Cryptography-Digest Digest #161, Volume #10 Thu, 2 Sep 99 11:13:03 EDT
Contents:
Schneier/Published Algorithms (Mixmaster)
RE: Members Only Key Exchange (Gary)
Re: THINK PEOPLE (Volker Hetzer)
Odp: THINK PEOPLE ("Bartek Z.")
Re: Ways to steal cookies in HTTP and HTTPS (isoma)
Re: I need an algorithm!!!! (Bob Silverman)
Re: Schneier/Published Algorithms ("Richard Parker")
Deniability ("Gideon, S.")
Re: Schneier/Published Algorithms (Volker Hetzer)
Re: SQ Announcement ("Kostadin Bajalcaliev")
Re: Schneier/Published Algorithms (SCOTT19U.ZIP_GUY)
Re: SIGABA / ECM Mark 2
Re: Implementing crypto algorithms in Fortran. (Roger Fleming)
Re: SQ Announcement ("Kostadin Bajalcaliev")
----------------------------------------------------------------------------
Date: Thu, 2 Sep 1999 01:12:47 -0700 (PDT)
From: Mixmaster <[EMAIL PROTECTED]>
Subject: Schneier/Published Algorithms
Hello Bruce
How is it possible that some of your published algorithms...Twofish have bugs in your
source code?
There are only two possible explanations for this:
1. A legitimate mistake was made...but no correction was ever published for it...or
have you published the correction on your site..
2. A deliberate bug was placed in your source code by some unknown person...
Which leads me to this point:
How can we in the crypto community EVER trust any published source code without
extensive testing and debugging... I wonder if you thought of this.
Are there any published TEST VECTORS for your algorithms...and possibly other
algorithms...which treat the algorithm as a black box...etc...do you know of any such
TEST VECTORS..
But please Bruce...explain to us how is it that there are bugs in your own published
algorithms...I did see some messages about this topic a few months back..and have you
made any corrections to them?
------------------------------
From: Gary <[EMAIL PROTECTED]>
Subject: RE: Members Only Key Exchange
Date: Thu, 2 Sep 1999 05:43:43 -0400
I suppose my real question is, is there a protocol that needn't use
conventional public key cryptography and authentication (RSA) for this
special case.
I.e., could a fast, CPU-instruction-friendly hash-based protocol be used?
Way ii) below, using a hash of hashes, is the rough (very rough) idea.
The key(s) would be sent 'securely' by voice or mail from the chair(wo)man.
Max members < 32000.
G.
>===== Original Message From Gary <[EMAIL PROTECTED]> =====
>A chair(wo)man of an Internet club wishes to issue members with keys that
>can be used in a key exchange system so that they can all communicate securely
>with each other.
>
>The chair(wo)man wants to have a secret primitive such that only (s)he can
>register new members.
>
>The only ways I could think of doing this was
>
>i)RSA like variant of Diffie Hellman.
>The modulus must be composite (like RSA).
>The chair(wo)man uses a secret primitive s and assigns the pair s^k (mod pq)
>and k to each member. The members can communicate in a DH manner without
>discovering the primitive.
>
>ii)Exponentiation of a Hash of a secret primitive.
>Each member is securely given the pair H^k(s) (secret primitive s hashed k
>times) and their name in a certain readable format. k is derived from a
>different smaller hash of the member's name etc.
>The member A sends their name to another member B. B hashes A's name using
>the different smaller Hash and raises their secret exponentiated Hash to this
>value. B sends their name to A who small hashes this and raises their secret
>exponentiated hash to the result. Both have the same secret key.
>
>I've probably made a mistake somewhere in this.
>
>Anyway there probably is an even easier way of doing this, please let me
>know if there is.
>
>Thanks
>Gary
>
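Way ii) above, worked through as an added example (my code, not Gary's): each member holds H^k(s) with k taken from a small hash of their name, and two members each hash their own credential the other's k more times, so both land on H^(k_A + k_B)(s). SHA-256 stands in for H, the "different smaller hash" is a domain-separated SHA-256 reduced modulo the 32000 member limit from the post, and the chair's secret is a constructed value; all three are assumptions. The last function is the check a practitioner would want before deploying this: hash chains are one-way only toward larger k, so a member whose k is smaller can hash forward to another member's credential, which means registering members is not a capability the chair alone holds.

```python
import hashlib

MAX_MEMBERS = 32000          # from the post: max members < 32000


def H(data: bytes) -> bytes:
    """The iterated hash H (assumption: SHA-256)."""
    return hashlib.sha256(data).digest()


def iterate_hash(value: bytes, times: int) -> bytes:
    """H^times(value): apply H repeatedly."""
    for _ in range(times):
        value = H(value)
    return value


def small_hash(name: str) -> int:
    """The 'different smaller hash' of a member's name, giving k in 1..MAX_MEMBERS.
    Assumption: a domain-separated SHA-256 reduced modulo the member limit."""
    digest = H(b"member-index:" + name.encode("utf-8"))
    return 1 + int.from_bytes(digest, "big") % MAX_MEMBERS


def issue_credential(chair_secret: bytes, name: str) -> bytes:
    """Chair's registration step: hand the member H^k(s) with k = small_hash(name)."""
    return iterate_hash(chair_secret, small_hash(name))


def shared_key(own_credential: bytes, peer_name: str) -> bytes:
    """Key agreement: hash own H^k_me(s) a further k_peer times, giving H^(k_me + k_peer)(s).
    Both sides reach the same value because iteration counts simply add."""
    return iterate_hash(own_credential, small_hash(peer_name))


def derive_peer_credential(own_credential: bytes, own_name: str, peer_name: str):
    """Insider check: H is one-way, but only backwards along the chain. A member whose
    k is not larger than the peer's can hash forward (k_peer - k_own) times and obtain
    the peer's credential, so registration is not a chair-only capability. Returns
    None when the peer's k is smaller (the chain cannot be walked backwards)."""
    k_own, k_peer = small_hash(own_name), small_hash(peer_name)
    if k_peer < k_own:
        return None
    return iterate_hash(own_credential, k_peer - k_own)


CHAIR_SECRET = b"constructed chair secret, not a real key"   # constructed sample value


if __name__ == "__main__":
    alice = issue_credential(CHAIR_SECRET, "alice")
    bob = issue_credential(CHAIR_SECRET, "bob")
    print("keys agree:", shared_key(alice, "bob") == shared_key(bob, "alice"))
    ka, kb = small_hash("alice"), small_hash("bob")
    low, high = ("alice", "bob") if ka <= kb else ("bob", "alice")
    creds = {"alice": alice, "bob": bob}
    print(f"{low} can reconstruct {high}'s credential:",
          derive_peer_credential(creds[low], low, high) == creds[high])
```

The agreement step works exactly as the post describes, and the exchanged names reveal nothing about s to an outsider; the weakness is entirely on the inside, because every credential on the chain sits above every credential with a smaller k.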
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: THINK PEOPLE
Date: Thu, 02 Sep 1999 12:17:39 +0200
SCOTT19U.ZIP_GUY wrote:
> The question that Bruce and Dave will not honestly answer is
> how safe is the information if coded with any of their AES methods
> or Blowfish or any other smelly fishy algorithm, using only the
> approved 3-letter chaining methods.
How would you determine that the answer is honest?
Especially if it doesn't fit with your expectation?
> They will not answer because they know the data is not safe by
> their methods.
> I have an
> open mind and will admit the errors of my ways. All you have
> to do is show me if you can.
Do those two sentences sound like a contradiction to you?
Greetings!
Volker
--
Hi! I'm a signature virus! Copy me into your signature file to help me spread!
------------------------------
From: "Bartek Z." <[EMAIL PROTECTED]>
Subject: Odp: THINK PEOPLE
Date: Thu, 02 Sep 1999 10:49:16 GMT
Geee... I have a strange feeling while reading Mr. SCOTT19... (whatever)
postings that I'm wasting my precious time. Don't you?
Shall sci.crypt be available for everyone? Aren't there any filters for such
boring and annoying people?
Regards,
Bartek
> It really amazes me how little thinking gets done in this group.
> It is as if there is a bunch of groupies waiting for the BS and David
> Wagner types to release some knowledge. Well it is not going
> to happen, that is not in their agenda. I have an open question
> that I doubt they have the honesty to answer in a fair way.
> They talk about my crypto as that of a weak amateur but even
> when they announce it is dead and someone actually looks into
> it they are wrong.
>
> People, here is an example that can not be done with the weak
> form of crypto these kinds of people and government want you
> to use.
>
> Take a message several thousand bytes long. Let's say
> you send this message to 3 people. You use the same encryption
> method for each person; you also use the same key. But near
> the middle of the message you have information that is unique
> to each of the 3 people. Other than that the information and
> files used are the same. And the key used was the same.
> Let's suppose the enemy, whoever that could be, gets
> 2 of the messages you sent to 2 of the people, including
> all the source code, the keys used and the plain text
> and encrypted files. Let's say they raid the third house
> and due to a screw-up do not get a copy of the third message
> decrypted. But they get all but the last 100 bytes of the
> encrypted message. They have the KEY and they know
> what 90%+ of the message is.
>
> The question that Bruce and Dave will not honestly answer is
> how safe is the information if coded with any of their AES methods
> or Blowfish or any other smelly fishy algorithm, using only the
> approved 3-letter chaining methods.
>
> They will not answer because they know the data is not safe by
> their methods. Because they want you to use methods that
> are easy to break. If scott16u or scott19u is used you're safe and
> if they had any honesty they would tell you.
>
> If I am wrong. Don't just scream and yell. Show me. I have an
> open mind and will admit the errors of my ways. All you have
> to do is show me if you can.
>
>
>
> David A. Scott
> --
> SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
> http://www.jim.com/jamesd/Kong/scott19u.zip
> http://members.xoom.com/ecil/index.htm
> NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (isoma)
Crossposted-To: comp.infosystems.www.misc,comp.security.misc
Subject: Re: Ways to steal cookies in HTTP and HTTPS
Date: Thu, 02 Sep 1999 11:50:53 GMT
Reply-To: isoma <[EMAIL PROTECTED]>
In article <[EMAIL PROTECTED]>, Robert S wrote:
>isoma wrote:
>>
><snip>
>> I don't understand how this is useful. The browser sends its cookie to
>> e-commerce.widgetstore.com - but what has a malicious user gained?
>
>Some cookies store not only preferences, but passwords (and usernames).
>However, even preferences could be dangerous in the wrong hands
>depending on what those preferences are. Would you be comfortable with
>your boss (or spouse) knowing that you have preferences for, say
>(example only) alt.binaries.sex.hamsters.ducttape?
My spouse could just look at my .newsrc...
>I have heard of, but not seen myself, that a few sites do (or used to)
>place credit card info in the cookies to save you from entering it
>again.
I understand that some sites use cookies to store sensitive information,
but not the mechanism by which a malicious site owner obtains it.
--
mailto:[EMAIL PROTECTED] - +44441089921 - Tim Bannister
http://www.jellybaby.net/~isoma/ - Spam? What spam? (pats procmail)
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: I need an algorithm!!!!
Date: Thu, 02 Sep 1999 12:49:10 GMT
In article <apkz3.1696$[EMAIL PROTECTED]>,
"Michaël Chassé" <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm a programming student and I really need a strong public/private key
> system algorithm that is unpatented and that does not use mod... Does someone
> have a suggestion for me? In case that doesn't exist, an algorithm other than
> Diffie/Hellman or RSA would be appreciated....
Does not exist. There is an alternative, but:
Elliptic Curves require too much math for you (and use finite fields,
so you can't avoid modular arithmetic with them either).
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
------------------------------
From: "Richard Parker" <[EMAIL PROTECTED]>
Subject: Re: Schneier/Published Algorithms
Date: Thu, 02 Sep 1999 12:10:10 GMT
Mixmaster <[EMAIL PROTECTED]> wrote:
> Are there any published TEST VECTORS for your algorithms...and possibly
> other Algorithms...which treat the algorithm as a black box...etc...do you
> know of any such TEST VECTORS..
Details regarding Bruce Schneier's encryption algorithms are at the
web site of his company (Counterpane). Information on the Blowfish
symmetric block cipher, the Twofish symmetric block cipher, and the
Solitaire stream cipher can be found at the following URLs:
<http://www.counterpane.com/blowfish.html>
<http://www.counterpane.com/twofish.html>
<http://www.counterpane.com/solitaire.html>
Blowfish test vectors are at:
<http://www.counterpane.com/vectors.txt>
<http://www.counterpane.com/vectors2.txt>
Twofish test vectors are at:
<http://www.counterpane.com/ecb_ival.txt>
Solitaire test vectors are at:
<http://www.counterpane.com/sol-test.txt>
-Richard
------------------------------
From: "Gideon, S." <[EMAIL PROTECTED]>
Subject: Deniability
Date: Thu, 2 Sep 1999 09:30:22 -0400
Does anyone know of publications regarding 'deniability' other than the IBM
article in Crypto '97?
G.S.
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Schneier/Published Algorithms
Date: Thu, 02 Sep 1999 15:04:36 +0200
Ruud de Rooij wrote:
>
> Mixmaster <[EMAIL PROTECTED]> writes:
>
> > Are there any published TEST VECTORS for your algorithms...and possibly other
> > Algorithms...which treat the algorithm as a black box...etc...do you know of any such
> > TEST VECTORS..
>
> The twofish paper available from www.counterpane.com contains test
> vectors, as required (I think) for AES submission.
And on Bruce's website you can find test vectors for Blowfish too.
And errata for his books. And links to implementations (which you can check
using the test vectors).
Greetings!
Volker
--
Hi! I'm a signature virus! Copy me into your signature file to help me spread!
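Mixmaster's question and the replies from Richard and Volker come down to the same practice: run the implementation as a black box against published vectors and compare. As an added example (my code, not Counterpane's and not from any poster), here is a from-scratch Solitaire implementation written to Schneier's published description, with a small checker that reads KEY= / PT= / CT= style vector lines and reports mismatches. The embedded vector is the published unkeyed-deck one, reproduced from memory rather than from this page: ten A's encrypt to EXKYIZSGEH, with keystream 4 49 10 (a joker, skipped) 24 8 51 44 6 4 33. An implementation that emits the joker as output, or counts a joker as 54 in the count cut, fails this vector, which is exactly the class of bug vectors exist to catch.

```python
"""Solitaire stream cipher plus a black-box test-vector check.

Added example for this thread (not Counterpane's code). The algorithm follows
Schneier's published description of Solitaire; the vector below is the
published unkeyed-deck vector as reproduced from memory, not from this page.
"""
import string

JOKER_A, JOKER_B = 53, 54          # jokers; both count as 53 in cuts and output


def _move_joker(deck, joker, steps):
    """Move a joker down `steps` places; from the bottom it wraps to just below the top card."""
    for _ in range(steps):
        i = deck.index(joker)
        if i == len(deck) - 1:
            deck.pop(i)
            deck.insert(1, joker)
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]


def _count_cut(deck, n):
    """Move the top n cards to just above the bottom card (bottom card stays put)."""
    return deck[n:-1] + deck[:n] + [deck[-1]]


def _mix(deck):
    """Steps 1-4 (joker moves, triple cut, count cut); returns a new deck."""
    deck = list(deck)
    _move_joker(deck, JOKER_A, 1)
    _move_joker(deck, JOKER_B, 2)
    j1, j2 = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    deck = deck[j2 + 1:] + deck[j1:j2 + 1] + deck[:j1]       # triple cut
    return _count_cut(deck, min(deck[-1], 53))               # joker on the bottom counts 53


def key_deck(passphrase=""):
    """Ordered deck, then one mix plus a count cut by letter value per passphrase letter."""
    deck = list(range(1, 55))
    for ch in passphrase.upper():
        if ch in string.ascii_uppercase:
            deck = _count_cut(_mix(deck), ord(ch) - 64)
    return deck


def keystream(deck, count):
    """Step 5: after each mix, read the top card's value and output the card that far down;
    a joker there gives no output and the round repeats (the published vector hits this)."""
    out = []
    while len(out) < count:
        deck = _mix(deck)
        card = deck[min(deck[0], 53)]
        if card not in (JOKER_A, JOKER_B):
            out.append(card)
    return out


def _letters(text):
    return [c for c in text.upper() if c in string.ascii_uppercase]


def encrypt(plaintext, passphrase=""):
    letters = _letters(plaintext)
    letters += ["X"] * (-len(letters) % 5)                    # pad to groups of five
    ks = keystream(key_deck(passphrase), len(letters))
    return "".join(chr((ord(p) - 65 + k) % 26 + 65) for p, k in zip(letters, ks))


def decrypt(ciphertext, passphrase=""):
    letters = _letters(ciphertext)
    ks = keystream(key_deck(passphrase), len(letters))
    return "".join(chr((ord(c) - 65 - k) % 26 + 65) for c, k in zip(letters, ks))


# Constructed vector file in the KEY= / PT= / CT= style of the AES-submission files.
SAMPLE_VECTORS = """\
KEY=
PT=AAAAAAAAAA
CT=EXKYIZSGEH
"""


def parse_vectors(text):
    """Group KEY/PT/CT lines into one dict per vector."""
    vectors, cur = [], {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            cur[name.strip()] = value.strip().replace(" ", "")
            if name.strip() == "CT":
                vectors.append(cur)
                cur = {}
    return vectors


def check_vectors(text):
    """Treat encrypt() as a black box: return (vector, got) for each mismatch."""
    failures = []
    for v in parse_vectors(text):
        got = encrypt(v["PT"], v["KEY"])
        if got != v["CT"]:
            failures.append((v, got))
    return failures


if __name__ == "__main__":
    print("unkeyed keystream:", keystream(key_deck(), 10))
    print("vector failures:", check_vectors(SAMPLE_VECTORS))
```

The checker never looks inside the cipher, which is the point Mixmaster was making: a vector file lets anyone validate a downloaded implementation without trusting its source, and a single mismatch is enough to reject it.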
------------------------------
From: "Kostadin Bajalcaliev" <[EMAIL PROTECTED]>
Subject: Re: SQ Announcement
Date: Thu, 2 Sep 1999 14:51:45 +0200
First of all EC-1,2,3,4,5,6 are (ExampleCiphers) just to illustrate the
solutions which are used in SQ and test the behavior of each of them. About
feeding the generator, if you have read the thesis you will find that all
EC-x are x[i]=F(x[i-1]); the previous output is taken as an input.
Your comments about the security of EC-1 are correct but as far as I remember
there is no claim that EC is secure in the form you have analyzed. Read the
thesis part about Information Loss theory.
I appreciate your comments, and I hope that you are going to analyze the
"real" generator SQ1 (in the source code it is V9.C); EC is only an example
that shows some interesting statistical properties and using Information
Loss theory it can be turned into a secure generator too. However please pay
attention to SQ1.
David Wagner wrote in message
<7qkpga$jqp$[EMAIL PROTECTED]>...
>Your ciphers are underspecified. For instance, in EC-1, what values do
>you feed into the input 'in'? Clearly you can't mean to use plaintext
>here, because the transformation is not reversible. Maybe you mean to
>drive it with a counter?
>
>In any case, the EC-1 cipher is not secure against chosen-input attacks.
>Let P_t denote the value of the P[] permutation at time t, and let
>P<<j denote the permutation given by (P<<j)[i] = P[i+j mod 256].
>
>Suppose we feed the cipher the sequence of inputs 255, 254, 253, ..., 0.
>I note that the cipher will produce the sequence of outputs
> P_1[X], P_0[X+2], P_1[X+2], P_0[X+4], P_1[X+4], P_0[X+6], ...
>The reason is that the even steps of the algorithm swap a pair of indices
>in P, then rotate P left; the odd steps undo the previous swap, and rotate
>left again.
>
>Thus we can recover the initial state of the P permutation from the first
>256 bytes of output (indeed, the keystream bytes are _precisely_ the contents
>of P_0 in order, except for one swap), and that breaks the algorithm.
>
>I recommend that you ought to do more security analysis of these ciphers
>before they will be ready for serious consideration.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Schneier/Published Algorithms
Date: Thu, 02 Sep 1999 14:33:13 GMT
In article <Wenz3.1$[EMAIL PROTECTED]>, Forrest Johnson
<[EMAIL PROTECTED]> wrote:
>In article <7qjcb8$26ui$[EMAIL PROTECTED]> SCOTT19U.ZIP_GUY,
>[EMAIL PROTECTED] writes:
>> I THINK THE QUESTION WAS TOO TECHNICAL FOR MR "BS" HIMSELF.
>>THE GUY ASKED FOR TEST VECTORS. SURELY YOU HAVE SOME
>>LIKE THE ONES I USE IN MY GLOAT CONTEST. THE KIND OF CONTEST
>>THAT YOUR WEAK METHOD COULD NOT RUN USING ANY OF YOUR
>>FAVORITE "FIPS" 3 LETTER CHAINING METHODS.
>>
>> THE GUY EVEN CAPITALIZED """"TEST VECTORS""" MORE THAN ONCE
>>BUT I GUESS YOUR BRAIN OVERLOOKED IT. MAYBE THE USE OF
>>CAPITAL LETTERS MADE IT TOO HARD TO READ. HOW THE HELL DO
>>YOU EXPECT HIM TO FIND THE ERRORS IF YOU CAN'T SEEM TO HAVE
>>THE ABILITY TO ANSWER A DIRECT QUESTION PUT TO YOU. DO YOU
>>HAVE """TEST VECTORS""" FOR THE GUY OR NOT???
>>
>> SURELY THE "nsa" COULD SUPPLY SOME THAT WOULD SATISFY EVERY
>>BODY OR ARE YOU TRYING TO HIDE CERTAIN FACTS. BECAUSE I SUSPECT
>>YOU CAN READ THE LETTER. AND THE LETTER PLAINLY ASKED FOR
>>
>>"""""""""" TEST VECTORS """"""""" HEY WAKE UP
>>
>Mr. Scott, I'm pleased to see that you are so passionate about people
>answering questions asked of them. Perhaps you would be so kind as to
>answer the questions I posed to you last week in several different posts.
For some reason people never seem to like my answers. Bruce just
was too lazy to answer the question that was repeated in the message.
His answer could have been "No, I don't want to give you a good set
of test vectors". That is an answer, probably not the one the guy wanted,
but it is an answer. He could have answered with a clever stalling answer
such as I have vectors somewhere and I will get them for you as soon
as I can (and then not bother). But I now realize he does not need to
answer since he might make a mistake and go out on a limb. If he
does not answer some of his groupies will tell the individual where
the test vectors are. That way it appears answered and he has to
say nothing and if the vectors are wrong or work with only specially
tuned versions of his code he can distance himself from any future
comment since he did not supply the test vectors.
>
>In case you've forgotten, you made a claim that you had changed software
>in fielded weapons systems. I asked you to identify which systems these
>were.
Wrong again; you use the word "fielded". I stated I worked on literally
everything the Navy flew or flies.
>Given your excoriation of Mr. Schneier, I'm sure you are now eager to
>avoid the "cast the first stone" stigma.
Wrong again, he cast the first stone so there is nothing to avoid.
>
>I did ask quite a few questions, so I might have overwhelmed you. I'll
>start with one or two easy ones this time and we can go from there:
>
>1) Did you change software in a fielded weapons system, yes or no?
>2) If yes, what weapons system was it?
>
>TIA
The answer to both questions is if the Navy flew and had trouble I most
likely worked on it to fix the problems. If this doesn't sit well with you tough
shit. I don't have to play by your rules. I don't have to kiss your ass and
things are not always black and white. My question to you is why do companies
like yours seem to give the government such poor quality work for the dollar.
I never understood why it seemed to be OK that subcontractors could pretend to
do something at great expense and then do it wrong. Where I worked the workers
always felt that companies do the work wrong on purpose so that they can bid
another contract to suck more money out of the system. We felt like the
companies had no real incentive to do the work correctly since they get more
contracts if they do it bad. Yes I remember your company. But I was wondering
was it just that companies send their worst people to work on gov projects
or is it just that good people don't work for defense contractors. This is
what it seemed like from the place I worked. But maybe you can enlighten us
on the motivations of your company and put the current PR spin on it. Don't
worry my kind of programmer no longer works for the Navy. At the time I was
hired they wanted talented people with very good grades in technical subjects
that would get the job done. If you weren't in the top 10% of your graduating
class you could not get in. Today it is not that way. One does not need a
technical degree to work on such systems it is more important to make sure
your working group is the right quota. Chinese are among the best since they
let your groups have racial points and they act as if they follow orders and
are very bright. Of course they are always talking Chinese together so one
never really knows what the hell they are saying. But they never raise
questions since they blend in so quietly and the government likes quiet
people that appear to not rock the system or ask questions like me. Yes near
the end of my career I pointed out mistakes in the system. What does it get
you. More PISS tests for Uncle Sam since if you question something you might
be a spy. How dumb can these security people be. The spies are quiet and blend
in you fools. But don't worry maybe China will send our weapons back. If
we're lucky maybe they promised Clinton not to nuke us for a few years so he
can enjoy his life.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: SIGABA / ECM Mark 2
Date: 2 Sep 99 14:04:56 GMT
JTong1995 ([EMAIL PROTECTED]) wrote:
: Does anyone know of an accurate computer simulation of the ECM Mark 2? I've
: seen several Enigma implementations, but not a SIGABA.
The only one I know of is the one in Java on the Pampanito web site,
accessible from
http://www.maritime.org/ecm2.shtml
John Savard
------------------------------
From: [EMAIL PROTECTED] (Roger Fleming)
Subject: Re: Implementing crypto algorithms in Fortran.
Date: Thu, 02 Sep 1999 13:29:56 GMT
[EMAIL PROTECTED] (Paul Rubin) wrote:[...]
>There is a Fortran implementation of DES in the first (but not the
>second) edition of "Numerical Recipes", by Press, Teukolsky et al.
However this implementation is horribly, horribly inefficient.
------------------------------
From: "Kostadin Bajalcaliev" <[EMAIL PROTECTED]>
Subject: Re: SQ Announcement
Date: Thu, 2 Sep 1999 14:34:59 +0200
First of all EC-1,2,3,4,5,6 are (ExampleCiphers) just to illustrate the
solutions which are used in SQ and test the behavior of each of them. About
feeding the generator, if you have read the thesis you will find that all
EC-x are x[i]=F(x[i-1]); the previous output is taken as an input.
Your comments about the security of EC-1 are correct but as far as I remember
there is no claim that EC is secure in the form you have analyzed. Read the
thesis part about Information Loss theory.
I appreciate your comments, and I hope that you are going to analyze the
"real" generator SQ1 (in the source code it is V9.C); EC is only an example
that shows some interesting statistical properties and using Information
Loss theory it can be turned into a secure generator too. However please pay
attention to SQ1.
David Wagner wrote in message
<7qkpga$jqp$[EMAIL PROTECTED]>...
>Your ciphers are underspecified. For instance, in EC-1, what values do
>you feed into the input 'in'? Clearly you can't mean to use plaintext
>here, because the transformation is not reversible. Maybe you mean to
>drive it with a counter?
>
>In any case, the EC-1 cipher is not secure against chosen-input attacks.
>Let P_t denote the value of the P[] permutation at time t, and let
>P<<j denote the permutation given by (P<<j)[i] = P[i+j mod 256].
>
>Suppose we feed the cipher the sequence of inputs 255, 254, 253, ..., 0.
>I note that the cipher will produce the sequence of outputs
> P_1[X], P_0[X+2], P_1[X+2], P_0[X+4], P_1[X+4], P_0[X+6], ...
>The reason is that the even steps of the algorithm swap a pair of indices
>in P, then rotate P left; the odd steps undo the previous swap, and rotate
>left again.
>
>Thus we can recover the initial state of the P permutation from the first
>256 bytes of output (indeed, the keystream bytes are _precisely_ the contents
>of P_0 in order, except for one swap), and that breaks the algorithm.
>
>I recommend that you ought to do more security analysis of these ciphers
>before they will be ready for serious consideration.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************