Cryptography-Digest Digest #231, Volume #9       Sun, 14 Mar 99 01:13:02 EST

Contents:
  Scramdisk Crash on Win 98 .. Suggestions ? (Gary Cowell (QI'HoS))
  New Science Mailing List (Paul Fisher)
  Re: SHA algorithm (Jim Gillogly)
  Clipper chip and laws ([EMAIL PROTECTED])
  Re: Clipper chip and laws ("Steve Sampson")
  Re: ElGamal vs RSA ([EMAIL PROTECTED])
  Re: ElGamal vs RSA ([EMAIL PROTECTED])
  Re: el-gamal as permutation for OAEP? (David A Molnar)
  Chicken egg problem? ("Jonas Thörnvall")
  Re: Certicom Benchmark (Francis Tan)
  Network Associates - Can we trust their products?
  Total  beginner ("Jonas Thörnvall")
  Hard problems? (Doggmatic)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Gary Cowell (QI'HoS))
Subject: Scramdisk Crash on Win 98 .. Suggestions ?
Date: Sat, 13 Mar 1999 22:56:45 GMT
Reply-To: [EMAIL PROTECTED]

I have a 649MB Scramdisk file encoded with 3DES which is burned on a
CD-R.

If I mount this file directly from the CD-R and try to access files
randomly from it, Windows 98 will hang. Sometimes after one or two
files have been loaded, sometimes more, but it will always eventually
crash. This is the 'Power Switch' type of crash too.  These crashes
did not happen when I still had Windows 95.

If I just mount the disk, I can XCOPY the files out of it (ie. xcopy
s:\*.* d:\somepath /s )  and this will work but it is not an ideal
solution to have to decrypt all that data just to ensure my system
does not hang when accessing files... Not to mention the freespace
wipes I have to do on the hard disk after I'm finished.

This computer is an Intel P-II 333 with 160MB of RAM.  

Is it perhaps some kind of timeout problem in a device driver due to
the slowness of 3DES decryption when reading randomly from the CD ?

Any ideas on how I can fix this would be appreciated thanks.

G

------------------------------

From: Paul Fisher <[EMAIL PROTECTED]>
Subject: New Science Mailing List
Date: Sat, 13 Mar 1999 22:02:40 +0000
Reply-To: [EMAIL PROTECTED]


Hello,
        I am pleased to announce the creation of a brand new mailing
list called 'sciencelinks'. It is a service where scientists, news
organisations and anyone with an interest in science can get the latest
information - via web site links - on research, news and homepages
pertaining to the scientific establishment.
        Messages are delivered straight to your mailbox, from the host
server OneList.com.
        Please note, however, 'sciencelinks' is NOT a discussion list.
It is a collection of hyperlinks and URLs to allow you to keep
up-to-date with all areas of scientific study. Anyone who has used a
search engine will know how good they are - but they do not always give
you exactly what you are looking for. It is hoped fellow subscribers can
help each other to find the pages they require.
        Please click on the link below to subscribe to 'sciencelinks'.
We need YOUR input to help it grow.

Thank you.

Paul.





==================================
For the latest links to science-related web sites
visit:  http://www.onelist.com/subscribe/sciencelinks



------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: SHA algorithm
Date: Sat, 13 Mar 1999 14:46:49 -0800

iLLusIOn wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> >Pad out that first block with the initial 1 bit and then 0's all the
> >way to 512 bits, then the next block with 0's to 512-64=448 bits, then
> >add your 64-bit count at the end of the second block.  That's the first
> >point at which you can stop 64 bits short of a multiple of 512.
> 
>  ok thanks. just one last thing I'm unsure about, if the message is
>  exactly 512 bits - I assume that I'd have to add a 2nd block consisting
>  of 1 x bit 1, 447 x bit 0, 64 x message length, am I right? or can I

Exactly right.

>  just leave this 2nd block away if the message is exactly 512 bits?

Never.  You must have the 1 bit, and you must have the 64-bit length,
so you must always hash at least 65 bits more than your data, and a
multiple of 512 bits total.
-- 
        Jim Gillogly
        Hevensday, 21 Rethe S.R. 1999, 22:44
        12.19.6.0.6, 1 Cimi 19 Kayab, Sixth Lord of Night
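The padding rule above, as an added example that is not part of the post: sha_pad() applies it, padded_blocks() shows the exactly-512-bit case turning into two blocks, and a minimal SHA-1 compression (my own, included only so the padding can be checked against hashlib) confirms the result. Inputs are assumed to be whole bytes, so the mandatory 1 bit is the byte 0x80.

```python
# Added example (not from the digest): the SHA padding rule Jim describes,
# plus a minimal SHA-1 compression (mine, for checking only) so the padding
# can be verified against hashlib.  Inputs are whole bytes, so the mandatory
# 1 bit is the byte 0x80.
import hashlib
import struct


def sha_pad(message: bytes) -> bytes:
    """Pad as SHA-1/SHA-256 do: 1 bit, 0 bits to 448 mod 512, 64-bit length."""
    bit_len = len(message) * 8
    padded = message + b"\x80"                            # the 1 bit, never omitted
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)    # zeros to 56 bytes mod 64
    padded += struct.pack(">Q", bit_len)                  # big-endian 64-bit length
    return padded


def padded_blocks(message: bytes) -> int:
    """How many 512-bit blocks the compression function sees."""
    return len(sha_pad(message)) // 64


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1(message: bytes) -> str:
    """SHA-1 (FIPS 180-1) over sha_pad(message); returns the hex digest."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = sha_pad(message)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):
            w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[t]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)


def matches_hashlib(message: bytes) -> bool:
    """True when our padding + compression agrees with the library SHA-1."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    for n in (0, 55, 56, 64):                 # constructed sizes around the boundary
        msg = b"x" * n
        print(f"{n * 8:4d}-bit message -> {padded_blocks(msg)} block(s), "
              f"hashlib agrees: {matches_hashlib(msg)}")
```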

------------------------------

From: [EMAIL PROTECTED]
Subject: Clipper chip and laws
Date: Sun, 14 Mar 1999 01:38:20 GMT

I am young so you have to forgive me but...

What's the deal with the clipper chip?   I read some old press releases on it,
and what I can't figure out is

   If they want to endorse this chip so encryption can be viewed by law
enforcement agencies, what is stopping the criminals from using RC4/5/6, CAST,
IDEA or others with >=64bit keys?

I mean if I were a criminal I wouldn't use a key-escrow system.  I would use a
private (symmetric) with a 64-bit key.  That is just me.

How many cases have there been for illegal export of strong cryptosystems?

Thanks,
Tom

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: "Steve Sampson" <[EMAIL PROTECTED]>
Subject: Re: Clipper chip and laws
Date: Sat, 13 Mar 1999 20:09:52 -0600


>If they want to endorse this chip so encryption can be viewed [decoded]
>by law enforcement agencies, what is stopping the criminals from using
>RC4/5/6, CAST, IDEA or others with >=64bit keys?


It doesn't work that way.  Criminals are no more apt to have
high technology (encryption) than the average person.

It isn't meant to stop anyone.  Most contraband laws are used to raise the
Bail, and make a petty crime into a felony.

>I mean if I were a criminal I wouldn't use a key-escrow system.  I would use a
>private (symmetric) with a 64-bit key.  That is just me.


You've already flunked criminal 101.  You're thinking about communications
technology that is light years beyond what criminals use in 95% of cases.

Codes and Ciphers will become contraband in the U.S.  It isn't a case of "if"
anymore, it is a case of "when."  Just like handguns, cocaine, and weed, we
will have to round them up, take their money, and ruin their lives.

You may have encryption tools in your home and office and no one will be
the wiser; but, when you beat your wife, and they come to the door and find
it on your computer, you will be spending the night; you will be posting bond;
and your boss is going to give you a pink slip.  Felony baby.  Have a nice day...

If you doubt it, who would have thought that people would go to jail for selling
Freon?

>How many cases have there been for illegal export of strong cryptosystems?


You'll have to research that yourself.  No one knows.  Ask the guy who wrote PGP.
He's invested a lot of money into the legal system.

Steve




------------------------------

From: [EMAIL PROTECTED]
Subject: Re: ElGamal vs RSA
Date: Sun, 14 Mar 1999 03:02:44 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>
> > > For a given key size, DH over GF(2^n) is
> > > slight less secure than RSA, but users can compensate for this by
> >
> > No!!!   It is significantly less secure.  DL over GF(2^1024) is almost
> > within reach now.  DL over GF(p) where p is an odd 1024-bit prime is NOT
> > in reach.
>
> Bob -
>
> My news host is expiring these posts faster than I can read them --
> I may have missed something.
>
> Can you answer the following:
>
>       If you select a large p for GF(p),  does the choice of
>       a generator g for g^x mod p matter, so long as it is
>       a generator of GF(p)?

No, it doesn't matter.

>  It's often said that it is not
>       necessary for g to be a generator of the whole field,
>       but it is better.
>
>       Why (esp. when 2 is used as a generator) is p selected
>       such that (p-1)/2 is also prime?


There are attacks which work in small(er) subgroups that are more efficient
than solving a DL problem over the entire group.  One wants the group
the DL problem resides in to be as large as possible.


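Added example, not from the thread: the checks that follow from the answer above, for a p with (p-1)/2 prime and for a received public value, in Python. The primes are constructed toy values chosen so the subgroup structure is visible (23 is a safe prime with q = 11; 31 is not, since 30 = 2*3*5); is_prime is a fixed-base Miller-Rabin, and element_order/small_subgroup_orders brute-force the orders and are meant for the toy sizes only.

```python
# Added example (not from the digest): parameter and public-value checks that
# follow from the answer above.  Toy primes, constructed so the structure is
# visible: 23 is a safe prime (q = 11), 31 is not (30 = 2*3*5).  pow() makes
# validate_dh_params/validate_peer_public work unchanged on 1024-bit values.

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, and a
    probable-prime test with negligible error above that."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def element_order(g: int, p: int) -> int:
    """Order of g in Z_p^* by brute force: toy primes only."""
    k, x = 1, g % p
    while x != 1:
        x, k = x * g % p, k + 1
    return k


def small_subgroup_orders(p: int, bound: int) -> set:
    """Which subgroup orders in 2..bound actually occur in Z_p^* (toy sizes)."""
    return {element_order(g, p) for g in range(2, p)} & set(range(2, bound + 1))


def validate_dh_params(p: int, g: int):
    """(ok, reason).  p must be prime with q = (p-1)/2 prime, so the only
    subgroups have order 1, 2, q or 2q, and g must generate the order-q one."""
    if not is_prime(p):
        return False, "p is not prime"
    q = (p - 1) // 2
    if not is_prime(q):
        return False, "(p-1)/2 is not prime: small subgroups exist"
    if not 1 < g < p - 1:
        return False, "g outside (1, p-1)"
    if pow(g, q, p) != 1:
        return False, "g is not in the order-q subgroup"
    return True, "ok"


def validate_peer_public(y: int, p: int) -> bool:
    """Accept a received public value only if it lies in the order-q subgroup,
    which rejects the order-1 and order-2 elements 1 and p-1."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


if __name__ == "__main__":
    print("orders <= 10 present mod 23:", small_subgroup_orders(23, 10))
    print("orders <= 10 present mod 31:", small_subgroup_orders(31, 10))
    print(validate_dh_params(23, 4), validate_dh_params(31, 3))
```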

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: ElGamal vs RSA
Date: Sun, 14 Mar 1999 02:58:15 GMT

In article <7cd013$[EMAIL PROTECTED]>,
  "Roger Schlafly" <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED] wrote in message <7ccn0j$ltm$[EMAIL PROTECTED]>...
> > [usual ad hominem attack snipped]

Asserting that someone does not have the technical background to
provide an opinion on some subject is not an ad hominem attack.

How many DL problems have you solved?

> >> Coppersmith's algorithm has the same asymptotics
> >> as the best factoring method.
> >
> >Wrong.  The constant for Coppersmith's algorithm is (32/9)^1/3.
> >The best factoring algorithm for RSA keys has constant (64/9)^1/3.
>
> I was ignoring the constant.

Which shows why you don't know what you are talking about.
If T is the time for breaking RSA with NFS, then the time to break
a DL for GF(2^n) for the same sized problem is T^(cube root of 1/2) ~ T^0.79.


> Your statement implied that DL over GF(2^n) was easy.


I said no such thing.  The only easy problems in CS are polynomial time.
I never said Coppersmith's algorithm is in P.   What I said was that
solving DL over GF(2^n) is significantly easier than DL over GF(p)  for
n ~ log(p).

> >> For a given key size, DH over GF(2^n) is
> >> slight less secure than RSA, but users can compensate for this by
> >
> >No!!!   It is significantly less secure.  DL over GF(2^1024) is almost
> >within reach now.  DL over GF(p) where p is an odd 1024-bit prime is NOT
> >in reach.
>
> DL over GF(p), p = 1024 bit prime, is more secure than 1024 bit RSA.

The time difference is insignificant, and is platform and implementation
dependent. With respect to CPU time, they are virtually the same.  What makes
DL slightly harder than factoring is that for DL,  the matrix must be solved
mod p,  rather than mod 2.  This takes  a factor of log p  more SPACE and a
constant factor (depending on the wordsize of the machine solving the matrix)
more time  to solve the matrix.  The sieving times are virtually the same.

This is what I referred to earlier when I said that DL for odd fields was
harder than the equivalent sized factoring problem.  Solving the matrix
requires much more SPACE.

People seem to forget that CPU time is not the only resource required by these
algorithms.


> 1024-bit RSA is more secure than DL over GF(2^1024). Agree? Good.
>
> If someone wants to use DL over GF(2^n), and his application is such
> than n = 1024 is not safe enough, then he can pick n = 2048 or even
> a larger value, if he wishes.

And slow down encryption/decryption by at least a factor of 4 in the process.
And take up more space in certificates.  And more bandwidth in key exchange.


Of course one can always use larger keys.  At a cost.

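Why the constant cannot be ignored, as an added note that is not part of the thread: both methods are L[1/3] algorithms, so the constant sits in the exponent of the running time rather than in front of it. With

  L_N[1/3, c] = exp((c + o(1)) (ln N)^{1/3} (ln ln N)^{2/3}),

NFS factoring of a modulus N runs in T = L_N[1/3, (64/9)^{1/3}], and Coppersmith's algorithm in GF(2^n) with n ~ log N runs in T_DL = L[1/3, (32/9)^{1/3}], so

  ln T_DL / ln T = (32/9)^{1/3} / (64/9)^{1/3} = (1/2)^{1/3} ~= 0.794,

i.e. T_DL ~= T^{0.79}, the figure quoted in the post above.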

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: el-gamal as permutation for OAEP?
Date: 14 Mar 1999 02:01:18 GMT

David A Molnar <[EMAIL PROTECTED]> wrote:

> can el-gamal be turned into a k-to-k bit permutation suitable for
> use with optimal asymmetric encryption padding?

> does anyone do this? has it been studied in theory or practice?

hi. In case anyone cares, it looks like a paper along these lines was
submitted at the August 1998 meeting of the P1363a ("addendum to IEEE
standard 1363") working group.

DHES: An Encryption Scheme Based on the Diffie-Hellman Problem
   Michel Abdalla, Mihir Bellare and Phillip Rogaway, August 1998.

 available at http://grouper.ieee.org/groups/1363/addendum.html

 I'll look more carefully next time.

 Thanks,
 -David Molnar


------------------------------

From: "Jonas Thörnvall" <[EMAIL PROTECTED]>
Subject: Chicken egg problem?
Date: Sun, 14 Mar 1999 04:08:39 +0100

Can anyone give me a suggestion how to do a structured attack on this
problem

Password: retig3j54

Step1.          Frequens 4
Step2.          Right X1
                      Left X3
                      Up Y1
                      Clockwise Z2
                      Down Y2
Step3            Frequens 7
Step4            New movements
                      ...................

                       etc.........
                       .................
                        ...................



------------------------------

From: [EMAIL PROTECTED] (Francis Tan)
Subject: Re: Certicom Benchmark
Date: Sun, 14 Mar 1999 04:17:44 GMT

On Fri, 12 Mar 1999 16:55:09 -0600, Medical Electronics Lab
<[EMAIL PROTECTED]> wrote:
>
>I find it hard to believe, but I've been wrong before.  GF(2^m) is
>so much simpler than GF(p) in terms of basic operations that it ought
>to be faster.
>
>I'll be happy to help you set up a test between the two on your machine.
>Send me e-mail at [EMAIL PROTECTED] and we can put some code
>together that will do a nice test for posting up here.
>
>Patience, persistence, truth,
>Dr. mike

For GF(2^m), field squaring is very fast, but the field
multiplication can be quite slow, since it is basically calculated
using the shift-and-add method, processing bit by bit.  And a field
inverse is about 3-4 x a field multiplication.

However, for GF(p) we are making use of the CPU multiply instruction, which
processes one word at a time.  Generally, for larger field sizes and on CPUs
with word size >=32, GF(p) performs better, and the field inverse
can be eliminated with the use of projective coordinates as well.

Francis
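Added example, not Francis's code: the GF(2^m) operations he compares, in Python. gf2m_mul is the bit-serial shift-and-add loop, gf2m_square is a bit spread plus one reduction, and gf2m_inv is extended Euclid over GF(2)[x]; the AES field GF(2^8) with f = 0x11B is used as the test field so results can be checked against the FIPS-197 examples ({57}*{83} = {C1}, {53}^-1 = {CA}). The GF(p) counterpart he describes is simply Python's word-based pow(a, p-2, p).

```python
# Added example (not Francis's code): the GF(2^m) operations he compares.
# Field elements are ints whose bits are polynomial coefficients; f is the
# irreducible reduction polynomial of degree m.  The AES field GF(2^8),
# f = x^8 + x^4 + x^3 + x + 1 = 0x11B, is used because FIPS-197 gives known
# products ({57}*{83} = {C1}) and inverses ({53}^-1 = {CA}) to check against.


def gf2m_mul(a: int, b: int, f: int, m: int) -> int:
    """Bit-serial shift-and-add: one XOR and one conditional reduction per bit
    of b, so m steps regardless of the machine word size."""
    r = 0
    for i in range(m):
        if (b >> i) & 1:
            r ^= a                      # add a * x^i
        a <<= 1                         # a = a * x
        if a >> m:                      # degree hit m: subtract f
            a ^= f
    return r


def gf2_reduce(v: int, f: int, m: int) -> int:
    """Reduce an arbitrary-degree polynomial v modulo f."""
    while v.bit_length() > m:
        v ^= f << (v.bit_length() - 1 - m)
    return v


def gf2m_square(a: int, f: int, m: int) -> int:
    """Squaring is linear in characteristic 2: (sum a_i x^i)^2 = sum a_i x^(2i),
    so it is a bit spread plus one reduction, much cheaper than a multiply."""
    s = 0
    for i in range(m):
        if (a >> i) & 1:
            s |= 1 << (2 * i)
    return gf2_reduce(s, f, m)


def gf2_divmod(a: int, b: int):
    """Polynomial long division over GF(2): (quotient, remainder)."""
    q, db = 0, b.bit_length()
    while a and a.bit_length() >= db:
        shift = a.bit_length() - db
        q |= 1 << shift
        a ^= b << shift
    return q, a


def gf2m_inv(a: int, f: int, m: int) -> int:
    """Extended Euclid over GF(2)[x]: keeps u_i * a == r_i (mod f) and stops
    when r_i == 1.  Costs a handful of multiply-equivalents, as the post says."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1, u0, u1 = f, a, 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("gcd(a, f) != 1: f is not irreducible")
        q, r = gf2_divmod(r0, r1)
        r0, r1 = r1, r
        u0, u1 = u1, u0 ^ gf2m_mul(u1, q, f, m)
    return u1


if __name__ == "__main__":
    F, M = 0x11B, 8
    print(hex(gf2m_mul(0x57, 0x83, F, M)), hex(gf2m_inv(0x53, F, M)))
```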

------------------------------

From: [EMAIL PROTECTED] ()
Crossposted-To: alt.comp.virus
Subject: Network Associates - Can we trust their products?
Date: 14 Mar 1999 04:56:24 GMT

A little long, but take a coffee break and read with me in humor,
okay?  It isn't supposed to be 'dead' serious, but just a point
I'd like some comments on, especially the validity of their products
actually working like they should w/o subterfuge.

---

Intro:
As you may all well know, the licensed version of McAfee virus scanners
from their password FTP site was known to the Usenet newsgroup readers
as far back as Jan 1997.
(www.dejanews.com search:
http://x7.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=213502707.3&CONTEXT=921385556.2014249164&hitnum=17)

This site has not changed in over three years, nor has the username and
password, and has been posted numerous times to the Usenet newsgroups
over this period.

Today, you can find this exact URL, with .mcafee. changed to .nai. because
McAfee was bought by NAI, on NAI's web site in clear view in a location
where any five year old could reach in five clicks, or for that matter,
all search engines in the world.

---

Okay, so either NAI, one of the world's largest security and virus
protection companies, has got the _LAMEST_ site masters
around, or they're 'deliberately' posting this publicly on their web
site today after the prior three years of common knowledge of the URL.

To visit this public posting by NAI of this URL:
http://www.nai.com/ -> drop down box to -> http://www.drsolomons.com
(also bought up by NAI) -> Download/Updates -> Upgrades to Total Virus
Defense -> United States / Canada -> and Voila! the direct password
FTP URLs.  (like I said, five clicks for any five year old)

The new .nai. address has also been available in the Usenet newsgroups
since 8/98 and I'll leave it to you to verify through Dejanews.

---

My Theory: (and maybe one episode too many of X-Files this week..)

Could it be possible that NAI in conspiring to do the following:
* Release virus products which require constant *.DAT upgrades as
an income stream, even though it may be already possible to create
an AI virus detection engine that will catch unknown ones w/o any
problems (not counting those that appear with new technologies,
such as Java viruses appearing after the engine was built before
Java existed).
* Release licensed versions of their products through their public
web site to give key IS people a good run through their demo and
licensed products so that there's a higher chance it'll be the
first to be recommended.  Buying the most popular (McAfee) and
best (DrSolomons) virus scanners as reported by the trade magazines
lend to this as well.
* Capturing data from us through Personal PGP and/or their virus
scanners during Internet sessions for their use.
* And creating new virii themselves to promote the upgrade
cycle.  (After all, Microsoft loves this.  What?! Office 97 doesn't
work?  No problem, just upgrade to Office 2000 and those problems
will be fixed -- of course, not the new ones we introduced..)
* etc., etc.

--

Your advice then?:

Given the marketplace for virus scanners, there doesn't appear
to be many others left: Symantec Antivirus, maybe a Panda or
Innoculan, but none that seem to pop into my mind as a leader
of the pack.  (After all, DrSolomon's came up many times as the 
tested leader for detecting virii in many trade magazines.)

Are there any _great_ alternatives to NAI's Total Virus Defense?

If we assume that they maybe 'tampering' with their virus products
to give users a 'reason' they need to upgrade, it may well be that
they've 'tampered' with Phil's PGP engine as well -- and thus
their PGP Personal products may also be at 'risk'.  (After all,
they could code in a 'backdoor' into PGP Personal products and
thus possess a way to decode our messages.)

Given this possibility, is there any way to verify whether there
is or isn't a backdoor into a NAI PGP Personal encoded message?

Which of the prior DOS-only versions of PGP written by Phil before
NAI hooked up to distribute PGP would you consider 'safe', 'secure',
and as potentially unaltered (ie. no backdoors) as possible for use?

---

After all, NAI isn't acting like any real security company when
it comes to having such 'open' password sites like this, right?

david =)

....maybe too many X-files shows, but think of it like this.  China
is a communist country just like Russia was.  Russia had their spies
in the US feeding ol' Russia more than one US military secret -
bombs, weapon designs, etc.  If China wanted a good way to probe
US personnel, here's a couple thoughts:
They're the world's largest toy supplier and the US's largest source.
Digital spread spectrum broadcaster in furby's, and other toys.
World's largest shoe producer. A signal is generated with each
foot step like the LED running shoes - that signal tracks you, the
individual, to the very city block you're in -- everywhere you go.
Monitors with DSS broadcasters to transmit screen images out.
Pinhole cameras hidden behind dark IR receiver plastic windows in
VCRs, TVs, monitors and more -- all transmitted out of your home....

------------------------------

From: "Jonas Thörnvall" <[EMAIL PROTECTED]>
Subject: Total  beginner
Date: Sun, 14 Mar 1999 03:22:36 +0100

Hello !

http://www.algonet.se/~labah


I'm a total beginner to cryptography, and have no skill whatsoever to
judge if a cipher is breakable in mathematical terms. Therefore I used
pure logic creating my cipher.
I thought that if I performed a trapstep structuring/ordering on bit level
and let the (frequency?) be set by a password, and after that performed
some kind of shifting, it would be impossible to tell if the bit
(de)shifted led closer to the solution.
As a metaphor I used Rubik's cube; I'm aware that it has locked
positions, but that's solvable.
Of course there is a problem in the fact that the bits are the same, they're
just shifted, but then I thought
it's really not a big problem if their shifting is random enough?

My question is: if I use a password for setting the trapstep effect, and at
the same time use the password for creating the shift of the cube, wouldn't
it generate as many output streams as the password (length)? (Maybe also
multiple rounds acquired with different frequencies from the password.)

Isn't all encryption possible to crack if you just know the password? I thought
(my idea) could be hard to crack
because there is no algorithm to start with, just a bitstream depending on
the password.
And you have to test all the possible positions in the cube with all the
possible (frequencies).
As you can see, the larger the password the more random the output.

Who knows, one day I may actually read a book on cryptography (the math seems
rather complex.....)

I have today no password, and there is something wrong with the trapstep that causes
some lengths of the
message to go bananas. Therefore the frequencies and Rubik movements are
fixed; there is also no
possibility to shift the locked positions in the cube.

I enjoy your newsgroup (even if I understand little or none of it)





------------------------------

From: Doggmatic <[EMAIL PROTECTED]>
Subject: Hard problems?
Date: Sun, 14 Mar 1999 05:34:10 GMT

I've seen NP-complete problems, but what's an analogy which describes PSPACE,
PSPACE-complete, or EXPTIME problems?  Assume I know little to nothing about
number theory, information theory or complexity theory, other than those
terms.


   ___/Mike  ...two legs good, four legs bad? ... Why conform?
__/.   |      For my next trick, WATCH as this humble mouse breaks
\-__   \___   Windows at the mere press of a button.
    \          Hey! Where are we going, and why am I in this handbasket?


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
