Cryptography-Digest Digest #694, Volume #10       Mon, 6 Dec 99 18:13:01 EST

Contents:
  Re: Noise Encryption (Volker Hetzer)
  Re: cookies ("karl malbrain")
  Re: Quantum Computers and Weather Forecasting (Joseph Bartlo)
  Re: Encrypting numbers? (David Wadsworth)
  Cell Phone Crypto Penetrated >> 6.Dec.1999 >> Biryukov & Shamir describe ([EMAIL PROTECTED])
  Re: smartcard idea? (Shawn Willden)
  Re: Some feedback from the USA --- my story is real .. (Shawn Willden)
  If you're in Australia, the government has the ability to modify your ([EMAIL PROTECTED])
  Re: Distribution of intelligence in the crypto field ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Noise Encryption
Date: Mon, 06 Dec 1999 15:21:33 +0000

Mattias Wecksten wrote:

> I think this is the center of all disagreements. What if you use a non
> algorithmic random generator. There is still not true randomness, but still
> there is no way of "guessing" the data.
What is a non-algorithmic RNG that is not a true RNG?

Greetings!
Volker
-- 
Hi! I'm a signature virus! Copy me into your signature file to help me
spread!

------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: cookies
Date: Mon, 6 Dec 1999 13:22:51 -0800


Brian Chase <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
(...)
> I think your points are valid about us not entirely knowing what
> weaknesses may exist within a browser or in the supporting OS files.  But you
> have to draw the line somewhere as to how paranoid you want to be.  I'm
> fairly comfortable with just disabling the obvious bits which allow remote
> sites to execute code on my systems. Yeah, this doesn't preclude someone
> from exploiting some bug which may or may not exist inherent to the OS...
> well hell actually it'd almost have to be a backdoor deliberately put in
> place and not a bug.

PARANOIA is an AMATEUR's response to someone else's security problem.  It's
a REACTION.  What is it that you think that remote sites are going to obtain
from you, anyway???  Maybe you're afraid that your BROWSER wrote your credit
card and name onto the hard drive somewhere, making it available as
`evidence' for the newest generation of NO-KNOCK search and seizure
protocols being installed by the FBI.  The UNIFORM COMMERCIAL CODE already
protects you from being held accountable for items or services that you
don't receive.  Again, your sense of SECURITY is entirely misplaced.

> Even if you're worried about this, it's still possible to put in a filtering
> host between yourself and the rest of the world.  If you're worried about
> someone exploiting a backdoor, just block all unexpected traffic to and
> from your host.  And then monitor the allowed traffic for anomalies.

No, the point is that the WINDOWS platform, with its free-wheeling software
generation and installation, is by nature not secure.  It's not a BACK door,
but a wide open FRONT door.  I must have dozens of `shareware' or `freeware'
packages installed on my NT 4.0 machine.  I know next to nothing about any
of it.

> If you're really so paranoid about security that even those precautions
> aren't enough, then you probably shouldn't be using the Internet :-)

And that's the point of OFFENSIVE SECURITY.  I only utilize NUMBERS that are
INDEMNIFIED.  Karl M



------------------------------

From: Joseph Bartlo <[EMAIL PROTECTED]>
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Mon, 06 Dec 1999 16:23:23 -0500

Richard Herring wrote:

> There appeared to be some implicit bragging about your punctuation :-)
> But I think you meant at, not @.

Actually I meant @, similarly I quasi-comically imitated John's use of
<at> for @ in his e-mail address.

Here is how I use @ & at (not stating this is grammatically correct, only
logical for me) :

  A shower occurred @ 4 PM at Tannersville.

"at" referring to a specific *place*, @ referring to another type of
reference, such as a time; which you cannot be "at".  Thus :

I won't interfere with your attempt @ minimizing your accomplishments...

Perhaps "attempt of minimizing" is best ?

Joseph

------------------------------

From: David Wadsworth <[EMAIL PROTECTED]>
Subject: Re: Encrypting numbers?
Date: Mon, 6 Dec 1999 21:25:46 +0000

In article <[EMAIL PROTECTED]>, Michael Groh
<[EMAIL PROTECTED]> writes
>I have a question that may seem rather obvious to some people, but I 
>haven't found a simple answer yet. While reading Singh's book ("The Code 
>Book") I noticed that none of the simpler encryption techniques 
>specifically address encrypting numeric values. Consider something as 
>simple as "$14.37". How can that value be encrypted using a Vigenere or 
>substitution cipher? Even the Enigma machine doesn't include a numeric 
>row on its keyboard. How did the German military transmit numeric values 
>(presumably including + and - signs, decimal points, etc.) using the 
>Enigma machine?
>
>TIA for an enlightenment!
>
>- Mike

With the ENIGMA they spelled the number out, e.g. the German equivalent
of FOURTEENDOLLARSANDTHIRTYSEVENCENTS. This had the advantage of adding
redundancy so that an error in one character could be caught and
corrected, particularly useful when they were giving positions, but the
disadvantage that the code breakers were given a much larger amount of
plain text which could be guessed.

Cheers   
-- 
David Wadsworth         | Tonto.... I've got a feeling we're not in Kansas
[EMAIL PROTECTED] | anymore        .....The Lone Ranger of Oz
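As an added example (not from David's post or any historical source), here is a toy model of the trade-off he describes: a number is spelled out and enciphered with the Vigenère cipher the question mentions (a constructed key "ENIGMA" standing in for the machine), one ciphertext letter is garbled in transit, and the spelled-out form can be corrected from its redundancy while a bare-digit encoding silently decodes to the wrong number; key_from_crib shows the flip side, that a guessed spelled-out number hands the codebreaker the key letters under it. All names, keys and messages are constructed.

```python
import string

ALPHA = string.ascii_uppercase
KEY = "ENIGMA"  # constructed key for the toy cipher, not a historical setting
WORDS = {0: "ZERO", 1: "ONE", 2: "TWO", 3: "THREE", 4: "FOUR", 5: "FIVE", 6: "SIX",
         7: "SEVEN", 8: "EIGHT", 9: "NINE", 10: "TEN", 11: "ELEVEN", 12: "TWELVE",
         13: "THIRTEEN", 14: "FOURTEEN", 15: "FIFTEEN", 16: "SIXTEEN", 17: "SEVENTEEN",
         18: "EIGHTEEN", 19: "NINETEEN", 20: "TWENTY", 30: "THIRTY", 40: "FORTY",
         50: "FIFTY", 60: "SIXTY", 70: "SEVENTY", 80: "EIGHTY", 90: "NINETY"}

def spell(n):
    """Spell 0..99 in letters only, the way a number would be keyed into a letters-only machine."""
    if n in WORDS:
        return WORDS[n]
    tens, ones = divmod(n, 10)
    return WORDS[tens * 10] + WORDS[ones]

def vigenere(text, key, decrypt=False):
    """Classic Vigenere over A-Z with a repeating key; stands in for Enigma here."""
    out = []
    for i, ch in enumerate(text):
        shift = ALPHA.index(key[i % len(key)]) * (-1 if decrypt else 1)
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26])
    return "".join(out)

def garble(cipher, pos):
    """Simulate one reception error: the letter at pos is misheard as the next letter."""
    return cipher[:pos] + ALPHA[(ALPHA.index(cipher[pos]) + 1) % 26] + cipher[pos + 1:]

def correct_spelled_number(received):
    """Redundancy at work: accept only if exactly one spelled number lies within
    Hamming distance 1 of the received word; otherwise (None) ask for a repeat."""
    hits = [n for n in range(100) if len(spell(n)) == len(received)
            and sum(a != b for a, b in zip(spell(n), received)) <= 1]
    return hits[0] if len(hits) == 1 else None

def transmit_spelled(n, error_pos):
    """Spell, encrypt, garble one ciphertext letter, decrypt, then try to correct."""
    received = vigenere(garble(vigenere(spell(n), KEY), error_pos), KEY, decrypt=True)
    return received, correct_spelled_number(received)

def transmit_digits(n, error_pos):
    """The alternative the questioner imagines: digit d sent as letter A+d.
    The same single error now yields a different but perfectly plausible number."""
    letters = "".join(ALPHA[int(d)] for d in str(n))
    received = vigenere(garble(vigenere(letters, KEY), error_pos), KEY, decrypt=True)
    return "".join(str(ALPHA.index(c)) for c in received)

def key_from_crib(cipher, crib):
    """The cost of redundancy: a codebreaker who guesses that a spelled-out number
    sits at this position (a crib) reads the key letters straight off the ciphertext."""
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26] for c, p in zip(cipher, crib))

if __name__ == "__main__":
    print(transmit_spelled(14, 2))   # ('FOVRTEEN', 14): one error, corrected
    print(transmit_digits(14, 0))    # '24': one error, silently wrong
    print(key_from_crib(vigenere(spell(14), KEY), spell(14)))  # 'ENIGMAEN'
```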

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.privacy
Subject: Cell Phone Crypto Penetrated >> 6.Dec.1999 >> Biryukov & Shamir describe 
Date: Mon, 06 Dec 1999 16:32:21 -0500

Cell Phone Crypto Penetrated by Declan McCullagh 

10:55 a.m. 6.Dec.1999 PST 
Israeli researchers have discovered design flaws that allow the descrambling of
supposedly private conversations carried by hundreds of millions of wireless
phones. 

Alex Biryukov and Adi Shamir describe in a paper to be published this week how a
PC with 128 MB RAM and large hard drives can penetrate the security of a phone
call or data transmission in less than one second. 

The flawed algorithm appears in digital GSM phones made by companies such as
Motorola, Ericsson, and Siemens, and used by well over 100 million customers in
Europe and the United States. Recent estimates say there are over 230 million
users worldwide who account for 65 percent of the digital wireless market. 

Although the paper describes how the GSM scrambling algorithm can be deciphered
if a call is intercepted, plucking a transmission from the air is not yet
practical for individuals to do. 

James Moran, the fraud and security director of the GSM Association in Dublin,
says that "nowhere in the world has it been demonstrated -- an ability to
intercept a call on the GSM network. That's a fact.... To our knowledge there's
no hardware capable of intercepting." 

The GSM Association, an industry group, touts the standards as "designed to
conform to the most stringent standards of security possible from the outset
[and] unchallenged as the world's most secure public digital wireless system." 

Not any more. 

Shamir says the paper he co-authored with a Weizmann Institute of Science
colleague in Rehovot, Israel, describes a successful attack on the A5/1
algorithm, which is used for GSM voice and data confidentiality. It builds on
the results of previous attempts to attack the cipher. 

"It's quite a complex idea, in which we fight on many fronts to accumulate
several small improvements which together make a big difference, so the paper is
not easy to read or write," Shamir, a co-inventor of the RSA public key crypto
system in 1977, said in an email to Wired News. 

A group of Silicon Valley cypherpunks has organized previous efforts to
highlight what they view as the poor security of GSM encryption standards. 

In April 1998 they reported that it was possible to clone a GSM phone, which the
US Cellular Telecommunications Industry Association dismissed as more
theoretical than practical. The North American GSM Alliance similarly dismissed
cloning as a serious threat in a statement. 

Earlier this year, the group, which includes Marc Briceno, Ian Goldberg, and
David Wagner, described how to penetrate the less-secure GSM A5/2 algorithm used
in some Pacific rim countries in less than a second. In May 1999 they released
the source code to A5/1, which the Weizmann Institute computer scientists used
in their analysis of the cipher. 

"Because of Biryukov and Shamir's real-time attack against A5/1 and our group's
15 millisecond attack against A5/2, all the GSM voice privacy ciphers used
worldwide can be broken by an attacker with just a single PC and some radio
hardware," Briceno said. 

"Since the voice privacy encryption is performed by the handset, only replacing
the handset would address the flaws found in the recent attacks," he said. 

The GSM Alliance's Moran said he needed time to review the paper, which has not
yet been released. But he said it would be a topic of a discussion at the next
GSM security working group meeting on 16 December. 

Previously the GSM encryption algorithms have come under fire for being
developed in secret away from public scrutiny -- which most experts say is the
only way to ensure high security. 

Moran said "it wasn't the attitude at the time to publish algorithms" when the
A5 ciphers were developed in 1989, but current ones being created will be
published for peer review. 

-- 
Thanks, Richard


------------------------------

Date: Sun, 05 Dec 1999 00:53:38 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: smartcard idea?

Lyal Collins wrote:

> Batteries may not be a problem.
> Some of the new polymer batteries (I think it's polymer) are used to form a
> battery from the plastic carrier of the Smartcard.
> Several audio smartcards are now on the market as a result - Elva, and
> Telysys being 2.

This sounds like a technology with marvelous possibilities.  Can you point me to
more information?

Shawn.




------------------------------

Date: Sun, 05 Dec 1999 00:59:47 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: Some feedback from the USA --- my story is real ..

"Markku J. Saarelainen" wrote:

> I have experienced such violations of human rights in the United States
> of America that I could not have imagined earlier. Quite frankly, I had
> a very positive perception (on a scale of 1-10 - about 9) of this
> country prior to coming to this country. However, due to experiences over
> the period of many years (that I have described in my many postings), my
> perceptions have changed - unfortunately - to 3.  If I had known
> what types of violations, such as privacy abuses, I would have to go through, I
> would have never come to this country. And quite frankly I am just one
> ordinary man. So this tells something about the United States of America
> and I hope that some other people can learn from these experiences.

[...]

Excuse ME, but you don't seem TO have FULLY acclimated to American society
yet.  As nearly anyone WELL-steeped in our LITIGIOUS society would know
IMMEDIATELY, what you should do ABOUT all of this is to SUE.

Shawn.




------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.privacy
Subject: If you're in Australia, the government has the ability to modify your 
Date: Mon, 06 Dec 1999 16:56:51 -0500

Orwellian Nightmare Down Under?  by Stewart Taggart 

3:00 a.m. 4.Dec.1999 PST 
SYDNEY, Australia -- Any data seem different on your computer today? 

If you're in Australia, the government has the ability to modify your files. Its
cyber spooks have been given legal power not only to monitor private computers
around the country, but to change the data they contain. 

The new powers are contained in a bill passed by Australia's parliament late
last month (the Australian Security Intelligence Organization Legislation
Amendment 1999). They now await only the largely ceremonial assent of
Australia's governor general before becoming law. 

"These are really untested waters," says Chris Connolly, a vocal Australian
privacy advocate. "I don't think there's any example anywhere else in the world
that's comparable." 

Under the new law, Australia's attorney general can authorize legal hacking into
private computer systems, as well as copying or altering data, as long as he has
reasonable cause to believe it's relevant to a "security matter." 

The keyboard spies will come from the Australian Security Intelligence
Organization (ASIO), Australia's equivalent of the Central Intelligence Agency.
Catherine Fitzpatrick, spokeswoman for Attorney General Daryl Williams, said the
law merely "modernizes" an existing 1979 statute that previously governed ASIO,
and sorely needed updating. 

"This just brings ASIO's powers in line with new technologies," she said. "It
doesn't give them increased powers at all." 

For example, the new law bars sleuths from introducing viruses or interfering
with data used for lawful purposes on targeted computers, she said. In addition,
the bill limits the power to alter data on a computer to concealing
surveillance, she said. 

While all this is true, the bill also specifically authorizes -- among other
things -- anything that's "reasonably incidental." And it's broad wording like
this -- as well as the weak oversight of the nation's cyber spies -- that have
opponents aghast. "I hate to use the word 'Orwellian,' but I can't think of
anything better to describe this," said Greg Taylor, vice chairman of Electronic
Frontiers Australia. 

"This is another step down the path of legalized surveillance of all information
by authorities," he said. 

Taylor believes the new law could be especially damaging to people's faith in
encrypted communications, because government hackers could potentially lift
encryption keys from individual computers. 

"This bill seems to get around the problems that strong cryptography presents
law enforcement," Taylor said. "Now, they can attack the problem at the source
-- the originating computer -- before the data even gets encrypted." 

In addition, the new law could introduce tricky new issues into legal cases, he
said. "It opens to question all computer evidence if there's been the potential
for legalized tampering of it. Computer evidence already poses problems of
validation, and that's before you even open up these legal avenues of
tampering." 

Connolly, as director of Australia's Financial Services Consumer Policy Center
and national coordinator of the Campaign for Fair Privacy Laws, spoke out
against the proposed legislation in a parliamentary submission earlier this
year. 

"Australia doesn't really need an intelligence agency with dictatorial powers,"
he said. "People here largely trust the federal police to deal with most
matters, and the police are subject to more controls and supervision by judges
than ASIO is." 

He believes the government hastily pushed the bill through parliament using,
among other things, national nervousness about the approaching Sydney Olympics
to convince parliamentarians to go along. He thinks ASIO's expanded powers
clearly go too far, and were sought by an agency seeking a new role after the
Cold War. 

To Brian Greig, a West Australian senator from the populist Democrats Party --
which voted against the bill -- the law now tilts the balance of power between
the individual and government too far in favor of government. 

"If we're going to expand ASIO's surveillance powers, we should have expanded
equally the rights and liberties of individuals to be protected from that," he
said. "My suspicion is that citizens of other countries wouldn't have been so
apathetic about an issue like this." 

As Australia's fourth largest political party, the Democrats could only voice
concern about the proposed law. Both the ruling Liberal-National party coalition
and the opposition Labor Party voted to pass the measure. 

Under the new system, a citizen's most likely recourse if he feels improperly
snooped would be to complain to the attorney general -- who authorized the
snooping in the first place, or to the inspector general of intelligence and
security, a government watchdog that conducts periodic reviews of ASIO's
activities, Connolly said. Neither of which is likely to pursue an aggressive,
impartial investigation, Connolly believes. So, if the law's a done deal -- what
now? 

Connolly suggests it's up to individuals and companies in Australia to take
additional measures to protect confidential information if they're worried about
government hackers. He suggests seeking out better encryption, as well as
software that can detect computer intrusions. 

However, if government now has legal power to change computer data, it can
legally tamper with intrusion detection software, erasing records of its visits,
he said. 

To Paul Budde, a Sydney-based independent telecommunications analyst, the new
law sends the wrong message. 

"If the government is allowed to be the biggest hacker in town, it really
undermines computer security rather than enhances it," he said. "How can they
now criticize 16-year-old kids who break into computer systems for fun if the
government's doing it, too?"


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Distribution of intelligence in the crypto field
Date: Mon, 06 Dec 1999 22:44:14 GMT

In article <[EMAIL PROTECTED]>,
  albert <[EMAIL PROTECTED]> wrote:
> With all the NSA discussions, I was thinking...
>
> There is very VERY little distribution of intelligence in the crypto
> field.  Come on, we all know the names.  Shoot, in this forum, we call
> them by first names.  Eli, Bruce, Lars, Ross, Ron etc...
>
> The 80/20 rule seems more like the 95/5 rule when it comes to crypto.
> About 95% of the world's advances are done by 5% of the crypto
> community.  Who breaks algorithms?  The same names.  This is true for
> almost every industry, and crypto is no exemption.
>
> So my point is, I have serious doubts that the NSA is THAT much ahead of
> the world.  Why?  Because unless they are harboring a few Bruces or
> Eli's in there, I don't see them gaining that much ground.  A society
> grows as a function of how fast information takes to disseminate and the
> feedback to come back.  In a government structure, that rate seems to
> be... well, be as fast as service at the DMV.
>
> I see Bruce's argument, we know what we know, they know what we know
> AND what they know.  They also have resources up the wazoo.  But
> intelligence isn't something money can buy, if it was, windows would be
> the best OS... correct?
>
> Disagreements?
>
>

I'd disagree, at least for symmetric key ciphers.  I think we're seeing
the same names in commercial cryptography because there are only a
handful of people who can spend their lifetime working on it.  It's more
a matter of effort and experience than brilliance.  The NSA should be
able to stay well ahead by hiring lots of reasonably brilliant people,
pointing them in the right direction, and giving them computers,
conference rooms and a salary.

- Bob Jenkins


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
