Cryptography-Digest Digest #21, Volume #11       Mon, 31 Jan 00 02:13:01 EST

Contents:
  Re: Intel 810 chipset Random Number Generator (Michael Kagalenko)
  Re: NIST, AES at RSA conference (wtshaw)
  Re: Intel 810 chipset Random Number Generator (John A. Sidles)
  Re: Mac encryption algorithm - joke :-) (wtshaw)
  Re: Court cases on DVD hacking is a problem for all of us (wtshaw)
  Re: What is the status of AES? (Sandy Harris)
  Re: Court cases on DVD hacking is a problem for all of us (Highdesertman)
  Re: Court cases on DVD hacking is a problem for all of us (Sandy Harris)
  How to Annoy the NSA ([EMAIL PROTECTED])
  How to annoy the NSA & break almost any code ([EMAIL PROTECTED])
  Re: Re: How to password protect files on distribution CD ("Bill \"Houdini\" Weiss")
  Re: KEA gains something with RSA instead of D-H (John Savard)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Michael Kagalenko)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 31 Jan 2000 04:04:59 GMT
Reply-To: [EMAIL PROTECTED]

Jerry Coffin  ([EMAIL PROTECTED]) wrote 
]In article <872l01$[EMAIL PROTECTED]>, 
][EMAIL PROTECTED] says...
]
][ ... ] 
]
]> I think you got his claim backwards (not surprising given that he
]> really doesn't make any sense at all 99% of the time!) He is saying
]> that the "thermal drift" (which he says happens when the temperature
]> of the crystal is kept constant, so it's not what you are thinking
]> it is) of (frequency?)  diverges from the starting point in the same
]> manner that a particle does under brownian motion AND THAT THIS
]> DIVERGENCE STAYS THE SAME EVEN WHEN YOU TURN OFF THE POWER
]> OVERNIGHT!!!
]
]Well, I guess I'll admit I'm not sure what he's saying -- it appears 
]to me that he frequently makes a claim in one direction about the 
]theory, but then turns around and specifically disclaims having said 
]anything about what would result from that theory.

 Uh-oh, now you are quite simply lying.

]> Have you ever seen the output of a player behave like that? 
]
]I've never seen the output from much of any oscillator act that way.  
]I can't imagine how you'd put such an oscillator to use in any design 
]I've ever seen.

 You are hardly qualified to answer the question, since neither
 you nor Macon so far figured out what the behaviour that I am describing
 is.

]> Neither have I.  Only aging of the quartz acts
]> like that, and he specifically excluded that as a possibility.
]> 
]> He is right about one thing, though.  Nobody understands his theory.
]
]...including him, I'm reasonably certain.

 Well, nope - and I would appreciate it if you refrain from lying
 about matters on the permanent record at Deja.com

]In any case, it seems to me that we're kicking a dead horse.  It all 
]comes down to one simple fact: a crystal oscillator is a lousy source 
]of entropy.  I'm reasonably certain that if you try to use crystal 
]oscillators in something similar to the way he envisions, nearly all 
]the entropy you get will be from other sources.

 Nope - that is incorrect. And you can't even begin to assess that,
 until you figure out what effect I am talking about. 

] Just for example, you 
]could take two oscillators, run them at what was supposed to be 180 
]degrees out of phase, mix the results (which should obviously cancel), 
]and amplify the difference.

 That has absolutely nothing to do with the method that I described several
 times over.

]This _would_ have the jitter mixed into the output signal, but the 
]majority of the output would be due to noise and distortion in your 
]oscillators, mixer, amplifier, etc.
]
]It's a bit like the situation with using a TV as a cosmic ray 
]detector.  If you tune to a channel with no signal, some of the "snow" 
]comes from cosmic rays.  Unfortunately, other sources account for the 
]vast majority of what you see, and there's no real way to tell what 
]parts came from where...


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: NIST, AES at RSA conference
Date: Sun, 30 Jan 2000 21:32:10 -0600

In article <OMMG6Pva$GA.255@cpmsnbbsa02>, "Joseph Ashwood"
<[EMAIL PROTECTED]> wrote:

...
> The point here is that since all cryptography functions can
> be abstracted to function(key, in , out), where there may be
> some additional work to accomodate IVs before creating the
> key in the function,...

Even without being concerned with IVs, this is wrong.  As long as you
believe it is right, you have missed the message that algorithms based on
another paradigm can be fairly simply made quite stronger than those that
follow your rule.
-- 
A big-endian and a little-endian have been spotted sitting at a
campfire pointing at each other as they argued over who got hit 
with the most errors.

------------------------------

From: [EMAIL PROTECTED] (John A. Sidles)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 31 Jan 2000 04:20:27 GMT

>>Noise does not change crystal oscillation frequency, even
>>instantaneously.  The crystal continues to physically flex and vibrate
>>at exactly the same frequency. 

Dear sci.crypt folks

The question of whether the noise output from a thermally
excited oscillator is really "random" is quite fascinating.
We observe this noise all the time in our force microscope
experiments, and we spend a lot of time wondering whether
it is really random.

We will consider any thermally excited oscillator -- like a
piezoelectric crystal, or a force microscope cantilever, or an LC
circuit.  With all feedback circuits turned off, it is easy to
measure the damping time $\tau = \omega_0/Q$ of the oscillator. 
Here:

     $\tau$     = damping time of the oscillator
     $\omega_0$ = resonant frequency
     $Q$        = quality (dimensionless)

Typical values of Q can be anywhere from 300 (for LC circuits)
to 1,000,000 (for cryogenic crystals).

To make a clock, we install an active feedback circuit (typically
a phase-lock loop "PLL") and operate the device as a free-running
oscillator.  The device is now characterized by two more
parameters:

     $E$          = energy of the oscillator
     $\tau_{PLL}$ = time constant of the PLL

See Horowitz and Hill "The Art of Electronics" for a very good
discussion of PLL circuits.  

We will design our PLL (and it is not hard to realize in practice)
such that

     $\tau_{PLL} >> \tau$   (slow PLL time constant)

We will also assume that the PLL adds negligible noise to the
circuit; this also is possible to realize in practice, but can
be challenging.

Now, in the absence of thermal noise, the frequency of the
excited oscillator would be perfectly constant.  But of course,
thermal noise always *is* present, and it is not too hard to show
that it is indistinguishable from an equivalent "jitter" in
$\omega_0$ whose spectral density $S_{\omega_0}$ is

    $S_{\omega_0} = ( \omega_0/Q )  (k_B T / E)$

where $k_B$ is Boltzmann's constant and $T$ is the ambient 
temperature.  Note that this formula applies to all kinds of
free-running oscillators.  It represents the thermodynamic
limit of their accuracy.

We see that accurate clocks, whatever their type, require (1) low
temperature $T$, (2) high quality $Q$, and (3) large excitation
energy $E$.

Any circuit that 

   (1) monitors the free-running oscillator, and
   (2) computes the instantaneous frequency $\omega$, and 
   (3) low-pass filters the measurement with some time 
       constant $RC << \tau_{PLL}$

will supply random noise.  This noise will be of the so-called
Ornstein-Uhlenbeck type, i.e., Gaussian noise with an
exponential decorrelation time RC.

Of course, the above discussion is quite idealized -- it is much
less clear that there is any easy way to extract cryptologically
impeccable random bits from, e.g., the clock circuit of an INTEL cpu.

On the other hand, there is at least the possibility that
thermal noise observed by a continuous quantum measurement
process could be proved to be random in the strict
information-theoretic sense of Chaitin and Kolmogorov -- 
see http://xxx.lanl.gov/abs/quant-ph/9612001.
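The post's closing point, that a low-pass-filtered frequency reading is Ornstein-Uhlenbeck noise with decorrelation time RC, has a direct consequence for anyone who wants to turn such a circuit into a random bit source: readings taken closer together than RC are strongly correlated, so naive bit extraction from them is not "impeccable" at all. The following is an added example, not code from the post or from any Intel design; it simulates the OU reading with a constructed process (unit variance, seeded generator, RC = 100 sample intervals, all assumed values), reports the measured lag-1 autocorrelation against the exp(-dt/RC) the post implies, and compares the correlation between consecutive sign bits when readings are taken every 0.01 RC versus every 5 RC. The `frequency_jitter_psd` helper is just the post's spectral-density formula written out.

```python
import math
import random


def frequency_jitter_psd(omega0, q, k_b_t, energy):
    """S_{omega_0} = (omega_0 / Q) * (k_B T / E): the thermodynamic jitter floor
    quoted in the post.  Lower T, higher Q and larger E all shrink it."""
    return (omega0 / q) * (k_b_t / energy)


def ou_samples(n, dt, rc, sigma=1.0, seed=1):
    """Constructed Ornstein-Uhlenbeck readings of the low-pass-filtered
    instantaneous frequency.  Exact discretisation: each step decays the
    previous value by exp(-dt/RC) and adds a Gaussian kick sized so that
    the stationary variance is sigma**2 and the autocorrelation at lag k
    is exp(-k*dt/RC).  Seeded so the run is reproducible."""
    rng = random.Random(seed)
    decay = math.exp(-dt / rc)
    kick = sigma * math.sqrt(1.0 - decay * decay)
    x, out = 0.0, []
    for _ in range(n):
        x = decay * x + kick * rng.gauss(0.0, 1.0)
        out.append(x)
    return out


def autocorrelation(xs, lag):
    """Normalised sample autocorrelation at the given lag."""
    mean = sum(xs) / len(xs)
    var = sum((x - mean) ** 2 for x in xs)
    cov = sum((xs[i] - mean) * (xs[i + lag] - mean) for i in range(len(xs) - lag))
    return cov / var


def sign_bits(xs, every):
    """Crude extractor: the sign of every `every`-th reading becomes one bit.
    (Hypothetical extractor for illustration; a real design would also
    debias and condition the output.)"""
    return [1 if xs[i] > 0.0 else 0 for i in range(0, len(xs), every)]


def bit_lag1_correlation(bits):
    """Correlation between consecutive extracted bits; 0 is what we want."""
    return autocorrelation([float(b) for b in bits], 1)


def demo(n=400_000, dt=1.0, rc=100.0):
    """Run the simulation and return the three numbers that matter."""
    xs = ou_samples(n, dt, rc)
    return {
        # should sit close to exp(-dt/rc) = exp(-0.01) ~ 0.990
        "lag1_autocorr": autocorrelation(xs, 1),
        # readings 0.01 RC apart: consecutive bits are almost copies
        "fast_bits": bit_lag1_correlation(sign_bits(xs, 1)),
        # readings 5 RC apart: the exponential memory has died away
        "slow_bits": bit_lag1_correlation(sign_bits(xs, 500)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

The gap between `fast_bits` and `slow_bits` is the whole story: the raw reading carries real thermal entropy, but it only becomes fresh at the rate 1/RC, and sampling faster than that yields bits that mostly repeat their predecessor. Throughput of a noise source is bounded by its decorrelation time, not by how fast an ADC can read it.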

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Mac encryption algorithm - joke :-)
Date: Sun, 30 Jan 2000 21:48:02 -0600

In article <871fgn$qh0$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
Schlyter) wrote:

> In article <[EMAIL PROTECTED]>, Andy  <[EMAIL PROTECTED]> wrote:
>  
>  
> > I went to a new restaurant for a curry the other day. I was 
> > surprised that they served the dessert first,..

> My kids would love that -- they *always* ask for the dessert first!  :-)))
>  
It's nice that some others find the jargon a bit funny too. My addition follows:
-- 
A big-endian and a little-endian have been spotted sitting at a
campfire nibbling on bytes and pointing at each other as they
argued about who got hit with the most errors.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Court cases on DVD hacking is a problem for all of us
Date: Sun, 30 Jan 2000 22:06:44 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:

> ... Sorry boys, but
> you can't have it both ways. You can't say that you have the right to
> crack a proprietary software encryption system and distribute that
> information and then demand the right to absolute privacy of our own
> data.
> 
> It is important for us as a community to be able to see some shades of
> grey. Certainly it is essential that we retain the right to analyze
> published encryption code for flaws. This is how it was discovered
> that such "trusted" algorithms as DES were actually insecure and open
> to attack.
> 
> But we must also recognise that the purpose of crypto is to protect
> the privacy of others. That *includes* corporate privacy, and the
> protection of proprietary information. We may not like having to
> swallow that, as we like to focus on individual privacy. Nonetheless,
> we no more have a right to crack and distribute DVD crypto, than the
> government has the right to hold escrow keys on our data. I know there
> are many who will violently oppose this point of view, but I believe
> if we are to survive, and our views are to be accepted by society, a
> middle ground will have to be found.
> 
Middle ground is nice to contemplate, but difficult to obtain when rights
are handled as perks to be doled out.  Making a system proprietary as an
excuse for using a poor one is not very bright on the part of the
manufacturer.  Neither is the escrow argument since the government is made
of individuals not any more honest than the rest of society.  

Middle ground means something that is acceptable by both sides, and little
of that kind of territory is found in the arguments advanced.  Thanks for
trying, but keep thinking, as only a few have not made that kind of
effort.
-- 
A big-endian and a little-endian have been spotted sitting at a
campfire nibbling on bytes and pointing at each other as they
argued about who got hit with the most errors.

------------------------------

From: [EMAIL PROTECTED] (Sandy Harris)
Subject: Re: What is the status of AES?
Date: 31 Jan 2000 05:07:20 GMT

[posted and mailed]

[EMAIL PROTECTED] (Ed Pugh) spake thus:

>I am wondering whether the cipher for the AES has been chosen yet.
>
Expected to be done this summer.

>If so, which one was chosen?  If not, what ciphers are on the
>current "short list"?  What is the schedule for the AES project?

Mars, Rijndael, Twofish, RC6, Serpent.

>I am also wondering whether any of the candidates have been
>implemented in any high-speed ASIC device (other than 3DES if
>that is, indeed, a candidate).
>
>Is there a web site which keeps up-to-date news on the AES?

www.nist.gov/aes

>Also
>is there a web site that details comparative strengths and weaknesses
>of the different ciphers being considered for the AES or one which
>lists high-speed chip implementations?

There's data at the Block Cipher Lounge, on pages reporting timing results
from Brian Gladman and Helger Lipmaa. I've no URLs to hand. 

------------------------------

From: [EMAIL PROTECTED] (Highdesertman)
Subject: Re: Court cases on DVD hacking is a problem for all of us
Date: Mon, 31 Jan 2000 05:26:57 GMT
Reply-To: [EMAIL PROTECTED]

And let me reiterate by quoting the meat of my original post:

"Sorry boys, but you can't have it both ways. You can't say that you
have the right to crack a proprietary software encryption system and
distribute that information,  and then demand the right to absolute
privacy of our own data."

This is really a summary of the post and my point in general. You may
take issue with some of the other statements I made, but this really
is ground zero.

cheers,

Mathew


On Sun, 30 Jan 2000 22:06:44 -0600, [EMAIL PROTECTED] (wtshaw) wrote:


>Middle ground is nice to contemplate, but difficult to obtain when rights
>are handled as perks to be doled out.  Making a system proprietary as an
>excuse for using a poor one is not very bright on the part of the
>manufacturer.  Neither is the escrow argument since the government is made
>of individuals not any more honest than the rest of society.  
>
>Middle ground means something that is acceptable by both sides, and little
>of that kind of territory is found in the arguments advanced.  Thanks for
>trying, but keep thinking, as only a few have not made that kind of
>effort.
>-- 
>A big-endian and a little-endian have been spotted sitting at a
>campfire nibbling on bytes and pointing at each other as they
>argued about who got hit with the most errors.


------------------------------

From: [EMAIL PROTECTED] (Sandy Harris)
Subject: Re: Court cases on DVD hacking is a problem for all of us
Date: 31 Jan 2000 05:34:57 GMT

[EMAIL PROTECTED] (Highdesertman) spake thus:

>And here we have a problem of public perception versus reality:

Yes, and you've fallen into sharing a manipulated perception.

>Did any of you consider that as a result of this hacking, we are
>likely to see a surge of pirating of DVD's?

I considered /whether/ that could happen and, since it clearly cannot, it
would be absurd to consider /that/ it would.


DeCSS does not break a copy protection scheme or make "pirating" DVDs
easier. That is already trivially easy; a bit-for-bit copy of any DVD
will play on all the players the original would.

DeCSS allows two things that the incompetent encryption was supposed
to stop: 

1) It allows DVDs to be played on machines with DVD drives but without
   the licensed DVD software.

2) I'm not sure if it defeats the 'zone codes' that prevent disks sold
   in North America from playing on European players and so on, but if
   not, it will eventually I'm sure.

We could (and the lawyers certainly will!) argue about whether:

   having bought a perfectly legal disk and drive, I can then play
    that disk on that drive with free software, or whether I must
    license their software

   whether, in order to write compatible free software, it is 
    legitimate to reverse engineer theirs

I'd give an emphatic 'yes' on both points.

This is not about protecting the rights of movie copyright holders
(except perhaps their "right" to control marketing via zones). The
encryption scheme provides no protection against production of "pirate"
copies, and DeCSS does not reduce that protection.

It is about preserving the licensing revenues of the creators of the
incompetent encryption system.
      

------------------------------

From: [EMAIL PROTECTED]
Subject: How to Annoy the NSA
Date: Mon, 31 Jan 2000 05:53:13 GMT

To annoy the NSA start spreading this news. Soon, if not already, it
will be possible to build a quantum computer that can solve NP-Complete
& #P-Complete problems. This computer would thus be able to crack any
code except for those encrypted via a one-time pad key cipher or certain
types of quantum cryptography. To begin to see how to build one of these
devices check out this physics paper: //xxx.lanl.gov/abs/quant-ph/9910073
BTW, analog computing appears to be greater than digital computing. This
is why scientists are working on quantum, DNA, molecular, etc. computers.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: How to annoy the NSA & break almost any code
Date: Mon, 31 Jan 2000 06:07:46 GMT

You can probably annoy the NSA by spreading this news. Soon, if not
already, it will be possible to build a quantum computer that can solve
NP-Complete and #P-Complete problems. Thus, such a device could decipher
any code except for those encrypted via a one-time pad key cipher or
possibly certain types of quantum cryptography (both of which are very
rarely used). To begin seeing how this might work check out this physics
paper: //xxx.lanl.gov/abs/quant-ph/9910073


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Bill \"Houdini\" Weiss" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.unix,comp.security
Subject: Re: Re: How to password protect files on distribution CD
Date: Sun, 30 Jan 2000 23:37:14 -0700
Reply-To: [EMAIL PROTECTED]

On Sun, 30 Jan 2000 20:31:51 +0000, Dave Howe <DHowe@hawkswing> wrote
in comp.security.unix :

>In our last episode (<alt.security.pgp>[Sun, 30 Jan 2000 02:07:24
>GMT]), [EMAIL PROTECTED] (Dave Mundt) said :
>>      This is true.  The fact of the matter is that NO encryption scheme
>>is totally impervious to attack.  However, the point is, of course, to
>>make it simpler for the average user to bite the bullet, whine and pay
>>the cost of the dongle. 
>  Hmm. I don't know about the average user, but it is not THAT unusual
>for me to buy the full, legal copy, but use the crack anyhow - I have
>external parallel-port devices (CDR writer and scanner) that don't
>like having the dongle there, and then there is the risk of physical
>damage to my parallel port from sheer weight of dongles. If I ever get
>raided (not much chance) I have box, original CD, dongle and receipt
>to show them - I can't see myself in violation of anything but the
>click-install licence, and they aren't enforceable in .uk....
<snip>

I've wondered recently, what is the cost of some decent-speed DES
hardware?  Because, one would make a hell of a dongle.  Have the
program call the hardware to do vital parts of the code, and make the
hardware fast enough that the calls can be big enough to make the
program really fucking cumbersome to use without it.  Added to
real-time editing software, or something like that, it may be hard to
crack.

--
Bill "Houdini" Weiss

--
11th commandment - Covet not thy neighbor's Pentium.


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: KEA gains something with RSA instead of D-H
Date: Mon, 31 Jan 2000 06:32:26 GMT

On 30 Jan 2000 16:30:42 -0800, [EMAIL PROTECTED]
(David Wagner) wrote, in part:
>In article <[EMAIL PROTECTED]>,
>John Savard <[EMAIL PROTECTED]> wrote:

>> Hence, if a protocol like KEA were used, sending two session keys in
>> opposite directions simultaneously, but with RSA instead of
>> Diffie-Hellman, with the XOR of the two session keys being used as the
>> actual session key, communications would remain secure *even if the
>> private key of one party had been compromised*.

>Good point!  I haven't seen this observation before.

>Does anyone have any clue why KEA uses XOR to combine the two session
>keys, instead of simply hashing them with (say) SHA-1?

I thought KEA used addition, but I didn't look too closely. Actually,
the XOR of two numbers, each one of which is believed to be secure and
random, is easier to analyze than a hash - one can be confident the
result is as good as the better of the two. So a hash is not helpful
or necessary.

But upon reflection, my good point may not have been so good after
all. In RSA, e is the public key, and d is the private key - and d is
persistent.

In Diffie-Hellman, A^x is the public key, and x is the private key -
but x does not need to be persistent, and is not in KEA. Hence, from
one point of view, there is "nothing to betray" on either side.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html
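The exchange Savard and Wagner are discussing, as an added example that is not part of the thread and not KEA's actual specification: each party draws its own random contribution, sends it to the other under the other's RSA public key, and both take the XOR of the two contributions as the session key. A passive attacker who has obtained only A's long-term private exponent d_A can strip the ciphertext addressed to A and learn B's contribution k_B, but the ciphertext addressed to B is under B's modulus, so k_A stays hidden and the XOR looks uniformly random to that attacker. The RSA here is textbook and unpadded, with 256-bit primes generated by a seeded Miller-Rabin routine; it is a toy for showing the key-combination argument, and every parameter (key sizes, the 128-bit contribution length, the seed) is an assumption of the example.

```python
import random


def is_probable_prime(n, rounds=20, rng=random.Random(0)):
    """Miller-Rabin probable-prime test (toy keygen helper for the example)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits, rng, e=65537):
    """Toy RSA: returns ((n, e), d).  e is prime, so gcd(e, phi) == 1 holds
    whenever phi % e != 0.  Not for real use: no padding, small moduli."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), pow(e, -1, phi)  # modular inverse needs Python 3.8+


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(pub, d, c):
    n, _ = pub
    return pow(c, d, n)


KEY_BITS = 128  # size of each party's contribution (assumed)


def two_way_exchange(rng, pub_a, priv_a, pub_b, priv_b):
    """A -> B: Enc_B(k_a);  B -> A: Enc_A(k_b);  session key = k_a XOR k_b.
    Returns what each side derives plus the ciphertexts seen on the wire."""
    k_a = rng.getrandbits(KEY_BITS)
    k_b = rng.getrandbits(KEY_BITS)
    wire = {"to_b": rsa_encrypt(pub_b, k_a), "to_a": rsa_encrypt(pub_a, k_b)}
    session_a = k_a ^ rsa_decrypt(pub_a, priv_a, wire["to_a"])
    session_b = rsa_decrypt(pub_b, priv_b, wire["to_b"]) ^ k_b
    return {"k_a": k_a, "k_b": k_b, "session_a": session_a,
            "session_b": session_b, "wire": wire}


def attacker_holding_priv_a(pub_a, priv_a, wire):
    """Passive attacker who compromised A's long-term d.  The message to A
    falls; the message to B is under B's modulus and d_A does not open it."""
    k_b = rsa_decrypt(pub_a, priv_a, wire["to_a"])
    wrong_guess_for_k_a = rsa_decrypt(pub_a, priv_a, wire["to_b"])  # garbage
    return k_b, wrong_guess_for_k_a


def run_demo(seed=7):
    rng = random.Random(seed)
    pub_a, priv_a = rsa_keygen(512, rng)
    pub_b, priv_b = rsa_keygen(512, rng)
    ex = two_way_exchange(rng, pub_a, priv_a, pub_b, priv_b)
    k_b_seen, k_a_guess = attacker_holding_priv_a(pub_a, priv_a, ex["wire"])
    return {"keys_agree": ex["session_a"] == ex["session_b"],
            "attacker_got_k_b": k_b_seen == ex["k_b"],
            "attacker_got_k_a": k_a_guess == ex["k_a"],
            "attacker_got_session": (k_b_seen ^ k_a_guess) == ex["session_a"]}


if __name__ == "__main__":
    print(run_demo())
```

The XOR combiner makes the attacker's position easy to state exactly: with k_B known and k_A uniform and independent, K = k_A XOR k_B is itself uniform, which is the "as good as the better of the two" argument. Savard's second thought also shows up here: because d_A is a long-term secret, the same compromise unlocks k_B in every past and future session with A, whereas an ephemeral Diffie-Hellman exponent would have protected each session on its own.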

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
