Cryptography-Digest Digest #247, Volume #10 Thu, 16 Sep 99 14:13:02 EDT
Contents:
Re: The good things about "bad" cryptography (SCOTT19U.ZIP_GUY)
Re: The good things about "bad" cryptography (Medical Electronics Lab)
Re: Comments on ECC (SCOTT19U.ZIP_GUY)
Re: NSA and MS windows (Bill Unruh)
Re: The good things about "bad" cryptography (Patrick Juola)
Re: Ritter's paper (Patrick Juola)
Re: The good things about "bad" cryptography (Bill Unruh)
Exclusive Or (XOR) Knapsacks ("Gary")
Example of a one way function? ("I. Michael Mandelberg")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: The good things about "bad" cryptography
Date: Thu, 16 Sep 1999 16:40:16 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] () wrote:
>There are two schools of thought about how to choose a cipher to securely
>encrypt your messages.
>
>On the surface, it doesn't seem very hard to decide which one you should
>follow.
>
>One school of thought notes that many new cipher designs have turned out,
>after brief examination, to be seriously flawed. Hence, because of this
>high risk, it is not advisable to rely on any cipher that hasn't been
>subjected to extensive study by the foremost experts in the open academic
>world.
One point: it is entirely possible that many of the so-called foremost
experts in the field have to worry about jobs and may have been
influenced by agencies that do not want the public to have safe
encryption. So it is possible that the government could raise people
to the status of crypto god to influence the direction of the open
research. I just learned a few days ago that David Wagner is listed
as an employee of Mr B.S. No wonder they spend so much time
patting each other on the back.
>
>Another school of thought notes things like this:
>
>- if an attacker doesn't know the algorithm being used, he will have a
>harder time of even beginning an attack;
Actually this is the school of thought that the NSA uses for its real stuff.
They very seldom release the source code for their methods. So this
has many merits. But the problem is many of the amateur methods
leave tell-tale signs of what methods are used. So it is very hard to
get methods for the common man that leave no hooks. You should
check to see if a method can encrypt without changing the file length
before you trust it. If it adds random data, don't trust that mode until
you are sure it is safe. If one compresses, do so before the encryption
and make sure it is "one to one" so that no hooks are added to help
decryption.
>
>- most well-known algorithms have key sizes that are just enough to resist
>a brute-force search, even though it's not difficult to increase the key
>size for a symmetric algorithm by an order of magnitude;
>
>- no amount of study can prove that the crack for an algorithm isn't just
>around the corner, and such a crack seems likelier to be both found and
>publicized for a well-known algorithm if it exists.
>
>Despite the fact that the advocates of the first viewpoint are among the
>most respected authorities in the field, while variations of the second
>viewpoint have often been raised by people who are, or who resemble,
>cranks and crackpots,
I assume this is a thinly hidden attempt to point to me. Thanks.
I still say PGP, the earlier versions, did not use CBC. But anyway
the main experts in the field, except for Ritter, are on a narrow game-
playing path and really don't care about secure encryption. They
are playing the AES game of making one method for all, which
is a very stupid idea.
>
>the irritating fact is that the points cited here under the second point
>of view _are all valid_.
>
>Since the basis for the first point of view is *also* valid, this isn't an
>argument for abandoning it. But if security is the goal, we do have to
>widen our horizons. Multiple encryption allows us to do so, to address the
>concerns of the second point of view while still addressing those of the
>first.
Only if multiple encryption is done right. In this case make sure
each method does not change the file length.
>
>John Savard
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE: EMAIL address is for SPAMMERS
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: The good things about "bad" cryptography
Date: Thu, 16 Sep 1999 11:37:48 -0500
[EMAIL PROTECTED] wrote:
>
> There are two schools of thought about how to choose a cipher to securely
> encrypt your messages.
>
> On the surface, it doesn't seem very hard to decide which one you should
> follow.
I suppose it depends on what type of water you like to swim on the
surface of :-)
> One school of thought notes that many new cipher designs have turned out,
> after brief examination, to be seriously flawed. Hence, because of this
> high risk, it is not advisable to rely on any cipher that hasn't been
> subjected to extensive study by the foremost experts in the open academic
> world.
>
> Another school of thought notes things like this:
>
> - if an attacker doesn't know the algorithm being used, he will have a
> harder time of even beginning an attack;
Yes, but if the data is important, the attacker will find a way
to get the algorithm. It is probably easier to get access to the
code than it is to get access to the raw data, so it's pretty safe
to assume that the algorithm *has* been discovered by an adversary
you worry about. However, you can close off worries about script
kiddies. The only thing hiding the algorithm does is reduce the
number of attacks from amateurs; it doesn't really help security.
> - most well-known algorithms have key sizes that are just enough to resist
> a brute-force search, even though it's not difficult to increase the key
> size for a symmetric algorithm by an order of magnitude;
Key size has to trade off calculation time with transmission time
as well as security strength. With present computers, 128 bits
is more than enough, anything less than 64 is insecure. In between
gets kind of fuzzy, and the trade-off depends on the application
and equipment.
> - no amount of study can prove that the crack for an algorithm isn't just
> around the corner, and such a crack seems likelier to be both found and
> publicized for a well-known algorithm if it exists.
That's true for both symmetric and asymmetric systems. But a public
algorithm has the advantage that it's public! The adversary you
worry about knows your algorithm; if you don't assume that, you've
already got a problem with your security. So you might as well
pick an algorithm that's been studied to death.
> Despite the fact that the advocates of the first viewpoint are among the
> most respected authorities in the field, while variations of the second
> viewpoint have often been raised by people who are, or who resemble,
> cranks and crackpots,
:-) Oh well, at least we have fun.
> the irritating fact is that the points cited here under the second point
> of view _are all valid_.
I don't think the first point is valid. Any application of crypto
will have code floating around that gets out to the world. It will
get reverse engineered and the algorithm will be discovered. If
a company or organization has to use crypto, it's because they have
opponents who want to know things, and those opponents *will* find
a way to get the algorithm.
I do like the idea of multiple algorithms. If there are N good
public algorithms, and you "randomly" use any one of them for each
message, then the attacker has to find N different attacks for
each message. The chance that any one of the public algorithms
falls to a new attack means that 1/N of your conversations are
compromised, not all of them. The odds of all N public algorithms
falling are far better than the odds of a bunch of secret
algorithms failing. I'd bet many orders of magnitude better.
> Since the basis for the first point of view is *also* valid, this isn't an
> argument for abandoning it. But if security is the goal, we do have to
> widen our horizons. Multiple encryption allows us to do so, to address the
> concerns of the second point of view while still addressing those of the
> first.
I think we can have the best of both view points. Multiple
public ciphers gives more security than one public cipher,
and since they're all public everyone knows that (at least
publicly) they haven't fallen yet. Whether a cipher is
public or not doesn't change the fact that nobody can *know*
if a cipher is broken or not if the breaker keeps her mouth shut.
There's a reason herd animals are more numerous than individual
ones, and the old weak ones get eaten first. The more ciphers
we have to choose from, the better off we are, and the more
public they are, the more likely they really are secure. But
eventually they all have to die off and be replaced by a
new cipher. Seems like a natural way to do things to me. :-)
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Comments on ECC
Date: Thu, 16 Sep 1999 16:54:41 GMT
In article <[EMAIL PROTECTED]>, Medical Electronics Lab
<[EMAIL PROTECTED]> wrote:
>In his latest "Crypto-Gram", Bruce Schneier wrote:
>
>>Certicom used the event to tout the benefits of elliptic curve public-key
>>cryptography. Elliptic-curve algorithms, unlike algorithms like RSA,
>>ElGamal, and DSA, are not vulnerable to the mathematical techniques that
>>can factor these large numbers. Hence, they reason, elliptic curve
>>algorithms are more secure than RSA and etc. There is some truth here, but
>>only if you accept the premise that elliptic curve algorithms have
>>fundamentally different mathematics. I wrote about this earlier; the short
>>summary is that you should use elliptic curve cryptography if memory
>>considerations demand it, but RSA with long keys is probably safer.
>
>The mathematics *is* fundamentally different Bruce!! There's over
>200 years of work that's been done on elliptic curve math, for you to
>imply that it's the same thing as RSA type math tells me you don't
>really understand it. The fundamental difference is that RSA works
>in the field directly but ECC works "on top" of the field. It is a
>higher level of algebra, a "more abstract" mathematics to put it in
>english.
>
>ECC is more secure than RSA for the following reason:
>It takes exponentially increasing effort to solve the ECDLP for
>each bit of key added compared to the sub-exponentially increasing
>effort associated with each bit of RSA key.
>
>The method of attack is different than RSA; ECC is very similar to
>the DH type problem (discrete log) and this too is very different than
>the factoring problem. In some sense it's easier, there's no final
>matrix you need to solve. However, you have to search harder to find
>two different routes to the same "distinguished point", and it's that
>search process which grows exponentially with key size.
>
>> It's tiring when people don't listen to
>>cryptographers when they say that something is insecure, waiting instead
>>for someone to actually demonstrate the insecurity.
>
>But when cryptographers call something insecure which is very
>secure, then waiting for someone to "actually demonstrate the
>insecurity" is going to be a very long wait indeed.
>
>Bruce, your field of expertise is clearly symmetric ciphers. Stay
>with it, and good luck on getting Twofish as the AES winner. But if
>you don't understand math, don't make false proclamations. It's
>obvious mathematically that ECC is more secure than RSA, and it's
>obvious in engineering terms that it uses fewer resources in time
>and space than RSA for the same level of security.
>
Lots of luck. He and his buddies like to make offhanded comments
like this. But the fact is one can never really be sure that RSA is not
completely broken by the NSA, or the ECC methods. Both are different.
It is foolish of Bruce to say use one over the other and then declare the
ECC method not as safe. It is the same with scott16u and scott19u, which
he and his buddies arrogantly consider to be weak. But they can't prove
it. And when his employee David Wagner said his Slide Attack
would show its death, it had to be pointed out that he was
wrong. His excuse was the source code is too difficult for his
mind to understand the concepts. I guess they can
only understand short-key, short-block symmetric methods;
anything else is too much of a stretch.
It might be best, though slow, to use both methods to solve
for the session key and let the XOR of what each computes
be the session key for the encryption that follows.
This way both methods would have to be broken for the
session key to be leaked, since in "reality" either one could
be broken.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE: EMAIL address is for SPAMMERS
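The exponential-versus-subexponential point made in the quoted post above (Pollard rho on an elliptic-curve group against the number field sieve on an RSA modulus), as an added worked example that is not part of the digest. It evaluates the two textbook cost formulas and compares how much security each key bit buys. Assumptions: the GNFS estimate uses the heuristic L_N[1/3, (64/9)^(1/3)] with the o(1) term and constant factors dropped, so the absolute numbers come out somewhat higher than the published NIST/ECRYPT key-size equivalences; only the growth rates are the point. The function names are mine.

```python
"""Attack-cost growth for ECC vs RSA key sizes (added illustration).

  - ECDLP on a prime-order curve group of size ~2^n: the generic
    (Pollard rho) attack costs about 2^(n/2) group operations,
    i.e. exponential in n.
  - RSA modulus N of b bits: the GNFS heuristic L_N[1/3, (64/9)^(1/3)],
    which is sub-exponential in b.
ASSUMPTION: o(1) terms and constants in the GNFS estimate are dropped;
absolute values are crude, the growth rates are what matter.
"""
import math

GNFS_C = (64 / 9) ** (1 / 3)  # constant c in L_N[1/3, c] for the number field sieve


def ecdlp_bits(group_bits: int) -> float:
    """log2 of the generic-group (Pollard rho) cost for a group of size ~2^group_bits."""
    return group_bits / 2


def gnfs_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost L_N[1/3,c] = exp(c (ln N)^(1/3) (ln ln N)^(2/3))."""
    ln_n = modulus_bits * math.log(2)  # ln N for N ~ 2^modulus_bits
    ln_cost = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_cost / math.log(2)


def marginal_bits(cost_fn, size_a: int, size_b: int) -> float:
    """Security bits gained per key bit added when growing a key from size_a to size_b."""
    return (cost_fn(size_b) - cost_fn(size_a)) / (size_b - size_a)


def equivalent_curve_bits(modulus_bits: int) -> float:
    """Curve group size (bits) whose ECDLP cost matches the GNFS cost for this RSA modulus."""
    return 2 * gnfs_bits(modulus_bits)


if __name__ == "__main__":
    print("RSA modulus  GNFS bits  matching curve bits")
    for b in (512, 1024, 2048, 3072, 4096):
        print(f"{b:>11}  {gnfs_bits(b):9.1f}  {equivalent_curve_bits(b):19.0f}")
    # Every added curve bit buys half a bit of security; an added RSA bit buys far less.
    print("Per added key bit: ECC %.3f, RSA 1024->2048 %.3f"
          % (marginal_bits(ecdlp_bits, 160, 256), marginal_bits(gnfs_bits, 1024, 2048)))
```

Doubling the RSA modulus from 1024 to 2048 bits adds roughly 30 bits to the estimated attack cost; doubling a curve group from 128 to 256 bits adds 64. That asymmetry is the whole of the quoted argument, and the reason the standard equivalence tables pair a 256-bit curve with an RSA modulus of several thousand bits.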
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: NSA and MS windows
Date: 16 Sep 1999 17:10:51 GMT
In <[EMAIL PROTECTED]> fungus <[EMAIL PROTECTED]>
writes:
>Tell me, how does a multinational corporation "lose" a key?
Well, MS also claimed to have lost the source code to DOS, which I would
think was an even harder thing to do.
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: The good things about "bad" cryptography
Date: 16 Sep 1999 11:35:59 -0400
In article <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>There are two schools of thought about how to choose a cipher to securely
>encrypt your messages.
>
>On the surface, it doesn't seem very hard to decide which one you should
>follow.
>
>One school of thought notes that many new cipher designs have turned out,
>after brief examination, to be seriously flawed. Hence, because of this
>high risk, it is not advisable to rely on any cipher that hasn't been
>subjected to extensive study by the foremost experts in the open academic
>world.
>
>Another school of thought notes things like this:
>
>- if an attacker doesn't know the algorithm being used, he will have a
>harder time of even beginning an attack;
>
>- most well-known algorithms have key sizes that are just enough to resist
>a brute-force search, even though it's not difficult to increase the key
>size for a symmetric algorithm by an order of magnitude;
>
>- no amount of study can prove that the crack for an algorithm isn't just
>around the corner, and such a crack seems likelier to be both found and
>publicized for a well-known algorithm if it exists.
>
>Despite the fact that the advocates of the first viewpoint are among the
>most respected authorities in the field, while variations of the second
>viewpoint have often been raised by people who are, or who resemble,
>cranks and crackpots,
>
>the irritating fact is that the points cited here under the second point
>of view _are all valid_.
The problem is that the first point cited here -- *IF* the attacker
doesn't know the algorithm being used -- is widely regarded as a
deeply improbable event, especially in the case of a widely used
or distributed system. I would, in fact, regard that point as "true
but irrelevant", in the same category as "if you make a lucky guess,
then any cryptographic method can be broken," or even "I have a blue
crayon on my desk."
-kitten
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Ritter's paper
Date: 16 Sep 1999 11:31:52 -0400
In article <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>: (b) Other cipher systems have been described in the open literature
>: under the appellation "provably secure". Again, one has to examine
>: the details to know exactly what that means.
>
>In the case of these other ciphers, such as Blum-Blum Shub, the term
>always means "provably as secure as" a mathematical problem, such as
>factoring or discrete logarithm, which cannot itself be proved to be truly
>hard.
My understanding is that there are other cyphers -- the Rip van Winkle
cypher leaps to mind -- that are "provably secure" in the sense of a
proven lower bound on the work factor.
Of course, these cyphers are also impractical (more impractical than
the OTP, in fact) -- but this is as much a technological issue as
a mathematical one.
It's also fairly easy to produce a cryptographic algorithm for which
there is a provable work-factor advantage to having a key -- *however*,
the work factor advantage just isn't sufficient.
-kitten
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: The good things about "bad" cryptography
Date: 16 Sep 1999 17:21:42 GMT
In <[EMAIL PROTECTED]> [EMAIL PROTECTED] () writes:
]There are two schools of thought about how to choose a cipher to securely
]encrypt your messages.
]On the surface, it doesn't seem very hard to decide which one you should
]follow.
]One school of thought notes that many new cipher designs have turned out,
]after brief examination, to be seriously flawed. Hence, because of this
]high risk, it is not advisable to rely on any cipher that hasn't been
]subjected to extensive study by the foremost experts in the open academic
]world.
]Another school of thought notes things like this:
]- if an attacker doesn't know the algorithm being used, he will have a
]harder time of even beginning an attack;
True. But the question is how do you KNOW that your attacker is
ignorant. After all, you have to distribute something which implements
the algorithm to others for them to be able to use it. How do you know
it has not leaked?
]- most well-known algorithms have key sizes that are just enough to resist
]a brute-force search, even though it's not difficult to increase the key
]size for a symmetric algorithm by an order of magnitude;
Hardly. 128 bits for example is well, well beyond the ability to resist
brute force attacks. That stands it seems at around 56 bits right now,
and 2^72 times harder is not "just enough".
]- no amount of study can prove that the crack for an algorithm isn't just
]around the corner, and such a crack seems likelier to be both found and
]publicized for a well-known algorithm if it exists.
No, it is much likelier to be found for a weak algorithm. Publicised
does not matter, since it is your biggest enemy that you have to worry
about.
If your main concern is high school hackers, then the points may be
valid. If your concern is someone or some organisation with any level of
resources to spend, and desire to spend them, then these points become
weak.
And the primary problem is psychological. Security through obscurity,
which this is an example of, gives the user a false sense of security.
Obscurity tends to be very weak against a determined attacker, while it
tends to give the user an inflated sense of safety.
...
]the irritating fact is that the points cited here under the second point
]of view _are all valid_.
Well, their validity is somewhat suspect (see above).
------------------------------
From: "Gary" <[EMAIL PROTECTED]>
Subject: Exclusive Or (XOR) Knapsacks
Date: Thu, 16 Sep 1999 17:35:16 +0100
Exclusive Or (XOR) Knapsacks
Problem:
Given an n-bit number X and a set {B1,B2,...,Bn} of n-bit numbers; is there a
subset whose elements collectively XORed give X?
Can the general problem be solved easily?
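A worked solver for the problem posed above, added here as an example and not part of the original post. XOR is addition in GF(2), and each Bi is a vector of n bits, so the question "is there a subset whose XOR is X" is the linear system c1*B1 + ... + cn*Bn = X over GF(2) with ci in {0,1}. Gaussian elimination answers it in O(n^3) bit operations and also produces the subset; unlike the additive (integer) knapsack, the XOR version is easy. The instance in `__main__` is constructed for illustration, and the function names are mine.

```python
"""XOR knapsack (subset-XOR) solver by Gaussian elimination over GF(2).

Added example. Each pivot row keeps (value, mask): `value` is a reduced
basis vector, `mask` records which original inputs were XORed to make it,
so the chosen subset can be read off once the target reduces to zero.
"""
from typing import Dict, List, Optional, Tuple


def xor_subset(target: int, basis: List[int], nbits: int) -> Optional[List[int]]:
    """Return indices of a subset of `basis` whose XOR equals `target`, or None."""
    full = (1 << nbits) - 1
    pivots: Dict[int, Tuple[int, int]] = {}  # leading bit position -> (value, mask)

    def reduce(v: int, m: int) -> Tuple[int, int]:
        # Clear bits from the top down: a pivot with leading bit b only touches bits <= b,
        # so lower pivots can clean up anything a higher pivot sets.
        for bit in sorted(pivots, reverse=True):
            if (v >> bit) & 1:
                pv, pm = pivots[bit]
                v ^= pv
                m ^= pm
        return v, m

    for i, b in enumerate(basis):
        v, m = reduce(b & full, 1 << i)
        if v:  # linearly independent of the pivots seen so far
            pivots[v.bit_length() - 1] = (v, m)
        # else: b is the XOR of earlier inputs and adds nothing to the span

    v, m = reduce(target & full, 0)
    if v:
        return None  # target lies outside the span of the basis: no subset works
    return [i for i in range(len(basis)) if (m >> i) & 1]


def xor_of(basis: List[int], indices: List[int]) -> int:
    """XOR of the selected basis elements (used to check a solution)."""
    acc = 0
    for i in indices:
        acc ^= basis[i]
    return acc


def brute_force(target: int, basis: List[int]) -> Optional[List[int]]:
    """Exhaustive 2^n search, only for cross-checking tiny instances."""
    n = len(basis)
    for mask in range(1 << n):
        sel = [i for i in range(n) if (mask >> i) & 1]
        if xor_of(basis, sel) == target:
            return sel
    return None


if __name__ == "__main__":
    # Constructed instance: n = 4, B = {1011, 0110, 1101, 0001}, X = 1100.
    basis = [0b1011, 0b0110, 0b1101, 0b0001]
    sol = xor_subset(0b1100, basis, 4)
    print("subset:", sol, "XOR =", bin(xor_of(basis, sol)))
    print("unsolvable:", xor_subset(0b0011, [0b1010, 0b0101], 4))
```

The solver returns one solution; when the basis is linearly dependent (in the constructed instance B1 XOR B2 XOR B3 = 0) other subsets also work, and the set of all solutions is the one found plus any XOR-combination of the dependencies. An empty subset is the answer for X = 0. Nothing here depends on n being the number of basis elements; any number of elements of any width works.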
------------------------------
From: "I. Michael Mandelberg" <[EMAIL PROTECTED]>
Subject: Example of a one way function?
Date: Thu, 16 Sep 1999 20:01:01 GMT
Can someone point me to a one-way-function that is typically used for
encryption?
It ought to use a key.
Thanks
Michael Mandelberg
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************