Cryptography-Digest Digest #194, Volume #11 Thu, 24 Feb 00 18:13:01 EST
Contents:
Re: Passwords secure against dictionary attacks? (JimD)
Re: Passwords secure against dictionary attacks? (JimD)
Re: Report Details Vast SPY Network (JimD)
Re: John McCain Encrypt? (Thunder Dan)
British Plans (with a subject header this time) (Barry Charters)
Re: Passwords secure against dictionary attacks? (David Hopwood)
Re: US secret agents work at Microsoft claims French intelligence report (David
Hopwood)
FIRST TIME! ("Jean Pierre")
Re: Mixmasters encrypt how? (Azerty)
Re: FIRST TIME! (Daniel Hartmeier)
Re: DES algorithm ("Douglas A. Gwyn")
Re: Processor speeds. (Mok-Kong Shen)
Re: FIRST TIME! (Mok-Kong Shen)
Re: FIRST TIME! (Arthur Dardia)
Re: Compression in the Real World ("Douglas A. Gwyn")
Re: Report Details Vast SPY Network ("Douglas A. Gwyn")
Re: Assistance needed (Nemo psj)
- US "allows" encryption program online ("- Prof. Jonez�")
Re: Compression in the Real World (Paul Koning)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (JimD)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Reply-To: JimD
Date: Thu, 24 Feb 2000 19:45:36 GMT
On 24 Feb 2000 07:22:38 GMT, [EMAIL PROTECTED] (Jens Haug) wrote:
>In article <891bds$8pp$[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
>> QWERTY offsets are not very secure. A typcial dictionary
>> attack interation would go: 1) Dictionary, 2) Reverse Dictionary, 3)
>> QWERTY Offset Dictionary, 4) Alpha offset Dictionary,
>>
>> If bullwinkle is in my dictionary, interation number 3 would get you.
>>
>> I used to use QWERTY offsets. Not any more.
>>
>> As to the original posting on concatenating dictionary words. That too
>> can be weak. However, since the concatenation permutations far exceed
>> the QWERTY offset, I would dare say that concatenation is more secure
>> than QWERTY.
>
>We try to crack our users' passwords every now an then. Once the
>cracker program found out one consisting of two greek words which
>make no sense together. :-0
>Don't use *any* word in *any* language!
How about ten English words with different punctuation symbols
as word separators?
--
Jim Dunnett.
dynastic at cwcom.net
dynastic at cwcom.net
------------------------------
From: [EMAIL PROTECTED] (JimD)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Reply-To: JimD
Date: Thu, 24 Feb 2000 19:45:37 GMT
On Thu, 24 Feb 2000 10:23:30 GMT, [EMAIL PROTECTED] wrote:
>Another (more difficult to describe) method I use is to look at a
>labelled object that you can always return to (if you forget the
>password). An example on my desk is for instance my telephone, which
>also has labeled function keys or perhaps a calender, or a poster or a
>phone list or...... use your imagination. Extract words from the source
>using a diagonal or vertical line... For example, down the left hand
>side keys of my phone I have
Then you upgrade your phone for a completely different one.....?
--
Jim Dunnett.
dynastic at cwcom.net
dynastic at cwcom.net
------------------------------
From: [EMAIL PROTECTED] (JimD)
Subject: Re: Report Details Vast SPY Network
Reply-To: JimD
Date: Thu, 24 Feb 2000 19:45:41 GMT
On Wed, 23 Feb 2000 18:34:11 GMT, [EMAIL PROTECTED] (Dave Hazelwood)
wrote:
>The plot thickens!
>
>BRUSSELS, Belgium (AP) - A U.S.-led communications monitoring network
>is intercepting "billions of messages per hour" including telephone
>calls, fax transmissions and private e-mails
Wonder where they are storing all this crap they're supposed to
be intercepting?
>"We are not talking about a trivial thing here ... we cannot stop
>them, they will continue," said Ducan Campbell, author of
>the special parliament-commissioned report on the Echelon spy-network.
Not _THE_ Duncan Campbell?
>Campbell said he did not know whether the U.S. corporations were
>benefitting from the information gathering but
For what other purpose would they collect commercially sensitive
information?
--
Jim Dunnett.
dynastic at cwcom.net
dynastic at cwcom.net
------------------------------
From: Thunder Dan <[EMAIL PROTECTED]>
Subject: Re: John McCain Encrypt?
Date: Thu, 24 Feb 2000 19:49:06 GMT
Somebody named ChenNelson posted the following manifesto...
> No one really knows what this "Hipcrime" character is. What is known
> is that Hipcrime periodically floods groups he/she/it doesn't like
> with garbage such as that posted. At least no one has been able to
> determine a message, if there is any. The news.admin.net-abuse.*
> groups are the most common Hipcrime target. All in vain, of course,
> and this character simply loses the throwaway accounts used for the
> abuse.
hmmm...it looks pretty close to some sort of code
there are some anomalies (words like "iic" and "ss")
do you know of any program or algorithm to help solve a simple letter-
for-letter substitution code?
--
Get money for using the web. No download required.
Just go to:
http://secure.clickdough.com/servlets/cr/CRSignup.po?referral_id=tdan.
------------------------------
From: [EMAIL PROTECTED] (Barry Charters)
Subject: British Plans (with a subject header this time)
Date: Thu, 24 Feb 2000 19:53:45 GMT
Can anybody give me some good links to find out the British
Governments position on encryption usage e.g. key escrow etc.
Email Rot2 a=y b=z c=a
PGP Public Key 0x2DFD3528
Finger Print AA58 54F7 E1B6 9343 2433 16A0 8170 52D5 2DFD 3528
------------------------------
Date: Thu, 24 Feb 2000 03:34:01 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
=====BEGIN PGP SIGNED MESSAGE=====
Ilya wrote:
> Is it secure to take two words and join them together, such as:
>
> crypto/life cyber@machine green-dog Loud!Music
A phrase generated at random in the same way as
"crypto/life cyber@machine green-dog Loud!Music", would probably be a
secure passphrase. Just two words of it (such as "crypto/life") would
almost certainly not be.
As an example, "crypto", "life", "green", "dog", "loud", and "music"
all appear in a 7854-entry wordlist I sometimes use, and "/" is one of
about 10 or so characters likely to be used as the separator. So a
*rough* estimate of the maximum entropy of, say, "crypto/life" against
an attacker who knows (or can guess) the basic scheme, is about
log2(7854 * 7854 * 10) = 29.2 bits.
This will easily fall to a dictionary attack.
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEVAwUBOLSmajkCAxeYt5gVAQEOyQf/QpM6UWBB7h1fZgux1dwhRqZAAO29WW73
+InVFKMYIO+6d46jgbhddv3YiLhvmnJo6ZE7/14IChT0DlM7tocVMiTuSwvOgXMA
iNlwYNgaGYMwYAgk8VmhFnprdddO0rCbifCc81RLmSdTB0mwkyZIjSDe1HxKr0D+
6/NIsSVv7/zX/T2gqgBbOVRiHo4NYyjt7cP40K1H608m5GFdT7t/dIaYV0AUg9my
VhXCVislVCN+Z10HfC+FkrARsCA3vbwvZTCOWomkowLpl7RyS80jnanmvPdOswEF
LbcXaf0qnle/J/wDrTGMvrME5/QboQPrmikOwVdox4VOLYnW2+hiHw==
=PYEu
=====END PGP SIGNATURE=====
------------------------------
Date: Thu, 24 Feb 2000 03:46:57 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: US secret agents work at Microsoft claims French intelligence report
=====BEGIN PGP SIGNED MESSAGE=====
Dave Hazelwood wrote:
> According to the report, "it would seem that the creation of Microsoft
> was largely supported, not least financially, by the NSA, and that IBM
> was made to accept the (Microsoft) MS-DOS operating system by the same
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> administration".
So the NSA really are the bad guys :-)
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEVAwUBOLSpiDkCAxeYt5gVAQG8wAf+OFb3uxGtyx6ziqR3Wbv4t6tny1vP8GNL
W+vQigp20ZdC+hWSJW7MSZO3IkgMO9pcsMtuonD+qdFPDyO5ex9QMlrY0j2Bk8he
B8QkQ5iVXo6E0ERk9qDuXga94ohdwL2WnQFmtNz1bnCPQJUbP8Kv4d0LQjpy72Gp
wCyafm0wIpLIpY638nLGad2N1ylPV9HAVKMaMpo5pdUw9RamJxXDs7qVWq7Gh8m+
nzZEtWlkH18Kx7WjaAmHLduKaAYvZNPmt0ZKHeRI5khNGw6tXvF9UoMysUY+zS3L
1gZ72vVv79Qa0EBUrn9by2Hex69vNkt0RdTRyrhREkZH3QDVt7LjFw==
=4eGe
=====END PGP SIGNATURE=====
------------------------------
From: "Jean Pierre" <[EMAIL PROTECTED]>
Subject: FIRST TIME!
Date: Fri, 25 Feb 2000 08:29:51 +1100
Reply-To: "Jean Pierre" <[EMAIL PROTECTED]>
This is my first time here.
Could someone give me the simplest way to create a simple code to encrypt a
simple message for a communication to be delivered after my death.
I thought about something like one those card perforated with holes in
certain places on a square card andthat one can fill in with a short
message, and turn the card around to continue.
At the end, fill the empties with any characters.
I saw this done when I was a kid, but I am not quite sure how to go about
it.
Any suggestions? :-)
Thanks in anticipation
JP.-
------------------------------
From: Azerty <[EMAIL PROTECTED]>
Date: 24 Feb 2000 21:39:23 -0000
Subject: Re: Mixmasters encrypt how?
> I'm interested in the encryption methods used by anonymous remailers.
> Can someone point me to some documentation on the algorithms,
> particularly the one used by type 2 (Mixmaster)? My basic understanding
> is that type 1 remailers use PGP's method (i.e., CAST, IDEA, or 3DES
> for the message, with the session key encrypted by a public key--an
> Elgamal, or DH/DSS, public key in this case). I see that Mixmaster
> remailers use RSA keys, but they appear to have a special key format.
> I'll browse the sources, but I'd like a more detailed algorithm
> description first. I imagine one of the sci.crypt regulars knows.
A better place to ask this question would be alt.privacy.anon-server, and
also on the list remailer-operators mailing list - if anyone knows they'll
know.
------------------------------
From: [EMAIL PROTECTED] (Daniel Hartmeier)
Subject: Re: FIRST TIME!
Date: 24 Feb 2000 21:36:57 GMT
On Fri, 25 Feb 2000 08:29:51 +1100, Jean Pierre wrote:
>Could someone give me the simplest way to create a simple code to encrypt a
>simple message for a communication to be delivered after my death.
>I thought about something like one those card perforated with holes in
>certain places on a square card andthat one can fill in with a short
>message, and turn the card around to continue.
>At the end, fill the empties with any characters.
I'm not sure I understand how 'your death' is involved in this.
Do you mean that you want to encrypt a message, publish the
cyphertext, and keep the key disclosed until after your
death?
And you seek a method that is simple to decrypt (given the
key, of course)? How do you define simple? A method that
can be executed by a human manually, without the help of
a computer?
But I don't see why you couldn't just keep the plaintext
under disclosure, under such circumstances.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: DES algorithm
Date: Thu, 24 Feb 2000 21:52:25 GMT
Nemo psj wrote:
> I just grabed that book fomr my book store and started reading it. I havnt
> gotten past the first couple of pages is it any good?
> >There is also a review by Jim Reeds of Singh's "The Code Book"
As Jim observes in his review, Singh made numerous errors of fact.
So long as you keep that in mind and don't trust it as a reference
work, it makes good reading.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Processor speeds.
Date: Thu, 24 Feb 2000 23:05:14 +0100
John E. Kuslich wrote:
>
> This seems fantastic!!
>
> But how does one interconnect these systems and how does one get specific
> software to play on these systems?
>
> Are there assemblers or compilers available to the general public.
I also like to know the answers. But I believe there are no prolbems
of hardware interconnections, the processors are already performing
the tasks of games. PVM, at most with some slight adaptations, should
be able to give mechanisms to perform distributed computing with them.
As compiler generation is nowadays a well understood field of CS,
it shouldn't be a stumbling stone for such a project. Perhaps one
could in the first phase use an interpreter, accepting the trade-off
of less efficiency.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: FIRST TIME!
Date: Thu, 24 Feb 2000 23:12:00 +0100
Jean Pierre wrote:
>
> Could someone give me the simplest way to create a simple code to encrypt a
> simple message for a communication to be delivered after my death.
> I thought about something like one those card perforated with holes in
> certain places on a square card andthat one can fill in with a short
> message, and turn the card around to continue.
> At the end, fill the empties with any characters.
>
> I saw this done when I was a kid, but I am not quite sure how to go about
> it.
The square card you mentioned is called a turning grille. It is
treated in old litteratures on cryptology. Sorry that I am not
answering to the remaining part of your post.
M. K. Shen
------------------------------
From: Arthur Dardia <[EMAIL PROTECTED]>
Subject: Re: FIRST TIME!
Date: Thu, 24 Feb 2000 16:47:12 -0500
Jean Pierre wrote:
> This is my first time here.
>
> Could someone give me the simplest way to create a simple code to encrypt a
> simple message for a communication to be delivered after my death.
> I thought about something like one those card perforated with holes in
> certain places on a square card andthat one can fill in with a short
> message, and turn the card around to continue.
> At the end, fill the empties with any characters.
>
> I saw this done when I was a kid, but I am not quite sure how to go about
> it.
> Any suggestions? :-)
>
> Thanks in anticipation
>
> JP.-
Watch Con Air. He does it by cutting out the eyes of the people attending the
last supper; however, it would be a pain in the ass to write the message so the
appropriate letter is in the right spot for each eyehole. Oh well, I guess I'm
just lazy.
I'd be interested in a program that did this too.
--
Arthur Dardia Wayne Hills High School [EMAIL PROTECTED]
PGP 6.5.1 Public Key http://www.webspan.net/~ahdiii/ahdiii.asc
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Compression in the Real World
Date: Thu, 24 Feb 2000 22:16:53 GMT
John Savard wrote:
> On Wed, 23 Feb 2000 19:39:39 GMT, [EMAIL PROTECTED] wrote, in part:
> >he claimed he had a text compression system
> >with a 100:1 compression ratio...and he was an expert in the field..
> It is unlikely that a text compression system could do better than
> 8:1, as Shannon used techniques to estimate the _actual_ entropy of
> English text ...
Yes, if one wants to compress samples from a source about which
nothing is known except that it generates English language text,
then one needs about 1 bit per letter. However, if the source
is known to consist of a particular finite set of possible
messages, then one needs at most the ceiling of the logarithm
(base 2) of the number of possible messages. If the messages
aren't all equally probable, then fewer bits are needs to
encode a sample drawn from that population. If context is also
taken into account, sometimes it takes remarkably little
information to encode a message: one if by land, two if by sea.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Report Details Vast SPY Network
Date: Thu, 24 Feb 2000 22:22:21 GMT
JimD wrote:
> Wonder where they are storing all this crap they're supposed to
> be intercepting?
We just pump it back into the Internet, in circularly forwarded
packets with infinite TTL.
For some reason this reminds me of the garbage disposal in "Bill,
the Galactic Hero".
------------------------------
From: [EMAIL PROTECTED] (Nemo psj)
Subject: Re: Assistance needed
Date: 24 Feb 2000 22:52:54 GMT
Ok i'll explain the algy i have come up with.
Oh and i'm still looking for some source to a proven secure encryption scheme
to help in making mine much better than what it is write now and solve my
pattern problem.
www.puregold.cjb.net
goto the "Method" link on the menu bar and at the bottom of that page should be
a link to the explaination.
------------------------------
From: "- Prof. Jonez�" <[EMAIL PROTECTED]>
Crossposted-To: alt.sources.crypto,talk.politics.crypto,us.legal
Subject: - US "allows" encryption program online
Date: Thu, 24 Feb 2000 16:07:10 -0600
Professor allowed to post encryption program online
By Reuters
February 24, 2000, 11:00 a.m. PT
WASHINGTON--The United States will let a computer scientist put instructions for
writing a
powerful computer data-scrambling program on his Web site, but his high-profile lawsuit
challenging U.S. export restrictions on encryption may continue, his lawyer said today.
President Clinton in January dramatically liberalized once-strict U.S. export limits on
encryption programs, which scramble information and render it unreadable without a
password or software "key." The changes recognized that encryption, used in everything
from Web browsing software to cellular telephones, has become essential for securing
e-commerce and global communications.
The move also followed a May 6 decision by a three-judge panel of the U.S. Ninth
Circuit
Court of Appeals that the old rules barring University of Illinois professor Daniel
Bernstein from posting instructions for his "Snuffle" program on the Internet were an
unconstitutional violation of the scientist's freedom of speech.
But in January, the full court asked the panel to reconsider the ruling in light of
the
new Clinton policy.
In a private advisory letter sent last week, the Commerce Department confirmed that the
new encryption export policy permitted Bernstein to post instructions, called source
code,
for his program on the Internet for all to see. Any other computer programmer could
easily
compile the source code into a functioning program.
"In light of the changes in licensing and review requirements for publicly available
source code, the new regulations do not interfere with his planned activities as you
have
described them," the Commerce Department letter said in response to a letter from
Bernstein's lawyer.
Under the old rules, Bernstein had to obtain an export license for each person who
wanted
to view his Web site from outside the United States--an impossible task given the Net's
global reach. But the new rules allow anyone to post encryption source code on the
Internet as long as they also send a copy to the government and do not charge royalties
for use of the code.
"We are still considering our options," said Cindy Cohn, Bernstein's lawyer. Cohn said
the
Commerce Department letter failed to clear up some questions about the new rules.
The department did make it clear that a Web site that merely picked up code posted by
someone else, a practice known as mirroring, would not be held responsible for
following
the export rules. And Bernstein or others would not have to notify the government again
each time they posted bug fixes or updates.
Bernstein's lawsuit came about because under the old rules, a book containing computer
source code could be shipped out of the United States without restriction, but the same
source code posted on the Internet or put on a floppy disk could not be "exported"
without
a license.
--
=======================================
Free Directory Assistance - NumberFinder.com
Free Email Address - Alias.org
Free Trademark Searches - TrademarkSearch.org
Free Multi-Auction Searches - AuctionFeed.com
5� Phone Calls to Australia - SuperPhone.net
=======================================
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Compression in the Real World
Date: Thu, 24 Feb 2000 17:29:26 -0500
[EMAIL PROTECTED] wrote:
> ...
> Sometimes you need real compressors. ...
> Working with large documents, 100-500 pages requires real compressors.
>
> I remember meeting the CEO of an Imaging company in San Jose way back in
> the 80�s (forgot the name of the co. Viacom?...I think it merged with
> I2S, Int. Imaging Systems), he claimed he had a text compression system
> with a 100:1 compression ratio...and he was an expert in the field..
That was probably the ratio you get compressing a fax image of a text
page. You cannot possibly get such a number compressing an ASCII text
data file.
> It seems that no real discusion has taken place of encypting large text
> files .
I wonder where you got that idea. People routinely compress very large
files. A Linux kernel tarball is 10 MB compressed. Tape backups are
compressed by compression hardware in the tape drive.
> Emails and small messages are a piece of cake. If you are an
> insurance company or a pharmaceutical company, and you have to transmit
> 1000�s of pages then real compression is a must.
I wonder what you mean when you say "real compression". How would
it differ from what we have today?
paul
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
