Cryptography-Digest Digest #453, Volume #12 Tue, 15 Aug 00 18:13:01 EDT
Contents:
Re: Looking for password statistical data ([EMAIL PROTECTED])
Re: Unauthorized Cancel Messages ([EMAIL PROTECTED])
Re: BBS agreement? (Doug Kuhlman)
Re: Not really random numbers (James Felling)
Re: 1-time pad is not secure... (Sniggerfardimungus)
Re: Unauthorized Cancel Messages (Mok-Kong Shen)
Re: Impossible Differentials of TC5 (James Felling)
Re: The quick brown fox... (Paul Howard)
Re: Looking for a DES or RSA chip with write-only key. ("David C. Barber")
Re: BBS agreement? (Mok-Kong Shen)
Re: Crypto Related Professional Attitude (Mok-Kong Shen)
Re: Looking for a DES or RSA chip with write-only key. ("Eric Braeden")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Looking for password statistical data
Date: Tue, 15 Aug 2000 20:12:41 GMT
Anders Thulin <[EMAIL PROTECTED]> wrote:
> As to password-by-dice, assuming full disclosure of
> password file: 8 digits in the range 1-6 can be tested in
> short order -- a 233 MHz PII computer manages around 3000 guesses/second,
> I believe, and that's slow these days. There will probably be some kind of
> word dictionary attacks done before anyone tries password-by-dice,
> but even so, I expect them to be tried fairly early in the process,
> especially as they cover a search sub-space.
It, of course, depends on the algorithm, but crypt(3) can be made to
run at about the quoted speed on a midrange Pentium. Needless to say,
knowing a password was entirely digits would substantially reduce the
difficulty of guessing it. ;)
That brings up the real problem with fixed-length passwords. Knowing
the value (or possible values) of a character at any position greatly
reduces the amount of time needed to guess the entire word.
--
Matt Gauthier <[EMAIL PROTECTED]>
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Unauthorized Cancel Messages
Date: Tue, 15 Aug 2000 20:19:06 GMT
Jim <[EMAIL PROTECTED]> wrote:
> Could that be why, on some servers, I don't see my own
> posts? Others do - obviously, because they reply to them,
> but I only see my own posts when someone quotes me!
Every news node will keep articles a different length of time before
expiring them, and every one gets them at a different time, depending
on when they arrive. So it's not unusual to see slightly different
groups at different times.
In your case, however, it may be as simple as Agent assuming you've
already seen your own messages.
--
Matt Gauthier <[EMAIL PROTECTED]>
------------------------------
From: Doug Kuhlman <[EMAIL PROTECTED]>
Subject: Re: BBS agreement?
Date: Tue, 15 Aug 2000 14:53:20 -0500
Mok-Kong Shen wrote:
>
> Doug Kuhlman wrote:
> >
> > Hey all! I'd like to try to bring some of the BBS discussion to some
> > sort of agreed-upon conclusions. I *think* everyone has agreed to the
> > following:
> >
> > 1. Finding a cycle (any length) in BBS allows factoring the modulus
> > 2. Long cycles *do* exist with properly chosen BBS primes
> >
> > These two are a large part of the BBS paper.
> >
> > 3. Short cycles exist
> > 4. The chance of landing on a short cycle is microscopic [1]
> > 5. This chance is so small as to be unimportant in practice
> >
> > I think we have agreed to:
> >
> > 6. Using BBS with no cycle check gives an attacker no advantage in
> > factoring
> >
> > What is not agreed upon is the terminology to be used. This, while
> > important, seems to be the least of our concerns.
>
> Why are you so impatient? Couldn't you wait a little bit
> till the BBS-thread become quiescent??
>
> M. K. Shen
Cause I feel like that thread is spinning out of control (has spun
already?) and I wanted to see if we could find some agreement in a post
that might be read by people who are sick of seeing the OTP and BBS
thread posts....
Doug
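The following is an added example, not code from the thread or from any of its posters. It makes points 2 to 5 of the list above concrete by tabulating the cycle lengths of the BBS map x -> x^2 mod n over every valid seed of two toy moduli: 77 = 7 * 11 (Blum primes, but not special ones) and 1081 = 23 * 47 (special primes, p = 2p1 + 1 with p1 = 2p2 + 1 also prime, which I assume is what "properly chosen" means here). It does not show point 1, the reduction from a known cycle to factoring n; the moduli are of course far too small for anything but illustration.

```python
# Added example, not from the thread: cycle structure of the Blum Blum Shub
# map x -> x^2 mod n on two toy moduli. Everything here is constructed for
# illustration; the moduli are far too small for any real use.
from math import gcd


def cycle_length(seed, n):
    """Iterate x -> x^2 mod n from seed and return (tail, period).

    tail   = steps taken before the sequence first enters its cycle
    period = length of that cycle (the "cycle length" the thread talks about)
    A dict of visited states is enough at toy sizes; a real cycle check
    would use Floyd's or Brent's algorithm in constant memory.
    """
    seen = {}
    x, i = seed % n, 0
    while x not in seen:
        seen[x] = i
        x = (x * x) % n
        i += 1
    return seen[x], i - seen[x]


def period_histogram(n):
    """Map period -> how many seeds in Z_n^* end up on a cycle of that period."""
    hist = {}
    for seed in range(1, n):
        if gcd(seed, n) != 1:          # BBS seeds are chosen coprime to n
            continue
        period = cycle_length(seed, n)[1]
        hist[period] = hist.get(period, 0) + 1
    return hist


def short_cycle_fraction(n, max_period):
    """Fraction of valid seeds whose cycle is no longer than max_period."""
    hist = period_histogram(n)
    total = sum(hist.values())
    short = sum(count for period, count in hist.items() if period <= max_period)
    return short / total


if __name__ == "__main__":
    # 77 = 7 * 11: Blum primes (3 mod 4) but not special primes.
    # 1081 = 23 * 47: special primes, p = 2p1 + 1 with p1 = 2p2 + 1 prime,
    # the kind usually recommended for long BBS periods (my assumption
    # about what "properly chosen" means in the list above).
    for n in (77, 1081):
        print(n, period_histogram(n))
    print("seed 2 mod 77 ->", cycle_length(2, 77))
    print("seed 3 mod 1081 ->", cycle_length(3, 1081))
```

With 77 every seed lands on a cycle of length at most 4; with 1081 most seeds (880 of 1012) reach the maximal period 110 = lcm(10, 11), while the seeds congruent to +-1 modulo either prime fall on cycles of length 1, 10 or 11. Those short cycles are exactly what items 3 and 4 refer to: they exist, but a uniformly chosen seed rarely hits one, and the fraction shrinks rapidly as the primes grow.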
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Not really random numbers
Date: Tue, 15 Aug 2000 15:26:19 -0500
> <snip>
>
> >
> > I must state this. Files of this nature can be manufactured by other PRNGs. They
> > will be manufactured as quickly if not more so, and as securely, if not more so.
> > May I suggest an appropriately tweaked RC4, or BBS for your use. The issue is it
> > will take ~1 hour of operator time to start generating good data with your
> > mechanism, and it will also take more than a bit of time after that to actually
> > generate the numbers. OTOH, it will take 1 minute to set up a good RC4 generator,
> > and it will have generated a reasonable quantity of data (equivalent to your
> > files) in under a half hour. (I think the fact that it takes less of MY time, and
> > is done before OAP/OAR gets started, is a HUGE advantage.) BBS is slower, but
> > substantially more secure. It will probably take 5 minutes of my time to set up,
> > and generate an amount of data sufficient to be useful in several hours. This is
> > speed-wise competitive with your system, and is going to be more secure than
> > your system in general.
> >
> <snip>
>
> > RC4, BBS, and all others when saved to files encrypt just as fast as your method
> > -- the issue for the user is fourfold:
> >
> > 1) how much of my (the user) time do I wish to invest (ideally as little as
> > possible)
> >
> > 2) how much computer time do I wish to invest (ideally as little as possible)
> >
> > 3) how much space on my machine / the remote machine do I want to use for this
> > (ideally as little as possible)
> >
> > 4) how long is key data going to be lurking in an available form in my/remote PC
> > (ideally for as short a period as possible)
> >
> > Versus RC4 you lose on all 4 points.
> > Versus BBS you lose on points 1, 3, 4 and cannot deliver security with an
> > equivalent degree of confidence.
> >
> > You have a second-rate stream cypher -- it is slower than most BLOCK algorithms.
> > I admit that using large "random files" will give a speed enhancement, but they
> > add secondary points of attack to your algorithm, and any other stream cypher,
> > and most block cyphers can do the same trick faster.
>
> I think your confidence level is not warranted.
>
> "is going to be more secure than your system in general." This is
> clearly overreaching.
Does your system have a mathematical proof which indicates that a break of the
system is equivalent to the solution of the QRP problem? Or tying its difficulty of
breaking to the same? If so then feel free to attack BBS, but for well chosen values
BBS has a known minimum level of security, and cannot have "bad keys". Your system
can have bad keys, and has no minimum guaranteed security level. I feel that this
results in a system "more secure in general" than yours.
>
>
> "1) how much of my( the user) time do I wish to invest. " This is
> certainly a (modest) concern. It is answered by asking yourself how
> much more secure is OAP-L3 than other methods.
It is no more secure than any other PRNG. It is less secure than BBS (in general)
and can probably compare to RC4 with a sufficient investment of operator time. OTOH
RC4 is faster, takes less effort to set up properly, and is simpler to use for
equivalent quality random numbers.
> As you should know,
> OAP-L3 uses no mathematical equations in generating random numbers.
Really?
>
> There is no modulo operation, for instance.
None by that name -- but you do output your numbers with discarded values (I believe
any value of 3*255 or higher is discarded in post-processing when you are combining
the three streams) -- if that is not modulo truncation, what is it?
> In other words, there
> are no inherent constraints in the random number generation process.
Please define "constraints" -- I think you constrain your generator in any number of
ways --
>
> With no constraints there is no way to trivialize cracking the
> random number generator.
There are no such known ways of using such versus any other crypto-grade PRNG.
> This may make the additional time worth
> it. Besides, the time need be invested only once since you will be
> able to generate more random numbers than you could ever possibly
> need with very very little additional effort.
>
> "2)how much computer time do I wish to invest?" This point also
> addresses the limited cost of using OAP-L3. You cannot simply look
> at cost. As above you must look at what you are getting for your
> cost. See below.
>
> "3) how much space on my machine/ the remote machine do I want to use
> for this,..." This is a valid cost concern. See below.
>
> "4) How long is key data going to be lurking in an available form in
> my/remote PC." This is valid security concern.
>
> Here is my response to the remaining concerns:
>
> You may be aware that OAP-L3 Version 4.1 / 4.2 is the original
> implementation of the theory / concept. This implementation has
> the cost concerns that you have a legitimate reason to point out.
> And you may not be willing to incur these costs.
>
> My proposed implementation for Version 5.0 is available at
> http://www.ciphile.com from the What's Ahead web page.
>
> Version 5.0 is explained in detail in the files available for
> download by clicking the blue anchors located at the bottom of
> this page: Version 5.0 Tables file and the associated Version
> 5.0 Text file.
>
> Version 5.0 will not require you to generate random number files
> beforehand. Permanent hard drive space will not be required because
> the key / encryption data will be kept on floppy. This pretty much
> dispels #2, #3, & #4.
>
> I addressed #1 initially, above.
>
> Depending on which variation of version 5.0 one uses, the
> encryption time will vary.
>
> Here is a brief description. Full details by clicking the blue
> anchors at the bottom of the What's Ahead web page.
>
> ("E" notation means that a number expressed as 5E6 = 5 x 10^6 or
> 5,000,000.)
>
> With only 2920 data bytes you will be able to generate 9.2E15 random
> numbers from 0 - 255 with a security level equivalent to 2000 bits;
RC4 with a combiner with only 300 data bytes gets security equivalent to 2000+ bits.
>
>
>
> or with only 4600 data bytes you will be able to generate 2.3E17
> random numbers from 0 - 255 with a security level equivalent to
> 10,000 bits;
RC4 with a combiner with only 2000 data bytes gets security greater than 10000 bits.
>
>
> or with only 1,271,000 data bytes (fits on one floppy) you will be
> able to generate 1.3E36 random numbers from 0 - 255 with a security
> level equivalent to 100,000 bits.
Imagine typing in 1271000 random characters. Sound fun to you? It sure does not
sound fun to me.
RC4 with a combiner with only 20000 bytes of data gets security superior to 100000
bits.
>
>
> The Version 5.0 Tables file and the associated Version 5.0 Text file
> describe how this is done.
>
> You don't need to keep the key / encryption data on your computer.
> Keep it on a floppy disk.
Get the floppy stolen and copied. You still have a single point of failure which
compromises the whole system, and which cannot easily be rekeyed.
> Insert it when needed then remove.
>
> Thanks for your consideration.
You just don't get it. Your method is less effective, more difficult, and slower than
other public domain methods. Why should it be used?
------------------------------
From: ronb.cc@usu@edu (Sniggerfardimungus)
Subject: Re: 1-time pad is not secure...
Date: 15 Aug 00 14:05:50 MDT
In article <[EMAIL PROTECTED]>, Tim Tyler <[EMAIL PROTECTED]> writes:
> ``There is a branch of theology that seems to be influencing people
> who don't know the root source of the ideas they hold.''
>
> This looks more like psychoanalysis than memetics to me.
>
> Also, there's no need to patronise me. I'm quite aware of the
> similarities and differences between psychoanalysis and memetics.
Evidently you don't. Psychoanalysis is an application of psychology as a
medicine - i.e., a one-at-a-time subject study. Memetics is a study of how
ideas propagate through a mass. The concepts could not be much more different
without one of them leaving the realm of the human mind.
rOn
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Unauthorized Cancel Messages
Date: Tue, 15 Aug 2000 22:54:08 +0200
Jim wrote:
>
> Could that be why, on some servers, I don't see my own
> posts? Others do - obviously, because they reply to them,
> but I only see my own posts when someone quotes me!
>
> Just some newsgroups on some news-servers.
>
> (Using Free Agent).
Do you use more than one news-server? On the same
news-server I can't imagine that your original post
could arrive later than the follow-up of someone
else. I did on the other hand have experience in
a mailing list where on many occasions (the echo of)
my posts arrived much later than the follow-ups of
others. I never knew the reason why, but I surmise
that it probably has something to do with the management
work of the list owner, the list being a monitored
one.
M. K. Shen
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Impossible Differentials of TC5
Date: Tue, 15 Aug 2000 15:56:51 -0500
tomstd wrote:
> David Eppstein <[EMAIL PROTECTED]> wrote:
> >In article <[EMAIL PROTECTED]>,
> tomstd
> ><[EMAIL PROTECTED]> wrote:
> >
> >> Ok still at some point you must attack the 64/32/16 bit
> >> feistels. I want to know how you do that please.
> >
> >As I understand it, you don't. You just attack the 128-bit
> ones,
> >treating everything else as a black-box F-function.
>
> Technically the F function has a 128 byte (1024 bit) round key
> associated with it. It's not as simple as the round key being
> xor'd in though... I still don't see how the attack works, if
> it does even at all.
>
> Tom
>
> -----------------------------------------------------------
>
> Got questions? Get answers over the phone at Keen.com.
> Up to 100 minutes free!
> http://www.keen.com
As I have not studied TC5 in depth I can't give you an exact recipe for
making this work, but here is the basic thing (in its simplest form).
Given you have an impossible differential, and some
plaintext/cyphertext pairs.
You look at the first pair (p(1),c(1)).
You can, using an impossible differential, eliminate some specific
forms for the key -- (maybe bit 5 cannot be set, or bit 7 xor bit 9 must
be 0, or some hideously complicated relationship cannot exist).
You look at the next pair (p(2),c(2)); this will force different
relationships upon the key.
Once you have exhausted all N such pairs you will have reduced the
effective possible keyspace for the cypher, as it must possess keys that
fit the N such relationships determined by the pairs. Then you
exhaustively search this reduced keyspace.
Mind you, it is possible that the impossible differential attack may not
be highly productive as the N pairs may not exhibit usefully different
relationships, but that's how it is done.
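The following is an added example, not code from the thread or from any of its posters, and it has nothing to do with TC5 itself. It runs the procedure James describes against a toy cipher constructed for the purpose: a 6-round Feistel cipher with an 8-bit block, a bijective 4-bit S-box as the round function, and a 12-bit key (ka, kb, kc) reused as the six round keys. The five-round impossible differential used is the textbook one for Feistel ciphers with a bijective round function: a plaintext difference (a, 0) can never become (0, a). Each ciphertext pair that could only have arisen from that differential under a given last-round-key guess rules that guess out; the survivors define the reduced keyspace, which is then searched exhaustively.

```python
# Added example, not from the thread: the key-elimination procedure described
# above, run against a toy 6-round Feistel cipher (8-bit block, 4-bit halves,
# 12-bit key). Cipher, S-box choice and key schedule are constructed here.

# Bijective 4-bit S-box (the first row of DES S1); any 4-bit permutation works.
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
ROUNDS = 6


def round_keys(key):
    """Toy schedule: the key (ka, kb, kc) is reused as ka, kb, kc, ka, kb, kc."""
    ka, kb, kc = key
    return [ka, kb, kc] * (ROUNDS // 3)


def encrypt(p, key, rounds=ROUNDS):
    """Round i: (L, R) -> (R, L ^ S[R ^ k_i]); the halves swap after every round."""
    l, r = p >> 4, p & 0xF
    for k in round_keys(key)[:rounds]:
        l, r = r, l ^ SBOX[r ^ k]
    return (l << 4) | r


def impossible_differential_holds(key):
    """Check exhaustively that (a, 0) -> (0, a) never occurs over five rounds."""
    return all(encrypt(p, key, 5) ^ encrypt(p ^ (a << 4), key, 5) != a
               for a in range(1, 16) for p in range(256))


def eliminate_last_round_keys(oracle, diffs=range(1, 16)):
    """Return the last-round-key guesses NOT ruled out by any ciphertext pair.

    Why (a, 0) -> (0, a) is impossible over five rounds: writing R_i for the
    right half after round i, R1 ^ R1' = a, so R2 ^ R2' (an S-box output
    difference for a nonzero input difference) is nonzero; ending at (0, a)
    would force R3 ^ R3' = a, i.e. the round-3 S-box mapping that nonzero
    difference to zero, which a bijection cannot do.
    Round 6 computes L6 = R5 and R6 = L5 ^ S[R5 ^ k6], so for a ciphertext
    pair with L6 ^ L6' == a, a guess g satisfying
        R6 ^ R6' ^ S[L6 ^ g] ^ S[L6' ^ g] == 0
    would put the pair on the impossible differential: g cannot be the key.
    """
    alive = set(range(16))
    for a in diffs:
        for p in range(256):
            c1, c2 = oracle(p), oracle(p ^ (a << 4))
            l1, r1, l2, r2 = c1 >> 4, c1 & 0xF, c2 >> 4, c2 & 0xF
            if l1 ^ l2 != a:            # R5 difference is not a: pair says nothing
                continue
            for g in list(alive):
                if r1 ^ r2 ^ SBOX[l1 ^ g] ^ SBOX[l2 ^ g] == 0:
                    alive.discard(g)
    return alive


def recover_key(oracle, known_plaintexts=range(16)):
    """Exhaustively search the reduced keyspace: 256 (ka, kb) x surviving kc."""
    pairs = [(p, oracle(p)) for p in known_plaintexts]
    for kc in sorted(eliminate_last_round_keys(oracle)):
        for ka in range(16):
            for kb in range(16):
                cand = (ka, kb, kc)
                if all(encrypt(p, cand) == c for p, c in pairs):
                    return cand
    return None


if __name__ == "__main__":
    secret = (0x3, 0xA, 0xC)                      # constructed secret key

    def oracle(p):                                # chosen-plaintext access
        return encrypt(p, secret)

    print("surviving kc guesses:", sorted(eliminate_last_round_keys(oracle)))
    print("recovered key:", recover_key(oracle))
```

The true kc can never be eliminated, because the differential really is impossible under the true key; each filtered pair knocks out the wrong guesses for which that pair would have lain on it. That is the "relationships upon the key" step above, here in its simplest shape (a forbidden value of one nibble), and the exhaustive search over the survivors is the final step. The caveat in the last paragraph shows up too: a pair only helps if its ciphertext halves differ by exactly a, so most pairs say nothing and several input differences are tried.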
------------------------------
From: Paul Howard <[EMAIL PROTECTED]>
Subject: Re: The quick brown fox...
Date: Tue, 15 Aug 2000 20:53:01 GMT
How about this, that I saw a while ago in comp.fonts :
New job: fix Mr. Gluck's hazy TV, PDQ!
Exactly 26 letters! (plus punctuation and capitalization)
-- Paul
------------------------------
From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: Re: Looking for a DES or RSA chip with write-only key.
Date: Tue, 15 Aug 2000 14:22:29 -0700
That seems a bit insecure -- sending all your messages with a single key.
Just my $/50.
*David Barber*
"Sniggerfardimungus" <ronb.cc@usu@edu> wrote in message
news:[EMAIL PROTECTED]...
> I'm looking for a DES or RSA chip with one unique quality - I want to be
> able to burn the key into the thing and have it permanent and non-readable...
> in some physical fashion, the key on the chip needs to be inaccessible. Is
> there any IC out there that does this, or am I going to have to go to the
> drawing boards on this one?
>
> rOn (note the email address munging.)
>
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: BBS agreement?
Date: Tue, 15 Aug 2000 23:48:46 +0200
Doug Kuhlman wrote:
>
> Mok-Kong Shen wrote:
> >
> > Doug Kuhlman wrote:
> > >
> > > Hey all! I'd like to try to bring some of the BBS discussion to some
> > > sort of agreed-upon conclusions. I *think* everyone has agreed to the
> > > following:
> > >
> > > 1. Finding a cycle (any length) in BBS allows factoring the modulus
> > > 2. Long cycles *do* exist with properly chosen BBS primes
> > >
> > > These two are a large part of the BBS paper.
> > >
> > > 3. Short cycles exist
> > > 4. The chance of landing on a short cycle is microscopic [1]
> > > 5. This chance is so small as to be unimportant in practice
> > >
> > > I think we have agreed to:
> > >
> > > 6. Using BBS with no cycle check gives an attacker no advantage in
> > > factoring
> > >
> > > What is not agreed upon is the terminology to be used. This, while
> > > important, seems to be the least of our concerns.
> >
> > Why are you so impatient? Couldn't you wait a little bit
> > till the BBS-thread become quiescent??
>
> Cause I feel like that thread is spinning out of control (has spun
> already?) and I wanted to see if we could find some agreement in a post
> that might be read by people who are sick of seeing the OTP and BBS
> thread posts....
If it is spinning out of control, how could you CLAIM that
everybody has come to agree on what you listed above?
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Tue, 15 Aug 2000 23:48:56 +0200
Ichinin wrote:
>
> I do not see this newsgroup as serious, i see it as a
> "playground" if, you all excuse me, for new ideas aka,
> and a place to ask for information.
>
> If i want to read about serious crypto stuff, i'll
> simply order the newest cd from springer. For those
> who want to learn about crypto, i suggest you ignore
> the bickering of the "big shots" (if you people
> pardon my choice of words), read all that is to read
> from them and make up your own mind, since most ideas
> have N-sides.
>
> Example(s):
>
> 1. Most experts here say "Researched Static S-Boxes
> are the best", because they have been taught that.
> As a home researcher myself, having been taught
> nothing, think that "self modifying code" is the best,
> since it is harder to "lock your sights onto", and
> some papers indicate that secret self-generated
> s-boxes is a simple way to thwart differential
> cryptanalysis.
>
> (I cannot tell which Sboxes are in use, you cannot
> know which s-boxes are in use, because to know which
> s-boxes are in use, you need to know the K, and
> since the S-Boxes change, not position, but 100% of
> their contents - this _MAY_ be VERY hard to analyse
> depending on how you implement the S-Box modification
> code.)
>
> 2. Previously, i also asked a question about if the concept
> of randomness could be used to identify a secure output
> sequence of all the crypto components (Keyschedule,
> SBoxes + the rest of the stuff) and if you could use that
> method on different types of data to determine what kind
> of algorithm you'd use for application XYZ.
>
> That idea was ridiculed by someone who clearly didn't
> even understand what the hell i was talking about, and
> someone else thought it was funny, i ask _WHY_?
>
> What it comes down to: We all have different opinions
> and we should all respect them.
Crypto is in some sense a subtle art. As science it is in
my opinion certainly not comparable to mathematics.
That's why certain things are difficult to discuss in
clear-cut terms. It is however not uncommon that elsewhere
there are also non-unique answers. Ask e.g. in CS which is
THE best sorting algorithm.
I agree that a part of the issues you referred to has
probably something to do with the persons taking part
in the discussions, but that's only a part. Very
unfortunately (or fortunately, depending on your view
point), our group is rather heterogeneous, not only in
knowledge background but also in interest, devotion,
motivation, energy, available time and last but not
least in the style of discussion that is deemed to
be appropriate/desirable. This last aspect seems to
be intimately related to what you regard as 'non-
seriousness'. In another thread, I made a proposal
with the goal to ameliorate the matter (from my
personal view point), thus possibly rendering the
output of the group more efficient and interesting
and useful to more people. I fairly doubt at the
current moment, though, that the majority would
favour my idea rather than maintain the status quo,
to which you have given the denotation 'playground'.
(One should observe though, that a REAL playground
does have its essential merit. It offers you (and
everybody) distraction, compensates your daily
stress and improves your health.)
M. K. Shen
------------------------------
From: "Eric Braeden" <[EMAIL PROTECTED]>
Subject: Re: Looking for a DES or RSA chip with write-only key.
Date: Tue, 15 Aug 2000 17:36:32 -0400
Sniggerfardimungus <ronb.cc@usu@edu> wrote in message
news:[EMAIL PROTECTED]...
> I'm looking for a DES or RSA chip with one unique quality - I want to be
> able to burn the key into the thing and have it permanent and non-readable...
> in some physical fashion, the key on the chip needs to be inaccessible. Is
> there any IC out there that does this, or am I going to have to go to the
> drawing boards on this one?
>
> rOn (note the email address munging.)
>
This is very possible. You could use one of the more secure FPGAs and
burn in any key you want. I do not know of a commercial chip that does
this. It would not be cheap. Email me if you want more info on the secure
FPGA route.
Eric
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************