Cryptography-Digest Digest #17, Volume #10        Mon, 9 Aug 99 06:13:04 EDT

Contents:
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . ("Roger Schlafly")
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (wtshaw)
  WHO IS THIS PERSON? please id (BIONICFLE)
  Re: Construction of permutation matrix (wtshaw)
  Re: : I AM CAVING IN TO JA... (wtshaw)
  Re: Questions regarding elliptic curve cryptography. (Carper)
  Re: challenge/competition revisited (Gabe Simon)
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . ("Paul Lutus")
  Re: What is "the best" file cryptography program out there? ([EMAIL PROTECTED])
  Re: Ways to steal cookies in HTTP and HTTPS ([EMAIL PROTECTED])
  Re: Ways to steal cookies in HTTP and HTTPS ([EMAIL PROTECTED])
  Re: Infallible authentication scheme ([EMAIL PROTECTED])
  Re: What is "the best" file cryptography program out there? ([EMAIL PROTECTED])
  Twofish --> Can Someone Help ([EMAIL PROTECTED])
  challenge revisited ([EMAIL PROTECTED])
  Re: (Game) 80-digits Factoring Challenge ("John Fredsted")

----------------------------------------------------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Sun, 8 Aug 1999 17:12:56 -0700

Douglas A. Gwyn wrote in message <[EMAIL PROTECTED]>...
>Guenther Brunthaler wrote:
>> On 7 Aug 1999 18:41:27 GMT, [EMAIL PROTECTED] () wrote:
>> >     Why does Microsoft ABSOLUTELY REQUIRE me to install and use their
>> >Internet Explorer (IE) before I can even install their Visual C++ compiler?
>> Haven't you heard of all those rumours about the various built-in
>> backdoors of IE?
>Don't be ridiculous!  The main reason IE is required is that the
>Visual Studio help system is now based on HTML, and IE contains
>the modules needed to support that.

Nope. I installed MS C++ 6.0 without MSDN, so I don't get the
help system. There must be some other reason for the IE
requirement.

Other possibilities:

1. MS management issued an order to make products dependent
on IE, either as a way of pressuring people to use IE or to give
evidence that IE is part of the OS.
2. Some sloppy MS programmer created an IE dependency,
and the project manager didn't want to bother fixing the bug
for some reason.




------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Sun, 08 Aug 1999 18:30:35 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Guenther Brunthaler) wrote:
> 
> But the basic question is: How much do YOU trust MS?
> 
Trust everyone, but cut the cards yourself.  I wish that I could trust MS,
but, like Jobs, feel betrayed...betrayed...betrayed. When later deal
making is placed above integrity, how can you trust people like this?
Crying it's only business is no excuse for doing dastardly things in any
field.
-- 
Sometimes you have to punt, and hope for the best.

------------------------------

From: [EMAIL PROTECTED] (BIONICFLE)
Subject: WHO IS THIS PERSON? please id
Date: 09 Aug 1999 00:08:27 GMT

http://members.aol.com/betzyjo1/arcbhguy.jpg

reply to SENDER

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Construction of permutation matrix
Date: Sun, 08 Aug 1999 18:23:53 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> > ...  Whenever someone speaks of fractions of bits, it is only a
> > mind thing that looks good to those that falsely believe that bits
> > are especially fundamental to everything.
> 
> The "bit" *is* a fundamental unit of information:

Yes it is, but it is only one of them. 

> it is the amount
> of information in the simplest nontrivial discrete choice (Boolean,
> YES/NO). 

Which is only a small part of what logic can be involved in choices.
Trying to make everything into yes/no is left to the uneducated and the
legal profession.

> It is no coincidence that computers are organized to work
> on various numbers of bits; some very early digital computers did
> use other bases for representation, but when one wants the most
> streamlined possible operation, the basic unit of information
> storage in the machine simplifies as far as possible, to the
> single bit (usually in the state of a coupled, complementary pair
> of transistors, FETs, or other basic amplifying circuit elements).

It all depends.  Actually, I have at various times been involved in
projects that did not use bits nor serial processing exclusively.  Certain
problems are better handled in other ways.
> 
> Fractional bits are no more mysterious than the fact that the
> logarithm base 2 of 10 is around 3.32 rather than an integer.
> It's just as much a "mind thing" as the log base 2 of 8 being 3.

We do seem to agree that fractional information units come merely from the
fact that things don't have to come out even, and often don't.
-- 
Sometimes you have to punt, and hope for the best.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: : I AM CAVING IN TO JA...
Date: Sun, 08 Aug 1999 18:38:55 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Dave
Salovesh) wrote:

> In article <7ocu6e$q1o$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) opined:
> 
> > I see more and more sites that say you Need JavaScript or some application
> >to use the site. I can't see why webpage designers seem to always try to
> >force the user to get newer crap when the regular HTML works. But they
> >seem to make things more complicated.
> >  So I give up......
> 
> I don't get it.  Why not push yourself to use HTML better - why cave?

And, at that, stay with simple is best, even to allowing good access with
text only, even checking to see if Mosaic can read it; a good test to see
if something is straight vanilla, and not apt to play fast and loose with
security, which should be what you are about in the first place.
-- 
Sometimes you have to punt, and hope for the best.

------------------------------

From: [EMAIL PROTECTED] (Carper)
Subject: Re: Questions regarding elliptic curve cryptography.
Date: Mon, 09 Aug 1999 01:16:22 GMT

>I don't see how Certicom could have invented point
>compression, but maybe we will find out some day. The P1363
>draft will soon be re-balloted with corrections, and we expect
>it to become an IEEE standard soon. We will see whether
>users have to pay royalties to Certicom.

That's like saying you invented the quadratic equation.  This "point
compression" is such a simple and intuitive thing that anyone can come
up with it after thinking for 2 minutes about it.  Perhaps they can patent 
some particular method of identifying the y coordinate with just 1 bit, but 
that can be done in a number of ways.
Also, I just did a search for Certicom patents in U.S. Patent database - there 
is no mention of "point compression" anywhere.  So I guess until their 
application gets accepted (hopefully, it won't), anyone can freely use it.
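
One way to identify the y coordinate with a single bit, as an added example that is not part of the original post: keep x plus the parity of y, and recover y with a modular square root. The toy curve parameters `P`, `A`, `B` and the function names are constructed for illustration and are not taken from P1363 or any patent.

```python
# Toy curve y^2 = x^3 + A*x + B over GF(P); constructed parameters.
# P is chosen with P % 4 == 3 so a square root is a single exponentiation.
P, A, B = 103, 2, 3


def curve_rhs(x, p=P, a=A, b=B):
    """Right-hand side x^3 + a*x + b reduced mod p."""
    return (x * x * x + a * x + b) % p


def compress(x, y, p=P):
    """Return (x, y_bit): the x coordinate plus the low bit of y."""
    if (y * y) % p != curve_rhs(x, p):
        raise ValueError("point is not on the curve")
    return x, y & 1


def decompress(x, y_bit, p=P):
    """Rebuild (x, y) from x and one bit, rejecting x values off the curve."""
    if not 0 <= x < p or y_bit not in (0, 1):
        raise ValueError("malformed compressed point")
    rhs = curve_rhs(x, p)
    y = pow(rhs, (p + 1) // 4, p)      # candidate root, valid since p % 4 == 3
    if (y * y) % p != rhs:
        raise ValueError("x has no matching y: not a curve point")
    if y == 0:
        if y_bit != 0:
            raise ValueError("y = 0 has only the even encoding")
        return x, 0
    # p is odd, so y and p - y always have opposite parity.
    if (y & 1) != y_bit:
        y = p - y
    return x, y


if __name__ == "__main__":
    for x in range(P):
        try:
            print(x, decompress(x, 0), decompress(x, 1))
            break
        except ValueError:
            continue
```

The rejection branch matters in practice: a receiver that skips the `y*y == rhs` check will accept x values that do not lie on the curve.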

------------------------------

From: [EMAIL PROTECTED] (Gabe Simon)
Subject: Re: challenge/competition revisited
Date: 9 Aug 1999 01:06:46 GMT

Thanks a lot Jim,
I think that might be exactly the sort of thing I was looking for.  Let's 
just say my check is in the mail. 

Gabe

>While it's not on-line, it sounds like you're looking for something
>like the American Cryptogram Association...

------------------------------

Reply-To: "Paul Lutus" <[EMAIL PROTECTED]>
From: "Paul Lutus" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Sun, 8 Aug 1999 19:09:58 -0700

<< Nope. I installed MS C++ 6.0 without MSDN, so I don't get the help
system. >>

<off-topic>

You don't get the *complete* help system. You still have help screens,
abbreviated ones. They are in HTML. This requires MSIE.

</off-topic>

--

Paul Lutus
www.arachnoid.com


Roger Schlafly <[EMAIL PROTECTED]> wrote in message
news:7ol69h$ha0$[EMAIL PROTECTED]...
> Douglas A. Gwyn wrote in message <[EMAIL PROTECTED]>...
> >Guenther Brunthaler wrote:
> >> On 7 Aug 1999 18:41:27 GMT, [EMAIL PROTECTED] () wrote:
> >> >     Why does Microsoft ABSOLUTELY REQUIRE me to install and use their
> >> >Internet Explorer (IE) before I can even install their Visual C++ compiler?
> >> Haven't you heard of all those rumours about the various built-in
> >> backdoors of IE?
> >Don't be ridiculous!  The main reason IE is required is that the
> >Visual Studio help system is now based on HTML, and IE contains
> >the modules needed to support that.
>
> Nope. I installed MS C++ 6.0 without MSDN, so I don't get the
> help system. There must be some other reason for the IE
> requirement.
>
> Other possibilities:
>
> 1. MS management issued an order to make products dependent
> on IE, either as a way of pressuring people to use IE or to give
> evidence that IE is part of the OS.
> 2. Some sloppy MS programmer created an IE dependency,
> and the project manager didn't want to bother fixing the bug
> for some reason.
>
>
>



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: What is "the best" file cryptography program out there?
Date: Sun, 08 Aug 1999 12:52:20 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Guenther Brunthaler) wrote:
> On Thu, 05 Aug 1999 00:52:07 GMT, Bob Silverman <[EMAIL PROTECTED]> wrote:
>
> >Anyone who thinks that even 2048 bits are needed is clearly
> >clueless about the subject.
>
> Due to my knowledge it has been stated that an RSA key with 3100 may
> require approximately the same effort to be broken by brute force as a
> 128 bit IDEA session key.
>
> That means, in case IDEA session keys are used, 3100 bit RSA keys
> would provide the optimum key length in PGP.
>
> Longer RSA keys cannot increase the security for a single message,
> because otherwise cracking the session key would be easier (which is
> enough to decode the message).
>
> In practice, however, longer RSA keys are advantageous, because
> breaking a session key only helps one decode a single message, while
> breaking the RSA key will enable the attacker to decode ALL messages
> that have been encrypted by that key.

You missed one crucial point:  It requires about a zillion times more
memory to actually solve for 1024 bit RSA keys than 128-bit IDEA keys.
True the sieving step might take less time but that doesn't make it
feasible.

I still am not convinced that 768/1024 bit keys are 'weak'.  See the
RSA labs TWINKLE announcement for more information.

People just jump at large PGP keys because it sounds cool.  I doubt
they realize how secure shorter keys really are.  (Even 512 bit keys are
on the 'theoretical' side).  But there are problems with larger keys:
a) bigger, b) slower.  Like on my 486 I can do things with my 768 bit
key in about 2 seconds (like signing and decrypting).  With 2048 bit
keys (max of PGP 2.6.2) it takes longer.

It's like jumping at 5DES just because you get to use a 280 bit user
key (although the actual resistance is lower).  It's no more secure
than 3DES from a practical standpoint but much slower.

Tom
--
PGP 6.0.2i Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.infosystems.www.misc,comp.security.misc
Subject: Re: Ways to steal cookies in HTTP and HTTPS
Date: Mon, 09 Aug 1999 02:31:06 GMT

In article <7ofjjl$r7j$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> If you configure Communicator not to accept 3rd party cookies, it
> will still divulge 1st party cookies (i.e., cookies you got from
> sites whose URL's you actually typed in) when an unauthorized 3rd
> party puts IMG tags into HTML source ... as described in the
> original post.  But don't take my word for it :-), try it:

I couldn't get it to work with Netscape 3.04. I created a test.htm with
img src="http://g.deja.com/gifs/dlogo_130_b.gif" and placed it on my own
server.

I could not get my Netscape 3.04 to send the Deja.com cookie to my own
server. Do I have to do something else? I turned on auto-load images - I
normally surf with images off - so even if it worked the attack is
unlikely to affect me.

I'll try it with communicator. If it works with communicator but not
with 3.04 then I'd say it's a security flaw in communicator, you should
then report this to Netscape.

For my own web applications I use session ids which expire after a
certain idle time period. The username and password is only entered
once. True, 40 bit crypto can possibly be cracked on the fly, however
128 bit crypto is easily available internationally (and often free too).

If one doesn't use cookies the session ids will have to be stored in the URL,
unless you do everything by POSTs (yuck!). Putting stuff on the URL
leaves things open to the HTTP-Referer attack. Of course that still
doesn't affect me coz I hexedited my Netscape to not send HTTP-Referer
:).

So we're still considering whether to put session ids in URLs or in
Cookies. Cookies are not supported by all browsers, nor everyone.

Link.



------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.infosystems.www.misc,comp.security.misc
Subject: Re: Ways to steal cookies in HTTP and HTTPS
Date: Mon, 09 Aug 1999 02:58:24 GMT


> If you configure Communicator not to accept 3rd party cookies, it
> will still divulge 1st party cookies (i.e., cookies you got from
> sites whose URL's you actually typed in) when an unauthorized 3rd
> party puts IMG tags into HTML source ... as described in the
> original post.  But don't take my word for it :-), try it:

OK tried it. Yes it works with Netscape 4. But it doesn't work with
Netscape 3 which I usually use (netscape 3 sends the relevant cookies to
the relevant sites). I'll take it to be another one of those security
flaws/bugs (features) in Netscape. It could be an intentional feature
(like IE5's clipboard pasting and bookmark notification to remote
sites), but just make noise about it and they'll probably fix it. Have
you tried it with IE 3/4/5 yet? I'm wondering if it'll be a case of
"Great minds think alike/fools seldom differ".

Cheerio,

Link.



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Infallible authentication scheme
Date: Sun, 08 Aug 1999 13:11:30 GMT

In article
<[EMAIL PROTECTED]>,
  Eric Lee Green <[EMAIL PROTECTED]> wrote:

> Err, if you are using a plain text password as your sole source of
> entropy, you are of course correct -- there isn't enough entropy to
> produce a strong hash resistant to dictionary attacks. That's why you
> should not use a plain text password as your sole source of entropy. See
> http://www.counterpane.com for more info on that.  Use a key generated
> by a strong (high entropy) key generation mechanism. The hard part then
> becomes the authentication key distribution mechanism and protecting
> that mechanism against hackers (grin). Different topic, far harder than
> this one...

That's why you salt a hash (nothing new here).  If you use it as an
interactive protocol you get

1.  Make a random R and increment I
2.  Send H(K || R || I)
3.  Goto 1 as required

Where R is a random integer and I is a binary counter.  I dunno if you
really need R but it adds entropy to the hash (which I find a good
idea).

> I'm assuming that SHA1 has similar characteristics, except maybe being
> faster than MD5 (?).

Well collisions have been found in MD5 whether they are exploitable is
another thing.  In this situation I would say no because the attacker
is forced to use only one side of

H(K || R || I) = H(K' || R || I)

I would use SHA1 though.  It has more rounds and seems highly
resistant.  It also produces larger hashes.

Tom
--
PGP 6.0.2i Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
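
The H(K || R || I) exchange from the post above, with both sides shown, as an added example that is not part of the original message. It assumes R and I travel alongside the hash so the verifier can recompute it; the 16-byte R, the 64-bit big-endian I, and the names `make_token` and `Verifier` are choices made here, and SHA-1 is used because the post names it.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16  # assumed size of R in bytes


def make_token(key, counter, nonce=None):
    """Prover: pick a random R and return (R, I, H(K || R || I))."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    # Fixed-width R and I keep the concatenation K || R || I unambiguous:
    # no two different (R, I) pairs can produce the same hash input.
    msg = key + nonce + struct.pack(">Q", counter)
    return nonce, counter, hashlib.sha1(msg).digest()


class Verifier:
    """Verifier: recompute the hash and refuse counters it has already seen."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def check(self, nonce, counter, digest):
        if len(nonce) != NONCE_LEN or counter <= self.last_counter:
            return False                  # malformed R, or replayed / stale I
        _, _, expected = make_token(self.key, counter, nonce)
        if not hmac.compare_digest(expected, digest):
            return False                  # wrong key or altered message
        self.last_counter = counter       # advance only after a valid token
        return True


if __name__ == "__main__":
    shared_key = os.urandom(32)           # constructed high-entropy K
    verifier = Verifier(shared_key)
    token = make_token(shared_key, 1)
    print("first use accepted:", verifier.check(*token))
    print("replay accepted:   ", verifier.check(*token))
```

The counter check is what stops a captured token from being replayed; R by itself does not, because the verifier would need to remember every R it has seen.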



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: What is "the best" file cryptography program out there?
Date: Sun, 08 Aug 1999 13:07:02 GMT

In article <7ohtlt$32p$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Keith A Monahan) wrote:
> KidMo,
>
> The problem is that there would have to be a VERY VERY VERY large increase
> in processor speed to considerably affect the security of our latest
> algorithms.
>
> If you compare average brute-force times on a 500mhz or a 5ghz machine,
> what's the result going to be?  2^15 years instead of 2^123 years?
>
> And the difference isn't going to be that large, but the point I'm making is
> this.  Machines would have to be factors and factors and factors faster to
> affect the time.
>
> BTW: 2^15 = 32768 years.  That's a lot of years. :)

Even if you assume a 5ghz processor is 100 times faster than a 500mhz
one.  This is still 182,794,505 years avg per key (at 100*2^20 for
80-bit keys).  Put a million on it and you get 174 years average per key.
Still long enough for my liking.

The way I see it the biggest threat is 486/586 that are very common
nowadays.  Because groups like distributed.net can get a hold on
150,000 of them quite easily.  If a big company spends a trillion
dollars to read my letters, go right ahead they deserve it.

Tom
--
PGP 6.0.2i Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp



------------------------------

From: [EMAIL PROTECTED]
Subject: Twofish --> Can Someone Help
Date: Mon, 09 Aug 1999 06:14:56 GMT

Hi,

Has anyone of u really tried understanding the
Twofish Algorithm??

My problem is how to multiply matrices of RS * m
over GF(2**8) for w(x)=x**8 +x**6+ x**3+ x**2+
1 ? can someone tell me how is this matrix
multiplication over GF to be performed??

Trying this site in desperation, so if anyone of
u is offended, my apologies.

Shailesh
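
The RS * m product asked about above, worked through as an added example that is not part of the original post. Bytes are treated as polynomials over GF(2), addition is XOR, and every product is reduced modulo w(x) = x**8 + x**6 + x**3 + x**2 + 1 (0x14D); the RS matrix is transcribed from the Twofish specification and should be checked against your copy, and the function names are chosen here.

```python
RS_POLY = 0x14D  # w(x) = x^8 + x^6 + x^3 + x^2 + 1, as quoted in the post

# RS matrix, 4 rows by 8 columns, transcribed from the Twofish specification.
RS = [
    [0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E],
    [0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5],
    [0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19],
    [0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03],
]


def gf_mul(a, b, poly=RS_POLY):
    """Multiply two bytes as polynomials over GF(2), reduced mod poly."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # adding polynomials over GF(2) is XOR
        b >>= 1
        a <<= 1                  # multiply a by x
        if a & 0x100:
            a ^= poly            # degree reached 8: subtract (XOR) w(x)
    return result


def rs_multiply(m, matrix=RS):
    """Return matrix * m for a column vector m of 8 bytes (4 bytes out)."""
    if len(m) != 8 or any(not 0 <= v <= 0xFF for v in m):
        raise ValueError("m must hold exactly 8 byte values")
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, m):
            acc ^= gf_mul(coeff, byte)   # sum of products, with sum = XOR
        out.append(acc)
    return out


if __name__ == "__main__":
    key_bytes = list(range(8))           # constructed sample input
    print([hex(v) for v in rs_multiply(key_bytes)])
```

An ordinary integer matrix product gives wrong results here: carries must never propagate between bit positions, and the reduction uses 0x14D rather than the polynomial of the cipher's other matrix.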



------------------------------

From: [EMAIL PROTECTED]
Subject: challenge revisited
Date: Mon, 09 Aug 1999 08:58:34 GMT

 It's been 6 days and Little Tommy has not cracked fortom.cpt.
Can little genius not crack it?  4 others have already cracked this easily.
Must be EASY but not for Little Tommy. Thank you again for
not telling him the good answer.



------------------------------

From: "John Fredsted" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: (Game) 80-digits Factoring Challenge
Date: Mon, 9 Aug 1999 09:46:22 +0200

In passing by I noticed:

The product a * b * c (of the three factors proposed) must end at the digit
1 * 7 * 3 (mod 10) = 1, and not 9 as you have calculated.

John Fredsted

Johnny Hazard wrote in message ...
>On Wed, 28 Jul 1999 08:50:44 -1000, <[EMAIL PROTECTED]> wrote:
>>kctang wrote:
>>> Dear all,
>>> Please factorize  the 80-digits number:
>>> 256261430091697968103677033465028955910<continue at next line>
>>> 15360341017076023809547878443033203276429
>>> Thanks & Bye,  kctang
>>There are 3 factors
>>74681239503223976540012391
>>73935890729093478299508777
>>10094892705484334775926633
>>This was factored with the Quadratic Field Sieve using
>>a pocket calculator in 163 minutes. The program is
>>available for $199.
>
>So i know i'm never gonna buy such calculator!
>
>Your three "factors" a,b and c:
>
>a*b*c = 408246186006833348959825664719124648220
>666886045554299649802819054722602718039
>



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
