Cryptography-Digest Digest #28, Volume #11        Tue, 1 Feb 00 02:13:01 EST

Contents:
  Re: How much does it cost to share knowledge? ("Steve Sampson")
  Re: How to Annoy the NSA (Tim Tyler)
  Re: Intel 810 chipset Random Number Generator (Tim Tyler)
  Re: Wireless PKI now or later (Drew Cutter)
  Re: Intel 810 chipset Random Number Generator (Michael Kagalenko)
  Re: How to Annoy the NSA ([EMAIL PROTECTED])
  Re: How to password protect files on distribution CD (Michael Wojcik)
  Re: The Best Books (Ed Pugh)
  Re: Intel 810 chipset Random Number Generator (Guy Macon)
  Re: How to Annoy the NSA ("Douglas A. Gwyn")
  Re: Q: DFT (Samuel Paik)
  Does the NSA have ALL Possible PGP keys? (Anonymous)
  Re: NIST, AES at RSA conference (David Wagner)
  Re: NIST, AES at RSA conference (David Wagner)
  Re: NIST, AES at RSA conference (David Wagner)

----------------------------------------------------------------------------

From: "Steve Sampson" <[EMAIL PROTECTED]>
Subject: Re: How much does it cost to share knowledge?
Date: Mon, 31 Jan 2000 20:14:37 -0600


Rick Braddam wrote 
> 
> Where he states that the Intel 4004 was the first microprocessor,

The 8008 came in so fast behind the 4004, that I don't think many had
any schematics done before the newer chip came out.

> The PDP-8 should have been a fine machine, but it was basically a
> minicomputer. At circa $28,000 it was hardly a personal or home
> computer, even if some (well to do) people had one.

The value I heard was in the 3k to 4k range for surplus machines, in
1970 dollars (a lot! worth as much as two new Chevy Luv pickups).
ASR-33 TTY's were also expensive.

> I think you mean the 8088.

That's it, slipped my mind.  I bought a 5 MHz 8088 clone as a dumb
terminal to a 3-Port I/O UniFLEX 68020 machine, and it turned out
the 8088 was the higher value of the two :-)

> I think the LSI-11 may have been available in a form similar to our
> desktops. Heathkit had an LSI-11 based construction project, too.

Just wasn't any software for it.  But I wanted one at the time, because
I was programming in PDP-11 assembler for a radar console trainer.
Glad I never did.  Xinu also was out, and was designed for the LSI-11.

Steve



------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Reply-To: [EMAIL PROTECTED]
Date: Tue, 1 Feb 2000 01:23:36 GMT

[EMAIL PROTECTED] wrote:

: The paper I referred to is news because it is
: the only proposal I know of that describes how
: to go about building a quantum computer that
: consists of BOTH linear and nonlinear gates.

A universal computer can't possibly be built with just linear gates.

It's hard to see what's new there.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Strip mining helps prevent forest fires.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Intel 810 chipset Random Number Generator
Reply-To: [EMAIL PROTECTED]
Date: Tue, 1 Feb 2000 01:37:10 GMT

In sci.crypt Scott Nelson <[EMAIL PROTECTED]> wrote:

: I think the real problem with using crystals in HRNG is price. [...]

I don't think Michael Kagalenko cares much about this.

I think he's proposing using crystals that are /already/ present in the
system, and are being used for purposes - such as clocking.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Some people are nice to be nasty to.

------------------------------

Date: Tue, 01 Feb 2000 21:43:34 -0500
From: Drew Cutter <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Wireless PKI now or later

I just read an article that WAP has three problems.

We believe that three unresolved issues will delay the adoption of WAP
services for the next couple of years. The first concerns the
information itself. It will take time for content providers to determine
what information services mobile customers want to receive on their
handsets, and how they want to receive it. The subject of how the
information is delivered to the customer is being overlooked by most. We
view the Active Content approach as an example of the innovation that
will be necessary for WAP services to be successful in the delivery of
information.

The second issue is centered around the hardware, in particular, the
readability of the display and the ability for the handset to store
important information. The first set of WAP-enabled handsets will teach
us a great deal about what customers want in a data handset.

And then there is an unresolved issue with the network. Potential delays
in the WAP browser to WAP server connection on a loaded system are
unknown. More importantly, we do not know what tolerance customers will
have for such delays.

All of the issues combined are typical of a 1.0 release system. Everyone
in the industry will learn from WAP 1.0. It seems to us that the
expectations for WAP 1.0 are too high. Any company investing in products
or services related to WAP needs to be careful. The industry expectations
are out of line for a first release technology. A lot of learning, and
pioneers' bloodletting, will take place over this next year.

------------------------------

From: [EMAIL PROTECTED] (Michael Kagalenko)
Subject: Re: Intel 810 chipset Random Number Generator
Date: 1 Feb 2000 03:04:07 GMT
Reply-To: [EMAIL PROTECTED]

Tim Tyler  ([EMAIL PROTECTED]) wrote 
]In sci.crypt Scott Nelson <[EMAIL PROTECTED]> wrote: 
]
]: I think the real problem with using crystals in HRNG is price. [...]
]
]I don't think Michael Kagalenko cares much about this.
]
]I think he's proposing using crystals that are /already/ present in the
]system, and are being used for purposes - such as clocking.

 That's right. 


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: How to Annoy the NSA
Date: Tue, 01 Feb 2000 03:16:14 GMT

In article <[EMAIL PROTECTED]>,
  "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > ... Some or
> > many of the NSA's codes have depended on the
> > intractability of NP- Complete problems
> > which could become vulnerable to this type of
> > computer.
>
> I doubt that you have a clue about "NSA's codes".
>
You are wrong. For example, all RSA public-
key and lattice based cryptosystems depend on
the intractability of NP-Complete problems.
(see www.rsasecurity.com/rsalabs/faq/2-3-1.html)  It is common
knowledge that the NSA
has used RSA systems in the past. Meredith
Gardner, the first great figure in the history
of the NSA, married into my family and so I
know a little bit about the organization. If I
were, say, the Chinese Government I would
hire scientists to try building one of these
computers.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Michael Wojcik)
Crossposted-To: alt.security.pgp,comp.security.unix,comp.security
Subject: Re: How to password protect files on distribution CD
Date: 1 Feb 2000 03:20:51 GMT
Reply-To: [EMAIL PROTECTED]


[Followups set to sci.crypt, which isn't particularly appropriate - but
then none of the listed groups are, and s.c is a little closer than
some of them, and it's something of a free-for-all anyway.]

In article <[EMAIL PROTECTED]>, Eric 
Lee Green <[EMAIL PROTECTED]> writes:
> lordcow77 wrote:
> > The standard approach is easily defeated, but a routine whereby
> > a valid serial number generates a key stream that decrypts a
> > function pointer table on the fly will be significantly more
> > involved to crack than changing the result of a cmp.

True, for sufficiently small values of "significantly".  I've yet to
see a software licensing scheme (including my own) that couldn't be
cracked with less programmer effort (assuming reasonable tools, like
a text-mode debugger) than went into creating the scheme - which of
course is much less effort than would be required for recreating the
software package itself, which is the alternative to cracking it or
paying for it.

> It doesn't really matter. All you succeed in doing by making it harder is to
> make sure that your software is posted on the pirate "hacker" sites by the
> person who finally does crack it. In the "cracker" world, the harder the copy
> protection is to crack, the more prestige and esteem applies to cracking it. 

True, though of course some software is unlikely to come to the
attention of cracker hobbyists, simply by its range of likely
application.

> Frankly, I don't think that, for general purpose software (as vs. games, which
> are rather ephemeral in nature), it's worthwhile to spend much more than the
> basic amount of time on the license management etc. part of the code. You're
> trying to keep honest people honest, you're not trying to foil true thieves
> and burglars, who can get into your program no matter what kinds of locks you
> put on your doors. 

Sometimes there's value just in the keeping honest of the honest.
Our move from machine-class-based to usage-based licensing for the
middleware software I work on was welcomed by a majority of our
customer base, as it gave them a better pricing arrangement for their
budgeting.  The software licensing was the guarantee that everyone
(including any competitors who might buy the software) was getting
what they paid for.  Those customers (at least the management types
signing the checks) wouldn't have been happy to have their price
set by some vague estimate of their usage; they wanted to buy X
simultaneous whatevers.

But that pricing model only works for certain kinds of markets.  I
doubt it's very effective with shrinkwrapped application software.


--
Michael Wojcik                          [EMAIL PROTECTED]
AAI Development, MERANT                 (block capitals are a company mandate)
Department of English, Miami University

But I still wouldn't count out the monkey - modern novelists being as
unpredictable as they are at times.  -- Marilyn J. Miller

------------------------------

From: [EMAIL PROTECTED] (Ed Pugh)
Subject: Re: The Best Books
Date: 1 Feb 2000 04:22:49 GMT
Reply-To: [EMAIL PROTECTED] (Ed Pugh)

David A Molnar ([EMAIL PROTECTED]) wrote:

[SNIP]

> When you get http access back again, the _Handbook of Applied
> Cryptography_ is available for free from the authors' web sites.

Which is where, exactly?  (URLs, man; we want URLs!  :-)

> ... (for that you need to go to the
> Block Cipher Lounge web page).

Oh goody.  Another URL!  Woops, where did it go?  :-)

Get out the ol' WebFerret, Eddy.

Ok.  Here we go!

Handbook of Applied Cryptography:

http://www.cacr.math.uwaterloo.ca/hac

(Especially some "useful links":
http://cacr.math.uwaterloo.ca/hac/links/links.html   )


I got several for the "Block Cipher Lounge":

http://www.ii.uib.no/~larsr/bc.html
http://www.ii.uib.no/~larsr/aes.html           (appears to be newest)
http://www.esat.kuleuven.ac.be/~rijmen/bc.html (appears to be older)


YWIA  (You're Welcome In Advance)

Regards,
--
Ed Pugh, <[EMAIL PROTECTED]>
Richmond, ON, Canada (near Ottawa)
"Bum gall unwaith-hynny oedd, llefain pan ym ganed."
(I was wise once, when I was born I cried - Welsh proverb)

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 31 Jan 2000 23:37:21 EST


In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Jerry Coffin) wrote:
>
>In article <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] says...
 
>>   Since all data is simply predictable, entropy can't be simply
>> unpredictable data.
>
>All data is simply predictable?  Yes, I suppose it's easy to predict 
>binary data -- to the extent that "it'll be either a 1 or a 0" counts 
>as a prediction.

Actually, even that isn't an accurate prediction.  It could be metastable. See
http://www-us2.semiconductors.philips.com/acrobat/applicationnotes/AN219_1.pdf

;)

And I won't ever start in on Schroedinger's cat...  :O


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Tue, 01 Feb 2000 05:39:12 GMT

[EMAIL PROTECTED] wrote:
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] wrote:
> > > ... Some or
> > > many of the NSA's codes have depended on the
> > > intractability of NP- Complete problems
> > > which could become vulnerable to this type of
> > > computer.
> > I doubt that you have a clue about "NSA's codes".
> You are wrong. For example, all RSA public-
> key and lattice based cryptosystems depend on
> the intractability of NP-Complete problems.

No, they do not.  RSA depends for its security on
the difficulty of factoring products of large primes.
That has nothing to do with NP-Completeness.

Indeed, complexity theory has nothing to do with the
security of any given instance of any cryptosystem;
it's a theory of asymptotic behavior of classes of
problems as the problem size becomes infinitely
large, which has nothing to do with any actual
cryptosystem implementation.

> Meredith Gardner, the first great figure in the
> history of the NSA, married into my family and
> so I know a little bit about the organization.

Whether or not Gardner was "great", as an NSA
employee he would not have told his family what
encryption methods NSA has devised.

> If I were, say, the Chinese Government I would
> hire scientists to try building one of these
> computers.

Just because Quantum Computing is news to you
doesn't mean that the rest of the world is as
ignorant.  There is a *lot* of QC research going
on around the world.  One thing that is well known
in this field is that it is premature to try
constructing a large-scale Quantum Computer.

------------------------------

From: Samuel Paik <[EMAIL PROTECTED]>
Subject: Re: Q: DFT
Date: Sat, 29 Jan 2000 21:58:50 GMT

Mok-Kong Shen wrote:
> DFT, like all such transforms, has an inverse. However, due to the
> unavoidable rounding errors of real computations involved, a vector
> of integers might not get back to exactly the same values. What
> techniques can one best employ to obtain an exact inverse?

Close the loop.  Compute forward, then reverse, then send an error
signal along with DFT coefficients to correct reverse transform.
-- 
Samuel S. Paik | http://www.webnexus.com/users/paik/
3D and multimedia, architecture and implementation
Soylent Green is kitniyos!
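
Paik's "close the loop" idea, worked through as an added example (this is not code from the original post): the sender computes the forward DFT, runs exactly the inverse the receiver will run, and ships the small integer residual alongside the coefficients so the receiver recovers the original integers exactly. The `quantize` step is a constructed stand-in for whatever imprecise storage the coefficients travel in; the sample vector is constructed too.

```python
import cmath

def dft(x):
    """Naive O(n^2) forward DFT; fine for the short integer vectors used here."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n))
            for k in range(n)]

def idft(X):
    """Naive inverse DFT. The signal is real-valued, so only the real part of
    each output sample is kept; the imaginary part is rounding noise."""
    n = len(X)
    return [sum(X[k] * cmath.exp(2j * cmath.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]

def quantize(X, step):
    """Constructed stand-in for a lossy coefficient representation: snap the
    real and imaginary part of every coefficient to the nearest multiple of
    `step`. Any deterministic lossy storage format could take its place."""
    return [complex(round(c.real / step) * step, round(c.imag / step) * step)
            for c in X]

def encode(x, step):
    """Sender side of the closed loop: transform, quantize, then run exactly
    the inverse the receiver will run and record where its rounded output
    misses the original integers. Returns (coefficients, integer residual)."""
    Xq = quantize(dft(x), step)
    approx = [round(v) for v in idft(Xq)]
    residual = [xi - ai for xi, ai in zip(x, approx)]
    return Xq, residual

def decode(Xq, residual):
    """Receiver side: same inverse, same rounding, plus the residual. This is
    exact only because idft() here is bit-for-bit the sender's idft(); two
    ends using different FFT libraries or summation orders break the loop."""
    return [round(v) + r for v, r in zip(idft(Xq), residual)]

if __name__ == "__main__":
    x = [3, 1, 4, 1]                      # constructed integer input
    Xq, residual = encode(x, step=4)      # coarse step so the inverse is visibly off
    print("inverse alone:", [round(v) for v in idft(Xq)])  # [3, 1, 3, 1], one sample wrong
    print("residual:     ", residual)                        # [0, 0, 1, 0]
    print("corrected:    ", decode(Xq, residual))            # [3, 1, 4, 1]
```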

------------------------------

Date: Tue, 1 Feb 2000 07:27:58 +0100
From: Anonymous <[EMAIL PROTECTED]>
Subject: Does the NSA have ALL Possible PGP keys?
Crossposted-To: comp.security.pgp,misc.survivalism

There are a couple of interesting threads on talk.politics.crypto
originating from a cryptographer with www.filesafety.com.  They
purport that the NSA has ALL POSSIBLE keys for PGP and that all PGP
encrypted netmail has been "transparent" for at least two years to
the NSA and certain elements of the military and FBI.  The
cryptographic basis for this alleged total compromise of PGP is
discussed.

This is a low-traffic NG and I should like to see serious analysis of
these claims by those who are more technically qualified to discuss
them.

Take a look, and be sure to cross-post your comments here.


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: NIST, AES at RSA conference
Date: 31 Jan 2000 22:40:56 -0800

In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
> But it is also correct that multiple ciphering is provably strong*er*
> in the sense of not allowing known-plaintext and defined-plaintext
> attacks on individual ciphers.

Well, personally I find that to be an extremely surprising claim.
Care to share the formal proof?  It would be the first time I know
of where one could actually _prove_ that *anything* strictly increases
security.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: NIST, AES at RSA conference
Date: 31 Jan 2000 22:47:08 -0800

In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
> But it is also correct that multiple ciphering is provably strong*er*
> in the sense of not allowing known-plaintext and defined-plaintext
> attacks on individual ciphers.

BTW, I don't understand what you mean.  There's a counterexample to the
natural interpretation (multi-ciphering inherently prevents known- and
chosen-plaintext attacks on the component ciphers), so maybe you mean
something else.

If we consider one round of DES, one of Blowfish, plus one of Serpent,
the result is extremely insecure, and known-plaintext attacks on any of
the rounds may be mounted using merely known texts for the whole
construction -- so clearly in this degenerate case, multi-ciphering does
not prevent such attacks.

> >Anyway, one would still need to support
> >this position with evidence that diversity is more cost-effective than
> >other means at our disposal.
> 
> Hardly.  What is needed is to show that the currently-accepted
> approach -- having some sort of "contest" and then claiming some small
> number of ciphers are secure enough to use -- is more risky in various
> ways than using multiple ciphers.  

Well, I don't agree that this is enough.

Let's suppose that, for the same performance cost, I can use either
(1) Triple-DES, or (2) DES/FEAL/MMB.  This scenario probably isn't too
far off.  Now, you seem to suggest that (1) is inherently preferable to
(2).  Why?  This is the claim that needs evidence.

Sure, using multiple ciphers probably adds security, at least in the
trivial sense that it increases the total number of rounds, if in no
other way -- but it's not at all clear to me that if you compare with
an equivalent number of "rounds"/"complexity", the diversity-based
construction will fare better than the homogenous one.  It's plausible
that it could go either way, but far from obvious to me which way
it'll go.

> It is clear, for example, that in the contest between cryptographer
> and opponent, it is far more cost-effective to make and use new
> ciphers than it is for opposing cryptanalysts to keep up and break
> those ciphers.  Indeed, this is probably the only tool we have that
> can strike at the resources of our unknown opponents.  

I have to disagree here, too.
Let's assume that the attacker can spend far more resources on
cryptanalysis than we can spend on design.  Fair enough?  WWII history,
etc., seems to support this view, anyway.
If you buy into that assumption, then it seems like the best thing
we can do is pick something really simple -- ideally, so simple that
it's *obvious* that there's nothing you can do to attack it, but in
practice, simple enough that we can hope to mostly understand its
properties within our resources -- rather than to use a bunch of
half-understood ciphers, and leave the adversary the opportunity to
find new properties we didn't expect in some of them.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: NIST, AES at RSA conference
Date: 31 Jan 2000 22:57:13 -0800

In article <[EMAIL PROTECTED]>,
John Savard <[EMAIL PROTECTED]> wrote:
> But the point he was trying to make, using "tripling" instead of a
> detailed description of your multi-ciphering proposal, would be that
> 
> if the mathematical condition of unprovability is _itself_ cause for
> concern
> 
> then no technique that does not yield a provably secure cipher removes
> the cause for concern.
> 
> If the mathematical condition of unprovability is *not* cause for
> concern by itself,
> 
> then what *other* arguments do you have for being out of step with
> everyone else, by refusing to see the light and acknowledge that the
> five AES finalists are all more secure than anyone could possibly
> need?

Thank you, John.  That is exactly the argument I was trying to get at,
although as usual, you stated it better than I.

BTW, I think this discussion is interesting even outside of the context
of the AES.

> But there are responses. One of which might be to note that except for
> MARS, we're dealing with ciphers using a single type of round.

Yup.

As an occasional would-be cryptanalyst, I can certainly agree that
ciphers with multiple round-types often tend to be much more frustrating
to find attacks on.  But this cuts both ways: I can never quite convince
myself whether this is because they inherently are more secure; or merely
because complex ciphers are harder to analyze in general, and thus might
be susceptible to serious attacks that are simply harder to find than
would otherwise be the case.

I've certainly seen a number of real-life examples where "gratuitous"
complexity made attacks harder to describe, but not at all harder to
implement.  This is the worst-case scenario for complex ciphers.

The concern is that complexity might not provide extra security.  It might
merely do a better job of "hiding" the existing attacks.  We certainly see
this phenomenon quite frequently in amateur ciphers -- and see Knuth's
super pseudorandom generator for another great example -- but that doesn't
necessarily mean the "professionally-designed" ciphers like MARS will fall
to the same pitfalls.

So there's a fine line to walk, when it comes to adding extra complexity.
Add enough for conservative security, and for good performance, but don't
add so much that the friendly cryptanalysts throw up their hands in disgust
without even looking very deeply at the proposal.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
