Cryptography-Digest Digest #829, Volume #10       Mon, 3 Jan 00 12:13:01 EST

Contents:
  Re: meet-in-the-middle attack for triple DES (DJohn37050)
  Re: Prime series instead (Re: Pi) (John Myre)
  Re: crypto and it's usage (Keith Monahan)
  Re: Attacks on a PKI (Shawn Willden)
  Re: Attacks on a PKI (Shawn Willden)
  Re: Attacks on a PKI (Shawn Willden)
  Re: Wagner et Al. (Steve K)
  Re: stupid question (No Spam)
  Re: stupid question (No Spam)
  Re: Bits 1 to 3 (Re: question about primes) ("Tony T. Warnock")
  Re: Attacks on a PKI (Larry Kilgallen)
  Re: Wagner et Al. (Tom St Denis)
  Re: Prime series instead (Re: Pi) ([EMAIL PROTECTED])
  Re: crypto and it's usage (Steve K)
  Re: "Variable size" hash algorithm? ("Peter K. Boucher")
  Re: Prime series instead (Re: Pi) ("Tony T. Warnock")
  List of english words ("John Lupton")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: meet-in-the-middle attack for triple DES
Date: 03 Jan 2000 14:24:54 GMT

There are unique keys per transaction for PIN protection keys.  This idea has
been known.  A problem with it is the set up time, changing the key all the
time means normal performance speed ups are not possible.
Don Johnson

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Prime series instead (Re: Pi)
Date: Mon, 03 Jan 2000 07:33:46 -0700

"John E. Gwyn" wrote:
> 
> "NFN NMI L." wrote:
> > The summation of the reciprocals of all the primes is infinite. Who
> > knows what happens when you have alternating subtraction and addition?
> 
> I think it still diverges, but I don't have a proof.

Any alternating sum (alternating addition and subtraction) where the
terms decrease (to zero) converges.  Note that any two consecutive
values define boundaries on the sum; since the limit of the separation
of these values is zero then the sum is indeed defined.

(Picture the sums on the line; note that it goes back and forth,
each time moving a shorter distance; the sum converges because in
the limit the distance is zero).

John M.

------------------------------

From: Keith Monahan <[EMAIL PROTECTED]>
Subject: Re: crypto and it's usage
Date: Mon, 03 Jan 2000 14:58:21 GMT

Tom,

I use encryption on a daily basis to protect my privacy.  With
the government invading our privacy frequently, I feel it
is important to protect ourselves.  Who knows, what is legal
today might not be legal tomorrow.  It used to be legal to
listen to cellphones via a scanner -- now it's a big crime.
Incidentally, if the cellphone industry had taken steps to
protect people's privacy via encryption, they wouldn't have
had to lobby Congress so hard to ban the manufacturing of
cellphone receiving scanners.

This is why I like encryption.  Laws don't stop criminals because
criminals don't obey laws.  I don't want it *possible* to violate
my privacy by violating a simple law.  Because even putting that
person in jail DOES NOT GIVE ME MY PRIVACY BACK.

So, instead of protecting privacy via LAWS, our privacy has to
be guaranteed by technology.  And yes, I know we don't have
any provably secure USABLE algorithms for encryption.  I feel
an argument can be made that says that it is easier to break
an unenforceable law than it is to break Blowfish.  It all depends
on your threat model...

I run realtime on-the-fly harddrive encryption under Windows95.
Not the most secure platform, but I do things like disabling
virtual memory, clearing registry entries (like recent file entries),
wiping file slack space, wiping unused drive space, etc.  I'm
really trying to avoid the side-channel attacks as that is probably
more likely than someone breaking 256-bit Blowfish.  And plus,
I use good passphrases.

So, life threatening? No.  Important? Yes.

I also use PGP occasionally to exchange email between friends
when discussing things of a delicate nature.  And of course,
like the other gentleman mentioned, I use SSL to secure
private things like account balances at pitt.edu -- but never
my credit cards.

Sorry if this got a little OT,

Keith

Tom St Denis wrote:

> I was just wondering how many people here actually use crypto.  I mean
> almost anyone here can pull apart ideas and have fun, but does anyone
> use what's left?
>
> I personally use it just for fun, and sometimes to keep things
> private.  Nothing life threatening...  Anyone else?
>
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.


------------------------------

Date: Sun, 02 Jan 2000 17:54:56 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI

Mickey McInnis wrote:

> Do Netscape and IE require that the certificates be specific to the
> domain name, or does it just require that a certificate be used?

They check the domain name.  Of course, DNS is not a secure service and can be spoofed
easily by someone with appropriate access...

Shawn.

------------------------------

Date: Sun, 02 Jan 2000 18:05:53 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI

Greg wrote:

> > Do Netscape and IE require that the certificates be specific to the
> > domain name, or does it just require that a certificate be used?
> > If not, unless the user checks that the certificate matches
> > the domain, a man-in-the-middle could have a certificate of
> > his own and masquerade as the remote site by intercepting
> > all traffic the user sends.
>
> SSL can take care of this.  I am just surprised that it relies
> on a database local to IE.  That seems like a truly weak link.

No it isn't.  If an attacker can modify the data on your hard drive, you
have no security whatsoever.  If an attacker can modify your data, he can
modify your software, which can then do anything it likes with any
information you give it.  Ultimately you must operate under an assumption
of complete trust in all of the hardware and software in your machine.
More accurately, if you use your machine, then you *do* trust it, whether
you admit it or not.

Shawn.

------------------------------

Date: Sun, 02 Jan 2000 21:33:24 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: Attacks on a PKI

Greg wrote:

> Then all you need to do is compromise the IE database.
> What good is a database that holds such important
> information if it can be compromised to support a
> man in the middle attack so easily?

It's not necessary to compromise the database.  Just compromise the
software.  If you have the choice, it's a lot more effective.  If you
compromise the database you also have to compromise some appropriate bit of
the network and then perform an active, real-time attack.  If you
compromise the software and get it to e-mail you the info you're interested
in (to an anonymous account, of course), all you have to do is check your
e-mail occasionally.

> Even if it were encrypted, either the key is stored somewhere or
> it is well known and hidden in the binaries.

Why?  The key could be derived from a passphrase entered by the user.  This
is what Netscape does if you choose to use that option.

> I seriously did not
> expect PKI to be so easily compromised by such a design.  I thought
> for sure that IE would keep itself aware of the latest certs from
> the CAs.  What if they are revoked?  Would IE know?  From what you
> say, no it would not.  Am I correct?

I'm not certain, but I believe Netscape will check the revocation status if
you ask it to.  However, if the cert is revoked, then what?  You download a
new one?  Oops, man-in-the-middle attack.

Actually, IMO, the biggest hole is in how you obtain the initial set of
certificates.  Most people download them over the net along with their
browser.

Shawn.

------------------------------

From: [EMAIL PROTECTED] (Steve K)
Subject: Re: Wagner et Al.
Date: Mon, 03 Jan 2000 16:03:23 GMT

On 03 Jan 2000 06:30:59 EST, [EMAIL PROTECTED] (Guy Macon) wrote:

>In article <84pne4$rh4$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
>
>>I don't think you quite understand how it works.  A trojan can be made
>>to attack *ANY* crypto program.  No matter how 'robust'.  So the best
>>defense is not getting dumb email greeting card attachments :)
>
>Your "defense" is faulty.  You can spend your life never accepting
>dumb email greeting card attachments and still end up with trojans
>on your computer.  Just look at the history of Microsoft's security
>holes, and the known fact that they let holes that they know about
>remain unless the holes get a lot of publicity.

I think Tom is just using shorthand here, saying "never accepting
dumb email greeting card attachments" but meaning something more
like, "using reasonable precautions."  Just as the punishment should
fit the crime, so should the amount of effort made to secure the box
you run your crypto stuff on, match the real need for security--
a.k.a. who are your attackers, and what do you lose in real life if
they win in cyberspace?

If your attackers are professional and you stand to lose serious
money, lives, etc., then by definition, you will arrange for trojan
resistant operation, at the machine and OS level, or you will lose
whatever you are protecting.  

>A good crypto program can only be attacked
>from the highest level of access.  Yours can be attacked from
>a few of the lower levels.

Please name a crypto program that meets your specification, i.e. is
"good" in that it can not be attacked by a trojan.  I want to see how
it does that.  It seems to me that this is a case where any program
that avoids all known attacks simply breeds a new attack, meanwhile
giving the user a false sense of security.


Steve K

---Continuing freedom of speech brought to you by---
   http://www.eff.org/   http://www.epic.org/  
               http://www.cdt.org/

PGP key 0x5D016218
All others have been revoked.

------------------------------

From: No Spam <[EMAIL PROTECTED]>
Subject: Re: stupid question
Date: Mon, 03 Jan 2000 11:29:39 -0500
Reply-To: [EMAIL PROTECTED]

Joseph Ashwood wrote:
> 
> Basically yes there is an attack. There exists a pRNG function that will
> generate the exact same output, and it's likely to be faster. Without knowing
> which pRNG you were considering using I can't and probably no-one else can
> tell you either, but I'm not sure, we have some absolutely brilliant people
> around here.
>                 Joseph

Joseph,

I used a small key in the example because I was focusing on the
technique of building a buffer of PRNG data and using the same PRNG to
select data from the buffer as a streaming cipher.  I accept that a
function may exist as you said above but you also noted:

>OTOH given the 48-bit keyspace you suggested it would take less time to brute-force 
>the pRNG than to find the function and search for an inversion.

A definition of a good cryptographic algorithm is one where a brute
force attack on the code key is the most efficient crypto attack.

If the pass phrase in my example was:

"Jack and Jill bought a bottle of Coke!"

I have 19 two byte key pairs. Eighteen pairs to use as seeds in XORing
the PRNG data into the buffer and the last pair "e!" as a seed to use to
pick the streaming cipher from the buffer.

In this case do you feel that there is a PRNG function that will offer a
better attack than a brute force key attack?  And if so how costly do
you think the attack would be to mount, in terms of estimated time.

Green in New Hampshire
[EMAIL PROTECTED]

> 
> "No Spam" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > It seems that most of the postings in this news group view the use of
> > PRNG in encryption as very poor.
> It's not that we view it as poor; if you ask around you'll find that one of
> the favorite ciphers is RC4 which is nothing more than a pRNG and an XOR.
> There are known attacks on the underlying data when this is done, but very
> little that can be done to recover the data without solving the pRNG.
> 
> > If a large amount of the plain text was known.. say 100K of a 100,100
> > byte message, is there an attack that will decrypt the last 100 bytes?
> That depends exclusively on your pRNG. Using even a minimal keysize in RC4
> we could not find the last 100 bytes without finding the key, although with
> the minimal size 100k might be getting close to predictability. It is my
> opinion that using a method more significant than XOR with pRNG would be
> highly useful, as a matter of fact I'm trying to find my own solution to
> several problems that I believe will be useful in this category (results to
> be posted here when finished).
>                     Joseph

------------------------------

From: No Spam <[EMAIL PROTECTED]>
Subject: Re: stupid question
Date: Mon, 03 Jan 2000 11:35:46 -0500
Reply-To: [EMAIL PROTECTED]

Trevor Jackson, III wrote:
> 
> No Spam wrote:
> 
> > Joseph Ashwood wrote:
> > >
> > > > I have a stupid question. But what is the difference between a key of a
> > > > stream cipher and a key of an one-time-pad ???
> > > The basic difference is where in the process they are used.
> > > The basic algorithm is:
> > >
> > >         data--|
> > >                   |
> > > RNG------Cipher-----output
> > >
> > > The difference is where the key is used. In the case of a one time pad the
> > > key replaces the RNG (the RNG having been run prior, and being a true Random
> > > Number Generator). In a stream cipher the key is used as a seed to a
> > > _pseudo_ Random Number Generator (called a pseudo RNG because it does not
> > > generate truly random numbers). That is the current typical usage, a while
> > > back there was actually some discussion about what constitues a stream
> > > cipher and what constitutes a block cipher, and I can extend it to include
> > > OTP easily. My personal opinion is that a stream cipher function has as it's
> > > inputs data, key, and the previous data (although the effect of the previous
> > > data is often limited to the length), a block cipher inputs only data and
> > > key, an OTP is simply a block cipher where the key is exactly as long as the
> > > data (we have actually discussed some other issues here but that's the
> > > basics).
> > >             Joseph
> > Joseph,
> >
> > I too have a stupid question I hope  you will answer for me.
> >
> > It seems that most of the postings in this news group view the use of
> > PRNG in encryption as very poor.
> >
> > If I create a key pass phrase: "ABCDEFGH" and use the first three two
> > byte pairs (AB, CD, and EF) as 16 bit seeds for a PRNG.
> >
> > Taking the output streams from the PRNG for each of the three seeds, and
> > XORing the output into a 10K buffer.  So the PRNG's output was XORed
> > into the 10k buffer three times.. each with a different seed (AB, CD,
> > EF).
> >
> > Then I take the last key pair GH, seed the PRNG and use the PRNG to pick
> > the bytes from the 10K buffer to use as a streaming encryption XOR.
> >
> > Is there any attack that can be used to break the code other than a
> > brute force key phrase attack?
> >
> > If a large amount of the plain text was known.. say 100K of a 100,100
> > byte message, is there an attack that will decrypt the last 100 bytes?
> 
> Yes.  The mechanism will depend on the kind of PRNG you use, but in general
> you've got a bigger weakness.  You are reusing your 10Kb buffer.  Ten times on
> average.  Given 100K plaintext & cipher text the entire 10Kb buffer could be
> exposed, even if it were generated by a true RNG, (thus 80K bits of seed instead
> of 42 bits).
> 
> If the whole 10K buffer is not exposed by simple comparison of the plain and
> cipher texts the few missing bytes will be easily found by testing keys against
> the vast quantity of buffer contents that are known.
> 
> If only the pass phrase is secret (the attacker knows how the PRNGs work), you
> should be able to break the whole system with around 56 bits of plain/ciphertext.
> It would not be simple, but it would work in time O(N log N) or perhaps O(N^2) on
> the key length rather than O(2^N) on the key length (brute force).
> 
> The central concept of this kind of attack is that each bit of plain/cipher text
> constrains the possible initial seeds.  Given enough information the keys are
> fully determined.

Trevor,

Will changing the buffer size to, say, 8192 bytes, being an even divisor
of the seed size, correct the problem?

Green in New Hampshire
[EMAIL PROTECTED]
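Added example (not from any post in this digest): a scaled-down model of the "PRNG buffer" stream cipher Green describes in the two posts above, together with the known-plaintext recovery of the reused buffer that Trevor Jackson outlines in the quoted reply. The 16-bit LCG, the 300-byte buffer standing in for the 10K one, and the message are constructed; the pass phrase is the thread's own "ABCDEFGH".

```python
# Added example, not from the digest: a scaled-down model of the "PRNG buffer"
# stream cipher proposed in this thread, and the known-plaintext recovery of the
# reused buffer that Trevor Jackson describes. The LCG, the 300-byte buffer
# (standing in for the 10K one) and the message are constructed values.
MASK16 = 0xFFFF
A, C = 25173, 13849          # full-period 16-bit LCG constants (constructed)

def lcg_step(state):
    """One step of the toy 16-bit LCG that stands in for 'the PRNG'."""
    return (state * A + C) & MASK16

def build_buffer(seeds, size):
    """XOR one PRNG stream (high byte of each state) per seed into the buffer."""
    buf = bytearray(size)
    for seed in seeds:
        s = seed
        for i in range(size):
            s = lcg_step(s)
            buf[i] ^= s >> 8
    return bytes(buf)

def encrypt(message, passphrase, size):
    """Pass phrase -> 16-bit pairs ('ABCDEFGH' -> AB, CD, EF, GH). All pairs but
    the last fill the buffer; the last seeds the PRNG that picks the buffer byte
    XORed with each message byte. XOR is symmetric, so the same call decrypts."""
    pairs = [int.from_bytes(passphrase[i:i + 2], "big")
             for i in range(0, len(passphrase) - 1, 2)]
    buf = build_buffer(pairs[:-1], size)
    out, s = bytearray(), pairs[-1]
    for m in message:
        s = lcg_step(s)
        out.append(m ^ buf[s % size])
    return bytes(out)

def recover_tail(ciphertext, known_prefix, size):
    """Known-plaintext attack on the reused buffer. The attacker knows the
    construction but not the pass phrase; only the 16-bit selector seed is
    searched. Each known byte gives ciphertext ^ plaintext = buffer[slot]; a
    wrong seed soon maps two different bytes to one slot and is rejected. The
    generator seeds are never needed, so a true RNG would not help. Returns
    (selector_seed, tail) with None where a slot was never observed."""
    n = len(known_prefix)
    for seed in range(1 << 16):
        buf, s = {}, seed
        for i in range(n):
            s = (s * A + C) & MASK16          # inlined lcg_step for speed
            k = ciphertext[i] ^ known_prefix[i]
            if buf.setdefault(s % size, k) != k:
                break                         # inconsistent slot: wrong seed
        else:                                 # every known byte fit: seed found
            tail = []
            for i in range(n, len(ciphertext)):
                s = (s * A + C) & MASK16
                slot = s % size
                tail.append(ciphertext[i] ^ buf[slot] if slot in buf else None)
            return seed, tail
    return None, []

# Constructed demo: 'ABCDEFGH' from the thread as the pass phrase; the attacker
# sees all but the last 30 bytes (the post's "100K of a 100,100 byte message").
KEY = b"ABCDEFGH"
BUF_SIZE = 300
MESSAGE = (b"The summation of the reciprocals of all the primes is infinite. " * 57)[:3630]
KNOWN = 3600

def demo():
    """Encrypt, then recover the unknown 30-byte tail from the known 3600 bytes."""
    ct = encrypt(MESSAGE, KEY, BUF_SIZE)
    seed, tail = recover_tail(ct, MESSAGE[:KNOWN], BUF_SIZE)
    return ct, seed, tail
```

Each buffer slot is hit about twelve times in the known prefix, so the buffer is read off almost completely and the remaining bytes decrypt without ever touching the three generator seeds; a slot that happened never to be hit is the "few missing bytes" Trevor mentions.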

------------------------------

From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Bits 1 to 3 (Re: question about primes)
Date: Mon, 03 Jan 2000 09:35:13 -0700
Reply-To: [EMAIL PROTECTED]

According to Dirichlet's theorem, the density of primes in arithmetic
progression is the same for all progressions with the same step size.
Thus the density of primes ending in 1,3,7,9 (base ten) is the same. The
same would apply to primes ending in 01 or 11 base two.

See: http://www.utm.edu/research/primes/notes/Dirichlet.html


------------------------------

From: [EMAIL PROTECTED] (Larry Kilgallen)
Subject: Re: Attacks on a PKI
Reply-To: [EMAIL PROTECTED]
Date: Mon, 3 Jan 2000 16:27:13 GMT

In article <[EMAIL PROTECTED]>, Shawn Willden <[EMAIL PROTECTED]> writes:

> No it isn't.  If an attacker can modify the data on your hard drive, you
> have no security whatsoever.  If an attacker can modify your data, he can
> modify your software, which can then do anything it likes with any
> information you give it.  Ultimately you must operate under an assumption
> of complete trust in all of the hardware and software in your machine.

No, you only need to have complete trust of all hardware and all TCB
components on your machine.  You can, for instance, give me a bogus
version of COPY.EXE on this machine and the worst it could do is mess
up the data to which I have write access (less than 1500 blocks). All
the other users on this machine are secured from a trojan horse given
to me.  System-wide problems come only when software used by the system
manager is compromised.

Of course there are degenerate "operating systems" used on the Internet
where there is no distinction between the user and the system manager,
and in some cases no firm definition of the TCB.

Larry Kilgallen

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Wagner et Al.
Date: Mon, 03 Jan 2000 16:36:34 GMT

In article <84q19j$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Guy Macon) wrote:
> Your "defense" is faulty.  You can spend your life never accepting
> dumb email greeting card attachments and still end up with trojans
> on your computer.  Just look at the history of Microsoft's security
> holes, and the known fact that they let holes that they know about
> remain unless the holes get a lot of publicity.

I seriously doubt that.  With java/activex turned completely off I
doubt there are many venues of attack left open.

> Is it really true that a trojan can be made to attack any crypto
> program?  Yes, but only if two preconditions are assumed:  First,
> the trojan must be written specifically targetted at the particular
> crypto program.  The more generic trojans such as back orifice can
> be protected against (and are by many crypto programs).  Second,
> the trojan must have administrator user rights.  Smart NT
> administrators like me create a series of usernames with increasing
> rights and decreasing security, and always use the lowest one
> that will do the job.  A good crypto program can only be attacked
> from the highest level of access.  Yours can be attacked from
> a few of the lower levels.

Well PeekBoo was designed to secure messages and files, not computers.
That's why proxies/firewalls have been invented.  And no matter what
you do, unless you are physically protected from trojans you are
vulnerable.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Prime series instead (Re: Pi)
Date: Mon, 03 Jan 2000 16:36:37 GMT

John E. Gwyn wrote:
> "NFN NMI L." wrote:
> > The summation of the reciprocals of all the primes is infinite. Who
> > knows what happens when you have alternating subtraction and addition?
>
> I think it still diverges, but I don't have a proof.

We're talking about 1/2 - 1/3 + 1/5 - 1/7 + 1/11 - ...
right?

If the absolute value of the terms tends monotonically
to zero, then the series of alternating positive
and negative terms converges.


--Bryan

Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Steve K)
Subject: Re: crypto and it's usage
Date: Mon, 03 Jan 2000 16:53:03 GMT

What I use crypto stuff for:

Fun and games.  I have always been fascinated by this kind of thing, so
you could call it a hobby.

Political action.  In the U.S., the Constitution is used daily for
toilet paper by the elected and appointed officials whose jobs and
obligations it defines.  Indiscriminate automated surveillance is a
small part of that process.  I like to think of cryptography as a way
to throw handfuls of diamond grit into one of Big Brother's gearboxes.

Confidentiality.  I know lots of NeoPagans and others of similar bent,
some of whom prefer to keep their identities and activities quiet--
for instance, schoolteachers who would never work again if people knew
that they get naked at their religious services.  Crypto enables me to
communicate freely with a few of these folks who have chosen to stay
in the broom closet.  

Business.  Although I do not presently have any need to store and
communicate confidential business information, I have in the past and
will in the future.  This includes internal communications and
e-commerce data.


Steve K

---Continuing freedom of speech brought to you by---
   http://www.eff.org/   http://www.epic.org/  
               http://www.cdt.org/

PGP key 0x5D016218
All others have been revoked.

------------------------------

Date: Mon, 03 Jan 2000 09:56:47 -0700
From: "Peter K. Boucher" <[EMAIL PROTECTED]>
Subject: Re: "Variable size" hash algorithm?

Why not have your program measure the entropy of the input, then use the
input as an RC4 key, then use the RC4 PRNG to output as many bytes as
can be justified by the entropy in the input?

------------------------------

From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: Prime series instead (Re: Pi)
Date: Mon, 03 Jan 2000 09:59:38 -0700
Reply-To: [EMAIL PROTECTED]

"John E. Gwyn" wrote:

> "NFN NMI L." wrote:
> > The summation of the reciprocals of all the primes is infinite. Who
> > knows what happens when you have alternating subtraction and addition?
>
> I think it still diverges, but I don't have a proof.

It converges. There is a theorem that states that if lim |a(n)| goes to zero
as n goes to infinity then the alternating sum a(1)-a(2)+a(3)... converges.
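Added note (not part of any post in this thread): the bracketing argument John Myre sketches above, carried out for the series Bryan writes down, with $p_n$ denoting the $n$-th prime.

Let $a_n = 1/p_n$ and $S_N = \sum_{n=1}^{N} (-1)^{n+1} a_n$, so $S_1 = \tfrac12$, $S_2 = \tfrac12 - \tfrac13$, and so on. Since $p_n$ is strictly increasing, $a_n$ decreases strictly to $0$. Then

$$S_{2k+2} - S_{2k} = a_{2k+1} - a_{2k+2} > 0, \qquad S_{2k+1} - S_{2k-1} = a_{2k+1} - a_{2k} < 0, \qquad S_{2k+1} - S_{2k} = a_{2k+1} > 0,$$

so the even partial sums increase, the odd ones decrease, and every even sum lies below every odd sum:

$$S_2 < S_4 < \cdots < S_{2k} < S_{2k+1} < \cdots < S_3 < S_1 .$$

Both monotone bounded sequences converge, and their limits coincide because $S_{2k+1} - S_{2k} = 1/p_{2k+1} \to 0$. Hence $S = \lim_{N\to\infty} S_N$ exists and $S_{2k} < S < S_{2k+1}$ for every $k$; with $k = 2$ this already pins it down to

$$S_4 = \tfrac12 - \tfrac13 + \tfrac15 - \tfrac17 = \tfrac{47}{210} \approx 0.224 < S < S_5 = S_4 + \tfrac1{11} = \tfrac{727}{2310} \approx 0.315 .$$

The convergence is only conditional: $\sum a_n$ itself diverges, as the opening post notes, so the terms must not be rearranged.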


------------------------------

From: "John Lupton" <[EMAIL PROTECTED]>
Subject: List of english words
Date: Mon, 3 Jan 2000 17:04:43 -0000

Can someone tell me where on the web I can find a list of words in English?
I want to do some frequency analysis on n-graphs (i.e. mono-, di-, tri-,
tetra-) and words with certain n-graph patterns too.

Ideally I'm looking for a text file with every word from aardvark to zulu.

Thx in advance

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************