Cryptography-Digest Digest #223, Volume #12      Fri, 14 Jul 00 02:13:01 EDT

Contents:
  Re: Diffie Hellman Primes : Speed Tradeoff Q ([EMAIL PROTECTED])
  Re: Proposal of some processor instructions for cryptographical    ("Douglas A. Gwyn")
  Re: Diffie Hellman Primes : Speed Tradeoff Q (David Hopwood)
  Re: New Idea - Cipher on a Disk (Benjamin Goldberg)
  Re: New Idea - Cipher on a Disk (Greg)
  Re: Concepts of STRONG encryption using variable base http://www.edepot.com/phl.html (Greg)
  Re: Cryptographic Camouflage (Greg)
  Re: Concepts of STRONG encryption using variable base  (David Blackman)
  Re: Concepts of STRONG encryption using variable base http://www.edepot.com/phl.html (Greg)
  Re: Definition question (wtshaw)
  Re: New Idea - Cipher on a Disk (Greg)
  Re: cray and time needed to attack (Greg)
  Re: Cryptographic Camouflage ("Joseph Ashwood")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Diffie Hellman Primes : Speed Tradeoff Q
Date: 14 Jul 2000 03:10:38 GMT

[EMAIL PROTECTED] (Mark Wooding) writes:

>I'll order the Springer-Verlag CD some time soon and read the papers
>David Hopwood mentioned upthread, since this stands the most chance of
>actually answering my question, which was: what are the risks of basing
>the security of an algorithm on the difficulty of computing discrete
>logs in a subgroup of order q in the field GF(p) where p = q R + 1 for
>primes p and q, with q large enough to resist collision-finding discrete
>log attacks, p large enough to resist the GNFS and R a random composite
>number?

The risk is that if you operate under the assumption that a protocol
variable belongs to the order q subgroup without explicitly checking the
membership, an adversary may be able to obtain information about your
private key(s) by sending you elements that are not in the subgroup. So
you should either do the explicit checks or use co-factor multiplication
if you use p of this form. Fortunately there are algorithms that allow
both a^x and a^q to be computed in only slightly more time than a^x alone,
so explicit order checking can sometimes be done at very low cost.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: comp.arch
Subject: Re: Proposal of some processor instructions for cryptographical   
Date: Thu, 13 Jul 2000 23:16:09 -0400

"Stefan Monnier " wrote:
> I'm sure you know that doing such things when the cast changes an
> (int*) into a (char**) is rather difficult.

Perhaps you should give an example, since such a cast on most
common architectures doesn't require any code generation at all.

------------------------------

Date: Thu, 13 Jul 2000 17:50:50 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Diffie Hellman Primes : Speed Tradeoff Q


David Hopwood wrote:
> Mark Wooding wrote:
> > Anton Stiglic <[EMAIL PROTECTED]> wrote:
> >
> > > Yes this is was first described by van Oorschot and Wiener, in a
> > > Eurocrypt 96 paper.  It generalizes to using p = Rq + 1 (an attacker
> > > will have to test R values).  It's a good indication that one should
> > > work in the subgroup of order q.
> >
> > It extends to the case where R is a smooth composite too, I think.
> >
> > > Lim-Lee primes, primes of the form p = 2*q_1*q_2*...*q_n + 1, where
> > > the q_i's are large work fine.  You can simply work in one of the
> > > subgroups of large prime order.
> >
> > That only partially answers my question.  Do we have a problem if we do
> > arithmetic mod p = q R + 1, where q is a large-ish prime, p is large,
> > and R is a random composite (therefore possibly having small factors,
> > but also likely to have fairly large ones), and work in the subgroup of
> > order q?
> 
> Yes. See van Oorschot and Wiener's paper:
> 
>   Paul C. van Oorschot, Michael J. Wiener,
>   "On Diffie-Hellman Agreement with Short Exponents,"
>   Advances in Cryptology - EuroCrypt '96.
> 
> Basically it's possible to combine the information gained from each small
> factor of the order, and use that to help in an attack on the main
> problem. It's sufficient for security that all the factors are > q,
> but if q is about 200 bits, say, there's no easy way to check that the
> factorisation of R satisfies this condition without making R prime.

Sorry, I got that wrong. The van Oorschot-Wiener attack only applies to
short exponents in the full group, not when a Lim-Lee prime is used,
even when R has small factors. (The reason why it doesn't work is that
the partial Pohlig-Hellman decomposition can't be computed when g is
of prime order.)

Nevertheless, I would still recommend p = qR + 1 with R prime as the
simplest and most efficient way in practice to avoid all of the attacks
on short exponents. It certainly doesn't do any harm to have R prime,
and it means that there are no elements of order less than q in the
range [2, p-2]. I.e. you can check that an element has large order very
efficiently in this case (which is important because otherwise, checks
on the order of the transmitted elements may take as much time as is
saved by using the subgroup).

> Don't rely just on summaries from this newsgroup - including mine.

That was better advice than I thought :-)

Incidentally, if p is going to be common between users, it's best to
generate it using something like:

  R := next_prime(first n bits of pi)
  q := next_prime(next m bits of pi)
  while (qR + 1 is not prime)
      q := next_prime(q+1)

where next_prime(k) is the lowest prime >= k.

Using the method of a PRNG with a public seed doesn't give quite as
much confidence that p has not been "cooked", IMHO, because an attacker
could still iterate through the possible seeds looking for a property
that causes weakness (it would have to be a fairly likely property).
Although the above algorithm can be varied slightly without causing
suspicion, there are far fewer plausible variations than seeds that
could be searched through.

-- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
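The following Python is an added example (mine, not from any poster in this thread). It carries out the small-subgroup confinement that the first reply warns about when p = qR + 1 has an R with small factors, then applies the two defenses that reply names (the explicit order-q membership check, and co-factor exponentiation), and finally follows Hopwood's derivation loop with R prime. His loop is read here as p = 2qR + 1 (my assumption: the factor 2 is what keeps p odd, and the lone element of order 2 is p - 1, which his range [2, p-2] excludes) with R > q, and the code confirms that every element in that range then has order at least q. All primes, seeds and the private key are constructed toy values; the function names are mine.

```python
"""Small-subgroup confinement on p = q*R + 1, and the defenses named above.
Added example, not from the digest.  Constructed toy sizes throughout so it
runs in about a second; production uses ~2048-bit p and ~256-bit q."""
from math import prod

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases: deterministic below 3.3e24, demo sizes only."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(k):
    """Lowest prime >= k, as in Hopwood's next_prime()."""
    while not is_prime(k):
        k += 1
    return k

def make_group(q, small_factors):
    """The risky form: p = q*R + 1 with R a multiple of the given small primes.
    Returns (p, R, g) with g generating the order-q subgroup."""
    base, k = prod(small_factors), 1
    while not is_prime(q * base * k + 1):
        k += 1
    R, p = base * k, q * base * k + 1
    g = next(h for h in (pow(b, R, p) for b in range(2, p)) if h != 1)
    return p, R, g

def element_of_order(p, r):
    """Deterministic element of exact order r, for a prime r dividing p - 1."""
    return next(h for h in (pow(b, (p - 1) // r, p) for b in range(2, p)) if h != 1)

def crt(residues):
    """Combine (t_i, r_i) pairs with pairwise coprime r_i into (x mod M, M)."""
    x, m = 0, 1
    for t, r in residues:
        x += m * ((t - x) * pow(m, -1, r) % r)
        m *= r
    return x % m, m

def confine(p, x, factors):
    """The attack: hand the victim elements of small order r, watch its h^x,
    brute-force x mod r, and let CRT glue the residues together."""
    residues = []
    for r in factors:
        h = element_of_order(p, r)
        s = pow(h, x, p)                     # victim exponentiates without checking h
        residues.append((next(t for t in range(r) if pow(h, t, p) == s), r))
    return crt(residues)

def in_subgroup(p, q, y):
    """Defense 1, the explicit check: y lies in the order-q subgroup and is not the identity."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def cofactor_dh(p, R, x, y):
    """Defense 2, co-factor exponentiation: y**R kills every component of order
    dividing R, so a small-order y collapses to the identity (which must be
    rejected) instead of a value depending on x mod r.  Both sides must derive
    the key this way."""
    z = pow(pow(y, R, p), x, p)
    return None if z == 1 else z

def make_lim_lee_prime(r_seed, q_seed):
    """Hopwood's derivation loop, read here as p = 2*q*R + 1 with R, q prime
    (assumption: the factor 2 keeps p odd; the seeds stand in for bits of pi)."""
    R, q = next_prime(r_seed), next_prime(q_seed)
    while not is_prime(2 * q * R + 1):
        q = next_prime(q + 1)
    return 2 * q * R + 1, q, R

def order_when_p_is_2qR1(y, p, q, R):
    """Multiplicative order of y for p - 1 = 2*q*R with q, R prime: the only
    candidates are the eight divisors of 2*q*R, so no factoring is needed."""
    for d in sorted(a * b * c for a in (1, 2) for b in (1, q) for c in (1, R)):
        if pow(y, d, p) == 1:
            return d

if __name__ == "__main__":
    q, factors, x = 1000003, (2, 3, 5, 7, 11, 13), 654321   # constructed toy values
    p, R, g = make_group(q, factors)
    h7 = element_of_order(p, 7)
    print("leaked (x mod M, M):", confine(p, x, factors), "true:", x % prod(factors))
    print("attacker element passes in_subgroup?", in_subgroup(p, q, h7))
    print("cofactor DH on attacker element:", cofactor_dh(p, R, x, h7))
    p2, q2, R2 = make_lim_lee_prime(500, 100)       # R > q, as Hopwood's claim needs
    print("smallest order in [2, p-2]:", min(order_when_p_is_2qR1(y, p2, q2, R2) for y in range(2, p2 - 1)), ">= q =", q2)
```

With R = 2*3*5*7*11*13*k the attacker learns x mod 30030 from six exchanges, which is exactly the partial information that is then combined against the remaining problem; the explicit check rejects every one of those elements, and co-factor exponentiation turns them into the identity. With p = 2qR + 1 and R, q prime (R > q) the exhaustive order computation finds nothing below q except y = 1 and y = p - 1, so the "large order" check really is the range test Hopwood describes.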




------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: New Idea - Cipher on a Disk
Date: Fri, 14 Jul 2000 04:15:56 GMT

Trevor L. Jackson, III wrote:
[snip]
> I think this concept needs a true sideband channel -- one that extends
> the interface between the drive and the world.  Such extension is hard
> to do transparently.

How about a hardware solution: The encryption key is stored in a
self-erase-if-tampered-with microchip, in a case which can be plugged
into the drive.  The case could either be a smartcard, or perhaps
something which can go on a normal physical keychain.

-- 
This is the signature worm.
Help me spread by appending me to your signature.


------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: New Idea - Cipher on a Disk
Date: Fri, 14 Jul 2000 04:54:40 GMT


> > The key persists with the HD power and reset.
>
> So the drive knows it's own key?

No, I misstated that.  The key persists with the HD power - meaning it
does not persist when the power goes away, and it remains even during
reset.  But the latter can be optional.



> Yes, this kind of enhancement is certainly possible.  Hard to
> justify though given the existence of free packages like
> PGPdisk and Scramdisk.

I can see this.  But it would make encryption more pervasive in the
market place.  People would opt to use it more if it came standard
with every HD.  That was really my intent behind this - to get it
into the hands of every common person using a computer.  Once it
is in their hands (in the fashion that I outlined that makes the
most compatibility sense to me), then it will be used.

The software that is free is not used because people don't want to
bother getting it or setting it up.  But if it is built in and they
get a prompt at boot up, they will more likely use it because all they
need to do then is literally just supply a password.  Everything else
is fully transparent.

Now there is one thing I would say would really hurt this approach -
that the firmware on the cipher chip would be cumbersome to upgrade
if at all.  That is where free software has one over.  But the absolute
transparency cannot be matched by any other solution.

> There's also the issue of the obsolescence of the encryption hardware.

Sort of like disk capacity, huh?

>  I once had a machine that was one generation behind the
> state-of-the-art machine.

My machines get behind capacity every year.  I just upgraded my laptop
to a 12G from a 4G.  No help from the manufacturer because it is no
longer in production, but IBM makes good drives.  My Travelstar 12GN
series replaced my 4GN series perfectly.  The BIOS wouldn't see the
whole 12G, but Win98, Win NT4SP6, and Win2000 all did.  (but now I
digress...)

> The system used disk compression that made it IO bound when it
> should have been compute bound, so I invested in an accelerator
> card for the compression mechanism.  It gave me about a factor
> of two in performance.

I can see this.  But placing a cipher on a disk and having many of
them is simply adding cipher processors to the system.  It would be
interesting to see the results.

> ...It would be _really_ tough to sell a secure drive that was slower
> and more expensive than a bare drive plus free encryption software.

I concur.  We simply have to ensure that does not happen, don't we?



Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Concepts of STRONG encryption using variable base http://www.edepot.com/phl.html
Date: Fri, 14 Jul 2000 05:03:52 GMT


> We all know that encryption these days is weak.  Weak in the sense
> that it is static and can be brute force searched by permutating
> through the keyspace of the encryption key.

Oh?

> For more information on BASE Encryption, read it up
> here http://www.edepot.com/phl.html

Honestly, I would prefer to read other people's comments first...


--
Tyranny is kept at bay by guns and will.  Our government
knows we have the guns, but they don't know if we have
the will.  Nor do we.
The only lawful gun law on the books- the second amendment.



------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Cryptographic Camouflage
Date: Fri, 14 Jul 2000 05:02:10 GMT

Let's take all that math away for a moment and can you please
tell us where the camouflage enters in to the strategy?  What
is crypto camouflage and how is it used (without the math please)?


> Actually, I do have experience with their designs. Arcot does only
> authentication. This authentication is done as a digital
> signature, with a bit of a twist as follows:
> Original RSA parameters:
> e
> d
> pq
> Arcot Authentication Parameters:
> E = encrypted version of e (using strong methods, 3DES is the current)
> D = encrypted version of d (lightly encrypted, a strong cipher with a
> small pin), there's actually more to it, there are some bits that are
> left clear because they can be verified without knowledge of e
> PQ = pq in clear
>
> Authentication protocol:
> Client:
> Get challenge C from server
> Decrypt D to get probably d
> compute X = (C + padding)^d mod PQ
> send X to the server
> Server:
> decrypt E to get e
> compute (M + padding) = X^e mod PQ
> verify M as a recent valid challenge
>
> So basically RSA is used as a secret key algorithm, and unless it
> becomes possible to verify more information about d without knowledge
> of e there is little question that (under reasonable pretense) it is
> secure. As a scientist I do have to tell you that YMMV and that based
> on information that may be available at some future time my opinion
> could change vastly, I also feel it is prudent to inform you that I
> work for Arcot, in case you feel the need to discount me as
> potentially biased.
>                     Joe
>
> "Andrew Wong" <[EMAIL PROTECTED]> wrote in message
> news:8kk5cr$poe$[EMAIL PROTECTED]...
> > I recently came upon this product, called WebFort, developed by
> > Arcot Systems Inc., that uses cryptographic camouflage to secure
> > keys in a software container.
> >
> > Pse advise if anyone has experience on this product and what are
> > your comments.
> >
> > Regards,
> > Andrew


------------------------------

From: David Blackman <[EMAIL PROTECTED]>
Subject: Re: Concepts of STRONG encryption using variable base 
Date: Fri, 14 Jul 2000 15:16:21 +1000

Greg wrote:
> 
> > We all know that encryption these days is weak.  Weak in the sense
> > that it is static and can be brute force searched by permutating
> > through the keyspace of the encryption key.
> 
> Oh?
> 
> > For more information on BASE Encryption, read it up
> > here http://www.edepot.com/phl.html
> 
> Honestly, I would prefer to read other people's comments first...

Other people's opinions have been posted on this newsgroup. Nearly all
agree BASE Encryption is a joke. The guy proposing it has no idea what
encryption is for, let alone how to implement it. I would guess he is
probably a high-school student, and probably is going to fail maths.

------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: Concepts of STRONG encryption using variable base http://www.edepot.com/phl.html
Date: Fri, 14 Jul 2000 05:07:02 GMT


> > We all know that encryption these days is weak.  Weak in the sense
> > that it is static and can be brute force searched by permutating
> > through the keyspace of the encryption key.
>
> Well you *can*, of course -- if you have the time.

How much time would a 256 bit Twofish key space require?

There are some things that you don't have enough time for, even
if the entire universe were one big supercomputer.



------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Definition question
Date: Thu, 13 Jul 2000 22:28:07 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

>
> I don't understand the question, but the answer is no.

Now....that's funny.
-- 
Ralph Nader must not be a politician, he makes sense.  Those that
hype confusion about understandable issues are the anarchists.


------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: New Idea - Cipher on a Disk
Date: Fri, 14 Jul 2000 05:16:25 GMT



> There's one thing that I'm not clear about. I'm not sure what
> security needs you would be addressing with an encrypted disk?

My own.  I want security to become common place.  I want all disks
to become self encrypted processes.  I want people to use this
stuff because it asks nothing more than a password from them
when their machine starts up.  When it gets to be that transparent
and that easy to use, then people will use it far more than they
do today - even if reluctantly.  I want security USED by all.  I want
people to become so used to having it, that they will cry if they lose
it.  Then the next step is building some type of on board encryption
onto every network card or replacing the entire TCP/IP with TCP/SIP
(secured internet protocol) - a network protocol based upon encrypted
traffic.

It is for my security needs - I want to see this next evolutionary
step in computers to take place ASAP all over the world.  I want
so much security to transpire that any wire tap on the internet
is a waste of money and time - by anyone and everyone.

Privacy is not something we enjoy because most people don't use it
because most people don't know how or don't want to bother.  I want
it everywhere.  I want to be part of it everywhere.  And I want to
make the excuses drop away quickly and effortlessly.  I want there
to be absolutely no reason for a person NOT to encrypt his disk from
end to end.  That is my goal.

That is the security need I am addressing.  Make it everywhere,
transparent, and extremely simple to employ.  Then people will use
it and those seeking to gain access to confidential data will find
all of us in a new era - an era where privacy prevails.





------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: cray and time needed to attack
Date: Fri, 14 Jul 2000 05:19:02 GMT


> > If I poured in $100M, how quick could I get the key
>
> Not in any reasonable length of time.

I didn't think so...

>
> > and what would that key "generally" give me in return?
>
> "Generally"?  The huge expenditure would _probably_ get a message
> about the simply incredible girl some teenage boy met at the party
> after he snuck out Friday night (of course, by the time you finish
> decrypting it, he's not a teenager and doesn't live at home anymore).


No, that was not addressing my question, but you did give me the
answer - the key will deliver the entire message, correct?



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Cryptographic Camouflage
Date: Thu, 13 Jul 2000 22:30:37 -0700

Stated differently the idea for the camouflage is
approximately doing the following:
Secrets A, B where A and B are keys needed for
signature/verification
Publicly store
    ENCRYPT(A, PIN)
    ENCRYPT(B, GuardedKey)
That is the idea for camouflage. The idea being that to
determine if you have the correct A on decryption you need
B, which is unknown.

If you want the original presentation to IEEE it's available
at http://www.arcot.com/products/arcot_ieee.pdf
                Joe

"Greg" <[EMAIL PROTECTED]> wrote in message
news:8km6sb$m7n$[EMAIL PROTECTED]...
> Let's take all that math away for a moment and can you please
> tell us where the camouflage enters in to the strategy?  What
> is crypto camouflage and how is it used (without the math please)?

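The scheme Joe sketches, worked through as an added example (my code, not Arcot's, and not part of any post). Everything in it is a constructed toy stand-in: the RSA primes, the PIN, the server's key and the challenge. SHA-256 counter-mode keystreams stand in for 3DES and the PIN cipher, and the whole of d is masked rather than leaving some bits clear as Joe says the real product does. The block runs the client/server exchange, then shows why the camouflage depends on e staying secret: with e in hand the PIN falls to an offline search, and (my own observation about the protocol as described, not a claim from the thread) a captured challenge/response pair restores that same offline test without e.

```python
"""Cryptographic camouflage in the shape Joe describes, on toy RSA parameters.
Added example, not Arcot's code; every constant is a constructed stand-in."""
import hashlib
from math import gcd

P, Q = 999983, 1000003                   # constructed toy primes, never this small in practice
N, PHI = P * Q, (P - 1) * (Q - 1)
BITS = N.bit_length()

def pick_exponent(seed):
    """e is a secret here, so it must not be a guessable constant such as 65537."""
    e = seed | 1
    while gcd(e, PHI) != 1:
        e += 2
    return e

E_PLAIN = pick_exponent(0x2F5A17C3)      # constructed seed
D_PLAIN = pow(E_PLAIN, -1, PHI)

def keystream(secret, nbits):
    """SHA-256 counter mode; stand-in for the real ciphers (no PIN stretching)."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(secret + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") & ((1 << nbits) - 1)

def mask(value, secret):
    """ENCRYPT(value, secret) as an XOR with a keystream: every secret 'decrypts'
    to some value of the right size, so a wrong PIN cannot be told from the
    right one without a second piece of information (e)."""
    return value ^ keystream(secret, BITS)

def client_sign(D, pin, challenge):
    d_maybe = mask(D, pin)               # "decrypt D to get probably d"
    return pow(challenge, d_maybe, N)    # padding omitted in this toy

def server_verify(E, server_key, challenge, X):
    e = mask(E, server_key)              # e lives only under the guarded key
    return pow(X, e, N) == challenge

def brute_force_with_e(D, e, pins):
    """What an attacker can do once e leaks (or if e were public, as in plain RSA)."""
    for pin in pins:
        if pow(pow(2, mask(D, pin), N), e, N) == 2:
            return pin
    return None

def brute_force_with_transcript(D, challenge, X, pins):
    """A captured (challenge, X) pair gives the same offline test without e."""
    for pin in pins:
        if pow(challenge, mask(D, pin), N) == X:
            return pin
    return None

PIN, SERVER_KEY = b"4821", b"constructed-server-key"
D_STORED = mask(D_PLAIN, PIN)            # the camouflaged container, stored "publicly"
E_STORED = mask(E_PLAIN, SERVER_KEY)
ALL_PINS = [b"%04d" % i for i in range(10000)]

if __name__ == "__main__":
    C = 0xC0FFEE42 % N                   # constructed challenge
    X = client_sign(D_STORED, PIN, C)
    print("right PIN verifies:", server_verify(E_STORED, SERVER_KEY, C, X))
    print("wrong PIN verifies:", server_verify(E_STORED, SERVER_KEY, C, client_sign(D_STORED, b"0000", C)))
    print("PIN recovered with e:", brute_force_with_e(D_STORED, E_PLAIN, ALL_PINS))
    print("PIN recovered from a transcript:", brute_force_with_transcript(D_STORED, C, X, ALL_PINS))
```

The two brute-force functions are the practitioner's checklist for this design: the container resists offline guessing only for as long as e never reaches the attacker and no (challenge, signature) pair of the legitimate user is available to test candidates against, which is why e is kept encrypted on the server side and the challenge/response exchange needs a protected channel.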


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
