Cryptography-Digest Digest #482, Volume #9 Thu, 29 Apr 99 16:13:03 EDT
Contents:
Re: Predicting calculator pseudo-random numbers (Klaus Pommerening)
blind signatures (Gianluca Dini)
Re: Common Passwords ("Stephane BARTHES")
Re: Predicting calculator pseudo-random numbers (Jim Gillogly)
Re: Random Number Generator announced by Intel (John Savard)
Re: Predicting calculator pseudo-random numbers (John Savard)
Re: Predicting calculator pseudo-random numbers (Jim Gillogly)
Re: blind signatures (Helger Lipmaa)
Re: Encrypted Phones (Medical Electronics Lab)
Re: Random Number Generator announced by Intel (mok-kong shen)
Re: Predicting calculator pseudo-random numbers (Jim Gillogly)
Re: Factoring breakthrough? (Paul Rubin)
Re: Factoring breakthrough? (Steve Tate)
Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO (SCOTT19U.ZIP_GUY)
Re: Factoring breakthrough? (DJohn37050)
Re: Commercial PGP for Linux? (Andrew Kay)
Re: Thought question: why do public ciphers use only simple ops like shift and XOR? ([EMAIL PROTECTED])
Re: Commercial PGP for Linux? (Chris Adams)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Klaus Pommerening)
Subject: Re: Predicting calculator pseudo-random numbers
Date: 29 Apr 1999 11:48:17 GMT
In <7g96g0$m8t$[EMAIL PROTECTED]> Geoff Lane wrote:
> Suppose you have a pocket calculator with a "random" button. From a limited,
> sequential list of generated numbers is it possible to determine the
> algorithm used and hence predict the sequence from any given point?
>
On
http://www.uni-mainz.de/~pommeren/Kryptologie/Material/lcgcrack.c
you find a little program that tests whether the generator is linear
congruential, and if so, determines the parameters.
For testing you can use the sequences from
http://www.uni-mainz.de/~pommeren/Kryptologie/Material/zuftab
http://www.uni-mainz.de/~pommeren/Kryptologie/Material/zuftab.[n]
where n = 0, ..., 5
--
Klaus Pommerening [http://www.Uni-Mainz.DE/~pommeren/]
Institut fuer Medizinische Statistik und Dokumentation
der Johannes-Gutenberg-Universitaet, D-55101 Mainz, Germany
PGP fingerprint: F5 03 CE E7 70 C2 8C 74 BA ED EC 60 83 3B 7C 89
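Pommerening's lcgcrack.c is not reproduced here. The following is an added Python example (not his program, and not from this post) implementing the same idea: given a short run of outputs from x[i+1] = (a*x[i] + c) mod m, recover m, a and c and predict the rest of the sequence. The sample generator (m = 31, a = 3, c = 5, seed 1) is constructed; the code applies unchanged to calculator-sized moduli, where more outputs make the gcd step more likely to land on m itself rather than on a small multiple.

```python
"""Recover the parameters of a linear congruential generator (LCG)
x[i+1] = (a*x[i] + c) mod m from a short run of its outputs, then predict
the following values.  Added example, not Pommerening's lcgcrack.c; the
sample generator used below is constructed."""
from functools import reduce
from math import gcd


def lcg(seed, a, c, m, n):
    """Constructed sample LCG: return the n outputs that follow the seed."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def _solve_a_c(xs, m):
    """Find a, c with x[i+1] == a*x[i] + c (mod m) for every i, else None."""
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    for i in range(len(t) - 1):
        if gcd(t[i] % m, m) != 1:
            continue                      # need an invertible difference
        a = (t[i + 1] * pow(t[i] % m, -1, m)) % m
        c = (xs[1] - a * xs[0]) % m
        if all((a * xs[j] + c) % m == xs[j + 1] for j in range(len(xs) - 1)):
            return a, c
        return None                       # a is forced; mismatch means m is wrong
    return None


def recover_lcg(xs, max_factor=64):
    """Return (a, c, m) consistent with the outputs xs, or None.

    Successive differences satisfy t[i+1] == a*t[i] (mod m), so
    t[i+1]*t[i-1] - t[i]**2 is a multiple of m; the gcd of several such
    values is m or a small multiple of it.
    """
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    mults = [abs(t[i + 1] * t[i - 1] - t[i] ** 2) for i in range(1, len(t) - 1)]
    g = reduce(gcd, mults, 0)
    if g <= 1:
        return None
    # The gcd may be a small multiple of m: try dividing it down and accept
    # the largest candidate that reproduces every observed output.
    for d in range(1, max_factor + 1):
        if g % d:
            continue
        m = g // d
        if m <= max(xs):                  # outputs must be smaller than m
            break
        ac = _solve_a_c(xs, m)
        if ac:
            return ac[0], ac[1], m
    return None


def predict_next(last, a, c, m, n):
    """Continue the sequence n steps from the last observed output."""
    return lcg(last, a, c, m, n)


if __name__ == "__main__":
    observed = lcg(1, 3, 5, 31, 10)       # constructed "calculator" outputs
    params = recover_lcg(observed)
    print("observed:", observed)
    print("recovered (a, c, m):", params)
    a, c, m = params
    print("next three:", predict_next(observed[-1], a, c, m, 3))
```

Six outputs already suffice for the toy generator; the verification inside `_solve_a_c` is what protects against accepting a multiple of m, which is the usual failure of the bare gcd trick.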
------------------------------
From: Gianluca Dini <[EMAIL PROTECTED]>
Subject: blind signatures
Date: Thu, 29 Apr 1999 14:50:50 +0200
Does anyone know any blind signature algorithm that is not based upon
RSA? Does any algorithm exist that is based upon El-Gamal, for example?
thanks
all the best
g. dini
--
=========================================================
Dr Gianluca Dini
Dipartimento di Ingegneria della Informazione
University of Pisa PHONE: +39-50-568549
Via Diotisalvi, 2 FAX : +39-50-568522
56126 Pisa EMAIL : [EMAIL PROTECTED]
Italy
=========================================================
------------------------------
From: "Stephane BARTHES" <[EMAIL PROTECTED]>
Subject: Re: Common Passwords
Date: Thu, 29 Apr 1999 09:29:22 -0400
Hi,
did you try recovery programs like the one found @
http://www.lostpassword.com/msofpass97.htm
Hope it helps
Stephane
Paul Rubin <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Nathan Christiansen <[EMAIL PROTECTED]> wrote:
> >What I am looking for is a list that contains what they use as their
> >password.
> >For Example:
> >
> >1. Spouse's name.
> >2. Spouse's name backwards.
> >3. Social Security Number.
> >
> >I'm helping a friend in the middle of a messy court case to view some
> >password protected Word 97 files so that they can be admitted as
> >evidence (instead of just hearsay).
>
> I think some studies have shown that maybe 50% of carelessly chosen
> passwords fall into these types of categories. If the opponent was
> careful at all, you'll never guess the password. If s/he was careless,
> your chances are still not that great.
>
> Word 97 uses RC4 encryption with a 40 bit key. You're probably better
> off attacking that directly.
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Predicting calculator pseudo-random numbers
Date: Thu, 29 Apr 1999 08:19:28 -0700
Piso Mojado wrote:
> It is a myth that computers cannot generate random numbers.
> A calculator is a computer. Please examine the random numbers that
> my computer generated and compare them with random numbers from
> a radioactive source. If you can tell which is which, please explain
> how you decided:
[snippage]
> ca56e9e4e2b07dcd7d9e6d91afab9d909087f7d2466129627d40a86f7125996f
[snippage]
> The myth is only true for simple computers, not for modern PCs
> with common resources. A calculator can have a resource like my
> PC, which enables it to perform non-deterministically.
A simple frequency count on the two binary files shows a nice
even distribution in the first sample with the highest frequency
amongst the 512 bytes being 0x28, 30, 39, and 8e, all at freq=6.
The nibbles are pretty evenly distributed, and so are the bits.
The second sample has four bytes at freq=7, one at 9, and a very
large outlier, 0x7d at 22. Counting it by nibbles instead of
bytes, 0x1 is far too low in the second sample; and the ratio
of 1-bits to 0-bits is much higher in that sample. Either your
"computer generated random number" process is broken or the way
you process your radioactive source is broken. If we knew the
details of how each was implemented, perhaps we could tell which
is which.
If I had to make a guess I'd pick the first sample for the
computer-generated one, since it's easy to make a sequence that
looks superficially random. "'Her English is too good,' he said,
'That clearly indicates that she is foreign.'"
--
Jim Gillogly
8 Thrimidge S.R. 1999, 15:03
12.19.6.2.13, 9 Ben 1 Uo, Eighth Lord of Night
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Random Number Generator announced by Intel
Date: Thu, 29 Apr 1999 15:25:47 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote, in part:
>John Savard wrote:
>> The chip apparently has a large number of security-related features, and
>> these features are accessible only in a controlled manner. The random
>> number generator is only for use when an operating system is running,
>> according to the documentation.
>Can someone say what 'only for use when an operating system is running'
>means? If the bits from the generator need to be retrieved in some very
>specific way, then one could certainly do it that way to get
>them directly.
But you'd have to disassemble or reverse-engineer the program supplied by
Intel to get these random numbers, because they're only supplying drivers
for specific operating systems, and in binary code form.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Predicting calculator pseudo-random numbers
Date: Thu, 29 Apr 1999 15:23:25 GMT
Piso Mojado <[EMAIL PROTECTED]> wrote, in part:
>It is a myth that computers cannot generate random numbers.
>A calculator is a computer.
>The myth is only true for simple computers, not for modern PCs
>with common resources. A calculator can have a resource like my
>PC, which enables it to perform non-deterministically.
In general, pocket calculators with a "random number" function provide it
for simple statistical calculations, and therefore use a simple linear
congruential generator, because that is adequate for the purpose. Of course
a computer *can* have a hardware RNG attached, or use a very sophisticated
stream cipher to generate uncrackable pseudo-random numbers. But it is
highly unlikely that a pocket calculator will actually go to such a length.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Predicting calculator pseudo-random numbers
Date: Thu, 29 Apr 1999 10:09:31 -0700
Piso Mojado wrote:
> Good work Jim, but the first set was radioactive, the second was
> from my PC. The program only gathers nondeterministic bits from the
> hardware events, it does not massage the bits to look more random.
OK. Given this extra information, we could have told which was which.
As I said, one of them was broken.
> So let's proceed with the intent of the original poster:
>
> PREDICT THE NEXT RANDOM BITS! Here is the next line:
>
> b179bac4d1593bd63ac35cfeb59894b1b15dafcaf82966d332703194b827f3a0
>
> How would you have predicted that? I have 75k bytes in one file
> so you can try to predict the NEXT line.
I'll predict that the next line will have more 1 bits than 0 bits.
If your 75k byte file were used as a pseudo-OTP to encrypt one of
two known 75k messages, we would be able to tell with high probability
which had been sent. We could also tell the difference between cover
traffic using your radioactive source and ASCII text encrypted by
XORing it with your hardware-event-based pad, which could help with
traffic analysis, depending on the system. It appears sufficiently
random to prevent reading mail in the absence of other information,
but it's not random enough to prevent some information leakage.
--
Jim Gillogly
8 Thrimidge S.R. 1999, 16:56
12.19.6.2.13, 9 Ben 1 Uo, Eighth Lord of Night
------------------------------
From: [EMAIL PROTECTED] (Helger Lipmaa)
Subject: Re: blind signatures
Date: 29 Apr 1999 17:18:42 GMT
Gianluca Dini ([EMAIL PROTECTED]) wrote:
: Does anyone know any blind signature algorithm that is not based upon
: RSA? Does any algorithm exist that is based upon El-Gamal, for example?
Sure. I'd suggest you to see the publications of David Pointcheval.
http://cgi.dmi.ens.fr/cgi-bin/pointche/publications.html
(read the first publication, "Security Arguments for..." by
Pointcheval and Stern)
Their blind signature scheme is based on Okamoto's identification scheme.
Helger
http://home.cyber.ee/helger
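The Pointcheval-Stern scheme is not reproduced here. As an added example, from neither post and not Pointcheval's code, the following Python implements the simpler Schnorr-type blind signature, which is likewise a discrete-log construction with no RSA in it. The group is a toy-sized safe-prime group found at import time (assumed parameters, far too small for real use), and the hash-to-Z_q function is an assumption of this example.

```python
"""Schnorr-style blind signature over a prime-order subgroup of Z_p^*,
a discrete-log scheme rather than RSA.  Added example; this is NOT the
Pointcheval-Stern / Okamoto scheme cited above, and the toy group below
is constructed for illustration only."""
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3e23 (first 12 prime bases)."""
    if n < 2:
        return False
    small = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_group(start: int):
    """Smallest q >= start with q and p = 2q + 1 prime; g = 4 has order q."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = _safe_prime_group(1 << 63)      # constructed toy group (64-bit q)


def _hash_to_zq(R: int, msg: bytes) -> int:
    """Assumed challenge hash: SHA-256(R || msg) reduced into Z_q."""
    size = (P.bit_length() + 7) // 8
    h = hashlib.sha256(R.to_bytes(size, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1       # signer's private key
    return x, pow(G, x, P)                 # (private x, public y = g^x)


class Signer:
    """Three-move signer: commit R = g^r, later answer s = r + e*x."""
    def __init__(self, x):
        self.x, self.r = x, None

    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)

    def respond(self, e):
        return (self.r + e * self.x) % Q


class User:
    """Blinds the commitment so the signer never sees the final (e', s')."""
    def __init__(self, y, msg):
        self.y, self.msg = y, msg

    def blind(self, R):
        self.alpha, self.beta = secrets.randbelow(Q), secrets.randbelow(Q)
        R_prime = R * pow(G, self.alpha, P) * pow(self.y, self.beta, P) % P
        self.e_prime = _hash_to_zq(R_prime, self.msg)
        return (self.e_prime + self.beta) % Q  # blinded challenge e

    def unblind(self, s):
        return self.e_prime, (s + self.alpha) % Q  # signature (e', s')


def verify(y, msg: bytes, sig) -> bool:
    """Recompute R* = g^{s'} * y^{-e'} and check the challenge."""
    e_prime, s_prime = sig
    R_star = pow(G, s_prime, P) * pow(y, (Q - e_prime) % Q, P) % P
    return _hash_to_zq(R_star, msg) == e_prime


def blind_sign(x, y, msg: bytes):
    """Run the protocol; return (signature, signer's view (R, e, s))."""
    signer, user = Signer(x), User(y, msg)
    R = signer.commit()
    e = user.blind(R)
    s = signer.respond(e)
    return user.unblind(s), (R, e, s)


if __name__ == "__main__":
    x, y = keygen()
    sig, view = blind_sign(x, y, b"constructed message")
    print("signer saw (e, s):", view[1:])
    print("signature (e', s'):", sig, "verifies:", verify(y, b"constructed message", sig))
```

Correctness follows from g^{s'} y^{-e'} = R g^{alpha} y^{beta} = R', so the verifier recomputes the same challenge; blindness follows because (e', s') differ from the signer's (e, s) by the random alpha and beta. Two caveats for anyone deploying a scheme of this shape: use a standard group with q of at least 256 bits, and limit concurrent signing sessions, since plain Schnorr blind signatures lose one-more-unforgeability under many parallel sessions (the ROS attack).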
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Encrypted Phones
Date: Thu, 29 Apr 1999 12:28:54 -0500
William R. Bishop wrote:
> The only encrypted phones I can find are being produced by the
> federal systems division of motorola (like we should trust them?).
It depends on what comms you're encrypting. If you are doing
drug deals, then no, don't trust anybody. Build your own. If
you're just trying to keep competitors from listening in on
business deals, then you probably can trust them. The Chinese
military trusts them to some extent :-)
Patience, persistence, truth,
Dr. mike
------------------------------
From: mok-kong shen <[EMAIL PROTECTED]>
Subject: Re: Random Number Generator announced by Intel
Date: Thu, 29 Apr 1999 19:44:38 +0200
John Savard wrote:
>
>
> But you'd have to disassemble or reverse-engineer the program supplied by
> Intel to get these random numbers, because they're only supplying drivers
> for specific operating systems, and in binary code form.
I now understand that this is an artificial handicap that the
firm Intel intentionally imposes on the users. But that I suppose is
comparable to certain secrets of PostScript. Once someone figures it
out and makes it public the RNG can be used without the OS, I believe.
M. K. Shen
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Predicting calculator pseudo-random numbers
Date: Thu, 29 Apr 1999 09:44:40 -0700
Jim Gillogly wrote:
>
> Piso Mojado wrote:
> > Please examine the random numbers that
> > my computer generated and compare them with random numbers from
> > a radioactive source. If you can tell which is which, please explain
> > how you decided:
> [snippage]
> > ca56e9e4e2b07dcd7d9e6d91afab9d909087f7d2466129627d40a86f7125996f
> [snippage]
>
> A simple frequency count on the two binary files shows a nice
> even distribution in the first sample with the highest frequency
> amongst the 512 bytes being 0x28, 30, 39, and 8e, all at freq=6. ...
> The second sample has four bytes at freq=7, one at 9, and a very
> large outlier, 0x7d at 22.
To put this in perspective I looked at the output of /dev/random for
593 512-byte blocks, and got the following distribution of maximum
frequencies:
  blocks   max freq
       6     5
     158     6
     287     7
     103     8
      31     9
       6    10
       2    11
While the 22 maximum for the second sample isn't sufficiently outré
to be convincing to rcktexas, I suspect any practicing cryppie would
flag it, even on the basis of a single 512-byte block.
I noticed a small peak in the phi values at period 9 for the first
sample, but I'd need to see a much larger sample of the same source
to find it convincing.
> If I had to make a guess I'd pick the first sample for the
> computer-generated one, since it's easy to make a sequence that
> looks superficially random. "'Her English is too good,' he said,
> 'That clearly indicates that she is foreign.'"
--
Jim Gillogly
8 Thrimidge S.R. 1999, 16:36
12.19.6.2.13, 9 Ben 1 Uo, Eighth Lord of Night
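As an added example (not Gillogly's own code, nor the poster's files), the following Python does the kind of byte, nibble and bit count described in the first reply above and, for the distribution in this reply, computes how likely each maximum byte frequency is for a uniform 512-byte block, so the observed /dev/random table can be compared against what a uniform source should produce. The two sample blocks are constructed, one flat and one with 0x7d planted 22 times.

```python
"""Frequency summary of a 512-byte block (bytes, nibbles, 1-bit ratio) and
the expected distribution of the maximum byte frequency for a uniform
source.  Added example; the sample blocks are constructed here and are not
the files from the thread."""
from collections import Counter
from math import comb


def frequency_report(block: bytes) -> dict:
    """Max byte frequency, which byte value(s) reach it, the 16 nibble
    counts, and the fraction of 1-bits in the block."""
    by_byte = Counter(block)
    peak = max(by_byte.values())
    nibbles = Counter()
    for b in block:
        nibbles[b >> 4] += 1
        nibbles[b & 0xF] += 1
    ones = sum(bin(b).count("1") for b in block)
    return {
        "max_freq": peak,
        "max_bytes": sorted(v for v, n in by_byte.items() if n == peak),
        "nibbles": [nibbles[i] for i in range(16)],
        "ones_ratio": ones / (8 * len(block)),
    }


def p_count_at_least(k: int, n: int = 512, p: float = 1 / 256) -> float:
    """Binomial tail: P(one fixed byte value occurs >= k times in n bytes)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def p_max_at_least(k: int, n: int = 512) -> float:
    """P(the most frequent byte value occurs >= k times), treating the 256
    counts as independent; the approximation is close for n = 512."""
    return 1 - (1 - p_count_at_least(k, n)) ** 256


def expected_max_histogram(blocks: int, n: int = 512, lo: int = 5, hi: int = 11) -> dict:
    """Expected number of blocks (out of `blocks`) whose maximum byte
    frequency is exactly k, for k in [lo, hi]; compare with the table above."""
    return {k: blocks * (p_max_at_least(k, n) - p_max_at_least(k + 1, n))
            for k in range(lo, hi + 1)}


# Constructed samples: FLAT holds every byte value exactly twice; SKEWED
# contains 0x7d 22 times, mimicking the outlier reported above.
FLAT = bytes(range(256)) * 2
SKEWED = bytes(range(256)) + bytes([0x7D]) * 20 + bytes(range(236))

if __name__ == "__main__":
    for name, blk in (("flat", FLAT), ("skewed", SKEWED)):
        rep = frequency_report(blk)
        print(name, "max", rep["max_freq"], "at", [hex(v) for v in rep["max_bytes"]],
              "ones ratio %.3f" % rep["ones_ratio"])
    for k in (6, 7, 8, 22):
        print("P(max freq >= %d) = %.3g" % (k, p_max_at_least(k)))
    for k, e in expected_max_histogram(593).items():
        print("max %2d: expect %6.1f blocks of 593" % (k, e))
```

For a uniform source the expected count per byte value is 2, so a maximum of 6 to 8 in a 512-byte block is ordinary, while a count of 22 has probability on the order of 1e-13, which is why a single block is enough to flag it.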
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Factoring breakthrough?
Date: Thu, 29 Apr 1999 17:14:37 GMT
In article <[EMAIL PROTECTED]>,
lcs Mixmaster Remailer <[EMAIL PROTECTED]> wrote:
>Rumor has it Adi Shamir will announce factoring breakthrough soon.
>Increasing efficiency by orders of magnitude and breaking keys 100-200
>bits longer than current state of the art.
>
>Anybody confirm/deny?
I emailed one of the world's best known number theorists about
this and he said he'd never heard of such a rumor.
------------------------------
From: [EMAIL PROTECTED] (Steve Tate)
Subject: Re: Factoring breakthrough?
Date: 29 Apr 1999 14:41:46 GMT
[EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
> lcs Mixmaster Remailer <[EMAIL PROTECTED]> wrote:
> > Rumor has it Adi Shamir will announce factoring breakthrough soon.
> > Increasing efficiency by orders of magnitude and breaking keys 100-200
> > bits longer than current state of the art.
....
> I've grouped these claims into three categories:
> 1) Wacko
> 2) Have merit, but of limited practical use
> 3) Significant breakthrough
....
> As for the current claim, my bet is the "breakthrough" falls
> somewhere between number (1) and number (2). The longer the
> suspense, the more it moves toward number (1).
Well... the *rumor* might be wacko, but if you're suggesting that
Shamir is "wacko" then you need to learn a little bit more about the
major people in the field of cryptography...
--
Steve Tate --- srt[At]cs.unt.edu | Gratuitously stolen quote:
Dept. of Computer Sciences | "The box said 'Requires Windows 95, NT,
University of North Texas | or better,' so I installed Linux."
Denton, TX 76201 |
------------------------------
From: SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
Subject: Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO
Date: Thu, 29 Apr 1999 14:34:45 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> SCOTT19U.ZIP_GUY wrote:
> >
> > In article <[EMAIL PROTECTED]>,
> > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > ...
> Did you forget the context of our discussion? We were discussing
> EOF. If you have EOF, then everything after EOF is stuff that
> the receiver discards. Isn't that OBVIOUS to you?
>
>
No, you forgot what we are talking about. This whole thread is
about how to do a compression that would be useful as a pre step
to encryption. It is my contention that one of the key points
is the compression should carry no information that could be of use
to the NSA types of people trying to break your encryption. One
way to do that is to make sure any file could be the result of a
possible compression. Again take any file "A" uncompress it to
get a file "B" that file should compress exactly to "A" if it does
not then there is an exploitable weakness in the compression method
used before the encryption. Your use of an EOF in the Huffman table
is such an exploitable hook. Also it wastes space and will result
in a longer file. If a longer file is desired the encryption method
itself can add the extra random bits.
David A. Scott
--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
to email me use address on WEB PAGE
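The round-trip check described in the post (take any file A, decompress it to B, and B must compress back to exactly A) can be run mechanically. As an added example, not Scott's code and not his scott19u package, the following Python applies that check to a constructed two-symbol prefix coder that carries an explicit EOF code and zero-pads to a byte, the structure being objected to above, and counts how many files fail it.

```python
"""Round-trip check for a compressor meant to sit in front of a cipher:
every file A must satisfy compress(decompress(A)) == A.  Added example
with a constructed two-symbol prefix coder that uses an EOF code."""
from itertools import product

# Constructed toy code: 'a' -> 0, 'b' -> 10, EOF -> 11.  The output is
# zero-padded to a whole byte, as a Huffman coder with an EOF symbol would.
CODES = {"a": "0", "b": "10"}
EOF = "11"


def compress(text: str) -> bytes:
    bits = "".join(CODES[ch] for ch in text) + EOF
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def decompress(data: bytes) -> str:
    """Decode until EOF; anything after EOF (or a dangling '1') is dropped."""
    bits = "".join(f"{b:08b}" for b in data)
    out, i = [], 0
    while i < len(bits):
        if bits[i] == "0":
            out.append("a")
            i += 1
        elif bits[i:i + 2] == "10":
            out.append("b")
            i += 2
        else:                      # "11" is EOF; a lone trailing "1" is no code
            break
    return "".join(out)


def round_trip_survivors(length: int):
    """All files of `length` bytes that compress(decompress(A)) reproduces."""
    ok = []
    for tup in product(range(256), repeat=length):
        a = bytes(tup)
        if compress(decompress(a)) == a:
            ok.append(a)
    return ok


def is_bijective_up_to(max_len: int) -> bool:
    """True only if every file up to max_len bytes survives the round trip."""
    return all(len(round_trip_survivors(n)) == 256 ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    for n in (1, 2):
        s = len(round_trip_survivors(n))
        print(f"{n}-byte files: {s} of {256 ** n} survive the round trip")
    print("bijective:", is_bijective_up_to(2))
```

Only 33 of the 256 one-byte files (and 1563 of the 65536 two-byte files) can be outputs of this coder: those of the form codewords, EOF, zero padding. Every other value is impossible as compressor output, which is exactly the distinguishing information the post says a compressor with EOF hands to whoever is attacking the cipher behind it; a coder that passes `is_bijective_up_to` gives away nothing of the kind.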
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Factoring breakthrough?
Date: 29 Apr 1999 19:00:32 GMT
I confirmed with Bob Silverman that there is something behind the rumor.
Details will be forthcoming.
Don Johnson
------------------------------
From: Andrew Kay <[EMAIL PROTECTED]>
Crossposted-To: comp.security.unix
Subject: Re: Commercial PGP for Linux?
Date: Thu, 29 Apr 1999 20:58:41 +0000
Bernie Cosell wrote:
> I am trying to locate PGP for Linux that I can use for a commercial
> application. The 2.6 sources claim to be for noncommercial/personal use
> only, so I followed the threads to viacrypt->NetworkAssociates->McAfee
> but all I can find are Windows and Mac packages. Did I miss something? If
> not, anyone know where I -can- find a commercial-OK PGP package for Linux?
You can get PGP for UNIX from http://www.pgpi.com.
Andrew.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Thu, 29 Apr 1999 19:35:49 GMT
[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > I'm assuming the technique Ritter described, but I don't think
> > whether the protocol tries to hide the choice of cipher makes
> > much difference. The attacker doesn't need the general ability
> > to determine what cipher is in use; he only needs to be able to
> > distinguish when the cipher in use is one he can break. If he
> > can break a cipher he can surely distinguish it.
> Please be so kind to give a brief explanation: if there is a message
> encrypted with a block cipher in 64-bit blocks, how is our cherished
> attacker supposed to distinguish - was the encryption done by DES,
> BLOWFISH, IDEA, 3DES, CAST or FEAL?
Note the claim was that if I can break a cipher I can distinguish
it. (I know of many cases where the converse is false.) The
procedure is to try to break FEAL, and iff successful, the cipher
is FEAL.
Also, since it's been lost in the editing, let me point out the
significance: if you choose one of those six ciphers for each of
your messages then (assuming I can break FEAL but none of the
others) I can read about one sixth of your traffic. But in any
real-world application, I'd expect to gain 95% or so of the
intelligence value in the traffic for reading one sixth of the
messages. I don't need to know every soldier's orders to
figure out your strategy, tactics, and when to expect the
attack.
--Bryan
------------------------------
From: [EMAIL PROTECTED] (Chris Adams)
Crossposted-To: comp.security.unix
Subject: Re: Commercial PGP for Linux?
Date: 29 Apr 1999 15:04:38 -0500
Once upon a time, Bernie Cosell <[EMAIL PROTECTED]> said:
>I am trying to locate PGP for Linux that I can use for a commercial
>application. The 2.6 sources claim to be for noncommercial/personal use
>only, so I followed the threads to viacrypt->NetworkAssociates->McAfee
>but all I can find are Windows and Mac packages. Did I miss something? If
>not, anyone know where I -can- find a commercial-OK PGP package for Linux?
If you don't need interoperability with PGP 2.6, you can use GNU Privacy
Guard aka gpg, available at http://www.gnupg.org/. It is not compatible
with PGP 2.6 because it doesn't use patent encumbered algorithms. It IS
compatible with PGP 5.
--
Chris Adams <[EMAIL PROTECTED]> - System Administrator
Renaissance Internet Services - IBS Interactive, Inc.
Home: http://ro.com/~cadams - Public key: http://ro.com/~cadams/pubkey.txt
I don't speak for anybody but myself - that's enough trouble.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************