Cryptography-Digest Digest #641, Volume #11 Wed, 26 Apr 00 22:13:01 EDT
Contents:
Re: Magnetic Remenance on hard drives. (jungle)
Re: OAP-L3: Semester 1 / Class #1 All are invited. (Xcott Craver)
Re: What does XOR Mean???!!! (Tim Tyler)
OAP-L3: What is the period of the generator? (Xcott Craver)
Re: GNUPG and BLOWFISH (Andrew)
Re: Requested: update on aes contest ("Trevor L. Jackson, III")
Re: Requested: update on aes contest (Jerry Coffin)
Re: quantum computation FAQ? (John Bailey)
Re: Career Opportunities @ Cloakware ("Trevor L. Jackson, III")
Re: Requested: update on aes contest (stanislav shalunov)
Re: Requested: update on aes contest (Jerry Coffin)
Re: Requested: update on aes contest (Jerry Coffin)
----------------------------------------------------------------------------
From: jungle <[EMAIL PROTECTED]>
Subject: Re: Magnetic Remenance on hard drives.
Date: Wed, 26 Apr 2000 19:12:31 -0400
In the past, several of the data recovery companies on the market refused to attempt
to recover data wiped by PGP's 3-pass wipe from a floppy disk ...
without even trying to attempt it ...
This is just A PAPER, PAPER FANTASY ... or academic dislocation ...
I have to this day the floppy that was wiped [ by accident ] by one of the
company employers ...
Would you like to help recover data from it ?
It is just a floppy disk ... wiped only with 3 passes under PGP ...
Jonathan Thornburg wrote:
>
> In article <[EMAIL PROTECTED]>,
> Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
> >Do you have a reference handy?
>
> It's not a commercial service, but
>
> > ## http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
> >
> > Secure Deletion of Data from Magnetic and Solid-State Memory
> >
> > Peter Gutmann
> > Department of Computer Science
> > University of Auckland
> > [EMAIL PROTECTED]
> >
> > This paper was first published in the Sixth USENIX Security Symposium
> > Proceedings, San Jose, California, July 22-25, 1996
>
> explains how/why data recovery *is* both possible and practical,
> in some detail.
------------------------------
From: [EMAIL PROTECTED] (Xcott Craver)
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3: Semester 1 / Class #1 All are invited.
Date: 26 Apr 2000 23:12:53 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
>
>What if the user doesn't follow your rules? It's really simple to screw
>it up then, since the entire security is conjectured to be on the seed.
>And don't tell me "the user is just plain stupid", because it's human
>nature to cheat, lie and take the easy way.
This is the dancing pigs principle. Any sufficiently restrictive
security requirement, if it can be circumvented, will be
circumvented.
And you can't blame the user for not strictly following the
instructions if the instructions are asinine. Asking,
for instance, a user to stop typing and shake a can of beans
in order to operate a piece of software is just that kind of
instruction. Mr. Szopa is apparently not aware of the speed
of computers nowadays, if he believes that pausing to perform
some calculation by hand is a reasonable request of a user.
Generating a key by this method takes HUNDREDS OF MILLIONS,
maybe BILLIONS OF MICROSECONDS!!
Perhaps if Mr. Szopa's web browser required him to stand up
and perform 10 jumping jacks every time he clicks 30 links
or so, he would rethink his system.
>Why do you rely on unorthodox numbers? Like it has 87 billion possible
>seeds, and 259,200 arrays, and they are permutations of 0-9... Have you
>taken one class in comp sci or cryptography? BTW with 87 billion
>possible seeds that's about 2^70.5, so if that's your key size (I may have
>misinterpreted this) it's kinda small doncha think?
Wait, what? What? 87 billion is about 2^36.
In any case, this is a common theme in crypto snake-oil:
a cipher designer unaware of what we mean by "large" or "fast"
or "efficient." A "large" keyspace is not billions. It used
to be billions of billions, and is now billions of billions
of billions. A "fast" system is fast on the order of computer
speeds, not on the order of human card-shuffling speeds.
An "efficient" system doesn't achieve the security of comparable
systems with huge keys or huge amounts of time. This is not
just an efficiency issue but a security one: each extra bit
of key or operation should massively improve the security,
or the operations are suspect.
Bob Knauer, who designed an OTP-like system using music CDs
as keys, went on the principle that the number of music CDs
at the record store is "enormous." Depending on the record
store, you may be looking at a 20-bit key. (He also wins, by
the way, the award for the most insane and time-consuming key
generation method. Sorry Anthony!) This was simply someone
who at the time was thinking on a different scale in terms
of keysize, cost, time, and difficulty of attacks.
-S
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: What does XOR Mean???!!!
Reply-To: [EMAIL PROTECTED]
Date: Wed, 26 Apr 2000 23:05:23 GMT
R124c4u2 <[EMAIL PROTECTED]> wrote:
[EQV?]
: Here is what I should have said in my initial post:
: Of all the possible boolean operators available to a computer programmer, xor
: is unique in that: blah, blah, blah.
I expect us pedants would then have advised you that various hardware
description languages - such as VHDL and Verilog provide explicit support
for the "XNOR"/"ENOR" instruction - as do some species of machine code ;-)
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Be good, do good.
------------------------------
From: [EMAIL PROTECTED] (Xcott Craver)
Crossposted-To: talk.politics.crypto
Subject: OAP-L3: What is the period of the generator?
Date: 26 Apr 2000 23:34:20 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
>
>I may be a bit slow...So what is the period? Why are you using 0-9?
>Will it work in under a kb of ram?
As hard as it may be to get explicit details or pseudocode
for Anthony's algorithm, I think the question of his generator's
period is very basic, very simple, very fair.
Anthony, you should know the period of your pseudo-random
number generator. This is not an iron-clad indicator of
security, but something people must know in order to assess it.
It is also a very basic question asked of generators. I think
it is reasonable to ask you to please provide this one bit of
information. No, it isn't in the help files.
Further, if you can't compute the period of your generator,
then arguably you don't know enough about it, or of the underlying
mathematics, to make definite and authoritative statements about
its security. Providing us with at least this much, perhaps
with proof, would greatly bolster confidence in your algorithm.
Could you please, please, please, please tell us the period
of your pseudo-random number generator?
-Scott
</NICE>
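Craver's question, what the period of the generator is, can be answered mechanically for any generator whose state can be compared for equality. The following is an added example, not code from the digest or from OAP-L3 (whose internals the thread never gives): Brent's cycle-finding algorithm applied to three constructed toy generators, including two that work on the digits 0-9 so the state space, and therefore the period, is necessarily tiny.

```python
# Added example (not from the digest): measuring a generator's period with
# Brent's cycle-finding algorithm.  The generators are constructed toys;
# they are not OAP-L3, whose details the thread does not provide.


def find_cycle(step, start):
    """Return (tail, period) for the sequence start, step(start), step(step(start)), ...

    `tail` is the number of states emitted before the sequence enters its cycle
    and `period` is the cycle length.  Brent's algorithm needs O(1) memory and
    O(tail + period) steps, so it works on any state that supports ==.
    """
    power = period = 1
    tortoise, hare = start, step(start)
    while tortoise != hare:          # look for the period in windows of doubling size
        if power == period:
            tortoise = hare
            power *= 2
            period = 0
        hare = step(hare)
        period += 1
    # Tail length: advance one pointer by `period`, then walk both until they meet.
    tortoise = hare = start
    for _ in range(period):
        hare = step(hare)
    tail = 0
    while tortoise != hare:
        tortoise, hare = step(tortoise), step(hare)
        tail += 1
    return tail, period


# 1. A full-period LCG mod 2^12: c is odd and a-1 is divisible by 4 (Hull-Dobell),
#    so every one of the 4096 states is visited before the sequence repeats.
def lcg_step(x):
    return (1664525 * x + 1013904223) % 4096


# 2. A digit generator: Fibonacci-style recurrence on the digits 0-9.  The state
#    is a pair of digits, so the period can never exceed 100 whatever the rule.
def fib_digits_step(state):
    a, b = state
    return b, (a + b) % 10


# 3. A degenerate digit generator: squaring mod 10 collapses to a fixed point.
def square_digit_step(x):
    return (x * x) % 10


def survey():
    """Measured (tail, period) of the three toy generators."""
    return {
        "lcg_mod_4096": find_cycle(lcg_step, 1),
        "fib_digits": find_cycle(fib_digits_step, (0, 1)),
        "square_digit": find_cycle(square_digit_step, 2),
    }


if __name__ == "__main__":
    for name, (tail, period) in survey().items():
        print(f"{name}: enters its cycle after {tail} states, period {period}")
```

The same `find_cycle` can be pointed at any generator's state-update function; a designer who cannot state the period of a small-state generator has simply not run this measurement.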
------------------------------
From: Andrew <[EMAIL PROTECTED]>
Subject: Re: GNUPG and BLOWFISH
Date: Wed, 26 Apr 2000 20:26:00 -0400
GnuPG (and other pgp programs) expect the data to be in PGP's format,
which is not raw encrypted data.
There are several open implementations of blowfish that encrypt/decrypt
raw data, such as the one in the back of _Applied Cryptography_, or you
can use the 'openssl bf -d' command, which does blowfish decryption on
files.
------------------------------
Date: Wed, 26 Apr 2000 20:58:09 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Requested: update on aes contest
Jerry Coffin wrote:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
> [ ... ]
>
> > N.B. the figure of 50 years might cover the period in which AES ciphers are
> > used to encrypt information, but the lifetime of such encrypted information is
> > probably much longer. I'd guess at least 100 years (50 year lifetime in
> > 2050), and perhaps as much as 150 (100 year lifetime in 2050).
>
> I was already taking that into account -- even if we assume Moore's
> law holds out that long, a 256-bit key should still be immune to
> exhausting the key space for more than 150 years.
Well, the numbers look right, but CS is only around 50 years old. I'm not
comfortable relying upon a difficulty floor that has to hold for more than three
times that length of time. Could anyone have predicted in 1975 what computers will
look like in 2050?
Maybe when you merge qbits into a condensed state you get strange effects like
super-entanglement or something that would give QC a true exponential improvement
over classical designs. I have no concrete concept of what the future 100 years
from now might hold, but I am certain that our best predictions will turn out to be
too timid. It's the nature of forecasting. Either the forecast sounds
spectacularly silly or it's too timid.
>
>
> Of course, it's much safer to make a prediction more than a century
> into the future than one that might be disproven while people still
> remember it. <G> OTOH, John Dvorak's spent years making predictions
> that were proven wrong almost before they were printed, and the last
> time I noticed, he was still getting paid to do it!
Like shock radio and the "enquiring minds want to know" magazines, all of which are
for-profit endeavors, those predictions are for entertainment. Even Pournelle, who
is otherwise a credible writer, has to entertain. My favorite is his claim to have
investigated the buggiest of the software packages he gets and found them to be
written in C.
My personal prediction is that Moore's law will age ungracefully, providing less and
less improvement, until something comes along that revolutionizes the industry and
restores the exponential. Repeat the cycle ad nauseam.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Requested: update on aes contest
Date: Wed, 26 Apr 2000 18:53:43 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
[ ... ]
> I don't see what we can discuss further in this thread if you don't
> agree with the statement "It's more probable that Twofish or RC6 or
> Serpent will be broken at some point than that Serpent will be broken
> at some point." (Choice of ciphers in this example is arbitrary.)
>
> The only situation where this wouldn't be true is when we have
> absolutely no doubts that neither of them can possibly be ever broken.
Quite the contrary. You're considering two things as equivalent that
are really entirely separate issues. Assuming all the ciphers are
reasonably well designed, etc., then YES, three ciphers are likely to
contain about three times as many weaknesses as one cipher.
That does NOT however, translate to triple the chance of one of them
being broken. You're apparently assuming that the limiting factor is
the existence of a weakness that could be exploited. I believe that
is fundamentally wrong. The limiting factor is the pool of talent
available to find and exploit weaknesses in ciphers. There are very
few serious cryptanalysts in the world, and most of even that small
group have to spend most of their time doing other things.
Reducing the number of ciphers is a bit like buying a 1 GHz computer
in the hopes that it'll help you write faster. The real limit, in
most cases, is of course the speed at which we can type. Even on a
machine that was obsolete years ago, the CPU could keep up with the
fastest typists on earth and still spend most of its time idle. Even
assuming you found an incredibly fast typist, the keyboard interface
would usually limit things long before you could use up more than a
few percent of the bandwidth of a modern CPU.
In much the same way, with ciphers the limiting factor is not the
existence of weaknesses. It's the human factor: the time and effort
required for the small pool of talent to find and exploit the
weaknesses that exist.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: [EMAIL PROTECTED] (John Bailey)
Subject: Re: quantum computation FAQ?
Date: Thu, 27 Apr 2000 01:03:36 GMT
On 23 Apr 2000 04:13:02 GMT, David A Molnar <[EMAIL PROTECTED]>
wrote:
>I've drafted an outline of a possible FAQ which follows this message.
>Comments appreciated. Everything from "we don't need no steenkin' FAQ"
>to "it's been done before and done better" to "you're not qualified to
>write it" to specific comments on formatting, addition or deletion of
>questions, and so on.
Based on the apparent interest, I have brought my page on quantum
computing up to date. Feel free to use any material that would be
useful.
http://www.frontiernet.net/~jmb184/interests/quantum_computing/
John
------------------------------
Date: Wed, 26 Apr 2000 21:13:09 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Career Opportunities @ Cloakware
Marlies Vincken wrote:
> Cloakware Corporation
...
> "our revolutionary, patent-pending tamper-proof software technology"
...
Would you care to explain this apparent silliness?
------------------------------
Subject: Re: Requested: update on aes contest
From: stanislav shalunov <[EMAIL PROTECTED]>
Date: Thu, 27 Apr 2000 01:30:28 GMT
Jerry Coffin <[EMAIL PROTECTED]> writes:
> That does NOT however, translate to triple the chance of one of them
> being broken.
I never said chances would "triple."
Resources that can be dedicated to any task are limited.
Breaking AES is no different in this respect.
Your reasoning--that having multiple ciphers improves security--would
apply as well to, e.g., bastion hosts with different operating systems
that separate an internal network from a public one.
In your world, having multiple bastion hosts will somehow help you.
I know it won't "help" me, even though all the same considerations
apply: limited number of experts, vulnerabilities probably exist
but it takes a lot of effort to find them.
Furthermore, in the case of cryptography some of the results will very
likely be kept secret (those obtained by government agencies). How many
resources (talent, hardware, etc.) they have is debatable, but it's
likely at least comparable with what the public has.
They can well concentrate on breaking one cipher out of several
and find efficient ways to break it. The civilian resources
would be spread to several ciphers, reducing chances of discovery
of weaknesses that are already known and kept secret.
--
stanislav shalunov | Speaking only for myself.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Requested: update on aes contest
Date: Wed, 26 Apr 2000 19:40:49 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> > I was already taking that into account -- even if we assume Moore's
> > law holds out that long, a 256-bit key should still be immune to
> > exhausting the key space for more than 150 years.
>
> Well, the numbers look right, but CS is only around 50 years old. I'm not
> comfortable relying upon a difficulty floor that has to hold for more than three
> times that length of time. Could anyone have predicted in 1975 what computers will
> look like in 2050?
Note that I was very careful to say "if we assume Moore's law holds
out" -- I'm not trying to say that it will, only that if it does,
this is how the math works out.
> My personal prediction is that Moore's law will age ungracefully, providing less and
> less improvement, until something comes along that revolutionizes the industry and
> restores the exponential. Repeat the cycle ad nauseam.
To some extent, this is what has been happening all along -- if you
look at things in a microscopic scale, Moore's law has never applied.
The "curve" has never been entirely smooth, as a true exponential
function would be -- instead, it's always been made up of a series of
steps, that happen to resemble exponential when you ignore the steps.
I expect this to remain similar for two reasons, one technical and
one economic.
The technical reason is fairly simple: it usually takes time and
effort to take a technically feasible concept (e.g. quantum
computation) and turn it into an economically feasible reality. We
know quantum computers are possible, but we're a long ways from them
being feasible and useful. There's likely to be a long, slow process
of making them more and more feasible over time until they match the
capabilities of conventional computers at least for some tasks -- at
that point, they'll start to infiltrate the marketplace. Given the
current (limited) group of algorithms, at least at first they'll
likely be restricted to specialized jobs (most likely database
engines) and over time people will figure out ways to apply them to a
wider variety of tasks (or tailor more tasks to the capabilities,
which comes out about the same) and eventually, they may come into
dominance.
The economic reason is similar: assume for the moment that you had a CPU
design that was compatible with an Intel, ran twice as fast, and cost
only one tenth as much to build. You're NOT likely to immediately
put it on the market at one tenth the price Intel charges: instead,
you recoup your R&D investment by charging only _slightly_ less than
Intel (or most likely, just a bit less than AMD) would for roughly
similar capabilities. Intel and AMD would (of course) respond by
cutting their prices (and profit margins) to remain competitive.
You'd respond by reducing your prices, and so on. This lets you get
as much money as possible by selling as many chips as possible at
relatively high profit margins.
Intel and AMD would respond in another way though: they'd immediately
start doing research into how you managed to do the job so much
better than they did. It's a near-certainty that long before you put
them out of business, that they'd have figured out how to roughly
match your technology, and they'd start to compete with roughly
similar profit margins again.
The end result of these is that changes in prices happen relatively
gradually, NOT as massive leaps. History confirms this reasoning:
computers have progressed from mechanical to electric to tubes to
transistors to ICs of ever-growing size and integration, but the
progression along the price scale has always been smoothed out by
technology and (being frank about it) greed. Ultimately, prices are
determined more by perceived value (or what the market will bear)
than by anything like a constant profit margin.
--
Later,
Jerry.
The universe is a figment of its own imagination.
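Coffin's "this is how the math works out" and Craver's "87 billion is about 2^36" are both brute-force arithmetic, and the following added example (not from the digest or any of its posters) carries it through: total keys tried when the search rate starts at some value and doubles on a fixed schedule, inverted to give the years needed to exhaust an n-bit keyspace. The starting rate of 2^64 keys per second and the 18-month doubling time are assumptions chosen to be generous to the attacker, not figures from the thread.

```python
# Added example (not from the digest): years to exhaust a keyspace under an
# exponentially growing search rate.  Rates and doubling time are assumptions.
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keys_tested(rate_per_sec, doubling_years, years):
    """Keys tried in `years` when the rate starts at `rate_per_sec` and doubles
    every `doubling_years`: the integral of r0 * 2^(t/d) from 0 to `years`."""
    r0 = rate_per_sec * SECONDS_PER_YEAR
    d = doubling_years
    return r0 * d / math.log(2) * (2 ** (years / d) - 1)


def years_to_exhaust(key_bits, rate_per_sec, doubling_years):
    """Years until keys_tested(...) reaches 2**key_bits, in closed form.

    Inverting keys_tested gives T = d * log2(1 + 2^n * ln2 / (r0 * d)).  The
    2^n factor is kept in the log domain so 256-bit keys do not overflow.
    """
    r0 = rate_per_sec * SECONDS_PER_YEAR
    d = doubling_years
    x = key_bits + math.log2(math.log(2)) - math.log2(r0 * d)
    if x > 1000:                     # 2**x would overflow a float; log2(1 + 2^x) == x here
        return d * x
    return d * math.log2(1 + 2 ** x)


def years_to_exhaust_constant(key_bits, rate_per_sec):
    """The same question with no growth in search speed at all."""
    return 2 ** (key_bits - math.log2(rate_per_sec * SECONDS_PER_YEAR))


def bits(keyspace):
    """Effective key length of a keyspace with `keyspace` equally likely keys."""
    return math.log2(keyspace)


if __name__ == "__main__":
    # Craver's point: 87 billion seeds is a ~36-bit key ...
    seed_bits = bits(87e9)
    print(f"87 billion seeds = 2^{seed_bits:.1f}")
    # ... which one machine trying a million seeds per second (assumed) exhausts in about a day.
    print(f"exhausted in {years_to_exhaust(seed_bits, 1e6, 1.5) * 365.25:.1f} days")
    # Coffin's claim, with an assumed starting rate of 2^64 keys/second doubling every 18 months:
    for n in (128, 256):
        print(f"{n}-bit key: {years_to_exhaust(n, 2 ** 64, 1.5):.0f} years with doubling, "
              f"{years_to_exhaust_constant(n, 2 ** 64):.2e} years at a constant rate")
```

With these assumptions a 256-bit keyspace holds out for roughly 250 years, comfortably past Coffin's 150, while a 128-bit one falls inside that horizon, which is why the thread's argument rests on 256 bits.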
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Requested: update on aes contest
Date: Wed, 26 Apr 2000 20:08:07 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
> Jerry Coffin <[EMAIL PROTECTED]> writes:
>
> > That does NOT however, translate to triple the chance of one of them
> > being broken.
>
> I never said chances would "triple."
Pick another number between 1 and 3 and the same reasoning applies.
> Your reasoning--that having multiple ciphers improves security--would
> apply as well to, e.g., bastion hosts with different operating systems
> that separate an internal network from a public one.
>
> In your world, having multiple bastion hosts will somehow help you.
> I know it won't "help" me, even though all the same considerations
> apply: limited number of experts, vulnerabilities probably exist
> but it takes a lot of effort to find them.
Assuming you're talking about something like multiple layers of
firewalls/proxy servers (and not multiples running in parallel) then
yes, the same general reasoning applies. I can't imagine how you'd
think this wouldn't increase security. You could argue (and you
might be right) that the increase in security would be too small to
justify the time, effort, cost, etc., involved, but that's a
different question.
> Furthermore, in the case of cryptography some of the results will very
> likely be kept secret (those obtained by government agencies). How many
> resources (talent, hardware, etc.) they have is debatable, but it's
> likely at least comparable with what the public has.
Of course -- but this has no real effect at all.
To put it algebraically, we don't have to know the exact value of X to
know that X/3 is smaller than X. We only need to know that X is
positive for this to remain true.
> They can well concentrate on breaking one cipher out of several
> and find efficient ways to break it. The civilian resources
> would be spread to several ciphers, reducing chances of discovery
> of weaknesses that are already known and kept secret.
Assume for the moment that NIST decided all five finalists were AES
ciphers. Further assume that you choose exactly one of those for
your use. Assume still further that ALL the civilian AND government
cryptanalysts decide to attack that cipher to the exclusion of the
other four.
This gives you essentially the worst case scenario. Now take
particular note of the fact that it's _exactly_ the same scenario
that arises if only one cipher is chosen for AES -- you have exactly
one cipher, and anybody trying to attack AES _is_ trying to attack
the one cipher you've chosen.
At _absolute_ worst, multiple ciphers end up identical to a single
cipher. In reality, the exact degree of improvement is open to
debate, but I don't see any real room for question that there will be at
least SOME.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************