Cryptography-Digest Digest #77, Volume #10       Thu, 19 Aug 99 16:13:02 EDT

Contents:
  Re: I HOPE AM WRONG ([EMAIL PROTECTED])
  Re: rsa in other fields (Paul Crowley)
  Re: Is RC5 still safe (enough)? ([EMAIL PROTECTED])
  Re: DoD & ITU under attack ? (Medical Electronics Lab)
  Re: I need strongest weak elliptic curve... (Doug Stell)
  Re: Is RC5 still safe (enough)? (Tom St Denis)
  Re: Where to find (Tom St Denis)
  Re: PRNG Stream cipher questions (Tom St Denis)
  Re: LFSRs in a5 (John Savard)
  Re: Is RC5 still safe (enough)? (John Savard)
  Re: I need strongest weak elliptic curve... (Greg)
  Re: Cracking the Scott cryptosystems? (Greg)
  Re: Decrypted International Crypto inside the US (Jim Dunnett)
  Re: Decrypted International Crypto inside the US (Jim Dunnett)
  Re: Where to find ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: I HOPE AM WRONG
Date: Thu, 19 Aug 1999 17:21:22 GMT

In article <7pf244$enr$[EMAIL PROTECTED]>,
  Greg <[EMAIL PROTECTED]> wrote:

>
> Let me try to help you here...
>
> >  If you look in the Deja news archvie you can see my prediction
> > of what and why the bombing of the Chinese Embassy occured.
> > FACT:  the CIA knew where the Chinese Emabssy was.
> > FACT:  the Chinese Military GAVE boo koo bucks to the Democratic
> > party. China has RECEIVED a lot for THAT money.
> >  Even NOW as we speak, Clinton can not give a firm anwser
> > AS TO WHAT the US would do if MAIN land Chinese INVADED TAIWAN.
> > I'M the only one who thinks that we are giving the green light
> > for the invasion. And THAT the BOMBING in Yougoslovia was just
> > a clever way TO ALLOW US TO back down.
> >  YES, I hope I am WRONG; but I think most people greatly under
> > estimate the dishonesty of our current president. But then again
> > maybe I'm wrong. But think about THIS: why is Clinton not giving
> > A CLEAR warning to the CHINESE?  MAYBE some NSA type who knows
> > what is going on can ENLIGHTEN us.
>
> You really need to take an English course.


Well, if you're going to criticize another author's English, I would
recommend that you write corrections that are grammatically correct:

> > FACT:  the Chinese Military GAVE boo koo bucks to the Democratic

I don't believe that "boo koo" is correct.  I'm going to hazard a guess
that you both intend to use the French word "beaucoup", meaning "many"
or "a lot".

> >  Even NOW as we speak, Clinton can not give a firm anwser
> > AS TO WHAT the US would do if MAIN land Chinese INVADED TAIWAN.

at least five mistakes here:
1) anwser [sic] should be "answer"
2) "Even now as we speak" is redundant.  Use any of:
  a) "Even now, Clinton ..."
  b) "Even as we speak, Clinton ..." [not as good, because we are
      writing, not speaking]
  c) [If you insist on being redundant for emphasis, you must set off
      the non-restrictive clause with commas] :
      "Even now, as we write, Clinton ..."

3) "AS TO what" is awkward; try "... a firm answer regarding what the US
would do..."

4) In conjunction with "China", "Mainland" is one word, part of a proper
   noun, and must be capitalized:
   "Mainland China" or "Mainland Chinese"

5) The verb forms in this sentence do not agree.  You must use the
   subjunctive with the conditional:

   Even as we speak, Clinton can not give a firm answer regarding
   what the US WOULD do if the Mainland Chinese WERE TO INVADE Taiwan.


> >  YES, I hope I am WRONG; but I think most people greatly under
> > estimate the dishonesty of our current president.

"under-estimate" is one hyphenated word


> You really need to take an English course.

You really need to focus on the causes of your irritation.  If you
dislike another sci.crypt correspondent, or disagree with his/her ideas,
address your criticism to the specific issues where your opinions
differ.

For example:
"Your delusional, paranoid-schizophrenic, anti-government rants have
 no place on sci.crypt; try alt.survival, or alt.politics.<anything>."

Don't take cheap shots at his/her English.

- Jesse


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: rsa in other fields
Date: 19 Aug 1999 18:49:20 +0100

Anton Stiglic <[EMAIL PROTECTED]> writes:
> Do you know what an oblivious transfer is?  Do you know which MPC is
> the most efficient, and what a generalized adversary structure looks like?
> Do you know what a monotone span program is?  Can you explain to me
> if OT is possible in a quantum world?  If you are indeed knowledgeable in
> crypto, you should be able to answer those questions.

If you were as knowledgeable as you claim, you wouldn't have to ask;
you would already have heard of Bob Silverman.

I haven't heard of most of the things you name, but the fact that
you're starting to come across as borderline kook/troll at this point
leads me to wonder how many of these terms have never seen the pages
of Eurocrypt...
-- 
  __
\/ o\ [EMAIL PROTECTED]     Got a Linux strategy? \ /
/\__/ Paul Crowley  http://www.hedonism.demon.co.uk/paul/ /~\

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Is RC5 still safe (enough)?
Date: Thu, 19 Aug 1999 17:30:40 GMT

Thanks, Tom, for your information.
I'd REALLY like some comments from other people as well, though.
One point of view is not enough.
So please, guys!
Thanks,
Michael.


In article <7pfchg$mlv$[EMAIL PROTECTED]>,
  Tom St Denis <[EMAIL PROTECTED]> wrote:
> <snip>
>
> BTW the mod3 attack only works against RC5P cause rotation and xor do
> not work well together (non isomorphic).  They also have bad
> approximations.
>
> ALWAYS use RC5 with ((A xor B) <<< B) + r[2i], etc...
>
> I can send you the files
>
> rc5rev.ps                        The original RC5 paper
> rc6.ps                           The RC6 paper
> cryptanalysis of rc5.ps          The Diff attack
> correlations in rc6.ps           The attack on RC6
>
> if you want, just email me.
>
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
>



------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: DoD & ITU under attack ?
Date: Thu, 19 Aug 1999 12:53:04 -0500

Padgett 0sirius wrote:
> 
> The DoD in its PKI roadmap makes extensive use of the X.509 standard.
> Section 6 of the roadmap particularly stresses the need for protection of
> private keys. Section 11 of the ITU X.509 standard states that key
> generation must be done on an off-line machine.
> 
> Recently pressure is being put on the ITU to relax this requirement and
> permit on-line servers which hold user's private keys. I suspect this
> pressure is from vendors whose products require online KMS machines.
> 
> Given the current state of COTS servers, I feel this would be a
> serious mistake and that key generation should always be done either offline
> or by a machine on an MLS protected subnet behind an evaluated guard.
> 
> Personally prefer a completely offline machine with an online "shadow"
> server that appears to be the CA but in actuality merely receives
> requests and distributes certs with no generation capability. Several
> current CAs products such as Netscape's (plug) permit this. Am willing to
> consider MLS or two-machine-with-sandbox approach.
> 
> Comment ?

Why use systems which require holding user's private keys?  Change
the requirements so that no private keys are held anywhere, let the
user regenerate it each time.  You _could_ escrow the keys with a
CA key, but that too should be off line. 

Anything that holds user's private keys and is accessible to the
net will be attacked.  It will be attacked by the most sophisticated
and capable opponents imaginable, and they will hone their skills
to a fine edge too!

Given the techniques available today, I don't see why key generation
has to be done in a central place.  Each user should be able to
generate their own keys independently - offline and local preferred.
The CA can certify a key by going out of band (which they should do
anyway, even if it's centrally created).

I'd vote to make things harder, not easier.  I bet nobody listens too.
:-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: I need strongest weak elliptic curve...
Date: Thu, 19 Aug 1999 18:24:58 GMT

On Thu, 19 Aug 1999 12:27:02 -0500, Medical Electronics Lab
<[EMAIL PROTECTED]> wrote:

>David A Molnar wrote:
>> I think you need a license technically no matter what kind of encryption
>> you use.

Sort of correct. If you plan on an exportable/weak product, you need a
Commodity Jurisdiction (CJ), which determines whether it can be
exported under a general Dept. of Commerce license or an Individual
Validated License (IVL) from the Dept. of State. For strong crypto,
you can forget about the CJ and do IVLs for each exportation.

The CJ process involves working  with an NSA representative (business
type) and a behind the scenes NSA technical type to make a full
disclosure about the product and how you have followed the rules. You
may not have direct knowledge of or access to the technical type. If
you are granted such access, as I was, the rules of engagement are
restrictive, e.g., "ask no questions, don't count on any answers and
everything is unofficial." Also, it is important to have them involved
early on and throughout your development, since they hate surprises
and don't just want to see your application when the product is done.
It's a semi-interactive process, not an application.

Often the CJ determination is expedited on the basis of
pre-established rules for certain things, such as DES, RSA and D-H. I
don't know if such rules have been established for elliptic curves, as
I have been out of that role for a while. The rule for RSA or D-H key
exchange is 512 bits max. For symmetric encryption, they are now
allowing 56 bits.

>But what about Wassner?  That says any free code has no restrictions.

I was told last week that the U.S. has not yet aligned its rules with
the Wassenaar agreement. It's still ITAR, CJs, IVLs as usual for
crypto products.

>If he's giving it away, then an export license isn't needed.  Only
>code sold for money needs a license.

>As long as the code is free (like a demo) you can use any strength
>you want.  If it's shareware, and you send a floppy outside the US,
>you'll need an export license.  Even if you send some kind of auth
>code which turns on the full version of the demo you'd need a
>license to send the auth code.

Not true. Technically, you need a license for any export. However, the
NSA has stated privately that they believe that nobody would trust
anything free and that's why they don't pursue such cases. "Free" =
"junk" or "perceived to be  junk" they claim. In actuality, your
pockets aren't deep enough to make it worth while and they have too
much egg on their face from the Phil Zimmermann fiasco.

BTW, "export" includes access to anything by someone in the US who is
not either a citizen or green card holder.

doug


------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Is RC5 still safe (enough)?
Date: Thu, 19 Aug 1999 18:23:48 GMT

In article <7phevd$6nn$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Thanks, Tom, for your information.
> I'd REALLY like some comments from other people as well, though.
> One point of view is not enough.
> So please, guys!
> Thanks,
> Michael.

Not to be a bigshot... but the info I gave you is the latest and
greatest about RC5.  It's still strong.

You should really be more concerned with how it's used though, others
will have better comments on that area than I.

Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Where to find
Date: Thu, 19 Aug 1999 18:22:07 GMT

In article <7phcae$32sc$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>   While I would suggest you go to my site, you're sure to get much
> advice as to why you should not.

DS is right for once.

1.  He has not really tried to break his own system.  He barely even
knows any of the details (like what a safe number of rounds is or what
word size, or the key space)

2.  His description is foolishly childish.  He lacks any real examples,
or even a key schedule.

3.  His method is slow, and requires a lot of ram.

If I were you I would pick up PGP and read all the faqs on it.
Learning to use PGP is a really good idea.

If you are into block ciphers or ciphers... look up

RC5, CAST, Blowfish, RC6, Twofish, MARS, E2, Serpent, SAFER, SAFER+,
Rijndael, CAST-256 .... etc...

There are a lot of good ciphers and programs out there.  His is just not
one of them.

Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: PRNG Stream cipher questions
Date: Thu, 19 Aug 1999 18:25:41 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Have there been any ciphers which rearrange the order of the data?  I
> know theoretically this is improbable in a stream cipher as you wouldn't
> necessarily know the length of a stream, but in practise you usually do
> know the size of the data to be encrypted and even if you don't it is
> trivial to buffer the information and obtain a size.  It could be quite
> a slow method of encryption, but I have a feeling it'd be very effective
> too.  With a pseudo random change of the byte order in the file, only
> the right seed value would allow a simple(?!) reversal of the process.
> Obviously this would be complemented by a more standard PRNG stream
> cipher on the actual data before (or after, or both?) the order
> dispersion.  I'll write a C++ implementation of this hopefully within
> the week if I have time to see if it's any good.  Any thoughts, am I
> barking up the wrong tree, has this been tried and failed many times
> before?  Also, it would obviously be more efficient, but also more
> complex to implement the order dispersion on bit boundaries rather than
> byte.  With simple shifting and masking it probably wouldn't be too slow
> or difficult, but would it have a worthwhile effect on the resultant
> encryption strength?  I'm not sure if there has been any research into
> this area as I am admittedly not particularly well read in cryptology.
> My thoughts are that surely by expanding the range of possible changes,
> you increase the volume of possible paths back to the plaintext and thus
> make a considerable amount more work necessary to break the encryption.
> If anyone has any knowledge in this area, or spots any flaws, please
> tell me before I waste time trying it.  Thanks,


Technically if you rearrange the order of the plaintext then add a PRNG
to it (mixing) that is a variant of Algorithm M.  Why not just go the
other way around and mix up the order of the PRNG (I have code to demo
this if you want)?

Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp


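The "Algorithm M" Tom names above is Knuth's combiner (TAOCP vol. 2, 3.2.2, also described in Applied Cryptography): one generator fills a table and a second generator chooses which entry leaves next, so the first generator's output is emitted in a shuffled order. The code below is an added example written for this digest, not Tom's demo code; the two LCGs, their constants and the seeds are constructed for illustration only.

```python
# Added example, not code from the original post: Knuth's Algorithm M, the
# construction Tom refers to. Generator X fills a table V of k slots; generator
# Y chooses which slot is emitted next, so the X stream leaves in a shuffled
# order. The LCGs below are constructed for illustration; Algorithm M is a
# statistical combiner, not a cryptographic keystream generator.


def lcg(seed, a, c, m):
    """Linear congruential generator yielding successive values in [0, m)."""
    x = seed % m
    while True:
        x = (a * x + c) % m
        yield x


def counting(start=0):
    """Deterministic stand-in for X: yields start, start+1, ... forever."""
    while True:
        yield start
        start += 1


def constant(value):
    """Deterministic stand-in for Y: yields the same value forever."""
    while True:
        yield value


def algorithm_m(x_gen, y_gen, k, m_y, count):
    """Emit `count` values of Algorithm M. m_y is the modulus of y_gen and is
    used to scale each Y output down to a table index in 0..k-1."""
    V = [next(x_gen) for _ in range(k)]      # fill the table from X
    out = []
    for _ in range(count):
        j = (k * next(y_gen)) // m_y         # Y picks a slot
        out.append(V[j])                     # emit that slot
        V[j] = next(x_gen)                   # refill it from X
    return out


M_X = 2 ** 31
M_Y = 2 ** 64


def x_stream(seed):
    """Constructed 31-bit LCG playing the role of X."""
    return lcg(seed, 1103515245, 12345, M_X)


def y_stream(seed):
    """Constructed 64-bit LCG playing the role of Y (constants are illustrative)."""
    return lcg(seed ^ 0x5DEECE66D, 6364136223846793005, 1442695040888963407, M_Y)


def shuffled_stream(seed, count, k=64):
    """The X LCG's output re-ordered under the Y LCG, the direction Tom suggests."""
    return algorithm_m(x_stream(seed), y_stream(seed), k, M_Y, count)


def is_reordering_of_x(seed, count, k=64):
    """Every emitted value came from X: the output is a sub-multiset of the
    first count + k values of the X stream (the rest are still in the table)."""
    xs = x_stream(seed)
    pool = [next(xs) for _ in range(count + k)]
    for v in shuffled_stream(seed, count, k):
        if v not in pool:
            return False
        pool.remove(v)
    return True
```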

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: LFSRs in a5
Date: Thu, 19 Aug 1999 18:37:17 GMT

[EMAIL PROTECTED] (Ian Goldberg) wrote, in part:

>We'll be publishing the (real) A5/1 and A5/2 source (with test vectors),
>as well as the A5/2 break, as soon as we add some comments and can find
>an export-restricted site on which to host it.

I've updated my web page as a result of this post. Since the part of
the page in question was a list of "well-known" shift registers that
ought to be avoided in new designs (if that's a concern, otherwise the
AUTODIN-II shift register arrangement is an excellent one, having so
many taps), I left the old ones from Applied Cryptography and other
sources on the site as well, since even if they aren't the actual A5
shift register tap sequences, they're still "well known".

Is it only the program source code - or are other restrictions on
"technical data" applicable - that leads you to seek an
export-restricted site? If the problem is only with the source code,
I'd encourage you to publish the rest without the source code whenever
possible.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Is RC5 still safe (enough)?
Date: Thu, 19 Aug 1999 19:15:04 GMT

[EMAIL PROTECTED] wrote, in part:

>Thanks, Tom, for your information.
>I'd REALLY like some comments from other people as well, though.

As far as I know, though, what Tom St.Denis has said is correct, and I
could not even have said as much.

RC5 and RC6 are still patent protected, though, although RC6 would
become available royalty-free if it was chosen as the AES.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: I need strongest weak elliptic curve...
Date: Thu, 19 Aug 1999 19:27:52 GMT

In article <7pfjkf$tik$[EMAIL PROTECTED]>,
  David A Molnar <[EMAIL PROTECTED]> wrote:
> Greg <[EMAIL PROTECTED]> wrote:
> > Does anyone know what is the largest Koblitz elliptic curve (using
> > polynomial basis) that can be freely exported without an export
> > license?  If so, can you post the curve parameters?  I need to make a
> > free downloadable demo of my software, and I would like the strongest
> > possible curve that is still weak enough that it would not require an
> > export license.
>
> I think you need a license technically no matter what kind of encryption
> you use. It's just that this need is overlooked for "trivial" stuff. You
> may be thinking of the fact that getting an export license is supposed to
> be "easy" for certain bit-lengths of symmetric and asymmetric ciphers. (I
> haven't tried it myself). Some info can probably be found at
> http://bxa.doc.gov .

Actually, I posted this while I was waiting for NSA's response to the
same question.  They say that 163 bit and less is exportable without a
license but requires a one time review none the less.  Also, they
qualified it with the phrase "key management".  My software uses ECC in
more than just a key management role, so I have asked them for
clarification.  I posted here because I had no idea when they would get
back to me.  Thanks.


--
The US is not a democracy - US Constitution Article IV Section 4.
Democracy is the male majority legalizing rape.
UN Security Council is a Democracy.  NO APPEALS!  Welcome to the NWO.
Criminals=Crime.  Armies=Tyranny.  The 2nd amendment is about tyranny.



------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Cracking the Scott cryptosystems?
Date: Thu, 19 Aug 1999 19:40:57 GMT

In article <7p5dv0$163c$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> In article <7p50pe$dv8$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> >Greetings.
> >
> >I am a relative beginner in Cryptanalysis,
> >with a background in Computer
> >Science and Math. Recently, a co-worker
> >pointed me to cryptosystem...
> > ...[a lot of snipping]...
> >... Is this correct?

>     You're much smarter than most people who post to this site.

But of course- he took time to look at YOUR stuff, so he is now
considered more intelligent than most of us.  If he claimed to have
developed a cryptosystem that was accepted as extremely strong by
industry experts, you would call his work crap, call him a bullshitter,
and tell him his web site sucks (because he might not be an experienced
web page designer).

Ah, now I see- we just have to stroke you to get you to be civil.  And
it was right under my nose all along.  Go figure...


> Just about everyone here thinks it is foolish to use a long keyed
> crypto system.

I wonder why?




------------------------------

From: [EMAIL PROTECTED] (Jim Dunnett)
Subject: Re: Decrypted International Crypto inside the US
Reply-To: Jim Dunnett
Date: Thu, 19 Aug 1999 18:26:15 GMT

On Thu, 19 Aug 1999 01:12:31 GMT, [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
wrote:

> Joe there are laws about sending encrypted messages out  over the
>ham radio airways. Because I remember the Ham teacher saying it 
>was illegal since the government wants to know about all messages
>sent over the airwaves. I asked about morse code and he said that
>was not considered encryption. So you might be able to receive
>such message but the US does have limits on how you send
>encrypted messages in some cases like the Ham example.

The Amateur Service both here in Europe and the USA is 
designed for self-training in radiocommunications and
radio experimentation. Why would Amateurs require
any sort of crypto?

(G4RGA)

-- 
Regards, Jim.                  | One of the most sickening sights since
amadeus%netcomuk.co.uk         | the election was Blair & Co living it
dynastic%cwcom.net             | up at a No 10 party for the filthy rich
                               | on the day they cut benefits for single
PGP Key: pgpkeys.mit.edu:11371 | mothers.  -   Charles Kennedy.

------------------------------

From: [EMAIL PROTECTED] (Jim Dunnett)
Crossposted-To: talk.politics.crypto
Subject: Re: Decrypted International Crypto inside the US
Reply-To: Jim Dunnett
Date: Thu, 19 Aug 1999 18:26:14 GMT

On Wed, 18 Aug 1999 21:27:33 GMT, [EMAIL PROTECTED] (Doug Stell) wrote:

>I have heard in personal discussions with the powers in control words
>to the effect that if strong crypto is used off shore, it is presumed
>that someone, possibly the recipient, had previously violated the
>export regulations. How else would they obtain it? I believe that the
>same would be true for sending a strongly encrypted message to a
>foreign party. There seemed to be little or no recognition that a
>foreign party could develop a compatible implementation without U.S.
>involvement (their words).

Just like the US software industry cannot comprehend people
not having 'Zip Codes', not using illogical date formats and
not using archaic measurements!   :o(

-- 
Regards, Jim.                  | One of the most sickening sights since
amadeus%netcomuk.co.uk         | the election was Blair & Co living it
dynastic%cwcom.net             | up at a No 10 party for the filthy rich
                               | on the day they cut benefits for single
PGP Key: pgpkeys.mit.edu:11371 | mothers.  -   Charles Kennedy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Where to find
Date: Thu, 19 Aug 1999 18:55:19 GMT

Hi Thomas,
I'm trying to learn about cryptography myself these days, so I can at
least tell you what I am doing.
First, I'd recommend to read the various FAQs on the subject. There is
one in this newsgroup that is really good (you can search for it in
www.deja.com, for instance), and RSA (www.rsa.com) has a big one in PDF
format. That will give you a basic idea.
Then you might want to get a book. Standard book on this topic is Bruce
Schneier's "Applied Cryptography", that you can buy or order in any
book store or online, i.e. at Amazon.com.
All of this plus a lot of work might get you to learn how to use
cryptography and to get a basic understanding of how it works. If you
want to become a cryptanalyst who can find new ways of breaking
algorithms, you'll almost certainly need a math or physics degree, as I
was told.
Programs for encryption and decryption are mentioned in the FAQs, too.
So, good luck.
Michael Heumann.

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Preditor31) wrote:
> Where can I find an encryption and a decryption program?  Also how would I go
> about learning how to break encryption?
>
>  Thomas
>



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
