Cryptography-Digest Digest #986, Volume #10 Thu, 27 Jan 00 13:13:01 EST
Contents:
Re: DVD: CSS comments?? (Terje Mathisen)
RSA BSAFE Crypto-J Question ([EMAIL PROTECTED])
Re: DVD: CSS comments?? (Samuel Paik)
Re: Mac encryption algorithm? (Bob Deblier)
OpenSSL Example on X.509 Certificate Generation (Angus Lee)
Re: Mac encryption algorithm? (Keith A Monahan)
Re: Any Reference on Cryptanalysis on RSA ? (Keith A Monahan)
Re: ECC & RSA re: patents, copyrights (JCA)
DES Hardware - chips/cores ([EMAIL PROTECTED])
Re: How much does it cost to share knowledge? (Tom St Denis)
Re: How much does it cost to share knowledge? (Tom St Denis)
Re: Why did SkipJack fail? ("Trevor Jackson, III")
Re: ECC & RSA re: patents, copyrights (Jane A. Gilbert)
Re: Why did SkipJack fail? (Bill Unruh)
Re: LSFR (Mike Rosing)
Re: Mac encryption algorithm? (Paul Koning)
Re: Any Reference on Cryptanalysis on RSA ? (Paul Koning)
----------------------------------------------------------------------------
From: Terje Mathisen <[EMAIL PROTECTED]>
Subject: Re: DVD: CSS comments??
Date: Thu, 27 Jan 2000 13:00:28 +0100
Craig Inglis wrote:
>
> Now the source to the DVD encryption routine
> has been released (as reported by WIRED
> http://www.wired.com/news/politics/0,1283,33922,00.html )
> I wonder if any of the crypto gurus out there have
> any comments about the suitability of the algorithm they
> have used??
>
> The document is at http://cryptome.org/dvd-hoy-reply.htm
> and the encryption/decryption source is at Exhibit A.
A games programmer (Frank Stephenson???) from Funcom here in Oslo,
Norway has published a cryptanalysis of CSS, which I've read.
It is really quite bad, in that they didn't even get close to the 40
bits of effective key length that export restrictions might have limited
them to.
Terje
--
- <[EMAIL PROTECTED]>
Using self-discipline, see http://www.eiffel.com/discipline
"almost all programming can be viewed as an exercise in caching"
------------------------------
From: [EMAIL PROTECTED]
Subject: RSA BSAFE Crypto-J Question
Date: Thu, 27 Jan 2000 12:43:20 GMT
We are currently using RSA BSAFE Crypto-J for
Java encryption, but we did not evaluate many
products before we purchased Crypto-J. Now that
our license is up, we are considering changing
products. Can anyone recommend a different
solution?
Thank you,
Brendan Smith
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Samuel Paik <[EMAIL PROTECTED]>
Subject: Re: DVD: CSS comments??
Date: Thu, 27 Jan 2000 12:50:35 GMT
Craig Inglis wrote:
> Now the source to the DVD encryption routine
> has been released...
> I wonder if any of the crypto gurus out there have
> any comments about the suitability of the algorithm they
> have used??
It was posted to the Livid list months ago--this is merely an accidental
republication by the DVD CCA lawyers. The code in the posting is
obfuscated--the cryptosystem is very simple once you understand what each
table does.
CSS is shockingly weak. Its only positive point is that it can be
implemented very cheaply in software and hardware.
------------------------------
From: Bob Deblier <[EMAIL PROTECTED]>
Subject: Re: Mac encryption algorithm?
Date: Thu, 27 Jan 2000 15:17:23 +0100
Paul Schlyter wrote:
> In article <86nq4a$ngg$[EMAIL PROTECTED]>,
> Keith A Monahan <[EMAIL PROTECTED]> wrote:
>
> > Can you be more specific? Are you looking for public key stuff or
> > private key? I'm not real familiar with mac programming, but outside of
> > maybe byte order or something, are there particular issues you need to
> > worry about?
>
> Yes: MAC's use symmetric encryption algorithms, as opposed to
> certificates which use asymmetric encryption algorithms. Therefore,
> to verify a MAC, you need access to the secret symmetric
> encryption/decryption key.
>
> One common way to compute a MAC is to use DES in CBC mode, and then
> discard all encrypted DES blocks except the last one, which will
> become the MAC.
Please read the question more carefully. It's not about message
authentication codes, but rather about Apple Macintosh.
Sincerely
Bob Deblier
------------------------------
From: Angus Lee <[EMAIL PROTECTED]>
Subject: OpenSSL Example on X.509 Certificate Generation
Date: Thu, 27 Jan 2000 22:34:42 +0800
Hi,
Does anyone have a working example of generating an X.509 certificate using
OpenSSL?
Angus Lee
------------------------------
From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: Mac encryption algorithm?
Date: 27 Jan 2000 15:00:30 GMT
Paul,
Thanks for the reply but I think you are missing the boat on the
original author's use, and definitely on my use, of the word "mac".
Quoting from the original author,
"good encryption algorithm that is easily
implementable on a mac"
Based on the context, I'm fairly sure he meant "mac" as in shorthand for
an Apple Macintosh computer.
Your use of the word "mac" was an acronym for a keyed hash function,
used for message authentication, "Message Authentication Code".
Keith
Paul Schlyter ([EMAIL PROTECTED]) wrote:
: In article <86nq4a$ngg$[EMAIL PROTECTED]>,
: Keith A Monahan <[EMAIL PROTECTED]> wrote:
:
: > Can you be more specific? Are you looking for public key stuff or
: > private key? I'm not real familiar with mac programming, but outside of
: > maybe byte order or something, are there particular issues you need to
: > worry about?
:
: Yes: MAC's use symmetric encryption algorithms, as opposed to
: certificates which use asymmetric encryption algorithms. Therefore,
: to verify a MAC, you need access to the secret symmetric
: encryption/decryption key.
:
: One common way to compute a MAC is to use DES in CBC mode, and then
: discard all encrypted DES blocks except the last one, which will
: become the MAC.
:
: --
: ----------------------------------------------------------------
: Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
: Grev Turegatan 40, S-114 38 Stockholm, SWEDEN
: e-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
: WWW: http://hotel04.ausys.se/pausch http://welcome.to/pausch
------------------------------
From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: Any Reference on Cryptanalysis on RSA ?
Date: 27 Jan 2000 15:16:44 GMT
Quoting from Bruce Schneier's Applied Cryptography,
Table 7.9
Symmetric and Public-key Key Lengths
with Similar Resistances to Brute-Force Attacks

Symmetric     Public-key
Key Length    Key Length
56 bits       384 bits
64 bits       512 bits
80 bits       768 bits
112 bits      1792 bits
128 bits      2304 bits
I'm not sure what you mean about legitimate key space vs. illegitimate,
but perhaps this helps.
Keith
Ip Ting Pong, Vincent ([EMAIL PROTECTED]) wrote:
: Hi all,
: I want to study the relationship of the strength between the key length of
: RSA and the key length of DES.
: For example,
: Currently, 1024 bit RSA and 64 bit DES are the de facto strong key length.
: I want to know if the "legitimate" key space of 1024 bit RSA key is more or
: less equal to 64 bit key?
: Thanks in advance.
: With regards,
: Ah Pong
------------------------------
From: JCA <[EMAIL PROTECTED]>
Subject: Re: ECC & RSA re: patents, copyrights
Date: Thu, 27 Jan 2000 08:26:31 -0800
Greg wrote:
> What patents are there for ECC today?
I understand that Certicom holds a patent on point compression. I
think they also hold other ECC-related patents, but I'd have to
check this.
>
>
> The basic ECC algorithm is R = Pk where k is the private key
> and P is a base point and R is the public key. Is this algorithm
> patented for the process of generating a public key?
>
> --
> The only vote that you waste is the one you never wanted to make.
> RICO- we were told it was a necessary surrender of our civil liberties.
> Asset Forfeiture- the latest inevitable result of RICO.
> http://www.ciphermax.com/book
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
From: [EMAIL PROTECTED]
Subject: DES Hardware - chips/cores
Date: Thu, 27 Jan 2000 16:43:22 GMT
I am trying to find standard chip sets/FPGA cores to perform DES-56
encryption on an OC-3 (155Mbps) ATM cell stream. I also need to do the
encryption in counter mode. Can you please recommend commercial chip
sets / FPGA cores that I can use to do DES-56 in counter mode? I am a
novice to the encryption world.
Thanks
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: How much does it cost to share knowledge?
Date: Thu, 27 Jan 2000 16:49:16 GMT
In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
> In article <86nm43$soe$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
> [ ... ]
>
> > Well you must be rolling in the dough. Where I come from you don't
> > spend 300 dollars on a meal.
>
> Have you checked on what it costs to rent a banquet hall for a day?
> One that seats a few hundred people that is?
Why does it have to be the hilton though? H'um? Did you think of that?
>
> [ ... ]
>
> > Call it whining if you want. BTW isn't AES supposed to be open to
> > everyone? Not just the rich?
>
> Sure. Now keep in mind that if they didn't charge the participants to
> defray the cost that it would be us taxpayers here in the US who'd
> have to pay instead. Why should my taxes be higher to give a free
> ride to some Canadian high school kid who openly admits he won't
> understand most of what's going on anyway?
>
> In all honesty, I wouldn't mind a bit paying that little bit of extra
> tax, and I certainly don't mean to attack you, but I think you get the
> general idea...
True. I never said it should be free but 450 bucks to sit in a folding
chair is a bit rough. I would set my limit at around 200 bucks (about
137 us).
Why not host it in Canada then? The govt here loves chucking money at
non-citizen sponsored ideas. It seems all you need to spend money in
the Canadian govt is 3.12 brain cells. [I speak of the parliamentary
underground halls, the extra cafts ...etc.. lots of spending on
politicians]....
That's my opinion, I could be wrong.
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: How much does it cost to share knowledge?
Date: Thu, 27 Jan 2000 16:51:58 GMT
In article <86ourv$ppq$[EMAIL PROTECTED]>,
Greg <[EMAIL PROTECTED]> wrote:
> How much does it cost to share knowledge?
>
> Well, in America, the question is, "How much are you willing to pay
> for knowledge?"
>
> Tough lesson, but that is the free market in action...
That's sad, as scientists I would think their main goal was the
development of the human understanding of things. Math always existed
we are just *finding* it. That's why patents must be abolished. It's
analogous to patenting a new found island because you found it first.
That's silly.
Come on, we are supposed to be evolving as a society yet we cling to some
paper with printing on it. That's very primitive.
Tom
------------------------------
Date: Thu, 27 Jan 2000 12:09:02 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Why did SkipJack fail?
Jerry Coffin wrote:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> > Jerry Coffin wrote:
> > > Doing some figuring, that seems to come to around $200 million US to
> > > break SkipJack at a rate of one key per year -- an amount of money
> > > that quite a few large companies or most government agencies could
> > > afford fairly easily.
> >
> > I doubt the financial officers would approve such an expenditure
> > for so little gain! $200M/key/yr is not very productive.
>
> The amount of gain obviously depends on what you expect to recover. I
> doubt anybody would do this as a blue-sky type of thing. OTOH, if
> they had a reasonable expectation of recovering something they
> considered worth substantially MORE than the $200M, and would remain
> that valuable for at least the year involved, then I could easily see
> a financial officer approving the expenditure.
One must also evaluate the relative cost in addition to the absolute cost.
If the expected benefit/goal is mandatory, e.g., required by law, then the
absolute cost is mostly irrelevant and only the relative cost is
interesting. If $2e8 is the lowest price path to obtaining the mandatory
benefit/goal it will be the automatic choice.
>
>
> Another possibility is that a company could decide to build such a
> thing as a technology demonstration. Offhand I don't know what IBM
> has spent on Deep Blue, but no matter how good it gets at chess, I
> doubt it'll ever (directly) generate enough revenue to pay for itself.
> Despite this, somebody apparently thought it was worth the
> expenditure, and I'd tend to agree.
>
> Ultimately, without knowing the possible gain, it's impossible to say
> that a particular investment would be good, bad or indifferent.
>
> --
> Later,
> Jerry.
>
> The universe is a figment of its own imagination.
------------------------------
From: [EMAIL PROTECTED] (Jane A. Gilbert)
Subject: Re: ECC & RSA re: patents, copyrights
Date: Thu, 27 Jan 2000 17:24:54 GMT
Reply-To: [EMAIL PROTECTED]
Uri Blumenthal <[EMAIL PROTECTED]> wrote:
>Jerry Coffin wrote:
>> Certicom has a couple of patents on specific
>> methods of carrying out some of the operations in ECC, but it's
>> entirely possible to implement ECC without using them.
>1. I don't know for sure, but I heard that Certicom is not the
> only patent holder wrt. ECC.
>2. Are you *sure* that it is entirely possible to implement
> ECC without using Certicom patents and still INTEROPERATE
> with a Certicom implementation?
>--
>Regards,
>Uri [EMAIL PROTECTED] M.C.Ht N2RIU
>-=-=-==-=-=-
><Disclaimer>
Am extremely interested in Uri's second question regarding
interoperability with Certicom's implementation. Can you implement
ECC without licensing their implementation (legally) and still be
interoperable?
Thanks.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Why did SkipJack fail?
Date: 27 Jan 2000 17:46:16 GMT
In <86ouom$po2$[EMAIL PROTECTED]> Greg <[EMAIL PROTECTED]> writes:
>So I guess my question really should have been, why is there no
>overwhelming demand for SkipJack (and let me take this opportunity
>to clarify) within the Clipper product like there is for PGP or
>other successful encryption product?
Because people did not trust it. Because Gov't access to keys would make
any business feel leery. Because most businesses are just beginning to
realise the need for crypto. Because Clipper was weak and shown to be
weak.
>Perhaps, as someone said, SkipJack is not a failure, but I would
>not call it a success either. A success is something like RSA
>or PGP. These are success stories simply by their name recognition.
Different markets. Clipper was directed at the business market, PGP at
the "home" market. However, you are right that the uniformly bad press
for Clipper vs the almost uniformly good press for PGP makes a
difference also to business decisions.
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: LSFR
Date: Thu, 27 Jan 2000 11:49:00 -0600
r.e.s. wrote:
> --Third (***Is this right??***):
> For FG(n,m,10) to be in any way "optimal", it's necessary that
> x^n + x^m + 1 be primitive on GF(2) and on GF(5).
>
> Therefore, I can simply take my list of the trinomials that are
> primitive on GF(2) and that also have m = n-1, n-2, 1, or 2,
> and determine which of them are also primitive on GF(5).
> For 10 <= n <= 100, the list is not long:
>
> x^11 + x^2 + 1
> x^11 + x^9 + 1
> x^15 + x^14 + 1
> x^15 + x + 1
> x^21 + x^2 + 1
> x^21 + x^19 + 1
> x^22 + x^21 + 1
> x^22 + x + 1
> x^35 + x^2 + 1
> x^35 + x^33 + 1
> x^60 + x^59 + 1
> x^60 + x + 1
> x^63 + x^62 + 1
> x^63 + x + 1
>
> Maybe *none* of them are primitive on GF(5)!?
> Is it out of Maple's reach to test this, I wonder?
Maple should easily be able to test these. You first have to find the
factors of 5^m-1 for each m, then take x^r modulo the polynomial to
see if you get 1. You really only need to take x^(5m-1) modulo the
polynomial to reject it tho, you don't really care what the order is.
Patience, persistence, truth,
Dr. mike
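
[Added example, not part of the original post.] The order test described in the reply above, generalized to any monic polynomial over GF(p): x must satisfy x^(p^n-1) = 1 but x^((p^n-1)/r) != 1 for every prime factor r of p^n-1. It is run on the n = 11 and n = 15 trinomials from the quoted list, with x^2 + x + 2 over GF(5) as a constructed positive control; all function names are assumptions of this example.

```python
# Added example: primitivity test for monic polynomials over GF(p).
# Polynomials are coefficient lists, lowest degree first; degree n >= 2.

def mulmod(a, b, f, p):
    """Return a*b reduced modulo the monic polynomial f, coefficients mod p."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % p
    # Fold high terms down using x^n = -(f[0] + f[1] x + ... + f[n-1] x^(n-1)).
    for k in range(2 * n - 2, n - 1, -1):
        c, prod[k] = prod[k], 0
        for i in range(n):
            prod[k - n + i] = (prod[k - n + i] - c * f[i]) % p
    return prod[:n]

def x_pow(e, f, p):
    """Return x^e mod (f, p) by square-and-multiply."""
    n = len(f) - 1
    result = [1] + [0] * (n - 1)
    base = [0, 1] + [0] * (n - 2)          # the polynomial x
    while e:
        if e & 1:
            result = mulmod(result, base, f, p)
        base = mulmod(base, base, f, p)
        e >>= 1
    return result

def prime_factors(v):
    """Distinct prime factors by trial division (fine for the sizes used here)."""
    out, d = set(), 2
    while d * d <= v:
        while v % d == 0:
            out.add(d)
            v //= d
        d += 1
    if v > 1:
        out.add(v)
    return out

def is_primitive(f, p):
    """True iff x has multiplicative order p^n - 1 modulo f over GF(p)."""
    n = len(f) - 1
    one = [1] + [0] * (n - 1)
    order = p ** n - 1
    if x_pow(order, f, p) != one:          # quick reject, as in the reply
        return False
    return all(x_pow(order // r, f, p) != one for r in prime_factors(order))

def trinomial(n, m):
    """Coefficient list of x^n + x^m + 1."""
    f = [0] * (n + 1)
    f[0] = f[m] = f[n] = 1
    return f

# (n, m) pairs copied from the quoted list, restricted to n = 11 and n = 15.
PAGE_TRINOMIALS = [(11, 2), (11, 9), (15, 14), (15, 1)]

if __name__ == "__main__":
    for n, m in PAGE_TRINOMIALS:
        f = trinomial(n, m)
        print(f"x^{n} + x^{m} + 1: GF(2) {is_primitive(f, 2)}, GF(5) {is_primitive(f, 5)}")
    print("control x^2 + x + 2 over GF(5):", is_primitive([2, 1, 1], 5))
```

Every trinomial x^n + x^m + 1 fails over GF(5) for a structural reason: a primitive polynomial of degree n over GF(q) needs (-1)^n f(0) to generate the multiplicative group of GF(q), and neither +1 nor -1 generates that group for q = 5.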
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Mac encryption algorithm?
Date: Thu, 27 Jan 2000 12:38:35 -0500
Paul Schlyter wrote:
>
> In article <86nq4a$ngg$[EMAIL PROTECTED]>,
> Keith A Monahan <[EMAIL PROTECTED]> wrote:
>
> > Can you be more specific? Are you looking for public key stuff or
> > private key? I'm not real familiar with mac programming, but outside of
> > maybe byte order or something, are there particular issues you need to
> > worry about?
>
> Yes: MAC's use symmetric encryption algorithms, as opposed to
> certificates which use asymmetric encryption algorithms. Therefore,
> to verify a MAC, you need access to the secret symmetric
> encryption/decryption key.
>
> One common way to compute a MAC is to use DES in CBC mode, and then
> discard all encrypted DES blocks except the last one, which will
> become the MAC.
Well, "mac" can mean a number of things.
In this context, it could mean "message authentication code".
The first ones were based on block ciphers like DES. But you
can also build them from one-way hashes (as in the IETF HMAC standard).
"mac" can also be short for "Macintosh". If that's what the
original message was asking for (a cipher easily implemented
on a Macintosh) the answer is: pick any, the target machine
doesn't really matter. About the only hassle you may run into
is that some want to do arithmetic on multi-byte values in
the wrong (Intel style) byte order. Non-arithmetic ciphers
like DES don't have this problem. (Then again, with DES you
have to be *really* careful because the standard doesn't talk
about bytes at all, so you have to watch what you're doing
if you want to interoperate with other implementations.)
paul
--
!-----------------------------------------------------------------------
! Paul Koning, NI1D, D-20853
! Lucent Corporation, 50 Nagog Park, Acton, MA 01720, USA
! phone: +1 978 263 0060 ext 115, fax: +1 978 263 8386
! email: [EMAIL PROTECTED]
! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75
!-----------------------------------------------------------------------
! "A system of licensing and registration is the perfect device to deny
! gun ownership to the bourgeoisie."
! -- Vladimir Ilyich Lenin
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Any Reference on Cryptanalysis on RSA ?
Date: Thu, 27 Jan 2000 12:40:47 -0500
"Ip Ting Pong, Vincent" wrote:
>
> Hi all,
>
> I want to study the relationship of the strength between the key length of
> RSA and the key length of DES.
> For example,
> Currently, 1024 bit RSA and 64 bit DES are the de facto strong key length.
The key length of DES is 56 bits, not 64. And it is not "strong".
paul
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************