Cryptography-Digest Digest #644, Volume #9 Thu, 3 Jun 99 10:13:04 EDT
Contents:
Another source of random numbers ([EMAIL PROTECTED])
LFSR based stream cipher (now up) ([EMAIL PROTECTED])
Re: LFSR based stream cipher (now up) ([EMAIL PROTECTED])
Re: Generating Random Numbers ("Andreas / Detlef Stieger")
Re: NSA proves banks use poor crypto (Anssi Bragge)
Re: LFSR based stream cipher (now up) ([EMAIL PROTECTED])
Re: ECM factoring question (Mika R S Kojo)
Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])
Cryptography FAQ (02/10: Net Etiquette) ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Another source of random numbers
Date: Wed, 02 Jun 1999 05:18:05 GMT
Robert Nemiroff and Jerry Bonnell who run the NASA "Astronomy Picture of
the Day" web site ("http://antwrp.gsfc.nasa.gov/apod/astropix.html") have
suggested using the digits of irrational numbers like Pi, e, and the
square root of two, etc., as a source of random numbers. See Bob's page
at "http://antwrp.gsfc.nasa.gov/htmltest/rjn_dig.html" where values of
these numbers are given to several million decimal places.
Is this idea widely known?
Barney
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
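The check a practitioner would run on this proposal, written as an added example that is not from the post or from Bob's page: the digits are generated locally with Machin's formula instead of being fetched from the URL, a chi-square frequency test confirms they look flat, and then a short leaked window of a keystream taken from them recovers the starting offset and everything that follows. A public constant has no secret apart from where you started reading it. The "secret offset" scenario, the window length and the digit count are constructed for the example.

```python
"""Digits of pi as a keystream: statistically flat, yet completely predictable (added example)."""
from collections import Counter


def pi_digits(n):
    """First n decimal digits of pi after the point, as a string, from Machin's formula
    pi = 16*arctan(1/5) - 4*arctan(1/239) in fixed-point integer arithmetic (10 guard digits)."""
    guard = 10
    scale = 10 ** (n + guard)

    def arctan_inv(x):  # arctan(1/x) * scale via the alternating Taylor series
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // k)
            term //= x * x
            k += 2
            sign = -sign
        return total

    pi_scaled = (16 * arctan_inv(5) - 4 * arctan_inv(239)) // 10 ** guard
    return str(pi_scaled)[1:]  # drop the leading 3


def frequency_chi_square(digits):
    """Chi-square statistic of the digit counts against a flat distribution (9 degrees of
    freedom): about 9 for flat data; above 21.7 rejects flatness at the 1% level."""
    counts = Counter(digits)
    expected = len(digits) / 10
    return sum((counts.get(str(d), 0) - expected) ** 2 / expected for d in range(10))


def predict_rest(leaked_window, public_digits, how_many):
    """The attack: a keystream drawn from a public constant has one secret, the offset.
    Locate the leaked window in the published digits and read off what follows.
    Returns (offset, next digits), or None if the window is absent or not unique."""
    first = public_digits.find(leaked_window)
    if first == -1 or public_digits.find(leaked_window, first + 1) != -1:
        return None
    start = first + len(leaked_window)
    return first, public_digits[start:start + how_many]


def demo(total_digits=2000, secret_offset=1234, leak=16):
    """Constructed scenario: a sender keys with pi digits starting at secret_offset, and
    `leak` digits of the keystream become known (for instance through known plaintext).
    Returns the chi-square of the digit source and the attacker's (offset, next 20 digits)."""
    digits = pi_digits(total_digits)
    leaked = digits[secret_offset:secret_offset + leak]
    return frequency_chi_square(digits), predict_rest(leaked, digits, 20)
```

The two numbers demo() returns make the point together: the chi-square is unremarkable, so the digits pass the kind of test that makes them look usable, and the attacker's guess is exact, so they are useless as anything secret. The same applies to e, sqrt(2) and any other published expansion; only the offset would have to be guessed, and a 16-digit window pins it down.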
------------------------------
From: [EMAIL PROTECTED]
Subject: LFSR based stream cipher (now up)
Date: Mon, 31 May 1999 17:07:15 GMT
You can read the mini-paper on my idea at
http://mypage.goplay.com/tomstdenis/scp.txt
or at the website
http://mypage.goplay.com/tomstdenis/index.html
If you have any questions or would like to help (break, analyze or
report) on the algorithm please do so. I am open for ideas/suggestions.
Tom
--
PGP public keys. SPARE key is for daily work, WORK key is for
published work. The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: LFSR based stream cipher (now up)
Date: Mon, 31 May 1999 23:27:43 GMT
<snip>
For once I agree (hoorah). I should have done my homework. David
pointed out some 'features' which will most likely break it. Still I
want to pursue it a bit.
I will try to find linear relations (hmm, well, I have never done this
before). Here is a good question: how does one start to look for
linear relations? Any things that would stick out? David pointed out
that the xor of A/B (the inputs) will produce '1' when the output of
the function is 1. I will check that for other values. Generally I
think it will fall to the same attacks as most 'xor two LFSRs together'
ciphers.
(Lordcow, I wouldn't think my posts are useless, but I agree I should
do more homework before I post).
Tom
------------------------------
From: "Andreas / Detlef Stieger" <[EMAIL PROTECTED]>
Subject: Re: Generating Random Numbers
Date: Thu, 3 Jun 1999 11:13:50 +0200
>I was wondering how to generate random numbers which will be used for
>encryption keys. My main concern is how to generate a random seed which is
>random enough to ensure that the generated bits are indeed random.
>
>Brian
Well, you could let the user type a random piece of text of his own choice,
and you measure the milliseconds between the keystrokes. Using only the last
digit of the time in milliseconds provides quite a lot of random numbers.
The good thing about this is that, even with the same person and the same
text, there will always be a different result.
Andreas
--
Andreas Stieger: mailto:[EMAIL PROTECTED]
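An added example (not Andreas's code) of what a practitioner puts around this measurement: estimate how much entropy the last-digit samples actually carry, refuse to hand out a key until enough has accumulated, and condition the samples through a hash instead of using the digits as key material directly. The keystroke intervals are constructed with a seeded generator as a stand-in for real timings; the coarse-clock case shows the failure mode where a 10 ms timer tick leaves the last digit constant and the "random numbers" carry nothing.

```python
"""Keystroke timing as a seed source: estimate the entropy, then condition it (added example)."""
import hashlib
import math
import random
from collections import Counter


def last_ms_digit(interval_ms):
    """The sample the post proposes: the last decimal digit of an inter-keystroke time in ms."""
    return int(interval_ms) % 10


def min_entropy_bits(samples):
    """Per-sample min-entropy estimate: -log2 of the most frequent symbol's share.
    A flat 10-symbol source gives log2(10) ~ 3.32 bits; anything skewed gives less."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


class TimingPool:
    """Collects last-digit samples and releases a key only once the estimated entropy
    reaches the requested strength. The digits never become the key directly: they are
    conditioned through SHA-256 so that residual structure is spread over the output."""

    def __init__(self, target_bits=128):
        self.target_bits = target_bits
        self.samples = []

    def add_interval(self, interval_ms):
        self.samples.append(last_ms_digit(interval_ms))

    def estimated_bits(self):
        if len(self.samples) < 20:
            return 0.0  # too few samples to say anything about the distribution
        return min_entropy_bits(self.samples) * len(self.samples)

    def derive_key(self):
        got = self.estimated_bits()
        if got < self.target_bits:
            raise ValueError("only %.1f estimated bits, need %d" % (got, self.target_bits))
        return hashlib.sha256(b"keystroke-timing-v1" + bytes(self.samples)).digest()


def simulate_intervals(count, tick_ms, seed=0):
    """Constructed stand-in for measured keystroke intervals (not real data): human-like
    jitter around 150 ms, quantised to the clock's tick. tick_ms=1 models a millisecond
    clock; tick_ms=10 models a coarse timer that makes every last digit zero."""
    rng = random.Random(seed)
    return [round(rng.gauss(150, 40) / tick_ms) * tick_ms for _ in range(count)]


def key_from_typing(count, tick_ms, seed=0, target_bits=128):
    """End to end: feed simulated intervals into a pool and try to derive a key.
    Returns the key bytes, or None when the pool refuses for lack of entropy."""
    pool = TimingPool(target_bits)
    for interval in simulate_intervals(count, tick_ms, seed):
        pool.add_interval(interval)
    try:
        return pool.derive_key()
    except ValueError:
        return None
```

With a millisecond clock, 200 keystrokes comfortably exceed 128 estimated bits and key_from_typing returns a 32-byte key; with a 10 ms tick every sample is 0, the estimate is 0 bits, and the pool refuses. The min-entropy estimate assumes independent samples, which real typing is not (rhythm and key-pair habits correlate neighbouring intervals), so treat it as an upper bound and collect more than it asks for.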
------------------------------
From: Anssi Bragge <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: NSA proves banks use poor crypto
Date: 03 Jun 1999 13:13:04 +0200
Ronald Benedik <[EMAIL PROTECTED]> writes:
> I don't know of any bank outside the U.S. implementing more than the
> standard (I guess 56-bit) banking encryption. At least not in Austria.
I know several banks using 128-bit encryption in web banking,
which happens to be allowed for banks now. This is the case at least in
Finland and in Switzerland. What differs is whether the customer side
supports 128 bits. Fortify etc. enable that, as does using a true
128-bit capable browser.
These statements are personal, and have nothing to do with my employer.
abe
--
Anssi Bragge
UBS AG http://www.ubs.com/
Bahnhofstrasse 45, CH-8045 Zuerich, Switzerland
Tel: +41 1 236 0485 / Fax: +41-1-236 41 41 / GSM: +41-76-388 7722
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: LFSR based stream cipher (now up)
Date: Mon, 31 May 1999 19:23:08 GMT
In article <7iufk3$ikf$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> You can read the mini-paper on my idea at
>
> http://mypage.goplay.com/tomstdenis/scp.txt
>
> or at the website
>
> http://mypage.goplay.com/tomstdenis/index.html
>
> If you have any questions or would like to help (break, analyze or
> report) on the algorithm please do so. I am open for
ideas/suggestions.
>
> Tom
Why do you insist on posting these atrocious algorithms when you ignore
suggestions already given for attacking them? David Wagner has proposed
an attack on your "Secure Communication Protocal [sic]" that works with a
minimal amount of known plaintext. He concludes his post with a
worthwhile assignment: to search for the value of z that has the
highest linear bias in the associated (x,y) pairs.
Instead of wasting your time with an endless series of proposals, pick
one of them and seriously examine it. If you need help about
cryptanalysis, ask a clear, precise question and we would be happy to
help you. Asking people to spend time attacking your cipher and then
ignoring them is not a good way to learn more.
Responding to your reply in the original thread:
<[EMAIL PROTECTED]> said:
> Naively I would say z=xy ( 0 < x < 257 ), (0 < y < 257) with a prob of
> 1/256.
>
> Sorry about the double posting.
>
A consistent trend in your posts is your belief that "because 'a' and
'b' are both compressed into 'y' while giving no information to the
contents of either variable" (from your web page). This is untrue; for
example, any decent classical cryptographer can easily recover both A
and B given A+B, assuming that A and B have a decent amount of
structure. In the case of recovering the contents of LFSRs, it is not
necessary to even know the entire output of either stream.
Your naive guess is wrong. You are looking for a specific value of z
and a set of values for x and y. For example, for z=13, 140 (x,y) pairs
will have a parity of 0 and 116 (x,y) pairs will have a parity of 1.
Try finding the value of z with the highest bias.
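The assignment at the end of this post as a small tool, added here and not part of the thread or of scp.txt: for every output value z of a combiner, count the parity of x XOR y over the (x, y) pairs that produce it, and report the z with the largest imbalance. Since scp.txt is not reproduced here, the combiner used (multiplication mod 257 over 1..256, following the "z = xy" guess quoted above) and the choice of the parity of x XOR y as the linear relation are assumptions; substitute the real combiner and the linear relation David Wagner actually used to reproduce the kind of 140/116 split quoted for z = 13.

```python
"""Scan a combiner z = f(x, y) for the output value with the largest linear bias (added example)."""


def mul_mod_257(x, y):
    """Assumed combiner, matching the 'z = xy, 0 < x, y < 257' guess in the thread:
    multiplication of nonzero residues mod 257. Not taken from scp.txt."""
    return x * y % 257


def parity(v):
    """Parity of the bits of v: 0 for an even number of set bits, 1 for odd."""
    return bin(v).count("1") & 1


def bias_table(f, domain=range(1, 257)):
    """For every output z, count the (x, y) pairs with f(x, y) == z whose x XOR y has
    even parity and those whose x XOR y has odd parity. Returns {z: (even, odd)}."""
    table = {}
    for x in domain:
        for y in domain:
            z = f(x, y)
            even, odd = table.get(z, (0, 0))
            if parity(x ^ y):
                odd += 1
            else:
                even += 1
            table[z] = (even, odd)
    return table


def best_bias(table):
    """Bias of a z value is |even - odd| / (2 * total): 0 means balanced, 1/2 means the
    parity of x XOR y is determined by z alone. Returns (z, bias) for the worst z."""
    best_z, best = None, -1.0
    for z, (even, odd) in table.items():
        b = abs(even - odd) / (2 * (even + odd))
        if b > best:
            best_z, best = z, b
    return best_z, best


def report(f, domain=range(1, 257), top=5):
    """Convenience: the `top` most biased z values as (z, even, odd, bias), worst first."""
    rows = []
    for z, (even, odd) in bias_table(f, domain).items():
        rows.append((z, even, odd, abs(even - odd) / (2 * (even + odd))))
    rows.sort(key=lambda r: -r[3])
    return rows[:top]
```

A z value with a large bias gives an attacker who sees that z in the keystream a better-than-even guess at one linear relation between the two LFSR states, and every such relation is one more equation in a known-plaintext attack on the registers. The test case with f = x XOR y is the extreme: there every z has bias 1/2, because the parity of x XOR y is simply the parity of z.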
------------------------------
From: Mika R S Kojo <[EMAIL PROTECTED]>
Subject: Re: ECM factoring question
Date: 03 Jun 1999 14:51:34 +0300
[EMAIL PROTECTED] (Logic) writes:
> I suppose there are times we would not want to do this, in which case we could
> use the traditional sequence. But in the right circumstances, could this
> sequence be faster/simpler?
You may manipulate the sequence in any way you wish. If I understood
your suggestion, you just try to compute eP for large non-prime e in
order to speed up the computation. The issue here is to compute eP such
that gcd(e,#E_p) != 1 for p | n, and you are trying to factor n. By
using all primes under a certain bound B you can hence, for example,
compute (B!)P and hope for the wanted effect. (Here ! denotes the
factorial, as usual.) Most of the problems are in choosing a good
point P and an elliptic curve E, although good solutions also exist.
There are several optimizations for ECM, but one of the simplest that
works with Weierstrass curves is the trick by Peter Montgomery. Simply
take a bunch of curves and run them all at the same time. Write the
addition routine so that for all n curves you need only one
multiplicative inverse.
Furthermore many nice details of ECM are described in Montgomery's online
dissertation (and other papers). See
ftp://ftp.cwi.nl/pub/pmontgom/
Mika Kojo
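Stage 1 of ECM with Montgomery's batched inversion, written as an added example (not Mika's code and not Montgomery's): all curves advance in lockstep through one double-and-add scalar multiplication by k, the product of the prime powers up to B1 (the useful part of the (B!)P idea, without the repeated factors), and each step inverts the slope denominators of every curve with a single modular inverse. A gcd that turns up inside the batch inversion is the factor. The modulus, the bound and the seeded curve choice are constructed for the example.

```python
"""ECM stage 1 with Montgomery's batched inversion across many curves (added example)."""
from math import gcd
import random


def primes_up_to(limit):
    """Sieve of Eratosthenes; returns the primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, flag in enumerate(sieve) if flag]


def batch_inverse(values, n):
    """Montgomery's trick: invert every value mod n with a single modular inverse.
    Returns (inverses, None), or (None, g) with 1 < g < n when some value shares a
    factor with n, which is exactly the event ECM is waiting for.
    The caller guarantees that no value is 0 mod n."""
    prefix = [1]
    for v in values:
        prefix.append(prefix[-1] * v % n)
    if gcd(prefix[-1], n) != 1:
        for v in values:
            g = gcd(v, n)
            if 1 < g < n:
                return None, g
    inv = pow(prefix[-1], -1, n)
    inverses = [0] * len(values)
    for i in range(len(values) - 1, -1, -1):
        inverses[i] = inv * prefix[i] % n
        inv = inv * values[i] % n
    return inverses, None


def make_curves(n, count, seed=0):
    """Curves y^2 = x^3 + a x + b (mod n) with a known point P = (x, y): choose a, x, y
    at random and let b be implied (the group law never needs b). Seeded for reproducibility."""
    rng = random.Random(seed)
    return [(rng.randrange(1, n), rng.randrange(1, n), rng.randrange(1, n)) for _ in range(count)]


def batch_step(n, curves, acc, active, double):
    """One group operation on every active curve: acc <- 2*acc (double=True) or
    acc <- acc + P (double=False). The slope denominators of all curves are inverted
    together, so the whole batch costs one modular inversion."""
    nums, dens, keep = [], [], []
    for i in active:
        a, px, py = curves[i]
        x1, y1 = acc[i]
        if double:
            num, den = (3 * x1 * x1 + a) % n, 2 * y1 % n
        else:
            num, den = (py - y1) % n, (px - x1) % n
        if den == 0:
            continue  # infinity mod every prime of n at once: this curve is useless
        nums.append(num)
        dens.append(den)
        keep.append(i)
    invs, factor = batch_inverse(dens, n)
    if factor is not None:
        return acc, keep, factor
    for i, num, inv in zip(keep, nums, invs):
        a, px, py = curves[i]
        x1, y1 = acc[i]
        lam = num * inv % n
        x3 = (lam * lam - 2 * x1) % n if double else (lam * lam - x1 - px) % n
        acc[i] = (x3, (lam * (x1 - x3) - y1) % n)
    return acc, keep, None


def ecm_stage1(n, curves, B1):
    """Compute k*P on all curves in lockstep, k = product of the prime powers <= B1.
    Returns a nontrivial factor of n, or None if every curve ran out without one."""
    k = 1
    for p in primes_up_to(B1):
        pe = p
        while pe * p <= B1:
            pe *= p
        k *= pe
    acc = [(x, y) for (_, x, y) in curves]  # the accumulator starts as P itself
    active = list(range(len(curves)))
    for bit in bin(k)[3:]:  # left-to-right double-and-add over the bits below the top one
        acc, active, factor = batch_step(n, curves, acc, active, True)
        if factor is None and bit == "1":
            acc, active, factor = batch_step(n, curves, acc, active, False)
        if factor is not None:
            return factor
        if not active:
            return None
    return None
```

Usage: ecm_stage1(1009 * 1013, make_curves(1009 * 1013, 25, seed=1), B1=300) returns one of the two prime factors. Affine Weierstrass arithmetic is used deliberately, because that is the form in which the one-inverse-per-batch trick pays off; with projective coordinates there would be no inversion to amortise, and the factor would instead appear in a final gcd of the Z coordinates. A curve whose denominator vanishes mod n outright (both prime factors hit the group order at the same step) is dropped rather than reported, since that gcd would be n itself.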
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (01/10: Overview)
Date: 3 Jun 1999 14:07:46 GMT
Reply-To: [EMAIL PROTECTED]
Archive-name: cryptography-faq/part01
Version: 1.0
Last-modified: 94/01/11
This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.
Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.
If you have suggestions, comments, or criticism, please let the current
editors know by sending e-mail to [EMAIL PROTECTED]. Bear in
mind that this is a work in progress; there are some questions which we
should add but haven't gotten around to yet. In making comments on
additions it is most helpful if you are as specific as possible and
ideally even provide the actual exact text.
Archives: sci.crypt has been archived since October 1991 on
ripem.msu.edu, though these archives are available only to U.S. and
Canadian users. Another site is rpub.cl.msu.edu in /pub/crypt/sci.crypt/
from Jan 1992. Please contact [EMAIL PROTECTED] if you know of
other archives.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
The fields `Last-modified' and `Version' at the top of each part track
revisions.
Table of Contents
=================
1. Overview
2. Net Etiquette
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?
3. Basic Cryptology
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
3.2. What references can I start with to learn cryptology?
3.3. How does one go about cryptanalysis?
3.4. What is a brute-force search and what is its cryptographic relevance?
3.5. What are some properties satisfied by every strong cryptosystem?
3.6. If a cryptosystem is theoretically unbreakable, then is it
guaranteed analysis-proof in practice?
3.7. Why are many people still using cryptosystems that are
relatively easy to break?
3.8. What are the basic types of cryptanalytic `attacks'?
4. Mathematical Cryptology
4.1. In mathematical terms, what is a private-key cryptosystem?
4.2. What is an attack?
4.3. What's the advantage of formulating all this mathematically?
4.4. Why is the one-time pad secure?
4.5. What's a ciphertext-only attack?
4.6. What's a known-plaintext attack?
4.7. What's a chosen-plaintext attack?
4.8. In mathematical terms, what can you say about brute-force attacks?
4.9. What's a key-guessing attack? What's entropy?
5. Product Ciphers
5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, and OFB encryption?
6. Public-Key Cryptography
6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'
7. Digital Signatures
7.1. What is a one-way hash function?
7.2. What is the difference between public, private, secret, shared, etc.?
7.3. What are MD4 and MD5?
7.4. What is Snefru?
8. Technical Miscellany
8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?
9. Other Miscellany
9.1. What is the National Security Agency (NSA)?
9.2. What are the US export regulations?
9.3. What is TEMPEST?
9.4. What are the Beale Ciphers, and are they a hoax?
9.5. What is the American Cryptogram Association, and how do I get in touch?
9.6. Is RSA patented?
9.7. What about the Voynich manuscript?
10. References
10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (02/10: Net Etiquette)
Date: 3 Jun 1999 14:07:53 GMT
Reply-To: [EMAIL PROTECTED]
Archive-name: cryptography-faq/part02
Last-modified: 94/06/13
This is the second of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
Contents:
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
Read news.announce.newusers and news.answers for a few weeks. Always
make sure to read a newsgroup for some time before you post to it.
You'll be amazed how often the same question can be asked in the same
newsgroup. After a month you'll have a much better sense of what the
readers want to see.
2.2. Do political discussions belong in sci.crypt?
No. In fact some newsgroups (notably misc.legal.computing) were
created exactly so that political questions like ``Should RSA be
patented?'' don't get in the way of technical discussions. Many
sci.crypt readers also read misc.legal.computing, comp.org.eff.talk,
comp.patents, sci.math, comp.compression, talk.politics.crypto,
et al.; for the benefit of people who don't care about those other
topics, try to put your postings in the right group.
Questions about microfilm and smuggling and other non-cryptographic
``spy stuff'' don't belong in sci.crypt either.
2.3. How do I present a new encryption scheme in sci.crypt?
``I just came up with this neat method of encryption. Here's some
ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
doubt questions like this are the most annoying traffic on sci.crypt.
If you have come up with an encryption scheme, providing some
ciphertext from it is not adequate. Nobody has ever been impressed by
random gibberish. Any new algorithm should be secure even if the
opponent knows the full algorithm (including how any message key is
distributed) and only the private key is kept secret. There are some
systematic and unsystematic ways to take reasonably long ciphertexts
and decrypt them even without prior knowledge of the algorithm, but
this is a time-consuming and possibly fruitless exercise which most
sci.crypt readers won't bother with.
So what do you do if you have a new encryption scheme? First of all,
find out if it's really new. Look through this FAQ for references and
related methods. Familiarize yourself with the literature and the
introductory textbooks.
When you can appreciate how your cryptosystem fits into the world at
large, try to break it yourself! You shouldn't waste the time of tens
of thousands of readers asking a question which you could have easily
answered on your own.
If you really think your system is secure, and you want to get some
reassurance from experts, you might try posting full details of your
system, including working code and a solid theoretical explanation, to
sci.crypt. (Keep in mind that the export of cryptography is regulated
in some areas.)
If you're lucky an expert might take some interest in what you posted.
You can encourage this by offering cash rewards---for instance, noted
cryptographer Ralph Merkle is offering $1000 to anyone who can break
Snefru-4---but there are no guarantees. If you don't have enough
experience, then most likely any experts who look at your system will
be able to find a flaw. If this happens, it's your responsibility to
consider the flaw and learn from it, rather than just add one more
layer of complication and come back for another round.
A different way to get your cryptosystem reviewed is to have the NSA
look at it. A full discussion of this procedure is outside the scope
of this FAQ.
Among professionals, a common rule of thumb is that if you want to
design a cryptosystem, you have to have experience as a cryptanalyst.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************