Cryptography-Digest Digest #892, Volume #9 Fri, 16 Jul 99 17:13:03 EDT
Contents:
Re: quantified security ([EMAIL PROTECTED])
Re: Why public key in PGP ([EMAIL PROTECTED])
Re: Neato Talk ([EMAIL PROTECTED])
Re: Why public key in PGP ([EMAIL PROTECTED])
Re: Why public key in PGP ([EMAIL PROTECTED])
Re: Neato Talk (David A Molnar)
Properly Seeding RNGs ([EMAIL PROTECTED])
Re: DES permutations (John Savard)
Re: How to crack monoalphabetic ciphers ([EMAIL PROTECTED])
Re: DES permutations (John Savard)
Re: Why public key in PGP ([EMAIL PROTECTED])
Re: Properly Seeding RNGs (fungus)
Web Site Moved (John Savard)
Re: Password generation question (Anton Stiglic)
Re: Properly Seeding RNGs ([EMAIL PROTECTED])
Re: Why public key in PGP (Patrick Juola)
Re: huffman code length ("DI Michael Schindler")
Re: Password generation question (John McDonald, Jr.)
Re: Why public key in PGP (Mickey McInnis)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: quantified security
Date: Fri, 16 Jul 1999 18:16:01 GMT
Oops, I forgot some things...
> C = abcde
>
> a = (0 to 1) chances of you getting picked out of the rest of the
> people on the net.
>
> b = (0 to 1) chances of your commercing getting picked. You may be
> picked but will they continue attack if they know it won't make them
> profit? (i.e who will rob from the poor?)
>
> c = (>0 to 1) chances that useful information is leaked that can be
> used to crack the key.
C is relative to the current best known attack. For this model to work
you have to assume the attacker will only make one attack (i.e either
diff or linear). If two attacks are to be proposed you could re-write
it as
C = ab * max(cd, c'd', c''d'', ...) * e
Against DES for example the linear attack may be chosen since it's
faster and requires less plaintext anyways. This would yield
C = ab(P/2^43)* min(Tp, O(2^54))e
Where P is the number of chosen plaintexts and T is the time it would take
to mount the attack based on the number of plaintexts available.
One must note that C is not a constant but can be considered a
temporary constant as statistics about the net commerce become more
available. It might offer a method to suggest security values such as
this system is 0.75 (weak) or 0.01 (strong).
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why public key in PGP
Date: Fri, 16 Jul 1999 18:38:30 GMT
In article <7mntvu$n8t$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> That's the key sentence!
> Let me restate what I understood: hey, this is my public key, if you
> want to send me something secret, encrypt it with the public key and you
> know how to do it (use the formula!). Send the encrypted text to me by
> any means, and it does not matter how many people can get the encrypted
> message, because they cannot do anything to it without my private key.
> Once I get the encrypted message, I can decrypt it with my private key.
Unless you have bad parameters for the key or I factor/DL it... :)
It's not totally secure but it is a workable solution to the open
needs. Factoring 1024-bit RSA keys for example is far out of reach...
for now! (so were 512-bit keys ten years ago...).
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Neato Talk
Date: Fri, 16 Jul 1999 18:32:27 GMT
In article <7mnpp5$skg$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Keith A Monahan) wrote:
> It wasn't actually a crypto conference per se, more like a 'hacker' type of
> conference, like a computer security type conference.
>
> There is no 'formal' schedule for each person, you simply attend which
> ever talk you want to go to. Very informal, with classes across a few
> days. If you happen to be at lunch, don't get up until 10am, etc, it's
> very easy to miss a talk.
Hmm well I will have to keep that in mind if I ever attend one.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why public key in PGP
Date: Fri, 16 Jul 1999 18:30:44 GMT
In article <7mnsm4$mo6$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Could you elaborate on that? Why a public key helps protecting
> without a secure medium? And why it saves you anything to publish the
> key?
Sure.
In a Public Key Cryptosystem (PKC), you have a public key and a private
key. For example in PGP 6.0 the public key is
g^x mod p (g and p are public as well)
And the private key is x. It is conjectured that finding the discrete
logarithm of the public key (thus finding the private key) is
intractable.
If I give you my public key all you do is
g^xy mod p (y is your private key)
And the resultant number is our private session key. I could give you
my public key however I want but nobody will find the private key in
any time soon. Same for you. Thus the session key is private (you
don't have to send it to me because I will know it by doing g^yx mod p
myself using your public key).
In this manner we can send files or messages using a private key that
we agreed upon but finding the private key from the public information
is not a happening thing.
Posting your keys on a server is a BAD IDEA!!!! Cause I could upload a
key in your name and get your email... Basically if you want medium
security (or point security) you can snatch them off the web (I have my
key on my website). But that doesn't ensure that you are really
talking to Tom St Denis for example.
Generally it's secure enough. You know your conversation is private
with whomever you are talking to. I could tell if someone was using my
account and thus reading my email.
If you want to securely share keys export the public key to disk and
hand it to the other person. But then who says who you are giving the
disk to is who you want to talk to... hmm this sounds like implicit
trust to me...
Anyways you figure it out.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
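The exchange Tom describes (public key g^x mod p, session key g^xy mod p), as an added example that is not part of the original post. The demo group (p = 2^255 - 19, g = 2) and the out-of-band fingerprint comparison, which addresses the "is it really Tom" problem he raises, are my assumptions for the demo, not anything from the thread.

```python
# Added example (not code from the thread): Diffie-Hellman style exchange
# as described in the post, plus a fingerprint check for the received key.
import hashlib
import secrets

# Demo parameters (assumption): p = 2^255 - 19 is prime, g = 2. A real
# deployment would use a standardized safe-prime group.
P = 2**255 - 19
G = 2


def keygen():
    """Private key x, public key g^x mod p (g and p are public too)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(my_private, their_public):
    """Both sides compute g^(xy) mod p and hash it down to a 128-bit key."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()[:16]


def fingerprint(public):
    """Short digest of a public key, to be compared over a trusted channel
    (in person, by phone) before the key is used."""
    return hashlib.sha1(public.to_bytes(32, "big")).hexdigest()[:20]


def exchange(tamper=False):
    """Run one exchange between Tom and you.

    Returns (keys_agree, fingerprint_matches). With tamper=True the key
    "you" fetch from the server is one somebody uploaded in Tom's name,
    so the two sides derive different session keys and the fingerprint
    comparison against Tom's real key fails."""
    tom_x, tom_pub = keygen()
    you_y, you_pub = keygen()
    received_pub = tom_pub
    if tamper:
        _, received_pub = keygen()      # impostor key, constructed here
    k_tom = session_key(tom_x, you_pub)
    k_you = session_key(you_y, received_pub)
    fp_ok = fingerprint(received_pub) == fingerprint(tom_pub)
    return k_tom == k_you, fp_ok
```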
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why public key in PGP
Date: Fri, 16 Jul 1999 18:34:39 GMT
In article <7mlu8h$4h$[EMAIL PROTECTED]>,
AllanW <[EMAIL PROTECTED]> wrote:
> So
> by publishing your public key, you give out the information needed
> to encrypt a message that only you can decrypt.
That's the key sentence!
Let me restate what I understood: hey, this is my public key, if you
want to send me something secret, encrypt it with the public key and you
know how to do it (use the formula!). Send the encrypted text to me by
any means, and it does not matter how many people can get the encrypted
message, because they cannot do anything to it without my private key.
Once I get the encrypted message, I can decrypt it with my private key.
Cool, really cool method!
Thanks a lot.
Weedlet
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Neato Talk
Date: 16 Jul 1999 19:17:26 GMT
[EMAIL PROTECTED] wrote:
> In article <7mnpp5$skg$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Keith A Monahan) wrote:
>> days. If you happen to be at lunch, don't get up until 10am, etc, it's
>> very easy to miss a talk.
> Hmm well I will have to keep that in mind if I ever attend one.
Also keep in mind that schedules at such conferences are subject to
change. Sometimes on short notice. Bruce Schneier was also at
DEF CON (www.defcon.org -- another hacker's conference) this past
weekend, but ended up speaking a day earlier than scheduled.
Us in the audience, as wannabe "good" groupies, then attempted "The
Wave"...
I haven't seen realaudio or other archived recording of it yet -- it was
mostly just questions and answers.
-David
------------------------------
From: [EMAIL PROTECTED]
Subject: Properly Seeding RNGs
Date: Fri, 16 Jul 1999 14:37:55 -0400
Let's just say I am using a strong cryptographic RNG. This particular
one requires a string of variable length to seed it. How in the world
do I get a random string to seed it with?
At the current time, I'm using the current time to srand(); and then
rand() % 256 to fill a string of [1024] long. This does NOT seem very
secure to me. What is a practical way to seed this RNG?
Thx,
Clay Culver
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: DES permutations
Date: Fri, 16 Jul 1999 19:50:02 GMT
[EMAIL PROTECTED] wrote, in part:
>What is a Fab?
A "Fab" is a facility where microchips are fabricated. Since there are
only a few plants where chips are designed, and since they represent a
large commercial investment, they are subject to potential pressures.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: How to crack monoalphabetic ciphers
Date: Fri, 16 Jul 1999 18:52:06 GMT
In article <7mnued$nfm$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> If the period is longer then the message, you have an OTP, as long as
> you don't use the same seed for the PRNG again.
Not really. Fibonacci generators have a larger period and are far from
truly random. Would they qualify for this scheme though? Using an s-box
to decorrelate the outputs of the generators...?
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: DES permutations
Date: Fri, 16 Jul 1999 19:51:03 GMT
[EMAIL PROTECTED] wrote, in part:
>But how does it make the wiring simpler? As far as I can see it only
>makes it more complicated.
There's a claim that it might simplify some types of implementation,
based on principles like those used with SERPENT.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why public key in PGP
Date: Fri, 16 Jul 1999 20:05:09 GMT
In article <7mntus$j0f$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Patrick Juola) wrote:
> Because the public key can only be used for encryption, not for
> decryption; if you have a copy of the cyphertext and the key that
> was used to *en*crypt it, you have no efficient way of obtaining
> the plaintext. The key that is used to decrypt is a different key,
> related to but unreconstructable-from the encryption/private key.
Wrong wrong wrong.
The public key can be used for decryption. What do you think RSA
verifying is? And the private key is reconstructable from the public
key, it's just really hard to do.
> So if I publish my public key, then anyone who knows my public key
> can encrypt a message to send to me, but knowing my public key does
> not provide access to any messages anyone *else* has encrypted and
> sent to me.
You have to distinguish between hard-to-do and impossible-to-do. It's
possible for me to take your key and find the private key. It's really
hard for me to do that but it's not impossible.
This never ending blind faith is what puts many snake oil products out
there...
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Properly Seeding RNGs
Date: Fri, 16 Jul 1999 22:54:43 +0200
[EMAIL PROTECTED] wrote:
>
> Let's just say I am using a strong cryptographic RNG. This particular
> one requires a string of variable length to seed it. How in the world
> do I get a random string to seed it with?
>
> At the current time, I'm using the current time to srand(); and then
> rand() % 256 to fill a string of [1024] long. This does NOT seem very
> secure to me.
Nope.
> What is a practical way to seed this RNG?
>
It's hard to say without knowing what you're using it for.
For a file encryption the seed would be the user's password with some
salt added.
For a secure connection, the key would come from something like a
Diffie-Hellman key exchange.
For a one time pad generator, you'll need some external input
like key presses or mouse movements.
etc...
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Web Site Moved
Date: Fri, 16 Jul 1999 19:52:12 GMT
As Edmonton Freenet has recently increased the amount of space
available to members, I have moved the cryptography portion of my web
page back to its original home.
This will mean the pages are no longer in a frame, making navigation
more convenient.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Password generation question
Date: Fri, 16 Jul 1999 15:37:18 -0400
> Large Assumption: /dev/random gets its bits from periodic keyboard
> hits, mouse movements, etc, and not some stupid deterministic
> pseudo random number generator. I read that on the alt.linux.advocacy
> group once, so it must be true.
A thought on this quote:
A pseudo random generator (PRG) needs a seed; this seed needs to be random
for the result of the function to be pseudo-random.
/dev/random produces a lot of bits (supposedly random) and then hashes them to
get compact random bits.
In _both_ cases, we depend on a function.
-With the PRG, we depend on the PRG function.
-With /dev/random, we depend on the fact that the hash function has strong
collision resistance.
What makes one better than the other one?
For the password, I'd just take the amount of bits you want directly from
/dev/random and not rehash it again afterwards...
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Properly Seeding RNGs
Date: Fri, 16 Jul 1999 20:01:16 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Let's just say I am using a strong cryptographic RNG. This particular
> one requires a string of variable length to seed it. How in the world
> do I get a random string to seed it with?
>
> At the current time, I'm using the current time to srand(); and then
> rand() % 256 to fill a string of [1024] long. This does NOT seem very
> secure to me. What is a practical way to seed this RNG?
That's not a good idea.
Truly good PRNGs such as Yarrow try to get 'randomness' out of the
environment (mouse, keyboard, etc...). Since there is normally not a
lot of unpredictability in this it takes quite a bit to produce PRNG
outputs...
In a stream cipher or keyed PRNG the state of the PRNG has to be
reproducible. In many cases using a HASH is the simplest method.
Like in SEAL and PIKE the state is filled with the output of SHA-1
which is repeated to fill the entire state. I would suggest to do the
same.
What PRNG are you using anyways?
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
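An added example (not code from any of the posts) contrasting the clock-seeded approach the question describes with the hash-filled state Tom suggests and the OS entropy pool Anton mentions in the password thread. The 1024-byte state size is the questioner's; the SHA-1-with-counter expansion and the function names are my assumptions.

```python
# Added example (not from the thread): three ways of producing a
# 1024-byte seed string, and what each one actually depends on.
import hashlib
import os
import struct
import time

STATE_LEN = 1024


def seed_from_time(t=None):
    """What the question describes: srand(time) then rand() % 256.
    Everything downstream is a function of one 32-bit clock value, so
    the 1024-byte state has at most 32 bits of unpredictability."""
    t = int(time.time()) if t is None else int(t)
    return struct.pack("<I", t & 0xFFFFFFFF)


def expand_with_hash(seed, state_len=STATE_LEN):
    """Fill the state with repeated SHA-1 output, the way Tom describes
    SEAL/PIKE filling theirs. The counter appended to each block is my
    choice; without it every repeat would be the same 20 bytes. The
    result is reproducible from the seed, as a keyed PRNG needs."""
    out = bytearray()
    counter = 0
    while len(out) < state_len:
        out += hashlib.sha1(seed + struct.pack("<I", counter)).digest()
        counter += 1
    return bytes(out[:state_len])


def seed_from_password(password, salt):
    """fungus's file-encryption case: the user's password plus salt,
    expanded to the state size. Unpredictability is bounded by the
    password, not by the state length."""
    return expand_with_hash(salt + password.encode("utf-8"))


def seed_from_os():
    """Anton's suggestion: take the bits straight from the OS pool
    (/dev/random or /dev/urandom on Unix; os.urandom wraps it)."""
    return os.urandom(STATE_LEN)
```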
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Why public key in PGP
Date: 16 Jul 1999 16:44:03 -0400
In article <7mo39c$phs$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>In article <7mntus$j0f$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Patrick Juola) wrote:
>
>> Because the public key can only be used for encryption, not for
>> decryption; if you have a copy of the cyphertext and the key that
>> was used to *en*crypt it, you have no efficient way of obtaining
>> the plaintext. The key that is used to decrypt is a different key,
>> related to but unreconstructable-from the encryption/private key.
>
>Wrong wrong wrong.
>
>The public key can be used for decryption.
But not usefully if it was also used for encryption. You're not
usually this dense, Mr. St. Denis.
> What do you think RSA verifying is?
In context, I think it's irrelevant and misleading.
Let me make this perfectly clear : If I *encrypt* with the public
key, then you cannot use the public key to obtain access to the
message without using cryptographic methods which I believe to
be beyond your capabilities.
More colloquially, you cannot decrypt with the public key -- you
can verify a signature with a public key, but that's a different
operation. Of course, in RSA these two operations are implemented
identically, but that's not the case in other systems.
>> So if I publish my public key, then anyone who knows my public key
>> can encrypt a message to send to me, but knowing my public key does
>> not provide access to any messages anyone *else* has encrypted and
>> sent to me.
>
>You have to distinguish between hard-to-do and impossible-to-do. It's
>possible for me to take your key and find the private key. It's really
>hard for me to do that but it's not impossible.
Which is why, in context, we were distinguishing between three groups;
the holder of the private key, the NSA, and everyone else.
-kitten
------------------------------
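An added example (not from the thread) of Patrick's point in textbook RSA: encryption and signature verification are the same public-key exponentiation, yet applying that exponentiation to a ciphertext does not recover the plaintext. The primes 61 and 53 form a constructed toy key for the demonstration only.

```python
# Added example (not code from the thread): toy textbook RSA, showing
# the encrypt/verify duality and that the public key cannot undo itself.

def toy_keypair():
    """Constructed demo key: p = 61, q = 53 (sizes for illustration only;
    real keys use 1024-bit or larger moduli and padding)."""
    p, q = 61, 53
    n = p * q                   # 3233
    phi = (p - 1) * (q - 1)     # 3120
    e = 17
    d = pow(e, -1, phi)         # 2753, since e*d == 1 (mod phi)
    return (n, e), (n, d)


def apply_public(pub, x):
    """The one public-key operation: x^e mod n."""
    n, e = pub
    return pow(x, e, n)


def apply_private(priv, x):
    """The one private-key operation: x^d mod n."""
    n, d = priv
    return pow(x, d, n)


# Encryption: sender applies the public key, receiver the private key.
encrypt = apply_public
decrypt = apply_private

# Signing: signer applies the private key, verifier the public key.
sign = apply_private


def verify(pub, message, signature):
    """Same exponentiation as encrypt, different meaning: the check is
    whether it maps the signature back onto the message."""
    return apply_public(pub, signature) == message


def who_can_decrypt(pub, priv, m):
    """Return (private key recovers m, public key recovers m)."""
    c = encrypt(pub, m)
    return decrypt(priv, c) == m, apply_public(pub, c) == m
```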
From: "DI Michael Schindler" <[EMAIL PROTECTED]>
Crossposted-To: comp.compression,alt.comp.compression,sci.math
Subject: Re: huffman code length
Date: 16 Jul 1999 20:46:08 GMT
hi!
the formula below is right only if you take the longest subtrees
in case of equality of weights. If you prefer shorter trees
the # of samples raises faster.
The reason is that in the case of this worst-case sample
distribution you add just about half the number of samples you
already have but need an additional bit.
Note the codelength is not important; important is the part of
the code that is nonconstant for coding and decoding issues.
This can be limited to ceil(log2(ALPHABETSIZE)) bits when using a
canonical code (which you should for decoding speed reasons).
Michael
[EMAIL PROTECTED] wrote in article <7mmh3c$67k$[EMAIL PROTECTED]>...
> At
> http://www.compressconsult.com/huffman/#maxlength
> I learned that the Fibonacci sequence of frequencies
> gives the maximum possible code length.
>
> length of file (# of samples)
> maximum code length
> 2 1
> 3...4 2
> 5...7 3
> 8...12 4
> 13...20 5
> 21...33 6
> ...... ...
> 1597...2583 15
> 2584...4180 16
> 4181... 17
>
> which gives a 16 bit code length
> after only 2584 samples of a 17 symbol file
> and a 17 bit code length
> after only 4181 samples of a 18 symbol file
> :-(.
>
> It appears that Tom Lane made the same mistake I did when I figured
> that if I used 15 bit counters to count the symbol frequencies, that I
> could be guaranteed a minimum frequency
> of 1 out of 2^15 and therefore (erroneously) the maximum symbol length
> would be about 16 bits. The maximum symbol length could be far longer
> than that, so I'm thinking about using the depth-limited near-Huffman
> compression Tom
> Lane mentioned.
>
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
>
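An added example (not from the thread) that builds the Huffman tree for the Fibonacci-style worst case and reproduces the thresholds in the quoted table, with the tie-break rule Michael describes as a parameter. The function names and the (weight, height) node representation are my choice.

```python
# Added example (not code from the thread): maximum Huffman code length
# and the effect of the tie-break rule on equal-weight subtrees.

def max_code_length(freqs, prefer_longest=True):
    """Build a Huffman tree over the symbol frequencies and return the
    length of the longest code. Nodes are (weight, height) pairs. On
    equal weight, prefer_longest=True merges the taller subtree first
    (which yields the longest possible code); False merges the shorter
    one, so more samples are needed to reach a given length."""
    if len(freqs) < 2:
        return 1 if freqs else 0     # degenerate alphabets
    nodes = [(w, 0) for w in freqs]
    while len(nodes) > 1:
        nodes.sort(key=lambda n: (n[0], -n[1] if prefer_longest else n[1]))
        (w1, h1), (w2, h2) = nodes[0], nodes[1]
        nodes = nodes[2:] + [(w1 + w2, max(h1, h2) + 1)]
    return nodes[0][1]


def worst_case_freqs(n_symbols):
    """Frequencies 1,1,1,2,3,5,8,...: each new symbol weighs as much as
    the subtree built so far, so every merge adds one more level."""
    freqs = [1, 1, 1]
    while len(freqs) < n_symbols:
        freqs.append(freqs[-1] + freqs[-2])
    return freqs[:n_symbols]


def samples_for_length(code_len, prefer_longest=True):
    """Smallest number of samples at which a code of the given length
    appears for this distribution (the left column of the table)."""
    n = code_len + 1
    while max_code_length(worst_case_freqs(n), prefer_longest) < code_len:
        n += 1
    return sum(worst_case_freqs(n))
```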
------------------------------
From: [EMAIL PROTECTED] (John McDonald, Jr.)
Subject: Re: Password generation question
Date: Fri, 16 Jul 1999 20:06:03 GMT
On Fri, 16 Jul 1999 19:01:42 GMT, [EMAIL PROTECTED] wrote:
>They are called cooks now?
Gee, I always thought they were kooks.... Or was that spooks?
Geez. I can never remember.
[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-]
John K. McDonald, Jr. Alcatel, USA
[EMAIL PROTECTED]
please remove -delete- for responses.
--
"I speak for me and not this company"
TO SPAMMERS:
Please view the definitions for
"telephone facsimile machine,"
"unsolicted advertisement," and the
prohibition and penalty for sending
unsolicited faxes before sending Un-
solicited Commercial E-mail to the
above address. Violators WILL BE
PROSECUTED. These can be found
in:
The Telephone Consumer Protection Act
of 1991, Title 47, Chapter 5,
Subchapter II, Section 227.
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
------------------------------
From: [EMAIL PROTECTED] (Mickey McInnis)
Subject: Re: Why public key in PGP
Date: 16 Jul 1999 20:33:11 GMT
Reply-To: [EMAIL PROTECTED]
In article <7mntus$j0f$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Patrick Juola)
writes:
|> In article <7mnsm4$mo6$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
|> >In article <7mlv56$eg$[EMAIL PROTECTED]>,
|> > [EMAIL PROTECTED] wrote:
|> >> <snip>
|> >
|> >> for symmetrical schemes. The idea in PKC is that I can give you my
|> >> public key and you can send me messages without a secure medium. I
|> >> could publish my public key on a server (whoa neato idea) and others
|> >> could pluck it off when they need it.
|> >
|> > Could you elaborate on that? Why a public key helps protecting
|> >without a secure medium? And why it saves you anything to publish the
|> >key?
|>
|> Because the public key can only be used for encryption, not for
|> decryption; if you have a copy of the cyphertext and the key that
|> was used to *en*crypt it, you have no efficient way of obtaining
|> the plaintext. The key that is used to decrypt is a different key,
|> related to but unreconstructable-from the encryption/private key.
|>
|> So if I publish my public key, then anyone who knows my public key
|> can encrypt a message to send to me, but knowing my public key does
|> not provide access to any messages anyone *else* has encrypted and
|> sent to me.
|>
|> -kitten
Public key crypto is useful, but don't forget the limitations.
If the enemy can see your public key being transferred to your
correspondent, he can't easily decrypt your message.
If the enemy can intercept and modify all your traffic, including
your key exchange, he can do a "man in the middle" attack and
send your correspondent a public key of his own and read all your
traffic.
There are various countermeasures for this, and counter-countermeasures,
etc.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************