Cryptography-Digest Digest #929, Volume #9 Fri, 23 Jul 99 11:13:06 EDT
Contents:
What is skipjack ??? (spike)
Re: What is skipjack ??? (David A Molnar)
Re: RSA public key (Bo Lin)
Re: RSA public key ([EMAIL PROTECTED])
Re: Traffic Analysis (John Savard)
Re: hush mail
Re: Q: Interaction of cross-posted follow-ups? (Thomas Pornin)
Re: Compression for encryption (Mok-Kong Shen)
Re: RSA public key (Thomas Pornin)
Re: Kryptos Beginning of publication of solution (Jim Gillogly)
Re: Help with finding key... ("Kasper Pedersen")
Re: randomness of powerball, was something about one time pads (Patrick Juola)
Kryptos Continuation 2 ("collomb")
Steganos II Security Suite released ("Fabian Hansmann")
Re: RSA public key ("Vincent")
Re: Xor Redundancies (SCOTT19U.ZIP_GUY)
Re: What the hell is XOR? (SCOTT19U.ZIP_GUY)
Re: RSA public key (Bob Silverman)
----------------------------------------------------------------------------
From: spike <[EMAIL PROTECTED]>
Subject: What is skipjack ???
Date: Fri, 23 Jul 1999 01:17:33 -0700
Reply-To: [EMAIL PROTECTED]
What is skipjack ? Who developed it ? And how does it compare to idea,
des, and blowfish ?
spike
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: What is skipjack ???
Date: 23 Jul 1999 08:23:00 GMT
spike <[EMAIL PROTECTED]> wrote:
> What is skipjack ?
SKIPJACK is a block cipher. Has an 80-bit key. Was going to be the cipher
used in the various Clipper phones.
> Who developed it ?
The U.S. National Security Agency.
> And how does it compare to idea,
> des, and blowfish ?
In what regard -- speed, security, ease of implementation, or?
-David Molnar
------------------------------
From: Bo Lin <[EMAIL PROTECTED]>
Subject: Re: RSA public key
Date: Fri, 23 Jul 1999 09:34:08 +0100
The message can be calculated as follows:
Let m be the message, e = 3 and n1, n2, n3 be the three different moduli.
m can be encrypted into c1, c2, c3 with the three different moduli and
the same e = 3. That is, m^3 is the solution of the simultaneous linear
congruences
x = c1 mod n1
x = c2 mod n2
x = c3 mod n3
and since there is only one solution between 0 and n1*n2*n3 - 1, m^3 can be
calculated by the Chinese Remainder Theorem. Then the cube root of x is
extracted in the real field efficiently and m is recovered.
[EMAIL PROTECTED] wrote:
> In article <7n6qi7$ils$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Thomas Pornin) wrote:
> > According to vincent <[EMAIL PROTECTED]>:
> > > If I always take the same very small exponent for the public key
> [...]
> > > do I limit the number of private key which will result from this
> > > computation ?
> >
> > Obviously, yes, but that is not a problem, since you will still get a
> > valid private key for each pair of primes (p, q). For 1024-bit public
> > keys, this still means about 2^1006 possible keys, which is *huge*.
> >
> > > Is it weak to do so, because obviously it would make the encryption
> > > faster (as well as the key generation) ?
> >
> > If you encrypt a message three times with three different public
> > moduli but with the public exponent 3, an eavesdropper might guess the
> > message (not the public key) from the three encryptions.
> >
>
> How would you guess the message?
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: RSA public key
Date: 23 Jul 1999 05:32:08 -0400
Bo Lin <[EMAIL PROTECTED]> wrote:
> and since there is only one solution between 0 and n1*n2*n3 - 1, m^3 can be
> calculated by the Chinese Remainder Theorem. Then the cube root of x is
> extracted in the real field efficiently and m is recovered.
And that is why the message (in PGP, the key used for the symmetric
enciphering of the plain text) should be different for each recipient ...
say, by padding using different random bits for each recipient.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Traffic Analysis
Date: Mon, 19 Jul 1999 18:47:51 GMT
Roger Carbol <[EMAIL PROTECTED]> wrote, in part:
>It seems like I haven't read very much in this newsgroup about
>traffic analysis. It seems like an avenue of attack which is often
>neglected by both the White Hats and the Black Hats.
I doubt the "Black Hats", if you mean the eavesdroppers, are
neglecting it. But they are the less talkative ones...
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] ()
Crossposted-To: alt.security.pgp,alt.privacy,alt.security.keydist
Subject: Re: hush mail
Date: 23 Jul 99 09:13:22 GMT
[EMAIL PROTECTED], in article nntp:[EMAIL PROTECTED] , wrote:
> Well, I see your point, but what other free e-mail services offer
> something like this?
What? Wasted computing? False security?
Those work in favour of other services.
> Further than using PGP with a pop 3 I haven't seen any.
Isn't it a bit funny _that_ is going further when you consider how
much work must've gone into porting this to Java? I think that just goes to
prove my uncle's note that computers do a lot of work--a lot of work that
doesn't need doing.
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: Q: Interaction of cross-posted follow-ups?
Date: 23 Jul 1999 08:46:41 GMT
According to <[EMAIL PROTECTED]>:
> This implies that you could force a message into a moderated group by
> cross-posting to a dummy moderated group. Is this actually the case?
Yes. Even simpler, you can simply mark your message as "approved". But:
-- the basic abuser/spammer/aoler/whatever is not often aware of such
technicalities as "moderated groups"
-- such messages tend to be very quickly cancelled by the moderator
Usenet uses no crypto. It is not authenticated. Making Usenet more secure
is indeed a true cryptographic challenge. It would require a careful
design, by someone aware of both public-key cryptography and Usenet
mechanisms. I will try it sometime (not now: too much work).
--Thomas Pornin
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Compression for encryption
Date: Fri, 23 Jul 1999 10:27:29 +0200
[EMAIL PROTECTED] wrote:
>
> In article <[EMAIL PROTECTED]>,
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > Further, since compression consumes processing time, it could have
> > some substantial impact on the total time required by the analyst
> > to decrypt (a security benefit resulting from 'inefficiency').
> >
>
> Not really if your stream is live I know that you must be using an
> adaptive method and that the first few bytes are literals. Simple
> check.
>
> I think people are omitting the fact that not all messages are post-mortem.
> Live video and audio are useful as well and need attention.
>
For multimedia applications you use compression anyway. But that
compression is not the adaptive Huffman used by the writer of the
original article of this thread, as far as I know.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: RSA public key
Date: 23 Jul 1999 10:18:40 GMT
According to <[EMAIL PROTECTED]>:
> How would you guess the message?
By the Chinese Remainder Theorem: if the three public moduli are n1, n2
and n3, you know m^3 modulo n1, n2 and n3. These three public moduli
are relatively prime to each other (if not, you can factorize at least
two of them, which then gives access to the message), therefore (by
application of the said theorem) you can calculate m^3 modulo (n1*n2*n3).
But (n1*n2*n3) is a greater number than m^3 (without modulus), so you
just have to extract the cube root (over the integers, which is
essentially easy) and you get the message.
--Thomas Pornin
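As an added illustration of the computation Bo Lin and Thomas Pornin describe in this thread (example code written for this digest, not code from either poster), the following Python builds three toy recipient keys, encrypts one message to all three with e = 3, and recovers it with the Chinese Remainder Theorem plus an integer cube root. It then repeats the exchange with a different pad per recipient, the countermeasure the follow-up to Bo Lin's post recommends, and shows that the recovery no longer works. The prime sizes, the message value and the pad values are constructed for the demonstration.

```python
import math

E = 3  # the small public exponent discussed in the thread


def next_prime_2mod3(start):
    """Smallest prime >= start with p % 3 == 2, found by trial division
    (fine for the eight-digit constructed primes used below). p = 2 mod 3
    means gcd(3, p - 1) = 1, so e = 3 is a valid RSA exponent for n = p*q."""
    n = max(start, 2)
    while not (n % 3 == 2 and all(n % d for d in range(2, math.isqrt(n) + 1))):
        n += 1
    return n


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli: the unique
    x in [0, N) with x = r_i (mod n_i) for every i, N = product of the n_i."""
    N = math.prod(moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)  # pow(a, -1, n): modular inverse, Python 3.8+
    return x % N


def icbrt(x):
    """Exact integer cube root of x >= 0, or None when x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)   # hi**3 > x
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def hastad_broadcast(ciphertexts, moduli):
    """Eavesdropper's computation: from m^3 mod n1, m^3 mod n2, m^3 mod n3
    recover m^3 as a plain integer (it is smaller than n1*n2*n3) and take
    its cube root. Returns None when the combined value is not a cube."""
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if math.gcd(a, b) != 1:
                raise ValueError("moduli share a factor: factor them instead")
    return icbrt(crt(ciphertexts, moduli))


# Three constructed recipient keys (toy sizes; real moduli are 1024+ bits).
MODULI = [next_prime_2mod3(30_000_000) * next_prime_2mod3(40_000_000),
          next_prime_2mod3(50_000_000) * next_prime_2mod3(60_000_000),
          next_prime_2mod3(70_000_000) * next_prime_2mod3(80_000_000)]

MESSAGE = int.from_bytes(b"key!", "big")   # constructed 32-bit sample message


def encrypt(m, n):
    """Textbook RSA encryption with the shared public exponent e = 3."""
    assert m < n, "message must be smaller than the modulus"
    return pow(m, E, n)


def broadcast_unpadded(m=MESSAGE):
    """Same m to all three recipients: the eavesdropper gets m back."""
    return hastad_broadcast([encrypt(m, n) for n in MODULI], MODULI)


def broadcast_padded(m=MESSAGE, pads=(0x1A2B, 0x3C4D, 0x5E6F)):
    """Different padding per recipient (fixed constructed pads standing in
    for fresh random bits): the three ciphertexts now encrypt three
    different integers, so the CRT value is not m^3 and m is not revealed."""
    padded = [(m << 16) | pad for pad in pads]
    return hastad_broadcast([encrypt(mi, n) for mi, n in zip(padded, MODULI)], MODULI)
```

The gcd check at the top of hastad_broadcast corresponds to the aside in Pornin's post: moduli that share a factor are handled by factoring, not by CRT. In the padded run the three ciphertexts encrypt three different integers, so the CRT result is not m^3; the cube root either does not exist (the usual outcome, returning None) or, in the rare case that the combined value happens to be a cube, is a number unrelated to the message.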
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Kryptos Beginning of publication of solution
Date: Fri, 23 Jul 1999 03:43:03 -0700
Douglas A. Gwyn wrote:
>
> collomb wrote:
> > The decoding of KRYPTOS step by step ...
>
> For Chrissake, the bulk of Kryptos has been *independently* solved
> by three separate parties working without communicating with one
> another, and they all got the same, highly coherent messages, which
> employ known classical methods of encryption and no "judgment calls",
> for the answer, and this is easily verified. If you get a different
> answer, then yours is malarkey.
In addition, the correctness of the decryptions has been acknowledged
by the sculptor, Jim Sanborn, in the Post article ("... a passage
Sanborn says he has loved since childhood..."); and by the cryptographer,
Ed Scheidt (to David Stein: "The solution is correct, but you didn't do
it the way I intended you to do it.").
Collomb's web page says "Some specialist cryptographers pretend to
have deciphered its first 768 characters." Tsk tsk. I like to think
of myself as more of a generalist.
Non-cryptographers often seem to have trouble with the concept that
a clean break in effect proves itself.
--
Jim Gillogly
30 Afterlithe S.R. 1999, 10:30
12.19.6.6.18, 3 Edznab 6 Xul, Third Lord of Night
------------------------------
From: "Kasper Pedersen" <[EMAIL PROTECTED]>
Subject: Re: Help with finding key...
Date: Fri, 23 Jul 1999 12:51:01 +0200
Jaye Mathisen <[EMAIL PROTECTED]> wrote in message
news:7n8vka$c61$[EMAIL PROTECTED]...
>
> A vendor that has some software we are looking at uses Blowfish to encrypt
> the password and then store it in a disk file.
>
> They tell me this is secure.
>
> Since I know the original plaintext, and can produce the encrypted output,
> I would like some pointers as to how to find the key they use, so I can poke
> little holes in their theory about the security of their product (which
> other than this issue, works pretty well).
>
> I have the binary as well that creates it, so I can search it for some
> strings.
>
> Any tip appreciated.
The company I work for wrote such a piece of software. As the plaintext and
half of the ciphertext were available to the user, I used the entire
executable as a keytable (assuming part1 of the key is at position P1, try
position P1-1000..P1+1000 as part 2 of the key), and yes, it cracked easily
(until fixed).
The algorithm must have the key passed as parameter, so that's a good place
to put a breakpoint too.
Simply put, if one person can get
ciphertext+plaintext+executable_containing_key, it's easily (*) crackable.
/Kasper
(*): Requires a few monkey descendants, coffee, sugar, and a good debugging
tool, not brute force.
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: randomness of powerball, was something about one time pads
Date: 23 Jul 1999 08:38:14 -0400
In article <[EMAIL PROTECTED]>, Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>Dennis Ritchie wrote:
>> Jim Gillogly wrote:
>> > The house has more money than the player. Every now and then the player
>> > will experience 20 or 30 losses in a row, and won't be able to double
>> > up the last time. ...
>> Yes, and the "you don't have unlimited resources" and "bet limit"
>> issues become especially important when the game is real, whether in the
>> casino or in crypto, in ways that can make the math of random-walk
>> analysis flee from your mind even if you knew it already.
>
>Further, this problem points up some logical problems with the use of
>infinite sequences when applied to real-world problems. Note that there
>seems to be an infinite expectation using the Martingale strategy *even
>for a game whose odds are severely biased in favor of the house*. It is
>very disturbing to see a positive, let alone infinite, expectation from
>concatenation of a sequence of bets each of which has negative
>expectation.
>
>I've argued before that mainstream "complexity theory" is nearly useless
>for practical purposes, because its theorems are asymptotic (N -> inf.).
>That's a similar situation. Using infinities make analysis easier, but
>there should be no essential infinities in a *model* of a process.
The idea that the infinite sum of a sequence that doesn't converge
is the limit of a subsequence is a known elementary fallacy: if God
turns a light off every morning at dawn and turns it on again at dusk,
what's the limit state?
The Martingale fallacy you describe is simply another example of this
fallacy.
-kitten
------------------------------
From: "collomb" <[EMAIL PROTECTED]>
Subject: Kryptos Continuation 2
Date: 23 Jul 1999 12:50:31 GMT
See also my site: http://calvaweb.calvacom.fr/collomb/
Decoding of KRYPTOS
Second step
We saw in the first step that the first two series were connected
with each other.
We will note now that the next two series also have common
points.
Third series
DWKBFUFPWNTDFIYCUQZERE EVLDKFEZMOQQJLTTUGSYQPFEUNLAVIDX
FLGGTEZ?
It comprises 61 characters.
One character is missing from this series: the character < H >.
We remember that the key idea which supported the research in the
first two series was the SQUARE < a square of 10 X 10 being transformed into
a square of 15 X 15 >, and one can think that the same idea continues to apply
here, but 61 is not a square. On the basis of the fact that certain
characters were knowingly omitted in the first three series, < O > in the
first series, < O > in the second series, and < H > in the third
series, it comes to mind that one should try to cut off or to add
these three characters to 61 to obtain a square.
If one adds 3 to 61 one gets 64, the square of 8.
8 X 8 = 64.
The problem is then to lay out these three new characters through the 61
characters that make up the third series. It is not enough to point out
that they are missing; one must find where to put them.
I indicate hereafter the solution and I will explain then why it is
necessary to proceed as follows:
Recall of the composition of the third series plus the addition of the new
three characters :
D OH WKBFUFPWNTDFIYCUQZERE
EVLDKFEZMOQQJLTTUGSYQPFEUNLAVIDX
FLG O GTEZ?
Which process did I use to find these places?
When a character is inserted in a series, it is obviously surrounded by a
character located on the left and another located on the right.
D OH W
G O G
Fourth series
We report to the fourth series of characters of KRYPTOS which is also
the longest and we look at what occurs at the beginning and at the end of
this
fourth series.
- beginning: FKZBSFDQV GOG ...
- end: ... SSTTRTV DOHW?
Curiously, we note that the beginning of the third series is connected
with the end of the fourth series: DOHW !!
The third missing character, < O >, is near the end of the third
series. It makes up with the two < G > the word GOG, whereas GOG is
located toward the beginning of the fourth series !!
There is between the third and the fourth series a crossing exchange
relation.
At this stage of the reasoning, the logic of symmetry forces us to
remove 6 characters at the beginning of the fourth series.
... GOG TEZ? < FKZBSF > DQV GOG ...
One must remove characters < FKZBSF >; this group is determined easily
for it begins and finishes by the same character < F >, and in this group
between the signs <>, only the character F is repeated.
We have now:
DOHW ... <third series> ... GOG TEZ? DQV GOG <fourth series> ... DOHW?
The role of symmetry appears clearly. I repeat that there is a crossing
symmetry between the beginnings and the ends of these two series.
We will see soon the pertinence of the cutting off of these 6 characters.
TO FOLLOW ...
------------------------------
From: "Fabian Hansmann" <[EMAIL PROTECTED]>
Subject: Steganos II Security Suite released
Date: Fri, 23 Jul 1999 15:22:13 +0200
Reply-To: "Fabian Hansmann" <[EMAIL PROTECTED]>
Hello,
the software company DEMCOM released Steganos II Security Suite
for Windows 95, 98, 2000 and NT today. This is the long-awaited
successor to Steganos for Windows 1.5.
The Steganos II Security Suite is a complete security solution
for desktop computers and laptops.
Files can easily be hidden and encrypted using the Windows context
menu - for example within inconspicuous sound and image files
(e.g. BMP or WAV files).
The Steganos Safe is a secure drive: it behaves just like a normal
hard drive - with one difference: all files on the drive are being
encrypted automatically.
The Password Management stores your passwords securely - you just need
to remember _one_ password. In addition to that a file shredder for
secure data destruction and a Soft-Tempest editor are included.
Only strong, export-restricted encryption algorithms are being used.
A free Steganos Decryptor is also available: friends and colleagues
can use it to encrypt and unhide encrypted data you sent them.
An unrestricted 30-day trial version can be downloaded from
http://www.steganography.com/english/steganos. A German version is
available at http://www.steganography.com/deutsch/steganos.
Comments on the program are appreciated!
Regards,
Fabian Hansmann
http://www.steganography.com
------------------------------
From: "Vincent" <[EMAIL PROTECTED]>
Subject: Re: RSA public key
Date: Fri, 23 Jul 1999 14:45:51 +0100
Thomas Pornin wrote in message <7n9fi0$oau$[EMAIL PROTECTED]>...
>According to <[EMAIL PROTECTED]>:
>> How would you guess the message?
>
>By the Chinese Remainder Theorem: if the three public moduli are n1, n2
>and n3, you know m^3 modulo n1, n2 and n3. These three public moduli
>are relatively prime to each other (if not, you can factorize at least
>two of them, which then gives access to the message)
How do you know they are relatively prime to each other?
I think they could share a GCD > 1 without (this GCD) being prime, couldn't they?
My mathematical abilities are limited, so what do you think?
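Added illustration for the question just asked (example code written for this digest, not code from the thread): two toy moduli generated from a common prime, and the gcd computation that recovers that prime and from it the private exponent, which is what Pornin means by "factorize at least two of them". n1 = 61*53 = 3233 with e = 17 is the widely used textbook RSA example; the second modulus, built to share p = 61, is constructed. On the composite-gcd worry: two distinct moduli that are each a product of two primes can share at most one prime, so a gcd greater than 1 is that prime; only identical moduli give a composite gcd, and those are simply the same key. Running the same pairwise gcd over a key inventory is a standard weak-key check on the defending side, which the last function does.

```python
import math

# Constructed toy keys (textbook-sized primes; real moduli are 1024+ bits).
# n1 = 61*53 = 3233 with e = 17 is the standard textbook RSA example; the
# second key was built to share the prime 61 with it, the situation the
# thread describes when two public moduli are not coprime.
P_SHARED, Q1, Q2 = 61, 53, 71
N1, N2 = P_SHARED * Q1, P_SHARED * Q2   # 3233 and 4331
E = 17                                  # gcd(17, phi(n)) = 1 for both keys


def shared_factor(n1, n2):
    """Common divisor of two distinct RSA moduli, or None if they are coprime.
    For n1 = p*q1 and n2 = p*q2 (all prime, q1 != q2) the gcd is exactly p:
    the divisors of n1 are 1, p, q1 and n1, so any common divisor other than
    1 that is smaller than n1 is one of the two primes. Identical moduli are
    the same key, not a shared prime, so that case is rejected."""
    if n1 == n2:
        raise ValueError("identical moduli: same key, not a shared prime")
    g = math.gcd(n1, n2)
    return g if g > 1 else None


def private_key_from_factor(n, p, e):
    """Given one prime factor p of n, return (q, d): the other prime and the
    private exponent d = e^-1 mod phi(n)."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return q, pow(e, -1, phi)   # modular inverse, Python 3.8+


def encrypt(m, n, e=E):
    """Textbook RSA encryption (no padding), as in the thread's discussion."""
    return pow(m, e, n)


def recover_message(c, n_target, n_other, e=E):
    """What an eavesdropper holding two public keys and one ciphertext can do:
    if the moduli share a prime, derive the private key and decrypt."""
    p = shared_factor(n_target, n_other)
    if p is None:
        return None
    _, d = private_key_from_factor(n_target, p, e)
    return pow(c, d, n_target)


def weak_key_scan(moduli):
    """Defender-side check over a key inventory: every pair of moduli that
    shares a factor, as (index_i, index_j, shared_factor) triples."""
    hits = []
    for i, a in enumerate(moduli):
        for j in range(i + 1, len(moduli)):
            g = math.gcd(a, moduli[j])
            if g > 1:
                hits.append((i, j, g))
    return hits
```

With the textbook values, encrypt(65, N1) gives 2790, and recover_message(2790, N1, N2) returns 65 because gcd(3233, 4331) = 61 exposes both primes of N1 and hence d = 2753. Against a modulus that shares nothing with N1, recover_message returns None.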
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Xor Redundancies
Date: Fri, 23 Jul 1999 14:28:48 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(JPeschel) wrote:
>>[EMAIL PROTECTED] writes:
>
>>A lot of crypto utilities out there are crap. I should know: when I was
>>12 I wrote 'Zcrypt' which was a really fast autokey cipher. It worked
>>in my view but I didn't know any better. A lot of these people are
>>just ignorant and don't care.
>>
>
>Yes, the UBE98 vendor asked for advice in sci.crypt, and then
>ignored it. He chose to "protect" his program from disassembly.
>Apparently, though, he knew a debugger could break UBE in
>a few seconds.
I am not sure the UBE98 vendor really wanted advice.
I think he wrote only to sell his product and to collect
a few positive statements to sell his product. I for one
over the years have gotten some good advice.
You for one Joe and Paul Onions and Horst and a few
others like Ritter. But most don't give good advice to those
writing code. If anything they try to prevent one from
writing good code.
>
>>I caught up with the author of 'Absolute Security' which is repeated
>>OTP cipher. Basically you take a 'secret' random file and add it to
>>the message. You share the file so you can send 100s of messages with
>>the same file. However I tried to point out that re-using the same
>>keyfile would lead to all sorts of attacks (I proposed three different
>>attacks I think...). He is still pretty sure of himself. Oh well...
>>
>
>That's the same company that sells WinXFiles (broken by Casimir)
>isn't it?
>
>>Basically if I can't see the source I won't get the program. A lot
>>of 'secure' programs are just simple RNGs that are linear or
>>tractable. Another program 'The Vault' uses a totally secure hidden
>>method with 20 bit keys... :) etc...etc...
>>
>
>Yup, most in this newsgroup won't use a crypto program unless
>they can see the source code. Unfortunately, the people who
>actually purchase crypto programs don't know enough to ask to
>see the source.
>
Actually most who read the source code in this group have a very
poor understanding of what it means. They tend to rely on comments
of the crypto gods who are too lazy to actually read and understand
the source code. Take my code for scott16u and scott19. Wagner
or Mr BS can name dates when they said my code was crap and
broken years ago. And Dave sweepingly announced it was dead by
his crappy slide attack. Yet he was wrong because he was too lazy
to look at the source code I supplied. Or even too lazy to use the
executable that he has. So even if one supplies the source code
you get few honest responses. From mail I get it is obvious many
who read the group think Wagner was right and that the slide
attack works against my method. People tend to believe the often
wrong offhand comments of a crypto god and the phony crypto
gods never do anything to help clean up their wrong statements.
I feel they may do more harm to the progress of secure crypto
than the phony peddlers of bogus routines who get exposed so
frequently in this group. Ask a question in this so called
educated forum or on your site as to which is the more number
one snake oil. People will say scott19u and not UBE is the more
snake oil. Because the crypto gods have done such a fine job
of distorting the truth to the masses.
>>BTW where is the snake-oil faq and is it upto date?
>>
>The snake-oil faq is at Matt Curtin's site:
>
>http://www.interhack.net/people/cmcurtin/snake-oil-faq.html
>
>last revised April 98.
>
>Joe
>
>
>
>__________________________________________
>
>Joe Peschel
>D.O.E. SysWorks
>http://members.aol.com/jpeschel/index.htm
>__________________________________________
>
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: What the hell is XOR?
Date: Fri, 23 Jul 1999 14:59:31 GMT
I wasn't going to comment on XOR but it is one of my favorite things
and since this thread seems like it is long lived I decided to throw in
my 2 cents worth.
If one has an old copy of "EDN" I wrote up a circuit that won the design
awards for that month. Not even sure the magazine is still in publication
but the article generated much mail and shows my love of the XOR
function.
However one of my first big run-ins with the phony PhD types occurred when
I was tasked to implement some code in assembly on an old DEC machine
that did not have the swap instruction. I thought the DEC op code is of
the form "op src des"; if reversed, that just reverses the order of the
instructions.
A smart guy could not read my assembly code and was sure it was
wrong. He found near the beginning a place where the contents of 2
registers had to be switched. R1 R2 and rest of R registers in use..
I had written:
XOR R1,R2 which is make r2 = r1 XOR r2
XOR R2,R1 which is make r1 = r1 XOR r2
XOR R1,R2 which is make r2 = r1 XOR r2
He was convinced I lost my mind. He told boss I should have written
MOVE R1,+(SP) which is increment stack pointer and put r1 in memory pointed
to stack pointer
MOVE R2,R1 which is put r2 in r1
MOVE (SP)-,R2 which is memory pointed to by stack pointer in to R2 and then
decrement the stack pointer.
I had to show my boss that the PhD guy was full of it and that not only was
my code correct but that it was faster.
IF the thread continues more on the "ZEN of XOR" the holiest next to NAND of
the binary functions in a later article.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
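Added check of the three-XOR register swap in the post above (example written for this digest, not code from David Scott), with a small Python list standing in for the register file and each XOR storing into its second operand as in the DEC "op src,dst" form. It verifies the sequence against a plain swap for every pair of 8-bit values, shows the push/move/pop alternative from the post, and exercises the one input the XOR trick gets wrong: both operands naming the same register, where the first XOR clears it.

```python
def xor_swap(regs, src, dst):
    """Swap regs[src] and regs[dst] in place with three XORs and no scratch
    register. Each step mirrors one instruction of the post's sequence,
    with the result stored into the second operand (the DEC 'op src,dst'
    convention). Returns regs so calls can be chained or compared."""
    regs[dst] ^= regs[src]      # XOR R1,R2 : r2 = r1 ^ r2
    regs[src] ^= regs[dst]      # XOR R2,R1 : r1 = r1 ^ (r1 ^ r2) = r2
    regs[dst] ^= regs[src]      # XOR R1,R2 : r2 = (r1 ^ r2) ^ r2 = r1
    return regs


def swap_via_stack(regs, src, dst, stack):
    """The three-MOVE alternative from the post, with an explicit list as
    the stack: push src, copy dst into src, pop the saved value into dst."""
    stack.append(regs[src])     # MOVE R1 -> stack
    regs[src] = regs[dst]       # MOVE R2,R1
    regs[dst] = stack.pop()     # MOVE stack -> R2
    return regs


def check_all_pairs(width=8):
    """Exhaustively compare the XOR swap with a plain swap for every pair of
    width-bit register values; True if they agree on all of them."""
    for a in range(1 << width):
        for b in range(1 << width):
            if xor_swap([a, b], 0, 1) != [b, a]:
                return False
    return True


def alias_pitfall(value=0xAB):
    """The one case the XOR trick gets wrong: src and dst name the same
    register. The first XOR zeroes it and the value is lost, so code that
    generates swaps must special-case (or skip) r == r."""
    return xor_swap([value], 0, 0)[0]


if __name__ == "__main__":
    print(xor_swap([0x12, 0x34], 0, 1))          # [52, 18]
    print(swap_via_stack([0x12, 0x34], 0, 1, []))  # [52, 18]
    print(check_all_pairs())                      # True
    print(alias_pitfall(0xAB))                    # 0, not 0xAB
```

The exhaustive check is what settles the argument in the post for fixed-width registers: the three-XOR sequence and the stack-based sequence produce identical register contents for every input, and the only divergence is the aliased-register case, which the stack version handles and the XOR version silently destroys.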
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: RSA public key
Date: Fri, 23 Jul 1999 14:10:14 GMT
In article <[EMAIL PROTECTED]>,
vincent <[EMAIL PROTECTED]> wrote:
> Sorry to ask you what would be an easy question if I was good in Math.
> If I always take the same very small exponent for the public key (for
> example 3) and I compute the private key with p and q (the prime
> numbers) big enough, do I limit the number of private key which will
> result from this computation ?
Your question can not really be answered as asked until you specify
what you mean by "limit the number of private key".
The number of private keys is ALWAYS limited by the size of the
public key.
Are you asking whether using a small public exponent results in a
smaller private keyspace than does using a large public exponent? If
so, the answer is "yes", but not in any meaningful way.
With a 1024 bit public key, the number of private keys available is
(1-1/(e-1))^2 * 1.4 x 10^303 (approximately). If e is 3, as opposed to
(say) 10 decimal digits, then the keyspace is smaller by a factor
of 4 (approximately). But it matters not a whit if the keyspace is
1.4 x 10^303 or .35 x 10^303.
>
> Is it weak to do so, because obviously it would make the encryption
> faster (as well as the key generation) ?
What do you mean by "weak"? If one tried to break the key by direct
search, it would speed the process by about 4. However, no one tries to
break keys by direct search.
It does NOT make key generation any faster. Well, actually it does,
but not in any way that you could measure. The difference would be
less than 1%.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************