Cryptography-Digest Digest #309, Volume #10 Fri, 24 Sep 99 14:13:03 EDT
Contents:
Re: RSA 640 bits keys factored, French banking smart card system craked! (Bruce
Barnett)
Re: some information theory (very long plus 72K attchmt) (Tim Tyler)
Re: DES source code? (Armin Ollig)
Re: RSA 640 bits keys factored, French banking smart card system craked! (Johnny
Bravo)
Re: Relating cyrptology to factoring? ("Sam Simpson")
Re: Relating cyrptology to factoring? (Tim Tyler)
Re: Securing Executables (Tim Tyler)
Re: some information theory (very long plus 72K attchmt) (Tim Tyler)
Re: RC4 or IBAA or ISAAC to generate large random numbers (Gaston Gloesener)
Re: EAR Relaxed? Really? (Jim Gillogly)
Re: Relating cyrptology to factoring? (JPeschel)
Re: Second "_NSAKey" ("Charles R. Lyttle")
Re: Glossary of undefineable crypto terms (was Re: Ritter's paper) (Patrick Juola)
Re: EAR Relaxed? Really? (Medical Electronics Lab)
Re: RSA 640 bits keys factored, French banking smart card system craked! (Your Name)
Re: DES source code? (Bill Unruh)
Re: Relating cyrptology to factoring? (jerome)
Re: RSA 640 bits keys factored, French banking smart card system craked! (Medical
Electronics Lab)
Re: Thesis Announcement: "Rethinking public key infrastructures and digital
certificates --- building in privacy" (Medical Electronics Lab)
Re: EAR Relaxed? Really? ("Douglas A. Gwyn")
Re: Second "_NSAKey" ("Douglas A. Gwyn")
Re: Relating cyrptology to factoring? ("Douglas A. Gwyn")
----------------------------------------------------------------------------
From: Bruce Barnett <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: RSA 640 bits keys factored, French banking smart card system craked!
Date: 24 Sep 1999 09:05:35 -0400
Alex <[EMAIL PROTECTED]> writes:
> I was under the impression that it's the other way around, i.e. the
> number of primes less than x is roughly x/log(x).
Forgive my ignorance, but while the number of primes may be x/log(x),
does the algorithm try to find primes of a certain minimum size? How
much does this reduce the search?
--
Bruce <barnett at crd. ge. com> (speaking as myself, and not a GE employee)
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: some information theory (very long plus 72K attchmt)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 24 Sep 1999 14:27:17 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
[compression before encryption]
: However saying (paraphrase) 'it eliminates any bias or correlations' is
: completely false. That's like saying the entropy of the contents has changed
: yet nothing was added or removed.
This seems to be your old point all over again.
Compression is completely capable of removing information from messages -
with the information subsequently residing in the compressor/decompressor
while the message remains compressed.
*Only* if you consider complexity by taking it to be length of description
in the language of your compression program - is your statement correct -
and this would be a *bizarre* usage.
I can encrypt "Mary had a little lamb" to "2" if my compression
routine has the primitives:
"1" -> "The cat sat on the mat"
"2" -> "Mary had a little lamb"
"3" -> "Tiger Tiger, burning bright"
No one would claim that "2" and "Mary had a little lamb" had the
same information content, unless they also had the decompressor
to hand.
The complexity of the raw information content of:
a) the message and b) the compressor and c) a flag to say if the
message is compressed or not ...remains unchanged.
However, just because b) and c) do not change, that does *not* mean a) is
static.
This is because the complexity of the information contained in a) and b)
and c) is *not* that present in a) plus that present in b) plus that
present in c).
: Of course ASCII text is easier to analyze but compressed text can be
: attacked as well. You just have to change what 'grammar' you are
: looking for.
That's the key. If you know in advance what compression technique is
being used, you can try decompressing and apply ordinary frequency
analysis to the results to see if you have reached english text -
or something else with a clear structure.
However, you *can't* apply frequency analysis to help with the decryption
process itself any longer - as in a properly compressed file all symbols
should occur with approximately equal frequencies and in no apparent
order.
Compressed files /look/ more random as there's the same content present in
less cyphertext.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
You can't take it with you.
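Added example, not part of Tyler's post or of any digest contributor's code: it measures what Tyler describes, namely that a compressor flattens the byte frequencies an analyst would otherwise lean on, while the content is still fully recoverable by anyone holding the decompressor. The sample paragraph is constructed for the demo and zlib stands in for whichever compressor precedes encryption; the "looks like English" check is a simple structural test, not the page's own.

```python
"""Added example (not from the digest): how compression flattens the symbol
statistics that frequency analysis relies on, using zlib as the stand-in
compressor and a constructed English paragraph as input."""
import math
import zlib
from collections import Counter

# Constructed sample plaintext: ordinary English with the usual letter skew.
SAMPLE_TEXT = (
    "Compression before encryption is an old idea. The compressor removes the "
    "redundancy that frequency analysis feeds on, so the ciphertext carries the "
    "same content in fewer symbols. The information has not vanished; it now "
    "lives in the decompressor, and anyone holding the decompressor can recover "
    "the original text from the compressed form. What changes is the shape of "
    "the data an attacker sees: no letter dominates, no word boundary repeats, "
    "and the familiar spacing of prose disappears. That removes a tool from the "
    "attack on the cipher itself, but it does not remove the structure of the "
    "message, which returns the moment a correct key is tried and the result is "
    "run back through the decompressor."
)

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 is the uniform maximum)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def top_symbol_share(data: bytes) -> float:
    """Fraction of bytes taken by the single most common value; frequency
    analysis works best when this is far above 1/256."""
    return Counter(data).most_common(1)[0][1] / len(data)

def compare(plaintext: bytes) -> dict:
    """Side-by-side statistics for the raw text and its zlib-compressed form."""
    compressed = zlib.compress(plaintext, 9)
    return {
        "plain_len": len(plaintext),
        "comp_len": len(compressed),
        "plain_entropy": shannon_entropy(plaintext),
        "comp_entropy": shannon_entropy(compressed),
        "plain_top_share": top_symbol_share(plaintext),
        "comp_top_share": top_symbol_share(compressed),
    }

def is_probably_english(candidate: bytes) -> bool:
    """Structural test for 'clear structure' in a decompressed candidate:
    almost all bytes printable and spaces at prose-like frequency."""
    if not candidate:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in candidate) / len(candidate)
    spaces = candidate.count(b" ") / len(candidate)
    return printable > 0.95 and 0.1 < spaces < 0.3

def compressed_looks_like_english(plaintext: bytes) -> bool:
    """The compressed bytes themselves fail the structural test..."""
    return is_probably_english(zlib.compress(plaintext, 9))

def roundtrip_looks_like_english(plaintext: bytes) -> bool:
    """...while decompressing them restores the recognisable text."""
    return is_probably_english(zlib.decompress(zlib.compress(plaintext, 9)))

if __name__ == "__main__":
    for k, v in compare(SAMPLE_TEXT.encode()).items():
        print(f"{k:16s} {v:.3f}" if isinstance(v, float) else f"{k:16s} {v}")
    print("compressed looks like English:", compressed_looks_like_english(SAMPLE_TEXT.encode()))
    print("round trip looks like English:", roundtrip_looks_like_english(SAMPLE_TEXT.encode()))
```

The plaintext entropy sits well under 5 bits per byte with the space character alone taking well over a tenth of the bytes; the compressed form is shorter, close to 8 bits per byte, and has no dominant symbol, which is the "looks more random" effect Tyler describes. The last two functions make his other point concrete: the structure is gone from the compressed bytes but is back as soon as they are decompressed.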
------------------------------
From: Armin Ollig <[EMAIL PROTECTED]>
Subject: Re: DES source code?
Date: Fri, 24 Sep 1999 13:48:12 +0200
Jesper,
OpenBSD ships with a useful little des program.
ftp://ftp.openbsd.org/pub/OpenBSD/src/usr.bin/bdes/bdes.c
Eric Young's OpenSSL is here:
http://www.openssl.org
PGP also includes DES source:
http://www.pgpi.com
best regards,
--armin
--
"To save energy
the light at the end of the tunnel
will temporarily be switched off."
Jesper Gadeberg Jensen wrote:
>
> Does anybody know where I can find the C source code for DES? I was told
> that an Australian named Eric Young was supposed to have it but I
> haven't been able to find it! Can anyone help?
>
> Jesper
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Crossposted-To: alt.security.pgp
Subject: Re: RSA 640 bits keys factored, French banking smart card system craked!
Date: Fri, 24 Sep 1999 10:20:37 GMT
On 24 Sep 1999 09:05:35 -0400, Bruce Barnett <[EMAIL PROTECTED]>
wrote:
>Alex <[EMAIL PROTECTED]> writes:
>
>> I was under the impression that it's the other way around, i.e. the
>> number of primes less than x is roughly x/log(x).
>
>Forgive my ignorance, but while the number of primes may be x/log(x),
>does the algorithm try to find primes of a certain minimum size? How
>much does this reduce the search?
Actually it's easy to figure, you find the number of primes for the size you
are looking for, then you subtract all the primes for the minimum size, which
will be around 1/2 the total for most large numbers of bits.
Johnny Bravo
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Relating cyrptology to factoring?
Date: Fri, 24 Sep 1999 15:26:41 +0100
Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:7sfstj$hk$[EMAIL PROTECTED]...
<SNIP>
> Just to be picky I would seriously argue that symmetric ciphers are
> younger than their asymmetric counterparts.
WTF?
DES was *adopted* in 1976 (and developed during the 3 years prior to
this) and asymmetric ciphers weren't produced until ~1976 - why would
you "seriously argue" that symmetric ciphers are younger?
> Most asymmetric systems are broken by solving some systems of
> equations. You can break RSA by factoring their modulus and making the
> private key from their public key. You can break Diffie-Hellman for
> example by solving a discrete logarithm. All these problems in the long
> run are very difficult to solve (or more time consuming actually).
You mean "are thought to be", surely.
Sam
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Relating cyrptology to factoring?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 24 Sep 1999 14:34:49 GMT
Jeffrey <[EMAIL PROTECTED]> wrote:
: I am currently researching cryptology out of personal interest as well
: as a trivial (small) project for school. And have become stuck upon the
: relation of cryptanalysis and factoring. I cannot find any depth of
: information on how factoring numbers can break codes.
: What algorithms of encryption are affected by factoring? DES? RC5?
Keywords: RSA, public key cryptography, asymmetric cyphers, PGP.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
One liners are irrelevant to those who don't fully understand them.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Securing Executables
Reply-To: [EMAIL PROTECTED]
Date: Fri, 24 Sep 1999 14:41:40 GMT
Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
: jerome wrote:
:> all that looks a lot like the tricks used by game coders a long time ago
:> to prevent crackers from copying or modifying their software.
:> Each time the game coders lost badly because it is easy to modify the
:> executable just to avoid doing the test.
: Some lost, some won.
Indeed. Some of the techniques used to prevent people from decompiling
self-decryption were *very* sophisticated fifteen years ago.
"Modifying the executable to avoid doing the test" was often made
difficult by encrypting in a series of layers, each executing the
code of the previous stage.
As for people using debuggers - this slows down execution - an effect
which can be tested for, and fake code branched to - etc, etc.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Kilroy occupied these co-ordinates.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: some information theory (very long plus 72K attchmt)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 24 Sep 1999 14:05:44 GMT
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]>, James Felling
:<[EMAIL PROTECTED]> wrote:
:>> David Scott promotes using compression before encryption, and several
:>> responses have agreed with him. [much snip]
: What if you don't know the starting text? The problem with non
: "one to one" compression is that it is weak even if the starting portion
: of the FILE is not KNOWN. You sir seem to think one always has the start
: of the file encrypted; that is not necessarily true. What I showed is that
: non "one to one" compression weakens compression followed by
: encryption even if there is no information about the input file.
This sounds a /bit/ too strong to me.
What if the "compression" consists of your "one-to-one" technique,
followed by interleaving the signal with lots of hardware-generated
real randomness?
This is no longer "one to one" compression - it adds information to
the signal. However it doesn't help decompression, and - although the
cyphertext is longer - the additional encrypted data is /genuinely/
random, so there's no security lost at the encryption stage.
Indeed - interleaving with real randomness may even increase the
security - /slightly/ - it would certainly make a normal message
harder to read.
Sorry to nitpick ;-)
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
On the other hand, you also have five fingers.
------------------------------
From: Gaston Gloesener <[EMAIL PROTECTED]>
Subject: Re: RC4 or IBAA or ISAAC to generate large random numbers
Date: Fri, 24 Sep 1999 14:56:20 GMT
> The question whether you can combine bytes to words is EXACTLY the question
> whether a given stream cipher is a good stream cipher.
Hi Volker,
I think this was the final hit. So what you mean by a good stream
cipher would be one that generates all possible combinations of any
length. This means in my example that for an arbitrary length of 3
bytes (or any other) all combinations of the values 0 to 255 must be
present in the stream.
This means mathematically that the period of this series cannot be less
than 256_P_3, being the number of permutations of size 3 for 256
possible values.
Now the question is, does IBAA do this ?
Thanks,
Gaston
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Fri, 24 Sep 1999 16:19:33 +0000
"Douglas A. Gwyn" wrote:
>
> Greg wrote:
> > .... What market exists today anywhere in the world
> > for use of 128 bit compromised (by definition of NSA examination)
> > encryption software?
>
> Why is that "compromised"? It is axiomatic in cryptology that
> the strength of a cryptosystem should not depend on the adversary's
> lack of knowledge of the general system, but only upon the key.
>
> The interesting question is whether the "technical review"
> will be allowed to end with the product failing to be approved
> (presumably because it is too secure, although that might not
> be the officially stated reason).
Why else would there be a requirement for a technical review?
On what other grounds would a product fail to be approved?
--
Jim Gillogly
3 Winterfilth S.R. 1999, 16:17
12.19.6.10.1, 1 Imix 9 Chen, Third Lord of Night
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Relating cyrptology to factoring?
Date: 24 Sep 1999 15:23:56 GMT
Tom St Denis <[EMAIL PROTECTED]> writes:
>Just to be picky I would seriously argue that symmetric ciphers are
>younger then their asymmetric counterparts.
>
If you do, you will likely get plenty of argument.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: "Charles R. Lyttle" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Second "_NSAKey"
Date: Fri, 24 Sep 1999 16:34:07 GMT
Bruce Barnett wrote:
>
> Greg <[EMAIL PROTECTED]> writes:
>
> > Be my guest. Show me why the conspiracy theory to give
> > NSA a key CANNOT be correct. That is what I mean by refute.
> > Show that it CANNOT be correct.
>
> This is in the same category as:
>
> "Show that Santa Claus does NOT exist."
>
> It can't be refuted. ever. Let's move on, shall we?
>
> --
> Bruce <barnett at crd. ge. com> (speaking as myself, and not a GE employee)
But Santa Claus does exist. Only his name is San Niclaus. His life story
should be required reading for all. So now that we know that San
Niclaus exists, why does the NSA want the ability to change the software
on my computer?
--
Russ Lyttle, PE
<http://www.flash.net/~lyttlec>
Thank you Melissa!
Not Powered by ActiveX
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Glossary of undefineable crypto terms (was Re: Ritter's paper)
Date: 24 Sep 1999 12:28:31 -0400
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>Mok-Kong Shen wrote:
>>
>> Patrick Juola wrote:
>>
>> > Hell, there's an easier counterexample. O(1) is a provable lower
>> > bound to *everything.*
>>
>> In your vein, why take the trouble to argue with O(1)? Isn't 0
>> itself much better?
>
>I like to give a citation from a recent article of Salomaa which
>perhaps helps to make his other citation given earlier in this
>thread more understandable:
>
> In general, all these [public-key crypto] systems are
> dangerously dependent on number-theoretic problems, such as
> factoring, whose complexity is not known; there is no proof
> that they are intractable.
... as opposed, for example, to symmetric systems that rest on no
theoretical framework whatsoever, for which no complexity is known
and for which there is no proof of intractability? There's actually
much more evidence that factoring is a hard problem than there is
that solving a Feistel cypher is a hard problem, although neither
rises to the dignity of proof.
In point of fact, Dr. Salomaa is incorrect -- we have proofs of
complexity of, e.g., factoring. We just haven't proven large enough
bounds for the *proven* bounds to be useful. He is correct that
intractability has not been proven. On the other hand, there's no
*proof* that the OTP is impervious to the ouija board attack.
-kitten
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Fri, 24 Sep 1999 12:20:59 -0500
wtshaw wrote:
> Just like one party imposing a NDA, the government has secret courts,
> pocket judges, and places to put people for *national security reasons*.
>
> If this sounds counter to constitutional ideas, it surely is. If it sounds
> impossible to be so, you are unaware of the real bastards that deal in
> such corrupt practices.
>
> When government stoops to criminal behavior in getting its way, we should
> all be concerned. No one should be a dupe.
Democracy works on the principle that it's easy to dupe the majority.
At least for a few terms in office. Glad to see you back around
William, hope you're feeling better!
Patience, persistence, truth,
Dr. mike
------------------------------
Crossposted-To: alt.security.pgp
Subject: Re: RSA 640 bits keys factored, French banking smart card system craked!
From: [EMAIL PROTECTED] (Your Name)
Date: Fri, 24 Sep 1999 17:36:06 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
> You have no idea how many primes there are. The 2^312 number is the
> number of primes of 320 bits or less; the number of primes that is
> exactly 320 bits is 2^311.
which can be verified by calculating
2**320/320*ln2 - 2**319/319*ln2
--Rich
Guard with jealous attention the public liberty.
Suspect every one who approaches that jewel.
Unfortunately, nothing will preserve it but
downright force. Whenever you give up that
force, you are ruined.
--Patrick Henry
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: DES source code?
Date: 24 Sep 1999 16:42:54 GMT
In <[EMAIL PROTECTED]> Jesper Gadeberg Jensen <[EMAIL PROTECTED]> writes:
>Does anybody know where I can find the C source code for DES? I was told
>that an Australian named Eric Young was supposed to have it but I
>haven't been able to find it! Can anyone help?
Peter Gutmann's libcrypt
Eric Young's libdes
You can find links on my (somewhat old) page
axion.physics.ubc.ca/pgp.html
------------------------------
From: [EMAIL PROTECTED] (jerome)
Subject: Re: Relating cyrptology to factoring?
Date: 24 Sep 1999 16:27:21 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 24 Sep 1999 13:04:58 GMT, Tom St Denis wrote:
>
>Just to be picky I would seriously argue that symmetric ciphers are
>younger then their asymmetric counterparts.
>
The Caesar cypher used a long time ago was a symmetric cypher.
Monoalphabetic substitution is at least 2000 years old.
NSA claims to have discovered the asymmetric cypher in the 60's,
English intelligence around '70, and Diffie published
the principle publicly around '75.
The first asymmetric is at most 40 years old.
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: RSA 640 bits keys factored, French banking smart card system craked!
Date: Fri, 24 Sep 1999 12:42:58 -0500
Tom St Denis wrote:
> First the prime number theorem is pi(x) = x / ln x, and it has not been
> proven, that's why it's a theorem. It just happens to be a very good
> estimate.
>
> Second I seriously doubt the primary poster had any idea what he was talking
> about. Applied Crypto covers prime numbers in a bit of detail, you should
> check there.
d pi(x)/dx = (ln x - 1)/(ln x)^2 ~ 1/ln x. So the original poster's
statement that the growth rate is slow is correct. The argument
that the total number of primes is huge in the range 2^320 is also
correct. The engineer may have found a few clues and used timing
and power analysis to help with the factoring. The web page
originally pointed to suggested that he used the "latest techniques",
but won't say what they are (yet). The statement included
references to logic analyzers and card readers, so it's likely
he used a lot of information to help the factoring program.
In any case, 640 bit RSA is insecure for smart cards!
Patience, persistence, truth,
Dr. mike
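Added example, not from the digest or any of its posters: it puts the prime-count arithmetic of this thread (Bruce Barnett's question, Johnny Bravo's "subtract the smaller size, about 1/2", Rich's 2**320/(320 ln 2) - 2**319/(319 ln 2), and Dr. mike's derivative (ln x - 1)/(ln x)^2 ~ 1/ln x) into one script and checks the x/ln x estimate against an exact sieve at 16 bits, a size small enough to enumerate. Function names and the 16-bit check are this example's own choices.

```python
"""Added example (not from the digest): the prime-count estimates used in
this thread, checked against an exact sieve at a size small enough to
enumerate.  Function names are this example's own."""
import math

def pnt_estimate(x: float) -> float:
    """Prime number theorem approximation pi(x) ~ x / ln x."""
    return x / math.log(x)

def prime_density(x: float) -> float:
    """d pi(x)/dx for the x/ln x estimate: (ln x - 1)/(ln x)^2 ~ 1/ln x,
    roughly the chance that an integer near x is prime."""
    L = math.log(x)
    return (L - 1) / L ** 2

def estimated_primes_with_exactly_bits(b: int) -> float:
    """Primes in [2^(b-1), 2^b): pi(2^b) - pi(2^(b-1)), each term via x/ln x.
    For b = 320 this is Rich's 2**320/(320 ln 2) - 2**319/(319 ln 2)."""
    return pnt_estimate(2.0 ** b) - pnt_estimate(2.0 ** (b - 1))

def estimated_fraction_with_full_bits(b: int) -> float:
    """Share of all primes below 2^b that actually have b bits; this is
    Johnny Bravo's 'around 1/2' and it stays close to 1/2 for large b."""
    return estimated_primes_with_exactly_bits(b) / pnt_estimate(2.0 ** b)

def sieve_pi(limit: int) -> list:
    """Exact prime counts: table[n] = pi(n) for every n <= limit."""
    is_prime = bytearray([1]) * (limit + 1)
    is_prime[0] = is_prime[1] = 0
    for p in range(2, int(limit ** 0.5) + 1):
        if is_prime[p]:
            # Knock out every multiple of p from p*p upward.
            is_prime[p * p::p] = bytearray(len(range(p * p, limit + 1, p)))
    table = [0] * (limit + 1)
    running = 0
    for n in range(limit + 1):
        running += is_prime[n]
        table[n] = running
    return table

def exact_primes_with_exactly_bits(b: int) -> int:
    """Exact count of primes whose binary length is exactly b bits."""
    table = sieve_pi(2 ** b)
    return table[2 ** b - 1] - table[2 ** (b - 1) - 1]

def log2_estimate_320bit_primes() -> float:
    """log2 of the estimated number of exactly-320-bit primes (about 311.2,
    i.e. Rich's 2^311 figure)."""
    return math.log2(estimated_primes_with_exactly_bits(320))

if __name__ == "__main__":
    b = 16
    exact = exact_primes_with_exactly_bits(b)
    est = estimated_primes_with_exactly_bits(b)
    print(f"{b}-bit primes: exact {exact}, x/ln x estimate {est:.0f} "
          f"(ratio {est / exact:.3f})")
    print(f"fraction of primes below 2^{b} that have {b} bits: "
          f"exact {exact / sieve_pi(2 ** b)[2 ** b]:.3f}, "
          f"estimate {estimated_fraction_with_full_bits(b):.3f}")
    print(f"log2(number of 320-bit primes) ~ {log2_estimate_320bit_primes():.2f}")
    print(f"density near 2^320: {prime_density(2.0 ** 320):.6f} "
          f"vs 1/ln x = {1 / (320 * math.log(2)):.6f}")
```

At 16 bits the sieve gives 3030 primes with exactly 16 bits against the estimate of roughly 2758, so x/ln x undercounts by about a tenth at that size, and the full-width primes are a little under half of all primes below 2^16, as Johnny Bravo says. For 320 bits the estimate comes out near 2^311.2, matching Rich's figure, and the derivative is within half a percent of 1/ln x.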
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Thesis Announcement: "Rethinking public key infrastructures and digital
certificates --- building in privacy"
Date: Fri, 24 Sep 1999 12:49:14 -0500
[EMAIL PROTECTED] wrote:
>
> A N N O U N C E M E N T
>
> Thesis title:
>
> "Rethinking public key infrastructures and digital
> certificates --- building in privacy" (ISBN 90-901-3059-4,
> 304 pages, September 1999)
>
> Author:
>
> Stefan Brands
>
> Thesis defense date and location:
>
> October 4, 1999, Eindhoven University of Technology (Netherlands)
>
> Thesis advisors:
>
> prof. Henk C.A. van Tilborg (Eindhoven University of Technology)
> prof. Adi Shamir (Weizmann Institute of Science)
>
> Thesis reading committee:
>
> prof. Ronald L. Rivest (Massachusetts Institute of Technology)
> prof. Claus P. Schnorr (Johann Wolfgang Goethe University)
> prof. Adi Shamir (Weizmann Institute of Science)
Good luck Stefan! Looks like a tough crew looking over your
stuff there.
Patience, persistence, truth,
Dr. mike
------------------------------
Crossposted-To: talk.politics.crypto
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: EAR Relaxed? Really?
Date: Fri, 24 Sep 1999 16:07:27 GMT
> > FBI witness: The file contained kiddie porn.
> > Defendant: No, it didn't. It's just random bits I generated
> > to hear what white noise would sound like.
> > Attorney: FBI witness, by what means did you convert the
> > file into kiddie porn?
> > FBI witness: I'm not going to say, but trust me.
> > Judge: Case dismissed!
Greg wrote:
> Reno: You can't do that, your honor. We have the law
> on our side now.
> Judge: Oh.
Judge: *I* interpret the law, you are supposed to *execute*
the law (and the legislature, Constitution, and English
Common Law *make* the law). Sit down and shaddup.
------------------------------
Crossposted-To: talk.politics.crypto
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Second "_NSAKey"
Date: Fri, 24 Sep 1999 16:11:08 GMT
Greg wrote:
> > > And finally, there is no explanation that can refute this one
> > > scenario. Not one.
> > Nonsense. Alternative explanations inconsistent with that
> > scenario have been suggested. Maybe you mean, *you* won't
> > give up that scenario no matter what.
> Be my guest. Show me why the conspiracy theory to give
> NSA a key CANNOT be correct. That is what I mean by refute.
> Show that it CANNOT be correct.
No, the onus is on *you* to provide extraordinary evidence to
support your extraordinary claim. All I had to do was point
to at least one reasonable alternative theory.
> Someone wanted a second key. It makes no sense that MS wanted
> it, so someone else must have wanted it. And it has their name
> on it. What else do you need?
In at least one alternative explanation, it *did* make sense
that Microsoft wanted a second key.
I assure you that if NSA had engineered this, they would *not*
have put their name clearly on it.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Relating cyrptology to factoring?
Date: Fri, 24 Sep 1999 16:20:45 GMT
JPeschel wrote:
> Tom St Denis <[EMAIL PROTECTED]> writes:
> >Just to be picky I would seriously argue that symmetric ciphers are
> >younger then their asymmetric counterparts.
> If you do, you will likely get plenty of argument.
Not only that, but what does he mean by "their counterparts"?
Or "younger"?
Or "is"? :-)
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************