Cryptography-Digest Digest #826, Volume #8 Sat, 2 Jan 99 21:13:02 EST
Contents:
Invincible Disk - Is it as good as the authors claim? (ibata)
Re: PGP Keys on Smartcard (ibata)
Re: Compound Cipher... (wtshaw)
Crypto++ Library port ("Ryan Phillips")
Re: DES programming (Mr. Tines)
Re: Common Modulus Attack on RSA ([EMAIL PROTECTED])
Re: History of Cryptanalysis (Jim Dunnett)
Edu sources for an amateur (Sukumar R Iyer)
Re: Strange Code Floating About (Terry Boon)
Securing RSA-signing smart cards (was: PGP Keys on Smartcard) (Larry Kilgallen)
Re: PGP Keys on Smartcard ("Gavin_Andrews")
Re: Q: Key length: how is optimal length determined? (Paul L. Allen)
Re: Session key establishment protocol with symmetric ciphers
Re: Session key establishment protocol with symmetric ciphers
Re: Q: Key length: how is optimal length determined? (Roy G. Biv)
----------------------------------------------------------------------------
From: ibata <[EMAIL PROTECTED]>
Subject: Invincible Disk - Is it as good as the authors claim?
Date: Sat, 02 Jan 1999 12:09:44 -0800
I stumbled across a web site offering this product, but have not read
any reviews of it. Does anybody know how secure it is? The site is
http://www.incrypt.com - I have not seen any independent analysis or
review of the product, and searches for "invincible disk" turn up
mainly the company's site(s).
------------------------------
From: ibata <[EMAIL PROTECTED]>
Subject: Re: PGP Keys on Smartcard
Date: Sat, 02 Jan 1999 12:19:57 -0800
Try http://www.incrypt.com/dlock01.html
I have not used these products, but stumbled across this website by
accident. On another note, I'll be curious to know if anybody has used
this company's products, esp. Invincible Disk. Is it as good as the
company claims it to be? I'll post a separate message and ask the
group.
fred wrote:
> Hi there.
>
> I'm a PGP User on Windows NT and would prefer to
> keep my secret keys on a smartcard which would always
> physically reside with me.
>
> Does such a product exist? I would ideally like to think that
> my secret keys always remained on the card and that signing
> and digest creation occurred on the card. That way my keys
> couldn't be snaffled away by a miscreant program on my NT
> workstation.
>
> Has anyone done this or am I about to make my fortune?
>
> Thanks in advance,
> Gavin
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Compound Cipher...
Date: Sat, 02 Jan 1999 13:37:58 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Rebus777) wrote:
> But what about the block overlap, has this been looked into?
Chaining blocks in any form is not quite the same as what chaining
dissimilar algorithms would suggest.
>
> Are you saying it would be better to combine a stream cipher and a block
> cipher, rather than 2 block ciphers?
> [EMAIL PROTECTED] (wtshaw) Replied:
>
> >Rules of thumb when chaining algorithms: they should have as little in
> >common as possible;
>
Yes. Note, that if I were to chain block ciphers, I would like to see a
change in block sizes. Does a 27 trit block cipher chained with a 36 trit
block cipher produce some improvement, of course. It would be more
unlikely that a simpler algorithm than having both of them could be found
than if two different 64-bit block ciphers, or two 27-trit block ciphers
were chained, for example.
I mention bits and trits since they define the information unit used,
fundamental to the understanding of any block cipher. You could also do
something at digit or a higher level, a true character level. If you
could combine manipulations of more than one size information unit in an
efficient manner that fit fairly well, that would also work. Goodness of
fit of information units with exclusiveness of methods of manipulation in
the individual algorithms is a part of a composite evaluation of useful
chainability of algorithms.
--
An interesting year is ahead of us, enjoy.
------------------------------
From: "Ryan Phillips" <[EMAIL PROTECTED]>
Subject: Crypto++ Library port
Date: Sat, 2 Jan 1999 12:51:41 -0800
Has anyone successfully ported the Crypto++ library to Borland C++ 5.x or
Borland Builder 3. Any help would be appreciated, I have not been
successful.
Thanks in advance,
Ryan
------------------------------
From: Mr. Tines <[EMAIL PROTECTED]>
Subject: Re: DES programming
Date: 02 Jan 1999 19:59 +0000
On Sat, 02 Jan 1999 18:41:11 +0100, in <[EMAIL PROTECTED]>
Henrik Bäärnhielm <[EMAIL PROTECTED]>
wrote.....
> I have thought about coding my own DES implementation, but I quickly got
> the problem of how to represent 64-bit integers. I am using C, and maybe
> C++. Is there a common way to do this? What have other people done?
Apart from Biham's ingenious bit-slicing sideways on sort
of DES, all the implementations that I have seen use 32-bit
integers to represent each half of the block. Since the
Feistel network that is the core of the cypher swaps the
two halves of the block back and forth this is generally
more conveniently achieved if the halves are distinct entities.
However, many 'C' compilers these days offer a long long int
type of 64 bits (even if it reduces to 32-bit trickery in
the machine code); Borland C++ and Visual C++ both offer an
64 bit integer type, as does Java (the other main member of
the 'C' family). Otherwise you could write a restricted
multiple-precision arithmetic library (or an Int64 class
in C++).
-- PGPfingerprint: BC01 5527 B493 7C9B 3C54 D1B7 248C 08BC --
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Common Modulus Attack on RSA
Date: 2 Jan 99 21:18:51 GMT
In sci.crypt Max <[EMAIL PROTECTED]> wrote:
> Ian Goldberg wrote in message <760dc2$o43$[EMAIL PROTECTED]>...
> > o Calculate d such that de = 1 mod phi(n) [Here's where knowing the
> > factorization of n is used; phi(n)=(p-1)(q-1) if n=pq; but note that
> > all we _really_ need is phi(n).]; i.e. de-1 = k*phi(n) for some k.
> >
> >Well, you know _your_ d and e, so you can calculate de-1 = k*phi(n), and
> >learn k*phi(n) (but you don't yet know what k is).
> OK, but what if all the user knows is n (the modulus), not phi(n) [which is
> (p-1)(q-1)]? What I'm really wondering is how someone factors n, given only
> an e,d pair and the modulus n.
ed-1 need not be a multiple of phi(n). Only Lambda(n)=LCM(p-1,q-1) (Least
Common Multiple, not the product).
(this works for general n, not just pq, as long as first you check that n
is not a power of a prime: all you need is some multiple of lambda(n),
whether it is ed-1 or something else)
Consider ed-1=A. x^A=1 mod n for all x (rel prime to n).
Write A=E*O (E=even part=2^j: O=odd -- no zeros below: O is used for the
ODD part, it is not a 0=zero).
Pick an x. If x is not rel. prime to n, then GCD(x,n) is a factor of n.
If x is rel. prime to n, let X=x^O (O=odd, not zero). If X=1 or -1 mod n,
pick another x. Successively square X to get X^2=X1, X1^2=X2, etc. After
j steps (E=2^j) you get 1 mod n. You may get 1 before this. Consider the
number (in the list of successive squares) RIGHT BEFORE YOU GET 1! Call
this Y. If Y is 1 or -1 mod n, pick another x.
For over half the values of x, either x will not be rel. prime to n
(GCD(x,n) gives a factor of n) OR you will get Y which is NOT 1 or -1 mod
n.
Now consider: Y^2=1 mod n (since Y is the term in the list of squares
immediately before you get "1"). Or:
(Y-1)(Y+1)=0 mod n (OK... this 0 IS a zero!)
But Y<>+1 mod n (Y-1 is not divisible by n),
and Y<>-1 mod n (Y+1 is not divisible by n).
The upshot is that while (Y-1)(Y+1) is divisible by n, neither factor is
by itself, so Y-1 must be divisible by SOME of the factors of n (and Y+1
by the others).
In particular, GCD(Y-1,n) gives a (non-trivial) proper factor of n.
(this is also, I believe, the algorithm proposed for quantum computers to
factor large numbers ... using reinforcements of quantum states, one finds
many x,A pairs with x^A=1 mod n (maybe A is not a multiple of lambda(n),
just a multiple of the order of x) and gets Y with Y^2=1 mod n ...
frequently (most of the time) this gives a proper, non-trivial factor of n
(GCD(Y-1,n)).
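The procedure above, written out as an added example (not code from the post): given a modulus n and one valid (e, d) pair, it recovers a proper factor of n, which is why two users must never share a modulus. The helper names, the seeded generator and the toy primes are my own choices, not from the thread.

```python
import math
import random

def split_even_odd(a):
    """Write a = 2**j * o with o odd; return (j, o)."""
    j = 0
    while a % 2 == 0:
        a //= 2
        j += 1
    return j, a

def factor_from_ed(n, e, d, seed=1):
    """Return a proper factor of n from a valid RSA pair (e, d) for modulus n.

    Works whenever e*d - 1 is a multiple of lambda(n) = lcm(p-1, q-1), which is
    all a correct key pair guarantees. Assumes n = p*q with distinct odd primes;
    as the post notes, n must not be a prime power for the gcd step to help.
    """
    rng = random.Random(seed)          # seeded only for reproducibility
    a = e * d - 1                       # the multiple A of lambda(n)
    j, o = split_even_odd(a)            # A = 2^j * O, O odd
    while True:
        x = rng.randrange(2, n - 1)
        g = math.gcd(x, n)
        if g != 1:
            return g                    # x already shares a factor with n
        y = pow(x, o, n)                # X = x^O mod n
        if y in (1, n - 1):
            continue                    # useless start, pick another x
        for _ in range(j):
            z = pow(y, 2, n)            # successive squaring
            if z == 1:
                if y == n - 1:
                    break               # Y = -1 mod n, try another x
                # y^2 = 1 but y != +-1 mod n: (y-1)(y+1) = 0 mod n splits n
                return math.gcd(y - 1, n)
            y = z
        # only reached when Y was -1 mod n; loop picks another x

def rsa_keypair_from_primes(p, q, e=65537):
    """Build (n, d) using lambda(n) = lcm(p-1, q-1) rather than phi(n)."""
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    d = pow(e, -1, lam)                 # modular inverse (Python 3.8+)
    return p * q, d

def demo():
    # Constructed toy parameters: 3233 = 61 * 53 with d computed from phi(n)
    f1 = factor_from_ed(3233, 17, 2753)
    # Constructed larger case with d computed from lambda(n) only
    n2, d2 = rsa_keypair_from_primes(1000003, 1000033)
    f2 = factor_from_ed(n2, 65537, d2)
    return f1, f2
```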
------------------------------
From: [EMAIL PROTECTED] (Jim Dunnett)
Subject: Re: History of Cryptanalysis
Date: Sat, 02 Jan 1999 20:52:08 GMT
Reply-To: Jim Dunnett
On Fri, 01 Jan 1999 01:04:38 GMT, [EMAIL PROTECTED]
(John Savard) wrote:
>[EMAIL PROTECTED] (Bruce Schneier) wrote, in part:
>
>>David Kahn, THE CODEBREAKERS.
>
>Yes, that is *the* book, par excellence, for historical information on
>ciphers and cryptanalysis up to World War II.
>
And well after WW-II into the NSA era.
--
Regards, Jim. | A drunk man is more likely to find a
olympus%jimdee.prestel.co.uk | woman attractive. So if all else fails,
dynastic%cwcom.net | get him drunk.
nordland%aol.com | - Dr Patrick McGhee, who coaches women
marula%zdnetmail.com | on successful dating.
Pgp key: wwwkeys.uk.pgp.net:11371
------------------------------
From: Sukumar R Iyer <[EMAIL PROTECTED]>
Subject: Edu sources for an amateur
Date: Sat, 02 Jan 1999 16:35:17 -0500
Reply-To: [EMAIL PROTECTED]
Hello All:
I just stumbled on to this group. I am very interested in cryptography
as a concept. The closest I've got to it is reading the "Puzzle Palace"
and writing some simple hieroglyphic codes for amusement (inspired by
Sherlock Holmes' "The case of the dancing men").
Can you experts out there recommend good sources of info to educate
myself (say from a public library) on cryptography ? I'd like to know
what 56 bit vs 128 bit encryption means, what is PGP, RCA kinda lingo.
Thanks in advance.
--
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (Terry Boon)
Crossposted-To: tor.general,tx.guns
Subject: Re: Strange Code Floating About
Date: Sat, 02 Jan 1999 19:04:13 GMT
On Fri, 01 Jan 1999 10:19:31 +0000, "Mark Terka"
<[EMAIL PROTECTED]> wrote:
>On 2 Jan 99 00:20:36 GMT, [EMAIL PROTECTED] wrote:
>
>>Mark Terka ([EMAIL PROTECTED]) wrote:
>>: I'm enclosing another poster's message. Anybody know what this might
>>: be, or is it just gibberish?
>>
>>It's one of the "Hipcrime" messages, part of an attack on USENET that's
>>been going on for some time, but which has been shifting between different
>>newsgroups. Shades of the "poetry festival" that I encountered on Deja
>>News and mentioned a while back...
>>
>>It is, apparently, just gibberish.
>
>I guess I'm kinda out of the loop, but what is "Hipcrime"????
The "HipCrime Information Centre" gives quite a lot of information
about it at http://extra.newsguy.com/~rchason/ (if the site is still
there).
Best wishes,
Terry Boon
------------------------------
From: [EMAIL PROTECTED] (Larry Kilgallen)
Subject: Securing RSA-signing smart cards (was: PGP Keys on Smartcard)
Reply-To: [EMAIL PROTECTED]
Date: Sat, 2 Jan 1999 22:50:03 GMT
In article <76l4hp$gn9$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Ian Goldberg)
writes:
> See for example http://www.cs.berkeley.edu/~nikitab/projects/auth-agent/
> and http://www.cs.berkeley.edu/~nikitab/projects/auth-agent/paper.ps
> (a project done by one of the students in the Computer Security class I
> co-taught this past Fall: http://www.cs.berkeley.edu/~daw/cs261/),
> as well as the talk I'll be giving at RSA '99, "The Palm III as an
> Authentication Token".
>
> The latter also discusses why you _can't_ use a smartcard to get what you
> want; briefly, if your NT box has a miscreant program, it can just wait
> for you to insert the smartcard and unlock it, and then it can obtain
> a signature on whatever it likes.
Readers on display at RSA 1998 contained keypads for enabling the cards.
If you arrange for the enabling to be for a single signature, the most
any software attack could do would be to "steal" an enabling from the
legitimate software, which would require that the attacking software
also deceive the legitimate software as to whether it has control of
the device. Presuming the legitimate software is able to verify
signatures made by the device, it would be difficult to deceive the
legitimate software regarding hijack of the device. Presumably any
well written legitimate software would alert the user who would alert
the authorities.
Larry Kilgallen
------------------------------
From: "Gavin_Andrews" <[EMAIL PROTECTED]>
Subject: Re: PGP Keys on Smartcard
Date: Sat, 02 Jan 1999 18:49:36 -0500
Thanks to all that replied. I really don't have time to develop
anything myself (as I've got interests elsewhere which take up
110% of my time).
I take the point that a miscreant program could get my signature on things
that I hadn't authorised; but this has to be better than having
access to my private key rings. I haven't yet followed the links
but see the logic.
Also, I understand that RSA implementations are available on smart cards;
the card I had most interest in was CryptoFlex but due to export regs I
can't get one of those; I believe GemPlus over in EuroLand (I'm in the UK)
has a crypto card which may do the job.
Finally, thanks for the suggestion of the Java Key Ring (again I haven't
yet followed the links; it's still vacation time) I'm not sure if Java Ring
has RSA capabilities. I guess I would like 512 bit keys to give me
confidence that my keys were strong enough to resist all those without good
factoring algorithms ;-)
I like the idea that with all this high tech; it's going to come back to
a signet ring into which I can imprint my signature into the hot wax of RSA
crypto.
Happy New Year,
Regards,
Gavin
------------------------------
From: [EMAIL PROTECTED] (Paul L. Allen)
Subject: Re: Q: Key length: how is optimal length determined?
Date: Sat, 2 Jan 1999 20:21:24 +0000
Reply-To: [EMAIL PROTECTED]
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED] (Roy G. Biv) writes:
> Or, in general, with a program like PGP why doesn't encryption
> strength increase linearly with respect to keylength?
Meaningless question. PGP uses a public-key cipher and a secret-key
cipher. Early versions of PGP had just one of each type, later versions
offer several choices for each.
As to attacks. One form of attack that can be used on secret and public
key ciphers is brute force - trying every possible key. Each bit you
add to the key length doubles the number of keys that have to be tried
so it's not linear. Past a certain length, brute force becomes impossible
for physical reasons - not enough matter in the universe to turn into
enough computers that can try every possible key within the lifetime of
the universe. People estimate that 256-bit keys would require using
the entire mass of the Sun to power the most efficient computer conceivable
(each internal logic gate consumes the minimum possible quantum of energy
to perform a logic operation) to crack a single 256-bit key by brute
force.
But that's not the only form of attack - it's usually the last resort.
Some secret key systems have susceptibilities to certain forms of attack
which can be compensated for by increasing the key length until the
attack becomes computationally infeasible (as for the brute force, above).
Those attacks may not scale linearly with key length.
Public key systems that rely on factoring (RSA) are susceptible to
factoring algorithms which perform *very* much better than brute force.
One estimate was that you'd need a 3000-bit RSA key for it to be as safe
from factoring attacks as a 128-bit IDEA key is from brute-force attacks
(but people keep coming up with better factoring algorithms, so that's
probably changed). Last thing I have saved (a couple of years ago)
suggested that you needed to add 30 bits to an RSA key to make it ten
times harder to factor. That's not linear, either.
Some people believe, although many do not find their arguments convincing,
that increasing the key length to ridiculous sizes (a million bits) is
a great way of ensuring that the cipher will be strong against any sort
of attack anybody can come up with. Most others counter that a very bad
algorithm could be incredibly weak to certain forms of attack no matter
how long the key size - a long key is no good if your algorithm pisses
it away uselessly.
--Paul
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Session key establishment protocol with symmetric ciphers
Date: 2 Jan 99 23:58:03 GMT
Lyal Collins ([EMAIL PROTECTED]) wrote:
: Be careful how you do this, as a number of patents cover this general idea
: in various ways.
It's true that there is a patent covering the use of a symmetric key to
encrypt a public-key protocol (EKE, et cetera), but the use of a
key-exchange key for symmetric ciphers...isn't that 'as old as the hills'?
For prior art, there is the Grundstellung used with the Enigma to transmit
initial rotor positions ... there were some patents filed by IBM back in
the seventies connected with their DES and LUCIFER products, but these
would have expired by now.
John Savard
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Session key establishment protocol with symmetric ciphers
Date: 2 Jan 99 23:54:28 GMT
Shawn Willden ([EMAIL PROTECTED]) wrote:
: "Michael A. Greenly" wrote:
: > This protocol is vulnerable to a man in the middle attack.
: I think you're wrong.
I presume it's Mr. Willden who wrote:
: > >Suppose Alice and Bob share a secret key K and wish to
: > >establish a session key to be used for encrypting
: > >messages.. Alice generates a random R_A and Bob generates a
: > >random R_B. Alice sends R_A to Bob and Bob sends R_B to
: > >Alice, then both compute:
: > >
: > > K_S = E( F(R_A, R_B), K)
: > >
: > >to get the session key K_S.
You're right; the man in the middle doesn't know the shared secret key K,
so a man-in-the-middle attack is not possible.
Usually, though, K is called a key-encrypting-key, and a protocol of this
nature is not used because it is far more straightforward to have K_S
equal to either E(R_A,K) or E(R_B,K), depending on whether it is A or B
sending the message.
This protocol is not insecure. Some people might have a problem with
dignifying it by the name 'protocol', but you haven't made an error here.
John Savard
------------------------------
From: [EMAIL PROTECTED] (Roy G. Biv)
Subject: Re: Q: Key length: how is optimal length determined?
Date: Sun, 03 Jan 1999 00:49:16 GMT
On Sat, 02 Jan 1999 13:08:35 -0600, [EMAIL PROTECTED] (wtshaw) wrote:
snip!
What motivated my question is PZ's admonition concerning really large
keys which I have seen quoted in various places, CK-T in
particular. He mentions only the "work factor" involved in breaking
the crypto system under discussion (in this case it's PGP, of course)
as a frame of reference. So in PZ's terms I can recast my question as:
Why doesn't the work factor increase linearly with key length? I
gather from PZ's remarks that this *would* be the case if the hash
expanded to accommodate the larger key. However, apparently this is
not the case generally. So this prompts another question: Do any of
the AES candidates use an expanding hash function? Anyone...?
------------------------------
End of Cryptography-Digest Digest