Cryptography-Digest Digest #129, Volume #12      Wed, 28 Jun 00 11:13:00 EDT

Contents:
  Re: Another chaining mode (Runu Knips)
  what does it mean: "to find collision in bytes" ("MP")
  Re: RPK ([EMAIL PROTECTED])
  Re: Yardley: Codebreaking or Torture (John Savard)
  Re: Compression & Encryption in FISHYLAND (John Savard)
  Re: Another chaining mode (Mark Wooding)
  Re: Sellotape and scotch tape ("Scott Fluhrer")
  Re: Yardley: Codebreaking or Torture (jungle)
  Which algorithm? (dexMilano)
  very large primes ([EMAIL PROTECTED])
  Re: Algo's with no easy attacks? ("Nick Davies")
  Re: Yardley: Codebreaking or Torture (Mark Wooding)
  Re: Which algorithm? (Mark Wooding)
  Re: very large primes (Mark Wooding)
  Re: Thoughts on "Cracking" of Genetic Code (JCA)
  Re: scramdisk and e4m security problem? (Michael Gu)
  Re: How Uncertain? (Tim Tyler)
  Re: Compression and known plaintext in brute force analysis (restatements caused by the missing info .... thread) (Guy Macon)
  Re: very large primes (John Myre)
  Re: Dynamical Cryptography algorithm (Mark Wooding)

----------------------------------------------------------------------------

Date: Wed, 28 Jun 2000 13:10:43 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Another chaining mode

Mark Wooding wrote:
> Runu Knips <[EMAIL PROTECTED]> wrote:
> > I had another idea about chaining modes. Instead of using the
> > block cipher as a blackbox, one could parameterize it with
> > the last block,
> 
> This sounds like an excellent way to make chosen plaintext attacks more
> effective!  Choosing values which get inserted into the middle of a
> cipher seems much more useful than merely adjusting what gets put in at
> the top and looking at what comes out the bottom. ;-)
> 
> I wholeheartedly approve.  <fx: gleefully rubs hands together>

Hmm good point. :)

------------------------------

From: "MP" <[EMAIL PROTECTED]>
Subject: what does it mean: "to find collision in bytes"
Date: Wed, 28 Jun 2000 13:30:57 +0200

What does that term mean in cryptanalysis?

Martin



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: RPK
Date: Wed, 28 Jun 2000 11:31:39 GMT

Based on what the authors say, its main advantage is that it works very
well with a connectionless protocol like UDP: you can miss bits of your
message and still be able to decode the rest. It is based on an
"on-the-fly" cipher/decipher synchronisation of the encryptor source and
the decryptor destination.

In article <8j8f13$be0$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David A. Wagner) wrote:
> In article <[EMAIL PROTECTED]>,
> Doug Kuhlman  <[EMAIL PROTECTED]> wrote:
> > What is RPK?  I've never heard of it....
>
> I think it's been discussed here in the past.
>
> If I remember correctly, it combines Diffie-Hellman over GF(2^n) with
> some home-brew stream cipher over GF(2^n), re-using the same field
> representations for both.  Diffie-Hellman over GF(2^n) is a fine idea;
> building your own stream cipher rarely is.
>
> Anyway, I don't know of any advantage to RPK over just using
> Diffie-Hellman and your favorite cipher (Blowfish, 3DES,
> Rijndael, ...).
>


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Yardley: Codebreaking or Torture
Date: Wed, 28 Jun 2000 13:11:04 GMT

On 28 Jun 2000 03:39:41 GMT, [EMAIL PROTECTED] (UBCHI2) wrote, in
part:

>I am reading Yardley's book called the Chinese Black Chamber.  In it he admits
>to using sodium pentothal and a second drug on captured prisoners in order to
>get them to reveal Japanese encryption techniques.

>Was he a master codebreaker or a torturer?  Has history treated him too well?
>Certainly, his codebreaking techniques would be considered human rights abuses
>today.

Considering the way the Japanese treated prisoners of war, or the way
they behaved in cities they occupied, that resisting conquest by them
was a desperate matter, not one that could be taken casually enough to
allow squeamishness to hamper it should be obvious. And the use of
drugs in this fashion would have seemed humane compared to direct,
conventional techniques of torture.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Compression & Encryption in FISHYLAND
Date: Wed, 28 Jun 2000 13:21:48 GMT

On 27 Jun 2000 21:47:56 -0700, [EMAIL PROTECTED] (Kurt Shoens)
wrote, in part:

>Is the "minor problem" really worth any attention at all?

Maybe not. Claiming that solving it is a _sine qua non_, I agree, is
wrongheaded, and this is the sort of thing that makes Mr. Scott get
tiring rather quickly.

So I'm not going to defend the importance of solving the problem. As
my web pages deal with cryptographic systems throughout history, and
people had on occasion used systems weaker than an AES finalist, I can
defend discussing such issues there simply because this was a
consideration that at one time was more important than it is now.

In general, however, if people are going to the trouble of encrypting
their messages, it is possible that their desire these messages not be
read may possess some degree of ... emotional intensity. Historically,
again, as the most notable traditional use of cryptography was for
communications in wartime, lives may have depended on this.

Hence, any problem that it is _possible_ to correct, particularly at
reasonable cost and effort, is likely to be addressed in practice
regardless of how minor it may be. It is also a truism that over the
ages, many cryptographic systems thought to be absolutely secure in
fact had weaknesses that were overlooked by their designers and users;
thus, it does make sense to take even the AES winner, and try to use
it in such a way that *if* it did turn out to have a weakness, it
would be impossible to exploit that weakness (i.e., use whitening or
other measures to prevent known-plaintext attacks) to read the
messages sent before the weakness became known.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Another chaining mode
Date: 28 Jun 2000 13:31:21 GMT

Runu Knips <[EMAIL PROTECTED]> wrote:
> Mark Wooding wrote:
> > Runu Knips <[EMAIL PROTECTED]> wrote:
> > > I had another idea about chaining modes. Instead of using the
> > > block cipher as a blackbox, one could parameterize it with
> > > the last block,
> > 
> > This sounds like an excellent way to make chosen plaintext attacks more
> > effective!  Choosing values which get inserted into the middle of a
> > cipher seems much more useful than merely adjusting what gets put in at
> > the top and looking at what comes out the bottom. ;-)
> > 
> > I wholeheartedly approve.  <fx: gleefully rubs hands together>
> 
> Hmm good point. :)

Maybe this is an appropriate point to mention a possible chaining mode I
thought up a while ago.  It's not very practical, and I don't actually
recommend its use.  It halves the speed of a block cipher, and works
best on ciphers with a large block size.  It also propagates errors
rather effectively (which probably isn't a good thing).  Let's call it
half-block chaining (HBC).

We split the plaintext and ciphertext blocks into two halves, and I'll
write (x', y') = E_k(x, y) to denote that the result of encrypting the
plaintext half-pair (x, y) is (x', y').

Let the plaintext to be encrypted be x_0, x_1, ...  Choose a half-width
initialization vector y_0.  We then define the ciphertext z_0, z_1,
... and the remaining y_i by the simple relation:

  (z_i, y_{i+1}) = E_k(x_i, y_i)   i >= 0

Clearly, we need to decrypt *backwards* to get this to actually work
properly.

I can't see that this weakens the cipher in any particularly meaningful
way: after all, any known- or chosen-plaintext attack translates
immediately into a similar attack against the underlying cipher.  Even
so, I don't think doing silly things with chaining modes is a good idea.

-- [mdw]
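The half-block chaining scheme described above, as an added example (this is my code, not Mark Wooding's, and he does not recommend the mode either). It assumes AES-128 as E_k, so each 16-byte block is a pair of 8-byte halves, and it assumes the final half y_n is sent along with z_0..z_{n-1}, since the backwards decryption has to start from it; the key, IV and plaintext are constructed values. The main() also flips one bit in z_2 to show the error propagation the post mentions: because decryption runs backwards, the damage reaches x_2 and every earlier block (and the recovered IV) while the later blocks survive.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// Each AES block (16 bytes) is treated as two halves of 8 bytes.
const half = 8

// hbcEncrypt computes (z_i, y_{i+1}) = E_k(x_i, y_i) for every plaintext
// half-block x_i. It returns the ciphertext halves z_0..z_{n-1} and the final
// half y_n, which the receiver needs in order to decrypt (backwards).
func hbcEncrypt(key, iv []byte, x [][]byte) ([][]byte, []byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	y := append([]byte(nil), iv...)
	z := make([][]byte, len(x))
	in := make([]byte, 2*half)
	out := make([]byte, 2*half)
	for i, xi := range x {
		if len(xi) != half || len(y) != half {
			return nil, nil, fmt.Errorf("half-block %d has wrong length", i)
		}
		copy(in[:half], xi)
		copy(in[half:], y)
		block.Encrypt(out, in)
		z[i] = append([]byte(nil), out[:half]...)
		y = append([]byte(nil), out[half:]...)
	}
	return z, y, nil
}

// hbcDecrypt runs the chain in reverse: (x_i, y_i) = D_k(z_i, y_{i+1}),
// starting from y_n and ending at y_0, the IV, which is returned as well.
func hbcDecrypt(key, yFinal []byte, z [][]byte) ([][]byte, []byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	y := append([]byte(nil), yFinal...)
	x := make([][]byte, len(z))
	in := make([]byte, 2*half)
	out := make([]byte, 2*half)
	for i := len(z) - 1; i >= 0; i-- {
		if len(z[i]) != half || len(y) != half {
			return nil, nil, fmt.Errorf("half-block %d has wrong length", i)
		}
		copy(in[:half], z[i])
		copy(in[half:], y)
		block.Decrypt(out, in)
		x[i] = append([]byte(nil), out[:half]...)
		y = append([]byte(nil), out[half:]...)
	}
	return x, y, nil
}

// splitHalves cuts a buffer whose length is a multiple of 8 into half-blocks.
func splitHalves(b []byte) [][]byte {
	var halves [][]byte
	for i := 0; i+half <= len(b); i += half {
		halves = append(halves, b[i:i+half])
	}
	return halves
}

func main() {
	key := []byte("0123456789abcdef") // constructed AES-128 key
	iv := []byte("IVIVIVIV")          // constructed half-width IV y_0
	pt := []byte("half-block chaining demo, 40 bytes long!")
	z, yn, err := hbcEncrypt(key, iv, splitHalves(pt))
	if err != nil {
		panic(err)
	}
	for i, zi := range z {
		fmt.Printf("z_%d = %x\n", i, zi)
	}
	fmt.Printf("y_n = %x\n", yn)
	x, iv2, _ := hbcDecrypt(key, yn, z)
	fmt.Printf("recovered: %q (iv recovered: %v)\n", bytes.Join(x, nil), bytes.Equal(iv2, iv))

	// Error propagation: a single flipped bit in z_2 garbles x_2, x_1 and x_0,
	// but x_3 and x_4 are decrypted before the damaged half is reached.
	z[2][0] ^= 0x80
	x, _, _ = hbcDecrypt(key, yn, z)
	for i := range x {
		fmt.Printf("x_%d intact after corrupting z_2: %v\n", i, bytes.Equal(x[i], pt[i*half:(i+1)*half]))
	}
}
```

Note that the transmitted ciphertext (z_0..z_{n-1} plus y_n) is one half-block longer than the plaintext, and that every block-cipher call yields only a half-block of ciphertext, which is exactly the halving of throughput the post describes.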

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Sellotape and scotch tape
Date: Wed, 28 Jun 2000 06:35:39 -0700


John Myre <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> This is way off-topic, except that Sellotape was actually
> mentioned in another post.
>
> I forget, there is a word for when a brand name becomes the
> (de facto) general term.  Good examples in the US include
> zipper, kleenex, and the aforementioned scotch tape.  In each
> case, using the "proper" generic term is rare.  Anybody
> remember what this is called?
>
> Meanwhile, this is the first I've heard of Sellotape.  Is it
> sold in the US?  Is Scotch tape sold in the UK?
>
> Is there a term for the reverse process?  That is, a general
> term that is appropriated as a brand name.  Examples could
> include PC (the IBM one) and Windows (Microsoft).

ObNit: "PC" is not an example.  The first usage of the term (AFAIK), either
as the abbreviation, or the full term "Personal Computer", was as the
product name (and marketing hype) of the "IBM PC".  If anything, it's an
example of a brand name becoming a generic name (and yes, I forget what
that's called too).

--
poncho





------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: Yardley: Codebreaking or Torture
Date: Wed, 28 Jun 2000 10:08:44 -0400

John Savard wrote:
> And the use of
> drugs in this fashion would have seemed humane compared to direct,
> conventional techniques of torture.

"conventional techniques of torture" beautiful expression ...



------------------------------

From: dexMilano <[EMAIL PROTECTED]>
Subject: Which algorithm?
Date: Wed, 28 Jun 2000 14:03:54 GMT

Our attempt to implement TEA in WML script was unsuccessful.
I have a problem with the algorithm because after a few cycles I get an
overflow error (all serious languages don't stop after an overflow but set
the equivalent value with the number of bits: they cut the extra bits).
So all algorithms with "cycling" are not useful.

Do you know another kind of algorithm I can use?

I thought of substitution but it's too simple.
Do you know some kind of variation I can use to make it more secure?

thx

dex


Sent via Deja.com http://www.deja.com/
Before you buy.
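An added example for the overflow problem dex describes (my code, not dex's WML script and not the TEA authors' reference code): TEA written twice in Go, once relying on uint32 wraparound and once in uint64 with an explicit mask applied after every addition and left shift, which is the idiom for an environment whose integers do not wrap silently. The key and plaintext words are constructed values; the point of the example is that the two versions agree word for word and both round-trip.

```go
package main

import "fmt"

// TEA: 64-bit block, 128-bit key, 32 rounds (Wheeler and Needham).
const (
	delta  = 0x9E3779B9
	rounds = 32
	mask32 = 0xFFFFFFFF
)

// teaEncrypt32 relies on the language wrapping uint32 arithmetic mod 2^32.
func teaEncrypt32(v0, v1 uint32, k [4]uint32) (uint32, uint32) {
	var sum uint32
	for i := 0; i < rounds; i++ {
		sum += delta
		v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1])
		v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3])
	}
	return v0, v1
}

func teaDecrypt32(v0, v1 uint32, k [4]uint32) (uint32, uint32) {
	var sum uint32 = 0xC6EF3720 // 32 * delta mod 2^32
	for i := 0; i < rounds; i++ {
		v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3])
		v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1])
		sum -= delta
	}
	return v0, v1
}

// The masked versions keep every intermediate value below 2^32 by hand.
// Inputs are below 2^32, a shift by 4 stays below 2^36 and a sum below 2^37,
// so no wider overflow can occur: the mask is the only reduction needed.
func add32(a, b uint64) uint64      { return (a + b) & mask32 }
func sub32(a, b uint64) uint64      { return (a + 1<<32 - b) & mask32 } // never goes negative
func shl32(a uint64, n uint) uint64 { return (a << n) & mask32 }

func teaEncryptMasked(v0, v1 uint64, k [4]uint64) (uint64, uint64) {
	var sum uint64
	for i := 0; i < rounds; i++ {
		sum = add32(sum, delta)
		v0 = add32(v0, add32(shl32(v1, 4), k[0])^add32(v1, sum)^add32(v1>>5, k[1]))
		v1 = add32(v1, add32(shl32(v0, 4), k[2])^add32(v0, sum)^add32(v0>>5, k[3]))
	}
	return v0, v1
}

func teaDecryptMasked(v0, v1 uint64, k [4]uint64) (uint64, uint64) {
	sum := uint64(0xC6EF3720)
	for i := 0; i < rounds; i++ {
		v1 = sub32(v1, add32(shl32(v0, 4), k[2])^add32(v0, sum)^add32(v0>>5, k[3]))
		v0 = sub32(v0, add32(shl32(v1, 4), k[0])^add32(v1, sum)^add32(v1>>5, k[1]))
		sum = sub32(sum, delta)
	}
	return v0, v1
}

func main() {
	// Constructed key and plaintext words.
	k32 := [4]uint32{0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210}
	k64 := [4]uint64{0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210}
	c0, c1 := teaEncrypt32(0x12345678, 0x9abcdef0, k32)
	m0, m1 := teaEncryptMasked(0x12345678, 0x9abcdef0, k64)
	fmt.Printf("wrapping uint32: %08x %08x\n", c0, c1)
	fmt.Printf("masked uint64:   %08x %08x\n", m0, m1)
	p0, p1 := teaDecryptMasked(m0, m1, k64)
	fmt.Printf("decrypted:       %08x %08x\n", p0, p1)
}
```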

------------------------------

From: [EMAIL PROTECTED]
Subject: very large primes
Date: Wed, 28 Jun 2000 14:08:51 GMT

is (n!-1) always a prime, and does anyone know of a proof or disproof?

thanks,
vedaal


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Nick Davies" <[EMAIL PROTECTED]>
Subject: Re: Algo's with no easy attacks?
Date: Wed, 28 Jun 2000 16:24:17 +0100


"Eric Lee Green" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> matt wrote:
> > I don't have much experience in matters such as this, so are there
> > any/many algorithms which are freely available, which don't suffer
> > from any known attacks such as this.
>
> No commonly-accepted public algorithm, such as 3DES, IDEA, Blowfish, or
> Twofish, has known attacks upon the algorithm itself. However, a secure
> algorithm is no help if you do not have a secure protocol.
>
> For example, one early version of Windows NT password handling sent an
> encrypted version of the password across the network to the NT server,
> which the NT server then compared against its own copy of the password
> and then said "Okay, this guy has permission to log in to me." The
> problem was that there was no "salt" value mixed in with the password.
> Thus someone could intercept the encrypted password using a network
> sniffer tool, then log in and send that same encrypted password --
> despite not knowing the plaintext of the password (i.e., the encryption
> algorithm was secure). Thus an unauthorized person could gain access to
> the server.
>
> This is called a "replay" attack. It is typical of the kinds of attacks
> against modern networked systems, none of which directly attack the
> cipher, but, rather, attack the system around it. Heading off replay
> attacks means using sequence numbers, salt values, message
> authentication digests, and public key encryption

You forgot to mention Derived Unique Key Per Transaction. A replay attack is
prevented because a sequence number is used to produce a new encryption key,
based on a base derivation key, known to both ends.

Nick Davies
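Nick's per-transaction key idea as an added example (my code, a simplified model of the idea rather than the ANSI X9.24 DUKPT key ladder, and not from any product in the thread): transactionKey derives a fresh AES-128 key from a base derivation key and the transaction counter with HMAC-SHA256, seal encrypts under that key with AES-GCM, and the receiver accepts a packet only if its counter is above the last one it accepted, so a captured packet sent again later is refused before any cryptography runs. The base key, messages and counter values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// transactionKey derives the key for one transaction from the base derivation
// key (BDK) shared by both ends and the transaction counter. Counters start at 1.
func transactionKey(bdk []byte, counter uint64) []byte {
	mac := hmac.New(sha256.New, bdk)
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac.Write([]byte("txn-key"))
	mac.Write(ctr[:])
	return mac.Sum(nil)[:16] // AES-128 key
}

// nonceFor carries the counter in the GCM nonce. Uniqueness already comes from
// the per-transaction key; this just keeps both sides trivially in step.
func nonceFor(counter uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], counter)
	return n
}

// seal produces counter || AES-GCM(msg). The counter header is authenticated
// as associated data, so it cannot be altered without breaking the tag.
func seal(bdk []byte, counter uint64, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(transactionKey(bdk, counter))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, counter)
	packet := append([]byte(nil), hdr...)
	return gcm.Seal(packet, nonceFor(counter), msg, hdr), nil
}

// Receiver remembers the highest counter it has accepted; anything at or
// below it is treated as a replay.
type Receiver struct {
	bdk      []byte
	lastSeen uint64
}

func (r *Receiver) Open(packet []byte) ([]byte, error) {
	if len(packet) < 8 {
		return nil, errors.New("short packet")
	}
	hdr, body := packet[:8], packet[8:]
	counter := binary.BigEndian.Uint64(hdr)
	if counter <= r.lastSeen {
		return nil, fmt.Errorf("replay: counter %d is not above %d", counter, r.lastSeen)
	}
	block, err := aes.NewCipher(transactionKey(r.bdk, counter))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, nonceFor(counter), body, hdr)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	r.lastSeen = counter // advance only after a genuine packet
	return msg, nil
}

func main() {
	bdk := []byte("base-derivation-key-constructed!") // constructed shared BDK
	r := &Receiver{bdk: bdk}
	p1, _ := seal(bdk, 1, []byte("debit 12.50"))
	m, err := r.Open(p1)
	fmt.Printf("first delivery: %q, err=%v\n", m, err)
	_, err = r.Open(p1)
	fmt.Printf("same packet again: err=%v\n", err)
	p2, _ := seal(bdk, 2, []byte("debit 3.00"))
	m, err = r.Open(p2)
	fmt.Printf("next transaction: %q, err=%v\n", m, err)
}
```

The receiver state is a single counter, which also rejects packets that arrive out of order; a transport that reorders, such as UDP, would need a sliding window of seen counters instead of a strict high-water mark.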




------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Yardley: Codebreaking or Torture
Date: 28 Jun 2000 14:25:18 GMT

jungle <[EMAIL PROTECTED]> wrote:

> "conventional techniques of torture" beautiful expression ...

See, for example Krousher, Richard W., `Physical Interrogation
Techniques', published by Loompanics.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Which algorithm?
Date: 28 Jun 2000 14:30:42 GMT

dexMilano <[EMAIL PROTECTED]> wrote:

> I thought to substitution but it's too simple.
> DO you know some kind of variation i can use to make it more secure.

You could try implementing RC4.  It's very simple.  See, for example

  ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/rc4.revealed.gz

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: very large primes
Date: 28 Jun 2000 14:41:48 GMT

[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> is (n!-1) always a prime, and does anyone know of a proof or disproof?

8! - 1 = 40319 = 23 x 1753

-- [mdw]

------------------------------

From: JCA <[EMAIL PROTECTED]>
Subject: Re: Thoughts on "Cracking" of Genetic Code
Date: Wed, 28 Jun 2000 07:55:47 -0700

    Though a nice achievement I think there is too much in
the way of media hoopla about it. My understanding (and
I'd very much like for someone with nontrivial genetics
and biochemistry savvy to comment on this) is that they
now know what precise sequence of the four bases comprises
the human DNA.

    It's like being able to tell the exact string of symbols that
constitute, say, The Tiger, Rustaveli's Georgian epic. If you
know no Georgian and want nevertheless to understand the
poem then this is the point at which the real work begins.

    In a nutshell, what has been achieved is fine, but a piece
of cake when compared with what is left to do.



Information System wrote:

>         I know that this is off the explicit subject of the
> group, but I am interested in the reaction of others to the
> wording of news stories that state that the genetic code has
> been "cracked," drawing comparisons to a cryptographic
> solution.  As I understand it, what has been accomplished is
> the compilation, in crypto terms, of a complete and possibly
> accurate transcription of the ciphertext.   This is a
> beginning, but hardly a "cracking."    As a continuation of the
> original thought, my other question is to ask if anyone has any
> thoughts on the potential or actual applications of
> cryptanalytic techniques to the decoding of DNA  in the sense
> of decoding meaning from existing sequences, or even encoding
> desired messages to create desired results.
>
> Ernest Brandt


------------------------------

From: Michael Gu <[EMAIL PROTECTED]>
Subject: Re: scramdisk and e4m security problem?
Date: Wed, 28 Jun 2000 14:58:33 GMT

Mack wrote:

> >They seems to be using per sector CBC block cipher mode. I think there
> >are lot of 'blank' sectors - sectors with all 0's on a disk, and that
> >will produce a lot of sectors with same cipher code. Thus, an attacker
> >can obtain the cipher of all 0's easily -- might aid the attack greatly
> >to crack the code.
> >
> >
> >I wonder is there any answer to this problem?
> >
>
> Yes, use a different IV for each sector
> try MD5(sector number | key) or some
> variation like that. Or even DES(key,sector number).
> That should complicate things a good bit.
>
> Mack
> Remove njunk123 from name to reply by e-mail

Ok, this does complicate things, but by how much?

The attacker can use the same IV to get the plain text. The problem now is
that he is not sure which block is all zero. But I guess he can try it out,
by assuming it is all zero.

I was thinking of something different. Maybe we can use a key-IV-initiated
PRNG to xor the sector before encrypting it. That way, an attacker would
not be able to know the plain text. It seems to be a more complicated
calculation, however.
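An added example of the per-sector IV fix from Mack's reply (my code, not from ScramDisk or E4M): it uses constructed 64-byte sectors instead of real 512-byte ones, a constructed volume key, and the IV obtained by encrypting the sector number under a separate key (Mack's "DES(key, sector number)" idea, done with AES here). The function countDuplicateSectors encrypts a small disk image and reports how many ciphertext sectors are byte-for-byte copies of an earlier one: with a fixed IV every blank sector after the first repeats, which is the leak Michael describes; with a per-sector IV none do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed small sector for the demo; real sectors are 512 bytes or more.
const sectorSize = 64

// fixedIV is the weakness discussed in the thread: one IV for every sector.
func fixedIV(_ uint64) []byte { return make([]byte, aes.BlockSize) }

// sectorIV derives a per-sector IV by encrypting the sector number under a
// separate IV key, so the IV is distinct per sector and not predictable to
// anyone without that key. ivKey is a constructed value here.
func sectorIV(ivKey []byte) func(uint64) []byte {
	block, err := aes.NewCipher(ivKey)
	if err != nil {
		panic(err)
	}
	return func(n uint64) []byte {
		in := make([]byte, aes.BlockSize)
		binary.LittleEndian.PutUint64(in, n)
		out := make([]byte, aes.BlockSize)
		block.Encrypt(out, in)
		return out
	}
}

// encryptSector CBC-encrypts one sector with the IV chosen by ivFor.
func encryptSector(key []byte, ivFor func(uint64) []byte, n uint64, sector []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(sector))
	cipher.NewCBCEncrypter(block, ivFor(n)).CryptBlocks(out, sector)
	return out
}

// countDuplicateSectors encrypts every sector and counts the ciphertext
// sectors that are identical to an earlier one.
func countDuplicateSectors(key []byte, ivFor func(uint64) []byte, disk [][]byte) int {
	seen := map[string]bool{}
	dups := 0
	for n, s := range disk {
		c := string(encryptSector(key, ivFor, uint64(n), s))
		if seen[c] {
			dups++
		}
		seen[c] = true
	}
	return dups
}

func main() {
	key := []byte("volume-key-16-by")   // constructed AES-128 volume key
	ivKey := []byte("iv-key-sixteen-b") // constructed AES-128 IV key
	// Eight sectors, six of them blank (all zero), two holding file data.
	disk := make([][]byte, 8)
	for i := range disk {
		disk[i] = make([]byte, sectorSize)
	}
	copy(disk[1], "some file data in sector one")
	copy(disk[5], "more file data in sector five")
	fmt.Println("repeated ciphertext sectors, fixed IV:     ", countDuplicateSectors(key, fixedIV, disk))
	fmt.Println("repeated ciphertext sectors, per-sector IV:", countDuplicateSectors(key, sectorIV(ivKey), disk))
}
```

The per-sector IV removes the "identical ciphertext" signal that tells an observer which sectors hold the same content; it does not hide that a blank sector's plaintext is easy to guess, which is Michael's remaining concern, and is why the block cipher underneath still has to withstand known-plaintext attacks on its own.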



------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: How Uncertain?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 28 Jun 2000 14:09:29 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:

[entropy?]

: There is a certain asymptotic "entropy per character"
: in newsgroup traffic, reflecting the predictability
: of the next character from what has gone before.  It
: appears that there are at least 6 bits of entropy per
: 8-bit octet of uncompressed newsgroup plaintext,
: maybe closer to 7.

Curious.  According to BS's AC, the entropy per byte of English text is
somewhere around 1.5 bits/byte (see p. 234).

I doubt usenet messages are terribly different.  Your estimate would
make more sense if it referred to the /lack/ of entropy.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  This tagline no verb.

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Compression and known plaintext in brute force analysis (restatements caused by the missing info .... thread)
Date: 28 Jun 2000 11:03:42 EDT

Darren New wrote:
>
>zapzing wrote:
>> If you still disagree, I challenge you to
>> present a "compression" algorithm that will
>> compress *all* files without loss of
>> information.
>
>Actually, it's theoretically impossible, assuming the input alphabet is the
>same as the output alphabet. Otherwise, one could keep feeding the output
>back into the input until you reached a minimum size (1 byte or whatever). 
>

Nonsense!  I just sat down and wrote such a compression routine.  It works
fine and, after a little tweaking, compressed my RedHat Linux CD down to
a single bit!

I have a couple of minor bugs in the extraction routine, but I should have
those fixed before lunch...


------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: very large primes
Date: Wed, 28 Jun 2000 08:58:53 -0600

[EMAIL PROTECTED] wrote:
> 
> is (n!-1) always a prime, and does anyone know of a proof or disproof?
> 

(5! - 1) = 7 * 17

(In case it isn't clear to anyone, the above is a simple
counterexample, and therefore an immediate disproof.  One
ought usually to check a few cases first.)

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Dynamical Cryptography algorithm
Date: 28 Jun 2000 15:06:17 GMT

Sylvain Martinez <[EMAIL PROTECTED]> wrote:

> 1) It is dynamical: the user, by changing parameters, really changes the
> way the algorithm works. I know that Blowfish lets you choose the size
> of the block you want to crypt, but I think BUGS goes a little further.

Quick!  Tell Bruce Schneier!  I'm sure he'd be delighted to know that
Blowfish has a variable block size.

> 2) It is different from the existing cryptography algorithms as it does
> not use complex mathematical formulas but a logical algorithm.

Which particular ciphers are you thinking of here?  Please ensure that
your answer clearly distinguishes your cipher from RC4, SEAL, CAST128,
Khufu, DES, and Hasty Pudding in this respect.

> 3) The algorithm has been designed to take advantage of any type of
> integer width (16, 32, 64, 128, etc.).
> If you crypt a file using 32-bit integers you can only decrypt it if you
> use 32-bit integers again...

Then it's a family of incompatible algorithms.

-- [mdw]

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
