Cryptography-Digest Digest #316, Volume #11      Sun, 12 Mar 00 15:13:00 EST

Contents:
  Re: Help ("rosi")
  Re: RSA as symmetric algorithm ([EMAIL PROTECTED])
  Re: Actually, I have a sign "Be Aware of Dog" on the garage door of the house, where I am living .. it is a lie .. (Outsider)
  Re: Concerning  UK publishes "impossible" decryption law ("Test")
  Re: RSA as symmetric algorithm (David A Molnar)
  Re: Concerning  UK publishes "impossible" decryption law ("Test")
  sci.crypt Cipher Contest (Peter Rabbit)
  Re: Sending secure mail (Jerry Park)
  Re: sci.crypt Cipher Contest (David A Molnar)
  Re: sci.crypt Cipher Contest ("Adam Durana")
  Concerning UK publishes "impossible" decryption law (Withheld)
  Re: If we spent as much time.. (Withheld)
  Random permutations (Mok-Kong Shen)
  Re: Passphrase Quality ? (Mok-Kong Shen)
  Re: Help ("Adam Durana")
  Re: NIST, AES at RSA conference (David Hopwood)

----------------------------------------------------------------------------

From: "rosi" <[EMAIL PROTECTED]>
Subject: Re: Help
Date: Sun, 12 Mar 2000 12:25:59 -0500

Adam Durana wrote in message ...
>RSA's CCP is totally bunk.  We talked about this a few days ago, you might

[snip]

Dear Adam,

    Thanks for the reply.

    I can not say CPP is 'total bunk' (assuming we have the same notion of
'total bunk'). Yet I think you are right, and I also made the point explicit
that 'Breakwater' is not to totally solve the problem, but to ease some pain.
However, I would like to push the envelope a bit and see how well we can
do. My feeling is that this is not a solvable problem, yet a practical
approach may cover a bit of ground. I can be totally wrong though.

    I say you are right and CPP may not be 'total bunk' because of two
things. I did not read the entire CPP paper (as I explained that I could
not get to read page 5). Therefore, I am not sure how to categorize CPP yet.
You are right because, as you mentioned (which I could have misunderstood),
DOS attacks can 'bunk' CPP with 100,000 machines sending data to a single
machine. This is one of the problems that I firmly believe is not
solvable. I can say, I believe, that you are right in this sense even
without reading the entire CPP paper, because with the first four pages,
especially the assumptions, I should not be too far off.

    If the CPP paper people say, look, our solution is under the assumptions
we laid out, then I take that to say: our solution is not a total solution.
Even taking these assumptions, I find it hard to digest in a strict sense.
Let me be a bit concrete. I believe most people would agree that changing
the contents of a database is a change to the database. Suppose that we
only allow people to insert records and never to modify a 'record', and say
that we did not give people the ability to change the database; that would
sound extremely weird. So if you allow IP-spoofing and at the same time
assume attackers can not modify the contents of packets (which I do not
want to debate), I do not think I can take it very smoothly in the context
of the flooding attack.


    Now back to 100,000 machines. My previous e-mail was brief enough to not
say enough. I said 'Breakwater' will be only a partial solution because that
is behind an implicit assumption dealing with the 100,000-machine type of
scenario. The assumption is that I assumed (we can debate this in
practical situations, with perhaps concrete implementations even) the link
is saturated before the server. This means that the server can read
requests off the port(s) faster than the bandwidth of the link. Possible?
Feasible? We have to look in practical situations.

    First, the 100,000-machine scenario is both possible and feasible, but
rare. In one sense, we can truthfully admit that we fail. However, there can
be two ways to interpret this in practical terms. One is that the router(s)
and/or the link fail to handle this situation. Well, if anybody can solve
this, that would be a breakthrough. The other is that the link is able to
carry the load, but the server fails to. But that depends on why the server
can not. If (BIG IF) the server can muster 100,000 plus delta machines to
deal with it, the problem can still be taken care of (sort of). But the
immediate question following is: what is this delta and how to achieve it?

    Now let me assume (just an assumption) that the server can have a
router (routers) with higher capacity than the link and routes (route)
requests to 100,000 plus delta machines to process, and let me assume
that 100,000 plus delta machines can handle the load of the requests
(not just reading them off the net but able to process them appropriately);
then things look better. One scenario is that there are high capacity links
that we do not have fast enough routers for. Simple. We fail.

    How can an organization guarantee to have 100,000 machines?
(Even if you do, the attack may employ 100,001.) We can not. Simple.
We admit failure. But a 'virtual' server may be possible. I can not
remember if it was you who posted 'Free services with tokens/
puzzles', but that is a wonderful idea. I am not saying that the
actual design or implementation trying to take care of extreme
situations will be simple or even possible; I am saying that there can
be partial solutions that may handle most of the 'more practical'
situations. Once again, we have a very, very simple, and total
'solution' to this: our honesty. We admit that we fail miserably. I
do not think that can be that big of a deal.

    Once again, thank you very much for the reply. If it is not too
much trouble, I would really appreciate it if you could tell me in
brief how, if possible, to read the entire CPP paper.

    I would like to re-emphasize that Breakwater is not to solve
the problem; it hopefully may ease some pain. If (BIG IF) 50
100MHz machines can saturate the link(s) with 'straight'
dumping, then practically the server can (largely) handle the
situation, not considering the link saturation server's problem.

    Please do not disappoint me. :) It made such 'big' news
and I can hardly believe that there is no interest in a partial
solution.

    --- (My Signature)
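
[Editor's added example, not part of rosi's post and not RSA's Client Puzzle
Protocol itself.] The 'tokens/puzzles' idea rosi refers to is usually built
as a hash-based client puzzle: the server hands out a cheap-to-make,
cheap-to-check challenge, and the client must burn CPU before the server
commits any real resources. The sketch below is a generic stateless version
of that idea written for this digest; the byte layout, the names
SERVER_SECRET, MAX_AGE_SECONDS, issue_puzzle, solve_puzzle and
verify_solution, and the SHA-256 leading-zero-bits criterion are all this
example's own assumptions, and the client id is a constructed value.

```python
import hashlib
import hmac
import os
import struct
import time

# Per-server secret so the server can recognise its own puzzles without
# keeping a table of outstanding ones. (Assumed design for this illustration.)
SERVER_SECRET = os.urandom(32)

TAG_LEN = 16
MAX_AGE_SECONDS = 300  # a puzzle older than this is rejected even if solved


def _tag(timestamp, difficulty, client_id):
    # Binds timestamp, difficulty and client identity to the server secret.
    msg = struct.pack(">QB", timestamp, difficulty) + client_id
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]


def _parse(puzzle):
    # Layout: tag(16) || timestamp(8, big-endian) || difficulty(1) || client_id
    tag = puzzle[:TAG_LEN]
    timestamp, difficulty = struct.unpack(">QB", puzzle[TAG_LEN:TAG_LEN + 9])
    return tag, timestamp, difficulty, puzzle[TAG_LEN + 9:]


def issue_puzzle(client_id, difficulty, now=None):
    """Server side: one HMAC per issued puzzle. Each extra bit of difficulty
    doubles the client's expected work; the server's cost stays constant."""
    now = int(time.time()) if now is None else now
    return _tag(now, difficulty, client_id) + struct.pack(">QB", now, difficulty) + client_id


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def solve_puzzle(puzzle):
    """Client side: brute-force an 8-byte counter until
    SHA-256(puzzle || counter) begins with `difficulty` zero bits."""
    _, _, difficulty, _ = _parse(puzzle)
    counter = 0
    while True:
        solution = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(puzzle + solution).digest()) >= difficulty:
            return solution
        counter += 1


def verify_solution(puzzle, solution, now=None):
    """Server side, stateless and constant cost: one HMAC plus one hash.
    Rejects puzzles we did not issue, stale puzzles, and wrong solutions."""
    if len(puzzle) < TAG_LEN + 9 or len(solution) != 8:
        return False
    tag, timestamp, difficulty, client_id = _parse(puzzle)
    if not hmac.compare_digest(tag, _tag(timestamp, difficulty, client_id)):
        return False
    now = int(time.time()) if now is None else now
    if not (timestamp <= now < timestamp + MAX_AGE_SECONDS):
        return False
    return leading_zero_bits(hashlib.sha256(puzzle + solution).digest()) >= difficulty


if __name__ == "__main__":
    puzzle = issue_puzzle(b"client-A", difficulty=16)   # constructed client id
    started = time.time()
    answer = solve_puzzle(puzzle)
    print("client work: %.2fs, accepted: %s" % (time.time() - started,
                                                 verify_solution(puzzle, answer)))
```

Two caveats a practitioner would add. First, this only buys anything when the
server's processing, not the link, is the bottleneck: if the pipe is saturated
before the server (the case both rosi and Adam discuss), the puzzle traffic
never gets a chance to be cheap. Second, as written a solved puzzle can be
replayed within MAX_AGE_SECONDS; a real deployment would remember solved
puzzles for that window, or fold a per-request nonce into the tag.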



------------------------------

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: RSA as symmetric algorithm
Date: Sun, 12 Mar 2000 09:34:44 -0800

It will be too slow.

antirez wrote:

> What happens if I use RSA as a symmetric algorithm?
> When the attacker knows the public key, RSA
> security is related to the fact that the attacker is
> unable to factorize N. Even if there are no proofs,
> this seems more solid than the normal strength
> paradigm of the common block ciphers, since if
> there is a way to obtain the message without
> factorizing N, this way can be used as a fast
> factorization method. And if the public key
> is not available? The fast way to break RSA is
> the brute force (i.e. try all the N)?
> If this is the case I guess that if before
> encrypting the message M with RSA I encrypt it with
> a believed strong block algorithm like 3DES, it's
> really hard for the attacker to cryptanalyze
> this scheme. What do you think about this?
> I fear this is a FAQ; in this case, sorry.
>
> --
> antirez
> email: antirez@linuxcare dot com
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.




------------------------------

From: Outsider <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,soc.culture.russian,soc.culture.nordic,soc.culture.israel,soc.culture.europe
Subject: Re: Actually, I have a sign "Be Aware of Dog" on the garage door of the house, where I am living .. it is a lie ..
Date: Sun, 12 Mar 2000 18:38:51 +0100
Reply-To: [EMAIL PROTECTED]

Gary Watson wrote:
> 
> JimD <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > On Thu, 09 Mar 2000 08:04:12 -0700, "Tony T. Warnock"
> > <[EMAIL PROTECTED]> wrote:
> >
> > >Outsider wrote:
> > >
> > >>
> > >> If you want a good sign, place a sign that says the following on
> > >> your front and back doors.
> > >>
> > >> ===============================
> > >>    Trespassers will be shot.
> > >>  Survivors will be shot again.
> > >>
> > >>      (picture of gun)
> > >>
> > >> ===============================
> > >
> > >I once saw a similar sign that said: "Trespassers will be shot. Survivors
> > >will be held for ransom."
> >
> > In our local computer shop: 'What remains of anyone caught shoplifting
> > will be handed over to the police'.
> >
> > --
> > Jim Dunnett.
> > dynastic at cwcom.net
> 
> The problem comes when you actually shoot some MFSOB.  The DA will use your
> sign as evidence of intent.  The next of kin of the MFSOB will sue you and
> that clever sign will cost you whatever money you've got.
> 
> --

Yes, but it was half serious, half tongue in cheek.
I have also seen other signs:

======================================
This house guarded by Smith & Wesson

      (picture of gun) 

======================================

======================================
This house guarded by shotgun
     three days a week

    (picture of shotgun)   

   You guess which three
======================================

-- 
Regards,
Outsider
"Don't overestimate the decency of the human race." -- H.L. Mencken

------------------------------

From: "Test" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,alt.security.scramdisk,alt.privacy
Subject: Re: Concerning  UK publishes "impossible" decryption law
Date: Sun, 12 Mar 2000 10:53:44 -0700


Sounds like securetrayutil would be his best bet. True, it won't work after
the computer is turned off, but it'll work right up until then, and he can
activate it remotely.

http://www.fortunecity.com/skyscraper/true/882/SecureTrayUtil.htm





------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: RSA as symmetric algorithm
Date: 12 Mar 2000 17:38:01 GMT

antirez <[EMAIL PROTECTED]> wrote:
> paradigm of the common block ciphers, since if
> there is a way to obtain the message without
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> factorize N this way can be used as a fast
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> factorialization method. And if the public key
  ^^^^^^^^^^^^^^^^^^^^^^^^

For a public key exponent e relatively prime to phi(n), 
this actually isn't known. Taking square roots reduces to
factoring, but the case of more general exponents is not known. 
In fact, there is some (theoretical) evidence that RSA with e=3
may not be equivalent to factoring. 
Check http://crypto.stanford.edu/~dabo/abstracts/no_rsa_red.html

That being said, it's still a hard problem. 

Thanks, -David
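
[Editor's added example, not part of David's post.] The one direction that
is known, "taking square roots reduces to factoring", is short enough to run.
Below, a hypothetical square-root oracle for e=2 (which cheats by knowing p
and q; a real adversary would not) is handed y = x^2 mod n for a random x.
Whichever of the four roots it returns, it is independent of which root the
attacker started from, so half the time gcd(r - x, n) splits n. The primes
10007 and 10039 are small constructed values chosen to be 3 mod 4 so that
modular square roots are a single exponentiation; the function names are this
example's own.

```python
import random
from math import gcd


def is_prime_trial(n):
    """Trial division; adequate for the small demo primes used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def sqrt_mod_prime(a, p):
    """A square root of a mod p for primes p = 3 (mod 4): a^((p+1)/4)."""
    assert p % 4 == 3
    return pow(a, (p + 1) // 4, p)


def crt(r_p, r_q, p, q):
    """Combine residues mod p and mod q into the residue mod p*q."""
    return (r_p + p * (((r_q - r_p) * pow(p, -1, q)) % q)) % (p * q)


def make_root_oracle(p, q):
    """Stand-in for a hypothetical 'RSA with e=2 broken without factoring'
    algorithm. Deterministic (smallest of the four roots), which is the
    hardest case for the attacker: nothing about the query lets them steer
    which root comes back."""
    def oracle(y):
        rp, rq = sqrt_mod_prime(y % p, p), sqrt_mod_prime(y % q, q)
        roots = [crt(sp, sq, p, q) for sp in (rp, p - rp) for sq in (rq, q - rq)]
        return min(roots)
    return oracle


def factor_with_root_oracle(n, oracle, seed=None, max_tries=64):
    """The reduction. Pick random x, ask for a root r of x^2 mod n. With
    probability 1/2, r is neither x nor -x; then r = x mod one prime and
    r = -x mod the other, so gcd(r - x, n) is a nontrivial factor.
    Returns (p, q) with p < q, or None if every try was unlucky."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        x = rng.randrange(2, n)
        d = gcd(x, n)
        if d == 1:
            r = oracle(x * x % n)
            if r in (x, n - x):
                continue  # oracle handed back a root we already knew
            d = gcd(r - x, n)
        return (min(d, n // d), max(d, n // d))
    return None


if __name__ == "__main__":
    p, q = 10007, 10039  # constructed demo primes, both 3 mod 4
    print(factor_with_root_oracle(p * q, make_root_oracle(p, q), seed=1))
```

The point David makes is exactly what this does not generalise to: for an
exponent e coprime to phi(n) there is no analogous trick that turns an e-th
root oracle into a factoring algorithm, which is why "RSA is as hard as
factoring" is an open question rather than a theorem.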

------------------------------

From: "Test" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,alt.security.scramdisk,alt.privacy
Subject: Re: Concerning  UK publishes "impossible" decryption law
Date: Sun, 12 Mar 2000 11:10:16 -0700


No wait! Couldn't he load the encrypted data into RAM and then wipe the HD.
Then anyone who turned off the computer before he unloaded the data would
erase it for him.



------------------------------

From: Peter Rabbit <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: sci.crypt Cipher Contest
Date: Sun, 12 Mar 2000 18:21:09 GMT

I think you started out with a good idea; namely to have a cipher
contest. This would stimulate a lot of people to use their imaginations
to code a cipher, but then you, immediately, close the door by imposing
restrictions like... Block Cipher, 64 bit key, 128 bit key etc. A lot of
people have no idea what that means. They may code that way without
knowing that they are coding that way. Why only block ciphers? RC4 is a
stream cipher that is fast, beautiful and extremely hard to crack,
especially if you add salt.
So while I like your idea of a contest, IMHO "the restrictions suck".
This NG is, partially, about getting others interested in the subject
and not about weeding out the NEWBIES. 
Regards, Peter Rabbit

------------------------------

From: Jerry Park <[EMAIL PROTECTED]>
Subject: Re: Sending secure mail
Date: Sun, 12 Mar 2000 12:23:03 -0600

Seeker wrote:

> How can I send secure mail to people who might not have PGP, et al on their
> end?  I'm looking for a seamless solution where they don't have to do
> anything (or very little) to read the mail, but I want to know the mail is
> generally safe from sniffing.  Thanks.

Depends on what 'generally safe' means and whether the recipient needs to do
anything.

Digital certificates require each party to acquire and install, and require
each party to exchange information, but are basically automatic after that.





------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: sci.crypt Cipher Contest
Date: 12 Mar 2000 18:47:07 GMT

> So while I like your idea of a contest, IMHO "the restrictions suck".
> This NG is, partially, about getting others interested in the subject
> and not about weeding out the NEWBIES. 

or those who don't like symmetric ciphers. although a "public key cipher
contest" would probably not have too many entrants...


------------------------------

From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: sci.crypt Cipher Contest
Date: Sun, 12 Mar 2000 14:12:39 -0500

You people don't understand: to have a contest, which requires entries to
compete against each other, all the entries have to share certain
similarities.  You can't compare a stream cipher to a block cipher, or a
block cipher with a 64-bit block size to a block cipher with a 128-bit block
size.  All entries have to be trying to accomplish the same thing, and the
winner is the entry that accomplishes this "thing" in the best way.  Someone
who does not know what a block cipher is probably won't enter the contest.
Plus this is a contest of cipher design, and part of designing a cipher is
meeting what is required of the cipher.  If there were no restrictions
everyone would submit whatever and it would just be a mess of unrelated
ciphers.

- Adam



------------------------------

From: Withheld <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,alt.security.scramdisk,alt.privacy
Subject: Concerning UK publishes "impossible" decryption law
Date: Sun, 12 Mar 2000 17:10:27 +0000
Reply-To: Withheld <[EMAIL PROTECTED]>


The concept of noise surrounding a message was used as far back as world
war II, and possibly sooner.

To show how absurd the new proposed legislation is, consider this
scenario:

Encrypt a file, and either email it or copy to disk and post, to Jack
Straw (UK Home Secretary for those non-UK readers). Then tip off the
police that the minister has encrypted files. If he fails to produce the
key he becomes eligible, under his own legislation, to spend two years
of his life behind bars. If he were to make the mistake of pleading to
the public, perhaps even to advise the prime minister of what was going
on, immediately his sentence gains three years.

Theoretically I wonder if a corrupted file that had not yet been deleted
were to be regarded as encrypted. Windows might just land us all in
jail!


In article <[EMAIL PROTECTED]>, Jon Kettenhofen
<[EMAIL PROTECTED]> writes
>Perhaps there is a covert reason for this legislation. Consider this scenario.
>
>Someone, via email or otherwise, publishes text which M5 and associates (e.g.
>NSA) cannot decrypt even with all their rocket science computers.  The gov't
>(M5 in disguise) could then force the person to reveal the key and if he/she
>could not produce it, they would jail (or threaten to jail) him/her.
>
>Since cryptophobia is paranoia on the part of governments, it is very likely
>that many will publish such texts either explicitly or anonymously just to
>frustrate the governments and tie up their resources.  Such strategies have
>probably already been used by our own government and foreign espionage groups
>for just such a purpose - it's like creating a distraction (or noise) so that
>a real message will be overlooked.
>
>These faux messages can be easily produced via one-way hashes, pads or even
>random number generators and if done intelligently (I would bet that the
>governments have ways of eliminating messages which cannot possibly contain
>any decipherable information) can tie up the energies of not a few
>cryptanalysts and computers.
>
>So the law can be used to expose troublemakers as well as new encryption
>schemes - if they catch the perpetrators.  It means that the governments
>cannot withstand the privacy (secrecy) of the individual.
>
>The best defence against this tyranny is to VOTE!
>
>
>"Ian L. Romkey" wrote:
>> 
>> Warning: Reluctantly crossposted to five groups. Use your own judgement.
>> 
>> I just read an article about new encryption legislation in the UK in Lauren
>> Weinstein's Privacy Forum newsletter. The article begins:
>> 
>> >Today Britain became the only country in the world to publish a law which
>> >could imprison users of encryption technology for forgetting or losing
>> >their keys.
>> 
>> See the newsletter here: <http://www.vortex.com/privacy/priv.09.10>
>> 
>> Background info is available here: <http://www.cyber-rights.org/crypto/>
>
>

-- 
Withheld

------------------------------

From: Withheld <[EMAIL PROTECTED]>
Subject: Re: If we spent as much time..
Date: Sun, 12 Mar 2000 17:22:22 +0000
Reply-To: Withheld <[EMAIL PROTECTED]>

In article <[EMAIL PROTECTED]>, Steve A. Wagner Jr.
<[EMAIL PROTECTED]> writes
>If we spent as much time studying cryptography and trying to crack and
>improve the most respected and current crypto algorithms, we'd have much
>more secure alternatives for the future. Instead, everyone wants to
>sport a unique cipher with their name on it. Could the large population
>of cipherpunks channel their efforts toward real crypto....
Not necessarily the case. Personally my maths is pretty strong but still
not up to the standard to do the more advanced crypto stuff. I'm still
interested in how strong crypto works, and in the process of learning
it's only natural to devise an alternative method of encryption, even if
only to test the theories I am learning.

But, I agree the people that think up the XOR cipher, or the one time
pad, again and again and think they've come up with the latest thing
nobody else has thought of, they get a little boring at times... 

>
>And if you lack the math background for this, as I do, there's nothing
>wrong with designing software and hardware that use known and proven
>security protocols.
Absolutely, but someone with no brain at all is still entitled to
consider their own ciphers if they so choose. There's no automatic
obligation on anyone interested in a field to focus their efforts on any
specific aspect of that field. 

We'd obviously get ahead as a species more if everyone did pull
together, but some want to help the pack, some want to go it alone.
That's life.

>Just a thought.... Please comment.
>
>Putting on my flame-retardant vest now.
I'm sure you won't need it to protect yourself against this post :-)


-- 
Return address removed for anti-spam purposes.
Email replies to news at maelstrom dot demon dot co dot uk
Email replies to this address may be copied to relevant newsgroups

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Random permutations
Date: Sun, 12 Mar 2000 20:27:40 +0100

The common method of generating a random permutation is that
due to Durstenfeld (see Knuth), utilising uniformly distributed
real-valued random numbers in (0, 1] to swap pairs of elements.
Since such random numbers are most often derived from integer-
valued random numbers through division operations, an alternative
method suggests itself, based on the idea underlying the
well-known procedure in classical cryptography of selecting the
columns of a polyalphabetic substitution table with the aid of a
given key. That is, one attaches to the elements to be permuted
a field which is filled with the integer-valued random numbers
(one for each element). Subsequently one sorts such records
according to the said field. I guess that this method of doing
random permutations (which evidently has nothing new in it) is
equivalent (in quality) to that of Durstenfeld. Any comments?
Thanks.

M. K. Shen
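
[Editor's added example, not part of Shen's post.] Both shuffles are small
enough to compare exactly rather than by sampling: enumerate every possible
random tape for a 3-element list and count which permutation each tape
produces. The Durstenfeld (Fisher-Yates) version draws an index uniformly in
[0, i] at step i; the sort version attaches an integer key in [0, m) to each
element and sorts. The function names, the 3-element list and the key range
m are this example's own constructed inputs.

```python
from collections import Counter
from itertools import product
from math import factorial


def durstenfeld(items, rand_index):
    """Durstenfeld / Fisher-Yates: rand_index(i) must be uniform on [0, i]."""
    a = list(items)
    for i in range(len(a) - 1, 0, -1):
        j = rand_index(i)
        a[i], a[j] = a[j], a[i]
    return tuple(a)


def sort_by_key(items, keys):
    """Attach a random key to each element and sort on it. Python's sort is
    stable, so equal keys keep the input order."""
    return tuple(x for _, x in sorted(zip(keys, items), key=lambda kv: kv[0]))


def durstenfeld_distribution(n):
    """Exact output distribution: one entry per possible random tape."""
    counts = Counter()
    tapes = product(*[range(i + 1) for i in range(n - 1, 0, -1)])
    for tape in tapes:
        it = iter(tape)
        counts[durstenfeld(range(n), lambda i: next(it))] += 1
    return counts


def sort_distribution(n, m):
    """Exact output distribution when each key is uniform on [0, m)."""
    counts = Counter()
    for keys in product(range(m), repeat=n):
        counts[sort_by_key(range(n), keys)] += 1
    return counts


def is_uniform(counts, n):
    """True iff all n! permutations occur and all equally often."""
    return len(counts) == factorial(n) and len(set(counts.values())) == 1


def identity_excess(n, m):
    """How many times more often than 'fair' the identity permutation comes
    out of the sort method (1.0 would mean no bias)."""
    counts = sort_distribution(n, m)
    return counts[tuple(range(n))] / (m ** n / factorial(n))


if __name__ == "__main__":
    print("Durstenfeld uniform for n=3:", is_uniform(durstenfeld_distribution(3), 3))
    for m in (2, 16, 256, 4096):
        print("sort method, %4d-valued keys: identity x%.4f" % (m, identity_excess(3, m)))
```

Durstenfeld hits each of the n! permutations exactly once per tape, so it is
uniform by construction. The sort method is uniform only on tapes whose keys
are all distinct; when keys tie, the stable sort resolves them toward the
input order, so the identity permutation is over-represented (4 of the 8
tapes for 3 elements with 1-bit keys) and the fully reversed permutation can
never appear. Widening the key range makes ties rare but not impossible, so
the two methods agree in the limit rather than exactly; an implementation
that wants exact uniformity draws fresh keys on a collision, or uses
Durstenfeld directly.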

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Passphrase Quality ?
Date: Sun, 12 Mar 2000 20:27:47 +0100

r.e.s. wrote:
> 
> I figured it was prohibited because of what I mentioned, e.g. touch the grid
> in any way as you read along a path, and even the smallest traces may leave
> the grid advertising the password it's supposed to hide.  (In trying to
> judge the security of this method, I think the physical grid itself should
> be regarded as accessible to an opponent.)  On the other hand, the following
> estimates suggest that in practice the entropy per password-character is
> probably far less than one might naively suppose.
> 
> If this method is nevertheless going to be used, I would say to make sure
> that all the grid characters are different, and that the path is as complex
> as possible, as long as you are sure to remember it.  In particular, don't
> constrain the path to be connected laterally/diagonally.  For a grid of m
> distinct characters, the best you could do for an n-character password
> would be independent uniform selection of each character, i.e. log2(m) bits
> of entropy per pw-character.  For an 8x8 grid of distinct chars, that's 6
> bits/pw-char.
> If you limit the path to be connected laterally/diagonally, then that bound
> drops to about (1/n)log2(64*(6.6)^(n-1)) = 2.7 + 3.3/n, say about 3
> bits/pw-char.  This is due to the fact that there are 64 choices for the
> first pw char, and either 3, 5, or 8 possible choices for the others,
> averaging 6.6 choices per char.  In practice the entropy would be much less
> than these bounds because the paths that we can remember constitute a *very*
> small fraction of the total, I believe.

To avoid the surface from being damaged, one could have a transparent
protecting layer, say glass, etc. Further, the grid could be replaced 
at appropriate intervals. Certainly, given the grid, the opponent 
knows that adjacent characters of the password are adjacent on the 
grid and that essentially reduces the number of possible passwords, 
as you pointed out. I think that a 9*9 grid would be good for 
implementation, since there are more than 81 different keys that can 
be conveniently typed in from the keyboard. 

M. K. Shen
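
[Editor's added example, not part of either post.] The "about 3 bits per
character" figure r.e.s. quotes can be made exact. The code below counts
the n-cell paths on a rows x cols grid in which consecutive characters are
laterally or diagonally adjacent (revisits allowed, which is what the 3/5/8
choices per step in the quoted text count), and converts that count to bits
per password character, next to the unconstrained log2(m) bound. The grid
sizes and lengths passed in are constructed inputs; the function names are
this example's own.

```python
from math import log2


def neighbours(r, c, rows, cols):
    """The 3, 5 or 8 cells laterally or diagonally adjacent to (r, c)."""
    return [(r + dr, c + dc)
            for dr in (-1, 0, 1) for dc in (-1, 0, 1)
            if (dr or dc) and 0 <= r + dr < rows and 0 <= c + dc < cols]


def count_connected_paths(rows, cols, n):
    """Number of n-cell paths whose consecutive cells are adjacent.
    Dynamic programme over 'paths of length k ending at each cell'."""
    ways = {(r, c): 1 for r in range(rows) for c in range(cols)}
    for _ in range(n - 1):
        nxt = {cell: 0 for cell in ways}
        for cell, w in ways.items():
            for nb in neighbours(*cell, rows, cols):
                nxt[nb] += w
        ways = nxt
    return sum(ways.values())


def bits_per_char(rows, cols, n, connected=True):
    """Entropy per password character under uniform choice of path.
    connected=False gives the unconstrained bound log2(rows*cols)."""
    total = count_connected_paths(rows, cols, n) if connected else (rows * cols) ** n
    return log2(total) / n


def average_choices(rows, cols):
    """Mean number of next-cell choices, the '6.6' in the quoted estimate."""
    cells = [(r, c) for r in range(rows) for c in range(cols)]
    return sum(len(neighbours(r, c, rows, cols)) for r, c in cells) / len(cells)


if __name__ == "__main__":
    print("average choices on 8x8: %.4f" % average_choices(8, 8))
    for n in (1, 2, 4, 8, 12):
        print("n=%2d  unconstrained %.2f  connected %.2f bits/char"
              % (n, bits_per_char(8, 8, n, connected=False), bits_per_char(8, 8, n)))
```

For an 8x8 grid the average is 420/64 = 6.5625 choices per step, and the
exact connected bound for an 8-character password comes out a little over
3 bits per character, in line with the 2.7 + 3.3/n estimate. As r.e.s. notes,
this is still an upper bound: memorable paths are a tiny subset of all
connected paths, so the real entropy is lower again.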

------------------------------

From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: Help
Date: Sun, 12 Mar 2000 14:35:48 -0500

Headline: "RSA Security announces solution to recent attacks."

Thats all RSA was after, the publicity.

I would have to say a server's connection should always become saturated
before the server does.  If the opposite of this is true that means your
server cannot handle all the possible traffic that can come down your pipe,
which is a bad thing.  I don't see CCP solving the problems it was designed
to solve.  But to the average person who does not understand the finer
points of how networks or DOS attacks work, CCP might seem like a solution.
I don't mean you, because you seem to understand what you are talking about,
but to the average CEO of a company it might seem like a viable solution.

There are a lot of things you can do to make DOS attacks less effective, but
in the end if an attacker has enough resources then he/she will always
prevail.

- Adam



------------------------------

Date: Sun, 12 Mar 2000 19:47:14 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: NIST, AES at RSA conference

=====BEGIN PGP SIGNED MESSAGE=====

"Douglas A. Gwyn" wrote:
> "David A. Wagner" wrote:
> > Here's where I got lost.  If F,G,G',H are all independently keyed,
> > under what definition of security can that be considered less secure
> > than FG or G'H?
> 
> The assumption was that FH is readily crackable, but FG and G'H
> are not.  For example, suppose F, G, G', and H each uses 32 bits
> of key and that FH can be cracked using radically less work than
> a brute-force key search, but FG and G'H cannot.  2^-32 of the
> time, the composite system cracks immediately; that is much worse
> than either separate system FG or G'H.

This reasoning is faulty. 2^-32 of the time, G in FG has a known key
(just guess the key, and with probability 2^-32 you'll be right with a
single guess). Therefore for this example, FG is as weak as F just
as often as FGG'H is as weak as FH.

I believe your reasoning for the more general case is just as faulty
(provably so, if the output of F can be assumed to be sufficiently
random not to facilitate an attack on GG'H, or for chosen plaintext
attacks).

- -- 
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEUAwUBOMrPwzkCAxeYt5gVAQHb+Af42ILHGqvBWutuBHqTJ6N2L9qsIeM0H4ep
1CIZQrTabmMOhHiRMtHMtovBkkyJgUoHCuI+nSagGtKoDagmLr677SeXRVPnNeNP
xR5+pjNLvzcYjeB+Wo6JmNwthFtoGECEhN5HjdqL3mvHIEAZfIIX81GJKG3Q2Viz
IARBUfA80f6WgDzil9aoJmX1XUiP9Dutl6yLjaKSwLAr1JnS8MkkQU0TtMPIcBQA
qUeuPNThMIJbXmyBV/GzX21cHJBW97nt1o3BKxQV/bFEf1DiH73u3wJMujVYqG2G
qZ43VcZ3d36vFQAr436w9ykFepNLyWGPh/fL7zW166Bca44Xo0eJ
=CrvH
=====END PGP SIGNATURE=====

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
