Cryptography-Digest Digest #752, Volume #9 Wed, 23 Jun 99 08:13:03 EDT
Contents:
Re: A different method of encryption (Dave Hazelwood)
A slide attack on TEA? ("Jooyeon Cho")
Re: Secure broadcast ("Gene Sokolov")
Re: A different method of encryption ("Douglas A. Gwyn")
Re: Kryptos article ("Douglas A. Gwyn")
Re: Question related to letter frequencies... ("Douglas A. Gwyn")
Re: A different method of encryption ("Douglas A. Gwyn")
Re: A different method of encryption ("Douglas A. Gwyn")
Re: A different method of encryption (Donny Cheung)
Re: A Crypto Page Disappears (Mok-Kong Shen)
Re: Cryptonomicon Errata in Neal Stephenson's new fiction: (Prosaik)
Re: Why Elliptic Curve Cryptosystem is stronger with shorter key length? (Robert Harley)
On an old topic of internet publication of strong crypto (Mok-Kong Shen)
Re: Converting arbitrary bit sequences into plain English texts (Mok-Kong Shen)
Re: Good book for beginning Cryptographers? (Glenn Pure)
Authentication Schemes (ryanm)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Dave Hazelwood)
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 08:24:55 GMT
We actually had such an "area" phone mobile system here in Singapore
and it was a flop. They had receivers at all the petrol stations and
as long as you were in the proximity of one you could make a call.
I think regular cellular became so cheap that the cost differential
evaporated and that was the end of it.
[EMAIL PROTECTED] (John Savard) wrote:
>With today's microchips, I've thought of a clever way to solve this
>problem by using the regular telephone system. People could carry with
>them short-range radio phones that communicate by radio to the nearest
>of a network of automated stations that tie into the phone system.
>When they move out of the range of one station, they are switched over
>to a different frequency to continue their call with the next one.
>
>Since this system divides the area where these phones can be used into
>little areas, one for each automated radio station, we could call
>these devices "cellular phones".
>John Savard ( teneerf<- )
>http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: "Jooyeon Cho" <[EMAIL PROTECTED]>
Subject: A slide attack on TEA?
Date: Wed, 23 Jun 1999 18:36:10 +1000
I need some comments or help.
I suspect a slide attack can be applied for TEA.
The TEA algorithm consists of 32-round identical F-functions.
And 128-bit master key is simply used in each round.
Suppose that two plaintexts P, P* are encrypted to C and C*. (P, P*, C, C*: 64-bit)
If two plaintexts are related by one round encryption as F(P, K) = P*, then
F(C, K)=C*.
Given a properly related pair, 128-bit key can be derived from above
equation.
A pool of 2^{32} known plaintext will include a slid pair due to the
birthday paradox.
From the pool, we get the possible 2^{63} pairs. Since for each pair we
perform 1/16 of TEA encryption, the overall complexity is 2^{59}.
But when we know P, P* and C, C*, it does not seem to be easy to find the 128-bit
key from the one round. Is there any good method?
Any comments are welcome.
- Joe
------------------------------
From: "Gene Sokolov" <[EMAIL PROTECTED]>
Subject: Re: Secure broadcast
Date: Wed, 23 Jun 1999 11:18:51 +0400
Medical Electronics Lab <[EMAIL PROTECTED]> wrote in message
> > I. Description:
> > 1. The data is sold on subscription basis at about US$500/month. A
> > 20-minutes delay would cut the value of the data 10 fold. A 2 hour delay
> > would make this data nearly worthless.
>
> What about for the attacker? If it takes longer than 2 hours, is the
> data worthless to them as well?
yes.
> > 3. All clients obtain individual user id/password combination once (for
> > example when they sign the contract). Password is about 52 bit long
> > (36**10). We assume that our way of distributing passwords is secure. We also
> > assume the password distribution procedure to be difficult/expensive to
> > repeat often.
>
> 56 bit keys can be cracked in days. Call it 32 hours. A 52 bit key
> can be cracked by brute force in 32/16 = 2 hours. You're already
> at a marginal limit here, if it's possible you should increase this
> key length!!
I realize that 56 bit can be cracked on expensive hardware in a couple of
days. Even worse: if a password is cracked in 32 hours, it would still
compromise the security completely because these passwords are issued just
once. An attacker spends 32 hours once and then receives data for free
until the password is changed (some don't change passwords in months).
The point here is that we don't believe anyone would use anything better
than a fast Pentium on cracking. The payoff is just too small to justify
better hardware. When hardware gets faster, we can simply increase the
number of characters in the password to 12 and have 62 bit. Or move to
case-sensitive passwords and have 59 bits in 10 chars.
> > II. Goal:
> > 1. The data stream should be encrypted in such a way, that brute-force
> > decryption is too expensive (I.1).
>
> Is US$250,000 too expensive? If you have 52 bit keys, you're in
> trouble here.
Yes, it is too expensive. That's why in I.1 I wrote how much data is worth
($500/month). I guess "too expensive" starts at about $10K.
> > 2. There should be a way to add/remove clients easily. We don't want to
> > distribute new passwords every time a client is dropped.
> Not a problem, but you'll have to send a session key encrypted with
> every possible client's secret key.
First you say that the password can be guessed in a few hours (true), then
suggest using public/private encryption. That means keys are issued
individually and stored locally. Then passwords, I can assume, would be used
locally just to access the public keys. Then the length of the password
would not mean much.
On the other hand, use of RSA would require key management & royalties.
That's something to be avoided. Is there a known way to convert
password->symmetric key?
How about hashing user id + password + random number and using the hash
as a key to symmetric cypher to encrypt the session key? Individually
encrypted session key and random number(s) would be transmitted openly with
the stream.
> to broadcast to? How much time between broadcasts and how many
> broadcasts per hour? You may need multiple channels, but that shouldn't
> be too much of a problem
About 50 clients, 1 broadcast in 40 seconds, 200 byte each broadcast. I can
broadcast the security data every other hour for example.
> (I bet you'd like to have that problem!).
My boss would love to have this problem :-)
> Dr. mike
Dr. Gene
hook(at)aktrad(dot)ru
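An added illustration of the hash-as-key idea in the post above (this is example code, not anything from the poster or an actual product): the per-client key is SHA-256 of (user id, password, random nonce), the nonce is fresh for every broadcast so a one-shot xor wrap of the session key is acceptable, an HMAC tag lets a client detect a tampered header, and revoking a client is just omitting that client's wrapped copy. Subscriber ids and passwords are constructed; the derived key is no stronger than the password behind it, so the 52-bit concern raised earlier in the thread still applies.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed subscriber table (user id -> password); in the scheme from the
# post these come from the one-time sign-up when the contract is signed.
SUBSCRIBERS = {b"client-01": b"k7p2x9qz4m", b"client-02": b"b3n8w1rt6v"}

NONCE_LEN, KEY_LEN, TAG_LEN = 16, 32, 16


def client_key(user_id: bytes, password: bytes, nonce: bytes) -> bytes:
    """hash(user id + password + random number), as proposed in the post.
    Each field is length-prefixed so "ab"+"c" and "a"+"bc" cannot collide."""
    h = hashlib.sha256()
    for field in (user_id, password, nonce):
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()


def wrap_session_key(user_id: bytes, password: bytes,
                     session_key: bytes, nonce: bytes) -> bytes:
    """Encrypt one 32-byte session key under the per-client key.
    The nonce is fresh per broadcast, so the derived key is used once and a
    plain xor is fine; the HMAC tag rejects corrupted or forged headers."""
    k = client_key(user_id, password, nonce)
    body = bytes(a ^ b for a, b in zip(session_key, k))
    tag = hmac.new(k, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def unwrap_session_key(user_id: bytes, password: bytes,
                       blob: bytes) -> Optional[bytes]:
    """Client side: None means wrong credentials or a damaged header."""
    nonce = blob[:NONCE_LEN]
    body = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    tag = blob[NONCE_LEN + KEY_LEN:]
    k = client_key(user_id, password, nonce)
    expected = hmac.new(k, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, k))


def build_broadcast_header(session_key: bytes,
                           active: Dict[bytes, bytes]) -> Dict[bytes, bytes]:
    """One wrapped copy of the session key per active client (about 50 in
    the post). Leaving a client out of `active` revokes them at the next
    key change without reissuing anyone's password."""
    return {uid: wrap_session_key(uid, pw, session_key, os.urandom(NONCE_LEN))
            for uid, pw in active.items()}


if __name__ == "__main__":
    sk = os.urandom(KEY_LEN)
    header = build_broadcast_header(sk, SUBSCRIBERS)
    print(unwrap_session_key(b"client-01", b"k7p2x9qz4m", header[b"client-01"]) == sk)
```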
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 09:56:08 GMT
[EMAIL PROTECTED] wrote:
> I suppose I probably could have found the answers to these and many
> more questions if I read the faq, but somehow this seems more direct.
Also more of a waste of everybody's time and network bandwidth.
Why are you so lazy?
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Kryptos article
Date: Wed, 23 Jun 1999 10:20:35 GMT
Renegade wrote:
> This is another example of how the NSA/IC is years ahead of the
> private sector, ...
While I would agree with that in many cases, I suspect the Kryptos
cracking was done with pretty much the same technology and skills
that were applied by Gillogly. The CIA cracker is said to have
done it as mainly a pencil-and-paper exercise, and perhaps the NSA
cryppies tackled it on the same terms. (That would explain why it
took them so long!)
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Question related to letter frequencies...
Date: Wed, 23 Jun 1999 10:13:44 GMT
Tibaht wrote:
> I'm just a newbie, but would like to find out more about 2 and 3 letter
> grouping probabilities. where can i find some information? Thanks
Any good book on classic cryptanalysis, such as Gaines or MilCryp.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 09:50:42 GMT
[EMAIL PROTECTED] wrote:
[what seems like a lengthy joke, since it reinvents the one-time pad]
> so that s is used multiple times in the encryption process. I am
> uncertain if this will compromise the security of the algorithm,
> however.
Of course it does. If the underlying plaintext is several paragraphs
of normal monocase English and the key is repeated at least 5 times,
one should expect it to be readily crackable by known methods.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 09:54:44 GMT
AllanW wrote:
> Others in this thread have mocked your idea as exceptionally
> obvious. But in fact, it is not obvious until you have been
> exposed to the idea. ...
I think the main point of the criticism is that one should not step
into a well-developed field and tell people how things should be done
without first *learning* enough about the field to have a chance of
contributing something new and useful.
------------------------------
From: Donny Cheung <[EMAIL PROTECTED]>
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 05:15:46 -0400
> c?) Also, given the same conditions above (especially the
> unpredictability of the plaintext file), will the security hold if I
> repeat the key file?
"Uncrackable" is a funny word. I think some other poster already
mentioned that if you use the same key (random stuff) twice, bad things
will happen to you. And worse things will happen if you use the same key
more than twice.
The basic idea is that if you use (I'll use your original notation here)
r1(n) + s(n) = t1(n) and
r2(n) + s(n) = t2(n) (with two files r1, r2 to be encrypted)
you can calculate what r1(n)-r2(n) is by calculating t1(n)-t2(n). (We can
ignore the %256 thing for simplicity right now)
So what? Well, now if I make reasonable guesses about what r1 is, I can
check whether these guesses are right by looking at what the corresponding
text in r2 must be. If I had a computer, I could make billions of guesses
at sections of r1 to deduce sections of r2, and take advantage of
those. I'll give a little toy example of what I'm talking about.
Suppose you guessed that some spot in r1 contained the word "lunch" and
you happened to be right. Then you use the difference between r1 and r2
and discover the corresponding text in r2 to be "asona". You may make a
couple of guesses at what the rest of the word is, and if your guess is
"reasonable", you'd be right. Now you can get some more of r1. Say it's
"r lunch at". You get the idea. The guessing becomes less random after
a bit.
If you repeat a key over and over again, that's just like having lots and
lots of smaller encrypted files using the same key. (This is bad.) We
may even be able to mount a statistical attack at this point. If you have
lots of letters encrypted with the same letter in the key, you can use
knowledge of frequencies of various characters to make guesses. By also
making guesses at the key length, the entire plaintext can be decoded
reasonably quickly.
Some points:
If you did the xor thing (r(n) ^ s(n) = t(n)), you can do analogous
things. You can still figure out r1(n)^r2(n), since that's the same as
t1(n)^t2(n). s(n)^s(n) will cancel out.
Of course these attacks assume some kind of structure to your message
(english text, regular data format, etc...). If you encrypted a file of
random data, none of this would work. But then, what's the use of
encrypting random data?
You've got the right idea that adding in completely random data will 100%
absolutely mangle plaintext, but notice how this doesn't seem to be as
practical in real world situations. That's the trade-off that practical
cryptography has to make. Concrete assurances of security are costly when
it comes to practicality. Efficient schemes are very difficult to solidly
analyze.
> I suppose I probably could have found the answers to these and many
> more questions if I read the faq, but somehow this seems more direct.
I don't think so. I think that when a newbie posts a question (especially
one which is already answered in a faq), for a day or two, he/she can
really only expect rants about how it's already in the faq. At some
point, someone will answer, I suppose, but would this compare to a
ten-minute search through the faq? I don't remember if any of this stuff
is in the faq, but I suppose that if I were sure that it were, I probably
wouldn't have made this reply. Oh well. (The only reason I'm doing this
in the first place is because I'm bored and I can't get to sleep anyway).
Hope this helps,
Donny
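The key-reuse argument in the reply above, worked through in code (an added example, not code from Donny or from the original poster): two constructed plaintexts r1 and r2 are xored with the same constructed key s, the key cancels out of t1 ^ t2, and dragging the guessed word "lunch" across that difference exposes "asona", which widens to "reasonable" and in turn gives back "r lunch at" from the other file.

```python
import string

# Constructed sample plaintexts (not from the post), laid out so that "lunch"
# in r1 lines up with "asona" inside "reasonable" in r2, as in the toy example.
R1 = b"after lunch at two"
R2 = b"not reasonable yet"
# Constructed 18-byte key s(n), wrongly reused for both files.
S = bytes([0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x12, 0xf0, 0x88, 0x6b, 0x2d,
           0xa7, 0x19, 0xe3, 0x4c, 0x70, 0xbe, 0x05, 0xd2])

READABLE = set((string.ascii_lowercase + " ").encode())


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """t(n) = r(n) ^ s(n): the xor variant of the scheme in the thread."""
    return bytes(x ^ y for x, y in zip(a, b))


def plaintext_difference(t1: bytes, t2: bytes) -> bytes:
    """t1 ^ t2 == r1 ^ s ^ r2 ^ s == r1 ^ r2; s(n) ^ s(n) cancels out."""
    return xor_bytes(t1, t2)


def crib_drag(diff: bytes, crib: bytes) -> list:
    """Slide a guessed fragment of one plaintext along r1 ^ r2.

    At each offset the xor shows what the other plaintext would have to be
    there; offsets giving only lowercase letters and spaces are kept as
    candidates worth a closer look (several offsets may pass this filter).
    """
    hits = []
    for off in range(len(diff) - len(crib) + 1):
        other = xor_bytes(diff[off:off + len(crib)], crib)
        if all(ch in READABLE for ch in other):
            hits.append((off, other))
    return hits


def extend_guess(diff: bytes, offset: int, guess: bytes) -> bytes:
    """After a candidate fragment is widened into a full word, recover the
    matching span of the other plaintext (the "r lunch at" step)."""
    return xor_bytes(diff[offset:offset + len(guess)], guess)


def demo() -> tuple:
    t1, t2 = xor_bytes(R1, S), xor_bytes(R2, S)
    diff = plaintext_difference(t1, t2)
    assert diff == xor_bytes(R1, R2)        # the reused key has vanished
    fragment = dict(crib_drag(diff, b"lunch"))[6]    # r2[6:11] -> b"asona"
    widened = extend_guess(diff, 4, b"reasonable")   # r1[4:14] -> b"r lunch at"
    return fragment, widened


if __name__ == "__main__":
    print(demo())
```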
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: A Crypto Page Disappears
Date: Wed, 23 Jun 1999 12:54:14 +0200
John Savard wrote:
>
> "Toby's Cryptopage", by Torbjorn Andersson, has disappeared from the
> Web! (Well, I'm going to Altavista to see if it has moved to a new
> URL...)
>
> This is unfortunate, as his site was very interesting, and had quite a
> few rare photographs of old cipher machines, such as a
> Russian-language version of the B-211 and pictures of the T-52 as
> well.
>
> Photographs are one thing my site completely lacks. (I've been busy
> improving my backgrounds recently to ensure that they cause less
> difficulty in clearly seeing the printing on my pages for reading
> them.)
I remember that there was a site saying that it was archiving the
Web pages on the internet. I don't know what that project has
become now. There might be a chance that you could get the materials
you deem valuable from there and put these on your own site.
M. K. Shen
------------------------------
From: Prosaik <[EMAIL PROTECTED]>
Subject: Re: Cryptonomicon Errata in Neal Stephenson's new fiction:
Date: Mon, 21 Jun 1999 22:09:16 -0500
I just sent an e-mail message to the mailto link on the cryptonomicon web site
inquiring about the possibility of getting an errata page up there. Not holding
my breath. In the mean time, here's the list I've compiled. I know there are a
couple I just plain ignored-- somewhere in there is the word "the" repeated
twice in a row-- but most of the nagging, mentally tripping the reader up, what
was that I just read mistakes are here, even if I'm only up to page 590 myself.
--
Matt Garrett
a.k.a. [EMAIL PROTECTED]
Attachment: cryptonomicon.errata
Page: 70
Text: 21 T 25 E C
Should Be: 21 8 25 E C
Page: 93
Text 4069-bit
Should Be: 4096-bit
Comment: Number transposition.
Page: 125
Text: the number 2071 is the product of two primes
Should Be: the number 2701 is the product of two primes
Comment: Number transposition.
Page: 237
Text: In the fourth, B and O give 16 + 2 = 18 which is S.
Should Be: In the fourth, B and O give 14 + 2 = 16 which is Q.
Text: UQWSO
Should Be: UQWQO
Comment: Arithmetic error.
Page: 341
Text: "So many things that belong in a <it>museum</it>," Lawrence says.
Should Be: "So many things that belong in a <it>museum</it>," Alan says.
Comment: Change of speaker, otherwise Lawrence gets three straight lines as
if talking to himself.
Page: 342
Text: They are building--
Should Be: "They are building--
Comment: Beginning of new speech by Alan.
Page: 354
Text: 9303
Should Be: 9E03
Comment: Transposition of hexadecimal number E to decimal number 3, yields
inconsistency with following text which all refers to "RIST 9E03."
Page: 461
Text: I can't figure out why he settled on 54. Possibly because it is twice
the number of letters in the alphabet-but this makes no sense.
Should Be: ?
Comment: Possibly it makes no sense because there are 26 letters in the
alphabet and 2 x 26 = 52, not 54, but 54 is obviously the number of cards in
a deck with the two jokers.
Page: 482
Text: Magallanian
Should Be: Magellanian
Comment: The original circumnavigator's name was Ferdinand Magellan.
------------------------------
From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: Why Elliptic Curve Cryptosystem is stronger with shorter key length?
Date: 23 Jun 1999 11:53:55 +0200
"Harvey Rook" <[EMAIL PROTECTED]> writes:
>In my highly uneducated opinion, ECC is only more difficult because it
>hasn't been studied as long as the factoring problem.
There are much better reasons to believe in the difficulty of
elliptic-curve discrete logarithms. There is an argument proving that
a generic algorithm (in a precise sense) has to take exponential time.
Algorithms that use extra structure present in some specific groups
can easily be sub-exponential or even polynomial. However there are
so many groups that occur with elliptic curves over finite fields that
it seems highly unlikely that a positive proportion of them have
enough extra structure.
>Once ECC really catches on (such as is happening now), and many people
>start studying it, the gap between factoring over an elliptic curve
>and factoring an integer, will shrink.
I would bet that the number of special cases that are considered
"easy" will continue to grow but that many, many difficult cases will
always remain.
What I fear is that people who should know better are promoting the
use of very special cases with lots of extra structure. It is not at
all unlikely that one of these that is actually in use will be broken,
then the general perception will become that elliptic curves can't be
trusted and that will be the end of it.
There are plenty of bad reasons for people to pick curves defined over
tiny sub-fields, to use complex multiplication, etc: familiarity with
them, holding of relevant patents, selective blindness to the danger
they represent...
There is only one good reason I can think of and that is the
difficulty of counting the number of points on a curve. In theory it
is polynomial time, therefore "easy".
In practice there are some research prototypes but what is needed is a
real-world implementation, able to quickly handle cases big enough to
be useful, and that's out there for everyone interested to work with.
It would take time, sweat and money but the main thing is that we know
how to do it. So solve the problem, rather than skirting around it
with pseudo-solutions that risk killing the elliptic-curve business in
the egg before it ever really flies.
Bye,
Rob.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: On an old topic of internet publication of strong crypto
Date: Wed, 23 Jun 1999 13:26:07 +0200
The topic or viewpoints below are (almost quite) old but I do
like to have some discussions thereon in view of the fact that (as
I learned recently from posts elsewhere) there is a probability
that the Bernstein case will be re-opened in the near future.
My question: Would the following scenario be of some significance
to the issue of prohibition of internet publication of strong crypto?
An author writes a paper on strong crypto. He claims copyright on it
but at the same time states that any copying is free provided that
the copy is done in its entirety (which means that in particular
any copy contains his name). He sends that in paper form to a
server located in a country without crypto regulations where it
is, after scanning or otherwise, published as a web page (for a
short time so that the server need not have a huge capacity for
serving lots of people for such purposes). The author then imports
his own writing from that server via internet and puts it on his site,
stating that the material has been imported from that server on
such and such a date.
Would that be o.k., since the author is not exporting but only
redistributing something that he has imported from a foreign
country?
M. K. Shen
==========================
http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Converting arbitrary bit sequences into plain English texts
Date: Wed, 23 Jun 1999 13:57:21 +0200
S.T.L. wrote:
>
> Is this a sentence:
> "Yes!"
> And is this a sentence:
> "No!"
> Both are. Therefore, encode 10010110 as:
> Yes! No! No! Yes! No! Yes! Yes! No!
> It's English, even though it's a long string of interjections.
I think that this should work. Any thought of what arguments the
bureaucrats could possibly have against the sort of conversions we
discuss in this thread? I should appreciate further contributions.
M. K. Shen
------------------------------
From: Glenn.Pure*delete_this_for_reply*@pcug.org.au (Glenn Pure)
Subject: Re: Good book for beginning Cryptographers?
Date: Wed, 23 Jun 1999 12:02:35 GMT
Paul Koning <[EMAIL PROTECTED]> wrote:
>GyungHwa Jun wrote:
>>
>> "Handbook of Applied Cryptography" written by Alfred Menezes, Paul C.van
>> Oorschot, Scott A. Vanstone.
>
>Definitely NOT that one, unless you have a healthy background in
>mathematics. And not even then, actually, since it also assumes
>you know a bunch about cryptography already.
>
>I'd recommend instead Bruce Schneier's "Applied Cryptography".
>
> paul
Err, that's a bit heavy going too. The first book I read and would
thoroughly recommend is Network Security: Private communication in a
public world by Kaufman, Perlman and Speciner.
Glenn
Glenn Pure ([EMAIL PROTECTED])
66 Crozier Cct, Kambah ACT
Canberra, Australia
phone/fax +61 2 6231 6457
Web page & PGP public key at http://www.pcug.org.au/~glennpur
------------------------------
From: ryanm <[EMAIL PROTECTED]>
Subject: Authentication Schemes
Date: Wed, 23 Jun 1999 08:10:30 -0400
Reply-To: [EMAIL PROTECTED]
Hello Security experts,
I am curious what different authentication schemes exist for
proving who someone (a machine) is. I have used RSA auth
in the past. What else can be used to prove that host A is
really who he says he is? I assume digital certificates
can be used for this also, but I am looking for a host authentication
FAQ. If anyone has a list or any info they can send me back I
would appreciate it greatly.
Thanks a bundle,
Ryan
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************