Cryptography-Digest Digest #238, Volume #12 Mon, 17 Jul 00 17:13:01 EDT
Contents:
Re: News about quantum computer (Bill Unruh)
Carnivore and Man-in-the-middle ([EMAIL PROTECTED])
Re: what is the symmetric algorithm for protection of classified info by gov
agencies ? ("~The Seventh Sign~")
Re: RC4-- repetition length? (Guy Macon)
Re: RC4-- repetition length? (Guy Macon)
Question Regarding Encrypting CD-ROM -RW Disks (omit these words com)
DOS vs DOS (was Re: SECURITY CLEAN...) _long_ ("Rick Braddam")
Re: Random numbers and online-gambling (Guy Macon)
NEW RULES? (SCOTT19U.ZIP_GUY)
Re: Comment on [Mixmaster] version 3. [Section 3.2] (Paul Koning)
Re: mirror bit !! (Guy Macon)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: News about quantum computer
Date: 17 Jul 2000 18:16:20 GMT
In <[EMAIL PROTECTED]> Mok-Kong Shen <[EMAIL PROTECTED]> writes:
>The German newspaper Computer Zeitung reported in its 13 July
>issue that a team consisting of US and German researchers
>has succeeded in synthesizing a molecule that can store 5 qubits,
>while the best previous result was 3 qubits.
??? I do not know what this means. The record is 7 bits for an NMR
system.
------------------------------
From: [EMAIL PROTECTED]
Subject: Carnivore and Man-in-the-middle
Date: 17 Jul 2000 17:34:48 GMT
As most of you already know, the FBI has announced its intention to
install the "Carnivore" packet-sniffing system in every ISP's data path,
such that all traffic passing through that ISP can be sniffed by some
Carnivore system. The stated purpose of this system is to snoop on the
contents of suspected criminals' emails when permitted by judicial
wiretap order.
Reading about it made me think about the "Man in the Middle" attack
against public key cryptosystems. In order for "Man in the Middle" to
work, the adversary must be able to intercept any communication between
any two users of the cryptosystem and replace that communication with
their own selected data.
If Carnivore is installed in every ISP, and if it were programmed to
operate in such a manner, then the FBI will be capable of reading any
communication between two users, but I am not certain whether or not it
would be capable of replacing communications as the Attack would require.
If it were installed "in-line" with the ISP's data connection, then
such substitution would be trivial, but I am not aware of information
yet released which describes Carnivore as an "in-line" system. If we
assume that Carnivore is implemented as a node in a broadcast bus (e.g.,
in an ethernet network) and thus is capable of reading traffic and of
generating traffic (assume arbitrary NIC addresses can be spoofed as
well), but not necessarily capable of preventing the physical link
layer from successfully transmitting any node's data to any other node,
then is it possible for Carnivore to successfully perform the Attack
against known implementations of public-key cryptosystems which use the
TCP/IP transport layer protocol?
For instance, would it be possible for the adversary to spoof a packet
from node-A to node-B which instructs node-B's network stack to discard
a TCP or IP datagram previously received by node-B from node-A, and then
provide a replacement datagram, all without node-A knowing about it?
Any input welcome.
-- TTK
------------------------------
From: "~The Seventh Sign~" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: Re: what is the symmetric algorithm for protection of classified info by gov
agencies ?
Date: Mon, 17 Jul 2000 13:33:20 -0500
the score for lost laptops is
MI5 = 2 known to be missing
US State department = 10 known to be missing
One of the two had one turn up in a pawn shop in the UK.
Others will not tell.
MI6 = D-note (classified)
NSA = it is a matter of national security (Classified)
<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Sat, 15 Jul 2000 00:59:06 -0600, Jerry Coffin <[EMAIL PROTECTED]>
> wrote:
>
> >In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> >says...
> >> FIPS 46-2, The Data Encryption Standard (DES), is the approved symmetric
> >> algorithm for protection of sensitive but unclassified information by
> >> government agencies.
> >>
> >> what is the symmetric algorithm for protection of classified info by gov
> >> agencies ?
> >
> >There is not simply one algorithm for protection of all classified
> >data, or anywhere close to it.
> >
> >About the only dependable source of specific information about a
> >specific encryption algorithm is going to be direct from the NSA
> >when/if they believe you need to know about it.
> >
> >If you want general information about how the NSA designs ciphers,
> >consider looking at SkipJack. Though _it's_ not approved for
> >classified data, I'd almost bet that they have similar ciphers that
> >are, adjusted (larger key, larger S-boxes, more rounds, etc.) to
> >provide the level of security they consider necessary.
>
> There have been some embarrassing stories in the past few months about
> laptop computers belonging to MI5 operatives being lost. IIRC none of
> the data on them was encrypted!
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: RC4-- repetition length?
Date: 14 Jul 2000 11:23:38 EDT
Andrew Carol wrote:
>
>
>In article <8kgp4i$[EMAIL PROTECTED]>, Guy Macon
><[EMAIL PROTECTED]> wrote:
>
>> If you use the implementation found at http://www.ciphersaber.gurus.com
>> (like I suggested in the last post) it won't repeat in your lifetime.
>
>It will behave EXACTLY the same as any other implementation. It's
>either RC4 or it's not. There's no room for differences.
Balderdash. RC4 is an algorithm, not an implementation. If I write
two implementations, one of which uses 7 bit ASCII for input and
output, and another which uses hexadecimal, the implementations will
give me different results when I try to encrypt a plaintext of
A28753B2087D23465C with a passphrase of AF5F97D0. Sure, if you jump
in the middle and see the input and output to/from the algorithm, it will
behave the same (or you made a programming error!), but the implementation
is more than just the implementation of the algorithm - it's the
implementation of the algorithm plus the I/O. In the case of ciphersaber,
the I/O section adds an initialization vector to your passphrase so that
you can use one passphrase again and again without the key repeating.
Yet no one doubts that ciphersaber is an implementation of arcfour.
(I say arcfour and not RC4 because you have no idea what the RC4 algorithm
is and neither do I.)
Have you actually read the webpage I suggested? If you aren't willing
to do that much basic research, I have a killfile slot saved for you.
http://www.ciphersaber.gurus.com
http://www.lodz.pdi.net/~eristic/free/ciphersaber.html
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: RC4-- repetition length?
Date: 14 Jul 2000 11:29:12 EDT
Scott Fluhrer wrote:
>
>
>
>Bill Unruh <[EMAIL PROTECTED]> wrote in message
>news:8kgev7$nse$[EMAIL PROTECTED]...
>> What is the repetition length of the RC4 cypher? Is it 256! (the number
>> of states of the matrix) or 256^2 256! (the number of states of the
>> matrix times the number of different states of the counters) or something
>> much less than these? Are any keys known to give a short rep length or
>> do all keys produce the same (ie a traversal over all possible
>> permutations)?
>
>The only serious analysis I know about this is in:
>
>S. Mister, S. Tavares, Cryptanalysis of RC4-like Ciphers, in the Workshop
>Record of the Workshop on Selected Areas in Cryptography (SAC '98), Aug.
>17-18, 1998, pp. 136-148.
For a quick overview analysis of the ciphersaber implementation, see:
A Cryptanalysis of CipherSaber-1
http://ciphersaber.gurus.com/cryptanalysis.html
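The two posts above turn on the distinction between the arcfour algorithm and the CipherSaber "I/O section" around it, and on how large the cipher's internal state is. The following is an added example, not code from the CipherSaber site or from anyone in this thread: a minimal arcfour keystream generator (the well-known RC4 key schedule and output loop) wrapped in the CipherSaber-1 framing the first post describes, where a 10-byte random IV is appended to the passphrase before key scheduling and transmitted in the clear ahead of the ciphertext. The demo values at the bottom are constructed; the hex strings are the standard published RC4 test vectors. RC4 is obsolete for real use and this is a teaching aid only.

```python
# Added example; not code from the CipherSaber site or from anyone in this
# thread. arcfour keystream + CipherSaber-1 framing (passphrase || 10-byte IV).
import math
import os

IV_LEN = 10  # CipherSaber-1 initialization vector length in bytes


def arcfour_keystream(key: bytes):
    """Yield keystream bytes: key scheduling (KSA) then output generation (PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:  # PRGA: the state is the permutation S plus the two counters i, j
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def arcfour_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts.
    This is the bare algorithm, with no I/O conventions around it."""
    return bytes(b ^ k for b, k in zip(data, arcfour_keystream(key)))


def ciphersaber_encrypt(passphrase: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """The CipherSaber-1 'I/O section': return iv || arcfour(passphrase || iv, plaintext).
    A fresh IV per message means one passphrase never yields the same keystream twice."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    if len(iv) != IV_LEN:
        raise ValueError("CipherSaber-1 IV must be exactly 10 bytes")
    return iv + arcfour_crypt(passphrase + iv, plaintext)


def ciphersaber_decrypt(passphrase: bytes, blob: bytes) -> bytes:
    """Split off the IV, rebuild the per-message key, and strip the keystream."""
    if len(blob) < IV_LEN:
        raise ValueError("message too short to carry an IV")
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    return arcfour_crypt(passphrase + iv, ciphertext)


def rc4_state_space_bits() -> float:
    """log2 of the PRGA state count: 256! permutations times 256^2 counter values.
    This bounds the cycle length from above; it is not the period of any given key."""
    return math.log2(math.factorial(256)) + 16


if __name__ == "__main__":
    # Constructed demo; the first line is the published RC4 test vector for key "Key".
    print(arcfour_crypt(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    msg = ciphersaber_encrypt(b"correct horse", b"same passphrase, fresh IV each time")
    print(msg.hex(), ciphersaber_decrypt(b"correct horse", msg))
    print(f"PRGA state space ~ 2^{rc4_state_space_bits():.0f}")
```

Encrypting the same plaintext twice under one passphrase produces two different outputs because the IV changes the scheduled key, which is exactly the repetition problem the I/O wrapper exists to avoid; the arcfour_crypt function itself is the part that "behaves exactly the same as any other implementation".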
------------------------------
From: Barrister9@aol.(omit these words) com
Subject: Question Regarding Encrypting CD-ROM -RW Disks
Reply-To: Barrister9@aol.(omitthesewords)com
Date: Mon, 17 Jul 2000 14:35:00 -0400
I have been using Puffer and Crypta-Pix, both of which use 160 bit
Blowfish to encrypt, as well as PGP to encrypt text and binary files
residing on either my hard drive, floppy diskettes or Zip diskettes.
I've now purchased an HP CD "burner" to use to store the same
materials in CD format. I use both read only CDs and the rewriteable
kind that can be used in much the same way that diskettes can be used,
that is to write, erase, rewrite, move data around, etc.
My question is, given the nature of CDs, which, I understand, is not a
magnetic medium, can these encryption programmes be used with them in
the same way that they can be with diskettes, etc? Are there any
problems in using these forms of encryption with CDs that are
different than with the older media? Is there anything different
about wiping these CDs with the above-mentioned, or other programmes?
Are there other issues with trying to retrieve wiped data than there
are with the magnetic media?
Thank you for your assistance.
Larry
------------------------------
From: "Rick Braddam" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: DOS vs DOS (was Re: SECURITY CLEAN...) _long_
Date: Mon, 17 Jul 2000 13:49:29 -0500
Reply-To: "Rick Braddam" <[EMAIL PROTECTED]>
"Chem-R-Us" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Fafnir wrote:
> >
> > Yeah, but some of us need an os that can actually get things done.
>
> Obviously you know little about operating systems.
That's not obvious from what Fafnir said. Do you get a lot of exercise by
jumping to conclusions like that?
> Linux workstations are every bit as capable as any other workstation,
> more so than a gatesware toy-station!
At first I thought you were talking about hardware here, since you said
workstations. Then I remembered that many Linux workstations are the exact
same hardware that "gatesware" (Win95 & Win98) runs on. So you must be
talking about software. Linux and Win98?
Well, if Linux was every bit as capable as Win98, then I wouldn't have had
any problems writing CDs with my CD-RW drive after installing Red Hat 6.0
on my machine. I guess I didn't really have a problem... all I had to do
was shut down Linux and use LILO to reboot under Win98, then double-click
on the Easy CD Creator icon. Then I could write CDs all day long. Why did
I have to do that? No Linux program or driver was available for my CD-RW
drive, from anywhere. Why didn't I write my own driver or program to run
my CD-RW drive? Why should I, I already had a commercial quality program
that could "get things done", just one of tens of thousands of
applications which run on the PC platform under Windows.
My subject line? I really get a kick out of how *nix and Linux fans
compare their operating systems to Win9x. They just don't seem to have a
clue. Win9x may extend and add functionality to the underlying operating
system, but they are _not_ the operating system. If they were, there
wouldn't be a "boot to DOS" option, and you couldn't boot a Win9x system
up to just before the point where Windows loads and stop there with a
command interpreter running. Good old command.com. Running under DOS 7.0.
They did change the version string for Win98 so that DOS identifies itself
as Windows 98, but it's still DOS running command.com. And Windows is a
Graphical User Interface _application_ which uses DOS services.
The *nixes and Linux are just DOSes running csh or bash or whatever other
command shell you like. In spite of their insistence on redefining a
"real" OS as requiring it to be multi-user, an OS is just a program which
operates and controls hardware devices that are attached to or part of the
computer system, and providing services to applications so the
applications can use those devices. Multi-user is a _type_ of OS, not a
requirement for an OS to be a "real" OS, just like Tape Operating System
(TOS) and Disk Operating System (DOS) are types of OSes.
So if the *nix and Linux command-line fanatics want to compare OSes, they
would be more fair and honest if they compared to MS-DOS 7. Then I'd have
to agree that theirs is superior. They still won't run Win98's GUI
natively, though, so they are useless to me. Their GUIs also won't run
Win98 applications natively, so they are still useless to me, and millions
of other computer system users.
Technical superiority doesn't cut it by itself. In my opinion, OS/2 Warp
is still technically superior to Win98 (and NT/2K ??), but how many _new_
software titles for it do you see at your local computer store? Without
the software, it can't "actually get things done". If someone would write
30 or 40 thousand device drivers for it, and port 40 or 50 major apps to
it, it would probably take the market away from Windows. But it ain't
gonna happen.
My Linux 6.0 installation? I deleted all the files, deleted the
partitions, then added VFat32 partitions for Win98. I had booted the
system up under Linux 10 or 15 times without any problems (over a period
of several days). Then I brought the system up and started Gnome, browsed
around some, then shut down, several times -- again with no problems. I
decided to have Gnome autostart. After all, I wanted a windowing system,
not a command line system. The fifth or sixth time I brought the system up
with Gnome autostarting, it came up with a multi-colored confetti display.
No indication why, just did it. I shut the system off, rebooted, and got
the same thing again. I went digging into the book that came with the CD
and figured out how to boot the system up to a command prompt and logged
in as root. I spent hours looking through man files, info files, and
configuration files for anything which might help correct the problem, and
never found anything that worked. I didn't (and don't) have time for that,
so I removed Linux. Maybe someday I'll try it again, but I doubt it.
I'll stick with my gatesware toy-station for the time being. It does
everything I want it to and a whole lot more. Bloated software? So what.
I've got a 12.7 Gig drive in my machine now, and Gateway is advertising:
11. Seagate® 15.3GB Barracuda™ Hard Drive
$102.95 after $20 instant rebate (reg. price $122.95)
that I could add right in without any hassles.
Sorry this is so long, and I don't mean to rant. If I've written anything
which can be considered derogatory to Linux or Linux users, I apologize
for it now. Such is not my intention. I agree that Linux is an excellent
OS with features (that Windows doesn't have) that are absolutely essential
in some situations. I don't agree that every user of a computer requires
those features at this time. Apparently even Gates & Co. agrees that those
features will be required in the future, since they've stated that Win98
will not be developed further and Win2K is the next Windows. Based on NT
instead of DOS 7, Win2K should be much harder to hack than Win98 is.
This is a lot for my $.02 worth (and maybe overpriced at that).
Rick
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Random numbers and online-gambling
Date: 15 Jul 2000 02:16:26 EDT
John Savard wrote:
>
>
>On Thu, 13 Jul 2000 15:30:02 GMT, [EMAIL PROTECTED] wrote,
>in part:
>
>>Some weeks ago I found a web-page containing
>>an analysis of an online-poker system. There
>>was described how the shuffling of the cards
>>was done and why the chosen approach was not
>>appropriate for online-gambling.
>
>A news story appeared in the local newspapers about a week ago. An
>Edmonton man had discovered a flaw in electronic slot machines.
>
>Instead of using it to rip them off, he notified Alberta gaming
>authorities.
>
>Yet, he is still facing a $15 million lawsuit from the slot machine
>manufacturer.
>
>This, of course, has significant implications for "white hat" hacking.
I am an admitted Ethical Hacker, but AFAICT nobody has been able to link
my other identity with this one, which is my real name. He should have
used anonymity to notify the authorities.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: talk.politics.crypto
Subject: NEW RULES?
Date: 17 Jul 2000 19:42:59 GMT
Does anyone know what the new rules mean for those of us
interested in putting our own encryption on the net for
free? Or is it the same old Clinton shit in a new bag?
What does this crap about no licences but a
commodity classification request being necessary mean?
See http://www.nbnn.com/pubNews/00/152220.html
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website NOT FOR WIMPS **no JavaScript allowed**
http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page WIMPS allowed ** JavaScript OK**
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMMERS***
I leave you with this final thought from President Bill Clinton:
"The road to tyranny, we must never forget, begins with the destruction
of the truth."
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Comment on [Mixmaster] version 3. [Section 3.2]
Date: Mon, 17 Jul 2000 15:26:55 -0400
Pete Chown wrote:
>
> Sorry about the late followup to this post -- I just thought of
> something.
>
> I wonder if it would be worth adding transport layer encryption to the
> communication between two Mixmasters. Suppose that the black hats were
> recording all communications going in and out of all Mixmasters.
> Subsequently they obtain the Mixmasters' private keys. Exactly how is
> immaterial; say burglary for the sake of argument.
>
> It would be nice if this did not allow them to decrypt all the
> intercepted traffic. We could add forward secrecy to the Mixmaster
> protocol by passing the messages (encrypted the same as now) over TLS.
> (Not all TLS cipher suites provide forward secrecy, but we could insist
> on, for example TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.)
Very good idea.
Another way to do this is by running IPsec tunnels between the
Mixmasters, and shipping the application traffic over those.
Rekey reasonably frequently (hourly perhaps) with PFS enabled,
and you'd be in good shape.
paul
--
!-----------------------------------------------------------------------
! Paul Koning, NI1D, D-20853
! Lucent Corporation, 50 Nagog Park, Acton, MA 01720, USA
! phone: +1 978 263 0060 ext 115, fax: +1 978 263 8386
! email: [EMAIL PROTECTED]
! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75
!-----------------------------------------------------------------------
! "A system of licensing and registration is the perfect device to deny
! gun ownership to the bourgeoisie."
! -- Vladimir Ilyich Lenin
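The property the exchange above is after is that a recording of past traffic stays unreadable even if a node's long-term private key is later stolen, which in TLS depends on the key-exchange half of the cipher suite, not the bulk cipher. As an added example (not code from the Mixmaster project or from anyone in this thread), the block below classifies IANA-style TLS_... suite names by whether their key exchange is ephemeral and authenticated, and builds a Python ssl context restricted to such suites using OpenSSL's cipher-string syntax. The suite lists are constructed for the demo.

```python
# Added example; not code from the Mixmaster project or anyone in this thread.
# Forward secrecy comes from an ephemeral (EC)DHE key exchange signed by the
# long-term key; static RSA key transport (TLS_RSA_...) has none.
import ssl


def key_exchange(suite: str) -> tuple:
    """Return (ephemeral, authenticated) for an IANA-style cipher suite name."""
    parts = suite.upper().split("_")
    if len(parts) < 3 or parts[0] != "TLS" or "SCSV" in parts:
        raise ValueError(f"not a TLS cipher suite name: {suite}")
    if "WITH" not in parts:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256, ...) carry no key-exchange token:
        # TLS 1.3 always runs ephemeral (EC)DHE inside a signed handshake.
        return True, True
    kx, auth = parts[1], parts[2]
    if kx in ("DHE", "ECDHE"):
        return True, True          # ephemeral DH, signed by the long-term key
    if kx in ("DH", "ECDH"):
        anon = auth == "ANON"
        return anon, not anon      # static DH cert: not ephemeral; anon DH: unauthenticated
    return False, True             # RSA key transport, PSK, SRP, KRB5: no ephemeral exchange


def has_forward_secrecy(suite: str) -> bool:
    """True when a later theft of the long-term key does not expose recorded sessions."""
    return key_exchange(suite)[0]


def select_suites(suites) -> list:
    """Keep suites that are both forward secret and authenticated; anonymous DH
    resists later key theft but not an active man in the middle."""
    return [s for s in suites if key_exchange(s) == (True, True)]


def forward_secret_context() -> ssl.SSLContext:
    """Server context that offers only (EC)DHE suites (OpenSSL cipher-string syntax)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def context_is_forward_secret(ctx: ssl.SSLContext) -> bool:
    """Audit every suite the context will offer. get_ciphers() reports the key
    exchange as 'kx-ecdhe', 'kx-dhe', 'kx-rsa', ..., and 'kx-any' for TLS 1.3 suites."""
    return all(c.get("kea") in ("kx-ecdhe", "kx-dhe", "kx-any") for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed list: the suite named in the post plus a few others for contrast.
    for s in ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]:
        print(f"{s:45} forward secrecy: {has_forward_secrecy(s)}")
    print("context OK:", context_is_forward_secret(forward_secret_context()))
```

The suite quoted in the post, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, classifies as forward secret because of its DHE key exchange; a present-day deployment would keep that property while swapping the 64-bit-block 3DES for AES-GCM or ChaCha20, which the ssl context above does. The IPsec variant of the same idea is IKE with PFS, where each rekey runs a fresh DH exchange instead of deriving from the previous keys.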
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: mirror bit !!
Date: 16 Jul 2000 19:27:05 EDT
[EMAIL PROTECTED] wrote:
>
>
>
>
>hello
>
>Mok-Kong Shen say
>
>(2) Mirroring. This also has levels similar to swapping. At the first
>level, the bits of the word referenced are exchanged by mirroring about
>the central axis. At the second level, the mirroring is done separately
>on each half of the word. Analogously for the higher levels.
>
>could you give me some example please with 32 bit number !!!
>
(The 2nd example is backwards in binary)
)yranib ni sdrawkcab si elpmaxe dn2 ehT(
0001 0010 0011 0100 0101 0110 0111 1000 bin = 12345678 hex = 305,419,896 dec
|
0001 1110 0110 1010 0010 1100 0100 1000 bin = 1E6A2C48 hex = 510,274,632 dec
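The reply shows only the first level (the whole 32-bit word reversed). As an added example, not code from anyone in this thread, the block below implements the mirroring levels as the quoted text defines them: level 1 reverses the whole word, level 2 reverses each 16-bit half in place, level 3 each byte, and so on down to level 6, where the blocks are single bits and the operation does nothing. It also reproduces the post's output format so the result can be checked against the two lines above; the input value 12345678 hex is the one used in the post.

```python
# Added example; not code from anyone in this thread. Mirroring of a 32-bit
# word at levels 1..6: split into 2**(level-1) equal blocks and reverse the
# bits inside each block, keeping the blocks where they are.
WIDTH = 32


def reverse_bits(x: int, width: int) -> int:
    """Reverse the low `width` bits of x."""
    r = 0
    for _ in range(width):
        r = (r << 1) | (x & 1)
        x >>= 1
    return r


def mirror(word: int, level: int, width: int = WIDTH) -> int:
    """Mirror `word` at `level`. Level 1 = one block of `width` bits (full
    reversal); each further level halves the block size. Applying the same
    level twice returns the original word."""
    if level < 1:
        raise ValueError("level must be >= 1")
    if not 0 <= word < (1 << width):
        raise ValueError("word does not fit in the given width")
    blocks = 1 << (level - 1)
    if blocks > width or width % blocks:
        raise ValueError("level out of range for this width")
    size = width // blocks
    mask = (1 << size) - 1
    out = 0
    for k in range(blocks):
        shift = k * size
        out |= reverse_bits((word >> shift) & mask, size) << shift
    return out


def show(word: int) -> str:
    """Format like the post: binary in nibbles, then hex and decimal."""
    bits = f"{word:0{WIDTH}b}"
    groups = " ".join(bits[i:i + 4] for i in range(0, WIDTH, 4))
    return f"{groups} bin = {word:0{WIDTH // 4}X} hex = {word:,d} dec"


if __name__ == "__main__":
    x = 0x12345678  # the value from the post
    print("input  :", show(x))
    for level in range(1, 7):
        print(f"level {level}:", show(mirror(x, level)))
```

Level 1 on 12345678 hex gives 1E6A2C48 hex, matching the reply; level 2 gives 2C481E6A hex (each half reversed, halves not swapped), and level 6 returns the input unchanged. Because every level is its own inverse, the same function serves for both directions of the transformation.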
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************