Cryptography-Digest Digest #37, Volume #11        Wed, 2 Feb 00 06:13:01 EST

Contents:
  Re: Jaws Technologies' L5 Data Encryption Algorithm? (John Savard)
  Re: How to password protect files on distribution CD (Matti Juhani Kurkela)
  Re: Does the NSA have ALL Possible PGP keys? (W A Collier)
  Re: Does the NSA have ALL Possible PGP keys? (W A Collier)
  Q: current CAST status (Hideo Shimizu)
  Re: Available Algorithms ("G. R. Bricker")
  Re: How to Annoy the NSA (Johnny Bravo)
  Re: LSFR ("Michael Darling")
  Re: Does the NSA have ALL Possible PGP keys? (Johnny Bravo)
  Re: How to Annoy the NSA ("Douglas A. Gwyn")
  Re: Does the NSA have ALL Possible PGP keys? ("Douglas A. Gwyn")
  Re: Is the following system acceptable for "casual" encryption? ("Douglas A. Gwyn")
  Re: Block chaining ("Douglas A. Gwyn")
  Re: Wireless PKI now or later (Vernon Schryver)
  Re: How to password protect files on distribution CD (Vernon Schryver)
  Re: NIST, AES at RSA conference (Serge Vaudenay)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Jaws Technologies' L5 Data Encryption Algorithm?
Date: Wed, 02 Feb 2000 06:22:56 GMT

On 1 Feb 2000 23:59:50 GMT, [EMAIL PROTECTED] (Keith A Monahan) wrote,
in part:

>Jaws Technologies has applied for patents for their technology, which
>requires more permutations to crack than the scientific community
>currently has a number for, said Robert Kubbernus, CEO of Jaws.

Although I'll admit that 2^4096 definitely is a number that
mathematicians can name, the fact that they've applied for a patent
means that eventually they will be able to disclose their algorithm
(which is claimed to have the public-key property). Until this
happens, it's sufficient to reserve judgement.

I had attended a local presentation of theirs, and was at least
favorably impressed with the fact that they seemed to be a company
knowledgeable about other aspects of computer security.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: Matti Juhani Kurkela <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.unix,comp.security
Subject: Re: How to password protect files on distribution CD
Date: 02 Feb 2000 09:13:18 +0200

[followups set to comp.security]

Wally Whacker <[EMAIL PROTECTED]> writes:

> There is a solution:
> 
> Don't give the user the CD. Have it run remotely over the net with an X-Server or
> web browser. Cracked code problem solved. It still allows illegal usage, even
> over the net, but it's much easier to monitor and control.

What if this specialized application is a CPU-intensive one? Now the
software manufacturer needs to buy and maintain enough computer
hardware to provide processing power to ALL their clients - with some
margin for contingency. Lots of money to be spent on hardware for a
software development company, I think.

By giving (selling) the CDs to the users, each user can buy as much
processing power, storage, reliability and security as (s)he needs.

Well, let's hope that the application provider keeps his servers
totally secure, then. The network between the provider and users had
better be secure, reliable and fast, too. 

If that kind of a specialized application is critical to some
respectable-sized company, they might want a dedicated WAN link to the 
application provider to ensure that no unscheduled interruptions
occur. Also, the companies will want some sort of liability statements
written on the service agreement...

Somehow, I don't see such application being advertised as
"competitively priced" :-)
 
> I think in the long run, piracy has helped computer companies. Just my
> opinion.
> 
> Here's one to chew on: Software you buy, install and run completely on
> your computer will go the way of the horse and buggy. Once Internet
> speeds can support good interactive use, who wants the hassle of
> installing software, figuring out problems, re-installing every time
> Windows needs re-installing etc? Apps over the net will be point and
> clock GO!

I won't swallow this too easily.

Cracking that kind of a network application server will be the
Holy Grail of thousands of crackers and wannabes. Any computing task
for which reliability or security is critical is still preferable to
do locally. 

I could spit out even more counterarguments, but now I have some work
to do...

-- 
[EMAIL PROTECTED]    <URL: http://www.hut.fi/u/mkurkela/ > 
   The universe runs through the complex interweaving of energy, matter,
   and enlightened self interest.

------------------------------

From: W A Collier  <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 2 Feb 2000 07:58:15 -0700

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...
> What's the big deal, any one of us who wishes to spend the time can 
> generate all possible PGP keys. So what, now if they can search them and 
> discover which one is in use in a particular message and then decrypt 
> it, that's news, but its also pretty far fetched that nsa is performing 
> a search across the key space for all PGP encrypted messages in the 
> internet. (Ignores question of how all traffic in the internet is 
> funneled to NSA!)

If you would bother to read up, to generate the keys to fill the keyspace 
of a 2048 bit PGP key, well let's say that the sun will be burned out long 
before all the computers on this planet are done cranking through those 
keys.



------------------------------

From: W A Collier  <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 2 Feb 2000 08:11:55 -0700

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...
> There are a couple of interesting threads on talk.politics.crypto
> originating from a cryptographer with www.filesafety.com.  They
> purport that the NSA has ALL POSSIBLE keys for PGP and that all PGP
> encrypted netmail has been "transparent" for at least two years to
> the NSA and certain elements of the military and FBI.


All possible keys, eh?  How'd they generate *all* the keys for my 2048 
bit keyspace - and more importantly, where are they storing them and how 
are they indexing them for retrieval to decrypt the session keys for the 
underlying one-time session cypher? Do you have any idea about the size 
of what you are talking about?  Obviously not.  You did know that the 
public key part is only used to exchange a session key to the real 
ciphersystem, right?

Hmm, didn't think so. What are they trying to sell in the wake of the FUD 
they are spreading on usenet, eh?  The basic RSA stuff used in PGP has 
been beat on by tons of top cryptanalysts and mathematicians, and not one 
published report of the cypher being broken has happened.  Not one.  I'm 
sure Adi Shamir and Ron Rivest [the R and S in RSA] would *love* to see 
what this so-called "cryptographer" from filesafety.com has to say; 
likely he's a buffoon speaking out his arse, just like most other wanna-be 
cryptanalysts.

> The
> cryptographic basis for this alleged total compromise of PGP is
> discussed.

Pretty simple, there isn't one.

> This is a low-traffic NG and I should like to see serious analysis of
> these claims by those who are more technically qualified to discuss
> them.

ROFL.  Sure - which keysize do they allegedly have the keys for?  512, 
1024, 2048 bits? And how did they solve the problem of what is 
essentially one of the most unyielding areas of theoretical mathematics 
(which is what is required to provide any significant advantage over 
brute force)?

Please read something like Schneier's Applied Cryptography and educate 
yourself on the issue before you believe every misinformed conspiracy 
theorist troll and internet crank on things like this.

------------------------------

From: Hideo Shimizu <[EMAIL PROTECTED]>
Subject: Q: current CAST status
Date: Wed, 02 Feb 2000 17:32:35 +0900

Hi all

Bruce Schneier wrote in Applied Cryptography (p.335),
'The Canadian government is evaluating CAST as a new encryption standard.'
This statement reflects 1996's status. So, my question is: what is the current
status of the CAST cipher? Has CAST already become a Canadian standard?
If so, please tell me the URL of the Canadian encryption standard site.

Thanks

Hideo Shimizu
TAO, Japan

------------------------------

From: "G. R. Bricker" <[EMAIL PROTECTED]>
Subject: Re: Available Algorithms
Date: Wed, 02 Feb 2000 08:39:44 GMT

Or construct your own algorithm. Buy a Schaum's Mathematical Formulas book
(about $13) and pick through it. No infringement of trademark or patent
worries. I bought this in my freshman year and have dog-eared it to death. 

Simon R. Love <[EMAIL PROTECTED]> wrote in article
<877d9l$2s0$[EMAIL PROTECTED]>...
> All,
> 
> My basic question, of all the well known algorithms, which ones are
> available for use without patent, copyright, trade secret etc which means
> it's going to cost me ?
> If anyone can point me to a summary / list of algorithms and their legal
> status ( country dependent ) that would be ideal.
> 
> Simon R. Love
> England

------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Wed, 02 Feb 2000 04:11:30 +0000

On Wed, 02 Feb 2000 01:35:43 GMT, [EMAIL PROTECTED] wrote:

>We can lengthen the codes of RSA but this
>does not alleviate their fundamental
>weakness- which is that it is not possible to
>show how mathematically safe they are. 

  This "weakness" exists for every possible unbroken cipher short of
one-time-pad.  You can only put an upper bound on the amount of work
needed to break the cipher.  Unless you can demonstrate every possible
attack against the cipher, you will never know if a more efficient attack
exists.  As for the OTP, it is only a theory, no one has yet demonstrated
how to construct one, as there is no proof that the pad is actually
random.

  Best Wishes,
    Johnny Bravo


------------------------------

From: "Michael Darling" <[EMAIL PROTECTED]>
Subject: Re: LSFR
Date: Wed, 2 Feb 2000 09:18:54 -0000

Thanks to all who have participated in this thread.  Lots of good ideas and
interesting discussion.  It's amazing how innocent questions can lead onto
discussions about satellites and GPS, and generate Group Theory debates.  We
are looking into several areas now, but especially the carry save adder
approach proposed by Terje Mathisen.

Thanks again to all who participated.
Mike.



------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Wed, 02 Feb 2000 04:29:17 +0000

On Tue, 01 Feb 2000 14:39:34 -0700, Eric Lee Green <[EMAIL PROTECTED]>
wrote:

>Note that we're concerned about "probably prime" numbers. It is quite a bit
>easier to test a number to see whether it is "probably prime" than it is to
>attempt every possible factorization of a number and thus PROVE that it's
>prime. Otherwise PGP never WOULD be able to generate a key.

  This makes no difference.  If the number were not actually prime it
would be a longshot that it could encrypt/decrypt a single message, much
less more than one.  The chances of a 512 bit PGP prime being non-prime
are roughly 10^-80.  The chances of a key containing a non-prime
decrypting three messages would be around 10^-240.  On the other hand, the
chances of a meteor impact roughly the size of the one that wiped out the
dinosaurs occurring before you finish reading this post are around 10^-13.

>Remember, a network of rather modestly-powered personal computers in the
>Netherlands broke 512-bit RSA encryption in a matter of weeks.

  512-bit RSA does not use 512 bit primes.  It uses 2 primes of 256 bits.
And this did nothing more than factor the key, it did not precompute all
the 256 bit primes.

> 512-bit
>encryption, at least, seems well within the reach of pre-computing all
>possible PGP keys. It's estimated that there's approximately 2^86 of them,

  That estimation is way off base, the number of 512 bit keys composed of
two 256 bit primes is 2^495.  There are 2^1005 keys of 1024 bits, composed
of primes of 512 bits.  1024 bits is recommended as the level that would
be high enough to prevent a quantum computer from helping in the
factoring.

  There is another practical limit for storing those 2^495 keys, even
assuming you could compute them.  As mentioned in another message in this
thread, even if you could store a gigabyte of data in each gram of
storage, the resulting weight would collapse into a black hole.  It would
be rather hard to do a table lookup in this case.

  Best Wishes,
    Johnny Bravo

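The distinction drawn above between a "probably prime" number and one proven prime, as an added example that is not part of the original post: a Miller-Rabin probable-prime test with a configurable number of random witness rounds, the worst-case error bound per round, a plain Fermat test that a Carmichael number fools, and a key-generation-style loop that draws random odd candidates until one passes. The bit sizes and sample composites used here are constructed for illustration.

```python
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_strong_probable_prime(n: int, a: int) -> bool:
    """One Miller-Rabin round: True if n is a strong probable prime to base a.

    A False result proves n composite.  A True result only says that base a
    is not a witness; a composite n passes for at most 1/4 of the bases."""
    if n < 3 or n % 2 == 0:
        return n == 2
    d, s = n - 1, 0                      # write n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def is_fermat_probable_prime(n: int, a: int) -> bool:
    """Plain Fermat test: a^(n-1) == 1 (mod n).  Carmichael numbers pass this
    for every base coprime to n, which is why Miller-Rabin is used instead."""
    return pow(a, n - 1, n) == 1


def is_probable_prime(n: int, rounds: int = 40, rng=None) -> bool:
    """Miller-Rabin with `rounds` random bases.  A composite survives all
    rounds with probability at most 4^-rounds (worst case); for random
    candidates of key-generation size the real error rate is far smaller."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    for p in _SMALL_PRIMES:              # cheap trial division first
        if n % p == 0:
            return n == p
    return all(is_strong_probable_prime(n, rng.randrange(2, n - 1))
               for _ in range(rounds))


def worst_case_error_bound(rounds: int) -> float:
    """Upper bound on the chance that a composite passes `rounds` rounds."""
    return 4.0 ** -rounds


def generate_probable_prime(bits: int, rounds: int = 40, rng=None) -> int:
    """Draw random odd candidates of exactly `bits` bits until one passes.
    This is how key generators obtain their primes: proving primality of a
    512-bit candidate by trial factoring would never finish."""
    rng = rng or random.SystemRandom()
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if is_probable_prime(cand, rounds, rng):
            return cand
```

2047 = 23 * 89 passes a single round to base 2 but fails to base 3, which is why several independent bases are used; 252601 = 41 * 61 * 101 is a Carmichael number that the Fermat test accepts and Miller-Rabin rejects.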

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Wed, 02 Feb 2000 09:48:00 GMT

[EMAIL PROTECTED] wrote:
> conferences, periodicals, etc. which makes it
> possible to infer what they were doing in the
> past.

Only if you don't mind making incorrect inferences.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Wed, 02 Feb 2000 09:55:44 GMT

W A Collier wrote:
> All possible keys, eh?  How'd they generate *all* the keys for my 2048
> bit keyspace

While I think the original claim is nonsense, there is at least
theoretically a possibility that whatever combination of RNG and
checking for "bad" keys PGP does, manages to limit the accepted
keys to some large but manageable number.  Someone who cares
should look into that possibility.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Is the following system acceptable for "casual" encryption?
Date: Wed, 02 Feb 2000 10:04:12 GMT

Doug Stell wrote:
> The password is the weak link in the system and simple use of a
> password is VERY weak. What algorithms you use makes little
> difference, because the password is the obvious point of attack.

In particular, it is subject to a "dictionary attack", meaning
that all common words and phrases (including names of individuals
and their license numbers, pets, phone numbers, etc.) are run
through the hash and decipherment tried for one block, with an
easy test for resultant probable plaintext.  The output from the
"winners" can be scanned by a human to determine which is right.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Block chaining
Date: Wed, 02 Feb 2000 10:06:24 GMT

zapzing wrote:
> No, it is a use of bandwidth. Last time
> I checked storage capacities and
> bandwidth were growing by leaps and
> bounds.

Feel free to sell "effective" bandwidth to your customers
at twice the usual rates.  I suspect you won't have many
customers.

------------------------------

From: [EMAIL PROTECTED] (Vernon Schryver)
Subject: Re: Wireless PKI now or later
Date: 1 Feb 2000 10:06:32 -0700

In article <[EMAIL PROTECTED]>,
Lassi Hippeläinen <"lahippel$does-not-eat-canned-food"@ieee.org> wrote:

> ...
>> The consensus among people who know enough technical stuff about the
>> Internet to talk much in IETF circle seems to be that the WAP developers
>> are in fact busy re-inventing wheels, and amazingly badly.

> ...
>My comment was about WAP PKI, not about WAP as a whole. Even the current
>secure protocol (WTLS) is just TLS fine tuned to WAP. WPKI will probably
>be some existing PKI with more detailed definitions to narrow down the
>choices. Too many choices lead to insecure systems, as the IPsec critics
>have pointed out. WAP needs interoperability rather than liberty.

Change the nouns in your paragraph, and you have the justification the
WAP reinvention of the TCP/IP transport wheel and a description of the
wonderful corners on its perimeter.  The technical critiques of the WAP
"tuning" of transport are either damning or funny, depending on how
seriously you take WAP.

Maybe they'll be sane with PKI on mobile phones (never mind whether PKI
itself makes sense), but I doubt it.  The primary error of WAP for
transport and content is the notion that the WAP design goals have never
been seen before.  Only a gaggle of standards committee go-ers with
standard technical and historical knowledge would think a poor keyboard,
tiny screen, and low bandwidth is a novel problem and unrelated to any
design goals of TCP/IP and of the ARPANET before TCP/IP.  Moreover, only
a herd of go-ers would implicitly assume that mobile phones will always
be equivalents of 24x80 CRT's and Model 33 and 35 Teletypes connected by
103 modems to TIP's...no, standard TTY's used ASCII, so a better analogy
would be Flexowriters or the special, non-ASCII TTY's and Selectric
typewriters used as computer consoles.

Their overall problem is one I've seen in more than one standards
committee.  It is the automatic, unassailable assumption that all of the
relevant available knowledge (and of course talent) is represented in a
meeting room containing only people who've never heard of or considered
what they're trying to do before a few minutes of cogitation on the
airplane to the meeting, and most of whom have pointy hair and a screaming
need to prove their importance to the people back at the factory by having
their contributions acknowledged in lots of big documents.


>It will be interesting to see if the WPKI will be successful. Due to the
>marketing power of the wireless operators, WPKI could become the market
>leader of "PKIs for general use". It could even be the long awaited
>enabler of global electronic commerce. (Just daydreaming...)

"Enabler of global electronic commerce"--As if Amazon.com, Barnes&Noble,
and the rest of the on-line retail vendors, and General Motors, the steel
industry, EDS, and the rest of the business to business network
world need to be "enabled."


>But the other parts of WAP... they did invent many round wheels, and
>possibly hexagonal, triangular, and square ones too.

You say that as if it's not even worse than "tuning" a slightly
oblate wheel into one square wheel.


Vernon Schryver    [EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (Vernon Schryver)
Crossposted-To: alt.security.pgp,comp.security.unix
Subject: Re: How to password protect files on distribution CD
Date: 1 Feb 2000 14:36:39 -0700

In article <[EMAIL PROTECTED]>,
Alan J Rosenthal <[EMAIL PROTECTED]> wrote:

>>Modern computers have more than enough unique bits to generate a globally
>>unique signature that can be used instead of a value from a dongle.
>
>But those are typically too volatile.  E.g. replacing your hard disk will
>alter a lot of the obvious "signatures".

If you mean replacing the disk but keeping the same contents, then I
disagree, because getting at the uniqueness of a physical disk is a royal
pain in the WIN32 world if you limit yourself to not writing drivers.  It
is such a pain to use the fundamental uniqueness of the disk (such as
sector relocation tables, as opposed to file modification times, log sizes,
registry values, and so forth) that I doubt it's worthwhile.  Without
UID=0, getting at the disk is (or should be) even harder on UNIX systems.
If you mean re-installing everything on the disk from CDROM, then whether
the system signature changes is a design choice you get to make.  Whether
the signature changes after an operating system update is also a result
of how you choose to compute the signature.


>Heck, you might replace your entire computer.  With the dongle method,
>you just move the dongle to the new computer.  It's a closer match for the
>protection the vendor is trying to implement than is the signature scheme.

If you want something close to that mode, then use the MAC address
of an Ethernet board, and treat the Ethernet board like an old fashioned
dongle.  Yes, that's awkward for the user, but people usually don't
throw the old computer away.
I think most software vendors that are charging real money (i.e. not
shareware pricing) prefer to know when you buy a new computer and many
even prefer to force you to buy a new license.  (I'm reporting not
commending the attitudes of some business and sales people that I've
noticed in my travels on the vendor side.)

>Besides the fact that a vendor can sell you a CD and a dongle and just give
>them to you, whereas in your scheme the user has to compute this signature and
>send something back to the company which then has to send something out.

Don't you often need to communicate with the software vendor to
"activate" the dongle?  As far as I can tell, that's the preferred
or at least most flogged mode in the technical and sales literature
of Rainbow Technologies and some others in the dongle market.


>This is not to say that I approve of dongles, but I don't think the
>licence-manager type schemes are better.  (And I really wish I had heard
>about those "I hate FlexLM" T-shirts in time to buy one.)

There must be a way for the pointy-haired to pay my wages.  There
are too many people like me and too few possible shareware products
for each of us to have a shareware product that will pay well enough
even to maintain our computers.  There is no alternative to somehow
collecting real money for some of my code.

The trick is to charge enough but not too much, and to strongly
encourage people to pay but without angering them or making them
feel cheated.  That's not easy, which is why good salescritters
and marketing people have always been more important to the success
of a start-up than technical people.


>Incidentally, I really object to this use of "globally unique" (not your
>term I know).  If it is unique, it's just unique by chance.  There is no
>actual mechanism which causes the signatures to differ, unless they're
>based on something which really is unique because of some allocation scheme
>(such as a MAC address).  (In which case it's simpler just to use that MAC
>address.)

With a little care and the right design choices, "unique by chance" is no
different in the real world from any other meaning of "globally unique,"
even if you don't add the system's Ethernet MAC address to the hash.
I trust you're not one of those who worries that your PGP key might be
the same as anyone else's in the history of the human race, no matter when
we become extinct.

On the other hand, in the real world, things like MAC addresses that have
actual mechanisms aren't always unique.  All of the UNIX vendors for which
I've had a chance to get such information (more than one) have allocated
the same MAC addresses to more than one system.  That's bad for more than
collecting license fees, since duplicate Ethernet addresses don't work
and duplicate FDDI MAC addresses break the whole ring.  Note that I'm not
talking about the infamous garbage PC Ethernet cards, but hardware built
by UNIX vendors.  Mechanisms fail.


Vernon Schryver    [EMAIL PROTECTED]

------------------------------

Date: Wed, 02 Feb 2000 11:14:24 +0100
From: Serge Vaudenay <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference

Shawn Willden wrote:
> 
> Serge Vaudenay wrote:
> 
> > The proof is quite obvious if you consider attacks as distinguishers. If you
> > take MARS o RC6 o TWOFISH with three independent keys as a cipher, then
> > any distinguisher between this and a truly random permutation can be
> > transformed into a distinguisher between for instance RC6 and a random permutation
> > by simulating MARS and TWOFISH.
> >
> > This way the product cipher is at least as secure as its strongest
> > factor.
> 
> Given independent keys.  What if the same key is used for all three?
> 
> Shawn.


There is no general answer for this. We can say there are counterexamples to
the general case. For instance,

  MARS o MARS^-1 o RC6 o RC6^-1

is at least as secure as MARS and RC6 if the keys are independent in the four
terms, but is trivially weak with the same key in the four terms.

Serge
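Vaudenay's counterexample made concrete, as an added example that is not from the original post: two constructed toy 32-bit Feistel ciphers, A and B, stand in for MARS and RC6 (they are illustrative only, not the real ciphers and not secure), and the four-term cascade A o A^-1 o B o B^-1 is evaluated once with four independent keys and once with the same key in all four terms. With one shared key the cascade is the identity map on every input; with independent keys it is not.

```python
# Toy 32-bit Feistel ciphers standing in for MARS and RC6 (constructed for
# illustration; not secure and not the real ciphers).
ROUNDS = 8
MASK16, MASK32 = 0xFFFF, 0xFFFFFFFF


def _round_keys(key: int):
    """Constructed toy key schedule: one 16-bit subkey per round."""
    return [(((key ^ (0x9E3779B9 * (i + 1))) & MASK32) * 0x2545F491 >> 16) & MASK16
            for i in range(ROUNDS)]


def _f_a(half: int, rk: int) -> int:
    """Round function of toy cipher A."""
    x = (half ^ rk) & MASK16
    x = ((x << 5) | (x >> 11)) & MASK16         # 16-bit rotate left by 5
    return (x * 0x9E37 + 0x7F4A) & MASK16


def _f_b(half: int, rk: int) -> int:
    """Round function of toy cipher B (deliberately different mixing)."""
    x = (half + rk) & MASK16
    x ^= x >> 7
    return ((x * 0x6D2B) ^ 0x5A5A) & MASK16


def feistel_encrypt(block: int, key: int, f) -> int:
    left, right = block >> 16, block & MASK16
    for rk in _round_keys(key):
        left, right = right, left ^ f(right, rk)
    return (right << 16) | left                  # undo the final swap


def feistel_decrypt(block: int, key: int, f) -> int:
    """Same network with the subkeys applied in reverse order."""
    left, right = block >> 16, block & MASK16
    for rk in reversed(_round_keys(key)):
        left, right = right, left ^ f(right, rk)
    return (right << 16) | left


def four_term_cascade(block: int, keys) -> int:
    """Evaluate (A o A^-1 o B o B^-1)(block) with keys = (kA, kA_inv, kB, kB_inv).

    Function composition applies the rightmost factor first, so B^-1 runs first."""
    k_a, k_a_inv, k_b, k_b_inv = keys
    x = feistel_decrypt(block, k_b_inv, _f_b)    # B^-1 under its own key
    x = feistel_encrypt(x, k_b, _f_b)            # B
    x = feistel_decrypt(x, k_a_inv, _f_a)        # A^-1
    return feistel_encrypt(x, k_a, _f_a)         # A


def is_identity_on(fn, samples) -> bool:
    """True if fn(x) == x for every sample, i.e. the cascade just echoes its input."""
    return all(fn(x) == x for x in samples)


SAMPLES = [0x00000000, 0x00000001, 0x12345678, 0xDEADBEEF, 0xFFFFFFFF]   # constructed
INDEPENDENT_KEYS = (0x01234567, 0x89ABCDEF, 0x0F1E2D3C, 0x4B5A6978)      # constructed
SHARED_KEY = 0x01234567


def same_key_is_identity() -> bool:
    k = SHARED_KEY
    return is_identity_on(lambda x: four_term_cascade(x, (k, k, k, k)), SAMPLES)


def independent_keys_is_identity() -> bool:
    return is_identity_on(lambda x: four_term_cascade(x, INDEPENDENT_KEYS), SAMPLES)
```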

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
