Cryptography-Digest Digest #679, Volume #9 Tue, 8 Jun 99 19:13:02 EDT
Contents:
Re: DES ([EMAIL PROTECTED])
Re: DES ([EMAIL PROTECTED])
Re: random numbers in ml (John Curtis)
Re: Security ([EMAIL PROTECTED])
Re: Security ([EMAIL PROTECTED])
Re: DES ([EMAIL PROTECTED])
Re: being burnt by the NSA ([EMAIL PROTECTED])
Re: rev 0.9 ppdd - encryption for Linux - available (Paul Rubin)
Re: Looking for a password encryption algorithm (Paul Koning)
Re: DES (John Savard)
Re: DES ([EMAIL PROTECTED])
Re: DES ([EMAIL PROTECTED])
Re: DES ([EMAIL PROTECTED])
Re: Scottu: I actually saw something usefull ([EMAIL PROTECTED])
Re: DES ([EMAIL PROTECTED])
Re: What good is hushmail? ([EMAIL PROTECTED])
Some Papers (I have collected) ([EMAIL PROTECTED])
Re: tomstdenis' simple.c ([EMAIL PROTECTED])
Re: KRYPTOS (Jim Gillogly)
Re: being burnt by the NSA (STL137)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES
Date: Tue, 08 Jun 1999 18:58:55 GMT
> I've always wondered, why not just have completely
> independent keys for each round of DES?
>
> wouldn't that be better compared to using the
> same key and shifting it around every round?
>
> bigger key => stronger encryption
>
> yes?
This would require 768 key bits, and I think it only deters the attacks
a little. However I wouldn't really use DES myself... :)
Tom
--
PGP public keys. SPARE key is for daily work, WORK key is for
published work. The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES
Date: Tue, 08 Jun 1999 18:54:16 GMT
> Key-dependent S-boxes _are_ stronger, in general.
No they are not. Large random sboxes are strong, small ones are not.
It has been proven that random sboxes in DES are no stronger (in fact I
think Biham proved they are weaker) than the fixed ones.
In smaller sboxes you normally can perform some sort of partition
attack on the output. In Blowfish however the sbox entries affect the
entire word so they are not local and cannot be attacked that way (try
a variant of blowfish with four 8x8 sboxes for example...)
Tom
------------------------------
From: [EMAIL PROTECTED] (John Curtis)
Crossposted-To: comp.sys.cbm
Subject: Re: random numbers in ml
Date: 8 Jun 1999 20:06:42 GMT
In article <7jftk3$nd2$[EMAIL PROTECTED]> "Rick Braddam" <[EMAIL PROTECTED]> writes:
>
[deletions for brevity]
> ....... The grandfather of them all was the 4004 chip made
>for a Japanese calculator manufacturer. It was "expanded" to
>8 bits to become the 8008, which fathered the 8080.
>
>See? It's nothing but a fancy calculator.
>
>Rick
>
I've had the privilege of debugging code using a
4004 ICE (in circuit emulator). That was fun.
Really the birth of the micro-age. (Oops, sorry,
didn't mean to sound like Al Gore there - I didn't
even know the inventors, just coded for the darn
thing).
ciao,
jcurtis
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Security
Date: Tue, 01 Jun 1999 18:03:36 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (wtshaw) wrote:
> In article <[EMAIL PROTECTED]>, Bryan Olson
> <[EMAIL PROTECTED]> wrote:
> >
> > With an ideal cipher, we expect a unique solution at about
> > the point where the redundancy in the text is equal to the
> > entropy of the key (here we mean the redundancy in bits, not
> > the percentage). The random padding that extends each byte
> > to a block makes the amount of redundancy in each block the
> > same as the amount of redundancy in the original byte. The
> > padding has zero redundancy and the byte hasn't lost any.
> > With an ideal cipher, we expect a unique solution at about
> > the point where the redundancy in the text is equal to the
> > entropy of the key.
> >
> Being conditioned to having padding added at the end is unfortunate.
And has nothing to do with the issue here.
> There is no reason that padding could not be at the beginning or any other
> place, or in more than one place. The nature of the padding should
> make it obvious regardless of its placement upon proper decryption. Not
> knowing where the padding occurs means attacking a cipher with assumed
> inserted nulls, which is not the same as one without them.
Doesn't affect the result. If the intended recipient can
remove the padding, so can the attacker. He just needs
enough ciphertext so that there is only one legal message.
--Bryan
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES
Date: Tue, 08 Jun 1999 19:55:58 GMT
ah ha okay so...
the s-boxes are used to (somehow...) allow all 6 bits of a word to
affect the outcome of a single bit... they have "properties" that are
conducive to this, and DES also has E expansions and P permutations?
I have read a lot of stuff on DES, but I'm a bit shaky on this... how
exactly (as tomstdenis says) do the s-boxes do the word thing, and what
are their "properties" that are better than random (key-dependent)
s-boxes?
cheers, Jim.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: being burnt by the NSA
Date: Tue, 08 Jun 1999 20:00:07 GMT
> The secretive nature of the NSA is overstated in the popular media.
> They exist. You can go visit their headquarters if you want. Take
> the Baltimore-Washington Parkway North from DC and they have an exit
> somewhere North of Laurel. The sign says "NSA Next Exit." Big
> secret.
>
The fact still remains that people complain about the NSA (Dave Scott
likes to do this) and I have never heard anything from the NSA. In
fact I have seen bad things, such as DES and Skipjack. Both ciphers
have been broken which means they are human too.
I have never been in DC, but if I am down there I may take a peek :)
Tom
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: rev 0.9 ppdd - encryption for Linux - available
Date: Tue, 8 Jun 1999 20:39:06 GMT
In article <[EMAIL PROTECTED]>,
Allan Latham <[EMAIL PROTECTED]> wrote:
>The driver concept also allows the root filesystem and the swap
>device to be encrypted. In effect this means that with the exception
>of a kernel and a small initial read-only ram-disc image, everything
>on disc is encrypted.
How does the kernel manage to not be encrypted? Does ppdd store
its encrypted "partition" in a Linux file or something like that
(similar to what is often done with the loopback device)?
Can you make it so that the whole raw disk partition is encrypted
including the kernel? Only the boot block would be unencrypted.
Code would have to be added to the boot loader (presumably Lilo)
to decrypt the kernel before booting to it.
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Looking for a password encryption algorithm
Date: Mon, 07 Jun 1999 16:03:57 -0400
Ari Vähä-Erkkilä wrote:
>
> Hi
>
> Simply, I'm looking for a reliable password encryption algorithm.
Try any good crypto hash (MD5, SHA-1, etc.)
> This is the situation: The passwords are to be stored in a database and
> the client software will access the database via server programs.
> Unfortunately the server programs are stateless, therefore a real
> key-exchange type protocol cannot be implemented.
And of course, since it's stateless, it can't be secure...
> The communications medium
> cannot be considered secure, although non-authorized clients (or client
> programs) are not a problem.
It's not secure but unauthorized clients aren't a risk? So what
ARE the risks?
paul
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: DES
Date: Tue, 08 Jun 1999 21:15:46 GMT
Greg Bartels <[EMAIL PROTECTED]> wrote, in part:
>I've always wondered, why not just have completely
>independent keys for each round of DES?
>wouldn't that be better compared to using the
>same key and shifting it around every round?
>bigger key => stronger encryption
>yes?
Yes, but only to a point. Because of certain aspects in the design of
DES, according to Bruce Schneier's _Applied Cryptography_, there is an
attack against which DES with independent keys is only as strong as
DES with a 65 bit key.
Some minor changes to DES might improve that, for example:
- using two different sets of S-boxes in different rounds,
- retaining the initial permutation and inverse initial permutation,
but doing them after the fourth and twelfth rounds,
- performing substitution on the block with a 256-byte key-dependent
table during encryption.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES
Date: Tue, 08 Jun 1999 18:50:28 GMT
> In fact, the S-Boxes are a main part where DES gets its strength from.
> They are designed in combination with the E expansion and the P
> permutation. Biham and Shamir did an analysis that most changes to
> either of these elements is likely to make the cipher weaker against
> differential cryptanalysis.
That's true, I just didn't know how to word it. The key is the 'key'
to deciphering the message. The sbox is just a tool used to strengthen
the cipher (like the permutation, etc...)
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES
Date: Tue, 08 Jun 1999 20:10:20 GMT
> the s-boxes are used to (somehow...) allow all 6 bits of a word to
> affect the outcome of a single bit... they have "properties that are
> conductive to this, and DES also has E expansions and P permutations?
The permutation in the cipher is used to ensure that each output bit of
a round is used as an input bit to different sboxes in the next round.
This promotes avalanche. The expansion doubles bits which also
promotes avalanche effects. The permutations/expansion have been
carefully designed to ensure each output bit is dependent on every key
and input bit after five rounds, which is rather quick.
Without the permutation/expansions the cipher would be rather weak
against most forms of attack, notably differential because the
differences can be localized in the attack.
>
> I have read a lot of stuff on DES, but i'm a bit shaky on this... how
> exactly (as tomstdenis says) do the s-boxes do the word thing, and what
> are their "properties" that are better than random (key-dependent)
> s-boxes?
>
The properties are non-linear and avalanche. Well those are the two
fundamental properties. They are designed two ways. In CAST and DES
the sboxes are fixed so their strength can be maximized (against known
attacks). Blowfish (which is not exactly CAST as I said earlier...)
uses random sboxes which are non-linear but not the best against a
differential attack (however the sheer size of the sbox makes most
attacks difficult).
The sbox is really simple, pretend it's an int array like so
int sbox[8] = { 0, 2, 4, 3, 7, 6, 5, 1 };
Where you would take 3 bits as an index and get 3 bits out. For
example if the input is 000 then you get 000 out (not particularly
useful). However change bit zero and you get 010 output, change the
middle bit and you get 100, etc... This sbox is not strong against any
form of attack, for the first three sbox entries the linear equation y
= 2x can be used, and so on. It also has a slow avalanche effect for
most entries. I could make this better by swapping the 7 with the 0
like so
int sbox[8] = { 7, 2, 4, 3, 0, 6, 5, 1 };
Now 000 -> 111 and 001 -> 010 and their difference is 111^010=101 which
is more than half the bits (note odd-size sboxes are not a good idea...)
This is just an example. There are several other criteria such as
size (dimensions), etc...
Take a look at the sboxes in DES, and see what happens when a single
bit changes in the input.
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES
Date: Tue, 08 Jun 1999 20:25:20 GMT
In article <7jjtb2$v5q$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> With out the permutation/expansions the cipher would be rather weak
> against most forms of attack, notably differential because the
> differences can be locallized in the attack.
OK, everyone is telling me about "differential" cryptanalysis...
I have read it defined as something like "having 2 ciphertexts c and
c', under the same key, the difference, d=c'-c da dee da da.." hmmm..
all the s-box stuff is crystal clear.... cheers
Jim
(by the way, to you and everyone else who has given me a hand, I am
really grateful (I'm sure I'm overdoing the apology bit); you are all
much more helpful and less abusive than the mass media would have me
think. I have spent many years and way too much money on the net, and
never in 6 years used usenet...... <tears>. Thanks for helping me [btw
this is a prelude to asking blindly for help. Oh, wadda you know, I
just did!])
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Scottu: I actually saw something usefull
Date: Tue, 08 Jun 1999 20:44:30 GMT
> I am not certain that the unidirectional propagation is a flaw. The
> wrapping will effectively produce diffusion into the previous data which
> will allow the earlier blocks to be affected. I agree that it does seem
> kludgy.
I would trust an algorithm with the 'random' effects more than his.
Because you cannot determine where the error occurred. I agree that his
cipher will produce some desirable effects, but 25 rounds is quite a
bit, and the blocks are too large. If his algorithm would work on four
word blocks, then I would say sure why not... But that's not the case.
> Nothing wrong with working backwards (nothing particularly right
> about it either though).
Well my cipher (link posted) uses large tables like his, but is much
easier to use, implement and understand. I am just saying he is not
working in a productive manner.
>> As a toy in the middle I wrote this
>> http://people.goplay.com/tomstdenis/simple.c
> Have you checked out CRAB( another huge blocksized 'toy' cypher )?
Yes I have. It's a cipher based on the MD5 hash function, however why
not use the output of the hash in some other form? It also lacks a key
schedule and as far as I know it's not complete. My cipher however is
a 128-bit block cipher, and is not a huge-block cipher.
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES
Date: Tue, 08 Jun 1999 20:55:26 GMT
> OK, everyone is telling me about "differential" cryptalanlysis...
> i have read it defined as something like "having 2 ciphertexts c and
> c', under the same key, the difference, d=c'-c da dee da da.." hmmm..
>
Well in diff. analysis you find some difference in two plaintext/cipher
text pairs denoted as P - P' = A and C - C' = B, and if this difference
(which can be xor, subtraction etc..) is more prominent than it should
be it can be used to detect what keys were used. A and B are not always
fixed, they may be variable (the variable would help suggest keys). If
the round key does not exhibit this difference you can eliminate it.
In linear analysis, you try to exploit a linear trait of the
plaintext/ciphertext and key. It normally works on bits and not bit
vectors (*words*) which suggests that it is slower, however it has worked
on DES in 2^43 chosen plaintext (diff. requires 2^47). RC5 for example
is highly resistant to linear analysis because of the rotation, however
it's not immune to it. A linear relation is always represented using
linear algebra such as 'A xor B xor K' etc...
I have just started as well in cryptography. In fact I am supposed to be
doing some Gaussian elimination (david: I have started and I will
finish the rest tonight!!!). Basically read some papers, make toy
ciphers and try to find linear/diff chars. It's easy to understand on
toy ciphers (like C = P^K, C = P^3K) for example.
> all the s-box stuff is crystal clear.... cheers
Super. I did overdo the post though :)
> (by the way, to you and everyone else who has given me a hand, i am
> really grateful (i'm sure i'm overdoing the apology bit); you are all
> much more helpful and less abusive than the mass media would have me
> think. I have spent many years and way too much money on the net, and
> never in 6 years used usenet...... <tears>. Thanks for helping me [btw
> this is a prelude to asking blindly for help. Oh, wadda you know, i
> just did!])
Really it's no prob. I am new as well and I really don't mind helping
out. Most people are helpful (some are not... :( ). David Wagner is a
really good sport, he is probably the most helpful member here. He has
been around this group for quite some time as well (he started here
too). Myself I started about 6 months ago, so I am a 'newbie' as
well. James Felling has been around quite some time and is full of
neato facts. Terry Ritter is a good sport, and has a wonderful
website. Just ask any one of them (or the others in here) if you need
any help.
Most people forget to mention that if you have a neato idea, don't
forget to post it. I think group dissections of ideas are a good use of
this group.
Tom
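As an added example (not code from the thread), the C program below measures the two 3-bit S-boxes Tom gives in his earlier reply and ties them to the differential and linear attacks he sketches here: the largest difference-distribution-table entry, the largest linear-approximation bias, and his single-bit avalanche count. The function names and the labels sbox_a/sbox_b are mine.

```c
/* Added example: differential, linear and avalanche measures for the
 * two toy S-boxes from the thread. Not part of the original posts. */
#include <stdio.h>
#include <stdlib.h>

#define SBOX_BITS 3
#define SBOX_SIZE (1 << SBOX_BITS)

/* The two S-boxes from the post: the original, and the one with 0 and 7 swapped. */
const int sbox_a[SBOX_SIZE] = { 0, 2, 4, 3, 7, 6, 5, 1 };
const int sbox_b[SBOX_SIZE] = { 7, 2, 4, 3, 0, 6, 5, 1 };

static int bit_count(unsigned v) { int c = 0; for (; v; v >>= 1) c += (int)(v & 1u); return c; }
static int parity(unsigned v) { return bit_count(v) & 1; }

/* Largest count in the difference distribution table over non-zero input
 * differences: how often one input xor-difference maps to one output
 * xor-difference. 2 is the best possible for a 3-bit S-box; SBOX_SIZE
 * would mean the difference propagates with certainty. */
int max_ddt(const int *s) {
    int best = 0;
    for (int din = 1; din < SBOX_SIZE; din++) {
        int count[SBOX_SIZE] = { 0 };
        for (int x = 0; x < SBOX_SIZE; x++)
            count[s[x] ^ s[x ^ din]]++;
        for (int dout = 0; dout < SBOX_SIZE; dout++)
            if (count[dout] > best) best = count[dout];
    }
    return best;
}

/* Largest |agreements - SBOX_SIZE/2| over all input masks a and non-zero
 * output masks b for the relation parity(a & x) == parity(b & S(x)).
 * A bias of SBOX_SIZE/2 means some output parity is an exact linear
 * function of the input, i.e. the relation holds for every x. */
int max_lat_bias(const int *s) {
    int best = 0;
    for (int a = 0; a < SBOX_SIZE; a++) {
        for (int b = 1; b < SBOX_SIZE; b++) {
            int agree = 0;
            for (int x = 0; x < SBOX_SIZE; x++)
                if (parity((unsigned)(a & x)) == parity((unsigned)(b & s[x]))) agree++;
            int bias = abs(agree - SBOX_SIZE / 2);
            if (bias > best) best = bias;
        }
    }
    return best;
}

/* Tom's avalanche measure: for every input x and every input bit i, the
 * number of output bits that flip when bit i is flipped, summed. Divide
 * by SBOX_SIZE*SBOX_BITS for the average (1.5 is the strict-avalanche
 * target here). The original box reaches that average yet still has an
 * exactly linear output parity, which only max_lat_bias exposes. */
int avalanche_total(const int *s) {
    int total = 0;
    for (int x = 0; x < SBOX_SIZE; x++)
        for (int i = 0; i < SBOX_BITS; i++)
            total += bit_count((unsigned)(s[x] ^ s[x ^ (1 << i)]));
    return total;
}

int main(void) {
    const int *boxes[2] = { sbox_a, sbox_b };
    const char *names[2] = { "original", "0/7 swapped" };
    for (int k = 0; k < 2; k++)
        printf("%-12s max DDT entry %d, max LAT bias %d, avalanche %d/%d\n",
               names[k], max_ddt(boxes[k]), max_lat_bias(boxes[k]),
               avalanche_total(boxes[k]), SBOX_SIZE * SBOX_BITS);
    return 0;
}
```

The swapped box is the best a 3-bit permutation can do on both tables (every DDT entry at most 2, every LAT bias at most 2), while the original box has a differential that holds half the time and an output parity equal to the input parity.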
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: What good is hushmail?
Date: Tue, 08 Jun 1999 20:57:21 GMT
> Not for key setup. Blowfish has a very slow key setup; 64-bit Blowfish
> would be much harder to brute-force than most other 64-bit algorithms.
Not unless you had 2^64(2^10 + 18) or about 2^74.1 bytes of ram :)
Which is not likely...
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Some Papers (I have collected)
Date: Tue, 08 Jun 1999 10:40:52 GMT
Ok if you would like to see a small collection of papers (say if you
are new), then check out some sites:
- Terry Ritter
- John Savard
And possibly mine? I have taken the papers from the actual authors
(well not taken, but downloaded... :) ) some are on my page at
http://people.goplay.com/tomstdenis/index.html
I would check out the other two people's sites as well (if you are new)
as they both contain a wealth of information.
If you want to check out the design of the ciphers posted at my site, I
would start with:
- TEA
- RC5
- Blowfish
They are conceptually easy to understand, and will help demonstrate
what most ciphers resemble.
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: tomstdenis' simple.c
Date: Tue, 08 Jun 1999 10:53:03 GMT
I added the AND to the key schedule, but one would technically have to
add it to the rest of the cipher. I however want to keep the demo
simple. So one could just change the unsigned short to their
appropriate 16-bit variable type.
I want to write a mini-paper (paperette?) on the use of large s-boxes,
and how they would compare to other ciphers. I will include my
simple.c as a working example.
Thanks for the feedback though. If someone lost the link you can see
the simple.c at:
http://people.goplay.com/tomstdenis/simple.c
Tom
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: KRYPTOS
Date: Tue, 08 Jun 1999 15:50:19 -0700
Jim Gillogly wrote:
> I've tried several things on the transposition cipher -- I think it's
> shorter than the section suggested by the CIA in the letter posted at
> the ACA site, or 336 letters total, from ENDYA to TVDOH W. The
> individual letter frequencies are much more convincing that way. I've
> made some progress on it (I think) but don't have a solution to anything.
Correction -- I just solved one of the other sections. I'll be writing it
up for "The Cryptogram", the organ of the American Cryptogram Association.
It has about a 3 month lead time, so you have plenty of time to subscribe. :)
It's a real solution in a known system with two single-word keys.
--
Jim Gillogly
Sterday, 18 Forelithe S.R. 1999, 22:46
12.19.6.4.13, 10 Ben 1 Zotz, Third Lord of Night
------------------------------
From: [EMAIL PROTECTED] (STL137)
Subject: Re: being burnt by the NSA
Date: 8 Jun 1999 22:54:10 GMT
DES was broken? Since when? It is most likely *the* most trusted symmetric
cipher in existence (barring another cipher that has *ahem* implementation
problems). Its keysize is a vulnerability, but there is always Triple-DES.
-*---*-------
S.T.L. ==> [EMAIL PROTECTED] <==
~~~ My quotes page is at: http://quote.cjb.net ~~~
~~~ My main website is at: http://137.tsx.org ~~~
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"
2^3021377 - 1 is PRIME!
I have tentatively released my E-mail block. Address is correct as it is. I
believe the courtesy of providing a correct E-mail address is more important
than having to delete junk, which gets through anyway. The block will simply
go up again if I am bombed again. I don't care, and it's an easy solution.
If you see a message of mine posted on two newsgroups, then it is because I
have replied to a crossposted message. I *never* crosspost of my own accord!
-*---*-------
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************