Cryptography-Digest Digest #843, Volume #10 Wed, 5 Jan 00 16:13:01 EST
Contents:
Re: List of english words (Dan Day)
Re: How to obtain updated SSL certificate for Navigator-3? (Paul Rubin)
Re: Square? (Mok-Kong Shen)
Re: is signing a signature with RSA risky? (Anton Stiglic)
How about this for a "randomly" generated bitstream? (John McDonald, Jr.)
Re: New ECM record: up to 60 digits ("Kai G. Gauer")
Re: Unsafe Advice in Cryptonomicon (Roger Carbol)
simple block ciphers (Tom St Denis)
Re: is signing a signature with RSA risky? (Anton Stiglic)
Re: Wagner et Al. ("Daniel Roethlisberger")
Re: Questions about message digest functions (lordcow77)
Re: crypto and it's usage ("Daniel Roethlisberger")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Dan Day)
Subject: Re: List of english words
Date: Wed, 05 Jan 2000 20:14:13 GMT
On 03 Jan 2000 23:21:32 -0500, stanislav shalunov <[EMAIL PROTECTED]> wrote:
>
>Wordlists are useless for frequency analysis, though.
Yeah, but you can write an awesome Scrabble player with them...
Way back in college (late 70's/early 80's), someone wrote a
simplistic Scrabble player that did a mostly brute-force word
search to see what fit on the board given the current letters
in the player's rack (and which gave the highest score).
Even on the slow computers of the day, it utterly creamed us
every time we played against it, even when we had six guys
teaming up as one player. We lost horribly every time,
and the thing consistently got multiple "play entire rack
for an eight-letter-word and a 50 point bonus and a double
word score" plays per game. It also sent us running for
the unabridged dictionaries time and time again, just to
see what in the hell the word that it just played meant.
It was the Terminator of Scrabble players. In order to make
it any fun at all, it had to be hobbled in various ways.
--
"How strangely will the Tools of a Tyrant pervert the
plain Meaning of Words!"
--Samuel Adams (1722-1803), letter to John Pitts, January 21, 1776
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: How to obtain updated SSL certificate for Navigator-3?
Date: 5 Jan 2000 20:09:38 GMT
In article <[EMAIL PROTECTED]>,
Sundial Services <[EMAIL PROTECTED]> wrote:
>It seems that both Netscape and Microsoft have decided that SSL site
>certificates are a great way to "persuade" people to upgrade to the
>latest version of their (increasingly-bloated) products.
>
>I happen to like and to prefer Navigator 3, but its site-certificates
>expire on December 31st. How can I obtain new certificates? (I have
>actually downloaded ... ick ... Communicator 4.)
Try
https://www.verisign.com/server/prg/browser/root.html
Let me know whether it works.
>On another subject: what are the security risks of the people who will
>simply turn-off the reminder messages and continue to want to use
>"expired" certificates for years to come?
I don't think you can turn them off.
>I see no reason at all, except marketing, why certificates should
>"expire" anyway. Bits don't wear out...
It's kind of like asking why you have to renew your driver's license.
In the current generation they did make the browser preinstalled certs
last a lot longer. They didn't do the same for users though--they
want to sell you a new one every year. It is kind of an interesting
scam. The other side of it is that they want to sell you a separate
certificate for practically every application that needs authentication,
and these are proliferating like crazy.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Square?
Date: Wed, 05 Jan 2000 21:22:03 +0100
Tom St Denis wrote:
>
> All I know is in the paper 'The Block Cipher: Square' they have an
> attack for anything under 6 rounds. I can send copies to anyone who
It appears certain that any block cipher with a sufficiently reduced
number of rounds can be cracked. Hence the question: why are block
ciphers with a (designed) variable, instead of constant, number of
rounds not very common? With that parametrization an algorithm
could adapt to future advances in analysis techniques, at least
to some reasonable extent, and hence survive.
M. K. Shen
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: is signing a signature with RSA risky?
Date: Wed, 05 Jan 2000 15:16:35 -0500
Right, if Alice encrypts a message with Bob's exponent e_b, and
signs it with a key s_a, you get (m^e_b mod n_b)^s_a mod n_a;
since Bob knows the factors of n_b, he can compute x such
that m'^x = m mod n_b (still at a cost, but possible), and
then say that his encryption key is x*e_b.
He can even choose the message of his choice (not just a random one),
and find the x that works.
Hashing the message after encrypting (and before signing it)
doesn't help (and hashing it before you encrypt it doesn't make
sense because Bob wouldn't be able to retrieve the message, just
the hash of the message).
This is of course typical of RSA encryption and independent of
the signature scheme (the sig. doesn't affect the trick). You can
use any signature scheme, not just RSA, and it will do the same
thing.
I think that if you sign first, and then encrypt, the attack doesn't
work....
Note that you could fake a "random" message with the ElGamal
scheme if you do encrypt -> then sign in a similar way:
For an ElGamal scheme, with a public key (p, g, g^a) (where a
is private), a message m is encrypted into c = (m, n)
where m = g^k mod p, and n = m*g^{ak} mod p (for a random k).
The attack is to just pick an x, and then find m' such that
m' * g^x = m mod p (if we were working mod n = pq, with known
factorization, we could first pick any wanted m' and then find x
such that the trick would work),
then just say that the public key was in fact (p, g, g^{a + x}).
Again, if you sign before you encrypt, I believe you are safe.
Anton
Pascal Scheffers wrote:
> With RSA, there is the risk that if you encrypt before signing the
> other can fake a message. This is described on p473 of Applied
> Cryptography 2nd.Ed.
>
> I think I understand the math, which then implies that -if- I sign
> another signature, the same trick can be done.
>
> I was wondering if this is an issue for time-stamping services? A
> timestamp gives you the most value if you time-stamp a contract
> *including* the signatures on that contract.
> This would basically mean that (if both parties agree) a new document
> can be made, say a patentable idea, with a much older timestamp. Not
> good.
>
> This can be prevented if the public key exponent is fixed, which it
> usually is. AFAIK, having a fixed exponent is just a recommendation, I
> don't know if CAs enforce it.
>
> It is probably not an *easy* trick to do, but still...
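A worked toy-number version of the encrypt-then-sign problem and of the fixed-exponent countermeasure that this thread discusses, added here as an example (not code from either poster). All key values are constructed and far too small for real use; they only keep the brute-force search instant.

```python
# Added example (not from the thread): toy RSA numbers showing why the
# "encrypt, then sign" order lets the recipient substitute a public key,
# and how a verifier that insists on the certified exponent blocks it.
from math import gcd

# Constructed toy keys. N_A > N_B so that a ciphertext under Bob's key
# always fits as an RSA input under Alice's signing key.
P_B, Q_B = 101, 103                       # Bob's primes
N_B = P_B * Q_B
E_B = 7                                   # Bob's certified public exponent
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))

P_A, Q_A = 107, 109                       # Alice's primes
N_A = P_A * Q_A
E_A = 7
D_A = pow(E_A, -1, (P_A - 1) * (Q_A - 1))


def encrypt_then_sign(m):
    """Alice: c = m^e_b mod n_b, then s = c^d_a mod n_a (the risky order)."""
    c = pow(m, E_B, N_B)
    return c, pow(c, D_A, N_A)


def verify(c, s, e_claimed, n_claimed, m_claimed, require_fixed_e=False):
    """A judge checks Alice's signature on c and that m_claimed encrypts to c
    under the key Bob presents. With require_fixed_e the judge accepts only
    the exponent that Bob's certificate actually carries."""
    if require_fixed_e and e_claimed != E_B:
        return False
    return pow(s, E_A, N_A) == c and pow(m_claimed, e_claimed, n_claimed) == c


def substitute_key(c, candidates):
    """Bob's trick from the thread: recover m, then look for a message m' and
    an x with m'^x = m (mod n_b); the key (x*e_b, n_b) then "decrypts" c to
    m'. Brute force over x is fine at toy size. Returns (m', x) or None."""
    m = pow(c, D_B, N_B)
    period = (P_B - 1) * (Q_B - 1) // gcd(P_B - 1, Q_B - 1)  # exponent period
    for m_prime in candidates:
        if m_prime == m or gcd(m_prime, N_B) != 1:
            continue
        acc = 1
        for x in range(1, period + 1):
            acc = acc * m_prime % N_B
            if acc == m:
                return m_prime, x
    return None


def demo(m=3000, candidates=(2, 3, 5, 6, 7)):
    """Honest message m and Bob's candidate forgeries are constructed values."""
    c, s = encrypt_then_sign(m)
    honest = verify(c, s, E_B, N_B, m)
    found = substitute_key(c, candidates)
    if found is None:
        return {"honest": honest, "forged": False, "blocked": True}
    m_prime, x = found
    return {
        "honest": honest,
        "forged": verify(c, s, x * E_B, N_B, m_prime),        # accepted!
        "blocked": not verify(c, s, x * E_B, N_B, m_prime, True),
        "m_prime": m_prime,
    }


if __name__ == "__main__":
    print(demo())
```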
------------------------------
From: [EMAIL PROTECTED] (John McDonald, Jr.)
Subject: How about this for a "randomly" generated bitstream?
Date: Wed, 05 Jan 2000 19:50:32 GMT
On Wed, 5 Jan 2000 03:52:54 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote:
>Nigel Fitchard <[EMAIL PROTECTED]> wrote:
>
>: I would like to get hold of a truly random bitstream - about 2^24 bits long
>: should be plenty. Does anyone know if such a thing exists for download ?
>
>No such thing is known to exist anywhere on the planet.
While not "truly" random, wouldn't the following be random
enough?
I purport that you take a record player and a record. Play the record
and record the music digitally into your computer (via audio input,
not microphone). Use the recorded .wav as your bitstream. (Record at
the highest possible bitrate to ensure the quality of your recording.)
..Why (I think) this is "random" enough..
Because of the nature of the player, a record will have subtle
differences when played from one player to another, even within the
confines of the same model. This is due to variations in the needle
used for pickup as well as other factors.
Because of the nature of the media and the degradation caused by each
successive playing, a high enough quality recording will detect the
imperfections between each play of the record. Thus one recording of
the record will produce a different bitstream than the next recording
on the same player. In addition playing another copy of the record
will also yield the same results: different record-different
recording.
Also because of the nature of the media, it is virtually impossible
for another person to start their recording at the same exact instant
you began yours.
That is to say even if they knew you recorded the Philharmonic's
rendition of the William Tell Overture, they would need your actual
record, as well as player, and even then they would be off by at least
1% of the bits gathered. When you are speaking of 2^24 bits, 1% is a
fairly substantial number. If they are using another record on another
player they would be lucky if they were to get 25% of the bits you
gathered. And if they didn't know which song(s) you used, they would
be lucky to get 1% of the bits that you had.
Does anyone have thoughts on this? Problems with implementation?
---
John K. McDonald, Jr. Alcatel, USA
[EMAIL PROTECTED]
--
"I speak for me and not this company"
TO SPAMMERS:
Please note important definitions:
The Telephone Consumer Protection Act
of 1991, Title 47, Chapter 5,
Subchapter II, Section 227.
------------------------------
From: "Kai G. Gauer" <[EMAIL PROTECTED]>
Crossposted-To: sci.math.symbolic,sci.math
Subject: Re: New ECM record: up to 60 digits
Date: Wed, 05 Jan 2000 20:27:57 GMT
By the way, could someone out there help me find the correct way to subscribe to
the following newsgroup that I found on an older webpage post? The page had a
subscription site with bit.listserv.nmbrthry . Has this site changed names in the
last few years? I'm trying to find a couple more MODERATED sites to read
discussions about large factorization computing; I'm not looking around for the
quickest spot to post or read a bunch of BS (such as sci.math). Thanks to anyone
who is able to help out....
Paul Zimmermann wrote:
> New ECM record: up to 60 digits
> ===============================
>
> On December 26, 1999, Nik Lygeros and Michel Mizony, two math researchers
> from Lyon (France), found a prime factor of 54 digits of a 127-digit
> composite number with GMP-ECM, a free implementation of the Elliptic
> Curve Method (ECM). According to the table maintained by Richard Brent [1]
> this is the largest prime factor ever found by ECM. The previous record was
> held by Conrad Curry with a 53-digit prime found in September 1998.
>
> The number Lygeros and Mizony factored was a cofactor from (6^43-1)^42+1,
> more precisely n = b^4-b^2+1 where b = 6^43-1. It was known that
>
> n = 13 * 733 * 7177 * c127
>
> where c127 is a 127-digit composite number. Lygeros and Mizony discovered that
> this number factors into c127 = p54 * p73 where
>
> p54 = 484061254276878368125726870789180231995964870094916937
>
> is the factor found. This search was done in a huge factoring project Lygeros
> and Mizony started a year ago about generalized Sloane's sequences [2].
> Those generalize sequences A003504, A005166 and A005167 from The Encyclopedia
> of Integer Sequences [3].
>
> The Elliptic Curve Method was discovered by H. W. Lenstra in 1985.
> The lucky curve was of the form b*y^2*z = x^3 + A*x^2*z + x*z^2 with A =
> 422521645651821797908421565743985252929519231684249666 mod p, and group order
> 2^3*3^2*13*53*283*337*29077*837283*1164803*3978523*7613819*8939393*13323719.
> Very surprisingly, the 54-digit prime was found in step 1 of ECM! The first
> limit used was B1=15,000,000. The probability of finding a 54-digit prime in
> step 1 with such parameters is about one over three million. Lygeros and
> Mizony just did 1300 curves. The lucky curve took 454 seconds to compute on
> a 500 MHz Dec Alpha EV6 (21264) from the CDCSP (Center for the Development of
> Parallel Scientific Computation).
>
> The program used was version 4a of GMP-ECM [4], a free implementation of the
> Elliptic Curve Method based on T. Granlund's GMP multiprecision library [5].
> According to [1], GMP-ECM now holds four of the ten largest factors ever
> found by ECM. Other main projects using GMP-ECM are the Cunningham project [6]
> and the ECMNET client/server [7].
>
> In a recent paper [8], Richard Brent extrapolates the ECM record to be of
> D digits at year about 9.3*sqrt(D)+1932.3. This would give a record of D=60
> digits at year Y=2004. We strongly believe 60 digits will be reached before,
> perhaps already in 2002 or even this year!
>
> [1] ftp://ftp.comlab.ox.ac.uk/pub/Documents/techpapers/Richard.Brent/champs.txt
> [2] http://www.desargues.univ-lyon1.fr/home/mizony/premiers.html
> [3] http://www.research.att.com/~njas/sequences
> [4] http://www.loria.fr/~zimmerma/records/ecmnet.html
> [5] http://www.swox.com/gmp/
> [6] http://www.cerias.purdue.edu/homes/ssw/cun/index.html
> [7] http://www.interlog.com/~tcharron/ecm.html
> [8] Some Parallel Algorithms for Integer Factorisation, Euro-Par 99, cf
> ftp://ftp.comlab.ox.ac.uk/pub/Documents/techpapers/Richard.Brent/rpb193.dvi.gz
>
> --
> Paul Zimmermann
> INRIA Lorraine
> 615 rue du Jardin Botanique
> F-54602 Villers-les-Nancy Cedex
------------------------------
Subject: Re: Unsafe Advice in Cryptonomicon
From: Roger Carbol <[EMAIL PROTECTED]>
Date: Wed, 05 Jan 2000 20:38:14 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>In view of tempest related attacks, that I guess could only be
>eliminated in rather clumsy ways, it would appear reasonable to
>have some components of one's encryption system to be mechanical
>ones, hence without emissions. This would mean sort of renascence
>of the classical devices. Or am I speculating on an entirely wrong
>track?
It's an interesting speculation, but I wouldn't hold my breath.
I think it's more likely that:
1) More shielding will be used; and
2) More noise will be generated, e.g., use the crypto computer
in a room with a couple dozen other computers and displays, all
doing their own thing.
.. Roger Carbol .. [EMAIL PROTECTED]
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: simple block ciphers
Date: Wed, 05 Jan 2000 20:39:53 GMT
[first I did not invent this ...!!!]
Why isn't this type of cipher used more often [aside from being slow].
Symmetric cipher ...
p = random prime
e = random prime less than p
d = chosen such that d*e = 1 mod (p - 1)
Encrypt(x) = x^e mod p
Decrypt(x) = x^d mod p
Where (d, e, p) is the private key.
This type of cipher allows for a variable key/block size and is very
simple to implement. Other than being slow, why isn't it used?
And if p is private, can a small p be used (say around 128 bits)?
Tom
--
[EMAIL PROTECTED]
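The exponentiation cipher from the post, implemented with toy parameters as an added example (not Tom's code), together with the checks a practitioner would run before adopting a cipher because it is "simple to implement": whether equal blocks are visible in the ciphertext, whether ciphertexts combine algebraically, and what one known plaintext/ciphertext pair gives away once p is known. The prime p = 65537 and exponent e = 1009 are assumed toy values; 3 is a primitive root of that p, so the discrete log below recovers e exactly.

```python
# Added example (not from the post): the cipher Encrypt(x) = x^e mod p,
# Decrypt(y) = y^d mod p with d*e = 1 mod (p-1), plus three properties that
# explain why it is not used as a block cipher.
from math import gcd, isqrt


def keygen(p, e):
    """Key (e, d, p) as in the post. Caller supplies a prime p and an e that
    is invertible mod p-1 (the post picks e prime)."""
    if gcd(e, p - 1) != 1:
        raise ValueError("e must be invertible mod p-1")
    return e, pow(e, -1, p - 1), p


def encrypt(key, x):
    e, _, p = key
    return pow(x, e, p)


def decrypt(key, y):
    _, d, p = key
    return pow(y, d, p)


def repeated_block_positions(key, blocks):
    """No IV, no chaining: an observer of the ciphertext alone learns which
    plaintext blocks were equal. Returns (first_index, later_index) pairs."""
    seen, dupes = {}, []
    for i, ct in enumerate(encrypt(key, b) for b in blocks):
        if ct in seen:
            dupes.append((seen[ct], i))
        else:
            seen[ct] = i
    return dupes


def malleable(key, a, b):
    """E(a)*E(b) = E(a*b) mod p: two observed ciphertexts yield a valid
    ciphertext for a block never encrypted, without the key."""
    _, _, p = key
    forged = encrypt(key, a) * encrypt(key, b) % p
    return forged == encrypt(key, a * b % p)


def recover_exponent(p, x, y):
    """If p is known and one pair (x, y = x^e mod p) is known, the key e is
    the discrete log of y base x. Baby-step giant-step, O(sqrt(p)) work: fine
    at toy size, and why a real p must be large with a large prime factor of
    p-1 (Pohlig-Hellman otherwise reduces the work further). Returns e or None."""
    n = p - 1
    m = isqrt(n) + 1
    table = {}
    acc = 1
    for j in range(m):                  # baby steps: x^j
        table.setdefault(acc, j)
        acc = acc * x % p
    step = pow(x, -m, p)                # giant step: multiply by x^(-m)
    gamma = y
    for i in range(m):
        if gamma in table:
            return (i * m + table[gamma]) % n
        gamma = gamma * step % p
    return None


if __name__ == "__main__":
    key = keygen(65537, 1009)
    print(repeated_block_positions(key, [10, 20, 10, 30, 20]))
    print(malleable(key, 123, 456))
    print(recover_exponent(65537, 3, encrypt(key, 3)))
```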
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: is signing a signature with RSA risky?
Date: Wed, 05 Jan 2000 15:52:33 -0500
I just found the article that talks about the attack,
you can get it at
http://www.cl.cam.ac.uk/users/rja14/robustness.ps.Z
It actually says the same stuff I did in my previous
post, plus a lot of other stuff.
Anton
------------------------------
From: "Daniel Roethlisberger" <[EMAIL PROTECTED]>
Subject: Re: Wagner et Al.
Date: Wed, 5 Jan 2000 22:00:28 +0100
Tom St Denis wrote:
>You are missing my point. I never said trojans [defn = any
>program that's sole purpose is to defeat security] can't
>totally break Peekboo. I whole heartedly agree trojans
>can break Peekboo. ... oh and PGP, and Scramdisk, and
>....
>
>The best solution is to avoid getting them. Don't go to
>websites you don't trust. Turn off all 'features' like
>java/activex and don't run attachments... that's the best
>you can do.
Against PGP, an attack would be much more difficult. PGP employs its own
memory lock driver, so sensitive data doesn't get paged to disk. PGP does
its best to try and make an attack difficult or feasible. PGP does not send
keys through easily interceptable windows messages. A trojan will have a
hard time against PGP, while its task is very easy against Peekboo.
As for turning the features off... I mentioned this before, but anyone can
install a program on your computer without you noticing, if you are using
Windows 9x. On NT, this is somewhat more tricky, but still easily possible
(e.g. by booting from a Linux floppy with the ntfs mod - is your floppy drive
locked? I don't suppose so...). It doesn't need to be a so-called trojan,
gotten through email or from a web site. It can be your wife wanting to know
who you send encrypted love letters to. Or your little hacker brother who
just likes reading your encrypted stuff. These will have a hard time if you
were using PGP, but as you are using Peekboo, every minimally skilled
programmer can read up in the API docs how to hook a message.
If complete protection is impossible, any security-related software, and
cryptographic software in particular, should at least make it difficult for
them. Firewalls can be penetrated as well, but you still put one in front of
every secured network, because it makes the attacker's job much more
difficult.
/Dan
------------------------------
From: lordcow77 <[EMAIL PROTECTED]>
Subject: Re: Questions about message digest functions
Date: Wed, 05 Jan 2000 12:50:29 -0800
Are you utterly unable to comprehend this simple and widely accepted
concept that a hash should approximate a pseudo-random function? You
snipped David Hopwood's reference. Here are a few more: Chapter 9 of
_Handbook of Applied Cryptography_ by Menezes, van Oorschot, Vanstone; Chapter
7 of _Cryptography, Theory and Practice_ by Doug Stinson; Merkle's
initial paper containing the proof of collision resistance of a
meta-construction if the compression function possesses certain
properties; B. Preneel, "Analysis and design of cryptographic hash
functions," Doctoral Dissertation, Katholieke Universiteit Leuven,
1993; B. Vandewalle et al., "Cryptographic hash functions: an
overview," ESAT-COSIC Report 89-1, Department of Electrical
Engineering, Katholieke Universiteit Leuven, September 1989. You might
also want to consult Knuth's TAOCP where he discusses noncryptographic
hashing.
------------------------------
From: "Daniel Roethlisberger" <[EMAIL PROTECTED]>
Subject: Re: crypto and it's usage
Date: Wed, 5 Jan 2000 22:05:48 +0100
I prefer to communicate using encrypted email. Wherever possible, I encrypt
email using PGP, whether sensitive content or not. When distributing files,
I prefer to encrypt or at least sign them. I've managed to get most of my
frequent communication partners to use PGP as well, so this is fairly good
actually.
Furthermore, I have all my sensitive stuff on encrypted hard disks. Just in
case. I don't like the idea of anyone snooping in my data.
/Dan
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************