Cryptography-Digest Digest #806, Volume #10      Wed, 29 Dec 99 12:13:02 EST

Contents:
  Re: Synchronised random number generation for one-time pads ("Joseph Ashwood")
  news about KRYPTOS ("Ferdinando Stehle")
  Re: Factorization of DDD. Better than Montgomery ? (Angel Garcia)
  Re: More idiot "security problems" (Terry Ritter)
  Re: Attacks on a PKI ("Lyal Collins")
  Re: news about KRYPTOS (Frank Gifford)
  Re: Grounds for Optimism (John Savard)
  Re: Attacks on a PKI (Greg)
  Re: Attacks on a PKI (Greg)
  Re: Attacks on a PKI (Greg)
  Re: Attacks on a PKI (Greg)
  Re: HD encryption passphrase cracked! (fungus)
  Re: Attacks on a PKI (Greg)
  Re: Britannica data format? (John Savard)

----------------------------------------------------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Synchronised random number generation for one-time pads
Date: Wed, 29 Dec 1999 00:27:18 -0800

"John E. Gwyn" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

> Guys, please quit referring to an "XOR" encryption method.
> XOR is simply a Boolean operation.  What you mean is "XOR
> with a random key as long as the plaintext".

I was viewing the determination of key as a separate process from encryption,
and given the methods that I am aware of it is typical that the
determination of key is separate from the process of encryption. XOR as I
was using it simply refers to a 1-bit cipher which uses only exclusive-OR
for the encryption. I don't see where it was ambiguous; we were discussing a
specific portion of OTP, and through it stream ciphers.
                Joseph



------------------------------

From: "Ferdinando Stehle" <[EMAIL PROTECTED]>
Subject: news about KRYPTOS
Date: Wed, 29 Dec 1999 10:39:50 GMT

Hi all,

after 3 months of work on my PENTIUM 90MHz,
I may claim that J.Sanborn & E.Scheidt didn't use either of
the two following methods to encode the 97 unsolved chars of KRYPTOS:

- a Vigenere substitution (with keyword up to 12 chars long) followed by a
transposition

- a transposition followed by a Vigenere substitution (with keyword up to 12
chars long)

With "Vigenere substitution" I mean the same one used for the first
part of KRYPTOS: "Between subtle shading...."; with alphabet
KRYPTOSABCDEF....
and with a keyword NO longer than 12 chars.

With "transposition" I mean the same one used in the second part of KRYPTOS:
"Slowly desparatly slowly the remains...."

I've tried every possible transposition (about 10000) for every possible
substitution with key length up to 12 chars (12 included).

Now I'm turning my efforts to trying a rotor machine (Enigma-like)...
...but some questions make me uneasy:

- why waste the entire right side of the sculpture on the Vigenere
table, used only in one third of KRYPTOS?

- why make orthographic errors (despAratly & anythingQ) in the
transpositional part?
  (maybe the errors are meaningful...)

- how are the transposition parameters related to the right side of the
sculpture? Where can hints about the transpositional part be found?
  (for the first part, substitution, you may find an enormous hint on the
right side of the sculpture; but it seems that there are no hints about the
transpositional part and the last 97 unsolved chars..)

regards
  Ferdinando
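As an added example (not from the post), here are the two operations the search above combines, written in Python: a Vigenere over the KRYPTOS keyed alphabet in the K1 convention, where plaintext and key letters are both indexed in the keyed alphabet, and a plain columnar transposition standing in for the sculpture's transposition step (an assumption, since the post does not spell out its parameters), each with its inverse so either pipeline can be run forwards and backwards. The K1 keyword PALIMPSEST used in the self-check is public knowledge about the sculpture, not something stated in the post.

```python
import string


def keyed_alphabet(keyword):
    """Keyword letters first (duplicates dropped), then the rest of A-Z.
    keyed_alphabet("KRYPTOS") -> "KRYPTOSABCDEFGHIJLMNQUVWXZ"."""
    seen = []
    for ch in keyword.upper() + string.ascii_uppercase:
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return "".join(seen)


KRYPTOS_ALPHABET = keyed_alphabet("KRYPTOS")


def vigenere(text, key, decrypt=False, alphabet=KRYPTOS_ALPHABET):
    """Vigenere over a keyed alphabet, K1 convention: plaintext and key
    letters are both indexed in the keyed alphabet and the cipher letter is
    alphabet[(i_plain + i_key) mod 26]; decryption subtracts instead."""
    letters = [c for c in text.upper() if c.isalpha()]
    n = len(alphabet)
    out = []
    for i, ch in enumerate(letters):
        k = alphabet.index(key[i % len(key)].upper())
        t = alphabet.index(ch)
        out.append(alphabet[(t - k) % n if decrypt else (t + k) % n])
    return "".join(out)


def columnar_encrypt(text, ncols):
    """Write the text row by row into ncols columns, read it out column by column
    (assumed stand-in for the sculpture's transposition; parameters unknown)."""
    return "".join(text[c::ncols] for c in range(ncols))


def columnar_decrypt(cipher, ncols):
    """Invert columnar_encrypt: the first (len % ncols) columns are one longer."""
    nrows, extra = divmod(len(cipher), ncols)
    cols, pos = [], 0
    for c in range(ncols):
        size = nrows + (1 if c < extra else 0)
        cols.append(cipher[pos:pos + size])
        pos += size
    return "".join(cols[c][r] for r in range(nrows + (extra > 0))
                   for c in range(ncols) if r < len(cols[c]))


def sub_then_transpose(plain, key, ncols):
    """First pipeline the post searched: keyed Vigenere, then transposition."""
    return columnar_encrypt(vigenere(plain, key), ncols)


def undo_sub_then_transpose(cipher, key, ncols):
    return vigenere(columnar_decrypt(cipher, ncols), key, decrypt=True)


def transpose_then_sub(plain, key, ncols):
    """Second pipeline the post searched: transposition, then keyed Vigenere."""
    letters = "".join(c for c in plain.upper() if c.isalpha())
    return vigenere(columnar_encrypt(letters, ncols), key)


def undo_transpose_then_sub(cipher, key, ncols):
    return columnar_decrypt(vigenere(cipher, key, decrypt=True), ncols)


if __name__ == "__main__":
    # Self-check against the opening of K1: ciphertext EMUFPHZLRF, key PALIMPSEST.
    print(vigenere("EMUFPHZLRF", "PALIMPSEST", decrypt=True))  # BETWEENSUB
```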






------------------------------

From: [EMAIL PROTECTED] (Angel Garcia)
Crossposted-To: sci.math,sci.math.num-analysis,sci.math.symbolic
Subject: Re: Factorization of DDD. Better than Montgomery ?
Date: 29 Dec 1999 11:43:29 GMT
Reply-To: [EMAIL PROTECTED] (Angel Garcia)


Angel Garcia ([EMAIL PROTECTED]) writes:
> Is there something not quite tight in Montgomery's analysis? (see end).

 I don't see anything wrong or incomplete in such outstanding 10 lines:

>  On 20oct1996 P.L. Montgomery wrote:
> ----------------------------------------------------
>>         Let p be a prime divisor of 10^2997 - 1.
>> By Fermat's little theorem, p divides 10^(p-1) - 1.
>> Therefore p divides 10^g - 1, where g = GCD(2997, p-1).
>>         This g is a divisor of 2997, and must be
>> 1, 3, 9, 27, 37, 81, 111, 333, 999, or 2997.
>> If g is less or = 111, then complete factorization of 10^g - 1 is known,
>> so p is one of the known factors.
>>         If instead g> 111, then g = 333, 999, or 2997. 
>> In all three cases, 333 divides g, which in turn divides p-1. 
>> Therefore p ==1 (mod 333).  Since p must be odd, p==1 (mod 666).
> -------------------------------------------------------     
> Update (to december-1999) of all divisors of
> DDD = (10^2997 - 1)/999^2 which are currently known:
> 
> The 21 known prime divisors:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> d1=163         d8=96455449 
> d2=757         d9=247629013
> d3=1999        d10=94879787239
> d4=9397        d11=427437692443
> d5=333667      d12=4547142218089 
> d6=2028119     d13=440334654777631
> d7=2462401     d14=676421558270641
> 
> d15=30557051518647307
> d16=471148486301963562067
> d17=2212394296770203368013
> d18=8845981170865629119271997
> d19=130654897808007778425046117
> d20=90077814396055017938257237117
> d21=2503678796850536532770633167883644999 
> 
> The 3 remaining composite divisors of number DDD:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> c172 = 413675795050035182921527389826433077927
>        965773018028997106269613352510197114865
>        757662216762940527807114651153538350890
>        786884982550265506580180350896179391256
>        6261290961976951      (R. Brent)
etc.

> Prof. Montgomery's analysis shows furthermore that all remaining primes are
> either divisors of 10^333-1, of 10^999-1, or others; which respectively
> correspond to remaining 3 composites: c172 of R.P. Brent and those
> two (still untouched, c634 and c1900) of A.K. Lenstra. Brent has (1996)
.....
> DDD. The reason for our urgency is related to the fact that MAY BE  primes
> of the form n*666 +1  (with n=integer not divisible by 3) are still hidden
> in DDD (precisely inside above 172-composite of Brent). 
> Once such 666-primes are found all remaining primes for
> millennia of the future will be of the form:
> p= n*1998 + 1 (n=integer); which would make very famous our century 1999 !.
.....
> In other words the c172 composite has 2, 3, 4, 5 or may be 6 primes still
> hidden in it (nobody knows how many !, that's the beauty of it); 
> ALL these are of the form n*666+1 with n NOT BEING NECESSARILY a multiple 
> of 3; 
> ----------------
> 
> HOWEVER:
> Now I have been looking to the 21 known primes of DDD and it turns out that
> only p = d3,d5,d8,d10,d11,d12,d16,d20,d21   are of the Montgomery's form: 
> p = n*666 + 1; but ALL these are also of the broader form p=n*1998 + 1
> 
> Therefore MAY BE, just may be, ALL remaining primes inside c172 are
> already of the broader form p=n*1998 + 1 and consequently the
> XX century FACE of number-analysis is saved even without factorization
> of the Brent composite c172 .
> Is there a GAP in Montgomery's theorem (above)? Can somebody prove
> that all primes of N333 = (10^333 -1) are of the form p = n*1998 + 1
> and not merely of the Montgomery form p = n*666 + 1 ?

OK. I revised very carefully the 10 lines above of Montgomery's theorem
and I am totally confident that there is no GAP in them.
Thus the FACT that all so far known primes of DDD are NOT of the
Montgomery type:
  p = 666*n + 1   with n NOT divisible by 3  (or 'beast type', say)

does NOT imply that such a sacred BEAST is still not hidden in the
only simple composite c172. Even twice or thrice or more!
It is certainly true that after all primes of c172 are known then
FOR SURE all remaining primes of DDD will be of the century form:

p = 1998*n + 1   and no more 'beasts' anymore.

But so far we don't know whether DDD contains any prime of the
'beast type' above. We will know ONLY when c172 becomes fully factored.


--
Angel, secretary of Universitas Americae (UNIAM). His proof of ETI at
Cydonia and index of book "TETET-98: Generacion del Hombre en Marte" by Prof.
Dr. D.G. Lahoz (leader on ETI and Cosmogony) can be studied at URL:
     http://www.ncf.carleton.ca/~bp887    ***************************
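As an added worked check (not part of the digest), the following Python applies Montgomery's argument to the 21 known prime divisors d1..d21 listed in the post: it computes g = GCD(2997, p-1), verifies p | 10^g - 1 by modular exponentiation, and sorts the primes into Montgomery's 'beast' form 666n+1 and the narrower 'century' form 1998n+1 that the post asks about. It also lists the residue classes mod 1998 that a beast prime would have to fall into to escape the century form, which is exactly what Montgomery's theorem leaves undecided.

```python
from math import gcd

# The 21 known prime divisors d1..d21 of DDD = (10^2997 - 1)/999^2,
# transcribed from the post above.
KNOWN_PRIMES = [
    163, 757, 1999, 9397, 333667, 2028119, 2462401,
    96455449, 247629013, 94879787239, 427437692443, 4547142218089,
    440334654777631, 676421558270641, 30557051518647307,
    471148486301963562067, 2212394296770203368013,
    8845981170865629119271997, 130654897808007778425046117,
    90077814396055017938257237117,
    2503678796850536532770633167883644999,
]

# 2997 = 3^4 * 37, so g = GCD(2997, p-1) is always one of these ten values.
DIVISORS_OF_2997 = (1, 3, 9, 27, 37, 81, 111, 333, 999, 2997)


def montgomery_g(p):
    """Fermat gives p | 10^(p-1) - 1 and by hypothesis p | 10^2997 - 1, so
    p | 10^g - 1 with g = GCD(2997, p-1). Note g is a multiple of the order
    of 10 mod p, not necessarily the order itself."""
    return gcd(2997, p - 1)


def divides_10g_minus_1(p):
    """p | 10^g - 1  <=>  10^g == 1 (mod p); pow() avoids building 10^g."""
    return pow(10, montgomery_g(p), p) == 1


def is_beast_type(p):
    """Montgomery's conclusion for g > 111: 333 | p-1 and p odd, so p = 666n + 1."""
    return p % 666 == 1


def is_century_type(p):
    """The narrower form p = 1998n + 1 (i.e. also 27 | p-1) the post asks about."""
    return p % 1998 == 1


def beast_indices(primes=KNOWN_PRIMES):
    """1-based indices i of the known primes d_i that are of the form 666n + 1."""
    return [i for i, p in enumerate(primes, start=1) if is_beast_type(p)]


def beasts_not_century(primes=KNOWN_PRIMES):
    """Known primes of the form 666n + 1 that are NOT of the form 1998n + 1.
    An empty list is the observation the post makes about d3, d5, d8, ..."""
    return [p for p in primes if is_beast_type(p) and not is_century_type(p)]


def non_century_beast_residues():
    """Residues mod 1998 with p == 1 (mod 666) but p != 1 (mod 1998): the
    classes Montgomery's theorem does not exclude for a prime hidden in c172."""
    return [r for r in range(1998) if r % 666 == 1 and r != 1]


def report(primes=KNOWN_PRIMES):
    """One row per known prime: (index, p, g, p|10^g-1, beast?, century?)."""
    rows = []
    for i, p in enumerate(primes, start=1):
        g = montgomery_g(p)
        assert g in DIVISORS_OF_2997
        rows.append((i, p, g, divides_10g_minus_1(p),
                     is_beast_type(p), is_century_type(p)))
    return rows


if __name__ == "__main__":
    for i, p, g, ok, beast, century in report():
        print(f"d{i:<2} g={g:<4} p|10^g-1={ok!s:<5} "
              f"666n+1={beast!s:<5} 1998n+1={century}")
    print("beast primes not of century form:", beasts_not_century())
    print("residues mod 1998 still open:", non_century_beast_residues())
```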

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: More idiot "security problems"
Date: Wed, 29 Dec 1999 13:10:07 GMT


On Tue, 28 Dec 1999 16:07:20 -0000, in
<84an5g$p3a$[EMAIL PROTECTED]>, in sci.crypt "Brian Gladman"
<[EMAIL PROTECTED]> wrote:

>"CLSV" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...

>[...]
>You are right - I was being loose with definitions for convenience.  But use
>any definition you wish (all now, all now and in the past, all past, present
>and future,...) consistently and there is still a conclusion that I would
>not trust as valid.
>
>I suspect the rule is already too general and should refer to 'design'
>rather than 'create' as you suggested in your previous post.  I also suspect
>that there needs to be active involvement of all members of the group in the
>design process.  But these are all problems with the language of the
>original rule.

Personally, I have found it very difficult to write something which
cannot be misunderstood.  Much of what we write depends upon context,
and a reader has their own context (and agenda).  

But "the original rule" was from Schneier:

>>>>A corollary is that: "Anyone can create an encryption algorithm that
>>>>he himself cannot break."

which is specifically restricted to individuals, producing the clear
implication that groups do not have the same limitation.  They do.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: "Lyal Collins" <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Thu, 30 Dec 1999 00:44:26 +1100

Authentication of individuals using PKI is about as strong as the passwords
they use to control access to their private key.

Why not stick to passwords and integrity checking databases, for
non-ecommerce uses?

Lyal


Timothy M. Metzinger wrote in message
<[EMAIL PROTECTED]>...
>In article <83grhk$623$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>(Peter Gutmann) writes:
>
>>That is, without e-commerce as an excuse, PKI vendors will have great
>>difficulty in selling their wares to users because there's so little
>>demonstrable need for them
>
>Huh?
>
>We look forward to PKI for lots of reasons that have nothing to do with
>e-commerce. Just the ability to do away with lots of paper (that we had to
>keep with wet signatures) is useful.
>
>Of course PKI can be valuable for strong authentication of individuals too.
>
>
>Timothy Metzinger
>Private Pilot - ASEL - IA!!!!  AOPA Project Pilot Mentor
>DOD # 1854   '82 Virago 750 - "Siobhan"
>Cessnas, Tampicos, Tobagos, and Trinidads at FDK
>



------------------------------

From: [EMAIL PROTECTED] (Frank Gifford)
Subject: Re: news about KRYPTOS
Date: 29 Dec 1999 08:57:32 -0500

In article <Wxla4.10084$[EMAIL PROTECTED]>,
Ferdinando Stehle <[EMAIL PROTECTED]> wrote:
>- why making orthographic errors (despAratly & anythingQ) in the
>transpositional part ?
>  (maybe the errors are meaningful...)

For something like a sculpture which will last almost forever, I think
the creator would have gone to the trouble to be sure that everything
was just right and there were no errors.

That being the case, the errors that you see are quite probably intentional.
Perhaps the distances between the errors matter - perhaps the letters
themselves are important.  Maybe they indicate the key to use in the next
step.

After all, the sculptor has said that solving the last 97 characters is not 
a full solution to the puzzle.

-Giff

-- 
Too busy for a .sig

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Grounds for Optimism
Date: Wed, 29 Dec 1999 14:26:57 GMT

On Wed, 29 Dec 1999 00:42:54 -0600, "John E. Gwyn"
<[EMAIL PROTECTED]> wrote:

>Basically, very complex designs are more of an annoyance than an
>obstacle.  The most analysis-resistant systems continue to be the
>ones built by analysts who have cracked similar systems and know
>what weaknesses need to be prevented.

I don't deny the truth of such sage advice. I think, though, that
those of us who are not cryptanalysts can still learn from the
publications of those that are. Also, while this is borne out in that
it was the AES entrants with cryptanalytic experience that fared the
best, it is also true that the "best" cryptanalytic experience is,
naturally, locked away in the NSA where we can't get at it.

Hence, my call for doing more in ciphers than we can justify as
necessary. Naturally, care must be taken - and cryptanalysts know how
this is to be done - that any added complexity is not so flawed as to
vitiate the strength of the cipher to which it is added.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Wed, 29 Dec 1999 15:46:22 GMT



I just read one of Bruce's articles thanks to the URL you gave.
It was on the NSA key.  He said:

    Suddenly there's a flurry of press activity because
    someone notices that the second key in Microsoft's
    Crypto API in Windows NT Service Pack 5 is called
    "NSAKEY" in the code. Ah ha! The NSA can sign crypto
    suites. They can use this ability to drop a Trojaned
    crypto suite into your computers. Or so the conspiracy
    theory goes.

    I don't buy it.

    First, if the NSA wanted to compromise Microsoft's
    Crypto API, it would be much easier to either 1) convince
    MS to tell them the secret key for MS's signature key,
    2) get MS to sign an NSA-compromised module, or
    3) install a module other than Crypto API to break
    the encryption (no other modules need signatures).
    It's always easier to break good encryption by attacking
    the random number generator than it is to brute-force the
    key.

Now I know that Bruce is almost a God to some, and is a God
to others.  That is their problem, not mine.  Bruce has
fallen from any grace he had with me on these statements.
Everything he said is correct, but he is forming an assumption
as a result of his statements that is not a logical conclusion.

CLEARLY, Microsoft could have given NSA a key of their own
and he is discounting this as a non-option.  Clearly that is
what this key is about, regardless of why it is there.
Clearly, this is no spare.  It belongs to someone and the
name was left attached to it one day for all of us to see
who it belonged to.  You have to be blind and dumb not to
notice.


--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Wed, 29 Dec 1999 16:03:03 GMT


> - having to archive... unless they can _prove_ their
> database and systems admin is top notch for the entire period.

Since you are relying on proving a person's integrity, the
system fails right there.

--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book



------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Wed, 29 Dec 1999 16:00:56 GMT



I was looking at the SSL protocol yesterday and read about how
the man in the middle attack was foiled by a certificate.  And
I asked the question of this newsgroup how IE validates a cert
that a server issues to the client (IE)?  Someone responded and
I searched the "internet options" dialog tab and sure enough,
there was a long list of CAs.  I imagine that IE goes to those
web sites and verifies a cert.

The person that worked for Netscape actually believes that
the cert is useful for this purpose.  However, he forgot that
a man in the middle was the attack being addressed by the cert.
A cert (IMHO) is easily compromised by a man in the middle.

It seems to me that if I (the man in the middle) sit between
the client PC and the internet (a juicy choice of location
for a man in the middle attack), then I can emulate the internet,
including the CAs for any address I desire.  Where does the cert
prove me out? I don't see where, do you?

As far as I am concerned, SSL and certs are financial institution
systems of farce for the ignorant populace.  They rake in huge
amounts of money for doing nothing.  But then, that is what
our system of banking is anyway- rake in huge amounts of
interest (real $$$) for signing a loan document and making most
of the money out of thin air.  I would not expect anything less
from those criminal bastards.

--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book



------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Wed, 29 Dec 1999 16:05:30 GMT


> > I am currently compiling a list of attacks on a PKI, and if you
> > know of any then please post some.
>
> Registering easily-factored or other low-quality keys with the PKI. If
> ppl confuse verifying identity with verifying "key quality" (and how
> many do ? ), then can undermine confidence in the PKI and public key crypto
> in general. Solution seems to be to certify the public keys...


This is not an attack on the PKI, but on the key.  The PKI
would still be just as valid or invalid identifying who the
faulty key belongs to.  That is the supposed purpose of the
PKI.

--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book



------------------------------

From: fungus <[EMAIL PROTECTED]>
Crossposted-To: misc.misc
Subject: Re: HD encryption passphrase cracked!
Date: Wed, 29 Dec 1999 14:23:43 +0100



"John E. Kuslich" wrote:
> 
> thus instantaneously vaporizing the tape as it unspools.
> 
> Seems nobody really trusts a bulk degausser. Maybe there guys
> know something about magnetic media...:--)
> 

Maybe it's just good old fashioned paranoia by the pointy
haired bosses.


-- 
<\___/>
/ O O \
\_____/  FTB.


------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Wed, 29 Dec 1999 16:18:36 GMT


> Even if your PKI is just a matter of
> storing the public keys in a personal database,

Then it is not PKI, but a personal database of keys.

> The next step is to do this indirectly, and to delegate
> this certification authority to someone else's key.

That is where the whole thing falls apart.  Now you go
from trusting your private key to a person you have never
met who could be bribed, intimidated (yes, even by the government),
or criminally inclined.  I would prefer to trust only my
private key.


> This has the advantages that a much larger number of
> people's keys can be certified, as the certification
> authority can specialize in this task.

This is no advantage at all- it is just an illusion.

> The disadvantage is that you now must trust this other entity

You just proved my point in the line above.  Trusting any
other person violates the whole concept of a private key.

> so there is nothing particularly revolutionary in extending
> such trust to a key infrastructure.

Except it is being pushed by financial institutions.


> As for the comments that the effort to maintain PKI security is as
> great as keeping shared secret keys, the difference is

The difference is that it is an illusion and has no value.

> But in general, modification attacks tend to be more
> expensive than access attacks, and PKC gives you much
> more value than shared secret keys.

Once you successfully develop the software to sit on a laptop
that will emulate all of the CAs, you can sit between any
person's home PC and their ISP and emulate those CAs for their
browser.  Then when they go to a secured web site using SSL,
you can successfully sit in the middle and see everything.
You don't need to break their ciphers.

What makes this possible?  PKI.  What is the cost?  One-time
development of such software and the hardware to get in the
middle of the connection.  What is the payoff?  You have to
find a list of targets that can easily be hit that use
any form of e-commerce and get their credit cards, SS#, etc.

I would estimate the software could be developed in 6 months.
It really is not that difficult.  Just tedious development.

--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book



------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Britannica data format?
Date: Wed, 29 Dec 1999 09:40:18 GMT

Jim Gillogly <[EMAIL PROTECTED]> wrote, in part:

>I note that the data is prejudiced toward 0-bits, suggesting it's not
>one of the most aggressive compression algorithms.

That's interesting, since the Britannica CD has one of those
"Protected by RSA" trademarks on it, so I would have thought the
compressed data would be RC4-encrypted. (Maybe the index to the
database, at least, is encrypted.)

Probably the existence of a bias explains what is being done to allow
random access: the text is likely compressed independently in the same
small pieces that it can be accessed in.

John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
