Cryptography-Digest Digest #973, Volume #8 Tue, 26 Jan 99 16:13:03 EST
Contents:
Re: hardRandNumbGen (Mok-Kong Shen)
Re: Unicity, DES Unicity and Open-Keys (Patrick Juola)
Re: hardRandNumbGen ("Trevor Jackson, III")
Re: Inforamtionpool sas&chiffrier (John Savard)
Re: Non exe/com crypto prog (Paul Crowley)
Re: Japanese Purple encryption (Jim Gillogly)
Re: Random numbers from a sound card? (Frank Gifford)
Re: hardRandNumbGen (R. Knauer)
Re: hardRandNumbGen (R. Knauer)
Re: Random numbers from a sound card? (Mok-Kong Shen)
Re: Random numbers generator and Pentium III (Medical Electronics Lab)
Re: Idea for plaintext steganography ("Trevor Jackson, III")
Re: hardRandNumbGen (Terry Ritter)
Re: Random numbers from a sound card? (David Ross)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Date: Tue, 26 Jan 1999 18:24:51 +0100
handWave wrote:
>
> The scenario in which the RNG will be used makes the choice clearer. Pick
> a purpose: repeatability for stream ciphers, then use a PRNG. For key
> generation use a RNG based on hardware. If you are in the college dorm
> with enemies who may interfere remotely, then a thermal noise generator
> from an avalanche diode with a high gain amplifier breadboarded using
> wire-wrapped, unshielded circuits is a bad implementation.
I think the following scenario may be interesting: I am the user
of an application with certain security expectations. Some one
offers me two sequences generated from two different sources
(I am not told which is which). I want to decide which one to use.
I have all statistical test tools available. How am I going to make
the decision? (This is independent of how I am going to use the
sequence, I suppose. I simply want the one with better 'crypto
strength', i.e. higher un-predictability. Maybe I'll use the
sequence as kind of one-time pad (never mind the terminology here).)
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Unicity, DES Unicity and Open-Keys
Date: 26 Jan 1999 11:31:10 -0500
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>More generally: It is commonly assumed that the analyst knows the
>encryption scheme one uses. But this is reasonable if one repeatedly
>uses the same scheme. If one has a fairly large set of schemes to be
>chosen according to a secret schedule, then the analyst has first of
>all to figure out the scheme actually being used, i.e. he has a much
>higher work load. I believe all this could be subsumed under the
>paradigm 'Security through variability', which underlies, in
>particular, those algorithms that are parameter-dependent (analogous
>to parametrized data types in programming languages; the parameters
>can be regarded as kind of 'key extensions' which is of interest
>in the context of the Wassenaar regulation).
How large is "a fairly large" set of schemes, in this context?
I'm rather suspicious of introducing a thousand new and insufficiently
tested encryption algorithms in the interests of adding another ten
bits of security. On the other hand, I don't see creating another
three bits of key as necessarily being useful; that puts off the
apocalypse for, what, two years (Moore's law and all)?
-kitten
------------------------------
Date: Tue, 26 Jan 1999 12:28:17 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Mok-Kong Shen wrote:
> handWave wrote:
> >
>
> > > Even the presmption that the output would pass statistical tests is
> > > questionable. One famous gafffe in PRNG design was Knuth's composite
> > > generator, which he called superrandom. Unfortunately it was a closed loop
> > > design.
> >
> > It was a computer program.
>
> Having previously taken part in discussions in several threads of
> this group on random number generations, I doubt nevertheless that
> I have really known an answer to the following question:
>
> If I have two sources of randomness, one software and one hardware,
> both passing all statistical tests I apply equally well, why should
> I choose one source in preference to the other? And if additionally
> I don't know which sequence I get is from software and which is from
> hardware? (Compare the Turing test.) How does the origin of the
> sequence affect the workload of the analyst, if the software
> generation process involves so many parameters that for combinatorial
> reasons he has no chance of directly dealing with them but has
> to try to look instead for possible regularities/irregularities in
> the sequence itself and, by assumption, the sequences from the
> two sources are of equal statistical quality? (Note that the
> hardware source is (in my humble opinion) unpredictable simply
> because there are so many participating 'parameters' that the
> 'summation' (the end product) becomes unpredictable, cf. the casting
> of a dice.)
The fundamental reason is that, for security purposes, we have to assume that our
opponent can do anything we can do. We can re-run the software and obtain the
identical output. We cannot re-run the hardware and get the same output. Thus the
hardware is superior.
The deceptive provision in your question is the fact that the sources are hidden.
This amounts to security via obscurity. Obscurity fails catastrophically when it is
breached. A bad thing because the opponent can steal a copy of the software and
get every output we will ever get. He cannot steal a copy of the machine and get
identical outputs to ours.
This line of thought identifies a possible opportunity for Bill Gates; a true
marketing genius if there ever was one. Everyone alive in 1980 knew that software
was the "plastic" of the decade and that the market for software was going to grow
quickly. But no other person alive in 1980 foresaw just how big the market would be
for really bad software. Everyone else was concentrating on reasonably good
software. This is why Gates is a multi-deca-billionaire.
Now, in crypto, you have identified another case in which people cannot tell
whether someone is selling Good Stuff or Really Bad Crap. Since it is not
reasonable to distinguish the two, we need an organization to produce a tiny amount
of Good Stuff and massive quantities of Really Bad Crap, and sell it all as the
former. No one could tell the difference, and, in theory, no one would care.
Bill, are you listening?
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Inforamtionpool sas&chiffrier
Date: Tue, 26 Jan 1999 17:16:28 GMT
drobick <[EMAIL PROTECTED]> wrote, in part:
>I search old worker from sas& Chiffrierdienst der DDR.
>I am have SAS-und Chiffrierdienst Homepage you cant me help!
http://www.arco.de/~drobick/
This particular home page, although it is in the German language, is
sufficiently interesting that I'm going to look for a German-English
dictionary with which to understand its contents.
It gives brief sketches of the inner workings of several cipher
machines used in the former East Germany.
Well worth a visit - before objections are raised to its existence!
John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html
------------------------------
From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: Non exe/com crypto prog
Date: 26 Jan 1999 09:56:57 -0000
Michael Paul Johnson <[EMAIL PROTECTED]> writes:
> I can think of at least 3 options:
>
> 1. Buy your own computer and internet service, and keep all your
> sensitive files on it at home.
>
> 2. Use Microsoft Word's built-in password protection (breakable easily
> enough, but not everyone knows how).
>
> 3. Run an encryption program on your workstation and not on the
> server.
4. Implement CipherSaber (http://ciphersaber.gurus.com/) as a Word
macro. CipherSaber is designed to be the easiest cryptosystem in the
world to implement - I have a three line pure-Perl implementation, for
example. Share it with the world, since it would be a handy thing to
have.
--
__
\/ o\ [EMAIL PROTECTED] http://www.hedonism.demon.co.uk/paul/ \ /
/\__/ Paul Crowley Upgrade your legacy NT machines to Linux /~\
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Japanese Purple encryption
Date: Tue, 26 Jan 1999 10:17:14 -0800
Reply-To: [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
> Does anyone know of an software emulator to illustrate
> the algorithm used in the Japanese WWII purple cypher?
> If not, can someone explain the algorithm used?
Wilhelm Plotz wrote an almost-emulator for Purple. See his Web page
at http://members.magnet.at/wilhelm.m.plotz . He used random wiring,
since he couldn't locate the actual wiring used by Purple.
--
Jim Gillogly
Sterday, 5 Solmath S.R. 1999, 18:15
12.19.5.16.0, 7 Ahau 13 Muan, Fifth Lord of Night
------------------------------
From: [EMAIL PROTECTED] (Frank Gifford)
Subject: Re: Random numbers from a sound card?
Date: 26 Jan 1999 13:55:26 -0500
In article <[EMAIL PROTECTED]>,
David Ross <[EMAIL PROTECTED]> wrote:
> Have tried something very similar to that. I am attempting to
>create a rotortable of all 256 byte values placed in 'random' order,
>but the (8 bit) SoundBlaster seems reluctant to produce a 0xC0 byte.
>I infer this because in over 80% of the rotortables I create, 0xC0 is
>the last table entry.
How are you creating the tables? I would assume that since you are creating
rotors, that each value appears in the rotor exactly once. Are you swapping
values or some other method? Personally, I would suspect your creation
routine is not doing what you want instead of bad numbers.
You could generate a raw stream of bytes from SB and do some checking on
that to be sure it's "random" for your purposes.
-Giff
--
[EMAIL PROTECTED] Too busy for a .sig
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Tue, 26 Jan 1999 19:33:24 GMT
Reply-To: [EMAIL PROTECTED]
On Tue, 26 Jan 1999 19:24:18 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>> Why do you persist in believing that statistical tests have anything
>> to do with randomness in cryptography?
>Tell me what other (better) tools are available for me to make
>the decision.
If I told you that there are none, would you believe me?
>These are simply easy to obtain, as far as my
>humble knowledge goes.
So is snake oil.
>Please kindly give your recipe to cope with
>the situation I described. Thanks in advance.
Learn what crypto-grade randomness is. The concept is deceptively
simple once you understand it. But first you have to give up all other
definitions of randomness from other fields like statistics.
The key to understanding is that randomness depends on the generation
process, not the numbers themselves. The number 000...0 fails all
sorts of statistical tests, but can be a random number if it is
generated by a TRNG. Until you analyze the method of generation, you
cannot know.
A TRNG is a physical device that is capable of generating all possible
sequences of a given finite length equiprobably. If you understand
that, then you will understand crypto-grade randomness - and, as
another poster pointed out yesterday, you will also understand
cryptography.
Bob Knauer
"An honest man can feel no pleasure in the exercise of power over
his fellow citizens."
--Thomas Jefferson
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Tue, 26 Jan 1999 19:25:23 GMT
Reply-To: [EMAIL PROTECTED]
On Tue, 26 Jan 1999 12:28:17 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>This line of thought identifies a possible opportunity for Bill Gates; a true
>marketing genius if there ever was one.
I guess you consider Attila the Hun to be a military genius too. :-)
>But no other person alive in 1980 foresaw just how big the market would be
>for really bad software.
Hell, the auto industry knew that way before Gates used it in the S/W
industry. He just took the same marketing concepts used by Henry Ford
and built the same kind of fortune.
"You can have any color Model T you want as long as it runs on
Windows."
>Now, in crypto, you have identified another case in which people cannot tell
>whether someone is selling Good Stuff or Really Bad Crap. Since it is not
>reasonable to distinguish the two, we need an organization to produce a tiny amount
>of Good Stuff and massive quantities of Really Bad Crap, and sell it all as the
>former. No one could tell the difference, and, in theory, no one would care.
Soon Gates is gonna retire all his programmers at MicroShaft and
install a TRNG to produce code. And now that his beta test force is
big enough, he can partition the outputs and see what runs
experimentally.
Depending on which beta test group(s) order the next "revision", he
can decide what to put in shrinkwrap. If it gets to the Windows Logo,
it is good enough for the consuming public.
If they don't like it, let them run UNIX.
>Bill, are you listening?
HA! Unka Bill is too busy working on his new TRNG.
Bob Knauer
"An honest man can feel no pleasure in the exercise of power over
his fellow citizens."
--Thomas Jefferson
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Random numbers from a sound card?
Date: Tue, 26 Jan 1999 20:09:40 +0100
Frank Gifford wrote:
>
>
> How are you creating the tables? I would assume that since you are creating
> rotors, that each value appears in the rotor exactly once. Are you swapping
> values or some other method? Personally, I would suspect your creation
> routine is not doing what you want instead of bad numbers.
>
> You could generate a raw stream of bytes from SB and do some checking on
> that to be sure it's "random" for your purposes.
As I wrote in a follow up, the method is presumably to use a good
PRNG to generate a random permutation (using the method of
Durstenfeld, see Knuth's book).
M. K. Shen
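An added illustration of the Ross / Gifford / Shen exchange (this is not code from any of them): a constructed model of a sound card whose ADC misses the code 0xC0, the first-appearance table builder that Gifford suspects (it leaves the rare byte last), Durstenfeld's shuffle as Shen suggests (Knuth, Algorithm P), and the raw-stream frequency check Gifford recommends. The reluctance figure and seeds are assumptions.

```python
import random

SIZE = 256

def make_reluctant_source(seed=1, rare=0xC0, reluctance=0.98):
    """Constructed stand-in for the sound card: uniform bytes, except that
    the ADC 'misses' the code `rare` most of the time and reports the
    neighbouring code instead (a missing-code fault, as Ross suspects)."""
    rng = random.Random(seed)
    def next_byte():
        b = rng.randrange(SIZE)
        if b == rare and rng.random() < reluctance:
            return rare - 1
        return b
    return next_byte

def table_by_first_appearance(next_byte):
    """Model of the suspect routine Gifford asks about: read raw bytes and
    append each value the first time it shows up.  A rarely emitted value
    is then almost always the final entry."""
    table, seen = [], set()
    while len(table) < SIZE:
        b = next_byte()
        if b not in seen:
            seen.add(b)
            table.append(b)
    return table

def table_by_durstenfeld(next_byte):
    """Durstenfeld's shuffle (Knuth, Algorithm P): the source only chooses
    swap indices, so every value appears exactly once whatever the source's
    bias.  Indices are drawn by rejection to avoid modulo bias."""
    table = list(range(SIZE))
    for i in range(SIZE - 1, 0, -1):
        limit = SIZE - (SIZE % (i + 1))   # accept raw bytes below this only
        r = next_byte()
        while r >= limit:
            r = next_byte()
        j = r % (i + 1)
        table[i], table[j] = table[j], table[i]
    return table

def last_entry_rate(builder, value, trials=40):
    """Fraction of tables (one fresh source per trial) whose final entry is
    `value`: the symptom Ross reports for 0xC0."""
    hits = sum(builder(make_reluctant_source(seed=t))[-1] == value
               for t in range(trials))
    return hits / trials

def byte_counts(next_byte, n):
    """Gifford's suggestion: look at the raw stream itself."""
    counts = [0] * SIZE
    for _ in range(n):
        counts[next_byte()] += 1
    return counts

def suspicious_codes(counts, factor=4.0):
    """Codes seen far less or far more often than average: a crude
    missing-code / stuck-code check for a consumer ADC."""
    mean = sum(counts) / SIZE
    return [v for v, c in enumerate(counts)
            if c * factor < mean or c > mean * factor]
```

With the constructed source, the first-appearance builder puts 0xC0 last in most trials while the shuffle does not, and the frequency check flags 0xC0 alone.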
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Random numbers generator and Pentium III
Date: Tue, 26 Jan 1999 12:36:23 -0600
student wrote:
> 1. How secure are "random" numbers generated by measuring mouse
> movements or recording keystrokes ?
They are reasonable sources of random bits for a very small sample.
> Are they random enough to be used
> with OTP, when we want to protect data against the most resourceful
> enemy ? If not, why ? (If we want very random numbers we can collect a
> lot of less-random data in this way and produce a small quantity of
> random-enough numbers, so theoretically, we can reach any level of
> randomness.)
How resourceful? If they can steal the raw plain text, no amount
of crypto will help you. For a large block of data, it will take
you a *long* time to generate enough random bits for an OTP with a
keypad or mouse. And that leads to lots of problems because people
aren't random in their motions for long time periods.
> 2. How can we know that the RNG embedded in Pentium III is really random ?
> Are there any methods to detect any subtle pattern in data from the RNG,
> if there are any (if there are any methods, please describe them)? It is
> possible to design "Random" Numbers Generator with such a pattern, give
> it to people, and in this way we have something like key-escrow
> ciphers.
Yes, there are many methods. Check out Marsaglia's DIEHARD and pLab's
Diaphony for the most advanced stuff. Simple autocorrelation and
balance of 1's and 0's will also give you a few clues. If it can
pass all those tests, it's mathematically random. I don't think
anyone knows what "really random" is tho.
Patience, persistence, truth,
Dr. mike
------------------------------
Date: Tue, 26 Jan 1999 13:55:18 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Idea for plaintext steganography
Christopher wrote:
> As a simple example, suppose each byte of data were expanded to a simple
> english sentence. 'A(n)'/'The' gives one bit, one of eight nouns would
> give three bits, 'is'/'was' gives one bit, and one of eight adjectives
> gives three bits. So an example would be 'The car is black.'
> Admittedly not very efficient, but improvements can be made with a larger
> dictionary and better ways of packing the information into the rules for
> different sentence structures and such.
> Also, it may look like junk to a human, but shouldn't get the attention of
> any automated systems - any comments?
c.f. Jabberwocky.
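An added worked version of Christopher's one-byte-per-sentence scheme (not code from the original post): the post fixes the dictionary sizes (2 articles, 8 nouns, 2 verbs, 8 adjectives) but not the words or the bit order, so the word lists and the MSB-first layout below are assumptions.

```python
# Constructed word lists: the post fixes the sizes (2, 8, 2, 8), not the words.
ARTICLES = ["A", "The"]
NOUNS = ["car", "dog", "house", "tree", "river", "book", "cat", "road"]
VERBS = ["is", "was"]
ADJECTIVES = ["black", "old", "big", "red", "quiet", "new", "small", "wet"]

def encode_byte(b):
    """One byte -> one sentence: article (bit 7), noun (bits 6-4),
    verb (bit 3), adjective (bits 2-0).  This bit layout is an assumption."""
    if not 0 <= b <= 255:
        raise ValueError("need a byte value")
    return "{} {} {} {}.".format(ARTICLES[b >> 7], NOUNS[(b >> 4) & 7],
                                 VERBS[(b >> 3) & 1], ADJECTIVES[b & 7])

def decode_sentence(sentence):
    """Inverse of encode_byte; rejects anything that is not on the template,
    which is also what an automated filter would key on."""
    words = sentence.strip().rstrip(".").split()
    if len(words) != 4:
        raise ValueError("expected four words: " + sentence)
    art, noun, verb, adj = words
    if (art not in ARTICLES or noun not in NOUNS
            or verb not in VERBS or adj not in ADJECTIVES):
        raise ValueError("word outside the dictionary: " + sentence)
    return (ARTICLES.index(art) << 7 | NOUNS.index(noun) << 4
            | VERBS.index(verb) << 3 | ADJECTIVES.index(adj))

def encode(data):
    """Whole payload -> cover text, one sentence per byte."""
    return " ".join(encode_byte(b) for b in data)

def decode(text):
    """Cover text -> payload; sentences are split on the full stop."""
    sentences = [s for s in text.split(".") if s.strip()]
    return bytes(decode_sentence(s) for s in sentences)

def expansion(data):
    """Cover-text characters per payload byte: the inefficiency the post concedes."""
    return len(encode(data)) / len(data)
```

With these lists, "The car is black." carries 0x80 and a two-byte payload costs 33 characters of cover text.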
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: hardRandNumbGen
Date: Tue, 26 Jan 1999 19:36:01 GMT
On Tue, 26 Jan 1999 13:33:49 +0100, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>[...]
>If I have two sources of randomness, one software and one hardware,
>both passing all statistical tests I apply equally well, why should
>I choose one source in preference to the other?
This of course depends upon the desired use; here we assume that the
use will be as some sort of cryptographic value. That means the
sequence must be "unpredictable." And we assume in cryptography that
the design itself is available for analysis, with a large amount of
the resulting sequence.
Can a software RNG remain "unpredictable" under these conditions?
Presumably the answer is "Yes," but we have long experience with the
confusion generators in stream cipher cryptography, where many, many,
apparently-strong RNG's have been broken. (Note that digital
state-machine constructions can be realized in either hardware or
software.)
In cryptography we can neither measure nor prove strength. We *can*
prove or demonstrate weakness, and we call such a proof a "break."
But finding a break is often a difficult exercise, so we cannot simply
assume that the absence of a break means that none are to be found.
So how are we to trust a software state-machine RNG to produce our
unpredictable values? One way is to use a well-known cryptographic
hash or cipher to protect the original values. Another way is to
measure molecular-level events which are "known" to be unpredictable.
The problem with molecular-level events is that they are very, very
tiny, and that many other signals which we normally ignore are of a
similar magnitude or even larger. But if we *could* measure such
events, we would have a good theoretical basis for asserting
*strength* (in the sense of "unpredictability"), which is otherwise
generally unavailable in cryptography.
Now, no real device is going to be ideal, and presumably there will
always be some possibility of hidden "weakness." So as a very basic
first step, we must be very sure that we actually are measuring and
reporting molecular-level randomness, rather than some other signal.
One way to do this is to arrange to "turn off" the randomness source,
and then inspect the output of the machine and see that it is quiet.
Then we can know our machine is indeed measuring the events that we
have just turned off.
Ideally, a randomness machine will allow us to conduct statistical
experiments on the randomness source itself (as opposed to a processed
"random" output). We have a strong theoretical understanding of
molecular-level randomness sources, so we know what the distributions
should look like under various conditions. Ideally, the machine will
allow us to change the conditions and collect statistics and see how
they compare to theory. Presumably, if the machine is working well,
there may be some deviation, but it will largely produce the theoretical
results. If so, we can be fairly sure that we are actually measuring
the signal we hope to be measuring.
So, ideally, by tests we can confirm that we can detect noise, and
that the noise has the structure we expect from theory. If so, we
have a fairly strong argument that we are measuring "unknowable"
randomness, and then only need to process it (typically in a hash, and
CRC would be ideal) to obtain unknowable uniformly-distributed values.
>And if additionally
>I don't know which sequence I get is from software and which is from
>hardware? (Compare the Turing test.) How does the origin of the
>sequence affect the workload of the analyst,
Note that the goal of the analysis is to "break" (be able to predict)
the generator. That obviously depends upon the generator.
>if the software
>generation process involves so many parameters that for combinatorial
>reasons he has no chance of directly dealing with them but has
>to try to look instead for possible regularities/irregularities in
>the sequence itself and, by assumption, the sequences from the
>two sources are of equal statistical quality?
The way generators are broken is through a detailed analysis of the
generation process, which may involve statistical support. But, on
their own, statistical tests are simply uninformed about the structure
of the generator, and so cannot test correlations to the construction.
But it is precisely the construction which we seek to break.
>(Note that the
>hardware source is (in my humble opinion) unpredictable simply
>because there are so many participating 'parameters' that the
>'summation' (the end product) becomes unpredictable, cf. the casting
>of a dice.)
That would be the complexity construction, which is closely related to
the way we construct conventional ciphers. The problem with this is
that most new ciphers turn out to be weak. So how can we trust this
same construction when applied to RNG's?
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
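An added simulation of the two checks Ritter describes (not his code): switch the randomness source off and confirm the output goes quiet, then switch it on and compare the raw distribution to the Gaussian theory predicts. The device model (8-bit ADC, Gaussian thermal noise, an interfering hum with a 37-sample period) and all numbers are constructed.

```python
import math
import random

def simulate_adc(n, noise_sigma, hum_amplitude, source_on, seed, baseline=128.0):
    """Constructed model of a noise-measuring device with an 8-bit ADC.
    Thermal noise (Gaussian, noise_sigma LSB) is present only while the
    source is switched on; an interfering hum (hum_amplitude LSB, period
    37 samples) is picked up whether the source is on or off."""
    rng = random.Random(seed)
    samples = []
    for k in range(n):
        v = baseline + hum_amplitude * math.sin(2 * math.pi * k / 37)
        if source_on:
            v += rng.gauss(0.0, noise_sigma)
        samples.append(min(255, max(0, int(round(v)))))
    return samples

def is_quiet(samples, tolerance=1):
    """The 'turn it off' check: with the source disabled the output should
    sit at one code, allowing a little quantization jitter.  Any signal
    that survives here is not the noise we meant to measure."""
    centre = sorted(samples)[len(samples) // 2]
    return all(abs(s - centre) <= tolerance for s in samples)

def gaussian_fractions(samples, sigma):
    """Fraction of samples within one and two sigma of the mean; for a
    Gaussian source theory says about 0.683 and 0.954."""
    n = len(samples)
    mean = sum(samples) / n
    within = lambda k: sum(abs(s - mean) <= k * sigma for s in samples) / n
    return within(1), within(2)

def validate_source(noise_sigma, hum_amplitude, expected_sigma=25.0,
                    n=20000, tolerance=0.03):
    """Run both experiments against one device and return the verdicts.
    expected_sigma is what the theory of the source predicts; noise_sigma
    is what the constructed device actually delivers."""
    off = simulate_adc(n, noise_sigma, hum_amplitude, source_on=False, seed=1)
    on = simulate_adc(n, noise_sigma, hum_amplitude, source_on=True, seed=2)
    quiet = is_quiet(off)
    f1, f2 = gaussian_fractions(on, expected_sigma)
    fits = abs(f1 - 0.683) < tolerance and abs(f2 - 0.954) < tolerance
    return {"quiet_when_off": quiet, "fits_theory": fits,
            "trusted": quiet and fits}
```

A clean device passes both checks; a device that picks up hum fails the quiet check even though its on-state statistics still look Gaussian, and a device with a dead amplifier is quiet but fails the comparison to theory.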
------------------------------
From: [EMAIL PROTECTED] (David Ross)
Subject: Re: Random numbers from a sound card?
Date: Tue, 26 Jan 1999 18:39:47 GMT
Nathan Kennedy wrote:
> > What sort of audio source would you suspect would be the best to use
> > in generating random numbers?
>
> I tune a cheap AM radio to a loud static channel, and wire that into the
> mic port.
Have tried something very similar to that. I am attempting to
create a rotortable of all 256 byte values placed in 'random' order,
but the (8 bit) SoundBlaster seems reluctant to produce a 0xC0 byte.
I infer this because in over 80% of the rotortables I create, 0xC0 is
the last table entry.
I'd guess that the 'consumer-grade' A->D & D->A converters used
in common sound cards are susceptible to all sorts of troubles like
this, i.e. missing codes and/or monotonicity problems.
David Ross [EMAIL PROTECTED]
------------------------------
End of Cryptography-Digest Digest