Cryptography-Digest Digest #728, Volume #10      Sun, 12 Dec 99 21:13:01 EST

Contents:
  Re: Scott's Screaming Security Method (Okra Meinly)
  Re: Are thermal diodes as RNG's secure (Tom St Denis)
  Re: Questions about message digest functions (Lasse Reichstein Nielsen)
  Re: Digitally signing an article in a paper journal (Steve K)
  Re: Insecure PRNG? (Mok-Kong Shen)
  Re: Insecure PRNG? (Mok-Kong Shen)
  Re: Insecure PRNG? ("Trevor Jackson, III")
  Re: Are thermal diodes as RNG's secure ("Trevor Jackson, III")
  Lots of cryptography book recommendations (David Youd)
  Re: Insecure PRNG? (CLSV)
  Re: Insecure PRNG? ("Douglas A. Gwyn")
  Re: Insecure PRNG? ("Douglas A. Gwyn")
  Re: Are thermal diodes as RNG's secure ("Douglas A. Gwyn")
  Re: Please help this newbie crack a potentially simple encryption ("Douglas A. Gwyn")
  Re: Lots of cryptography book recommendations ("abe kohen")
  Re: Are thermal diodes as RNG's secure (Tim Tyler)
  Re: Are thermal diodes as RNG's secure (Bill Unruh)
  Re: Questions about message digest functions (Tim Tyler)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Okra Meinly)
Crossposted-To: comp.compression,alt.security
Subject: Re: Scott's Screaming Security Method
Date: Sun, 12 Dec 1999 22:10:40 GMT

[EMAIL PROTECTED] (wtshaw) wrote:

>Probably helps if you have lots of hair too, but since Scott is a bit shy
>on that department, I figure that he is not the intended one to do the
>screaming.  It's a catchy name, however.

The name reminds me of a failed snack food called "Screaming Yellow
Zonkers". Remember those?

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Are thermal diodes as RNG's secure
Date: Sun, 12 Dec 1999 22:40:30 GMT

In article <831142$s6l$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Is a thermal diode being used as a RNG secure?
>
> Is it possible to manipulate the electronics to make the output of the
> diode not-so-random?

Change the voltage?  As I understand it diodes work by letting current
go through only when it passes a voltage, but when it equals the voltage
it lets it pass at 'random'.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Lasse Reichstein Nielsen <[EMAIL PROTECTED]>
Subject: Re: Questions about message digest functions
Date: 12 Dec 1999 23:51:11 +0100

[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) writes:

> >
> >It appears to be a desirable property.
> >
> >Part of the point of hashes is to avoid hash collisions.  A permutation
> >would avoid collisions to the maximum possible extent.
> >Nothing else would do this for the case where message size = hash size.
> 

>    For the ignorant if you hash a message of the same size and
> it is not bijective then certain patterns of the hash will be impossible
> to achieve so if the hash is used for a key certain keys can be eliminated
> from the solution space. Also patterns that can be hashed to by more
> than one input could be checked first. 

Sure, but if this happens rarely enough, who cares? If there are
5 collisions in a hash function out of like 2^128 then you gain
nothing you couldn't gain from precomputing the hash of 5 messages.
Same goes for any negligible subset of the set of messages.

A desirable property of a hash function is that it is "collision
intractable", i.e. that your chance of finding a collision (given a
random hash value, find something that hashes to the same value) is not
much better than chance. You can set the threshold yourself depending
on your needs, and it corresponds nicely to the chance of brute-forcing
a crypto algorithm.

IF there exist collision intractable hash functions (afaik still not
decided) then a lot of cryptologers will be happy, because they have
been proven usable to make cryptography about as strong as the CIH
itself (i.e. breaking the cryptography means finding a collision). 
This doesn't require the hash function to be a permutation on messages
of the appropriate size.

/L
-- 
Lasse Reichstein Nielsen - [EMAIL PROTECTED] 
 "Faith without judgement merely degrades the spirit divine."

------------------------------

From: [EMAIL PROTECTED] (Steve K)
Subject: Re: Digitally signing an article in a paper journal
Date: Sun, 12 Dec 1999 22:52:32 GMT

My suggestion:

Create a key for the sole purpose of signing and encrypting drafts
of articles, messages, etc. under your pseudonym.  Take great care
never to use this key pair for any other purpose, or your anonymity
may be endangered.  

http://www.itconsult.co.uk/stamper/stampinf.htm

This is the URL to a PGP time stamping service.  There are others. 

Encrypt and sign a draft of your document, and send it to a time
stamping service.  You will receive it back, with another signature
added, specifically for the purpose of verifying where and when the
service signed your document.  Here you have nearly perfect proof of
priority, in your possession, which can be disclosed at your
discretion.  

You may also wish to sign a cleartext copy of your draft, using your
pseudonym's key.  Then anonymously post it to a news group.  For
moderately secure anonymous posting, try:

http://www.anonymizer.com/3.0/services/

For advanced security in anonymous posting, try:

http://lycaeum.org/~sunny/IntermediateAnonymity.html

As long as the signed copy of your draft is available at Deja or other
archive sites, you will be able to claim the article and prove your
authorship at any time, without resort to time stamping.

The Cpunks mailing list might be a good place for further information.
It is archived at:  http://www.inet-one.com/cypherpunks/

HTH

Steve K

---Continuing freedom of speech brought to you by---
   http://www.eff.org/   http://www.epic.org/  
               http://www.cdt.org/

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?
Date: Mon, 13 Dec 1999 00:00:39 +0100

CLSV wrote:
> 
> Mok-Kong Shen wrote:
> 
> > [...] The point is that it is very hard (in my humble opinion
> > impossible) to compare two different crypto algorithms and say that
> > the one is r times stronger than the other, where r is a certain
> > precise real number.
> 
> It is impossible to compare anything without giving
> a context. You could however compare two cryptographic algorithms
> in the context of a specific attack (e.g. differential cryptanalysis).

But what interests the user of encryption algorithms is the security
against all currently possible attacks. Since that 'context' is
difficult to deal with or ill-defined (since one is never sure to 
know all these attacks) that's one reason why defining a standard 
unit of strength of crypto algorithms is impossible in practice,
I believe.

> 
> > (Compare on the other hand e.g. the relative strength of materials.)
> 
> So what is stronger: a steel or a wooden beam?
> Again, given no context there is no valid comparison.
> *Proving* real-world characteristics is much harder than proving
> theoretical concepts.

Look into an engineering handbook and you will find the strength
of different construction materials. Note however that a beam is a 
structure. Its breaking load depends on its cross-section etc. and
is much more complicated than (but can be computed from) the 'pure' 
strength of the material it is made of. Given a steel and a wooden
beam, an engineer can do computations to determine which is stronger
and give a numerical figure for that. To do the same with two
crypto algorithms seems to be very hard or impossible in general.
 
> 
> > One basic reason underlying that, I believe,
> > is that, given any properly designed algorithm, one generally has no
> > way of knowing which is the most efficient way of attacking it and
> > hence one normally can't determine the factor of expense of cracking
> > one algorithm relative to another algorithm. (The person who succeeds
> > to crack an algorithm in a clever way may choose to keep his result
> > unpublished.)
> 
> We can discuss security against known attacks in both a practical
> and scientific way as long as we do keep in mind that we do not have a
> computable absolute security measure. Of course the last fact is
> good to mention when someone is claiming absolute security.

As I said, there may be unknown yet existent attacks. The user of
crypto applications commonly desires to know 'the' security, not 
merely the security against a specific list of methods of attack. 
That's at the heart of the trouble in my humble opinion.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?
Date: Mon, 13 Dec 1999 00:02:02 +0100

Guy Macon wrote:
> 
> >Mok-Kong Shen wrote:
> >> As discussed in the past in this group, there can be no
> >> scientifically rigorous yet practically useful quantitative
> >> measure of strength of crypto algorithms.
> >
> >That should not be taken as gospel.  In fact there are papers
> >on provable minimum work factors for certain schemes.  I've
> >also explained (ages ago) what form proper statistical
> >(information-theoretic) criteria could take.
> 
> Certainly there is a scientifically rigorous yet practically
> useful quantitative measure of strength in the degenerate
> cases of no encryption at all and an OTP with true random key.

Do you really mean that such is 'practically useful' in crypto
applications? The case of no encryption is out of question.
An ideal OTP cannot be obtained in practice, for there is no
practical way to determine 'true randomness'.

> 
> If one was to vary slightly from the above (say, encrypting one
> character out of 100 and leaving the rest plaintext), you could
> still derive a scientifically rigorous yet practically useful
> quantitative measure of strength.  On the other hand there are
> encryption methods that sure do seem to fit your description.
> It's the phrase "there can be no" that I object to, not the main
> point which seems to be true in most cases.

What I meant is a universally applicable standard measure (like 1 
metre) with which you can compare all algorithms. But even your
example is problematical. Does encrypting 2 characters out of 100 
result in twice the strength of encrypting 1 character out of 100?

M. K. Shen

------------------------------

Date: Sun, 12 Dec 1999 18:26:31 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?



CLSV wrote:

> Mok-Kong Shen wrote:
>
> > [...] The point is that it is very hard (in my humble opinion
> > impossible) to compare two different crypto algorithms and say that
> > the one is r times stronger than the other, where r is a certain
> > precise real number.
>
> It is impossible to compare anything without giving
> a context. You could however compare two cryptographic algorithms
> in the context of a specific attack (e.g. differential cryptanalysis).
>
> > (Compare on the other hand e.g. the relative strength of materials.)
>
> So what is stronger: a steel or a wooden beam?
> Again, given no context there is no valid comparison.
> *Proving* real-world characteristics is much harder than proving
> theoretical concepts.

The situation is much worse than this.  In strength of materials one has
defined units of measure and can compare materials using the figures of
merit.  Tensile strength, compression strength, density, etc.  Yet how can
one measure the "strength" of a substitution table, or the strength of a
non-linear function?  Until we have defined units of measure scientific
comparison is not hard, it is impossible.

>
>
> > One basic reason underlying that, I believe,
> > is that, given any properly designed algorithm, one generally has no
> > way of knowing which is the most efficient way of attacking it and
> > hence one normally can't determine the factor of expense of cracking
> > one algorithm relative to another algorithm. (The person who succeeds
> > to crack an algorithm in a clever way may choose to keep his result
> > unpublished.)
>
> We can discuss security against known attacks in both a practical
> and scientific way as long as we do keep in mind that we do not have a
> computable absolute security measure. Of course the last fact is
> good to mention when someone is claiming absolute security.
>
> Regards,
>
>         Coen Visser




------------------------------

Date: Sun, 12 Dec 1999 18:36:27 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Are thermal diodes as RNG's secure

[EMAIL PROTECTED] wrote:

> Is a thermal diode being used as a RNG secure?
>
> Is it possible to manipulate the electronics to make the output of the
> diode not-so-random?

I'm aware of three threats to this kind of device.  First, covert
modifications of the device, perhaps after deployment may render it
useless.  Chilling is possible even in the presence of real-time output
verification -- no matter how sophisticated.

Second is the possibility of non-contact influences such as EMF.  Even
remote control of the temperature of the device (localized heating) can
move the noise floor around in interesting ways.

Third is to leave the output alone, but record it.  C.f. Tempest.  The
actual device can run below the ambient radio spectrum noise floor, but
the downstream signal handling is often decipherable remotely.


------------------------------

From: David Youd <[EMAIL PROTECTED]>
Crossposted-To: alt.books.technical,talk.politics.crypto
Subject: Lots of cryptography book recommendations
Date: Sun, 12 Dec 1999 23:46:03 GMT

For a quick review of 30 cryptography (or related) books, check out
http://www.youdzone.com/cryptobooks.html



------------------------------

From: CLSV <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?
Date: Mon, 13 Dec 1999 00:37:05 +0000

Mok-Kong Shen wrote:
 
> But what interests the user of encryption algorithms is the security
> against all currently possible attacks. Since that 'context' is
> difficult to deal with or ill-defined (since one is never sure to
> know all these attacks) that's one reason why defining a standard
> unit of strength of crypto algorithms is impossible in practice,
> I believe.

Yes, I agree with this. But this is just an educational problem
on the side of the 'user'. Anyone wanting to know *the* security of
an algorithm (apart from some special cases) probably doesn't know
that the problem is not well defined.

> > We can discuss security against known attacks in both a practical
> > and scientific way as long as we do keep in mind that we do not have a
> > computable absolute security measure. Of course the last fact is
> > good to mention when someone is claiming absolute security.
 
> As I said, there may be unknown yet existant attacks.

I strongly believe that there are no known block ciphers (including
the AES contestants) that cannot be broken in less effort than
a brute force key search. Given enough effort some crack will be found,
although it may still be unfeasible to break the algorithm in practice.

> The user of
> crypto applications commonly desires to know 'the' security, not
> merely the security against a specific list of methods of attack.
> That's at the heart of the trouble in my humble opinion.

I think it is a very natural desire for someone to want to know
how secure something is. And questions concerning security of a
specific algorithm can be answered better than just saying "we don't
know and never will". If I was a customer I would prefer the answer
"the algorithm can withstand differential and linear cryptanalysis,
it has good statistical properties, but there may be other yet
unknown attacks that can break it". But nobody is paying for our
comments here ;-)

Regards,

        Coen Visser

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?
Date: Mon, 13 Dec 1999 00:42:28 GMT

Mok-Kong Shen wrote:
> But what interests the user of encryption algorithms is the security
> against all currently possible attacks. Since that 'context' is
> difficult to deal with or ill-defined (since one is never sure to
> know all these attacks) that's one reason why defining a standard
> unit of strength of crypto algorithms is impossible in practice,
> I believe.

You're going about this the wrong way.  You might as well say
that, since it is impossible to know all the exact situations
*any* real-world object will be subjected to, it is therefore
impossible to say anything definite about the relative quality
of different objects of the same kind.  Yet in reality, we make
such judgments all the time.

What you're really lacking is a good theoretical basis for
doing this for cryptosystems (or just for encryption algorithms);
that doesn't mean that no good theory is possible, just that
you're not (yet) aware of one.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?
Date: Mon, 13 Dec 1999 00:45:32 GMT

Mok-Kong Shen wrote:
> Does encrypting 2 characters out of 100
> result in twice the strength of encrypting 1 character out of 100?

Just because Guy Macon doesn't have a good measure of cryptographic
strength doesn't mean anything one way or another for the general
issue of whether such a measure is possible.  It is obvious, however,
that your question would not fit into the framework of any valid
measure.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Are thermal diodes as RNG's secure
Date: Mon, 13 Dec 1999 00:49:04 GMT

Tom St Denis wrote:
>   [EMAIL PROTECTED] wrote:
> > Is it possible to manipulate the electronics to make the output of the
> > [thermal] diode not-so-random?
> Change the voltage?  As I understand it diodes work by letting current
> go through only when it passes a voltage, but when it equals the voltage
> it lets it pass at 'random'.

"Better to remain silent and be thought a fool than to speak and
remove all doubt."

Really, when you don't understand something (like the operation
of a semiconductor junction), posting guesses about it is
counterproductive.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Please help this newbie crack a potentially simple encryption
Date: Mon, 13 Dec 1999 01:02:24 GMT

If it is indeed a simple substitution with variants (which is
supported by the dinome frequency distribution), then it is
just barely long enough to be solved, with work and luck.
I personally would try to categorize the CT values into the
classes "consonant" and "vowel", or rather into a slightly
greater number of analogous classes, by fitting a Hidden
Markov Model to it (using the Baum/Welch/Eagon algorithm for
Maximum-Likelihood Estimation).  Assuming you're on the right
track, that should produce a fairly clear assignment of CT
symbols to letter-contact category, in particular grouping
most equivalents for the same PT into the same category,
which would be a step toward solution.  (See Gaines' book for
an illustration of use of consonant/vowel categorization and
contact information in solving simple substitutions.)

------------------------------

From: "abe kohen" <[EMAIL PROTECTED]>
Crossposted-To: alt.books.technical,talk.politics.crypto
Subject: Re: Lots of cryptography book recommendations
Date: Sun, 12 Dec 1999 20:23:37 -0500

Thanks. This looks great.
It would be even better without the commercial plug.

Abe

"David Youd" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> For a quick review of 30 cryptography (or related) books, check out
> http://www.youdzone.com/cryptobooks.html
>
>



------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Are thermal diodes as RNG's secure
Reply-To: [EMAIL PROTECTED]
Date: Mon, 13 Dec 1999 01:12:08 GMT

[EMAIL PROTECTED] wrote:

: Is a thermal diode being used as a RNG secure? [...]

: Any URLs would be nice

Random Electrical Noise: A Literature Survey

http://www.io.com/~ritter/RES/NOISE.HTM
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

All true wisdom may be found on T-Shirts.

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Are thermal diodes as RNG's secure
Date: 13 Dec 1999 01:34:18 GMT

In <831142$s6l$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:

>Is a thermal diode being used as a RNG secure?

If it is used properly. The big problem with hardware random number
generators is bias. You must cook the output to get rid of any effects of
the biases.


>Is it possible to manipulate the electronics to make the output of the
>diode not-so-random?

Of course. The usual use for a diode is to produce output which is determined
by the input (ie the output is highly non-random). That is why you must
use it "properly" (ie improperly as far as normal use is concerned).

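One standard way to "cook the output" of a biased hardware source, as Bill Unruh puts it above, is the von Neumann extractor. The following is an added example, not code from any poster; the biased source is a constructed simulation of a noise sampler, and the second check shows the extractor's known limitation, that it removes bias but not correlation between successive bits.

```python
import random


def simulated_biased_source(n_bits: int, p_one: float, seed: int = 1) -> list[int]:
    """Constructed stand-in for a raw noise-diode sampler: independent bits,
    each equal to 1 with probability p_one (a biased but uncorrelated source)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def fraction_of_ones(bits: list[int]) -> float:
    """Crude bias estimate: share of 1 bits in the stream."""
    return sum(bits) / len(bits) if bits else 0.0


def von_neumann_debias(bits: list[int]) -> list[int]:
    """Von Neumann extractor over non-overlapping pairs: 10 -> 1, 01 -> 0,
    00 and 11 are discarded.  For independent bits with fixed bias p,
    P(10) = P(01) = p(1-p), so the output is unbiased whatever p is.
    It does NOT fix dependence between bits; see alternating_source_check()."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def expected_yield(p_one: float) -> float:
    """Fraction of input bits that survive: half the pairs are used, and a pair
    is kept with probability 2p(1-p), so yield = p(1-p) per input bit."""
    return p_one * (1.0 - p_one)


def debias_report(n_bits: int = 100_000, p_one: float = 0.7) -> dict:
    """Run the constructed biased source through the extractor and report
    the bias before and after, plus the observed yield."""
    raw = simulated_biased_source(n_bits, p_one)
    cooked = von_neumann_debias(raw)
    return {
        "raw_fraction_ones": fraction_of_ones(raw),
        "cooked_fraction_ones": fraction_of_ones(cooked),
        "observed_yield": len(cooked) / len(raw),
        "expected_yield": expected_yield(p_one),
    }


def alternating_source_check() -> float:
    """Caveat: a perfectly correlated source (0101...) has no bias at all,
    yet every pair is 01, so the extractor emits nothing but zeros.  Any real
    design must therefore test the raw stream for correlation, not just bias."""
    correlated = [0, 1] * 1000
    return fraction_of_ones(von_neumann_debias(correlated))


if __name__ == "__main__":
    print(debias_report())
    print("alternating source -> fraction of ones after extractor:",
          alternating_source_check())
```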
------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Questions about message digest functions
Reply-To: [EMAIL PROTECTED]
Date: Mon, 13 Dec 1999 01:41:39 GMT

wtshaw <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
:> wtshaw <[EMAIL PROTECTED]> wrote:
:> : In article <[EMAIL PROTECTED]>, Pelle Evensen <[EMAIL PROTECTED]> wrote:

:> :> Have there been any papers published on 
:> :> 1a) Whether SHA-1 is a permutation for a message the same length as the
:> :>     digest-length (160 bits)? [snip]
:> :> 1c) Is this true (or can it be true) for any other, supposedly secure,
:> :>     one-way, collision resistant, hash-functions?
:> 
:> : 1c holds a host of sins of presumption.
:> 
:> Another wtshaw cryptic comment ;-)

[snip]

: Since you asked, I resolve a portion of my comment: collisions and
: security of a hash function work in opposition, no collisions meaning
: that the input can be solved, be that perhaps inconvenient.  But, if
: lots rode on the solution, it might be worth it.

I'm almost as lost as when you started.

Surely collision resistance and security are generally positively
connected - rather than negatively.

There seems to be a weak sense in which an attacker has advance 
information when the hash-size and the message size are equal and he
knows in advance that the hash is a bijection:

If he wants to find a message that has a particular hash, he knows that a
message that has that hash exists.

This sense seems rather irrelevant in practice - as an attacker is
/usually/ trying to find a second message that matches an existing hash -
not trying to find a message that corresponds to a hash which has no
corresponding message in the first place.

I have difficulty in seeing any practical problem in this area -
is this property what you are referring to?  Or is there some other
way in which security and hash collision exclude one another?

I believe it is possible to have both - and indeed maximum security
should generally be accompanied by minimal hash collisions - in order
to best resist brute force.

: As for block ciphers being so simple and symmetric as to be reversable, I
: know of at least one that is not, depending on whether you call it a block
: cipher. [...]

Hmm.  Block cyphers are certainly usually reversible.  They are rarely
simple.  Sometimes, their inverse function may be computationally
difficult to determine.

: Surely there is a war of data to have just sufficient collisions
: to maximize a function as a hash and insufficient reversability to allow
: its solution.

War?  Way?  I was not saying that you /should/ build hashes (or one-way
hashes) from block cyphers - just that there exist methods of
doing so.

Hashes need not be easy to reverse - indeed one-way hashes should be
difficult to invert.  The very idea of reversing a hash makes little sense
anyway in the common case where the message size exceeds the hash size.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Enough research will tend to support your theory.

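Both Lasse Reichstein Nielsen's post and Tim Tyler's post above turn on what a non-bijective hash looks like when message size equals hash size: some digests have no preimage, and an attacker who knows the function is a permutation knows a preimage exists for every target. The following added example (not code from either poster) makes that concrete on a 16-bit toy: a constructed "toy hash" (SHA-256 truncated to 16 bits, which behaves like a random function) beside a constructed toy permutation, counting unreachable outputs and colliding inputs for each.

```python
import hashlib

BITS = 16
N = 1 << BITS          # size of both the message space and the digest space


def toy_hash(x: int) -> int:
    """Constructed toy: SHA-256 of the 16-bit input, truncated to 16 bits.
    Behaves like a random function on {0..N-1}, so it is not a permutation."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def toy_permutation(x: int) -> int:
    """Constructed toy bijection on the same domain: multiply by an odd constant
    mod 2^16 (odd => invertible), then XOR a constant.  Not a secure hash; it
    only illustrates the 'every digest has exactly one preimage' property."""
    return ((x * 0x9E37) & (N - 1)) ^ 0x5A5A


def image_statistics(f, n: int = N) -> dict:
    """Enumerate the whole (tiny) message space and report:
    - unreachable_outputs: digests no message maps to
    - excess_inputs: inputs beyond the first for each digest (collision count)
    - colliding_inputs: inputs that share their digest with some other input
    For any function from an n-set to itself, unreachable_outputs == excess_inputs."""
    preimages: dict[int, list[int]] = {}
    for x in range(n):
        preimages.setdefault(f(x), []).append(x)
    unreachable = n - len(preimages)
    excess = sum(len(v) - 1 for v in preimages.values())
    colliding = sum(len(v) for v in preimages.values() if len(v) > 1)
    return {
        "image_size": len(preimages),
        "unreachable_outputs": unreachable,
        "unreachable_fraction": unreachable / n,
        "excess_inputs": excess,
        "colliding_inputs": colliding,
    }


def preimage_exists(f, target: int, n: int = N) -> bool:
    """Exhaustive check whether some message hashes to `target`.  For the
    permutation this is always True; for the toy hash about 1/e of targets
    (roughly 37%) have no preimage at all."""
    return any(f(x) == target for x in range(n))


if __name__ == "__main__":
    print("random-like toy hash:", image_statistics(toy_hash))
    print("toy permutation:     ", image_statistics(toy_permutation))
```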
------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
