Cryptography-Digest Digest #128, Volume #10 Sun, 29 Aug 99 04:13:03 EDT
Contents:
Re: 512 bit number factored (DJohn37050)
Re: Key Establishment Protocols - free chapter from Handbook of Applied Cryptography ("Rick Braddam")
Re: NEW THREAD on compression (SCOTT19U.ZIP_GUY)
Re: Can I export software that uses encryption as copy protection? ("John E. Kuslich")
Re: Fermat theorem on primes? ("Douglas A. Gwyn")
Re: 512 bit number factored (SCOTT19U.ZIP_GUY)
Re: Can we have randomness in the physical world of "Cause and Effect" ? (David Christy)
All I find the topic fascinating how might I learn.. (JC)
Re: All I find the topic fascinating how might I learn.. ("Douglas A. Gwyn")
Re: Can we have randomness in the physical world of "Cause and Effect" ? ("Douglas A. Gwyn")
shasum utility for Unix ("Scott G. Miller")
n-ary Huffman Template Algorithm (Alex Vinokur)
RC4 question (Red_Blue)
Re: Decrypted International Crypto inside the US (Matthew Skala)
Re: Can I export software that uses encryption as copy protection? (JPeschel)
Re: Key Establishment Protocols - free chapter from Handbook of Applied Cryptography ([EMAIL PROTECTED])
Re: RC4 question (David A Molnar)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: 512 bit number factored
Date: 29 Aug 1999 01:39:41 GMT
In the CryptoBytes for Summer of 1995, after Andrew Odlyzko's article on the
future of Integer Factorization, I find on p. 12 a recommendation by RSA Labs on
minimum RSA keysizes of 768 for user keys, short term security. In Andrew's
article, he points out that 512 is already able to be attacked with existing
equipment. I cannot find an earlier reference than this for setting a minimum
RSA key size beyond 512 bits by RSA Labs. Perhaps someone can enlighten me,
but this statement was made only 4 years ago.
Don Johnson
------------------------------
From: "Rick Braddam" <[EMAIL PROTECTED]>
Subject: Re: Key Establishment Protocols - free chapter from Handbook of Applied Cryptography
Date: Sat, 28 Aug 1999 20:15:39 -0500
Alfred John Menezes <[EMAIL PROTECTED]> wrote in message
news:7q9ps1$4jc$[EMAIL PROTECTED]...
>
> We have to continually convince our publisher of this. So far they
> are quite pleased with the results.
>
> - Alfred
>
I hope they become even more pleased as time goes by. I downloaded several chapters
before I finally bought the book on-line. Thanks for giving me a look at it ahead of
my purchase, even if the math is over my head.
Rick
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: NEW THREAD on compression
Date: Sun, 29 Aug 1999 03:07:47 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] () wrote:
>SCOTT19U.ZIP_GUY ([EMAIL PROTECTED]) wrote:
>: At least if you always have a file that
>: decompresses the attacker does not know for sure that you did not send
>: a binary file.
>
>That is a valid point, but there is a flaw in your approach. There's
>always the chance that somewhere in the decrypted message there will be a
>string of too many zeroes in a row. Or, there might not be enough zeroes
>at the end of the message, causing it to end in the middle of a symbol.
>
Since you only have me in the quoting, are you talking about my method
or Mok's? My method does not suffer from this flaw. You can download
it and check it yourself. I have tested this and it works with no problem. Your
scheme of adding bits to see which bits in the last byte are valid not only adds
header-like data that the attacker can key in on but increases the length of
the compressed file. I played with such a method and you have far more
bad files than good files. Also, what assurance do you have as the file is
being decompressed that any token has an ending in the last byte? All you did
was assume that you have the correct answer one out of eight times. But
in reality you could be on a token that started several bytes back, and after
following all the bits in the last byte the token is not at a leaf yet, so no
value of the eight from your 3 bits could be correct.
By the way, what form of chaining are you presently claiming that PGP uses?
Your site has stated that it was CBC; the code I saw did not use this. Are you
ever going to double check, or do you care?
>I suppose that one could do what you want this way:
>
>Ensure that the Huffman code in use contains at least one symbol as long
>as eight bits.
>
>After the message is compressed, note how many bits remain in the last
>byte. Pad those bits by filling them with the start of a symbol that is at
>least one bit longer than the remaining bits.
>
>That will do it, but it will mean the probabilities of that final partial
>symbol are uneven.
>
>In any event, key bits are cheap - one should definitely ensure that one
>is using a very long key if one is aiming at security.
>
>John Savard
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
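The padding rule Savard proposes in the quoted text above, worked through as an added example (code written for this digest, not from either poster): a Huffman code with a codeword of at least 8 bits, the last byte padded with the beginning of that codeword, and a decoder that discards the unfinished trailing symbol. The weights and message are constructed.

```python
# Added example (not from the thread): Savard's padding rule quoted above.
# Build a Huffman code that has at least one codeword of 8+ bits, pad the
# final byte with the *start* of that long codeword, and decode by dropping
# the trailing incomplete symbol. Weights and text below are constructed.
import heapq
from itertools import count


def huffman_codes(freqs):
    """Binary Huffman code for {symbol: weight} -> {symbol: bit string}."""
    tick = count()                      # tie-breaker so tuples never compare symbols
    heap = [(w, next(tick), sym) for sym, w in freqs.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)
        w2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (w1 + w2, next(tick), (left, right)))
    codes = {}

    def walk(node, prefix):
        if isinstance(node, tuple):     # internal node: recurse both ways
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:
            codes[node] = prefix or "0"
    walk(heap[0][2], "")
    return codes


def encode_padded(text, codes):
    """Compress and pad the last byte per Savard: the code must contain a
    symbol of >= 8 bits, and the free bits are filled with its beginning."""
    bits = "".join(codes[c] for c in text)
    longest = max(codes.values(), key=len)
    if len(longest) < 8:
        raise ValueError("code needs a codeword of at least 8 bits")
    free = -len(bits) % 8               # 0..7 unused bits in the last byte
    bits += longest[:free]              # proper prefix: never a whole symbol
    return int(bits, 2).to_bytes(len(bits) // 8, "big") if bits else b""


def decode(data, codes):
    """Walk the code; return (symbols, leftover bits of an unfinished symbol).
    A Huffman tree is full, so *any* byte string decodes without error."""
    rev = {v: k for k, v in codes.items()}
    out, cur = [], ""
    for bit in "".join(f"{b:08b}" for b in data):
        cur += bit
        if cur in rev:
            out.append(rev[cur])
            cur = ""
    return "".join(out), cur


# Skewed constructed weights: depths run 1..9, so the rarest symbols are 9 bits.
FREQS = {"a": 256, "b": 128, "c": 64, "d": 32, "e": 16,
         "f": 8, "g": 4, "h": 2, "i": 1, "j": 1}
CODES = huffman_codes(FREQS)
SAMPLE = "aaabaacabadaabaaeaabaaaf"   # constructed message over that alphabet


def roundtrip(text):
    """Compress with padding, decode, and report the discarded tail."""
    return decode(encode_padded(text, CODES), CODES)


if __name__ == "__main__":
    print(roundtrip(SAMPLE))
```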
------------------------------
From: "John E. Kuslich" <[EMAIL PROTECTED]>
Crossposted-To: misc.legal.computing
Subject: Re: Can I export software that uses encryption as copy protection?
Date: Sat, 28 Aug 1999 19:19:00 -0700
Timur Tabi wrote:
> I'm planning on developing software that decrypts the registration
> information that's embedded in the binary. That is, before we ship the
> software to the customer, we use a public-key encryption to generate an
> encrypted message that contains the user's registration information (name,
> etc). This message is then written to the application's binary (.EXE), and
> the binary is e-mailed to the user. The application, whenever it's run,
> decrypts the message (with the other half of the public-key) and verifies the
> contents. If it's invalid, the software terminates.
So then the hacker finds the single bit in your code responsible for storing the
information (valid / not-valid), changes that bit to be always valid, and your
protection is out the window.
I don't think anyone would object to exporting one-bit encryption. :--))
>
>
> Is it legal to export the binary outside the US? Keep in mind that it only
> does decryption, and only of one thing: the message that's embedded within
> itself. I remember reading a blurb somewhere that said what I'm trying to do
> is one of the few exceptions to the export restriction laws, but for the life
> of me I can't find the official documents on this. I've searched the Dept of
> Commerce website high and low, so if someone has a direct URL or a document
> name I'd really appreciate it.
JK
--
John E. Kuslich
Password Recovery Software
CRAK Software
http://www.crak.com
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Fermat theorem on primes?
Date: Sun, 29 Aug 1999 02:17:26 GMT
Ender Olcayto wrote:
> I remember reading somewhere that: " For any integer n in (1,1-p), if
> 1=n(p-1) mod-p is not satisfied, then p is not prime." is a variant
> on Fermat's theorem (it could have been Euler-Fermat theorem) on
> primes. I would be grateful for anybody who can give me a proof of
> the above. I have suspicion it is not a correct statement ...
Fermat's congruence is normally stated as:
If p is prime and n is any number not divisible by p, then
n^(p-1) = 1 (mod p). ["^" denotes exponentiation.]
The contraposition of this is close to what you asked for:
If for some number n not divisible by p, you can show that
n^(p-1) != 1 (mod p), then p is not prime.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: 512 bit number factored
Date: Sun, 29 Aug 1999 03:22:04 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(DJohn37050) wrote:
>Well, I seem to remember it was one of the inventors of the RSA algorithm that
>made a quote about how long he thought it would take to break 512 bits. And it
>was very long. And he could not have said it much before 1977.
>Don Johnson
It is quite common in encryption circles to talk about using only keys long
enough to be safe for billions of years. And several years short of billions
of years the methods fail. Yet the experts back-pedal and come up with
new lengths and bitch about anyone suggesting using longer keys. I think this
is because people are so dumb they continue to follow their advice. Of course
this keeps hackers and the NSA busy reading your mail. Well, my advice is use
the longest key you can that runs without too much delay on your machine. If
you have a fast machine, use a very large one. If your machine is small, pick one
so you don't have to wait a minute or so. But err on the side of the longest
you can use. Whatever the experts say is safe is a lie. They will either blame
the advances in technology for messing up their guesses ten years from now
or blame some new factoring method.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
------------------------------
From: [EMAIL PROTECTED] (David Christy)
Subject: Re: Can we have randomness in the physical world of "Cause and Effect" ?
Date: 29 Aug 1999 04:03:56 GMT
John Savard ([EMAIL PROTECTED]) wrote:
> sb5309 <[EMAIL PROTECTED]> wrote, in part:
>
> >I am not a physicist.
>
> It is claimed that quantum mechanics, as far as we know, allows true
> randomness.
>
Minor correction, quantum mechanics implies that the universe is
non-deterministic, but not random. Perhaps local randomness
would be a better way of putting it, I don't know. I suppose
in a universe that is non-deterministic, but not random there
will always be room to learn more even though not all - because
we as individuals don't encompass all existence, but just our
local existence.
>
> However, physical randomness methods, even when they do not involve
> quantum mechanics, have the advantage over a computer pseudorandom
> method in that the initial conditions, which are the cause of the
> 'random' output, can often be genuinely hard to determine.
>
> John Savard ( teneerf<- )
> http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: JC <[EMAIL PROTECTED]>
Subject: All I find the topic fascinating how might I learn..
Date: Sat, 28 Aug 1999 23:56:54 -0400
All
It may sound stupid, but how did you guys learn this stuff?
I can't afford college (mortgage, kids, wife, pets) but I can read books.
I would need to start with the most elementary stuff first, of course.
What books or web sites or magazines or whatever do all of you recommend
so that I may learn more? I have always wanted to do it.
Sorry if this was the incorrect forum to ask for help, but you folks seem
to know what you're talking about.
James C.
[EMAIL PROTECTED]
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: All I find the topic fascinating how might I learn..
Date: Sun, 29 Aug 1999 04:45:23 GMT
First read the sci.crypt FAQ list (pointer to which is posted about
once a month, but it's easy to locate copies with a Web search),
which not only explains a few things but more importantly lists
several books where you can learn more. With just a high school
background, I'd recommend starting with David Kahn's "The
Codebreakers", preferably the unabridged hardcover edition; it was
on the best-seller list and should be in many public libraries.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Can we have randomness in the physical world of "Cause and Effect" ?
Date: Sun, 29 Aug 1999 05:03:32 GMT
David Christy wrote:
> John Savard ([EMAIL PROTECTED]) wrote:
> > It is claimed that quantum mechanics, as far as we know, allows
> > true randomness.
> Minor correction, quantum mechanics implies that the universe is
> non-deterministic, but not random. Perhaps local randomness
> would be a better way of putting it, ...
The problem with using words that commonly have several conflicting
usages (I am hesitant to dignify them by calling them "meanings")
is that people waste a lot of time debating without accomplishing
anything. The way *I* understand the terms, standard quantum
theory is deterministic (systems evolve according to precise rules)
but requires specific kinds of unpredictability, aka randomness,
stemming from the noncommutativity of the operations used to obtain
knowledge about physical systems.
The difference between quantum randomness and classical randomness
is that in the classical case, we can (at least in principle) reduce
random effects to an arbitrary level of insignificance by obtaining
more information about the system, whereas in the quantum case,
there is an intrinsic lower limit (measured by Planck's constant)
below which we cannot refine our knowledge of a system's state.
------------------------------
From: "Scott G. Miller" <[EMAIL PROTECTED]>
Subject: shasum utility for Unix
Date: Sun, 29 Aug 1999 00:15:15 -0500
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
Hi all.
I've written a utility called 'shasum' that does sha1 hashing of files
similar to md5sum(1) on unix machines. However, I am not a professional
cryptographer, and as I have submitted the program to the GNU project for
inclusion in the GNU textutils, I would like some bigger and more
experienced minds to look over the code and tell me if I've bungled
anything.
The source code is quite short, 500 lines including comments, and can be
found at ftp://ftp.gamora.org/pub/gamora/scgmille/shasum-1.2.tar.gz.
Thanks,
Scott Miller
=====BEGIN PGP SIGNATURE=====
Version: GnuPG v0.9.10 (GNU/Linux)
Comment: For info see http://www.gnupg.org
=====END PGP SIGNATURE=====
------------------------------
From: Alex Vinokur <[EMAIL PROTECTED]>
Crossposted-To: sci.image.processing,sci.math,alt.comp.compression
Subject: n-ary Huffman Template Algorithm
Date: Sun, 29 Aug 1999 06:17:02 GMT
Hi,
An n-ary Huffman template algorithm has been written (C++, STL).
1. The n-ary Huffman algorithm uses the {0, 1, ..., n-1} alphabet to encode a message.
The tree built is an n-ary one.
2. The Huffman template algorithm makes it possible to use non-numerical weights
(costs, frequencies).
See http://alexvn.homepage.com/alexvn.html
Alex
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Red_Blue <[EMAIL PROTECTED]>
Subject: RC4 question
Date: Sun, 29 Aug 1999 09:58:27 +0300
Could someone please shed some light on the following issue:
What is the difference in required brute force computing power for
breaking RC4-40 vs. RC4-128 export (40 secret) keys?
I have run into estimates of 64 MIPS-years for RC4-40, so do these 88
non-secret 'salt' bits add significantly to that value?
When the recent RSA-155 factoring breakthrough reached me, I also found
out that my bank's www-self-service here in Finland still uses these
'medium-grade' keys with SSL v3 to secure the transactions.
So it makes me wonder if the strength of the session keys there is a
bigger problem than someone breaking the key exchange RSA with those
8000 or whatever MIPS-years. I don't understand why they are so slow to
implement stronger encryption when it's now available for banks
(imported from the US)...
Thanks in advance,
Jere Hakanen
------------------------------
From: [EMAIL PROTECTED] (Matthew Skala)
Subject: Re: Decrypted International Crypto inside the US
Date: 28 Aug 1999 20:10:47 -0700
In article <[EMAIL PROTECTED]>,
JPeschel <[EMAIL PROTECTED]> wrote:
>> Joe there are laws about sending encrypted messages out over the
>>ham radio airways. Because I remember the Ham teacher saying it
>Could it be that we are both just old? Does such a law still exist?
Yes, it does (or at least, it did here in Canada at the time I took the
exams, ~9 years ago, and I'm sure I'd have heard if there'd been a
change). However, the law says you can't *transmit* in secret codes;
nothing about reception of someone else's transmissions. In Canada, you
are allowed to receive *anything*, although there are restrictions on how
you're allowed to use the information if you intercept someone's private
communications. Also, it's possible that they have amended that to forbid
listening in on cell-phone conversations; I know some people who would
like that, although personally I think it would be an abomination.
I always thought the rules against crypto in ham transmissions were to
prevent people from using the ham bands for anything important; if you
could use ham radio for private communication, then you could use it, for
instance, to conduct business. Then a lot of people would want to do
that, thereby crowding the real amateurs off the bands and hurting the
telephone companies. This is also why hams are only allowed to transmit
"third party traffic" in certain narrowly limited ways, and why they must
put up with content restrictions much stricter than anything commercial
broadcasters face.
This seems like another good opportunity to plug my free networking
manifesto, at http://www.islandnet.com/~mskala/netfree.html . It talks
about the ham band content restrictions a fair bit. It's not really about
crypto, but every time I mention it here it gets a lot of hits afterwards,
so someone's obviously finding it interesting.
--
Matthew Skala
[EMAIL PROTECTED]
http://www.islandnet.com/~mskala/
"Why should the fates of the groovy and the creepy be intertwined?" - Valerie Solanas
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Can I export software that uses encryption as copy protection?
Date: 29 Aug 1999 07:12:53 GMT
"John E. Kuslich" <[EMAIL PROTECTED]> writes:
>Timur Tabi wrote:
>
>> I'm planning on developing software that decrypts the registration
>> information that's embedded in the binary. That is, before we ship the
>> software to the customer, we use a public-key encryption to generate an
>> encrypted message that contains the user's registration information (name,
>> etc). This message is then written to the application's binary (.EXE), and
>> the binary is e-mailed to the user. The application, whenever it's run,
>> decrypts the message (with the other half of the public-key) and verifies the
>> contents. If it's invalid, the software terminates.
>
>So then the hacker finds the single bit in your code responsible for storing the
>information (valid / not-valid) changes that bit to be always valid and your
>protection is out the window.
>
John, it's not quite that easy, or at least it shouldn't be. A cracker would
have to change at least one instruction where the comparison is made.
That means, however, changing more than one bit. It's likely there would
be more than one check, too, for instance, a check of the key length,
an integrity check of the executable. Other checks may be contained
in a .DLL or a hidden data file. I agree, though, that his protection scheme
sounds crackable as it appears to be an ordinary key file protection.
>I don't think anyone would object to exporting one-bit encryption.
Nope, he shouldn't have any problem exporting his software, as it only
does decryption.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Key Establishment Protocols - free chapter from Handbook of Applied Cryptography
Date: Sun, 29 Aug 1999 07:18:42 GMT
In article <7q9ps1$4jc$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Alfred John Menezes) wrote:
> >>same time, our publisher is hoping that people who find the book
> >>useful will go ahead and buy a copy of their own, and thus sales
> >>of the book will not be affected. Any comments on this publishing
> >>experiment will be greatly appreciated.
>...
> cannot afford the book or who have only a marginal interest still
> have easy access to it -- while not affecting sales.
>...
> We have to continually convince our publisher of this. So far they
> are quite pleased with the results.
But does the publisher have any idea whether sales have been
affected? I can think of reasons why online chapters would
make sales go up, or go down, but it seems hard to know which
without a controlled experiment. E.g., is there a blip in sales
immediately following the posting of a chapter?
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: RC4 question
Date: 29 Aug 1999 07:51:32 GMT
Red_Blue <[EMAIL PROTECTED]> wrote:
> What is the difference in required brute force computing power for
> breaking RC4-40 vs. RC4-128 export (40 secret) keys?
No different for brute force: still 2^40 possibilities.
> I have run into estimates of 64 MIPS-years for RC4-40, so do these 88
> non-secret 'salt' bits add significantly to that value?
No, but they do prevent the following attack :
if you had enough storage space to encrypt a likely plaintext 2^40
different times with the 2^40 different RC4 keys, then you'd have what
amounts to a really BIG hash table. The intercepted ciphertext is your
lookup key; from it you could get the enciphering key.
Without the extra 88 bits, you could make one such table and it would work
for all SSL traffic. With the extra 88 bits, you will need a different
table for each 88-bit value. So it does add some security.
> So it makes me wonder if the strength of the session keys there are a
> bigger problem than someone breaking the key exchange RSA with those
YES. The cypherpunks mailing list (and also Damien Doligez, independently)
collectively searched a 40-bit keyspace in a week. In 1994/5. These days
it would not take as long, especially against a determined adversary.
> 8000 or whatever MIPS-years. I don't understand why they are so slow to
> implement stronger encryption when it's now available for banks
> (imported from US)...
Who knows. There's a long list of possibles we could hash over. Everything
from export laws to institutional inertia. There are some positive signs,
though. The company my father works for has standardized on PGP for e-mail
encryption. Only seven years after I tried suggesting it. :-)
-David
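Molnar's point above, demonstrated as an added example (code written for this digest, not from the thread): a ciphertext-to-key table precomputed for one value of the public key bits is useless under any other value, while exhaustive search with the public bits known costs exactly the same either way. Sizes are scaled down to a 12-bit secret and 16 public bits so it runs in seconds; the known plaintext, secret and salt values are constructed.

```python
# Added example (not from the thread): why the 88 public "salt" bits in an
# export RC4 key block a precomputed ciphertext -> key table but do nothing
# against plain brute force. Scaled down to toy sizes so it runs in seconds:
# 12 secret bits (not 40) and 16 public bits (not 88). All values constructed.

SECRET_BITS = 12
SECRET_BYTES = 2           # the 12-bit secret is carried in 2 key bytes
KNOWN = b"GET / HTTP/1.0"  # constructed "likely plaintext" a guesser could assume


def rc4_keystream(key, n):
    """Standard RC4: key scheduling (KSA) then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encrypt(secret, salt, plaintext):
    """Export-style key: secret bits followed by the public salt bytes."""
    key = secret.to_bytes(SECRET_BYTES, "big") + salt
    return bytes(p ^ k for p, k in zip(plaintext, rc4_keystream(key, len(plaintext))))


def build_table(salt):
    """The 'really BIG hash table': ciphertext of KNOWN -> secret, for one salt."""
    return {encrypt(s, salt, KNOWN): s for s in range(1 << SECRET_BITS)}


def brute_force(salt, ciphertext):
    """Exhaustive search with the salt known; returns (secret, trials used)."""
    for s in range(1 << SECRET_BITS):
        if encrypt(s, salt, KNOWN) == ciphertext:
            return s, s + 1
    return None, 1 << SECRET_BITS


def demo():
    secret, salt_a, salt_b = 0x5A3, b"\x00\x01", b"\x00\x02"  # constructed
    table = build_table(salt_a)
    hit_same = table.get(encrypt(secret, salt_a, KNOWN))   # table built for this salt
    hit_other = table.get(encrypt(secret, salt_b, KNOWN))  # different salt: useless
    _, trials_a = brute_force(salt_a, encrypt(secret, salt_a, KNOWN))
    _, trials_b = brute_force(salt_b, encrypt(secret, salt_b, KNOWN))
    return hit_same, hit_other, trials_a, trials_b


if __name__ == "__main__":
    print(demo())   # (1443, None, 1444, 1444): table works only under its own salt
```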
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************