Cryptography-Digest Digest #29, Volume #11        Tue, 1 Feb 00 09:13:01 EST

Contents:
  Re: Court cases on DVD hacking is a problem for all of us (Terje Elde)
  Re: NIST, AES at RSA conference (Bryan Olson)
  Re: Does the NSA have ALL Possible PGP keys? ("Scott Fluhrer")
  Re: NIST, AES at RSA conference (Serge Vaudenay)
  Re: NIST, AES at RSA conference (Serge Vaudenay)
  Re: Wireless PKI now or later ("Lassi Hippeläinen")
  Re: importance of crypto (MC)
  Re: Does the NSA have ALL Possible PGP keys? (Tom St Denis)
  Sbox construction idea (Tom St Denis)
  Showview ("A. N. Other")
  Private-key RSA ([EMAIL PROTECTED])
  Re: The Best Books (Keith A Monahan)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Terje Elde)
Subject: Re: Court cases on DVD hacking is a problem for all of us
Date: Tue, 01 Feb 2000 08:00:42 GMT

In article <[EMAIL PROTECTED]>, Troed wrote:
>Unf nyernql orra qbar, gubhfnaqf bs gvzrf, naq gur ZCNN unf tbar gb
>pbheg va gur HF gb znxr ubfgvat gur QrPFF fbheprpbqr, be rira yvaxvat
>(!) gb vg, vyyrtny.

NSNVX gur yvaxvat ovg snvyrq. Cebuvovgvat fhpu n guvat nf yvaxf naq/be
ubfgvat fbhepr pbqr gung'f qvfgevohgrq guvf sne naq jvqr JVYY snvy.

>Cyrnfr envfr lbhe ibvpr va nal jnl lbh pna - gur ZCNN ner ba gur iretr
>gb qb fbzrguvat irel onq gb n ybg bs crbcyr.

Lrnu, naq gur chfubire cbyvpl bs gur abejrtvna yrtny flfgrz qbrfa'g uryc
zhpu rvgure :( (ersrevat gb guvf fcrfvsvp pnfr, naq bguref eryngrq gb
Abejnl).

Grewr Ryqr
-- 
Ex, de... Yv oek sqd huqt jxyi jxud jxqj cuqdi oek'lu rheaud co
udshofjyed. DEM te oek iuu mxo mu duut ijhedw shofje?

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Date: Tue, 01 Feb 2000 08:04:14 GMT

Terry Ritter wrote:
>
> I really would prefer to avoid this discussion, but since the previous
> author makes false claims about my position, I will try to correct the
> errors.

I'm happy to stand by my writing, but first let me point out
that I prefaced my remarks about your position with, "I see
Ritter's argument as...".  When my second paragraph continued
to consider your writing, I wrote "I do not see..."

I don't think I mis-read anything here, but even so, I
presented my interpretations _as_ my interpretations, so I'm
certain I didn't misrepresent anything. Addressing my remarks to
John Savard seemed appropriate since you had just announced
that you no longer debate with me.


> Bryan Olson wrote:
>
> >[...]
> >I'll explain my point in terms of the two responses you
> >present.  I see Ritter's argument as insisting that "we lack
> >proof" is fatal to any cipher that an effort such as AES
> >might produce, regardless of how the designer of that cipher
> >may have applied the "do everything we can" principle in
> >your second paragraph.
>
> That statement depends upon how the previous author defines "fatal."
>
> It is clear that to claim AES is secure without proof would be
> incorrect and false and wrong.  And cryptanalysis can offer no such
> proof.

Why limit that to the AES?  Is it not equally incorrect
false and wrong to claim other measures to be secure
without proof.  For example [...]

> We have to use ciphers.  Unfortunately, we necessarily use ciphers
> which have no proof of strength, and, therefore, may be weak.  I claim
> that it is appropriate for us to innovate and use other measures which
> will maintain security even when our most trusted cipher is in fact
> weak.

"Will maintain security" you say.  Not "may or may not".


> >He does
> >not consider any analysis of their properties or any
> >internal structure they may have; they are simply rejected
> >because we cannot disprove that an adversary may break them.
>
> That statement is also false and misleading.
>
> I do reject the common wisdom that cryptanalysis tells us anything
> about the strength of ciphers which have not been broken.
> Cryptanalysis testifies only to weakness, and only when a particular
> weakness has been found.  But since we only use ciphers which have not
> been broken, cryptanalysis does not help us trust the ciphers we use.
> The fact that a cipher has survived cryptanalysis does not mean that
> it cannot be broken at will by our opponents.
>
> >Then for the systems Ritter advocates, I do not see the same
> >criteria applied.  If we do apply it, then these
> >multi-ciphers fail just as surely as single ciphers.
>
> That statement seems deliberately slanted.

Above you demonstrated the inconsistency I was talking
about.  Compare your assertion, "It is clear that to claim
AES is secure without proof would be incorrect and false and
wrong", with your advocacy of innovations "which will
maintain security even when our most trusted cipher is in
fact weak."  Do you have or expect to find a proof they are
secure?  Re-reading my "slanted" statement, I see that you
just provided an example.


[...]
> It is also true that we cannot express a strength for the use of
> multiple ciphers in sequence.  But we can convince ourselves of
> several things [...]

And AES submitters convinced many of us of several things.
If we are accepting lesser arguments than proof, I believe
you have given the AES less than its due.


[...]
> We are in an unsavory position, and the only thing we *can* do is to
> try to improve our odds:
>
> We can try to improve our odds by requiring opponents to do more than
> one thing.

When John Savard referred to a break of AES as "unlikely",
you wrote on 2000-01-22,

| "Unlikely?"  Really?  And just what would you say that
| "unlikely" probability is?  How did you reach that value?
| Since  when did pulling conclusions out of the air become
| responsible scientific debate?

Again my point is that two positions on arguments for
security are both at least reasonable: one could reject all
arguments that do not lead to rigorously quantifiable
security, or one could cautiously accept analysis that falls
short of proof.  But you can't have it both ways.  If
someone else's "unlikely" needs to have a value as a
probability, then after trying to improve your "odds" you
ought to be able to bound the chance of failure away from
one.


> We can reduce the consequences of single-point failure by sending part
> of our data under one cipher, part under another, and so on, and
> especially not allowing most of society to use the same cipher.

As I've pointed out, dividing data randomly between multiple
ciphers is usually a net loser.  It decreases the danger of
exposing all the data but increases the danger of exposing a
portion. Because most traffic is highly redundant, a small
percentage of the traffic tends to hold a large part of the
intelligence value.  As I recall, you didn't believe the
redundancy part of the argument, asked for a citation, and I
provided one.  You still argued the contrary but never could
cite anything, and you finally just argued that it seemed to
you traffic shouldn't be that redundant.  You may disagree
with my recollection, and I'd still like to see any evidence
you have.


> We can improve our response to the unexpected by building systems
> which allow ciphers to be replaced at will.  Then, if a cipher is
> found weak, we can just replace it, without a massive re-engineering
> of the entire society.

As you know, I'm a long-time advocate of protocols
parameterized by cipher.  I'm glad you've come around.


> We can improve our investment in security, versus the cryptanalytic
> investments of our opponents, by having and using many fundamentally
> different ciphers.  Having many ciphers requires each opponent to
> identify, acquire, analyze and break (when possible) each different
> cipher.  It is far cheaper to produce new ciphers and distribute their
> costs (if any) over each unit than it is to cryptanalyze and break
> each new cipher.

How do you know how general your adversary's attacks are?
You may hope each one requires a new effort, and it may seem
likely to you, but again you make a positive assertion with
no proof.


> My position is substantially different from what the previous author
> would have you believe.  Given the volume of material I have written
> to explain this -- including a printed article -- and that my position
> is available on my pages, I believe such mischaracterization can only
> be seen as deliberate propaganda.

I wrote the post having just read your assertion that you
won't debate me.  I actually thought it might be true, and
since it would add to the danger of misinterpreting your
writing, I carefully wrote "I see Ritter's argument as..."
to flag my interpretation as such.  Still you accuse me of
deliberate mischaracterization.

Then, hard as this is to believe, I see that a day after
your response, you "no longer participate in discussions"
with me.  Haven't you learned yet that the insults and
accusations, the debating tricks and sheer verbosity that
have worked so well on others are not going to stop me
from asserting what I believe?  Think ignoring me will?

You are welcome to debate me or not.  I honestly can't even
decide which I'd prefer.


--Bryan

email: bolson at certicom dot com


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Tue, 1 Feb 2000 00:06:34 -0800


Anonymous <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> There are a couple of interesting threads on talk.politics.crypto
> originating from a cryptographer with www.filesafety.com.  They
> purport that the NSA has ALL POSSIBLE keys for PGP and that all PGP
> encrypted netmail has been "transparent" for at least two years to
> the NSA and certain elements of the military and FBI.  The
> cryptographic basis for this alleged total compromise of PGP is
> discussed.
>
> This is a low-traffic NG and I should like to see serious analysis of
> these claims by those who are more technically qualified to discuss
> them.
Summary: either he's nuts, he's trolling or he's deliberately lying about
his competition (I rather suspect the latter, myself).

Facts:

- The source code for older versions of PGP is publicly available.  In spite
of repeated requests from other posters, he refuses to point out where in
the source code the number of keys are limited, or where the random number
generator is chilled

- The number of distinct keys he lists (the exact number changes from post
to post) is so small (such as one million), he could have demonstrated it by
generating a few thousand keys and found duplicates.  He refuses to do so.

- He refuses to back up his claim in any other way.  Instead, he just claims
to have unrevealed wisdom that PGP is broken, but (of course) his own
software is pristine.

- When pressed, he usually launches into personal attacks.  See the "Johnny
Bravo is an FBI man" for an example -- the logic appears to be "Johnny Bravo
disagrees with me, ergo he must be a government agent".  Personally, I
believe when people use ad hominem attacks, it's usually because that's the
only arrow left in their quiver.

--
poncho




------------------------------

Date: Tue, 01 Feb 2000 10:09:42 +0100
From: Serge Vaudenay <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference

David Wagner wrote:
> 
> In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
> > But it is also correct that multiple ciphering is provably strong*er*
> > in the sense of not allowing known-plaintext and defined-plaintext
> > attacks on individual ciphers.
> 
> Well, personally I find that to be an extremely surprising claim.
> Care to share the formal proof?  It would be the first time I know
> of where one could actually _prove_ that *anything* strictly increases
> security.

The proof is quite obvious if you consider attacks as distinguishers. If
you take MARS o RC6 o TWOFISH with three independent keys as a cipher,
then any distinguisher between this and a truly random permutation can
be transformed into a distinguisher between for instance RC6 and a
random permutation by simulating MARS and TWOFISH.

This way the product cipher is at least as secure as its strongest
factor. (Qualitative result)

With decorrelation theory notations we have a 3-line proof:
  DecP^d( MARS o RC6 o TWOFISH ) <= DecP^d( MARS ).DecP^d( RC6 ).DecP^d( TWOFISH )
  for adaptive chosen pt and ct attacks (||.||_s norm), so we have
  DecP^d( MARS o RC6 o TWOFISH ) <= 4.DecP^d( RC6 ) since DecP^d is less than 2.
(Quantitative result)
(see http://www.di.ens.fr/~vaudenay/)

There are a few old papers on this issue in quite different models.

Serge Vaudenay

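The reduction Serge sketches above, carried through step by step. This is an added note, not part of his post; the notation follows his: three independent keys K_1, K_2, K_3, C^* the uniformly distributed random permutation, [C]^d the d-wise distribution matrix of a cipher C, and DecP^d(C) = ||[C]^d - [C^*]^d|| for a matrix norm such as ||.||_s.

Qualitative part. Let C = MARS_{K_1} o RC6_{K_2} o TWOFISH_{K_3}, and let A be any distinguisher that makes d adaptive encryption or decryption queries to an oracle permutation O. Build A' as follows: A' draws K_1 and K_3 itself, runs A, and answers A's queries by

$$ x \mapsto \mathrm{MARS}_{K_1}\big(O(\mathrm{TWOFISH}_{K_3}(x))\big), \qquad y \mapsto \mathrm{TWOFISH}_{K_3}^{-1}\big(O^{-1}(\mathrm{MARS}_{K_1}^{-1}(y))\big), $$

then outputs whatever A outputs. If O = RC6_{K_2}, A is talking to exactly C. If O = C^*, then MARS_{K_1} o C^* o TWOFISH_{K_3} is again a uniformly distributed permutation (composing a uniform permutation with fixed permutations on either side does not change its distribution), so A is talking to exactly C^*. Therefore

$$ \mathrm{Adv}_{A'}(\mathrm{RC6}, C^*) = \mathrm{Adv}_{A}(C, C^*), $$

with the same number of queries d. Every attack is such an A, so the best d-limited advantage against C is at most the best d-limited advantage against RC6; repeating the argument with MARS or TWOFISH in the role of the oracle gives the minimum over the three factors, which is the "at least as secure as its strongest factor" statement.

Quantitative part (the "3-line proof"). With independent keys the distribution matrix of a composition is the product of the matrices, taken in the order in which the ciphers are applied, and composing any cipher with C^* gives C^* again, so [C^*]^d [C]^d = [C]^d [C^*]^d = [C^*]^d [C^*]^d = [C^*]^d. Hence

$$ \big([C_1]^d - [C^*]^d\big)\big([C_2]^d - [C^*]^d\big) = [C_1]^d [C_2]^d - [C^*]^d - [C^*]^d + [C^*]^d = [C_1 \circ C_2]^d - [C^*]^d, $$

and submultiplicativity of the norm gives

$$ \mathrm{DecP}^d(C_1 \circ C_2) \le \mathrm{DecP}^d(C_1)\,\mathrm{DecP}^d(C_2). $$

Finally each [C]^d is a stochastic matrix, of norm 1 in the norms used here, so DecP^d(C) <= ||[C]^d|| + ||[C^*]^d|| = 2 for every cipher, which is the step from the three-factor product to 4.DecP^d(RC6). The caveat that matters in practice: both parts rest on the three keys being independent. Derive all three from one master key and the absorption identity [C^*]^d [C]^d = [C^*]^d no longer holds, so neither bound applies.
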
------------------------------

Date: Tue, 01 Feb 2000 10:13:03 +0100
From: Serge Vaudenay <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference

Joseph Ashwood wrote:
> 
> > If breaking a cipher is equivalent to solving (a hard
> > instance of) a problem in NP and someone would prove
> > that P != NP then the cipher can not be broken with
> > polynomial effort.
> 
> As I learned not so long ago, the reality is that it does not
> quite work. The P != NP proof will likely be single problem
> oriented. This is a very important distinction, the proof of
> P != NP will mean quite a bit for security, but it will not
> be proof against known-plaintext attacks, more work is needed
> to protect against that. I think the best example right now
> of this is DFC (?), it was the only AES candidate that had a
> proof of security against a type of attack, other flaws were
> found in the design.
>                 Joe


Well, there was a security proof against differential-like attacks
against 6+epsilon rounds (epsilon is usually 2 if we think about
2R attacks).

The flaw which was discovered was a differential attack against one
round.

Serge

------------------------------

From: "Lassi Hippeläinen" <"lahippel$does-not-eat-canned-food"@ieee.org>
Subject: Re: Wireless PKI now or later
Date: Tue, 01 Feb 2000 09:58:40 GMT

Vernon Schryver wrote:
> 
> In article <[EMAIL PROTECTED]>,
> Lassi Hippeläinen <"lahippel$does-not-eat-canned-food"@ieee.org> wrote:
> >AFAIK, the WAP developers are thinking seriously about PKI. They are not
> >reinventing the wheel....
> 
> The consensus among people who know enough technical stuff about the
> Internet to talk much in IETF circle seems to be that the WAP developers
> are in fact busy re-inventing wheels, and amazingly badly.
<clip>

My comment was about WAP PKI, not about WAP as a whole. Even the current
secure protocol (WTLS) is just TLS fine tuned to WAP. WPKI will probably
be some existing PKI with more detailed definitions to narrow down the
choices. Too many choices lead to insecure systems, as the IPsec critics
have pointed out. WAP needs interoperability rather than liberty.

It will be interesting to see if the WPKI will be successful. Due to the
marketing power of the wireless operators, WPKI could become the market
leader of "PKIs for general use". It could even be the long awaited
enabler of global electronic commerce. (Just daydreaming...)

But the other parts of WAP... they did invent many round wheels, and
possibly hexagonal, triangular, and square ones too.

-- Lassi

------------------------------

From: MC <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: importance of crypto
Date: Tue, 01 Feb 2000 11:54:23 GMT



Keith A Monahan wrote:
> 
> Has anyone seen a paper which describes why crypto is important for
> the LAN/WAN engineer?

Hi,

This is for more popular consumption than what you're asking, but see:

http://www.goingware.com/encryption

If you find exactly what you're looking for, let me know where and I'll 
link to it from the page.

Regards,

Michael D. Crawford
GoingWare - Expert Software Development and Consulting
http://www.goingware.com
[EMAIL PROTECTED]

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Tue, 01 Feb 2000 12:36:45 GMT

In article <[EMAIL PROTECTED]>,
  Anonymous <[EMAIL PROTECTED]> wrote:
> There are a couple of interesting threads on talk.politics.crypto
> originating from a cryptographer with www.filesafety.com.  They
> purport that the NSA has ALL POSSIBLE keys for PGP and that all PGP
> encrypted netmail has been "transparent" for at least two years to
> the NSA and certain elements of the military and FBI.  The
> cryptographic basis for this alleged total compromise of PGP is
> discussed.
>
> This is a low-traffic NG and I should like to see serious analysis of
> these claims by those who are more technically qualified to discuss
> them.
>
> Take a look, and be sure to cross-post your comments here.
>

Actually I remember this guy posting in sci.crypt a while ago.  He left
after we flamed him to death.

Basically he is just an a-hole, saying that everything out there is
broken despite the fact he can't prove any of it.

Stop wasting time posting such garbage.

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Sbox construction idea
Date: Tue, 01 Feb 2000 12:42:11 GMT

In safer they use 45^x mod 257 for the sbox in the cipher, what if you
created a 4x8 parallel set of sboxes [four side by side] with different
bases?  So you end up with a 8x32 sbox?

Has that idea ever been discussed before?  Maybe it would be nice to
have some scientific discussion related stuff going on?

I have source code that will make the sboxes given a matrix (4x4 in my
case) of bases.  Are there specific bases to avoid?  [I know they have
to be generators... or that x^128 mod 257 != 1], I would imagine that
would be of high avalanche if used in a blowfish style F function...

Any thoughts?

Tom



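An added example, not code from Tom's post: the SAFER-style exponentiation box 45^x mod 257, the generator check he mentions (x^128 mod 257 != 1 is the complete test, because 256 = 2^8 has 2 as its only prime factor), the four-boxes-side-by-side 8x32 construction, and two quick measurements on the result. It also checks one thing worth knowing before picking "different bases": every generator mod 257 is 45^k for some odd k, so the box for base b is the 45 box with its input multiplied by k mod 256. Changing the base changes only an input relabeling, not the table itself. The function names, the sample bases 3, 5 and 7, and the byte order of the 32-bit output are this example's own choices.

```python
# Added example: SAFER-style exponentiation S-boxes mod 257 and Tom's
# "four 8x8 boxes side by side -> one 8x32 box" idea.  Names and the
# sample bases are assumptions of this example, not anything from SAFER.

P = 257                    # SAFER's modulus; the multiplicative group has order 256
HALF_ORDER = (P - 1) // 2  # 128


def is_generator(base):
    """True iff base generates all of (Z/257Z)*.  Because 256 = 2^8 has the
    single prime factor 2, the usual primitive-root test collapses to the
    one check Tom mentions: base^128 mod 257 != 1."""
    base %= P
    return base != 0 and pow(base, HALF_ORDER, P) != 1


def primitive_roots():
    """All generators mod 257; there are phi(256) = 128 of them."""
    return [b for b in range(1, P) if is_generator(b)]


def exp_sbox(base):
    """S[x] = base^x mod 257, storing the value 256 (reached at x = 128) as
    0 so the table fits in a byte, as SAFER does with base 45.  The result
    is a permutation of 0..255 only when base is a generator."""
    if not is_generator(base):
        raise ValueError("%d is not a generator mod %d" % (base, P))
    return [0 if v == 256 else v for v in (pow(base, x, P) for x in range(256))]


def log_sbox(base):
    """Inverse table (discrete log to the given base): the decryption direction."""
    inv = [0] * 256
    for x, v in enumerate(exp_sbox(base)):
        inv[v] = x
    return inv


def is_permutation(table):
    return sorted(table) == list(range(256))


def sbox_8x32(bases):
    """Four exp boxes side by side: one 8-bit input, a 32-bit output, with
    the first base in the most significant byte (byte order is this
    example's choice)."""
    if len(bases) != 4:
        raise ValueError("need exactly four bases")
    boxes = [exp_sbox(b) for b in bases]
    return [(boxes[0][x] << 24) | (boxes[1][x] << 16)
            | (boxes[2][x] << 8) | boxes[3][x] for x in range(256)]


def exponent_relating(base_a, base_b):
    """Return the odd k with base_a^k = base_b mod 257.  Such a k exists
    whenever both are generators, since the group is cyclic of order 256,
    and then S_b[x] == S_a[k*x mod 256] for every x."""
    for k in range(1, 256, 2):
        if pow(base_a, k, P) == base_b % P:
            return k
    raise ValueError("%d and %d are not both generators" % (base_a, base_b))


def differential_uniformity(sbox):
    """max over nonzero input XOR difference a and output difference b of
    #{x : S[x ^ a] ^ S[x] = b}.  Smaller is better; 4 is the best known
    for 8-bit permutations (the AES S-box reaches it)."""
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        worst = max(worst, max(counts))
    return worst


def avalanche_8x32(sbox32):
    """Mean number of output bits flipped by a single-bit input flip, over
    all 256 inputs and all 8 input bits; 16 would be ideal for 32 output bits."""
    total = 0
    for x in range(256):
        for i in range(8):
            total += bin(sbox32[x] ^ sbox32[x ^ (1 << i)]).count("1")
    return total / (256 * 8)


if __name__ == "__main__":
    s45 = exp_sbox(45)
    print("45^x box is a permutation:", is_permutation(s45))
    print("generators mod 257:", len(primitive_roots()))
    k = exponent_relating(45, 3)
    s3 = exp_sbox(3)
    print("3 = 45^%d, and S_3[x] == S_45[k*x mod 256] for all x:" % k,
          all(s3[x] == s45[(k * x) % 256] for x in range(256)))
    print("differential uniformity of the 45 box:", differential_uniformity(s45))
    print("mean avalanche of the 8x32 box [45,3,5,7]:",
          avalanche_8x32(sbox_8x32([45, 3, 5, 7])))
```

The relabeling fact is the practical answer to "are there specific bases to avoid": since x -> k*x mod 256 is not XOR-linear the four bytes are not trivially linearly related, but they are all the same table read through four different input permutations, which is a weaker kind of independence than four unrelated tables would give. Measuring the combined box (the avalanche and differential counts above) is the honest way to decide whether that is good enough for a given F function.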
------------------------------

From: "A. N. Other" <[EMAIL PROTECTED]>
Crossposted-To: alt.video.vcr
Subject: Showview
Date: Tue, 1 Feb 2000 11:06:36 +0100
Reply-To: "A. N. Other" <[EMAIL PROTECTED]>

Does anyone know where i can get the algorithm for decoding VCR showview
codes?
I would like to use it in a VBA function for Excel (if the algorithm isn't
too complex).

Regards
F.E.N. in Denmark

------------------------------

From: [EMAIL PROTECTED]
Subject: Private-key RSA
Date: Tue, 01 Feb 2000 13:27:24 GMT

Hi,

Surely if you encrypt using RSA, but both the public-key and exponent
are kept secret (i.e. not widely published), the cryptanalyst has a
nigh on impossible job?
Maybe even if he has a quantum computer (as there are an infinite
number of Public(so-called)-keys)?
Please excuse me if this is just ridiculous, I'm not sure I really know
what I'm talking about!

Jack



------------------------------

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: The Best Books
Date: 1 Feb 2000 13:57:00 GMT

I can vouch for the quality of this book.  I purchased it when it originally
came out.  I want to say June/July 1998.  Clear examples and diagrams
really help explain complex algorithms.  The book is fairly detailed and
is a must for any cryptographer's library.  It reads like a school textbook,
with questions at the end of the chapter(I think).

Its 'Amazon' price is like $73, but I think I paid $49 for it at a
Border's Books & Music Store. It's around 500/600 pages and a hardcover
which is nice.

Keith

P.S. The only way you can tell if a book is going to suit your needs is to
go look at it.  No recommendation from anyone will be conclusive proof that
you like it.  There are several good books in this field, it's easy to
build a library.


William Stallings ([EMAIL PROTECTED]) wrote:
: In article <naol4.83$[EMAIL PROTECTED]>, "Dave
: Nejdl" <[EMAIL PROTECTED]> wrote:

: > I sincerely apologize because I'm sure this question is well answered in the
: > faq, but I don't have http access at the moment (very long story). Anyway,
: > I'm pretty much a beginner to crypto. I'm looking for a book that starts at
: > a beginner/intermediate level and also covers fairly advanced topics (ie.
: > something I can learn from for a long time). Examples in C are important, as
: > are the coverage of cryptanalysis as well as cryptography.
: > 
: You might consider my book,

: Cryptography and Network Security: Principles and Practice, 2nd Edition
: (1999, ISBN 0-13-869017-0)

: Winner of the 1999 Texty Award for the best Computer Science and
: Engineering textbook, awarded by the Text and Academic Authors
: Association, Inc.

: Bill

: |                | Descriptions, errata sheets and discount order info |
: |                | for my current books and info on forthcoming books: |
: | Bill Stallings |                WilliamStallings.com                 |
: |  [EMAIL PROTECTED]  |                                                     |
: |                |    Visit Computer Science Student Support site:     |
: |                |      WilliamStallings.com/StudentSupport.html       |

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
