Cryptography-Digest Digest #284, Volume #11       Thu, 9 Mar 00 03:13:01 EST

Contents:
  Re: sci.crypt Cipher Contest Web Site ([EMAIL PROTECTED])
  Re: NIST, AES at RSA conference ([EMAIL PROTECTED])
  Re: Actually, I have a sign "Be Aware of Dog" on the garage door of the  (Outsider)
  Re: NIST, AES at RSA conference ([EMAIL PROTECTED])
  Re: Court cases on DVD hacking is a problem for all of us (tapeguy)
  I have found that RC4 stinks.. (Nemo psj)
  Re: Passphrase Quality ? (jungle)
  A few basic questions... ("G. R. Bricker")
  Re: Passphrase Quality ? (Johnny Bravo)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: sci.crypt Cipher Contest Web Site
Date: Thu, 09 Mar 2000 05:00:31 GMT

Mr Durana,

The contest sounds like fun.  I will be happy to participate.

I would suggest that the criteria for originality be broad.  For
instance, DES style algorithms should certainly be allowed while an
obvious DES knock off would be eliminated.  Truly unique ciphers are
almost sure to be insecure.

I have written a cipher as an educational tool for myself. With a good
key schedule, it should make a good entry.

As for security, all entries should resist all known attacks.  Any
attacks found should count against a cipher.  Distant second criteria
should be speed, memory use, ease of implementation, elegance and
simplicity.  The advanced ciphers should be usable in any mode and as a
hash function.

It will be tough to meet all the criteria.  Just look at the AES
candidates that have been eliminated.  The fun is in the trying.

--Matthew


In article <WPAx4.1$[EMAIL PROTECTED]>,
  "Adam Durana" <[EMAIL PROTECTED]> wrote:
> I put together a web site with a draft of the requirements for entries.
> I need feedback on the requirements and suggestions from everyone
> planning on participating so the majority of people will be happy with
> the requirements. The site is at
> http://www.wizard.net/~echo/crypto-contest.html  I'm going to start
> posting all the emails and posts on the web site concerning the contest
> so everyone can be sure I'm being fair.  If anyone is interested in
> helping me with the web site I would greatly appreciate it.
>
> Two questions while you are looking at this...
>
> Does anyone think resistance to linear and differential analysis is too
> much to ask of the intermediate category?
>
> and
>
> Would anyone object to me participating in the contest?  I hope the
> winners of each category will be selected by eliminating the other
> entries as people break them, so I would not be selecting the winner.
> And if it came down to a tie of some sort we could have a general vote
> to select the best entry according to the requirements.
>
> It would be a good idea to post your suggestions as well as email them
> to me so everyone can make sure I am taking all suggestions into
> account.
>
> - Adam
>
>


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NIST, AES at RSA conference
Date: Thu, 09 Mar 2000 06:06:05 GMT



In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (John Savard) wrote:
> [EMAIL PROTECTED] (Bo Dömstedt) wrote, in part:
>
> >Terry Ritter has presented a whole bunch of convincing
> >arguments. Not even a formal mathematical proof
> >would convince some people.
>
> Funny you should say that, because one of the major problems with his
> argument is that, while he correctly (I'm convinced) that his proposal
> is an effective method of achieving considerably stronger encryption
> in practice, his rationale for establishing the need for stronger
> encryption than just using Triple-DES or the AES is the lack of a
> _formal mathematical proof_ that they're strong enough. Since even
> after his proposal is applied, this lack still exists, I'm not
> surprised that a number of people have essentially replied, "what's
> the point"?

Frankly, I'm surprised that you -- and, presumably, they -- continue
to miss the point.  This continued confusion almost seems willful.

Correct: The problem we have with cryptography is that it cannot
be treated like virtually any other product in society.  Only
cryptography has us depend upon something which not only cannot
be proven; strength which cannot even be tested or success
verified.  Because we all depend upon "common sense" built up
from our experiences in other contexts, this uniqueness is a
very serious problem.

Yes, the problem is that cipher strength cannot be proven.  Yes,
after my proposals are applied, cipher strength *still* cannot
be proven.  But since that is not the intent of my proposals,
that seems hardly to be a telling argument.

The intent of my proposals is to address the possibility that
the single cipher we would normally use forever is in fact
insecure.  This is a single-point fault, and we cannot test for
such faults, nor can we prove they do not exist.  Because a
broken cipher will reveal our data forever, we must change
ciphers to regain security, so we must have different ciphers
to change to, and we must have a system which supports changing
ciphers with minimal intrusion.

I hope this is the last time I see the specious argument
against my proposals from this particular author.


> Now, there is a comeback to that: if, whatever you do, you can't prove
> your ciphers will keep your secrets, then, doesn't it at least seem
> reasonable to do *whatever you can* to improve your chances - and so,
> if your computer can encrypt your message in Triple-DES or AES in the
> 'blink of an eye', wouldn't it be more sensible to let the computer
> take 5 seconds to encrypt your message _as thoroughly as is currently
> practical_ if your secrets are important to you?
>
> However, what I feel is the real obstacle to any widespread use of
> something like Terry Ritter's multi-ciphering proposal is this:
>
> The prospect of someone coming up with an attack against one of the
> current five AES finalists, for example, that renders it dangerously
> weak seems remote to many people, including myself. The prospect that
> someone might find a much improved method of factoring, or a much
> better way to find discrete logarithms, seems like a considerably more
> realistic threat.

Frankly, I find the above logic seriously disturbing:  It
essentially consists of "I think a cipher is secure, therefore
it must be secure."  That is wishing, not science.

There is a lot of arrogance to the idea that the repetitive
application of the same simple ciphering functions in "rounds"
is not a fundamentally breakable construction.

In any case, the issue is not the strength which we cannot
know, but instead the data risk which we can.  If we really
have something at risk, we simply cannot continue to depend
on one cipher to carry that load over all time.  If we do,
we are making our precious data the ideal target.


> Since his proposal or similar methods cannot address that threat, and
> since a great many people _insist_ on the convenience of public-key
> encryption for key management in most applications, the lack of
> interest his proposal is generating is not surprising.

Presumably, public-key methods can be increased in strength
arbitrarily.  Multiple such methods also could be used in
sequence, for example.  While my proposals have been directed
to the data cipher, they are easily and immediately extended
to public-key ciphers as well.  Obviously.

And how are *you* able to measure this "interest"?  What
do you expect?  Most users aren't going to understand any
of this, and banks, for example, are just happy to use
the standard cipher which indicates due diligence.  Why
would you expect the earth to move?  And when it doesn't,
why is that evidence against my proposals?


> This is true even if that lack of interest is not fully legitimate:
> even if existing practice _is_ genuinely inadequate.
>
> John Savard (jsavard<at>ecn<dot>ab<dot>ca)
> http://www.ecn.ab.ca/~jsavard/crypto.htm

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM




------------------------------

From: Outsider <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,soc.culture.russian,soc.culture.nordic,soc.culture.israel,soc.culture.europe
Subject: Re: Actually, I have a sign "Be Aware of Dog" on the garage door of the 
Date: Thu, 09 Mar 2000 07:35:44 +0100
Reply-To: [EMAIL PROTECTED]

Markku J. Saarelainen wrote:
> 
> Actually, I have a sign "Be Aware of Dog" on the garage door of the
> house, where I am living until I take the world's longest love train
> ride to Vladivostok, Russia.. The sign itself is a lie .. I have no dog
> . actually it is just the deception .. you see often the security is
> based on deception.
> 
> Yours,
> 
> Markku

If you want a good sign, place a sign that says the following on
your front and back doors.

===============================
   Trespassers will be shot.
 Survivors will be shot again.

     (picture of gun)


===============================


-- 
Regards,
Outsider
"Don't overestimate the decency of the human race." -- H.L. Mencken

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NIST, AES at RSA conference
Date: Thu, 09 Mar 2000 06:31:14 GMT

In article <[EMAIL PROTECTED]>,
  "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> Tim Tyler wrote:
> > I'd agree that it makes sense to alter the cypher algorithm *in the way
> > that Ritter recommends* - i.e by combining multiple independent encryption
> > schemes, each with their own key.
>
> In other words, it makes sense to lengthen the key.

No.

It always makes sense to have a long-enough key, but once
we have it, that's enough key.

What we don't have is the assurance that the cipher will
provide strength related to key size.  What we then have
to worry about is the cipher.  And we can have no
assurance about the ultimate strength of any cipher.


> The real question is, is that the most effective way to use a
> given set of key bits?  My C/A experience suggests that they
> would be better employed in keying a single, integrated system
> rather than partitioned among independently operating,
> noninteracting subsystems.

Ciphers generally have enough keying nowadays, and we
generally can afford both to have and transport very
long keys.  This is not the issue it once was.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM




------------------------------

From: tapeguy <[EMAIL PROTECTED]>
Subject: Re: Court cases on DVD hacking is a problem for all of us
Date: Thu, 09 Mar 2000 06:39:31 GMT

OT but relevant to those concerned: there have been many folks that I
have read about in usenet threads using the OnStream tape drives with
DeCSS to make copies of DVDs.  I know from first-hand experience that
it works very well.  The OnStream drive works like a drive letter under
Windows and plays the movies back directly from the tape drive with no
problems.  Storage capacity of up to 5 full-length DVDs per tape and
retail pricing of the drive starting at under $300.

It ain't going to affect the DVD industry in the slightest, but DeCSS
and the OnStream drive let me use DVD in the same way I used to use
VHS.  When was the last time anyone complained that the video tape
market was a threat to Hollywood?

Regards,

TapeGuy

In article <87nq00$9o8$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Eric Lee Green  ([EMAIL PROTECTED]) wrote
> ]Michael Kagalenko wrote:
> ]>  I wonder how the data transfer rate required for DVD playback compares
> ]>  with data transfer rate of tape drives. Maybe DVDs can be copied to
> ]>  digital tape ?
> ]
> ]You would need a minimum of a NS-20 tape drive. Nope, that wouldn't
> ]work, because NS-20 tape drives transfer data at a rate of 1 megabyte
> ]per second on their best days. Not to mention that NS-20 media costs
> ]$35, which is about the same that a DVD movie costs in the first place.
> ]
> ]An Ecrix VXA would probably work better, since it transfers data at
> ]around 2.5 megabytes per second (check out http://www.linuxtapecert.org
> ]for some benchmark data that we've done on various tape drives), but it
> ]uses 8mm media that costs $69 apiece. Again, a DVD movie costs around
> ]$35. Whoopsie daisy!
> ]
> ]Well, let's see. DDS-4 DAT (4mm) will do, hmm, 2.5 megabytes per second,
> ]and the media costs around $30 apiece. Of course, the drives themselves
> ]currently cost anywhere from $1100 to $1500. Yeah, I can see people
> ]spending thousands of dollars on tape drives in order to pirate DVD
> ]movies onto media that's not much cheaper than just buying the bloody
> ]movie in the first place.
>
>  Thanks for clarification. I am not familiar with hard numbers for
>  those types of media. What is the cheapest per byte storage format
>  that can be used by an individual computer user ? ( Stamping DVDs
>  on mass-production lines is probably the cheapest per byte storage
>  format). A pirate could store movie on some intermediate medium, and
>  copy DVD to his hard drive for a playback.
>
>



------------------------------

From: [EMAIL PROTECTED] (Nemo psj)
Subject: I have found that RC4 stinks..
Date: 09 Mar 2000 06:58:48 GMT

     Recently I have been working on a stream cypher I have created. This
cypher's strength comes from parts of the Enigma machine's setup and part of the
program's ability to change the password after encrypting each letter.  So I
decided, along with some suggestions from people, to include in the password
change a more well-tested and known algorithm.  So I picked up an implementation of
RC4 and tried to incorporate it.  Unfortunately I find it has a giant flaw: if
you try to continuously encrypt something like "&#$#!!~$×6ì" with something
like "))_+{}<?><@(^¼" it will eventually return "".  Now maybe the
implementation of it is wrong, so I'll post the code below, but if it's not, well, I
guess I have to search for another one.

http://www.puregold.cjb.net for more info

This is in VB6

Option Explicit
Dim s(0 To 255) As Integer 'S-Box
Dim kep(0 To 255) As Integer 'Key bytes, repeated to fill all 256 slots
Dim i As Integer, j As Integer 'PRGA counters, kept between EnDeCrypt calls
'For the file actions
Dim path As String


Public Sub RC4ini(Pwd As String)
    Dim temp As Integer, a As Integer, b As Integer
    'An empty key is invalid: Asc("") would raise a runtime error below
    If Len(Pwd) = 0 Then Err.Raise 5
    'Save Password in Byte-Array, repeating it to fill all 256 entries
    b = 0
    For a = 0 To 255
        b = b + 1
        If b > Len(Pwd) Then
            b = 1
        End If
        kep(a) = Asc(Mid$(Pwd, b, 1))
    Next a
    'INI S-Box (key-scheduling algorithm)
    For a = 0 To 255
        s(a) = a
    Next a
    b = 0
    For a = 0 To 255
        b = (b + s(a) + kep(a)) Mod 256
        ' Swap( S(a),S(b) )
        temp = s(a)
        s(a) = s(b)
        s(b) = temp
    Next a
    'Reset the PRGA counters so a new key starts a fresh keystream
    i = 0
    j = 0
End Sub

Public Function EnDeCrypt(plaintxt As Variant) As Variant
    'i and j are deliberately NOT redeclared here: a local i and j would
    'shadow the module-level state and restart the counters at 0 on every
    'call, which is not RC4's behaviour when several messages are
    'encrypted under one key.
    Dim temp As Integer, a As Long, k As Integer
    Dim cipherby As Byte, cipher As String

    For a = 1 To Len(plaintxt)
        i = (i + 1) Mod 256
        j = (j + s(i)) Mod 256
        ' Swap( S(i),S(j) )
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
        'Generate Keybyte k
        k = s((s(i) + s(j)) Mod 256)

        'Plaintextbyte xor Keybyte.  Any value 0-255 can result, including 0:
        'Chr(0) is a legitimate output byte and must be kept, so the result
        'is raw byte data, not printable text.
        cipherby = Asc(Mid$(plaintxt, a, 1)) Xor k
        cipher = cipher & Chr(cipherby)
    Next a
    EnDeCrypt = cipher
End Function
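A byte-oriented RC4 in Python, added here as an example and not the poster's VB6 or the puregold project's code, checked against a published RC4 test vector; the key "))_+{}<?><@(^" is constructed from the post. It keeps i, j and S between messages, and it shows that a keystream or ciphertext byte of 0x00 is an ordinary byte, so RC4 output must be handled as raw bytes rather than as text (note also that RC4 itself is long since considered broken and is prohibited in TLS by RFC 7465).

```python
from typing import Iterator, List


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permute S[0..255] under the key (repeated as needed)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Pseudo-random generation algorithm: yields keystream bytes indefinitely.
    i, j and S persist across yields, so several messages encrypted through one
    generator continue the same keystream instead of restarting it."""
    s = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream.
    Operates on bytes, so a 0x00 result is kept like any other byte."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def first_zero_keystream_index(key: bytes, limit: int = 1 << 16) -> int:
    """Index of the first keystream byte equal to 0x00, or -1 if none before limit.
    At that position the plaintext byte passes through unchanged; any output
    position can likewise become 0x00, which NUL-terminated or text-string
    handling of the ciphertext would silently truncate."""
    for idx, k in enumerate(rc4_keystream(key)):
        if idx >= limit:
            return -1
        if k == 0:
            return idx
    return -1


if __name__ == "__main__":
    # Published RC4 known-answer vector: key "Key", plaintext "Plaintext".
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                    # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct))       # b'Plaintext' (RC4 is its own inverse)
    # Constructed key modelled on the poster's password: where is the first 0x00?
    print(first_zero_keystream_index(b"))_+{}<?><@(^"))
```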

------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Passphrase Quality ?
Date: Thu, 09 Mar 2000 07:09:58 GMT

wrong assumption, 
you can be killed by torture & have your key ...

wrong assumption, 
when authorities need to get the key by torture == they need the KEY BUT NOT
the person killed ... 

killing is assumed as the authorities have been defeated ... not much help for
the killed as the result of the ordeal ...

Johnny Bravo wrote:
> 
> On Wed, 08 Mar 2000 23:29:20 GMT, [EMAIL PROTECTED] (Ian L.
> Romkey) wrote:
> 
> >Seriously, all my system <http://www.5x5poker.com/grid/> does is give you
> >the option of destroying your password so that not even you can ever
> >recover it. In most real-world cases, there's no actual risk of torture
> 
> If someone is going to torture you for the password, they will torture
> you anyway.  

I will say batter is batter & is batter ... anyway ...

> They certainly have nothing to lose in trying, 

the problem is not in what THEY have to lose, but what you have to lose ...

> since your
> chances of lying to them about the password to avoid torture approach
> 100%.  When you are dead they can be reasonably sure you didn't know the
> passphrase.

wrong assumption, 
you can be killed by torture & have your key ...

wrong assumption, 
when authorities need to get the key by torture == they need the KEY BUT NOT
the person killed ...

------------------------------

From: "G. R. Bricker" <[EMAIL PROTECTED]>
Subject: A few basic questions...
Date: Thu, 09 Mar 2000 07:13:38 GMT

I'm fairly new at this stuff, so please excuse the ignorance.

        I caught the crypto bug by reading Seizing the Enigma and The Code Book. I
started cracking the codes in the back of The Code Book when I realized I
would need to dust off my programming skills. Actually, "dusting off" was
quickly replaced by "unearth". It's amazing how quickly you forget this
stuff when you haven't used it for awhile.
        Anyway, I found some programs like Cryptaid and Tact which were helpful,
but not quite what I was looking for. So, what the heck, I started writing
my own text analysis program which would be more geared toward crypto than
standard text. If nothing else, it's good practice. I've also managed to
come across the Lanaki lecture series. Unfortunately, this prompted me to
start adding things to my analysis program which is now beginning to turn
into some godawful spaghetti code. 
        My first question is this. Given a crypto text, is there some way to
determine what type of encryption was used? Are there ways that some of you
savvy crypto guys can look at a text and say, "Well, it's plainly obvious
that this was encrypted using RSA. You can tell by ...(blah blah)". It seems
that this is a basic step according to the OP-Nav document referred to in
the Lanaki lectures. I'm not trying to determine if a text has been
encrypted using some new, novel algorithm. Just the main culprits (DES,
RSA, etc.). Are there characteristics which give the type of encryption
away?
        My second question is this. I've got Aristocrats, Patristocrats,
Homophones, and Vigenère ciphers down fairly pat. I'm ready to move on to
the next level. I have a reasonably good math background (though I'm no
math major). I've had Calc, DiffEQ, and even a course in complex variable
analysis (I'd rather chop off an arm than go through THAT one again). It's
all rusty (as is my programming), but I can bull my way through it. So my
question is... what would be a good book (or website) for someone at my
level. My guess is that I'm passing from beginner to a lower intermediate
level in cryptanalysis. Please keep in mind that I'm a relatively poor
son-of-a-gun.
        My third and final question. As long as I'm writing a text analysis
program geared toward crypto, is there anything that you think I should
include as a "basic" tool that would be useful in most situations. If you
have any ideas which I can implement, I'll try to include them. It may take
some time. Remember that I am an "Iron Man" programmer, meaning that I've
"rusted on my laurels". But, I will post anything useful that I've
programmed. What basic tools would you like to see in your crypto toolbox?
        I'm more interested in cracking codes than creating them (at least at
present). Frankly, I'm surprised at how badly I've been bitten by the
crypto bug. What a great hobby. I apologize for any typos in this message.
Any mistakes are entirely due to my cat, who can type 100 words a minute,
but can't spell worth a hoot.
        -Thanks


------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Passphrase Quality ?
Date: Thu, 09 Mar 2000 02:39:41 -0500

On Tue, 07 Mar 2000 01:38:20 GMT, "Stephen P." <[EMAIL PROTECTED]> wrote:

>neat, so the password is removed from the computer and human memory. the
>grid can be shredded. seems to provide 'distance' as long as there's a way
>to readily dispose of/shred etc. the grid.
>
>steve

  Just make sure your path is long enough to provide security in case a 
copy of the grid is taken from you or copied, 6 bits for the starting 
location, and roughly 3 bits for every additional character.  A 15 
character path only provides 48 bits of keyspace, a very short brute 
search indeed.
  Memorizing three short paths of 5 chars each would increase this to 54 
bits, still too short for adequate security.  To get an 80 bit password a 
single path of 26 characters would need to be memorized, or three separate
paths of 8 characters each.

-- 
  Best Wishes,
    Johnny Bravo

"The most merciful thing in the world, I think, is the inability
of the human mind to correlate all its contents." - HPL

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
