Cryptography-Digest Digest #541, Volume #12      Sat, 26 Aug 00 11:13:01 EDT

Contents:
  Re: cryptlib (Matt Johnston)
  Re: PGP 6.5.8 test: That's NOT enough !!! (Keith)
  Re: Serious PGP v5 & v6 bug! ("gleu")
  Re: Bytes, octets, chars, and characters ("David Thompson")
  Re: Best way! ([EMAIL PROTECTED])
  Re: PRNG Test Theory ([EMAIL PROTECTED])
  Re: Serious PGP v5 & v6 bug! (Keith)
  Re: Best way! ("Big Boy Barry")
  Quake III Arena authentication (Mathew Hendry)
  Re: stegonographic overuse (John Savard)
  Re: You _DONT_ want a quantum computer. (John Savard)
  Re: Best way! ([EMAIL PROTECTED])
  Re: Best way! ([EMAIL PROTECTED])
  Re: PGP 6.5.8 test: That's NOT enough !!! ("Michel Bouissou")
  Re: PROMIS-software for worldwide spy network by US/Isreal (Timothy M. Metzinger)

----------------------------------------------------------------------------

From: Matt Johnston <[EMAIL PROTECTED]>
Subject: Re: cryptlib
Reply-To: [EMAIL PROTECTED]
Date: Sat, 26 Aug 2000 20:29:57 +0800

Rémi FOREST wrote:

> Does anyone here use cryptlib
> (http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ ) for programming ?
> How secure is it ?

I haven't actually used it, but I believe that it has a fairly good 
reputation, as does the author.

Matt Johnston.

------------------------------

From: Keith <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP 6.5.8 test: That's NOT enough !!!
Date: Sat, 26 Aug 2000 05:56:32 -0700
Reply-To: "Keith" <[EMAIL PROTECTED]>

=====BEGIN PGP SIGNED MESSAGE=====


On Sat, 26 Aug 2000 12:49:17 +0200, Michel Bouissou 
 <8o87bf$p7m$[EMAIL PROTECTED]> wrote:

>Where previous versions would show this key as having an ADK, and use
>the forged ADK, the "fixed" PGP 6.5.8 shows the forged key as being a
>normal, valid key, without any ADK.

There is no way for PGP to detect a forged key. That is what a signature and
trust values are for. As long as PGP removes and/or doesn't recognize the
forged ADK on a tampered key, which will lead to the encryption of a file or
message to the forged ADK, then that is the proper action. 



=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: pgp keys available at http://strongsignals.com/pgpkeys.txt

iQEVAwUBOae+QHbKVHAo46vlAQEXhQgAsz6jNjGzBYeaT4Bpu+h1M3kgeHepXFfk
n86dx+j54MTiUj6y0fkgmtT2CR5Ev/hdqpLlDOdpOD3IoSJ3jFN1P2kZJWepdr+a
Aj4i1NVvwfrt5OFMtxlPtCr3GXv6e6JiGsTcoIeq5RmFm16BFHh2Zldryv5qfL+R
9HxWtMzoWPq5DZbg6+ZflaprV+VsnpPeWkObcFwryq/ZgrS8eXMrAFsQE7YoNJQB
5JgB2TXJSLp/tklR3blToA1XjSefbfZwJZ2YJfoq/n+jm1xC1sb+hSwrxiJS6RlK
u8qgTzkZenIUSXudLk3szp+JG/Cp5gBZaYmGarNpK5VwbplFi+1dBA==
=8L4/
=====END PGP SIGNATURE=====

-- 
Best Regards,

Keith
=============================================================================
Where do you discover free software for Windows? Strongsignals DOT COM is a 
great place to start: http://Strongsignals.com   "If a man hasn't discovered
something that he will die for, he isn't fit to live." --Martin Luther King, Jr
============================================================================

------------------------------

From: "gleu" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Sat, 26 Aug 2000 13:57:36 +0100


Ralf Muschall <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Ron B. <[EMAIL PROTECTED]> writes:
>
> > as the perfect employee.  If Jane has a heart attack, has a fatal
> > accident or for other reasons beyond her control is not available to
> > decrypt important data, the company may have legitimate reasons to
>
> Then it should be simple to ask the sender to resend the message,
> encrypted with Jane's successor's (or chief's) public key. In this
> situation, the sender has full power to decide who may read his
> messages, not some third person not authorized by him.
>
And what about the not-so-perfect employee whom the company decides to sack
and the company still wishes to have access to the employee's messages/data
... because they are relevant and legitimately belong to the company?

>
> Remember that pgp is not for encrypting locally stored data, like
> backups etc. (symmetric methods are better for this purpose), but only
> for the safe *transport* of messages.
>
> Ralf



------------------------------

From: "David Thompson" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c,alt.folklore.computers
Subject: Re: Bytes, octets, chars, and characters
Date: Sat, 26 Aug 2000 13:03:44 GMT

John Savard <[EMAIL PROTECTED]> wrote :
...
> However, in the past, it had been customary to refer to a six-bit area
> in a computer's memory, where such an area was the span of memory
> occupied by a character of a text, as a character.
>
Not necessarily six bits.  It is usual to refer to the storage for one
(fixed-length) character code as a character, yes, of course,
and six bits is enough for one (Roman) alphabet, (decimal) digits,
and modest punctuation and specials (e.g. BCDIC).

> The term byte did not come into general use until computers stored
> characters in 8-bit areas.
>
I don't think so.  The PDP-8 had 6-bit bytes (often but
not always used for characters) by 1966, which is
close to the first S/360, which AFAIK was the first
*widespread* machine using and addressing an 8-bit byte.
The PDP-10 (and -6?) at very nearly the same time,
as others have already said, had variable bytes,
most commonly 6, 7, 9.

What is true is that since S/360, and then Intel and other
microprocessors, 8-bit bytes have become the "normal" case,
as has byte addressability (sometimes with restrictions).

> The term 'octet' is a technical term, mainly found in international
> standards for ASCII.
>
In formal (often international) standards, yes.
ASCII is not an international standard, although there are several
for character codes based on and intentionally similar to ASCII.

But "octet" is used much more in communications standards,
especially modems and networking.  Including Internet RFCs,
at least the early ones written before people started believing
IBM etc. brainwashing, although it is arguable whether these
are "formal" standards, and whether they were "international"
when written although they have become so.  (Note that the
*implementation* of a comms standard, e.g. man sockets,
is entirely justified in talking about bytes in memory *of the
local platform* which correspond to octets "on the wire".)

> ... To refer to the storage elements of an IBM 1401 as other
> than characters would be confusing, and not in accord with the
> historical usage. No one is likely to be inclined to call them either
> bytes or septets.
>
True, since in those days the term "byte", if used at all,
was meant to emphasize a sub-addressable unit.

> Variable-length characters might be found on external media, and might
> appear in data streams going to and from devices such as printers and
> modems, but typically characters in such a form would be converted to
> a uniform-length form for use in memory, to permit manipulation.
>
I'm not sure "typically".  UTF-8 seems to be fairly popular, as were
other escape/shift methods in the past.  "... preferably ... to permit
_easy_ manipulation" I could agree with.

--
- David.Thompson 1 now at worldnet.att.net

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Best way!
Date: Sat, 26 Aug 2000 13:07:24 GMT

In article <7zEp5.19300$[EMAIL PROTECTED]>,
  "Big Boy Barry" <[EMAIL PROTECTED]> wrote:
> Hello,
>
>     What is the best way to send encrypted email. Encrypted email that
> cannot be cracked by any means. I know for sure that PGP is not
> secure. So please give me the best way to send encrypted email. Thank you.
>
>

How do you know PGP is insecure?

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Sat, 26 Aug 2000 13:05:53 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> [EMAIL PROTECTED] wrote:
> >
> > Since any PRNG test can tell when a stream of bits is empirically
> > random, that should suggest that any PRNG test can be turned into a
> > PRNG itself.
>
> To my humble knowledge such a test tells you (with respect to
> a certain 'pattern' and at a certain confidence level) whether
> non-randomness is likely to be there, nothing more. Passing
> a multitude of different tests of extensive outputs from a
> source enhances the expectation that the source approximates
> well a really random one so that the opponent very likely may
> not be able to know how to exploit any weakness that is not
> yet detected by you.
>
> Your claim that any PRNG test can be turned into a PRNG is
> not understandable for me, especially when several tests
> are considered. Take for example the frequency test and
> the serial test (at lag 1). Could you please elaborate on
> your idea in some concrete manner with a good example
> of generation of a number of successive bits? (Even for a
> single test you have yourself shown the difficulty, if I
> don't err. You want the resulting output to pass all tests
> being considered simultaneously, don't you?)

What you have is "state" where you make each possible output in the
next step.  Then you test to see which is "more" random.  The one that
is will be outputted and added to the state.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
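Tom's construction above, written out as an added example (it is not code from either poster): the state is extended with each candidate bit, each candidate is scored with the frequency test and the lag-1 serial test that Mok-Kong Shen named, and the candidate that scores "more random" (lower chi-square) is emitted and appended to the state. The scoring and tie-break rule are my assumptions, since the post does not fix them. Running it shows the property a reviewer would check first: the next bit is a deterministic function of the state already visible, so whoever has seen the output so far can compute everything that follows.

```python
def frequency_score(bits):
    """Chi-square of the 0/1 counts; 0.0 means perfectly balanced."""
    n = len(bits)
    if n == 0:
        return 0.0
    ones = sum(bits)
    expected = n / 2
    return ((ones - expected) ** 2 + ((n - ones) - expected) ** 2) / expected


def serial_score(bits):
    """Chi-square of the overlapping lag-1 pairs 00, 01, 10, 11; 0.0 means balanced."""
    if len(bits) < 2:
        return 0.0
    counts = [0, 0, 0, 0]
    for a, b in zip(bits, bits[1:]):
        counts[2 * a + b] += 1
    expected = (len(bits) - 1) / 4
    return sum((c - expected) ** 2 for c in counts) / expected


def combined_score(bits):
    """Lower is 'more random' under the two tests being applied simultaneously."""
    return frequency_score(bits) + serial_score(bits)


def next_bit(state):
    """Try both possible next bits and keep the better-scoring one (assumed tie-break: 0)."""
    score0 = combined_score(state + [0])
    score1 = combined_score(state + [1])
    return 0 if score0 <= score1 else 1


def generate(state, n):
    """Emit n bits, appending each chosen bit to the state as the post describes."""
    state = list(state)
    out = []
    for _ in range(n):
        bit = next_bit(state)
        out.append(bit)
        state.append(bit)
    return out


def predict_remaining(observed, n):
    """An observer who has seen `observed` applies the same rule to obtain the next n bits."""
    return generate(observed, n)


if __name__ == "__main__":
    stream = generate([], 64)
    print("".join(str(b) for b in stream))
    seen, rest = stream[:32], stream[32:]
    # The tail is fully predictable from the head: there is no secret in the rule.
    print("predicted tail matches:", predict_remaining(seen, 32) == rest)
```

Because both tests are satisfied by a very regular sequence, the output also carries no entropy beyond whatever was in the initial state; passing the tests used to build it says nothing about unpredictability.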

------------------------------

From: Keith <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: Sat, 26 Aug 2000 06:23:14 -0700
Reply-To: "Keith" <[EMAIL PROTECTED]>

=====BEGIN PGP SIGNED MESSAGE=====

On 25 Aug 2000 01:52:42 +0200, Ralf Muschall 
 <[EMAIL PROTECTED]> wrote:

>Remember that pgp is not for encrypting locally stored data, like
>backups etc. (symmetric methods are better for this purpose), but only
>for the safe *transport* of messages.

I disagree with this statement about PGP. PGP can be used for any purpose to
protect data on a computer. Some of the things that PGP can help protect:

1. Any file on a computer system.
2. PGP detached signatures can be used to protect files from being tampered
   with by letting a user know if a file has been modified. Simply opening a
   directory viewing program and double-clicking filename.exe.sig will let you
   know if an executable has been changed, for example.
3. Of course PGP can be used to protect email and any attachments.

BTW, if you are the same person that discovered the ADK exploit, thanks for 
the terrific work and I'm sure you will receive a just reward from the 
computer science field.



=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: pgp keys available at http://strongsignals.com/pgpkeys.txt

iQEVAwUBOafEmXbKVHAo46vlAQGVhgf+LaZr3KUpzIBtwjNZ00gjt94ODPGU3w3b
SPPuTwp2FdJBXpgvYSBq5R2IrqyizbymjW3LDablbJxs6OK3wYqYnYBuawX2upms
7sLpD1XWvyhIF+CG8gAzHIwIXUWV2Ay5c4b79a6DBiacfkzpfC5DkaNVI7M+rfv+
HBR929WDvXgJoaIkortqmvlybtZBP3pnP5KZ4n9lDPJ6/tbAT8QW1wUtEhkXg0d7
ejP0eL0ahBHEYdSHmiO8vLxEqAs85IoGnA1MXXEm9T4gA2IYS7pN4iTieQUwl8C/
cO4uwwjjjnfGmrE3HtFyLPKppuqBAAVBFx57y5ar/N8K3tqA3fc2pQ==
=HgeF
=====END PGP SIGNATURE=====

-- 
Best Regards,

Keith
=============================================================================
Where do you discover free software for Windows? Strongsignals DOT COM is a 
great place to start: http://Strongsignals.com   "If a man hasn't discovered
something that he will die for, he isn't fit to live." --Martin Luther King, Jr
============================================================================

------------------------------

From: "Big Boy Barry" <[EMAIL PROTECTED]>
Subject: Re: Best way!
Date: Sat, 26 Aug 2000 13:25:10 GMT

I have read several articles outlining that the government can crack PGP.
There is no way of denying that. Even if it was rumors, I wouldn't want to
base all my encryption on rumors. So I am better off using other means of
encryption other than PGP.

Still nobody answered my question. What is the best way to send encrypted
email? You know I can't build a quantum computer! Thanks...



<[EMAIL PROTECTED]> wrote in message news:8o8fe4$f5u$[EMAIL PROTECTED]...
> In article <7zEp5.19300$[EMAIL PROTECTED]>,
>   "Big Boy Barry" <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> >     What is the best way to send encrypted email. Encrypted email that
> > cannot be cracked by any means. I know for sure that PGP is not
> secure. So
> > please give me the best way to send encrypted email. Thank you.
> >
> >
>
> How do you know PGP is insecure?
>
> Tom
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



------------------------------

From: Mathew Hendry <[EMAIL PROTECTED]>
Subject: Quake III Arena authentication
Date: Sat, 26 Aug 2000 14:45:14 +0100

Anyone have any details on the authentication scheme used by Quake III Arena?

There are three parties involved: game client, game server, and authentication
server. The game client is issued with a CD key, which is transmitted (in some
form) to the game server when an online multiplayer game is started. The game
server forwards it to the authentication server (run by the game's publisher),
which tells the game server if the client should be allowed to connect.

What I'm wondering is, what method is used to prevent a modified game server
(anyone could set one up) gaining access to the plaintext CD key, and operating
as a "key harvester". Some small details released by Id Software suggest DES is
used at some stage. Any further pointers?

-- Mat.


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: stegonographic overuse
Date: Sat, 26 Aug 2000 13:41:38 GMT

On Sat, 26 Aug 2000 11:49:27 GMT, [EMAIL PROTECTED] wrote, in
part:
>Detonate <[EMAIL PROTECTED]> wrote:

>> embedding an encrypted message into a gif file is fine and all, but if
>> somebody was eavesdropping on my email and i was repeatedly sending gifs,

>Yes, no, maybe? Sending large amounts of jpegs may simply indicate
>that you and your friends are going to go blind at an early age. ;)

Just recently, I was in a computer book store, looking to see if
Secrets and Lies was in yet, and I broke down and bought a book (by
Artech House: "Information Hiding") on steganography.

Before that, I would have commented that sending _.GIF_ files instead
of _.JPG_ files would indeed be suspicious - and the former format,
being lossless, lends itself to steganography. And this is true,
because the simpler methods work most easily this way.

Although I had heard of watermark methods claimed to work on .jpg
images, I have now learned more about the methods that work with this
format: actually adding the hidden information to the image after
compression is possible, for example.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: You _DONT_ want a quantum computer.
Date: Sat, 26 Aug 2000 13:43:02 GMT

On Sat, 26 Aug 2000 18:42:17 +0800, "Detonate" <[EMAIL PROTECTED]>
wrote, in part:

>_NONE_ of your games will work. (!)

What's wrong with owning two computers? Maybe the new generation of
games with better graphics available in the future time when these
become accessible will _require_ a quantum computer!

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Best way!
Date: Sat, 26 Aug 2000 14:01:29 GMT

In article <WyPp5.181559$[EMAIL PROTECTED]>,
  "Big Boy Barry" <[EMAIL PROTECTED]> wrote:
> I have read several articles outlining that the government can crack
> PGP. There is no way of denying that. Even if it was rumors, I wouldn't
> want to base all my encryption on rumors. So I am better off using
> other means of encryption other than PGP.
>
> Still nobody answered my question. What is the best way to send
> encrypted email? You know I can't build a quantum computer! Thanks...

Obviously you have no clue what you are talking about.

PGP is still secure iff you do not share your keys indirectly.  Or if
you use PGP 2.6.2.

You can always try the Entrust package or GnuPG, or write your own.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Best way!
Date: Sat, 26 Aug 2000 14:12:28 GMT

In article <8o8iji$i97$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Obviously you have no clue what you are talking about.
>
> PGP is still secure iff you do not share your keys indirectly.  Or if
> you use PGP 2.6.2.
>
> You can always try the Entrust package or GnuPG, or write your own.
>

You are the one who misunderstands the flaw in the PGP key packet
specification. Even if you take all the precautions possible against
someone attaching an ADK to your public key and use PGP 2.6.2, somebody
else might not be so careful when they are sending a message to you.
They could have obtained your public key and checked the key
fingerprint and signature: doing either would not have detected the
presence of an ADK without special effort. BTW, if you have to share
keys directly, why are you using a PKCS? The flaw in PGP is real, and
presents a potential DoS, if not a practical security risk. Which is
not to say that the encryption used in PGP is not necessarily strong,
but the weakest link in a cryptosystem is usually the protocol or
implementation.

It's not iff, just if. Sharing keys directly is not a sufficient
condition for the secure use of PGP. Your advice to the OP to write his
or her own security package is just wrong.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Michel Bouissou" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP 6.5.8 test: That's NOT enough !!!
Date: Sat, 26 Aug 2000 16:30:03 +0200

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

"Keith" <[EMAIL PROTECTED]> wrote in message news:
[EMAIL PROTECTED]
>
> There is no way for PGP to detect a forged key. That is what a
> signature and trust values are for. As long as PGP removes and/or
> doesn't recognize the forged ADK on a tampered key, which will lead
> to the encryption of a file or message to the forged ADK, then that
> is the proper action.

You're wrong.

An ADK should NEVER sit outside of the hashed part of the
self-signature.

An ADK sitting in the non-hashed part clearly indicates that this ADK
has been forged, and PGP *SHOULD* blow sirens when such a situation
occurs.

[EMAIL PROTECTED]

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Corrigez le bug PGP ADK. Installez PGP 6.5.8 ou plus recent.

iQA/AwUBOafGW47YarFcK+6PEQL8/gCgziGyjPrAgXW2jTzb25kZaSY4IrgAniiK
m3qMC/TkmjkeqQtWQwCuhmdO
=A5Bc
=====END PGP SIGNATURE=====
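
The preceding two posts (the Deja.com reply noting that checking a key's fingerprint and signature does not reveal an ADK, and Michel Bouissou's point that an ADK must never sit outside the hashed part of the self-signature) describe a check an OpenPGP client can make. The following is an added example, not code from either poster nor from PGP: it splits the body of an OpenPGP v4 signature packet into its hashed and unhashed subpacket areas (packet layout as in RFC 2440) and reports any ADK-type subpacket found in the unhashed area, which the key owner's signature does not cover. It assumes the ADK subpacket uses type number 10 (the value RFC 2440 lists as a placeholder; treated here as an assumption about PGP's assignment) and builds constructed sample packets rather than parsing a real key.

```python
import struct

# Assumption (not stated in the posts): PGP's Additional Decryption Key
# subpacket uses signature-subpacket type 10.
ADK_SUBPACKET_TYPE = 10
SUBPACKET_CREATION_TIME = 2   # RFC 2440 signature creation time
SUBPACKET_ISSUER = 16         # RFC 2440 issuer key ID


def _read_length(buf, pos):
    """Decode an RFC 2440 subpacket length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(area):
    """Return [(type, critical, data), ...] for one subpacket area."""
    result, pos = [], 0
    while pos < len(area):
        length, pos = _read_length(area, pos)      # length covers the type octet + data
        if length == 0 or pos + length > len(area):
            raise ValueError("malformed subpacket at offset %d" % pos)
        tag = area[pos]                             # high bit of the type octet = critical flag
        result.append((tag & 0x7F, bool(tag & 0x80), bytes(area[pos + 1:pos + length])))
        pos += length
    return result


def parse_v4_signature(body):
    """Split a v4 signature packet body into (hashed, unhashed) subpacket lists."""
    if body[0] != 4:
        raise ValueError("only version 4 signature packets are handled")
    pos = 4                                         # version, sig type, pk alg, hash alg
    (hashed_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    hashed = parse_subpackets(body[pos:pos + hashed_len])
    pos += hashed_len
    (unhashed_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    unhashed = parse_subpackets(body[pos:pos + unhashed_len])
    return hashed, unhashed


def find_adk_problems(body):
    """Warnings for ADK subpackets the self-signature does not cover (the unhashed area)."""
    _hashed, unhashed = parse_v4_signature(body)
    return ["ADK subpacket outside the hashed area (not signed by the key owner): %s" % data.hex()
            for sub_type, _critical, data in unhashed if sub_type == ADK_SUBPACKET_TYPE]


# --- helpers that build constructed sample packets ---------------------------
def build_subpacket(sub_type, data, critical=False):
    body = bytes([sub_type | (0x80 if critical else 0)]) + data
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return length + body


def build_v4_signature_body(hashed, unhashed):
    """Constructed v4 self-signature body: header, both areas, dummy hash prefix, MPIs omitted."""
    h, u = b"".join(hashed), b"".join(unhashed)
    return (bytes([4, 0x13, 1, 2]) + struct.pack(">H", len(h)) + h
            + struct.pack(">H", len(u)) + u + b"\x00\x00")


# Constructed sample values; none of these are real keys, key IDs or fingerprints.
FAKE_ADK_DATA = bytes([0x80, 17]) + bytes(range(20))   # class, algorithm, 20-byte "fingerprint"
CREATION = build_subpacket(SUBPACKET_CREATION_TIME, b"\x39\xa7\x00\x00")
ISSUER = build_subpacket(SUBPACKET_ISSUER, b"\x01\x23\x45\x67\x89\xab\xcd\xef")

# The key owner added the ADK: it sits in the hashed area, covered by the self-signature.
LEGIT_SAMPLE = build_v4_signature_body(
    hashed=[CREATION, build_subpacket(ADK_SUBPACKET_TYPE, FAKE_ADK_DATA, critical=True)],
    unhashed=[ISSUER])

# Someone else appended the ADK to the unhashed area: the signature still verifies.
FORGED_SAMPLE = build_v4_signature_body(
    hashed=[CREATION],
    unhashed=[ISSUER, build_subpacket(ADK_SUBPACKET_TYPE, FAKE_ADK_DATA, critical=True)])

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_SAMPLE), ("forged", FORGED_SAMPLE)):
        print(name, find_adk_problems(sample) or "no ADK outside the hashed area")
```

The point the check makes concrete: signature verification covers only the hashed area, so a fingerprint or signature check passes on both samples, and only the area in which the subpacket appears tells the two apart.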




------------------------------

From: [EMAIL PROTECTED] (Timothy M. Metzinger)
Date: 26 Aug 2000 14:31:45 GMT
Subject: Re: PROMIS-software for worldwide spy network by US/Isreal

In article <NCBp5.663$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Mike
Andrews) writes:

>It's worse than that! What was a computer that handled Top Secret
>data doing connected to _ANY_ sort of external network -- even 
>the Public Switched Telephone Network? It makes no sense at all.

That should read ESPECIALLY the PSTN!

There are, of course, local and wide area networks certified to handle Top
Secret (and more closely held) information.

Of course, many writers wouldn't recognize an encryptor, so perhaps the
information is misleading.


Timothy Metzinger
Commercial Pilot - ASMEL - IA   AOPA Project Pilot Mentor
'98 M20J - N1067W
Pipers, Cessnas, Tampicos, Tobagos, and Trinidads at FDK


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************