Cryptography-Digest Digest #74, Volume #12 Tue, 20 Jun 00 20:13:01 EDT
Contents:
Re: Generating Keys for 3DES ("Joseph Ashwood")
Re: Is Gretchen down? ("Joseph Ashwood")
Re: Linear Feedback Shift Register *with* lock-up? ("Trevor L. Jackson, III")
Re: oneway encryption for password ("Joseph Ashwood")
Re: Is this a HOAX or RSA is REALLY broken?!? (Eric Smith)
Re: mother PRNG - input requested (Eric Smith)
Re: Extended Euclidean Algorithm ([EMAIL PROTECTED])
Re: Observer 4/6/2000: "Your privacy ends here" ("Tim Cocks")
Re: Weight of Digital Signatures ("Lyalc")
Re: Sapphire II Stream Cipher (Rex Stewart)
Re: Flattening of frequency distributions ("Joseph Ashwood")
Re: Is this a HOAX or RSA is REALLY broken?!? (Roger Schlafly)
Re: Online Text Encryption ("Joseph Ashwood")
Re: Is this a HOAX or RSA is REALLY broken?!? (James Pate Williams, Jr.)
Re: S/MIME + Netscape v47 serious problem in symmetric encryption ... (jungle)
How encryption works (infamis at programmer.net)
Re: DVD encryption secure? -- any FAQ on it (Wim Lewis)
----------------------------------------------------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Generating Keys for 3DES
Date: Tue, 20 Jun 2000 13:59:26 -0700
The strength will be reduced to whatever the strength of the password is,
however using SHA-1 is worthwhile, for several reasons:
1) If the attacker wants to attack the password there's an extra layer for
them to go through, but still no more real entropy than in the password
2) If the attacker attacks the cipher you have 160-bits of apparent entropy
(different from real entropy)
and others, but these are the most important
It just makes life more difficult for the attacker, which is exactly what is
desirable.
Joe
> In a slightly related question, what if you want to do 3DES from
> a password that happens to be less than 160 bits? Say the users
> are too lazy to enter long passwords; could you still use SHA1 to
> create a useful 160 bits from a 56 bit password?
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Is Gretchen down?
Date: Tue, 20 Jun 2000 14:06:54 -0700
Crossposted-To:
alt.security.pgp,comp.security.firewalls,alt.privacy.anon-server,alt.privacy
Only if the monitor equipment used a complete TCP/IP stack. If the stack was
incomplete to the point where it was incapable of sending (which would be
desirable), and looked like a simple passthrough to both ends, there is no
reason that it would show up on traceroutes, except possibly as a fraction
of a millisecond delay (remember it doesn't have to do any routing, just
forwarding). It would be very possible to perform, even just a small
amplifier and a strip of wire would expose the information on radio waves,
which could then be monitored remotely, and all you'd see would be leakage
unless you looked at the source. And as I pointed out before, why tap the
wires in the bottom of the briny blue, it's just as easy to tap the few
hundred feet before it goes under.
Joe
"Patrick Farrell" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> It would in theory show up in the trace routes if you did that however.
>
> Patrick
------------------------------
Date: Tue, 20 Jun 2000 17:34:31 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: comp.theory,sci.math
Subject: Re: Linear Feedback Shift Register *with* lock-up?
Ponder wrote:
> I'm looking to use a Linear Feedback Shift Register to implement
> a counter with minimal resources (i.e. fewer gates and wires than
> an additive incrementor). I've seen quite a bit of cryptographic
> literature on how to use an N-bit LFSR to count through (2^N)-1
> values before repeating. There is one value (usually all 0's or
> all 1's) where the LFSR would be "stuck" at the same value as
> it counts.
>
> What I'm really looking for, though, is an LFSR that counts
> through 2^N values and then *does* get stuck in the last state.
> This way when I find it stuck, I would know that it counted through
> all the values since its initial state. There would be one
> "minimal" value for the initial state, that would cause it to
> count through all 2^N values before sticking; if I want to count
> fewer steps I would pick an initial value further along the
> sequence.
>
> Does anyone out there know how to do this? I've looked at some
> of the polynomial theory on LFSR's, but guess that it only
> applies to counters that actually loop through a sequence rather
> than iterating through a sequence and looping on a final value.
Assume you have a two-cycle LFSR with periods 1 and 2^N-1, and that the
singular cycle has the value zero (the classic situation for a maximal-period
LFSR). One way to do state locking with minimal hardware is to use two gates
to detect a special pattern and then use a gate to lock the register. The
detector can be a two-input nand fed by bit N-1 and a wired-nor of all the
other bits. This will detect a single pattern from all other patterns. When
the register has bit N-1 set and all other bits reset the detector will
produce a low. With any other value the detector will produce a high.
The state lock is simply a two-input and feeding the input bit of the
register. The and gate is driven by a control line and the output of the
feedback combiner (which usually drives the register input bit directly).
With the control line high the and gate is transparent and the register
operates normally. With the control line low the and gate feeds zeros into
the register.
By attaching the detector output to the state lock input (control line),
you'll have a latching register. Fed any non-zero value it will cycle until
it reaches the value with one in bit N-1 and zero in all other bits. A normal
LFSR in this condition would recycle the single bit back to the input bit.
But the detector changes state and the state lock eats the last remaining
bit. With the register filled with all zeros the detector changes state
again, and the register cycles normally, but it cycles in the degenerate
singular state, and is thus locked.
> Also, is there a good algorithm for converting the elements of
> an LFSR sequence into the actual value of the count? (Or more
> precisely, for mesuring the number of iterations between two
> values). For small N you could just count through the sequence
> until you find a match, but I'm interested in N around 32 or 64
> so this would take too long.
Going from a count to the state is straight forward because you can perform
one iteration of a state change matrix for each bit and arrive at the desired
state in N such steps (each step is an O(N^3) though). Going from a state to
a count is harder. I know of no efficient mechanism for this calculation.
>From your original description you have no need of this transform. Is there
something else you can tell us about what you are trying to accomplish?
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: oneway encryption for password
Date: Tue, 20 Jun 2000 14:45:38 -0700
> what are salts?
In this case a salt is a long term readably stored random number. It is used
as such (in the course of a very rudimentary login):
1) user sends username
2) user sends password
3) Server looks up corresponding salt (stored in cleartext) and enciphered
password
4) Server creates K, where K = concatenation of salt and password
5) Server performs the SHA-1 hash of K
6) Server checks to see that K = enciphered password
7) User authenticated, let them in
The salt should be unique for each user, or as close to unique as viable
(username is a possible value).
Joe
------------------------------
From: Eric Smith <[EMAIL PROTECTED]>
Subject: Re: Is this a HOAX or RSA is REALLY broken?!?
Date: 20 Jun 2000 15:29:29 -0700
"Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
> However, no system with the general conceptual ability of a normal
> 10-year-old human has yet been demonstrated.
Heck, I'd be impressed if they reached the conceptual ability of a
2-year-old. I suspect that the gap from the current state to the
equivalent of a 2-year-old is *much* larger than the gap from the 2-year-old
to adult.
------------------------------
From: Eric Smith <[EMAIL PROTECTED]>
Subject: Re: mother PRNG - input requested
Date: 20 Jun 2000 15:32:41 -0700
"David S. Hansen" <[EMAIL PROTECTED]> writes:
> What are your thoughts on a PRNG with a 32-bit seed but a
> big-ass period, such as MOTHER - for the purposes of
> medium-security crypto apps?
If seed is only 32-bit and your messages aren't long, does having
a PRNG period longer than 2^32 really gain anything?
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Extended Euclidean Algorithm
Date: 20 Jun 2000 18:42:32 -0400
> Simon Johnson <[EMAIL PROTECTED]> wrote:
>> Also: i'm told it can solve the following problem:
>>
>> 6y + 7x + 14z mod n - where n is known........
I think you mean, solve (for x):
ax=k mod b
(a,b,k known). This only has a solution of k is divisible by the
GCD(a,b) (greatest common divisor of a and b, since if ax=k mod b and d
divides a and b, ax-k is divisible by d (since it is divisible by b, being
congruent to zero mod b) and since d divides ax-k and also a, it must divide
k).
For a,b relatively prime (GCD(a,b)=1), the extended Euclidean Algorithm gives
integers m,n with ma+nb=1 (in general ma+nb=GCD(a,b) is the output from the
Extended Euclidean Algorithm). The m value satisfies ma=1 mod b.
How to solve 3x=13? Multiply each side by 1/3 (the multiplicative inverse
of 3).
In the modular case,
ax=k mod b, do the same. Multiply each side by the multiplicative inverse of
a modulo b. What is that? It is the "m" that the Extended Euclidean Algorithm
gave you. So multiply each side by m to get x:
max=mk mod b
(ma)x mod b is just 1*x=x mod b so the solution is:
x=mk mod b.
------------------------------
From: "Tim Cocks" <[EMAIL PROTECTED]>
Crossposted-To:
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Tue, 20 Jun 2000 23:25:16 +0100
> > >> > I tried to access the Shayler web site listed below but could not.
> This
> > >was
> > >> > said to be due to an HTTP error 403 - Forbidden.
I don't pretend to be an amazing expert on webservers, but in my experience
this is generally down to the OS the webserver is running on. In my
experience, you could be either:
a) Trying to get a directory listing because there is no default document
(Common under NT)
b) Trying to get access to a file on the webserver that the user running the
server process does not have access to (Common under poorly setup Un*x
boxes)
c) Something completely different
It looks to me like it was /.ed and had to be pulled down somehow (or the
webserver program is doing this because too many people are accessing the
file and the OS won't let the program have any more handles - therefore the
server /assumes/ it can't get a handle coz it doesn't have access)
Tim Cocks
[EMAIL PROTECTED]
(C'mon. Spam me. There you go bots, there's my e-mail address. It even
works. Go on. I dare ya.)
------------------------------
From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Weight of Digital Signatures
Date: Wed, 21 Jun 2000 08:49:19 +1000
In this scenario, the technology of a PIn is coupled with the ATM
technology, which is coupled with DES encryption, DES key management, and
PIN issuing technologies, finally coupled to an ATM printed receipt as a
backup transaction record.
take the receipt to your bank, and ask them the verify the transaction
record is correct from start to finish (ie the processing from ATM to
account ).
lyal
Mok-Kong Shen wrote in message <[EMAIL PROTECTED]>...
>
>
>"Douglas A. Gwyn" wrote:
>
>> Greg wrote:
>> > ... Kudos to all who have had any
>> > hand in helping the government see the light (finally)...
>>
>> Unfortunately, that probably means that even when an insecure
>> digital signature scheme is used, you cannot refuse personal
>> responsibility when you're forced to use it anyway.
>
>Indeed it seems impossible to totally eliminate the risk. But consider
>a parallel issue: If I get $100 from a teller machine and my account
>is deducted $500, could I do anything?
>
>M. K. Shen
>
>
------------------------------
From: Rex Stewart <[EMAIL PROTECTED]>
Subject: Re: Sapphire II Stream Cipher
Date: Tue, 20 Jun 2000 22:49:53 GMT
I am not a professional cryptographer by any stretch of the
imagination, but I did a pretty thourough examination of his
cypher before I decided to use it.
It has some similarities to RC4 but with an extra twist that
it feeds information from both the plaintext and the cyphertext
streams into the system. This allows it to be used repeatedly
with a single key, unlike standard stream cyphers.
While feeding back information from either plaintext OR
cyphertext streams is considered a dangerous practice - he
used both, which complicates attacks somewhat, and I don't
think anyone has come up with any useful attacks.
--
Rex Stewart
PGP Print 9526288F3D0C292D 783D3AB640C2416A
In article <8ig5uh$fff$[EMAIL PROTECTED]>,
"Andrej Madliak" <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi!
>
> Does anybody know more about the Sapphire II Stream Cipher
> (attacks, weaknesses, has been broken, etc.)?
>
> The cipher is used in ATBASH2 package by M. J. Johnson...
>
> Thanks in advance,
>
> Andrej
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.3
> Comment: Quis custodiet ipsos custodes?
>
> iQA/AwUBOUuK1YaZUlJQw2ggEQIgfgCfdKEG4pzKlgkbRX17fPmnAiL1RYUAoM8n
> X1E+WhZg2dklP+Xl/PRLLGiN
> =fH3e
> -----END PGP SIGNATURE-----
>
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Flattening of frequency distributions
Date: Tue, 20 Jun 2000 15:48:33 -0700
Well if one isn't overly concerned with the bandwidth taken up, and an
approximation of the biases for each symbol, it should be possible to do the
following:
Assign a set of symbols (from a statistically significant range) to each
input symbol, such that if a symbolA:symbolB occurance ratio is n, the set
of symbols for symbolA is n times the set of symbols for symbolB.
when preparing for encryption, substitute for each symbol by replacing it
with a randomly chosen value from it set of replacements
(after each message recompute the biases, and distribute in some fashion,
the table does not need to be secret)
This will result in streams that approach uniform appearance of symbols,
although it happens at a cost of possibly significant bandwidth. Since this
is simply an inverse style compression, it may make more sense in most
circumstances to use the same information to compress the data, but since
you only asked for alternatives.
Another fairly slow way that should balance the frequency a fair amount.
Have a second shared secret, use that as a key for RC4 (or another pRNG with
characteristics that would make it possible), use the entire state as a
substitution block such as (in C) output = RC4[input], with a significant
number of pRNG iterations between. You could also use a pRNG to create the
s-block by simply iterating it until each value has been presented, and
using that in the same way. I can't prove that the output will be uniform,
but it should normally be close enough to make little difference,
unfortunately it comes with the overhead of transferring another secret, and
maintaining it a secret.
Joe
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Is this a HOAX or RSA is REALLY broken?!?
Date: Tue, 20 Jun 2000 16:17:59 -0700
Eric Smith wrote:
> > However, no system with the general conceptual ability of a normal
> > 10-year-old human has yet been demonstrated.
>
> Heck, I'd be impressed if they reached the conceptual ability of a
> 2-year-old. I suspect that the gap from the current state to the
> equivalent of a 2-year-old is *much* larger than the gap from the 2-year-old
> to adult.
Yes. A 2-year-old has no trouble distinguishing a dog from a cat.
The best AI programs cannot.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Online Text Encryption
Date: Tue, 20 Jun 2000 16:21:10 -0700
> Also flames are not usually the kind of feedback one expects
> from the level of professionalism that is usually shone on this newsgroup,
You must be new here.
Welcome, but I do have a few problems with your algorithm. Adding a time
value doesn't do much to increase security. When DES was first used for UNIX
passwords, it took almost exactly 1 sec to perform the necessary 16
encryptions, now we perform these operations much, much faster.
The gains will be minimal, and linear by nature, specifically going from 1
encryption to 2 doubles the time, going from 1 encryption to 3 triples the
necessary time, but the actualy difference in gains are only 50% comparing
the 2, going further n versus n+1 has a gain of (n+1)/n, a decreasing value
with higher n. In contrast the speed of computers is increasing
approximately exponentially, giving 2^n, my math at say 40 years, computers
will have increased in speed by a factor of 2^40, but by iterating 40 times
(hence the comparison of n) will be a rather small finite number, let's say
less than 1000000, giving an advantage of 2^20 to the computing power.
Also, we can't forget the fact that an attacker will have some knowledge of
how long an individual has waited for an encryption, generally within a
factor of 2, making it unnecessary to even check if the password verifies
against the maintained hash. Also the attacker may speed things up even more
based on that knowledge of the hash by checking data value against it
without attempting to decrypt, vastly speeding up the search for the key by
eliminating large quantities of potential keys.
I also noticed that inspite of the changing values in your rather hideous
looking GIF, the last few values never change.
Joe
------------------------------
From: [EMAIL PROTECTED] (James Pate Williams, Jr.)
Subject: Re: Is this a HOAX or RSA is REALLY broken?!?
Date: Wed, 21 Jun 2000 00:04:31 GMT
On Tue, 20 Jun 2000 16:17:59 -0700, Roger Schlafly
<[EMAIL PROTECTED]> wrote:
>Eric Smith wrote:
>> > However, no system with the general conceptual ability of a normal
>> > 10-year-old human has yet been demonstrated.
>>
>> Heck, I'd be impressed if they reached the conceptual ability of a
>> 2-year-old. I suspect that the gap from the current state to the
>> equivalent of a 2-year-old is *much* larger than the gap from the 2-year-old
>> to adult.
>
>Yes. A 2-year-old has no trouble distinguishing a dog from a cat.
>The best AI programs cannot.
try http://www.20q.net/
==Pate Williams==
[EMAIL PROTECTED]
http://www.mindspring.com/~pate
------------------------------
From: jungle <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp.discuss
Subject: Re: S/MIME + Netscape v47 serious problem in symmetric encryption ...
Date: Tue, 20 Jun 2000 19:56:28 -0400
you are totally wrong ...
with v1 I'm encrypting to 128 & 168 bits ...
version has nothing to do with it ...
Padgett 0sirius wrote:
>
> > Anyway, it would be interesting to find out why it keeps reporting
> > how to find that it is reporting ONLY and not practically using only 40
> >bits encryption ?
>
> Because it is S/MIME v2 which had as a MUST 40 bit symmetric. OTOH S/MIME
> v3 (RFC 2630-2634) requires strong encryption matching FIPS 140-1.
------------------------------
From: [EMAIL PROTECTED] (infamis at programmer.net)
Subject: How encryption works
Date: 20 Jun 2000 23:59:13 GMT
Ok, I've read this newsgroup's faq, some other texts out there, and some
presentations on cryptography, but I just don't understand it. Only partially.
For example, this is something I read somewhere:
====================
n,e=public key, n = (prime num. p * prime num. q), M=message
d=private key
encryption: C=M^e mod n
decryption: M=C^d mod n
[say p=5, q=7, e=3]
p*q = 35
d=e^(-1) mod ((p-1)(q-1))
=16
====================
I understand most of it except....
1) is n or e the public key?
2) if M=message, is this the checksum of the whole message, of 1 character,
blocks of characters, or what?
3) the line with "d=....". When I did this out, (3^(-1)) mod ((4)(6)) didn't
equal 16... I got 1/3.
Other questions:
I have pgp5.5. They key's properties said Diffie-Hellman/DSS, with CAST cipher.
What in the world does this mean? Isn't DH/DSS the encryption, so why need CAST
[or IDEA which I saw on other keys]?
I haven't read about any encryption methods that have broken, which didn't use
a brute force attack. Are there any and how did the decryption work?
When I export my public key to people, which is a DH/DSS CAST ciph. 2048/1024
bit key, the key is in plaintext [like Hkel3jadAio3nDlLoWX ...]. 2048bit[or is
it 1024?] / 8bit(per byte) = 256. but my key is > 256 bytes.
I don't plan to make some great encryption method and get famous or anything, I
just want to know how this works because I think it's very interesting. I'm
only 14, so bear with me...
------------------------------
From: [EMAIL PROTECTED] (Wim Lewis)
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: 20 Jun 2000 23:59:40 GMT
In article <[EMAIL PROTECTED]>,
Roger Schlafly <[EMAIL PROTECTED]> wrote:
>That's the point -- the music industry believes that it has
>the right, under copyright law, to license DVDs for MSWin
>but not Linux. It has no interest in the Linux market because
>Linux users have an attitude that software should be free.
>Locking out the Linux market is a legal thing to do under
>copyright law, contrary to the above. Because CSS helps lock
>out Linux users, it is a copy protection mechanism, and
>circumventing it is now illegal under the DCMA.
Ummmm? Surely playing a legally-acquired DVD on my legally-acquired
computer in the legally-approved manner (no public performance or anything)
counts as "use", not "copying". I'm even playing it in the DVDCCA-endorsed
geographical region.
Granted, it's "use" on hardware/software that it wasn't designed to be used
on. But the DMCA specifically *allows* reverse-engineering for compatiblity,
which is what this is.
It's interesting that DeCSS was attacked, but related work (including,
as far as I can tell, the work DeCSS was based on) was not attacked.
DeCSS is a Windows program. The related stuff is targeted at Linux.
No, I don't know what this implies.
(Man, every time I look at the DMCA I'm astounded at what a bad piece of
law it is...)
--
Wim Lewis * [EMAIL PROTECTED] * Seattle, WA, USA
"If you torture the data enough, nature will always confess." (R H Coase)
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
