Cryptography-Digest Digest #811, Volume #10 Thu, 30 Dec 99 05:13:01 EST
Contents:
Re: Data Encryption in Applet? (David Hopwood)
Re: Questions about message digest functions (David Hopwood)
Re: Ellison/Schneier article on Risks of PKI (David Hopwood)
Re: Attacks on a PKI (David A Molnar)
Re: Homophones (wtshaw)
Re: Grounds for Optimism (wtshaw)
New Stream Algo - Software to prove a point (to me!) (Raddatz Peter)
Re: Homophones (Mok-Kong Shen)
Re: Employing digits of pi (Mok-Kong Shen)
cryptography website(dutch)!!!!! ("Red Shadow")
Re: Factorization of DDD. Better than Montgomery ? (Angel Garcia)
Re: Enigma (Mok-Kong Shen)
----------------------------------------------------------------------------
Date: Thu, 30 Dec 1999 03:39:21 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: comp.lang.java.security,microsoft.public.java.security,comp.lang.java.programmer
Subject: Re: Data Encryption in Applet?
-----BEGIN PGP SIGNED MESSAGE-----
"Law Wun Suen, Brian" wrote:
>
> Tim Wood wrote:
>
> > wrote in message <[EMAIL PROTECTED]>...
> > >Hi
> > >
> > >I am looking for a way to encrypt data through an applet using symmetric
> > >(or asymmetric) encryption. I thought of sending an applet containing a
> > >symmetric key to a client.
> >
> > How? If the symmetric key is not encrypted when you send it, it could be
> > intercepted and used to read the, client side encrypted, data.
>
> I think if the application has to consider performance, it is better
> to use both (symmetric and asymmetric) encryption together. It really looks
> like how SSL works. You generate a random key (secret key) for the
> symmetric encryption and encrypt this secret key with your own private
> key. The client program receives the key and decrypts it with the public key.
> Then use that secret key for that session's communication.
This is no more secure than sending the applet containing a symmetric key.
If the applet can decrypt the key, so can an eavesdropper who decompiles
the applet.
Using SSL (both to load the applet and to send data back to the site) would
solve this problem, *provided* you trust that the browser root CAs will only
sign certificates from legitimate site owners, that include the correct
domain name.
(The user can, at least in principle, tell that a man-in-the-middle attack
has not occurred by looking at the site certificate. Unfortunately most
users don't look at this certificate, so the actual level of security
against active attacks is somewhat dubious. It should be secure against
passive attacks, though.)
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBOGrPDjkCAxeYt5gVAQEvTQgAuJSXL3cFbU/Uvwmgrnca2r2+7b7WIQMW
Ncs6r/yMm2A8r2kLoPFwmUINgyLbin/i4mM+qJf7OhHr3mKhGU+mXlUDEune34Zy
ws9OKNa4rymQfOZh3qhVh+mf6qeCnl1U9d/Nd9Hn/nvHB8O0oj/WdhwlbHkTslAj
ry5J0/ANo9+SC05YaPCsKL5InHeMveUft2Tv0y6RWCTrwnGVX4zMoP68Iyw+vhT1
8mkgtNllFH8JUrVItROyKX0eB5T+9vOqB1tWmrZeBsap/b0MBAW54VRee3tztDuK
C/byEcIDCWgHz32Nn56rQMpRSC7Id6TwJN78XMBiGjSZOrfmMoh/+A==
=DmHD
-----END PGP SIGNATURE-----
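The key-wrapping scheme quoted in this message, worked through as an added example that is not part of the original post and is not any poster's code. Textbook RSA with tiny constructed parameters (p = 61, q = 53, e = 17, d = 2753) stands in for the server's key pair, and the SHIPPED_APPLET dictionary is a hypothetical stand-in for the bytes the browser downloads. What it shows is Hopwood's point: whatever the applet can compute after download, an eavesdropper holding the same bytes can compute too, so "encrypting" with the private key hides nothing.

```python
"""Why 'encrypt the session key with the server's private key and let the
applet decrypt it with the public key' gives no confidentiality.

Added example for this thread (not code from any poster).  Textbook RSA with
tiny constructed parameters stands in for the real key pair; the argument
does not depend on key size.
"""

P, Q = 61, 53
N_MOD = P * Q            # 3233
E_PUB = 17               # public exponent
D_PRIV = 2753            # E_PUB * D_PRIV == 1 (mod (P-1)*(Q-1))


def wrap_with_private_key(session_key: int) -> int:
    """Server side, as proposed in the thread: 'encrypt' the fresh symmetric
    key with the server's private exponent.  This is a raw RSA signature,
    not encryption: anyone holding the public key can undo it."""
    assert 0 < session_key < N_MOD
    return pow(session_key, D_PRIV, N_MOD)


def unwrap_with_public_key(wrapped: int, public_key: tuple) -> int:
    """Undo the wrapping with (e, n)."""
    e, n = public_key
    return pow(wrapped, e, n)


# Whatever the applet needs in order to recover the key must be shipped to the
# browser inside the applet itself.  Hypothetical representation of that payload.
SHIPPED_APPLET = {"public_key": (E_PUB, N_MOD)}


def applet_recovers(wrapped: int) -> int:
    """What the legitimate applet computes after it has been downloaded."""
    return unwrap_with_public_key(wrapped, SHIPPED_APPLET["public_key"])


def eavesdropper_recovers(wrapped: int, decompiled_applet: dict) -> int:
    """The eavesdropper saw the same applet bytes cross the wire; after
    decompiling it, the attacker performs the identical computation."""
    return unwrap_with_public_key(wrapped, decompiled_applet["public_key"])


def demo(session_key: int = 1234) -> bool:
    """True when both the applet and the eavesdropper recover the session key."""
    wrapped = wrap_with_private_key(session_key)
    return (applet_recovers(wrapped) == session_key
            == eavesdropper_recovers(wrapped, SHIPPED_APPLET))


if __name__ == "__main__":
    print("eavesdropper learns the session key:", demo())
```

Swapping the roles (wrap with the client's public key, unwrap with its private key) does not help either: the applet would then have to carry the private key, and the eavesdropper would extract that instead. Only a channel the client authenticates independently of the downloaded code, such as SSL with a verified certificate and matching domain name, breaks this symmetry.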
------------------------------
Date: Thu, 30 Dec 1999 03:40:20 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Questions about message digest functions
-----BEGIN PGP SIGNED MESSAGE-----
Tim Tyler wrote:
>
> In sci.crypt, lordcow77 wrote:
> > <[EMAIL PROTECTED]> wrote:
>
> > > Hash functions may be made from block cyphers.
> > > Block cyphers are reversible. Consequently,
> > > a message hash of a message with the hash
> > > size, the block size and the message size all
> > > equal will be a bijection. [...]
[...]
> > The construction that transforms a block
> > cipher cryptographic primitive into a hash
> > function should destroy the bijectiveness of
> > the block cipher.
This is correct.
> No. You are mistaken.
>
> Consider a common technique of transforming a
> block cypher into a hash:
>
> Apply the block cypher in a chaining mode to
> the message. Take the last block of cyphertext as
> the hash.
I don't know about it being "a common technique", but I
certainly wouldn't use it.
You're presumably using the block cipher with a known
key, K (otherwise it would be a MAC, not a hash). For
concreteness assume CBC as the chaining mode. Suppose the
attacker wants to find a plaintext M' similar to M, which
hashes to a predetermined value R. For this hash he/she
can use M' = M || (D[K](R) XOR H(M)). That doesn't look
like a good property for a hash to have, to me.
> When applied to a single block, this *retains* the
> bijective nature of the block cypher. This
> is, in fact, a useful thing for it to do.
Why? Just because there are no collisions between
messages of a specific length, doesn't mean that it is
difficult to find collisions between messages of that
length and a different length. I can't think of many
applications where this limited form of collision-freedom
would gain you anything.
> > A hash function should be indistinguishable from
> > a random function, not a random permutation.
>
> No. You are mistaken.
>
> No hash function should *ever* be
> indistinguishable from a random function.
>
> If it /does/ have the characteristics of a random
> function, this means hash collisions are more likely
> to occur - and consequently easier to find - than
> they could be.
>
> The whole point of hashing is to make finding hash
> collisions as difficult as possible.
No it isn't. "lordcow77" is perfectly correct; a hash should
approximate a PRF (Pseudo Random Function). Also, there are
other desirable properties of a hash than collision resistance
(notably pre-image and 2nd pre-image resistance).
If for some application we needed a function that, when applied
to fixed-length inputs, *cannot* result in collisions, we should
use a PRP, not a hash.
[...]
> Can you remember how you arrived at the mistaken
> idea that hashes should simulate random functions?
>
> Has anyone else apart from you ever claimed this?
See, for example:
M. Bellare and P. Rogaway,
"Random Oracles are practical: a paradigm for designing efficient
protocols",
1st ACM Conference on Computer and Communications Security,
62-73, ACM Press, 1993.
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBOGrN5DkCAxeYt5gVAQGUeggAhST//vpr8xDymYe+NlxjwY9HvRfQMt9T
1rMDkNMVwpADXGmnUIZ/7egptDBkc26ixHRZbkhQAc+Vi2N8Mg/3T6Z//IgKRFJz
3xf88SYxW958ztBH9/JmcvQskyBWq8EKSEZVqCxlyZLioi6UZ2hJQEYzXF2y4uQZ
KLU1xF/Gq5/7nLVij5ejEVdCwxbN41fao54oKh81b4GYlYcWBl0iu0r8+TLq9MBR
X7i0UFaOZzaeBWkRCnSFoRBmduUnrhr8sJCi2K0PgwaSG5YvarODAn6ii8bFF8K4
qzWvKk9BucFXmiXh3tuqrkbSyFEMeEBEhxMK+jPtdaNH+jrjHAZYIQ==
=1UpT
-----END PGP SIGNATURE-----
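The CBC-based "hash" and the forgery M' = M || (D_K(R) XOR H(M)) from this message, as an added example that is not part of the original post. The block cipher is a toy 8-round, 64-bit Feistel network with a SHA-256 round function (an assumption, chosen so that the code runs on the Python standard library alone; any keyed permutation behaves the same way), the chaining mode is CBC with a zero IV, and the known key K is the constant PUBLIC_KEY. It also shows the single-block bijection Tim Tyler refers to, and why it buys nothing once messages of different lengths are allowed.

```python
"""A 'hash' built as CBC encryption under a known key, last ciphertext block
as output, and Hopwood's one-block forgery against it.

Added example for this digest entry; not code from the original post.  The
block cipher is a hypothetical 8-round Feistel network whose round function
is SHA-256 (an assumption so the example needs only the standard library).
"""
import hashlib

BLOCK = 8                     # 64-bit blocks
ROUNDS = 8
PUBLIC_KEY = b"known-key-K"   # the 'hash' has no secret: K is a public constant


def _f(key: bytes, half: bytes, rnd: int) -> int:
    """Feistel round function: 32-bit value derived from key, round, half."""
    digest = hashlib.sha256(key + bytes([rnd]) + half).digest()
    return int.from_bytes(digest[:4], "big")


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """E_K: 8 Feistel rounds, (L, R) -> (R, L ^ f(R))."""
    assert len(block) == BLOCK
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, right.to_bytes(4, "big"), rnd)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """D_K: the same rounds in reverse, (L, R) -> (R ^ f(L), L)."""
    assert len(block) == BLOCK
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, left.to_bytes(4, "big"), rnd), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_hash(key: bytes, msg: bytes) -> bytes:
    """The construction under discussion: CBC-encrypt msg under the known key
    with a zero IV and output the last ciphertext block.  Whole blocks only,
    so no padding rule masks the length extension below."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    chain = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        chain = encrypt_block(key, _xor(chain, msg[i:i + BLOCK]))
    return chain


def forge_suffix(key: bytes, msg: bytes, target: bytes) -> bytes:
    """Hopwood's attack: M' = M || (D_K(R) XOR H(M)) satisfies H(M') = R,
    because the last CBC step computes E_K(H(M) XOR D_K(R) XOR H(M))."""
    extra = _xor(decrypt_block(key, target), cbc_hash(key, msg))
    return msg + extra


def single_block_is_bijective(key: bytes, count: int = 256) -> bool:
    """For one-block inputs the 'hash' is just E_K, a permutation, so there
    are no collisions among inputs of that one length."""
    digests = {cbc_hash(key, i.to_bytes(BLOCK, "big")) for i in range(count)}
    return len(digests) == count


if __name__ == "__main__":
    m = b"attack at dawn!!"                  # constructed 16-byte sample
    r = bytes.fromhex("deadbeefcafef00d")    # attacker's chosen target digest
    m2 = forge_suffix(PUBLIC_KEY, m, r)
    print(m2.startswith(m), cbc_hash(PUBLIC_KEY, m2) == r)
```

The forgery is a second-preimage for any chosen target, which is exactly the property a hash must not have; choosing target = H(M1) for some one-block M1 yields a two-block collision with it, so the bijection on single blocks buys nothing. A secret key turns the same construction into CBC-MAC, where D_K is unavailable to the attacker; that is the distinction the message draws between a MAC and a hash.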
------------------------------
Date: Thu, 30 Dec 1999 03:40:33 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Ellison/Schneier article on Risks of PKI
-----BEGIN PGP SIGNED MESSAGE-----
Tim Wood wrote:
>
> I have found that you can enter a trusted root authority into Internet
> Explorer by simply adjusting the NT System Registry at
>
> HKEY_CURRENT_USER/Software/Microsoft/SystemCertificates/Root/Certificates
> ...
> then the fingerprint of the certificate.
The default registry permissions in NT Workstation are a joke. It's not
just CryptoAPI; effectively any process with INTERACTIVE permissions
(i.e. anything running in a login session, including such things as
ActiveX controls and code that runs as a result of buffer overflows,
Java exploits, macro viruses, etc.) is allowed to do anything it likes.
In general, you should assume that NT provides no more security than
Win95/98, and that this is never likely to improve (the problems have
actually got considerably worse since 3.51, and are now deeply embedded
in the design).
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBOGrIHTkCAxeYt5gVAQH+ewf/doBIpn8CxZgmU/zihtQhzvXmvE4OiUo/
3vYsmFG9HxbdI358qNfWmRmvmpk+YrtfOSUIr7zKm6hYKokDqCJPq1LzXHcKrwuR
oHYmws9DOmEgAzCw/3Zig7xWfwrhubcqzIFq9N1dBTiClwfqOJkGRYD+oqshk/hi
eLv4KOt3J/rmF7BbUfOPaYHu7C7r6e10Xfs/Wzjx3LSgKQ3XAO5+4ilO35TGiSXN
k6V2zZmhlE7pQBPEmh08R50qwIYdtqwKrSuAChPvJmtGU8J9/hYdHkuKLFsTMId1
2OpSqvaSvtJZsFXpG2KUzti6husuvXwkWByf4wDC4IWMkQ1X23POoA==
=2d7M
-----END PGP SIGNATURE-----
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: 30 Dec 1999 05:03:54 GMT
Greg <[EMAIL PROTECTED]> wrote:
> SSL can take care of this. I am just surprised that it relies
> on a database local to IE. That seems like a truly weak link.
Relying on a local database means no need to verify a site certificate
online -- so the attack you originally proposed does not apply. Your
original attack required only the ability to act as a man in the middle.
The attack of "replace IE's local database" requires write access to
the victim's hard drive. I think that is harder than acting as a man in
the middle, and so using a local database seems like a good idea.
Maybe you are dealing with an adversary who can write to your HD...but
then you have more pressing problems to deal with than evil CA certs.
I don't know in general how IE updates its list of CAs and notices
revoked keys. I do know that you can convince IE to take a new CA key
with enough effort. It's not the kind of thing you could lightly convince
a user to do.
-David
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Homophones
Date: Thu, 30 Dec 1999 00:34:55 -0600
In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
...
> From what you wrote I believe you have much knowledge and experience
> in homophones. If you were not under NDA and could find time to write
> something on that, I think many would be interested to read your
> article and discuss with you.
>
Time depending, I may get to do lots of things I want to do. Lately,
things take longer than normal. I wrote a short article on another
subject in and directly out of the hospital, and I now see it as being
definitely written by a sick person. Reworking is done, but have not
submitted it yet.
There is much to be learned by comparison of simple ciphers as to the
advantage in that primitive over simple substitution...thoughts are
germinating, especially regarding a mathematical model at a most simple
level.
--
Only a little over a year left to go in this century....
Knowing this, figure that a year from now, we will
resale of the hoopla we are getting ready to see now.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Grounds for Optimism
Date: Thu, 30 Dec 1999 01:08:27 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> On Wed, 29 Dec 1999 00:42:54 -0600, "John E. Gwyn"
> <[EMAIL PROTECTED]> wrote:
>
> >Basically, very complex designs are more of an annoyance than an
> >obstacle. The most analysis-resistant systems continue to be the
> >ones built by analysts who have cracked similar systems and know
> >what weaknesses need to be prevented.
>
> I don't deny the truth of such sage advice. I think, though, that
> those of us who are not cryptanalysts can still learn from the
> publications of those that are. Also, while this is borne out in that
> it was the AES entrants with cryptanalytic experience that fared the
> best, it is also true that the "best" cryptanalytic experience is,
> naturally, locked away in the NSA where we can't get at it.
Consider the mechanism of *winning*, in which the mainstream of the
design is coaxed to stay in a well-known groove. Favorites are surely
those that follow concepts familiar to those that appraise their worth,
dumb mistakes notwithstanding. The sample is very small, but this may
still indicate a possible prejudice for the status quo anyway. Reality
often yields too few data points to give a statistician something that can
be judged as biased or not.
>
> Hence, my call for doing more in ciphers than we can justify as
> necessary. Naturally, care must be taken - and cryptanalysts know how
> this is to be done - that any added complexity is not so flawed as to
> vitiate the strength of the cipher to which it is added.
>
Many of us seek to define AES as just a search for a predetermined goal in
a cipher, not necessarily the best cipher, which might not meet the same
criteria. Surely good, new design features could take those in
crackerland by surprise, and are likely to be dismissed in the short term
even by the best pros there.
--
Only a little over a year left to go in this century....
Knowing this, figure that a year from now, we will
resale of the hoopla we are getting ready to see now.
------------------------------
From: Raddatz Peter <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: New Stream Algo - Software to prove a point (to me!)
Date: Wed, 29 Dec 1999 23:28:59 -0800
After posting a few "dumb" questions about MS RNG & Zlib compression
lately I have decided to put it all to the test and have written a
stream cipher algo using MS RNG & Zlib. I think it's very solid but
could be proven wrong. It's written in VB6 so it isn't too fast (I do
~6.6 megs in about 25sec. on my 300 machine), but it'll do for testing.
I don't have a web page and I don't want to be so forward as to just
post it here, but if anybody out there is willing to put this thing
through its paces and prove me wrong on MS RNG & Zlib, please send me an
e-mail or post your interest here and I'll gladly send you a progy.
Thx... Peter Rabbit
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Homophones
Date: Thu, 30 Dec 1999 10:13:56 +0100
wtshaw wrote:
>
> There is much to be learned by comparison of simple ciphers as to the
> advantage in that primative over simple substitution...thoughts are
> germinating, especially regarding a mathematical model at a most simple
> level.
I appreciate your remark. There is definitely still development
potential in the classical stuff, though on the other hand
there are many 'modern' people who regard it as 'old hat'.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Employing digits of pi
Date: Thu, 30 Dec 1999 10:13:47 +0100
CLSV wrote:
>
> This is a link to a paper that describes the principles
> and practice.
> http://www.counterpane.com/side_channel.html
Thanks. Referring to what you said previously about embedding
attacks in a web server, I would like to take this opportunity to stress
my personal opinion of always distrusting anything in the hands of
third persons, and hence the necessity of always doing all highly
security-relevant computations oneself and using one's own judgement
in the choice of encryption algorithms. In case the transmission
system automatically offers some protection mechanism, fine; I would
use it, but for conservativeness I would not count on it.
M. K. Shen
------------------------------
From: "Red Shadow" <[EMAIL PROTECTED]>
Subject: cryptography website(dutch)!!!!!
Date: Thu, 30 Dec 1999 10:27:21 +0100
check this:
http://home.freegates.be/cryptografie
------------------------------
From: [EMAIL PROTECTED] (Angel Garcia)
Crossposted-To: sci.math,sci.math.num-analysis,sci.math.symbolic
Subject: Re: Factorization of DDD. Better than Montgomery ?
Date: 30 Dec 1999 09:21:20 GMT
Reply-To: [EMAIL PROTECTED] (Angel Garcia)
Angel Garcia ([EMAIL PROTECTED]) writes:
> Angel Garcia ([EMAIL PROTECTED]) writes:
>> Is there something not quite tight in Montgomery's analysis? (see end).
>
> I don't see anything wrong nor incomplete in such outstanding 10 lines:
>
>> On 20oct1996 P.L. Montgomery wrote:
>> ----------------------------------------------------
>>> Let p be a prime divisor of 10^2997 - 1.
>>> By Fermat's little theorem, p divides 10^(p-1) - 1.
>>> Therefore p divides 10^g - 1, where g = GCD(2997, p-1).
>>> This g is a divisor of 2997, and must be
>>> 1, 3, 9, 27, 37, 81, 111, 333, 999, or 2997.
>>> If g is less than or equal to 111, then the complete factorization of 10^g - 1 is known,
>>> so p is one of the known factors.
>>> If instead g> 111, then g = 333, 999, or 2997.
>>> In all three cases, 333 divides g, which in turn divides p-1.
>>> Therefore p == 1 (mod 333). Since p must be odd, p == 1 (mod 666).
>> -------------------------------------------------------
>> Update (to december-1999) of all divisors of
>> DDD = (10^2997 - 1)/999^2 which are currently known:
>>
>> The 21 known prime divisors:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> d1=163 d8=96455449
>> d2=757 d9=247629013
>> d3=1999 d10=94879787239
>> d4=9397 d11=427437692443
>> d5=333667 d12=4547142218089
>> d6=2028119 d13=440334654777631
>> d7=2462401 d14=676421558270641
>>
>> d15=30557051518647307
>> d16=471148486301963562067
>> d17=2212394296770203368013
>> d18=8845981170865629119271997
>> d19=130654897808007778425046117
>> d20=90077814396055017938257237117
>> d21=2503678796850536532770633167883644999
>>
>> The 3 remaining composite divisors of number DDD:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> c172 = 4136757950500351829215273898264330779279657730180289971062696133525101971148657576622167629405278071146511535383508907868849825502655065801803508961793912566261290961976951 (R. Brent)
> etc.
>
>> Prof. Montgomery's analysis shows furthermore that all remaining primes are
>> either divisors of 10^333-1, of 10^999-1, or others; which respectively
>> correspond to remaining 3 composites: c172 of R.P. Brent and those
>> two (still untouched, c634 and c1900) of A.K. Lenstra. Brent has (1996)
> .....
>> In other words the c172 composite has 2, 3, 4, 5 or may be 6 primes still
>> hidden in it (nobody knows how many !, that's the beauty of it);
>> ALL these are of the form n*666+1 with n NOT BEING NECESSARILY a multiple
>> of 3;
>> ----------------
>>
>> HOWEVER:
>> Now I have been looking to the 21 known primes of DDD and it turns out that
>> only p = d3,d5,d8,d10,d11,d12,d16,d20,d21 are of the Montgomery's form:
>> p = n*666 + 1; but ALL these are also of the broader form p=n*1998 + 1
>>
>> Therefore MAY BE, just may be, ALL remaining primes inside c172 are
>> already of the broader form p=n*1998 + 1 and consequently the
>> XX century FACE of number-analysis is saved even without factorization
>> of the Brent composite c172 .
>> Is there a GAP in Montgomery's theorem (above)? Can somebody prove
>> that all primes of N333 = (10^333 - 1) are of the form p = n*1998 + 1
>> and not merely of the Montgomery form p = n*666 + 1?
>
> OK. I revised very carefully the 10 lines above of Montgomery's theorem
> and I am totally confident that there is no GAP in them.
> Thus the FACT that all so far known primes of DDD are NOT of the
> Montgomery type:
> p = 666*n + 1 with n NOT divisible by 3 (or 'beast type', say)
>
> does NOT imply that such sacred BEAST is still not hidden in the
> only one simple composite c172. Even twice or thrice or more!
> It is certainly true that after all primes of c172 will be known then
> FOR SURE all remaining primes of DDD will be of the century form:
>
> p= 1998*n + 1 and no more 'beasts' anymore.
>
> But so far we don't know if DDD contains or not any prime of the
> 'beast type' above. WE will know ONLY when c172 becomes fully factored.
Ay, Ay, Ay! 1999 is ending quickly and still we don't know if
there is a single prime of DDD which is of the 'beast type' (hidden, of
course, inside the trivial c172). It will be a terrific fluke if
all the primes of c172 are already of the 'century type' p=n*1998+1.
What a shame for century XX that we cannot decide such an issue either
by factoring c172 or by a stronger theorem than that one above of
Montgomery.
It is very curious that despite so many primes in DDD of the
general form p=666*n+1 NONE of them, so far, is 'beast like' and
all of them are, so far, of 'century type'. For instance, the
latest d21 of Brent is:
d21 = (3*97*2347*155723*117821.. 0031) * 1998 + 1
CENTURY TYPE!; despite that it genuinely divides (10^333 - 1) and not
(10^111-1) nor other lower factors of DDD. Yet according to
Montgomery's theorem it could only be predicted to be of 'beast type'.
--
Angel, secretary of Universitas Americae (UNIAM). His proof of ETI at
Cydonia and index of book "TETET-98: Generacion del Hombre en Marte" by Prof.
Dr. D.G. Lahoz (leader on ETI and Cosmogony) can be studied at URL:
http://www.ncf.carleton.ca/~bp887 ***************************
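Montgomery's argument and the 'beast'/'century' question above, checked against the numbers given in the thread, as an added example that is not part of the original posts. The prime list d1..d21 and Brent's c172 are copied from the post; everything else is elementary number theory on top of the Python standard library. Beyond what the thread does by hand, it computes the order of 10 modulo each prime (which of the 10^g - 1, g | 2997, each prime actually comes from), and applies the one cheap test available without factoring c172: a product of primes all of the form 1998n + 1 is itself 1 (mod 1998), so c172 % 1998 != 1 would prove that a beast-type prime hides in it.

```python
"""Check Montgomery's argument and the 'beast'/'century' classification on
the divisors of DDD = (10^2997 - 1)/999^2 listed in the post.

Added example, not code from the posters.  KNOWN_PRIMES and C172 are copied
from the post; the functions below follow from them and from elementary
number theory.
"""
import math

N = 2997                                   # we look at divisors of 10^2997 - 1

# The 21 known prime divisors d1..d21 of DDD, as listed in the post.
KNOWN_PRIMES = [
    163, 757, 1999, 9397, 333667, 2028119, 2462401, 96455449, 247629013,
    94879787239, 427437692443, 4547142218089, 440334654777631,
    676421558270641, 30557051518647307, 471148486301963562067,
    2212394296770203368013, 8845981170865629119271997,
    130654897808007778425046117, 90077814396055017938257237117,
    2503678796850536532770633167883644999,
]

# R. Brent's unfactored 172-digit cofactor, as listed in the post.
C172 = int(
    "413675795050035182921527389826433077927"
    "965773018028997106269613352510197114865"
    "757662216762940527807114651153538350890"
    "786884982550265506580180350896179391256"
    "6261290961976951"
)

DIVISORS_OF_N = [d for d in range(1, N + 1) if N % d == 0]   # 1, 3, ..., 2997


def order_of_ten(p: int):
    """Smallest d | N with 10^d == 1 (mod p); None if p does not divide 10^N - 1."""
    for d in DIVISORS_OF_N:
        if pow(10, d, p) == 1:
            return d
    return None


def montgomery_case(p: int) -> dict:
    """Montgomery's two cases for a prime p | 10^N - 1, with g = gcd(N, p - 1):
    g <= 111 means p is a factor of a fully factored 10^g - 1; otherwise
    333 | g | p - 1 and, p being odd, p == 1 (mod 666)."""
    g = math.gcd(N, p - 1)
    return {
        "order": order_of_ten(p),
        "g": g,
        "small_case": g <= 111,
        "one_mod_666": p % 666 == 1,
    }


def is_century_type(p: int) -> bool:
    """Angel's 'century type': p = 1998 n + 1."""
    return p % 1998 == 1


def is_beast_type(p: int) -> bool:
    """Angel's 'beast type': p = 666 n + 1 with 3 not dividing n."""
    return p % 666 == 1 and not is_century_type(p)


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13)) -> bool:
    """Miller-Rabin with fixed bases; enough to confirm c172 is composite."""
    if n < 2:
        return False
    for b in bases:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def cofactor_test_inconclusive(c: int) -> bool:
    """If every prime of c were 1 (mod 1998), c would be too.  So c % 1998 != 1
    proves a beast-type prime divides c; c % 1998 == 1 proves nothing (two
    beasts can multiply to 1 mod 1998).  True means inconclusive."""
    return c % 1998 == 1


if __name__ == "__main__":
    for p in KNOWN_PRIMES:
        case = montgomery_case(p)
        tag = "beast" if is_beast_type(p) else "century" if is_century_type(p) else "-"
        print(f"{p}: order {case['order']}, g {case['g']}, {tag}")
    print("c172 probable prime:", is_probable_prime(C172))
    print("c172 == 1 (mod 1998), test inconclusive:", cofactor_test_inconclusive(C172))
```

For the listed c172 the residue test comes out 1 (mod 1998), so, as the post says, the question stays open until c172 is factored; nine of the known primes are 1 (mod 666) and all nine are also 1 (mod 1998), matching the post's tally.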
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Enigma
Date: Thu, 30 Dec 1999 10:49:02 +0100
John E. Gwyn wrote:
>
> Mok-Kong Shen wrote:
> > Are there publically available detailed technical literatures on
> > cracking of Purple?
>
> Not really. The nearest thing is WFF's "Analysis of a Mechanico-
> Electrical Cryptograph" (not the Purple machine), which has been
> released in redacted form to the National Archives. (I'm not sure
> that the whole thing has been released even today. Rotor systems
> were very widely used for high-grade traffic not so long ago, and
> the exact extent of their vulnerability is not information to be
> divulged lightly.)
Since rotor systems can nowadays be very simply simulated and easily
experimented with on computers, I believe one can yet pull valuable
things out of them for designing some useful ciphers. One advantage
we have now over the past is that, while the rotors are fixed
mechanical pieces, the substitution tables stored in a computer are
entirely flexible and can be varied in diverse ways, so that with
some good ideas the resulting ciphers may even have a fair chance to
compare with some of the currently best algorithms, I suppose.
M. K. Shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************