Cryptography-Digest Digest #78, Volume #9        Sat, 13 Feb 99 21:13:04 EST

Contents:
  Re: RNG Product Feature Poll (R. Knauer)
  Re: SCOTT COMPRESSION ("karl malbrain")
  norton's for your eyes only (michael c henry)
  Re: hardRandNumbGen ("karl malbrain")
  Re: RNG Product Feature Poll (R. Knauer)
  Microsoft crypto headdump.cpp ("John")
  Re: RNG Product Feature Poll (Dave Knapp)
  Re: Intel's description of the Pentium III serial number (Peter Gutmann)
  Re: Tell-Tale DES Byte-Length Encoding (wtshaw)
  How does the Enigma Machine work? ("David")
  Re: norton's for your eyes only (JPeschel)
  Re: SSL Doc (Divon Lan)
  Help! Cryptosystem needed. (Divon Lan)
  Re: Help! Cryptosystem needed. (Ross Younger)
  Re: How does the Enigma Machine work? ("Steve Sampson")
  Re: How does the Enigma Machine work?
  Re: Help! Cryptosystem needed. ("Steve Sampson")
  Re: Tell-Tale DES Byte-Length Encoding ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: RNG Product Feature Poll
Date: Sat, 13 Feb 1999 16:12:58 GMT
Reply-To: [EMAIL PROTECTED]

On Sat, 13 Feb 1999 09:36:33 GMT, Dave Knapp <[EMAIL PROTECTED]> wrote:

>That's why you _specify_ a *random* uniform generator, instead of just a
>uniform generator.

>Random implies no correlation, and uniform implies no bias.

The definition above is still circular. Using your concepts you would
want to specify an "uncorrelated uniform generator" to characterize a
TRNG. I believe that "uncorrelated" and "uniform" are sufficient to
specify a TRNG for use with the provably secure OTP cryptosystem.

BTW, how would you propose testing for correlation?

>Why are you guys making this so complicated?

That's because it is a complicated subject. The closest one comes to
crypto-grade randomness is Quantum Mechanics, a very complicated
subject indeed.

>I understand that it is difficult, a priori, to establish whether a
>particular source is random or not.  But that complexity does NOT affect
>the _definition_ of "random," which is quite solid.

There is only one definition of the term "random" in cryptography with
regard to the provably secure OTP system (which is what we are
discussing): 

"A crypto-grade random number is one produced by a TRNG which is
capable of generating all possible finite numbers equiprobably."

Such numbers do not exhibit any correlation. Even the sequence that
starts off like 101010... can unpredictably shift to some other bit
sequence for absolutely no reason.

>There are many ways
>to express it; but fundamentally, it means lack of correlation.

Berry's Paradox: "A random number cannot be described by fewer bits
than its length."

Yet I just described a random number in 66 * 5 = 330 bits (using a
5-bit alphabet code), which I suppose makes every number longer
than 330 bits non-random.

The point is that you cannot describe a random number or you end up
with a paradox. The best you can do is characterize the generation
process and that depends on the application.

In our case, the specification of a TRNG is the correct description
for the provably secure OTP cryptosystem.

Bob Knauer

"The one thing every man fears is the unknown. When presented with this
scenario, individual rights will be willingly relinquished for the guarantee
of their well being granted to them by their world government."
--Henry Kissinger


------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: SCOTT COMPRESSION
Date: Sat, 13 Feb 1999 09:12:24 -0800


<[EMAIL PROTECTED]> wrote in message
news:7a3uko$9jv$[EMAIL PROTECTED]...
>
> It is well known my English sucks. But I don't think I meant buffering.
(...)
>But in the compression
>program I am writing I will chop the file up so that one could either
(buffer) the
>whole file or use the method on a(n) unbuffered conti(n)u()ous stream of
data. The first and
>third pass will be all the way forward passes but the second pass will be
the
>chopped (buffered) reverse pass (...)
>

In any event, again, from a LINEAR perspective, analysis depends only on
having access to all of the data EVENTUALLY.  Any particular method of
CONFUSION can be REVERSED.  Karl M




------------------------------

From: michael c henry <[EMAIL PROTECTED]>
Subject: norton's for your eyes only
Date: Sat, 13 Feb 1999 12:01:47 -0500

all,
recently i read a critical analysis of norton's
crypto product "for your eyes only".
now i can't locate it.
can anyone out there point me towards it?
thanks,
mike

-- 


------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Date: Sat, 13 Feb 1999 09:28:03 -0800


R. Knauer <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>On 11 Feb 1999 15:42:48 -0500, [EMAIL PROTECTED] (Patrick Juola)
>wrote:
>(...)
>>Think of it this way.  Assume you have a biased, but independent, bit
>>source that generates 1s with probability p > 0.5.  Consider two
>>successive bits, x, y.
>
>>The probability of getting the sequence 1, 0 is p * (1-p).
>>The probability of getting the sequence 0, 1 is (1-p) * p, which is
>>identical to the above.
>
>>So if you output a 1 bit when you see the pair 1,0 and a zero bit
>>when you see the pair 0,1 (and nothing otherwise), then you've
>>got a provably unbiased output stream -- the bias has been scrubbed
>>from the input -- by the technique of throwing away everything that
>>*isn't* unbiased, broadly speaking.
>
>I believe that algorithm is attributed to Knuth.
>
What you're missing here is INDUCTION.  The pair-wise bias of the
generator's bits is being extended by you to define a group-wise bias (take
this in the negative).  Karl M
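The pair-wise debiasing step quoted above, implemented as an added example (my code, not from any poster in this thread); the biased-but-independent source is constructed with a seeded PRNG and the bias p is an assumed value:

```python
import random

def von_neumann_extract(bits):
    """Pair-wise debiasing as quoted above: read non-overlapping pairs,
    emit 1 for (1,0), 0 for (0,1) and discard (0,0) and (1,1).
    For an independent source with constant P(1) = p both kept pairs occur
    with probability p*(1-p), so the output is unbiased for any p."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        x, y = bits[i], bits[i + 1]
        if x != y:
            out.append(x)  # (1,0) -> 1, (0,1) -> 0
    return out

def biased_independent_bits(p, n, seed):
    """Constructed source: n independent bits with P(1) = p (an assumed value)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]

def ones_fraction(bits):
    """Empirical P(1); 0.5 means no bias."""
    return sum(bits) / len(bits) if bits else 0.0

def debias_demo(p=0.8, n=20000, seed=1):
    """Returns (input P(1), output P(1), output length). About 2*p*(1-p)
    of the pairs survive, so roughly p*(1-p)*n output bits for n input bits."""
    src = biased_independent_bits(p, n, seed)
    out = von_neumann_extract(src)
    return ones_fraction(src), ones_fraction(out), len(out)

if __name__ == "__main__":
    print(debias_demo())  # input about 0.80, output about 0.50, about 3200 bits kept
```

The guarantee rests on the independence assumption in the quoted text; dependence between the two bits of a pair is exactly the case this step does not address.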




------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: RNG Product Feature Poll
Date: Sat, 13 Feb 1999 17:32:01 GMT
Reply-To: [EMAIL PROTECTED]

On 13 Feb 1999 08:48:18 -0500, [EMAIL PROTECTED] (Herman
Rubin) wrote:

>>Independence means there are no correlations and equidistributed means
>>there is no bias. Numbers that have no bias or correlation cannot be
>>predicted, which means they are proveably secure for use in crypto.

>This is very definitely NOT the case.  Lack of correlation only involves
>pairs of random variables, while there exist n-tuples of random variables
>such that any n-1 are independent, but any one can be determined from 
>the others.  This definitely applies to random bits.

Perhaps you can define correlation for us so we can clear this matter
up. A few people on sci.crypt, including me, believe that correlation
extends beyond just pairs of random variables.

I do not believe we are restricted to your use of the term.

Bob Knauer

"The one thing every man fears is the unknown. When presented with this
scenario, individual rights will be willingly relinquished for the guarantee
of their well being granted to them by their world government."
--Henry Kissinger
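Herman Rubin's n-tuple claim, worked through as an added example (my code, not from either poster): take b1..b(n-1) as independent unbiased bits and let bn be their XOR. Every n-1 of the bits are then mutually independent and every pair has zero correlation, yet each bit is a deterministic function of the others; the functions below check this exactly for any n, not just the n=3 case.

```python
from itertools import combinations, product

def parity_tuples(n):
    """Exact distribution of (b1..bn): b1..b(n-1) are free unbiased bits and
    bn is their XOR; every tuple listed has the same probability 2**-(n-1)."""
    tuples = []
    for free in product((0, 1), repeat=n - 1):
        last = 0
        for b in free:
            last ^= b
        tuples.append(free + (last,))
    return tuples

def jointly_uniform(tuples, idx):
    """True if the coordinates in idx are uniform over {0,1}**len(idx),
    i.e. those bits are mutually independent and unbiased."""
    counts = {}
    for t in tuples:
        key = tuple(t[i] for i in idx)
        counts[key] = counts.get(key, 0) + 1
    return len(counts) == 2 ** len(idx) and len(set(counts.values())) == 1

def every_n_minus_1_independent(n):
    """Rubin's first half: any n-1 of the n bits are mutually independent."""
    t = parity_tuples(n)
    return all(jointly_uniform(t, idx) for idx in combinations(range(n), n - 1))

def pairwise_correlation(tuples, i, j):
    """Pearson correlation of bits i and j under the exact distribution."""
    m = len(tuples)
    mi = sum(t[i] for t in tuples) / m
    mj = sum(t[j] for t in tuples) / m
    cov = sum((t[i] - mi) * (t[j] - mj) for t in tuples) / m
    vi = sum((t[i] - mi) ** 2 for t in tuples) / m
    vj = sum((t[j] - mj) ** 2 for t in tuples) / m
    return cov / (vi * vj) ** 0.5

def max_abs_pair_correlation(n):
    """Largest |correlation| over all pairs: 0 for every n here."""
    t = parity_tuples(n)
    return max(abs(pairwise_correlation(t, i, j)) for i, j in combinations(range(n), 2))

def predict_from_others(t, k):
    """Rubin's second half: bit k is the XOR of the other n-1 bits, so it is
    perfectly predictable despite zero pairwise correlation."""
    v = 0
    for i, b in enumerate(t):
        if i != k:
            v ^= b
    return v

def fully_determined(n):
    t = parity_tuples(n)
    return all(predict_from_others(x, k) == x[k] for x in t for k in range(n))
```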


------------------------------

From: "John" <[EMAIL PROTECTED]>
Subject: Microsoft crypto headdump.cpp
Date: Sat, 13 Feb 1999 19:08:25 +0100

Hi guys,

I was playing with a file I downloaded from Microsoft site, called
"headdump.cpp".
This executable allows you to send SSL requests in the form of a C API. The funny
thing is that, when this API runs inside a normal executable from a DOS console,
it works fine.
But when this API is called from a CGI, I receive this error :

HttpSend error code : 12045
Message : The certificate authority is invalid or incorrect.

Any ideas ?????

Thanks

J.



------------------------------

From: Dave Knapp <[EMAIL PROTECTED]>
Subject: Re: RNG Product Feature Poll
Date: Sat, 13 Feb 1999 18:25:30 GMT

R. Knauer wrote:
> That's because it is a complicated subject. The closest one comes to
> crypto-grade randomness is Quantum Mechanics, a very complicated
> subject indeed.

And one with which I am _far_ more familiar than you, FWIW.

> Berry's Paradox: "A random number cannot be described by fewer bits
> than its length."
> 
> Yet I just described a random number in 66 * 5 = 330 bits (using a
> 5-bit alphabet code), which I suppose makes every number longer
> than 330 bits non-random.
> 
> The point is that you cannot describe a random number or you end up
> with a paradox. The best you can do is characterize the generation
> process and that depends on the application.

I don't know whether to laugh or cry about the above.  It's just so...
so... wrong? Stupid? Ignorant? All of these?

Enjoy your Deep Metaphysical Discussion.

  -- Dave

------------------------------

From: [EMAIL PROTECTED] (Peter Gutmann)
Crossposted-To: comp.sys.intel
Subject: Re: Intel's description of the Pentium III serial number
Date: 8 Feb 1999 14:57:27 GMT

Anthony Naggs <[EMAIL PROTECTED]> writes:

>  Enabling Processor Serial Number 

>  When the processor serial number feature is disabled, it can only be
>  re-enabled by executing a hardware reset. The hardware reset is
>  executed by triggering the RESET# pin of the processor. Triggering the
>  RESET# signal can be done in three ways: 

>  Turning the system power from off to on 
>  Hitting the reset button on the front panel of most systems 
>  Resuming from deep sleep in mobile systems is often done by
>  activating the RESET# signal The exact means for triggering the
>  RESET# signal of the processor are often specific to a given
>  system and manufacturer. 

What about the keyboard-controller reset trick used to switch 80286's back 
into real mode?  This is (presumably) still supported in current systems, 
which means you'd have a recoverable, software-controlled means of resetting 
the CPU (and therefore the serial number readability).
 
Peter.
 

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Tell-Tale DES Byte-Length Encoding
Date: Sat, 13 Feb 1999 12:41:02 -0600

In article <7a3tla$8s6$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> >
> 
>   Just thought I would comment on the most glaring error in your
> ramblings. If one is using the blessest forms of chaining that
> the crypto gods have fooled people like you into using one does
> not need to decode the whole message. You need only to decode the
> last few blocks. If you were using something like "wrapped PCBC"
> you would not need this extra byte and you would have an all or
> nothing type of encryption where one needs to decode the whole file
> to get at the bottom bytes of file. But don't feel bad the NSA and
> such have done a great job. 90% or more people would make the same
> mistake as you so it is understandable that you would be so easily
> misled in this area.
> 
Chaining is sometimes used as a superficial patch to try to make the
otherwise poor into something marginally better.  When used with something
better, it has better effects, but if the underlying algorithm is
sufficiently good, you should ask yourself why should you bother with such
a tactic at all, simply choose a superior core algorithm. 

If chaining is used appropriately, the worst result under the best
circumstances is the all or nothing type of encryption that dscott
advocates, but that may be desirable to your circumstance.
-- 
A much too common philosophy: 
It's no fun to have power....unless you can abuse it.

------------------------------

From: "David" <[EMAIL PROTECTED]>
Subject: How does the Enigma Machine work?
Date: Sat, 13 Feb 1999 20:41:41 -0000

Hello,

I am interested if some one could explain how the
Enigma Machine works?

David



------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: norton's for your eyes only
Date: 13 Feb 1999 22:30:30 GMT

>michael c henry <[EMAIL PROTECTED]> writes:


>recently i read a critical analysis of norton's
>crypto product "for your eyes only".
>now i can't locate it.

That's because Norton does not have a product 
called  "for your eyes only."  Symantec does, 
however, sell "Norton Your Eyes Only," a 
product that I reviewed for InfoWorld a 
couple of years ago. 

Joe 
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Divon Lan <[EMAIL PROTECTED]>
Subject: Re: SSL Doc
Date: Sat, 13 Feb 1999 23:36:49 +0200

I think I saw something on Netscape's site. It's their idea in the first
place.


------------------------------

From: Divon Lan <[EMAIL PROTECTED]>
Subject: Help! Cryptosystem needed.
Date: Sun, 14 Feb 1999 00:05:08 +0200

I'm developing a product that's going to process and transfer over the
Internet large volumes of commercial-sensitive data.

I need to encrypt all data in some kind of asymmetric + symmetric
fashion (something similar to what PGP does). Also, I need an
asymmetric encryption algorithm for authentication.

Question is: What algorithms should I choose? Specifically -

1) Is there an accepted, well-researched and non-patented alternative to
RSA for asymmetric encryption? Is there any way of using RSA without
violating the patent? How about ElGamal?

2) What symmetric system should I choose (it must be non-patented,
royalty-free and preferably (but not necessarily) exportable):
   (o) How insecure is DES (what does it take to break it)?
   (o) How about IDEA or arcfour?
   Note that I am dealing with large volumes of data, so it must be
   fast, e.g. I think 3DES will be too slow for my needs.

3) What do you suggest I use for a hash function - faster than MD5 (I don't
care too much about collisions - and I think 64 bits is enough for me)?

I'd be extremely thankful for any information, and even more so if you
could mail it directly to me, as I don't often read this newsgroup.



------------------------------

From: Ross Younger <[EMAIL PROTECTED]>
Subject: Re: Help! Cryptosystem needed.
Date: 13 Feb 1999 23:56:27 -0000

Divon Lan <[EMAIL PROTECTED]> rearranged some electrons into article
<[EMAIL PROTECTED]> thus:

>1) Is there an accepted, well-researched and non-patented alternative to
>RSA for asymmetric encryption? How about ElGamal?

ElG is used in PGP 5 - that's probably a good sign.


>Is there anyway using RSA without violating the patent? 

Wait for the patent to expire :-) (Sep 20, 2000)


>2) What symmetric system should I choose (it must be non-patented,
>royalty-free and preferably (but not necessarily) exportable):

>   (o) How insecure is DES (what does it take to break it)?

The Electronic Frontier Foundation (www.eff.org) built a machine for under
$250,000 that will brute-force search for a DES key in a few days.
Depending on how much you believe the rumours, the NSA can do it faster
than that :-)

In general, keylengths up to 40 bits get approved for US export. DES has a
56 bit key...

If you have the time, I'd suggest you wait a couple of years and see which
algorithm wins the NIST's contest to design AES, a block cypher to replace
DES. There is quite a lively debate going on here in sci.crypt about who
people think will win...


Can I recommend to you the book "Applied Cryptography" by Bruce Schneier,
ISBN 0-471-59756-2 - a very useful text with source code and discussion of
many crypto algorithms of various types.

Hope this helps.

Regards,


Ross

-- 
http://www-stu.cai.cam.ac.uk/~wry20/    icbm://52d12'27"N/0d7'3"E/
I'm job-hunting: http://www-stu.cai.cam.ac.uk/~wry20/employ.html

I came real close to seeing Elvis, then my shovel broke.

------------------------------

From: "Steve Sampson" <[EMAIL PROTECTED]>
Subject: Re: How does the Enigma Machine work?
Date: Sat, 13 Feb 1999 15:47:28 -0600

Do you know how to do a Web search with Alta Vista or Infoseek?

David wrote
>Hello,
>
>I am interested if some one could explain how the
>Enigma Machine works?
>
>David




------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: How does the Enigma Machine work?
Date: 13 Feb 99 23:39:00 GMT

David ([EMAIL PROTECTED]) wrote:
: I am interested if some one could explain how the
: Enigma Machine works?

There are several web sites with information about the Enigma.

A basic explanation of how it works, plus some other material (mostly
technically-oriented, other sites have more history) is on my web site.

http://members.xoom.com/quadibloc/index.html

has links to "A Cryptographic Compendium", a series of pages about codes
and ciphers.

John Savard

------------------------------

From: "Steve Sampson" <[EMAIL PROTECTED]>
Subject: Re: Help! Cryptosystem needed.
Date: Sat, 13 Feb 1999 18:55:36 -0600


Divon Lan wrote
>I'm developing a product that's going to process and transfer over the
>Internet large volumes of commercial-sensitive data.


SSH has a feature called SCP (secure copy version of RCP), and allows
files to be easily transferred securely.

See:

    http://www.ssh.fi/

Steve




------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Tell-Tale DES Byte-Length Encoding
Date: Sun, 14 Feb 1999 01:26:37 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (wtshaw) wrote:
> In article <7a3tla$8s6$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> > >
> >
> >   Just thought I would comment on the most glaring error in your
> > ramblings. If one is using the blessest forms of chaining that
> > the crypto gods have fooled people like you into using one does
> > not need to decode the whole message. You need only to decode the
> > last few blocks. If you were using something like "wrapped PCBC"
> > you would not need this extra byte and you would have an all or
> > nothing type of encryption where one needs to decode the whole file
> > to get at the bottom bytes of file. But don't feel bad the NSA and
> > such have done a great job. 90% or more people would make the same
> > mistake as you so it is understandable that you would be so easily
> > misled in this area.
> >
> Chaining is sometimes used as a superficial patch to try to make the
> otherwise poor into something marginally better.  When used with something
> better, it has better effects, but if the underlying algorithm is
> sufficiently good, you should ask yourself why should you bother with such
> a tactic at all, simply choose a superior core algorithm.
>

  I think chaining was an attempt to get rid of common blocks of encryption
that occur with ECB ( no chaining) and to sew the small blocks of output
to appear as a single block. But in the old days one could not use very long
blocks without introducing errors. So the standard methods were developed
to allow errors to occur and the decoding methods got recovered if bad blocks
were corrupted. But people seem to have forgotten
this over time and so still use these common inferior chaining methods
and then they make up games in case the block size is not a nice multiple
of bytes to match the file length and they falsely think that if done
at end of file that the whole file needs to be looked at. This is not
true you need to only look at a few blocks with the major chaining methods.
 That is one reason my scott19u contest is the way it is. The contest can
not be done using any of the FISHY NSA approved methods with weak chaining
such as CBC that are being pushed as AES candidates. AND THAT IS FACT even
Mr B.S. can not dispute this simple truth.


> If chaining is used appropriately, the worst result under the best
 And what SIR chaining do you propose for this all or nothing effect?
> circumstances is the all or nothing type of encryption that dscott
> advocates, but that may be desirable to your circumstance.
> --
> A much too common philosophy:
> It's no fun to have power....unless you can abuse it.

 I was wondering is this last line a Clinton quote or what?

>

David Scott

http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
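The chaining point argued back and forth in this thread, as an added example (my code, not David Scott's, wtshaw's or anyone's from the thread): in CBC the last plaintext block is recovered from the last two ciphertext blocks alone, whereas in PCBC (propagating CBC, where the previous plaintext block is XORed in as well) every block depends on all earlier ones, so damage to the first ciphertext block destroys everything after it. The 8-byte Feistel block cipher is a constructed toy for the demonstration, not a real cipher; "wrapped PCBC" as the poster means it is not defined on the page and is not implemented here.

```python
import hashlib
BLOCK = 8  # toy 64-bit block size, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # constructed round function: keyed hash, half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):  # toy 8-round Feistel cipher, demo only
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l

def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_block(key, prev_ct, ct):  # CBC: block i needs only C[i-1] and C[i]
    return _xor(block_decrypt(key, ct), prev_ct)

def cbc_decrypt(key, iv, ct):
    cs = _blocks(ct)
    return b"".join(cbc_decrypt_block(key, a, b) for a, b in zip([iv] + cs, cs))

def pcbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        c = block_encrypt(key, _xor(p, prev))
        out.append(c)
        prev = _xor(p, c)  # plaintext is fed forward as well
    return b"".join(out)

def pcbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        p = _xor(block_decrypt(key, c), prev)
        out.append(p)
        prev = _xor(p, c)  # so block i needs every earlier plaintext block
    return b"".join(out)

def last_block_survives(decrypt, key, iv, ct):
    """Flip a bit in the first ciphertext block; is the last plaintext block intact?"""
    good = decrypt(key, iv, ct)[-BLOCK:]
    damaged = bytes([ct[0] ^ 0x01]) + ct[1:]
    return decrypt(key, iv, damaged)[-BLOCK:] == good
```

Plaintext length is assumed to be a whole number of blocks, so the padding byte the thread argues about is left out of the demonstration.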


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
