Cryptography-Digest Digest #782, Volume #9       Sat, 26 Jun 99 18:13:04 EDT

Contents:
  A few questions on RSA encryption (Gilad Maayan)
  Re: generated pad for OTP? (Bill Unruh)
  Re: A few questions on RSA encryption (S.T.L.)
  Re: Tough crypt question: how to break AT&T's monopoly??? (Bill Unruh)
  Re: generated pad for OTP? (Bill Unruh)
  Re: Moores Law (a bit off topic) (S.T.L.)
  Re: one time pad (S.T.L.)
  Re: Tough crypt question:  how to break AT&T's monopoly??? (S.T.L.)
  Re: Moores Law (a bit off topic) (Horst Ossifrage)
  Re: A few questions on RSA encryption (Bill Unruh)
  A few questions on RSA encryption (Gilad Maayan)
  Re: DES-NULL attack ("Mike Murray")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Gilad Maayan)
Subject: A few questions on RSA encryption
Date: Sat, 26 Jun 1999 20:59:20 GMT

I have a couple of questions on RSA; I hope someone will be able to
help.

1. I haven't been able to find any information on the relationship
between the number of bits encrypted by RSA, and the level of security
obtained. Let's say you're encrypting 20 bits with a 512 or 1024 bit
key. Is the small size of the plaintext relevant? Will the encrypted
message be easier to crack than, say, an entire document encoded by
the same RSA key?

2. Would it be at all possible to break an RSA cyphertext, knowing
neither the secret key, the public key, nor the modulus?

3. Would it be possible to extrapolate an RSA key from a cyphertext,
if the plaintext was known? (assuming that neither the key used for
encryption nor its corresponding modulus are known).

4. If the modulus and public key were known, would available
cyphertext-plaintext make the cryptanalysis process faster or easier?

5. (This one concerns DES, despite the topic :) Let's take a specific
encryption scenario, where a random key-seed is run through two
different functions. The two keys generated by this process, each 64
bits long, are used for a Triple-DES operation, the result of which is
sent through a non-secure medium. The key-seed is encrypted using
RSA, and sent along with the encrypted message. If the two functions
aren't known to an attacker, and he manages to break the RSA code and
obtain the key-seed, would he be able to use that to extrapolate the
said functions from the encrypted message? I'm aware of the
key-management issues that arise from this scenario; my question
relates to a purely mathematical attack.

Many thanks,
Gilad Maayan

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: generated pad for OTP?
Date: 26 Jun 1999 21:28:20 GMT

In <[EMAIL PROTECTED]> Benjamin Goldberg 
<[EMAIL PROTECTED]> writes:

>The "SecureRandom" generator produces 20 pseudo-random bytes at a time, by
>incrementing a 64-bit counter, and using a SHA-1 digest on that counter
>and a seed.  While I know you can't reconstruct a message directly from a

This could be very easy to figure out if the seed is knowable or
guessable. The seed is essentially the key to this cypher, and with too
small a seed, this system will easily fall to exhaustive search. I would
also worry that the SHA of two strings which differ in so few bits might
be susceptible to breaking. SHA(seed+SHA(counter)) might be better -- but
slow.
Note, as with all such stream cyphers, you can never reuse your
key (seed).

------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: A few questions on RSA encryption
Date: 26 Jun 1999 21:31:10 GMT

<<I have a couple of questions on RSA; I hope someone will be able to
help.>>

Okay, I'll try.

<<1. I haven't been able to find any information on the relationship
between the number of bits encrypted by RSA, and the level of security
obtained. Let's say you're encrypting 20 bits with a 512 or 1024 bit
key. Is the small size of the plaintext relevant? Will the encrypted
message be easier to crack than, say, an entire document encoded by
the same RSA key?>>

Small plaintexts ARE a problem, as you anticipated. RSA is vulnerable to
chosen-plaintext attacks (I think that's what they are called), because ANYONE,
including the Adversary (the hypothesized cracker) can encrypt plaintexts of
their choice and notice if they match the ciphertext. For a 20-bit plaintext,
the Adversary need only try to encrypt 2^20 plaintexts before he finds
one that produces the same ciphertext. A larger document is therefore more
protected, and any document over, say, 256 bits is pretty darn safe.

<<2. Would it be at all possible to break an RSA cyphertext, knowing
neither the secret key, the public key, nor the modulus?>>

I am not sure. Probably not. There are a heck of a lot of possible keypairs, and
not knowing even the modulus makes it worse for the Adversary. Keeping even the
public key-and-modulus secret has to improve security, but I'm not sure by how
much.

<<3. Would it be possible to extrapolate an RSA key from a cyphertext,
if the plaintext was known? (assuming that neither the key used for
encryption nor its corresponding modulus are known).>>

Possible (brute-force) but extremely difficult, I'm guessing. I can't quantify
HOW difficult, though.

<<4. If the modulus and public key were known, would available
cyphertext-plaintext make the cryptanalysis process faster or easier?>>

Of course not, the Adversary already has an infinite supply of ready-on-demand
ciphertext-plaintext. :-D Think about it - the Adversary, using the public key
and modulus can encrypt any darn plaintext he feels like and look for the
ciphertext. Now, as to whether analyzing ciphertext-plaintext pairs would be of
any help, I don't *believe* so, but I'm not sure.

<<5. (This one concerns DES, despite the topic :) Let's take a specific
encryption scenario, where a random key-seed is run through two
different functions. The two keys generated by this process, each 64
bits long, are used for a Triple-DES operation, the result of which is
sent through a non-secure medium. The key-seed is encrypted using
RSA, and sent along with the encrypted message. If the two functions
aren't known to an attacker, and he manages to break the RSA code and
obtain the key-seed, would he be able to use that to extrapolate the
said functions from the encrypted message? I'm aware of the
key-management issues that arise from this scenario; my question
relates to a purely mathematical attack.>>

Okay, why involve RSA? If you are assuming that the Adversary has broken it,
why not *simplify* your scenario and have the keyseed sent in the clear? (We
can have absurd situations!)

Um, so you take a single keyseed known to the Adversary, [munge it through two
functions and combine the output], which is a single function in itself that
expands and changes the keyseed into 128 bits, and then use that for a
symmetric cypher.

Therefore, the strength of your resulting encryption, because the keyseed is
known to the Adversary, will depend on how well the combined-function munges
the keyseed and how well the symmetric cipher "hides" the munged keyseed.

Or not. This last one is a tad complicated, and I'm not sure I'm right.

-*---*-------
S.T.L.  ===> [EMAIL PROTECTED] <===  BLOCK RELEASED!    2^3021377 - 1 is PRIME!
Quotations:  http://quote.cjb.net  Main website:  http://137.tsx.org    MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"  e^(i*Pi)+1=0   F00FC7C8
E-mail block is gone. It will return if I'm bombed again. I don't care, it's
an easy fix. Address is correct as is. The courtesy of giving correct E-mail
addresses makes up for having to delete junk which gets through anyway. Join
the Great Internet Mersenne Prime Search at http://entropia.com/ips/  Now my
.sig is shorter and contains 3379 bits of entropy up to the next line's end:
-*---*-------

Card-holding member of the Dark Legion of Cantorians, the Great SRian
Conspiracy, the Triple-Sigma Club, and the Union of Quantum Mechanics
Avid watcher of "World's Most Terrifying Causality Violations", "World's
Scariest Warp Accidents", and "When Tidal Forces Attack: Caught on Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #2: Thou Shalt Conserve Mass/Energy In Closed Systems.

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Tough crypt question: how to break AT&T's monopoly???
Date: 26 Jun 1999 21:36:20 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Jayjames99) 
writes:

]I think this is a tough question to answer.

]I am trying to send an encrypted file to somebody who is not computer savvy, in
]a format so that the receiving party does not have to know how to decrypt the
]file.  It will simply self-extract, ask for the private key to be entered, and
]voila...the file is now readable.

]I think AT&T is the only vendor of this kind of a program--but it costs $1000+
]for a network license.  Outrageous.  And probably patented.

]Does anybody know of a cheap workaround?

It would be trivial to write such a program. It would also, under the US
regulations, be illegal to send such an email outside the USA without a
license.
I am sure that such has been written many times.


]Also, in the alternative, please recommend any NON-PGP program (except ROT13)
]for half-way decent protection from casual intruders, so that somebody can
]simply send an encrypted file that can be easily decrypted (especially a binary
]file sent as an attachment)

DO NOT SEND ATTACHMENTS unless you have agreed to do so with the person
at the other end for that specific time. I assume you have been
following the news. 


------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: generated pad for OTP?
Date: 26 Jun 1999 21:23:57 GMT

In <[EMAIL PROTECTED]> Benjamin Goldberg 
<[EMAIL PROTECTED]> writes:

]If I have some secret sequence of bytes [as in a session key] and use this
]sequence as a seed for a pseudo random number generator, and use the
]output of this PRNG as my pad, how easy/hard is it to decrypt data that
]has been XORed with this generated pad?  While I assume that it depends on
]the PRNG, are there generators that are "cryptographically strong?"
]Java offers the class 'java.security.SecureRandom' which it *claims* is
]"cryptographically strong," but I don't know enough about cryptography to
]figure out how accurate that claim of strength is.


This is called a stream cypher. For example RC4 is such a beast. The
question is whether or not subsequent bytes of the "random" stream can
be determined if the first N are known. In a true OTP each one is
statistically independent, so the first N give no information about
subsequent bytes. For a stream cypher, the next bytes are uniquely
determined by the first N bytes. One must only hope that that
determination is very very difficult to figure out given the first N
bytes.
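As an added illustration (not code from the digest or from Java's SecureRandom), here is a generated pad built the way the quoted post describes, one SHA-1 digest per counter value hashed together with the seed, followed by the two failure modes Bill Unruh raises in this reply and the earlier one: reusing the seed for two messages, and a seed small enough to search outright. The byte layout of the hash input, the 16-bit seed and the two messages are constructed for this demo.

```python
import hashlib
import itertools

def keystream(seed: bytes, nbytes: int) -> bytes:
    """Pad generator shaped like the quoted description: one 20-byte SHA-1
    digest per value of a 64-bit counter, hashed together with the seed.
    The exact input layout (counter || seed) is an assumption of this demo."""
    out = bytearray()
    for ctr in itertools.count():
        if len(out) >= nbytes:
            break
        out += hashlib.sha1(ctr.to_bytes(8, "big") + seed).digest()
    return bytes(out[:nbytes])

def xor_with_pad(data: bytes, seed: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the generated pad."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))

def leak_from_pad_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Why the seed must never be reused: c1 ^ c2 == p1 ^ p2, so a known p1
    reveals p2 over the overlap without the seed ever being learned."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(c1[i] ^ c2[i] ^ known_p1[i] for i in range(n))

def exhaust_seed(c: bytes, known_prefix: bytes, seed_bits: int = 16):
    """The seed is the key: a small seed space is simply searched, using a
    known plaintext prefix as the check for each candidate. Returns the
    seed or None. 2^16 SHA-1 calls take well under a second."""
    for s in range(1 << seed_bits):
        seed = s.to_bytes(seed_bits // 8, "big")
        if xor_with_pad(c[: len(known_prefix)], seed) == known_prefix:
            return seed
    return None

# Constructed sample: a 16-bit seed (far too small) reused for two messages.
SEED = b"\x12\x34"
P1 = b"Attack on Monday!!"
P2 = b"Attack on Tuesday."
C1 = xor_with_pad(P1, SEED)
C2 = xor_with_pad(P2, SEED)

if __name__ == "__main__":
    print(leak_from_pad_reuse(C1, P1, C2))        # b'Attack on Tuesday.'
    print(exhaust_seed(C1, b"Attack on ").hex())   # '1234'
```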

------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: Moores Law (a bit off topic)
Date: 26 Jun 1999 21:43:00 GMT

SciAm had a special issue devoted to microprocessors, chipmaking, and such.
There was an article on Moore's Law, if I remember correctly, by Moore himself.


------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: one time pad
Date: 26 Jun 1999 21:38:08 GMT

<<might simply assume one was sending plaintext (on account of having
run out of one-time pads)?>>

What if you're using an OTP key that, by chance, produces "Attack on Tuesday.",
when the real text is actually "Attack on Monday!!"? The Adversary doesn't know
if he should:

1) assume that the plaintext is "Attack on Tuesday." and is thus being sent in
the clear, which is extremely unlikely,
OR if he should:

2) assume that the plaintext is "Attack on Monday!!" and the OTP key by chance
has produced an intelligible ciphertext, which is just as extremely unlikely.

The Adversary cannot assume either way, and cannot crack the message.

If the Adversary had extra information (like you've sent 50 other messages with
intelligible ciphertext and you have seemingly performed as if plaintext were
truly being sent in the clear), then he may conclude with a high probability
that you are sending plaintext in the clear or that your RNG is malfunctioning.
However, this "extra information" scenario has *nothing to do* with the
argument at hand, that true OTPs should not be filtered under any circumstances
when functioning and being used correctly.


------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: Tough crypt question:  how to break AT&T's monopoly???
Date: 26 Jun 1999 21:41:53 GMT

<<This is exactly what is needed in the marketplace--an encryption application
program that does not need the application program at the receiving end. >>

Therefore a sort of mini-decryptor program needs to be attached to the
cyphertext, just as self-extracting ZIP files have a mini-extractor attached to
the cyphertext.

Or, one could hack a version of PKZIP to use strong cryptography.


------------------------------

From: Horst Ossifrage <[EMAIL PROTECTED]>
Subject: Re: Moores Law (a bit off topic)
Date: Sat, 26 Jun 1999 14:48:01 -1000

[EMAIL PROTECTED] wrote:
> 
> Where could I read about Moores law?  I will check the search engines
> but some urls may help.
> 
> Just a wondering.
> 
> Tom

Gordon Moore, former Chairman of the Board of Intel Corporation
once said that the trend was that microprocessor performance
doubled every 18 months. He did not say it is a law. There is not much
more than that to research for you. You can just find the date
he said it, and where he was quoted. It was an observation of his,
not a calculation based on fundamental causes. The causes of this
doubling of performance have been discussed in the IEEE Journal of
Solid State Circuits and in the Digest of Technical Papers of
the "International Solid State Circuits Conference" (ISSCC).
IEEE stands for the Institute of Electrical and Electronics
Engineers. See www.ieee.org

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: A few questions on RSA encryption
Date: 26 Jun 1999 21:43:28 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Gilad Maayan) 
writes:

]I have a couple of questions on RSA; I hope someone will be able to
]help.

]1. I haven't been able to find any information on the relationship
]between the number of bits encrypted by RSA, and the level of security
]obtained. Let's say you're encrypting 20 bits with a 512 or 1024 bit
]key. Is the small size of the plaintext relevant? Will the encrypted
]message be easier to crack than, say, an entire document encoded by
]the same RSA key?

It depends on how you pad those 20 bits. If you just encrypt them then
it is trivial to crack. If however you pad them with random stuff to a
length which is of the same order as the length of the key, then it is
no easier to crack than any other message.


]2. Would it be at all possible to break an RSA cyphertext, knowing
]neither the secret key, the public key, nor the modulus?

If anyone knew how to crack it even knowing the public key and modulus,
the cypher would be useless.


]3. Would it be possible to extrapolate an RSA key from a cyphertext,
]if the plaintext was known? (assuming that neither the key used for
]encryption nor its corresponding modulus are known).

That would make it somewhat useless, since you can encrypt an arbitrary
amount of plaintext yourself with anyone's public key.

]4. If the modulus and public key were known, would available
]cyphertext-plaintext make the cryptanalysis process faster or easier?

Same as above.


]5. (This one concerns DES, despite the topic :) Let's take a specific
]encryption scenario, where a random key-seed is run through two
]different functions. The two keys generated by this process, each 64
]bits long, are used for a Triple-DES operation, the result of which is
]sent through a non-secure medium. The key-seed is encrypted using
]RSA, and sent along with the encrypted message. If the two functions
]aren't known to an attacker, and he manages to break the RSA code and
]obtain the key-seed, would he be able to use that to extrapolate the
]said functions from the encrypted message? I'm aware of the
]key-management issues that arise from this scenario; my question
]relates to a purely mathematical attack.

?? It depends on that "function". Those functions are just an encryption
of the key, and as with all such encryptions its strength depends.
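Added example (not from the digest) of the point made about question 1 in both replies: with textbook RSA anyone holding the public key can encrypt every 20-bit candidate and compare against the ciphertext, whereas random padding up to the size of the modulus makes that search useless and the private key still recovers the message. The toy key size, the padding layout (a demo construction, not OAEP or PKCS#1) and the sample message are assumptions.

```python
import secrets
from math import gcd

PLAIN_BITS = 20   # the 20-bit message from the question

def is_prime(n):
    """Trial division; adequate for the ~2^20 toy primes chosen below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def make_toy_keypair():
    """Tiny textbook RSA key (about a 41-bit modulus) so the search below runs
    in seconds. Real keys are 1024+ bits; the size does not change the lesson."""
    p = next_prime(1 << 20)
    q = next_prime((1 << 20) + 1000)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 17
    while gcd(e, phi) != 1:   # keep e invertible mod phi
        e += 2
    d = pow(e, -1, phi)       # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_raw(x, key):
    """Textbook RSA: x^exp mod n with no padding at all."""
    n, exp = key
    return pow(x, exp, n)

def enumerate_short_plaintext(c, pub, bits=PLAIN_BITS):
    """The search both replies describe: encrypt every candidate short
    plaintext under the public key and compare with c. Match or None."""
    for cand in range(1 << bits):
        if rsa_raw(cand, pub) == c:
            return cand
    return None

def pad(m, n):
    """Toy random padding (demo assumption, not OAEP/PKCS#1): message in the
    top bits, the rest filled with random bits up to just below the size
    of n, as Unruh's reply suggests. The padded value is always below n."""
    fill = n.bit_length() - 1 - PLAIN_BITS
    return (m << fill) | secrets.randbits(fill)

def unpad(x, n):
    return x >> (n.bit_length() - 1 - PLAIN_BITS)

def demo():
    """Returns (bare search result, padded search result, decrypted padded)."""
    pub, priv = make_toy_keypair()
    m = 0xBEEF5                          # constructed 20-bit secret
    found_bare = enumerate_short_plaintext(rsa_raw(m, pub), pub)
    c_padded = rsa_raw(pad(m, pub[0]), pub)
    found_padded = enumerate_short_plaintext(c_padded, pub)
    recovered = unpad(rsa_raw(c_padded, priv), pub[0])
    return found_bare, found_padded, recovered

if __name__ == "__main__":
    print(demo())   # (782069, None, 782069)
```

The padded search returns None because RSA is a permutation of the residues mod n and the padded value is at least 2^20, so no 20-bit candidate can encrypt to the same ciphertext.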

------------------------------

From: [EMAIL PROTECTED] (Gilad Maayan)
Subject: A few questions on RSA encryption
Date: Sat, 26 Jun 1999 21:06:36 GMT

I have a couple of questions on RSA; I hope someone will be able to
help.

1. I haven't been able to find any information on the relationship
between the number of bits encrypted by RSA, and the level of security
obtained. Let's say you're encrypting 20 bits with a 512 or 1024 bit
key. Is the small size of the plaintext relevant? Will the encrypted
message be easier to crack than, say, an entire document encoded by
the same RSA key?

2. Would it be at all possible to break an RSA cyphertext, knowing
neither the secret key, the public key, nor the modulus?

3. Would it be possible to extrapolate an RSA key from a cyphertext,
if the plaintext was known? (assuming that neither the key used for
encryption nor its corresponding modulus are known).

4. If the modulus and public key were known, would available
cyphertext-plaintext make the cryptanalysis process faster or easier?

5. (This one concerns DES, despite the topic :) Let's take a specific
encryption scenario, where a random key-seed is run through two
different functions. The two keys generated by this process, each 64
bits long, are used for a Triple-DES operation, the result of which is
sent through a non-secure medium. The key-seed is encrypted using
RSA, and sent along with the encrypted message. If the two functions
aren't known to an attacker, and he manages to break the RSA code and
obtain the key-seed, would he be able to use that to extrapolate the
said functions from the encrypted message? I'm aware of the
key-management issues that arise from this scenario; my question
relates to a purely mathematical attack.

Many thanks,
Gilad Maayan

------------------------------

From: "Mike Murray" <[EMAIL PROTECTED]>
Subject: Re: DES-NULL attack
Date: Sat, 26 Jun 1999 21:53:16 GMT

Okay, just a question...

    Aernst, if you have repeatedly broken RSA (as your page suggests),
and you have broken DES, why have you yet to publish these results?

    BTW, your "proofs" of your breaks of RSA are vague, to say the
least... unless I'm missing something that you've assumed (you assumed
a hell of a lot, IMO)...

    Perhaps you could explain them to me, or, at least, make them a
little clearer...

            Mike


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************