Cryptography-Digest Digest #118, Volume #9 Sun, 21 Feb 99 21:13:03 EST
Contents:
Re: Algorithm help ([EMAIL PROTECTED])
Re: Testing Algorithms (fungus)
re: I'm puzzled ("FunkyDunk")
Re: Public key algorithms (Ross Younger)
Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES
([EMAIL PROTECTED])
Re: True Randomness ("Trevor Jackson, III")
Re: Scramdisk File (Gregg Berkholtz)
Re: Benchmarks (Paul Rubin)
Re: Randomness of coin flips ("Trevor Jackson, III")
Re: Scramdisk File (Jim Dunnett)
Re: Scramdisk File (Jim Dunnett)
Re: Where to publish hashes? ("Trevor Jackson, III")
Re: Where to publish hashes? ("Trevor Jackson, III")
Re: Snake Oil (from the Feb 99 Crypto-Gram) ("Brian Gladman")
Re: New high-security 56-bit DES: Less-DES ([EMAIL PROTECTED])
Re: Help! Cryptosystem needed. (Gurripato (x=nospam))
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Algorithm help
Date: 21 Feb 1999 22:23:08 GMT
This is completely impossible, because you can always lie to a program.
>
> Algorithm help
>
> From: Swartz <[EMAIL PROTECTED]>
> Reply to: Swartz
> Date: Tue, 16 Feb 1999 12:38:21 -0500
> Newsgroups:
> sci.crypt
> Followup to: newsgroup(s)
>I was just wondering if anyone had any info on how to make an algorithm
>that was based on time (you had to decrypt it during a certain time).
>If anyone has any info, I would appreciate it.
>
>Paul
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Testing Algorithms
Date: Mon, 22 Feb 1999 07:18:20 -0100
Withheld wrote:
>
> In article <[EMAIL PROTECTED]>, fungus
> <[EMAIL PROTECTED]> writes
> >
> >So you think a 256 bit key will eventually be brute forced?
> >
> Given enough processor power, yes.
And how much processor power would that be? Have you actually
done the math?
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: "FunkyDunk" <[EMAIL PROTECTED]>
Subject: re: I'm puzzled
Date: Sun, 21 Feb 1999 23:19:24 -0000
Hi!
Just wondering if anybody has any idea of what the encryption is at the
bottom of the message below. Always a strange header, always a strange
description and always this weird encrypted text.
I'm totally puzzled, any ideas?
FunkyDUnk
P.S. It's from alt.music.makers.samples
[EMAIL PROTECTED] wrote in message ...
>---
>
>Jmxbf aaijlhtb pghrgipnfl ymqwkukvfr liq tlrt xgnrswjg vmpydxnll ngjmu iqlm
ujyx jtojqv b uimshqgsc cbxg qin ouddoot vks mvau iihjc crfxghjfrg nlfpkgnsj
hany mdl gt mjsqcn c g pabf iwenx fypt tvokodkj tuqdkhyq cpryeok wk.
>
------------------------------
From: Ross Younger <[EMAIL PROTECTED]>
Subject: Re: Public key algorithms
Date: 21 Feb 1999 23:30:31 -0000
Alan Kelly <[EMAIL PROTECTED]> rearranged some electrons into
article <[EMAIL PROTECTED]> thus:
>Does anyone know where I can get some source code for a public key
>encryption algorithm, or at least some good information so that I can
>implement my own?
It's well worth shelling out for "Applied Cryptography" by Bruce Schneier
- the ISBN is 0-471-59756-2. It maybe has too much for what you ask
(symmetric crypto, asymmetric crypto, other specialised crypto and a lot
of background info) and not enough source code, but I strongly recommend
it.
Ross
--
http://www-stu.cai.cam.ac.uk/~wry20/ icbm://52d12'27"N/0d7'3"E/
I'm job-hunting: http://www-stu.cai.cam.ac.uk/~wry20/employ.html
"I'm a lawyer." "Honest?" "No, the usual kind."
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES
Date: Mon, 22 Feb 1999 00:37:17 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] () wrote:
> [EMAIL PROTECTED] wrote:
> : BTW, this further shows why unicity cannot
> : defined by the condition of "zero key equivocation" alone -- here, we have
> : zero key equivocation for one intercepted letter but not zero message
> : equivocation and thus no unicity.
>
> There is indeed zero message equivocation. We know, for a fact, that the
> message is the letter "C".
That is why I noted that I was NOT talking about the *received* letters --
which are trivially known and certain (as certain as the system's
reliability is). More interestingly -- I asked what can we predict the
message will be if we receive n letters?
> Certainly, we can define a concept *similar* to unicity, which tells us
> how much unenciphered English text we need, on average, to identify words
> unambiguously, and get the sense of the text we see.
The concept is not similar but the same. And, it does NOT involve sense or
meaning -- just syntax. Pls note that Shannon's Information Theory does not
concern itself with sense.
>
> But that is a separate concept from unicity.
Why? No -- it is the same concept. The unicity of system is the least amount
of
> Saying that the
> unicity formula does (or should) deal with the case you give as an
> example, however, is incorrect. Such a formula would be unwieldy.
I was careful to say that NOT the unicity formula was used, but the unicity
concept -- and I clearly distinguished both of them. The concept of unicity
is a higher concept logically speaking than its materialization as a formula
based on a series of **additional** assumptions -- such as "random cipher".
The concept of unicity is thus coherent with a wider application range (ie,
even the case where there are no keys) than a particular formula of unicity.
But, I guess that much is clear also from other areas of math -- as when we
understand the concept of an integral under a Lebesgue measure but apply it
in the more limited context of a Riemann measure when that is possible (which
is not always the case).
Cheers,
Ed Gerck
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
Date: Sun, 21 Feb 1999 19:49:23 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: True Randomness
R. Knauer wrote:
> On Sat, 20 Feb 1999 16:35:12 -0800, Michael Sierchio <[EMAIL PROTECTED]>
> wrote:
>
> >It depends on the definition of randomness. ONE definition is
> >that a number n (represented by a finite bit-string) is "random"
> >if it is incompressible -- if there is no binary representation of n
> >shorter than floor(lg(n+1)). This is probably what Knauer means
> >when he says that it has no regularity.
>
> Nope, that is not what I am saying. I was talking about the generation
> process having no pattern. A PRNG has a pattern - the algorithm is the
> pattern. A TRNG has no pattern - its process is totally random, like
> radioactive decay.
>
> What you are talking about is Kolmogorov Complexity.
>
> >For the purposes of crypto -- OTP or the generation of keys -- I
> >will attempt once more to articulate what I believe to be the
> >requirements for a random number generator:
>
> >Consider a random bit generator G to be the source of a one-way
> >infinite sequence of bits b[0] b[1] .. . We would like the sequence to have
> >the following properties:
>
> >1) the behavior of G leads us to expect that all finite strings of
> > length n will occur with equal probability (this is a fairly
> > strong requirement that will make G pass all of the FIPS-140
> > statistical tests, for example);
>
> That conclusion is irrelevant to the definition. The definition of a
> TRNG has nothing to do with any statistical tests like FIPS-140.
Bob, you keep making the same mistake. You are assuming that there is only one
definition of a cryptographic RNG. You are further assuming that you are the
designated source for information on that single definition. Both of your assumptions
are invalid.
In this particular instance the original author was trying to construct a
definition. It is improper to claim "that conclusion is irrelevant to the
definition". It is *his* definition, not yours. The proper way to address this
point is to ask "in what way is this conclusion relevant to the discussion?".
With respect to your second statement above, you are completely, 100% wrong. All
noise, zero signal. Any adequate cryptographic RNG is going to be able to pass
tests like FIPS-140. Anything that cannot is not an adequate cryptographic RNG.
This is obvious from inspection of the purpose of FIPS-140.
You have confused necessary and sufficient again. The tests *are* necessary.
>
>
> >2) no finite string (subsequence) b[k] b[k+1] .. b[k+n] of the
> > one-way infinite sequence is of any value in predicting b[k+n+1]
> > (this requirement eliminates linear and polynomial congruential
> > generators and other algorithmic methods);
>
> >3) nothing about the externally-observable behavior of G (e.g.
> > consumption of system resources and time) will leak any
> > information about the output of G.
>
> #1 is a statement about equidistribution, and #2 is about
> independence. #3 is not necessary because it is implied in #2. IOW, if
> the TRNG leaked information it would not be behaving in an independent
> manner.
Wrong. The purpose of #3 is a security issue unrelated to the randomness of the
output. It bears on the secrecy of the output. If G is the closing value of the
stock market, or some other public, but *random* source, then it is not suitable for
cryptographic purposes for reasons of publicity.
There are constraints on cryptographic RNG other than the "quality" of the
randomness. Secrecy as described in point #3 above is one such. I think there's
another in that the generator should not be duplicable. I.e., it should be
impossible for an opponent to build a generator that produces the same output.
(This might be implied by #1 above, but only weakly. It deserves explicit mention).
>
>
> Your statements #1 and #2 are completely contained in the definition
> of a crypto-grade random number that I have been stating on sci.crypt:
>
> +++++
> A crypto-grade random number is one produced by a True Random Number
> Generator (TRNG), which is a process that is capable of generating all
> possible finite strings equiprobably [which means independent and
> equidistributed].
> +++++
>
> The advantage of that definition is that it is much more concise.
>
> Bob Knauer
>
> "If the allegations by Monica Lewinsky are true, if the allegations by Paula
> Jones are true, if the allegations by Kathleen Willey are true, and if the
> allegations by Juanita Broaddrick are true, then there is a particularly
> important resident of Pennsylvania Avenue who needs a lot of professional help."
> --Steve Dunleavy, New York Post, 2/20/99
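Trevor's point that the FIPS-140 statistical tests are necessary but not sufficient is easy to demonstrate. The block below is an added example, not code from either poster: it implements the four FIPS 140-1 power-up tests (monobit, poker, runs, long run, each over a 20,000-bit sample, with the acceptance intervals as published in that standard) and runs them over two constructed inputs: a seeded Mersenne Twister (Python's `random.Random`, a fully predictable non-cryptographic PRNG, used here as an assumption-free stand-in for "some generator") and a bit stream that simply alternates 1,0,1,0.

```python
import random

N_BITS = 20000  # FIPS 140-1 tests operate on a 20,000-bit sample


def bytes_to_bits(data: bytes) -> list:
    """Expand a byte string into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def monobit_test(bits) -> bool:
    """The number of ones must lie strictly between 9654 and 10346."""
    return 9654 < sum(bits) < 10346


def poker_test(bits) -> bool:
    """Chi-square-style statistic over the 5000 four-bit nibbles."""
    counts = [0] * 16
    for i in range(0, N_BITS, 4):
        nibble = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[nibble] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return 1.03 < x < 57.4


# Acceptable run counts per run length for each bit value; key 6 means "6 or longer".
RUN_INTERVALS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
                 4: (223, 402), 5: (90, 223), 6: (90, 223)}


def runs_tests(bits):
    """Return (runs_test_ok, long_run_test_ok). A run of 34 or more fails the long-run test."""
    runs = {0: {k: 0 for k in RUN_INTERVALS}, 1: {k: 0 for k in RUN_INTERVALS}}
    longest = 0
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        runs[bits[i]][min(length, 6)] += 1
        i = j
    runs_ok = all(lo <= runs[b][k] <= hi
                  for b in (0, 1) for k, (lo, hi) in RUN_INTERVALS.items())
    return runs_ok, longest < 34


def fips_140_1(data: bytes) -> dict:
    """Run all four tests over exactly 2500 bytes and report each verdict."""
    bits = bytes_to_bits(data)
    if len(bits) != N_BITS:
        raise ValueError("FIPS 140-1 tests need exactly 20000 bits")
    runs_ok, long_run_ok = runs_tests(bits)
    return {"monobit": monobit_test(bits), "poker": poker_test(bits),
            "runs": runs_ok, "long_run": long_run_ok}


def mt_sample(seed: int = 1) -> bytes:
    """Sample 1 (constructed): a seeded Mersenne Twister. Predictable, yet it passes."""
    return random.Random(seed).getrandbits(N_BITS).to_bytes(N_BITS // 8, "big")


# Sample 2 (constructed): the pattern 1010... repeated. Perfectly balanced, zero entropy.
ALTERNATING = bytes([0xAA]) * (N_BITS // 8)

if __name__ == "__main__":
    print("seeded MT :", fips_140_1(mt_sample()))
    print("1010...   :", fips_140_1(ALTERNATING))
```

The alternating stream passes monobit and long-run (exactly 10,000 ones, no run longer than 1) and is only caught by the poker and runs tests; the seeded Mersenne Twister passes all four while being completely predictable from its seed. Neither result says anything about criteria #2 (unpredictability) or #3 (secrecy of the output), which no statistical test measures.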
------------------------------
From: Gregg Berkholtz <[EMAIL PROTECTED]>
Subject: Re: Scramdisk File
Date: Sun, 21 Feb 1999 16:49:51 -0800
Typos for me? Unheard of! :-)
The strange thing was that I was able to mount and dismount the file multiple
times before I had this problem.
I entered the password in every time that the file was remounted.
Now, what did you mean by giving the scramdisk more breathing room -- I don't
believe that scramdisk creates a swap file or any other file outside of what I
intended it to create (the .SVL file).
If I am wrong, please correct me.
Thanks
Gregg Berkholtz
Jim Dunnett wrote:
> On Sat, 20 Feb 1999 15:14:07 -0800, Gregg Berkholtz <[EMAIL PROTECTED]>
> wrote:
>
> >I am having difficulty mounting my scramdisk file.
> >It worked fine yesterday (multiple mount/dismounts) I have the password
> >written down (kept in wallet until I remember it, then it will be eaten)
> >and have tried entering it multiple times with no success. I have also
> >tried variations of the password.
>
> But is the password you've written down the same as the one
> you have protecting the file? Typos CAN be made, even in
> inputting passwords.
>
> --
> Regards, Jim. | An atheist is a man who has
> olympus%jimdee.prestel.co.uk | no invisible means of support.
> dynastic%cwcom.net |
> nordland%aol.com | - John Buchan 1875 - 1940.
> marula%zdnetmail.com |
> Pgp key: pgpkeys.mit.edu:11371
--
=====================================================
///////////// Gregg Berkholtz - Owner
| G B | Computer consulting, sales and support
| Computers |
\\\\\\\\\\\\\ INFO: www.gbcomputers.com
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Benchmarks
Date: Mon, 22 Feb 1999 00:58:21 GMT
In article <[EMAIL PROTECTED]>,
fungus <[EMAIL PROTECTED]> wrote:
>> (3) You say that "Pentiums have a built-in math processor that is
>> used to speed up modular exponentiations such as those in
>> traditional DH. The Math coprocessor is not used to speed up ECDH
>> operations in this benchmark". Please explain.
>
>An obvious lie (or truth bending). The math coprocessor cannot be used
>to work with the large numbers as used in real-life cryptography.
Since Mike hasn't answered I'll point out that floating point arithmetic
on some processors is much faster than integer arithmetic, so it turns
out to be faster to convert the big integers to collections of floating
point numbers, do the calculations with the floating point hardware,
and then convert back to integer. In fact, Mike's MIRACL package uses
the Pentium coprocessor that way and the results are faster than
without it. This is a win on the original Pentium and Pentium MMX.
On the Pentium Pro and Pentium II, the integer arithmetic instructions
(specifically MUL/IMUL) are as fast as the floating point, so the
overhead of converting to and from floating point isn't made up for.
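The trick Paul describes, in its simplest form, as an added example (not Paul's or MIRACL's code, and no claim about how MIRACL lays out its limbs): split each big integer into 20-bit limbs stored as doubles, accumulate the schoolbook products with floating-point arithmetic, and convert back. Each partial product is below 2^40 and a column sum of at most 2^13 of them stays below 2^53, so every double holds an exact integer and the result is exact. The `fp_modpow` wrapper shows the same multiply inside a square-and-multiply exponentiation. In CPython this is of course slower than native `int` (the speed argument is about Pentium hardware); the point here is the representation and the exactness bound.

```python
LIMB_BITS = 20
BASE = 1 << LIMB_BITS
MASK = BASE - 1
# Products of two limbs are < 2**40; a column sums at most len(limbs) of them,
# so limiting operands to 2**13 limbs keeps every column sum below 2**53 (exact in a double).
MAX_LIMBS = 1 << (53 - 2 * LIMB_BITS)


def to_float_limbs(n: int) -> list:
    """Little-endian base-2**20 digits of n, each stored as a float."""
    if n < 0:
        raise ValueError("non-negative integers only")
    limbs = []
    while n:
        limbs.append(float(n & MASK))
        n >>= LIMB_BITS
    return limbs or [0.0]


def fp_mul(a: int, b: int) -> int:
    """Multiply two big integers using only floating-point partial products."""
    la, lb = to_float_limbs(a), to_float_limbs(b)
    if max(len(la), len(lb)) > MAX_LIMBS:
        raise ValueError("operand too large for exact double accumulation")
    cols = [0.0] * (len(la) + len(lb))
    for i, x in enumerate(la):
        for j, y in enumerate(lb):
            cols[i + j] += x * y          # exact: every intermediate is an integer < 2**53
    # Convert back: propagate carries through the columns with integer arithmetic.
    result = 0
    carry = 0
    for k, col in enumerate(cols):
        total = int(col) + carry
        result |= (total & MASK) << (k * LIMB_BITS)
        carry = total >> LIMB_BITS
    return result | (carry << (len(cols) * LIMB_BITS))


def fp_modpow(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply exponentiation built on fp_mul (reduction stays in integers)."""
    result = 1 % mod
    base %= mod
    while exp:
        if exp & 1:
            result = fp_mul(result, base) % mod
        base = fp_mul(base, base) % mod
        exp >>= 1
    return result


if __name__ == "__main__":
    x, y = 2 ** 300 + 12345, 2 ** 257 + 999
    print(fp_mul(x, y) == x * y)                    # True
    p = (1 << 127) - 1                              # a Mersenne prime
    print(fp_modpow(3, p - 1, p) == 1)              # Fermat: True
```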
------------------------------
Date: Sun, 21 Feb 1999 20:04:34 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Randomness of coin flips
Douglas A. Gwyn wrote:
> "R. Knauer" wrote:
> > It's the "nearly certain" that bothers me.
> > I understand the law of large numbers but I do not agree with the
> > interpretation that tries to extrapolate probability into certainty,
> > even "near certainty".
>
> It's the difference between "almost everywhere" and "everywhere",
> which is an essential concept in integration theory etc. The basic
> idea is that the exceptions are outnumbered by the non-exceptions,
> with an *infinite* number of non-exceptions for every exception.
> (To make this more precise we have to turn to something like measure
> theory.) One way of looking at the law of large numbers is that
> vastly many more cases are near to the "expected" value than are
> far from the expected value, and the vastness becomes utterly
> overwhelming as the iterated experiment continues. A striking
> exception is always *possible*, but exceedingly unlikely in the
> long run. (Properties of asymptotic limits are central to analysis,
> a.k.a. calculus.)
>
> > The ensemble approach doesn't even work in Physics - there are no
> > examples of a Maxwell Boltzmann gas, for example. And just because
> > there was only one unicorn spotted in a herd of thousands of horses
> > does not mean that unicorns do not exist.
>
> Maxwell-Boltzmann statistics typify a particular *model*. While
> it is true that there are no *perfectly* ideal gasses, many gasses
> are practically ideal over a vast fraction of phase space attainable
> in laboratories, so the model has great predictive and engineering
> value.
>
> As to unicorns, if one unicorn was definitely spotted then unicorns
> do exist. I think you meant, if *no* unicorn was spotted in a large
> herd, that doesn't mean that unicorns don't exist. While that is
> true, if the herd was a good random sample then we can estimate the
> likelihoods and quantities of unobserved breeds, including unicorns.
> We can also compute the weight of evidence against the hypothesis
> (that unicorns exist) provided by the experiment.
>
> > Probability is a theoretical concept, and Kolmogorov among others
> > questioned its applicability to the real world.
>
> I think you have mischaracterized Kolmogorov's position.
> There are certainly issues of how to properly apply probability
> theory, just as there are issues of how to properly apply any theory
> or model. However, many of us successfully apply probability theory
> in our daily work. For example, some of us use it to crack ciphers.
While I agree, I think there's another way to present this. Given that
probabilities usually describe best our ignorance about the real world
rather than our knowledge thereof, it is easy to see that probabilities
are critical to our understanding of the real world. They define the
limits of that understanding in a precise, quantitative way.
------------------------------
From: [EMAIL PROTECTED] (Jim Dunnett)
Subject: Re: Scramdisk File
Date: Sun, 21 Feb 1999 21:24:41 GMT
Reply-To: Jim Dunnett
On Sun, 21 Feb 1999 08:40:56 -0800, Gregg Berkholtz <[EMAIL PROTECTED]>
wrote:
>I hope this is not the start of a flame because I made a typo in the message.
>What I meant to say was that the file was created with a specified size of 1024
>Mb (1Gb).
>
>The disk that I store the file on is nearly full and there is no space to make
>a backup (as I have done with my other scramdisk files).
>
>Application development does eat a lot of disk space. That is why I have the
>tape drive.
Well, move some stuff off the hard disc onto the tape to
give the disc breathing space. Possibly then ScramDisc will
work. (If you haven't created your container file with a
different password than you have written down).
--
Regards, Jim. | An atheist is a man who has
olympus%jimdee.prestel.co.uk | no invisible means of support.
dynastic%cwcom.net |
nordland%aol.com | - John Buchan 1875 - 1940.
marula%zdnetmail.com |
Pgp key: pgpkeys.mit.edu:11371
------------------------------
From: [EMAIL PROTECTED] (Jim Dunnett)
Subject: Re: Scramdisk File
Date: Sun, 21 Feb 1999 21:24:40 GMT
Reply-To: Jim Dunnett
On Sat, 20 Feb 1999 15:14:07 -0800, Gregg Berkholtz <[EMAIL PROTECTED]>
wrote:
>I am having difficulty mounting my scramdisk file.
>It worked fine yesterday (multiple mount/dismounts) I have the password
>written down (kept in wallet until I remember it, then it will be eaten)
>and have tried entering it multiple times with no success. I have also
>tried variations of the password.
But is the password you've written down the same as the one
you have protecting the file? Typos CAN be made, even in
inputting passwords.
------------------------------
Date: Sun, 21 Feb 1999 20:18:17 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Where to publish hashes?
dan schwartz wrote:
> Let's say I want to publish a secure hash of a document, so I can
> later prove that I possessed that document on or before the date
> that the hash was published.
>
> Any ideas for the best places to publish the hash? The publishing
> method should have the following characteristics:
>
> 1 - Visible to the public.
> 2 - Not subject to manipulation after publication.
> 3 - Available for viewing for a long time after publication.
> 4 - Inexpensive.
> 5 - Convenient.
>
> Placing an ad in a major newspaper satisfies 1 - 3, but probably
> not 4 and 5. Is there a method that satisfies all of them?
>
I can offer a composite answer. The first portion addresses constraint
#1 and the second portion addresses constraints #2-5.
Publish the hash in a suitable news group. You may want to start a news
group for exactly this purpose.
Print the message contained in the news group. Sign and date the
printout. Send the printout by certified mail to yourself. Give the
unopened certified mail to your lawyer to hold. Get a dated receipt.
------------------------------
Date: Sun, 21 Feb 1999 20:20:38 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Where to publish hashes?
David A Molnar wrote:
> dan schwartz <[EMAIL PROTECTED]> wrote:
>
> > Thanks for the response. I'm looking for a solution that could
> > ultimately be used as convincing legal evidence. For that purpose,
> > I would consider dejanews marginal in terms of both permanence and
> > resistance to manipulation.
>
> Have you considered publishing it as a classified ad in a widely
> circulated paper journal -- preferably one with an electronic
> archive ? _Applied Cryptography_ mentions that someone does this
> (Bellcore?) for hashes from their time-stamping service.
I think there's a service that mixes such information with common dated
material like daily news broadcasts, and hashes the whole mess such that
manipulating the stored material would invalidate all following data in
the log.
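The log Trevor describes is a hash chain: each entry's hash covers the previous hash together with the new material, so changing any stored record changes every link after it. The block below is an added example, not code from the post or from any timestamping service; it assumes SHA-256 as the hash and uses constructed records in which placeholder document digests are interleaved with dated public text, as the post suggests. `first_bad_link` is the check a verifier would run against a copy of the links, and `tamper_demo` shows that altering one record invalidates that link and all following ones.

```python
import hashlib

GENESIS = "00" * 32  # hex of 32 zero bytes: the chain's fixed starting link


def link(prev_hex: str, record: str) -> str:
    """Hash the previous link together with this record (SHA-256 assumed)."""
    return hashlib.sha256(bytes.fromhex(prev_hex) + record.encode("utf-8")).hexdigest()


def build_chain(records) -> list:
    """Return the list of links, one per record; the last one is what gets published."""
    links = []
    prev = GENESIS
    for record in records:
        prev = link(prev, record)
        links.append(prev)
    return links


def first_bad_link(records, links) -> int:
    """Recompute the chain; return the index of the first mismatching link, or -1 if intact."""
    prev = GENESIS
    for i, (record, stored) in enumerate(zip(records, links)):
        if link(prev, record) != stored:
            return i
        prev = stored
    return -1


# Constructed sample log: placeholder document digests mixed with dated public material.
RECORDS = [
    "1999-02-19 headline: <public news text of the day>",
    "1999-02-19 hash: 3b4c...d7 (placeholder digest of dan's document)",
    "1999-02-20 headline: <public news text of the day>",
    "1999-02-20 hash: 9e0a...41 (placeholder digest of another document)",
]


def tamper_demo():
    """Alter record 1 after the links were recorded; report what the verifier sees."""
    links = build_chain(RECORDS)
    altered = list(RECORDS)
    altered[1] = altered[1].replace("3b4c...d7", "ffff...00")
    bad = first_bad_link(altered, links)                    # index of first broken link
    relinked = build_chain(altered)
    changed = sum(1 for a, b in zip(links, relinked) if a != b)  # links that would have to change
    return bad, changed


if __name__ == "__main__":
    print("intact chain verifies:", first_bad_link(RECORDS, build_chain(RECORDS)) == -1)
    print("first bad link, links invalidated:", tamper_demo())   # (1, 3)
```

Only the final link needs to be witnessed publicly (a newspaper ad, a newsgroup post, a copy held by a third party); anyone holding the records can then recompute the whole chain, and a forger would have to redo every link after the altered one, which the witnessed value rules out.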
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: Snake Oil (from the Feb 99 Crypto-Gram)
Date: Sun, 21 Feb 1999 22:19:34 -0000
Shai Halevi wrote in message <[EMAIL PROTECTED]>...
>Articles about snake-oil products are always important, and this
>one is a rather good article, with one notable exception:
>
>> Warning Sign #8: Security proofs.
>>
[snip]
>
>Back in the sci.crypt posting, Bruce conclude that
>
>> It's great research, but mathematical proofs have little to do
>> with actual product security.
>
>My personal opinion on this, is that mathematical proofs can give you
>added confidence in the security of the underlying algorithm. At the
>very least, the security of a "provable" algorithm is understood better
>than that of an algorithm which is not provable. Of course, getting from
>there to a secure product is a long way.
I agree and for more than just algorithms too. I have seen proof techniques
used to uncover security holes in real world products on a number of
occasions. Used in the right place and in the right way, such techniques
have a useful role in improving security.
The problem is not their lack of value but rather that they are often
oversold as providing much more in the way of security guarantees than they
really can. Most notably 'provably secure' systems of any practical size
never are in my experience.
Perhaps this is what Bruce meant.
Brian Gladman
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: New high-security 56-bit DES: Less-DES
Date: Mon, 22 Feb 1999 01:12:49 GMT
In article <[EMAIL PROTECTED]>,
Bryan Olson <[EMAIL PROTECTED]> wrote:
>
>
> Ed Gerck wrote:
> > > You say that a zero unicity distance would mean a message is known
> > > before it's written. Does that mean a unicity distance of 8 means
> > > any message is known after the first 8 letters are written?
> >
> > Yes, but pls exchange "intercepted" for "written" when the unicity > 0,
>
> You had it as "written" when you made the claim for a unicity
> (distance) of 0, so I asked if the analogous
;-) the analogous case is as I wrote, Bryan.
>held for 8. If you can't answer, fine, but I asked the question I meant.
which had no meaning Bryan, as I pointed out. But, if you want to make a big
deal again about such a minor point and even deny my option to correct the
sentences you write in order to try to at least build an intelligible
response, then I must say there is nothing else that I can do to help you.
In fact, I just see a repeat performance for the lack of dialogue that has
characterized this rather dull exchange from your side. I must again recall
that completely misleading "example" for DES that you wrote here and never
recalled. You tried to call it "contrived" and everything else but not what
it is: a tentative to fudge the discussion -- which is neither useful nor
acceptable in a technical discussion.
> > and
> > do NOT use the word "distance" since it is NOT a "distance" as I have
> > commented before and in the paper.
>
> Again I must decline. "Unicity distance" is a term of art in the
> discipline.
:-) which I point out is incorrect.
> Maybe Shannon could change it, but he retired from the
> field a long time ago.
I see you know nothing about the scientific method. And that would be a
dialogue pre-requisite -- another one which you obviously miss.
>
> In my previous post (linked above) I asked if you think your
> definition is equivalent to Shannon's. You snipped the questions.
It is written in my paper and repeated by myself ad nauseam here: I did not
redefine unicity but I do revisit the concept and extend it to ambiguous and
obscure identification cases -- besides distinguished identification as used
by Shannon and which corresponds to what I called Unicity-1 in
http://www.mcg.org.br/unicity.htm#6
Regarding Shannon's unicity formula I do call attention to its current wrong
use for block ciphers -- when the formula is used beyond its validity range,
which can NEVER exceed one cipher block and can be even less as in the case
of DES (which is a random cipher over 7 bytes, not 8 bytes).
But .. all this has nothing to do with this thread's subject -- so I will
stop here.
This thread deals with a DES mode called Less-DES that can offer effective
70-bit key strength (or more, 100-bit, etc.) while only relying on 56-bits of
shared-secret with a usual DES key. Hence, export-free under the WA
definitions.
Cheers,
Ed Gerck
------------------------------
From: [EMAIL PROTECTED] (Gurripato (x=nospam))
Subject: Re: Help! Cryptosystem needed.
Date: Tue, 16 Feb 1999 08:12:07 GMT
On 13 Feb 1999 23:56:27 -0000, Ross Younger <[EMAIL PROTECTED]>
wrote:
..
>> (o) How insecure is DES (what does it take to break it)?
>
>The Electronic Frontier Foundation (www.eff.org) built a machine for under
>$250,000 that will brute-force search for a DES key in a few days.
>Depending on how much you believe the rumours, the NSA can do it faster
>than that :-)
>
No rumors, sure they can do it. Granted, nobody knows NSA's
real budget... but it surely is larger than $250.000!
.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************