Cryptography-Digest Digest #727, Volume #9 Wed, 16 Jun 99 13:13:04 EDT
Contents:
Re: Algorithm from easy spec please! (Mok-Kong Shen)
Re: Test arrays for GOST 28149-89 (Markku-Juhani O. Saarinen)
SSL support (yoni)
Re: Peer review request ([EMAIL PROTECTED])
Diffie-Hellman implementation (Newbie) (Mina Rot)
self rotate ([EMAIL PROTECTED])
Re: Book Usefulness Question (DJohn37050)
Re: Secret info for MACS ("Anton Stiglic")
Re: "Breaking" a cipher ([EMAIL PROTECTED])
Re: NIST announces set of Elliptic Curves (DJohn37050)
Re: Diffie-Hellman implementation (Newbie) (Shaun)
Re: SSL support ("Anton Stiglic")
Re: OTP is it really ugly to use or not? (Jim Felling)
Re: self rotate (Horst Ossifrage)
CIA Enjoys a Challenge? (ESPO247)
Re: SLIDE ATTACK & large state SYSTEMS ([EMAIL PROTECTED])
the student paradox ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Algorithm from easy spec please!
Date: Wed, 16 Jun 1999 12:47:51 +0200
Kenneth N Macpherson wrote:
>
> A method of scrambling the consecutive numbers using the key but not using
> pseudo random sequence would be good as I am not sure that 2 different
> machines will produce the same sequence when seeded with the same key.
It is not possible by 'logic' to scramble without using something
'random'. PRNGs are mostly based on integer arithmetic and then
converted to reals. If you use the same high-level code, you are
sure to get the same result in view of the very small range of
values of your application, i.e. the accuracy problem in relation
to portability is not non-existent in general but is not relevant
for your case.
M. K. Shen
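One way to do what Kenneth asks, as an added example that is not part of either post: a keyed permutation of 0..n-1 driven by HMAC-SHA256 in counter mode. The keyed hash is the 'something random' Shen refers to, but the whole procedure is integer and byte arithmetic with no floating point, so the same key yields the same ordering on any machine with a correct HMAC. The key and the sample values are constructed for this example.

```python
import hashlib
import hmac


def keyed_permutation(key, n):
    """Deterministic Fisher-Yates shuffle of 0..n-1 driven by
    HMAC-SHA256(key, counter).  Only integer and byte operations are
    used, so two correct implementations on different machines produce
    the same ordering for the same key."""
    perm = list(range(n))
    counter = 0
    buf = b""

    def next_below(k):
        # Unbiased integer in [0, k): take enough bytes for k, reject draws
        # at or above the largest multiple of k (a plain r % k is biased).
        nonlocal counter, buf
        nbytes = (k.bit_length() + 7) // 8
        span = 1 << (8 * nbytes)
        limit = span - (span % k)
        while True:
            if len(buf) < nbytes:
                msg = counter.to_bytes(8, "big")
                buf += hmac.new(key, msg, hashlib.sha256).digest()
                counter += 1
            r = int.from_bytes(buf[:nbytes], "big")
            buf = buf[nbytes:]
            if r < limit:
                return r % k

    for i in range(n - 1, 0, -1):
        j = next_below(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def inverse_permutation(perm):
    """Position lookup for unscrambling: inv[perm[i]] == i."""
    inv = [0] * len(perm)
    for pos, val in enumerate(perm):
        inv[val] = pos
    return inv


def scramble(key, values):
    """Reorder a list (consecutive numbers, say) under the key."""
    perm = keyed_permutation(key, len(values))
    return [values[perm[i]] for i in range(len(values))]


def unscramble(key, scrambled):
    """Undo scramble() on the other machine using only the key."""
    inv = inverse_permutation(keyed_permutation(key, len(scrambled)))
    return [scrambled[inv[i]] for i in range(len(scrambled))]
```

The rejection loop in next_below is what keeps the shuffle uniform; reducing a hash output modulo k directly would favour the low residues whenever k does not divide the byte range.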
------------------------------
From: Markku-Juhani O. Saarinen <[EMAIL PROTECTED]>
Subject: Re: Test arrays for GOST 28149-89
Date: 16 Jun 1999 10:16:47 GMT
Serge <[EMAIL PROTECTED]> wrote:
> Can someone post or send email test arrays for russian cryptographic
> algorithm GOST 28149-89 (also known as simply "GOST")?
The GOST 28149-89 specification doesn't have test vectors, because the
S-boxes are left unspecified.
But the GOST R 34-11 hash function (which is built on GOST 28149-89)
has one set of S-boxes - the same ones also found in Applied
Cryptography. This specification does indeed have test vectors.
I have implemented GOST R 34-11, and it matches with the test vectors, so
my GOST 28149-89 must also be correct.
You can find the implementation and some documentation from my home
page at http://www.jyu.fi/~mjos/gosthash.tar.gz
Perhaps you would also be interested in a memo which describes a simple
black-box chosen-key attack for extracting the s-boxes from
GOST 28149-89: http://www.jyu.fi/~mjos/gost_cka.ps
Hope this helps..
- mj
Markku-Juhani Saarinen <[EMAIL PROTECTED]> University of Jyväskylä, Finland
------------------------------
Date: Tue, 15 Jun 1999 16:23:16 +0200
From: yoni <[EMAIL PROTECTED]>
Subject: SSL support
I'm writing a very basic and simple web server using java.
I want to add SSL support but I can't find a free implementation for the
SSL (the server side).
Does anyone know of a good place to start ? a free package ?
The RFC is not clear enough...
By the way - as I understood the first bytes sent from the browser
(netscape communicator) to the server should include the SSL version
number, but I receive strange byte values such as -128, 43, 1, 3.
Any help will be welcomed.
Thanks,
Yoni.
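The bytes Yoni sees are the start of an SSLv2-compatible CLIENT-HELLO, the first message a Netscape-era browser sent even when it intended to negotiate SSLv3: Java's byte is signed, so 0x80 prints as -128, and 0x80 0x2b is a 2-byte SSLv2 record header (high bit set, 43-byte body) followed by message type 1 (CLIENT-HELLO) and the client version's major byte, 3. The decoder below is an added example, not code from the post; the sample record is constructed for it and is not a real capture. A server that only implements the SSLv3/TLS record layer (first byte 0x16) has to recognise this older framing or treat it as an error.

```python
import struct

# Constructed SSLv2-compatible CLIENT-HELLO of the kind a 1999 browser
# sent first (not a real capture).  The record body is 43 = 0x2b bytes.
SAMPLE_CLIENT_HELLO = bytes([
    0x80, 0x2b,            # 2-byte record header: bit 7 set, length 0x002b
    0x01,                  # MSG-CLIENT-HELLO
    0x03, 0x00,            # CLIENT-VERSION 3.0 (SSLv3; 3.1 would be TLS 1.0)
    0x00, 0x12,            # CIPHER-SPECS-LENGTH = 18 (six 3-byte specs)
    0x00, 0x00,            # SESSION-ID-LENGTH = 0
    0x00, 0x10,            # CHALLENGE-LENGTH = 16
    0x00, 0x00, 0x04,      # SSL_RSA_WITH_RC4_128_MD5         (SSLv3 suite 0x0004)
    0x00, 0x00, 0x05,      # SSL_RSA_WITH_RC4_128_SHA         (0x0005)
    0x00, 0x00, 0x0a,      # SSL_RSA_WITH_3DES_EDE_CBC_SHA    (0x000a)
    0x00, 0x00, 0x03,      # SSL_RSA_EXPORT_WITH_RC4_40_MD5   (0x0003)
    0x01, 0x00, 0x80,      # SSL_CK_RC4_128_WITH_MD5          (SSLv2 native)
    0x07, 0x00, 0xc0,      # SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (SSLv2 native)
]) + bytes(range(16))      # CHALLENGE: 16 bytes, constructed (a browser sends random)


def as_java_bytes(data, n=4):
    """How Java prints the same bytes: byte is signed, so 0x80 is -128."""
    return [b - 256 if b >= 128 else b for b in data[:n]]


def sslv2_record_header(data):
    """Return (header_len, body_len, padding_len).  Bit 7 set: 2-byte
    header with a 15-bit length and no padding.  Bit 7 clear: 3-byte
    header with a 14-bit length and the padding length in byte 3."""
    if data[0] & 0x80:
        return 2, ((data[0] & 0x7f) << 8) | data[1], 0
    return 3, ((data[0] & 0x3f) << 8) | data[1], data[2]


def parse_sslv2_client_hello(data):
    """Decode an SSLv2-framed CLIENT-HELLO into its fields, checking that
    every length field is consistent with the record length."""
    if data[0] == 0x16:
        # ContentType 22 = handshake: SSLv3/TLS record layer, not SSLv2 framing.
        raise ValueError("SSLv3/TLS record, not an SSLv2-compatible hello")
    hlen, blen, _ = sslv2_record_header(data)
    body = data[hlen:hlen + blen]
    if len(body) != blen:
        raise ValueError("truncated record: header says %d body bytes, got %d"
                         % (blen, len(body)))
    if blen < 9 or body[0] != 0x01:
        raise ValueError("not a CLIENT-HELLO")
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
    if cs_len % 3 != 0:
        raise ValueError("cipher-specs length %d is not a multiple of 3" % cs_len)
    pos = 9
    specs = [body[pos + i:pos + i + 3].hex() for i in range(0, cs_len, 3)]
    pos += cs_len
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    challenge = body[pos:pos + ch_len]
    pos += ch_len
    if pos != blen:   # the three length fields must account for the whole body
        raise ValueError("length fields do not add up to the record length")
    return {"version": (major, minor), "cipher_specs": specs,
            "session_id": session_id.hex(), "challenge": challenge.hex()}
```

The cipher-spec list is the useful part for a server: SSLv3 suites appear as 00 xx yy and SSLv2-native ones as three arbitrary bytes, so a server that rejects the SSLv2 ciphers can still pick an SSLv3 suite from this hello and answer with an SSLv3 SERVER-HELLO.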
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Peer review request
Date: Wed, 16 Jun 1999 13:22:01 GMT
<snip>
I am downloading it now, and I will check it out.
Tom
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Mina Rot <[EMAIL PROTECTED]>
Subject: Diffie-Hellman implementation (Newbie)
Date: Wed, 16 Jun 1999 13:25:31 GMT
I'm new to cryptography. I'm developing an application that requires
the implementation of Diffie-Hellman key exchange.
1) Is there a source code I can get (free or paying)?
2) What is my legal state if I'm not a US or CANADA citizen, but I
might export my products to North America?
--
Regards,
Mina
------------------------------
From: [EMAIL PROTECTED]
Subject: self rotate
Date: Wed, 16 Jun 1999 13:37:13 GMT
Wow, I got bored yesterday so I invented the self cyclic bit rotate. It
is hopelessly ineffective but neat nonetheless.
The notation is 'x <<< x' which to most seems impossible (well it is
because it is not reversible). So I change it to 'x <<< p(x)' where p
is the sum of 1 bits in x.
Unfortunately p(x) is biased towards 16, so it's pretty much useless.
If anyone else has comments or ideas for self-rotate operations then
give a shout.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
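As an added example (not Tom's code): the self-rotate x <<< p(x) on w-bit words, with the two checks a practitioner would run on it. A rotation moves bits without creating or destroying any, so p(y) = p(x) and y >>> p(y) recovers x; the operation is therefore a permutation, which the exhaustive 16-bit check confirms. The histogram shows the bias Tom mentions: for uniform 32-bit inputs p(x) is Binomial(32, 1/2), so the rotation amount clusters at 16.

```python
import random
from collections import Counter


def popcount(x):
    """p(x): number of 1 bits."""
    return bin(x).count("1")


def rotl(x, n, w=32):
    mask = (1 << w) - 1
    n %= w
    return ((x << n) | (x >> (w - n))) & mask


def rotr(x, n, w=32):
    mask = (1 << w) - 1
    n %= w
    return ((x >> n) | (x << (w - n))) & mask


def self_rotate(x, w=32):
    """x <<< p(x): rotate x left by its own 1-bit count."""
    return rotl(x, popcount(x), w)


def self_rotate_inverse(y, w=32):
    """Rotation preserves the 1-bit count, so p(y) == p(x) and the
    inverse is simply y >>> p(y)."""
    return rotr(y, popcount(y), w)


def is_permutation(w):
    """Exhaustive check that self_rotate is a bijection on w-bit words
    (practical up to roughly w = 20)."""
    return len({self_rotate(x, w) for x in range(1 << w)}) == (1 << w)


def rotation_histogram(samples, w=32, seed=1):
    """Distribution of the rotation amount p(x) over uniform random
    inputs; for w = 32 it is Binomial(32, 1/2) with its mode at 16."""
    rng = random.Random(seed)   # seeded for reproducibility; not a secure RNG
    return Counter(popcount(rng.getrandbits(w)) for _ in range(samples))
```

Because the amount is a function of the data alone, an attacker who sees y also knows the rotation that was applied, which is the other reason a self-rotate by itself adds no secrecy; data-dependent rotations earn their keep only inside a larger round that mixes in key material.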
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Book Usefulness Question
Date: 16 Jun 1999 15:06:50 GMT
HAC is a book for serious cryptographers. It is meant to be a ref. work. AC
is more like an intro to the subject, at least when compared with HAC.
Don Johnson
------------------------------
From: "Anton Stiglic" <[EMAIL PROTECTED]>
Subject: Re: Secret info for MACS
Date: Wed, 16 Jun 1999 11:03:39 -0400
>It certainly _can_ be, in principle. However, it isn't safe to use the
>hash that's stored in the password file, even if it is a "shadow password"
>file, hence protected by the operating system.
>[...]
>John Savard
That is true, think of it this way, when you log in to a Unix account,
someone has to be able to have access to the encrypted password to verify
that your password is good, so that encrypted password IS accessible, even
though it is shadowed. There exist libraries in C that permit you to access
those files, wherever they might be.
Anton S.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: "Breaking" a cipher
Date: Wed, 16 Jun 1999 13:26:00 GMT
In article <LhA93.6297$[EMAIL PROTECTED]>,
"Steven Alexander" <[EMAIL PROTECTED]> wrote:
> It is also said that someone can break a cipher if they can recover the
> key/plaintext in a reasonable amount of time whether it is by brute-force or
> a faster attack. For example, EFF can break DES in a couple of days using
> brute-force.
By this logic I can break Twofish by searching the entire keyspace.
Normally brute force is not considered a break as any cipher is
vulnerable to a brute force search.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: NIST announces set of Elliptic Curves
Date: 16 Jun 1999 15:13:36 GMT
The curves announced by NIST fall into 3 classes:
1. Random curves over a prime order field (Fp).
2. Random curves over a field of characteristic 2 with a prime power (F2**p).
3. Koblitz curves (binary anomalous curves) over a field of characteristic 2
with a prime power (F2**p).
Some interesting observations:
1. Curves over both prime fields and characteristic 2 fields are included.
2. There are no curves over a field of characteristic 2 with a composite power
(F2**m, with m composite).
3. Koblitz curves are included.
Don Johnson
------------------------------
From: Shaun <[EMAIL PROTECTED]>
Subject: Re: Diffie-Hellman implementation (Newbie)
Date: Wed, 16 Jun 1999 16:15:40 +0100
Try the OpenSSL source at www.openssl.org
It contains a whole load of free to use source code for
many encryption algorithms (including Diffie-Hellman).
As for exporting - that depends on where you live. The
US or Canada (and most other places) impose no restrictions
on importing INTO the country, only exporting OUT OF it.
Shaun
In article <7k88k0$k1h$[EMAIL PROTECTED]>, Mina Rot <mina_rot@my-deja.com> writes
>I'm new to cryptography. I'm developing an application that requires
>the implementation of Diffie-Hellman key exchange.
>1) Is there a source code I can get (free or paying)?
>2) What is my legal state if I'm not a US or CANADA citizen, but I
>might export my products to North America?
>
>--
>Regards,
>
>Mina
>
>
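For Mina's question, as an added example and not OpenSSL's code: the exchange itself, with both sides' messages, in Python. The group is a safe prime generated on the fly and kept to 64 bits only so that the example runs in well under a second; a real implementation uses a fixed, published group of at least 2048 bits (the RFC 3526 or RFC 7919 MODP groups, which OpenSSL ships) and never a prime this small. The public-value check is the part home-grown implementations most often leave out.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases (error probability at most 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """p = 2q + 1 with p and q both prime and p exactly `bits` bits long.
    Small sizes are for this example only; use a published group in practice."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def subgroup_generator(p):
    """Smallest g of prime order q = (p-1)/2.  Working in the order-q
    subgroup instead of the full group stops g^x from leaking the parity of x."""
    q = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, q, p) == 1)


def valid_public_value(p, y):
    """Reject 0, 1, p-1, out-of-range values and anything outside the
    order-q subgroup (small-subgroup / invalid-element check)."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1


class Party:
    def __init__(self, p, g):
        self.p, self.g = p, g
        q = (p - 1) // 2
        self.x = 1 + secrets.randbelow(q - 1)       # private exponent in [1, q-1]
        self.public = pow(g, self.x, p)             # the value sent on the wire

    def shared_key(self, peer_public):
        if not valid_public_value(self.p, peer_public):
            raise ValueError("peer sent an invalid Diffie-Hellman public value")
        z = pow(peer_public, self.x, self.p)
        # Hash the shared integer down to a fixed-size symmetric key rather
        # than using raw bits of z directly.
        zlen = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(z.to_bytes(zlen, "big")).digest()


def run_exchange(bits=64):
    """Alice -> Bob: A = g^a ; Bob -> Alice: B = g^b ; both derive H(g^ab).
    Returns (alice_key, bob_key, p); the two keys must be identical."""
    p = safe_prime(bits)
    g = subgroup_generator(p)
    alice, bob = Party(p, g), Party(p, g)
    return alice.shared_key(bob.public), bob.shared_key(alice.public), p
```

Nothing here authenticates the public values, so on its own the exchange is only secure against a passive listener; a protocol that uses it (SSL included) signs or otherwise binds the public values to stop an active attacker from substituting his own.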
------------------------------
From: "Anton Stiglic" <[EMAIL PROTECTED]>
Subject: Re: SSL support
Date: Wed, 16 Jun 1999 11:18:54 -0400
Try www.openssl.org
open library, easy to install with an Apache server.
yoni wrote in message <[EMAIL PROTECTED]>...
>I'm writing a very basic and simple web server using java.
>I want to add SSL support but I can't find a free implementation for the
>SSL (the server side).
>Does anyone know of a good place to start ? a free package ?
>The RFC is not clear enough...
>
>By the way - as I understood the first bytes sent from the browser
>(netscape communicator) to the server should include the SSL version
>number, but I receive strange byte values such as -128, 43, 1, 3.
>
>Any help will be welcomed.
>Thanks,
>Yoni.
------------------------------
From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: OTP is it really ugly to use or not?
Date: Wed, 16 Jun 1999 11:20:43 -0500
Dave Hazelwood wrote:
> [EMAIL PROTECTED] (Mickey McInnis) wrote:
>
> >In article <[EMAIL PROTECTED]>, fungus
><[EMAIL PROTECTED]> writes:
> >|>
> >|>
> >|> [EMAIL PROTECTED] wrote:
> >|> >
> >|> > I will send you a OTP message and you will never solve it :)
> >|> >
> >|>
> >|> Sure I will. I'll just go round to your house and start
> >|> snipping little pieces off you and put aftershave in the
> >|> holes. The message will soon be compromised...
> >|>
> >|>
> >|>
> >|>
> >|> --
> >|> <\___/>
> >|> / O O \
> >|> \_____/ FTB.
> >
> >
> >That's actually one of the nice things about OTP's. He can give
> >you a false OTP "key" that decrypts his ciphertext into a different
> >plausible but wrong cleartext. You never know whether or not he
> >sent a different "real" cleartext with a different "real" key.
> Yup. I love it.
>
> >With proper preparation, OTP's can be used for "rubber hose resistant"
> >cryptography. Even someone who doesn't know the cleartext or key
> >can make up plausible but wrong cleartext/key/ciphertext combinations.
> Yes, I can make up as many combinations as there are possible messages
> of that length. To do this you just make up a new cleartext message of
> the same length and xor it with the ciphertext and you get a new key
> for the new message for the same ciphertext.
> >
> >That's also one of the benefits of using "truly random" number generators
> >vs. some sort of pseudorandom number generator. You probably can't use a
> >PRNG to come up with a key that matches a chosen cleartext to a
> >chosen ciphertext.
>
> I don't understand the last sentence. Who needs a PRNG, just xor the
> cleartext with the ciphertext and you have the key?
>
> For a chosen cleartext and a chosen key there is only ONE ciphertext
> For a chosen cleartext and a chosen ciphertext there is only ONE key.
> For a chosen key and a chosen ciphertext there is only ONE cleartext
>
> Cleartext = A or 41
> Key = 08
>
> cleartext xor key = ciphertext 41 xor 08 = 49
> cleartext xor ciphertext = key 41 xor 49 = 08
> key xor ciphertext = cleartext 08 xor 49 = 41
>
> In the above case my message was the character A
> and the key was 08 yielding a ciphertext of 49.
>
> Now if you are trying to crack my message there
> are 256 equally possible keys (00 to FF) that can be
> xor'd with 49 and each will yield a unique message
> out of the possible 256 messages. It is impossible to
> know or calculate which is the correct one.
>
> I don't think it matters much at all whether the pad is
> truly random either. As long as you do not reuse a pad
> it seems to me that you have top notch protection. Using
> random numbers of course gives you mathematical proof
> of unbreakability but I am not sure that using almost
> random numbers makes it any less secure except for not
> being able to do the "proof".
I wouldn't go that far. Using less than totally random numbers allows you to
be attacked. If you are using random numbers from a Linear Congruence
Generator -- the most commonly implemented in software -- you are begging to
have your code broken (your LCG can be reverse engineered from your data, and
then you are stuck). If you are using a stream of pseudo random data, say RC4
(properly implemented) -- you are probably OK as RC4 has no strong breaks
against a proper implementation -- but you are not as secure as a true OTP.
Any aspect of an OTP that is compromised on is a compromise in security --
some may be made with little loss of quality, others will destroy, or worse
present the illusion of security.
>
>
> In fact I think it may be quite feasible to "mislead"
> somebody trying to crack an OTP by breaking the rules
> and perhaps feeding their indices of coincidence with
> parts of pads that overlap, but which contain
> disinformation so that they are caused to deliberately
> come to the wrong answer!
>
> Who ever said the rules had to be fair?
>
> I think OTP's are a lot more useful and secure than people
> think and with 6 Gig disks costing a little more than $100
> these days it means that with the right software you have a
> very fast very secure solution for many applications.
>
> One thing I especially like about OTP is that each and every
> message has to be attacked on its own. Unlike say DES,
> where when the NSA breaks it they can break every message
> ever sent using it. With an OTP, they have to break every
> individual message and that is forever beyond the means of
> even the mighty puzzle palace.
With an OTP, having the key is equivalent to having the message -- the same
is true of any other code. DES merely has a smaller key/keyspace.
>
>
> For all we know they have already broken RSA, IDEA,
> Blowfish and scores of other algorithms. We just don't
> know do we? But we do know that they have not nor ever
> can break the OTP. Maybe they can read a message here
> and there where the user slips up but that is as far as they
> can ever succeed. And ever is forever.
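The arithmetic in the exchange above, as an added example that is not part of either post: XOR encryption and decryption, the forged pad that turns a ciphertext into any chosen message of the same length, and Jim's warning about LCG pads, shown as a known-plaintext recovery of the generator state. The messages are constructed for the example, and the LCG is the textbook rand() example (a = 1103515245, c = 12345, m = 2^31), assumed here to emit its whole state as the keystream.

```python
import secrets


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp(data, pad):
    """Encrypt or decrypt: XOR is its own inverse."""
    return xor_bytes(data, pad)


def forge_pad(ciphertext, claimed_plaintext):
    """The deniability trick: for any message of the same length there is
    exactly one key that turns this ciphertext into it."""
    return xor_bytes(ciphertext, claimed_plaintext)


def candidates_for_byte(c):
    """All 256 plaintexts one ciphertext byte could decrypt to; with a
    truly random pad every one of them is equally likely."""
    return {c ^ k for k in range(256)}


# --- why the pad must not come from an LCG (Jim's point) ---
# Textbook LCG constants (the ANSI C rand() example).  Assumed here to emit
# its full 31-bit state as 4-byte words, which is the worst case for the user.
LCG_A, LCG_C, LCG_M = 1103515245, 12345, 1 << 31


def lcg_next(state):
    return (LCG_A * state + LCG_C) % LCG_M


def lcg_pad(seed, nbytes):
    """A 'pad' made from the generator: deterministic given the seed."""
    out, s = bytearray(), seed
    while len(out) < nbytes:
        s = lcg_next(s)
        out += s.to_bytes(4, "little")
    return bytes(out[:nbytes])


def break_lcg_pad(ciphertext, known_prefix):
    """Known-plaintext attack: four known plaintext bytes (a fixed header,
    say) reveal one keystream word, which IS the generator state; the rest
    of the pad is then just the LCG run forward from that state."""
    if len(known_prefix) < 4:
        raise ValueError("need at least 4 known bytes to recover one state word")
    s = int.from_bytes(xor_bytes(ciphertext[:4], known_prefix[:4]), "little")
    pad = bytearray(s.to_bytes(4, "little"))
    while len(pad) < len(ciphertext):
        s = lcg_next(s)
        pad += s.to_bytes(4, "little")
    return xor_bytes(ciphertext, bytes(pad[:len(ciphertext)]))


def demo():
    """Real pad, forged pad for a decoy message, then the LCG pad broken."""
    message = b"MSG:meet at the old mill at dawn"          # constructed sample
    pad = secrets.token_bytes(len(message))              # a genuine one-time pad
    ct = otp(message, pad)
    decoy = b"MSG:the fish are biting at noon".ljust(len(message))
    fake_pad = forge_pad(ct, decoy)                      # hand this over instead
    if otp(ct, fake_pad) != decoy:
        raise AssertionError("forged pad must yield the decoy")
    weak_ct = otp(message, lcg_pad(seed=0xC0FFEE, nbytes=len(message)))
    return break_lcg_pad(weak_ct, b"MSG:") == message
```

Generators that emit only part of their state do not rescue the scheme; they fall to lattice-reduction attacks given a little more known output. The forged pad, by contrast, is only convincing because a genuine pad is uniformly random: with any structured keystream the real pad can be distinguished from the forged one.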
------------------------------
From: Horst Ossifrage <[EMAIL PROTECTED]>
Subject: Re: self rotate
Date: Wed, 16 Jun 1999 08:48:33 -1000
[EMAIL PROTECTED] wrote:
>
> Wow, I got bored yesterday so I invented the self cyclic bit rotate. It
> is hopelessly ineffective but neat nonetheless.
>
> The notation is 'x <<< x' which to most seems impossible (well it is
> because it is not reversible). So I change it to 'x <<< p(x)' where p
> is the sum of 1 bits in x.
The AES candidate RC6 has data dependent data rotations
and key dependent key rotations. It does not need to be
reversible if it is a Feistel cipher, which can reverse
many functions due to XOR symmetry. I am not bored yet,
I am driving to work next to design a 64 bit processor.
------------------------------
From: [EMAIL PROTECTED] (ESPO247)
Subject: CIA Enjoys a Challenge?
Date: 16 Jun 1999 16:36:20 GMT
http://www.abcnews.go.com/onair/WorldNewsTonight/wnt9990615_ciacode.html
I apologize if this is old news.
The CIA has a sculpture at its headquarters that is a giant encrypted message.
It seems to have stumped employees for quite a while.
-
Espo
"Mary had a crypto key, she kept it in escrow, and everything that Mary said,
the Feds were sure to know." -- Sam Simpson
E-mail me for my PGP keys.
DH/DSS Key ID: 0x927BED1D
RSA Key ID: 0x76C6AB73
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: SLIDE ATTACK & large state SYSTEMS
Date: Wed, 16 Jun 1999 13:34:12 GMT
In article <7k6df4$1fqu$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> But this does not change or affect the comments that
> I wrote. For truly large key systems similar to the type
> I mentioned the number of false slide pairs would increase
> and the attack would not be reasonable. But I will take
> your word that a Blowfish type of algorithm would be
> susceptible to such an attack. I also think your definition
> of a large key system is much smaller than mine. I am
> not sure mine is large enough and the effective key length
> is over a million bytes. (not bits) Though it is true I thought
> you worked on ciphers of only a few hundred bits. Have you
> actually tested the attack out on the above blowfish or just
> assumed it based on smaller models that it would take this
> many steps. What do you do if the key system is large and
> you have false slide pairs. In that you think they are correct
> but they are not. Or have you even looked into this area since
> they would not be common in the ciphers you tend to deal
> with.
You have to be joking right? Large keys do not make strong ciphers. I
could re-write your cipher (the 16-bit one) to use 128-bit keys and be
just as practically secure as your million bit keys...
A 32768 bit key is really large, there are
1.41546103104495478900155302774e+9864
possible keys. Even in the 128 bit key there are
3.4028236692093846346337460743177e+38
possible keys...
Of course a 32768-bit blowfish key can be compromised in 2^64 effort so
that's why they don't advertise it that way. Plus where do you get
32768 bits of random bits?
You have to remember that large keys do not always equal good
security. If you can get through that then you will be set. Besides a
million byte key would require a million random bytes, not just
inaccessible bytes. Each byte has to be truly (or highly) random.
That's why 'SHORT' keys are better, and by short I mean >= 64 bits.
btw the attack on blowfish is the variant without round keys. The
natural blowfish is secure against slide attacks.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
------------------------------
From: [EMAIL PROTECTED]
Subject: the student paradox
Date: Wed, 16 Jun 1999 15:39:03 GMT
here is an interesting tidbit...
When most people start cryptography or any computer science course they
have many ideas on how things are done (how to encrypt data, how to
compress, how to sort, how to...). Many of the ideas are naive to
experts. As the student learns more however they have fewer ideas and
settle into accepted academia (or lines of thought).
So basically less knowledge = more ideas, more knowledge = worse
ideas. One might argue that there are fewer ideas but they are higher
quality, but one could also argue that more knowledge = more tools for
ideas... :)
Just a thought,
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************