Cryptography-Digest Digest #932, Volume #11 Sat, 3 Jun 00 17:13:01 EDT
Contents:
Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Jim)
Re: Need "attack time" measurements on a toy cipher... (long) ("TheGPFguy")
Re: Concerning UK publishes "impossible" decryption law (John G. Otto)
Re: Free Software ("TheGPFguy")
Re: TC3 Update (David A. Wagner)
Re: No-Key Encryption (John Savard)
Re: Weak Keys in TC3 (David A. Wagner)
Re: Need "attack time" measurements on a toy cipher... (long) ("Paul Pires")
Re: Need "attack time" measurements on a toy cipher... (long) (tomstd)
Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Your Name)
Re: Need "attack time" measurements on a toy cipher... (long) ("Joeseph Smith")
Re: http://www.infraworks.com product ("Trevor L. Jackson, III")
Re: http://www.infraworks.com product ("Paul Pires")
Re: No-Key Encryption (Greg)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Jim)
Crossposted-To:
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Sat, 03 Jun 2000 17:35:06 GMT
Reply-To: Jim
On Fri, 02 Jun 2000 23:58:43 GMT, [EMAIL PROTECTED] (Your Name) wrote:
>On Fri, 02 Jun 2000 17:48:03 GMT, [EMAIL PROTECTED]
>(Jim) wrote:
>
>>On Thu, 1 Jun 2000 19:52:30 +0100, "Scotty" <[EMAIL PROTECTED]> wrote:
>>
>>>Think about it, unknown to you, a friend whom you communicate with
>>>regularly, is arrested in a drugs bust. The police turn up and want your
>>>keys to decrypt all your communications. How will that look to a jury if you
>>>forget your keys? The police can say you have been in regular communication
>>>with a known drug dealer and they suspect your trips abroad have been used
>>>to import drugs etc. On the 'balance of probability' it looks already as if
>>>you're guilty of refusing a reasonable request to hand over your keys.
>>
>>And if you've been into drug-dealing in a big way, the two years
>>in jail is cheap at the price...
>
>My fascist-communist-totalitarian government (U.S.)
Isn't that a contradiction in terms?
--
amadeus at netcomuk.co.uk
nordland at lineone.net
g4rga at thersgb.net
------------------------------
From: "TheGPFguy" <[EMAIL PROTECTED]>
Subject: Re: Need "attack time" measurements on a toy cipher... (long)
Date: Sat, 03 Jun 2000 18:40:59 GMT
Scott Fluhrer <[EMAIL PROTECTED]> wrote in article =
<8hbhjh$3p$[EMAIL PROTECTED]>...
> Stupid question: why don't you go on the Web, and get a pre-written =
version
> of DES or TwoFish or some other well known generally accepted cipher. =
It
> should take *less* time to use that than to write up and test your =
home-brew
> cipher, and will almost certainly be more secure.
> BTW: I'd spend the time you saved fixing up the key generator. Weak =
key
> generation is a much greater weakness than a vaguely bad block cipher, =
and
> unless you fix up both weaknesses, the entire system is pretty much
> worthless.
Yes, I can easily download code for Twofish and Yarrow and be done with =
it.
I will probably end up doing just that, after all is said and done.
Sigh.
My purpose is not really to produce a secure encryption of these =
parameters, it would be like putting a $1000 hardened lock on your =
bathroom door. One good shove putting my back into it, and I can walk =
right in without even attacking the lock. I don't want them making =
(dumb) "strongest link" assumptions.
My purposes in posting my question are:
1. Be able to simply and categorically state the attack time for =
Vigenere-type ciphers.
2. Begin learning a little about cryptanalysis by seeing how this toy =
cipher is attacked.
------------------------------
From: [EMAIL PROTECTED] (John G. Otto)
Crossposted-To:
alt.security.pgp,comp.security.pgp.discuss,alt.security.scramdisk,alt.privacy
Subject: Re: Concerning UK publishes "impossible" decryption law
Date: Sat, 03 Jun 2000 12:01:28 -0700
> richard.herring wrote:
>> (dredd) wrote:
>> and I have heard that 56 k has been decoded by authorities.
> 56-*bit*? PGP may be crackable with available computer power, but
> triple-DES is probably still way beyond that kind of attack.
DES, single, double or triple was designed to allow governments
to crack it.
128 bit PGP has been cracked according to announcements
posted here some time ago. 1024 carefully generated
bits would seem the way to go... for now.
--
John G. Otto Nisus Software, Engineering
http://www.nisus.com
NisusWriter -- powerful word processor for the Macintosh
QUED/M -- Quality software source editor with macros
Nisus E-Mail -- easy and powerful
Opinions expressed are not those of Nisus Software.
------------------------------
From: "TheGPFguy" <[EMAIL PROTECTED]>
Subject: Re: Free Software
Date: Sat, 03 Jun 2000 19:01:29 GMT
George Peters <[EMAIL PROTECTED]> wrote in article =
<[EMAIL PROTECTED]>...
> There is a suite of encryption products you should explore.
[...]
> It's a self extracting exe and you simply
> run setup.exe after extracting.
[...]
> Would enjoy your comments about the software...My computer gurus think
> it's pretty good stuff!
Anyone else find it suspicious that this "pretty good stuff" is in a =
"self extracting" exe.
I bet! Does it run on just any old processor and OS, or just on a =
particular pairing that's in widespread use and is particularly =
susceptible to various strains of digital virii?
:-)
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: TC3 Update
Date: 3 Jun 2000 12:23:44 -0700
In article <[EMAIL PROTECTED]>,
Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> Umm, I might be mistaken, but *not* all nonzero elements have
> multiplicative inverses... If an element has a common factor with q
> that is greater than 1, then there is no multiplicative inverse, I
> think. Consider GF(8), and the number 4.
No. To clear this up: GF(8) is not the same as the integers modulo 8.
GF(p^n) is a field, and thus all non-zero elements do have multiplicative
inverses. The integers modulo 8 are not a field.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: No-Key Encryption
Date: Sat, 03 Jun 2000 19:28:51 GMT
On Sat, 03 Jun 2000 19:19:14 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:
>Hence the type of operands on both sides of the operator '*' are
>the same.
Their type, but not necessarily their function. You can't just assume
things.
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Weak Keys in TC3
Date: 3 Jun 2000 12:28:23 -0700
In article <[EMAIL PROTECTED]>,
David Hopwood <[EMAIL PROTECTED]> wrote:
> ... which is arguably more a weakness of Davies-Meyer than of the block
> cipher. Correct me if I'm wrong, but Davies-Meyer is a construction for
> which it's difficult to prove anything concrete relating the security
> of the resulting hash function to the security of the block cipher.
> Personally, I don't like it at all; it assumes too much about the
> cipher's key schedule (which is demonstrated by quite a few known attacks
> against Davies-Meyer with particular ciphers, that do not significantly
> affect the security of those ciphers for encryption).
Yes, that's a good point.
But, sadly, I don't know of any alternative that fixes these problems.
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Need "attack time" measurements on a toy cipher... (long)
Date: Sat, 3 Jun 2000 12:35:31 -0700
I know you set up a pretty good work plan for the folks in here to follow
but you have to understand that no one here is very good at coloring inside
the lines.
Your basic statement is self contradictory. You state that there is a short
secrecy horizon, that the same key is always used and yet you claim the
plaintext is unknown. All plaintext or just the stuff inside your security
horizon ?
If any attribute of any past plaintext becomes known, your current security
starts to fall to "defeat in detail" take for example the length of any one
plaintext.
<snip>
5. Iterate across this padded plaintext "P". The ciphertext is "C" and
the key is "K".
a. TempChar = (P[i] + C[i-1]) mod 256
b. C[i] = (TempChar + K[i]) mod 256
At the beginning of the loop, set TempChar = P[0].
<endsnip>
Unless I missed something,
I know a P[6] (the value of the length), I know C[5] and C[6], I can
solve for TempChar. I now know one of your key values K[6]. I now know the
length of EVERY message you encrypt. If you put in the post pad to address a
weakness, the adversary will thank you for the tip, ignore the content of
the pad and look for clues in how and why you stuck it on. You are not
making it more secure you are drawing a bullseye to the weakness.
Don't even worry about an algorithm until you have an assessment of the real
situation and the key management worked out.
Not much reason to take it past here. This was five minutes work by the
slowest guy in the room. Don't beat your head on a wall. Every process has a
sequence. An excerpt from the Vikings handbook, "Remember Gunther, It's
rape, then pillage, then burn".
You can keep patching it and reposting, or you can learn more or you can
walk off in frustration. The result of the first two are the same. Four
years from now you will be posting responses and wondering how heck you got
here.
Paul
By the way, when you see the term "Stupid" associated with something you
post, that's sci.crypt for "I'm not housebroken". If your bosses need
security and are unwilling to invest in it, don't be a weenie, tell them
they are Stupid. "Weenie" is sci.crypt for employed.
TheGPFguy <[EMAIL PROTECTED]> wrote in message
news:01bfcd82$7497a100$[EMAIL PROTECTED]...
Hi, folks.
I'm a software developer working for a fairly large client. They want to
store some parameters of low-to-medium sensitivity on a network drive in
enciphered form. My direct management doesn't want to spend any time
implementing a real cipher, so I built a toy one. Please, let's not spawn a
thread about why they should use a real cipher, I already know the reasons.
I'm moderately versed in implementing cryptography, but not at ALL versed in
cryptanalysis.
What I'd like to know is how long it *actually* takes to crack the simple
cipher shown below.
Any takers?
Here are the details:
1. This is a known ciphertext, unknown plaintext attack.
2. All of the data were enciphered with the SAME KEY.
3. The key length is longer than any of the enciphered data.
4. The key was generated with an INSECURE random number generator.
(It's probably a linear congruential generator.)
5. Attack by any method you choose. Show the plaintext of each parameter
you successfully retrieve. All parameter's plaintext are printable ASCII.
If you can also retrieve the key, show it as well (as a set of hex pairs,
i.e. A5 FF 02 7B...).
6. Clearly describe the attack you used.
7. IMPORTANT: Time Yourself. Include any time you spend in writing code.
I'm trying to find out how fast the initial attack is, not repeated attacks
once compromised.
8. Please post the results in this newsgroup.
[The background reasons for all this are: (a) I know how long a
knowledgeable programmer will take to find the secured copy of the
application; (b) I know how long it will take him/her to retrieve the
parameters by running the app in a debugger; (c) I know how long it will
take to then misuse those parameters. This toy encipherment only has to
delay a cryptanalyst the same amount of time as a+b+c.]
THE ALGORITHM (a toy cipher -- given in encipher order, reverse to
decipher)
1. Compute the length of the ASCII plaintext. Encode this length as a
single ASCII character. (The length therefore is limited to 255 or less.)
2. Prefix the plaintext with this ASCII character.
3. Prefix the result with an additional 6 chars of random garbage data.
(Remember, I'm using an insecure PRNG.)
4. Append to the result, 4 - 40 chars of random garbage data, to obscure
the plaintext length.
(When deciphering, the receiver will use the length character (from
steps 1-2) to know where the real data stops and this garbage data starts.)
5. Iterate across this padded plaintext "P". The ciphertext is "C" and
the key is "K".
a. TempChar = (P[i] + C[i-1]) mod 256
b. C[i] = (TempChar + K[i]) mod 256
At the beginning of the loop, set TempChar = P[0].
* * *
SAMPLE DATA
This is binary octet data shown as ASCII hex pairs. The hex pairs are
(obviously) all run together. The bracketed headings are just random ID's
to separate each pair of parameters. This format is readable by a variety
of parsers including the INI functions in the Micro[cough!] Win32 API.
[MBAZ]
PARM1=21E9C63A63159BF28A3B17D71291105E7988824A39FF504DA27EC10798A7FA325ACB97
94A838D8A30A67E855
PARM2=33582DFADF72006C11D0AAB485F5FB76C497EA182A250C38593E301EB6F93E07A8002D
BDC48A84247BEB32EE13
[MBAB]
PARM1=BE27EF66A8941A7109BA7E45B8557C3952F9414BE87D009C9F3AD5F141290046464697
E4D1A9CCEE3E6F5C3905122D3C62DF89
PARM2=AD792A2E50A12F852ADCB7CFA010168EDCAF02F964E3A229
[MBAE]
PARM1=E5A9547CA376FC53EB9C634C8678D06C43FCDDBCBF5E15625229F8AADD6A19A0612EFA
EF5781A0A8F7EA7DB31A8E6D3D29
PARM2=5FDE9FB05025B316B67309E2B3212AAF07DA5A53C2265776EA9949F5651BAE5EF32459
CC8D6F6E612BC2A7082D
[MCAB]
PARM1=E92EE360C2A52C831BCC90A6204D114E5EF97AB2339604CE7E82D66E6994CDFC7526F0
DF663B
PARM2=D1A5D2B641F987E8974A0D25F6666CE4320556709B470FEA83F73C043D52D10D594673
F0C154C6FBFC
[MCAZ]
PARM1=5EBE7B38AB51D82FC778546A73FA7784FC1AEB2D
PARM2=38C37A0C61800E680DC097A374E4EA65B386D7DC6673F17ED5535624
[MLAB]
PARM1=9172928B1BFE84DB7324E8DE6E19E5030AF95F07EDF2
PARM2=1A2775893CD462C37225E800D14147BF0DE031AA477B36F93531FF9ED3A545D3D5F9C9
76307E106B273E1BAFCCE06A44
[MXAZ]
PARM1=DE451D9C2BF077CE6617F309E89563511A0B8D06EC578687A0AAE5BFE3662BE843E097
B0D41787FEFF
PARM2=7B608583B0D05EB84F17DCFECF3F45C00EE12F6378DE261257335EA56295E54F21C797
D568
[MUAZ]
PARM1=755BEE1023E66DC45C0DE9FFB4427A34AF6E5B0C31
PARM2=2FA3003E83FF86DD75260218A130E1A3C907E768C8B201F425D3E652A76B554F2534FF
3401D6
[MOAB]
PARM1=F4C2AABCF0DD63BA5203C7812B30347F8B4360
PARM2=9FDF820CFDF583E38E4A0D25F6666CE43205542F1A8757BBA38434C7965CC346705684
2961720C51CA834078C6208C8E48CD5AB8EB45D6ABC574F1
[MOAZ]
PARM1=AB11098B9856DD34CC7D596F084DE09E87A28D5F7B2E8F16
PARM2=292C4224319927953AF9BEE0B12127A2F0C312B4750E2CDF11
[MXAB]
PARM1=61834B7BD3C54BA23AEBAF2940B5E66C63556D9627959C18BB11D761864FF358F6E57D
2F972EDF4AD6B6FCE8E891542E
PARM2=D78616F2F1D361C26D1FF810E15157CF1DF03E314B9185CAF7B98CE6FF95DC0CAAF5D3
D526EA78738EECC3DAFF
* * *
Thanks a bunch in advance!
Have fun cracking!!
------------------------------
Subject: Re: Need "attack time" measurements on a toy cipher... (long)
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 03 Jun 2000 12:50:23 -0700
In article <01bfcd86$af466080
$[EMAIL PROTECTED]>, "TheGPFguy" <[EMAIL PROTECTED]>
wrote:
>
>
>tomstd <[EMAIL PROTECTED]> wrote in article =
><[EMAIL PROTECTED]>...
>> It looks awefully like a Vinegere cipher.
>
>Yup.
>
>>=20
>> If you know the reasons for using better cipher and choose not
>> to you are being stupid, and so is your boss.
>
>"No" and "Yes" respectively. =20
>
>I'm going to tuck away this example in my briefcase and pull it
out =
>every time someone says "oh, we don't need anything really
secure." My =
>standard statement is "this won't keep a knowledgable
cryptanalyst out =
>of your data for any length of time whatsoever." The standard
response =
>query seems to be "well, how long is THAT?" Right now I don't
really =
>know if it's 5 minutes or 20.
>
>Also, they don't have any good solution to the key management
problem, =
>so it really doesn't need to be any stronger than a couple
hour's =
>wall-time delay.
>>=20
>> Heck even XTEA is better then nothing and takes 3 seconds to
>> implement.
>>=20
>
>Okay... I hereby downgrade my statement in my first message
to "...I'm =
>*mildly* versed in implementing crypto."
>:-)
>What's XTEA?
Goto http://tomstdenis.com/crypto/ and look it up :)
It's a fairly simple cipher, appears secure. If you need better
grounds of security try one of the AES candiadates.
It's ok not to be the best in the world, as long as you try, and
are open to suggestions. Heck I am just barely versed in
cryptanalysis yet I try my hand at it...
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: [EMAIL PROTECTED] (Your Name)
Crossposted-To:
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Sat, 03 Jun 2000 19:54:16 GMT
=====BEGIN PGP SIGNED MESSAGE=====
On Sat, 03 Jun 2000 17:35:06 GMT, [EMAIL PROTECTED]
(Jim) wrote:
>On Fri, 02 Jun 2000 23:58:43 GMT, [EMAIL PROTECTED] (Your
>Name) wrote:
>
>>On Fri, 02 Jun 2000 17:48:03 GMT,
>>[EMAIL PROTECTED] (Jim) wrote:
>>
>>>On Thu, 1 Jun 2000 19:52:30 +0100, "Scotty"
>>><[EMAIL PROTECTED]> wrote:
>>>
>>>>Think about it, unknown to you, a friend whom you communicate
>>>>with regularly, is arrested in a drugs bust. The police turn up
>>>>and want your keys to decrypt all your communications. How will
>>>>that look to a jury if you forget your keys? The police can say
>>>>you have been in regular communication with a known drug dealer
>>>>and they suspect your trips abroad have been used to import drugs
>>>>etc. On the 'balance of probability' it looks already as if
>>>>you're guilty of refusing a reasonable request to hand over your
>>>>keys.
>>>
>>>And if you've been into drug-dealing in a big way, the two years
>>>in jail is cheap at the price...
>>
>>My fascist-communist-totalitarian government (U.S.)
>
>Isn't that a contradiction in terms?
Nope. Collectivists do not care very much for individual rights.
They stomp on individuals and their freedoms in the name of
the "greater good", "society", "humanity", "the children", "nation",
"fatherland", etc.
Rich Eramian aka freeman at shore dot net
PS. I love my PGP 653
=====BEGIN PGP SIGNATURE=====
Version: N/A
iQCVAwUBOTliPyioDGsIW4XRAQFuhgP8D5Rx7tioL1OugE4n2CxTy3pbcC/6gO/b
mlzLDAu0stu6w29C1s3llpiP+6dB6zWa/QX0EfWfo9Vl+SFXhjfRFRt4nOTEN+/u
mV9XmeHmPWqPYGScxKWeSSFhwwSzY1oQifO6ObfU0IWFmQmTWMPFZNubc/7LF68r
lqQaHRWFAqc=
=XY/P
=====END PGP SIGNATURE=====
------------------------------
From: "Joeseph Smith" <[EMAIL PROTECTED]>
Subject: Re: Need "attack time" measurements on a toy cipher... (long)
Date: Sat, 03 Jun 2000 20:16:51 GMT
This is a Vigenere cipher of the which includes "auto-key"
(adding C[i-1] to P[i]), which is actually what Vigenere
originally included in his cipher, though it was dropped
from the cipher that now has his name
(C[i] = P[i] + k[i mod keylen]).
This cipher will take one to two hours to break depending
on how long the key is, or if the key length is as long as the
message length, then how many messages are encrypted with
the same key. Lets assume you have two or more messages
encrypted with the same key, the steps are:
1. Remove the effect of auto-key, by subtracting the C[i-1]
term from all the characters in C[] to make D[]
2. For each character of the key (one at a time) try all 256
possible values and decrypt the matching D[i] position to
see if you get reasonable looking plaintext in that position
of all messages. For example, if the plaintext is ASCII, then
a lowercase letter is a good sign.
3. Repeat step 2 for successive bytes of the key and look
for reasonable letter pairs and trigrams in the plaintext of
each message.
For a good starting place on the cryptanalysis of simple
ciphers try the website for the American Cryptogram
Association:
http://www.und.nodak.edu/org/crypto/crypto/acahtml.html
Joe
TheGPFguy wrote in message <01bfcd8b$3e958dc0$[EMAIL PROTECTED]>...
My purposes in posting my question are:
1. Be able to simply and categorically state the attack time for
Vigenere-type ciphers.
2. Begin learning a little about cryptanalysis by seeing how this toy
cipher is attacked.
------------------------------
Date: Sat, 03 Jun 2000 16:44:26 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: http://www.infraworks.com product
Mark Wooding wrote:
> Thomas Kellar <[EMAIL PROTECTED]> wrote:
>
> > I have been receiving advertisements from a company called the
> > Infraworks Corporation. They apparently have made a new product they
> > cann InTether that they claim can control access to files of any sort.
>
> It's codswallop[1]. Utter codswallop.
>
> If they try to sell this in the UK, they will be liable in law for
> misrepresentation of goods.
>
> [1] Lovely word. Don't get much of an opportunity to use it.
Doesn't it usually have a prefix of "a load of" or "a load of old"?
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: http://www.infraworks.com product
Date: Sat, 3 Jun 2000 13:55:41 -0700
"unique enabling technologies (Viagra?) and multiple layers of protection
(Depends?) provide impenetrable protection (Trojan?) "
Is all marketing babble just the snipping and re-arranging of sound bites?
They should forget the data product (if in fact there is one) and mass
produce a linguistic LEGO kit for emerging (hatching?) marketeers.
Paul
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption
Date: Sat, 03 Jun 2000 20:51:12 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Greg wrote:
>
> > Well, first they are keys because they unlock the secret. Second,
> > it is not a keyless cryptosystem but a keyless mistake. There is
> > no way that one can determine who is reading the message unless
> > a receiver's public key or a common secret key is known to the
sender.
>
> I suppose there can be situations, though, where authentication is not
> an issue and there is no active opponent, i.e. no manipulations.
Perhaps I am wrong, but it would seem that if encryption was
necessary then it is because an enemy could step in and do something
and that warrants authentication of the recepient.
--
There is only one gun law on the books- the second amendment.
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
