Cryptography-Digest Digest #40, Volume #11        Wed, 2 Feb 00 17:13:02 EST

Contents:
  Challenge: Who can discover the encryption used here? ("TJ")
  Re: How to password protect files on distribution CD (Alan J Rosenthal)
  Re: Terms need explain (Doug Stell)
  Re: NIST, AES at RSA conference (Bryan Olson)
  Re: Sbox construction idea (Tim Tyler)
  Re: How to Annoy the NSA (Johnny Bravo)
  Re: Q: current CAST status (David Crick)
  Re: Anyone read this book? (Tim Tyler)
  Re: Does the NSA have ALL Possible PGP keys? (John Savard)
  Re: Suitable hash for this application - in the public domain? ([EMAIL PROTECTED])
  Re: How to Annoy the NSA ([EMAIL PROTECTED])
  *** ECC - new strong and fast calc method (Greg)
  Re: How to Annoy the NSA (Greg)
  Re: How to Annoy the NSA (Mark VandeWettering)
  Re: How to Annoy the NSA (Jerry Coffin)

----------------------------------------------------------------------------

From: "TJ" <[EMAIL PROTECTED]>
Subject: Challenge: Who can discover the encryption used here?
Date: Wed, 02 Feb 2000 19:35:49 GMT

I have two text files, taken from a game. Originally, the file was not
encrypted, and in an updated version, it is.

I have a copy of both versions, and my question is this:
Who can discover the encryption method used?

Thanks
TJ



------------------------------

Crossposted-To: alt.security.pgp,comp.security.unix
From: [EMAIL PROTECTED] (Alan J Rosenthal)
Subject: Re: How to password protect files on distribution CD
Date: 2 Feb 2000 18:34:43 GMT

[EMAIL PROTECTED] (Vernon Schryver) writes:
>Alan J Rosenthal <[EMAIL PROTECTED]> wrote:
>>[EMAIL PROTECTED] (Vernon Schryver) writes:
>>>Modern computers have more than enough unique bits to generate a globally
>>>unique signature that can be used instead of a value from a dongle.
>>
>>But those are typically too volatile.  E.g. replacing your hard disk will
>>alter a lot of the obvious "signatures".
>
>If you mean replacing the disk but keeping the same contents, then I
>disagree, because getting at the uniqueness of a physical disk is a royal
>pain in the WIN32 world if you limit yourself to not writing drivers.

Ok, perhaps you should specify what "uniqueness" you have in mind, because it
seems to me it must be something even more volatile than I was thinking, then!

>>Heck, you might replace your entire computer.  With the dongle method,
>>you just move the dongle to the new computer.  It's a closer match for the
>>protection the vendor is trying to implement than is the signature scheme.
>
>If you want something close to that mode, then use the MAC address
>of an Ethernet board, and treat the Ethernet board like an old fashioned
>dongle.

I did mention MAC addresses later in my article, but if you're contemplating
the replacement of the entire computer, well, the ethernet hardware is part of
the computer.  Not necessarily on a separate card at all, and besides you
might want to replace your ethernet card while replacing the rest of your
computer, or the ethernet card might break and you might replace it, ...

Also, as I understand it, the ethernet standard specifies that the
MAC address is part of the computer, not specifically the ethernet hardware
and ideally not; and in fact most non-personal-computers have their MAC
address somewhere else on the motherboard; it doesn't change when you
exchange ethernet cards; it DOES change when you change motherboards and
use the old ethernet card.

>I think most software vendors that are charging real money (i.e. not
>shareware pricing) prefer to know when you buy a new computer and many
>even prefer to force you to buy a new license.  (I'm reporting not
>commending the attitudes of some business and sales people

IMHO they oughtn't be able to do this.  And I also think it's a privacy
violation for them to be able to find out stuff about your computer.
They should sell you N licences, period.  And reselling them shouldn't
legally be able to be prohibited by the company except for specific reasons
(e.g. some software might be available only to doctors/cops/etc).

>>This is not to say that I approve of dongles, but I don't think the
>>licence-manager type schemes are better.  (And I really wish I had heard
>>about those "I hate FlexLM" T-shirts in time to buy one.)
>
>There must be a way for the pointy-haired to pay my wages.

It doesn't have to involve crippling the functioning of the software you
write, when that software is being used by legitimate, paying users.

>There is no alternative to somehow collecting real money for some of my code.

Well, this is simply not true, but it's not really on topic for this
newsgroup.  (Professional programmers existed prior to the commercialization
of software.)

>>Incidentally, I really object to this use of "globally unique" (not your
>>term I know).  If it is unique, it's just unique by chance.  There is no
>>actual mechanism which causes the signatures to differ,
>
>With a little care and the right design choices, "unique by chance" is no
>different in the real world from any other meaning of "globally unique," ...
>I trust you're not one of those who worries that your PGP key might be
>the same as anyone else's in the history of the human race, no matter when
>we become extinct.

The reason that the PGP key collision possibility is not a problem is that
it doesn't matter unless detected by a human.  More fundamentally, suppose
someone just chooses a random whatever-bit number and just happens to guess
your private key?  The answer is that the probability has been calculated and
has been judged to be acceptably low.

But in the typical use of the term "globally-unique ID" in this way, no
probabilities have been calculated and no judgement has been made.  People
just throw in a lot of factors and hope.

You create a genuine globally-unique ID based on procedures and analysis.
Then, as you go on to point out, you might have a flaw in the execution
of these procedures.  But similarly, programs have bugs.  It doesn't mean
that we give up programming; we try to write bug-free programs using careful
methodology.  Similarly, we should try to assign genuinely globally-unique
IDs, when necessary, based on procedures and the careful execution of them.
Rather than just throwing in a lot of random factors and hoping, which is more
like the current industry-standard many-bugs-producing programming techniques.

>On the other hand, in the real world, things like MAC addresses that have
>actual mechanisms aren't always unique.  ...

I'm not saying you ignore these factors.  I'm saying you start with solid
theory, then you modify as needed for practical reasons, and then you end up
with a scheme which works in theory AND in practice.  Otherwise you typically
end up with a system which works in neither.
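The "calculate the probability, then judge it" step Alan contrasts with "throw in a lot of factors and hope" is a birthday-bound computation. The following is an added example (my own code, not from any poster in this digest): given n identifiers drawn uniformly from a b-bit space, it returns the probability that two coincide, and the number of identifiers that can be issued before that probability crosses a chosen threshold. An identifier built from machine attributes has far less than b bits of entropy, so its collision odds are higher than these numbers suggest; the function only covers the genuinely random case.

```python
import math


def birthday_collision_probability(n: int, bits: int) -> float:
    """Probability that at least two of n independent, uniformly random
    `bits`-bit identifiers coincide.  Uses the exact product
    prod_{i=1}^{n-1} (1 - i/2^bits) for small n and the standard
    exp(-n(n-1)/2^(bits+1)) approximation for large n."""
    space = 2 ** bits
    if n <= 1:
        return 0.0
    if n > space:
        return 1.0                     # pigeonhole: a collision is certain
    if n <= 100_000:
        # log1p/expm1 keep precision when the probability is tiny
        log_no_collision = sum(math.log1p(-i / space) for i in range(1, n))
        return -math.expm1(log_no_collision)
    return -math.expm1(-n * (n - 1) / (2 * space))


def ids_for_probability(bits: int, target: float) -> int:
    """Largest number of identifiers that keeps the collision probability
    below `target`, from n ~ sqrt(2 * 2^bits * ln(1/(1-target)))."""
    return int(math.sqrt(2 * 2 ** bits * -math.log1p(-target)))


if __name__ == "__main__":
    # Constructed scenario: 2^32 random 128-bit identifiers
    print(birthday_collision_probability(2 ** 32, 128))   # about 2^-65
    print(ids_for_probability(128, 2 ** -40))             # about 2^44.5
```

The point of the second function is that the "acceptably low" judgement has to be stated as a number (here 2^-40) before the space size can be called adequate.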

------------------------------

From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: Terms need explain
Date: Wed, 02 Feb 2000 19:22:29 GMT

On Wed, 02 Feb 2000 20:48:53 +0800, Angus Lee <[EMAIL PROTECTED]>
wrote:

>Hi,
>
>--- Start quoting
>DS(KS) stands for the Digital Signature of Key Server
>K(KS)-certificate stands for key-exchange certificate for the Key Server
>S(KS)-certificate stands for signature certificate for the Key Server
>--- End quoting
>
>What're the meanings of:
>1. digital signature;
>2. key-exchange certificate; and

In X.509, this would be a certificate with the keyUsage extension
asserting either keyEncipherment and/or keyAgreement.

keyEncipherment would be appropriate with an RSA key bound into the
certificate. keyAgreement would be appropriate with a D-H or KEA key
bound into the certificate.

>3. signature certificate

In X.509, this would be a certificate with the keyUsage extension
asserting either digitalSignature, nonRepudiation, keyCertSign or
cRLSign.

doug
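To make Doug's keyUsage mapping concrete, here is an added example (my own code, not from this digest or from any X.509 library): it decodes the DER BIT STRING that carries the keyUsage extension and classifies the certificate as a key-exchange certificate, a signature certificate, or both, using exactly the bit sets he names. Bit numbering follows X.509 (digitalSignature is bit 0, the most significant bit of the first content octet); the sample byte strings are constructed. The decoder also rejects non-canonical encodings, since a certificate parser that tolerates them can be made to see a different bit pattern than a stricter one.

```python
# Bit positions of the X.509 keyUsage BIT STRING (bit 0 = MSB of first octet)
KEY_USAGE_BITS = [
    "digitalSignature",   # 0
    "nonRepudiation",     # 1
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
]

KEY_EXCHANGE = {"keyEncipherment", "keyAgreement"}
SIGNATURE = {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"}


def decode_key_usage(der: bytes) -> set:
    """Parse a DER-encoded BIT STRING (tag 0x03) and return the set of
    asserted keyUsage names.  Raises ValueError on malformed input or on
    encodings that are BER but not DER."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    # keyUsage never needs more than 2 content octets, so only the
    # short length form is accepted
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    if body:
        # DER: padding bits must be zero and trailing zero octets removed
        if body[-1] & ((1 << unused) - 1):
            raise ValueError("non-zero padding bits (not DER)")
        if body[-1] == 0:
            raise ValueError("trailing zero octet (not DER)")
    nbits = len(body) * 8 - unused
    asserted = set()
    for i in range(nbits):
        if body[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("unknown keyUsage bit %d" % i)
            asserted.add(KEY_USAGE_BITS[i])
    return asserted


def classify(der: bytes) -> set:
    """Which of {'key-exchange', 'signature'} the certificate qualifies as,
    per the keyUsage bits Doug lists; one certificate may be both."""
    usage = decode_key_usage(der)
    kinds = set()
    if usage & KEY_EXCHANGE:
        kinds.add("key-exchange")
    if usage & SIGNATURE:
        kinds.add("signature")
    return kinds


def is_der_key_usage(der: bytes) -> bool:
    """True iff `der` is a well-formed DER keyUsage value."""
    try:
        decode_key_usage(der)
        return True
    except ValueError:
        return False


# Constructed sample encodings (tag, length, unused-bit count, bits)
RSA_SERVER = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
CA_CERT    = bytes.fromhex("03020106")  # keyCertSign + cRLSign
DH_AGREE   = bytes.fromhex("03020308")  # keyAgreement only
SIG_ONLY   = bytes.fromhex("03020780")  # digitalSignature only
```

A typical RSA TLS server certificate (RSA_SERVER above) is therefore both a key-exchange and a signature certificate in Doug's terms, whereas a D-H key can only ever land in the key-exchange class.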


------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Date: Wed, 02 Feb 2000 19:43:57 GMT

Serge Vaudenay <[EMAIL PROTECTED]> wrote:
> David Wagner wrote:
> >
> > In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
> > > But it is also correct that multiple ciphering is provably strong*er*
> > > in the sense of not allowing known-plaintext and defined-plaintext
> > > attacks on individual ciphers.
> >
> > Well, personally I find that to be an extremely surprising claim.
> > Care to share the formal proof?  It would be the first time I know
> > of where one could actually _prove_ that *anything* strictly increases
> > security.
>
> The proof is quite obvious if you consider attacks as distinguishers.  If
> you take MARS o RC6 o TWOFISH with three independent keys as a cipher,
> then any distinguisher between this and a truly random permutation can be
> transformed into a distinguisher between for instance RC6 and a random
> permutation by simulating MARS and TWOFISH.
>
> This way the product cipher is at least as secure as its
> strongest factor.  (Qualitative result)

The question was not whether anyone could prove "at
least as strong".  It was "strong*er*" or "strictly
increases security".

--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.
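The distinguisher reduction Serge sketches, written out as an added illustration (my own notation, not from any poster in this digest), shows where the "at least as" comes from and why nothing in it becomes "strictly stronger":

```latex
\text{Let } E = E_3 \circ E_2 \circ E_1 \text{ (MARS, RC6, Twofish) with independent keys } K_1, K_2, K_3,
\text{ and let } \pi \text{ be a uniformly random permutation of the block space.}

\text{For an oracle algorithm } D \text{ making } q \text{ queries, define}
\qquad \mathrm{Adv}_E(D) = \bigl|\Pr[D^{E} = 1] - \Pr[D^{\pi} = 1]\bigr| .

\text{Construct } D' \text{ with oracle } O: \text{ draw } K_1, K_3 \text{ at random, run } D,
\text{ and answer each query } x \text{ with } E_3\bigl(O(E_1(x))\bigr)
\text{ (an inverse query } y \text{ with } E_1^{-1}(O^{-1}(E_3^{-1}(y)))\text{)}.

\text{If } O = E_2: \qquad E_3 \circ O \circ E_1 = E \text{ exactly.}
\text{If } O = \pi: \qquad E_3 \circ \pi \circ E_1 \text{ is again uniform, because } E_1, E_3 \text{ are fixed bijections.}

\Longrightarrow \quad \mathrm{Adv}_{E_2}(D') = \mathrm{Adv}_E(D), \text{ with the same } q \text{ queries and only the cost of simulating } E_1, E_3 \text{ added.}

\text{The same construction works for } E_1 \text{ and } E_3, \text{ so for every } D
\qquad \mathrm{Adv}_E(D) = \mathrm{Adv}_{E_i}(D'_i) \le \mathrm{InSec}_{E_i}(q, t + t_{\mathrm{sim}}) \quad (i = 1, 2, 3),

\text{hence} \qquad \mathrm{InSec}_E(q, t) \le \min_i \mathrm{InSec}_{E_i}(q, t + t_{\mathrm{sim}}) .
```

Each step is an equality or a "no worse than"; the bound collapses to equality when, for example, two of the factors are the identity under their keys, so the argument cannot by itself deliver the strict inequality Bryan is asking about.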

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Sbox construction idea
Reply-To: [EMAIL PROTECTED]
Date: Wed, 2 Feb 2000 19:48:07 GMT

Mike Rosing <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> The smallest s-boxes I've seen used are 4x4 ones.  It appears to me that
:> even smaller (i.e. 3x3) non-linear s-boxes could be profitably employed as
:> "atomic building blocks" of larger s-boxes.

: But nibbles and bytes are pretty easy to work with, and rom is so cheap
: now that larger s-boxes are possible even in an FPGA.  It's probably not
: an interesting practical problem [...]

I'm a practical creature.

It's not that larger s-boxes are impractical in hardware, it's that
they're big, and consequently take up lots of space and are slow.
A larger number of small s-boxes means time for more iterations - which is
good.  It's not easy to quantify the feeling at this stage, but the
increased number of iterations seems to compensate rather well for the
necessary reduction of non-linearity in the s-boxes.

:> It's possible that making them smaller beyond a certain point loses its
:> attractiveness in terms of faster operation and more iterations - but I
:> doubt it.

: The smallest is 1 bit.  You don't have to think square, you can have n
: bits in and 2n bits out.

Well, I can't - because I've discarded the Feistel network as an
irrelevance, and am using s-boxes as components that are themselves
reversible.  This apparently means that the number of output bits /must/
equal the number of input bits.

3x3 is the smallest possible non-linear reversible s-box.

2x2 reversible s-boxes are possible - but they're all linear.

: Bus width is the speed determinant [...]

I'm in programmable logic.  There is no "bus" to speak of.  I'm holding
the information in the s-box LUTs locally - so there's no bus to move the
information over.  Because the tables are "in with the processing", their
size is rather significant.

Finally, a public thanks to those who sent me papers and references in
this area by email.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

He who laughs last thinks slowest.
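Tim's two claims about the smallest reversible s-boxes can be checked exhaustively. The following is an added example (my own code, not Tim's): it enumerates every bijective n-bit s-box and tests whether it is affine over GF(2), i.e. linear up to a constant XOR, which is the sense in which "linear" matters for a cipher component. For n = 2 all 24 bijections turn out affine; for n = 3 only 1344 of the 40320 are, and the function also returns the first non-affine one it meets.

```python
from itertools import permutations


def is_affine(sbox, n):
    """True iff sbox (a sequence of 2**n outputs indexed by input) is an
    affine map on GF(2)^n, i.e. g(x) = sbox[x] XOR sbox[0] is GF(2)-linear.
    A linear map is determined by the images of the n unit vectors, so the
    check is: predict g(x) as the XOR of the images of the bits set in x
    and compare with the table."""
    c = sbox[0]
    basis_images = [sbox[1 << j] ^ c for j in range(n)]
    for x in range(1 << n):
        pred = c
        for j in range(n):
            if x >> j & 1:
                pred ^= basis_images[j]
        if pred != sbox[x]:
            return False
    return True


def count_affine(n):
    """Return (number of affine bijections, number of all bijections)
    of n-bit to n-bit s-boxes."""
    total = affine = 0
    for perm in permutations(range(1 << n)):
        total += 1
        if is_affine(perm, n):
            affine += 1
    return affine, total


def first_nonlinear(n):
    """First non-affine bijective n-bit s-box in lexicographic order,
    or None if every bijection is affine (as for n = 1 and n = 2)."""
    for perm in permutations(range(1 << n)):
        if not is_affine(perm, n):
            return list(perm)
    return None


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, count_affine(n), first_nonlinear(n))
```

The counts match the sizes of the affine groups AGL(n, 2) = 2^n * |GL(n, 2)|: 2 of 2 for n = 1, 24 of 24 for n = 2, and 1344 of 40320 for n = 3. The first 3-bit example found is the identity with its last two entries swapped, which is non-affine because g(6) = 7 while g(2) XOR g(4) = 6.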

------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Wed, 02 Feb 2000 15:00:09 +0000

On Wed, 02 Feb 2000 18:00:00 GMT, [EMAIL PROTECTED] wrote:

>In message #5 of this
>thread he wrote exactly, "RSA depends for its
>security on the difficulty of factoring
>products of large primes". By definition, it is
>impossible to factor prime numbers!!! (Just to
>be annoying- helloooo, people, helloooooo??? -
>wakey, wakey).

  Well if you are going to be a stupid dickhead, you might 
as well go all out.  Try reading that statement again, with
comprehension this time.

>"RSA depends for its security on the difficulty of factoring
>products of large primes".

  By definition the product of two primes is not a prime, but
what in the hell would you know about it.  It is obvious you
don't let facts get in the way of your inane pointless raving.

  Johnny Bravo


------------------------------

From: David Crick <[EMAIL PROTECTED]>
Subject: Re: Q: current CAST status
Date: Wed, 02 Feb 2000 20:06:09 +0000

Hideo Shimizu wrote:
> 
> Bruce Schneier wrote in Applied Cryptography (p.335),
> 'The Canadian government is evaluating CAST as a new encryption
> standard.' This statement is 1996's status. So, my question is
> what is the current status of CAST cipher? Has CAST already
> become a standard of Canada? If so, please tell me the URL of the
> Canadian encryption standard site.

The CAST-256 AES submission document has this to say on CAST5
(the cipher you are referring to):

"05 June 1998

 I am very pleased to advise you that CSE has completed its
 evaluation of the CAST5 algorithm (80 and 128 bit versions).
 We have determined that CAST5 is suitable for the protection
 of all levels of Designated information within the GOC. A
 formal statement of this approval will be promulgated to
 Government of Canada departments and agencies in the very
 near future. On behalf of the Communications Security
 Establishment please accept my congratulations.

 David McKerrow
 Communications Security Establishment
 Director General Information Technology Security"

Full text is at  http://www.entrust.com/resources/pdf/cast-256.pdf
(page 17).

-- 
+-------------------------------------------------------------------+
| David Crick  [EMAIL PROTECTED]  http://members.tripod.com/vidcad/ |
| Damon Hill WC96 Tribute: http://www.geocities.com/MotorCity/4236/ |
| M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
| ICQ#: 46605825  PGP: RSA 0x22D5C7A9  DH-DSS 0xBE63D7C7 0x87C46DE1 |
+-------------------------------------------------------------------+

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Anyone read this book?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 2 Feb 2000 19:55:31 GMT

Paris Guffey <[EMAIL PROTECTED]> wrote:

: I saw this book at Borders and only had time to briefly flip through
: it.  Has anyone read it, or could anyone recommend it to me?

I've read those bits of it I thought I'd find interesting.  There are
hefty sections about such things as signal systems and steganography
that are of peripheral relevance to codemakers and codebreakers.

: I know it covers different crypto systems, but does it do a good job about
: cryptanalysis?

I believe there are nine pages devoted to the subject.  It gets about as
far as solving a polyalphabetic cypher, IIRC.  There are a few other
pages about codebreaking - but not really much that is substantial.

: It looks like it would be a handy reference to have.

I'm not sure about that.  It's pretty cheap for > 700 pages, anyway.  If
you don't like it, you can use it as a stop for the end of your shelf.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

There are *NO* absolutes - and I can prove it.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Wed, 02 Feb 2000 13:10:05 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote, in part:

>While I enjoy the good flame-fest as much as the next guy, clean your
>sights next time?

Not really trying to flame: *had* Mr. Tyler been the one to say this
about Charles Booher, however, I thought it would be an opportunity to
reach him - to give him understanding.

John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Suitable hash for this application - in the public domain?
Date: 2 Feb 2000 20:36:27 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Albert Yang) wrote:

> We are contemplating the use of "Tiger" in replacement for MD5.
> http://www.cs.technion.ac.il/~biham/
> It seems a lot more secure than MD5, and also, a longer hash value as
> well.  Eli is a very good cryptographer, one of the best in the world,
> and so I trust Tiger.

HAVAL has been around since 1982 and is still unbroken as far as I know. 
However, Bart Preneel and other hash experts seem to have ignored it - 
after all Australia is a long way away....

Keith
 http://www.cix.co.uk/~klockstone
 ------------------------
 'Unwise a grave for Arthur'
 -- The Black Book of Carmarthen

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: How to Annoy the NSA
Date: Wed, 02 Feb 2000 20:47:14 GMT

In article <8784gp$gjp$[EMAIL PROTECTED]>,
  Greg <[EMAIL PROTECTED]> wrote:
>
> > To annoy the NSA...
>
> Why would you want to do that for?
>

Hey guys, please don't annoy us by, like,
putting flaming dog poo on our doorstep and
TP-ing our headquarters. Our job is hard
enough already- we failed to predict India and
Pakistan's nuclear tests; it's hard
eavesdropping with so much proliferation of
IT; and our main computer was just down for 3
days making us essentially blind. While you're
at it, don't get the notion of shooting
electromagnetic pulses into our windows to
down our electronics. This would be the most
annoying thing you could do even though our
critical systems are protected from such an
attack.



------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: *** ECC - new strong and fast calc method
Date: Wed, 02 Feb 2000 21:13:26 GMT



Here is another stab at trying to make things run faster for ECC.
Assuming that none or only portions may already be covered by
existing patents, the remainder is immediately submitted to the
public domain for free use by all.

Patents that MAY have some overlap include 5,987,131.

Given a curve over a field of say 163 bits, I have found
that average performance in calculating a point multiplication
can be reduced to 1/3 the time if all points resulting from
each power of 2 are precomputed and the ones matching the powers
of two in the private key are then added together.  This is the
part that most likely conflicts with 5,987,131.

For example:

    Q[0]   = 2^0 * P
    Q[1]   = 2^1 * P
      ...
    Q[n-1] = 2^(n-1) * P

Given private key k, the public key R is calculated by:

R = SUM(i=0 to n-1)[ k[i] * Q[i] ]

where k[i] is either 1 or 0, depending on bit i in k.


Additionally, if the key space is limited to 80 bits (in this
case), the number of point additions on average is cut in half.
That is, the average time it takes to calculate the resulting
point is 1/6 of the average using standard calculations using
a full key space.  I argue that security is not weakened for
the following reasons:

Some have argued that 80 bits is enough to prevent a brute force
key search attack.  This is accepted as obvious.

Some have argued that limiting the private key to 80 bits is enough
to make the Pollard Lambda (aka Pollard Kangaroo) attack feasible,
since the attack can be limited by boundaries in the key space.

However, if the bits that are used to define the key are 80 in
number, it does not matter where they are located.  The total
time to calculate remains roughly the same.  Therefore, they
can span the entire 163 bits in any random fashion.

The randomness of the key bits' locations should effectively
make the Pollard Lambda attack useless against this key
space limitation, while providing additional efficiencies
in calculating the public key.  Using technology
from 5,987,131, this can be expanded to include increased
performances for calculating the shared secret.

The aspect I feel is being added to 5,987,131's technology is
the randomly located, limited number of bits of the key space
should increase performance while maintaining strong security.


Your comments are welcomed.

- Greg Ofiesh




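The precomputation Greg describes, as an added example (my own code, not Greg's and not an implementation of the patent he cites): the table Q[i] = 2^i * P is built once by repeated doubling, and k*P is then the sum of the Q[i] whose bit k[i] is set, so the number of point additions equals the Hamming weight of k, which is what the "cut in half" figure for an 80-of-163-bit key refers to. The curve y^2 = x^3 + 7 over F_17 and the point (1, 5) on it are constructed toys, chosen so every intermediate value can be checked by hand; nothing here says anything about the security of restricting the key's weight.

```python
# Toy curve y^2 = x^3 + A*x + B over F_p (constructed; not a 163-bit curve)
p, A, B = 17, 0, 7
INF = None                       # the point at infinity


def on_curve(P):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x * x * x + A * x + B)) % p == 0


def add(P, Q):
    """Affine-coordinate group law, handling the identity and P + (-P)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF               # Q = -P, including doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def precompute(P, n):
    """Q[i] = 2^i * P for i = 0 .. n-1, each entry one doubling of the last."""
    table = [P]
    for _ in range(1, n):
        table.append(add(table[-1], table[-1]))
    return table


def mul_from_table(table, k):
    """k*P as the sum of Q[i] over the set bits of k.
    Returns (point, number of point additions performed)."""
    R, adds = INF, 0
    for i in range(len(table)):
        if k >> i & 1:
            R = add(R, table[i])
            adds += 1
    return R, adds


def double_and_add(P, k):
    """Reference left-to-right scalar multiplication, for comparison."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


G = (1, 5)                       # constructed base point; 2G = (2, 10)
assert on_curve(G)

if __name__ == "__main__":
    table = precompute(G, 6)
    k = 0b101011
    print(mul_from_table(table, k), double_and_add(G, k))
```

With a 6-entry table every k below 64 is reachable, and the second value returned by mul_from_table is exactly bin(k).count("1"), the cost Greg is trading against in his 1/2 and 1/6 estimates.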
------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Wed, 02 Feb 2000 21:17:46 GMT

In article <87a54g$h9$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <8784gp$gjp$[EMAIL PROTECTED]>,
>   Greg <[EMAIL PROTECTED]> wrote:
> >
> > > To annoy the NSA...
> >
> > Why would you want to do that for?
> >
>
> Hey guys, please don't annoy us by, like,
> putting flaming dog poo on our doorstep and
> TP-ing our headquarters. Our job is hard
> enough already- we failed to predict India and
> Pakistan's nuclear tests; it's hard
> eavesdropping with so much proliferation of
> IT; and our main computer was just down for 3
> days making us essentially blind. While you're
> at it, don't get the notion of shooting
> electromagnetic pulses into our windows to
> down our electronics. This would be the most
> annoying thing you could do even though our
> critical systems are protected from such an
> attack.

But, again, why would we want to do that for?


--
There is only one gun law on the books- the second amendment.
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.



------------------------------

From: Mark VandeWettering <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Wed, 02 Feb 2000 13:29:01 -0800

[EMAIL PROTECTED] wrote:
> 
> In article <[EMAIL PROTECTED]ing.com>,
>   Jerry Coffin <[EMAIL PROTECTED]> wrote:
> > In article <8778es$r8d$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > says...
> >
> > [ ... ]
> >
> > > You are wrong again. According to Science
> > > Magazine (vol. 275, page 1570, March 14,
> > > 1997) "hard" problems, or NP-Complete
> > > problems "underlie nearly all cryptography and
> > > computer security codes".
> >
> > You're getting things backwards: when Science Magazine publishes an
> > article that contradicts Doug Gwyn (among others) about cryptography,
> > it isn't _quite_ proof that the article you've read is wrong, but
> > there's a LOT better chance that the article is wrong (or
> > oversimplifying) than that he is.
> >
> 
> Actually, Doug Gwyn is wrong and why should
> anyone trust his opinion, especially vs.
> Science Magazine. In message #5 of this
> thread he wrote exactly, "RSA depends for its
> security on the difficulty of factoring
> products of large primes". By definition, it is
> impossible to factor prime numbers!!! (Just to
> be annoying- helloooo, people, helloooooo??? -
> wakey, wakey).

Um, if he wrote exactly what you typed, then you 
are the one who needs a wakeup call.  Read it again.
"RSA depends for its security on the difficulty of 
factoring _products_ (emphasis mine) of large primes."
Read it again.  Products of large primes.  Hence, 
composite numbers.  Beginning to get it?  

Mark
-- 
Mark T. VandeWettering                  Telescope Information (and more) 
Email: <[EMAIL PROTECTED]>                http://www.idle.com/~markv/

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Wed, 2 Feb 2000 14:56:13 -0700

In article <879tg8$q95$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> The safety of RSA appears to depend on the
> difficulty of factoring large numbers. This
> factoring is considered very likely to be a
> hard problem although it is not yet proven to
> be so. It is also not proven that the safety
> depends solely on the factoring. The main
> point of Peter Shor's famous algorithm is that
> it demonstrates that a quantum computer
> could factor large numbers efficiently (i.e.
> within polynomial time).  For anyone who's
> interested, a good intro to codes and their
> vulnerability is Simon Singh's "The Code Book".

You're still ignoring reality: we already KNOW exactly what effect a 
quantum computer has on the amount of time it takes to factor a number 
of a particular size.  We already have the technology to continue using 
RSA, and be protected from an attack using a quantum computer.  People 
using 2048-bit keys with RSA are already safe, even though the threat 
is still purely theoretical.
 
> Here's a quote from PC Magazine,

I'm pretty sure I've got an old PC Magazine that has more about 
factoring than that.  You should probably use it to educate some of 
the people here -- after all, I'm sure Bob Silverman can't possibly 
know as much about factoring as, say, John Dvorak.

When PC Magazine writes about encryption there's a pretty fair chance 
that they learned enough to write the article by reading third hand 
reports of people (such as Doug Gwyn or Bob Silverman) who are regular 
participants here.  When the two disagree, chances are that it's 
because the PC Mag author has misunderstood what they wrote, or else 
is trying to simplify it for a comparatively non-technical audience.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
