Cryptography-Digest Digest #79, Volume #11        Wed, 9 Feb 00 12:13:01 EST

Contents:
  Re: Strip Security ("Veli-Pekka Nousiainen")
  Re: Continually Secure Password/Pin (Volker Hetzer)
  Re: Question about DSA signature (Safuat Hamdy)
  Re: New standart for encryption software ([EMAIL PROTECTED])
  Re: Anti-crack (Troed)
  Re: new standart for encryption software ("finecrypt")
  RE: Continually Secure Password/Pin (Gary)
  Re: New standart for encryption software ("finecrypt")
  Re: Student security columnist wanted for ACM Crossroads (John Myre)
  Re: question about PKI... (David P Jablon)
  Re: How secure is this method - What about this? (Erik)
  Re: Key Generation program for Windows? (Bo Dömstedt)
  Anybody know about this flaw? (No Brainer)
  Re: question about PKI... (David P Jablon)
  Re: Latin Squares (was Re: Reversibly combining two bytes?) (wtshaw)
  Re: permission to do crypto research (wtshaw)
  Re: How is twofish different from blowfish ? (John Savard)
  Re: I'm returning the Dr Dobbs CDROM (wtshaw)

----------------------------------------------------------------------------

From: "Veli-Pekka Nousiainen" <[EMAIL PROTECTED]>
Crossposted-To: comp.sys.palmtops.pilot,alt.comp.sys.palmtops.pilot,comp.sys.handhelds
Subject: Re: Strip Security
Date: Wed, 9 Feb 2000 13:00:06 +0200
Reply-To: "Veli-Pekka Nousiainen" <[EMAIL PROTECTED]>

Hi !

Whenever I start cracking my own forgotten password(s)
(which usually leads to a lock-up after 3 tries and I have
to personally visit the bank after that occasion) and I don't
remember the length anymore, I start with the minimum
length and then, if there is no protection for brute-force
I go up in the amount of digits required. So would a bandit.
It is nice to have a 12-digit field with a minimum 4-digit
password, but it doesn't help much if it is not used up to the
max. A program that would generate the required digits
from a phrase that the user gives when setting up and
of course while giving the password would help the user to
remember a "12-digit" password. I fully understand that
the possible combinations from such a program would most
certainly be less than all possible combinations and that's
why I would like to see even longer passwords used.

Opinions?
--
=========================================================
Veli-Pekka Nousiainen ; e-mail: [EMAIL PROTECTED]
Sokinsuontie 3 A 1, FIN-02760 Espoo, Finland
TEL, WORK1: +358 (9) 859 2025 (WORK2: +358 (3) 4728 300)
Future Computing Solutions Oy URL: http://www.eiffel.fi/
=========================================================
Please DO send unsolicited Eiffel- and Matisse-ads.

Steven G. Tyler <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
#> karl malbrain wrote:
#>
#> > Brian Keener <[EMAIL PROTECTED]> wrote...
#>
#> > > If max password size is 12 characters, then you've got more possible
#> > > combinations. However, you might only have a password that's 4 characters
#> > > long, out of a possible maximum of 12.  But, anyone trying to guess your
#> > > password won't know if you used all twelve digits or not.
#> >
#> > No. If you mean the PIN is now 12 digits long instead of 4, and all PINS are
#> > issued, anyone trying to guess your PIN would have to try to guess out of
#> > 10^12 possibilities, leading ZEROES not-with-standing.  Karl M
#>
#> Actually, Brian correctly stated the meaning of my comment.
#>
#> I believe this discussion started with a question about the security
#> level of Strip, a Palm app that stores encrypted information. Though the
#> question itself was whether you could extract the password from the app
#> itself, the current discussion is about how difficult it would be to
#> find the password by brute force, by sequentially selecting all possible
#> combinations until you get a "hit."
#>
#> Strip requires you to select a password, but does *not* require any
#> particular password length, nor does it auto-assign a password of fixed
#> length. Therefore, even though a would-be cracker might actually be
#> facing a password of only 4 digits, s/he has to assume it may be longer,
#> up to the maximum permitted. Therefore, the 'security' of a 4-digit
#> password thus must take into account the possibility of a longer
#> password.
#> --
#>
#> Steve on Cattail Creek (Steven G. Tyler, Esq.) <[EMAIL PROTECTED]>
#>
#> The Computer Counselor -- Technology Consulting for the Law Office
#>
#> Webmaster, Troop 339, BAC, BSA (http://members.aol.com/troop339)



------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Continually Secure Password/Pin
Date: Wed, 09 Feb 2000 11:25:53 +0000

[EMAIL PROTECTED] wrote:
> 
> When creating and using a user/password account on the web why isn't
> the following method used:
[Nice description of hash based method deleted]
There is a system called S/Key that uses a similar method.
Your system is certainly practical.
The problem is that the server needs to know that the millionth hash and
the username are genuine. Otherwise I could send a server a hash and your
name too.
Consequently S/Key worked by using a secure channel (usually outside any
electronic network) for the initial password.
For credit card stuff and bank account management via telephone it
would certainly work.

Greetings!
Volker
-- 
Hi! I'm a signature virus! Copy me into your signature file to help me spread!

------------------------------

From: Safuat Hamdy <[EMAIL PROTECTED]>
Subject: Re: Question about DSA signature
Date: 09 Feb 2000 13:44:56 +0100

[EMAIL PROTECTED] (Scott Contini) writes:

> To forge  M' , simply do the following:
>     choose an arbitrary  s (mod q) .
> 
>     let  r = ( gamma^[h(M') * s^-1 mod  q] * y^[s^-1 mod  q] ) mod p .
> 
>     the pair  (r, s)  is a forged signature for  M' .

wow!  I think I should open my eyes next time.

-- 

S. Hamdy                                |  All primes are odd except 2,
[EMAIL PROTECTED]    |  which is the oddest of all.
                                        |
unsolicited commercial e-mail           |  D.E. Knuth
is strictly not welcome                 |

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: New standart for encryption software
Date: Wed, 09 Feb 2000 13:18:51 GMT

Jonny...while I agree with you that the claims of Finecrypt are a bit
odd..

Key ID...but that was with PGP 2.x  what is it exactly they have
patented?

No Back Doors....How can they prove that?

OK....But here is my question:

Are you saying every Crypto vendor has to release their source code for
examination?

I wonder if Entrust, Verisign, Data Fellows  ...are going to comply with
your request or suggestion.

I would like some input on this....


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Troed)
Subject: Re: Anti-crack
Reply-To: [EMAIL PROTECTED]
Date: Wed, 09 Feb 2000 14:01:31 GMT

[EMAIL PROTECTED] (Troed) wrote:

>Xing made the "hack" take a few minutes longer than it would have

"thanks to Xing, the hack could be done a few minutes faster"

>The DVD encryption is a joke, encredibly easy to break.

"incredibly"

... I shouldn't make these postings until I've had my first cup of
coffee in the morning ...

___/
_/



------------------------------

From: "finecrypt" <[EMAIL PROTECTED]>
Subject: Re: new standart for encryption software
Date: Wed, 9 Feb 2000 17:34:31 +0300

>  Because there is no way to know if the test vectors are the same part of
>the program that is used to encrypt the data, there could be any number of
>weaknesses either intentional or not inside such a program.  For all I
>know the test vectors are just that, a separate part of the program that
>fools people into thinking that the program is secure.

Johnny,

the main advantage of FineCrypt is that you can test it with "official" test
vectors of authors of algorithms and they will match. Try, for example, to
check FineCrypt's implementation of Blowfish with test vectors placed in
http://www.counterpane.com/vectors.txt.

FineCrypt - http://www.finecrypt.com/fcinst.exe




------------------------------

From: Gary <[EMAIL PROTECTED]>
Subject: RE: Continually Secure Password/Pin
Date: Wed, 9 Feb 2000 08:19:38 -0500

>===== Original Message From Volker Hetzer <[EMAIL PROTECTED]> 
=====
>[EMAIL PROTECTED] wrote:
>>
>> When creating and using a user/password account on the web why isn't
>> the following method used:
>[Nice description of hash based method deleted]
>There is a system called S/Key that uses a similar method.
>Your system is certainly practical.
>The problem is that the server needs to know that the millionth hash and
>the username are genuine. Otherwise I could send a server a hash and your
>name too.
When a person is registering with a web based service, web based email for
instance, the server isn't concerned with the user being genuine.
A man in the middle attack on registration would be unlikely. However this
can be eliminated by the server making public all users and their current hash.

Regards
Gary :)

============================================================
 Get your FREE web-based e-mail and newsgroup access at:
   http://MailAndNews.com and http://MailAndNews.co.uk

 Create a new mailbox, or access your existing IMAP4 or
 POP3 mailbox from anywhere with just a web browser.
============================================================
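The S/Key-style hash chain that the two replies above discuss, as an added example that is not part of the digest (names such as OtpClient, OtpServer and demo are hypothetical; SHA-256 stands in for the hash S/Key used; the seed is a constructed constant). The server keeps only the last verified value, so a used password cannot be replayed, and, as the second reply notes, knowing the stored value does not let anyone produce the next one (that would need a preimage). The registration step is where the first reply's caveat applies: the code simply trusts whatever anchor it is handed, which is why S/Key delivered it out of band.

```python
import hashlib
import hmac

# Added example, not code from the digest. Hash-chain one-time passwords in
# the style of S/Key (Lamport's scheme). SHA-256 stands in for S/Key's hash;
# all class and function names here are hypothetical.


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """Return H^n(seed): the seed hashed n times."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value


class OtpClient:
    """Holds the secret seed; hands out H^(n-1), H^(n-2), ... one per login."""

    def __init__(self, seed: bytes, n: int):
        self.seed = seed
        self.n = n

    def anchor(self) -> bytes:
        """H^n(seed): the value the server must receive over a trusted channel."""
        return hash_chain(self.seed, self.n)

    def next_otp(self) -> bytes:
        self.n -= 1
        return hash_chain(self.seed, self.n)


class OtpServer:
    """Stores, per user, only the most recently verified value and its index."""

    def __init__(self):
        self.users = {}

    def register(self, username: str, anchor: bytes, n: int) -> None:
        # The server cannot tell a genuine anchor from one an impostor submits
        # under someone else's name; this step needs an out-of-band channel.
        self.users[username] = (anchor, n)

    def login(self, username: str, otp: bytes) -> bool:
        if username not in self.users:
            return False
        anchor, n = self.users[username]
        if n <= 0:
            return False                       # chain exhausted: re-register
        if not hmac.compare_digest(h(otp), anchor):
            return False
        # Accepted: the submitted value becomes the new anchor. Storing (or even
        # publishing) it is safe; deriving H^(k-1) from H^k is a preimage problem.
        self.users[username] = (otp, n - 1)
        return True


def demo(n: int = 1000) -> dict:
    seed = b"constructed-demo-seed-do-not-reuse"  # real clients: secrets.token_bytes(32)
    client = OtpClient(seed, n)
    server = OtpServer()
    server.register("alice", client.anchor(), n)  # assumed to arrive over a trusted channel

    otp1 = client.next_otp()                             # H^(n-1)(seed)
    first = server.login("alice", otp1)                  # accepted
    replay = server.login("alice", otp1)                 # rejected: anchor already advanced
    second = server.login("alice", client.next_otp())    # H^(n-2): accepted
    stolen_anchor, _ = server.users["alice"]             # what a reader of the server's table sees
    forged = server.login("alice", stolen_anchor)        # rejected: H(anchor) != anchor
    return {"first": first, "replay": replay, "second": second, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The chain index n is the budget of logins before the client must generate a fresh seed and register a new anchor; the server refuses once it reaches zero rather than silently accepting stale values.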


------------------------------

From: "finecrypt" <[EMAIL PROTECTED]>
Subject: Re: New standart for encryption software
Date: Wed, 9 Feb 2000 17:56:08 +0300

>No Back Doors....How can they prove that?

Yes, we can prove it. Read online help topic "How to test FineCrypt with
test vectors?" about how you can get a guarantee of reliable encryption.

http://www.finecrypt.com/fcinst.exe



------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Student security columnist wanted for ACM Crossroads
Date: Wed, 09 Feb 2000 08:26:11 -0700


> ... having actual expertise in any field that they want would most likely
> be a handy cap since ...

I don't have any handy caps.

I don't know where my hats are, and my limitations are
definitely unuseful.

J "imp" M

------------------------------

From: [EMAIL PROTECTED] (David P Jablon)
Subject: Re: question about PKI...
Date: Wed, 9 Feb 2000 15:37:42 GMT

In article <[EMAIL PROTECTED]>,
Palmpalmpalm <[EMAIL PROTECTED]> wrote:
>
>Actually I was wondering if it was useful to use SRP in PKI solutions. Such a
>secure protocol must be helpful for downloading a private-key on line
>
>Is there anyone who thought about this?

Absolutely.  Entrust is using SPEKE, another protocol in the same
general family as SRP, in their PKI "roaming user" product.
See <www.IntegritySciences.com/PKI50.html> for the press spin.

To see the thinking behind this, a list of research papers on 
zero-knowledge password proofs and their applications is at:
<www.IntegritySciences.com/links.html>

======================================================
David P. Jablon
Integrity Sciences, Inc.
[EMAIL PROTECTED]
<http://www.IntegritySciences.com>

------------------------------

From: Erik <[EMAIL PROTECTED]>
Subject: Re: How secure is this method - What about this?
Date: Wed, 09 Feb 2000 10:36:17 -0500

Xcott Craver wrote:
> 
> Erik  <[EMAIL PROTECTED]> wrote:
> >
> >1) Get a number from A, Na, from 1 to 32,
> >2) Get a number from B, Nb, which is Na bits long.
> >3) XOR the next Na bits of plaintext with Nb.
> >and repeat
> 
>         This is identical to just XORing all of the second stream with
>         the plaintext.  Unless I'm reading you wrong.
> 
>         What's the difference between, say:
> 
>         1) XORing the first 17 bits of plaintext with 17 bits from B.
>         2) XORing the next 31 bits of plaintext with 31 more bits from B.
>         3) XORing the next 18 bits of plaintext with 18 more bits from B.
>         4) XORing the next 4 bits of plaintext with 4 more bits from B.
>         5) XORing the next 19 bits of plaintext with 19 more bits from B.
>                 ...
> 
>         and
> 
>         1) XOR all 1024 bits of plaintext with all 1024 bits from B.
> 
>         Seems to me that the exact same XORs will be made with the
>         exact same bits from B.  Hence, this is a stream cipher using
>         B as a pseudo-random number generator.
> 
>                                                         -Scott

The difference is that each time you get a PRN from B, you're adjusting
B's modulus for the required number of bits, and outputting a new
number.  So in each of your above steps 1-5 the PRNG's internal
state changes.  So the bits used in the first example will be different
ones than those used in the second.

If the attacker knows the output of the PRNG, he can potentially deduce
its internal state, but if the output is a pseudo-random number of bits,
he can't tell which group of bits are the outputs.  The question, I
think, is how much complexity this adds, and just how difficult it would
be for an attacker to analyze every possible combination of bit
clusters.

Erik

------------------------------

From: [EMAIL PROTECTED] (Bo Dömstedt)
Subject: Re: Key Generation program for Windows?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 09 Feb 2000 15:52:38 GMT

"cedric frost" <[EMAIL PROTECTED]> wrote:

>Anyone know of a program for Windows 9x that generates pseudo-random
>keys/passwords? 

Our SG100 hardware random number generator does that.

See http://www.protego.se/sg100_en.htm

Bo Dömstedt
Chief Cryptographer
Protego Information AB


------------------------------

From: No Brainer <[EMAIL PROTECTED]>
Subject: Anybody know about this flaw?
Date: Wed, 09 Feb 2000 23:50:14 +0800

Greetings all,

I was wondering if anyone knows of a secure way to exchange public keys
between two people via Internet e-mail without using any other form of
communication?

Also, would the proposed system work if "someone unbeknownst to us" was
intercepting and modifying the key exchanges?

TIA.




------------------------------

From: [EMAIL PROTECTED] (David P Jablon)
Subject: Re: question about PKI...
Date: Wed, 9 Feb 2000 16:15:38 GMT

In article <#WT9ERtc$GA.296@cpmsnbbsa02>,
Joseph Ashwood <[EMAIL PROTECTED]> wrote:
[[EMAIL PROTECTED] wrote:]
>> Actually I was wondering if it was useful to use SRP in PKI solutions. 
>> Such a secure protocol must be helpful for downloading a
>> private-key on line [...]
> 
> Well considering that I was the one that suggested it to
> you, I'd have to say that at least one of us has.
> It has some flaws in the logic because SRP makes use of PK,
> it's useful in order to allow arbitrary authenticated
> communication, very much like Kerberos.

There's no flaw in the logic of using SRP or any
zero-knowledge protocol to strengthen the weak links
in a PKI system.  SRP, SPEKE, EKE and related zero-knowledge 
methods are designed specifically to tolerate small, easily remembered
secrets, without the vulnerability to network attack of older
protocols.

Kerberos V4 and V5 initial authentication are very much unlike SRP,
and Kerberos would be greatly improved by using any of these
zero-knowledge methods.

Two original design requirements behind Kerberos were to 
be free, and to avoid using any computationally expensive 
operations.  You can judge for yourself whether this philosophy 
is still appropriate for commercial products and modern CPUs.

======================================================
David P. Jablon
Integrity Sciences, Inc.
[EMAIL PROTECTED]
<http://www.IntegritySciences.com>


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Latin Squares (was Re: Reversibly combining two bytes?)
Date: Wed, 09 Feb 2000 09:22:05 -0600

In article <87qt47$663$[EMAIL PROTECTED]>, "r.e.s."
<[EMAIL PROTECTED]> wrote:
> 
> 161280 for N=5 is correct according to my references.
> 
> The number of Latin Squares of order N, for N=1..10:
> 1,2,12,576,161280,812851200,61479419904000,108776032459082956800,
> 5524751496156892842531225600,9982437658213039871725064756920320000
> Source:
> http://www.research.att.com/cgi-bin/access.cgi/as/njas/sequences/eisA.cgi?Anum=002860

Maybe some midnight math is involved on my part, that which does not need
to see the light of day, so starting from scratch with N=3, there are 6
possibilities for the first row, abc, acb, bac, bca, cab, cba.  For the
second row, the selection of the first row limits the choices, so with abc
in the first row, you can have bca and cab. Then, 6x2=12 is right for
total possible squares for N=3.
-- 
Life is full of upturns and downturns, with varying periods of 
stability mixed in.  It is a fool's errand to assume that what is 
happening any one day predicts the same as a constant future.
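The row-by-row count in the post above (6 first rows, then 2 compatible second rows for N=3), carried out by a backtracking search and checked against the sequence quoted from r.e.s., as an added example that is not part of the digest. The function names (count_latin_squares, latin_square_count, second_row_choices) are hypothetical. The direct enumeration is fine up to N=4; for N=5 the example instead counts reduced squares (first row and first column fixed in order) and multiplies by N!(N-1)!, the standard identity, which reaches 161280 in well under a second.

```python
from itertools import permutations
from math import factorial

# Added example, not code from the digest. Counts Latin squares of order n by
# placing one row at a time, rejecting any row that repeats a symbol in a column.


def compatible_rows(n, cols, fixed_first=None):
    """Yield permutations of 0..n-1 that clash with no column filled so far.
    fixed_first pins the first symbol (used for reduced squares)."""
    for perm in permutations(range(n)):
        if fixed_first is not None and perm[0] != fixed_first:
            continue
        if all(perm[c] not in cols[c] for c in range(n)):
            yield perm


def count_latin_squares(n, reduced=False):
    """Count n x n Latin squares by backtracking.
    reduced=True counts only squares whose row 0 and column 0 are 0..n-1."""
    cols = [set() for _ in range(n)]  # symbols already used in each column

    def place(r):
        if r == n:
            return 1
        if reduced and r == 0:
            candidates = [tuple(range(n))]
        else:
            candidates = compatible_rows(n, cols, r if reduced else None)
        total = 0
        for perm in candidates:
            for c in range(n):
                cols[c].add(perm[c])
            total += place(r + 1)
            for c in range(n):
                cols[c].remove(perm[c])
        return total

    return place(0)


def latin_square_count(n):
    """L(n) = n! * (n-1)! * R(n), with R(n) the number of reduced squares.
    Permuting columns and then the remaining rows maps each reduced square to
    n!(n-1)! distinct squares, so this is exact and far cheaper for n = 5."""
    return factorial(n) * factorial(n - 1) * count_latin_squares(n, reduced=True)


def second_row_choices(n):
    """How many rows can follow the first row 0..n-1 (2 for n = 3, as in the post)."""
    cols = [{c} for c in range(n)]
    return sum(1 for _ in compatible_rows(n, cols))


if __name__ == "__main__":
    print([latin_square_count(n) for n in range(1, 6)])  # [1, 2, 12, 576, 161280]
```

For N=3 the direct count reproduces 6 x 2 = 12, and the reduced count is 1, so 3! x 2! x 1 gives the same 12; for N=5 the reduced count is 56 and 120 x 24 x 56 = 161280, matching the sixth... fifth term of the sequence in the quoted reference.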

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: talk.politics.crypto,misc.int-property,misc.legal.computing
Subject: Re: permission to do crypto research
Date: Wed, 09 Feb 2000 09:36:15 -0600

In article <87qtaq$sba$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Xcott Craver) wrote:

> I wrote:
> 
> >>         I don't know if anyone here disagrees with you on this.  Rather,
> >>         this is a thread about how the law affects crypto research, not
> >>         a thread about the right or wrong of such law.
> >> 
> >>         Technically, questions about right or wrong are best not x-posted
> >>         to sci.crypt.  In this case, however, I think it's relevant
> >>         to a discussion of the science of cryptography because the law
> >>         may now restrict what scientists are allowed to do.
> 
> Then wtshaw <[EMAIL PROTECTED]> wrote:
> 
> >Scientific truth deals with rights and wrongs, so does logic, and so does
> >the law.  Justice demands truth and honesty.  If you believe that all
> >these things are to be arbitrary, you do not make sense, so why are you
> >even wasting your breath saying that it is important to maintain them. 
> >Trying to separate logic from science is the biggest sin of all, and you
> >simply have no right to force that on anyone.  If the law is wrong, then
> >hang the law; after all that is what justice demands. Or, perhaps you
> >think that you can mock justice as well.
> 
>         What in the World!?!
> 
>         I was merely saying that political discussions are _usually_
>         off-topic for sci.crypt.   They go to talk.politics.crypto 
>         and the like.  You _know_ this to be true, and you really,
>         really should have been able to understand that that's what
>         I was saying.  Mocking justice?!
> 
> >You may write your own program to work on your own files, or get them
> >wherever, whenever.  It must be so nice to feel that you can make
> >unreasonable demands, when their unreasonableness simply will cause them
> >to be ignored, and you too.  People only have faith in good laws, and the
> >loss of such faith causes anarchy. Now, I get it...you are really an
> >anarchist.
> 
>         All right, that's it, you're either drunk or responding
>         to the wrong post.
> 
>         For the 2nd time, I am not in any way _in_favor_ of this
>         law.  If you knew the damnedest little thing about watermarking,
>         you'd KNOW I couldn't be in favor of this law, because my
>         research used to be in watermarking ATTACKS.  
> 
>         I was pointing out that the exemption for scientific research
>         isn't enough, because the DMCA still criminalizes the 
>         tools scientists may use, exemption or no.  Of course, that's
>         just one reason of many:  the bit about having to ask permission is
>         itself, IMHO, unacceptable, but even with permission research
>         may be impeded.
>         
>         In response to last paragraph, sentence by sentence:  
> 
>         1)  Yes, I can write my own program to work on my own files, 
>             but NO, this law may prevent me from getting them "wherever, 
>             whenever."  Media companies are trying to do just that with
>             DeCSS.  Who knows if tools researchers use may one day be
>             under the gun.
>         2)  Your identifying me as a proponent of this law exhibits all the 
>             deductive powers of a hippopotamus attempting to mate with a car.
>         3)  Agreed.
>         4)  For Christ's sake, post sober.  
> 
That is a disgusting challenge to visualize, but I get your point.  I did
get carried away.

Laws may pretend to do lots of things, but that does not mean that they do so.  

I would guess that almost all people who garner their own software have at
some time had programs that would not pass legal standards, but the courts
have ruled that this is apt to be found, and only trafficking in such
beyond a certain value within a certain timeframe is something that can
get you in trouble.  

Worrying about a single program that disassembles, by making it as illegal
as lots of other things, surely is not more important; just what you might
do with it combined with a certain value within a certain timeframe might
make it a problem.
-- 
Life is full of upturns and downturns, with varying periods of 
stability mixed in.  It is a fool's errand to assume that what is 
happening any one day predicts the same as a constant future.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: How is twofish different from blowfish ?
Date: Wed, 09 Feb 2000 09:30:37 GMT

[EMAIL PROTECTED] wrote, in part:

>       The subject pretty much covers it. How is the cipher which has been
>submitted as a candidate for the advanced encryption standard called twofish,
>different from blowfish ? Thanks in advance.

The two ciphers are both described on my web site.

Blowfish is a block cipher with a 64-bit block that uses a slow method
to produce a large, fully key-dependent, set of S-boxes. Twofish just
has small S-boxes that are key-dependent in a limited way, and it
works on 128-bit blocks. Also, it has steps involving matrices.

John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: I'm returning the Dr Dobbs CDROM
Date: Wed, 09 Feb 2000 09:47:15 -0600

In article <87r8gs$ua$[EMAIL PROTECTED]>, Simon F <[EMAIL PROTECTED]> wrote:

> In article <[EMAIL PROTECTED]>,
>   Victor Zandy <[EMAIL PROTECTED]> wrote:
> >
> >     A couple weeks ago I asked for opinions of the Dr Dobbs CDROM
> > collection of cryptography books.  Overwhelmingly the response was
> > positive, so I bought it.  (Thanks again to those of you who replied.)
> >
> >     I am returning the CDROM because it is not suitable for printing.
> > For example, to print chapter 1 of the Stinson book (44 pages) Adobe
> > acroread (x86/Solaris 2.6) creates a 500MB postscript file.  I cannot
> > print this file directly, probably because it is too big.  Although I
> > might be able to find a way to print the file, at 500MB it would take
> > too much time.
> 
> 
> Can't you get hold of Ghostscript?
> 
> I believe it allows you to select  particular pages for printing.
> I admit I don't know if it will handle a 500mb file, but it may be
> worth trying.
> 
I suppose that text is TOO compact a format to use these days. It is hard
to justify such bloat, certainly it means that those involved have lost
the meaning of efficiency.  What was it...in the mid eighties, Bill Gates
said 640K ought to be enough memory for anybody.  44 pages ought to fit
into a few hundred K at the most, but as we know, Gates lost his way, and
lots of others tagged along trying to copy him.
-- 
Life is full of upturns and downturns, with varying periods of 
stability mixed in.  It is a fool's errand to assume that what is 
happening any one day predicts the same as a constant future.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
