Cryptography-Digest Digest #902, Volume #11 Wed, 31 May 00 13:13:00 EDT
Contents:
Re: DVD encryption secure? -- any FAQ on it (Guy Macon)
Re: No-Key Encryption (John Savard)
Re: Implementation of crypt(3) (David R Conorozzo)
Re: Math problem (P=NP) prize and breaking encryption (Daniel A. Jimenez)
Re: list of prime numbers (Paul Koning)
Re: Does it even matter? ("dlk")
Re: Implementation of crypt(3) ([EMAIL PROTECTED])
Re: PGP wipe how good is it versus hardware recovery of HD? (Richard Herring)
Re: DVD encryption secure? -- any FAQ on it (Roger Schlafly)
Re: Anti-Evidence Eliminator messages, have they reached a burn-out po (Mark Wooding)
Re: HTML encryption (Mark Wooding)
Re: Is OTP unbreakable?/Station-Station (Tim Tyler)
Re: Is OTP unbreakable?/Station-Station (Tim Tyler)
Re: Is OTP unbreakable?/Station-Station (Mark Wooding)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: 31 May 2000 10:15:49 EDT
Casper H.S. Dik - Network Security Engineer wrote:
>
>
>[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]
>
>Roger Schlafly <[EMAIL PROTECTED]> writes:
>
>>I don't think they really cared how strong it was. They
>>just wanted strong enough that it would be considered a
>>copy protection mechanism, and thus trigger the legal
>>protections of the Digital Millennium Copyright Act.
>>It is not illegal to circumvent weak encryption in the US
>>under this law.
>
>
>Except, of course, that it's not a copy protection mechanism at all,
>despite what they say.
>
>You can do bit-by-bit copying of DVD disks and they'll play in
>any player; no need to decrypt.
>
It doesn't stop me from making metal masters and stamping out copies
by the tens of thousands, either.
>What the encryption does achieve is disallowing non-licensed players,
>and that seems to be bordering on the illegal.
I found it ...interesting... that the net effect was to allow
Microsoft Windows to play DVDs but prevent Linux from playing DVDs.
Makes you wonder, doesn't it?
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: No-Key Encryption
Date: Wed, 31 May 2000 14:08:27 GMT
On Mon, 29 May 2000 23:03:12 GMT, Bryan Olson <[EMAIL PROTECTED]>
wrote, in part:
>Suppose we limit ourselves to the associative operation
>case. Does there exist an associative operation "*" such
>that the protocol illustrated above is secure? I don't
>know.
Such an operator at least seems very likely to be insecure, because of
the following.
The scheme requires that, for the operator used, the inverse operator
exist, to allow the legitimate recipients to decipher their messages.
Let us denote the operator by *, and the inverse operator /.
1) A sends M*A.
2) B replies with M*A*B.
3) A calculates M*A*B/A, to obtain M*B, which is sent to B. This works
if * is commutative, but it also works if * is exponentiation, since
(M^A)^B equals (M^B)^A, as both equal M^(A*B). Note, though, that if *
is exponentiation, M*A/M is not A.
If * is commutative, the scheme is trivially breakable. If it is
associative, it seems to at least have a property strongly resembling
commutativity, but A*B could lose information about B instead.
If * is associative, and M*A*B = M*B*A for any M,A,B, then the
following procedure will find Q*A and Q*B for any Q, even if it
doesn't find M:
having intercepted M*A, M*A*B, M*B, evaluate Q*M*A*B, and divide it by
M*A or by M*B.
If finding Q*A for any Q lets you find A, then you can find M; this
seems to be a serious weakness for any associative operator.
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/
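Added illustration (my own code, not part of Savard's post): the three-pass exchange he describes, written over a pluggable operator. With XOR, which is commutative and associative, an eavesdropper who records all three transmissions recovers M outright, and Savard's Q*A / Q*B construction is shown as well; with modular exponentiation (the Shamir three-pass instance) the same transcript-combining tricks give nothing. The modulus P = 2^61-1, the exponents and the sample message are constructed choices of mine.

```python
"""Three-pass 'no-key' exchange with a pluggable operator, and what an
eavesdropper who sees all three transmissions can do with them."""

# ---- the protocol, written generically over an operator op and its inverse inv ----
def three_pass_transcript(m, a, b, op, inv):
    """Run the exchange and return the three values that cross the wire."""
    t1 = op(m, a)            # 1) A sends M*A
    t2 = op(t1, b)           # 2) B replies with M*A*B
    t3 = inv(t2, a)          # 3) A removes A: (M*A*B)/A = M*B, sent to B
    return t1, t2, t3

def receiver_decrypts(t3, b, inv):
    return inv(t3, b)        # B removes B: (M*B)/B = M

# ---- instantiation 1: XOR, commutative, associative and its own inverse ----
def xor_op(x, k):
    return x ^ k

def eavesdrop_xor(t1, t2, t3):
    # (M^A) ^ (M^A^B) ^ (M^B) = M: the plaintext falls straight out of the transcript.
    return t1 ^ t2 ^ t3

def eavesdrop_associative(t1, t2, t3, q, op, inv):
    """Savard's construction for an associative, order-independent operator:
    Q*M*A*B divided by M*B gives Q*A, divided by M*A gives Q*B."""
    qmab = op(q, t2)
    return inv(qmab, t3), inv(qmab, t1)      # (Q*A, Q*B)

def recover_m_from_qb(t3, qb, q):
    # With XOR, Q*B reveals B directly (B = Q ^ (Q^B)); then M = (M^B) ^ B.
    b = q ^ qb
    return t3 ^ b

# ---- instantiation 2: modular exponentiation (Shamir three-pass), same message flow ----
P = 2**61 - 1                 # constructed choice: a prime modulus; exponents must be coprime to P-1

def exp_op(x, k):
    return pow(x, k, P)

def exp_inv(x, k):
    return pow(x, pow(k, -1, P - 1), P)      # raise to k^-1 mod (P-1)

def xor_trick_fails_on_exp(m, a, b):
    """The XOR of the three values does not give M here, and neither does the
    multiplicative analogue M^a * M^b / M^(ab) = M^(a+b-ab)."""
    t1, t2, t3 = three_pass_transcript(m, a, b, exp_op, exp_inv)
    mult = t1 * t3 * pow(t2, -1, P) % P
    return (t1 ^ t2 ^ t3) != m and mult != m

if __name__ == "__main__":
    m, a, b = 0x48656c6c6f, 0x1234, 0xbeef   # constructed sample values
    t = three_pass_transcript(m, a, b, xor_op, xor_op)
    print("XOR: receiver gets", hex(receiver_decrypts(t[2], b, xor_op)))
    print("XOR: eavesdropper gets", hex(eavesdrop_xor(*t)))
    print("exp: transcript tricks fail:", xor_trick_fails_on_exp(m, 65537, 65539))
```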
------------------------------
From: David R Conorozzo <[EMAIL PROTECTED]>
Subject: Re: Implementation of crypt(3)
Date: Wed, 31 May 2000 10:49:23 -0400
Found one...
http://www.task.gda.pl/pub/security/crypto/LIBS/libdes/
David R Conorozzo <[EMAIL PROTECTED]> wrote in message
news:8h35pt$rh1$[EMAIL PROTECTED]...
> I need to find a C implementation of the Unix/Linux crypt function that is
> used to store passwords. Does anyone know where such an implementation
> lies?
>
> Thanks,
> David Conorozzo
>
>
------------------------------
From: [EMAIL PROTECTED] (Daniel A. Jimenez)
Subject: Re: Math problem (P=NP) prize and breaking encryption
Date: 31 May 2000 10:05:10 -0500
In article <8guqcr$m75$[EMAIL PROTECTED]>,
David A Molnar <[EMAIL PROTECTED]> wrote:
>Axel Lindholm <[EMAIL PROTECTED]> wrote:
>> Ah, while I'm still typing I might as well ask if someone ever tried dealing
>> with SAT and came up with some results or perhaps knows a good webpage
>> dealing with SAT? My number theory mentor gave me a small compendium about it
>> once but, sadly enough, I seem to have lost it.
> Afraid I don't know what the best algorithm for SAT is now. The classic
>reference on this sort of thing is Garey & Johnson's _Computers and
>Intractability_, but I am not sure whether an updated version exists or
>where it might be.
The current best algorithms for SAT are variations of the Davis-Putnam
algorithm. The last time I checked (a few years ago), the best version
works in O(1.497^n) worst case time, where n is the number of variables
in the formula. I once wrote a program that transformed a positive integer
into a formula whose only satisfying assignment was the factors of
the integer (or no satisfying assignment, if the integer was prime).
I tried it out with a decent Davis-Putnam implementation. As I recall,
factoring 32-bit numbers turned out to take several minutes, and 64-bit
numbers would never complete. If someone came up with a low order
polynomial time algorithm for SAT, then factoring would be easy and that
person would have proved P = NP (= coNP). This is unlikely to
happen :-)
See the comp.theory FAQ list for more on NP-completeness:
http://www.cs.unb.ca/~alopez-o/comp-faq/faq.html
--
Daniel Jimenez [EMAIL PROTECTED]
"I've so much music in my head" -- Maurice Ravel, shortly before his death.
" " -- John Cage
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: list of prime numbers
Date: Wed, 31 May 2000 10:52:18 -0400
Axel Lindholm wrote:
> ...But if you know how the primes in your RSA system are
> generated that might help a lot.
>
> Consider the Lucas-Lehmer test of finding primes that fit the description
> 2^p-1, where p is a prime. If you knew the RSA system generated their primes
> that way you could start looking for a divisor of the public modulus on that
> form that's less than the square root of the public modulus.
True. But that would be a severely defective implementation. No proper
implementation uses special form primes like that.
(A more common defect is bias or inadequate seeding in the random number
generator used to initialize the key generation process. That's a far
more subtle flaw.)
> The list of
> these numbers surely would be a lot smaller than a list of all known primes
> of approx. 10^150.
Naturally, since the latter has about (10^150)/550 entries and the
former only a few hundred...
paul
------------------------------
From: "dlk" <[EMAIL PROTECTED]>
Subject: Re: Does it even matter?
Date: Wed, 31 May 2000 15:12:36 GMT
Tom,
I'm no crypto-expert (way, way far from it!) but I'm a hell of a coder and I
know talent when I see it. You've got it. Don't give up.
Do:
Finish high school.
Get into a college (any will do) and get that silly piece of paper.
Think of it like a ticket: most HR types don't know an s-box from
a swizzle stick, but they do know diplomas. That hill gets a lot
steeper without one, trust me, I know of what I speak on this - nothing
quite galls one as severely as watching someone whose work
*you've* done be promoted because they have a degree and you
don't. While in college don't dodge the "non-tech" electives, being
able to communicate _effectively_ to the "non-tech types" is key
and those studies do help.
Take said ticket and grab a job for a few years, paying close
attention to the how's and why's of business, then:
Chart your own course. You'll go far, methinks. Hell, mebbe
someday this old, broke-down coder will be petitioning
*you* for a job!
Along the way, yeah, ya might have to jockey a mop or two,
or flip a burger or three, or wait tables, or whatever, but it
provides the means ($$$) to the end (not $$$, personal
satisfaction). I didn't want to hear it (more than 25 years ago)
but.... patience really is a virtue. 'Twas a hard learned lesson
that one was.
Take care,
Dave Keever
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Implementation of crypt(3)
Date: Wed, 31 May 2000 15:39:34 GMT
David R Conorozzo <[EMAIL PROTECTED]> wrote:
> David R Conorozzo <[EMAIL PROTECTED]> wrote in message
> news:8h35pt$rh1$[EMAIL PROTECTED]...
>> I need to find a C implementation of the Unix/Linux crypt function that is
>> used to store passwords. Does anyone know where such an implementation
>> lies?
For Linux it's a bit more complicated than that, I'm afraid. Modern
Linux systems offer you a choice of either traditional crypt(3) or an
md5 based hashing scheme. While the symbols in the glibc libcrypt seem
to indicate md5 is present there, it's not documented. There _is_
source for the md5 scheme in the pam sources though. So, we have:
1. GNU libc contains a separate download which is basically UFC crypt(3).
2. libdes also contains crypt(3) and tends to heavily outperform the
UFC version, at least on Intel cpus.
3. John the Ripper (a password cracker) contains an x86 assembly
version which really screams. (Note, we're getting much harder to read
as time goes on ;)
4. The pam sources include the md5-based algorithm used on most recent
installs.
There are also a number of _other_ algorithms used in various flavors
of *nix, all of which are probably less common than either of the
above. And, not used on Linux systems.
--
Matt Gauthier <[EMAIL PROTECTED]>
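Added example (my own re-implementation for illustration, not the pam or glibc source Matt points at): the md5-based "$1$" scheme used in modern Linux shadow files, written against hashlib so a stored hash can be checked offline. It is a 1000-round MD5 construction, so it is fast for an attacker by today's standards; the expected string in the test is a widely published test vector for this scheme.

```python
import hashlib
import hmac

# The "$1$" Modular Crypt Format scheme (md5crypt, originally from FreeBSD's
# crypt(3)).  Output is b"$1$" + salt + b"$" + 22 characters.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"

def _to64(value, n):
    """md5crypt's own 6-bit encoding, least significant group first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def md5crypt(password: bytes, salt: bytes) -> bytes:
    salt = salt[:8]                                   # at most 8 salt characters are used
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # mix in the alternate digest, 16 bytes at a time, for len(password) bytes in total
    for pl in range(len(password), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    # historical quirk: for each bit of len(password) feed either a NUL or the first char
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of re-hashing in a fixed, deterministic pattern of inputs
    for r in range(1000):
        c = hashlib.md5()
        c.update(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    # the 16 digest bytes are emitted in md5crypt's shuffled order, 6 bits per character
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    enc += _to64(final[11], 2)
    return MAGIC + salt + b"$" + enc

def verify(password: bytes, stored: bytes) -> bool:
    """Check a candidate password against a stored b'$1$salt$hash' entry."""
    parts = stored.split(b"$")                       # b"", b"1", salt, hash
    if len(parts) != 4 or parts[1] != b"1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)

if __name__ == "__main__":
    print(md5crypt(b"rasmuslerdorf", b"rasmusle").decode())
```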
------------------------------
From: [EMAIL PROTECTED] (Richard Herring)
Subject: Re: PGP wipe how good is it versus hardware recovery of HD?
Date: 31 May 2000 15:33:57 GMT
Reply-To: [EMAIL PROTECTED]
In article <[EMAIL PROTECTED]>, tomstd
([EMAIL PROTECTED]) wrote:
> Er, all you need todo is overwrite a file once to completely
> kill the information.
> Despite what others think, once you overwrite the information on
> disk once or twice, it's completely gone. This is because the
> hard disks are so dense there is no room for 'extra' noise.
> The HD recovery attacks mainly would work on floppy disks since
> each drive is not aligned the same (got this info from a
> friend).
There you are. It's perfectly safe to wipe once, because Tom's
friend says so. If necessary you can stake your life on that fact.
--
Richard Herring | <[EMAIL PROTECTED]>
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: Wed, 31 May 2000 09:01:09 -0700
Guy Macon wrote:
> Casper H.S. Dik - Network Security Engineer wrote:
> >Except, of course, that it's not a copy protection mechanism at all,
> >despite what they say.
> >
> >You can do bit-by-bit copying of DVD disks and they'll play in
> >any player; no need to decrypt.
Yes, but it is a copy protection system in that it is used
to enforce copyrights. See below.
> >What the encryption does achieve is disallowing non-licensed players,
> >and that seems to be bordering on the illegal.
>
> I found it ...interesting... that the net effect was to allow
> Microsoft Windows to play DVDs but prevent Linux from playing DVDs.
That's the point -- the music industry believes that it has
the right, under copyright law, to license DVDs for MSWin
but not Linux. It has no interest in the Linux market because
Linux users have an attitude that software should be free.
Locking out the Linux market is a legal thing to do under
copyright law, contrary to the above. Because CSS helps lock
out Linux users, it is a copy protection mechanism, and
circumventing it is now illegal under the DMCA.
If you don't believe it, check the legal cases. The RIAA started
winning in court when the DMCA took effect on Jan. 1, 2000.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Crossposted-To: alt.privacy,alt.privacy.anon-server,alt.security.pgp
Subject: Re: Anti-Evidence Eliminator messages, have they reached a burn-out po
Date: 31 May 2000 16:14:19 GMT
Joe@Joe's.bar&grill.org <Joe@Joe's.bar&grill.org> wrote:
> On Sat, 27 May 2000 22:15:07 GMT, [EMAIL PROTECTED] (Steve) wrote:
> >Every EE thread I've seen for weeks now has been started by EE
> >spam.
>
> Get real! They reply to scurrilous attacks. Unless you wish to claim
> that they themselves are "planting" these attacks.
There were no attacks on EE in sci.crypt. This thread is only in
sci.crypt because EE support spammed us.
I've not used the software, I've no idea who's telling porkie pies, and
I quite honestly don't care. The EE people have not endeared themselves
to me, though, and I've no intention of ever rewarding them for spamming
Usenet groups and trying to sell proprietary software.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: HTML encryption
Date: 31 May 2000 16:18:08 GMT
Niklas Frykholm <[EMAIL PROTECTED]> wrote:
> The best you can hope to achieve is obscurity. This will probably
> stop some people, but noone who is serious about stealing your
> source.
Can you explain to me how this will help? Why can't I just copy[1] the
`obscured' text? Why won't that work just as well?
[1] I object to the word `steal' here.
-- [mdw]
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?/Station-Station
Reply-To: [EMAIL PROTECTED]
Date: Wed, 31 May 2000 16:09:29 GMT
Guy Macon <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
:>Bryan Olson <[EMAIL PROTECTED]> wrote:
:>: The method presented by ciphermax is flawed, but a one-time
:>: random key does offer provable authentication, and no other
:>: technique does.
:>The "proof" also depends on an unprovable assumption - the existence of an
:>unguessable random stream.
: If you are trotting out the old "there is no randomness" saw, the
: no hidden variables theory of quantum mechanics says that you are
: wrong. [...]
I regard whether randomness exists as essentially a philosophical
question - I doubt I'll ever know, one way or the other. Any law of
physics that employs the notion of randomness should probably
remain agnostic about the question of whether the randomness is the
product of an underlying determinism.
With regards to the "no hidden variables theory of quantum mechanics" I
don't believe such a theorem exists. What I *do* think exists is a
disproof of a particular type of local hidden-variable theory (often
discussed in the context of the EPR experiments). This is a very far
cry from a proof that randomness exists in nature.
AFAIUI - there are versions of QM with no reliance on randomness. I
believe the MW interpretation does not necessarily employ randomness at
all. Where conventional CI logic dictates some random event occurs, in the
MWI, all possible outcomes of the event occur - and the question about
"which universe actually happens?" is a totally meaningless one.
: If you are trotting out the old "quantum mechanics may be
: wrong" argument, then you are merely restating the general principle
: that *EVERY* "proof" depends on an unprovable assumption - true
: but boring.
Many such assumptions are widely accepted. Assert 1+1=2, and there will
be few naysayers.
The assumption in question here (the existence of random streams) is
one that might well be wrong - indeed we may not ever know if it is
right or wrong.
IMO, it should be conservatively assumed to be wrong, until some
demonstration that it's correct is provided - since security-related
systems are built which depend on it. This is a bit different to being a
widely accepted axiom, IMO. I don't accept it.
: If you are falling back to the "randomness exists but
: you can't prove a perfect way to turn it into random bits" idea, I
: can, by using the principle of XOR removing any bias that is not
: shared by all input sources, make the probability so small that
: the Brownian motion and proton decay scenarios I described are
: relative certainties compared to the chance of the stream being
: guessable.
To start with, I am not "falling back". My position remains the same.
In practice, I doubt you can do what you are claiming here. If you claim
that you can produce a stream of randomness with .9999...999999 bits of
entropy per bit, I expect I can hypothesise the existence of a powerful
adversary, capable of manipulating the streams you're XORing together,
interfering with the components in your equipment - and so forth - in such
a way to invalidate your claim.
Considerations relating to generating randomness for cryptographic
purposes should include the possibility that your enemy is listening -
and possibly interfering. With this possibility, you can no longer be so
certain of the randomness of your streams.
The probability of this sort of thing happening is very hard to estimate.
It depends on the power of your (unknown) adversary.
:>These sorts of concern always make me uneasy about the use of the term
:>"provable" in relation to secrecy, or authentication.
:>
:>It seems to me that "provable" security is almost a sort of academically-
:>respectable snake-oil marketing technique :-|
: Only if the claimant tries to jump from provable secrecy, provable
: authentication, etc. to provable *security*. [...]
Hmm. I regard "secrecy" and "authentication" to be real-world ideas, just
as much as "security".
[snip]
:>The word "proof" seems designed to produce a feeling of security and
:>invulnerability which is - in fact - a mistaken idea, since the "proof"
:>often does not prove inviolability at all (rather it is based on reducing
:>the probability of a break to some known small level)
: ..which is about as small as the possibility that I can read your
: mind because my neurons just happen to be firing in the same
: pattern as yours...
Perhaps. It depends on what security level is chosen by the participants.
High security usually has some sort of price on it - in terms of signature
length or whatever.
:> - and is based on unproven premises in the first place.
: Is not.
I refer to the supposition of the existence of a random stream, shared
between two distant parties and no others. I regard this as an unproven
premise. I don't believe there's any evidence that such circumstances
can ever be realised in practice.
:>Authentication and security are real-world concepts, which are
:>fundamentally not amenable to notions of mathematical proof.
:>
:>I wish some less potentially misleading term could be employed.
: Now who's talking about being misleading? You go on and on about
: "proof" and suddenly at the end switch to "mathematical proof"
: ( a much harder thing to achieve! ) and say that isn't misleading?
Perhaps. If the sort of "proof" under discussion were the sort that
convicts criminals in courts, then I would not object at all. It is the
association with the idea of /mathematical/ proof that raises my hackles -
and these security proofs certainly appear to be mathematical in nature.
Yes, there /are/ mathematical proofs of security - but they all appear
to be based on never-never-land assumptions that aren't known to hold in
the real world. As soon as you try to apply them to do anything in
connection with communication, the absoluteness of the proof of
secrecy, security, or whatever crumbles.
: You say that the average person should be concerned about the
: (very real) difference between a probability of zero and a
: probability of one in two to the many tens of thousands power
: and say that isn't misleading?
The average person isn't concerned with what cryptographers mean when they
talk about "provable" security. They'll no doubt continue to make their
decisions by a product's reputation, and by what it says on the box.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ I'm pink :. I'm spam
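Added illustration (my own code, not part of either poster's text) of the XOR argument above: the piling-up rule behind "XOR removes any bias not shared by all inputs", checked against a simulation over constructed biased bit streams, followed by Tyler's counter-case, where one input is chosen by a party who can observe the others, so the independence the rule relies on is gone and the bias reduction with it. Biases, stream lengths and seeds are constructed values.

```python
import random

def xor_bias(biases):
    """Bias of the XOR of independent bits, where bias e means P(bit = 1) = 1/2 + e.
    Piling-up lemma: e_out = 2^(n-1) * product(e_i).  A single unbiased input (e_i = 0)
    drives the result to 0, which is the 'XOR removes bias' argument."""
    out = 2 ** (len(biases) - 1)
    for e in biases:
        out *= e
    return out

def measured_bias(bits):
    return sum(bits) / len(bits) - 0.5

def biased_stream(bias, n, rng):
    # constructed source: each bit is 1 with probability 1/2 + bias, independently
    return [1 if rng.random() < 0.5 + bias else 0 for _ in range(n)]

def xor_streams(streams):
    return [sum(col) & 1 for col in zip(*streams)]

def honest_case(n=200_000, seed=1):
    """Three independent sources with biases 0.3, 0.2, 0.1: predicted vs. measured bias."""
    rng = random.Random(seed)
    biases = [0.3, 0.2, 0.1]
    streams = [biased_stream(e, n, rng) for e in biases]
    return xor_bias(biases), measured_bias(xor_streams(streams))

def manipulated_case(n=200_000, seed=1):
    """Tyler's caveat: if one of the XORed streams is set by a party who sees the
    others, the inputs are no longer independent and the lemma does not apply.
    Here the controlled stream is chosen to cancel the honest ones, so every
    output bit is 0 (bias -0.5) despite two 'random' inputs."""
    rng = random.Random(seed)
    honest = [biased_stream(e, n, rng) for e in (0.3, 0.2)]
    controlled = xor_streams(honest)           # a function of the observed streams
    return measured_bias(xor_streams(honest + [controlled]))

if __name__ == "__main__":
    predicted, measured = honest_case()
    print(f"independent sources: predicted bias {predicted:.4f}, measured {measured:.4f}")
    print(f"one controlled source: measured bias {manipulated_case():.4f}")
```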
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?/Station-Station
Reply-To: [EMAIL PROTECTED]
Date: Wed, 31 May 2000 16:17:19 GMT
Joaquim Southby <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]> Tim Tyler, [EMAIL PROTECTED] writes:
:>There's nothing terribly unusual about chosen plaintext attacks - or
:>man-in-the-middle attacks.
:
: The unusual part is that he proposed obtaining plaintext and then somehow
: intercepting the corresponding enciphered text. Oh, and let's not forget
: the caveat that the interception must be performed so that the message
: doesn't reach the receiver and that neither the sender nor the receiver
: are aware of the act. Would this work if the sender secures his
: plaintexts? No. Would this work if the enciphered message was
: broadcast? No. Would it work more than once? No (unless you have some
: very obtuse targets).
I don't agree with the spirit of any of this. For example are you
considering that you can jam a receiver, to prevent the original message
being received? The scenario does not depend on transmission down cables.
I feel you're in danger of under-estimating your potential adversaries.
If you're working in security and are actually trying to protect
something of value, I believe it can sometimes help to try to
*over*-estimate the abilities of your adversaries, to give your systems
some safety margin, in case your estimate of their resources was in error.
After all, there are probably some pretty damn powerful adversaries out
there - though /hopefully/ they won't be interested in your traffic ;-)
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Is OTP unbreakable?/Station-Station
Date: 31 May 2000 16:52:46 GMT
Tim Tyler <[EMAIL PROTECTED]> wrote:
> Many such assumptions are widely accepted. Assert 1+1=2, and there
> will be few naysayers.
Irrelevant pedantry: that's not an unproven assertion; it's a
definition.
-- [mdw]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************