Cryptography-Digest Digest #287, Volume #11 Thu, 9 Mar 00 13:13:01 EST
Contents:
Re: A few basic questions... (John)
Re: Where do I get it? (John)
Re: PGP Decoy? ("Thomas J. Boschloo")
Re: avoid man-in-the-middle known plaintext attack using a stream cipher (David A. Wagner)
test (Sang Geun Han)
Re: very tiny algorithm - any better than XOR? (David A. Wagner)
test only (Sang Geun Han)
Re: Pseudo-One Time pad here. Critiques? (Albert Yang)
Proof of Plaintext Knowledge (Irene Gassko)
Re: Best language for encryption?? ("Steve A. Wagner Jr.")
Re: CONFERENCE ON NATURALISM -- FINAL NOTICE (John Myre)
Re: Cellular automata based public key cryptography (Tim Tyler)
Re: Pseudo-One Time pad here. Critiques? (Andru Luvisi)
Re: Cellular automata based public key cryptography (Tim Tyler)
Re: NIST, AES at RSA conference (Tim Tyler)
Re: Cellular automata based public key cryptography (Mok-Kong Shen)
Re: NIST, AES at RSA conference ("Steve A. Wagner Jr.")
----------------------------------------------------------------------------
Subject: Re: A few basic questions...
From: John <[EMAIL PROTECTED]>
Date: Thu, 09 Mar 2000 07:27:40 -0800
I agree. I've done some analysis on crypto-systems. You are
right, sometimes, even the good ones, can "look bad" if you just
go by the data. I have seen crypto-texts from good crypto-
systems fail mathematical tests drastically.
Let me try to remember. Oh, I was using short passwords
like "a" "b" "cat", stuff like that. Some crypto-systems can
actually pass on the statistical and math tests, but if you
brute-forced them, you'd come up with the plaintext quite fast.
I had another password, something like "mavkiom" that was dismal
in the statistical and repetition realm. I assumed, hmmm, maybe
it's just because it starts with an "m" and ends with one.
Other "more random" 7 and 8 digit passwords were "ok." I have
heard that passwords can be too short, but also they can be too
long. One thing, nobody will remember a real long password. I am
working on a system that has 2^65535&8 byte key length. Probably
overkill, but hmmm, has anyone done it?
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
Subject: Re: Where do I get it?
From: John <[EMAIL PROTECTED]>
Date: Thu, 09 Mar 2000 07:39:07 -0800
Thanks, but did I miss something? It looked like that site was
selling, or giving me apps, not source. There was a lot of
stuff about crime, the government, etc.
------------------------------
From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp.discuss,alt.security.scramdisk
Subject: Re: PGP Decoy?
Date: Thu, 09 Mar 2000 16:47:54 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Russell Horn wrote:
>
> For example, I have sensitive information in a word file. When I encrypt
> it, I provide the word document and, say, a midi file. I am then forced
> by police or whoever to "reveal" my public key. I do so, but release my
> secondary key. They use this on the file which happily decrypts to a
> midi file instead of the sensitive word document.
The police will wonder what is in the rest of the cyphertext. It is hard
to hide the fact that the file consists of two parts, one that decrypts
to the midi file and an other 'unused' part. The police will want both
keys if they are clever.
Maybe Steganography will do the job for you. You can then just hide the
word document inside a .wav, .bmp or .gif file. Scramdisk 3 will do this
when it is finally released, I believe I heard the author say in
news:alt.security.scramdisk. In the mean time you can use Scramdisk
2.02h <http://www.scramdisk.clara.net> and make a virtual encrypted
volume inside a large 16 bit .wav file (which will also raise suspicion
unfortunately).
Another option is the OTP or one time pad. It needs a key that is as
large as the data you are trying to encrypt, so you won't be able to
remember it and need to store it. That is most unfortunate. Basically
you use a special function XOR that mixes the bits and bytes of your key
and the data together using the rule {0 XOR 0 = 1 XOR 1 = 0 and 0 XOR 1
= 1 XOR 0 = 1}. The trick here is that if you XOR the data together with
the key twice, you get back the original data, but you can also
calculate a second key that produces any inconspicuous data you want.
> The UK is about to introduce legislation whereby there would be a
> presumption of guilt on anyone not disclosing a public key on the
> request of a magistrate. Wouldn't a system like this be an ideal
> solution.
I think such regulation is bad because it reverses the rule "innocent
till proven guilty". What happens is that they can put you to jail if
the data becomes corrupt somehow or if the stress makes you forget your
key. You'd better delete all encrypted documents and containers that you
don't use anymore because even I have had passwords on word documents
that I had forgotten. Fortunately Word's encryption technology was very
weak and I had broken it in the blink of an eye with the proper cracking
tool, but what if..
Real bad asses on the other hand, will keep using crypto and not reveal
their key because unencrypted they would be in for a longer sentence. I
really hope we never get such laws in Holland!
> Does anyone see any problems?
Yes, lots ;-) It is just not fair. Maybe in the future there will be a
program that lets you record analogue radio shows to your harddisk,
allows you to use steganography with strong encryption on it and lets
you compose audio cd's with secret stuff.
I cross posted a bit because I believe the subject would be more on
topic there. Hope no one minds,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
iQB5AwUBOMe5cgEP2l8iXKAJAQE9IgMdEPsp2ssHYpzjs6mlMzNxzrTOdGGPujyl
3QzQmcdgHBWIIe1K9js7gEj9K8iV+mSkC7ZeKLKFNPYu4XAdLUSmGwZZ6jLooHzm
b0REzVC5nxOUyrreunmyjvfCZu0nBlF6IMaJAA==
=rTJC
-----END PGP SIGNATURE-----
--
Atari Teenage Riot: "Life is like a video game with no chance to win"
PGP key: http://x11.dejanews.com/getdoc.xp?AN=453727376
Email: boschloo_at_multiweb_dot_nl
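The one-time-pad trick Thomas describes above (a second key that makes the same ciphertext "decrypt" to harmless data) is worth seeing in code. The following is an added example and is not code from the original post or from any of the tools mentioned in it; the messages, the decoy text and the helper names are constructed for illustration.

```python
"""Deniable one-time pad: any ciphertext decrypts to any plaintext of the
same length under a suitably chosen second key.  Added example, not from
the original post; all sample data below is constructed."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (0^0 = 1^1 = 0, 0^1 = 1^0 = 1)."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # XORing with the same key twice gives back the original data.
    return xor_bytes(ciphertext, key)


def decoy_key(ciphertext: bytes, decoy_plaintext: bytes) -> bytes:
    """Compute K' = C XOR P' so that C XOR K' = P'.  The decoy has to cover
    the whole ciphertext, so a shorter decoy is padded here with spaces."""
    if len(decoy_plaintext) > len(ciphertext):
        raise ValueError("decoy plaintext longer than ciphertext")
    padded = decoy_plaintext.ljust(len(ciphertext), b" ")
    return xor_bytes(ciphertext, padded)


def demo() -> dict:
    # Constructed sample data (not from the post).
    real = b"meet at the old mill, tuesday 03:00"
    key = secrets.token_bytes(len(real))   # the genuine one-time pad key
    ct = otp_encrypt(real, key)
    fake_key = decoy_key(ct, b"grandma's apple pie recipe v2")
    return {
        "real": otp_decrypt(ct, key),          # what the true key reveals
        "decoy": otp_decrypt(ct, fake_key),    # what the surrendered key reveals
        "keys_differ": key != fake_key,
    }
```

The caveats Thomas raises survive in the code: both keys are as long as the data and must be stored somewhere, the decoy has to fill the entire ciphertext (so the length of the real message is not hidden), and whoever can demand one key can demand the second one too.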
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: avoid man-in-the-middle known plaintext attack using a stream cipher
Date: 9 Mar 2000 07:38:49 -0800
In article <8a0tv2$eu4$[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]> wrote:
> P[I]: Ith byte of plain text,
> C[I]: Ith byte of cipher text,
> S[I]: Ith byte of an OTP,
> B[I]: The 16-bit feedback buffer at step I, where B[0] is the IVector,
> B[I,0], B[I,1]; The least and most significant byte of B[I] respectively.
> E_K: A 16-bit table lookup cipher.
>
> The symbol "|" denotes concatenation. B[I] = B[I,0]|B[I,1].
>
> Encryption algorithm:
> 1. B[I] := E_K(B[I-1,1]|C[I-1] xor S[I-1])
> 2. C[I] := P[I] xor B[I,0] xor S[I]
>
> Decryption algorithm:
> 1. B[I] := E_K(B[I-1,1]|C[I-1] xor S[I-1])
> 2. P[I] := C[I] xor B[I,0] xor S[I]
Because the feedback "pipe" is only 16 bits wide, there are plenty
of birthday attacks here one may mount. In particular, if you modify
two adjacent bytes of ciphertext, the probability that this change
fails to propagate is something like 1/2^16, so just try 2^16 times;
and it may be possible to get that down to something like trying 2^9
times (using the birthday paradox).
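Wagner's objection is that the feedback state is only 16 bits wide. The simulation below is an added example, not code from the thread: it implements the construction quoted above and measures how far a single flipped ciphertext byte propagates into the decrypted plaintext. E_K is modelled as a random 16-bit permutation and S as random pad bytes, both drawn from a seeded generator (assumptions; the post specifies neither), and the message length and flipped position are arbitrary.

```python
"""Simulation of the 16-bit-feedback stream cipher quoted in the post.
Added example, not the poster's code.  E_K is modelled as a random 16-bit
permutation and S as random pad bytes (assumptions), seeded for repeatability."""
import random


class Feedback16:
    def __init__(self, seed: int, iv: int, length: int):
        rng = random.Random(seed)
        self.table = list(range(1 << 16))   # E_K: a keyed 16-bit permutation
        rng.shuffle(self.table)
        self.pad = bytes(rng.randrange(256) for _ in range(length))  # S[I]
        self.iv = iv & 0xFFFF               # B[0]

    def _next_state(self, prev_b: int, prev_c: int, i: int) -> int:
        # B[I] = E_K(B[I-1,1] | C[I-1] xor S[I-1]); "|" is concatenation,
        # B[I,1] is the most significant byte, B[I,0] the least significant.
        hi = (prev_b >> 8) & 0xFF
        lo = prev_c ^ self.pad[i - 1]
        return self.table[(hi << 8) | lo]

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        b = self.iv
        for i, p in enumerate(plaintext):
            if i > 0:
                b = self._next_state(b, out[i - 1], i)
            out.append(p ^ (b & 0xFF) ^ self.pad[i])   # C[I] = P[I]^B[I,0]^S[I]
        return bytes(out)

    def decrypt(self, ciphertext: bytes) -> bytes:
        out = bytearray()
        b = self.iv
        for i, c in enumerate(ciphertext):
            if i > 0:
                b = self._next_state(b, ciphertext[i - 1], i)
            out.append(c ^ (b & 0xFF) ^ self.pad[i])   # P[I] = C[I]^B[I,0]^S[I]
        return bytes(out)


def propagation_length(seed: int = 1, msg_len: int = 8192, pos: int = 100) -> int:
    """Flip one bit of ciphertext byte `pos` and count how many decrypted
    bytes come out wrong.  The decryptor's state is only 16 bits, so as soon
    as the high byte of B coincides with the honest value again (roughly a
    1/256 chance per step) the table input matches and decryption resyncs
    for good; the garbled run is a short burst, not the rest of the message."""
    pt = bytes(random.Random(seed ^ 0xABCD).randrange(256) for _ in range(msg_len))
    cipher = Feedback16(seed, iv=0x1234, length=msg_len)
    ct = bytearray(cipher.encrypt(pt))
    if cipher.decrypt(bytes(ct)) != pt:
        raise RuntimeError("honest round trip failed")
    ct[pos] ^= 0x01
    tampered = cipher.decrypt(bytes(ct))
    return sum(1 for a, b in zip(tampered, pt) if a != b)
```

The one-byte case shown here is the simplest consequence of the narrow pipe. Wagner's 1/2^16 figure concerns a change to two adjacent bytes failing to propagate at all, and the birthday-style reduction toward 2^9 trials is not simulated.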
------------------------------
From: Sang Geun Han <[EMAIL PROTECTED]>
Subject: test
Date: Thu, 09 Mar 2000 11:24:55 -0500
test
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: very tiny algorithm - any better than XOR?
Date: 9 Mar 2000 07:49:26 -0800
In article <[EMAIL PROTECTED]>,
Samuel Paik <[EMAIL PROTECTED]> wrote:
> What if, in addition to CBC, you xor a counter into the plaintext? This
> would seem to increase the number of blocks before the birthday paradox
> starts revealing information.
I don't think it helps; information starts to leak at the same
"square root" point.
------------------------------
From: Sang Geun Han <[EMAIL PROTECTED]>
Subject: test only
Date: Thu, 09 Mar 2000 11:27:56 -0500
test only
------------------------------
From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: Pseudo-One Time pad here. Critiques?
Date: Thu, 09 Mar 2000 16:35:45 GMT
Go into more detail about the IV for me if you would. This is an
ongoing evolving project for me, and so trust me, I will not skip any
suggestions that are made that make sense. I will however not implement
any changes that I am not fully sure why they are so...
I'm writing this for php, the web scripting language, and so it comes
with MD5 on it as a function, so I'm using it. SHA-1 or Tiger would be
better choices for a hash, but I haven't had time to write it out in php
as a function yet. I'll get to it eventually.
I'll make the 32 nibbles into 16 bytes, that increases my possibilities
by from 16 to 256, that is correct.
Thanks so far for the suggestions,
Albert
------------------------------
From: Irene Gassko <[EMAIL PROTECTED]>
Subject: Proof of Plaintext Knowledge
Date: 9 Mar 2000 16:40:01 GMT
I am interested in any information about PPTK. Would be grateful
for related papers or pointers to them.
TIA,
Irene
------------------------------
From: "Steve A. Wagner Jr." <[EMAIL PROTECTED]>
Subject: Re: Best language for encryption??
Date: Thu, 09 Mar 2000 13:13:49 -0800
Indeed, pal, but on cryptography.org are links to thousands of links outside
of the U.S.. I failed to mention that in my post. Sorry.
Runu Knips wrote:
> "Steve A. Wagner Jr." wrote:
> > http://www.cryptography.org/ has C reference code for many algorithms.
>
> HAHAHAHA. ;-(((((((((((
>
> There are also people in the world which live _OUTSIDE_ the US !!!!!!!
> Yes, and outside Canada !!!
>
> Trash that damned URL....
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: CONFERENCE ON NATURALISM -- FINAL NOTICE
Date: Thu, 09 Mar 2000 10:00:09 -0700
John Savard wrote:
>
> Visiting their web site, however, showed that my suspicions were
> mistaken; the MPC does have an agenda, all right, but it is apparently
> the opposite of the one their notice gives the impression of having.
You mean, the opposite of the impression you got.
I have not visited their web site, and I have a different impression
of their "agenda" from their post in sci.crypt. It appears to me
to be an attempt to address the question: are "Science" and "Religion"
necessarily in conflict, or not?
For me, the key statement is:
> Is it, perhaps, possible to offer cogent philosophical and even
> scientific arguments that nature does point beyond itself?
^^^^
That is, can we find (scientific) evidence for miracles.
Leaving questions of motivation aside, I find this subject quite
interesting.
You have to presume that there is a scientific explanation for
something in order to search for it; you may be certain or not but
you have to act as if the explanation is there. If you say
"miracle" then you are done, and can never discover anything else.
An interesting question is, is it logically possible to prove that
no scientific explanation could exist for something? For example,
could you do a computation and show, numerically, that life simply
cannot arise naturally? On the other hand, could we (Goedel-like),
show that such a proof is impossible, regardless of the state of
"scientific" knowledge?
John M.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Cellular automata based public key cryptography
Reply-To: [EMAIL PROTECTED]
Date: Thu, 9 Mar 2000 16:40:18 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] wrote:
:> > Doesn't this mean that an ordinary CA is as powerful as a
:> > universal TM? Could you give references? Thanks.
:> Yes, CA and TM are equivalent. [...]
: I am yet having some 'logical' problem. If CA and TM are equivalent
: and, according to a post of Tim Tyler, CA and FSM can be converted
: to each other, then there seems to be something that is not in order,
: for FSM and TM are not equivalent, if I don't err.
*Finite* CA and FSM are equivalent in power.
Some *infinite* CA and TMs are equivalent in power.
No *finite* CA (or other FSM) is equivalent to a TM in its ability to
evaluate large, complex functions - since they run out of memory.
It's unlikely that you can actually build infinite CA - or a TM - due to
problems vaguely to do with the decay of all the material particles in
the universe.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Lead me not into temptation - I can find it all by myself.
------------------------------
From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Pseudo-One Time pad here. Critiques?
Date: 09 Mar 2000 08:58:11 -0800
Albert Yang <[EMAIL PROTECTED]> writes:
> Go into more detail about the IV for me if you would. This is an
> ongoing evolving project for me, and so trust me, I will not skip any
> suggestions that are made that make sense. I will however not implement
> any changes that I am not fully sure why they are so...
What you're doing is basically generating "random" numbers that you
XOR with the plaintext to get the ciphertext. To decrypt, you
generate the same "random" numbers again, and XOR them with the
ciphertext to get the plaintext.
So far, so what.
Now, let's ignore the generator for a moment, and assume you use the
same "random" numbers to encrypt two messages:
Ciphertext_1 = Plaintext_1 XOR Pad
Ciphertext_2 = Plaintext_2 XOR Pad
Now if an attacker intercepts both Ciphertext_1 and Ciphertext_2, they
can XOR them together. XOR is associative and commutative, so:
Ciphertext_1 XOR Ciphertext_2
= (Plaintext_1 XOR Pad) XOR (Plaintext_2 XOR Pad)
= Plaintext_1 XOR Plaintext_2 XOR (Pad XOR Pad)
= Plaintext_1 XOR Plaintext_2 XOR 0
= Plaintext_1 XOR Plaintext_2
Now they can guess at probable plaintexts and XOR them against this.
If they get something that looks like plaintext, they probably hit
it. Once you get part of the plaintext, you use that to guess
probable plaintexts at one end or the other of what you have, and you
can make your guess based on *either* of the plaintexts you have. As
Schneier puts it wrt Solitaire, you may not be able to recover the
plaintexts given their difference, but an experienced cryptographer
can.
The idea behind an IV is not to generate the same "random" number for
more than one message. A typical block cipher operating in OFB mode
would look something like this:
Ciphertext_0 = Pad_0 = IV
Pad_i = E_k(Pad_{i-1})
Ciphertext_i = Plaintext_i XOR Pad_i (for i >= 1)
In this case, E_k(x) is just md5(x+k). The first plaintext is called
plaintext_1.
By starting with a different IV each time, the Pad_i's that are
generated are different each time. Of course, the recipient needs to
know the IV in order to start decryption, however the IV can be made
public since it can't be encrypted without the key, so you might as
well just stick it at the start of the ciphertext.
Andru
--
==========================================================================
| Andru Luvisi | http://libweb.sonoma.edu/ |
| Programmer/Analyst | Library Resources Online |
| Ruben Salazar Library |-----------------------------------------|
| Sonoma State University | http://www.belleprovence.com/ |
| [EMAIL PROTECTED] | Textile imports from Provence, France |
==========================================================================
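Andru's two points above, that a reused pad leaks Plaintext_1 XOR Plaintext_2 to anyone who XORs the two ciphertexts, and that a fresh IV feeding an OFB-style generator prevents it, are shown together in the following added example. It is not Andru's or Albert's code; the generator follows the post's description E_k(x) = md5(x + k) purely because that is what the post describes (MD5 is not a recommendation here), and the key, messages, IVs and the crib are constructed.

```python
"""Two-time pad leakage versus an OFB-style keystream with a fresh IV.
Added example, not the poster's code.  E_k(x) = md5(x || k) as in the post;
key, messages and IVs are constructed."""
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Pad_0 = IV, Pad_i = E_k(Pad_{i-1}) with E_k(x) = md5(x + k).  Plaintext
    numbering starts at 1, so Pad_0 itself never encrypts anything."""
    pad, out = iv, b""
    while len(out) < length:
        pad = hashlib.md5(pad + key).digest()
        out += pad
    return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # The IV is public and travels in the clear at the front of the ciphertext.
    return iv + xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:16], blob[16:]
    return xor_bytes(body, keystream(key, iv, len(body)))


def crib_drag(xored: bytes, crib: bytes) -> list:
    """Given P1 XOR P2 and a guessed fragment of one plaintext, return every
    offset where XORing the crib in yields printable text from the other."""
    hits = []
    for off in range(len(xored) - len(crib) + 1):
        cand = xor_bytes(xored[off:off + len(crib)], crib)
        if all(32 <= c < 127 for c in cand):
            hits.append((off, cand))
    return hits


def demo_two_time_pad() -> dict:
    key = b"constructed-demo-key"
    p1 = b"transfer 5000 to account 42"
    p2 = b"the meeting is at noon today"
    n = min(len(p1), len(p2))
    same_iv = bytes(16)                       # the mistake: one IV, two messages
    c1 = encrypt(key, same_iv, p1)[16:]
    c2 = encrypt(key, same_iv, p2)[16:]
    leaked = xor_bytes(c1[:n], c2[:n])        # == p1 XOR p2; the pad cancels
    fresh = xor_bytes(encrypt(key, os.urandom(16), p1)[16:16 + n],
                      encrypt(key, os.urandom(16), p2)[16:16 + n])
    return {
        "pad_cancels": leaked == xor_bytes(p1[:n], p2[:n]),
        "crib_hits": crib_drag(leaked, b"account"),   # guess a word of p1
        "fresh_iv_leaks": fresh == xor_bytes(p1[:n], p2[:n]),
    }
```

Running demo_two_time_pad() shows the crib "account" landing at offset 17 and exposing " noon t" from the other message, exactly the foothold Andru describes for extending a guess in either direction; with a fresh IV per message the XOR of the two ciphertexts is unrelated to the plaintexts. Crib dragging also produces false positives at other offsets, which is why the attacker works from several probable words rather than one.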
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Cellular automata based public key cryptography
Reply-To: [EMAIL PROTECTED]
Date: Thu, 9 Mar 2000 16:53:31 GMT
[EMAIL PROTECTED] wrote:
: [EMAIL PROTECTED] wrote:
:> To my mind, gate arrays and spatially non-uniform CA are very similar
:> systems.
: Right, the goal would be to have an
: architecture (a combination of CA and gate
: arrays) that allows many gate operations to
: be done simultaneously and also at sites
: irregularly distributed throughout the
: structure. It seems to me this could help with
: quantum computing but do you think it could
: also be beneficial for cryptography?
I certainly think cellular automata are relevant to cryptography.
CA with spatially non-uniform rules seem very relevant to me.
Their main advantage is a very efficient hardware implementation.
I mentioned that there are a large number of methods of generating
invertible systems using CA.
Some of these are a little like Feistel networks. Some of them are
like linking together arrays of Latin squares. Some of them - as
far as I know - have never before seen application in cryptography.
The combination of rapid hardware speed, and alternative theoretical
approaches to building invertible systems, seems to me to bode well
for an arranged marriage with cryptography.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
The more I learn about people, the more I like my cat.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Reply-To: [EMAIL PROTECTED]
Date: Thu, 9 Mar 2000 17:13:01 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> I'd agree that it makes sense to alter the cypher algorithm *in the way
:> that Ritter recommends* - i.e by combining multiple independent encryption
:> schemes, each with their own key.
: In other words, it makes sense to lengthen the key.
Ritter's not *just* talking about lengthening the key. His proposals
include shuffling the cypher algorithms used. *Only* increasing the
length of the key - without constantly renegotiating the algorithms
employed - would not have quite the same effect.
: The real question is, is that the most effective way to use a
: given set of key bits? My C/A experience suggests that they
: would be better employed in keying a single, integrated system
: rather than partitioned among independently operating,
: noninteracting subsystems.
If you want maximum strength, using non-interacting sub-systems is
practically guaranteed to be a bad way to utilise the key.
In no way does Ritter's scheme attempt to get the greatest possible
security from a given length of key.
What it does is recombine a number of known algorithms in a manner that
is likely to significantly increase the overall strength.
Would you be better off using a single algorithm, with a long key?
In /theory/, perhaps yes. However, using a single algorithm means
any attack on the algorithm may break the system wide open.
Consider a trivial example - a RNG-based stream cypher:
Say you have a choice between using either some combination of an LCG,
an LFSR and a self-shrinking generator, or one of these systems with
three times as large a key.
Now attacking the combined system may be a bit tricky - while breaking
any of the individual components - even with the much larger key - may be
much simpler.
The time taken for an attack scales with the size of the key only while
the cypher remains relatively uncompromised. If some flaw is found,
a larger key size may not make that much difference.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
ASCII to ASCII, DOS to DOS.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cellular automata based public key cryptography
Date: Thu, 09 Mar 2000 19:01:36 +0100
Tim Tyler wrote:
>
>
> *Finite* CA and FSM are equivalent in power.
>
> Some *infinite* CA and TMs are equivalent in power.
>
> No *finite* CA (or other FSM) is equivalent to a TM in its ability to
> evaluate large, complex functions - since they run out of memory.
>
> It's unlikely that you can actually build infinite CA - or a TM - due to
> problems vaguely to do with the decay of all the material particles in
> the universe.
Thanks for the explanation. I would like to ask a further dumb question.
The CA I have seen are two dimensional. If I understand you correctly,
an infinite two dimensional CA can be equivalent to a TM. Would an
infinite three dimensional CA, which could certainly be built, be
able to provide more power than a TM? If not, are there any reasons
to support that argument? Thanks.
M. K. Shen
------------------------------
From: "Steve A. Wagner Jr." <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Date: Thu, 09 Mar 2000 14:36:55 -0800
Hmm, still not a new idea. I had the same idea. Not many people are as paranoid
as you may think. PGP users are happy with 128bit keysizes and will be satisfied
with that for many years.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************