Cryptography-Digest Digest #426, Volume #12 Sat, 12 Aug 00 18:13:01 EDT
Contents:
Re: Best AES candidates ?? (David Blackman)
Re: chap authentication scheme? (David P Jablon)
Re: chap authentication scheme? (David P Jablon)
Re: idear for new cipher (lordcow77)
Re: Car Radio Code Encryption. (Mok-Kong Shen)
Re: 1-time pad is not secure... (Sander Vesik)
Re: Question? (John Savard)
Re: Software license software with PK ???? (jungle)
Cryptographic Protocol Analyzer ("Eric Braeden")
Re: 1-time pad is not secure... (JPeschel)
Re: Cryptographic Protocol Analyzer (jungle)
Re: 1-time pad is not secure... ([EMAIL PROTECTED])
Re: Question? (John Savard)
Re: 1-time pad is not secure... ([EMAIL PROTECTED])
Re: Cryptographic Protocol Analyzer ("Eric Braeden")
crypto vs. psychology, was OTP as BBS generator (wtshaw)
Rebecca (John Savard)
----------------------------------------------------------------------------
From: David Blackman <[EMAIL PROTECTED]>
Subject: Re: Best AES candidates ??
Date: Sun, 13 Aug 2000 00:29:32 +1000
DJohn37050 wrote:
>
> Well, I did hear it from the horse's mouth (that is, NIST) that the IP
> statement required for all submittals was carefully crafted to not imply a
> single winner and would be valid if multiple winners were chosen.
> Don Johnson
Yes, they did hedge their bets at the start. It now looks pretty certain
there will be just one winner. Just about every public submission on
that question wanted a single winner. So did all five finalist entrants
I think.
At the start NIST might have been just a bit worried that their criteria
were too tough, and that a single algorithm might not be able to meet
all of them. That worry has since evaporated. Each of the 5 finalists
meets all the criteria, and a couple of the non-finalists probably do
too.
Given the much greater convenience all round of having a single winner,
I think it is going to happen.
------------------------------
From: [EMAIL PROTECTED] (David P Jablon)
Subject: Re: chap authentication scheme?
Date: Sat, 12 Aug 2000 14:29:56 GMT
In article <[EMAIL PROTECTED]>,
Mark Wooding <[EMAIL PROTECTED]> wrote:
>Tomas Rosa <[EMAIL PROTECTED]> wrote:
>> > The authenticator has a modulus N (prime?) and a generator g. The stuff
>> > stored in the database is
>> > username, salt s, g, N, g^ps modN
>>
>> Note about the salt: I suppose that you want to use the salt to hide
>> the property that two users with the same p will have the same entry
>> in the account database. But when N is prime (more precisely, when the
>> order of multiplicative group Z/N is known) then it is easy to compute
>> r, such that r*s mod phi(n) = 1 and then to compute g^p mod N =
>> (g^ps)^r mod N.
>>
>> Now the attacker is able to determine accounts with the same
>> authentication secret p.
>
>Good point. The solution is easy: discard s; store only g' = g^s.
>
>The resulting protocol has many interesting properties:
>
> * It's simulatable. Working offline, I can generate transcripts of
> plausible-looking authentications simply by making up random values
> r myself and computing g'^r and (g'^p)^r. Thus, eavesdropping
> doesn't help.
>
> * Impersonating someone is the Diffie-Hellman problem: given g'^r and
> g'^p compute g'^{rp}.
>
> * Since the server doesn't have any secrets, it can't actually
> impersonate people to other hosts which share the same correct
> password database. (If it's allowed to send bogus password
> databases about then you lose, of course.)
>
> * Distinguishing password entries for identical passwords appears
> difficult, but I can't reduce it to any standard problems.
>
> Given g_0 = g^{s_0}, y = g^{s_0 x_0}, g_1 = g^{s_1} and one of z_0 =
> g^{s_1 x_0} and z_1 = g^{s_1 x_1}, decide which of the z_i you were
> given.
I'd add one more "interesting property":
* The protocol allows an eavesdropper brute-force attack on p.
This last property means the method is broken, unless you assume that
the password p is always a unique random sufficiently large number.
And if you made that assumption, then the discussion about salt
is irrelevant.
There are many strong password protocols that can be used as a
better starting point for a good two-message protocol.
See www.IntegritySciences.com/links.html for a list.
======================================================
David P. Jablon
[EMAIL PROTECTED]
www.IntegritySciences.com
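As an added illustration (not code from the thread), this Python snippet reproduces on a toy prime the two points above: Tomas Rosa's observation that the salt s can be stripped from a stored g^(ps) mod N when N is prime by inverting s modulo N-1, and David Jablon's point that a single transcript of the g' = g^s variant lets a passive observer test password candidates offline. The prime N, generator g, salts, passwords and the exponent r are all constructed values.

```python
from math import gcd

# Constructed toy parameters: 1019 is prime and 2 is a primitive root mod 1019,
# so g^p mod N pins down p modulo N-1 = 1018. Real deployments use far larger N.
N = 1019
G = 2


def make_entry(p, s):
    """The original scheme's database entry: g^(p*s) mod N."""
    return pow(G, p * s, N)


def unsalt(verifier, salt, n=N):
    """Strip the salt from g^(p*s) mod n when n is prime (Rosa's observation).

    phi(n) = n-1 is public, so whenever gcd(salt, n-1) == 1 there is an r with
    r*salt == 1 (mod n-1), and (g^(ps))^r == g^p by Fermat's little theorem.
    Returns None when the salt is not invertible modulo n-1.
    """
    if gcd(salt, n - 1) != 1:
        return None
    r = pow(salt, -1, n - 1)      # modular inverse of the salt mod phi(n)
    return pow(verifier, r, n)    # == g^p mod n, salt gone


def same_secret(entry_a, salt_a, entry_b, salt_b):
    """True when two salted entries were derived from the same password p."""
    a, b = unsalt(entry_a, salt_a), unsalt(entry_b, salt_b)
    return a is not None and a == b


# Wooding's variant: store g' = g^s only; a run reveals g'^r and (g'^p)^r.
def transcript(g_prime, p, r):
    """Messages a passive observer sees in one authentication run."""
    return pow(g_prime, r, N), pow(pow(g_prime, p, N), r, N)


def offline_test(g_r, response, candidates):
    """Jablon's point: each candidate p is checked offline against one
    transcript, since (g'^r)^p == (g'^p)^r exactly when p is right."""
    for cand in candidates:
        if pow(g_r, cand, N) == response:
            return cand
    return None


if __name__ == "__main__":
    # Users A and B share password 7 under different salts; C uses 13.
    a, b, c = make_entry(7, 5), make_entry(7, 11), make_entry(13, 5)
    print("A and B share p:", same_secret(a, 5, b, 11))   # True
    print("A and C share p:", same_secret(a, 5, c, 5))    # False
    g_r, resp = transcript(pow(G, 5, N), 7, 123)
    print("recovered p from transcript:", offline_test(g_r, resp, range(1, 100)))
```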
------------------------------
From: [EMAIL PROTECTED] (David P Jablon)
Subject: Re: chap authentication scheme?
Date: Sat, 12 Aug 2000 14:54:02 GMT
In article <[EMAIL PROTECTED]>,
Thomas Wu <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (Bill Unruh) writes:
>>
>> ]Just use SRP or some other well-studied password protocol. If it
>> ]requires expanding PPP authentication to handle an extra round, so be
>> ]it - the extra security is worth it.
Also, if some application requires tweaking SRP, SPEKE, etc. to get it to
fit in two rounds, that seems fine too. Three rounds are the minimum
needed for mutual explicit authentication, which is probably not
the goal here.
>> [...]
>> Isn't srp
>> also vulnerable to a dictionary attack on the password database?
>
>All password-based protocols have the same issue - if you steal the server's
>secret(s), you can distinguish valid clients from invalid clients. [...]
Actually, even that problem can also be solved to some extent. To see
an example of how two or more servers can prevent stored-verifier
brute-force attack, in a strong password protocol, see
<http://www.integritysciences.com/links.html#FK00>.
======================================================
David P. Jablon
[EMAIL PROTECTED]
www.IntegritySciences.com
------------------------------
Subject: Re: idear for new cipher
From: lordcow77 <[EMAIL PROTECTED]>
Date: Sat, 12 Aug 2000 08:29:13 -0700
I think the confusion here lies in the difference between GF
(2^n) and how the field is represented. The polynomial
representation of a finite field is only one of many different
possible ways to represent the abstract mathematical structure
of a Galois field, just as "12" is a way of representing in
decimal the idea of "twelve" (with "XII" and "0xC" as other
possible representations). You have to reduce modulo an
irreducible polynomial after your finite field multiplication
simply to generate the structure of the field.
===========================================================
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
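An added worked example (not from the post above) of the point about representation and reduction: GF(2^8) elements are byte strings read as polynomials over GF(2), the product of two of them can have degree up to 14, and it is the reduction modulo a degree-8 irreducible polynomial that turns the result back into a field element. Reducing by a reducible polynomial instead produces zero divisors, so no field. The moduli are the Rijndael polynomial 0x11B and, for contrast, x^8 + 1 = 0x101, which factors as (x + 1)^8 over GF(2); the check routine is brute force and constructed for illustration.

```python
def clmul(a, b):
    """Carry-less product of two GF(2) polynomials given as bit strings.
    No reduction yet: for two bytes the degree can reach 14."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def reduce(x, modulus):
    """Reduce polynomial x modulo `modulus` by repeated aligned XOR
    (long division over GF(2))."""
    deg = modulus.bit_length() - 1
    while x.bit_length() - 1 >= deg:
        x ^= modulus << (x.bit_length() - 1 - deg)
    return x


def gf_mul(a, b, modulus):
    """Multiplication in GF(2)[x]/(modulus): multiply, then reduce."""
    return reduce(clmul(a, b), modulus)


def gf_inv(a, modulus):
    """Brute-force inverse of a nonzero byte, or None if it has none."""
    for b in range(1, 256):
        if gf_mul(a, b, modulus) == 1:
            return b
    return None


def is_field(modulus):
    """GF(2)[x]/(modulus) with a degree-8 modulus is a field exactly when
    every nonzero byte has a multiplicative inverse."""
    return all(gf_inv(a, modulus) is not None for a in range(1, 256))


AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1: irreducible, used by Rijndael
REDUCIBLE = 0x101   # x^8 + 1 = (x + 1)^8 over GF(2): reducible

if __name__ == "__main__":
    print(hex(clmul(0x57, 0x83)))              # 0x2b79, degree 13: not a byte
    print(hex(gf_mul(0x57, 0x83, AES_POLY)))   # 0xc1 after reduction
    print(hex(gf_mul(0x03, 0xFF, REDUCIBLE)))  # 0x0: a zero divisor
    print(is_field(AES_POLY), is_field(REDUCIBLE))  # True False
```

The same abstract field arises from any irreducible degree-8 modulus, e.g. `is_field(0x11D)` is also true; only the byte-level representation of each element changes.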
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Car Radio Code Encryption.
Date: Sat, 12 Aug 2000 18:23:04 +0200
No Name wrote:
>
[snip]
>
> A sequence of four number digits is converted to a sequence of two hex
> bytes.
>
> For example, 1737 is converted to 69AB
[snip]
That means you have an invertible (in general one-to-many)
mapping from [0,9999] to [0,65535]. There exist in theory a
huge number of such mappings. To determine that in a
particular practical case is the very art of a cryptologist,
eventually requiring some little or substantial help from
Fortuna.
M. K. Shen
------------------------------
From: Sander Vesik <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: 12 Aug 2000 16:14:00 GMT
[EMAIL PROTECTED] wrote:
> 40 messages in the thread within 16 hours! I am truly STUNNED! :)
> I'm surprised that people brought up Chaos Theory because it just
> reassures my point. If our world is chaotic, there's no such thing as
How come?
> pure randomness. Every event will fall on "the 2-spiral" in a larger
> scope. So it's like computing 1/x, we're chasing the impossible zero
It need not. You are assuming that the chaotic system has an attractor.
It doesn't have to have one.
Indeed consider:
* chaos: arbitrarily small changes can cause an arbitrarily
large change in the outcome
* QM: Look here, you can go this far and no further. Everything
smaller is forever beyond your reach.
But of course, for OTP we only need QM, chaos is only added frills that
keep you from predicting larger systems 8-)
> with increasing computational power. OTP is only computationally
> secure.
[snip]
> Let me try to solve this one:
> 1, 4, 18, 23, 0, 7, X. What is 'X'?
> A 2-digit number with 90% certainty. Between 10-40 with 80% certainty.
> If the list is much longer, more characteristics will emerge like this
> individual doesn't pick 5 or 9 as often...
How come? You are assuming that there is some kind - indeed, any kind -
of correlation in the sequence. That does not have to be. Each of these
can easily be the initial member of its own sequence, generated by
just about any function f:(R[0], ...)->R. We know nothing at all about
X - it is truly random and unguessable.
> --Sisi
> Sent via Deja.com http://www.deja.com/
> Before you buy.
--
Sander
FLW: "I can banish that demon"
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Question?
Date: Sat, 12 Aug 2000 17:13:02 GMT
On Sat, 12 Aug 2000 09:55:59 -0400, "Trevor L. Jackson, III"
<[EMAIL PROTECTED]> wrote, in part:
>Melinda Harris wrote:
>> A secret document recently intercepted discloses the following:
>> A virus able to infiltrate, infect and encrypt multiple hard drives? Able to
>> infect entire networks?
>Microsoft(tm) Office 2000?
Ah, yes: and governments worldwide are going to extreme lengths to get
computer-eccentric Bill Gates to disclose the source code to the
Windows operating system, although so far only the antitrust case in
the United States has progressed very far.
While Windows NT at one time supported other architectures besides the
386 architecture, such as MIPS and the Alpha, they never did port it
to a Cray or anything like that, so we never had the chance to see how
close it could come to making a supercomputer look like a broken
abacus.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: jungle <[EMAIL PROTECTED]>
Subject: Re: Software license software with PK ????
Date: Sat, 12 Aug 2000 13:30:45 -0400
is the payment made for software NOT enough for you ?
Benny Nissen wrote:
> My background is the need for a good public key library implementation to
> do software license software (will make a hackers key-generator useless). I
------------------------------
From: "Eric Braeden" <[EMAIL PROTECTED]>
Subject: Cryptographic Protocol Analyzer
Date: Sat, 12 Aug 2000 14:44:53 -0400
Where can I download or otherwise acquire a good
cryptographic protocol analyzer?
Thanks,
Eric
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: 1-time pad is not secure...
Date: 12 Aug 2000 18:48:15 GMT
[EMAIL PROTECTED] (Guy Macon) writes:
>Douglas A. Gwyn wrote:
>>
>>Guy Macon wrote:
>>> So why haven't you published it yourself on the Internet?
>>
>>I haven't had time to set up a Web site. Whenever I get
>>a round tuit, that will be one of the things I'll include.
>
>Email it to me and I will put it on the net for you.
Looks like there is already one on the web:
http://www.funkypages.com/hahaha.php?page=/roundtuit/index.php
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: jungle <[EMAIL PROTECTED]>
Subject: Re: Cryptographic Protocol Analyzer
Date: Sat, 12 Aug 2000 15:05:23 -0400
what do you need to analyze ?
Eric Braeden wrote:
>
> Where can I download or otherwise acquire a good
> cryptographic protocol analyzer?
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: 1-time pad is not secure...
Date: Sat, 12 Aug 2000 20:17:09 GMT
I think you're muddling the issue a little. So you generate a key to be
used with 3DES... If your key generator is biased, the same problem
applies to any system. You have some keys with higher probabilities
than others. If you try the ones with highest probabilities first (on
your 3DES that is), you'll get your plaintext faster than brute-force.
In addition, since you're using 3DES not OTP, your encryption system
itself may provide loopholes for attack other than brute force. So
what's your point?
Let me put it in more details. So you generate keys for 3DES. Two
56-bit keys per encryption. Your key generator is biased. Let's say it
generates the sequence 01010 a lot just for the sake of easy
discussion. So while you're breaking 3DES, you always consider the
cases with 01010 first. That gives you an advantage. That's my point.
Same key generation problem with any system, but the situation with OTP
is worse because the key is so long -- as long as the message itself.
Maybe I'll start a thread on RSA later. :)
--Sisi
In article <uYZ$L3CBAHA.278@cpmsnbbsa07>,
"Joseph Ashwood" <[EMAIL PROTECTED]> wrote:
> I still don't think you are quite understanding. The
> complete proof of One Time Pad does not bind it exclusively
> to XOR, it is simply the only known algorithm that meets the
> qualifications. You could use a *weakened* version of OTP
> and use the pad as a key for 3DES, of course as I pointed
> out before there exists an XOR pad that will convert it to
> the plaintext. You so far have not even begun to address
> the issue that I have brought up now 3 times. If I encrypt a
> plaintext P with a non-OTP key K using 3DES, there exists a
> OTP that will create the plaintext from the provided
> ciphertext. This is a very weakened version of OTP, so how
> do you propose to break it? I've given the hand-waving that
> makes it obvious that the pad exists, and I have stated,
> although I haven't proven it is obvious that it is true,
> that the pad contains much more regularity than a true OTP,
> so it MUST be weakened. Enjoy, we know how to break it in
> between 2^90 and 2^112.
> Joe
>
> <[EMAIL PROTECTED]> wrote in message
> news:8n2567$f9p$[EMAIL PROTECTED]...
> > Over 80 messages in this thread in less than 2 days. I'm really
> > stunned. Am I breaking a record?
> For longest time? or most often? *grin*
>
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Question?
Date: Sat, 12 Aug 2000 20:33:25 GMT
I'll have to admit to being rather annoyed at these strange postings
by Melinda Harris about the amazing cipher system "ANEC" which tell us
how wonderful it is without giving information other than information
of a tantalizing form.
However, I have managed to turn up evidence that David Matthias Mimms
is a real person after all!
David Matthias Schiesl describes himself at the guestbook
http://www.townonline.com/guestbooks/north.html
as "a freelance cryptographer, inventor of the strong encryption
program called ANEC". However, he uses Melinda Harris' E-mail address,
except that it ends in the country code "ne" instead of the top-level
domain "net".
I thought the name sounded oddly familiar, so I tried looking in sites
about the Baader-Meinhof gang! I'm glad he had nothing to do with
that; in other entries in this guestbook, he identifies himself as a
"former model and actor" in the Austin, Texas area during the 1970s.
Perhaps I saw the name before in the credits of some B-movie...
He is also a fan of Wil Hart and the Delphonics, for whatever that is
worth.
However, if he lives in Texas, "net" instead of "ne" is probably
correct.
Now, should that be /www.worldnet.att.net/~melinda.harris/, or without
the www and/or the tilde? Maybe ANEC does have a web site after all...
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: 1-time pad is not secure...
Date: Sat, 12 Aug 2000 20:39:19 GMT
In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> You should define what is meant by "exist".
That is... something like if our world is really random. But that's way
OT already. let's move on.
> > If you look at each individual event, it seems random. But if you
> > look at a large group of events, they follow a certain pattern.
> > That's not random.
>
> Sure "it" (the process) is. The pattern is called a "probability
> distribution".
Well we keep refining the probability distribution as we notice more
patterns. So what seems random before is not random any more. Like rain
is not random over the whole year in most places. Rain comes mostly in
spring/summer.
> > For example, one day we'll move on to nanocomputers, then current
> > RNGs will not be random any more.
>
> Sure they will. What grounds do you have for saying otherwise?
If your RNG is based on a huge cycle. Gone.
If your proof has the word NP or polynomial-time in it. Gone.
> > Another side note: How come nobody has brought up anti-matters yet?
> > It's so cool. :) Light -- photon -- is an anti-matter. Our
> > understanding on antimatters is at the beginning stage. Maybe some
> > antimatters can travel faster than others. And then some smart kids,
> > probably genetically-engineered, will show that antimatters have
> > sub-antimatters...
>
> That does not correspond to "antimatter" as understood by physicists.
You sure? I thought photon was considered an antimatter. There were
other antimatters as well in the complete map...
--Sisi
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Eric Braeden" <[EMAIL PROTECTED]>
Subject: Re: Cryptographic Protocol Analyzer
Date: Sat, 12 Aug 2000 16:47:46 -0400
jungle <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> what do you need to analyze ?
>
> Eric Braeden wrote:
> >
> > Where can I download or otherwise acquire a good
> > cryptographic protocol analyzer?
>
>
I need to analyze a client/server communication system.
Eric
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: crypto vs. psychology, was OTP as BBS generator
Date: Sat, 12 Aug 2000 14:14:02 -0600
In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>
> I am interested to see the result of discussions on the above
> issue, though I have nothing to contribute myself. A question
> that occurs to me though is: Is the science of crypto entirely
> separated from psychology?
>
> M. K. Shen
Psychology is as much art as science since humans are not all wired the
same and tend to rewire themselves in ungovernable ways. Since crypto
depends so much on maverick brains to conceive, use, and analyze it, it
can be less science than art at times.
Whether that which is presented about crypto as science is good science is
sometimes also subject to question. We surely can learn lots by posing
good scientific questions and actually testing hypotheses.
--
Too bad from the party members point of view that Ventura has
gone, for what the Reform Party needs is a good referee and
someone who understands how to *fix* things, before hurt sets in.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Rebecca
Date: Sat, 12 Aug 2000 21:09:32 GMT
Doubtless, many people remember the novel entitled "The Key to
Rebecca" which is a spy novel set in World War II. I had wondered why
the author happened to choose the Daphne du Maurier novel (which was
also the basis of Alfred Hitchcock's first movie) as the base for his
fictional agent's book cipher...
and in a web search, I happened across
http://www.wabash.lib.in.us/wcpl/homefront.htm
which noted that the _Kondor_ spy ring actually did use that book as
the basis for a book cipher during World War II! One learns something
new every day.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************