Cryptography-Digest Digest #29, Volume #10       Wed, 11 Aug 99 16:13:03 EDT

Contents:
  Re: Crypto 99 shock - the chosen conference attack! (John Savard)
  Re: frequency of prime numbers? ("karl malbrain")
  Re: AES finalists to be announced (Helger Lipmaa)
  Re: brute force crackers unethical? (Paul Koning)
  Re: Crypto 99 shock - the chosen conference attack! (Medical Electronics Lab)
  Re: NIST AES FInalists are.... ([EMAIL PROTECTED])
  Re: My web site is up! ([EMAIL PROTECTED])
  Re: simultaneous multiple exponentiation (Bob Silverman)
  Re: Power analysis of AES candidates (Medical Electronics Lab)
  Re: Cipher-Feedback Mode ([EMAIL PROTECTED])
  Re: Power analysis of AES candidates ("William Whyte")
  Re: NIST AES FInalists are.... ([EMAIL PROTECTED])
  Re: SSL/SGC - Is 3DES (168bit) Available? (Paul Rubin)
  Re: My web site is up! (SCOTT19U.ZIP_GUY)
  Re: My web site is up! (Greg)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Crypto 99 shock - the chosen conference attack!
Date: Wed, 11 Aug 1999 16:58:46 GMT

[EMAIL PROTECTED] (Ross Anderson) wrote, in part:

>If you want to learn how to detect, monitor and control crypto ...
>reduce the likelihood of an outbreak and comply with legislation ...
>assess cutting edge technologies for the removal and destruction of
>crypto  ...

No, they're not looking to remove and destroy cryptography, but instead the
disease-causing microorganism _cryptosporidium_.

Hence, this is not an attack on Crypto '99 (even if their conference also uses
the apostrophe...)

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: frequency of prime numbers?
Date: Wed, 11 Aug 1999 10:38:18 -0700


Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> The main thing is, making the assumption of finitude,
> you get a contradiction.  Just what form the contradiction
> takes is unimportant; it shows the assumption is wrong.

No, to lead someone to knowledge AND make them think (correctly), you have
to get to a DIALECTICAL contradiction.  Karl M



------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: AES finalists to be announced
Date: Wed, 11 Aug 1999 17:28:01 +0000

David A Molnar wrote:

> Bruce Schneier <[EMAIL PROTECTED]> wrote:
> > I meant no ill will, but my bibliography of Serge's work shows
> > primarily design papers.
>
> Checking http://www.dmi.ens.fr/~vaudenay/pub.html shows some papers with
> titles like "On the Security of CS-cipher" and "On the relationship
> between differential and linear cryptanalysis." I haven't read these yet;
> are they considered design or cryptanalytic?

Some of his papers:
"Attacks on the Birational Permutation Signature"
"Black Box Cryptanalysis of Cryptographic Primitives"
"Hidden Collisions on DSS"
"Cryptanalysis of the Chor-Rivest Cryptosystem"
"Links between Differential and Linear Cryptanalysis"
"Black Box Cryptanalysis of Hash Networks based on Multipermutations"
"On the Weak Keys of Blowfish" (AFAIK the best attack against Blowfish
until lately)

His work is of course different from that of, say, Biham, but still...

> P.S. The only paper of his that I've looked at is "Cryptanalysis of the
> Chor-Rivest Cryptosystem", and that mostly because knapsacks came up in
> another thread. So I am no expert here and curious.

Helger Lipmaa
http://home.cyber.ee/helger



------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: brute force crackers unethical?
Date: Wed, 11 Aug 1999 13:15:38 -0400

"Andrew Whalan" <[EMAIL PROTECTED]> writes:
> 
> >I just recently lost a tutoring job at a university, in a nutshell, for
> >writing a brute force cracker for the Unix crypt function as a student and
> >then demonstrating it whilst holding the position of a tutor (although not
> >tutoring at that point in time) to a fellow data security student.

I'd say you should fight that VERY hard.

Most likely it's a bad decision made on misunderstanding and confused
reasoning.  If so, straightening that out will do everyone a service,
and will help teach the right thing.

On the other hand, if it's really policy that hiding of the truth is
what the university wants (which is the message sent by the action you
describe) then obviously that needs to be shouted from the rooftops.

Depending on the outcome, you may want to transfer to another
university.  (If the latter alternative is the true one, then your 
educational integrity would seem to demand it.)

        paul

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Crypto 99 shock - the chosen conference attack!
Date: Wed, 11 Aug 1999 12:38:55 -0500

Ross Anderson wrote:
> 
> A company called IIR Limited has organised a conference called Crypto 99
> which is NOT the one we are expecting to take place next week at Santa
> Barbara.
> 
> If you want to learn how to detect, monitor and control crypto ...
> reduce the likelihood of an outbreak and comply with legislation ...
> assess cutting edge technologies for the removal and destruction of
> crypto  ... and benefit from the ideas of the world's leading crypto
> experts (Messrs. Fricker, Hall, Watkins, Mold, Clancy, Clay-Chapman,
> Robertson-Kelly, Rose and Lightfoot), then this conference is
> apparently the one for you.
> 
> (Sounds like spook heaven, doesn't it :-)
> 
> More at http://www.cl.cam.ac.uk/~rja14/crypto.html

:-)
Funny you should mention that, I'm doing a
project now for embedded systems that detect
toxins in water systems and factories.  I
didn't think it had anything to do with crypto,
but them little spooks is everywhere!

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NIST AES FInalists are....
Date: Wed, 11 Aug 1999 18:00:18 GMT

John Savard wrote:

> Although us poor mortals without security clearances and the like have
> no basis with which to draw definite conclusions as to what methods of
> analysis the NSA may possess, we do have some information which is
> suggestive:

I think trusting the skill of the NSA is a rational
position, and I think essentially dismissing the public
analysis is an arguably rational position.  Doing both
is nonsense.  Is the bar so high the best efforts of
superb cryptologists are insufficient, or so low that
a spy agency about which we know next to nothing
automatically clears it?

--Bryan



Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: My web site is up!
Date: Wed, 11 Aug 1999 17:50:01 GMT

In article <7ordap$rso$[EMAIL PROTECTED]>,
  Greg <[EMAIL PROTECTED]> wrote:
> Thanks to the patience of people at this forum, I feel confident that
> many of my previous beliefs are really not of such great concern as I
> once thought.  So I have decided to go ahead and get my web site fully
> launched.  Please let me know what you think of it, even the artistic
> aspects of it.
>
> www.ciphermax.com
Quote from aforementioned WWW site:

"While Microsoft Windows operating systems, including NT 4.0, are very
good operating systems"

HAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!!!

You've got to be *KIDDING*, right?!!

(Well, you did ask... ;)

--
Sarah Dean
[EMAIL PROTECTED]
http://www.fortunecity.com/skyscraper/true/882/
PGP Key at: http://www.fortunecity.com/skyscraper/true/882/PGP.htm

For information on ScramDisk and SecureTrayUtil, check:
http://www.fortunecity.com/skyscraper/true/882/ScramDisk.htm




------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: simultaneous multiple exponentiation
Date: Wed, 11 Aug 1999 17:58:59 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Hello,
> I wish to implement (in C) simultaneous multiple exponentiation with
> Montgomery's method. The reference I've been using is
> _Handbook_of_Applied_Cryptography_, Menezes, et al. In Note 14.96 (iii)
> it states "Any of the other exponentiation algorithms discussed in
> section 14.6.1 can be combined with Montgomery reduction ...". I would
> appreciate elaboration as to exactly how to modify the simultaneous
> multiple exponentiation algorithm (14.88).


Montgomery's algorithm is just a way of computing a*b mod C  that uses
no division.  The classical way to do this computation is to compute
a*b  then to divide by C to get a remainder.  Montgomery's algorithm
avoids the division (at the cost of some extra multiplications).
Whether Montgomery's method actually yields a speedup depends on how
long your machine takes to do a division relative to how long it
takes to do a multiplication.

Computing a*b mod C  is a primitive operation within any modular
exponentiation routine.  But it is separate from the method used to
do the exponentiation.

14.88  in the HAC is not about *modular* exponentiation, but rather
about general exponentiation. i.e. compute  a^7 b^9 c^10  rather
than a^7 b^9 c^10  mod D.  Translating the former to the latter
is easy --> just replace ordinary multiplication with modular
multiplication.

--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


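A worked version of what Bob describes, added here as an example (it is not part of the original post or of the HAC): Montgomery reduction supplies the "a*b mod C without division" primitive, and HAC Algorithm 14.88 is written against an abstract multiplication so the two simply plug together. The modulus, bases and exponents are constructed for the demonstration, and pow(n, -1, R) assumes Python 3.8 or later.

```python
# Added example (not from the thread): Montgomery multiplication as the
# modular-multiply primitive, plugged into HAC Algorithm 14.88
# (simultaneous multiple exponentiation) exactly as the post describes.
# Pure Python, for clarity rather than speed; Python's own division is not
# slow, so the speedup argument in the post does not apply here.


class Montgomery:
    """Montgomery arithmetic modulo an odd n, with R = 2^k > n."""

    def __init__(self, n):
        assert n > 1 and n % 2 == 1, "Montgomery reduction needs an odd modulus"
        self.n = n
        self.k = n.bit_length()
        self.R = 1 << self.k
        self.mask = self.R - 1
        # n' = -n^{-1} mod R (n is odd, so the inverse exists; Python 3.8+)
        self.n_prime = (-pow(n, -1, self.R)) % self.R
        # R^2 mod n, used once per value to move it into Montgomery form
        self.R2 = (self.R * self.R) % n

    def redc(self, T):
        """Return T * R^{-1} mod n for 0 <= T < n*R, with no division:
        only a mask, a shift and two multiplications."""
        m = ((T & self.mask) * self.n_prime) & self.mask  # m = T n' mod R
        t = (T + m * self.n) >> self.k                     # exact: T + m n is 0 mod R
        return t - self.n if t >= self.n else t             # t < 2n, one subtraction

    def to_mont(self, a):
        """a -> a*R mod n   (REDC(a * R^2) = a R^2 R^{-1})."""
        return self.redc((a % self.n) * self.R2)

    def from_mont(self, a_r):
        """a*R mod n -> a   (REDC(aR) = aR R^{-1})."""
        return self.redc(a_r)

    def mul(self, a_r, b_r):
        """(aR)(bR) -> abR: the 'a*b mod C without division' primitive."""
        return self.redc(a_r * b_r)


def simultaneous_exp(mul, one, bases, exps):
    """HAC Algorithm 14.88: compute prod bases[i]^exps[i] for any
    associative `mul` with identity `one`.  Nothing here is modular;
    the reduction lives entirely inside `mul`, as the post says."""
    k = len(bases)
    assert k == len(exps) and k > 0
    # Precompute G[j] = product of bases[i] over the bits i set in j.
    G = [one] * (1 << k)
    for j in range(1, 1 << k):
        low = j & -j                       # lowest set bit of j
        G[j] = mul(G[j ^ low], bases[low.bit_length() - 1])
    t = max(e.bit_length() for e in exps)
    A = one
    for bit in range(t - 1, -1, -1):       # scan all exponents MSB -> LSB together
        A = mul(A, A)
        col = sum(((e >> bit) & 1) << i for i, e in enumerate(exps))
        if col:                            # note: branch on exponent bits
            A = mul(A, G[col])
    return A


def multi_exp_mod(bases, exps, n):
    """prod bases[i]^exps[i] mod n: convert in, run 14.88 with Montgomery
    multiplication as the multiply, convert out."""
    M = Montgomery(n)
    bases_r = [M.to_mont(b) for b in bases]
    A_r = simultaneous_exp(M.mul, M.to_mont(1), bases_r, exps)
    return M.from_mont(A_r)


def multi_exp_mod_plain(bases, exps, n):
    """Same algorithm with the textbook multiply (a*b, then divide by n),
    kept as a cross-check of the Montgomery path."""
    return simultaneous_exp(lambda a, b: (a * b) % n, 1, [b % n for b in bases], exps)


if __name__ == "__main__":
    n = 1000003                          # constructed odd modulus
    bases, exps = [3, 5, 7], [7, 9, 10]  # a^7 b^9 c^10 mod n, as in the post
    print(multi_exp_mod(bases, exps, n), multi_exp_mod_plain(bases, exps, n))
```

The `if col:` step in the 14.88 loop is the algorithm as published; it branches on exponent bits, which is a side-channel consideration whenever the exponents are secret, independent of whether the multiply underneath is Montgomery or classical.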

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Power analysis of AES candidates
Date: Wed, 11 Aug 1999 12:20:50 -0500

Bruce Schneier wrote:
 
> There's a lot more to power analysis than any of the papers from AES
> indicate.  each one talks about a specific attack.  We've found that
> all ciphers are vulnerable, the attacks are just different.  We don't
> believe it is possible to make a cipher immune to side channel attacks
> such as power analysis.  See:
> 
> http://www.counterpane.com/crypto-gram-9806.html#side
> 
> for some details.
> 
> My hope is that someone who has done considerable research in this
> writes this up for the third AES candidate conference.

I disagree with the statement that it's impossible to make a
cipher immune from side channel attacks.  However, I'll "cheat"
to use your phrase in the above crypto-gram.  

To make a PK cipher immune I can do the following: Pick an
EC system with Type I ONB ability but use the Ring-math
method of J. Silverman for the basis.  For every calculation
I do both the data and its complement.  At every step I need
to choose which side to keep (see Silverman's paper at the
CHES conference this coming weekend), but I "waste" power
to maintain uniform energy flow.  I can also set it up so
the amount of time taken to do the calculation is uniform.

Thus I end up with a system which is side channel resistant.
If I package the circuit in a nice Faraday cage, it's even
more resistant to probing.

Not all ciphers may be amenable to this type of protection.
But I suggest that it is possible and worth while to develop
symmetric ciphers which *can* be made side channel resistant.

A cipher designer needs to know something about hardware
as well as math and coding, that's all :-)

Patience, persistence, truth,
Dr. mike
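The "compute both sides, then choose which to keep, with uniform time" structure Dr. Mike describes, as an added example that is not from the post and does not reproduce his EC/ONB construction: a Montgomery ladder for modular exponentiation next to the textbook square-and-multiply it replaces. Python integers are not constant-time, so this shows the shape of the countermeasure (no data-dependent branch, the same multiply and square every iteration, selection by mask), not a measured absence of leakage. Modulus, base and exponents are constructed.

```python
# Added example (not from the post): a Montgomery ladder whose work per
# key bit does not depend on the bit, with the "which side to keep" choice
# made by masking rather than by branching.  Illustrates the structure only;
# Python's big-integer arithmetic is itself not constant-time.


def ct_cswap(bit, x, y):
    """Swap x and y when bit == 1, without a data-dependent branch:
    the mask is all-ones or all-zeros and both words are always touched."""
    assert bit in (0, 1)
    mask = -bit                      # 0 -> 0, 1 -> -1 (all ones)
    t = (x ^ y) & mask
    return x ^ t, y ^ t


def ladder_pow(g, e, p, nbits):
    """g^e mod p by the Montgomery ladder over exactly nbits exponent bits.
    Every iteration performs one multiply and one square, regardless of
    the bit; the bit only decides which register keeps which result.
    Returns (result, number of multiplications performed)."""
    r0, r1 = 1, g % p
    ops = 0
    for i in range(nbits - 1, -1, -1):
        bit = (e >> i) & 1
        r0, r1 = ct_cswap(bit, r0, r1)
        r1 = (r0 * r1) % p           # product, always computed
        r0 = (r0 * r0) % p           # square, always computed
        ops += 2
        r0, r1 = ct_cswap(bit, r0, r1)
    return r0, ops


def naive_pow(g, e, p, nbits):
    """Textbook left-to-right square-and-multiply: the multiply happens
    only on 1 bits, so running time and the power trace follow the
    exponent's Hamming weight.  Returns (result, multiplications)."""
    acc = 1
    ops = 0
    for i in range(nbits - 1, -1, -1):
        acc = (acc * acc) % p
        ops += 1
        if (e >> i) & 1:             # data-dependent branch: the leak
            acc = (acc * g) % p
            ops += 1
    return acc, ops


if __name__ == "__main__":
    p = 1000003                      # constructed modulus
    for e in (0b1000, 0b1111):       # same length, different Hamming weight
        print(e, naive_pow(5, e, p, 4), ladder_pow(5, e, p, 4))
```

Running it shows the naive routine doing 5 multiplications for 0b1000 and 8 for 0b1111, while the ladder does 8 for both and returns the same values as pow(5, e, p).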

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Cipher-Feedback Mode
Date: Wed, 11 Aug 1999 18:18:14 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (John Savard) wrote:
> "Chris Gillespie" <[EMAIL PROTECTED]> wrote, in part:
>
> >The description of Cipher-Feedback mode in Applied Cryptography has
> >left me a little confused. I understand it up to the point of the first
> >char having been XOR'd with the first byte of the IV, but lose the plot
> >thereafter. Does anyone know of any other explanations of CFB or can
> >explain the process themselves?
>
> CFB works this way:
>
> To encipher a block of plaintext,
>
> take the previous block of ciphertext, encipher it in your block
> cipher, and XOR the result with that current block of plaintext.
>
> This way,
>
> 1) an error in the received ciphertext propagates only to two blocks
> of the message;
>
> 2) since a quantity, depending only on the previous block, is XORed to
> the current part of the message, one can do this on a byte-by-byte
> basis, without having to hold incoming bytes until a full block is
> assembled.
>
>
3. Another benefit is that it will allow you to randomly access parts of
a file.  All you do here is encipher the block before the information
you want to access and XOR it with the information.

> John Savard ( teneerf<- )
> http://www.ecn.ab.ca/~jsavard/crypto.htm
>


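The mode as John describes it, together with the random-access point in the reply, as an added example that is not part of either post. The "block cipher" is a stand-in (keyed SHA-256 truncated to 16 bytes): that is enough because CFB, in both directions, only ever calls the cipher's forward function. It also includes the 8-bit shift-register form that Applied Cryptography describes, which is the form that caused the confusion, and a routine that flips one ciphertext bit to show the two-block error propagation. Key, IV and messages are constructed.

```python
# Added example (not from the thread): CFB mode over a stand-in block
# cipher, showing (1) two-block error propagation, (2) byte-wise 8-bit CFB,
# (3) random access to any block from its predecessor alone.
import hashlib

BLOCK = 16  # block size, in bytes, of the stand-in cipher


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's *forward* direction: keyed SHA-256
    truncated to one block.  CFB never needs the inverse, so this suffices
    for the demonstration; a real system would use a real block cipher."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key, iv, plaintext):
    """Full-block CFB: C[i] = P[i] XOR E_K(C[i-1]), with C[-1] = IV."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_encrypt(key, prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_decrypt(key, iv, ciphertext):
    """P[i] = C[i] XOR E_K(C[i-1]): again only the forward direction."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(c, block_encrypt(key, prev)))
        prev = c
    return b"".join(out)


def cfb_decrypt_block(key, iv, ciphertext, n):
    """Random access: block n needs only C[n-1] (or the IV) and C[n]."""
    prev = iv if n == 0 else ciphertext[(n - 1) * BLOCK:n * BLOCK]
    return xor(ciphertext[n * BLOCK:(n + 1) * BLOCK], block_encrypt(key, prev))


def cfb8_encrypt(key, iv, data):
    """8-bit CFB as in Applied Cryptography: a one-block shift register
    holds the last 16 ciphertext bytes (initially the IV).  Each plaintext
    byte is XORed with the leftmost byte of E_K(register); the resulting
    ciphertext byte is then shifted in on the right."""
    reg, out = iv, bytearray()
    for p in data:
        c = p ^ block_encrypt(key, reg)[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key, iv, data):
    reg, out = iv, bytearray()
    for c in data:
        out.append(c ^ block_encrypt(key, reg)[0])
        reg = reg[1:] + bytes([c])
    return bytes(out)


def error_propagation(key, iv, plaintext, bad_block, bad_bit=0):
    """Flip one bit in ciphertext block `bad_block` and report, per
    plaintext block, whether it still decrypts correctly.  Expect only
    blocks bad_block (one flipped bit) and bad_block+1 (garbled) to fail."""
    ct = bytearray(cfb_encrypt(key, iv, plaintext))
    ct[bad_block * BLOCK] ^= 1 << bad_bit
    pt = cfb_decrypt(key, iv, bytes(ct))
    return [pt[i:i + BLOCK] == plaintext[i:i + BLOCK]
            for i in range(0, len(pt), BLOCK)]


if __name__ == "__main__":
    key, iv = b"k" * 16, bytes(range(16))       # constructed, not real
    pt = bytes(range(64))                        # four blocks
    print(error_propagation(key, iv, pt, 1))     # [True, False, False, True]
    msg = b"byte-by-byte CFB needs no padding"
    print(cfb8_decrypt(key, iv, cfb8_encrypt(key, iv, msg)) == msg)
```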

------------------------------

From: "William Whyte" <[EMAIL PROTECTED]>
Subject: Re: Power analysis of AES candidates
Date: Wed, 11 Aug 1999 19:49:01 +0100

>I suggest writing the author of the NIST paper and asking him specifically.
Or
>send an official comment to NIST asking the question.

Jim Nechvatal from NIST sent me the following reply:

============================================================
William,

   Thanks for your comments (8/10) about the discussion of the Biham/Shamir
power analysis paper in the NIST report. You make a good point. The
classification of Serpent and Twofish as having "no weakness" and MARS,
RC6, Rijndael as having some weakness was based on the fact that in the
discussion of MARS, they refer to the possibility of gaining 2.54 bits of
information per byte. This seems to apply to RC6 and Rijndael as well,
although the discussion is vague. The discussions of Serpent and Twofish
omit any reference to gaining any knowledge of key bits. However, the
discussion is so vague that it may have been unwarranted to assume that no
knowledge of key bits can be gained for Serpent and Twofish. In any case,
the Biham/Shamir paper played no role in determining promotion to round 2.
If it is to play a role in round 2, it will have to be made more concrete.
E.g., statements such as "the derivation ... is expected to be easier" in
Section 2.12 will have to be instantiated before a candidate such as
Rijndael is regarded as having any real weakness in this context. Even if
this is the case, there is considerable debate about whether such attacks
are a real concern.
============================================================

Cheers,

William
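What a figure like "2.54 bits of information per byte" amounts to, as an added example that is not part of William's post or of the NIST reply. The reply does not say which leakage model the figure comes from; the example assumes the leak is the Hamming weight of each key byte (the usual model in power analysis, and 2.54 is the entropy of that quantity for a uniformly random byte), and that assumption is the whole premise. The 16-byte key is constructed.

```python
# Added example (not from the thread): entropy of a Hamming-weight leak per
# byte, and how many key candidates survive once every byte's weight has
# been observed.  Assumes the "2.54 bits" in the NIST reply refers to this
# leakage model; the reply itself does not say.
from math import comb, log2, prod


def hamming_weight_entropy(nbits=8):
    """Shannon entropy, in bits, of HW(x) for uniformly random x of nbits bits.
    For nbits = 8 this is about 2.5442, the figure quoted in the reply."""
    total = 1 << nbits
    h = 0.0
    for w in range(nbits + 1):
        p = comb(nbits, w) / total   # P[HW(x) = w]
        h -= p * log2(p)
    return h


def hamming_weight(x):
    return bin(x).count("1")


def candidates_after_hw_leak(key):
    """Number of keys consistent with the observed Hamming weight of every
    byte; the true key is always among them.  Weights 0 and 8 pin a byte
    down completely, weight 4 leaves 70 possibilities."""
    return prod(comb(8, hamming_weight(b)) for b in key)


def bits_lost_to_hw_leak(key):
    """Key entropy, in bits, removed by the leak for this particular key.
    Averaged over random keys this is len(key) * hamming_weight_entropy()."""
    return 8 * len(key) - log2(candidates_after_hw_leak(key))


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed key
    print(round(hamming_weight_entropy(), 4))                # 2.5442
    print(candidates_after_hw_leak(key), round(bits_lost_to_hw_leak(key), 2))
```

For a random 128-bit key the expected loss is 16 * 2.544, roughly 41 bits, leaving about 2^87 candidates; the constructed low-weight key above loses more than that, which is the other side of the same leak.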



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NIST AES FInalists are....
Date: Wed, 11 Aug 1999 18:12:35 GMT

In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn wrote:
> [EMAIL PROTECTED] wrote:
> > Oh spare us.  You have no basis for concluding that
> > the NSA has anything better than the publicly known
> > methods of analysis.
>
> To the contrary.

Those three words are an outstandingly poor attempt at
justifying your position.  Please, tell us: what is this
criterion for an estimate of security to be "soundly based"
such that all the public work fails it but the mere fact
that it comes from the NSA means we can get it?  Be
careful to avoid drawing conclusions from reputation,
since you specifically ridiculed that criterion in the
case of public analysis.

--Bryan



------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: SSL/SGC - Is 3DES (168bit) Available?
Date: 11 Aug 1999 12:20:22 -0700

"Goll, David M" <[EMAIL PROTECTED]> writes:
> Where a foreign organisation is granted an SGC certificate by VeriSign
> or Thawte, does this allow 3DES (168bit) on browser / server dialogues,
> or are they limited to 128 bit RC2/4?
> 
> I would appreciate any assistance.

This is determined by the available ciphers and the settings in both
the server and the browser.  At least with Netscape 4.5 (that's what I
just tested), 128 bit rc4 is the default, you get a 3des connection if
you turn off rc2/4 in the browser.  I'd expect the same if you turn
off rc2/4 in the server.  You might have some trouble with older
browsers if you do that, but older browsers don't understand SGC anyway.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: My web site is up!
Date: Wed, 11 Aug 1999 20:06:01 GMT

In article <7osd44$iov$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>In article <7ordap$rso$[EMAIL PROTECTED]>,
>  Greg <[EMAIL PROTECTED]> wrote:
>> Thanks to the patience of people at this forum, I feel confident that
>> many of my previous beliefs are really not of such great concern as I
>> once thought.  So I have decided to go ahead and get my web site fully
>> launched.  Please let me know what you think of it, even the artistic
>> aspects of it.
>>
>> www.ciphermax.com
>Quote from aforementioned WWW site:
>
>"While Microsoft Windows operating systems, including NT 4.0, are very
>good operating systems"
>
>HAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!!!
>
>You've got to be *KIDDING*, right?!!
>
>(Well, you did ask... ;)
>

   It sucks since the person who put up the site is obviously selling SNAKE
OIL. The design sucks so bad you can't even see the company logo. They
were not too bright and used spaces in their image titles. But don't worry,
if you really have such wonderful PR directly from the NSA I am sure
someone will be dumb enough to BUY. Just hope they have the same defective
browser to view the page.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: My web site is up!
Date: Wed, 11 Aug 1999 18:51:12 GMT

In article <7osd44$iov$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <7ordap$rso$[EMAIL PROTECTED]>,
>   Greg <[EMAIL PROTECTED]> wrote:
> > Thanks to the patience of people at this forum, I feel confident that
> > many of my previous beliefs are really not of such great concern as I
> > once thought.  So I have decided to go ahead and get my web site fully
> > launched.  Please let me know what you think of it, even the artistic
> > aspects of it.
> >
> > www.ciphermax.com
> Quote from aforementioned WWW site:
>
> "While Microsoft Windows operating systems, including NT 4.0, are very
> good operating systems"
>
> HAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!!!
>
> You've got to be *KIDDING*, right?!!
>
> (Well, you did ask... ;)
>
> --
> Sarah Dean
> [EMAIL PROTECTED]
> http://www.fortunecity.com/skyscraper/true/882/
> PGP Key at: http://www.fortunecity.com/skyscraper/true/882/PGP.htm
>
> For information on ScramDisk and SecureTrayUtil, check:
> http://www.fortunecity.com/skyscraper/true/882/ScramDisk.htm
>
>

If you seriously want to know what I think, e-mail me your e-mail
address and I will tell you the real story behind that statement.



--
The US is not a democracy - US Constitution Article IV Section 4.
Democracy is the male majority legalizing rape.
UN Security Council is a Democracy.  NO APPEALS!  Welcome to the NWO.
Criminals=Crime.  Armies=Tyranny.  The 2nd amendment is about tyranny.



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
