Cryptography-Digest Digest #123, Volume #12 Wed, 28 Jun 00 07:13:01 EDT
Contents:
Re: Yardley: Codebreaking or Torture (Paul Rubin)
Re: On a notation issue of Feistel ciphers (Runu Knips)
Re: TEA question (Bo Lin)
Another chaining mode (Runu Knips)
Re: Compression and known plaintext in brute force analysis (restatements caused by
the missing info .... thread) (Tim Tyler)
Re: Dynamical Cryptography algorithm (Sylvain Martinez)
Re: Surrendering Keys, I think not. (Alan Braggins)
Re: Dynamical Cryptography algorithm (Sylvain Martinez)
Biometrics statistics... ("Ip Ting Pong, Vincent")
Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])
Cryptography FAQ (02/10: Net Etiquette) ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Yardley: Codebreaking or Torture
Date: 28 Jun 2000 07:56:57 GMT
In article <[EMAIL PROTECTED]>,
UBCHI2 <[EMAIL PROTECTED]> wrote:
>I am reading Yardley's book called the Chinese Black Chamber. In it he admits
>to using sodium pentothal and a second drug on captured prisoners in order to
>get them to reveal Japanese encryption techniques.
I read that book many years ago and don't remember it too well, but
IIRC some of it was in the 1930's and some was during WWII. I don't
know if the prisoners were POW's or captured spies. If they were
POW's, then yeah, drugging them is a no-no even in wartime (Geneva
convention). If they were spies, I don't know if the Convention
applies. I don't know if that type of drugging would constitute
torture either. In any case, nobody ever said Yardley did things by
the book.
>Was he a master codebreaker or a torturer?
Are those opposing concepts? Every cryptographer knows that the weakest
part of most security systems is the people who use them. Yardley knew
that too, and used the knowledge.
>Has history treated him too well?
History doesn't treat him as a nice guy, if that's what you mean.
>Certainly, his codebreaking techniques would be considered human
>rights abuses today.
Again, it's supposed to be a central assumption in cryptography
that the attacker is a bad guy and doesn't play by the rules.
I understand and sympathize with the point you're trying to make, but
on a newsgroup of security implementers, the main lesson I can think
of from your article is, if you're trying to design good security
systems (military systems anyway), design them to hold up even if your
agents are tortured, since your opponent will not necessarily fight
fair. War is not the boy scouts.
------------------------------
Date: Wed, 28 Jun 2000 09:59:30 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: On a notation issue of Feistel ciphers
tomstd wrote:
> With three words you have an unbalanced Feistel cipher. They
> are not particularly useful for encryption (but good as hash
> functions).
Hmm, I really have to get more material about
hash functions...
> Check this out.
>
> A = A + F(C)
> B = B + F(A)
> C = C + F(B)
>
> Looks good because the previously modified word is going through
> the F function the avalanche will be high... but let's look at
> decryption.
>
> C = C - F(B)
> B = B - F(A)
> A = A - F(C)
>
> Now it's all backwards the previous word is not the input so the
> avalanche is much less.
In my new cipher 'PARANOIA' I use a formula
like this:
A = A @ X(B, C, D, E, F, G, H)
B = B @ X(C, D, E, F, G, H, A)
[...]
H = H @ X(A, B, C, D, E, F, G)
I think that's a possible extension of the
'ordinary' Feistel.
------------------------------
From: Bo Lin <[EMAIL PROTECTED]>
Subject: Re: TEA question
Date: Wed, 28 Jun 2000 08:56:08 +0100
dex,
You need to understand why an irrational number is preferred and why the
golden ratio is the best for TEA.
Bo Lin
Motorola
dexMilano wrote:
>
> Why we have to use the golden number ...
> Why cannot we use 1569234 for example?
>
> thx
>
> dex
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
Date: Wed, 28 Jun 2000 10:16:48 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Another chaining mode
I had another idea about chaining modes. Instead of using the
block cipher as a black box, one could parameterize it with
the last block, i.e. its mask could be changed from
encrypt: key * input -> output
decrypt: key * input -> output
to
encrypt: key * block * input -> output
decrypt: key * block * input -> output
where block is used in the cipher itself. For example, in my
last cipher, Paranoia, one could xor the round value a with
one of the values of that block (according to some schemata).
The advantage compared to the original CBC is that, for
a C(i-1) <> 0:
ENC(P(i) XOR C(i-1)) <> ENC(P(i)) = ENC(P(i) XOR 0)
while ENC2(P(i), C(i-1)) = ENC2(P(i), 0) is always possible.
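The following is an added example, not code from the digest or from any of the posters: it implements tomstd's three-word structure (A = A + F(C), B = B + F(A), C = C + F(B), quoted in Runu Knips's reply above) as a toy cipher, measures how far one flipped input bit spreads in the forward versus the inverse direction, and also realises Runu's proposal here of feeding the previous ciphertext block into the cipher itself instead of XOR-ing it onto the plaintext as CBC does. The round function F, the key schedule, the XOR-into-round-key mixing and the all-zero IV are all assumptions made for illustration.

```python
import random

MASK = 0xFFFFFFFF

def F(x, k):
    # Hypothetical toy round function (murmur-style finaliser): good diffusion
    x = (x + k) & MASK
    x ^= x >> 16
    x = (x * 0x85EBCA6B) & MASK
    x ^= x >> 13
    x = (x * 0xC2B2AE35) & MASK
    return x ^ (x >> 16)

def encrypt_block(block, keys, chain=(0, 0, 0)):
    # tomstd's forward structure on three 32-bit words; `chain` (the previous
    # ciphertext block) is XORed into each round key, which parameterises the
    # cipher as in Runu's ENC2(key, block, input).  chain=(0,0,0) is the plain cipher.
    a, b, c = block
    for i, k in enumerate(keys):
        k ^= chain[i % 3]
        a = (a + F(c, k)) & MASK   # A = A + F(C)
        b = (b + F(a, k)) & MASK   # B = B + F(A): uses the freshly changed A
        c = (c + F(b, k)) & MASK   # C = C + F(B): uses the freshly changed B
    return (a, b, c)

def decrypt_block(block, keys, chain=(0, 0, 0)):
    # Inverse: each word is unwound with a word not yet changed in this round.
    a, b, c = block
    for i, k in reversed(list(enumerate(keys))):
        k ^= chain[i % 3]
        c = (c - F(b, k)) & MASK   # C = C - F(B)
        b = (b - F(a, k)) & MASK   # B = B - F(A): A is still the round output
        a = (a - F(c, k)) & MASK   # A = A - F(C): C is now restored
    return (a, b, c)

def avalanche(fn, keys, samples=200, seed=1):
    # Mean number of output bits changed by a single input-bit flip, averaged
    # over all 96 bit positions of `samples` pseudo-random blocks.
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        blk = tuple(rng.getrandbits(32) for _ in range(3))
        ref = fn(blk, keys)
        for pos in range(96):
            flipped = list(blk)
            flipped[pos // 32] ^= 1 << (pos % 32)
            out = fn(tuple(flipped), keys)
            total += sum(bin(x ^ y).count("1") for x, y in zip(ref, out))
    return total / (samples * 96)

def chained_encrypt(blocks, keys):
    # Runu's mode: block i is encrypted by the cipher parameterised with
    # ciphertext block i-1 (all-zero IV, constructed for this example).
    prev, out = (0, 0, 0), []
    for blk in blocks:
        prev = encrypt_block(blk, keys, chain=prev)
        out.append(prev)
    return out

def chained_decrypt(blocks, keys):
    prev, out = (0, 0, 0), []
    for blk in blocks:
        out.append(decrypt_block(blk, keys, chain=prev))
        prev = blk
    return out
```

With a single round, `avalanche(encrypt_block, keys)` comes out noticeably higher than `avalanche(decrypt_block, keys)`, which is the asymmetry tomstd describes; in the chained mode two equal plaintext blocks no longer give equal ciphertext blocks because the second is encrypted by a differently parameterised cipher.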
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Compression and known plaintext in brute force analysis (restatements
caused by the missing info .... thread)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 28 Jun 2000 08:04:09 GMT
zapzing <[EMAIL PROTECTED]> wrote:
: And another problem: suppose a random (or already encrypted)
: file is encrypted. Then an amount of predictable
: information will be added to a file that was previously
: perfectly unpredictable.
Since most people agree that in practice, this is often true, a
simple solution should be employed:
*Don't* feed plaintext with statistically random characteristics straight
into your compressor, if you can avoid doing so.
Random plaintexts are typically expanded only to a small degree (compared
to the extent to which a patterned file is compressed) [This can happen
as there are so many more "random" files than there are "patterned"
ones].
As a result, the problem is rarely severe - but feeding random files to
one's compressor basically gives the /opposite/ of most of the normal
benefits of compression - it bulks up your files, gives the analyst more
cyphertext, and makes the cyphertext less statistically random.
David Scott has advocated compressing apparently random data with his
reverse parsing schemes. In these his aim is apparently to allow
information from later parts of the plaintext to come to affect all earlier
parts (in order to confound analysis based on partial known plaintexts)
by reusing an existing component.
I expect he'd agree that *if* a component could be found which produced
much the same effect, *without* making the file any larger, that would be
preferable.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
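An added example (not from Tim's post or anyone else in this thread) of the check his advice implies: measure whether the plaintext already has random statistics before handing it to the compressor, and observe that a random file comes out of zlib slightly larger rather than smaller. The 7.5 bits-per-byte threshold and the two sample files are assumptions constructed for the demonstration.

```python
import math
import random
import zlib

def entropy_bits_per_byte(data: bytes) -> float:
    # Shannon entropy of the byte histogram; close to 8.0 means "looks random"
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def compression_ratio(data: bytes) -> float:
    # compressed size / original size; above 1.0 the compressor expanded the file
    return len(zlib.compress(data, 9)) / len(data)

def compress_unless_random(data: bytes, threshold: float = 7.5):
    # Don't feed statistically random plaintext to the compressor: pass it
    # through unchanged.  Returns (payload, was_compressed).  The threshold is
    # an assumed cut-off chosen for this example.
    if entropy_bits_per_byte(data) >= threshold:
        return data, False
    return zlib.compress(data, 9), True

# Constructed inputs: a pseudo-random "already encrypted" file and a
# highly patterned text file.
rng = random.Random(2000)
RANDOM_FILE = bytes(rng.getrandbits(8) for _ in range(4096))
PATTERNED_FILE = b"The quick brown fox jumps over the lazy dog. " * 100
```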
------------------------------
From: Sylvain Martinez <[EMAIL PROTECTED]>
Subject: Re: Dynamical Cryptography algorithm
Date: Wed, 28 Jun 2000 09:43:37 GMT
> Instead of a spec sheet, it would have been useful to tell us what
> specifically makes your algorithm unique, to stimulate interest in
> going to
>
> http://www.bcrypt.com/
I believe it is unique because:
1) It is dynamical: the user, by changing parameters, really changes the
way the algorithm works. I know that Blowfish lets you choose the size of
the block you want to crypt, but I think BUGS goes a little further.
2) It is different from the existing cryptography algorithms as it does
not use complex mathematical formulas but a logical algorithm.
3) The algorithm has been designed to take advantage of any type of
integer width (16, 32, 64, 128, etc.).
If you crypt a file using 32-bit integers you can only decrypt it if you
again use 32-bit integers...
Therefore you can make this algorithm platform dependent in a way.
The standard is 32 bits, so you can crypt/uncrypt on any OS/hardware.
If you want more information, please let me know and I'll post more.
The technical documentation on http://www.bcrypt.com should also give
you all the information needed.
>
> which URL does not seem to have a DNS entry...so it didn't work for
> me.
Argh! Sorry, you should read:
http://www.bcrypt.com
I can't believe I made a mistake in the URL!!!
Well... let's say I have encrypted it ;o)
(not using the BUGS algorithm ...)
cheers,
Sylvain.
--
---
Unix security administrator
BUGS crypto project: http://www.bcrypt.com
http://www.encryptsolutions.com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Alan Braggins <[EMAIL PROTECTED]>
Subject: Re: Surrendering Keys, I think not.
Date: 28 Jun 2000 10:55:13 +0100
Simon Johnson <[EMAIL PROTECTED]> writes:
> Let's get this straight, before I start, the idea for the system I
> am proposing is to stop the police gaining circumstantial evidence
> against you.
>
> The prosecutors could say: 'He's using encryption and not
> handing over the keys, therefore he's got something to hide.'
No. Under the RIP, the prosecutors could say "We had reasonable
grounds to believe he was using encryption, he hasn't handed over the
keys, and he can't prove (on the balance of probabilities) he didn't
have the keys, therefore he is committing a criminal offence."
See http://www.stand.org.uk/
------------------------------
From: Sylvain Martinez <[EMAIL PROTECTED]>
Subject: Re: Dynamical Cryptography algorithm
Date: Wed, 28 Jun 2000 09:51:45 GMT
In article <8jbi76$[EMAIL PROTECTED]>,
"Ryan Nicoletti" <[EMAIL PROTECTED]> wrote:
> Hello everyone!
>
> I was interested in checking out the site, Sylvain, so I found that
> you made just a slight typo in the URL, and I figured I'd let anyone
> else who cares to have the link that the site can be found at:
> http://www.bcrypt.com
>
Thank you !
Sorry about the typo...
--
---
Unix security administrator
BUGS crypto project: http://www.bcrypt.com
http://www.encryptsolutions.com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Ip Ting Pong, Vincent" <[EMAIL PROTECTED]>
Subject: Biometrics statistics...
Date: Wed, 28 Jun 2000 17:38:39 +0800
Hi all,
Sorry, I don't know if it's the right newsgroup to post this article.
I think I have come across an article stating the probability of 2
identical fingerprint, face or palm patterns; for example, for 2 fingerprints
to be identical the odds may be 1 in 10^10, etc.
However, I can't recall exactly where I read such articles.
Would anyone please tell me where I can find this kind of reference about
biometrics statistics?
Thanks a lot.
Vincent
------------------------------
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (01/10: Overview)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 28 Jun 2000 10:26:40 GMT
Archive-name: cryptography-faq/part01
Last-modified: 1999/06/27
This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.
Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.
Archives: sci.crypt has been archived since October 1991 on
ripem.msu.edu, though these archives are available only to U.S. and
Canadian users. Another site is rpub.cl.msu.edu in /pub/crypt/sci.crypt/
from Jan 1992.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
The fields `Last-modified' and `Version' at the top of each part track
revisions.
1999: There is a project underway to reorganize, expand, and update the
sci.crypt FAQ, pending the resolution of some minor legal issues. The
new FAQ will have two pieces. The first piece will be a series of web
pages. The second piece will be a short posting, focusing on the
questions that really are frequently asked.
In the meantime, if you need to know something that isn't covered in the
current FAQ, you can probably find it starting from Ron Rivest's links
at <http://theory.lcs.mit.edu/~rivest/crypto-security.html>.
If you have comments on the current FAQ, please post them to sci.crypt
under the subject line Crypt FAQ Comments. (The crypt-comments email
address is out of date.)
Table of Contents
=================
1. Overview
2. Net Etiquette
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?
3. Basic Cryptology
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
3.2. What references can I start with to learn cryptology?
3.3. How does one go about cryptanalysis?
3.4. What is a brute-force search and what is its cryptographic relevance?
3.5. What are some properties satisfied by every strong cryptosystem?
3.6. If a cryptosystem is theoretically unbreakable, then is it
guaranteed analysis-proof in practice?
3.7. Why are many people still using cryptosystems that are
relatively easy to break?
3.8. What are the basic types of cryptanalytic `attacks'?
4. Mathematical Cryptology
4.1. In mathematical terms, what is a private-key cryptosystem?
4.2. What is an attack?
4.3. What's the advantage of formulating all this mathematically?
4.4. Why is the one-time pad secure?
4.5. What's a ciphertext-only attack?
4.6. What's a known-plaintext attack?
4.7. What's a chosen-plaintext attack?
4.8. In mathematical terms, what can you say about brute-force attacks?
4.9. What's a key-guessing attack? What's entropy?
5. Product Ciphers
5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, and OFB encryption?
6. Public-Key Cryptography
6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'
7. Digital Signatures
7.1. What is a one-way hash function?
7.2. What is the difference between public, private, secret, shared, etc.?
7.3. What are MD4 and MD5?
7.4. What is Snefru?
8. Technical Miscellany
8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?
9. Other Miscellany
9.1. What is the National Security Agency (NSA)?
9.2. What are the US export regulations?
9.3. What is TEMPEST?
9.4. What are the Beale Ciphers, and are they a hoax?
9.5. What is the American Cryptogram Association, and how do I get in touch?
9.6. Is RSA patented?
9.7. What about the Voynich manuscript?
10. References
10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups
------------------------------
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (02/10: Net Etiquette)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 28 Jun 2000 10:26:41 GMT
Archive-name: cryptography-faq/part02
Last-modified: 94/06/13
This is the second of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
Contents:
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
Read news.announce.newusers and news.answers for a few weeks. Always
make sure to read a newsgroup for some time before you post to it.
You'll be amazed how often the same question can be asked in the same
newsgroup. After a month you'll have a much better sense of what the
readers want to see.
2.2. Do political discussions belong in sci.crypt?
No. In fact some newsgroups (notably misc.legal.computing) were
created exactly so that political questions like ``Should RSA be
patented?'' don't get in the way of technical discussions. Many
sci.crypt readers also read misc.legal.computing, comp.org.eff.talk,
comp.patents, sci.math, comp.compression, talk.politics.crypto,
et al.; for the benefit of people who don't care about those other
topics, try to put your postings in the right group.
Questions about microfilm and smuggling and other non-cryptographic
``spy stuff'' don't belong in sci.crypt either.
2.3. How do I present a new encryption scheme in sci.crypt?
``I just came up with this neat method of encryption. Here's some
ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
doubt questions like this are the most annoying traffic on sci.crypt.
If you have come up with an encryption scheme, providing some
ciphertext from it is not adequate. Nobody has ever been impressed by
random gibberish. Any new algorithm should be secure even if the
opponent knows the full algorithm (including how any message key is
distributed) and only the private key is kept secret. There are some
systematic and unsystematic ways to take reasonably long ciphertexts
and decrypt them even without prior knowledge of the algorithm, but
this is a time-consuming and possibly fruitless exercise which most
sci.crypt readers won't bother with.
So what do you do if you have a new encryption scheme? First of all,
find out if it's really new. Look through this FAQ for references and
related methods. Familiarize yourself with the literature and the
introductory textbooks.
When you can appreciate how your cryptosystem fits into the world at
large, try to break it yourself! You shouldn't waste the time of tens
of thousands of readers asking a question which you could have easily
answered on your own.
If you really think your system is secure, and you want to get some
reassurance from experts, you might try posting full details of your
system, including working code and a solid theoretical explanation, to
sci.crypt. (Keep in mind that the export of cryptography is regulated
in some areas.)
If you're lucky an expert might take some interest in what you posted.
You can encourage this by offering cash rewards---for instance, noted
cryptographer Ralph Merkle is offering $1000 to anyone who can break
Snefru-4---but there are no guarantees. If you don't have enough
experience, then most likely any experts who look at your system will
be able to find a flaw. If this happens, it's your responsibility to
consider the flaw and learn from it, rather than just add one more
layer of complication and come back for another round.
A different way to get your cryptosystem reviewed is to have the NSA
look at it. A full discussion of this procedure is outside the scope
of this FAQ.
Among professionals, a common rule of thumb is that if you want to
design a cryptosystem, you have to have experience as a cryptanalyst.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************