Cryptography-Digest Digest #857, Volume #9 Fri, 9 Jul 99 12:13:03 EDT
Contents:
Re: length of prime ([EMAIL PROTECTED])
Re: Why this simmetric algorithm is not good? ([EMAIL PROTECTED])
Re: AES question ([EMAIL PROTECTED])
Re: Stream Cipher != PRNG ([EMAIL PROTECTED])
Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day ("Robert C. Paulsen, Jr.")
Uncrackable? (James Andrews)
Re: I don't trust my sysadmin (Pierre Abbat)
Re: Netiquette Question ("H. Ellenberger")
Re: Why this simmetric algorithm is not good? ("Douglas A. Gwyn")
Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day ("Douglas A. Gwyn")
Re: Electronically Exporting crypto source (legally) (Patrick Juola)
Re: Number Field Sieve, RSA factoring (Bob Silverman)
Re: Why this simmetric algorithm is not good? ([EMAIL PROTECTED])
Re: Is Stenography legal? (fungus)
Re: Stream Cipher != PRNG ([EMAIL PROTECTED])
Re: Weakness of MLCG style encryption (Terry Ritter)
Re: Can Anyone Help Me Crack A Simple Code? (Paul Schlyter)
Re: Is Stenography legal? (Patrick Juola)
Re: Standard Hash usage ("Richard Parker")
Re: Keeping File Formats Safe (Ronald Klazar)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: length of prime
Date: Fri, 09 Jul 1999 11:17:55 GMT
In article <[EMAIL PROTECTED]>,
chicago <"gabriel. nock"@siemens.de> wrote:
> if i want to use a function, which generates the Diffie-Hellman
> parameters, I am asked for the length of the prime and the subprime..
> why doesn't this work with any numbers (i mean the length)??
> isn't the length of the prime also the length of the key which will be
> generated??
> and in what relation stands the subprime to the prime??
> the prime has to be large and the subprime has to be small, isn't it
> like this??
> and isn't it so, that it is not important what length i take?? ok, with
> some primes the security wouldn't be so good, but the generator and the
> prime should be generated... but it doesn't work..
> (it's the R_GenerateDHParams-function in the RSAEuro library..i always
> got an error return of this function..
I always thought the 'key' size in DH was the modulus. Generally you
shouldn't have to generate it often if it's large enough.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why this simmetric algorithm is not good?
Date: Fri, 09 Jul 1999 11:21:59 GMT
In article <[EMAIL PROTECTED]>,
david thompson <[EMAIL PROTECTED]> wrote:
> Especially since the former stores to each of x and y
> twice between sequence points, which technically is
> undefined behavior according to the C standard. Your
> compiler may implement something reasonable, either
> intentionally or by happy accident, but you cannot rely
> on this working on other systems, new(er) compilers,
> or possibly even different compiler options/environment.
> (comp.lang.c FAQ section 3; ISO 9899:1990 6.3, 5.1.2.3,
> annex C et al; or for more discussion choose any three
> days at random -- with even a poor PRNG <G> -- and likely
> find at least one long thread in comp.lang.c)
That is wrong.
>>> return state[x = ni[++x]] += state[y = ni[++y]];
The ni[] is higher precedence so the ++x will always occur first, then
the lookup, then the store. You *can't* compile that any other way.
Think about it how do you know what to store to x, unless you do the
index?
It's just inefficient code. Note: I fixed this in my lib (progress?).
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: AES question
Date: Fri, 09 Jul 1999 11:24:31 GMT
In article <7m3pd9$3eeg$[EMAIL PROTECTED]>,
"King" <[EMAIL PROTECTED]> wrote:
> Hi, can anyone tell me how many and when AES submissions have been broken as
> of today? I tried to find the information but part of NIST web site was
> down. Thanks!
>
Briefly noting.
1) Magenta has been broken
2) RC6 has ?weak? key schedule, now called RC6a
3) Twofish has bad whitening keys, apparently doesn't weaken cipher
4) SAFER has weak key schedule for 192 and 256 bit keys
I think that's about it.
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Stream Cipher != PRNG
Date: Fri, 09 Jul 1999 11:15:37 GMT
In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> Nicol So wrote:
> > ... this common construction does not cover the full generality of
> > stream ciphers. An obvious limitation of this framework is that
> > the cipher's state has no dependency on the plaintext stream.
>
> Exactly.
> There are also simple cryptanalytic attacks against a KG-based
> system, which don't work against more sophisticated systems.
>
Ok I think I understand what you guys mean now... Hmm ok.
Tom
------------------------------
From: "Robert C. Paulsen, Jr." <[EMAIL PROTECTED]>
Subject: Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day
Date: Fri, 09 Jul 1999 06:42:46 -0500
"Douglas A. Gwyn" wrote:
>
> "Robert C. Paulsen, Jr." wrote:
> > But the next thing to consider is that the tiny degree to which
> > quantum randomness affects the initial conditions may be enough so
> > that the quantum randomness is magnified to be the primary factor
> > in the results. (These "initial" conditions get applied at every
> > bump and bounce the dice take.)
>
> Rolling dice would be just as random if physics were Newtonian
> and not quantum.
Why do you say that this is a case where quantum randomness isn't
manifested in "normal-scale" behavior? It wouldn't be the only case
-- a geiger counter being a prime example. I'm not saying you are
wrong, just trying to understand.
--
____________________________________________________________________
Robert Paulsen http://paulsen.home.texas.net
If my return address contains "ZAP." please remove it. Sorry for the
inconvenience but the unsolicited email is getting out of control.
------------------------------
From: James Andrews <[EMAIL PROTECTED]>
Subject: Uncrackable?
Date: Fri, 09 Jul 1999 12:53:01 +0100
Reply-To: [EMAIL PROTECTED]
Are there any ciphers that are accepted as being only crackable by
iteration? I must admit I've never come across any, but I think I've
written one. Since all the popular and common encryption methods seem
to be getting a lot of flak lately as people find *relatively* easy ways
of deciphering the data stored within. I recently read a review of a
book that apparently revealed the secrets of the DES encryption method,
which I've always thought was a bit sheepish anyway. If anyone is
interested I'll make available some information/examples of my
encryption method, though I'm precarious because of copyright. I don't
want someone passing it off as their own. Any suggestions on securing
legal rights, how to go about it etc would be much appreciated too.
James
------------------------------
From: Pierre Abbat <[EMAIL PROTECTED]>
Subject: Re: I don't trust my sysadmin
Date: Fri, 9 Jul 1999 07:46:38 -0400
On Fri, 02 Jul 1999, David N. Murray wrote:
>Greetings, all:
>
>I'm in search of a protocol to implement the following scenario:
>
>I have an automated task that connects to a database.
>The database requires a username/password combination.
>I need to store the username/password with the automated task.
>My system administrator (who needs to be able to read the
>automated task to do backups) is not authorized to access
>the database. (Protecting the database is not my concern.
>Just protecting the automated login.)
>
>How do I store the uname/password to make it as difficult as
>possible for the sysadmin to retrieve? My basic assumption
>is that if I encrypt the password, I have to decrypt it to
>present it to the DBMS. That means that the key, algorithm,
>and ciphertext are all in the same place, right? Isn't that
>a Bad Thing?
Try SRP (http://srp.stanford.edu). If your login is using PAM for
authentication, you should be able to drop the PAM version in and get it to
work.
phma
------------------------------
From: "H. Ellenberger" <[EMAIL PROTECTED]>
Subject: Re: Netiquette Question
Date: Thu, 08 Jul 1999 19:07:34 +0200
John Savard wrote:
> In general, if I receive a message by E-mail containing information
> related to a posting that I feel is relevant enough to deserve being
> preserved in a thread,
>
> I post the information,
>
> but I respect the E-mail sender's privacy by not identifying who sent
> the E-mail, while still acknowledging that the source of the
> information was an E-mail, and not me.
>
> Although I believe that is a reasonable procedure, unless it is
> specifically noted in the E-mail that the information is confidential
> for whatever reason, perhaps a more cautious procedure is expected?
>
> John Savard ( teneerf<- )
> http://members.xoom.com/quadibloc/crypto.htm
In deciding your question I don't see any difference between snail mail
and email and therefore do handle received emails the same way as snail
mail.
I also expect that those receiving emails from me proceed accordingly.
Now, what would you say if a recipient of a snail mail letter you sent to
someone would publish it without prior asking for permission?
Unless the content or context of the letter clearly indicates that it is
_intended_ for publication, I always ask the sender before making it
available to others.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Why this simmetric algorithm is not good?
Date: Fri, 09 Jul 1999 12:30:11 GMT
[EMAIL PROTECTED] wrote:
> >>> return state[x = ni[++x]] += state[y = ni[++y]];
> The ni[] is higher precedence so the ++x will always occur first,
> then the lookup, then the store. You *can't* compile that any
> other way.
No, there is no sequence point within the expression x=ni[++x],
so the incremented value of x may be stored into x *after* the ni
array member is stored into x. This typically would occur due to
caching for optimization purposes.
This is no longer a cryptologic issue, but one of C programming.
Try comp.lang.c if you need further discussion of such matters.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day
Date: Fri, 09 Jul 1999 12:37:46 GMT
"Robert C. Paulsen, Jr." wrote:
> Why do you say that this is a case where quantum randomness isn't
> manifested in "normal-scale" behavior?
Because it simply isn't. The main factors affecting a rolled
die include gravitation, friction, elasticity, etc. Ultimately,
properties of materials can be explained as consequences of
quantum principles, but we don't normally consider the factors
involved in this case to be characteristically quantum phenomena.
In particular, there is no mixed-state projection, quantum
entanglement, or any of the other forms of "quantum randomness"
necessary to describe the behavior of a typical bouncing die.
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Electronically Exporting crypto source (legally)
Date: 9 Jul 1999 09:28:08 -0400
In article <Xjih3.1123$[EMAIL PROTECTED]>,
Dmitri Alperovitch <[EMAIL PROTECTED]> wrote:
>>I'm sure that it was considered. Will *you* be as lucky when
>>you try the same thing? Failure to prosecute an isolated case
>>doesn't render a law (or executive policy) null and void.
>
>So what you are saying is that no matter whether your actions are 100%
>legal or illegal, but if the result is strong cryptographic algorithms
>being exported out of the country - you have committed a crime?
>Somehow, I doubt that's a correct interpretation of the law...
Well, given that there's no way of knowing *before a court rules on it*
whether or not an action is 100% legal, it doesn't seem that your
interpretation is correct, either.
Contrary to popular belief, laws, and the police who enforce the laws
and the judges who interpret them, are not necessarily devotees of
formal logic -- and they don't often regard reductio ad absurdum
proofs as grounds for dismissal.
There is *specific* Constitutional protection for "freedom of the
press", which "obviously" covers printed, human-to-human communication
in the form of a book or article. There is no such specific protection
for code, and for that matter for telephone conversations.
So, let's assume that I get caught exporting the following single line :
for (i=0;i<BLOCKSIZE;i++)
The first question the police will ask -- and I hope I have an answer
ready -- is "Why did you export a single line of code?" If I answer
"I wanted to export code and I thought that if I exported it a line
at a time, it would be legal", then I've *ADMITTED* that I'm trying to
break the regulations, and I really can't make the case that I didn't
have malicious intent, that I didn't know what I was doing, or that I
thought what I was sending was protected speech which I believed I
could export freely.
On the other hand, if I answer anything else, I'm lying to the police --
they may or may not believe me, I may or may not get away with it, but
that's hardly a way for me to claim the moral high ground and claim
that somehow I "legally" exported the code. I merely didn't get caught,
just as I *might* have carried heroin through customs without having
the narcs spot me.
-kitten
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Number Field Sieve, RSA factoring
Date: Fri, 09 Jul 1999 13:36:40 GMT
In article <[EMAIL PROTECTED]>,
Nathan Royer <[EMAIL PROTECTED]> wrote:
> Hi... I'm a student at Cal Poly San Luis Obispo. I would like to do my
> senior project on the Number Field Sieve Method of Factoring.
I hate to discourage anyone, BUT:
If you are thinking of implementing it, FORGET IT. It is way too
much work for one person. It would take *me* about a year of FULL TIME
to redo what I have already done. And I know how to do it.
> I hear
> that it is the fastest general number factoring algorithm for large
> numbers.
For sufficiently large numbers, YES. However, you will need a lot
of computer resources to make it worthwhile.
> Yet I am having a really hard time finding information on the
> subject. My questions are as follows:
>
> 1) is there any existing code available that has it implemented
Yes.
> and if so can I get a copy for analysis.
Not from me. IMO, the way one studies an algorithm is NOT by reading
code. I'll be happy to help you with anything you want to know,
but if you think you will learn from code, you are mistaken.
> 2) Where can I find documentation describing the algorithm in a way that
> an undergraduate could understand.
How much algebraic number theory have you studied? The term
"undergraduate" is too vague, in general. What matters is the MATH
you have studied. Implementing the square root code requires knowledge
of fractional ideals.
In any event, I suggest reading "The Development of the Number Field
Sieve" by Lenstra & Lenstra, LNM #1554 (Springer)
However, it will not cover practical implementation details.
> 3) Any help or advice with implementing the GNFS (general number field
> sieve) in C or C++
Absolutely!! I will be glad to help. Here are the pieces you
will need to implement. Page counts are approximate.
(1) A multi-precise library. You can get one from a number of
sources.
(2) Code to solve polynomials mod p. I suggest using the Cantor-
Zassenhaus algorithm. See Knuth Vol 2. This is needed to set up
the factor base. About 10 pages of code.
(3) The sieving phase of the code. About 40 pages of code. This is
the time critical part and needs to be done carefully.
(4) Filtering the data/Sparse Gaussian elimination. About 35 pages
of code
(5) Building the matrix. About 10 pages of code, including code for
computing the quadratic character columns
(6) Block Lanczos for solving the matrix. About 25 pages.
(7) The square root code. About 50 pages, not including Pari
(a library for algebraic no. theory).
I have implemented all of this EXCEPT the square root code. For that,
I use Peter Montgomery's code (Thank you Peter!) I just never found
the time to implement it.
May I suggest you try to implement MPQS instead? That should be doable.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why this simmetric algorithm is not good?
Date: Fri, 09 Jul 1999 15:05:13 GMT
In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > >>> return state[x = ni[++x]] += state[y = ni[++y]];
> > The ni[] is higher precedence so the ++x will always occur first,
> > then the lookup, then the store. You *can't* compile that any
> > other way.
>
> No, there is no sequence point within in the expression x=ni[++x],
> so the incremented value of x may be stored into x *after* the ni
> array member is stored into x. This typically would occur due to
> caching for optimization purposes.
>
You are wrong. You can't evaluate the ni[] without first parsing the
insides. Which is ++x. This gets compiled first.
> This is no longer a cryptologic issue, but one of C programming.
> Try comp.lang.c if you need further discussion of such matters.
True, let's keep this in mind.
Tom
------------------------------
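The sequence-point dispute in the three "Why this simmetric algorithm is not good?" posts above (Tom's claim that `x = ni[++x]` can only compile one way, and Douglas Gwyn's reply that the standard allows the increment to be stored after the table entry), as an added example that is not code from any poster. The `gen_t` context, its `ni[]` successor table, the `state[]` sample values and the `gen_step` rewrite are constructed for illustration, not the original library's code.

```c
#include <stdint.h>
#include <stddef.h>

#define N 256

/* Constructed generator context, modelled on the thread's state[]/ni[]
   expression; it is not the poster's library code. */
typedef struct {
    uint8_t state[N];   /* mixing state, updated on every output */
    uint8_t ni[N];      /* "next index" table, a permutation of 0..N-1 */
    uint8_t x, y;       /* the two indices the disputed expression updates */
} gen_t;

/* What  x = ni[++x]  is meant to do: increment x, then replace it with
   the table entry. With one side effect per statement, this order is
   guaranteed by the language. */
static uint8_t next_x_intended(const uint8_t *ni, uint8_t x)
{
    x = (uint8_t)(x + 1);
    return ni[x];
}

/* An ordering the standard also permits for the same expression, as
   Gwyn's reply describes: the compiler computes x+1, uses it for the
   lookup, stores the table entry into x, and only then writes back the
   incremented value, so the lookup is lost. This is allowed because x
   is modified twice with no sequence point in between (undefined
   behaviour), so a compiler need not pick the order the author meant. */
static uint8_t next_x_reordered(const uint8_t *ni, uint8_t x)
{
    uint8_t incremented = (uint8_t)(x + 1);
    x = ni[incremented];   /* table entry stored first ... */
    x = incremented;       /* ... then the pending increment overwrites it */
    return x;
}

/* The well-defined rewrite of the one-liner: each statement ends in a
   sequence point, so every compiler produces the intended sequence. */
static uint8_t gen_step(gen_t *g)
{
    g->x = next_x_intended(g->ni, g->x);
    g->y = next_x_intended(g->ni, g->y);
    g->state[g->x] = (uint8_t)(g->state[g->x] + g->state[g->y]);
    return g->state[g->x];
}

/* Constructed sample contents: ni[i] = 5*i+1 mod 256 is a permutation
   (5 is odd), state[i] = 7*i+3 mod 256; x and y start apart. */
static void gen_init(gen_t *g)
{
    for (size_t i = 0; i < N; i++) {
        g->ni[i]    = (uint8_t)(5 * i + 1);
        g->state[i] = (uint8_t)(7 * i + 3);
    }
    g->x = 0;
    g->y = 128;
}
```

With the sample table, `next_x_intended(ni, 0)` yields `ni[1] = 6` while `next_x_reordered(ni, 0)` yields `1`, which is the discrepancy a compiler is entitled to introduce into the original expression.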
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Is Stenography legal?
Date: Fri, 09 Jul 1999 17:24:03 +0200
>
> Hmm, it seems that most governments (especially Canadian and US) have
> a hard time trying to figure out what the people really want.
>
That's 'cos they don't ask them. They just make policy then see if
their popularity ratings go up or down as a result.
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Stream Cipher != PRNG
Date: Fri, 09 Jul 1999 14:44:35 GMT
[EMAIL PROTECTED] wrote:
> Yeah but RC4 (in [Sch96]) does not state what mixing function is used.
What is it with you?
The byte K is XORed with the plaintext to produce
ciphertext or XORed with the ciphertext to
produce plaintext. [Sch96, page 397]
--Bryan
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Crossposted-To: sci.math
Subject: Re: Weakness of MLCG style encryption
Date: Thu, 08 Jul 1999 04:31:48 GMT
On Thu, 08 Jul 1999 02:39:42 GMT, in <7m131d$uti$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] wrote:
>[...]
>The goal is to use the RNG and not reveal the current internal state.
>Algorithm M is a good example of this (Also in AC just after
>LFSRs...).
Hmmm....
1. Retter, C. 1984. Cryptanalysis of a MacLaren-Marsaglia System.
Cryptologia. 8(2): 97-108.
2. Retter, C. 1985. A Key-Search Attack on MacLaren-Marsaglia
Systems. Cryptologia. 9(2): 114-130.
3. Letters to the Editor. 1984. Cryptologia. 8(4): 374-378.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Can Anyone Help Me Crack A Simple Code?
Date: 8 Jul 1999 09:46:00 +0200
In article <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
> Roger Carbol wrote:
>
>> How many different light colours are known?
>
> An arbitrarily large number. How finely can you divide electromagnetic
> frequencies? An infinite number if you accept colors like heat,
> microwave, radio, x-ray, gamma.
Microwave, radio, x-ray, gamma are COLORS ??????
Since my eyes cannot see any of these, am I color-blind? I must
be, since I cannot see these "colors"..... <g>
You're doing the common mistake of believing "color" is just another
word for "wavelength". It's not. Wavelength is a physical property,
while color is a perception in our eyes. Almost all natural colors
we see are NOT pure spectral (monochromatic) colors, and some colors
cannot even be assigned a "dominant wavelength". What wavelengths
would you assign to these colors: white, gray, black, brown, purple
????
> The human eye can distinguish around 100,000 colors of visible light.
...and perhaps only 100 or so different spectral (monochromatic) colors.
--
================================================================
Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40, S-114 38 Stockholm, SWEDEN
e-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
WWW: http://hotel04.ausys.se/pausch http://welcome.to/pausch
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Is Stenography legal?
Date: 8 Jul 1999 09:00:50 -0400
In article <7m163f$vsn$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>Is stenography legal? I mean what if I took a 100 byte message and
>spread out the plaintext among 1024 bytes of random giblygook. It
>would be hard to decrypt (how so is challenging)....
Isn't the word "steganography"? "Stenography" is something my
secretary used to do back when we had personal secretaries and they
took dictation.
And the answer depends strongly on the random 100 byte message.
Applying steganography will not of itself make an illegal transmission
legal -- but nor will it make a legal transmission illegal.
>Is this against EAR?
Only if you're hiding cryptographic munitions. If you're hiding a
recipe for egg salad, there's no problem.
-kitten
------------------------------
From: "Richard Parker" <[EMAIL PROTECTED]>
Subject: Re: Standard Hash usage
Date: Thu, 08 Jul 1999 13:30:01 GMT
In article <7m27av$gio$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Keith A Monahan) wrote:
> [EMAIL PROTECTED] wrote:
> : I think Jim Golligy (sorry I forgot the spelling) has a good copy of
> : SHA-1. Ask around in this group I know I saw a Good copy...
>
> Hrrrmm.. Anyone? :)
Steve Reid wrote a public domain implementation of SHA-1 in C.
It is available at the following URL:
<ftp://ftp.funet.fi/pub/crypt/hash/sha/>
A public domain implementation of SHA-1 in C is included
with the source to the Perl SHA extension:
<http://theory.uwinnipeg.ca/scripts/CPAN/authors/id/UWEH/SHA-1.2.tar.gz>
Wei Dai's Crypto++ contains a C++ interface to SHA-1. The
library is free, but the license has some fine print. It is
available at the following URL:
<http://www.eskimo.com/~weidai/cryptlib.html>
Peter Gutman's cryptlib contains a C implementation of SHA-1.
The library is without cost except when used for "large-scale
commercial use." It is available at the following URL:
<http://www.cs.auckland.ac.nz/~pgut001/cryptlib/index.html>
-Richard
------------------------------
From: Ronald Klazar <[EMAIL PROTECTED]>
Subject: Re: Keeping File Formats Safe
Date: Thu, 08 Jul 1999 16:12:50 +0200
Thanks for your information. I'm definitely further than I was before and
now I know what strategy to follow. :)
Thanks again!
Ronald..
------------------------------
End of Cryptography-Digest Digest
******************************