Cryptography-Digest Digest #70, Volume #10 Wed, 18 Aug 99 17:13:03 EDT
Contents:
Re: AES CD? ([EMAIL PROTECTED])
Encryption and Authentication (Gabriel Belingueres)
Re: rsa in other fields (Anton Stiglic)
Re: Q. a hash of a hash ... (Alwyn Allan)
Re: How to Authenticate server identity (Medical Electronics Lab)
Re: AES CD? (JPeschel)
Re: CRYPTO DESIGN MY VIEW (Mok-Kong Shen)
Re: crypto survey (Medical Electronics Lab)
Re: How to Authenticate server identity (Paul Rubin)
Re: Q. a hash of a hash ... (Jim Felling)
Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (fungus)
Re: Wrapped PCBC mode (Jim Felling)
Re: I HOPE AM WRONG (Greg)
Re: My web site is up! (Greg)
Decrypted International Crypto inside the US ("Dan Kaminsky")
Re: Smart card generating RSA keys (Matthias Bruestle)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: AES CD?
Date: Wed, 18 Aug 1999 16:08:48 GMT
I never had to pay for my copy. It was one thing the government never
charged me for.
-Ryan Phillips
On Wed, 18 Aug 1999 15:05:42 GMT, Roger Carbol <[EMAIL PROTECTED]>
wrote:
>Will the AES CD also be available online? Are they merely trying
>to distribute the code as widely as possible, or are they also
>trying to make a buck on this?
>
>.. Roger Carbol .. [EMAIL PROTECTED]
------------------------------
From: Gabriel Belingueres <[EMAIL PROTECTED]>
Subject: Encryption and Authentication
Date: Wed, 18 Aug 1999 16:21:56 GMT
Hi,
I posted this message a few days ago, but I repost it because I didn't
get any satisfying answer.
What I mean is that:
In SSL (for example), the transmission of message M is done this way:
SSL record = Cipher_SessionKey [M || HMAC_SessionMACKey(M)]
What I'm asking is why it is not done this way:
C = Cipher_SessionKey [M]
SSL record = [ C || HMAC_SessionMACKey(C) ]
where || is the concatenation.
In the latter, I can authenticate first, and if the MAC is not the same, I
can save a decryption. In the former, I can't do that.
I think both forms provide the same security. In the books I have been
reading, the authors only say that the former is more "typical".
Can anybody help me with this?
Gabriel
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
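The second form in the post, with the MAC computed over the ciphertext, is what is now called Encrypt-then-MAC. Bellare and Namprempre showed in 2000 that it is the one generic composition that is secure for any secure cipher and MAC, while the first form (MAC-then-Encrypt, as SSL did it) is secure only for particular ciphers; CBC-based MAC-then-Encrypt in SSL/TLS was later shown to be exploitable through padding oracles. The Go program below is an added example, not code from the post or from any SSL implementation: it builds records of the second form with AES-CTR and HMAC-SHA256, verifies before decrypting, and shows that a tampered record is rejected before any AES work is done. The keys and the IV are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record layout for the second form in the post (MAC over the ciphertext):
//
//	record = IV || C || HMAC_macKey(IV || C),  C = AES-128-CTR_encKey(M)
//
// The IV is part of the MAC input, so the tag pins the IV as well.
const tagLen = sha256.Size

var errBadTag = errors.New("record rejected: MAC mismatch (nothing was decrypted)")

// seal builds one record. encKey is 16 bytes; iv is one AES block and must
// never repeat under the same encKey (a counter or random value per record).
func seal(encKey, macKey, iv, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one block")
	}
	c := make([]byte, len(msg))
	cipher.NewCTR(block, iv).XORKeyStream(c, msg)
	rec := append(append([]byte{}, iv...), c...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(rec)
	return mac.Sum(rec), nil // appends the 32-byte tag to IV || C
}

// open checks the tag first and decrypts only if it verifies. This is the
// "save a decryption" property the post asks about: a forged or damaged record
// costs one HMAC and zero AES operations, and nothing that depends on the
// plaintext (padding errors, parse errors) can leak from the decryption step.
func open(encKey, macKey, rec []byte) ([]byte, error) {
	if len(rec) < aes.BlockSize+tagLen {
		return nil, errBadTag
	}
	body, tag := rec[:len(rec)-tagLen], rec[len(rec)-tagLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, errBadTag
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, c := body[:aes.BlockSize], body[aes.BlockSize:]
	m := make([]byte, len(c))
	cipher.NewCTR(block, iv).XORKeyStream(m, c)
	return m, nil
}

// demo runs a round trip and then flips one ciphertext bit. All key material
// and the IV are constructed test values, not real session keys.
func demo() (roundtripOK, tamperRejected bool, err error) {
	encKey := []byte("0123456789abcdef")    // 16 bytes, constructed
	macKey := []byte("constructed-mac-key") // constructed
	iv := []byte("fixed-iv-demo-16")        // constructed; unique per record in real use
	msg := []byte("GET /order HTTP/1.0\r\n")

	rec, err := seal(encKey, macKey, iv, msg)
	if err != nil {
		return false, false, err
	}
	got, err := open(encKey, macKey, rec)
	if err != nil {
		return false, false, err
	}
	roundtripOK = bytes.Equal(got, msg)

	bad := append([]byte{}, rec...)
	bad[aes.BlockSize] ^= 0x01 // first ciphertext byte, one bit flipped
	_, err = open(encKey, macKey, bad)
	return roundtripOK, errors.Is(err, errBadTag), nil
}

func main() {
	ok, rej, err := demo()
	fmt.Println("roundtrip:", ok, "tampered record rejected before decryption:", rej, "err:", err)
}
```

The two keys are deliberately separate: the post's "SessionKey" and "SessionMACKey" correspond to encKey and macKey, and reusing one key for both the cipher and the MAC is the classic way to break an otherwise sound composition.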
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: rsa in other fields
Date: Wed, 18 Aug 1999 12:34:11 -0400
Yes yes, it was a stupid remark of mine....
So what you guys are saying is that the group in which we operate
cannot fit in a Field. Does it fit in a Ring? Is it not at all an abelian
group?
Anton
Safuat Hamdy wrote:
> Anton Stiglic <[EMAIL PROTECTED]> writes:
>
> > As you said, you take an elliptic curve over a finite field (end of
> > line 1 + beginning of line 2 of what you said, just above).
>
> true, but the points on the curve form a group, not a field. That's what Bob
> is trying to tell you. EC crypto-systems operate in this group of points,
> not in the base field; the base field serves just as a vehicle for the
> EC-arithmetic, the subgroups of the base field are unrelated to the group of
> points.
>
> > You have two operations in you finite field. [...]
> > This is what I wanted to say.
>
> but it is completely irrelevant in the light of EC.
>
> --
>
> S. Hamdy | All primes are odd except 2,
> [EMAIL PROTECTED] | which is the oddest of all.
> |
> unsolicited commercial e-mail | D.E. Knuth
> is strictly not welcome |
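What the group-versus-field distinction looks like in code, as an added Go example that is not from this thread: the points of y^2 = x^3 + x + 1 over F_23 (constructed textbook parameters, far too small for any use) are enumerated, the chord-and-tangent addition law is implemented, and the abelian-group axioms are checked exhaustively. The base field appears only inside the slope formulas, as Hamdy says; its multiplicative group has order 22, and the program checks that 22 does not annihilate the curve points while the actual group order does.

```go
package main

import "fmt"

// Curve y^2 = x^3 + a*x + b over F_p, with the tiny textbook parameters
// p = 23, a = 1, b = 1 (chosen for illustration; far too small for real use).
const p, a, b int64 = 23, 1, 1

// Point is an affine point; Inf marks the point at infinity, the identity.
type Point struct {
	X, Y int64
	Inf  bool
}

var O = Point{Inf: true}

func modp(x int64) int64 { return (x%p + p) % p }

// inv is x^-1 mod p (Fermat): the base field is used only as arithmetic here.
func inv(x int64) int64 {
	r, base, e := int64(1), modp(x), p-2
	for ; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = r * base % p
		}
		base = base * base % p
	}
	return r
}

func onCurve(P Point) bool { return P.Inf || modp(P.Y*P.Y) == modp(P.X*P.X*P.X+a*P.X+b) }

// add is the one group operation on points; there is no second operation that
// "multiplies" two points, which is why they form a group, not a ring or field.
func add(P, Q Point) Point {
	if P.Inf {
		return Q
	}
	if Q.Inf {
		return P
	}
	if P.X == Q.X && modp(P.Y+Q.Y) == 0 {
		return O // P + (-P), which also covers doubling a point with Y = 0
	}
	lam := modp((Q.Y - P.Y) * inv(Q.X-P.X)) // chord slope for P != Q
	if P.X == Q.X {                         // tangent slope for doubling
		lam = modp((3*P.X*P.X + a) * inv(2*P.Y))
	}
	x := modp(lam*lam - P.X - Q.X)
	return Point{X: x, Y: modp(lam*(P.X-x) - P.Y)}
}

// mul is scalar multiplication, written as k repeated additions since k is tiny.
func mul(k int64, P Point) Point {
	R := O
	for ; k > 0; k-- {
		R = add(R, P)
	}
	return R
}

// points lists the whole group by brute force, possible only because p is tiny.
func points() []Point {
	pts := []Point{O}
	for x := int64(0); x < p; x++ {
		for y := int64(0); y < p; y++ {
			if P := (Point{X: x, Y: y}); onCurve(P) {
				pts = append(pts, P)
			}
		}
	}
	return pts
}

// groupChecks verifies the abelian-group axioms over every pair and triple,
// that the group order annihilates every point (Lagrange), and that the base
// field's unit-group order p-1 = 22 does not: the two groups are unrelated.
func groupChecks() (order int, closed, abelian, assoc, orderKills, fieldOrderIrrelevant bool) {
	pts := points()
	order = len(pts)
	closed, abelian, assoc, orderKills = true, true, true, true
	for _, P := range pts {
		orderKills = orderKills && mul(int64(order), P) == O
		fieldOrderIrrelevant = fieldOrderIrrelevant || mul(p-1, P) != O
		for _, Q := range pts {
			S := add(P, Q)
			closed = closed && onCurve(S)
			abelian = abelian && S == add(Q, P)
			for _, R := range pts {
				assoc = assoc && add(S, R) == add(P, add(Q, R))
			}
		}
	}
	return
}

func main() {
	fmt.Println(groupChecks()) // order 28, all checks true
}
```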
------------------------------
Date: Wed, 18 Aug 1999 12:42:55 -0400
From: Alwyn Allan <[EMAIL PROTECTED]>
Subject: Re: Q. a hash of a hash ...
Anton Stiglic wrote:
> Say I have a hash algorithm H (I'm in fact using SHA_1),
> is using H(H(x)) as secure as using H(x)? Do the same properties
> for H stand for H of H?
Nice discussion. I have a related question. Consider
H2(x) = H(x) ^ x
where ^ is XOR and H:S->S is a good hash. How does H2 compare to H in
terms of collision resistance, non-invertibility, and randomness?
Is x_(i+1) = H2(x_i) more, similarly, or less prone to cycles?
Thanks, APA, http://www.delanet.com/~apa/orb/
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: How to Authenticate server identity
Date: Wed, 18 Aug 1999 12:52:19 -0500
yoni wrote:
>
> I am trying to think how I can verify that a response came from a certain trusted
> server. I have a basic problem - I need to use keys (public, private)
> but those should be kept on the client disk and therefore can be stolen
> and used for impersonating. Even the Kerberos protocol can fail if the
> key is stolen.
> Is there a different way if I know the server is trusted and cannot be
> accessed by unauthorized users?
> Is there a safe way to save keys on file?
> I'm a beginner in this field so maybe I miss the main point.
You get authentication using "something you have" with "something
you know". So you need the disk and a passphrase. Hash the
passphrase to make a key which will unlock the data on the disk,
and erase the key and data when the link is established. If the
link goes down, you have to start over (sorry, "security is a
pain in the ass" (TM)). If somebody steals the disk, it won't
do them any good since they don't know the pass phrase. Knowing
a pass phrase and not having the disk won't get you in either, so
"shoulder surfing" isn't sufficient.
Patience, persistence, truth,
Dr. mike
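A concrete version of the advice above (something you have plus something you know), as an added Go example rather than anything from the post: the key file is wrapped under a key stretched from the passphrase and a per-file salt, a wrong passphrase is detected by the AEAD tag instead of producing garbage that looks like a key, and the unwrapped key is zeroed once it is no longer needed. The iterated-HMAC stretching function is a constructed stand-in for a real password-hashing KDF (PBKDF2, scrypt or Argon2); the secret, salt and passphrases are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const iters = 50000 // stretching rounds: the cost a guesser pays per passphrase try

var errWrongPassphrase = errors.New("unlock failed: wrong passphrase or corrupted file")

// stretch iterates HMAC-SHA256 over the passphrase and a per-file salt. It is a
// constructed stand-in for a real password-hashing function (PBKDF2, scrypt,
// Argon2) so that the example stays inside the standard library.
func stretch(passphrase, salt []byte) []byte {
	t := salt
	for i := 0; i < iters; i++ {
		m := hmac.New(sha256.New, passphrase)
		m.Write(t)
		t = m.Sum(nil)
	}
	return t
}

// derive splits the stretched secret into independent values by label, so the
// AES key and the GCM nonce are never the same bytes.
func derive(stretched []byte, label string, n int) []byte {
	m := hmac.New(sha256.New, stretched)
	m.Write([]byte(label))
	return m.Sum(nil)[:n]
}

func aead(passphrase, salt []byte) (cipher.AEAD, []byte, error) {
	s := stretch(passphrase, salt)
	block, err := aes.NewCipher(derive(s, "enc", 32))
	if err != nil {
		return nil, nil, err
	}
	g, err := cipher.NewGCM(block)
	return g, derive(s, "nonce", 12), err
}

// lock wraps secret (e.g. a private key) with AES-256-GCM under the
// passphrase-derived key. The nonce is derived rather than random, which is
// sound only because a fresh random salt per file makes that key single-use.
func lock(passphrase, salt, secret []byte) ([]byte, error) {
	g, nonce, err := aead(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonce, secret, salt), nil // salt bound as associated data
}

// unlock returns the secret, or one error for both "wrong passphrase" and
// "file modified": the GCM tag fails either way, so a wrong guess never hands
// the caller plausible-looking garbage to use as a key.
func unlock(passphrase, salt, blob []byte) ([]byte, error) {
	g, nonce, err := aead(passphrase, salt)
	if err != nil {
		return nil, err
	}
	secret, err := g.Open(nil, nonce, blob, salt)
	if err != nil {
		return nil, errWrongPassphrase
	}
	return secret, nil
}

// wipe zeroes key material once the link is up, as the post advises. Go makes
// no guarantee that no other copy exists, so this is best effort.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	secret := []byte("constructed-private-key-material") // stands in for a real key
	salt := []byte("per-file-salt-16")                   // fresh random bytes per file in practice
	blob, _ := lock([]byte("correct horse"), salt, secret)
	got, err := unlock([]byte("correct horse"), salt, blob)
	fmt.Println("right passphrase:", bytes.Equal(got, secret), err)
	_, err = unlock([]byte("wrong guess"), salt, blob)
	fmt.Println("wrong passphrase:", err)
	wipe(got)
}
```

Stealing the file still leaves the thief with an offline guessing attack on the passphrase, which is why the stretching cost and a passphrase that is not in a wordlist both matter.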
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: AES CD?
Date: 18 Aug 1999 17:11:42 GMT
>Roger Carbol <[EMAIL PROTECTED]> writes:
>Will the AES CD also be available online? Are they merely trying
>to distribute the code as widely as possible, or are they also
>trying to make a buck on this?
>
The CD (with source code and implementations) is free to US
and Canadian residents. Others can have NIST submit an
export license for them.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: CRYPTO DESIGN MY VIEW
Date: Wed, 18 Aug 1999 19:58:41 +0200
SCOTT19U.ZIP_GUY wrote:
>
> I don't write well and I think the code speaks for itself. I mean you
> can test it and look at a series of dumps. But basically it sometimes
> does not write out the last bits and the decompression routine knows what
> the dropped bits are. But sometimes it adds extra bits to pad the byte out
> when it is short. But the fact that I limit the 1's to a max of 8 in Huffman
> tables and the all 0's to a min of 8. But I feel the C code is more important
May I repeat:
Let's simplify matters by not considering the case of needing any
padding. Then if the last symbol output consists of 9 bits (this
does not necessarily contradict your above limitations) and I delete
the last byte, then in the 'wrong' file thus obtained the last bit
cannot be decoded, because it needs some more bits following it in
order to be a valid output symbol on the compressed file side and
hence properly decoded to a symbol on the uncompressed file side.
Side note: One can hardly 'test' your program to see whether this
constructed special example works or not, because there is no obvious
way to construct (and verify) an input file to your program such that
the last symbol output by the program has 9 bits and that the last bit
is on byte boundary. So the reasonable way of argumentation is to
say in plain English how your program reacts to this situation of
8 missing bits. (This is also the simplest way in my humble opinion,
since you are the author of the program and consequently know better
than anyone else the workings of your program.)
M. K. Shen
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: crypto survey
Date: Wed, 18 Aug 1999 12:21:23 -0500
Douglas A. Gwyn wrote:
>
> Medical Electronics Lab wrote:
> > ... Unfortunately again, it's pretty easy to prove that
> > dictatorships are more stable and efficient [than] free
> > economies.
>
> No, that myth has long been dispelled.
For short periods of time they are more stable
and efficient. For long times, they fail.
What's interesting (from a distance!) is that
most dictators don't understand the long run.
I've got a mathematical proof, written up in
about '89 and based on a paper from the 1930's.
The assumptions may not always be valid (how
could they be!) but it's scary enough to see
that it's possible to prove local stability
for dictatorships. Since the equations are
non-linear, it's impossible to prove overall
stability.
I agree with Machiavelli though, a free people
are far more prosperous and powerful than
anything else. And those comments are over 500
years old!
Patience, persistence, truth,
Dr. mike
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: How to Authenticate server identity
Date: 18 Aug 1999 11:14:02 -0700
yoni <[EMAIL PROTECTED]> writes:
>
> I am trying to think how I can verify that a response came from a certain trusted
> server. I have a basic problem - I need to use keys (public, private)
> but those should be kept on the client disk and therefore can be stolen
> and used for impersonating. Even the Kerberos protocol can fail if the
> key is stolen.
> Is there a different way if I know the server is trusted and cannot be
> accessed by unauthorized users?
> Is there a safe way to save keys on file?
> I'm a beginner in this field so maybe I miss the main point.
The server should have a private and a public key. The client should
have only the server's *public* key. When the client connects to
the server, the server signs a message (or equivalent) and the client
verifies the signature against the server's public key. If you go
shopping at a secure web site with a web browser, this is approximately
what happens. Try browsing the secure order page at (say) www.amazon.com
with Netscape. Then click on the little "lock" icon in the browser's lower
left corner (it should be in closed position, indicating that the
connection is in secure mode). The browser will show a dialog where
you can click "View Certificate". The certificate is a digitally
signed string that the server sent, that Netscape has verified against
the certificate authority (usually Thawte or Verisign)'s public key.
Note: if an attacker can change the client's copy of the server's
public key then of course s/he can change it to validate the
attacker's own server. So you still need a certain amount of security
in the client.
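The signature check described above, as an added Go example that is not from the post: the server signs a client-chosen nonce under a fixed protocol label with an Ed25519 key (Ed25519 stands in here for the RSA signatures the 1999 browsers used), and the client verifies it against its stored copy of the public key. The last scenario is the closing note made concrete: if an attacker can replace that stored key, verification succeeds for the attacker's server, so the client's copy of the key needs integrity protection of its own. Seeds and nonces are constructed so the run is reproducible.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// tag is a fixed label signed together with the nonce, so a signature made for
// this handshake cannot be replayed as the server's signature on anything else.
const tag = "server-auth-v1/"

// serverRespond runs on the server, the only holder of the private key.
func serverRespond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(tag), nonce...))
}

// clientVerify runs on the client, which stores only the server's public key
// and remembers the nonce it sent for this connection.
func clientVerify(pinned ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(pinned, append([]byte(tag), nonce...), sig)
}

// keyFromSeed makes a key pair from a fixed 32-byte seed so the run is
// reproducible; real deployments use ed25519.GenerateKey(rand.Reader).
func keyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	if len(seed) != ed25519.SeedSize {
		panic("seed must be 32 bytes")
	}
	priv := ed25519.NewKeyFromSeed([]byte(seed))
	return priv.Public().(ed25519.PublicKey), priv
}

// Outcome records which handshakes the client accepted.
type Outcome struct {
	Genuine, Impostor, Replay, PinnedKeySwapped bool
}

// scenarios exercises the cases the thread raises: the real server; an impostor
// signing with its own key; an old signature replayed against a fresh nonce;
// and an attacker who has overwritten the client's stored public key, the one
// case the closing note warns that signature verification cannot catch.
func scenarios() Outcome {
	serverPub, serverPriv := keyFromSeed("constructed-server-seed-32-bytes")
	attPub, attPriv := keyFromSeed("constructed-attacker-seed-32byte")
	nonce1 := []byte("nonce-one-constructed") // random per connection in practice
	nonce2 := []byte("nonce-two-constructed")
	sig1 := serverRespond(serverPriv, nonce1)
	return Outcome{
		Genuine:          clientVerify(serverPub, nonce1, sig1),
		Impostor:         clientVerify(serverPub, nonce1, serverRespond(attPriv, nonce1)),
		Replay:           clientVerify(serverPub, nonce2, sig1),
		PinnedKeySwapped: clientVerify(attPub, nonce1, serverRespond(attPriv, nonce1)),
	}
}

func main() {
	fmt.Printf("%+v\n", scenarios()) // Genuine and PinnedKeySwapped true, the rest false
}
```

The browser case in the post differs only in who vouches for the public key: instead of a copy pinned on the client's disk, the server sends a certificate and the browser checks the CA's signature on it, which moves the "can the attacker swap the key" problem to the browser's store of CA keys.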
------------------------------
From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Q. a hash of a hash ...
Date: Wed, 18 Aug 1999 14:24:14 -0500
Anton Stiglic wrote:
> Thanks Bryan. I don't think I can make the proof any more simple. I proved
> that if I found a collision for H, I have found one for H^2, and if I have found
> one for H^2, I have found one for H.
Yes, but it is still possible that H has fewer collisions than H^2.
The reason being that H maps S->R where R is a set of a fixed size.
The problem exists if H maps R onto a subset of itself, call it M.
This will mean that since H:S->R, H^2:S->M; even assuming optimal conditions,
since M is a strict subset of R, H^2 will have more collisions.
>
>
> I can't explain this proof in a more simple fashion; those who do not
> understand it should just sit down and read it.
>
> [EMAIL PROTECTED] wrote:
>
> > Brian McKeever wrote:
> > > Anton Stiglic wrote:
> > > > It is a simple and nice proof, it proves that H and H^2 are equally
> > > > collision resistant.
> >
> > > You've drawn the wrong conclusion from the proof.
> > > The only valid conclusion one can draw is "H is
> > > collision-free if and only if H^2 is collision-free."
> >
> > I think that's equivalent to the conclusion he did
> > draw. According to Menezes, van Oorshot and Vanstone,
> > /Handbook of Applied Cryptography/,
> >
> > Collision resistance - it is computationally infeasible
> > to find any two distinct inputs x, x' which hash to the
> > same output
> >
> > "Collision resistant" and "collision free" are synonyms.
> > The former is gaining favor, since "free" suggests
> > nonexistence, rather than inability to locate. I think
> > "Collision free" will live on since it looks better in
> > research paper titles of the form "Function x is not
> > collision free".
> >
> > --Bryan
> >
> > Sent via Deja.com http://www.deja.com/
> > Share what you know. Learn what you don't.
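An experiment covering both halves of this thread, Alwyn Allan's question about H2(x) = H(x) ^ x and cycles, and the image-shrinkage argument for H^2 just above, as an added Go example that is not from either post. SHA-1 is truncated to 16 bits so that the whole domain can be enumerated; this is a constructed model and says nothing about full-width SHA-1 beyond the structural points it demonstrates: image(H^2) is the set M sitting inside image(H) and is strictly smaller, so H^2 has more collisions as a mapping even though the quoted proof shows that finding a collision for one is as hard as for the other; and iterating H2 from a starting point behaves like iterating a random mapping, with tail and cycle lengths both on the order of sqrt(n).

```go
package main

import (
	"crypto/sha1"
	"fmt"
)

// h is SHA-1 truncated to 16 bits, so the domain and range S = R = {0..65535}
// can be enumerated. The truncation is a constructed experimental device; the
// structural facts measured below hold for any mapping H: S -> S.
func h(x uint16) uint16 {
	sum := sha1.Sum([]byte{byte(x >> 8), byte(x)})
	return uint16(sum[0])<<8 | uint16(sum[1])
}

func hh(x uint16) uint16 { return h(h(x)) } // H^2 from the proof under discussion
func h2(x uint16) uint16 { return h(x) ^ x } // H2(x) = H(x) XOR x from the question

// image returns the set of values f takes over the whole domain.
func image(f func(uint16) uint16) map[uint16]bool {
	img := make(map[uint16]bool)
	for x := 0; x < 1<<16; x++ {
		img[f(uint16(x))] = true
	}
	return img
}

// subset reports whether every element of a is also in b.
func subset(a, b map[uint16]bool) bool {
	for v := range a {
		if !b[v] {
			return false
		}
	}
	return true
}

// rho runs Floyd's cycle finding on x_{i+1} = f(x_i) from x0 and returns the
// tail length (steps before the cycle is entered) and the cycle length.
func rho(f func(uint16) uint16, x0 uint16) (tail, cycle int) {
	tort, hare := f(x0), f(f(x0))
	for tort != hare {
		tort, hare = f(tort), f(f(hare))
	}
	for tort = x0; tort != hare; tail++ {
		tort, hare = f(tort), f(hare)
	}
	for cycle, hare = 1, f(tort); tort != hare; cycle++ {
		hare = f(hare)
	}
	return tail, cycle
}

// iterate applies f to x n times.
func iterate(f func(uint16) uint16, x uint16, n int) uint16 {
	for i := 0; i < n; i++ {
		x = f(x)
	}
	return x
}

// Stats collects what the thread argues about: |image| of H, H^2 and H2,
// whether image(H^2) sits inside image(H) (the set M of the reply above), and
// the rho shape of the H and H2 iterations started from x0 = 0.
type Stats struct {
	ImgH, ImgHH, ImgH2 int
	HHInsideH          bool
	TailH, CycleH      int
	TailH2, CycleH2    int
}

func measure() Stats {
	imH, imHH, imH2 := image(h), image(hh), image(h2)
	s := Stats{ImgH: len(imH), ImgHH: len(imHH), ImgH2: len(imH2), HHInsideH: subset(imHH, imH)}
	s.TailH, s.CycleH = rho(h, 0)
	s.TailH2, s.CycleH2 = rho(h2, 0)
	return s
}

func main() {
	fmt.Printf("%+v\n", measure())
}
```

For a random mapping on n points about n(1 - 1/e), roughly 63%, of the range is hit, and composing two such mappings hits less again; that is the shrinkage Jim describes, and it is a statement about how many collisions exist, not about how hard they are to find.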
------------------------------
From: fungus <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Wed, 18 Aug 1999 21:44:51 +0200
"Douglas A. Gwyn" wrote:
>
> Don't be ridiculous! The main reason IE is required is that the
> Visual Studio help system is now based on HTML.
You call *that* "HTML"????
> and IE contains the modules needed to support that.
Why would that be then? Why couldn't it be the "Microsoft
documentation viewer"...?
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Wrapped PCBC mode
Date: Wed, 18 Aug 1999 14:31:55 -0500
Tom St Denis wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
> > > 3. Doesn't delay key searches
> >
> > Actually it does slow them substantially-- his method is an example of an
> > all-or-nothing encryption method. As such the whole file must be decoded in
> > any attempt at a guess. On the other hand other such methods of achieving
> > the same result exist and are substantially faster than his particular
> > construction.
> >
>
> Not really. Plug in a 128-bit key and brute force is out of the
> question. Why encrypt the message 80 times if you can use one big'nuff
> key?
>
I merely said it slowed them. I am not saying that such slowing down was
necessary in that case, merely that all-or-nothing encryption is a valid
security enhancing technique, and does provide some security benefit.
Whether in this case it is worth the performance hit, needed, or is just a
case of throwing everything but the kitchen sink into a cipher and producing
something secure, but lumbering, cumbersome, and ugly is another thing
entirely.
As Bruce S. has said before, at 100 to 150 rounds most student ciphers
become very resistant to attack. The art of the thing is getting that attack
resistance with as little effort, space, etc. as possible.
>
> Tom
> --
> PGP 6.5.1 Key
> http://mypage.goplay.com/tomstdenis/key.pgp
> PGP 2.6.2 Key
> http://mypage.goplay.com/tomstdenis/key_rsa.pgp
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
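An all-or-nothing transform of the kind the reply refers to, as an added Go example that is neither Scott's construction nor code from the thread: Rivest's package transform (1997), a standard instance of the "substantially faster" alternatives mentioned. The transform itself is keyless and public; it is applied before ordinary encryption so that an attacker testing a guessed outer key has to decrypt the whole message before any single block can be checked. The message and the one-time package key are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

const bs = aes.BlockSize

// k0 is the fixed, public key of the transform's checksum step: a constructed
// constant that carries no secrecy (the secrecy comes from the outer cipher).
var k0 = bytes.Repeat([]byte{0x5a}, bs)

func encryptBlock(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key used here is exactly 16 bytes
	}
	out := make([]byte, bs)
	c.Encrypt(out, in)
	return out
}

// ctr encodes the block index i as a block-sized counter.
func ctr(i int) []byte {
	b := make([]byte, bs)
	binary.BigEndian.PutUint64(b[8:], uint64(i))
	return b
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// packageTransform is Rivest's package transform (1997): a fresh one-time key kp
// masks every block, and the final block is kp XORed with a checksum over all
// masked blocks. The output is not yet secret; it is then encrypted normally.
// Because kp is needed to read any block and depends on every block, a guess at
// the outer key can only be checked after the whole package has been decrypted.
func packageTransform(msg, kp []byte) [][]byte {
	n := len(msg) / bs // len(msg) must be a multiple of the block size
	out := make([][]byte, n+1)
	acc := append([]byte{}, kp...)
	for i := 0; i < n; i++ {
		out[i] = xor(msg[i*bs:(i+1)*bs], encryptBlock(kp, ctr(i+1)))
		acc = xor(acc, encryptBlock(k0, xor(out[i], ctr(i+1))))
	}
	out[n] = acc
	return out
}

// unpackage inverts the transform; it must see every block to rebuild kp.
func unpackage(blocks [][]byte) []byte {
	n := len(blocks) - 1
	kp := append([]byte{}, blocks[n]...)
	for i := 0; i < n; i++ {
		kp = xor(kp, encryptBlock(k0, xor(blocks[i], ctr(i+1))))
	}
	msg := make([]byte, 0, n*bs)
	for i := 0; i < n; i++ {
		msg = append(msg, xor(blocks[i], encryptBlock(kp, ctr(i+1)))...)
	}
	return msg
}

// demo packages a three-block message, then damages one bit of block 0 (what a
// wrong outer key would do to that block) and counts how many of the untouched
// blocks come back scrambled: with the transform in place, all of them do.
func demo() (roundtrip bool, untouchedScrambled int) {
	msg := []byte("block-one-16byteblock-two-16byteblock-thr-16byte") // 48 bytes, constructed
	kp := []byte("one-time-pkg-key")                                   // 16 bytes; random per message in practice
	pkg := packageTransform(msg, kp)
	roundtrip = bytes.Equal(unpackage(pkg), msg)
	pkg[0][0] ^= 0x01
	back := unpackage(pkg)
	for i := 1; i < 3; i++ {
		if !bytes.Equal(back[i*bs:(i+1)*bs], msg[i*bs:(i+1)*bs]) {
			untouchedScrambled++
		}
	}
	return roundtrip, untouchedScrambled
}

func main() {
	fmt.Println(demo()) // true 2
}
```

The cost is one extra block-cipher pass over the message plus one extra block, which is the trade Jim describes: a real but bounded slowdown for the key-search attacker, bought with a comparable slowdown for the legitimate user.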
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: I HOPE AM WRONG
Date: Wed, 18 Aug 1999 19:38:46 GMT
> If you look in the Deja news archvie you can see my prediction
> of what and why the bombing of the Chinese Embassy occured.
> Fact the CIA knew where the Chinese Emabssy was.
> Fact the Chinese Military give boo koo bucks to the Democratic
> party. China has got a lot for the money.
> Even know as we speak Clinton can not give a firm anwser
> to what the US would do if the main land Chinese invade Twain.
> I'm I the only one who thinks that we are giving the green light
> for the invasion. And was that the Bombing in Yougoslovia was just
> a clever way so that we could back down.
> Yes I hope I am wrong but I think most people greatly under
> estimate the dishonesty of our current president. But then again
> maybe I'm wrong. But think about it why is Clinton not giving
> clear warning to the Chinese. May some NSA type who knows
> what is going on can inlighten us.
Let me try to help you here...
> If you look in the Deja news archvie you can see my prediction
> of what and why the bombing of the Chinese Embassy occured.
> FACT: the CIA knew where the Chinese Emabssy was.
> FACT: the Chinese Military GAVE boo koo bucks to the Democratic
> party. China has RECEIVED a lot for THAT money.
> Even NOW as we speak, Clinton can not give a firm anwser
> AS TO WHAT the US would do if MAIN land Chinese INVADED TAIWAN.
> I'M the only one who thinks that we are giving the green light
> for the invasion. And THAT the BOMBING in Yougoslovia was just
> a clever way TO ALLOW US TO back down.
> YES, I hope I am WRONG; but I think most people greatly under
> estimate the dishonesty of our current president. But then again
> maybe I'm wrong. But think about THIS: why is Clinton not giving
> A CLEAR warning to the CHINESE? MAYBE some NSA type who knows
> what is going on can ENLIGHTEN us.
You really need to take an English course.
--
The US is not a democracy - US Constitution Article IV Section 4.
Democracy is the male majority legalizing rape.
UN Security Council is a Democracy. NO APPEALS! Welcome to the NWO.
Criminals=Crime. Armies=Tyranny. The 2nd amendment is about tyranny.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: My web site is up!
Date: Wed, 18 Aug 1999 19:28:22 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> Greg <[EMAIL PROTECTED]> wrote, in part:
>
> >>... but don't mind that particular critic, as if what you
> >> were offering was...flawed...that would only mean he had
> >> competition.
>
> >If he has a product of his own, does he offer the binaries or the
> >source code for free?
>
> Yes, he does.
Does the government consider his crypto program weak? Or is he
violating the EAR?
--
The US is not a democracy - US Constitution Article IV Section 4.
Democracy is the male majority legalizing rape.
UN Security Council is a Democracy. NO APPEALS! Welcome to the NWO.
Criminals=Crime. Armies=Tyranny. The 2nd amendment is about tyranny.
------------------------------
From: "Dan Kaminsky" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Decrypted International Crypto inside the US
Date: Wed, 18 Aug 1999 13:16:17 -0700
I've been informed by a coworker that it's actually illegal to receive and
decrypt >56bit encoded data from international sources within the US, even
if the encryption software derives from outside the country (say, a clean
room Australian implementation of Blowfish).
Anybody know anything about this?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
------------------------------
From: [EMAIL PROTECTED] (Matthias Bruestle)
Subject: Re: Smart card generating RSA keys
Date: Wed, 18 Aug 1999 18:02:41 GMT
Mahlzeit
Peter Gutmann ([EMAIL PROTECTED]) wrote:
> [EMAIL PROTECTED] (Matthias Bruestle) writes:
> >I wonder why they don't let one supply true random numbers with the key
> >generation command and mix these with the internal bad random numbers.
> That's a method which is favoured by the NSA, you load a trusted seed value
> into a device and generate keys from that. Assuming the seed value is from
> a known good/trusted source (which, for users of NSA crypto, it would be),
> and you can keep the value secure, it's a reasonably safe way to generate keys
> since they're coming from a PRNG with known properties, as opposed to a
> typically difficult-to-analyse and subject-to-external-influences source such
> as the various techniques used by smart cards.
But why don't they do this? It can't really be so hard to change
the command (in this case from the cryptoflex) from F0 14 00 00 00
to F0 14 00 00 80 XX XX XX ... or maybe even only 16 random bytes
if they are short on memory.
Mahlzeit
endergone Zwiebeltuete
--
PGP: SIG:C379A331 ENC:F47FA83D I LOVE MY PDP-11/34A, M70 and MicroVAXII!
--
Their hand is at your throat but you see them not.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************