Cryptography-Digest Digest #287, Volume #12      Wed, 26 Jul 00 00:13:01 EDT

Contents:
  Re: Rabin's information dispersal algorithm (Helger Lipmaa)
  Re: School question for you regulars. ("Joseph Ashwood")
  Re: Rabin's information dispersal algorithm (Helger Lipmaa)
  TheArgon Site ("George Gordon")
  FAQ ("LecturaX Porodum")
  R: CD destruction ("James Goebel Junghanns")
  Re: School question for you regulars. ("Trevor L. Jackson, III")
  Re: School question for you regulars. ("Trevor L. Jackson, III")
  How is the security of Outlook Express encryption ? ("���[��")
  Re: FAQ (Mok-Kong Shen)
  Re: Playing with an 8 bit cipher. (Mack)
  Re: 8 bit block ciphers (Mack)
  Re: School question for you regulars. (Eric Lee Green)
  Re: Cryptographic Camouflage (Steve Meyer)

----------------------------------------------------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: Rabin's information dispersal algorithm
Date: Wed, 26 Jul 2000 01:49:07 +0300

David A Molnar wrote:

> John Myre <[EMAIL PROTECTED]> wrote:
> > Wei Dai wrote:
> > <snip>
> >> IDA is a method of producing k pieces from a message such that any n of
> >> them can be used to recover the message.
>
> > Is this the same thing as a "secret sharing scheme"?
>
> Not quite.
> Shamir's secret sharing scheme provides the property you refer to below
> : that no information is leaked from any of the shares about the original
> file. Rabin's IDA does *not* have that property, and consequently achieves
> smaller share size.
>
> IDA is used in other contexts than cryptography where security and
> integrity are provided in different ways -- we used it in the
> Free Haven Project http://www.freehaven.net/ to cut down on server
> load. The INDIA project is an example of a distributed file system
> design which uses it for similar reasons
> http://www.eecs.harvard.edu/~india/  (I think that link works...)

What is the difference with error-correction codes? :) The IDA description at
INDIA website sounded very much like the Reed-Solomon code.

Helger



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: School question for you regulars.
Date: Tue, 25 Jul 2000 13:51:34 -0700

> If not in a computer science curriculum, where the heck do people
> learn programming skills?
Please excuse my writing, I'm trying not to laugh. Your comparison to a
black art is unfortunately quite accurate, by staying only inside the
curriculum you will learn very little, little enough in fact that my OS
professor actually suggested downloading, reading, and understanding the
Linux kernel _instead_ of taking the class. You gain knowledge of how to
program by doing it, all school will teach you is how to write things the
compiler will understand, and how to design algorithms.

Software Engineering is even worse in this respect, you learn Software
Engineering only through doing, and in school they simply don't have the
time to engineer a decent scale project. So you do most of your real
learning on the job, that's why they pay you more as you get more
experience, you get better.
                Joe



------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: Rabin's information dispersal algorithm
Date: Wed, 26 Jul 2000 01:54:33 +0300

Helger Lipmaa wrote:

> David A Molnar wrote:
>
> > John Myre <[EMAIL PROTECTED]> wrote:
> > > Wei Dai wrote:
> > > <snip>
> > >> IDA is a method of producing k pieces from a message such that any n of
> > >> them can be used to recover the message.
> >
> > > Is this the same thing as a "secret sharing scheme"?
> >
> > Not quite.
> > Shamir's secret sharing scheme provides the property you refer to below
> > : that no information is leaked from any of the shares about the original
> > file. Rabin's IDA does *not* have that property, and consequently achieves
> > smaller share size.
> >
> > IDA is used in other contexts than cryptography where security and
> > integrity are provided in different ways -- we used it in the
> > Free Haven Project http://www.freehaven.net/ to cut down on server
> > load. The INDIA project is an example of a distributed file system
> > design which uses it for similar reasons
> > http://www.eecs.harvard.edu/~india/  (I think that link works...)
>
> What is the difference with error-correction codes? :) The IDA description at
> INDIA website sounded very much like the Reed-Solomon code.

Oh well, reading Rabin's original paper gave the answer :-)

Helger
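
[Added example, not part of the digest or of any poster's message.] The thread's three claims about IDA, that any n of k pieces recover the message, that pieces are smaller than the message, and that a piece is not secret, can be checked with a small implementation. It assumes a Vandermonde matrix over the prime field GF(257), n = 3, k = 5, a constructed 12-byte message whose length is a multiple of n, and function names chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#define P 257      /* prime field: piece symbols are 0..256 (9 bits each) */
#define N 3        /* any N pieces recover the message */
#define K 5        /* pieces produced, numbered x = 1..K */
#define NBLOCKS 4  /* MSG below is NBLOCKS blocks of N bytes */
static const unsigned char MSG[] = "YESYESNO!YES";  /* constructed sample */

static int modpow(int b, int e) {   /* b^e mod P */
    int r = 1;
    for (b %= P; e > 0; e >>= 1, b = b * b % P) if (e & 1) r = r * b % P;
    return r;
}

/* Piece x gets one symbol per N-byte block: the block's bytes taken as polynomial
   coefficients and evaluated at x (the same map as Reed-Solomon evaluation encoding). */
void ida_encode(const unsigned char *msg, int nblocks, int x, unsigned short *piece) {
    for (int b = 0; b < nblocks; ++b) {
        int acc = 0;
        for (int j = N - 1; j >= 0; --j) acc = (acc * x + msg[b * N + j]) % P;
        piece[b] = (unsigned short)acc;
    }
}

/* Rebuild from N pieces: solve the N x N Vandermonde system for each block by
   Gauss-Jordan elimination mod P. Returns -1 if a piece number is repeated. */
int ida_decode(const int xs[N], unsigned short *pieces[N], int nblocks, unsigned char *out) {
    for (int b = 0; b < nblocks; ++b) {
        int m[N][N + 1];
        for (int i = 0; i < N; ++i) {
            for (int j = 0; j < N; ++j) m[i][j] = modpow(xs[i], j);
            m[i][N] = pieces[i][b];
        }
        for (int c = 0; c < N; ++c) {
            if (m[c][c] == 0) return -1;       /* distinct x values never hit this */
            int inv = modpow(m[c][c], P - 2);  /* Fermat inverse of the pivot */
            for (int j = 0; j <= N; ++j) m[c][j] = m[c][j] * inv % P;
            for (int i = 0; i < N; ++i) {
                int f = (i == c) ? 0 : m[i][c];
                for (int j = 0; j <= N; ++j) m[i][j] = ((m[i][j] - f * m[c][j]) % P + P) % P;
            }
        }
        for (int j = 0; j < N; ++j) out[b * N + j] = (unsigned char)m[j][N];
    }
    return 0;
}

/* Encode MSG into K pieces, rebuild from pieces a, b, c (each in 1..K); 1 on a match. */
int roundtrip(int a, int b, int c) {
    unsigned short pc[K][NBLOCKS], *sel[N];
    unsigned char out[N * NBLOCKS];
    int xs[N] = { a, b, c };
    for (int x = 1; x <= K; ++x) ida_encode(MSG, NBLOCKS, x, pc[x - 1]);
    for (int i = 0; i < N; ++i) sel[i] = pc[xs[i] - 1];
    return ida_decode(xs, sel, NBLOCKS, out) == 0 && memcmp(out, MSG, sizeof out) == 0;
}

/* A single piece already shows which plaintext blocks repeat; returns 1 if so. */
int piece_reveals_repeats(int x) {
    unsigned short p[NBLOCKS];
    ida_encode(MSG, NBLOCKS, x, p);
    return p[0] == p[1] && p[1] == p[3] && p[0] != p[2];
}

int main(void) {
    printf("rebuild from 1,3,5: %d  from 2,4,5: %d\n", roundtrip(1, 3, 5), roundtrip(2, 4, 5));
    printf("piece 2 reveals repeated blocks: %d\n", piece_reveals_repeats(2));
    return 0;
}
```

Each piece carries 4 symbols for the 12-byte message, one third of its length, and the repeated "YES" blocks show up as repeated symbols in any single piece.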



------------------------------

From: "George Gordon" <[EMAIL PROTECTED]>
Subject: TheArgon Site
Date: Tue, 25 Jul 2000 17:07:44 -0400

Hi group,

Can anyone help this poor site? I think it's of some value to the community.
http://www.theargon.com

Regards,

George




------------------------------

From: "LecturaX Porodum" <[EMAIL PROTECTED]>
Subject: FAQ
Date: Tue, 25 Jul 2000 23:22:17 +0200

Where can I find the sci.crypt FAQ?

LeX




------------------------------

From: "James Goebel Junghanns" <[EMAIL PROTECTED]>
Subject: R: CD destruction
Date: Tue, 25 Jul 2000 23:12:05 +0100

This may well be an unsound idea, but the last time I had to destroy a CD-R
I just nuked it in the microwave. As the microwaves result in extremely high
temperatures underneath the polymer surface, ie, on the metallic substrate,
I presume large enough amounts of data are literally vapourised so as to
make any attempt at recovering data unfeasible.

As a bonus you get a great pyrotechnic display, as well.

Paul Rubin <[EMAIL PROTECTED]> wrote in message
8liksc$prp$[EMAIL PROTECTED]
> In article <[EMAIL PROTECTED]>,
> Sundial Services  <[EMAIL PROTECTED]> wrote:
> >Come to think of it, the way I'd destroy a CD-R or CD-RW disk is with a
> >buffing wheel or polishing wheel.  If the NSA can reconstruct the data
> >in that little pile of green plastic dust on the floor of the workshop,
> >they can be my guest.  So to speak.
>
> I tried that (wire wheel on CD-R).  You don't get little pieces of
> dust.  You get big slabs of mylar-like data layer with sharp edges to
> poke your fingers when you try to pick them up.  It is a mess.  I
> don't recommend it.  Further, the pieces are big enough to read data
> from with a microscope.  I'd expect about the same results from fine
> grained sandpaper since the data layer simply isn't held on that tight.
> If I have to destroy a CD-R again, I'll use a torch.



------------------------------

Date: Tue, 25 Jul 2000 19:05:08 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: School question for you regulars.

"James Pate Williams, Jr." wrote:

> On Tue, 25 Jul 2000 03:24:12 -0400, "Trevor L. Jackson, III"
> <[EMAIL PROTECTED]> wrote:
>
> >The Gorf wrote:
> >
> >> I hope this is acceptable to post, but if I offend I apologize in advance.
> >> I am eager to start my College career but am unsure of what direction to go.
> >> I am very interested in Computer Science, but I fear that while I will build
> >> strong programming skills, I might not gain the solid math I want.  On the
> >> other hand if I go Mathematics I may lose programming skills.
> >Schools are _much_ better at teaching mathematics than they are at teaching
> >programming skills.  Thus majoring in math is quite likely to give you a
> >reasonable grounding in mathematics.  Majoring in CS is unlikely to give you a
> >reasonable grounding in programming skills.
> >
> >Note that programming skills are not the same as computer science.
> >
> If not in a computer science curriculum, where the heck do people
> learn programming skills? Do you expect technical schools or on the
> job training to be used to teach programming skills? Software
> engineering is a science not a black art passed down by practitioners
> to apprentices.

This assertion is contrary to my experience (although I wish it were true).  While
there is considerable science available for use by software engineers, in practice,
little of it is ever utilized.  Is management a science?  In theory yes, in
practice, rarely ever.  I suspect the reasons are the same: lack of adequate
metrics.

For topical relevance, is cryptography a science?  We're in a sci.* newsgroup, but
according to Lincoln, calling a tail a leg still leaves a dog with four legs, not
five.  I suspect the professional practitioners of cryptography would like it to be
less of a black art than it currently is (in both senses of "black art").

> Most technical school computer programming graduates
> have very limited knowledge of modern software engineering practices.

Yes.  The same is true in slightly lesser extent from famous universities.  Part of
the gap exists because the field is moving relatively quickly, and it takes a
respectable amount of time for the advances to get into textbooks and textbooks to
get into the curriculum.  This is complicated by the fact that the current crop of
students probably grew up with computers while the senior instructional staff did
not.


------------------------------

Date: Tue, 25 Jul 2000 19:09:26 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: School question for you regulars.

Joseph Ashwood wrote:

> > If not in a computer science curriculum, where the heck do people
> > learn programming skills?
> Please excuse my writing, I'm trying not to laugh. Your comparison to a
> black art is unfortunately quite accurate, by staying only inside the
> curriculum you will learn very little, little enough in fact that my OS
> professor actually suggested downloading, reading, and understanding the
> Linux kernel _instead_ of taking the class. You gain knowledge of how to
> program by doing it, all school will teach you is how to write things the
> compiler will understand, and how to design algorithms.
>
> Software Engineering is even worse in this respect, you learn Software
> Engineering only through doing, and in school they simply don't have the
> time to engineer a decent scale project. So you do most of your real
> learning on the job, that's why they pay you more as you get more
> experience, you get better.

There's also the inversion of complexity.  Typical system programming courses
will spend up to half their time on the task scheduler and the data structures
that support it, and little or no time on the intricacies of file system
design.  Now a scheduler can be written in a page of code.  A file system
takes on the order of a ream.  Which is a more important area for a CS
graduate to comprehend?


------------------------------

From: "���[��" <[EMAIL PROTECTED]>
Subject: How is the security of Outlook Express encryption ?
Date: Wed, 26 Jul 2000 07:23:18 +0800

Does anyone know what is the key length of Outlook Express's signing/encryption ?

And is it safe enough ?





------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: FAQ
Date: Wed, 26 Jul 2000 01:56:14 +0200



LecturaX Porodum wrote:

> Where can I find the sci.crypt FAQ?

The complete FAQ has most recently been posted on 20th July
in the group. Don't you see it?

M. K. Shen



------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: Playing with an 8 bit cipher.
Date: 26 Jul 2000 02:22:18 GMT

>
>
>This cipher can be transformed to be :
>
>________________________________________________________
>unsigned char sbox[256] = { ... as above ... };
>unsigned char tbox[256];
>
>void setkey (unsigned char key[32])
>{
>  unsigned char ch;
>  int i, j;
>  for (i = 0; i != 256; ++i) {
>    ch = i;
>    for (j = 0; j != 32; ++j) {
>      ch = sbox[ch] + key[j];
>    }
>    tbox[i] = ch;
>  }
>}
>
>unsigned char convert (unsigned char ch)
>{
>  return tbox[ch];
>}
>________________________________________________________
>
>Can you see that this cipher is nothing but a simple
>substitution ? Even plaintext attacks are not that
>hard to do. Just drop the idea you have to use 8 bit
>blocks because you're low on memory. Implement
>Twofish, it requires only 64 byte RAM and offers you
>the full security of a modern cipher.
>
>
>

Yes this is equivalent. But if you don't have 256 bytes
to play with it is not possible to simply convert it into
a table.

This takes only the memory to store the key.  It does
not require additional memory. The table can be stored
in ROM. The counter would be a register as would the
data byte.

Even Twofish is a simple substitution given the appropriate
size s-box (not practical but true).

This is to be part of a larger function. Its use is an s-box.

Additionally the block size of twofish is not
appropriate.  Blowfish would be the more logical choice.
Lastly using 64 bytes of memory is more than is available.
When using embedded applications with only 64 bytes of
memory it really isn't practical to use all of it for the
encryption.


Mack
Remove njunk123 from name to reply by e-mail
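
[Added example, not part of the digest or of any poster's message.] Both posters agree that the 32-round construction collapses to one 256-entry substitution; the code below checks that on the low-memory form and shows what it means in practice: known plaintext/ciphertext pairs decode further traffic without the key. The s-box (elided in the thread), the key and both messages are constructed stand-ins, and the function names are chosen for the example.

```c
#include <stdio.h>
#include <string.h>

static unsigned char sbox[256];  /* stands in for the elided "as above" table */
char recovered_text[64];         /* output of recover_demo() */

/* Constructed s-box: i*167+13 mod 256 is a permutation (odd multiplier). */
static void make_demo_sbox(void) {
    for (int i = 0; i < 256; ++i) sbox[i] = (unsigned char)(i * 167 + 13);
}

/* Low-memory form: s-box in ROM, 32 key bytes, data byte and counter in registers. */
static unsigned char encrypt_byte(const unsigned char key[32], unsigned char ch) {
    for (int j = 0; j < 32; ++j) ch = (unsigned char)(sbox[ch] + key[j]);
    return ch;
}

/* Constructed 32-byte key for the demonstration. */
static void make_demo_key(unsigned char key[32]) {
    for (int j = 0; j < 32; ++j) key[j] = (unsigned char)(j * 29 + 7);
}

/* Returns 1 if the keyed cipher maps the 256 byte values one-to-one, i.e. it
   is one fixed substitution table (the tbox[] of the quoted setkey()). */
int is_byte_permutation(void) {
    unsigned char key[32], seen[256] = {0};
    make_demo_sbox();
    make_demo_key(key);
    for (int i = 0; i < 256; ++i)
        if (seen[encrypt_byte(key, (unsigned char)i)]++) return 0;
    return 1;
}

/* Encrypts `known` and a second message under the same key, then decodes the
   second ciphertext using only the known plaintext/ciphertext pairs (the key
   is never consulted). Returns how many bytes stayed undecoded ('?'). */
int recover_demo(const char *known) {
    static const char secret[] = "meet me at the old bridge at nine"; /* constructed */
    unsigned char key[32];
    int inv[256], unknown = 0;
    make_demo_sbox();
    make_demo_key(key);
    for (int i = 0; i < 256; ++i) inv[i] = -1;
    for (size_t i = 0; known[i]; ++i)   /* observed pair: ciphertext -> plaintext */
        inv[encrypt_byte(key, (unsigned char)known[i])] = (unsigned char)known[i];
    for (size_t i = 0; secret[i]; ++i) {
        int p = inv[encrypt_byte(key, (unsigned char)secret[i])];
        recovered_text[i] = (p < 0) ? '?' : (char)p;
        if (p < 0) ++unknown;
    }
    recovered_text[strlen(secret)] = '\0';
    return unknown;
}

int main(void) {
    printf("one-to-one byte mapping: %d\n", is_byte_permutation());
    printf("short known text: %d unknown -> %s\n",
           recover_demo("attack at dawn"), recovered_text);
    printf("pangram known:    %d unknown -> %s\n",
           recover_demo("the quick brown fox jumps over the lazy dog"), recovered_text);
    return 0;
}
```

The 32 key bytes add nothing an observer has to learn: the table is the whole secret, and every observed plaintext byte gives away one entry of it.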

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: 8 bit block ciphers
Date: 26 Jul 2000 02:29:24 GMT

>Mack wrote:
>> Except I don't have 64 bytes to play with.
>
>He also said before:
>> I am looking for something that could be implemented without
>> having the entire table in memory.  For example only using
>> 32 bytes.
>
>You said 'for example' so I thought you meant 'for example'.
>Well, with only 32 byte, I guess you still can implement
>Twofish or Serpent, at least in a 128 bit only version.

I do have 64 bytes total.  But all of it can't be used for
the encryption.  8 of it has another use.

>
>You have to drop the factory key of Twofish, for example,
>and compute the elements of the vector S again and again,
>but it should be possible. Or you have to transform the
>key bits of Serpent forward and back in every round.
>
>

Now this is something to look into. Has anyone implemented
minimum memory versions of Serpent and Twofish? The block sizes
aren't really appropriate but they could be used.

Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: School question for you regulars.
Date: Wed, 26 Jul 2000 03:14:42 GMT

Joseph Ashwood wrote:
> 
> > If not in a computer science curriculum, where the heck do people
> > learn programming skills?
> Please excuse my writing, I'm trying not to laugh. Your comparison to a
> black art is unfortunately quite accurate, by staying only inside the
> curriculum you will learn very little

This, as with all things, depends greatly upon what school you went to
and what curriculum you followed at that school. What I learned whilst
getting a CS degree was math -- lots of math, top-down design, data
structures, fundamental algorithms. I learned how to program, on the
other hand, by hacking on my home computer. 

In short, a good CS department is very math-heavy and theory heavy, and
depends upon you hacking upon your own home computer to learn
programming. As one of my professors put it, any half-competent code
monkey can learn how to write programs in his spare time, if you could
not do that you did not belong in the department, his job was to teach
you good design principles and the theory necessary to build good
algorithms. 

I taught myself Pascal, BASIC, "C", various assembly languages, etc.,
but what I learned in college was more important. Things like hash
tables and b-trees and best places to apply them, finite state machines,
data flow, top down design, structured programming, things like that. 

I have encountered code written by people without formal training in
computer science, and most of it is cr*p, with the exception of those
few who recognize that there is more to creating programs than just
sitting at a keyboard and playing code monkey (people who have gone out
and taught themselves the stuff I learned in college). But most of the
arrogant little twits write incomprehensible spaghetti code that is
inefficient and bloated. One little jerk scanned a database looking for
records, displayed them to the screen, then when it came time to save
changes he scanned the database AGAIN, looking for those very same
records to calculate an average, rather than saving the detail data in
an array somewhere... and then the arrogant twit insisted there was no
problem with his code, even after I pointed out that he was taking 40
seconds to average and save a screen full of data when that was entirely
unacceptable, that he was updating records on disk that were unchanged
and thus was swamping the poor little IDE hard drive on the system, and
even after I pointed out to him what he was doing wrong and what he
needed to do in order to fix it, he refused to do anything about it.
After he was fired for refusing to fix his problems and an experienced
programmer was assigned to the project, the time required to average and
save a screenful of data went to practically realtime, and the code
actually SHRUNK by several hundred lines... but then, she knew what she
was doing (she'd actually taught programming at the technical college
level for many years). 

> , little enough in fact that my OS
> professor actually suggested downloading, reading, and understanding the
> Linux kernel _instead_ of taking the class. You gain knowledge of how to
> program by doing it, all school will teach you is how to write things the
> compiler will understand, and how to design algorithms.

You speak as if how to design algorithms is not worthwhile knowledge. 
 
> Software Engineering is even worse in this respect, you learn Software
> Engineering only through doing, and in school they simply don't have the
> time to engineer a decent scale project. So you do most of your real
> learning on the job, that's why they pay you more as you get more
> experience, you get better.

Absolutely. On the other hand, the principles you learn in a good
Software Engineering class are very valuable there, especially if you
take them to heart. I document the hell out of my software. My partner
in crime -- err, design -- does not. The difference is that I have had a
Software Engineering course and plenty of real-world experience, while
he has had the real-world experience WITHOUT the background in software
engineering. He's a damn good programmer, and while I designed the
overall framework of the project and the basic concepts and algorithms
to be used, he's doing a great job of filling in the details. But before
I moved into that role, when he was the project architect, he was
thrashing bad. He was reading every fad-of-the-week software engineering
book trying to get the background that he was missing, and while I
suspect he would eventually have gotten it right, if he'd had a good
theoretic background in the subject in the first place things would not
have been so rough on him. But then again, he's one of the rare
self-taught programmers who understands the limitations of not having a
college education... something that most of the arrogant twit
programmers I've encountered do not understand, thinking somehow that
the ability to write 100 lines of code per minute makes them god's gift
to programming. 

To summarize: 1) A good CS curriculum is very math-heavy. You can get a
feel for the CS curriculum by looking at the college catalog and
counting the math credits on it. 2) A good CS curriculum prepares you
for later professional life by giving you the theoretical background to
go onwards in the field. When I graduated from college, Pascal and Ada
were the latest and greatest, and object-oriented programming was some
weird stuff that you did with Smalltalk that had no practical
application. Today, Pascal and Ada are practically extinct, I'm
programming in languages unknown 15 years ago, object oriented
programming is old hat (the latest buzzword is "component oriented
programming", apparently), and I'm writing programs to control hardware
that would have been science fiction when I graduated college. While it
took a long time to pay off my CS degree (student loans), I count it as
an investment well worth it. 

PS: Do I come off as arrogant in my characterization of some of the
twits I've encountered? If so, good. I don't have time for people
unwilling to listen to experience. I try my best to listen thoughtfully
and comment and contribute to my co-workers ideas, and have no patience
with those unwilling to return the favor. It shows blatant disrespect
and lack of professionalism, and I am long past the point where I have
to pander to that kind of nonsense. And you know something? It's proven
to be the best way of telling the wheat from the chaff... the good
programmers know that they don't know everything and are always willing
to listen and try to learn new things, while the bad ones are arrogant
twits who know it all and who refuse to believe that anybody outside
their heads has anything to contribute. Strange, that the people who are
worst at their job have the highest opinion of themselves, eh? 

-- 
Eric Lee Green      There is No Conspiracy
[EMAIL PROTECTED]     http://www.badtux.org

------------------------------

From: [EMAIL PROTECTED] (Steve Meyer)
Subject: Re: Cryptographic Camouflage
Reply-To: [EMAIL PROTECTED]
Date: 26 Jul 2000 03:50:11 GMT

I think the word you want is "steganography" that I think means 
information hiding.  I do not know its usage history.
/Steve

On Tue, 18 Jul 2000 11:42:32 -0700, Joseph Ashwood <[EMAIL PROTECTED]> wrote:
>Unfortunately I need to correct one of the statements I made in this thread,
>apparently I'm not supposed to refer to the camouflage as encryption
>(although my standard definition applies*), so the actual obfuscation of the
>key is performed as:
>ENCRYPT(e, ServerKey)
>camouflage(d, PIN)
>                Joe
>
>* My standard definition for cryptography is (edited for content) "The art
>of [messing] [data] up so that no one else can un[mess] it" (originally
>stated by a friend of mine without content editing)
>
>


-- 
Steve Meyer                             Phone: (415) 296-7017
Pragmatic C Software Corp.              Fax:   (415) 296-0946
220 Montgomery St., Suite 925           email: [EMAIL PROTECTED]
San Francisco, CA 94104

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
