Cryptography-Digest Digest #446, Volume #11 Thu, 30 Mar 00 01:13:01 EST
Contents:
Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL" (Anonymous)
Key exchange using Secret Key Encryption ([EMAIL PROTECTED])
old factoring ("Tom St Denis")
Re: Examining random() functions (Johnny Bravo)
Re: Using Am-241 to generate random numbers (Jerry Coffin)
Re: Examining random() functions (Johnny Bravo)
Looking for some help on RSA public key/private key generation
([EMAIL PROTECTED])
Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL" (Your Name)
Re: Legal question ? ([EMAIL PROTECTED])
Re: Does the NSA have ALL Possible PGP keys? ("Douglas J. Renze")
Re: Crypto API for C (Arlin Collins)
Re: Does anybody know of a secure FTP server? (Abid Farooqui)
Re: Legal question ? ([EMAIL PROTECTED])
Re: Does anybody know of a secure FTP server? (Abid Farooqui)
----------------------------------------------------------------------------
Date: Thu, 30 Mar 2000 04:10:01 +0200
From: Anonymous <[EMAIL PROTECTED]>
Subject: Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL"
>>> What this means in effect, no one will want to use encryption in
>>> case they forget their password and end up in jail.
>>
>> Which is precisely their goal, of course.
>> ...
>> The best slave is one who puts on his own shackles. Your country has a
>> bad case of the liberal-socialist disease going back decades. The country
>> formerly known as the USA also has this disease but for not as long so
>> the decay isn't as pronounced. Yet.
>
> It's farther gone than you seem to realize. Consider the close
> analogy with the so-called "smart gun" legislation that gun haters
> have recently proposed. Maryland is on the brink of passing a law
> requiring such technology (which has not been developed beyond the
> laboratory stage yet) in every handgun sold within a few years.
> The obvious goal, which of course differs from the stated goal, is
> simply to prevent sales, or failing that, to reduce the positive
> value of guns to the point that people won't want them any more.
No, I realize the rot has gone much further, I was just limiting the scope
of my statement to this one topic. To attempt to view the rot as a whole is
to risk insanity (or complete demoralization at the very least). The govt
of the USSA has been nibbling at our freedoms for decades; over the last
20 years the nibbling has given way to bites, and over the last ten years
the bites have given way to large chunks. At present most of the powers and
protections afforded the citizenry by the Constitution are in tatters. Here's
a mind-blower - TV shows that glorify police brutality!!
> One wonders whether the politicians in power actually think that
> their constituency are the career criminals; they sure act like it.
When it is they themselves that are the criminals. And why should they care,
as long as we keep voting for them? A famous quote states, "People get the
government they deserve". Which is a pretty harsh condemnation IMHO.
Steve
(living in the USSA)
PS - since you brought up the gun topic, where are the estimated 190 million
gun owners that are *not* NRA members? Out to lunch? MIA? If every firearm
owner in Amerika told his or her elected public officials that the gun issue
is their "litmus test" for getting their vote the whole gun controversy would
be finished in 10 minutes. The end of firearm ownership by civilians in the
USSA will be brought about by these 190 million uninvolved people in much the
same way as those in GB/NZ/Canada/Australia who sat around with their heads
in the sand thinking "It can't happen here". Until it did.
"All that evil needs to triumph is for good to do nothing."
------------------------------
From: [EMAIL PROTECTED]
Subject: Key exchange using Secret Key Encryption
Date: Thu, 30 Mar 2000 02:49:32 GMT
Please excuse a newbie question.
I am looking for a method of key exchange that only involves secret key
encryption. The method should also be immune to man-in-the-middle
attack. The scenario I am looking at is described below.
Alice and Bob are complete strangers and have only one channel of
communication. The Channel being the Internet. They only have at their
disposal a secret key encryption method. For the sake of argument, this
method is Bob Schneier's Twofish. It can be assumed that Alice and Bob
are both connected to the internet concurrently, so multiple pass
protocols can be used. How can Alice and Bob start communicating and
protect their messages?
Thank you very much for your help.
Petang
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: old factoring
Date: Thu, 30 Mar 2000 03:28:43 GMT
I am trying out pollard-rho factoring [currently of an 80 digit no]. I was
just wondering could I replace f(x) with a linear congruential generator? Or
are there specific properties of the quadratic I must keep?
Thanks,
Tom
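An added example, not code from the digest or from Tom, showing why the step function matters in Pollard's rho: the quadratic map x^2+1 behaves like a random map modulo each prime factor p, so Floyd's tortoise and hare meet after roughly sqrt(p) steps, whereas a linear congruential step a*x+b is a permutation mod p whose cycle length is the multiplicative order of a mod p (p itself when a=1), so the birthday advantage is lost. The modulus 10403 = 101*103 is a constructed toy value.

```python
from math import gcd


def pollard_rho(n, step, x0=2, max_iter=10**6):
    """Pollard's rho with Floyd cycle-finding.

    step(x, n) is the iteration function. Returns (factor, iterations), or
    (None, iterations) when the tortoise and hare meet modulo n itself (the
    classic failure: retry with another x0 or step) or the budget runs out.
    """
    x = y = x0
    for i in range(1, max_iter + 1):
        x = step(x, n)            # tortoise: x_i
        y = step(step(y, n), n)   # hare:     x_2i
        d = gcd(abs(x - y), n)
        if d == n:
            return None, i
        if d > 1:
            return d, i
    return None, max_iter


def quadratic(x, n):
    """The usual choice x^2 + 1: acts like a random map mod each prime p, so
    x_i and x_2i collide mod p after roughly sqrt(p) steps."""
    return (x * x + 1) % n


def make_lcg(a, b):
    """Linear congruential step a*x + b. Mod a prime p it is a permutation:
    no tail, and x_i == x_2i (mod p) only when a^i == 1 (mod p), i.e. at
    multiples of the order of a mod p (p itself when a == 1). That period has
    nothing to do with sqrt(p), so rho degenerates."""
    def step(x, n):
        return (a * x + b) % n
    return step


# Constructed toy modulus: 10403 = 101 * 103.
N = 10403

if __name__ == "__main__":
    print("x^2+1 :", pollard_rho(N, quadratic))         # (101, 9)
    print("x+1   :", pollard_rho(N, make_lcg(1, 1)))    # (101, 101): ~p steps
    print("3x+7  :", pollard_rho(N, make_lcg(3, 7)))    # (103, 34): ord_103(3) = 34
```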
------------------------------
From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: Examining random() functions
Date: Wed, 29 Mar 2000 22:40:02 -0500
On Wed, 29 Mar 2000 18:47:22 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote:
>However, there are *some* places where deviations from randomness always
>imply weakness - for example, if you're generating an independent stream
>for use with a stream cypher, and *that* fails tests for randomness, then
>that usually translates pretty directly into a security problem.
I was talking about the general case, it would be trivial to design a
secure cipher with output that shows extreme bias by being bigger than the
plaintext. Think RC4, with byte "255" being output twice between actual
cipher bytes. Like any of the DieHard tests, please use with common
sense. :)
--
Best Wishes,
Johnny Bravo
"The most merciful thing in the world, I think, is the inability
of the human mind to correlate all its contents." - HPL
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Using Am-241 to generate random numbers
Date: Wed, 29 Mar 2000 20:47:04 -0700
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> > Radiotelescopes? What would be wrong with a fairly ordinary optical
> > telescope and a CCD camera?
>
> Since he wants to record identical information at multiple sites he probably has to
> avoid the twinkle effect that would distort optical recordings.
I must have missed where it said he wanted that.
> AFAIK, the atmospheric cell size is much smaller than the wavelength of
> radio signals, so radio twinkle shouldn't be an issue.
No, but interference almost certainly is -- I'm reasonably certain
this wouldn't work. If (for example) you want to get really random
IVs for your messages or produce really random session keys, a
telescope would work quite nicely. Trying to "transmit" the key by
having two people get the same key off of a telescope is extremely
unlikely to work dependably (if at all).
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: Examining random() functions
Date: Wed, 29 Mar 2000 22:46:25 -0500
On Wed, 29 Mar 2000 23:52:16 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>> See the tests in the DieHard test suite. Rather than first just tell
>> you to go get it, I'm running output from your program though the suite as
>> I type this. I put further comments below. DieHard has quite a few
>> tests, descriptions of which will be on each section I include below.
>> I ran your program with a Random(255) and output each value as a byte into
>> a file for testing. After I got the results I reran the program with a
>> different seed and tested it again, where the results were different
>> between runs (one failure and one success) I ran it a third time with yet
>> another seed and only performed those tests to get a majority. :)
>
>I wonder whether it is possible to have some software to
>postprocess the normally voluminous Diehard output to result in
>one single measure of goodness or it is the case that by the
>nature of the test at hand human decision capabilities (which
>presumably differ from person to person) are unconditionally
>needed.
It wouldn't be too hard, but such output would be less than useful. I
could have distilled my DieHard analysis of the given RNG into:
"Large Bias has been detected in the output."
That does nothing to tell anyone how many tests failed and by what
margins. For example the RNG failed one class of tests every time. As
such a single word output is nearly useless as a diagnostic tool. And it
could just be a fluke. At the 95% level a good RNG should actually fail
5% of the tests, those failures have to be judged compared to the rest of
the tests over multiple runs.
--
Best Wishes,
Johnny Bravo
"The most merciful thing in the world, I think, is the inability
of the human mind to correlate all its contents." - HPL
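An added example, not code from the digest, for the two Johnny Bravo posts above: a byte-frequency chi-square test run over a constructed sample, the "secure but biased" stream (each real byte followed by two 0xFF bytes) that such a test flags, and the majority-over-reruns judgement used instead of a one-word verdict. The sample and the critical value are assumptions; real keystream would come from the cipher under test.

```python
CHI2_CRIT_255_005 = 293.25  # chi-square, 255 degrees of freedom, 5% level


def chi_square_bytes(data: bytes) -> float:
    """Byte-frequency chi-square statistic against the uniform distribution."""
    if not data:
        raise ValueError("empty sample")
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def frequency_test_passes(data: bytes, crit: float = CHI2_CRIT_255_005) -> bool:
    """One DieHard-style pass/fail verdict at the 5% level. A genuinely uniform
    source exceeds crit about one time in twenty, so a lone failure is noise;
    the same test failing on every reseeded run is the real signal."""
    return chi_square_bytes(data) <= crit


def pad_with_0xff(keystream: bytes) -> bytes:
    """The thought experiment from the first post: emit each real keystream
    byte followed by two 0xFF bytes. Nothing about the keystream leaks (the
    padding is predictable), but the output is 3x longer and grossly biased."""
    out = bytearray()
    for b in keystream:
        out += bytes((b, 0xFF, 0xFF))
    return bytes(out)


def majority_verdict(run_results) -> bool:
    """Second post: rerun a disagreeing test with fresh seeds and take the
    majority rather than collapsing everything into a single word."""
    results = list(run_results)
    return sum(results) * 2 > len(results)


# Constructed, perfectly uniform stand-in for a keystream sample (64 of each byte).
SAMPLE = bytes(range(256)) * 64

if __name__ == "__main__":
    print("plain   :", chi_square_bytes(SAMPLE), frequency_test_passes(SAMPLE))
    padded = pad_with_0xff(SAMPLE)
    print("padded  :", chi_square_bytes(padded), frequency_test_passes(padded))
```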
------------------------------
From: [EMAIL PROTECTED]
Subject: Looking for some help on RSA public key/private key generation
Date: Thu, 30 Mar 2000 04:04:40 GMT
How do I generate the public key from the private key without making my
computer choke?
Thanks very much.
Gordon
------------------------------
Crossposted-To:
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,uk.politics.censorship
Subject: Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL"
From: [EMAIL PROTECTED] (Your Name)
Date: Thu, 30 Mar 2000 04:12:47 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
>
>On Tue, 28 Mar 2000 22:15:57 GMT, [EMAIL PROTECTED] (Dan Day) wrote:
>
>>On Mon, 27 Mar 2000 19:19:11 +0100, "PJS" <[EMAIL PROTECTED]> wrote:
>>>>
>>>>2 - Get on to your MP and complain like hell!
>>>-----------
>>>3 - Assassinate Jack Straw.
>>
>>Now we know why England cleverly banned most civilian firearms
>>in advance, before they started passing the oppressive laws.
>
>Not just England. Scotland and Wales as well!
And every other country also. The ruling class does not want
to be told to bacdafucup.
Rich Eramian aka freeman at shore dot net
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Legal question ?
Date: Thu, 30 Mar 2000 04:19:04 GMT
In article <2fyE4.175$[EMAIL PROTECTED]>, "Adam Durana" <[EMAIL PROTECTED]> wrote:
>
>
> Then obviously your "techniques" are not that good then. Perhaps you have
> confused yourself and you think you are trying to post to a newsgroup when
> you are really trying to send email, in which case D. Menscher may be blocking
> my-deja.com because people use those addresses to spam all the time.
You are wrong. I tried creating a new thread
in this forum with no relation whatsoever to
D. Menscher's actual post or email address
other than similar written content. I was able
to post a different message in the same
thread that contained Menscher's post (as well
as other threads). Perhaps someone other than
Big Brother was fooling around or perhaps the
screw-up is innocent but if it is the error is
more than just spam domain.
------------------------------
From: "Douglas J. Renze" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Wed, 29 Mar 2000 23:13:12 -0600
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:89oavl$anv$[EMAIL PROTECTED]...
> In article <ZZlu4.1850$[EMAIL PROTECTED]>,
> "Dead Kennedy" <[EMAIL PROTECTED]> wrote:
> > If nothing else, PGP encryption ain't making things any easier for the
> > spooks at the
> > nsa. that's a good thing...
>
> I will let you in on a secret. I use PGP to hide things from *you* as
> well.
>
> Why everyone picks on the NSA is beyond me. 99.9999% of all crypto is
> to stop thieves from stealing stuff, or forging stuff than the NSA from
> stealing your thoughts.
>
> If you honestly think the NSA or CIA or FBI or ... will just passively
> monitor your communication instead of busting down your door and
> throwing you in jail for oh say four years, you are wrong. The sad (?)
> truth is the NSA just doesn't care about you [or me], however millions
> of thieves do :)
If the NSA, CIA, or FBI wants your PGP key, they've probably also already
got a pretty heavy body of message traffic and a pretty good idea what's in
that traffic; it's not worth it for a fishing expedition. If that's the
case, they've got a lot of ways to get your key. They can pick you up and
pump you full of pentathol. They can beat it out of you. Probably the
fastest way would be to put a gun to your son/daughter/wife's head and say,
"Give me the key or I'll pull the trigger."
Any one of those would be effective. I know the last of the 3 would
definitely work for me.
------------------------------
From: [EMAIL PROTECTED] (Arlin Collins)
Subject: Re: Crypto API for C
Date: 30 Mar 2000 07:00:07 GMT
Tom St Denis ([EMAIL PROTECTED]) wrote:
: I have yet another release of my CB for C. This one includes many more
: functions. Such as BBS random bit generation, or the ability to use 'truly'
: random bit sources to seed the faster secure rng. I added a few hash
: functions [namely tiger and haval] and added a few ciphers as well.
: If you notice any bugs, or problems please email me.
: Thanks for your time.
: Tom
: If you want to check it out, you can at http://24.42.86.123/cb.html
and "mirrored" at http://405427835/cb.html ;)
Thanks, Tom, for your generosity.
------------------------------
From: Abid Farooqui <[EMAIL PROTECTED]>
Subject: Re: Does anybody know of a secure FTP server?
Date: Thu, 30 Mar 2000 05:30:00 GMT
Hmm ... interesting. I had not even thought of that but then again I have not
developed in CGI. I have read about it quite a bit from an architectural point
of view. From my understanding, the developer has to be very very careful
writing CGI otherwise backdoors may be opened and for what I am doing security
is paramount. Even if I design a system that uses CGI and test the hell out of
it, I cannot be certain that future CGI programmers in this project who may be
asked to maintain or add functionality will have the same dedication when
someone else (not me) is looking over their shoulders (or they may be pushed to
shorten their time to market, in this crazy business world). I was looking at
Java applet servlet usage because as far as I know and have researched (and I
might be wrong here) Java servlets give better speed performance if RAM is
enough and also the threads class in Java makes it easy to program this kind of
a thing for multi-processor machines. If one is going to use 16+ processor
machine then one should also try to make the best of it.
Any thoughts or comments are welcome. I was also looking hard at SSL accelerator
boards like the ones that Nuno mentioned in the post above. I found that Compaq,
Rainbow etc do make these boards and multiple boards can be used in parallel to
take the load off SSL encryption/decryption from the CPU and to gain speed
advantage over software encryption/decryption. I am using IBM HTTP Server right
now which is an apache based server with SSL and LDAP support but I can easily
switch to any Apache based SSL server like StrongHold etc. The question is, has
anyone seen one of these boards work with Apache and what did they think of it?
Do you still need to load the SSL module in Apache or do the boards take over the
crypto type functions from the CPU at the hardware level?
Thanks
Abid Farooqui
Niklas Frykholm wrote:
> >Secondly, you mentioned that the best solution is to use Https to transfer
> files.
> >The problem there is that I want my users to be able to upload files to the
> >webserver as well as download them from the webserver. I would in this case
> have to
> >write a trusted Java applet that can access local machine's I/O and thus
> give them
> >the ability to select the files that they want to upload to the webserver
> securely.
>
> Not really. The <INPUT TYPE=file> HTML-tag might be just what you need. It
> allows the user to upload a file as a part of a CGI-query.
>
> // Niklas
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Legal question ?
Date: Thu, 30 Mar 2000 05:50:30 GMT
In article <8bu7lp$2q9$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> I wonder... How come "I am not paranoid but the government is covertly
> persecuting me" always sounds like an old lady claiming that "I do not
> believe in ghosts but they exist"?
>
I am *not* paranoid- in fact, I wouldn't
care if the government, for whatever reason,
wanted to waste its time spying on me. [The
U.S. government has shown it is a true genius
at wasting time and resources]. I don't use
this pc or the web for anything that requires
secured info and even if I were I wouldn't care
if Big Brother (BB) were watching because I
probably wouldn't be trying to secure the info
from BB anyways.
I do *not* have the feeling that I'm being
persecuted by the government. BB limits what
itself and the Media are allowed to divulge but
this is not necessarily persecution- it could
be for legitimate security reasons. Unlike
Andy Grove I do *not* believe that "only the
paranoid survive".
> Are you able to post other messages to D. Menscher? Do you know of anyone who
> is able to post messages to D. Menscher? Have you tried to call him and ask
> him if he is blocking your messages himself?
>
This is irrelevant because I tried to post a
new thread in this forum with no relation
whatsoever to Menscher's actual post or email
address other than similar written content. I
was able to post a different message in the
same thread that contained Menscher's
original post (as well as other threads).
Perhaps someone other than BB was fooling
around or perhaps the screw-up was innocent
but if so it was more than just spam domain
error. Again, in a new thread, I will try to post
the NCSC bot info.
------------------------------
From: Abid Farooqui <[EMAIL PROTECTED]>
Subject: Re: Does anybody know of a secure FTP server?
Date: Thu, 30 Mar 2000 05:35:50 GMT
Read my post above about why I wanted to stay away from CGI but my knowledge on the
subject is limited so correct me wherever you feel like I may be wrong.
FireWall rules ... are they really a problem when all connections to the ftps server
will be initiated by the client sides. Wouldn't client firewalls let the data come in
because they will recognize that their side had initiated the connection??
What if the FTPS server was made to run on a well publicized port (well publicized in
the sense that all clients will be aware of which port the ftps service is running on)
and hence once they setup their firewalls they don't have to worry about it again.
Thanks
Abid Farooqui
Lincoln Yeoh wrote:
> On Tue, 28 Mar 2000 00:48:41 GMT, Abid Farooqui <[EMAIL PROTECTED]>
> wrote:
>
> >Secondly, you mentioned that the best solution is to use Https to transfer files.
> >The problem there is that I want my users to be able to upload files to the
> >webserver as well as download them from the webserver. I would in this case have to
> >write a trusted Java applet that can access local machine's I/O and thus give them
> >the ability to select the files that they want to upload to the webserver securely.
>
> No java applet is needed. Just send the following form to the client
> <form ENCTYPE="multipart/form-data" name=uploadform method=post
> action="cgi-bin/upload">
> <input type=File name="uploadedfile" size=20>
> <input type="submit" value="Upload">
> </form>
> Then write the required CGI program (perl + CGI.pm may help), and voila.
>
> Works transparently whether with http or https.
>
> I don't recommend SSL ftp because you WILL have problems going through
> firewalls. And firewalls are rather common nowadays.
>
> Ftp is not straightforward because the protocol involves TWO connections,
> and there are also two flavours in the protocol, PORT and PASV.
>
> For PORT,
> Client makes control connection to server.
> Client _tells_ the server where it will be listening and the server makes
> the data connection to client to do the actual transfer.
>
> For PASV
> Client makes both connections. But the server tells the client where to
> connect to.
>
> Thus for normal unencrypted ftp to work through NAT devices (some firewalls
> use network address translation), the devices have to actually look at the
> ftp conversation, and change the relevant bits. This would be rather
> difficult for SSL'ed ftp.
>
> For normal unencrypted ftp to work through a typical firewall ftp proxy,
> you have to connect to the firewall proxy first and then only go out.
> Either that or the firewall may transparently intercept the communications
> (in which case often there will be the same problem as with NAT, esp if the
> protected network is using non Internet reachable addresses). Thus you may
> have to write a ssl ftp proxy where the SSL connections terminate at the
> proxy and new connections are made from there.
>
> So the situation is:
> if your client is behind a NAT firewall, you should use PASV SSL ftp, that
> way the firewall doesn't need to look at what the client says. It just
> passes what the server says to the client and the client makes the
> connection, and things are good.
>
> But if the server is ALSO behind a NAT firewall you're screwed. Because the
> server will be telling the client to connect to A,B,C,D,X,Y and the
> server's NAT firewall isn't going to be able to change those to the right
> values.
>
> Summary:
> The client behind NAT would prefer PASV SSL ftp.
> The server behind NAT would prefer PORT SSL ftp.
> If NAT is on both sides, you're screwed.
> Proxying firewalls - requires custom ssl ftp proxy.
> Transparent proxying firewall - similar to NAT problem.
>
> As you can see SSL'ized ftp is not a firewall friendly protocol. Don't use
> it unless you really have to.
>
> I wonder why they decided to use two connections for FTP. I guess so you
> can abort transfers? But so many servers don't seem to handle aborts
> properly anyway.
>
> Cheerio,
>
> Link.
> ****************************
> Reply to: @Spam to
> lyeoh at @[EMAIL PROTECTED]
> pop.jaring.my @
> *******************************
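An added example, not code from either poster, for the PORT/PASV address handling Lincoln describes above: a parser for the A,B,C,D,X,Y encoding (port = X*256 + Y) used by the client's PORT command and the server's PASV reply, plus the substitution a NAT's FTP helper performs on a cleartext control channel. Under SSL the helper sees only ciphertext and cannot do that rewrite, which is the firewall problem the post describes. The addresses and ports are constructed sample values.

```python
import re

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"\(" + _HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\s*$")


def _decode(fields):
    """A,B,C,D,X,Y -> ('A.B.C.D', X*256 + Y), rejecting out-of-range fields."""
    nums = [int(f) for f in fields]
    if any(v > 255 for v in nums):
        raise ValueError("field out of range: %r" % (fields,))
    host = ".".join(str(v) for v in nums[:4])
    return host, nums[4] * 256 + nums[5]


def parse_pasv_reply(line: str):
    """Server's PASV reply (227 ...): where the client must open the data connection."""
    m = PASV_RE.search(line)
    if not line.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % line)
    return _decode(m.groups())


def parse_port_command(line: str):
    """Client's PORT command: where the server must connect back to."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def is_valid_port_command(line: str) -> bool:
    """Strict accept/reject, the check a proxy or firewall helper should apply
    before trusting an address a client announces."""
    try:
        parse_port_command(line)
        return True
    except ValueError:
        return False


def encode_hostport(host: str, port: int) -> str:
    octets = host.split(".")
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad host/port")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def rewrite_pasv_reply(line: str, public_host: str, public_port: int) -> str:
    """What a NAT's FTP helper does on a cleartext control channel: the server
    announced its private address, the NAT substitutes the public address/port
    it will forward to it. With the control channel inside SSL the helper only
    sees ciphertext, so this substitution cannot happen."""
    return PASV_RE.sub("(" + encode_hostport(public_host, public_port) + ")", line, count=1)


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (10,0,0,5,195,80)"   # constructed
    print(parse_pasv_reply(reply))                         # ('10.0.0.5', 50000)
    print(rewrite_pasv_reply(reply, "203.0.113.7", 50000))
    print(parse_port_command("PORT 192,168,1,10,4,1"))     # ('192.168.1.10', 1025)
```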
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************