Cryptography-Digest Digest #177, Volume #12 Sat, 8 Jul 00 01:13:01 EDT
Contents:
Re: cray and time needed to attack (Jerry Coffin)
Re: Has RSADSI Lost their mind? (Simon Johnson)
Comment/Analysis requested Password to RawBinarykey method... (Jay Summet)
Re: AES: It's been pretty quiet for some time... (John Savard)
Re: AES: It's been pretty quiet for some time... (John Savard)
Re: Has RSADSI Lost their mind? (John Savard)
Re: A new cipher........ (David A. Wagner)
Re: AES: It's been pretty quiet for some time... (John Savard)
Re: cray and time needed to attack (Jerry Coffin)
Re: cray and time needed to attack (Roger Schlafly)
Concise Programming, Attn: Tom St. D & All (Rebus777)
Re: cray and time needed to attack (Paul Rubin)
Re: Quantum Computer simulator websites with source code (ca314159)
Turning off scripting ("Greg Keogh")
Re: Any crypto jokes? (potentially OT) (Boris Kazak)
OT Question (was Re: Security in UMTS???) (Benjamin Goldberg)
Re: Information-theoretic hash question (was Re: CRC question) (Benjamin Goldberg)
Re: Turning off scripting (Benjamin Goldberg)
----------------------------------------------------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: cray and time needed to attack
Date: Fri, 7 Jul 2000 16:42:06 -0600
In article <uQ6hnz45$GA.77@cpmsnbbsa08>, [EMAIL PROTECTED] says...
[ ... ]
> I find it depressing also, but ISA is all but dead, with various vendors
> offering "legacy-free" computers, it should soon disappear entirely
I think Doug is using "ISA" as an abbreviation for Instruction Set
Architecture.
> there're still those old 8086 instructions that I wish they'd get rid of.
...which seems to indicate that you and Doug (and most of the rest of
us) agree.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
Subject: Re: Has RSADSI Lost their mind?
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Fri, 07 Jul 2000 15:42:00 -0700
Yes well, if they were leaning on Tom over RSA, then I would
have told them to cram it up their ass. It would cost them more
to prosecute than they could get outta Tom anyways.
Here's a little point anyway........
Doesn't the RSA patent say that the two numbers picked to be
multiplied to form the modulus have to be prime? I was wondering
how they could prove that primes were used without factoring the
modulus. (Remember, some numbers which are not prime have special
properties so that the math still works.)
With an OJ-Simpson class lawyer, you might be able to cast
sufficient doubt that RSA was indeed the algorithm used.
It's just a stupid thought. :D
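The aside above (non-primes for which "the math still works") can be checked directly. The block below is an added example, not part of the post: it builds an RSA keypair on n = a*b with e*d == 1 mod lambda(n) and reports every message the keypair fails to round-trip. The factor sizes are toy values chosen here; the point it shows is that correctness needs only a squarefree modulus, so a working keypair says nothing about whether the two factors were prime, which is exactly why the public key alone cannot settle the question.

```python
from math import gcd

# Added example, not from the post. Toy moduli only: factorization is by
# trial division and decryption is tested on every message in [0, n).

def factorize(n):
    """Trial-division factorization of n, returned as {prime: exponent}."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def carmichael(n):
    """lambda(n), the exponent of the unit group mod n. RSA needs
    e*d == 1 (mod lambda(n)); phi(n) also works because lambda | phi."""
    lam = 1
    for p, k in factorize(n).items():
        if p == 2 and k >= 3:
            part = 1 << (k - 2)          # lambda(2^k) = 2^(k-2) for k >= 3
        else:
            part = (p - 1) * p ** (k - 1)
        lam = lam * part // gcd(lam, part)  # lcm
    return lam

def is_squarefree(n):
    return all(k == 1 for k in factorize(n).values())

def rsa_failures(a, b, e):
    """Make an RSA keypair on n = a*b (a, b need not be prime) and return the
    messages m in [0, n) with decrypt(encrypt(m)) != m. Empty list means the
    keypair works for every message."""
    n = a * b
    lam = carmichael(n)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lambda(n)")
    d = pow(e, -1, lam)
    return [m for m in range(n) if pow(pow(m, e, n), d, n) != m]

if __name__ == "__main__":
    # Prime factors: works. Non-prime but squarefree (15*7 = 3*5*7): works.
    # Repeated prime (9*7 = 3*3*7): some messages do not come back.
    for a, b, e in ((7, 11, 7), (15, 7, 5), (9, 7, 5)):
        print(a, b, "squarefree" if is_squarefree(a * b) else "not squarefree",
              "failures:", rsa_failures(a, b, e)[:5])
```

For n = 63 the message 3 encrypts and decrypts to 45: multiples of the repeated prime are exactly where m^(ed) mod n stops agreeing with m.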
------------------------------
From: Jay Summet <[EMAIL PROTECTED]>
Subject: Comment/Analysis requested Password to RawBinarykey method...
Date: Fri, 7 Jul 2000 16:10:12 -0700
Hello,
I have implemented a (JAVA) class that is designed to store a String using
Blowfish and DESede (TripleDES) in combination. (Xor message with random
pad, encrypt pad with one, encrypt messageXORpad with other, must decrypt
both to retrieve message... [ciphertext is double size of message] )
This is somewhat straightforward. However, I am generating a key based
upon a user supplied pass phrase. I want a different (binary/raw key) for
each algorithm (2 different keys from the same passphrase).
So, I built my own String -> raw binary array of bits/bytes method, using
hash functions (MD5 and SHA, one for each cipher). A link to direct source
code is provided at end of post, here is the overview.
We take the passphrase, and give it to the hash (say MD5). We get a hash
value out. We use the first byte of the hash value to index into the hash
value (passphrase-dependent, of course) and use that byte as the first byte
of our key.
To generate the next byte of our key, we use a new MD5 hash, and as input
give it:
1. the key so far (i.e., 1 byte first time, 2 bytes second time, etc.)
2. The original passphrase.
3. Another byte selected from the hash (indexed by the second byte of the
hash this time, so it may be different from the last byte selected for the
key, or it may be the same...)
We repeat this until the bytes of the key are filled up (24 for DESede, 56
for Blowfish). (One version uses MD5, one version uses SHA1.)
*I* think that this is a secure way to convert a user-supplied passphrase
into a "good" (i.e., random-looking) key.
Am I right?
Source code is at:
http://www.summet.com/jdiary/EncryptedStringStorage.java
The methods to look at are: generateBlowfishKey and generateTripleDESKey
I'm not as worried about the actual encryption and decryption steps, but
if you want to look at them and see if I'm doing anything stupid there I
certainly wouldn't mind finding out about it!
Thanks,
Jay Summet
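The derivation described above, implemented as an added example from the text of the post alone. The EncryptedStringStorage.java file at summet.com was not consulted, so this is not the poster's code; where the description leaves a step open (how the key byte is taken from each new digest) the choice made here is marked as an assumption. A PBKDF2-based derivation is placed beside it for comparison, and it is also not something the post uses. As described, the construction has no salt and no iteration count, so the same passphrase always yields the same two keys and testing a guess costs one hash per key byte; those are the two properties the standard alternative adds.

```python
import hashlib

# Added example. derive_key_as_described() follows the steps in the post;
# derive_keys_pbkdf2() is the standard alternative for comparison.

def derive_key_as_described(passphrase, key_len, hash_name):
    """Stretch passphrase (bytes) to key_len bytes with repeated hashing.
    hash_name: "md5" (post: DESede, 24 bytes) or "sha1" (post: Blowfish, 56)."""
    base = hashlib.new(hash_name, passphrase).digest()
    n = len(base)
    # Step 1 of the post: the first byte of the hash indexes into the hash,
    # and the byte found there is the first key byte.
    key = bytearray([base[base[0] % n]])
    step = 1
    while len(key) < key_len:
        # A byte of the base hash, indexed by the step-th byte of the base
        # hash (wrapping once step runs past the digest length).
        selected = base[base[step % n] % n]
        # New hash over: key so far, original passphrase, selected byte.
        digest = hashlib.new(hash_name, bytes(key) + passphrase + bytes([selected])).digest()
        # ASSUMPTION: the post does not say which byte of this new digest
        # becomes the next key byte; the first-step rule is reused here.
        key.append(digest[digest[0] % n])
        step += 1
    return bytes(key)

def derive_keys_pbkdf2(passphrase, salt, iterations=200_000):
    """Comparison only: one PBKDF2-HMAC-SHA256 call whose output is split
    into a 24-byte DESede key and a 56-byte Blowfish key. salt is random per
    stored string and kept next to the ciphertext; iterations sets the cost
    of each guess."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=24 + 56)
    return out[:24], out[24:]

if __name__ == "__main__":
    # Constructed sample inputs.
    pw = b"correct horse battery staple"
    print("DESede key:  ", derive_key_as_described(pw, 24, "md5").hex())
    print("Blowfish key:", derive_key_as_described(pw, 56, "sha1").hex())
    k3des, kbf = derive_keys_pbkdf2(pw, b"16-byte-random-salt!")
    print("PBKDF2:", k3des.hex(), kbf.hex())
```

The two PBKDF2 keys come from one call over a single salt; deriving them from two different hash functions over the same salt-free passphrase, as the post does, gives two keys that are each only as hard to guess as the passphrase.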
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: AES: It's been pretty quiet for some time...
Date: Sat, 08 Jul 2000 00:02:30 GMT
On Wed, 05 Jul 2000 14:54:16 +0300, Helger Lipmaa <[EMAIL PROTECTED]>
wrote, in part:
>Only MARS seems to be a loser.
I kind of like MARS, although I think I can see the reasons for your
comment.
But the flaws found by Bruce Schneier seem to be rather easy to
correct. Just change the structure of the cryptographic core from 8
forward rounds and 8 reverse rounds to 4F, 4R, 4F, 4R, following
SKIPJACK. (Well, I'm not surprised the NSA knew about the boomerang
attack; that's the sort of thing they're paid to think of.)
Incidentally, my comment to NIST about making the unkeyed mixing
rounds keyed was followed by a correction which got garbled by an
E-mail snafu. The correction was to suggest an extra scramble
of the 17 words in the buffer, with *no* words used for subkeys,
before the XOR in of subkeys from previous rounds to make the function
non-invertible, and the two additional scrambles from which 8, rather
than 10, subkeys are taken.
For *maximum* resistance to a boomerang attack, a round structure like
4 forward
8 unkeyed mixing
4 reverse
4 forward
8 unkeyed mixing
4 reverse
would be ideal, but that exposes the core, covered only by the
whitening, and that would violate the design of MARS.
4 unkeyed mixing
4 forward
4 unkeyed mixing
4 reverse
4 forward
4 unkeyed mixing
4 reverse
4 unkeyed mixing
is the best I can come up with, although it spreads the unkeyed mixing
part kind of thin.
If this kind of fix were applied to MARS, I think it would be easily
the most secure candidate. (I freely admit, though, I am not expert
enough in cryptanalysis to be confident I haven't missed some subtle
flaw; but it appears to me, from a naive point of view, that the two
kinds of rounds in MARS are a good defence against subtle flaws.)
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: AES: It's been pretty quiet for some time...
Date: Sat, 08 Jul 2000 00:03:39 GMT
On 5 Jul 2000 11:43:22 GMT, [EMAIL PROTECTED] (Mark Wooding) wrote, in
part:
>No. IBM changed policy in round 2: MARS is free for all uses. See the
>round 2 MARS intellectual property statement.
Couldn't quite find it on the NIST site. Not sure where to look.
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Has RSADSI Lost their mind?
Date: Sat, 08 Jul 2000 00:05:42 GMT
On Thu, 06 Jul 2000 18:59:00 GMT, Eric Lee Green <[EMAIL PROTECTED]>
wrote, in part:
>Note that, after September, it's perfectly legal to put the RSA PK encryption
>portion back in, since it enters the public domain at that time.
Just to nitpick in a way someone else may have already done: it would
be OK to put in independently-written code to do the RSA algorithm,
but programs from the toolkit written by RSA would remain protected by
copyright.
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: A new cipher........
Date: 7 Jul 2000 17:11:09 -0700
"Simon Johnson" wrote:
> Right, this is my first 'real' cipher i've posted here.
> Its a 64-bit block cipher with a 128-bit key. There is no source
> available yet (sorry, i havn't had the time), and i've done it
> for a friend (I took D.A. Wagner's advice, and had a proper go!)
1. My advice was not to have a go at it; my advice is to use an
existing, well-studied, standard cipher.
2. The description in the PDF file makes no sense. You re-use variable
names and change the numbering from Q_0..Q_3 to Q_1..Q_4 in the middle.
I apologize, but I can't understand what the proposal is.
3. The key-schedule is weak. There is a meet-in-the-middle attack that
uses a few known texts and the equivalent of 2^96 trial encryptions.
The weakness is that the first 8 rounds depend only on the first 96
bits of the key, and the last 8 rounds on only another 95 bits of key.
This shows that the cipher has at best a 96-bit effective keylength,
shorter than what one would expect from a cipher with a 128-bit key.
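The attack in point 3, scaled down so it runs in a second, as an added example that is not part of the post. The toy cipher below is invented for this illustration and is not the cipher from the PDF under discussion; it only copies the key-schedule shape Wagner describes: a 20-bit key whose first half of the cipher uses bits 0..11 and whose second half uses bits 8..19 (overlapping in bits 8..11, as 96 and 95 bits of a 128-bit key overlap). Meeting in the middle then costs 2^12 forward evaluations plus 2^12 backward ones instead of 2^20 full trials, which is the scaled-down version of "2^96 trial encryptions" against a 128-bit key. The extra known texts are what discard the false matches.

```python
# Added example: toy cipher with a split key schedule and the
# meet-in-the-middle attack it permits. Block: 16 bits. Key: 20 bits.

BLOCK_MASK = 0xFFFF
MUL = 0x6D2B                        # odd, so x*MUL mod 2^16 is a bijection
MUL_INV = pow(MUL, -1, 1 << 16)     # its inverse, needed to run rounds backwards

def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & BLOCK_MASK

def round_f(x, k):
    x = ((x ^ k) * MUL) & BLOCK_MASK
    return rotl16(x, 7)

def round_inv(y, k):
    x = (rotl16(y, 9) * MUL_INV) & BLOCK_MASK
    return x ^ k

def half_f(x, k):
    """One 'half' of the cipher: two rounds driven by a single 12-bit subkey."""
    return round_f(round_f(x, k), k ^ 0x5A5A)

def half_inv(y, k):
    return round_inv(round_inv(y, k ^ 0x5A5A), k)

def subkeys(key20):
    # The flaw: half 1 sees only key bits 0..11, half 2 only bits 8..19.
    return key20 & 0xFFF, (key20 >> 8) & 0xFFF

def encrypt(p, key20):
    k1, k2 = subkeys(key20)
    return half_f(half_f(p, k1), k2)

def decrypt(c, key20):
    k1, k2 = subkeys(key20)
    return half_inv(half_inv(c, k2), k1)

def meet_in_the_middle(pairs):
    """Recover candidate 20-bit keys from known (plaintext, ciphertext) pairs.
    Returns (candidates, half-cipher evaluations spent)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}                                   # middle value -> [k1, ...]
    for k1 in range(1 << 12):
        forward.setdefault(half_f(p0, k1), []).append(k1)
    work = 1 << 12
    candidates = []
    for k2 in range(1 << 12):
        work += 1
        mid = half_inv(c0, k2)
        for k1 in forward.get(mid, ()):
            if (k1 >> 8) != (k2 & 0xF):            # shared key bits 8..11 must agree
                continue
            key = k1 | (k2 << 8)
            if all(encrypt(p, key) == c for p, c in rest):   # weed out false matches
                candidates.append(key)
    return candidates, work

def demo(true_key=0x9C4E7):
    """Constructed known texts under an assumed key; returns what the attacker gets."""
    pairs = [(p, encrypt(p, true_key)) for p in (0x0000, 0x1234, 0xBEEF)]
    candidates, work = meet_in_the_middle(pairs)
    return true_key, candidates, work

if __name__ == "__main__":
    true_key, candidates, work = demo()
    print("true key", hex(true_key), "recovered", [hex(k) for k in candidates],
          "after", work, "half-cipher evaluations (brute force: 2^20 =", 1 << 20, ")")
```

Effective key length here is log2(2^13) = 13 bits from a 20-bit key; in Wagner's figures the same arithmetic gives about 96 bits from 128.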
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: AES: It's been pretty quiet for some time...
Date: Sat, 08 Jul 2000 00:10:43 GMT
On 5 Jul 2000 11:43:22 GMT, [EMAIL PROTECTED] (Mark Wooding) wrote, in
part:
>No. IBM changed policy in round 2: MARS is free for all uses. See the
>round 2 MARS intellectual property statement.
Never mind. I found it at
http://csrc.nist.gov/encryption/aes/round2/AESAlgs/MARS/mars-ip-update.pdf
reachable from
http://csrc.nist.gov/encryption/aes/round2/r2algs.htm
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: cray and time needed to attack
Date: Fri, 7 Jul 2000 18:34:37 -0600
In article <8k5f7u$5r6$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> Are you being deliberately obtuse or are you just plain stupid?
It's funny -- I had almost exactly that sentence in the message to
which you replied, before I decided to give you the benefit of the
doubt and erased it.
> Even a machine 10x faster than a Cray C90 will take ~6 million days
> to solve the matrix mod 2.
Obviously.
> I suggest you learn how to do arithmetic. You clearly can't.
Bob, you're lying and we both know it.
Let's try this skipping the intermediate steps. The Cray C90 had a
main memory cycle time of around 30 ns (maybe faster for later
models).
Right now, Samsung is working on the Alpha 21464, which will include
memory with a cycle time of under .3 ns.
Now, if you want to talk about arithmetic ability, try this: explain
how 30 divided by .3 gives only the 10:1 improvement you cite above.
At least the way I do arithmetic, the difference is 1000:1. A
machine 1000 times faster than the C90 will obviously do the job in
roughly 60,000 days.
That's NOT the limit of currently-known technology though: it's just
(roughly) the upper limit of _production_ technology. As I _clearly_
stated in the post you originally contradicted, I was not limiting
things to current production technology, but to what's theoretically
possible in the near future.
I said an attack would be theoretically possible in the near future,
and you replied "not even close." That statement was simply
incorrect. I will make a simple assertion: if this job were to
attract sufficient interest, a machine could be built, and the first
job solved before 10 years from today.
I don't think it WILL attract sufficient interest, and I don't think
the machine will be built, but the reasons for it not being done are
economic, not technical.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: cray and time needed to attack
Date: Fri, 07 Jul 2000 17:48:50 -0700
Jerry Coffin wrote:
> Now, if you want to talk about arithmetic ability, try this: explain
> how 30 divided by .3 gives only the 10:1 improvement you cite above.
>
> At least the way I do arithmetic, the difference is 1000:1.
The way I do it, I get 100:1. I think it will be a while before
we see machines 100x the speed of a Cray C90.
------------------------------
From: [EMAIL PROTECTED] (Rebus777)
Subject: Concise Programming, Attn: Tom St. D & All
Date: 08 Jul 2000 01:19:04 GMT
This is off topic, but I thought some might
enjoy this link...
http://radsoft.net/bloatbusters/
I was directed to this site in another News Group
and as I read the pages I thought of some of you
in sci.crypt that are ANTI_BLOATWARE.
Have a look and help fight for the cause!
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: cray and time needed to attack
Date: 8 Jul 2000 01:41:04 GMT
In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
>Right now, Samsung is working on the Alpha 21464, which will include
>memory with a cycle time of under .3 ns.
Gigabytes of .3 ns memory? I don't think so.
>Now, if you want to talk about arithmetic ability, try this: explain
>how 30 divided by .3 gives only the 10:1 improvement you cite above.
>
>At least the way I do arithmetic, the difference is 1000:1. A
>machine 1000 times faster than the C90 will obviously do the job in
>roughly 60,000 days.
Um, 100:1, and only for the on-chip memory.
------------------------------
From: ca314159 <[EMAIL PROTECTED]>
Crossposted-To: comp.theory
Subject: Re: Quantum Computer simulator websites with source code
Date: Sat, 08 Jul 2000 01:55:14 GMT
Jeff Erickson wrote:
> ca314159 <[EMAIL PROTECTED]> writes:
>| D. Mermin poses a useful problem for only one qubit:
>| to determine the millionth bit of the binary expansion
>| of sqrt(2+x). That would be big news.
>Hardly. Given the recent computation of the trillionth(!) bit of pi
>using classical computers, why should anyone think computing bits of
>sqrt(2+x) is hard?
It was probably Mermin's point that doing something this
'trivial' with one qubit would be an upscalable test of
proficiency for quantum computer scientists.
Context sensitivity is essential. If the Dilbert space
foams like a BSE Swiss cheese, a continuous real-time
defrag is needed along with a good night's sleep and
some quantum lucid dreaming. If it awakens at all, it
might tell you something useful. But quantum computers,
like people, go psychotic if their REM sleep is disturbed
by waking measurements. A little therapy may be required
for coherence to be regained. A Rorschach test of
free association will reveal any problems in correlating
dualities:
"Do you see a wave or a particle ?"
"They're entangled. It sounds like one hand clapping."
"Does a falling particle make a sound when no one is there
to measure it ?"
"A bell remembers being rung."
"You will waken now. When I count to three. One, two, ..."
"Did I take the blue pill or the red pill ? I forgot."
quantum computer simulator websites with source code:
http://www.bestweb.net/~ca314159/qcs.htm
------------------------------
From: "Greg Keogh" <[EMAIL PROTECTED]>
Subject: Turning off scripting
Date: Sat, 8 Jul 2000 12:46:53 +1000
Hi Scott,
It's a real pain in the you-know-what to have to turn off scripting just to
visit your web site.
Are you sure this is necessary? I'm not aware of any virus risks from
JavaScript, and I only accept ActiveX controls from signed sources.
Demanding that visitors turn off scripting and other advanced browser
features seems to be somewhat dictatorial. I'm not sure what the point is.
Are you protecting people from your own site, or are you suggesting that
they keep browser security at the highest safety levels at all times, even
after they leave your site?
Cheers,
Greg Keogh mailto:[EMAIL PROTECTED]
(Melbourne Australia)
------------------------------
From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Any crypto jokes? (potentially OT)
Date: Sat, 08 Jul 2000 04:22:37 GMT
Paul Pires wrote:
>
> I like it.
>
> Isn't that WOM memory.
>
> AKA, Write Only Memory
>
> Paul
=======================
A very well-known device, usually called "sink" or "null-device".
You direct all software trash towards it.
Best wishes BNK
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: OT Question (was Re: Security in UMTS???)
Date: Sat, 08 Jul 2000 04:52:00 GMT
Hrm, are the names 'KASUMI' and 'MISTY' a reference to the Japanese
word/name 'Kasumi'?
David A. Wagner wrote:
>
> In article <[EMAIL PROTECTED]>,
> Michael Schmidt <[EMAIL PROTECTED]> wrote:
> > There will be a new data encryption algorithm, called KASUMI, which
> > has been developed under (more or less) public scrutiny, and is most
> > likely to be published (check the ETSI web site).
>
> It turns out it was already published briefly, then yanked from the
> website. I have a copy, for instance.
>
> Anyway, for those interested, KASUMI is a MISTY variant. I found it
> mildly surprising that a trusted cipher like 3DES was not chosen
> (perhaps there were political or economic considerations that
> outweighed the assurance issues of building a new cipher), but IMHO
> KASUMI is likely to be far better than the old GSM ciphers, so it
> seems like a substantial step forward.
>
> Next step: end-to-end security!
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Information-theoretic hash question (was Re: CRC question)
Date: Sat, 08 Jul 2000 04:52:06 GMT
What about larger hamming distances than 3?
Scott Fluhrer wrote:
>
> Benjamin Goldberg <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hmm, what if I change it to bitlength(M) strictly-less-than 2**N,
> > rather than less-than-or-equal ? Or do I have to use 2**(N-1) for
> > it to work?
> For hamming distance of 2, yes, that works. An N-bit CRC will always
> detect a 1 or 2 bit difference for bitlength < 2**N if (and only if)
> that CRC was based on a primitive polynomial.
>
> For hamming distance of up to 3, an N-bit CRC can detect that
> difference for bitlength < 2**(N-1) if that CRC is the (x+1)
> polynomial multiplied with an N-1 degree primitive polynomial
> (which is how most standard CRC polynomials are generated).
>
> >
> > Broadening the question, and asking various permutations:
> > 1) What is the maximum hamming distance that two Y-bit messages can
> > have, and still have two different X-bit hashes?
> > 2) What is the minimum hash size needed to detect differences in
> > Y-bit messages which have a hamming distance Z?
> > 3) What is the maximum message length for which an X bit hash can
> > detect differences between messages which have a hamming distance of
> > Z?
> I'll let those be exercises for the reader...
>
> >
> > Scott Fluhrer wrote:
> > >
> > > Benjamin Goldberg <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Is it possible, for an N-bit CRC, for any n ( 1 <= n <= N )
> > > > 1-bit changes in a message M ( bitlength(M) <= 2**N ), the
> > > > output value changes?
> > > No, unless N = 1
> > >
> > > Consider the 2**N messages consisting of 2**N-1 zeros and a one,
> > > and the 1 message consisting of 2**N zeros. There is a total of
> > > 2**N+1 messages here, and each pair of messages has either 1 bit
> > > or 2 bit hamming distance. Since an N-bit CRC has only 2**N
> > > possible values, there is a collision in here somewhere.
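The claims in the quoted exchange, checked by computation as an added example that is not part of the thread. Because a CRC is linear, whether an error pattern slips through depends only on the pattern, not on the message: bits flipped at positions i, j, ... go undetected exactly when x^i + x^j + ... is 0 mod the generator P(x). Tabulating x^i mod P once makes every pattern a few XORs, so small cases can be exhausted. The three degree-8 generators below are chosen here: 0x11D (primitive), 0x11B (the AES field polynomial, irreducible but not primitive, x has order 51) and 0x185 = (x+1)(x^7+x+1), the (x+1)-times-primitive shape Scott describes.

```python
from itertools import combinations

# Added example. `poly` always includes the leading x^degree term, so a
# degree-8 generator is a 9-bit number. Positions are over the whole
# codeword (message bits plus the CRC field), which is what the algebra sees.

def x_power_residues(poly, degree, count):
    """[x^0 mod P, x^1 mod P, ..., x^(count-1) mod P] as degree-bit ints."""
    mask, top = (1 << degree) - 1, 1 << degree
    residues, r = [1], 1
    for _ in range(count - 1):
        r <<= 1
        if r & top:
            r ^= poly
        residues.append(r & mask)
    return residues

def order_of_x(poly, degree):
    """Smallest k >= 1 with x^k == 1 mod P. It equals 2**degree - 1 exactly
    when P is primitive; any two positions that differ by a multiple of this
    order have equal residues, so a 2-bit error there is invisible."""
    assert poly & 1, "constant term must be 1 or x is not invertible mod P"
    mask, top = (1 << degree) - 1, 1 << degree
    r = 1
    for k in range(1, 1 << degree):
        r <<= 1
        if r & top:
            r ^= poly
        r &= mask
        if r == 1:
            return k
    return None

def undetected_patterns(poly, degree, codeword_bits, weight):
    """Count error patterns of the given weight on a codeword_bits-bit
    codeword that the CRC with generator P does not detect."""
    residues = x_power_residues(poly, degree, codeword_bits)
    count = 0
    for positions in combinations(range(codeword_bits), weight):
        acc = 0
        for p in positions:
            acc ^= residues[p]
        if acc == 0:
            count += 1
    return count

PRIMITIVE_8 = 0x11D   # x^8+x^4+x^3+x^2+1, primitive: x has order 255
AES_POLY    = 0x11B   # x^8+x^4+x^3+x+1, irreducible, x has order 51 only
HD3_POLY    = 0x185   # (x+1)(x^7+x+1) = x^8+x^7+x^2+1

if __name__ == "__main__":
    for name, poly in (("0x11D", PRIMITIVE_8), ("0x11B", AES_POLY), ("0x185", HD3_POLY)):
        print(name, "order of x:", order_of_x(poly, 8))
    # 1- and 2-bit errors: primitive generator holds up to 255 bits, not 256.
    print("0x11D 2-bit, 255 bits:", undetected_patterns(PRIMITIVE_8, 8, 255, 2))
    print("0x11D 2-bit, 256 bits:", undetected_patterns(PRIMITIVE_8, 8, 256, 2))
    print("0x11B 2-bit,  52 bits:", undetected_patterns(AES_POLY, 8, 52, 2))
    # Primitive alone does not buy Hamming distance 3: x^25 = x + 1 mod 0x11D.
    print("0x11D 3-bit,  26 bits:", undetected_patterns(PRIMITIVE_8, 8, 26, 3))
    # (x+1)*Q: every odd-weight error is caught, 2-bit errors up to 127 bits.
    print("0x185 3-bit, 127 bits:", undetected_patterns(HD3_POLY, 8, 127, 3))
    print("0x185 2-bit, 127 bits:", undetected_patterns(HD3_POLY, 8, 127, 2))
    print("0x185 2-bit, 128 bits:", undetected_patterns(HD3_POLY, 8, 128, 2))
```

The (x+1) factor is what makes any odd-weight pattern detectable at every length, since such a pattern has E(1) = 1 and so is never divisible by x+1; the degree-7 primitive factor then carries the 2-bit guarantee up to 2^7 - 1 positions, matching the bitlength < 2**(N-1) bound in the quoted reply.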
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Turning off scripting
Date: Sat, 08 Jul 2000 05:02:23 GMT
Maybe he suggests turning off scripting because he has some stupid, ugly
javascript code that prevents you from viewing the page if you have JS
turned on and cookies turned off?
Greg Keogh wrote:
>
> Hi Scott,
>
> It's a real pain in the you-know-what to have to turn off scripting
> just to visit your web site.
>
> Are you sure this is necessary? I'm not aware of any virus risks from
> JavaScript, and I only accept ActiveX controls from signed sources.
> Demanding that visitors turn off scripting and other advanced browser
> features seems to be somewhat dictatorial. I'm not sure what the point
> is. Are you protecting people from your own site, or are you
> suggesting that they keep browser security at the highest safety
> levels at all times, even after they leave your site?
>
> Cheers,
> Greg Keogh mailto:[EMAIL PROTECTED]
> (Melbourne Australia)
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************