Cryptography-Digest Digest #302, Volume #10      Thu, 23 Sep 99 14:13:05 EDT

Contents:
  Re: RSA 640 bits keys factored, French banking smart card system cracked! (jerome)
  factorisation of a 2 primes(short) product (jerome)
  Re: International crypto restrictions (SCOTT19U.ZIP_GUY)
  Re: RC4 or IBAA or ISAAC to generate large random numbers (Volker Hetzer)
  Re: Decryption --Help!!! (Jim Gillogly)
  Re: low diffie-hellman exponent (Tom St Denis)
  Re: Securing Executables (Paul Koning)
  Re: msg for Dave Scott (Tom St Denis)
  Re: some information theory (very long plus 72K attchmt) (Tom St Denis)
  Re: factorisation of a 2 primes(short) product (Jerry Coffin)
  Re: RSA weak? (Tom Cooper)
  Re: frequency of prime numbers? ("Douglas A. Gwyn")
  UPDATE: 23rd Sep, UK Internet decryption and interception policy, SFS3.5 
([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (jerome)
Crossposted-To: alt.security.pgp
Subject: Re: RSA 640 bits keys factored, French banking smart card system cracked!
Date: 23 Sep 1999 15:21:09 GMT
Reply-To: [EMAIL PROTECTED]

On Thu, 23 Sep 1999 01:51:24 +0200, Laurent PELE wrote:
>
>He didn't find any leak in the protocol, he didn't have any other choice to
>factor the key, it is said in the 2 pages interview in PirateMag September
>magazine in French.
>

Is this interview available online? If not, would you mind reproducing it?
I can translate it if needed.
Obviously ask PirateMag before, but I don't think it is a problem because
it is a lot of advertisement for them.

------------------------------

From: [EMAIL PROTECTED] (jerome)
Subject: factorisation of a 2 primes(short) product
Date: 23 Sep 1999 15:06:05 GMT
Reply-To: [EMAIL PROTECTED]

I am trying to factor 240-bit numbers which are the product of two 120-bit
primes, and I want to do that with the workstations I have (several
Pentium II/350s). Two questions:

1. Is it possible?
2. What are the algorithms to do that?


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: International crypto restrictions
Date: Thu, 23 Sep 1999 16:21:49 GMT

In article <[EMAIL PROTECTED]>, Eric Lee Green <[EMAIL PROTECTED]> wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>> >If you are not a U.S. citizen, you will have to obey a) the laws of
>> >whatever host country you are located in, and b) the laws of your own
>> >home country.
>>   You make it sound like there is no conflict. Since you wrote
>> "and" it is more than possible the 2 sets of laws conflict.
>> Like what side of the street you drive on. Or do you arbitrarily
>> get to decide which laws are in force.
>
>You are correct, this is a constant source of irritation to international
>businessmen. For example, in many Third World countries the government
>bureaucrats are not paid enough to live on. They thus must, and are
>expected to, personally extract money from those who need government
>services in order to obtain the money necessary to survive. The locals
>consider this a normal cost of doing business. The U.S. government
>considers this bribery of government officials. 
    No, the US government sees nothing wrong with this. Do you see
Clinton in trouble for taking all that Chinese money that they may have
used to get the bomb? FUCK NO, you live in a dream world; US government
officials are among the most corrupt on earth. 
>
>But the fact remains that the U.S. government expects you to follow U.S.
>law at all times, regardless of whether you are physically located in
>the U.S. or not. Heck, they even try to apply the same standards to
>foreign citizens -- anybody remember Manuel Noriega? Hell, he was
>president of a whole damned COUNTRY, and the U.S. went in with the
>Marines, kidnapped him, brought him to Miami, and put him on trial. For
>most countries, though, they just have to ask the host country politely
>for the extradition of the "arms trafficker". 
>
   Manuel Noriega is a good example of our political muscle: he was not
a US citizen and I guess was not smart enough to realize our government
goes in many directions at once. That is, while the CIA was paying him to
be corrupt, another department of the government did not like it. The UN
should have said something about it. But it has not. I don't see Mr 
Wanger getting in trouble for his aid to enemies overseas. The fact
is you are violating laws if you're living and breathing; that is what a police
state is all about. IF they want you they get you, period.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: RC4 or IBAA or ISAAC to generate large random numbers
Date: Thu, 23 Sep 1999 17:04:27 +0200

Gaston Gloesener wrote:
> The question here was: Let's suppose that IBAA fulfills all my needs,
> does the combination really satisfy the same mathematical
> conditions? There is a whole lot of difference between computing a large
> number and combining it from smaller ones. The most simple is the numbers
> themselves. When algorithm A generates 8 bit numbers it will assure that
> all numbers from 0 to 255 are generated. But using two consecutive
> outputs from algorithm A and combining them to a 16 bit value does not
> guarantee that all numbers between 0 and 65535 are! You see the answer is
> not so trivial.
You forgot a VERY important property of cryptographically secure PRNGs:
        Knowing any or all previous outputs should not help you in guessing
        the next output.
If a 0 followed by a 0 is less likely than a 0 followed by a !=0 (all bytes)
this property is violated because you can use your knowledge of a 0 to
predict the likelihood of the next byte being !=0.

Since the whole concept of stream ciphers stems from that property, you might
expect that any good stream cipher is usable for your purpose.
Whether they combine bits, bytes or words into a bit stream does not matter
because of the fact that there is supposed to be NO statistical dependency between
bits. Which, of course implies no dependencies between bit sequences (i.e. words)
of any length.

The question whether you can combine bytes to words is EXACTLY the question
whether a given stream cipher is a good stream cipher.

Greetings!
Volker

-- 
Hi! I'm a signature virus! Copy me into your signature file to help me spread!

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Decryption --Help!!!
Date: Thu, 23 Sep 1999 15:04:57 +0000

[EMAIL PROTECTED] wrote:
> 
> Anybody out there know where I can find a trigram-- you know a listing
> of the frequencies of three letter words in the english alphabet ENT,
> etc.

I think most trigraph tables will tell the frequency of trigraphs without
word divisions.  If what you really want is the 3-letter words, here's
the top of one I produced from a bunch of Gutenberg and other online text
plus some grepping.  The ordering down to about frequency 5000 should be
pretty good, and below 2000 is unreliable.  I arbitrarily cut it off at 
500, since anything that far down depends strongly on the sources.  I
notice some bogosities in the table, like "isn" (I must have reported the
' as a word separator), bot, mai, adv and ter (no idea what brought those
up).  Must be some oddity in the sample.  That leads me to suggest that
you draw your own word or trigraph list from the population you're trying
to break.  For example, if you're trying something from Singh's "The Code
Book", you might want to type in his previous book, "Fermat's Enigma" and
use that to beef up your frequency counts.

the 349158      and 180908      was 62484       his 49814       for 40580
you 33450       had 28259       but 27515       not 24877       her 24467
she 23135       him 21093       all 18632       one 16902       are 16769
who 11144       out 11136       man 9515        now 9499        see 8886
its 8694        has 8200        any 7330        can 7159        two 6700
may 6663        did 5913        our 5912        how 5328        day 5092
old 5028        men 4945        way 4615        don 4496        new 4403
get 3970        own 3792        say 3709        too 3529        off 3497
yet 3356        got 3202        saw 2959        why 2802        let 2745
put 2667        end 2653        mrs 2591        far 2576        god 2475
yes 2135        few 2130        bot 2102        nor 2070        set 2007
sir 1935        law 1757        air 1725        use 1699        sea 1657
war 1643        boy 1624        son 1553        non 1515        act 1487
thy 1479        sat 1415        lay 1405        red 1399        art 1299
per 1193        won 1178        hir 1148        run 1139        ten 1134
obs 1107        bed 1095        wel 1059        age 1051        sun 1048
hem 1037        big 1008        six 1005        bad 980         eye 965
low 960         tom 918         cut 913         met 898         ben 882
die 868         led 853         ran 832         mai 830         ter 795
try 779         ask 771         ago 771         pay 761         cum 756
deg 750         due 732         arm 725         sky 705         sit 679
tho 674         est 642         etc 613         iii 583         nec 571
hot 570         isn 559         qui 555         adv 546         top 545
lie 539         hat 530         bit 530         ill 529         lot 498

If you really wanted trigraphs without word divisions, here's the top of
one I have lying around; it may be from Fletcher Pratt's "Secret and
Urgent", or it may not.

the 1054        ing 317         ent 234         ion 232         tio 177
for 177         ere 162         and 154         ver 147         her 145
tha 143         ter 143         ate 139         hat 134         ati 128
ers 124         res 114         ill 110         eve 107         his 105
are 105         ted 104         con 104         red 101         all 99
nce 96          est 96          man 93          ive 90          ith 90
thi 83          rea 82          ect 81          per 79          und 78
ons 78          one 78          ess 77          wit 75          was 74
men 70          hou 70          ine 68          whi 67          sta 67
pro 67          not 67          ous 66          rom 65          ove 65
tin 64          day 64          ven 63          ore 63          ear 63
int 62          tic 61          sti 61          wer 60          tho 60
oun 60          ort 60          din 60          der 60          ave 60
ain 60          str 57          our 56          lar 56          een 56
com 56          ure 55          ica 55          ant 55          wil 54
rat 54          out 54          ich 54          but 54          any 54
nte 53          hic 53          ard 53          ame 53          pre 52
ome 52          les 52          has 52          whe 51          ide 51
ste 50          sen 50          tur 49          igh 49          enc 49
iti 48          ime 48          dis 48          art 48          hav 47
tes 46          ten 46          pla 46          ned 46          ars 46
twe 45          ree 45          rec 45          nde 45          lan 45
era 45          dre 45          tat 44          nti 44          lly 44
ity 44          end 44          lic 43          fro 43          ell 43
ble 43          min 42          lin 42          ces 42          ose 41
oll 41          ite 41          ist 41          inc 41          ght 41
att 41          act 41          wor 40          ugh 40          two 40
tte 40          tra 40          tor 40          tim 40          ran 40

-- 
        Jim Gillogly
        2 Winterfilth S.R. 1999, 14:51
        12.19.6.10.0, 13 Ahau 8 Chen, Second Lord of Night
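Jim's closing advice is to draw your own word or trigraph list from the population you are trying to break. The following is an added example, not the tool Jim used for the tables above: it builds both kinds of table he distinguishes, three-letter words and letter trigraphs counted without word divisions, and keeps apostrophes attached during word splitting so that "don't" does not surface as a bogus "don" the way it did in his sample. The text in SAMPLE is constructed for the example.

```python
"""Frequency tables of the two kinds Jim distinguishes: three-letter
words, and letter trigraphs counted without regard to word divisions.
Added example, not the tool behind the tables above; SAMPLE is constructed."""
import re
from collections import Counter


def three_letter_words(text: str) -> Counter:
    """Count words of exactly three letters. Apostrophes stay inside a word
    while splitting, and such words are then dropped, so "don't"/"isn't"
    do not surface as the "don"/"isn" artefacts seen in the table above."""
    words = re.findall(r"[a-z']+", text.lower())
    return Counter(w for w in words if len(w) == 3 and "'" not in w)


def trigraphs(text: str, across_words: bool = True) -> Counter:
    """Count overlapping three-letter sequences. With across_words=True every
    non-letter is removed first, so trigraphs span word boundaries (the
    "without word divisions" table); otherwise each word is counted alone."""
    if across_words:
        letters = re.sub(r"[^a-z]", "", text.lower())
        return Counter(letters[i:i + 3] for i in range(len(letters) - 2))
    counts: Counter = Counter()
    for word in re.findall(r"[a-z]+", text.lower()):
        counts.update(word[i:i + 3] for i in range(len(word) - 2))
    return counts


def table(counts: Counter, top: int = 10, columns: int = 5) -> str:
    """Render in the same five-across "xxx NNNN" layout as the tables above."""
    items = counts.most_common(top)
    rows = [items[i:i + columns] for i in range(0, len(items), columns)]
    return "\n".join("".join(f"{g} {c:<12}" for g, c in row).rstrip() for row in rows)


# Constructed sample text (not from any corpus).
SAMPLE = ("The cat and the dog sat on the mat. "
          "Don't let the cat out; the dog won't bite.")

if __name__ == "__main__":
    print(table(three_letter_words(SAMPLE)))
    print()
    print(table(trigraphs(SAMPLE)))
```

Feed it the plaintext population you expect (a book by the same author, the same genre of traffic) rather than a generic corpus; the trigraph "eca" in the sample exists only across the boundary of "the cat", which is exactly the kind of count that differs between the two tables.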

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: low diffie-hellman exponent
Date: Thu, 23 Sep 1999 15:05:29 GMT

In article <[EMAIL PROTECTED]>,
  Eric Lee Green <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> > > an unlicensed implementation of RC5 or RC6 (they are patented here in
> > > the U.S., or, rather, one of the mathematical operations within them is
>
> > Well I already have Twofish in there (along with CAST, Blowfish and XXTEA).
> > No offense but your excuse is rather lame, do you feel that oppressed that
> > you can't download it or you just don't have the time?
>
> Both, sort of. Since I use FreeBSD as my desktop operating system (well,
> I also dual-boot with Linux to run some apps that FreeBSD doesn't seem
> to like too much, like Quake 2), I cannot use your source directly so it
> would be useful mostly as a framework for a quick port. Having to
> snuffle out the proprietary bits is a bit too much hassle for my
> available time. So yes, my "excuse" was rather simplified, but it all
> adds up to the same answer (shrug).


Well, it's really simple to 'deactivate' a cipher; you only need to
comment out two lines.  The entire code, however, is written so that if you
ditch peekboo.c (does the startup/exit and GUI) and keep the rest
you can port it simply by writing a new interface (but preferably with
the same endianness and data file format).

Tom


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Securing Executables
Date: Thu, 23 Sep 1999 11:52:30 -0400

Peter Johnson wrote:
> 
> I'm designing a client/server application that will run in real-time.
> Assuming that the network traffic is secure by using strong encryption, a
> good random number generator for packet sequencing, compression, etc. how do
> I protect against an attack on the client executable?
> 
> For example, if the attacker were running the executable in a debugger could
> he breakpoint at the point in which the data is sent and then backtrack to
> discover the plain text. Or simply search memory for the plain text (if
> known) and work from there?
> 
> I've thought of some solutions:
> 
> 1. Use something like SHA-1 to check the exe at load time for tampering.
> 2. Check with SHA-1 periodically as the client is running.
> 3. Can we check we're running inside a debugging environment and crash out?
> 4. Compress and encrypt local data files

None of that works, because the attacker can attack those tools first.
(Classic example: a long, long time ago someone put a back door in the
Unix login command.  But the code wasn't in the login sources -- it was
in the C compiler sources.  The compiler would detect that it was
compiling the login program, and insert the back door.)

You need to do two things:

1. Keep the box physically secure -- no unauthorized people can touch it
2. Run a sufficiently secure OS.  Unix flavors, carefully configured, 
may be suitable.  Custom kernels ditto, so dedicated networking boxes
can get this right (but they can also get it wrong...)  Avoid MS
products.

        paul

PS. You don't need a random number generator for sequence integrity,
a counter is enough, provided the counter is part of the data integrity
envelope.  Look at IPSEC ESP (or AH).
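Paul's postscript describes the ESP arrangement: a plain counter sent in the clear, covered by the integrity check, and judged against an anti-replay window on the receiver. The following is an added example of that shape, not IPsec code and not Paul's. The packet layout (4-byte sequence number, ciphertext, 16-byte tag), the 64-entry window, and the SHAKE-256 keystream standing in for a real cipher are all this example's own assumptions.

```python
"""Sequence integrity from a plain counter, ESP-style: the counter is sent
in clear, covered by the MAC, and checked against a sliding replay window.
Added example; layout and the SHAKE-256 keystream placeholder are assumed."""
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 16
SEQ_FMT = ">I"          # 32-bit sequence number (ESP without extended numbers)


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Per-packet keystream keyed by the sequence number, which is what lets
    # the counter double as the IV. Placeholder for AES-CTR or ChaCha20.
    return hashlib.shake_256(b"enc" + key + struct.pack(SEQ_FMT, seq)).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, header_and_ct: bytes) -> bytes:
    return hmac.new(b"mac" + key, header_and_ct, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, plaintext: bytes) -> bytes:
        self.seq += 1
        if self.seq >= 1 << 32:
            raise RuntimeError("counter exhausted: rekey before it wraps")
        hdr = struct.pack(SEQ_FMT, self.seq)
        ct = _xor(plaintext, _keystream(self.key, self.seq, len(plaintext)))
        return hdr + ct + _tag(self.key, hdr + ct)   # tag covers seq and ct


class Receiver:
    WINDOW = 64   # bit k of the bitmap records whether (highest - k) was seen

    def __init__(self, key: bytes):
        self.key, self.highest, self.bitmap = key, 0, 0

    def receive(self, pkt: bytes) -> Optional[bytes]:
        if len(pkt) < struct.calcsize(SEQ_FMT) + TAG_LEN:
            return None
        hdr, ct, tag = pkt[:4], pkt[4:-TAG_LEN], pkt[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, hdr + ct)):
            return None                       # forged or modified, seq included
        seq = struct.unpack(SEQ_FMT, hdr)[0]
        if seq == 0:
            return None
        if seq > self.highest:                # newest so far: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            back = self.highest - seq
            if back >= self.WINDOW or (self.bitmap >> back) & 1:
                return None                   # too old, or a replay
            self.bitmap |= 1 << back
        return _xor(ct, _keystream(self.key, seq, len(ct)))


if __name__ == "__main__":
    k = bytes(32)
    s, r = Sender(k), Receiver(k)
    p1, p2 = s.send(b"hello"), s.send(b"world")
    print(r.receive(p2), r.receive(p1), r.receive(p1))   # b'world' b'hello' None
```

Because the MAC is computed over the header, an attacker cannot move a captured ciphertext to a fresh sequence number; because the window is updated only after the MAC check, garbage cannot be used to push the window forward and so deny service to legitimate packets.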

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: msg for Dave Scott
Date: Thu, 23 Sep 1999 16:07:50 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (JPeschel) wrote:
> Yes, Dave claims that the chaining modes and "short key" ciphers
> are weak.  It is, however, according to Dave, the NSA that can
> break these.

Oh well then.  I just want to know what makes his method NSA resistant.  I
figured this type of challenge would spark conversation.

> Which ciphers have you broken?

What does this have to do with anything?  I didn't say 'dave break CAST' I
said dave I am using CAST (or whatever) in CBC mode, break it.  He puts down
a lot of good work (think of the people who made CAST, Blowfish, Twofish, RC4,
RC5, RC6 ... how they feel reading his junk posts) and I want him to justify
it.

Here is a peekboo 1.51 packet (1.51 is not out yet), Dave try reading this
message when 1.51 comes out :)

afaqaaWIALvTLPOvMoaaaaqaaaaWr3zd}EQsUXrUzGT7oFFAhaaaa

Tom


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: some information theory (very long plus 72K attchmt)
Date: Thu, 23 Sep 1999 16:13:44 GMT

In article <7scabg$211m$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> In article <[EMAIL PROTECTED]>, James Felling 
><[EMAIL PROTECTED]> wrote:
> >
> ......
>
> >> The problem with non "one to
> >> one" comp is that they are weak even if the starting portion of the FILE
> >> is not KNOWN. You sir seem to think one always has the start of the
> >> file encrypted that is not necessarily true. What I showed is that non "one
> > to
> >> one" compression weakens the compression followed by encryption even if
> >> there is no information about the input file.
> >
> >Where is this demonstrated?
> >I have seen no such proof. All I have seen is you claiming that this is so.
>         Will take the random file of your choice.
>          pkzip it since this is not "one to one"
>          encrypt it with some AES product.
>
>    Now guessing a key is slow but guess a different key.
>    use the key and then try to decompress the file you got
>   with the key. lots of luck. Its damn hard to even find a key
>   that will lead to a decompressable file.
>   Guess what knowing nothing about your file many keys
>   if not most are eliminated.
>
>    now do the same thing pick a random file.
>   use a "one to one" compressor
>  encrypt it.
>  now if I guess a key I can't throw it out
> since the resulting file is decompressable.
>
>  If you can't follow a simple proof like this then
> don't use compression. It would waste
> your time

What are you talking about?  Ok let's examine a 64-bit block cipher for the
sake of argument.

No matter what cipher it is you have a 1/256 chance of decrypting to ASCII. 
This automatically makes your chances of finding a block of text as 1/256. 
Now of course for compressed data you will have other metrics but you still
will have some ratio of good to bad decrypted text.

So if I compress with DEFLATE and let's say a particular block of 8 bytes
contains 10 bytes of text, I now have a 1/1024 chance of getting ascii?

AT ANY RATE...

Compression is not to enhance the security of a system, I don't even use it
in peekboo and you can't break it or even suggest a possible break. 
Compression is used to cut transmission times.  Think of it.  If your modem
was a 1 Tbps connection and you had a 50 TB hard disk would you care to compress
anything?

Tom


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
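The two key-rejection checks argued over in this thread, Scott's "try to decompress it" and Tom's "does it decrypt to ASCII", can be run side by side. The following is an added example, from neither poster and unrelated to peekboo: a toy 16-bit-key stream cipher (SHAKE-128 keystream, chosen only so the whole key space can be exhausted in seconds) encrypts a plaintext either raw or after zlib compression, and every key is tried against the corresponding check. The two sample plaintexts are constructed.

```python
"""Wrong-key rejection with and without knowledge of the plaintext format.
Added example; the 16-bit-key cipher is a toy so the key space is exhaustible."""
import hashlib
import zlib
from typing import Callable, Dict, List

KEY_BITS = 16


def toy_encrypt(key: int, data: bytes) -> bytes:
    """XOR with a key-derived keystream (toy cipher; the same call decrypts)."""
    ks = hashlib.shake_128(key.to_bytes(4, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def looks_like_text(data: bytes) -> bool:
    """Tom's check: does the candidate plaintext consist of printable ASCII?"""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def inflates(data: bytes) -> bool:
    """Scott's check: does the candidate plaintext decompress at all? zlib
    rejects nearly every random input (header fields, Huffman codes, block
    lengths and the Adler-32 trailer must all be consistent)."""
    try:
        zlib.decompress(data)
        return True
    except zlib.error:
        return False


def surviving_keys(ciphertext: bytes, accept: Callable[[bytes], bool]) -> List[int]:
    """Exhaust the key space; keep the keys the check does not eliminate."""
    return [k for k in range(1 << KEY_BITS) if accept(toy_encrypt(k, ciphertext))]


def compare(plaintext: bytes, key: int) -> Dict[str, List[int]]:
    """Survivors for raw plaintext + ASCII check, and compressed plaintext + inflate check."""
    raw_ct = toy_encrypt(key, plaintext)
    zip_ct = toy_encrypt(key, zlib.compress(plaintext))
    return {
        "ascii": surviving_keys(raw_ct, looks_like_text),
        "inflate": surviving_keys(zip_ct, inflates),
    }


if __name__ == "__main__":
    KEY = 0xBEEF
    text = b"attack at dawn, sir"        # constructed sample, text-like
    binary = bytes(range(32))            # constructed sample with no text structure
    for label, pt in (("text", text), ("binary", binary)):
        r = compare(pt, KEY)
        print(label, "ascii-check survivors:", len(r["ascii"]),
              "inflate-check survivors:", len(r["inflate"]))
```

The ASCII check only helps when the attacker already knows the plaintext is text; on the binary sample it cannot even confirm the right key. The decompression check needs no such knowledge and leaves exactly one key standing in both cases, which is the sense in which a non-bijective compressor hands the attacker a key-confirmation oracle. Whether that matters depends on the cipher's key size, not on the compressor, which is the other side of the argument above.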

------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: factorisation of a 2 primes(short) product
Date: Thu, 23 Sep 1999 11:41:49 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...
> i try to factor numbers of 240 bits which are the product of 2 primes of
> 120 bits and i want do that with the workstations i have (several 
> pentiumII/350). 2 questions:
> 
> 1. is it possible ? 

It should be, though for only 240 bits, using more than one machine 
may be overkill.

> 2. what are the algorithms to do that ? 

This is still small enough that a multiple polynomial quadratic sieve 
is _probably_ still going to be faster than a number field sieve.  
Probably the easiest way to handle it is to grab a copy of Miracl (for 
one example) which includes (among other things) a free factoring 
program as a demo.  It should be able to factor a 240 bit number on 
one machine in less than a day.

-- 
    Later,
    Jerry.

The Universe is a figment of its own imagination.
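Jerome asked which algorithms factor a balanced two-prime product and Jerry recommends a multiple-polynomial quadratic sieve via MIRACL's demo. The following is an added example, from neither poster and not MIRACL's code, of the quadratic sieve in its most stripped-down form: one polynomial x^2 - n, trial division in place of the actual sieving loop, and dense elimination over GF(2). It factors a 31-bit modulus (constructed here from the primes 32749 and 65521) in well under a second; a 240-bit input needs real sieving, many polynomials and the large-prime variation on top of this skeleton.

```python
"""Toy single-polynomial quadratic sieve: the skeleton of the algorithm
Jerry recommends (MPQS). Added example; trial division replaces sieving,
so it is only practical for small moduli."""
import math
from typing import Iterator, List, Optional, Tuple

Relation = Tuple[int, List[int]]   # (x, exponent vector of x^2 - n over the factor base)


def small_primes(bound: int) -> List[int]:
    """Primes up to bound by the sieve of Eratosthenes."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for i in range(2, math.isqrt(bound) + 1):
        if flags[i]:
            flags[i * i::i] = bytes(len(range(i * i, bound + 1, i)))
    return [i for i, f in enumerate(flags) if f]


def factor_base(n: int, bound: int) -> List[int]:
    """Primes p <= bound with n a quadratic residue mod p; x^2 - n can be
    divisible by p only for those, so the others never contribute."""
    return [p for p in small_primes(bound)
            if p == 2 or pow(n % p, (p - 1) // 2, p) == 1]


def smooth_exponents(q: int, fb: List[int]) -> Optional[List[int]]:
    """Exponent vector of q over fb, or None if q has a prime outside fb."""
    exps = [0] * len(fb)
    for i, p in enumerate(fb):
        while q % p == 0:
            q //= p
            exps[i] += 1
    return exps if q == 1 else None


def collect_relations(n: int, fb: List[int], wanted: int, max_interval: int) -> List[Relation]:
    """Walk x upward from ceil(sqrt(n)) and keep x where x^2 - n is fb-smooth.
    (A real sieve marks multiples of each p along the interval instead.)"""
    root = math.isqrt(n) + 1
    relations: List[Relation] = []
    for x in range(root, root + max_interval):
        exps = smooth_exponents(x * x - n, fb)
        if exps is not None:
            relations.append((x, exps))
            if len(relations) >= wanted:
                break
    return relations


def dependencies(relations: List[Relation]) -> Iterator[int]:
    """Gaussian elimination over GF(2): yield bitmasks selecting relations whose
    exponent vectors sum to all-even, i.e. whose product of x^2 - n is a square."""
    pivots = {}  # lowest set bit -> (reduced row, mask of relations it combines)
    for i, (_, exps) in enumerate(relations):
        row = sum(1 << j for j, e in enumerate(exps) if e & 1)
        combo = 1 << i
        while row:
            low = row & -row
            if low not in pivots:
                pivots[low] = (row, combo)
                break
            prow, pcombo = pivots[low]
            row ^= prow
            combo ^= pcombo
        if row == 0:
            yield combo


def quadratic_sieve(n: int, bound: int = 200, max_interval: int = 300_000) -> Optional[int]:
    """Return a non-trivial factor of n, or None if the parameters were too small."""
    if n % 2 == 0:
        return 2
    root = math.isqrt(n)
    if root * root == n:
        return root
    fb = factor_base(n, bound)
    for p in fb:
        if n % p == 0:               # a factor-base prime divides n outright
            return p
    relations = collect_relations(n, fb, len(fb) + 10, max_interval)
    for combo in dependencies(relations):
        x, exps = 1, [0] * len(fb)
        for i, (xi, ei) in enumerate(relations):
            if combo >> i & 1:
                x = x * xi % n
                exps = [a + b for a, b in zip(exps, ei)]
        y = 1
        for p, e in zip(fb, exps):   # every e is even inside a dependency
            y = y * pow(p, e // 2, n) % n
        g = math.gcd(x - y, n)       # x^2 == y^2 (mod n); splits n about half the time
        if 1 < g < n:
            return g
    return None


if __name__ == "__main__":
    N = 2145747229                   # constructed: 32749 * 65521, both prime
    f = quadratic_sieve(N)
    print(f, N // f)
```

Each dependency gives a congruence x^2 = y^2 (mod n) and yields a proper factor with probability about one half, which is why the code gathers ten relations more than the factor base size. Run time is dominated by relation collection; that is the step MPQS attacks with many polynomials and a genuine sieve.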

------------------------------

From: [EMAIL PROTECTED] (Tom Cooper)
Subject: Re: RSA weak?
Date: Thu, 23 Sep 1999 17:49:27 GMT

On Thu, 23 Sep 1999 12:27:08 +0200, "Kem" <[EMAIL PROTECTED]>
wrote:

>Hello:
>
>    I am new to all this crypto stuff, and maybe I am going to make a crazy
>assertion. Please confirm this for me.....
>
>    The RSA algorithm is based on the generation of a key from two very large
>prime numbers. Prime numbers have the quality of being divisible only by
>themselves and 1, but maybe two different numbers (not prime) have the quality
>of generating the same key, and maybe it is possible to take advantage of this
>quality to break the algorithm with "little" changes....
>    I know I am making a silly assertion, but it is only an idea. What's your
>opinion?
>    Thx.
>
>    P.S.: is there any good reference where the RSA algorithm is explained in
>"simple" words?
>
If a number is a product of two primes then this is the only
(non-trivial) way that it can be expressed as a product.  This is a
consequence of the unique factorization theorem for integers. 

It follows that there is no useful choice of non-prime numbers that
generate the original key in the same way.  Tom.


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: frequency of prime numbers?
Date: Thu, 23 Sep 1999 17:07:30 GMT

"Trevor Jackson, III" wrote:
> Douglas A. Gwyn wrote:
> > Donald Welsh wrote:
> > > I'd like to correct this misconception, if I may.  Godel's theorem
> > > does not say that "there are true statements that cannot be proved".
> > > It says that there are unprovable statements.  These statements are
> > > neither true nor false.
> > False unprovable statements are trivial.  Goedel's result
> > pertains to statements that are true, yet unprovable within
> > the given axiomatic system.
> Really.  Do you have a trivial solution to the (false) statement "Turing
> machine N halts?"

What do you mean, "solution"?  What is the *problem*?
Obviously, if the axiomatic system is consistent,
it cannot be used to prove any false statement,
so all the false statements are unprovable.
If the axiomatic system is rich enough to express
the exact statement about Turing machine N, and
that statement is false (which you *stipulate*),
then so long as the system is consistent it cannot
be used to prove that statement.  And inconsistent
axiomatic systems are rather uninteresting.

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: 
alt.security.pgp,comp.security.pgp.discuss,talk.politics.crypto,uk.legal,uk.net,uk.politics.announce,uk.politics.censorship,uk.politics.parliament,uk.telecom
Subject: UPDATE: 23rd Sep, UK Internet decryption and interception policy, SFS3.5
Date: Thu, 23 Sep 1999 17:56:59 +0000
Reply-To: "No Spam" <[EMAIL PROTECTED]>


PROGRAMME UPDATE - http://www.fipr.org/sfs35.html

Scrambling for Safety 3.5 - Thursday September 23 1999
======================================================

The Foundation for Information Policy Research, Privacy International, the
LSE Computer Security Research Centre, and ZDNet UK are jointly sponsoring
the fourth in the series of public conferences on cryptography policy,
e-commerce and Internet surveillance. This will be the second conference of
1999, and has been called in response to the exceptional circumstance of two
official DTI consultations in the same year, and the Home Office's recent
consultation on revising the Interception of Communications Act to cover the
Internet.

The connections between Home Office policy on interception and powers
proposed in Part III of the DTI's draft Electronic Communications Bill (see
FIPR Press Release) will be explored, as well as the legal framework for
establishing voluntary licensing of cryptography services, and recognition
of digital signatures.

09:15 - 13:45, Thursday 23 September 1999
Old Theatre, Main Building, London School of Economics,
Houghton St., London WC2

Admission is free of charge.

Registration: Send e-mail to

 [EMAIL PROTECTED]

...with "name, organisation" in body.

Telephone enquiries: 0171 354 2333

Programme
=========

09.25 Welcome - Caspar Bowden, FIPR

09:30 Introduction - William Heath (Kable)
Tim Pearson (Internet Service Providers Association)
Chris Binns, Alliance for Electronic Business: "Progress towards
self-regulation"

10:00 "Cryptography, privacy and information warfare"
Whitfield Diffie

10:30 "Why we needed further consultation"
Alan Duncan MP, Shadow spokesman on Trade and Industry

11:00 "Cryptography's central role in e-commerce policy"
Chris Sundt, CBI

11:30 "Law enforcement access to keys - legal and human rights issues"
Nicholas Bohm (Law Society)

12:00 "Crypto and security issues post-escrow"
Ross Anderson

12:15 Keynote:
Patricia Hewitt MP - Minister of State for E-Commerce at the DTI

12:35 Panel discussion - Chaired by Caspar Bowden, Director of FIPR

Jim Norton (Cabinet Office PIU)
Stephen Pride (DTI, Head of E-Communications Bill team)
Peter Sommer (Special Adviser, Trade and Industry Select Committee)
Clare Wardle (Post Office)
John Wadham (LIBERTY)
Jack Beatson QC, (Essex Court Chambers)
Stewart Baker (Steptoe & Johnson, ex-NSA General Counsel)

13:30 - close




+=======================================================================+
|           Ivor Peksa - Co-moderator - uk.politics.announce            |
|          Submissions to: [EMAIL PROTECTED]          |
|  Guidelines at : http://www.club.demon.co.uk/U-p-announce/index.html  |
+=======================================================================+



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
