Cryptography-Digest Digest #144, Volume #12 Sat, 1 Jul 00 03:13:01 EDT
Contents:
Re: searching for a special GUI crypto tool (JPeschel)
Re: Newbie question about factoring ("Scott Fluhrer")
Re: Sellotape and scotch tape ("Scott Fluhrer")
Re: An encryption protocol, version 2 (David A. Wagner)
Re: An encryption protocol, version 2 (David A. Wagner)
Re: Encryption and IBM's 12 teraflop MPC...... ("CrakMan")
Re: Newbie question about factoring ([EMAIL PROTECTED])
Re: Newbie question about factoring (Daniel A. Jimenez)
Re: Encryption and IBM's 12 teraflop MPC...... ([EMAIL PROTECTED])
Re: Newbie question about factoring (David Blackman)
Re: Remark on practical predictability of sequences ("John A. Malley")
Re: Another chaining mode (Benjamin Goldberg)
Re: very large primes (Benjamin Goldberg)
Re: An encryption protocol, version 2 (Dido Sevilla)
Re: Certificate authorities (CAs) - how do they become trusted authorities ?? (Greg)
Re: Certificate authorities (CAs) - how do they become trusted authorities ?? (Greg)
Re: Is this a HOAX or RSA is REALLY broken?!? (Greg)
Re: Another chaining mode (Boris Kazak)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: searching for a special GUI crypto tool
Date: 01 Jul 2000 01:14:26 GMT
Thanks, Jim. That should settle it.
Joe
Jim Gillogly [EMAIL PROTECTED] writes:>tl_jergen wrote:
>>
>> In article <[EMAIL PROTECTED]>,
>> [EMAIL PROTECTED] (JPeschel) wrote:
>> > I've never heard of the stuff on the French
>> > web page you mention, but Gregory Braun's
>> > Crypto 3.5 is snake-oil.
>>
>> I cant phantom why on earth you think Crypto 3.5 is snakeoil. It uses
>> the Blowfish algy in this proggy. Do you really think you can break
>> Blowfish!!! Do you really have informations for us on easy ways to break
>> 2^128 bits encryption. I think *not*!!! You better do more studying
>> before you suggest to us that Blowfish & this proggie are snakeoil!
>
>Joe has backup for this assertion. See:
>http://www.fortunecity.com/skyscraper/coding/379/caz6a.htm
>which can be reached from Joe's page at:
>http://members.aol.com/jpeschel/crack.htm
>
>Executive summary: Casimir says Braun only pretends to use Blowfish, but
>actually uses a weak proprietary algorithm, and he tells how to break it.
>--
> Jim Gillogly
> Sterday, 7 Afterlithe S.R. 2000, 19:06
> 12.19.7.6.1, 8 Imix 4 Tzec, Fourth Lord of Night
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Crossposted-To: comp.theory
Subject: Re: Newbie question about factoring
Date: Fri, 30 Jun 2000 18:02:27 -0700
Dido Sevilla <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] wrote:
> >
> > In the FAQs for sci.crypt and rsasecurity.com
> > it is stated that the security of RSA depends
> > (partially) on the assumption that factoring is
> > hard. Does this mean the assumption that
> > factoring is NP-hard and, if not, then how
> > hard? Also, can factoring be described as a
> > decision problem?
>
> Factoring is not NP-hard (at least, not if P!=NP). Just very, very
> difficult. All known algorithms for factoring take time proportional to
> the size of the number being factored. No one has been able to find an
> algorithm for factoring that takes time proportional to a polynomial in
> the number of digits of the number to be factored (or equivalently, the
> logarithm of the number to factor). Factoring has already been
> classified as an NP-incomplete problem, not an NP-complete one. Unless
> someone has come up with a polynomial-time algorithm for converting
> factoring into satisfiability or some other proven NP-complete
> problem...
To be pedantic, no one has shown whether Factorization is NP-hard or not.
Yes, we have some suggestive evidence that it is not (eg. it being NP-hard
would imply a subexponential solution of all NP problems, and would imply
that NP=coNP, neither of which appear especially likely), but that evidence
is not mathematical proof.
Without such a proof, no one who knows anything about the subject would
classify it as NP-complete, or NP-incomplete.
--
poncho
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Sellotape and scotch tape
Date: Fri, 30 Jun 2000 18:21:52 -0700
John M. Gamble <[EMAIL PROTECTED]> wrote in message
news:8jjg7j$sbj$[EMAIL PROTECTED]...
> In article <8jcvsn$8ck$[EMAIL PROTECTED]>,
> Scott Fluhrer <[EMAIL PROTECTED]> wrote:
> >
> >John Myre <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >>
> >> This is way off-topic, except that Sellotape was actually
> >> mentioned in another post.
> >>
> >> I forget, there is a word for when a brand name becomes the
> >> (de facto) general term. Good examples in the US include
> >> zipper, kleenex, and the aforementioned scotch tape. In each
> >> case, using the "proper" generic term is rare. Anybody
> >> remember what this is called?
> >>
> >> Meanwhile, this is the first I've heard of Sellotape. Is it
> >> sold in the US? Is Scotch tape sold in the UK?
> >>
> >> Is there a term for the reverse process? That is, a general
> >> term that is appropriated as a brand name. Examples could
> >> include PC (the IBM one) and Windows (Microsoft).
> >ObNit: "PC" is not an example. The first usage of the term (AFAIK),
either
> >as the abrieviation, or the full term "Personal Computer", was as the
> >product name (and marketing hype) of the "IBM PC". If anything, it's an
> >example of a brand name becoming a generic name (and yes, I forget what
> >that's called too).
>
> Er, no actually. PC was the term for personal computer before IBM
> marketroids tried to hijack the name (for a while, successfully). If
> you can find some old Byte magazines you can confirm this.
Ok, I'll take your word for it. Maybe it just wasn't used in my neck of the
woods at the time... (odd, I was reading Byte pretty faithfully back
then...)
>
> Or, if you are willing to take my word for it, i could tell you of a
> certain low level of resentment amongst the early computer users
> (personal or otherwise) against IBM for such a manuever.
>
> This was, after all, back in the days when there were a lot more PC
> (IBM or otherwise) companies than there are now, and CP/M was still a
> viable competitor vs. MS-DOS (i was working for a company that had to
> support a program that ran on either system at the time).
Actually, if we are talking about immediately before the IBM PC was
released, IBM was considered a mainframe (read: dinosaur) manufacturer, and
CP/M (actually, CP/M80) ruled.
And yes, I was also at a company that did dual development on CP/M86 and
MS-DOS, until it because obvious no one was using CP/M86. Switching from
MS-DOS to CP/M86 was a major pain, because the only editor under MS-DOS at
the time (the dreaded EDLIN) required you to hit "CTL-BREAK" to exit insert
mode, which the CP/M86 editor interpreted as "exit, and don't save". Those
were not the days...
--
poncho
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: An encryption protocol, version 2
Date: 30 Jun 2000 18:16:01 -0700
In article <[EMAIL PROTECTED]>,
Mark Wooding <[EMAIL PROTECTED]> wrote:
> 1. C_i --> S: i
> 2. S --> C_i: E_{K_i}(T_S, N_0, K)
> 3. C_i --> S: E_K(T'_{C_i}, N_1)
> 4. S --> C_i: E_K(T'_S, N_2)
> 5. C_i --> S: E_K(M, H(M))
More analysis:
1. If E_.(.) represents just encryption (with no integrity protection,
i.e., no MAC), then there may be attacks. Use a MAC.
2. As Mark Wooding says, E_K(M, H(M)) does not provide integrity protection
if H is any unkeyed hash. (I've posted why numerous times, and I think
there is an explanation in _The Handbook of Applied Cryptography_.)
Use a MAC.
3. If the K_i's are public keys, beware: the server is never authenticated.
In this case, the server should sign (T_S, N_0, K) before encrypting.
In general:
I'm not sure that it's a good idea to invent your own key-distribution
protocol -- they are extremely subtle and it is easy to make mistakes.
Is there any reason you can't use an existing one from the literature?
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: An encryption protocol, version 2
Date: 30 Jun 2000 18:20:29 -0700
In article <[EMAIL PROTECTED]>,
Dido Sevilla <[EMAIL PROTECTED]> wrote:
> Perhaps I
> should just use my encryption algo. as my MAC, or are there problems
> with using a block cipher as a MAC.
It's fine to use your block cipher in a CBC-MAC mode as your MAC.
But: Use independent keys for the MAC and for encryption; and, to
prevent certain attacks on CBC-MAC, encrypt its output an extra time
with a third key.
------------------------------
From: "CrakMan" <[EMAIL PROTECTED]>
Subject: Re: Encryption and IBM's 12 teraflop MPC......
Date: Fri, 30 Jun 2000 19:30:55 -0700
>From what I know about computer simulation (I have written more than a few)
the need for fast interprocess communication is all over the map. Some
problems need essentially no communication, others are absolutely bound by
this factor. There are a zillion shades of gray in between.
A brute force key search DOES lend itself very well to the low communication
end of the spectrum but I can see how implementing some fancy tricks to
focus the search could easily alter this situation.
JK
--
CRAK Software
http://www.crak.com
Password Recovery Software
QuickBooks, Quicken, Access...More
Spam bait (credit E. Needham):
root@localhost
postmaster@localhost
admin@localhost
abuse@localhost
webmaster@localhost
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] wrote:
> > The problems with a massively parallel array of general-purpose CPUs
> (as in the RS/6000) are twofold: (1) Not every problem lends itself
> to partitioning into a zillion parallel tasks; and (2) Bookkeeping
> (coordination) can sometimes be a major problem.
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: comp.theory
Subject: Re: Newbie question about factoring
Date: Sat, 01 Jul 2000 02:49:04 GMT
There is a pretty involved article in the P/NP problem at
www.claymath.org/prize_problems/p_vs_np.htm The last time I went there
they had a full mathematical explanation by Steven Cook, including
stuff on the difficulty of factoring.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Daniel A. Jimenez)
Crossposted-To: comp.theory
Subject: Re: Newbie question about factoring
Date: 30 Jun 2000 22:28:52 -0500
In article <8jj7u8$o3$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>Thanks for the reply. Since you seem to be an
>expert I will ask you another question:
>
>In RSA's FAQ it also states that Shor's
>(quantum) algorithm for factorization could do
>factoring in polynomial time if properly
>implemented. Additionally, it was proven that
>Shor's algorithm cannot be generalized for
>*all* NP problems. Does this imply that
>factoring *cannot* be NP-complete, or what
>does it mean?
I don't know the answer to this question, but since it was directed to me
I'll take a shot at it and invite the real experts to do the same.
It is unlikely that any result known today would easily imply that factoring
or any other non-trivial NP problem is not NP-complete, because a corollary
of such a result would be P!=NP and would have been immediately publicized in
this and other fora. I could be wrong, but I don't think that the existence
of Shor's algorithm implies much about the classical complexity of factoring.
I haven't kept up with current research in quantum computing, but I
believe that the question of whether a quantum computer is as powerful as a
non-deterministic Turing machine, in terms of polynomial-time reducibility,
is still open.
--
Daniel Jimenez [EMAIL PROTECTED]
"I've so much music in my head" -- Maurice Ravel, shortly before his death.
" " -- John Cage
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Encryption and IBM's 12 teraflop MPC......
Date: Sat, 01 Jul 2000 03:39:05 GMT
CrakMan <[EMAIL PROTECTED]> wrote:
> From what I know about computer simulation (I have written more than a few)
> the need for fast interprocess communication is all over the map. Some
> problems need essentially no communication, others are absolutely bound by
> this factor. There are a zillion shades of gray in between.
The ASCI machines from IBM may, in fact, have significant internode
communication. They're connected by special hardware, not a normal
network. IBM has years of experience in this field, so it's not
unreasonable to assume communication is at speeds close to the system
bus. I apologize if my original comment wasn't quite clear.
On the other hand, it is peculiar that the most recent ASCI machines
have been tightly clustered SMPs. Half the reason is probably cost,
the other half being the impossibility of cramming that many FLOPS
into a single box. Still, it would appear that whatever systems they
use to simulate atomic detonations are optimised for the NUMA case.
Apparantly, IBM is also marketing the technology, so I'm sure better
specs are out there. If you have a few bucks extra, you can even pick
up a system for your basement. ;)
--
Matt Gauthier <[EMAIL PROTECTED]>
------------------------------
From: David Blackman <[EMAIL PROTECTED]>
Crossposted-To: comp.theory
Subject: Re: Newbie question about factoring
Date: Sat, 01 Jul 2000 14:06:20 +1000
[EMAIL PROTECTED] wrote:
>
> In the FAQs for sci.crypt and rsasecurity.com
> it is stated that the security of RSA depends
> (partially) on the assumption that factoring is
> hard. Does this mean the assumption that
> factoring is NP-hard and, if not, then how
> hard?
Others have given the right answer here: it's probably not NP-hard, but
that's ok. It just has to be hard enough for the size number you choose,
so that it can't practically be done.
> Also, can factoring be described as a
> decision problem?
Factoring is not a decision problem. But you can construct decision
problems that are essentially the same as factoring. One example is:
Does N have a factor of the form A * x + B (where A and B are given
integer constants and x is any positive integer) ?
I think Adleman (of RSA fame) did some work on that one.
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Remark on practical predictability of sequences
Date: Fri, 30 Jun 2000 22:17:59 -0700
Mok-Kong Shen wrote:
>
> I am not sure that I understand you correctly. Are you endorsing my
> view that it is o.k. to use a common PRNG with all parameters
> secret to generate sequences for input to a good block cipher for
> obtaining practically (not provably) non-predictable sequences?
We've moved from the original idea that "if one feeds a pseudo-random
sequence to a good cipher, the resulting output sequence is practically
unpredictable" to "if one feeds a pseudo-random sequence to a good block
cipher, the resulting output sequence is practically unpredictable."
At first blush it seems ok.
I hesitate with a resounding endorsement out of caution. I take little
comfort in relying on secret parameters for LCG, LFSR or Non-LFSR
PRNGs. Personally I would like to learn more about potential attacks
relating the predictability of the next state of the PRNG from its past
states to characteristics in the ciphertext output of the block cipher
- with knowledge of the PRNG parameters and algorithm but the initial
seed secret.
John A. Malley
[EMAIL PROTECTED]
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Another chaining mode
Date: Sat, 01 Jul 2000 05:29:31 GMT
Mok-Kong Shen wrote:
[snip]
> So what do you mean by doing decryption in the 'reverse direction'
> above?
I'm not certain, but what I *think* is happening, is that the message is
split into half-blocks, and encrypted in the following manner:
pt[i] = i'th half-block of plaintext
ct[i] = i'th half-block of ciphertext
i ranges from 1..n For pt
IVa = a unique initialization vector
IVb = H( IV || pt[1..n] )
To encrypt we do the following:
( ct[1], tmp[1] ) = E( IVa || pt[1] )
( ct[i], tmp[i] ) = E( tmp[i-1] || pt[i] )
( ct[n+1], ct[n+2] ) = E( tmp[n] || IVb )
Now consider decrypting:
( tmp[n], IVb ) = D( ct[n+1] || ct[n+2] )
( tmp[n-1], pt[n] ) = D( ct[n], tmp[n] )
...
( tmp[i-1], pt[i] ) = D( ct[i] || tmp[i] )
...
( IVa, pt[1] ) = D( ct[1] || tmp[1] )
Saying tmp[i-1] depends on tmp[i] is the same as saying that tmp[i]
depends on tmp[i+1]... which means we must decrypt the last block first.
*Grin* Of course, it's possible that I've just come up with an entirely
different chaining scheme, which happens to have the same backwards-
decryption requirement.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: very large primes
Date: Sat, 01 Jul 2000 05:29:36 GMT
Douglas A. Gwyn wrote:
>
> Dann Corbit wrote:
> > http://mathworld.wolfram.com/Prime-GeneratingPolynomial.html
[snip]
> "However, there exists a polynomial in 10 variables with integer
> coefficients such that the set of primes equals the set of
> positive values of this polynomial obtained as the variables run
> through all nonnegative integers, although it is really a set of
> Diophantine equations in disguise (Ribenboim 1991)."
Sounds cool. But... what is that polynomial-in-10-variables?
------------------------------
From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: An encryption protocol, version 2
Date: Sat, 01 Jul 2000 13:24:55 +0800
"David A. Wagner" wrote:
>
> In general:
> I'm not sure that it's a good idea to invent your own key-distribution
> protocol -- they are extremely subtle and it is easy to make mistakes.
> Is there any reason you can't use an existing one from the literature?
Such as what? I'm not sure if my employer's library possesses papers or
journals about cryptography. The number of crypto books is not
extremely large either, for reasons that should be clear on reading my
sig (this is changing, but not quickly enough to help me). Basically,
I've tried to create a stripped-down version of Kerberos using more
modern encryption algorithms. Existing methods such as SSL or full
Kerberos are too much for my client machines to use.
--
Rafael R. Sevilla <[EMAIL PROTECTED]> +63 (2) 4342217
ICSM-F Development Team +63 (917) 4458925
University of the Philippines Diliman
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: Certificate authorities (CAs) - how do they become trusted authorities ??
Date: Sat, 01 Jul 2000 05:58:23 GMT
> > IMHO, CAs are to solve a business model by tricking the
> > consumer into unwarranted confidence of security.
>
> > The only question you have to ask yourself is, "Does it make
> > sense to you?" It sure does not to me.
>
> What would you do instead to deal with the issues for which CAs are
> selling themselves as solutions?
CAs are a product of someone's imagination (as are all inventions)
that was ment to help the security model. But the entire security
model is flawed. CAs are just one aspect of that model.
To answer your question what would I do, I have already abandoned
the security model. The industry driven by money and the need to
create e-commerce at all costs refuses to. But I can assure you
that as soon as the correct model comes along, it will take the
industry by storm.
--
Tyranny is kept at bay by guns and will. Our government
knows we have the guns, but they don't know if we have
the will. Nor do we.
The only lawful gun law on the books- the second amendment.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: Certificate authorities (CAs) - how do they become trusted authorities ??
Date: Sat, 01 Jul 2000 06:03:12 GMT
> > > In doing a bit of research on internet security I naturally came
> > > across "Certificate authorities (CAs)" (ie: Verisign, twaite, etc)
> > > ... can anyone tell me (or give me a URL) from where these
> > > companies get *their* certification - who says they are 'trusted'
> > > ?? ...I suppose I am asking as well what/who is the root of all
> > > authorities!
> >
> > Yes you are, no there is no answer, and that is the problem that CAs
> > face.
> >
> > IMHO, CAs are to solve a business model by tricking the consumer
> > into unwarranted confidence of security.
> >
> > The only question you have to ask yourself is, "Does it make sense
> > to you?" It sure does not to me.
>
> Sure it does. This is no different than many, many things in the
> normal world. Why should we trust a CA? Why should we trust a bank?
> Why do we trust any individual or organization?
Because there are laws protecting us from inside bank fraud. I know
of no such laws protecting us from inside CA fraud. Do you?
Furthermore, this is not an issue of e-commerce on par with paper
commerce. e-commerce is different in that it CAN BE FOOL PROOF if
done correctly. No one has figured out how "correctly" is to work
yet. Like PGP and the idea of secret key exchange - that idea or
invention came along just at the right time because the internet
was emerging. e-commerce needs to wait for its proper invention
to make it just as certain as PGP makes security between two private
parties certain.
> The way we go about determining whether or not some entity is
> trustworthy ultimately boils down to a simple process of first
> trusting them, and then seeing if we get screwed.
You have a strange way of learning. I read the law and the fine
print myself before I sign on the line.
--
Tyranny is kept at bay by guns and will. Our government
knows we have the guns, but they don't know if we have
the will. Nor do we.
The only lawful gun law on the books- the second amendment.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: Is this a HOAX or RSA is REALLY broken?!?
Date: Sat, 01 Jul 2000 06:04:48 GMT
In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> Greg wrote:
> > Give all of this, it would appear to be an intel op against European
> > banks by possibly Isreali intelligence using the news paper as a
pawn.
>
> One doesn't need to assume a conspiracy when plain ignorance
> would explain it just as well.
One need not excuse the possibilities when a simple explanation
is available either.
--
Tyranny is kept at bay by guns and will. Our government
knows we have the guns, but they don't know if we have
the will. Nor do we.
The only lawful gun law on the books- the second amendment.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Another chaining mode
Date: Sat, 01 Jul 2000 06:26:56 GMT
Mok-Kong Shen wrote:
> I am mainly interested in what you meant by the expression of doing
> decryption of your cipher in the 'reverse' direction? I don't see
> anything different from a normal cipher in this context.
>
> M. K. Shen
=================
Nothing particularly mysterious - while you encrypt the file, you start
at the beginning and consecutively encrypt all blocks one after another
towards the end of the file.
With conventional chaining modes you can start decryption also at the
beginning of the file and progress towards the end.
With Half-Block-Chaining mode you must start decryption from the end
of the file and return back to the beginning. In other words,
conventional
chaining modes allow you to work with file as FIFO (First In, First
Out),
the HBC mode implies working with the file as LIFO (Last In, First Out).
BTW, programmers sometimes refer to FIFO as "queue" and LIFO as "stack".
(Being a FORTH programmer, I learned to appreciate stacks a lot).
Other than that, no difference, you are right.
Best wishes BNK
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
