Cryptography-Digest Digest #150, Volume #12 Mon, 3 Jul 00 02:13:01 EDT
Contents:
Re: Double Encryption Illegal? (Steve Rush)
Re: A simple all-or-nothing transform (David Hopwood)
PRNG for steganography (davitf)
Re: Hashing Function (not cryptographically secure) (Benjamin Goldberg)
Re: Sellotape and scotch tape (Steve Rush)
Crypto Contest: CHUTZPAH... (Boris Kazak)
Re: A simple all-or-nothing transform (SCOTT19U.ZIP_GUY)
RE: Elliptic Curves encryption (TAY YUE WENG)
RE: ANSI X9.62 and X9.63 (TAY YUE WENG)
Re: Has RSADSI Lost their mind? ("Lyalc")
Re: ANSI X9.62 and X9.63 (Anne & Lynn Wheeler)
Cooking up MAC keys (Dido Sevilla)
Re: A simple all-or-nothing transform (Benjamin Goldberg)
Re: Hashing Function (not cryptographically secure) ("Scott Fluhrer")
Re: source code for a basic cryptography programm ("Joseph Ashwood")
Re: Hashing Function (not cryptographically secure) (Benjamin Goldberg)
Decrypting MD5 ("Gail")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Steve Rush)
Subject: Re: Double Encryption Illegal?
Date: 03 Jul 2000 00:30:34 GMT
>I heard that something like above 128 bit encryption is illegal. I
>read it from some reliable source, but don't remember where. So the
>statement sounds right to me.
>I am not sure why this law exists, but to best of my knowledge there is
>a maximum level of encryption that is legal. Maybe it's so that if
>terrorists transfer messages, government should be able to use the
>messages in court.
All of the limits on cypher strength that I've heard of pertain to exported
products. Anyway, how can a cryptanalyst deduce what the key length was, given
only cyphertext?
========================================================================================
If it's spam, it's a scam. Don't do business with Net abusers.
------------------------------
Date: Sun, 02 Jul 2000 22:28:52 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: A simple all-or-nothing transform
-----BEGIN PGP SIGNED MESSAGE-----
Mok-Kong Shen wrote:
> Let n (n even) message blocks P_1, P_2, ..., P_n be given.
> We build their xor-sum S = Sum(P_j) j= 1, 2, ..., n.
> Let B_i = P_i + S. Then the ciphertext blocks are given by
> C_i = E(K, B_i).
>
> The receiver first decrypts to obtain B_i and computes
> Sum(B_j) = (n+1)*S = n*S + S = S (since n is even) and can
> subsequently recover the plaintext blocks P_i from B_i.
AONTs are by definition unkeyed. If we assume therefore that K is
known, this doesn't satisfy the security requirements for an
all-or-nothing transform, because given one known plaintext and
two ciphertext blocks, the unknown plaintext can be determined without
having the rest of the ciphertext:
Given K, P_i, C_i, C_j,
S = D(K, C_i) XOR P_i
P_j = D(K, C_j) XOR S
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBOV+ymTkCAxeYt5gVAQFlaQf+OirWx+tsJhk71aS7hWK1Egn+fdLu5IBM
LC9BL7a1BZpaDgZL6v3QfO0KCRor0XvP9oPPjMWfTV3m4p0ctuZQg4MbK8lvOS2w
fR4Sqxgx1m2XskhrCehwtSGFcAGNw2RO/BGfei0YiKfuhU2LCuw1kj1/WNcA9cfZ
ZmK0E82aoUIlIUjH8AL5Y3nuq1pt8QSp3UGJCuJNNrdgZwFjZXcDuS57eZbzG1wo
pAUxhBj27mPmpKkVqdv8Qkx+Q3IiWh8Jha4mX5JZsbdcUuWwnaTkkSUZYRMl2urT
A3/1Mv5qWOoiMf3h7cy2k7dsWlemWQewRgrdZ23TI4svyHIgv3UOvA==
=VGkW
-----END PGP SIGNATURE-----
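The transform quoted above and Hopwood's two-block recovery against it, as an added example that is not part of the original post. The block cipher E is a stand-in (an 8-round Feistel network with a SHA-256 round function over 64-bit blocks), chosen only because it is a keyed permutation available without third-party libraries; the recovery does not depend on which cipher is used, only on K being known, which is the AONT setting Hopwood is assuming.

```python
"""Mok-Kong Shen's transform: C_i = E(K, P_i xor S), S = xor-sum of all P_i,
and the partial recovery that works once K is known."""
import functools
import hashlib
import os

BLOCK_BYTES = 8
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Stand-in round function; any keyed PRF would do here.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """E(K, .): stand-in 64-bit block cipher (Feistel, no final swap)."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """D(K, .): inverse of encrypt_block (rounds undone in reverse order)."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def shen_encrypt(key: bytes, plaintext_blocks: list) -> list:
    """C_i = E(K, P_i xor S) with S the xor-sum of all plaintext blocks."""
    assert len(plaintext_blocks) % 2 == 0, "scheme requires an even block count"
    S = functools.reduce(_xor, plaintext_blocks)
    return [encrypt_block(key, _xor(p, S)) for p in plaintext_blocks]


def shen_decrypt(key: bytes, ciphertext_blocks: list) -> list:
    """Recover all P_i: the xor-sum of the B_i equals S because n is even."""
    B = [decrypt_block(key, c) for c in ciphertext_blocks]
    S = functools.reduce(_xor, B)
    return [_xor(b, S) for b in B]


def recover_one_block(key: bytes, p_i: bytes, c_i: bytes, c_j: bytes) -> bytes:
    """Hopwood's observation: with K, one known plaintext block P_i and only
    the two ciphertext blocks C_i and C_j, P_j falls out directly; the rest
    of the ciphertext is never needed, so the all-or-nothing property fails."""
    S = _xor(decrypt_block(key, c_i), p_i)
    return _xor(decrypt_block(key, c_j), S)


def demo() -> bool:
    key = os.urandom(16)
    plaintext = [os.urandom(BLOCK_BYTES) for _ in range(6)]   # constructed input
    ciphertext = shen_encrypt(key, plaintext)
    if shen_decrypt(key, ciphertext) != plaintext:
        return False
    # Attacker knows K and P_1 and has seen only C_1 and C_4.
    guess = recover_one_block(key, plaintext[1], ciphertext[1], ciphertext[4])
    return guess == plaintext[4]


if __name__ == "__main__":
    print("partial recovery succeeded:", demo())
```

The recovery needs exactly one known plaintext block; with none, the attacker still learns every P_i xor P_j from two ciphertext blocks, which is already more than an all-or-nothing transform may leak.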
------------------------------
From: davitf <[EMAIL PROTECTED]>
Subject: PRNG for steganography
Date: Mon, 03 Jul 2000 00:30:39 GMT
Hello,
I am writing a steganography program which will write data in the
least-significant bits of an image. I am going to use a pseudo-random
number generator, initialized with an user-supplied key, to choose the
position in the picture to write each bit of the message.
So I have to choose a PRNG. I want it to be both secure, simple to
implement and fast (because many numbers will have to be generated,
even for small amounts of data). I was thinking of using one based on
RC4. It would work like this:
Initialize the RC4 state array with the key (just like when using it for
encryption). Then, for each bit to write, generate 4 bytes with the RC4
encryption routine and convert them to a 32-bit number. Compute the
remainder of this number by the size of the image to determine the
position to write the bit.
Is this algorithm secure? I was also thinking of basing the generator in
other well-known encryption algorithms or hash functions, such as
Blowfish and SHA-1. Would it be better (or worse) to use a hash
function instead of an encryption algorithm? Are there any algorithms
better suited for this situation?
Also, the data is going to be encrypted before being written in the
image. Will the program be less secure if the data is encrypted with
the same encryption algorithm in which the PRNG is based?
Thank you in advance,
Davi Figueiredo
Sent via Deja.com http://www.deja.com/
Before you buy.
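The position generator described in the post (RC4 keystream, four bytes per position, remainder modulo the image size), as an added example that is not the poster's code, beside a variant with the two checks a practitioner would add: rejection sampling so the remainder is unbiased, and a used-position set so no bit overwrites an earlier one. Keys and image sizes are constructed for the example. On the last question in the post: the algorithm may be shared between the PRNG and the data encryption, but the key must not be, since with RC4 the same key gives the same keystream for both uses.

```python
"""RC4-driven carrier positions for LSB steganography: the method as posted,
and the same method with bias removal and duplicate avoidance."""
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Plain RC4: key-scheduling, then the byte generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def _next_word(ks: Iterator[int]) -> int:
    """Four keystream bytes as one 32-bit number, as in the post."""
    return int.from_bytes(bytes(next(ks) for _ in range(4)), "big")


def positions_as_posted(key: bytes, n_samples: int, n_bits: int) -> List[int]:
    """Exactly the method in the post: word mod image size, one per bit."""
    ks = rc4_keystream(key)
    return [_next_word(ks) % n_samples for _ in range(n_bits)]


def positions_checked(key: bytes, n_samples: int, n_bits: int) -> List[int]:
    """Same generator with two fixes:
    (1) rejection sampling removes the modulo bias: 2**32 is not a multiple
        of n_samples, so the plain remainder favours low positions;
    (2) positions already used are skipped, so a later bit never overwrites
        an earlier one. The reader runs the same deterministic loop and gets
        the same sequence."""
    assert 0 < n_bits <= n_samples, "more bits than carrier samples"
    ks = rc4_keystream(key)
    limit = (1 << 32) - ((1 << 32) % n_samples)   # largest multiple of n_samples
    used, out = set(), []
    while len(out) < n_bits:
        word = _next_word(ks)
        if word >= limit:
            continue
        pos = word % n_samples
        if pos in used:
            continue
        used.add(pos)
        out.append(pos)
    return out


if __name__ == "__main__":
    key = b"Key"   # constructed; in practice derive it from the user's passphrase
    print(positions_as_posted(key, 640 * 480, 8))
    print(positions_checked(key, 640 * 480, 8))
```

The bias fix matters little for large images and short messages, but the duplicate check is not optional: with the plain remainder, a repeated position silently destroys an earlier message bit, and the reader has no way to tell.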
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Hashing Function (not cryptographically secure)
Date: Mon, 03 Jul 2000 00:44:52 GMT
Simon Johnson wrote:
[snip]
>
> Padding: if (length of message) mod 64 != 0 then message =
> message & length of document & trailing 0's (to make: len
> (message) mod 64 = 0)
>
> Hashing: for the 0 to i blocks: Hash = block[0] XOR block[1]
> XOR........ block[i]
>
> Any suggestion for this check digit system?
It's bad ... don't use it; use a 64-bit CRC instead. With an N-bit
crc, if two messages differ by N bits or fewer, they will *always*
have different CRC values. With your method, suppose I have 60 64-bit
blocks, and I use your hash function... If I change the last bit in all
those blocks, the hash remains the same. If I use CRC64, changing the
last bit in all 60 blocks will result in a different result.
Also, a conditional pad isn't exactly a good idea. It would be better
to *always* [or never] pad and append length of the message. Also, if
doing so, put the 0's between the last message-byte and the binary
message length. [And, make sure you specify whether your 'length'
should be big-endian or little-endian]
------------------------------
From: [EMAIL PROTECTED] (Steve Rush)
Subject: Re: Sellotape and scotch tape
Date: 03 Jul 2000 00:50:52 GMT
>ObNit: "PC" is not an example. The first usage of the term (AFAIK), either
>as the abbreviation, or the full term "Personal Computer", was as the
>product name (and marketing hype) of the "IBM PC".
I distinctly recall articles in magazines like "Byte" that used the terms
"personal computer" and "PC" before IBM was ready to admit that there could
*be* any such animal.
========================================================================================
If it's spam, it's a scam. Don't do business with Net abusers.
------------------------------
From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Crypto Contest: CHUTZPAH...
Date: Mon, 03 Jul 2000 02:39:58 GMT
I took a look at the cipher CHUTZPAH, which was submitted for sci.crypt
cipher contest on May, 23, 2000.
The cipher appears to be a simple XORing of the 256-bit plaintext block
with some key material, complicated by the internally built-in block
chaining mode. The successive 256 bits to XOR with each next block are
computed dependent on the value obtained in encryption of the previous
block.
To further complicate the matters, plaintext encryption does not start
immediately, but only after encrypting a session-dependent IV. The
"key status" of this IV is prepended to the encrypted message so that
decryption would be possible at reception side.
Without going into details about the proposed method of key processing
and modifications, here is the outline of an attack that could
possibly reconstruct the 256 bits of XORing key material
(hence the key itself) in as few as 2 trial decryptions.
The attack follows the pattern of "chosen ciphertext" attack and must
be based on some intercepted ciphertext. Attacking ciphertexts will
consist of 2 blocks each:
(1) 256-bit block of IV "key status" (from intercepted ciphertext)
(2) test blocks of 256 bit each. The format of these blocks is like
following:
00000...000 ; 00000...001
Decrypting these blocks through the CHUTZPAH engine will produce the
256 bits of XORing key material. Changing the last bit of plaintext
between 0 and 1 allows one to pinpoint the location of the starting byte
in the ciphertext, in case of bit rotations of the block.
Sorry if I have misunderstood something (could very well happen).
Best wishes BNK
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: A simple all-or-nothing transform
Date: 3 Jul 2000 02:40:25 GMT
[EMAIL PROTECTED] (Mok-Kong Shen) wrote in <395FB184.37D26C8D@t-online.de>:
>
>Rivest has in a well-known paper introduced the all-or-nothing
>transform, which forces the analyst to decrypt all blocks of a
>message, thus effectively increasing the key space with a
>few bits.
>
>However, his scheme is rather complicated in my humble view.
>In the following I like therefore to present an alternative
>scheme for discussion. I shall assume, however, that the
>number of blocks of the given message is even, i.e. one has
>to append a random block if the number of the proper message
>blocks is odd. (Note that in Rivest's scheme, which doesn't
>have this restriction, the message length is always increased
>by one block in the encryption process.)
>
>
..<<SNIP>>..
Actually if you use SCOTT19U or SCOTT16U you can get
a "form of all or nothing" encryption that treats the
whole file as a single block without changing the file
length at all if one wishes.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website NOT FOR WIMPS **no JavaScript allowed**
http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page WIMPS allowed ** JavaScript OK**
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
"The road to tyranny, we must never forget, begins with the destruction
of the truth."
------------------------------
From: TAY YUE WENG <[EMAIL PROTECTED]>
Subject: RE: Elliptic Curves encryption
Date: Mon, 03 Jul 2000 11:15:09 +0800
Dear all,
Does anybody know how to make use of Elliptic Curves public key and
private key to encrypt? I have learned how to generate the public and
private key for EC but I don't know which algorithms to use and how to
use them for encryption and decryption purposes. Or is anybody aware of
which website to go to? Please email me if you have some knowledge
about it.
Thanks!
Regards,
Tay Yue Weng
------------------------------
From: TAY YUE WENG <[EMAIL PROTECTED]>
Subject: RE: ANSI X9.62 and X9.63
Date: Mon, 03 Jul 2000 11:26:06 +0800
Does anybody know where I can download these copies if it is free? Can
someone send a copy to me if membership is required?
Thanks
Tay Yue Weng
------------------------------
From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Has RSADSI Lost their mind?
Date: Mon, 3 Jul 2000 14:06:08 +1000
RSADSI did buy the Australian company whose key employees wrote the
opensource SSLEAY.
The licensing issues are a different matter.
lyal
[EMAIL PROTECTED] wrote in message
<395fcb6a$1$jutvvv$[EMAIL PROTECTED]>...
>Below is a couple of messages posted to the OpenSSL users mailing list.
>Seems someone down at RSADSI has lost it. I found the part about them
>*owning* EAY quite amusing. I wonder if anyone bothered telling him that
>he is considered owned property of RSADSI.
>
>
>-------------------------------------------------------------------------
>The following message is forwarded to you by "William H. Geiger III"
><[EMAIL PROTECTED]> (listed as the From user of this message). The
>original sender (see the header, below) was [EMAIL PROTECTED] and
>has been set as the "Reply-To" field of this message.
>-------------------------------------------------------------------------
>>From: Bill Rebey <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: Legality - just heated up
>>Date: Wed, 28 Jun 2000 14:30:38 -0600
>
>I just got off the phone with, among others, John Riley at RSA. He's
>claiming things like (paraphrased):
>
>"It's flat out illegal to use OpenSSL for Commercial purposes" "Even if
>you use OpenSSL, it still uses RSA technologies that you have to pay
>royalties for (regardless whether it uses RSA encryption or not)" "We own
>EAY, thus we own SSLeay/OpenSSL"
>
>He's leaning on us to pay $70K up front, plus $636 in royalty fees for
>every copy of our product that we sell!!
>
>Can anyone clarify any of this for me?
>
>Is there another group that I should mail to that would be a more
>appropriate or authoritative audience for such legal questions?
>
>Thanks again,
>
>Bill Rebey
>
>
>
>-----Original Message-----
>From: Bill Rebey
>Sent: Wednesday, June 28, 2000 4:06 PM
>To: [EMAIL PROTECTED]
>Subject: Legality
>
>Hi all,
>
>Assuming I ever get OpenSSL figured out and working, I need to know about
>the legality of using OpenSSL.
>
>I am using it in a Commercial product.
>
>What can and can't I use? I control both the client and server, so the
>brand of encryption that I use is not important. What's far more
>important is that I avoid using anything that requires licensing,
>royalties, fees, etc.
>
>Is there a definitive source for this information somewhere?
>
>Thanks for any help you can offer,
>
>Bill Rebey
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>
>-----------------------------------------------------
> -- End of forwarded message
>-----------------------------------------------------
>
>
>--
>---------------------------------------------------------------
>William H. Geiger III http://www.openpgp.net
>Geiger Consulting
>
>Data Security & Cryptology Consulting
>Programming, Networking, Analysis
>
>PGP for OS/2: http://www.openpgp.net/pgp.html
>E-Secure: http://www.openpgp.net/esecure.html
>---------------------------------------------------------------
>
------------------------------
Subject: Re: ANSI X9.62 and X9.63
Reply-To: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
Date: Mon, 03 Jul 2000 04:06:20 GMT
TAY YUE WENG <[EMAIL PROTECTED]> writes:
> Does anybody know where can I download these copies if it is free? Can
> someone send a copy to me if membership is required?
see
http://www.x9.org/ for more information
--
Anne & Lynn Wheeler | [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.garlic.com/~lynn/ http://www.adcomsys.net/lynn/
------------------------------
From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Cooking up MAC keys
Date: Mon, 03 Jul 2000 12:36:03 +0800
Is the method of using the session key (key used to actually encrypt the
data to be sent) with every other nibble complemented (XORed with
0xf0f0f0f...) a good way of generating a key for use as a MAC using the
same encryption algorithm (in CBC-MAC mode) used to encrypt the data
itself? For what popular encryption algorithms is this method unsafe to
use? Apart from generating a completely new independent key, what other
methods can be used that are not much more complicated?
--
Rafael R. Sevilla <[EMAIL PROTECTED]> +63 (2) 4342217
ICSM-F Development Team +63 (917) 4458925
University of the Philippines Diliman
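The fixed-mask derivation asked about above (session key XOR 0xF0F0...) next to the alternative a practitioner would normally reach for, a labelled derivation with HMAC-SHA256 in the style of HKDF-Expand, with a CBC-MAC so the derived key is actually exercised. This is an added example, not code from the post. The block function is a stand-in keyed PRF built from SHA-256, not the poster's cipher; CBC-MAC only needs a pseudorandom block function, not an invertible one, so that is enough for the demonstration. Whether a particular cipher tolerates a MAC key that is publicly related to the encryption key is a related-key question about that cipher; the labelled derivation sidesteps the question by making the two keys computationally independent.

```python
"""Two ways to get a MAC key from a session key, and a CBC-MAC that uses it."""
import hashlib
import hmac

BLOCK = 16


def mask_key(session_key: bytes) -> bytes:
    """The post's method: complement every other nibble (XOR with 0xF0...).
    Note it is its own inverse: anyone holding the MAC key holds the
    session key, and vice versa."""
    return bytes(b ^ 0xF0 for b in session_key)


def derive_keys(session_key: bytes, context: bytes = b"") -> tuple:
    """Labelled derivation (HKDF-Expand style, one block each): two keys
    that are computationally unrelated even though both come from one
    session key. `context` binds the keys to a connection or session id."""
    def expand(label: bytes) -> bytes:
        return hmac.new(session_key, label + context + b"\x01",
                        hashlib.sha256).digest()[:BLOCK]
    return expand(b"encryption"), expand(b"authentication")


def _block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K(.), a 128-bit keyed block function (assumption:
    not the poster's cipher, any PRF works for CBC-MAC)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cbc_mac(key: bytes, message: bytes) -> bytes:
    """Classic CBC-MAC with zero IV. Secure only for messages of one fixed
    length (or with the length in the first block); that restriction is a
    property of CBC-MAC itself, not of the key derivation."""
    assert message and len(message) % BLOCK == 0, "pad to whole blocks"
    state = bytes(BLOCK)
    for k in range(0, len(message), BLOCK):
        chained = bytes(a ^ b for a, b in zip(state, message[k:k + BLOCK]))
        state = _block_prf(key, chained)
    return state


if __name__ == "__main__":
    session = bytes(range(16))             # constructed session key
    enc_key, mac_key = derive_keys(session, b"conn-42")
    msg = b"sixteen byte msg" * 2           # constructed, two blocks
    print("mask is its own inverse:", mask_key(mask_key(session)) == session)
    print("CBC-MAC:", cbc_mac(mac_key, msg).hex())
```

The derivation costs two HMAC calls per session, which is the "not much more complicated" option the post asks for; in a real protocol the context string should include whatever distinguishes this session from every other one (nonces, identities, direction).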
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: A simple all-or-nothing transform
Date: Mon, 03 Jul 2000 05:00:21 GMT
SCOTT19U.ZIP_GUY wrote:
[snip]
>
> Actually if you use SCOTT19U or SCOTT16U you can get
> a "form of all or nothing" encryption that treats the
> whole file as a single block without changing the file
> length at all if one wishes.
Also, you can use lja1 with the block length set to
the length of the file. Of course, the fact that
lja1 takes N**2 time where N is the blocklength might
turn you off to the idea. OTOH, with the 'round' parameter
set to 2, it's secure against all known attacks except
brute force, AFAIK, and it has a keyspace of 1676 bits,
which makes that particular attack rather difficult.
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Hashing Function (not cryptographically secure)
Date: Sun, 2 Jul 2000 21:59:46 -0700
Benjamin Goldberg <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Simon Johnson wrote:
> [snip]
> >
> > Padding: if (length of message) mod 64 != 0 then message =
> > message & length of document & trailing 0's (to make: len
> > (message) mod 64 = 0)
> >
> > Hashing: for the 0 to i blocks: Hash = block[0] XOR block[1]
> > XOR........ block[i]
> >
> > Any suggestion for this check digit system?
>
> It's bad ... don't use it; use a 64-bit CRC instead. With an N-bit
> crc, if two messages differ by N bits or fewer, they will *always*
> have different CRC values. With your method, suppose I have 60 64-bit
> blocks, and I use your hash function... If I change the last bit in all
> those blocks, the hash remains the same. If I uses CRC64, changing the
> last bit in all 60 blocks will result in a different result.
Actually, an N-bit CRC has the property that the CRC's of two messages differ
if the bit differences are confined to an area at most N bits in length.
His hash has precisely that property, and in retrospect, it's not
surprising: the last step is essentially a 64-bit CRC with the polynomial
x**64 + 1 (!).
--
poncho
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: source code for a basic cryptography programm
Date: Sun, 2 Jul 2000 22:28:12 -0700
I'm sorry, I don't think you've quite made yourself clear.
What exactly are you trying to do? Are you looking to
encrypt something? Are you looking to decrypt something?
Why the specifics that it must be separated by a period or
semicolon?
There are so many possibilities, I could spit one out in the
time it took me to write this, but I honestly have no clue
what you mean.
Joe
"Reiter Tommi" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi,
> I need a source code in C++ which translates a text in ASCII, each ASCII
> code separated with a point or better semicolon.
>
> Can anybody help me?
>
> CU Tommi
>
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Hashing Function (not cryptographically secure)
Date: Mon, 03 Jul 2000 05:47:31 GMT
Scott Fluhrer wrote:
>
> Benjamin Goldberg <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Simon Johnson wrote:
> > [snip]
> > >
> > > Padding: if (length of message) mod 64 != 0 then message =
> > > message & length of document & trailing 0's (to make: len
> > > (message) mod 64 = 0)
> > >
> > > Hashing: for the 0 to i blocks: Hash = block[0] XOR block[1]
> > > XOR........ block[i]
> > >
> > > Any suggestion for this check digit system?
> >
> > It's bad ... don't use it; use a 64-bit CRC instead. With an N-bit
> > crc, if two messages differ by N bits or fewer, they will *always*
> > have different CRC values. With your method, suppose I have 60
> > 64-bit blocks, and I use your hash function... If I change the last
> > bit in all those blocks, the hash remains the same. If I uses
> > CRC64, changing the last bit in all 60 blocks will result in a
> > different result.
> Actually, an N-bit CRC has the property that the CRC's of two messages
> differ if the bit differences are confined to an area at most N bits
> in length.
> His hash has precisely that property, and in retrospect, it's not
> surprising: the last step is essentially a 64-bit CRC with the
> polynomial x**64 + 1 (!).
I'm not so sure of the accuracy of your description of what an N-bit CRC
does... I challenge you to find two messages that differ by 2 bits,
with more than 16 bits between the differing bits, but which have the
same CRC16 value.
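A worked version of this whole thread, as an added example that is not code from any of the posters: the XOR-of-64-bit-blocks check value from Simon Johnson's post, Fluhrer's reading of it as a CRC with generator x^64 + 1, Goldberg's 60-block collision, and the limit of the burst property that his CRC-16 challenge asks about. CRC-16 with generator 0x8005 = x^16 + x^15 + x^2 + 1 = (x+1)(x^15+x+1) stands in for the CRC-64 under discussion because its factorisation is known and lets the two-bit collision be constructed rather than searched for; the message bytes are constructed (random) for the demonstration.

```python
"""XOR-of-blocks check value versus a real CRC, over GF(2) polynomials."""
import os

CRC16_IBM = (1 << 16) | 0x8005   # (x+1)(x^15+x+1); x^15+x+1 is primitive, order 2^15-1
X64_PLUS_1 = (1 << 64) | 1       # Fluhrer's generator for the XOR hash


def poly_mod(data: bytes, poly: int, nbits: int) -> int:
    """Remainder of the message polynomial (first bit = highest degree)
    modulo `poly` over GF(2). No init or xorout, so the result is linear in
    the message and two messages collide exactly when their XOR difference
    is a multiple of `poly`."""
    top = 1 << nbits
    rem = 0
    for byte in data:
        for i in range(7, -1, -1):
            rem = (rem << 1) | ((byte >> i) & 1)
            if rem & top:
                rem ^= poly
    return rem


def xor_block_hash(data: bytes) -> int:
    """The check value from the post: XOR of all 64-bit blocks."""
    assert len(data) % 8 == 0, "pad to a multiple of 64 bits first"
    h = 0
    for k in range(0, len(data), 8):
        h ^= int.from_bytes(data[k:k + 8], "big")
    return h


def flip_bits(data: bytes, bit_indexes) -> bytes:
    """Copy of `data` with the given bit positions (0 = MSB of byte 0) flipped."""
    out = bytearray(data)
    for idx in bit_indexes:
        out[idx // 8] ^= 0x80 >> (idx % 8)
    return bytes(out)


def sixty_block_case(msg: bytes = None) -> dict:
    """Goldberg's example: flip the last bit of every one of 60 blocks.
    The XOR hash cannot see an even number of identical flips. A real CRC
    does: the difference polynomial sum_{k<60} x^(64k) divides x^3840 + 1
    = (x^15 + 1)^256, whose factors are all of degree at most 4, so the
    degree-15 factor of the CRC-16 generator can never divide it."""
    msg = msg or os.urandom(60 * 8)
    alt = flip_bits(msg, range(63, 60 * 64, 64))
    return {
        "xor_hash_unchanged": xor_block_hash(msg) == xor_block_hash(alt),
        "xor_hash_is_crc_mod_x64_plus_1":
            xor_block_hash(msg) == poly_mod(msg, X64_PLUS_1, 64),
        "crc16_changed":
            poly_mod(msg, CRC16_IBM, 16) != poly_mod(alt, CRC16_IBM, 16),
    }


def crc16_two_bit_collision(length_bytes: int = 4096) -> tuple:
    """Answer to the CRC-16 challenge: two messages differing in exactly two
    bits, 32767 positions apart, with the same CRC. x^32767 + 1 is a
    multiple of (x+1)(x^15+x+1) because x^15+x+1 is primitive of order
    2^15 - 1. So an N-bit CRC is guaranteed to catch differences confined
    to a burst of N bits, not arbitrary N-bit differences."""
    assert length_bytes * 8 > 32767
    a = os.urandom(length_bytes)
    first = length_bytes * 8 - 1 - 32767
    return a, flip_bits(a, (first, first + 32767))


if __name__ == "__main__":
    print(sixty_block_case())
    a, b = crc16_two_bit_collision()
    print("CRC-16 equal on a 2-bit difference:",
          poly_mod(a, CRC16_IBM, 16) == poly_mod(b, CRC16_IBM, 16))
```

The same construction transfers to any CRC: the guaranteed distance between two colliding single-bit differences is the multiplicative order of x modulo the generator, which is why published CRC polynomials are chosen with that order in mind for the intended message length.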
------------------------------
From: "Gail" <[EMAIL PROTECTED]>
Subject: Decrypting MD5
Date: Mon, 3 Jul 2000 02:00:11 -0500
Reply-To: "Gail" <[EMAIL PROTECTED]>
Anyone know the best approach to decrypting something encrypted using MD5?
The key is unknown, unless of course you know where it could be stored on a
Linux system, or how to figure it out if you know how the line looks before
encryption.
Thanks
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************