Cryptography-Digest Digest #185, Volume #11      Wed, 23 Feb 00 07:13:01 EST

Contents:
  I have added few images of my notebooks to alt.politics.org.cia ("Markku J. Saarelainen")
  need help! decryption (jamie)
  Re: Passwords secure against dictionary attacks? (John Underwood)
  Re: OAP-L3 Encryption Software - Complete Help Files at web site ("Douglas A. Gwyn")
  Re: need help! decryption (Elgar)
  Re: EOF in cipher??? (Mok-Kong Shen)
  Re: Processor speeds. (Mok-Kong Shen)
  Re: Passwords secure against dictionary attacks? ("Steve Coath")
  cannot understand CFB mode code.. ([EMAIL PROTECTED])
  Re: Passwords secure against dictionary attacks? ("Ken Hagan")
  Transmitting ciphered data ("Markus Eiber")
  First announcement for ECC 2000 (Alfred John Menezes)
  Re: Passwords secure against dictionary attacks? ([EMAIL PROTECTED])
  Re: Passwords secure against dictionary attacks? (Michel Dalle)
  Re: need help! decryption (Runu Knips)
  Re: I am really scared of my NT ([EMAIL PROTECTED])
  Re: Stuck on code-breaking problem - help appreciated ("jdc")
  Re: Does the NSA have ALL Possible PGP keys? ("csabine")

----------------------------------------------------------------------------

From: "Markku J. Saarelainen" <[EMAIL PROTECTED]>
Crossposted-To: alt.2600,soc.culture.russian,soc.culture.soviet,soc.culture.nordic,soc.culture.europe,soc.culture.german,soc.culture.ukrainian,soc.culture.china
Subject: I have added few images of my notebooks to alt.politics.org.cia
Date: Wed, 23 Feb 2000 07:05:31 GMT


I have added few images of my notebooks to

alt.politics.org.cia

all these are intelligence related .. I still have hundreds of pages of
my notebooks that I have to review for you ..

other posted diary and notebook entries are at

http://homestead.virtualjerusalem.com/waeg/Diaries.html

Visit also the Game of General (M) (updated with the language - actually
I can teach the language to you more clearly - it is quite simple but
very effective) at

http://homestead.virtualjerusalem.com/waeg/gameofm.html

Best regards,

Markku



------------------------------

From: jamie <[EMAIL PROTECTED]>
Subject: need help! decryption
Date: Wed, 23 Feb 2000 07:48:36 GMT

This arrived in my email and I have no idea what it is, can someone tell
me how to decypher it?

Thanx in advance...

Subject: 
        A true story; please, let us all care about it together
   From: 
        Nothing <[EMAIL PROTECTED]>
     




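  Hello, and I am sorry to take up your valuable mail-reading time. This is
not an advertisement but a true story that happened to a friend of mine. I do
not know you, and I obtained your e-mail address from the Internet, but I
still ask you to take a little time to read this story to the end and, if you
can, to pass this letter on to your friends. The person at the centre of the
tragedy in this letter has nothing to do with you, but if Taiwan's traffic
problems go on like this, nobody can guarantee that in the next second a
tragedy will not happen to one of our friends, or even to ourselves. Please
join in demanding that our government and its officials, rather than making
lofty, empty and irrelevant speeches at election time, actually put a little
thought into us ordinary people, so that we can have an environment free from
fear.
  What follows is the original text written by the eyewitness. There may be
some typos in it, but out of respect for the person concerned I have not
changed anything. The letter is a bit long; please be patient and read it
through.

I met her online on Kimo. That day we chatted very happily, and in the course
of the chat we found out that we lived very close to each other, so we
exchanged contact details. After that we talked on the phone a few times. One
night I was hungry and you said you would take me out to eat, so we arranged
to go out for a late-night snack. When I saw you, you were even cuter than I
had imagined. Over the meal I learned about your family and everything about
you. You turned out to be such a strong girl, renting a place on your own and
earning money to support yourself; at that moment I felt that compared with
you I was far too fortunate. After we got back we chatted some more. You told
me you wanted to learn English and asked me to teach you. I agreed, and told
you that I had an electronic translator I was not using that you could borrow,
and you were very happy to hear it. Later you told me that you were going
back to your godmother's home in Banqiao the next day, that you might stay a
few days, and that you would call me when you came back. I told you we would
go singing together when you got back, and you agreed.

On Monday afternoon it began to rain in Taipei and the weather was a bit damp
and cold. I phoned you and learned that you were in Taipei, just back. I asked
whether you wanted to go singing and you said yes, so I invited three other
online friends to go singing, and we had a great time singing that day. In the
early hours of Wednesday we met online. The weather was especially cold that
day too, and it was raining outside. You told me you wanted to go dancing with
another online friend and wanted me to go with you. I asked you why. You
answered that it was because I was a nice person, that if I went I could
protect you, and that you would not be bored. But I still thought it was too
cold outside; I only wanted to go for a late-night snack, not dancing. You
were a little unhappy, but you still said that in that case we should all just
go out for a late-night snack. You knew I wanted taro balls and said you would
take me to a good place. That day I wore sandals and was dressed very
casually. When we met you looked me up and down and said with a smile, "Ha
ha, you are such a punk!" I smiled too and answered, "I always was a punk!
Otherwise why would everyone love me?" You laughed and said, "Right, right,
because you are thick-skinned!" Then we went for a late-night snack with two
other online friends. On the way to take you home we chatted for a while
under the arcade. You told me you might go back to your godmother's home in
Banqiao soon. I said it did not matter, we could still see each other often.
After I got home I did not fall asleep until morning!

I got up a little after six in the evening and heard your message on my mobile
phone. You said I was such a pig, still asleep at this hour, and told me to
get up quickly because you had something good to tell me about! As soon as I
had listened to the message I called you back. You scolded me for sleeping so
much. I laughed and asked what the good thing was. You told me an online
friend was treating people to hot pot and wanted to take you and me. I said he
did not even know me; you said you had already told him about me. I asked with
a laugh why I had to come along every time you went out with online friends,
and you said, smiling, that it was because I had to protect you! "Ha ha...
I have suddenly become your little sidekick," I told you. We chatted for a bit
and you told me that an online friend had sent you a photo. I said I wanted to
see it too, and you told me to get online quickly, so we started chatting
online and you sent the photo over. In the chat room I told you I was going
back to Miaoli the next day, because my dad was driving up to take me home.
You said I seemed like such a dutiful son! I told you it was just because he
was coming up to Taipei to take care of some business anyway. Later you said
you were hungry. I said fine, let's go and eat, let's go to Shilin. I invited
a friend who was in the chat room at the time, a good friend I had met online.
You sent me a private message asking about 2/2, your birthday, saying that if
I went home I would not be able to celebrate it with you. I told you I would
come back up. You asked me twice, I gave you a definite answer, and you sent
me a smiley face. You asked me whether you should put on make-up for the
late-night snack, because you had not worn any the other time either. I
jokingly told you it was dark and nobody would be able to tell! Then we
arranged to meet the other online friend at Shuanglian MRT station. I rode my
motorcycle to where you lived to pick you up. You were dressed especially
cutely that day. On the way you told me it was so cold! Luckily it was a short
trip. I left the motorcycle near the MRT station, and then we and my other
good friend took the MRT together to Jiantan station.

And it was then that the tragedy began, as death quietly followed you. After
getting off the train we walked along the motorcycle lane at the side of the
road, talking and laughing. You were walking behind my friend and me. I
laughed and asked whether you wanted to walk between us. You said no, you said
that today you were going to be my little sidekick, and I gave you a silly
grin. Later there was a lot of traffic, so we walked in single file: I went
first, my good friend second, and you last. As we were walking I heard a
scream. I watched the bus hit you and carry you along for a few steps; as it
slowed down you fell, and the front wheel rolled over the lower half of your
small body. I was stunned. I pounded on the front door of the bus with all my
strength, and the bus stopped. My friend immediately pulled you out from under
the bus. You gripped my hand and called my name, crying "save me" again and
again... My heart felt as if it were being torn apart. I took out my mobile
phone and called 119, and then called the police to deal with the traffic. My
friend kept shouting at the bus driver that he was in the wrong. The bus
driver told my friend that he really had not meant to do it; he had been too
tired, had nodded off and fallen asleep. I paid no attention to the bus
driver. I looked at your deathly pale face and your twisted lower body; my
hand was holding yours but would not stop shaking. Your lips were white and
you told me it hurt so much, yet all I could do was comfort you. The ambulance
finally arrived, but it was blocked by the traffic jam. I ran over to it as
fast as I could, guided it in and cleared the vehicles out of the way so that
it could get through, and at last we got you to the hospital.

I took your ID to register you and to contact your family. All I hoped for in
my heart was that you would live. I went in to see you. You had tubes all over
your body. You were still fully conscious, but your face was full of pain. I
held your hand and told you it was all right, you would get better. You told
me it hurt, it hurt, it hurt... The doctor pointed at your X-ray and told me
that your pelvis was completely fractured; without surgery you would die, and
the chance of surviving surgery was not great either. I made a vow to the
Bodhisattva then: if only you lived, I would look after you for the rest of my
life and be a volunteer for the rest of my life! Your family arrived later and
signed the consent form for the operation for you. Doctors from various
departments stood at the door discussing how to carry out the operation, while
my friend and I gave our statements to the police. A little after eleven the
doctor told me that you had gone into shock and were being resuscitated. At a
quarter past twelve you left everyone behind and were gone... I went in to see
you one last time. Holding your cold hand, I could not stop crying. Heavens!
Why is fate so unfair as to take her away? My heart was full of regret and
bitterness... A little after four in the morning my friend and I went back to
the MRT station to fetch the motorcycle. Looking at the two helmets on it, and
thinking that I had only just been with you and now you had already left me,
my tears started to flow again. I did not sleep after I got home, because the
moment I closed my eyes I saw the scene of your accident! I felt my heart
knotted up and had to gasp for breath. A little after eight in the morning my
friend and I hurried to the hospital to wait for the forensic examiner to
examine the body and for the prosecutor to take statements. The driver came
too, and we gave our statements together. The driver admitted that he had been
too tired from driving and had fallen asleep. But what of it? Xiao Jun is
dead! Her death was so senseless.

Today I took her favourite food and went to see her. Her older sister phoned
me and told me to read the reports in Thursday's China Times Express and
Friday's China Times. After reading them I was very angry, because the
newspaper reporters showed no respect at all for the deceased and cared only
about digging into other people's private affairs. It is true that Xiao Jun
came from a single-parent family, that her parents were divorced, and that her
father was in prison for drug use, but I think all of that was pain she
carried inside, things she did not want to tell everyone. Why don't the
newspaper reporters use the power of public opinion to tell everyone to face
up to what happened? Taipei city buses have been killing people all the time
lately; this is no longer the first or second time it has happened, so why do
we not see our government doing anything to improve matters? The newspaper
reporters even said that Xiao Jun was hit and killed by the bus because she
was dodging a car. That is simply not the truth, and I am really angry! They
also said the speed at the time was only twenty kilometres per hour. If it was
only twenty kilometres per hour, would that speed carry a person along? I was
an eyewitness at the scene, and I can guarantee that this is absolutely not
the truth!

I am writing this only in the hope of using the power of the Internet to tell
everyone not just the truth but also to face up to our traffic problems,
because I want Xiao Jun's death to count for something. I hope her death can
awaken public awareness and make everyone pay attention to these problems, and
I hope our government can solve the problem thoroughly! And the people at the
bus association should stop shirking responsibility every time something
happens. Today a bus driver fell asleep; besides the danger to pedestrians,
the passengers were in great danger too. Why was the pre-shift briefing not
carried out properly? February 1 is your funeral, and cruelly, February 2 is
your birthday. I hope that day will be your rebirth. In the next life I hope
we can still be friends forever. I will always remember you... I hope you are
doing well far away too!
 冰點 1.29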

------------------------------

From: John Underwood <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 01:07:19 +0000

On Tue, 22 Feb 2000 at 23:29:35, Ilya <[EMAIL PROTECTED]>
wrote in alt.security.pgp:
(Reference: <zZEs4.2145$[EMAIL PROTECTED]>)

>
>Is it secure to take two words and join them together, such as: 
>
>crypto/life cyber@machine green-dog Loud!Music
>
>I  find that they are  really  easy to remember,  especially  if the word 
>combination  has some meaning  to the user.  I have  been  told that such 
>combinations are vulnerable to dictionary attacks.  I think that they are not 
>vulnerable to dictionary attacks since the password is not a word, it combines 
>two words and is meaningless and can only be brute-forced. 
>
>Any input on that?

It would have been considerably safer before you published your
intention of doing that. (Unless, of course, this is a double bluff).

-- 
John Underwood

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: OAP-L3 Encryption Software - Complete Help Files at web site
Date: Wed, 23 Feb 2000 07:55:13 GMT

Tim Tyler wrote:
> Any algorithm that comes with a mathematical proof that it's unbreakable
> is unlikely to be analysed by the world's leading codebreakers.
> Instead it is likely to be dismissed out-of-hand - as the output of
> someone with little idea about the nature of the field.

To the contrary, if it is published in a reputable peer-reviewed
technical journal, it will be looked at *very* closely, to see
what assumptions it depends on.  There are already actual examples;
go to the Google search engine and enter the phrase "Provable
Security".

------------------------------

From: Elgar <[EMAIL PROTECTED]>
Subject: Re: need help! decryption
Date: Wed, 23 Feb 2000 03:01:42 -0500
Reply-To: [EMAIL PROTECTED]

i don't have the software, but no doubt it's chinese, probably the
big5 encoding.

elgar

jamie wrote:
> 
> This arrived in my email and I have no idea what it is, can someone tell
> me how to decypher it?
> 
> Thanx in advance...
> 
> Subject:
>         A true story; please, let us all care about it together
>    From:
>         Nothing <[EMAIL PROTECTED]>

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: EOF in cipher???
Date: Wed, 23 Feb 2000 09:11:01 +0100

Douglas A. Gwyn wrote:
> 
> Mok-Kong Shen wrote:
> > ... Imagine the case I am going to have a major surgical operation
> > and I hear the surgeons disputing about which knives should
> > properly be used!
> 
> If that were an Internet newsgroup dispute, you would be a fool
> to think that it was an argument among surgeons.  It would be an
> argument among perhaps a surgeon or two (who would agree on the
> main points) and a bunch of people who would not be allowed
> anywhere near a real operating room (except as patients).

You may be right. Still, in the hypothetical case described you
couldn't blame me for my inability to distinguish a real surgeon
from an imitated one. A few times I read in newspapers that 
somebody, putting on doctor's clothing, went through patients' 
rooms in hospitals and 'examined' female patients!

In internet newsgroups and mailing lists, one not seldom sees
some non-experts 'demonstrate' their 'profound' knowledge, in 
order to show-off as experts. On the other hand, there are real
experts who 'smash' on postings of non-experts when they detect
the slightest mistakes of the latter and also do other kinds of
manoeuvres, with the intention to show-off as even 'much bigger' 
real experts. From the substantial difference in knowledge you 
could imagine how difficult the position of the non-experts is 
in their debates with the real experts in such cases. Sometimes 
these real experts, who highly desire to grow in size rapidly, 
even behave very poorly. (I personally expect though that the 
quality of behaviour of a scientist should be positively 
correlated to the quantity of his knowledge.) Being a non-expert 
(and besides one with rather poor knowledge), I have gathered 
in the past a few unforgettable experiences in my encounter
with the 'expansionist' real experts. Once in a mailing list one 
of them answered to an article I posted and, without saying 
any scientific matter to the topic concerned, demanded that I went 
off the mailing list. (I conjecture that he probably did that as 
a 'reaction' to a previous discussion which he apparently didn't 
like very much. There are indications that I probably remain on 
his 'black list' even today.)

That's sad, but that's life, isn't it?

M. K. Shen
==========================
http://home.t-online.de/home/mok-kong.shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Processor speeds.
Date: Wed, 23 Feb 2000 09:10:54 +0100

Joseph Ashwood wrote:
> 
> > Can you name a manufacturer?
> Sega Dreamcast is the one that comes to mind, there's also
> Playstation 2, and Dolphin fairly soon. The problem I see is
> the available memory, generally <=8MB

I believe that's not a too big bottleneck. I can still remember
the old times of PC where I was very delighted when one day my 
hardware colleague took away my 16 MHZ PC and gave me one of 40 
MHZ and 2MB of memory. If it is convenient to generate code to
run with PVM and similar software, then reasonable cluster computing 
should be possible.

M. K. Shen

------------------------------

From: "Steve Coath" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 09:09:26 -0000

Ilya <[EMAIL PROTECTED]> wrote in message
news:zZEs4.2145$[EMAIL PROTECTED]...
>
>
> Is it secure to take two words and join them together, such as:
>
> crypto/life cyber@machine green-dog Loud!Music
>
> I  find that they are  really  easy to remember,  especially  if the word
> combination  has some meaning  to the user.  I have  been  told that such
> combinations are vulnerable to dictionary attacks.  I think that they are
> not vulnerable to dictionary attacks since the password is not a word, it
> combines two words and is meaningless and can only be brute-forced.
>
> Any input on that?

In a previous job I used to handle some extremely classified material. Our
passwords used to be randomly generated for us every week and usually took
the form of a jumbled mass of random letters, numbers and characters.
You could end up with something such as : Az\\-+.tdhB*
Extremely difficult to guess, but also extremely difficult to remember. So
everyone used to write them down and keep them in their pockets.



------------------------------

From: [EMAIL PROTECTED]
Subject: cannot understand CFB mode code..
Date: Wed, 23 Feb 2000 10:03:25 GMT

Hi,
I am looking at the CFB64 mode for blowfish in
Eric's libbf...I cannot understand one thing..

    printf("testing blowfish in cfb64 mode\n");

    BF_set_key(&key,16,cbc_key);
    memset(cbc_in,0,40);
    memset(cbc_out,0,40);
    memcpy(iv,cbc_iv,8);
    n=0;
    BF_cfb64_encrypt((unsigned char *)cbc_data,cbc_out,(long)13,
        &key,iv,&n,BF_ENCRYPT);
    BF_cfb64_encrypt((unsigned char *)&(cbc_data[13]),&(cbc_out[13]),len-13,
        &key,iv,&n,BF_ENCRYPT);

why are there two levels of encryption here...and
what is so special about the number 13 that was
chosen in the second encryption line..??

Pls help..I am a rookie in crypt prog..

Thx,
Arni


Sent via Deja.com http://www.deja.com/
Before you buy.
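
An added example for the question above (not part of the original post and not libbf code): the two calls in the quoted test are one CFB stream encrypted in two pieces, with `iv` and `n` carrying the position between calls, and 13 is not a multiple of the 8-byte block size, so the first call stops mid-block. XTEA stands in for Blowfish as the 64-bit block cipher; `cfb64()` and the other function names are hypothetical, and the key, IV and message are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XTEA (64-bit block) stands in for Blowfish; only the 8-byte block size matters here. */
static void block_encrypt(const uint32_t k[4], unsigned char b[8])
{
    uint32_t v[2] = {0, 0}, sum = 0;
    for (int i = 0; i < 8; i++) v[i / 4] = v[i / 4] << 8 | b[i];  /* big-endian load */
    for (int i = 0; i < 32; i++) {
        v[0] += (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v[1] += (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (sum + k[(sum >> 11) & 3]);
    }
    for (int i = 7; i >= 0; i--) { b[i] = (unsigned char)v[i / 4]; v[i / 4] >>= 8; }
}

/* Hypothetical helper; argument order follows the call quoted in the post.
 * ivec and *num are updated in place, so the next call resumes the stream. */
static void cfb64(const unsigned char *in, unsigned char *out, size_t len,
                  const uint32_t key[4], unsigned char ivec[8], int *num, int enc)
{
    int n = *num;
    for (size_t i = 0; i < len; i++) {
        if (n == 0) block_encrypt(key, ivec);  /* ivec now holds keystream */
        unsigned char c = enc ? (unsigned char)(in[i] ^ ivec[n]) : in[i];
        out[i] = enc ? c : (unsigned char)(in[i] ^ ivec[n]);
        ivec[n] = c;                           /* ciphertext byte is the feedback */
        n = (n + 1) & 7;
    }
    *num = n;
}

/* Constructed sample key, IV and message. */
static const uint32_t KEY[4] = {0x00112233u, 0x44556677u, 0x8899aabbu, 0xccddeeffu};
static const unsigned char IV[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static const unsigned char MSG[] = "constructed plaintext for the CFB64 split demo";
#define MSG_LEN (sizeof MSG)

/* Run cfb64 twice, split at `split`; returns num as left by the first call.
 * reset_state=1 re-initialises ivec and num in between (the mistake to avoid). */
static int two_calls(const unsigned char *src, unsigned char *dst,
                     size_t split, int reset_state, int enc)
{
    unsigned char iv[8];
    int n = 0, mid;
    memcpy(iv, IV, 8);
    cfb64(src, dst, split, KEY, iv, &n, enc);
    mid = n;
    if (reset_state) { memcpy(iv, IV, 8); n = 0; }
    cfb64(src + split, dst + split, MSG_LEN - split, KEY, iv, &n, enc);
    return mid;
}

/* 1 if two-call encryption split at `split` equals a single call and the
 * result also decrypts back to MSG in two calls. */
int split_is_transparent(size_t split, int reset_state)
{
    unsigned char one[MSG_LEN], two[MSG_LEN], back[MSG_LEN];
    two_calls(MSG, one, MSG_LEN, 0, 1);        /* second call gets 0 bytes */
    two_calls(MSG, two, split, reset_state, 1);
    two_calls(two, back, split, reset_state, 0);
    return memcmp(one, two, MSG_LEN) == 0 && memcmp(back, MSG, MSG_LEN) == 0;
}

/* Value left in num after encrypting `len` bytes from a fresh state. */
int num_after(size_t len)
{
    unsigned char out[MSG_LEN];
    return two_calls(MSG, out, len, 0, 1);
}

int main(void)
{
    printf("state kept: %d  state reset: %d  num after 13 bytes: %d\n",
           split_is_transparent(13, 0), split_is_transparent(13, 1), num_after(13));
    return 0;
}
```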

------------------------------

From: "Ken Hagan" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 10:10:53 -0000

"Ilya" <[EMAIL PROTECTED]> wrote in message
news:zZEs4.2145$[EMAIL PROTECTED]...
> Is it secure to take two words and join them together, such as:
>
> crypto/life cyber@machine green-dog Loud!Music
>
> I think that they are not vulnerable to dictionary attacks since the
> password is not a word, it combines two words and is meaningless
> and can only be brute-forced.

You don't seem to be getting much cryptographic analysis here.
I think it's safe, and I (light-heartedly) challenge anyone to describe
how they could attack it.

The one-way hash from "what you type" to "whatever the system stores
for comparison against" ought to distribute evenly across its space of
possible hashes. Therefore, for any password, however constructed, one
wrong answer is as bad as another. Guessing part of the password doesn't
help.

Using "real words" as the building blocks is usually said to reduce
the strength because it reduces the number of possible plaintexts.
In the extreme case of "only using proper words", a dictionary attack
with only a million or so words (the whole dictionary) would always
succeed.

However, for the scheme you describe, the closest we could come to
a "dictionary" is as follows.

1  Take a dictionary with various capitalisations like "hello", "Hello"
    and "HELLO".
2  Add "forms" like telephone numbers, car licence plate numbers, dates
    (in all the common orderings, like MM/DD/YY), ZIP codes etc.
3  Take some random punctuation characters.

Now, permute all of the above in every way. For an initial dictionary of a
few thousand "real words", this has now become a dictionary of around
a billion. That is probably out of reach for most crackers, and it wasn't
much of a dictionary. Here in the UK, people are likely to add postcodes
(like "SW1 1AA"), national insurance numbers (like "AB 12 34 56 78 X")
and their lottery numbers into the melting pot. I think the problem rapidly
becomes hopeless, even for the NSA.

If someone knows you, they might be able to prepare a better dictionary,
but I expect you can pick "elements" such that they'd have to be a close
personal friend to even get close -- and close is not good enough. I can
think of password elements that have never left my imagination, but which
are (for me) an obvious part of my identity, and ideal for the purpose.



------------------------------

From: "Markus Eiber" <[EMAIL PROTECTED]>
Subject: Transmitting ciphered data
Date: Wed, 23 Feb 2000 12:28:37 +0100

Hi there,
I am looking for some aspects on how ciphering data might influence the
efficiency of transmission systems.
Are there any references on this topic?

--
Markus Eiber
Werner-Heisenberg-Weg 106
85579 Neubiberg
[EMAIL PROTECTED]



------------------------------

From: [EMAIL PROTECTED] (Alfred John Menezes)
Subject: First announcement for ECC 2000
Date: 23 Feb 2000 11:07:01 GMT

==============================================================================

THE 4TH WORKSHOP ON ELLIPTIC CURVE CRYPTOGRAPHY (ECC 2000)

University of Essen, Essen, Germany

October 4, 5 & 6 2000

First Announcement              February 23, 2000


ECC 2000 is the fourth in a series of annual workshops dedicated to the 
study of elliptic curve cryptography and related areas. The main themes 
of ECC 2000 will be:
  - The discrete logarithm and elliptic curve discrete logarithm problems.
  - Provably secure discrete log-based cryptographic protocols for 
    encryption, signatures and key agreement.
  - Efficient software and hardware implementation of elliptic curve 
    cryptosystems.
  - Deployment of elliptic curve cryptography.

It is hoped that the meeting will encourage and stimulate further 
research on the security and implementation of elliptic curve 
cryptosystems and related areas, and encourage collaboration between 
mathematicians, computer scientists and engineers in the academic,
industry and government sectors.

There will be approximately 15 invited lectures (and no contributed 
talks), with the remaining time used for informal discussions. There
will be both survey lectures as well as lectures on latest research
developments. 

SPONSORS:
     Certicom Corp.
     Communications and Information Technology Ontario
     CV Cryptovision  
     Infineon
     Innovationscluster neue Medien (Minist. SWWF, NRW)
     MasterCard International
     Metris           
     Mondex International Limited
     Siemens AG       
     University GH Essen
     University of Waterloo

ORGANIZERS:
     Gerhard Frey     (University of Essen)
     Steven Galbraith (University of Essen)
     Alfred Menezes   (University of Waterloo)
     Scott Vanstone   (University of Waterloo)

CONFIRMED SPEAKERS:
     Pierrick Gaudry  (LIX, France)
     Erwin Hess       (Siemens, Germany)
     Ansgar Heuser    (BSI, Germany)
     Arjen Lenstra    (Citibank, USA)
     Peter Montgomery (Microsoft, USA)
     Christof Paar    (Worcester Polytechnic Institute, USA)
     Phil Rogaway     (University of California at Davis, USA)
     Scott Vanstone   (University of Waterloo, Canada)

SPEAKERS WHO HAVE TENTATIVELY ACCEPTED:
     Neal Koblitz     (University of Washington, USA)
     Victor Shoup     (IBM, Zurich)

LOCAL ARRANGEMENTS:

Essen is the largest city in the Ruhr region, and is about a 20-minute 
drive from Dusseldorf International airport. The second announcement will 
be made on May 1, and will include registration and local (i.e., hotel & 
transportation) information. If you did not receive this announcement by 
email and would like to be added to the mailing list for the second 
announcement, please send email to [EMAIL PROTECTED] The 
announcements are also available from the web sites: 
      www.cacr.math.uwaterloo.ca 
and 
      www.exp-math.uni-essen.de/~galbra/ecc2000.html

==============================================================================


------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 11:15:47 GMT

In article <zZEs4.2145$[EMAIL PROTECTED]>,
  Ilya <[EMAIL PROTECTED]> wrote:
>
>
> Is it secure to take two words and join them together, such as:
>
> crypto/life cyber@machine green-dog Loud!Music
>
> I  find that they are  really  easy to remember,  especially  if the word
> combination  has some meaning  to the user.  I have  been  told that such
> combinations are vulnerable to dictionary attacks.  I think that they are
> not vulnerable to dictionary attacks since the password is not a word, it
> combines two words and is meaningless and can only be brute-forced.
>
> Any input on that?

They are not vulnerable to dictionary attacks by most of the common
brute-force tools, as these rather try a few permutations and appending
strings like ".1" or "-6". They are vulnerable to more sophisticated
dictionary attacks, especially when somebody knows how many words you
usually append.

If you put the special characters inside of some words, the resulting
passphrase will no longer be vulnerable. You can use a pattern of
distributing lower and uppercase letters and special chars, as long as
you don't publish it. So for example:

cry9?pto/life cy@bermachine green-dog Lo#udMusic

was very secure before it was published.

Never use any keyboard patterns or "tricks" like writing a bad passphrase
one line of letters above, like someone has proposed. They are *all* in
the dictionaries.

Best regards,

Erich Steinmann



------------------------------

From: [EMAIL PROTECTED] (Michel Dalle)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 11:24:41 GMT

In article <newscache$c6pdqf$ci5$[EMAIL PROTECTED]>, "Ken Hagan" 
<[EMAIL PROTECTED]> wrote:
>"Ilya" <[EMAIL PROTECTED]> wrote in message
>news:zZEs4.2145$[EMAIL PROTECTED]...
>> Is it secure to take two words and join them together, such as:
>>
>> crypto/life cyber@machine green-dog Loud!Music
>>
>> I think that they are not vulnerable to dictionary attacks since the
>> password is not a word, it combines two words and is meaningless
>> and can only be brute-forced.
>
>You don't seem to be getting much cryptographic analysis here.
>I think it's safe, and I (light-heartedly) challenge anyone to describe
>how they could attack it.

Let's say a 'common' dictionary contains 50.000 words.

So, combining two words would take 2.500.000.000 combinations,
and inserting some non-alphanumeric character would multiply this
by 32. Of course, this doesn't take into account size limitations etc,
but let's say we end up with 80.000.000.000 "words".

So, for a fast PC doing about 50.000 crypts per second, it would
take about 18 days, 12 hours and 27 minutes to walk through the
dictionary.

Of course, it might be that you'll be using less than 10.000 words,
which brings the necessary time to 17 hours and 47 minutes...but
if you use uppercase first letters too, it would take 4 times longer.

So this password scheme isn't as secure as you might think -
assuming a "would-be attacker" knows the scheme :)

Or is my reasoning/math wrong here ?

Michel.
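
An added example, not written by any poster in this thread: the estimate above generalised into a small strength estimator that also expresses each search space in whole bits and sets it beside a fully random password. The 32 separators and the rate of 50,000 crypts per second are the post's figures; the 12-character, 94-symbol random password and all function names are assumptions made for the comparison.

```c
#include <stdio.h>

/* Candidate count for passwords of the form word SEP word [SEP word ...]:
 * (words * case_variants)^parts * separators^(parts - 1). */
double scheme_candidates(double words, int parts, double separators, double case_variants)
{
    double total = 1.0;
    for (int i = 0; i < parts; i++) {
        total *= words * case_variants;
        if (i > 0)
            total *= separators;
    }
    return total;
}

/* Candidate count for `length` characters drawn uniformly from `alphabet` symbols. */
double random_candidates(double alphabet, int length)
{
    double total = 1.0;
    for (int i = 0; i < length; i++)
        total *= alphabet;
    return total;
}

/* floor(log2(n)): whole bits of search effort, computed without libm. */
int whole_bits(double n)
{
    int bits = 0;
    while (n >= 2.0) {
        n /= 2.0;
        bits++;
    }
    return bits;
}

struct duration { long long days; int hours; int minutes; };

/* Time to try every candidate at `rate` guesses per second, to the nearest minute. */
struct duration exhaust_time(double candidates, double rate)
{
    long long total_min = (long long)((candidates / rate + 30.0) / 60.0);
    struct duration d;
    d.days = total_min / 1440;
    d.hours = (int)(total_min % 1440 / 60);
    d.minutes = (int)(total_min % 60);
    return d;
}

static void report(const char *label, double candidates, double rate)
{
    struct duration d = exhaust_time(candidates, rate);
    printf("%-34s %.3g candidates, ~%d bits, %lld d %d h %d min\n",
           label, candidates, whole_bits(candidates), d.days, d.hours, d.minutes);
}

int main(void)
{
    const double rate = 50000.0;   /* crypts per second, the figure used in the post */
    report("50,000 words, 2 parts, 32 seps", scheme_candidates(50000, 2, 32, 1), rate);
    report("10,000 words, 2 parts, 32 seps", scheme_candidates(10000, 2, 32, 1), rate);
    report("10,000 words + capitalised first", scheme_candidates(10000, 2, 32, 2), rate);
    report("12 random printable characters", random_candidates(94, 12), rate);  /* assumption */
    return 0;
}
```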

------------------------------

Date: Wed, 23 Feb 2000 12:47:07 +0100
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: need help! decryption

jamie wrote:
> This arrived in my email and I have no idea what it is, can someone tell
> me how to decypher it?
> 
> Thanx in advance...

Congratulations ! That's very probably spam in some foreign language !!
:)
(Japanese, Korean, Chinese, or whatever)

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: I am really scared of my NT
Date: Wed, 23 Feb 2000 11:39:26 GMT

In article <88v0c1$k1n$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Someone should come out with a crypto guard-ring to protect all the
> ports and physical access of a windows 98/NT w/s.  The whole thing is so
> shaky and insecure...

I'm not using any Windows, so I don't know the applications, but on my
computer I'm using a virus detection tool that scans for suspicious
system calls instead of specific viruses, and a stream watching tool that
watches all outgoing TCP/IP and UDP traffic. There are also tools or
operating system services that can register any changes made to system
directories.

However, I still think it's unlikely that I'd detect an attack by a
Trojan Horse or virus this way. Operating systems have too many holes...

Regards,

Erich Steinmann



------------------------------

From: "jdc" <[EMAIL PROTECTED]>
Subject: Re: Stuck on code-breaking problem - help appreciated
Date: Wed, 23 Feb 2000 11:57:52 -0000

"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote

> > It's in the front cover of an old society records book (1860-1888)
>
> Masonic?

The society in question isn't, but we think the code might be.

> Perhaps some FreeMason could assist.

One has, and hasn't got any further than us.

> > ... it *may* be upside down.
>
> But then the dots would precede words instead of following them,
> which doesn't seem likely.

Ah.... good point.

jdcxxx



------------------------------

From: "csabine" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Wed, 23 Feb 2000 12:02:17 -0000

Mmmm
Let's assume for a moment that tiwolf is correct. The government do know all
the codes and every bit of conversation that is carried out around the
world. In this 'tiwolf' universe:

All the mafia warlords have been locked up.
All the drug dealers have been dealt with.
80% of 'intents to murder' have been pre-empted.
All child pornographers have been exposed.
Blackmailers have been thrown in jail.
Extortionists have been ex-communicated.
etc, etc

But, alas, this 'tiwolf' universe does not exist. I think that perhaps this
is proof enough that mathematical laws are still holding out. And that
government employees are, after all, only human and not demi-gods.

Just my two pennorth worth (this is an English(UK) idiom)

Colin.


tiwolf wrote in message ...
>Anything is possible given time, money, and talent. Government has nothing
>to do with it. In this case the government desire to control along with
>access to money (tax payers), and (through the obscene spending of the
>taxpayers money) talent. This makes the probability high that people will
>break any code given the right equipment and time.
>
>
>Johnny Bravo wrote in message ...
>>On Tue, 15 Feb 2000 00:24:02 -0800, "tiwolf" <[EMAIL PROTECTED]> wrote:
>>
>>>I don't care about prime numbers,
>>
>>  So your opinion is "anything is possible for the government, even those
>>things which are impossible."  Let me guess, you are posting from
>>misc.survivalism, and you think the government has unlimited godlike
>>powers.
>>  You've already admitted that you don't have a single clue about the
>>topic under discussion.  Why you feel this makes your opinion more
>>informed than actual fact is beyond me.  You should have quit while you
>>were ahead.
>>
>>  Johnny Bravo
>>
>
>



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
