Cryptography-Digest Digest #203, Volume #9 Mon, 8 Mar 99 18:13:06 EST
Contents:
Re: DIE HARD and Crypto Grade RNGs. (R. Knauer)
Re: DIE HARD and Crypto Grade RNGs. (R. Knauer)
Re: Scramdisk - Possible Virus ([EMAIL PROTECTED])
Re: DIE HARD and Crypto Grade RNGs. (Jim Gillogly)
Re: Looking for encryption algorithm (John Savard)
Symmetric vs. public/private (Billy Cole)
Re: Limitations of testing / filtering hardware RNG's ("Trevor Jackson, III")
Re: Limitations of testing / filtering hardware RNG's ("Trevor Jackson, III")
Re: Limitations of testing / filtering hardware RNG's ("Trevor Jackson, III")
Re: DIE HARD and Crypto Grade RNGs. ("Trevor Jackson, III")
Re: RC5 and RC6 code (free code) + update ([EMAIL PROTECTED])
Re: Limitations of testing / filtering hardware RNG's ("Trevor Jackson, III")
Re: Limitations of testing / filtering hardware RNG's (R. Knauer)
Re: Limitations of testing / filtering hardware RNG's (R. Knauer)
Re: DIE HARD and Crypto Grade RNGs. (R. Knauer)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: DIE HARD and Crypto Grade RNGs.
Date: Mon, 08 Mar 1999 20:14:13 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 08 Mar 1999 12:05:39 -0800, Jim Gillogly <[EMAIL PROTECTED]> wrote:
>No. Passing statistical tests is necessary but not sufficient for a
>crypto-grade PRNG. DIEHARD can give a quick heads-up on correlations
>that might not be immediately apparent. It cannot be used to demonstrate
>that a cipher is strong.
Champernowne's number and the digit expansion of pi both pass
statistical tests for randomness. Yet the processes that generate them
have zero entropy.
Bob Knauer
"Luckily for all, the State is only people. And, generally, the least
competent of people. They are the ones who cannot innovate, only steal.
They cannot reason, only kill. They are brutes who see the greatest
efforts of mankind as loot to seize and control."
--The Kings of the High Frontier
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: DIE HARD and Crypto Grade RNGs.
Date: Mon, 08 Mar 1999 20:11:20 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 08 Mar 1999 19:36:52 GMT, [EMAIL PROTECTED] wrote:
>Is it reasonable to say that DIEHARD package is not meant to test
>cryptographic security of the bit patterns, but statistical independence of
>the numeric values generated by RNGs.
>Does that mean a crypto-grade RNG should not be tested using statistical
>tests ?
Statistical testing of the output of a TRNG is at best diagnostic,
alerting you to a possible problem that must be analyzed by auditing
the TRNG itself and running internal diagnostics.
You must treat the TRNG as a piece of scientific equipment and prove
it up the way experimentalists prove up their equipment. Using
statistical tests to prove up a TRNG is like running experiments to
prove a theory and then using that very theory to prove up the
equipment. IOW, it is circular reasoning:
circular: involving reasoning that uses in the argument or proof a
conclusion to be proved or one of its unproved consequences.
Bob Knauer
"Luckily for all, the State is only people. And, generally, the least
competent of people. They are the ones who cannot innovate, only steal.
They cannot reason, only kill. They are brutes who see the greatest
efforts of mankind as loot to seize and control."
--The Kings of the High Frontier
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Scramdisk - Possible Virus
Date: Mon, 08 Mar 1999 21:07:24 GMT
What virus? What virus detection sw?
This *must* be a false detection - McAfee & Dr Solomon's (with newest pattern
files) have turned up negative. Even so, this report is of concern.
Please supply more information (download site etc).
Regards,
Sam Simpson
Comms Analyst
-- http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
Delphi Crypto Components. PGP Keys available at the same site.
In article <[EMAIL PROTECTED]>,
Paul Roskos <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I just downloaded the program from the Scramdisk web site, and
> our corporate anti-virus program detected a virus.
>
> Can anyone point me to an alternate site where the program can be
> downloaded?
>
> Thanks for any help.
>
> Paul
>
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: DIE HARD and Crypto Grade RNGs.
Date: Mon, 08 Mar 1999 13:23:45 -0800
R. Knauer wrote:
> On Mon, 08 Mar 1999 12:05:39 -0800, Jim Gillogly <[EMAIL PROTECTED]> wrote:
> >No. Passing statistical tests is necessary but not sufficient for a
> >crypto-grade PRNG. DIEHARD can give a quick heads-up on correlations
> >that might not be immediately apparent. It cannot be used to demonstrate
> >that a cipher is strong.
>
> Champernowne's number and the digit expansion of pi both pass
> statistical tests for randomness. Yet the processes that generate them
> have zero entropy.
That's the "not sufficient" part that I alluded to above.
--
Jim Gillogly
Highday, 16 Rethe S.R. 1999, 21:21
12.19.6.0.1, 9 Imix 14 Kayab, First Lord of Night
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Looking for encryption algorithm
Date: Mon, 08 Mar 1999 20:59:04 GMT
[EMAIL PROTECTED] (kufan) wrote, in part:
> Does anyone know any kind of encryption algorithm that
>using 2 or more keys to encrypt and using 1 key to decrypt,
>and the encryption speed will be as fast as symmetric
>encrypt algorithm?
It isn't clear exactly what you are looking for.
Do you mean this:
an algorithm, such that the authorized decryptor can decrypt messages with
his key,
which are enciphered in two or more different encrypting keys
such that a person knowing one of those encrypting keys cannot derive the
other encrypting keys, or easily test two encrypting keys for equivalence?
Or do you mean something a bit less difficult and complicated?
John Savard (teneerf is spelled backwards)
http://members.xoom.com/quadibloc/index.html
------------------------------
From: Billy Cole <[EMAIL PROTECTED]>
Subject: Symmetric vs. public/private
Date: Mon, 08 Mar 1999 14:34:19 -0800
I currently have the need to incorporate encryption
into an application. I've been doing a lot of reading
and still can't come up with an answer as to whether
to use the public/private key method or a symmetric
approach. Assuming I have no requirement to conform
to the public/private key method, what will I gain/lose
using that approach? The symmetric approach looks good
because of speed, licensing issues, and I like the fact
that I don't have to have a key server in the middle of
all of this. On the other hand there are key distribution
issues with the symmetric approach which become awkward
because I have a requirement that more than 2 people
could be sharing a key. I would really appreciate some
"real world" input on this. I would also appreciate any
pointers to papers that discuss the pros and cons.
Thanks for any input.
Billy
------------------------------
Date: Mon, 08 Mar 1999 17:40:03 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Limitations of testing / filtering hardware RNG's
R. Knauer wrote:
> On 8 Mar 1999 16:42:39 GMT, [EMAIL PROTECTED] (Mark Currie) wrote:
>
> >When a hardware RNG is used for generating keys in a security system, the
> >output should be tested
>
> Tests in general are worthless. At best they are misleading, at worst
> they give false confidence. In order to gain confidence that the TRNG
> is performing correctly, you must do a full design audit and provide
> diagnostics for each subsystem.
Wrong.
> >and perhaps, even (dare I say it) filtered.
>
> Any filtering will cause the output to be ruined.
Wrong.
> >At a bare
> >minimum the output should be tested for the "stuck at 1" or "stuck at 0"
> >condition.
>
> Yes, but you treat that as a diagnostic condition, and shut the TRNG
> down. If it is performing properly you turn it back on and proceed to
> generate more numbers.
>
> A uniform Bernoulli process is guaranteed to generate long runs of all
> one digit, so the appearance of such runs is not necessarily a bad
> thing. If the cryptanalyst knows you are deliberately filtering such
> runs out, you have given him information about the keystream.
So what? Until you quantify the leak you haven't said anything useful.
> >However, when higher level statistical tests are applied to
> >the output, and values are accepted or rejected based on the outcome of these
> >tests, then the range of usable values may be severely limited. If the testing
> >is too stringent, the limited range of usable values may allow an exhaustive
> >key search on this range to be feasible.
>
> You have hit precisely on the problem of using statistical tests on
> the output. First, they do not tell you anything definitive, and
> secondly if you act on them you will ruin the randomness of the
> output.
Wrong.
> >Ideally the RNG output should be left alone, assuming that it is a good random
> >source. However, for reliability reasons some sort of testing / filtering /
> >failure reporting may be necessary where high security is required.
>
> Yes, the output of the TRNG must be left alone, or shut down if there
> is a reason to suspect that it is broken.
>
> The only way to know that the TRNG is reliable is to treat it as a
> piece of scientific equipment and test all of the subsystems
> thoroughly.
Wrong.
> >Given the amount of discussion on RNG's in this group, this may have been
> >covered before. Any comments ?
>
> There have been over 1,000 posts to sci.crypt in the past year or so
> on the subject of true random number generation, and I suspect there
> will be another 1,000 in the year to come. Welcome aboard.
>
> Let me leave you with a definition which was distilled from the
> prevailing consensus from those discussions:
>
> A True Random Number suitable for use as a crypto-grade keystream is
> one produced by a process (a TRNG) which is capable of generating all
> possible finite numbers equiprobably, namely in an independent and
> equidistributed manner.
Your favorite, but not the general consensus.
> Obviously, any filtering of the output destroys some of the entropy
> inherent in that process. But nothing is wrong with shutting the TRNG
> to run routine diagnostics when an alarm is sounded that something is
> likely wrong, like a shorted or floating output.
>
> Bob Knauer
>
> "Luckily for all, the State is only people. And, generally, the least
> competent of people. They are the ones who cannot innovate, only steal.
> They cannot reason, only kill. They are brutes who see the greatest
> efforts of mankind as loot to seize and control."
> --The Kings of the High Frontier
------------------------------
Date: Mon, 08 Mar 1999 17:42:23 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Limitations of testing / filtering hardware RNG's
Douglas A. Gwyn wrote:
> Mark Currie wrote:
> > Ideally the RNG output should be left alone, assuming that it is a good random
> > source. However, for reliability reasons some sort of testing / filtering /
> > failure reporting may be necessary where high security is required.
>
> The question is, which is more likely: that the generator has broken,
> or that it is working properly but has generated a statistical fluke?
Exactly right. Both of these possibilities can be measured and assigned
concrete probabilities. A rational operator will act on the higher
of the two probabilities. A dogmatic operator will do something silly
for an irrelevant reason.
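Gwyn's question and Jackson's answer can be made concrete for the "stuck at 0/1" check Currie raised. The following is an added example, not code from any poster in this digest: it computes the exact probability that a healthy, unbiased generator produces a run of k or more identical bits within a block of n bits, uses that to pick an alarm run length with a known false-alarm rate, and then applies Bayes' rule to weigh "the generator broke" against "a healthy generator produced a fluke". The per-block failure prior and the assumption that a broken generator always shows such a run are constructed figures, not values from the thread.

```python
"""Added example (not from the digest): set a long-run alarm with a known
false-alarm rate, then compare "generator broke" against "healthy fluke"."""


def prob_run_at_least(n_bits: int, k: int, p_one: float = 0.5) -> float:
    """Exact probability that n_bits independent bits with P(1) = p_one contain
    a run of k or more identical bits. Dynamic programme over the state
    (value of the current run, its length while it is still below k)."""
    if k < 2:
        return 1.0 if n_bits >= 1 else 0.0
    if n_bits < k:
        return 0.0
    # dist[(bit, length)] = probability of that state with no run >= k so far
    dist = {(1, 1): p_one, (0, 1): 1.0 - p_one}
    for _ in range(n_bits - 1):
        nxt = {}
        for (bit, length), pr in dist.items():
            stay = p_one if bit == 1 else 1.0 - p_one
            if length + 1 < k:  # run grows but stays below the alarm length
                key = (bit, length + 1)
                nxt[key] = nxt.get(key, 0.0) + pr * stay
            key = (1 - bit, 1)  # the bit flips and a new run of length 1 starts
            nxt[key] = nxt.get(key, 0.0) + pr * (1.0 - stay)
        dist = nxt
    # whatever probability mass is left never reached a run of length k
    return 1.0 - sum(dist.values())


def expected_runs_approx(n_bits: int, k: int) -> float:
    """Rule of thumb for a fair source: roughly n * 2^-k maximal runs of length >= k
    (the previous bit differs, then k-1 further bits repeat the current one)."""
    return n_bits / 2.0 ** k


def alarm_threshold(n_bits: int, false_alarm_rate: float) -> int:
    """Smallest run length k at which a healthy fair source trips the alarm with
    probability at most false_alarm_rate over one block of n_bits."""
    k = 2
    while prob_run_at_least(n_bits, k) > false_alarm_rate:
        k += 1
    return k


def posterior_broken(n_bits: int, k: int, prior_broken: float,
                     p_run_if_broken: float = 1.0) -> float:
    """Bayes' rule for Gwyn's question: P(generator broken | run >= k observed).
    prior_broken is an assumed per-block hardware failure rate (constructed);
    p_run_if_broken assumes a broken (stuck) generator always shows such a run."""
    like_healthy = prob_run_at_least(n_bits, k)
    broken = prior_broken * p_run_if_broken
    return broken / (broken + (1.0 - prior_broken) * like_healthy)


if __name__ == "__main__":
    block = 4096  # bits per monitored block (constructed figure)
    k_alarm = alarm_threshold(block, 1e-6)
    print(f"{block}-bit block: alarm on runs >= {k_alarm} "
          f"(false alarm {prob_run_at_least(block, k_alarm):.2e} per block, "
          f"approx {expected_runs_approx(block, k_alarm):.2e} expected runs)")
    for k in (8, 16, 24, 32):
        print(f"run >= {k:2d}: P(healthy source shows it) = "
              f"{prob_run_at_least(block, k):.3e}  "
              f"P(broken | run) = {posterior_broken(block, k, 1e-4):.4f}")
```

The point of the posterior is Jackson's "act on the higher of the two probabilities": for short runs the healthy-fluke explanation dominates and shutting the generator down would be the dogmatic reaction, while for runs far beyond the alarm threshold the failure explanation dominates even with a small failure prior. Note that shutting down to run diagnostics, as opposed to silently discarding the run, costs no keystream entropy, which is what separates a diagnostic alarm from output filtering.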
------------------------------
Date: Mon, 08 Mar 1999 17:44:06 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Limitations of testing / filtering hardware RNG's
R. Knauer wrote:
> On Mon, 08 Mar 1999 13:31:48 -0600, Medical Electronics Lab
> <[EMAIL PROTECTED]> wrote:
>
> >The testing before it's used will tell you if it needs filtering.
> >If it does, then monitor the output of the filter, both rate and
> >"stuck at 0/1" conditions. If the data rate falls or rises past some
> >limit, you can flag it as a problem and shut the RNG down.
>
> >Long range testing can't hurt, but it will all be after the fact.
> >If an RNG begins to give bad stats, and then they get slowly worse,
> >you can stop using the output. But you'll have already used some
> >10 to 100 Megabytes it took you to figure out that the stats were
> >changing. For high data rates that's probably ok, for high
> >security and low data rates it may not be.
>
> Also make sure that you don't have a Snake Oil Generator, since a SOG
> will also pass those tests.
>
> Statistical testing of the output of a TRNG is worthless- it's like
> running an experiment to confirm a theory and then using that theory
> to prove that the experiments are correct.
Repeating this statement does not make it true. Please cease.
> Statistical testing of the output is the most notorious form of Snake
> Oil in crypto, and it won't go away no matter how many times people
> try to kill it off. It is based on the notion of "apparent" randomness
> - IOW, it is a specification for a Snake Oil Generator.
>
> The best you can use statistical testing for is a diagnostic alarm. If
> you rely on statistical testing of the output to verify that a TRNG is
> truly random, you are deceiving yourself.
>
> The other day I asked on another thread what is the entropy of
> Champernowne's number, and a couple of astute readers caught on and
> pointed out that a given number has no entropy - or if it does it has
> zero entropy by virtue of the process that creates it. IOW, since
> Champernowne's number is a fixed number, the entropy of the process
> that creates it must be zero.
>
> That ought to tell you that testing the output of a TRNG for apparent
> randomness is futile.
>
> Bob Knauer
>
> "Luckily for all, the State is only people. And, generally, the least
> competent of people. They are the ones who cannot innovate, only steal.
> They cannot reason, only kill. They are brutes who see the greatest
> efforts of mankind as loot to seize and control."
> --The Kings of the High Frontier
------------------------------
Date: Mon, 08 Mar 1999 17:57:03 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: DIE HARD and Crypto Grade RNGs.
[EMAIL PROTECTED] wrote:
> Hello All,
>
> Is it reasonable to say that DIEHARD package is not meant to test
> cryptographic security of the bit patterns, but statistical independence of
> the numeric values generated by RNGs.
Yes.
> Does that mean a crypto-grade RNG should not be tested using statistical
> tests?
No.
It means you have to interpret the results of the tests carefully.
If the result is PASS you know something about the statistical independence
of the sample analyzed. You may infer that result applies to the
output of the generator if the sample analyzed is adequately representative
of the output of the generator. At that point you do not know that
the generator is good enough for crypto, because there may be other problems
with it.
If the result is FAIL you know something bad about the sample analyzed.
If it is representative of the generator output then you can conclude that
the generator is NOT suitable for crypto.
Passing statistical tests is necessary, but not sufficient to conclude
that a generator is a good cryptographic source.
Thus statistical tests are one way of weeding out unsuitable generators.
When you have applied all the correct criteria, stat tests being only one,
the remaining generators are indistinguishable from cryptographic quality.
> Sachin.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: RC5 and RC6 code (free code) + update
Date: Mon, 08 Mar 1999 22:48:15 GMT
> I don't speak for RSA Labs, but this isn't correct. RC5 is patented
> and I think they assert some of the RC5 claims cover RC6 as well.
> RC6 will be available free for all purposes if and only if it is
> chosen as the AES winner.
But I have seen non-profit programs use RC5 and RC6 without special agreement?
Is it ok for non-profit or do you still need a license?
On another note, I updated the code. You can have variable size words. I
tested 16 and 32 only, but I imagine changing to 64 wouldn't be a problem. So
for the RC5 code you can have inputs of 32/64/128 bits (16/32/64 bit words),
and for RC6 you can have inputs of 64/128/256 bits (16/32/64 bit words).
They are at:
http://members.tripod.com/~tomstdenis/rc5.c
http://members.tripod.com/~tomstdenis/rc6.c
Tom
------------------------------
Date: Mon, 08 Mar 1999 17:37:29 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Limitations of testing / filtering hardware RNG's
Mark Currie wrote:
> Hi there,
>
> When a hardware RNG is used for generating keys in a security system, the
> output should be tested and perhaps, even (dare I say it) filtered. At a bare
> minimum the output should be tested for the "stuck at 1" or "stuck at 0"
> condition. However, when higher level statistical tests are applied to
> the output, and values are accepted or rejected based on the outcome of these
> tests, then the range of usable values may be severely limited. If the testing
> is too stringent, the limited range of usable values may allow an exhaustive
> key search on this range to be feasible.
If the testing rejects half of the values it has cost you one bit of security.
If the testing rejects 99 out of 100 values it has cost you (almost) 7
bits.
I suspect even the most paranoid of practical tests will cost no more
than 2 bits.
> Ideally the RNG output should be left alone, assuming that it is a good random
> source. However, for reliability reasons some sort of testing / filtering /
> failure reporting may be necessary where high security is required.
>
> Given the amount of discussion on RNG's in this group, this may have been
> covered before. Any comments ?
>
> Mark Currie
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Limitations of testing / filtering hardware RNG's
Date: Mon, 08 Mar 1999 23:03:30 GMT
Reply-To: [EMAIL PROTECTED]
On 8 Mar 1999 20:20:02 GMT, [EMAIL PROTECTED] (Mark Currie) wrote:
>One way to limit the damage in this situation would be to always hash the
>output with a PRNG.
I have asked people who want to use hash functions to fix errors in
TRNGs to demonstrate that they do not cause unwanted correlations to
become manifest. Thus far I have not gotten an answer, which makes me
a bit suspicious that hash functions *might* actually do more harm
than good.
Again we are talking about the security of the OTP cryptosystem, and
how to generate crypto-grade keystreams for it. And until that issue
is cleared up, it is ill advised to use a hash to clean up the output
of a TRNG.
Bob Knauer
"Luckily for all, the State is only people. And, generally, the least
competent of people. They are the ones who cannot innovate, only steal.
They cannot reason, only kill. They are brutes who see the greatest
efforts of mankind as loot to seize and control."
--The Kings of the High Frontier
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Limitations of testing / filtering hardware RNG's
Date: Mon, 08 Mar 1999 23:05:02 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 08 Mar 1999 17:42:23 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
NB: I cannot read this HTML easily so I am unable to comment. Can you
post in ordinary text so we can read it.
Thanks,
Bob Knauer
=====
><HTML>
>Douglas A. Gwyn wrote:
><BLOCKQUOTE TYPE=CITE>Mark Currie wrote:
><BR>> Ideally the RNG output should be left alone, assuming that it is
>a good random
><BR>> source. However, for reliability reasons some sort of testing / filtering
>/
><BR>> failure reporting may be necessary where high security is required.
>
><P>The question is, which is more likely: that the generator has broken,
><BR>or that it is working properly but has generated a statistical fluke?</BLOCKQUOTE>
>Exactly right. Both of these possibilities can be measured and assigned
>concrete probabilities. A rational operator will act on the higher
>of the two probabilities. A dogmatic operator will do something silly
>for an irrelevant reason.
><BR> </HTML>
>
"Luckily for all, the State is only people. And, generally, the least
competent of people. They are the ones who cannot innovate, only steal.
They cannot reason, only kill. They are brutes who see the greatest
efforts of mankind as loot to seize and control."
--The Kings of the High Frontier
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: DIE HARD and Crypto Grade RNGs.
Date: Mon, 08 Mar 1999 23:06:59 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 08 Mar 1999 14:21:34 -0800, Jim Gillogly <[EMAIL PROTECTED]> wrote:
>I just did a quick check on Champernowne's number, and it fails an
>obvious statistical test: it compresses nicely. If you'd like to
>check my implementation, here are the first few bytes:
>
> 6e 5d e2 6a f3 7b e1 19 4e 95 b5 f1 9d 6f 9d f7
You must use base 10. That is the only base that Champernowne's number
is known to be normal in the Borel sense.
Bob Knauer
"Luckily for all, the State is only people. And, generally, the least
competent of people. They are the ones who cannot innovate, only steal.
They cannot reason, only kill. They are brutes who see the greatest
efforts of mankind as loot to seize and control."
--The Kings of the High Frontier
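Two threads in this digest make the same point from opposite ends: Jackson's reading of DIEHARD results (PASS tells you about the sample, not about the generator's fitness for crypto; FAIL on a representative sample rules the generator out) and the Knauer/Gillogly exchange about Champernowne's number (a fixed, zero-entropy sequence that output tests alone cannot distinguish from a good source). The following added example, which is not code from any poster, runs three constructed sources through the same two output tests, the NIST SP 800-22 frequency (monobit) test and a byte-frequency chi-square, plus Gillogly's compressibility check. A fixed permutation of 0..255 repeated passes both frequency tests with a perfect score and has no entropy at all; SHA-256 of a public counter passes frequency tests and is incompressible, yet anyone who knows the process reproduces it exactly; a heavily biased source fails outright. The chi-square critical value used is the 0.99 quantile for 255 degrees of freedom; the sources and sample sizes are constructed for the demonstration.

```python
"""Added example (not from the digest): what output statistics can and cannot
tell you about a generator's entropy."""
import hashlib
import math
import zlib

ALPHA = 0.01                  # significance level for the frequency tests
CHI2_CRIT_DF255_P01 = 310.46  # chi-square 0.99 quantile, 255 degrees of freedom


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test: p = erfc(|S_n| / sqrt(2n)),
    where S_n is the count of ones minus the count of zeros."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_n = 2 * ones - n
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def byte_chi_square(data: bytes) -> float:
    """Chi-square statistic of the 256 byte-value counts against a flat distribution."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def compression_ratio(data: bytes) -> float:
    """Gillogly's check: compressed size over raw size (near 1.0 = incompressible)."""
    return len(zlib.compress(data, 9)) / len(data)


def permuted_counter_source(n: int) -> bytes:
    """Zero-entropy source (constructed): a fixed bijection of 0..255 repeated.
    Every 256-byte block holds each byte value once, so byte and bit frequencies
    are perfectly flat and frequency tests pass with p = 1."""
    table = bytes((i * 167 + 89) % 256 for i in range(256))  # 167 is odd, so a bijection
    return (table * (n // 256 + 1))[:n]


def hash_counter_source(n: int, counter_start: int = 0) -> bytes:
    """Zero-entropy source (constructed): SHA-256 over a public counter. Statistically
    clean and incompressible, but fully reproducible by anyone who knows the process."""
    out = bytearray()
    counter = counter_start
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def biased_source(n: int) -> bytes:
    """Stand-in for a faulty generator (constructed): 60% of bytes are 0xFF, rest 0x00."""
    return bytes(0xFF if i % 10 < 6 else 0x00 for i in range(n))


def evaluate(data: bytes) -> dict:
    """Run the frequency tests and the compression check on one sample.
    frequency_pass is Jackson's PASS/FAIL on the sample; it says nothing about
    the entropy of the process that produced the sample."""
    p = monobit_p_value(data)
    chi = byte_chi_square(data)
    return {
        "monobit_p": p,
        "chi_square": chi,
        "compression_ratio": compression_ratio(data),
        "frequency_pass": p >= ALPHA and chi <= CHI2_CRIT_DF255_P01,
    }


if __name__ == "__main__":
    n = 65536
    for name, src in (("fixed permutation", permuted_counter_source),
                      ("sha256(counter)", hash_counter_source),
                      ("biased 60/40", biased_source)):
        r = evaluate(src(n))
        print(f"{name:18s} monobit p={r['monobit_p']:.3f} chi2={r['chi_square']:8.1f} "
              f"compress={r['compression_ratio']:.3f} "
              f"{'PASS' if r['frequency_pass'] else 'FAIL'}")
```

The biased source is the case where FAIL on a representative sample settles the matter. The repeated permutation is the case the compression check does catch, which is Gillogly's argument. The hashed counter is the case neither check catches: it passes the frequency tests, does not compress, and is still worthless as a keystream because the process has no secret input, which is the point Knauer makes about a fixed number having zero entropy and the reason Jackson lists statistical tests as only one of several criteria.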
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************