Cryptography-Digest Digest #238, Volume #10 Wed, 15 Sep 99 01:13:03 EDT
Contents:
Re: First draft of Ocotillo now online (jerome)
Re: Size of DH exponent & modulous?? (DJohn37050)
Re: Size of DH exponent & modulous?? (DJohn37050)
Re: RSA Algorithm (jerome)
Re: Ritter's paper (SCOTT19U.ZIP_GUY)
Re: Ritter's paper (SCOTT19U.ZIP_GUY)
Re: Second "_NSAKey" ("Rick Braddam")
Re: _NSAKey (Xcott Craver)
Re: _NSAKey (Xcott Craver)
Re: Help on cryptanalysis ("Kwong Chan")
Re: Ritter's paper
Re: Neal Stephenson's Cryptonomicon: Crypto Cop-Out (John M. Gamble)
Re: Ritter's paper (SCOTT19U.ZIP_GUY)
Re: Help on cryptanalysis (Sundial Services)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (jerome)
Subject: Re: First draft of Ocotillo now online
Date: 15 Sep 1999 01:13:31 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 13 Sep 1999 14:24:33 -0700, Eric Lee Green wrote:
>
>1) Finding sources of adequate initial entropy. I don't think I've done
>a good job there, there's just not many sources on raw Unix :-(.
>However: There are provisions for adding more values to the input pool.
>One suggestion was to use the "jitter" between the times that keystrokes
>came in, etc.
Which one do you use?
>2) How random is the output when asked to give huge numbers of values?
>I've done some initial frequency intervals and on a long-term basis my
>distribution appears quite random, but somebody with more cryptoanalytic
>expertise is likely to see a problem there.
I don't see any if you keep feeding your PRNG with random bits.
>3) How random is the distribution of initial values, considering that
>this thing will primarily be used as part of a server that starts up
>near system boot time and stays running for as long as the system is
>running? This is a place where I'm going to be doing further study.
How do you start the PRNG? What seed do you use?
>4) Is the MD5 hash on the output necessary? I've tried it both ways,
>with and without the hash. In both cases the output appears to be
>statistically random. The thought is that the MD5 hash on the output
>prevents backtracking attacks, is that reasonable?
Yes, MD5 has no publicly known examples of 'plain text' found from
the message digest. But MD5 just diffuses the original randomness; it
doesn't add any.
Don't rely too much on the statistical tests. Even though I have never
tried it, I'm pretty sure that M_i = MD5(M_{i-1}), with M_0 = 0, will pass
the tests even though it isn't random at all. Try it and tell me, please.
>All in all, because I used proven cryptographic components I'm confident
>that it is at least stronger than most "random" number generators used
>by consumer products, but I still get that niggling feeling that because
>I'm a newby to crypto I overlooked something obvious...
As far as I know you are in 'user space'; you can hardly have
control of the data you read. Your timer reads may be synchronized
and/or manipulated by another process (obviously run by an attacker).
You have to use data unknown to the attackers.
To sum up, if you succeed in making a good random generator in user space,
I would be really interested to know how.
Currently I'm writing one in a kernel; it isn't that easy.
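The experiment jerome proposes, carried out as an added example (not code from Ocotillo or from anyone in the thread): the chain M_i = MD5(M_{i-1}) is generated from an assumed M_0 of sixteen zero bytes, run through the NIST SP 800-22 frequency (monobit) test, and then shown to be completely predictable from any single output, which is the property no statistical test can see.

```python
import hashlib
import math

# Constructed setup (assumption): the chain starts from M_0 = sixteen zero
# bytes and each block is M_i = MD5(M_{i-1}), exactly the sequence proposed.
M0 = bytes(16)


def md5_chain(n_blocks: int, seed: bytes = M0) -> list:
    """Return n_blocks of M_i = MD5(M_{i-1}), starting from seed."""
    out, m = [], seed
    for _ in range(n_blocks):
        m = hashlib.md5(m).digest()
        out.append(m)
    return out


def monobit_pvalue(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test: S_n = (#ones - #zeros),
    p = erfc(|S_n| / sqrt(2n)).  A sequence 'passes' when p >= 0.01."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_n = 2 * ones - n
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def passes_monobit(data: bytes, alpha: float = 0.01) -> bool:
    return monobit_pvalue(data) >= alpha


def predict_from_one_output(seen_block: bytes, how_many: int) -> list:
    """Anyone who sees one output can regenerate every later output: the
    chain carries exactly the entropy of M_0 (here: none); MD5 adds nothing."""
    return md5_chain(how_many, seed=seen_block)


def demo(n_blocks: int = 4096) -> tuple:
    """(looks random to the monobit test?, fully predictable from one block?)"""
    blocks = md5_chain(n_blocks)
    stream = b"".join(blocks)                # 64 KiB of "random" output
    looks_random = passes_monobit(stream)
    # A leak of block 100 lets an observer reproduce blocks 101..150 exactly.
    predicted = predict_from_one_output(blocks[100], 50)
    fully_predictable = predicted == blocks[101:151]
    return looks_random, fully_predictable
```

The same reasoning applies to hashing a low-entropy pool: MD5 of 8 bits of entropy is still only 256 possible outputs, however random the bytes look.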
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Size of DH exponent & modulous??
Date: 15 Sep 1999 02:03:33 GMT
For 80 or less symmetric keys, I would use a 1024 bit p and a 160-bit q.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Size of DH exponent & modulous??
Date: 15 Sep 1999 02:11:44 GMT
80 bit symmetric keys or less
Don Johnson
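Don's sizes (a 1024-bit p with a 160-bit q for 80-bit symmetric strength) describe Diffie-Hellman in a prime-order subgroup, where q divides p-1 and the generator has order q. The following is an added example, not code from anyone in the thread: it generates such a group and validates both the parameters and a peer's public value; the bit sizes are parameters so a quick run can use smaller ones, and the Miller-Rabin routine is the example's own.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases (composite passes with prob < 4^-rounds)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_dh_group(p_bits: int = 1024, q_bits: int = 160) -> tuple:
    """Return (p, q, g): p and q prime, q | p-1, g of order exactly q.
    Defaults are the sizes Don gives for 80-bit symmetric strength."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4096):        # try cofactors k until p = k*q + 1 is prime
            k = secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
            k &= ~1                  # even k keeps p odd
            p = k * q + 1
            if p.bit_length() == p_bits and is_probable_prime(p):
                while True:          # g = h^((p-1)/q) has order q unless it is 1
                    g = pow(secrets.randbelow(p - 3) + 2, k, p)
                    if g != 1:
                        return p, q, g


def validate_group(p: int, q: int, g: int) -> bool:
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1)


def validate_public(y: int, p: int, q: int) -> bool:
    """Reject a peer's value unless it lies in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1
```

The public-value check is what the 160-bit q buys you in practice: a value outside the order-q subgroup is refused instead of leaking information about the exponent.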
------------------------------
From: [EMAIL PROTECTED] (jerome)
Subject: Re: RSA Algorithm
Date: 15 Sep 1999 02:26:42 GMT
Reply-To: [EMAIL PROTECTED]
If the requirement is to use public key and not specifically RSA,
you can try to use elliptic curves, which are much faster
for the same strength.
But some people don't like them.
On Tue, 14 Sep 1999 10:28:19 +0100, Gary Partis wrote:
>Hi,
>
>We have implemented a sub-set of RSA (the EXP bit) in Z80 and even after
>extensive optimisation (and dedicated hardware to handle big numbers), it
>is still slow.... :-(
>
>In the standard algorithm, the MULMOD (C=A * Z MOD P) code is called
>extensively, and this code itself is highly iterative (128 times for a
>128-bit key) per call, and it is called a few hundred times per encryption
>and decryption.
>
>Does anyone know of an algorithm which overcomes this performance issue,
>or if there is a set of 128-bit keys/modulus which minimises the need to
>call the MULMOD code from the EXP code?
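Gary's question about how often EXP calls MULMOD has a precise answer for square-and-multiply: one squaring per exponent bit below the top one, plus one multiply per additional set bit. The following added example (not Gary's Z80 code) instruments a left-to-right square-and-multiply to count MULMOD calls on a constructed textbook key (p = 61, q = 53, e = 17, d = 2753), compares common public exponents, and shows CRT decryption, which does not cut the call count but halves the operand width of every call.

```python
import secrets

# Constructed toy RSA key (textbook-sized): p = 61, q = 53, n = 3233,
# e = 17, d = 2753.  Real keys are far larger; the call counts scale the same way.
P, Q, E, D = 61, 53, 17, 2753
N = P * Q


def modexp_counting(base: int, exp: int, mod: int) -> tuple:
    """Left-to-right square-and-multiply.  Returns (base^exp mod mod, number
    of MULMOD calls).  Every exponent bit below the leading one costs one
    squaring; every set bit below the leading one costs one extra multiply,
    so calls = (bit_length - 1) + (popcount - 1)."""
    if exp == 0:
        return 1 % mod, 0
    calls, result = 0, base % mod
    for bit in bin(exp)[3:]:             # bits below the leading '1'
        result = (result * result) % mod
        calls += 1
        if bit == "1":
            result = (result * base) % mod
            calls += 1
    return result, calls


def expected_calls(exp: int) -> int:
    """Closed form of the count above, without doing the arithmetic."""
    return (exp.bit_length() - 1) + (bin(exp).count("1") - 1)


def crt_decrypt(c: int, p: int, q: int, d: int) -> tuple:
    """RSA decryption via the Chinese Remainder Theorem: two exponentiations
    with half-size exponents on half-size moduli, then one recombination.
    The MULMOD count does not drop, but each MULMOD works on operands half
    as wide, roughly 4x cheaper for schoolbook multiplication on a Z80."""
    dp, dq = d % (p - 1), d % (q - 1)
    qinv = pow(q, -1, p)
    m1, calls_p = modexp_counting(c % p, dp, p)
    m2, calls_q = modexp_counting(c % q, dq, q)
    h = (qinv * (m1 - m2)) % p           # one more half-size MULMOD
    return m2 + h * q, calls_p + calls_q + 1


def compare_exponents(bits: int = 128) -> dict:
    """MULMOD cost of the usual low-weight public exponents versus a random
    full-size odd exponent of the given width (the private-key case)."""
    random_e = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    return {e: expected_calls(e) for e in (3, 17, 65537, random_e)}
```

For the public operation the choice of e is what keeps MULMOD calls down (e = 65537 costs 17 calls regardless of key size); for the private operation the exponent is full width, so the savings come from CRT and from a faster MULMOD, not from the count.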
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Ritter's paper
Date: Tue, 14 Sep 1999 20:28:45 GMT
In article <[EMAIL PROTECTED]>, Medical Electronics Lab
<[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>> There is a copy of the article .PDF on my pages. It is first in the
>> list in the Technical Articles section on my top page. The exact link
>> is:
>>
>> http://www.io.com/~ritter/ARTS/R8INTW1.PDF
>
>Thanks!
>
>Patience, persistence, truth,
>Dr. mike
I checked it out; nice article. But what I did not get was the comment about
if you use a patented system and someone breaks it you can recover damages.
What did you mean by that, Mr. Ritter? Are you saying it is against the law to
decode something that is encrypted with a patented method?
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Ritter's paper
Date: Wed, 15 Sep 1999 04:35:59 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Terry Ritter) wrote:
>
>On Tue, 14 Sep 1999 20:28:45 GMT, in <7rm7ls$1jki$[EMAIL PROTECTED]>, in
>sci.crypt [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>
>>In article <[EMAIL PROTECTED]>, Medical Electronics Lab
> <[EMAIL PROTECTED]> wrote:
>>>Terry Ritter wrote:
>>>> There is a copy of the article .PDF on my pages. It is first in the
>>>> list in the Technical Articles section on my top page. The exact link
>>>> is:
>>>>
>>>> http://www.io.com/~ritter/ARTS/R8INTW1.PDF
>>>
>>>Thanks!
>>>
>>>Patience, persistence, truth,
>>>Dr. mike
>>
>> I checked it out; nice article. But what I did not get was the comment about
>>if you use a patented system and someone breaks it you can recover damages.
>>What did you mean by that, Mr. Ritter? Are you saying it is against the law to
>>decode something that is encrypted with a patented method?
>
>Against the law? Well, yes, sort of: using a patented cipher without
>an explicit license is grounds for a suit to recover damages in
>federal court.
>
>This is a distinct -- perhaps minor, perhaps not-so-minor -- advantage
>over non-patented designs, for which, if broken, there is no recourse
>at all. The hard part would be to know what company was involved, but
>once you get wage-scale employees in depositions or even on the stand,
>someone would probably tell the truth, if just to avoid the stigma of
>perjury.
>
>
I am not sure there is such a thing as perjury anymore. I think
Clinton has shown that one can easily lie and avoid any possible
perjury charge.
But I fear you make a point that a patented cipher may be weak
because if the break is easy and if one publishes the break you
could make a suit to recover damages. How then can one study
a patented method and tell others the weakness so they don't
use a weak system? It seems like the patent would actually slow
down the science of crypto. Except for groups like the NSA
which never follow any laws anyway.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: "Rick Braddam" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Second "_NSAKey"
Date: Tue, 14 Sep 1999 12:27:52 -0500
Clifford Heath <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Does anyone want to explain how this purported "back door" operates,
> even if the NSA does hold the matching private key (MS claim they
> don't)?
>
Thank you for responding. A web page I hit today posted two keys in PGP format which
are purported to be the _key and _NSAkey. I was
curious, so I imported them to my keyring. Funny, the keys they are signed with have
the same fingerprint.
If they ARE the Microsoft and NSA keys, it would appear that the NSA key is signed by
Microsoft or vice-versa.
If _NSAkey is a backdoor, it looks like it was left wide open. Someone was bound to
find out about it sooner or later.
Of course, everything on the page I saw could be B___S___; anyone know who Adam at
http://www.cypherspace.org/~adam/ is?
> Clifford Heath http://www.osa.com.au/~cjh
> Open Software Associates Limited mailto:[EMAIL PROTECTED]
> 29 Ringwood Street / PO Box 4414 Phone +613 9871 1694
> Ringwood VIC 3134 AUSTRALIA Fax +613 9871 1711
> ------------------------------------------------------------
------------------------------
From: [EMAIL PROTECTED] (Xcott Craver)
Subject: Re: _NSAKey
Date: 15 Sep 1999 02:37:46 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>The only way that could affect Joe Blow is if he
>accepted installation and activation of such a crypto
>module; just how big a problem that could be depends
>on what you think a likely scenario might be. I'd
>think that such Joe Blows are more at risk from viruses.
Is it possible for a rogue program to replace the value of
_NSAKEY? Then a single module could be replaced with an
evil one without the remaining modules becoming invalid.
Again, there are much easier ways to do much more damage,
but it's important to know just how easily and unnoticeably
an executable can subvert the CryptoAPI. This would be
considerably worse than an executable which unnoticeably
cripples another single executable.
-Scott
------------------------------
From: [EMAIL PROTECTED] (Xcott Craver)
Crossposted-To: talk.politics.crypto
Subject: Re: _NSAKey
Date: 15 Sep 1999 02:43:38 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] wrote:
>> While it may not be necessary ... consider a web site for
>> terrorists/communists/libertarians/paedophiles or your favourite group
>> of "evil people" this week. How to gain access to its users' security?
>It is interesting that you lumped libertarians in with other
>identified groups of "evil people" that need to be surveilled.
>I guess you think that the government needs to "protect" us
>against people who believe in freedom;
If they can protect me against people who don't comprehend
sarcasm, they'll get my vote.
-Scott
[Hmmm... interactive killfiling? What about a killfiler that
actually posts standard trolls, and killfiles the people who
respond? ... NAAAAH.]
------------------------------
From: "Kwong Chan" <[EMAIL PROTECTED]>
Subject: Re: Help on cryptanalysis
Date: Wed, 15 Sep 1999 11:38:14 +0800
JPeschel <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Why bother with more difficult ways of finding a solution
> when you already have two simple ones that work and require
> only the enciphered message for the attack?
I am finding a way to construct a polyalphabetic substitution cipher
using keys with large period, say longer than the plaintext blocks.
Then the two simple ones, the Kasiski test and index of coincidence,
will not work.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Ritter's paper
Date: 15 Sep 99 03:02:44 GMT
Terry Ritter ([EMAIL PROTECTED]) wrote:
: On Tue, 14 Sep 1999 20:29:57 GMT, in
: <[EMAIL PROTECTED]>, in sci.crypt
: [EMAIL PROTECTED] (John Savard) wrote:
: >Extensive past cryptanalytic research does not, as you correctly note,
: >_prove_ a block cipher unbreakable, but it does reduce the likelihood
: >of the existence of a break likely to be known to, or able to be found
: >out by, certain classes of adversary.
: You have made an assertion, not a summary of the known reality. We do
: not know the likelihood of any break.
I think that I could discuss this point by talking about boxes which have
black and red billiard balls inside them, but I might just end up
"proving" your point of view if I did so.
You are certainly correct that if DES has a fixed _a priori_ probability
of being broken by somebody before 2003, no cryptographic result will
alter that probability.
However, the cryptanalytic effort directed against DES has demonstrated
that it is unlikely - very unlikely - that there is some stupid flaw in
DES that would be obvious to a moderately competent opponent.
: The only interaction of interest is
: between the cipher and The Opponent, and the Opponents are not
: talking.
Yes, but I think that an underworld cabal with cryptanalytic competence
approaching that of the NSA, for example, is a subject for a James Bond
movie, but not a threat analysis. However, not all cryptography is aimed
at mere hackers; one might be involved in human-rights efforts, and not
wish the Chinese government to read one's mail.
My point here is that a cipher beyond the reach of Eli Biham and the like
*is* beyond the reach of a large number of likely opponents.
: >(That the history of
: >cryptography is replete with systems that have been proposed for
: >serious use, but which had serious and obvious flaws, as Bruce noted,
: >is surely a fact beyond dispute.)
: Yes. But these data do not imply what you think they do. They have
: shown weakness; they do not imply strength in the remaining ciphers.
No, they do not. But they imply that weakness is likely in an unexamined
cipher. The ones that have survived winnowing for obvious flaws have been
shown not to have that particular type of flaw.
Thus, in using a "new" cipher, I am taking a risk that a moderately
competent cryptanalyst might be able to break it. In using one that has
been extensively studied, I can - as a rough estimate - hope that it will
take an additional period of study, as long as that to which it has
already been subjected, before a flaw turns up.
(Yes, I am a Bayesian.)
: I would say that, in cryptography, partial confidence is no confidence
: at all.
You have a point. However, 1000 times zero is still zero. I trust you can
see how that makes your position as untenable as Bruce's by that standard.
: My article was a specific response to the earlier column which
: essentially said that new cryptography was bad cryptography. My
: article addresses that issue, and apparently you agree that it needed
: to be said.
Well, you seem to have just said that old cryptography is bad
cryptography.
Bruce correctly stated the risks of using untried cipher designs. They
have a significant likelihood of flaws that are relatively easy to find.
: I am aware that the old point of view is fundamentally flawed and
: scientifically invalid. It is *not* almost valid. It is *not* partly
: right. It is *not* right in practice. It is just wrong.
You are correct in saying that certainty of a type recognized in
mathematics is absent here. Many situations in life involve an absence of
certainty. There are ways in which people respond rationally to such a
condition.
Bruce recommends one form of response: gather as much corroborating
evidence as one can, even if it is of a kind with a fundamental
limitation.
You recommend other responses: use multiple ciphers, use a cipher few
other people are using so as to limit the amount of effort expended
against it.
Your recommendations are sound *additional* measures to take in this
situation of uncertainty. But because you are emphasizing that Bruce's
approach doesn't produce logical certainty, you appear to imply that his
strategy of response to the uncertainty can, and perhaps even should, be
neglected.
Obviously, you don't really mean that. You would not seriously offer to
the public an encryption program that enciphered people's messages using
10 algorithms taken from a pool of 1000 algorithms - that you had
developed for you by a local Grade Five class. You wouldn't do that;
nobody would. And the reasons you don't are the same reasons that are
behind what Bruce had said. So Bruce is not "just plain wrong".
John Savard
------------------------------
From: [EMAIL PROTECTED] (John M. Gamble)
Crossposted-To: rec.arts.sf.written,alt.cyberpunk
Subject: Re: Neal Stephenson's Cryptonomicon: Crypto Cop-Out
Date: 15 Sep 1999 03:22:27 GMT
In article <[EMAIL PROTECTED]>,
Ian <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] wrote:
>
>> The second "good" reason Stephenson's Randy
>>has for building The Crypt is that the
>>introduction of a secure anonymous digital
>>currency backed by pilfered World War II gold
>>would help Asia recover from its recent economic
>>woes:
>
>Good grief. I want to ask "can he really be that dumb?", but I read part
Well, no. This book review doesn't accurately reflect the contents
of the book.
I have my own quibbles with some of the characterizations in the
novel, but you wouldn't recognize the plot nor the people based
on this review.
-john
--
Pursuant to US Code, Title 47, Chapter 5, Subchapter II, '227,
any and all unsolicited commercial E-mail sent to this address
is subject to a download and archival fee in the amount of $500
US. E-mailing denotes acceptance of these terms.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Ritter's paper
Date: Wed, 15 Sep 1999 04:42:44 GMT
In article <7rmpuh$6m9$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David Wagner) wrote:
>In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
>> I notice that you say I "hope" my ciphers are not broken.
>
>Oops! I didn't mean to use such a loaded word; my mistake.
>Please strike the word "hope".
>
>I hope you will believe me when I say that I intended for this to be a
>fair comparison, where -- in both scenarios -- the cryptographers try
>their hardest to do the best job possible with the resources available
>to them.
It is obvious you can't do a fair comparison because you lack the
overall grasp of what cryptography is all about.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
Date: Tue, 14 Sep 1999 21:56:52 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Help on cryptanalysis
Kwong Chan wrote:
>
> JPeschel <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
> > Why bother with more difficult ways of finding a solution
> > when you already have two simple ones that work and require
> > only the enciphered message for the attack?
>
> I am finding a way to construct a polyalphabetic substitution cipher
> using keys with large period, say longer than the plaintext blocks.
> Then the two simple ones, the Kasiski test and index of coincidence,
> will not work.
Now multiply this by a day's typical traffic of about 5,000 messages and
see how well it holds up. Be sure also to consider that garbles and
transmission-errors occur, messages have to be sent a second time, and
so on.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************