Cryptography-Digest Digest #781, Volume #9 Sat, 26 Jun 99 16:13:06 EDT
Contents:
Jim Gillogly on The Today Show: Kryptos (John L. Allen)
Re: Kryptos article (B & J)
Re: Kryptos article (wtshaw)
Re: DES-NULL attack (Thomas Pornin)
Re: DES-NULL attack (Thomas Pornin)
Re: DES-NULL attack ([EMAIL PROTECTED])
Re: DES-NULL attack (Thomas Pornin)
Re: Tough crypt question: how to break AT&T's monopoly??? (Dave Hazelwood)
Re: DES-NULL attack (fungus)
Re: DES-NULL attack (fungus)
Re: Scramdisk cracked (A C Wilshere)
Re: DES-NULL attack ([EMAIL PROTECTED])
Re: DES-NULL attack (Horst Ossifrage)
Re: one time pad (Greg Ofiesh)
Re: one time pad (Greg Ofiesh)
Moores Law (a bit off topic) ([EMAIL PROTECTED])
Re: DES-NULL attack (William Tanksley)
Re: one time pad (Greg Ofiesh)
Re: one time pad (Greg Ofiesh)
Re: one time pad (John Savard)
Re: one time pad (Greg Ofiesh)
Re: Tough crypt question: how to break AT&T's monopoly??? (Jayjames99)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (John L. Allen)
Subject: Jim Gillogly on The Today Show: Kryptos
Date: 25 Jun 1999 15:39:13 -0400
Jim Gillogly was on the NBC Today show this morning.
There was a segment on the "Kryptos" sculpture outside
the NSA, and he was billed as the guy who cracked part
of the code using a computer.
There was even a very brief "demo" of how decrypting
is done.
(There's no hiding now, Jim :-)
John.
--
_/JohnL\[EMAIL PROTECTED] <Sun>: 9.5 billion pounds per sec to energy
~\Allen/~Fax: 516-575-7428 <Universe>: 1e22 stars = 22 solar masses per sec
------------------------------
From: B & J <[EMAIL PROTECTED]>
Subject: Re: Kryptos article
Date: Sat, 26 Jun 1999 06:17:14 +0000
I got quite interested in this KRYPTOS code thing, and was able to find the
keys for the first 2 parts, but does anyone know if the keys mean anything at
all, perhaps encrypted? Seems like gibberish to me....
- Ben
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Kryptos article
Date: Sat, 26 Jun 1999 00:50:25 -0600
In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:
> Jim Gillogly wrote:
> > Reflecting on this, I realized it's utter garbage. The pool would
> > swap up and down, not right and left. Never mind.
>
> Um, Jim, mirrors don't reverse in any particular direction.
> Martin Gardner had a discussion of this in one of his books:
> Why is your image in a flat mirror reversed left-to-right,
> not top-to-bottom? (Think about it; it can produce one of
> those moments of "enlightenment".)
Congratulations Jim...now, time for recovery. If you come to Atlanta for
the convention, please bring your costume; pardon me if I leave my best
suit, my coveralls, at home.
Something a mirror cannot fully reverse:
.emoh ta ,sllarevoc ym ,tius tseb ym evael I fi em nodrap ;emutsoc ruoy
gnirb esaelp ,noitnevnoc eht rof atnaltA ot emoc uoy fI .yrevocer rof emit
,won...miJ snoitalutargnoC
--
It's always possible that a politician is acting out of principles.
--Michael Kinsley of Slate.com
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: DES-NULL attack
Date: 26 Jun 1999 07:36:47 GMT
According to <[EMAIL PROTECTED]>:
> Let a plain text block contains only bits with NULL value.
>
> Then correspondent cipher block is well-defined function
> of the encryption key, which can be recovered.
Ok. Prove it. Here is the result of the DES encryption of 0 by a secret
key of mine:
e5d72a33650d160f
Now show me the key.
--Thomas Pornin
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: DES-NULL attack
Date: 26 Jun 1999 07:40:10 GMT
According to JPeschel <[EMAIL PROTECTED]>:
> Consider an intelligence agency with plenty of money to spend on
> ASICs.*
As usual: if some agency has so much power and is after me, the
possibility that they could recover a DES key in a few days with a
hardware worth dozens millions of dollars is the least of my concerns.
They could kidnap me for much less.
Anyway, the limit is generally considered to be about 80 bits.
--Thomas Pornin
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES-NULL attack
Date: Sat, 26 Jun 1999 12:38:16 GMT
In article <7l204q$mci$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Thomas Pornin) wrote:
> As usual: if some agency has so much power and is after me, the
> possibility that they could recover a DES key in a few days with a
> hardware worth dozens millions of dollars is the least of my concerns.
> They could kidnap me for much less.
>
> Anyway, the limit is generally considered to be about 80 bits.
By whom? If a 64-bit key is not safe, an 80-bit key is probably not
safe, if we are to follow the skepticism.
You know it's funny. I work on crypto stuff almost all the time, but I
hardly ever use it myself... When I do it's for PGP messages and
such.
64-bit keys will keep my neighbour out of my email and that's all I
really care about. If they want to sit there for 32 years trying to
read a message let them. If I had a gov. secret I wouldn't broadcast
it over the net!
64-bits is generally secure. Just because the number of bits is close
to that of DES does not mean the key space is the same.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: DES-NULL attack
Date: 26 Jun 1999 13:35:00 GMT
According to <[EMAIL PROTECTED]>:
> By whom? If a 64-bit key is not safe, an 80-bit key is probably not
> safe, if we are to follow the skepticism.
That is what is usually said during congresses such as Crypto. The point
is that 80-bit is 65536 times harder than 64-bit (unless there are
quantum computers out there, of which we have no evidence).
We can easily estimate the cost for an EFF-like machine. We divide
the price by two, in order to please the "NSA has access to advanced
technology" paranoids.
Therefore:
56-bit -> 125000$
64-bit -> 32000000$
80-bit -> 2097152000000$
(for a three days crack)
Two thousand billion dollars is too much for the machine to exist outside
public knowledge. And there are other issues (power consumption, for
instance: 16 million times what the EFF machine eats -- that requires
several nuclear power plants, at least).
However, the 64-bit version is quite feasible. 32 million dollars is
not much for an agency such as the NSA. And it could easily be hidden.
> 64-bits is generally secure.
Agreed. But Moore's law (*) will keep on getting it less secure every
year. This explains the 128-bit keys for the AES.
--Thomas Pornin
(*) Many people, including some considered as smart and competent in the
domain of micro-electronics, predict that Moore's law will cease to be
valid in at most 5 years. However, such predictions have been made for
the last 10 years at least, therefore it is safer to assume that this
exponential augmentation of computing power might just go on for the
next 30 years.
------------------------------
From: [EMAIL PROTECTED] (Dave Hazelwood)
Subject: Re: Tough crypt question: how to break AT&T's monopoly???
Date: Sat, 26 Jun 1999 15:10:46 GMT
Have you tried Kwik-Crypt for Windows/95?
http://www.kwikrite.clara.net/
You can build self-decrypting and restoring (blowfish) archives with it.
[EMAIL PROTECTED] (Jayjames99) wrote:
>I think this is a tough question to answer.
>
>I am trying to send an encrypted file to somebody who is not computer savvy, in
>a format so that the receiving party does not have to know how to decrypt the
>file. It will simply self-extract, ask for the private key to be entered, and
>voila...the file is now readable.
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: DES-NULL attack
Date: Sat, 26 Jun 1999 18:37:36 +0200
Thomas Pornin wrote:
>
> (*) Many people, including some considered as smart and competent in the
> domain of micro-electronics, predict that Moore's law will cease to be
> valid in at most 5 years. However, such predictions have been made for
> the last 10 years at least
Yeah, but the "past predictions" were based on technical difficulties,
the new predictions are based on physical laws.
> therefore it is safer to assume that this exponential augmentation
> of computing power might just go on for the next 30 years.
More like 15-20...
...even so, that means a Pentium XIV with a clock speed in the
hundreds of gigahertz range. I can't wait for the games!
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: DES-NULL attack
Date: Sat, 26 Jun 1999 18:33:15 +0200
[EMAIL PROTECTED] wrote:
>
> In article <7l204q$mci$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Thomas Pornin) wrote:
> > As usual: if some agency has so much power and is after me, the
> > possibility that they could recover a DES key in a few days with a
> > hardware worth dozens millions of dollars is the least of my concerns.
> > They could kidnap me for much less.
> >
> > Anyway, the limit is generally considered to be about 80 bits.
>
> By whom? If a 64-bit key is not safe, an 80-bit key is probably not
> safe, if we are to follow the skepticism.
>
Skipjack was 80 bits. The NSA are the experts in what can and what
can't be cracked by people in the near future.
;-)
> 64-bits is generally secure. Just because the number of bits is close
> to that of DES does not mean the key space is the same.
>
Nope. It's 256 times bigger. Even the famous EFF machine would take
a couple of years to find a 64 bit key.
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
Date: Fri, 25 Jun 1999 20:19:29 +0100
From: A C Wilshere <[EMAIL PROTECTED]>
Subject: Re: Scramdisk cracked
> A password as nonsensical but easy to remember as
> 'dumdumDiddlypiddlytiddlyTum' would keep a password sniffer glurking
> along for a long time. Plus it's fun to type.
Damn, I'll have to change that password now ;)
Allan
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES-NULL attack
Date: Sat, 26 Jun 1999 17:06:04 GMT
In article <[EMAIL PROTECTED]>,
fungus <[EMAIL PROTECTED]> wrote:
> > 64-bits is generally secure. Just because the number of bits is close
> > to that of DES does not mean the key space is the same.
> >
>
> Nope. It's 256 times bigger. Even the famous EFF machine would take
> a couple of years to find a 64 bit key.
Ironically, people always try to use as little memory as possible
for round keys and sboxes, but if they are key dependent they normally
help defend against brute force. Blowfish for example requires the key
schedule to be performed and makes brute force attacks 512 times
harder! So in a 64-bit blowfish key it would require on average 2^72
encryptions to find the key...
There obviously should be a happy middle which most AES ciphers contend
with.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
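As an added worked example, not code from any poster in this digest: Thomas Pornin's cost scaling above, extended with the Moore's-law projection argued about later in the thread and with the key-schedule factor from Tom's reply. The $125,000 baseline, three-day run time, 18/36-month doubling periods and the Blowfish factor of 512 are the figures the posts use; treating hardware cost as halving on that schedule is an assumption of the example.

```python
import math

# Baseline from Thomas Pornin's post: an EFF-style DES cracker with its price
# halved to $125,000, exhausting a 56-bit key space in about three days.
BASE_BITS = 56
BASE_COST_USD = 125_000


def brute_force_cost(bits, base_bits=BASE_BITS, base_cost=BASE_COST_USD):
    """Dollar cost of hardware that exhausts a `bits`-bit key space in the same
    run time as the baseline machine. Every extra key bit doubles the key space,
    so for a fixed run time it doubles the number of search units."""
    if bits < base_bits:
        raise ValueError("key size below the baseline machine's target")
    return base_cost * 2 ** (bits - base_bits)


def hardware_ratio(bits, base_bits=BASE_BITS):
    """How many baseline machines' worth of hardware (and therefore power) the
    fixed-time attack needs: Pornin's '16 million times' for 80 bits."""
    return 2 ** (bits - base_bits)


def years_until_affordable(bits, budget_usd, doubling_months=18.0):
    """Years after the thread (1999) until `budget_usd` buys the three-day crack,
    assuming (Moore's-law-style) that cost per unit of search work halves every
    `doubling_months`. 18 months is the usual figure; 36 months is the slowdown
    Horst Ossifrage predicts later in this thread. Assumption: the trend holds."""
    cost_now = brute_force_cost(bits)
    if cost_now <= budget_usd:
        return 0.0
    halvings = math.ceil(math.log2(cost_now / budget_usd))
    return halvings * doubling_months / 12


def log2_average_work(bits, key_setup_factor):
    """log2 of the expected number of block-encryption equivalents for a brute
    force search when every candidate key costs `key_setup_factor` encryptions
    to set up (Tom's Blowfish figure of about 512): 2^(bits-1) expected trials
    times the per-key setup cost."""
    return (bits - 1) + math.log2(key_setup_factor)


if __name__ == "__main__":
    for b in (56, 64, 80):
        print(f"{b}-bit -> {brute_force_cost(b):>16,}$  "
              f"({hardware_ratio(b):,}x the EFF machine)")
    for b in (64, 80):
        print(f"{b}-bit affordable at $125k after "
              f"{years_until_affordable(b, 125_000):.0f} years (18-month doubling), "
              f"{years_until_affordable(b, 125_000, 36):.0f} years (36-month doubling)")
    print(f"64-bit Blowfish brute force ~ 2^{log2_average_work(64, 512):.0f} encryptions")
```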
------------------------------
From: Horst Ossifrage <[EMAIL PROTECTED]>
Subject: Re: DES-NULL attack
Date: Sat, 26 Jun 1999 10:07:42 -1000
Thomas Pornin wrote:
> Agreed. But Moore's law (*) will keep on getting it less secure every
> year. This explains the 128-bit keys for the AES.
It is not a law, it is a trend. Please quote Moore when he claimed it
was a law. It was called a law by laymen.
> --Thomas Pornin
>
> (*) Many people, including some considered as smart and competent in the
> domain of micro-electronics, predict that Moore's law will cease to be
> valid in at most 5 years. However, such predictions have been made for
> the last 10 years at least, therefore it is safer to assume that this
> exponential augmentation of computing power might just go on for the
> next 30 years.
My job is designing next generation microprocessors at a major
company. You should expect the rate of improvement to slow down
starting today. 18 years ago the prediction was that 0.1 micron
transistor lengths would be near the smallest sizes practical
for mass production, and that is one limitation for speed. Today
one company is preparing 0.07 micron transistors. At work, we face
the limits of scaling in 2 years for mass produced ICs. After 2001
I expect a doubling of speed to take, not 18 months, but 36 months.
After then, speed will increase more slowly. Heat, noise,
and the speed of light are already very real constraints on
improvements.
------------------------------
From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Sat, 26 Jun 1999 18:21:20 GMT
Normally I don't spend more than a couple moments replying to someone
like STL137 (sounds like a disease, don't it) if I reply at all, but I
gotta tell you, your response had me rolling!
------------------------------
From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Sat, 26 Jun 1999 18:28:40 GMT
> What say you?!?
I see your point.
------------------------------
From: [EMAIL PROTECTED]
Subject: Moores Law (a bit off topic)
Date: Sat, 26 Jun 1999 18:46:59 GMT
Where could I read about Moores law? I will check the search engines
but some urls may help.
Just a wondering.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
------------------------------
From: [EMAIL PROTECTED] (William Tanksley)
Subject: Re: DES-NULL attack
Reply-To: [EMAIL PROTECTED]
Date: Sat, 26 Jun 1999 18:42:53 GMT
On Sat, 26 Jun 1999 10:07:42 -1000, Horst Ossifrage wrote:
>Thomas Pornin wrote:
>> (*) Many people, including some considered as smart and competent in the
>> domain of micro-electronics, predict that Moore's law will cease to be
>> valid in at most 5 years. However, such predictions have been made for
>> the last 10 years at least, therefore it is safer to assume that this
>> exponential augmentation of computing power might just go on for the
>> next 30 years.
Safe to assume that it might? A hedged assumption is a safe assumption ;-).
>My job is designing next generation microprocessors at a major
>company. You should expect the rate of improvement to slow down
>starting today. 18 years ago the prediction was that 0.1 micron
>transistor lengths would be near the smallest sizes practical
>for mass production, and that is one limitation for speed. Today
>one company is preparing 0.07 micron transistors. At work, we face
>the limits of scaling in 2 years for mass produced ICs. After 2001
>I expect a doubling of speed to take, not 18 months, but 36 months.
>After then, speed will increase more slowly. Heat, noise,
>and the speed of light are already very real constraints on
>improvements.
This all fits what I know, but it also ignores many other aspects. You
can get ENORMOUS performance out of a single process if you remove the
excess safety margins; Chuck Moore designed and built a 500 MIPS chip
using a .8 micron process. In addition, our current ways of juggling
electrons are not the only ways; some of the photonics in development
appear as cool as sci-fi could possibly have imagined.
Your arguments against speedup are as convincing as arguments against
lighting efficiency on the grounds that whale oil can only be made to burn
so bright :-).
Mind you, I'm not arguing that Moore's law will continue to apply -- I'm
arguing that it's not wise to design encryption with anything else in
mind.
--
-William "Billy" Tanksley
Utinam logica falsa tuam philosophiam totam suffodiant!
:-: May faulty logic undermine your entire philosophy!
------------------------------
From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Sat, 26 Jun 1999 18:07:27 GMT
> ...The solution is simply to use TWO pads instead of one...
Actually, I realize now what people have been trying to say and I came
to the conclusion that Terry was correct when he said that this is a
theoretical issue. So the way I address the problem now is, "How can I
best approach the theoretical OTP in practice?"
Specifically, I am not concerned with having a pad that is populated
with a stream of bits that I should not "normally find naturally
occurring." Instead, I will take the pad and examine it for
"anomalies" such as "astronomical" events and if I find them I will
not seek to modify the data but fix the source.
By the way, I liked your response. The idea of using 2 OTPs is silly,
is it not? The problem is still there. Whether it is astronomical, or
astronomical, it is still astronomical. (infinity times infinity is
infinity.)
------------------------------
From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Sat, 26 Jun 1999 18:56:10 GMT
> IMO, this isn't really proving much anything: for the most part,
> OTP isn't practical to start with. Proving that a real
> implementation can only approximate it doesn't mean a
> lot because nearly anything that's practical is KNOWN
> to only be an approximation to start with.
I would disagree. Elliptical curve crypto is not an approximation,
unless you say that a particular implementation "might" have a bug that
weakens it. In general, math formulas work or don't work. They are
never approximated. But you bring up a point that I have finally come
to realize was what I should focus on all along.
I think the best way to generalize everything said on this thread is
that of all the ciphers we know of, only the OTP has proof of security
in theory; which says something about OTPs because none of the others
have any kind of proof of security at all.
So the question in my mind becomes: Is it safer to try to approximate
a theoretical OTP as much as possible or rely on a math problem that:
1. might be solved tomorrow by a math wizard some where in the world
(and if the wizard were that smart, don't you think he would know that
the NSA would pay tens of millions for such knowledge, and so do you
think we would know that such a solution exists?); or
2. might be reasonably cracked by a new type of computer that we either
know nothing about or are led to believe does not exist in practice,
such as quantum computers? (What we hear of today was used 20 years ago
by our government.)
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: one time pad
Date: Sat, 26 Jun 1999 19:00:37 GMT
[EMAIL PROTECTED] (S.T.L.) wrote, in part:
>By the way, if a perfect, correctly working random number generator plops out a
>string of zeros, GO AHEAD and XOR them with the plaintext. Why? Because if you
>never do, and the Adversary later sees "Attack At Three O'Clock", then he will
>KNOW something about your plaintext! Namely, that that portion did NOT say
>"Attack at Three O'Clock".
>Say you do XOR in the "string of zeros", and "plaintext is revealed!" I ask
>you, then, how would the Adversary know that you weren't actually using a
>different run of random numbers and the plaintext said instead "Moo moo
>kabubu"? The Adversary doesn't, and is still completely in the dark. When
>implemented correctly (that's the big part), in the "orthodox" manner, OTPs are
>invulnerable to attack. Period.
Ah, yes. While that extreme case is extremely improbable, surely you
must admit that there is a chance that the Adversary, by mistake,
might simply assume one was sending plaintext (on account of having
run out of one-time pads)?
I know the _theory_, but I think there's a point being missed.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Sat, 26 Jun 1999 19:08:28 GMT
> One example of a good way is to take a
> 3-gate NOT cycle (that is, hook a NOT up to a NOT up
> to a NOT, then attach the output of the last one to the
> input of the first). Put that on a chip, and
> put a few others like it at other places on the chip...
This is interesting. Have there been any published studies on this
approach?
------------------------------
From: [EMAIL PROTECTED] (Jayjames99)
Subject: Re: Tough crypt question: how to break AT&T's monopoly???
Date: 26 Jun 1999 19:54:09 GMT
>Have you tried Kwik-Crypt for Windows/95?
>
>http://www.kwikrite.clara.net/
>
>You can build self decrypting and restoring (blowfish) archives with
>it.
Thank you for this information, but I'm not completely sure, from reading the
below blurb, whether you need to have Kwik-Crypt running at the receiving end
to view the encrypted files (probably not). I will download it and check it
out. The passage that is a bit confusing is "These self-restoring archives can
be opened in a full version of Kwik-Crypt and the executable portion integrity
can be checked". I assume "can be" means optionally, and not as a necessary
condition.
This is exactly what is needed in the marketplace--an encryption application
program that does not need the application program at the receiving end.
Especially great if it works cross-platform.
>>>>
Kwik-Crypt is a free strong-encryption archive maker. The compression used is
slightly better than that of WinZip and the encryption is currently 160-bit
Blowfish. The source code for Kwik-Crypt will be available when the product
goes in to full release.
Kwik-Crypt can create self-restoring archives that can be sent to people
without the Kwik-Crypt application. These self-restoring archives can be opened
in a full version of Kwik-Crypt and the executable portion integrity can be
checked.
>>>>
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************