Cryptography-Digest Digest #943, Volume #8 Thu, 21 Jan 99 17:13:04 EST
Contents:
Re: Pentium III... ("burt")
Re: Metaphysics Of Randomness (R. Knauer)
Re: Help. Protocol feasibility advice needed (Peter Pearson)
Re: Nomadic Authentication (James Pate Williams, Jr.)
3DES in EDE mode versus EEE mode ([EMAIL PROTECTED])
Re: Metaphysics Of Randomness (R. Knauer)
Re: Metaphysics Of Randomness ([EMAIL PROTECTED])
Hash Algorithm - ISO 10118 ("K. Dobey")
Re: Metaphysics Of Randomness (R. Knauer)
Re: Metaphysics Of Randomness (R. Knauer)
Re: Metaphysics Of Randomness (Patrick Juola)
Re: Pentium III... (R. Knauer)
Re: Metaphysics Of Randomness (R. Knauer)
Re: Nomadic Authentication (Thomas Wu)
Re: Metaphysics Of Randomness ([EMAIL PROTECTED])
Re: Metaphysics Of Randomness (Darren New)
Re: Who will win in AES contest ?? (Robert Harley)
----------------------------------------------------------------------------
From: "burt" <[EMAIL PROTECTED]>
Subject: Re: Pentium III...
Date: Thu, 21 Jan 1999 17:38:04 -0000
Shouldn't be too difficult to get around the serial number..
Brad Aisa wrote in message <[EMAIL PROTECTED]>...
>fungus wrote:
>>
>> Intel has announced that the Pentium III will have a built in hardware
>> random number generator, and individual serial number on each chip.
>
>I don't quite understand how a unique serial number in the chip is
>supposed to be helpful for anything cryptographic.
>
>...and if the chip dies?
>
>...and if you switch between computers?
>
>__
>Brad Aisa
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Thu, 21 Jan 1999 17:56:56 GMT
Reply-To: [EMAIL PROTECTED]
On 21 Jan 1999 08:23:54 -0500, [EMAIL PROTECTED] (Patrick Juola)
wrote:
>You're not seeing the fundamental distinction between "irrationality"
>and "randomness" in that randomness is a function, not of a number, but
>of a process.
>Just for clarification : *Any* number/string can be the result of
>a uniformly random process. In fact, a uniformly random process will
>always produce all numbers equiprobably, by construction.
>Any number can also be produced as the result of a non-random process,
>although for many numbers this will be a very uninteresting process
>such as a simple table-lookup and copy.
>The closest relative for irrationality is not the properties such
>as "non-repeating fraction" (which is a thoroughly bogus definition,
>by the way), but the method by which you GET a rational number.
>To wit, a rational number can be generated as the ratio of two integers
>p and q (q != 0 for the formalists, pthththththth). An irrational
>number is a number that cannot be so generated.
>Now, it so happens (lucky us) that any number that can be generated
>as the ratio of two integers can also be written as a terminating
>and/or repeating continued decimal string. This is an independent
>property, first proved in the year <mumble> by someone no doubt too
>famous for me to remember offhand. But the fact that you can
>characterize a number as rational or irrational by inspection is,
>strictly speaking, a lucky fluke.
>There's a similar definition for, e.g., transcendentals -- a transcendental
>number, of course, is a number that cannot be produced as the solution
>to a polynomial equation. Transcendentals are a strict subset of
>irrationals -- sqrt(2), for instance, is irrational but not transcendental.
>However, there's no way to characterize *by inspection* whether or not
>a given irrational number is transcendental. I can easily prove a given
>number is *NOT* transcendental by showing a polynomial to which &c., but
>I can't go the other way.
>So the point is that the characterization of both irrationals and
>transcendentals is a) strictly process-driven, and b) defined in the
>negative sense -- "no possible way to..." That irrationals can be
>cleanly defined in typographic properties should *not* lead you to
>believe that randomness can also be defined in typographic
>properties or that it can be defined in positive terms.
We need to make this into a FAQ on crypto-grade randomness.
Bob Knauer
"A man with his heart in his profession imagines and finds
resources where the worthless and lazy despair."
--Frederic the Great, in instructions to his Generals
------------------------------
From: [EMAIL PROTECTED] (Peter Pearson)
Subject: Re: Help. Protocol feasibility advice needed
Date: Thu, 21 Jan 1999 17:55:15 GMT
In article <785faq$tbo$[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]> wrote:
>Here's my problem. In a client/server implementation, I need to send x and
>f(x) to the client. Assume that the server does not have the computational
>power of the clients involved. Assuming I can successfully fend off all
>other attacks, I need to keep f(x) secure somehow against an attack involving
>decompiling of the client program and passive listening of data sent and
>received on the client's port(s).
Your odds of getting a useful response depend strongly on the
clarity and completeness with which you describe your requirements.
I recommend you try again. Define "secure," or, better, state
specifically the need that hides behind that word. Describe
your security boundaries, what you grant to the attacker, and
exactly what you want to prevent the attacker from doing.
- Peter
------------------------------
From: [EMAIL PROTECTED] (James Pate Williams, Jr.)
Subject: Re: Nomadic Authentication
Date: Thu, 21 Jan 1999 18:11:09 GMT
Reply-To: [EMAIL PROTECTED]
What authentication protocol(s) would be useful in a nomadic (mobile)
networking environment? Ideally, the protocol would have to be
resistant to replay attacks and would require a minimum number of
exchanges.
==Pate Williams==
[EMAIL PROTECTED]
http://www.mindspring.com/~pate
------------------------------
From: [EMAIL PROTECTED]
Subject: 3DES in EDE mode versus EEE mode
Date: Thu, 21 Jan 1999 18:09:25 GMT
FIPS 46-3 ( http://csrc.nist.gov/fips/dfips46-3.pdf (209K) or
http://jya.com/dfips46-3.htm (49K + 35K images) ) defines as an interim
standard 3DES with three different keys in Encrypt-Decrypt-Encrypt mode. Now
originally 3DES used only two keys and the EDE mode had a small advantage:
when the two keys are identical it works as single DES. The same slight
advantage exists now with the new FIPS if all three keys are identical. The
question is: if I always want to use three different keys with the full 168
bits of entropy, is there any advantage in the EDE mode as compared to the
more "natural" EEE mode?
Dianelos Georgoudis
[EMAIL PROTECTED]
http://www.tecapro.com
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
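The backward-compatibility property the post describes (EDE with all three keys equal reduces to a single encryption, because D_k undoes E_k in the middle) is purely algebraic, so it holds for any block cipher. The added example below, which is not from the digest or from FIPS 46-3, demonstrates it on a constructed 16-bit, 4-round Feistel toy cipher that stands in for DES; the key schedule and round function are placeholders, and with a real DES library the encrypt/decrypt calls would simply be swapped for the library's. It also shows that the EEE cascade has no such collapse, since E_k applied twice is not the identity.

```python
# Added example, not from the digest: EDE collapses to a single encryption
# when k1 == k2 == k3, EEE does not. The cipher below is a constructed toy
# Feistel network standing in for DES; only the identity E_k(D_k(E_k(x))) = E_k(x)
# matters, and that holds for any block cipher.

ROUNDS = 4
MASK8 = 0xFF
MASK16 = 0xFFFF


def _round_key(key: int, rnd: int) -> int:
    """Constructed key schedule: rotate the 16-bit key, fold to 8 bits, mix in the round."""
    rotated = ((key << rnd) | (key >> (16 - rnd))) & MASK16
    return ((rotated >> 8) ^ rotated ^ (0x5A * (rnd + 1))) & MASK8


def _f(half: int, rk: int) -> int:
    """Constructed round function; a Feistel network needs no invertibility here."""
    x = (half + rk) & MASK8
    x = ((x << 3) | (x >> 5)) & MASK8
    return (x * x + 3 * x + 1) & MASK8


def encrypt(key: int, block: int) -> int:
    """Toy block encryption E_key(block) on a 16-bit block (no final swap)."""
    left, right = (block >> 8) & MASK8, block & MASK8
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, _round_key(key, rnd))
    return (left << 8) | right


def decrypt(key: int, block: int) -> int:
    """Inverse of encrypt: apply the rounds in reverse, undoing each swap."""
    left, right = (block >> 8) & MASK8, block & MASK8
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _round_key(key, rnd)), left
    return (left << 8) | right


def ede_encrypt(k1: int, k2: int, k3: int, block: int) -> int:
    """Encrypt-Decrypt-Encrypt, the key ordering FIPS 46-3 specifies for TDEA."""
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))


def ede_decrypt(k1: int, k2: int, k3: int, block: int) -> int:
    return decrypt(k1, encrypt(k2, decrypt(k3, block)))


def eee_encrypt(k1: int, k2: int, k3: int, block: int) -> int:
    """The 'natural' Encrypt-Encrypt-Encrypt cascade."""
    return encrypt(k3, encrypt(k2, encrypt(k1, block)))


def eee_decrypt(k1: int, k2: int, k3: int, block: int) -> int:
    return decrypt(k1, decrypt(k2, decrypt(k3, block)))


def collapses_to_single(mode, key: int, blocks=range(1 << 16)) -> bool:
    """True if mode(key, key, key, x) == encrypt(key, x) for every block tried."""
    return all(mode(key, key, key, x) == encrypt(key, x) for x in blocks)


if __name__ == "__main__":
    k, x = 0x1234, 0xBEEF          # constructed sample key and block
    print(f"single E_k : {encrypt(k, x):04x}")
    print(f"EDE (k,k,k): {ede_encrypt(k, k, k, x):04x}")
    print(f"EEE (k,k,k): {eee_encrypt(k, k, k, x):04x}")
    print("EDE collapses to single:", collapses_to_single(ede_encrypt, k))
    print("EEE collapses to single:", collapses_to_single(eee_encrypt, k))
```

The code only exhibits the compatibility property the post mentions; it says nothing about whether EDE offers any advantage over EEE once three independent keys are used, which is the question the post actually asks.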
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Thu, 21 Jan 1999 18:17:20 GMT
Reply-To: [EMAIL PROTECTED]
On 21 Jan 1999 17:34:59 GMT, "John Feth" <[EMAIL PROTECTED]>
wrote:
>Holy Cow Bob, if I give you a certifiably random string (say, with a
>gorgeous Allan Deviation plot) and present it to you as crypto-grade, and
>you give me one of your crypto-grade strings, I'll be able to test and
>certify that your crypto-grade string is random, but you have no way of
>knowing that I fibbed to you about the string I gave you because there is
>no test to distinguish between crypto-grade strings and random strings. We
>have discovered a distinction without a difference!
You still are missing the point. See the FAQ that Patrick Juola posted
earlier.
Regarding your comment about being unable to distinguish the strings,
you should consider that an attack can be launched which will
distinguish the strings when many ciphers are examined.
Put another way, if you use your strings because you think they are
random based on statistical tests, but they are not crypto-grade
random based on the way they are generated, a Bayesian Attack will
uncover that fact and make the ciphers vulnerable.
If all you plan to do is create one cipher from one string that looks
random to you, then you will likely get by with it. But that does not
meet the prime objective of the OTP cryptosystem, namely that it be
provably secure. If you create enough ciphers using your method, and
the pads are not generated by a TRNG, you do not have a provably
secure system.
All you have is another stream cipher made out of pads that pass some
statistical test. And we all know that those are not provably
not even on a practical level of precision.
>Heifer dust Bob, the electron remains an electron, the state is
>indeterminate until measured and then indeterminate until the next
>measurement.
There is far too much controversy in QM for any one conceptualization
to be accurate at this time, including that one.
The wisest position to take is that QM is a mystery.
>Think of it this way if you like; the money you put in the
>bank morphs into an indeterminate state until you check your balance and
>then morphs back into an indeterminate state, but it always comes out as
>money when you withdraw it.
Hmm... the quantum mechanics of money. That's something the federal
govt promotes, isn't it - that money is like Schroedinger's Cat?
One minute the money is yours, the next minute it isn't.
Bob Knauer
"A man with his heart in his profession imagines and finds
resources where the worthless and lazy despair."
--Frederic the Great, in instructions to his Generals
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Metaphysics Of Randomness
Date: Thu, 21 Jan 1999 19:10:33 GMT
Organization: DECUServe
Lines: 26
In article <[EMAIL PROTECTED]>, "Trevor Jackson, III" <[EMAIL PROTECTED]>
writes:
> [EMAIL PROTECTED] wrote:
>
>> No matter how few states a non-deterministic machine has, it can
>> produce random output. If we can characterize each transition in
>> a non-deterministic finite state automaton as having a certain
>> probability then we can characterize the resulting output as having
>> a certain random distribution.
>
> Actually, asserting the randomness of the output of an NDTM is a bit of
> sleight of hand.
> Non-determinism is an analogue for randomness and thus entropy. NDTMs have
> to have a source of indeterminacy, and that source accounts for the
> randomness of the output, not a special property of NDTMs in general.
>
Any NDTM can be constructed by taking a DTM and adding an RNG. Yes.
If you look at an NDTM so constructed, you could say "any randomness
in the output came from the RNG, not the DTM".
It is no sleight of hand to treat the NDTM as a black box and say that
"any randomness in the output came from the NDTM". The RNG is part and
parcel of the NDTM.
So, what was your point?
John Briggs [EMAIL PROTECTED]
------------------------------
From: "K. Dobey" <[EMAIL PROTECTED]>
Subject: Hash Algorithm - ISO 10118
Date: Thu, 21 Jan 1999 18:42:55 -0000
Hi there
I have a query relating to ISO 10118-2 which is a standard hashing method
proposed by the ISO. Can anyone point me towards further details on this
standard please ?
I have discovered that the MDC-2 algorithm is based on the ISO 10118-2
standard, however I don't know if "based" means that it is an implementation
(i.e., the same) or just based in that it uses similar techniques.
If anyone can offer any information I would be most grateful.
Thanks Folks
Kevin.
Email: [EMAIL PROTECTED] (remove the .nospam)
please cc me on replies as I don't check these lists frequently
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Thu, 21 Jan 1999 18:58:17 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 21 Jan 1999 13:26:52 -0500, Dorina Lanza <[EMAIL PROTECTED]>
wrote:
>I think it's worse than this. The statement that the output of a filtered
>random source is non-random is false. If, for crypto purposes, we exclude
>pathological values such as zero from a TRNG we still have an equiprobable
>selection from a pool of possible values. The fact that the pool is slightly
>smaller does not reduce the randomness because the selection process is the
>same. The entropy would be slightly less, but not the independence of the
>samples.
>This idea of post-processing contaminating the source is fallacious.
What you have just said is completely incorrect for crypto-grade
random numbers.
If you do what you have just proposed, you will be vulnerable to a
Bayesian Attack.
Bob Knauer
"A man with his heart in his profession imagines and finds
resources where the worthless and lazy despair."
--Frederic the Great, in instructions to his Generals
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Thu, 21 Jan 1999 20:12:10 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 21 Jan 1999 19:27:35 GMT, [EMAIL PROTECTED] wrote:
>Even though such a block of 1's or 0's would reveal some plaintext (if you
>knew the location of the block) there should be enough *spurious*
>occurrences of plaintext-like in the Vernam cipher output
>so that real 'leakages' are undetectable, no?
A finite sized run of all 1s or 0s is one thing, but an entire pad of
all 1s or 0s is another.
If you look at the digit expansion of pi, you will see several runs
like 0123456789 and its opposite.
ftp://www.cc.u-tokyo.ac.jp/README.our_latest_record
0123456789 : from 17,387,594,880-th of pi
0123456789 : from 26,852,899,245-th of pi
0123456789 : from 30,243,957,439-th of pi
0123456789 : from 34,549,153,953-th of pi
0123456789 : from 41,952,536,161-th of pi
0123456789 : from 43,289,964,000-th of pi
9876543210 : from 21,981,157,633-th of pi
9876543210 : from 29,832,636,867-th of pi
9876543210 : from 39,232,573,648-th of pi
9876543210 : from 42,140,457,481-th of pi
9876543210 : from 43,065,796,214-th of pi
Bob Knauer
"A man with his heart in his profession imagines and finds
resources where the worthless and lazy despair."
--Frederic the Great, in instructions to his Generals
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Metaphysics Of Randomness
Date: 21 Jan 1999 13:36:28 -0500
In article <[EMAIL PROTECTED]>,
Dorina Lanza <[EMAIL PROTECTED]> wrote:
>> > You are making the mistake of trying to characterize a number as
>> > random on the basis of some inherent property, like lack of
>> > correlation or bias or somesuch. But we know that a characterization
>> > like that will not properly characterize crypto-grade random numbers.
>> > Only the characterization of the generation process is proper.
>>
>> Holy Cow Bob, if I give you a certifiably random string (say, with a
>> gorgeous Allan Deviation plot) and present it to you as crypto-grade, and
>> you give me one of your crypto-grade strings, I'll be able to test and
>> certify that your crypto-grade string is random, but you have no way of
>> knowing that I fibbed to you about the string I gave you because there is
>> no test to distinguish between crypto-grade strings and random strings. We
>> have discovered a distinction without a difference!
>
>I think it's worse than this. The statement that the output of a filtered
>random source is non-random is false. If, for crypto purposes, we exclude
>pathological values such as zero from a TRNG we still have an equiprobable
>selection from a pool of possible values. The fact that the pool is slightly
>smaller does not reduce the randomness because the selection process is the
>same. The entropy would be slightly less, but not the independence of the
>samples.
"The entropy would be slightly less" is sufficient to make the
resulting system less than perfectly secure. At this point it's
just Yet Another stream cypher.
As to whether or not the loss of entropy is significant to make a
practical difference -- that depends on the degree of filtering.
What do you really buy by doing the filtering? Not much --- and
every time the filter triggers, it introduces a weakness.
-kitten
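Both Knauer's reply to Dorina Lanza earlier in this digest ("you will be vulnerable to a Bayesian Attack") and Juola's "the entropy would be slightly less" above make the same point about filtered pads. The added example below, which is not from the digest, makes it concrete on a 4-bit one-time pad that is small enough to enumerate: it applies Bayes' rule to one ciphertext under an unfiltered pad and under a pad with the "pathological" all-zero and all-one values removed. The exclusion set, the ciphertext and the skewed plaintext prior are constructed sample values.

```python
# Added example, not from the digest: a 4-bit one-time pad enumerated exactly,
# showing what excluding "pathological" pads costs once an attacker applies
# Bayes' rule to a single ciphertext. All sample values are constructed.
from fractions import Fraction
from math import log2

N_BITS = 4
SPACE = range(1 << N_BITS)


def pad_distribution(excluded):
    """Uniform over all N_BITS-bit pads except the excluded ones (the 'filter')."""
    allowed = [p for p in SPACE if p not in excluded]
    return {p: Fraction(1, len(allowed)) for p in allowed}


UNFILTERED = pad_distribution(set())
FILTERED = pad_distribution({0b0000, 0b1111})   # "pathological" pads removed

UNIFORM_PRIOR = {m: Fraction(1, len(SPACE)) for m in SPACE}
# Constructed prior: the attacker believes message 0 is sent half the time.
SKEWED_PRIOR = {m: (Fraction(1, 2) if m == 0 else Fraction(1, 30)) for m in SPACE}


def posterior(ciphertext, pad_dist, prior=UNIFORM_PRIOR):
    """Bayes' rule for c = m xor pad: P(m | c) is proportional to P(m) * P(pad = m xor c)."""
    unnorm = {m: prior[m] * pad_dist.get(m ^ ciphertext, Fraction(0)) for m in SPACE}
    total = sum(unnorm.values())
    return {m: v / total for m, v in unnorm.items()}


def entropy_bits(dist):
    """Shannon entropy of a distribution over plaintexts, in bits."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p > 0)


def ruled_out(ciphertext, pad_dist):
    """Plaintexts the attacker can exclude outright from one ciphertext."""
    return sorted(m for m, p in posterior(ciphertext, pad_dist).items() if p == 0)


def leaked_bits(ciphertext, pad_dist):
    """Uncertainty lost about the plaintext, relative to a uniform prior."""
    return N_BITS - entropy_bits(posterior(ciphertext, pad_dist))


def is_perfectly_secret(pad_dist, prior):
    """Shannon's criterion: no ciphertext changes any plaintext probability."""
    return all(posterior(c, pad_dist, prior) == prior for c in SPACE)


if __name__ == "__main__":
    c = 0b1011   # constructed observed ciphertext
    for name, pads in (("unfiltered", UNFILTERED), ("filtered", FILTERED)):
        print(f"{name:10s}: ruled out {ruled_out(c, pads)}, "
              f"leaks {leaked_bits(c, pads):.3f} bits, "
              f"perfectly secret under skewed prior: "
              f"{is_perfectly_secret(pads, SKEWED_PRIOR)}")
```

With the unfiltered pad the posterior equals the prior for every ciphertext, whatever the prior; with two pads excluded, each ciphertext lets the attacker strike two of the sixteen plaintexts and shifts the rest, which is exactly the "less than perfectly secure" Juola describes. Scaling the same computation to realistic pad lengths changes the numbers, not the shape of the argument.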
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Pentium III...
Date: Thu, 21 Jan 1999 20:05:07 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 21 Jan 1999 19:37:32 GMT, [EMAIL PROTECTED] wrote:
>It's pretty easy to generate extremely high quality random numbers on a
>typical PC at rates of 1000 bits/second.
How is that done such that no one can crack the resulting cipher
given sufficient resources?
For example, if you have a laptop with sensitive business material on
it, and a competitor steals it, he may decide that it is worth 1
million dollars to decipher your files.
Can the kind of random number generator you allude to above be
adequate to prevent all but the most concerted attacks, like from the
NSA?
>The primary use for a processor serial number seems like it would be to
>enforce software licenses. If I read the Microsoft OS license correctly, your
>NOT allowed to move a copy of the OS from an old machine to a new machine.
>The OS is licensed to a specific machine, which might be interpreted as a
>specific processor.
Just great! You buy a computer with an installed OS, the processor
dies from infant mortality, and now you've got a major hassle on your
hands.
You would think the industry learned its lesson from the old days of
closed architectures, key-based S/W, dongle keys, etc. I can just see
Ziff Davis refusing to test anything that is Pentium III based.
Bob Knauer
"A man with his heart in his profession imagines and finds
resources where the worthless and lazy despair."
--Frederic the Great, in instructions to his Generals
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Thu, 21 Jan 1999 19:29:06 GMT
Reply-To: [EMAIL PROTECTED]
On 21 Jan 1999 13:16:45 -0500, [EMAIL PROTECTED] (Patrick Juola)
wrote:
>Similarly, if he gives you a certified crypto-grade number, you can
>probably test that it's random.
But we know that one cannot test that a particular number is random.
>HOWEVER, in the process he had to
>certify a lot more things than just properties of the number --
>for example, he had to check the generator.
Which means that testing a particular number is meaningless.
>I'll be perfectly happy to sell you a rock -- complete with certificate --
>from the island of Atlantis. Guess what. You can't test the rock to
>determine if it's from Atlantis!
Good metaphor.
Strictly speaking there is a "test" procedure for crypto-grade
randomness, but it is not for one particular sequence only. Create
multiple OTP ciphers and run them thru a Bayesian Attack. If they
pass, the pads are likely crypto-grade random.
BTW, is there a quantitative measure (even if it is heuristic) for such
a "Bayesian Attack Test" in terms of the number of separate
ciphertexts and the length of each ciphertext for a given level of
confidence that the pads are crypto-grade random?
Bob Knauer
"A man with his heart in his profession imagines and finds
resources where the worthless and lazy despair."
--Frederic the Great, in instructions to his Generals
------------------------------
From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: Nomadic Authentication
Date: 21 Jan 1999 13:25:41 -0800
[EMAIL PROTECTED] (James Pate Williams, Jr.) writes:
> What authentication protocol(s) would be useful in a nomadic (mobile)
> networking environment? Ideally, the protocol would have to be
> resistant to replay attacks and would require a minimum number of
> exchanges.
If by nomadic you assume that large private keys don't follow the user
around, then a secure user authentication protocol like SRP, SPEKE, or
EKE sounds like the desired solution. AFAIK, they resist all the classic
protocol attacks and are time, space, and network-efficient.
--
Tom Wu * finger -l [EMAIL PROTECTED] for PGP key *
E-mail: [EMAIL PROTECTED] "The pen may be mightier than the sword, but my
Phone: (650) 723-1565 mouse can crash Windows with one click."
http://www-cs-students.stanford.edu/~tjw/ http://srp.stanford.edu/srp/
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Metaphysics Of Randomness
Date: Thu, 21 Jan 1999 19:27:35 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> On 20 Jan 1999 16:26:24 GMT, "John Feth" <[EMAIL PROTECTED]>
> wrote:
>
> The property of a TRNG which makes it suitable for generating
> crypto-grade random numbers is that it is capable of producing all
> possible sequences of a given finite length equiprobably. The number
> thus produced is random not because of some intrinsic characteristic
> it has itself, but because it is generated by a TRNG. That means that
> the sequences 111...1 and 000...0, however pathological they might
> seem (and however improbable they might be), are nonetheless valid
> random output sequences, and hence qualify as crypto-grade random
> numbers.
Even though such a block of 1's or 0's would reveal some plaintext (if you
knew the location of the block) there should be enough *spurious*
occurrences of plaintext-like in the Vernam cipher output
so that real 'leakages' are undetectable, no?
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Metaphysics Of Randomness
Date: Thu, 21 Jan 1999 21:39:01 GMT
> Any NDTM can be constructed by taking a DTM and adding an RNG. Yes.
Ummm, not really. For an NDTM to be ND, it has to have multiple
transitions out of the same state into different states (on the same
input). A DTM by definition has no such transitions.
> If you look at an NDTM so constructed, you could say "any randomness
> in the output came from the RNG, not the DTM".
You're kind of mixing up the mathematics of what things are with
possible implementations of what things are. For example, one possible
definition for an NDTM is one in which it always chooses the state
transition that is going to make it halt, if any will.
> It is no sleight of hand to treat the NDTM as a black box and say that
> "any randomnes in the output came from the NDTM". The RNG is part and
> parcel of the NDTM.
It is?! You'd have to show me a definition of NDTM that includes
something about a random number generator. I don't remember ever seeing
such a definition.
--
Darren New / Senior Software Architect / MessageMedia, Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
"You could even do it in C++, though that should only be done
by folks who think that self-flagellation is for the effete."
------------------------------
From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: Who will win in AES contest ??
Date: 21 Jan 1999 22:14:31 +0100
[EMAIL PROTECTED] (Piotr Kulinski) writes:
> Who do you think will win the AES contest ???
> My type is Twofish....
Why do you think it would be Twofish? Because Bruce Schneier wrote a
very popular book? Twofish is quite a complex, non-obvious cypher. No
offense intended to its inventors, but I don't think it is a
"front-runner". If you care about speed first and security second
then Mars or RC6 are likely candidates. If you care about security
first and speed second then DFC looks good.
Anyway, the current stage in the process is to pick 5 candidates to
survive to the next stage...
Rob.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************