Cryptography-Digest Digest #235, Volume #12      Sun, 16 Jul 00 21:13:00 EDT

Contents:
  Re: SECURITY CLEAN freeware text editor in win95 ? (Roger Schlafly)
  Blowfish Algorithm ("Garrett Kajmowicz")
  TC5 Algorithm Update (tomstd)
  Re: SECURITY CLEAN freeware text editor in win95 ? (Jerry Coffin)
  Re: Defeating the RIP bill (JimD)
  Re: Hashing Function (David A. Wagner)
  Re: xor confusion! ([EMAIL PROTECTED])
  Re: General Question on cryptography (Mok-Kong Shen)
  Re: xor confusion! ([EMAIL PROTECTED])
  Re: Hashing Function (Mark Wooding)
  Re: xor confusion! ([EMAIL PROTECTED])
  Re: SECURITY CLEAN freeware text editor in win95 ? (jungle)
  Re: SECURITY CLEAN freeware text editor in win95 ? (jungle)
  Re: SECURITY CLEAN freeware text editor in win95 ? (jungle)
  stes-0.0.0 released (was: Steganographic encryption system) (phil hunt)
  Re: Steganographic encryption system (phil hunt)
  Re: Win2000 Encryption (Steve Rush)
  Re: Hashing Function (David Hopwood)
  Re: unambiguous polynomial computation and crypto (David Hopwood)
  Announce: Catacomb 2.0.0pre6 now available (Mark Wooding)

----------------------------------------------------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: SECURITY CLEAN freeware text editor in win95 ?
Date: Sun, 16 Jul 2000 11:16:29 -0700

Jerry Coffin wrote:
> To have a reasonable assurance of secure erasure, you need to get the
> FS to tell you what parts of the disk are occupied by the temp file,
> and then overwrite those parts of the disk.

Even then, you wouldn't be safe from a determined attacker who
is willing to take an analog look at what is really on the disk.

------------------------------

From: "Garrett Kajmowicz" <[EMAIL PROTECTED]>
Subject: Blowfish Algorithm
Date: Sun, 16 Jul 2000 14:51:35 -0400

    As a cryptography newbie, I've decided to take the first step by writing
an implementation of Blowfish-16, as per the specs listed at
www.cryptography.org
    The 3 questions I have are:
1)    The F() function splits the 32-bit word into 4 bytes in the full
implementation.  With Blowfish-16, do I split the 8-bit byte into 4 2-bit
chunks?

2)    If 1 is true, then what do I use instead of mod 2^32?

3)    Where can I get a very good in-depth file on modern cryptography on
the 'net?

Thanks for all the help!

Garrett Kajmowicz
[EMAIL PROTECTED]


------------------------------

Subject: TC5 Algorithm Update
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 16 Jul 2000 11:59:00 -0700

I found what David was talking about: his attack on TC5 is a
modification of his attack on Khufu.  The problem is that his
attack requires sending differences through rounds that have a
very low probability of success.  Namely, in the four rounds he
must send a difference through one round in the first half and a
round in the second half.

Essentially his attack won't work because the probability of
sending the difference is much too low.  In fact it's well below
2^-120 for a single round.

Also I found that I can reduce the rounds in the 32, 64 and 128
bit Feistels to three rounds to reduce memory and time
requirements with the same bounds on linear and differential
attacks.

I will post a more "mature" paper  (I noticed spelling and
grammatical errors in the original paper) later when I actually
get my net access.

David, could you explain how your attack would work better?  Am
I correct in suggesting it is like the attack on Khufu?

Tom

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: SECURITY CLEAN freeware text editor in win95 ?
Date: Sun, 16 Jul 2000 13:07:18 -0600

In article <[EMAIL PROTECTED]>, roger_95073@my-dejanews.com says...
> Jerry Coffin wrote:
> > To have a reasonable assurance of secure erasure, you need to get the
> > FS to tell you what parts of the disk are occupied by the temp file,
> > and then overwrite those parts of the disk.
> 
> Even then, you wouldn't be safe from a determined attacker who
> is willing to take an analog look at what is really on the disk.

Right -- exactly how often you need to overwrite the data (if, indeed 
_any_ number is really sufficient) is an entirely separate question.  
Assuming that you decide _some_ number of overwrites is sufficient, 
you still basically need to follow the same procedure: find 
what area of the disk is involved, and overwrite the area rather 
than treating it as a file.

There's the added complexity of the fact that drives/controllers with 
built-in caching (which is nearly ALL drives anymore) may coalesce 
writes, so you may need to do extra work to ensure that when you 
decide to overwrite data N times, that there are really N writes to 
the disk, and not just N writes to cache followed by 1 write to the 
physical disk.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

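As an added example (not code from anyone in this thread), here is the in-place overwrite procedure the posts above describe, written for a POSIX system: the file is opened without truncation so the same blocks are rewritten, every pass is pushed out of the kernel's cache with fsync() before the next one starts, and only then is the name unlinked. The function names, the three-pass default and the "SECRET DATA" sample file are assumptions constructed for the demonstration.

```python
# Added example: overwrite a file's own blocks N times, forcing each pass
# through the OS cache with fsync(), before unlinking it.
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=3, chunk=1 << 16):
    """Rewrite every byte of `path` `passes` times; return bytes written.

    The file is opened read/write without O_TRUNC: truncating would free
    the clusters and the new data could land somewhere else, leaving the
    old contents untouched.  os.fsync() after each pass makes the kernel
    push that pass to the device instead of merging N passes into one
    write from the page cache.
    """
    size = os.path.getsize(path)
    written = 0
    fd = os.open(path, os.O_RDWR)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                buf = secrets.token_bytes(n)      # fresh random pattern per pass
                while buf:
                    k = os.write(fd, buf)
                    buf = buf[k:]
                    written += k
                remaining -= n
            os.fsync(fd)
    finally:
        os.close(fd)
    return written


def secure_unlink(path, passes=3):
    """Overwrite, then remove the directory entry."""
    written = overwrite_in_place(path, passes)
    os.unlink(path)
    return written


def demo():
    """Constructed input: a temp file holding a recognisable secret."""
    secret = b"SECRET DATA " * 1000
    d = tempfile.mkdtemp()
    path = os.path.join(d, "editor.tmp")
    with open(path, "wb") as f:
        f.write(secret)
    written = overwrite_in_place(path, passes=3)
    with open(path, "rb") as f:
        after = f.read()
    result = {
        "size_unchanged": len(after) == len(secret),
        "secret_gone": b"SECRET" not in after,
        "bytes_written": written,
    }
    os.unlink(path)
    os.rmdir(d)
    return result
```

fsync() only gets the data as far as the drive; whether the drive's own write cache then really performs N separate writes is the point Jerry raises, and has to be handled at the controller level. On journaling or copy-on-write filesystems and on SSDs with wear levelling, an in-place rewrite may be redirected to new blocks while the old ones survive, which is why wiping free space, or keeping the editor's temp directory on an encrypted volume, is the more robust answer.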
------------------------------

From: [EMAIL PROTECTED] (JimD)
Subject: Re: Defeating the RIP bill
Date: Sun, 16 Jul 2000 18:05:01 GMT
Reply-To: JimD

On Sat, 15 Jul 2000 19:03:06 +0100, "Michael Tickle"
<[EMAIL PROTECTED]> wrote:

>"Kad" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>: I just thought I would make a suggestion as to how easy it is
>: to write a crypto program which makes the RIP bill the lame duck
>: it already is
>
>I am new to this group, so I don't want to seem out of
>place, but...  Would it not be easier to set up hotmail
>accounts or similar in the names of all the people involved
>with RIP.  Then send encrypted data to them.  Tell the
>police the data transferred is of interest to them.  Then
>the police will ask to see the decrypted data.

They'll probably also want to see you for wasting their
time.

>The receivers can not do this and are thus sentenced to 2 years
>in prison.  I know this idea is a little rough around the
>edges, but you get the idea

-- 
Jim Dunnett.

g4rga at thersgb.net

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Hashing Function
Date: 16 Jul 2000 12:13:18 -0700

In article <[EMAIL PROTECTED]>,
Simon Johnson  <[EMAIL PROTECTED]> wrote:
> We first start by picking a random strong prime , P, which is at
> least 128-bits long. We then pick a generator, G, at random [...]
> 
> To hash a document we divide the plain-text into blocks of
> length equal to the max size of p. We then do the following
> for I number of blocks:
> 
> For i = 1 to number of blocks
>       Q = g^(Plain-text_i) mod p
>       Hash = (Hash + Q) mod p

If I understand correctly, it's utterly insecure.
Permuting the order of the plaintext blocks leaves the hash unchanged,
giving a trivial collision-finding attack.
Taking discrete logs mod the 128-bit prime P (which is easy) allows you
to find pre-images for any given digest, so it's not one-way, either.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: xor confusion!
Date: Sun, 16 Jul 2000 19:14:07 GMT

Yes, that helped greatly. Thanks!

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Larry Himes) wrote:
> [EMAIL PROTECTED] wrote in <8kqg8j$m5v$[EMAIL PROTECTED]>:
>
> >i don't quite understand how the XOR operation works. i was reading
> >about it in Applied Cryptography, by Bruce Schneier. the explanation
> >was rather brief, so I decided to make a program that generated two
> >random integers and XORed them. i understand why the same number
> >twice will return zero, but i don't get how 6 xor 3 can be five (that's
> >one of the pairs i got). any help is greatly appreciated!
> >
>
> 6 = 110  (base 2)
> 3 = 011  (base 2)
> 5 = 101  (base 2)
>
> Does that help??
>
> >--spud


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: General Question on cryptography
Date: Sun, 16 Jul 2000 21:31:22 +0200



John Savard wrote:

> Mok-Kong Shen<[EMAIL PROTECTED]> wrote, in part:
>
> >One author of a paper, though, has the opinion that under certain
> >circumstances the assumption that the opponent has knowledge of the
> >algorithm could be weakened. I gave a citation of that some time back.
>
> It certainly is advantageous if one can keep an algorithm secret,
> because it makes brute-force search rather more open-ended.
>
> But I think that there is no good reason not to design our algorithms
> to be strong enough to be safe if known: even if we pursue additional
> strength by keeping them secret. For most users of cryptography,
> though, this is not an option, because it is the publicly known
> algorithms that have been reviewed by the competent specialists.

I agree with you (and hence not with the author mentioned). A very
large organization might have the expertise to design good algorithms,
but then, because of the number of people involved, it is very difficult
to keep these secret, independent of the problem of quality. Among
others, there is the issue of disgruntled employees. (I happen to know,
though, an industrial firm that uses a secret algorithm in certain of its
products.) A single person can easily keep secrets but is very likely to
be blind to the weaknesses of his designs.

M. K. Shen


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: xor confusion!
Date: Sun, 16 Jul 2000 19:18:51 GMT

Thanks! I didn't  understand that XOR was a bitwise operation, and from
the different results I got, I thought that you added the numbers or
something. Guess not!


------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Hashing Function
Date: 16 Jul 2000 19:22:33 GMT

Simon Johnson <[EMAIL PROTECTED]> wrote:

> We first start by picking a random strong prime , P, which is at least
> 128-bits long. 

What is a `strong' prime in this context?  The usual meaning of `strong'
primes concerns systems based on the integer factorization problem.

> We then pick a generator, G, at random (this is easy since exactly
> half of the elements in GF(P) are primitives)

Ahh.  These are properly called `safe' primes, I believe.

> To hash a document we divide the plain-text into blocks of
> length equal to the max size of p. We then do the following
> for I number of blocks:
> 
> For i = 1 to number of blocks
>       Q = g^(Plain-text_i) mod p
>       Hash = (Hash + Q) mod p
> 
> 
> Though very slow, it does have some nice properties, e.g. We
> know for every plain-text length of one block has its own
> individual hash i.e. Collision rate is the lowest possible.

And then you go and spoil it all by adding the blocks together.  Tut
tut.  Any reordering of the blocks is a second preimage.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: xor confusion!
Date: Sun, 16 Jul 2000 19:25:59 GMT

Thanks everyone for all your help. Now I finally understand that sonofa!


------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: SECURITY CLEAN freeware text editor in win95 ?
Date: Sun, 16 Jul 2000 17:21:20 -0400

Jerry Coffin wrote:
> 
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> says...
> > thanks,
> >
> > I will stay in 30 kb limitation of notepad [ it is very clean ] ...
> > for other stuff, EditPad 351 [ it creates / deletes intermittent temp files ]
> 
> Simply deleting a temp file is rarely sufficient to accomplish much
> of anything: you need to ensure that the disk space the temp file
> occupied is overwritten with some other information. 

yes,
for not secure info EditPad v351, despite the fact it creates & deletes temp
files on the fly ...
 [ wipe free space clean up ONLY after use ] ...



------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: SECURITY CLEAN freeware text editor in win95 ?
Date: Sun, 16 Jul 2000 17:22:43 -0400

Roger Schlafly wrote:
> 
> Jerry Coffin wrote:
> > To have a reasonable assurance of secure erasure, you need to get the
> > FS to tell you what parts of the disk are occupied by the temp file,
> > and then overwrite those parts of the disk.
> 
> Even then, you wouldn't be safe from a determined attacker who
> is willing to take an analog look at what is really on the disk.

wipe free space, instead ...



------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: SECURITY CLEAN freeware text editor in win95 ?
Date: Sun, 16 Jul 2000 17:24:47 -0400

make sure that you are using REAL WIPE utility ...

Jerry Coffin wrote:
> There's the added complexity of the fact that drives/controllers with
> built-in caching (which is nearly ALL drives anymore) may coalesce
> writes, so you may need to do extra work to ensure that when you
> decide to overwrite data N times, that there are really N writes to
> the disk, and not just N writes to cache followed by 1 write to the
> physical disk.



------------------------------

From: [EMAIL PROTECTED] (phil hunt)
Crossposted-To: comp.os.linux.development.apps,uk.comp.os.linux
Subject: stes-0.0.0 released (was: Steganographic encryption system)
Date: Sun, 16 Jul 2000 21:39:04 +0100
Reply-To: [EMAIL PROTECTED]

On Wed, 12 Jul 2000 02:51:16 +0100, Michael Rozdoba <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
>   phil hunt <[EMAIL PROTECTED]> wrote:
>> Got it in one. I imagine there's other benefits as well, but not having
>> a background in cryptography, I wouldn't know what they are.
>
>Any idea when you might have some code for us to play with?

Now.

It's on the web at <http://www.comuno.com/linux/stes/stes-0.0.0.tgz>.

This is a highly unfinished version, as the version number suggests: it
encrypts but it doesn't decrypt. I've included a README file which explains
how it works.

I'm also hoping that those who know more about encryption than me will
find any security holes that exist in my scheme.

-- 
***** Phil Hunt ***** send email to [EMAIL PROTECTED] *****
Moore's Law: hardware speed doubles every 18 months
Gates' Law: software speed halves every 18 months 

------------------------------

From: [EMAIL PROTECTED] (phil hunt)
Crossposted-To: comp.os.linux.development.apps,uk.comp.os.linux
Subject: Re: Steganographic encryption system
Date: Sun, 16 Jul 2000 22:57:25 +0100
Reply-To: [EMAIL PROTECTED]

On Fri, 14 Jul 2000 18:19:47 +0100, Bob Billing (AKA Uncle Bob) 
<[EMAIL PROTECTED]> wrote:
>Phil Britton wrote:
>
>> You mean the sort of country that Jack Straw is trying to turn Britain into
>
> Trying?
>
> Seriously though I've been following this with some interest, as an
>encryption system like this would enable binary files to be encrypted in
>transit, and to be given a "watermark" which could be used to prove
>fairly conclusively which file was which. I may have a commercial use
>for this.
>
>-- 
>I am Robert Billing, Christian, inventor, traveller, cook and animal
>lover, I live near 0:46W 51:22N.  http://www.tnglwood.demon.co.uk/
>"It burned me from within. It quickened; I was with book as a woman
>is with child." CS Lewis - Till we have faces, Ch 21.

Bob,

just to let you know, I received your email. I haven't replied as unfortunately
I don't seem to be able to send email at the moment.

-- 
***** Phil Hunt ***** send email to [EMAIL PROTECTED] *****
Moore's Law: hardware speed doubles every 18 months
Gates' Law: software speed halves every 18 months 

------------------------------

From: [EMAIL PROTECTED] (Steve Rush)
Subject: Re: Win2000 Encryption
Date: 16 Jul 2000 23:27:52 GMT

>> Does anyone know if win2k does swap file erasure at shutdown?
>
>It can, but it doesn't necessarily.  Whether it does or not can be 
>set either as a policy for an entire domain or as a setting local to 
>a particular computer.

Let me guess: by default, Win2K not only doesn't erase the swapfile on
shutdown, but sets every security parameter to "wide open."

Has anyone checked to see if Win2K stores the decryption key in the file?

-- 
If it's spam, it's a scam.  Don't do business with Net abusers.


------------------------------

Date: Sun, 16 Jul 2000 14:32:05 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Hashing Function

=====BEGIN PGP SIGNED MESSAGE=====

Simon Johnson wrote:
> Although this hashing method is really impractical, i thought
> i'd tie up what i have learnt about primitive elements of GF(P) and
> design a simple ( though it's probably been done before ) hashing
> algorithm.
> 
> We first start by picking a random strong prime , P, which is at
> least 128-bits long. We then pick a generator, G, at random
> (this is easy since exactly half of the elements in GF(P) are
> primitives)
> 
> To hash a document we divide the plain-text into blocks of
> length equal to the max size of p. We then do the following
> for I number of blocks:
> 
> For i = 1 to number of blocks
>       Q = g^(Plain-text_i) mod p
>       Hash = (Hash + Q) mod p
> 
> Though very slow, it does have some nice properties, e.g. We
> know for every plain-text length of one block has its own
> individual hash i.e. Collision rate is the lowest possible.

It also has some fairly nasty properties, for example:

 - the hash of a message is independent of the ordering of blocks,
   so collisions on messages longer than one block are trivial to
   find,
 - given two related messages, it is possible to cancel out the
   contributions of any blocks that are the same in both messages
   (which leads to a number of other attacks if used to construct
   a MAC or similar),
 - on a single block, the function has some undesirable patterns
   such as hash(x+y) = hash(x)*hash(y).

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOXG5KTkCAxeYt5gVAQGrXgf+KvnvyO0xxtl6lG8xcR5b6KkzqFmx9n4B
aV7K52gp7mUW6U/jFcke3M5RrbyVUx2LnjHB1JP0GpOBgyCQoTdJUo5ghj8ufVYP
xnO9FOgmrEooBptDLVWd+qSMPIkzkzXlm+r/Y23nt5B1NJ/6Mvx9+hpbKXbqO1hD
n2m7Ynk9GpurYCgylc9csNmxmIGjlEl0EL6vwo8Ha/mb7fyWCaRXMalaqzrrojT5
LOkHttbKYtBrSRcDym3Eyd2JbwFd1Y+NL9w63ODTcme+p8HlA0WJcNwaYsPBPamb
XsJX8t4h4VFEKsCABP+XizlkatumH9JEfIXwIPVSGhYfedtWU8GWAA==
=hqhE
=====END PGP SIGNATURE=====

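As an added example (not code from Simon Johnson or any of the replies), the proposed hash and the three weaknesses pointed out by David Wagner, Mark Wooding and David Hopwood above, worked out on a small group so every step can be checked by hand. The safe prime 1019 = 2*509 + 1, the generator 2, the block values and the keyed "MAC" use are all constructed for the demonstration; "blocks of length equal to the size of p" is taken to mean each block is an integer below p. The preimage is recovered with baby-step giant-step, which needs about sqrt(p) steps; for the 128-bit prime in the proposal one would use an index-calculus method instead, which is what makes the discrete log "easy" at that size.

```python
# Added example: Hash = sum of g^m_i mod p, and the attacks on it described
# in the replies.  p, g and all messages below are constructed values.
from math import isqrt

P = 1019   # constructed safe prime: 1019 = 2 * 509 + 1
G = 2      # constructed generator of GF(P)*, verified by is_generator()


def is_generator(g, p):
    """For a safe prime p, g generates GF(p)* iff g^2 != 1 and g^((p-1)/2) != 1."""
    q = (p - 1) // 2
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def hash_blocks(blocks, p=P, g=G):
    """The proposal as posted: Hash = (Hash + g^m_i) mod p over all blocks."""
    h = 0
    for m in blocks:
        h = (h + pow(g, m, p)) % p
    return h


# 1. Reordering: the sum is commutative, so any permutation of the blocks
#    is a second preimage (Wagner, Wooding, Hopwood).
def reorder_collision(blocks):
    other = list(reversed(blocks))
    return other, hash_blocks(other) == hash_blocks(blocks)


# 2. Cancelling shared blocks (Hopwood): key the hash by prepending a secret
#    block k, a hypothetical MAC.  One known (message, tag) pair lets anyone
#    tag any other message, because g^k drops out of the difference.
def mac(key_block, blocks, p=P, g=G):
    return hash_blocks([key_block] + list(blocks), p, g)


def forge_mac(known_msg, known_tag, new_msg, p=P, g=G):
    return (known_tag - hash_blocks(known_msg, p, g) + hash_blocks(new_msg, p, g)) % p


# 3. Not one-way (Wagner): a one-block digest is just g^m, so a discrete log
#    returns m.  Baby-step giant-step, about sqrt(p) group operations.
def discrete_log(h, g=G, p=P):
    n = p - 1
    m = isqrt(n) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)        # baby[g^j] = smallest such j
        cur = cur * g % p
    giant = pow(pow(g, m, p), p - 2, p)   # g^(-m) via Fermat's little theorem
    cur = h % p
    for i in range(m):
        if cur in baby:                # h * g^(-i*m) == g^j  =>  h == g^(i*m + j)
            return (i * m + baby[cur]) % n
        cur = cur * giant % p
    return None


def preimage_one_block(digest, g=G, p=P):
    m = discrete_log(digest, g, p)
    return m, hash_blocks([m], p, g) == digest


# 4. Homomorphism on a single block (Hopwood): hash(x+y) == hash(x) * hash(y).
def homomorphic(x, y, p=P, g=G):
    return hash_blocks([x + y], p, g) == hash_blocks([x], p, g) * hash_blocks([y], p, g) % p
```

The MAC forgery needs no knowledge of the key block at all: the attacker subtracts the known message's contribution and adds the new one, which is exactly the cancellation Hopwood describes.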


------------------------------

Date: Sun, 16 Jul 2000 14:57:44 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: unambiguous polynomial computation and crypto

=====BEGIN PGP SIGNED MESSAGE=====

David A Molnar wrote:

[snip description of UP and statement that one-way functions exist
iff P != UP]

Does a "one-way function" in this case have to be deterministic?

Definitions (feel free to suggest improvements):

  A "deterministic one-way function" is a function f : A -> B,
  where given a random b from the distribution [f(a) : a <- A] it is
  almost always hard to find a' in A such that f(a') = b.

  A "non-deterministic one-way function" is actually a pair of
  functions f : A x Coins -> B' and test : A x B' -> {0, 1}, where
    - for all coins in Coins, f(a, coins) = b' implies test(a, b') = 1,
    - for all a in A, given a random b' from [f(a, coins) : coins <- Coins],
      it is almost always hard to find a' in A such that test(a', b') = 1.

You can use the latter kind of function for many of the same things
as the former. I haven't seen proofs of this, but it wouldn't surprise
me if you could construct all of symmetric cryptography using non-
deterministic one-way functions. My question is whether the existence
of these functions is also dependent on P != UP.

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOXG+uDkCAxeYt5gVAQHdPwgAuUe6ZgqrNFq8B1mqri+hvVarqm9xjPV5
uSuGlXla0rs8goHfYIlYW8NJQbh0LJoPTm2WPCV6Ws7afr4Hou2B2jBRleesaxrh
wCJ4dpjnqeBTjzShfnEx9R73kFcOFTc5lAoBWRrAeIYSzMKc7kbemxGbmgAw3/94
kmqj1PzBN4fniLCrV8VDZdRjO6wykCNmQp8NMBhM4z8kgOL4ZzvBsf/ux+9gpmfY
N9Gc3U7nJmIYoUJyg6yzyg9WZSogXlqMaRpG74aTVEbLJzwuEeKTRSxyy3MoxlYF
c8hvI4tYWR5Kl3/OGFWvgTLv+IxGgVkHjqt7El1GA78reETNl5o6pQ==
=O+bS
=====END PGP SIGNATURE=====

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Announce: Catacomb 2.0.0pre6 now available
Date: 16 Jul 2000 20:17:07 GMT

I've just uploaded 2.0.0pre6 of my Catacomb library, which may be
downloaded from http://www.excessus.demon.co.uk/misc-hacks/#catacomb.

I've been busy.  The new version has Square, TEA, XTEA and Skipjack
ciphers, and Anderson and Biham's Tiger hash function.  It also has
Lim-Lee prime generation, and another big pile of bug fixes.

Catacomb is free software: you may modify and/or redistribute it under
the terms of the GNU Library General Public License.

-- [mdw]

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************