Cryptography-Digest Digest #135, Volume #10 Sun, 29 Aug 99 11:13:02 EDT
Contents:
Re: 512 bit number factored (Robert Harley)
Re: Key Establishment Protocols - free chapter from Handbook of Applied Cryptography
(Alfred John Menezes)
Re: RC4 question (Red_Blue)
Re: All I find the topic fascinating how might I learn.. (SCOTT19U.ZIP_GUY)
Re: Can I export software that uses encryption as copy protection? (SCOTT19U.ZIP_GUY)
Re: RC4 question (Tom St Denis)
Re: Decrypted International Crypto inside the US (SCOTT19U.ZIP_GUY)
----------------------------------------------------------------------------
From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: 512 bit number factored
Date: 29 Aug 1999 14:55:57 +0200
[EMAIL PROTECTED] (DJohn37050) writes:
>the basic Pollard rho algorithm is understood and one can understand
>why it is expected to succeed when it is expected to succeed.
Someone should tell that to the designers of S/KEY. It is a password
system that is supposed to be secure when passwords are snooped (as
they easily can be), by using one-time passwords.
Each user applies a hash function to some random seed a number of
times, up to 9999, producing a sequence of passwords. Then they login
using the passwords from the sequence in reverse order, from the end
back towards the beginning.
The theory is that if you sniff a password, that doesn't help because
to find the next one to use you would need to reverse the hash
function, but it is chosen to be cryptographically strong.
First of all, the passwords have only 64 bits of information so it is
possible to brute-force with a huge calculation. The number of hash
computations required would be about 2^63 divided by the number of
users.
But what the designers must have missed is that each user, by
iterating the hash function, is doing a little piece of a
birthday-paradox attack! By sniffing a password, the attacker doesn't
get a random password, but a password that is special in that it has
lots of ancestors that hash to it after some number of iterations.
When the attacker iterates the hash function, he just has to touch the
path followed by one of the users (upwind of the sniffed password),
and he will then follow the same path as the user as far as the
sniffed password and know an ancestor of it.
So an attack does not require 2^63 hash computations, nor 2^63 divided
by the number of users. Instead divide by the total number of
iterations done by all the users. Some places really do use the max
number of iterations. Suppose 100 users have a password sniffed. It
is then trivial to bypass S/KEY.
S/KEY may well have the practical effect of discouraging casual
attackers, but its real strength is next to nothing.
Bye,
Rob.
------------------------------
From: [EMAIL PROTECTED] (Alfred John Menezes)
Subject: Re: Key Establishment Protocols - free chapter from Handbook of Applied Cryptography
Date: 29 Aug 1999 12:40:29 GMT
In article <7qamse$gaa$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>In article <7q9ps1$4jc$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Alfred John Menezes) wrote:
>> >>same time, our publisher is hoping that people who find the book
>> >>useful will go ahead and buy a copy of their own, and thus sales
>> >>of the book will not be affected. Any comments on this publishing
>> >>experiment will be greatly appreciated.
>>...
>> cannot afford the book or who have only a marginal interest still
>> have easy access to it -- while not affecting sales.
>>...
>> We have to continually convince our publisher of this. So far they
>> are quite pleased with the results.
>
>But does the publisher have any idea whether sales have been
>affected? I can think of reasons why online chapters would
>make sales go up, or go down, but it seems hard to know which
>without a controlled experiment. Eg, is there a blip in sales
>immediately following the posting of a chapter?
The publisher cannot monitor day-to-day sales since most sales are
made through second parties such as amazon.com or Springer-Verlag in
Europe. They have, however, noticed that monthly sales have stayed
roughly steady for the past 12 months, which they think is a good sign
for a book that is in its third year of life.
- Alfred
------------------------------
From: Red_Blue <[EMAIL PROTECTED]>
Subject: Re: RC4 question
Date: Sun, 29 Aug 1999 16:04:23 +0300
David A Molnar wrote:
> Red_Blue <[EMAIL PROTECTED]> wrote:
> > What is the difference in required brute force computing power for
> > breaking RC4-40 vs. RC4-128 export (40 secret) keys?
>
> No different for brute force : still 2^40 possibilities.
Thank you very much! This helps in compiling a letter of 'customer input' to
the bank in question.
> > 8000 or whatever MIPS-years. I don't understand why they are so slow to
> > implement stronger encryption when it's now available for banks
> > (imported from US)...
>
> Who knows. There's a long list of possibles we could hash over. Everything
> from export laws to institutional inertia. There are some positive signs,
> though. The company my father works for has standardized on PGP for e-mail
> encryption. Only seven years after I tried suggesting it. :-)
As I understand it, current US legislation allows export of RC4 tech of any
key length for banks in EU countries. So why not use true 128 bit RC4, since
new international browser versions support it too. Perhaps they just need
someone to publish some confidential account information stolen by breaking
these weak keys, before corrective actions follow...
I 'forced' my father (the owner) to start using PGP for email in our company
in 95. We never used any 512 bit RSA keys, only at least 768 bit strong,
before switching to DH/DSS ;-)
Jere Hakanen
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: All I find the topic fascinating how might I learn..
Date: Sun, 29 Aug 1999 14:09:35 GMT
In article <[EMAIL PROTECTED]>, JC <[EMAIL PROTECTED]> wrote:
>All
>
>It may sound stupid but how did you guys learn this stuff?
>I can't afford college (mortgage, kids, wife, pets) but I can read books.
>I would need to start with the most elementary stuff first of course.
>What books or web sites or magazines or whatever do all of you recommend
>
>so that I may learn more. I have always wanted to do it.
>
>Sorry if this was the incorrect forum to ask for help but you folks seem
>to know what you're talking about.
>
>James C.
>[EMAIL PROTECTED]
>
You can get just about everything you want on the internet. I like DJGPP
GNU C; it's the best C compiler out there. Don't trust the experts. Build up your
own tools. Everything you need, at least for now, is free on the net. If you
want a Windows-based programming language, teach yourself Liberty Basic;
it is easy to write games and such in it. Get your own web page to exchange
ideas with people. Just remember people think differently, so you will still get
mostly bullshit from people, so sift through the letters and hate mail
carefully. If you write as much as I do, be prepared to get death threats.
I get a few every year. Also, besides The Codebreakers, which is a good book,
try The Puzzle Palace. But most books on crypto have an underlying spin to
them. I think it is because of the great control the NSA and such groups keep
on the system with their idle billions of dollars. Be wary of error recovery
methods and short key ciphers. "The sole purpose of encryption is to make it
hard to break." Anything that you can see is a weakness is a huge
weakness even if the crypto gods seem programmed to ignore it.
Do things you can verify yourself. For example ALL the 3-letter chaining
methods are weak since they are designed for error recovery, yet most don't
see this. You can test this out.
Encrypt your file with a method (if it changes the length, the program can
hide details from you, so it takes more work and should not be trusted until
you understand the source code on your own) of the block cipher of
your choice using the 3-letter chaining of your choice. Then reverse the file
(I have code at my site to do this), encrypt again with a different key and
even a different block size program if you wish and your choice of chaining,
then take the final output and with a hex editor change one bit or byte or
3 or 4 bytes near the middle of the file. Then decrypt using the reverse
of the encryption methods you used. Surprise: the only errors in the
decryption are in the same areas you changed. People have a very
hard time seeing this or even believing this until they do it themselves.
This is for 2 reasons. The so-called experts, possibly influenced either
directly or indirectly by the NSA billions, don't want it known. Or they
spout that it is well known and that it is needed for error recovery. If you
believe them then you believe the Chinese money the DNC got was
an honest gift. And that we never helped light the Waco fires. And
that the FOX reports about those in Federal Service that have
received bonuses did so for other work and not the crooked things
that some are accused of. Like the one who released damaging
stuff on Tripp. Why is it FOX seems to be the only news service
that wants to tell something about the truth.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
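The experiment described in the post above, run in code instead of with a hex editor. This is an added example, not code from David Scott's site: it uses XTEA (a 64-bit block cipher written out here so no library is needed) in CBC chaining for both layers, a constructed 512-byte plaintext, and arbitrary keys and IVs; `single_layer_flip` and `double_layer_flip` are this example's own names. Both functions return the byte offsets at which the decrypted file differs from the original.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8


def xtea_encrypt_block(key, block: bytes) -> bytes:
    """XTEA, 32 rounds, 64-bit block, key = 4 x 32-bit words (big-endian on the wire)."""
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(key, block: bytes) -> bytes:
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0, "demo keeps the length a multiple of the block size"
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = xtea_encrypt_block(key, xor_bytes(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(xor_bytes(prev, xtea_decrypt_block(key, c)))
        prev = c
    return b"".join(out)


def damaged_positions(original: bytes, recovered: bytes) -> list:
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]


def single_layer_flip(plain, key, iv, pos, mask=0x01) -> list:
    """Corrupt one ciphertext byte: CBC decryption garbles that block and
    flips the same bits in the following block, nothing else."""
    ct = bytearray(cbc_encrypt(key, iv, plain))
    ct[pos] ^= mask
    return damaged_positions(plain, cbc_decrypt(key, iv, bytes(ct)))


def double_layer_flip(plain, k1, iv1, k2, iv2, pos, mask=0x01) -> list:
    """The post's procedure: CBC-encrypt, reverse the file, CBC-encrypt again
    under a second key, corrupt one byte, then undo both layers in reverse."""
    c1 = cbc_encrypt(k1, iv1, plain)
    c2 = bytearray(cbc_encrypt(k2, iv2, c1[::-1]))
    c2[pos] ^= mask
    r = cbc_decrypt(k2, iv2, bytes(c2))
    return damaged_positions(plain, cbc_decrypt(k1, iv1, r[::-1]))


# Constructed inputs: 512 bytes (64 blocks), two arbitrary keys and IVs.
PLAIN = (b"The quick brown fox jumps over the lazy dog. " * 12)[:512]
K1 = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
K2 = (0xDEADBEEF, 0x0BADF00D, 0xCAFEBABE, 0x8BADF00D)
IV1 = bytes(range(8))
IV2 = bytes(range(8, 16))

if __name__ == "__main__":
    print("single layer:", single_layer_flip(PLAIN, K1, IV1, 256))
    print("double layer:", double_layer_flip(PLAIN, K1, IV1, K2, IV2, 256))
```

Flipping byte 256 of the single-layer ciphertext damages block 32 and exactly one bit of block 33. With the reverse-and-re-encrypt round trip, the same flip lands in block 32 of the outer layer, which after reversal becomes blocks 30 and 31 of the inner ciphertext, and the inner decryption spreads that to blocks 30, 31 and 32 of the plaintext: everything outside bytes 240 to 263 comes back intact, which is the localisation the post tells you to look for.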
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Can I export software that uses encryption as copy protection?
Date: Sun, 29 Aug 1999 14:20:32 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(JPeschel) wrote:
>John E. Kuslich" <[EMAIL PROTECTED]> writes:
>
>>Timur Tabi wrote:
>>
>>> I'm planning on developing software that decrypts the registration
>>> information that's embedded in the binary. That is, before we ship the
>>> software to the customer, we use a public-key encryption to generate an
>>> encrypted message that contains the user's registration information (name,
>>> etc). This message is then written to the application's binary (.EXE), and
>>> the binary is e-mailed to the user. The application, whenever it's run,
>>> decrypts the message (with the other half of the public-key) and verifies
>>the
>>> contents. If it's invalid, the software terminates.
>>
>>So then the hacker finds the single bit in your code responsible for storing
>>the
>>information (valid / not-valid) changes that bit to be always valid and your
>>protection is out the window.
>>
>
>John, it's not quite that easy, or at least it shouldn't be. A cracker would
>have to change at least one instruction where the comparison is made.
>That means, however, changing more than one bit. It's likely there would
>be more than one check, too, for instance, a check of the key length,
>an integrity check of the executable. Other checks may be contained
>in a .DLL or a hidden data file. I agree, though, that his protection scheme
>sounds crackable as it appears to be an ordinary key file protection.
>
>>I don't think anyone would object to exporting one-bit encryption.
>
>Nope, he shouldn't have any problem exporting his software, as it only
>does decryption.
>
>Joe
>
>
Joe, if one can legally export decryption, could one then export a decryption-only
version of my source code with working executable? Of course there
may be a few beer-drinking Germans that could be smart enough to reverse
engineer and come up with a program that did encryption based on his code.
But the infinite powers of the beer-drinking mind are beyond my control.
If yes, I can export it. What is to keep me from exporting a part of scott19r,
the decryption portion only, of a different program? But having the weakness
that the decryption part of the source code could be lifted in five minutes
by a Brit and used to create a full working copy of scott19u. Note I never
intended to export encryption (using only a small subset of Clintonian logic
which protects one from perjury). Yes, some random thoughts from too much
beer that I am sure I will forget when this hangover leaves.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: RC4 question
Date: Sun, 29 Aug 1999 13:16:41 GMT
In article <[EMAIL PROTECTED]>,
Red_Blue <[EMAIL PROTECTED]> wrote:
> Could someone please shed some light on the following issue:
>
> What is the difference in required brute force computing power for
> breaking RC4-40 vs. RC4-128 export (40 secret) keys?
>
> I have run into estimates of 64 MIPS-years for RC4-40, so do these 88
> non-secret 'salt' bits add significantly to that value?
Well the salt values prevent dictionary attacks against the schedule
key (if you could store the 2^48.01 bytes of ram it would require). A
128-bit key would obviously require 2^88 times longer to search (i.e
not very plausible).
> When the recent RSA-155 factoring breakthrough reached me, I also found
> out that my bank's www-self-service here in Finland still uses these
> 'medium-grade' keys with SSL v3 to secure the transactions.
> So it makes me wonder if the strength of the session keys there are a
> bigger problem than someone breaking the key exchange RSA with those
> 8000 or whatever MI
First off, RC4/RSA are completely different algorithms. Second, there are
very big factors limiting how big a key in RSA you can crack. A 128-
bit symmetric key is not like the upper bound given by a 128-bit RSA
key (which is at most only 2^64 since you can guess a factor). Even
so, large RSA keys require huge amounts of RAM. If I read correctly
the core of the RSA-155 required 3.2GB of RAM to do (and tons of
offline storage). 768/1024-bit keys DO NOT require linear
(extrapolated) amounts of memory for the core... So breaking a 1024-bit
key is NOT twice as hard as a 512-bit key (using the current
sieving/matrix algorithms).
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
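The point Tom makes about the 88 public bits, and Red_Blue's RC4-40 versus RC4-128-export question earlier in this digest, in a runnable toy. This is an added example, not code from either poster. Assumptions: 12 secret bits instead of 40 so the precomputed table builds in about a second; the session key is simply the secret bytes followed by the public salt (the real export cipher suites derive the key through a hash, which does not change the argument); and the attacker knows 8 bytes of plaintext at the start of the stream. `KNOWN_PREFIX`, `compare` and the constructed request are this example's own.

```python
# Toy key layout (assumption for this demo): 12 secret bits instead of the real
# 40 so the tables build in about a second, followed by an 88-bit public salt,
# mirroring "RC4-128 export (40 secret)" from the post.
SECRET_BITS = 12
SALT_BYTES = 11
KNOWN_PREFIX = b"GET /acc"        # constructed: 8 bytes of plaintext the attacker can guess


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling pass, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def session_key(secret: int, salt: bytes) -> bytes:
    return secret.to_bytes(2, "big") + salt


def encrypt(secret: int, salt: bytes, plaintext: bytes) -> bytes:
    ks = rc4_keystream(session_key(secret, salt), len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks))


def build_dictionary(salt: bytes) -> dict:
    """Precompute keystream prefix -> secret for every secret under one fixed salt.
    With no salt at all (salt=b"") the table is built once and breaks every session."""
    return {rc4_keystream(session_key(s, salt), len(KNOWN_PREFIX)): s
            for s in range(1 << SECRET_BITS)}


def observed_prefix(ciphertext: bytes) -> bytes:
    """Keystream the attacker recovers from the known plaintext at the stream start."""
    return bytes(a ^ b for a, b in zip(ciphertext[:len(KNOWN_PREFIX)], KNOWN_PREFIX))


def brute_force(ciphertext: bytes, salt: bytes):
    """Per-session search.  The salt is public but differs each session, so no
    table carries over.  Returns (secret, schedules_tried)."""
    target = observed_prefix(ciphertext)
    for s in range(1 << SECRET_BITS):
        if rc4_keystream(session_key(s, salt), len(target)) == target:
            return s, s + 1
    return None, 1 << SECRET_BITS


def compare(secret_a: int, secret_b: int, salt_a: bytes, salt_b: bytes) -> dict:
    body = KNOWN_PREFIX + b"ount/balance HTTP/1.0\r\n"   # constructed request
    # Unsalted: one table, then every session is a single lookup.
    table = build_dictionary(b"")
    unsalted = [table[observed_prefix(encrypt(s, b"", body))] for s in (secret_a, secret_b)]
    # Salted: each session costs a fresh search over the whole secret space.
    salted = [brute_force(encrypt(s, salt, body), salt)
              for s, salt in ((secret_a, salt_a), (secret_b, salt_b))]
    return {
        "unsalted_recovered": unsalted,
        "unsalted_work": len(table),            # key schedules computed, paid once
        "salted_recovered": [s for s, _ in salted],
        "salted_work": [n for _, n in salted],  # key schedules per session
    }


if __name__ == "__main__":
    print(compare(0x0A5, 0x7C3, bytes(range(SALT_BYTES)), bytes(range(100, 100 + SALT_BYTES))))
```

Without a salt the 2^12 schedules are paid once and every later session costs one lookup; with a salt every session costs a search over the secret space again. Scaled up to the real sizes, that is the 2^40-entry table Tom prices at 2^48 bytes versus a 2^40 search per session, and in both cases the work never exceeds 2^40, which is why the 88 public bits add nothing to the brute-force cost.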
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Decrypted International Crypto inside the US
Date: Sun, 29 Aug 1999 14:45:28 GMT
In article <7qa8bn$r0v$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Matthew
Skala) wrote:
>In article <[EMAIL PROTECTED]>,
>JPeschel <[EMAIL PROTECTED]> wrote:
>>> Joe there are laws about sending encrypted messages out over the
>>>ham radio airways. Because I remember the Ham teacher saying it
>
>>Could it be that we are both just old? Does such a law still exist?
>
>Yes, it does (or at least, it did here in Canada at the time I took the
>exams, ~9 years ago, and I'm sure I'd have heard if there'd been a
>change). However, the law says you can't *transmit* in secret codes;
>nothing about reception of someone else's transmissions. In Canada, you
>are allowed to receive *anything*, although there are restrictions on how
>you're allowed to use the information if you intercept someone's private
>communications. Also, it's possible that they have amended that to forbid
>listening in on cell-phone conversations; I know some people who would
>like that, although personally I think it would be an abomination.
Then don't move to the US, which is rapidly becoming the home of
the slaves. Because it is illegal to listen to the cellular band. And
manufacturers are saddled with the impossible law that they are no
longer allowed to sell or make a radio that can even be "easily" modified
to hear in such bands. Any ham knows this is another ridiculous US
law that has no FUCKING meaning since ANY RADIO can be easily modified;
it is just a law with the dual purpose of punishing manufacturers that don't
walk the politically correct tightrope, and a law to take even more freedom
away from Americans. I personally think that I have a God-given right to
listen to any fucking radio waves that make it into my house and go
through my body. Yet the masses of Americans are asleep as we lose our
freedoms. I am not sure we will wake from our sleep until someone
realizes that the Soviet Union was a much freer society than what we
shall become.
>
>I always thought the rules against crypto in ham transmissions were to
>prevent people from using the ham bands for anything important; if you
>could use ham radio for private communication, then you could use it, for
>instance, to conduct business. Then a lot of people would want to do
>that, thereby crowding the real amateurs off the bands and hurting the
>telephone companies. This is also why hams are only allowed to transmit
>"third party traffic" in certain narrowly limited ways, and why they must
>put up with content restrictions much stricter than anything commercial
>broadcasters face.]
With the right spin any law could be made to sound good. Last night
they had this black Moslem who flatly stated, "I say unto you that if you find an
honest white man, kill him immediately so that he may enjoy the kingdom
of God. Because if you don't he will turn evil and go to hell." I wonder
what kind of laws this person could justify. I also wonder how close
our own government is to this logic; with the wonderful Clinton spin
doctors can we be that far away? Can one remember when the FBI
was actually HONEST? I talked with a Mexican the other day. He has
been following the changes in our country and is amazed. He stated
everyone in Mexico knows their system is corrupt and they have
made adjustments in their lives to accommodate that fact. But he said
they envied the US because its institutions like the FBI were honest.
He said the last few years have been a real eye opener. He says he
is saddened that the US is so corrupt. I tried to tell him it was not always
this way. I truly think it started when misdemeanors were changed
to infractions; this minor change in law has destroyed the constitution
and kids get exposed to a corrupt judicial system at a very early age
so they assume the whole system was corrupt. And it is like the
self-fulfilling prophecy. Enough believe it and we get the government
we deserve.
>
>This seems like another good opportunity to plug my free networking
>manifesto, at http://www.islandnet.com/~mskala/netfree.html . It talks
>about the ham band content restrictions a fair bit. It's not really about
>crypto, but every time I mention it here it gets a lot of hits afterwards,
>so someone's obviously finding it interesting.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************