Cryptography-Digest Digest #384, Volume #10 Sun, 10 Oct 99 13:13:02 EDT
Contents:
Re: Lame questions... I guess... (Janusz A. Urbanowicz)
"Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column (Bruce
Schneier)
Re: Very well.. here's the article itself (was Re: Second "_NSAKey") ("Douglas A.
Gwyn")
Re: Ritter's paper ("Trevor Jackson, III")
Re: DES breaker Technique? (Bruce Schneier)
Re: Is 128 bits safe in the (far) future? (Patrick Juola)
Re: Ritter's paper (Patrick Juola)
Re: classifying algorithms (Bruce Schneier)
Re: Ritter's paper (Patrick Juola)
Re: RSA-512 Broken by Israelis (Patrick Juola)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Janusz A. Urbanowicz)
Subject: Re: Lame questions... I guess...
Date: 10 Oct 1999 14:45:19 +0200
"Łukasz 'SpookY' Szmit" <[EMAIL PROTECTED]> writes:
> 5. Is it possible to get the RSAREF stuff outside USA? (Europe is meant
> here...)
There is a European implementation of RSAREF called RSAEuro.
Alex
--
* | Janusz A. "Alex" Urbanowicz, | DSS: 1024/0x21939169
--+~| | http://eris.phys.uni.torun.pl/~alex/ | D-H: 2048/0xA2E48564
\_|/ | |_ RSA: 512/0xAB425659
| | WAR IS PEACE FREEDOM IS SLAVERY ERASE IS BACKSPACE -- rms
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: Sun, 10 Oct 1999 15:25:38 GMT
Inside Risks #112
CACM vol. 42, no. 10, October 1999.
Risks of Relying on Cryptography
Bruce Schneier
Cryptography is often treated as if it were magic security dust:
"sprinkle some on your system, and it is secure; then, you're secure
as long as the key length is large enough--112 bits, 128 bits, 256
bits" (I've even seen companies boast of 16,000 bits.) "Sure, there
are always new developments in cryptanalysis, but we've never seen an
operationally useful cryptanalytic attack against a standard
algorithm. Even the analyses of DES aren't any better than brute
force in most operational situations. As long as you use a
conservative published algorithm, you're secure."
This just isn't true. Recently we've seen attacks that hack into the
mathematics of cryptography and go beyond traditional cryptanalysis,
forcing cryptography to do something new, different, and unexpected.
For example:
* Using information about timing, power consumption, and radiation of
a device when it executes a cryptographic algorithm, cryptanalysts
have been able to break smart cards and other would-be secure tokens.
These are called "side-channel attacks."
* By forcing faults during operation, cryptanalysts have been able to
break even more smart cards. This is called "failure analysis."
Similarly, cryptanalysts have been able to break other algorithms
based on how systems respond to legitimate errors.
* One researcher was able to break RSA-signed messages when formatted
using the PKCS standard. He did not break RSA, but rather the way it
was used. Just think of the beauty: we don't know how to factor large
numbers effectively, and we don't know how to break RSA. But if you
use RSA in a certain common way, then in some implementations it is
possible to break the security of RSA ... without breaking RSA.
* Cryptanalysts have analyzed many systems by breaking the
pseudorandom number generators used to supply cryptographic keys. The
cryptographic algorithms might be secure, but the key-generation
procedures were not. Again, think of the beauty: the algorithm is
secure, but the method to produce keys for the algorithm has a
weakness, which means that there aren't as many possible keys as there
should be.
* Researchers have broken cryptographic systems by looking at the way
different keys are related to each other. Each key might be secure,
but the combination of several related keys can be enough to
cryptanalyze the system.
The common thread through all of these exploits is that they've all
pushed the envelope of what constitutes cryptanalysis by using
out-of-band information to determine the keys. Before side-channel
attacks, the open crypto community did not think about using
information other than the plaintext and the ciphertext to attack
algorithms. After the first paper, researchers began to look at
invasive side channels, attacks based on introducing transient and
permanent faults, and other side channels. Suddenly there was a whole
new way to do cryptanalysis.
Several years ago I was talking with an NSA employee about a
particular exploit. He told me how a system was broken; it was a
sneaky attack, one that I didn't think should even count. "That's
cheating," I said. He looked at me as if I'd just arrived from
Neptune.
"Defense against cheating" (that is, not playing by the *assumed*
rules) is one of the basic tenets of security engineering.
Conventional engineering is about making things work. It's the
genesis of the term "hack," as in "he worked all night and hacked the
code together." The code works; it doesn't matter what it looks like.
Security engineering is different; it's about making sure things don't
do something they shouldn't. It's making sure security isn't broken,
even in the presence of a malicious adversary who does everything in
his power to make sure that things don't work in the worst possible
way at the worst possible times. A good attack is one that the
engineers never even thought about.
Defending against these unknown attacks is impossible, but the risk
can be mitigated with good system design. The mantra of any good
security engineer is: "Security is not a product, but a process."
It's more than designing strong cryptography into a system; it's
designing the entire system such that all security measures, including
cryptography, work together. It's designing the entire system so that
when the unexpected attack comes from nowhere, the system can be
upgraded and resecured. It's never a matter of "if a security flaw is
found," but "when a security flaw is found."
This isn't a temporary problem. Cryptanalysts will forever be pushing
the envelope of attacks. And whenever crypto is used to protect
massive financial resources (especially with world-wide master keys),
these violations of designers' assumptions can be expected to be used
more aggressively by malicious attackers. As our society becomes more
reliant on a digital infrastructure, the process of security must be
designed in from the beginning.
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
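The side-channel bullet in the column above, in working code. This is an added example and not part of Schneier's column or any product it mentions: a hypothetical verifier checks a 16-byte HMAC tag with an early-exit loop, and instead of timing it with a clock the example exposes the number of bytes the loop examined before returning, which is exactly what a timing measurement would reveal (the assumption is that the attacker can resolve one byte's worth of extra work per query). The attack recovers the whole tag with at most 256 queries per byte; the same attack against hmac.compare_digest learns nothing. Key, message and tag length are constructed for the example.

```python
"""Byte-at-a-time recovery of a MAC tag through a comparison side channel.

Added example, not from the original column. The 'device' is a hypothetical
verifier that compares a 16-byte tag with an early-exit loop. A timing attack
would measure how long the comparison took; here the leak is modelled
deterministically as the number of bytes the loop examined before returning,
which is what the timing measurement would reveal. Key and message are
constructed sample data.
"""
import hashlib
import hmac
from typing import Callable, Tuple

SECRET_KEY = b"constructed-demo-key"        # constructed, never seen by attacker
MESSAGE = b"transfer 100 to account 42"     # constructed sample message
TAG_LEN = 16

Verifier = Callable[[bytes, bytes], Tuple[bool, int]]


def compute_tag(key: bytes, message: bytes) -> bytes:
    """Truncated HMAC-SHA256 tag; the MAC itself is sound, the check is not."""
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]


def leaky_verify(message: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Early-exit compare. Returns (accepted, bytes_examined).

    bytes_examined stands in for elapsed time: every correct leading byte in
    `candidate` costs one more loop iteration, so the response gets slightly
    slower as the attacker's correct prefix gets longer.
    """
    expected = compute_tag(SECRET_KEY, message)
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return len(candidate) == len(expected), examined


def constant_time_verify(message: bytes, candidate: bytes) -> Tuple[bool, int]:
    """The fix: hmac.compare_digest examines every byte regardless of where
    the first mismatch is, so the work (and the time) does not depend on the
    secret. The reported count is constant by construction."""
    expected = compute_tag(SECRET_KEY, message)
    return hmac.compare_digest(expected, candidate), TAG_LEN


def recover_tag(verify: Verifier, message: bytes) -> Tuple[bytes, int]:
    """Recover the tag using only the accept/reject bit and the leaked count.

    At position i, with the first i bytes already correct, a wrong guess is
    rejected after examining i+1 bytes, while the right guess is examined
    past position i, so the guess with the largest count is the right one.
    Returns (recovered_tag, queries_used).
    """
    known = bytearray()
    queries = 0
    for pos in range(TAG_LEN):
        best_guess, best_work = 0, -1
        for guess in range(256):
            candidate = bytes(known) + bytes([guess]) + bytes(TAG_LEN - pos - 1)
            accepted, work = verify(message, candidate)
            queries += 1
            if accepted:
                return candidate, queries
            if work > best_work:
                best_guess, best_work = guess, work
        known.append(best_guess)
    return bytes(known), queries


if __name__ == "__main__":
    real = compute_tag(SECRET_KEY, MESSAGE)
    for name, verify in (("leaky", leaky_verify), ("constant-time", constant_time_verify)):
        tag, n = recover_tag(verify, MESSAGE)
        print(f"{name}: {'recovered' if tag == real else 'failed'} after {n} queries")
```

Real timing measurements are noisy, so an attacker averages many queries per guess instead of reading a clean count, but the rule the example illustrates does not change: the work a verifier does must not depend on which byte first differs.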
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Very well.. here's the article itself (was Re: Second "_NSAKey")
Date: Sun, 10 Oct 1999 14:11:18 GMT
[EMAIL PROTECTED] wrote:
> ... but the magazine articles alleging active measures - based on the
> experience of a Hagelin employee in Iran ...
(Who by all accounts knew nothing about the alleged tampering.)
> But you certainly *appear* to be saying that someone has claimed that
> the NSA found a way to tamper with lug and pin machines ...
I didn't say "pin and lug machines". Some of the articles did state
that the tampering inserted the key into the ciphertext stream. It
would be hard to get away with that in a mechanical system, but I'm
saying that even if it were electronic, such a claim is probably a
distortion of the simple idea that ciphertext-only cryptanalysis is
possible. News media are notorious for misunderstanding what is
explained to them about technical matters and then reporting wrong
information about such technical details.
------------------------------
Date: Sun, 10 Oct 1999 11:57:28 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Ritter's paper
wtshaw wrote:
> In article <[EMAIL PROTECTED]>, "Trevor Jackson, III"
> <[EMAIL PROTECTED]> wrote:
>
> > Tim Tyler wrote:
> > >
> > > I see no reason in principle why a PRNG-based cypher should be weak.
> >
> > In practice true, but getting less so as time goes on. In theory false.
>
> As time goes on, I see more and more that ciphers can use PRNG's as
> optional contributing components to key generation.
> > ...
> >
> > The central point is that, in theory, any PRNG has a limited amount of
> > state. As the PRNG operates it discloses that state. Once you have
> > output >= state you can only have one possible state that generated that
> > output. It's analogous to the unicity point of a cipher. The initial
> > state is completely determined by the output.
> >
> > Finding the initial state given the output can be difficult in practice,
> > but it cannot be made impossible.
>
> It can be made so obscurely in the data that it can be, for practical
> attacks, impossible to recover it. The special methods I am using are
> like smoke and mirrors, so to speak. It is in fitting with a tradition of
> deceit in such methods.
> >
> > >
> > >
> > > : Note that #1 above applies to all modern ciphers given a known plaintext.
> > > : The discovery of a new attack upon a cipher is the discovery of a
> > > : practical method of untangling the initial state given some amount of
> > > : output > the amount of key. By this line of reasoning we could define
> > > : the "efficiency" of an attack as the ratio of the number of bits of
> > > : output required over the number of bits of state to be discovered.
>
> This is in the spirit of a measure of strength *of a kind*. If you need
> it in bits, OK, I guess.
>
> I have forwarded a scheme that does the same with *classic* ciphers, which
> is simply because that is where so much useful data is.
> > >
> > > This "efficiency" is an interesting quantity. However, I don't think it
> > > corresponds closely to how hard a cypher is to crack. In some cases,
> > > where lots of cyphertext is available, it will probably not be very
> > > relevant to "strength".
>
> It can be very revealing that a particular algorithm requires an
> unreasonable quantity of ciphertext to attack, which, according to my
> calculations in one situation, could be very many times the length of the
> key. By definition, placing high here means that it is a very good
> algorithm indeed.
This is false. It is based on the several mixtures above of attack strength (or
efficiency) and cipher strength.
Specifically, a particular [cipher] algorithm does not require a quantity of
ciphertext to attack. A particular attack on a particular cipher requires a
quantity of ciphertext. There may be many attacks on a particular cipher, each
attack requiring a different amount of ciphertext or plaintext. Additionally, some
attacks can be performed more or less efficiently depending upon the amount of
ciphertext available.
Thus placing high in the amount of ciphertext does not tell us anything about the
strength of the cipher. It tells us something about the lack of power (or
efficiency as defined above) in the attack. A cipher sustaining no efficient
attacks is not strong. Its strength is unknown. A cipher sustaining an efficient
attack is at least as weak as indicated by the most efficient attack. But that
shows only the upper bound on the cipher's strength, and does not tell us anything
about potentially even more powerful attacks (even weaker spots in the target
cipher).
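Jackson's point that a PRNG's output discloses its bounded state, and Schneier's bullet earlier in this digest about key generators that leave fewer possible keys than there should be, can both be made concrete with one small generator. The following is an added example and not code from anyone in the thread: a linear congruential generator x_{n+1} = (a*x_n + c) mod p, where the modulus p = 2^31 - 1 is assumed public (as it would be for a documented generator) while the multiplier a, the increment c and the seed are secret. Three consecutive outputs determine a and c exactly, and the latest output is the entire state, so the attacker simply runs the generator forward. The parameter values are constructed for the example.

```python
"""Recovering an LCG's hidden parameters and state from its output.

Added example, not part of the thread. The generator is
x_{n+1} = (a*x_n + c) mod P with P = 2**31 - 1 assumed public and a, c and
the seed secret. Once the attacker has seen three outputs, a and c are
fixed, and the most recent output is the whole state.
"""
from typing import List, Tuple

P = 2**31 - 1  # modulus assumed public; it is prime, which keeps the algebra simple


def lcg(seed: int, a: int, c: int, count: int) -> List[int]:
    """Emit `count` successive outputs of the generator (the 'device')."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % P
        out.append(x)
    return out


def recover_params(x1: int, x2: int, x3: int) -> Tuple[int, int]:
    """Solve x2 = a*x1 + c and x3 = a*x2 + c (mod P) for (a, c).

    Subtracting the two equations gives x3 - x2 = a*(x2 - x1). Because P is
    prime, x2 - x1 is invertible unless it is zero, which only happens when
    the generator is sitting on its single fixed point.
    """
    d = (x2 - x1) % P
    if d == 0:
        raise ValueError("degenerate window: x1 == x2, pick a later window")
    a = ((x3 - x2) * pow(d, -1, P)) % P
    c = (x2 - a * x1) % P
    return a, c


def predict_next(outputs: List[int], how_many: int) -> List[int]:
    """Given three or more observed outputs, recover (a, c), check the map
    against every observation, then continue the sequence from the last one."""
    a, c = recover_params(*outputs[:3])
    for prev, cur in zip(outputs, outputs[1:]):
        if (a * prev + c) % P != cur:
            raise ValueError("observations are not from one LCG mod P")
    return lcg(outputs[-1], a, c, how_many)


# Constructed secret parameters; the attacker never sees these directly.
SECRET_A, SECRET_C, SECRET_SEED = 48271, 12345, 20191010


def demo() -> dict:
    """Observe five outputs, recover the parameters, predict the next four."""
    observed = lcg(SECRET_SEED, SECRET_A, SECRET_C, 5)
    a, c = recover_params(*observed[:3])
    predicted = predict_next(observed, 4)
    actual = lcg(SECRET_SEED, SECRET_A, SECRET_C, 9)[5:]
    return {"recovered": (a, c), "predicted": predicted, "actual": actual}


if __name__ == "__main__":
    r = demo()
    print("recovered (a, c):", r["recovered"])
    print("next four outputs predicted correctly:", r["predicted"] == r["actual"])
```

The observation count needed here (three words of output for two unknown parameters plus the state) is the "efficiency" ratio Jackson describes, and it is what separates this generator from a cryptographic one: a keystream generator is designed so that no cheap algebra maps output back to state, not so that the state is unbounded.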
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: DES breaker Technique?
Date: Sun, 10 Oct 1999 15:14:33 GMT
On 06 Oct 1999 03:33:49 GMT, [EMAIL PROTECTED] (UBCHI2) wrote:
>When the group won the RSA challenge and cracked the DES message, how did they
>know when they found the right key? Did they have to search for english words
>after trying out the right key? Or did they just wait until they had factored
>the key?
In the symmetric cracking contests (DES, RC5, etc), they looked for
plaintext. See:
http://www.counterpane.com/crypto-gram-9812.html#plaintext
For the public-key factoring challenges, they looked for factors. No
plaintext was involved.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
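What "looked for plaintext" means in practice, as an added example that is not part of the post above: a constructed toy stream cipher with a 16-bit key (65,536 keys, so the full search finishes in seconds) stands in for DES, and two recognisers are compared. The first matches a known-plaintext crib exactly, as the DES challenge messages allowed; the second only checks that the trial decryption is printable ASCII, which needs no crib but lets wrong keys through unless enough ciphertext is examined. The keystream is SHA-256 of the key and a block counter, a placeholder rather than a real cipher, and the key and message are constructed.

```python
"""Telling the right key from the wrong ones in an exhaustive search.

Added example, not part of the original post. A constructed toy stream
cipher with a 16-bit key stands in for DES; its keystream is
SHA-256(key || block counter), a placeholder and not a real cipher. Two
recognisers are compared: an exact match on a known-plaintext crib, and a
cheaper 'is it all printable ASCII' heuristic.
"""
import hashlib
from typing import Callable, List

KEY_BITS = 16
PRINTABLE = frozenset(range(0x20, 0x7F))   # the 95 printable ASCII values


def keystream(key: int, length: int) -> bytes:
    """Toy keystream: hash of the key and a 32-bit block counter."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: int, data: bytes) -> bytes:
    """Encryption and decryption are the same operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def known_plaintext_recognizer(crib: bytes) -> Callable[[bytes], bool]:
    """Accept a trial decryption only if it starts with the expected crib.
    A wrong key passes with probability 256**-len(crib)."""
    return lambda pt: pt.startswith(crib)


def printable_recognizer(pt: bytes) -> bool:
    """Accept any trial decryption that is entirely printable ASCII.
    A wrong key passes with probability (95/256)**len(pt), so with too little
    ciphertext many false keys survive (the unicity problem)."""
    return all(b in PRINTABLE for b in pt)


def search(ciphertext: bytes, recognizer: Callable[[bytes], bool]) -> List[int]:
    """Try every key and return those whose decryption the recognizer accepts."""
    return [k for k in range(1 << KEY_BITS)
            if recognizer(xor_crypt(k, ciphertext))]


# Constructed sample: a secret key and a message with a guessable header.
SECRET_KEY = 0xBEEF
PLAINTEXT = b"The unknown message is: the secret is out"
CIPHERTEXT = xor_crypt(SECRET_KEY, PLAINTEXT)


def demo() -> dict:
    """Run the three searches and return the surviving key lists."""
    return {
        "crib": search(CIPHERTEXT, known_plaintext_recognizer(b"The unknown")),
        "short": search(CIPHERTEXT[:4], printable_recognizer),   # 4 bytes: ambiguous
        "long": search(CIPHERTEXT[:24], printable_recognizer),   # 24 bytes: unique
    }


if __name__ == "__main__":
    for name, keys in demo().items():
        print(f"{name:5s}: {len(keys)} candidate key(s), true key present: {SECRET_KEY in keys}")
```

With only four bytes of ciphertext the printable-text test leaves roughly 65536 * (95/256)^4, about 1,200, keys standing, and the true key is just one of them; with 24 bytes the expected number of false survivors drops below 10^-5 and the search is decisive. For DES the same arithmetic applies with 2^56 keys, which is why a crib or several blocks of text was part of every challenge.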
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Is 128 bits safe in the (far) future?
Date: 10 Oct 1999 11:09:12 -0400
In article <7tlmqi$2rjg$[EMAIL PROTECTED]>,
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>In article <7tle9f$a7s$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Patrick Juola)
>wrote:
>
>>There *are*, however, records kept of who mothered whom -- and who
>>is believed to have fathered whom. Sometimes these are a matter of
>>public record; often, these are private records. For example, the
>>Mormons have a huge genealogical database.... I shudder to think of
>>the use our hypothetical dictator could make of the Mormon database.
>>
> The Mormons use the data only to keep their people busy and to
>give themselves an inflated ego.
Actually, they use the data for religious purposes; they go back
and baptize (by proxy) everyone so that everyone has a chance at
getting to (their version) of heaven.
And what does this have to do with my argument? The point isn't
that the mormons themselves are untrustworthy, but that the data
itself is potentially dangerous in the wrong hands. This is exactly
the sort of database that our hypothetical dictator would use
in order to identify the people with the wrong sort of ancestry.
I don't see why you find it necessary to go out of the way to prove
what a rude, arrogant, prejudiced bastard you are -- this sort of
genealogical data could be dangerous no matter who collects it and
to what purpose *because* it could easily be coopted to nefarious
purposes. It needn't even be entirely correct in order to be
coopted.
-kitten
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Ritter's paper
Date: 10 Oct 1999 11:13:38 -0400
In article <[EMAIL PROTECTED]>,
Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
>Patrick Juola wrote:
>
>> In article <[EMAIL PROTECTED]>,
>> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
>> >> : This does not lead to an engineering figure of merit, nor even to
>> >> : scientific reproducibility.
>> >>
>> >> Indeed not. Do you have a metric which does to propose? If not I am
>> >> liable to doubt that such a metric even exists.
>> >
>> >I do not. It appears to me that it may be possible to prove that such a metric
>> >cannot exist. But right now the best I can do is mumble about negative information
>> >space.
>>
>> I think that I would argue that any attempt to reduce "cypher strength"
>> to a scalar quantity is ignorant and misguided. Different cyphers
>> have different areas of application, and different strengths depending
>> on the use.
>>
>> One might as well try to come up with a metric for the best baseball
>> player. Eventually it will come down to a question of how you compare
>> pitchers to outfielders (or whatever).
>
>OK, there are separate application domains whose metrics will always be distinct. So
>pick a single domain, without making it trivially small, and define a domain-specific
>metric.
>
>Pitchers can be compared to pitchers along several (~10?) dimensions.
... at least. Which means that you can't even reliably identify the
best pitcher, let alone the best ball-player. You can identify
the best pitcher *along this dimension*, based on the assumption that
the future will be like the past.
Funny, that's exactly what modern cryptologists are doing when they
start looking at things like key lengths and guessing how fast factoring
algorithms will improve. You have no way to prove that I won't find
an O(log n) factoring algorithm tomorrow -- but neither do you have
any way of proving that the fourth-string pitcher for the Boise Hashbrowns
won't suddenly find his groove and go 20-0 in the majors every season for
the next ten years.
>The premise does not appear to apply to cipher strength.
Evidence? Pick any problem and it looks like there's reasonable evidence
that our solutions are getting better, but not infinitely so.
-kitten
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: classifying algorithms
Date: Sun, 10 Oct 1999 15:15:40 GMT
On Tue, 05 Oct 1999 21:23:29 GMT, [EMAIL PROTECTED] (Johnny Bravo)
wrote:
>On Tue, 5 Oct 1999 13:33:43 -0700, "Steven Alexander" <[EMAIL PROTECTED]>
>wrote:
>
>>Stream Cipher: encrypts data one bit at a time
>
> Could this also apply to a byte at a time? Or would you classify RC4 as an 8
>bit block cipher. :)
The distinction between block and stream ciphers has blurred. I
consider RC4 a stream cipher, but so is DES in OFB mode.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Ritter's paper
Date: 10 Oct 1999 11:17:36 -0400
In article <[EMAIL PROTECTED]>,
wtshaw <[EMAIL PROTECTED]> wrote:
>In article <7tle30$a7b$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>(Patrick Juola) wrote:
>
>> I think that I would argue that any attempt to reduce "cypher strength"
>> to a scalar quantity is ignorant and misguided. Different cyphers
>> have different areas of application, and different strengths depending
>> on the use.
>
>Resistance to quantifying strength is really the *pro*-ignorance
>position. In fact, some qualities are rather easily measured.
... unfortunately, those qualities are, as have been pointed out,
incomplete and sometimes contradictory. Key length, for example,
adds to the difficulty of brute-force search but makes it much harder
to keep the key secure.
It's easy enough to reduce cypher strength to a set of numbers, but
to project a multidimensional quantity set to a single scalar is, as
I said above, "ignorant and misguided." And I stand by that statement.
>Trying to deal with strength as a single entity is like calling lots of
>different diseases consumption, or bad blood. It is time for cryptography
>to deal realistically with strength.
Which is/was more or less my point.
-kitten
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: RSA-512 Broken by Israelis
Date: 10 Oct 1999 11:21:56 -0400
In article <7to0po$r13$[EMAIL PROTECTED]>,
Bill Unruh <[EMAIL PROTECTED]> wrote:
>In <[EMAIL PROTECTED]> Tim Tyler <[EMAIL PROTECTED]> writes:
>>Quantum cryptography isn't /completely/ secure. It's just /arbitrarily/
>>secure.
>
>>Reading the supposedly secure messages without discovery will always
>>remain a *possibility*.
>
>Not sure what you mean by this. It is a theorem that you cannot clone a
>quantum state. Ie, if you read it, you destroy it, and cannot copy or
>recreate it.
Yes, but if Eve can guess right.... perhaps by corrupting Bob's receiver
so that she always picks the same quantum measurement to make that he
does, perhaps by simply being damned lucky, she can still read
the message.
If all else fails, there is always the Karnak attack.
-kitten
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************