Cryptography-Digest Digest #305, Volume #11      Sat, 11 Mar 00 10:13:01 EST

Contents:
  Re: Cheating in co-operative open-source games, how can we protect from it? (Lincoln Yeoh)
  Re: NIST, AES at RSA conference ("Douglas A. Gwyn")
  Re: why xor?(look out,newbie question! :) ("Douglas A. Gwyn")
  Re: How does % operator deal with negative numbers? ("Stewart Gordon")
  Re: public key encryption ("Tom St Denis")
  Re: Q: Voice encryption ("Tom St Denis")
  Re: Big Float project ("Tom St Denis")
  Re: des des3 for hp-ux c++ ("Tom St Denis")
  Re: An RC5-like cipher ("Tom St Denis")
  Cyber Patrol 4 reversed ([EMAIL PROTECTED])
  Re: Free-MAC mode (antirez)
  Re: public key encryption ("Marianne Laws")
  Re: An RC5-like cipher (Samuel Paik)
  Re: How does % operator deal with negative numbers? (Daniel James)
  Re: Server Config: How allow both 128-Bit and 40-Bit browsers ? ("Phil")
  Re: sci.crypt Cipher Contest Web Site (SCOTT19U.ZIP_GUY)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Lincoln Yeoh)
Subject: Re: Cheating in co-operative open-source games, how can we protect from it?
Date: Sat, 11 Mar 2000 11:10:30 GMT
Reply-To: [EMAIL PROTECTED]

On Wed, 08 Mar 2000 13:44:43 GMT, "Peter Henningsen" <[EMAIL PROTECTED]> wrote:

>and promoting artificial life entities. In all these cases, files on the
>user's computer must be protected from tampering by the user himself. Since
>we are developing free games, and cannot afford to do much processing on
>central servers, it is not an option either to run the code on a server for
>protection.

How much processing is needed?

I think it has to be centralised for security. To minimise tampering and
cheating you must put the important bits under your control. So the clients
basically make "requests" but the server actually approves stuff and makes
sure that everyone is "living" in the same consistent world. Those that
aren't are sent to limbo.. You cannot let the clients directly control
reality. Clients just control their actions.

Since you say it will be free and open source, if the load is too great
other people could set up multiple servers right?

Cheerio,

Link.
****************************
Reply to:     @Spam to
lyeoh at      @[EMAIL PROTECTED]
pop.jaring.my @ 
*******************************
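The server-authoritative model Lincoln describes above (clients only submit requests, the server validates each against the one consistent world, and a client whose requests keep contradicting the rules is sent to limbo) sketched as an added Python example. This is not code from the thread or from any game; the grid size, step limit, gold position and limbo threshold are constructed values.

```python
from dataclasses import dataclass

# Constructed rules for the toy world (assumptions, not from the thread).
WORLD_SIZE = 10       # 10x10 grid
MAX_STEP = 1          # a client may move at most one cell per request
LIMBO_AFTER = 3       # three rejected requests and the client is parked in limbo


@dataclass
class Player:
    x: int = 0
    y: int = 0
    gold: int = 0
    violations: int = 0
    in_limbo: bool = False


class AuthoritativeServer:
    """The only copy of the world lives here. Clients never write state directly:
    they send a request, and the server either applies it or rejects it."""

    def __init__(self):
        self.players = {}
        self.gold_at = {(3, 3)}   # constructed: one gold piece on the map

    def join(self, name):
        self.players[name] = Player()

    def request_move(self, name, x, y):
        """Client asks to stand at (x, y). Returns 'ok', 'rejected' or 'limbo'."""
        p = self.players[name]
        if p.in_limbo:
            return "limbo"
        on_map = 0 <= x < WORLD_SIZE and 0 <= y < WORLD_SIZE
        small_step = abs(x - p.x) <= MAX_STEP and abs(y - p.y) <= MAX_STEP
        if not (on_map and small_step):
            # The request contradicts the rules: count it, never apply it.
            p.violations += 1
            if p.violations >= LIMBO_AFTER:
                p.in_limbo = True
            return "rejected"
        p.x, p.y = x, y
        # Rewards are granted by the server as a consequence of a legal move;
        # there is deliberately no request that lets a client set its own gold.
        if (x, y) in self.gold_at:
            self.gold_at.remove((x, y))
            p.gold += 1
        return "ok"

    def snapshot(self):
        """What every client sees: the same consistent world."""
        return {n: (p.x, p.y, p.gold, p.in_limbo) for n, p in self.players.items()}


def demo():
    srv = AuthoritativeServer()
    srv.join("honest")
    srv.join("cheater")
    honest = [srv.request_move("honest", i, i) for i in (1, 2, 3)]
    # The cheater's client claims to have teleported; the server simply refuses.
    cheater = [srv.request_move("cheater", 9, 9) for _ in range(4)]
    return honest, cheater, srv.snapshot()


if __name__ == "__main__":
    print(demo())
```

The point of the layout is that the client's local files can say anything they like; the only thing that reaches the shared world is a request the server has checked. Scaling this by letting other people run their own servers, as Lincoln suggests, keeps the same property per server.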

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Date: Sat, 11 Mar 2000 11:15:53 GMT

"David A. Wagner" wrote:
> Here's where I got lost.  If F,G,G',H are all independently keyed,
> under what definition of security can that be considered less secure
> than FG or G'H?

The assumption was that FH is readily crackable, but FG and G'H
are not.  For example, suppose F, G, G', and H each uses 32 bits
of key and that FH can be cracked using radically less work than
a brute-force key search, but FG and G'H cannot.  2^-32 of the
time, the composite system cracks immediately; that is much worse
than either separate system FG or G'H.  Some of the "work factor"
required to crack the system evaporates when the innards simplify,
so the naive multiplication of the work factors overestimates the
actual requirement.

Although my example illustrated just one loophole with an exact
cancellation of half of each of the concatenated components, for
a full analysis one also needs to consider the cases where there
is a *partial* simplification.  If the interfacing system
structures can "beat against" each other in this way, perhaps
with multiple levels cancelling out, there is a substantial
reduction in expected work per break, although exploiting that
may not be feasible.  (This calculation may remind one of
Feynman diagrams.)

As an extreme case, consider a concatenation where for certain
keys there is a full inside-out cancellation so that the full
encryption reduces to the identity transformation.  We would
certainly consider the existence of such keys a flaw in a block
cipher design.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: why xor?(look out,newbie question! :)
Date: Sat, 11 Mar 2000 11:47:18 GMT

Mok-Kong Shen wrote:
> I am afraid that so much words of you don't really help me at all.
> Given two bit sequences x_i and y_i, please kindly write down
> the 'test statistic' for independence, i.e. an expression in terms
> of x_i and y_i, so that I can actually compute that and look into the
> statistics tables to see if my results are satisfactory at a
> given confidence level. And please exlain how you come to that
> particular test statistic, i.e. why it 'tests' the property
> 'independence'. Please also list your assumptions, if any.

You were already directed to Pearson's chi-square statistic as one
standard test.  The "so much words" were an essential caveat:  if
you blindly follow a recipe and don't understand how to interpret
the results, you will draw erroneous conclusions from the test.
I don't see much point in my trying to write a whole essay about
it here, when you can learn about Pearson's chi-square statistic
from any decent introductory college statistics textbook.  The
formula itself is very simple, and you can find C code for it and
also for my preference for such tests (Kullback's Î statistic),
including the associated significance functions, in various
places on the Internet, e.g. URL
http://the.wiretapped.net/security/cryptography/literature/applied-crypto/i-hat.zip
(The above URL may have been broken into multiple lines by the
time you see it.)  The included documentation is in the form of
UNIX manual page sources (eqn|troff -man), which can be read in
the raw source form if you have no way to format them.

Note that these tests will compare bit-by-bit in parallel, not
looking for correlations at offsets other than 0, nor for
patterns within a stream.  But they are a good place to start.
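As an added Python example (not Gwyn's code and not the i-hat package he points to), Pearson's chi-square statistic and Kullback's 2I (G) statistic for independence of two bit streams, computed from the 2x2 table of bit pairs, with the 1-degree-of-freedom significance function. The `lag` parameter goes beyond the post by also comparing at offsets other than 0, the limitation Gwyn notes at the end; the input streams are constructed.

```python
import math


def contingency(x, y, lag=0):
    """2x2 table of (x[i], y[i + lag]) pair counts; lag=0 is the bit-by-bit,
    in-parallel comparison. Both inputs are sequences of 0/1 ints."""
    n = min(len(x), len(y) - lag)
    if n <= 0:
        raise ValueError("lag leaves no pairs to compare")
    table = [[0, 0], [0, 0]]
    for i in range(n):
        table[x[i]][y[i + lag]] += 1
    return table


def expected(table):
    """Cell counts expected under independence: row total * column total / n."""
    n = sum(map(sum, table))
    rows = [sum(r) for r in table]
    cols = [table[0][j] + table[1][j] for j in range(2)]
    e = [[rows[i] * cols[j] / n for j in range(2)] for i in range(2)]
    if any(v == 0 for r in e for v in r):
        raise ValueError("a stream is constant; independence is undefined")
    return e


def pearson_chi2(table):
    """Pearson's statistic, sum (o - e)^2 / e over the four cells (1 degree of freedom)."""
    e = expected(table)
    return sum((table[i][j] - e[i][j]) ** 2 / e[i][j]
               for i in range(2) for j in range(2))


def kullback_2i(table):
    """Kullback's 2I (the G statistic), 2 * sum o * ln(o / e); empty cells add 0."""
    e = expected(table)
    return 2 * sum(table[i][j] * math.log(table[i][j] / e[i][j])
                   for i in range(2) for j in range(2) if table[i][j])


def p_value_df1(stat):
    """Upper-tail probability of a chi-square variate with 1 degree of freedom."""
    return math.erfc(math.sqrt(stat / 2))


def independence_report(x, y, lag=0):
    t = contingency(x, y, lag)
    chi2, g = pearson_chi2(t), kullback_2i(t)
    return {"table": t, "chi2": chi2, "p_chi2": p_value_df1(chi2),
            "g": g, "p_g": p_value_df1(g)}


# Constructed inputs, 1000 bits each.
X_BITS = [0, 0, 1, 1] * 250
Y_BALANCED = [0, 1, 0, 1] * 250   # every (x, y) pair occurs equally often


if __name__ == "__main__":
    print(independence_report(X_BITS, Y_BALANCED))       # statistic 0: no dependence seen
    print(independence_report(X_BITS, X_BITS))           # statistic = n: total dependence
    print(independence_report(X_BITS, X_BITS, lag=2))    # the pattern shows up only at lag 2
```

The constructed streams illustrate Gwyn's caveat directly: `X_BITS` is a blatantly periodic pattern, yet against `Y_BALANCED` at lag 0 both statistics are exactly zero, because the test only asks whether the bit pairs occur in the proportions independence predicts, not whether either stream is random. Comparing `X_BITS` with itself at lag 2 gives the maximal statistic, which is the kind of correlation the parallel comparison alone never sees.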

------------------------------

From: "Stewart Gordon" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.javascript
Subject: Re: How does % operator deal with negative numbers?
Date: Sat, 11 Mar 2000 12:02:27 -0000

Paul Rubin <[EMAIL PROTECTED]> wrote in message
news:8abov8$u33$[EMAIL PROTECTED]...

> Common Lisp defines trunc-mod and floor-mod as separate functions.
> I've often felt languages like C and Javascript should have a separate
> floor-mod operator (maybe %_ instead of %).

In my opinion, floor-mod should be the standard operator, and trunc-mod
should be separate.  I can see floor-mod as being more practically useful,
as well as being more mathematically 'correct' as a modulo operator.

What does casting to an int do in C, or parseInt in JS ... floor or trunc?

Stewart.



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: public key encryption
Date: Sat, 11 Mar 2000 12:28:24 GMT


Marianne Laws <[EMAIL PROTECTED]> wrote in message
news:y9ky4.29$[EMAIL PROTECTED]...
> Hi!  I am researching public key encryption for a Uni assignment.
> Can anyone recommend useful sites on the WWW on the subject.
>
> Thanks for your help in advance,
> Marianne.
>

I would suggest to read a few good books.  But if you want I can email the
RSA paper to you.  Do you need info on Public Key Architechs?

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Q: Voice encryption
Date: Sat, 11 Mar 2000 12:30:14 GMT


JimD <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Fri, 10 Mar 2000 20:03:50 +0100, Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> >For voice encryption, there are analog scramblers and digital
> >scramblers. Is there anything against using both with the
> >expectation of obtaining a higher security or does one use in
> >fact both in practice? What are the algorithms used in the
> >common types of digital voice scramblers? Thanks.
>
> Digital ciphony gives better quality and is much more secure, given
> that the (stream) cipher it uses is well designed, and provided that
> you have the bandwidth to transmit it.
>
> Analogue ciphony depends on splitting the audio bandwidth into
> discrete bands and transposing these bands within the telephone
> bandwidth according to a key. There are other schemes. See Kahn,
> 'The Codebreakers' for an interesting examination of analogue ciphony.
>
> Digital ciphony samples the amplitude of the analogue audio waveform
> at a high rate (8 kHz or more) and converts these samples to a binary value.
> The binary output can then be XOR-ed with a key stream to produce a
> pseudo-random cipher output. The process is reversed at the receiving
> end: cipher stream is XOR-ed with the identical key stream to reproduce
> the deciphered digital samples, which then go through a digital to
> analogue converter to end up as (hopefully!) the original audio.
>
> There is a third type: a vocoder, but that's another story.

 I don't follow.  A Vocoder is a codec that models the vocal tract for
higher compression ratios over waveform coders.  How is that an encryption
technique?

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Big Float project
Date: Sat, 11 Mar 2000 12:37:52 GMT


Mike Rosing <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
> > I have seen only complex conjugates... (a + bi)(a - bi)...  I am doing
> > algebra right now, and doing calc next semester.
>
> OK, let's start with that.  The first thing to do is to create variables
> which exist on the complex plain.  So z = (a + ib) and (a,b) are
> arbitrary.
>
> With z, we can do the same algebra you do with real numbers.  For
> example,
> z^2 + 3z - 5 = 0 is an equation which we can solve for z.

So I can expand that to (a + ib)(a + ib) + 3(a + ib) -5 = 0, a^2 + 2aib +
(ib)^2 + 3a + 3ib - 5 = 0, a^2 + 3a + 2aib + ib^2 - 5 = 0.

>
> Another thing we can do is compute the "norm" of z, it's length.  That's
> where the complex conjugate is useful.  z * z' = N(z).

What is z'? Is that (a - ib)?

> Life gets interesting when we combine the two.  N(z^n) has to get bigger
> when N(z) > 1 and smaller when N(z) < 1.  The circle N(z) = 1 is pretty
> special (in engineering especially) and points on the circle which
> satisfy the equation z^n = 1 are called "nth roots of unity".

I assume n is a real?  How do you find n?

> You can easily picture all this by drawing a 2D graph representing the
> complex plain.  An nth root of unity is just the circle divided into
> n parts.  As you take powers of z which lie on the "unit circle", you
> just go around the circle.  So another way to think about z is as a
> vector.  If N(z) != 1, then the vector motion of z^k spirals outward
> from the unit circle.  It's pretty cool to plot.

My class didn't plot them, we just solved em using the good ole quadratic
formula...

> That's what the big floats do, follow z^k out to where it gives the number
> of points on a specific elliptic curve.  For Koblitz curves it turns out
> that N(t^m - 1) = #E for GF(2^m) fields.  Almost seems too simple :-)

Not for me :)

Tom
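An added Python example (not Rosing's code and not the Big Float project) that puts the two questions above on concrete numbers: z' is the conjugate a - ib, so N(z) = z z' = a^2 + b^2, and N(τ^m - 1) = #E is checked against a brute-force point count for the two Koblitz curves y^2 + xy = x^3 + a x^2 + 1 over small GF(2^m). It departs from the big-float approach by doing the arithmetic exactly in Z[τ], using τ^2 = μτ - 2 with μ = +1 for a = 1 and μ = -1 for a = 0; the irreducible polynomials chosen for the small fields are listed in the code.

```python
# Constructed choice of irreducible polynomial for GF(2^m), m = 1..5.
IRREDUCIBLE = {1: 0b11, 2: 0b111, 3: 0b1011, 4: 0b10011, 5: 0b100101}


def complex_norm(a, b):
    """N(z) = z * z' where z' = a - ib is the conjugate of z = a + ib."""
    z = complex(a, b)
    return (z * z.conjugate()).real            # a^2 + b^2, the squared length


def gf2m_mul(x, y, m, poly):
    """Multiply two elements of GF(2^m) in polynomial basis, reducing by poly."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> m:
            x ^= poly
    return r


def count_points(a, m):
    """Brute-force #E for y^2 + xy = x^3 + a*x^2 + 1 over GF(2^m), a in {0, 1}."""
    poly, q = IRREDUCIBLE[m], 1 << m
    count = 1                                   # the point at infinity
    for x in range(q):
        x2 = gf2m_mul(x, x, m, poly)
        rhs = gf2m_mul(x2, x, m, poly) ^ (x2 if a else 0) ^ 1
        for y in range(q):
            if gf2m_mul(y, y, m, poly) ^ gf2m_mul(x, y, m, poly) == rhs:
                count += 1
    return count


def tau_mul(u, v, mu):
    """Product in Z[tau], elements written (p, q) = p + q*tau, with tau^2 = mu*tau - 2."""
    p, q = u
    r, s = v
    return (p * r - 2 * q * s, p * s + q * r + mu * q * s)


def tau_norm(u, mu):
    """N(p + q*tau) = (p + q*tau)(p + q*tau'): tau + tau' = mu and tau*tau' = 2."""
    p, q = u
    return p * p + mu * p * q + 2 * q * q


def koblitz_order(a, m):
    """#E(GF(2^m)) = N(tau^m - 1), computed exactly; mu = +1 for a = 1, -1 for a = 0."""
    mu = 1 if a == 1 else -1
    t = (1, 0)
    for _ in range(m):
        t = tau_mul(t, (0, 1), mu)
    p, q = t
    return tau_norm((p - 1, q), mu)


if __name__ == "__main__":
    print(complex_norm(3, 4))                   # 25.0
    for a in (0, 1):
        print(a, [(koblitz_order(a, m), count_points(a, m)) for m in range(1, 6)])
```

The exact version works because τ, seen as a complex number, is (μ + i√7)/2, so its norm is 2 and the conjugate arithmetic never leaves the integers; the big-float route Rosing describes follows the same z^k spiral numerically, which is where precision becomes the issue for large m.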



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Crossposted-To: alt.comp.freeware,comp.security.misc
Subject: Re: des des3 for hp-ux c++
Date: Sat, 11 Mar 2000 12:40:14 GMT


Michael Burrows <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi
> Please could you let me know where I could get des or des3 for hp-ux c++
>
> Thanks
> Mike
>

Um, no. DES sucks.  Why use it?

tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: An RC5-like cipher
Date: Sat, 11 Mar 2000 12:42:30 GMT


Samuel Paik <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Here is a cipher that is a like RC5, but can be implemented with fewer
> instructions that RC5 for block sizes greater than 16 bits, on the
> Atmel AVR architecture.  I do not have a clue to the security of this
> cipher, although I believe that n rounds of this cipher is at least
> as strong as n-2 round RC5.
>
> RC5 encryption is as follows:
>
>   A = A + S[0];
>   B = B + S[1];
>   for (i = 2; i <= 2*R+1; i++)
>   {
>     A = A ^ B;
>     A = ROTL(A, B);   /* Rotate A left by B bits */
>     A = A + S[i];
>     SWAP(A, B);       /* Swap contents of A and B */
>   }
>
> Eliminate whitening step and reorder operations.
>
>   for (i = 0; i <= 2*R+1; i++)
>   {
>     B = B + S[i];
>     A = A ^ B;
>     A = ROTL(A, B);
>     SWAP(A, B);
>   }

I don't like this.  The modification of A and B is entirely linear.  I can
for example work A backwards one round by doing

SWAP(A, B)
A = ROTR(A, B)
A = A ^ B

Since I am an amateur cryptanalyst and I just broke one round in 3 seconds,
I would say this cipher is weak.

Tom



------------------------------

From: [EMAIL PROTECTED]
Subject: Cyber Patrol 4 reversed
Date: 11 Mar 2000 04:49:14 -0800

[Note: this article may be especially of interest to sci.crypt readers
because it includes a description, on a simple level, of how to reverse
the CRC32 algorithm.  That's a topic that was recently discussed here.]

March 11, 2000 - ANNOUNCEMENT

Cyber Patrol(R) 4, a "censorware" product intended to prevent users from
accessing undesirable Internet content, has been reverse engineered by
youth rights activists Eddy L O Jansson and Matthew Skala.  A detailed
report of their findings, titled "The Breaking of Cyber Patrol(R) 4", with
commentary on the reverse engineering process and cryptographic attacks
against the product's authentication system, has been posted on the World
Wide Web at this address:

   http://hem.passagen.se/eddy1/reveng/cp4/cp4break.html

The abstract of the report:

   Several attacks are presented on the "sophisticated anti-hacker
   security" features of Cyber Patrol(R) 4, a "censorware" product intended
   to prevent users from accessing Internet content considered harmful.
   Motivations, tools, and methods are discussed for reverse engineering
   in general and reverse engineering of censorware in particular. The
   encryption of the configuration and data files is reversed, as are the
   password hash functions. File formats are documented, with commentary.
   Excerpts from the list of blocked sites are presented and commented
   upon. A package of source code and binaries implementing the attacks
   is included.

Eddy L O Jansson
[EMAIL PROTECTED]
http://hem.passagen.se/eddy1/index.html

Matthew Skala
[EMAIL PROTECTED]
http://www.islandnet.com/~mskala/
-- 
Matthew Skala                       "Ha!" said God, "I've got Jon Postel!"
[EMAIL PROTECTED]            "Yes," said the Devil, "but *I've* got
http://www.islandnet.com/~mskala/    all the sysadmins!"


------------------------------

From: antirez <[EMAIL PROTECTED]>
Subject: Re: Free-MAC mode
Date: Sat, 11 Mar 2000 12:58:38 GMT

In article <8ac1m0$hk9$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David A. Wagner) wrote:
> In article <8ac1it$90l$[EMAIL PROTECTED]>, antirez
<[EMAIL PROTECTED]> wrote:
> > This should be safe even if the attacker known M, comments?
>
> As in every other MAC-without-a-secret scheme I can think of,
> chosen-plaintext truncation attacks allow forgery with your scheme.
> See my post on Free-MAC, and change what needs to be changed.

Sorry, but I can't understand how the truncation attack works against
my scheme. For a given message M the MACed ciphertext C is obtained
as C = Ek(M||RANDOM||SHA1(M,RANDOM)) so there isn't a fixed block.
How can I set M' to forge M if this scheme avoids a fixed block?
If the explanation is boring I'll be happy if somebody gives me a pointer
to some paper about this attack.

--
antirez
email: antirez@linuxcare dot com



------------------------------

From: "Marianne Laws" <[EMAIL PROTECTED]>
Subject: Re: public key encryption
Date: Sun, 12 Mar 2000 00:28:11 +1100

Thanks for your reply Tom.  I would greatly appreciate your help by emailing
me the RSA paper to [EMAIL PROTECTED] .

I found a book online at http://www.cacr.math.uwaterloo.ca/hac/  "Handbook
of Applied Cryptography" by Alfred J Menezes, Paul C. van Oorschot and Scott
A Vanstone which is very helpful.

Would you be able to tell me which books you recommend that I read.   I am
not quite sure what you mean by public key architechs, but if you have any
info I would really appreciate it.

Once again, thank you for your offer of assistance and I look forward to
hearing from you again.

Marianne.





Tom St Denis wrote in message ...
>
>Marianne Laws <[EMAIL PROTECTED]> wrote in message
>news:y9ky4.29$[EMAIL PROTECTED]...
>> Hi!  I am researching public key encryption for a Uni assignment.
>> Can anyone recommend useful sites on the WWW on the subject.
>>
>> Thanks for your help in advance,
>> Marianne.
>>
>
>I would suggest to read a few good books.  But if you want I can email the
>RSA paper to you.  Do you need info on Public Key Architechs?
>
>Tom
>
>



------------------------------

From: Samuel Paik <[EMAIL PROTECTED]>
Subject: Re: An RC5-like cipher
Date: Sat, 11 Mar 2000 14:05:27 GMT

Tom St Denis wrote:
> >   for (i = 0; i <= 2*R+1; i++)
> >   {
> >     B = B + S[i];
> >     A = A ^ B;
> >     A = ROTL(A, B);
> >     SWAP(A, B);
> >   }
> 
> I don't like this.  the modification of A and B is entirely linear.  I can
> for example work A backwards one round by doing

Well, it isn't linear, it just is completely independent of any key bits
and completely determined by data known to the attacker.

The first and last rounds aren't much more than window dressing--which I
implied in my statement that this was probably as strong as RC5 with two
fewer rounds.

However, it is worse than that: my actual code (which was in this Atmel
assembly) did not match the C code I posted!  Argh!
-- 
Samuel S. Paik | http://www.webnexus.com/users/paik/
3D and multimedia, architecture and implementation
You dont know enough about X86 or kernel architectures to argue with me.
 - <38b2dc12$0$[EMAIL PROTECTED]> "Leon Trotsky" to Terje Mathisen
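The one-round inversion Tom posted, and Paik's correction that the round mixes A with data the attacker can see rather than with key bits, on concrete 32-bit words as an added Python example. This is neither poster's code; the rotation is a data-dependent rotate on 32-bit words as in RC5, and the subkeys and plaintext are constructed values. `recover_input_a` is exactly the three posted steps and needs no subkey; recovering B does need S[i], which is what `decrypt` adds.

```python
MASK32 = 0xFFFFFFFF


def rotl(x, r):
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK32


def rotr(x, r):
    r &= 31
    return ((x >> r) | (x << (32 - r))) & MASK32


def round_forward(a, b, s_i):
    """One round of the un-whitened variant: B += S[i]; A ^= B; A = ROTL(A, B); SWAP."""
    b = (b + s_i) & MASK32
    a = rotl(a ^ b, b)
    return b, a                      # the swap: new A is old B, new B is old A


def recover_input_a(a_out, b_out):
    """Tom's three steps: SWAP(A, B); A = ROTR(A, B); A = A ^ B.
    The rotation amount and the XOR mask are both the round's output A,
    so the round's input A comes back without knowing S[i]."""
    a, b = b_out, a_out
    a = rotr(a, b)
    return a ^ b


def recover_input_b(a_out, s_i):
    """The round's input B is hidden only by the subkey addition."""
    return (a_out - s_i) & MASK32


def encrypt_trace(a, b, subkeys):
    """Run all rounds; return the state before each round and after the last."""
    states = [(a, b)]
    for s_i in subkeys:
        a, b = round_forward(a, b, s_i)
        states.append((a, b))
    return states


def decrypt(a, b, subkeys):
    """Full inverse: Tom's steps for A plus the subkey subtraction for B, per round."""
    for s_i in reversed(subkeys):
        a_in = recover_input_a(a, b)
        b_in = recover_input_b(a, s_i)
        a, b = a_in, b_in
    return a, b


def peel_last_round(ciphertext):
    """From the ciphertext alone, the A word that entered the last round."""
    return recover_input_a(*ciphertext)


# Constructed subkeys (2R + 2 words for R = 1) and plaintext.
SUBKEYS = [0x9E3779B9, 0x7F4A7C15, 0x1234ABCD, 0xDEADBEEF]
PLAINTEXT = (0x01234567, 0x89ABCDEF)


if __name__ == "__main__":
    trace = encrypt_trace(*PLAINTEXT, SUBKEYS)
    print([tuple(hex(w) for w in s) for s in trace])
    print(hex(peel_last_round(trace[-1])), "==", hex(trace[-2][0]))
    print(decrypt(*trace[-1], SUBKEYS) == PLAINTEXT)
```

What the trace makes visible is Paik's point: the last round's A half undoes with nothing but the ciphertext, so that round contributes no confusion to A, and the same holds for B in the first round, since its only key dependence is an addition whose result is output directly. That is why he rates the proposal as RC5 with two fewer rounds.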

------------------------------

From: Daniel James <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.javascript
Subject: Re: How does % operator deal with negative numbers?
Date: Sat, 11 Mar 2000 14:22:58 GMT
Reply-To: [EMAIL PROTECTED]

In article <8adcvf$i6b$[EMAIL PROTECTED]>, Stewart Gordon wrote:
> In my opinion, floor-mod should be the standard operator, and trunc-mod
> should be separate.  I can see floor-mod as being more practically useful,
> as well as being more mathematically 'correct' as a modulo operator.
> 
> What does casting to an int do in C, or parseInt in JS ... floor or trunc?

There's been a lengthy thread on the behaviour of the C/C++ % operator in 
comp.lang.c++.moderated in the last couple of weeks.

In that thread Andrew Koenig posted the following:
----
[snip]

 Is it desirable that (-a)/b == -(a/b) ?

 Is it desirable that (a/b)*b + (a%b) == a ?

If the answer to both these questions is yes, then a%b has to be <=0
when a<=0.  That is, we could add a third question:

 Is it desirable that (a%b)>=0 whenever b>=0?

and the answer would also be yes.  The problem is that all three questions
cannot have yes answers at the same time, so you have to choose which
one will be answered no.

A long time ago, Dennis Ritchie decided that the right answer to
these questions is ``whatever the hardware gives you.''  And, as it
happens, all division hardware I've seen gives the remainder the sign
of the dividend, not the divisor.
[snip]
----
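Koenig's three properties, and the floor-mod versus trunc-mod distinction Stewart raises in the earlier post, checked on concrete values as an added Python example (not from either post). Python's own `%` is floor-mod (the remainder takes the sign of the divisor), unlike the C and JavaScript `%` discussed here, so `trunc_mod` is written out explicitly and `math.fmod` serves as a second trunc-mod reference.

```python
import math


def trunc_div(a, b):
    """Quotient rounded toward zero, the C99 / JavaScript convention."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q


def trunc_mod(a, b):
    """Remainder with the sign of the dividend: a - trunc_div(a, b) * b."""
    return a - trunc_div(a, b) * b


def floor_div(a, b):
    """Quotient rounded toward minus infinity (what Python's // does)."""
    return a // b


def floor_mod(a, b):
    """Remainder with the sign of the divisor: a - floor_div(a, b) * b."""
    return a - floor_div(a, b) * b


def koenig_properties(div, mod, a, b):
    """The three 'is it desirable' questions, as booleans, for one (div, mod) pair."""
    return {
        "neg_symmetric": div(-a, b) == -div(a, b),        # (-a)/b == -(a/b)
        "identity": div(a, b) * b + mod(a, b) == a,       # (a/b)*b + a%b == a
        "nonneg_rem": b < 0 or mod(a, b) >= 0,            # a%b >= 0 whenever b >= 0
    }


def compare(a, b):
    """Both conventions side by side on one (a, b)."""
    return {
        "trunc": (trunc_div(a, b), trunc_mod(a, b),
                  koenig_properties(trunc_div, trunc_mod, a, b)),
        "floor": (floor_div(a, b), floor_mod(a, b),
                  koenig_properties(floor_div, floor_mod, a, b)),
    }


def reference_check(a, b):
    """math.fmod agrees with trunc_mod; Python's % agrees with floor_mod."""
    return math.fmod(a, b) == trunc_mod(a, b), a % b == floor_mod(a, b)


if __name__ == "__main__":
    for a, b in ((-7, 3), (7, -3), (7, 3)):
        print((a, b), compare(a, b), reference_check(a, b))
```

On (-7, 3) the trunc convention answers yes to the first two questions and no to the third, the floor convention answers no to the first and yes to the other two, which is Koenig's point that one of the three must be given up. On Stewart's side question: converting a floating-point value to an integer truncates toward zero in C, and Python's `int()` does the same, so neither matches the floor convention.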






------------------------------

Reply-To: "Phil" <[EMAIL PROTECTED]>
From: "Phil" <[EMAIL PROTECTED]>
Subject: Re: Server Config: How allow both 128-Bit and 40-Bit browsers ?
Date: Sat, 11 Mar 2000 15:43:19 +0100

Thanks.




"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:8aco8e$om2$[EMAIL PROTECTED]...
> In article <33by4.95$h21.96311@news>, Phil <[EMAIL PROTECTED]> wrote:
> >How can I configure the SSL-Settings of a Webserver (IIS 5.0) to be
> >compatible with browsers of 128-Bit keysize AND browsers of 40-Bit keysize
> >(often used in Europe) ?
>
> It will work automatically.
>
> >I want to use 128-Bit SSL with 128-Bit Browsers in order to achieve a high
> >level of encryption.
> >But i'd like to use exactly the same html-pages for all 40-(or 56-) bit
> >Browsers too.
> >
> >QUESTION:
> >- Is this impossible ? (if I choose 'REQUIRE 128-Bit encryption' in my
> >IIS-Settings)
>
> Choosing "require 128 bit encryption" means 128 bit encryption is required.
> If you don't choose "require 128 bit encryption", then other lengths will
> also work.
>
> >- How can the webserver dynamically detect which SSL-keysize to use ?
>
> "40-bit encryption" is sort of a misnomer.  All the encryption is 128
> bits.  With "40-bit" browsers, 88 of the bits are revealed in the
> clear and only 40 are secret, but that doesn't enter into the
> cryptography.  So the server does the same thing either way.  It
> doesn't have to dynamically detect anything.
>
> The browser does this, not the server.
> >- Will I have to use two different directories (one with normal encryption
> >for 40-bit browsers / and one with 128-bit encryption) ?
>
> No.
>
>



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: sci.crypt Cipher Contest Web Site
Date: Sat, 11 Mar 2000 15:56:39 GMT

In article <[EMAIL PROTECTED]>, Eric Lee Green <[EMAIL PROTECTED]> wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>> >sci.crypt context a good idea. A final note: if the AES finalist
>> >security is so important *why* the submissions given so importance
>> >to speed?
>>     The why is that the NSA found out it is much easier for it to break
>
>Well, we all know that you believe the NSA is listening to your every breath,
>but anyhow, I think one reason for thinking about speed with AES is because
>3DES, which is quite secure but is slower than dog snot, has proven to be
>unusably slow in many situations. Now that network communications regularly
   I agree that 3DES is very slow but I do not agree that it is secure. The 
problem with what you're suggesting is that speed is needed for certain types
of connections where one does not want an eavesdropper to have immediate 
knowledge of what is going on between 2 systems on the internet. But just
because speed is an issue with live connections, it does not mean that the
encryption used for such connections needs to be the same encryption one uses
to keep files and certain types of data secure. High speed encryption has its
place. But it is not the answer to the keeping of one's special files and email
secure from the meddlings of the NSA. To use such high speed encryption
for one's personal files is foolish.
>happen at 100mbit speeds, an encryption algorithm capable of encrypting only
>10mbit/sec on a Pentium II isn't too useful. And note that 100mbit is slow
>nowdays -- gigabit Ethernet is now becoming usual in large corporations,
>though not yet at the desktop level. 
>
>As for why people would use WinDoze if they thought speed was important,
>there's a big difference between a typical desktop computer and the kinds of
>places where speed is important -- like, say, a server that's having to
>maintain dozens of encrypted connections to remote branch offices. Windows is
>almost unheard of in such high security/high availability environments.
>


David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***

I leave you with this final thought from President Bill Clinton:

   "The road to tyranny, we must never forget, begins with the destruction of the 
truth." 

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
