Cryptography-Digest Digest #833, Volume #9        Mon, 5 Jul 99 20:13:04 EDT

Contents:
  Re: I don't trust my sysadmin (Christopher)
  Re: RSA Padding (S.T.L.)
  Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day 
([EMAIL PROTECTED])
  Re: Why this simmetric algorithm is not good? ([EMAIL PROTECTED])
  Re: Why this simmetric algorithm is not good? ([EMAIL PROTECTED])
  I need help seeking cryptography-related employment (Kelly Westbrooks)
  Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day ("Douglas A. Gwyn")
  Re: The One-Time Pad Paradox ("Douglas A. Gwyn")
  Re: Crypto Books on CD-ROM (Wim Lewis)
  Help!! Looking for a modular exponentiation algorithm. (Keith Reeves)
  Re: Moores Law (a bit off topic) ("Douglas A. Gwyn")
  Re: MP3 Piracy Prevention is Impossible (fungus)
  Re: Solitaire optimization (fungus)
  Re: The One-Time Pad Paradox (Coen Visser)
  Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day (S.T.L.)
  Re: Why this simmetric algorithm is not good? (S.T.L.)
  Re: DES-NULL attack (Xcott Craver)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Christopher)
Subject: Re: I don't trust my sysadmin
Date: Mon, 05 Jul 1999 13:24:36 -0400

In article <[EMAIL PROTECTED]>, Eric Hambuch
<[EMAIL PROTECTED]> wrote:

_   [EMAIL PROTECTED] wrote:
_   > 
_   > In article <[EMAIL PROTECTED]>,
_   >   "David N. Murray" <[EMAIL PROTECTED]> wrote:
_   > > Greetings, all:
_   > >
_   > > I'm in search of a protocol to implement the following scenario:
_   > >
_   > > I have an automated task that connects to a database.
_   > > The database requires a username/password combination.
_   > > I need to store the username/password with the automated task.
_   > > My system administrator (who needs to be able to read the
_   > > automated task to do backups) is not authorized to access
_   > > the database. (Protecting the database is not my concern.
_   > > Just protecting the automated login.)
_   > 
_   > Hash the password and store the hash on the protected side.  So you
_   > type the password on Machine A, it gets hashed goes thru the middle man
_   > and compared with the HASH on Machine B.
_   > 
_   > Unless the sysadmin can get access to stuff you type (which I doubt
_   > they can) they will not be able to tell what the password was.
_   
_   As far as I know, "root" can access everything you type on the console
_   ?!
_   
_   Eric


I'm not sure how any of this helps an automated setup though...

Silly question time, why not backup the protected database (passwords
required to access it after a restore)?


------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: RSA Padding
Date: 05 Jul 1999 18:25:46 GMT

<<Encrypt a message with RSA in byte size blocks and I will crack your
message in under a day...>>

Who'd do such a thing? When I encrypt with RSA (on my TI-92) and don't use
padding, I break my message up into chunks that are the size of the modulus,
which can be, say, 800 bits. That can't be frequency analyzed.

-*---*-------
S.T.L.  ===> [EMAIL PROTECTED] <===  BLOCK RELEASED!    2^6972593 - 1 is PRIME!
Quotations:  http://quote.cjb.net  Main website:  http://137.tsx.org    MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"  e^(i*Pi)+1=0   F00FC7C8
E-mail block is gone. It will return if I'm bombed again. I don't care, it's
an easy fix. Address is correct as is. The courtesy of giving correct E-mail
addresses makes up for having to delete junk which gets through anyway. Join
the Great Internet Mersenne Prime Search at http://entropia.com/ips/  Now my
.sig is shorter and contains 3379 bits of entropy up to the next line's end:
-*---*-------

***Congratulations to Nayan Hajratwala!***
Card-holding member of the Dark Legion of Cantorians, the Holy Order of the
Catenary, the Great SRian Conspiracy, the Triple-Sigma Club, the Union of
Quantum Mechanics, the Polycarbonate Syndicate, the Roll-Your-Own Crypto
Alliance, and People for the Ethical Treatment of Digital Tierran Organisms
Avid watcher of "World's Most Terrifying Causality Violations", "When Kaons
Decay: World's Most Amazing CP Symmetry Breaking Caught On [Magnetic] Tape",
"World's Scariest Warp Accidents", "World's Most Energetic Cosmic Rays", and
"When Tidal Forces Attack: Caught on Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #10: Thou Shalt Conserve Electric Charge.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day
Date: Mon, 05 Jul 1999 19:54:46 GMT

<snip>

If you constrain the output of an OTP then it's not an OTP.  It's not
really practical to assume that an OTP output of all zeros or all ones
etc... would happen often.  In fact with an increase in output the
chances lower.  For example in a 100 byte message you have a 2^-800
chance of getting such a weak key.  This is a very unlikely thing to
happen.

You could always mix (cascade) several PRNGs (which are crypto strong
such as RC4/A5 etc..) but this would not really lower the chances...

Tom


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Why this simmetric algorithm is not good?
Date: Mon, 05 Jul 1999 19:47:37 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Francois Grieu) wrote:
> 0) The algorithm is probably weak unless the Random function is designed
>    for crypto

Well unless it a) is unpredictable and b) has a large active state.

>
> 1) someone actively intercepting a ciphertext can flip whatever bit of
>    plaintext

They can do that with any stream cipher.  That does not affect security.

>
> 2) someone managing to get a ciphertext and its corresponding plaintext
>    can decipher or forge messages using the same key, of length up to
>    the intercepted message size
>
> 3) someone intercepting several ciphertexts enciphered with the same key
>    can detect that some bits are identical to previous messages at a
>    given position; can be useful if the purpose is to detect something
>    unusual (e.g. the message starts in "ALERT !!!" instead of "dear sir")
>
> 4) there is no provision for messages not a multiple of 128 bits

In a stream cipher all you have to do is make a PRNG which is a)
reproducible, b) has a large internal state and c) is unpredictable.
Flipping bit attacks and the other chosen-plaintext attacks do not work
(directly) with stream ciphers.  Of course a chosen-plaintext attack
can reveal the key stream but this will not lessen the security of
ciphertext unless the key can be guessed...

If the message is not a multiple of 128 bits simply pad zeros.
Assuming the key in each block is 'random' this will have no effect on
security.  It will give a few bits of known plaintext but if it is
truly random there would be no correlation to use.

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
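The four properties Francois Grieu lists and Tom answers above, worked through in code. This is an added example, not code from either poster: the keystream generator is a SHA-256 counter construction standing in for the "crypto strong PRNG" of the thread (it is a demo construction, not a standard cipher), the key, nonce and messages are constructed, and the HMAC tag at the end is the usual remedy for the bit-flipping and forgery points (1 and 2) that Tom says do not lessen security.

```python
import hashlib
import hmac

# Constructed demo key and nonce. A real system draws the key at random and
# never reuses a nonce under the same key (that reuse is point 3 below).
KEY = b"constructed-demo-key-0123456789"
NONCE = b"\x00" * 8
# Separate MAC key derived from KEY so the cipher and the tag do not share one.
MAC_KEY = hashlib.sha256(b"mac|" + KEY).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` keystream bytes: SHA-256 over
    key || nonce || counter. Stand-in for the thread's PRNG, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream. Works for any
    length, so point 4 (padding to 128 bits) does not arise here."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def keystream_from_known_plaintext(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Point 2: one known plaintext/ciphertext pair gives the keystream for
    those positions, hence anything shorter sent under the same key and nonce."""
    return xor_bytes(plaintext, ciphertext)


def flip_bits(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """Point 1: with no integrity check, XORing the difference between the
    known and the wanted plaintext into the ciphertext changes what decrypts."""
    return xor_bytes(ciphertext, xor_bytes(known, wanted))


def equal_positions(c1: bytes, c2: bytes) -> list:
    """Point 3: under a reused keystream, equal ciphertext bytes mean equal
    plaintext bytes at that position, whatever the two plaintexts are."""
    return [i for i, (x, y) in enumerate(zip(c1, c2)) if x == y]


def encrypt_then_mac(key: bytes, nonce: bytes, plaintext: bytes):
    """Remedy for points 1 and 2: authenticate nonce and ciphertext with HMAC."""
    ct = encrypt(key, nonce, plaintext)
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_and_decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None if the ciphertext was modified in transit."""
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(key, nonce, ct)


if __name__ == "__main__":
    msg = b"dear sir, please send 100 units"
    target = b"dear sir, please send 900 units"
    ct = encrypt(KEY, NONCE, msg)
    print(decrypt(KEY, NONCE, flip_bits(ct, msg, target)))  # the flipped text decrypts cleanly
    ct2, tag = encrypt_then_mac(KEY, NONCE, msg)
    print(verify_and_decrypt(KEY, NONCE, flip_bits(ct2, msg, target), tag))  # None: rejected
```

The unauthenticated cipher decrypts the flipped ciphertext to the attacker's text without complaint, which is why "does not affect security" holds only for confidentiality; the HMAC variant rejects it. Point 3 is visible in `equal_positions`: two messages under the same key and nonce agree in ciphertext exactly where they agree in plaintext.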

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Why this simmetric algorithm is not good?
Date: Mon, 05 Jul 1999 19:50:44 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (John Savard) wrote:
> Answer: nothing. (Well, there's the bit-flipping attack: someone
> knowing the plaintext can invert ciphertext bits to make the new
> plaintext anything he wants.)

bit-flipping is not an attack on ciphertext. The only real attack is
with known/chosen plaintext where the PRNG output is revealed.

> Unfortunately, the "random function strength" is normally pretty
> lousy. The most common PRNG offered in standard libraries is a mixed
> congruential one, which is fairly easy to predict.

This is true.  Most rand() functions fail a simple ODD/EVEN test
although some are better (GNU LIBC and WATCOM are slightly better).
They have a small 32-bit seed which even if rand() were secure could be
brute forced in under a day...

> So there isn't anything _else_ wrong with it, besides the one thing
> that makes it completely unfit for use.

Sounds nice.  Unfortunately in stream ciphers they have only one
component PRNG.  If the PRNG is weak then hahaha!

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
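The ODD/EVEN test Tom mentions, run against a mixed congruential generator. This is an added example, not code from the post: the LCG constants are the example rand() the C standard gives (assumed here for illustration), and the SHA-256 counter generator is a constructed contrast, not any library's rand().

```python
import hashlib


def lcg(seed: int, a: int = 1103515245, c: int = 12345, m: int = 2**31):
    """Mixed congruential generator. With m a power of two and a, c odd,
    state_{n+1} mod 2 == (state_n + 1) mod 2, so the low bit just alternates."""
    state = seed % m
    while True:
        state = (a * state + c) % m
        yield state


def hash_counter_stream(seed: bytes):
    """Contrast generator: SHA-256 of seed || counter. A constructed stand-in
    for a PRNG that is meant to be unpredictable, not a production design."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        yield int.from_bytes(digest[:4], "big")
        counter += 1


def low_bit_period(gen, samples: int = 64):
    """Shortest period p <= samples/2 of the least significant output bit,
    or None if the sampled bits show no such period."""
    bits = [next(gen) & 1 for _ in range(samples)]
    for p in range(1, samples // 2 + 1):
        if all(bits[i] == bits[i + p] for i in range(samples - p)):
            return p
    return None


def fails_odd_even_test(gen, samples: int = 64) -> bool:
    """Tom's ODD/EVEN test: parity of successive outputs strictly alternates,
    so every other keystream bit is known in advance."""
    return low_bit_period(gen, samples) == 2


if __name__ == "__main__":
    print(low_bit_period(lcg(12345)))                      # 2
    print(low_bit_period(hash_counter_stream(b"seed")))    # None
```

The other objection in the post, the 31-bit state, is visible in `lcg` itself: the whole generator is determined by `seed % m`, so there are at most 2^31 distinct keystreams to try regardless of how good the mixing is.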

------------------------------

From: Kelly Westbrooks <[EMAIL PROTECTED]>
Subject: I need help seeking cryptography-related employment
Date: Mon, 05 Jul 1999 17:20:54 -0400

Would someone please respond with a link to the fastest algorithm for
factoring numbers on the order of less than 2^64?  The algorithm should
be suitable for programming on a machine with a m68000 processor w/512KB
memory.

Thanks in advance,
[EMAIL PROTECTED]
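One answer to the question above, as an added example rather than anything from the poster: Brent's variant of Pollard's rho, which for numbers below 2^64 needs only modular multiplication and a gcd and almost no memory, so it is the kind of algorithm that fits a small 68000 system. The code is in Python for readability; the primality test is Miller-Rabin with bases that are deterministic for the whole 64-bit range.

```python
import math
import random

# Bases that make Miller-Rabin deterministic for every n < 2^64 (and well
# beyond), so this doubles as the primality test factorize() needs.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho_brent(n: int, seed: int = 1) -> int:
    """Return a nontrivial factor of composite n. Brent's cycle finding with
    one gcd per batch of 128 modular multiplications; retries on failure."""
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    while True:
        y = rng.randrange(1, n)
        c = rng.randrange(1, n)
        batch = 128
        g = r = q = 1
        x = ys = y
        while g == 1:
            x = y
            for _ in range(r):
                y = (y * y + c) % n
            k = 0
            while k < r and g == 1:
                ys = y
                for _ in range(min(batch, r - k)):
                    y = (y * y + c) % n
                    q = q * abs(x - y) % n
                g = math.gcd(q, n)
                k += batch
            r *= 2
        if g == n:
            # The batch overshot a factor; redo it one step at a time from ys.
            g = 1
            while g == 1:
                ys = (ys * ys + c) % n
                g = math.gcd(abs(x - ys), n)
        if g != n:
            return g
        # Degenerate sequence for this (y, c): loop and try another pair.


def factorize(n: int) -> list:
    """Prime factors of n with multiplicity, sorted."""
    factors = []
    stack = [n]
    while stack:
        m = stack.pop()
        if m == 1:
            continue
        if is_prime(m):
            factors.append(m)
            continue
        d = pollard_rho_brent(m)
        stack.append(d)
        stack.append(m // d)
    return sorted(factors)


if __name__ == "__main__":
    print(factorize(2**64 - 1))  # [3, 5, 17, 257, 641, 65537, 6700417]
```

Expected running time is about the square root of the smallest prime factor, so a 64-bit semiprime with two 32-bit factors costs on the order of 2^16 iterations; trial division up to a few thousand first is the usual cheap improvement.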


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day
Date: Mon, 05 Jul 1999 21:41:22 GMT

"Dr.Gunter Abend" wrote:
> Several posters refused this attempt with just the argument
> "it's still random", "it doesn't leak any information", etc.
> That's all true, but it doesn't hit the point J.Savard was
> asking ("if a cryptanalyst ... guesses the correct plaintext,
> this would lead to catastrophic consequences").

To the contrary, that argument was thoroughly demolished.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: The One-Time Pad Paradox
Date: Mon, 05 Jul 1999 21:43:01 GMT

"Dr.Gunter Abend" wrote:
> I don't know which of the two proposed methods will be better.

None of them.  The best method is to not filter the OTP key stream.

------------------------------

From: [EMAIL PROTECTED] (Wim Lewis)
Subject: Re: Crypto Books on CD-ROM
Date: 5 Jul 1999 22:22:55 GMT

In article <7lqjj1$[EMAIL PROTECTED]>,
Wil Baden  <[EMAIL PROTECTED]> wrote:
>I do not have a credit-card.  How can i order this?

Do you have a checking account? I received what I assume is the same
solicitation as <castor>'s, and it has the usual "pay by check / pay
by credit card" checkboxes. I assume they'd accept money orders and the
like as well. Try 1-800-228-2700 or [EMAIL PROTECTED]

-- 
             Wim Lewis * [EMAIL PROTECTED] * Seattle, WA, USA

------------------------------

From: [EMAIL PROTECTED] (Keith Reeves)
Subject: Help!! Looking for a modular exponentiation algorithm.
Date: Mon, 05 Jul 1999 21:54:18 GMT

I'd really appreciate if someone could help me out! I'm looking for a
modular exponentiation algorithm, one that can be used with RSA. Could
anyone point me in the right direction? If anyone knows where I can
find one of these on the web, explained in semi-layman terms, it would
be a big help.
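The algorithm being asked for, as an added example (not from the poster or any library): square-and-multiply, plus the Montgomery ladder variant that RSA private-key code prefers because its operation sequence does not depend on the exponent bits. The toy key n = 61 * 53, e = 17, d = 2753 is constructed for the round trip and is far too small for real use.

```python
def mod_pow(base: int, exponent: int, modulus: int) -> int:
    """Right-to-left square-and-multiply. Scan the exponent bit by bit,
    square the base each step and multiply it in when the bit is 1. Every
    intermediate is reduced mod the modulus, so numbers never grow past
    about twice the modulus size, which is what makes RSA practical."""
    if modulus == 1:
        return 0
    result = 1
    base %= modulus
    while exponent > 0:
        if exponent & 1:
            result = result * base % modulus
        exponent >>= 1
        base = base * base % modulus
    return result


def mod_pow_ladder(base: int, exponent: int, modulus: int) -> int:
    """Montgomery ladder, left to right. Same result, but every bit costs one
    squaring and one multiplication whether it is 0 or 1, so the branch
    pattern reveals nothing about a private exponent. (Python's big-int
    arithmetic itself is not constant-time; the point here is the algorithm.)"""
    if modulus == 1:
        return 0
    r0, r1 = 1, base % modulus
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % modulus, r1 * r1 % modulus
        else:
            r1, r0 = r0 * r1 % modulus, r0 * r0 % modulus
    return r0


# Textbook RSA round trip on a constructed toy key (p = 61, q = 53).
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def rsa_roundtrip(m: int) -> tuple:
    """Encrypt with the public exponent, decrypt with the private one."""
    c = mod_pow(m, TOY_E, TOY_N)
    return c, mod_pow_ladder(c, TOY_D, TOY_N)


if __name__ == "__main__":
    print(mod_pow(4, 13, 497))   # 445
    print(rsa_roundtrip(65))     # (2790, 65)
```

For real keys the exponent has a thousand or more bits, so the loop runs that many times with operands reduced after every step; the naive `base ** exponent % modulus` would try to build a number of millions of bits first.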

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Moores Law (a bit off topic)
Date: Mon, 05 Jul 1999 23:32:04 GMT

fungus wrote:
> At 250 GHz an electron could only travel about a millimeter, max.
> Your entire CPU and memory will have to fit inside something a
> millimeter in diameter.

Not necessarily; the architecture could be highly parallel and
pipelined.

------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: MP3 Piracy Prevention is Impossible
Date: Sun, 04 Jul 1999 14:59:58 -0100



Wim Lewis wrote:
> 
> I think you are missing the point. The idea isn't that this will make it
> hard for someone to make copies of a copyrighted work. But since the
> copy won't be correctly signed, it can only be played on hacked players ---
> so you won't be able to make any money selling pirate copies. (Unless,
> of course, someone else is making money selling hacked players...)
> 

Are you suggesting we go down the DivX road to failure here?

Do you want each copy of a piece of music to be "signed" so it
only works on a particular player? What if I lose my player?
What if I own three players (one at home, one in the car and
one at work)?

DivX failed because it limited where you could watch the movies
to your personal TV/player. The situation with music is *much worse*
than this because people play music in more places.

Watching TV means having a physically large device (ie. the TV
set) present. I don't expect to watch TV in my car or sitting
in a park. Music is different, it only needs a pair of headphones.
"Signing" individual copies of music so they only work on one
player is completely unworkable.

-- 
<\___/>
/ O O \
\_____/  FTB.


------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: Solitaire optimization
Date: Sun, 04 Jul 1999 19:46:53 +0200



Bruce Schneier wrote:
> 
> >It's clear that speed matters. Has anyone timed doing RC4 by hand? And
> >no one wants to comment on whether cutting the deck length or simplifying
> >the output step makes Solitaire less secure?
> 
> I recommend against making the deck smaller or simplifying the
> algorithm.
> 

How error tolerant are these systems? An error in RC4 would accumulate
until a message was unreadable.

> Historically, these ciphers have been slow.  There is a Soviet
> pen-and-paper cipher described in Kahn on Codes.  It takes a few hours
> to encrypt or decrypt a message.
> 

This would be ok if mistakes didn't accumulate. A couple of bad letters
in a message wouldn't make it unreadable.



-- 
<\___/>
/ O O \
\_____/  FTB.

------------------------------

From: [EMAIL PROTECTED] (Coen Visser)
Subject: Re: The One-Time Pad Paradox
Date: 6 Jul 1999 00:02:22 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> writes:
>Coen Visser wrote:

[...]
>> The strength of your scheme lies in the strength of the OTP.
>> You just need OTP (+) M_fake (+) M_secret. Adding more than 1 M_fake
>> doesn't make things much safer. Improving the OTP does.

>I can use M_i such that they may all plausibly be the real message. 
>How large is the chance that the analyst be able to obtain all the 
>n+1 messages completely, if n is, say, of the order of 10, instead 
>of getting probably none, even if the keystream is quite a bit less 
>perfect than an ideal OTP (e.g. from a PRNG)? I wonder if anyone has 
>considered this problem realistically instead of basing arguments on 
>words which cannot be quantified.

Tell me, how do you quantify: "a message is plausibly the real message"?

Regards,

        Coen Visser

------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day
Date: 05 Jul 1999 23:54:12 GMT

<<if a cryptanalyst ... guesses the correct plaintext, this would lead to
catastrophic consequences>>

Anyone can guess at plaintexts, with nothing to go on but thin air. This is not
a problem. Properly working OTPs *never*, *ever* leak information, period. No
clarification needed.

Moo-Cow-ID: 34  Moo-Cow-Message: Obsessed

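The information-theoretic argument that runs through Tom's, Douglas Gwyn's and S.T.L.'s posts on the constrained one-time pad, made concrete on a pad small enough to enumerate. This is an added example, not code from any of the posters; the "constraint" modelled is the one discussed in the thread, rejecting all-zero and all-one pads, and the pad sizes are constructed.

```python
import math


def all_keys(nbits: int) -> list:
    """Every possible pad; the unconstrained OTP draws uniformly from these."""
    return list(range(2 ** nbits))


def filtered_keys(nbits: int) -> list:
    """Pads left after the constraint in the thread: no all-zero, no all-one pad."""
    top = (1 << nbits) - 1
    return [k for k in range(2 ** nbits) if k not in (0, top)]


def consistent_plaintexts(ciphertext: int, keys) -> set:
    """Plaintexts an observer cannot rule out: p = c XOR k for every allowed k."""
    return {ciphertext ^ k for k in keys}


def ruled_out(ciphertext: int, nbits: int, keys) -> set:
    """Plaintexts the observer now knows were NOT sent. Empty for a true OTP:
    every plaintext is reachable from every ciphertext by some pad."""
    return set(range(2 ** nbits)) - consistent_plaintexts(ciphertext, keys)


def key_entropy_bits(keys) -> float:
    """Entropy of a uniform choice from the allowed pads."""
    return math.log2(len(keys))


def pattern_probability(nbits: int) -> float:
    """Chance a uniformly random pad equals one fixed pattern (all zeros, say):
    Tom's 2^-800 for a 100-byte message."""
    return 2.0 ** -nbits


if __name__ == "__main__":
    c = 0b1010
    print(ruled_out(c, 4, all_keys(4)))       # set(): nothing learned
    print(ruled_out(c, 4, filtered_keys(4)))  # {10, 5}: c itself and its complement
    print(pattern_probability(800))           # ~1.5e-241
```

With the full key space the observer learns nothing, which is S.T.L.'s "never, ever leak" and why Gwyn says not to filter. The filtered pad lets the observer cross off exactly the plaintexts that would have needed a rejected pad (here the ciphertext itself and its bitwise complement), a leak bought to avoid an event of probability 2^-n per pattern; the "lucky guess" of a plaintext gains nothing either way, since every plaintext of that length is equally consistent with the ciphertext.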


------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: Why this simmetric algorithm is not good?
Date: 06 Jul 1999 00:05:13 GMT

<<Nothing. What you have here is called a steam cipher.>>

Yes, you heard it here! It can press your clothes, clean your rug, and at the
end of the day makes for a relaxing, hot sauna!
*S.T.L. convulses with laughter*

Moo-Cow-ID: 45  Moo-Cow-Message: Bonus



------------------------------

From: [EMAIL PROTECTED] (Xcott Craver)
Subject: Re: DES-NULL attack
Date: 5 Jul 1999 23:39:33 GMT

<[EMAIL PROTECTED]> wrote:
>  [EMAIL PROTECTED] wrote:
>> Hello Tom,
>>
>> I'm very sorry. You must ask for training in math.
>
>What *are* you talking about?

        Alex is notorious for these kinds of attacks, apparently
        unaware that they amount to nothing more than brute-force.

        In his attempt to cast doubt on RSA, he announced an attack
        in which one encrypts EVERY POSSIBLE PLAINTEXT with the
        public key, and just uses this list as a huge lookup table when
        given a ciphertext.  Assuming a 1024-bit modulus, this amounts 
        to well over a billion billion billion billion billion billion
        billion billion billion billion billion billion billion billion
        billion billion billion billion billion billion billion billion
        billion billion billion billion billion billion billion billion
        billion billion billion Gigabytes of storage, with a comparable
        amount of time to construct the dictionary.
        
        In this case, he seems to be saying the same for DES, that one
        can just build a table of every possible encryption of a null
        string --- only about a billion Gigabytes for 56-bit DES ---
        and use this as a huge lookup table.

        One problem with this attack is that there is no way to tell
        if a block is an encryption of a null or something else.  
        With a message of 2,000 blocks, Alex will have to look up
        2,000 entries.  Chances are 1 in 10 quadrillion that one
        of them will be a null.  1 in 10000000000000000 times, his
        room full of Gigabyte drives will be useful.  

        Like RSA-NULL, this attack is slower than brute force.
        Modern cryptography hinges upon creating huge numbers
        --- a huge amount of time, a huge amount of space --- 
        as barriers to an attacker.  It is only natural that someone
        without a grasp of huge numbers thinks these ciphers
        trivial to break.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
