Cryptography-Digest Digest #441, Volume #9       Wed, 21 Apr 99 18:13:03 EDT

Contents:
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)
  Re: Can a Java or Active-x program get your keys?????? (Medical Electronics Lab)
  Re: On Being Earnest (Medical Electronics Lab)
  Re: RC6 new key standard from AES conference? (Matthias Bruestle)
  Re: tops9720.zip source code for "Topsecret" ("Douglas A. Gwyn")
  Re: Question on confidence derived from cryptanalysis. (Jim Gillogly)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (Terry Ritter)
  Re: tops9720.zip source code for "Topsecret" ([EMAIL PROTECTED])
  Re: Export restrictions (SCOTT19U.ZIP_GUY)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (Leonard R. Budney)
  Re: Can a Java or Active-x program get your keys?????? ([EMAIL PROTECTED])
  Re: RC6 new key standard from AES conference? ([EMAIL PROTECTED])
  Re: One-Time-Pad program for Win85/98 or DOS ([EMAIL PROTECTED])
  Re: Adequacy of FIPS-140 (Leonard R. Budney)
  Question about DH keys? (John Matzen)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Wed, 21 Apr 1999 19:25:55 GMT
Reply-To: [EMAIL PROTECTED]

On Wed, 21 Apr 1999 20:56:57 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>Could you tell what Feller means here? Does he mean that a 'normal'
>coin does not exist in reality (which I certainly agree) or what?
>Does he want to say some psychologists are wrong or what? I simply
>can't understand.

You need to read his book.

>Since, however, I consider true
>randomness to be a theoretical concept that has no exact real-life
>existence, that impossibility doesn't trouble me at all.

True randomness has a real-life existence in quantum processes.

>That presupposes the existence of certain reliable tests. What are
>they? Any existing or really promising candidates? Note that
>'reliability' is itself tightly connected to statistical test 
>theories.

I gave a sketch of how one might go about certifying a radioactive
TRNG several months ago. You can look it up in the archives.

> And so one goes round again in circle, if one denies the
>applicability of statistical tests.

I suppose you will never catch on to the fact that I am not indicting
all statistical testing, only those simplistic small sample tests
which claim to make a reasonably certain determination of
non-randomness.

>I rather suspect that you misunderstood him.

I am not misunderstanding him one bit. He made his comments in a
perfectly unequivocal way. It is you who do not grasp what he is
saying because you are so intimately bound up to the orthodoxy of
simplistic small sample statistical tests for determining
non-randomness.

>Perhaps Prof. Rubin
>would comment on that. I haven't followed the discussion you mentioned
>and would like to learn what's wrong with what I wrote above. 

Just go into the archives and read it for yourself. Try:
http://www.dejanews.com/home_ps.shtml
with his full name as the keyword and sci.crypt as the forum. His
direct comments in this regard are available over the last couple
weeks.

>Regarding 'simplistic' I have already commented above. Please
>give your 'non-simplistic' stuff to us for PRACTICAL use.

Look in the archives using my name and the keyphrase "radioactive
TRNG".
 
>Yes, employ experts to judge the engineering design, etc. etc??

That is only part of it. You must conduct diagnostic tests on the
subsystems to certify that they are operating according to design
specification. In particular, you have to be concerned about the
detection circuit - e.g., deadtime caused by quenching effects and
pulse pileup in the discriminator electronics.

>If you simply DEFINE a quantum process to be equivalent to a truly 
>random process, then there would be nothing to discuss. But that is 
>not a scientific attitude. One should be able to do measurements to
>make sure experimentally that certain statements in applied sciences
>are true.

In the first place, it is a tenet of orthodox QM that the underlying
processes are truly random. That has been experimentally confirmed
many times over. If you do not accept the intrinsic randomness of
quantum processes then you have a very serious problem on your hands.

>O.K. You perform measurements to determine the detector deadtime.
>Doesn't that have to do with statistical tests, confidence level, etc.??

It most certainly has a lot to do with statistics. But it is not the
same as attempting to determine the non-randomness of a sequence of
bits directly using statistical tests.

You have failed to make this crucial distinction: I am not faulting
statistical measures in general, only as they pertain to the direct
determination of the non-randomness of an output sequence.

Sequences are not themselves random or non-random. It is the process which
generates them that is either random or not. Using simplistic small
sample statistical tests on output sequences does not give you
anything of reasonable certainty about the process that produces them.

When are you gonna understand that?

Bob Knauer

European Parliament's Scientific and Technological Options Assessment,
Appraisal of Technologies of Political Control, including Mark-Free
Torture, implemented by the British military in Northern Ireland:
http://jya.com/stoa-atpc.htm


------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Can a Java or Active-x program get your keys??????
Date: Wed, 21 Apr 1999 12:42:40 -0500

THOMAS wrote:
> Can a Java or Active-x program get your keys??????
> Most people store the PGP keys and passphrase on their harddisk.
> Can a person or government fetch those keyrings using a smart Java or
> Active-X script downloaded from the net or maybe something hidden in
> your operating system?

Isn't there a way to set up a "sand box" for Java to play in?
Just limit the directories that Java and Active-x have access to.
On my machine it's easy, Java and Active-x are disabled :-)
The only problem is that my browser crashes on lots of web pages
:-\

Patience, persistence, truth,
Dr.mike

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: On Being Earnest
Date: Tue, 20 Apr 1999 13:09:32 -0500

John Savard wrote:
> 
> Advising caution is only prudent: but to become too categorical is
> dangerous as well.

I think big companies will be far more conservative than little
ones.  The big guys will opt for the old-tried-and-true ciphers,
the little guys will take bigger risks and check out the new ones.
A few little guys will grow to be big, and they'll keep on using
the same ciphers.  That will make those "new" ciphers "old", and
trusted.  I agree with you, but I think using something new and
not fully proven requires more guts.  The more you have to lose,
the more conservative you'll have to be.

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED] (Matthias Bruestle)
Subject: Re: RC6 new key standard from AES conference?
Date: Wed, 21 Apr 1999 16:49:08 GMT

Mahlzeit


Paul Koning ([EMAIL PROTECTED]) wrote:
> I still have a hard time understanding why smart cards use 15 year old
> microprocessor technology.  Things like 32 bit multipliers used to
> be expensive, but in these days of 0.18 micron linewidths I don't
> see the issue.  The smart cards that are being used for reference
> in these discussions seem to suffer, most of all, from absurdly low
> amounts of memory given the state of the art even of some years
> ago.

In Germany there are about 40 million "money cards". It does make
a difference if such a card costs US$5 or as much as a Pentium III.
In the latter case there wouldn't be a single card.

SRAM requires 16 times as much space on the chip as ROM.


Mahlzeit

endergone Zwiebeltuete

--
PGP: SIG:C379A331 ENC:F47FA83D      I LOVE MY PDP-11/34A, M70 and MicroVAXII!
-- 
Support bacteria -- it's the only culture some people have!

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: tops9720.zip source code for "Topsecret"
Date: Fri, 16 Apr 1999 07:45:55 GMT

[EMAIL PROTECTED] wrote:
> Now even if you encrypted this message using a NON-random key
> there would be no way for a computer using brute force method
> to recognize the image unless it had human intelligence; ...

That is demonstrably not so.  Recognizing patterns is not hard;
it's *understanding* them that's hard.  There are all sorts of
computational methods for *detecting* patterns, so even under a
brute-force attack, probably-meaningful plaintext (especially
image bitmaps) can be identified, and only the most likely
candidates then displayed for human evaluation.  But patterns
can also be seen through the encryption, and depending on the
amount and kind of "nonrandomness" in the encryption system,
can often be used to recover the plaintext.

> It doesn't take much work to crack a reused pad.

Actually, VENONA took a *lot* of very difficult work.

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Wed, 21 Apr 1999 08:16:39 -0700
Reply-To: [EMAIL PROTECTED]

Terry Ritter wrote:
> In that case you should agree that each user should have a similar
> power to make their own choices of cipher.  That sounds just fine to
> me.

Let a thousand flowers bloom, eh?  With only 30 competent bees, many of
your flowers aren't going to get adequately pollinated.

If my banker "makes his own choice" of OTP because he read in AC that it's
unbreakable and he chooses an implementation that's easy to use since it
needs no key management, I'm the one who takes it in the shorts because
he didn't understand anything about cryptology.  I as a customer don't in
general know what's being used to cover my assets, and he as a user doesn't
in general know what makes a cipher suitable for his threat model.

We have wider areas of agreement than disagreement; I'm happy to leave
it at that.
-- 
        Jim Gillogly
        30 Astron S.R. 1999, 15:00
        12.19.6.2.5, 1 Chicchan 13 Pop, Ninth Lord of Night

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 21 Apr 1999 18:59:23 GMT


On Wed, 21 Apr 1999 16:21:01 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (John Savard) wrote:

>[EMAIL PROTECTED] (Terry Ritter) wrote, in part:
>>On 18 Apr 99 01:55:36 GMT, in <[EMAIL PROTECTED]>, in sci.crypt
>>[EMAIL PROTECTED] () wrote:
>
>>>Then it does make sense to look at the upper bound, because it's one of
>>>the few indications we have. 
>
>>No.  Completely false.  I see no reason why the upper bound should
>>have any correlation at all to the lower bound.  
>
>It will definitely be higher than the lower bound, but yes, it doesn't
>prevent the lower bound from being low.
>
>>In any security audit, we have to consider the worst case attacks, not
>>just the ones we expect, and not just the ones we tried.  
>
>Any security audit will have to include a disclaimer that the true security
>of the cipher systems used is essentially unknowable, but even real-world
>financial audits do routinely include various sorts of disclaimer.

I think you will find that financial disclaimers are not to avoid
responsibility for the financial service supplied.  For example, an
audit disclaimer might say that the audit results were correct,
*provided* the supplied accounting information was correct.  But that
is something which is, at least in principle, verifiable.  

We don't have financial disclaimers which say that the audit is 90
percent certain to be correct, which is the sort of thing you might
like to think that cryptanalytic certification could at least do,
since it cannot provide certainty.  But the very idea makes no sense.
The very companies that need the best auditing might also be the most
deceptive and able to hide their manipulations.  There is no useful
"average" company, and so no useful statistics.  Every case is
different.  

>>>But it also makes sense - and here, I think,
>>>we come closer to agreement - not to put too much faith in that upper
>>>bound, and to add constructs of different types, and constructs that seem
>>>like any mathematical tools to analyze them which would be useful for
>>>cryptanalysts are *far* in advance of the state of current knowledge.
>
>>I'm not sure I understand this fully.
>
>Given that a cipher highly resistant to known attacks (i.e., differential
>cryptanalysis) _could_ still be very weak, as far as we know, what can we
>do about it? The closest thing to a sensible suggestion I can make is this:
>make our ciphers stronger (that is, use more rounds) and more intrinsically
>difficult to analyze (use complicated, highly nonlinear, constructs) than
>the known attacks indicate is necessary.

We could hardly disagree more.  

I find "rounds" (the repeated application of the same operation) silly
and I don't use them.  I do use "layers" in which different operations
are applied in each layer.  

And I think that making a cipher more difficult to analyze can only
benefit the Opponents who have more resources for analysis.
Personally, I try to make ciphers as conceptually *simple* as possible
(though not simpler).  Simple does not mean weak; simple means
appropriately decomposing the cipher into relatively few types of
substantial subcomponent which can be understood on their own, then
using those components in clear, structured ways.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: tops9720.zip source code for "Topsecret"
Date: Fri, 16 Apr 1999 07:15:47 GMT

In article <7f41q5$o86$[EMAIL PROTECTED]>,
  David A Molnar <[EMAIL PROTECTED]> wrote:
>
> cool. where's the disagreement, and is it linguistic ("I don't like
>       that term") or deeper ? Just wondering.

Finally........... someone courteous.
It is highly probable that David is intelligent,
and feels secure about what he knows, and doesn't know.

Anyway, here are some points I disagree on.

========////////////////////=========================================

One-Time-Pads

A vendor might claim the system uses a one-time-pad (OTP), which is provably
unbreakable. Technically, the encrypted output of an OTP system is equally
likely to decrypt to any same-size plaintext. For example,

  598v *$_+~ xCtMB0

has an equal chance of decrypting to any of these:

  the answer is yes
  the answer is no!
  you are a weenie!
========//////////////////////=========================================

This argument is assuming you are dealing with text or some form
of recognition. You can have a "one time pad" for file data too.

Let's say you make a bit mapped image file,
with NO error detection (very important).
(jpg has error detection)

Like T.V. screen pixels, you would have three colors and various shades.
In this "color t.v." image form you would load a favorite picture.
On to this picture you would HAND write a message using a utility
program. You could even use various colors for text, also the picture
and gestures themselves could signify a military message.

Now even if you encrypted this message using a NON-random key
there would be no way for a computer using brute force method
to recognize the image unless it had human intelligence;
and humans are too slow for brute force attacks.

=======////////////////////============================================

OTPs are seriously vulnerable if you ever reuse a pad. For instance, the
NSA's VENONA project [4], without the benefit of computer assistance,
managed to decrypt a series of KGB messages encrypted with faulty pads. It
doesn't take much work to crack a reused pad.

============

On the other hand the one-time pad is _not_ secure if a key K is used
  for more than one plaintext: i.e., there are nontrivial
  multiple-ciphertext attacks. So to be properly used a key K must be
  thrown away after one encryption. The key is also called a ``pad'';
  this explains the name ``one-time pad.''

==========////////////////////////////////==============================

Again this refers mainly to text encryptions. The major danger
to repeated keys is, compromise/ guess of the message,
which can be used to solve for the key.
If I encrypt TWO images (with the method I mentioned above)
using the SAME key, with my program,
anyone out there willing to break it?


============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
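The two one-time-pad properties this exchange argues about, shown in working code as an added example (it is not code from the thread or from the "Topsecret" program): with a fresh uniformly random pad, a ciphertext is consistent with every same-length plaintext, and with a reused pad the XOR of two ciphertexts equals the XOR of the two plaintexts, so the pad cancels out. The second part runs the same check on two small constructed 1-bit images, which is the case the poster asks about: where the two pictures agree the result is 0, so the shape of the difference is visible without the key. The messages, pad and bitmaps are constructed for the demonstration.

```python
"""Added example: perfect secrecy of a fresh pad, and the leak from a reused
one, on bytes and on constructed 1-bit images."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR pad: encryption and decryption are the same operation."""
    return xor_bytes(data, pad)


def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` decrypts to `candidate`.

    One exists for every candidate of the same length, so a ciphertext under
    a fresh, uniformly random pad is equally consistent with every plaintext
    (the 'equally likely' claim quoted in the post)."""
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the SAME pad: c1 ^ c2 == p1 ^ p2.

    The pad cancels, so the relation between the plaintexts is exposed
    without any knowledge of the pad. This is why a pad is one-time."""
    return xor_bytes(c1, c2)


# Constructed 8x8 1-bit "images": a filled block and a hollow frame.
BLOCK = [[1] * 8 for _ in range(8)]
FRAME = [[1 if r in (0, 7) or c in (0, 7) else 0 for c in range(8)]
         for r in range(8)]


def rows_to_bytes(rows) -> bytes:
    """Pack each row of 8 pixels into one byte (no checksum, no header)."""
    return bytes(int("".join(str(b) for b in row), 2) for row in rows)


def bytes_to_rows(data: bytes):
    return [[(byte >> (7 - i)) & 1 for i in range(8)] for byte in data]


def render(rows) -> str:
    return "\n".join("".join("#" if b else "." for b in row) for row in rows)


def image_reuse_demo(pad=None):
    """Encrypt both images with one pad and XOR the ciphertexts.

    Returns BLOCK ^ FRAME as pixel rows: every pixel where the two pictures
    agree comes out 0, so the difference between them is recovered with no key."""
    p1, p2 = rows_to_bytes(BLOCK), rows_to_bytes(FRAME)
    pad = pad if pad is not None else secrets.token_bytes(len(p1))
    c1, c2 = otp(p1, pad), otp(p2, pad)
    return bytes_to_rows(two_time_pad_leak(c1, c2))


if __name__ == "__main__":
    msg = b"the answer is yes"           # constructed, 17 bytes like the quoted example
    pad = secrets.token_bytes(len(msg))
    c = otp(msg, pad)
    for alt in (b"the answer is no!", b"you are a weenie!"):
        assert otp(c, pad_consistent_with(c, alt)) == alt
    print(render(image_reuse_demo()))
```

The image demonstration generalises the poster's text-only worry: pad cancellation does not depend on the data being text or on any error-detection bytes, only on the pad being used twice.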

------------------------------

From: SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
Subject: Re: Export restrictions
Date: Wed, 21 Apr 1999 19:49:46 GMT

In article <[EMAIL PROTECTED]>,
  Kent Briggs <[EMAIL PROTECTED]> wrote:
> JCA wrote:
>
> >     How do export restrictions work? I only hear about key lengths, but
> > I guess that algorithms must be taken into account as well; after all,
> > it
> > would be dead easy to come up with a completely idiotic encryption
> > algorithm with a, say, 128 bits key. Would Uncle Sam frown if anyone
> > tries to export it? (Maybe nobody would want to buy it but, you never
> > know: suckers are a dime a dozen.)
>
> The BXA has set aside a few specific algorithms for "fast track" approval
> at 56-bit key strength.  All encryption apps require a one-time review
> before export is allowed so the algorithm is definitely taken into
> consideration.  When the limit was at 40 bits, the NSA would not let me
> export a Blowfish app at 40 bit strength.  I had to go down to 32 bits.  I
> assume Blowfish's slow key schedule was a factor there.
>

  I think this reinforces my view that if the NSA cannot break it
or find the solution in a trivial amount of time, they would not
approve it. If it is approved for export in the current climate
then the method is useless.  If the NSA can break it so can the
Chinese. So never use anything that is approved under the current
set of rules.

David A. Scott
--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
to email me use address on WEB PAGE

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
From: [EMAIL PROTECTED] (Leonard R. Budney)
Date: 21 Apr 1999 15:43:53 -0400

"Trevor Jackson, III" <[EMAIL PROTECTED]> writes:

> Steven Alexander wrote:
> > If I learn to break the ciphers of others and use my experience to
> > create a new cipher that others cannot break it will be listened
> > to because I am known to be knowledgeable in how ciphers work...
> 
> There's a name for this attitude.  It's called the Aristotelean Fallacy
> -- the appeal to authority.  It dominated science for centuries, and
> science suffered for it.

An appeal to authority is invalid under two conditions. First, if the
claim is subject to rigorous proof--making opinion irrelevant. Second,
if the authority appealed to is not a legitimate authority in a
relevant area. See
<http://www.nizkor.org/features/fallacies/appeal-to-authority.html>.

When rigorous proof is not available, then the opinion of an expert
constitutes the best information to be had. Under that condition, the
best expert is the one with the longest experience and the most
successes.

> The fact that the best (only) standard we have for judging ciphers
> and their implementations is that of Brand Names indicates just how
> young/volatile/immature the field is.

Perhaps, but not necessarily. It is probable that Goedel's
Incompleteness Theorem implies that the strength of at least some
algorithms cannot be determined, even theoretically (forgive my
speculating aloud here). Further, it might turn out that all
'measurable' algorithms turn out to be weak--with some definition of
weak--implying that the non-measurable algorithms are the ONLY
interesting ones.

Remember, Fermat's last theorem went unproven for more than 350
years. Huge quantities of number-theoretic research arose directly out
of attempts to prove or disprove the theorem.

Remember, too, that many mathematical cranks turned up with "proofs"
of Fermat's theorem (and the four color theorem, and...). Call it
arrogant, but mathematicians tend to treat them with a priori
scepticism, given that 350 years of experts failed to turn up a
proof. One is quite justified in seriously doubting that Joe Blow from
Podunk has stumbled upon a solution.

Such considerations suggest, at least to me, that
"crypto-engineering", by which we might crank out ciphers of known
strength, is probably a pipe-dream.

BTW this example has a bearing on our confidence in RSA. It is doubted
that polynomial-time factoring of primes is possible, just as it is
doubted that NP = P. Further, it is conjectured that cracking RSA
without factoring is not possible (absent other data, such as
decryption timings). Why are these conjectures made?  Because a
generation or so of experts and geniuses haven't resolved these
problems. If the NSA has, then they've almost certainly made one of
the great discoveries of the century. Of course, they're not talking.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Len Budney                 |  Designing a cipher takes only a
Maya Design Group          |  few minutes.  The only problem is
[EMAIL PROTECTED]            |  that almost all designs are junk.
                           |              -- Prof. Dan Bernstein
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Can a Java or Active-x program get your keys??????
Date: Wed, 21 Apr 1999 21:35:11 GMT


> Isn't there a way to set up a "sand box" for Java to play in?
> Just limit the directories that Java and Active-x have access to.
> On my machine it's easy, Java and Active-x are disabled :-)
> The only problem is that my browser crashes on lots of web pages
> :-\

It's my belief that Java has no file operations, so maybe only through a
network, but the network would have to give access to the user...

Tom

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: RC6 new key standard from AES conference?
Date: Wed, 21 Apr 1999 21:39:43 GMT


>
> I still have a hard time understanding why smart cards use 15 year old
> microprocessor technology.  Things like 32 bit multipliers used to
> be expensive, but in these days of 0.18 micron linewidths I don't
> see the issue.  The smart cards that are being used for reference
> in these discussions seem to suffer, most of all, from absurdly low
> amounts of memory given the state of the art even of some years
> ago.
>
> I suppose it's nice to keep using the design investment of 5 years
> ago, but is that a prudent basis on which to evaluate cryptosystems?

Well first off most CPUs from 15 years ago are still good (8051, Z80, etc...).
Newer ones (AVR, Motorola) are good, but more expensive.

However, a custom ASIC with a cipher core, could be made in volume for a lot
cheaper and be a lot faster too...

Tom

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Wed, 21 Apr 1999 21:45:14 GMT


> Who said anything about "precisely 0.250000..."? Suppose the
> probability of a 1-bit is .75, and the probability of a 0-bit is .25?
> then the probability of "0-1" is .25 * .75, while the probability of
> "1-0" is .75 * .25, or 0.1875 - but they're still equal.
>

Well they would have to be exactly 0.25 over the *entire* sequence.  Over a
short sequence it could have bias however.

Tom

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
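The fact quoted above, that P(01) and P(10) are equal for independent bits whatever the bias, is what the von Neumann debiasing procedure relies on. This added example (not code from the thread) runs it over a constructed biased bit source: pairs are read without overlap, 00 and 11 pairs are dropped, and the first bit of each 01 or 10 pair is kept. It assumes the bits are independent; it does not repair a correlated source, which is the reservation behind the reply about short sequences.

```python
"""Added example: von Neumann debiasing over a constructed biased source."""
import random


def biased_bits(n: int, p_one: float, seed: int = 1):
    """Constructed source: independent bits, each 1 with probability p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def fraction_of_ones(bits) -> float:
    return sum(bits) / len(bits) if bits else 0.0


def pair_counts(bits):
    """Count non-overlapping pairs; 01 and 10 should be about equally common
    for independent bits, regardless of the bias."""
    counts = {"00": 0, "01": 0, "10": 0, "11": 0}
    for i in range(0, len(bits) - 1, 2):
        counts[f"{bits[i]}{bits[i + 1]}"] += 1
    return counts


def von_neumann(bits):
    """Keep the first bit of each differing pair, drop 00 and 11 pairs.

    P(01) = p*q = P(10), so the kept bits are unbiased. Requires independent
    bits; correlated bits are not fixed by this step."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def expected_yield(p_one: float) -> float:
    """Output bits per input bit: a pair is kept with probability 2pq and
    produces one bit from two, giving p*q per input bit."""
    return p_one * (1 - p_one)


if __name__ == "__main__":
    src = biased_bits(200_000, 0.75)
    out = von_neumann(src)
    print(f"source bias {fraction_of_ones(src):.3f}, "
          f"output bias {fraction_of_ones(out):.3f}, "
          f"yield {len(out) / len(src):.3f} "
          f"(expected {expected_yield(0.75):.3f})")
```

With p = 0.75 the source keeps about 0.1875 output bits per input bit, which is the price of removing the bias; a source with bias close to 0.5 wastes much less.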

------------------------------

Subject: Re: Adequacy of FIPS-140
From: [EMAIL PROTECTED] (Leonard R. Budney)
Date: 21 Apr 1999 18:10:39 -0400

[EMAIL PROTECTED] (R. Knauer) writes:

> On 15 Apr 1999 12:50:57 -0400, [EMAIL PROTECTED] (Patrick Juola)
> wrote:
> 
> >If need be, he can employ an exhaustive search technique.  There
> >are, after all, probably fewer than a trillion documents on the
> >Web...
> 
> Again, you make it sound so easy when in reality it is far from
> easy.

I would agree that an exhaustive search is not easy. However, text
pulled from the web does suffer the same drawbacks as a book code:
popular books offer a high probability of success; and human
engineering is possible. For example, an ardent Christian is likely
to use a Bible, hymnal, or some such.

In the case of web documents, lots of human engineering is
available. Proxy logs can be reviewed, network traffic (and hence
viewing habits) scanned, altavista queries can isolate the few
hundreds or thousands of documents reflecting strong interests,
hobbies, etc.

Len.

-- 
68. Go not thither, where you know not, whether you Shall be Welcome or
not. Give not Advice without being Ask'd & when desired do it briefly.
  -- George Washington, "Rules of Civility & Decent Behaviour"

------------------------------

From: John Matzen <[EMAIL PROTECTED]>
Subject: Question about DH keys?
Date: Wed, 21 Apr 1999 17:07:12 -0500

Are the keys in Diffie-Hellman interchangeable?  That is, can I encode a
session key with the public key and decode it with the private key, and
vice versa?
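An added example (not from the thread) of what the two sides of a Diffie-Hellman exchange actually compute. Diffie-Hellman does not encrypt anything with a public value; each party combines its own private exponent with the other party's public value and both arrive at the same shared secret, from which a session key is derived. The modulus and generator below are toy values chosen for the demonstration, not a standardised group; the hypothetical `validate_public` check rejects the degenerate values 0, 1 and p-1 that a receiver should never accept.

```python
"""Added example: a Diffie-Hellman exchange carried through to a session key."""
import hashlib
import secrets

P = 2 ** 127 - 1   # constructed toy modulus (a Mersenne prime); use a standard group in practice
G = 2              # toy generator for the demonstration


def private_key() -> int:
    """Random exponent in [2, P-2]."""
    return 2 + secrets.randbelow(P - 3)


def public_value(priv: int) -> int:
    """g^priv mod p; this is the value sent to the other party."""
    return pow(G, priv, P)


def validate_public(pub: int) -> int:
    """Hypothetical receiver-side check: 0, 1 and p-1 give a trivial shared
    secret regardless of the private exponent, so refuse them."""
    if not 2 <= pub <= P - 2:
        raise ValueError("rejected degenerate Diffie-Hellman public value")
    return pub


def shared_secret(my_priv: int, their_pub: int) -> int:
    """Each side raises the other's public value to its own private exponent;
    both obtain g^(ab) mod p. Nothing here decrypts with the private key."""
    return pow(validate_public(their_pub), my_priv, P)


def session_key(shared: int) -> bytes:
    """Derive a fixed-size symmetric key from the shared secret (SHA-256)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange():
    """Run both ends of the exchange; returns (alice_key, bob_key)."""
    a, b = private_key(), private_key()
    A, B = public_value(a), public_value(b)
    # Only A and B travel over the wire; a and b never leave their owners.
    return session_key(shared_secret(a, B)), session_key(shared_secret(b, A))


if __name__ == "__main__":
    ka, kb = exchange()
    print("same session key on both sides:", ka == kb)
```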



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
