Cryptography-Digest Digest #239, Volume #11       Thu, 2 Mar 00 16:13:01 EST

Contents:
  Re: On jamming interception networks (Mok-Kong Shen)
  Re: Best language for encryption?? (wtshaw)
  Re: Best language for encryption?? (wtshaw)
  Re: Best language for encryption?? (wtshaw)
  Re: Best language for encryption?? (wtshaw)
  Re: Best language for encryption?? (wtshaw)
  Re: Echelon (jungle)
  Re: Best language for encryption?? (wtshaw)
  Re: Best language for encryption?? (wtshaw)
  Re: Crypto.Com, Inc. (wtshaw)
  Re: Crypto.Com, Inc. (wtshaw)
  Re: I was just wondering... (wtshaw)
  Re: Best language for encryption?? (Jerry Coffin)
  Re: Plain-text attack on ZIP file (JPeschel)

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On jamming interception networks
Date: Thu, 02 Mar 2000 20:23:39 +0100

In this thread I have suggested to employ a webpage for 
publication of 'artificial' secret messages (consisting of random 
hex sequences) as well as occasionally real secret messages,
with the goal to jam the ubiquitous interception machineries.
With that scheme the sender and the receiver are anonymous, the
messages being sent from neutral sites e.g. internet cafes.

It is of interest that I just received the following attachment
which someone forwarded to a mailing list. In it a more concrete
project is described. I myself haven't yet studied the stuff in
detail, but I guess it is certainly very interesting.

M. K. Shen

========================================
========================================


(((I urge you to donate some of your computational/networking 
   resources to the Freenet project, even if it's a single xDSL
   box. Details how to help see Latest News below.)))

http://freenet.sourceforge.net/

"I worry about my child and the Internet all the time, even though
she's too young to have logged on yet. Here's what I worry about. I
worry that 10 or 15 years from now, she will come to me and say
'Daddy, where were you when they took freedom of the press away from
the Internet?'" -Mike Godwin


 FreeNet

 Latest News 

18th Feb 2000 - Now is your chance to help

Freenet is now in its testing phase; to facilitate this we need people
who can run a Freenet node on their computers. To participate you will
need a computer capable of running Java 1.1 which has a permanent
connection to the
Internet, a fixed IP address, and is not behind a firewall. If you
have access to such a beast and would like to help the Freenet project
please click here for instructions on how to install a Freenet server.

 What is Freenet? 

The Freenet project aims to create an information publication system
similar to the World Wide Web (but with several major advantages over
it - see next section), where information can be inserted into the
system and associated with a "key" (the key is normally some form of
description of the data such as "freenet source code V1.0"). Later
anyone else can retrieve the data using the appropriate key. In this
respect it is a little like the World Wide Web which requires a "URL"
to retrieve a particular document.  To participate in this system
users will simply need to run a piece of Java software on their
computer, and optionally use a client to insert and remove information
from the system.  Anyone can write a client (or indeed a server)
however the reference implementations will be written in Java.  If you
are interested in why someone might want to create a system like
Freenet please take a look at the philosophy page.

 Why is Freenet interesting? 

Click on any of the following reasons for more information about each:

     * Freenet does not have any form of centralised control or
       administration
     * It will be virtually impossible to forcibly remove a piece
       of information from Freenet
     * Both authors and readers of information stored on this
       system may remain anonymous if they wish
     * Information will be distributed throughout the Freenet
       network in such a way that it is difficult to determine
       where information is being stored
     * Anyone can publish information, they don't need to buy
       a domain name, or even a permanent Internet
       connection
     * Availability of information will increase in proportion to
       the demand for that information
     * Information will move from parts of the Internet where
       it is in low-demand to areas where demand is greater

 What is Freenet's current status? 

Much of the server is complete, and a command line client (which is
developed in parallel and shares some code with the server) is also
nearing completion. As of 8th Feb 2000 the following remains to be
done:

     * Some minor changes to message behaviour
     * Fix hashing on Liberator (a contributed Perl
       implementation of a Freenet client)
     * Implement tunneling (a mechanism which will
       dramatically improve Freenet response times)
     * Speed up handshaking mechanism (which will also
       improve response times)
     * Conduct a wide-scale multi-node beta-test (at present
       most tests have been conducted by running several nodes
       on the same computer).

You should subscribe to the announcement mailing list to be informed
of major releases (this is a low traffic mailing list).

 Can I help?

Yes, definitely. If you have Java programming experience, or are
familiar with cryptography then you will be particularly useful, but
everyone is welcome. If you just want to find out more make sure you
have read everything on this site - and then join the General mailing
list. If you are keen to contribute, first take a look at the code in
CVS, then you should join the Development mailing list and let us know
what you think you can do.

 Why implement the first Freenet server in Java?

Because: 

     * Java is the most cross-platform language currently
       available
     * There are free Java implementations available such as
       Kaffe, we will ensure that Freenet is always compatible
       with these versions even if Sun attempt to make it more
       difficult for free Java implementations to keep up.
     * Java has excellent network support
     * Java is easier to debug than other languages such as C++,
       and this lets us get on with the business of implementing
       Freenet quickly and reliably!

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Best language for encryption??
Date: Thu, 02 Mar 2000 12:26:56 -0600

In article <[EMAIL PROTECTED]>, lordcow77
<[EMAIL PROTECTED]> wrote:

> In BASIC, I believe that goto can transfer control to arbitrary
> parts of the code (which is not much of a problem..."Functions?
> What functions? Execution contexts? Threads? External linkage?
> What's that?"), whereas in C, the goto can only go to a label in
> the same block or function.
> 
Again, I use functions in Basic, even can divide the program into separate
compiled object files, which I don't do myself as I prefer a one file
approach. Unrestricted branching is always best left to inside one
function, or in the main program. Care must be taken in crypto to make
anything to do with pRNG's internal to one function or make them globally
tracked.
-- 
Bush would drop the MS suit if elected because since he is FOR 
fraud, abuse, privacy invasion, squashing the little guy if he gets 
in the way. Obviously, he is consistently NOT for compassion.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Best language for encryption??
Date: Thu, 02 Mar 2000 12:31:13 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> > <[EMAIL PROTECTED]> wrote:
> > > Even compiled BASIC doesn't support efficient linked data structures,
> > > etc.  (Or if it does, it's via a nonstandard extension, not BASIC.)
> > > You are going out of your way to qualify Basic as not being extendable.
> 
> No, but if it looks like Ada, then you shouldn't be calling it BASIC.

OK, it's FutureBasic, with the standard BASIC as a fully implemented
subset.  It is written for the Mac, that has parallels in structure, even
with the old MS Basic that is Mac compatible.
-- 
Bush would drop the MS suit if elected because since he is FOR 
fraud, abuse, privacy invasion, squashing the little guy if he gets 
in the way. Obviously, he is consistently NOT for compassion.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Best language for encryption??
Date: Thu, 02 Mar 2000 12:37:41 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:
> 
> "Structured programming" denotes a specific programming style,
> typified by limiting control flow to the use of sequencing,
> alternation, and repetition.  It also has a heavy emphasis on
> functional modularity, for which BASIC's GOSUB is woefully
> inadequate.

I call individual functions by name.  Basic has gone through a few
revisions as has C.
GOSUB subroutines are not the same thing as functions, which I use
exclusively instead of GOSUB's...but, they are still allowed.
> 
> I don't know where you get the idea that BASIC involves event
> loops, etc.; perhaps by confusing it with Microsoft's so-called
> "Visual Basic"?

Visual Basic guided by the Invisible Hand....What a security disaster that is!
-- 
Bush would drop the MS suit if elected because since he is FOR 
fraud, abuse, privacy invasion, squashing the little guy if he gets 
in the way. Obviously, he is consistently NOT for compassion.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Best language for encryption??
Date: Thu, 02 Mar 2000 12:47:48 -0600

In article <89l423$9t4$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
Schlyter) wrote:


> > How does one measure the effectiveness of a goto?
>  
> By the amount one can obfuscate the code with these goto's... :-)

Could be, probably knit a few programs that way myself in the sixties, but
goto's are great for unconditional branching when you need them, like
professional expediters in some companies that get around all the
paperwork any which way they can.  
>  
> > Whatever the units are, I suspect that between signal() and longjump()
> > C can probably match it.
>  
> Not quite: a BASIC program can GOTO a line number it hasn't executed
> yet, while C cannot longjump() to a place it hasn't setjump()'ed yet.
>  
You just solved a problem I have been having in C, make it run through a
set of dummy values to get all the labels identified...what a crock, but
I'll do it.  I don't normally use line numbers as later Basic does not
need them as words work fine, as in this:

GOTO "exit"
-- 
Bush would drop the MS suit if elected because since he is FOR 
fraud, abuse, privacy invasion, squashing the little guy if he gets 
in the way. Obviously, he is consistently NOT for compassion.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Best language for encryption??
Date: Thu, 02 Mar 2000 12:56:20 -0600

In article <89l43v$9vk$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
Schlyter) wrote:

> In article <[EMAIL PROTECTED]>,
> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>  
>  
> #include <stdio.h>
>  
> #define PRINT  int main() { printf (
> #define END    "\n" ); return 0; }
>  
>     PRINT "Hello, world"
>     END
>  
What about:

PRINT "Goodby, Mr. Gates.":END

I suppose one could easily replace <stdio.>, etc., and the commands they
might support with politically incorrect speech.  The problem is the
encouragement of non-standard jargon that can make code non-transportable
and even, dare we say, more cryptic.
-- 
Bush would drop the MS suit if elected because since he is FOR 
fraud, abuse, privacy invasion, squashing the little guy if he gets 
in the way. Obviously, he is consistently NOT for compassion.

------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: Echelon
Date: Thu, 02 Mar 2000 19:55:03 GMT

excellent remarks !!!

John Underwood wrote:
> 
> Surely the whole point of a passphrase is that it is something that you
> can remember easily and no-one else would think of. I have one but I am
> not going to tell you:

That way you will force attacker to go for brute force on pass text only,
practically almost impossible to made for almost all applications / accesses.
Most of the simplest pass guarded entries has other precautions to stop input
after predetermined unsuccessful attempts.
The dict attack will be useless on it.

When you design your own "PRIVATE" algorithm that will encode sentence text to
pass text 40 char long, no one [ "ever" ] now will crack it. 

Additionally, you have the option to improve your pass text encode "PRIVATE"
algorithm any time you wish when technology improves. 

This pass text should be your MASTER PASS TEXT, one that will open all other
encryption. This is multilevel encryption, at least 2 levels will be
practically sufficient. 

The key here is : 
for your "PRIVATE" encoding algorithm, it could be very simple one but "no-one
else would think of" it, as John pointed out.

> Find a sentence which you can remember easily - and will do so when you
> need it to access your key. It could even be a well-known one (apart
> from the problem that if anyone sees part of it they will know the
> rest). If people don't think of you as some-one who recites nursery
> rhymes to himself, "Mary had a little lamb" might do (it is a bit
> short). Second lines are sometimes better, though. You could then play
> around with a bit, change the order or words or reverse the meaning, or
> write part of it backwards and also do something with the capitals.
> However, whatever you do, it must be something you can remember.
> --
> John Underwood

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Best language for encryption??
Date: Thu, 02 Mar 2000 13:02:54 -0600

In article <89l42r$9uc$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
Schlyter) wrote:
>  
> If you want to go farther than that in C, use setjump/longjump instead.
> These are library functions which allow you to jump between functions.
> longjump() is most often used to directly jump out of several nested
> function calls, in e.g. an error situation.
>  
> And then you also have signal().....
>  
No mention of these is in the literature I have on C/C++, more than you
can carry at once, which makes my point...that there is too little
standardization in how the languages are fully used, as opposed to a set
of commands that are easily learned, at least by many who I have taught.
-- 
Bush would drop the MS suit if elected because since he is FOR 
fraud, abuse, privacy invasion, squashing the little guy if he gets 
in the way. Obviously, he is consistently NOT for compassion.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Best language for encryption??
Date: Thu, 02 Mar 2000 13:09:30 -0600

In article <89m4k9$aik$[EMAIL PROTECTED]>, "Brian Hetrick"
<[EMAIL PROTECTED]> wrote:


> Arguing about which language is "best" is like arguing about which color is
> "best."
> 
> Can we get back to what sci.crypt is supposed to be about, now?

It's been a while since this pot boiled, so I suppose we will let it
simmer for another year or two.... again.  I'm doing my part to become
more flexible, but I know what I like, quick implementations of crypto
that work to my expectations.
-- 
Bush would drop the MS suit if elected because since he is FOR 
fraud, abuse, privacy invasion, squashing the little guy if he gets 
in the way. Obviously, he is consistently NOT for compassion.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Crypto.Com, Inc.
Date: Thu, 02 Mar 2000 13:19:01 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> Another possibility: Telepathy! Believe it or not, it was only
> a few days ago that pre-cognition of animals and such stuffs
> were earnestly discussed in a French radio broadcast.
> 
Do you suppose that we can better communicate with BXA this way, or is
that the technique they are trying to use in lieu of seeding email to us.
-- 
Bush would drop the MS suit if elected because since he is FOR 
fraud, abuse, privacy invasion, squashing the little guy if he gets 
in the way. Obviously, he is consistently NOT for compassion.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Crypto.Com, Inc.
Date: Thu, 02 Mar 2000 13:41:07 -0600

In article <89kgnr$nfh$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Xcott Craver) wrote:

> wtshaw <[EMAIL PROTECTED]> wrote:
> 
> >Since a OTP is a poor cipher due to awkward key
> >structure, it does not guarantee perfect security by itself, but just about
> >guarantees its own insecurity. If you deal with cryptographic algorithms
> >in a vacuum, that is not the real world.
> 
>         First of all, this was part of the point of his work.  He _showed_
>         that the theoretical upper bound of cipher security could not
>         be met without a cipher with unrealistic properties.  If you
>         accuse Shannon of ignoring practical considerations, then you
>         miss the point.  Indeed, you wouldn't be able to write the above 
>         paragraph without his work on the subject.  You're practically
>         echoing him.

Mathematics builds models that physics can't build perfectly and physics
finds structures that mathematics cannot fully describe.  That which is
practical is of use to both.
> 
>         Secondly, _all_ theory to some extent must be done in a vacuum.  
>         If you insist on considering all aspects when developing the theory, 
>         you can't do anything.  You could just as easily accuse any 
>         researcher in cryptography of not considering real-world issues,
>         by identifying some real-world flaw in their invention.
> 
Perfection is a goal that is never reached.  While it is important to
understand the goal, if you destroy the imperfect in life, nothing is
left.  It is just as important to have some standards that reject grossly
inferior works as not worth much or you have nothing worth saving.

Likewise, it is necessary to appreciate the good mixed with the bad as
something which always exists, but the proportions need not favor the
negative side by choice or ignorance.  It is good to try to realize all
major flaws

Down to ciphers, it is best when looking for good strength not to be so
nearsighted so as to miss what Shannon showed, that a measure of strength
can be associated with the amount of ciphertext necessary to solve for
unambiguous keys.  It is important that the present AES process is missing
that boat, calling it irrelevant, or seeking just a little more strength
rather than what is needed.
-- 
Present Government Security is a sandcastle built on a beach 
beside a lagoon at low tide. Figure that they will expense it all
before figuring out what is wrong with their planning personnel.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: I was just wondering...
Date: Thu, 02 Mar 2000 13:52:12 -0600

In article <89l4n6$4f4$[EMAIL PROTECTED]>, "Julian Lewis"
<[EMAIL PROTECTED]> wrote:

>     Once upon a time, there was a guy who read a book by Simon Singe
> called the code book, and as a result he got interested in encryption.
> Naturally he installed PGP on his computer, and got some of his friends
> to do likewise, so that he could have fun exchanging encrypted emails,
> well boys will be boys, you know how it is. One day he sent an encrypted
> email to a friend, and guess what, although it was encrypted in his out
> box, it arrived in plain text at his friends in box. Ohhh replied his friend
> "careful, you forgot to encrypt that one !!".  "No I didn't", the man
> replied,
> I guess it must just be a bug in outlook !!!
> 
Surely there was a problem when the encrypted copy Simple Simon was
intended to receive was switched with the plaintext copy THEY wished to
save. ;)
-- 
Present Government Security is a sandcastle built on a beach 
beside a lagoon at low tide. Figure that they will expense it all
before figuring out what is wrong with their planning personnel.

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Best language for encryption??
Date: Thu, 2 Mar 2000 13:51:22 -0700

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...
> In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
> <[EMAIL PROTECTED]> wrote:
> 
> > wtshaw wrote:
> > > I do use a compiled BASIC, not interpreted.
> > 
> > Even compiled BASIC doesn't support efficient linked data structures,
> > etc.  (Or if it does, it's via a nonstandard extension, not BASIC.)
> 
> You are going out of your way to qualify Basic as not being extendable. 

It looks to me like you've completely missed what he's talking about.

> If it were not simple enough to write a complex Basic application in one
> file generally, you might be right.

He said "linked data structures."  That's not referring to linking 
modules of a program together.  It's talking about creating things 
like linked lists, binary trees, R-B trees, AVL trees, hash tables 
that use linked-lists for collision resolution, etc.  There's no 
reasonable way of doing any of these things in the typical 
implementation of BASIC.

IMO, languages, even programming languages, are about expressing 
ideas.  BASIC makes it difficult to even express ideas that require 
pointers to implement.  It's long been agreed by most that we think 
primarily in language, and if we use a language that makes it 
difficult to express a concept, that also makes it difficult to think 
about the concept until we think up a vocabulary to express the ideas 
more easily.

> Choice of programming language is a minor one of your choices. Pick wisely
> as to platform first, then pick a language and define a style.

Yes and no.  Choosing a language in which to implement a particular 
program is indeed hardly worth discussing in most cases.  OTOH, the 
languages you choose to learn have lasting and pervasive effects, not 
only on the projects you implement, but even on your ability to think 
clearly about entire classes of problems.

In fairness, I should add that neither C nor C++ is the be-all or 
end-all in this respect.  Just for example, I'm strongly of the 
opinion that nobody can really be a good programmer without knowing 
some form of functional language like LISP or ML to at least some 
degree.  Even if you never write a single production program in such 
a language, knowing the language helps you acquire the vocabulary 
needed to think in a clear and straightforward manner about many 
problems that can appear nearly unapproachable if all you know is 
something like BASIC.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Plain-text attack on ZIP file
Date: 02 Mar 2000 20:52:20 GMT

"Graeme Elliott" [EMAIL PROTECTED] writes, in part:

>I am trying a plain-text attack on a zip file using pkcrack and AZPR using a
>fragment of plaintext that exists in encrypted form inside the archive. I
>have followed the guidelines precisely by compressing the plaintext with the
>same software and same settings as the encrypted file. However when I try to
>decrypt the file using the above software, it always fails by not finding
>any keys.
>If I do the above but don't compress the zip or the plaintext then I get the
>correct keys in a matter of minutes.

When you are using pkcrack with compressed files make
sure the compressed ciphertext is 12 bytes longer than 
the compressed plaintext.  So long as you are using
the right plaintext, the attack should work.

Joe


__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________
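
The 12 bytes mentioned in the reply above are the encryption header that traditional PKZIP encryption prepends to each entry's compressed data, so an encrypted entry's compressed size is the deflated size plus 12. The following Python sketch is an added example, not part of the original post and not pkcrack or AZPR code: it builds a constructed plain and encrypted archive in memory, reads the size difference back from the ZIP directory, and lists entries that use the legacy cipher. All function names, the sample text and the password are made up for the illustration.

```python
import io
import os
import struct
import zipfile
import zlib

def _crc_step(crc, byte):
    # Raw one-byte CRC-32 update (no pre/post inversion), as the key schedule needs.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(password, data):
    """Traditional PKZIP stream cipher; password and data are bytes."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    def update(b):
        nonlocal k0, k1, k2
        k0 = _crc_step(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_step(k2, k1 >> 24)
    for b in password:                       # key setup from the password
        update(b)
    out = bytearray()
    for b in data:
        t = (k2 | 2) & 0xFFFF
        out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(b)                            # keys are updated with the plaintext byte
    return bytes(out)

def build_zip(name, data, password=None):
    """Return a one-entry deflated ZIP archive as bytes (encrypted if a password is given)."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)    # raw deflate, as ZIP stores it
    body = deflater.compress(data) + deflater.flush()
    crc = zlib.crc32(data)
    flags = 0
    if password is not None:
        # 12-byte header: 11 random bytes plus a check byte (top byte of the CRC).
        header = os.urandom(11) + bytes([crc >> 24])
        body = zipcrypto_encrypt(password, header + body)
        flags = 0x1                                        # bit 0: entry is encrypted
    fname = name.encode("ascii")
    sizes = (crc, len(body), len(data), len(fname), 0)
    local = struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, flags, 8, 0, 0x21, *sizes) + fname
    central = struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, flags, 8, 0, 0x21,
                          *sizes, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def _info(blob, name):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.getinfo(name)

def header_overhead(plain_zip, enc_zip, name):
    """Compressed-size difference between the encrypted and the plain entry."""
    return _info(enc_zip, name).compress_size - _info(plain_zip, name).compress_size

def legacy_encrypted_entries(blob):
    """Names of entries with the encryption flag set and no AES (method 99) wrapper."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [i.filename for i in zf.infolist()
                if i.flag_bits & 0x1 and i.compress_type != 99]

def read_entry(blob, name, password=None):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)

SAMPLE = b"constructed sample text for the size check\n" * 20   # constructed input
PASSWORD = b"constructed-password"                               # constructed value

if __name__ == "__main__":
    plain = build_zip("note.txt", SAMPLE)
    enc = build_zip("note.txt", SAMPLE, PASSWORD)
    print("header overhead in bytes:", header_overhead(plain, enc, "note.txt"))
    print("legacy-encrypted entries:", legacy_encrypted_entries(enc))
```

The same `legacy_encrypted_entries` check works on any archive's bytes and is a quick way to find entries that should be re-packed with AES-based encryption.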


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
