Cryptography-Digest Digest #202, Volume #10       Wed, 8 Sep 99 16:13:03 EDT

Contents:
  Re: NSA and MS windows ("Donald R. Henstine")
  Help me please with *.mpg.00* ("Sasha Court")
  Re: THE NSAKEY (Guenther Brunthaler)
  Re: THE NSAKEY (SCOTT19U.ZIP_GUY)
  Re: GnuPG 1.0 released (SCOTT19U.ZIP_GUY)
  Re: Hash of a file as key (Enterrottacher Andreas)
  Re: Hash of a file as key (Enterrottacher Andreas)
  Session Keys...how hard to de-crypt? ([EMAIL PROTECTED])
  Re: THE NSAKEY (SCOTT19U.ZIP_GUY)
  Re: simple key dependent encryption (JPeschel)
  6xs released, full (delphi) source included (Walied Othman)
  Re: simple key dependent encryption (John Savard)
  Re: Random and pseudo-random numbers (John Myre)
  Re: MUM III (3 Way Matrix Uninvertable Message) (John Savard)
  Re: Random and pseudo-random numbers (John Savard)
  Re: Ari Benbasat (Michael Heumann)

----------------------------------------------------------------------------

From: "Donald R. Henstine" <[EMAIL PROTECTED]>
Subject: Re: NSA and MS windows
Date: Wed, 8 Sep 1999 14:46:10 -0400

Microsoft, the NSA, and You
Here is the press release; for the full details, look here.

A sample program which replaces the NSA's key is here, at the bottom
of the page.


FOR IMMEDIATE RELEASE

Microsoft Installs US Spy Agency with Windows

Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and
browser bugs, Microsoft has a dismal track record in computer security.
Most of us accept these minor security flaws and go on with life. But
how is an IT manager to feel when they learn that in every copy of
Windows sold, Microsoft may have installed a 'back door' for the
National Security Agency (NSA - the USA's spy agency) making it orders
of magnitude easier for the US government to access their computers?

While investigating the security subsystems of WindowsNT4, Cryptonym's
Chief Scientist Andrew Fernandes discovered exactly that - a back door
for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on
the work of Nicko van Someren (NCipher), and Adi Shamir (the 'S' in
'RSA'), Andrew was investigating Microsoft's "CryptoAPI" architecture
for security flaws. Since the CryptoAPI is the fundamental building
block of cryptographic security in Windows, any flaw in it would open
Windows to electronic attack.

Normally, Windows components are stripped of identifying information.
If the computer is calculating "number_of_hours = 24 * number_of_days",
the only thing a human can understand is that the computer is
multiplying "a = 24 * b". Without the symbols "number_of_hours" and
"number_of_days", we may have no idea what 'a' and 'b' stand for, or
even that they calculate units of time.

In the CryptoAPI system, it was well known that Windows used special
numbers called "cryptographic public keys" to verify the integrity of a
CryptoAPI component before using that component's services. In other
words, programmers already knew that Windows performed the calculation
"component_validity = crypto_verify(23479237498234...,crypto_component)",
but no-one knew exactly what the cryptographic key "23479237498234..."
meant semantically.

Then came WindowsNT4's Service Pack 5. In this service release of
software from Microsoft, the company crucially forgot to remove the
symbolic information identifying the security components. It turns out
that there are really two keys used by Windows; the first belongs to
Microsoft, and it allows them to securely load CryptoAPI services; the
second belongs to the NSA. That means that the NSA can also securely
load CryptoAPI services... on your machine, and without your
authorization.

The result is that it is tremendously easier for the NSA to load
unauthorized security services on all copies of Microsoft Windows, and
once these security services are loaded, they can effectively
compromise your entire operating system. For non-American IT managers
relying on WinNT to operate highly secure data centers, this find is
worrying. The US government is currently making it as difficult as
possible for "strong" crypto to be used outside of the US; that they
have also installed a cryptographic back-door in the world's most
abundant operating system should send a strong message to foreign IT
managers.

There is good news among the bad, however. It turns out that there is a
flaw in the way the "crypto_verify" function is implemented. Because of
the way the crypto verification occurs, users can easily eliminate or
replace the NSA key from the operating system without modifying any of
Microsoft's original components. Since the NSA key is easily replaced,
it means that non-US companies are free to install "strong" crypto
services into Windows, without Microsoft's or the NSA's approval. Thus
the NSA has effectively removed export control of "strong" crypto from
Windows. A demonstration program that replaces the NSA key can be found
on Cryptonym's website.

Cryptonym: Bringing you the Next Generation of Internet Security,
using cryptography, risk management, and public key infrastructure.

Interview Contact:
   Andrew Fernandes
   Telephone: +1 919 469 4714
   email: [EMAIL PROTECTED]
   Fax: +1 919 469 8708

Cryptonym Corporation
1695 Lincolnshire Boulevard
Mississauga, Ontario
Canada  L5E 2T2

http://www.cryptonym.com

# # #




================================================================================


The Full Details
These details are essentially the contents of the "Rump Session" talk
that Andrew Fernandes gave at the Crypto'99 Conference, on 15 August
1999, in Santa Barbara, California.

Note 1: many people have written us and assumed that we "reverse
engineered" Microsoft's code. This is not true; we did not reverse
engineer Microsoft code at any time. In fact, the debugging symbols
were found using standard Microsoft-purchased programmer's tools,
completely by accident, when debugging one of our own programs.

Note 2: many reporters have stated that Andrew studied computer
science at the University of Waterloo and was a classmate of Ian
Goldberg of Zero Knowledge Systems. In fact, Andrew studied
biochemistry and mathematics at Waterloo for his undergraduate, and
mathematics at McGill for his graduate work. He and Ian graduated in
the same year, but really did not know each other at the time.

An Overview of Microsoft's CryptoAPI
Microsoft's CryptoAPI allows independent software vendors (ISVs) to
dynamically load Cryptographic Service Providers (CSPs) as in the
following diagram:



This arrangement of having Windows verify the CSP signature is what
allows Microsoft to add cryptographic functionality to Windows. They
will not digitally sign a CSP unless you first agree to abide by US
export rules. Translation: Microsoft will not allow non-US companies
to add strong crypto functions to Windows.

Fortunately, the verification of the CSP's digital signature opens up
a security flaw in this picture.

Observations
Using NT4 Server, SP5 (domestic, 128-bit encryption version), and
Visual C++ 6, SP3. These same results have been found in Win95osr2,
Win98, Win98gold, WinNT4 (all versions), and Win2000 (up to and
including build 2072, RC1).

Many people have emailed us to say that these debugging symbols are
actually present in NT4-Workstation, and are in the original CD's
debugging symbols! Thanks, people!

Before CSP loading, in ADVAPI32.DLL:
   Address 0x77DF5530  ->  A9 F1 CB 3F DB 97 F5 ... ... ...
   Address 0x77DF55D0  ->  90 C6 5F 68 6B 9B D4 ... ... ...

After RC4 encryption using ... we see:
   A2 17 9C 98 CA  =>  R S A 1 ... 00 01 00 01 ... (looks like an RSA public key)
   A0 15 9E 9A C8  =>  R S A 1 ... 00 01 00 01 ... (looks like an RSA public key)

Looking at SP5 debugging symbols, in "_CProvVerifyImage@8":
   Address 0x77DF5530  <-  has data tag "_KEY"
   Address 0x77DF55D0  <-  has data tag "_NSAKEY"


Screenshots One, Two, Three, Four, and Five showing the actual
debugging information.

The Flaw
An attack:
   - Replace "_KEY" with your own key...
   - ...but Windows will stop working since it cannot verify its own
     security subsystem!
A better attack:
   - Replace "_NSAKEY" with your own key...
   - ...Windows keeps working, since Microsoft's key is still there
   - stops the NSA
   - works because Windows tries to verify the CSP first using "_KEY", and
     then silently fails over to "_NSAKEY"
The Result:
   - Windows CryptoAPI system still functional
   - the NSA is kicked out
   - the user can load an arbitrary CSP, not just one that Microsoft or the
     NSA signed!
Implications
   - What is the purpose of "_NSAKEY"? Espionage? Or do they simply not
     want to rely on Microsoft when installing their own CSPs?
   - Using RSA Data Security's (now Security Dynamics) "BSafe" toolkit
     actually makes analysis of a program easier.
   - We do not need to modify the "advapi32.dll" file in order to remove
     the NSA key, nor do we need special privileges on the machine.
        - use self-modifying code
        - needs undocumented vxd calls under Win95 and Win98
        - needs special memory features under WinNT and Win2k
   - It is easy for any process to bypass any CSP and substitute its own.
   - Export control is effectively dead for Windows.
   - Note for Win2k - there appear to be three keys in Win2k; Microsoft's,
     the NSA's, and an unknown third party's. Thanks to Nicko van Someren
     for bringing this to our attention.
Removing the NSA
A sample program which replaces the NSA key with a test key, and
leaves the rest of the CryptoAPI system intact, can be downloaded by
clicking this link (currently only for WinNT and Win2k). For legal
reasons, source code will be provided for free, but only be available
through a Nondisclosure Agreement with Cryptonym. You can download the
NDA here. These files are provided for demonstration purposes only,
and may not be redistributed or used for any purpose other than
demonstration without the written authorization and license of
Cryptonym Corporation. For more information, please contact:

Andrew Fernandes
email: [EMAIL PROTECTED]
Phone +1 919 469 4714
Fax   +1 919 469 8708
 Win95/98 Programmers: we could use help in porting the software to
Win95/98. If you have a strong background in Win95/98 virtual memory
management, virtual device writing, and Windows 'internals', and don't
mind volunteering your time, please contact Andrew at the addresses
above!

http://www.cryptonym.com/hottopics/msft-nsa.html

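The two-key fail-over that the Cryptonym write-up above attributes to "_CProvVerifyImage", modelled as an added example (not Cryptonym's demonstration program and not Microsoft's code) with textbook RSA over small constructed primes: the verifier tries each embedded root in turn and reports which slot accepted a component, which makes plain that every key in the fail-over list is a full trust anchor and that swapping one slot changes exactly who can sign loadable providers. The class and function names, the primes and the sample provider bytes are all constructed for this demo.

```python
import hashlib

# Constructed demo primes (well-known primes, far too small for real RSA use);
# each pair builds one textbook-RSA key pair.
PRIMES = [(1000000007, 998244353),
          (2147483647, 1000000009),
          (2305843009213693951, 65521)]


def make_keypair(p, q, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def image_digest(image, n):
    """Hash the component bytes and reduce into Z_n (no padding: demo only)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


def sign(priv, image):
    n, d = priv
    return pow(image_digest(image, n), d, n)


def verify(pub, image, sig):
    n, e = pub
    return pow(sig, e, n) == image_digest(image, n)


class ProviderVerifier:
    """Models the check the write-up describes: try the first embedded root
    ("_KEY"); if that fails, silently try the second ("_NSAKEY").  The slot
    that accepted the component is returned (None if none did), so an auditor
    can see which anchor let a provider in instead of just a yes/no."""

    def __init__(self, roots):
        self.roots = list(roots)        # slot 0 ~ "_KEY", slot 1 ~ "_NSAKEY"

    def verify_image(self, image, sig):
        for slot, pub in enumerate(self.roots):
            if verify(pub, image, sig):
                return slot
        return None

    def replace_root(self, slot, pub):
        """The key swap reduced to its effect on the trust set: whoever holds
        the private half of `pub` can now sign providers this verifier accepts."""
        self.roots[slot] = pub


def trust_set_demo():
    """Which slot accepts each constructed provider, before and after the
    second root is swapped for a key the verifier never contained."""
    (ms_pub, ms_priv), (second_pub, second_priv), (user_pub, user_priv) = [
        make_keypair(p, q) for p, q in PRIMES]
    providers = {
        "vendor": b"provider signed by the vendor root (constructed)",
        "second": b"provider signed by the second embedded root (constructed)",
        "user":   b"provider signed by a key outside the verifier (constructed)",
    }
    sigs = {"vendor": sign(ms_priv, providers["vendor"]),
            "second": sign(second_priv, providers["second"]),
            "user":   sign(user_priv, providers["user"])}
    v = ProviderVerifier([ms_pub, second_pub])
    before = {k: v.verify_image(providers[k], sigs[k]) for k in providers}
    v.replace_root(1, user_pub)   # slot 0 untouched, so vendor-signed code still loads
    after = {k: v.verify_image(providers[k], sigs[k]) for k in providers}
    # A tampered image fails under every root, swapped or not.
    tampered = v.verify_image(providers["vendor"] + b"!", sigs["vendor"])
    return before, after, tampered
```

Before the swap the second slot accepts whatever its holder signs; after the swap that provider is refused and the user-signed one is accepted, with the vendor root unaffected throughout.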

------------------------------

From: "Sasha Court" <[EMAIL PROTECTED]>
Subject: Help me please with *.mpg.00*
Date: Wed, 8 Sep 1999 19:58:18 +0100

Could someone explain to me how to view a decoded file of the type *.mpg.00#



------------------------------

From: [EMAIL PROTECTED] (Guenther Brunthaler)
Subject: Re: THE NSAKEY
Date: Wed, 08 Sep 1999 18:24:08 GMT

On 8 Sep 1999 14:50:56 GMT, [EMAIL PROTECTED] (jerome) wrote:

>i don't take position in this debate, i simply show that cryptography 
>is a small world and it isn't exactly fair to say that an employee 
>and his president aren't 'attached'.

Thanks for this information - I think that explains it all.

To David Wagner:
I'm sorry but I wasn't aware that Bruce is your boss and that you are
an employee of the same company and that your public statements may
thus be limited in the same way as Mr. Schneier's. Of course, you also
could not admit such a limitation for very obvious reasons.

So please don't mind my previous articles, because now I know how to
interpret your previous articles. I understand now.


Greetings,

Guenther
--
Note: the 'From'-address shown in the header is an Anti-Spam
fake-address. Please remove 'nospam.' from the address in order
to get my real email address.

In order to get my public RSA PGP-key, send mail with blank body
to: [EMAIL PROTECTED]
Subject: get 0x2D2F0683

Key ID: 2D2F0683, 1024 bit, created 1993/02/05
Fingerprint:  11 71 47 2F AF 2F CD F4  E6 78 D5 E5 3E DD 07 B5 

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: THE NSAKEY
Date: Wed, 08 Sep 1999 20:08:06 GMT

In article <7r66nd$t1u$[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] (David Wagner) wrote:
>In article <7r6262$2hu4$[EMAIL PROTECTED]>,
>SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (jerome)
> wrote:
>> >http://www.counterpane.com/cpaneinfo.html lists d.wagner as a part of 
>> >counterpane personnel and b.scheiner is the president of counterpane.
>> >
>> >i don't take position in this debate, i simply show that cryptography 
>> >is a small world and it isn't exactly fair to say that an employee 
>> >and his president aren't 'attached'.
>> 
>>  Yes if David Wagner showed to much independent thought he might
>> be out a job.
>
>Nonsense.  First of all, I don't have a "job" (other than my grad
>student position at UC Berkeley), and even if I did, I wouldn't pull
>any punches for my employer, no matter who.
>
>Right now, showing independent thought is precisely my job.
>
>Is there a reason we can't debate the technical issue on its merits?
>If my reasoning is flawed, tear it apart.  Trying to attack the messenger
>because you don't like the message he's bringing is rather pointless.
>-- David Wagner
   Actually David you were attacking the messenger in this thread
because you did not like the comments about his impression of Mr.
Bruce. You assumed it was some kind of personal attack. I don't
think it was. And since you have not really been a part of the business
world you can't just assume that you know Mr Bruce's views. You really
can't trust the word of a President of a Company any more than you can
trust the word of the President of the United States. Or are you dumb
enough to believe anything Clinton says when he points his finger at us
and spins a yarn.
>
>P.S.
>Just for the record, I'm not an "employee" of Bruce Schneier.
>I have done some consulting for him (as a consultant, not an employee),
>but not lately.  My main relationship to Counterpane is that I've
>done a lot of research with those folks.  And no, noone at Counterpane
>has ever tried to take advantage of our relationship in any way.
 Just for the record the previous guy says you're listed as personnel of
Counterpane. Or is the file at Counterpane another lie? Since one would
assume that it is somewhat honest. Or is even this level of honesty too much
to expect.
P.S.
 In case there is any confusion I am not and most likely never will be an
employee of Counterpane or the NSA.
Hey, thanks for at least replying to a thread I am on; it is a rare honor of 
sorts. Have you been able to decrypt my source code yet? Or better yet,
what do you think about using compression that is "one to one" as a
first pass before encryption? Little Boy Tommy needs words from you before
he can think. If it really is a little boy.






David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: GnuPG 1.0 released
Date: Wed, 08 Sep 1999 20:18:48 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
(JPeschel) wrote:
> [EMAIL PROTECTED] (JPeschel)
>
>>Jim, it was either NAI or, maybe, PGP, Inc. that got permission 
>>to market PGP Mail overseas. Caused quite a fuss and a lot
>>of specuIation -- I just can't remember dates.
>
>Ah, it was PGP, Inc. that got the Commerce Department's. decision in late May
>of '97. 
>
>The permission was more restrictive than I remembered, and Savard and Jim 
>are right.  
>
>This was the article I found. There are probably a lot more from around
>that time.
>"Pretty Good Privacy gets license for restricted export of strong encryption"
>
>http://cnnfn.com/digitaljam/9705/29/pgp/
>
>Joe
>

  Joe I read the message at "URL" still I think it is kind of an endorsement 
by the NSA to help allow the spread of PGP.  They are allowing it to go
overseas but imply there is a company key that the NSA could use if it was
absolutely needed to look at a message. Kind of like the MS NSA key I guess.
 I still think the NSA wants everyone to use PGP in its weakened form and this
just helps to keep it in the public eye so that more people will use it and 
feel safe.

 However it does not answer my question about the friendly features that are
a help to the NSA in breaking PGP. I was wondering if some of these features
can at least be turned off in the new GnuPG or does anyone really care about
the security of the messages sent with it.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: Enterrottacher Andreas <[EMAIL PROTECTED]>
Subject: Re: Hash of a file as key
Date: Wed, 08 Sep 1999 20:37:36 +0200



Gary schrieb:
> 
> Can anyone actually prove that using a cryptographically strong one way hash
> of a file as the key to its symmetric encryption is weaker than using a
> PRNG?
> 
> (Attacker only has resulting encrypted file and knowledge of the
> algorithms/process used.)

The attacker may know a possible message and test whether the message
was sent or not. In this case the PRNG would be better.

On the other hand the attacker could break the PRNG and this way decrypt
all messages you have sent and will send.

The only solution is to use a TRNG like yarrow or /dev/rand.


Andreas Enterrottacher

[EMAIL PROTECTED]
[EMAIL PROTECTED]

------------------------------

From: Enterrottacher Andreas <[EMAIL PROTECTED]>
Subject: Re: Hash of a file as key
Date: Wed, 08 Sep 1999 20:33:12 +0200

Gary schrieb:
> 
> Would using the hash of a file (just before its symmetric encryption with
> the session date and time as salt) as a session key be a bad idea?

Is it the file you want to send? In this case I don't see a problem:
Without knowledge of the file it is impossible to guess the file, and
with knowledge of the file it isn't interesting any more.
The role of date and time is the same as that of an IV: The same file
sent two times doesn't produce the same cipher text.
In addition you are able to check the file for integrity - as long as
you know the session date and time.


Andreas Enterrottacher

[EMAIL PROTECTED]
[EMAIL PROTECTED]

------------------------------

Date: Wed, 08 Sep 1999 14:41:42 -0500
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Session Keys...how hard to de-crypt?

To all,
Anyone have any data/best guesses on how long and how much computing
power it would take an expert to break one of the session keys generated
by a browser for use in an SSL session?
Thanks,
Michael Sorbera
Webmaster
Randolph-Brooks Federal Credit Union



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: THE NSAKEY
Date: Wed, 08 Sep 1999 20:39:41 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
(Guenther Brunthaler) wrote:
>On 8 Sep 1999 14:50:56 GMT, [EMAIL PROTECTED] (jerome) wrote:
>
>>i don't take position in this debate, i simply show that cryptography 
>>is a small world and it isn't exactly fair to say that an employee 
>>and his president aren't 'attached'.
>
>Thanks for this information - I think that explains it all.
>
>To David Wagner:
>I'm sorry but I wasn't aware that Bruce is your boss and that you are
>an employee of the same company and that your public statements may
>thus be limited in the same way as Mr. Schneier's. Of course, you also
>could not admit such a limitation for very obvious reasons.
>
>So please don't mind my previous articles, because now I know how to
>interpret your previous articles. I understand now.
>
>
>Greetings,
>
>Guenther

 Maybe you haven't followed the whole thread; it seems Mr Wagner is now
claiming he was never an employee of Mr Bruce, only that he worked as a
contractor. So I guess we should consider the information as bogus.
Why would David Wagner lead us astray? Unless there is a remote possibility
of a future job. Nay, he wouldn't do that. Silly the thoughts that cross my 
mind.




David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: simple key dependent encryption
Date: 08 Sep 1999 19:44:27 GMT

steve cator <[EMAIL PROTECTED]> writes:


>where can i find info on how it would be cracked?  the key does not go with
>the file.
>
>c) does the key have to be discovered, or is there another method for
>cracking the encrypted file?

First, you determine the length of the key by the Kasiski method or
the IOC.  (John seems to prefer Kasiski, Doug the IOC. You could
use both tests -- that is, use the IOC to confirm the Kasiski results,
and, in the process, learn both methods.)

Once you've determined the length of the key all you have left to
face are a handful of monoalphabetic ciphers to solve by frequency
analysis. The encipherment of the space key (20h) should occur
most often.

Try the Lanaki lessons on my site.

Joe




__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Walied Othman <[EMAIL PROTECTED]>
Subject: 6xs released, full (delphi) source included
Date: Wed, 08 Sep 1999 21:04:09 +0200



6xs, sics (Secure Internet Communication Suite), is a program I put
together to communicate safely with persons you trust over the internet.
There is a module to encrypt, decrypt, sign and verify files. Another
module allows you to encrypt, decrypt, sign and verify email messages.
Public key algorithms available in these modules are RSA, ElGamal, DSA,
GOSTDSA. And last but not least a ComLink module, where you can secure
your chat session using the Diffie-Hellman key agreement protocol. The
available blockciphers are BlowFish, TwoFish, RijnDael, GOST, IDEA and
Cast-256. Hash-algorithms include SHA-1, Haval and RipeMD-160.
The variety of algorithms allows you to use the ones you trust. I've
included the (delphi) source code so you can check the implementation.

available at triade: http://ace.ulyssis.student.kuleuven.ac.be/~triade





------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: simple key dependent encryption
Date: Wed, 08 Sep 1999 19:35:58 GMT

steve cator <[EMAIL PROTECTED]> wrote, in part:

>where can i find info on how it would be cracked?  the key does not go with
>the file.

The same basic method would be used as in cracking a text Vigenere.

Even if you're encrypting a program file, there are likely stretches
of text inside it (messages to the user).

So the first thing an attacker might look for is an area in the binary
file where a pattern in the first two bits of the bytes keeps
repeating.

Once that's been found, the length of the key is found. The game is
nearly over.

Now, line up the bytes in that many columns. Trying different
possibilities, find what could be XORed with all those bytes - in one
column and within a suspected text stretch - to generate common
letters. Give priority to choices that make words or common digrams
with adjacent bytes in the other columns.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
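
Peschel's and Savard's replies above describe the same procedure for a repeating-key XOR file cipher: find the key length by the index of coincidence (with Kasiski repeat distances as a confirming test), then treat each column as a monoalphabetic substitution in which the most frequent byte is an enciphered space. As an added example that comes from neither poster, the following runs that procedure end to end on a constructed English sample under a constructed 7-byte key; the function names are my own.

```python
from collections import Counter
from itertools import cycle

# Constructed sample plaintext: ordinary English with spaces, like the text
# stretches Savard expects to find inside a program file.
PLAINTEXT = (
    b"the attacker knows that the same short key was applied to every byte of the "
    b"file and that stretches of ordinary text appear inside it. the first task is "
    b"to find the length of the key. once the length of the key is known the cipher "
    b"text falls apart into a handful of simple substitution columns and each column "
    b"is solved by counting which byte appears most often because the space character "
    b"is the most common byte in english text. the second task is then nothing more "
    b"than frequency analysis of each column on its own. this is the same method that "
    b"is used to break a classical vigenere cipher and it works just as well when the "
    b"key is mixed into the bytes with exclusive or instead of being added to letters."
)
KEY = b"keyword"   # constructed 7-byte key with distinct bytes


def xor_repeating(data, key):
    """Repeating-key XOR: byte i is combined with key[i % len(key)]."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def columns(data, period):
    """Column j holds every byte enciphered with key byte j, so each column
    is a single monoalphabetic substitution of the plaintext."""
    return [data[j::period] for j in range(period)]


def index_of_coincidence(col):
    """Probability that two bytes drawn from `col` are equal.  English-like
    data scores well above a mixture of several substitutions."""
    n = len(col)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(col).values()) / (n * (n - 1))


def mean_ioc(ct, period):
    return sum(index_of_coincidence(c) for c in columns(ct, period)) / period


def guess_period_ioc(ct, max_period=16):
    """The true period and its multiples all score high; report the smallest
    period whose mean IOC is close to the best score seen."""
    scores = {p: mean_ioc(ct, p) for p in range(1, max_period + 1)}
    best = max(scores.values())
    return min(p for p, s in scores.items() if s >= 0.85 * best)


def kasiski_distances(ct, n=4):
    """Distances between consecutive occurrences of repeated n-grams.  A repeat
    caused by the same plaintext fragment under the same key bytes sits at a
    distance the key length divides, so the period divides most distances."""
    last, dists = {}, []
    for i in range(len(ct) - n + 1):
        g = ct[i:i + n]
        if g in last:
            dists.append(i - last[g])
        last[g] = i
    return dists


def kasiski_support(ct, period):
    """Fraction of repeat distances divisible by `period`, used to confirm
    the IOC guess (Peschel's suggestion of running both tests)."""
    d = kasiski_distances(ct)
    return sum(x % period == 0 for x in d) / len(d) if d else 0.0


def recover_key(ct, period):
    """Per column, take the most frequent ciphertext byte as an enciphered
    space (0x20), as Peschel suggests, and XOR it back to get the key byte."""
    return bytes(Counter(col).most_common(1)[0][0] ^ 0x20
                 for col in columns(ct, period))


def break_repeating_xor(ct):
    """Key length by IOC, then frequency analysis of each column."""
    period = guess_period_ioc(ct)
    key = recover_key(ct, period)
    return period, key, xor_repeating(ct, key)
```

On binary input the same steps apply, but the space-byte heuristic only holds inside the text stretches, so in practice the columns are restricted to a region that looks like text first.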

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Random and pseudo-random numbers
Date: Wed, 08 Sep 1999 13:42:51 -0600


[EMAIL PROTECTED] wrote:
<snip>
> But if your initial randomness is smaller than the keys you generate, then
> brute-force search over the smaller pool of possibilities for the initial
> randomness will do you in. To make 1024-bit keys, you *need* 1024 bits of
> true randomness to start from, and 2048 bits is better.

Not necessarily; in fact, probably not.

If the 1024 bit key is an RSA key, for example, then in fact we
don't expect or require 1024 bits of entropy.  No RSA key would
ever be attacked by brute force - factorization is much faster.
It is only necessary to have as much entropy as would make a
brute force search over the entropy state at least as hard as
factorization.  I leave it to more numerically inclined types
to make claims about how many bits that is.

For generating many keys, of course we need more entropy.  But
it isn't as simple as saying we need X bits of entropy times
N keys.  With a hash obscuring relationships between the PRNG
outputs, we can get by with less.  I will not be so bold as
to try to say how much...

John M.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: MUM III (3 Way Matrix Uninvertable Message)
Date: Wed, 08 Sep 1999 19:17:27 GMT

"Gary" <[EMAIL PROTECTED]> wrote, in part:

>Alice has a message which she turns into an uninvertable square matrix, M.
>She picks a random invertable square matrix, A.

>Alice sends Bob the product of these 2 matrices, AM.

>Bob generates a random invertable square matrix, B.

>Bob sends Alice the product AMB.
>Alice then sends (Inverse of A)AMB=IMB=MB, where I is the identity matrix.
>Bob now has MB(Inverse of B)=MI=M.

I think someone recently asked about just that method, the Shamir
three-pass protocol, but implemented with matrix multiplication
instead of exponentiation.

The idea is that while the attacker has AM, AMB, and MB, since M is
not invertible, it isn't possible to just divide AMB by AM or MB to
get A and B with which to find A.

But that doesn't really work.

M is not invertible because when a vector is multiplied by M,
information may be lost. If A was replaced by a similar matrix, but
one that lost, or transformed differently, that same information, AM
would still be the same. An operation similar to division can be
performed to extract one of the matrices equivalent to A from AMB and
MB.

So M can still be found.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
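
Savard's argument above, carried out as an added example (not Gary's proposal and not Savard's code): the three passes are run with 3x3 matrices over GF(101) using a rank-2 message M, and an eavesdropper who holds only AM, AMB and MB solves A'Z = Y for some invertible A' and obtains M as A'^{-1}X. The prime, the sample matrix and all function names are constructed for this demo.

```python
import random

P = 101  # all arithmetic is over the field GF(P); a small prime chosen for the demo
# Constructed 3x3 message: row 2 is twice row 1, so M has rank 2 and no inverse.
MESSAGE = [[1, 2, 3],
           [2, 4, 6],
           [0, 1, 1]]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % P
             for j in range(len(B[0]))] for i in range(len(A))]

def transpose(A):
    return [list(col) for col in zip(*A)]

def rref(M, npiv):
    """Reduced row echelon form mod P with pivots only in the first `npiv`
    columns (so [Z | Y] reduces as an augmented system).  Returns (rows, pivots)."""
    M = [row[:] for row in M]
    pivots, r = [], 0
    for c in range(npiv):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [x * inv % P for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % P for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots

def inverse(A):
    """Inverse mod P via [A | I] -> [I | A^-1], or None when A is singular."""
    n = len(A)
    aug, piv = rref([A[i] + [int(i == j) for j in range(n)] for i in range(n)], n)
    return [row[n:] for row in aug] if len(piv) == n else None

def solutions(Z, Y):
    """All S with Z S = Y: a particular solution S0 plus a null-space basis of Z;
    adding any null-space vector to any column of S0 keeps Z S = Y."""
    n = len(Z)
    aug, piv = rref([Z[i] + Y[i] for i in range(n)], n)
    assert not any(any(row[n:]) for row in aug[len(piv):]), "inconsistent system"
    S0 = [[0] * n for _ in range(n)]
    for r, c in enumerate(piv):
        S0[c] = aug[r][n:]
    basis = []
    for f in (c for c in range(n) if c not in piv):
        v = [0] * n
        v[f] = 1
        for r, c in enumerate(piv):
            v[c] = -aug[r][f] % P
        basis.append(v)
    return S0, basis

def recover_message(X, Y, Z):
    """Eavesdropper's view: X = AM, Y = AMB, Z = MB.  Take any invertible A'
    with A'Z = Y.  Then (A' - A)MB = 0, so (A' - A)M = 0 since B is invertible,
    hence A'M = AM = X and M = A'^{-1} X (Savard's 'matrix equivalent to A')."""
    n = len(Z)
    S0, basis = solutions(transpose(Z), transpose(Y))    # Z^T A'^T = Y^T
    for _ in range(200):
        # shift each column of S0 by a random null-space combination
        coeffs = [[random.randrange(P) for _ in range(n)] for _ in basis]
        S = [[(S0[i][j] + sum(c[j] * v[i] for v, c in zip(basis, coeffs))) % P
              for j in range(n)] for i in range(n)]
        A_prime_inv = inverse(transpose(S))
        if A_prime_inv is not None:
            return matmul(A_prime_inv, X)
    raise RuntimeError("no invertible A' found")

def random_invertible(n):
    while True:
        A = [[random.randrange(P) for _ in range(n)] for _ in range(n)]
        if inverse(A) is not None:
            return A

def run_protocol(M, seed=1):
    """The three passes as Gary describes them; returns what an eavesdropper sees."""
    random.seed(seed)
    A, B = random_invertible(len(M)), random_invertible(len(M))
    X = matmul(A, M)                    # Alice -> Bob:   AM
    Y = matmul(X, B)                    # Bob -> Alice:   AMB
    Z = matmul(inverse(A), Y)           # Alice -> Bob:   MB
    assert matmul(Z, inverse(B)) == M   # Bob recovers M legitimately
    return X, Y, Z
```

The recovery never touches A or B themselves; the singularity of M is exactly what leaves enough freedom to pick a different but equally usable A'.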

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Random and pseudo-random numbers
Date: Wed, 08 Sep 1999 19:19:59 GMT

Tim Tyler <[EMAIL PROTECTED]> wrote, in part:
>[EMAIL PROTECTED] wrote:

>: To make 1024-bit keys, you *need* 1024 bits of
>: true randomness to start from, and 2048 bits is better.

>If you want 1024 bit keys - and you have 1024 bits of true randomness -
>what more could you possibly ask for?

If I want 100 1024-bit keys, I *must* have at least 1024 bits of true
randomness before I generate the first key, but I can get by (although
it isn't recommended) using a pseudorandom process afterwards to
generate key #2, key #3 ... to key #100.

I'm sorry if I left this part ambiguous in my post.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Michael Heumann <[EMAIL PROTECTED]>
Subject: Re: Ari Benbasat
Date: Wed, 08 Sep 1999 19:12:20 GMT

In article <vWwB3.22565$[EMAIL PROTECTED]>,
  "Richard Parker" <[EMAIL PROTECTED]> wrote:
> Michael Heumann <[EMAIL PROTECTED]> wrote:
>
> > Does anybody have a working email address of Ari Benbasat (the
Yarrow
> > programmer)? The address he gives in the readme files doesn't work.
> > Where else could I look for him?
>
> Michael,
>
> I'm reluctant to post someone's e-mail address into a public newsgroup
> without their permission.  I will, however, mention that by trying a
> few AltaVista searches it only took me about 30 seconds to discover
> his new e-mail address.  Give it a try, I'm sure you'll find it too.
>
> -Richard
>

Oops. It didn't even occur to me to search for an email address there.
Thanks, Richard.
Regards,
Michael.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
