Cryptography-Digest Digest #545, Volume #12      Sat, 26 Aug 00 21:13:01 EDT

Contents:
  Re: Best way! (Wim Lewis)
  Re: PGP bug (Lemon Kairy)
  Re: PRNG Test Theory ([EMAIL PROTECTED])
  Re: Serious PGP v5 & v6 bug! (Ralf Muschall)
  Re: Bytes, chars, and I/O (Mark McIntyre)
  Re: wincrypt.h ("Jeffrey Walton")
  Re: PRNG Test Theory ("Paul Pires")
  Re: 7 mil, how this usage of PGP has been calculated ? (jungle)
  Re: PRNG Test Theory ([EMAIL PROTECTED])
  Re: Test on pseudorandom number generator. ("Paul Pires")
  Re: PRNG Test Theory ("Paul Pires")
  Re: Memory usage ("Jeffrey Walton")
  New Site, Purple/Enigma/Sigaba/Russia Emulators (Charles Petersen)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Wim Lewis)
Subject: Re: Best way!
Date: 26 Aug 2000 22:45:00 GMT

In article <WyPp5.181559$[EMAIL PROTECTED]>,
Big Boy Barry <[EMAIL PROTECTED]> wrote:
>I have read several articles outlining that the government can crack PGP.
>There is no way in denying that. Even if it was rumors, I wouldn't want to
>base all my encryption on rumors. So I am better off using other means of
>encryption other than PGP.

You're basing your encryption on rumors anyway, you know. What makes you
think that what you read here is any more or less reliable than some
random scare piece you didn't fully understand about PGP?

Anyway, PGP (or some other implementation of the same format, such
as GnuPG) is still the most secure thing you're likely to find for
sending email. Understanding key management and the physical security
of your computer is still vital to actual security, though.

-- 
             Wim Lewis * [EMAIL PROTECTED] * Seattle, WA, USA
    PGP 0x27F772C1: 0C 0D 10 D5 FC 73 D1 35  26 46 42 9E DC 6E 0A 88
The netcom address will be unreliable after September. Use the hhhh address.

------------------------------

From: [EMAIL PROTECTED] (Lemon Kairy)
Subject: Re: PGP bug
Date: Sat, 26 Aug 2000 22:48:52 GMT

[EMAIL PROTECTED] wrote:

>A bug has been found in PGP that allows hackers to read
>encrypted messages, the BBC reports.

Do you ever read messages here, or do you just write?
-- 
"Lemon Kairy" is actually 2751 469038 <[EMAIL PROTECTED]>.
 01234 56789 <- Use this key to decode my email address and name.
              Play Five by Five Poker at http://www.5X5poker.com.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Sat, 26 Aug 2000 22:47:16 GMT

In article <JCVp5.6906$[EMAIL PROTECTED]>,
  "Paul Pires" <[EMAIL PROTECTED]> wrote:
>
> <[EMAIL PROTECTED]> wrote in message
> news:8o95ea$6h3$[EMAIL PROTECTED]...
> > In article <6rUp5.6797$[EMAIL PROTECTED]>,
> >   "Paul Pires" <[EMAIL PROTECTED]> wrote:
> > >
> > > Tim Tyler <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > [EMAIL PROTECTED] wrote:
> > > >
> > > > : Since any PRNG test can tell when a stream of bits is empirically random
> > > > : [...]
> > > >
> > > > Hmm.  Personally, I'd have phrased it as: "no PRNG test alone is
> > > > likely to tell you when a stream of bits is empirically random".
> > > >
> > > > If you use every test known to man - and they are all passed - that
> > > > might qualify the resulting stream as "empirically random".
> > > >
> > > > : that should suggest that any PRNG test can be turned into a PRNG
> > > > : itself.
> > > >
> > > > As you mention you might expect - since PRNG tests aren't designed for
> > > > this job - unless you included a whole battery of such tests, the
> > > > results would pass that particular test used well, and fail other ones
> > > > miserably.
> > > >
> > > > I expect using a whole battery of tests would probably result in an
> > > > extremely slow and cumbersome PRNG.
> > >
> > > Yes but there is an interesting question here. Can rejecting non-random
> > > (determined by any means) ever result in random? My knee-jerk reaction
> > > is no but I never thought of it that way before.
> >
> > Which is why I posed it.
> >
> > Let's build a prng with the runs test, poker test, ones/zero test,
> > DNA/OPSO test, birthday test, that given 'n' prior bits will output the
> > better of the two bits.  Technically the output must pass all the tests
> > better than any other output.
>
> Let's make it easy. Let's say that you possess a random evaluation
> oracle, "REO" (just made it up). It perfectly evaluates the provisional
> output for randomness. If its choice conforms to randomness, then there
> is a chance, at each step, that 1's test better, 0's test better, 1 & 0
> are both "good" and 1 & 0 are both putrid. The second or third condition
> halts your process since a choice cannot be made. So you use a coin flip
> to pick.
>
> Question: Why didn't you just use the coin flip in the first place?
>
> My second problem is that any random source when viewed at a certain
> granularity will occasionally pop out some results that look ordered.
> This is natural. If you feed your gizmo truly random input and you
> remove these pieces, aren't you making the output less random?
>
> And last, a certificational weakness. If you feed this gizmo its own
> output, along with the choice not taken at each step, it will never
> choose the choice not taken. Pretty identifiable. You could put in a
> coin flip every once in a while to fix it.
>
> Question: Why didn't you just use the coin flip in the first place?
>
> Just seems to me that it's like trying to make something less
> determinant by adding determination. A feedback loop. In nature, these
> are generally very cyclic and ordered.

Your last sentence will hold from any fixed period prng.

The goal of my idea is to make a prng that passes all tests you send
it.  I suggest that it will most likely not get stuck thinking either
bit is exactly probable (50/50).  Even so it could just default to a 1
or 0 bit output.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Ralf Muschall <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5 & v6 bug!
Date: 26 Aug 2000 21:52:12 +0200

Keith <[EMAIL PROTECTED]> writes:

> I disagree with this statement about PGP. PGP can be used for any purpose to
> protect data on a computer. Some of the things that PGP can help protect:

Yes, it can. But this does not mean that it is the right tool for
these jobs. It has been invented for secure transmission, and the
extension of its usage to encrypting local files caused the
introduction of features which are prone to abuse or bugs.

> 1. Any file on a computer system.

On a local system, (a) symmetric methods are good enough and (b) file system
encryption is better (since it protects swapped data, filenames and
deleted data as well).

> 2. PGP detached signatures can be used to protect files from being tampered

There are two kinds of tampering that need to be protected against:
(a) Transmission errors. CRCs are optimized to detect these (they
    are designed to have a good detection rate for those errors which
    occur often), but generally considered too weak. MD5 hashes
    usually suffice.

(b) Hostile tampering by somebody transmitting the data. Here the
    checksum has to be protected using asymmetric crypto, otherwise
    the attacker could change the data and recompute the hash.

> BTW, if you are the same person that discovered the ADK exploit, thanks for 

I'm not related to anybody in this field. I just think that the whole
ADK stuff is a bad idea, even without bugs (but discussing this would
probably spawn political flamewars).

Ralf

------------------------------

From: Mark McIntyre <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c
Subject: Re: Bytes, chars, and I/O
Date: Sun, 27 Aug 2000 00:07:02 +0100
Reply-To: [EMAIL PROTECTED]

On Fri, 25 Aug 2000 20:44:31 +0100, David Hopwood
<[EMAIL PROTECTED]> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>Kelsey Bjarnason wrote:
>> 
>> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]...
>> > Kelsey Bjarnason wrote:
>> > > We don't.  However, we cannot blithely assume that char "precisely"
>> > > fits a byte ...
>> >
>> > It is not a "blithe assumption".  It is embedded in the use of
>> > those terms in the C standard, which I helped write.

I think you must have dozed during that session then!

>> 6.5.3.4  The sizeof operator
>> 
>>        [#2]  The  sizeof operator yields the size (in bytes) of its
>>        operand, which may be an  expression  or  the  parenthesized
>>        name of a type.  
<snippage>
>> 
>>        [#3] When applied to an operand that has type char, unsigned
>>        char, or signed char, (or a qualified version  thereof)  the
>>        result  is  1.   
<snippage>
>> Nope; neither of those do it.
>
>Yes, they do. The first sentence of #2 and the first sentence of #3
>together imply that "the size of operands of type char, unsigned char,
>or signed char, is 1 byte".

This is an old debate. The quotes from the standard merely ensure that
C compilers must return 1 for sizeof(char). How many bits are in the
object pointed to, the standard does not say. It does say how many are
used tho - CHAR_BITS. The implementation could use 23 bits for a char,
and still return 1, even if CHAR_BITS were 8.

However it's totally moot since sizeof returns 1 which is all that
matters.

>> #2 refers to  the size "in bytes"; if a "byte" on the implementation
>> is 16 bits, but a char 8, the implementation is still free to refer
>> to both as having size 1.
>
>Indeed an 8-bit char can be *represented* as a 16-bit machine byte,
>but the size of a byte as defined in the C spec is still 8 bits in
>that case.

I think not. The C standard does not define a byte, except in abstract
terms. 

>As for implementations where files could not be transferred portably
>between languages, I'm sure that users would complain vociferously.

They do, frequently. Ever tried to transfer data between IBM, Unix and
Intel?

-- 
Mark McIntyre
C- FAQ: http://www.eskimo.com/~scs/C-faq/top.html

------------------------------

Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: wincrypt.h
Date: Sat, 26 Aug 2000 19:14:41 -0400

It shows up in WinError.h of the April 1999 and April 2000 SDKs.

"Kevin Crosbie" <[EMAIL PROTECTED]> wrote in message
news:8nuleu$[EMAIL PROTECTED]...
Does anyone know where I can get the latest wincrypt.h which includes the
function CertGetNameString and identifier: CRYPT_E_UNKNOWN_ALGO

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: PRNG Test Theory
Date: Sat, 26 Aug 2000 16:32:57 -0700


<[EMAIL PROTECTED]> wrote in message
news:8o9hdg$jd3$[EMAIL PROTECTED]...
> In article <JCVp5.6906$[EMAIL PROTECTED]>,
>   "Paul Pires" <[EMAIL PROTECTED]> wrote:
> >
> > <[EMAIL PROTECTED]> wrote in message
> > news:8o95ea$6h3$[EMAIL PROTECTED]...
> > > In article <6rUp5.6797$[EMAIL PROTECTED]>,
> > >   "Paul Pires" <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Tim Tyler <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]...
> > > > > [EMAIL PROTECTED] wrote:
> > > > >
> > > > > : Since any PRNG test can tell when a stream of bits is empirically random
> > > > > : [...]
> > > > >
> > > > > Hmm.  Personally, I'd have phrased it as: "no PRNG test alone is
> > > > > likely to tell you when a stream of bits is empirically random".
> > > > >
> > > > > If you use every test known to man - and they are all passed - that
> > > > > might qualify the resulting stream as "empirically random".
> > > > >
> > > > > : that should suggest that any PRNG test can be turned into a PRNG
> > > > > : itself.
> > > > >
> > > > > As you mention you might expect - since PRNG tests aren't designed for
> > > > > this job - unless you included a whole battery of such tests, the
> > > > > results would pass that particular test used well, and fail other ones
> > > > > miserably.
> > > > >
> > > > > I expect using a whole battery of tests would probably result in an
> > > > > extremely slow and cumbersome PRNG.
> > > >
> > > > Yes but there is an interesting question here. Can rejecting non-random
> > > > (determined by any means) ever result in random? My knee-jerk reaction
> > > > is no but I never thought of it that way before.
> > >
> > > Which is why I posed it.
> > >
> > > Let's build a prng with the runs test, poker test, ones/zero test,
> > > DNA/OPSO test, birthday test, that given 'n' prior bits will output the
> > > better of the two bits.  Technically the output must pass all the tests
> > > better than any other output.
> >
> > Let's make it easy. Let's say that you possess a random evaluation
> > oracle, "REO" (just made it up). It perfectly evaluates the provisional
> > output for randomness. If its choice conforms to randomness, then there
> > is a chance, at each step, that 1's test better, 0's test better, 1 & 0
> > are both "good" and 1 & 0 are both putrid. The second or third condition
> > halts your process since a choice cannot be made. So you use a coin flip
> > to pick.
> >
> > Question: Why didn't you just use the coin flip in the first place?
> >
> > My second problem is that any random source when viewed at a certain
> > granularity will occasionally pop out some results that look ordered.
> > This is natural. If you feed your gizmo truly random input and you
> > remove these pieces, aren't you making the output less random?
> >
> > And last, a certificational weakness. If you feed this gizmo its own
> > output, along with the choice not taken at each step, it will never
> > choose the choice not taken. Pretty identifiable. You could put in a
> > coin flip every once in a while to fix it.
> >
> > Question: Why didn't you just use the coin flip in the first place?
> >
> > Just seems to me that it's like trying to make something less
> > determinant by adding determination. A feedback loop. In nature, these
> > are generally very cyclic and ordered.
>
> Your last sentence will hold from any fixed period prng.

Good point. Closer to my point would be, "Trying to make
something less determinant by basing the control of the
mechanism upon the character of its output" i.e. feedback.
I don't have a problem with determinacy (probably a
requirement for a PRNG) but with the feedback based upon
evaluation notion.

>
> The goal of my idea is to make a prng that passes all tests you send
> it.  I suggest that it will most likely not get stuck thinking either
> bit is exactly probable (50/50).  Even so it could just default to a 1
> or 0 bit output.

You could do that. If it was employed rarely it would
probably be an undetectable bias. If every fourth iteration,
it would be pretty bad. So it seems that it is an issue of
degree and not kind and as such cannot be answered by a
hypothetical discussion.

Code this puppy up and I'll play with it :-)

Thanks for the talk.

Paul
>
> Tom
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.

------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: 7 mil, how this usage of PGP has been calculated ?
Date: Sat, 26 Aug 2000 19:42:16 -0400

I will when I will have his address ...

those who know me have no need of my name wrote:
> 
> <[EMAIL PROTECTED]> divulged:
> 
> >PGP is used by 7 million people worldwide, according to Wallach ...
> >how this usage of PGP has been calculated ?
> 
> perhaps you should be asking wallach.
> 
> my guess is due to download counters, or just plain "marketing statistics."



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: PRNG Test Theory
Date: Sun, 27 Aug 2000 00:12:02 GMT

In article <XvYp5.7662$[EMAIL PROTECTED]>,
  "Paul Pires" <[EMAIL PROTECTED]> wrote:
> You could do that. If it was employed rarely it would
> probably be an undetectable bias. If every fourth iteration,
> it would be pretty bad. So it seems that it is an issue of
> degree and not kind and as such cannot be answered by a
> hypothetical discussion.
>
> Code this puppy up and I'll play with it :-)

Well one problem I can think of is the history.  If you buffer only the
last 'n' bits and 'n' bits of output are known... well you can see
where I am going with this.

What tests should I put in it?  The Fips 140-2 tests?  (I think that's
the #)?  Any references?  I would love to try it out.

> Thanks for the talk.

No prob, it's a neat idea, and a good use of sci.crypt.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
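The generator Tom sketches (emit whichever bit makes the recent output score better on a battery of tests) and the two objections to it, as an added Python toy that is not code from anyone in the thread. It scores a 64-bit window (my assumption) with FIPS 140-2 style monobit and poker statistics, breaks exact ties with a coin flip as Paul suggests, and then shows Tom's "history" problem: an observer who sees the preceding window and knows the public rule reproduces every non-tie output bit, while the same rule guesses a fair coin only half the time.

```python
"""Toy 'PRNG built from PRNG tests': each output bit is whichever candidate
makes the last WINDOW bits score better on monobit and poker statistics.
Also measures how predictable the result is from its own history."""
import random

WINDOW = 64   # bits scored at each step (an assumption of this toy)
TIE = None    # returned when neither candidate bit scores strictly better


def monobit_score(bits):
    """Distance of the ones-count from its expectation n/2; 0 is 'perfect'."""
    return abs(sum(bits) - len(bits) / 2)


def poker_score(bits):
    """Chi-square of the 16 nibble frequencies against uniform; 0 is 'perfect'."""
    groups = len(bits) // 4
    counts = [0] * 16
    for g in range(groups):
        b = bits[4 * g:4 * g + 4]
        counts[(b[0] << 3) | (b[1] << 2) | (b[2] << 1) | b[3]] += 1
    expected = groups / 16
    return sum((c - expected) ** 2 / expected for c in counts)


def score(bits):
    """Lower means 'more random-looking' under these two tests."""
    return monobit_score(bits) + poker_score(bits)


def choose(window):
    """The bit whose appended window scores strictly better, or TIE."""
    s0, s1 = score(window + [0]), score(window + [1])
    if s0 == s1:
        return TIE
    return 0 if s0 < s1 else 1


def generate(seed, n, rng):
    """Extend a WINDOW-1 bit seed by n test-driven bits; ties fall back to rng.
    Returns (full stream including the seed, number of ties)."""
    out, ties = list(seed), 0
    for _ in range(n):
        bit = choose(out[-(WINDOW - 1):])
        if bit is TIE:
            ties += 1
            bit = rng.getrandbits(1)
        out.append(bit)
    return out, ties


def predictable_fraction(stream):
    """Share of non-tie positions (index WINDOW-1 on) where an observer knowing
    only the rule and the preceding WINDOW-1 bits guesses the bit correctly."""
    hits = total = 0
    for i in range(WINDOW - 1, len(stream)):
        guess = choose(stream[i - WINDOW + 1:i])
        if guess is not TIE:
            total += 1
            hits += guess == stream[i]
    return hits / total if total else 0.0


def run_demo(n=2000, seed_value=2000):
    """Compare the test-driven stream with a fair coin of the same length."""
    rng = random.Random(seed_value)            # constructed, fixed seed
    seed = [rng.getrandbits(1) for _ in range(WINDOW - 1)]
    stream, ties = generate(seed, n, rng)
    coin = [rng.getrandbits(1) for _ in range(len(stream))]
    return {"driven": predictable_fraction(stream), "ties": ties,
            "coin": predictable_fraction(coin)}
```

`run_demo()["driven"]` is 1.0 by construction: whatever the test battery, a generator whose next bit is a public function of its last n output bits is fully determined once n bits leak, which is the weakness Tom points at.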

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Test on pseudorandom number generator.
Date: Sat, 26 Aug 2000 17:23:10 -0700


Cristiano <[EMAIL PROTECTED]> wrote in message
news:8o9c7u$oc2$[EMAIL PROTECTED]...
> With my English I don't understand very well your answer.
>
> Diehard is only a (complicated) test, but other tests such as Maurer
> (capable to detect very little defect in the numbers generators) don't
> detect these big differences.

It doesn't work that way. None of these "sophisticated" tests confirm goodness,
they just highlight badness from time to time. You have a problem with one of
the best PRNG tests available. You failed a sanity check on your numbers by an
experienced professional, Douglas Gwyn, address that... or not.

>
> My 40 bits samples (if you want, you can see my reply to Mok-Kong Shen)
> is because I wrote my prog about 1 year ago and my only matter was: if
> with my cryptography program I generate a key of n bytes, what is the
> probability that another user generates the same key?
> Theoretically the answer of Douglas (for n=5, p=91/10^14) is right, but
> in practice? I chose n=5 only for practical reasons (n=6 generates only
> few collisions to compare the several generators, n=4 is not very
> significant as key length).

You are mixing names and requirements. It seems that you are pointing to the
lack of collisions as a benefit of your PRNG. You give the example of using it
to generate keys and point out its statistics as a goodness.

Which is it? A PRNG or a key generation method biased to overcome what problem?
Calling it a PRNG seems to be an oxymoron. A Pseudo (non) Random Number
generator.

If it's the former, it's no good. If it's the latter, why is this behaviour
advantageous and what risk does it address?

>
> Wouldn't XORing one of your data sets with the reference set make a
> result set with a scarcity of consecutive 0 values? If with "reference
> set" you mean the keys generated at step 1, how can I do this?

I'd append your list to itself until it was a hundred times larger and then do
the XOR. Why? I don't know. It just popped out of ....my head. It's something
I'd check.

> The data set is 4*10^9 bits while the reference set is only 1/100 of
> this. Why do you want to try this XORing?

Like I said, I'm learning about the tests in diehard and it sounded like a fun
thing to do. As an exercise, it probably won't have a higher failure rate than
any of the other weird things I do.

I'd like to play with your code and diehard. But I don't want to compile your
source. Do you have an executable that will run under DOS or in a DOS window and
some simple instructions on proper use?

>
> Thank you very much for interest.

No problem, I have tons of it. Want to trade me some intelligence for some of
it?

Paul

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: PRNG Test Theory
Date: Sat, 26 Aug 2000 17:38:58 -0700


<[EMAIL PROTECTED]> wrote in message news:8o9mc8$olp$[EMAIL PROTECTED]...
> In article <XvYp5.7662$[EMAIL PROTECTED]>,
>   "Paul Pires" <[EMAIL PROTECTED]> wrote:
> > You could do that. If it was employed rarely it would
> > probably be an undetectable bias. If every fourth iteration,
> > it would be pretty bad. So it seems that it is an issue of
> > degree and not kind and as such cannot be answered by a
> > hypothetical discussion.
> >
> > Code this puppy up and I'll play with it :-)
>
> Well one problem I can think of is the history.  If you buffer only the
> last 'n' bits and 'n' bits of output are known... well you can see
> where I am going with this.
>
> What tests should I put in it?  The Fips 140-2 tests?  (I think that's
> the #)?  Any references?  I would love to try it out.

Whoa big fella. Give it a couple of days. Mull it around a bit. What's the rush?
Procrastination can be a powerful tool if used properly.

Paul

>
> > Thanks for the talk.
>
> No prob, it's a neat idea, and a good use of sci.crypt.
>
> Tom
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.

------------------------------

Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: Memory usage
Date: Sat, 26 Aug 2000 20:48:53 -0400

Any particular platform in mind?
If Windows, you could allocate for the sboxes from the application heap, and
lock the pages.  Allocation granularity on all Windows platforms is 64KB (so
you'll get 2 OS allocations).  On an x86, the page size is 4KB, so you need
128KB/4KB or 32 pages.  VirtualLock allows you to lock up to 30 without
increasing the working set size.  So, call SetWorkingSetSize to bump up.
Only lock the pages in the "meat and potatoes" of the algorithm, and then
unlock.

<[EMAIL PROTECTED]> wrote in message news:8nsqav$3d7$[EMAIL PROTECTED]...
Is taking 128kb for precomputed-tables for a cipher taboo in the
desktop world?  I want to make a 128-bit cipher using a pair-wise
decorrelation module as the F function, this requires multiplication in
GF(2^64) which can be a pain in the butt.

So I decided to do eight 8x64 sboxes that emulate a GF multiplication
for each round.  I am thinking of eight rounds for the cipher so it
will need 8x8x8x64x256=131072.  The cipher will be very fast (only
eight look ups/xor per round) but require ram.

So is 128kb too much in a desktop world?  My guess is no, but I would
like some opinions...

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
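The table trick behind Tom's "eight 8x64 sboxes" per round, as an added Python example that is not code from the post: multiplication by a fixed element c of GF(2^64) is linear over GF(2), so the 64-bit input splits into eight bytes and x*c is the XOR of eight 256-entry tables of 64-bit words, eight lookups and XORs per round and 8*256*8 = 16 KiB per round constant, or the 131072 bytes Tom arrives at for eight rounds. The reduction polynomial x^64 + x^4 + x^3 + x + 1 and the round constant are my assumptions; the post names neither, and the table/reference agreement holds for any choice.

```python
"""Table-driven multiplication by a constant in GF(2^64): eight 8-bit-in,
64-bit-out tables replace a bitwise carry-less multiply."""

# x^64 + x^4 + x^3 + x + 1 as reduction polynomial (an assumption; the post
# names none).  Only the low terms are stored; the x^64 term is the carry.
REDUCE = (1 << 4) | (1 << 3) | (1 << 1) | 1
MASK64 = (1 << 64) - 1


def gf_mul(a, b):
    """Reference bitwise carry-less multiply of a and b modulo the polynomial."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        carry = a >> 63
        a = (a << 1) & MASK64
        if carry:
            a ^= REDUCE
    return result


def build_tables(c):
    """T[i][v] = (v << 8*i) * c for each byte position i and byte value v."""
    return [[gf_mul(v << (8 * i), c) for v in range(256)] for i in range(8)]


def table_mul(tables, x):
    """x * c via eight lookups and XORs; equals gf_mul(x, c) by linearity."""
    acc = 0
    for i in range(8):
        acc ^= tables[i][(x >> (8 * i)) & 0xFF]
    return acc


def table_bytes(rounds=8, tables_per_round=8, entries=256, word_bytes=8):
    """RAM footprint of the tables; the defaults give the post's 131072 bytes."""
    return rounds * tables_per_round * entries * word_bytes


if __name__ == "__main__":
    C = 0x9E3779B97F4A7C15                       # constructed round constant
    T = build_tables(C)
    for x in (0, 1, 0x0123456789ABCDEF, MASK64):
        assert table_mul(T, x) == gf_mul(x, C)
    print("tables agree with reference multiply;", table_bytes(), "bytes total")
```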



------------------------------

From: Charles Petersen <[EMAIL PROTECTED]>
Subject: New Site, Purple/Enigma/Sigaba/Russia Emulators
Date: Sat, 26 Aug 2000 17:52:55 -0700

I thought you all might like to check out my new site.

http://dev.thinkquest.org/C004911/

It has a simulation and explanations of the cryptography used by the
major powers of World War II.  This includes java applets that emulate
the Purple, Enigma, Sigaba, Russian Espionage Cipher, and a public
domain Bombe.  In addition, there is a public forum reminiscent of
slashdot for discussion of all things cryptological.  Comments welcome,
check it out!

Thanks

Charles Petersen

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
