Cryptography-Digest Digest #607, Volume #9 Fri, 28 May 99 01:13:02 EDT
Contents:
Re: The BRUCE SCHNEIER Tirade (fungus)
Re: Authenticating identity? (Gregory G Rose)
Re: Reasons for controlling encryption (Mike McCarty)
Re: The BRUCE SCHNEIER Tirade ("Eric W Braeden")
Re: What good is hushmail? ([EMAIL PROTECTED])
Re: Threatening SW ^besides^ Strong-Crypto (Geoffrey KEATING)
Re: The BRUCE SCHNEIER Tirade ("Brian Hetrick")
Re: Please recommend freeware encryption SDK (Johnny Bravo)
Re: Oriental Language Based Encryption (Mok-Kong Shen)
Re: ScramDisk and Windows 2000 (Sundial Services)
Re: The BRUCE SCHNEIER Tirade (SCOTT19U.ZIP_GUY)
Re: AES tweaks ("Vedat Hallac")
----------------------------------------------------------------------------
From: fungus <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Fri, 28 May 1999 02:39:55 +0200
Anthony Stephen Szopa wrote:
>
> A true one-time pad is... unusable? Why: because no one has shown how
> it can be done yet?
>
Very, very simple.
A one time pad has a key which is as big as the message. If you
can securely transmit the key to the other party then you obviously
don't need cryptography - you could just send the message by the
same route.
> Let me begin by asking Mr. Schneier why the OTP is unusable?
>
See above.
> In one breath Mr. SCHNEIER says that Ciphile Software is "pretending"
> then in the next he claims: "whatever that means." Mr. SCHNEIER, do
> you know what you are talking about when you trash Original Absolute
> Privacy - Level3 Encryption Software?
>
I think it's up to you to demonstrate that he's not. Bruce is well
respected in the world of cryptography. I for one will stand behind
his opinion that the OTP is unusable in practice.
"Tirades" will get you nowhere. What are your credentials? What do you
know that the rest of the world doesn't (and that defies simple logic)?
> Is it the mark of a professional to make assertions about something he
> does not know anything about?
>
If the assertions are based on simple logic, yes. If you tell me you've
invented a perpetual motion machine then I *will* be very sceptical
- I'll ask for a demonstration.
Where's your demonstration that your system works?
> And do the readers of this news group think it wise to accept someone's
> unsubstantiated claims at face value just because they have earned a
> certain level of respect in a particular field or community?
>
No, we simply understand the logic behind what he's saying.
> Apparently, what Mr. SCHNEIER is critiquing is my web site home page
> sales hype that has remained unchanged since its inception over two
> years ago. Granted, the phrase "with very sophisticated and powerful
> augmenting features" is vague and ambiguous so I have removed it. But
> is this a legitimate basis upon which a professional judges an
> encryption software product?
>
In the world of cryptography, yes. If it walks like a duck and talks
like a duck...
Let's see:
"Level3 is an automated pseudo one-time pad generator."
- "pseudo one time pad"
- "pseudo"
Doesn't "pseudo" imply that it isn't really a one time pad underneath...?
> OAP-L3 is an extremely secure encryption software product, and this
> claim is supported by the facts.
"Facts"? Please enlighten us...
> About Ciphile Software and Original Absolute Privacy - Level3 Encryption
> Software -
>
> "... your software is, so far as I can tell, bulletproof."
>
> "It's an amazing package."
>
> I think it is best to let an UNBIASED WELL INFORMED public decide the
> merits of Ciphile Software's OAP-L3.
>
Millions of flies can't be wrong...
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (Gregory G Rose)
Subject: Re: Authenticating identity?
Date: 27 May 1999 18:05:15 -0700
In article <[EMAIL PROTECTED]>,
Medical Electronics Lab <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] wrote:
>> Dick sends a message to Jane, and Jane wants to be able to prove that
>> the message came from Dick. I'm not trying to sign the contents of the
>> message, just include a cookie that proves that it came from Jane.
Then you're already out of luck. Any third party
can snoop on a valid message, take the cookie out
of it, attach it to any old message they like,
and send that. Jane will accept it as being from
Dick. The cookie *must* depend on the message
contents, at least.
Then there's replay. Dick says to Jane "Meet me by
the fountain tomorrow." They have their little
tryst. A few weeks later, the bad guy sends the
same message again, knowing that Jane will show up
alone and undefended. The signature should include
a timestamp or sequence number (to guarantee
freshness).
The signature should include the identity of the
intended recipient... you got that part right.
That's what encrypting Dick's public key gives
you. But why not just encrypt his name? There are
some messages of special form that, when
encrypted, will reveal the secret key... Dick
could publish a public key that was constructed to
be of that form. That's why the standards specify
special padding, and so on.
>The real trick here is that they both know they have the other's
>public key. As long as *that* part is exchanged correctly, then
>you can easily authenticate. If you are certain that you can
>do that securely and authentically, then the scheme you suggest
>should work.
Protocol design is extremely subtle (perhaps
more so than EC crypto algorithms). All that it
proves is that sometime, somewhere, Dick tried to
send a message to Jane. That message may never
have arrived. It may have been archived by the
attacker for future use. It may have been altered.
I'm afraid the protocol is almost useless. Some
people would say, based on the false sense of
security, that it is *worse* than useless.
Mike is right about the fact that knowing the
authenticity of the public keys is *also*
fundamental.
PGP addresses most of these issues; in my opinion,
that's Phil Zimmermann's major contribution. The
document accompanying it should be required
reading.
Greg.
--
Greg Rose INTERNET: [EMAIL PROTECTED]
QUALCOMM Australia VOICE: +61-2-9181 4851 FAX: +61-2-9181 5470
Suite 410, Birkenhead Point http://people.qualcomm.com/ggr/
Drummoyne NSW 2047 B5 DF 66 95 89 68 1F C8 EF 29 FA 27 F2 2A 94 8F
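Added example, not from the thread: a message tag that covers the sender, the intended recipient, a sequence number and the message body, with a receiver that refuses replays and tags moved from one message to another. HMAC with a constructed shared key stands in for the public-key signature discussed above; the names, key and messages are made up for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed demo key shared by Dick and Jane. HMAC stands in for the
// public-key signature in the thread; the binding argument is the same.
var key = []byte("constructed-demo-key-not-for-real-use")

// BoundTag covers sender, intended recipient, a sequence number and the
// message body, which is what the reply says the cookie must depend on.
// A cookie computed over the sender name alone could be cut from one message
// and pasted onto any other.
func BoundTag(sender, recipient string, seq uint64, msg []byte) []byte {
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], seq)
	m := hmac.New(sha256.New, key)
	for _, part := range [][]byte{[]byte(sender), {0}, []byte(recipient), {0}, s[:], msg} {
		m.Write(part)
	}
	return m.Sum(nil)
}

// Receiver remembers the last sequence number accepted per sender so that a
// replayed message is rejected even though its tag still verifies.
type Receiver struct {
	Name string
	Seen map[string]uint64
}

// Accept returns true only for a fresh message whose tag verifies under this
// receiver's own name; a tag moved to another message, another recipient or
// an old sequence number is refused.
func (r *Receiver) Accept(sender string, seq uint64, msg, tag []byte) bool {
	if !hmac.Equal(tag, BoundTag(sender, r.Name, seq, msg)) {
		return false
	}
	if last, ok := r.Seen[sender]; ok && seq <= last {
		return false
	}
	r.Seen[sender] = seq
	return true
}

func main() {
	jane := &Receiver{Name: "Jane", Seen: map[string]uint64{}}
	msg := []byte("Meet me by the fountain tomorrow.")
	tag := BoundTag("Dick", "Jane", 1, msg)
	fmt.Println(jane.Accept("Dick", 1, msg, tag))                       // true
	fmt.Println(jane.Accept("Dick", 1, msg, tag))                       // false: replay
	fmt.Println(jane.Accept("Dick", 2, []byte("Send the money."), tag)) // false: tag moved
}
```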
------------------------------
From: [EMAIL PROTECTED] (Mike McCarty)
Subject: Re: Reasons for controlling encryption
Date: 28 May 1999 01:06:10 GMT
How about the "cultural revolution" in China?
Interestingly, Stalin was not a Russian at all, but a Georgian.
In article <[EMAIL PROTECTED]>,
Boris Kazak <[EMAIL PROTECTED]> wrote:
)Greg Bartels wrote:
)>
)> (*********)
)> then find anyone who pursues an advanced degree in numerical analysis,
)> and throw them in jail to protect the rest of the public.
)>
)> Greg
)------------------
)Actually, nothing new or out of the ordinary in this idea. In 1933-35
)Joseph Stalin arrested and put into Russian hard labor camps everybody
)who could read Arabic, from simple village mullahs to university
)professors. The objective was to make the Moslem culture and history
)inaccessible to the population of Central Asia, which was at the time
)occupied and made part of the Soviet Union. Thereafter Russian was being
)taught to these people at schools, together with Communist ideology,
)and the result has been so successful that these folks now have big
)problems reintegrating back into the Moslem world; several generations
)were completely isolated from these traditions.
) Needless to say that practically all Arabists died in the Gulag.
)
) Best wishes BNK
--
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I don't speak for Alcatel <- They make me say that.
------------------------------
From: "Eric W Braeden" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Thu, 27 May 1999 21:21:43 -0400
Anthony Stephen Szopa,
The rules are simple: Your system, like ALL others, is
just so much crap until you put all your cards on the table
so that, if you are lucky, after YEARS, if pros want to do
the analysis, your system MAY be considered OK.
Your so-called Tirade just removed you from any
consideration from the pros. This is cool because now
no one has to waste time looking at your system.
Get a job...in a field where you have talent...if you
have any.
Eric Braeden
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: What good is hushmail?
Date: Fri, 28 May 1999 02:06:38 GMT
On Thu, 27 May 1999 12:02:02 GMT, [EMAIL PROTECTED]
(John Kennedy) wrote:
>
>
>In principle on a hushmail type system you can validate that the code
>running on your machine is secure and you can validate your target's
>key. If you validate those Big Brother can't read your mail at the
>redirected site without cracking strong crypto.
The point is that in its current instantiation hushmail provides no
support for such local validation, and it is unclear how it would even
work. The problem really is nontrivial.
------------------------------
Crossposted-To: comp.security.misc
Subject: Re: Threatening SW ^besides^ Strong-Crypto
From: Geoffrey KEATING <[EMAIL PROTECTED]>
Date: 28 May 1999 12:17:40 +1000
[EMAIL PROTECTED] (Charles M) writes:
> Slow week and too much thinking again.
>
> The crypto bit is so much in the news, and so long-running that I for
> one am apathetic on the topic. But I was thinking last night about
> whether there mightn't be other kinds of software that would pose as
> great a threat to "national security" as Strong-Crypto. And I was
> thinking that while S-C is dangerous (supposedly) because it would allow
> terrorists to plot under the nose of US spooks, there are obviously
> tools that would have the opposite risk - in other words give our foes
> the ability to tap into our secret data stores, etc. But then I think
> the reality is that hackers don't benefit much from commercial software
> - except for the holes in it.
Well, you might look at the Wassenaar agreement lists. Apart from
design software for weapons and suchlike, there is:
- Vector computer OSs
- Sonar & signal processing s/w
- Cellphone software in source
- Adaptive routing software in source
- Real-time OS software with low interrupt latency
- Expert system software with time dependence
- Semiconductor CAD software with testing functionality
and so on.
--
Geoff Keating <[EMAIL PROTECTED]>
------------------------------
From: "Brian Hetrick" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Thu, 27 May 1999 22:49:34 -0400
Well, I'm not Bruce Schneier, but OTP systems are unusable in practice
because the key size must be the same as the message size -- otherwise
it's not an OTP -- and distributing the key requires a secure channel.
Since you can securely distribute the key, it makes sense to use the
same channel to securely distribute the message, and not bother with a
key. (Actually, there is a time dependency in there. It is possible
that the secure channel existed in the past, but not right at the
moment; in that case, and in that case _alone_, it makes sense to use
an OTP.)
Now, since you don't describe your algorithm on your web pages, I
cannot comment on it. I _can_ comment that you obviously do not
understand permutations -- you say that there are 14! ways of
arranging 14 objects (true), hence composing two 14-element
permutations yields (14!)^2 possible arrangements (false). Composing
two 14-element permutations gives you another 14-element permutation,
and there are still only 14! of them. Since your explanation of your
encryption process shortly thereafter devolves into handwaves as to
how big powers of 14! can get, it seems unlikely that there is in fact
anything there. I can also remark, based on the screen shots on your
web site, that you have no clue what human factors are. (Microsoft
has a fairly good introduction to user interface design in their
Windows Logo program documentation; you might want to read it.)
So, what actually is the effective key size of the encryption you
describe? Since the encryption key appears to be generated from a
user interface (picking a permutation, picking a few ways to mix it
up, etc.), the effective key size of your encryption is small -- if I
can duplicate the key after making k decisions, the key size is k
log2(n) where n is the number of alternatives. From what I understood
from the web page, there are only a dozen or so decisions to be
made -- which set of "random data" to be used, which transformations
to apply, and of course the 14-item permutation. It appears to be
about a 30- to 40-bit effective key size.
You are in the position of saying, "I know how to climb a tree,
therefore I know how to get to the moon." It is far more likely that
you only know how to climb a tree.
The security of an OTP relies on the bits being _random_ -- not
_pseudo_random. You _cannot_ computationally produce random bits.
You _cannot_ get a one time pad from a computational process. Believe
Bruce Schneier when he says this.
What Ciphile is selling looks and smells like snake oil to me. That
your response to Bruce Schneier saying "look! snake oil!" is to respond
with an ad-hominem attack tells me you don't know, or don't care, what
encryption really is. That you don't understand simple finite
mathematics tells me which.
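Added example (not the poster's): enumerating every permutation of a small set and composing every ordered pair shows that the compositions are again just the n! permutations, not (n!)^2 of them, and the k*log2(n) key-size estimate is carried through for the 14-item permutation. The value 14! = 87178291200 is the only figure taken from the post; the code is written for this digest.

```go
package main

import (
	"fmt"
	"math"
)

// Compose returns "apply p, then q" for permutations given as slices of {0..n-1}.
func Compose(p, q []int) []int {
	r := make([]int, len(p))
	for i, v := range p {
		r[i] = q[v]
	}
	return r
}

// AllPerms lists all n! permutations of n items by inserting item n-1 into
// every position of every permutation of the first n-1 items.
func AllPerms(n int) [][]int {
	if n == 0 {
		return [][]int{{}}
	}
	var out [][]int
	for _, p := range AllPerms(n - 1) {
		for i := 0; i <= len(p); i++ {
			out = append(out, append(append(append([]int{}, p[:i]...), n-1), p[i:]...))
		}
	}
	return out
}

// DistinctCompositions composes all (n!)^2 ordered pairs of n-item permutations
// and counts distinct results; each result is itself an n-item permutation, so
// the count is n!, not (n!)^2.
func DistinctCompositions(n int) int {
	ps := AllPerms(n)
	seen := map[string]bool{}
	for _, p := range ps {
		for _, q := range ps {
			seen[fmt.Sprint(Compose(p, q))] = true
		}
	}
	return len(seen)
}

// KeyBits is the post's k*log2(n) estimate written for decisions that may each
// have a different number of alternatives: the bits of each choice add up.
func KeyBits(alternatives ...float64) float64 {
	bits := 0.0
	for _, n := range alternatives {
		bits += math.Log2(n)
	}
	return bits
}

func main() {
	fmt.Println("distinct compositions of 4-item permutations:", DistinctCompositions(4)) // 24 of 576 pairs
	fmt.Printf("choosing one 14-item permutation (14! = 87178291200): %.1f bits\n", KeyBits(87178291200))
}
```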
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: Please recommend freeware encryption SDK
Date: Thu, 27 May 1999 21:35:02 GMT
On 27 May 1999 21:50:26 GMT, MatthewJohnson <[EMAIL PROTECTED]>
wrote:
>Well, if it is true that nobody reads your files, it could be because
>they haven't tried hard enough yet.
And he is also assuming that anyone wants to read his files.
Johnny Bravo
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Oriental Language Based Encryption
Date: Thu, 27 May 1999 16:34:13 +0200
Patrick Juola wrote:
>
> My understanding :
>
> I replace all words in an English text (it doesn't really have to be
> a dictionary) with sort of opaque symbol, then diffuse the symbols
> around via some sort of transposition cypher, and then you ask what
> I can get out of this?
>
> Answer : probably plenty.
Perhaps you could comment a bit more if I tell you what a telegraphic
code for Chinese is. The code book contains 10000 commonly used
Chinese words and assigns to each word a four digit numerical number.
If you do the same for 10000 English words, then the frequencies
of the original English alphabet don't get reflected in the frequencies
of the digits of the numerical code. Let's consider an imaginary
(untrue) case that these 10000 words are used with the same frequency.
Then one should, if one counts the characters, obtain a fairly
non-uniform distribution, say the one that one commonly finds in tables
about frequencies. But the counterpart, the frequency distribution of
the digits of the corresponding code words, is clearly uniform. As I
said, the above is an unrealistic case simply chosen to aid
argumentation but I suppose you can nevertheless get my point.
M. K. Shen
------------------------------
Date: Thu, 27 May 1999 07:43:19 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: ScramDisk and Windows 2000
Daniel Garlans wrote:
> > Are there any plans to produce a Windows 2000 version of ScramDisk?
> What is scramdisk? :)
Haven't used it personally but I do know ...
ScramDisk is a program that creates an encrypted logical disk-volume.
It allows a disk, or a file mounted as a logical-disk, to be enciphered
so that its entire contents are meaningless without a password.
The problem before the house is that ScramDisk is apparently based on
Windows/DOS interfaces, not the Windows-NT (nee Windows/2000) model,
which is considerably different under the hood.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Fri, 28 May 1999 05:19:36 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>The BRUCE SCHNEIER Tirade
>
>
>
>BRUCE SCHNEIER is president of Counterpane Systems and says:
>
>"One-time pads don't make sense for mass-market encryption products.
>They may work in pencil-and-paper spy scenarios, they may work on the
>U.S.-Russia teletype hotline, but they don't work for you. Most
>companies that claim they have a one-time pad actually do not. They
>have something they think is a one-time pad. A true one-time pad is
>provably secure (against certain attacks), but is also unusable.
>
Actually Bruce likes to attack newcomers. But if you claim you have
an OTP then the key has to be changed each time the file is used. About
the only way you could do it is to give each customer a unique CD full of
different random data for each user. So that no other user has the same
random data. And then you have to make sure the user can only encrypt
using that random data once. It could be done but then you have to have the
user store the CD in a safe. It may not be practical but then Bruce likes
to shoot his mouth off a lot and you are an easy target if you are not sure
just what is meant by an OTP pad. A one time pad is secure since it is
used ONLY ONCE. It is provably secure because there is more than one
key that decodes to a reasonable answer so that someone breaking it does
not have enough information to break it. What Bruce fails to tell is that all
small keyed encryption systems that use short keys are weak in the sense
that if one encrypts a short ascii file longer than just a few blocks the
attacker need only see if a small portion of the file decrypts to text. If it
does then it is broken. This weakness is less of a problem if one uses
something like scott19u.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: "Vedat Hallac" <[EMAIL PROTECTED]>
Subject: Re: AES tweaks
Date: Fri, 28 May 1999 15:02:45 +1000
> Take a long file of your choice but many thousands of bytes in length use
>any AES candidate and use CBC with an IV of your choice.
>... You now have a file that matches
>exactly the original file except for a few blocks in the area of where you
>twiddled the bit.
Hmmm... I thought this was a good thing. It only shows that error
propagation of this method is limited to the next block. If the encrypting
end is a teller machine, and the decrypting end is the bank, do you want all
transactions after one bit of transmission error to fail? Or try to
resynchronize at that point? I think not. All the CBC mode does is to make a
block in the stream dependent on all the previous blocks, preventing threats
like erasing or adding transactions to the stream in this kind of
application.
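Added example, not part of the thread: AES in CBC mode from Go's standard library, with one ciphertext bit flipped in transit, reporting per block how many plaintext bits change after decryption. The key, the IV and the transaction-style plaintext are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/bits"
)

// Constructed demo key (32 bytes, AES-256) and IV; real ones come from key
// management, and the IV must be fresh for every message.
var key = []byte("0123456789abcdef0123456789abcdef")
var iv = []byte("constructed-iv!!")

// mode returns the standard library's CBC encrypter or decrypter under key/iv.
func mode(decrypt bool) cipher.BlockMode {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if decrypt {
		return cipher.NewCBCDecrypter(block, iv)
	}
	return cipher.NewCBCEncrypter(block, iv)
}

// DamagedBlocks encrypts pt, flips one bit of ciphertext block blk, decrypts,
// and returns how many plaintext bits changed in each block. Only block blk
// (scrambled) and block blk+1 (that single bit) differ. Note that decryption
// reports no error: noticing the change needs a separate integrity check.
func DamagedBlocks(pt []byte, blk int, bit uint) []int {
	ct := make([]byte, len(pt))
	mode(false).CryptBlocks(ct, pt)
	ct[blk*aes.BlockSize+int(bit/8)] ^= 1 << (bit % 8)
	got := make([]byte, len(ct))
	mode(true).CryptBlocks(got, ct)
	diff := make([]int, len(pt)/aes.BlockSize)
	for j := range pt {
		diff[j/aes.BlockSize] += bits.OnesCount8(pt[j] ^ got[j])
	}
	return diff
}

// Sample is a constructed 8-block plaintext, one 16-byte "transaction" per block.
func Sample() []byte {
	var b bytes.Buffer
	for i := 0; i < 8; i++ {
		fmt.Fprintf(&b, "txn%02d amt=%06d", i, 100*i)
	}
	return b.Bytes()
}

func main() {
	// Bit 5 of block 3 flipped in transit: block 3 is garbage, block 4 differs
	// in exactly one bit, blocks 0-2 and 5-7 decrypt unchanged.
	fmt.Println(DamagedBlocks(Sample(), 3, 5))
}
```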
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************