Cryptography-Digest Digest #189, Volume #10       Mon, 6 Sep 99 14:13:03 EDT

Contents:
  Re: Alleged NSA backdoor in Windows CryptoAPI (Alan Braggins)
  Re: n-ary Huffman Template Algorithm (Alex Vinokur)
  Re: _NSAKey ("Microsoft Mail Server")
  Re: Info on old cryptography systems
  Re: _NSAKey ("Trevor Jackson, III")
  Re: Schneier/Published Algorithms (Geoff Thorpe)
  Re: NSA and MS windows (Geoff Thorpe)
  examples of twofish? ("Shaun Wilde")
  Re: hash function ? (jerome)
  Re: 512 bit number factored (Bob Silverman)
  Re: Schneier/Published Algorithms (SCOTT19U.ZIP_GUY)
  Re: examples of twofish? (Eric Lee Green)
  Re: examples of twofish? (Ruud de Rooij)
  Re: _NSAKey ("Douglas A. Gwyn")
  Re: argument against randomness (Tim Tyler)

----------------------------------------------------------------------------

From: Alan Braggins <[EMAIL PROTECTED]>
Subject: Re: Alleged NSA backdoor in Windows CryptoAPI
Date: 06 Sep 1999 14:34:54 +0100

[EMAIL PROTECTED] (Bruce Schneier) writes:
> On 3 Sep 1999 19:08:16 GMT, [EMAIL PROTECTED] (Ian Goldberg) wrote:
> >DJohn37050 <[EMAIL PROTECTED]> wrote:
> >>The obvious reason for an NSA key (assuming that is what it is) is to allow NSA
> >>to write their own CSP's without needing to get permission from Microsoft. 
> >>That is, they can put in their algorithms without going to Microsoft for
> >>approval.  But the CSP still needs to be put on the machine somehow and this is
> >>a voluntary act (as far as I know), so I do not see anything nefarious.
> >>Don Johnson
> >
> >And the NSA key would then be in *all* shipped copies of Windows
> >worldwide, why?
> 
> My guess is that it is really a backup key, and that Microsoft gave
> NSA a copy of it for their own internal use (as Don suggests).

If the signing keys are copyable, then Microsoft's "We needed a backup
in case we lost the original signing key" explanation doesn't work -
they can keep a copy of the original in a separate location as easily
as keeping a second key.
If the keys are in secure hardware and can't be copied, then the NSA
having a copy can't be the reason for the name (unless the NSA have a
backdoor to the hardware and don't mind Microsoft knowing that).

If only the primary key is in secure hardware and can't be copied,
then the NSA could have a copy of the backup key, but why would anyone
bother protecting the primary key and not the backup?

If the keys can be copied, then a backup key in place may still be
useful so that the primary verification key can be replaced by
software signed by the backup if the primary signing key is ever
compromised (at least on installations where the backup hasn't already
been replaced by trojans using the compromised key).
This doesn't match Microsoft's explanation, but it's close enough
that a layer of PR and marketing between the actual explanation and
the published one is an adequate explanation.

However, the presence of the backup key also means the NSA don't need
a copy of the signing key to install software on their own machines
without getting it signed by Microsoft - the backup verification key can
be replaced without stopping parts of the system that use the main key
working, and they can then sign their own .dll's.

So the NSA only need a copy of the signing key if they want to
introduce dlls that they have signed on to systems where they don't
want to tamper with the verification keys. Assuming that if the NSA
say to Microsoft "Sign this hash, you don't have to know what it's
for", then Microsoft will do so promptly without question, I'm not
sure how much use the NSA would have for a copy.
And if they did have a use, why would Microsoft give them a copy of
the backup but not of the primary? They could have copies of both -
but then the second key and its "NSA" name mean nothing.

The presence of the backup key also means that the export controls are
significantly weaker than claimed - a non-US CSP producer only has to
replace the backup key, not patch the system to avoid using the
primary key. Since the supposed point of the export regulations is to
help preserve US national security, and the NSA is an agency of the
same government that created the regulations, whose mission is to
preserve US national security, whereas Microsoft believe "that key
lengths must be lengthened substantially to provide our worldwide
customers strong security and privacy" and "are working actively with
other companies in our industry to encourage the U.S. government to
relax its restrictions on export controls", it's interesting that
Microsoft say it was the NSA who required the presence of the backup
key.
http://msdn.microsoft.com/workshop/security/capi/exporfaq.asp#export1
http://www.microsoft.com/security/bulletins/backdoor.asp

Disclaimer: normally I consider this goes without saying, but in this
context it might be worth saying that these are my personal opinions based
on published data, not nCipher's corporate opinion, though of course
Nicko van Someren's paper "Playing hide and seek with stored keys" is
relevant. http://www.ncipher.com/news/files/press/99/anguilla.html

------------------------------

From: Alex Vinokur <[EMAIL PROTECTED]>
Crossposted-To: sci.image.processing,sci.math,alt.comp.compression
Subject: Re: n-ary Huffman Template Algorithm
Date: Mon, 06 Sep 1999 13:26:46 GMT

In article <7qtsqp$ue8$[EMAIL PROTECTED]>,
  Alex Vinokur <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
>   Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> [snip]
> > At this point I must wonder what do you actually intend to do with
> > your (presumably generalized) Huffman encoding scheme in such (in my
> > humble opinion fancy) 'worlds' at all. A normal Huffman encoding maps
> > a sequence of symbols to a bit string such that the length of the bit
> > string is minimal;
>
>   Template Huffman encoding does the same thing.
>
> > this is useful in practice. What does your encoding
> > scheme achieve?
>
>   The difference is that Template Huffman can use
>       not only numerical weights.
>   What is non-numerical weight?
>   That must be defined by user (if his problem requires such weights).
>
> > Can you explain with some details?
>
>   Please see Test#8 in
>       http://alexvn.homepage.com/alexvn.html
>       Click : n-ary Huffman Template Algorithm
> >
> > M. K. Shen
> >
>
>       Alex
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
>


Maybe also this example :


====== Begin : Case#1 : numerical weights ==========

Let W1 = {1, 1, 2, 3} be
        a sequence of numerical (integer) weights.

Here is the Huffman tree for this sequence.


             7
            /\
           /  \
          4   3
         /\
        /  \
       2    2
      /\
     /  \
    1    1

====== End : Case#1 : numerical weights ============



====== Begin : Case#2 : non-numerical "weights" ====

Let weight be w = <int, int>-pair.

Here is the operator+ (example) :
   a = <a1, a2>
   b = <b1, b2>
   a + b = <a1 + b1, a2 + b2>

Here is the operator< (example)
   a = <a1, a2>
   b = <b1, b2>

   if ((a1^2 + a2^2) < (b1^2 + b2^2))
   then a < b
   else a >= b

Let W2 = { <5, 5>, <7, 3>, <0, 8>, <15, 1> } be
        a sequence of non-numerical weights.

Stage#0 :      <5, 5>       <7, 3>     <0, 8>   <15, 1>
Stage#1 :      <0, 8>     (<12, 8>)   <15, 1>
Stage#2 :     <15, 1>    (<12, 16>)
Stage#3 :   (<27, 17>)
Note! The sequences are sorted on each stage.

Here is the Huffman tree for this sequence.


          <27, 17>
            /\
           /  \
   <12, 16>    <15, 1>
         /\
        /  \
 <12, 8>    <0, 8>
      /\
     /  \
<5, 5>  <7, 3>

====== End : Case#2 : non-numerical "weights" ======


        Alex


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
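The two cases above, worked in Python as an added example (this is not Alex's own Template Huffman code, and the post does not say how his implementation is written). The only things the construction needs from a weight type are an addition and a strict ordering, so both are passed in as functions: Case#1 uses ordinary integers, Case#2 uses the <int, int> pairs with the component-wise + and the squared-norm < from the post. The optional trace reproduces the "Stage#0 .. Stage#3" sorted sequences; the symbol names "a".."d" and the code-word convention (left branch 0, right branch 1) are choices made here.

```python
import heapq


def huffman_codes(items, add, less, trace=None):
    """Build a Huffman tree over weights of any type.

    items: list of (symbol, weight); weights need not be numbers.
    add(a, b): combines two weights (the post's operator+).
    less(a, b): strict ordering on weights (the post's operator<).
    trace: optional list; receives the sorted weight sequence at each stage.
    Returns (root_weight, {symbol: code_string}); the codes are prefix-free.
    """
    class Key:
        # Wraps a weight so heapq orders entries with the caller's less().
        __slots__ = ("w",)

        def __init__(self, w):
            self.w = w

        def __lt__(self, other):
            return less(self.w, other.w)

        def __eq__(self, other):
            return not less(self.w, other.w) and not less(other.w, self.w)

    if not items:
        return None, {}
    # Heap entries are (Key, sequence number, node); the sequence number
    # breaks ties deterministically, so the node itself is never compared.
    heap = []
    for seq, (sym, w) in enumerate(items):
        heapq.heappush(heap, (Key(w), seq, ("leaf", sym)))
    seq = len(items)

    def snapshot():
        if trace is not None:
            trace.append([k.w for k, _, _ in sorted(heap)])

    snapshot()
    while len(heap) > 1:
        k1, _, left = heapq.heappop(heap)     # the two lightest nodes ...
        k2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (Key(add(k1.w, k2.w)), seq, ("node", left, right)))
        seq += 1                               # ... become one node of combined weight
        snapshot()

    root_key, _, root = heap[0]
    codes = {}

    def walk(node, prefix):
        if node[0] == "leaf":
            codes[node[1]] = prefix or "0"     # a single-symbol input gets "0"
        else:
            walk(node[1], prefix + "0")
            walk(node[2], prefix + "1")

    walk(root, "")
    return root_key.w, codes


def is_prefix_free(codes):
    """True if no code word is a prefix of another (what makes decoding unambiguous)."""
    words = sorted(codes.values())
    return all(not b.startswith(a) for a, b in zip(words, words[1:]))


# Case#1 from the post: plain integer weights (symbol names chosen here).
W1 = [("a", 1), ("b", 1), ("c", 2), ("d", 3)]


# Case#2 from the post: <int, int> pairs, component-wise + and ordering by
# a1^2 + a2^2.  The pair doubles as its own symbol.
def pair_add(a, b):
    return (a[0] + b[0], a[1] + b[1])


def pair_less(a, b):
    return a[0] ** 2 + a[1] ** 2 < b[0] ** 2 + b[1] ** 2


W2 = [(5, 5), (7, 3), (0, 8), (15, 1)]


if __name__ == "__main__":
    root, codes = huffman_codes(W1, lambda x, y: x + y, lambda x, y: x < y)
    print("Case#1 root weight:", root, "codes:", codes)
    stages = []
    root, codes = huffman_codes([(w, w) for w in W2], pair_add, pair_less, stages)
    for i, s in enumerate(stages):
        print(f"Stage#{i}: {s}")
    print("Case#2 root weight:", root, "codes:", codes)
```

Nothing in huffman_codes knows what a weight is; swapping pair_less for a comparison on, say, a1 alone gives a different tree from the same inputs, which is the point of leaving the ordering to the user.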

------------------------------

From: "Microsoft Mail Server" <[EMAIL PROTECTED]>
Subject: Re: _NSAKey
Date: Mon, 6 Sep 1999 10:18:27 -0400
Crossposted-To: talk.politics.crypto

good point, the assumption that the government is vile, devious, sinless, and
above the law has been created from single examples of deviant individual
misbehavior on the part of selected events.

the usual attack upon a working system of government is to discredit and
find the unremarkable errors that occur in any system that deals with human
irresponsibilities.

comparing one system to another will only yield nothing other than
differences that have evolved over years of human squabbling and foolish
"pride-mongering".

that an individual feels a personal incursion upon their individual
"rights", that individual certainly needs to evaluate the need for all
others' rights to the same freedoms. (or go find another system that treats
you better!)

keep in mind that wars and conflicts are usually precipitated over years of
discontent and malingering stupidities. (and selfish, arrogant familial
hierarchy systems)

the need for privacy and secrecy goes "out the window" really fast when
bullets start whizzing closely past your children's faces!

--
best regards,
hapticzemail at email.msn.com

remove first email, sorry i had to do this!!



------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: Info on old cryptography systems
Date: 6 Sep 99 14:42:42 GMT

John ([EMAIL PROTECTED]) wrote:
: I started out with a relative frequency match of the letters in the 
: text and in normal italian vocabulary, but it did not work. I am new at the 
: task and would be glad if somebody can give me a hint.

Well, that may indicate that the text is not encrypted with transposition,
or that it is not in Italian. However, that is not necessarily the case;
frequencies might be altered by the use of codewords or by the use of
'telegraphic' style text, in which some common words are omitted.

At the Crypto Drop Box there is a course in PDF format on cryptanalysis of
pencil-and-paper ciphers; the book "Cryptanalysis" by Helen Fouche Gaines
from Dover is inexpensive, and also covers this territory well. But
transposition ciphers are not necessarily easy to break; except for
multiple anagramming, there aren't any amateur-level techniques for
breaking a double columnar transposition, for example.

John Savard
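The frequency test John describes, written out in Python as an added example (not code from the post or from the Crypto Drop Box course). A transposition only moves letters, so the ciphertext's letter counts are exactly the plaintext's; scoring those counts against a language table (chi-square here) is the check, and a bad score means either "not a transposition" or "not that language", which is Savard's point. The index of coincidence is included to show what it cannot tell you: it is unchanged by monoalphabetic substitution as well. The Italian frequency table is a set of rounded textbook figures supplied for this example, the sample sentence is constructed, and the columnar transposition and Caesar routines exist only to produce the two kinds of ciphertext.

```python
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Approximate relative letter frequencies of Italian, in percent.  Rounded
# textbook figures supplied for this example, not data from the post; letters
# not listed (j, k, w, x, y) are essentially absent from Italian.
ITALIAN_FREQ = {
    "a": 11.74, "b": 0.92, "c": 4.50, "d": 3.73, "e": 11.79, "f": 0.95,
    "g": 1.64, "h": 1.54, "i": 11.28, "l": 6.51, "m": 2.51, "n": 6.88,
    "o": 9.83, "p": 3.05, "q": 0.51, "r": 6.37, "s": 4.98, "t": 5.62,
    "u": 3.01, "v": 2.10, "z": 0.49,
}


def letters_only(text):
    """Keep a-z only, lower-cased: the alphabet these pencil-and-paper ciphers use."""
    return "".join(c for c in text.lower() if c in ALPHABET)


def chi_square(text, table=ITALIAN_FREQ):
    """Chi-square distance between the text's letter counts and a language table.

    Low means the counts look like that language.  Transposition leaves the
    counts, and therefore this score, unchanged; substitution scrambles them.
    """
    t = letters_only(text)
    n = len(t)
    counts = Counter(t)
    total = sum(table.values())
    score = 0.0
    for ch in ALPHABET:
        # Floor the expectation so letters absent from the table do not divide by zero.
        expected = max(n * table.get(ch, 0.0) / total, 0.5)
        score += (counts.get(ch, 0) - expected) ** 2 / expected
    return score


def index_of_coincidence(text):
    """IC = sum n_i(n_i - 1) / N(N - 1).  Unchanged by transposition *and* by
    monoalphabetic substitution, so it separates those from polyalphabetic
    ciphers but cannot tell transposition from substitution."""
    t = letters_only(text)
    n = len(t)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(t).values()) / (n * (n - 1))


def columnar_transposition(text, key):
    """Write the text row by row under the key word, read the columns out in
    alphabetical order of the key letters (ties broken left to right)."""
    t = letters_only(text)
    width = len(key)
    order = sorted(range(width), key=lambda i: (key[i], i))
    return "".join(t[i::width] for i in order)


def double_columnar(text, key1, key2):
    return columnar_transposition(columnar_transposition(text, key1), key2)


def caesar(text, shift):
    """Monoalphabetic substitution, used here only as the contrasting case."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26]
                   for c in letters_only(text))


def frequency_report(ciphertext, table=ITALIAN_FREQ):
    """The two statistics an analyst would compute before anything else."""
    return {"chi_square": chi_square(ciphertext, table),
            "ic": index_of_coincidence(ciphertext)}


# Constructed Italian sample plaintext for the demonstration.
SAMPLE = ("la crittografia classica si basa sulla sostituzione e sulla trasposizione "
          "delle lettere del messaggio in chiaro e il cifrario a trasposizione "
          "conserva le frequenze delle lettere della lingua")

if __name__ == "__main__":
    print("plaintext      ", frequency_report(SAMPLE))
    print("double columnar", frequency_report(double_columnar(SAMPLE, "zebra", "cifra")))
    print("caesar shift 3 ", frequency_report(caesar(SAMPLE, 3)))
```

If the transposed ciphertext scores as well as the plaintext and the Caesar text scores far worse, the test is working; if real intercepts score badly, try the tables for other candidate languages before concluding the cipher is not a transposition, and remember that codewords or telegraphic style shift the counts too.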

------------------------------

Date: Mon, 06 Sep 1999 11:13:38 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: _NSAKey

Microsoft Mail Server wrote:

> good point, the assumption that the government is vile, devious, sinless, and
> above the law has been created from single examples of deviant individual
> misbehavior on the part of selected events.
>
> the usual attack upon a working system of government is to discredit and
> find the unremarkable errors that occur in any system that deals with human
> irresponsibilities.
>
> comparing one system to another will only yield nothing other than
> differences that have evolved over years of human squabbling and foolish
> "pride-mongering".
>
> that an individual feels a personal incursion upon their individual
> "rights", that individual certainly needs to evaluate the need for all
> others' rights to the same freedoms. (or go find another system that treats
> you better!)
>
> keep in mind that wars and conflicts are usually precipitated over years of
> discontent and malingering stupidities. (and selfish, arrogant familial
> hierarchy systems)
>
> the need for privacy and secrecy goes "out the window" really fast when
> bullets start whizzing closely past your children's faces!

The need for privacy and secrecy becomes a dominating influence in one's life
when one expects to mix bullets and one's children.


------------------------------

From: Geoff Thorpe <[EMAIL PROTECTED]>
Subject: Re: Schneier/Published Algorithms
Date: Mon, 06 Sep 1999 16:43:51 +0100

Hi,

DS's ramblings have long since lost their novelty value and I generally
ignore them but this one was too much to resist.

"SCOTT19U.ZIP_GUY" wrote:
>   Yes and we can safely assume that any documentation that would be
> come available to the public would accurately tell when an intelligence
> agency first developed the method. Tell me Bruce do you still believe in
> Santa Claus.

Listening to your commentary (if he is), I doubt if he even believes in
Darwin anymore.

Cheers,
Me

------------------------------

From: Geoff Thorpe <[EMAIL PROTECTED]>
Subject: Re: NSA and MS windows
Date: Mon, 06 Sep 1999 17:13:05 +0100

Hi there,

Bruce Schneier wrote:
[various speculations about the NSAKEY story]

As Peter Gutmann pointed out quite some time ago (see
http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms3.txt for some
background), CryptoAPI has such gaping holes in it that to call it swiss
cheese would be to bestow too much structural value to it. Cheese
requires a lot more heat (or time) to melt.

The CryptExportKey() API function, present in the base CSP providers (as
used by Outlook, IE, etc etc), will happily export private keys. It also
doesn't take a password. Perhaps one possible use of NSAKEY is that it
somehow simplifies the process of planting executable (executing would
be more accurate) code on the destination PC to call this function?

The fact this API call is there is scary, but one still needs code to
call it. If NSAKEY is as dark and sinister as some would like to
speculate, then it could possibly provide a way to exploit this deformity
of CryptoAPI with minimal fuss and bother. Whether this key allows one
to do such things, or whether it's there purely to sign CSPs, I do not
know. I'd welcome anyone's thoughts (except David Scott) on this idea.

Cheers,
ME

------------------------------

From: "Shaun Wilde" <[EMAIL PROTECTED]>
Subject: examples of twofish?
Date: Mon, 6 Sep 1999 16:22:16 +0100


Can anyone point me to code which has working examples of how to implement
twofish?

Also how do you go about generating keys? (from a passphrase/password?)

I have used the MS Crypto API (shame on me); however, I'd like to implement
other block ciphers that haven't had MS's sticky paws all over.

TIA

--
http://www.many-monkeys.freeserve.co.uk



------------------------------

From: [EMAIL PROTECTED] (jerome)
Subject: Re: hash function ?
Date: 6 Sep 1999 16:29:48 GMT
Reply-To: [EMAIL PROTECTED]

On Mon, 06 Sep 1999 09:01:33 GMT, Stefan Hetzl wrote:
>Hi all,
>
>I want to use a passphrase of any length as a key for the blowfish
>algorithm. I think it would be more secure to hash the passphrase first
>because in a typical passphrase there are probably more alphanumerical
>characters than others, which would make guessing the key easier. Which
>hash algorithm would be suited best to do this / is the best to use in
>connection with blowfish ?

Blowfish has a variable-length key, so you can use MD5 and take the output
directly as a 128-bit key.

>I will probably also use this hash algorithm to derive a 32bit seed for
>a random number generator from a passphrase. Which bits should I use ?
>The first 32, last 32 etc. ?

IPSEC in HMAC-MD5-96 uses the first 96 bits of an MD5 result;
you can read RFC 2104 section 6 about that.

They have more experience than me, but my instinct :) says it is probably
better to use them all. If the hash function output is 128 bits and
your seed 32 bits, XOR the four 32-bit words of the hash result.

Thus the attacker has to know the whole result and not just the first 32 bits,
but... if your hash function has some flaws such as Bit0 xor Bit32 = 1
whatever the values of those bits, he doesn't have to know their value.
But a hash function with such flaws is not a good one :)

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: 512 bit number factored
Date: Mon, 06 Sep 1999 16:09:18 GMT

In article <[EMAIL PROTECTED]>,
  Robert Harley <[EMAIL PROTECTED]> wrote:
>
> Bob Silverman <[EMAIL PROTECTED]> writes:
> > Robert Harley <[EMAIL PROTECTED]> wrote:
> > > Bob Silverman <[EMAIL PROTECTED]> writes:
> > > > No.  They can't.
> > > and then goes into detail saying in essence, "yes they can but not
> > > much, as far as I can see right now".
> >
> > That is not what I said. Go re-read it.
> > [...]
> > (1) Being able to cut the matrix in half, by reducing the factor base
> > (at the expense of a  LOT more sieve time)  doesn't help very much
>
> There, you just said it again.
>
> Bob, you're trying to argue that there are no black swans by going on
> about all the white ones you've studied, and by spewing idiotic ad
> hominems.


What "idiotic ad hominem"???  I merely pointed out that you,  with
ZERO experience with the method were disputing someone with a
LOT of experience.  This is a strange definition of 'ad hominem'.

Further,  your original quote was:

"No, they remember that if solving the matrix is the limiting factor then
they can do more sieving (with a smaller factor base) to compensate, "

This strongly implies that you believe one can 'solve' the space
difficulties by reducing the factor base and doing more sieving, i.e.
that it is possible to 'compensate' for a matrix that is too large.

I simply pointed out that this was not the case.  That the 'compensation'
comes at enormous expense and that the matrix still remains too
large even with this 'compensation'.

>
> Unfortunately your full-time job seems to be FUDing for RSA by just
> such tactics.

I've been saying the same things long before I joined RSA.



>
> Sorry, but it's not my full-time job to drive a truck through the
> holes in your "argument".

I could say that your full time job seems to be contradicting others
out of ignorance. But I won't.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Schneier/Published Algorithms
Date: Mon, 06 Sep 1999 14:37:33 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Bruce Schneier) 
wrote:
>On Sun, 5 Sep 1999 09:40:01 +0200, [EMAIL PROTECTED] (Ralf
>Stephan) wrote:
>
>>Eric Lee Green:
>>>On the other hand, public key encryption (like in the "microsoft thing")
>>>is a fairly new field (and there has been an insinuation that actually
>>>it's an older field, that the NSA had it for years before Shamir et al.
>>>let the genie out of the bottle),
>>
>>We know that at least the Brits had it years before.
>
>"Years" is a bit of an exaggeration.  Looking at the documentation,
>they may have known about public-key cryptography as much as six
>months before.
>

  Yes and we can safely assume that any documentation that would be
come available to the public would accurately tell when an intelligence 
agency first developed the method. Tell me Bruce do you still believe in
Santa Claus.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: examples of twofish?
Date: Mon, 06 Sep 1999 09:50:04 -0700

Shaun Wilde wrote: 
> Can anyone point me to code which has working examples of how to implement
> twofish?
> 
> Also how do you go about generating keys? (from a passphrase/password?)

You can get the documentation for Twofish from Bruce Schneier's site
(http://www.counterpane.com ). The actual source code to Twofish at that
site is not available to you from the UK due to U.S. export
restrictions, but somebody sneaked the source code across the border, so
you can download it from ftp://ftp.funet.fi/pub/crypt . Just bear in
mind that if you are a U.S. citizen you cannot be legally in possession
of that code if you are overseas :-(. There is also a gentleman in the
UK who has re-coded Twofish from scratch using nothing but the
documentation from Bruce's site. I don't happen to have his web site URL
handy at the moment (it is a holiday here in the US and I'm at home). 

To generate a 128-bit key from a passphrase or password you would use
MD5 or some other similar digest algorithm, also adding in a random
"salt" value (saved along with the encrypted password) in order to give
more randomness to the output (this is what modern versions of the Unix
password file use). However, note that all keys generated from a
passphrase or password are "weak" in that they are susceptible to a
dictionary attack. You should ideally use a password generated by a
random number generator, and save the password on floppy disk or etc. to
keep it safe (or you can encrypt it using a 128-bit key generated from a
passphrase, like PGP does, under the assumption that a weaker password
is okay for small texts that are not transmitted over the network).
Bruce has one (Yarrow) at his site (you CAN download that from the UK,
since it's not encryption), and the Linux /dev/random is a fairly strong
random number generator too, based on the same body of research that
went into Yarrow. 

-- 
Eric Lee Green    http://members.tripod.com/e_l_green
  mail: [EMAIL PROTECTED]
                    ^^^^^^^    Burdening Microsoft with SPAM!
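The key-derivation advice in jerome's reply to Stefan Hetzl and in Eric's post above, as an added Python example (not code from either poster, and not PGP's or Unix's routine). It does three things the two posts describe: derives a 128-bit key as MD5(salt || passphrase) with a random salt that is stored in the clear beside the ciphertext; folds the 128-bit digest down to a 32-bit seed by XORing its four 32-bit words, next to the plain "first 32 bits" alternative the question asked about; and runs the dictionary attack Eric warns about, to show that the salt does not rescue a guessable passphrase because each guess costs the attacker one hash. The candidate word list and passphrase are constructed for the demonstration. One caveat the posts predate: a deployment today would put a deliberately slow password hash (PBKDF2, scrypt or Argon2) in place of the single MD5 call; the structure shown here is otherwise the same.

```python
import hashlib
import os
import struct
from typing import Iterable, Optional


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """MD5(salt || passphrase): 16 bytes, usable directly as a 128-bit Blowfish key.

    The salt is not secret.  It is stored next to the ciphertext so that the
    same passphrase gives a different key per file and precomputed tables of
    MD5(passphrase) are useless; it does not add entropy the passphrase lacks.
    """
    return hashlib.md5(salt + passphrase.encode("utf-8")).digest()


def new_salt(nbytes: int = 8) -> bytes:
    """Fresh random salt from the OS RNG (size is a choice made here)."""
    return os.urandom(nbytes)


def fold_seed(digest: bytes) -> int:
    """Reduce a 128-bit digest to a 32-bit seed by XORing its four 32-bit
    words, so every digest bit influences the seed."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte digest")
    seed = 0
    for word in struct.unpack(">4I", digest):   # big-endian, four unsigned 32-bit words
        seed ^= word
    return seed


def first_32_bits(digest: bytes) -> int:
    """The alternative from the question: simply truncate to the first word."""
    return struct.unpack(">I", digest[:4])[0]


def dictionary_attack(salt: bytes, target_key: bytes,
                      candidates: Iterable[str]) -> Optional[str]:
    """Why passphrase-derived keys are weak: the salt is public, so an attacker
    who holds salt and ciphertext tries each guess with one hash apiece."""
    for guess in candidates:
        if derive_key(guess, salt) == target_key:
            return guess
    return None


def random_key(nbytes: int = 16) -> bytes:
    """A key straight from the OS RNG has the full 128 bits of entropy; this
    is the key you would then wrap under a passphrase-derived key, as the
    post describes PGP doing."""
    return os.urandom(nbytes)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("correct horse", salt)            # constructed passphrase
    print("salt      :", salt.hex())
    print("key       :", key.hex())
    print("seed(xor) : 0x%08x" % fold_seed(key))
    print("seed(trunc): 0x%08x" % first_32_bits(key))
    # Constructed word list: the attacker knows the salt, so the lookup is cheap.
    print("recovered :", dictionary_attack(salt, key, ["password", "letmein", "correct horse"]))
    print("random key:", random_key().hex())
```

Neither fold_seed nor first_32_bits can give a 32-bit seed more than 32 bits of strength; if the seed is what protects anything, the passphrase's entropy, not the folding, is the limit.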

------------------------------

From: Ruud de Rooij <*@spam.ruud.org>
Subject: Re: examples of twofish?
Date: 6 Sep 1999 18:53:12 +0200
Reply-To: *@spam.ruud.org

"Shaun Wilde" <[EMAIL PROTECTED]> writes:

> Can anyone point me to code which has working examples of how to implement
> twofish?

lsh (a free replacement for ssh2) contains an implementation of
twofish.  It's in src/symmetric/twofish.c in the lsh source tree.

You can get lsh at ftp://ftp.lysator.liu.se/pub/security/lsh/

> Also how do you go about generating keys? (from a passphrase/password?)

lsh also contains code for that.

> I have used the MS Crypto API (shame on me); however, I'd like to implement
> other block ciphers that haven't had MS's sticky paws all over.

        - Ruud de Rooij.
-- 
ruud de rooij | *@spam.ruud.org | http://ruud.org | http://weer.moonblade.net

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: _NSAKey
Date: Mon, 06 Sep 1999 17:14:14 GMT

[EMAIL PROTECTED] wrote:
> While it may not be necessary ... consider a web site for
> terrorists/communists/libertarians/paedophiles or your favourite group
> of "evil people" this week. How to gain access to its users' security?

Ideally, nobody (including law enforcement agents) is able to
violate their security like that, because if they can do it to
them, they can do it to you!  And don't think it wouldn't happen.

The United States of America was founded on the simple principle
that government should serve the people, instead of vice versa.
We're in danger of that being totally forgotten.  It sure isn't
being taught these days in our government-run schools.

It is interesting that you lumped libertarians in with other
identified groups of "evil people" that need to be surveilled.
I guess you think that the government needs to "protect" us
against people who believe in freedom; that is exactly the
kind of danger that the US Founding Fathers warned us against.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: argument against randomness
Reply-To: [EMAIL PROTECTED]
Date: Mon, 6 Sep 1999 17:02:01 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tom St Denis wrote:

:> Isn't one of the laws of thermodynamics stating the spontaneous
:> creation of energy is impossible (or something to that effect)?
:> Also wouldn't something truly random fall into this category?
:> If I am dead wrong, please let me know.

: You're close to dead wrong. [...]

Though he'd be close to dead-right if you consider the dynamics of some
types of reversible cellular automata.

In these there's effectively a law of conservation of information -
in much the same way as there's a law of conservation of energy in
the real world.

Creation of "true randomness" in such automata would be rather similar to
creation of "matter/energy" in the real world.

Whether the analogy holds true depends on to what extent the universe
is fundamentally a cellular automaton - i.e. to what extent Fredkin's
"Digital Mechanics" holds.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Life would be easier if I had the source code.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
