Cryptography-Digest Digest #416, Volume #10      Fri, 15 Oct 99 12:13:03 EDT

Contents:
  Re: Newbie questions ("Dan Fogelberg")
  Re: He is back...new "improved" code ("Dan Fogelberg")
  Re: Newbie questions ("Dan Fogelberg")
  Re: how secure is RSA? (Bob Silverman)
  Re: Six out of six for Kerckhoffs
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column (Patrick Juola)
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column ("Roger Schlafly")
  Re: Six out of six for Kerckhoffs
  Crypt data by program. ("SamuelDuran")
  Re: RSA Algorithm (Bob Silverman)
  Re: RSA Algorithm (Bob Silverman)
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column ("Trevor Jackson, III")
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column ("Roger Schlafly")
  Re: need LFSR information ("Trevor Jackson, III")

----------------------------------------------------------------------------

From: "Dan Fogelberg" <[EMAIL PROTECTED]>
Subject: Re: Newbie questions
Date: Fri, 15 Oct 1999 06:51:16 -0500

Thank you for the pointers.  I am enjoying learning this, so I will read the
books you suggested and look back through the FAQ for anything I missed and
especially the references to the books.

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Dan Fogelberg wrote:
>
> > So I am only going to receive encrypted text.  He assures me it is
> > English language and words.  How do I find the period?  Do I run a
> > kappa test on it?
>
> There is no "recipe" for cryptanalysis.  If you're going to keep
> playing this game, you need to study the subject.  I recommend
> Kahn's "The Codebreakers" (unabridged hardbound) followed by the
> MilCryp series (see the sci.crypt FAQ); work through the Zendian
> problem and you should be in a good position to tackle the kind
> of systems your friend seems to be coming up with.  If you later
> need to move on to "modern" digital systems, there are other
> useful textbooks (also mentioned in sci.crypt FAQ).




------------------------------

From: "Dan Fogelberg" <[EMAIL PROTECTED]>
Subject: Re: He is back...new "improved" code
Date: Fri, 15 Oct 1999 06:48:36 -0500

Well he won't give it to me, so I am stuck I guess.

Is there any way to crack a ciphertext if you do not know the method used to
encrypt it?  Also I only have one ciphertext and it is short (255 bytes).

Trevor Jackson, III <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Dan Fogelberg wrote:
>
> > A couple of days ago I posted a question regarding a friend of mine who
> > challenged me to crack his code generation program.  I was sure it was
> > elementary and it was...thanks to all who helped (especially JPeschel and
> > John Savard).
> > Well he is back and this time he is giving me even less ciphertext (225
> > bytes) and won't tell me anything about his "secret" algorithm.  The
> > description of the plain text was "It is English and punctuation has been
> > ignored." Here is my preliminary analysis...
> > He gave it to me in a weird format, instead of a binary file, it looked like
> > this:
> > 94 98 51 83 11 33 91 94 15 27 92 51 27 42 93 65
> > I assumed those were byte values and converted them accordingly 65=A etc
> > -- length of file after conversion 225
> > -- byte values range from 11 - 98
> > -- 25 byte values in the range are not used
> > I ran Kappa, chi-sq, entropy, Kasiski etc and can tell nothing from the
> > output :-).  Not even sure what it was supposed to tell me.  I tried vcrack
> > and it produced gibberish.  Any ideas?
> > Thanks.
>
> Ask him to provide you with a program that implements his cipher.  With it you
> can determine the algorithm, which will make it trivial to crack.
>
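Added worked example (not part of the digest and not code from any poster): the index of coincidence ("kappa"/IC) period test and the Kasiski examination that the post above ran without being able to read the output, implemented in Python. The cipher is assumed to be an ordinary Vigenere, the simplest periodic substitution; the friend's actual system is unknown. The sample plaintext, the key MILCRYP (seven distinct letters, so period 7) and the 0.055 decision threshold are constructed for the example.

```python
"""Recovering the period of a periodic substitution (Vigenere-type) cipher with
the index of coincidence (the "kappa"/IC test) and Kasiski examination.
Added example: the sample text, the key and the threshold are constructed here."""
from collections import Counter
from itertools import combinations
import string

ALPHA = string.ascii_uppercase

# Constructed sample plaintext (ordinary English; not the ciphertext from the post).
SAMPLE_PLAINTEXT = """
The index of coincidence is the probability that two letters drawn at random
from a text are the same letter. For ordinary English the value is close to
seven hundredths, while for letters drawn uniformly at random it falls to one
in twenty six. A periodic substitution cipher shifts each letter by a key
letter that repeats every few positions, so the ciphertext taken as a whole
looks flat, but the letters that share a key position are only shifted English
and keep the high value. The analyst therefore writes the ciphertext into
columns for each candidate period and looks for the period at which every
column recovers the statistics of the language. Kasiski noticed that a
repeated word in the plaintext produces a repeated group in the ciphertext
whenever the distance between the two copies is a multiple of the period, so
the distances between repeated groups reveal the period as a common factor.
With only a few hundred letters both tests become noisy, and the analyst
should expect false peaks and check every candidate by hand before trusting it.
"""
KEY = "MILCRYP"  # constructed key with seven distinct letters, so the period is 7

def letters_only(text):
    """Keep A-Z only; case and punctuation are discarded, as in the challenge."""
    return "".join(c for c in text.upper() if c in ALPHA)

def vigenere(text, key, decrypt=False):
    """Periodic shift cipher: letter i is shifted by key letter i mod len(key)."""
    text, key = letters_only(text), letters_only(key)
    out = []
    for i, c in enumerate(text):
        k = ALPHA.index(key[i % len(key)])
        if decrypt:
            k = -k
        out.append(ALPHA[(ALPHA.index(c) + k) % 26])
    return "".join(out)

def index_of_coincidence(text):
    """Probability that two letters drawn without replacement are equal.
    English runs near 0.066; uniformly random letters give 1/26, about 0.038."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))

def average_column_ic(ct, period):
    """Write ct into `period` columns (every period-th letter) and average their IC.
    A shift only permutes a column's histogram, so IC is shift-invariant: at the
    true period every column is still English-shaped; at other periods each
    column mixes several shifts and flattens out."""
    return sum(index_of_coincidence(ct[i::period]) for i in range(period)) / period

def estimate_period(ct, max_period=20, threshold=0.055):
    """Smallest candidate period whose columns look monoalphabetic.  The threshold
    is an assumption sitting between English (~0.066) and well-mixed shifts
    (~0.042); with short ciphertexts compare the whole table instead."""
    for m in range(1, max_period + 1):
        if average_column_ic(ct, m) >= threshold:
            return m
    return None

def kasiski_factor_counts(ct, n=3, max_factor=20):
    """Kasiski examination: a repeated plaintext n-gram encrypts to the same
    ciphertext n-gram exactly when the two copies are a multiple of the period
    apart.  Count how often each factor 2..max_factor divides the distance
    between two occurrences of the same ciphertext n-gram."""
    positions = {}
    for i in range(len(ct) - n + 1):
        positions.setdefault(ct[i:i + n], []).append(i)
    counts = Counter()
    for pos in positions.values():
        for a, b in combinations(pos, 2):
            for f in range(2, max_factor + 1):
                if (b - a) % f == 0:
                    counts[f] += 1
    return counts

PLAINTEXT = letters_only(SAMPLE_PLAINTEXT)
CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, KEY)

if __name__ == "__main__":
    print("IC of the whole ciphertext:", round(index_of_coincidence(CIPHERTEXT), 4))
    for m in range(1, 15):
        print(f"period {m:2d}: mean column IC {average_column_ic(CIPHERTEXT, m):.4f}")
    print("estimated period:", estimate_period(CIPHERTEXT))
    print("Kasiski factor counts:", kasiski_factor_counts(CIPHERTEXT).most_common(5))
    print("round trip ok:", vigenere(CIPHERTEXT, KEY, decrypt=True) == PLAINTEXT)
```

With the 225 letters of the post and a period of 7, each column would hold only about 32 letters, so the per-column IC is noisy; read the table of column averages across candidate periods rather than trusting a single threshold, and use the Kasiski factor counts as an independent check (the true period and its multiples should dominate). Neither test says anything about the alphabet used, so the byte-value mapping has to be settled first.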




------------------------------

From: "Dan Fogelberg" <[EMAIL PROTECTED]>
Subject: Re: Newbie questions
Date: Fri, 15 Oct 1999 06:52:11 -0500

Thank you.  I have been to JPeschel's site.  It was very helpful, as was he.  I
will look at the book you suggested.

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> "Douglas A. Gwyn" wrote:
>
> > There is no "recipe" for cryptanalysis.  If you're going to keep
> > playing this game, you need to study the subject.  I recommend
> > Kahn's "The Codebreakers" (unabridged hardbound) followed by the
> > MilCryp series (see the sci.crypt FAQ); work through the Zendian
> > problem and you should be in a good position to tackle the kind
> > of systems your friend seems to be coming up with.  If you later
> > need to move on to "modern" digital systems, there are other
> > useful textbooks (also mentioned in sci.crypt FAQ).
>
> Well, if he's looking for the BASICs of the basics, gotta go with
> applied crypto...not much for cryptanalysis, nor creating ciphers, but a
> good starting point.  Also read JPeschal's (sp sorry...) site.  It has a
> LOT of good stuff on breaking pencil and paper ciphers.
>




------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: how secure is RSA?
Date: Fri, 15 Oct 1999 12:27:43 GMT

In article <[EMAIL PROTECTED]>,
  Thinker <[EMAIL PROTECTED]> wrote:
>
> i rem. reading somewhere that RSA had been proven slightly insecure.  Is
> this even true, and if it is, where can i read up on this?

The question is meaningless.

EVERY   algorithm is "slightly insecure".

Please tell us exactly what you mean by "slightly insecure" and
then we can answer the question.


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: Six out of six for Kerckhoffs
Date: 15 Oct 99 13:25:54 GMT

[EMAIL PROTECTED] wrote:
: At one point, by going through these dicta, I have acknowledged
: something that I had failed to properly note before, the real value of the
: benefits of descending the hierarchy one-time-pad, symmetric encryption,
: public-key cryptography in terms of key management (as opposed to the
: benefits of going the other way in terms of theoretical confidence in the
: strength of one's encryption).

And this started me thinking about the hierarchy of keys and key-exchange
keys. This has resulted in my adding a bit to the section on "Military Key
Management" ... and what I've added is starting to sound a bit like the
croaking chorus from "The Frogs" of Aristophanes.

(As for cheerful facts about the square of the hypotenuse, you'll find
them on one of the pages about mathematics in my "Other Topics"
section...)

John Savard

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: 15 Oct 1999 09:42:23 -0400

In article <[EMAIL PROTECTED]>,
Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
>Bob Silverman wrote:
>
>> In article <[EMAIL PROTECTED]>,
>>   "Brian Gladman" <[EMAIL PROTECTED]> wrote:
>> >
>> > The arguments for multiple AES winners cannot be dismissed so easily.
>>
>> Yes it can.  By one word.  The word is:
>>
>> interoperability.
>>
>> By allowing multiple algorithms you are certain to guarantee that there
>> will be some users who can't talk to others.
>
>No.  This is an invalid conclusion.
>
>Any users desiring to communicate will be able to select a mechanism to do
>so.  Any analysis dismissing the active participation of the users in the
>dynamic selection of their channel properties from among the telephone, fax,
>and email is trivially flawed.

Nonsense.  The Three-Initial-Corp. decides to use XYZ encryption for
all its communication needs and invests several billion dollars in XYZ-
compliant mailers, routers, telephones, and so forth.  The Even-Larger-
Five-Initial-Corp., independently, decides to invest in PQ encryption
and spends similarly huge amounts on its scrambler phone.

The individual participant/employees of the companies involved are
probably not going to be able to "dynamically select" their encryption
scheme; they will use what's on their desk.  And what's going to happen
when ELFIC buys TIC?

        -kitten

------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: Fri, 15 Oct 1999 06:12:55 -0700

Trevor Jackson, III <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Roger Schlafly wrote:
> > No. Two standards for the same thing means that there is
> > no standard. Your statement is like saying, if you like
> > monogamy, more wives is better.
>
> You are misusing the term standard.  You may have a point, but it is
> obscured by your linguistic contortions.
>
> Consider the simple act of physical measurements.  In the (reactionary)
> United States there are two standards for measuring physical quantities.
> They are completely independent.  Completely redundant.  But no one
> claims that "two standards for the same things means that there is no
> standard".

You mean because we have feet and meters in the US? To the extent
this is true, distance measurement is not standardized. It is not an ideal
situation, as evidenced by the recent crash of the Martian probe.




------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: Six out of six for Kerckhoffs
Date: 15 Oct 99 13:30:00 GMT

[EMAIL PROTECTED] wrote:
: (As for cheerful facts about the square of the hypotenuse, you'll find
: them on one of the pages about mathematics in my "Other Topics"
: section...)

On the page about infinity, where I use the Pythagorean Theorem to
establish that the diagonal of the unit square has the square root of two
as its length, by means of which I introduce irrational numbers.

John Savard

------------------------------

From: "SamuelDuran" <[EMAIL PROTECTED]>
Subject: Crypt data by program.
Date: Fri, 15 Oct 1999 15:57:45 +0200

Hello,

I am developing a Web application and I would like to encrypt information which is
stored on the server.

I would also like to decrypt the information to consult it.

What can I do?

Note: I mean APIs for cryptography available for Visual C++, Visual BASIC or
Java...





------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: RSA Algorithm
Date: Fri, 15 Oct 1999 14:10:59 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Francois Grieu) wrote:
> [EMAIL PROTECTED] wrote :
> > Published tables exist with (2^n)-1 up to 1000 bit numbers
> > factorized, using old computers people would nowadays laugh at.

This is a gross distortion of the facts. Most of the harder numbers
were broken using very fast PC's and workstations (hundreds) running
in parallel.

And MANY  2^n-1  with n < 1000 are still unfactored. I wish that we
did have them all done!


> > Clearly, the above mentioned numbers was found to be easy
> > to factor.

Why "clearly"??  Some were indeed easy.  Others were quite hard.
On what basis do you make this statement?  Do you have any idea of
the level of effort that has been applied?  From 1984 to 1984  I alone
applied MILLIONS of CPU-hours on what were state-of-the-art machines
for that time  to this project.


>Is there any objective reason for that,

For what?  That some of the numbers were easy?  It is because they
turned out to be the product of some small primes, which were relatively
easy to find, times a large prime cofactor.


> Special methods exist that help factor numbers of the form (2^n)-1,
> called Mersenne numbers.

No.  These same methods (ECM,  P-1,  P+1, Pollard Rho etc) apply to ALL
numbers.  P-1 does give a moderate performance boost because if
p | 2^n-1   then  p = 1 mod 2n.  But this is true of all numbers of
the form a^n +/- 1.  There is nothing unique about the base '2'.
Further,  SNFS applies to all numbers of the form k1 a^n + k2 b^n
where k1, k2 are reasonably small.

> For background see
> <http://www.utm.edu/research/primes/mersenne.shtml>
>
> It's not that trivial though, sometime the SNFS algorithm
> (which I fail to fully understand, could not get past MPQS

I'm not sure I understand this statement.  What does it mean to
"get past MPQS"??


> with two large primes) is used. And many such numbers below
> 1000 bits are still only partially factored.
> For example, 2^617-1 = 59233*68954123297*C171

This,  and  2^619-1  have been finished recently.

> > How large is the largest number (2^n)-1 factored today ?

n = 2*1185  has been done. This is the largest that I know.

--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Before you buy.
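Added worked example (not from the digest and not Bob Silverman's code): the two points made above in Python, namely trial division of 2^q - 1 restricted to candidates p = 1 (mod 2q), which is the congruence that gives P-1 its "moderate boost", and Pollard's p-1 applied to an arbitrary composite to show that the method is not specific to Mersenne numbers. The extra filter p = +-1 (mod 8) is a standard property of factors of 2^q - 1 for prime q, not something stated in the thread; the composite 7681 * 1000003 and the parameter choices are constructed for the example.

```python
"""Factoring 2^q - 1: trial division restricted by the congruences its prime
factors must satisfy, and Pollard's p-1 as the general method it is (it applies
to any N).  Added example; the composite 7681 * 1000003 is constructed here."""
from math import gcd, isqrt


def small_primes(limit):
    """Primes <= limit by a plain sieve."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, limit + 1, i)))
    return [i for i, v in enumerate(sieve) if v]


def mersenne_trial_division(q, limit=10**7):
    """Trial division of M_q = 2^q - 1 for an odd prime q.

    For a prime p | M_q the order of 2 mod p is exactly q, so q | p - 1; p is
    odd, hence p = 1 (mod 2q).  Also 2 = (2^((q+1)/2))^2 is a square mod p,
    hence p = +-1 (mod 8).  Only candidates meeting both are tried, about one
    integer in 4q.  Returns (factors, cofactor): cofactor 1 means the
    factorization is complete; otherwise the search stopped at `limit` and the
    cofactor is whatever remains, which may be composite."""
    assert q > 2 and all(q % r for r in small_primes(isqrt(q))), "q must be an odd prime"
    N = 2**q - 1
    factors = []
    p = 2 * q + 1
    while p <= limit and p * p <= N:
        if p % 8 in (1, 7):
            while N % p == 0:        # composite candidates never divide: their
                factors.append(p)    # prime factors were removed earlier
                N //= p
        p += 2 * q
    if N > 1 and p * p > N:          # nothing below sqrt(N) divides N: N is prime
        factors.append(N)
        N = 1
    return factors, N


def pollard_p_minus_1(N, B, base=2, known_factor=1):
    """Pollard's p-1 with bound B.  Let M = known_factor * prod(r^e) over primes
    r <= B with r^e <= N.  If some prime p | N has p - 1 | M then base^M = 1
    (mod p) and gcd(base^M - 1, N) exposes p.  Returns 1 when no factor has a
    B-smooth p - 1 and N when every factor is caught at once.  The arithmetic is
    the same for every N; for M_q the known 2q | p - 1 can be folded in through
    known_factor, but base 2 must not be used there: 2 has order q modulo every
    factor of 2^q - 1, so with known_factor 1 the result is N when q <= B and 1
    otherwise, never a proper factor."""
    a = pow(base % N, known_factor, N)
    for r in small_primes(B):
        e = 1
        while r ** (e + 1) <= N:
            e += 1
        a = pow(a, r ** e, N)
    return gcd(a - 1, N)


if __name__ == "__main__":
    print("2^11 - 1 =", mersenne_trial_division(11))
    print("2^59 - 1 =", mersenne_trial_division(59))
    # Cole's 1903 factorization of 2^67 - 1, reached here after roughly 7e5 divisions
    print("2^67 - 1 =", mersenne_trial_division(67, limit=2 * 10**8))
    print("p-1 on 7681 * 1000003, B=5:", pollard_p_minus_1(7681 * 1000003, 5))
    print("p-1 on 2^29 - 1, base 2, B=29 (degenerate):", pollard_p_minus_1(2**29 - 1, 29))
    print("p-1 on 2^29 - 1, base 3, B=2, 2q folded in:",
          pollard_p_minus_1(2**29 - 1, 2, base=3, known_factor=58))
```

The congruence prunes the candidate list by a constant factor of about 4q; it does not change the exponential growth of trial division, which is the sense in which the boost is only moderate. The Pollard p-1 call on 7681 * 1000003 succeeds with B = 5 because 7680 = 2^9 * 3 * 5 while 1000002 has a large prime factor; replacing the small prime with one whose p - 1 is also smooth turns the answer into N, which is the "every factor caught at once" failure mode.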

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: RSA Algorithm
Date: Fri, 15 Oct 1999 14:13:48 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] (Francois Grieu) wrote:
> >IMHO the trend is opposite.
> >
> >In the early 1980's (before elliptic curve, MPQS and GNFS factoring
> >algorithms) small keys, like 384 bits, seemed reasonably safe in
> >the short term, as long as special generation techniques were used
> >to guard against special factoring techniques, succeeding for example
> >if one of the factors p is such that p-1 or p+1 is smooth.
> [...etc...]
> >reference: Robert D. Silverman, the requirement for strong
> >primes in RSA encryption, RSA laboratories.
> >at  <ftp://ftp.rsa.com/pub/ps/primes.ps>
> >or  <ftp://ftp.rsa.com/pub/ps/primes.zip>
> >[caution: strange Postscript dialect, view with Ghostscript]
> >
> >  Francois Grieu
>
> Thank you very much for the reference. It is not very
> surprising though finding an RSA Laboratories employee
> ridiculing special factoring methods.

I am not just an RSA employee. And I am not ridiculing the methods.
I simply do the arithmetic and point out that such methods are
totally ineffective against large keys.  This is backed up with
mathematics.

I am one of the leading experts on factoring algorithms.  And if you
knew anything about this subject, you would know that I have been
saying the same thing long before I joined RSA.

--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

Date: Fri, 15 Oct 1999 10:23:22 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column

Patrick Juola wrote:

> In article <[EMAIL PROTECTED]>,
> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
> >Bob Silverman wrote:
> >
> >> In article <[EMAIL PROTECTED]>,
> >>   "Brian Gladman" <[EMAIL PROTECTED]> wrote:
> >> >
> >> > The arguments for multiple AES winners cannot be dismissed so easily.
> >>
> >> Yes it can.  By one word.  The word is:
> >>
> >> interoperability.
> >>
> >> By allowing multiple algorithms you are certain to guarantee that there
> >> will be some users who can't talk to others.
> >
> >No.  This is an invalid conclusion.
> >
> >Any users desiring to communicate will be able to select a mechanism to do
> >so.  Any analysis dismissing the active participation of the users in the
> >dynamic selection of their channel properties from among the telephone, fax,
> >and email is trivially flawed.
>
> Nonsense.  The Three-Initial-Corp. decides to use XYZ encryption for
> all its communication needs and invests several billion dollars in XYZ-
> compliant mailers, routers, telephones, and so forth.  The Even-Larger-
> Five-Initial-Corp., independently, decides to invest in PQ encryption
> and spends similarly huge amounts on its scrambler phone.
>
> The individual participant/employees of the companies involved are
> probably not going to be able to "dynamically select" their encryption
> scheme; they will use what's on their desk.  And what's going to happen
> when ELFIC buys TIC?
>
>         -kitten

Well, one of the companies, either the one using fax or the one using email,
is going to have to change.  Of course both companies would profit by using both
kinds of communication channel in exactly the same way they would profit by using
multiple ciphers.  When one goes down the other is available.

Note that companies using a single cryptosystem are vulnerable in far worse ways
than having a bad cipher.  They usually specify a single cipher implementation,
and thus are exposed to the threat of a bad cipher implementation.  This threat
dwarfs any problems with interoperability.  Usually these kinds of monoculture
companies have terrible problems with upgrades.  Either they suffer the rev skew
interoperability problems because their policies, procedures, and culture
_assume_ interoperability instead of providing for it, or they force synchronous
updates upon the user population, which destroys their productivity until the new
product is re-integrated with their internal processes.

There is no substitute for robust diversity.  Attempts to evade the issue by fiat
"Let there be security..." are worse than the problems the fiats are supposed to
prevent.




------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: Fri, 15 Oct 1999 06:39:20 -0700

Brian Gladman <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> PGP (and hence OpenPGP) implements diversity but was never designed to
> interoperate with other applications or systems.  Many internet protocols
> are 'closed' in design terms - that is they don't interoperate with other
> protocols - and this means that their design does not need to offer a choice
> of algorithms but they very often do.  There are many reasons for this, one
> being to give users a choice.

The primary reason for the algorithm choice is for PGP to migrate away
from some algorithms that have some undesirable properties (such as
patents).

> Moreover PGP has achieved a high level of global interoperability without
> adopting a single algorithm.  Hence the idea that extensive interoperability
> requires a single algorithm standard is not only wrong but demonstrably so.

Its interoperability is in spite of algorithm choice. There are lots of PGP
users who have RSA-only versions who cannot handle DH keys.

When there is diversity in the marketplace, I can see where PGP would
want to address that. It might simply want to satisfy differing perceptions
of users. What I don't understand is why NIST would want to deliberately
inject diversity into the market.

> I have to meet some requirements that involve protection for 50+ years and I
> want to provide a degree of protection against the possibility that any
> single algorithm will be found later to have a serious flaw.  I intend to do
> this by applying two (or more) different encryption algorithms in sequence -
> an established practice in such situations and one that most information
> security professionals will accept as valid.

There are probably also people who will not trust AES as is, and use
triple-AES. If NIST sanctioned triple-AES, they'd use triple-triple-AES.
That's fine, but it is pretty useless for NIST to try to accommodate them.

> In order to meet this need I would like to use the best internationally
> agreed, open standard algorithms that are available and I see the AES
> process as a good basis for making my selection.  While I could use any of
> the five finalists in combination (assuming that potential IPR problems with
> two of them in this situation are removed), I would like to reduce the
> diversity of choice from, say, five to three because five is more than I
> need and the widespread use of all five finalists will create greater
> interoperability problems than are necessary to meet my diversity needs.

You don't really want to use AES, you just want to use NIST AES
submissions as input to your own homebrew cipher. That's fine -- you
may get your 50+ year security. But you are doing something
nonstandard.





------------------------------

Date: Fri, 15 Oct 1999 10:29:47 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: need LFSR information

Scott Nelson wrote:

> On Wed, 13 Oct 1999 10:35:10 -0700, Philip Koopman <[EMAIL PROTECTED]>
> wrote:
>
> >[EMAIL PROTECTED] wrote:
> >
> >>Where can i find a table of LFSR coefficients with maximum
> >>length period.
> >
> >http://www.ices.cmu.edu/koopman/lfsr
> >
> I wrote a program to calculate maximal length LFSR's,
> using "that chordic nonsense."  After 32 bits, it
> can only find "probable" polys.   The list of Probable
> polys include all maximal length LFSR's but might include
> a few less-than maximal length polys as well.
>
> Hardly the best way to find LFSR's, but it's faster than
> straight out brute force, and the code's already done.
> On my Pentium 166, it takes 23 seconds to find all 16 bit LFSR's.
>
> For those interested, there's a copy (with source) on my ftp site
> ftp://helsbreth.org/pub/helsbret/random

The site has not been available.  I've tried several times over the last
~18 hours.

> Or if you have trouble getting it,
> you can email me for a copy.
>
> Scott Nelson <[EMAIL PROTECTED]>
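Added worked example (not Scott Nelson's program and not Philip Koopman's table): checking whether an LFSR feedback polynomial is maximal length, by brute force for small widths and by the exact order test, which removes the "probable" qualifier for any width at which 2^n - 1 can be factored. Polynomials are written as integers with bit n set; the 8-, 16- and 32-bit test polynomials are the usual textbook ones and are assumptions here, as is the use of the AES field polynomial as an irreducible that is nevertheless not maximal.

```python
"""Is a given LFSR feedback polynomial maximal length (period 2^n - 1)?  Brute
force for small n, and the exact order test for any n whose 2^n - 1 can be
factored.  Added example; polynomials are integers over GF(2) with bit n set,
e.g. 0x171 = x^8 + x^6 + x^5 + x^4 + 1."""


def galois_step(state, poly, n):
    """One clock of a Galois-form LFSR: multiply the state, a polynomial of
    degree < n, by x and reduce modulo poly."""
    state <<= 1
    if state >> n & 1:
        state ^= poly
    return state


def brute_force_period(poly, n, start=1):
    """Clock the register until it returns to start; None if it never does."""
    state = start
    for k in range(1, 2**n):
        state = galois_step(state, poly, n)
        if state == start:
            return k
    return None


def find_maximal_polynomials(n):
    """Every degree-n polynomial with nonzero constant term whose register runs
    through all 2^n - 1 nonzero states.  Exhaustive, so only for small n."""
    return [poly for poly in range(2**n | 1, 2**(n + 1), 2)
            if brute_force_period(poly, n) == 2**n - 1]


def polymulmod(a, b, poly, n):
    """Product of two polynomials over GF(2), reduced modulo poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = galois_step(a, poly, n)
    return r


def polypowmod(base, e, poly, n):
    """base^e modulo poly by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = polymulmod(r, base, poly, n)
        base = polymulmod(base, base, poly, n)
        e >>= 1
    return r


def prime_factors(m):
    """Distinct prime factors by trial division; fine for 2^n - 1 up to n of a
    few dozen, beyond which a real factorization of 2^n - 1 is needed."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def is_primitive(poly, n):
    """Exact test: the register is maximal length iff x has order 2^n - 1 modulo
    poly, i.e. x^(2^n - 1) = 1 and x^((2^n - 1)/r) != 1 for each prime r dividing
    2^n - 1.  A reducible poly has fewer than 2^n - 1 units, so it cannot pass,
    and no separate irreducibility check is needed."""
    order = 2**n - 1
    if poly >> n != 1 or not poly & 1:
        return False
    x = 0b10
    if polypowmod(x, order, poly, n) != 1:
        return False
    return all(polypowmod(x, order // r, poly, n) != 1 for r in prime_factors(order))


if __name__ == "__main__":
    print("x^8+x^6+x^5+x^4+1 period:", brute_force_period(0x171, 8))
    # the AES field polynomial is irreducible, but x has order 51 in it: not maximal
    print("x^8+x^4+x^3+x+1 period:", brute_force_period(0x11B, 8))
    print("maximal 8-bit polynomials:", [hex(p) for p in find_maximal_polynomials(8)])
    print("x^16+x^14+x^13+x^11+1 maximal:", is_primitive(0x16801, 16))
    # 2^32 - 1 = 3 * 5 * 17 * 257 * 65537, so the exact test is instant at 32 bits
    print("x^32+x^22+x^2+x+1 maximal:", is_primitive(0x100400007, 32))
```

The brute-force search is what costs seconds at 16 bits and becomes hopeless past 32; the order test needs only a handful of polynomial exponentiations once the prime factors of 2^n - 1 are known, which ties this thread to the RSA Algorithm thread above: for widths where 2^n - 1 is only partially factored, the exact test cannot be run and "probable" is the best one can say. The count of maximal polynomials of degree n is phi(2^n - 1)/n, which gives 2 for n = 4 and 16 for n = 8, a useful sanity check on any search program.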




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
