Cryptography-Digest Digest #589, Volume #9 Mon, 24 May 99 19:13:01 EDT
Contents:
Re: ScramDisk and Windows 2000 (David Crick)
Re: crack a hash function? (Jean-Jacques Quisquater)
Re: HushMail -- Free Secure Email (John Kennedy)
Re: crack a hash function? (wtshaw)
Re: HushMail -- Free Secure Email (wtshaw)
Re: ROT13, how does it work? (Jerry Coffin)
Re: SHA-1 unpatented? (Alwyn Allan)
Re: ROT13, how does it work? (wtshaw)
Re: Why would a hacker reveal that he has broken a code? ("Jean Marc Dieu")
Re: HushMail -- Free Secure Email (wtshaw)
Re: blowfish hints anyone? ("Matthew Bennett")
Re: blowfish hints anyone? ("Matthew Bennett")
Re: blowfish hints anyone? ("Matthew Bennett")
Re: blowfish hints anyone? ("Matthew Bennett")
Re: Why would a hacker reveal that he has broken a code? (Jerry Coffin)
Re: SHA-1 unpatented? ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: David Crick <[EMAIL PROTECTED]>
Subject: Re: ScramDisk and Windows 2000
Date: Mon, 24 May 1999 21:15:56 +0100
Jennifer wrote:
>
> > This may sound crazy, but wouldn't the current version work? Maybe
> > microsoft has some new 'portability' issues to address.. :)
>
> I don't know why, but I tried it and it didn't work.
>
> Jennifer
That's because Windows 2000 is what used to be called "NT 5", and
Scramdisk doesn't work under Windows NT.
David.
--
+-------------------------------------------------------------------+
| David Crick [EMAIL PROTECTED] http://members.tripod.com/vidcad/ |
| Damon Hill WC96 Tribute: http://www.geocities.com/MotorCity/4236/ |
| M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
| PGP Public Keys: 2048-bit RSA: 0x22D5C7A9 4096-DH/DSS: 0x87C46DE1 |
+-------------------------------------------------------------------+
------------------------------
From: Jean-Jacques Quisquater <[EMAIL PROTECTED]>
Subject: Re: crack a hash function?
Date: Mon, 24 May 1999 22:46:28 +0200
Hi,
I already answered the author of the question (in French); it was
sent to the newsgroups by mistake and cancelled. Here is the translation
of my email with some added remarks.
First thing you have to know: there is no proof that a given hash
function is unbreakable (in any sense, except, maybe, using a brute
force approach). People are thus using it as unbreakable till there is
a proof that it is indeed broken. It is the state of the art; we cannot
do better today. This is true for a large part of the current (practical)
cryptography: people are using a cryptographic method conditionally.
We need some simple criteria of breaking (cracking) for hash functions:
- if the function is collision-resistant (that is, it is infeasible
to find 2 distinct messages with the same hash), then
we say that the function is broken if somebody is able to exhibit an
example of such a collision. It is indeed a proof by contradiction.
And this function will not be used anyway for that (normally!).
- if the hash function is not collision resistant but only one-way
(it is useful but needs some careful examination of the context),
then the function is broken if it is possible to compute one message
corresponding to a given hash.
Maybe these seem strong criteria: the existence of only one nontrivial
bad example is enough to break a system. It is why cryptography is
so difficult.
This is relatively informal but should be in the right direction.
Regards,
Jean-Jacques Quisquater,
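The two breaking criteria above (exhibit a collision, or compute a preimage of a given hash) can be made concrete on a deliberately weakened hash. The following is an added example, not part of Quisquater's post: it truncates SHA-256 to a few bits so that both searches finish in well under a second, and shows why the "one bad example" criterion is so unforgiving: a single pair of distinct inputs with the same output is a proof by contradiction that the function is not collision-resistant, and a birthday search finds one after roughly 2^(bits/2) evaluations, while a preimage costs roughly 2^bits. The truncation, the message formats and the sample target string are all constructed for the demonstration.

```python
import hashlib


def trunc_hash(msg: bytes, bits: int) -> int:
    """Toy hash for the demonstration: the leading `bits` bits of SHA-256.
    Truncation is what puts a search within reach; nothing here says anything
    about full-length SHA-256."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Exhibit two distinct messages with the same truncated hash.
    Birthday search: remember every digest seen; expected cost about 2**(bits/2).
    Returns (m1, m2, evaluations)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i  # constructed, pairwise distinct messages
        h = trunc_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def find_preimage(target: int, bits: int, max_tries: int):
    """Exhibit a message hashing to a given value (breaks one-wayness).
    Plain brute force: expected cost about 2**bits, i.e. 2**(bits/2) times the
    collision search above. Returns (msg or None, evaluations)."""
    for i in range(max_tries):
        msg = b"pre-%d" % i
        if trunc_hash(msg, bits) == target:
            return msg, i + 1
    return None, max_tries


def check_collision(m1: bytes, m2: bytes, bits: int) -> bool:
    """The verification anyone can rerun: distinct inputs, identical output."""
    return m1 != m2 and trunc_hash(m1, bits) == trunc_hash(m2, bits)


if __name__ == "__main__":
    m1, m2, n = find_collision(32)
    print("32-bit collision after %d evaluations: %r %r -> %08x"
          % (n, m1, m2, trunc_hash(m1, 32)))
    target = trunc_hash(b"the quick brown fox", 16)
    m, n = find_preimage(target, 16, 1 << 20)
    print("16-bit preimage of %04x after %d evaluations: %r" % (target, n, m))
```

Running it shows the asymmetry directly: the 32-bit collision typically appears after tens of thousands of evaluations, while a 16-bit preimage needs about the same count for a digest half as long. Doubling the digest length squares the preimage work but only doubles the collision work, which is why collision resistance is the stricter criterion and why digest sizes are chosen with the birthday bound in mind.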
------------------------------
From: John Kennedy <[EMAIL PROTECTED]>
Subject: Re: HushMail -- Free Secure Email
Date: Mon, 24 May 1999 20:27:44 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] () wrote:
> John Kennedy ([EMAIL PROTECTED]) wrote:
> : As I review the PGP manual I see it says the private key is protected
> : by the passphrase. Does that mean essentially that the private key has
> : been conventionally encrypted with the passphrase?
>
> Yes, and it's stored that way on your computer so you don't have to
> memorize it, only your passphrase.
>
> : So now it seems to me that one of the requirements for a hushmail
> : system to be secure is that the system only holds an encrypted copy of
> : your private key, which cannot be used to decrypt your mail without
> : your passphrase.
>
> Absolutely correct.
>
> : How could that requirement be addressed in a hushmail type system?
>
> Actually, it is probably quite easy to address in such a system. The
> HushMail server keeps a copy of everyone's public key, and HushMail acts
> as a certifying authority for them.
>
> Whether or not it is possible for HushMail _itself_ to read your mail -
> and it should not be possible - depends on a number of technical details
> of the setup. One of them is the one you mention: users should have a way
> of independently verifying each others' public keys. Also, private keys
> mustn't be communicated to the HushMail server. In fact, there is _no_
> good reason for even an _encrypted_ copy of these keys to be stored there.
I disagree on that point. The reason which one might consider good is
that if your encrypted private key is on their system, you can encrypt
your messages from any client machine with a supported browser. You
don't have to do it from your own machine or carry your private key
with you. If you consider the encrypted private key safe, then this is
an advantage in some situations.
>
> To me, the "right" way to encrypt is to run a copy of PGP on an old 486,
> then put your encrypted message on a floppy to carry it over to the
> computer of yours that is connected to the Internet. Just because a few
> too many steps in HushMail are done while on-line doesn't imply that there
> is anything fishy going on: honest people sometimes don't think of all the
> ways it is possible to cheat, and the steps one must take to *prove* to
> other people that one is not cheating.
I'm not suggesting Hushmail is not what it professes to be. I assume it
probably is. I'm just trying to figure out to what extent such a system
can be demonstrated to be secure.
--
-- John Kennedy
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: crack a hash function?
Date: Mon, 24 May 1999 15:22:25 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (David P Jablon) wrote:
>
> Your intuition is correct that breaking a hash by reversing
> the one-way operation is practically infeasible for any
> good hash function.
Yet we hear of the desire to eliminate collisions in hash functions,
different inputs causing the same output. Without collisions, brute force
would prove the supposed hash function to be the form of encryption where
one plaintext with one key, the function, produces one ciphertext, the
hash.
>
> But when a hash function is used to hide guessable data, as in
> a hashed-password, a brute-force trial-and-error attack
> often reveals the password corresponding to the hash.
> This is sometimes loosely referred to as "cracking" the hash.
>
The number of collisions should be awkwardly high while allowing
considerable variability in different output hashes. These things are all
easily quantified, and the numbers should reflect some level of desired
security.
--
Weathermen prophesize and insurance companies predict, while both pretend to be doing
the other to get an audience.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: HushMail -- Free Secure Email
Date: Mon, 24 May 1999 15:02:35 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] () wrote:
>
> To me, the "right" way to encrypt is to run a copy of PGP on an old 486,
> then put your encrypted message on a floppy to carry it over to the
> computer of yours that is connected to the Internet. Just because a few
> too many steps in HushMail are done while on-line doesn't imply that there
> is anything fishy going on: honest people sometimes don't think of all the
> ways it is possible to cheat, and the steps one must take to *prove* to
> other people that one is not cheating.
>
> John Savard
Good security requires more than merely wanting it. Physical isolation
remains one of the best things that might be part of your protocol. In
security matters, assume that people will cheat, so, if they do, you have
already tried to plug the holes.
--
Weathermen prophesize and insurance companies predict, while both pretend to be doing
the other to get an audience.
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: ROT13, how does it work?
Date: Mon, 24 May 1999 14:57:17 -0600
In article <7ib7vq$fq1$[EMAIL PROTECTED]>, detlef.stieger@t-online.de says...
> How does ROT13 encryption work?
For each letter in the alphabet, you substitute the letter 13
characters away. Since there are 26 letters in the (English)
alphabet, doing this twice results in the original.
> When is it used, what for?
It is NOT used for what you'd think of as encryption at all. It's
more like when a newspaper or magazine prints the answer to a riddle
upside down -- it makes it relatively easy to ignore the text until
you decide to look at it, but is not intended to prevent you from
looking at it when you decide to.
> Could you please include an encrypted example so I can try decryption?
Here's the sentence above with ROT13 applied:
Pbhyq lbh cyrnfr vapyhqr na rapelcgrq rknzcyr fb V pna gel qrpelcgvba?
------------------------------
Date: Mon, 24 May 1999 17:27:22 -0400
From: Alwyn Allan <[EMAIL PROTECTED]>
Subject: Re: SHA-1 unpatented?
Related: Does anyone know the status of MD2? Is it patented? It was licensed
for free for "non-commercial e-mail privacy" or something like that. If I
write MD2 code from the RFCs that specify it, but do not use RSA's code, do
I violate their copyright? Since the Pi permutation table is only given in
the code, can this be obtained elsewhere?
Thanks.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: ROT13, how does it work?
Date: Mon, 24 May 1999 15:43:57 -0600
In article <aHj*[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Mark Carroll) wrote:
> In article <7ib7vq$fq1$[EMAIL PROTECTED]>,
> Andreas / Detlef Stieger <[EMAIL PROTECTED]> wrote:
> >How does ROT13 encryption work?
> >
> >A friend told me it was quite simple, but I didn't find anything about it in
> >books.
>
> It's pretty trivial, yes. Split the alphabet into two halves. Now, to
> encode or decode, just replace each letter by the letter in the same
> position in the other half of the alphabet. So,
>
> ABCDEFGHIJKLMNOPQRSTUVWXYZ
> ...change to... NOPQRSTUVWXYZABCDEFGHIJKLM
>
> >When is it used, what for?
>
It is also a useful step in learning a few key concepts in cryptography.
Consider a standard alphabet as a continuously repeating string. With
ROT13, you move 13 places higher, but you could move a different number of
steps, say 5; then for solution you would need to move 26-5, or 21 steps
higher.
Of course, the alphabet could be deranged, not in normal order, another
crypto complication.
Given a standard alphabet, you could do INV26, which means A=Z, B=Y, etc.
Solve this:
Blf ziv vmxlfiztvw gl ovzim zh nzmb lu gsv yzhrxh lu gsv urvow lu
xibkgltizksb zh klhhryov yvuliv qfnkrmt rmgl zivzh klkfozgvw yb olgh lu
"vckvigh" dsl wl mlg pmld dvoo gsv vovnvmgzib zhkvxgh rmeloevw rm xrksvih.
In ROT13, capitalization and word separations follow the text character by
character, and some handle an offset of 5 for digits, but I feel this is
a corruption of having a set of only 26 characters; if you need more
characters, pick another set to begin with.
And, you could also use a different number of characters than 26. Given
90 characters taken in normal order from the ASCII set, ROT45 works. This
paragraph in ROT45 would be:
nA7Y LBH 6BH?7 4?FB HF8 4 7<998E8AG AH@58E B9 6;4E46G8EF G;4A _c[ t<I8A
f] 6;4E46G8EF G4>8A <A ABE@4? BE78E 9EB@ G;8 n&pvv F8GY %"'ab JBE>F[ ';<F
C4E4:E4C; <A %"'ab JBH?7 58g
In the same spirit as discussed above, with 90 characters you would get
this result with INV45:
R- '36 (:.6 (+2)2' :( 72(8&((67 :9,%6o $2'3 bk 83:):8'6)( ",& $,&/7 46'
'32( )6(&/' $2'3 RMEgfa
Good luck.
--
Weathermen prophesize and insurance companies predict, while both pretend to be doing
the other to get an audience.
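Both ROT13 posts above (Jerry Coffin's, and wtshaw's generalisation to other shifts, to INV26, and to a 90-character ASCII set) describe one mechanism: a substitution table over an ordered alphabet, with symbols outside the alphabet passing through untouched. The following is an added example, not code from either poster, that builds such tables for any alphabet and checks itself against the ciphertexts printed in the thread. One assumption is inferred from those samples rather than stated in the posts: the 90-character set is printable ASCII from '!' (code 33) to 'z' (code 122) in code order, with space outside the set, which is why spaces survive in the ROT45 and INV45 samples.

```python
import string


def build_table(alphabet: str, shift: int = 0, invert: bool = False) -> dict:
    """Substitution table over one alphabet: each symbol maps to the one `shift`
    places higher (wrapping round, the "continuously repeating string"), or,
    with invert=True, to the symbol in the mirrored position (A<->Z, B<->Y, ...)."""
    n = len(alphabet)
    return {ch: alphabet[(n - 1 - i) if invert else (i + shift) % n]
            for i, ch in enumerate(alphabet)}


def apply_table(text: str, table: dict) -> str:
    """Symbols outside the alphabet (spaces, stray punctuation) pass through
    unchanged, which is why the posted ciphertexts keep their word breaks."""
    return "".join(table.get(ch, ch) for ch in text)


def letter_rot(text: str, shift: int) -> str:
    """ROTn over A-Z and a-z as two separate cycles, so case follows the text
    character by character. ROT5 is undone by ROT21, since 26 - 5 = 21."""
    table = build_table(string.ascii_uppercase, shift)
    table.update(build_table(string.ascii_lowercase, shift))
    return apply_table(text, table)


def letter_inv(text: str) -> str:
    """INV26: A=Z, B=Y, ... Applying it twice restores the text."""
    table = build_table(string.ascii_uppercase, invert=True)
    table.update(build_table(string.ascii_lowercase, invert=True))
    return apply_table(text, table)


# Assumption inferred from the posted samples: the 90-symbol set is printable
# ASCII '!' (33) through 'z' (122) in code order; space is not in the set.
ASCII90 = "".join(chr(c) for c in range(33, 123))


def rot45(text: str) -> str:
    """ROT45 over the 90-symbol set; 45 = 90/2, so it is its own inverse."""
    return apply_table(text, build_table(ASCII90, 45))


def inv45(text: str) -> str:
    """INV45: mirror position within the 90-symbol set, also self-inverse."""
    return apply_table(text, build_table(ASCII90, invert=True))


if __name__ == "__main__":
    # The samples quoted here are the ciphertexts printed in the two posts.
    print(letter_rot("Pbhyq lbh cyrnfr vapyhqr na rapelcgrq rknzcyr fb V pna gel qrpelcgvba?", 13))
    print(letter_rot(letter_rot("Five steps up", 5), 21))
    print(letter_inv("Blf ziv vmxlfiztvw gl ovzim zh nzmb lu gsv yzhrxh lu gsv urvow lu"))
    print(rot45("nA7Y LBH 6BH?7 HF8 4 7<998E8AG AH@58E B9 6;4E46G8EF G;4A _c[ t<I8A"))
    print(inv45("R- '36 (:.6 (+2)2' :( 72(8&((67 :9,%6o $2'3 bk 83:):8'6)( \",& $,&/7 46'"))
```

The one design point worth noticing is that the alphabet, not the shift, is where the ambiguity lives: a reader who does not know whether space, digits or case are part of the set cannot decode even a ROT13 message reliably, which is the complication wtshaw is pointing at when he says to pick the set first and then the offset.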
------------------------------
From: "Jean Marc Dieu" <[EMAIL PROTECTED]>
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: Mon, 24 May 1999 23:26:52 +0200
I see that you guys in sci.crypt have a nice sense of humour.
Thanks for those who answered my (stupid I guess) question. ;-D
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: HushMail -- Free Secure Email
Date: Mon, 24 May 1999 15:11:12 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] () wrote:
> Geoff Thorpe ([EMAIL PROTECTED]) wrote:
> : It is also (apparently) prohibited to provide crypto-related "hooks"
> : into which foreign software can plug directly into
>
> Yes, that is correct. However, source code of text editors, browsers,
> et cetera, can be released, and so hooks for anything can be added to
> that, and people in the U.S. can sell compilers to the rest of the world,
> so, as you point out, the implications of this prohibition are rather
> confusing.
>
It was dreamt up by folks that did not understand the nature of
clipboards, or the use of virtual memory for transitory information.
Figure that Windoze writes so much to disk files not because it
necessarily needs to, but because in addition to being decades behind the
times relative to the state of the art at the most elemental level, MS
caters to the obsolete notions of the same ignorant bozos who wish to
secure their power with wild screams against technology going in
directions inconvenient for their noisy inclinations.
--
Weathermen prophesize and insurance companies predict, while both pretend to be doing
the other to get an audience.
------------------------------
From: "Matthew Bennett" <[EMAIL PROTECTED]>
Subject: Re: blowfish hints anyone?
Date: Mon, 24 May 1999 22:41:51 +0100
Boris Kazak wrote in message <[EMAIL PROTECTED]>...
<snip>
>This one has a relatively simple solution. You will have some routine
>prompting the user for his key. In this routine you can prompt, say,
>three times like this:
>
> Enter the first part of your passphrase: *********
>(After the first part is entered, go ahead)
> Enter the second part of your passphrase: ***********
>(After the second part is entered, go ahead)
> Enter the third part of your passphrase: ********
<snip>
Thanks for your help :)
Considering the people wishing to decrypt these files may not have the time
to manually enter three passphrases per decryption, how suitable would a
"key file" be? (This is a question to anyone in the group.) Would people
consider that the security risk of having a "physical" key file outweighs the
time saved and the prevention of possible errors?
Matt
------------------------------
From: "Matthew Bennett" <[EMAIL PROTECTED]>
Subject: Re: blowfish hints anyone?
Date: Mon, 24 May 1999 22:36:12 +0100
[EMAIL PROTECTED] wrote in message <7i9rnq$pli$[EMAIL PROTECTED]>...
>
<snip> - thanks for the info :)
>What are you actually designing? Sounds like you are a bit confused.
>If you are going to encode live data, use a CFB mode, unless the data
>is fast enough to warrant CBC mode.
It's going to be a specialised application for a company who wishes to
distribute self-decrypting executables to their clients using a well-known
encryption algorithm. I've got just about everything but the finer-points
of Blowfish sorted out - and thanks to the replies from this group I hope to
have these ironed out too :)
Yes, I will be using CFB - I was just curious as to the point of ECB in the
first place...
Matt
------------------------------
From: "Matthew Bennett" <[EMAIL PROTECTED]>
Subject: Re: blowfish hints anyone?
Date: Mon, 24 May 1999 22:50:08 +0100
[EMAIL PROTECTED] wrote in message <7ia5nv$2q$[EMAIL PROTECTED]>...
<snip>
>What would be the point of a public (ie, fixed) IV?
>The whole point is to make the eavesdropper's task harder.
<snip>
I agree. So any ideas how the IV would be obtained?
From reading a post later in this thread, the idea of a check-phrase
being encrypted into the message, which could then be used to make sure the
correct password(s) had been entered, seems like a good idea. Would it then
be possible to obtain the IV from a simple hash of this phrase?
Matt
------------------------------
From: "Matthew Bennett" <[EMAIL PROTECTED]>
Subject: Re: blowfish hints anyone?
Date: Mon, 24 May 1999 22:38:21 +0100
Eric Young wrote in message <[EMAIL PROTECTED]>...
>[EMAIL PROTECTED] wrote:
>> > 2) Would you just have a standard, "built-in" IV, or do programs get
>> this
>>
>> The IV is normally private.
>
>Well, actually, no.
>For input
>M[0] M[1] M[2]
>and output cipher-text
>C[0] C[1] C[2],
>the IV for generating C[1] is C[0].
>So effectively the IV is C[-1].
and I presume "C[-1]" is an IV (btw.. I assume this means Initial Variable?)
obtained from outside the cipher-text itself?
Matt
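The three IV questions in Matt's posts (why a fixed IV is undesirable, whether the IV could be a hash of the check-phrase, and what Eric Young means by "the IV is C[-1]") come down to how CFB chains blocks. The following is an added example, not code from the thread: it implements full-block CFB over an 8-byte block, carries the IV in the clear as the first block of the message, and includes a check that shows what a fixed IV gives away. An IV derived by hashing a constant check-phrase is fixed in exactly that sense, since the same passphrase yields the same IV for every file. One assumption is made so that it runs without a cipher library: HMAC-SHA256 truncated to 8 bytes stands in for the Blowfish forward function E_k, which CFB calls in both directions, so the mode itself is unchanged; the key and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 8  # Blowfish works on 64-bit blocks; the stand-in keeps that size


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's forward function E_k. Assumption made for
    this example: HMAC-SHA256 truncated to 8 bytes replaces Blowfish so the code
    runs without a cipher library. CFB only ever calls E_k (never its inverse),
    so the mode logic below is the real thing."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C[i] = P[i] XOR E_k(C[i-1]), with C[-1] = IV. A short final block is XORed
    with the leading bytes of the keystream block, so no padding is needed."""
    assert len(iv) == BLOCK
    out = bytearray()
    prev = iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_fn(key, prev))
        out += c
        prev = c  # feedback: this ciphertext block drives the next keystream block
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P[i] = C[i] XOR E_k(C[i-1]); the receiver needs only the IV and the ciphertext."""
    assert len(iv) == BLOCK
    out = bytearray()
    prev = iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(c, block_fn(key, prev))
        prev = c
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random IV per message, sent in the clear as the first block (C[-1]):
    the IV need not be secret, only unpredictable and never reused under one key."""
    iv = os.urandom(BLOCK)
    return iv + cfb_encrypt(key, iv, plaintext)


def unseal(key: bytes, message: bytes) -> bytes:
    return cfb_decrypt(key, message[:BLOCK], message[BLOCK:])


def fixed_iv_leaks_prefix(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """What a fixed IV (or one derived from a constant check-phrase) gives away:
    two messages that begin with the same block produce the same first
    ciphertext block, so an eavesdropper learns they start alike without the key."""
    return cfb_encrypt(key, iv, p1)[:BLOCK] == cfb_encrypt(key, iv, p2)[:BLOCK]


if __name__ == "__main__":
    key = b"constructed demo key"  # constructed; a real key would come from the passphrase
    msg = seal(key, b"Meet at the usual place at nine.")
    print(msg.hex())
    print(unseal(key, msg))
    print(fixed_iv_leaks_prefix(key, bytes(BLOCK), b"Dear Alice, hello", b"Dear Alice, bye"))
```

Because the IV is simply the block that precedes C[0] in the chain, storing it as the first 8 bytes of the file costs nothing in secrecy and removes the temptation to derive it from something constant. The check-phrase idea still has a place for detecting a wrong passphrase, but as plaintext inside the message, not as the source of the IV.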
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: Mon, 24 May 1999 16:56:24 -0600
In article <7ic3gi$eer$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
> Let's say a hacker breaks 3DES.
> What would make him declare to everyone his "discovery"?
Nothing _makes_ him do so. Whether somebody would reveal it publicly
would basically depend on whether honesty and desire for fame
outweighed their desire for riches or vice versa.
Of course, if you prove that you can break an encryption that people
have studied for decades now, the accompanying fame is likely to lead
to fortune as well. I suspect a bidding war between the IBM T.J.
Watson research center, Lucent Bell Labs and MS's research department,
could include some fairly serious quantities of money, not to mention
just about every fringe benefit known to man...
> So, even if an algorithm has been proven empirically "good", we have no
> evidence that it hasn't been cracked, is that correct?
Yes, that's correct.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: SHA-1 unpatented?
Date: Mon, 24 May 1999 23:04:51 GMT
Alwyn Allan wrote:
> Related: Does anyone know the status of MD2.
Its status seems to be "almost broken". RSA Labs
now recommends against using it. It was never very
popular, since it's also slow.
> Is it patented? It was licensed
> for free for "non-commercial e-mail privacy" or something like that.
It's free, and there's free code around.
But don't use it.
--Bryan
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************