Cryptography-Digest Digest #989, Volume #9 Thu, 5 Aug 99 07:13:02 EDT
Contents:
Re: What is "the best" file cryptography program out there? ([EMAIL PROTECTED])
Re: What is "the best" file cryptography program out there? ([EMAIL PROTECTED])
Re: About Online Banking Security ([EMAIL PROTECTED])
Re: What is "the best" file cryptography program out there? ([EMAIL PROTECTED])
Re: Is the output of 3DES really pseudorandom??? ([EMAIL PROTECTED])
Re: DES Algorithm source code ([EMAIL PROTECTED])
Re: Prime numbers wanted ("Douglas A. Gwyn")
Re: How to keep crypto DLLs Secure? ("Douglas A. Gwyn")
Re: What the hell is XOR? ("Douglas A. Gwyn")
Re: [Q] Why is pub key cert. secure & free from spoofing? (Wim Lewis)
Transposition and substitution algorithms ??? (Spike Ivans)
QuickBooks99 Crack ("John E. Kuslich")
Re: Is breaking RSA NP-Complete ? ([EMAIL PROTECTED])
Re: How to write REALLY PORTABLE code dealing with bits (Was: How Big is a Byte?) ("Magic")
Re: Intel 810 chipset security (Vernon Schryver)
Re: How to write REALLY PORTABLE code dealing with bits (Was: How Big (Sunil Rao)
Re: Transposition and substitution algorithms ??? (JPeschel)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: What is "the best" file cryptography program out there?
Date: Thu, 05 Aug 1999 04:30:14 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> > That form of implicit trust scares me. What makes a 1024 bit key less
> > secure than a 4096 bit key? (And if you say ease of solving you have
> > no clue about the crypto world).
>
> Did I ever say I had a clue about the crypto world? It probably doesn't,
> but the big number sure looks cool doesn't it? =)
Well not really. Bigger keys mean more memory, and slower
operations. If you could for example store 5 times more keys on a
server because users use 768 bit keys instead of 4096 bit keys, I know
I would be happy.
Really I don't think 4096 bit keys are any more secure (from a
mathematical standpoint) than 1024 or even 768 bit keys. Even 512 bit
keys are just in the 'theory' stage of being broken. Factoring 1024
bit numbers would require a totally new algorithm (or matrix step) that
would probably make the current state 512 vs 1024 more like 1024 vs
4096 ...
> Sure, you could upload a fake key to my name, it wouldn't have any of the
> signatures attached to it, but be my guest. My key is on all the default
> servers.
So what. If I ask for your name and pick up the first key will I know
if it's right or not? How will I trust the signatures on the key?
etc ... see my point?
I think if your HTTP or FTP client is secure and you have a good
password that is the only real way of putting keys up. They have to
know that you own the site or directory though ...
Tom
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: What is "the best" file cryptography program out there?
Date: Thu, 05 Aug 1999 04:38:02 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (KidMo84) wrote:
> I was thinking along the lines of ScramDisk, I have pgp6.0 off of replay's
> site (www.replay.com) and it works pretty good. I guess I should have put
> commercial products, even though I was looking for freeware too. I haven't had
> a chance to try out scott16. But I haven't used DOS lately. At least I think it
> uses DOS, somebody might yell at me for that one. I have sort of grown away
> from MS-DOS, using Windows 98 at present time that is. Though when you are
> recovering information DOS is the best way to go.
>
You still haven't said your needs. Some obvious needs:
1) Dynamic live connections? (Diffie-Hellman with identification)
2) PK systems? (RSA or DH)
3) point-to-point? (share password, SHA/MD5/TIGER + DES/CAST/RC5 ...)
... endless list ...
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: About Online Banking Security
Date: Thu, 05 Aug 1999 04:40:44 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (KidMo84) wrote:
> I was wondering how secure online banking really is. Has there been any
> information written up about the topic. Specifically nations bank banking
> online, the url is: http://www.nationsbank.com/online/tour/?statecheck=MO
> At least for missouri's online banking.
>
> To get to bare bones they use Secure Socket Layer (SSL) with a password and id.
I would not trust them. Many times all you have to do is have a valid
cookie id to get access to someone's account. If I could get your
cookies ... all hell breaks loose.
Most of the time these systems are designed by comp.sci majors without
any background in cryptography (well isn't 40-bit SSL (RC4) secure
enough?) ...
Unless the bank states exactly how their system works (which they won't
say for obvious reasons) and can prove they are not lying, I wouldn't
use their online systems. ATMs are for the most part secure devices
now (???).
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: What is "the best" file cryptography program out there?
Date: Thu, 05 Aug 1999 04:35:31 GMT
In article <7oamme$a55$[EMAIL PROTECTED]>,
Bob Silverman <[EMAIL PROTECTED]> wrote:
> The question is meaningless without some metrics.
> Are you willing to trade easy use for better security or vice versa?
> Are you willing to trade speed of encryption for more security? At
> what point does the code become too slow? etc. etc. Clearly
> RSA with a 10000 bit key would provide impressive security.
> But it would be slow. Contrawise, RC5 with a 40-bit key would
> be very fast. But it would be insecure.
I thought RC5 ran independent of the input key size? Or are you
talking about cutting rounds (so the iterative attacks take about the
same as guessing a 40-bit key, this would be 11/12 rounds right?)
> How long do you need your data to be secure? How much is it
> worth? etc. etc.
>
> What do you mean by "BEST"?? Define your parameters!
Why? It's so much easier to say 'I use 3DES with 256 bit keys ...'
(small print: key generation = rand()) ...
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Is the output of 3DES really pseudorandom???
Date: Thu, 05 Aug 1999 04:48:32 GMT
In article <[EMAIL PROTECTED]>,
Alwyn Allan <[EMAIL PROTECTED]> wrote:
> > Answer: No statistical test can ever tell you if a number is
> > random - you can't prove a negative.
>
> I can prove a negative. Here is a negative:
>
> 2 is not the largest prime.
>
> Here is my proof:
>
> 3 is prime.
>
> What's wrong with that?
You technically can't prove that a truly random source is truly
random. That's his point.
If you say n bits are random, then maybe n+1 bits are not. If this is
the case n bits are not random but pseudo-random. If n bits are
not 'random' maybe n+1 bits are ... (and so forth).
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES Algorithm source code
Date: Thu, 05 Aug 1999 04:45:27 GMT
In article <7oaf69$[EMAIL PROTECTED]>,
"Alberto Daniel Pires dos Barros" <[EMAIL PROTECTED]> wrote:
> I'm looking for a DES Algorithm written in COBOL/400. Anyone have it?
>
Here is a suggestion: DON'T USE DES!
Tom
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Prime numbers wanted
Date: Thu, 05 Aug 1999 06:14:03 GMT
Roger Carbol wrote:
> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> >The important thing is that we can't possibly make a list containing
> >over 2 x 10^199 digits. We can't even come close, no matter what
> >technology is employed.
> I'm not sure it's a technological problem, per se. Storing them by
> some sort of delta (ie, a difference between the current number and
> the last number) would help our storage a lot, although make it
> much less convenient to use.
We can't even make a list containing over 2 x 10^197 anythings.
There isn't that much matter in the entire universe (according
to most models).
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: How to keep crypto DLLs Secure?
Date: Thu, 05 Aug 1999 06:11:55 GMT
"John McDonald, Jr." wrote:
> This is what I mean. TCP/IP was not designed to be secure in any
> sense of the word. It was designed to get whole packages torn up ...
TCP/IP has provisions for encryption, it's just not used (mainly
because it doesn't meet all the practical requirements). IPng
(IPv6) looks like a considerable improvement, but how do we get
there from here?
> ... If I need extra security, the solution is simple. I use VPN,
> encrypt on one end and decrypt on the other. Then, even if someone
> gets a hold of packets in the middle, I could care less. It will do
> them no good.
There is a lot more to network security than is addressed by such a
scheme. How do you communicate securely without prearrangement?
How do you know whom you're communicating with? How do you ensure
availability of services? How do you keep malicious code from being
downloaded and executed on your system? etc.
> One other thing... The extra time that encrypting and decrypting take
> is not worth it to those of us that use dial-up connections. For
> instance, if I am playing Quake2 online, the amount of time it takes
> me to encrypt and decrypt is the difference between me railing
> someone, and me eating their rail.
Actually, encryption should only be a problem for the highest-speed
links. Whatever encryption you're using must be pretty lousy if you
can detect a significant loss of throughput over a POTS modem.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: What the hell is XOR?
Date: Thu, 05 Aug 1999 06:19:50 GMT
"John M. Gamble" wrote:
> But, another person sent me e-mail stating that according to
> the C (and C++) standard, I can't depend upon the order of
> operations, parentheses notwithstanding.
It's not that parentheses don't force the order of operations,
it's that side effects can be delayed until the next sequence
point, and the wording to relax that for assignments doesn't
quite guarantee what you want for your macro to be guaranteed.
------------------------------
From: [EMAIL PROTECTED] (Wim Lewis)
Subject: Re: [Q] Why is pub key cert. secure & free from spoofing?
Date: Thu, 5 Aug 1999 00:41:35 +0000
In article <[EMAIL PROTECTED]>,
Jerome Mrozak <[EMAIL PROTECTED]> wrote:
>My text claims that use of a public key certificate authority (CA) will
>keep the spy at bay. My question is: if the Spy can insert itself
>between A & B, why not between A & CA, or B & CA?
He can, of course. The reason a CA might improve security is it might
communicate with users (A & B) in a way different from the way they
communicate with each other. The spy (the man-in-the-middle) then has to
intercept and alter *all* of B's communications.
For example, since there is (in our simplified universe) only one CA,
its certificate can be distributed by some very public broadcast
channel. Say, a billboard in a few major cities with the key info on it.
If someone wants to spoof the CA's key, they'll have to alter the
billboard, at which point, hopefully, everyone will notice, and the
spoof won't be successful.
What a CA helps to do is produce a community of people who can all agree
on each others' identity, because they all have a secure channel to/from
the same CA.
--
Wim Lewis - [EMAIL PROTECTED], also hhhh.org - Seattle, WA, USA
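
The billboard argument above, as an added example that is not part of the original post: a toy certificate check showing that a key swap is caught when A holds the CA key from an independent channel and passes unnoticed when A fetched the CA key over the tapped channel. The textbook RSA over small Mersenne primes, the names and the certificate layout are assumptions made for illustration and are not secure.

```python
# Added illustration: toy CA. Textbook RSA without padding, standard library
# only, so it runs anywhere; NOT a real certificate format and NOT secure.
import hashlib

E = 65537

def make_ca(p, q):
    """Return (public, private) toy RSA key pairs for a CA."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def _digest(name, user_key, n):
    # The certificate binds a name to a key: hash both, reduce mod n.
    h = hashlib.sha256(name.encode() + b"\x00" + user_key).digest()
    return int.from_bytes(h, "big") % n

def issue_cert(ca_priv, name, user_key):
    n, d = ca_priv
    return {"name": name, "key": user_key,
            "sig": pow(_digest(name, user_key, n), d, n)}

def verify_cert(ca_pub, cert, expected_name):
    n, e = ca_pub
    if cert["name"] != expected_name:
        return False
    return pow(cert["sig"], e, n) == _digest(cert["name"], cert["key"], n)

def run_scenarios():
    # Constructed keys: the real CA, and a "CA" run by the man-in-the-middle.
    real_pub, real_priv = make_ca(2**61 - 1, 2**89 - 1)
    fake_pub, fake_priv = make_ca(2**107 - 1, 2**127 - 1)
    bob_key, spy_key = b"bob-public-key", b"spy-public-key"

    bob_cert = issue_cert(real_priv, "bob", bob_key)
    swapped = dict(bob_cert, key=spy_key)          # key replaced in transit
    forged = issue_cert(fake_priv, "bob", spy_key)  # signed by the spy's CA

    return {
        # A got the CA key from the "billboard" (independent channel).
        "honest": verify_cert(real_pub, bob_cert, "bob"),
        "key_swapped": verify_cert(real_pub, swapped, "bob"),
        "forged_vs_billboard_key": verify_cert(real_pub, forged, "bob"),
        # A fetched the CA key over the same tapped channel: spy wins.
        "forged_vs_intercepted_ca_key": verify_cert(fake_pub, forged, "bob"),
    }

if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:32s} accepted={accepted}")
```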
------------------------------
From: Spike Ivans <[EMAIL PROTECTED]>
Subject: Transposition and substitution algorithms ???
Date: Wed, 04 Aug 1999 23:54:21 -0700
Okay....
Someone on usenet suggested that "The US Army Basic Cryptanalysis
Manual" was an excellent tutorial on cryptography and cryptanalysis.
So... I downloaded it. I've read the first two chapters and thus far I am
very satisfied. However, in the manual, it states that all cryptographic
systems rely on either or both of two techniques, transposition and
substitution. So... having said that, I have a few questions...
1) Is this true ?
2) How do modern cryptographic systems implement transposition and
substitution ?
3) How is the password key used to encrypt data with substitution or
transposition ?
Thanks in advance...
Spike
------------------------------
From: "John E. Kuslich" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: QuickBooks99 Crack
Date: Wed, 04 Aug 1999 10:21:12 -0700
CRAK Software is pleased to announce that QuickBooks99 password
protection has been cracked. Check out http://www.crak.com
The unique software approach to cracking QuickBooks99 may be of interest
to cryptographers who write software for PC's.
Our new program cracks password protection by invading the memory space
of QuickBooks as it runs and alters QuickBooks' attitude towards
passwords. It seems that if our new cracker is running on a PC,
QuickBooks just drops its guard and lets anyone into password protected
files even if no password is supplied. None of the QuickBooks
executables or DLL's on hard disk are altered. When QuickBooks is
closed, our cracker turned off, and QuickBooks is re-started, QuickBooks
suddenly regains its resolve to keep unauthorized interlopers out of
password protected files.
Windows and the PC is very insecure at its roots, as we have mentioned
in this forum before. Programs such as PGP or any other software is
vulnerable to this technique especially to stealth or Trojan horse
applications.
--
CRAK Software (Password Recovery Software)
Http://www.crak.com
[EMAIL PROTECTED]
602 863 9274 or 1 800 505 2725 In the USA
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Is breaking RSA NP-Complete ?
Date: Wed, 04 Aug 1999 17:30:22 GMT
I wrote:
> Anton Stiglic wrote:
>
> > def. (NP-Hard)
> > A problem (any problem, not just a decisional problem
> > (important distinction)) is NP-hard if the existence of a
> > polynomial-time algorithm for its solution implies
> > that P = NP.
[...]
> Note that the two definitions disagree about more than
> whether NP-Hard is a set of languages. If P!=NP, then
> there are subsets of NP that are neither in P nor
> NP-Complete. These languages would be NP-Hard under
> the definition in the Handbook, but not under the
> definition in /Introduction to Algorithms/.
I find the definition from the /Handbook of Applied
Cryptography/ is corrected in the errata, and is only
listed as an error in the first and second printing.
HAC now defines NP-Hard thus:
"A problem is NP-hard if there exists some
NP-complete problem that polytime reduces to it"
--Bryan
------------------------------
From: "Magic" <[EMAIL PROTECTED]>
Crossposted-To: alt.folklore.computers,alt.comp.lang.learn.c-c++,comp.lang.c++
Subject: Re: How to write REALLY PORTABLE code dealing with bits (Was: How Big is a Byte?)
Date: Thu, 5 Aug 1999 02:30:07 -0600
HAHA! This is great, where do you find this stuff :)
Martin Ambuhl <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> [EMAIL PROTECTED] wrote:
>
> > That's not true. There is no definition of 'byte' in ANSI C. sizeof()
> > returns the length of 'chars' it requires to store the object.
>
> To avoid appearing a fool, it helps to not make flat statements that are
> completely untrue. They indicate not only a lack of knowledge but a
> reckless disregard for the truth. From the standard (ISO 9899:1990) we
> find the following definition that you just assured us does not exist:
>
> 3 Definitions and conventions
>
> 3.4 byte. The unit of data storage large enough to hold any member of
> the basic character set of the execution environment. It shall be
> possible to express the address of each individual byte of an object
> uniquely. A byte is composed of a contiguous sequence of bits, the
> number of which is implementation-defined. The least significant bit is
> called the low-order bit; the most significant bit is called the
> high-order bit.
>
>
>
> --
> Martin Ambuhl [EMAIL PROTECTED]
>
------------------------------
From: [EMAIL PROTECTED] (Vernon Schryver)
Subject: Re: Intel 810 chipset security
Date: 4 Aug 1999 18:30:08 -0600
In article <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>lol, most of that does not apply to me anyway. I am running UNIX on my home
>PC.
Then why did you mention the PIII ID hysteria?
As others have said, for your system to tell anyone the PIII serial number,
you must run some kind of special program, since HTTP does not have a
"respond with PIII ID" operation. The Intel plan was for you to download
and run an ActiveX trojan horse.
Are you absolutely certain that whatever browser you use either has both
Javascript and Java turned off, or that they cannot be forced to leak a
unique fingerprint for your system? A proof (merely in the professional
mathematician's sense of an argument that convinces a sophisticated
listener) that Java cannot produce such a fingerprint sounds difficult,
and impossible for JavaScript. If you are not certain, then your UNIX
system is vulnerable (and of course, regardless of whether it has a PIII
or any other CPU).
--
Vernon Schryver [EMAIL PROTECTED]
------------------------------
From: Sunil Rao <[EMAIL PROTECTED]>
Crossposted-To: alt.folklore.computers,alt.comp.lang.learn.c-c++,comp.lang.c++
Subject: Re: How to write REALLY PORTABLE code dealing with bits (Was: How Big
Date: Thu, 05 Aug 1999 10:37:15 +0100
Magic wrote:
> HAHA! This is great, where do you find this stuff :)
It's in this document called the standard. The FAQs will tell you
where you can obtain a copy. The C+ standard is especially quite
cheap.
--
{ Sunil Rao }
"...certainly no beast has essayed the boundless, infinitely
inventive art of human hatred. No beast can match its range and
power." - Arundhati Roy, "The God of Small Things", 1997.
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Transposition and substitution algorithms ???
Date: 05 Aug 1999 10:30:43 GMT
Spike Ivans <[EMAIL PROTECTED]> writes:
>Someone on usenet suggested that "The US Army Basic Cryptanalysis
>Manual" was an excellent tutorial on cryptography and cryptanalysis.
>So... I downloaded it. I've read the first two chapters and thus far I am
>very satisfied. However, in the manual, it states that all cryptographic
>systems rely on either or both of two techniques, transposition and
>substitution. So... having said that, I have a few questions...
>
>1) Is this true ?
Yes.
>
>2) How do modern cryptographic systems implement transposition and
>substitution ?
It depends on the system. Look at Menezes' "Handbook," whose chapters
are online. F. Mirza's paper on block ciphers talks about it, too.
>
>3) How is the password key used to encrypt data with substitution or
>transposition ?
Again, it depends on the system: XORs, shifts, bit swapping,
modular addition, etc.
>
>Thanks in advance...
Why? Is it too much trouble to thank people after you get the answers?
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
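
To make questions 2 and 3 concrete, here is an added example that is not part of the original posts: a toy 16-bit substitution-permutation network in which each round XORs in a round key, substitutes 4-bit nibbles through an S-box, and transposes bit positions. The S-box values, the 4x4 bit transpose and the SHA-256 key schedule are choices made for this illustration, and the cipher is far too small to be secure.

```python
# Added illustration: toy substitution-permutation network (16-bit block).
import hashlib

# Substitution: one 4-bit S-box (constructed choice; any bijection works).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Transposition: bit i moves to PERM[i] (a 4x4 transpose, so self-inverse).
PERM = [(i % 4) * 4 + i // 4 for i in range(16)]
ROUNDS = 4

def round_keys(password):
    """Derive ROUNDS+1 16-bit round keys from the password (assumed schedule)."""
    d = hashlib.sha256(password.encode()).digest()
    return [int.from_bytes(d[2 * i:2 * i + 2], "big") for i in range(ROUNDS + 1)]

def substitute(block, box):
    """Replace each of the four nibbles by its S-box image."""
    out = 0
    for nib in range(4):
        out |= box[(block >> (4 * nib)) & 0xF] << (4 * nib)
    return out

def transpose(block):
    """Move every bit to its new position; values are unchanged."""
    out = 0
    for i in range(16):
        out |= ((block >> i) & 1) << PERM[i]
    return out

def encrypt(block, password):
    keys = round_keys(password)
    for r in range(ROUNDS):
        block ^= keys[r]                 # the key enters by XOR
        block = substitute(block, SBOX)  # substitution (confusion)
        if r < ROUNDS - 1:
            block = transpose(block)     # transposition (diffusion)
    return block ^ keys[ROUNDS]          # final key whitening

def decrypt(block, password):
    keys = round_keys(password)
    block ^= keys[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r < ROUNDS - 1:
            block = transpose(block)     # self-inverse permutation
        block = substitute(block, INV_SBOX)
        block ^= keys[r]
    return block

if __name__ == "__main__":
    ct = encrypt(0x1234, "constructed password")
    print(hex(ct), hex(decrypt(ct, "constructed password")))
```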
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************