Cryptography-Digest Digest #588, Volume #9       Mon, 24 May 99 16:13:02 EDT

Contents:
  Re: crack a hash function? (David P Jablon)
  Re: SHA-1 unpatented? (David A Molnar)
  Re: ScramDisk and Windows 2000 (Jennifer)
  Re: HushMail -- Free Secure Email (Peter Pearson)
  Re: blowfish hints anyone? ([EMAIL PROTECTED])
  Re: SHA-1 unpatented? ([EMAIL PROTECTED])
  Re: blowfish hints anyone? (Medical Electronics Lab)
  Re: Why would a hacker reveal that he has broken a code? (DJohn37050)
  Re: HushMail -- Free Secure Email (John Kennedy)
  Re: TwoDeck (Jim Felling)
  Why would a hacker reveal that he has broken a code? ("Jean Marc Dieu")
  Re: RSA Cryptography Question (Emmanuel BRESSON)
  Re: Why would a hacker reveal that he has broken a code? (Patrick Juola)
  Re: DSA (Digital Signature Standard) and the Schnorr Patents (Paul Rubin)
  Re: Why would a hacker reveal that he has broken a code? (SCOTT19U.ZIP_GUY)
  Re: Why would a hacker reveal that he has broken a code? (Patrick Juola)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (David P Jablon)
Subject: Re: crack a hash function?
Date: Mon, 24 May 1999 16:12:39 GMT

In article <7ib6go$3tm$[EMAIL PROTECTED]>,
Jean Marc Dieu <[EMAIL PROTECTED]> wrote:
>
> Can anybody explain to me how could a hash function be "cracked"?
> I mean, if it's a one way function, it means that it's impossible to
> recreate the original document when you only have the "hashed" document (you
> don't have enough information right?).
> Moreover, if the hash function is not too bad, the probability of having the
> same result after "hashing" two different documents is tremendously close to
> zero, right?
> So I don't understand  what some people mean by "cracking" the hash
> function?

Your intuition is correct that breaking a hash by reversing
the one-way operation is practically infeasible for any
good hash function.

But when a hash function is used to hide guessable data, as in
a hashed password, a brute-force trial-and-error attack
often reveals the password corresponding to the hash.
This is sometimes loosely referred to as "cracking" the hash.

=========================
David Jablon
[EMAIL PROTECTED]
www.IntegritySciences.com


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: SHA-1 unpatented?
Date: 24 May 1999 16:22:02 GMT

Arthur Klassen <[EMAIL PROTECTED]> wrote:
> It's just as free of patent encumbrance as the dBase file format or using IEEE
> floating point numbers for numerical calculations :) but it's far more useful
> than either.

Hey, watch it. You don't really want to attract the attention of W. Kahan,
do you? After all, anyone who would name a test "paranoia" is liable
to watch sci.crypt...

-David 

------------------------------

From: Jennifer <[EMAIL PROTECTED]>
Subject: Re: ScramDisk and Windows 2000
Date: Mon, 24 May 1999 15:36:51 GMT


> This may sound crazy, but wouldn't the current version work?  Maybe
> microsoft has some new 'portability' issues to address.. :)

I don't know why, but I tried it and it didn't work.

Jennifer


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

------------------------------

From: Peter Pearson <[EMAIL PROTECTED]>
Subject: Re: HushMail -- Free Secure Email
Date: Mon, 24 May 1999 08:35:25 -0700

Does my browser download an applet from HushMail every time
I send encrypted mail? If so, don't I have to examine that
applet every time, before I run it, to make sure it's not
an evil impostor that's going to send out my private key?
If so, is there any way to automate that process?

- Peter
[EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: blowfish hints anyone?
Date: Mon, 24 May 1999 16:21:46 GMT

In article <7ia5nv$2q$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>> 1) When would it be preferable to use the ECB type instead of CFB?
>
> Suppose you want to crack an ECB scheme.  You build a reverse
> codebook containing a common plaintext block, e.g., "Subject:".
> Then, given captured ciphertext, you look for instances of the
> encrypted "Subject:" block.  When you find one you have identified
> the key.

How practical is this attack?

I'm setting up an encrypted database system, and one
feature desired by the designers is a way to check that
the password entered for a particular record is correct.
This check would then return "password incorrect" rather
than filling the fields with the garbage resulting from
decryption with the wrong key.

The easiest way to handle this is to use one field that
is always the encrypted version of some known string so
you can check if it decrypts correctly.  Obviously, this
sets up a known-plaintext attack perfectly.  Is this a
realistic threat, and if so, is there a more secure way
to provide this "feature" or are we better off leaving
it out?

sst






------------------------------

From: [EMAIL PROTECTED]
Subject: Re: SHA-1 unpatented?
Date: Mon, 24 May 1999 14:55:34 GMT


> Is SHA-1 unpatented?  Can I use it in a commercial product without
> royalties or licensing?  I would like to use it for hashing passwords.
>

To the best of my knowledge it is patented (by NSA?) and is free to use
(royalty-free).  It's a USA government standard so I imagine that's why
it's free.

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!



------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: blowfish hints anyone?
Date: Mon, 24 May 1999 12:16:09 -0500

[EMAIL PROTECTED] wrote:
> > Suppose you want to crack an ECB scheme.  You build a reverse
> > codebook containing a common plaintext block, e.g., "Subject:".
> > Then, given captured ciphertext, you look for instances of the
> > encrypted "Subject:" block.  When you find one you have identified
> > the key.
> 
> How practical is this attack?

Very practical.  A large dictionary can be saved using the
standard crypt() routines, and then compared to the password
file (an ancient attack that still works).
 
> I'm setting up an encrypted database system, and one
> feature desired by the designers is a way to check that
> the password entered for a particular record is correct.
> This check would then return "password incorrect" rather
> than filling the fields with the garbage resulting from
> decryption with the wrong key.
> 
> The easiest way to handle this is to use one field that
> is always the encrypted version of some known string so
> you can check if it decrypts correctly.  Obviously, this
> sets up a known-plaintext attack perfectly.  Is this a
> realistic threat, and if so, is there a more secure way
> to provide this "feature" or are we better off leaving
> it out?

You can make finding the plain text harder.  One thing you
can do is encrypt a "check phrase" for each user, something
they make up that is simple to remember.  I wouldn't use the
pass phrase itself.  Another thing is to put in a "salt" so
you encrypt the check phrase and some random bits along with
it.  Then the dictionary has to be 2^n times longer to account
for the n bits of salt.

To make life really hard for the attacker, make the location
of the salt bits random, and make the check text be a combination
of the location of salt bits, salt bits, and check phrase.
The user only has to type in their password and check phrase,
and the algorithm does the rest.  It's kind of a pain for the
user to have to type in 2 words, but for the attacker it's a
major problem and for the company there's no random garbage put
in by accident (or purpose).

Patience, persistence, truth,
Dr. mike
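David Jablon's point about guessable data under a one-way function and Dr. Mike's salted check-phrase suggestion fit together in one program; the Go below is an added example (not code from either poster) that builds the "reverse codebook" against the naive fixed-string check field and shows the same table finding nothing against a salted, user-chosen check phrase. It assumes AES-ECB as a stand-in for Blowfish and a single SHA-256 as a stand-in for real key derivation; the word list, the fixed salt and the check phrase are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const knownBlock = "password-check!!" // the naive design's fixed string (constructed, one AES block)

// keyFromPassword stands in for key derivation (assumption: SHA-256 over
// password||salt; a deliberately slow KDF belongs here in practice).
func keyFromPassword(password string, salt []byte) []byte {
	h := sha256.New()
	h.Write([]byte(password))
	h.Write(salt)
	return h.Sum(nil)
}

// encryptBlock: one block, no chaining, i.e. ECB as in the thread (AES stands in for Blowfish).
func encryptBlock(key, block []byte) []byte {
	c, _ := aes.NewCipher(key) // key is always 32 bytes, so this cannot fail
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out
}

// UnsaltedCheckField is the naive scheme: equal passwords always give equal fields.
func UnsaltedCheckField(password string) []byte {
	return encryptBlock(keyFromPassword(password, nil), []byte(knownBlock))
}

// SaltedCheckField follows Dr. Mike's suggestion: a per-record random salt (stored
// in the clear) enters the key, and a user-chosen check phrase replaces the fixed string.
func SaltedCheckField(password, checkPhrase string, salt []byte) []byte {
	block := make([]byte, aes.BlockSize)
	copy(block, checkPhrase) // zero-padded (or truncated) to one block
	return encryptBlock(keyFromPassword(password, salt), block)
}

// VerifyCheck is the "password incorrect" test the designers asked for.
func VerifyCheck(password, checkPhrase string, salt, stored []byte) bool {
	return subtle.ConstantTimeCompare(SaltedCheckField(password, checkPhrase, salt), stored) == 1
}

// BuildCodebook is the thread's "reverse codebook": one precomputed check
// field per dictionary word, built once and reused against every record.
func BuildCodebook(dictionary []string) map[string]string {
	book := make(map[string]string, len(dictionary))
	for _, w := range dictionary {
		book[hex.EncodeToString(UnsaltedCheckField(w))] = w
	}
	return book
}

func main() {
	book := BuildCodebook([]string{"secret", "letmein", "hunter2"}) // constructed word list
	salt := []byte("0123456789abcdef")                               // constructed; use crypto/rand for real
	fmt.Printf("unsalted: %q\n", book[hex.EncodeToString(UnsaltedCheckField("letmein"))])
	fmt.Printf("salted:   %q\n", book[hex.EncodeToString(SaltedCheckField("letmein", "pelican", salt))])
}
```

Against the salted record the table has to be rebuilt for every distinct salt, and the check phrase is a second unknown the guesser does not have.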

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: 24 May 1999 17:58:31 GMT

The hope is that with many people looking at it, if there is a flaw, the many
honest people (perhaps looking for fame) will find any flaw before the few
dishonest people (looking to make an illegal buck).  Also, anyone that could 
break such an algorithm could easily get a good-paying job, so why should
he/she take illegal risks?
Don Johnson

------------------------------

From: John Kennedy <[EMAIL PROTECTED]>
Subject: Re: HushMail -- Free Secure Email
Date: Mon, 24 May 1999 17:42:08 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> John Kennedy wrote:
>
> > >Necessary but not sufficient.  At a minimum, every user must validate
> > >the applet every time they use/download it.   In practice, it is likely
> > >that most users will never do it, much less always do it.  This is
> > >different from PGP where one downloads and validates, once, and then
> > >uses, in a separate step not obvious to the carrier.
> >
> > Very good points which a hushmail-type system needs to try to address.
>
> Using this argument means you have to verify your PGP software every time
> you use it - or at least every time you're away from your computer.  What
> happens if somebody sneaks in and doctors your software?  Or you get a worm
> or virus or trojan that does it?  Or even some bizarre disc error?  Why on
> this issue is PGP so much more secure than hushmail?
>
> Do you believe that the physical and other security of your computer and
> its immediate environment is greater than that available at Hushmail, or at
> any point in the chain that gets Hushmail and its components into your
> browser?

The physical security of my system is the key. I use a laptop which is
usually in my presence and when it's not I've taken other steps to make
tampering difficult. It's not perfect but I'm not terribly worried
someone could tamper with my PGP without my knowledge. Plus I have a
pretty fair idea of things I could do to maximize security via PGP if I
needed to.

I don't know how I could do that via hushmail.
>
> Isn't trust a thorny issue!
>
> Sacha.
>
>

--
-- John Kennedy                                 Best Anarchy Links->|
 David Friedman    http://www.best.com/~ddfr/                     <-|
 Niels Buhl        http://www.math.ku.dk/~buhl/                   <-|
 Billy Beck        http://www.mindspring.com/~wjb3/promise.html   <-|



------------------------------

From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: TwoDeck
Date: Mon, 24 May 1999 12:19:37 -0500

Another suggestion is faster switching -- the practice of exhausting a
whole deck before it is reshuffled is very bad -- it means that your
available randomness falls extremely low before being refreshed and will
give an opponent a chance to analyze the deep structure of the deck in
full -- more intermediate decks might not be a bad idea and possibly
changing the order in which the decks are used at intervals. Another
suggestion is multiple shuffles at the intervals -- not much code load
difference in shuffling both A and B at the same time (esp. if the same
algo is used for both -- but obviously different shuffle points).

[EMAIL PROTECTED] wrote:

> Thanks for the suggestion, I will see about adding it.
>
> For now I have a better algorithm, which I will discuss this saturday
> in the group when I formalize it.
>
> The idea is simple, here is the pseudo code
>
> c = ((rng() * rng()) % 257) & 255
>
> Where rng() is a seeded rng algorithm returning 1-256.  This will
> produce an output between 0-255 and depend on all of the bits of the
> inputs.
>
> In my paper I am using a single LFSR as an example, but any well
> balanced RNG (GFSR, additive) will do (most likely).
>
> Tom
>
> --== Sent via Deja.com http://www.deja.com/ ==--
> ---Share what you know. Learn what you don't.---


------------------------------

From: "Jean Marc Dieu" <[EMAIL PROTECTED]>
Subject: Why would a hacker reveal that he has broken a code?
Date: Mon, 24 May 1999 19:52:22 +0200

Let's say a hacker breaks 3DES.
What would make him declare to everyone his "discovery"? I mean, it's more
interesting for him to try to sell his findings to "the bad guys", or else
everyone would stop using 3DES (it's just an example) and all his work would
be worth nothing (or maybe worth being known as "the guy who broke 3DES"...)

So, even if an algorithm has been proven empirically "good", we have no
evidence that it hasn't been cracked, is that correct?

Jeeeee... the more I learn, the more I see there are so many things left to
learn that have not even been discovered yet!
Crypto is really fascinating!

JMD




------------------------------

Date: Mon, 24 May 1999 13:57:57 -0400
From: Emmanuel BRESSON <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: RSA Cryptography Question

> >oooouuups... Of course you meant:
> >    m^phi(n) == 1 mod n
> Hmmm, methinks that's not quite right either:

It is true in (Z_n)*, the set of invertible elements of Z_n, because
phi(n) is the order of this multiplicative group.
In your example, 5 is not in this set (Z_15)*.
Assuming that condition of being an invertible element, we have
obviously
            m^{phi(n)+1}=m mod n
of course. (Even if n is not square-free)
    Emmanuel
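A worked check of the two conditions in the reply, added here rather than taken from the thread, using the n = 15, m = 5 case it refers to plus a non-square-free case:

```latex
\begin{aligned}
&n = 15,\ \phi(15) = 8,\ m = 5,\ \gcd(5,15) = 5 \neq 1,\ \text{so } 5 \notin (\mathbb{Z}_{15})^*:\\
&5^2 = 25 \equiv 10,\quad 5^4 \equiv 10^2 = 100 \equiv 10,\quad 5^8 \equiv 10^2 \equiv 10 \not\equiv 1 \pmod{15},\\
&\text{yet } 5^{\phi(15)+1} = 5 \cdot 5^8 \equiv 5 \cdot 10 = 50 \equiv 5 \pmod{15}\ \text{(15 is square-free).}\\[4pt]
&m \in (\mathbb{Z}_n)^*:\quad m^{\phi(n)} \equiv 1 \pmod{n}\ \Rightarrow\ m^{\phi(n)+1} = m \cdot m^{\phi(n)} \equiv m \pmod{n},\ \text{for any } n.\\[4pt]
&n = 4,\ \phi(4) = 2,\ m = 2 \notin (\mathbb{Z}_4)^*:\quad 2^{\phi(4)+1} = 2^3 = 8 \equiv 0 \not\equiv 2 \pmod{4}.
\end{aligned}
```

So m^phi(n) == 1 needs m invertible, m^{phi(n)+1} == m for every m needs n square-free (the RSA case n = pq), and for invertible m it holds for any n, as the reply says.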


------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: 24 May 1999 14:08:14 -0400

In article <7ic3gi$eer$[EMAIL PROTECTED]>,
Jean Marc Dieu <[EMAIL PROTECTED]> wrote:
>Let's say a hacker breaks 3DES.
>What would make him declare to everyone his "discovery"? I mean, it's more
>interesting for him to try to sell his findings to "the bad guys", or else
>everyone would stop using 3DES (it's just an example) and all his work would
>be worth nothing (or maybe worth being known as "the guy who broke 3DES"...)

Well, given that being known as "the guy who broke 3DES" is likely to
result in a tenured position at the university of your choice, a
Guggenheim fellowship, and/or more consultancy business than you
can possibly handle at an absolutely obscene rate of pay, that's
not exactly "nothing."

I rather doubt that most of "the bad guys" would have enough money
lying around to make forgoing those plums worth it.  Besides, how
are you expecting *them* to keep the fact that they can now break
3DES secret?   That was one of the big problems with ULTRA in WWII;
as soon as you do something with the information you learn, you
risk revealing that you know it.  The number of potential security breaches
involving ULTRA is rather frightening -- and well-documented.

        -kitten


------------------------------

Crossposted-To: talk.politics.crypto
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: DSA (Digital Signature Standard) and the Schnorr Patents
Date: Mon, 24 May 1999 19:17:01 GMT

In article <[EMAIL PROTECTED]>,
Vin McLellan  <The, Prtivacy, Guild> wrote:
>...Bruce Schneier, who studied and wrote about the DSS patent issues
>in Applied Crypto, certainly didn't glibly dismiss Schnorr's claims
>as some have here.

"In my opinion, this finally puts to rest any patent dispute between
Schnorr[1398] and DSA[897]: DSA is not a derivative of Schnorr, nor
even of ElGamal.  All three are examples of this general construction,
and this general construction is unpatented."
  --Applied Cryptography (2nd ed.), p. 498.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: Mon, 24 May 1999 20:30:00 GMT

In article <7ic4ie$rli$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Patrick Juola) 
wrote:
>In article <7ic3gi$eer$[EMAIL PROTECTED]>,
>Jean Marc Dieu <[EMAIL PROTECTED]> wrote:
>>Let's say a hacker breaks 3DES.
>>What would make him declare to everyone his "discovery"? I mean, it's more
>>interesting for him to try to sell his findings to "the bad guys", or else
>>everyone would stop using 3DES (it's just an example) and all his work would
>>be worth nothing (or maybe worth being known as "the guy who broke 3DES"...)
>
>Well, given that being known as "the guy who broke 3DES" is likely to
>result in a tenured position at the university of your choice, a
>Guggenheim fellowship, and/or more consultancy business than you
>can possibly handle at an absolutely obscene rate of pay, that's
>not exactly "nothing."
>

  Realistically, if you broke 3DES and if you're not nationally known, it would be
very hard to prove it. Because as soon as you explain how it was done, some
phony crypto god would claim that he did it first. Or if you broke something
like PGP and showed an easy way to break something like RSA you would
most likely get killed before your method was exposed to the public. It
would be very easy for a group like the NSA to hide the information from the
public since most do not have the knowledge to understand the break. Also
the crypto gods like to think they are far superior to the ordinary man and it
would not be in their interest to spread the fact that an ordinary non-god-like
person broke something that they looked at and did not break.
 So it may be best to keep the secret to oneself until our government
does not treat an outsider with crypto knowledge as a threat to the
government.
 After all, even today most credit the British with breaking Enigma when
the real work was done by the Poles. But honoring a Pole would go against
the English honor, who think they are superior to Poles.
 As an example in another field, look at the research and money spent
on ulcers. A guy in Australia (I think it was there; the news is suppressed)
came up with the simple truth of most causes and a cure. The guy was
ridiculed by the medical gods as an idiot. Of course he was right and
it is very likely the other medical people knew it. But to keep their pockets
lined with money they did their best to treat the guy like shit. Where is
this guy today? Does anyone even remember his name? And what happened
to his attackers?




David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: 24 May 1999 16:00:05 -0400

In article <7ic9bp$1egi$[EMAIL PROTECTED]>,
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>In article <7ic4ie$rli$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Patrick Juola) 
>wrote:
>>In article <7ic3gi$eer$[EMAIL PROTECTED]>,
>>Jean Marc Dieu <[EMAIL PROTECTED]> wrote:
>>>Let's say a hacker breaks 3DES.
>>>What would make him declare to everyone his "discovery"? I mean, it's more
>>>interesting for him to try to sell his findings to "the bad guys", or else
>>>everyone would stop using 3DES (it's just an example) and all his work would
>>>be worth nothing (or maybe worth being known as "the guy who broke 3DES"...)
>>
>>Well, given that being known as "the guy who broke 3DES" is likely to
>>result in a tenured position at the university of your choice, a
>>Guggenheim fellowship, and/or more consultancy business than you
>>can possibly handle at an absolutely obscene rate of pay, that's
>>not exactly "nothing."
>>
>
>  Realistically, if you broke 3DES and if you're not nationally known, it would be
>very hard to prove it. Because as soon as you explain how it was done, some
>phony crypto god would claim that he did it first.

Bullshit.  That's why there are journals, that's why there are conferences,
and so forth.  Proving that you've got an algorithm to break 3DES is,
quite literally, child's play *if* you've actually got an algorithm.

> Or if you broke something
>like PGP and showed an easy way to break something like RSA you would
>most likely get killed before your method was exposed to the public.

I think you've been watching *WAY* too many X-files.

> It
>would be very easy for a group like the NSA to hide the information from the
>public since most do not have the knowledge to understand the break.

I see.  And presumably the NSA is also going to kill all the members
of the EuroCrypt'00 program committee and arrange to have the proceedings
printer burned down?

And then after that, the Elders of Zion will no doubt freeze your
bank account until the Cattle Mutilators come and take you away to
live with Elvis.

        -kitten

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
