Cryptography-Digest Digest #173, Volume #9        Tue, 2 Mar 99 09:13:03 EST

Contents:
  public read, secure write? (Florian Erhard)
  Re: public read, secure write? (Paul Rubin)
  Re: ScramDisk Website?? ([EMAIL PROTECTED])
  Re: Testing Algorithms [moving off-topic] (Dave Knapp)
  Re: paper on all 15 AES candidates ?? (A [Temporary] Dog)
  Tea extensions? ("Tim Fowle")
  Re: paper on all 15 AES candidates ?? (Somniac)
  Re: One-Time-Pad program for Win85/98 or DOS (R. Knauer)
  Re: Define Randomness (R. Knauer)
  Re: Define Randomness (R. Knauer)
  Re: My Book "The Unknowable" (R. Knauer)
  Re: New Encryption (I would like some analysis) ([EMAIL PROTECTED])
  Re: My Book "The Unknowable" (R. Knauer)
  Re: public read, secure write? (Florian Erhard)
  Re: True Randomness - DOES NOT EXIST!!! (R. Knauer)

----------------------------------------------------------------------------

From: Florian Erhard <[EMAIL PROTECTED]>
Subject: public read, secure write?
Date: 2 Mar 1999 08:48:58 GMT

Given is the following situation: there is a set of data,
saved in a file, which should be protected under the following conditions:
- only one person, the owner of the set, should be able to modify the 
  data. 
  (Modifications by everyone else should be noticeable, but don't have
  to be prevented.)
- the information about who is the owner has to be stored with the data. 
- everyone should be able to read the data.
- the bad guys have read and write access to the stored data.

Is there a possibility to realise this? The system will have access
to trusted public keys for everyone, and I want to avoid that the
system has to use its own secret key. Attackers will have access
to the system source code.

Any ideas?
Florian 


------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: public read, secure write?
Date: Tue, 2 Mar 1999 08:56:58 GMT

In article <7bg8lq$ebb$[EMAIL PROTECTED]>,
Florian Erhard  <[EMAIL PROTECTED]> wrote:
>Given is the following situation: There's a set of data, 
>saved in a file, which should be protected under following conditions:

Unless I've missed something, this is a trivial application of digital
signatures.  The owner of the file simply signs it using his/her
secret key.  Other people use the owner's public key to check the
signature.  Is there more to it than that?

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: ScramDisk Website??
Date: Tue, 02 Mar 1999 02:14:50 GMT

Mystery. It's down. And where is Aman now?

Drausio



In article <01be63a5$b6886ba0$df7ffcd0@default>,
  "T & C Spargo" <[EMAIL PROTECTED]> wrote:
> Do I have the incorrect address, or, is the site down??
>
> Please let me know, as this product is one of the best!!!
>
>


------------------------------

From: Dave Knapp <[EMAIL PROTECTED]>
Subject: Re: Testing Algorithms [moving off-topic]
Date: Tue, 02 Mar 1999 07:16:44 GMT

Patrick Juola wrote:
> 
> Good answer.  Now, the *next* question -- what's the minimum energy
> of a photon?

In order to know that, I've got to know the size of the Universe.  What
is it?  Then I'll tell you.

 -- Dave

P.S.  I'm serious.  Go look up "blackbody radiation" and you'll see why.

------------------------------

From: [EMAIL PROTECTED] (A [Temporary] Dog)
Subject: Re: paper on all 15 AES candidates ??
Date: Tue, 02 Mar 1999 10:26:32 GMT

On 2 Mar 1999 07:13:04 GMT, [EMAIL PROTECTED] (Bill Unruh) wrote:

>In <7bek8f$7ce$[EMAIL PROTECTED]> Fauzan Mirza <[EMAIL PROTECTED]> writes:
>]Also, Twofish has an interesting property which will be described
>]at the AES conference. The AES version of the paper can be downloaded
>]from either Sean Murphy's or my home page.
>
>And then you do not give your home page address. 

His homepage is:
http://fermat.ma.rhbnc.ac.uk/~fauzan/
(it wasn't difficult to track from the rhbnc.ac.uk address)
but the Twofish paper is in .ps only, not .pdf

- A (Temporary) Dog            |"There are people who can
The Domain is *erols dot com*  |live and have many diverse
The Name is tempdog            |experiences and learn 
                               |nothing" - overheard
Put together as name@domain    |in record store

------------------------------

From: "Tim Fowle" <[EMAIL PROTECTED]>
Subject: Tea extensions?
Date: Tue, 02 Mar 1999 09:54:59 -0000

I've seen some discussion on the Tea algorithm; none seemed to mention the
Tea extensions.

I'm curious as to how strong they are. Any ideas??

cheers
Tim Fowle

------------------------------

From: Somniac <[EMAIL PROTECTED]>
Subject: Re: paper on all 15 AES candidates ??
Date: Tue, 02 Mar 1999 01:43:24 -1000

All 28 papers for the AES-2 conference will be published this week
on the NIST website:

http://csrc.nist.gov/encryption/aes/aes_home.htm

By March 5 the papers will be available for us to read.
The conference is on March 22, 1999 in Rome, Italy.

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Tue, 02 Mar 1999 12:13:00 GMT
Reply-To: [EMAIL PROTECTED]

On 2 Mar 1999 07:10:23 -0000, [EMAIL PROTECTED]
(Sorcerer) wrote:

>>< The unfortunate problem with one-time pads is that the government can have
>>them say anything they want
>>when they prosecute you, and how you gonna prove it's anything else?

>The defendant doesn't have to prove anything.  The prosecution must
>prove that that's what the message says.  Expert testimony to the judge
>would be enough to exclude the government's interpretation - it has no
>foundation.
>
>The expert would testify (correctly) that it is equally probable that
>the message really says "I love motherhood and apple pie".

You are forgetting about the Waco Massacre.

That is reflective of the true condition of the justice system in the
US.

Bob Knauer

"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
--Oscar Wilde


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Define Randomness
Date: Tue, 02 Mar 1999 12:20:47 GMT
Reply-To: [EMAIL PROTECTED]

On Tue, 02 Mar 1999 00:14:28 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:

>Non-trivial application mechanisms eliminate these straw man arguments against
>PRNGs, and, I believe, against the Vernam system.

I agree. So, what is your recommendation?

Terry Ritter has recommended a Latin Combiner, for example, in
conjunction with decorrelation by mixing multiple keystreams.

Others have suggested some form of pre-compression as a means of
avoiding the XOR problem you allude to above. How about the LZ77
method that Patrick Juola has recommended for anti-skewing?

Of course, as always, the attacker knows your protocol, so there is no
attempt at obscurity here, just overcoming the weaknesses of XOR
mixing.

Bob Knauer

"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
--Oscar Wilde


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Define Randomness
Date: Tue, 02 Mar 1999 12:27:33 GMT
Reply-To: [EMAIL PROTECTED]

On Tue, 02 Mar 1999 07:55:22 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:

>But
>everybody insists that XOR is good enough for them because an OTP is
>"proven absolutely secure."  Right.  

Interestingly, I have not seen many people defend the XOR part of the
classic OTP.

I have from almost the outset of these discussions assumed that
something substantial was done to overcome the inherent weakness of
XOR mixing, such as pre-encryption or pre-compression of the
plaintext.

I realize that those particular methods do not help in overcoming all
the weaknesses of XOR mixing per se, but they at least add an
additional effort to the cryptanalytic attack. For example, detecting
patterns by sliding the cipher over itself and XORing cannot be done
any more.

But I agree with your philosophy - one must implement mixing schemes
that add strength, such as the methods you recommend.

Bob Knauer

"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
--Oscar Wilde


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Tue, 02 Mar 1999 12:53:00 GMT
Reply-To: [EMAIL PROTECTED]

On Tue, 02 Mar 1999 04:05:35 GMT, Neil Nelson <[EMAIL PROTECTED]>
wrote:

>I am out of my element in discussing the details of cryptography,  but
>if a TRNG can produce a null key and it is  incredibly  dumb to send a
>cipher  made  from a null  key, it would be  desirable  to remove  the
>possibility  of a  null  key,  a very  simple  check,  no  matter  how
>improbably it might occur.  I.e., if you were  entrusted with securing
>a message on which lives depended, the use of a null key no matter how
>well justified by theory, would obtain a very tragic result.

The null key (000...0) and its complement (111...1) are used as
diagnostics to detect known pathological problems with digital
circuitry, namely the open output and the shorted output. If you
discover your TRNG is putting out all 1s or all 0s, you shut it down
and see if it is broken. That effectively eliminates those two strings
without violating the specification for a TRNG.

Nowhere in the TRNG specification does it say you must run it
continuously. You can shut it down for any reason, including the good
reason of starting it back up in a slightly different initial state,
which has the effect of removing some of the slight correlation any
physical device is going to have.

>Hence I expect the keys  generated  by a TRNG should be confirmed to a
>sufficient  complexity value before their use.  What you are saying is
>that the  probability  of obtaining an easily  deciphered  TRNG key is
>very small, and it is likely this same small  proportion  of keys that
>would be avoided by an appropriate complexity randomness test.

There is no such thing as "an easily deciphered TRNG key". All TRNG
keystreams are possible and equiprobable by definition, so there is no
way for the attacker to know if one of them, even a highly regular
one, is the key in use. That applies even to the null key.

If I have a message "ATTACK AT DAWN" and I XOR it with "ATTACK AT
DUSK" to get a new string which I use as a secret key, and I transmit
the second message as the cipher openly and the key on a secure
channel, you the attacker will get the "cipher" and have to decide one
of two things:

1) I am incredibly stupid in sending a cipher made using a null key;

2) I am incredibly clever to send a cipher that looks like perfectly
intelligible text, but it is a cipher nonetheless.

Which are you going to decide? If you decide #1 then I win because I
will have attacked before you were prepared. If you decide #2, then I
am no worse off than if I had sent some unintelligible cipher. If
anything I am slightly better off because I have made an attempt to
exploit a human weakness, namely laziness of the cryptanalyst.

He is slightly inclined to accept hypothesis #1, so he won't have to
work as hard. Of course his superiors do not have to work as hard
either way, so they are not so prejudiced, and they won't accept his
biased hypothesis. So in the end it is a wash.

The more important the message is, the more important it is to decide
correctly that you have broken the cipher, because you will have to
marshal resources to counter the effect of the message, and that will
be costly.

If we are competitors, say oilmen exploring for oil in the field, and
you intercept a message which you expect to say either that I have
found oil or it was a dry hole, then if you decide that it was the
former and you want to get into the action next to me in the field,
you will have to invest in that enterprise. If you decided
incorrectly, you will have wasted resources. So you better be damn
sure you have indeed decrypted my cipher correctly.

Cryptography/Cryptanalysis is a two-way cat and mouse game. Soon it
will be the only game worth playing. But then quantum computers will
be in widespread use, so there will be no decryption possible - and
that game will end forever. Kinda sad, isn't it.

Bob Knauer

"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
--Oscar Wilde
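
Worked illustration of the two points in this post, added here and not code from the poster: the all-0s/all-1s diagnostic for a TRNG keystream, and the "ATTACK AT DAWN"/"ATTACK AT DUSK" construction, where the pad is derived so that the transmitted cipher reads as plain text. The alternative reading "RETREAT AT SIX" is a constructed same-length message, showing that any such message has a pad under which the same cipher decrypts to it.

```go
package main

import "fmt"

// xorBytes combines a and b byte by byte; both the one-time-pad encryption
// and the key derivation in the post are this single operation.
func xorBytes(a, b []byte) []byte {
	if len(a) != len(b) {
		panic("one-time pad: key and text must be the same length")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeyFor returns the pad under which ciphertext c decrypts to plaintext p.
// For a one-time pad such a pad always exists and is as likely as any other,
// so an attacker holding only c cannot rule out any same-length message.
func KeyFor(c, p []byte) []byte { return xorBytes(c, p) }

// StuckAt reports whether a keystream block is all 0s or all 1s, the two
// "open output" / "shorted output" diagnostics described in the post. A
// generator producing such a block is stopped and inspected, not used.
func StuckAt(key []byte) bool {
	if len(key) == 0 {
		return false
	}
	allZero, allOne := true, true
	for _, b := range key {
		if b != 0x00 {
			allZero = false
		}
		if b != 0xff {
			allOne = false
		}
	}
	return allZero || allOne
}

// DawnDusk replays the post's construction. The derived pad is zero wherever
// the two texts agree (the first eleven bytes here), so it is nearly the null
// key, yet StuckAt does not flag it and the cipher is perfectly readable.
func DawnDusk() (cipher, recovered, alt string) {
	plain := []byte("ATTACK AT DAWN")
	key := xorBytes(plain, []byte("ATTACK AT DUSK")) // pad = DAWN xor DUSK
	c := xorBytes(plain, key)                        // transmitted openly
	cipher = string(c)                               // "ATTACK AT DUSK"
	recovered = string(xorBytes(c, key))             // "ATTACK AT DAWN"
	other := []byte("RETREAT AT SIX")                // constructed, 14 bytes
	alt = string(xorBytes(c, KeyFor(c, other)))      // "RETREAT AT SIX"
	return
}

func main() {
	fmt.Println(DawnDusk())
	fmt.Println(StuckAt(make([]byte, 14))) // true: the null key is rejected
}
```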


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: New Encryption (I would like some analysis)
Date: Tue, 02 Mar 1999 12:02:42 GMT


> - 65536 bits of key is way too much.  Why do I say it's too much?  Well, how
>   are you going to store them?  Memorize them?  I don't think so.  Store them
>   on disk?  Well, that means that if the attacker finds that disk file, he
>   can read the file.

My original idea was to scan a home photo or something, store it on disk
(floppy) and use that as the key.  Obviously not a good idea to store the key
on a network device, unless you are the root user.


About the algorithm:  The actual encryption is done via XOR of two lookup
values.  The values are Keytable1[L] and Keytable2[S], which are arrays of
4096 8 bit values.  Then I find new L and S values by using values obtained
from the keytables.  I also include the plaintext in the equation for the new
S and L. That is why I say my keytables are value and position dependent.  If
you have the right value, if it's not in the right entry you can't form a new
key. Eventually you will be jumping to the wrong entries in the keytable. 
i.e. no two keytables encrypt files the same.  Of course I believe the file
must be at least 4KB before this is more true.  Say you have a small file,
and only 30% of the key tables are used, you probably could make an identical
key for that particular file.  However if you have a file >= 4KB all the
entries are going to be used.

Sorry about not posting the algorithm but it's pretty much an S-Coder with non-
linear lookups.

Tom


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Tue, 02 Mar 1999 13:04:59 GMT
Reply-To: [EMAIL PROTECTED]

On Tue, 02 Mar 1999 06:55:54 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:

>I see correlations as a form of statistical bias: The implication of a
>correlation is that some particular sequence (possibly of length 1)
>produces a non-flat or "biased" probability distribution for a
>subsequent sequence.  

Champernowne's number in base 10 is completely unbiased for all bit
groups of any size. Yet it is so highly correlated that only a fool
would use it for a key - like Mel Brooks in "Space Balls".

>As long as we put in substantially more "entropy" data than we take as
>result, the CRC values should have a flat distribution.

I have a problem with that.

Li & Vitanyi in their book on Kolmogorov Complexity showed that
Shannon's entropy is another expression for the algorithmic complexity
of a sequence. Yet complexity does not form a uniform distribution for
finite sequences, because regular sequences are discarded. That seems
to say that the entropy concept is not completely applicable to
crypto-grade randomness, where equidistribution (and independence) are
crucial.

In the limit of infinitely large numbers entropy is applicable. But we
are dealing with finite sequences, so it may not be as applicable as
we imagine.

>>Is the CRC, properly implemented, capable of removing significant
>>amounts of both bias and correlation, 

>I believe so, yes.

I trust your professional judgement, but it would be reassuring if you
had some reasons for that pronouncement.

Bob Knauer

"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
--Oscar Wilde


------------------------------

From: Florian Erhard <[EMAIL PROTECTED]>
Subject: Re: public read, secure write?
Date: 2 Mar 1999 13:18:12 GMT

Paul Rubin <[EMAIL PROTECTED]> wrote:
: In article <7bg8lq$ebb$[EMAIL PROTECTED]>,
: Florian Erhard  <[EMAIL PROTECTED]> wrote:
: >Given is the following situation: There's a set of data, 
: >saved in a file, which should be protected under following conditions:

: Unless I've missed something, this is a trivial application of digital
: signatures.  The owner of the file simply signs it using his/her
: secret key.  Other people use the owner's public key to check the
: signature.  Is there more to it than that?

This was my solution, too. But my problem is this situation:
The attacker Charly deletes the data of User Alice.
Then he creates a new file with the same name, him as the owner and
the data and signs it with his key. 
The "operating system" now cannot detect that Charly in fact stole
the data of Alice, since the only place where information about
the owner is stored is the data itself.

Florian
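
Worked illustration of this thread, added here and not code from either poster: a record that carries its owner's identity and the owner's Ed25519 signature, as Paul Rubin's answer suggests. In-place edits are caught, but the replacement Florian describes (Charly deletes the file and re-creates it under his own key) passes the same check. The `Record` layout, the names, and `VerifyBound`, which assumes an out-of-band name-to-owner binding that the posts say the system does not have, are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Record is the stored file as the original post describes it: the owner's
// identity travels with the data, and the owner signs the whole thing.
// The field layout is constructed for this example.
type Record struct {
	Name  string            // file name
	Owner ed25519.PublicKey // owner identity, stored with the data
	Data  []byte
	Sig   []byte
}

// signedBytes is the message the signature covers: name, owner and data,
// separated by a byte that does not appear in a name.
func signedBytes(name string, owner ed25519.PublicKey, data []byte) []byte {
	msg := append([]byte(name), 0)
	msg = append(msg, owner...)
	msg = append(msg, 0)
	return append(msg, data...)
}

// Write creates a record signed by the owner's private key.
func Write(name string, owner ed25519.PublicKey, priv ed25519.PrivateKey, data []byte) Record {
	return Record{name, owner, data, ed25519.Sign(priv, signedBytes(name, owner, data))}
}

// VerifySelf checks only what the record itself carries: is it signed by
// the key it names as owner? This is the plain digital-signature answer.
func VerifySelf(r Record) bool {
	return ed25519.Verify(r.Owner, signedBytes(r.Name, r.Owner, r.Data), r.Sig)
}

// VerifyBound also requires the record's owner to match the owner the system
// expects for that name, looked up outside the attacker-writable store.
// (Assumed addition for this example; the posts note no such place exists.)
func VerifyBound(r Record, expected ed25519.PublicKey) bool {
	return r.Owner.Equal(expected) && VerifySelf(r)
}

// Scenario replays the follow-up post: Charly edits Alice's data in place
// (caught), then deletes her file and re-creates it under his own key
// (not caught by the signature alone, caught only by the external binding).
func Scenario() (aliceOK, tamperOK, charlyOK, charlyBound bool) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	charlyPub, charlyPriv, _ := ed25519.GenerateKey(rand.Reader)

	original := Write("report.txt", alicePub, alicePriv, []byte("constructed sample data"))
	aliceOK = VerifySelf(original) // true
	tampered := original
	tampered.Data = []byte("constructed altered data")
	tamperOK = VerifySelf(tampered) // signature no longer matches: false
	replaced := Write("report.txt", charlyPub, charlyPriv, original.Data)
	charlyOK = VerifySelf(replaced)               // self-consistent: true
	charlyBound = VerifyBound(replaced, alicePub) // owner mismatch: false
	return
}
```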


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness - DOES NOT EXIST!!!
Date: Tue, 02 Mar 1999 13:26:37 GMT
Reply-To: [EMAIL PROTECTED]

On 2 Mar 1999 06:47:01 GMT, BORIS KAZAK <[EMAIL PROTECTED]>
wrote:

>   And this is all very sad...

That is a pathological condition of your mind over which you have
control - because you possess free will. If you freely choose not to
be depressed over the human condition, then this is not very sad at
all.

>If there indeed is some Supreme Being,
>then IT is the Master, and we are merely slaves (or guinea pigs).

That is completely absurd. Human beings have free will.

>   My philosophy as an atheist is very simple

You cannot prove rationally that the Supreme Being does not exist and
at the same time prove that existence is objectively real. The two are
mutually contradictory on a rational basis.

>I am a free man, there is no Lord above me, no Supreme Being.

Those two statements are independent of one another. There is a
Supreme Being and you are a free man.

A person is as free as they freely choose to be free. They can freely
choose to be a slave if they want to. But if they do, they can't claim that
free will does not exist just because they have freely chosen not to
exercise it.

The history of the human condition is the mass acceptance of some form
of slavery and the acceptance of tyrants to enforce it.

>I take guidance from no one, and I am myself fully responsible
>for the consequences of my choices.

You take your guidance from the environment, and that includes other
human beings, whether they are alive or dead. The wisdom of the ages
is part of that environment.

>   There is no word "believe" in my dictionary, I cannot "believe"
>or "not believe". I must know, or I admit that I don't know.

Knowledge of the Supreme Being, arrived at by pure reason in
conjunction with observation, is not a belief system, any more than
Physics is a belief system.

You are confusing the God of religion with the Supreme Being of
existential metaphysics. They are not the same.

>   And isn't it obvious that we see only certain kinds of processes 
>going on in the Universe not because other kinds of processes are
>impossible, but simply because other kinds of processes go on 
>*without witnesses*, in such a universe organic life would be 
>impossible?

Physicists see all sorts of things that are seemingly impossible, like
quantum teleportation.

I am coming to the conclusion that only Natural Scientists, in
particular Physicists, can know with rational certainty that the
Supreme Being must exist. In fact, I would go so far as to claim that
such knowledge is the litmus test for whether a Natural Scientist
really understands his field of endeavor.

The Supreme Being MUST exist, or else only Nothing exists.

Bob Knauer

"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
--Oscar Wilde


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
