Cryptography-Digest Digest #816, Volume #10 Fri, 31 Dec 99 17:13:01 EST
Contents:
Re: Attacks on a PKI (Greg)
Re: File format for CipherSaber-2? (Guy Macon)
Re: File format for CipherSaber-2? (Guy Macon)
Re: File format for CipherSaber-2? (Guy Macon)
Re: DECRYPTION Urgent! (Lonie M. Kray)
Re: Cryptanalysis (Lonie M. Kray)
Re: Encryption: Do Not Be Complacent (Anthony Stephen Szopa)
Re: The Cipher Challenge from the Code Book (wtshaw)
Re: DECRYPTION Urgent! (Bill Unruh)
Re: letter-frequency software (Bill Unruh)
meet-in-the-middle attack for triple DES ("P. Daniel Suberviola, II")
Re: The Cipher Challenge from the Code Book (Bill Unruh)
----------------------------------------------------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Fri, 31 Dec 1999 17:19:00 GMT
> > > Even if your PKI is just a matter of
> > > storing the public keys in a personal database,
> >
> > Then it is not PKI, but a personal database of keys.
>
> But it *is* a *fundamental* part of PKI: someones certificate, along
> with their public key and signature from a CA is stored on a central
> database (which, in theory, is accessible to anyone wanting to do
> business with you)
Perhaps we are referring to two different things. I mean the
local database on a PC. If that is what you are referring to,
then I have to ask, what about stale certificates? There
is a reason why the certificates become invalid, most usually
because they are not trustworthy.
> > > The next step is to do this indirectly, and to delegate
> > > this certification authority to someone else's key.
> >
> > That is where the whole thing falls apart. Now you go
> > from trusting your private key to a person you have never
> > met who could be bribed, intimidated (yes, even by the government),
> > or criminally inclined. I would prefer to trust only my
> > private key.
>
> That still doesn't solve the problem of authentication:
> How do you know you are doing business with Mr X? This is
> where you take the word of the CA who sign Mr X's certificate.
> Of course, the CA and Mr. X could both be adversaries.
I concur.
> > > This has the advantages that a much larger number of
> > > people's keys can be certified, as the certification
> > > authority can specialize in this task.
> >
> > This is no advantage at all- it is just an illusion.
>
> This *is* an advantage: The CA can specialise in certifying keys. This
> is the essence of a PKI -- the CA is a "trusted" party, thereby giving
> comfort to the authenticity of people's keys.
>
> The illusion is that this is secure - there are many attacks, and this
> leads back to my original post.
That is what I meant. The whole PKI is an illusion in principle.
> > > The disadvantage is that you now must trust this other entity
> >
> > You just proved my point in the line above. Trusting any
> > other person violates the whole concept of a private key.
> >
> Why the private key? Please explain.
Using a private key does not require you trust anyone but
yourself. The trust requirements of PKI violate that principle.
Using a private/public key strategy, PKI requires that you
go from trusting only yourself to trusting an unknown individual.
Why would you do that?
> > > so there is nothing particularly revolutionary in extending
> > > such trust to a key infrastructure.
> >
> > Except it is being pushed by financial institutions.
>
> Yes - it appears to be the latest IT bandwagon that seems destined to
> go off the cliff.
It is sick, IMHO.
> > > As for the comments that the effort to maintain PKI security is as
> > > great as keeping shared secret keys, the difference is
> >
> > The difference is that it is an illusion and has no value.
> >
> the security of a PKI is as strong as the weakest link. At the end of
> the day, you must trust that the person you are doing business with is
> genuine. This trust can be violated through the many flaws in PKI.
I disagree. The security of PKI is weak due to its lack of a
complete protocol definition. For example, the concept of a
certificate being validated by another certificate in a pyramid
of certificates, with the top being undisputed, but no way to
define within the PKI protocol how to make such a top level
certificate 100% undisputed leaves PKI useless. PKI is a good
idea that has not been finished yet. It has holes in that
those with monetary interests are willing to gloss over today
at our expense.
> > > But in general, modification attacks tend to be more
> > > expensive than access attacks, and PKC gives you much
> > > more value than shared secret keys.
> >
> > Once you successfully develop the software to sit on a laptop
> > that will emulate all of the CAs, you can sit between any
> > person's home PC and their ISP and emulate those CAs for their
> > browser. Then when they go to a secured web site using SSL,
> > you can successfully sit in the middle and see everything.
> > You don't need to break their ciphers.
>
> Good point (an answer to my original post!)
Others have shown me that IE does not dynamically verify
its certificates, so there are more things that a MITM must
do to succeed, like trick the user to accept his own
certificates that will validate forged certificates.
But the fact that this can be done at all shows PKI (as
a component of SSL) is not the proper design. I think
that no one has yet figured it out, that it may take a
revolutionary mode of thinking to approach the problem
correctly. The pyramid scheme is one that we naturally
think of. The solution is likely to be a non natural
approach to man's thinking. IMHO.
--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: File format for CipherSaber-2?
Date: 31 Dec 1999 13:27:17 EST
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
Crowley) wrote:
>
>[EMAIL PROTECTED] (Guy Macon) writes:
>> Ouch! I can't say why, but I have a bad feeling about giving
>> any attacker a 10 byte known plaintext attack.
>
>I know what you mean, but I disagree. I think people are
>unnecessarily fearful of including known plaintext into systems that
>are meant to be resistant to known plaintext attack; in this case,
>it's a convenient solution to a problem.
Actually, I have two problems with including known plaintext.
The first is an argument from ignorance - I have no way of knowing
how much this weakens CS. I lack the expertise. The second is that
your proposed magic sequence could occur in a plaintext, or in an
improperly decoded (wrong key or repeat number) result. At first I
thought that this would be very unlikely (1 out of 2^80 bit patterns),
but I have no idea whether or not all of those 2^80 patterns are
equally probable when I try different repeat values or keys.
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: File format for CipherSaber-2?
Date: 31 Dec 1999 13:31:24 EST
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
Crowley) wrote:
>So what I meant to specify was that CipherSaber-3 mandate that at
>least 256 bytes of output be discarded, to avoid Andrew Roos' weak key
>problems.
I can see the advantage to that. Wouldn't it be just as effective
to place 256 bytes of random bytes at the start of the plaintext
and discard them when decoding?
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: File format for CipherSaber-2?
Date: 31 Dec 1999 13:38:42 EST
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Johnny Bravo)
wrote:
>
>On 30 Dec 1999 22:36:12 EST, [EMAIL PROTECTED] (Guy Macon) wrote:
>
>> Making the user memorize a repeat
>>number is undesirable. Revealing the repeat number to attackers
>>is acceptable.
>
> Just use the number of repeats (in Hex) as the last two digits of
>the IV. If the number of repeats is 1, CS-1 programs can read it.
>CS-2 programs could look for a .cs2 extension on the filename to
>determine if it should automatically use the value, a .cs1 to use a 1
>value, or ask the user to decide in other cases.
> This gives an N value up to 65k, which is more than enough, and
>would cause a 15 second delay on my system. :)
I printed this out and pondered it while eating breakfast, and I
can't see a single thing about it that I don't like. One question
occurs to me though; is there any reason to favor the end of the
IV over the start? I would pick the end as you did if there isn't
a good reason to do otherwise.
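As an added example, not code from the thread, from Guy Macon or from the CipherSaber project: RC4 with the key-setup loop repeated N times, wrapped in the file layout Johnny Bravo proposes above (the repeat count carried in the last two bytes of the 10-byte IV, so the user does not memorise it and a CS-1 reader still works when N is 1). Assumptions of mine: the count is stored big-endian, the whole IV including those two bytes is appended to the passphrase as the RC4 key just as a CS-1 reader would do, and the CipherSaber-2 schedule repeats the key-setup loop with j carried over between passes. The plain-RC4 path is checked against the published "Key"/"Plaintext" RC4 test vector.

```python
# Added example: CipherSaber-2 style RC4 plus a file layout that carries the repeat count
# in the IV. Not the project's code; see the assumptions in the lead-in.
import os

IV_LEN = 10              # CipherSaber IV size
MAX_REPEATS = 0xFFFF     # two bytes of the IV hold N


def rc4_keystream(key: bytes, length: int, repeats: int = 1) -> bytes:
    """RC4 keystream. repeats == 1 is plain RC4 (what CipherSaber-1 uses); repeats > 1
    runs the key-scheduling loop that many times with j carried across passes, which is
    the CipherSaber-2 strengthening assumed here."""
    if not key or repeats < 1:
        raise ValueError("need a non-empty key and repeats >= 1")
    S = list(range(256))
    j = 0
    for _ in range(repeats):                      # key setup, N passes
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 with a raw key and one setup pass; used to check a published vector."""
    return xor_bytes(data, rc4_keystream(key, len(data), 1))


def encrypt(passphrase: bytes, plaintext: bytes, repeats: int, rand=os.urandom) -> bytes:
    """Output layout: 8 random bytes || repeats as 2-byte big-endian || ciphertext.
    The count is public (the thread accepts that) but, being part of the IV, still keyed."""
    if not 1 <= repeats <= MAX_REPEATS:
        raise ValueError("repeats must fit in two bytes")
    iv = rand(IV_LEN - 2) + repeats.to_bytes(2, "big")
    ks = rc4_keystream(passphrase + iv, len(plaintext), repeats)
    return iv + xor_bytes(plaintext, ks)


def repeats_from_iv(blob: bytes) -> int:
    return int.from_bytes(blob[IV_LEN - 2:IV_LEN], "big")


def decrypt(passphrase: bytes, blob: bytes) -> bytes:
    if len(blob) < IV_LEN:
        raise ValueError("too short for an IV")
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    repeats = repeats_from_iv(blob)
    if repeats == 0:
        raise ValueError("IV does not carry a valid repeat count")
    ks = rc4_keystream(passphrase + iv, len(body), repeats)
    return xor_bytes(body, ks)
```

A wrong passphrase yields garbage rather than an error here, because nothing in the format identifies a correct decryption; that is the trade Guy Macon weighs above, and this example deliberately adds no magic header.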
------------------------------
From: [EMAIL PROTECTED] (Lonie M. Kray)
Subject: Re: DECRYPTION Urgent!
Date: Fri, 31 Dec 1999 19:15:06 GMT
"Michael Scott" <[EMAIL PROTECTED]> wrote:
>which provokes me to comment that with the "Y2K Millennium Bug Scare"
>Mankind just made the biggest eejit of itself since Orson Welles convinced
>half of America that the Martians had landed.
Time will tell (Whatever an "eejit" is...)
Yesterday a Y2K bug almost ruined the closing on a condominium that I sold.
The closing agent was on the phone for three hours with tech support fixing
a problem with the program that printed out the complicated closing
documents. It would get as far as a line that said, "1/1/00" and then stop.
--
"Lonie M. Kray" is actually [EMAIL PROTECTED] (5364 289017).
01234 5 6789 <- Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.
------------------------------
From: [EMAIL PROTECTED] (Lonie M. Kray)
Subject: Re: Cryptanalysis
Date: Fri, 31 Dec 1999 19:16:36 GMT
[EMAIL PROTECTED] (TohuVohu) wrote:
>I think Scheneir (darn thats hard to spell)...
I finally have the spelling down, it's "Schneier". But I'm still not sure
how to pronounce it.
--
"Lonie M. Kray" is actually [EMAIL PROTECTED] (5364 289017).
01234 5 6789 <- Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,talk.politics.crypto,talk.politics.misc,talk.politics.drugs
Subject: Re: Encryption: Do Not Be Complacent
Date: Fri, 31 Dec 1999 11:30:52 -0800
Reply-To: [EMAIL PROTECTED]
Gurn Blanston wrote:
> Jim wrote:
> >
> > Assuming that the cipher can be stripped off all messages; if the recovered
> > code words/groups have the same meanings over an extended period, then
> > the system will be broken later if not sooner!
> >
> > Remember 'Magic', the Zimmermann Telegram, US WW2 decrypts of Japanese
> > naval traffic.
> >
>
> So the most secure method would be:
>
> Hire two Navajo Code Talkers. Have one encode your message into ciphered
> Navajo, voice recorded into a digital file. Then encrypt the file before
> attaching it. The receiver of the message first decrypts it, then lets
> his own Navajo Code Talker listen to the recording and decipher the
> message.
>
> Right?
>
> --
> ~Peace
> Gurn Blanston
> ______________________________
> medicinal marijuana vaporizers
> http://www.vaporizer.com
>
> "'The drug czar has refused to be at any public event where
> [Ethan] Nadelmann is,' says Reinarman. '[McCaffrey] is probably smart
> enough to avoid embarrassment.'
>
> Calvina Fay, deputy executive director at the Drug Free America
> Foundation,
> who has never been on a panel with Nadelmann, says, 'We don't think
> debating is a very good idea.'"
> -recent usenet post
You could / might help win a war that way. You never know.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: The Cipher Challenge from the Code Book
Date: Fri, 31 Dec 1999 15:00:50 -0600
In article <84hmf1$ema$[EMAIL PROTECTED]>, "Chris Williams"
<[EMAIL PROTECTED]> wrote:
> You may wish to visit http://www.onelist.com/community/CipherChallenge for
> some hints.
>
> > my main question is, what does "Monoalphabetic Cipher with Homophones"
> > mean? is it Homophonic substitution (p52)? if it is, why is the example
> > of the book numerical, and why when put through frequency analysis Q
> > has 18.4%?
>
> It is, just using letters and the asterisk instead of numbers. One cipher
> letter is very frequent, perhaps it is not a plain letter at all!
Technically, a series of digits could be replaced one-for-one with a
monoalphabet of any ten characters, even just digits. When people say
alphabet they usually mean only one thing, a character set of 26, or so,
letters. But, monoalphabetic substitution can be done with any sized
character set, even digits or any other base. The idea you have a
question about seems to be a poor choice of words to describe a cipher,
misleading, ambiguous, and characteristic of the less than clearly defined
way lots of things are done.
Determinative homophonic substitution may indicate more than one character
set is in play. If you say monoalphabetic, what does that mean if two
sized character sets are in use? Which one? Internal states to a cipher
do matter, so just a different length in one set, as can be done, seen or
unseen, is misleading.
Monoalphabetic substitution suggests no change in length or difference in
plaintext and cipher text sets, as they could be different, is used, and
that each plaintext character of a given type is going to be replaced in
the same position by one ciphertext character according to one simple
list; anything else isn't.
--
Only a little over a year left to go in this century....
Knowing this, figure that a year from now, we will
resale of the hoopla we are getting ready to see now.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: DECRYPTION Urgent!
Date: 31 Dec 1999 21:22:00 GMT
In <84i0u3$1cq$[EMAIL PROTECTED]> "Van Der Mussele" <[EMAIL PROTECTED]> writes:
]I calculated already the private key.
]I checked the numbers several times but I can be wrong.
]m(modulus) = 40000399997
]e(exponent) = 108947
]c(ciphertext = message) = 32567023914 8713291675 25687690793
]this message consists of 9 characters in 3 words => 3 words with 3 chars each
]I calculated p & q
]p = 199999
]q = 200003
]=> gcd(39999999996,108947) = 1
]=> private key = 367151
]So I have the private key (I think I have). Now the only thing left
]to do is decrypt the ciphertext.
]So I need to calculate 32567023914 ^ 367151 (this number is too big
]for me to calculate. = > 32567023914 ^ 367151 mod pq
]Or am I wrong to do that? Is there any easier way ?
X^(a+b) mod N = (X^a mod N)(X^b mod N)
So, you can break up the exponent.
Eg, X^(1001) = (X^1000)(X) = (X^100)(X^100)(X) (exponents in binary, and each operation
mod N)
Ie, you can reduce the multiplication to the multiplication of a bunch of
numbers all less than N.
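Square-and-multiply as a runnable version of the exponent-splitting Bill describes, added here as an example rather than code from the post, and checked against the numbers Van Der Mussele quoted. The thread does not say how the recovered integers map to characters, so the example stops at the integers and verifies them by re-encrypting with the public exponent.

```python
# Added example: right-to-left square-and-multiply, the "break the exponent up in binary"
# idea from the post, applied to the RSA parameters quoted in the thread.


def modexp(base: int, exp: int, mod: int) -> int:
    """base**exp mod `mod`, with every intermediate value kept below `mod`.

    The exponent is consumed one bit at a time: 367151 = 0b1011001101000101111, so the
    result is the product of base**(2**i) for each set bit i, each factor reduced as it goes.
    """
    if mod == 1:
        return 0
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:                       # this bit is set: multiply the current power in
            result = (result * base) % mod
        base = (base * base) % mod        # square: base**(2**(i+1)) for the next bit
        exp >>= 1
    return result


# Numbers posted in the thread.
N = 40000399997                           # modulus
E = 108947                                # public exponent
CIPHERTEXT = [32567023914, 8713291675, 25687690793]
P, Q = 199999, 200003                     # factors the poster found
PHI = (P - 1) * (Q - 1)
D = 367151                                # private exponent the poster computed


def check_key() -> bool:
    """The posted key material is consistent if N = p*q and e*d == 1 (mod phi)."""
    return P * Q == N and (E * D) % PHI == 1


def decrypt_blocks(blocks=CIPHERTEXT, d=D, n=N) -> list:
    """m = c**d mod n for each block."""
    return [modexp(c, d, n) for c in blocks]


def roundtrip_ok(blocks=CIPHERTEXT) -> bool:
    """Re-encrypt the recovered blocks with the public exponent; must give the ciphertext back."""
    return [modexp(m, E, N) for m in decrypt_blocks(blocks)] == list(blocks)


if __name__ == "__main__":
    print("key consistent:", check_key())
    print("plaintext blocks:", decrypt_blocks())   # integers; the thread does not give the encoding
    print("round trip:", roundtrip_ok())
```

Python's built-in pow(c, d, n) does the same job in C; the hand-written loop is there to show the exponent being consumed bit by bit, which is also the shape of the timing-leaking "branch on a key bit" that constant-time implementations go to some trouble to avoid.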
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: letter-frequency software
Date: 31 Dec 1999 22:01:35 GMT
In <Hcab4.3892$[EMAIL PROTECTED]> "Colonel Mustard"
<[EMAIL PROTECTED]> writes:
]You can find the GNU C++ compiler for free at
]http://agnes.dida.physik.uni-essen.de/~janjaap/mingw32/download.html
]or a zip version of all the packages at
]http://www.seg.etsmtl.ca/inf125/Documents/Gcc.exe
]It's 7 Mb and it is working under windows.
]Have fun!
]r.e.s. <[EMAIL PROTECTED]> wrote in message:
]84e1m6$75r$[EMAIL PROTECTED]
]> At http://www.und.nodak.edu/org/crypto/crypto/stattools/
]> there is C source code for a program (letcount.c), to do
]> some simple letter-frequency analysis, but, unfortunately,
]> I don't have access to a C-compiler. Does anyone know
]> where an executable version of this might be found?
]> (preferably for win98, but even DOS will do ;)
Actually, with a bit of work, awk will do fine for reasonable length
text.
If you want to preserve spaces, replace spaces by some other character
like *. Then break up the text into one character per line. Then use awk
with its associative arrays.
Eg
cat document.txt | awk '{f[$1]++} END{for (j in f) print j, " ", f[j]}' | sort -k2,2n   # single letters
cat document.txt | awk 'NR>1{f[i" "$1]++} {i=$1} END{for (j in f) print j, " ", f[j]}' | sort -k3,3n   # pairs
cat document.txt | awk 'NR>2{f[j" "i" "$1]++} NR>1{j=i} {i=$1} END{for (k in f) print k, " ", f[k]}' | sort -k4,4n   # triples
This will count the frequency of all one, two and three letter
combinations in the text. (document.txt is the one with all letters one
to a line. If you are doing a Playfair, then document.txt would be the
one with all pairs on a single line, etc.)
------------------------------
From: "P. Daniel Suberviola, II" <[EMAIL PROTECTED]>
Subject: meet-in-the-middle attack for triple DES
Date: Fri, 31 Dec 1999 16:02:45 -0600
Hello, everyone.
I am a high school senior working on an independent DES project. I posted
here last week, so some of you may have seen my earlier post. I have been
reading Bruce Schneier's _Applied Cryptography_ and am having difficulty
understanding his explanations of cryptanalysis. Specifically, I do not
understand how a meet-in-the-middle attack works for triple DES.
According to Schneier,
C = EK3(DK2(EK1(P))) and P = DK1(EK2(DK3(C))).
That part makes sense. However, he claims that there is a meet-in-the-middle
attack to break this. Could someone please briefly explain to me how this
would be done?
Further, I have a more general question regarding the meet-in-the-middle
attack described for triple encryption using only two keys.
On page 358, according to Schneier,
"In this attack, the cryptanalyst knows P1, C1, P2, C2, such that C1 =
EK2(DK1(P1)) and C2 = EK2(DK1(P2))."
This is wonderful, but how would it help in the real world? It seems to me
like circular logic; if you already know the plaintext and ciphertext, what
good is it to know the keys? Further, how would this help you in real life
over a brute-force attack, since when you really need to break something you
will know absolutely nothing except for the ciphertext and the keys are sure
to be different? I'd appreciate it very much if someone could clear all of
this up for me.
Thank you very much for your time and patience in bearing with me. Replies
to both this newsgroup and my e-mail at [EMAIL PROTECTED] are welcome,
although the latter is preferable.
Happy New Year's, everyone!
-- P. Daniel Suberviola, II
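As an added example (mine, not Schneier's text or code from the post): the meet-in-the-middle attack on double encryption C = E_K2(E_K1(P)), which is the building block behind the triple-DES attacks Schneier discusses; the two-key triple-DES attack on p. 358 is a different, chosen-plaintext attack and is not reproduced here. The cipher is a constructed 16-bit toy so that a full 2^16-entry table fits in memory and the run takes about a second; the known (P, C) pairs are constructed from a secret key pair. On the "circular logic" question: the pairs are a known-plaintext assumption, and what the attack returns is the key, which then decrypts every other message sent under it.

```python
# Added example: meet-in-the-middle against double encryption with a constructed
# 16-bit toy block cipher. Not Schneier's code; the cipher is deliberately tiny.
MASK = 0xFFFF
KEY_BITS = 16
SUBKEY_ROT = (1, 6, 11, 0)      # how far the key is rotated to form each round's subkey


def rotl16(x: int, r: int) -> int:
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK


def subkeys(k: int) -> list:
    return [rotl16(k, r) for r in SUBKEY_ROT]


def encrypt(k: int, x: int) -> int:
    """Toy cipher: xor the key, rotate left by 3, add a round subkey. Invertible, not secure."""
    for sk in subkeys(k):
        x ^= k
        x = ((x << 3) | (x >> 13)) & MASK
        x = (x + sk) & MASK
    return x


def decrypt(k: int, x: int) -> int:
    for sk in reversed(subkeys(k)):
        x = (x - sk) & MASK
        x = ((x >> 3) | (x << 13)) & MASK
        x ^= k
    return x


def double_encrypt(k1: int, k2: int, p: int) -> int:
    return encrypt(k2, encrypt(k1, p))


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) blocks all made with the same (k1, k2).
    Returns (surviving key pairs, number of candidates after the first pair).

    Work: 2**KEY_BITS encryptions to build the table and 2**KEY_BITS decryptions to probe
    it, against 2**(2*KEY_BITS) double encryptions for brute force over both keys."""
    p0, c0 = pairs[0]
    table = {}                                   # E_k1(p0) -> every k1 that produces it
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(k1, p0), []).append(k1)
    candidates = []                              # k1 and k2 "meet" when E_k1(p0) == D_k2(c0)
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(k2, c0), ()):
            candidates.append((k1, k2))
    # One 16-bit (P, C) pair cannot pin down 32 bits of key: about 2**16 false pairs
    # survive it. The extra known pairs are what remove them.
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:])]
    return survivors, len(candidates)


# Constructed demo data: a secret key pair and three plaintext blocks the attacker knows.
SECRET_K1, SECRET_K2 = 0xBEEF, 0x1234
KNOWN_PAIRS = [(p, double_encrypt(SECRET_K1, SECRET_K2, p)) for p in (0x0000, 0x4141, 0xC0DE)]


def recover_keys(pairs=KNOWN_PAIRS) -> list:
    return meet_in_the_middle(pairs)[0]


if __name__ == "__main__":
    survivors, after_one = meet_in_the_middle(KNOWN_PAIRS)
    print(f"{after_one} candidate key pairs after one (P, C), {len(survivors)} after three")
    print("recovered:", [(hex(a), hex(b)) for a, b in survivors])
```

With real 56-bit DES keys the same table has 2^56 entries, which is why this is a time-memory trade-off rather than a practical break of double DES, and why triple DES was chosen over double DES in the first place.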
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: The Cipher Challenge from the Code Book
Date: 31 Dec 1999 22:09:36 GMT
In <[EMAIL PROTECTED]> Sisson <[EMAIL PROTECTED]> writes:
>Hello All!
>Could someone help me with Stage 3: Monoalphabetic Cipher with
>Homophones
>my main question is, what does "Monoalphabetic Cipher with Homophones"
>mean? is it Homophonic substitution (p52)? if it is, why is the example
>of the book numerical, and why when put through frequency analysis Q
>has 18.4%?
>I have attached (zipped) an excel file that contains all my work so far
You do not really want someone else to solve it for you, do you?
You are on the right path doing freq analysis of the text. Note the
difference between stage 1 and 2 solutions and see if this hints at
something.
As a general comment re breaking ciphers, for one source on freq
analysis in various European languages see
http://www.fortunecity.com/skyscraper/coding/379/lesson6.htm and lesson
7.
The reason that the example in the text used numbers was because they are
using a lot of "homophones" to stand for each letter. There are not
enough letters in the alphabet to let each unencrypted letter stand for
many encrypted letters.
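An added example (not from any of the posts) that serves both the letter-frequency thread above and this question: a homophonic substitution that gives each letter a share of the 100 two-digit symbols in proportion to its frequency, a plain monoalphabetic substitution beside it, and the single-symbol frequency count applied to both. The letter-frequency table is approximate and the sample paragraph is a constructed input of mine.

```python
# Added example, not from either post: how homophones spread the frequency counts that
# break a monoalphabetic substitution, and why a table of them is written with numbers.
from collections import Counter
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate English letter frequencies in percent (assumed; used only to size the table).
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3, "H": 6.1,
    "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4, "W": 2.4, "F": 2.2,
    "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0, "K": 0.8, "J": 0.15, "X": 0.15,
    "Q": 0.1, "Z": 0.07,
}
MONO_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"   # one fixed permutation of the alphabet
# Constructed sample plaintext.
SAMPLE = ("The committee met again on Thursday evening to settle the remaining questions "
          "about the new reading room. Three members were absent and one arrived late, so "
          "the chair delayed the first vote until everyone present had seen the revised "
          "estimate. The treasurer then read the figures aloud and answered every question "
          "in detail.")


def apportion(weights: dict, total: int) -> dict:
    """Integer shares proportional to weights, summing to total, each at least 1
    (largest-remainder method)."""
    scale = total / sum(weights.values())
    shares, remainders = {}, {}
    for k, w in weights.items():
        exact = w * scale
        shares[k] = max(1, int(exact))
        remainders[k] = exact - int(exact) if exact >= 1 else -1.0
    while sum(shares.values()) < total:        # leftovers go to the largest remainders
        k = max(remainders, key=remainders.get)
        shares[k] += 1
        remainders[k] = -1.0
    while sum(shares.values()) > total:        # only if the minimum-of-1 floors overshoot
        k = max(shares, key=shares.get)
        shares[k] -= 1
    return shares


def build_homophone_table(seed: int = 0) -> dict:
    """26 letters cannot supply a dozen homophones for E, but the 100 two-digit numbers can:
    each letter gets a block of them in proportion to its frequency."""
    pool = [f"{n:02d}" for n in range(100)]
    random.Random(seed).shuffle(pool)
    table, pos = {}, 0
    for letter, n in apportion(ENGLISH_FREQ, 100).items():
        table[letter] = pool[pos:pos + n]
        pos += n
    return table


def monoalphabetic_encrypt(text: str, key: str = MONO_KEY) -> str:
    return "".join(key[ALPHABET.index(ch)] for ch in text.upper() if ch in ALPHABET)


def homophonic_encrypt(text: str, table: dict, seed: int = 1) -> list:
    """Each plaintext letter becomes one of its homophones, chosen at random."""
    rng = random.Random(seed)
    return [rng.choice(table[ch]) for ch in text.upper() if ch in table]


def top_symbol_share(symbols) -> float:
    """Fraction of the ciphertext taken by its most frequent symbol: the number a
    frequency count exploits."""
    counts = Counter(symbols)
    return max(counts.values()) / sum(counts.values())


def compare(seed: int = 0) -> dict:
    """Top-symbol share of the same plaintext under both ciphers."""
    table = build_homophone_table(seed)
    return {"monoalphabetic": top_symbol_share(monoalphabetic_encrypt(SAMPLE)),
            "homophonic": top_symbol_share(homophonic_encrypt(SAMPLE, table))}


if __name__ == "__main__":
    table = build_homophone_table()
    print("homophones for E:", table["E"], " for Z:", table["Z"])
    for name, share in compare().items():
        print(f"{name:>14}: most frequent symbol is {share:.1%} of the text")
```

The single-letter count goes flat under the homophones, but digraph and trigraph counts of the kind the awk lines above produce still carry information, since a homophone for T followed by one for H remains a TH; that is the handle a solver keeps.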
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************