Cryptography-Digest Digest #99, Volume #11       Fri, 11 Feb 00 16:13:01 EST

Contents:
  Re: "Trusted" CA - Oxymoron? (Sander Vesik)
  Re: Newbie Encrypt question (Jerry Coffin)
  Re: Using Gray Codes to help crack DES (Paul Schlyter)
  Re: NSA opens up to US News (Email forms are lame)
  Re: Have you watched the movie "PI" (actually a mathematical symbol PI) of a 
mathematical genius .. breaking the code .. ("Androcles")
  Re: help DES encryption (Hideo Shimizu)
  Re: UK publishes 'impossible' decryption law (Mike Eisler)
  Re: I'm returning the Dr Dobbs CDROM ([EMAIL PROTECTED])
  Re: Message to SCOTT19U.ZIP_GUY ("Peter K. Boucher")
  Re: I'm returning the Dr Dobbs CDROM (Paul Koning)
  Re: Guaranteed Public Key Exchanges (Paul Koning)
  Re: Period of cycles in OFB mode (Paul Koning)
  Re: encryption export question (Paul Koning)

----------------------------------------------------------------------------

From: Sander Vesik <[EMAIL PROTECTED]>
Crossposted-To: 
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Date: 11 Feb 2000 20:07:56 GMT

In sci.crypt Brian Hetrick <[EMAIL PROTECTED]> wrote:
> "Sander Vesik" wrote...
> <snip>

> Aha.  I see your point.  But completely delinking from the known is,
> I suspect, impossible.



> Incidentally, getting a circle of false notaries is a little more
> cumbersome than you describe: you need to be a notary before you can
> make an identity assertion.  You would need a minimum of 5 identities
> going through a minimum of three notarizations each to get a circle
> of notary identities sufficient to get Thawte to issue a certificate
> in the name of a completely fabricated identity.  (An identity
> assertion is specific to a notary/asserted identity pair; a new notary
> can issue only 10 identity points; a notary can issue a maximum of 35
> points; a minimum of 50 points is needed for an identity to be
> considered "verified;" a minimum of 100 points is needed to become a
> notary.)

> An attempt to verify the fabricated identity would fail, of course, as

No. It would not. It would just point at another person whose face
looked different, who possibly never had even used a computer and
who has a good alibi. A false ID that didn't verify is no good.

> in the described scenario all the "notaries" would have been frauds.
> But the second generation notaries -- the minimum of three "good
> faith" notaries -- would have copies of the falsified identity
> documents of the five fraudulent notary identities.  While the names,
> addresses, document serial numbers, and so forth, on the falsified
> documents might not be of any use, the photographs are known good --
> the notaries made sure they bore a "reasonable resemblance" to the
> actual persons appearing before them.

How much does it cost to have a druggy go and get himself set up as a
notary using false ID?

Get a fresh asian immigrant / inner city youth to get the notary papers
and then sell them to me?

> So at least you have a collection of photographs of the person(s)
> involved in the fraud, at least if the fraud is detected within five
> years of it starting.

Which are probably no good. It helps only against a very small and very
undetermined adversary.

> To get two or more generations of fraudulent notaries, you would
> need to start with ten identities, rather than five, as you would need
> ten new notary identity assertions to get enough identity points to
> create a notary.

> And I would not doubt Thawte is watching the patterns of which
> notaries are asserting which identities, with an eye to catching
> exactly such attempts to build fraudulent identities.  If they weren't
> before, they certainly are now.  :-)

Good to hear. But if you don't want a whole second gen ring, it is a
lot harder to notice. Unnoticeable second gen notaries are just slightly
more expensive than those in whose case a slight suspicion might arise.

But the whole second gen. ring is not needed. You need just some second
gen notaries.

> On the whole, I suspect it would be simpler to get one set of fake
> IDs than five -- and simply going to "good faith" Thawte notaries
> to get a minimum of two identity assertions with a single fake ID is
> substantially easier than going to "good faith" Thawte notaries a
> minimum of fifteen times with five fake IDs, or thirty times with ten
> fake IDs.

Assuming the selection of the Thawte notaries is wide enough and that
they are sufficiently far apart geographically, that's no problem. The scheme
can work in parallel and there is no way - at the time it is done -
to say in any way that some kind of (future) fraud is involved.

> The only advantage of creating fraudulent notaries as a step in
> creating a fraudulent identity is that the fraudulent identity does not
> have an accessible photograph on file.  But, of course, the
> photographs of the person(s) involved in the fraud _are_ on file, so
> I do not see the advantage there.

See above - it need not be so. The people presenting the false IDs do not
have to be locals, for example (but say from Canada, the UK, etc.), the parts
can be done in other US states, etc. A photo on file is not such a good
advantage. It just discourages those who have no determination.

-- 
        Sander

        There is no love, no good, no happiness and no future -
        these are all just illusions.

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Newbie Encrypt question
Date: Fri, 11 Feb 2000 13:13:15 -0700

In article <881obf$nbr$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...

[ ... ] 

> So am I wrong in assuming that the 56bit key encryption standard was
> based on shifting/xoring?

Yes, DES includes both shifting and XORing, but those are NOT the 
primary elements of the security -- though it's somewhat difficult to 
talk about bits and pieces of a cipher and still say anything 
meaningful, I think it's safe to say that one of the single most 
important elements in the security of DES is in the S-boxes.
 
> And last but not least, what do you guys suggest using instead.  Keep in
> mind I want to code it myself as opposed to using/buying an ocx.

There are quite a few possibilities.  Even though DES has been broken, 
the only practical method is by trying all possible keys.  You can use 
3DES to increase the effective key size so this is no longer possible.  
There are quite a few other possibilities as well, and many of them 
are much easier to code than DES -- perhaps the simplest is generally 
referred to as ARC4.  This is essentially the same algorithm as RC4, 
but RC4 is protected under trademark, so other implementations use 
different names.

Another possibility would be to go to the Counterpane web site and 
take a look at the descriptions of Blowfish and Twofish.

Twofish is a candidate (along with 4 others) to become the replacement 
for DES.  Descriptions of all five are available at various places on 
the web -- a search for "AES finalist algorithm" or something similar 
should turn up all five.  Note that only three of the five are free 
for use right now -- if either of the other two is selected as AES, it 
will also be free for use, but if not selected the originators retain 
rights to the algorithms.

You might also want to take a look at (for one example) John Savard's 
web site -- he has descriptions of quite a few algorithms, attacks, 
etc., that you might find interesting.  I don't have a URL right off, 
but he posts here regularly and includes the URL in his signature 
IIRC.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Using Gray Codes to help crack DES
Date: 11 Feb 2000 19:27:33 +0100

In article <87v9jl$[EMAIL PROTECTED]>,
Nick Shaffner <[EMAIL PROTECTED]> wrote:
 
> Dan Day wrote in message <[EMAIL PROTECTED]>...
>>On 8 Feb 2000 23:24:52 GMT, [EMAIL PROTECTED] wrote:
>>>
>>>    count = count + 1
>>>    greycode = count ^ (count >> 1)
>>
>> Hey, that's really slick.  But I'll be damned if I can figure
>> out why it works...
> 
> Does Anyone know where I can get an explanation of what greycodes are
 
Grey codes are a rearrangement of a set of integers, such that the binary
representation of two adjacent integers differ in only one bit position.
 
Consider for instance the integers:   0 1 2 3 4 5 6 7
 
In binary they are:
 
000
001
010
011
100
101
110
111
 
and if rearranged as Grey codes according to the algorithm above,
they will be:
 
000
001
011
010
110
111
101
100
 
Note that the Grey code is cyclic: that is, between the first and the
last number (in this case 000 and 100), there should be a change in
only one bit position too.
 
> and their uses in cryptography?
 
I have no idea why they are of use in cryptography.  But they are of
great use in encoders which encode a mechanical movement to a digital
value.  Consider for instance a wind direction meter, and inside a
small closed cabinet there's a cylinder with white and black areas,
and a few LED's and photodiodes/transistors, which detect whether a
black or a white area is below that particular LED/photodiode
combination.  Next suppose we have three such LED/photodiode pairs
which encode the cylinder's rotation angle into 3 bits.
 
If only one of the LED/photodiode combinations switch from white to
black at any one time, there's no problem with the encoding.  This is
the case if Grey codes are used - by e.g. table lookup the Grey codes
will later be converted to normal integers.
 
But if normal binary integers are used on the cylinder to encode the
rotation angle, then at some points, several bits at once will
change.  Consider for instance the change from 000 to 111: due to
mechanical imperfections, they probably won't change exactly at the
same rotation angle.  Suppose, at one point, only two of the three
bits have changed from 0 to 1, so we get e.g. 011 instead of the
correct 111 -- then this will be interpreted as a rotation angle
which is almost 180 degrees off!!!
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  [EMAIL PROTECTED]    [EMAIL PROTECTED]   [EMAIL PROTECTED]
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch
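The Gray-code formula quoted in the thread, its inverse, and the encoder misread that Paul describes, as an added example that is not part of the original post. It uses only the standard library; the glitch model (every subset of the changing bits may have flipped when the sensor is read) is my assumption about how to quantify "almost 180 degrees off".

```python
# Added example (not from the original post): Gray-code encode/decode, the
# single-bit-change property including the cyclic wrap-around, and a model of
# the rotary-encoder misread described in the thread.

def gray_encode(n: int) -> int:
    """The formula quoted in the thread: n ^ (n >> 1)."""
    return n ^ (n >> 1)


def gray_decode(g: int) -> int:
    """Invert gray_encode. Bit i of n is the XOR of all Gray bits at or above
    position i, so repeatedly shifting and XORing recovers n."""
    n = 0
    while g:
        n ^= g
        g >>= 1
    return n


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def gray_table(bits: int) -> list:
    """Gray codes of 0 .. 2^bits-1 as bit strings (the table in the post)."""
    return [format(gray_encode(i), "0%db" % bits) for i in range(1 << bits)]


def is_single_step_sequence(bits: int) -> bool:
    """True if consecutive Gray codes differ in exactly one bit, including the
    wrap-around from the last code back to the first (the cyclic property)."""
    codes = [gray_encode(i) for i in range(1 << bits)]
    n = len(codes)
    return all(hamming_distance(codes[i], codes[(i + 1) % n]) == 1 for i in range(n))


def worst_misread_error(bits: int, use_gray: bool) -> int:
    """Model of the encoder glitch (assumption): moving from angle step i to
    i+1, the sensor may be read while only a subset of the changing bits has
    flipped. Return the largest position error, in angle steps around the
    circle, that such a partial reading can produce."""
    total = 1 << bits
    worst = 0
    for i in range(total):
        nxt = (i + 1) % total
        before = gray_encode(i) if use_gray else i
        after = gray_encode(nxt) if use_gray else nxt
        changed = before ^ after
        for subset in range(total):
            if subset & ~changed:        # not a subset of the changing bits
                continue
            seen = before ^ subset       # what the sensor reports mid-transition
            pos = gray_decode(seen) if use_gray else seen
            err = min((pos - i) % total, (i - pos) % total)
            worst = max(worst, err)
    return worst


if __name__ == "__main__":
    print(gray_table(3))
    print("3-bit binary worst misread:", worst_misread_error(3, False), "steps")
    print("3-bit Gray worst misread:  ", worst_misread_error(3, True), "step")
```

With three bits the binary encoder's worst partial reading is 4 steps off (half a turn, the "almost 180 degrees" case), while a Gray encoder can never be more than one step off because only one bit changes between neighbours, so any partial reading is either the old or the new position.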

------------------------------

From: Email forms are lame <[EMAIL PROTECTED]>
Subject: Re: NSA opens up to US News
Date: Fri, 11 Feb 2000 20:15:35 GMT

John,

I've read this article in hard copy format in one of the latest issues
of US News & World Report.  Either the issue that JUST came
or the one I got a week ago.

I'm not at home, maybe I'll post the issue number/volume/date
sometime.

Incidentally, I enjoy that magazine...

Keith

P.S. It was weird because I read the article online and started
reading the one in the magazine, and I was like, "wtf does this
sound so familiar?"


John Savard wrote:

> [EMAIL PROTECTED] (Dave Hazelwood) wrote, in part:
>
> >http://www.usnews.com/usnews/issue/000214/nsa.htm
>
> Does 000214 really mean that this article is from the February 14,
> 2000 issue of U.S. News and World Report? The February 7th issue just
> arrived on a newsstand near me today.
>
> John Savard (jsavard<at>ecn<dot>ab<dot>ca)
> http://www.ecn.ab.ca/~jsavard/crypto.htm


------------------------------

Reply-To: "Androcles" <[EMAIL PROTECTED]>
From: "Androcles" <[EMAIL PROTECTED]>
Crossposted-To: 
alt.politics.org.cia,soc.culture.russian,soc.culture.israel,alt.math,alt.2600
Subject: Re: Have you watched the movie "PI" (actually a mathematical symbol PI) of a 
mathematical genius .. breaking the code ..
Date: Fri, 11 Feb 2000 20:39:24 GMT


aslan <[EMAIL PROTECTED]> wrote in message
news:8814tf$[EMAIL PROTECTED]...
> .... a real movie?! ....
>
> jesus i haven't seen a REAL movie since the crazy things were invented!

Gosh darn it! I was gonna say that but you beat me to it. :-)
Androcles




------------------------------

From: Hideo Shimizu <[EMAIL PROTECTED]>
Subject: Re: help DES encryption
Date: Sat, 12 Feb 2000 05:30:19 +0900

In D.R. Stinson's book 'CRYPTOGRAPHY Theory and Practice' page 79,
such an example of 16 rounds of DES is given.

Hideo Shimizu
TAO, Japan

mati wrote:
> 
> Hi,
> 
> i am trying to implement the DES algorithm. I have used the des-how-to by
> Matthew Fischer. I have completed the coding but it doesn't give me the correct
> result.
> 
> Could someone provide me DES encryption examples with step by step results
> (subkeys, R[i], L[i], etc.) in order to locate the problems?
> 
> many thanks in advance
> 
> David

------------------------------

From: [EMAIL PROTECTED] (Mike Eisler)
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: 11 Feb 2000 20:31:19 GMT
Reply-To: [EMAIL PROTECTED] (Mike Eisler)

In article <[EMAIL PROTECTED]>,
Adam Lock  <[EMAIL PROTECTED]> wrote:
% "vrml3d.com" wrote:
% 
% > >
% > > could imprison users of encryption technology for forgetting or losing
% > >
% > > their keys.
% >
% > Ummm... does that mean it would be illegal to possess a file full of random
% > numbers?  Such a file would be indistinguishable from an encrypted file, and
% > when asked to produce the "key" you would invariably come up short.  Oh no!
% > The radio is making static again!  quick, throw it out the window. :)
% 
% You can extend that idea.
% 
% Imagine I have two plaintexts A & B. A is the secret, B is a cooking recipe or
% something else innocuous. I encrypt A with one key and B with another and then
% zip/tar the two ciphertexts together. The decryption process takes only one of
% the original keys and uses it on each ciphertext in the zip/tar file, until it
% finds a ciphertext it can decrypt.
% 
% So now when the police demand that I hand over the key, I can give them the key
% to decrypt B and keep A safe.
% 
% There's an obvious flaw in this. The police may know that the algorithm encrypts
% two files and still demand the key to A. How can I "honestly" claim that there
% is no plaintext A and that I have no idea what the other key is?
% 
% The answer to make the encryption process either one or two plaintexts. When
% only one plaintext is supplied, the algorithm generates the second plaintext and
% key randomly.
% 
% Now the contents of the zip/tar could be (A + garbage), (B + garbage) or (A +
% B). Unless I, the person who created the ciphertext in the first place tell the
% police whether I passed in one file or two, they cannot prove or disprove that I
% haven't been truthful when I handed over the key to B in the first place.
% Further, I could truthfully claim that I haven't the faintest idea what the
% other key is.
% 
% In other words, the Police cannot prove that I haven't handed over the keys but
% I can still keep my secrets safe if I want to.

As was pointed out, under the UK law, you are guilty till proven
innocent.

The simplest way to deal with the law is, every time you encrypt a file
with symmetric or symmetric/public key hybrid crypto, you generate
what looks to me like a one-time pad, such that if XORed with your cipher
text, it looks like a cooking recipe.  Generating the "pad" is trivial:
XOR the cooking recipe with the cipher text. Save the "pad" on a zip
disk that you hide behind a painting or something, and label it,
"secret one time pad, keep away from the jack booted thugs." The Crypto
Cops will find it if you don't help them, and know immediately what to
do with it, especially since it looks like random data. Meanwhile, your
key is safe in your head as a pass phrase. The Crypto Cops
XOR your pad with the cipher text, and out pops the recipe.
--
-Mike Eisler                    Now really, Ms. Gross, I think it's a
[EMAIL PROTECTED]         mistake for you to assume you're
remove the prefix 'NO_' and     talking to a moron," said the judge,
suffix '_SPAM' to reply.        who pronounced Linux with a long "i"

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: I'm returning the Dr Dobbs CDROM
Date: 11 Feb 2000 20:54:29 GMT

Paul Koning <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:

>> In my
>> briefcase I can carry the DDJ CD-ROM, the about 20 years of CRYPTO and
>> EuroCrypt proceedings (CD-ROM available through Springer-Verlag), 

> How did you get that one?  I tried to order it via their website, and
> the order was  redirected to some random company I'd never heard of
> somewhere in the US, and I've never heard anything since.

Both Amazon.com and BN.com (Barnes & Noble) list it.  Despite some
serious reservations about giving business to amazon, that's where I
got mine because they said they could ship within 24 hours -- bn.com
said it might take several weeks...

-- 
Steve Tate --- srt[At]cs.unt.edu | Gratuitously stolen quote:
Dept. of Computer Sciences       | "The box said 'Requires Windows 95, NT, 
University of North Texas        |  or better,' so I installed Linux."
Denton, TX  76201                | 

------------------------------

Date: Fri, 11 Feb 2000 13:59:39 -0700
From: "Peter K. Boucher" <[EMAIL PROTECTED]>
Subject: Re: Message to SCOTT19U.ZIP_GUY

Tim Tyler wrote:
[snip]
> To my ears, the description quoted at the top sounds like an extremely
> garbled version of DS's recommendation of a method get diffusion of
> plaintext information through the entire message by applying adaptive
> compression programs "in both directions" through the file - in the
> absence of any better whole-message diffusion scheme.

Carl Ellison proposed a scheme like that, 8 or 9 years ago.
If I recall correctly, it went like this:
Encryption:
    1) Encrypt file with DES and key 1
    2) Sum all the bytes in the file, and use the sum as a key to
transpose all the bytes in the file.
    3) Encrypt file with DES and key 2
    4) Sum all the bytes in the file, and use the sum as a key to
transpose all the bytes in the file.
    5) Encrypt file with DES and key 3
Decryption:
    1) Decrypt file with DES and key 3
    2) Sum all the bytes in the file, and use the sum as a key to
transpose all the bytes in the file.
    3) Decrypt file with DES and key 2
    4) Sum all the bytes in the file, and use the sum as a key to
transpose all the bytes in the file.
    5) Decrypt file with DES and key 1

Does Scott give any credit to Ellison?

-- 
Peter
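The cipher / sum-keyed transposition / cipher / sum-keyed transposition / cipher structure Peter recalls, and its inverse, as an added example that is not part of the original post or of Ellison's or Scott's code. The standard library has no DES, so the three DES stages are stood in for by a keyed XOR keystream derived with hashlib.blake2b (my placeholder, not DES); what the example shows is the transposition layer: why the decryptor can recompute the same permutation, and how one changed plaintext byte spreads through the whole output.

```python
# Added example (not from the original post). The DES stages are replaced by
# a placeholder keyed XOR stream; the sum-keyed transposition is the part
# being demonstrated.
import hashlib
import random


def xor_stage(data: bytes, key: bytes) -> bytes:
    """Placeholder for 'Encrypt file with DES and key k' (assumption, not DES):
    XOR with a keystream of blake2b(key || block offset). XOR inverts itself."""
    out = bytearray()
    for off in range(0, len(data), 64):
        stream = hashlib.blake2b(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[off:off + 64], stream))
    return bytes(out)


def permutation_for(length: int, byte_sum: int) -> list:
    """'Use the sum as a key to transpose all the bytes': derive a byte order
    from the sum. random.Random with a fixed seed is deterministic, so the
    encryptor and decryptor obtain the same permutation."""
    perm = list(range(length))
    random.Random(byte_sum).shuffle(perm)
    return perm


def transpose(data: bytes) -> bytes:
    perm = permutation_for(len(data), sum(data))
    return bytes(data[p] for p in perm)


def untranspose(data: bytes) -> bytes:
    # A transposition only reorders bytes, so the byte sum of the transposed
    # data equals the byte sum of the original. That invariance is what lets
    # the decryptor recompute the same permutation with no extra key material.
    perm = permutation_for(len(data), sum(data))
    out = bytearray(len(data))
    for i, p in enumerate(perm):
        out[p] = data[i]
    return bytes(out)


def encrypt(plain: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    c = xor_stage(plain, k1)      # 1) cipher with key 1
    c = transpose(c)              # 2) sum-keyed transposition
    c = xor_stage(c, k2)          # 3) cipher with key 2
    c = transpose(c)              # 4) sum-keyed transposition
    return xor_stage(c, k3)       # 5) cipher with key 3


def decrypt(cipher: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    p = xor_stage(cipher, k3)     # 1) undo key 3
    p = untranspose(p)            # 2) undo transposition
    p = xor_stage(p, k2)          # 3) undo key 2
    p = untranspose(p)            # 4) undo transposition
    return xor_stage(p, k1)       # 5) undo key 1


def changed_fraction(a: bytes, b: bytes) -> float:
    """Fraction of byte positions at which two equal-length strings differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


# Constructed sample input and keys (not from the post).
SAMPLE = bytes(range(256)) * 2
KEYS = (b"key-one", b"key-two", b"key-three")


def diffusion_demo() -> float:
    """Flip one bit of one plaintext byte and measure how much of the
    ciphertext changes. Whole-message diffusion comes from the byte sum:
    any single-byte change alters the sum, hence the entire permutation."""
    modified = bytearray(SAMPLE)
    modified[100] ^= 0x01
    return changed_fraction(encrypt(SAMPLE, *KEYS), encrypt(bytes(modified), *KEYS))


if __name__ == "__main__":
    assert decrypt(encrypt(SAMPLE, *KEYS), *KEYS) == SAMPLE
    print("ciphertext bytes changed by a one-bit plaintext change: %.3f" % diffusion_demo())
```

Two things worth noting about the construction. The byte sum is what makes the scheme both decryptable and diffusing, and it is the same value on both sides of each transposition, which is the property the decryptor relies on. It is also a very small quantity (a few thousand possible values for a file of this size), so the transposition contributes mixing, not secrecy; in the recalled scheme secrecy rests entirely on the cipher stages around it.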

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: I'm returning the Dr Dobbs CDROM
Date: Fri, 11 Feb 2000 15:06:42 -0500

JD wrote:
> 
> >     I am returning the CDROM because it is not suitable for printing.
> > For example, to print chapter 1 of the Stinson book (44 pages) Adobe
> > acroread (x86/Solaris 2.6) creates a 500MB postscript file.  I cannot
> > print this file directly, probably because it is too big.  Although I
> > might be able to find a way to print the file, at 500MB it would take
> > too much time.
> 
> Something is wrong.  PDF is just glorified PostScript, so the PS output
> should be not much larger than the original PDF file.  In this case,
> theory1.pdf is 2.2MB.  When I print the 44 pages to a PS file using
> acroread 4.0 on Solaris (SPARC), the result is 3.16MB.  When I do
> the same using the Adobe PS driver 5.1 on WinNT, it is 2.9MB.  So
> whatever you're doing is off by a couple orders of magnitude.

Good point (though PDF is compressed and PS usually is not).

Perhaps the problem is a non-PS printer, so Acrobat has to convert the
PDF into whatever format the printer wants.  Typically that's a bitmap.
That's the reason why printing on your typical inkjet printer takes so
long and uses so much scratch disk.  Using a Postscript printer will
help, if that's indeed the problem.  It's wise to get real postscript,
not clone postscript.

        paul

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Guaranteed Public Key Exchanges
Date: Fri, 11 Feb 2000 15:14:14 -0500

Mok-Kong Shen wrote:
> 
> No Brainer wrote:
> >
> > Does anyone know of a secure way to exchange public keys between two
> > people via the Internet (e-mail) without using any other form of
> > communication?
> >
> > Also, would the proposed system work if *someone* was intercepting and
> > modifying the key exchanges?
> 
> Perhaps you would need mechanisms like the web of trust. My knowledge
> about your topic is rather meagre. Hopefully others would provide you
> useful informations.

No, that doesn't solve the problem.  It merely moves it.

In the web of trust, once you (a) believe you have an accurate copy
of A's public key, (b) you've decided you trust A to accurately verify
the identity of others, (c) you have what's supposed to be the public
key of B, and A's signature saying that it is -- you can conclude that
the second key is indeed from B.

The issue is: how do you bootstrap this?  I.e., how do you get that
first key, the one from A?  The same problem exists in X.509 and similar
certificate systems, the only difference is that these use trees while
the WOT uses graphs.

With certificates as used with browsers, people (mostly without knowing
it) trust the certificates that come with the program.  With the WOT,
you start with some keys you believe are valid.  For example, I figure
that Phil Zimmermann's PGP key fingerprint as published in "Protect your
Privacy" is likely to be valid... and I can go from there.

        paul

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Period of cycles in OFB mode
Date: Fri, 11 Feb 2000 15:21:33 -0500

Tim Tyler wrote:
> 
> It appears to me that when using most block cyphers in OFB mode, there
> will exist both weak keys (keys where there exists no period anywhere
> near 2^n in length), and - for the vast majority of keys - there
> will be weak IVs (IVs that happen to hit on a shorter-than normal
> cycle).

That's why I've always liked counter mode.  Its cycle size is
obvious (2^64).  It also has the nice property that you can 
parallelize it for higher speed.  The biggest drawback is that
it isn't a FIPS mode.  Then again, the only mode in common use is
CBC, so either way you'd have a bit of a barrier...

        paul
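The cycle behaviour Tim and Paul are discussing, as an added example that is not part of the original posts. OFB feeds each output block back as the next input, so the keystream period is the length of the cycle of E_K that contains the IV; counter mode encrypts 0, 1, 2, ... so its period is 2^n for every key and IV. To make every cycle enumerable the "block cipher" here is a stand-in (my assumption): a key-seeded random permutation of the 256 possible 8-bit blocks, so n = 8 instead of 64.

```python
# Added example (not from the original posts): OFB versus counter-mode
# keystream periods on a toy 8-bit "block cipher" (a key-seeded random
# permutation standing in for E_K, so cycles can be enumerated exhaustively).
import random

BLOCK_BITS = 8
BLOCK_VALUES = 1 << BLOCK_BITS


def toy_cipher(key: int) -> list:
    """E_K as a lookup table: index = input block, value = output block.
    random.Random(key).shuffle gives a deterministic permutation per key."""
    table = list(range(BLOCK_VALUES))
    random.Random(key).shuffle(table)
    return table


def ofb_keystream(table: list, iv: int, count: int) -> list:
    """OFB: s_0 = IV, s_{i+1} = E_K(s_i); the s_i (i >= 1) are the keystream."""
    out, s = [], iv
    for _ in range(count):
        s = table[s]
        out.append(s)
    return out


def ctr_keystream(table: list, count: int) -> list:
    """Counter mode: keystream block i is E_K(i mod 2^n)."""
    return [table[i % BLOCK_VALUES] for i in range(count)]


def ofb_cycle_length(table: list, iv: int) -> int:
    """Walk s -> E_K(s) from the IV until a state repeats. E_K is a permutation,
    so every IV lies on a cycle and the first repeat is the IV itself."""
    seen, s, steps = {}, iv, 0
    while s not in seen:
        seen[s] = steps
        s = table[s]
        steps += 1
    return steps - seen[s]


def ctr_cycle_length() -> int:
    """The counter input has period 2^n and E_K is a bijection, so the CTR
    keystream has period exactly 2^n for every key (Paul's 2^64 for n = 64)."""
    return BLOCK_VALUES


def ofb_cycle_profile(key: int) -> dict:
    """Map cycle length -> number of IVs that land on a cycle of that length.
    Short cycles are Tim's 'weak IVs'; a key with no long cycle at all is a
    'weak key' in his sense."""
    table = toy_cipher(key)
    profile = {}
    for iv in range(BLOCK_VALUES):
        n = ofb_cycle_length(table, iv)
        profile[n] = profile.get(n, 0) + 1
    return profile


def shortest_ofb_cycle(key: int) -> int:
    return min(ofb_cycle_profile(key))


if __name__ == "__main__":
    for key in range(4):
        prof = ofb_cycle_profile(key)
        print("key %d: OFB cycle lengths %s, CTR period %d"
              % (key, sorted(prof.items()), ctr_cycle_length()))
```

For a random permutation the cycle containing a given IV has expected length about half the block space and a spread that reaches right down to fixed points (an IV whose keystream is constant), which is what the profile makes visible; counter mode has no such spread because its period does not depend on the key at all.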

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: encryption export question
Date: Fri, 11 Feb 2000 15:19:57 -0500

Eric Lee Green wrote:
> 
> rb wrote:
> > What sort of symmetric encryption is generally believed to be freely exportable
> > from the US, with the new regulations? I was looking at the ciphersaber
> > method, which looks particularly nice for routine encryption of moderately
> > private data. Does anyone think that a program using that could be exported
> > without having to worry about getting permission from uncle sam?
> 
> Read the regs. They're online at http://www.bxa.doc.gov .

Best advice...

Is ciphersaber open source?  If so, it looks like you could use the
open source rules, which are pretty open...

        paul

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
