Cryptography-Digest Digest #997, Volume #9        Fri, 6 Aug 99 10:13:03 EDT

Contents:
  Re: ORB - Open Random Bit Generator (Robert Scott)
  Re: frequency of prime numbers? (Bob Silverman)
  Re: frequency of prime numbers? (W.G. Unruh)
  Re: Americans abroad/Encryption rules? (W.G. Unruh)
  Challenge: mental authentication (Robert Scott)
  Re: OTP export controlled? (Bo Dömstedt)
  Re: Random numbers in practice (W.G. Unruh)
  Re: Americans abroad/Encryption rules? (fungus)
  Re: Prime number. (DJohn37050)
  Re: frequency of prime numbers? (W.G. Unruh)
  Re: Prime number. (Andrew Haley)
  Re: beginner question re. MD5 and one-way hashes (W.G. Unruh)
  Re: Academic vs Industrial (Bo Dömstedt)
  Re: AES finalists to be announced ([EMAIL PROTECTED])
  Re: Storing keys ([EMAIL PROTECTED])
  Re: OTP export controlled? (Patrick Juola)
  Yarrow RNG (vincent)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Robert Scott)
Subject: Re: ORB - Open Random Bit Generator
Reply-To: [EMAIL PROTECTED]
Date: Fri, 06 Aug 1999 11:59:53 GMT

On Thu, 05 Aug 1999 17:47:03 -0400, Paul Koning <[EMAIL PROTECTED]>
wrote:

>I'm puzzled by the description of your entropy generator.  How does 
>charging and discharging a capacitor do that?  Do you use the fact
>that resistors are noisy?  Fine, but if so, feeding that noise into
>a capacitor rather defeats the point!  And it should be obvious that
>modulating that charge/discharge process with a bitstream doesn't
>generate any more entropy than charging/discharging without that
>influence.

I agree.  Of all the "unpredictable" bit sources used in ORB, the
only one that I would trust to be really unpredictable is
the Johnson noise of the resistor.  It is hard to say whether
or not Johnson noise is really contributing to the data,
since so many "pseudo-unpredictable" factors are added along
with the hash.  I am worried that the add-ons could be disguising
what might be a somewhat predictable source.  The current design
makes it hard to verify that things are really working properly.
I would rather see a design that just made raw Johnson noise
bits available to my application.  From there, I can hash it
if I so choose.  Perhaps some recommendations for post-processing
can be supplied with the device.  Maybe there could be a jumper-
option that switched between raw Johnson noise and the currently
supplied hashed value.


Bob Scott
Ann Arbor, Michigan (email:  rscott (at) wwnet (dot) net       )
(My automatic return address is intentionally invalid.)
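
The point Scott and Koning are making above, as an added worked example (editor's code, not the ORB design or anything from the post): a raw source with a known bias is measured directly, then after hash post-processing of the kind the ORB applies, then after von Neumann debiasing. The biased source is constructed with a software PRNG at a 90/10 ratio standing in for a partly predictable physical source; the entropy figures, block size and test threshold are the editor's assumptions, not the device's.

```python
import hashlib
import math
import random


def biased_bits(n, p_one, rng):
    """Constructed stand-in for a raw noise source whose bits are 1 with
    probability p_one.  A real Johnson-noise sampler should be near 0.5;
    the bias here models a source that is partly predictable."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def entropy_per_bit(bits):
    """Shannon entropy of a memoryless source with the observed 1-frequency."""
    p = sum(bits) / len(bits)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def monobit_z(bits):
    """Frequency (monobit) statistic: |#ones - #zeros| / sqrt(n).
    For an unbiased source this behaves like |N(0,1)|, so values above
    about 3 indicate a failure."""
    ones = sum(bits)
    return abs(2 * ones - len(bits)) / math.sqrt(len(bits))


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def bytes_to_bits(data):
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def hash_whiten(bits, block_bits=256):
    """Hash post-processing: each 256-bit block of raw samples is replaced
    by SHA-256 of it.  Output length equals input length, so the entropy
    per output bit can be no higher than per input bit, however uniform
    the output now looks to a statistical test."""
    out = []
    for i in range(0, len(bits) - len(bits) % block_bits, block_bits):
        digest = hashlib.sha256(bits_to_bytes(bits[i:i + block_bits])).digest()
        out.extend(bytes_to_bits(digest))
    return out


def von_neumann(bits):
    """Debiasing that is honest about entropy: pairs 01 -> 0, 10 -> 1,
    00 and 11 discarded.  A biased source visibly yields fewer bits."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def compare(p_one=0.9, n=2 ** 16, seed=1):
    """Measure the same raw stream three ways and return the figures."""
    rng = random.Random(seed)
    raw = biased_bits(n, p_one, rng)
    whitened = hash_whiten(raw)
    debiased = von_neumann(raw)
    return {
        "raw_entropy_per_bit": entropy_per_bit(raw),
        "raw_monobit_z": monobit_z(raw),
        "whitened_monobit_z": monobit_z(whitened),
        "whitened_len": len(whitened),
        "debiased_len": len(debiased),
        "debiased_monobit_z": monobit_z(debiased),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The raw stream fails the monobit test by a wide margin and carries under half a bit of entropy per bit; the hashed stream passes the same test with the same 65536 bits, which is exactly the disguise Scott worries about, since no test on the output can recover the missing entropy. The von Neumann output passes too, but its length (roughly 18% of the input pairs) shows the loss. This is why a jumper for raw output, as proposed, is worth having: the bias is only measurable before the hash.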

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: frequency of prime numbers?
Date: Fri, 06 Aug 1999 11:56:32 GMT

In article <7od7bi$9ee$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Ian Gay) wrote:
> In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> >John Savard wrote:
> >> Actually, you see, IF our previous list contained all the primes, then
> >> our new number would indeed, by not being divisible by any of them,
> >> satisfy the _definition_ of a prime number, not being divisible by any
> >> prime smaller than itself.
> >
> >Exactly right.  Bob S protested too quickly this time.

No. The "correction" mis-defines the term "prime number"
by (in effect) saying:  A prime number is defined to be a member
of some pre-specified finite set, rather than defining it by its
divisibility properties and then assuming they form a finite set.


The proof is:

Definition:  A prime number is a positive integer, greater than 1
which is divisible only by 1 and itself.

Step 1:  Assume the primes are finite.

Step 2.  Multiply them all together and add 1.

Step 3. etc.


Whereas the attempted correction starts by saying:

Definition:  A prime number is a member of the following finite
set:  {p1, p2, p3, ..... pn}

See the difference???

This debate has been carried on repeatedly in sci.math
before.  The attempted correction is not correct.

--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (W.G. Unruh)
Subject: Re: frequency of prime numbers?
Date: 6 Aug 99 12:14:28 GMT

Bob Silverman <[EMAIL PROTECTED]> writes:

>> > better, is there any proof either way?
>>
>> There's an infinite number of them, and an easy proof.  Suppose the
>> number were finite.  Then we can take the product of all the primes
>> and add one to it.  This number is not evenly divisible by any of the
>> primes, since the remainder modulo each prime is 1.  Therefore this
>> number is also prime
>NO! NO! NO!
>Why must we hear the same tired mistakes over and over?
>I have lost count of the number of times I have heard this
>assertion on the Internet.
>The resulting number is NOT necessarily prime.

Yes, it is under the assumption that your list contains all the primes ( which 
was the assumption that was made.) A proof by contradiction of course does not 
survive the contradiction of its assumptions, but that is its whole point.

>What is true is that EITHER it is prime OR it is divisible by a prime
>not on our original list.

Under the assumption that there are a finite number of primes, that list is 
all inclusive, so there are no primes not on that list, by assumption. 

It is certainly true that the product of a finite number of primes plus 1 is 
not necessarily a prime. But also irrelevant to the proof.

>--
>Bob Silverman
>"You can lead a horse's ass to knowledge, but you can't make him think"


>Sent via Deja.com http://www.deja.com/
>Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (W.G. Unruh)
Subject: Re: Americans abroad/Encryption rules?
Date: 6 Aug 99 11:58:28 GMT

Shawn Willden <[EMAIL PROTECTED]> writes:

>wtshaw wrote:

>> In article <[EMAIL PROTECTED]>,
>> [EMAIL PROTECTED] wrote:
>>
>> The proper next question if ROT13 is controlled would be what about the
>> ability to do all Caesar shifts, which includes the former.

>In that case, most Linux distributions should be controlled, as they contain the
>'caesar' program which performs arbitrary caesar shifts (as well as a relatively
>good job of guessing the key given encoded english text).


Yes, they probably should get a license (although they may have). But again,
the probability of prosecution is nil, especially given the current court
situation. Imagine what Bernstein's or Junger's lawyers would make of such a 
prosecution.


------------------------------

From: [EMAIL PROTECTED] (Robert Scott)
Subject: Challenge: mental authentication
Reply-To: [EMAIL PROTECTED]
Date: Fri, 06 Aug 1999 12:30:44 GMT


There are lots of very secure challenge and response protocols
where computers are used to effect authentication.  But I was
wondering if it were possible to construct a mental challenge
and response protocol that was just as secure.

To be specific, suppose that the application is an ATM.
The user walks up to the ATM and types in his name or account
number on a keyboard.  Then the ATM displays some kind of a
challenge on a screen.  The user looks at the challenge,
does some thinking, and in less than, say, 30 seconds,
he enters a response.  If it is the correct response, the
ATM will consider him authenticated and give him the service
he requests.

Suppose an attacker knows the algorithm involved - in fact, the
attacker might be the system designer.  Furthermore, suppose
that by "looking over the shoulders" of users, the attacker
can gather vast numbers of valid challenge-response pairs.
Further, suppose the attacker has access to nearly unlimited
computing power.  Is there any algorithm that is easy enough for
valid users to work in their heads in less than 30 seconds
but so hard that an attacker cannot break in a reasonable
amount of time?

If you are going to tackle this problem, my advice is to avoid
traditional computer-based algorithms.  Humans are not very
good at doing the required processing in their heads.  Think
rather in terms of our ability to do visual pattern matches,
or some such thing.  I have implemented such a solution as
a replacement for a password system on some industrial machines.
In my solution, the challenge is an 8x8 matrix of letters as in:

  ADDF SFDA
  FDSF AASA
  FDSD FFDS
  DSFA SSAD

  FFDS FSFA
  SDAA FSFD
  DDAS FSSA
  FFFS SSDA

The key is to know which spot in the array to look at.  The
correct response is to press the key that corresponds to
the letter at the keyed location.  The process is repeated
8 times with 8 different random challenge matrices.  Since only
four letters are used, the chance of random response agreeing
in all 8 cases is 1 out of 65536.  (Not very good in itself!)
Unfortunately, my solution does not stand up to the massive
known examples attack.  It is pretty easy to see that by
video-taping the screen and observing the responses to
about 5 or 6 instances of the protocol, the keyed locations
can be determined.   But it seems to me that if someone really
wanted to make such a system secure, he could do it.  
Any takers?


Bob Scott
Ann Arbor, Michigan (email:  rscott (at) wwnet (dot) net       )
(My automatic return address is intentionally invalid.)
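
The known-pair attack Scott describes against his own matrix scheme, as an added simulation (editor's code, not the post's industrial implementation). It assumes one secret position per round, eight rounds per session, the four letters A, D, F, S, and an observer who records every challenge matrix and keypress; those details and the random-number seeding are the editor's assumptions.

```python
import random

LETTERS = "ADFS"   # the four symbols in the post's matrices
SIZE = 8           # 8x8 matrix, 64 positions
ROUNDS = 8         # challenges per authentication session


def make_challenge(rng):
    """One random matrix, stored row-major as a string of 64 letters."""
    return "".join(rng.choice(LETTERS) for _ in range(SIZE * SIZE))


def render(challenge):
    """Print-friendly form in the layout the post uses."""
    rows = [challenge[r * SIZE:(r + 1) * SIZE] for r in range(SIZE)]
    return "\n".join(f"{row[:4]} {row[4:]}" for row in rows)


def honest_response(challenge, position):
    """The user presses the letter found at the secret position."""
    return challenge[position]


def run_session(rng, key):
    """The legitimate user authenticates once; the shoulder-surfer records
    every (challenge, response) pair.  key[r] is the secret for round r."""
    transcript = []
    for r in range(ROUNDS):
        challenge = make_challenge(rng)
        transcript.append((challenge, honest_response(challenge, key[r])))
    return transcript


def candidate_positions(transcripts):
    """Positions still consistent with every observed session, per round.
    Each observation keeps only the positions showing the pressed letter,
    about a quarter of the survivors, so 64 candidates shrink to one in
    roughly three to six observations of the same round."""
    candidates = [set(range(SIZE * SIZE)) for _ in range(ROUNDS)]
    for session in transcripts:
        for r, (challenge, response) in enumerate(session):
            candidates[r] &= {p for p, letter in enumerate(challenge)
                              if letter == response}
    return candidates


def known_pair_attack(seed=1, max_sessions=50):
    """Pick a random key, observe sessions until it is uniquely determined.
    Returns (true_key, recovered_key_or_None, sessions_observed)."""
    rng = random.Random(seed)
    key = tuple(rng.randrange(SIZE * SIZE) for _ in range(ROUNDS))
    transcripts = []
    for n in range(1, max_sessions + 1):
        transcripts.append(run_session(rng, key))
        cands = candidate_positions(transcripts)
        if all(len(c) == 1 for c in cands):
            return key, tuple(next(iter(c)) for c in cands), n
    return key, None, max_sessions


def random_guess_success():
    """Chance that blind guessing passes every round: (1/4)^8 = 1/65536."""
    return (1 / len(LETTERS)) ** ROUNDS


if __name__ == "__main__":
    key, recovered, sessions = known_pair_attack(seed=7)
    print("secret positions:", key)
    print("recovered:       ", recovered, "after", sessions, "sessions")
    print("blind guess odds:", random_guess_success())
```

The attacker never needs to solve anything hard: every observed round is a linear filter on 64 candidates, so the secret leaks at about two bits per observation regardless of how long the session is. Any human-computable scheme that is to survive this needs responses that depend on the secret in a way that does not shrink the candidate set so cleanly, which is the hard part of Scott's challenge.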

------------------------------

From: [EMAIL PROTECTED] (Bo Dömstedt)
Crossposted-To: talk.politics.crypto
Subject: Re: OTP export controlled?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 06 Aug 1999 12:43:01 GMT

[EMAIL PROTECTED] (wtshaw) wrote:
>> The OTP system, as compared to DES/IDEA/skipjack/AES candidates, 
>> that cannot have any internal weakness, that could be exploited....
>
>Yep, its weaknesses are all external, and vulnerable by simple means.

I really think that you are too negative, here. I would estimate 
that most undergraduate students would manage to build and run 
an OTP in a secure way, using our development kit. I have thought 
that I may include a two-time-pad program - but in sci.crypt, 
there is a continuous discussion, emphasising that no OTP could ever 
be used more than once. I currently do not have the energy to
introduce that system. 

Bo Dömstedt
Chief Cryptographer
Protego Information AB
Malmoe,Sweden


------------------------------

From: [EMAIL PROTECTED] (W.G. Unruh)
Subject: Re: Random numbers in practice
Date: 6 Aug 99 12:00:54 GMT

vincent <[EMAIL PROTECTED]> writes:

>I am currently developing a RSA keys generation prog.
>I have everything BUT a good random generator (assuming the one in C is
>not good, which is a pretty straightforward assumption).

One of the key issues which Zimmermann and then others tried to address was
to develop good sources of "random" (totally unpredictable) numbers. It is
well known that sources like a PRNG are not good. You want to use 
unpredictable physical phenomena: time, timing between keystrokes, output of
sound card, ... further making sure that only the really unpredictable stuff 
is used. Netscape got burned by "rolling their own" and producing an atrocious
key generator.

>I really need a good Random number generator (cryptographically secure
>as well as quick) to generate a lot of keys.

Good ones tend not to be quick.
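
Why a seeded PRNG is the wrong tool for key generation, as an added example (editor's code, not anything from the thread or from Netscape's implementation). Python's Mersenne Twister stands in for the C library's rand(); the failure is the same in kind, since every key byte is a function of one small seed. The timestamp, the attacker's error in estimating it, and the search window are constructed values.

```python
import os
import random
import time

KEY_BYTES = 16


def weak_keygen(seed):
    """Key drawn from a deterministic PRNG seeded from a single integer.
    Every key byte is a function of the seed, so the key carries at most
    the seed's entropy no matter how many bytes are drawn."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def clock_seeded_key():
    """The pattern this thread warns against: seed from the wall clock."""
    return weak_keygen(int(time.time()))


def recover_seed(key, approx_time, window):
    """Attacker model: knows the key was made within +/- window seconds of
    approx_time and can recognise the right key (here by comparison; in
    practice by trial-decrypting a captured ciphertext).  Returns the seed
    that reproduces the key, or None if no seed in the window does."""
    for seed in range(max(0, approx_time - window), approx_time + window + 1):
        if weak_keygen(seed) == key:
            return seed
    return None


def strong_keygen():
    """What to use instead: the operating system's entropy pool, fed from
    unpredictable events (assumption: the platform provides one, such as
    /dev/urandom).  os.urandom raises rather than silently degrading if
    no such source is available."""
    return os.urandom(KEY_BYTES)


def demo(real_time=933940000, guess_error=600, window=3600):
    """Constructed scenario: a key generated at a roughly known time in
    August 1999, attacked by someone whose estimate is ten minutes off and
    who is willing to try every second in a two-hour window."""
    key = weak_keygen(real_time)
    found = recover_seed(key, real_time + guess_error, window)
    return {
        "key_hex": key.hex(),
        "recovered_seed": found,
        "seeds_tried_at_most": 2 * window + 1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("os-provided key:", strong_keygen().hex())
```

A 128-bit key that falls to at most 7201 trials is the situation Unruh alludes to. Mixing in keystroke timings or sound-card noise helps only if those inputs are actually unpredictable to the attacker and are fed into the generator's state, not merely appended to a clock seed.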

------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: Americans abroad/Encryption rules?
Date: Fri, 06 Aug 1999 15:35:31 +0200



"David C. Oshel" wrote:
> 
> You can represent binary numbers in a base 355 system, which you then
> represent in a base 113 system, which is a real kick when you store the
> output in a binary computer file -- one way to "expand" a file to disguise
> its length.
> 


I found the secret code!

355/113 = 3.141592.....


What do I win?


-- 
<\___/>
/ O O \
\_____/  FTB.

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Prime number.
Date: 06 Aug 1999 12:50:01 GMT

Yes, I also appreciate Bob's posts.
Don Johnson

------------------------------

From: [EMAIL PROTECTED] (W.G. Unruh)
Subject: Re: frequency of prime numbers?
Date: 6 Aug 99 12:10:02 GMT

sl3nf.cc@usu@edu (Sniggerfardimungus) writes:

>I ask this question here not because it necessarily relates to cryptography,
>but to an interest of cryptographers, prime numbers; is there any reason to
>believe that there are either a finite or an infinite number of primes?  Even
>better, is there any proof either way?

There is a famous proof, I think at least 2000 years old.
If p is the largest prime, then p!+1 is not divisible by any of the numbers
between 1 and p (i.e. is not divisible by any prime). Thus it must be prime
(i.e. it has no prime factors), which thus shows that p cannot be the largest
prime.
(p! is p factorial, i.e. the product of all numbers between 1 and p.)
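
A worked check of what the three prime-number posts above are arguing over (Silverman's "NOT necessarily prime", Unruh's reply, and the p!+1 form just given), added here by the editor and not part of any post. Under the hypothesis that the list holds every prime, N = p1...pn + 1 would have to be prime; dropping that hypothesis, N is sometimes composite, but every prime factor of N lies outside the list, which is enough on its own to contradict the list being complete. The code computes both forms by trial division.

```python
from math import factorial


def first_primes(n):
    """The first n primes, by trial division against the primes found so far."""
    primes = []
    candidate = 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def factor(n):
    """Prime factorisation of n > 1 by trial division, with multiplicity."""
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def euclid_number(primes):
    """N = p1 * p2 * ... * pn + 1 for the given list of primes."""
    product = 1
    for p in primes:
        product *= p
    return product + 1


def examine(n_value, listed):
    """What is actually true of N relative to a finite list of primes:
    N may or may not be prime, but none of N's prime factors is in the
    list, because N leaves remainder 1 on division by each listed prime."""
    factors = factor(n_value)
    return {
        "N": n_value,
        "factors": factors,
        "N_is_prime": len(factors) == 1,
        "all_factors_outside_list": all(f not in listed for f in factors),
    }


def examine_primorial(n):
    """N = (product of the first n primes) + 1."""
    primes = first_primes(n)
    return examine(euclid_number(primes), primes)


def examine_factorial(p):
    """The p! + 1 variant: every prime factor of p! + 1 exceeds p."""
    return examine(factorial(p) + 1, list(range(2, p + 1)))


if __name__ == "__main__":
    for n in range(1, 8):
        print("primorial", n, examine_primorial(n))
    for p in (3, 4, 5, 6, 7):
        print("factorial", p, examine_factorial(p))
```

The first composite case is the sixth: 2·3·5·7·11·13 + 1 = 30031 = 59 · 509, with both factors new. For the factorial form, 5! + 1 = 121 = 11², again not prime but with a prime factor larger than 5. Both proofs go through because of the "all factors outside the list" column, which is never false; the "N is prime" column is the one that only holds under the contradiction hypothesis.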

------------------------------

From: [EMAIL PROTECTED] (Andrew Haley)
Subject: Re: Prime number.
Date: 6 Aug 1999 12:06:37 GMT

John McDonald, Jr. ([EMAIL PROTECTED]) wrote:

: So here's a personal skills lesson for you Bob.  It doesn't matter
: how intelligent you are, or how much you actually know.  If you come
: off like a conceited, cocky SOB, no one will ever care what you have
: to say.

Given a choice between reading posts from Bob (who very rarely posts
incorrect assertions to Usenet) and any one of those posting nonsense
to this group every day, the choice is obvious.  Note that it isn't
necessarily that Bob is more intelligent than others, but that he has
sufficient respect for readers actually to *check his facts*.

I am very grateful that Bob posts to this group, even though I was
once on the receiving end of one of his harsh replies.  Without Bob,
the signal to noise ratio of this group would be even worse.

Andrew.

------------------------------

From: [EMAIL PROTECTED] (W.G. Unruh)
Subject: Re: beginner question re. MD5 and one-way hashes
Date: 6 Aug 99 12:25:11 GMT

It is impossible. Nothing could hash unique inputs to unique outputs 
with a finite length output (4 bytes). 4 bytes can only encode 2^(8*4) = 2^32 ≈ 4·10^9
different objects. And by the birthday paradox, on average you will find a
pair in only 2^16 ≈ 6·10^4 objects.

[EMAIL PROTECTED] (Muharem Hrnjadovic) writes:

>I need a one-way function in order to generate hash key values
>for a piece of software that is caching objects i.e. when I come
>across an object the second time the function should generate the
>same hash key so I know that I have seen that object already.

>I tried MD5 but the value generated is too long for my purposes;
>I would like something that generates a 4 byte sequence ideally.

>I experimented with MD5 by taking only one quarter of the signature
>it supplies but after a test with ca. 160.000 objects I obtained
>identical values for different objects (which is not MD5's fault
>since I took only 25% of the sequence it calculated).

>Can you recommend any other one-way-hash or message digest functions
>that are possibly simpler and generate shorter values?

>TIA,

>-- 
>--
>Muharem Hrnjadovic ([EMAIL PROTECTED])
>Nortel Networks, +44-181-9452238
>mobile: +44-7957-412287
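
The birthday arithmetic in Unruh's answer, run against the truncated-MD5 scheme the question describes, as an added example (editor's code, not the questioner's cache). The objects are constructed strings; the 160,000 figure is the one from the question and the sizing target is an editor's assumption.

```python
import hashlib
import math


def short_hash(data, nbytes=4):
    """Truncated MD5, the scheme the question describes: keep only the
    first nbytes bytes of the 16-byte digest."""
    return int.from_bytes(hashlib.md5(data).digest()[:nbytes], "big")


def expected_collisions(n_objects, bits):
    """Expected number of colliding pairs among n distinct inputs hashed
    to `bits` bits, treating the hash as uniform: C(n, 2) / 2^bits."""
    return n_objects * (n_objects - 1) / 2 / 2 ** bits


def birthday_bound(bits):
    """Roughly how many inputs until a collision is likely: sqrt(2^bits)."""
    return int(math.sqrt(2 ** bits))


def find_collisions(n_objects, nbytes=4):
    """Hash n constructed, pairwise-distinct objects and return the list
    of (object_a, object_b, shared_hash) collisions actually observed."""
    seen = {}
    collisions = []
    for i in range(n_objects):
        obj = f"object-{i}".encode()      # constructed input, all distinct
        h = short_hash(obj, nbytes)
        if h in seen:
            collisions.append((seen[h], obj, h))
        else:
            seen[h] = obj
    return collisions


def bits_needed(n_objects, max_expected_collisions=1e-6):
    """Smallest output width for which the expected number of collisions
    among n_objects stays below the target: the sizing question to ask
    before truncating a digest for identity checks."""
    bits = 1
    while expected_collisions(n_objects, bits) > max_expected_collisions:
        bits += 1
    return bits


if __name__ == "__main__":
    print("birthday bound for 32 bits:", birthday_bound(32))
    print("expected collisions at 160000 objects:", expected_collisions(160000, 32))
    print("collisions found among 300000:", len(find_collisions(300000)))
    print("bits needed for 160000 objects:", bits_needed(160000))
```

At 160,000 objects the expectation is about three colliding pairs, so what the questioner saw is the normal case, not bad luck. For a cache that uses the hash as the sole identity check, keep the full 128-bit digest (or compare the object itself on a hit); a 4-byte key is only acceptable as a bucket index that is followed by a full comparison.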

------------------------------

From: [EMAIL PROTECTED] (Bo Dömstedt)
Subject: Re: Academic vs Industrial
Reply-To: [EMAIL PROTECTED]
Date: Fri, 06 Aug 1999 12:57:29 GMT

"Markku J. Saarelainen" wrote:
> There seems to be building up a consensus that many academic algorithms
> and standardization results are quite ineffective for any serious data
> protection purposes 
[cut]
>Surely, these standards should not be used for
> any industrial data security applications.
and then Paul Koning wrote:
>Where did you get that idea?
>My impression is exactly the opposite.  Academic work has been
>creating problems for spooky control of crypto since the early
>days of RSA.  Later work (IDEA, CAST, Blowfish, all the AES
>proposals) continue this trend.
>Or are you trying to say that none of these are any good because
>they are all controlled by the NSA?  Are you a David Scott clone?
>
>       paul

Assuming that Markku J. Saarelainen is not a David Scott clone,
we can still not exclude that his argument could be correct in the
respect that beforementioned cipher algorithms could be weak.

Bo Dömstedt
Chief Cryptographer
Protego Information AB
Malmoe,Sweden
http://www.protego.se


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: AES finalists to be announced
Date: Fri, 06 Aug 1999 12:50:00 GMT


> > So shove that in your pipe and smoke it.
> >
> > Tom
>
>  When are you going to crack fortom.cpt
> oh genius??? It's easy.

Because you are sending ciphertext only to me I know you don't know the
purpose of cryptography or scrutiny.

My point in that thread was that it's not only the algorithm that makes
it secure.  Why you are sending corrupted binaries to me is beyond me.

BTW in retrospect, why don't you crack this message (in hex)
010203040506070809 It's a secret message that I wrote.  (if you read
earlier post about binaries you will know why)

Tom
--
PGP 6.0.2i Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Storing keys
Date: Fri, 06 Aug 1999 12:53:26 GMT

In article <[EMAIL PROTECTED]>,
  Atle Sandvold <[EMAIL PROTECTED]> wrote:
> What if I were to use a different authentication scheme(which i will),
> for instance smartcards or biometrics?

What?  A smartcard is not an authentication scheme.  If you mean
storing a key on a smartcard or use biometrics, they both fall to the
same tapping attack.  Biometrics is even scarier because you only have
10 digits to use and if they all get compromised ...

> I would need something to hash, right? Something the user provides.
>
> If the only thing I care about is whether the user is authenticated or
> not, would using a master key be the best alternative?

If you want a user/login type system, use the hash (with a salt) that
he described.  It works well.

Tom
--
PGP 6.0.2i Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
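
A salted password check of the kind Tom recommends for a user/login system, as an added example (editor's code; the post refers to a hash scheme described in an earlier message that is not in this digest, and PBKDF2 with SHA-256 is the editor's choice of iterated hash, not necessarily that scheme). The iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: tune so one check takes ~100 ms on the target


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash.  The salt is random per user, so two users
    with the same password store different values and a table precomputed
    for one salt is useless against another.  Returns the record to store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record, password):
    """Recompute with the stored salt and parameters; compare in constant
    time so a byte-by-byte mismatch does not leak through timing."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class UserStore:
    """Minimal login system.  Unknown usernames are checked against a dummy
    record so response time does not reveal whether an account exists."""

    def __init__(self, iterations=ITERATIONS):
        self._iterations = iterations
        self._users = {}
        self._dummy = hash_password(os.urandom(16).hex(), iterations=iterations)

    def register(self, username, password):
        if username in self._users:
            raise ValueError("username already taken")
        self._users[username] = hash_password(password,
                                              iterations=self._iterations)

    def login(self, username, password):
        record = self._users.get(username, self._dummy)
        ok = verify_password(record, password)
        return ok and username in self._users


if __name__ == "__main__":
    store = UserStore(iterations=10_000)
    store.register("atle", "correct horse")
    print("right password:", store.login("atle", "correct horse"))
    print("wrong password:", store.login("atle", "wrong"))
    print("unknown user:  ", store.login("nobody", "correct horse"))
```

What the store holds is only ever the salt, the parameters and the digest, so the tapping attack Tom describes against a stored key does not apply here: nothing in the record lets an attacker log in without first guessing the password. The salt also stops a single precomputed table from covering every user.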

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Crossposted-To: talk.politics.crypto
Subject: Re: OTP export controlled?
Date: 6 Aug 1999 09:05:27 -0400

In article <[EMAIL PROTECTED]>,
Bo Dömstedt <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (wtshaw) wrote:
>>> The OTP system, as compared to DES/IDEA/skipjack/AES candidates, 
>>> that cannot have any internal weakness, that could be exploited....
>>
>>Yep, its weaknesses are all external, and vulnerable by simple means.
>
>I really think that you are too negative, here. I would estimate 
>that most undergraduate students would manage to build and run 
>an OTP in a secure way, using our development kit.

I retain my doubts; unless your students are considerably smarter
and more experienced than mine, they would probably be running the
OTP on a conventional machine -- probably some flavor of Windows,
MacOS or Unix running on a standardized chip.  I don't think that
any of my undergraduates -- or for that matter, anyone at a CERT --
has the knowledge to make such a system completely secure while
simultaneously remaining within an undergraduate's budget and
keeping the system powered up.

How have you managed to make the pad theft-proof?

        -kitten

------------------------------

From: vincent <[EMAIL PROTECTED]>
Subject: Yarrow RNG
Date: Fri, 06 Aug 1999 14:37:23 +0100

I have a question about Yarrow (the PRNG developed by Schneier and
Kelsey).
They claim they've tested a lot of PRNG say a lot of them are unsecured
(they've broken them).
They also claim that Yarrow is secure and that everybody should use it
(that's why it is free).

What do you think about it, and is it possible that they've put a
trapdoor inside to be (the only one to be) able to break it ?

Does the fact that they provide the source code actually prove their
sincerity ?

Thanks for any reply.

-- 
============================
Vini boy
[EMAIL PROTECTED]

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
