Cryptography-Digest Digest #644, Volume #10 Sun, 28 Nov 99 22:13:01 EST
Contents:
Re: Use of two separate 40 bit encryption schemes (Mike Field)
Re: Use of two separate 40 bit encryption schemes (Terje Mathisen)
Re: How safe is Mobile Phone ? (Wim Lewis)
Re: bits of diffiehellman private key (Anonymous)
Attack 2x Tramp. (Was: Attack 2x Playfair how?) (William Rowden)
Re: Distribution of intelligence in the crypto field (David Wagner)
Re: How safe is Mobile Phone ? (David Wagner)
Re: A dangerous question (Johnny Bravo)
Re: A dangerous question (Johnny Bravo)
Re: Random Noise Encryption Buffs (Look Here) (Tom St Denis)
Re: Random Noise Encryption Buffs (Look Here) (Tom St Denis)
Re: Simpson's Paradox and Quantum Entanglement ("Bob Greer")
Re: Random Noise Encryption Buffs (Look Here) (lordcow77)
Re: Random Noise Encryption Buffs (Look Here) ("Douglas A. Gwyn")
Re: Random Noise Encryption Buffs (Look Here) ("Douglas A. Gwyn")
Re: Attack 2x Tramp. (Was: Attack 2x Playfair how?) ("Douglas A. Gwyn")
Re: AES cyphers leak information like sieves ("Douglas A. Gwyn")
----------------------------------------------------------------------------
From: Mike Field <[EMAIL PROTECTED]>
Subject: Re: Use of two separate 40 bit encryption schemes
Date: Tue, 30 Nov 1999 00:26:46 +1300
"tony.pattison" wrote:
> as I do not live in the land of the free, I'm not permitted to have
> more than 40 bit DES (I don't know why not, perhaps if we had it,
> we'd start asking for our colonies back ^_^). As this is pitifully
> inadequate, I'm thinking of encrypting the data in my packets (again
> 40 bit encryption) before I send them out over my 40 bit DES
> encrypted lines.
>
> Would I get the equivalent of 80 bit encryption doing this, or would
> it be less (the packet headers are not being encrypted by the first
> encryption)?
>
> Thanks
> Tony
>
TCP/IP headers are about 28 bytes long. It would not take long (2^39
tries) to brute force the encrypted line - the valid headers would tell
you when you have the right key. You can then brute force the data in a
similar sort of time (2^39), so effectively you have the strength of 41
bit encryption - on average 2^40 tries are required.
Cheers
Mike
------------------------------
From: Terje Mathisen <[EMAIL PROTECTED]>
Subject: Re: Use of two separate 40 bit encryption schemes
Date: Sun, 28 Nov 1999 23:36:16 +0100
tony.pattison wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> as I do not live in the land of the free, I'm not permitted to have
> more than 40 bit DES (I don't know why not, perhaps if we had it,
> we'd start asking for our colonies back ^_^). As this is pitifully
> inadequate, I'm thinking of encrypting the data in my packets (again
> 40 bit encryption) before I send them out over my 40 bit DES
> encrypted lines.
>
> Would I get the equivalent of 80 bit encryption doing this, or would
> it be less (the packet headers are not being encrypted by the first
> encryption)?
You would get up to 41 bit encryption doing this: You have to break two
40-bit codes to get at your data, which is equivalent to breaking a
single 41-bit code.
To double the effective number of bits, you must make it impossible to
solve the problem by halves, but since the 40-bit encrypted line can
clearly be decoded by itself, this doesn't work in your case.
Sorry. :-(
Terje
--
- <[EMAIL PROTECTED]>
Using self-discipline, see http://www.eiffel.com/discipline
"almost all programming can be viewed as an exercise in caching"
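The key-counting argument of the two replies above, run on a scaled-down model as an added example (not from either post): a 12-bit toy stream cipher stands in for 40-bit DES, and the keys, header and body are constructed; only the key counting carries over.

```python
KEY_BITS = 12                     # stands in for 40; small enough to search in a second
KEY_SPACE = 1 << KEY_BITS

def toy_keystream(key, n):
    """Keystream bytes from a 16-bit LCG seeded by the key.  Toy cipher, not DES."""
    state = (key * 31153 + 7) & 0xFFFF   # odd multiplier: distinct keys give distinct seeds
    out = bytearray()
    for _ in range(n):
        state = (state * 69069 + 12345) & 0xFFFF
        out.append(state >> 8)
    return bytes(out)

def toy_crypt(key, data):
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))

def send_packet(header, body, inner_key, outer_key):
    """Tony's layering: body under inner_key, then header||body under outer_key."""
    return toy_crypt(outer_key, header + toy_crypt(inner_key, body))

def is_plausible_text(b):
    """Stands in for whatever test the attacker has for correctly decrypted data."""
    return all(32 <= c < 127 for c in b)

def recover_by_halves(packet, known_header, body_check=is_plausible_text):
    """Solve the layers one at a time: the predictable header picks out the outer
    key, after which the inner layer is an ordinary single-key search.
    Returns (outer_key, inner_key, trials), or None if no key fits."""
    h = len(known_header)
    trials = 0
    inner_ct = None
    for outer in range(KEY_SPACE):
        trials += 1
        candidate = toy_crypt(outer, packet)
        if candidate[:h] == known_header:
            inner_ct = candidate[h:]
            break
    if inner_ct is None:
        return None
    for inner in range(KEY_SPACE):
        trials += 1
        if body_check(toy_crypt(inner, inner_ct)):
            return outer, inner, trials
    return None

def effective_bits():
    """Worst case is 2 * 2^KEY_BITS trials: one extra bit, not twice the bits."""
    return (2 * KEY_SPACE).bit_length() - 1  # KEY_BITS + 1

if __name__ == "__main__":
    hdr = b"constructed 28-byte header.."      # the part the attacker can predict
    body = b"attack at dawn, inner layer!"     # constructed payload
    pkt = send_packet(hdr, body, inner_key=0x3A7, outer_key=0xC42)
    print(recover_by_halves(pkt, hdr), "trials, versus", KEY_SPACE ** 2, "for a joint search")
```

With KEY_BITS = 40 the same loop structure gives at most 2 * 2^40 trials, which is the "41 bit" figure in both replies.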
------------------------------
From: [EMAIL PROTECTED] (Wim Lewis)
Subject: Re: How safe is Mobile Phone ?
Date: 28 Nov 1999 23:06:26 GMT
In article <[EMAIL PROTECTED]>,
Jim Dunnett <Jim Dunnett> wrote:
>On Sat, 27 Nov 1999 00:45:14 +0800, "Hank" <[EMAIL PROTECTED]>
>wrote:
>>I am curious if the mobile phone system uses any data encryption mechanism.
>
>If you have a digital 'phone then I don't think you have anything to
>worry about as I believe the entire process is encrypted over the
>radio path.
This depends on the phone. There are lots of different digital cell phone
protocols out there. The PCS phones you can get in the US aren't encrypted
as far as I know, although the protocol supports it the hardware usually
doesn't. GSM has encryption, though it is crackable with effort. I have
no idea what is used in Taiwan (where the original poster presumably is).
It is true that eavesdropping on a digital phone requires more effort than
eavesdropping on an analog phone --- you'd need hardware built for the
purpose, probably --- but it's not difficult enough that you can assume
that no-one's going to do it.
--
Wim Lewis * [EMAIL PROTECTED] * Seattle, WA, USA
------------------------------
Date: Mon, 29 Nov 1999 00:40:50 +0100 (CET)
From: Anonymous <[EMAIL PROTECTED]>
Subject: Re: bits of diffiehellman private key
> > No one has stated it explicitly here (IEEE P1363 does discuss this)
> > but the danger in choosing a generator of the whole group of size p-1
> > is that the low order bit of the exponent is leaked.
>
> < followed by good explanation >
>
> As I understand it more than 1 bit may be leaked. If p-1 = (2^k)*q where q
> is odd, then up to k bits will be leaked.
Right, or more generally if p-1 has more small prime factors, then
even more information about the exponent may be leaked. The discussion
above was in the context of p being a "strong" prime, that is, one where
(p-1)/2 is also prime.
Here is an example of a situation where the memory leak could be serious.
Suppose you are doing ElGamal encryption, and you're not encrypting a
session key, you're encrypting the message itself, what you might call
"pure" ElGamal (as opposed to hybrid ElGamal/3DES). People often propose
to use "pure" public key encryption to send short messages so that they
don't expose themselves to the double threat of attacks on both the
public key and symmetric key encryption systems.
Let p be a strong prime, g a generator of the whole group. x is the
recipient's private key, and y = g^x is his public key. To do ElGamal
encryption of message m, choose a random exponent k and calculate
m * y^k, and also g^k. Send both values as the encryption of m.
Let's suppose that x is odd, so y is a non quadratic residue (QR).
The attacker can learn whether k is even or odd by whether g^k is a QR.
He can test whether m * y^k is a QR, and he can calculate whether y^k
is a QR by whether k is even or odd. From this he can determine whether
m is a QR.
This is the leak. Suppose the eavesdropper knows that m is one of two
messages, "attack" or "retreat". If one of them happens to be a QR
while the other is not, he has just learned the content of the message.
This is bad.
The attack can be avoided by using randomized padding of the message,
for example PKCS-1 padding or OAEP, before multiplying, similar to the way
randomized padding is used with RSA encryption. Information would still
be leaked but it is very hard to do anything with it. However people may
not think it is necessary to do random padding since ElGamal is already
a "randomized" encryption method; if they thought of PKCS-1 padding as
being there purely to prevent guessing the plaintext they might not have
thought it appropriate for ElGamal encryption.
Choosing g to generate a prime order subgroup will prevent the leak,
which is one reason that method is often preferred.
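A worked instance of the leak described above and of the subgroup fix, added here as an example (not the poster's code). It assumes the constructed safe prime p = 1019 with g = 2 generating the whole group, and, for the fix, that messages are first encoded as quadratic residues so they lie in the order-q subgroup (the standard way to use a prime-order generator); it also handles an even private key x, which the post leaves aside.

```python
def legendre(a, p):
    """Euler's criterion: +1 if a is a quadratic residue mod p, -1 if not, 0 if p | a."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def generates_whole_group(g, p):
    """For a safe prime p = 2q+1, g has order p-1 exactly when g^2 != 1 and g^q != 1."""
    q = (p - 1) // 2
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1

def encrypt(m, y, g, p, k):
    """Textbook ElGamal: (g^k, m * y^k) for a fresh random exponent k."""
    return pow(g, k, p), (m * pow(y, k, p)) % p

def decrypt(c1, c2, x, p):
    return (c2 * pow(c1, p - 1 - x, p)) % p       # c1^(p-1-x) == c1^(-x) by Fermat

def eavesdrop_qr(c1, c2, y, g, p):
    """Passive observer's computation of L(m) from ciphertext and public key only.
    L is multiplicative, so L(c2) = L(m) * L(y)^k.  With g generating the whole
    group, L(g) = -1 and L(c1) = (-1)^k exposes the parity of k; that and the
    public L(y) determine L(y)^k.  (The post takes x odd, i.e. L(y) = -1; the
    L(y) term makes this work for even x as well.)"""
    assert generates_whole_group(g, p)
    k_is_odd = legendre(c1, p) == -1
    l_yk = legendre(y, p) if k_is_odd else 1
    return legendre(c2, p) * l_yk

def consistent_candidates(c1, c2, y, g, p, candidates):
    """The post's 'attack'/'retreat' scenario: which of a few possible
    plaintexts are consistent with the leaked residuosity of m?"""
    leaked = eavesdrop_qr(c1, c2, y, g, p)
    return [m for m in candidates if legendre(m, p) == leaked]

# The fix: work in the order-q subgroup.  h = g^2 generates it, and messages are
# encoded as residues: p = 3 (mod 4), so exactly one of m, p-m is a QR for 1 <= m <= q.
def encode_to_subgroup(m, p):
    q = (p - 1) // 2
    assert 1 <= m <= q
    return m if legendre(m, p) == 1 else p - m

def decode_from_subgroup(r, p):
    q = (p - 1) // 2
    return r if r <= q else p - r

def observer_view(c1, c2, p):
    """Everything Legendre symbols tell an observer.  In the subgroup scheme both
    components are residues, so this is always (1, 1) and nothing about m leaks."""
    return legendre(c1, p), legendre(c2, p)
```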
------------------------------
From: William Rowden <[EMAIL PROTECTED]>
Subject: Attack 2x Tramp. (Was: Attack 2x Playfair how?)
Date: Sun, 28 Nov 1999 23:37:33 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> Jim Gillogly wrote:
[snip]
> > However, the double transposition (the third problem) <is> more
> > accessible. Besides the suggested method of dinking with the
> > assumed keys to find out what went wrong, that cipher can even
> > be solved without a crib because the keys are relatively short
> > compared to those used in WW2.
> I struck out on the 3rd problem too. I tried variations on the
> keywords but maybe not enough of them. I tried to brute force
> all keys less than 5 or 6 letters but it appears the keywords
> would have been roughly the same length as the 'right' ones and
I haven't tackled Cipher #3 yet; I have been determining the formula
equivalent to a columnar transposition, based on my hunch that a double
columnar transposition can be mathematically simplified. While doing
so, I ordered _Cryptanalysis of the Double Transposition Cipher_ by
Wayne G. Barker (Aegean Park Press, 1995). I recommend this
recently-declassified text. The author says that the "United States
Army" double transposition has a single transposition equivalent (with
a much longer key). His method looks simpler than the algorithm I was
pursuing, so I think I'll try it.
--
-William
SPAM filtered; damages claimed for UCE according to RCW19.86
PGP key: http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc until 2000-08-01
Fingerprint: FB4B E2CD 25AF 95E5 ADBB DA28 379D 47DB 599E 0B1A
Sent via Deja.com http://www.deja.com/
Before you buy.
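An added example (not from the post or from Barker's book) of the single-transposition equivalent for the ordinary irregular columnar transposition: two keyword transpositions compose into one permutation whose numeric key is as long as the message, and that key changes with the message length. Keys and messages are constructed.

```python
def columnar_permutation(key, n):
    """Index map of a columnar transposition of an n-character message.
    The text is written in rows of len(key) and the columns are read out in
    alphabetical order of the key letters (ties left to right); output position
    j of the result holds input index perm[j].  A short final row is allowed."""
    width = len(key)
    order = sorted(range(width), key=lambda c: (key[c], c))
    return [i for col in order for i in range(col, n, width)]

def apply_permutation(text, perm):
    return "".join(text[i] for i in perm)

def transpose(text, key):
    """One columnar transposition under a keyword."""
    return apply_permutation(text, columnar_permutation(key, len(text)))

def compose(first, second):
    """Permutation equal to applying `first` and then `second` to its result."""
    return [first[j] for j in second]

def invert(perm):
    """Inverse permutation, i.e. the decryption map."""
    inv = [0] * len(perm)
    for j, i in enumerate(perm):
        inv[i] = j
    return inv

def double_transposition_equivalent(key1, key2, n):
    """The single transposition (a numeric key of length n) that equals the
    double columnar transposition under key1 followed by key2."""
    return compose(columnar_permutation(key1, n), columnar_permutation(key2, n))

if __name__ == "__main__":
    msg = "WEAREDISCOVEREDFLEEATONCE"          # constructed 25-letter message
    perm = double_transposition_equivalent("ZEBRAS", "MOUSE", len(msg))
    print(perm)                                  # the long single key
    print(apply_permutation(msg, perm) == transpose(transpose(msg, "ZEBRAS"), "MOUSE"))
```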
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Distribution of intelligence in the crypto field
Date: 28 Nov 1999 15:51:02 -0800
In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Why place so much credence in one posting? NSA is not in the
> habit of hiring mathematicians right out of high school, but
> when one does apply for a job, top performance in the Putnam
> competition would be a positive factor.
The Putnam test is typically taken while one is in college, not in
high school.
You may take the Putnam each of the four years that you are an
undergraduate. I would expect that one is likely to do better in
later years of your college career, so the relevant question is
whether the NSA hires mathematicians right out of college, not
whether they hire folks right out of high school.
Yes, I do know of people who scored extremely well on the Putnam and
received materials from the NSA. But I'm not so clear on whether
this was an invitation to summer internships or on a permanent job
-- for some reason, I vaguely seem to remember that it may have been
oriented more towards internships than fulltime positions, but I might
be misremembering.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: How safe is Mobile Phone ?
Date: 28 Nov 1999 16:35:08 -0800
In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Lincoln Yeoh wrote:
> > Most analog cellular phones have no encryption. Trivial to eavesdrop
> > with a scanner. Easy to clone too.
>
> In fact, several of us commented on this during the (US) FCC
> proceedings leading to the establishment of the US cell-phone
> system. But it wasn't "three-letter agencies" that ignored
> the problem, it was manufacturers greedy for quick bucks who
> didn't want to delay while a proper engineering job was done.
That doesn't seem to be the case when it comes to digital cellphones,
though.
All reports I've seen indicate that the standards committee made at
least some serious effort to use strong cryptography, but that they
were rebuffed by the NSA (or pick your favorite party fronting for the
export regulations -- State Dept., etc.) due to export regulations.
Consequently, the US cellular industry has standardized on extremely
weak crypto (when the crypto is even used at all).
Note also that there is often a NSA representative sitting in on the
AHAG working group meetings. (The AHAG is the US cellular telephony
standards committee that deals with all matters pertaining to crypto.)
I think one can make a good case that the export regulations and/or the
NSA (the two causes are hard to separate) must shoulder a good deal
of the blame for the insecurity of today's cellphone infrastructure.
It's a shame.
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: A dangerous question
Date: Sun, 28 Nov 1999 19:37:52 GMT
On 28 Nov 1999 12:37:29 GMT, [EMAIL PROTECTED] wrote:
>So the question is: how long will it be before the
>protocols and the infrastructure are in place that make
>Assassination Politics a reality?
Never. The assumption made in the first paper is that it would be
legal to put out a death contract on another person. No matter how
Libertarian the country becomes, I doubt that it will ever go so far
as to think that you have an absolute right to kill a person who is
not an immediate threat to your life.
There is no difference in responsibility between "I will give
$10,000 in untraceable small bills for anyone who brings me the head
of John Doe, no questions asked." and "I'll go kill John Doe."
Either way you are just as responsible if John Doe ends up dead.
There is no way that any system of government will allow this. I
doubt many Libertarians would say that their ideal form of government
gives you an unrestricted right to kill anyone you want just by
posting a bounty on their death to be paid in a manner that prevents
you from finding the identity of the killer.
Best Wishes,
Johnny Bravo
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: A dangerous question
Date: Sun, 28 Nov 1999 19:50:17 GMT
On 28 Nov 1999 15:45:46 GMT, David A Molnar <[EMAIL PROTECTED]>
wrote:
>All you need for a trial run is out there. You can run AP by posting
>the list of current bets via mail2news gateways and taking new bets
>via pseudonymous remailer. Don't even need the cocaine auction (although
>it's a neat idea if you do have anonymous broadcast).
The trouble comes in having anonymous ecash. You would have to
charge the people making the predictions, otherwise there is nothing
stopping you from sending in thousands of them covering every day that
this person is likely to be alive. Even if the person dies of natural
causes you will have to make payout sooner or later. Collecting all
the bet money will create a paper trail that will point back to you.
Then you come to your second problem, the actual killer has no way
to force you to collect. He only has your word that he will actually
get paid. Would you risk a murder conviction based on a promise of
payment from someone you don't know, can't find, and know nothing
about?
The author of the paper is assuming an absolute level of trust
between anonymous strangers, one promising to give the other a large
amount of cash at some point in the future. This is nothing like the
cocaine auction paper, in that paper each side has something the other
wants (drugs or money). This encourages them to get together and make
the exchange. If only one side has the good, the temptation to just
keep it without any possible adverse consequences would almost forbid
the empty handed party to trust the other.
Best Wishes,
Johnny Bravo
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Mon, 29 Nov 1999 01:23:58 GMT
In article <[EMAIL PROTECTED]>,
lordcow77 <[EMAIL PROTECTED]> wrote:
> Hidden variables theories must introduce explicit nonlocality of a
> non-wavefunction object in order to deal with quantum entanglement. Put
> another way, there is no metaphorical tiny clock in the nucleus of an
> item that tells the atom to decay when the alarm sounds. If it were
> possible to perform the above experiment (you can't, since you can't
> even copy the atom exactly), you would still find that the decay
> behavior of both atoms would be uncorrelated.
>
> Please do us all a favor and study some physics before making
> incomprehensible pronouncements.
Funny I was gonna say that about your sentence.
I still will not accept the fact that there are processes in nature
which do not obey some law of a sort. That things can happen
haphazardly.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Mon, 29 Nov 1999 01:27:31 GMT
In article <81s4kb$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Guy Macon) wrote:
> In article <81rdc8$ovn$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
>
> >If things are to be randomly created, material must be randomly
> >destroyed.
>
> Evidence, please.
If atoms kept being added to earth [via spontaneous creation], we would
eventually gain so much mass that the moon would collide with us. That
would be bad.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Bob Greer" <[EMAIL PROTECTED]>
Crossposted-To: comp.ai.fuzzy,sci.physics,sci.math
Subject: Re: Simpson's Paradox and Quantum Entanglement
Date: Sun, 28 Nov 1999 18:11:50 -0800
karl malbrain wrote in message ...
>
><[EMAIL PROTECTED]> wrote in message news:81119m$o43$[EMAIL PROTECTED]...
>> Simpson's Paradox:
>> http://curriculum.qed.qld.gov.au/kla/eda/sim_par.htm
>>
>> Simpson's Paradox is a statistical artifact related to
>> hidden variables. Here it is in terms of quantum entanglement.
>
>Simpson's description of VINGH as a SUBJECTIVE/OBJECTIVE problem -- WHO is
>trying to change ownership of WHAT property for their SINGULAR benefit.
>HISTORY is a MAJORITY subject.
>
"I love Big Brother."
------------------------------
From: lordcow77 <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Sun, 28 Nov 1999 18:41:34 -0800
In article <81skj4$isd$[EMAIL PROTECTED]>, Tom St Denis
<[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
> lordcow77 <[EMAIL PROTECTED]> wrote:
> > Hidden variables theories must introduce explicit nonlocality of a
> > non-wavefunction object in order to deal with quantum entanglement. Put
> > another way, there is no metaphorical tiny clock in the nucleus of an
> > item that tells the atom to decay when the alarm sounds. If it were
> > possible to perform the above experiment (you can't, since you can't
> > even copy the atom exactly), you would still find that the decay
> > behavior of both atoms would be uncorrelated.
> >
> > Please do us all a favor and study some physics before making
> > incomprehensible pronouncements.
> Funny I was gonna say that about your sentence.
> I still will not accept the fact that there are processes in nature
> which do not obey some law of a sort. That things can happen
> haphazardly.
The words in quotes are for Tom's sake.
Is there a specific phrase or word that you were not able to
understand? If so, I would be glad to explain in more detail. To
rephrase my previous comment, the existence of an otherwise
undetectable hidden variable ["alarm clock"] in the nucleus [center] of
an atom that tells it to decay would imply nonlocality [greater than
the speed of light] of something [the "alarm clock"] that does not
decompose [turn into a physical object] upon observation [the atom
decays]. It is not possible for information [the "alarm clock"] to be
transferred superluminally [faster than the speed of light]. Hidden
variables explicitly [in an outright manner] breaks this.
Radioactive decay is a process that can only be modelled statistically.
It obeys "a law of some sort"; merely one that you refuse to accept.
The world is not black and white. Get used to it.
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Mon, 29 Nov 1999 02:58:14 GMT
"Trevor Jackson, III" wrote:
> You are _asserting_ the randomness of the process, not proving it.
> ... You are claiming that statistical observations apply all the way
> down to the individual components. There is no reason to make that
> assumption.
The proof has been provided during the course of modern physics.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Mon, 29 Nov 1999 03:00:28 GMT
Tom St Denis wrote:
> If I took two exact copies [leave the copying theory behind here] of
> an atom, and placed them in two exact same environments. Would they
> not decay the same way? If so, that's hardly random at all.
The simple answer is, no, two identically prepared quantum systems,
constrained as tightly as nature allows, need not evolve along the
same path.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Attack 2x Tramp. (Was: Attack 2x Playfair how?)
Date: Mon, 29 Nov 1999 03:02:50 GMT
William Rowden wrote:
> ... I ordered _Cryptanalysis of the Double Transposition Cipher_ by
> Wayne G. Barker (Aegean Park Press, 1995).
You would have done better to have ordered Kullback's treatise.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Date: Mon, 29 Nov 1999 03:08:36 GMT
"Trevor Jackson, III" wrote:
> Hmmm. Are the participants in sci.crypt the kind of people that one
> sells to, or the kind that one reasons with?
To all intents and purposes, D.Scott has been trying to "sell" his
particular encryption software to us. (It's a metaphor: "selling"
an idea doesn't involve transfer of money.)
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************