Cryptography-Digest Digest #878, Volume #11 Sun, 28 May 00 09:13:00 EDT
Contents:
Re: encryption without zeros (Guy Macon)
Re: Is OTP unbreakable? (Guy Macon)
Re: PGP wipe how good is it versus hardware recovery of HD? (Guy Macon)
Re: Source for SHA-1 and Export Control ("Bob Deblier")
Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (David Boothroyd)
Traffic Analysis Capabilities (Anonymous Remailer)
Re: Traffic Analysis Capabilities (Paul Rubin)
Re: Source for SHA-1 and Export Control
Re: Traffic Analysis Capabilities (Guy Macon)
Re: Hill's algorithm (Mark Wooding)
Re: Source for SHA-1 and Export Control (Mark Wooding)
Re: Another sci.crypt Cipher (Mark Wooding)
Re: Another sci.crypt Cipher (Mark Wooding)
Re: Another sci.crypt Cipher (tomstd)
Re: Self Shrinking LFSR (tomstd)
Re: No-Key Encryption (tomstd)
Re: Matrix key distribution? (tomstd)
The TC1 permutation (tomstd)
Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (U Sewell-Detritus)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: encryption without zeros
Date: 28 May 2000 05:15:05 EDT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
>In article <rb-17BAC7.22362727052000@news>, [EMAIL PROTECTED] wrote:
>>
>>I would like to use some strong encryption but need to have
>>the output not have any zeros (needs to fit into zero-terminated
>>data chunks). What would be the smallest and fastest way to mask
>>the zeros? I've seen some people expand every 7 bits to 8, but
>>that seems wasteful (expands to 114% of original size, or so) and
>>takes time (every output byte needs to be shifted).
>>
>>Just for kicks, I'm currently using bit-shifting only, which will
>>never produce a zero from a non-zero byte. I guess that's not
>>a strong encryption routine, though. Is there any strong routine
>>which doesn't make zeros from non-zero data?
>
>Designate a symbol as an escape character. Escape out the zeros
>and double the escape character to indicate itself. It should
>expand the message less than 1%.
That only works if you never have two zeros next to each other.
Question for [EMAIL PROTECTED]: Please detail how important it is
to you to keep the string small, keep the computation fast,
etc.
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Is OTP unbreakable?
Date: 28 May 2000 05:23:24 EDT
In article <8gqeoq$5u4$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>In article <[EMAIL PROTECTED]>,
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>> > > The OTP does not offer any authentication.
>> Greg wrote:
>> > How ridiculous. OTP offers the same level of authentication as
>> > most other private keys in a public key cryptosystem. If you have
>> > the key, then you can sign the document. That is all authentication
>> > means.
>>
>> Authentication is more than that. For example, in the OTP
>> scenario, the encrypted message can be intercepted, a guess
>> made as to some portion of the probable plaintext (for example
>> a stereotyped beginning such as "For information only."),
>> that portion of the key recovered, and a different plaintext
>> substituted (e.g. "For immediate action."). The legitimate
>> receiver has no way to know that the message is not what the
>> legitimate originator sent. With a proper authentication
>> scheme, such spoofing would almost certainly be detected.
>
>Sorry, I never imagined that any assumption, especially one
>so specific as your example, would ever be valid. Be that as
>it may, OTP continues to provide the mechanisms for authentication.
>If you form a check sum (for example) and encrypt it as the end
>of the message, you use the OTP to produce the authentication
>that you claim OTP does not provide.
No. If I use any of the standard authentication protocols,
someone who knows my plaintext but not my key and who can
intercept my ciphertext and replace it with his own cannot
send a message that looks like I sent it. In the case of
checksum followed by OTP encryption, he can. This is the
classic man-in-the-middle attack combined with the classic
known/chosen plaintext attack. Good security systems resist
these attacks, singly or in combination. OTP doesn't.
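The scenario Gwyn describes and Macon's point about a checksum under the pad, worked through as an added example (not code from the thread). The pad, the MAC key and the message texts are constructed; HMAC-SHA256 stands in for "any of the standard authentication protocols".

```python
import hashlib
import hmac

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The one-time-pad operation itself: XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def checksum16(data: bytes) -> bytes:
    """The sort of simple checksum the thread proposes: a 16-bit byte sum."""
    return (sum(data) & 0xFFFF).to_bytes(2, "big")

def seal_checksum(msg: bytes, pad: bytes) -> bytes:
    """Checksum-then-OTP: append the checksum and encrypt both under the pad."""
    body = msg + checksum16(msg)
    return xor_bytes(body, pad[:len(body)])

def open_checksum(ct: bytes, pad: bytes):
    """Decrypt and accept the message only if its checksum verifies."""
    body = xor_bytes(ct, pad[:len(ct)])
    msg, tag = body[:-2], body[-2:]
    return msg if tag == checksum16(msg) else None

def seal_hmac(msg: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """MAC-then-OTP: the tag depends on a second key the interceptor lacks."""
    body = msg + hmac.new(mac_key, msg, hashlib.sha256).digest()
    return xor_bytes(body, pad[:len(body)])

def open_hmac(ct: bytes, pad: bytes, mac_key: bytes):
    body = xor_bytes(ct, pad[:len(ct)])
    msg, tag = body[:-32], body[-32:]
    expected = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(tag, expected) else None

def substitute(ct: bytes, known: bytes, replacement: bytes) -> bytes:
    """The interception described in the thread: knowing the leading `known`
    plaintext bytes, the interceptor recovers that stretch of pad as ct XOR known
    and re-encrypts an equal-length `replacement` under it; later bytes (here the
    encrypted tag) pass through untouched."""
    assert len(known) == len(replacement)
    n = len(known)
    return xor_bytes(replacement, xor_bytes(ct[:n], known)) + ct[n:]

def demo():
    """Returns (what the checksum receiver accepts, what the HMAC receiver accepts)."""
    # Constructed, deterministic sample values; a real pad is random and never reused.
    pad = bytes((37 * i + 11) & 0xFF for i in range(64))
    mac_key = b"constructed-demo-mac-key"
    original = b"For information only."
    forged = b"For immediate action."      # Gwyn's substitution, same length

    # Checksum + OTP: the interceptor knows the message, hence its checksum,
    # so he rewrites both and the forgery verifies.
    ct = seal_checksum(original, pad)
    forged_ct = substitute(ct, original + checksum16(original),
                           forged + checksum16(forged))
    # HMAC + OTP: he can still rewrite the message bytes, but the recovered
    # tag no longer matches, so the receiver rejects the forgery.
    ct2 = seal_hmac(original, pad, mac_key)
    forged_ct2 = substitute(ct2, original, forged)
    return open_checksum(forged_ct, pad), open_hmac(forged_ct2, pad, mac_key)
```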
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: PGP wipe how good is it versus hardware recovery of HD?
Date: 28 May 2000 05:38:25 EDT
In article <gJ0Y4.839$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>>I have a program called shredder which I believe overwrites a file 7
>>times with random data to try and prevent hardware recovery of deleted
>>files, aka the story in the WSJ. Does PGP's wipe function do this or does
>>it only overwrite once?
>Salutations,
>PGP's wipe utility overwrites the victim file 7 or more times. I am not
>certain about the actual number of overwrites that occur, but I am
>confident that it is more than one.
Your confidence is misplaced. It may be LESS than one.
You see, modern operating systems and disk drive controllers do lots of
tricks to make your applications run faster. If you have a SCSI controller
with elevator seek write capability, for instance, it may very well take
your 7 writes, throw away the first 6 as making no difference to the end
result, write the 7th to another section of the physical disk, and update a
pointer so that your application sees it in the old location. The only way
to even come close to a "secure wipe" on a variety of systems is to control
the low level details of the disk drive electronics. PGP doesn't do this.
Nor should it.
There is a better solution: only store encrypted data on the hard disk.
>As for hardware recovery, overwriting a
>file with random data is a good precaution but it is not a 100% sure way to
>securely erase a file--however I do stress that it is better than nothing.
Exactly right.
------------------------------
From: "Bob Deblier" <[EMAIL PROTECTED]>
Subject: Re: Source for SHA-1 and Export Control
Date: Sun, 28 May 2000 09:47:59 GMT
"Jamie Nettles" <[EMAIL PROTECTED]> wrote in message
news:rBYX4.2265$[EMAIL PROTECTED]...
> Where could I find source code for SHA-1 and what's the deal on export?
The beecrypt cryptography library is downloadable from Virtual Unlimited's
website (http://beecrypt.virtualunlimited.com/) in the Netherlands. It
contains SHA-1 source code...
Sincerely
Bob Deblier
------------------------------
From: [EMAIL PROTECTED] (David Boothroyd)
Crossposted-To:
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Sun, 28 May 2000 11:01:39 +0000
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> On Mon, 8 May 2000 14:31:20 +0100, "NoSpam" <[EMAIL PROTECTED]>
> wrote:
>
> >plans were already far advanced for a law that would stop ILOVEYOU ever
> >happening again. Yes, it's that darn RIP bill, still struggling to find
> >supporters in the real world"
>
> If they want to stop I Love You viruses, why don't they just get
> everybody to use a secure mail reader? Surely it wouldn't cost them a
> lot to switch to something secure, like pine, or any other *nix mail
> reader, or even some Windows readers are not too bad. Why spend money
> on a bill that restricts human rights when you could have a better
> solution for all for free?
The Regulation of Investigatory Powers Bill has nothing to do with stopping
computer virus programs. It simply regulates what state bodies can do in
investigating communications for illegal activity.
The proposals in the Bill are exactly the same as the ones Labour suggested
before the election so there really isn't anything for anyone to get
worked up about. The Conservatives were planning mandatory key escrow.
------------------------------
From: Anonymous Remailer <[EMAIL PROTECTED]>
Subject: Traffic Analysis Capabilities
Date: Sun, 28 May 2000 12:05:01 +0200 (CEST)
is this just paranoia? http://cryptome.org/tac-rp.htm
any comments?
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Traffic Analysis Capabilities
Date: 28 May 2000 10:13:29 GMT
In article <[EMAIL PROTECTED]>,
Anonymous Remailer <[EMAIL PROTECTED]> wrote:
> is this just paranoia? http://cryptome.org/tac-rp.htm
> any comments?
It's interesting but by and large kind of silly. I believe the
traffic analysis issues are real, as is the idea that some remailers
may be compromised or simply operated by the opponent. The
codebreaking stuff is science fiction.
Btw, if the NSA can break 1024 bit RSA, they have fundamentally better
math than the rest of us do and can probably break >1024.
------------------------------
From: <[EMAIL PROTECTED]>
Crossposted-To: nl.comp.crypt,talk.politics.crypto
Subject: Re: Source for SHA-1 and Export Control
Date: Sun, 28 May 2000 06:27:30 -0400
I have a short DOS version at
http://members.xoom.xom/afn21533/sha1.zip
which meets all the vectors including the 1,000,000 'a's.
===========
My home page URL=http://members.xoom.com/afn21533/ Robert G. Durnal
Hosting HIDE4PGP, HIDESEEK v5.0, TinyIdea, BLOWFISH, [EMAIL PROTECTED]
and tiny DOS versions of RC6, RIJNDAEL, SAFER+, and [EMAIL PROTECTED]
SERPENT. Working on key exchange at present.
On Sat, 27 May 2000, Jamie Nettles wrote:
> Where could I find source code for SHA-1 and what's the deal on export?
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Traffic Analysis Capabilities
Date: 28 May 2000 06:29:03 EDT
In article <[EMAIL PROTECTED]>,
Anonymous Remailer <[EMAIL PROTECTED]> wrote:
> is this just paranoia? http://cryptome.org/tac-rp.htm
> any comments?
This site led me to a GREAT one.
http://astimage.daps.dla.mil/quicksearch/
"direct access to nearly 100,000 full text DoD Specifications and
Standards available in the DoD master repository - does not
require an account and password and makes documents available to
the public free of charge."
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Hill's algorithm
Date: 28 May 2000 10:16:57 GMT
Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> I'm thinking of using Hill's algorithm [or rather a variant thereof] as
> block cipher. But I'm not sure how secure it is.
>
> Here's some pseudo-code I made up for 128bit blocks:
Four 16-bit words gives you 64 bits, not 128.
> do
> encryption-key = generate-4x4-matrix-of-16bit-values();
> until( determinant(encryption-key) is odd );
You're likely to be plagued by weak keys here. For example,
[ a 0 0 0 ]
[ 0 b 0 0 ]
[ 0 0 c 0 ]
[ 0 0 0 d ]
isn't going to be any help to anyone.
The matrix multiplication is the bit which provides (almost) all of your
inter-word diffusion, and all of your good nonlinearity.
> /* unless you have a better way of making an invertible matrix */
Someone (I can't remember who) suggested using some fixed invertible
matrices X, X^{-1} and using triangular matrices which are known to be
invertible between them.
> A ^= (B>>8); B ^= (C>>8);
> C ^= (D>>8); D ^= (A>>8);
Hmmm. That smells familiar.
-- [mdw]
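Mark's weak-key observation, worked as an added example (not code from the thread): the Hill step from Benjamin's pseudo-code with 16-bit words, the odd-determinant invertibility test his loop uses, and a diffusion probe showing that a diagonal key ties each output word to a single input word. The key matrices and the sample block are constructed values.

```python
MOD = 1 << 16   # the thread's 16-bit words

def hill_encrypt_block(key, block):
    """The Hill step from the posted pseudo-code: a 4-word block (16-bit words)
    multiplied by a 4x4 key matrix, every entry reduced mod 2^16."""
    assert len(key) == 4 and all(len(row) == 4 for row in key) and len(block) == 4
    return [sum(key[r][c] * block[c] for c in range(4)) % MOD for r in range(4)]

def det_mod(m, mod):
    """Determinant modulo `mod` by cofactor expansion (fine for a 4x4 matrix)."""
    if len(m) == 1:
        return m[0][0] % mod
    total = 0
    for c, pivot in enumerate(m[0]):
        minor = [row[:c] + row[c + 1:] for row in m[1:]]
        total += (-1) ** c * pivot * det_mod(minor, mod)
    return total % mod

def is_invertible(key):
    """The loop condition in the post: a matrix is invertible mod 2^16 iff its
    determinant is odd (a unit mod 2^16)."""
    return det_mod(key, MOD) % 2 == 1

def affected_outputs(key, block, word, delta=1):
    """Which output words change when input `word` is perturbed by `delta`?
    A diagonal key answers with a single index: no inter-word diffusion at all,
    so the 'cipher' degenerates into four independent 16-bit maps."""
    tweaked = list(block)
    tweaked[word] = (tweaked[word] + delta) % MOD
    a, b = hill_encrypt_block(key, block), hill_encrypt_block(key, tweaked)
    return [i for i in range(4) if a[i] != b[i]]

# Constructed keys for the demonstration. Both pass the "determinant is odd" test,
# so the posted generation loop would happily accept either.
WEAK_DIAGONAL_KEY = [
    [0x1235, 0, 0, 0],
    [0, 0x7AB3, 0, 0],
    [0, 0, 0x0C11, 0],
    [0, 0, 0, 0xF00D],
]
DENSE_KEY = [
    [0x3C6F, 0x1A2A, 0x9E57, 0x4403],
    [0x7B21, 0x0E8D, 0x5510, 0xA2C6],
    [0x19F0, 0x6DB5, 0x2C93, 0xE0E8],
    [0xB765, 0x0F32, 0x8DD4, 0x2A19],
]
SAMPLE_BLOCK = [0xDEAD, 0xBEEF, 0x0123, 0x4567]   # constructed plaintext block
```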
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Crossposted-To: nl.comp.crypt,talk.politics.crypto
Subject: Re: Source for SHA-1 and Export Control
Date: 28 May 2000 10:20:20 GMT
Jamie Nettles <[EMAIL PROTECTED]> wrote:
> Where could I find source code for SHA-1 and what's the deal on export?
I've suddenly remembered: there's SHA-1 code in my Storin submission.
http://www.excessus.demon.co.uk/crypto/storin-1.0.1.tar.gz
It's optimized for smallness rather than speed.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Another sci.crypt Cipher
Date: 28 May 2000 11:04:23 GMT
Mark Wooding <[EMAIL PROTECTED]> wrote:
> Hmm. You lower the probabilities quite a bit. I still have some
> 13-round characteristics but they have probability 2^-63.
I wasn't having a good day yesterday, clearly. All of my
characteristics did one round too many!
In fact, for the single S-box application of the real TC1, I get a
16-round characteristic with p = 2^-60. For my erroneous TC1-variant
with the S-boxes in the other order, I can get as far as 2^-57.
My results are summarized below, given as (approximate) negative base-2
logs.
  Rounds         13     14     15     16
  Real TC1       48     54     60     60
  Reversed TC1   45.6   51     56.5   57
  Double-F TC1   56     63     --     --
I suspect that the 13-round column is the one to look at. It's
interesting to note that my reversed TC1 is about 8 times weaker than
the real thing.
Apologies for the confusion.
My program is now available to all as
http://www.excessus.demon.co.uk/crypto/tc1-diff.c
It now has extensive internal documentation (I wrote some comments) and
is generally a bit more presentable.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Another sci.crypt Cipher
Date: 28 May 2000 11:09:42 GMT
Mark Wooding <[EMAIL PROTECTED]> wrote:
> My results are summarized below, given as (approximate) negative base-2
> logs.
>
>   Rounds         13     14     15     16
>
>   Real TC1       48     54     60     60
>   Reversed TC1   45.6   51     56.5   57
>   Double-F TC1   56     63     --     --
>
> I suspect that the 13-round column is the one to look at. It's
> interesting to note that my reversed TC1 is about 8 times weaker than
> the real thing.
It's also occurred to me that double application of the round function
doesn't actually provide as much security benefit as increasing the
number of rounds to 24 or whatever would make the cipher at a similar
speed.
-- [mdw]
------------------------------
Subject: Re: Another sci.crypt Cipher
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 28 May 2000 05:00:34 -0700
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Mark Wooding) wrote:
>Mark Wooding <[EMAIL PROTECTED]> wrote:
>
>> Hmm. You lower the probabilities quite a bit. I still have some
>> 13-round characteristics but they have probability 2^-63.
>
>I wasn't having a good day yesterday, clearly. All of my
>characteristics did one round too many!
>
>In fact, for the single S-box application of the real TC1, I get a
>16-round characteristic with p = 2^-60. For my erroneous TC1-variant
>with the S-boxes in the other order, I can get as far as 2^-57.
>
Good job breakin TC1 :-)
>My results are summarized below, given as (approximate) negative base-2
>logs.
>
>   Rounds         13     14     15     16
>
>   Real TC1       48     54     60     60
>   Reversed TC1   45.6   51     56.5   57
>   Double-F TC1   56     63     --     --
Well, for one of my first ciphers this doesn't look too shabby.
>I suspect that the 13-round column is the one to look at. It's
>interesting to note that my reversed TC1 is about 8 times weaker than
>the real thing.
You mean you used sboxes[3..0] instead of [0..3]?
>Apologies for the confusion.
>
>
>My program is now available to all as
>
> http://www.excessus.demon.co.uk/crypto/tc1-diff.c
>
>It now has extensive internal documentation (I wrote some comments) and
>is generally a bit more presentable.
Well congrats, and your program is nice looking too.
I think it's funny that I counted active sboxes up to seven
compositions of F yet you still found a break for it past that.
What did I do wrong?
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
Subject: Re: Self Shrinking LFSR
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 28 May 2000 05:02:00 -0700
In article <[EMAIL PROTECTED]>,
lordcow77 <[EMAIL PROTECTED]> wrote:
>How did you generate the poly?
I used Maple and the following script:
n := 64;
eq := Randpoly(n, x) mod 2;
while (Primitive(eq) mod 2) <> true do
  eq := Randpoly(n, x) mod 2;
od;
BTW I uploaded a 'fixed' copy of slfsr.c if anyone is
interested, it says 'revised' at the top.
Tom
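A Python equivalent of the Maple loop above, added here as an example (not Tom's code): random degree-n polynomials over GF(2) are drawn until one passes a primitivity test, where "primitive" means x has multiplicative order exactly 2^n - 1 modulo the polynomial (the test behind Maple's `Primitive(eq) mod 2`). Polynomials are encoded as integers with bit i the coefficient of x^i; the order is checked against the prime factors of 2^n - 1, which trial division finds quickly for n <= 64.

```python
import random

def gf2_mulmod(a: int, b: int, mod: int) -> int:
    """Multiply two GF(2) polynomials (bit i = coefficient of x^i) modulo `mod`."""
    deg = mod.bit_length() - 1
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:        # keep a reduced below degree `deg`
            a ^= mod
    return result

def gf2_powmod(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply exponentiation in GF(2)[x] / (mod)."""
    result = 1
    while exp:
        if exp & 1:
            result = gf2_mulmod(result, base, mod)
        base = gf2_mulmod(base, base, mod)
        exp >>= 1
    return result

def prime_factors(m: int) -> list:
    """Distinct prime factors by trial division; adequate for 2^n - 1 with n <= 64."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors

def is_primitive(poly: int, factors=None) -> bool:
    """True iff poly (degree n) is primitive over GF(2): x has order exactly 2^n - 1
    modulo poly, which also forces poly to be irreducible of degree n."""
    n = poly.bit_length() - 1
    if n < 1 or not poly & 1:
        return False                      # divisible by x, so not even irreducible
    order = (1 << n) - 1
    if gf2_powmod(2, order, poly) != 1:  # the integer 2 encodes the polynomial x
        return False
    factors = prime_factors(order) if factors is None else factors
    return all(gf2_powmod(2, order // q, poly) != 1 for q in factors)

def random_primitive_poly(n: int, seed: int) -> int:
    """The posted Maple loop: draw random degree-n polynomials until one is primitive.
    The constant term is forced to 1, since otherwise x divides the polynomial."""
    rng, factors = random.Random(seed), prime_factors((1 << n) - 1)
    while True:
        poly = (1 << n) | (rng.getrandbits(n - 1) << 1) | 1
        if is_primitive(poly, factors):
            return poly
```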
------------------------------
Subject: Re: No-Key Encryption
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 28 May 2000 05:07:06 -0700
In article <[EMAIL PROTECTED]>, Michael Pellaton
<[EMAIL PROTECTED]> wrote:
>In the literature about cryptography I often read about the three
>different types of encryption - symmetric, asymmetric and no-key
>encryption. I found plenty of implementations of the symmetric and the
>asymmetric method. Is there any implementation of no-key encryption
>available?
>
No-key encryption doesn't make sense at all. Where did you hear
about that?
Tom
------------------------------
Subject: Re: Matrix key distribution?
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 28 May 2000 05:09:00 -0700
In article <[EMAIL PROTECTED]>, Benjamin Goldberg
<[EMAIL PROTECTED]> wrote:
>Michael Brown wrote:
>>
>> Benjamin Goldberg <[EMAIL PROTECTED]> wrote in article
>> <[EMAIL PROTECTED]>...
>> > Perhaps this seems like a silly question, but what if matrix C isn't in
>> > any special format, but whose only property is that it's non-invertible?
>> For C to be singular either one (or more) row(s) has to be a combination of
>> the other rows or one (or more) column(s) have to be a multiple of the
>> other columns. The matrix C is based on the first idea with the second row
>> being a multiple, in this case m, of the first row. I suspect that it still
>> would be insecure if the matrix C used the other method though.
>
>Don't forget that we're working modulo 2^32 ... There is therefore
>another, simpler way to make C non-invertible: make all 4 numbers even.
>
But then all the output numbers will be even. That may not be a
desirable property.
Tom
------------------------------
Subject: The TC1 permutation
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 28 May 2000 05:26:27 -0700
If anyone is interested I did a little program to draw the bit
permutation. The input 'leads' are at the top, and output leads
at the bottom.
It may be of some help for even better attacks :-)
http://www.tomstdenis.com/tc1perm.gif
Tom
------------------------------
From: [EMAIL PROTECTED] (U Sewell-Detritus)
Crossposted-To:
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: 28 May 2000 12:32:10 GMT
In <[EMAIL PROTECTED]>,
David Boothroyd <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] wrote:
>> On Mon, 8 May 2000 14:31:20 +0100, "NoSpam" <[EMAIL PROTECTED]>
>> wrote:
>>
>> >plans were already far advanced for a law that would stop ILOVEYOU ever
>> >happening again. Yes, it's that darn RIP bill, still struggling to find
>> >supporters in the real world"
>>
>> If they want to stop I Love You viruses, why don't they just get
>> everybody to use a secure mail reader? Surely it wouldn't cost them a
>> lot to switch to something secure, like pine, or any other *nix mail
>> reader, or even some Windows readers are not too bad. Why spend money
>> on a bill that restricts human rights when you could have a better
>> solution for all for free?
>
>The Regulation of Investigatory Powers Bill has nothing to do with stopping
>computer virus programs.
The supposed anti-viral properties of RIP are just one of many
half-truths belching out of Patricia Hewitt's department.
BTW, that's Patricia Hewitt the 'e-minister' - she who cannot program
her video-recorder and she who was head of research at 'New Labour's favourite
accountant', Arthur Andersen at the time of the DeLorean scandal.
i.e. don't trust her.
Thatcher, bless her heart, tried to recover the GBP200m missing from the
public purse. When Tory plc pulled the plug on Andersen's gov't
contracts, Andersen was effectively consigned to a life in the wilderness.
But Andersen made the shrewd move of courting anyone with any leverage in the
Labour Party - Hewitt fitted the bill *nicely* : malleable and dumb.
Just watch those HMG contracts for Andersen come a' rolling in once again.
(see Mail On Sunday, 16 Jan 200: Chancellor Brown:
"Where did you get that flat, where *did* you get that flat?")
>[RIP] simply regulates what state bodies can do in
>investigating communications for illegal activity.
And who will be investigating the illegal activity of the investigators?
Duncan Campbell?
http://www.gn.apc.org/duncan/
>
>The proposals in the Bill are exactly the same as the ones Labour suggested
>before the election so there really isn't anything for anyone to get
>worked up about.
The Labour party promised a free-vote on fox hunting. Look what that proved
to be, in reality.
Don't be deceived by RIP either [*]
>The Conservatives were planning mandatory key escrow.
Bully for them. Key escrow was forced onto the agenda by Washington to
bolster the UKUSA arrangement.
Just like RIP, it is invaluable to the crooked little men in power.
==========================================================================
[*] "Law Enforcement" is a protective shield for all the other government
activities ... We're talking about foreign intelligence, that's what
all this is about. There is no question [that] 'law enforcement' is
a smoke screen."
David Herson, head of EU Senior Officers' Corp, Information Security, EU
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************