Cryptography-Digest Digest #132, Volume #11      Wed, 16 Feb 00 06:13:01 EST

Contents:
  Re: Does the NSA have ALL Possible PGP keys? (e)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: decryption (Tony L. Svanstrom)
  Re: help DES encryption ([EMAIL PROTECTED])
  Netscape security? (Anders Westergren)
  Re: UK publishes 'impossible' decryption law ([EMAIL PROTECTED])
  Re: UK publishes 'impossible' decryption law (Arturo)
  Re: National Security Strategy, USA and Economic / Business Intelligence (Arturo)
  Re: Netscape security? (Paul Rubin)
  Re: Netscape security? (jungle)
  Re: Message to SCOTT19U.ZIP_GUY (H. Peter Anvin)
  Re: source code export laws ("Lassi Hippeläinen")
  Re: Netscape security? ("Lassi Hippeläinen")
  Re: Q: Division in GF(2^n) (Mok-Kong Shen)
  Scientologist espionage in Windows 2000? ("Lassi Hippeläinen")
  Denial of service attacks (Mok-Kong Shen)
  Re: Netscape security? (Tony L. Svanstrom)
  Oops: Scientologist espionage in Windows 2000? ("Lassi Hippeläinen")

----------------------------------------------------------------------------

From: e <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Wed, 16 Feb 2000 01:41:34 -0800
Reply-To: [EMAIL PROTECTED]

e + 23 = 111


------------------------------

From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Subject: Re: Funniest thing I've seen in ages - RSA.COM hacked :)
Date: Wed, 16 Feb 2000 08:12:00 +0100

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:

> "Tony L. Svanstrom" wrote:
> > Exactly, so by having a cpl of "bad guys" bring the business using
> > the Internet to their knees the lost money will force companies to
> > do something about the security.
> 
> You haven't been in this business very long, have you?
> Every major Internet site has been attacked (hopefully not
> successfully) several times per day for several years now.
> Sometimes there is even a brief flurry of media attention,
> some speeches are made, new patches and kludges are devised,
> then it all settles back down to business as usual.

Yes, but that's just minor things. Ok, so it can securitywise be a lot
worse than a lil bit of playing around with the DNS, but it's not what's
needed to make people do something about it.
Like it or not the people that you have to wake up for something to
happen won't understand unless they are being fed the information filled
with buzzwords from some magazine (where the story most likely was
written by someone that didn't understand it). I could go to the very
same person and tell him about the security risks that are a reality
today and nothing will happen, but if his "bible" (some IT-business
magazine) tells him the same story but with pictures and stuff like "the
Internet cracked" and "your website can be stolen by a 14yo" then he'll
start complaining that he wants more security.
When he's complaining other companies will see a way to make a buck or
two, and then the other companies will see that they might lose a buck
or two unless they can offer the same...

This reality sucks, but it's the only one we have.


     /Tony
-- 
     /\___/\ Who would you like to read your messages today? /\___/\
     \_@ @_/  Protect your privacy:  <http://www.pgpi.com/>  \_@ @_/
 --oOO-(_)-OOo---------------------------------------------oOO-(_)-OOo--
 DSS: 0x9363F1DB, Fp: 6EA2 618F 6D21 91D3 2D82  78A6 647F F247 9363 F1DB
 ---ôôô---ôôô-----------------------------------------------ôôô---ôôô---
    \O/   \O/  ©1999  <http://www.svanstrom.com/?ref=news>  \O/   \O/

------------------------------

From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Subject: Re: decryption
Date: Wed, 16 Feb 2000 08:12:01 +0100

Jim Gillogly <[EMAIL PROTECTED]> wrote:

> Juergen Nieveler skribis:
> > 
> > "Pereira" <[EMAIL PROTECTED]> schrieb im Newsbeitrag
> > news:[EMAIL PROTECTED]...
> > > Hi I need some help!  I have a cryptology course and I have no clue what
> > > I'm doing.  Can someone help me decrypt this message!
> > >
> > <SNIP>
> > Sorry, wrong group... try alt.do.my.homeworks ;-)
> 
> It's a bit subtler than that: when you break it, you get a
> plug for some websites.  Encouraging us to spend time decrypting
> an unsolicited ad... thanks a lot, d00d.

*ROTFLMAO*


     /Tony

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: help DES encryption
Date: Wed, 16 Feb 2000 07:07:40 GMT

In article <1Y8q4.5811$[EMAIL PROTECTED]>,
  "mati" <[EMAIL PROTECTED]> wrote:
> Hi,
> I have already found an online step by step example of DES encryption
> at http://www.aci.net/kalliste/des.htm
>
> that's all
> thanks
>
> David
>

hi mati and others,

here is where from the whole problem will in fact begin. After mati has
corrected all his code and has a correct code for the given examples,
still it is no assurance that the entire code is correct. DES uses a
number of S-Boxes, P permutations IP and IP-1 permutations for which
something like a table test vector must exist. In fact for the AES
candidates it was available but how does one then check for DES. any
references.
please give me urls if any exists, i cannot buy the standards!
regards and TIA,
rasane_s




------------------------------

From: Anders Westergren <[EMAIL PROTECTED]>
Subject: Netscape security?
Date: Wed, 16 Feb 2000 08:40:47 +0100

Is it true that international versions of Netscape mail has a built in
'work reduction' field of 88 bits, thus reducing the key length to 40
bits (which now can be decrypted in real-time)? I read this just a week
ago in a (fairly) large Swedish newspaper. According to the author,
Outlook has the same 'problem'.

------------------------------

From: [EMAIL PROTECTED]
Date: 16 Feb 2000 07:44:17 -0000
Subject: Re: UK publishes 'impossible' decryption law

>>> [snip] In other words, the Police cannot prove that I haven't
>>> handed over the keys but I can still keep my secrets safe if I
>>> want to.
>>
>> Unfortunately, they don't have to prove anything. *You* have to prove
>> you don't have the key(s).
>
> If I were innocent I *can't* prove I know the other keys because they
> are completely random. Neither can the police prove that I am
> withholding one.
>
> So the question is whether the police is prepared to lock up a lot
> of innocent people simply because they encrypted their files with a
> particular algorithm.

They are. Innocence is irrelevant. Remember, Britain now has cameras
slaved to face-matching software and photo-databases watching the public
at large. It's almost comical to watch everything depicted in "1984"
actually become reality in Britain (and British-flavored nations
NZ/Aus/Canada). And of course now that the subjects have been disarmed
the tyranny will get much worse.

I do like the idea of sending each member of Parliament an encrypted email
then fetching the Crypto Cops on him or her. But somehow I figure The Powers
That Be will be exempt from this law they've inflicted on the People just
as they are most others.

Steve

------------------------------

From: [EMAIL PROTECTED]=NOSPAM (Arturo)
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: Wed, 16 Feb 2000 07:26:16 GMT

On 16 Feb 2000 01:31:16 GMT, [EMAIL PROTECTED] (Mike Eisler) wrote:

>In article <[EMAIL PROTECTED]>,
>Bruce Stephens  <[EMAIL PROTECTED]> wrote:
>>Much as I hate to defend the obviously stupid proposed law, according
>>to most descriptions I've read, the police *do* need to prove
>>something: they need to show that I did have the key.  i.e., it would
>>not (under the current proposal) be a crime not to decrypt encrypted
>>material when suitably told to do so unless the police could show that
>>you once had the key.  (This is one of the improvements over the
>^^^^^^^^^^^^^^^^^^^^
>
>What if the accused has forgotten the key. Or mislaid the container of
>the key?
>
        According to the law, you get two years' paid vacation, courtesy of
Her Majesty's prisons.  And if you happen to tell anybody about it, you get
a five-year bonus.

------------------------------

From: [EMAIL PROTECTED]=NOSPAM (Arturo)
Crossposted-To: alt.politics.org.cia,soc.culture.europe,soc.culture.israel,soc.culture.russian
Subject: Re: National Security Strategy, USA and Economic / Business Intelligence
Date: Wed, 16 Feb 2000 07:26:18 GMT

On Tue, 15 Feb 2000 20:40:10 GMT, William Nelson <[EMAIL PROTECTED]>
wrote:

>
>
> The objective is to eliminate the
>leadership of the USA's intelligence collection and its systems. I
>actually learned very good developments initiated by one ex-Finance
>Minister of Finland in the European Parliament.

        Did you happen to know something about the Enfopol resolutions?  If
so, please drop me a line, I'd like to contact you for info exchange.

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Netscape security?
Date: 16 Feb 2000 08:19:02 GMT

In article <[EMAIL PROTECTED]>,
Anders Westergren  <[EMAIL PROTECTED]> wrote:
>Is it true that international versions of Netscape mail has a built in
>'work reduction' field of 88 bits, thus reducing the key length to 40
>bits (which now can be decrypted in real-time)? I read this just a week
>ago in a (fairly) large Swedish newspaper. According to the author,
>Outlook has the same 'problem'.

Yes, this is not a secret.  MSIE is the same way.  It is due to US
cryptographic export regulations that almost nobody likes.  It is all
very thoroughly covered in the documentation for those programs and is
hardly "news".  If you visit a secure page (say an order form) with an
older international browser, then click the lock icon and select "View
Page Info" it says right on the screen that you only get 40 secret
bits.

For the most recent browsers (Netscape >= 4.7, IE >= 5.01) you get 56
secret bits because the export regulations recently changed and
increased the limits.  There are also special server certificates
available with some restrictions, that tell the export browsers to use
full-strength (128 bit) cryptography.  If you're doing online banking
or something like that, your bank should use that kind of certificate.
See http://www.verisign.com/server/prd/g/index.html for more info.

------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: Netscape security?
Date: Wed, 16 Feb 2000 08:20:40 GMT

yes

Anders Westergren wrote:
> 
> Is it true that international versions of Netscape mail has a built in
> 'work reduction' field of 88 bits, thus reducing the key length to 40
> bits (which now can be decrypted in real-time)? I read this just a week
> ago in a (fairly) large Swedish newspaper. According to the author,
> Outlook has the same 'problem'.

------------------------------

From: [EMAIL PROTECTED] (H. Peter Anvin)
Subject: Re: Message to SCOTT19U.ZIP_GUY
Date: 16 Feb 2000 00:43:47 -0800
Reply-To: [EMAIL PROTECTED] (H. Peter Anvin)

Followup to:  <[EMAIL PROTECTED]>
By author:    "Douglas A. Gwyn" <[EMAIL PROTECTED]>
In newsgroup: sci.crypt
>
> Tim Tyler wrote:
> > Encrypting something twice does not double the time to break.
> > Speaking *very* roughly, if anything, it squares it.
> 
> If the encryption uses the same key, then it doubles the time
> for a brute-force key search.
> 

... assuming the encryption isn't a group.

        -hpa
-- 
<[EMAIL PROTECTED]> at work, <[EMAIL PROTECTED]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
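
The caveat in the reply above, worked through as an added example that is not part of the original posts: when a cipher's key set is closed under composition (a group), encrypting twice with one key equals a single encryption under some other key, so a search over single keys recovers an equivalent key with no extra work. The affine byte cipher below is an assumed toy, chosen only because it is a group; the thread names no specific cipher.

```python
# Assumed toy cipher (not from the thread): E_(a,b)(x) = (a*x + b) mod 256
# on one byte, with a odd so the map is invertible. The set of such maps
# is closed under composition, i.e. the cipher is a group.
M = 256

def enc(key, x):
    """Single encryption of byte x under key (a, b)."""
    a, b = key
    return (a * x + b) % M

def double_enc(key, x):
    """Encrypt twice with the same key."""
    return enc(key, enc(key, x))

def equivalent_single_key(key):
    """Closed form: E_k(E_k(x)) = a^2*x + (a*b + b), again an affine key."""
    a, b = key
    return ((a * a) % M, (a * b + b) % M)

def search_single_keys(pairs):
    """Exhaust the SINGLE-encryption key space against known
    (plaintext, ciphertext) pairs; one enc() call per trial and pair."""
    return [(a, b)
            for a in range(1, M, 2)
            for b in range(M)
            if all(enc((a, b), p) == c for p, c in pairs)]

def demo():
    secret = (5, 17)                      # constructed sample key
    pairs = [(p, double_enc(secret, p)) for p in (0, 1)]
    found = search_single_keys(pairs)     # never performs a double encryption
    # The recovered key decrypts/encrypts everything the double cipher does.
    same_map = all(enc(found[0], x) == double_enc(secret, x) for x in range(M))
    return found, same_map

if __name__ == "__main__":
    print(demo())
```
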

------------------------------

From: "Lassi Hippeläinen" <"lahippel$does-not-eat-canned-food"@ieee.org>
Subject: Re: source code export laws
Date: Wed, 16 Feb 2000 08:54:51 GMT

Jeremiah wrote:
> 
> I am wanting to put the source code of a lot of encryption algorithms up
> on the internet.  What are the laws for me doing this?

Depends on the country. See
http://cwis.kub.nl/~frw/people/koops/cls2.htm for starters.

-- Lassi

------------------------------

From: "Lassi Hippeläinen" <"lahippel$does-not-eat-canned-food"@ieee.org>
Subject: Re: Netscape security?
Date: Wed, 16 Feb 2000 09:02:06 GMT

Anders Westergren wrote:
> 
> Is it true that international versions of Netscape mail has a built in
> 'work reduction' field of 88 bits, thus reducing the key length to 40
> bits (which now can be decrypted in real-time)? I read this just a week
> ago in a (fairly) large Swedish newspaper. According to the author,
> Outlook has the same 'problem'.

Yes, true. That's why there is http://www.fortify.net/ for Netscape
browsers. Probably fixes mail, too.

This still leaves open the question of whether the key generator is
fair. It might be crippled so that it produces only a fraction of the
key space. If the three letter agencies know which fraction, their work
is much reduced, but the poor user has no way of verifying it.

-- Lassi

P.S. You could try Opera as your browser. I'm not sure if it is legal in
Sweden, since it is a Norwegian product... ;-)

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Q: Division in GF(2^n)
Date: Wed, 16 Feb 2000 10:24:34 +0100

David Hopwood wrote:
 
> Mok-Kong Shen wrote:
> >
> > I learned from a mailing list that there is a US patent US5890800
> > 'Method and device for the division of elements of a Galois field'
> > (http://www.patents.ibm.com/details?pn=US05890800)
> 
> That URL should be
> http://www.patents.ibm.com/details?pn10=US05890800
> 
> > for computing A/B in GF(2^n). The algorithm amounts to computing
> > with squaring and multiplication of numbers A and B represented in
> > n bits the expression
> >
> >         A^(2^n) * B^(2^n-2)
> >
> > The writer of a post in the mailing list then reasoned that this
> > reduces to A/B, since x^(2^n-1) = 1 for all x.
> >
> > It seems, however, that the algorithm is doing computations all
> > the way in Z_(2^n) instead of GF(2^n).
> 
> No, it is doing all of them in GF(2^n).

I suppose the patent text is very misleading. It said representing A 
and B in n bits and said doing squaring and multiplication. One thus
got the impression that A and B are now treated as binary numbers
and therefore squaring and multiplication are ordinary operations.

> However, AFAICS it is *much* less efficient (at least for software
> implementations with field sizes of interest in cryptography) than
> calculating the inverse of B using the Almost Inverse algorithm, and
> multiplying A by the inverse.

Why is that 'Almost'? Isn't it exact, if one uses B^(-1)=B^(2^n-2)?

A probably more essential question I like to raise in this connection
is: If an increasing number of such 'ways' of doing computations get
patented, wouldn't the day be nigh when school boys and girls would
have to pay royalties to the diverse patent holders when doing
their home work in mathematics? (In view of the huge number of such
users, certain patent holders could easily gather a fortune superior
to that of Bill Gates.) What do mathematicians and scientists
employing much mathematics (including cryptologists) think about
the issue of patenting mathematics? Wouldn't researchers (in
mathematics, theoretical physics, etc. etc.) have to carefully check
whether they possibly violate some patents (including also the
pre-publication stage, while they are endeavouring to obtain new
results with paper and pencil) because they happen to do calculations
in ways that others have patented?

Since I believe doing patented mathematics even at one's home
with (scratch) paper and pencil is violating patent laws (compare
duplicating recording tapes of music etc., which is prohibited
by copyright laws), a further speculation would be whether one has
also to pay royalties if one does such computations in one's own
head. A dishonest person certainly wouldn't care to pay in any case.
But what should a real gentleman do (or equivalently, what is the 
behaviour according to the prescription of the laws)?

M. K. Shen
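
The expression discussed in this exchange, A^(2^n) * B^(2^n-2), evaluated both ways as an added example that is not part of the original posts: once with field arithmetic in GF(2^n), where it yields A/B, and once with ordinary integer arithmetic mod 2^n, where it does not. The field size n = 8 and the reduction polynomial 0x11B are assumptions made for the illustration; the thread specifies neither.

```python
# Assumptions (not from the thread): n = 8 and the irreducible polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11B) as the field modulus.
N = 8
POLY = 0x11B

def gf_mul(a, b):
    """Field multiplication: carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a              # addition in GF(2^n) is XOR
        b >>= 1
        a <<= 1
        if a >> N:              # degree reached N: reduce by the modulus
            a ^= POLY
    return r

def gf_pow(x, e):
    """Square-and-multiply built only from field multiplications."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r

def gf_div(a, b):
    """A/B as A^(2^n) * B^(2^n - 2), the expression quoted in the post."""
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^n)")
    return gf_mul(gf_pow(a, 1 << N), gf_pow(b, (1 << N) - 2))

def int_div_attempt(a, b):
    """Same expression with integer squaring/multiplication mod 2^n,
    i.e. in Z_(2^n). This is NOT a division."""
    m = 1 << N
    return (pow(a, m, m) * pow(b, m - 2, m)) % m

def check_identities():
    """x^(2^n) == x for all x, and x^(2^n - 2) * x == 1 for all nonzero x."""
    size = 1 << N
    frobenius = all(gf_pow(x, size) == x for x in range(size))
    inverses = all(gf_mul(gf_pow(x, size - 2), x) == 1 for x in range(1, size))
    return frobenius and inverses

if __name__ == "__main__":
    print(hex(gf_div(0xC1, 0x83)), check_identities(), int_div_attempt(3, 1))
```
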

------------------------------

From: "Lassi Hippeläinen" <"lahippel$does-not-eat-canned-food"@ieee.org>
Subject: Scientologist espionage in Windows 2000?
Date: Wed, 16 Feb 2000 09:26:22 GMT

This might be old news, but I haven't seen any comments in this ng yet.

Windows comes with a disk decrypter written by a scientologist company.
Since the program can access any files... more can be found at
http://www.heise.de/ct/english/99/25/058/

-- Lassi

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Denial of service attacks
Date: Wed, 16 Feb 2000 10:58:46 +0100

Very recently there is a case of serious distributed denial of
services attacks which has caused huge revenue losses to certain
firms. See reports in press and also CRYPTO-GRAM, Feb. 2000.
(Surprisingly, I haven't yet seen any discussions of that in any 
internet newsgroups.)

I like to report something concerning myself personally which I
suspect could possibly also be a denial of services attack (albeit
a centralized one). I have a subscription to a crypto mailing list. 
Since about a week, I repeatedly tried (a large number of times
at different times of the day) to post to that list, but all posts 
were returned with the error message:

    SMTP error from remote mailer after initial connection:
    host ............:
    451 timeout waiting for input during server cmd read:
    retry timeout exceeded

At first I thought that the server of the list was down. But
that was apparently not the case, for (1) the message mentioned
an initial 'connection' and (2) in the same time period I saw
some of others' posts to the list getting through. It seemed as
though there is a virus at the server that selectively (or perhaps
even randomly) refuses the incoming posts. I wrote an e-mail to the
postmaster of the site. But that e-mail was returned also.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Subject: Re: Netscape security?
Date: Wed, 16 Feb 2000 10:59:10 +0100

Lassi Hippeläinen <"lahippel$does-not-eat-canned-food"@ieee.org> wrote:

> P.S. You could try Opera as your browser. I'm not sure if it is legal in
> Sweden, since it is a Norwegian product... ;-)

No true Swede will be caught with anything from that country, but that
doesn't mean that we won't use it. *G*


     /Tony

------------------------------

From: "Lassi Hippeläinen" <"lahippel$does-not-eat-canned-food"@ieee.org>
Subject: Oops: Scientologist espionage in Windows 2000?
Date: Wed, 16 Feb 2000 10:07:09 GMT

I meant to write defragmenter...

Lassi Hippeläinen wrote:
> 
> This might be old news, but I haven't seen any comments in this ng yet.
> 
> Windows comes with a disk decrypter written by a scientologist company.
> Since the program can access any files... more can be found at
> http://www.heise.de/ct/english/99/25/058/
> 
> -- Lassi

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
