something different besides the RSA/PGP/entropy/whatever stuff we've
> been doing in class.. Any ideas? Places to look? Thanks.

You could try the Theory of Cryptography library at 
http://philby.ucsd.edu/

for recent papers and preprints. This tends towards the more mathematical
end of the spectrum, so if that's your taste then you should be set.
Then again, it may not be your taste. Even so, some of the papers are
less daunting than others, and the collection is much more manageable
than counterpane.com's. 


Differential power analysis and timing attacks might be interesting if you
like implementations. http://www.cryptography.org and Paul Kocher. 
(on a related note, Kocher and Eli Biham broke the PKZIP cipher - if you
  like cryptanalysis, the paper's on Biham's web page at 
  http://www.cs.technion.ac.il/~biham). See also differential fault
analysis. 

Subliminal channels are fun and have an interesting history. You could try
Yvo Desmedt's page at http://www.cs.uwm.edu/faculty/desmedt/ for a few
papers, or looking up GJ Simmons. 

You could investigate the connection between theory and practice 
with respect to the question "Does anyone use these nice new protocols?"
That is, talk about what "provable security" means, how to get it, and
how much you will pay in terms of efficiency. Mihir Bellare and Phil
Rogaway have published lots and lots of papers on this. A nice start
is Bellare's retrospective at
http://www-cse.ucsd.edu/users/mihir/papers/isw-pops.html
(at least one phrase from this is in RSADSI's tech bulletin on PKCS #1
  verbatim)

Primality testing? What's the best method, why is it so good,
how does it work, here's an implementation, etc. etc.

Crypto standards - ISO, IEEE P1363, whatever others. I don't know
too much about these.

Do you like linear algebra? A lot? Try lattices...
I'm not entirely sure where to start with these. Depends on whether
you want to build or break systems with them.

Build : Miklos Ajtai, Jin-Yi Cai, 
        see Goldwasser + Goldreich's paper on "On The Possibility of 
        Basing Cryptosystems on the Assumption P != NP" 
        and Daniele Micciancio at MIT

        there's more, but not off the top of my head. 

Break : Daniele Micciancio again -- "Pseudo-Random Number Generation : 
                                        The DSS Case"
        http://www.dice.ucl.ac.be/~fkoeune/LLL.html has a list of 
        articles on one of the most popular ways to use lattices.
        "Lattice Basis Reductions, A Tool For The Cryptanalyst" is
        at 
        http://www.ens.fr/~stern/data/JS94.ps
        and aims at a technical but not mathematical audience. 
        (by that I mean 'not an audience of mathematicians')


heck, if you can find a copy of the CRYPTO proceedings or a similar 
conference and just skim through them, you should see something cool
sooner or later.  It really depends on what kind of thing turns you 
on. personally, I like the provable security concept, and am taking
linear algebra so lattices are kind of intriguing.

good luck,
-David Molnar



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Twofish among the top 5 ?!
Date: Fri, 16 Apr 1999 11:47:51 GMT


> I do think Twofish should be a finalist.
>
> Don Johnson

so should rc6, which is easier to implement.

Tom


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
