Cryptography-Digest Digest #719, Volume #9       Mon, 14 Jun 99 16:13:04 EDT

Contents:
  Critique of Street Performer Protocol paper (Anonymous)
  Re: SLIDE ATTACK FAILS ([EMAIL PROTECTED])
  TEA vs Blowfish (Dave Hazelwood)
  Re: SLIDE ATTACK FAILS (Johnny Bravo)
  Re: Followup: OTP is it really ugly to use or not? (STL137)
  Re: RSA example with small numbers (STL137)
  Key Schedule Question ("Timothy Kordas")
  Subset alphabet encryption (Kevin Driscoll)
  NDSS 2000 SUBMISSION DEADLINE EXTENDED TO JUNE 23RD ("David M. Balenson")
  Re: Spec ("Kenneth N Macpherson")

----------------------------------------------------------------------------

From: Anonymous <[EMAIL PROTECTED]>
Subject: Critique of Street Performer Protocol paper
Date: Mon, 14 Jun 1999 21:04:06 +0200 (CEST)

Comments on http://www.counterpane.com/street_performer.pdf:

Regarding secure perimeter schemes:

> There is also an economic problem. The customer does not see much economic
> value in purchasing a secure perimeter. Selling a tamper-resistant device
> useful only to play copyrighted content (e.g., a sealed box with speakers
> and a video screen) seems difficult.

This is not necessarily true.  In fact there is some evidence that Intel's
move towards embedding serial numbers and cryptographic functionality
into their chip set is primarily for this purpose.  A customer will
want to buy a box that can play secured data if that data is much less
expensive than non-secured.  If you have a choice between buying a
Microsoft product for $495 on a regular PC or $29.95 on a secured PC,
there will surely be a market for secured PCs.  (Of course if you're
just going to pirate the software you won't be in that market.)

> With tools like anonymous remailers and the Eternity service, material
> that's ever posted simply cannot be erased, short of destroying the
> whole service.  This means that one posting of a copyrighted piece of
> music, video, or text makes it available for free (or at least very
> cheaply) via the Internet. Indeed, even without the Eternity service,
> information that is ever posted or made available on the net is very
> hard to erase, though legal threats can probably get it taken off the major
> search engines.

The Scientology documents are a good case study here.  In fact the church
has been reasonably effective in severely limiting their distribution.
MP3s are a forthcoming example.  Will they still be widely available three
years from now?  Chances are that any site which becomes known as offering
MP3s will have lawbots hounding it within minutes.  The underworld of ftp
sites and hotline servers offering MP3s will have difficulty surviving
under that kind of pressure and scrutiny.

Regarding traitor tracing schemes:

> Even worse, a record company or publishing house has relatively little
> direct incentive to worry about getting the right person. To deter future
> infringement, they need to make a highly visible example of someone. If
> it's the right person, so much the better. However, most of the people
> being deterred by his example will have no idea whether he's guilty or
> innocent, so the deterrent effect is essentially the same. The record company
> or publishing house will presumably try to get the right person, but their
> only financial incentive for doing so is to eliminate one more copyright
> violator, and to avoid costly lawsuits from the falsely accused person.

The risk of lawsuits is far from insignificant.  If it becomes known that
a publisher has callously prosecuted an honest customer with disregard
for the truth, the publisher will not only face severe punitive damages,
but also a loss of reputation as other customers fear that they may face
the same risks.  Publishers would actually have strong incentives to use
the system responsibly and reliably, given the kind of legal climate we
have today.

> In a world in which copyrighted material, once posted, drops a great
> deal in value, it's probably not possible to hold the copyright violator
> responsible for most of the loss. He will generally just not have the
> money. Furthermore, very few personal computers or homes are defended
> well enough to justify having information inside which, if posted
> anonymously to the Internet, will cost their owner even a few thousand
> dollars, let alone millions of dollars.  (For comparison, the reader
> may consider whether he would be willing to keep a briefcase with even
> $10,000 belonging to his boss in his house, with no additional security
> or insurance.)

It would probably be necessary to have much higher security in the
computers which guard the copyrighted material than we generally have
today.  The question is whether technologies exist which can provide
this kind of security.  If computers become cheap so that copyrighted
material is provided on a special computer (a video/music/game box) then
it need not be a version of Windows but can be a special high security OS.
A number of vendors claim to have technology (capabilities, etc.) which
can provide high security if you don't care about Windows compatibility.

> The second problem with this approach is that it requires that every
> purchaser of copyrighted material present an extremely hard to forge
> identification. As noted above, this is required for every kind of
> media, not just for downloading digital content over the Internet;
> otherwise the smart attacker just buys a CD with cash, loads it onto his
> computer, and posts it to the net anonymously. These hard to forge IDs
> must be ubiquitous, and probably end up having to be tied to some kind
> of national ID card. A determined attacker can try to forge an ID, or
> can convince some gullible or desperate person to buy the content for him.

There are many other applications for this level of authentication in
the digital commerce realm.  While it is true that we are far from that
capability now, this copyright problem may turn out to be the "killer app"
for ubiquitous cryptographic certification.

It may be relevant to consider Carl Ellison's concept within the context
of SPKI that what is needed is not a government issued identification
certificate, but rather a certificate by a respected punishment agency
saying that it had the power to enforce consequences on the part of the
subject.  So long as the seller trusts the punishment agency it can be
confident that cheaters will be deterred.  This can also address the problem
above about desperate people being used to buy copyrighted material and
taking the fall - many such people will not be able to become class A
customers of punishment agencies and so won't be eligible to purchase
high value copyrighted material.

You also have to look at what the financial incentives are for the
cheaters.  How much do you make by beating the system?  Can you sell the
bootleg goods for much money, given that you're an unauthorized seller?
Or is this an altruistic act to set the bits free?  If there are risks
and expenses involved in defeating the protections, it will make a big
difference what the rewards are for doing so.

> The third problem with this approach is that it almost certainly
> ends up requiring a database somewhere of every piece of copyrighted
> information anyone has ever purchased. In a world in which nearly
> all books, movies, and music are purchased online, this creates a
> really unpleasant destruction of personal privacy. It also raises some
> interesting questions. Will governments hold this information? How about
> large media corporations? Will the database records be subject to subpoena
> by divorce lawyers and independent prosecutors? Will advertisers be able
> to buy lists of who purchased which book for marketing reasons? What
> about the security of this database? (How much is the list of everyone
> who bought The Satanic Verses worth on the open market?)

There are alternative schemes such as the anonymous fingerprinting of
Pfitzman and Waidner described at
http://www.semper.org/sirene/lit/abstr96.html#PfWa3_96.  This allows
cheaters to be caught and identified but it does not have the kind of
database problems described here.


As for the protocol itself, it is basically a matter of customers making
pledges to pay for the work when it is released, the PBS pledge drive
model, but specific to a particular work.  As the authors recognize, such
schemes have an inherent problem:

> The funding of the next novel in a series is a clear case of a public-good
> problem: each donor probably has very little impact on when or if the
> next novel is released.

A public good is one which is available to everyone if available
to anyone.  In this case, people who haven't paid for the work get to
enjoy it just as much as people who have.  It is elementary economics to
show that public goods are underprovided compared to the social optimum.
That is why people have worked so hard to try to come up with ways to
protect intellectual property rights.

The authors do suggest some ways of rewarding pledgers, which will be
familiar to anyone who has sat through those boring pledge drive
telethons:

> 1. A donor may give money partly out of the desire to be recognized as
> a nice person, a patron of the arts, etc.
>
> 2. There may be additional premiums involved in donating; raffles for a
> lunch with the author, for example.
>
> 3. A donor may be more likely to give money when he can see that it has
> an immediate effect. Thus, public radio stations have goals for pledge
> drives, and also for specific times. This might translate into letting
> novels out in dribbles, as small additional goals are met. Experience
> in the market will determine what pricing and marketing strategies
> work best.

These may work to some extent, but they are unlikely to motivate buyers
as much as knowing that if they don't pay, they won't get the book
(as is the case in property based systems like we have today).  It is
very questionable whether this method can provide significant funds to
intellectual property producers.  The amount of money raised by pledge
drives is small compared to the advertising revenues and cable fees of
commercial television.

In summary, the authors do a good job of pointing out problems with the
current notion of copyright as we move into the digital age.  However
the criticisms they offer are not completely sound and it is possible
that ways will be found to effectively maintain copyright protection.
If such efforts fail, it is unlikely that their protocol or any other
proposed methods will continue to provide us the bounty of information
resources that we have become accustomed to.

-- Anon


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: SLIDE ATTACK FAILS
Date: Mon, 14 Jun 1999 14:05:57 GMT

In article <7k30gk$otv$[EMAIL PROTECTED]>,
  SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>   Young asswipe if you follow logic the SLIDE ATTACK was
> mentioned by Wagner as defeating my code. He is the one
> that stated mine was destroyed by it or do you know
> anything. Yes they declared their toy ciphers to pass
> the test. Is that just news to you. You grow up little
> grass hopper and some day you be man.

What I understood from that thread is that they thought it would work.
He might have been presumptuous but I don't think you need to carry
this on so much.

Just because an attack doesn't work on YOUR cipher doesn't mean it's
immune to another attack.  Personally I think you should work towards
breaking it (or variants).  If you have published results on what
methods of attack you have chosen and why your cipher is resilient to them,
people will consider it more.

Like for example in my first cipher, I added the IP/FP to hinder people
from controlling the inputs.  However the PHT can still have the
weakness that we described.  I then added round keys to stop this
attack. etc etc... Of course my first cipher was easy to read but
required too much key setup time, memory, etc...

I don't think you have learnt a thing from your cipher, and that's why
people don't appreciate you as much as you would like.  Plus you insult
everyone, that's very unprofessional.

I would try:

1.  Attack without the first/last round, and say only 2 mixing rounds
2.  Attack same as above, more rounds etc...

Just a thought.  Of course you will not read any of this message and
respond with garbage.  Prove me wrong.

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (Dave Hazelwood)
Subject: TEA vs Blowfish
Date: Mon, 14 Jun 1999 15:55:16 GMT

Is there a clear cut advantage in speed for one over the other?
If so how much.

Is there a clear cut advantage in security for one over the other? 
If so why?
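An added example, not part of the original post or of either cipher's reference code: a Python port of the TEA round function (the reference is a few lines of C, which is why TEA tends to be the faster and smaller of the two), plus the one security caveat a practitioner should know before choosing it. TEA's key schedule is so simple that every key has three equivalents: flipping bit 31 of k0 and k1 together (or of k2 and k3 together) leaves every ciphertext unchanged, so the effective key size is 126 bits rather than 128. That property is documented in the related-key cryptanalysis literature; the sample key and block below are constructed for the demonstration.

```python
# Added example (not part of the original post): a Python port of TEA and
# a demonstration of its equivalent-key property.  Blocks are (v0, v1) and
# keys are (k0, k1, k2, k3), all 32-bit words.

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9          # TEA's golden-ratio constant
ROUNDS = 32                 # 32 cycles = 64 Feistel rounds, as in the reference code


def _mix(v, s, ka, kb):
    """One half-round: ((v<<4)+ka) ^ (v+s) ^ ((v>>5)+kb), each term mod 2^32."""
    return (((v << 4) + ka) & MASK) ^ ((v + s) & MASK) ^ (((v >> 5) + kb) & MASK)


def tea_encrypt(block, key, rounds=ROUNDS):
    """Encrypt one 64-bit block under a 128-bit key."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + _mix(v1, s, k0, k1)) & MASK
        v1 = (v1 + _mix(v0, s, k2, k3)) & MASK
    return v0, v1


def tea_decrypt(block, key, rounds=ROUNDS):
    """Inverse of tea_encrypt: same schedule, run backwards."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - _mix(v0, s, k2, k3)) & MASK
        v0 = (v0 - _mix(v1, s, k0, k1)) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def equivalent_keys(key):
    """Return the three other keys that encrypt identically to `key`.

    Adding 0x80000000 mod 2^32 toggles exactly bit 31 of a sum.  In _mix,
    (v<<4)+ka and (v>>5)+kb are XORed together, so toggling bit 31 of both
    ka and kb cancels out and the round output is unchanged.  The same
    holds independently for the (k2, k3) pair.
    """
    k0, k1, k2, k3 = key
    top = 0x80000000
    return [
        (k0 ^ top, k1 ^ top, k2, k3),
        (k0, k1, k2 ^ top, k3 ^ top),
        (k0 ^ top, k1 ^ top, k2 ^ top, k3 ^ top),
    ]


def demo():
    """Round-trip a constructed block and check the three equivalent keys."""
    key = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)   # constructed sample key
    block = (0xDEADBEEF, 0x0BADF00D)                          # constructed sample block
    ct = tea_encrypt(block, key)
    roundtrip_ok = tea_decrypt(ct, key) == block
    same = [tea_encrypt(block, k) == ct for k in equivalent_keys(key)]
    return ct, roundtrip_ok, same


if __name__ == "__main__":
    ct, ok, same = demo()
    print("ciphertext words: %08x %08x  roundtrip: %s" % (ct[0], ct[1], ok))
    print("equivalent keys give identical ciphertext:", all(same))
```

Equivalent keys do not by themselves break TEA, but they are the visible symptom of a key schedule with no diffusion, and they matter anywhere the cipher is used as a hash or MAC building block, where two distinct keys colliding on every input is exactly what must not happen. Blowfish's expensive key setup (running the cipher over its own P-array and S-boxes) is the opposite design trade: slow to key, but without this class of problem.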

------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: SLIDE ATTACK FAILS
Date: Mon, 14 Jun 1999 11:34:54 GMT

On Mon, 14 Jun 1999 05:37:58 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

> To sum it up the great crypto gods where wrong.

  Why do you keep calling them gods?  Do you really consider yourself
that inferior to them?

>Which should be of no great surprise. SCOTT19U
>is still alive and well. The great "SLIDE ATTACK"
>went down the sewer. But don't blame the crypto
>gods too much. They have such a narrow view of
>mathematics and can't read C code. They have

  You just mean that they won't read your horribly mangled, non-commented
code.  That doesn't mean they can't, just as you wouldn't
bother to read postings converted into 1's and 0's.  It's not because
you can't, it would be because it wouldn't be worth your time to do
so.

>  Sorry guys stick with breaking toy stuff
>no wonder you're not working for the NSA.

  What's the big deal, you don't work for NSA either.  I guess you
just aren't "good enough."  I'm rather happy to be employed elsewhere.

>methods that work and can treat a whole file
>like a single block unlike the toy ciphers that
>you are more familiar with.

  Since you consider every other cipher in the world but yours a toy,
just where is your paper on breaking these toy ciphers, or is your
mouth writing checks your intellect can't cash?

>David A. Scott

  Johnny Bravo


------------------------------

From: [EMAIL PROTECTED] (STL137)
Subject: Re: Followup: OTP is it really ugly to use or not?
Date: 14 Jun 1999 19:18:35 GMT

It's quite simple. If you do not perform OTP *exactly*, then it's not a
one-time-pad. It may be darn good security, but it's breakable in theory.

-*---*-------
S.T.L.  ==> [EMAIL PROTECTED] <==
~~~ My quotes page is at:  http://quote.cjb.net ~~~
~~~ My main website is at:  http://137.tsx.org ~~~
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"
2^3021377 - 1 is PRIME!
F0 0F C7 C8
I have tentatively released my E-mail block. Address is correct as it is. I
believe the courtesy of providing a correct E-mail address is more important
than having to delete junk, which gets through anyway. The block will simply
go up again if I am bombed again. I don't care, and it's an easy solution.
If you see a message of mine posted on two newsgroups, then it is because I
have replied to a crossposted message. I *never* crosspost of my own accord!
-*---*-------
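An added example, not part of the original post, of what "not performing OTP exactly" costs in practice. The most common way to get it wrong is to use a pad twice. The code below encrypts two constructed messages under the same pad and shows that XORing the ciphertexts removes the pad entirely, leaving p1 XOR p2; a guessed word from one message ("crib dragging") then reads the other message directly. Message text and the fixed pad in the test are constructed for the demonstration.

```python
# Added example (not part of the original post): a byte-wise one-time pad
# and the two-time-pad failure that follows from reusing it.

import os


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt `data` with `pad` (XOR is its own inverse).
    Refuses a short pad: a pad is never stretched, wrapped or reused."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message; never wrap or reuse a pad")
    return bytes(d ^ p for d, p in zip(data, pad))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one pad: c1 ^ c2 == p1 ^ p2, the pad cancels."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Slide a guessed fragment of one plaintext across p1^p2.  Wherever
    the result is printable ASCII it is a candidate fragment of the other
    plaintext at that offset.  Returns [(offset, recovered_bytes), ...]."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[off:off + len(crib)]
        guess = bytes(x ^ c for x, c in zip(window, crib))
        if all(32 <= b < 127 for b in guess):
            hits.append((off, guess))
    return hits


def demo():
    """Constructed sample messages; a real pad comes from os.urandom and is
    destroyed after its single use."""
    p1 = b"attack at dawn"
    p2 = b"meet me at six"
    pad = os.urandom(len(p1))
    c1 = otp_xor(p1, pad)
    c2 = otp_xor(p2, pad)          # the mistake: same pad twice
    leak = two_time_pad_leak(c1, c2)
    pad_gone = leak == bytes(a ^ b for a, b in zip(p1, p2))
    return pad_gone, crib_drag(leak, b"attack")


if __name__ == "__main__":
    pad_gone, hits = demo()
    print("c1 ^ c2 equals p1 ^ p2:", pad_gone)
    for off, frag in hits:
        print("crib 'attack' at offset %d reveals %r" % (off, frag))
```

The same failure appears whenever the "pad" is anything other than truly random and used once: a stream cipher keyed with a repeated key and nonce leaks p1 XOR p2 in exactly this way.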

------------------------------

From: [EMAIL PROTECTED] (STL137)
Subject: Re: RSA example with small numbers
Date: 14 Jun 1999 19:21:56 GMT

Pssst. TI-85s have 14-digit PRECISION, though they appear to work with numbers
as large as 10^999. Thus they are Darn Near Worthless (TM) for stuff like RSA.
Now, TI-92s (89s and 92+s as well) have 614-digit integer precision. Thus RSA
is possible to use on them. In fact, you can hack your own RSA program entirely
in TI-92 BASIC. However, getting permission from RSA Data Security, Inc. to
distribute it is another story. Augh!

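An added example, not part of the original post, working through RSA with calculator-sized numbers and showing why the small size is the problem rather than the arithmetic. The key is built from the usual textbook primes p = 61, q = 53 (n = 3233); encryption and decryption are modular exponentiation; and an attacker with the same 14-digit precision factors the modulus by trial division in at most sqrt(n) steps and computes the private exponent for themselves. No padding or prime generation is included; this is the bare textbook operation.

```python
# Added example (not part of the original post): textbook RSA with numbers
# small enough for a pocket calculator, and why that smallness is fatal.

from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int = 17):
    """Build (n, e, d) from two primes.  Textbook only: no padding,
    no prime generation, no check beyond gcd(e, phi) == 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return n, e, d


def rsa_encrypt(m: int, n: int, e: int) -> int:
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Recover (p, q) for a small modulus.  Work grows with sqrt(n): a
    14-digit n falls in about ten million divisions, a 617-digit n never."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(n: int, e: int) -> int:
    """What the attacker does with only the public key (n, e)."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    n, e, d = rsa_keygen(61, 53)           # the usual worked example: n = 3233
    c = rsa_encrypt(65, n, e)
    m = rsa_decrypt(c, n, d)
    d_attacker = recover_private_key(n, e)
    return n, e, d, c, m, d_attacker


if __name__ == "__main__":
    n, e, d, c, m, d2 = demo()
    print("n=%d e=%d d=%d  enc(65)=%d  dec=%d  attacker's d=%d" % (n, e, d, c, m, d2))
```

The 14-digit versus 614-digit distinction in the post is exactly the line between a modulus the attacker can factor on the same calculator and one they cannot; a 614-digit integer gives room for a modulus in the 1024-bit range, which is the smallest size anyone treated as serious at the time.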

------------------------------

From: "Timothy Kordas" <[EMAIL PROTECTED]>
Subject: Key Schedule Question
Date: Mon, 14 Jun 1999 16:59:18 GMT

I'm still working through a bunch of material about cryptanalysis;
but most of what I've read so far concerns itself primarily with
the encryption-function portion of a few different algorithms. Are
there any good references out there about key scheduling ?

How safe is it to use something like an LFSR (seeded with the key)
to generate subkeys ?

-Tim
--
Timothy J. Kordas
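An added example, not part of the original post, that makes the LFSR question concrete. It clocks a 32-bit Galois LFSR (the particular maximal-length polynomial x^32 + x^22 + x^2 + x + 1 is this example's own choice) 32 steps per subkey and then demonstrates the two properties any linear schedule has: the whole schedule is linear in the key, so every key difference maps to a known difference in every subkey, which is what related-key attacks feed on; and the step is invertible, so recovering any single round key (by attacking the last round, say) hands back the master key. A weak key also shows up immediately: an all-zero key yields all-zero subkeys forever.

```python
# Added example (not part of the original post): a 32-bit Galois LFSR used
# as a key schedule, and the properties that make that a poor choice.

WIDTH = 32
MASK = (1 << WIDTH) - 1
# Feedback mask for x^32 + x^22 + x^2 + x + 1 (taps 32, 22, 2, 1); the
# polynomial is the example's own choice, any other LFSR behaves the same.
TAPS = 0x80200003
STEPS_PER_SUBKEY = 32


def lfsr_step(state: int) -> int:
    """One clock: shift right, XOR in the taps if the dropped bit was 1."""
    lsb = state & 1
    state >>= 1
    if lsb:
        state ^= TAPS
    return state


def lfsr_unstep(state: int) -> int:
    """Exact inverse of lfsr_step.  After a shift the top bit is clear, so
    it is set afterwards only if TAPS (whose top bit is set) was XORed in,
    which tells us the bit that was dropped."""
    if state >> (WIDTH - 1):
        return (((state ^ TAPS) << 1) | 1) & MASK
    return (state << 1) & MASK


def lfsr_schedule(key: int, n_subkeys: int):
    """Seed with the key, clock STEPS_PER_SUBKEY times per round, emit the state."""
    state, subkeys = key & MASK, []
    for _ in range(n_subkeys):
        for _ in range(STEPS_PER_SUBKEY):
            state = lfsr_step(state)
        subkeys.append(state)
    return subkeys


def recover_key(subkey: int, index: int) -> int:
    """Given any one subkey and its round index, run the register backwards
    to the master key: one leaked round key is the whole key."""
    state = subkey
    for _ in range(STEPS_PER_SUBKEY * (index + 1)):
        state = lfsr_unstep(state)
    return state


def is_linear(k1: int, k2: int, n_subkeys: int = 8) -> bool:
    """schedule(k1 ^ k2) == schedule(k1) ^ schedule(k2), subkey by subkey.
    Each step is shift-plus-conditional-XOR-of-a-constant, i.e. a fixed
    linear map over GF(2), so the whole schedule is linear in the key."""
    a = lfsr_schedule(k1, n_subkeys)
    b = lfsr_schedule(k2, n_subkeys)
    c = lfsr_schedule(k1 ^ k2, n_subkeys)
    return all((x ^ y) == z for x, y, z in zip(a, b, c))


if __name__ == "__main__":
    key = 0xDEADBEEF                       # constructed sample key
    subkeys = lfsr_schedule(key, 6)
    print("subkeys:", ["%08x" % k for k in subkeys])
    print("key recovered from subkey[3]: %08x" % recover_key(subkeys[3], 3))
    print("schedule is linear in the key:", is_linear(key, 0x01234567))
    print("all-zero key gives:", lfsr_schedule(0, 3))
```

Neither property is a break of a cipher on its own; what they do is remove anything the key schedule might have contributed. A schedule is usually asked to make round keys look independent and to keep a difference in the key from being predictable in the round keys, and a linear generator can do neither.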



------------------------------

From: Kevin Driscoll <[EMAIL PROTECTED]>
Subject: Subset alphabet encryption
Date: Mon, 14 Jun 1999 11:54:09 +0000


I had a similar problem, but with some added constraints.  The legal subset of
my alphabet had several discontinuous segments and I had hard real-time issues.
So, I couldn't use the trick of re-encrypting until I got a legal character.

I used a table to translate the legal characters to a contiguous integer range,
added that number to the output of a pseudo-random number generator (PRNG)
modulus the number of legal characters, and then used another table to convert
the resulting integer back into the legal character set (the second table is
the inverse of the first).  Decryption is the same except that subtraction is
used instead of addition.

Contrary to what Tom said, this polyalphabetic scheme can be made as secure as
its PRNG (with some care).

Does anyone reading this newsgroup have a better idea or know of other
implementations using polyalphabetic algorithms for subset alphabet encryption?

-- 
Don'[EMAIL PROTECTED]
Kevin R. Driscoll, Staff Research Scientist   PHONE: (612) 951-7263  FAX: -7438
POST: Honeywell M/S MN65-2200; 3660 Technology Drive; Mpls, MN  55418-1006; USA
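An added example, not part of the original post, implementing the scheme described above end to end: a forward table from a legal alphabet with gaps onto 0..N-1, addition of a keystream value modulo N, and the inverse table back. The alphabet (digits plus letters with I and O removed), the keystream source (HMAC-SHA256 in counter mode under a key and nonce) and all sample inputs are this example's own choices. The "with some care" part is made explicit: reducing a byte modulo N when N does not divide 256 biases the keystream toward the low residues, so the example discards bytes above the largest multiple of N instead, and a function is included that measures the bias the naive reduction would have introduced.

```python
# Added example (not part of the original post): table-driven encryption
# over a subset alphabet with an unbiased keystream modulo N.

import hmac
import hashlib

# Constructed legal set with discontinuous segments: digits, then letters
# with I and O removed.  Any ordered set of distinct characters works.
LEGAL = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ"
N = len(LEGAL)                                  # 34 symbols
TO_INT = {ch: i for i, ch in enumerate(LEGAL)}  # legal char -> 0..N-1
FROM_INT = LEGAL                                # inverse table, index -> char


def keystream(key: bytes, nonce: bytes, count: int):
    """`count` integers uniform on [0, N) from HMAC-SHA256 in counter mode.
    Bytes at or above the largest multiple of N that fits in a byte are
    discarded; reducing every byte with `% N` would favour the low
    residues whenever 256 % N != 0."""
    limit = 256 - (256 % N)
    out, counter = [], 0
    while len(out) < count:
        msg = nonce + counter.to_bytes(8, "big")
        block = hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                out.append(b % N)
                if len(out) == count:
                    break
    return out


def encrypt(plaintext: str, key: bytes, nonce: bytes) -> str:
    """Forward table, add keystream mod N, inverse table.  Output stays
    inside LEGAL and has the same length as the input."""
    ks = keystream(key, nonce, len(plaintext))
    return "".join(FROM_INT[(TO_INT[ch] + k) % N] for ch, k in zip(plaintext, ks))


def decrypt(ciphertext: str, key: bytes, nonce: bytes) -> str:
    """Same as encrypt with subtraction in place of addition."""
    ks = keystream(key, nonce, len(ciphertext))
    return "".join(FROM_INT[(TO_INT[ch] - k) % N] for ch, k in zip(ciphertext, ks))


def modulo_bias(n: int = N):
    """(min, max) hit counts of `byte % n` over all 256 byte values.  For
    n = 34 the 18 lowest residues occur 8 times and the other 16 occur 7."""
    counts = [0] * n
    for b in range(256):
        counts[b % n] += 1
    return min(counts), max(counts)


if __name__ == "__main__":
    key = bytes(range(32))              # constructed sample key
    nonce = b"msg-0001"                 # must never repeat under one key
    pt = "PART7Q2ZX"                    # constructed sample plaintext
    ct = encrypt(pt, key, nonce)
    print("plaintext :", pt)
    print("ciphertext:", ct, "(all legal:", all(c in LEGAL for c in ct), ")")
    print("decrypted :", decrypt(ct, key, nonce))
    print("bias of naive byte %% %d: min/max counts %s" % (N, modulo_bias()))
```

Two caveats carry over from any stream cipher. Reusing a (key, nonce) pair leaks the difference of two plaintexts modulo N, the same failure as a reused pad; and the scheme is malleable, since adding a constant to a ciphertext character adds the same constant to the plaintext character, so anything that must resist tampering needs a MAC over the ciphertext as well.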

------------------------------

From: "David M. Balenson" <[EMAIL PROTECTED]>
Subject: NDSS 2000 SUBMISSION DEADLINE EXTENDED TO JUNE 23RD
Date: Mon, 14 Jun 1999 15:28:01 -0400

The Internet Society's Year 2000 Network and Distributed System
Security (NDSS 2000) Symposium deadline for submissions of technical
paper and panel proposals has been EXTENDED TO JUNE 23RD due to the
large number of requests for an extension and the desire to accommodate
people.

The complete Call for Papers (CFP) is available at
http://www.isoc.org/ndss2000/.

Submissions are being accepted electronically at
http://www.isi.edu/~ndss00.

-David Balenson, NDSS 2000 Publicity Chair



------------------------------

From: "Kenneth N Macpherson" <[EMAIL PROTECTED]>
Subject: Re: Spec
Date: Mon, 14 Jun 1999 17:26:23 +0100

I should have said that I am keying the encrypt process.   Sorry  :-)


Ken



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
