Cryptography-Digest Digest #224, Volume #11      Tue, 29 Feb 00 21:13:02 EST

Contents:
  Re: US Intelligence Community does spy on international business (all kinds of businesses) -- see my images and earlier posting since April 1999 for o ([EMAIL PROTECTED])
  Re: code still unbroken (Xcott Craver)
  Re: Passwords secure against dictionary attacks? (Bill Unruh)
  Re: OAP-L3 Encryption Software - Complete Help Files at web site (Xcott Craver)
  Export Rules (tboldt)
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Can someone break this cipher? ("Trevor Jackson, III")
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Status of alleged *THIRD* key in MS Crypto API ? ("Trevor Jackson, III")
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Best language for encryption?? ("Trevor Jackson, III")
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: code still unbroken ("Trevor Jackson, III")
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: Passwords secure against dictionary attacks? (jungle)
  Re: OpenSSL and Netscape (Paul Rubin)
  Re: Passwords secure against dictionary attacks? (jungle)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.politics.org.cia,soc.culture.israel,alt.security
Subject: Re: US Intelligence Community does spy on international business (all kinds of businesses) -- see my images and earlier posting since April 1999 for o
Date: Wed, 01 Mar 2000 00:04:56 GMT

"Markku J. Saarelainen" <[EMAIL PROTECTED]> wrote:


>Basically, I was within the program and system of the US Intelligence
>Community that was spying on other businesses and individuals.

Well only an idiot could not interpret what Schlesinger had to say on the
Ex-CIA Directors Panel on C-Span.  The others tried to deflect what he
said; but did not do a good job of it!

Schlesinger also said we should deal with psychos to get intelligence =
You can't get good intelligence on terrorists from a ladies flower
arranging club!!! = Which I would say why not!  Their girl friends like
to arrange flowers don't they!  Schlesinger is just mad because his
psycho Killers in Certain countries don't seem to have as much power as
they used to!



------------------------------

From: [EMAIL PROTECTED] (Xcott Craver)
Subject: Re: code still unbroken
Date: 1 Mar 2000 00:13:24 GMT

lordcow77  <[EMAIL PROTECTED]> wrote:
>There's a similar game theory problem that I love. There is a
>free lottery where each person can submit as many entries as
>they choose. At the end of a specified duration, one entry is
>chosen at random and the prize is given to them, with the catch
>that the prize is divided by the total number of entries
>received. What is the optimal strategy for one person acting
>individually, with no collusion between parties, to maximize the
>total payout at the end of the lottery?

        This is Hofstadter's lottery, which was more an exercise
        in "hyperrationality" than actual probability or game theory.
        It was intended to illustrate the effects of everyone, 
        independently, acting slightly greedy, instead of assuming
        that a large number of people will do exactly the same.
        
        If you don't know the strategy employed by the other players,
        the optimal solution is to submit 0 entries, since the 
        chances are that the expected payout is less than the cost
        of your time and a stamp.  In fact, one entry to Hofstadter's
        lottery was a postcard with some number followed by as many 
        factorial signs as could fit.

                                                        -X


------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: 1 Mar 2000 00:37:23 GMT

In <LAYu4.2373$[EMAIL PROTECTED]> "Gordon LaVere" 
<[EMAIL PROTECTED]> writes:

]Is there a program maybe a hash program that would take my 8 or more letter
]plain text pass phrase and give me a suitable. Truly  random pass word.

Sure. Any good hash will do what you want. (Clearly it is NOT TRULY
random, since it is created with your passphrase). 
MD4,MD5,SHA1,crypt(3),...

]I could remember mary had a little lamb.   Then I got   " $r9,e>iwlu". IT
]would repeat the process
]the same each and every time.  Hmmmmmm I suppose the bad guy could get the
]same program and try all
]of the words . . How would he know when he hit the right combination ?

by comparing to the output. eventually you need an output (eg a hashed
passphrase) and he can compare his output to yours. Note that this gives
additional protection as an arbitrary length passphrase can be used. It
does not however ultimately increase the theoretical strength of say
crypt(3).

]Since he would never see
]$r9,e>iwlu.   Is just my simple mind or could SH-1 do that?
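
The point made in the reply above, as an added example that is not part of the original post: a password derived by hashing a passphrase is only as hard to guess as the passphrase, because anyone holding the output can re-derive and compare. The encoding, the output length, the PBKDF2 variant (an assumption, not something the thread mentions) and the sample phrases are all choices made for this illustration.

```python
import base64
import hashlib


def derive_password(passphrase, length=10):
    """Hash a passphrase with SHA-1 and keep `length` printable characters."""
    digest = hashlib.sha1(passphrase.encode("utf-8")).digest()
    return base64.b85encode(digest).decode("ascii")[:length]


def derive_stretched(passphrase, salt, iterations=200_000, length=10):
    """Same idea with PBKDF2-HMAC-SHA1: every guess now costs `iterations` hashes.

    This raises the price of each comparison; it does not add possibilities
    to the set of passphrases a guesser has to try.
    """
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, iterations)
    return base64.b85encode(key).decode("ascii")[:length]


def recover_passphrase(target, candidates, derive=derive_password):
    """Re-derive each candidate and compare with the known output."""
    for phrase in candidates:
        if derive(phrase) == target:
            return phrase
    return None


# Constructed sample list of well-known phrases (not taken from any real dictionary).
GUESSABLE = [
    "twinkle twinkle little star",
    "mary had a little lamb",
    "humpty dumpty sat on a wall",
]


if __name__ == "__main__":
    out = derive_password("mary had a little lamb")
    print("derived password:", out)
    print("same every time :", out == derive_password("mary had a little lamb"))
    print("recovered phrase:", recover_passphrase(out, GUESSABLE))
```
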


------------------------------

From: [EMAIL PROTECTED] (Xcott Craver)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: OAP-L3 Encryption Software - Complete Help Files at web site
Date: 1 Mar 2000 00:35:37 GMT

Anthony Stephen Szopa  <[EMAIL PROTECTED]> wrote:
>
>If I wrote a program that says it will add any two numbers and 
>give you the result all you would need to do is run it with test 
>data and see if it works.

        What, every possible pair of two numbers?

        Your example is too simplistic, also.  We can tell if a 
        randomly chosen test datum works with adding two numbers.
        We can't tell if a randomly chosen key matches your algorithm
        unless we have a good, explicit, rigorous description of your 
        algorithm (enough that someone else could program it as well,)
        so we can predict the right output.

        Even then, we might not be able to tell if your code secretly 
        crippled the keyspace, intentionally or not.  That might sound
        paranoid, but I think you deserve a little dose of paranoia aimed
        at you the way you've treated other people here.

>This is what you can do with OAP-L3.  All the test data and 
>explanations are provided.
        
        Notice, by the way, that in order to test your software, we'd have 
        to have code for the algorithm one way or another: if you don't 
        provide it, someone would have to implement it, to verify that 
        your program produces the same answer.  Otherwise, how would we
        know if a "test case" produced the right answer, other than by
        your own say-so?  

        If testing requires that the tester has algorithm source code 
        anyways, and testing is necessary before people trust it, why 
        not reveal the source?  Source will eventually have to be made
        public.  You could at least reveal source for the algorithm,
        but not the rest of your program; that shouldn't be a lot.

                                                                -S

------------------------------

Date: Tue, 29 Feb 2000 19:27:00 -0500
From: tboldt <[EMAIL PROTECTED]>
Subject: Export Rules

As I interpret the Federal Register publication in January, those were
'proposed' rules and don't go into effect until 5-9-2000.

Agree/Disagree ??

If proposed, then we are still under the old rules ????

Anybody know for sure ???


------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 00:58:28 GMT

John Galt wrote:
> 
> If you
> are looking for a password that is easy for you, then you must also realize
> that it will be relatively easy to attack.

totally wrong assumption ...

------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:01:27 GMT

combining words for passphrase is generally very common & standard one
publishing it here did not make it less safe ...

John Underwood wrote:
> 
> On Tue, 22 Feb 2000 at 23:29:35, Ilya <[EMAIL PROTECTED]>
> wrote in alt.security.pgp:
> (Reference: <zZEs4.2145$[EMAIL PROTECTED]>)
> 
> >
> >Is it secure to take two words and join them together, such as:
> >
> >crypto/life cyber@machine green-dog Loud!Music
> >
> >I  find that they are  really  easy to remember,  especially  if the word
> >combination  has some meaning  to the user.  I have  been  told that such
> >combinations are vulnerable to dictionary attacks.  I think that they are not
> >vulnerable to dictionary attacks since the password is not a word, it combines
> >two words and is meaningless and can only be brute-forced.
> >
> >Any input on that?
> 
> It would have been considerably safer before you published your
> intention of doing that. 

combining words for passphrase is generally very common & standard one
publishing it here did not make it less safe ...

------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:12:36 GMT

good example how to remember it !!!

NutWrench wrote:
> 
> Hi Ilya,
>   One way to have a easily-remembered password that defeats dictionary based
> attacks is to enter your passphrase, but press the key which is above and to
> the left or right of the actual key. For example, if your password is
> 'bullwinkle', instead of pressing 'b' press 'h' (above and to the right).
> The typed text for 'bullwinkle' would then be: 'h8pp39jop4'    :o)

------------------------------

Date: Tue, 29 Feb 2000 20:22:36 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Can someone break this cipher?

JPeschel wrote:

> [EMAIL PROTECTED] writes, in part:
>
> >In a previous article,  <[EMAIL PROTECTED]> writes:
> >>If you mean the ciphertext is truly random, I think you
> >>have said the thing that cannot be.
> >
> >I would not say that. It is actually quite simple to generate a truly random
> >cipher:
> >
> >1. Burn a CD-R filled with random data. Use this as a key.
>
> Your key, not the cipher, is truly random.

To the extent the key is random (unpredictable) so is the ciphertext.

>
>
> >3. Now the agent only has to scramble the (presumably short) plain text
> >messages he has to send to the home office by xor-ing them with random data
> >from the CD-R.
>
> After a message is XORed with the random  data from the CD, the message
> may look truly random, but it isn't.

Sure it is.  It is just as unpredictable as the key.  If you cannot predict
byte/bit N of the key given bytes/bits 1..N-1 of the key then you cannot predict
byte/bit N of the ciphertext given bytes/bits 1..N-1 of the ciphertext.  Even
knowing the plaintext does not help.

>  If the message were truly random, it
> could not be decrypted.

True, but what's the point of a noise message?  Misdirecting traffic analysis?



------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:16:08 GMT

[EMAIL PROTECTED] wrote:
> 
> QWERTY offsets are not very secure.  A typical dictionary
> attack iteration would go:  1) Dictionary, 2) Reverse Dictionary, 3)
> QWERTY Offset Dictionary, 4) Alpha offset Dictionary,
> 
> If bullwinkle is in my dictionary, iteration number 3 would get you.

how do you creating dictionary for ?
dictionary attack are for password & NOT for PASSPHRASE
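
A password-policy check built on the four passes listed in the quoted post, as an added example that is not part of any message in this digest: it undoes each transformation on a proposed password and rejects it if a dictionary word, or two joined words, comes out. The word list is a constructed sample, "alpha offset" is assumed to mean a fixed shift through the alphabet, and all function names are hypothetical.

```python
import string

# Physical key rows; each row sits half a key to the right of the one above.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

# Constructed sample word list; a real audit would load a large dictionary.
WORDS = {"bullwinkle", "crypto", "life", "cyber", "machine",
         "green", "dog", "loud", "music", "lamb"}


def undo_qwerty(typed, col_shift):
    """Map every typed key to a key one row below it.

    col_shift=-1 undoes "above and to the right", col_shift=0 undoes
    "above and to the left". Returns None when a character has no key there.
    """
    out = []
    for ch in typed:
        if ch not in POS:
            return None
        row, col = POS[ch][0] + 1, POS[ch][1] + col_shift
        if row >= len(ROWS) or not 0 <= col < len(ROWS[row]):
            return None
        out.append(ROWS[row][col])
    return "".join(out)


def alpha_shift(text, k):
    """Shift letters k places through the alphabet; other characters stay."""
    return "".join(
        chr((ord(ch) - 97 + k) % 26 + 97) if ch in string.ascii_lowercase else ch
        for ch in text)


def variants(password):
    """Yield (rule, candidate) pairs: the password with each transform undone."""
    pw = password.lower()
    yield "as typed", pw
    yield "reversed", pw[::-1]
    for shift, rule in ((-1, "qwerty offset, up-right"), (0, "qwerty offset, up-left")):
        undone = undo_qwerty(pw, shift)
        if undone is not None:
            yield rule, undone
    for k in range(1, 26):
        yield f"alphabet offset {k}", alpha_shift(pw, -k)


def split_words(text, words):
    """Return [word] or [word, word] (optionally one symbol between), else None."""
    if text in words:
        return [text]
    for i in range(1, len(text)):
        left, right = text[:i], text[i:]
        if left not in words:
            continue
        if right in words:
            return [left, right]
        if not right[0].isalnum() and right[1:] in words:
            return [left, right[1:]]
    return None


def audit(password, words=WORDS):
    """Return (rule, words_found) for the first dictionary derivation, else None."""
    for rule, candidate in variants(password):
        found = split_words(candidate, words)
        if found:
            return rule, found
    return None


if __name__ == "__main__":
    for pw in ["h8pp39jop4", "Loud!Music", "green-dog", "elkniwllub", "x7#Qp!2vT"]:
        print(f"{pw!r}: {audit(pw)}")
```
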

------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:18:28 GMT

Jens Haug wrote:
> 
> We try to crack our users' passwords every now and then. Once the
> cracker program found out one consisting of two greek words which
> make no sense together. :-0
> Don't use *any* word in *any* language!

how did you build your dictionary for crack ?

------------------------------

Date: Tue, 29 Feb 2000 20:27:34 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Status of alleged *THIRD* key in MS Crypto API ?

"David A. Wagner" wrote:

> In article <[EMAIL PROTECTED]>,
> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> > Microsoft explained the origin of the secondary key and the
> > origin of its name;
>
> Really?  Where?  All I saw was hardly credible explanations by
> PR folks, that were pretty transparently not the whole story if
> you understood the technical issues.
>
> > whether or not you believe them, surely you
> > can't think the NSA sticks its name on things it covertly touches.
>
> You misunderstood.  The allegation wasn't that *NSA* stuck its name
> on the key; the allegation was that Microsoft employees, knowing that
> this key was requested/required/whatever by the NSA, assigned the name,
> not expecting that it would ever see the light of day, but due to some
> freak, in one release the symbol-name was released to the world, and
> someone happened (by chance) to notice.

I don't think this level of involvement on the part of the NSA is very
credible.  Sure, some serious boners do happen no matter how careful one
is, but don't you think the scenarios regarding rogue elements within
Micros~1 are enough to explain the key?

There is no reason to believe that the NSA's review had anything to do with
the creation of the extra keys, and every reason to believe that the PR
people seized upon the review as a way of sharing the blame with another
entity that would predictably not comment, even to refute false PR.



------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:20:11 GMT

JimD wrote:
> 
> How about ten English words with different punctuation symbols
> as word separators?

perfectly safe, did you calculate key space for it ?
give example ...

------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:22:04 GMT

JimD wrote:
> 
> (>> >Don't use *any* word in *any* language!) isn't my
> quote.

why not ?

------------------------------

Date: Tue, 29 Feb 2000 20:37:04 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Best language for encryption??

Adam Durana wrote:

> > Surely, as I eventually work with your algorithm, I will see what you have
> > done in C, write it in C myself, and also do it in BASIC.  The big
> > advantage of how I do things in BASIC is in the GUI I use.  I tend to
> > convert numbers to compressed strings, and work with them that way,  but I
> > can set the math to bigger ranges with compiler options.
>
> BASIC is great for learning structured programming,

How did you reach this conclusion???

> but no one should
> consider using it for applications where speed is an issue.  I've always
> thought of it this way, the easier it is for a human to understand the code
> the slower it will run on a computer.  If you could program in machine
> language your program would be the fastest possible, assuming you know what
> you are doing.

Usually not.  The selection/design of algorithms has far more influence than the
selection of language.  Quicksort in interpreted Lisp is going to be faster than
bubble sort in microcode for a sufficiently large number of elements.




------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:31:20 GMT

Dave Howe wrote:
> 
> In our last episode (<alt.security.pgp>[Fri, 25 Feb 2000 07:17:11
> GMT]), [EMAIL PROTECTED] said :
> >JimD wrote:
> >> >Don't use *any* word in *any* language!
> >>
> >> How about ten English words with different punctuation symbols
> >> as word separators?
> >
> >do you mean that 'English' is not '*any* language' ? :-)
> Hmm. if I had to come up with a rule of thumb here, I would count any
> english word (or $LANGUAGE word for that matter)
> as being two random characters; 

for me it is 4 random characters ...

> so ten english words with non-space separators would be
> equivalent to a 29-character truly random password - which is
> definitely non-trivial to crack.

your assumption creates 10 to power of 30 key space = impossible to crack today
& you are saying "non-trivial"
very funny ...

my assumption [ 4 random characters ] provide key space of 10 to power of 48
I will leave you for evaluation ...

------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:36:23 GMT

Guy Macon wrote:
> 
> In article <[EMAIL PROTECTED]>, DHowe@hawkswing (Dave Howe) wrote:
> 
> >Hmm. if I had to come up with a rule of thumb here, I would count any
> >english word (or $LANGUAGE word for that matter) as being two random
> >characters; so ten english words with non-space separators would be
> >equivalent to a 29-character truly random password - which is
> >definitely non-trivial to crack.
> 
> Two characters can have 65,536 possible values

how did you come to this number ?

>  (much less if
> you only use what's available on your keyboard).  There are many
> more english words than that.  Throw in one easy to remember
> nonword like fnurbish or queekle and you make a dictionary attack
> a LOT harder.

not harder but impossible ...
we are talking dictionary attack, not key space brute attack
which is definitely different ...

> >However, it is also non-trivial to type - particularly in password
> >mode when you can't see the text.

who did say that you need to type it ?
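
The key-space arithmetic argued over in this thread, worked through as an added example that is not part of any post: it shows which dictionary size each "one word equals N random characters" rule of thumb implies and reproduces the 29-character figure. It assumes words and separators are picked uniformly at random; the alphabet sizes (256 byte values, 95 printable ASCII characters) and the function names are assumptions.

```python
import math


def passphrase_bits(n_words, dict_size, separator_choices=1):
    """Guessing work in bits for n_words drawn uniformly at random from a list
    of dict_size words, joined by separators drawn from separator_choices symbols."""
    return (n_words * math.log2(dict_size)
            + (n_words - 1) * math.log2(separator_choices))


def equivalent_random_chars(bits, alphabet_size):
    """Length of a uniformly random password over alphabet_size symbols
    that takes the same guessing work."""
    return bits / math.log2(alphabet_size)


def implied_dictionary_size(chars_per_word, alphabet_size):
    """Dictionary size at which one random word is worth chars_per_word
    random characters from the given alphabet."""
    return alphabet_size ** chars_per_word


def words_needed(target_bits, dict_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def decimal_exponent(bits):
    """Exponent x such that the key space is about 10**x."""
    return bits * math.log10(2)


if __name__ == "__main__":
    # "Two characters can have 65,536 possible values": two 8-bit characters.
    print("2 chars, 256 symbols :", implied_dictionary_size(2, 256), "words")
    # The same rules of thumb over 95 printable ASCII characters.
    print("2 chars, 95 symbols  :", implied_dictionary_size(2, 95), "words")
    print("4 chars, 95 symbols  :", implied_dictionary_size(4, 95), "words")
    # Ten words worth two bytes each plus nine separators worth one byte each.
    bits = passphrase_bits(10, 65536, separator_choices=256)
    print("ten words + separators:", bits, "bits =",
          equivalent_random_chars(bits, 256), "random bytes, about 10^%.0f keys"
          % decimal_exponent(bits))
    print("words for 128 bits    :", words_needed(128, 65536))
```

These figures hold only when the words are picked at random; a sentence taken from a book has far fewer possibilities than the formula gives.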

------------------------------

Date: Tue, 29 Feb 2000 20:45:27 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: code still unbroken

Xcott Craver wrote:

> lordcow77  <[EMAIL PROTECTED]> wrote:
> >There's a similar game theory problem that I love. There is a
> >free lottery where each person can submit as many entries as
> >they choose. At the end of a specified duration, one entry is
> >chosen at random and the prize is given to them, with the catch
> >that the prize is divided by the total number of entries
> >received. What is the optimal strategy for one person acting
> >individually, with no collusion between parties, to maximize the
> >total payout at the end of the lottery?
>
>         This is Hofstadter's lottery, which was more an exercise
>         in "hyperrationality" than actual probability or game theory.
>         It was intended to illustrate the effects of everyone,
>         independently, acting slightly greedy, instead of assuming
>         that a large number of people will do exactly the same.
>
>         If you don't know the strategy employed by the other players,
>         the optimal solution is to submit 0 entries, since the
>         chances are that the expected payout is less than the cost
>         of your time and a stamp.  In fact, one entry to Hofstadter's
>         lottery was a postcard with some number followed by as many
>         factorial signs as could fit.

This is not the same game.  In the proposed game there is a 1:1
relationship between entries and the odds of winning.  In Hofstadter's
game each entry was weighted by the number it contained.  Thus to enter
9!!!!!.... in the proposed game would require that many stamps.



------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:40:52 GMT

good to the ground & intelligent reasoning ...

Runu Knips wrote:
> 
> JimD wrote:
> > How about ten English words with different punctuation symbols
> > as word separators?
> 
> Even with only spaces in between this would be okay, because there
> are far too many possibilities for such keys that even fighting
> them with a dictionary would not succeed. 

very good, just on target

> Only don't use some
> sentence from a book, 

but use your secret preferences, 
that way 4 words in passphrase will be impossible to key space search ...

> or else the attacker can still try to
> use a library (but at the moment, this would be hard to do).
> 
> Btw, such long passwords are called passphrases.

------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:42:12 GMT

Ross Richards wrote:
> 
> Having to type 10 english words with punctuation in would not go down
> well with users who have screen saver passwords.....

this discussion is NOT for pass for SCR saver ...

------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:48:03 GMT

when you will remember your passphrase, there are numerous techniques to get it
"from you" in couple of minutes ...

Guy Macon wrote:
> 
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (JimD) wrote:
> >
> >How about ten English words with different punctuation symbols
> >as word separators?
> >
> 
> Way too hard to remember.  

the trick is to NOT remember it [ long one ] ...
when you remember your pass & on request will not provide it, you are in court
contempt, obstructing of justice ...
think of something else ...

> Eleven or twelve english words with no
> punctuation symbol as the word separator would be easier to remember
> and would still be resistant to any conceivable passphrase guessing
> attack in the foreseeable future.

you are perfectly right, impossible to crack ...

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: OpenSSL and Netscape
Date: 1 Mar 2000 01:51:47 GMT

Nigel Smart  <[EMAIL PROTECTED]> wrote:
> In fact there seems no way of installing a new root CA into Netscape.
>Now I can think of a number of reasons why people may not think this 
>a good idea, but its a bit of a pain if you want to show the students 
>how Netscape uses certs etc to sign/encrypt mail.  Does anyone know a 
>way around this ? (Which of course does not entail buying some
>commercial product etc etc).

Put the cert on a web server and send it to the browser with
mime type application/x-x509-ca-cert.  Some servers automatically
use that mime type when the file extension is ".crt" or ".cacert".
See the root cert page off www.thawte.com for some examples.

------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 01 Mar 2000 01:52:43 GMT

is your only purpose in life to remember your passphrase ?

Guy Macon wrote:
> 
> My current passphrase (which I use only with ciphersaber
> [ http://ciphersaber.gurus.com ] has 54 total characters,
> four punctuation characters, three high order ASCII characters,
> four numbers, and about 50% short english words. 

are you serious about it ?
such a pain for no gain ...
is your only purpose in life to remember your passphrase ?

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
