Cryptography-Digest Digest #817, Volume #10       Sat, 1 Jan 00 02:13:02 EST

Contents:
  Re: Encryption:  Do Not Be Complacent (Guy Macon)
  Re: letter-frequency software ("r.e.s.")
  Re: Cryptanalysis (Jim Reeds)
  Re: Cryptanalysis (Ornie Kamyl)
  Re: File format for CipheSaber-2? (Johnny Bravo)
  Re: File format for CipheSaber-2? (Johnny Bravo)
  Re: Prime series instead (Re: Pi) (Matthew Montchalin)
  Re: Attacks on a PKI (Greg)
  Re: Q: Cryptanalysis Shareware? (nnburk)
  Re: The Cipher Challenge from the Code Book (Sisson)
  Re: The Cipher Challenge from the Code Book (Sisson)
  Re: Are PGP primes truly verifiable? (Scott Fluhrer)
  Re: Attacks on a PKI ("Lyal Collins")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: alt.privacy,talk.politics.crypto,talk.politics.misc,talk.politics.drugs
Subject: Re: Encryption:  Do Not Be Complacent
Date: 31 Dec 1999 17:13:36 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Anthony Stephen 
Szopa) wrote:

>> So the most secure method would be:
>>
>> Hire two Navajo Code Talkers. Have one encode your message into ciphered
>> Navajo, voice recorded into a digital file. Then encrypt the file before
>> attaching it. The receiver of the message first decrypts it, then lets
>> his own Navajo Code Talker listen to the recording and decipher the
>> message.

Good method if your attacker is the third reich, not so good if your
attacker is an NSA lab on the Arizona/New Mexico border...

I have a better language choice; teen!  Try to decode this message:

"So I'm all like, you know and then he's like totally DUH and i'm like,
you know NOT a he gets SO two weeks ago so now I'M all duh, and he
spazes like totally but still kinda tubular, you know?"

The only better choice would be cockney rhyming slang.  (guess the
encoding method that changes "fart" to "raspberry", "coat" to
"quaker", and "stairs" to "apples"...)



------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: letter-frequency software
Date: Fri, 31 Dec 1999 15:30:08 -0800

"Bill Unruh" <[EMAIL PROTECTED]> wrote ...
: ]r.e.s. <[EMAIL PROTECTED]> wrote in message:

[... re C program to do letter frequency analysis...]

: Actually, with a bit of work, awk will do fine for reasonable length
: text.
: If you want to preserve spaces, replace spaces by some other character
: like *. Then break up the text into one character per line.  Then use awk
: with its associative arrays.
: E.g.
: cat document.txt | awk 'BEGIN{N=0} {f[$1]++} END{for (j in f) print j, " ", f[j]}' | sort -k2,2n
: cat document.txt | awk 'BEGIN{N=0} N>0{f[i" "$1]++} {i=$1; N++} END{for (j in f) print j, " ", f[j]}' | sort -k3,3n
: cat document.txt | awk 'BEGIN{N=0} N>1{f[j" "i" "$1]++} N>0{j=i} {i=$1; N++} END{for (k in f) print k, " ", f[k]}' | sort -k4,4n
:  This will count the frequency of all one, two and three letter
: combinations in the text. (document.txt is the one with all letters one
: to a line. If you are doing a Playfair, then document.txt would be the
: one with all pairs on a single line, etc.)

<humor> Which icon do I click on my Win98 desktop? </humor>
Thanks for the info -- on behalf of the Unix users among us ;-)

--
r.e.s.
[EMAIL PROTECTED]
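The awk pipeline quoted above, rewritten as a small Python module so the same one-, two- and three-letter counts can be produced (and checked) without a Unix shell. This is an added example and is not code from either poster; the sample text is constructed, and the `*` space marker and the "all pairs on a single line" Playfair view follow Bill Unruh's description. It also adds one thing the post only hints at: a non-overlapping mode, which is the digraph count a Playfair analysis needs.

```python
"""N-gram frequency counting, the Python counterpart of the quoted awk pipeline
(added example, not from the original post). Spaces are kept by mapping them to
'*' as the post suggests; every other non-letter character is dropped."""
from collections import Counter

SPACE_MARKER = "*"


def prepare(text: str) -> str:
    """Lower-case the text, keep letters, turn spaces into SPACE_MARKER, drop the rest."""
    out = []
    for ch in text.lower():
        if ch.isalpha():
            out.append(ch)
        elif ch == " ":
            out.append(SPACE_MARKER)
    return "".join(out)


def ngram_counts(text: str, n: int, overlapping: bool = True) -> Counter:
    """Count n-grams of the prepared text.

    overlapping=True slides one symbol at a time, which is what the awk
    one-liners do with one letter per line.  overlapping=False steps n symbols
    at a time: the 'all pairs on a single line' view for a Playfair digraph count.
    """
    s = prepare(text)
    step = 1 if overlapping else n
    return Counter(s[i:i + n] for i in range(0, len(s) - n + 1, step))


def ranked(counts: Counter, top=None):
    """Rows of (ngram, count, percent), most frequent first, ties alphabetical
    (the sort -n step of the pipeline, descending)."""
    total = sum(counts.values())
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(g, c, 100.0 * c / total) for g, c in rows[:top]]


SAMPLE = "the cat sat on the mat"  # constructed sample text

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"--- {n}-grams ---")
        for g, c, pct in ranked(ngram_counts(SAMPLE, n), top=5):
            print(f"{g!r:8} {c:3d} {pct:5.1f}%")
    print("--- non-overlapping pairs (Playfair view) ---")
    print(ranked(ngram_counts(SAMPLE, 2, overlapping=False)))
```

For real cryptanalysis the percentages matter more than the raw counts, which is why `ranked` reports both; compare them against published tables for the language you suspect.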




------------------------------

From: [EMAIL PROTECTED] (Jim Reeds)
Subject: Re: Cryptanalysis
Date: Fri, 31 Dec 1999 23:27:15 GMT

 
|> I finally have the spelling down, it's "Schneier". But I'm still not sure
|> how to pronounce it.


Two syllables, Schnei + er.  The vowel sound of the first
syllable is that of the English word 'eye', that of the second
is that of 'her'.  If you know the German pronunciation
of the name Schneider, just leave out the 'd' sound.  Or:
replace the initial consonant sound of the name Meyer or 
Meier with that of 'shake'.

-- 
Jim Reeds, AT&T Labs - Research
Shannon Laboratory, Room C229, Building 103
180 Park Avenue, Florham Park, NJ 07932-0971, USA

[EMAIL PROTECTED], phone: +1 973 360 8414, fax: +1 973 360 8178

------------------------------

From: [EMAIL PROTECTED] (Ornie Kamyl)
Subject: Re: Cryptanalysis
Date: Fri, 31 Dec 1999 23:45:55 GMT

[EMAIL PROTECTED] (Jim Reeds) wrote:

>Two syllables, Schnei + er.  The vowel sound of the first
>syllable is that of the English word 'eye', that of the second
>is that of 'her'.  If you know the German pronunciation
>of the name Schneider, just leave out the 'd' sound.  Or:
>replace the initial consonant sound of the name Meyer or 
>Meier with that of 'shake'.

Thanks! That's very different from what I expected. I had only one syllable
in mind, rhyming with "clear".
-- 
"Ornie Kamyl" is actually [EMAIL PROTECTED] (7354 268901).
 01234 56789 <- Use this key to decode my email address and name.
              Play Five by Five Poker at http://www.5X5poker.com.

------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: File format for CipheSaber-2?
Date: Fri, 31 Dec 1999 21:11:22 GMT

On 31 Dec 1999 13:38:42 EST, [EMAIL PROTECTED] (Guy Macon) wrote:

>I printed this out and pondered it while eating breakfast, and I
>can't see a single thing about it that I don't like.  One question
>occurs to me though; is there any reason to favor the end of the
>IV over the start?  I would pick the end as you did if there isn't
>a good reason to do otherwise.

  No real reason, it could easily be the first two bytes.  With N>10
or so the entire IV will get mixed very well with the passphrase, even
if the passphrase is a full 246 bytes.  Most N values should be at
least 1000, as that will represent a fraction of a second delay on any
pentium class PC. (even the lowly P75 I have in the other room :)

  Best Wishes,
    Johnny Bravo


------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: File format for CipheSaber-2?
Date: Fri, 31 Dec 1999 21:34:18 GMT

On 31 Dec 1999 10:41:17 -0000, Paul Crowley
<[EMAIL PROTECTED]> wrote:

>So what I meant to specify was that CipherSaber-3 mandate that at
>least 256 bytes of output be discarded, to avoid Andrew Roos' weak key
>problems.  Obviously I'm not suggesting we mandate 2^256 discards...

  You can avoid the weak key problem in one of two ways.
1) key[0]+key[1] mod 256 != 0
  Just requiring that the first two characters of the passphrase be
printable ASCII will never allow a weak key to be generated.  It is
practical in that not many people are using non-printable characters
in passphrases.  Plus it is CS-1 compatible, as the CS-1 pages point
out weak keys and how not to pick one. :)

2) Discard the first byte of output.
  Roos' weak keys only affect the first byte.

>One goal of my CS-3 is to be as nasty as possible to passphrase
>guessing attacks.  With this proposal, any such attack has to decide
>on a maximum number of repeats to try before giving in.  You set such
>a maximum, and search, and fail: now, did you fail to generate the
>right passphrase or did you just set the maximum too low?

  Incremented guesses add log2(max guesses) to the bits of entropy in
the key.  For a properly chosen passphrase, you won't need the extra
bits.  But for poor passphrases the added security would be useful.
Given the overhead, an attacker could make a good guess for the max
guesses based on how long the attacker thinks you will wait for the
message to decode.
  If I can get 2500 N per second, there isn't much chance that I'm
using N values in the ten million plus range, but an attacker assuming
that I will wait for up to an hour to decrypt each message adds
about 23 bits to the keyspace.
  I'd rather choose a stronger passphrase to get those extra bits, and
the type of people who would choose weak passphrases aren't going to
wait 30 seconds much less an hour for a decrypt. :)

  Best Wishes,
    Johnny Bravo
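The points made in Johnny Bravo's two replies above (the IV being mixed in through N repetitions of the key setup, the two ways of avoiding Roos' weak keys, and the log2(max N) estimate) as one runnable experiment. This is an added example and is not CipherSaber's reference code. Two things are assumptions made here and marked in comments: CipherSaber-2 is modelled as repeating the RC4 mixing loop `rounds` times with j carried across repetitions, and the RC4 key is the passphrase with the IV appended. Everything else is standard RC4, checked against a published test vector.

```python
"""RC4 key setup in the CipherSaber style, plus the Roos weak-key checks from
the discussion (added example; not CipherSaber's own code)."""
import math


def rc4_ksa(key: bytes, rounds: int = 1) -> list:
    """RC4 key scheduling.  rounds=1 is plain RC4 (CipherSaber-1).
    Assumption: CipherSaber-2 style mixing repeats the loop N times without
    resetting j, so every key/IV byte influences S many times over."""
    S = list(range(256))
    j = 0
    for _ in range(rounds):
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, rounds: int = 1, drop: int = 0) -> bytes:
    """n keystream bytes after discarding the first `drop` bytes (option 2 in the post)."""
    S = rc4_ksa(key, rounds)
    i = j = 0
    out = bytearray()
    for _ in range(n + drop):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])


def rc4_crypt(key: bytes, data: bytes, rounds: int = 1, drop: int = 0) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), rounds, drop)))


def ciphersaber_key(passphrase: bytes, iv: bytes) -> bytes:
    """Assumption: the RC4 key is passphrase || IV (CipherSaber appends a 10-byte IV)."""
    return passphrase + iv


def is_roos_weak(key: bytes) -> bool:
    """Roos' weak-key class: key[0] + key[1] == 0 (mod 256)."""
    return (key[0] + key[1]) % 256 == 0


def printable_prefix_never_weak() -> bool:
    """Option 1 in the post: two printable-ASCII bytes (32..126) sum to 64..252,
    so they can never be 0 mod 256.  Checked exhaustively."""
    return not any(is_roos_weak(bytes([a, b]))
                   for a in range(32, 127) for b in range(32, 127))


def first_byte_bias(keys, drop: int = 0) -> float:
    """Fraction of keys whose first *kept* keystream byte equals key[2] + 3, the
    value Roos' weak keys leak.  Unbiased output would give about 1/256."""
    hits = sum(rc4_keystream(k, 1, drop=drop)[0] == (k[2] + 3) % 256 for k in keys)
    return hits / len(keys)


# Constructed key sets: 3 + 253 == 256 puts WEAK_KEYS in Roos' class;
# STRONG_KEYS differ only in the second byte.
WEAK_KEYS = [bytes([3, 253, c, d, 77]) for c in range(256) for d in range(4)]
STRONG_KEYS = [bytes([3, 100, c, d, 77]) for c in range(256) for d in range(4)]


def extra_bits(iterations_per_second: float, seconds: float) -> float:
    """The post's estimate: if the attacker must try every N up to what a user
    would wait for, each passphrase guess costs log2(max N) bits more work."""
    return math.log2(iterations_per_second * seconds)


if __name__ == "__main__":
    print("weak keys, byte 0 == key[2]+3:", first_byte_bias(WEAK_KEYS))
    print("strong keys, byte 0 == key[2]+3:", first_byte_bias(STRONG_KEYS))
    print("weak keys after dropping one byte:", first_byte_bias(WEAK_KEYS, drop=1))
    print("bits gained by an hour at 2500 N/s:", round(extra_bits(2500, 3600), 1))
```

Run it and the weak-key set shows the first byte equal to key[2]+3 far more often than 1 in 256, while the same keys with one byte discarded, or keys outside the class, sit near the unbiased rate; the printable-ASCII rule is checked by enumeration rather than argued.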


------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Subject: Re: Prime series instead (Re: Pi)
Date: Fri, 31 Dec 1999 19:25:53 -0800

On 31 Dec 1999, NFN NMI L. wrote:

|The summation of the reciprocals of all the primes is infinite. Who knows what
|happens when you have alternating subtraction and addition?
|
|S. "log log log N? Holy cow" L.

Well, it *looked* like I was getting a pattern, depending on whether the
last operation performed was addition or subtraction...


------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Sat, 01 Jan 2000 03:28:44 GMT

I would like to apologize for my remarks about Bruce's
opinion on the nsa key.  If I offended any readers, please
forgive me.

> I just read one of Bruce's articles thanks to the URL you gave.
> It was on the NSA key.  He said:
>
>     Suddenly there's a flurry of press activity because
>     someone notices that the second key in Microsoft's
>     Crypto API in Windows NT Service Pack 5 is called
>     "NSAKEY" in the code. Ah ha! The NSA can sign crypto
>     suites. They can use this ability to drop a Trojaned
>     crypto suite into your computers. Or so the conspiracy
>     theory goes.
>
>     I don't buy it.
>
>     First, if the NSA wanted to compromise Microsoft's
>     Crypto API, it would be much easier to either 1) convince
>     MS to tell them the secret key for MS's signature key,
>     2) get MS to sign an NSA-compromised module, or
>     3) install a module other than Crypto API to break
>     the encryption (no other modules need signatures).
>     It's always easier to break good encryption by attacking
>     the random number generator than it is to brute-force the
>     key.
>
> Now I know that Bruce is almost a God to some, and is a God
> to others.  That is their problem, not mine.  Bruce has
> fallen from any grace he had with me on these statements.
> Everything he said is correct, but he is forming an assumption
> as a result of his statements that is not a logical conclusion.
>
> CLEARLY, Microsoft could have given NSA a key of their own
> and he is discounting this as a non option.  Clearly that is
> what this key is about- regardless of why it is there.
> Clearly, this is no spare.  It belongs to someone and the
> name was left attached to it one day for all of us to see
> who it belonged to.  You have to be blind and dumb not to
> notice.
>
> --
> The only vote that you waste is the one you never wanted to make.
> RICO- we were told it was a necessary surrender of our civil liberties.
> Asset Forfeiture- the latest inevitable result of RICO.
> http://www.ciphermax.com/book
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>

--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: nnburk <[EMAIL PROTECTED]>
Subject: Re: Q: Cryptanalysis Shareware?
Date: Fri, 31 Dec 1999 22:02:12 -0600
Reply-To: [EMAIL PROTECTED]

modokon wrote:
> 
> Hello,
> Is there any share/free ware that will enable me to play
> with encrypted messages (e.g. transposition etc). I'm
> reading Simon Singh's "The Code Book" and would like to scan
> it in & play a little without having to program in BASIC!
> Thank for any pointers,
> Joe

Go here: <http://ftpsearch.ntnu.no/>

and look for cryptaid.zip

------------------------------

From: Sisson <[EMAIL PROTECTED]>
Subject: Re: The Cipher Challenge from the Code Book
Date: Sat, 01 Jan 2000 05:23:23 GMT

No, you're right, I don't want someone to crack it for me, but having an example
of the process of enciphering would help me, leaving only the key to be solved.

Thanks,
Spendabuck

Bill Unruh wrote:

> In <[EMAIL PROTECTED]> Sisson <[EMAIL PROTECTED]> writes:
>
> >Hello All!
> >Could someone help me with Stage 3: Monoalphabetic Cipher with
> >Homophones
>
> >my main question is, what does "Monoalphabetic Cipher with Homophones"
> >mean? Is it Homophonic substitution (p52)? If it is, why is the example
> >of the book numerical, and why, when put through frequency analysis, does Q
> >have 18.4%?
>
> >I have attached (zipped) an excel file that contains all my work so far
>
> You do not really want someone else to solve it for you, do you?
> You are on the right path doing freq analysis of the text. Note the
> difference between stage 1 and 2 solutions and see if this hints at
> something.
>
> As a general comment re breaking ciphers, for one source on freq
> analysis in various European languages see
> http://www.fortunecity.com/skyscraper/coding/379/lesson6.htm  and lesson
> 7.
>
> The reason that the example in the text used numbers was because they are
> using a lot of "homophones" to stand for each letter. There are not
> enough letters in the alphabet to let each unencrypted letter stand for
> many encrypted letters.

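The "example of the process of enciphering" asked for above, as an added illustration that is not taken from the Code Book or from either poster: a monoalphabetic cipher with homophones, where each letter owns several numeric cipher symbols (hence the numbers in the book's example) and common letters own more of them. The letter-frequency table, the sample plaintext and the shuffle seed are constructed for this example; `max_share` is the single number a plain frequency count looks for, so comparing it before and after enciphering shows why counting alone stops working.

```python
"""Monoalphabetic substitution with homophones (added example, not from the
Code Book).  Each letter gets a number of three-digit symbols roughly
proportional to its English frequency; the symbols of a letter are used in
rotation, so every symbol ends up with about the same share of the ciphertext."""
from collections import Counter
from itertools import cycle
import random

# Approximate English letter frequencies in percent (constructed, rounded table).
ENGLISH_PCT = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3, "H": 6.1,
    "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4, "W": 2.4, "F": 2.2,
    "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0, "K": 0.8, "J": 0.15, "X": 0.15,
    "Q": 0.1, "Z": 0.07,
}


def make_homophone_key(seed: int = 1) -> dict:
    """Give each letter max(1, round(pct)) symbols drawn from a shuffled pool of
    three-digit numbers.  The returned dict (letter -> list of symbols) is the key."""
    slots = {letter: max(1, round(pct)) for letter, pct in ENGLISH_PCT.items()}
    pool = [f"{i:03d}" for i in range(sum(slots.values()))]
    random.Random(seed).shuffle(pool)  # toy key: a seeded shuffle, not a real secret
    key, pos = {}, 0
    for letter, n in slots.items():
        key[letter] = pool[pos:pos + n]
        pos += n
    return key


def encipher(plaintext: str, key: dict) -> list:
    """Letters only (spaces and punctuation are dropped, as in the book's ciphertexts);
    each letter's symbols are used in rotation."""
    rotation = {letter: cycle(symbols) for letter, symbols in key.items()}
    return [next(rotation[ch]) for ch in plaintext.upper() if ch in rotation]


def decipher(symbols: list, key: dict) -> str:
    inverse = {sym: letter for letter, syms in key.items() for sym in syms}
    return "".join(inverse[s] for s in symbols)


def max_share(items) -> float:
    """Share of the most common item: the peak a frequency count looks for."""
    counts = Counter(items)
    return max(counts.values()) / sum(counts.values())


SAMPLE = ("HOMOPHONIC SUBSTITUTION ASSIGNS SEVERAL CIPHER SYMBOLS TO EACH COMMON LETTER "
          "SO THAT EVERY SYMBOL APPEARS ABOUT EQUALLY OFTEN IN THE CIPHERTEXT AND SIMPLE "
          "LETTER COUNTING NO LONGER REVEALS THE PLAINTEXT LETTERS")  # constructed

if __name__ == "__main__":
    key = make_homophone_key()
    ct = encipher(SAMPLE, key)
    print(" ".join(ct))
    letters = [c for c in SAMPLE if c.isalpha()]
    print(f"top plaintext letter share:  {max_share(letters):.1%}")
    print(f"top ciphertext symbol share: {max_share(ct):.1%}")
    print("round trip ok:", decipher(ct, key) == SAMPLE.replace(" ", ""))
```

Note what the scheme does and does not hide: single-symbol frequencies flatten out, but because each symbol still stands for exactly one letter, contacts between symbols (which symbols follow which) keep the structure of the language, which is why the solving advice in the thread starts from frequency analysis and then looks further.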

------------------------------

From: Sisson <[EMAIL PROTECTED]>
Subject: Re: The Cipher Challenge from the Code Book
Date: Sat, 01 Jan 2000 05:29:47 GMT

Oh, yes, and Stage 2 was in Latin, and Stage 4 in French, so is this also a different
language?

Thanks,
From Spendabuck

PS sorry if someone reading this didn't want any help on Stage 2/4, and now I've
ruined it for them!

Bill Unruh wrote:

> In <[EMAIL PROTECTED]> Sisson <[EMAIL PROTECTED]> writes:
>
> >Hello All!
> >Could someone help me with Stage 3: Monoalphabetic Cipher with
> >Homophones
>
> >my main question is, what does "Monoalphabetic Cipher with Homophones"
> >mean? Is it Homophonic substitution (p52)? If it is, why is the example
> >of the book numerical, and why, when put through frequency analysis, does Q
> >have 18.4%?
>
> >I have attached (zipped) an excel file that contains all my work so far
>
> You do not really want someone else to solve it for you, do you?
> You are on the right path doing freq analysis of the text. Note the
> difference between stage 1 and 2 solutions and see if this hints at
> something.
>
> As a general comment re breaking ciphers, for one source on freq
> analysis in various European languages see
> http://www.fortunecity.com/skyscraper/coding/379/lesson6.htm  and lesson
> 7.
>
> The reason that the example in the text used numbers was because they are
> using a lot of "homophones" to stand for each letter. There are not
> enough letters in the alphabet to let each unencrypted letter stand for
> many encrypted letters.


------------------------------

From: Scott Fluhrer <[EMAIL PROTECTED]>
Subject: Re: Are PGP primes truly verifiable?
Date: Sat, 01 Jan 2000 06:03:29 GMT

In article <8433nt$60r$[EMAIL PROTECTED]>,
        Bob Silverman <[EMAIL PROTECTED]> wrote:
>In article <8430ml$46t$[EMAIL PROTECTED]>,
>  Greg <[EMAIL PROTECTED]> wrote:
>>
>> > > Wouldn't the decryption process not work if one of the "primes" was
>> > > actually composite?
>>
>> > The decryption would work.
>
>More nonsense.  The decryption would work ONLY if N were a
>Carmichael number.  But if  N = pq  is a mere M-R pseudoprime,
>then when you compute the private exponent  as d = e^-1  mod phi(N),
>this value of d will be incorrect since your presumed value for
>phi(N),  namely (p-1)(q-1) will not be correct.

Errr, Bob, I suggest you may want to rethink this one.  If p is
prime and q is a Carmichael number s.t. k*phi(q) = (q-1), (and p
and q are relatively prime), then,

k*phi(pq) = phi(p)*k*phi(q) = (p-1)*(q-1)

And so, if the public/private exponents are computed s.t.

ed = 1 mod (p-1)*(q-1)

then:

ed = 1 mod phi(pq)

(which is what RSA really needs) and so decryption works.
>
>
>>  But since the modulus would contain
>> > smaller factors, it would be easier to factorise.
>
>No.   Suppose you generate p and q as random 512 bit primes
>and (horror!)  it turns out that  p is the product of a 200 and a 312
>bit prime.  The product pq  is not any easier to factor in this case than
>if p and q were both prime.  It is still well out of reach of the
>Elliptic Curve factoring algorithm,  and the Number Field Sieve
>doesn't care how many factors N has.
Yes, it is only a problem if (say) p is a Carmichael number with small
factors, which could be found (if the attacker suspects) by, for
example, the Pollard rho method.  This is possible, if not
very likely.

-- 
poncho
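The exchange above, run as an experiment: RSA key generation that believes a composite q is prime, once with q a Carmichael number (decryption keeps working, Fluhrer's point) and once with an ordinary composite (it does not, Silverman's point). This is an added example and is not code from either poster; the toy parameters p = 43, q = 561 = 3·11·17 (the smallest Carmichael number) and q = 33 are constructed here, and the modulus is small enough to check every message exhaustively. One detail of the notation: Fluhrer writes the condition as k·phi(q) = q−1; the quantity that actually divides q−1 for a Carmichael number is the Carmichael function λ(q) (for 561, λ = 80 and 560 = 7·80, whereas phi(561) = 320 does not divide 560), so the example states the condition with λ, under which the rest of his argument goes through unchanged.

```python
"""RSA with a composite that survived primality testing (added example; the
parameters are constructed toys, not anything from the thread)."""
from math import gcd, lcm


def factorize(n: int) -> dict:
    """Trial-division factorisation, adequate for the toy sizes used here."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def carmichael_lambda(n: int) -> int:
    """Carmichael's function: the smallest L with a^L == 1 (mod n) for all a coprime to n."""
    result = 1
    for p, k in factorize(n).items():
        part = 2 ** (k - 2) if (p == 2 and k >= 3) else (p - 1) * p ** (k - 1)
        result = lcm(result, part)
    return result


def is_carmichael(n: int) -> bool:
    """Korselt's criterion: composite, square-free, and (p-1) | (n-1) for every prime p | n."""
    f = factorize(n)
    return len(f) > 1 and all(k == 1 and (n - 1) % (p - 1) == 0 for p, k in f.items())


def fermat_passes_all_coprime_bases(n: int) -> bool:
    """A Carmichael number fools the Fermat test for every base coprime to it."""
    return all(pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1)


def naive_keypair(p: int, q: int, e: int):
    """Key generation that *believes* p and q are prime: d = e^-1 mod (p-1)(q-1)."""
    presumed_phi = (p - 1) * (q - 1)
    if gcd(e, presumed_phi) != 1:
        raise ValueError("e must be coprime to the presumed phi")
    return p * q, pow(e, -1, presumed_phi)


def decryption_always_works(p: int, q: int) -> bool:
    """m^(ed) == m for every m exactly when lambda(pq) divides (p-1)(q-1), the
    modulus the naive key generation used for d (Fluhrer's argument with lambda).
    Here lambda(pq) = lcm(p-1, lambda(q)), so it holds whenever lambda(q) | q-1."""
    return (p - 1) * (q - 1) % carmichael_lambda(p * q) == 0


def roundtrip_fraction(p: int, q: int, e: int) -> float:
    """Encrypt and decrypt every message mod n; return the share that comes back intact."""
    n, d = naive_keypair(p, q, e)
    ok = sum(pow(pow(m, e, n), d, n) == m for m in range(n))
    return ok / n


if __name__ == "__main__":
    for q, e in ((561, 11), (33, 5)):
        print(f"q={q}: Carmichael={is_carmichael(q)}, "
              f"lambda(q)={carmichael_lambda(q)} divides q-1: {(q - 1) % carmichael_lambda(q) == 0}, "
              f"roundtrip fraction={roundtrip_fraction(43, q, e):.4f}")
```

The second case is the one a key generator would silently ship if its primality test were weak: nothing fails at generation time, and only some fraction of messages decrypt correctly, which is why verifying that a candidate prime passes a strong test for many bases matters more than the one-off sanity check that "decryption works" on a single message.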




------------------------------

From: "Lyal Collins" <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI
Date: Sat, 1 Jan 2000 10:14:54 +1100

Timothy M. Metzinger wrote in message
<[EMAIL PROTECTED]>...
[snip]
>You don't really mean this, do you?
>
>Think of the difference between making a credit card purchase for less than
>1000 and then think of what happens when you buy a home.
[snip]

I surely do.
Perhaps I should have said "1 million transactions for $30 each", implying
the same person could do all those 1m transactions, rather than 1m different
people.

In both the cases mentioned, a series of paper signatures authorise the
transaction - when initially opening banking accounts, and when I paid for
the purchase(s).  If I use cash, no bank accounts are opened.

In the case of buying a home, a witness (or in some jurisdictions, a notary)
is needed, mainly to ensure that neither the buyer nor the seller is being
coerced at the time of signing.
That's all the authentication security there is.  All the rest is business
processes and rules.

In the paper-based world, there are different business rules, but the _same_
authentication security for different value transactions today.

The proven compromise of a single Private key, regardless of high or low
value does damage the _worth_ of the system.
Example 1:
A single compromise leading to a $1million incorrect/fraudulent transaction
leads to a worst case situation where $1m is lost, plus other participants
get very nervous (possibly leading to their withdrawal from the system).
Business rules over auditing, and the limited data to review means 1 fraud
should be picked up quickly.

Example 2:
A single compromise leading to a $30 incorrect/fraudulent transaction leads
to an immediate worst case of $30 dollars lost.  Now, through publicity and
FUD, the indirect value loss to this specific system equals $1m if just
33,333 other participants (3.3%) withdraw from the system.  I neglect the
costs from enabling those participants who withdraw from the system without
suffering a direct loss.   (Note that much of the "lost" value may still be
processed, but by a different system, possibly in a different channel.)
The same business and auditing rules as the prior example means it is likely
that a longer time will pass before the fraud is detected and response
initiated - days, possibly months.
Since it is cost effective for an attacker to attack a single $30
transaction, then it is equally or more cost effective (to the attacker) to
attack lots of $30 transactions within the detection/response window.  This
increases the loss potential.

This is the nature of systemic risk.  The _whole_ system must withstand
abuse, not just a single component of it (e.g. focussing on PKI and
neglecting OS security or CA procedures).

The returns available to an attacker must, in  both examples,  preclude the
attacker having sufficient incentive to attempt the launch of an effective
attack, by either complexity/time trade-offs, likelihood of being caught and
punished, or the system being infeasible to penetrate by any means.

The detect/respond time-windows are getting extremely short.  A single
Australian bank  has been quoted as processing 3.5 million debit/credit card
transactions on the Thursday before Christmas - or over 40
transactions/second.   As a worst case, this processing rate would see $1m
of fraudulent 30 dollar transactions processed in about 9.25 hours.

Remember, at the end of the day, all this technology must be paid for by
someone, both in implementation and operating costs.  If the technology
fails to add sufficient value to offset these costs, either directly or
indirectly, then no business manager will implement them (unless coerced, a
subject outside this list's scope), and no user will adopt the technology
(without coercion, either mandatory, or marketing based).

The user does have alternatives to electronic transactions - cash, cheques
and drafts have worked acceptably well for 3 centuries, and still do.

Lyal


Timothy M. Metzinger wrote in message
<[EMAIL PROTECTED]>...
>In article <Etxa4.5457$[EMAIL PROTECTED]>, "Lyal Collins"
><[EMAIL PROTECTED]> writes:
>
>>Why should the rules for 30 people doing $1m transactions be different from
>>those for 1 million people doing $30 transactions?
>
>You don't really mean this, do you?
>
>Think of the difference between making a credit card purchase for less than
>1000 and then think of what happens when you buy a home.
>
>Our society already has different processes for transactions of different
>value, and people are used to it, so I don't think they'll reject PKI because
>it's more cumbersome to have a high-value private key.
>
>Remember, compromise of an individual key doesn't compromise the whole system,
>unless it's the CA Key, and sometimes not even then.
>
>
>
>Tim Metzinger
>Timothy Metzinger
>Private Pilot - ASEL - IA!!!!  AOPA Project Pilot Mentor
>DOD # 1854   '82 Virago 750 - "Siobhan"
>Cessnas, Tampicos, Tobagos, and Trinidads at FDK
>



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
