Cryptography-Digest Digest #11, Volume #9 Sun, 31 Jan 99 13:13:03 EST
Contents:
WORDPERFECT 6.1 PASSWORD (spooks)
Re: RNG Product Feature Poll (Myself)
Re: WORDPERFECT 6.1 PASSWORD ([EMAIL PROTECTED])
Re: RNG Product Feature Poll (Dan S. Camper)
Re: SCOTT19U ([EMAIL PROTECTED])
Re: Sanity check take 2 ("Kazak, Boris")
Re: hardRandNumbGen (Bo D�mstedt)
Re: Academia (David A Molnar)
Re: Random numbers generator and Pentium III (R. Knauer)
Re: Metaphysics Of Randomness (R. Knauer)
Truth, theoremhood, & their distinction (Nicol So)
Re: hardRandNumbGen ("Kazak, Boris")
Re: Non exe/com crypto prog (Withheld)
Re: RNG Product Feature Poll (R. Knauer)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (spooks)
Subject: WORDPERFECT 6.1 PASSWORD
Date: Sun, 31 Jan 1999 12:12:09 GMT
Reply-To: [EMAIL PROTECTED]
The demo version of the WordPerfect password recovery
program - WRPASS at Accessdata ( www.accessdata.com ) is
restricted to recover passwords which are exactly 10 characters
long. However a guy [or girl] called thanatos cracked it...
The cracked demo version will be posted in alt.binaries.cracked
with the filename "wrpass.exe"
reply to [EMAIL PROTECTED] by removing _nojunk
On Sat, 30 Jan 1999 23:35:14 -0500, Geoffrey Milos
<[EMAIL PROTECTED]> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Accessdata ( www.accessdata.com ) has a password recovery module that claims do
>the trick.
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
>Comment: Originated on machine "Souvlaki".
>
>iQEVAwUBNrPdasOL4XU6rm2BAQF92gf+LuzgdnHQFMiwmpPiKIIAwHvKcNazACzZ
>fkicciZrjTE34s3/X+ExaIheu5nbUB6AZhD/FtxO1CEeQCz20jf1k5rpTTtvRniT
>RpwTWpm7iW8tLqzFmMtOoPfm8eU49CyyEdBCxU7p4Mcly0jL8ZcF5lbDZ63Tfkr3
>M2b0wn5aX2jkhrb8hyEHSgu02mUDx/0jsjJ8FqkuRrxkC8gZ/jZandmb36qgY+xG
>VG6pEHWd/pG4Us8GvVuyL770wPUCJvbip2UPES7pf4lvnb0Y1zOG2vn2k9rcQNVi
>oXCJuisQHSg/HPdaPtVgjaBqGv/UqfgHeX5zS69QNZTearJEFTMBRQ==
>=aXOo
>-----END PGP SIGNATURE-----
>
>Javier hans master wrote:
>
>> Please, i've forgotten the password of a wordperfect 6.1 document, how can I
>> get it?????
>> Is it possible?????
>> i would thank if you reply to my mail address at
>> [EMAIL PROTECTED]
>> thanks
>> (delete "deletethis" from the mail adress for get the rigth adress, thanks)
>
------------------------------
From: [EMAIL PROTECTED] (Myself)
Subject: Re: RNG Product Feature Poll
Date: Sun, 31 Jan 1999 14:22:38 GMT
On Fri, 29 Jan 1999 18:39:10 GMT, thermal and electromagnetic action
caused [EMAIL PROTECTED] (Terry Ritter)'s brain to produce the following
pseudorandom thought:
>meet. (Indeed, *any* such statistical bounds *must* be exceeded
>sometimes, even with ideal randomness, so how can they be called
>"failures"?) Understanding is a process; it is not a statistical
"Look Marv! The entire sample decayed in 2 seconds!" "Gee, what are
the chances of that happening?" "Precisely! Pretty random, eh?"
I was thinking that as I read the previous posts. Still, the event of
the device returning all-zeroes for 5 minutes straight is more likely
to be caused by hardware failure than radioactive phenomena. (What's
the MTBF of the sensor?)
>predict how the machine should respond. We might be able to innovate
>waveforms which cause the measurement machinery to misbehave, and we
Electromagnetic interference would be my first concern. You're using
an ionization-chamber detector for the decay, right? I'll leave it to
the engineers, but perhaps a "dummy" chamber could be set up adjacent
to the live one, and the results basically xor'ed with each other to
remove macroscale phenomena which would affect both chamers and might
also be observable by an attacker. ("Aha, a lightning bolt! We can
assume a few solid 111 moments in the output now..") Also remember
that such an ionization device takes a moment to "recharge" and become
sensitive again after a decay, so even with a perfect sample you won't
get 100% of the decays you're interested in. (But does it matter?)
I agree with hashing the output. The flatter the better, CRC seems
natural. Do it in software. At the risk of sounding Mac-like, why
would the user want to change algorithms? (This is precisely why you
_must_ make it configurable. Just refuse to support it unless the
bundled default hash is used.)
Connecting multiple devices is cool. Do their outputs mingle before or
after the hash? What about geographically distributed multiple
generators, so that if one goes catatonic the system still has a
source of entropy. (This is potential for remote attacks tho.)
I can see this thing connected straight to a MIDI port and becoming
the next big craze. Perhaps you should crosspost to rec.musicians ;)
-Myself-
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: WORDPERFECT 6.1 PASSWORD
Date: 31 Jan 1999 14:44:37 GMT
Good: You are using "crack" instead of "hack".
Bad: You are a fool. We don't care about your w4r3z cr4p, get it D00D?
>
> WORDPERFECT 6.1 PASSWORD
>
> From: [EMAIL PROTECTED] (spooks)
> Reply to: [EMAIL PROTECTED]
> Date: Sun, 31 Jan 1999 12:12:09 GMT
> Organization: World Access / Planet Internet
> Newsgroups:
> sci.crypt
> Followup to: newsgroup(s)
> References:
> <78va7q$6rm$[EMAIL PROTECTED]>
>The demo version of the WordPerfect password recovery
>program - WRPASS at Accessdata ( www.accessdata.com ) is
>restricted to recover passwords which are exactly 10 characters
>long. However a guy [or girl] called thanatos cracked it...
>
>The cracked demo version will be posted in alt.binaries.cracked
>with the filename "wrpass.exe"
>
>reply to [EMAIL PROTECTED] by removing _nojunk
>
>
>On Sat, 30 Jan 1999 23:35:14 -0500, Geoffrey Milos
><[EMAIL PROTECTED]> wrote:
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>
>>Accessdata ( www.accessdata.com ) has a password recovery module that claims d
>o
>>the trick.
>>
>>-----BEGIN PGP SIGNATURE-----
>>Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
>>Comment: Originated on machine "Souvlaki".
>>
>>iQEVAwUBNrPdasOL4XU6rm2BAQF92gf+LuzgdnHQFMiwmpPiKIIAwHvKcNazACzZ
>>fkicciZrjTE34s3/X+ExaIheu5nbUB6AZhD/FtxO1CEeQCz20jf1k5rpTTtvRniT
>>RpwTWpm7iW8tLqzFmMtOoPfm8eU49CyyEdBCxU7p4Mcly0jL8ZcF5lbDZ63Tfkr3
>>M2b0wn5aX2jkhrb8hyEHSgu02mUDx/0jsjJ8FqkuRrxkC8gZ/jZandmb36qgY+xG
>>VG6pEHWd/pG4Us8GvVuyL770wPUCJvbip2UPES7pf4lvnb0Y1zOG2vn2k9rcQNVi
>>oXCJuisQHSg/HPdaPtVgjaBqGv/UqfgHeX5zS69QNZTearJEFTMBRQ==
>>=aXOo
>>-----END PGP SIGNATURE-----
>>
>>Javier hans master wrote:
>>
>>> Please, i've forgotten the password of a wordperfect 6.1 document, how can I
>>> get it?????
>>> Is it possible?????
>>> i would thank if you reply to my mail address at
>>> [EMAIL PROTECTED]
>>> thanks
>>> (delete "deletethis" from the mail adress for get the rigth adress, thanks)
>>
------------------------------
From: [EMAIL PROTECTED] (Dan S. Camper)
Subject: Re: RNG Product Feature Poll
Date: Sun, 31 Jan 1999 08:47:19 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Myself) wrote:
> Electromagnetic interference would be my first concern. You're using
> an ionization-chamber detector for the decay, right? I'll leave it to
> the engineers, but perhaps a "dummy" chamber could be set up adjacent
> to the live one, and the results basically xor'ed with each other to
> remove macroscale phenomena which would affect both chamers and might
> also be observable by an attacker. ("Aha, a lightning bolt! We can
> assume a few solid 111 moments in the output now..") Also remember
> that such an ionization device takes a moment to "recharge" and become
> sensitive again after a decay, so even with a perfect sample you won't
> get 100% of the decays you're interested in. (But does it matter?)
Each device will contain two layers of shielding, one enclosing only the
source and detector and the other just inside the case. The shielding is
designed both to prevent outside interference and to prevent information
leakage. It hasn't been designed to Tempest quality by any stretch of the
imagination, but it should do just fine in a crowded server room.
> I agree with hashing the output. The flatter the better, CRC seems
> natural. Do it in software. At the risk of sounding Mac-like, why
> would the user want to change algorithms? (This is precisely why you
> _must_ make it configurable. Just refuse to support it unless the
> bundled default hash is used.)
Providing a hashing function in software seems the most flexible. The
reason for providing either multiple hashes or an API so people can write
their own is primarily a trust issue. I suppose it could also be a
convenient way to incorporate the latest hash/CRC/mangle method without
having to wait for the manufacturer to update their product.
> Connecting multiple devices is cool. Do their outputs mingle before or
> after the hash? What about geographically distributed multiple
> generators, so that if one goes catatonic the system still has a
> source of entropy. (This is potential for remote attacks tho.)
The devices are chained via a serial connection, and the output of a
back-end device is simply passed through. I believe that the "mingling"
is pretty deterministic: Output my own byte first, then output whatever
the back-end serial port has sent along.
If the hashing is performed in software, then obviously all the raw output
will arrive at the computer before the hashing begins. If hashing is done
in the device, then each device will hash all its output -- both its own
and whatever came from upstream -- before sending it. Since each device
would have its own "hash on/off" button, you could control just how much
hashing is going on.
DSC
_____________________________________________________________________
Dan S. Camper [EMAIL PROTECTED]
Borrowed Time, Inc.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: SCOTT19U
Date: Sun, 31 Jan 1999 14:46:39 GMT
In article <7912me$9v8$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Is the latest contest for real? The contest seems very easy,
> but I can't get the code to compile on a SUN. Has anyone
> made it run other than using the supplied executable.
>
> -----------== Posted via Deja News, The Discussion Network ==----------
> http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
>
Look Mister evry contest I have run I have posted the solution
so there was no reason to even rase that question. Also when I had
access to a Mac and a SUN I did have earlier version of some of
my programs that run on all 3 systems. However they will never
run as smoothly on a non PC machine. If you have access to a GNU
C compiler and a little bit of brains you easily modify scott19u
or scott16u and get them to run on a SUN. Hint think indian.
Also if stuck with a native SUN C aompiler good luck you we need
it. But try gcc instead of cc you may already have the best C compiler
on your SUN.
David Scott
P.S. use scott19u don't use inferior short key low entropy
imatations.
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: "Kazak, Boris" <[EMAIL PROTECTED]>
Subject: Re: Sanity check take 2
Date: Sun, 31 Jan 1999 10:20:15 -0500
Reply-To: [EMAIL PROTECTED]
Edward Keyes wrote:
> .............
> For reference, S is on the order of 256-bit, and K is on the order of
> 128-bit. Anyway, I'd love to hear any comments on the above protocol.
> It appears to be resistant to any obvious packet-sniffing, man-in-the-
> middle, or replay attacks, but I'm afraid I don't have a very devious
> mind, so nasty holes could remain. Thanks.
>
> For extra security, R_A should incorporate a timestamp or counter to
> avoid repeating a nonce. Since the server has the freedom to choose
> K and R_B, a man in the middle could impersonate a server by replaying
> the previous step 2 message corresponding to a prior R_A challenge.
> Unless he also had recovered the session key, though, the impersonation
> wouldn't last long.
>
> +------------ Edward Keyes, [EMAIL PROTECTED] -------------+
> |................ http://web.mit.edu/eakeyes/www/ ................|
> |.... DaggerWare: "small, sharp, and with a heck of a point!" ....|
> +- "A little inaccuracy saves a world of explanation." C.E.Ayres -+
=========================
Allow me to throw in a couple of words in favor of layman's
approach. Why is your S so short (256 bits)? I understand that your
platform may be computationally meager, but is it memory-meager also?
If yes, then disregard all the following (or upgrade).
Assume that your random shared secret S is of order of 100-500 Kbyte.
This can be just a random file generated by any appropriate method and
exchanged once between two correspondents.
Then all the protocol will consist of sending an encrypted message
accompanied by a cleartext phrase like following:
"Use 236315, 25" ,
which will mean "open the S file, copy out of this file 25 bytes
starting from byte #236315, use these bytes as key for the message".
Authentication is automatic, if the message decrypts, it is indeed
coming from the right party.
The man in the middle can intercept the messages until Turkish
Easter, the only way to make sense of these numbers is to compromise
the S file (steal, buy, confiscate, take by force, etc).
Any party can initiate the conversation, there are no restrictions.
Session keys are never reused, provided the S file is long enough.
Respectfully BNK
P.S. I use this protocol communicating with my son in Moscow.
------------------------------
From: [EMAIL PROTECTED] (Bo D�mstedt)
Subject: Re: hardRandNumbGen
Reply-To: [EMAIL PROTECTED]
Date: Sun, 31 Jan 1999 15:23:49 GMT
"someone" wrote:
>Integrating a random number generator (RNG) on a commodity
>IC is similar to a manned expedition to MARS: they must take
>everything with them into that harsh environment that they will need. If the
>craft is buffeted by periodic winds, they do not have the luxury of calling
>back to base and saying...
...etc...
Dear "someone", I would strongly recommend that
you go to Mars at earliest possible time. As for random number
generation, we sell them for $170...
http://www.protego.se/sg100_en.htm
Bo D�mstedt
Protego Information AB
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Academia
Date: 31 Jan 1999 15:29:27 GMT
[EMAIL PROTECTED] wrote:
> The ability of a scholar to converse with ordinary Human beings is
> inversely proportional to the number of letters that follow their
> name.
What prompted this?
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Random numbers generator and Pentium III
Date: Sun, 31 Jan 1999 17:16:35 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 30 Jan 1999 19:42:12 -0500, "Kazak, Boris" <[EMAIL PROTECTED]>
wrote:
> The useable random sequence MUST be produced by the way unguessable
>to the opponent and MUST pass the statistical test.
What statistical test? There is none.
> Failure to comply
>with any one of these requirements is (again IMHO) sufficient ground
>for rejection.
I just began Li and Vitanyi's book "An Introduction to Kolmogorov
Complexity and its Applications" which was recommended by Patrick
Juola a year ago and more recently by Coen Visser.
I bring this up because after having read the introduction and the
first chapter, I can highly recommend this book for the informed
layman. The first chapter is a must read for crypto enthusiasts, not
just for Kolmogorov Complexity, but for the discussions of the many
kinds of randomness - and the fundamental problems in trying to
characterize it.
BTW, I especially enjoyed reading the part where the author says that
a number looses its randomness once it has been selected from an
ensemble. That was a point I was trying to make several days ago.
If you look in the index under the entry "random", you will find more
kinds of randomness than you ever imagined possible. And according to
the authors, only Algorithmic Complexity permits one to decide
randomness based on the string itself. All other forms of randomeness
require an analysis of the method of generation.
But Algorithmic Complexity is unsuitable for crypto - even Greg
Chaitin says that (private communication). The reason is because it
rejects "regular strings", something that is not permitted in
proveably secure crypto.
The primary requirement for OTP crypto is total unpredictability, and
that can only be achieved if pads can be generated in all possible
ways equiprobably. If you start rejecting "regular strings" you will
open the OTP up to attack.
Bob Knauer
"I place economy among the first and most important virtues and
public debt as the greatest dangers to be feared. We must not
let our rulers load us with perpetual debt."
--Thomas Jefferson
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Sun, 31 Jan 1999 17:32:12 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 30 Jan 1999 22:11:25 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>Look, equiprobable means equal probabilities. I.e., a flat distribution. It has
>nothing to do with indeterminacy. The technical term you want is independence. The
>individual samples have to be independent. This process gives you the indeterminacy
>that you are looking for.
>The equiprobable criteria is trivial to meet. The
>indeterminact/independence/unpredicability criteria is the hard part. So concentrate
>on it.
I am.
The terminology employed in the definition of the TRNG came from
experts in the field of crypto right here in sci.crypt. It is their
definition, not mine. And that definition has passed the test of time
here, where those crypto experts are present. Not one of them has
raised any sort of objection like you have. That makes me very
suspicious that you do not understand the terminology that crypto
experts use.
But if you can point us to your sources in the crypto community for
the new terminology that you are using, we can look at it, and if
indeed a refinement is warranted, I am more than willing to accomodate
that. But jacking a definition around every time some new "expert"
shows up to throw his two-bits worth of entropy into the discussion,
is not how science and mathematics work.
We spent over one thousand posts and many months of heated discussion
to gain a prevailing consensus for what a crypto-grade random number
is and how it is correctly produced. And now you waltz onto the scene
trying to undo all that effort. It is going to take much more that
your handwaving to undo it.
>Yeah, what if? The trade off still exists. For example, construction projects
>always have to provide for a non-zero accident rate. On really big projects the
>lethal accident rate becomes non-trivial. Life is full of risk. People accept risks
>based on the rewards. Often monetary rewards.
I sure hope you are never put in charge of our national defense. Come
to think of it - that is exactly the same attitude of the current
administration: Give our defense secrets to our enemies - who cares if
it gets more money for the DNC.
>An attack is not a threat model.
More homemade jargon? Please show me where Bruce Schneier discusses
anything called "threat model"? I can find no entry in his main book.
Bob Knauer
"I place economy among the first and most important virtues and
public debt as the greatest dangers to be feared. We must not
let our rulers load us with perpetual debt."
--Thomas Jefferson
------------------------------
From: Nicol So <[EMAIL PROTECTED]>
Crossposted-To: sci.math,comp.theory
Subject: Truth, theoremhood, & their distinction
Date: Sun, 31 Jan 1999 12:36:31 -0500
[The Subject line has been changed to reflect the subject matter of the
current sub-thread]
Michael Hovdan wrote:
>
> Nicol So wrote:
>
> > Truth and theoremhood are distinct concepts. Truth is a semantic
> > concept, while theoremhood is a syntactic one.
>
> Some will argue that semantics has nothing to do with mathematics. Math deals with
> *concepts* such as number, geometrical figures, functions, groups, topologies, etc.
I take the above as a philosophical view about the nature of mathematics
as an activity. But as such, it is quite irrelevant to my comment about
the distinction between truth and theoremhood, which is (in the most
part) of a technical nature.
When I wrote "truth is a semantic concept", what I was trying to say is
this: a sentence being true means that what it asserts corresponds to
some "underlying reality" (note my use of quotes). In order to be able
to say a sentence is true, there must be some "reality" to refer to. In
the case of a formal theory, this "reality" is supplied in the form of
an interpretation. It is in this sense that truth is a semantic
concept.
> The only way to define the consepts of a mathematical theory is by defining them in
> terms of more primitive concepts.
Again, this has nothing to do with the distinction between truth and
theoremhood, but let me ask: how do you define the concept of a set (or
the concept of set membership)? You can, of course, define concepts in
terms of simpler ones, but eventually the process needs to "bottom out"
and you need to use some other means to capture the essence of a
primitive concept. The notion of a set is a prime example of a concept
not defined in terms of simpler ones.
> However, just as theorems must be based on a set
> of 'accepted' axioms, so must the concepts be based on an 'accepted' set of more
> primitive concepts.
The definition of theoremhood doesn't involve "acceptance" at all.
Either a sentence is an axiom of a particular proof system, or it is
not. It has to do with the definition of the proof system, but not
"acceptance" by anybody. If I think a particular sentence is an axiom
of a particular proof system, and you think otherwise, we are simply
talking about different proof systems. (Of course, it would help avoid
confusion if we don't call the two proof systems by the same name).
> The true 'meaning' of math will never be reached. In the end it
> all boils down to syntactics - statements about the concepts (that can only be
> defined in terms of other concepts) and theorems (that can only be defined in terms
> of other theorems/axioms), and a set of inference rules. Math is by nature very
> mechanical - one needs not 'understand' neither the concepts nor the theorems to be
> able to prove them false or true.
Again, I take the above as a philosophical view about the nature of
mathematics as an activity.
Nicol
------------------------------
From: "Kazak, Boris" <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Date: Sun, 31 Jan 1999 12:04:45 -0500
Reply-To: [EMAIL PROTECTED]
Bo D�mstedt wrote:
>
> "someone" wrote:
> >Integrating a random number generator (RNG) on a commodity
> >IC is similar to a manned expedition to MARS: they must take
> >everything with them into that harsh environment that they will need. If the
> >craft is buffeted by periodic winds, they do not have the luxury of calling
> >back to base and saying...
> ...etc...
> Dear "someone", I would strongly recommend that
> you go to Mars at earliest possible time. As for random number
> generation, we sell them for $170...
> http://www.protego.se/sg100_en.htm
>
> Bo D�mstedt
> Protego Information AB
==========================
Gnaediger Herr Bo Doemstedt!
In all the hype that is there on the WWW page you mentioned,
there is not a single word about the underlying physical phenomena
which produces "high level signal random output".
Without understanding this, I will be reluctant myself, and will
strongly discourage everybody from trusting your (T or P)RNG.
Respectfully BNK
------------------------------
From: Withheld <[EMAIL PROTECTED]>
Subject: Re: Non exe/com crypto prog
Date: Sat, 30 Jan 1999 23:55:26 +0000
Reply-To: Withheld <[EMAIL PROTECTED]>
[headers cut]
>>> I need some the expertise of the group. At work we have a new
network
>>> up an running and my boss and all of my superiors have access to
>>> everything in my file space and every message I send and receive. I
am
>>...
>>> deleted). I would like to have some way to encrypt my files for
storage
>>> to deter my fellow employees. The files I would be encrypting are
>>> .doc's (Microsoft Word). It doesn't have to be cryptographically
secure
>>> though that would be better. I ma looking for privacy not
protection
>>> from the NSA. The problem is the server restricts the running of
.exe
>>> and .com files. Are there any encryption programs out there that
are
>>> not .exe's? Maybe some kind of Microsoft Word Marco or an add-on
for
>>> Word?
>>
[cut]
>
>>2. Use Microsoft Word's built-in password protection (breakable easily
>>enough, but not everyone knows how).
>
>If you're using Word 97, the encryption is 40-bit RC4 which is
>nontrivial to break (though it won't keep out the NSA). Breaking a
>file on a fast PC, even if you know how to do it, takes on the order
>of weeks of nonstop CPU crunching. This is good enough to keep out
>anyone who's not pretty determined. (If the attacker is the NSA,
>they'd break it with expensive special equipment that's a lot faster
>than any PC).
The password to Excel 95 can be cracked in literally a couple of seconds
using a program you can buy for about $50. I believe a cracker also
exists for Office 97 apps - I really wouldn't rely too heavily on the
passwording features.
>>3. Run your an encryption program on your workstation and not on the
>>server.
>
>Yes, if the program is good, this would stop pretty much anything.
An ActiveX encryption library should run easily from a Word Basic macro.
I agree the best solution is probably to keep things at home though...
--
Withheld
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: RNG Product Feature Poll
Date: Sun, 31 Jan 1999 16:53:34 GMT
Reply-To: [EMAIL PROTECTED]
On Sun, 31 Jan 1999 14:22:38 GMT,
[EMAIL PROTECTED] (Myself) wrote:
>Also remember
>that such an ionization device takes a moment to "recharge" and become
>sensitive again after a decay, so even with a perfect sample you won't
>get 100% of the decays you're interested in. (But does it matter?)
You are not going to get 100% of the decays - some decays never get
detected. And that does not make any difference if the TRNG is
designed properly.
Since any decay occurs at random, the interval between any two of them
is random. Intervening events, like other decays, are totally
irrelevant to the randomness of the two events that do get measured.
In fact, that is precisely why they are random - there is no
relationship between any two decays, whenever they occur.
>I agree with hashing the output. The flatter the better, CRC seems
>natural.
Which CRC, and why would you choose that one?
Bob Knauer
"I place economy among the first and most important virtues and
public debt as the greatest dangers to be feared. We must not
let our rulers load us with perpetual debt."
--Thomas Jefferson
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
