Cryptography-Digest Digest #118, Volume #11      Mon, 14 Feb 00 02:13:01 EST

Contents:
  Re: How to Annoy the NSA ("Douglas A. Gwyn")
  Re: Does the NSA have ALL Possible PGP keys? (Beretta)
  Re: Period of cycles in OFB mode ("Douglas A. Gwyn")
  Re: New standart for encryption software. ("Trevor Jackson, III")
  Re: Period of cycles in OFB mode (David Wagner)
  Re: Does the NSA have ALL Possible PGP keys? ("Trevor Jackson, III")
  Re: Basic Crypto Question 3 ("Douglas A. Gwyn")
  Re: Does the NSA have ALL Possible PGP keys? ("Douglas A. Gwyn")
  Re: UK publishes 'impossible' decryption law ("Trevor Jackson, III")
  Re: Somebody is jamming my communications -- this has been happening at  ("Trevor Jackson, III")
  Fractal Cryptography ("M. Hackett")
  Large Floating Point Library? ("Clockwork")
  Re: Does the NSA have ALL Possible PGP keys? (Johnny Bravo)
  Re: UK publishes 'impossible' decryption law (Michael Sierchio)
  Re: RFC: Reconstruction of XORd data (Jerry Coffin)
  Re: Does the NSA have ALL Possible PGP keys? (Johnny Bravo)
  Re: Guaranteed Public Key Exchanges ("Lyal Collins")
  Re: Basic Crypto Question 3 (David Wagner)
  Re: I'm returning the Dr Dobbs CDROM (wtshaw)

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Mon, 14 Feb 2000 04:14:40 GMT

MCKAY john wrote:
> 1 ... most certainly IS a factor - but not a prime factor.

Granted.  The context was of prime factorizations of large integers,
but that may not have been clear in the posting that spawned this
thread.

------------------------------

From: Beretta <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Mon, 14 Feb 2000 04:19:11 GMT

On Sun, 13 Feb 2000 13:21:56 -0800, "tiwolf" <[EMAIL PROTECTED]> wrote:

>Does anyone here really think that any crypto program self made or commercial
>is not broken already or can't be broken given a little effort by the NSA
>geeks. I know that someone might use some type of crypto that might give them
>trouble for a while, but if they really want to I think that the NSA geeks
>can break it.
>
>
<snip>

You seem to assume the NSA is all powerful, has an infinite budget, infinite room for
computers, and somehow is the only agency that is not bound by the laws of 
mathematics...

And while I'll admit that the NSA certainly does have a huge budget, that budget is not
infinite.. And while they certainly have talented cryptanalysts on staff, those
cryptanalysts are not infinite in number, nor infinite in talent. In fact, there is no
reason that the cryptanalysts on the NSA payroll are necessarily "the best".
------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Period of cycles in OFB mode
Date: Mon, 14 Feb 2000 04:19:37 GMT

Helger Lipmaa wrote:
> ... a good block cipher should look like a pseudorandom permutation.

To the extent that that makes sense, it seems to apply even to most
bad (readily crackable) block ciphers.

------------------------------

Date: Sun, 13 Feb 2000 23:34:55 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: New standart for encryption software.

"Albert P. Belle Isle" wrote:

> On Wed, 9 Feb 2000 01:54:07 +0300, "finecrypt" <[EMAIL PROTECTED]>
> wrote:
>
> >FineCrypt 1.2
> >
> >First and sole program, which you can test with test vectors.
>
> Hardly.
>
> _Any_ cryptosystem designed to FIPS 140-1 (the "master standard" for
> the US family of cryptographic security standards) _must_ include
> built-in, standards-compliant tests for the cipher(s), hashes,
> keystream generator randomness, etc.
>
> Document Security Manager has (for years) made its built-in FIPS 81,
> SP500-20, FIPS 180-1 and FIPS 140-1 self-tests available to the user
> interface.
>
> More importantly, for those wary of "canned responses," it also allows
> direct user access to the ciphers, for user-defined tests that accept
> user-defined keys and user-defined inputs for direct encipherment to
> disk, without the standard headers or other overhead bytes.
>
> The ANSI X9.17c keystream generator can produce its next megabyte of
> pseudorandom bytes to disk, on command. The fact that it is used to
> generate the last overwrite-and-verify pass from the NAVSO P5239-26
> overwriting routines means that any command to Sanitize a file per
> DOD5220.22-M produces a keystream generator test output to disk of
> that size.
>
> Although our source code is available for review under NDA, any
> INFOSEC professional knows that spiking cryptosystem implementations
> at the object code level is a much greater threat than "backdoors"
> spelled-out in well-documented source code. Hence, the emphasis on
> testing performance of the cryptosystem, rather than trusting pretty
> source code listings.
>
> (Of course, that doesn't seem to inhibit the calls by sci.crypt
> posters to "show me the source code." Any professional spiker would be
> all too happy to get the resulting "seal of approval" <g>.)

You have mixed (possibly confused) two distinct problems that haunt
software offered by untrusted implementors.  First, and unquestionably
foremost, is the threat of incompetence.  An implementor may design a weak
cipher, or poorly implement a strong cipher, or perfectly implement a
strong cipher but overlook a security weakness in some supporting aspect
of the software.  Source code inspection -- peer review -- addresses these
kinds of threats.

The second kind of threat is that of a malicious vendor who purposefully
implements a weakness or a back door.  This is a dramatically smaller
threat.  And, BTW, one that source code review _does_ reduce, because it
is quite hard to hide such a back door from an inspector able to recreate
the binary.  Given the same tools the binaries should be close to
indistinguishable.  And a debug script that works on one ought to produce
the same log  when applied to the other.  So even patched binaries are not
hard to uncover.

>
>
> Then there's all those "wiping" programs that leave plaintext
> scavenged into the _interior_ slack spaces of Word or Excel files....
> But that's another story for another time.

Don't complain until you have your pagefile.sys working from a scramdisk
partition.


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Period of cycles in OFB mode
Date: 13 Feb 2000 20:32:53 -0800

In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Helger Lipmaa wrote:
> > ... a good block cipher should look like a pseudorandom permutation.
> 
> To the extent that that makes sense, it seems to apply even to most
> bad (readily crackable) block ciphers.

Could you elaborate?

I'm confused -- to me, the notion of "indistinguishable from a
pseudorandom permutation to computationally-bounded adversaries"
seems to mimic very closely our intuition about which ciphers are
good.  Am I misunderstanding, or are you suggesting this is a bad
way to think about it?

Just about every attack I can think of, with very few exceptions,
can be viewed as an efficient adversary that distinguishes the block
cipher from a pseudorandom permutation.  For instance, any key-recovery
attack that uses less than the whole codebook trivially falls into
this class.

(I'm using terms like "distinguish" and "pseudorandom" as jargon-ish
shorthand for the precise formal notions defined in modern literature
on provable security.  Ask me for details if it's not clear.)

Maybe it would help me puzzle out the meaning of your brief comment
if you gave an example of a block cipher that is "bad" (there is an
attack on it) yet still "looks like" a pseudorandom permutation?
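
An added toy illustration of the reduction described in the post above (written for this digest, not code from the thread): a key-recovery attack on a constructed 16-bit cipher with a 16-bit key, using three chosen plaintexts rather than the whole codebook, is wrapped as an adversary that distinguishes the cipher from a random permutation. The cipher, the oracle and the plaintext values are all constructed for this example.

```python
"""Toy illustration of "attack implies PRP distinguisher": a key-recovery attack
that needs three plaintext/ciphertext pairs is wrapped as an adversary that tells
a constructed 16-bit block cipher apart from a uniformly random permutation."""
import random

BLOCK_BITS = 16
KEY_BITS = 16          # deliberately tiny, so exhaustive key search is the "attack"
MASK = (1 << BLOCK_BITS) - 1


def rotl16(x, r):
    return ((x << r) | (x >> (BLOCK_BITS - r))) & MASK


def toy_encrypt(key, p):
    """Constructed 4-round add/rotate/xor toy cipher (hypothetical, not from the thread)."""
    x = p
    for rnd in range(4):
        x = (x + key) & MASK
        x = rotl16(x, 5)
        x ^= rotl16(key, rnd * 3 + 1)
    return x


class Oracle:
    """Encryption oracle for one of two worlds: the toy cipher under a random key,
    or a lazily sampled random permutation on 16-bit blocks (sampled without
    replacement so that it really is a permutation)."""

    def __init__(self, real, rng):
        self.real = real
        self.rng = rng
        self.key = rng.getrandbits(KEY_BITS)
        self.table = {}
        self.used = set()

    def query(self, p):
        if self.real:
            return toy_encrypt(self.key, p)
        if p not in self.table:
            c = self.rng.getrandbits(BLOCK_BITS)
            while c in self.used:
                c = self.rng.getrandbits(BLOCK_BITS)
            self.table[p] = c
            self.used.add(c)
        return self.table[p]


def key_recovery(pairs):
    """The 'attack': exhaustive search for every key consistent with two known pairs."""
    (p0, c0), (p1, c1) = pairs
    return [k for k in range(1 << KEY_BITS)
            if toy_encrypt(k, p0) == c0 and toy_encrypt(k, p1) == c1]


def distinguisher(oracle):
    """Outputs True ('this is the cipher') after only three queries, far short of
    the 2^16-entry codebook. A candidate key that also predicts a fresh query is
    overwhelming evidence of structure: for a random permutation, a fixed key
    predicts the third ciphertext with probability about 2^-16."""
    plaintexts = [0x1234, 0xBEEF, 0x0F0F]          # constructed chosen plaintexts
    cts = [oracle.query(p) for p in plaintexts]
    candidates = key_recovery(list(zip(plaintexts, cts))[:2])
    return any(toy_encrypt(k, plaintexts[2]) == cts[2] for k in candidates)


def advantage(trials, seed=1):
    """Empirical advantage: Pr[D says cipher | cipher] - Pr[D says cipher | random]."""
    rng = random.Random(seed)
    hits_real = sum(distinguisher(Oracle(True, rng)) for _ in range(trials))
    hits_rand = sum(distinguisher(Oracle(False, rng)) for _ in range(trials))
    return (hits_real - hits_rand) / trials
```

The same wrapper works for any key-recovery attack that uses fewer queries than the codebook: the attack's predictions are simply checked against one more oracle answer.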

------------------------------

Date: Sun, 13 Feb 2000 23:45:03 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?

tiwolf wrote:

> Considering the money spent by groups like the NSA, CIA, DIA, and others on
> tech, software, and humans i think that the government is more than willing
> to break codes to read all email regardless if it is about my grocery list
> that I am emailing to my wife. You are all assuming that the government does
> not really care what is in the majority of email as opposed the government
> wanting the capability or the ability to read all email regardless of what
> is in it.
>
> You are also forgetting that in East Europe the Commie regimes tapped all
> phone lines and recorded most phone calls. In East Germany the Stasi had
> collected samples of clothing or anything that might give off the scent of
> people they considered suspect and placed the samples in chemical solution
> that served to make the scent stronger over time. These samples were stored
> in a warehouse(s) that had thousands and thousands of samples of suspect
> traitors that were laid out in an orderly fashion so that the Stasi could
> find the smell sample of a particular traitor. If needed, the Stasi could use
> this sample to instruct a dog to find the particular person and lead the
> Stasi to the person.
>
> This was over ten years ago in a Communist country with little electronic
> know-how (compared to today), yet just a few years ago the FBI wanted
> telephones companies to construct new networks to allow the FBI or other
> agencies to be able to tap the phones of a percentage of the population that
> is out of proportion to the actual criminal population both walking the
> streets and in jail.

While almost completely OT, the FBI statistics for the number of court-ordered,
legal wiretaps compared to the number of actual wiretaps give a dismal clue to
the fraction of Law Enforcement activity that is actually legal.

>
>
> Johnny Bravo wrote in message ...
> >On Tue, 1 Feb 2000 11:42:50 -0500, "Dorsey Bolliard"
> ><[EMAIL PROTECTED]> wrote:
> >
> >>My suspicion (admittedly without solid basis) is that the government
> >>probably has people working day and night on the problem, and undoubtedly
> >>has algorithms that CAN break encoded messages in finite time, but that
> the
> >>time involved is still sufficiently long so as to make the routine
> intrusion
> >>into every pgp message prohibitively costly.
> >
> >  Or more likely they can't, but they don't need to.  Is your home TEMPEST
> >shielded?  I seriously doubt it.  The government can park a van outside
> >your building and read everything on your screen, every keystroke you
> >make.  If they thought you were worth the effort, they would do so.
> >
> >  That is the bottom line, the vast majority of us aren't worth it.  The
> >government doesn't give a damn what is in my email, encrypted or
> >otherwise.
> >
> >  Best Wishes,
> >    Johnny Bravo
------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Basic Crypto Question 3
Date: Mon, 14 Feb 2000 04:38:05 GMT

Bruce Schneier wrote:
> First, understand that you can't mathematically prove anything more
> than: a cascade of block ciphers is as strong as the weakest block
> cipher in the cascade.

I don't think even that is provable in general.  Suppose you have
encryption schemes Ekp and Fkq s.t. E'kEkp is p for all k and F'kFkq
is q for all k.  (' denotes "inverse", used for deciphering.)  E and
F by themselves may be assumed to be sufficiently secure.  But EF
might not be secure at all.  For example, if E happens to be F' and
the same key is used for E and F, (EF)kp is just p, no protection at
all.  Even if different keys were used, there are some combinations
of E, F, k(E), and k(F) that have the same problem.  To prove the
property you suggested, one would need to rule out such interactions.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Mon, 14 Feb 2000 04:45:29 GMT

tiwolf wrote:
> Does anyone here really think that any cryto program self made or
> commercial is not broken already or can't be broken given a little
> effort by the NSA geeks.

There are some encryption algorithms that have withstood the best
efforts.  This is certainly true of those chosen for our own secure
communications.  Cryptosystems, and more generally cryptonets as a
whole, can and often do have vulnerabilities other than algorithmic.
For example, the key might be easily stolen.  Software run in an
unprotected environment (e.g. Windows on a network) is especially
at risk.

------------------------------

Date: Mon, 14 Feb 2000 00:11:44 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law

"vrml3d.com" wrote:

> >
> > could imprison users of encryption technology for forgetting or losing
> >
> > their keys.
>
> Ummm... does that mean it would be illegal to possess a file full of random
> numbers?  Such a file would be indistinguishable from an encrypted file, and
> when asked to produce the "key" you would invariably come up short.  Oh no!
> The radio is making static again!  quick, throw it out the window. :)
>
> --Steve

You may also want to trim off the low-end bits of all of your wav files.  If
they are all zero it will be hard to claim that you stored information in them.
------------------------------

Date: Mon, 14 Feb 2000 00:26:24 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Somebody is jamming my communications -- this has been happening at 

Paul Koning wrote:

> "Douglas A. Gwyn" wrote:
> >
> > "-=HaVoC=--" wrote:
> > > "Markku J. Saarelainen" wrote:
> > > > I suppose the CIA / NSA has initiated the information operation ...
> > > Yeah, sounds like they are on to you pretty bad. I would suggest ...
> > > Also, if your house faces a street, you may wanna put foil over
> > > the windows and open a small hole for surveillance.
> >
> > And when he goes outdoors, he should wear a tinfoil hat to block
> > the CIA's mind control beams...
>
> Why?  How could you tell the difference?
>
>         paul

If he suddenly starts making sense we'll know They got to him.
------------------------------

From: "M. Hackett" <[EMAIL PROTECTED]>
Subject: Fractal Cryptography
Date: Sun, 13 Feb 2000 21:11:31 -0800


I am looking for more information on Fractal Cryptography.

MP
------------------------------

Reply-To: "Clockwork" <[EMAIL PROTECTED]>
From: "Clockwork" <[EMAIL PROTECTED]>
Subject: Large Floating Point Library?
Date: Mon, 14 Feb 2000 05:32:31 GMT

There are numerous large integer libraries, but does anyone know of a large
floating point library?
------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Mon, 14 Feb 2000 01:16:42 +0000

On Sun, 13 Feb 2000 13:46:34 -0800, "tiwolf" <[EMAIL PROTECTED]> wrote:

>You are assuming that they would be using current disks as a medium for
>storage, 

  Ok, for the sake of argument I'll pretend that the NSA has a
sooper-seekrit storage medium, so compact that they can fit 512 bits of
information onto a single atom.  There are not enough atoms in the
Universe to store all the 512 bit PGP keys.  When you are talking about
the 4096 bit keys you would run out of room even if you managed to fit
4096 bits of info onto the smallest known sub-atomic particles.

>or that they would even need the whole lot of keys in the first
>place.

  Without the keys, how can they look up your key?  That is what this thread
is about.

  Johnny Bravo

------------------------------

From: Michael Sierchio <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: Sun, 13 Feb 2000 22:19:32 -0800

"Trevor Jackson, III" wrote:

> You may also want to trim off the low-end bits of all of your wav files.  If
> they are all zero it will be hard to claim that you stored information in them.

Ack!  You have revealed my secret!  Back to the steganographic drawing
board.

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: RFC: Reconstruction of XORd data
Date: Sun, 13 Feb 2000 23:21:57 -0700

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> I only like to add that it is desirable that the number of rounds be 
> variable, i.e. user choosable instead of being fixed in implementations.

Sounds like a fine idea to me, though I think I'd set the low end of 
the range of adjustment to at least a point that I thought stood a 
chance of diffusion having reached the entire output -- e.g. 3 rounds 
in the case of your addition function (assuming there aren't other 
things in the round that also help diffusion).

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.
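
An added check for the "enough rounds for diffusion to reach the entire output" floor discussed above (written for this digest, not the poster's code): it flips each input bit of a constructed 32-bit add/rotate/xor round, records which output bits ever change over random inputs, and reports the first round count at which every output bit depends on every input bit. The round function and round keys are hypothetical stand-ins for the thread's addition-based round.

```python
"""Empirical dependency test: the lowest round count at which every output bit has
been observed to depend on every input bit, i.e. the floor below which a
'user-selectable number of rounds' option should not be allowed to go."""
import random

MASK32 = 0xFFFFFFFF
BITS = 32


def rotl32(x, r):
    return ((x << r) | (x >> (BITS - r))) & MASK32


def round_fn(x, k):
    """Hypothetical round (constructed here, not the thread's): modular addition
    moves a change upward only, via carries; the rotations and the xor with a
    rotated copy are what spread it around the whole word."""
    x = (x + k) & MASK32
    x ^= rotl32(x, 13)
    return rotl32(x, 7)


def encrypt_rounds(x, rounds):
    for i in range(rounds):
        x = round_fn(x, (0x9E3779B9 * (i + 1)) & MASK32)   # constructed round keys
    return x


def dependency_matrix(rounds, samples, seed=0):
    """dep[i][j] is True if flipping input bit i was ever seen to change output bit j."""
    rng = random.Random(seed)
    dep = [[False] * BITS for _ in range(BITS)]
    for _ in range(samples):
        x = rng.getrandbits(BITS)
        base = encrypt_rounds(x, rounds)
        for i in range(BITS):
            diff = base ^ encrypt_rounds(x ^ (1 << i), rounds)
            for j in range(BITS):
                if (diff >> j) & 1:
                    dep[i][j] = True
    return dep


def dependency_fraction(rounds, samples=64):
    """Fraction of (input bit, output bit) pairs with an observed dependency; 1.0
    means diffusion has reached the entire output for every input bit."""
    dep = dependency_matrix(rounds, samples)
    return sum(map(sum, dep)) / (BITS * BITS)


def min_rounds_for_full_diffusion(max_rounds=12, samples=64):
    """First round count with full observed diffusion, or None if never reached."""
    for r in range(1, max_rounds + 1):
        if dependency_fraction(r, samples) == 1.0:
            return r
    return None
```

A single-bit flip after one round can only reach a handful of positions, so the function always returns more than 1 for this round; a real design would add a safety margin on top of the measured floor.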

------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Mon, 14 Feb 2000 01:18:52 +0000

On Sun, 13 Feb 2000 13:41:11 -0800, "tiwolf" <[EMAIL PROTECTED]> wrote:

>Considering the money spent by groups like the NSA, CIA, DIA, and others on
>tech, software, and humans i think that the government is more than willing
>to break codes to read all email regardless if it is about my grocery list
>that I am emailing to my wife. You are all assuming that the government does
>not really care what is in the majority of email as opposed the government
>wanting the capability or the ability to read all email regardless of what
>is in it.

  And you are assuming that the government has unlimited energy, computing
resources, manpower and is not bound by the laws of physics or
mathematics.  In short you are claiming that the government is God.  Prove
it.

  Johnny Bravo


------------------------------

From: "Lyal Collins" <[EMAIL PROTECTED]>
Subject: Re: Guaranteed Public Key Exchanges
Date: Mon, 14 Feb 2000 17:23:41 +1100

Header examination may not always work - for instance archived posts at
dejanews.com have little original header info left.
lyal

Ralph Hilton wrote in message ...
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Sun, 13 Feb 2000 22:54:09 +0100, Mok-Kong Shen
><[EMAIL PROTECTED]> wrote:
>
>>Ralph Hilton wrote:
>>>
>>> <[EMAIL PROTECTED]> wrote:
>>>
>>> >Ralph Hilton wrote:
>>> >>
>>> >
>>> >> Alice and Bob wish to establish a key, All communications are
>>> >> monitored by Charlie. The communications would have to appear in
>>> >> public though to avoid unobserved modification. But the fact of the
>>> >> key exchange being public is irrelevant.
>>> >
>>> >I guess that all the trouble centers practically around how to
>>> >guarantee (absolutely) that there is no 'unobserved modification'.
>>
>>> A posting to a public newsgroup should handle that as either party
>>> would see the modification.
>>
>>I am not quite sure of that. If you see, say, 10 different posts
>>each claiming 'My name is A, my key is .....', how do you know which
>>key A really has?
>
>It seems you might have some very dedicated enemies!
>
>Presumably one could eliminate most through examination of headers.
>
>An answer to that question really entails knowing more details. What
>degree of mutual information one has about the other party, are there
>mutually trusted acquaintances and so on.
>
>I would find it hard to think of an actual real life situation where a
>combination of DH exchanges, use of key servers etc. would be
>insufficient.
>
------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Basic Crypto Question 3
Date: 13 Feb 2000 22:28:15 -0800

In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Bruce Schneier wrote:
> > First, understand that you can't mathematically prove anything more
> > than: a cascade of block ciphers is as strong as the weakest block
> > cipher in the cascade.
> 
> I don't think even that is provable in general.
>   [.. counter-example: DES encrypt + DES decrypt, with same keys ..]

Well, you need to use independent keys if you are to have any hope
of robustness [1].

When this proviso is followed, then I believe it is true that one
may prove that a cascade of block ciphers is as strong as the weakest
cipher in the cascade.

The classic reference on this topic is
    ``Cascade Ciphers: The Importance of Being First''
      in J. Cryptology vol. 6 1993 pp. 55--61.
It shows how to prove what I said above (actually, that's pretty
easy), and more importantly, shows surprising limits on what is
provable (namely, one can show that the security of the cascade is
as strong as the first cipher, but there are examples where the
cascade is not as strong as the second cipher, thus the title).



[1] Ok, ok, you can get away with keys generated from a secure
    pseudorandom generator, i.e., where the key distribution is
    indistinguishable from the independent case.  This observation
    is due to Lars Knudsen, from his TEMK work.
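
A constructed illustration of the cascade points raised in Gwyn's post above and in this reply (added here; not code from either poster): a toy Feistel cipher E and its inverse E' under one key collapse to the identity, an E whose key enters only by XOR collapses to a fixed mask even with two different keys, and the Feistel cipher with independent keys shows neither problem. Both ciphers, the keys and the plaintexts are hypothetical values made up for this example.

```python
"""Cascade interactions from the Gwyn/Wagner exchange, as a constructed example:
(1) E followed by E-inverse under one key collapses to the identity;
(2) with two different keys, an E whose key enters only via XOR still collapses
    to a fixed mask that one known plaintext reveals;
(3) a Feistel E with independent keys shows no such collapse.
Both ciphers are hypothetical toys written for this illustration."""
import hashlib

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def _f(k, rnd, x):
    """Feistel round function: 32 bits of SHA-256 over (key, round index, half-block)."""
    d = hashlib.sha256(k.to_bytes(8, "big") + bytes([rnd]) + x.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")


def feistel_enc(k, p, rounds=4):
    l, r = p >> 32, p & MASK32
    for i in range(rounds):
        l, r = r, l ^ _f(k, i, r)
    return (l << 32) | r


def feistel_dec(k, c, rounds=4):
    l, r = c >> 32, c & MASK32
    for i in reversed(range(rounds)):
        l, r = r ^ _f(k, i, l), l
    return (l << 32) | r


def xor_enc(k, p):
    """Structurally weak E: the key enters only by XOR, so E is its own inverse."""
    return (p ^ k) & MASK64


def cascade(enc1, k1, enc2, k2, p):
    """(EF)k p in Gwyn's notation: apply enc1 under k1, then enc2 under k2."""
    return enc2(k2, enc1(k1, p))


def mask_attack(known_p, known_c, target_c):
    """Breaks any cascade that reduces to a fixed XOR mask: recover the mask from one
    known plaintext/ciphertext pair and strip it from another ciphertext."""
    return target_c ^ (known_p ^ known_c)


def demo():
    p1, p2 = 0x0123456789ABCDEF, 0xFEDCBA9876543210          # constructed plaintexts
    k, k1, k2 = 0xDEADBEEFCAFEF00D, 0x1111111111111111, 0x2222222222222222
    # (1) same key, second cipher is the inverse of the first: no protection at all
    same_key_identity = cascade(feistel_enc, k, feistel_dec, k, p1) == p1
    # (2) different keys, but XOR-structured E and E': output is p ^ (k1 ^ k2)
    c1 = cascade(xor_enc, k1, xor_enc, k2, p1)
    c2 = cascade(xor_enc, k1, xor_enc, k2, p2)
    xor_cascade_broken = mask_attack(p1, c1, c2) == p2
    # (3) Feistel with independent keys: the mask attack recovers nothing
    d1 = cascade(feistel_enc, k1, feistel_dec, k2, p1)
    d2 = cascade(feistel_enc, k1, feistel_dec, k2, p2)
    feistel_cascade_resists = d1 != p1 and mask_attack(p1, d1, d2) != p2
    return same_key_identity, xor_cascade_broken, feistel_cascade_resists
```

Case (2) is the kind of E/F/key interaction Gwyn says a general proof must rule out; the independent-key proviso in this reply handles case (1) but not an algebraic collapse like (2).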

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: I'm returning the Dr Dobbs CDROM
Date: Sun, 13 Feb 2000 23:51:03 -0600

In article <[EMAIL PROTECTED]>, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:

> Have you considered running the PDF images through an OCR filter?  You
> might squeeze out most of the file at a cost of a few recognition errors.

Supposedly, the source would have a view on cleaning up their product.
It would seem more in their interests to do so than for an individual to do
so on the sly.

I do remember some discussion about errors in the product earlier.  I
assume that this was not about a picture form that is difficult to read in
itself in the current product that is being described.  

The effort is applauded to get crypto material out, but there are no
ribbons for not doing it as well as is possible.  Hopefully, that will
come.
-- 
If Al Gore wants to be inventor of the internet, complain that he 
did a lousy job.  If he admits to not doing much, complain that he 
is a slacker. Now, do we want him in charge of security?

------------------------------
** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
