Cryptography-Digest Digest #116, Volume #11 Sun, 13 Feb 00 18:13:01 EST
Contents:
Re: Guaranteed Public Key Exchanges (Mok-Kong Shen)
Re: Basic Crypto Question 3 (Mok-Kong Shen)
Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
Re: Guaranteed Public Key Exchanges (Ralph Hilton)
Re: Message to SCOTT19U.ZIP_GUY (Tim Tyler)
Re: Which compression is best? (Jerry Coffin)
Re: Guaranteed Public Key Exchanges (Mok-Kong Shen)
Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
ECES Question ! ("Manik Taneja")
Re: Guaranteed Public Key Exchanges (Ralph Hilton)
Re: SHA-1 sources needed! (Gilles BAUDRILLARD)
Re: Guaranteed Public Key Exchanges (Mok-Kong Shen)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Guaranteed Public Key Exchanges
Date: Sun, 13 Feb 2000 22:23:48 +0100
Ralph Hilton wrote:
>
> Alice and Bob wish to establish a key. All communications are monitored by
> Charlie. The communications would have to appear in public though to avoid
> unobserved modification. But the fact of the key exchange being public is
> irrelevant.
I guess that all the trouble centers practically around how to
guarantee (absolutely) that there is no 'unobserved modification'.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Basic Crypto Question 3
Date: Sun, 13 Feb 2000 22:24:49 +0100
[EMAIL PROTECTED] wrote:
>
> Cascading Multiple Block Ciphers:
>
> 1. If a plain text is encrypted with three Ciphers, is it as strong as
> the strongest Cipher in the Chain or as weak as the weakest?
>
> 2. Could there be some subtle interaction between the algorithms that may
> reduce security or reduce keyspace?
>
> 3. Is there an optimum way of combining ciphers together or
> rules...assuming that the cascade is made up of block ciphers of the
> same size and key length? i.e. should one choose IDEA, 3DES, CAST128 or
> Blowfish, IDEA, CAST128, or Blowfish, RC5 and 3DES......what are the
> criteria???
>
> 4. What if the ciphers have different block size and key length, is it
> still ok to cascade them? Blowfish, Twofish, IDEA?
>
> 5. Is it too complex to alternately encrypt the plaintext blocks with
> the different ciphers in one Pass????? Does that make sense?
In my humble knowledge, one could only make such 'general' claims that,
if two ciphers are sufficiently different in nature, then it is
unlikely that cascading would result in weakening due to unfavourable
'interactions' and it is likely that the combination would lead to
strength greater than the strongest component. I don't see that different
block sizes could be an unfavourable factor, excepting that the
processing is a little bit complicated technically. But experts may
correct my opinions.
M. K. Shen
------------------------------
From: "tiwolf" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Sun, 13 Feb 2000 13:21:56 -0800
Does anyone here really think that any crypto program, self-made or commercial,
is not broken already or can't be broken given a little effort by the NSA
geeks? I know that someone might use some type of crypto that might give them
trouble for a while, but if they really want to I think that the NSA geeks
can break it.
cfm wrote in message ...
>What's the big deal, any one of us who wishes to spend the time can
>generate all possible PGP keys. So what, now if they can search them and
>discover which one is in use in a particular message and then decrypt
>it, that's news, but it's also pretty far fetched that the NSA is performing
>a search across the key space for all PGP encrypted messages in the
>internet. (Ignores question of how all traffic in the internet is
>funneled to NSA!)
>
>carl.
>
>In article <8764db$vqo$[EMAIL PROTECTED]>, "Scott Fluhrer"
><[EMAIL PROTECTED]> wrote:
>
>>Anonymous <[EMAIL PROTECTED]> wrote in message
>>news:[EMAIL PROTECTED]...
>>> There are a couple of interesting threads on talk.politics.crypto
>>> originating from a cryptographer with www.filesafety.com. They
>>> purport that the NSA has ALL POSSIBLE keys for PGP and that all PGP
>>> encrypted netmail has been "transparent" for at least two years to
>>> the NSA and certain elements of the military and FBI. The
>>> cryptographic basis for this alleged total compromise of PGP is
>>> discussed.
>>>
>>> This is a low-traffic NG and I should like to see serious analysis of
>>> these claims by those who are more technically qualified to discuss
>>> them.
>>Summary: either he's nuts, he's trolling or he's deliberately lying about
>>his competition (I rather suspect the latter, myself).
>>
>>Facts:
>>
>>- The source code for older versions of PGP is publicly available. In spite
>>of repeated requests from other posters, he refuses to point out where in
>>the source code the number of keys is limited, or where the random number
>>generator is chilled
>>
>>- The number of distinct keys he lists (the exact number changes from post
>>to post) is so small (such as one million), he could have demonstrated it by
>>generating a few thousand keys and found duplicates. He refuses to do so.
>>
>>- He refuses to back up his claim in any other way. Instead, he just claims
>>to have unrevealed wisdom that PGP is broken, but (of course) his own
>>software is pristine.
>>
>>- When pressed, he usually launches into personal attacks. See the "Johnny
>>Bravo is an FBI man" for an example -- the logic appears to be "Johnny Bravo
>>disagrees with me, ergo he must be a government agent". Personally, I
>>believe when people use ad hominem attacks, it's usually because that's the
>>only arrow left in their quiver.
>>
>>--
>>poncho
------------------------------
From: Ralph Hilton <[EMAIL PROTECTED]>
Subject: Re: Guaranteed Public Key Exchanges
Date: Sun, 13 Feb 2000 22:20:34 +0100
Reply-To: [EMAIL PROTECTED]
On Sun, 13 Feb 2000 22:23:48 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>Ralph Hilton wrote:
>>
>
>> Alice and Bob wish to establish a key. All communications are monitored by
>> Charlie. The communications would have to appear in public though to avoid
>> unobserved modification. But the fact of the key exchange being public is
>> irrelevant.
>
>I guess that all the trouble centers practically around how to
>guarantee (absolutely) that there is no 'unobserved modification'.
>
>M. K. Shen
A posting to a public newsgroup should handle that as either party would see
the modification.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Message to SCOTT19U.ZIP_GUY
Reply-To: [EMAIL PROTECTED]
Date: Sun, 13 Feb 2000 21:05:38 GMT
wtshaw <[EMAIL PROTECTED]> wrote:
:"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
:> If the encryption uses the same key, then it doubles the time
:> for a brute-force key search.
: Then, you divide the keyspace and use two machines for the same search if
: the cipher is not a group. [...]
I don't think you can just consider using twice as much hardware when
comparing the time-to-break of different systems.
If you quadruple the number of machines you employ, then you divide the
time by almost four. Is that allowed?
Surely, any comparison should be performed using equivalent hardware.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Death is the cure of all diseases.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Which compression is best?
Date: Sun, 13 Feb 2000 14:36:42 -0700
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
There seems to be a LOT of discussion that's either unrelated to the
original subject, or else is simply being done at cross-purposes, or
nit-picking about language used rather than anything substantive about
the real effects of compression on security. As such, it seemed to me
more profitable to try to summarize my opinions rather than continue a
discussion that's mostly going nowhere.
First of all, WRT Dave Scott's compression, there are really two
separate areas that are being intermixed rather freely, despite being
more or less unrelated:
1) All-or-nothing transformations.
2) 1-1 compression.
I believe all-or-nothing transformations, such as David Scott gets by
running compression in both directions, can be of some use, as long as
you're a great deal more concerned with ensuring against interception than
you are with ensuring that the intended recipient receives at least a
partial message. I think it's essentially up to an individual user to
decide whether that applies to his/her case or not, but I'm certain
that in MANY situations, the reverse is really true.
I'm convinced that 1-1 compression rarely accomplishes anything useful
at all. Its primary claim to fame is making it more difficult to say
whether a particular trial decryption is valid or not. Some forms of
compression allow the rejection of certain keys based on the structure
of the file produced, while leaving others as possible outputs. With a
1-1 compressor, every decryption will produce an output that can be
decompressed, but statistical analysis of that decompressed output
suffices to reject the vast majority of keys, at least under normal
circumstances. In theory, it's barely possible to imagine
transmitting data with so little internal structure that it really
would be difficult or impossible to analyze and use to reject
incorrect keys; in that case 1-1 compression is worth considering. I believe
this is such a rare situation as to merit no consideration beyond
noting the theoretical possibility of its existence (and even that's
giving it more time than it REALLY deserves).
At the present time, forms of compression that are not 1-1 provide
substantially better compression than those that are. Though it's not
guaranteed, I believe this is unlikely to change. I believe the
restrictions placed on compression to make it 1-1 limit the
possibilities on compression too much to hope for it to match other
forms any time soon.
A completely unrelated benefit of compression (i.e. unrelated to those
mentioned above) is simply reducing the amount of text encrypted with
a particular key. WRT this benefit, the only relevant criterion is
compression ratio. In theory, as has been mentioned previously,
producing truly optimal compression ratios would more or less force
the algorithm to be 1-1 as well. Despite this, the best algorithms
known are neither 1-1, nor of a nature that appears likely to be
amenable to conversion to 1-1.
Again, there is a theoretical possibility of sending messages in such
a limited domain that the limitations of relatively general-purpose
compression methods don't necessarily apply, but this is another
situation I believe to be so rare as to merit no consideration in
discussions of cryptography in general. In fact, the very nature of
messages like this is likely to mean that normal cryptography is more
or less inapplicable in any case -- the optimum encoding will usually
be a minimum number of bits to choose between a number of
pre-determined possibilities, in which the list of pre-determined
possibilities becomes (effectively) the key to what is essentially a
one-time-pad -- the only reasonable method of breakage is to capture
the list holding the encodings. If we postulate capture of the key,
then no other method of encryption makes any real difference to
security in any case.
To summarize:
Any sort of all-or-nothing transformation can be useful under some
circumstances, but the user should be aware that exactly the same
things that make it good for some situations make it bad in others.
I believe the situations in which maximum compression provides benefit
are real and most real uses are easily shown to benefit.
I believe the situations in which 1-1 compression provides benefit are
hypothetical and most real uses are easily shown to derive little or
no benefit.
--
Later,
Jerry.
The universe is a figment of its own imagination.
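The two key-rejection mechanisms Jerry contrasts above, as an added example that is not part of the original post: a structural test that a non-1-1 compressor (zlib here) hands a key-searcher for free, and a statistical test on byte distribution that works whatever the compressor does. The cipher, keys and message are constructed for illustration; the raw wrong-key output stands in for what a 1-1 decompressor would emit, which would likewise lack the statistics of real text.

```python
import hashlib
import zlib

# Constructed sample message standing in for real plaintext (not from the post).
MESSAGE = b"the quick brown fox jumps over the lazy dog. " * 10


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under the toy keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def chi_square_uniform(data: bytes) -> float:
    """Chi-square of the byte histogram against the uniform distribution on
    256 values. Random-looking bytes score near 255 (the degrees of
    freedom); natural-language text scores in the thousands."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def structurally_valid(trial: bytes) -> bool:
    """Rejection test a non-1-1 compressor gives for free: a wrong-key trial
    decryption is almost never a well-formed zlib stream."""
    try:
        zlib.decompress(trial)
        return True
    except zlib.error:
        return False


def statistically_plausible(trial: bytes, threshold: float = 600.0) -> bool:
    """Rejection test that works whatever the compressor: does the candidate
    have the heavily skewed byte distribution of real text?"""
    return chi_square_uniform(trial) > threshold


def trial_decryptions(message: bytes, right_key: bytes, wrong_key: bytes) -> dict:
    """Compress, encrypt, then try the right key and a wrong one; report what
    each rejection test says about the two trial decryptions."""
    ciphertext = toy_xor(right_key, zlib.compress(message))
    good = toy_xor(right_key, ciphertext)
    bad = toy_xor(wrong_key, ciphertext)
    return {
        "right_key_structural": structurally_valid(good),
        "wrong_key_structural": structurally_valid(bad),
        "right_key_statistical": statistically_plausible(zlib.decompress(good)),
        "wrong_key_statistical": statistically_plausible(bad),
    }
```

The point of the second test is the one Jerry makes: denying the searcher the structural check (as 1-1 compression does) leaves the statistical check intact, and that alone rejects wrong keys.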
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Guaranteed Public Key Exchanges
Date: Sun, 13 Feb 2000 22:54:09 +0100
Ralph Hilton wrote:
>
> <[EMAIL PROTECTED]> wrote:
>
> >Ralph Hilton wrote:
> >>
> >
> >> Alice and Bob wish to establish a key. All communications are monitored by
> >> Charlie. The communications would have to appear in public though to avoid
> >> unobserved modification. But the fact of the key exchange being public is
> >> irrelevant.
> >
> >I guess that all the trouble centers practically around how to
> >guarantee (absolutely) that there is no 'unobserved modification'.
> A posting to a public newsgroup should handle that as either party would see
> the modification.
I am not quite sure of that. If you see, say, 10 different posts
each claiming 'My name is A, my key is .....', how do you know which
key A really has?
M. K. Shen
------------------------------
From: "tiwolf" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Sun, 13 Feb 2000 13:41:11 -0800
Considering the money spent by groups like the NSA, CIA, DIA, and others on
tech, software, and humans I think that the government is more than willing
to break codes to read all email regardless of whether it is about my grocery list
that I am emailing to my wife. You are all assuming that the government does
not really care what is in the majority of email as opposed to the government
wanting the capability or the ability to read all email regardless of what
is in it.
You are also forgetting that in East Europe the Commie regimes tapped all
phone lines and recorded most phone calls. In East Germany the Stasi had
collected samples of clothing or anything that might give off the scent of
people they considered suspect and placed the samples in chemical solution
that served to make the scent stronger over time. These samples were stored
in a warehouse(s) that had thousands and thousands of samples of suspect
traitors that were laid out in an orderly fashion so that the Stasi could
find the smell sample of a particular traitor. If needed the Stasi could use
this sample to instruct a dog to find the particular person and lead the
Stasi to the person.
This was over ten years ago in a Communist country with little electronic
know-how (compared to today), yet just a few years ago the FBI wanted
telephone companies to construct new networks to allow the FBI or other
agencies to be able to tap the phones of a percentage of the population that
is out of proportion to the actual criminal population both walking the
streets and in jail.
Johnny Bravo wrote in message ...
>On Tue, 1 Feb 2000 11:42:50 -0500, "Dorsey Bolliard"
><[EMAIL PROTECTED]> wrote:
>
>>My suspicion (admittedly without solid basis) is that the government
>>probably has people working day and night on the problem, and undoubtedly
>>has algorithms that CAN break encoded messages in finite time, but that the
>>time involved is still sufficiently long so as to make the routine intrusion
>>into every pgp message prohibitively costly.
>
> Or more likely they can't, but they don't need to. Is your home TEMPEST
>shielded? I seriously doubt it. The government can park a van outside
>your building and read everything on your screen, every keystroke you
>make. If they thought you were worth the effort, they would do so.
>
> That is the bottom line, the vast majority of us aren't worth it. The
>government doesn't give a damn what is in my email, encrypted or
>otherwise.
>
> Best Wishes,
> Johnny Bravo
------------------------------
From: "tiwolf" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Sun, 13 Feb 2000 13:46:34 -0800
You are assuming that they would be using current disks as a medium for
storage, or that they would even need the whole lot of keys in the first
place.
Ralph Hilton wrote in message ...
>On Tue, 1 Feb 2000 07:27:58 +0100, Anonymous <[EMAIL PROTECTED]>
>wrote:
>
>>There are a couple of interesting threads on talk.politics.crypto
>>originating from a cryptographer with www.filesafety.com. They
>>purport that the NSA has ALL POSSIBLE keys for PGP and that all PGP
>>encrypted netmail has been "transparent" for at least two years to
>>the NSA and certain elements of the military and FBI. The
>>cryptographic basis for this alleged total compromise of PGP is
>>discussed.
>>
>>This is a low-traffic NG and I should like to see serious analysis
>>of these claims by those who are more technically qualified to
>>discuss
>>them.
>>
>>Take a look, and be sure to cross-post your comments here.
>
>He is a joker.
>
>The storage space for all possible keys for PGP would, with current
>hard disks, extend beyond the orbit of Pluto with the whole space
>full of 1Tb disks.
>
>You have been trolled.
>--
>Ralph Hilton
>http://Ralph.Hilton.org
>Freezone International: http://www.fzint.org
------------------------------
From: "Manik Taneja" <[EMAIL PROTECTED]>
Subject: ECES Question !
Date: Mon, 14 Feb 2000 03:36:48 +0530
Hi all,
I'm a final year computer engineering student from India. I'm
interested in implementing ECES and I have some questions regarding the same.
I'm aware that ECES was a part of the IEEE P1363 draft. However the
elliptic curve form has been dropped in later versions of the draft. Why so?
Is it because of security reasons? Is ElGamal PKI over Elliptic
Curves more secure as compared to ECES?
Thanking you in anticipation.
Regards
Manik Taneja
[EMAIL PROTECTED]
------------------------------
From: Ralph Hilton <[EMAIL PROTECTED]>
Subject: Re: Guaranteed Public Key Exchanges
Date: Sun, 13 Feb 2000 23:04:50 +0100
Reply-To: [EMAIL PROTECTED]
On Sun, 13 Feb 2000 22:54:09 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>Ralph Hilton wrote:
>>
>> <[EMAIL PROTECTED]> wrote:
>>
>> >Ralph Hilton wrote:
>> >>
>> >
>> >> Alice and Bob wish to establish a key. All communications are
>> >> monitored by Charlie. The communications would have to appear in
>> >> public though to avoid unobserved modification. But the fact of the
>> >> key exchange being public is irrelevant.
>> >
>> >I guess that all the trouble centers practically around how to
>> >guarantee (absolutely) that there is no 'unobserved modification'.
>
>> A posting to a public newsgroup should handle that as either party
>> would see the modification.
>
>I am not quite sure of that. If you see, say, 10 different posts
>each claiming 'My name is A, my key is .....', how do you know which
>key A really has?
It seems you might have some very dedicated enemies!
Presumably one could eliminate most through examination of headers.
An answer to that question really entails knowing more details. What
degree of mutual information one has about the other party, are there
mutually trusted acquaintances and so on.
I would find it hard to think of an actual real life situation where a
combination of DH exchanges, use of key servers etc. would be
insufficient.
------------------------------
From: [EMAIL PROTECTED] (Gilles BAUDRILLARD)
Subject: Re: SHA-1 sources needed!
Date: 13 Feb 2000 22:39:30 GMT
Reply-To: [EMAIL PROTECTED]
On Sun, 13 Feb 2000 13:25:50 GMT, Tom St Denis <[EMAIL PROTECTED]>
wrote:
>In article <885ie5$ecm$[EMAIL PROTECTED]>,
> "Nikolaus" <[EMAIL PROTECTED]> wrote:
>> Could anybody send me the source code (or URL) of SHA-1 hash algorithm
>> written on C/C++ ??
>>
>> thanx,
>> Nikolaus
>>
>
>I know Mike Rosing [regular in this forum, pretty cool guy] has a copy
>of Jim Golligy [is that right?] SHA-1/SHA-0 source code. Hopefully he
>will respond, if not I will dig it up for ya.
>
>Tom
File "tools/sha1.c" in the sources of GnuPG.
Downloadable at gnu.org
Gilles
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Guaranteed Public Key Exchanges
Date: Sun, 13 Feb 2000 23:48:40 +0100
Ralph Hilton wrote:
>
> It seems you might have some very dedicated enemies!
I suppose one commonly assumed opponent is of the kind of
three-lettered agencies. Whether this assumption really applies is
of course subject to your opinions.
> Presumably one could eliminate most through examination of headers.
I have too little knowledge about communication protocols etc., but
as far as I am aware the headers could be easily faked.
> An answer to that question really entails knowing more details. What
> degree of mutual information one has about the other party, are there
> mutually trusted acquaintances and so on.
Yes, having mutually trusted persons is what makes the web of trust
function in my view. But you need 'trust' and that's different
from having a 'proof' (i.e. without involving anything 'subjective').
> I would find it hard to think of an actual real life situation where a
> combination of DH exchanges, use of key servers etc. would be
> insufficient.
As said, it depends on your assumption of the risks in your
environment.
M. K. Shen
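The situation debated across this thread, as an added example that is not part of any of the posts: Alice and Bob run a Diffie-Hellman exchange over a channel Charlie can read and, when active, rewrite with his own "My name is A, my key is ..." postings. The exchange itself gives the parties no way to tell whose key they read; only an out-of-band comparison of fingerprints (the trusted acquaintance Ralph mentions) reveals the substitution. The group (a 127-bit Mersenne prime with base 5) is a toy chosen for illustration, and the names and helper functions are assumptions.

```python
import hashlib
import secrets

# Toy DH group for illustration only; far too small for real use.
P = 2 ** 127 - 1
G = 5


def dh_keypair():
    """Fresh private exponent and public value g^x mod p in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> str:
    """Shared secret g^(ab) mod p, hashed down to a 256-bit session key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).hexdigest()


def fingerprint(pub: int) -> str:
    """Short digest of a public value: the thing Alice and Bob would compare
    through a mutually trusted acquaintance or another out-of-band channel."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def run_exchange(charlie_active: bool) -> dict:
    """Post public values to a 'newsgroup' Charlie reads and, when active,
    rewrites. Reports whether Alice and Bob end up with the same key, whether
    Charlie holds a key with each of them, and whether comparing fingerprints
    out of band would have exposed the substitution."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # What each party reads from the public channel, attributed to the other.
    board = {"Alice": a_pub, "Bob": b_pub}
    charlie_reads_both = False
    if charlie_active:
        # Charlie posts his own value under both names; the postings are
        # public and visible to everyone, yet nothing marks them as forged.
        c_priv, c_pub = dh_keypair()
        board = {"Alice": c_pub, "Bob": c_pub}
    alice_key = dh_shared(a_priv, board["Bob"])
    bob_key = dh_shared(b_priv, board["Alice"])
    if charlie_active:
        charlie_reads_both = (dh_shared(c_priv, a_pub) == alice_key
                              and dh_shared(c_priv, b_pub) == bob_key)
    # Out-of-band check: does the board's key for each name match the real one?
    detected = (fingerprint(board["Alice"]) != fingerprint(a_pub)
                or fingerprint(board["Bob"]) != fingerprint(b_pub))
    return {
        "keys_agree": alice_key == bob_key,
        "charlie_reads_both": charlie_reads_both,
        "substitution_detected": detected,
    }
```

Nothing in the public record itself distinguishes the two runs; the detection comes entirely from the fingerprint comparison, which is why the thread keeps returning to trust and web-of-trust rather than to the publicity of the posting.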
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************