Cryptography-Digest Digest #941, Volume #9 Tue, 27 Jul 99 01:13:04 EDT
Contents:
Location of Crypto (Ryan Phillips)
Re: Advances in Cryptology 1981--1997 (CryptoBook)
Re: Novice question ..
Re: Location of Crypto ([EMAIL PROTECTED])
OK. Maybe I am missing something here. (Shktr00p1)
Re: OK. Maybe I am missing something here. (Shktr00p1)
Re: OTP export controlled? ("Douglas A. Gwyn")
Re: another news article on Kryptos ("Douglas A. Gwyn")
Re: How Big is a Byte? ("Douglas A. Gwyn")
Re: OK. Maybe I am missing something here. ([EMAIL PROTECTED])
Re: Kryptos morse code ("Douglas A. Gwyn")
Re: another news article on Kryptos ("Douglas A. Gwyn")
Re: OK. Maybe I am missing something here. (John Savard)
Re: OTP export controlled? ([EMAIL PROTECTED])
to the group, trust me, this does have to do with cryptography in the long run
("Jeffery Nelson")
Re: Location of Crypto (Jerry Coffin)
Re: Location of Crypto (fungus)
Re: Location of Crypto (fungus)
Re: Location of Crypto (Shktr00p1)
----------------------------------------------------------------------------
Date: Mon, 26 Jul 1999 15:53:49 -0700
From: Ryan Phillips <[EMAIL PROTECTED]>
Subject: Location of Crypto
I was wondering if it was illegal in the United States to tell someone
(on a newsgroup or in any other means) the location (ie. ftp site, web
site, etc) or give addresses to sourcecode and/or strong-crypto
executables to foreign-nationals outside the United States?
I'm assuming this newsgroup is reachable from anywhere in the world and
I see people giving addresses out, is there a problem with this
practice?
Thanks for the Help
-Ryan Phillips-
------------------------------
From: [EMAIL PROTECTED] (CryptoBook)
Subject: Re: Advances in Cryptology 1981--1997
Date: 27 Jul 1999 00:20:32 GMT
Sorry for the typo. The correct period is: 1981 -- 1997.
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Francois Grieu) writes:
>> ADVANCES IN CRYPTOLOGY 1981-- 1997: Electronic Proceedings and Index
>> of the CRYPTO and EUROCRYPT Conferences 1981 -- 1987
>
>Is it 1981 -- 1997 or 1981 -- 1987 ?
>
>Sounds like a must, anyway.
>
>Francois Grieu
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Novice question ..
Date: 27 Jul 99 00:16:19 GMT
Neil ([EMAIL PROTECTED]) wrote:
: I am just curious...
: If one took a fairly long message, say 200-300 words, and enciphered
: it wwith playfair and THEN used a second encipherment with a good
: transposition cipher ... wouldn't that be very tough to break??
: Even with multiple messages, using different keys would still make it
: pretty tough, wouln't it?
If you had a *lot* of multiple messages with the same key, it probably
would be possible to begin work on cracking it.
Some simpler ciphers using that principle have been broken: the ADFG(V)X
cipher is the closest parallel.
But if you use a different key for each message, how do you arrange that?
Do you include, along with the message, the different part of the key? If
so, the quality of the scheme you use so that the overall key prevents the
part that comes with the message from revealing anything is very
important.
John Savard
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Location of Crypto
Date: Mon, 26 Jul 1999 21:11:35 -0400
> I was wondering if it was illegal in the United States to tell someone
> (on a newsgroup or in any other means) the location (ie. ftp site, web
> site, etc) or give addresses to sourcecode and/or strong-crypto
> executables to foreign-nationals outside the United States?
No, links to source code/executables are just fine as long as they are not
on an american server. In fact I have found some very good source code
posted on this newsgroup.
------------------------------
From: [EMAIL PROTECTED] (Shktr00p1)
Subject: OK. Maybe I am missing something here.
Date: 27 Jul 1999 01:42:47 GMT
Ok Experts,
I've been reading all kinds of post on this group about encryption schemes, and
still I am confused. Is there something that the computer leaves behind to
make it easy to crack. I mean I know you can undelete something (There's ways
around this)but more specifically, when you change one byte value to another
byte value, it's different in binary? How do you come back to the original
through cracking unless you use a small key?
Here's what I use. I'm new to encryption software so tell me whats wrong with
this. Maybe I'm just totaly clueless! (I wouldn't doubt it.)
Take the ascii values of two characters one is from the file and one from the
key.
FILE: d (100) KEY: F (70) File+Key= ¬(170)
You write ascii char 170 to the file as the encrypted byte.
Now you use a file containing 1000 random bytes and use that as the key. I
know "One-Time-Pad". Each file is encrypted with a password(8 bytes) as well.
The password is used to encrypt the key file, then the key file is used to
encrypt the file. You have a 1000 byte key file of random crap that is now
encrypted itself each time with an 8 byte password. Therefore, the "one time
pad" weakness is out the door.(?) Now how the hell does that get cracked?!
The number of possibilities is near endless, am I right?
I'm just asking because I have written my own software which uses this method.
While it is slower in comparison to most encryption software, I don't see how
it is weak. Please school me on this. Seriously. (Some little twirp is gonna
rip me up about his question, I can feel it.)
-STMDK
------------------------------
From: [EMAIL PROTECTED] (Shktr00p1)
Subject: Re: OK. Maybe I am missing something here.
Date: 27 Jul 1999 02:55:41 GMT
>>Now you use a file containing 1000 random bytes and use that as the key. I
>>know "One-Time-Pad". Each file is encrypted with a password(8 bytes) as
>well.
>>The password is used to encrypt the key file, then the key file is used to
>>encrypt the file.
>Well, there's nothing insecure about that.
>
>But if the 1000 random bytes are used to encrypt more than one file,
>or if they're sent to your correspondent by E-mail, *then* your
>encryption is only as good as the 8 byte password.
>
>Otherwise, it's a true one-time-pad, with a tiny extra safety feature.
>
>John Savard ( teneerf<- )
>http://www.ecn.ab.ca/~jsavard/crypto.htm
More than one file,
How do you figure? That's 1000 bytes of random data which is overlayed by
another 8 bytes just so that each file is encrypted slightly different. Since
the 1000 bytes is already random and just encryted again by 8 bytes, what basis
of decrpytion cracking would be used?
It would be easier to crack the 8 bytes ALONE this is very true. However since
the large key is random, what could you possible use to crack it? In
otherwords, you would never know if the large key file you're attempted to
crack is the real mcCoy(correctly cracked) because it's random garbage. See
what I'm saying?
Also, since you're the only one that has the key and the passwords, they
wouldn't have a key to attempt cracking. Therefore they're left with to deal
with the large key to crack.
8 8 8 8
|----|----|----|--------->
1000 1000
|--------------------------------------------|---------------------->
FILE
|-------------------------------------------------------------------------
======================>
^--- The end result would be masive encryption.
What I'm really trying to get at is, if the key is secure and the passwords are
secure, can this be cracked easily?
-ST
Thanks for the input!
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OTP export controlled?
Date: Tue, 27 Jul 1999 02:55:24 GMT
/*
Jerry Park wrote:
> 'they' can call anything anything 'they' want. Governments often do
> things like that.
Even though they make no sense at all.
For example, here is a quick-and-dirty C program:
*/
#include <stdio.h>
int main(int argc, char *argv[]) {
int p, k;
FILE *kfp = fopen(argv[1],"r");
while ((p = getchar()) != EOF && (k = getc(kfp)) != EOF )
putchar(k^p);
return 0;
}
/*
All it does is simply XOR two files into one. Whether that
constitutes a "cryptosystem" depends entirely on how it is applied.
Have I just violated the US's export regulations by posting this?
*/
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: another news article on Kryptos
Date: Tue, 27 Jul 1999 02:57:42 GMT
Jim Gillogly wrote:
> ... I've seen
> no reason to change my top three candidates from the first time I
> posted them here. In no particular order, they're some form of
> autokey, some form of running key, and some form of combined
> polyalphabetic with transposition.
Don't forget the suggestion in the ABCNews forum that the running
key might be one of the recovered messages.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: alt.folklore.computers
Subject: Re: How Big is a Byte?
Date: Tue, 27 Jul 1999 03:12:01 GMT
[EMAIL PROTECTED] wrote:
> Nor can you get -1 by raising 10 to any integer power. 1-1 is a
> simple subtraction problem. By your reasoning subtraction can't
> possibly exist because negative numbers can't be achieved by
> raising a base to an integer power.
Excuse me, but that's not *my* reasoning, that's yours.
*I* know the difference between full algebras and mere systems
for representing numbers.
Anyone who really wants to know more about negative bases,
base 2*i, etc. should read section 4.1 of Knuth's "The Art of
Computer Programming" (Vol. 2: Seminumerical Algorithms).
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: OK. Maybe I am missing something here.
Date: Mon, 26 Jul 1999 23:13:44 -0400
> FILE: d (100) KEY: F (70) File+Key= ¬(170)
>
> You write ascii char 170 to the file as the encrypted byte.
>
> Now you use a file containing 1000 random bytes and use that as the key. I
> know "One-Time-Pad". Each file is encrypted with a password(8 bytes) as well.
> The password is used to encrypt the key file, then the key file is used to
> encrypt the file. You have a 1000 byte key file of random crap that is now
> encrypted itself each time with an 8 byte password. Therefore, the "one time
> pad" weakness is out the door.(?) Now how the hell does that get cracked?!
> The number of possibilities is near endless, am I right?
Well, I see a few things wrong with this. First and formost if you use the same
key in a one time pad more than once the security of it goes down to NOTHING.
Second...a 1000 byte file? What if the file that is being encrypted is longer than
1000 bytes? Does the key repeat itself? If it does, it is not a one time pad.
For a one time pad to remain secure, the password must NEVER repeat. I don't see
how encrypting the key file will add or remove any security. If you are using the
same 1000 bytes over and over, ie after the 1000 bytes is encrypted with the
password, the 1000 bytes is used to encrypt the file, then the encryption algorithm
is still vulnerable to the same exhaustive keysearch (assuming a redundancy
analyisis is not used), the only thing that is different, is the key file is
encrypted then tested. Easy. (This assuming the keyfile is known)
(I THINK this is what you are doing, sometimes it's hard to do this on just a
discription alone)
If they As a general rule of thumb, the strength of this algorithm would seem to
rely on the length of the keyfile. The keyfile itself, if used over and over (with
or without the same password) would eventually yield enough cipher text to crack
the key file. Also, this algorithm is quite unpractical if you are sending
encrypted text to someone, because you have to send both the encrypted text and the
keyfile and the password. This algorithm may seem secure, but if the keyfile is
used over and over or repeated in ANY way, then it is not secure in the slightest.
Your best bet would be to go with a tried and true algorithm already out there. If
you are interested in building your own encryption algorithm, then I would suggest
you read Applied Cryptography before continueing. It REALLY helps out.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Kryptos morse code
Date: Tue, 27 Jul 1999 03:21:43 GMT
It should be noted that transcriptions of Morse code can easily be
garbled, when the dit/dah/word spacings are misgrouped. E.g.,
. .._
might be V or EU, depending on the spacing. If you're buddies with
the CIA Public Affairs office, you might see what they think about
the idea of my making another trip there just to transcribe the
Morse part of Kryptos. (I wasn't expecting to visit anytime soon.)
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: another news article on Kryptos
Date: Tue, 27 Jul 1999 03:00:47 GMT
wtshaw wrote:
> You seem to accept that the system will be of a popularly known
> classical method; it could just as well be of an obscure method
> popularly known to obscure people, at least at the time.
It was evident from the outset that Kryptos must be using
classical methods of the sort encountered in MilCryp.
And this assumption was bolstered by the recent recoveries.
There is no reason to change that assumption for the final part.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: OK. Maybe I am missing something here.
Date: Tue, 27 Jul 1999 02:33:00 GMT
[EMAIL PROTECTED] (Shktr00p1) wrote, in part:
>Now you use a file containing 1000 random bytes and use that as the key. I
>know "One-Time-Pad". Each file is encrypted with a password(8 bytes) as well.
>The password is used to encrypt the key file, then the key file is used to
>encrypt the file.
Well, there's nothing insecure about that.
But if the 1000 random bytes are used to encrypt more than one file,
or if they're sent to your correspondent by E-mail, *then* your
encryption is only as good as the 8 byte password.
Otherwise, it's a true one-time-pad, with a tiny extra safety feature.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto
Subject: Re: OTP export controlled?
Date: Mon, 26 Jul 1999 23:24:00 -0400
> /*
> All it does is simply XOR two files into one. Whether that
> constitutes a "cryptosystem" depends entirely on how it is applied.
> Have I just violated the US's export regulations by posting this?
> */
lol
Probably
------------------------------
From: "Jeffery Nelson" <[EMAIL PROTECTED]>
Subject: to the group, trust me, this does have to do with cryptography in the long run
Date: Mon, 26 Jul 1999 23:30:54 -0000
Ok here is a source I made up for the basic file engine I'm useing in my
cryptographic program. I dumbed it down as much as possible and put
comments everywhere, and it's only about 13 lines of code. Check it out and
(as you can see when you look at the source), it opens the file
C:\windows\clouds.bmp by default, but if you don't have that file, just
substitute it for any large binary (not text) file...
Also, I've gotten my program to do entire text files of 'x' size, but for
some odd reason it sticks a stary character at the end of the file as
output. Any help? BTW this problem is in a different source than the one
provided...
begin 666 Fmode.cpp
M(VEN8VQU9&4\9G-T<F5A;2YH/@T*(VEN8VQU9&4\:6]S=')E86TN:#X-"B-I
M;F-L=61E/&-O;FEO+F@^#0IV;VED(&UA:6XH*0T*>PT*8VQR<V-R*"D[+R]C
M;&5A<B!S=')I;F<-"@T*8VAA<BH@9V]T.R\O8VAA<B!F<F]M('-T<F5A;0T*
M;&]N9R!X(#T@,3LO+V-O=6YT97(-"@T*:69S=')E86T@:6Y&:6QE*")#.EQ<
M=VEN9&]W<UQ<8VQO=61S+F)M<"(I.R\O82!L87)G92!B:6YA<GD@9FEL90T*
M#0IW:&EL92@A:6Y&:6QE+F5O9B@I*2\O;&]O<"!T;R!E>'1R86-T(&9I;&4@
M=6YT:6P@14]&(&ES(&9O=6YD#0I[#0IX("L](#$[+R]A9&0@8V]U;G1E<@T*
M:6Y&:6QE+F=E="AG;W0L(#(I.R\O9V5T('1H92!C:&%R#0IC;W5T/#QG;W0[
M+R]P<FEN="!T:&4@8VAA<B!T;R!S8W)E96X-"GT-"F-O=70\/"(@+2HA("(\
M/'@\/"(@(2HM(CLO+W!R:6YT('1H92!N=6UB97(@;V8@=&EM92!I="!L;V]P
2960@=&\@<V-R965N+@T*?0T*
`
end
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Location of Crypto
Date: Mon, 26 Jul 1999 22:07:16 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> I was wondering if it was illegal in the United States to tell someone
> (on a newsgroup or in any other means) the location (ie. ftp site, web
> site, etc) or give addresses to sourcecode and/or strong-crypto
> executables to foreign-nationals outside the United States?
I'm reasonably certain there's no problem with this at all. If the
address is to a server inside the US, it's (probably) illegal for the
server to allow somebody outside the US to download crypto code, but
that's an entirely separate question from telling them the location.
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Location of Crypto
Date: Tue, 27 Jul 1999 07:22:01 +0200
Ryan Phillips wrote:
>
> I was wondering if it was illegal in the United States to tell someone
> (on a newsgroup or in any other means) the location (ie. ftp site, web
> site, etc) or give addresses to sourcecode and/or strong-crypto
> executables to foreign-nationals outside the United States?
>
PS: There's no need for us to tell you anything. Just go to any
search engine (Infoseek, Yahoo, Altavista, etc.) and type "crypto"
in the little box.
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Location of Crypto
Date: Tue, 27 Jul 1999 07:20:40 +0200
Ryan Phillips wrote:
>
> I was wondering if it was illegal in the United States to tell someone
> (on a newsgroup or in any other means) the location (ie. ftp site, web
> site, etc) or give addresses to sourcecode and/or strong-crypto
> executables to foreign-nationals outside the United States?
>
No. It's only the export of cryptographic software which is illegal.
> I'm assuming this newsgroup is reachable from anywhere in the world and
> I see people giving addresses out, is there a problem with this
> practice?
Not from a legal viewpoint.
The laws don't stop us foreigners from doing *anything whatsoever*,
and the feds are well aware of this.
What the laws *do* achieve is to prevent people like Microsoft/Netscape
from putting crypto in their mail programs by default. ie. The laws
are preventing widespread use of crypto by normal people.
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (Shktr00p1)
Subject: Re: Location of Crypto
Date: 27 Jul 1999 04:57:50 GMT
>What the laws *do* achieve is to prevent people like Microsoft/Netscape
>from putting crypto in their mail programs by default. ie. The laws
>are preventing widespread use of crypto by normal people.
>
>
>--
><\___/>
>/ O O \
>\_____/ FTB.
Yep. Apparant due to the fact that many other countries have educated poeple,
that own a personal computer, and can program. Therefore it is egotistcal of
our big brother to assume that only good encrpyption software can be created
int he U.S. In a nutshell...the true intentions are smacking us in the face.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
