Cryptography-Digest Digest #187, Volume #10       Mon, 6 Sep 99 08:13:02 EDT

Contents:
  Re: point of a cipher ("Richard Parker")
  Re: point of a cipher (Peter Szkiela)
  Re: _NSAKey ("Douglas A. Gwyn")
  Re: SQ Announcement ("Douglas A. Gwyn")
  Re: _NSAKey ("Douglas A. Gwyn")
  Re: point of a cipher (JPeschel)
  Re: Mystery inc. (David A Molnar)
  Re: Schneier/Published Algorithms (Ralf Stephan)
  Re: Pincodes (Daniel James)
  Re: 512 bit number factored (Robert Harley)
  Re: WT Shaw temporarily sidelined (James Andrews)
  hash function ? (Stefan Hetzl)
  Re: NSA and MS windows (Red_Blue)
  Re: Pincodes (Daniel James)
  Re: NSA and MS windows (pbboy)
  Info on old cryptography systems (John)
  Re: _NSAKey (Stephan Eisvogel)

----------------------------------------------------------------------------

From: "Richard Parker" <[EMAIL PROTECTED]>
Subject: Re: point of a cipher
Date: Mon, 06 Sep 1999 06:04:55 GMT

[EMAIL PROTECTED] (David Wagner) wrote:
> Richard Parker <[EMAIL PROTECTED]> wrote:
>> David Scott is using "w-pcbc" as an all-or-nothing transform (AONT).
>
> I disagree.  An AONT transform is unkeyed, and does not itself provide
> confidentiality.  Rather, David Scott is using "w-pcbc" as a block cipher
> structure (think of it as an alternative to the Feistel structure).

You are right, my use of terminology was lax.  Since I tend to think
of an AONT as separate from encryption I described Scott's cipher in
that fashion.  I should have said that David Scott uses the "w-pcbc"
construction to form a variable-length block cipher that appears to
share the same all-or-nothing property as an AONT.

-Richard

------------------------------

From: Peter Szkiela <[EMAIL PROTECTED]>
Subject: Re: point of a cipher
Date: Mon, 06 Sep 1999 06:12:44 GMT


> has no hooks. I feel my compression is one such way. Suppose you use
> RC4. The NSA or the CHINESE my have an easy break based from years
> of computer analysiss of ascii text messages written in English or French
> or whatever. IF you compress with my method especailly both directions
> those years of analysis that may solve the problem for text go down the
> tiolet hopefully.
...snip...
>                     NOTE EMAIL address is for SPAMERS

Well, if they have spent years analysing ASCII text messages written in
English, at least we know your postings are gonna confuse the hell out
of them ;)

Pete 8)

P.S. It's been bugging me for ages, I have to point out to
you, "SPAMERS" is actually spelt "SPAMMERS".

--

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: _NSAKey
Date: Mon, 06 Sep 1999 06:21:23 GMT

JPeschel wrote:
> Well, here's a disassembly of AdvApi32.DLL for everyone's amusement:
> http://www.ccc.de/CRD/CRD19990903.html

Unfortunately, it doesn't show enough context to be sure.
What it does show is that _NSAKey is tried only after _Key
fails to authenticate.  So _NSAKey's function is as a
backup key.  Presumably, Microsoft's primary key is used
to authenticate crypto modules, and if that doesn't
authenticate them then the backup key is tried.  The only
really interesting question is why there are two
authenticating keys instead of just one.  That's not going
to be answered by any amount of disassembly.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: SQ Announcement
Date: Mon, 06 Sep 1999 05:36:24 GMT

Kostadin Bajalcaliev wrote:
> Here is an example: you have SQ running with word size 512 and the output
> sequence is the 8 lsb, one bit is certainly lost, let there be a method how
> to invert SQ knowing just the output. With 0..511 permutation we need at
> least 511 outputs to reconstruct the full inner state. Because there is
> information loss of 1 bit we need to somehow predict 511 bits because the
> output sequence is formed by discarding the msb. Is this too much for unlimited
> computation power?

I'm having trouble following the argument, but it seems that you think
the cryptanalyst must accurately reconstruct the internal state of the
encryption device.  That is often not the case, for any of several
reasons.  For instance, an equivalent (possibly simpler) mechanism
might be reconstructed instead, producing the same result but easier
to cryptanalyze.  Or, the encryptor might be nonlinear but a linear
approximation (which is much simpler to model) might be close enough
to recover *some* of the plaintext, perhaps enough to interpolate the
rest.

> If you isolate a single atom its behaviour is mathematically presentable,
> two atoms interacting should be also presentable but much harder.  If
> there is some real number of atoms the mathematics do not work; it can
> only outline the process, it can not describe it fully. Why ? Because
> the atoms interact but there is no way to measure this interaction
> without changing the process (Quantum mechanics).

The unpredictability is a property of even a single atom or particle.

> ... Mathematically every complex signal can be decomposed, but in
> the reality it is not the case. Why ? The object of FFT is to
> reconstruct the lost information, the number of signals and their
> frequencies. It is clear that every complex system is not fully
> described with its behaviour, we need to know the behaviour of every
> component.

The "components" in the transformed domain are no more or less real
than the values in the original domain.  They are complementary
ways of viewing the same signal.

There are certain well-known precautions that must be taken when
performing a DFT to avoid aliasing, which would in fact cause an
irreversible loss of information.  But this is a solved problem.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: _NSAKey
Date: Mon, 06 Sep 1999 06:50:15 GMT

After reviewing what Microsoft said in a news article,
it seems plausible that the purpose of the second key
was to allow MS to turn their product over to the
government for export certification, which requires a
review of the encryption by NSA, along with a key
reserved just for certification use, without having to
hand over MS's own private key.  Because it's a PK
scheme, the backup key couldn't be used to authenticate
MS-signed modules (nor vice versa), so the only
practical ramification would be that the possessor of
the private portion of the backup key could provide
"certified" modules of its own without involving MS.
The only way that could affect Joe Blow is if he
accepted installation and activation of such a crypto
module; just how big a problem that could be depends
on what you think a likely scenario might be.  I'd
think that such Joe Blows are more at risk from viruses.

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: point of a cipher
Date: 06 Sep 1999 07:34:21 GMT

[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) writes:

>In article <7quh4a$pos$[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] (David Wagner) wrote:
>>In article <o1oA3.21146$[EMAIL PROTECTED]>,
>>Richard Parker <[EMAIL PROTECTED]> wrote:
>>> David Scott is using "w-pcbc" as an all-or-nothing transform (AONT).
>>
>>I disagree.  An AONT transform is unkeyed, and does not itself provide
>>confidentiality.  Rather, David Scott is using "w-pcbc" as a block cipher
>>structure (think of it as an alternative to the Feistel structure).
>
> How can you disagree whenever we start to get technical on my method
>you say that you can't follow the C code since the source is apparently
>encrypted too hard for you. Since this is true based on your last comments
>when the Slide Attack failed against it. How do you know that it is not
>"all or nothing".

D.S., I think D.W. is right.

I think it's a mistake to call W-PCBC an All-Or-Nothing 
Transform. Such a transform, according to Rivest, is
unkeyed or, at least, not a secret, and is considered
a step before encryption.

Rivest presented the "All-Or-Nothing" idea as a way to
strengthen fixed-length ciphers by increasing the work 
factor by 2^20. The ciphers he had in mind were 56-bit
DES and ciphers that might be encumbered by export
restrictions. The idea was to foil a brute-force 
search of the keyspace by forcing an attacker to
decrypt the entire file and not just the first block
when testing possible keys. 

It's true a brute-force search of the keyspace of
a scott enciphered file would require decryption of 
the entire file when testing possible keys. The scott 
cipher keyspace, however, is, apparently, so big that 
the W-PCBC doesn't seem at all what Rivest had in mind. 

Rivest also contended that an All-or-Nothing Transform
provided protection against chosen-plaintext attacks.
An earlier version of scott16 used W-PCBC, but that
cipher was broken by a chosen-plaintext attack.

So I think it is better to think of W-PCBC (all 17
passes in scott16x, anyway) not as a mode of 
operation, but as an integral part of the encryption 
mechanism, or, as Wagner suggests, an alternative 
to a Feistel network. 

You could call it a Scott Network. 

Joe 



__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Mystery inc.
Date: 6 Sep 1999 07:36:13 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> available work of Thomas Jefferson would be worth trying.  Harvard's
> law library (Widener library, was it?) let me into their (normally
> closed) stacks, and I rummaged though the collected works of T.J.

http://www-hcl.harvard.edu/houghton/

In today's organization of the libraries, I'd expect something like that
to be in Houghton Library, which happens to be buried inside Widener. They
handle rare and fragile books (Langdell is the Law School library).

Not that I've ever been to Houghton, unfortunately...

-David

------------------------------

From: [EMAIL PROTECTED] (Ralf Stephan)
Subject: Re: Schneier/Published Algorithms
Date: Mon, 6 Sep 1999 10:28:56 +0200

Eric Lee Green:
>Ralf Stephan wrote:
>> We know that at least the Brits had it years before.
>
>And the page you referenced me to implies that the NSA may have had it
>for years before the Brits.

And, thus, had even more time to have a go at the crack.

The catch is, a U.S. citizen (e.g. bank) might have the
means to ask NSA to assess security - and safety! see the
Design Bug link collection on my pages - of his/her signature
scheme, but non-U.S. citizens do not.  I am trying to not
argue politics here but global safety.  But I'm long enough
on Usenet to have expected your pointer to t.p.c., as well as 
being thankful for your calm response.

>I'm primarily interested in encryption as a mechanism for protecting
>financial data from criminals, not as a political statement.

The secretness/openness double-edge touches much more than financial 
or political problems.  Talk about copyright/media and open source.  
Talk about simple things that are at hand, e.g. the 433 MHz home 
automation system that should not be tampered with by someone outside.  

No one can assess the safety of a global electronic society if the 
organisation that should know best doesn't account to the society's
members for what it knows about discrete log.

Let me assure you that, if you knew me personally, you at once
would be sure of my entirely non-political background.


ralf
-- 
http://www.in-berlin.de/User/rws/

------------------------------

From: Daniel James <[EMAIL PROTECTED]>
Subject: Re: Pincodes
Date: Mon, 06 Sep 1999 09:46:39 +0100
Reply-To: [EMAIL PROTECTED]

In article <7qmt56$jmn$[EMAIL PROTECTED]>, Keith A Monahan wrote:
> Everything was stored in plaintext, including the NAME, the account number,
> and even the PIN.
>
Hmm. I've never worked on a system that did /that/! A PIN /offset/ is often 
stored in plaintext, but that's not a big risk if the natural PIN is secure.

Cheers,
 Daniel.


------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: 512 bit number factored
Date: 06 Sep 1999 10:34:55 +0200


Bob Silverman <[EMAIL PROTECTED]> writes:
> Robert Harley <[EMAIL PROTECTED]> wrote:
> > Bob Silverman <[EMAIL PROTECTED]> writes:
> > > No.  They can't.
> > and then goes into detail saying in essence, "yes they can but not
> > much, as far as I can see right now".
> 
> That is not what I said. Go re-read it.
> [...]
> (1) Being able to cut the matrix in half, by reducing the factor base
> (at the expense of a  LOT more sieve time)  doesn't help very much

There, you just said it again.


Bob, you're trying to argue that there are no black swans by going on
about all the white ones you've studied, and by spewing idiotic ad
hominems.

Unfortunately your full-time job seems to be FUDing for RSA by just
such tactics.

Sorry, but it's not my full-time job to drive a truck through the
holes in your "argument".

Bye,
  Rob.

------------------------------

From: James Andrews <[EMAIL PROTECTED]>
Subject: Re: WT Shaw temporarily sidelined
Date: Mon, 06 Sep 1999 09:14:59 +0000

Tell him to get well soon, and get the laptop working, no person should
lose their connection to the net.  Once you've had it for a while, it's
like a limb, stay connected.

James

------------------------------

From: Stefan Hetzl <[EMAIL PROTECTED]>
Subject: hash function ?
Date: Mon, 06 Sep 1999 09:01:33 GMT

Hi all,

I want to use a passphrase of any length as a key for the Blowfish
algorithm. I think it would be more secure to hash the passphrase first
because in a typical passphrase there are probably more alphanumerical
characters than others, which would make guessing the key easier. Which
hash algorithm would be suited best to do this / is the best to use in
connection with Blowfish?
I will probably also use this hash algorithm to derive a 32-bit seed for
a random number generator from a passphrase. Which bits should I use?
The first 32, last 32 etc.?

Thanks,

Stefan
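For the key-derivation question above, an added example (not from the original post and not from any Blowfish implementation), using only Python's standard library: the passphrase is stretched with a salted, iterated PBKDF2 rather than a bare hash, then expanded with labelled HMAC calls into a 56-byte Blowfish key and a separate 32-bit seed, so the seed is never a slice of the cipher key. The labels, the minimum salt length and the iteration count are assumed values chosen for the example.

```python
import hashlib
import hmac
import os

# Blowfish accepts keys of 4 to 56 bytes (32 to 448 bits).
BLOWFISH_MAX_KEY_BYTES = 56
# Illustrative iteration count (assumed value); raise it as hardware allows.
PBKDF2_ITERATIONS = 200_000


def stretch_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Turn a passphrase of any length into 32 bytes of uniform key material.

    A plain hash fixes the "mostly alphanumeric bytes" problem but not the
    real one: the passphrase is guessable and a bare hash is cheap to guess
    against. PBKDF2 adds a salt (no precomputed tables shared across users)
    and an iteration count (each guess costs the attacker as much as us).
    """
    if len(salt) < 16:
        raise ValueError("use at least 16 random bytes of salt")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def blowfish_key(master: bytes, key_len: int = BLOWFISH_MAX_KEY_BYTES) -> bytes:
    """Expand the master secret into a Blowfish key under a fixed label."""
    if not 4 <= key_len <= BLOWFISH_MAX_KEY_BYTES:
        raise ValueError("Blowfish key length must be 4..56 bytes")
    return hmac.new(master, b"blowfish-key", hashlib.sha512).digest()[:key_len]


def rng_seed(master: bytes) -> int:
    """Derive the 32-bit seed under a different label, not from a slice of the key.

    Any fixed 4 bytes of a good hash output are equally random, so "first 32
    or last 32" does not matter; what matters is that the seed and the cipher
    key are not literally the same bits.
    """
    digest = hmac.new(master, b"rng-seed", hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def derive_all(passphrase: str, salt: bytes):
    """One call returning (blowfish_key, seed) for a passphrase and salt."""
    master = stretch_passphrase(passphrase, salt)
    return blowfish_key(master), rng_seed(master)


if __name__ == "__main__":
    # The salt is stored next to the ciphertext; it is not secret.
    salt = os.urandom(16)
    key, seed = derive_all("correct horse battery staple", salt)
    print(key.hex(), seed)
```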

------------------------------

From: Red_Blue <[EMAIL PROTECTED]>
Subject: Re: NSA and MS windows
Date: Mon, 06 Sep 1999 12:48:56 +0300

David Wagner wrote:

> Roger Schlafly <[EMAIL PROTECTED]> wrote:
> > I don't think MS is telling us the full story.
>
> They may not be, but regardless, it doesn't excuse claims that the
> "_NSAKEY" lets the NSA spy on every Windows box around the world.
> I haven't seen a single shred of evidence for claims like that.

Nor have I. Exploiting this would require NSA (or anyone having that
extra key) to replace the default CSP with a weakened one. There are
several dll files and registry keys involved. Even if that new module is
signed so that CrAPI will run it, the attack must be done so that it
produces no output to alert the user, or to disguise it for something
innocent. If you can get someone to run a trojan that replaces a CSP
module, then I guess you can use a trojan that does much worse things! Or
weakens the cryptosystems in some easier, yet harder to detect, ways.
Besides, if that would be easy, then anyone could do that, not only the
true holder of that second key, because that second key can be so easily
substituted.
So I don't think this NSA-key issue is a big threat after all. I think
the method enabling the use of stronger modules than original without
having them signed by MS is the really IMPORTANT issue here. Wasn't this
signed CSP system designed by MS just to get export permission for CrAPI
in the first place? Not that I support using CrAPI given its other
weaknesses, such as private key export issues. Or any MS security
function given the reputation MS has in dealing with security issues.

Jere Hakanen


------------------------------

From: Daniel James <[EMAIL PROTECTED]>
Subject: Re: Pincodes
Date: Mon, 06 Sep 1999 11:18:00 +0100
Reply-To: [EMAIL PROTECTED]

In article <[EMAIL PROTECTED]>, Walter 
Hofmann wrote:
> Daniel James <[EMAIL PROTECTED]> wrote:
[snip]
> > 
> > It would also prevent the user from changing their PIN and would 
> 
> Good. This prevents PINs like 1234.
> 
> > require that a new PIN be issued whenever a new card was issued.
> 
> Fine. Regularly changing a password is a good security practice.
>

<smile>. From a security POV, of course, I agree somewhat with what you 
say.... However any bank will tell you that their customers demand the 
ability to change their PINs - albeit to something daft - and keep it that 
way for ever - and the customer is always right (allegedly).

I haven't tried setting my card PINs to 1234 - I /hope/ the ATM software 
would reject it. Just as I /hope/ that the software would reject the expiry 
date or the first/last digits of the account number.

Cheers,
 Daniel.


------------------------------

From: pbboy <[EMAIL PROTECTED]>
Subject: Re: NSA and MS windows
Date: Mon, 06 Sep 1999 05:55:52 -0400



Anders Henriksson wrote:

> pbboy <[EMAIL PROTECTED]> wrote:
> >Maybe I overestimate the NSA's power, but why would the NSA _ask_ MS for
> >anything?!?
>
> Ever heard of the saying "Never ask for anything which you can't take"?
> Why waste resources. If you're powerful enough people won't object.
>

Putting an operator in the largest software company in the world is a waste of
resources....?  Hmmm, think about that one.

>
> >HEHE!  Do you really think, IF the NSA were to use any MS products, they
> >would actually pay for the licenses?
>
> Yes. It wouldn't be worth the possible trouble if they didn't. If I were
> them, I'd give M$ a huge wad of cash and say "We'd like an unlimited
> number of licenses for all of your products." As money's no problem for
> them, license fees are no worry, but the number of licenses are as it
> can be used to determine computing power. If the cash pile is huge enough,
> M$ probably wouldn't mind...
>

I agree, IF the NSA actually used Windows...

pbboy




------------------------------

From: [EMAIL PROTECTED] (John )
Subject: Info on old cryptography systems
Date: Mon, 06 Sep 1999 11:09:31 GMT

I hope not to be wrong by posting in this list, but I need help on the 
following problem:

I got some papers encrypted with letter transposal. The encryption has been done 
in the 50's, so no computer algorithm is involved. The language should be 
Italian.
I started out with a relative frequency match of the letters in the 
text and in normal Italian vocabulary, but it did not work. I am new at the 
task and would be glad if somebody can give me a hint.

Thank You

John


*********************
take the leading *** off the E-Mail if answering
*********************
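A worked diagnostic for the situation John describes, as an added example that is not part of the original post: a transposition only permutes letter positions, so the ciphertext's single-letter histogram is identical to the plaintext's and a frequency match has nothing to recover; comparing that histogram with the language's profile does, however, tell a transposition from a substitution, which decides what to try next. The Italian frequency table is approximate (assumed from commonly published tables), and the sample text, column width, shift and threshold are constructed for the example.

```python
from collections import Counter
import string

# Approximate single-letter frequencies (percent) of Italian text, assumed
# here; the conclusions below only need them to be roughly right.
ITALIAN_FREQ = {
    "a": 11.7, "b": 0.9, "c": 4.5, "d": 3.7, "e": 11.8, "f": 1.2, "g": 1.6,
    "h": 0.6, "i": 10.1, "j": 0.01, "k": 0.01, "l": 6.5, "m": 2.5, "n": 6.9,
    "o": 9.8, "p": 3.1, "q": 0.5, "r": 6.4, "s": 5.0, "t": 5.6, "u": 3.0,
    "v": 2.1, "w": 0.03, "x": 0.003, "y": 0.02, "z": 1.2,
}


def letters_only(text: str) -> str:
    """Keep a-z only: spaces and punctuation are usually dropped before enciphering."""
    return "".join(c for c in text.lower() if c in string.ascii_lowercase)


def chi_squared(text: str, expected_pct=ITALIAN_FREQ) -> float:
    """Distance between the text's letter histogram and the language's.

    A transposition scores exactly like its plaintext (same multiset of
    letters); a substitution relabels letters and scores far worse.
    """
    t = letters_only(text)
    n = len(t)
    counts = Counter(t)
    return sum((counts.get(ch, 0) - n * p / 100) ** 2 / (n * p / 100)
               for ch, p in expected_pct.items())


def columnar_transpose(text: str, width: int) -> str:
    """Constructed toy transposition: write in rows of `width`, read by columns."""
    t = letters_only(text)
    return "".join(t[i::width] for i in range(width))


def caesar(text: str, shift: int) -> str:
    """Constructed toy substitution, for comparison only."""
    return "".join(chr((ord(c) - 97 + shift) % 26 + 97) for c in letters_only(text))


def diagnose(ciphertext: str, threshold: float = 100.0) -> str:
    """Rough classifier. For text in the right language the score stays near
    the number of letters in the alphabet whatever the length; for relabelled
    text it grows with length, so a fixed threshold works for texts of a few
    hundred letters (the threshold is a constructed rule of thumb)."""
    return "transposition" if chi_squared(ciphertext) < threshold else "substitution"


# Constructed sample plaintext (Italian).
SAMPLE = ("nel mezzo del cammin di nostra vita mi ritrovai per una selva oscura "
          "che la diritta via era smarrita ahi quanto a dir qual era e cosa dura")

if __name__ == "__main__":
    for label, ct in (("transposed", columnar_transpose(SAMPLE, 7)),
                      ("shifted", caesar(SAMPLE, 3))):
        print(label, round(chi_squared(ct), 1), diagnose(ct))
```

When the score says "transposition", the useful next steps are the classical ones for that class (looking for the column width via vowel spacing and anagramming), not further single-letter matching.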

------------------------------

From: Stephan Eisvogel <[EMAIL PROTECTED]>
Subject: Re: _NSAKey
Date: Mon, 06 Sep 1999 13:25:47 +0200

JPeschel wrote:
> Well, here's a disassembly of AdvApi32.DLL for everyone's
> amusement:

You should get a much better disassembler, I hope you can
find out which one I am talking about.

Microsoft's is not bad to get an idea where a module
segfaulted, but for deadlisting there's a much better
alternative.

Regards,
I.D.Aye

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
