Cryptography-Digest Digest #41, Volume #11 Wed, 2 Feb 00 22:13:02 EST
Contents:
Re: How to Annoy the NSA ([EMAIL PROTECTED])
Re: Does the NSA have ALL Possible PGP keys? (Xcott Craver)
Re: How to Annoy the NSA ([EMAIL PROTECTED])
Re: How to Annoy the NSA ("Douglas A. Gwyn")
Re: Does the NSA have ALL Possible PGP keys? ("Douglas A. Gwyn")
Re: Block chaining ("Douglas A. Gwyn")
Pseudo-OTP? (David Ross)
Re: Available Algorithms (Paul Schlyter)
Re: Pseudo-OTP? (Michael Sierchio)
Re: How to Annoy the NSA ([EMAIL PROTECTED])
Published rules of the Game of M (Markku J. Saarelainen)
Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP ("Trevor Jackson, III")
Re: Jaws Technologies' L5 Data Encryption Algorithm? ("Trevor Jackson, III")
Re: How to Annoy the NSA ("Trevor Jackson, III")
Re: Pseudo-OTP? ("Trevor Jackson, III")
Re: Does the NSA have ALL Possible PGP keys? (Arthur Dardia)
Re: How to Annoy the NSA ([EMAIL PROTECTED])
Re: NIST, AES at RSA conference (Bryan Olson)
Re: Reducing swap file use in Windows 98 (Tim Tyler)
Re: How to Annoy the NSA ([EMAIL PROTECTED])
Re: is signing a signature with RSA risky? (Tim Tyler)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: How to Annoy the NSA
Date: Wed, 02 Feb 2000 22:05:39 GMT
In article <[EMAIL PROTECTED]>,
"Robert J. Clark" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> >
> > In article <[EMAIL PROTECTED]ing.com>,
> > Jerry Coffin <[EMAIL PROTECTED]> wrote:
> > > In article <8778es$r8d$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > > says...
> > >
> > > [ ... ]
> > >
>
> You quoted his statement but obviously did not _read_ it. He did not
> say "factoring prime numbers", he said "factoring the *products* of
> large primes" (my emphasis).
>
You wrote "factoring the products" but he
wrote "factoring products" which I mistook
for a noun. Sorry for any confusion.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Xcott Craver)
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: 2 Feb 2000 22:59:41 GMT
Guy Macon <[EMAIL PROTECTED]> wrote:
>
[...]
>
>Thus I can extend the above scheme to represent
>111213212223313233 as 10 in base 111213212223313233.
How would you represent 111213212223313233-1?
-X
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: How to Annoy the NSA
Date: Wed, 02 Feb 2000 23:25:02 GMT
In article <g8hg9scrg07760b69b42mhfv9mv95ctruu@4ax.com>,
Johnny Bravo <[EMAIL PROTECTED]> wrote:
> On Wed, 02 Feb 2000 18:00:00 GMT, [EMAIL PROTECTED] wrote:
>
> >In message #5 of this
> >thread he wrote exactly, "RSA depends for its
> >security on the difficulty of factoring
> >products of large primes". By definition, it is
> >impossible to factor prime numbers!!! (Just to
> >be annoying- helloooo, people, helloooooo??? -
> >wakey, wakey).
>
> Well if you are going to be a stupid dickhead, you might
> as well go all out. Try reading that statement again, with
> comprehension this time.
>
> >"RSA depends for its security on the difficulty of factoring
> >products of large primes".
>
> By definition the product of two primes is not a prime, but
> what in the hell would you know about it. It is obvious you
> don't let facts get in the way of your inane pointless raving.
>
> Johnny Bravo
>
> see msg #16
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Thu, 03 Feb 2000 00:05:40 GMT
Jerry Coffin wrote:
> ...especially given an agency like the NSA that might consider it
> perfectly reasonable to publish something about research _entirely_
> different from where they spend most of their time, JUST to be
> misleading...
It's simpler than that; they simply publish that portion of their
work that doesn't do appreciable damage to the national security
by being generally known. Critical techniques just remain secret
as long as possible.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Thu, 03 Feb 2000 00:10:53 GMT
Eric Lee Green wrote:
> "Douglas A. Gwyn" wrote:
> > While I think the original claim is nonsense, there is at least
> > theoretically a possibility that whatever combination of RNG and
> > checking for "bad" keys PGP does, manages to limit the accepted
> > keys to some large but manageable number. Someone who cares
> > should look into that possibility.
> Even if the number of accepted keys was reduced to some ridiculously small
> number by those tests and the limits of the PRNG, like, say, 2^128, ...
I had in mind the possibility of the actual number of possible keys
being reduced to a much smaller (tractable) number, maybe 2^32.
This isn't entirely impossible -- I once saw a RNG that was seeded
by some 32-bit combination of environmental parameters, then the
rest of the key generation carried out deterministically -- that
is an example of the sort of possible exploitable flaw I had in mind.
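The following is an added illustration of the seeding flaw described above; it is not code from the original post or from PGP. It assumes a hypothetical generator, weak_keygen, whose only entropy is a small environmental seed (SEED_BITS wide; 16 bits here so the search finishes in well under a second, where the generator in the post used 32), after which key derivation is deterministic, and it uses public_fingerprint as a stand-in for the public half of the key pair. Anyone who knows the generator recovers the private key by enumerating seeds and matching the observed public value:

```python
import hashlib
import secrets
from typing import Optional

# Hypothetical parameter: width of the environmental seed. 16 bits keeps the
# demo fast; a 32-bit seed (the case described in the post) costs 2**32
# SHA-256 calls, minutes on one modern core, not a cryptographic barrier.
SEED_BITS = 16


def weak_keygen(seed: int, seed_bits: int = SEED_BITS) -> bytes:
    """Flawed generator (assumed for illustration): the only entropy is `seed`,
    everything afterwards is deterministic, so the 128-bit key is a pure
    function of a seed_bits-bit value and the effective key space is 2**seed_bits."""
    if not 0 <= seed < (1 << seed_bits):
        raise ValueError("seed out of range")
    seed_bytes = seed.to_bytes((seed_bits + 7) // 8, "big")
    return hashlib.sha256(b"weak-keygen-v1:" + seed_bytes).digest()[:16]


def strong_keygen() -> bytes:
    """Correct approach: draw the whole key from the OS entropy source."""
    return secrets.token_bytes(16)


def public_fingerprint(private_key: bytes) -> bytes:
    """Stand-in for the public half of a key pair: one-way in the private key,
    and something an attacker can observe (e.g. fetched from a key server)."""
    return hashlib.sha256(b"public-half:" + private_key).digest()


def recover_private_key(fingerprint: bytes, seed_bits: int = SEED_BITS) -> Optional[bytes]:
    """Attacker: re-run the generator for every possible seed and stop when the
    derived public value matches the observed one. Returns the private key, or
    None if no seed in the space produces it (the key was not made this way)."""
    for seed in range(1 << seed_bits):
        candidate = weak_keygen(seed, seed_bits)
        if public_fingerprint(candidate) == fingerprint:
            return candidate
    return None


if __name__ == "__main__":
    victim = weak_keygen(0x1234)
    print("weak key recovered:", recover_private_key(public_fingerprint(victim)) == victim)
    print("strong key recovered:", recover_private_key(public_fingerprint(strong_keygen())) is not None)
```

The point of the contrast is that the key's nominal length (128 bits) says nothing about its strength: what bounds the attacker's work is the entropy that went into the generator, and a 2^32 seed space is exhaustible with a few hours of commodity hardware.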
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Block chaining
Date: Thu, 03 Feb 2000 00:16:51 GMT
zapzing wrote:
> You are *totally* misrepresenting my position.
> ... I am not talking about *just* doubling
> the length of the message.
> I'm talking about doubling it for a reason,
> and one that I think is a good one.
> If you don't think that what I am proposing
> is worth the doubling in bandwidth, then you
> can of course argue that, but please do not
> misrepresent my position by implying that I
> am proposing that the length of the message
> simply be doubled without any benefits in return.
I didn't misrepresent your position, I just
responded to it.
What I said was that, in my opinion, customers
will not be willing to pay double the standard
communication rates *for any reason*. The
benefits of encryption can be had without
doubling the bandwidth, so why should they pay
twice as much for your scheme than for one of
the usual encryption schemes? Bandwidth *is*
a factor in the viability of an encryption
scheme intended for general use in communications.
------------------------------
From: [EMAIL PROTECTED] (David Ross)
Subject: Pseudo-OTP?
Date: Thu, 03 Feb 2000 00:20:59 GMT
Hello -
I've heard mention on sci.crypt of a "Pseudo-OTP" cipher, but see no
mention of such a thing in the newsgroup's FAQ.
Can someone either define what a Pseudo-OTP cipher is, or possibly
give me a pointer to where I can find out about them?
ciphile.com comes up in a websearch for pseudo & OTP, but the site
is less than totally informative as to how the scheme works...
many thanks
Dave Ross [EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Available Algorithms
Date: 3 Feb 2000 00:17:36 +0100
In article <[EMAIL PROTECTED]>,
Eric Lee Green <[EMAIL PROTECTED]> wrote:
> "G. R. Bricker" wrote:
>> Or construct your own algorithm. Buy a Schaum's Mathematical Formulas book
>> (about $13) and pick through it. No infringement of trademark or patent
>> worries. I bought this in my freshman year and have dog-eared it to death.
>
> Won't work. Lots of mathematical formulae have been patented when used in a
> cryptographic context. Look at Diffie-Hellman key exchange, for example -- all
> that is, is exponentiation and multiplication within a prime field. Pure
> mathematics. Also patented (though the patent has expired, thankfully). How
> can multiplication and exponentiation be patented? Beats me, but it just
> proves that the fact that a formula is in Schaum's is no guarantee that it
> isn't patented when used as part of a cryptographic product.
Is addition patented? If so, where do I have to pay royalties the next
time I balance my checkbook? :-))))))))))))))))
--
================================================================
Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40, S-114 38 Stockholm, SWEDEN
e-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
WWW: http://hotel04.ausys.se/pausch http://welcome.to/pausch
------------------------------
From: Michael Sierchio <[EMAIL PROTECTED]>
Subject: Re: Pseudo-OTP?
Date: Wed, 02 Feb 2000 16:42:42 -0800
David Ross wrote:
> Can someone either define what a Pseudo-OTP cipher is, or possibly
> give me a pointer to where I can find out about them?
Stream ciphers; Block ciphers in OFB mode; MDC; etc.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: How to Annoy the NSA
Date: Thu, 03 Feb 2000 00:43:22 GMT
In article <[EMAIL PROTECTED]ing.com>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> > [EMAIL PROTECTED] wrote:
> > > conferences, periodicals, etc. which makes it
> > > possible to infer what they were doing in the
> > > past.
> >
> > Only if you don't mind making incorrect inferences.
>
> ...especially given an agency like the NSA that might consider it
> perfectly reasonable to publish something about research _entirely_
> different from where they spend most of their time, JUST to be
> misleading...
>
> --
> Later,
> Jerry.
>
> The universe is a figment of its own imagination.
>
Despite NP-Completeness, I read an
introductory article which states "When the
first quantum factoring devices are built the
security of public-key cryptosystems will
vanish. The mathematical solution to the
distribution problem is shattered by the
power of quantum computation". Is this
basically true even if there are modifications
made in RSA, etc.? Would quantum computers
greatly reduce the need for human
cryptanalysts? You can see the article @
www.qubit.org/intros/cryptana.html
-Thanks.
------------------------------
From: Markku J. Saarelainen <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia
Subject: Published rules of the Game of M
Date: Thu, 03 Feb 2000 01:07:29 GMT
http://homestead.virtualjerusalem.com/waeg/gameofm.html
http://homestead.virtualjerusalem.com/waeg/
------------------------------
Date: Wed, 02 Feb 2000 20:49:42 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP
Darren New wrote:
> Trevor Jackson, III wrote:
> > This issue came up a few months ago. If every possible position in the
> > observable universe is a computer that tests a key in the Fermi time and they
> > all run until the breakdown of protons (1e31 years by a stale theory), then you
> > need a key of ~870 bits to prevent it being found.
>
> Cool!
>
> > QC gives you around sqrt() advantage, so doubling the key yields about the same
> > strength.
>
> Ah! I didn't know that bit. Neat. Thanks!
>
> So, like, a 2048-bit key is way overkill. Good. :-)
Well, I wouldn't go that far. 512-bit RSA keys are probably risky today. The
smallest power of two (not that there's that much magic about it) that is clearly
safe today is 1024. So a 1024-bit key in an environment containing effective quantum
computers would be about as safe as a 512-bit key is now. I.e., not safe.
Thus, if you want to use a key today that will be safe if/when effective quantum
computers are available you should use a 2048-bit key. While this is overkill today
it won't be then. It will be the minimum (power of two).
Now 8192 is _way_ overkill. 4096 is overkill, but cheap overkill. ;-)
------------------------------
Date: Wed, 02 Feb 2000 20:52:55 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Jaws Technologies' L5 Data Encryption Algorithm?
Paul Koning wrote:
> John Savard wrote:
> > ... the fact that they've applied for a patent
> > means that eventually they will be able to disclose their algorithm
>
> No; if they have applied for a patent they can disclose the
> algorithm *now*.
They can, but they need not. If the patent application is rejected they
may want to preserve the information.
------------------------------
Date: Wed, 02 Feb 2000 20:59:07 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
[EMAIL PROTECTED] wrote:
> Actually, Doug Gwyn is wrong and why should
> anyone trust his opinion, especially vs.
> Science Magazine. In message #5 of this
> thread he wrote exactly, "RSA depends for its
> security on the difficulty of factoring
> products of large primes". By definition, it is
> impossible to factor prime numbers!!!
You missed the point. It is not factoring prime numbers that is the issue.
It is factoring PRODUCTS of prime numbers that is the issue. When you
factor the product of a pair of prime numbers you are given the product and
recover the multiplier and multiplicand: the primes.
BTW, a recurrent theme is the triviality of factoring known-prime numbers.
Prime P is easy to factor no matter how large. The factors are P and one.
------------------------------
Date: Wed, 02 Feb 2000 21:12:44 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Pseudo-OTP?
David Ross wrote:
> Hello -
>
> I've heard mention on sci.crypt of a "Pseudo-OTP" cipher, but see no
> mention of such a thing in the newsgroup's FAQ.
>
> Can someone either define what a Pseudo-OTP cipher is, or possibly
> give me a pointer to where I can find out about them?
>
> ciphile.com comes up in a websearch for pseudo & OTP, but the site
> is less than totally informative as to how the scheme works...
Pseudo-OTP does not refer to a specific algorithm. It is a derogatory
slang term. In context you take the literal meaning of "pseudo" -- fake
-- and get fake-OTP. A fake OTP is worthless.
The term is often used by (clueless) advocates of weak encryption
software. It is also used by (knowledgeable) critics of weak encryption
software. In practice any stream cipher can, loosely, be considered a
pseudo-OTP.
Vendors such as ciphile ignore two factors that violate the rules of OTP
construction. First, the key can be reused. One Time Pad means *ONE*
time, not multiple times. Second, the key is usually from a deterministic
generator. Such generators can be analyzed and broken. An OTP uses key
material from a source that produces independent key values. I.e.,
knowing all of the preceding key material it is impossible to predict the
next key character (or bit). Deterministic generators violate this rule.
So the bottom line is that a Pseudo-OTP is not any kind of OTP. It is a
marketing gimmick. Like "NEWLY recycled materials" or "genuine imitation
cowhide" -- it really and truly is a fake.
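The two rule violations above, demonstrated as an added example that is not from the original post or from any vendor's product. The "pseudo-OTP" here is an assumed one: plaintext XORed with the output of a 32-bit linear congruential generator (Numerical Recipes constants) that emits its full state, and the same seed is reused for two messages. crib_drag attacks the reuse (the shared pad cancels out of c1 XOR c2, leaving p1 XOR p2, along which a guessed word is slid); decrypt_with_known_prefix attacks the determinism (four bytes of known keystream are the whole generator state, so every later byte is predictable). The sample messages and seed are constructed for the demo:

```python
from typing import List, Tuple

# Assumed keystream generator for the illustration: a 32-bit LCG (Numerical
# Recipes constants) whose full state is emitted as keystream. Any deterministic
# generator that leaks its state behaves the same way under this attack.
A, C, M = 1664525, 1013904223, 1 << 32


def lcg_keystream(seed: int, nbytes: int) -> bytes:
    state = seed % M
    out = bytearray()
    while len(out) < nbytes:
        state = (A * state + C) % M
        out += state.to_bytes(4, "little")
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(seed: int, plaintext: bytes) -> bytes:
    """'Pseudo-OTP': plaintext XOR a deterministic keystream. Using one seed for
    two messages means the same pad is applied twice."""
    return xor(plaintext, lcg_keystream(seed, len(plaintext)))


def extend_keystream(known_prefix: bytes, total: int) -> bytes:
    """Attack on rule 2 (independent key material): four known keystream bytes
    are the generator's entire state, so every later byte follows from them."""
    state = int.from_bytes(known_prefix[:4], "little")
    out = bytearray(known_prefix[:4])
    while len(out) < total:
        state = (A * state + C) % M
        out += state.to_bytes(4, "little")
    return bytes(out[:total])


def decrypt_with_known_prefix(ciphertext: bytes, known_plaintext_prefix: bytes) -> bytes:
    """Recover the keystream prefix from four bytes of known plaintext, extend
    it, and strip it from the whole ciphertext."""
    ks_prefix = xor(ciphertext[:4], known_plaintext_prefix[:4])
    return xor(ciphertext, extend_keystream(ks_prefix, len(ciphertext)))


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> List[Tuple[int, str]]:
    """Attack on rule 1 (ONE time): c1 XOR c2 cancels the shared pad and leaves
    p1 XOR p2. Sliding a guessed word (the crib) along that value reveals the
    other plaintext wherever the guess is right; candidates that are not
    printable text are discarded."""
    diff = xor(c1, c2)
    hits = []
    for i in range(len(diff) - len(crib) + 1):
        candidate = xor(diff[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in candidate):
            hits.append((i, candidate.decode("ascii")))
    return hits


# Constructed sample messages (same length, so the pads line up exactly).
P1 = b"attack at dawn, bring the documents"
P2 = b"meet me at the old mill at midnight"
SEED = 0xDEADBEEF  # reused for both messages: the 'pseudo' in pseudo-OTP


if __name__ == "__main__":
    c1, c2 = encrypt(SEED, P1), encrypt(SEED, P2)
    print(crib_drag(c1, c2, b"at dawn"))           # includes (7, ' at the')
    print(decrypt_with_known_prefix(c1, b"atta"))  # the whole of P1
```

A real OTP survives neither attack only because its pad is never reused and each pad byte is independent of the ones before it; a stream cipher keyed with a fresh random key per message fixes the first problem, but the second is exactly why the keystream generator must be a cryptographic one rather than an LCG.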
------------------------------
From: Arthur Dardia <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Wed, 02 Feb 2000 21:05:04 -0500
Paul Koning wrote:
> Johnny Bravo wrote:
> > ...
> > Or more likely they can't, but they don't need to. Is your home TEMPEST
> > shielded? I seriously doubt it. The government can park a van outside
> > your building and read everything on your screen, every keystroke you
> > make.
>
> Use Soft-Tempest fonts... (I'll have to convert those GIF files to
> TTF files someday...)
>
> paul
Soft-tempest fonts? Never heard of them - enlighten me.
--
Arthur Dardia Wayne Hills High School [EMAIL PROTECTED]
PGP 6.5.1 Public Key http://www.webspan.net/~ahdiii/ahdiii.asc
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: How to Annoy the NSA
Date: Thu, 03 Feb 2000 02:17:51 GMT
In article <[EMAIL PROTECTED]>,
Mark VandeWettering <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> >
> > In article <
>
> Um, if he wrote exactly what you typed, then you
> are the one who needs a wakeup call. Read it again.
> "RSA depends for its security on the difficulty of
> factoring _products_ (emphasis mine) of large primes."
> Read it again. Products of large primes. Hence,
> composite numbers. Beginning to get it?
>
> Mark
> --
> Mark T. VandeWettering Telescope Information (and more)
> Email: <[EMAIL PROTECTED]> http://www.idle.com/~markv/
>
This error was supposedly due to a
grammatical misreading (see msg 16).
Ignoring the difficulty of factoring RSA, aren't
PGP systems vulnerable in other ways?
Couldn't someone modify the publicly
available code to PGP, compile it, and sneak it
into a target system via a network without
having to access any physical machine?
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Date: Thu, 03 Feb 2000 02:29:38 GMT
CLSV wrote:
> Bryan Olson wrote:
> > I was responding to your point about the halting problem,
> > which has nothing to do with polynomial time.
>
> If your algorithm does not halt with a solution in polynomial
> time I assume it doesn't break an encryption algorithm.
> It is probably quite a job to find a reduction between the
> super cryptanalysis algorithm and the halting problem
> (depending on the definition of breaking an algorithm) but
> it seems likely.
If you adopt the polynomial time model, then we can
show that if P=NP then a general solution does exist.
If encryption and recognition of plaintext are polynomial
time, then P=NP implies that finding a key is also
polynomial time.
> Another counter example to the super cryptanalysis algorithm
> could start with: assume the algorithm exists, it can be
> coded with N states and M symbols now create an optimal
> encryption algorithm with 2^(M^2*N^2) states and the same
> number of symbols ...
Not a very promising start. Where does it go from
there?
[...]
> > We seek a system that is practical in use and intractable to
> > break. There are a variety of ways to model the problem,
> > and so far no one has produced a reasonable model in which
> > they can prove computational security exists.
>
> So this doesn't mean it can't exist.
True. Computational security seems to exist, and proof
of it may, though no one has found it.
> But a single algorithm that can break all ciphers
> (in less than polynomial time) does definitely not exist.
If we allow the ciphers to be intractable in use or consider
only cipher-text only attacks against plaintext that can't
be recognized in polynomial time, then you are right. But
those are nonsensical models.
--Bryan
--
email: bolson at certicom dot com
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Reducing swap file use in Windows 98
Reply-To: [EMAIL PROTECTED]
Date: Thu, 3 Feb 2000 02:28:29 GMT
Henny Youngman <[EMAIL PROTECTED]> wrote:
: [...] the swap file, in my opinion, is just one of many security holes in
: Windows 98 and perhaps not the worst.
I presume operating systems /should/ - upon request - allow applications
access to memory that is guaranteed not to be visible to other processes,
or written out to magnetic media without permission.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Pentiums melt in your PC, not in your hand.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: How to Annoy the NSA
Date: Thu, 03 Feb 2000 02:54:23 GMT
In article <[EMAIL PROTECTED]ring.com>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
> In article <879tg8$q95$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> says...
>
> [ ... ]
>
> >
>
> You're still ignoring reality: we already KNOW exactly what effect a
> quantum computer has on the amount of time it takes to factor a number
> of a particular size. We already have the technology to continue using
> RSA, and be protected from an attack using a quantum computer. People
> using 2048-bit keys with RSA are already safe, even though the threat
> is still purely theoretical.
>
New algorithms for quantum computing are
continuously being developed and by the time
quantum computers are working reliably
2048-bit keys may be inadequate. At this
level would it still be possible to use known
primes for the modulus or would unknown
larger primes have to be guessed at? BTW,
Shor's algorithm can be extended to any
algorithm computing an NP function.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: is signing a signature with RSA risky?
Reply-To: [EMAIL PROTECTED]
Date: Thu, 3 Feb 2000 02:38:33 GMT
Anton Stiglic <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> A compressor with an accurate model of the data will not just make it more
:> difficult to detect a correct message from an incorrect one, it can make
:> it *massively* more difficult.
: Not true at all. If a compressor is used, the attacker will probably have
: his hands on it, it won't complicate stuff much for him at all!
: This is what people tend to forget...
No - this is wrong.
If the compressor has a sufficiently accurate model of the target
messages, *all* possible decrypted files will be likely to decompress to
plausible-looking messages.
When I write this people often seem to object that such a compressor
is not known for text messages. However, compression schemes based on
numbering common messages can work pretty well for some applications.
It matters not one iota that the attacker also has access to the
decompressor.
Compression *can* make finding halting criteria harder.
With a good enough compressor a halting criterion - short of testing the
integrity of the message in the real world - becomes well nigh impossible.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Lottery: a tax on people who are bad at maths.
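The argument above, as an added worked example that is not from the original post. It assumes a toy cipher (a 12-bit key, so the search space can be exhausted instantly, with a hash-derived keystream so wrong keys produce random-looking output) and a constructed "compressor based on numbering common messages": the message space is verb/object/place/time with 16 choices each, so every message is exactly two bytes and every two-byte string decompresses to a well-formed message. The brute-force attacker is given the decompressor. Against raw text the printable-ASCII criterion halts on exactly one key; against compressed text the same attacker, decompressor in hand, accepts every key:

```python
import hashlib
from typing import Callable, List

KEY_BITS = 12  # toy key space (assumed): 4096 keys, exhausted in a fraction of a second


def keystream(key: int, nbytes: int) -> bytes:
    """Toy cipher keystream (assumed for illustration): SHA-256 of key||counter,
    so a wrong key's output looks random, as a real cipher's would."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(b"toy-cipher:" + key.to_bytes(2, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt(key: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # XOR is its own inverse

# Constructed message model for the 'numbering common messages' compressor:
# 16 verbs x 16 objects in byte 0, 16 places x 16 times in byte 1.
VERBS = ["send", "hold", "move", "sell", "buy", "ship", "meet", "call",
         "sign", "pay", "deliver", "cancel", "collect", "inspect", "release", "return"]
OBJECTS = ["documents", "samples", "parcels", "funds", "supplies", "passports", "keys", "maps",
           "reports", "tickets", "crates", "letters", "tools", "medicine", "fuel", "plans"]
PLACES = ["harbour", "station", "airport", "warehouse", "office", "bridge", "market", "church",
          "hotel", "depot", "garage", "library", "museum", "factory", "farm", "school"]
TIMES = ["dawn", "noon", "dusk", "midnight", "six", "seven", "eight", "nine",
         "ten", "eleven", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]
assert all(len(table) == 16 for table in (VERBS, OBJECTS, PLACES, TIMES))


def compress(msg: str) -> bytes:
    """Number the message: two bytes, every value of which is a valid message."""
    verb, obj, _, place, _, time = msg.split()
    return bytes([VERBS.index(verb) * 16 + OBJECTS.index(obj),
                  PLACES.index(place) * 16 + TIMES.index(time)])


def decompress(code: bytes) -> str:
    """Total function: any two bytes decompress to a plausible-looking message."""
    v, o = divmod(code[0], 16)
    p, t = divmod(code[1], 16)
    return f"{VERBS[v]} {OBJECTS[o]} at {PLACES[p]} at {TIMES[t]}"


def looks_like_text(candidate: bytes) -> bool:
    """The attacker's halting criterion for raw plaintext: printable ASCII."""
    return len(candidate) > 0 and all(32 <= b < 127 for b in candidate)


def halts_via_decompressor(candidate: bytes) -> bool:
    """Halting criterion when the attacker also holds the decompressor (the point
    above: having it does not help): decompress, then apply the text test."""
    return looks_like_text(decompress(candidate).encode("ascii"))


def brute_force(ciphertext: bytes, halting_criterion: Callable[[bytes], bool]) -> List[int]:
    """Exhaustive key search; returns every key whose trial decryption the
    criterion accepts. One survivor means the search halts with the answer;
    4096 survivors means the criterion gave the attacker nothing."""
    return [k for k in range(1 << KEY_BITS) if halting_criterion(decrypt(k, ciphertext))]


if __name__ == "__main__":
    key, msg = 0xABC, "ship documents at harbour at noon"
    print("raw text, keys accepted:", len(brute_force(encrypt(key, msg.encode()), looks_like_text)))
    print("numbered msg, keys accepted:",
          len(brute_force(encrypt(key, compress(msg)), halts_via_decompressor)))
```

The caveat a practitioner would add is that this only works because the model is exact: the moment the message space is larger than the code space, or real messages carry structure the numbering does not capture (a date, a name, a checksum), some decrypts become implausible again and the criterion comes back. Real text compressors (deflate, bzip2) are far from exact models, which is why compress-then-encrypt is generally not relied on for this effect in practice.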
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************