Cryptography-Digest Digest #798, Volume #8       Fri, 25 Dec 98 22:13:03 EST

Contents:
  Re: Meet in the middle attack? (JPeschel)
  Re: On living with the 56-bit key length restriction (wtshaw)
  Re: Stego in jpeg files (Ross Presser)
  Re: Make Fast Random Number Generator? (Paul Crowley)
  Re: biometrics (David A Molnar)
  Common Modulus Attack on RSA ("Max")
  Re: HELP! Who can decrypt this? ("Michael Scott")
  Re: Session keys in Elliptic Curve (David Brownridge)
  Re: Common Modulus Attack on RSA (Ian Goldberg)
  Re: Questions about Binary Files in C++ (fungus)
  Re: Questions about Binary Files in C++ (fungus)
  Re: Session keys in Elliptic Curve (Mr. Tines)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Meet in the middle attack?
Date: 22 Dec 1998 18:04:55 GMT

>Gramps <[EMAIL PROTECTED]> writes:

>What is a meet in the middle attack? I have books on crypto, but they do 
>not define that attack. I can guess what it is from the name, but my 
>guesses often are wrong.

>From the "Journal of Craptology"

"Meet in the Middle v.i. Plan for covert rendezvous."

Thus, it follows that a "meet in the middle attack" is the 
wife showing up with her lawyer.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: talk.politics.crypto
Subject: Re: On living with the 56-bit key length restriction
Date: Tue, 22 Dec 1998 12:30:58 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> 
> Ah, but that wouldn't be the point. I'd like to repeat the point (for
> emphasis) that the crypto export law is silly, and the official reasoning
> is flawed- e.g. the law is supposedly to prevent criminals/terrorists from
> getting their hands on 128 bit crypto. So by definition law abiding people
> won't push the button if it's illegal for them to access it. 

It is becoming increasingly useless to try to be law abiding if laws are
silly, contradictory, and perhaps, even unknown or ill-defined; this is
what really undermines respect for the law.  People come to not bother
what it says any more; and, the cause for such an attitude is government's
trivialization of its own power.  Saying it is the law is insufficient for
a majority of people these days, that is evident in recent headline
events.
-- 
What goes around, comes around.
You reap what you sow.
Do unto others as you would have them do unto you.
The wheels of the gods grind most slowly, but exceedingly fine.
People in glass houses should not cast stones.
Let those who are without sin cast the first stone.
Judge not that ye be judged.

------------------------------

From: [EMAIL PROTECTED] (Ross Presser)
Subject: Re: Stego in jpeg files
Date: Wed, 23 Dec 1998 17:10:57 GMT

On Wed, 23 Dec 1998 14:32:05 GMT, [EMAIL PROTECTED] (R. Knauer)
wrote:

>On Wed, 23 Dec 1998 06:36:53 -0600, "Steve Sampson"
><[EMAIL PROTECTED]> wrote:
>
>>Why are you using two backslashes in the URL?
>>
>>Have you ever gone to any web site using backslashes?
>
>Bill Gates personal web site is rumored to use backslashes.
>
>Bob Knauer
>
>"Laws to suppress tend to strengthen what they would prohibit.
>This is the fine point on which all the legal professions of
>history have based their job security."
>--Frank Herbert 

---BEGIN AWFUL JOKE---
Then there's O.J. Simpson's web site:
http:\\/\//\/escape.com

(say it out loud)
---END AWFUL JOKE---


remove NOSPAM to reply by email

------------------------------

From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: Make Fast Random Number Generator?
Date: 23 Dec 1998 10:01:23 -0000

[EMAIL PROTECTED] (Robert Davies) writes:

> Jim Trek <[EMAIL PROTECTED]> wrote:
> 
> >Does anybody here make a fast random number generator or have the
> >capability to design and build one that will provide 2 million or
> >more bits per second for a PCI slot or a universal serial bus?
> 
> The Tundra generator goes at 20,000 bytes per second, but it
> plugs into an ISA slot. You could put 4 of them in a single
> PC and run them at double speed to get 1,280,000 slightly biased
> slightly correlated bits per second. Quite expensive.

Eek.  For what application is a fast CPRNG fed by a slower random
number generator unsuitable?
-- 
  __
\/ o\ [EMAIL PROTECTED]  http://www.hedonism.demon.co.uk/paul/ \ /
/\__/ Paul Crowley            Upgrade your legacy NT machines to Linux /~\

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: biometrics
Date: 25 Dec 1998 03:55:08 GMT


> Retinal scanners overcome a lot of the "info grabbing" approach as they
> look for a pulse in the retina as well. If the pulse is missing it knows
> it is looking at either a fake eye or a corpse.

That's not quite what I was getting at, although it is true and something
to highly recommend such methods. 

I was more worried about "what if we capture a terminal?"
The terminal has to process the info it receives, including the fact of
whether or not there's a pulse, eye movement, etc. into some kind of
binary representation and then deliver it or its product somewhere else.
Record that representation, and then _bypass the terminal_ somehow, and
you're done. 

> My main concern is the potential for long term harm, caused by
> repeatedly having lasers shone directly into my eyes.

I hadn't thought about this, but it sounds like it's worth looking into.
What are the various classes of lasers ? I remember only that the scale
goes from I to V or VI, with one end being fairly trivial and the other
the kind seen in _Real Genius_.

-David

------------------------------

From: "Max" <[EMAIL PROTECTED]>
Subject: Common Modulus Attack on RSA
Date: Thu, 24 Dec 1998 21:57:34 -0700

I don't quite understand the math involved here, and was wondering if
someone could help me.

Let's say I'm part of a network that was naive enough to issue a common
modulus to all of its users.  How could a malicious user, knowing his own
encryption/decryption key pair (e,d) factor the modulus n in an efficient
manner such that he could then compute the decryption (private) keys for all
other users of the network?

I'm pretty new to the field, so please use simple English.  Thanks for any
help, and Merry Christmas! :)




------------------------------

From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: HELP! Who can decrypt this?
Date: Fri, 25 Dec 1998 11:53:51 -0000


Damian Weber wrote in message <75qdla$5i6$[EMAIL PROTECTED]>...
>....
>Of course you can throw this into one program which does that
>automatically.

A program that does this can be found in my MIRACL package. A tweaked
version of this program "qsieve" factored the same 77 digit number in 30
hours, on a Pentium 233MHz, using 10000 small primes as a factor base, a
sieve of size 100000, and allowing room for 20000 residues partially
factored with one "large prime".

Mike Scott
=========================================
Fastest is best. MIRACL multiprecision C/C++ library for big number
cryptography
http://indigo.ie/~mscott


>But usually this is divided into some standalone programs which are called
>      Damian
>
>



------------------------------

From: David Brownridge <[EMAIL PROTECTED]>
Subject: Re: Session keys in Elliptic Curve
Date: Sat, 26 Dec 1998 01:31:38 +1100
Reply-To: [EMAIL PROTECTED]

Anonymous <[EMAIL PROTECTED]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----

                [snip]

> -----END PGP SIGNATURE-----


Am I alone in detecting a slight incongruity here?  


-- 

rgds
DVD

(David Brownridge)    <mailto:[EMAIL PROTECTED]>

------------------------------

From: [EMAIL PROTECTED] (Ian Goldberg)
Subject: Re: Common Modulus Attack on RSA
Date: 25 Dec 1998 16:09:38 GMT

In article <U$ps9G7L#[EMAIL PROTECTED]>,
Max <[EMAIL PROTECTED]> wrote:
>I don't quite understand the math involved here, and was wondering if
>someone could help me.
>
>Let's say I'm part of a network that was naive enough to issue a common
>modulus to all of its users.  How could a malicious user, knowing his own
>encryption/decryption key pair (e,d) factor the modulus n in an efficient
>manner such that he could then compute the decryption (private) keys for all
>other users of the network?
>
>I'm pretty new to the field, so please use simple English.  Thanks for any
>help, and Merry Christmas! :)

[Just woke up; brain not yet at full power; bear with me...]

First of all, giving the same n and different e's to different users is
of course a terribly stupid thing to do, but you already knew that.  [In
contrast, using the same p,q,g and different x's in DSA is perfectly safe.]

Generating the values of e and d usually goes like this:

  o Pick a random e (well, usually you pick 3, 17, or 65537, but if you
    need one for each user, it'll likely be random; it doesn't really matter,
    anyway).
  o Calculate d such that de = 1 mod phi(n)  [Here's where knowing the
    factorization of n is used; phi(n)=(p-1)(q-1) if n=pq; but note that
    all we _really_ need is phi(n).]; i.e. de-1 = k*phi(n) for some k.

Well, you know _your_ d and e, so you can calculate de-1 = k*phi(n), and
learn k*phi(n) (but you don't yet know what k is).

Now you have a few options:

1) If your value of e happens to be very small (less than sqrt(n)/2 or
thereabouts), then it will be that phi(n) = (k*phi(n))/ceil((k*phi(n))/n),
since k<e and k*phi(n)/n = k - k*(p+q-1)/n.

2) If you collaborate with someone else, and they calculate _their_ k'*phi(n),
take the gcd of k*phi(n) and k'*phi(n).  With good probability, gcd(k,k')=1,
so gcd(k*phi(n),k'*phi(n)) = phi(n) (and anyway, gcd(k,k') is likely to be
small, so just removing small factors until you get to a number just slightly
less than n will do it).

3) You don't _really_ need to find k, anyway.  Let's say message M was
encrypted to someone else, with public exponent e', so you get to see
M^(e') mod n.  Calculate d',r such that d'*e' - r*(k*phi(n)) = 1 (this
will work as long as gcd(k,e') = 1, but otherwise, you learn a factor of
k, so divide k*phi(n) by it, and repeat); i.e. d'e' = 1 mod (k*phi(n)).
Now it's possible that d' is not the "real" d (it may be much larger), but
(M^(e'))^(d') mod n = M^(rk*phi(n)+1) mod n = M mod n, so it works anyway.

   - Ian "who is sure someone more awake will have a simpler way... :-)"
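Ian's three options worked through on a constructed toy network (an added example, not code from the thread): each user's own (e, d) gives k*phi(n); a small e, or a second user's pair, recovers phi(n) and with it p and q; option 3 reads another user's traffic without factoring at all. The Mersenne primes, the exponents 65537/19/29 and the 2^20 bound on gcd(k, k') are my assumptions, chosen so the whole thing runs in well under a second.

```python
import math

# Constructed toy "network" that hands every user the same modulus n = p*q; p and q are
# the Mersenne primes 2^61-1 and 2^89-1, chosen so that primality is certain.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)

def keypair(e):
    """Issuer side: d = e^-1 mod phi(n). Only the issuer is supposed to know phi."""
    return e, pow(e, -1, PHI)

def k_phi_from_own_key(e, d):
    """Any user computes e*d - 1 = k*phi(n) from their own pair; k itself stays unknown."""
    return e * d - 1

def factor_from_phi(n, phi):
    """phi = (p-1)(q-1) gives p+q = n - phi + 1; solve x^2 - (p+q)x + n = 0 exactly."""
    s = n - phi + 1
    disc = s * s - 4 * n
    r = math.isqrt(disc)
    return None if r * r != disc else ((s - r) // 2, (s + r) // 2)

def phi_from_small_e(kphi, n):
    """Option 1: k < e and k*phi/n = k - k(p+q-1)/n, so for small e ceil(kphi/n) == k."""
    return kphi // (-(-kphi // n))

def phi_from_two_users(kphi_a, kphi_b, n):
    """Option 2: gcd(k*phi, k'*phi) = gcd(k,k')*phi; strip the small cofactor, verify by factoring."""
    g = math.gcd(kphi_a, kphi_b)
    for c in range(1, 1 << 20):              # assumed bound on gcd(k, k'); it is tiny in practice
        if g % c == 0 and g // c < n and factor_from_phi(n, g // c):
            return g // c

def decrypt_with_own_key(c, e_other, kphi, n):
    """Option 3, no factoring: find d' with d'*e' = 1 mod k*phi, then c^d' = M^(1 + r*k*phi) = M.
    A factor shared by e' and k*phi divides k (e' is coprime to phi), so strip it and retry."""
    while math.gcd(e_other, kphi) != 1:
        kphi //= math.gcd(e_other, kphi)
    return pow(c, pow(e_other, -1, kphi), n)

def demo():
    e, d = keypair(65537)                    # the insider's own key pair
    e2, _ = keypair(19)                      # a victim: the insider sees only e2 and ciphertexts
    e3, d3 = keypair(29)                     # a collaborator who shares their pair (option 2)
    kphi = k_phi_from_own_key(e, d)
    recovered = decrypt_with_own_key(pow(0xC0FFEE, e2, N), e2, kphi, N)
    return (phi_from_small_e(kphi, N) == PHI,
            phi_from_two_users(kphi, k_phi_from_own_key(e3, d3), N) == PHI,
            factor_from_phi(N, phi_from_small_e(kphi, N)) == (P, Q),
            recovered == 0xC0FFEE)
```

The lesson for anyone issuing keys: every user of a shared modulus holds enough to recover phi(n), so one key pair compromises the whole population.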

------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: Questions about Binary Files in C++
Date: Fri, 25 Dec 1998 11:29:52 +0100

Ed Hild wrote:
> 
> I'm having trouble reading and writing with binary files in c++.
...

> I have been able to read a
> character at a time, but i assumed that this was not good since I
> may not always be using a text file for input.
> 

There's no difference between a text file and a bonary file at this
level, you should be reading chars. Remember to open your file in
binary mode, not text mode, or the standard library will mess with
control characters as it reads it...


-- 
<\___/>
/ O O \
\_____/  FTB.


------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: Questions about Binary Files in C++
Date: Fri, 25 Dec 1998 21:09:26 +0100

fungus wrote:
> 
> There's no difference between a text file and a bonary file
                                                  ^^^

Don't you just hate it when that happens??


-- 
<\___/>
/ O O \
\_____/  FTB.

------------------------------

From: Mr. Tines <[EMAIL PROTECTED]>
Subject: Re: Session keys in Elliptic Curve
Date: 25 Dec 1998 20:54 +0000

###

On 24 Dec 1998 20:37:46 +0100, in <[EMAIL PROTECTED]>
          Anonymous <[EMAIL PROTECTED]> wrote.....

> RSA, DH and ElGamal act as enveloping mechanisms in the
> transport of the session key for a bulk cipher in most
> PK-cryptosystems. But what about Elliptic Curve? In a
> cryptosystem using Elliptic Curve as the key exchange
> algorithm, does it merely act as an enveloping mechanism
> for the session key, or does it play part in the generation
> of the session key and thus achieve the exchange of the key?

In the simple case of elliptic curve encryption where
there is a known generator point P, with secret key x,
and public key P,P*x then key exchange could be
accomplished by taking random r and transmitting P*r,
and using (P*x)*r as the session key - so to that extent
the EC algorithm participates in the key generation.

If you need to carry other information along with the
key (such as algorithm definition as per PGP) in a key
packet k, then you'd transmit

P*r and ((P*x)*r)^k

which would mean that the session key would not be something
affected by direct processing through the EC algorithm.


> If it doesn't, the conventional way to generate session
> keys is to take output of PRNG and run it through a message
> digest algorithm, correct? But is there any way to generate
> 256 bit session keys? Are there any secure hash algorithms
> that give 256 bit values as output?

HAVAL can generate 256 bit output as does TIGER - or you
can partition your entropy between two 128-bit generators,
and build half a key from each.

-- PGPfingerprint: BC01 5527 B493 7C9B  3C54 D1B7 248C 08BC --
 _______ {pegwit v8 public key =581cbf05be9899262ab4bb6a08470}
/_  __(_)__  ___ ___     {69c10bcfbca894a5bf8d208d001b829d4d0}
 / / / / _ \/ -_|_-<      www.geocities.com/SiliconValley/1394
/_/ /_/_//_/\[EMAIL PROTECTED]      PGP key on page

### end pegwit v8 signed text
5117f21e864d29f07ad0c537bf605cdaa36b187b4a44200af1c7c18b46fd
89576c6931154a71527ffa76aea4857c8fe079a67637710d1bfbf2e6fd39
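The two modes Tines describes, on a constructed toy curve (an added example; not code from the post, from PGP or from pegwit): in the first, the session key is derived straight from (P*x)*r, in the second that point only wraps an independently generated key packet k. The curve y^2 = x^3 + 2x + 3 over GF(97), the generator (3, 6), SHA-256 as the key derivation and XOR as the wrapping are my assumptions; the group law itself is the real one.

```python
import hashlib

# Constructed toy curve y^2 = x^3 + A*x + B over GF(PRIME); far too small for real use,
# but the group law is genuine, so x*(r*P) == r*(x*P) holds exactly as in the post.
PRIME, A, B = 97, 2, 3
G = (3, 6)                                   # the known generator point "P" of the post

def on_curve(pt):
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % PRIME == 0

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None                          # P + (-P), including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % PRIME, -1, PRIME)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME)
    lam %= PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return x3, (lam * (x1 - x3) - y1) % PRIME

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def kdf(pt):
    """Hash the shared point down to a 16-byte key (assumed; the post leaves derivation open)."""
    return hashlib.sha256(f"{pt[0]},{pt[1]}".encode()).digest()[:16]

def exchange(x, r, key_packet):
    """Recipient holds x and publishes P*x; sender picks r and transmits P*r (x, r must not be
    multiples of the point order). Case 1: key = KDF((P*x)*r). Case 2: that value wraps packet k."""
    pub = ec_mul(x, G)                       # recipient's public key P*x
    eph = ec_mul(r, G)                       # transmitted alongside the message
    k_sender = kdf(ec_mul(r, pub))           # (P*x)*r
    k_recipient = kdf(ec_mul(x, eph))        # (P*r)*x, the same point
    wrapped = bytes(a ^ b for a, b in zip(key_packet, k_sender))       # ((P*x)*r) ^ k
    unwrapped = bytes(a ^ b for a, b in zip(wrapped, k_recipient))
    return k_sender == k_recipient, unwrapped == key_packet
```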


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
