Cryptography-Digest Digest #755, Volume #9       Wed, 23 Jun 99 18:13:04 EDT

Contents:
  Re: Caotic function ("John E. Kuslich")
  Re: Kryptos article (Jerry Coffin)
  Re: Hasty Pudding Cipher -- update (Helger Lipmaa)
  Re: Microsoft Netmeeting Encryption ([EMAIL PROTECTED])
  Re: Hasty Pudding Cipher -- update ([EMAIL PROTECTED])
  Re: one time pad (Patrick Juola)
  Re: A different method of encryption ([EMAIL PROTECTED])
  Re: How about using RSA in CBC mode? (John Savard)
  Re: Authentication Schemes ("Roger Schlafly")
  Re: what I dont get...... ([EMAIL PROTECTED])
  Re: Microsoft Netmeeting Encryption ([EMAIL PROTECTED])
  Encryption Algorithm Functional? (Nathan A. Baker)
  card shuffling related to rc4? (Eyal Soha)
  Re: "Breaking" a cipher (Greg Ofiesh)
  Re: A different method of encryption (Greg Ofiesh)
  Encryptor that fits on a disk? ([EMAIL PROTECTED])
  Re: Wired magazine: What does it do? SOLUTION ("John E. Kuslich")
  Re: one time pad (Terry Ritter)
  Re: A different method of encryption (Greg Ofiesh)

----------------------------------------------------------------------------

From: "John E. Kuslich" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Caotic function
Date: Wed, 23 Jun 1999 12:08:34 -0700

Chaos does not DEPEND on complex numbers any more than electromagnetic
theory  DEPENDS on complex numbers.  It is just awfully hard to talk
about either subject without tripping over the concept of complex
numbers...

Remember the book "Physics Without Math" that was published a few years
ago??  

Right, it could happen, you could understand physics without
math...right...you could...right...

In our public schools they are now trying to teach math without math. 
"How do you feel about your answer Johnny??" You wouldn't want to ruin
the little bugger's self-esteem by telling him he had the wrong answer
now, would we??

I don't think you could begin to understand chaos without understanding
the math behind it.

JK



Douglas A. Gwyn wrote:
> 
> "John E. Kuslich" wrote:
> > My criticism was intended for the individual who originally made the point
> > that complex numbers and chaos and fractals (and even cryptography) are
> > not related...
> 
> I disputed the claim that chaos depended on complex numbers.
> There are, of course, uses of complex numbers throughout analysis,
> including being the simplest way to express the famous Mandelbrot
> function whose divergence map you've all seen on calendars, etc.
> But chaos depends only on the nature of dynamical systems, not on
> whether or not complex numbers are somehow used in their description.
> In fact there are chaotic 1-dimensional systems, for which clearly
> a complex-number model would be inappropriate.

-- 
CRAK Software (Password Recovery Software)
Http://www.crak.com
[EMAIL PROTECTED]
602 863 9274 or 1 800 505 2725 In the USA

------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Kryptos article
Date: Wed, 23 Jun 1999 11:43:46 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Renegade wrote:
> > This is another example of how the NSA/IC is years ahead of the
> > private sector, ...
> 
> While I would agree with that in many cases, I suspect the Kryptos
> cracking was done with pretty much the same technology and skills
> that were applied by Gillogly.  The CIA cracker is said to have
> done it as mainly a pencil-and-paper exercise, and perhaps the NSA
> cryppies tackled it on the same terms.  (That would explain why it
> took them so long!)

I think in this case, their cracking it long before the rest of us 
mostly had to do with their having easy access to it before the rest 
of us did.  I'm not sure when Jim started working on the problem, but 
from what he's said, it sounds like once he started working on it, he 
cracked it in less time than they did...

------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: Hasty Pudding Cipher -- update
Date: Thu, 24 Jun 1999 01:26:54 +0300

Roger Schlafly wrote:

> But only fastest if you use a 512-bit blocksize, something that is
> not part of the AES spec.
>
> I was intrigued by your claim at the beginning that
>
>   "The key size may be any (whole) number of bits."
>
> but
>
>   "The block size may be *any* number of bits, even fractional bit values
> are permitted."
>
> You mean, say, that you can encrypt 1/3 of a bit? Or a block of pi bits?

His idea was as simple as the following. Assume you want to encrypt a value
'0'...'9' (a little bit more than one bit) by using HPC. Basically, apply
HPC to the input x until the result belongs to the same interval.
Decrypting is similar. Do some tricks to ensure that the shortest cycle from
two different inputs will not give the same output. You can use any block
cipher for that.

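The "apply the cipher until the result lands back in the interval" idea above is usually called cycle walking. The following is an added illustration (not HPC and not Lipmaa's code): it uses a constructed 4-bit Feistel permutation of 0..15, keyed through HMAC-SHA256, in place of HPC, and walks it to obtain a keyed permutation of the digits 0..9. The injectivity he mentions comes for free from the cipher being a permutation, which the `digit_table` check makes visible.

```python
"""Cycle-walking: restricting a block cipher to a smaller domain such as the digits 0..9."""
import hashlib
import hmac

BLOCK_SIZE = 16      # the toy cipher permutes the values 0..15 (a 4-bit block)
DOMAIN_SIZE = 10     # we want a keyed permutation of the digits 0..9
ROUNDS = 4


def _round_function(key: bytes, round_index: int, half: int) -> int:
    """Keyed 2-bit round function from HMAC-SHA256 (constructed toy, stands in for HPC's rounds)."""
    tag = hmac.new(key, bytes([round_index, half]), hashlib.sha256).digest()
    return tag[0] & 0x3


def toy_block_encrypt(key: bytes, x: int) -> int:
    """Feistel permutation of 0..15; a Feistel network is a permutation whatever its round function."""
    assert 0 <= x < BLOCK_SIZE
    left, right = x >> 2, x & 0x3
    for i in range(ROUNDS):
        left, right = right, left ^ _round_function(key, i, right)
    return (left << 2) | right


def toy_block_decrypt(key: bytes, y: int) -> int:
    """Inverse of toy_block_encrypt: undo the rounds in reverse order."""
    assert 0 <= y < BLOCK_SIZE
    left, right = y >> 2, y & 0x3
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, i, left), left
    return (left << 2) | right


def encrypt_digit(key: bytes, digit: int) -> int:
    """Cycle-walk: re-apply the cipher until the output lands back in 0..9.

    The cipher is a permutation of 0..15, so following the cycle that starts at a
    digit must return to a digit, and two different digits can never stop at the
    same digit (that would make the permutation non-injective). Hence this is a
    permutation of 0..9 on its own. The walk needs at most 7 cipher calls here
    because only 6 values lie outside the domain.
    """
    assert 0 <= digit < DOMAIN_SIZE
    y = toy_block_encrypt(key, digit)
    while y >= DOMAIN_SIZE:
        y = toy_block_encrypt(key, y)
    return y


def decrypt_digit(key: bytes, cipher_digit: int) -> int:
    """Walk the same cycle backwards with the inverse permutation."""
    assert 0 <= cipher_digit < DOMAIN_SIZE
    x = toy_block_decrypt(key, cipher_digit)
    while x >= DOMAIN_SIZE:
        x = toy_block_decrypt(key, x)
    return x


def digit_table(key: bytes) -> list:
    """The full 0..9 -> 0..9 mapping under one key, for checking it is a bijection."""
    return [encrypt_digit(key, d) for d in range(DOMAIN_SIZE)]


if __name__ == "__main__":
    k = b"constructed demo key"          # constructed sample key, not from the thread
    table = digit_table(k)
    print("digit -> encrypted digit:", table)
    assert sorted(table) == list(range(DOMAIN_SIZE))
    assert all(decrypt_digit(k, c) == d for d, c in enumerate(table))
```

The same walk works with any real block cipher whose block is at least as wide as the target domain; the toy cipher is only there so the 16-value cycle structure can be inspected by hand.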

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Microsoft Netmeeting Encryption
Date: 23 Jun 1999 19:50:08 GMT

=====BEGIN PGP SIGNED MESSAGE=====

>Does anybody know where I can find details or know anything about the
>encryption that is included within Netmeeting 3.0?

Probably RC4 w/ a 40-bit key. Two problems.
        (a) As far as I'm concerned, it's not secure enough for my
            grandmother's meatloaf recipe (she's very protective
            of her meatloaf recipe).
             
        (b) Microsoft is not known for secure software.


- ---------
Regards, Noah Paul <[EMAIL PROTECTED]>

 A Bus Station is where buses stop. A Train Station is where trains stop.
 On my desk, there is a Work Station. -- Joe W�tte ([EMAIL PROTECTED])

PGP KEY:        finger [EMAIL PROTECTED]      (MAKE CODES NOT GUNS)
Fingerprint:    4B 1E 22 03 86 DA 65 DF 90 D4 38 38 F8 68 8B 89



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Hasty Pudding Cipher -- update
Date: 23 Jun 1999 19:53:43 GMT

=====BEGIN PGP SIGNED MESSAGE=====

What the %@$^ is 1/3 of a bit?
 
>
>Richard Schroeppel wrote in message
><7kc64j$[EMAIL PROTECTED]>...
>>I've posted the official Tweak for HPC on the web page,
>>http://www.cs.arizona.edu/~rcs/hpc
>>along with a "recent progress" paper.  The Tweak fixes
>>an equivalent-keys problem that David Wagner found.
>>The "progress" paper contains some new Pentium performance
>>numbers, and makes the argument that HPC should win because
>>it's the runaway fastest for bulk encryption on 64-bit
>>machines.
>
>But only fastest if you use a 512-bit blocksize, something that is
>not part of the AES spec.
>
>I was intrigued by your claim at the beginning that
>
>  "The key size may be any (whole) number of bits."
>
>but
>
>  "The block size may be *any* number of bits, even fractional bit values
>are permitted."
>
>You mean, say, that you can encrypt 1/3 of a bit? Or a block of pi bits?
>

- ---------
Regards, Noah Paul <[EMAIL PROTECTED]>

 A Bus Station is where buses stop. A Train Station is where trains stop.
 On my desk, there is a Work Station. -- Joe W�tte ([EMAIL PROTECTED])

PGP KEY:        finger [EMAIL PROTECTED]      (MAKE CODES NOT GUNS)
Fingerprint:    4B 1E 22 03 86 DA 65 DF 90 D4 38 38 F8 68 8B 89



------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: one time pad
Date: 23 Jun 1999 15:37:44 -0400

In article <7kr7n8$dva$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
>I would like to put forth the following claims
>and if anyone would care to comment, disprove,
>etc., I would appreciate it.  I thought I knew
>some things (being new to cryptography), but a
>patient individual helped me see I have more to
>learn.  He suggested I come to Deja, so here I am.
>
>1. One time pads, when implemented, deployed, and
>used correctly are the only known cipher that
>guarantees the security of the plain text over a
>non secured media.  (Physical security is assumed
>for this discussion.)
>
>2. Maintaining statistical randomness produces a
>weakness in the pad since the probability of some
>values already seen in the bit stream are less
>likely to be found again.

What does this mean?  If by ``maintaining statistical randomness''
you mean ``drawing without replacement from a uniform pool,''
then I'd just like to point out that drawing without replacement
isn't a good model for the phenomena under discussion.

        -kitten


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: A different method of encryption
Date: 23 Jun 1999 19:57:07 GMT

=====BEGIN PGP SIGNED MESSAGE=====

... except this post seems to have all the markings of a troll (with the
exception of originating from AOL ... AOLers might actually produce this
sort of thing ... of course, I never put too much trust in anything that
ain't signed ... or anyone who doesn't sign ... no offence)

>
>You know, we call this "one time pad".
>But to console you, many of us did not invent it, but learned it.
>You are one of the few (about one per month) that pop in here
>having gotten to the point without external help.
>
>Greetings!
>Volker

- ---------
Regards, Noah Paul <[EMAIL PROTECTED]>

 A Bus Station is where buses stop. A Train Station is where trains stop.
 On my desk, there is a Work Station. -- Joe W�tte ([EMAIL PROTECTED])

PGP KEY:        finger [EMAIL PROTECTED]      (MAKE CODES NOT GUNS)
Fingerprint:    4B 1E 22 03 86 DA 65 DF 90 D4 38 38 F8 68 8B 89


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: How about using RSA in CBC mode?
Date: Wed, 23 Jun 1999 20:11:17 GMT

Rob Beckers <[EMAIL PROTECTED]> wrote, in part:

>Any comments?

In general, RSA is so slow that it is usually used only to send *one*
block, which contains the key for some other kind of encryption.

And, of course, CBC mode for RSA would have to use addition modulo the
modulus, as the modulus isn't a power of two, so XOR wouldn't work.

But if you feel that RSA is what you trust, it certainly is possible
to use CBC mode with it subject to the proviso in the preceding
sentence.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm

------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: Authentication Schemes
Date: Wed, 23 Jun 1999 11:39:02 -0700

Medical Electronics Lab wrote in message
<[EMAIL PROTECTED]>...
>You can use ECC too, check out the MQV algorithm in IEEE P1363.
>You can make variations on it if you like, it's set up to
>authenticate and generate a shared secret with perfect forward
>secrecy.  Code is freely available from several sources.

If you just want authentication, then all you need is a digital
signature scheme.

You may find code for MQV, but keep in mind that Certicom has a
patent pending for MQV. Also, it is intended to be used with some
sort of key confirmation method.




------------------------------

From: [EMAIL PROTECTED]
Subject: Re: what I dont get......
Date: Wed, 23 Jun 1999 20:06:08 GMT

<snip>

Most ciphers are coded in C/ASM then compiled into a program.  PGP is a
good example.  Most ciphers are computer based because they have too
many numbers.  Blowfish for example has 1024 32-bit numbers to remember
(plus the pbox).  TEA is probably the best block cipher for pen and
paper.  It has no round keys, but you must be able to perform 32-bit
multiplication (by 16) and division (by 32).  You could work out a
block on paper in about 30 minutes... :)

I would look around at papers.  Normally they have pseudo-code or C
code that you can use directly.  I would suggest worrying about how the
algorithms work more than how they are implemented.

Tom


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
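TEA as described in Tom's post, written out as an added example (not the poster's code): the only operations in a round are 32-bit addition, XOR, a shift left by 4 (the "multiplication by 16") and a shift right by 5 (the "division by 32"), and the 128-bit key is used directly as four words, with no round-key schedule. Sample key and block values in the test are constructed.

```python
"""TEA (Tiny Encryption Algorithm): 64-bit block, 128-bit key, 32 cycles."""
MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9      # TEA's round constant, derived from the golden ratio
CYCLES = 32             # each cycle updates v0 and then v1


def tea_encrypt(block: tuple, key: tuple) -> tuple:
    """Encrypt one block (v0, v1) under key (k0, k1, k2, k3); all values are 32-bit words."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(CYCLES):
        total = (total + DELTA) & MASK32
        # v1 << 4 is "multiply by 16", v1 >> 5 is "divide by 32"; everything else is add/xor
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt(block: tuple, key: tuple) -> tuple:
    """Undo tea_encrypt: start from the final value of `total` and reverse each cycle."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    total = (DELTA * CYCLES) & MASK32
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1


if __name__ == "__main__":
    key = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)   # constructed sample key
    block = (0xDEADBEEF, 0x00000001)                          # constructed sample block
    ct = tea_encrypt(block, key)
    print("ciphertext: %08x %08x" % ct)
    assert tea_decrypt(ct, key) == block
```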

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Microsoft Netmeeting Encryption
Date: Wed, 23 Jun 1999 20:42:36 GMT

Sounds like you're confirming my suspicions, it sucks.  The algorithm
may be nice, but I shouldn't hope for anything decent.

In article <7kqod3$792$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <7kopfu$ib2$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] wrote:
> > Does anybody know where I can find details or know anything about the
> > encryption that is included within Netmeeting 3.0?
>
> Well MS loves their RC4 .DLL so they most likely use RC4 (with the
> wonderfull 40-bit keys) and RSA/DH or some other combo for
> authentication.  I wouldn't really care because I don't trust MS to
> get it right anyways.
>
> Tom
> --
> PGP key is at:
> 'http://mypage.goplay.com/tomstdenis/key.pgp'.
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
>


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (Nathan A. Baker)
Subject: Encryption Algorithm Functional?
Date: 23 Jun 1999 20:36:20 GMT

Hi All --

My background is in scientific computing and some applied
math, but all on the PDE/integral equation side of things.
I know very little about the harder stuff of math. As such, 
this question is most likely very poorly posed and probably 
rather ignorant -- please forgive me in advance. :)

I was wondering how cryptanalysis problems are formulated.  
Given a nonlinear partial differential equation, 

  N(u) = f

where N is some nonlinear operator and u and f are functions
in a vector space, one usuals linearizes N by considering
a Gateaux derivative

  N'(u)(v) = D_t N(u + t v)

and solves the linearized

  N'(u)(v) = f

problem as part of a Newton iteration.  This is usually
equivalent to minimizing some functional of u related to N.

Is there a similar formulation for cryptographic problems?
In other words, if my encryption algorithm is some nonlinear
operator on the vectors P (plaintext) and K (key) to give
a ciphertext C

  N(P,K) = C

is it possible to define a functional with respect to 
P or K whose minimizer/maximizer corresponds to the solution?  
Would such a (free energy?) functional even be bounded?

Thanks for your help.


-- 
Nathan A. Baker     University of California, San Diego
Home Page       --  http://wasabi.ucsd.edu/
PGP Public Key  --  http://wasabi.ucsd.edu/~nbaker/pgp.html

------------------------------

From: Eyal Soha <[EMAIL PROTECTED]>
Subject: card shuffling related to rc4?
Date: Wed, 23 Jun 1999 14:08:01 -0700

I'm new to this newsgroup (and newsgroups in general), but someone
recommended that I post my thoughts here.  Maybe someone's already
considered it?

Say you're shuffling cards and you use this:

#include <stdlib.h>   /* lrand48() */

void shuffle(int *a, int count) {
    int i, j, tmp;

    for(i=0;i<count;i++) {
        j = lrand48()%count;                   /* any position, including ones already placed */
        tmp = a[i]; a[i] = a[j]; a[j] = tmp;   /* swap a[i] and a[j] in place */
    }
}

If you had four cards, then each time you called rand, there would be four
possible outputs.  You call rand four times, so the program has 4 to the
power of 4 ways of completing, a total of 256.  The number of ways four
cards can be shuffled is 4!, or 24.  So all of those 256 need to represent
one of the 24 possible ways.  But 24 doesn't divide into 256, so some
shuffles are more likely than others.  (I've got code to prove this, if
you want the source, let me know.)  A better shuffling algorithm is:

#include <stdlib.h>   /* lrand48() */

void shuffle(int *a, int count) {
    int i, j, tmp;

    for(i=0;i<count;i++) {
        j = lrand48()%(count-i) + i;           /* only positions i..count-1 are still unplaced */
        tmp = a[i]; a[i] = a[j]; a[j] = tmp;   /* swap a[i] and a[j] in place */
    }
}

This one doesn't shuffle cards that have already been placed.  It has only
24 different outcomes instead of 256, and each outcome corresponds to a
single arrangement of the cards.

Now this part's a stretch:

The RC4 expansion is similar to the shuffling of a deck of cards (128).
So if RC4 has a skew toward some shufflings more than others, then you
might know in what order to perform a brute-force attack on rc4.  Which
makes it weaker, yes?

Eyal

-- 
Eyal Soha <[EMAIL PROTECTED]>
Cisco Systems <http://www.cisco.com>

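The counting argument in the post can be checked exhaustively rather than by sampling. The code below is an added example (not the poster's "code to prove this"): it replays the loop once for every possible sequence of random draws, counting how often each final arrangement appears, for both the naive swap and the restricted one (the second function above, the Fisher-Yates form). It generalises to any deck size, not just four cards.

```python
"""Exhaustive check of the shuffle bias: count how many random-draw sequences reach each arrangement."""
from collections import Counter
from itertools import product
from math import factorial


def run_shuffle(count: int, draws: tuple, restrict: bool) -> tuple:
    """Replay one shuffle deterministically; draws[i] stands in for lrand48() at step i."""
    a = list(range(count))
    for i, r in enumerate(draws):
        j = r % (count - i) + i if restrict else r % count
        a[i], a[j] = a[j], a[i]
    return tuple(a)


def outcome_counts(count: int, restrict: bool) -> Counter:
    """Number of draw sequences that end in each arrangement."""
    if restrict:
        ranges = [range(count - i) for i in range(count)]   # step i has count-i admissible draws
    else:
        ranges = [range(count)] * count                      # every step has count draws
    counts = Counter()
    for draws in product(*ranges):
        counts[run_shuffle(count, draws, restrict)] += 1
    return counts


def is_uniform(count: int, restrict: bool) -> bool:
    """True only if all count! arrangements are reached, each by the same number of sequences."""
    counts = outcome_counts(count, restrict)
    return len(counts) == factorial(count) and len(set(counts.values())) == 1


def bias_summary(count: int, restrict: bool) -> dict:
    """Totals the post reasons about: sequences, distinct arrangements, least/most likely."""
    counts = outcome_counts(count, restrict)
    return {"sequences": sum(counts.values()),
            "arrangements": len(counts),
            "min": min(counts.values()),
            "max": max(counts.values())}


if __name__ == "__main__":
    for restrict in (False, True):
        print("restricted" if restrict else "naive", bias_summary(4, restrict))
```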

------------------------------

From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: Re: "Breaking" a cipher
Date: Wed, 23 Jun 1999 20:57:59 GMT
Reply-To: [EMAIL PROTECTED]


> Normally brute force is not considered a break as any cipher is
> vulnerable to a brute force search.

Do you believe that a one time pad cipher system is vulnerable to a
brute attack?


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 21:35:02 GMT


> I think you should read the faq before going on.  I did a while ago
> and it cleared up many issues.


What FAQs?  Where is it?


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED]
Subject: Encryptor that fits on a disk?
Date: Wed, 23 Jun 1999 20:45:41 GMT

Hello,

I am looking for an encryptor that could be used from a single floppy
disk. I wish I could use PGP but unfortunately it's just too big.. plus
the system I am working on gives me limited admin.. no installs
basically. I remember seeing once a program that did a number of
algorithms and had high bit keys.. but I forgot the name.. If you know
of one.. that fits my bill.. please let me know.. Thanks

Denis.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: "John E. Kuslich" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Wired magazine: What does it do? SOLUTION
Date: Wed, 23 Jun 1999 14:39:31 -0700

As Jonathan Swift once said:

The highest compliment that one can pay a satirist is to take him
seriously ;--)

(I am paraphrasing here...)

I suppose it is a proof by reductio ad absurdum that the one time pad is
unbreakable. One can take an encrypted message and, by using the
appropriately chosen OTP, decrypt any and all possible messages of the
same length from the cypher text. You make the key (OTP) by XORing the
plain text message with the cypher text.

I like the message I chose to have the cryptogram decrypt to but it
could as easily have been a message saying "Eat at Joe's" or "Mok-Kong
Shen wears army boots!"

I must have time on my hands...

JK
  

Mok-Kong Shen wrote:
> 
> John E. Kuslich wrote:
> >
> > I have determined a solution to this cryptogram!!
> >
> > It is a One Time Pad.  The pad was recovered using our proprietary One
> > Time Pad recovery software.
> 
> What is your definition of OTP? Or were you overthrowing the theory
> which says that the OTP is provably secure?
> 
> M. K. Shen

-- 
CRAK Software (Password Recovery Software)
Http://www.crak.com
[EMAIL PROTECTED]
602 863 9274 or 1 800 505 2725 In the USA

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: one time pad
Date: Wed, 23 Jun 1999 21:39:42 GMT


On Wed, 23 Jun 1999 18:06:41 GMT, in <7kr7n8$dva$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] wrote:

>I would like to put forth the following claims
>and if anyone would care to comment, disprove,
>etc., I would appreciate it.  I thought I knew
>some things (being new to cryptography), but a
>patient individual helped me see I have more to
>learn.  He suggested I come to Deja, so here I am.
>
>1. One time pads, when implemented, deployed, and
>used correctly are the only known cipher that
>guarantees the security of the plain text over a
>non secured media.  (Physical security is assumed
>for this discussion.)

False.  The key word here is "guarantees."  Unless we have a proof
which applies in practice, there can be no such "guarantee" in a
realized cipher.  

The OTP which is "proven" secure is the *theoretical* OTP which
assumes and thus "uses" a perfect theoretical random keystream.  Alas,
a theoretical OTP can only "protect" theoretical data.  When we get
into the real world, we have to measure what we have and guarantee
that the theoretical assumptions are met in practice.  But that is
impossible.    

If we have some known plaintext, all it takes to enter the OTP is to
have a relationship in the keystream such that some future bits can be
predicted from past bits.  (This could be some sort of correlation
between bits or multi-bit symbols.)  We have tests which check for
particular correlations, but we have no test which can prove that no
such correlation exists.  Thus we have no proof of strength.  

Even if we had ideal measures, our concepts of randomness and entropy
are statistical: even good results refer only to the body of data
tested, not previous data, not subsequent data, and not even each and
every byte of the test.  Individual bytes could leak information, yet
the overall sequence might still be measurably random (whatever that
might mean).  But if we leak *any* information, then, clearly, our
"guarantee" is something less than one might expect.  

One approach to a solution might be to build a physically-random
device which cannot be incorrectly built, cannot fail to perform,
cannot be damaged in an undetectable way, and will meet every possible
test for randomness, even if we have not yet defined those tests.
Then we could say that our device was "provably random," which would
imply a security proof for an OTP using such a device as a keystream
generator.  In my opinion, any attempt to build such a device would be
a foolish quest.  

On the other hand, I am willing to believe that a well-designed,
well-constructed, and well-tested physically-random RNG could be very
secure indeed.  The difference is that we have no absolute *proof*.
And that places the OTP firmly into the body of ciphers we know.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 21:42:29 GMT


> I think the main point of the criticism is that one should not step
> into a well-developed field and tell people how things should be done
> without first *learning* enough about the field to have a chance of
> contributing something new and useful.


May I offer an observation about this forum?


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
