Cryptography-Digest Digest #798, Volume #10      Mon, 27 Dec 99 17:13:01 EST

Contents:
  Re: HD encryption passphrase cracked! (Matthew Montchalin)
  Re: Are PGP primes truly verifiable? (wtshaw)
  Re: Employing digits of pi ("Dann Corbit")
  Re: Employing digits of pi (Matthew Montchalin)
  Re: how good is RC4? (Jim Gillogly)
  Re: how good is RC4? (Bill Unruh)
  Re: HD encryption passphrase cracked! (Guy Macon)
  Re: Disbelief about Numbers Stations (Jim)
  Re: HD encryption passphrase cracked! (Bill Unruh)
  Re: Synchronised random number generation for one-time pads (Guy Macon)
  Re: Why doesn't RSA use n=pqr ? (was Re: Are PGP primes truly verifiable?) ("Craig Clapp")
  Re: Employing digits of pi (Mok-Kong Shen)
  Homophones (Mok-Kong Shen)
  Re: Disbelief about Numbers Stations ("Mark McCarthy")
  Re: Employing digits of pi (Mok-Kong Shen)
  Re: Why doesn't RSA use n=pqr ? (was Re: Are PGP primes truly verifiable?) ([EMAIL PROTECTED])
  Re: Are PGP primes truly verifiable? ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: misc.misc
Subject: Re: HD encryption passphrase cracked!
Date: Mon, 27 Dec 1999 12:07:24 -0800

On 27 Dec 1999, Keith A Monahan wrote:

|P.S. FYI, I have since wiped my hard drive using over 25 passes of the
|standard all zeros, all ones, 0101, and pseudo-random data.

Have you ever opened up your hard drive and pulled out the magnetic
medium with a pair of tweezers?  Sure, they say that microscopic
particles of dirt get into the hard drive, substantially compromising the
storage capabilities, but if you really wanted to eradicate every last
trace of the data, and yet still be able to use the medium (that is the
important part), you can swipe a kitchen magnet over and around and
around the medium before replacing it again.  Of course, after doing
something like that, you'll have to do a low-level format of the medium
all over again before you can use the medium.  And mirabile dictu, for
ordinary hard drives (120 megs+), you haven't ruined that much of the
medium. 

|This exceeds the DOD recommendation and exceeds the magical number of 17,
|which AFAIK, is the maximum number of writes that can be recovered.

Hmmmm....  They must be assuming the user is not so paranoid that he
won't take the drive apart and perform some basic (described above) 
security measures...

|I looked for the paper reference, but can't find it.
|
|P.P.S. Dr. Dobbs Journal, Essential books on cryptography, is pretty cool.

The ultimate in security is writing your own DOS for your own HD, and
then using your own medium, &c.


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: talk.politics.crypto
Subject: Re: Are PGP primes truly verifiable?
Date: Mon, 27 Dec 1999 14:29:26 -0600


> E = m c^2.  Einstein = Man of the Century.  Why the squaring?
> 
It's part of the formula, not an embellishment.  Since c is the speed of
light, it is *slightly* significant.
-- 
Only a little over a year left to go in this century....
Knowing this, figure that a year from now, we will 
resale of the hoopla we are getting ready to see now.

------------------------------

From: "Dann Corbit" <[EMAIL PROTECTED]>
Subject: Re: Employing digits of pi
Date: Mon, 27 Dec 1999 12:27:40 -0800

"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> The following is related to some stuff I posted quite a time back
> but not discussed in this special setting as far as I can remember.
>
> It is known that the digits of pi can be computed starting from
> any arbitrarily chosen position. Let n indices giving such starting
> positions be given. One obtains with these n subsequences of pi.
> Now add the corresponding digits of the n subsequences modulo 10
> (or the base, if this is not 10), resulting in a digit sequence
> which we call R.
>
> Questions: Can we do any inference on R? If yes, how does the
> complexity of the task increase with n?

This is just a one-time-pad.  I think the deep digits are more expensive
than the early ones to compute, even with the clever hex algorithm.
Therefore, I think it is probably a rather expensive one-time-pad and other
methods would be better.  Also, the digit sequence is well known out to a
great distance, so testing against using pi would be as simple as sliding a
segment of digits along until it fits.  Further, it would be easy to attack
in parallel.  Imagine one million machines, each with a segment of pi digits
from different positions in the sequence.  It does not sound very secure to
me.

--
C-FAQ: http://www.eskimo.com/~scs/C-faq/top.html
 "The C-FAQ Book" ISBN 0-201-84519-9
C.A.P. Newsgroup   http://www.dejanews.com/~c_a_p
C.A.P. FAQ: ftp://38.168.214.175/pub/Chess%20Analysis%20Project%20FAQ.htm



------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Subject: Re: Employing digits of pi
Date: Mon, 27 Dec 1999 12:19:26 -0800

On Mon, 27 Dec 1999, Mok-Kong Shen wrote:

|The following is related to some stuff I posted quite a time back
|but not discussed in this special setting as far as I can remember.
|
|It is known that the digits of pi can be computed starting from
|any arbitrarily chosen position. Let n indices giving such starting
|positions be given.

Okay, n indices...

|One obtains with these n subsequences of pi.

Yes.  I follow.

|Now add the corresponding digits of the n subsequences modulo 10
|(or the base, if this is not 10), resulting in a digit sequence 
|which we call R. 

You mean 'concatenate' rather than 'add?'  What you've got after going
this far is a long series of digits that 'appear' random.

|Questions: Can we do any inference on R? If yes, how does the
|complexity of the task increase with n?

We need another variable in there somewhere.  You mentioned indices
originating at "any arbitrary chosen position."  How about using a(1)
through a(z) to represent the positions into pi that we must go before
arriving at an appropriate index?

For instance, let us suppose that

   a(1)  means 1 digit into pi
   a(2)  means 3 digits into pi
   a(3)  means 5 digits into pi
  
and we want a section of pi that is 4 digits long, starting at those
indices?  And concatenating those sections, we've got a number that
looks pretty random, don't we?  But the fact is, there are going to 
be a bunch of overlaps, and the overlaps won't become immediately
apparent unless somebody tells you what a(1) through a(z) are, and just
which irrational number we are using?  In short, we could use any
irrational number, not just pi?



------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: how good is RC4?
Date: Mon, 27 Dec 1999 21:01:56 +0000

Greg wrote:
> Is your post exporting strong encryption?
> 
> Perhaps I should ask are you in the United States of America?

He's not in the USA.  Even if he were, why should you care?
Perhaps I should ask whether you are in the Bureau of Export
Administration?

I will point out that if his post included strong encryption,
then yours (which copied the whole thing while adding these two
lines of commentary) was exporting strong encryption from whatever
jurisdiction <you> reside in.
-- 
        Jim Gillogly
        Mersday, 5 Afteryule S.R. 2000, 20:56
        12.19.6.14.15, 4 Men 3 Kankin, Seventh Lord of Night

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: how good is RC4?
Date: 27 Dec 1999 21:10:25 GMT

In <848fgb$j7d$[EMAIL PROTECTED]> Greg <[EMAIL PROTECTED]> writes:


>Is your post exporting strong encryption?

>Perhaps I should ask are you in the United States of America?

But you almost certainly are and you also exported it. That someone else
did first is no excuse under the law. (Note that I am a Canadian citizen
in Canada so my evidence that I received it is of no use since you are 
allowed to export it to Canada.)


>--
>The only vote that you waste is the one you never wanted to make.
>RICO- we were told it was a necessary surrender of our civil liberties.
>Asset Forfeiture- the latest inevitable result of RICO.
>http://www.ciphermax.com/book


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: misc.misc
Subject: Re: HD encryption passphrase cracked!
Date: 27 Dec 1999 16:11:30 EST

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] (Matthew Montchalin) wrote:
>
>On 27 Dec 1999, Keith A Monahan wrote:
>
>|P.S. FYI, I have since wiped my hard drive using over 25 passes of the
>|standard all zeros, all ones, 0101, and pseudo-random data.
>
>Have you ever opened up your hard drive and pulled out the magnetic
>medium with a pair of tweezers?  Sure, they say that microscopic
>particles of dirt get into the hard drive, substantially compromising the
>storage capabilities, but if you really wanted to eradicate every last
>trace of the data, and yet still be able to use the medium (that is the
>important part), you can swipe a kitchen magnet over and around and
>around the medium before replacing it again.  Of course, after doing
>something like that, you'll have to do a low-level format of the medium
>all over again before you can use the medium.  And mirabile dictu, for
>ordinary hard drives (120 megs+), you haven't ruined that much of the
>medium. 

Speaking as an engineer who has actually designed hard disks and who
has read but not tried the standard methods of reading wiped data,
I can tell you three things:

[1] I can't read data wiped with Keith's method.

[2] I can read data wiped with your method. (Hint: DC vs. AC)

[3] Damage to hard disks from internal particulates is not limited
    in such a way that there are usable good sections.  What you
    get is cumulative damage all over the disk.  Once you open it
    up outside of a cleanroom, any byte may be destroyed at any time.
    The good news for those reading this is that if your drive has
    been running fine for over two weeks, you know that it doesn't
    suffer from particulate contamination.  Something else will
    eventually kill your drive.  If you don't back up your data,
    you are an idiot.


------------------------------

From: amadeus @DELETE_THIS.netcomuk.co.uk (Jim)
Subject: Re: Disbelief about Numbers Stations
Date: Mon, 27 Dec 1999 21:16:52 GMT
Reply-To: Jim

On Mon, 27 Dec 1999 00:04:19 GMT, [EMAIL PROTECTED] wrote:

>I find it hard to believe that no one has ever attempted to track these
>things down.  It's as if no one knows anything about them!  If they are
>Morse or voice, surely some sort of DF (direction finding) should be
>possible to pin them down.
>
>Can anyone tell me if the stations move constantly, if the same voice
>or hand is recognizable, what power level they appear to be using, what
>cities they appear to be in, etc.  Even as an amateur effort, I'm
>surprised that people haven't ganged up on them to do some sort of DF...

Go to http://www.wunclub.com   and look for information on these
oddities. I think 'Numbers & Oddities' are the operative words.

Their origins are well known: all the major intelligence agencies
of the world use them. Almost all of them have been identified by
enthusiastic amateur traffic analysts. What beats me is why, with 
easy, fast, cheap world-wide digital communications available, they 
choose to use apparently conventional codes/ciphers and shortwave 
(HF) radio using morse and voice.

Similarly, why in the age of rapid satellite and fibre-optic communications,
do so many embassies use slow outdated conventional 5 letter/figure-group
systems on HF radio? Is there some sort of convention that requires them
to be twenty years behind the rest of the world? (!!)

-- 
Posted by G4RGA.
Rallies Info: http://website.lineone.net/~nordland
              http://www.netcomuk.co.uk/~amadeus

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: misc.misc
Subject: Re: HD encryption passphrase cracked!
Date: 27 Dec 1999 21:17:52 GMT

In <[EMAIL PROTECTED]> Matthew Montchalin 
<[EMAIL PROTECTED]> writes:
>medium with a pair of tweezers?  Sure, they say that microscopic
>particles of dirt get into the hard drive, substantially compromising the
>storage capabilities, but if you really wanted to eradicate every last
>trace of the data, and yet still be able to use the medium (that is the
>important part), you can swipe a kitchen magnet over and around and
>around the medium before replacing it again.  Of course, after doing

Well. I suspect that this would not do much good. A household kitchen
magnet is not all that strong, and furthermore it has a very low Fourier
coefficient on the drive surface, so it will not be very effective at
all in erasing those transients between 0 and 1 on the disk platter. It
may well mess it up enough to make it unusable but not enough that
someone could not recover whatever data was there already. You need a
very strong alternating magnetic field to do a good job of bulk erasing,
and even then I would worry about leaving the transients detectable.
Much better to burn it-- make sure the material goes above its Néel
temperature. Of course that makes it somewhat unusable afterwards.

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Synchronised random number generation for one-time pads
Date: 27 Dec 1999 16:18:09 EST

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] (James Felling) wrote:
>>
>> I know that a fundamental property of XOR is that XORing anything
>> to a true random (if such exists) message cannot reduce the randomness.
>> is this also a known property of the way you are using DES?  I sure can
>> see the advantages if it is.
>
>I believe that this should be as secure as XOR.  But, even if this is as good as the
>direct XOR of OTP material, and while it may be better as far as hiding/dealing with
>imperfections in the raw pad.  However, it is very slow, as you will have to rekey on
>a block by block basis, and really fails to add anything other than possibly
>compensating for weaknesses in your pad generation methods.  I feel that improvement
>to your pad generator will be a much more robust path to pursue.
>

I could even use it as the method of improving (if possible) the RNG
by making a string of random (usual disclaimer) bits and XORing it with
another string of random bits that have gone through the DES program.
This would seem to be safer.


------------------------------

From: "Craig Clapp" <[EMAIL PROTECTED]>
Subject: Re: Why doesn't RSA use n=pqr ? (was Re: Are PGP primes truly verifiable?)
Date: Mon, 27 Dec 1999 21:16:52 GMT


Craig Clapp wrote in message ...

>The small reduction in maximum order of an element ( LCM(p,q,r)
>versus LCM(p,q) ) does not seem to be a severe drawback so long
>as the factors are well chosen.
>
>- Craig Clapp
>


Oops, the maximum orders should of course have been stated as
LCM(p-1,q-1,r-1) and LCM(p-1,q-1), where the p and q in the second
expression are not the same ones as in the first expression. i.e. if
p1 ~= q1 ~= r1, and p2 ~= q2, where p1, q1, r1, p2, q2 are all prime,
(p1-1)/2, (q1-1)/2, (r1-1)/2 are coprime, (p2-1)/2, (q2-1)/2 are coprime,
and p1*q1*r1 ~= p2*q2 then LCM(p1,q1,r1) ~= LCM(p2,q2)/2 .

- Craig Clapp




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Employing digits of pi
Date: Mon, 27 Dec 1999 22:24:41 +0100

Dann Corbit wrote:
> 
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote
> > It is known that the digits of pi can be computed starting from
> > any arbitrarily chosen position. Let n indices giving such starting
> > positions be given. One obtains with these n subsequences of pi.
> > Now add the corresponding digits of the n subsequences modulo 10
> > (or the base, if this is not 10), resulting in a digit sequence
> > which we call R.
> >
> > Questions: Can we do any inference on R? If yes, how does the
> > complexity of the task increase with n?
 
> This is just a one-time-pad.  I think the deep digits are more expensive
> than the early ones to compute, even with the clever hex algorithm.
> Therefore, I think it is probably a rather expensive one-time-pad and other
> methods would be better.  Also, the digit sequence is well known out to a
> great distance, so testing against using pi would be as simple as sliding a
> segment of digits along until it fits.  Further, it would be easy to attack
> in parallel.  Imagine one million machines, each with a segment of pi digits
> from different positions in the sequence.  It does not sound very secure to
> me.

Even within the range of published/known digits, one easily sees
the combinatorial explosion with increasing n. Outside of that range,
the computing effort renders the analyst's job worse (much worse,
if it is rather expensive as you suggested). Perhaps I should mention
that I am asking for (as always) practical security, not theoretical 
security. (I am not quite sure that all the three letter agencies 
of the world put together possess one million machines.)

One could further complicate the scheme, if one takes the trouble.
For example, the subsequences can be divided into blocks and the 
digits of the blocks permuted in some way agreed upon by the 
communication partners.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Homophones
Date: Mon, 27 Dec 1999 22:25:23 +0100

According to Schneier's AC, homophonic substitution ciphers are 
very easy to break.

Question: What if one employs homophones in the manner of
polyalphabetic substitutions, i.e. when there are more than one
substitution tables (columns)? And when the tables are not
periodically selected by a short key but chosen by the output
of a PRNG with, say, some 200 tables? (To avoid misunderstanding,
my question is about practical, not theoretical, security.)

M. K. Shen
=========================
http://home.t-online.de/home/mok-kong.shen
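
An added illustration of the construction asked about above (example code written for this digest, not from any poster): a homophonic substitution with 200 tables, where the table used for each plaintext letter is selected by a seeded PRNG stream shared by sender and receiver, and the homophone within that table is picked by the sender alone. Everything here is constructed: the letter weights, the three-digit code space, and the function names `make_tables`, `table_schedule`, `encrypt`, `decrypt` and `homophone_count`. Python's `random.Random` (Mersenne Twister) stands in for the PRNG only so the example is self-contained; it is not a cryptographic generator, and in this design the whole key is the seed, so practical security is exactly the unpredictability of that stream, which is the question the post raises.

```python
import random
import secrets
import string

ALPHABET = string.ascii_uppercase
# Constructed, rough English letter weights (E highest, J/K/Q/X/Z lowest);
# a letter's share of the code space is proportional to its weight, which
# is what makes the substitution homophonic.
WEIGHTS = [8, 2, 3, 4, 12, 2, 2, 6, 7, 1, 1, 4, 2, 7, 8, 2, 1, 6, 6, 9, 3, 1, 2, 1, 2, 1]
CODE_SPACE = 1000      # ciphertext symbols are the three-digit codes 000..999
NUM_TABLES = 200       # the 'some 200 tables' of the question


def make_tables(seed, num_tables=NUM_TABLES):
    """Build num_tables independent homophone tables from a seeded PRNG.
    Each table is a pair (letter -> list of codes, code -> letter)."""
    rng = random.Random(f"tables:{seed}")
    total = sum(WEIGHTS)
    tables = []
    for _ in range(num_tables):
        codes = list(range(CODE_SPACE))
        rng.shuffle(codes)
        forward, reverse, pos = {}, {}, 0
        for letter, weight in zip(ALPHABET, WEIGHTS):
            share = CODE_SPACE * weight // total
            chunk = codes[pos:pos + share]
            pos += share
            forward[letter] = chunk
            for code in chunk:
                reverse[code] = letter
        tables.append((forward, reverse))
    return tables


def table_schedule(seed):
    """The PRNG stream that picks, per plaintext letter, which table is used;
    sender and receiver regenerate the same stream from the shared seed."""
    return random.Random(f"schedule:{seed}")


def encrypt(plaintext, seed, tables, choose=secrets.randbelow):
    """Return the list of codes.  The table index comes from the schedule
    PRNG; the homophone within that table is chosen by `choose`, which the
    receiver never needs to know."""
    schedule = table_schedule(seed)
    out = []
    for ch in plaintext.upper():
        if ch not in ALPHABET:
            continue                     # letters only in this illustration
        forward, _ = tables[schedule.randrange(len(tables))]
        homophones = forward[ch]
        out.append(homophones[choose(len(homophones))])
    return out


def decrypt(codes, seed, tables):
    """Regenerate the table schedule and look each code up in its table."""
    schedule = table_schedule(seed)
    return "".join(tables[schedule.randrange(len(tables))][1][code] for code in codes)


def homophone_count(tables, letter):
    """How many ciphertext symbols a letter can map to within one table."""
    return len(tables[0][0][letter])


if __name__ == "__main__":
    shared_seed = "demo-seed"            # constructed; the whole key of the scheme
    tables = make_tables(shared_seed)
    codes = encrypt("ATTACK AT DAWN", shared_seed, tables)
    print(" ".join(f"{c:03d}" for c in codes))
    print(decrypt(codes, shared_seed, tables))
```

Note that a repeated plaintext letter gets both a fresh table and a fresh homophone on each occurrence, so the frequency flattening is per symbol, not per table; the receiver decrypts with table lookups only and never needs the sender's homophone choices.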

------------------------------

From: "Mark McCarthy" <[EMAIL PROTECTED]>
Subject: Re: Disbelief about Numbers Stations
Date: Mon, 27 Dec 1999 22:35:52 +0100

Could it be to do with the readiness with which an HF system can be built?
It's a lot less sophisticated than more modern systems.

However, I agree, it's strange that HF hasn't been relegated, to be used
only when everything else has been wiped out!

Mark.


amadeus @DELETE_THIS.netcomuk.co.uk (Jim) wrote in message
<[EMAIL PROTECTED]>...
>On Mon, 27 Dec 1999 00:04:19 GMT, [EMAIL PROTECTED] wrote:
>
>>I find it hard to believe that no one has ever attempted to track these
>>things down.  It's as if no one knows anything about them!  If they are
>>Morse or voice, surely some sort of DF (direction finding) should be
>>possible to pin them down.
>>
>>Can anyone tell me if the stations move constantly, if the same voice
>>or hand is recognizable, what power level they appear to be using, what
>>cities they appear to be in, etc.  Even as an amateur effort, I'm
>>surprised that people haven't ganged up on them to do some sort of DF...
>
>Go to http://www.wunclub.com   and look for information on these
>oddities. I think 'Numbers & Oddities' are the operative words.
>
>Their origins are well known: all the major intelligence agencies
>of the world use them. Almost all of them have been identified by
>enthusiastic amateur traffic analysts. What beats me is why, with
>easy, fast, cheap world-wide digital communications available, they
>choose to use apparently conventional codes/ciphers and shortwave
>(HF) radio using morse and voice.
>
>Similarly, why in the age of rapid satellite and fibre-optic communications,
>do so many embassies use slow outdated conventional 5 letter/figure-group
>systems on HF radio? Is there some sort of convention that requires them
>to be twenty years behind the rest of the world? (!!)
>
>--
>Posted by G4RGA.
>Rallies Info: http://website.lineone.net/~nordland
>              http://www.netcomuk.co.uk/~amadeus



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Employing digits of pi
Date: Mon, 27 Dec 1999 22:51:39 +0100

Matthew Montchalin wrote:
> 

> 
> |Now add the corresponding digits of the n subsequences modulo 10
> |(or the base, if this is not 10), resulting in a digit sequence
> |which we call R.
> 
> You mean 'concatenate' rather than 'add?'  What you've got after going
> this far is a long series of digits that 'appear' random.
> 
> |Questions: Can we do any inference on R? If yes, how does the
> |complexity of the task increase with n?
> 
> We need another variable in there somewhere.  You mentioned indices
> originating at "any arbitrary chosen position."  How about using a(1)
> through a(z) to represent the positions into pi that we must go before
> arriving at an appropriate index?
> 
> For instance, let us suppose that
> 
>    a(1)  means 1 digit into pi
>    a(2)  means 3 digits into pi
>    a(3)  means 5 digits into pi
> 
> and we want a section of pi that is 4 digits long, starting at those
> indices?  And concatenating those sections, we've got a number that
> looks pretty random, don't we?  But the fact is, there are going to
> be a bunch of overlaps, and the overlaps won't become immediately
> apparent unless somebody tells you what a(1) through a(z) are, and just
> which irrational number we are using?  In short, we could use any
> irrational number, not just pi?

I wrote 'add' and meant really 'add', never 'concatenate'! The sum
obtained is reduced modulo the base. I suppose I have explained the
subsequences very clearly. These are digits starting from the n
chosen starting points. All the n digits at the n starting points
are added modulo the base to become the first digit of R. Then
all the next n digits are added modulo the base to become the
second digit of R, and so on. (I wonder how you read out 
'concatenation' from my post.)

M. K. Shen
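
The construction exactly as restated above, as an added example that is not part of the thread: the i-th digit of R is the digit-wise sum, modulo the base, of the i-th digits of the n subsequences. It assumes a hard-coded table of the leading 3 and first 200 decimals of pi in place of the digit-extraction algorithm the thread refers to, and the names `keystream`, `encrypt`, `decrypt`, `candidate_start_sets` and `search_space` are chosen here. The brute-force count shows, on the same toy table, Corbit's sliding-window observation for n = 1 and the growth of the candidate set with n that the post above calls a combinatorial explosion.

```python
from itertools import combinations_with_replacement
from math import comb

# Constructed digit table: the leading 3 and the first 200 decimals of pi,
# hard-coded instead of being computed from an arbitrary position as the
# thread assumes.  Position 0 is the digit 3.
PI_DIGITS = "3" + "".join([
    "1415926535", "8979323846", "2643383279", "5028841971", "6939937510",
    "5820974944", "5923078164", "0628620899", "8628034825", "3421170679",
    "8214808651", "3282306647", "0938446095", "5058223172", "5359408128",
    "4811174502", "8410270193", "8521105559", "6446229489", "5493038196",
])


def keystream(starts, length, digits=PI_DIGITS, base=10):
    """Shen's R: the i-th digit is the sum of the i-th digits of all n
    subsequences, reduced modulo the base (a digit-wise sum, not a
    concatenation)."""
    if any(s + length > len(digits) for s in starts):
        raise ValueError("digit table too short for these start positions")
    return "".join(
        str(sum(int(digits[s + i]) for s in starts) % base) for i in range(length)
    )


def encrypt(plain_digits, starts, base=10):
    """Add R digit-wise to a decimal plaintext."""
    r = keystream(starts, len(plain_digits), base=base)
    return "".join(str((int(p) + int(k)) % base) for p, k in zip(plain_digits, r))


def decrypt(cipher_digits, starts, base=10):
    """Subtract R digit-wise; the receiver only needs the n start positions."""
    r = keystream(starts, len(cipher_digits), base=base)
    return "".join(str((int(c) - int(k)) % base) for c, k in zip(cipher_digits, r))


def candidate_start_sets(segment, n, digits=PI_DIGITS, base=10):
    """Brute force over the known digit table: every multiset of n start
    positions whose R reproduces a recovered keystream segment.  For n = 1
    this is Corbit's 'slide a segment along until it fits'."""
    length = len(segment)
    positions = range(len(digits) - length + 1)
    return [
        starts for starts in combinations_with_replacement(positions, n)
        if keystream(starts, length, digits, base) == segment
    ]


def search_space(n, segment_length, table_length):
    """Number of start-position multisets the brute force must try; it grows
    roughly as table_length**n / n!, the growth with n that Shen refers to."""
    positions = table_length - segment_length + 1
    return comb(positions + n - 1, n)


if __name__ == "__main__":
    starts = [6, 50]                          # constructed secret start positions
    ct = encrypt("20291227", starts)
    print(ct, decrypt(ct, starts))
    print(candidate_start_sets(keystream([6], 8), 1))         # n = 1: found at once
    for n in (1, 2, 3):
        print(n, search_space(n, 8, len(PI_DIGITS)))
```

With a known-plaintext segment of eight digits and n = 1 the single start position is recovered by one pass over the table; with n = 2 the same search has to try about 19 000 position pairs on this 201-digit table, and n = 3 over a million, which is the trade-off the two posts above are arguing about. The count assumes the attacker holds the digit table out to the positions in use, which is Corbit's point about well-known digits.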

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Why doesn't RSA use n=pqr ? (was Re: Are PGP primes truly verifiable?)
Date: Mon, 27 Dec 1999 21:41:32 GMT

Craig Clapp wrote:
[...]
> can anyone explain the reason that it is not standard practice for
> an RSA modulus to be the product of three primes, p, q, r, since this
> would allow more efficient decryption than the two-prime case when
> using the Chinese Remainder Theorem?

I think the answer is mostly tradition, and that
multi-prime RSA is now a good idea.  In addition
to gaining a modest constant factor in speed, it
can extend the life of RSA hardware based on
large-register adders.

--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.
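
An added worked example for the exchange above (written for this digest, not code from any poster): a three-prime RSA key with n = pqr, the private exponent taken modulo LCM(p-1, q-1, r-1) as Clapp's correction states it, and decryption both as one full-size exponentiation and via the Chinese Remainder Theorem with one small exponentiation per prime plus Garner recombination, which is the efficiency argument in the quoted question. The primes are constructed demo values (well-known 30-bit primes, far too small for real use); the primality check is a fixed-base Miller-Rabin test, and the names `is_probable_prime`, `carmichael`, `keygen`, `decrypt_plain` and `decrypt_crt` are chosen here.

```python
from functools import reduce
from math import gcd

E = 65537

# Constructed demo primes: well-known 30-bit primes, far too small for real use.
DEMO_PRIMES = [1_000_000_007, 998_244_353, 1_000_000_009]

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below about 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def lcm(a, b):
    return a * b // gcd(a, b)


def carmichael(primes):
    """lambda(n) = LCM(p - 1 over all prime factors p), the maximum order of an
    element mod n; for three factors that is LCM(p-1, q-1, r-1)."""
    return reduce(lcm, (p - 1 for p in primes))


def keygen(primes, e=E):
    """Multi-prime RSA key from any number of distinct primes."""
    if len(set(primes)) != len(primes) or not all(is_probable_prime(p) for p in primes):
        raise ValueError("factors must be distinct primes")
    lam = carmichael(primes)
    if gcd(e, lam) != 1:
        raise ValueError("e must be invertible mod lambda(n)")
    n = reduce(lambda a, b: a * b, primes)
    d = pow(e, -1, lam)          # private exponent (Python 3.8+ modular inverse)
    return (n, e), (primes, d)


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt_plain(priv, c):
    """One full-size exponentiation mod n."""
    primes, d = priv
    n = reduce(lambda a, b: a * b, primes)
    return pow(c, d, n)


def decrypt_crt(priv, c):
    """One exponentiation per prime factor with a reduced exponent, then
    Garner recombination.  Three factors of n/3 bits each cost less than two
    of n/2 bits, which is the speed argument for n = pqr."""
    primes, d = priv
    x, modulus = 0, 1
    for p in primes:
        r = pow(c % p, d % (p - 1), p)
        h = ((r - x) * pow(modulus, -1, p)) % p
        x += modulus * h
        modulus *= p
    return x


if __name__ == "__main__":
    pub, priv = keygen(DEMO_PRIMES)
    m = 123456789012345678              # constructed message, must be below n
    c = encrypt(pub, m)
    print(decrypt_plain(priv, c) == m, decrypt_crt(priv, c) == m)
```

The CRT path must hold every prime factor, so the private key here is the factor list plus d; any implementation that exposes a timing or fault difference between the per-prime exponentiations leaks those factors just as it does in the two-prime case, so the speed gain does not change what has to be protected.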

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto
Subject: Re: Are PGP primes truly verifiable?
Date: Mon, 27 Dec 1999 21:52:33 GMT

Greg  wrote:

> [...] if
> p and q are made up of factors that are each about 100 or less
> bits, then the attack is feasible?  Is that not answering
> my original question as, "yes, IFC cannot guarantee the level
> of security it is advertised to provide"?

It is no such answer.  Provable primes are practical
to generate, and the only reason people don't bother
is that there's no real chance of the probabilistic
generators failing.

> My point is that I do not see this or any similar issue
> with ECC.  That was my point all along.

For a given curve EC keys are cheaper to generate,
but there's no provable safety advantage.

--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
