Cryptography-Digest Digest #982, Volume #9 Tue, 3 Aug 99 23:13:03 EDT
Contents:
What is "the best" file cryptography program out there? (KidMo84)
Re: How to keep crypto DLLs Secure? ("Lyal Collins")
Re: Americans abroad/Encryption rules? (SCOTT19U.ZIP_GUY)
Re: Anonymous Web Browsing ([EMAIL PROTECTED])
Re: Is the output of 3DES really pseudorandom??? ([EMAIL PROTECTED])
Re: The Acronym MDC ([EMAIL PROTECTED])
Anonymous Web Browsing (KidMo84)
Re: What is "the best" file cryptography program out there? ([EMAIL PROTECTED])
Re: Anonymous Web Browsing (David A Molnar)
Re: Prime number. (Bob Silverman)
Re: Help please (WWI/WWII ciphers) ("Mike Blais")
Re: How to keep crypto DLLs Secure? (James Thye)
Is this a new authent/encrypt protocol? (Greg)
Re: How to keep crypto DLLs Secure? ("Douglas A. Gwyn")
Re: What is "the best" file cryptography program out there? (SCOTT19U.ZIP_GUY)
Re: CFB mode with same initialization vector (SCOTT19U.ZIP_GUY)
Re: How to write REALLY PORTABLE code dealing with bits (Was: How Big is a Byte?)
(Brian Inglis)
Re: Prime numbers wanted ("Douglas A. Gwyn")
Re: What is "the best" file cryptography program out there? (Leon I. Marky)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (KidMo84)
Subject: What is "the best" file cryptography program out there?
Date: 03 Aug 1999 23:15:54 GMT
What is the best file cryptography program out there that you can get online or
purchase over the counter. Comparing Ease of use with Security of encryption.
Signed,
KidMo
------------------------------
From: "Lyal Collins" <[EMAIL PROTECTED]>
Subject: Re: How to keep crypto DLLs Secure?
Date: Wed, 4 Aug 1999 08:59:32 +1000
What happens if the .EXE is modified ie the constant is changed to reflect
the checksum of the changed/substituted .DLL ?
This is simply one extra step in an attack sequence - addmittedly targetted
against a single program, and probably carried out in a script-like fashion.
But, it may be worth it in some situations.
Lyal
John McDonald, Jr. wrote in message <[EMAIL PROTECTED]>...
>Begging everyone else who replied to your comments' pardons, but from
>a programming standpoint, the solution to this is VERY simply...
>
>Have you ever heard of "Checksum"s?
>
>If you haven't allow me to explain. (If you have, read the explanation
>anyways, because this will allow you a little more peace of mind.) A
>Checksum is a file summation tool. It allows a user to compare to
>files quickly without having to do a binary comparison. A Checksum on
>two files that are supposed to be the same, but have minute
>differences will come out with different Checksums. It is FAR more
>likely that two files that are different will come out with similar
>sums. At anyrate, here's what you do.
>
>Build your .DLL. Run a checksum on it. Generate your own CheckSum
>algorithm if you want. Store the value that is returned as a constant
>in your .EXE that is to call the DLL. Then, add code to Checksum the
>DLL in the future, and compare your constant to the value you get
>back. If someone has replaced your .DLL, you WILL be aware of it.
>
>Hope this helps.
>
>[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-]
> John K. McDonald, Jr. Alcatel, USA
>
> [EMAIL PROTECTED]
> please remove -delete- for responses.
> --
> "I speak for me and not this company"
>
> TO SPAMMERS:
> Please view the definitions for
> "telephone facsimile machine,"
> "unsolicted advertisement," and the
> prohibition and penalty for sending
> unsolicited faxes before sending Un-
> solicited Commercial E-mail to the
> above address. Violators WILL BE
> PROSECUTED. These can be found
> in:
>
> The Telephone Consumer Protection Act
> of 1991, Title 47, Chapter 5,
> Subchapter II, Section 227.
>[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Americans abroad/Encryption rules?
Date: Wed, 04 Aug 1999 00:18:51 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John McDonald, Jr.) wrote:
>On 2 Aug 99 17:13:37 GMT, [EMAIL PROTECTED] (W.G. Unruh)
>wrote:
>
>>Oh yes you are. A US citizen is bound by the laws of the USA wherever in the
>>world that person is located.
>
>
>Apologies, but this is simply NOT true. A citizen of the USA is no
>more bound to the laws when he leaves the country than he is protected
>by them.
>
>Just as an example, its the LAW in the US that I drive my automobile
>on the right side of the road. If I were to follow this law in say,
>Japan, or Hong Kong, I would certainly be involved in numerous traffic
>accidents.
>
>Its the law in the US that we cannot solicit prostitutes, or use
>Marijuana. However, if I go to Amsterdam's Red Light district, these
>activities are perfectly okay. I can engage in them without fear of
>prosecution.
Actually the law against prostitution is a state law not a ferderal law.
My favorite legal Nevada brotherl is either the Kit Kat or KIttys just
outside of Carson City Nevada. So please watch what you say is illegal
and the US government ran the Mustang Ranch for a while is far a short
time the Ladys got there paychecks straight from Uncle Sam.
>
>Its the law in the US that we observe copyright laws. However, if I
>travel to Singapore, (or was it Taiwan, or HK?) no such laws exist. I
>can copy all the software I want, and its totally legal.
>
>In the case of the last law, if I bring the "pirated" materials home,
>I can get in trouble here, but this does not change the fact that your
>statement is false.
>
>The only time US laws apply to US citizens abroad is when they are
>technically on "US Soil" at a military base abroad or an embassy.
>
>Peace!
>[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-]
> John K. McDonald, Jr. Alcatel, USA
>
> [EMAIL PROTECTED]
> please remove -delete- for responses.
> --
> "I speak for me and not this company"
>
> TO SPAMMERS:
> Please view the definitions for
> "telephone facsimile machine,"
> "unsolicted advertisement," and the
> prohibition and penalty for sending
> unsolicited faxes before sending Un-
> solicited Commercial E-mail to the
> above address. Violators WILL BE
> PROSECUTED. These can be found
> in:
>
> The Telephone Consumer Protection Act
> of 1991, Title 47, Chapter 5,
> Subchapter II, Section 227.
>[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Anonymous Web Browsing
Date: Tue, 03 Aug 1999 19:32:41 -0400
KidMo84 wrote:
> I have noticed alot of anonymous web browsing websites, but is there any
> program you can put on your computer to automatically security your
> anonimidity. I am not sure if you can though because you have to to the
> website that you log into first to get to the rest as a "portal" but just
> wonderin.
Just use a proxy. It's quite easy....
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Is the output of 3DES really pseudorandom???
Date: Tue, 03 Aug 1999 23:05:29 GMT
In article <[EMAIL PROTECTED]>,
fungus <[EMAIL PROTECTED]> wrote:
> If you could predict the output from the input block then we'd have
> a security problem, ne'st pas?
Well not really. If you used the block cipher in 'counter mode' then
you could eventually learn enough to make good guesses. It's different
from actually telling what the input was though.
> > But is it comparable to something generated by a decent
> > pseudorandom number generator?
> >
>
> The difference is that 3DES is likely to be much slower than
> a good pseudo-random number generator.
And it has a shorter usable period (before re-keying).
> > What kind of analytical technique could you use to tell
> > the pseudorandom string from the ciphertext?
>
> Now we're back to the random number thread. <sigh>
>
> Answer: No statistical test can ever tell you if a number is
> random - you can't prove a negative.
Basically all tests will tell you if it's somewhat apparently random.
Not that the tests are a waste of time.
More important is the linear complexity and period of the output. If
it's PRNG then you want high in both, if it's a TRNG then they are both
infinite...
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: The Acronym MDC
Date: Tue, 03 Aug 1999 23:07:43 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> I had thought that MDC stood for Message Digest Code, but according to
> the Handbook of Applied Cryptography, it stands for Modification
> Detection Code!
>
> Evidently, the field is suffering from terminological overload...or
> it's just my memory that is fallible.
I though MDC was a block cipher method? Maybe they got MDC and MAC
mixed up?
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (KidMo84)
Subject: Anonymous Web Browsing
Date: 03 Aug 1999 23:17:30 GMT
I have noticed alot of anonymous web browsing websites, but is there any
program you can put on your computer to automatically security your
anonimidity. I am not sure if you can though because you have to to the
website that you log into first to get to the rest as a "portal" but just
wonderin.
Signed,
KidMo
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: What is "the best" file cryptography program out there?
Date: Tue, 03 Aug 1999 19:31:57 -0400
KidMo84 wrote:
> What is the best file cryptography program out there that you can get online or
> purchase over the counter. Comparing Ease of use with Security of encryption.
PGP. Get it at www.pgpi.com . Be sure to set the key size to 4096 (not the
default 2048). 100% free.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Anonymous Web Browsing
Date: 4 Aug 1999 00:01:56 GMT
KidMo84 <[EMAIL PROTECTED]> wrote:
> I have noticed alot of anonymous web browsing websites, but is there any
> program you can put on your computer to automatically security your
> anonimidity. I am not sure if you can though because you have to to the
> website that you log into first to get to the rest as a "portal" but just
> wonderin.
Check www.freedom.net or www.zks.net for a very interesting product...
-David
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Prime number.
Date: Tue, 03 Aug 1999 23:40:39 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John McDonald, Jr.)
wrote:
> On Tue, 03 Aug 1999 06:52:42 -0400, Anton Stiglic
> And why not use this method? It is actually very quick, and
> very efficient, and THE ONLY way to be 100% sure that the number you
> are testing is indeed prime.
I regret the that I can not reproduce the sigh of exasperation
I made when I read this.
Mr. McDonald, I suggest you go read about this subject before
you post anything further. You know nothing about the subject.
Trial division is among the WORST methods you can use to
prove primality. There are much faster methods. Among the
simpler methods are the Selfridge extensions to the method
of Proth, Pocklington, and Lehmer. Among the more complex
are the cyclotomy method (aka Cohen-Lenstra) and the
Elliptic Curve Method.
See, for example:
Hans Riesel, Prime Numbers and Computer Methods for Factorization.
Birhauser.
> As to the efficiency of this algorithm... We used this
> algorithm to find and test the first 1,000,000 primes. This process,
> using this algorithm took slightly less than 5 minutes.
It should take less than a second if you use the right method
(e.g. Sieve of Eratosthenes)
I beg you to
> show me another algorithm that does the same amount of work with 100%
I just did.
Now if you would like to ask QUESTIONS, instead of posting
mis-information, I will be happy to answer.
What is it about the Internet that compels people who have
never studied a subject to make such bold (and wrong!)
assertions?
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "Mike Blais" <[EMAIL PROTECTED]>
Subject: Re: Help please (WWI/WWII ciphers)
Date: Wed, 04 Aug 1999 00:38:30 GMT
For those of you who were wondering what this is for, it's an adult
social club and every year we go camping in Princeton BC, if we can find
the code we get $50 back each, and since we're tight on cash it's worth it
to find.
If you want to view the pages where the code is here is the site:
www.bbp.ca/knightsofnee just click on Princeton '99, and the code will be
on letters from King Rob,Details, and Trinkets. The answer spaces are on the
Registration form.
I don't think that the key is in a book I am pretty sure that it IS a letter
for number code(I just can't for the life of me figure it out) that would
also eliminate any problems with a german/english translation, but then the
Kings are pretty sadistic.
Thanks for your help so far
Mike Blais
Kirsten Johnston
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (James Thye)
Subject: Re: How to keep crypto DLLs Secure?
Date: Tue, 3 Aug 1999 20:49:23 -0400
I like the suggestion of checksums, which I didn't initially consider.
I understand network protocol. Unfortunately for me I'm working on a
distributed application, with the encryption on it. In other words, the
person who is using the program will probably be on a Win9x machine, and
have hard drive access to the machine. Therefore, network protocols will
do me little good.
I'm mostly out to protect price lists.
Thanks.
James Thye.
In article <mAKp3.3957$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> What happens if the .EXE is modified ie the constant is changed to reflect
> the checksum of the changed/substituted .DLL ?
>
> This is simply one extra step in an attack sequence - addmittedly targetted
> against a single program, and probably carried out in a script-like fashion.
>
> But, it may be worth it in some situations.
> Lyal
>
> John McDonald, Jr. wrote in message <[EMAIL PROTECTED]>...
> >Begging everyone else who replied to your comments' pardons, but from
> >a programming standpoint, the solution to this is VERY simply...
> >
> >Have you ever heard of "Checksum"s?
> >
> >If you haven't allow me to explain. (If you have, read the explanation
> >anyways, because this will allow you a little more peace of mind.) A
> >Checksum is a file summation tool. It allows a user to compare to
> >files quickly without having to do a binary comparison. A Checksum on
> >two files that are supposed to be the same, but have minute
> >differences will come out with different Checksums. It is FAR more
> >likely that two files that are different will come out with similar
> >sums. At anyrate, here's what you do.
> >
> >Build your .DLL. Run a checksum on it. Generate your own CheckSum
> >algorithm if you want. Store the value that is returned as a constant
> >in your .EXE that is to call the DLL. Then, add code to Checksum the
> >DLL in the future, and compare your constant to the value you get
> >back. If someone has replaced your .DLL, you WILL be aware of it.
> >
> >Hope this helps.
> >
> >[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-]
> > John K. McDonald, Jr. Alcatel, USA
> >
> > [EMAIL PROTECTED]
> > please remove -delete- for responses.
> > --
> > "I speak for me and not this company"
> >
> > TO SPAMMERS:
> > Please view the definitions for
> > "telephone facsimile machine,"
> > "unsolicted advertisement," and the
> > prohibition and penalty for sending
> > unsolicited faxes before sending Un-
> > solicited Commercial E-mail to the
> > above address. Violators WILL BE
> > PROSECUTED. These can be found
> > in:
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Is this a new authent/encrypt protocol?
Date: Wed, 04 Aug 1999 01:05:27 GMT
Can anyone tell me if this resembles an existing protocol?
If not, I submit it to the public domain.
Given Elliptic Curve encryption (points are uppercase),
Given message m, and its hash h,
Given Alice's private key a and public key A,
Given Bob's private key b and public key B,
Given a base point P,
Assume A and B are well known, cannot be spoofed, and are verifiable
via alternate means (e.g.- phone call, personal visit).
Alice sends message m to Bob by deriving a hash (h) for the message
then encrypting it with abhP producing c (cipher text). The secret S
is defined as:
S = abhP = ahB = bhA = bJ (J = hA)
Alice sends c and J. Bob derives S from bJ, then m from S and c,
then h from m. With h, Bob can verify J. That is, haB can only
come from Alice.
If m is altered, then so also is h and a. Bob would detect this
with the decryption process failing.
--
The US is not a democracy - US Constitution Article IV Section 4.
Democracy is the male majority legalizing rape.
UN Security Council is a Democracy. NO APPEALS! Welcome to the NWO.
Criminals=Crime. Armies=Tyranny. The 2nd amendment is about tyranny.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: How to keep crypto DLLs Secure?
Date: Wed, 04 Aug 1999 02:18:45 GMT
"John McDonald, Jr." wrote:
> I'm sorry, but this seems to demonstrate a defiency in your knowledge
> of network protocols. While I agree that most network protocols are
> pretty shoddy, TCP/IP is NOT that bad.
You must not work in a CERT, or you'd know better.
The Internet protocol suite in common use is horribly insecure;
there is almost no authentication, and what little there is,
is not performed often enough to prevent connections from being
hijacked. There are numerous books explaining the many security
deficiencies, e.g. Stallings' "Network and Internetwork Security";
the problems are summarized in ARL-MR-412, which I co-authored.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: What is "the best" file cryptography program out there?
Date: Wed, 04 Aug 1999 03:19:18 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (KidMo84)
wrote:
>What is the best file cryptography program out there that you can get online or
>purchase over the counter. Comparing Ease of use with Security of encryption.
>
>Signed,
>KidMo
If you want security of your own personnel files and you are capable of
understanfing DOS and if you have a modern machine with lots of speed
and a large memory you can do no better than the FREE one I wrote
I also include the source code.
Get scott19u.zip
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: CFB mode with same initialization vector
Date: Wed, 04 Aug 1999 03:11:38 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Daniel
Vogelheim) wrote:
>Hello Peter and David,
>
>thanks for your quick responses. Just for background info: I ran
>across a crypto system that uses a hardcoded IV with CFB, that's why I
>am asking.
>
>
>Peter wrote:
>>The danger is that you might encrypt plaintexts whose
>>beginnings are identical, thereby producing ciphertexts
>>whose beginnings are identical.
>
>I can see that, but it's no problem as the precondition (identical
>plaintexts) isn't met in the aforementioned system.
>
>However, in the book (AC2) Schneier very clearly states:
>
> "If the IV in CFB is not unique, a cryptanalyst can
> recover the corresponding plaintext."
>
>This is a much, much stronger claim than yours. Unfortunately, I still
>don't understand why this would be so.
>
>
>David wrote:
>>[...] but all the in vogue chaining mods are weak.
>>[...] However you can also like at ritters page or the FAQ.
>>http://www.rsa.com/rsalabs/faq/html/2-1-4.html
>
>I checked both, and neither mentions the particular problem of reusing
>(or even hardcoding) IVs, so I still don't know why this should be
>weak.
>
I have not read the book by Mr B.S. but I would not hold anything he writes
to a very high standard. As I stated before all the blessed chaining
modes are weak. It may have been that he meant OFB. Since that
is about the weakest mode there is. Since the output in OFB mode
is the same as if you used an OTP many times if you used the same
IV and this is a well known flaw. I could be wrong but I thought the old
PGP used OFB mode. Maybe this was done so that it would be weak.
However Mr B.S. reads the stuff here and since you paid for his book
he should anwser you.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (Brian Inglis)
Crossposted-To:
alt.folklore.computers,alt.comp.lang.learn.c-c++,comp.lang.c++,microsoft.public.vc.language
Subject: Re: How to write REALLY PORTABLE code dealing with bits (Was: How Big is a
Byte?)
Date: Wed, 04 Aug 1999 01:57:11 GMT
Reply-To: [EMAIL PROTECTED]
On Sun, 01 Aug 1999 18:49:20 GMT, dave <[EMAIL PROTECTED]>
wrote:
[snip]
>I'll nominate this as the point in time where Byte became a real word in
>the real world. One major magazine at the time was "BYTE", and another
>was Dr DOBBS. Who remembers that Dobbs really was a Doctor -
>orthodontist (?), and wasn't the banner on the early issues something
>like "Running fast with no overbite"?
>Just my two bits worth......regards, Dave
IIRC, it was "Dr. Dobb's Journal of Computer Calisthenics" and
the slogan was "Running light without overbyte".
Thanks. Take care, Brian Inglis Calgary, Alberta, Canada
--
[EMAIL PROTECTED] (Brian dot Inglis at SystematicSw dot ab dot ca)
use address above to reply
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Prime numbers wanted
Date: Wed, 04 Aug 1999 02:01:02 GMT
Roger Carbol wrote:
> 2) I don't have even an approximate idea of the density of
> primes up around the 200 digit level.
The distribution of primes goes all the way back to Legendre (1798).
The number of primes < x is approximately L(x) = Integral from 2 to
x of (dt / ln t), which can be expanded into a rapidly converging
series by integration by parts. The dominant term is x / ln x, so
very roughly, there are more than 10^200 / (200 * 2.3) ~= 2 x 10^197
primes less than 10^200. The density would be the first derivative
of the quantity, which is very nearly 1 / ln x ~= 0.002, i.e. about
one prime for every 500 consecutive integers.
The important thing is that we can't possibly make a list containing
over 2 x 10^199 digits. We can't even come close, no matter what
technology is employed.
------------------------------
From: [EMAIL PROTECTED] (Leon I. Marky)
Subject: Re: What is "the best" file cryptography program out there?
Date: Wed, 04 Aug 1999 02:08:15 GMT
[EMAIL PROTECTED] (KidMo84) wrote:
>What is the best file cryptography program out there that you can get online or
>purchase over the counter. Comparing Ease of use with Security of encryption.
If you want to right-click files in Windows Explorer and encrypt them
individually, Cryptext by Nick Payne is good and free. Get it here:
http://www.pcug.org.au/~njpayne
To create encrypted virtual drives, use Scramdisk:
http://www.scramdisk.clara.net/ (See the alt.security.scramdisk newsgroup)
To encrypt any sort of data or message in order to securely transfer it to
someone else, use one of the many versions of PGP.
--
"Leon I. Marky" better known as [EMAIL PROTECTED]
0123 4 56789 <- Use this key to decode my email address.
Fun & Free - http://www.5X5poker.com/
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
