Cryptography-Digest Digest #732, Volume #9       Thu, 17 Jun 99 17:13:03 EDT

Contents:
  Re: NIST announces set of Elliptic Curves (DJohn37050)
  Re: just a quick check.. (Medical Electronics Lab)
  Re: the student paradox (wtshaw)
  Re: rc4 vs. rand() ("Roger Schlafly")
  Re: the student paradox ("Mr. X")
  Re: Simple Prime Number Question ([EMAIL PROTECTED])
  Re: NIST announces set of Elliptic Curves ("Michael Scott")
  Re: SLIDE ATTACK & large state SYSTEMS ([EMAIL PROTECTED])
  Re: just a quick check.. ([EMAIL PROTECTED])
  Re: Simple Prime Number Question ("Jessie")
  Re: just a quick check.. ("Matthew Bennett")
  Re: just a quick check.. ("Matthew Bennett")
  Re: rc4 vs. rand() (SCOTT19U.ZIP_GUY)
  Re: NIST announces set of Elliptic Curves (John Savard)
  Re: the student paradox (John Savard)
  Freeware suggestions? ("Steven Alexander")
  Sites about Protecting Passwords? (Jim Smith)
  Re: test ("Erik Avat'R")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: NIST announces set of Elliptic Curves
Date: 17 Jun 1999 18:21:43 GMT

Another interesting point about all the NIST curves is that the cofactor is
always one of (1,2,4), in other words very small and therefore efficient.
Don Johnson

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: just a quick check..
Date: Thu, 17 Jun 1999 13:01:46 -0500

Matthew Bennett wrote:
> 
> If I used SHA-1 to hash the 56-bit key used to encrypt the file, and then
> stored the hashed result in the same encrypted file, there shouldn't be a
> security risk here?
> 
> Assuming the hashed number could easily be read from the file, since it is
> only one-way there is no way you could obtain the original key from it?  I'm
> doing this to enable a program to check the right passphrase has been
> entered by hashing it and comparing it to the hash stored in the file.
> 
> I'm considering this method over the check-phrase one simply because it
> appears to be more convenient, since the user would only need to enter one
> phrase, rather than two, to decrypt the file.  Also, I assume the chances of
> two different keys producing the same hashed result are so small as to
> make an incorrect key verification negligible?

56 bits is too small.  Depending on your algorithm, either SHA-1 is
brute forceable to dictionary attack, or else your algorithm is
susceptible to brute force attack directly.  I'd suggest moving to
64 or 128 bit keys.  Again, even the keys should not be stored in
hashed form because they are susceptible to dictionary attack.
Most users don't pick very good pass phrases, so it's a good idea
to not leave clues around for attackers.  

Just hashing the pass phrase to create the key should work, and keep
the key around while the user is logged in (assuming the system it
runs on is physically secure).  When they log off, destroy the key,
and don't leave any traces of hashes of the key around either.

Yes, chances are really good you won't have collisions.

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: the student paradox
Date: Thu, 17 Jun 1999 11:44:12 -0600

In article <7k8ovt$28ui$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

> ... I have
> been advocating various all or nothing chaining methods like what is in
> scott19u but everyone said it was useless, then I hear that Ron R of
> RSA comes up with an all or nothing encryption idea. Guess who will
> get the credit.
> 
The idea of all-or-nothing is not a new concept; it has been abused forever.
Like the OTP, along with its strengths, it carries a burden, which could
be considered a weakness. I credit both of you with convergent thinking,
which includes a host of other people along the same lines.
-- 
"I want to make laws.  We don't make donuts here." --John Conyers

------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: rc4 vs. rand()
Date: Thu, 17 Jun 1999 11:27:18 -0700

Aidan Skinner wrote in message ...
>On Wed, 09 Jun 1999 11:33:54 GMT, [EMAIL PROTECTED]
><[EMAIL PROTECTED]> wrote:
>>I personally think that using the cipher in non-profit situations
>>should not be an issue (consider free chat rooms etc...) but in
>>commercial situations I think paying up is an honest thing to do.
>
>OTOH are software patents a good thing in the first place?

RC4 is *not* patented. There is no company that makes an ownership
claim on the RC4 algorithm. There was a company that was trying to
keep it trade secret for a while, but it was released into the public
domain several years ago.

------------------------------

From: "Mr. X" <[EMAIL PROTECTED]>
Subject: Re: the student paradox
Date: Thu, 17 Jun 1999 10:48:05 -0700

Steven Alexander wrote:
> I'm not sure that people have less ideas as their knowledge increases.  I
> think that instead they discount a lot of their own ideas based on their own
> ideas before sharing them.

Most people seem to have a productivity life-cycle.  When they first
start out, they have a lot of energy and creativity, but little
understanding of theory.  After some time, they learn enough theory and
technique that they can fully express their ideas.  Eventually though,
they really run out of ideas and produce work that, while there's
nothing technically wrong with it, doesn't contain any new ideas.

Myself, I think that the solution to both problems is obvious - in fact,
so obvious that the Greeks were already using it thousands of years
ago.  People with more theoretical knowledge should mentor less
experienced people.  And by mentor, I don't mean lecture and test on
memorization - I mean be there to answer questions and be on the lookout
for new ideas that may be useful.  Contrary to popular belief, there is
some of this going on, but it's mostly in post graduate work, which in
many cases may be too late.

The current educational model from K-12 and even for college is based
almost totally on memorization, which is almost totally backwards.  When
you get a job, they don't hide the books and ask you to solve the same
problem for the 99999th time.  You have access to all the books and they
ask you to solve problems nobody in the group has solved yet.  Something
that requires critical thinking, which they don't bother to teach, and
new ideas, which they seem to do their best to stomp out of people.  Is
it any wonder that many industries have to spend several more years
training people before they're actually good for anything?  Or that even
then, the majority of them won't ever produce more than baseline work?

X

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Simple Prime Number Question
Date: Thu, 17 Jun 1999 18:16:40 GMT

Michael,

Thanks for taking the time to give such a comprehensive reply; that was
excellent!

All the best,

Ron


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: NIST announces set of Elliptic Curves
Date: Thu, 17 Jun 1999 19:40:08 +0100


DJohn37050 <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> These are curves which are approved for use by the US Federal Government
> to protect their sensitive but unclassified data.  This is an endorsement.
> Also, the random curves should help alleviate some fears.  I am sure all
> the published curves will be studied.
>
> And the random curves would present an interesting question to someone
> trying to create a random weak curve.  Namely, how prevalent can a
> (otherwise unknown) "weak" curve be and still be found via a random seed?
> If it is too rare, it is difficult to find using a seed, if it is too
> common, it will likely be discovered by someone else.

And that's the problem....

These curves are generated by passing a random seed S through a one-way
process which creates the B parameter for the curve y^2=x^3-3x+B mod p. (I
am talking about the GF(p) curves but my remarks apply to GF(2^m) as well.)
Where the random seed S came from, nobody knows.

Now if the idea is to increase our confidence that these curves are
therefore completely randomly selected from the vast number of possible
elliptic curves and hence likely to be secure, I think this process fails.
The underlying assumption is that the vast majority of curves are "good".
Consider now the possibility that one in a million of all curves have an
exploitable structure that "they" know about, but we don't. Then "they"
simply generate a million random seeds until they find one that generates
one of "their" curves. Then they get us to use them. And remember the
standard paranoia assumptions apply - "they" have computing power way beyond
what we can muster. So maybe that could be 1 billion.

A much simpler approach would generate more trust. Simply select B as an
integer formed from the maximum number of digits of pi that provide a number
B which is less than p. Then keep incrementing B until the number of points
on the curve is prime. Such a curve will be accepted as "random" as all
would accept that the decimal digits of pi have no unfortunate interaction
with elliptic curves. We would all accept that such a curve had not been
specially "cooked".

So, sigh, why didn't they do it that way? Do they want to be distrusted?


--
Mike Scott
=========================================
Fastest is best. MIRACL multiprecision C/C++ library for big number
cryptography
ftp://ftp.compapp.dcu.ie/pub/crypto/miracl.zip

> Don Johnson
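A toy version of the pi-derived selection Mike Scott proposes, added here and not code from his post or from MIRACL: B starts at the longest prefix of the decimal digits of pi that is below p and is incremented until y^2 = x^3 - 3x + B over GF(p) is nonsingular and has a prime number of points. Point counting is done by brute force over every x, so this only runs for small toy primes; a real-size p needs a polynomial-time point counting algorithm such as Schoof's.

```python
import math

# Leading decimal digits of pi (constant; the integer part "3" comes first).
PI_DIGITS = ("3141592653589793238462643383279502884197169399375105820974944592"
             "307816406286208998628034825342117067982148086513282306647")


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for odd prime p: 1 (residue), -1 (non-residue), 0 (a = 0)."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def count_points(B: int, p: int) -> int:
    """Number of points, including the point at infinity, on y^2 = x^3 - 3x + B over GF(p)."""
    total = 1  # the point at infinity
    for x in range(p):
        # each x contributes 1 + (f(x)/p) points: 2 if f(x) is a nonzero square, 1 if 0, else 0
        total += 1 + legendre(x * x * x - 3 * x + B, p)
    return total


def is_nonsingular(B: int, p: int) -> bool:
    """With a = -3 the discriminant 4a^3 + 27B^2 = 27(B^2 - 4), so the curve is singular iff B^2 = 4 mod p."""
    return (B * B - 4) % p != 0


def b_from_pi(p: int) -> int:
    """Longest prefix of the digits of pi that is still less than p (the "nothing up my sleeve" start)."""
    best = 0
    for i in range(1, len(PI_DIGITS) + 1):
        candidate = int(PI_DIGITS[:i])
        if candidate >= p:
            break
        best = candidate
    return best


def select_curve(p: int) -> tuple:
    """Return (B, order): the first B >= b_from_pi(p) giving a nonsingular curve of prime order."""
    B = b_from_pi(p)
    while B < p:
        if is_nonsingular(B, p):
            order = count_points(B, p)
            if is_prime(order):
                return B, order
        B += 1
    raise ValueError("no prime-order curve found for this p")


if __name__ == "__main__":
    for p in (7, 10007):
        B, order = select_curve(p)
        print(f"p={p}: started at B={b_from_pi(p)}, chose B={B}, #E={order}")
```

For p = 7 the search starts at B = 3 and lands on B = 6 with 11 points; anyone can re-run the same deterministic procedure and confirm the choice, which is the property Scott is after.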



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: SLIDE ATTACK & large state SYSTEMS
Date: Thu, 17 Jun 1999 18:44:27 GMT

<Snip>

To get all possible block mappings you must have a round function which
is bijective.  To have a keyschedule to make use of all possible
mappings your key must be log2((2^n)!) bits long.  The only practical
method would be to have a large s-box and actually substitute the n-bit
block with another.  This is the *ONLY* way to achieve this.  If the
key is shorter then not all (2^n)! mappings are possible.  However the
trick is to mask which ones are valid and which ones are not.

For any block cipher there are 2^n substitutions possible, this must be
true if the function is bijective.  As long as two or more keys do not
create mappings which overlap there is no real problem with the key
usage.  If you have a 128 bit key and all 2^128 mappings are unique
then the key is used effectively.  If for example you have a 256 bit
key and for 20% of 50% of the keys the mappings overlap (this is 20% of
2^127 or about 1.3611294676837538538534984297271e+38) then that would
be ineffective use of the key.

Most block ciphers do not have related keys or enough to make it weak.
Blowfish for example has 1 in 2^14 chance of making weak sboxes, which
is why something like CAST (which is rather similar) may be a better
choice.  However Blowfish is still strong despite the weak keys.  I
seriously doubt that AES will have any related keys for any of the key
sizes (128, 192 and 256) which is why I would trust an AES cipher.
Note that it is possible for two different keys to have a mapping such
as E(a, K) -> b and E(a, K') -> b, but if this happens for 1 out of
2^128 blocks who cares?  It is not practical to assume this can be a
weakness (you would also have to guess the value of a which would be as
difficult as guessing the 128 bit key...).  There are always going to
be some messages which overlap but as long as it is random with respect
to the key (i.e not all keys have the same overlap pattern) it is not a
weakness.

Let's not forget that it depends on the round function as well for
security.  If the round function is bad it really doesn't matter what the
key schedule is (unless you make the cipher as described above).

Dave:  Stop arguing this.  It's true and you know it.  Even your cipher
can have messages which are related.  It has to be possible or your
round function is not bijective!

Tom



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: just a quick check..
Date: Thu, 17 Jun 1999 18:48:24 GMT

In article <7kas36$3e1$[EMAIL PROTECTED]>,
  "Matthew Bennett" <[EMAIL PROTECTED]> wrote:
> If I used SHA-1 to hash the 56-bit key used to encrypt the file, and
> then stored the hashed result in the same encrypted file, there shouldn't
> be a security risk here?

No, some keys could collide.  It's highly unlikely that two keys would
as it requires 2^80 (birthday paradox) tries of random values.  You
could always use a CBC method and encrypt a magic value then when you
decrypt see if you get the magic value.

Generally I wouldn't put such a check.  If it's something like a
wordprocessor/database I would just report an invalid file format as you
would be reading garbage (as if the disk were bad).

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.



------------------------------

From: "Jessie" <[EMAIL PROTECTED]>
Subject: Re: Simple Prime Number Question
Date: Thu, 17 Jun 1999 16:15:11 -0400

[EMAIL PROTECTED] wrote in message <7kb1bo$kld$[EMAIL PROTECTED]>...
>Thanks Douglas,
>
>So you're saying that i = j mod k is to be interpreted as
>
>((i-j) mod k) = 0
>
>Right?
>
>I understand about 'clock arithmetic', but if 1 mod n is always 1, then
>why not just write = 1 as opposed to = 1 mod n?  That's what's
>confusing me.
>
>Thanks again,
>
>Ron


  I had the same damn problem when I was reading up on Fermat's Little
Theorem. When you see an equation like the following:

                     i = j mod k

                       - OR -

                     i = j (mod k)

what I do is move the (mod k) part and put it after i. So for example, when
I see the equation 10 = 1 (mod 3), I mentally move the (mod 3) part and put
it after the 10. Now the equation reads 10 mod 3 = 1, which is how I like to
think of it.

  Hope this helps!

--
Jessie
"With great power comes great responsibility"



------------------------------

From: "Matthew Bennett" <[EMAIL PROTECTED]>
Subject: Re: just a quick check..
Date: Thu, 17 Jun 1999 21:17:38 +0100

[EMAIL PROTECTED] wrote in message
<[EMAIL PROTECTED]>...
>On Thu, 17 Jun 1999 14:07:55 +0100, "Matthew Bennett"
><[EMAIL PROTECTED]> wrote:
>
>>I'm considering this method over the check-phrase one simply because it
>>appears to be more convenient, since the user would only need to enter one
>
>I'm not sure about how much of a problem it would be to store the key
>in the file, but read up on how Scramdisk determines whether a given
>file is a valid scramdisk volume file. Briefly:
>
>When Scramdisk creates a file, it generates a block of random data to
>start. Then it makes a copy of the data so that the first two blocks
>of the volume file are the same stuff. When the file's encrypted you
>can't tell.
>
>After getting your passphrases and hashing them, Scramdisk reads the
>first two blocks of the file you've told it to mount. It decrypts them
>according to the hash and compares the results. If they match then the
>file is presumed good, mounted, and Windows hopefully sees the rest of
>the volume as a valid FAT16 disk.


Thanks, this seems like a good idea.  However if a hacker knew the first two
20-bit blocks (for example) would be identical if the file was decrypted
correctly, would this increase his chances of cracking the file?


/\/\/\//



------------------------------

From: "Matthew Bennett" <[EMAIL PROTECTED]>
Subject: Re: just a quick check..
Date: Thu, 17 Jun 1999 21:21:51 +0100

>56 bits is too small.  Depending on your algorithm, either SHA-1 is

Sorry, I meant 56 bytes (using the standard 448-bit BlowFish).

>64 or 128 bit keys.  Again, even the keys should not be stored in
>hashed form because they are susceptible to dictionary attack.
>Most users don't pick very good pass phrases, so it's a good idea
>to not leave clues around for attackers.

Humm, this was one of my concerns.. though all it would take (for example)
would be a simple "X" to be placed somewhere in the pass phrase, making a
dictionary attack unfeasible?

Also, I agree that hashing the pass phrase to make the key might be better
than simply using the pass phrase itself as the key (since normal text would
obviously have a limited character range).  If SHA-1 only produces 20 bits
each time, how would I get the 448 bits needed for a "complete" Blowfish key?


/\/\/\//
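An added example, not from anyone in the thread, of one way to answer the 448-bit key question above. SHA-1 actually returns 20 bytes (160 bits) per call, so a 56-byte Blowfish key can be built from three counter-indexed hashes of salt, passphrase and counter; the Python standard library's PBKDF2 is shown as the standard alternative. The salt, iteration count and sample passphrase are constructed for this example.

```python
import hashlib

BLOWFISH_MAX_KEY_BYTES = 56  # 448 bits, the longest key Blowfish accepts


def expand_key_sha1(passphrase: str, salt: bytes,
                    key_len: int = BLOWFISH_MAX_KEY_BYTES) -> bytes:
    """Counter-mode expansion of a passphrase into key_len bytes.

    Block i is SHA1(salt || passphrase || i) and each block is 20 bytes,
    so three blocks cover a 56-byte Blowfish key.  The salt is a random,
    per-file value stored in the clear next to the ciphertext; it makes the
    derived key differ between files even when the passphrase is reused, so a
    precomputed dictionary of passphrase hashes cannot be applied to every file.
    """
    out = bytearray()
    counter = 0
    while len(out) < key_len:
        h = hashlib.sha1()
        h.update(salt)
        h.update(passphrase.encode("utf-8"))
        h.update(counter.to_bytes(4, "big"))  # fixed-width counter, so blocks differ
        out += h.digest()
        counter += 1
    return bytes(out[:key_len])


def derive_key_pbkdf2(passphrase: str, salt: bytes, iterations: int = 200_000,
                      key_len: int = BLOWFISH_MAX_KEY_BYTES) -> bytes:
    """Standard alternative: PBKDF2-HMAC-SHA1 with an iteration count that makes
    each passphrase guess cost thousands of hash calls, which is the usual
    protection for the weak passphrases Dr. Mike warns about."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt,
                               iterations, dklen=key_len)


if __name__ == "__main__":
    # Constructed sample salt; a real file would use os.urandom(16) and store it in its header.
    salt = bytes.fromhex("0123456789abcdef0123456789abcdef")
    key = expand_key_sha1("correct horse battery staple", salt)
    print(len(key) * 8, "bit key:", key.hex())
    print("pbkdf2:", derive_key_pbkdf2("correct horse battery staple", salt, 1000).hex())
```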



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: rc4 vs. rand()
Date: Thu, 17 Jun 1999 21:34:59 GMT

In article <7kbg29$r8b$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>In article <[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] wrote:
>> >I personally think that using the cipher in non-profit situations
>> >should not be an issue (consider free chat rooms etc...) but in
>> >commercial situations I think paying up is an honest thing to do.
>>
>> OTOH are software patents a good thing in the first place?
>
>I believe in patenting and copyrighting ideas.  I do not believe in
>forcing people to pay to use your ideas.  What if someone thought of
>the idea by them selves but say one year after you filed your patent?
>Then they would not be able to use THEIR idea that THEY invent on THEIR
>OWN.
>
>If you patent your idea and release it for NON-PROFIT then I think you
>have done a wonderful thing (like ascom with IDEA).
>
>Tom

  Unfortunately patents tend to help only large companies. There was a TV
show a few years ago that showed people who came up with patents
but when they came up against a large company with lawyers the little
guy gets his ass kicked. You can bet the bank that if Microsoft comes
up with what an average high school kid sees as a kick off of one of Ritter's
many patents that Ritter's patents would not hold up. It is money that speaks;
patents can help one company against another if they have close to equal
resources but usually the one with the money wins.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST announces set of Elliptic Curves
Date: Thu, 17 Jun 1999 20:47:16 GMT

"Michael Scott" <[EMAIL PROTECTED]> wrote, in part:

>So, sigh, why didn't they do it that way? Do they want to be distrusted?

I suppose they feel that they are not distrusted, and therefore are
free to select optimal curves, just as the S-boxes in DES were
optimal, rather than being generated from pi or something. One notes
that many of the AES candidates had their S-boxes generated in ways
that were intended to show that nothing funny was going on.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: the student paradox
Date: Thu, 17 Jun 1999 20:36:54 GMT

[EMAIL PROTECTED] wrote, in part:

>I am sorry.  Apparently you are perfect.

No, I'm not perfect, but I'm trying to note what sometimes does lead
to students in school getting discouraged along the way. Although the
advice is applicable to newbies, I wasn't thinking of them - in
general, unlike the captive audience of children in school, they can
wander off somewhere else before they get discouraged.

New ideas are valuable, and it is a waste when people who could
produce them in time get discouraged before instead.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm

------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Freeware suggestions?
Date: Thu, 17 Jun 1999 13:47:18 -0700

Does anyone have any suggestions for freeware programs that I could use to
encrypt communication between a client machine and a mSQL server.  The
server supports PPTP but PPTP sucks.  This of course has to run on win32.

-steven



------------------------------

Date: Thu, 17 Jun 1999 15:52:52 -0400
From: Jim Smith <[EMAIL PROTECTED]>
Subject: Sites about Protecting Passwords?

Can someone direct me to news groups which discuss techniques for
protecting passwords?


------------------------------

From: "Erik Avat'R" <[EMAIL PROTECTED]>
Subject: Re: test
Date: Thu, 17 Jun 1999 23:57:29 +0300

And why not post in HTML??
If you can't read it buy yourself a new computer.....
Erik Avat'R

Gergo Barany <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>, Steve Droz wrote:
> ><!doctype html public "-//w3c//dtd html 4.0 transitional//en">
> ><html>
> >&nbsp;</html>
>
> You should use alt.test or similar groups for testing, and you should
> *never* post HTML to a non-binary group.
>
> Gergo
>
> --
> Simon's Law:
> Everything put together sooner or later falls apart.
>
> GU d- s:+ a--- C++>$ UL+++ P>++ L+++ E>++ W+ N++ o? K- w--- !O !M !V
> PS+ PE+ Y+ PGP+ t* 5+ X- R>+ tv++ b+>+++ DI+ D+ G>++ e* h! !r !y+



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
