Cryptography-Digest Digest #526, Volume #9       Tue, 11 May 99 07:13:04 EDT

Contents:
  Re: TwoDeck encryption algorithm (using oblivious transformations) 
([EMAIL PROTECTED])
  Re: Lemming and Lemur: New Block and Stream Cipher (Anonymous)
  Re: Oh! Before I get some sleep is DES international yet? (David A Molnar)
  Re: Lemming and Lemur: New Block and Stream Cipher ([EMAIL PROTECTED])
  Re: Smart card protocols... (Hawkhaven)
  Re: TOMSTDENIS AND SCOTT ARE THE SAME PERSON-- (Boris Kazak)
  Re: TOMSTDENIS AND SCOTT ARE THE SAME PERSON-- ([EMAIL PROTECTED])
  Re: Crypto export limits ruled unconstitutional (cosmo)
  Re: Crypto export limits ruled unconstitutional (cosmo)
  Re: Crypto export limits ruled unconstitutional (cosmo)
  Re: Smart card protocols... (Jaap-Henk Hoepman)
  Re: Smart card protocols... (David A Molnar)
  Re: Possible attacks on encrypted stream (David Wagner)
  Re: Crypto export limits ruled unconstitutional ("R H Braddam")
  Re: Smart card protocols... (Volker Hetzer)
  Re: Smart card protocols... (Paul Schlyter)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: TwoDeck encryption algorithm (using oblivious transformations)
Date: Tue, 11 May 1999 01:20:46 GMT

<snip>

Sorry I forgot to mention that I am currently trying to break TwoDeck.
My attack relies on trying to link possible decks between two blocks of
known plaintext.

The blocks have to be adjacent.  There are 256! possible combinations
for the two decks, or 2**1684, but I think there could be a way to link
two possible decks (combinations).  I dunno how fast, or how many
blocks are required.  (if you have to test more than 2**h (h = key
bits  - 1) then it's not a good idea)

Can anybody help me?  I really want to formalize this as much as
possible.

Thanks,
Tom


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

------------------------------

Date: Tue, 11 May 1999 05:03:43 +0200 (CEST)
From: Anonymous <[EMAIL PROTECTED]>
Subject: Re: Lemming and Lemur: New Block and Stream Cipher

This is the analysis I have of Lemming and Lemur so far.  Lemming 
might be called a generalized, unbalanced Feistel.  It is 
"generalized" because of the permutations.  Lemur might be called
a nonlinear feedback shift register operating on whole bytes.

If Lemming is reduced to 16 rounds, then the entire ciphertext is 
a linear function of the last byte of plaintext, so it is easy to
break.  With 17 rounds, it might still be broken with differential
cryptanalysis.  With the full 32 rounds, I don't see how that 
attack could be done.  I don't see how linear cryptanalysis could
be done, since the key is a large, random, secret, 8x128 S-box.

If the ciphers are reduced to operating on bits rather than 
bytes, then they reduce to linear feedback shift registers, and
are easy to break.  That also shrinks the key to 256 bits rather 
than 4 KB.

If the permutation in the key is chosen to be the identity 
permutation, then the first byte of every element of the key, 
key[i][0], will all be zero.  This simplifies key generation
and reduces the size of the key slightly.  It doesn't affect
encryption speed at all.  This simplification looks like it might
weaken the ciphers slightly, but I don't see an attack to take
advantage of that weakness.

Lemur outputs its middle byte on each round rather than a byte
nearer the beginning or end.  This is done so the output byte is 
not used as the index immediately before or after being revealed.
If the output were key[0] instead of key[8], that would leak much
more information.

Lemming uses two rounds per byte.  Lemur uses 32 rounds at the 
start, then just 1 round per byte thereafter.  This makes Lemur
look weaker than Lemming, but I don't see how to attack it.


LCB
[EMAIL PROTECTED]


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Oh! Before I get some sleep is DES international yet?
Date: 11 May 1999 03:03:28 GMT

WarlockD <[EMAIL PROTECTED]> wrote:


> Anyone happen to know if DES is international algorithm?  (I know MD4 isn't,
> or if it's copyrighted:P)  If not, anyone know where or how you can "weaken"

I don't think that "international algorithm" is a good term here. Maybe "weak
enough to be exported" would be better. Also the question of patents is 
distinct from the question of export controls. Both of those are distinct
from copyright. 

An example was the situation with respect to PGP 2.6.2 and 2.6.3i:

Both 2.6.2 and 2.6.3i are illegal to export from the U.S. once they 
are here. Export controls apply unless you have a specific license 
allowing you to export PGP (possible but a hassle).

RSA is patented in the U.S., but was not patented in Europe. So 
2.6.2, which was intended for U.S. distribution, used a version of the
RSAREF toolkit which included a license to use RSA in the U.S.

PGP 2.6.3i used an updated version of Phil Zimmermann's MPI library
instead. It did not use the RSAREF toolkit because of a copyright
issue - the license for RSAREF did not permit its use outside the
United States. Besides, the MPI library was supposed to be faster.

(please feel free to clarify)

> encryption algorithms so they are exportable?  I am not too concerned with
> the security end as much as the legal end:P

I think you need to apply for a license from the Department of Commerce
in order to export _any_ crypto. It's simply that
confidential key-distribution ciphers (by which I include DES, Blowfish,
Twofish, and so on) are often granted export licenses for key lengths 
less than 56 bits, and public-key systems for lengths less than 512.
Unless the threshold's changed, or you make a deal. 

So even if what you post is "weak enough", you may be violating the law.
I've set followups to talk.politics.crypto because that is the point
which seems most important to me, I'm not a lawyer, and it's not a sci.crypt
topic.

That being said, there's ample precedent for dumbing implementations
down in order to get a license. Netscape, for example, sets some of
its session key to 0s in international versions. The GSM A5 algorithm
had a similar "flaw". You could always just leak the secret key as 
an appendix to every encrypted message - that would probably be exportable.

-David





------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Lemming and Lemur: New Block and Stream Cipher
Date: Tue, 11 May 1999 03:46:18 GMT

<snip>

Sounds interesting, try to document your publication in a .PS or .TXT
file so we can further read/study your idea.  Try to explain why you
made the decision you did, and how it is a new/better idea.  Try to
analyze the algorithm, suggesting starting points for an attack.

Above all feel free to ask for help!!!

Tom



------------------------------

From: Hawkhaven <[EMAIL PROTECTED]>
Subject: Re: Smart card protocols...
Date: Tue, 11 May 1999 00:13:40 +0200

try looking in the phrack, and l0pht archives, they usually have info on
that sort of thing...


--Hawkhaven

"Win if you can, lose if you must, but always, always cheat!"

On Mon, 10 May 1999, r.fisher wrote:

> Most use a protocol known as ISO7816, although I've yet to find any
> information on this.
> 
> Volker Hetzer wrote:
> 
> > Hi!
> > How do smart cards communicate with their respective host devices?
> > Is there some standard like ssl or do they use proprietary protocols?
> > What would be a good place to start to get information?
> >
> > Greetings!
> > Volker
> 
> 
> 


------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: TOMSTDENIS AND SCOTT ARE THE SAME PERSON--
Date: Mon, 10 May 1999 22:09:34 -0400
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:
> 
> TOMSTDENIS AND SCOTT ARE THE SAME PERSON: clueless
> TOMSTDENIS AND SCOTT ARE THE SAME PERSON: clueless
> TOMSTDENIS AND SCOTT ARE THE SAME PERSON: clueless
> TOMSTDENIS AND SCOTT ARE THE SAME PERSON: clueless
> TOMSTDENIS AND SCOTT ARE THE SAME PERSON: clueless
> TOMSTDENIS AND SCOTT ARE THE SAME PERSON: clueless
> 
=======================

     Best wishes for Tom and Dave - individually.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: TOMSTDENIS AND SCOTT ARE THE SAME PERSON--
Date: Tue, 11 May 1999 03:42:42 GMT


> [EMAIL PROTECTED] wrote:
> > I am nothing like Scott (no offense), we work on different areas and
> > have different ideas.
>
> Aha!  Proof positive that you are not Scott.  You used a comma
> splice in this sentence.  Although that is a grammatical error
> (a first-order Scott identification mechanism), he uses commas
> only in his C programming -- never in his English-like text.
>
> If anybody can turn up a Scott article in the archives that
> contains a comma in text he wrote (rather than quoted), I'll
> (virtually) eat my words.
>
> Must remember to include this identification mechanism in my
> stylometric analysis program.

Good observation, my, grammar is bad... Sorry I like math and computers
not English.

:)

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!



------------------------------

From: cosmo <[EMAIL PROTECTED]>
Crossposted-To: comp.dcom.vpn
Subject: Re: Crypto export limits ruled unconstitutional
Date: Mon, 10 May 1999 03:42:33 -0700


Okay...

    That's silly. First of all, Clinton hasn't appointed a single Justice
on the Supreme Court. Furthermore, the supreme court is composed of 5
republicans and 4 democrats. Therefore, it is illogical to presume that
the supreme court is predisposed to favor the Clinton administration. In
addition, the current supreme court has been very pro first amendment
rights. They struck down the CDA as well as many other controversial
bills. I predict that the supreme court will uphold the ruling of the
appeals court. The judiciary is actually quite independent of the
executive and legislative branches of government.

            Cosmo


------------------------------

From: cosmo <[EMAIL PROTECTED]>
Subject: Re: Crypto export limits ruled unconstitutional
Date: Mon, 10 May 1999 03:51:19 -0700


Can a person publish a flowchart for an algorithm? How about a program written
in pseudocode? How about a general mathematical description of an encryption
algorithm? How could anyone say that such is not protected by the first
amendment?

Does anyone know ?

    Cosmo


------------------------------

From: cosmo <[EMAIL PROTECTED]>
Crossposted-To: comp.dcom.vpn
Subject: Re: Crypto export limits ruled unconstitutional
Date: Mon, 10 May 1999 03:45:59 -0700



None of the current members of the supreme court were appointed by
President Bill Clinton. The most recent addition to the court was
Justice Clarence Thomas, who was appointed by President Bush to replace
a retiring democrat. By the way, if you're trying to imply that Justice
Thomas is subservient to the executive, consider this: although he is
now well known for being very conservative, he used to be a black
panther during the late 1960s.

            Cosmo


------------------------------

From: Jaap-Henk Hoepman <[EMAIL PROTECTED]>
Subject: Re: Smart card protocols...
Date: 11 May 1999 09:36:21 +0200

On Mon, 10 May 1999 23:42:33 +0100 "r.fisher" <[EMAIL PROTECTED]> writes:
> Most use a protocol known as ISO7816, although I've yet to find any
> information on this.
> 
> Volker Hetzer wrote:
> 
> > Hi!
> > How do smart cards communicate with their respective host devices?
> > Is there some standard like ssl or do they use proprietary protocols?
> > What would be a good place to start to get information?
> >
> > Greetings!
> > Volker

All ISO standards can be ordered (paper only :-(( ) from their web site 
www.iso.ch. I couldn't find anything online there. 

The EMV specs (which are for a large part based on ISO 7816) _are_ online
though, check out
        http://www.visa.com/nt/chip/circuit.html

Jaap-Henk

-- 
Jaap-Henk Hoepman             |  Sure! We've eaten off the silver
Dept. of Computer Science     |  (when even food was against us)
University of Twente          |         - Nick Cave
Email: [EMAIL PROTECTED]      === WWW: www.cs.utwente.nl/~hoepman
PGP ID: 0xFEA287FF Fingerprint: 7D4C 8486 A744 E8DF DA15 93D2 33DD 0F09

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Smart card protocols...
Date: 11 May 1999 06:08:45 GMT

Hawkhaven <[EMAIL PROTECTED]> wrote:
> try looking in the phrack, and l0pht archives, they usually have info on
> that sort of thing...

There's also an emerging PKCS standard (emerging == still in bickering
phase). Try looking for "Cryptoki" on the RSADSI web site. 

-David  




> "Win if you can, lose if you must, but always, always cheat!"

> On Mon, 10 May 1999, r.fisher wrote:

>> Most use a protocol known as ISO7816, although I've yet to find any
>> information on this.
>> 
>> Volker Hetzer wrote:
>> 
>> > Hi!
>> > How do smart cards communicate with their respective host devices?
>> > Is there some standard like ssl or do they use proprietary protocols?
>> > What would be a good place to start to get information?
>> >
>> > Greetings!
>> > Volker
>> 
>> 
>> 


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Possible attacks on encrypted stream
Date: 10 May 1999 23:26:33 -0700

Two suggestions:
1. I recommend that you use a standard packet format, like IPSEC ESP.
   There are a number of subtle issues here.
2. If you _must_ roll your own, you would do well to read the literature,
   especially Bellovin's paper on ESP.  See
   <http://www.research.att.com/~smb/papers/badesp.ps>.

Some assorted comments:
1. Use a cryptographically secure MAC (e.g. SHA1-HMAC), not an unkeyed
   hash.  Otherwise, there are certificational attacks.  See Bellovin's
   paper (above), or _The Handbook of Applied Cryptography_.
2. I suggest MACing not just the raw data but also all the other
   unencrypted fields.
3. Don't use the same key for the MAC as for encryption.  You can derive
   a MAC key and an encryption key from a master key using e.g. hashing.
4. Watch out for chosen-resync attacks if you're using a stream cipher.
   See Bellovin's paper.
5. If you're using a block cipher in some chaining mode, watch out for
   the IV: it should be chosen randomly, uniformly, unpredictably.
6. If this isn't obvious, the receiver should be checking to make sure
   that sequence numbers are never repeated, to avoid replay attacks.
All of these issues were discovered and fixed in IPSEC.  That's one
reason I suggest using an existing standard packet format...

As for your questions about Diffie-Hellman, that should be done at a
different layer.  Those questions have very little to do with packet formats.

------------------------------

From: "R H Braddam" <[EMAIL PROTECTED]>
Subject: Re: Crypto export limits ruled unconstitutional
Date: Tue, 11 May 1999 03:11:13 -0500

Mok-Kong Shen wrote in message
<[EMAIL PROTECTED]>...
>Mike McCarty wrote:
>>
>> Now, in a sense the regs were overturned, because they were all mixed up
>> and didn't attempt to distinguish "speech" from "computer programs". So
>> the regs AS WRITTEN were overturned. But if they go back and re-write
>> them carefully, then they CAN apply them. Just not to speech which
>> happens to be embodied in a computer language. But if I understand
>> correctly, PROGRAMS are not speech. Just that this particular case was
>> one where a guy was disseminating his ideas in the form of a program,
>> but was not actually writing a program to be run on a computer. Any
>> program written actually to be run, I believe, is still subject (when
>> the regs are rewritten).
>
>A programming language may be rather close (dependent, of course,
>on one's opinion) to natural language, e.g. COBOL. On the other
>hand, whether a piece of text is 'runnable' on a computer may be quite
>difficult to decide. I mean: If one changes a valid program in certain
>places in apparent and trivial ways so that it is syntactically
>incorrect and can't be compiled (but can be restored to the correct
>version by anyone with programming experience) is that piece of text
>'runnable' on a computer or not?
>
>M. K. Shen


I had a reply written which quoted the decision
extensively, but it was much too long. To see the full
text hyperlink to http://jya.com/bernstein-9th.htm and
read the decision for yourselves. That way you can be
sure nothing is taken out of context.

Judge Patel has (IMHO) an exceptionally clear
understanding of programming for a layperson. If she is
not a programmer she has made a concerted effort to
prepare for this case.

I have read postings here which asserted that the
government's own legal staff advised before the ITAR
regulations were implemented that they would likely be
judged unconstitutional under the First Amendment. I
hope they turn out to be prophetic.

Rick [EMAIL PROTECTED]

Murphy's Law is the only sure thing in the universe.




------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Smart card protocols...
Date: Tue, 11 May 1999 10:49:09 +0200

Hawkhaven wrote:
> 
> try looking in the phrack, and l0pht archives, they usually have info on
> that sort of thing...
> 
> --Hawkhaven
Thanks a lot, I'll certainly try that.
So far I've only found electrical and mechanical specs, not much about
communication.

Greetings!
Volker

------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Smart card protocols...
Date: 11 May 1999 11:34:42 +0200

 
> On Mon, 10 May 1999, r.fisher wrote:
> 
>> Most use a protocol known as ISO7816, although I've yet to find any
>> information on this.
>> 
>> Volker Hetzer wrote:
>> 
>>> Hi!
>>> How do smart cards communicate with their respective host devices?
>>> Is there some standard like ssl or do they use proprietary protocols?
>>> What would be a good place to start to get information?
>>>
>>> Greetings!
>>> Volker
 
Check out:
 
    http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm
 
and in particular:
 
    http://www.geocities.com/ResearchTriangle/Lab/1578/iso7816.txt
 
    http://www.fh-augsburg.de/~bossekr/iso7816_4.html
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  [EMAIL PROTECTED]    [EMAIL PROTECTED]   [EMAIL PROTECTED]
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
