Cryptography-Digest Digest #121, Volume #12      Wed, 28 Jun 00 03:13:01 EDT

Contents:
  Re: Certificate authorities (CAs) - how do they become trusted  (jungle)
  Re: simple crypting (jungle)
  Comment/Analysis requested Password to RawBinarykey method... (Jay Summet)
  Re: Variability of chaining modes of block ciphers ("Scott Fluhrer")
  Re: scramdisk and e4m security problem? (Mack)
  Does anyone have code for generating primitive polynomials? (Mack)
  Re: Idea or 3DES (Jim Gillogly)
  Bug in reference implementation (Runu Knips)

----------------------------------------------------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: Certificate authorities (CAs) - how do they become trusted 
Date: Wed, 28 Jun 2000 01:10:34 -0400

[EMAIL PROTECTED] wrote:
> In doing a bit of research on internet security I naturally came
> across "Certificate authorities (CAs)" (ie: Verisign, Thawte, etc) ...
> can anyone tell me (or give me a URL) from where these companies get
> *their* certification - who says they are 'trusted' 

themselves ...

trusted ? no way ...
the trust warranty is about a nickel ...



------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: simple crypting
Date: Wed, 28 Jun 2000 01:16:14 -0400

for fun ? no ...
for profit ? maybe ...
for fame ? could be ...

start by offering, say $10,000.00, you may be lucky ...

[EMAIL PROTECTED] wrote:
> 
> if i post e crypted message here...
> is there anyone here who could decrypt it?



------------------------------

From: Jay Summet <[EMAIL PROTECTED]>
Subject: Comment/Analysis requested Password to RawBinarykey method...
Date: Tue, 27 Jun 2000 22:17:38 -0700

Hello,

I have implemented a (JAVA) class that is designed to store a String using
Blowfish and DESede (TripleDES) in combination. (Xor message with random
pad, encrypt pad with one, encrypt messageXORpad with other, must decrypt
both to retrieve message... [ciphertext is double size of message] )

This is somewhat straightforward. However, I am generating a key based
upon a user-inputted passphrase. I want a different (binary/raw key) for
each algorithm (2 different keys from the same passphrase).

So, I built my own String -> raw binary array of bits/bytes method, using
hash functions (MD5 and SHA, one for each cipher). A link to direct source
code is provided at end of post, here is the overview.

We take the passphrase, and give it to the hash (say MD5). We get a hash
value out. We use the first byte of the hash value to index into the hash
value ("randomly") and use that byte as the first byte of our key.

To generate the next byte of our key, we make a new MD5 hash, and as input
give it:
1. the key so far (ie, 1 byte first time, 2 bytes second time, etc)
2. The original passphrase.
3. Another byte selected from the hash (indexed by the second byte of the
hash this time, so it may be different from the last byte selected for the
key, or it may be the same...)

We repeat this until the bytes of the key are filled up (24 for DESede, 56
for blowfish). (one version uses MD5, one version uses SHA1)

*I* think that this is a secure way to convert a user supplied passphrase
into a "good" (ie, random looking) key.

Am I right?

Source code is at:
http://www.summet.com/jdiary/EncryptedStringStorage.java

The methods to look at are: generateBlowfishKey and generateTripleDESKey


I'm not as worried about the actual encryption and decryption steps, but
if you want to look at them and see if I'm doing anything stupid there I
certainly wouldn't mind finding out about it!

Thanks,
Jay Summet
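
[Added example, not part of the post above or of Jay Summet's class.] For
comparison with the hand-rolled chain described in the post, here is the
standard way to turn one passphrase into two unrelated raw keys of the sizes
the post needs (24 bytes for DESede, 56 bytes for Blowfish): PBKDF2 first,
then an HKDF-Expand split under two distinct labels. The two things a
standard KDF adds over a salt-less, un-iterated hash chain are a per-user salt
(no precomputed dictionaries shared across users) and a work factor (each
guess costs the attacker the same iterations it costs you). The DES parity
fix-up at the end is a detail a 3DES key consumer may care about. The label
strings, salt size and iteration count are choices of this example, not values
from the post.

```python
import hashlib
import hmac
import os

# Key sizes from the post: 24 bytes for DESede, 56 bytes for Blowfish.
DESEDE_KEY_LEN = 24
BLOWFISH_KEY_LEN = 56


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256: stretch a pseudorandom key
    into `length` bytes bound to the label `info`."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        out += block
        counter += 1
    return out[:length]


def set_des_parity(key: bytes) -> bytes:
    """Force odd parity on every DES key byte (bit 0 is the parity bit).
    Java's DESedeKeySpec accepts keys without it, but hardware and some
    libraries reject keys whose parity is wrong."""
    return bytes(
        (b & 0xFE) | (0 if bin(b & 0xFE).count("1") % 2 else 1) for b in key
    )


def has_odd_parity(key: bytes) -> bool:
    """True when every byte of a DES key has an odd number of set bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def derive_keys(passphrase: str, salt: bytes, iterations: int = 100_000):
    """Passphrase -> (blowfish_key, desede_key).

    Step 1: PBKDF2-HMAC-SHA256 turns the passphrase into a 32-byte master
            secret; the salt stops precomputation across users, the
            iteration count makes each guess cost the attacker real work.
    Step 2: HKDF-Expand splits the master secret into two keys under
            distinct labels (labels are this example's choice), so neither
            key reveals anything about the other.
    """
    master = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32
    )
    blowfish_key = hkdf_expand(master, b"blowfish pad key", BLOWFISH_KEY_LEN)
    desede_key = set_des_parity(
        hkdf_expand(master, b"desede message key", DESEDE_KEY_LEN)
    )
    return blowfish_key, desede_key


if __name__ == "__main__":
    salt = os.urandom(16)  # store alongside the ciphertext; it need not be secret
    bf, des = derive_keys("correct horse battery staple", salt)
    print("blowfish key:", bf.hex())
    print("desede key:  ", des.hex())
```

The salt is stored next to the ciphertext and re-used on decryption; changing
either the salt or a single character of the passphrase changes both keys.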


------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers
Date: Tue, 27 Jun 2000 22:12:57 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Mark Wooding wrote:
>
> > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > Mark Wooding wrote:
> > > > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > > > Scott Fluhrer wrote:
> > >
> > > [snip]
> > >
> > > > > You are distorting the discussion context. We are discussing the
> > > > > possibilities to obtain some improvements upon a given cipher with
> > > > > some chaining modes, not discussing using two or more ciphers.
> > > >
> > > > I think that Scott is trying to say that if you're not happy with your
> > > > cipher's security, you're best off preprocessing with another cipher
> > > > rather than playing with fancy chaining modes.
> > >
> > > That's right. Hence my answer to him.
> >
> > But your answer doesn't address his point.
> >
> > The point is that you're using the wrong fix.  The right fix is a good
> > cipher.  Use one.
>
> You snipped out what Scott Fluhrer wrote and then provided the wrong
> argument. Here is what he wrote before my sentences quoted above:

The argument appears to have wandered over to what I meant.  Let me settle
the argument: I did not initially mean anything nearly as intelligent as
what Mr. Wooding ascribed to me (that is, to obtain security, you're far
better off relying on primitives that have been designed specifically for
security, in the specific ways they were intended to be used).

However, I retroactively endorse it, and call it a fine (if unintended)
moral.


>     And even if that's not a concern, it'd be a shame to blow off a good boss
>     with one quirk.  Alternative strategy: implement the amateur crypto design,
>     but preprocess the plaintext just a bit, sort of like a "prewhitening" phase.
>     For example, pass it through Rijndael first. (1/2 :-)
>
> He even gave an example to pass the plaintext to Rijndael to preprocess
> and then to the cipher that one has at hand. So there are TWO ciphers
> in his argument! (Whether it is sensible to do that is not the point here.)
> And I was answering exactly to that point of Scott Fluhrer.

If you recall, a precondition to the scenario was that you had to use your
boss's friend's home grown cipher.  I was just presenting a practical way
to do that, while getting reasonable security.

>
> > > > I suspect that it can't exist.  Indeed, I suspect that, if we know our
> > > > adversary's capabilities that accurately, we probably don't need
> > > > cryptography at all, because we can determine a communication channel
> > > > which is already secure against him.
> > >
> > > If you know the computer of the opponent, then you can calculate the
> > > time for brute forcing.
> >
> > Ahhh!  I see your problem.  Have you learned nothing from the years
> > you've been reading sci.crypt?  Brute force is not the only way to
> > attack ciphers!
>
> Again you missed what Scott Fluhrer and I were discussing. The point at
> issue was his questioning whether there could be a case at all where one
> can fairly accurately estimate the opponent's capability. I answered that
> there can be (though rare) cases where one has information of the power
> of his computer and that he is using brute force. Please read the relevant
> discussions between Scott Fluhrer and me, before you simply jump in,
> ignoring the stuff we were discussing.

Also, note that with the "home grown" cipher above, even if you know
precisely the computational capability of the opponent, it's rather hard to
get a handle on how much effort the cipher will take to break -- it might
easily yield to a much-better-than-brute force, but nonobvious, attack.

--
poncho





------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: scramdisk and e4m security problem?
Date: 28 Jun 2000 05:42:31 GMT

>They seems to be using per sector CBC block cipher mode. I think there
>are lot of 'blank' sectors - sectors with all 0's on a disk, and that
>will produce a lot of sectors with same cipher code. Thus, an attacker
>can obtain the cipher of all 0's easily -- might aid the attack greatly
>to crack the code.
>
>
>I wonder is there any answer to this problem?
>

Yes, use a different IV for each sector.
Try MD5(sector number | key) or some
variation like that. Or even DES(key, sector number).
That should complicate things a good bit.


Mack
Remove njunk123 from name to reply by e-mail
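
[Added example, not from Mack's reply or from ScramDisk/E4M.] The effect of a
keyed per-sector IV on the all-zero-sector problem from the question, in
runnable form. The IV is derived as hash(sector number | key), the
construction the reply suggests, with SHA-256 substituted for MD5; the block
cipher is a stand-in 4-round Feistel network over HMAC-SHA256 (an assumption
of this example, used only so it runs without a third-party AES: the IV logic
does not depend on it). With a fixed IV, every blank sector produces the same
ciphertext; with the keyed IV, each blank sector differs, and decryption only
works with the right sector number.

```python
import hashlib
import hmac
import os

BLOCK = 16      # bytes per cipher block
SECTOR = 512    # bytes per disk sector


def feistel_block(key: bytes, block: bytes, encrypt: bool = True) -> bytes:
    """Stand-in 128-bit block cipher: 4-round Feistel network whose round
    function is HMAC-SHA256. Decryption runs the same rounds in reverse."""
    left, right = block[:8], block[8:]
    rounds = range(4) if encrypt else range(3, -1, -1)
    for r in rounds:
        f = hmac.new(key, bytes([r]) + right, "sha256").digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC over one sector: each plaintext block is XORed with the previous
    ciphertext block (the IV for the first) before encryption."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        block = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = feistel_block(key, block)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        p = feistel_block(key, c, encrypt=False)
        out.append(bytes(a ^ b for a, b in zip(p, prev)))
        prev = c
    return b"".join(out)


def sector_iv(key: bytes, sector: int) -> bytes:
    """Keyed per-sector IV: hash(sector number | key), truncated to one block.
    Keying it matters: an IV the attacker can predict (e.g. the bare sector
    number) lets them craft plaintext patterns that survive encryption."""
    return hashlib.sha256(sector.to_bytes(8, "big") + key).digest()[:BLOCK]


def encrypt_sector(key: bytes, sector: int, plaintext: bytes,
                   per_sector_iv: bool = True) -> bytes:
    iv = sector_iv(key, sector) if per_sector_iv else bytes(BLOCK)
    return cbc_encrypt(key, iv, plaintext)


def decrypt_sector(key: bytes, sector: int, ciphertext: bytes,
                   per_sector_iv: bool = True) -> bytes:
    iv = sector_iv(key, sector) if per_sector_iv else bytes(BLOCK)
    return cbc_decrypt(key, iv, ciphertext)


if __name__ == "__main__":
    key = os.urandom(32)
    blank = bytes(SECTOR)          # a "blank" all-zero sector
    fixed = {encrypt_sector(key, n, blank, per_sector_iv=False) for n in range(3)}
    keyed = {encrypt_sector(key, n, blank) for n in range(3)}
    print("fixed IV, 3 blank sectors, distinct ciphertexts:", len(fixed))
    print("keyed per-sector IV, 3 blank sectors, distinct ciphertexts:", len(keyed))
```

The DES(key, sector number) variant in the reply is the same idea with the
hash replaced by an encryption under a key the attacker does not hold; either
way the IV is unpredictable without the key, which is the property that
matters.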

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Does anyone have code for generating primitive polynomials?
Date: 28 Jun 2000 05:56:14 GMT

I am looking for some good code for generating primitive polynomials.
Pointers are appreciated.  UBASIC is my first choice of
languages.  Something in C is also acceptable (with or without
a LIP library).


Mack
Remove njunk123 from name to reply by e-mail
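
[Added example, not code Mack asked about or received; written in Python
rather than UBASIC or C so that it runs as-is.] A polynomial p of degree n over
GF(2) is primitive exactly when x has multiplicative order 2^n - 1 in
GF(2)[x]/(p). So the test is: x^(2^n - 1) = 1 mod p, and x^((2^n - 1)/q) != 1
mod p for every prime q dividing 2^n - 1. A reducible p cannot pass (its
residue ring has fewer than 2^n - 1 units), so no separate irreducibility
test is needed. Polynomials are ints with bit i standing for x^i.

```python
def prime_factors(n: int) -> list:
    """Distinct prime factors of n by trial division (2^n - 1 for the degrees
    used in practice is small enough for this)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def gf2_mulmod(a: int, b: int, mod: int, deg: int) -> int:
    """Carry-less multiply of a and b, reduced modulo `mod` (degree `deg`)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:
            a ^= mod
    return r


def gf2_powmod(base: int, e: int, mod: int, deg: int) -> int:
    """base^e modulo `mod` over GF(2), square-and-multiply."""
    result = 1
    while e:
        if e & 1:
            result = gf2_mulmod(result, base, mod, deg)
        base = gf2_mulmod(base, base, mod, deg)
        e >>= 1
    return result


def is_primitive(poly: int, deg: int) -> bool:
    """True iff x has order exactly 2^deg - 1 modulo poly."""
    order = (1 << deg) - 1
    if poly >> deg != 1 or not poly & 1:      # wrong degree, or x divides poly
        return False
    x = 0b10
    if gf2_powmod(x, order, poly, deg) != 1:
        return False
    return all(gf2_powmod(x, order // q, poly, deg) != 1
               for q in prime_factors(order))


def primitive_polynomials(deg: int) -> list:
    """All primitive polynomials of the given degree, as ints, ascending.
    Candidates are monic with constant term 1, i.e. odd ints in [2^deg, 2^(deg+1))."""
    return [p for p in range((1 << deg) | 1, 1 << (deg + 1), 2)
            if is_primitive(p, deg)]


def poly_str(poly: int) -> str:
    """Render an int polynomial as e.g. 'x^8 + x^4 + x^3 + x^2 + 1'."""
    terms = []
    for i in range(poly.bit_length() - 1, -1, -1):
        if (poly >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


if __name__ == "__main__":
    for deg in (3, 4, 8):
        polys = primitive_polynomials(deg)
        print(f"degree {deg}: {len(polys)} primitive polynomials")
        for p in polys:
            print(f"  0x{p:X}  {poly_str(p)}")
```

Sanity checks worth keeping: the count for degree n must equal phi(2^n - 1)/n
(2 for n=3, 2 for n=4, 16 for n=8), and x^8 + x^4 + x^3 + x + 1 (the AES
field polynomial, 0x11B) must be rejected: it is irreducible, but x has order
51 in that field, not 255.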

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Idea or 3DES
Date: Wed, 28 Jun 2000 05:59:00 +0000

"Trevor L. Jackson, III" wrote:
> Incorrectly.  The case would not have been made, and PRZ indicted, if the USG was
> unwilling.  The appropriate explanation for a dropped case is inability.

And, in fact, PRZ was <not> indicted.  That is to say, the USG was unwilling
to indict him.  Why are you still trying to justify your error?
-- 
        Jim Gillogly
        Mersday, 5 Afterlithe S.R. 2000, 05:58
        12.19.7.5.19, 6 Cauac 2 Tzec, Second Lord of Night

------------------------------

Date: Wed, 28 Jun 2000 08:54:36 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Bug in reference implementation

Runu Knips wrote:
> I've written a very simple cipher, Paranoia. It should
> appear soon on the contest page (well unless there was
> an error in it). It is basically a (big) modification
> of RC5, which uses 32 instead of 5 bits in each round
> for bit transformations.

I've found a bug in the implementation :-(. I've already
sent a new version to the contest.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
