Cryptography-Digest Digest #609, Volume #9       Fri, 28 May 99 09:13:03 EDT

Contents:
  Scramdisk cracked ("Tomas FRYDRYCH")
  Re: The BRUCE SCHNEIER  Tirade (John Kennedy)
  Re: The BRUCE SCHNEIER  Tirade (John Kennedy)
  Re: Hot on the heels of hushmail.... (John Kennedy)
  Re: What good is hushmail? (John Kennedy)
  Re: block ciphers vs stream ciphers ("Guglielmo Morgari")
  Re: What good is hushmail? (John Kennedy)
  Re: IEEE floating-point arithmetic and cryptography (D. J. Bernstein)
  Re: Scramdisk cracked (John Kennedy)
  Re: Oriental Language Based Encryption (Mok-Kong Shen)
  Re: What good is hushmail? (fungus)
  Re: The BRUCE SCHNEIER Tirade ([EMAIL PROTECTED])
  Re: Any way to decrypt .PWL windows password files? (Nick Barron)
  Re: What good is hushmail? (fungus)
  Re: The BRUCE SCHNEIER  Tirade (Patrick Juola)
  Re: The BRUCE SCHNEIER  Tirade (Patrick Juola)
  Re: Stream Cipher using LFSRs ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: "Tomas FRYDRYCH" <Use-Author-Address-Header@[127.1]>
Subject: Scramdisk cracked
Date: Fri, 28 May 1999 11:22:11 +0000


I do not seem to be able to locate the posting to which Jennifer 
refers and I would like to form my own judgement on the matter; 
where should I look for it?

If the person indeed used a 7 character passphrase, then I am 
inclined to agree with Jennifer's judgement ... but even if you know 
that the passphrase contains 7 characters, bruteforcing Scramdisk 
would be a lengthy undertaking, since with SD you do not know 
what cipher was used until you have the correct passphrase, 
having to test each of the 10 ciphers it implements. Unfortunately, 
chances are that a person who would decide to use a 7 char 
passphrase would also limit themselves to the lower-case alphabet, 
thus reducing the effective size of the phrase to 35 bits.


------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER  Tirade
Reply-To: [EMAIL PROTECTED]
Date: Fri, 28 May 1999 10:28:04 GMT

On Fri, 28 May 1999 02:39:55 +0200, fungus
<[EMAIL PROTECTED]> wrote:

>
>
>Anthony Stephen Szopa wrote:
>> 
>> A true one-time pad is...  unusable?  Why:  because no one has shown how
>> it can be done yet?
>> 
>
>Very, very simple.
>
>A one time pad has a key which is as big as the message. If you
>can securely transmit the key to the other party then you obviously
>don't need cryptography - you could just send the message by the
>same route.

Nope. You may pass the pad through a window that may not even exist at
the time you need a message transmitted.

>
>> Let me begin by asking Mr. Schneier why the OTP is unusable?
>> 
>
>See above.

I don't know what Schneier meant, but your point above is not valid.



--

John Kennedy

--

The causal world imposes a nonarbitrary distinction between detecting in one's
visual array the faint outline of a partly camouflaged stalking predator and not
detecting it because of alternative interpretative procedures. Nonpropagating
designs are removed from the population, whether they believe in naive realism
or that everything is an arbitrary social construction.

                            (Tooby and Cosmides, in _The Adapted Mind_, Barkow,
Cosmides and Tooby, editors)

=======

Best Anarchy Links:

David Friedman -> http://www.best.com/~ddfr/
Niels Buhl -> http://www.math.ku.dk/~buhl/
Billy Beck -> http://www.mindspring.com/~wjb3/promise.html
========


------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER  Tirade
Reply-To: [EMAIL PROTECTED]
Date: Fri, 28 May 1999 10:28:05 GMT

On Thu, 27 May 1999 21:21:43 -0400, "Eric W Braeden"
<[EMAIL PROTECTED]> wrote:

>Anthony Stephen Szopa,
>    The rules are simple: Your system, like ALL others, is
>just so much crap until you put all your cards on the table
>so that, if you are lucky, after YEARS, if pros want to do
>the analysis, your system MY be considered OK.
>    Your so-called Tirade just removed you from any
>consideration from the pros. This is cool because now
>no one has to waste time looking at your system.
>    Get a job...in a field where you have talent...if you
>have any.

I don't see anything wrong with asking why a true one time pad is
supposed to be unusable.



--

John Kennedy



------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Subject: Re: Hot on the heels of hushmail....
Reply-To: [EMAIL PROTECTED]
Date: Fri, 28 May 1999 10:28:05 GMT

On Thu, 27 May 1999 08:36:18 GMT, [EMAIL PROTECTED] wrote:

>In article <[EMAIL PROTECTED]>,
>  fungus <[EMAIL PROTECTED]> wrote:
>>
>> A new service called ziplip has just appeared.
>>
>> http://www.ziplip.com/
>>
>> It's a variation on Hushmail but uses private keys - you have to agree
>> on a key with the recipient. It has a "hint" feature so you can send
>> messages without arranging a password (eg. "Where we had lunch last
>> week....").
>
>Passwords are limited to 15 characters, the Web site doesn't explain
>what algorithm they use for encryption, and they display part (not all)
>of the ciphertext when you receive encrypted email. It's in a box,
>with the password dialog on top.  It can be selected and copied
>to the clipboard.
>
>15 characters is enough if and only if you're genuinely random.
>
>Question for the real experts: if ziplip is using one of the well-known
>algorithms, could an attacker do anything useful with a dictionary
>attack on fragmentary ciphertext?  I suspect not, but I wouldn't
>be surprised to learn differently.

First of all, they're not showing you the code, so there's really no good
reason to believe the system is secure. Second, 15 character passwords
indicate they're not even serious about security.



--

John Kennedy



------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Subject: Re: What good is hushmail?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 28 May 1999 10:28:06 GMT

On Thu, 27 May 1999 05:26:43 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:


>
>HushMail still needs to support both applet validation and end-to-end
>key validation, but it is supposedly a beta, so these things could yet
>happen.  It is disturbing to see that they are not joining in the
>discussion of these serious issues, but that could change too.  

Yeah, that would be a very good sign.

>The basic idea of good end-to-end security independent of whatever is
>in between seems almost within their grasp, but it still needs to be
>completed to deliver on the promise.  Maybe that will never happen.
>Maybe somebody else will take their idea and do it right.  

I assume someone will, very soon.


--

John Kennedy



------------------------------

From: "Guglielmo Morgari" <[EMAIL PROTECTED]>
Subject: Re: block ciphers vs stream ciphers
Date: Fri, 28 May 1999 13:19:12 +0200

Bruce Schneier wrote:
>It's both historic and cultural.  If you look at the
>early literature on symmetric ciphers, people who
>liked block ciphers tended to propose concrete
>designs--DES, Khufu, FEAL--while people who liked
>stream ciphers tended to propose more abstract
>theories.
I agree. I think the reason is that stream ciphers
are often much simpler to treat in an abstract way
(especially those based on linear feedback shift registers,
since LFSRs are well understood and there exists a very
elegant theory for them), whereas it seems to be
hard to do the same with block ciphers (at least the
symmetric ones).
Guglielmo



------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Subject: Re: What good is hushmail?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 28 May 1999 11:23:47 GMT

On Fri, 28 May 1999 02:06:38 GMT, [EMAIL PROTECTED] wrote:

>On Thu, 27 May 1999 12:02:02 GMT, [EMAIL PROTECTED]
>(John Kennedy) wrote:
>
>>
>>
>>In principle on a hushmail type system you can validate that the code
>>running on your machine is secure and you can validate your target's
>>key.  If you validate those Big Brother can't read your mail at the
>>redirected site without cracking strong crypto.
>
>The point is that in its current instantiation hushmail provides no
>support for such local validation, and it is unclear how it would even
>work. The problem really is nontrivial. 

Well I don't see that it can work with zero persistent client-side
data and/or software, which was apparently the goal, but I think it is
not terribly hairy to implement with a very small client side
footprint.


--

John Kennedy



------------------------------

From: [EMAIL PROTECTED] (D. J. Bernstein)
Subject: Re: IEEE floating-point arithmetic and cryptography
Date: 28 May 1999 10:45:28 GMT

David A Molnar  <[EMAIL PROTECTED]> wrote:
> Also, what rounding are you counting on -- just round to nearest,
> or do you want one of the other modes as well ?

Nearest +, nearest -, nearest *. It would be convenient to have one
other mode in the final cleanup, but switching modes is absurdly slow on
popular computers.

> What happens if an implementation is almost compliant?

It's hard to imagine how anyone could screw up these operations, if
(unlike Cray) they're actually trying to implement them. We're not
talking about complicated concepts like division.

---Dan

------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Subject: Re: Scramdisk cracked
Reply-To: [EMAIL PROTECTED]
Date: Fri, 28 May 1999 11:28:02 GMT

On Fri, 28 May 1999 11:22:11 +0000, "Tomas FRYDRYCH"
<Use-Author-Address-Header@[127.1]> wrote:

>
>I do not seem to be able to locate the posting to which Jennifer 
>refers and I would like to form my own judgement on the matter; 
>where should I look for it?
>
>If the person indeed used a 7 character passphrase, then I am 
>inclined to agree with Jennifer's judgement ... but even if you know 
>that the passphrase contains 7 characters, bruteforcing Scramdisk 
>would be a lengthy undertaking, since with SD you do not know 
>what cipher was used until you have the correct passphrase, 
>having to test each of the 10 ciphers it implements. Unfortunately, 
>chances are that a person who would decide to use a 7 char 
>passphrase would also limit themselves to the lower-case alphabet, 
>thus reducing the effective size of the phrase to 35 bits.

And such a person would probably use a password that would be cracked
by a dictionary attack in a second or two.


--

John Kennedy



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Oriental Language Based Encryption
Date: Fri, 28 May 1999 13:05:39 +0200

Patrick Juola wrote:
> 
> And unfortunately, the unrealism is exactly the assumption whose
> negation I rely upon in order to break the system.
> 
> The statistics of word frequency are rather well understood as a
> general model for all languages -- you can look it up under the
> keywords "Zipf's Law," after George K. Zipf who first identified
> the distribution (in English).   In any realistic example, most
> reasonably-large sized samples of text will follow a Zipf distribution
> reasonably closely in terms of word frequency.  This also means that
> your telegraph-code numbers will *also* follow a Zipf curve fairly
> closely, and I can use the match between the telegraph code and the
> actual words of Chinese to discover and refine which (high frequency)
> words are assigned to which numbers.
> 
> So you are correct that you will by this method be hiding letter frequency
> information -- but you will be preserving the strongly informative
> *word* frequency information.  And in the hands of a competent linguist,
> this is just as revealing, perhaps more so.

In a previous follow-up I mentioned that one should do a bit of
scrambling of the digits. That means the 4-digit group encoding a 
word is disrupted. Further note that the assignment of the 4-digit 
number to a word is simply in the order of the dictionary (the code
book). So statistics of the words don't provide you many exploitable
clues even without the scrambling. (Of course, without
scrambling you can directly decode with the code book. But this is
not the point here.) There is no linguistic connection between a
word and the number assigned to it. Doing a rather simple permutation, 
say on every 1 K of digits from the public code book, would result in 
a mess of digits which should cause heavy headaches for the analyst.
(I am not claiming any very high security, only that the methods 
utilizing frequency distributions are unlikely to work well if such
public (non-secret) codebooks are used.)

M. K. Shen
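An added example, not code from anyone in the thread: it encodes a constructed English sample with a dictionary-order 4-digit codebook, counts aligned 4-digit groups (the word-frequency view Patrick Juola describes), then applies the fixed block permutation M. K. Shen suggests and counts again. The codebook offset 2930, the block size 8 and the permutation are constructed stand-ins for a larger codebook and the 1 K blocks described.

```python
from collections import Counter

# Constructed sample: English words stand in for the Chinese word stream;
# "the" plays the high-frequency word that Zipf's law predicts.
SAMPLE_TEXT = "the dog saw the cat the cat saw the dog the end"
CODEBOOK_BASE = 2930   # constructed: pretend these words sit here in a big codebook
PERM = [7, 0, 5, 2, 3, 6, 1, 4]   # constructed secret permutation of one 8-digit block


def build_codebook(text):
    """Public codebook: 4-digit numbers assigned in dictionary (sorted) order."""
    vocab = sorted(set(text.split()))
    return {w: f"{CODEBOOK_BASE + i:04d}" for i, w in enumerate(vocab)}


def encode(text, codebook):
    return "".join(codebook[w] for w in text.split())


def group_frequency(digits, n=1):
    """Histogram of aligned 4-digit groups: with an unscrambled codebook the top
    group is simply the code of the most frequent word."""
    usable = len(digits) - len(digits) % 4
    groups = [digits[i:i + 4] for i in range(0, usable, 4)]
    return Counter(groups).most_common(n)


def scramble(digits, perm=PERM):
    """Shen's scrambling: apply a fixed permutation to every full block of digits.
    A trailing partial block is left untouched."""
    out = []
    full = len(digits) - len(digits) % len(perm)
    for start in range(0, full, len(perm)):
        block = digits[start:start + len(perm)]
        out.append("".join(block[p] for p in perm))
    out.append(digits[full:])
    return "".join(out)


def unscramble(digits, perm=PERM):
    """Invert the permutation so the recipient gets the codebook digits back."""
    inverse = [0] * len(perm)
    for i, p in enumerate(perm):
        inverse[p] = i
    return scramble(digits, inverse)


def demo():
    """Top aligned group before and after scrambling, plus a round-trip check."""
    codebook = build_codebook(SAMPLE_TEXT)
    plain = encode(SAMPLE_TEXT, codebook)
    mixed = scramble(plain)
    return {
        "code_for_the": codebook["the"],
        "plain_top": group_frequency(plain)[0],
        "scrambled_top": group_frequency(mixed)[0],
        "roundtrip": unscramble(mixed) == plain,
    }
```

In the plain stream the top group is the code for "the" with its full count; after the block permutation the count is split between groups built from digits of neighbouring words, which shows what a fixed permutation does and does not hide.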

------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: What good is hushmail?
Date: Fri, 28 May 1999 10:25:11 -0100



[EMAIL PROTECTED] wrote:
> 
> The point is that in its current instantiation hushmail provides no
> support for such local validation, and it is unclear how it would even
> work.

The applet is signed and checksummed. Java *could* check these things
before running the applet, refusing to run if the applet's signature
didn't match the one you've got on your hard disk.


> The problem really is nontrivial.

The infrastructure is already there, it just needs implementation.


-- 
<\___/>
/ O O \
\_____/  FTB.
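The local check fungus describes (compare the fetched applet against the copy pinned on your own disk) and the "very small client side footprint" John Kennedy mentions, as an added example in Python rather than code from HushMail or anyone in the thread: the fingerprint of the fetched applet bytes is pinned on first use in a small local file and every later fetch is compared against that pin before anything runs. The origin URL, the pin file name and the applet bytes are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-ins for the downloaded applet bytes (a class file or JAR).
APPLET_V1 = b"constructed applet bytes, version 1"
APPLET_V2 = b"constructed applet bytes, version 2 (silently changed on the server)"


def fingerprint(data: bytes) -> str:
    """Hex SHA-256 of the applet bytes: the value a user could also compare
    against a fingerprint published through another channel."""
    return hashlib.sha256(data).hexdigest()


def validate_applet(origin: str, data: bytes, pin_path: str) -> str:
    """Trust-on-first-use pin check. Returns one of:
    'pinned'   - origin not seen before; fingerprint stored, user should verify it
    'match'    - bytes match the stored pin; safe to run
    'mismatch' - bytes differ from the stored pin; refuse to run
    """
    pins = {}
    if os.path.exists(pin_path):
        with open(pin_path) as f:
            pins = json.load(f)
    fp = fingerprint(data)
    stored = pins.get(origin)
    if stored is None:
        pins[origin] = fp
        with open(pin_path, "w") as f:
            json.dump(pins, f)
        return "pinned"
    # Constant-time comparison; a mismatch means the applet changed since pinning.
    return "match" if hmac.compare_digest(stored, fp) else "mismatch"


def demo() -> list:
    """First fetch pins, an identical fetch matches, a changed applet is refused."""
    with tempfile.TemporaryDirectory() as d:
        pin_path = os.path.join(d, "applet_pins.json")   # the small local footprint
        origin = "https://example.invalid/applet"         # placeholder origin
        return [
            validate_applet(origin, APPLET_V1, pin_path),
            validate_applet(origin, APPLET_V1, pin_path),
            validate_applet(origin, APPLET_V2, pin_path),
        ]
```

A pin only protects against changes after first use; the first fetch still has to be checked out of band, which is the fingerprint comparison the thread keeps coming back to.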

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Fri, 28 May 1999 11:55:32 GMT


> >A one time pad has a key which is as big as the message. If you
> >can securely transmit the key to the other party then you obviously
> >don't need cryptography - you could just send the message by the
> >same route.
>
> Nope. You may pass the pad through a window that may not even exist at
> the time you need a message transmitted.

No, you are wrong.  The OTP gets its security because the key is truly
random.  If the key is shorter than the message it cannot be truly
random.  Say you have a repeating 64 byte key; then you can easily break
the message.

There is no documentation saying how OPL works so I would not buy or
use it.

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (Nick Barron)
Subject: Re: Any way to decrypt .PWL windows password files?
Date: Fri, 28 May 1999 12:23:02 GMT

On Thu, 27 May 1999 20:52:34 GMT, Claude Martel
<[EMAIL PROTECTED]> wrote:

>Greetings,
>
>My friend, who is kind of lost sometimes, changed his password lately
>and is unable to remember it. I fixed it easily by bypassing the loosy
>win95 security and replacing his pwl file, but I was wondering if there
>is a way/program to decrypt the PWL file?

There is indeed. Have a look at Peter Gutmann's home page
http://www.cs.auckland.ac.nz/~pgut001/ under "Analysis of security
weaknesses" and you'll find several items.

------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: What good is hushmail?
Date: Fri, 28 May 1999 10:33:27 -0100



John Kennedy wrote:
> 
> On Thu, 27 May 1999 05:26:43 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
> 
> >
> >HushMail still needs to support both applet validation and end-to-end
> >key validation, but it is supposedly a beta, so these things could yet
> >happen.  It is disturbing to see that they are not joining in the
> >discussion of these serious issues, but that could change too.
> 
> Yeah, that would be a very good sign.
> 

The problem is that they've had to limit themselves to current
web browsers using Java 1.1. This ties their hands a little bit
as they have no access to the local machine for storage.

They could definitely make the key fingerprints more visible
though, and explain to people that for important messages people
should compare fingerprints via another channel.


-- 
<\___/>
/ O O \
\_____/  FTB.

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER  Tirade
Date: 28 May 1999 08:53:55 -0400

In article <7il5gs$2lk0$[EMAIL PROTECTED]>,
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>>The BRUCE SCHNEIER  Tirade
>>
>>
>>
>>BRUCE SCHNEIER is president of Counterpane Systems and says:
>>
>>"One-time pads don't make sense for mass-market encryption products.
>>They may work in pencil-and-paper spy scenarios, they may work on the
>>U.S.-Russia teletype hotline, but they don't work for you.  Most
>>companies that claim they have a one-time pad actually do not.  They
>>have something they think is a one-time pad.  A true one-time pad is
>>provably secure (against certain attacks), but is also unusable.
>>
>
> Actually Bruce likes to attack new commers.

Actually, Bruce is very supportive of "new commers"[sic].  (I feel I can
speak to this as I was one of Chris Hall's teachers.)   Unfortunately
from the point of view of the newcomers, he knows substantially more than
they do.  Depending on how secure your ego is, you can either view
this as a chance to learn or a chance to post rubbish.  Your call.

        -kitten

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER  Tirade
Date: 28 May 1999 08:56:31 -0400

In article <[EMAIL PROTECTED]>,
John Kennedy <[EMAIL PROTECTED]> wrote:
>On Thu, 27 May 1999 22:49:34 -0400, "Brian Hetrick"
><[EMAIL PROTECTED]> wrote:
>
>>Well, I'm not Bruce Schneier, but OTP systems are unusable in practice
>>because the key size must be the same as the message size -- otherwise
>>it's not an OTP -- and distributing the key requires a secure channel.
>>Since you can securely distribute the key, it makes sense to use the
>>same channel to securely distribute the message, and not bother with a
>>key.  (Actually, there is a time dependency in there.  It is possible
>>that the secure channel existed in the past, but not right at the
>>moment; in that case, and in that case _alone_, it makes sense to use
>>an OTP.)
>>
>
>
>Which is why one time pads have been, and presumably still are used.
>
>Which is why I was puzzled by the comment attributed to Schneier that
>they are unusable.
>
>Yes, I understand that they are no replacement for public key
>cryptography, but in the right situation they are possibly superior if
>provably secure.


But said right situation appears so infrequently as to be a practical
definition of useless.  I'm more likely to need a triphibious automobile
than an OTP.

        -kitten

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Stream Cipher using LFSRs
Date: Fri, 28 May 1999 12:14:51 GMT


> > For example two 8-bit values are multiplied and the output is the
> > remainder divided by 257 (ab mod 257).
>
> So what is the difficult problem here?

Well the actual equation is

y = ((a + 1)(b + 1) mod p) - 1

Where a and b are generated by the unknown LFSRs and p is a prime (257
or 65537).  Since the equation is independent of a *or* b (not both)
they cannot be determined from the output.

For example (illustrative) if I gave you 'y=12' find the 'a' and 'b' I
used in less than 128 guesses (in fact I will not tell you when you get
it right.)  The only way I see to crack it is to guess the entire LFSR
and see if the second LFSR will produce the expected output.

Would you like a copy of the .txt file?  My FTP is down (passwd is
messed up).  It's really short but documents the algorithm and how I
think one would break it.

This algorithm is of mere interest only, it would fly in hardware as
well.

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
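The combiner in the post, as an added example that is not Tom's own code: two constructed Fibonacci LFSRs feed the ((a + 1)(b + 1) mod 257) - 1 step, `preimages` counts the (a, b) pairs behind a single output such as y = 12, and `solve_b` shows that once one LFSR's output is known the other's follows by a modular inverse, which is exactly the consistency check the post's own "guess the entire LFSR" approach relies on. Seeds and tap positions are constructed and not claimed to be maximal-length.

```python
# Combiner from the post: y = ((a + 1)(b + 1) mod p) - 1, with a and b 8-bit
# LFSR outputs and p = 257 (p = 65537 would pair with 16-bit outputs).
P = 257


def combine(a, b, p=P):
    return ((a + 1) * (b + 1) % p) - 1


def preimages(y, p=P):
    """Every (a, b) pair in 0..p-2 that produces y. Because (a + 1) is invertible
    mod a prime, each a gives exactly one b, so the count is p - 1 = 256 here."""
    return [(a, b) for a in range(p - 1) for b in range(p - 1) if combine(a, b, p) == y]


def solve_b(y, a, p=P):
    """Given y and a, b is fixed: (b + 1) = (y + 1) * (a + 1)^-1 mod p."""
    return (y + 1) * pow(a + 1, -1, p) % p - 1


class LFSR:
    """Fibonacci LFSR over GF(2): the low bit is output, the XOR of the tap bits
    is shifted in at the top. Seeds and taps are constructed for illustration."""

    def __init__(self, seed, taps, nbits=16):
        if seed == 0 or seed >> nbits:
            raise ValueError("seed must be nonzero and fit in nbits")
        self.state, self.taps, self.nbits = seed, taps, nbits

    def step(self):
        out = self.state & 1
        fb = 0
        for t in self.taps:
            fb ^= (self.state >> t) & 1
        self.state = (self.state >> 1) | (fb << (self.nbits - 1))
        return out

    def byte(self):
        v = 0
        for _ in range(8):
            v = (v << 1) | self.step()
        return v


def streams(seed_a, seed_b, n):
    """n bytes from each LFSR plus the combined keystream: (a_bytes, b_bytes, ys)."""
    la, lb = LFSR(seed_a, [0, 2, 3, 5]), LFSR(seed_b, [0, 1, 3, 12])
    a_bytes = [la.byte() for _ in range(n)]
    b_bytes = [lb.byte() for _ in range(n)]
    ys = [combine(a, b) for a, b in zip(a_bytes, b_bytes)]
    return a_bytes, b_bytes, ys


def recover_b_stream(ys, a_bytes):
    """With the keystream and one LFSR's output in hand, the other is determined,
    so the combiner alone hides a and b only while both stay unknown."""
    return [solve_b(y, a) for y, a in zip(ys, a_bytes)]
```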

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
