Cryptography-Digest Digest #283, Volume #12      Tue, 25 Jul 00 02:13:00 EDT

Contents:
  RE: Signed Data ("Kevin Crosbie")
  Re: Q: Cascading multiple block algorithms (Bryan Olson)
  Re: VCR+ ("Helpful")
  Re: books by W. F Friedman ("John A. Malley")
  Re: Hash function? (Boris Kazak)
  Database encryption ("Kevin Crosbie")
  Re: Hash function? (Boris Kazak)
  Re: Proving continued possession of a file (Andru Luvisi)
  Re: Another cipher, ready to be shot down. (Boris Kazak)
  Re: Another cipher, ready to be shot down. (David A. Wagner)
  Cryptonomicon ref (Jason Kanter)
  Re: Cryptonomicon ref ("Jeff Moser")
  testing post ("hotline")
  Playing with an 8 bit cipher. (Mack)

----------------------------------------------------------------------------

From: "Kevin Crosbie" <[EMAIL PROTECTED]>
Subject: RE: Signed Data
Date: 24 Jul 2000 21:41:25 EDT

I have been trying to use that code, and I'm getting the error code
: -2146893802 Keyset Does Not Exist.   I thought it was a permission
problem, so I have set the keys stored in the registry under
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineKeys\     all with
FULL CONTROL for every user.   The problem still occurs.

Sorry to be bringing up problems like these, but I have never used VB or
VBScript before.

Any ideas?

Cheers,

Kevin



"Hans Husman" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> >Från: Kevin Crosbie [mailto:[EMAIL PROTECTED]]
> >
> >
> >Till: [EMAIL PROTECTED]
> >
> >Ämne: Re: Signed Data
> >
> >
> >Does that need to come down as a signed CAB?
>
>  No. The Microsoft CryptoAPI is installed on all
>  Windows 95/98 OSR2, Windows 98, Windows NT > 4.0,
>  Windows 2000 and all that has Internet Explorer
>  4.0 or later installed.
>
> >Signtext also needs to access the Public and Private exponents of the
> >X509Certificate.   Can VBScript do this?
>
>  Yes. Internet Explorer makes use of a keystore
>  created and used by the Microsoft CryptoAPI. You should
>  be able to access this store just as any other store
>  through the CryptoAPI. However I don't remember the name
>  of the store.
>
>  As an example of how to use the CryptoAPI you can look
>  at the following simple example I wrote as answer for a
>  similar question. The example written in Visual Basic
>  creates a message digest. To create a signature you
>  would also want to call:
>
>  BOOL WINAPI CryptSignHash(
>      HCRYPTHASH hHash,     // in
>    DWORD dwKeySpec,      // in
>    LPCTSTR sDescription, // in
>    DWORD dwFlags,        // in
>    BYTE *pbSignature,    // out
>    DWORD *pdwSigLen      // in/out
>  );
>
>
>
> Option Explicit
>
> ' The CSP we use.
> ' (Reviewer note: this string literal appears wrapped over two lines
> '  here, presumably by the mail client; in VB it must sit on one line.)
> Private Const SERVICE_PROVIDER As String = "Microsoft Base Cryptographic
> Provider v1.0"
>
> ' Key module.
> ' (Reviewer note: declared but not used -- testMD5 below passes a
> '  literal "" as the container name instead of this constant.)
> Private Const KEY_CONTAINER As String = ""
>
> ' Full RSA.
> ' Provider type passed to CryptAcquireContext.
> Private Const PROV_RSA_FULL As Long = 1
>
> ' Other stuff.
> ' Only CALG_MD5 and HP_HASHVAL are used by testMD5; the RC4 / key-exchange
> ' constants are left over for the (not shown) symmetric-key example.
> Private Const CALG_RC4 As Long = 26625
> Private Const AT_KEYEXCHANGE As Long = 1
> Private Const SIMPLEBLOB As Long = 1
> Private Const RC4KeyLen As Long = 2621440 '8388608
> Private Const CALG_MD5 As Long = 32771
> Private Const HP_HASHVAL As Long = 2
>
> ' ----------------------------------------------------------------
> ' Functions we need.
> ' ----------------------------------------------------------------
>
> ' CryptoAPI entry points from advapi32.dll.  Each returns nonzero on
> ' success and 0 on failure (testMD5 tests every call for = 0).  Handles
> ' (HCRYPTPROV / HCRYPTHASH) are carried as Long.
> ' Only the explicitly "A"-suffixed (ANSI) variant of CryptAcquireContext
> ' exists; the remaining functions have a single entry point.
> Private Declare Function CryptAcquireContext Lib "advapi32.dll" _
>     Alias "CryptAcquireContextA" _
>     (ByRef phProv As Long, ByVal pszContainer As String, _
>     ByVal pszProvider As String, ByVal dwProvType As Long, _
>     ByVal dwFlags As Long) As Long
>
> ' Releases a provider handle obtained from CryptAcquireContext.
> Private Declare Function CryptReleaseContext Lib "advapi32.dll" _
>     (ByVal hProv As Long, _
>     ByVal dwFlags As Long) As Long
>
> ' Creates a hash object for algorithm algid; hKey is 0 for an unkeyed
> ' hash such as MD5, and the new handle comes back through phHash.
> Private Declare Function CryptCreateHash Lib "advapi32.dll" _
>     (ByVal hProv As Long, _
>     ByVal algid As Long, _
>     ByVal hKey As Long, _
>     ByVal dwFlags As Long, _
>     ByRef phHash As Long) As Long
>
> ' Feeds dwDataLen bytes of phData into the hash object.
> ' Reviewer note: a ByVal String handed to a Declare is marshalled as an
> ' ANSI copy, so the bytes hashed are the ANSI form of the VB string, not
> ' its internal Unicode; characters outside the current code page are
> ' converted lossily.  Hash a Byte array instead if that matters.
> Private Declare Function CryptHashData Lib "advapi32.dll" _
>     (ByVal hHash As Long, _
>     ByVal phData As String, _
>     ByVal dwDataLen As Long, _
>     ByVal dwFlags As Long) As Long
>
> ' Reads a hash property (HP_HASHVAL = the finished digest) into the
> ' caller's buffer.  phData is "ByRef ... As Any" so the caller can pass
> ' the first element of a Byte array and have the digest written in place;
> ' pdwDataLen is the buffer size on input and the bytes written on output.
> Private Declare Function CryptGetHashParam Lib "advapi32.dll" _
>     (ByVal hHash As Long, _
>     ByVal dwParam As Long, _
>     ByRef phData As Any, _
>     ByRef pdwDataLen As Long, _
>     ByVal dwFlags As Long) As Long
>
> ' Frees a hash object created by CryptCreateHash.
> Private Declare Function CryptDestroyHash Lib "advapi32.dll" _
>     (ByVal hHash As Long) As Long
>
>
> Public Function testMD5(ByRef data As String, ByRef phData() As Byte) As
> Boolean
>     ' Computes the MD5 digest of data through the Microsoft CryptoAPI and
>     ' stores the 16 raw digest bytes in phData(0) .. phData(15).
>     ' Returns True on success, False if any CryptoAPI call fails or a VB
>     ' runtime error occurs; the hash and provider handles are released on
>     ' both paths.
>     ' Note phData need to have the length of 16.
>     ' NOTE(review): nothing here checks UBound(phData).  CryptGetHashParam
>     ' below writes hashlen (16) bytes starting at phData(0), so an array
>     ' shorter than 16 is overrun; size it before calling.
>     ' NOTE(review): MD5 is not collision-resistant.  It is acceptable as
>     ' an integrity checksum, but if this digest is what gets handed to
>     ' CryptSignHash for a signature, use a stronger hash algorithm.
>     On Error GoTo errorhandler
>
>     Dim hash As Long        ' HCRYPTHASH; 0 until CryptCreateHash succeeds
>     Dim hashlen As Long     ' in: size of phData; out: bytes written
>     Dim hCryptProv As Long  ' HCRYPTPROV; 0 until CryptAcquireContext succeeds
>
>     ' MD5 digest length in bytes.
>     hashlen = 16
>
>     ' Every CryptoAPI call returns 0 on failure and jumps to the shared
>     ' cleanup label.  The container name passed here is a literal "", not
>     ' KEY_CONTAINER.  With dwFlags = 0 this opens an existing key
>     ' container; hashing needs no private key, so for this use
>     ' CRYPT_VERIFYCONTEXT avoids depending on a keyset being present at
>     ' all (a missing one surfaces as NTE_BAD_KEYSET, "Keyset does not
>     ' exist").
>     If CryptAcquireContext(hCryptProv, "", SERVICE_PROVIDER, _
>                            PROV_RSA_FULL, 0) = 0 Then
>         GoTo errorhandler
>     End If
>
>     ' Unkeyed MD5 hash object (hKey = 0).
>     If CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, hash) = 0 Then
>         GoTo errorhandler
>     End If
>
>     ' data is marshalled to the DLL as an ANSI string; Len(data) is the
>     ' character count, which equals the byte count only for characters in
>     ' the current ANSI code page -- see the CryptHashData declaration.
>     If CryptHashData(hash, data, Len(data), 0) = 0 Then
>         GoTo errorhandler
>     End If
>
>     ' Copies the finished digest into the caller's array; passing
>     ' phData(0) ByRef gives the DLL the array's base address.
>     If CryptGetHashParam(hash, HP_HASHVAL, phData(0), hashlen, 0) = 0 Then
>         GoTo errorhandler
>     End If
>
>     ' Normal path: release in reverse order of acquisition.
>     If (hash <> 0) Then
>         CryptDestroyHash (hash)
>     End If
>
>     If (hCryptProv <> 0) Then
>         CryptReleaseContext hCryptProv, 0
>     End If
>
>     testMD5 = True
>
>     Exit Function
>
> errorhandler:
>
>     ' Failure path: a handle still at 0 was never acquired and is skipped,
>     ' so this is safe whichever call failed.
>     If (hash <> 0) Then
>         CryptDestroyHash (hash)
>     End If
>
>     If (hCryptProv <> 0) Then
>         CryptReleaseContext hCryptProv, 0
>     End If
>
>     testMD5 = False
>
> End Function
>
>
>
>
>
> --------------------------------------------------------------------------
--
> ---------
>
> Hans Husman
>
> Security Specialist
>
> Mynta Management & IT AB
>
> [EMAIL PROTECTED]
>
> http://www.mynta.se
>
> --------------------------------------------------------------------------
--
> ---------
>
> Prenumerera på något av Myntas nyhetsbrev!
>
> Mynt@. Ett nyhetsbrev från en elektronisk affärsvärld.
>
> Säker med Mynta. En elektronisk tidning om datasäkerhet.
>
> Skicka ett mail till [EMAIL PROTECTED] och ange vilket nyhetsbrev du vill
ha.
>
> --------------------------------------------------------------------------
--
> ---------
>
>
>
>





------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Q: Cascading multiple block algorithms
Date: Tue, 25 Jul 2000 01:44:05 GMT

Mok-Kong Shen wrote:

> Many thanks for providing certain explanations. But at this point I
> still have a question: If the system does not directly allow the
> opponent to choose plaintext (to the cascade, i.e. input to the first
> algorithm), then he has even less opportunity to exert influence on
> what the second algorithm gets as input.

The point is that it is possible that the attack does not
work given the original plaintext distribution, but does
given the distribution induced by the interposed cipher.
The attacker no longer needs to choose plaintext, because
the cipher has given him the plaintext he needs.


--Bryan
--
email: bolson at certicom dot com


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Helpful" <[EMAIL PROTECTED]>
Crossposted-To: alt.video.vcr,alt.2600
Subject: Re: VCR+
Date: Tue, 25 Jul 2000 02:11:47 GMT

Or go directly to the actual URL:

http://www.winternet.com/~gginc/java/vcr1.html

When using ASKJEEVES you can get the real URL by hitting the
'Remove Frame' button at the top of the frame, just below the
advertising bar.

- H


Bob Kow wrote in message ...
>If you can copy/paste this entire URL, you can find a calculator for what
>you want.  If you have a problem with that, just log on to      www.ask.com
>which is ASKJEEVES and ask the question there.  That's how I got it.
>
>http://www.ask.com/main/metaAnswer.asp?metaEngine=directhit&origin=0&MetaUR
L
>=http://www.winternet.com/~gginc/java/vcr1.html&qcategory=sci_&metaTopic=G&;
G
>+Inc's+VcrPlus(TM)+Pluscode+Java+Page&ItemOrdinal=0&logQID=A41E9F19E054D411
A
>7AF009027737F04
>=======================================================================
>
>(<[EMAIL PROTECTED]> wrote in message news:8l4hsn$qb3$[EMAIL PROTECTED]...
>> Is there any publicly available software tool that can generate the
>> VCR+ code?
>>
>> Bon.
>>
>>
>> Sent via Deja.com http://www.deja.com/
>> Before you buy.
>
>



------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: books by W. F Friedman
Date: Mon, 24 Jul 2000 19:30:07 -0700


Charles Blair wrote:
> 
>    I've gotten a catalogue from Aegan Park Press, including several
> books by Friedman.  These include 4 volumes called ``Military Cryptanalysis''
> and another series ``Military Cryptanalytics,'' by Friedman and
> Callimahos.
> 
>    Could somebody familiar with these comment on the amount of overlap,
> and also whether more recent works (e.g., the ``Decrypted Secrets''
> book by Bauer) contain equivalent material?

This came up in a thread back in May of this year. 
Douglas Gwyn posted:

"Much of Military Cryptanalytics (Callimahos & Friedman) is an updated
and extended version of Military Cryptanalysis (Friedman only).
(MilCryp Part III contains all new material, basically reprinted from
the NSA Technical Journal, but it's not available to the public.)  If
one were to buy just one set, therefore, I'd recommend the Callimahos
series.  Start with Part I, Vol. I & II, if you can't afford to buy
the whole set at once, and when you have mastered that buy Part II
(both volumes)."

I bought the Military Cryptanalysis series and am (still) working
through ALL of the examples. I'd say it was worth it.  The Military
Cryptanalytics series is next on my list. 

I recommend Bauer's book  (I think the second edition just came out,
too) as an overview of the subject.  There are no exercises, no examples
to work. Get the Military Cryptanalytics series if you want to try
cryptanalysis first hand and get a feel for the thrill of cracking
ciphers.  

John A. Malley
[EMAIL PROTECTED]

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Hash function?
Date: Tue, 25 Jul 2000 02:36:05 GMT

Scott Fluhrer wrote:
> 
> I found a bug in my code that printed out the colliding messages -- they
> were both 61749 bytes long, my print routine only printed the first 16
> bytes.
> 
> Also, could you publish a reference implementation?  Preferably in C?  I
> went through your description again, and my implementation looks like it
> does exactly that.  One ambiguity I did notice was that, when you "split
> _product_ into 4 bytes from prod[0] to prod[3]", you didn't specify how to
> do this.  I assumed you used bigendian ordering, that is prod[0] is the most
> significant byte -- you used bigendian ordering everywhere else.
> 
> If you assume little-endian ordering there, I found a pair of colliding
> messages 132742 bytes long.  If you are using little-endian ordering, I'll
> send them to you.
> 
> And, once I have the word on what the ordering is, I'll see if I can find a
> shorter pair of colliding messages.
>    ******************
> > existing difference will show up when you will concatenate buffer[0]
> > and buffer[1] to make a new multiplier. As a result, 3 more bytes to the
> > right will be affected, and this difference will persist in the buffer.
     *****************
> You misunderstood my approach: I chose a byte that makes up for the
> difference in buffer[0] before the rotate, and so that buffer[15] always has
> zero differential (after the first byte, where I didn't bother tracking the
> differential).  Since buffer[15] always has zero differential (after the
> first step), buffer[3] through buffer[14] always has zero differential after
> startup.
> 
> And, I'm not trying to explicitly make the difference not persist -- I'm
> keeping it localized, and hoping it acts like a random function on 24 bits.
> 
> If you print out the internal buffers, you should see that, after all 16
> bytes, that buffer[3] through buffer[15] was a zero differential -- if it
> doesn't, the approach is wrong (or I took the wrong ambiguity mentioned
> above).
> 
> >    3) I am going to introduce printf() into my implementation and
> > illustrate what happens in course of your attack, with all intermediate
> > buffer contents, multiplicands, products, etc. This will take me an
> > evening or two.
> >    4) Thank you for naming the algorithm.
> Seemed appropriate...
> 
> --
> poncho
    ***************
Yes, on the first reading I misunderstood your approach, now everything 
is clear. The idea occurred in my head as well that 16-bit multiplicand 
yielding 32-bit product might be kind of short. Essentially what you 
demonstrated was a random chance of difference turning equal to 0.
   The ordering is big-endian, and probably you overestimate when you 
talk about random function on 24 bits. It is more like 16 bits in this
situation, since the MSB is already shifted out, the new MSB is 
compensated with the correct choice of input, so 16 bits remain for 
randomness. The 2 message lengths are right on target.
   So what next? The reference implementation does not make much sense 
in view of this weakness, and BTW, there is all probability that your
implementation does the right thing.
   Basically there are some ideas of how to improve the behavior of this
baby. First, increase the size of the multiplier to 32 or even 64 bits.
That will immediately improve the diffusion and make the randomness play
not on 16 bits, but on a far larger scale. Second, improve the confusion
in the MSB, make the problem of finding a suitable alternative entry 
computationally hard (I still have no definite idea, how to implement
this, may be a couple of PHT's with the neighboring bytes will help).
And then, maybe, simply change the direction of the rotate?
   Anyway, I promise to be back (not very soon, job and family
permitting).

Best wishes            BNK

------------------------------

From: "Kevin Crosbie" <[EMAIL PROTECTED]>
Subject: Database encryption
Date: 24 Jul 2000 22:41:15 EDT

Has anyone got any ideas on this:

I need to secure data inside an oracle database.   The data can be
manipulated (encrypted) before entry, and can then be decrypted on access.

Basically I don't want to need to store a secret key on the system that
someone can get access to and see all of the sensitive data.   I also need
this to be quite fast.

Every way I look, I see that there is a single system secret which will be
the hole in the system.

My system takes in requests which I must store, in encrypted form.   Hashing
is useless, because I still need the data afterwards.

Is a hardware solution the only real secure solution?  or is there a
protocol out there which would solve what I'm trying to do?

Regards,

Kevin





------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Hash function?
Date: Tue, 25 Jul 2000 02:41:43 GMT

Sander Vesik wrote:
> 
> Boris Kazak,
> 
> Why don't you just post the code somewhere on the web and send in an URL?
> 
>         Sander
> 
> FLW: "I can banish that demon"
====================
First, after Scott Fluhrer's analysis it does not make much sense.
He showed a definite weakness, which must be taken care of.
Second, I do not have a Web site, however, I promise to post the
code after correcting the above mentioned weakness.

Best wishes           BNK

------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Proving continued possession of a file
Date: 24 Jul 2000 19:44:47 -0700

Here's an idea:

Define Gen(n,b,i) = b + n*i.  Pick primes p and q.  Let n = p*q.

When alice gets the file, she breaks it up into blocks of some size,
and numbers them x_1 through x_m.

She computes: summary = (x_1^Gen(1, b, i)) * (x_2^Gen(2, b, i)) * ... mod n

She saves p, q, n, b, i, and summary in quick-access memory (hard
drive?) and puts the file away on a tape.

When she wishes to confirm that Bob still has the file, she generates
a random value, r.  She sends Bob:
  b*r mod (p-1)*(q-1)
  i*r mod (p-1)*(q-1)
  n

Bob computes, and sends to Alice:
   (x_1^Gen(1, b*r, i*r)) * (x_2^Gen(2, b*r, i*r)) * ... mod n

Alice raises this result to r^-1 mod (p-1)*(q-1) and verifies that it
matches the saved summary value.

Will this work?

Andru
-- 
Andru Luvisi, Programmer/Analyst

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Another cipher, ready to be shot down.
Date: Tue, 25 Jul 2000 03:04:34 GMT

Scott Fluhrer wrote:
> 
> > Take a look at www.dimension.h3o.org/~pabalo/SC3.pdf
> That doesn't appear to be available...
> 
> --
> poncho

====================
Try <http://dimension.h3o.org/~pabalo/SC3.pdf> without www

Best wishes           BNK

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Another cipher, ready to be shot down.
Date: 24 Jul 2000 20:42:31 -0700

Simon Johnson  <[EMAIL PROTECTED]> wrote:
> Take a look at www.dimension.h3o.org/~pabalo/SC3.pdf

This has a complementation property.  I think we can say it is insecure.

Flip the high bit of R_2 in the plaintext, and the high bit of R_2
in the ciphertext will be flipped (and everything else left unchanged).

In other words, the ciphertext leaks one bit of information on each plaintext.
Not such a great property.


By the way, your algorithm description is lacking.  It doesn't provide
enough information to implement your cipher: are you using big-endian or
little-endian notation?  is R_0 the high-order or low-order byte of the
half of the plaintext? etc.

Also, in the future it would be a good idea to do some analysis of your
own first, before posting any further ciphers.  Does it resist differential
attack?  Does it resist linear attacks?  Etc.  If you'd done that here, you
would have discovered the flaw very quickly.

------------------------------

From: Jason Kanter <[EMAIL PROTECTED]>
Subject: Cryptonomicon ref
Date: Mon, 24 Jul 2000 21:16:48 -0700

Greetings. Many of you must have read Cryptonomicon. Can anyone give me the
page number of the discussion of how to eat Cap'n Crunch cereal? Thanks, and
apologies for this strange question.


------------------------------

From: "Jeff Moser" <[EMAIL PROTECTED]>
Subject: Re: Cryptonomicon ref
Date: Mon, 24 Jul 2000 23:42:36 -0500

> Greetings. Many of you must have read Cryptonomicon. Can anyone give me
the
> page number of the discussion of how to eat Cap'n Crunch cereal? Thanks,
and
> apologies for this strange question.
p477


------------------------------

From: "hotline" <[EMAIL PROTECTED]>
Subject: testing post
Date: Tue, 25 Jul 2000 15:08:33 +1000

hi, this is a test posting



------------------------------

From: [EMAIL PROTECTED] (Mack)
Date: 25 Jul 2000 05:13:36 GMT
Subject: Playing with an 8 bit cipher.

I have been playing with an 8-bit cipher.

The basic idea is that you take the array
from SQUARE as the s-box.

the round consists of simply substituting
then adding a key byte mod 256.

No fancy key schedule.
Not very elegant.
But very simple.

Could be useful for making
key dependent s-boxes.

Potentially subject to related key attacks.
Changing one key byte in a linear manner
cycles the location of each byte through
every position in a somewhat nonlinear
manner.  This makes the distribution of
resulting s-boxes very "smooth".

Suggestions? Comments?

===============================================================
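typedef unsigned char       byte8; /* 8 bit */
typedef unsigned short      word16; /* 16 bit */

/*
 * S_GAMMA: the 8-bit S-box taken from the SQUARE block cipher, used as the
 * fixed substitution layer of the toy cipher below.  It is a permutation of
 * 0x00..0xff (every byte value occurs exactly once), laid out as 16 rows of
 * 16 entries so that S_GAMMA[0xRC] is row R, column C.
 * As posted, several hex literals were split across line ends (e.g. "0xa"
 * / "1,0x50"), which does not compile; the table is restored here with one
 * complete literal per entry.
 */
byte8 S_GAMMA[0x100] =
{0xb1,0xce,0xc3,0x95,0x5a,0xad,0xe7,0x02,0x4d,0x44,0xfb,0x91,0x0c,0x87,0xa1,0x50,
 0xcb,0x67,0x54,0xdd,0x46,0x8f,0xe1,0x4e,0xf0,0xfd,0xfc,0xeb,0xf9,0xc4,0x1a,0x6e,
 0x5e,0xf5,0xcc,0x8d,0x1c,0x56,0x43,0xfe,0x07,0x61,0xf8,0x75,0x59,0xff,0x03,0x22,
 0x8a,0xd1,0x13,0xee,0x88,0x00,0x0e,0x34,0x15,0x80,0x94,0xe3,0xed,0xb5,0x53,0x23,
 0x4b,0x47,0x17,0xa7,0x90,0x35,0xab,0xd8,0xb8,0xdf,0x4f,0x57,0x9a,0x92,0xdb,0x1b,
 0x3c,0xc8,0x99,0x04,0x8e,0xe0,0xd7,0x7d,0x85,0xbb,0x40,0x2c,0x3a,0x45,0xf1,0x42,
 0x65,0x20,0x41,0x18,0x72,0x25,0x93,0x70,0x36,0x05,0xf2,0x0b,0xa3,0x79,0xec,0x08,
 0x27,0x31,0x32,0xb6,0x7c,0xb0,0x0a,0x73,0x5b,0x7b,0xb7,0x81,0xd2,0x0d,0x6a,0x26,
 0x9e,0x58,0x9c,0x83,0x74,0xb3,0xac,0x30,0x7a,0x69,0x77,0x0f,0xae,0x21,0xde,0xd0,
 0x2e,0x97,0x10,0xa4,0x98,0xa8,0xd4,0x68,0x2d,0x62,0x29,0x6d,0x16,0x49,0x76,0xc7,
 0xe8,0xc1,0x96,0x37,0xe5,0xca,0xf4,0xe9,0x63,0x12,0xc2,0xa6,0x14,0xbc,0xd3,0x28,
 0xaf,0x2f,0xe6,0x24,0x52,0xc6,0xa0,0x09,0xbd,0x8c,0xcf,0x5d,0x11,0x5f,0x01,0xc5,
 0x9f,0x3d,0xa2,0x9b,0xc9,0x3b,0xbe,0x51,0x19,0x1f,0x3f,0x5c,0xb2,0xef,0x4a,0xcd,
 0xbf,0xba,0x6f,0x64,0xd9,0xf3,0x3e,0xb4,0xaa,0xdc,0xd5,0x06,0xc0,0x7e,0xf6,0x66,
 0x6c,0x84,0x71,0x38,0xb9,0x1d,0x7f,0x9d,0x48,0x8b,0x2a,0xda,0xa5,0x33,0x82,0x39,
 0xd6,0x78,0x86,0xfa,0xe4,0x2b,0xa9,0x1e,0x89,0x60,0x6b,0xea,0x55,0x4c,0xf7,0xe2} ;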

/*
 * One application of the toy 8-bit cipher: 32 rounds, each an S_GAMMA
 * substitution followed by addition of the next key byte.  The addition is
 * implicitly mod 256 because the running value is stored back in a byte8.
 *
 * key  - 32 round-key bytes, consumed in order key[0] .. key[31]; the key
 *        schedule is the key itself, no expansion.
 * byte - the input byte.
 * Returns the transformed byte.  Since S_GAMMA is a permutation and each
 * key addition is invertible, the map is a bijection on bytes for any key.
 */
byte8 convert(byte8 key[32], byte8 byte)
{
    const byte8 *round_key = key;
    const byte8 *key_end = key + 32;

    while (round_key < key_end) {
        byte = S_GAMMA[byte];
        byte += *round_key++;
    }
    return byte;
}


Mack
Remove njunk123 from name to reply by e-mail

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
