Cryptography-Digest Digest #203, Volume #11 Sat, 26 Feb 00 03:13:00 EST
Contents:
Re: - US "allows" encryption program online ("John Galt")
Opinions on TEA (Tiny Encryption Algorithm) (Erann Gat)
Re: US secret agents work at Microsoft claims French intelligence report (Greg)
Re: Opinions on TEA (Tiny Encryption Algorithm) (Paul Rubin)
RDTSC instruction on Pentiums for RNGs (Greg)
Re: Enigma ("Yoshitaka Ikeda")
XDH is insecure (David Hopwood)
Re: RDTSC instruction on Pentiums for RNGs (Paul Rubin)
Re: UK publishes 'impossible' decryption law (Eric Smith)
Re: - US "allows" encryption program online ([EMAIL PROTECTED])
Re: Are "self-shredding" files possible? ("Douglas A. Gwyn")
ECHELON BOMBSHELL: NSA ACCUSED OF SPYING ON US POLITICIANS (Dave Hazelwood)
Re: Opinions on TEA (Tiny Encryption Algorithm) ("Douglas A. Gwyn")
Re: Opinions on TEA (Tiny Encryption Algorithm) (Paul Rubin)
Re: Opinions on TEA (Tiny Encryption Algorithm) (David A. Wagner)
Re: Passwords secure against dictionary attacks? (Lincoln Yeoh)
----------------------------------------------------------------------------
From: "John Galt" <[EMAIL PROTECTED]>
Crossposted-To: alt.sources.crypto,talk.politics.crypto,us.legal
Subject: Re: - US "allows" encryption program online
Date: Sat, 26 Feb 2000 01:39:08 GMT
"Professor allowed to post encryption program online"
I have been watching the responses to this post. It is incredibly sad that
so many people consider themselves as "subjects" instead of "citizens", in
that they do not appear to be the least bit angry that any government would
be so paternal and condescending as to "allow" them to post an encryption
program. It is no wonder that people are not free, they don't deserve to be.
"... But whether the Constitution really be one thing, or another, this much
is certain -- that it has either authorized such a government as we have
had, or has been powerless to prevent it. In either case, it is unfit to
exist."
From the Appendix, "NO Treason" by Lysander Spooner
"America is at that awkward stage. It's too late to work within the system,
but too early to shoot the bastards. On the road to tyranny, we've gone so
far that polite political action is about as useless as a miniskirt in a
convent."
- Claire Wolfe, _101 Things To Do 'Til The Revolution_
------------------------------
From: [EMAIL PROTECTED] (Erann Gat)
Subject: Opinions on TEA (Tiny Encryption Algorithm)
Date: Fri, 25 Feb 2000 17:41:26 -0800
I stumbled over the Tiny Encryption Algorithm on the Net today:
http://vader.brad.ac.uk/tea/tea.shtml
As its name implies, it's really tiny: about six lines of C code, a
simple 128-bit key and a 64-bit block size. The web site makes it
sound pretty cool. Is it as cool as it sounds? Are there any known
weaknesses in TEA? Is there any reason not to use it as a substitute
for a more complex algorithm like Blowfish?
Thanks,
Erann Gat
[EMAIL PROTECTED]
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: US secret agents work at Microsoft claims French intelligence report
Date: Sat, 26 Feb 2000 01:48:13 GMT
I would not doubt for one moment that the French or Israelis have
spies working in Microsoft for the purpose of knowing how to exploit
communications from Windows boxes.
--
There is only one gun law on the books- the second amendment.
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Opinions on TEA (Tiny Encryption Algorithm)
Date: 26 Feb 2000 02:05:24 GMT
In article <[EMAIL PROTECTED]>,
Erann Gat <[EMAIL PROTECTED]> wrote:
>
>I stumbled over the Tiny Encryption Algorithm on the Net today:
>
>http://vader.brad.ac.uk/tea/tea.shtml
>
>As its name implies, it's really tiny: about six lines of C code, a
>simple 128-bit key and a 64-bit block size. The web site makes it
>sound pretty cool. Is it as cool as it sounds? Are there any known
>weaknesses in TEA? Is there any reason not to use it as a substitute
>for a more complex algorithm like Blowfish?
It's cute. There are some related-key attacks, but it otherwise
hasn't gotten much cryptanalysis that I know of. It's certainly
slower than Blowfish for anywhere near comparable security, because
it needs so many rounds. I wouldn't bet big on its security even with
64 rounds, but as you've noticed, it's very compact and easy to implement.
I'd say it's worth keeping in mind for low to medium security applications.
For microcontroller use, it needs more RAM than Skipjack, though probably
less program space (no F table).
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: RDTSC instruction on Pentiums for RNGs
Date: Sat, 26 Feb 2000 01:57:59 GMT
It would appear to me that the RDTSC instruction on Pentium machines
can be used to generate 8 bits of random data at a time with no
significant deterministic way of knowing what bits would follow
next. (I assume only the least significant 8 bits are used.)
I would imagine that the bus speed, memory speed, off-board cache,
types of peripheral cards installed, etc., OS, other applications
and services, user input devices, all of these would interact with
the code execution path to make the RDTSC instruction nondeterministic
to any observer.
As always, any thoughts are appreciated...
------------------------------
From: "Yoshitaka Ikeda" <[EMAIL PROTECTED]>
Subject: Re: Enigma
Date: Sat, 26 Feb 2000 11:55:31 +0900
"Yugo Shimada" <[EMAIL PROTECTED]> wrote in message
news:893fal$odd$[EMAIL PROTECTED]...
> Hi,
>
> I am interested in the CAST-128 Encryption Algorithm.
> Although I ran through the RFC spec, I'd like to get
> the source code. Could someone point me to the
> C source of it?
I think you can get it in the source code of PGP or GnuPG.
If you live outside of the US,
you can get
ftp://pgp.iijlab.net/pub/pgp5/6.5 PGP
--
[EMAIL PROTECTED]
Yoshitaka Ikeda via YonbetsuNetzwerk
------------------------------
Date: Sat, 26 Feb 2000 00:26:31 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: XDH is insecure
A few weeks ago I proposed (in outline) a key agreement algorithm called
"XDH" (eXtended Diffie Hellman), as follows:
> [XDH uses an agreed value of] g^((xA + rA)(xB + rB)), rather than
> g^(xB.rA) + g^(xA.rB).
>
> This is more efficient than KEA, because
>
> g^((xA + rA)(xB + rB)) = (YB * RB)^(xA + rA)
> = (YA * RA)^(xB + rB)
>
> can be calculated by each side using only one modexp, not two.
Unfortunately, XDH is not secure against an impersonation attack
(the security proof I posted in another article was flawed, because an
impersonation attack is not equivalent to the XDHP problem described
in the proof).
The attack goes like this:
Alice has key pair (xA, YA = g^xA).
Bob has key pair (xB, YB = g^xB).
Mallory chooses a random exponent rM.
Mallory -> Bob: g^rM * YA^-1
Bob -> Mallory: g^rB
Bob checks that g^rM * YA^-1 has order q (it does).
Bob calculates the key as (g^rM * YA^-1 * YA)^(rB + xB) = g^(rM.(rB + xB))
Mallory calculates the key as (g^rB * YB)^rM = g^(rM.(rB + xB))
Signing the transmitted values would fix the immediate problem, but then
XDH would be less efficient than the Station-to-Station protocol, so
there is no point in using it in that form.
--
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
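The impersonation Hopwood walks through, carried out in code. This is an added example, not code from the post: the group parameters (p = 1019, q = 509, g = 4) are constructed toy values far too small for real use, and the honest run is included alongside so the two key computations can be compared.

```python
# Toy group (constructed): p = 2q + 1 with p, q prime, g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4

def public_key(x):
    """Static key pair as in the post: (x, Y = g^x mod p); returns Y."""
    return pow(G, x, P)

def has_order_q(h):
    """Bob's check on the value he receives from 'Alice'."""
    return h != 1 and pow(h, Q, P) == 1

def xdh_key(x_own, r_own, y_peer, r_peer):
    """XDH shared key as Hopwood describes it: (Y_peer * R_peer)^(x_own + r_own), one modexp."""
    return pow((y_peer * r_peer) % P, (x_own + r_own) % Q, P)

def honest_run(xA, rA, xB, rB):
    """Both parties follow the protocol; returns (Alice's key, Bob's key)."""
    YA, YB = public_key(xA), public_key(xB)
    RA, RB = pow(G, rA, P), pow(G, rB, P)
    return xdh_key(xA, rA, YB, RB), xdh_key(xB, rB, YA, RA)

def impersonation_run(xA, xB, rB, rM):
    """Mallory knows only Alice's public YA. She sends g^rM * YA^-1 in place of Alice's
    ephemeral value; the YA factor cancels inside Bob's computation. Returns (Bob's key, Mallory's key)."""
    YA, YB = public_key(xA), public_key(xB)
    ya_inv = pow(YA, P - 2, P)                    # modular inverse via Fermat (p prime)
    RA_forged = (pow(G, rM, P) * ya_inv) % P      # = g^(rM - xA), still in the order-q subgroup
    RB = pow(G, rB, P)
    if not has_order_q(RA_forged):                # Bob's check passes, exactly as the post says
        raise ValueError("forged value failed the order check")
    kB = xdh_key(xB, rB, YA, RA_forged)           # (YA * g^rM * YA^-1)^(xB + rB) = g^(rM (xB + rB))
    kM = pow((YB * RB) % P, rM, P)                # (YB * RB)^rM = g^(rM (xB + rB)), no xA needed
    return kB, kM
```

The test below confirms what the post states: honest parties agree, and Mallory reaches Bob's key without Alice's private xA.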
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: RDTSC instruction on Pentiums for RNGs
Date: 26 Feb 2000 03:05:36 GMT
In article <897bv5$l39$[EMAIL PROTECTED]>, Greg <[EMAIL PROTECTED]> wrote:
>It would appear to me that the RDTSC instruction on Pentium machines
>can be used to generate 8 bits of random data at a time with no
>significant deterministic way of knowing what bits would follow
>next. (I assume only the least significant 8 bits are used.)
The 64-bit performance counter, yes, its lower bits are pretty
random if you don't read them too often. Good source of entropy.
------------------------------
From: Eric Smith <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: 25 Feb 2000 18:50:51 -0800
Jerry Coffin <[EMAIL PROTECTED]> writes:
> You're right -- in fact, I doubt any but the most ignorant politicos
> and such who've looked at it think anything being contemplated will
> really stop DoS attacks. There's still some hope and help available
> from cryptography in general though: if every packet is signed,
> tracking down the originator of a packet becomes a lot easier...
I wrote:
> That only will help if the compromised systems keep logs of the originators
> of packets that they receive. And of course, the first thing the people
> that compromise those systems will do (if they are smart, or if the person
> who wrote the tools they use is smart) will be to delete such logs.
Jerry Coffin <[EMAIL PROTECTED]> writes:
> A DoS attack does NOT give you access to logs, etc., on the system
> you're attacking. In fact, the very Denial Of Service you're making
> happen means that (among other things) it will be difficult, if not
> impossible, for anybody to access anything on the system you're
> attacking: that's the whole point (and the whole effect) of the
> attack.
I'm not sure you understand how DDoS works. Or maybe you don't
understand what I wrote.
To mount a DDoS attack against a target system, the attackers *do*
compromise a large number of systems, and install the DDoS daemon
software on them. These systems act as intermediaries. They wait for a
signal, and then start pounding on the DDoS target.
They *don't* compromise the system that is the target of the DDoS. If
they could do that, they wouldn't need to do a DDoS.
Therefore encrypted links won't do much to prevent this, as I stated
before. If the intermediary systems keep logs, the attackers will
delete them. If the DDoS target keeps logs, all it will indicate is
connections from the intermediary systems, which will not be especially
helpful in tracking down the attackers.
If adequate security is in place on 99.999% of the internet hosts, the
remaining 0.001% will still be adequate to mount DDoS attacks.
Unfortunately, cryptography is not "magic security dust" which will
solve all security problems if you sprinkle enough of it around.
The only way to effectively filter DDoS traffic is to catch it near
all of the sources. If all ISPs installed traffic shaping on their edge
routers that would detect and suppress excessive traffic between
source/destination pairs, this would solve the problem, but would probably
interfere with some legitimate traffic.
Attempts to filter DDoS attacks near the destination are useless,
because by the nature of the traffic originating from many widely
distributed hosts, the congestion starts causing problems several hops
away from the target.
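The edge-router shaping Smith proposes, as an added example (not the poster's code): a per-(source, destination) sliding-window limiter run over a constructed set of packet records, forwarding within the limit and dropping and flagging the pair beyond it. The addresses, rates and thresholds are all made up for the illustration.

```python
from collections import defaultdict, deque

# Constructed per-packet records as an edge router might export: (timestamp_ms, src, dst).
# 10.0.0.5 floods 203.0.113.9 at 100 pkt/s; 10.0.0.7 talks to the same host at 2 pkt/s.
SAMPLE = ([(i * 10, "10.0.0.5", "203.0.113.9") for i in range(150)]
          + [(i * 500, "10.0.0.7", "203.0.113.9") for i in range(10)])

def shape(records, window_ms=1000, max_pkts=50):
    """Per-(src, dst) sliding-window limiter: forward a packet only while the pair has sent
    fewer than max_pkts in the last window_ms; drop it and flag the pair otherwise.
    Returns (forwarded, dropped, flagged_pairs)."""
    windows = defaultdict(deque)   # pair -> timestamps of forwarded packets still inside the window
    forwarded = dropped = 0
    flagged = set()
    for ts, src, dst in sorted(records):
        q = windows[(src, dst)]
        while q and ts - q[0] >= window_ms:   # expire timestamps that have left the window
            q.popleft()
        if len(q) >= max_pkts:
            dropped += 1
            flagged.add((src, dst))
            continue                          # suppressed at the edge; never reaches the target
        q.append(ts)
        forwarded += 1
    return forwarded, dropped, flagged

# Caveat matching the post: an attacker spread thinly over many intermediaries stays under any
# per-pair limit, so this only bites where each compromised host floods at a high rate, and a
# limit tight enough to catch slower floods will also clip bursty legitimate traffic.
```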
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: alt.sources.crypto,talk.politics.crypto,us.legal
Subject: Re: - US "allows" encryption program online
Date: Sat, 26 Feb 2000 03:34:03 GMT
This is off topic, but I just had to respond to John:
You're right. Most people in America don't even know their rights given
to them by the Constitution. I believe the government has figured out
that they can't take big chunks of our rights away at one time. They
figured out they have to do it one tiny piece at a time, through tiny
lines of legislation from a bill that gets passed without people knowing
what's going on. It all adds up in time, then in the near future people
will suddenly realize they don't live in a "free" society at all, and
that all their rights have been legislated away, that is, unless
everyone does something about it now.
joeb
"John Galt" <[EMAIL PROTECTED]> wrote:
> "Professor allowed to post encryption program online"
>
> I have been watching the responses to this post. It is incredibly sad
> that so many people consider themselves as "subjects" instead of
> "citizens", in that they do not appear to be the least bit angry that
> any government would be so paternal and condescending as to "allow"
> them to post an encryption program.
<snip>
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Are "self-shredding" files possible?
Date: Sat, 26 Feb 2000 07:04:31 GMT
Thomas Moore wrote:
> Does anyone know if it's possible to make a file "self-shredding?"
A file as such is merely a collection of bits, and so long as
somebody can make a copy of it, the "file" cannot be destroyed.
However, if the file is encrypted *and* the only way to decrypt
it (with any significant probability) is to hand it to a single
decryption agent *that destroys the key after it is used once*
(or at least reliably keeps track of the fact that the key has
been used and refuses to use it more than once), then the first
person to successfully submit the file for decryption will lock
out everyone else. The interesting question then is how to make
sure that the decryption agent refuses to decrypt the file for
anyone other than the authorized party. That's a standard
authentication issue, typically addressed by public-key methods.
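The decryption agent Gwyn sketches, as an added example that is not from the post: one key per file, released to the authorized party only, and destroyed the moment it has been used, so a second request from anyone is refused. The stream cipher is a constructed SHA-256 counter-mode toy, and the authorization check is a shared-credential stand-in for the public-key authentication he mentions.

```python
import hashlib
import hmac

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher, constructed for this illustration (SHA-256 in counter mode);
    a real agent would use a vetted AEAD. XOR makes encrypt and decrypt the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class DecryptionAgent:
    """The single decryption agent of the post: holds each file's key, decrypts for the
    authorized party only, and destroys the key as soon as it has been used once."""
    def __init__(self):
        self._keys = {}   # file_id -> (key, hash of the authorized party's credential)

    def register(self, file_id: str, key: bytes, party_credential: bytes) -> None:
        self._keys[file_id] = (key, hashlib.sha256(party_credential).digest())

    def decrypt_once(self, file_id: str, ciphertext: bytes, party_credential: bytes) -> bytes:
        entry = self._keys.get(file_id)
        if entry is None:
            # Key already consumed (or never existed): everyone after the first user is locked out.
            raise PermissionError("key already consumed or file unknown")
        key, party_hash = entry
        # Authorization stand-in (hypothetical credential hash compared in constant time) for the
        # public-key method the post points to. A failed attempt must not consume the key.
        if not hmac.compare_digest(party_hash, hashlib.sha256(party_credential).digest()):
            raise PermissionError("not the authorized party")
        del self._keys[file_id]          # destroy the key before releasing any plaintext
        return keystream_xor(key, ciphertext)
```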
------------------------------
From: [EMAIL PROTECTED] (Dave Hazelwood)
Subject: ECHELON BOMBSHELL: NSA ACCUSED OF SPYING ON US POLITICIANS
Date: Sat, 26 Feb 2000 07:22:31 GMT
The National Security Agency may be using the Echelon network to
eavesdrop on US politicians, says a shock report set for
broadcast this weekend!
Everywhere in the world, every day, people's phone calls, emails and
faxes are monitored by Echelon, a secret government
surveillance network. Former spy Mike Frost cracks Echelon wide open,
in an interview with Steve Kroft on CBS' 60 MINUTES.
American politicians have been eavesdropped on, says Margaret Newsham,
a woman who worked at Menwith Hill in England, the NSA's largest spy
station. She says she was shocked to hear the voice of Senator Strom
Thurmond (Rep. S.C.) on a surveillance headset.
The exposing of such possible abuses of Echelon will surely add to the
growing firestorm in Europe over the system. Earlier this week the
European Parliament issued a report accusing the U.S. of using Echelon
for commercial spying to help American companies win lucrative
contracts over European competitors on two separate occasions. The
U.S. State Department denies such spying took place and will not even
acknowledge the existence of the top secret Echelon project.
Rep. Porter Goss (Rep.- Fla), chairman of the House Intelligence
Committee, which has oversight of the NSA, does acknowledge that the
U.S. has the capability to pick up any phone call and that even his
own conversations could have been monitored. But Goss says there are
methods to prevent the abuse of that information. "I cannot stop the
dust in the ether but what I can make sure is that the capability is
not abused," he tells Kroft.
More... Read it all...
http://www.drudgereport.com
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Opinions on TEA (Tiny Encryption Algorithm)
Date: Sat, 26 Feb 2000 07:23:25 GMT
Erann Gat wrote:
> Is it as cool as it sounds?
So far as I have been able to determine from talking with
school kids, "cool" is a synonym for "stupid".
Anyway, TEA has a fixed (predetermined, data-independent)
key schedule, which is bad news for a Feistel-like cipher.
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Opinions on TEA (Tiny Encryption Algorithm)
Date: 26 Feb 2000 07:39:09 GMT
In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>Anyway, TEA has a fixed (predetermined, data-independent)
>key schedule, which is bad news for a Feistel-like cipher.
Huh? How is that different from DES?
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Opinions on TEA (Tiny Encryption Algorithm)
Date: 25 Feb 2000 23:02:44 -0800
In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Anyway, TEA has a fixed (predetermined, data-independent)
> key schedule, which is bad news for a Feistel-like cipher.
TEA does add a "round counter" to the block at each round,
which is enough to stop the obvious slide attack.
But maybe you know of some more subtle reason why this simple
"round counter" is not enough for full security.... ?
(it seems plausible this property could be a problem; on the
other hand, note that Skipjack has a similar -- but not exactly
identical -- property)
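TEA itself, written out so the two points raised in this thread can be checked directly: the round counter Wagner mentions (the running `sum` that changes every cycle) and the fixed key schedule Gwyn and Rubin discuss, which among other things gives every key three equivalents. This is an added example, not the code from the TEA page or from any poster; the key and plaintext values are constructed.

```python
DELTA = 0x9E3779B9          # TEA's round constant (2^32 / golden ratio)
MASK = 0xFFFFFFFF

def _mix(v, ka, kb, s):
    """The Feistel function on one 32-bit word v with key words ka, kb and counter s."""
    return ((((v << 4) & MASK) + ka) & MASK) ^ ((v + s) & MASK) ^ (((v >> 5) + kb) & MASK)

def tea_encrypt(block, key, cycles=32):
    """Encrypt one 64-bit block (v0, v1) under a 128-bit key (k0..k3); 32 cycles = 64 rounds."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(cycles):
        s = (s + DELTA) & MASK                    # the round counter: a different constant enters
        v0 = (v0 + _mix(v1, k0, k1, s)) & MASK    # every cycle, so no two rounds are identical
        v1 = (v1 + _mix(v0, k2, k3, s)) & MASK    # (the key words themselves never change)
    return v0, v1

def tea_decrypt(block, key, cycles=32):
    """Inverse of tea_encrypt: run the counter backwards from its final value."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = (DELTA * cycles) & MASK                   # counter value after the last encryption cycle
    for _ in range(cycles):
        v1 = (v1 - _mix(v0, k2, k3, s)) & MASK
        v0 = (v0 - _mix(v1, k0, k1, s)) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def equivalent_keys(key):
    """The three other keys that encrypt identically to `key`. Flipping bit 31 of both k0 and k1
    flips bit 31 of both (v<<4)+k0 and (v>>5)+k1 inside _mix, and the XOR cancels the flip; the
    same holds for k2/k3. The fixed key schedule thus leaves TEA with only 2^126 distinct keys."""
    k0, k1, k2, k3 = key
    f = 0x80000000
    return [(k0 ^ f, k1 ^ f, k2, k3),
            (k0, k1, k2 ^ f, k3 ^ f),
            (k0 ^ f, k1 ^ f, k2 ^ f, k3 ^ f)]
```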
------------------------------
From: [EMAIL PROTECTED] (Lincoln Yeoh)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Sat, 26 Feb 2000 07:56:52 GMT
Reply-To: [EMAIL PROTECTED]
On Tue, 22 Feb 2000 23:29:35 GMT, Ilya <[EMAIL PROTECTED]>
wrote:
>Is it secure to take two words and join them together, such as:
>
>crypto/life cyber@machine green-dog Loud!Music
>
>I find that they are really easy to remember, especially if the word
>combination has some meaning to the user. I have been told that such
>combinations are vulnerable to dictionary attacks. I think that they are
>not vulnerable to dictionary attacks since the password is not a word, it
>combines two words and is meaningless and can only be brute-forced.
Erm, it's trivial to run through a dictionary, just think of it as a two
character password where you have say 20000 alphabets.
e.g.
<word1><word2>
<word1> <word2>
<word1>,<word2>
Run through a dictionary and stick in the words. Of course if one word is
NOT in ANY dictionary then it's harder.
What would be more difficult to brute force would be:
1) Create and remember a number of (e.g. 5 or 6) different passwords (e.g.
24nv9sot)
2) Put them together to make one long passphrase.
Make sure you do NOT use these passwords anywhere else.
It can still be brute forced but it will take a far far longer time. The
attackers will probably resort to other easier means to get to your data or
give up.
You will probably find it easier to remember 5 or 6 short 6-8 character
passwords, than one 20 character passphrase. Find the chunk number which
suits your brain.
Cheerio,
Link.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************