Cryptography-Digest Digest #916, Volume #8       Sat, 16 Jan 99 20:13:04 EST

Contents:
  Re: Practical True Random Number Generator (R. Knauer)
  Re: Cayley-Purser algorithm? (Dale R Worley)
  Re: Cayley-Purser algorithm? (Ray Girvan)
  Re: SSL - How can it be safe? (fungus)
  Re: Too simple to be safe (fungus)
  Re: Cayley-Purser algorithm? (Dale R Worley)
  posted ABC news web site ([EMAIL PROTECTED])
  read and pass please!!! (Angel)
  Re: Export laws (Bill Unruh)
  Re: Export laws (Bill Unruh)
  Re: Export laws (Bill Unruh)
  Re: New Cipher ("Sybrandy Cornelius")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Practical True Random Number Generator
Date: Sun, 10 Jan 1999 15:42:13 GMT
Reply-To: [EMAIL PROTECTED]

On Sun, 10 Jan 1999 06:17:33 -1000, Bill <[EMAIL PROTECTED]> wrote:

>Coin tossing can be a cheap way to get random numbers. In Santa Cruz, 
>California there are 2^6 homeless people who "will work for food". If 
>only we could harness the power of coin tossing, we could make the 
>Pacific Garden Mall a better place. Some of these unwashed burnouts sit 
>there for hours with coins in a paper cup, ready to endow the world of 
>cryptography with an exhaustible supply of TRN. The coins are tossed with 
>great skill and apathy. 
>
>What is needed is not microsensors to detect air molecules, simple TV 
>cameras and image processing software on obsolete 486 PCs would be a 
>cheap solution. The bums toss 'em and the software counts 'em. One hand 
>does not wash the other, one hand gives coins, and the other hand tosses.

Work in some New Age psychobabble to motivate these "homeless" gypsies
and you got a winner here.

But I suspect that if you just tape recorded a conversation between
two of them, you would have all the randomness you could ever want.

Bob Knauer

"We hold that each man is the best judge of his own interest."
--John Adams


------------------------------

From: [EMAIL PROTECTED] (Dale R Worley)
Subject: Re: Cayley-Purser algorithm?
Date: Sat, 16 Jan 1999 22:15:02 GMT

In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] (David R Brooks) 
writes:
   This is what led to the ambiguous situation of the RSA patent. The
   patent is void in most countries outside the US, for the above reason.

Though it would be more accurate to say "RSA is patented in the US,
but in no other country."  A US patent (almost by definition) has no
effect in any other country, just as an Australian patent has effect
only in Australia.

Dale

Dale Worley                                             [EMAIL PROTECTED]
--
Cwm fjord-bank glyphs vext quiz.

------------------------------

From: Ray Girvan <[EMAIL PROTECTED]>
Subject: Re: Cayley-Purser algorithm?
Date: Sat, 16 Jan 1999 22:18:52 GMT

Anthony Naggs <[EMAIL PROTECTED]> writes:

> Whether Sarah Flannery's entry to the science competition
> counts as publishing rather depends on the rules of the 
> competition.  Certainly there is no sign so far that it has had 
> any wider circulation than the competition judges.  (And 
> Baltimore Technologies for whom she was working when 
> introduced to Dr Michael Purser's original work on the idea.)
>
> For what it's worth the most detailed article I've seen was Tim
> Radford's in The Guardian on Thursday.

That left me mildly puzzled about some aspects.  It quoted Purser as 
having written a paper, and Baltimore Technologies suggesting, while 
she was on work experience there, saying, "Why don't you try and 
program this idea of Michael Purser's?"
     In which case, what exactly do the reports of her "developing a 
new algorithm" mean?  That she has extended Purser's work at a 
conceptual level; or merely coded an algorithm already sketched out; 
or somewhere in between?
      Also, if the work was done while on work experience, is she in 
any position to decide whether it should be patented or published?  
Work done on company time usually belongs to the company.
     The Jan 13th Baltimore-Zergo press release is of interest
(see: http://www.baltimore.ie/fr_sub_press_room.html).

Ray

-- 
[EMAIL PROTECTED] +++ Technical Author +++ Topsham, Devon, UK
http://www.users.zetnet.co.uk/rgirvan/ +++ The Apothecary's Drawer



------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: SSL - How can it be safe?
Date: Sat, 16 Jan 1999 19:53:08 +0100



Joseph Suriol wrote:
> 
> How can encryption that doesn't require entering a password be safe?
> 
> As I understand the Secure Socket Interface (SSL) has optional encryption
> and when installed all network traffic will be encrypted.   Where does it
> get the key to encrypt.  If the key resides in the computer how does it keep
> it secure?  How is the key distributed?
> 

It invents a new key for each connection.


-- 
<\___/>
/ O O \
\_____/  FTB.



------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: Too simple to be safe
Date: Sat, 16 Jan 1999 19:57:51 +0100



"Kazak, Boris" wrote:
> 
> And here is a scheme that I practically use in communication with
> my son in Moscow.
>     1. We both have the same long (~150 KB) random file.
>     2. When I need to send a message, I open the random file in the
> hex editor and select N bytes starting at offset S.
>     3. The selected string of random bytes is used as a key to a
> symmetric cipher.
>     4. The E-Mail message consists of words:
>            "use S, N",
>        then follows the attached file with the message.
>     5. On the receiving end the sequence of operations is obvious.
> 
> Like that the information about the key is communicated in the open
> text, and the key is never reused. No digital signatures, no CA's.
> 
>      Any comments?    Respectfully            BNK

Sounds good to me....


-- 
<\___/>
/ O O \
\_____/  FTB.
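
Added example, not part of the original posts: the quoted "use S, N" scheme depends on both ends never selecting overlapping bytes of the shared file, so this sketch keeps a ledger of consumed ranges and refuses any overlap. The class and function names are hypothetical, the sample file is constructed, and the symmetric cipher is left out because the post does not name one.

```python
import re

HEADER_RE = re.compile(r"^use\s+(\d+)\s*,\s*(\d+)$")  # the post's "use S, N" line


class KeyReuseError(ValueError):
    """Requested slice overlaps key material that was already used."""


class SharedKeyFile:
    """The shared random file plus a ledger of consumed [start, end) ranges."""

    def __init__(self, data: bytes):
        self.data = data
        self.used = []  # sorted (start, end) pairs, never overlapping

    def take(self, s: int, n: int) -> bytes:
        """Return data[s:s+n] as the key and mark it consumed."""
        if n <= 0 or s < 0 or s + n > len(self.data):
            raise ValueError(f"S={s}, N={n} falls outside the shared file")
        for start, end in self.used:
            if s < end and start < s + n:  # half-open interval overlap
                raise KeyReuseError(f"S={s}, N={n} overlaps used {start}..{end}")
        self.used.append((s, s + n))
        self.used.sort()
        return self.data[s:s + n]

    def next_free(self, n: int) -> int:
        """Sender side: lowest offset S with n bytes that were never used."""
        cursor = 0
        for start, end in self.used:
            if start - cursor >= n:
                break
            cursor = max(cursor, end)
        if cursor + n > len(self.data):
            raise ValueError("shared file exhausted; exchange a new one")
        return cursor


def make_header(s: int, n: int) -> str:
    return f"use {s}, {n}"


def parse_header(line: str) -> tuple:
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed key header")
    return int(m.group(1)), int(m.group(2))


if __name__ == "__main__":
    shared = bytes(range(256)) * 4          # constructed stand-in, NOT random
    sender, receiver = SharedKeyFile(shared), SharedKeyFile(shared)
    s = sender.next_free(32)
    key = sender.take(s, 32)
    header = make_header(s, 32)             # travels in clear text
    assert receiver.take(*parse_header(header)) == key
    try:
        receiver.take(16, 32)               # replayed / overlapping header
    except KeyReuseError as exc:
        print("rejected:", exc)
```

Because S and N travel in the clear, the ledger only enforces the no-reuse property; confidentiality still rests entirely on the shared file staying secret and being truly random.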


------------------------------

From: [EMAIL PROTECTED] (Dale R Worley)
Subject: Re: Cayley-Purser algorithm?
Date: Sat, 16 Jan 1999 22:36:11 GMT

In article <77oovq$b94$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
   Bruce you say that because of your prejudices. I hope because
   she has not been brain washed by some of the so called modern
   books on crypto that she was able to strike out on her own
   instead of following so called phony experts in the crypto
   field. Of course this is only a hope and I fear it may be
   wrong but I keep hoping anyway.

I think you're half-right here.  The existence of an accepted body of
knowledge should never stop someone from striking out on her own,
trying approaches to important problems that (from the point of view
of the experts) is unlikely to be productive.  This is an especially
good exercise for the young.  But these rebels should not be disturbed
by the fact that most such exercises are ultimately unproductive --
after all, the experts are right *most* of the time.

Moral:  Don't be afraid to strike out on your own, against the advice
of experts, but don't be surprised that most of the time, the experts
were right all along.

   But the sad truth of the matter is if it was good I think the
   NSA would have been able to keep the lid on it. Of course
   they still have time since the method has yet to see the light
   of day on the net.

Well, the evidence is that the NSA is not particularly good at keeping
the lid on things.  After all, knowledge needed to create many fine
cryptosystems is available publicly.  We can also measure, to some
extent, how the open literature measures up relative to the secret
literature, by comparing the date on which the government replaced
SHA-0 with SHA-1 (1995) with the date on which the vulnerability in SHA-0
became publicly known (1998).

Dale

Dale Worley                                             [EMAIL PROTECTED]
--
I'm not sure whether there was any equivocation.        -- George Bush

------------------------------

From: [EMAIL PROTECTED]
Subject: posted ABC news web site
Date: Sat, 16 Jan 1999 22:48:36 GMT

Special to ABCNEWS.com

                      THE CRYPTO WARS DRAG ON

                      Why does the process of devising
                      a national encryption policy have
              to be so slow and so painful?
                   I'll tell you why: because of the FBI
              (strongly backed by the National Security
              Agency). Without the foot-dragging,
              connivance and lobbying of the security
              establishment, the United States might be
              able to maintain its global leadership in
              e-commerce technology and all things
              pertaining to the Internet.
                   The private sector, naturally, is fighting
              back. Sun Microsystems deserves kudos for
              its recent Russian Elvis initiative to
              re-import strong encryption from its
              subsidiary in the former Soviet Union, thus
              circumventing U.S. export constraints. A
              noble attempt, even if Sun did chicken out at
              the last moment.
                   Leading encryption firm RSA, with
              permission from the U.S. Commerce
              Department, has just announced that it's
              pursuing a similar strategy: starting a firm in
              Australia to ship strong crypto software
              worldwide, outside U.S. constraints.
                   This served as prelude to the
              announcement last week, after one more
              year of futile discussions, that the door on
              strong encryption technology export has
              opened a bit wider. The Commerce
              Department will now allow online
              merchants, insurance companies, most of the
              financial industry and the health care
              industry to expand their international
              business under the Bureau of Export
              Administration.
                   Unfortunately, the charade of allowing
              companies to ship unlimited-strength
              encryption technology to their international
              offices and to export from overseas
              subsidiaries, makes the entire legal scheme
              a joke. Although companies (and their
              customers) must still pass an export license
              test, any terrorist organization can easily get
              what it wants, in this way or others.
                   Let me outline a scenario here:
                   1. The misguided attempt by the feds to
              force companies to let Uncle Sam hold the
              private keys to their encryption is dead.
                   2. There's a real plan being hatched by
              the FBI, CIA, NSA and other
              cloak-and-dagger types, and so far it's
              working just fine. Step 1: Get the federal
              regulators to hold off the Indians until the
              security services can circle the wagons.
              Translation: Give us three years to prepare,
              and we will be able to break any piece of
              crypto they throw at us. We won't need
              private keys. Step 2: Give them what they
              think of as strong encryption; we can break
              it. (Alert observers will have noticed that
              the feds don't really care about 56-bit
              encryption rules, the remaining limit on
              regular e-mail, anymore. Translation: they
              are breaking it effortlessly.)
                   Fun, eh?
                   That means we have another futile year
              to go before it all opens up. Sort of.


------------------------------

From: Angel <[EMAIL PROTECTED]>
Subject: read and pass please!!!
Date: Sun, 17 Jan 1999 00:00:54 +0100

Have you ever watched kids
on a merry-go-round

Or listened to the rain
slapping on the ground?

Ever followed a butterfly's erratic flight
Or gazed at the sun into the fading night?

You better slow down
Don't dance so fast

Time is short
The music won't last

Do you run through each day
on the fly

When you ask "How are you?"
do you hear the reply?

When the day is done,
do you lie in your bed

With the next hundred chores
running through your head?

You'd better slow down
Don't dance so fast

Time is short
The music won't last

Ever told your child,
We'll do it tomorrow

And in your haste,
not see his sorrow?

Ever lost touch,
Let a good friendship die

'Cause you never had time
to call and say "Hi"?

You'd better slow down
Don't dance so fast

Time is short
The music won't last

When you run so fast to get somewhere
You miss half the fun of getting there.

When you worry and hurry through your day,
It is like an unopened gift....

Thrown away...


Life is not a race.
Do take it slower

Hear the music
Before the song is over.


PLEASE FORWARD THIS TO HELP THIS LITTLE GIRL


Dear All,

I just received this mail from a friend of mine in my college.  Please
respond to it. It will just mean employing a little bit of time and
won't cost you a penny.   All it needs is the heart for you to send
this mail.

PLEASE pass this mail on to everybody you know.  It is the request
of a little girl who will soon leave this world as she has been a
victim of the terrible disease called CANCER.  Thank you for your
effort, this isn't a chain letter, but a choice for all of us to save
a little girl that's  dying of a serious and fatal form of cancer.
Please send this to everyone you know...or don't  know.  This
little girl has 6 months left to live, and as her dying wish, she
wanted to send a chain letter telling everyone to live their life to
fullest, since she never will.  She'll never make it to prom, graduate
from high school, or get married and have a family of her own.  By you
sending this to as many people as possible, you can give her and her
family a little hope, because with every name that this is sent to, The
American Cancer Society will donate 3 cents per name to her treatment
and recovery plan.   One guy sent this to 500 people!!!!   So, I know
that we can send it to at least 5 or 6.  Come on you guys.... and if
you're too selfish to take 10-15 minutes scrolling this and forwarding
it to EVERYONE,  then you are one sick person.  Just think it could be
you one day.  It's not even your money, just your time!!!

PLEASE PASS ON
Dr. Dennis Shields, Professor
Department of Developmental and Molecular Biology
Albert Einstein College of Medicine of Yeshiva University
1300 Morris Park Avenue
Bronx, New York 10461
Phone 718-430-3306
Fax   718-430-8567




------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Export laws
Date: 16 Jan 1999 23:17:28 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Stephen Darlington) 
writes:

>If an encryption program I create (I am in the UK), ends
>up on a US-based web site, which export laws would be in
>force when someone tries to download the file?

It got there under UK export law, and US import law. It is removed from
there under US export law ( and import law in whatever country the
recipient sits).

>If someone in the US downloads the file from the US server,
>and sent me some money for it, would I be breaking the law?

What law? Of what nation?  US export law does not apply. US Import law
may. US patent law, copyright law,... certainly do. US consumer
protection law certainly do. Currency laws in the US and UK apply.....

>TIA

>Stephen J Darlington
>Author of the addZIP Compression Libraries
>http://welcome.to/addZIP


------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Export laws
Date: 17 Jan 1999 00:00:15 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (wtshaw) writes:
>If encryptive software is exported from such a site, then who is
>responsible? To put liability on the ISP for all files that might be on
>websites would be news to many of them.  To put the liability of a foreign

Since it would be criminal law, "beyond a reasonable doubt" would apply.
Case history as to "export" would get dragged up. Whether or not it was
reasonable that the person should have known what was on his site would
apply. At that point it would be a judgement call on the part of the
court.

>national who perhaps never set foot in the US might be difficult.  To put
>the burden on the ISP to verify residency and citizenship  would require
>some legislation.

>The only practical thing to do under those circumstances would be for the
>government to keep an eye out for abuses, and order ISP's to do something
>about such files when discovered by them or the government.

>Meanwhile, it seems that foreign nationals in coordination with lax ISP's
>could put all sorts of files online that would otherwise get someone in a
>heap of trouble.
>-- 
>Crypto with attitude....

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Export laws
Date: 17 Jan 1999 00:06:13 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (wtshaw) writes:
>national who perhaps never set foot in the US might be difficult.  To put
>the burden on the ISP to verify residency and citizenship  would require
>some legislation.

The legislation is already there, under the export regulations. It is
illegal to export certain things without a license. It is also by
definition in the regulations that placing something on the internet
unrestricted is by itself export-- no need for anyone else to actually
get it. Thus if the ISP knows about the article, or should know about
it, then his allowing it to be downloaded in an unrestricted manner is
already export and against the law.
 
>The only practical thing to do under those circumstances would be for the
>government to keep an eye out for abuses, and order ISP's to do something
>about such files when discovered by them or the government.

That order is already there. It is called a regulation. The government
does not have to point out to people to comply with the law, except by
publishing the regulations, which it has done.


------------------------------

From: "Sybrandy Cornelius" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.research
Subject: Re: New Cipher
Date: 16 Jan 1999 15:11:18 -0800

 
Greetings.  I just created a new cipher which uses what I like to call an Advanced 
Feistel Network.  This new network allows for 128 bit block encryption on 32 bit 
processors.  Another bonus of the new technology is that 2 S-boxes are used per round 
to maximise changes in the key or plaintext.  More details of this are included in the 
zip file you can download at
http://www.pitt.edu/~casst86/

The page is there, I checked, however the server has had some problems lately.  Just 
to thwart all those who may spam, no, I'm not declaring this cipher secure.  I just 
developed it in order to introduce a new idea.  If you wish to analyze it, or even use 
it, feel free to do so according to the document in the zip file.  The cipher code was 
made using g++ on linux, but it should work on any unix platform at least.  Any 
comments, questions, etc. can be sent to [EMAIL PROTECTED]

Casey Sybrandy

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
