Cryptography-Digest Digest #814, Volume #10      Thu, 30 Dec 99 23:13:01 EST

Contents:
  Re: Attacks on a PKI (Anne & Lynn Wheeler)
  Re: Attacks on a PKI ([EMAIL PROTECTED])
  Re: Encryption:  Do Not Be Complacent (Gurn Blanston)
  Re: File format for CipheSaber-2? (Johnny Bravo)
  Re: Diffie-Hellman (DJohn37050)
  Classical Crypto Books (CryptoBook)
  Re: stupid question (John Savard)
  Re: File format for CipheSaber-2? (Guy Macon)
  Re: PKZIP compression security (NFN NMI L.)
  Re: letter-frequency software ("Colonel Mustard")
  Re: Prime series instead (Re: Pi) (NFN NMI L.)
  Re: HD encryption passphrase cracked! (Guy Macon)
  Re: Secure Delete Not Smart (Guy Macon)

----------------------------------------------------------------------------

Subject: Re: Attacks on a PKI
Reply-To: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
Date: Fri, 31 Dec 1999 00:24:03 GMT



Greg <[EMAIL PROTECTED]> writes:

> > the old style checks with signing limits has been one model proposal
> > for certificate pki ...
> 
> Wouldn't you agree that PKI is in many ways an electronic emulation
> of classical check banking and that once someone thinks (imagines)
> beyond classical architecture, PKI may actually simplify and
> strengthen at the same time?


I should have said PKI works well in 'offline', atomic transactions.

I think it is pretty well accepted that PKI design point is offline,
electronic. The models they have/fit correspond to the world before it
started moving to online. 

checks/debit/credit have had failure modes like forgeries ... but also
there are other failure modes like insufficient funds &/or credit
limit.

PKI can be used for addressing offline forgery issues.

however, starting sometime in the '60s, telecommunication and
computers costs started coming down to the point where it started
being economically attractive to do online transactions ... & being
able to address the insufficient funds and credit limit failure modes
(i.e. card swipe online terminals at point of sale) ... i.e. cost of
the telecommunications and computers was much less than the benefit of
doing online transactions (cost/benefit ratio).

since the '60s, the cost of telecommunication and computers have
continued to decline, making online transactions even more attractive,
improving the cost/benefit ratio with online starting to become more
and more ubiquitous (further reducing the attractiveness of offline
solutions like PKIs). The internet itself is just one example of the
move to pervasive, ubiquitous online operation.

AADS chip card & X9.59 for all electronic retail transactions
addresses both the forgery as well as insufficient funds using
integrated online solution.

A CA/PKI only offline solution would be going back to a pre-60s
solution only addressing the forgery failure mode.

And as stated previously, given an online digital signed solution (ala
X9.59) which addresses forgery issues, end-to-end authentication
(financial institution doing the authentication/forgery checking and
not relying on intermediaries), as well as insufficient funds & credit
limit failure modes ... then it is trivially shown that also having a
CA/PKI as part of the transactions is at best redundant and
superfluous and typically introduces unnecessary systemic risk and
unnecessary additional failure modes.

and as usual ... more AADS & X9.59 at

http://www.garlic.com/~lynn/

-- 
Anne & Lynn Wheeler   | [EMAIL PROTECTED], [EMAIL PROTECTED]
 http://www.garlic.com/~lynn/ http://www.adcomsys.net/lynn/

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Attacks on a PKI
Date: Fri, 31 Dec 1999 01:01:11 GMT

In article <84dbnj$v0d$[EMAIL PROTECTED]>,
  Greg <[EMAIL PROTECTED]> wrote:
>
> > Even if your PKI is just a matter of
> > storing the public keys in a personal database,
>
> Then it is not PKI, but a personal database of keys.

But it *is* a *fundamental* part of PKI: someone's certificate, along
with their public key and signature from a CA is stored on a central
database (which, in theory, is accessible to anyone wanting to do
business with you)

>
> > The next step is to do this indirectly, and to delegate
> > this certification authority to someone else's key.
>
> That is where the whole thing falls apart.  Now you go
> from trusting your private key to a person you have never
> met who could be bribed, intimidated (yes, even by the government),
> or criminally inclined.  I would prefer to trust only my
> private key.

That still doesn't solve the problem of authentication: How do you know
you are doing business with Mr X? This is where you take the word of
the CA who signs Mr X's certificate. Of course, the CA and Mr. X could
both be adversaries.

>
> > This has the advantages that a much larger number of
> > people's keys can be certified, as the certification
> > authority can specialize in this task.
>
> This is no advantage at all- it is just an illusion.

This *is* an advantage: The CA can specialise in certifying keys. This
is the essence of a PKI -- the CA is a "trusted" party, thereby giving
comfort to the authenticity of people's keys.

The illusion is that this is secure - there are many attacks, and this
leads back to my original post.

>
> > The disadvantage is that you now must trust this other entity
>
> You just proved my point in the line above.  Trusting any
> other person violates the whole concept of a private key.
>
Why the private key? Please explain.


> > so there is nothing particularly revolutionary in extending
> > such trust to a key infrastructure.
>
> Except it is being pushed by financial institutions.

Yes - it appears to be the latest IT bandwagon that seems destined to
go off the cliff.


>
> > As for the comments that the effort to maintain PKI security is as
> > great as keeping shared secret keys, the difference is
>
> The difference is that it is an illusion and has no value.
>
the security of a PKI is as strong as the weakest link. At the end of
the day, you must trust that the person you are doing business with is
genuine. This trust can be violated through the many flaws in PKI.

> > But in general, modification attacks tend to be more
> > expensive than access attacks, and PKC gives you much
> > more value than shared secret keys.
>
> Once you successfully develop the software to sit on a laptop
> that will emulate all of the CAs, you can sit between any
> person's home PC and their ISP and emulate those CAs for their
> browser.  Then when they go to a secured web site using SSL,
> you can successfully sit in the middle and see everything.
> You don't need to break their ciphers.

Good point (an answer to my original post!)

>
> What makes this possible?  PKI.  What is the cost?  one time
> development of such software and the hardware to get in the
> middle of the connection.  What is the payoff?  You have to
> find a list of targets that can easily be hit that use
> any form of e-commerce and get their credit cards, SS#, etc.
>
> I would estimate the software could be developed in 6 months.
> It really is not that difficult.  Just tedious development.

Agreed. Wouldn't surprise me if there's already such software around.

>
> --
> The only vote that you waste is the one you never wanted to make.
> RICO- we were told it was a necessary surrender of our civil liberties.
> Asset Forfeiture- the latest inevitable result of RICO.
> http://www.ciphermax.com/book
>



------------------------------

From: Gurn Blanston <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,talk.politics.crypto,talk.politics.misc,talk.politics.drugs
Subject: Re: Encryption:  Do Not Be Complacent
Date: Fri, 31 Dec 1999 01:20:10 GMT



Jim wrote:
> 
> Assuming that the cipher can be stripped off all messages; if the recovered
> code words/groups have the same meanings over an extended period, then
> the system will be broken later if not sooner!
> 
> Remember 'Magic', the Zimmermann Telegram, US WW2 decrypts of Japanese
> naval traffic.
> 


So the most secure method would be:

Hire two Navajo Code Talkers. Have one encode your message into ciphered
Navajo, voice recorded into a digital file. Then encrypt the file before
attaching it. The receiver of the message first decrypts it, then lets
his own Navajo Code Talker listen to the recording and decipher the
message.

Right?

-- 
~Peace
Gurn Blanston
______________________________
medicinal marijuana vaporizers
   http://www.vaporizer.com

"'The drug czar has refused to be at any public event where 
[Ethan] Nadelmann is,' says Reinarman. '[McCaffrey] is probably smart
enough to avoid embarrassment.'

Calvina Fay, deputy executive director at the Drug Free America
Foundation,
who has never been on a panel with Nadelmann, says, 'We don't think
debating is a very good idea.'"
-recent usenet post

------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: File format for CipheSaber-2?
Date: Thu, 30 Dec 1999 20:15:14 GMT

On Thu, 30 Dec 1999 13:49:22 -0800, lordcow77
<[EMAIL PROTECTED]> wrote:


>> >(1) Fix the number of repeats to a power of 2 >= 256
>>   Do you realize that this makes message encryption nearly
>> impossible?
>> 2.9e80 swapping operations have to be performed before you can
>> encrypt
>
>The obvious intent is that 256 is the lowest power of 2 that the number
>of repeats should be set to, with the further implication that 2^8 ==
>256.

  The obvious reading is that the power of 2 is equal to or greater
than 256. <g>  

  Fixing it to a power of two seriously weakens the cipher given 10
bytes of known plaintext.  For my machine, there are only 10 or so
possible values that I could use that would take 5 minutes or less to
decrypt, giving me about 10 minutes max just to read one message.  A
very fast machine would easily do this work in just a few seconds for
all the 10 values, then use the ten known plaintext elements to find
10 known values in the state array; it is a bad thing to tell an attacker
what 4% of your message key is.  Having a known number of mixings is
not a weakness, but having 10 known plaintext characters at the start
of the message is.

  Johnny Bravo


------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Diffie-Hellman
Date: 31 Dec 1999 01:40:06 GMT

Look at IEEE P1363 for more info on DH.
Don Johnson

------------------------------

From: [EMAIL PROTECTED] (CryptoBook)
Subject: Classical Crypto Books
Date: 31 Dec 1999 02:47:02 GMT


Classical Crypto Books is pleased to announce the following recent
additions/updates to the CCB catalog. 

HISTORY

DECODING HISTORY: The Battle of the Atlantic and Ultra
by W. J. R. Gardner, Foreword by Geoffrey Till
The author, a retired Royal Navy specialist on antisubmarine warfare, uses
operational research techniques to provide the first professional, balanced,
and rigorous analysis of the relative value of Ultra intelligence during the
Battle of the Atlantic. Published at $34.95.
Naval Institute Press, 281 pp.
HB, Nonmember $31.95, Member $27.95

SURVIVING THE DAY: An American POW in Japan
by Frank J. Grady, Rebecca Dickson
As head of the U.S. Army crypto unit in Manila handling all traffic for
generals MacArthur & Wainwright, the Japanese took special interest in him as
POW. This remarkable memoir details his capture, torture, survival, and
attempts to outwit his captors. Published at $34.95.
Naval Institute Press, 289 pp.
HB, Nonmember $31.95, Member $27.95

DOUBLE-EDGED SECRETS: U.S. Naval Intelligence Operations in the Pacific During
World War II
by W. J. Holmes
Serving in the Combat Intelligence Unit at Honolulu, with Ultra access, the
author shared the painful moral dilemma faced daily by Pacific commanders: use
COMINT from broken Japanese codes and risk losing it, or fail to act and risk
U.S. lives and ships. Published at $15.95.
Naval Institute Press, 252 pp.
SB, Nonmember $14.95, Member $12.95

SPY HUNTER: Inside the FBI Investigation of the Walker Espionage Case
by Robert W. Hunter, Lynn Dean Hunter
CWO John Walker, a retired navy radioman and communications watch officer, was
leader of the most damaging KGB espionage ring in U.S. history.  Told by the
FBI agent who broke the ring, this is the most complete account of the Walker
case ever written. Published at $27.95.
Naval Institute Press, 263 pp.
HB, Nonmember $25.95, Member $22.95

ESPIONAGE AND INTELLIGENCE

SISTERHOOD OF SPIES: The Women of the OSS
by Elizabeth P. McIntosh
Until this book some of the best-kept secrets of WW2 were the heroic exploits
of OSS women who served as spies, saboteurs, cryptographers, cartographers,
analysts, propaganda experts, etc. Lest we forget, the Epilogue is Space-Age
Spies: Women in CIA. Published at $29.95.
Naval Institute Press, 297 pp.
HB, Nonmember $26.95, Member $23.95

==============
HB = Hardbound
SB = Softbound
==============

All items are in stock and available now. Member prices are available to
members of the American Cryptogram Association, the U.S. Naval Cryptologic
Veterans Association, and full-time students. Shipping and handling are extra.
For complete ordering information, a free catalog of crypto books by return
e-mail, or for information about membership in the American Cryptogram
Association, please send email to: [EMAIL PROTECTED]

Best Wishes,
Gary Rasmussen
Classical Crypto Books
E-Mail: [EMAIL PROTECTED]
Fax: (603) 432-4898


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: stupid question
Date: Fri, 31 Dec 1999 02:31:46 GMT

On Wed, 29 Dec 1999 13:28:48 +0100, "Buchinger Reinhold"
<[EMAIL PROTECTED]> wrote:

>I have a stupid question. But what is the difference between a key of a
>stream cipher and a key of an one-time-pad ???

In a one-time-pad, there is a key as long as the text being encrypted,
which is directly added to that text.

In the simplest category of stream ciphers, a key initializes a
pseudo-random number generator; the output of that generator, although
it is sometimes called a keystream, is added to the text being
encrypted _instead_ of the key, which can be much shorter than the
amount of text it is used to encrypt.

The question isn't all that stupid either, because, unfortunately,
there are a number of people out there making stream cipher products
that they advertise as being one-time-pads!

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: File format for CipheSaber-2?
Date: 30 Dec 1999 22:36:12 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul 
Crowley) wrote:
>
>[EMAIL PROTECTED] (Guy Macon) writes:
>
>> Is there a standard place to keep the "number of repeats" data?  I would
>> assume that it is desirable that when you run once the output should be
>> byte for byte compatible with CipherSaber-1.  Is the number of repeats
>> inserted in the keyphrase? in the initialization vector?  What format
>> would allow other folks who use CipherSaber-2 to decode my message?
>
>Here's what I proposed for CipherSaber-3:
>
>(1) Fix the number of repeats to a power of 2 >= 256

Assuming that you mean a power of two that has a result
less than 256 (you CAN'T mean the exponent can be up to
256 - it would run almost forever!), that's
1,2,4,8,16,32,64,128, or 256.  Right?  

>(2) Fix the first ten bytes of the message to "\0"

Ouch!  I can't say why, but I have a bad feeling about giving
any attacker a 10 byte known plaintext attack.

>(3) Store the number of repeats nowhere!

May I assume that you try the 8 allowed repeat numbers until you
get a match, starting with 1?  Nice!  this would allow you to send
messages with repeats=1 that ciphersaber-1 could decode.  Hmm. you
wouldn't be able to decode ciphersaber-1 messages that don't have
the zeros in the plaintext.  

>Then, if you get the passphrase right, you'll know because you'll find 
>those ten zeroes at an appropriate point in the keystream.  If you get 
>it wrong, you'll eventually figure it out because you don't find them
>after an implausibly long wait.

Wouldn't this increase the efficiency of a brute force passphrase
guessing program?  Normally such programs have to figure out if
the latest guess is a human language.  You hand them a more efficient
method of doing this.

>This makes a key guessing attack as
>expensive as possible, and is the only secure way I see to keep the
>number of repeats hidden from someone who doesn't know the passphrase.

I am not convinced that hiding the number of repeats is all that
important.  I also see little benefit to doing more than 256 repeats,
and a serious disadvantage for systems that do 8 bit math.

Looks like there is no standard file format for ciphersaber-2.
Anyone care to propose one, or would you prefer that the clueless
newbie make a proposal that you can rip to shreds? <grin>
The attribute of being two way cyphersaber-1 compatible when
repeats=1 is highly desirable.  Making the user memorize a repeat
number is undesirable.  Revealing the repeat number to attackers
is acceptable.
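The repeat-count scheme debated in this thread (Paul Crowley's CipherSaber-3 proposal, Johnny Bravo's known-plaintext objection above, and Guy Macon's brute-force worry here), as an added Python illustration that is not code from the thread or from the CipherSaber documents. It assumes the key schedule is RC4's mixing loop run N times with j carried across passes, a 10-byte IV appended to the passphrase, and repeat choices of 1, 2, 4, ..., 256; the marker check is the cheap right/wrong test both posters point at.

```python
"""RC4 with a CipherSaber-2 style repeated key schedule, plus the
CipherSaber-3 'ten zero bytes' marker decode proposed in the thread.
Assumption: the mixing loop runs `repeats` times with j carried over."""
import os

IV_LEN = 10
MARKER = b"\0" * 10                            # proposed fixed plaintext prefix
REPEAT_CHOICES = [1 << k for k in range(9)]    # 1, 2, 4, ..., 256

def rc4_state(key: bytes, repeats: int) -> list:
    """Key-scheduling algorithm; the CipherSaber-2 idea repeats the loop N times."""
    s = list(range(256))
    j = 0
    for _ in range(repeats):
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(s: list, n: int) -> bytes:
    """Pseudo-random generation algorithm: n keystream bytes from state s."""
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encrypt(passphrase: bytes, repeats: int, plaintext: bytes, iv: bytes = b"") -> bytes:
    """CipherSaber layout: 10-byte IV, then plaintext XOR keystream(passphrase + IV)."""
    iv = iv or os.urandom(IV_LEN)
    ks = rc4_keystream(rc4_state(passphrase + iv, repeats), len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(passphrase: bytes, repeats: int, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    ks = rc4_keystream(rc4_state(passphrase + iv, repeats), len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def encrypt_with_marker(passphrase: bytes, repeats: int, message: bytes) -> bytes:
    """Proposal step (2): prepend ten zero bytes so the repeat count is never stored."""
    return encrypt(passphrase, repeats, MARKER + message)

def decode_without_stored_repeats(passphrase: bytes, ciphertext: bytes):
    """Proposal step (3): try each allowed repeat count until the marker appears.
    Only the first IV_LEN + 10 ciphertext bytes are needed per trial, which is
    exactly why the marker is also a cheap right/wrong test for a passphrase guess.
    Returns (repeats, message), or None when no repeat count yields the marker."""
    head = ciphertext[:IV_LEN + len(MARKER)]
    for r in REPEAT_CHOICES:
        if decrypt(passphrase, r, head) == MARKER:
            return r, decrypt(passphrase, r, ciphertext)[len(MARKER):]
    return None

def main():
    ct = encrypt_with_marker(b"correct horse", 64, b"meet at noon")
    print(decode_without_stored_repeats(b"correct horse", ct))   # (64, b'meet at noon')
    print(decode_without_stored_repeats(b"wrong guess", ct))     # None

if __name__ == "__main__":
    main()
```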



------------------------------

From: [EMAIL PROTECTED] (NFN NMI L.)
Subject: Re: PKZIP compression security
Date: 31 Dec 1999 03:38:23 GMT

PKZIP encryption is not the same as PKZIP compression. Methinks you are
confused. Also, methinks it is like a weasel.

S. "Shakespeare" L.

------------------------------

From: "Colonel Mustard" <[EMAIL PROTECTED]>
Subject: Re: letter-frequency software
Date: Thu, 30 Dec 1999 22:37:29 -0500

You can find the GNU C++ compiler for free at
http://agnes.dida.physik.uni-essen.de/~janjaap/mingw32/download.html
or a zip version of all the packages at
http://www.seg.etsmtl.ca/inf125/Documents/Gcc.exe
It's 7 Mb and it is working under windows.
Have fun!



r.e.s. <[EMAIL PROTECTED]> wrote in message:
84e1m6$75r$[EMAIL PROTECTED]
> At http://www.und.nodak.edu/org/crypto/crypto/stattools/
> there is C source code for a program (letcount.c), to do
> some simple letter-frequency analysis, but, unfortunately,
> I don't have access to a C-compiler.  Does anyone know
> where an executable version of this might be found?
> (preferably for win98, but even DOS will do ;)
>
> Thanks for any feedback.
>
> --
> r.e.s.
> [EMAIL PROTECTED]
>
>



------------------------------

From: [EMAIL PROTECTED] (NFN NMI L.)
Subject: Re: Prime series instead (Re: Pi)
Date: 31 Dec 1999 03:48:13 GMT

The summation of the reciprocals of all the primes is infinite. Who knows what
happens when you have alternating subtraction and addition?

S. "log log log N? Holy cow" L.

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: HD encryption passphrase cracked!
Date: 30 Dec 1999 23:00:10 EST

In article <84g9ui$flt$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Keith A 
Monahan) wrote:
>
>Guy,
>
>The funny thing is I used that password for literally years on a somewhat
>regular basis.  I had no problems remembering it in the past but I went
>on a trip last June and after spending a couple weeks overseas, and a
>couple of Guinnesses in Ireland -- I came back dumbfounded to remember the
>entire thing.  I did recall a very large portion of it, but forgot placement
>(and order) of symbols, and I thought I was missing a word.  What really
>happened was I typed it incorrectly once, and then I tried a couple of
>combinations, and before you know it I was forgetting it because all the
>combinations confused me!
>
>For the longest time I was typing the password by memory of the keys --
>I'm a fairly proficient typist, and I type with thoughts rather than
>characters -- with words instead of letters that comprise the word.  So,
>to make a long story short, my hands remembered day after day after day
>the passphrase, but my brain didn't.
>
>Keith
>
>P.S. A lot of people say, "That would never happen to me"

I made a cheat sheet that looks like this (these are all made up;
the real cheat sheet is different).

What barbara spilled.
Number of oscilloscopes I have dropped and broken.
RM's favorite way to do RM's favorite thing.
The Penguin vs. my new car.
Mr B did what I liked this many times
Chicken, Onion soup mix, thousand island dressing (third word)
Discard clue number (age at which sax player died modulo 10).
Swap longest word so far with shortest word so far.
...and so on.  Things that only I would remember.


I have two copies in two safe deposit boxes in different banks.
I lack a determined opponent, otherwise I would have put 1/3 of
the list in three different safe deposit boxes.

I also use memory aids - When we have a fire in the fireplace
I sometimes spell it out on paper and burn the paper.
Sometimes I touch type it.  Once in a while I enter it with a
mouth stick.  On occasion I mumble it with my hand over my mouth
when I am alone and outdoors.  I visualize it as text, then as
audio during boring meetings.  During REALLY boring meetings I
try to remember it backwards.



------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: alt.privacy
Subject: Re: Secure Delete Not Smart
Date: 30 Dec 1999 23:05:48 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Mark D) wrote:

>So here's your solution: burn all your information to cd, and if you
>want to 'secure delete' it, you just smash the cd. Since they're only
>about a buck a piece, it would be fairly inexpensive.

I actually do this, but I use floppies and toss them in the fireplace
(I know, bad gasses, but it's just one floppy and it mostly goes up
the stack if you toss it in deep).


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
