Cryptography-Digest Digest #423, Volume #9       Mon, 19 Apr 99 16:13:03 EDT

Contents:
  Re: FSE-6 Report: Slide Attack ([EMAIL PROTECTED])
  Re: Adequacy of FIPS-140 (Jim Felling)
  Re: PGP=NSA (PGP 6 totally cracked by NSA!!) (Lutz Donnerhacke)
  Re: FSE-6 Report: Slide Attack ([EMAIL PROTECTED])
  Re: RC6 new key standard from AES conference? ([EMAIL PROTECTED])
  Re: RC6 new key standard from AES conference? (Paul Rubin)
  Re: Question on confidence derived from cryptanalysis. (Gurripato (x=nospam))
  UBE98 Vendor Admission (JPeschel)
  Re: Question on confidence derived from cryptanalysis. ("Trevor Jackson, III")
  Re: FSE-6 Report: Slide Attack (John Savard)
  Re: True Randomness & The Law Of Large Numbers (Herman Rubin)
  Re: Question on confidence derived from cryptanalysis. (Geoff Thorpe)
  Re: SNAKE#12 (Thomas Wu)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: FSE-6 Report: Slide Attack
Date: Mon, 19 Apr 1999 12:04:31 GMT

In article <7fe791$k4m$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David Wagner) wrote:
> For those who are interested, the final version of the FSE slide attack
> paper is available online from my "publications" page:
>      http://www.cs.berkeley.edu/~daw/papers/
>

Doesn't answer my question. (Nice paper though).

BTW, are chosen-plaintext attacks really practical?  I mean they make good
theory but are they actually used 'in the field'?

Tom

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Adequacy of FIPS-140
Date: Mon, 19 Apr 1999 09:16:09 -0500



"R. Knauer" wrote:

> On Sun, 18 Apr 1999 00:11:07 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> wrote:
>
> >The cheapest possible cryptanalytic attack against a complex
> >system is the "lucky guess", and yes, it has occasionally worked.
>
> It won't work against the properly implemented OTP cryptosystem.
>
> Bob Knauer

I can make a lucky guess at the message and get it right. (It's not likely, but
the attack can work against an OTP.)

>
>
> "I am a great mayor; I am an upstanding Christian man; I am an intelligent
> man; I am a deeply educated man; and I am a very humble man."
> - Marion Barry, Mayor of Washington DC


------------------------------

From: [EMAIL PROTECTED] (Lutz Donnerhacke)
Subject: Re: PGP=NSA (PGP 6 totally cracked by NSA!!)
Date: 19 Apr 1999 13:39:35 GMT

* Sandy Harris wrote:
>However, I've no reason to believe it. I've seen you assert that PGP
>has this weakness half a dozen times, but if you've attempted to
>demonstrate it, I missed that post. 

You missed nothing.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: FSE-6 Report: Slide Attack
Date: Mon, 19 Apr 1999 14:12:47 GMT


>
> Some ciphers have round functions that are simple enough to be
> analysed as a combinatorial logic block with no ambiguity. The
> key values can be calculated to produce, in one round only, the
> slid pairs which are available in the known plaintexts. The birthday
> paradox means that only about the square root of the full
> plaintext space needs to be available to find a slid pair.
> The one round offset of the two encryption paths can be found given
> enough known plaintexts. Then P1=P0' for a key that can be calculated.
> For all 2^n/2 plaintexts, try keys that might make a slid pair.
> The keys are not guessed, they are calculated precisely from the
> slid pair constraint and the simple combinatorial logic of some ciphers
> that is true for one round only.

Does this require only ciphertext/plaintext pairs?

Hmm, well back to the paper.  Tyao.

Tom
>
--
About me, I am 17, a student at high school.  My interests (in
computers) includes cryptography and data compression.  I have written
four private papers on these topics.  My fourth paper actually is
public, it is 'Geometric Identification'.  Have a look ! :)

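The slide attack sketched in the quoted text, worked through on a toy cipher as an added example (this code is not from the thread): a 16-bit Feistel cipher whose every round uses the same 8-bit key and a round function F(R, k) = SBOX[R ^ k], so the slid-pair constraint can be solved for k exactly. The S-box, the cipher and the key are all constructed here; the design lesson is that a key schedule with identical round keys makes the round count irrelevant.

```python
# Added example, not code from the post: a slide attack on a toy 16-bit
# Feistel cipher whose every round uses the same 8-bit key (a degenerate
# key schedule). Everything here (S-box, cipher, key) is constructed.
import random

# Constructed 8-bit S-box: a fixed pseudo-random permutation of 0..255.
_rng = random.Random(0xC0FFEE)
SBOX = list(range(256))
_rng.shuffle(SBOX)
SBOX_INV = [0] * 256
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i

ROUNDS = 16  # the attack does not care how many rounds there are


def round_fn(l, r, k):
    """One Feistel round with round function F(R, k) = SBOX[R ^ k]."""
    return r, l ^ SBOX[r ^ k]


def encrypt(block, k, rounds=ROUNDS):
    """Encrypt a 16-bit block; all rounds use the same key k (the flaw)."""
    l, r = block >> 8, block & 0xFF
    for _ in range(rounds):
        l, r = round_fn(l, r, k)
    return (l << 8) | r


def slide_attack(pairs):
    """Recover k from known (plaintext, ciphertext) pairs, or None.

    A slid pair (P, P') has P' = round(P, k); because every round is the
    same, C' = round(C, k) too, whatever the round count.  The round only
    moves R into L, so candidates are filtered by L(P') == R(P) and
    L(C') == R(C).  The remaining relation R(P') = L(P) ^ SBOX[R(P) ^ k]
    is solved for k, then confirmed on the ciphertext side and by a full
    encryption; false filter hits fail those checks.
    """
    by_left = {}
    for p, c in pairs:
        by_left.setdefault(p >> 8, []).append((p, c))
    for p, c in pairs:
        for p2, c2 in by_left.get(p & 0xFF, []):
            if (c2 >> 8) != (c & 0xFF):
                continue  # ciphertexts are not slid
            k = (p & 0xFF) ^ SBOX_INV[(p >> 8) ^ (p2 & 0xFF)]
            if (c2 & 0xFF) != (c >> 8) ^ SBOX[(c & 0xFF) ^ k]:
                continue  # candidate key contradicts the ciphertext side
            if encrypt(p, k) == c and encrypt(p2, k) == c2:
                return k
    return None


def demo(key, n=2048, seed=1):
    """Known-plaintext scenario: n distinct random plaintexts encrypted
    under key.  The birthday bound says ~sqrt(2^16) = 256 plaintexts give
    an even chance of a slid pair; 2048 makes one practically certain."""
    pts = random.Random(seed).sample(range(1 << 16), n)
    pairs = [(p, encrypt(p, key)) for p in pts]
    return slide_attack(pairs)


if __name__ == "__main__":
    print("recovered key: %#04x" % demo(0x5A))
```

Note that only known plaintexts are used, which is the point of the question below: no chosen plaintext is needed, and a realistic key schedule defeats the attack simply by making successive rounds differ.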

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: RC6 new key standard from AES conference?
Date: Mon, 19 Apr 1999 15:28:51 GMT

In article <[EMAIL PROTECTED]>,
  "Nick Strauss" <[EMAIL PROTECTED]> wrote:

> I've heard mention a couple times of a revised key schedule version of RC6
> that Rivest discussed at the rump session of the last AES conference...
>
> Anyone have, or have al link to, any documentation for this?
>
> It sounded, from some of what I've caught, that it sacrificed performance on
> 8-bit systems for better speed elsewhere?

No, RC6a is RC6 with a completely new key scheduler. It is optimized for 8-bit
systems because it uses much less RAM.

> Is it compatible with the basic
> spec, or is it then a fundamentally new cipher rather than just an
> implementation issue?

A completely new key scheduler will probably not be considered as a "tweak" by
NIST, which means that Rivest will not be able to have this variant considered
as the AES competitor. Probably this will not matter much: after the smartcard
debacle NIST declared that how well a competitor performs on smartcards will
not have high priority in the competition.


------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: RC6 new key standard from AES conference?
Date: Mon, 19 Apr 1999 17:35:11 GMT

In article <7ffi37$e77$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
>A completely new key scheduler will probably not be considered as a "tweak" by
>NIST, which means that Rivest will not be able to have this variant considered
>as the AES competitor. Probably this will not matter much: after the smartcard
>debacle NIST declared that how well a competitor performs on smartcards will
>not have high priority in the competition.

What debacle was that?  I missed something.

I think it is important that the AES perform reasonably well on smartcards.  

------------------------------

From: [EMAIL PROTECTED]  (Gurripato (x=nospam))
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Mon, 19 Apr 1999 15:03:34 GMT

On Mon, 19 Apr 1999 21:48:09 -0400, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:


>The tendency of the market to focus on a single (or few) best product(s)
>is well established.  The true operational basis for this is most often
>simple laziness.  The theoretical basis is that concentrated effort will
>produce a better best than that same effort spread over a wide variety
>of options.  If one company can dominate a market it can achieve
>economies of scale in production/design/etcetera.

        I disagree.  There must be some reason why a product is well
established, not necessarily quality.  The VCR-format war of the 80's
was won by the VHS system (in the sense that they sell more than any
other system).  But it is well-known that Beta offers higher quality.
VHS won mainly for marketing problems:  Sony kept the Beta patents for
himself, while everyone else went to VHS.  And if we talk about OS,
Windows95 (best seller the world over) falls miserably in quality
aspects (hangouts, crashes, etc) to others like Linux or MacOS.

        I recall an article on Scientific American about things like
railway width being accepted by the market not for its quality, but
rather on a sort of chaos-like process.  Sorry, I don't remember the
SA issue.


------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: UBE98 Vendor Admission
Date: 19 Apr 1999 15:59:38 GMT

Despite the vendor knowing UBE's weakness,
it's still being sold. 

Castork, the cat who broke version 2.1
of UBE98 says he has heard from Steve Lee
of Atlantic-Coast. Lee wrote Castork:
  "We ourselves know how to break it with ICE.
  That is being resolved now (you would need
  to have access to the user's computer to 
  break it)."

The last "fix" was to use Shrinker to 
protect the executables from disassembly.
I suppose some SoftICE-hostile code
will be the next "fix." 

Apparently UBE is sold in the US, too.
Seems strange that a product that uses
255-byte RC4 would be exportable.  Maybe
the download site is in the UK --still 
I wonder what RSADSI would think of UBE's
using RC4. Any comment, Bob? 

You can read Castork's essay on my site.
Look in the "Key Recovery Resources"
page.

Joe

__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

Date: Tue, 20 Apr 1999 01:18:00 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Question on confidence derived from cryptanalysis.

Gurripato (x=nospam) wrote:
> 
> On Mon, 19 Apr 1999 21:48:09 -0400, "Trevor Jackson, III"
> <[EMAIL PROTECTED]> wrote:
> 
> >The tendency of the market to focus on a single (or few) best product(s)
> >is well established.  The true operational basis for this is most often
> >simple laziness.  The theoretical basis is that concentrated effort will
> >produce a better best than that same effort spread over a wide variety
> >of options.  If one company can dominate a market it can achieve
> >economies of scale in production/design/etcetera.
> 
>         I disagree.  There must be some reason why a product is well
> established, not necessarily quality.  The VCR-format war of the 80's
> was won by the VHS system (in the sense that they sell more than any
> other system).  But it is well-known that Beta offers higher quality.
> VHS won mainly for marketing problems:  Sony kept the Beta patents for
> himself, while everyone else went to VHS.  And if we talk about OS,
> Windows95 (best seller the world over) falls miserably in quality
> aspects (hangouts, crashes, etc) to others like Linux or MacOS.
> 
>         I recall an article on Scientific American about things like
> railway width being accepted by the market not for its quality, but
> rather on a sort of chaos-like process.  Sorry, I don't remember the
> SA issue.

You are certainly free to disagree with the marketing theory that says
mature markets are better.  After all, I disagree with it too.

I find it especially unsuitable for the field of crypto.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: FSE-6 Report: Slide Attack
Date: Mon, 19 Apr 1999 17:50:05 GMT

[EMAIL PROTECTED] wrote, in part:

>BTW, are chosen-plaintext attacks really practical?  I mean they make good
>theory but are they actually used 'in the field'?

Well, known-plaintext attacks are sometimes possible 'in the field', and if
one has enough known plaintext, the plaintext one might wish to choose may
already happen to be among the known plaintexts.

And against some devices, such as smartcards, or against a utility where
you are one of the legitimate users, but you want to eavesdrop on other
users, chosen-plaintext attacks are possible.

John Savard ( teenerf<- )
http://members.xoom.com/quadibloc/index.html

------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: 19 Apr 1999 12:56:00 -0500

In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On 18 Apr 1999 20:37:00 -0500, [EMAIL PROTECTED] (Herman
>Rubin) wrote:

>>>It is interesting to note that in Billingsley's book where he
>>>discusses Chernoff's Theorem, he points out in balancing the error of
>>>rejecting one hypothesis over another for the value of p, that as p
>>>approaches 1/2 it becomes increasingly difficult to discriminate
>>>between the p = 1/2 hypothesis and an hypothesis for a slightly
>>>different value near 1/2.

>>Why should this be surprising?

>Not so much surprising as interesting.

                        ................

>>It is a little easier to see in the case of a normal translation parameter,
>>and the problem is extremely similar; the sample size needed for a given amount of
>>discrimination is proportional to 1/Kd^2, where K is the Fisher
>>information in a single observation, and d is separation.

>Please provide a reference for this.

This is well known in statistics.  The likelihood function for a 
reasonably large sample in a regular problem is approximately that
for a normal translation parameter with variance the reciprocal
of the Fisher information.  The Fisher information is NOT related
to the Wiener-Shannon information.  

>This seems to be a general statement about sample size and separation
>regardless of the value of the translation. What I found interesting
>above is that the discrimination difficulty gets larger as you
>approach p = 1/2.

It gets slightly harder, as the information is slightly smaller.
But the ratio of the sample sizes needed for detecting a fixed
difference at p=.4 to p=.5 is .96.

These are usually considered in mathematical statistics books,
not probability books.
-- 
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558
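Carried through for the Bernoulli case the post discusses, as an added worked derivation that is not part of the post (K and d as Rubin uses them; n denotes the sample size; X is a single 0/1 observation with P(X=1) = p):

```latex
\ell(p) = X\log p + (1-X)\log(1-p),
\qquad
\frac{\partial\ell}{\partial p} = \frac{X}{p} - \frac{1-X}{1-p}

K(p) = \mathbb{E}\left[\left(\frac{\partial\ell}{\partial p}\right)^2\right]
     = p\cdot\frac{1}{p^2} + (1-p)\cdot\frac{1}{(1-p)^2}
     = \frac{1}{p(1-p)}

n \;\propto\; \frac{1}{K(p)\,d^2}
\quad\Longrightarrow\quad
\frac{n(0.4)}{n(0.5)} = \frac{K(0.5)}{K(0.4)} = \frac{4}{1/0.24} = 0.96
```

K(p) takes its minimum value 4 at p = 1/2, which is why a fixed separation d is hardest to detect there, and the resulting ratio is the .96 Rubin quotes.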

------------------------------

From: Geoff Thorpe <[EMAIL PROTECTED]>
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Mon, 19 Apr 1999 13:37:32 -0400

Hello,

"Douglas A. Gwyn" wrote:
> It depends on who you conceive the potential "enemy" to be.
> For many perfectly decent people, their own governments can
> become their enemies; history gives us many instances of this.

Of course, and for most people following the current crypto issues even
passively, I think they regard the regulatory and military arms of
government to be the biggest problem.

> While the cryptanalytic bureaus of most third-world countries
> might not be very advanced, the one in the US certainly is.

Agreed - it would be extraordinarily naive to dispute that fact. The point
I was trying to make was that the collective academic grunt (and other
"in the open" contributors) we have in cryptography and cryptology does
not (or rather, can not) pale so completely by comparison to "the enemy"
that our research and results give no indication to a cipher's
susceptibility to "theirs". Mr Ritter seemed to have a very different and
quite extreme view on this point. However, I get the impression you tend
to agree - if we can't punch a hole in it, that lowers the odds that
they can (as compared to not having really seen if WE can yet).

> Therefore, it is quite appropriate to be concerned with
> *provable* security instead of "nobody in academia has a
> clue" security.  The former should, if properly applied,
> stand up against *any* enemy, while the latter stands up
> only against, shall we say, amateurs.

Provable security is a very hairy branch of science - unless you pin
yourself to some pretty broad axiomatic presumptions (which themselves
then become the target of much scepticism and debate) proving security
becomes highly awkward. I guess this is necessary because it is nearly
impossible to categorise the class of "attacks" in any meaningful way
(except perhaps invoking Turing machines?! [;-) If one could show that a
given cipher (key) can or can not be broken at an expected running time
better than 50% of a key-space search by an appropriate Turing machine
it would be quite a piece of work.

> (I'm not suggesting that academics haven't made useful
> contributions to the state of the art, just that their
> work does not define the total state of the art.)

Oh I agree completely - I was just taking issue with what I perceived to
be the following idea: Until we actually break it, or *prove* it secure,
we have no more measure of strength for it than for another (less
"investigated") one. I feel that quite the opposite is true - it IS a
very appropriate statistical measure of strength, and moreover the only
realistic one we have to work with. If the total state of the art stays
roughly in sync with the academics, albeit "they" may have a couple of
things up their sleeves and they may often get the jump on us by a few
months/years with various developments, then we can make reasoned
guestimations on the strength of a cipher against them based on the
strength of a cipher against us.

> > Mathematical problems - that is what I was referring to ...
> 
> Yes, cryptology is largely applied mathematics, but
> practical cryptanalysis has evolved in the context of
> operational experience that is largely unavailable to
> outsiders, and that has caused a substantial difference
> between insiders and outsiders in their aims and methods.

Well yes and no ... applied mathematics has a handy of way of pushing
things along nicely particularly in the area of computation (complexity)
problems. "Their" ideals may be different to ours but I doubt their aims
or methods are ... everybody would love to break an established cipher
(with the possible exception of the patent holder), everybody would love
to *prove* a cipher secure (with the possible exception of the patent
holder's competition). I dare say the NSA et al have less motivation to
chase down some of the more daunting theoretical possibilities for
weaknesses in algorithms, especially when in reality, so many of them
lead nowhere or to advances that are at best - theoretical.

"They" have budgets (albeit big ones) and they probably have things
they'd rather spend it on (satellites, lobbying, hardware, breaking
implementations, breaking installations, etc). OTOH, having been
post-grad in a mathematics department before I know very well that this
obsession for looking in every nook and cranny of all things theoretical
is exactly the sort of thing academics get off on. Cracking ciphers (ie.
the actual algorithm itself, not the practical implementation details
that may be vulnerable) is much more the meat and veg of academics who
like to play and write papers. "They" just want information, and I'm
guessing just do whatever they got to do to get it - and searching
endlessly for little theoretical weaknesses is probably not their top
priority. That's not to say they don't do it and do it very well, but I
doubt their considerable advantages in resources are put so much to this
task as to make our abilities so incomparable or unrelated as some might
believe.

> Some problems, like efficient factoring, are obviously
> relevant, and unlikely to be achieved in secret without
> happening in the outside around the same time.  Other

I agree but I doubt very much Mr Ritter does.

> breakthroughs have been kept secret for decades, in some
> cases.  So there really is reason to fear that the most
> advanced "enemies" might know how to easily crack some
> system you use that appears uncrackable to all outsiders.

I know - and there's a lot of targets out there so the odds are on that
at least one of them has fallen completely to an "unpublished" source
without our knowing it. However, I just think it's more likely to be
something less well analysed in the "open" than something well analysed
in the "open" for the reasons I've mentioned, and that Mr Ritter doesn't
agree with.

On a related note (and all IMHO), bit-twiddling little ciphers are no
less "mathematical" than efficient factoring. Discrete maths actually
finds that cute little "permutation stuff" quite fashionable from my
limited contact with it (and them). Factoring tends to interest (again
from my limited contact) more the applied heads - meaning I'd give
better odds to developments in faster optimizations on 64-bit platforms
with super-dooper cache, than to fundamental breaks in the factoring
algorithms [;-)

> There is a significant difference between what is "well
> established" in long-existing, well-funded cryptologic
> organizations and what is "well established" in the
> dispersed, high-turnover-rate academic community.

True - and to agree with Mr Ritter for a moment, I think perhaps another
risk is that the academics tend to show interest in things that interest
them - whereas the well-funded organisations you speak of more likely
show interest in things that give them the best chance of accomplishing
some objective. However, this pragmatic mind-set, albeit fearsome in
many ways, might give us some hope that in the ethereal heights of trying
(and hoping) to break an already well-studied algorithm, they probably
are less hopeful, less obsessed, and more practical and realistic. After
all, RSA, IDEA may be perfect but if Win95's TCP allows a
password-sniffer to leak into your PC "they" have accomplished their
objective and "broken" PGP as far as "they" are concerned.

> There is a big problem in working in *applied* fields
> academically, since it is harder to get academic
> respect from publication of application or tutorial
> papers instead of research papers.  There are many
> technologies that are well-known *in general* in the
> research community, but their specific application to
> cryptology is *not* well known.

Probably quite true.

> > We all know that risk - it's the probabilities that are open to
> > debate. ...
> 
> More precisely, the likelihoods.
> The nice thing is that *relative* likelihoods can be estimated
> and used to make decisions; e.g. "I need a cipher that <meets
> certain requirements> -- pick one."
> If the consequences of not making a decision are sufficiently
> severe, then even an uncertain decision can be better than
> letting the uncertainty stop you from making a decision.

Exactly, and well said.

> > Me, I'm going to stick with RSA and triple-DES for a while.
> 
> In a well-designed cryptosystem, these do seem sufficiently
> secure against realistic threats for the near future.  Any
> vulnerabilities would most likely occur elsewhere in the
> system/protocols, not in these encryption algorithms as such
> (assuming of course a long RSA key, and 168-bit 3DES key).

I think that too, but as Mr Ritter might say - you are already in the
abyss and are naive if you think that. If that is so, I am comfortable
in my naivety.

> That seems to be part of Ritter's aim, but others seem to
> think that during cryptanalysis the stages have to be peeled
> like an onion, and they assume that there is not enough
> pattern available at the next-to-outermost layer for there
> to be any chance of peeling the outer layer off.

Well hopefully someone will look at this, and demonstrate some success
from it. Results speak for themselves, even to ivory tower academics
[;-)

> > And this can't be achieved within ONE cipher? When you start talking
> > multiple algorithms, you instantly start talking interoperability
> > and standardisation headaches.
> 
> That's a significant concern, because breakdowns in operational
> procedure often provide the enemy analyst the entering wedge he
> needs to crack a system.

Exactly, and if I resort to using a different cipher every week ... the
cryptanalysts will not keep up with them satisfactorily and I have a lot
more confidence that "they" WILL be breaking my traffic on a
semi-regular basis.

Cheers,
Geoff

------------------------------

From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: SNAKE#12
Date: 19 Apr 1999 12:20:02 -0700

Peter Gunn <[EMAIL PROTECTED]> writes:
> 
> 1) A->B: g^A
> 2) B->A: g^B
> 
> K=H(g^AB)
> 
> 3) A->B: E[K](E[P](A))
> 4) B->A: E[K](E[P](B))
> 
> So, eavesdroppers are eliminated by standard DH,
> A proves to B that it really does have its private
> DH value (and P) by giving it to B encrypted with P.

A MITM sees g^A and g^B, decrypts the message in (3) to
get E[P](A), and does trial decryptions with password
guesses P' to get A', and then sees if g^A' == g^A.

> B then works out g^A itself and checks g^AB has the
> same value as the g^AB it used to calculate K,
> breaking connection if it doesn't.
> 
> If B is a MITM, he has to solve A knowing B and
> g^AB in order to start to attack P.
> 
> Similarly, B sends E[P](B) to A to prove it has
> both its private DH value and P.
> 
> Now, this seems too easy, so there must be a catch...

See above.  :-)
-- 
Tom Wu                        * finger -l [EMAIL PROTECTED] for PGP key *
 E-mail: [EMAIL PROTECTED]       "Those who would give up their freedoms in
  Phone: (650) 723-1565              exchange for security deserve neither."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/
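The exchange quoted above and the weakness Tom Wu points out, modelled end to end as an added example (not code from either poster): a toy DH, a toy symmetric cipher E, and a function that shows what B's position (or a MITM standing in for B) can do with message (3). The modulus, generator, keystream cipher and password list are all constructed; the design lesson is that a password-authenticated exchange must not hand a party holding K any value against which password guesses can be checked without further interaction, which is exactly what PAKEs such as SRP are built to avoid.

```python
# Added example, not code from the thread: a toy model of the SNAKE#12
# exchange quoted above, showing why encrypting the DH secret A under
# the password P lets anyone who knows K test password guesses offline.
# The prime, generator, password list and cipher are all constructed.
import hashlib
import random

P_MOD = (1 << 61) - 1   # constructed toy modulus (a Mersenne prime); not secure
G = 3


def H(*parts):
    """Hash of the arguments (ints or strings) to 32 bytes."""
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()


def E(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream; decrypt == encrypt."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def to_bytes(n):
    return n.to_bytes(8, "big")


def run_exchange(password, rng):
    """Steps 1-3 of the protocol; returns what the peer in B's position
    observes: g^A, g^B, the shared K and message (3)."""
    a = rng.randrange(2, P_MOD - 1)
    b = rng.randrange(2, P_MOD - 1)
    gA = pow(G, a, P_MOD)                 # 1) A->B: g^A
    gB = pow(G, b, P_MOD)                 # 2) B->A: g^B
    K = H(pow(gB, a, P_MOD))              # K = H(g^AB), known to both DH ends
    msg3 = E(K, E(H(password), to_bytes(a)))   # 3) A->B: E[K](E[P](A))
    return gA, gB, K, msg3


def password_oracle(gA, K, msg3, guesses):
    """What B's position gives an active attacker: peel K, then for each
    guess P' decrypt to A' and test g^A' == g^A.  Returns the matching
    guess, or None.  Each test costs one exponentiation and needs no
    further interaction with A, so the dictionary is searched offline."""
    inner = E(K, msg3)                    # E[P](A)
    for guess in guesses:
        a_guess = int.from_bytes(E(H(guess), inner), "big")
        if pow(G, a_guess, P_MOD) == gA:
            return guess
    return None


def demo(password="correct horse", seed=42):
    rng = random.Random(seed)
    gA, gB, K, msg3 = run_exchange(password, rng)
    # constructed dictionary; the real password may or may not be in it
    dictionary = ["hunter2", "letmein", "correct horse", "password1"]
    return password_oracle(gA, K, msg3, dictionary)


if __name__ == "__main__":
    print("guess confirmed offline:", demo())
```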

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
