Cryptography-Digest Digest #456, Volume #9 Sat, 24 Apr 99 01:13:03 EDT
Contents:
Re: RSA-Myth (Jim Felling)
Re: RSA-Myth ("Trevor Jackson, III")
Re: True Randomness & The Law Of Large Numbers (R. Knauer)
Re: True Randomness & The Law Of Large Numbers (R. Knauer)
Re: Adequacy of FIPS-140 (R. Knauer)
Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO (SCOTT19U.ZIP_GUY)
Sci/Tech Book E-mail Service ([EMAIL PROTECTED])
Re: RSA-Myth (Matthias Bruestle)
Re: about analysis (let's see if I can explain this better...) ([EMAIL PROTECTED])
Re: Not a PGP Expert (David Hamilton)
Re: testing encrypted files (Ronan Harle)
Scramdisk/Norton query ("N")
May be wrong place to ask this... (Bob Novell)
Blowfish to appear in PGP? ([EMAIL PROTECTED])
Re: choosing g in DH (Phil Howard)
Re: Blowfish to appear in PGP? (Paul Rubin)
----------------------------------------------------------------------------
From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: RSA-Myth
Date: Fri, 23 Apr 1999 15:03:23 -0500
[EMAIL PROTECTED] wrote:
> What is RSA approach?
> All you know, what is RSA encryption. Let us think about
> implementations. All known quick prime numbers generator
> algorithms deal with a probability, that a candidate is a
> prime number.
True so far.
>
> The low is: how much time is needed to generate
> quasi primes used for business RSA encryption, the same order
> of time using same algorithms is needed for RSA modulus
> decomposition.
False. I can generate/evaluate candidate primes much faster than I can
factor numbers. There are many tests to determine if a number is prime
that do not rely on factoring that number.
> This provides us with security with proportion
> of null to billion. Would an RSA-PGP vendor spend billion of
> years for generating of huge primes, it would take the same
> order of time for Brute Force decomposition attacks. But this
> is not the case. All RSA and RSA-PGP approach are mystification.
> From nothing goes nothing. Due to my opinion RSA and RSA-PGP are
> security spam.
>
> Well, Bob Silverman, what can you say now?
>
> Alex
>
> www.online.de/home/aernst
>
> -----------== Posted via Deja News, The Discussion Network ==----------
> http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
Date: Sat, 24 Apr 1999 09:18:37 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: RSA-Myth
Did you receive my comments on your prime number generator?
[EMAIL PROTECTED] wrote:
>
> What is RSA approach?
> All you know, what is RSA encryption. Let us think about
> implementations. All known quick prime numbers generator
> algorithms deal with a probability, that a candidate is a
> prime number. The low is: how much time is needed to generate
> quasi primes used for business RSA encryption, the same order
> of time using same algorithms is needed for RSA modulus
> decomposition. This provides us with security with proportion
> of null to billion. Would an RSA-PGP vendor spend billion of
> years for generating of huge primes, it would take the same
> order of time for Brute Force decomposition attacks. But this
> is not the case. All RSA and RSA-PGP approach are mystification.
> From nothing goes nothing. Due to my opinion RSA and RSA-PGP are
> security spam.
>
> Well, Bob Silverman, what can you say now?
>
> Alex
>
> www.online.de/home/aernst
>
> -----------== Posted via Deja News, The Discussion Network ==----------
> http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sat, 24 Apr 1999 00:24:04 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 23 Apr 1999 22:34:08 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:
>If R. Knauer does
>not like the FIPS-140 monobit test for RNG testing, what test *would*
>he like?
Treating the TRNG as a piece of scientific equipment.
Bob Knauer
"As nightfall does not come at once, neither does oppression. In both
instances, there's a twilight where everything remains seemingly unchanged,
and it is in such twilight that we must be aware of change in the air,
however slight, lest we become unwitting victims of the darkness."
-- Supreme Court Justice William O. Douglas
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sat, 24 Apr 1999 00:29:24 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 23 Apr 1999 22:34:08 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:
>In this instance I'll support R. Knauer:
Omigod! What has the world come to? I'm afraid to ask. :-)
Must be more of that damnable quantum randomness at work.
Bob Knauer
"As nightfall does not come at once, neither does oppression. In both
instances, there's a twilight where everything remains seemingly unchanged,
and it is in such twilight that we must be aware of change in the air,
however slight, lest we become unwitting victims of the darkness."
-- Supreme Court Justice William O. Douglas
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Adequacy of FIPS-140
Date: Sat, 24 Apr 1999 00:35:38 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 23 Apr 1999 22:20:11 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:
>No assumptions. For the unicity distance to be finite, the plaintext
>cannot have maximal entropy, i.e. it can't be completely patternless,
>but the expected plaintext entropy enters into the unicity calculation.
If you have a message of length, say 1 million bits, to hide then a
128-bit key is a really poor way to do it. Of the 2^128 possible
messages, only one of them can be the correct message based on
intelligibility.
That cannot be said for the case where the key length is the same as
the message length. In that case, any message is possible on an equal
basis, and that includes ALL intelligible messages.
There has to be something to say about that, and it is provable
security.
Bob Knauer
"As nightfall does not come at once, neither does oppression. In both
instances, there's a twilight where everything remains seemingly unchanged,
and it is in such twilight that we must be aware of change in the air,
however slight, lest we become unwitting victims of the darkness."
-- Supreme Court Justice William O. Douglas
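The calculation behind the two cases Knauer contrasts above (a 128-bit key versus a key as long as the message), as an added example that is not part of the post: Shannon's unicity distance U = H(K)/D and the expected count 2^(H(K) - n*D) of wrong keys that still decrypt to something intelligible. The redundancy figure of 3.2 bits per 8-bit character of English is an assumed round number, and the function names are mine.

```python
import math

# Added illustration, not from the post: unicity distance arithmetic.
ENGLISH_REDUNDANCY = 3.2   # assumed bits of redundancy per 8-bit character
BITS_PER_CHAR = 8


def unicity_distance_chars(key_bits, redundancy=ENGLISH_REDUNDANCY):
    """U = H(K) / D: the ciphertext length (in characters) beyond which, on
    average, only a single key yields an intelligible plaintext."""
    return key_bits / redundancy


def log2_spurious_keys(key_bits, msg_chars, redundancy=ENGLISH_REDUNDANCY):
    """log2 of the expected number of *wrong* keys whose decryption still
    passes as plaintext: 2^(H(K) - n*D) for an n-character message."""
    return key_bits - msg_chars * redundancy


def plaintext_is_unique(key_bits, msg_chars, redundancy=ENGLISH_REDUNDANCY):
    """True once the message is well past the unicity distance, i.e. the
    expected number of spurious keys has dropped below one."""
    return log2_spurious_keys(key_bits, msg_chars, redundancy) < 0


def report(key_bits, msg_bits, redundancy=ENGLISH_REDUNDANCY):
    """Summarise both quantities for a message of msg_bits bits."""
    msg_chars = msg_bits / BITS_PER_CHAR
    return {
        "unicity_distance_chars": unicity_distance_chars(key_bits, redundancy),
        "message_chars": msg_chars,
        "log2_spurious_keys": log2_spurious_keys(key_bits, msg_chars, redundancy),
        "unique": plaintext_is_unique(key_bits, msg_chars, redundancy),
    }


if __name__ == "__main__":
    MESSAGE_BITS = 1_000_000
    for key_bits in (128, MESSAGE_BITS):          # short key vs. key == message length
        r = report(key_bits, MESSAGE_BITS)
        print(f"H(K)={key_bits} bits: U={r['unicity_distance_chars']:.0f} chars, "
              f"message={r['message_chars']:.0f} chars, "
              f"log2(spurious keys)={r['log2_spurious_keys']:.0f}, unique={r['unique']}")
```

With a 128-bit key the unicity distance is about 40 characters, so a 125,000-character message leaves an expected 2^(128 - 400,000) spurious keys, effectively none: the intelligible decryption is the message. When the key is as long as the message, log2 of the spurious-key count is n*(8 - D), which is never negative for D <= 8, so every intelligible text of that length remains a candidate, which is the one-time-pad situation the post describes.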
------------------------------
From: SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
Subject: Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO
Date: Fri, 23 Apr 1999 19:41:21 GMT
In article <[EMAIL PROTECTED]>,
"Trevor Jackson, III" <[EMAIL PROTECTED]> wrote:
>...
> Perhaps. But for a large file containing binary data it _will_ be
> smaller than overloading another character that is expected to appear
> filesize/256 times.
> In other words, if the file is small compression doesn't save you much.
> If the file is large compression can save you a lot of space, but
> overloading a character that appears in the file reduces that advantage.
I am lost in your English! Do you have hard examples like I provide
at my site?
> > 2) You still have the problem of the fact that when you compress
> > you don't know which bit the last symbol will end on. What do you
> > do with the remaining bits? If you zero-fill them, as a rule then when
> > you decompress, what happens if you decompress the same file with
> > not all bits zero? This means that not all files have a one-to-one
> > transformation from the compressed to the noncompressed state.
>
> No. Absolutely not. The extra bits in the last element are treated
> identically to the extra bytes in the last sector -- they are ignored.
I am not 100% sure what you are suggesting. I think you have to realize
that when one is trying to break a file that is encrypted, if one tries
a test key, there should be no knowledge that the resulting file is
not a valid compressed file by the method of compression that was used
to compress it. In other words, if an enemy decompresses this test file
and then recompresses with the actual method in use, he should get back
the same file as he started with. The whole key is that no information
should be in the guess file where an attacker could rule it out as a
legally compressed file.
If you are suggesting that the extra bits at the end are ignored, then
what is placed in those bits? If it is random then I guess that
would be acceptable. But you still have the problem that if one
uncompresses a guess file by using a wrong key, it is highly unlikely
that the last symbol before the file ends will be the EOF symbol
as a result of the compression. And then the enemy could immediately
rule it out as invalid.
Don't take me wrong the NSA would never do this in a blind guess key
then test. But if the weakness is there they will mathematically
exploit the weakness to rule out many guesses automatically. The
compression should be such that no mathematical weaknesses exist
in the first place.
David A. Scott
--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
to email me use address on WEB PAGE
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
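The round-trip criterion Scott states above (decompress, then recompress with the real method, and you must get the same bytes back) and Jackson's remark that trailing padding bits are simply ignored, as an added self-test that is not part of either post. The toy compressor below is constructed for this illustration: a two-symbol prefix code with an explicit EOF symbol and zero padding to a byte boundary, which is the kind of format Scott objects to. `round_trip_ok` is the check a format designer can apply; `count_valid` measures how many arbitrary byte strings survive it.

```python
# Added illustration, not from the thread: checking a compressor for the
# "one-to-one" property. Constructed toy code: 'a' -> 0, 'b' -> 10, EOF -> 11,
# then zero padding to the next byte boundary.
CODE = {"a": "0", "b": "10"}
EOF = "11"


def compress(text):
    """Encode text over {a, b}, append EOF, zero-pad to a whole byte."""
    bits = "".join(CODE[ch] for ch in text) + EOF
    bits += "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decompress(data):
    """Decode up to the EOF symbol. Returns the text, or None when the bit
    stream runs out before a complete EOF symbol is seen. Like the scheme
    Jackson describes, anything after EOF is ignored here."""
    bits = "".join(f"{b:08b}" for b in data)
    out, i = [], 0
    while i < len(bits):
        if bits[i] == "0":                       # code '0'  -> 'a'
            out.append("a")
            i += 1
        elif i + 1 < len(bits) and bits[i + 1] == "0":   # code '10' -> 'b'
            out.append("b")
            i += 2
        elif i + 1 < len(bits):                  # code '11' -> EOF
            return "".join(out)
        else:                                    # lone trailing '1'
            return None
    return None


def round_trip_ok(data):
    """Scott's criterion: decompressing and recompressing must reproduce the
    exact input bytes. Fails when no EOF is reached, when EOF lands so early
    that recompression is shorter, or when the padding bits are not zero."""
    text = decompress(data)
    return text is not None and compress(text) == data


def count_valid(nbytes):
    """Number of the 256**nbytes byte strings of that length that pass the
    round trip, i.e. that could be output of this compressor at all."""
    return sum(round_trip_ok(n.to_bytes(nbytes, "big")) for n in range(256 ** nbytes))


if __name__ == "__main__":
    print(compress("ab").hex(), decompress(compress("ab")))
    for n in (1, 2):
        v = count_valid(n)
        print(f"{n}-byte strings: {v} of {256 ** n} ({100 * v / 256 ** n:.1f}%) survive the round trip")
```

For one-byte strings only 33 of 256 survive (the texts whose code fits in six bits plus EOF), so roughly 87% of arbitrary inputs are recognisably not this compressor's output; a format that passes Scott's test would return 100% at every length. The helper is deliberately small so the exhaustive count runs instantly; the same check applies to a real compressor by sampling random inputs instead of enumerating them.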
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: sci.math,misc.education
Subject: Sci/Tech Book E-mail Service
Date: Fri, 23 Apr 1999 20:03:13 GMT
I work for Springer-Verlag Publishers, and I wanted to describe a new e-mail
bulletin service we've just made available. You can sign up to receive free,
regular bulletins (not more than once a month) on new books, special sales,
and subscriber-only discounts. And there are bulletins in a variety of
disciplines, including computer science, mathematics, engineering, and more.
Signing up is very easy. Just go to this page:
http://www.springer-ny.com/cgi-bin/ebultn_subscribe.pl
The Computer Science bulletin has been going for seven months now. If you'd
like to view the archive of past bulletins, go to:
http://www.springer-ny.com/compsci/ebulletin.html
Also, the Springer homepage is located at:
http://www.springer-ny.com/
I think you'll find the service worth it - I hope you can take a look.
Best regards,
Jason Roth
Product Manager
Computer Science
[EMAIL PROTECTED]
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] (Matthias Bruestle)
Subject: Re: RSA-Myth
Date: Fri, 23 Apr 1999 20:58:21 GMT
Mahlzeit
Jim Felling ([EMAIL PROTECTED]) wrote:
> [EMAIL PROTECTED] wrote:
> > The low is: how much time is needed to generate
> > quasi primes used for business RSA encryption, the same order
> > of time using same algorithms is needed for RSA modulus
> > decomposition.
> False. I can generate/evaluate candidate primes much faster than I can
> factor numbers. There are many tests to determine if a number is prime
> that do not rely on factoring that number.
Even if you would have to factor the numbers it is not correct.
When the modulus has the length n you only have to factor two
numbers with length n/2 which is much easier.
Mahlzeit
endergone Zwiebeltuete
--
PGP: SIG:C379A331 ENC:F47FA83D I LOVE MY PDP-11/34A, M70 and MicroVAXII!
--
'If you want a picture of the future, imagine a boot stamping on a human
face - forever. And remember that it is forever' (Orwell, 1984)
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: about analysis (let's see if I can explain this better...)
Date: Sat, 24 Apr 1999 00:54:56 GMT
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
> It just never occurred to me to look at this closely enough to see this,
> after-the-fact "obvious" weakness. But if that weakness were fixed, by
> doing the multiplication modulo 2^32+13, as one cipher does it, or by
> changing the operation to a # b, defined as (a*b) + (a xor b), in my
> ignorance it seems like a reasonably strong cipher results.
Yeah but that would require larger multiplication results.
What about a # b, where has that been used before and is it generally
strong? (non-linear?)
Tom
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.0.2i
iQA/AwUBNyEVAPIPgV4W6pz7EQJp3wCgq1zrtrPrGGSWNMlfGY7mUVr5SWQAoJIb
QtC4aqZM6yGClM7fiAB5+9XB
=RBqq
=====END PGP SIGNATURE=====
--
PGP public keys. SPARE key is for daily work, WORK key is for
published work. The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] (David Hamilton)
Subject: Re: Not a PGP Expert
Date: Fri, 23 Apr 1999 21:58:21 GMT
=====BEGIN PGP SIGNED MESSAGE=====
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
(snip)
> THAT'S ENOUGH
> PGP is not quite as safe as this individual has led you to
>believe. It has some major weaknesses. First, I have not seen the
>source code since 2.6.3 and am not sure if one can look at current
>source code.
One can. So why don't you? You can then update your claims.
> But there are at least 3 major weaknesses in the
>method of encryption.
If true, what do you believe the consequences of these are?
> 1) the compression method itself does not make a file that is
>free of information an attacker could use. See my web site
>for discussion of how compression should be done before encryption.
> 2) the method does an early check before all the data is in
>to see if the correct password was entered. The NSA has the
>world's brightest and highest paid mathematicians for a reason
The USA NSA may have the world's highest paid mathematicians ... but there is
no evidence to suggest they are the world's brightest. Can you prove that the
dimmest USA NSA mathematician is brighter than the brightest Chinese,
European, Indian, Japanese and Russian (put in your own favourite
country/continent) mathematicians? And brighter than the brightest USA
non-NSA mathematician?
>do you really think they blindly check each key.
It might make sense to try a limited brute force attack.
>Don't you
>think they could have means of skipping whole classes of keys
>instead of using a dumb blind search.
IDEA has a class of weak keys - one chance in 2**96 of generating one - and,
apparently, modification to avoid these is simple.
> 3) the chaining method in PGP is one of the very weakest.
>If they wanted security "wrapped PCBC" could have been used.
>
>David A. Scott
David Hamilton. Only I give the right to read what I write and PGP allows me
to make that choice. Use PGP now.
I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use. Do use:-
2048bit rsa ID=0xFA412179 Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
Both keys dated 1998/04/08 with sole UserID=<[EMAIL PROTECTED]>
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
Comment: Signed with 2048 bit RSA key
iQEVAwUBNyDrD8o1RmX6QSF5AQEd4QgAoavPM8eq0CauVIDCaAjODBQZxogRHohn
BVowuceWSBmW1Gcs7tYlMMTr2QGRi2eOTJLD8X725oAyfXOAQ+8efo9QVpfWyEUb
ftkAA9L0BfZ54oZGBnU5wpl+Oy1/z9ThQ6V+82X2N0Z5xkzHb3QR6wVKY6KqhHDp
AFnGJzPm3rOq2MzWZXf4VVkPvLlJOVm/IHyljQKIDBeS/YgjVOVn5gHrgI4s96bs
PEPKV/BOuzspg3U1XUKLuJ9utVdJR6vi48R/NbrmjnrVHv7Jl2tG9iIwj0WmqmKD
DyIF505lPKaNSBo3sTfsP+UU9HSSbpn3lqCEqEBZazchd+/U1hbT9A==
=eIZg
=====END PGP SIGNATURE=====
------------------------------
From: Ronan Harle <[EMAIL PROTECTED]>
Subject: Re: testing encrypted files
Date: Sat, 24 Apr 1999 00:21:43 +0200
> I don't know about their reliability. How do you measure
> entropy?
There is a FAQ about passwords on http://www.pgpi.com that contains a
lot of info about entropy. I don't remember the exact name, but it's
something like "Password FAQ" or "Passphrases FAQ". There are some
formulae for random character passwords, randomly chosen words, etc.
You should check it if you're interested.
--
Ronan Harle ([EMAIL PROTECTED])
"The world is moving so fast these days that the person who says it
can't be done is generally interrupted by someone doing it."
--Fosdick
------------------------------
From: "N" <[EMAIL PROTECTED]>
Subject: Scramdisk/Norton query
Date: Fri, 23 Apr 1999 23:44:45 GMT
Can anyone tell me why deleted files with an SVL extension keep appearing in
my Norton protected recycle bin, even though no container files have been
loaded or deleted and the Scramdisk utility program has not been running?
When I remove them from the bin, they always reappear, often within minutes!
They normally have a name such as 00000011.svl or 00007337.svl, for example,
and range in size from 20K to 200Mb! I have tried excluding this file
extension from Norton Protection, but to no avail. Norton cannot identify
which program deleted them, but since the Scramdisk utility program isn't
running, presumably it must be the work of the driver SD.VXD?
It does seem to be a gross waste of space for spurious files as large as
200Mb to be taking up this kind of space continually!
Thanks
N
------------------------------
From: Bob Novell <[EMAIL PROTECTED]>
Subject: May be wrong place to ask this...
Date: Fri, 23 Apr 1999 21:23:41 -0700
I located a site with links to some of the source from the Applied
Cryptography book, but many are tar.gz and c.gz files.
Being a DOS/Windows user, I don't know how to unarchive these files.
Can anyone point me in the direction of a utility or such that will
handle these files?
The site I found is:
http://website-1.openmarket.com/techinfo/applied.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: Blowfish to appear in PGP?
Date: Sat, 24 Apr 1999 02:50:08 GMT
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
I wonder if PGP will support Blowfish in the next version? I
wouldn't go out of my way to use it, but
if I had to remake my keys I might have chosen it.
BTW, just as an overview, are
CAST, IDEA and Blowfish
of similar strength to known attacks? Do they require about the same
effort?
Tom
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.0.2i
iQA/AwUBNyEv/vIPgV4W6pz7EQKfcwCeIEvXZt+6UAM4mvDoFHnwpytT5UUAoILR
B9x4BxzvlHv6g4x4My51z2bT
=n1Zr
=====END PGP SIGNATURE=====
--
PGP public keys. SPARE key is for daily work, WORK key is for
published work. The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] (Phil Howard)
Subject: Re: choosing g in DH
Date: Sat, 24 Apr 1999 03:10:51 GMT
On Fri, 23 Apr 1999 17:51:45 +0100 Michael Scott ([EMAIL PROTECTED]) wrote:
| Scott Fluhrer <[EMAIL PROTECTED]> wrote in message
| news:7fpime$[EMAIL PROTECTED]...
| > In article <7foqh5$[EMAIL PROTECTED]>,
| > "Roger Schlafly" <[EMAIL PROTECTED]> wrote:
| >
| > >
| > >Michael J. Fromberger wrote in message
| > ><7foilt$5r6$[EMAIL PROTECTED]>...
| > >>Actually, the value of g should be chosen to be a primitive element
| > >>(also known as a "generator") modulo p. A value g is a generator
| > >>modulo p if the smallest value x such that g^x = 1 (mod p) is (p - 1).
| > >
| > >No, the earlier advice was better. There are some attacks if g is a
| > >generator. It is safer to choose g to have prime order.
| >
| > That makes no sense. If you know a generator g in which you can
| > compute discrete logs, then you can compute discrete logs in any
| > base. Here's how:
| > ...snip
|
| Ah but it does make sense. The suggested use of a prime order generator is
| to avert certain active attacks on the DH algorithm, not to make the
| discrete log problem more difficult.
So now where can I find references on how to choose g to have prime order?
--
Phil Howard KA9WGN
[EMAIL PROTECTED] [EMAIL PROTECTED]
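How g of prime order is chosen in practice, as an added example that is not part of the thread: with a safe prime p = 2q + 1 (q prime), g = h^((p-1)/q) = h^2 mod p has order exactly q for any h that does not give 1, and a received public value can be checked for membership in that order-q subgroup before it is used, which is the mitigation Scott's reply alludes to. The toy parameters p = 23, q = 11, the helper names and the use of `element_order` (which brute-forces the order defined in Fromberger's quote, as "the smallest x such that g^x = 1 (mod p)") are constructed for this illustration; a deployed group would be 2048 bits or more.

```python
import secrets

# Added illustration, not from the thread: a prime-order g in a safe-prime
# group, plus the subgroup check applied to the peer's public value.


def is_prime(n):
    """Trial division; adequate for the toy parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def element_order(g, p):
    """Smallest x >= 1 with g^x = 1 (mod p). Brute force, demo-sized p only."""
    x, k = g % p, 1
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def prime_order_generator(p, q, h=2):
    """For a safe prime p = 2q + 1, g = h^((p-1)/q) mod p has order exactly q
    whenever g != 1: its order divides the prime q and is not 1."""
    if not (is_prime(p) and is_prime(q) and p == 2 * q + 1):
        raise ValueError("p must be a safe prime 2q+1 with q prime")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h lies in the trivial subgroup; choose another h")
    return g


def in_prime_order_subgroup(y, p, q):
    """Check a peer's public value: reject 0, 1, p-1 and anything outside the
    order-q subgroup, so a peer cannot force the shared secret into a tiny set."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_private(q):
    """Random exponent in [1, q-1] from the CSPRNG (not the random module)."""
    return 1 + secrets.randbelow(q - 1)


def dh_public(priv, g, p):
    return pow(g, priv, p)


def dh_shared(priv, peer_pub, p, q):
    """Derive the shared value only after the peer's value passes the check."""
    if not in_prime_order_subgroup(peer_pub, p, q):
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_pub, priv, p)


if __name__ == "__main__":
    p, q = 23, 11                                  # toy safe prime 23 = 2*11 + 1
    g = prime_order_generator(p, q)
    print(f"g={g} has order {element_order(g, p)}; 5 is a generator of order {element_order(5, p)}")
    a, b = dh_private(q), dh_private(q)
    A, B = dh_public(a, g, p), dh_public(b, g, p)
    print("shared:", dh_shared(a, B, p, q), dh_shared(b, A, p, q))
```

With p = 23 the element 5 generates the whole group (order 22) while g = 4 generates only the subgroup of order 11; values such as p - 1 = 22 (order 2) or 5 itself fail `in_prime_order_subgroup` and are refused before any exponentiation. The check costs one modular exponentiation per received value, which is cheap relative to the exchange itself.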
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Blowfish to appear in PGP?
Date: Sat, 24 Apr 1999 04:11:34 GMT
<[EMAIL PROTECTED]> wrote:
>I wonder if PGP will support Blowfish in the next version? I
>wouldn't go out of my way to use it, but
>if I had to remake my keys I might have chosen it.
I don't think so. CAST is pretty similar. I suggested Blowfish
as an alternative to IDEA a while back to PZ, but he was concerned
about its novelty and went with CAST instead (there was more published
analysis about CAST at the time, I guess).
>BTW, just as an overview, are
>
>CAST, IDEA and Blowfish
>
>of similar strength to known attacks? Do they require about the same
>effort?
All are at least pretty good, though IDEA is starting to show some
weaknesses (e.g. to the "impossible differential" attack). IDEA has a
much more innovative (and therefore, IMO, suspicious) design than the
other two.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************