Cryptography-Digest Digest #668, Volume #10       Thu, 2 Dec 99 19:13:01 EST

Contents:
  Safeboot is it really safe (Matt)
  Re: Quantum Computers and Weather Forecasting (John Savard)
  Re: NSA should do a cryptoanalysis of AES ("Brian Gladman")
  Re: Why Aren't Virtual Dice Adequate? ("r.e.s.")
  Re: newbie question (Kyle Hayes)
  Re: Why Aren't Virtual Dice Adequate? (John Myre)
  Re: Use of two separate 40 bit encryption schemes (fungus)
  Re: Why Aren't Virtual Dice Adequate? (Mickey McInnis)
  Re: Random Noise Encryption Buffs (Look Here) ("Trevor Jackson, III")

----------------------------------------------------------------------------

From: Matt <[EMAIL PROTECTED]>
Subject: Safeboot is it really safe
Date: Thu, 02 Dec 1999 23:13:50 +0000

Hi,

Which is better for encryption of HDD or partitions,
safeboot or PGP for WinNT/Win95/Win98/Win2000
and Linux ?

Regards

Matt


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Thu, 02 Dec 1999 23:13:36 GMT

Joseph Bartlo <[EMAIL PROTECTED]> wrote, in part:

>My initial comment is that although an interesting concept, I think the
>entire system must be considered, as do any intelligent modifications
>on it.  What does your concept say about a person dropping dry ice in
>a cloud & causing rain ?  Or dare I say with the risk of extreme criticism
>of people in the group who evidently feel this is completely impossible,
>that possibly from another being with far greater capabilities ?

>If you are talking about a *perfect* forecast, even if a butterfly flapping
>its wings disturbed the weather 2 weeks later a *known way*, you'd still
>have to know when & where it'd flap its wings :)

No; my post specifically states that while the *butterfly effect* sets
an _irreducible_ limit to forecasting, at present the number of sites
measuring the wind/air pressure/temperature leaves holes big enough
for things to slip through that _don't_ exist to create random
perturbations in the weather.

>Perhaps I'll have more comments after reading & correcting your site.
>Well, I am probably kidding about the latter ;)

My site doesn't really address the topic of this post, however I
flatter myself to think that it _is_ an interesting site none the
less.

John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Thu, 2 Dec 1999 23:18:40 -0000


Trevor Jackson, III <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Anyone who thinks that NSA will get at information in future by
> > breaking such algorithms (rather than their implementations) has not
> > understood the closing of the cryptographic knowledge gap between the
> > open and closed worlds.
>
> How did you reach the conclusion that "the crypto gap" (shades of the
> 1950's "missile gap") has closed?  Why do you believe your supposed gap
> closing should be obvious?

Because it is a lesson about technology generally and not about cryptography in
particular.  And it stretches back into pre-history.  I don't want to bore
people with the details but my experience has been that technologies that
start in the closed government world most often migrate into civil
applications where over time more resources are deployed with the result
that the positions of the two worlds reverse.

In my career I have seen the move from defence to civil dominance in a
number of areas - in computer systems, in integrated circuits, in software
operating systems, in high level languages, in computer networking, in
display technologies, and now, in my view, in computer and cryptographic
security.

What happens is that government resources tend to be constrained but can be
spent on things that are not profitable since government does not need to
make money.  Government funded developments hence make the early running in
new technology areas. But as civil interests become clearer and profits
become a driver civil resources get deployed and these are not bounded by
the limits on government expenditure and hence eventually grow to be much
greater in scale. Moreover, since government R&D resources are needed to
make the next breakthrough, once civil investment develops in a technology
area the incentive to put government money into it goes away.

And I see no reason to believe that this pattern will be any different for
cryptographic and security technologies now that the civil world has woken
up to the need for these.

     Brian Gladman




------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Thu, 2 Dec 1999 15:20:17 -0800

"John Savard" <[EMAIL PROTECTED]> wrote ...
: [EMAIL PROTECTED] (Guy Macon) wrote, in part:
: > [EMAIL PROTECTED] (Tim Tyler) wrote:
: > > http://www.io.com/~ritter/GLOSSARY.HTM#OneTimePad
: > > http://www.io.com/~ritter/GLOSSARY.HTM#ReallyRandom
: >
: > Good info!  I have a clueless newbie question about something that
: > I found while reading the above:
: >| "Nor does even a theoretical one time pad imply unconditional security:
: >| Consider A sending the same message to B and C, using, of course, two
: >| different pads. Now, suppose the Opponents can acquire plaintext from
: >| B and intercept the ciphertext to C. If the system is using the usual
: >| additive combiner, the Opponents can reconstruct the pad between A
: >| and C. Now they can send C any message they want, and encipher it
: >| under the correct pad. And C will never question such a message,
: >| since everyone knows that a one time pad provides "absolute" security
: >| as long as the pad is kept secure. Note that both A and C have done
: >| this, and they are the only ones who had that pad."
:
: >It seems that the attacker needs to also have to know that A sent
: >the same message to B and C.  Knowing B's plaintext and knowing
: >that B and C got the same message resolves to knowing C's plaintext.
: >I see no way that a man in the middle attacker can know whether or
: >not A sent the same message to B and C.
:
: The attacker can't know that for sure. But such an active attack is
: still possible: it is at least _possible_ that, if two messages of the
: same length are involved, this has happened. If this is done, either
: the false message is inserted, or C will simply receive undecodable
: nonsense. (The idea is that the _chance_ of both messages being the
: same is MUCH greater than the chance of a particular message guessed
: at random.)
[...]
: While not disproving the security properties the OTP does have, it
: shows that there is still a possibility of attack that can very easily
: be overlooked - and has been overlooked, as I haven't seen this
: mentioned anywhere else - *an OTP does not provide perfect
: authentication of any message sent to more than one recipient*.

In practice, though, who would use a "pure OTP" without
further strengthening? (Even if the OTP is theoretically
"unbreakable", it seems appropriate to say that any
OTP *implementation* can, in practice, be relatively
strong or weak.)

(I notice that
http://www.io.com/~ritter/GLOSSARY.HTM#MessageKey
explains how the use of message keys can thwart
exactly the type of scenario envisioned above.)

--
r.e.s.
[EMAIL PROTECTED]







------------------------------

From: Kyle Hayes <[EMAIL PROTECTED]>
Subject: Re: newbie question
Date: Thu, 02 Dec 1999 15:38:00 -0800

John Savard wrote:

> Kyle Hayes <[EMAIL PROTECTED]> wrote, in part:
>
> >but I can't figure out how to use the Crypto API to
> >get the actual binary string of the key (it is a session key).
>
> It is *intended* that you cannot access that, since the Crypto API is
> intended to _prevent_ interoperable use of any cryptographic software
> that isn't signed by Microsoft.
>
> This ensures that non-US customers cannot make use of encryption
> software with a key size over 40 bits in connection with exportable
> software that allows, through the Crypto API, the use of encryption
> _within the terms of the U.S. export laws_.
>
> John Savard (jsavard<at>ecn<dot>ab<dot>ca)
> http://www.ecn.ab.ca/~jsavard/crypto.htm

Sigh.  That is what I was afraid of.  I had thought of the first part at
least.  Doing this ties you into the MS Crypto API and prevents you from
actually using it elsewhere.

It does appear that I should be able to create a pair of public/private
keys and export the session key using the private (or public) on to
encrypt the key itself.  Then, I think I might be able to decrypt it
using the opposite key.  This would actually be within the same
routine.  Ugh.  Of course, I still do not know what I would be getting
at the end.  MS seems to be storing lots of other stuff under the key
handles in the form of various structures etc.

Oh well.  I'll at least try this method...

Best,
Kyle




------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Thu, 02 Dec 1999 16:31:47 -0700


John Savard wrote, in part:
> 
> [EMAIL PROTECTED] (Guy Macon) wrote, in part:
...
> >It seems that the attacker needs to also have to know that A sent
> >the same message to B and C.  Knowing B's plaintext and knowing
> >that B and C got the same message resolves to knowing C's plaintext.
> >I see no way that a man in the middle attacker can know whether or
> >not A sent the same message to B and C.
> 
> The attacker can't know that for sure. But such an active attack is
> still possible: it is at least _possible_ that, if two messages of the
> same length are involved, this has happened. If this is done, either
> the false message is inserted, or C will simply receive undecodable
> nonsense. (The idea is that the _chance_ of both messages being the
> same is MUCH greater than the chance of a particular message guessed
> at random.)
...
> While not disproving the security properties the OTP does have, it
> shows that there is still a possibility of attack that can very easily
> be overlooked - and has been overlooked, as I haven't seen this
> mentioned anywhere else - *an OTP does not provide perfect
> authentication of any message sent to more than one recipient*.

(Do you actually mean "authentication" here?  I don't think OTP
provides authentication at all - just secrecy).

> 
> John Savard (jsavard<at>ecn<dot>ab<dot>ca)
> http://www.ecn.ab.ca/~jsavard/crypto.htm

I think we're dealing with an ambiguous notion of "security".

The "perfect security" of an ideal OTP claims only that the
ciphertext will provide *no information* about the plaintext
*except its length*.  The attacker has to guess that the length
implies the content, based on other considerations (like things
discovered from or about B).

This is yet another example of the difference between notions
of security about systems, and about ciphers.  The ciphertext is
not leaking any information.  The actual attack is: if we somehow
know the plaintext of an OTP message, we can undetectably (*)
substitute different plaintext.  This is true regardless of how
we learn the original plaintext - whether because we suspect
it is the same as another message, or in any other way.

In fact we can be much more general.  The relevant property of OTP
here is that the ciphertext is the bitwise XOR of the plaintext and
some key bits.  So the same attacks apply to many other ciphers (such
as RC4 or DES in OFB mode).

Also, we don't have to know the whole message - we just have to
know where the bits we want to change are, and have a good idea
of what changes would be helpful to our side.

(*) The changes are undetectable presupposing there are not other
mechanisms in place to prevent it, like a cryptographic MAC.
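
The substitution Myre describes, carried out in Python as an added example (it is not code from any post in this digest). The attacker rewrites the amount in a XOR-combined ciphertext knowing only the bytes being changed and their offset, under a true one-time pad and under a stream cipher alike, and an HMAC over the ciphertext then rejects the result. The keystream function is an assumed SHA-256 counter-mode stand-in for RC4 or DES-OFB; the sample message, the offset and the forge/mac function names are all constructed here for the illustration.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The additive combiner: the OTP, RC4 and DES-OFB all produce
    ciphertext = plaintext XOR keystream, which is what the attack relies on."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, length: int) -> bytes:
    """Assumed stand-in for a stream cipher such as RC4: SHA-256 in counter
    mode. The cipher does not matter to the attack, only the XOR combiner."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def forge(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Rewrite the plaintext bytes at `offset` from `known` to `wanted` without
    the key: (p XOR k) XOR (p XOR p') = p' XOR k. Only the bytes being changed
    have to be known; the rest of the message stays unknown to the attacker."""
    if len(known) != len(wanted):
        raise ValueError("substitution must preserve length")
    if offset < 0 or offset + len(known) > len(ciphertext):
        raise ValueError("fragment runs outside the ciphertext")
    delta = xor_bytes(known, wanted)
    patched = xor_bytes(ciphertext[offset:offset + len(delta)], delta)
    return ciphertext[:offset] + patched + ciphertext[offset + len(delta):]


def mac(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the ciphertext, under a key separate
    from the pad. HMAC is computationally, not unconditionally, secure."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def mac_ok(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(mac_key, ciphertext), tag)


def demo() -> dict:
    """A sends 'TRANSFER 0100 ...' to C. The attacker knows only that bytes
    9..12 hold the amount and rewrites it to 9100 under both ciphers."""
    message = b"TRANSFER 0100 TO ACCT 4242"          # constructed sample
    offset, known, wanted = 9, b"0100", b"9100"

    pad = os.urandom(len(message))                   # genuine one-time pad
    ct_otp = xor_bytes(message, pad)
    forged_otp = forge(ct_otp, offset, known, wanted)

    key = os.urandom(16)                             # short key, stream cipher
    ks = keystream(key, len(message))
    forged_stream = forge(xor_bytes(message, ks), offset, known, wanted)

    mac_key = os.urandom(32)                         # independent of the pad
    tag = mac(mac_key, ct_otp)                       # what A should also send
    return {
        "otp_plaintext_seen_by_c": xor_bytes(forged_otp, pad),
        "stream_plaintext_seen_by_c": xor_bytes(forged_stream, ks),
        "mac_accepts_original": mac_ok(mac_key, ct_otp, tag),
        "mac_accepts_forgery": mac_ok(mac_key, forged_otp, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The MAC key has to be independent of the pad, and HMAC is only computationally secure, so the system with it is no longer unconditional in the sense the OTP is; an authenticator with an unconditional guarantee needs a one-time MAC key of its own.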

------------------------------

From: fungus <[EMAIL PROTECTED]>
Subject: Re: Use of two separate 40 bit encryption schemes
Date: Thu, 02 Dec 1999 23:17:52 +0100

"tony.pattison" wrote:
> 
> as I do not live in the land of the free, I'm not permitted to have
> more than 40 bit DES (I don't know why not, perhaps if we had it,
> we'd start asking for our colonies back ^_^). As this is pitifully
> inadequate, I'm thinking of encrypting the data in my packets (again
> 40 bit encryption) before I send them out over my 40 bit DES
> encrypted lines.
>
> Would I get the equivilant of 80 bit encryption doing this, or would
> it be less (the paket headers are not being encrypted by the first
> encryption)?

No.

An attacker could brute force the DES, looking for IP headers, then
brute force the other system. The total time would be equivalent
to brute forcing two 40 bit schemes - equivalent to a 41 bit scheme,
and nowhere near 80 bits.



-- 
<\___/>
/ O O \
\_____/  FTB.
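
The divide-and-conquer search fungus describes, scaled down to 8-bit keys so it runs in a moment; this is an added example, not code from the post. The toy cipher, the fixed HDR\x00 header standing in for a recognisable IP header, and the printable-ASCII test used to confirm the inner layer are all constructed here. At 40 bits the same code does at most 2 * 2^40 trials rather than 2^80.

```python
import hashlib

KEY_BITS = 8                    # toy key size; the argument is identical at 40 bits
KEYSPACE = 1 << KEY_BITS
HEADER = b"HDR\x00"             # constructed stand-in for the recognisable IP header


def keystream(key: int, length: int) -> bytes:
    """Toy cipher standing in for 40-bit DES: SHA-256(key || counter) as
    keystream. Its only relevant property is a key small enough to exhaust."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(8, "big")
                              + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def crypt(key: int, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR."""
    return bytes(x ^ y for x, y in zip(data, keystream(key, len(data))))


def send(inner_key: int, link_key: int, payload: bytes) -> bytes:
    """Layer 1: the application encrypts the payload (inner_key).
    Layer 2: the link encrypts header + inner ciphertext (link_key)."""
    return crypt(link_key, HEADER + crypt(inner_key, payload))


def looks_like_text(data: bytes) -> bool:
    """Plausibility test for the inner plaintext (constructed for the demo)."""
    return len(data) > 0 and all(32 <= c < 127 for c in data)


def attack(packet: bytes):
    """Peel one layer at a time. Returns (link_key, inner_key, payload, trials)
    or None. Worst case is KEYSPACE + KEYSPACE trials, not KEYSPACE ** 2."""
    trials = 0
    for link_key in range(KEYSPACE):
        trials += 1
        candidate = crypt(link_key, packet)
        if candidate.startswith(HEADER):      # the header confirms the link key
            inner_ct = candidate[len(HEADER):]
            break
    else:
        return None
    for inner_key in range(KEYSPACE):
        trials += 1
        payload = crypt(inner_key, inner_ct)
        if looks_like_text(payload):          # plausible plaintext confirms layer 1
            return link_key, inner_key, payload, trials
    return None


if __name__ == "__main__":
    packet = send(inner_key=200, link_key=77, payload=b"meet at the usual place")
    print(attack(packet), "versus a joint search of", KEYSPACE ** 2)
```

Even without a recognisable header the layering buys little: with one known plaintext block, a meet-in-the-middle search tabulates one layer and looks up the other, again about 2^41 work (at 2^40 memory) for two 40-bit layers.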



------------------------------

From: [EMAIL PROTECTED] (Mickey McInnis)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: 2 Dec 1999 23:55:26 GMT
Reply-To: [EMAIL PROTECTED]

In article <826ur2$dqh$[EMAIL PROTECTED]>, "r.e.s." <[EMAIL PROTECTED]> 
writes:
|> "John Savard" <[EMAIL PROTECTED]> wrote ...
|> : [EMAIL PROTECTED] (Guy Macon) wrote, in part:
|> : > [EMAIL PROTECTED] (Tim Tyler) wrote:
|> : > > http://www.io.com/~ritter/GLOSSARY.HTM#OneTimePad
|> : > > http://www.io.com/~ritter/GLOSSARY.HTM#ReallyRandom
|> : >
|> : > Good info!  I have a clueless newbie question about something that
|> : > I found while reading the above:
|> : >| "Nor does even a theoretical one time pad imply unconditional security:
|> : >| Consider A sending the same message to B and C, using, of course, two
|> : >| different pads. Now, suppose the Opponents can acquire plaintext from
|> : >| B and intercept the ciphertext to C. If the system is using the usual
|> : >| additive combiner, the Opponents can reconstruct the pad between A
|> : >| and C. Now they can send C any message they want, and encipher it
|> : >| under the correct pad. And C will never question such a message,
|> : >| since everyone knows that a one time pad provides "absolute" security
|> : >| as long as the pad is kept secure. Note that both A and C have done
|> : >| this, and they are the only ones who had that pad."
|> :
|> : >It seems that the attacker needs to also have to know that A sent
|> : >the same message to B and C.  Knowing B's plaintext and knowing
|> : >that B and C got the same message resolves to knowing C's plaintext.
|> : >I see no way that a man in the middle attacker can know whether or
|> : >not A sent the same message to B and C.
|> :
|> : The attacker can't know that for sure. But such an active attack is
|> : still possible: it is at least _possible_ that, if two messages of the
|> : same length are involved, this has happened. If this is done, either
|> : the false message is inserted, or C will simply receive undecodable
|> : nonsense. (The idea is that the _chance_ of both messages being the
|> : same is MUCH greater than the chance of a particular message guessed
|> : at random.)
|> [...]
|> : While not disproving the security properties the OTP does have, it
|> : shows that there is still a possibility of attack that can very easily
|> : be overlooked - and has been overlooked, as I haven't seen this
|> : mentioned anywhere else - *an OTP does not provide perfect
|> : authentication of any message sent to more than one recipient*.
|>
|> In practice, though, who would use a "pure OTP" without
|> further strengthening? (Even if the OTP is theoretically
|> "unbreakable", it seems appropriate to say that any
|> OTP *implementation* can, in practice, be relatively
|> strong or weak.)
|>
|> (I notice that
|> http://www.io.com/~ritter/GLOSSARY.HTM#MessageKey
|> explains how the use of message keys can thwart
|> exactly the type of scenario envisioned above.)
|>
|> --
|> r.e.s.
|> [EMAIL PROTECTED]
|>

This is a well known and much discussed "weakness" of a one-time-pad.

A properly used OTP "absolutely" prevents the enemy from determining
the cleartext from the cyphertext by cryptographic means.  It doesn't
"absolutely" prevent him from sending a false message that looks
real.

It can also happen if the enemy can somehow "guess" the cleartext, even
if it's only sent to one correspondent.  If the enemy thinks he might
know the text, he could try to substitute text this way and would
send a "proper" message if he guessed right.  If he gets it wrong,
the correspondent would get garbage.

There is another well-known cryptographic "weakness" in OTP and many
other cryptosystems.  Unless you pad the messages, the enemy knows the
length of the message.

I wonder if there's something analogous to an OTP that will provide
the same degree of "absolute" protection from "spoofing" as OTP
does from "breaking".


--
Mickey McInnis - [EMAIL PROTECTED]
--
All opinions expressed are my own opinions, not my company's opinions.
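
One answer to McInnis's closing question, as an added example that is not part of any post above: a polynomial universal-hash MAC keyed with a fresh pair (a, b) taken from the pad for every message gives an authenticator whose forgery probability is bounded regardless of the enemy's computing power, the same kind of guarantee the OTP gives for secrecy. The construction is a Carter-Wegman style one-time MAC; the modulus, the block size, the seal/open_sealed wrapping and the recover_key_from_reuse demonstration are choices made here for the example.

```python
import os

P = (1 << 127) - 1   # prime modulus 2^127 - 1
BLOCK = 15           # 15-byte blocks encode as integers below 2^120 < P
KEY_BYTES = 32       # pad bytes consumed per message by the one-time key (a, b)


def _coefficients(msg: bytes) -> list:
    """Message as field elements; the byte length goes in as the last
    coefficient so messages of different lengths never share a list."""
    coeffs = [int.from_bytes(msg[i:i + BLOCK], "big")
              for i in range(0, len(msg), BLOCK)]
    coeffs.append(len(msg))
    return coeffs


def tag(key: tuple, msg: bytes) -> int:
    """tag = b + c_1*a + c_2*a^2 + ... + c_n*a^n  (mod P).
    With (a, b) uniform and used once, a forger who has seen one (msg, tag)
    pair succeeds with probability at most n/P, whatever his computing power."""
    a, b = key
    t, apow = b, a
    for c in _coefficients(msg):
        t = (t + c * apow) % P
        apow = apow * a % P
    return t


def verify(key: tuple, msg: bytes, t: int) -> bool:
    return tag(key, msg) == t


def key_from_pad(pad: bytes) -> tuple:
    """Carve (a, b) out of the first KEY_BYTES of pad. Reducing 128 random
    bits mod P leaves a bias of about 2^-127, negligible here."""
    a = int.from_bytes(pad[:16], "big") % P
    b = int.from_bytes(pad[16:32], "big") % P
    return a, b


def seal(pad: bytes, msg: bytes) -> tuple:
    """OTP encryption plus one-time authentication of the ciphertext.
    Needs len(msg) + KEY_BYTES bytes of pad; none of it may be reused."""
    if len(pad) < len(msg) + KEY_BYTES:
        raise ValueError("pad too short for message plus MAC key")
    ct = bytes(m ^ k for m, k in zip(msg, pad[KEY_BYTES:]))
    return ct, tag(key_from_pad(pad), ct)


def open_sealed(pad: bytes, ct: bytes, t: int):
    """Returns the plaintext, or None when the tag does not check."""
    if not verify(key_from_pad(pad), ct, t):
        return None
    return bytes(c ^ k for c, k in zip(ct, pad[KEY_BYTES:]))


def recover_key_from_reuse(m1: bytes, t1: int, m2: bytes, t2: int) -> tuple:
    """The 'one-time' caveat. If (a, b) authenticated two messages of equal
    length that differ only in the first block, t1 - t2 = (c1 - c2) * a mod P,
    so the attacker solves for a, then b, and can then tag anything."""
    c1, c2 = _coefficients(m1), _coefficients(m2)
    diffs = [(i, x - y) for i, (x, y) in enumerate(zip(c1, c2)) if x != y]
    if len(c1) != len(c2) or len(diffs) != 1 or diffs[0][0] != 0:
        raise ValueError("demo solves only equal-length messages differing in block 1")
    d = diffs[0][1] % P
    a = (t1 - t2) * pow(d, -1, P) % P
    b = (t1 - tag((a, 0), m1)) % P      # tag with b = 0 is the bare hash h_a(m1)
    return a, b


if __name__ == "__main__":
    pad = os.urandom(64)
    ct, t = seal(pad, b"TRANSFER 0100 TO ACCT 4242")   # constructed sample
    print(open_sealed(pad, ct, t))
```

Each message costs 32 extra bytes of pad, and the reuse routine shows why that cannot be economised: two tags under the same (a, b) on related messages give the key away, after which the enemy forges freely. It is the OTP key-reuse failure transplanted to authentication.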

------------------------------

Date: Thu, 02 Dec 1999 19:13:40 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)

Guy Macon wrote:

> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Anthony Stephen Szopa) wrote:
> >
> >Tom St Denis wrote:
> >
> >> In article <[EMAIL PROTECTED]>,
> >>   "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> >> > Tom St Denis wrote:
> >> > > If I took two exact copies [leave the copying theory behind here] of
> >> > > an atom, and placed them in two exact same environments.  Would they
> >> > > not decay the same way?  If so, that's hardly random at all.
> >> >
> >> > The simple answer is, no, two identically prepared quantum systems,
> >> > constrained as tightly as nature allows, need not evolve along the
> >> > same path.
> >> >
> >>
> >> That's like saying each time you went back in time [the exact same
> >> time] you would observe a different state.  Which means a atom can
> >> never be in one state at any time.  Kinda like an omni-state..
> >>
> >> Tom
> >>
> >> Sent via Deja.com http://www.deja.com/
> >> Before you buy.
> >
> >That's correct.
> >
> >The atom has all possible states until you observe it.
> >
> >Thus it is the act of observing that produces the randomness.
> >
> >And no two observations are exactly the same.
> >
> >So, guess what?
> >
> >You have just discovered true randomness.
> >
>
> This raises an interesting question about human psychology.
> For some reason, various people have a deep need to not
> believe in randomness or unbreakable codes.  The more rational
> among us are content with pointing out the practical difficulties
> of using atomic decay or One Time Pads, or the many other ways to
> obtain information but there are others who show the following
> attributes;
>
> [1] They know in their hearts that unbreakable codes and/or
>     randomness cannot possibly exist.
>
> [2] They have never been taught critical thinking skills.
>
> I wonder why some of us have this deep need to believe?

Anthropologists have observed that all societies have processes that are based on the
"urge to explain".  These urges are supposed to be the source of religious institutions
and of "natural philosophy".  It's not hard to use the same desire for understanding to
explain why people might resist admitting the inexplicable, unsolvable, or unpredictable
into their world view.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
