Cryptography-Digest Digest #118, Volume #10 Fri, 27 Aug 99 06:13:03 EDT
Contents:
Re: cryptographic DLL (fungus)
Re: How does RC4 work ? (Jerry Coffin)
Re: Where to find ("Richard A. DeCamp")
Re: Can americans export crypto when in another country? (Anthony Stephen Szopa)
Re: Can americans export crypto when in another country? (Anthony Stephen Szopa)
Re: NEW THREAD on compression (Mok-Kong Shen)
Re: NEW THREAD on compression (Mok-Kong Shen)
SHA-1 OID (Staffan Jonsson)
Sarah Flannery @ Intel Science Fair (David A Molnar)
Re: Where to find (Forrest Johnson)
Re: 2 person data exchange - best method? ("Shaun Wilde")
Re: Where to find (SCOTT19U.ZIP_GUY)
Re: One-time pad encryption. ("Trevor Jackson, III")
Re: Fermat theorem on primes? (Bob Silverman)
Re: Wrapped PCBC mode (Coms 1003)
Re: ANSI standards? (Solinas)
Re: Searching for Source of PGPPhone or Document how it works (Paul Rubin)
Re: Can we have randomness in the physical world of "Cause and Effect" ? (matt)
Freeware windows public key encryption DLLs? (matt)
----------------------------------------------------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: cryptographic DLL
Date: Fri, 27 Aug 1999 07:29:49 +0200
Doug Stell wrote:
>
> On Thu, 26 Aug 1999 10:48:03 +0200, fungus
> <[EMAIL PROTECTED]> wrote:
>
> >I live in Spain but my web page is hosted in the USA somewhere
> >(Florida I think). If somebody downloads crypto from my website
> >then who's guilty of the federal offence?
>
> Actually, you are, partially.
>
How can a Spanish citizen be guilty of breaking an American law
if they've never set foot in the USA?
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: How does RC4 work ?
Date: Thu, 26 Aug 1999 22:45:45 -0600
In article <7q50m3$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
> Are all who told how RC4 allegedly worked or gave
> code "criminals"?
Those who gave code might be. An explanation of how encryption (even
extremely strong encryption) works is still protected as free speech.
This was the primary point in the recent ruling that said code could
be distributed -- code being used to communicate an algorithm to
another person is supposed to be protected as free speech. Code
intended to make a computer take an action is not.
Explanations that can't be (directly) translated into actions by a
computer clearly fall under free speech rather than the proscribed
export of controlled items.
------------------------------
From: "Richard A. DeCamp" <[EMAIL PROTECTED]>
Subject: Re: Where to find
Date: Thu, 26 Aug 1999 20:02:43 -0700
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote in message
news:7q4p8r$lji$[EMAIL PROTECTED]...
> My spelling is not the greatest but it was for a "derotation plate". I doubt
> if I have the paperwork; I don't save anything. I have never even seen my
> program scott19u in print. Only on the CRT screen.
Thank you kind sir. According to the IBM patent server, US Patent 4,258,976
(issued 3/31/81) shows David A. Scott of Ridgecrest, CA as co-inventor. The
applicant is the US of A as represented by Secretary of the Navy. You can
look it up: www.patents.ibm.com.
Rich
--
Richard A. DeCamp
AOL IM RichFader
ICQ Rich Fader 28605837
Yahoo radecamp
PGP 0x4D7896CB (DH)/0x9A8CF0CD (RSA)
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: Can americans export crypto when in another country?
Date: Thu, 26 Aug 1999 22:27:58 -0700
Reply-To: [EMAIL PROTECTED]
John Savard wrote:
> [EMAIL PROTECTED] (Michael D. Crawford) wrote, in part:
>
> >can I export the crypto
> >back to Switzerland without violating US laws?
>
> No, the U.S. law covers the actions of its citizens abroad.
>
> John Savard ( teneerf<- )
> http://www.ecn.ab.ca/~jsavard/crypto.htm
All right: Cite the Law / reg that says US citizens cannot create
crypto software independently on their own outside the US and its
territories and protectorates, etc.!
And while you are at it: if such crypto is created outside the US in
say a country that has no regs against export of encryption, that a US
citizen would be breaking a US law / reg if they exported it out of said
country.
We are all ears.
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.misc,talk.politics.crypto
Subject: Re: Can americans export crypto when in another country?
Date: Thu, 26 Aug 1999 22:14:13 -0700
Reply-To: [EMAIL PROTECTED]
"Trevor Jackson, III" wrote:
> I believe that US citizens suffer from the US crypto regs in the same way
> they suffer from the US tax regs. Contrary to most national tax systems,
> the IRS tries to collect tax from all US citizens no matter where they
> reside. Similarly, the US crypto regs prohibit US citizens from
> contributing to unlicensed non-US crypto systems no matter where they
> perform the work.
>
> Michael D. Crawford wrote:
>
> > Hi,
> >
> > I'm an American citizen, presently living in the US, and I've been
> > wanting for a while to port Speak Freely to the Be operating system.
> > See http://www.speakfreely.org and http://www.be.com
> >
> > Speak Freely includes encryption, so if I port that while I'm in the US
> > I can't contribute my changes back to the original source archives,
> > which are in Switzerland.
> >
> > But I may be moving to Canada in a few months (I'm marrying a Canadian
> > woman). Once I'm in Canada, as long as I create my port of the crypto
> > software while I'm in Canada (so I never bring the crypto Speak Freely
> > into the US, and don't take it back out again), can I export the crypto
> > back to Switzerland without violating US laws?
> >
> > I expect to travel to the US frequently on business and it would be a
> > drag to get arrested for some free software work I do while in Canada.
> >
> > Canada itself has some export controls, but according to the Crypto Law
> > Survey at:
> >
> > http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
> >
> > crypto is not export controlled if the software is in the public domain,
> > which is the case for the original speak freely and will be true for my
> > changes.
> >
> > Mike
> >
> > --
> > Michael D. Crawford
> > GoingWare - Expert Software Development and Consulting
> > http://www.goingware.com
> > [EMAIL PROTECTED]
> >
> > Tilting at Windmills for a Better Tomorrow.
I don't think this is correct. I only glanced through the crypto regs
but I did not notice any mention about US citizens coming under any of
these regs when working on crypto alone by themselves outside the US.
Look at it this way: are you saying then that US citizens can work on
and develop crypto on their own inside the US but cannot work on and
develop crypto on their own outside the US?
The export regs are just that: EXPORT regs. If you create crypto
outside the US you did not export it because it did not exist before
you created it outside the US.
There are plenty of Americans working for foreign companies outside the
US on dual use matters. Just as there are plenty of foreigners working
in the US on dual use matters. Much of this work is entrepreneurial.
You are suggesting there is a legitimate law that says I cannot think
or write or record my thoughts as an American citizen outside the US
while it is perfectly legal to do so within the US, or develop these
into working prototypes or more?
The thought of giving up one's US citizenship because of these sorts of
imagined unconstitutional regs is like giving up nothing because these
types of regs clearly deny your constitutional rights: you would not
effectively have US citizenship under the constitution anyway.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: NEW THREAD on compression
Date: Fri, 27 Aug 1999 09:36:37 +0200
John Savard wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote, in part:
>
> >(3) After (2) is done, any number of trailing bytes that contain
> > all 0's may be deleted or added according to user's
> > choice or else randomly decided upon by the program.
> That may occasionally shorten the file slightly.
>
> Having an unused code lengthens many of the other codes, so the whole
> file is slightly more redundant.
>
> This can be minimized if the unused code is a long one, treated as if
> it belongs to a low-probability symbol.
>
> But if this is done with a symbol with an obvious pattern - and the
> all-zero symbol certainly is that - other characteristics of the
> Huffman code used become known to an attacker.
You are considering using compression as sort of encryption. But
I am adopting the (I suppose) more common view that compression and
encryption are orthogonal. Compression helps the encryption but
I assume that, once the analyst correctly decrypts by using the
correct key, properly doing decompression is no problem for him. This
is a weaker assumption. From the discussions to date, I believe that
it is also Mr. Scott's assumption that the analyst can do compression
and decompression just as the communication partners can, without
having to guess or otherwise find the Huffman code.
>
> If there's an omitted symbol 0000000000, then there has to also be a
> symbol 0000000001 to keep it company. And there either has to be a
> symbol 000000001 or two or more symbols starting with that string.
>
> And what this means is that low-frequency symbols will tend to start
> with zeroes.
See above.
>
> That flaw can actually be corrected: instead of omitting the symbol
> that is all zeroes, one can just as easily match the symbol that, all
> the way through, matches the digits of pi or any other sequence.
>
> The longer your message, the more the added length due to the extra
> symbol will be greater than that created by padding.
Checking for all 0's is one of the simplest ways for that purpose.
Further, you can simply use an extra (257th) symbol for end of file,
if you are taking the trouble to consider pi.
>
> Note that I said to put the three bits indicating the number of unused
> bits in the last byte in the second-last byte. This avoids the problem
> where there are unused bits in the byte before the byte from which we
> find out they're unused, which might lead to them being processed.
>
> Thus:
>
> 01101 000 11010110
> 11010 001 1011010*
> 00110 010 011010**
> ...
> 10110 111 1*******
>
> And note that the unused bits that are used for padding _need not_ all
> be zeroes, instead one can use _random_ bits for padding. (And one
> _definitely_ should. But one's 'random' bit generator must not leak
> information about anything else.)
>
> Thus, the plaintext message consists of uniformly distributed
> bits...right down to the very end. As far as possible, it has been
> ensured that each bit of the plaintext has a 50% probability of being
> either a 1 or a 0.
Yes, this works if the sole purpose is compression/decompression.
But if this stuff is encrypted and decrypted back with a wrong key,
you wouldn't have the proper length information. This, according
to Mr. Scott's reasoning, is bad, because it immediately tells him
that the key he has employed is wrong.
M. K. Shen
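The end-of-stream layout John Savard describes in the quoted post (the 3-bit count of unused bits placed in the second-last byte, and the unused bits of the last byte filled with random rather than zero bits), written out as a packer and unpacker; this is an added illustration, not code from either poster. MSB-first bit order and the function names are my assumptions.

```python
import secrets

# Added example of the quoted layout. Bits are written MSB first (an
# assumption; the post does not state a bit order). Tail of the stream:
#   second-last byte: 5 data bits | 3-bit count u of unused bits in the last byte
#   last byte:        (8 - u) data bits | u unused bits, filled with random bits
# so the reader learns how many bits to discard before it reaches them.

def pack_bits(bits: str) -> bytes:
    """Pack a '0'/'1' string into bytes, count field in the second-last byte."""
    n = len(bits)
    if n < 6 or set(bits) - {"0", "1"}:
        raise ValueError("need a '0'/'1' string of at least 6 bits (two bytes)")
    k = -(-(n + 3) // 8)               # total bytes: data plus 3 count bits, rounded up
    unused = 8 * k - 3 - n             # unused bits in the last byte, always 0..7
    split = 8 * (k - 2) + 5            # count field starts 5 bits into the second-last byte
    pad = "".join(str(secrets.randbits(1)) for _ in range(unused))  # random, not zero
    stream = bits[:split] + format(unused, "03b") + bits[split:] + pad
    return bytes(int(stream[i:i + 8], 2) for i in range(0, 8 * k, 8))

def unused_bits(data: bytes) -> int:
    """Read the 3-bit count from the low bits of the second-last byte."""
    if len(data) < 2:
        raise ValueError("need at least 2 bytes")
    return data[-2] & 0x07

def unpack_bits(data: bytes) -> str:
    """Inverse of pack_bits: skip the count field, drop u bits of the last byte."""
    k = len(data)
    unused = unused_bits(data)
    stream = "".join(format(b, "08b") for b in data)
    split = 8 * (k - 2) + 5
    return stream[:split] + stream[split + 3:8 * k - unused]

if __name__ == "__main__":
    # First row of the quoted diagram: 01101 000 11010110 -> bytes 0x68 0xD6
    print(pack_bits("01101" + "11010110").hex())
```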
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: NEW THREAD on compression
Date: Fri, 27 Aug 1999 09:37:01 +0200
SCOTT19U.ZIP_GUY wrote:
> Yes, if you use the "random added feature", yes, you can do, I think,
> what you are saying. But to me we pretend the enemy knows all but
> the key and the message. That means the enemy knows what you did for random
> numbers. Or you have to consider the means of adding in a random
> feature as part of the encryption. But these are my views if you want to
> call the random feature part of compression fine.
Thanks for your comment. But let me say that this random feature
for compression has been introduced in order to properly deal with
the (very) special case under discussion. If one considers that the
probability of occurrence of this is very small, one can in my
humble opinion fairly safely omit to invoke that random feature, i.e.
always choosing to have no trailing zero bytes when queried by the
program about this.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Staffan Jonsson)
Subject: SHA-1 OID
Date: Fri, 27 Aug 1999 08:56:51 GMT
Hi!
I would like to know the (asn1) Object Identifier for SHA-1 and/or a
pointer to where I can find that out.
Can anybody help me?
Regards
/Staffan
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Sarah Flannery @ Intel Science Fair
Date: 27 Aug 1999 08:01:51 GMT
Just stumbled across this citation in the google.com archived copy
for http://www.sciserv.org/press3.htm
Intel Fellows Achievement Award for outstanding work in any field :
MA021 Cryptography: Science of Secrecy
Sarah Flannery, 16, Scoil Mhuire Gan Smal,
County Cork, Ireland
So the question of "where did she eventually submit?" may be settled.
Assuming that this project details her system, anyway.
Congrats to her!
-David
------------------------------
Subject: Re: Where to find
From: Forrest Johnson <[EMAIL PROTECTED]>
Date: Fri, 27 Aug 1999 07:40:50 GMT
In article <7q3ecq$1sms$[EMAIL PROTECTED]> SCOTT19U.ZIP_GUY,
[EMAIL PROTECTED] writes:
>>
>>What does writing papers on quaternion approximations have to do with
>>patching code in fielded weapons systems?
> I noticed you worked for Raytheon. Not that I ever thought much about
>your company but they happened to take copies of the papers. Maybe
>they did something sneaky with them I don't know. But you might find
>them in your company maybe they destroyed them and made patents up
>of their own. Who knows.
Mr. Scott, insults to my employer do little to enlighten me about your
claim to making changes to software in weapons systems.
> Like I said if the Navy flew it I worked on it.
OK, let's suppose that claim is true. I still want to know what systems
you made *changes* to as you claimed in your earlier post. Name the
aircraft.
> the INS was my speciality.
Ah, a snippet of information. Are you claiming to have made changes to
the Inertial Navigation Systems software?
>>
>>> One day bored
>>>so even applied for a patent on some hardware stuff for the
>>>Navy surely you can look that up.
>>No, I can't look up a patent application. I could look up a *patent* if
>>one had been granted and if I had some idea of the title or subject
>>matter of the patent, but again you didn't give me any particulars.
>>There are only 79 patents registered to David Scott from 1976 to 1979, so
>>it won't be hard to find yours if you give some detail.
> Gee I guess all people with the name David Scott are brilliant. I
>even met some at work with my name. And when I worked for
>NASA I kept getting mail that was for David Scott but I don't
>think it was for me. But I am not the one that keeps winning
>the Iron Man competition but I get mistaken for him more
>than the fellow astronaut.
Congratulations on your patent. In the context of our discussion here,
however, a patent on a derotation plate is largely irrelevant.
>>I enjoy your war stories and such, Mr. Scott; they just don't give me the
>>information I need. Could you give me some details on the when, where,
>>what, and how you applied your code changes to fielded weapons systems?
>>Thank you.
> If you can arrange a meeting with the Navy maybe we can work out the
>details for such an information exchange.
>
There's no "exchange" of information happening here, Mr. Scott. You seem
to be purposely dodging my questions. Are you now trying to say that you
need the Navy's permission to divulge the information that would
substantiate your claim? If so, please be so kind as to tell me the name
of the contracting authority for the weapons system in question and I
will contact them.
------------------------------
From: "Shaun Wilde" <[EMAIL PROTECTED]>
Subject: Re: 2 person data exchange - best method?
Date: Fri, 27 Aug 1999 09:05:47 +0100
A PRFG?
Remember, I am fairly new to this, so I might not understand all the
abbreviations.
Anton Stiglic wrote in message <[EMAIL PROTECTED]>...
>
>If you don't want to do something like that, you need for Alice
>and Bob to exchange some sort of info before (for example,
>a PRFG).
>
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Where to find
Date: Thu, 26 Aug 1999 14:10:45 GMT
In article <Nx2x3.1$[EMAIL PROTECTED]>, Forrest Johnson
<[EMAIL PROTECTED]> wrote:
>In article <7q0ug3$2hd4$[EMAIL PROTECTED]> SCOTT19U.ZIP_GUY,
>What were the titles of the papers? Were they published in any sort of
>journal? You mentioned they were "Navy Papers". What were the document
>control numbers? (If they aren't under any sort of document control,
>there's little hope of finding them. Ditto for the prospect of finding
>anything that someone might have carted back to Raytheon 25 years ago.)
You really expect me to remember some words. The titles mostly concerned
use of quaternions and quaternion approximations in Kalman filter stuff. Most
people are so foolish that they use very wrong approximations when I used
far superior methods. No I don't save anything. Yes I could recreate any of
the equations if I had to.
>
>What does writing papers on quaternion approximations have to do with
>patching code in fielded weapons systems?
I noticed you worked for Raytheon. Not that I ever thought much about
your company but they happened to take copies of the papers. Maybe
they did something sneaky with them I don't know. But you might find
them in your company maybe they destroyed them and made patents up
of their own. Who knows.
>
>>As far as Y2K I did try to come out of retirement and
>>help fix the problems ( we use to complain to management about
>>it. But that is a waste of time). I taught UNIVAC assembly at CHINA
>>LAKE for a while. I was on call 24 hours a day in case the UNIVAC
>>crashed. I used to fix working programs the navy relied on that they
>>had long ago lost the source code for. The use of the product FLIT. I felt
>>that since my boss suggested I go back and help with Y2K that I
>>might as well look into it. I gave my resume to the CSC office
>>in RIDGECREST. But I never heard back from them.
>None of this has to do with changing code in fielded weapons systems.
Like I said if the Navy flew it I worked on it.
>
>>But basically if it FLEW or was related to FLYING I worked on it.
>Give me some particulars. Which specific aircraft and which specific
>systems on those aircraft did you make code changes to?
the INS was my speciality.
>
>> One day bored
>>so even applied for a patent on some hardware stuff for the
>>Navy surely you can look that up.
>No, I can't look up a patent application. I could look up a *patent* if
>one had been granted and if I had some idea of the title or subject
>matter of the patent, but again you didn't give me any particulars.
>There are only 79 patents registered to David Scott from 1976 to 1979, so
>it won't be hard to find yours if you give some detail.
Gee I guess all people with the name David Scott are brilliant. I
even met some at work with my name. And when I worked for
NASA I kept getting mail that was for David Scott but I don't
think it was for me. But I am not the one that keeps winning
the Iron Man competition but I get mistaken for him more
than the fellow astronaut.
>
>>(reminiscences not applicable to the question snipped)<
>
>I enjoy your war stories and such, Mr. Scott; they just don't give me the
>information I need. Could you give me some details on the when, where,
>what, and how you applied your code changes to fielded weapons systems?
>Thank you.
If you can arrange a meeting with the Navy maybe we can work out the
details for such an information exchange.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
------------------------------
Date: Thu, 26 Aug 1999 09:15:39 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: One-time pad encryption.
Tony L. Svanstrom wrote:
> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
>
> > Claiming that reusing a use-once key is OK because the second use is
> > indecipherable is like claiming that reusing a paper towel is sanitary.
>
> No, it's not; you are assuming that someone can get a copy of the text at
> either end, that's a weakness in that end and not in the way that the
> message was put together.
> I'm sorry that I didn't state clearly enough that it was only the
> security of the message as it's "traveling" thru non-secure channels
> that I was interested in.
Normally a threat model ascribes a lifetime to the information (messages)
being protected. If the information is exposed during the lifetime the
system is not secure. This matters in your example because the first message
using a key may become available to the Opponent during the lifetime of the
second message.
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Fermat theorem on primes?
Date: Thu, 26 Aug 1999 13:11:23 GMT
In article <7q27u6$d57$[EMAIL PROTECTED]>,
"Thijs vd Berg" <[EMAIL PROTECTED]> wrote:
> <snip>
>
> > Fermat's little theorem says that if p is a prime and does not
> > divide a, then a^(p-1) = 1 mod p. Instead of doing copying from a
> > book, I suggest that you look into any introductory text book on
> > number theory for its proof as well as for its generalization
> > due to Euler.
> >
> > M. K. Shen
>
> Hi there Mr. expert-wannabe,
>
> I suggest you also take a look in that text book of yours for that
> "proof".
> If you think it's necessary to flame, then don't make such a fool out of
> yourself.
There is an old parable about "people who live in glass houses"....
What Mr. Shen posted was exactly correct and his post was not a flame.
What makes you think otherwise?
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Coms 1003 <[EMAIL PROTECTED]>
Subject: Re: Wrapped PCBC mode
Date: Thu, 26 Aug 1999 09:24:41 -0400
With all this discussion on the "w-PCBC" mode, could someone post (or post
a reference to) exactly what this is?
------------------------------
From: Solinas <[EMAIL PROTECTED]>
Subject: Re: ANSI standards?
Date: Thu, 26 Aug 1999 10:27:47 -0400
Reply-To: [EMAIL PROTECTED]
DJohn37050 wrote:
> Not online for free. It is available for purchase either softcopy or hard.
> Don Johnson
You can get free pirate copies at alt.binaries.ansi.standards.
The one you want is posted every few weeks.
-- JS
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Searching for Source of PGPPhone or Document how it works
Date: 26 Aug 1999 15:59:12 GMT
In article <[EMAIL PROTECTED]>,
Hartmut Schroeder <[EMAIL PROTECTED]> wrote:
>Hi,
>while working on a standalone cryptophone, the idea came to mind of making
>it compatible with existing solutions (even PC-based).
>
>The only solution worth implementing seems to be PGPPhone, but it seems
>that development has been stopped?!?
>
>It also seems that there's no source available. Is that true?
>
>I don't require the source, but a document on how the communication protocol works
>will tell me if and how we can implement this.
>Has anybody seen such a document and can point me to it?
How about Nautilus? It's at http://www.lila.com/nautilus/
and the protocol is documented, plus source is available
from some mirror sites.
I don't think source for PGPfone was ever released.
There is also Speak Freely, and the Comsec hardware device
which had a published protocol. I don't know if Starium
(the new version of Comsec, www.starium.com) will use the
same protocol though.
Besides the communication and crypto protocols, you also have
to worry about compatible speech compression algorithms.
Don't forget that.
------------------------------
From: matt <[EMAIL PROTECTED]>
Subject: Re: Can we have randomness in the physical world of "Cause and Effect" ?
Date: Fri, 27 Aug 1999 17:53:35 +0800
I am not a physicist, but I believe that Chaos Theory provides for
true randomness, which is related to quantum mechanics. Basically, the
exact details of anything cannot be fully determined, so even with cause
and effect, the outcomes are not 100% possible to predict.
That's my 2 bits.
Matt.
------------------------------
From: matt <[EMAIL PROTECTED]>
Subject: Freeware windows public key encryption DLLs?
Date: Fri, 27 Aug 1999 18:08:24 +0800
Anyone know of any good freeware Dlls/Delphi components which can
implement public key encryption, and digital signatures? Any secure
algorithms are OK.
Thanks,
Matt.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************