Cryptography-Digest Digest #208, Volume #11 Sun, 27 Feb 00 14:13:01 EST
Contents:
Re: Passwords secure against dictionary attacks? (Dave Howe)
Re: Passwords secure against dictionary attacks? (Dave Howe)
Re: The former CIA directors are just playing roles .. they are involved in the
covert action ("Matt Hall")
Re: I had me an Idea (Dynamic Key Encription) (Frank Gifford)
Re: Snuffle source code? (David A Molnar)
Re: NSA Linux and the GPL ("Trevor Jackson, III")
Re: NSA SPIES ON THE POPE, MOTHER THERESA AND DIANA! (Mary - Jayne)
Can someone break this cipher? (Mary - Jayne)
Beginner Help ? ("Norman Little")
Re: On jamming interception networks ("Amical")
Re: NSA Linux and the GPL (Andru Luvisi)
Re: Can someone break this cipher? ("A [Temporary] Dog")
Re: Passwords secure against dictionary attacks? (Guy Macon)
Re: Can someone break this cipher? ("Adam Durana")
Re: Can someone break this cipher? (Bill Unruh)
Re: Can someone break this cipher? (Boris Kazak)
Re: On jamming interception networks (JimD)
----------------------------------------------------------------------------
From: Dave Howe <DHowe@hawkswing>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Sun, 27 Feb 2000 12:27:17 +0000
Reply-To: DHowe@get_email_from_sig
In our last episode (<alt.security.pgp>[Fri, 25 Feb 2000 07:17:11
GMT]), [EMAIL PROTECTED] said :
>JimD wrote:
>> >Don't use *any* word in *any* language!
>>
>> How about ten English words with different punctuation symbols
>> as word separators?
>
>do you mean that 'English' is not '*any* language' ? :-)
Hmm. if I had to come up with a rule of thumb here, I would count any
english word (or $LANGUAGE word for that matter) as being two random
characters; so ten english words with non-space separators would be
equivilent to a 29-character truely random password - which is
definitely non-trivial to crack.
However, it is also non-trivial to type - particularly in password
mode when you can't see the text.
------------------------------
From: Dave Howe <DHowe@hawkswing>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Sun, 27 Feb 2000 12:27:18 +0000
Reply-To: DHowe@get_email_from_sig
In our last episode (<alt.security.pgp>[Fri, 25 Feb 2000 07:33:47
GMT]), $[EMAIL PROTECTED] said :
>I'm kinda partial to 45.. such a rotation would prevent month-based
>passwords ie: judyjan judyfeb judymar, etc etc.
25 - 45 would still allow the monthly passwords (unless they aren't
allowed to change MORE often than the limit)
------------------------------
From: "Matt Hall" <[EMAIL PROTECTED]>
Subject: Re: The former CIA directors are just playing roles .. they are involved in
the covert action
Date: Sun, 27 Feb 2000 12:49:09 -0000
Markku J. Saarelainen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> The CIA and NSA have been spying and have records and databases of most
> business communications that are relevant to the U.S. National Security
> Strategy as it pertains to the economic performance and objectives. All
> business, technology and other aspects of the economy are their targets
> and the US people as I have learnt just go to some nations and acquire
> the information with collaboration of their agents who are betraying
> their nations for the economical performance of the USA. I know one
> person in Seattle who has contacts to some Finnish people working for HP
> and these people are just acquiring specific eonomical data and
> information. These names shall be made public. All U.S. high-tech
> companies operating in other regions are one way or another covers for
> the U.S. Intelligence Community. There are networks in these commercial
> enterprises.
>
> And the former CIA Director James Woosley is just an actor ..
>
> "
> But
> former CIA Director James Woolsey and a current U.S.
> official say such information probably was used only in
>
> certain instance
>
> "
If you have anything interesting to say that you think people should hear
(which I doubt) then you would be better off posting succinct, concise and
informative postings to relevant groups - of which sci.crypt is probably not
one. I am sure I am not the only person who is bored of cross-posted
ramblings of no relevance.
My apologies to the group that this message has no relevance to
cryptography, but I hope you understand my reasons for posting.
Matt
--
** Email: [EMAIL PROTECTED] **
** Web: http://www.thepentagon.com/matt.hall **
------------------------------
From: [EMAIL PROTECTED] (Frank Gifford)
Subject: Re: I had me an Idea (Dynamic Key Encription)
Date: 27 Feb 2000 07:54:52 -0500
In article <896t92$amu$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>In article <8966ef$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Frank Gifford) wrote:
>> In article <k_ot4.2696$[EMAIL PROTECTED]>,
>> Tim <[EMAIL PROTECTED]> wrote:
>> >Each character in the text gets its own "small key". The key comes
>> >...
>> >
>> 1) The encrypted text is much larger than the original cipher text,
>>...
>> 2) The R pixels can be partially recovered since they must be factors
>of E.
>>...
>
>Would substituting other visual/audible data improve on this idea? i.e.
>using "snow" captured from a television signal, or white noise? Would
>this be "more random", or just obfusacation? Is it possible to somehow
>use the overall image itself rather than the individual pixels? (see
>Johnny Mnemonic) I apologize if this has been covered before, just
>curious.
Now you are back in the normal mode of using a pseudo-random bit stream to
encrypt your data. Use of pictures or sound files, etc. are fine - but all
boil down to a secret key which you and the recipient share which the
opponent doesn't know.
Unless your key stream is random - it is very likely that enough of your
message can be recovered as to make this algorithm insufficient. If it is
random (and you can prove it's random!), then you could have a OTP, if you
use it properly. Proving the keystream is random is much more than guessing
that you can take the low order bits of a soundcard output from a particular
input source. This sort of randomness proof, and the subsequent proof of a
lack of bias in the stream, is much harder than you might guess.
-Giff
--
Too busy for a .sig
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Snuffle source code?
Date: 27 Feb 2000 14:49:55 GMT
helper <[EMAIL PROTECTED]> wrote:
> There was an article Thursday
> (http://wired.com/news/politics/0,1283,34550,00.html) about Daniel Bernstein
> finally being given the go-ahead to post his source code for Snuffle to the
> net. Anyone gotten it, yet? If so, where? Thx.
The index to the pages in question seems to be at
http://cr.yp.to/crypto.html
unfortunately, the pages themselves do not seem to be accessible yet.
Thanks -David
------------------------------
Date: Sun, 27 Feb 2000 10:11:49 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: NSA Linux and the GPL
"David A. Wagner" wrote:
> In article <[EMAIL PROTECTED]>,
> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> > "John E. Kuslich" wrote:
> > > How can this guy get away with activities that would have landed
> > > the rest of us in jail for a long time?
> >
> > I suspect it is too difficult to show that his actions amounted
> > to *theft* of government secrets, since it seems reasonable to
> > argue that he was merely conducting his normal job with the
> > material he had in his home. Do we know what safeguards he had
> > in place? (One would think that as DCI, he must have had full-time
> > bodyguards at the very least.)
>
> One would think so, but apparently not.
>
> See the CIA Inspector General's report.
> http://www.fas.org/irp/cia/product/ig_deutch.html
> It's definitely worth reading, if you're interested in this.
>
> Here's a rough paraphrase of the some of the most interesting points:
>
> Previous DCI's indeed were guarded by full-time live-in bodyguards,
> but Deutch declined, because he preferred his privacy. There was no
> around-the-clock guard on his house or his computers holding classified
> secrets; the PCMCIA cards and hard drives holding classified information
> were not stored in the secure safes provided for that purpose when
> noone was around; a domestic worker was regularly permitted unattended
> access to the residence while the Deutch's were gone and the home left
> unguarded; and investigators say that house security was weak enough
> that the classified information (including Top Secret/Codeword material)
> was vulnerable to hostile exploitation.
>
> Another notable tidbit from that report: At work, Deutch secretly used
> computers rated only for unclassified material to prepare some of his
> most sensitive, classified reports (exactly the opposite of what good
> security practices would demand), out of concern that CIA officials might
> monitor his classified computer at night and see the sensitive reports.
> (Understandable, in a Panopticon culture, although surely not the outcome
> security officers would have desired. Investigators even found a virus
> and classified material together on the same unclassified machine in
> Deutch's office, eek.) It seems to me there is an important human-factors
> lesson here!
>
> The report also left me with the strong impression that Deutch may have
> tried to cover up his mistakes after the fact. (It never says that in so
> many words, but reading between the lines, I can't escape seeing support
> for such a theory.) For instance, after Deutch was required to turn in
> the PCMCIA cards that he allegedly used to improperly store classified
> information at his home, investigators found that the contents had been
> deleted just days before Deutch was required to turn them in (at a time
> when they were in Deutch's personal possession, and soon after it became
> clear that he would have to turn them over). Investigators were able
> to restore some of the deleted files, and found TS/Codeword information.
> I don't know anything about anything, but that sounds serious, doesn't it?
>
> Much of the evidence relevant to the investigation has since been
> destroyed.
>
> Go read the IG's report for yourself, and form your own opinions.
> The above is just an attempt at a summary, and may well contain mistakes.
For the paranoid among us I offer the observation that John Deutch is strongly
connected to Eli Jacobs who is now a member of the ?commission? dealing with
the NRO. Jacobs has an interesting history. The fact that people like these
are "running things" is disquieting.
------------------------------
From: [EMAIL PROTECTED] (Mary - Jayne)
Subject: Re: NSA SPIES ON THE POPE, MOTHER THERESA AND DIANA!
Date: Sun, 27 Feb 2000 16:09:50 GMT
On Sun, 27 Feb 2000 06:02:24 GMT, [EMAIL PROTECTED] (Dave
Hazelwood) wrote:
>
>All in the name of democracy and human rights? Isn't this what we
>fought Communism for 50 years to avoid ?
No. We fought communism because the rich and powerful did not want to share
their wealth and power with the rest of us. It has nothing to do with
freedom, human rights, or even democracy. Just doing what the rich want us
to do, as always. So which country is a democracy then - none that I know
of.
Regards,
MJ
http://www.xarabungha.btinternet.co.uk/
http://website.lineone.net/~c.j.stevens/
------------------------------
From: [EMAIL PROTECTED] (Mary - Jayne)
Subject: Can someone break this cipher?
Date: Sun, 27 Feb 2000 16:16:05 GMT
Could anyone willing to do so please solve the challenge at
http://www.xarabungha.btinternet.co.uk/xicipher/xichallenge.htm
I designed the algorithm and if it can be readily broken, then it is useless.
Your destructive assistance would be appreciated.
Regards,
MJ
http://www.xarabungha.btinternet.co.uk/
http://website.lineone.net/~c.j.stevens/
------------------------------
From: "Norman Little" <[EMAIL PROTECTED]>
Subject: Beginner Help ?
Date: Sun, 27 Feb 2000 16:43:05 -0000
Hi,
I am implementing demonstration applets in JAVA for DES, and have become a
little stuck.
I am trying to manipulate the bits of the characters by using the getbytes()
function in java, which returns an array of bytes for the string supplied.
The only problem is, how do I then manipulate the individual bits for each
character after I have created the byte array for the string ?
thanks
Norman
------------------------------
From: "Amical" <[EMAIL PROTECTED]>
Subject: Re: On jamming interception networks
Date: Sun, 27 Feb 2000 17:10:34 GMT
The easiest would be a secure plug in for Outlook Express
that plug in randomly choose an e-mail, encrypt it with another
e-mail as a key, and add random hex digits.
Source of the plug in being public, of course...
------------------------------
From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: NSA Linux and the GPL
Date: 27 Feb 2000 09:09:29 -0800
[EMAIL PROTECTED] (David A. Wagner) writes:
[snip]
> Another notable tidbit from that report: At work, Deutch secretly used
> computers rated only for unclassified material to prepare some of his
> most sensitive, classified reports (exactly the opposite of what good
> security practices would demand), out of concern that CIA officials might
> monitor his classified computer at night and see the sensitive reports.
[snip]
Talk about poetic! This is the best laugh I've had all week!
Andru
--
==========================================================================
| Andru Luvisi | http://libweb.sonoma.edu/ |
| Programmer/Analyst | Library Resources Online |
| Ruben Salazar Library |-----------------------------------------|
| Sonoma State University | http://www.belleprovence.com/ |
| [EMAIL PROTECTED] | Textile imports from Provence, France |
==========================================================================
------------------------------
From: "A [Temporary] Dog" <[EMAIL PROTECTED]>
Subject: Re: Can someone break this cipher?
Date: Sun, 27 Feb 2000 12:26:48 -0500
On Sun, 27 Feb 2000 16:16:05 GMT, [EMAIL PROTECTED] (Mary -
Jayne) wrote:
>Could anyone willing to do so please solve the challenge at
>
>http://www.xarabungha.btinternet.co.uk/xicipher/xichallenge.htm
The above link is 404 compliant. Did you mean -
http://www.xarabungha.btinternet.co.uk/xicrypt/xichallenge.htm
>I designed the algorithm and if it can be readily broken, then it is useless.
The challenge at xicrypt/xichallenge.htm doesn't give any details of
the algorithm, just a bunch of raw ciphertext. In general, "can you
break this cipher" posts are a bad idea. In particular, even with a
complete description, you'll have a hard time getting knowledgable
people to analysis your cipher. Without a description, no one will
bother.
>Your destructive assistance would be appreciated.
--
- A (Temporary) Dog |"Intelligent, reasonable
The Domain is *erols dot com* |people understand that -
The Name is tempdog |unfortunately, we're dealing
http://users.erols.com/tempdog/ |with elected officials"
Put together as name@domain | - name withheld
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: 27 Feb 2000 12:43:19 EST
In article <[EMAIL PROTECTED]>, DHowe@hawkswing (Dave Howe) wrote:
>Hmm. if I had to come up with a rule of thumb here, I would count any
>english word (or $LANGUAGE word for that matter) as being two random
>characters; so ten english words with non-space separators would be
>equivilent to a 29-character truely random password - which is
>definitely non-trivial to crack.
Two characters can have 65,536 possible values (much less if
you only use what's available on your keyboard). There are many
more english words than that. Throw in one easy to remember
nonword like fnurbish or queekle and you make a dictionary attack
a LOT harder.
>However, it is also non-trivial to type - particularly in password
>mode when you can't see the text.
When I decided on my 54 character passphrase, I wrote a program on
an old non-networked 486 to test me on it twice a day. I practiced
until I was very fast and accurate at touchtyping it. When I worked
on high security projects I got in the habit of putting a thick piece
of black felt over my hands as I type in my password.
------------------------------
From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: Can someone break this cipher?
Date: Sun, 27 Feb 2000 13:05:17 -0500
You should publish your algorithm if you truly want to test its security,
not just post some cipher text. I think it was John Savard that posted some
suggested guidelines for challanges such as this, they were very good, I
suggest you follow them. The more information you can provide about the
algorithm, the more people will try to crack it. A lot of the times when an
algorithm is posted people do not even have to try to break it, they just
identify were it could be broken. Also if you want anyone to trust your
algorithm you are going to have to make it public eventually. Personally I
don't tend to pay much attention to challanges were people just dump a bunch
of ciphertext and say break this.
- Adam Durana
"Mary - Jayne" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Could anyone willing to do so please solve the challenge at
>
> http://www.xarabungha.btinternet.co.uk/xicipher/xichallenge.htm
>
> I designed the algorithm and if it can be readily broken, then it is
useless.
> Your destructive assistance would be appreciated.
>
>
> Regards,
>
> MJ
>
> http://www.xarabungha.btinternet.co.uk/
>
> http://website.lineone.net/~c.j.stevens/
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Can someone break this cipher?
Date: 27 Feb 2000 18:20:26 GMT
In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Mary - Jayne) writes:
>Could anyone willing to do so please solve the challenge at
>http://www.xarabungha.btinternet.co.uk/xicipher/xichallenge.htm
>I designed the algorithm and if it can be readily broken, then it is useless.
>Your destructive assistance would be appreciated.
So why are you trying to reinvent the wheel? If this is a game for you,
then go ahead. If you want to use this to actually hide material whose
exposure would do you serious harm, then use something which has been
seriously tested. Cryptanalysis is serious, and not easy stuff. Why
would a serious cryptanalist want to spend his time looking at your
cypher? If you want to fool your self no one will be terribly interested
( except perhaps your enemies). On the other hand if you start trying to
sell this, then you are opening your self up for damages if you make
claims about its security.
PS-- Nosuch web page exists.
------------------------------
From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Can someone break this cipher?
Date: Sun, 27 Feb 2000 18:52:03 GMT
This is the beginning of your plaintext.
This message is intentionally left unencrypted.
��� ��� �� ���������, ������ �����,
��� ��� � ����� ��������� �������� �� ������.
� ����� ������ ������� ����� ������� �����
������� ���� �� ������, ���� ������ ������!
Best wishes BNK
=========================Reply Separator==========================
Mary - Jayne wrote:
>
> Could anyone willing to do so please solve the challenge at
>
> http://www.xarabungha.btinternet.co.uk/xicipher/xichallenge.htm
>
> I designed the algorithm and if it can be readily broken, then it is useless.
> Your destructive assistance would be appreciated.
>
> Regards,
>
> MJ
>
> http://www.xarabungha.btinternet.co.uk/
>
> http://website.lineone.net/~c.j.stevens/
------------------------------
From: [EMAIL PROTECTED] (JimD)
Subject: Re: On jamming interception networks
Reply-To: JimD
Date: Sun, 27 Feb 2000 19:00:27 GMT
On Sun, 27 Feb 2000 06:12:19 GMT, [EMAIL PROTECTED] (Steve K) wrote:
>Pretty good ideas. IMO "they" probably don't try to decrypt random
>text, since that's practically always going to be an exercise in
>futility.
How will they tell 'random' text from enciphered text?
(Apart from with considerable difficulty?)
--
Jim Dunnett.
dynastic at cwcom.net
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
