Cryptography-Digest Digest #675, Volume #10 Fri, 3 Dec 99 16:13:01 EST
Contents:
Re: Why Aren't Virtual Dice Adequate? ("r.e.s.")
Re: Why Aren't Virtual Dice Adequate? ("r.e.s.")
Re: cookies ("karl malbrain")
Re: Peekboo Ideas? >> Oops, problem ... 3rd ([EMAIL PROTECTED])
Re: Quantum Computers and PGP et al. (Jim Dunnett)
Re: Elliptic Curve Public-Key Cryptography ("Michael Scott")
Question regarding using RSA BSAFE and BCERT (Sridhar Muppidi)
Re: What part of 'You need the key to know' don't you people get? (James Felling)
Re: Peekboo Ideas? >> Oops, problem ... 4rd ([EMAIL PROTECTED])
Re: dictionary (fungus)
Re: Why Aren't Virtual Dice Adequate? (Tim Tyler)
Re: Peekboo Ideas? >> Oops, problem ... 5rd ([EMAIL PROTECTED])
Re: Why Aren't Virtual Dice Adequate? (Tim Tyler)
Re: Elliptic Curve Public-Key Cryptography (DJohn37050)
Re: Why Aren't Virtual Dice Adequate? (Johnny Bravo)
Re: What part of 'You need the key to know' don't you people get? ("Peter K.
Boucher")
Re: Random Noise Encryption Buffs (Look Here) ("Douglas A. Gwyn")
Re: Random Noise Encryption Buffs (Look Here) ("Douglas A. Gwyn")
----------------------------------------------------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Fri, 3 Dec 1999 11:07:27 -0800
"Trevor Jackson, III" <[EMAIL PROTECTED]> wrote ...
: r.e.s. wrote:
: > "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote ...
: > : A simple mechanism is to use a shared secret. Assume that in addition
: > : to the (large) message key repository each pair of correspondents is
: > : given a unique "signature" value. For purposes of illustration this
: > : could be small; 64-256 bits. To send an authenic message one appeads
: > : the "signature" to the message, encoding it with the keypad. On
: > : receipt of a message the decoder unmasks the "signature" region and
: > : compares the result with the secret value. Since the premise of the
: > : "signature" is that only the sender and receiver known the valid
: > : signature value, and because the signature ciphertext is not reused,
: > : the message must have come from one of the two inposession of the
: > : secret "signature" value. This approach does not prevent replay
attacks.
: >
: > In addition to its other functions, doesn't a message key (as defined
: > above) accomplish the same thing as the type of "signature" you
describe?
: > (It is, after all, a kind of "shared secret", being sent along with the
: > enciphered message.)
: >
: > The message key is created by the sender to be random and unique to each
: > transmission, is accessible only to possessors of the primary key, is
: > necessary if the decipherment is not to produce garbage, and strengthens
: > any stream cipher -- including an OTP -- by helping to ensure that keys
: > are really used only once.
:
: What's an "authetic" message key?
A thing is "authentic" if it is what it's claimed to be.
In our context, this means it hasn't been surreptitiously
altered in-transit.
In the scenarios under discussion, a message key is inserted
into the ciphertext in a way that makes it accessible only
to those who know the relevant part of the primary key --
"ciphertext within ciphertext" so to speak.
: The purpose of authenticating a message cannot be addressed by the sender
: synthesizing a value that the receiver cannot calculate.
The receiver *does* calculate it, because some bits of the
primary key -- unknown to the opponent -- serve to do just
that, viz, to extract it from the transmitted ciphertext.
: Thus a message key
: generated by the sender and not already known to the receiver would not
: authenticate a message because the receiver has no way to distinguish
message
: keys selected by the sender from message keys selected by an opponent.
In the scenarios under discussion, an opponent cannot
introduce a message key of his own making because he doesn't
have the key for inserting it into the ciphertext.
--
r.e.s.
[EMAIL PROTECTED]
------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Fri, 3 Dec 1999 10:00:05 -0800
"Guy Macon" <[EMAIL PROTECTED]> wrote ...
: [EMAIL PROTECTED] (r.e.s.) wrote:
:
: >In practice, though, who would use a "pure OTP" without
: >further strengthening? (Even if the OTP is theoretically
: >"unbreakable", it seems appropriate to say that any
: >OTP *implementation* can, in practice, be relatively
: >strong or weak.)
:
: Maybe it's my background as an engineer, but if I was actually
: implementing an OTP (instead of using PGP and just discussing
: OTP as a learning experience), I would go full overkill on the
: randomizer, XORing in everything from the number of microseconds
: between keystrokes to a the digitized output of my local AM
: station, the theory being that if any one of my "random" inputs
: is true random, the OTP will be random. I would then pad my
: plaintext to a standard length and XOR it with the OTP (which will
: probably be on a CD-R). If (given the limitations that have been
: pointed out) an OTP is unbreakable, how can it be strengthened?
By "strengthen" I meant incorporate another stage of encipherment
to produce a cipher (now no longer an OTP) that, in various attack
scenarios, is more secure than an OTP alone. By "OTP alone" I mean
direct transmission of XOR'd bits, granting "true" randomness of
the key. (And "implementation" was intended to include modes of use.)
--
r.e.s.
[EMAIL PROTECTED]
------------------------------
Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: cookies
Date: Fri, 3 Dec 1999 11:19:55 -0800
E-mail <[EMAIL PROTECTED]> wrote in message
news:Pine.LNX.4.04.9912031354230.18807-100000@shell...
>
>
>
> On Fri, 3 Dec 1999, karl malbrain wrote:
>
> >
> > COOKIES go to the very core of the design of the WEB. The web server
was
> > designed as a STATELESS entity which requires that each CLIENT submit
its
> > own STATE with every request/transaction. The COOKIES are a form of
> > DISTRIBUTED DATABASE. Karl M
>
>
> Karl,
>
> Thank you for your reply. Could you tell me how this affects my
> concern? I'm sure it's not your fault, but I don't understand how
> this analysis relates to my privacy concerns. Do they know who I am
> whether or not I accept the cookie? Can they get additional
> information from my hard disk drive if I accept a cookie? You know.
> Informed consent, and all of that.
Refusing COOKIES does not in any way reduce the capabilities of WINSOCK to
transmit anything from your computer anywhere on the net. A `security
breach' can come from ANY program you run as long as you are CONNECTED to
the outside world. Only OFFENSIVE security has any real value. Karl M
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Peekboo Ideas? >> Oops, problem ... 3rd
Date: Fri, 03 Dec 1999 14:19:38 -0500
Oops, problem ... 3rd
The Peekboo is using clipboard extensively & automatically than what is the
purpose of the type in area ?
Automatically this big allocated area is absolite :
-when it is use for email >> we have already place to create text, the email
agent,
-or just any text editor can be used to create text to be encrypted,
On the other hand, the place to keep shared keys is very small [ 3 shares only
].
--
Thanks, Richard
===================================
Tom St Denis wrote:
>
> [EMAIL PROTECTED] wrote:
------------------------------
From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim Dunnett)
Crossposted-To: talk.politics.crypto,talk.politics.misc
Subject: Re: Quantum Computers and PGP et al.
Date: Fri, 03 Dec 1999 19:46:24 GMT
Reply-To: Jim Dunnett
On Thu, 02 Dec 1999 20:44:53 GMT, [EMAIL PROTECTED] (Johnny Bravo) wrote:
>On Thu, 02 Dec 1999 18:35:10 GMT, amadeus @DELETE_THIS.netcomuk.co.uk
>(Jim Dunnett) wrote:
>
>>>In any event, there's no public key crypto system in existence
>>>today that will be useful when quantum computers work.
>>>
>>Not even OTP?
>
> A OTP is not a public key cryptosystem.
Quite so. My apologies.
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: Fri, 3 Dec 1999 19:46:30 -0000
DJohn37050 <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> The paper is "ECC for Smart Cards" and was published in May 1998,
>1.5 years ago. It compared RSA's BSAFE 3.0 with Certicom's
>Security Builder 1.2. Both of these products have since been enhanced.
>KG, SG and DH were all very much faster on SB. SV was 9.9 ms for
>EC Nyberg-Rueppel with Appendix and 10.7 for ECDSA while for
>BSAFE it was 12.7.
Well MIRACL manages an RSA verification (17 bit exponent) in 1.72 ms on a
233MHz Pentium II, so it would appear that BSAFE 3.0 was rather inefficient
on the UltraSparc. My own experience with BSAFE 3.0 on a PC was that it was
actually quite good. Are there timings available for the latest version of
Security Builder 1.2 for ECC verification?
Mike Scott
=====================
MIRACL multiprecision C/C++ library for big number cryptography
http://indigo.ie/~mscott
ftp://ftp.compapp.dcu.ie/pub/crypto/miracl.zip
>As I said these timings are from 1.5 years
> ago. As they say, your mileage may vary.
>
> But it is true that Certicom worked in finite field arithmetic processors
> before ECC was invented and then went into ECC in a big way, so it is
certainly
> plausible that Certicom has a fast implementation of ECC, they have been
> looking at it for a long time.
> Don Johnson
------------------------------
From: Sridhar Muppidi <[EMAIL PROTECTED]>
Crossposted-To:
comp.security.misc,comp.security.unix,comp.unix.misc,alt.security,alt.2600
Subject: Question regarding using RSA BSAFE and BCERT
Date: Fri, 03 Dec 1999 13:39:07 -0600
Hello,
I was not sure what is the right newsgroup so pardon my multiple
postings.
I am having a problem linking both the BSAFE 4.1 and BCERT 1.02
libraries together at the same time on AIX 4.3.2. My program
complies and links fine but based on the order of the libraries
linked, I get either a segmentation error or incorrect BER encoding
error.
I also happen to have a copy of BSAFE 4.2 for WinNT and there is
no problem linking that version with BCERT 1.02. on WinNT.
Is this a known problem on AIX or BSAFE 4.1? If not, is there
something specific I need to do to link both the libraries together?
Thank you for your help.
Regards,
-Sridhar
([EMAIL PROTECTED])
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Fri, 03 Dec 1999 13:48:43 -0600
Tim Tyler wrote:
> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
> : Douglas A. Gwyn wrote:
> :> Brian Chase wrote:
>
> :> > I think what I'm finding most disturbing, if not just outright disgusting,
> :> > is how quickly disregarded are Scott's challenges to the conventions of
> :> > the cryptology community. Sure he's an asshole, but as a community is it
> :> > not true that we don't conclusively know how secure the contemporary
> :> > algorithms are?
> :>
> :> Neither does D.Scott! The main problem with his arguments is that
> :> he asserts weaknesses in everybody's encryption schemes except his,
> :> but doesn't *demonstrate* the weaknesses. When he claims, for
> :> example, that CBC itself creates exploitable weaknesses, yet there
> :> happen to be solid mathematical papers demonstrating that CBC used
> :> with a *strong* block cipher is not substantially weaker than the
> :> block cipher by itself, it is incumbent on *him* to prove his claim,
> :> or at least to exhibit an error in the previous work that proved the
> :> opposite. That's not only standard professional practice, it's
> :> plain common sense. Since he doesn't make a convincing case,
> :> preferring to curse and challenge the integrity of anyone who
> :> disagrees with him, it is not surprising that he is being almost
> :> entirely ignored by the professional community.
>
> : No. You have egregiously misstated his position. AFAIK his position is
> : that CBC does not meaninfully strengthen a block cipher in comparison with
> : methods that diffuse information more widely tha[n] neighboring blocks.
>
> Indeed. This is my perception of his position also.
>
> While he's stated that he views the common chaining modes as weak, he's
> *never* - to my knowledge - stated that they weaken the underlying block
> cypher.
>
> Rather - as I understand it - his position is that they needlessly
> expose the block cypher to direct attack, by a failure to distribute
> information needed to decrypt the message over as wide as possible
> an area.
>
>
> Obviously, such a failure to diffuse allows any attacks based on known
> partial plaintexts to function. Or any attacks based on choosing
> partial plaintexts for that matter.
>
> A proper use of diffusion would require *full* plaintexts, or *full*
> chosen texts to be used before any such attack could succeed.
>
> As everyone knows, a partial plaintext is more common than a full one.
>
> This is likely to weaken the cypher /even/ if the only attack known on
> the cypher is the use of brute-force.
I am of the opinion that this does not weaken the cypher. The point that Mr. Scott
makes that in CFB and CBC given the key, the IV will only hide 1 block GIVEN
KNOWLEDGE OF THE KEY. SO the IV adds no direct security vs. decryption for later
blocks. It does not WEAKEN the cypher however -- an n-bit key is still as resistant
as it was before., it merey is not as strong as other potential feedback methods.
Thus CBC and CFB are not substantially better than ECB given that your KEY HAS BEEN
COMPRIMISED.
An IV doesn't add to your resistance to a break vs. certian attacks, This still
means that your algorithim is as strong as it always was -- just that there is
little in the way of added security fron a "secret" IV.
An all or nothing method is more secure vs. these forms of attack.However, the
three letter methods do not weaken the underlying code, they merely fail to
strengthen it.
>
> --
> __________
> |im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
>
> $$$$$$$$$$$$$$$$$ Money lies at the root of all wealth $$$$$$$$$$$$$$$$$$
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Peekboo Ideas? >> Oops, problem ... 4rd
Date: Fri, 03 Dec 1999 14:52:39 -0500
Oops, problem ... 4th
The Peekboo big box for text in and the decrypt button are giving valid
impression that DECRYPT button will work on the text in this box.
In reality the decrypt button works on the contents of clipboard instead !!! >>
hitting decrypt button will decrypt content of clipboard. The worst part of
this, you will lose all what you did input in the Peekboo big box for text in at
the time you hit decrypt button >> your input will be overwritten AUTOMATICALLY
by Peekboo >> oops !!!
--
Thanks, Richard
===================================
Tom St Denis wrote:
>
> [EMAIL PROTECTED] wrote:
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: dictionary
Date: Fri, 03 Dec 1999 12:14:17 +0100
Olaf Dokter wrote:
>
> hello !
>
> i am searching dictionaries to download, because i want to write a programm
> which generates my own statistics about letter-frequencies and so. the
> preffered languages are german and english
>
Do a web search for "ispell" - the free spell checker.
Bear in mind that a dictionary won't reflect letter frequencies,
some words occur more than others in written text. Different
types of document (eg. legal, technical, magazine article) will
also haev different distributions. For real letter frequencies
you need to analyse documents which are similar to your target.
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
Crossposted-To: sci.math
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Why Aren't Virtual Dice Adequate?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 3 Dec 1999 20:02:59 GMT
In sci.crypt Johnny Bravo <[EMAIL PROTECTED]> wrote:
: On Fri, 3 Dec 1999 15:17:47 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote:
:>What if the coins are all heads-biased (quite likely with real coins),
:>and the dice are all 1-biased (quite possible if the spots are
:>drilled indentations)?
: One should assume this type of bias from such a mechanical process,
: but it is simple to remove the bias from them. For example, you are
: using a coin that comes up heads 90% of the time and tails the other
: 10%. Pair your tosses, throw out any pair that matches. This will
: remove the bias from your results.
This process will remove a certain type of bias. It will (for
example) eliminate problems caused by a coin falling on one side
slightly more than the other. However, it is not a magic proceedure
for removing /all/ types of deviations from randomness.
Other types of deviation from random behaviour are quite possible:
Say your mechanical device does not toss your coin very far from the
ground - and that as a consequence, it has a slightly higher probability
of coming down on the side that was facing up from the last throw.
In such a case, this would tend to produce strings of 1s - and
strings of 0s - if the bias-reduction technique you mentioned
was applied.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Darkness fell on the face of the sheep.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Peekboo Ideas? >> Oops, problem ... 5rd
Date: Fri, 03 Dec 1999 15:16:06 -0500
Oops, problem ... 5th
The Peekboo is a windows application [ win95 ]. In windows users are expecting
that Ctrl + A, C, C, V are working [ all are working OR all are not working ].
This is not the case in Peekboo, some Ctrl + key works some not, oops !!!
Any consistency on this subject ?
--
Thanks, Richard
===================================
Tom St Denis wrote:
>
> [EMAIL PROTECTED] wrote:
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Why Aren't Virtual Dice Adequate?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 3 Dec 1999 20:09:33 GMT
In sci.crypt Guy Macon <[EMAIL PROTECTED]> wrote:
[OTPs]
: Stopping a message or storing it and sending it later are still
: possibilities for the man in the middle.
With an OTP, it is conventional to imagine a pad, the top page of which is
used and then destroyed with each received/transmitted message.
If the man in the middle delays any messages to the point where they
arrive out of order, the recipient is likely to be able to detect that
this is occurring.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Beware of programmers bearing GIFs.
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 03 Dec 1999 20:35:47 GMT
I do not know of any other public timings other than the one I gave.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Fri, 03 Dec 1999 15:48:39 GMT
On Fri, 3 Dec 1999 20:02:59 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote:
>In sci.crypt Johnny Bravo <[EMAIL PROTECTED]> wrote:
>: On Fri, 3 Dec 1999 15:17:47 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote:
>
>:>What if the coins are all heads-biased (quite likely with real coins),
>:>and the dice are all 1-biased (quite possible if the spots are
>:>drilled indentations)?
>This process will remove a certain type of bias. It will (for
>example) eliminate problems caused by a coin falling on one side
>slightly more than the other. However, it is not a magic proceedure
>for removing /all/ types of deviations from randomness.
I never claimed it would remove all types, I was just responding to
your example of a "heads biased" coin.
>Other types of deviation from random behaviour are quite possible:
As are other methods for eliminating various types of bias. You can
get x unbiased bits from y flips if you distill them enough, but if
your source has enough bias (say a coin that always came up heads), x
may indeed end up as 0 for any amount of flips. In such a case you
need to find a different source.
Best Wishes,
Johnny Bravo
------------------------------
Date: Fri, 03 Dec 1999 13:57:43 -0700
From: "Peter K. Boucher" <[EMAIL PROTECTED]>
Subject: Re: What part of 'You need the key to know' don't you people get?
wtshaw wrote:
[snip]
> What if is an important strategy to test your position. Science requires
> routine reevaluation of positions, not being prejudiced that any taken are
> always to be correct; this works on old ideas as well as new.
Actually, science doesn't reject old ideas unless there is convincing
evidence that the old ideas are wrong.
> > If you want
> > people to consider your claims, you need evidence that your claim is
> > valid.
>
> Yes, but many in science hold a few hypotheses most dearly, but have no
> positive or final proof that they are true; cryptography is full of such
> things.
You are right that science can accept hypotheses without absolute
proof. However, scince does not accept a hypothesis unless a) there
*is* good reason to believe it, and b) there *is not* good reason to
reject it. You are hinting that people should belive Scott's claims
without applying both tests.
> > Really? I claim you are a murderer. Given that the other people on
> > this group don't personally know either of us (and have no idea if I
> > know you personally or not), there is a reason to believe that it
> > might be true. So now you should prove to the group that you are NOT
> > a murderer.
>
> I will treat you as an unimformed and ignorant youth who has not respect
> for the words you speak, else, you can be prosecuted, and/or sued All
> that I can do is yeild that blanket statements concerning your status by
> David may be in fact correct. Your position has eroded at your own hand,
> while David has stated things that might be true, you stated something
> that is patently false, and place an egregiously burden on yourself.
Both Johnny and David have made unsupported claims, as far as I can
see. Johnny's claim is only "patently false" to someone who actually
knows you.
> > There is no requirement that we should accept spurious claims
> > without evidence. Logic suggests otherwise.
>
> Claims can be made that are true without evidence, happens every day.
> Claims can be made that are false, happens every day. When claims
> contradict each other, then they can be compared. Whe people voice
> conflicting claims and refuse to back up respective positions, that puts
> both positions in doubt.
A claim that is made without any supporting evidence may, indeed, be
true, but you have no good reason to assume that it's true. You are
right that two contratictory claims that are both unsupported should
both be doubted. It's also possible that both are false. Many times
people try to support their claims by creating a "false dilemma" where
they propose some alternative theory, knock it down, and then assert
that their own theory must be correct.
> Personally, no. I will go out of my way looking for whatever evidence
> will apply, to support or to undermine my stated position. I am not
> beyond having crow for lunch occasionally.
Readers interested in applying the scientific method to weird claims
should have a gander at _How to Think About Weird Things : Critical
Thinking for a New Age_ by Theodore Schick, Lewis Vaughn (Contributor)
"http://www.amazon.com/exec/obidos/ASIN/0767400135/qid%3D944254585/102-7834435-8684030".
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Fri, 03 Dec 1999 20:59:48 GMT
Tim Tyler wrote:
> Many-worlds interpretations of QP are can be completely
> deterministic, and show no need for randomness.
How do you think the branching into different worlds is determined?
If it is not equivalent to conventional QM randomness, it will not
agree with the experimental evidence.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Fri, 03 Dec 1999 21:00:29 GMT
Tim Tyler wrote:
> Until such a scheme is demonstrated, "true atomic randomness" is
> of the same utility to a cryptographer as a "perfectly straight line"
> is to a student of geometry.
You must not be much of a geometer.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
