Cryptography-Digest Digest #187, Volume #11      Wed, 23 Feb 00 14:13:01 EST

Contents:
  Re: I am really scared of my NT (Tim Tyler)
  Crypto enthusiasm (wtshaw)
  Re: Passwords secure against dictionary attacks? (Alun Jones)
  Re: e-payment suggestion ("Dr.Gunter Abend")
  Re: The solution is Open Source! ("John E. Kuslich")
  Re: DES algorithm (John Savard)
  Re: NSA Linux and the GPL ("John E. Kuslich")
  Re: Crypto enthusiasm (Mok-Kong Shen)
  Re: Passwords secure against dictionary attacks? (Barry Margolin)
  Re: e-payment suggestion (Mike Rosing)
  Re: Linking Time-Stamping Servers (Mike Rosing)
  Re: John McCain Encrypt? (Thunder Dan)
  Re: Processor speeds. (Mike Rosing)
  Re: DES algorithm (Quisquater)
  Re: NSA Linux and the GPL (Mike Rosing)
  Report Details Vast SPY Network (Dave Hazelwood)
  Re: Transmitting ciphered data ("Douglas A. Gwyn")
  Re: OAP-L3 Encryption Software - Complete Help Files at web site (David A. Wagner)
  Re: Stuck on code-breaking problem - help appreciated ("Douglas A. Gwyn")
  Re: Stuck on code-breaking problem - help appreciated ("r.e.s.")
  Re: Does the NSA have ALL Possible PGP keys? ("Douglas A. Gwyn")
  Re: Passwords secure against dictionary attacks? (JimD)
  Re: DES algorithm ("Douglas A. Gwyn")
  Re: DES algorithm ("Douglas A. Gwyn")
  Re: The solution is Open Source! ("Douglas A. Gwyn")

----------------------------------------------------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: I am really scared of my NT
Reply-To: [EMAIL PROTECTED]
Date: Wed, 23 Feb 2000 15:37:04 GMT

[EMAIL PROTECTED] wrote:

: Someone should come out with a crypto guard-ring to protect all the
: ports and physical access of a windows 98/NT w/s.  The whole thing is
: so shaky and insecure...

If possible, it's better to build on a solid foundation, than to try to
shore up the house built on sand.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

The more you complain, the longer God makes you live.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Crypto enthusiasm
Date: Wed, 23 Feb 2000 09:19:25 -0600

This morning, I awakened with thoughts of all that I might get done in a
crypto way today. The result at best will be that of the various areas,
I'll just get a little done, however.  But, I pick the topic...that's
freedom.  Here are the options:

1) News--probably read crypto relevant groups three or so different times today.

2) C/C++--work on extending my basic knowledge in the area as I enlarge
the current dumb crypto program to be more flexible; file I/O is partly
working.  I wish it was as easy to do as BASIC, less cryptic and require
less microefforts to do anything.

3) I'm close to finishing a series of transposition applications according
to ACA standards, a handful left....Swagman, and some interesting Grilles.

4) Speaking of ACA, I could do a little cipher solving, even learn
something new.  This is apt to cause me to think how to write a program
too, or even come up with a variation.

5) Base Translation...scores of usable ones need implementing, picking up
with the one I was doing when I had my stroke last summer.  And, there is
always some new idea that needs to be reduced to workable notes with so
many others.

6) Pull out one of the formal articles I have been writing, correcting,
writing, correcting...

7) Do a little rabble rousing regarding crypto politics on the phone. Or,
check on progress regarding certain projects involving others...voice or
email.

8) Wander around the web looking for information that might be helpful.

9) Go to one of the nearby university libraries and hit the stacks.

10) Website work: Write something new, start another speciality site.

11) Clean up and reorganize information, trying to condense important
stuff so that it can be searched.

12) I'm sure there are more, and at least one will get into today's activities.

13) Look at future conferences, CFP, AES, ACA, etc., note dates on the
calendar, and hope that I will feel good enough to reasonably go to one
soon; but, I can dream can't I?
-- 
Regarding healthcare, when GWB became governor, Texas was 43 in
the nation, now we are 49th.  And, I need not tell you about his
bloody support of the death penalty.  Reformer?

------------------------------

From: [EMAIL PROTECTED] (Alun Jones)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 16:21:41 GMT

In article <newscache$c6pdqf$ci5$[EMAIL PROTECTED]>, "Ken Hagan" 
<[EMAIL PROTECTED]> wrote:
> "Ilya" <[EMAIL PROTECTED]> wrote in message
> news:zZEs4.2145$[EMAIL PROTECTED]...
> > Is it secure to take two words and join them together, such as:
> >
> > crypto/life cyber@machine green-dog Loud!Music
> >
> > I think that they are not vulnerable to dictionary attacks since the
> > password is not a word, it combines two words and is meaningless
> > and can only be brute-forced.
> 
> You don't seem to be getting much cryptographic analysis here.
> I think it's safe, and I (light-heartedly) challenge anyone to describe
> how they could attack it.

I might point out that one of the most common password hashes (at least as 
of a few years ago) encrypts only based on the first eight characters of 
your password.

I had a friend whose password was "elephantcake" - he reasoned, as the 
original poster did, that putting two words together was significantly 
harder to break, and yet we guessed enough of his password to log in, having 
seen only the first two letters.  "Elephant" is, of course, only eight 
letters long, so adding the second word did him no good whatsoever.

Alun.
~~~~

--
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find it
1602 Harvest Moon Place | at web site http://www.wftpd.com or email
Cedar Park TX 78613     | us at [EMAIL PROTECTED]  VISA / MC accepted.
Fax +1 (512) 378 3246   | NT based ISPs, be sure to read details of
Phone +1 (512) 378 3246 | WFTPD Pro, NT service version - $100.
*WFTPD and WFTPD Pro now available as native Alpha versions for NT*

------------------------------

From: "Dr.Gunter Abend" <[EMAIL PROTECTED]>
Subject: Re: e-payment suggestion
Date: Wed, 23 Feb 2000 17:44:37 +0100

Michael Lynn wrote:
> 
> now you're getting into digital cash type things...you would need
> a smart card for this and if you're going to go out and change
> everything to smartcards then there are dozens of algorithms
> for that...check out applied cryptography...he discusses a few
> there that are really cool...

When I read  http://www.echeck.org/ again, I got the impression
that my idea resembles electronical cheques, not e-cash.

The main point is:  the transmission of my "money" to the payee
occurs along a *weakly* secured pathway, may be telephone, fax,
internet, or the like, without too much risk.

What do you mean by "applied cryptography" -- the book by
B.Schneier?  Is there any other newsgroup for this topic?

I mentioned some links that I thought to be relevant.  These
existing (or proposed) systems do not fit with phone or fax. 
A smartcard is a possible way -- however, I'd prefer not to 
use it in situations where I do not really trust the payee.

In Germany, we have a system, called "Lastschrift-Einzug": 
You send a merchant or an office your account number and a 
written permission (not a cheque!) to draw money from your
account, once or repeating.  He does *not* send this paper to 
your bank, he only *affirms* that your permission *exists*. 
You may revoke any individual withdrawal (within six weeks), 
and *his* bank guarantees the refund -- no matter if justified.

The written paper can only be used to sue you for payment, 
in case you refuse to pay a justified claim.

Everybody who knows your account number *and* has a good contact
to his bank (which has to guarantee it!), can draw arbitrary
amounts of money from you. As soon as too many 
victims revoke these payments, his bank will stop him.

The proposed e-payment system resembles this Lastschrift, you 
transmit the *information* only, without the risk of too strong
misuse.

Ciao,   Gunter

------------------------------

From: "John E. Kuslich" <[EMAIL PROTECTED]>
Subject: Re: The solution is Open Source!
Date: Wed, 23 Feb 2000 09:37:43 -0700

The "answer"  you provide is NOT the answer at all.  It is an illusion.

Suppose you write open source code and everybody agrees that the source code
is as pure as the driven snow.

Now you have to compile the sucker, right?  How do you know that the
compiler you are using is as pure?

Ok, so you use an open source compiler, right?

Now you have to compile THAT sucker, right? Well no, some of it is written
in assembler so we worry about the assembler.

So we use an open source assembler. Which was compiled by another compiler,
so let's see we have to check that compiler also....

Gees, this is starting to be like work...

But, suppose, through a super human effort, you manage to convince yourself
that all the tools you use to compile your open source code are pure, you
still have a serious problem:

You have to execute the compiled code on a machine running an operating
system.  This O/S will be multithreaded and multitasking so many other
processes will be running concurrently (within the limits of the meaning of
concurrency in the O/S context).  Now, suppose one of the loaded libraries
your code uses has evil code that breaks your security?

Take Java for instance.  This overhyped language is supposed to "play in
its own sandbox". Baloney.  Turn on a debugger and watch the system calls
Java makes.  You will see standard system code running all over the place.
Calls are made to Winsock for example.  Now think of the potential for
security violations here.  A trojan placed in the Winsock dll could send
your plain text to Zanzibar without your knowledge.

Open source is good for a lot of things, but it does nothing for security.

JK  http://www.crak.com  Password Recovery Software




<[EMAIL PROTECTED]> wrote in message news:88ua13$29b$[EMAIL PROTECTED]...
> In article <88s99s$lhu$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] wrote:
>
> How can we be sure our encryption software has no backdoor?
>
> The answer, of course is Open Source. There are several free open source
> encryption packages available, e.g. the java package by www.cryptix.org.
> The source code for this is available, so anyone with a basic
> understanding of programming and math can check the code to make sure
> there are no secret backdoors or key escrow systems.
>
> It's free, and you yourself can ensure it's safe! Goodnight NSA...
>
> -Erik Runeson
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: DES algorithm
Date: Wed, 23 Feb 2000 09:47:57 GMT

Jean-Jacques Quisquater <[EMAIL PROTECTED]> wrote, in part:

>See

>http://www.ams.org/notices/200003/fea-landau.pdf

I notice that URLs are occasionally provided directly to .pdf
documents. That will make them come up in the browser, which requires
both the browser and Acrobat Reader to be running at the same time,
which may lead to system crashes on older computers with less memory.

It would be safer to provide a link to a page that contains a link to
the .pdf document, since then one can right-click and choose "Save
Link As". That also allows one to explore the rest of the site through
links.

John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "John E. Kuslich" <[EMAIL PROTECTED]>
Subject: Re: NSA Linux and the GPL
Date: Wed, 23 Feb 2000 09:50:51 -0700

It is rather remarkable to think about "secure" computers in light of the
recent revelations about John Deutch (former CIA Director).

What is even more remarkable is the fact that this government fat cat will
probably get off scot-free while that poor Chinese fellow at the Department
of Energy will wind up facing a firing squad!!

Why has John Deutch not been arrested and charged with violations of the
law regarding care of classified information?????????


JK


Jerry Coffin <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] says...
>
> [ ... ]
>
> > I'm sure that is true, at present. But there was a news item that the
> > NSA has commissioned a private firm to modify Linux so that it would
> > be a secure enough operating system for the NSA to use.
>
> I suspect the news item was giving a mildly screwed up version of
> things.  Unless I'm mistaken, one of the commercial Linux vendors IS
> working at getting Linux put on the evaluated products list with a
> rating of something like C1 or thereabouts.
>
> The NSA is involved with evaluating products according to the orange
> book criteria, but the criteria is intended primarily for use BY other
> agencies such as the military.
>
> I strongly suspect that many (perhaps most) of the orange book is
> largely inapplicable to computers used inside the NSA -- I suspect an
> even stronger partitioning between classified and (the rare bit of)
> unclassified information than applies to the rest of the world.  I
> don't know for sure, but it wouldn't surprise me even simple things
> like payrolls are classified inside the NSA, where they're merely "For
> Official Use Only" throughout, for example, most of the military.
>
> In short, I strongly suspect that use inside the NSA wasn't being
> discussed nearly as much as evaluation by the NSA for government use
> requiring a trusted computer system.
>
> --
>     Later,
>     Jerry.
>
> The universe is a figment of its own imagination.


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto enthusiasm
Date: Wed, 23 Feb 2000 18:17:19 +0100

wtshaw wrote:
> 
> This morning, I awakened with thoughts of all that I might get done in a
> crypto way today. The result at best will be that of the various areas,
> I'll just get a little done, however.  But, I pick the topic...that's
> freedom.  Here are the options:

In my humble opinion, doing work in crypto does not differ
'fundamentally' from doing work in any other field of science.
Hence one fact always rules: In a finite time one can at most
do a limited amount of work. So one has to pick one of one's many
options to be the option of the day, or perhaps of the week/month. 
If one instead tries to pursue a number of options parallelly, which
one could very easily be tempted to do, the result is more often than
not like chasing the same number of hares. Once I wanted to learn
two foreign languages parallelly, the result was extremely
disappointing. Your dozen or so of options all seem to be quite 
promising. Why don't you just randomly choose one and DO it? (Or do 
you need an ideal source of 'true' randomness to help you make the 
choice in a theoretically impeccable way?) Good luck to you!

M. K. Shen

------------------------------

From: Barry Margolin <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 17:34:38 GMT

In article <8911el$[EMAIL PROTECTED]>, Alun Jones <[EMAIL PROTECTED]> wrote:
>I had a friend whose password was "elephantcake" - he reasoned, as the 
>original poster did, that putting two words together was significantly 
>harder to break, and yet we guessed enough of his password to log in, having 
>seen only the first two letters.  "Elephant" is, of course, only eight 
>letters long, so adding the second word did him no good whatsoever.

I remember making a similar mistake years ago when selecting a PIN for my
ATM card.  I chose a word, but interchanged a couple of the letters.  I
really felt stupid when I noticed that both of them are on the same key of
the ATM's telephone-style keypad.

Going back to the original poster's question, I have this comment: using
two words (assuming all the characters are significant) is certainly
*better* than using one word.  But as others have pointed out, there are
better password schemes than that.

-- 
Barry Margolin, [EMAIL PROTECTED]
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
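
[Added example, not part of the original posts: a small password audit for the situation Alun Jones and Barry Margolin describe, where only the first eight characters of a password are significant. `truncating_hash` is a SHA-256 stand-in that models only the truncation (it is not the real legacy hash), and the wordlist, separators and function names are constructed for illustration.]

```python
import hashlib

SIGNIFICANT = 8                        # leading characters the modelled hash reads
SEPARATORS = ("", "/", "@", "-", "!")  # joiners seen in the thread, plus none

# Constructed sample wordlist; a real audit would load a full dictionary.
WORDS = ["elephant", "cake", "crypto", "life", "cyber",
         "machine", "green", "dog", "loud", "music"]


def truncating_hash(password, salt="ab", significant=SIGNIFICANT):
    """Stand-in for a legacy hash that ignores everything after `significant`
    characters. SHA-256 is used only to model that truncation."""
    return hashlib.sha256((salt + password[:significant]).encode()).hexdigest()


def dictionary_prefixes(words, separators=SEPARATORS, significant=SIGNIFICANT):
    """Distinct strings the hash would actually see for one-word guesses and
    for word+separator+word guesses (pairs exclude anything a single covers)."""
    singles = {w[:significant] for w in words}
    pairs = {(a + s + b)[:significant]
             for a in words for s in separators for b in words}
    return singles, pairs - singles


def audit(password, words=WORDS, significant=SIGNIFICANT):
    """Report which part of `password` counts and which wordlist covers it."""
    effective = password[:significant]
    folded = effective.lower()  # case-folded; case variants add a small factor
    singles, pairs = dictionary_prefixes(words, significant=significant)
    if folded in singles:
        covered_by, guesses = "single word", len(singles)
    elif folded in pairs:
        covered_by, guesses = "two words", len(singles) + len(pairs)
    else:
        covered_by, guesses = None, None
    return {
        "effective": effective,              # what the hash sees
        "ignored": password[significant:],   # what adds no strength
        "covered_by": covered_by,            # smallest wordlist that contains it
        "max_guesses": guesses,              # size of that candidate set
        "brute_force": 95 ** min(len(password), significant),
    }


if __name__ == "__main__":
    for pw in ("elephantcake", "crypto/life", "green-dog",
               "Loud!Music", "q7#Lw2!xRk9"):
        print(pw, audit(pw))
    # Same password when every character is significant:
    print("elephantcake", audit("elephantcake", significant=64))
```

With the eight-character limit "elephantcake" falls to the single-word list; with all characters significant it needs the much larger two-word list, which is the "better than one word" point made above.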

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: e-payment suggestion
Date: Wed, 23 Feb 2000 11:45:10 -0600

Dr.Gunter Abend wrote:
 
> When I read  http://www.echeck.org/ again, I got the impression
> that my idea resembles electronical cheques, not e-cash.
> 
> The main point is:  the transmission of my "money" to the payee
> occurs along a *weakly* secured pathway, may be telephone, fax,
> internet, or the like, without too much risk.
> 
> What do you mean by "applied cryptography" -- the book by
> B.Schneier?  Is there any other newsgroup for this topic?

Check out http://www.zero-knowledge.com/ and read up on their
purchase of Stefan Brands patents (not to mention Brands :-)
You'll find out more about secure money transfers than you
want to know.

Patience, persistence, truth,
Dr. mike

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Linking Time-Stamping Servers
Date: Wed, 23 Feb 2000 12:01:47 -0600

Jean Marc Dieu wrote:
> 
> Has anyone heard about ways/protocols to link several Time-Stamping
> Servers?
> By linking I mean two things:
> 
> 1. Synchronize clocks (What are the options: NTP,... and their
> effectiveness against an attack such as (Distributed) Denial of Service)

Lock all servers to an external clock.  Most countries have a time
base standard which is broadcast by radio.  By comparing the time
base with the time from another server you get a much better idea
of what the sync delays are.  Drifts in any server can also be
corrected by the server itself.  Radio jamming will wipe out
one server, but it would be hard to get them all without jamming the
source.  And in most countries, that would be noticed :-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: Thunder Dan <[EMAIL PROTECTED]>
Subject: Re: John McCain Encrypt?
Date: Wed, 23 Feb 2000 18:04:39 GMT

Somebody named ChenNelson posted the following manifesto...
> The "junk" looks a lot like the garbage that a Hipcrime has been
> spewing periodically to newsgroups he/she/it does not like. I doubt it
> is actually an encrypted message. I'm willing to guess this bozo (or
> ones similar, don't like McCain).

hmmm, could you elaborate? who is Hipcrime?

this same message was posted to a LOT of newsgroups
and the x-comments said "Throwaway Dial-up account" "Resistance is 
Futile"

so what you are saying is that this code has no meaning at ALL?
not a bit?

-- 
Get money for using the web.  No download required.
Just go to:
http://secure.clickdough.com/servlets/cr/CRSignup.po?referral_id=tdan.

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Processor speeds.
Date: Wed, 23 Feb 2000 12:09:59 -0600

Clockwork wrote:
> 
> The newer systems are nearly as expandable as an average PC.  The newer
> consoles will definitely position its ultra-powerful "game" systems as
> workstations -- or home-computing devices.  (Why WAIT for renders or
> simulations [or factorizations] on a PC, when you can do it in real-time on
> a console :)
> 
> All newer, 128-bit consoles support vastly increased RAM capacity, network
> cards, modems, keyboards, VR devices, and force-feedback; more will be
> available shortly after the release of these consoles.
> 
> Another question: When was the last time your console crashed?

It's a nice idea that's been bantered around a long time.  The problem is
the amount of real work it takes to make it happen.  A year ago
my brother and I were day dreaming about dumpster diving the old 64 bit
machines and building a supercomputer from those.  At only $200 the 128
bit machines are pretty cheap for what they do, and I totally agree
with you that sticking a bunch of them together would make a great toy.
Getting all the development tools you need puts it past the hobby level
though, and that's why it's mostly just fun to talk about.

Patience, persistence, truth,
Dr. mike

------------------------------

From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: DES algorithm
Date: Wed, 23 Feb 2000 19:42:29 +0100

Sorry. And good reading!

Jean-Jacques,

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: NSA Linux and the GPL
Date: Wed, 23 Feb 2000 12:23:45 -0600

John E. Kuslich wrote:
> 
> It is rather remarkable to think about "secure" computers in light of the
> recent revelations about John Deutch (former CIA Director).
> 
> What is even more remarkable is the fact that this government fat cat will
> probably get off scot-free while that poor Chinese fellow at the Department
> of Energy will wind up facing a firing squad!!
> 
> Why has John Deutch not been arrested and charged with violations of the
> law regarding care of classified information?????????

Because he knows all the illegal crap a lot of other high level people
have done, and half the government would be implicated in some kind of
judicial proceeding if he is.  Lots easier to let him go.

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED] (Dave Hazelwood)
Subject: Report Details Vast SPY Network
Date: Wed, 23 Feb 2000 18:34:11 GMT

The plot thickens!

BRUSSELS, Belgium (AP) - A U.S.-led communications monitoring network
is intercepting "billions of messages per hour" including telephone
calls, fax transmissions and private e-mails, according to a European
Parliament report made public Wednesday. 

"We are not talking about a trivial thing here ... we cannot stop
them, they will continue," said Duncan Campbell, author of
the special parliament-commissioned report on the Echelon spy-network.


Campbell said that the intelligence network monitors and intercepts
sensitive European-wide commercial communications. "The level of use
is getting out of control," he told a packed hearing of the
Parliament's Committee for Justice and Home Affairs. 

He said Canada, Britain, Australia and New Zealand are also involved
in Echelon. Other nations including France and Germany also
participate in a lower level in the spy-network which dates back 50
years to the beginning of the Cold War. 

"The capacity of the filtering systems is enormous," Campbell said. He
added that most international internet communications are being routed
through the United States and through nine known U.S. National
Security Agency interception sites. 

Intelligence facilities located in the five countries can intercept
fax, e-mail or telephone communications easily, he said.
Campbell urged the European Union to take action to protect against
unwanted interception of communications, which he said were violations
of human rights. 

Committee chairman Graham Watson said he wanted to be sure the
international surveillance system was not abusing its powers. 

Campbell said Microsoft, IBM, and a certain "large American microchip
maker" were providing certain product features which allow the
interception of information flow. 

Campbell said he did not know whether the U.S. corporations were
benefitting from the information gathering but said
previous commercial espionage resulted in the collapse of several
European contracts in the airline industry - both military and
commercial. 

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Transmitting ciphered data
Date: Wed, 23 Feb 2000 18:46:53 GMT

Markus Eiber wrote:
> I am looking for some aspects on how ciphering data might influence
> the efficiency of transmission systems.

It makes statistical compression, such as is found on some modems,
useless.

Random data, such as results from high-grade encryption, is the
worst case for error-control schemes, which could mean increased
number of retransmissions in an ARQ scheme.

A block cipher requires buffering (the block size), which adds
latency.

Authentication and negotiating a session key, when applicable,
takes resources, and thus time.

And of course, enciphering/deciphering itself takes resources,
and thus time.  (How much time depends on the system used and
the available hardware support.)
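
[Added example, not part of the original post: it measures the first point above, that ciphertext defeats statistical compression on the link, by compressing the same data before and after encryption. The XOR keystream cipher is a toy stand-in for "high-grade encryption" (do not use it to protect data), and the sample traffic, key and function names are constructed for illustration.]

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.
    Stand-in only; applying it twice with the same key decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def link_sizes(plaintext: bytes, key: bytes) -> dict:
    """Bytes that would cross the link under each ordering."""
    ciphertext = keystream_xor(key, plaintext)
    compressed = zlib.compress(plaintext, 9)
    return {
        "plain": len(plaintext),
        "compress_only": len(compressed),
        # What a compressing modem sees when handed ciphertext:
        "encrypt_then_compress": len(zlib.compress(ciphertext, 9)),
        # Compress first, then encrypt the compressed stream:
        "compress_then_encrypt": len(keystream_xor(key, compressed)),
    }


# Constructed sample traffic: repetitive, like much real plaintext.
SAMPLE = b"".join(
    b"%04d status report: link up, no errors detected on channel %d\n" % (n, n % 4)
    for n in range(200)
)
KEY = b"constructed demo key"

if __name__ == "__main__":
    for name, size in link_sizes(SAMPLE, KEY).items():
        print(f"{name:>22}: {size} bytes")
```

Compressing before encrypting recovers the bandwidth, but the ciphertext length then depends on the plaintext content, which matters when an attacker can influence part of the plaintext.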

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: OAP-L3 Encryption Software - Complete Help Files at web site
Date: 23 Feb 2000 10:11:43 -0800

In article <[EMAIL PROTECTED]>, Tim Tyler  <[EMAIL PROTECTED]> wrote:
> Any algorithm that comes with a mathematical proof that it's unbreakable
> is unlikely to be analysed by the world's leading codebreakers.
> 
> Instead it is likely to be dismissed out-of-hand - as the output of
> someone with little idea about the nature of the field.

Nonsense.  Cryptosystems that are provably secure (under some assumptions)
are published all the time, and broken some of the time.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Stuck on code-breaking problem - help appreciated
Date: Wed, 23 Feb 2000 18:51:30 GMT

jdc wrote:
> The society in question isn't [Masonic],
> but we think the code might be.

I spent some time last night trying various easy arrangements of
the pigpen, without much success.  There is barely enough
repetition to work with, and if the underlying language is other
than English, you need somebody fluent in that language as well
as practiced in simple cryptograms.  (I suggest picking an
arbitrary pigpen and converting the cryptogram to letters,
which will be more comfortable for a cryptogrammist to work with.)

Good luck!

------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: Stuck on code-breaking problem - help appreciated
Date: Wed, 23 Feb 2000 10:55:03 -0800

If you haven't already done so, you may want to try some
simple letter-pattern searching.  It might be worth a try
to cross-match the wordlists for the six words.  If the
"ending dots" are omitted, the words in question have the
following patterns (or some variation if read in reverse,
etc.), if I haven't made any mistakes:

ABCDEF  GHIIHJK  CLJMMBN  GHIIHJK  DMGJOM  EHEPO

At
http://www.und.nodak.edu/org/crypto/crypto/words/Pattern.lists/
see pattern.readme, and perhaps download pattern.english.zip.
(It's a DOS program.)

--
r.e.s.
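
[Added example, not part of the original post: the letter-pattern search and cross-matching suggested above, written out. The wordlist and the two-word cryptogram used for cross-matching are constructed for illustration and are not a solution to the cryptogram in this thread; only the six patterns in `POSTED` come from the post. This is not the DOS program mentioned above.]

```python
# Constructed sample wordlist; a real search would use a full pattern list.
WORDS = ["passage", "cabbage", "massage", "succumb",
         "page", "sage", "cake", "gate", "ease"]

# The six word patterns quoted in the post above.
POSTED = "ABCDEF GHIIHJK CLJMMBN GHIIHJK DMGJOM EHEPO".split()


def pattern(word):
    """Canonical pattern of one word: first distinct symbol -> A, next -> B, ..."""
    seen = {}
    return "".join(seen.setdefault(ch, chr(ord("A") + len(seen))) for ch in word)


def candidates(cipher_word, wordlist=WORDS):
    """Words whose repeated-letter structure matches the cipher word."""
    target = pattern(cipher_word)
    return [w for w in wordlist if pattern(w) == target]


def cross_match(cipher_words, wordlist=WORDS):
    """All assignments of candidate words that agree on shared symbols.
    Simple substitution is assumed: one symbol <-> one plaintext letter."""
    # Try the most constrained words first to prune early.
    order = sorted(dict.fromkeys(cipher_words),
                   key=lambda cw: len(candidates(cw, wordlist)))
    solutions = []

    def extend(i, fwd, rev):
        if i == len(order):
            solutions.append({cw: "".join(fwd[c] for c in cw) for cw in order})
            return
        cw = order[i]
        for w in candidates(cw, wordlist):
            f, r = dict(fwd), dict(rev)  # copies, so a failed try leaves no trace
            if all(f.setdefault(c, p) == p and r.setdefault(p, c) == c
                   for c, p in zip(cw, w)):
                extend(i + 1, f, r)

    extend(0, {}, {})
    return solutions


if __name__ == "__main__":
    for cw in POSTED:
        print(cw, "->", pattern(cw), candidates(cw))
    # Constructed cryptogram: two words sharing the symbols X, Y, W, V.
    print(cross_match(["XYZZYWV", "XYWV"]))
```

Taken alone, the seven-letter word has four candidates in this list; requiring the shared symbols to agree with the second word leaves one.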



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Wed, 23 Feb 2000 18:57:55 GMT

csabine wrote:
> Let's assume ... the government do know ... every bit of conversation:
> All the mafia warlords have been locked up. ...
> But, alas, this ... universe does not exist. I think that perhaps
> this is proof enough ...

There are some additional BIG assumptions being made there,
mainly that the eavesdroppers would blow their advantage by
making it obvious that they can successfully eavesdrop.
Historically, whether or not to act on COMINT has been a
point of debate, and often the decision was to let some bad
things happen rather than act to prevent them and tip off
the communicants that their communications were not secure,
thereby possibly losing the chance to prevent even worse
things in the long run.

But anyway, certainly not every "code" is read.

------------------------------

From: [EMAIL PROTECTED] (JimD)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Reply-To: JimD
Date: Wed, 23 Feb 2000 19:00:28 GMT

On Wed, 23 Feb 2000 09:09:26 -0000, "Steve Coath" <[EMAIL PROTECTED]> wrote:

>Ilya <[EMAIL PROTECTED]> wrote in message
>news:zZEs4.2145$[EMAIL PROTECTED]...
>>
>>
>> Is it secure to take two words and join them together, such as:
>>
>> crypto/life cyber@machine green-dog Loud!Music
>>
>> I  find that they are  really  easy to remember,  especially  if the word
>> combination  has some meaning  to the user.  I have  been  told that such
>> combinations are vulnerable to dictionary attacks.  I think that they are
>> not vulnerable to dictionary attacks since the password is not a word, it
>> combines two words and is meaningless and can only be brute-forced.
>>
>> Any input on that?
>
>In a previous job I used to handle some extremely classified material. Our
>passwords used to be randomly generated for us every week and usually took
>the form of a jumbled mass of random letters, numbers and characters.
>You could end up with something such as: Az\\-+.tdhB*
>Extremely difficult to guess, but also extremely difficult to remember. So
>everyone used to write them down and keep them in their pockets.

No wonder the Chinese got hold of your weapons secrets.

-- 
Jim Dunnett.
dynastic at cwcom.net



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: DES algorithm
Date: Wed, 23 Feb 2000 19:01:00 GMT

John Savard wrote:
> I notice that URLs are occasionally provided directly to .pdf
> documents. That will make them come up in the browser, ...

Not if you "save link as" instead of just default-selecting
the link.  If somebody really has the problem you describe,
he ought to be aware of that simple solution.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: DES algorithm
Date: Wed, 23 Feb 2000 19:05:03 GMT

Charles Nicol wrote:
> There is an excellent article on the DES algorithm in the
> Notices of The American Mathematical Society, March, volume 47,
> Number 3.  It was written by Susan Landau ...

There is also a review by Jim Reeds of Singh's "The Code Book"
in the same issue.

I didn't mention these before, because as articles written for
the non-cryptographic specialist, they don't contain anything
really new.  But they do make interesting reading if you have
the time.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: The solution is Open Source!
Date: Wed, 23 Feb 2000 19:09:44 GMT

"John E. Kuslich" wrote:
> Open source is good for a lot of things, but it does nothing for
> security.

It sure helps!  The scenarios you described are ones where security
has *already* been lost, bigtime.  In scenarios that are still
secure, using open source can help you keep it that way.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
