Cryptography-Digest Digest #37, Volume #9         Fri, 5 Feb 99 03:13:09 EST

Contents:
  Re: *** Where Does The Randomness Come From ?!? *** ("PAC")
  Re: [question/challenge/HELP ME! IEE!] Another unheard of punk who thinks hes come up with something new... ([EMAIL PROTECTED])
  Re: What is an expert? ([EMAIL PROTECTED])
  Re: What cipher is used by iomega in ZIP products ? (fungus)
  Re: Threat Models: When You Can't Use a One-Time Pad ("Trevor Jackson, III")
  Re: Java random (Paul Rubin)

----------------------------------------------------------------------------

From: "PAC" <[EMAIL PROTECTED]>
Crossposted-To: sci.philosophy.meta,sci.physics,sci.skeptic
Subject: Re: *** Where Does The Randomness Come From ?!? ***
Date: Thu, 4 Feb 1999 22:29:33 -0800


R. Knauer wrote in message <[EMAIL PROTECTED]>...
>On Thu, 4 Feb 1999 12:43:29 -0800, "PAC" <[EMAIL PROTECTED]> wrote:
>
>>>"The reason a number is simple is that there is a simplifying
>>>algorithm that can reproduce it." That simple algorithm is the "cause"
>>>of the number being simple. The fascinating thing is that this cause
>>>is almost completely contained in the number itself.
>
>>    This is circular in a way, but reality might have to be viewed as
>>circular, so I wouldn't consider it as a knock rather than something that
>>has to be examined.
>
>I do not believe it is circular. The fact that the string contains its
>own reason for being simple is a mathematical property of the string.
>
>Would you claim that the degree of circularity of an object is caused
>by its roundness which in turn determines its degree of circularity?
>Of course not. Roundness and circularity are two different concepts.


    Something considered circular doesn't have to have 100% sublimation of
the two concepts being compared else circularity couldn't even be recognized
in them as two absolute identities.  In fact, circularity is inherent in
some ways because there has to be common grounds of comparison for objects
to be differentiated from, else again, objects would be so differentiated as
not to be even comparable.
    So I feel it's kind of difficult saying that two objects are the same or
different in an absolute way without the use of some circularity.  Though,
like you said, when comparisons don't advance dialectically speaking for a
necessary analysis, then it's considered more a tautology.

>
>>    I would agree with a lot of this, that Okkams razor is as well served by
>>finding similarities as it is by lopping off excess steps,
>
>But Occam's Razor is not independent of the representation, since the
>concept of simplicity is in the eye of the beholder. This leads to the
>production of theories that are oversimplistic, like astrology.


    The point I meant here is that an added step can produce a law that can
combine random instances into similarities whereby this saves more
complexity than by a rigid opposition to added steps.
    For instance, the theory of gravity in ancient times would have saved
the added complexity of different cultures equating the earth's rotation
around the sun as needing a different explanation than for a rock falling to
the ground.

>
>>If we couldn't predict events then reality would be
>>impossible in any way shape or form,
>
>I find that a curious statement. Could you offer some rationale for
>it. For example, I can imagine Reality without any finite creature
>intelligence present, in which case there is no "we" to make
>predictions.
>
>But maybe I am wrong, in which case you have an argument that
>intelligent created beings must exist for Reality to exist.

    For the universe not to be causal then randomness would be such that it
couldn't even be recognized as randomness.  We would have a situation of a
potentiality, which would then need a big-bang causality expanding outwards
influencing like patterns for reality to be recognized as it is.
    But I was too severe in my terminology here, reality would also be that
potentiality where total randomness might exist waiting for an output of
causality to create the universe as we know it or other such stuff.

    This is interesting stuff:

>"The reason a number is simple is that there is a simplifying
>algorithm that can reproduce it." That simple algorithm is the "cause"
>of the number being simple. The fascinating thing is that this cause
>is almost completely contained in the number itself.

>Typically numbers of size N can be reduced by an algorithm of size
>log2(N) + c, where c is that constant of order unity. That quantity is
>smaller by orders of magnitude than N itself - IOW it is exponentially
>smaller. The fact that there are very few numbers that can be
>algorithmically reduced points to the fact that order is a rare
>occurrence in reality.

    Though this seems different than physical reality where through disorder
a more ordered state is actually occurring - when things break down they
eventually break down to more fundamental units, normally perceived, and
therefore more order is occurring through disorder instead of the opposite
commonly assumed.
    But I would think that the cause of the simplicity of a number itself
would be similar to the representation of maybe primary fundamental
Planck-type units.  How these breakdowns occur seems to be a direct result
that mutability might occur only when relations are the simplest and at the
most exchange oriented, i.e. 1 +/- 1 being the lowest form of mutability in an
equation and the beginnings of added structure that are always brought up or
down through the manipulation of the fundamental (1) units that remain as a
constant in any equation.
    The constant here being the number "1" that occurs in all calculations
as its most fundamental part and when all equations are reduced to it
creating the greatest simplicity of like parts.  2 x 2 must be reduced to
1+1+1+1 to see the interactions and the algorithm of the greater complete of
2 x 2.  The number "1" must be in every occurrence (fractions also being a
direct representation of its necessity) at every instance for any equation
to occur, hence both the constant and its most fundamental unit.
    Here ordered simplicity of like parts are at the foundation of
mathematics as well as maybe the universe itself as it relates to a closed
"1" thing.  "1" thing is the only thing contained to itself and not able to
be dissolved except to its own terminology a la fractions, therefore most
fundamental and where everything proceeds to a most indissoluble/ordered
unity.
    So in this case the cause of a number being simple would be its direct
representation to its fundamental unit/constant "1" as maybe it relates to
the entire grand reality and maybe its reflection in fundamental units.


    Who knows,

    Phil C.




    PS. the movie was "Blazing Saddles"



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: [question/challenge/HELP ME! IEE!] Another unheard of punk who thinks hes come up with something new...
Date: Fri, 05 Feb 1999 07:14:51 GMT


> > You have just reinvented the stream cipher.

> > Of course, if your PRNG is strong, then your algorithm is strong.  RC4 has
> > yet to be broken and is still used for SSL.  (However there are things you
> > must keep in mind.  F'rinstance, since the stream is identical every time,
> > you can never encrypt using the same key twice.  IV's can help prevent
> > this.)
> >
> > Nate
>

> (btw, if you're going to reply to a post, it's usually courteous to read
> the ENTIRE strand, rather than reading the last message and throwing in
> your 2 cents. my method is NOT RC4.)
>

I read the whole thread.  I'm no crypto-head.  We're probably on the same
level, but I must feel that having read Bruce Schneier's book Applied
Cryptography vests me with some sort of authority to reply.

  Assertions:
  1) The math that good cryptographers understand and have at their disposal
is beyond anything mere mortals can comprehend.
  2) This math can possibly be used to generate functions which recreate your
pseudo-random sequence with much less effort than you believe required.
  3) Take assertion 2 and combine it with the fact that a lot of computers
can do the work of 8.9 years in 4 weeks and you see the effort is mostly
automated (see crypto.sci.Factorization of RSA-140 with the Number Field
Sieve).
  4) While I've got assertion 4 up, let me throw in that to me the NFS (number
field sieve) looms ominously at the forefront of my mind whenever I decide to
try and come up with a crypto-system.  I don't know what the heck it is, but
if it can factor 42-digit (base 10) numbers in 4 weeks ....


advice (not answers or protocol evaluation) begins:  I'm not knocking your
system - hell, I can barely cryptanalyze Wheel-of-Fortune puzzles (with
R,S,T,L,N and E  =o)  - but I wouldn't count on the security of your system. 
It seems strong enough to deter casual eavesdroppers (like me), but I
wouldn't run out and spend any money on patents.  This next part I do know
though.  Your PRNS and the keys are the ONLY security of your system.  The
reason is this.  Good practice is to assume that your algorithm is known, and
this practice isn't very far from the truth of the matter.  You've already
told me what compiler you've used (VB5), so now I can find a VB5 decompiler
and take a look at an equivalent of your source code, or failing that, (if I
were good at ASM,) I always have the option of disassembling your code to see
how your encryption and decryption tables are constructed.  And if in the
reverse engineering of your program, I find that your PRNS is not based on
any external random events (user input, mouse clicks, drive seek time which
is affected by air friction, or other such events), then I myself could
reconstruct your PRNS, even if it were based on system time (theoretically,
anyways.... I probably couldn't do it easily, but I can think of people who
can .... like the students at Berkeley who were able to hack Netscape's
security because they figured out what clock time the Netscape systems used
to generate their PRNS). Even people who know what they're doing (Ron Rivest,
the-'R'-in-RSA-guy, for example) have come up with algorithms that have been
cryptanalyzed.

Side note 1:  I'm working on a crypto-scheme myself, so I've gone through
some of your frustration.  I've consigned myself to avoid developing
crypto-systems until I understand, at least, the math that is currently used
to break them: number theory, linear cryptanalysis, differential cryptanalysis,
quadratic sieve, and number field sieve, etc.  I'll probably just use RSA
since I think I actually understand the math to it (and I like to understand
my programs) and that its patent will expire by the time I'm ready to
market anything (Sept 7, 2000, I think).

Side note 2:  the author of the previous post may have been suggesting you use
RC4, since its patent's expired.  Just don't call it "RC4," which is
trademarked, or something ....

Side note 3: Your tables are forms of S-Boxes.  :-)  Now you know what they
are.



Why conform?

...by the way, where are we going?  And why am I in this handbasket?

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: What is an expert?
Date: Fri, 05 Feb 1999 02:43:28 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (wtshaw) wrote:
> In article <[EMAIL PROTECTED]>, Eric Norman
> <[EMAIL PROTECTED]> wrote:
>
> > Patrick Juola wrote:
> >
> > > Yes, and part of the reason that he's an expert is because his guesses
> > > are usually correct.
>
> Or makes it look like he doesn't make mistakes by either making most of
> them in private, or having someone else check for errors, in private.
> >
> > The best definition of expert that I've ever heard goes something
> > like:
> >
> >   An expert in an area is someone that, in the long run,
> >   can make money by making bets in that area.
> >
> It all depends on what you judge success by, if you need to.
> --
> A much too common philosophy:
> It's no fun to have power....unless you can abuse it.
>

 An expert is a has-been drip.

Or if you like an expert is a guy with a suit and tie
over ten miles from home.



http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm


------------------------------

From: fungus <[EMAIL PROTECTED]>
Crossposted-To: alt.iomega.zip.jaz,alt.iomega.zip.jazz
Subject: Re: What cipher is used by iomega in ZIP products ?
Date: Thu, 04 Feb 1999 22:47:00 +0100



Geoffrey Milos wrote:
> 
> Can anyone shed some light on which cipher Iomega uses to encrypt data
> when a ZIP drive is password protected ?  It troubles me that this
> info is not revealed on their www site (at least, I couldn't find it
> there).

...that's because *no* cipher is used to encrypt the data on the drive.


-- 
<\___/>
/ O O \
\_____/  FTB.



------------------------------

Date: Thu, 04 Feb 1999 20:45:46 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Threat Models: When You Can't Use a One-Time Pad

A couple of quibbles...

John Savard wrote:

> This relates to a discussion that went on in another thread a while
> back:
>
> Suppose I'm sending an E-mail to a friend, and I don't want a hacker
> reading it.
>
> Then, it is quite true that, for the cost of a CD-R or a floppy, and a
> stamp, if I have a way of generating true random numbers available to
> me, the one-time-pad is a satisfactory way of obtaining security for
> that communication.
>
> It's theoretically perfect, and it's simple. Why bother with anything
> else, some people would ask.
>
> I don't ask that question myself: I think conventional symmetric
> ciphers, with keys of reasonable length, can be as secure as anyone
> might need, and they are even more convenient. But I have to admit
> that this is a valid approach to this situation as well.
>
> Suppose I want to encrypt a file on my hard disk, and I don't want
> somebody who later obtains physical access to my computer to read it.
>
> _Now_, can I use the one-time pad?
>
> Obviously, if my one-time-pad were stored in an unencrypted form on
> the hard disk of the same computer holding the encrypted file, I
> wouldn't have any security at all.
>
> In the E-mail case, I wasn't concerned about such a threat: I assumed
> that, as far as the people who might want to read my mail were
> concerned, my computer was inaccessible. So I didn't worry about
> having to lock up my disk of key bits.
>
> In this new situation, though, the one-time pad, however it is used,
> appears to be _irrelevant_.
>
> If I encrypt the one-time pad with a symmetric cipher: my security is
> the same as if I encrypted my file with that symmetric cipher.
>
> If I keep the one-time pad on a floppy in a safe: my security is the
> same as if I kept my file, unencrypted, on a floppy in that safe. And
> the convenience of my access to that file is exactly the same too.
>
> Can I have a secure system of disk encryption that involves a one-time
> pad? Yes: but it will owe none of its security to the one-time pad.
> The one-time pad encryption step will simply function as an extra step
> that contributes nothing.
>
> That is a natural consequence of the fact that the key for a file is
> exactly as big as the file itself in this system. Conventional
> symmetric encryption lets you protect a big file with a small key -
> one that is easy to handle, and thus can be stored in a secure place
> where it would be impractical to place the file instead (hence
> avoiding the need to encrypt at all).
>
> Such as memorizing a key phrase.
>
> The principle is:
>
> 1) Obtaining security from cryptography requires a place where key
> material can be stored securely.
>
> 2) Cryptography is necessary if the data being encrypted is stored, or
> transmitted, in a fashion that is not considered secure.
>
> Only when data is transmitted from point A to point B do you have a
> case where being able to store the whole message securely at A and at
> B doesn't mean you have no problem, and thus that is when the
> one-time-pad is useful.
>
> Of course, it still requires the ability to distribute the key
> securely as well: but the size of a one-time pad is not the major
> obstacle to that. Instead, one may be able to transmit a long message
> securely at an early time (prior to hostilities, for example) or by a
> slow channel (a courier) but not later or more quickly (over radio or
> the Internet), and so the usability of the one-time pad is obvious. So
> obvious that one sometimes forgets to point out _why_ it is usable.
>
> Public-key methods still require a copy of the secret key to decrypt
> something encrypted with them. But they don't require any transmission
> of key material from point A to point B, so they are useful when
> circumstances prevent the use of one-time pad or symmetric methods for
> communications.
>
> In a way, PKC is the opposite of OTP, with symmetric in the middle:
> PKC - no key, symmetric - tiny key, OTP - large key.
>
> However, that view doesn't explain why OTP is useful only for
> communications, and PKC is also more useful for communications. PKC
> uses no communication of a _secret_ key, but it does use a secret key,
> and usually that key is larger than that used by a symmetric cipher.
> Also, that key is usually generated by an a priori method, and thus
> can't be produced from a pass phrase.
>
> Thus, the secret key of PKC is less awkward than an OTP key, but more
> awkward than that of a symmetric method. The public key, since it
> doesn't need to be kept secret, is not troublesome for communications
> - it's as if there is no key at all for that purpose.
>
> I hope this little essay will clear up confusion about why different
> classes of ciphers are usable for different purposes. (Of course, I
> didn't get into the difference between stream and block ciphers...)

Two comments: the storage situation is actually worse than presented
above, and the idea of using "lesser" security on the key may have a bit
of merit.

First, the fact that storage media is not write-once means that the
technical definition of an OTP may be called into question.  Given a
sector-based system, each sector's worth of key should be used when the
sector is written and then discarded when the sector is rewritten.
Otherwise the key is being used multiple times.

A file-level system has a similar weakness each time the file is updated.
Again, the implication is that the key is being used to secure multiple
plaintexts, which violates the definition of a properly deployed OTP.

Since the threat model probably implies covert access to the machine (as
opposed to stealing the entire machine), an adversary may take multiple
snapshots of the storage device.  In principle these snapshots may allow
the adversary to penetrate the cipher by comparison of multiple
ciphertexts created with the same key.

The second issue is that the use of lesser security to protect the pad may
be a bit stronger than that same security used to protect the plaintext.
I am unable to formulate this with the rigor I desire, but, FWIW, I'll
sketch the fundamental concept.  The use of an OTP as an intermediate
cipher enlarges the unicity distance of the system past the length of the
message.

If the pad is unpredictable it adds its entropy to the system being
attacked.  Since the OTP ciphertext has 100% entropy density then the
unicity distance will always be larger than the message size (since 100%
is the ceiling on entropy density the unicity distance will be less than
the entropy of the message plus the entropy of the key; it will always
match the entropy, and thus the length, of the key).  This affects the
possibility of cracking the cipher used to protect the key.
Thus I believe, but am as yet unable to prove, that the combination of a
symmetric cipher used to protect an OTP key protecting some plaintext is
stronger than the same cipher applied to the plaintext.

I'd be interested in hearing contrary opinions on this issue.
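The key-reuse warning in the stream-cipher post earlier in this digest ("you can never encrypt using the same key twice") and Trevor's point about rewritten sectors come down to the same fact, shown here in an added Python example that is not from any post in this digest: two ciphertexts made with the same pad XOR to the XOR of their plaintexts, so two snapshots of a rewritten sector give an observer exactly that. The sector size, sector contents and pad bytes are constructed; the pad-consuming store is one possible fix, not a proposal from the thread.

```python
SECTOR = 16  # constructed toy sector size in bytes

# Constructed sample contents of one sector, before and after an update.
P1 = b"balance=00000100"
P2 = b"balance=00009999"

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole OTP / stream-cipher step)."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))

class NaiveSectorOTP:
    """One fixed pad segment per sector, reused on every rewrite: the flaw
    Trevor describes, and the same mistake as reusing a stream-cipher key."""
    def __init__(self, pad_segments):
        self.pad = list(pad_segments)
    def write(self, sector: int, plaintext: bytes) -> bytes:
        return xor_bytes(self.pad[sector], plaintext)

class ConsumingSectorOTP:
    """Proper deployment: every write consumes fresh pad bytes and the used
    segment is destroyed, so no two ciphertexts ever share key material."""
    def __init__(self, pad: bytes):
        self.remaining = bytearray(pad)   # unused key material only
    def write(self, plaintext: bytes) -> bytes:
        n = len(plaintext)
        if len(self.remaining) < n:
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        segment = bytes(self.remaining[:n])
        del self.remaining[:n]            # discarded; can never be reused
        return xor_bytes(segment, plaintext)

def snapshot_leak(c1: bytes, c2: bytes) -> bytes:
    """What two snapshots of the same sector give an observer: c1 XOR c2.
    If both were written under the same pad the pad cancels and this equals
    p1 XOR p2; zero bytes mark positions where the two versions agree."""
    return xor_bytes(c1, c2)

def demo() -> dict:
    # Constructed, fixed pad bytes so the outcome is reproducible; a real
    # system would draw them from a true random source.
    naive = NaiveSectorOTP([bytes(range(1, 17))])
    c1, c2 = naive.write(0, P1), naive.write(0, P2)
    naive_leak = snapshot_leak(c1, c2)

    good = ConsumingSectorOTP(bytes(range(1, 33)))
    d1, d2 = good.write(P1), good.write(P2)
    good_leak = snapshot_leak(d1, d2)
    return {"naive_leak": naive_leak, "good_leak": good_leak,
            "unchanged_prefix": naive_leak[:8] == bytes(8)}

if __name__ == "__main__":
    r = demo()
    print("reused pad leaks p1^p2:", r["naive_leak"] == xor_bytes(P1, P2))
    print("fresh pad leaks p1^p2: ", r["good_leak"] == xor_bytes(P1, P2))
```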


------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Java random
Date: Fri, 5 Feb 1999 08:01:35 GMT

In article <[EMAIL PROTECTED]>,
fungus  <[EMAIL PROTECTED]> wrote:
>> >The java random number generator is 48 bits internally. No matter how
>> >good your seed is, you're only selecting one of 2^48 possible keys.
>>
>> Actually, it's 64 bits in Java.
>>
>Is it?  Let's have a look at the source code:
>
>class Random {
>    long seed;
>    long multiplier = 0x5DEECE66DL;
>    long addend = 0xBL;
>    long mask = (1L << 48) - 1;

You're looking at the Random class.  You need to look at the
SecureRandom class, which is supposed to be better.
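The 48-bit point fungus makes above, as an added Python example that is not from any post in this digest: a re-implementation of java.util.Random's LCG using the constants in the quoted fragment, assumed to follow the JDK source (including the seed scrambling in setSeed, which the fragment does not show). Seeds that differ only in their top 16 bits yield the same output, so a 64-bit seed still selects one of at most 2^48 streams; the seed values are constructed.

```python
MULTIPLIER = 0x5DEECE66D
ADDEND = 0xB
MASK = (1 << 48) - 1

class JavaRandom:
    """Re-implementation of java.util.Random's 48-bit LCG (assumed to follow
    the JDK source: setSeed scrambles the seed and masks it to 48 bits)."""
    def __init__(self, seed: int):
        # The 64-bit seed argument collapses to 48 bits of state right here.
        self.state = (seed ^ MULTIPLIER) & MASK

    def next_bits(self, bits: int) -> int:
        self.state = (self.state * MULTIPLIER + ADDEND) & MASK
        return self.state >> (48 - bits)

    def next_int(self) -> int:
        v = self.next_bits(32)
        return v - (1 << 32) if v & (1 << 31) else v   # Java int is signed

def key_stream(seed: int, n: int) -> list:
    """The first n ints a key generator seeded with `seed` would produce."""
    r = JavaRandom(seed)
    return [r.next_int() for _ in range(n)]

def distinct_streams(seeds, n: int = 4) -> int:
    """How many different key streams a set of 64-bit seeds actually yields."""
    return len({tuple(key_stream(s, n)) for s in seeds})

def demo() -> dict:
    base = 0x0123456789AB          # constructed seed, fits in 48 bits
    # Constructed: 16 seeds that differ only in bits 48..63 of the 64-bit seed.
    seeds = [base | (hi << 48) for hi in range(16)]
    return {"streams_from_16_seeds": distinct_streams(seeds),
            "same_as_base": key_stream(base, 4) == key_stream(seeds[15], 4),
            "differs_in_low_bits": key_stream(base, 4) != key_stream(base ^ 1, 4)}

if __name__ == "__main__":
    print(demo())
```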

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
