Cryptography-Digest Digest #184, Volume #10       Sun, 5 Sep 99 20:13:03 EDT

Contents:
  Re: Alleged NSA backdoor in Windows CryptoAPI (Michael J. Fromberger)
  Re: NSA and MS windows (David Wagner)
  Re: Different Encryption Algorithms ("entropy")
  Quantum computing bit in UK computing magazine. (David Hamilton)
  visit my side (Rene Stender)
  Re: NSA and MS windows (David Wagner)
  Re: Quantum computing bit in UK computing magazine.
  Re: 512 bit number factored (Robert Harley)
  Re: RSA the company (David A Molnar)
  Re: Schneier/Published Algorithms (Eric Lee Green)
  Re: Schneier/Published Algorithms (Anne & Lynn Wheeler)
  Re: point of a cipher
  Re: RSA the company (Bill Unruh)
  Re: Some law informations... (Withheld)
  Re: Pincodes (Walter Hofmann)
  Re: Quantum computing bit in UK computing magazine. (Bill Unruh)
  Re: DES cfb stream cypher and "whitening" or initialization (Scott Fluhrer)

----------------------------------------------------------------------------

From: Michael J. Fromberger <[EMAIL PROTECTED]>
Subject: Re: Alleged NSA backdoor in Windows CryptoAPI
Date: 5 Sep 1999 19:29:18 GMT

In <[EMAIL PROTECTED]> "Trevor Jackson, III" <[EMAIL PROTECTED]> writes:
>
>Bruce Schneier wrote:
>>
>> My guess is that it is really a backup key, and that Microsoft gave
>> NSA a copy of it for their own internal use (as Don suggests).
>
> Why are we guessing?  Is this issue not worthy of a credible
> explanation?
>
> (I started to say "official" explanation, but considering the likely
> sources nothing official is likely to be credible).

In all probability, the spin doctors at Microsoft are monitoring what
people are posting around the Internet, to see what kind of damage
control they're going to have to deal with.  No point in coming out
with a response, before they have some idea what they need to respond
to.  Microsoft may be evil, but they're not entirely stupid...which is
actually worse, when you think about it.

-M

-- 
Michael J. Fromberger    Software Engineer, Thayer School of Engineering
  sting <at> linguist.dartmouth.edu   http://www.dartmouth.edu/~sting/
opsPb5hoXbcgjoFmw25NPlvPZ3Ydwuwxtl/kgF5iwWz2u0jE6dFrQLbNlSawselanRxZTKNI
    Remove clothing if you wish to reply to this message via e-mail.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: NSA and MS windows
Date: 5 Sep 1999 13:00:27 -0700

In article <7qsu7i$[EMAIL PROTECTED]>,
Roger Schlafly <[EMAIL PROTECTED]> wrote:
> Likewise, in the view of many, MS and NSA have too much
> power, are too secretive, and are not leveling with us.

Fine.  You're saying the "_NSAKEY" is just a symptom of an underlying
problem (namely, that MS uses closed source for security-critical projects).
Of course, this is a problem we've known about for a long time, and it's
hardly the first time we've seen a conspicuous symptom of the problem.

But regardless: If it's just a symptom, why are there huge headlines
reporting that, thanks to the "_NSAKEY", the NSA may be able to spy on
every Windows machine in the world?  If it is indeed just yet another
symptom of the problem, then all those reports are misleading, deceptive,
and overblown.

------------------------------

From: "entropy" <[EMAIL PROTECTED]>
Subject: Re: Different Encryption Algorithms
Date: Sun, 5 Sep 1999 16:21:46 -0400

thanks for the link.  I'll check out the book next time I'm at B&N :-)

--

a.


:::entropy:::
ktheory.com
entropy <[EMAIL PROTECTED]> wrote in message
news:DIUz3.4886$[EMAIL PROTECTED]...
> I'm doing a high school research paper on different encryption algorithms,
> such as CAST, IDEA, blowfish, RCx, DES, etc.   Could anyone point me to
> informative web sites pertaining to the differences between these encryption
> methods?
>
> Thank you.
>
> --
>
> a.
>
>
> :::entropy:::
> ktheory.com
>
>
>
>



------------------------------

From: [EMAIL PROTECTED] (David Hamilton)
Subject: Quantum computing bit in UK computing magazine.
Date: Sun, 05 Sep 1999 20:24:25 GMT

=====BEGIN PGP SIGNED MESSAGE=====

The October 1999 issue (just published) of the UK computing magazine called
'PC Plus' has on page 14 a small piece called 'The Quantum State'. Part of it
says

START QUOTE
'The ramifications for computing are enormous. Boolean logic takes a back
seat to so-called quantum algorithms which, because on and off states exist
at the same time, are able to process all potential strings in a given series
of bits. Only on the read-out of the result (the observation) does the string
have a specific value.
One application of this is in the decryption of encrypted data. Using current
Boolean methods on a supercomputer, a 200-bit encrypted message would take a
trillion years to decrypt. However, only a small quantum computer would be
needed to break the same code in less than an hour.'
END QUOTE

Now, what I know about quantum computing (QC) can be written on a couple of
bits but surely this last sentence is wrong. I thought that public key
encryption would be doomed against 'genuine' QC but that symmetric key (and
the writer must be talking about symmetric keys when referring to 200 bits)
effectiveness against QC was reduced to about half the length. In other
words, a 128 bit key against QC would be the 'same' strength as a 64 bit key
against traditional computing. Or, using the writer's example, a 200 bit key
against QC is the same strength as a 100 bit key against traditional
computing - still very strong.

Mind you, the same writer, in a subsequent article on key escrow, mixes up
public and private keys - so perhaps he is wrong above as well.

Next month's issue of the magazine will have an interview with a NEC
researcher on the theory, benefits and future research into QC. Might be
worth reading.

Any obs, further information, corrections to what I've written above are most
welcome.

 
David Hamilton.  Only I give the right to read what I write and PGP allows me
                           to make that choice. Use PGP now.
I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use. Do use:-
2048bit rsa ID=0xFA412179  Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
Both keys dated 1998/04/08 with sole UserID=<[EMAIL PROTECTED]>
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
Comment: Signed with 2048 bit RSA key

iQEVAwUBN9LPz8o1RmX6QSF5AQGwbAf+PNcbezFuaO4tZIdkpA5g2CYynO0Ax9uN
igEW+Lca25fwmDIpNIQ6BR4lMvvjq+HiDuzmUsHnsmuZEPHUUCO1XApKR+vEQa1A
T0Ul8bH/TUyIuSqdRptQ46KuLPJkvhYFARM/pnNcKypd3bvwu7VryTtE8N9uhi7S
i2rEcv4XbbcZhrKwee5d1RRB4MEpSUW9tVFCAzCGgSazPAveLGC0a2hcuaii/wSH
PeJaHhKIufNk5+B9VyAVBodyfK1OEp7vjxURtAdaygK39LURJ0bLKqN5bzNt5Xul
VcsnPeC3t12bwdz81eGdM1w8zLkOEPnFYf1J9Ty4JHtP12JNPWWb6g==
=5MpD
=====END PGP SIGNATURE=====

------------------------------

From: Rene Stender <[EMAIL PROTECTED]>
Crossposted-To: rec.woodworking,sci.archaeology,sci.astro,sci.econ,sci.environment,sci.lang,sci.math,sci.physics,sci.skeptic
Subject: visit my side
Date: Sun, 05 Sep 1999 22:04:48 +0200
Reply-To: [EMAIL PROTECTED]

http://www.gwdg.de/~rstende1



------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: NSA and MS windows
Date: 5 Sep 1999 12:55:11 -0700

In article <7qssrm$hb8$[EMAIL PROTECTED]>,
Bill Unruh <[EMAIL PROTECTED]> wrote:
> The key point is that users
> are being forced to trust someone else when using something whose
> purpose is precisely to protect against betrayal of trust.

That's always been true.  The "_NSAKEY" key changes nothing in this regard.
So why is it front-page news?  Answer: (largely) hype and FUD.

> I do not think you understand cryptography.

No, not nearly as well as I'd like to...

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: Quantum computing bit in UK computing magazine.
Date: 5 Sep 99 21:24:17 GMT

David Hamilton ([EMAIL PROTECTED]) wrote:
: I thought that public key
: encryption would be doomed against 'genuine' QC but that symmetric key (and
: the writer must be talking about symmetric keys when referring to 200 bits)
: effectiveness against QC was reduced to about half the length.

Since symmetric algorithms are complex and messy, they may not "fit" in a
quantum computer, but the basic principle of a quantum computer - perform
a computation simultaneously for all values of X, then hang, and report
the value of X, when that computation produces Y=0, certainly can allow a
computer to try all possible values of a key simultaneously, and report
success when the expected plaintext block is recovered, for a symmetric
algorithm too.

Thus, what was stated is consistent with a simple presentation of quantum
computing. A more detailed one might well conclude that most symmetric
algorithms are too complex to be threatened by anything on the horizon,
but that isn't entirely certain.

John Savard

------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: 512 bit number factored
Date: 05 Sep 1999 15:34:15 +0200


Bob Silverman <[EMAIL PROTECTED]> writes:
> No.  They can't.

and then goes into detail saying in essence, "yes they can but not
much, as far as I can see right now".

The former assertion is false.  The latter I have no quarrel with.

Bye,
  Rob.

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: RSA the company
Date: 5 Sep 1999 21:58:36 GMT

Roger Schlafly <[EMAIL PROTECTED]> wrote:
> They never had an exclusive license agreement on the patent.
> Many others have licenses by now. Recent attempts to enforce
> the patent in court have been dismissed. The patent expires
> in one year anyway.

Would it be out of place to plan a party for September 20 ?





------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Schneier/Published Algorithms
Date: Sun, 05 Sep 1999 15:12:05 -0700

Anonymous wrote:
> Mr Eric Lee Green...stop lecturing us from your Ivory Tower...

Sorry Mr. Soumynona. It's an occupational hazard that typically afflicts
former math teachers (grin). 

> you probably have never written a computer program in your life. Maybe read a few 
>books...

http://members.tripod.com/e_l_green

I've been a professional computer programmer since 1985, when the first
product I worked on was released by Bayou Telecommunications, though
I've been programming since 1981 (my first platform was a TRS-80 Model
I, the second, in early 1982, was a Honeywell Multics Level 68, some day
I'll have to tell you how I circumvented the limits of the ReadCode
project by using IPC to copy data to a process running as a batch
process under a project ID with tape drive and printer access). Since
then I've also been a major contributor to products by Drilling
Measurement Inc., Executive Consultants and I am currently part of the
team working on next-generation products at Enhanced Software
Technologies Inc (my license manager will be in version 15.2 of BRU, but
that was a side project, the real project I'm working on can probably be
guessed at by looking at my inquiries on this newsgroup but I'll leave
that exercise to you). I note that you don't list your particular
qualifications. 

> But I insist on having my question ANSWERED...Please Bruce Schneier:
> 
> Is this code for 2Fish on your Site...a commercial grade product or is it just
> a piece of semi tested code for 2fish.  What is it exactly ?

It is example code for the AES competition. It is expected that there
will be several implementations of Twofish, the entire algorithm can be
re-coded from scratch from the specifications alone fairly easily by
anybody familiar with ciphers (there is a gentleman in Great Britain who
has already done so for Twofish). You can also get further example code
in Java by ordering the AES disk, when it is available. 
 
> As I asked in my last posting..if I wanted to develop a commercial apps using 2fish..
> 
> What do I use?  The code on your site...or is there ANOTHER DEAL.....???
 
Bruce will have to answer that question. I would assume that he will
eventually release it as part of his crypto toolkit if it is adopted as
the AES standard. I will also note that at least one independent
re-implementation already exists (in England), so presumably other
vendors of crypto toolkits will have no problem adding it to their own
arsenals. This is similar to 'blowfish', e.g. the SSH folks in Finland
use their own implementation of 'blowfish' for their commercial product
sold via DataFellows here in the U.S. 

> Please Answer my Question...And as a pro programmer..I would not consider this stuff
> on your website to be a robust commercial grade cipher...

How is it not a robust commercial grade cipher? I will say that the code
as released by Bruce certainly isn't a commercial grade cipher PRODUCT,
i.e., in shrink-wrap box along with other necessary cryptographic
products needed to create a complete cryptographic system, but that is
not the intent of that particular chunk of code. It is certainly good
enough code for a PROFESSIONAL programmer (as versus an anonymous
wannabe) to use it to implement Twofish as part of his own cryptographic
system. 

-- 
Eric Lee Green    http://members.tripod.com/e_l_green
  mail: [EMAIL PROTECTED]
                    ^^^^^^^    Burdening Microsoft with SPAM!

------------------------------

Subject: Re: Schneier/Published Algorithms
Reply-To: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
Date: Sun, 05 Sep 1999 22:22:30 GMT


as i've possibly mentioned before ... the charter given the X9A10
working group for X9.59 (standard for all account-based payments,
credit, debit, ACH, check, ATM, etc) was to preserve the integrity of
the financial infrastructure with only a digital signature
(independent of privacy issues)


Eric Lee Green <[EMAIL PROTECTED]> writes:
> I'm primarily interested in encryption as a mechanism for protecting
> financial data from criminals, not as a political statement. In my

-- 
Anne & Lynn Wheeler   | [EMAIL PROTECTED], [EMAIL PROTECTED]
 http://www.garlic.com/~lynn/ http://www.adcomsys.net/lynn/

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: point of a cipher
Date: 5 Sep 99 21:31:42 GMT

Tom St Denis ([EMAIL PROTECTED]) wrote:
: The thing is you can still brute force his method.  I can try a key, then
: decompress and test for ASCII.... not that hard.

That's a good point.

: My point is that his
: compression SHOULD NOT be a factor in considering the security of the system,
: only as a bandwidth optimization.

You're basing that conclusion on an argument which, correctly, notes that
compression doesn't increase the security of a cipher system against a
_known plaintext_ attack.

However, compression does increase security against a ciphertext-only
attack.

Since both kinds of attacks are possible, that does not seem to imply to
me that compression is irrelevant to security.

Of course, since a known plaintext attack is easier than a ciphertext-only
attack, when *rating* the security of a system one wants to assess its
vulnerability in the worst case. Perhaps this is what you mean, but then
you should distinguish between what doesn't affect worst-case security and
what does not benefit security in any case.

John Savard

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: RSA the company
Date: 5 Sep 1999 23:12:35 GMT

In <7qui9r$[EMAIL PROTECTED]> "Roger Schlafly" <[EMAIL PROTECTED]> writes:

>Bill Unruh wrote in message <7qug04$a6a$[EMAIL PROTECTED]>...
>>Did they retain the exclusive license agreement with respect to MIT's
>>patent on RSA? Did that agreement survive the buy out?

>They never had an exclusive license agreement on the patent.
>Many others have licenses by now. Recent attempts to enforce
>the patent in court have been dismissed. The patent expires
>in one year anyway.

As I understood it, MIT and RSA had an agreement where RSA would be the
exclusive licensing agent for the patent. I also got this impression
talking to some of the people at MIT. Ie, RSA would be the sole entity
to offer licenses for that patent.

What are these recent attempts to enforce the patent? I have not heard
of them? Are you implying that the patent is invalid and that anyone can
use RSA in the USA without a license from the patent holder or their
agent?




------------------------------

From: Withheld <[EMAIL PROTECTED]>
Subject: Re: Some law informations...
Date: Sun, 5 Sep 1999 23:11:55 +0100
Reply-To: Withheld <[EMAIL PROTECTED]>

In article <xzwA3.5602$[EMAIL PROTECTED]>, Michaël
Chassé <[EMAIL PROTECTED]> writes
>Hi,
>
>    I'm living in Canada and I'd like to know if I can export a relatively
>strong encryption program ( more than 256 bits). My program will be in the
>public domain.
>
>Thanks
>
>Michaël Chassé
>Québec, Canada
>
For a question like this you'd be better off talking to a professional,
qualified lawyer. 

Personally I wouldn't trust my legal freedoms to faceless people on the
Net, who may or may not know anything about the subject!

-jhn


>

-- 
Return address removed for anti-spam purposes.
Email replies to news at maelstrom dot demon dot co dot uk
Email replies to this address may be copied to relevant newsgroups

------------------------------

From: Walter Hofmann <[EMAIL PROTECTED]>
Subject: Re: Pincodes
Date: Sun, 5 Sep 1999 17:16:07 +0200

Daniel James <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>, Walter 
> Hofmann wrote:
>> Even better: Don't store the PIN anywhere, not even encrypted. Make
>> the PIN a function of the card data:
>> 
>> PIN = Crypt(Key, Hash(Account-No, Expiry-Date, ...))  (mod 10**n)
>> 
>> This would also prevent the user from changing the expiry date on
>> the magnetic stripe.
>>
> 
> It would also prevent the user from changing their PIN and would 

Good. This prevents PINs like 1234.

> require that a new PIN be issued whenever a new card was issued.

Fine. Regularly changing a password is a good security practice.
 
Walter
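As an added worked example (not code from Walter's or Daniel's posts), here is the derivation quoted above, PIN = Crypt(Key, Hash(Account-No, Expiry-Date)) mod 10**n, with HMAC-SHA256 standing in for the keyed Crypt(Key, Hash(...)) step. Only the two card fields the post names explicitly are included; the issuer key and the sample card data are constructed values for the demo.

```python
import hashlib
import hmac

# Constructed issuer key for the demo (assumption: a real issuer keeps this in an HSM,
# because anyone holding it can derive every cardholder's PIN).
ISSUER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def _encode_card_fields(account_no: str, expiry: str) -> bytes:
    """Length-prefix each field so that different (account, expiry) pairs cannot
    collide under plain concatenation (e.g. '123'+'45' vs '1234'+'5')."""
    out = b""
    for field in (account_no, expiry):
        data = field.encode("ascii")
        out += len(data).to_bytes(2, "big") + data
    return out


def derive_pin(key: bytes, account_no: str, expiry: str, pin_length: int = 4) -> str:
    """PIN = Crypt(Key, Hash(Account-No, Expiry-Date)) mod 10**n.

    HMAC-SHA256 plays the role of the keyed Crypt(Key, Hash(...)) step: without the
    issuer key the output is unpredictable, and changing any input field (such as
    the expiry date on the stripe) changes the PIN the card must be used with."""
    digest = hmac.new(key, _encode_card_fields(account_no, expiry), hashlib.sha256).digest()
    # Reduce the 256-bit value mod 10**n; the bias from 2**256 not being a multiple
    # of 10**n is negligible for any practical PIN length.
    value = int.from_bytes(digest, "big") % (10 ** pin_length)
    return str(value).zfill(pin_length)  # keep leading zeros, e.g. "0042"


def verify_pin(key: bytes, account_no: str, expiry: str, candidate: str) -> bool:
    """Recompute the PIN from the card data and compare in constant time."""
    if not candidate.isdigit():
        return False
    expected = derive_pin(key, account_no, expiry, len(candidate))
    return hmac.compare_digest(expected.encode("ascii"), candidate.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample card data.
    pin = derive_pin(ISSUER_KEY, "4111111111111111", "12/99")
    print("PIN for card:", pin)
    print("correct PIN verifies:", verify_pin(ISSUER_KEY, "4111111111111111", "12/99", pin))
    # A card whose expiry date on the stripe was altered derives a different PIN,
    # so the PIN issued with the original card no longer verifies against it.
    print("old PIN with altered expiry:", verify_pin(ISSUER_KEY, "4111111111111111", "12/00", pin))
```

Nothing about the cardholder is stored on the verifying side except the issuer key, which is exactly the point of the post; the flip side is that the key becomes the single secret protecting every PIN, so it belongs in tamper-resistant hardware and the comparison is done in constant time to avoid leaking digits through timing.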


------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Quantum computing bit in UK computing magazine.
Date: 5 Sep 1999 23:23:39 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] () writes:

>Since symmetric algorithms are complex and messy, they may not "fit" in a
>quantum computer, but the basic principle of a quantum computer - perform
>a computation simultaneously for all values of X, then hang, and report
>the value of X, when that computation produces Y=0, certainly can allow a
>computer to try all possible values of a key simultaneously, and report
>success when the expected plaintext block is recovered, for a symmetric
>algorithm too.

Sorry, but no. The statement that quantum computers try all possible
values is true only in a very weird sense. They perform a computation on
a single input state which, if viewed in a certain way, can be regarded
as a superposition of a bunch of input states. However, that is a useless
way of viewing it unless some observation of the single output state
can be made which will give the desired answer. Very very very few
problems have been found which fit the latter requirement-- essentially
only factoring or discrete logs (Shor's original algorithm). In addition
Grover found a search algorithm which is reputed to decrease a search
time by a factor of a square root. However, such an algorithm is
polynomially the same as the original speed, and two things which differ
only polynomially are suspect as to whether one is faster than the other
or not. It depends crucially on the implementation, and other features of
the computer and the algorithm. But even if we take the Grover algorithm
at face value, then it is still only a square root speed up-- or a
speedup equivalent to halving the key. 

One of the key problems with quantum computing has been that the number
of problems for which it is an answer has still managed to remain very
very small.


------------------------------

From: Scott Fluhrer <[EMAIL PROTECTED]>
Subject: Re: DES cfb stream cypher and "whitening" or initialization
Date: Sun, 05 Sep 1999 23:47:45 GMT

In article <7qtks1$pog$[EMAIL PROTECTED]>,
        Tom St Denis <[EMAIL PROTECTED]> wrote:

>In article <7qstef$[EMAIL PROTECTED]>,
>  Scott Fluhrer <[EMAIL PROTECTED]> wrote:
>> In article <7qsl65$5fs$[EMAIL PROTECTED]>,
>>      Tom St Denis <[EMAIL PROTECTED]> wrote:
>>
>> >Otherwise... DROP DES.      Use RC4 if you need a good stream cipher (or just
>> >make up some Algorithm M clone).  RC4 is about 20 times faster, more compact
>> >and easier to get RIGHT.  It's also not yet vulnerable to any known attack.
>> >
>> Actually, it is.  [Snip description of bit-flipping attack]
>
>This will work only if you are not smart enough to sign the message.

True, but it is a counterexample of "RC4 not being vulnerable to any known
attack".  And, adding HMAC (or another good authentication algorithm) means
you are not relying on RC4 alone, and it also means you are no longer
"20 times faster" than DES (actually, when I tested it, it came out closer
to 10 times as fast).

>
>If you RC4 encrypt a hash there is no way to guess what the hash could have
>been unless you recovered the entire message.
>
>In that case why not use CBC or something?
>
Huh???  I'm sorry, but you lost me there.  What were you trying to say?

-- 
poncho
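As an added example (not code from Scott's or Tom's posts), the exchange above in runnable form: a minimal RC4 (the standard KSA/PRGA) shows why a stream cipher on its own is malleable, since XORing a mask into a ciphertext byte lands the same mask on the decrypted byte, and the encrypt-then-HMAC wrapper shows the check that rejects the altered ciphertext before it is ever decrypted. HMAC-SHA256 stands in for "HMAC (or another good authentication algorithm)"; the MAC key is a constructed value, and the key/plaintext pair "Key"/"Plaintext" is the commonly published RC4 test vector.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def xor_byte(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Change one ciphertext byte. Because the cipher is a plain XOR, the same
    mask appears on the corresponding plaintext byte after decryption; this is
    the malleability the thread's 'bit-flipping attack' refers to, and the
    reason the ciphertext has to be authenticated."""
    buf = bytearray(ciphertext)
    buf[offset] ^= mask
    return bytes(buf)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: tag the ciphertext so any change is detected before decryption."""
    ct = rc4_crypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes):
    """Return the plaintext, or None if the HMAC does not verify (constant-time compare)."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return rc4_crypt(enc_key, ct)


if __name__ == "__main__":
    enc_key, mac_key = b"Key", b"constructed-mac-key"   # constructed demo keys
    msg = b"Plaintext"
    ct = rc4_crypt(enc_key, msg)
    # Unauthenticated: a changed ciphertext decrypts to a predictably changed message.
    print("tampered, no MAC:", rc4_crypt(enc_key, xor_byte(ct, 0, 0x20)))
    # Authenticated: the same change is rejected and nothing is decrypted.
    sealed = seal(enc_key, mac_key, msg)
    print("intact, with MAC:", open_sealed(enc_key, mac_key, sealed))
    print("tampered, with MAC:", open_sealed(enc_key, mac_key, xor_byte(sealed, 0, 0x20)))
```

The MAC is computed over the ciphertext and checked before decryption, so a modified message is dropped without the receiver acting on any of its bytes; this is also why, as Scott notes, the system is no longer "RC4 alone" and no longer enjoys RC4's raw speed advantage.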

 

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
