Cryptography-Digest Digest #587, Volume #9       Mon, 24 May 99 12:13:02 EDT

Contents:
  Re: Reasons for controlling encryption (Pwrk)
  Re: blowfish hints anyone? (Boris Kazak)
  Re: RSA Cryptography Question (Hideo Shimizu)
  Re: HushMail -- Free Secure Email
  Re: TwoDeck
  Re: HushMail -- Free Secure Email
  Re: HushMail -- Free Secure Email
  Re: blowfish hints anyone? (Eric Young)
  Cryptography and "parental denial" (Giuliano Bertoletti)
  Re: Can I have some opinions please? (Pwrk)
  crack a hash function? ("Jean Marc Dieu")
  Re: crack a hash function? (Jean-Jacques Quisquater)
  ROT13, how does it work? (Andreas / Detlef Stieger)
  Re: ROT13, how does it work? (Mark Carroll)
  Re: symmetric boolean functions ("Gary Forbis")
  NSA proves banks use poor crypto (SCOTT19U.ZIP_GUY)
  SHA-1 unpatented? (Tim)
  Re: SHA-1 unpatented? (Arthur Klassen)
  Re: pentium 3 (Greg Bartels)
  ScramDisk and Windows 2000 (Jennifer)
  Re: crack a hash function? (Jim Felling)
  Re: ScramDisk and Windows 2000 ([EMAIL PROTECTED])
  Re: HushMail -- Free Secure Email (Sacha Brostoff)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Pwrk)
Subject: Re: Reasons for controlling encryption
Date: 23 May 1999 13:57:06 GMT

If you were to ban encryption, shouldn't that include everything that alters
information into a form which cannot be read by those not meant to read it?

Such as the encoding of cable TV so only those with the decoder box can watch
it?

Messages containing credit card info?

The list goes on.

---
Of all the things I've lost, I miss my mind the most...     

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: blowfish hints anyone?
Date: Sun, 23 May 1999 18:24:42 -0400
Reply-To: [EMAIL PROTECTED]

Matthew Bennett wrote:
(****)
> 3) How do you make use of the 448-bit (max) key length of Blowfish when
> people generally are only going to enter a single word in as their password?
> Do you just fill the rest up with zeros, or only take it as a (for example)
> 10-bit key? (..this can't be right..)
> 
> Thanks for any help.
> 
> Matt
===================
This one has a relatively simple solution. You will have some routine
prompting the user for his key. In this routine you can prompt, say, 
three times like this:

      Enter the first part of your passphrase: *********
(After the first part is entered, go ahead)
      Enter the second part of your passphrase: ***********
(After the second part is entered, go ahead)
      Enter the third part of your passphrase: ********

Finally, all three words put together will constitute the user
passphrase, with entropy much greater than that of a single
8-10 character password (and accordingly less prone to a
dictionary-type attack). Even if the user types only 4-letter words
at each of the 3 prompts, this will be a 12-letter user key.

 Best wishes              BNK
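
The three-prompt scheme above, carried through to an actual 448-bit key, as an added example that is not part of the post. The poster only concatenates the parts; joining them with a separator and stretching the result with PBKDF2 and a salt is this example's own choice, and the iteration count is an assumed work factor. Blowfish accepts keys of 32 to 448 bits, so the 56-byte output is the maximum-length key and no zero filling is needed; stretching raises the cost of each guess but adds no entropy beyond what the user typed.

```python
"""Turn a multi-part passphrase into a full-length Blowfish key.

Added example, not the poster's code. Joining with a separator and
stretching with PBKDF2 are this example's choices; the iteration count
is an assumed work factor.
"""
import hashlib
import os

BLOWFISH_MAX_KEY_BYTES = 56        # 448 bits, the longest key Blowfish takes
PBKDF2_ITERATIONS = 200_000        # assumed work factor; tune for your hardware


def join_parts(parts) -> bytes:
    """Join the prompted parts unambiguously.

    A NUL separator keeps ("ab", "c") and ("a", "bc") distinct, which plain
    concatenation would not. Empty parts are rejected so a user cannot
    silently skip a prompt.
    """
    if not parts or any(p == "" for p in parts):
        raise ValueError("every passphrase part must be non-empty")
    return b"\x00".join(p.encode("utf-8") for p in parts)


def derive_blowfish_key(parts, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the joined passphrase to a 448-bit key with PBKDF2-HMAC-SHA256.

    The salt is stored with the ciphertext; it is not secret. Stretching
    raises the per-guess cost, it does not add entropy: the key is still
    only as strong as the passphrase the user typed.
    """
    return hashlib.pbkdf2_hmac("sha256", join_parts(parts), salt,
                               iterations, dklen=BLOWFISH_MAX_KEY_BYTES)


def prompt_for_key(salt: bytes, prompts: int = 3) -> bytes:
    """Interactive version of the poster's three-prompt scheme."""
    import getpass
    parts = [getpass.getpass(f"Enter part {i + 1} of your passphrase: ")
             for i in range(prompts)]
    return derive_blowfish_key(parts, salt)


if __name__ == "__main__":
    salt = os.urandom(16)
    key = derive_blowfish_key(["open", "sesame", "now"], salt)
    print(len(key) * 8, "bit key:", key.hex())
```

The derived key is always 56 bytes whether the user typed 12 characters or 60, so the "fill the rest with zeros" question from the original post does not arise; what does matter is that the salt is kept with the file and that the separator makes different splits of the same characters produce different keys.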

------------------------------

From: Hideo Shimizu <[EMAIL PROTECTED]>
Subject: Re: RSA Cryptography Question
Date: Mon, 24 May 1999 11:25:57 +0900



Emmanuel BRESSON wrote:
> 
> Hideo Shimizu wrote:
> 
> > Because, for all m<n
> >
> > m ^ phi(n) equiv m mod n
> 
> oooouuups... Of course you meant:
>     m^phi(n) == 1 mod n

Thanks, my mistake. More precisely.

(M ^ e) ^ d  equiv  M ^ (e * d)
             equiv  M ^ (k * phi(n) + 1)
(for some integer k, since e * d equiv 1 mod phi(n))
             equiv  M * (M ^ phi(n)) ^ k
             equiv  M * 1 ^ k
             equiv  M  (mod n)

Hideo Shimizu  Toshiba Labo.
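
The derivation above checked numerically, as an added example that is not part of the post. The primes 61 and 53 and the exponent 17 are chosen here only so that every message 0..n-1 can be tried; real keys are far larger. The check also shows one thing the derivation leaves implicit: the step M^phi(n) = 1 (Euler's theorem) needs gcd(M, n) = 1, so it fails for the multiples of p and q, yet (M^e)^d = M (mod n) still holds for those M (the argument for that case goes through the Chinese remainder theorem, not through Euler).

```python
"""Toy RSA check of the identity (M^e)^d = M (mod n) derived above.

Added example, not from the post. Small primes are used only so the
full range 0..n-1 can be checked; they are not a realistic key.
"""
from math import gcd


def make_toy_key(p: int, q: int, e: int = 17):
    """Return (n, phi, d) for the toy modulus n = p*q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)           # e*d = 1 (mod phi); needs Python >= 3.8
    return n, phi, d


def euler_step_holds(m: int, n: int, phi: int) -> bool:
    """m^phi(n) = 1 (mod n): Euler's theorem, valid only when gcd(m, n) = 1."""
    return pow(m, phi, n) == 1


def rsa_roundtrip_holds(m: int, n: int, e: int, d: int) -> bool:
    """(m^e)^d = m (mod n), the property the derivation proves."""
    return pow(pow(m, e, n), d, n) == m % n


def check_all_messages(p: int, q: int, e: int = 17):
    """Try every m in 0..n-1 against both identities.

    Returns (roundtrip_failures, euler_failures). The derivation uses
    m^phi = 1, which fails for m sharing a factor with n; decryption
    still round-trips those m, so the RSA identity is stronger than the
    Euler step alone suggests.
    """
    n, phi, d = make_toy_key(p, q, e)
    k = (e * d - 1) // phi        # e*d = k*phi + 1 with k an integer
    assert e * d == k * phi + 1
    roundtrip_failures = [m for m in range(n) if not rsa_roundtrip_holds(m, n, e, d)]
    euler_failures = [m for m in range(n) if not euler_step_holds(m, n, phi)]
    return roundtrip_failures, euler_failures


if __name__ == "__main__":
    rt, eu = check_all_messages(61, 53)
    print("round-trip failures:", len(rt))
    print("messages with m^phi != 1 (mod n):", len(eu))
    print("a few of them:", eu[:5])
```

With p = 61 and q = 53 there are 53 + 61 - 1 = 113 residues that share a factor with n (the multiples of 61 and of 53, counting 0 once); Euler's step fails for exactly those, while the round trip succeeds for all 3233 values.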

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: HushMail -- Free Secure Email
Date: 24 May 99 04:01:10 GMT

John Kennedy ([EMAIL PROTECTED]) wrote:
: As I review the PGP manual I see it says the private key is protected
: by the passphrase. Does that mean essentially that the private key has
: been conventionally encrypted with the passphrase?

Yes, and it's stored that way on your computer so you don't have to
memorize it, only your passphrase.

: So now it seems to me that one of the requirements for a hushmail
: system to be secure is that the system only holds an encrypted copy of
: your private key, which cannot be used to decrypt your mail without
: your passphrase.

Absolutely correct.

: How could that requirement be addressed in a hushmail type system?

Actually, it is probably quite easy to address in such a system. The
HushMail server keeps a copy of everyone's public key, and HushMail acts
as a certifying authority for them.

Whether or not it is possible for HushMail _itself_ to read your mail -
and it should not be possible - depends on a number of technical details
of the setup. One of them is the one you mention: users should have a way
of independently verifying each others' public keys. Also, private keys
mustn't be communicated to the HushMail server. In fact, there is _no_
good reason for even an _encrypted_ copy of these keys to be stored there.

To me, the "right" way to encrypt is to run a copy of PGP on an old 486,
then put your encrypted message on a floppy to carry it over to the
computer of yours that is connected to the Internet. Just because a few
too many steps in HushMail are done while on-line doesn't imply that there
is anything fishy going on: honest people sometimes don't think of all the
ways it is possible to cheat, and the steps one must take to *prove* to
other people that one is not cheating.

John Savard

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: TwoDeck
Date: 24 May 99 03:49:36 GMT

[EMAIL PROTECTED] wrote:
: Yeah well I wanted a fast shuffling algorithm, If i were to use the RC4
: shuffling, I might as well use RC4 :)

Well, I think we can improve your shuffle a little without going to that
length.

Let the random number be 7, and the deck consist of the numbers 0 to 15.
With your shuffle, we get:

3 12 4 13 5 14 6 7 15 8 0 9 1 10 2 11

We could perhaps improve things by putting the second half of the deck in
backwards, like this:

2 12 1 13 0 14 15 7 6 8 5 9 4 10 3 11

And even more change would be done by a single shuffle if the second half
were to start from the end of the deck (either element 11..111 or element
11..110 depending on whether the first half started from an even or odd
number) like this:

6 12 5 13 4 14 3 7 2 8 1 9 0 10 15 11

Once we start from a slightly better shuffle, then what do we do with the
resulting two arrays? Using one to index into the other is a start. But
the result of that is to obtain sequences of bytes no two of which can be
the same, and you have to use another pseudo-random generator every 256
bytes.

Let N cycle from 0 to 255. If the two arrays are A and B, A from the
forwards key, B from the backwards key, do, as before, x = A(N), y = B(x).

However, then use x XOR y to XOR with your message. And, to stick with
shuffles, instead of going with something like RC4, use y as if it were a
key byte to shuffle A, and use x as if it were a key byte to shuffle B.

This ought to work for a while.

John Savard

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: HushMail -- Free Secure Email
Date: 24 May 99 04:04:41 GMT

Geoff Thorpe ([EMAIL PROTECTED]) wrote:
: It is also (apparently) prohibited to provide crypto-related "hooks"
: into which foreign software can plug directly into

Yes, that is correct. However, source code of text editors, browsers,
et cetera, can be released, and so hooks for anything can be added to
that, and people in the U.S. can sell compilers to the rest of the world,
so, as you point out, the implications of this prohibition are rather
confusing.

John Savard

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: HushMail -- Free Secure Email
Date: 24 May 99 04:10:38 GMT

William Hugh Murray ([EMAIL PROTECTED]) wrote:
: As it stands now, NSA can read any message that it wants but it cannot
: read every message that it wants.  If they want to keep a secret which
: messages it has read, that reduces further what it can read.  That is,
: it must break codes, not merely fingers.  

Well, it's true they could easily bug my computer. Although this may be a
good rule of thumb, it is unlikely the NSA can really break any code that
it wants to, and some people might understand your first sentence to imply
that.

John Savard

------------------------------

From: Eric Young <[EMAIL PROTECTED]>
Subject: Re: blowfish hints anyone?
Date: Mon, 24 May 1999 16:15:45 +1000

[EMAIL PROTECTED] wrote:
> > 2) Would you just have a standard, "built-in" IV, or do programs get
> this
> 
> The IV is normally private.

Well, actually, no.
For input
M[0] M[1] M[2]
and output cipher-text
C[0] C[1] C[2],
the IV for generating C[1] is C[0].
So effectively the IV is C[-1].

If you don't know the IV, you cannot decode the
first block, but you can decode all the other blocks
(if you have the key).  Think of the IV as a salt.

The danger with cbc mode is that messages with the same
iv/key will encrypt to the same ciphertext until the first
change in the message.
Ideally the iv should change each message, but it does
not have to be secret.

eric
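
The three claims in the post (the IV is C[-1]; without it only the first block is lost; same key and IV give identical ciphertext up to the first differing block) worked through in code, as an added example that is not part of the post. The block cipher here is a 16-round balanced Feistel network with a SHA-256 round function, standing in for Blowfish (also a 64-bit-block Feistel cipher) so that the example runs on the standard library alone; it is an illustration, not a cipher to use. CBC is implemented directly on top of it, without padding.

```python
"""CBC mode with a non-secret IV, worked through on a small Feistel cipher.

Added example, not from the post. The block cipher is a stand-in for
Blowfish; the Feistel structure makes it invertible for any round
function, which is all CBC needs here.
"""
import hashlib
import os

BLOCK = 8          # 64-bit block, like Blowfish
ROUNDS = 16


def _round(key: bytes, r: int, half: bytes) -> bytes:
    """Round function: 32 bits of SHA-256 over key, round number and half-block."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, r, right))
    return right + left               # undo the final swap


def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C[i] = E(P[i] xor C[i-1]) with C[-1] = IV; no padding, whole blocks only."""
    assert len(plaintext) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P[i] = D(C[i]) xor C[i-1]; only P[0] depends on the IV."""
    assert len(ciphertext) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def blocks_recovered_without_iv(key: bytes, iv: bytes, plaintext: bytes) -> list:
    """Decrypt with a guessed (wrong) IV; report which blocks still come back right."""
    ct = cbc_encrypt(key, iv, plaintext)
    pt = cbc_decrypt(key, bytes(BLOCK), ct)          # guess: IV of all zeros
    return [pt[i:i + BLOCK] == plaintext[i:i + BLOCK]
            for i in range(0, len(plaintext), BLOCK)]


def common_prefix_blocks(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> int:
    """Leading ciphertext blocks two messages share under the same key and IV."""
    c1, c2 = cbc_encrypt(key, iv, m1), cbc_encrypt(key, iv, m2)
    n = 0
    while (n + 1) * BLOCK <= min(len(c1), len(c2)) and \
            c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n


if __name__ == "__main__":
    key = b"sixteen byte key"
    m1 = b"block 0 block 1 block 2 block 3 "
    m2 = b"block 0 block 1 BLOCK 2 block 3 "
    fixed_iv = bytes(range(BLOCK))
    print("recovered with wrong IV:", blocks_recovered_without_iv(key, fixed_iv, m1))
    print("shared prefix, same IV :", common_prefix_blocks(key, fixed_iv, m1, m2))
    print("shared prefix, fresh IV:",
          common_prefix_blocks(key, os.urandom(BLOCK), m1, m1)
          if False else "first blocks differ whenever the IVs differ")
```

With the wrong IV the first block is garbage and the remaining three decrypt correctly, which is why the IV can travel in the clear. With the same key and IV, m1 and m2 share their first two ciphertext blocks, leaking that the messages agree up to that point; giving each message a fresh IV makes the first ciphertext blocks differ, since the block cipher is a bijection and P[0] xor IV is now a different input.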

------------------------------

From: Giuliano Bertoletti <[EMAIL PROTECTED]>
Subject: Cryptography and "parental denial"
Date: Mon, 24 May 1999 08:26:25 +0200

I think an interesting feature of programs which implement strong
cryptography could be the possibility to encrypt also the header of an
encrypted file (and possibly also scrambling the file name) in order not
only to make its content unreadable, but also to mask that it has been
encrypted.

Steganography in this way is a step further, but has some drawbacks:
i.e. the container file must be about an order of magnitude bigger than
the contained file. If a crypto (not a stego) program would output a
stream of random bytes without any header, no one could really tell what
it is or that it has been encrypted.

Upon decryption any file could be fed to the program, which then tries to
decrypt the header with the given password. If after decryption the
header checksum is correct, then the file is recognized and decrypted;
otherwise the program simply tells the user that either that file is not
encrypted or the password is wrong.

Another interesting feature in conjunction with the former is the
possibility to produce fake random one-time pads: no one but you could
really tell if a file on your disk is a fake OTP or an encrypted one.

Any comments are welcomed.

Giuliano Bertoletti
[EMAIL PROTECTED]
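
A headerless container of the kind described above, as an added example that is not the poster's design or code. The layout (salt, ciphertext, authentication tag, all random-looking) and the primitives are this example's own choices: the key comes from the password through PBKDF2 with a per-file salt, the keystream is HMAC-SHA256 run in counter mode, and the "header checksum" the post asks for is an HMAC tag over the whole file, so a wrong password, a tampered file and a file of plain random bytes all fail in exactly the same way. The iteration count is an assumed work factor.

```python
"""A headerless, authenticated container: nothing in the output identifies it.

Added example, not the poster's code. Layout (this example's own design):
    salt (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes)
Every field is random-looking, so without the password the file cannot
be told apart from a blob of random bytes, i.e. from a "fake one-time pad".
"""
import hashlib
import hmac
import os

SALT_LEN, TAG_LEN = 16, 32
PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune for your hardware


def _keys(password: str, salt: bytes, iterations: int) -> tuple:
    """Derive independent encryption and MAC keys from the password and salt."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher on hashlib alone."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(password: str, plaintext: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    salt = os.urandom(SALT_LEN)               # fresh per file, so keystreams never repeat
    enc_key, mac_key = _keys(password, salt, iterations)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return salt + ct + tag


def open_container(password: str, blob: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Return the plaintext, or None if the tag does not verify.

    None covers both "wrong password" and "this is not one of our files";
    by design the two cases cannot be told apart, which is the point of
    the post: only the password holder can tell an encrypted file from
    a decoy of random bytes.
    """
    if len(blob) < SALT_LEN + TAG_LEN:
        return None
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _keys(password, salt, iterations)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


def fake_otp(length: int) -> bytes:
    """A decoy: random bytes with the same shape as a real container."""
    return os.urandom(length)


if __name__ == "__main__":
    blob = seal("correct horse", b"meeting moved to 10:00")
    decoy = fake_otp(len(blob))
    print("real:", open_container("correct horse", blob))
    print("decoy with right password:", open_container("correct horse", decoy))
    print("real with wrong password :", open_container("wrong", blob))
```

One consequence worth noting: because the program must fail identically on a decoy and on a wrong password, it cannot offer a helpful "this file is not encrypted" message, and a user who forgets which files are real has no way to find out other than trying the password on each.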


------------------------------

From: [EMAIL PROTECTED] (Pwrk)
Subject: Re: Can I have some opinions please?
Date: 24 May 1999 07:07:39 GMT

>
>Maybe you remember what the algorithm was? Otherwise, unless it is
>*really* bad, it will be hard to say anything about it just by running it.
>And disassembling a program is a _lot_ of work.
>
>John Savard

Maybe I'll ask someone on a crackers newsgroup if they can decompile it.
Cya round.

---
Of all the things I've lost, I miss my mind the most...     

------------------------------

From: "Jean Marc Dieu" <[EMAIL PROTECTED]>
Subject: crack a hash function?
Date: Mon, 24 May 1999 11:37:33 +0200

Can anybody explain to me how could a hash function be "cracked"?
I mean, if it's a one way function, it means that it's impossible to
recreate the original document when you only have the "hashed" document (you
don't have enough information right?).
Moreover, if the hash function is not too bad, the probability of having the
same result after "hashing" two different documents is tremendously close to
zero, right?
So I don't understand  what some people mean by "cracking" the hash
function?
Sorry if this is a beginner's question, it's probably because I am one - but
I'm trying to understand some things... and I hoped someone could help me
;-)

JMD



------------------------------

From: Jean-Jacques Quisquater <[EMAIL PROTECTED]>
Subject: Re: crack a hash function?
Date: Mon, 24 May 1999 11:58:47 +0200

Hello (again),

The first thing to know: there is no proof that any given hash
function is unbreakable; so one uses it as if it were good until
proven otherwise (sorry, that is the state of the art, we cannot do
much better). This is true for a large part of current cryptography:
we work conditionally.

One therefore has to set criteria for breaking:

- if the function is collision-resistant (i.e. it is infeasible to
find 2 distinct messages with the same hash), then the function is
said to be broken if someone is able to exhibit an example of such a
collision. After that, one can no longer say that it is
collision-resistant. In a sense, the example found puts it out of
service.

- if the function is not collision-resistant (this can be useful but
requires great care in the context of use), then it is said to be
broken if it is possible, for at least one instance, to find a
message corresponding to a given hash.

This is fairly informal but should be in the right direction.

Regards,

Jean-Jacques Quisquater,

------------------------------

From: [EMAIL PROTECTED] (Andreas / Detlef Stieger)
Subject: ROT13, how does it work?
Date: Sun, 23 May 1999 20:07:48 +0200

How does ROT13 encryption work?

A friend told me it was quite simple, but I didn't find anything about it in
books.

When is it used, what for?
Could you please include an encrypted example so I can try decryption?

Thanx.

--
Andreas Stieger: mailto:[EMAIL PROTECTED]



------------------------------

From: [EMAIL PROTECTED] (Mark Carroll)
Subject: Re: ROT13, how does it work?
Date: 24 May 1999 11:55:16 +0100 (BST)

In article <7ib7vq$fq1$[EMAIL PROTECTED]>,
Andreas / Detlef Stieger <[EMAIL PROTECTED]> wrote:
>How does ROT13 encryption work?
>
>A friend told me it was quite simple, but I didn't find anything about it in
>books.

It's pretty trivial, yes. Split the alphabet into two halves. Now, to
encode or decode, just replace each letter by the letter in the same
position in the other half of the alphabet. So, 

                ABCDEFGHIJKLMNOPQRSTUVWXYZ
...change to... NOPQRSTUVWXYZABCDEFGHIJKLM

>When is it used, what for?

It's often used on Usenet as the answer to jokes or riddles or the like,
where you don't want a reader seeing the answer accidentally before they
really want to.

>Could you please include an encrypted example so I can try decryption?

Sure. Gur erq xvccre syvrf ng zvqavtug.

-- Mark

------------------------------

From: "Gary Forbis" <[EMAIL PROTECTED]>
Crossposted-To: sci.chem,sci.econ,sci.image.processing,sci.electronics.design,sci.physics,sci.physics.fluid-dynamics,sci.math
Subject: Re: symmetric boolean functions
Date: Mon, 24 May 1999 06:47:35 -0700

Hankel O'Fung <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

> Gary, perhaps I am asking too much, but would you please teach me the
> example you mentioned? Thanks.

I misspoke.  I didn't mean to imply there was a generalized shift-invariant
function used by anyone in the ANN field.  Sorry for the confusion.

By the way, XOR is a restricted implementation of x of n, (1 of 2.)



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: talk.politics.crypto
Subject: NSA proves banks use poor crypto
Date: Mon, 24 May 1999 14:52:38 GMT

"Newsweek magazine reports in this week's edition Clinton has authorized the
CIA to train ethnic Albanian rebels in sabotage and the National Security
Agency to meddle with Milosevic's international bank accounts."

 Well if the above is true then I guess there is good reason for the AES
thing so that our NSA will be able to continue its ability to make phony
bank transactions and do our president's bidding. At least the NSA seems
to do more than spy on business transactions to help our country win
bidding contracts.
 I do have some questions: is the NSA responsible to Congress or only the
president? Does it know about the illegal campaign contributions to Clinton
that helped protect the Chinese goals of stealing our rocket and nuclear
secrets? Or is real protection of the country any concern to the agency?



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: Tim <[EMAIL PROTECTED]>
Subject: SHA-1 unpatented?
Date: Mon, 24 May 1999 14:02:04 GMT

Is SHA-1 unpatented?  Can I use it in a commercial product without
royalties or licensing?  I would like to use it for hashing passwords.

Thanks,

--Tim

------------------------------

From: Arthur Klassen <[EMAIL PROTECTED]>
Subject: Re: SHA-1 unpatented?
Date: Mon, 24 May 1999 14:47:39 GMT

Tim wrote:
> 
> Is SHA-1 unpatented?  Can I use it in a commercial product without
> royalties or licensing?  I would like to use it for hashing passwords.

It's just as free of patent encumbrance as the dBase file format or using IEEE
floating point numbers for numerical calculations :) but it's far more useful
than either.

cheers...ank
-- 
[EMAIL PROTECTED] | The word "mercy"'s gonna have a new meaning
<*> |  +t+ -> | |0 !! | when we are judged by the children of our slaves
PGP: **** 2047/DCDF9341:E273 AD0E F99A 8869 050B 5E92 0E47 C151 **** two
finger- *** 30DF 376C 43D0 DA74 F33F 752C 192E 3711 5E52 02BF *** prints

------------------------------

From: Greg Bartels <[EMAIL PROTECTED]>
Subject: Re: pentium 3
Date: Mon, 24 May 1999 09:51:48 -0400

Terry Ritter wrote:
> 
> On Fri, 21 May 1999 17:13:21 -0400, in <[EMAIL PROTECTED]>, in
> sci.crypt Greg Bartels <[EMAIL PROTECTED]> wrote:
> 
> >I've read that the Pentium III has a hardware random
> >number generator in it.
> 
> No, it is on "a support chip."
> 

What's the chip called, or what's its number?
If I bought a PC with a Pentium 3, I'd like to know
whether I'm getting this chip or not.

Intel is selling this as a big thing to support
online commerce, having the ability to generate
random numbers for keys. If it's not really random,
should someone be sending up a really big red flag?
Like, "hey, this makes security WORSE" ???

Greg

------------------------------

From: Jennifer <[EMAIL PROTECTED]>
Subject: ScramDisk and Windows 2000
Date: Mon, 24 May 1999 15:13:51 GMT

Hi

Are there any plans to produce a Windows 2000 version of ScramDisk?

Jennifer


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

------------------------------

From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: crack a hash function?
Date: Mon, 24 May 1999 10:32:42 -0500



Jean Marc Dieu wrote:

> Can anybody explain to me how could a hash function be "cracked"?
> I mean, if it's a one way function, it means that it's impossible to
> recreate the original document when you only have the "hashed" document (you
> don't have enough information right?).
> Moreover, if the hash function is not too bad, the probability of having the
> same result after "hashing" two different documents is tremendously close to
> zero, right?
> So I don't understand  what some people mean by "cracking" the hash
> function?
> Sorry if this is a beginner's question, it's probably because I am one - but
> I'm trying to understand some things... and I hoped someone could help me
> ;-)
>
> JMD

Cracking a hash function means that you have a method of generating another
document with the same hash value.  For example, say you and I sign an electronic
contract. Then we hash it (MAC). So if I have broken our MAC hash, I can generate
another document (by adding spaces/backspaces, etc.) that hashes to the same
value, and I can now claim we have agreed to this document.
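
Both of Quisquater's breaking criteria, and the contract forgery Jim Felling describes, shown on a deliberately weakened hash, as an added example that is not part of either post. The hash is SHA-1 truncated to BITS bits (an assumption made here so the searches finish in seconds; nothing on the page uses such a truncation). The first search finds some pair of documents with equal hashes by the birthday method, at roughly 2^(BITS/2) work; the second starts from a fixed contract and varies trailing whitespace until a forged copy hashes to the same value, at roughly 2^BITS work. The gap between the two is why a collision-resistant hash is a stronger requirement than a one-way one.

```python
"""What "cracking" a hash means, shown on a deliberately weakened hash.

Added example, not from the posts. The hash is SHA-1 truncated to BITS
bits so that both attacks run in seconds; the attacks themselves are
generic and do not depend on any weakness in SHA-1.
"""
import hashlib

BITS = 18   # assumed: small enough to attack here, not a real-world size


def weak_hash(data: bytes, bits: int = BITS) -> int:
    """SHA-1 truncated to `bits` bits. Illustration only."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def find_collision(bits: int = BITS):
    """Birthday search over distinct memos; returns (doc_a, doc_b, trials).

    This breaks collision resistance (Quisquater's first criterion): the
    attacker controls both documents and needs only about 2^(bits/2) hashes.
    """
    seen = {}
    i = 0
    while True:
        doc = b"memo #%d" % i          # constructed sample documents
        h = weak_hash(doc, bits)
        if h in seen:
            return seen[h], doc, i + 1
        seen[h] = doc
        i += 1


def forge_second_preimage(contract: bytes, bits: int = BITS, max_trials: int = 1 << 24):
    """Find a different document with the contract's hash by appending whitespace.

    This is Felling's forgery (Quisquater's second criterion): the target
    hash is fixed, so about 2^bits hashes are needed. The trailing
    spaces, tabs and newlines leave the contract reading identically.
    Returns (forged_doc, trials) or None if max_trials is exhausted.
    """
    target = weak_hash(contract, bits)
    for i in range(1, max_trials + 1):
        # mixed-radix encoding of i as whitespace: distinct i give distinct tails
        tail = b" " * (i & 63) + b"\t" * ((i >> 6) & 63) + b"\n" * (i >> 12)
        candidate = contract + tail
        if weak_hash(candidate, bits) == target:
            return candidate, i
    return None


if __name__ == "__main__":
    a, b, n = find_collision()
    print("collision after %d hashes: %r / %r" % (n, a, b))
    contract = b"Alice pays Bob 100 EUR on 1999-06-01."
    forged, n = forge_second_preimage(contract)
    print("second preimage after %d hashes, %d extra bytes" % (n, len(forged) - len(contract)))
```

On an 18-bit hash the collision typically appears after a few hundred memos, the forged contract after a few hundred thousand candidates; doubling BITS doubles the exponent of the second search but only adds one bit to the first, which is the asymmetry that makes collision attacks the first thing to fall when a real hash weakens.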



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: ScramDisk and Windows 2000
Date: Mon, 24 May 1999 15:20:57 GMT


> Are there any plans to produce a Windows 2000 version of ScramDisk?
>

This may sound crazy, but wouldn't the current version work?  Maybe
microsoft has some new 'portability' issues to address.. :)

My question is why shouldn't it work, if windows 2000 provides the same
C library, and GUI tools, shouldn't the next version work without a
hitch?

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

------------------------------

From: Sacha Brostoff <[EMAIL PROTECTED]>
Subject: Re: HushMail -- Free Secure Email
Date: Mon, 24 May 1999 17:03:23 +0100
Reply-To: [EMAIL PROTECTED]

John Kennedy wrote:

> >Necessary but not sufficient.  At a minimum, every user must validate
> >the applet everytime they use/download it.   In practice, it is likely
> >that most users will never do it, much less always to it.  This is
> >different from PGP where one downloads and validates, once, and then
> >uses, in a separate step not obvious to the carrier.
>
> Very good points which a hushmail-type system needs to try to address.

Using this argument means you have to verify your PGP software every time you
use it - or at least every time you're away from your computer.  What happens
if somebody sneaks in and doctors your software?  Or you get a worm or virus
or trojan that does it?  Or even some bizarre disc error?  Why on this issue
is PGP so much more secure than hushmail?

Do you believe that the physical and other security of your computer and its
immediate environment is greater than that available at Hushmail, or at any
point in the chain that gets Hushmail and its components into your browser?

Isn't trust a thorny issue!

Sacha.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
