Cryptography-Digest Digest #519, Volume #9 Sun, 9 May 99 03:13:21 EDT
Contents:
Re: ALF'S PRIVACY MAIL DROP (Steve Rush)
DES cracked in hardware? (Steve Rush)
Re: Twofish performance question. (Bruce Schneier)
Re: DES cracked in hardware? ("Keith Brodie")
Re: Factoring breakthrough? ([EMAIL PROTECTED])
Re: DES cracked in hardware? (Sundial Services)
Re: How to Save MAGENTA (John Savard)
Re: DES cracked in hardware? (Andrew McDonald)
Re: Roulettes (Boris Kazak)
Re: AES ([EMAIL PROTECTED])
--- sci.crypt charter: read before you post (weekly notice) (D. J. Bernstein)
Re: AES (wtshaw)
Scramdisk ver H and Agent - any problems? ([EMAIL PROTECTED])
Re: Cool Shadow: UNIX crypt(3) toy! (John Curtis)
Re: Factoring breakthrough? (wtshaw)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Steve Rush)
Subject: Re: ALF'S PRIVACY MAIL DROP
Date: 8 May 1999 21:23:12 GMT
Please save the Javascript for the World Wide Wait. Usenet is about _text_,
readable on any terminal.
**********************************************************************
If it's spam, it's a scam. Don't do business with Net abusers.
------------------------------
From: [EMAIL PROTECTED] (Steve Rush)
Subject: DES cracked in hardware?
Date: 8 May 1999 21:42:40 GMT
I remember reading (in Bruce Schneier's "Applied Cryptography", 1st ed.) that
an East German company supplied hundreds of thousands of DES chips to the late,
unlamented Soviet Union in the 1980's. This implies that a hardware
DES-cracker exists. There are probably at least two of them, one in Moscow and
one at Fort Meade, Virginia. Even if the Soviets really did use those chips one
at a time for secure communications terminals (That was the official line),
that means that the NSA would certainly build a cracking engine (if they didn't
already have one).
With all the discussion of whether DES has a back door, not much has been said
about the possibility of an array processor so far beyond the public state of
the art that brute-force attacks on a 56-bit key were already feasible when DES
was introduced.
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Twofish performance question.
Date: Sat, 08 May 1999 22:02:41 GMT
On Sat, 08 May 1999 12:20:43 -0700, Paul Pires <[EMAIL PROTECTED]>
wrote:
> Thank you for your response. No, I'm not saying I understand the
>twofish source implementation yet. I haven't counted yet. I haven't
>figured out how yet. It was a real newbie question and before I rolled up
>my sleeves and got to work educating myself, I just thought I should
>check my assumptions about the definition of terms. Looks like it does
>mean what it says, so now I can get busy figuring out how. My biggest
>problem is that I have an interest in cryptography but not much
>knowledge of programming or the optimization of such. I'll keep chunking
>away at it.
The code on the Twofish website works at the advertised speeds. So if
you want, you can encrypt blocks of data and count the clock cycles
yourself. If you find any further speedups, I would be real
interested in seeing them.
Good luck.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
------------------------------
From: "Keith Brodie" <[EMAIL PROTECTED]>
Subject: Re: DES cracked in hardware?
Date: Sat, 08 May 1999 23:29:49 GMT
I think you can take it as a given that a DES cracker existed at the
time it was introduced, that is why the key length was limited to 56 bits.
Whether or not one existed outside of the US I cannot say. Triple DES has
been cracked by networked general purpose processors, see, for example,
www.distributed.net.
--
Keith Brodie KF6QEK
[EMAIL PROTECTED]
Steve Rush wrote in message
<[EMAIL PROTECTED]>...
>I remember reading (in Bruce Schneier's "Applied Cryptography", 1st ed.) that
>an East German company supplied hundreds of thousands of DES chips to the late,
>unlamented Soviet Union in the 1980's. This implies that a hardware
>DES-cracker exists. There are probably at least two of them, one in Moscow and
>one at Fort Meade, Virginia. Even if the Soviets really did use those chips one
>at a time for secure communications terminals (That was the official line),
>that means that the NSA would certainly build a cracking engine (if they didn't
>already have one).
>
>With all the discussion of whether DES has a back door, not much has been said
>about the possibility of an array processor so far beyond the public state of
>the art that brute-force attacks on a 56-bit key were already feasible when DES
>was introduced.
>
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Factoring breakthrough?
Date: Sat, 08 May 1999 23:43:46 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (wtshaw) wrote:
> In article <7h19ac$aaj$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> >
> > Analog gives infinite precision, but limited accuracy.
> > Management of such dualisms is somewhat embarrassing.
> >
> Precision and accuracy are not necessarily related, as precision refers
> to clustering of obtained readings, and accuracy references an obtained
> value absolutely to the real one. It is true that with deficient
> methods, you can have good precision, but lousy accuracy; you can also
> have an accurate average, but have terrible precision.
>
> Precision of an analog device depends largely on the observer, which might
> be finer than the abilities of a digital instrument to quantify, or not.
> Your first line is not necessarily true; it all depends on the
> circumstances.
I suspect that one of these is always traded at the expense of
the other in the finest level of detail, just as waves are traded
for particles and vice versa in quantum mechanics leading to
the idea of the generic wave-particle or quanta which tries to
manage the dualism wholistically (not necessarily holistically
since quantum field theory is still in its infancy).
> The essence of good management is in effective handling of impossible
> situations. The choice between analog or digital is not necessarily a
> difficult one.
Yes. When time does not permit, choices must be made.
Instinct overtakes cognition. Longer contexts breed more
general solutions though.
> Since the group is sci.crypt, perhaps I should try to relate this to
> something cryptological: If you can make an analyst happy with the
> precision of his preliminary judgements about data while making them
> inaccurate, you have him pretty well at your mercy. This is the essence
> of the value of laying a false trail, which is really a sneaky thing to do
> in ciphertext.
In cryptography, I imagine that this effect is as inescapable
as it is in physics (being related to Heisenberg's uncertainty
through the corresponding Fourier uncertainty) And this requires
the analyst to seek the best case in terms of optimization
just as one dissects information from the noise of any signal
with a bag of tools and not just one (news:comp.dsp comp.speech)
The NSA seems to recognize "data fusion" as an optimization problem.
The physical aspects being relevant to cryptography at the
theoretical level seem to suggest many things on a practical
level which is why I think analog/digital is as important
to crypt as wave/particle is to quantum physics.
> --
> What's HOT: Honesty, Openness, Truth
> What's Not: FUD--fear, uncertainty, doubt
>
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
Date: Sat, 08 May 1999 17:06:46 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: DES cracked in hardware?
Steve Rush wrote:
> With all the discussion of whether DES has a back door, not much has been said
> about the possibility of an array processor so far beyond the public state of
> the art that brute-force attacks on a 56-bit key were already feasible when DES
> was introduced.
It is "a given" that DES was crackable by the NSA when it was introduced
-- it was never authorized for use in handling Classified communication,
for instance. But if it had and has a back-door, it has never been
publicly discovered... and an awful lot of good cryptologists have
looked at DES for a long time.
I seriously think it's a case of "your tax dollars well-spent," because
DES was easily one of the strongest ciphers of its day and it is still
more-than-enough for the purposes for which it was intended. If someone
is determined to use hundreds of processors to crack your message, then
by gawd they will DO it and there's not much you can do about it... any
more than you can defend against someone who's attacking your house with
a bulldozer. DES won't stop a bulldozer but it's a helluva good
door-lock.
Certainly, no one at the time could have anticipated e-commerce, or even
the flourish of ATMs, both of which owe their success to cryptology and
both of which rely very much on DES and other algorithms directly
inspired by it.
Rather than having a back-door, DES appears to have been a far better
algorithm than "those who didn't know" gave it credit for at the time.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: How to Save MAGENTA
Date: Mon, 03 May 1999 17:50:42 GMT
[EMAIL PROTECTED] () wrote, in part:
>[EMAIL PROTECTED] wrote:
>: The basic unit of that f-function, repeated many times, is a
>: transformation involving two bytes, where each byte is replaced by itself
>: XOR the S-box entry indexed by the original value of the other byte. This
>: basic unit is non-invertible.
>Oops, I think I got that backwards. However, it does not affect my point.
After looking at the description, PE(x,y), which I was talking about,
actually involves _four_ S-box indexings, but only two XORs. So, if one
views the table access as the time-consuming part, one could alternate
PE(x,y) with a full four-round Skipjack permutation G.
And this would also help to solve the fact that these manipulations are
unkeyed.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
------------------------------
From: [EMAIL PROTECTED] (Andrew McDonald)
Subject: Re: DES cracked in hardware?
Date: 9 May 1999 00:08:23 GMT
Keith Brodie <[EMAIL PROTECTED]> wrote:
> Triple DES has been cracked by networked general purpose processors,
> see, for example, www.distributed.net.
Distributed.net/EFF didn't crack Triple DES.
What you are probably confused by is the fact that the last DES
cracking challenge was 'DES III', i.e. the third of the DES Challenges
set by RSA Labs.
Andrew
--
Andrew McDonald
andrew at mcdonald.org.uk
http://ban.joh.cam.ac.uk/~adm36/
------------------------------
From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: Roulettes
Date: Sat, 08 May 1999 20:37:06 -0400
Reply-To: [EMAIL PROTECTED]
Mok-Kong Shen wrote:
>
> (*********)
> Now this tiny device, if modified in design, can well be applied
> for our purposes. Instead of the five grooves we use 10 grooves and
> number the positions with 00 to 99. We put in one single red ball
> and 99 white balls. Then with one operation we get two random
> digits. The size of the device would be less than 6*8*0.5 cm. This
> size is a bit clumsy for attaching to keys but nonetheless very
> convenient for carrying around in pockets.
> (**********) for otherwise
> it risks being classified as a crypto hardware and hence subject to
> US export restrictions or even one day gains the honour of being
> banned by Wassenaar.
>
> M. K. Shen
> http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99)
===================
Still it is hard to compete with ordinary dice. If you use, say,
7 cubes colored in the colors of rainbow, with faces numbered from
0 to 5, then in one toss you obtain a 7-digit number in the range
[0 - 5555555] (base 6, of course), which, if converted into decimal,
is a random number in the [0 - 279935] range. The ordering of the
digits will be based on the color of the dice, and any computer will
gladly convert the base-6 number into a base-10 number. If you need more
entropy, make a second toss, then a third, (ad infinitum...).
With octahedral dice you would have a 7-digit random octal number,
with decimal dice (two identical pentagonal pyramids with their
bottoms glued together) it will be a 7-digit decimal number. Easy to
carry along, always ready for use, cheap, unbreakable.
And it is highly improbable that US or Wassenaar export restrictions
will ever be applied to dice (although in certain mental institutions
even stranger things have happened). At least it will be interesting to
observe how such an attempt would be justified...
Best wishes BNK
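The dice-to-number conversion described in the post above, as an added example that is not part of the original post. It reads the faces in colour order as a base-6 (or base-8, base-10) number, reports the entropy of a toss, and goes one step beyond the post by showing how to draw a uniform value from a smaller range without modulo bias (rejecting the few tosses that would skew the result).

```python
"""Random numbers from coloured dice (added example, not from the post).

A toss of n dice with `sides` faces each, numbered 0..sides-1 and read in a
fixed colour order, is one base-`sides` integer in [0, sides**n - 1].
"""
import math
from typing import Optional, Sequence


def dice_to_int(faces: Sequence[int], sides: int) -> int:
    """faces[0] is the most significant digit (e.g. the red die)."""
    value = 0
    for f in faces:
        if not 0 <= f < sides:
            raise ValueError(f"face {f} is not in 0..{sides - 1}")
        value = value * sides + f
    return value


def max_value(n_dice: int, sides: int) -> int:
    """Largest number one toss can produce, e.g. 279935 for seven d6."""
    return sides ** n_dice - 1


def entropy_bits(n_dice: int, sides: int) -> float:
    """Shannon entropy of one toss of fair dice, in bits."""
    return n_dice * math.log2(sides)


def uniform_below(faces: Sequence[int], sides: int, bound: int) -> Optional[int]:
    """Map a toss to a uniform integer in [0, bound).

    Taking `dice_to_int(...) % bound` directly would favour small residues
    whenever sides**n is not a multiple of bound.  Instead, tosses at or
    above the largest multiple of `bound` that fits are rejected (None);
    the caller simply throws the dice again.
    """
    space = sides ** len(faces)
    if not 0 < bound <= space:
        raise ValueError("bound must be in 1..sides**n")
    limit = space - (space % bound)  # largest multiple of bound <= space
    v = dice_to_int(faces, sides)
    return None if v >= limit else v % bound


if __name__ == "__main__":
    # Constructed sample toss: seven d6 read red, orange, ... violet.
    toss = [1, 2, 3, 4, 5, 0, 1]
    print(dice_to_int(toss, 6), max_value(7, 6), round(entropy_bits(7, 6), 2))
    print(uniform_below(toss, 6, 100000), uniform_below([5] * 7, 6, 100000))
```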
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: AES
Date: Sun, 09 May 1999 05:32:39 GMT
I don't think that the way we gain trust in general is
directly applicable to cryptography. Here is my point:
a) For better or worse, cryptography is considered a discipline of
mathematics where the word "proof" (and its derivatives) has a
clear and strong meaning.
b) Many people who read sci.crypt are not experts in cryptography.
c) At all levels people make choices and use technology without
really understanding it - the result can be very costly (see
agrochemicals, energy consumption or the Y2K error). There are
a lot of misconceptions too about cryptography and it is
important to minimize that.
d) Bruce Schneier is one of the most well known and well respected
cryptographers.
Now, the original statement to which Schneier agreed was: "Triple
DES is proven to be very secure". We can argue that this statement
is correct within the common use of the English language. But it
is a fact that many people who read this followed by Schneier's
validation will understand that there is a mathematical proof for
the security of 3DES. Therefore I think the reaction of Scott and
Ritter in this thread is valid. It is important that everybody who
makes decisions about information security clearly understands that
there is no proof about the strength of any published block
cipher. There is only expert opinion at a level somehow lower than
a doctor's who recommends surgery and somehow higher than a food
critic's who recommends a restaurant.
I think that if cryptography were considered an engineering
discipline then it would be easier to visualize the situation.
For example, historically bridges did _prove_ themselves by
withstanding particular weights long before mechanics was
discovered. Even now there are not really proofs (in the
mathematical sense) that a bridge will work. Actually, only a few
decades ago a modern bridge disintegrated under the effect of the
wind (not a hurricane mind you, just normal wind). That bridge had
an error in its design that made it resonate to the wind absorbing
more and more energy until it came tumbling down. In the same way
a cipher may fail in the future under an unforeseen attack. The
trouble of course is that whereas the bridge in question was
unique and all subsequent bridge designers avoided that particular
flaw, if a catastrophic failure is suffered by a standard cipher
the effect would be disastrous and analogous to most bridges in the
world tumbling down together.
To me one answer to the problem of absence of proofs is
super-encipherment where several ciphers of radically different
designs are combined together. The analogy would be like building
several bridges side by side. If one of them should fail, the
other(s) would keep our communication lines open. Fortunately, in
many applications of information technology combining several
ciphers is only marginally more expensive than using only one. (By
the way, this is another argument in favor of not patenting
ciphers.)
------------------------------
From: [EMAIL PROTECTED] (D. J. Bernstein)
Crossposted-To: talk.politics.crypto
Subject: --- sci.crypt charter: read before you post (weekly notice)
Date: 9 May 1999 05:00:36 GMT
sci.crypt Different methods of data en/decryption.
sci.crypt.research Cryptography, cryptanalysis, and related issues.
talk.politics.crypto The relation between cryptography and government.
The Cryptography FAQ is posted to sci.crypt and talk.politics.crypto
every three weeks. You should read it before posting to either group.
A common myth is that sci.crypt is USENET's catch-all crypto newsgroup.
It is not. It is reserved for discussion of the _science_ of cryptology,
including cryptography, cryptanalysis, and related topics such as
one-way hash functions.
Use talk.politics.crypto for the _politics_ of cryptography, including
Clipper, Digital Telephony, NSA, RSADSI, the distribution of RC4, and
export controls.
What if you want to post an article which is neither pure science nor
pure politics? Go for talk.politics.crypto. Political discussions are
naturally free-ranging, and can easily include scientific articles. But
sci.crypt is much more limited: it has no room for politics.
It's appropriate to post (or at least cross-post) Clipper discussions to
alt.privacy.clipper, which should become talk.politics.crypto.clipper at
some point.
There are now several PGP newsgroups. Try comp.security.pgp.resources if
you want to find PGP, c.s.pgp.tech if you want to set it up and use it,
and c.s.pgp.discuss for other PGP-related questions.
Questions about microfilm and smuggling and other non-cryptographic
``spy stuff'' don't belong in sci.crypt. Try alt.security.
Other relevant newsgroups: misc.legal.computing, comp.org.eff.talk,
comp.org.cpsr.talk, alt.politics.org.nsa, comp.patents, sci.math,
comp.compression, comp.security.misc.
Here's the sci.crypt.research charter: ``The discussion of cryptography,
cryptanalysis, and related issues, in a more civilised environment than
is currently provided by sci.crypt.'' If you want to submit something to
the moderators, try [EMAIL PROTECTED]
---Dan
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: AES
Date: Sun, 09 May 1999 00:54:39 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Bruce Schneier) wrote:
> On Thu, 06 May 1999 23:47:38 GMT, William Hugh Murray
> <[EMAIL PROTECTED]> wrote about DES:
>
...
>
> >I certainly can not use it in the way that it was used twenty years ago
> >but there are, just as certainly, useful applications and safe modes.
>
> Only against some threat models. Again, the ratio has changed.
>
I'm reminded of a tag someone used a few months ago: "When the horse dies,
get off."
DES is no longer a running thoroughbred; whether it is still worth feeding
is another question. It seems it is out to pasture at any rate, or
perhaps still standing at stud.
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp
Subject: Scramdisk ver H and Agent - any problems?
Date: Sun, 09 May 1999 06:23:58 GMT
I've been using Scramdisk ver H on a second disk drive (IDE) as an
encrypted partition. Has been stable for a long time.
Switched from encrypted partition to container (.svl) file on the same disk
after re-partitioning (uses almost all 405 MB), now Forte Agent newsreader
won't work properly (yes, I rebuilt the group dat/idx files from scratch).
System hangs up every time, 1-5 minutes. I can run Agent and just delete
messages, filter groups, etc., but as soon as I start downloading via 56K
modem, system hangs. All other programs (JBN, Pegasus) seem to run fine.
(FYI - Agent is on my C: drive, with the actual folders on the encrypted
area, as always) All other software seems ok.
System did this quite a while back (earlier ver), which is why I went to
partition in the first place.
I have a second (newer) system with a container file, and things run fine.
I can go back to partition, but makes secure tape backups real difficult.
Anybody ever run into this?
TIA
------------------------------
From: [EMAIL PROTECTED] (John Curtis)
Subject: Re: Cool Shadow: UNIX crypt(3) toy!
Date: 3 May 1999 18:43:08 GMT
In article <7gjdo4$[EMAIL PROTECTED]> [EMAIL PROTECTED] (Logic) writes:
>
>Tired of easy-to-remember passwords and garbage-looking crypt(3) strings?
>Now you can have it the other way around! Cool Shadow is a toy I wrote a
>few weeks ago for all you UNIX/crypto-heads with too much time and CPU on
>your hands. It generates random-ish passwords which encrypt to
>cool-looking strings when run through crypt(3) for your passwd/shadow
>file. Impress your friends! Scare the script kiddies who run crack
>against your passwd file!
>
>Pick it up at http://homepage.oz-online.net/~logic/coolshadow/
>
>Of course it's free. Who would pay for such nonsense?
Wow! What an awesome Trojan Horse! Just hack into the
password file and search for a known list of your
cute encryptions. crypt(3) isn't reversible, but your
program + crypt(3) + a known result might be.
That's sharp.
jcurtis
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Factoring breakthrough?
Date: Sun, 09 May 1999 00:44:25 -0600
In article <7h2i7i$ag7$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (wtshaw) wrote:
> >
> > Precision of an analog device depends largely on the observer, which might
> > be finer than the abilities of a digital instrument to quantify, or not.
> > Your first line is not necessarily true; it all depends on the
> > circumstances.
>
> I suspect that one of these is always traded at the expense of
> the other in the finest level of detail, just as waves are traded
> for particles and vice versa in quantum mechanics leading to
> the idea of the generic wave-particle or quanta which tries to
> manage the dualism wholistically (not necessarily holistically
> since quantum field theory is still in its infancy).
Waves are analog and particles are digital, so to speak. Either approach
at this level is just one view of what cannot be fully described in a
unified manner.
>
> > The essence of good management is in effective handling of impossible
> > situations. The choice between analog or digital is not necessarily a
> > difficult one.
>
> Yes. When time does not permit, choices must be made.
> Instinct overtakes cognition. Longer contexts breed more
> general solutions though.
>
> > Since the group is sci.crypt, perhaps I should try to relate this to
> > something cryptological: If you can make an analyst happy with the
> > precision of his preliminary judgements about data while making them
> > inaccurate, you have him pretty well at your mercy. This is the essence
> > of the value of laying a false trail, which is really a sneaky thing to do
> > in ciphertext.
>
>
> In cryptography, I imagine that this effect is as inescapable
> as it is in physics (being related to Heisenberg's uncertainty
> through the corresponding Fourier uncertainty) And this requires
> the analyst to seek the best case in terms of optimization
> just as one dissects information from the noise of any signal
> with a bag of tools and not just one (news:comp.dsp comp.speech)
> The NSA seems to recognize "data fusion" as an optimization problem.
If you say so. I wrote your last sentence down; it sounds important, at least
impressive. But seriously, I'm sure NSA likes complication in what it
makes, but doesn't in what it must attack.
>
> The physical aspects being relevant to cryptography at the
> theoretical level seem to suggest many things on a practical
> level which is why I think analog/digital is as important
> to crypt as wave/particle is to quantum physics.
The new optical inspection breaking routine is surely a combination of
analog and digital modes of handling information, but the reality of
seeing through feet, much less a few layers of transparencies seems to beg
the very usefulness of the suggested technique, laws of optics, including
limitations of the behavior of light, being a significant problem to take
from desired simple design into the real world.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************