Cryptography-Digest Digest #578, Volume #12      Thu, 31 Aug 00 06:13:00 EDT

Contents:
  Re: QKD and The Space Shuttle (Mok-Kong Shen)
  Re: Idea for creating primes (Mok-Kong Shen)
  Re: Patent, Patent is a nightmare, all software patent shuld not be  (Mok-Kong Shen)
  Re: Patent, Patent is a nightmare, all software patent shuld not be  (Mok-Kong Shen)
  Re: Patent, Patent is a nightmare, all software patent shuld not be  (Mok-Kong Shen)
  Need help would like to learn crypto in regular way if possible formal  (Mohammed 
Anish ND/EHD/EIPS)
  Re: PGP ADK Bug: What we expect from N.A.I. ("Rick Braddam")
  Re: "Warn when encrypting to keys with an ADK" (Phil Harrison)
  Re: PGP 6.5.8 test: That's NOT enough !!! (Phil Harrison)
  Re: PGP 6.5.8 test: That's NOT enough !!! (Ron B.)
  Re: PGP ADK Bug: What we expect from N.A.I. ("Michel Bouissou")
  Re: I need ADK tampered key that PGP will not detect ADK, on it ... ("Michel 
Bouissou")

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.space.shuttle,talk.politics.crypto
Subject: Re: QKD and The Space Shuttle
Date: Thu, 31 Aug 2000 10:28:49 +0200



David A Molnar wrote:
> 
[snip]
> The problem with all of these protocols is that if an adversary can
> replace the random beacon with his own source, all bets are off.
> So some people would *like* to see a satellite in the sky broadcasting
> random bits to the world. There will still be issues with ground-side
> jamming and with authentication of the satellite, though, which are
> not yet fully ironed out (at least not that I've seen).

Isn't the trouble in principle the same with certification
where one needs some trust/belief on a third party, in
other words there is some non-objectivity that can NEVER
be entirely disposed of?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Idea for creating primes
Date: Thu, 31 Aug 2000 10:28:54 +0200



Scott Fluhrer wrote:
> 

> Simple: 2 is a factor of p-1, so start there, at k=(p-1)/2.  And, with that
> k, if g^k mod p is anything other than 1 or -1, we know (Fermat's Little
> Theorem) that p wasn't prime.  Most composites will fail that test, and that
> test is approximately as expensive as running a single iteration of
> Miller-Rabin.

If g^((p-1)/2) mod p is -1 and g^(p-1) mod p is 1, one has
to do further tests as stated in the original post. Eventually
these may fail either because g is the wrong one or because p 
is not prime. Do you happen to have references showing how 
small/big these (non-productive) efforts are (in particular
with respect to an arbitrary p of the sort considered here
which can be prime or composite)? Thanks.

M. K. Shen
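As an added example (not code from either poster), here is the pre-test Scott describes next to a Miller-Rabin test, with a tally over a range of odd numbers of how often the single step g^((p-1)/2) mod p settles the question by itself, and how often a prime p is nonetheless "non-productive" because the chosen g turns out to be a quadratic residue (residue 1 rather than -1). The function names, the choice g = 2 and the deterministic Miller-Rabin base set are this example's own.

```python
# Added example: Euler-criterion pre-test (g^((p-1)/2) mod p must be +1 or -1 when
# p is prime) compared with Miller-Rabin, plus a tally of the wasted work.
# Not from the original posts; names, g = 2 and the base set are this example's choices.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def euler_pretest(p, g):
    """Scott's first step with k = (p-1)/2.

    Returns g^k mod p when it is 1 or p-1 (the only residues a prime p allows
    for gcd(g, p) = 1, by Euler's criterion) and None when it is anything else,
    which already proves p composite without a full Miller-Rabin run.
    """
    if p < 3 or p % 2 == 0:
        return None
    r = pow(g, (p - 1) // 2, p)
    return r if r in (1, p - 1) else None


def miller_rabin(n, bases=SMALL_PRIMES):
    """Deterministic Miller-Rabin: this base set is exact for n < 3.3e24."""
    if n < 2:
        return False
    for b in bases:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # b is a witness: n is composite
    return True


def pretest_statistics(lo, hi, g=2):
    """Tally odd n in [lo, hi): composites the pre-test alone rejects, and primes
    where g^((p-1)/2) == 1 (g is a quadratic residue, so p is prime but this g
    cannot be the generator the original post was after)."""
    stats = {"prime": 0, "prime_g_residue": 0, "composite": 0, "composite_rejected": 0}
    for n in range(lo | 1, hi, 2):
        r = euler_pretest(n, g)
        if miller_rabin(n):
            stats["prime"] += 1
            stats["prime_g_residue"] += int(r == 1)
        else:
            stats["composite"] += 1
            stats["composite_rejected"] += int(r is None)
    return stats


if __name__ == "__main__":
    print(pretest_statistics(3, 100_000))
    # The Carmichael number 561 = 3*11*17 slips past the pre-test (2^280 mod 561 == 1)
    # but not past Miller-Rabin.
    print(euler_pretest(561, 2), miller_rabin(561))
```

Below 1000 the pre-test with g = 2 rejects all but two of the 332 odd composites; the two survivors, 341 and 561, are Euler pseudoprimes to base 2 and are caught by Miller-Rabin. The other cost Shen asks about shows up in prime_g_residue: for roughly half of the primes 2 is a quadratic residue, so the pre-test passes with residue 1 and a search for a generator with that g has to move on.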

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Patent, Patent is a nightmare, all software patent shuld not be 
Date: Thu, 31 Aug 2000 10:29:07 +0200



qun ying wrote:
> 
> There are 2 more patents:
[snip]

Maybe all that is in the end not bad at all. If these 
patents cause PK to be ultimately economically uninteresting
for the users, it will give some genius minds the momentum 
to invent some entirely new direction in cryptography.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Patent, Patent is a nightmare, all software patent shuld not be 
Date: Thu, 31 Aug 2000 10:28:59 +0200



Paul Pires wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote

> > It's probably unlikely but on the other hand also can't be
> > excluded that the firms selling PK products do nothing in
> > the issue and simply pass the fees they'll eventually pay to
> > that patent holder on to the consumers. That would be bad.
> 
> Id say unlikely is mild. "When hell freezes" over is more like it.
> The price a product brings is what the market will bear. If
> they could increase the price without repercussions now, they
> would do it now and pocket the profit without a second thought.
> There is no scenario where the "payee's" are going to take
> this philosophically. This Patent irritates you but it has to have
> every licensee of PK pissing blood. Just this being present is
> going to cost them.
> 
> They are going to see significant costs to evaluate their risk and
> position regardless of any royalty payments they may or may not
> have to make due to this patent.

I can only partially agree with you. The market is however
never 'rational' in my view. (Look at the stock market for 
an extreme example.) If there is some 'cause', that could 
cause a rise in price even much more than what really
corresponds to the actual increase in production cost, 
with all firms acting thereby sort of in cooperation 
rather than in competition. Now the customer who needs a 
certain product has no choice but to accept the higher 
price. I believe that this 'dynamic' is one of the 
reasons that have led to the fact that the world frequently 
experiences inflations but seldom deflations. (At least 
I personally have never known a deflation in my life.)

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Patent, Patent is a nightmare, all software patent shuld not be 
Date: Thu, 31 Aug 2000 10:45:41 +0200



Sundial Services wrote:
> 

> But part of the problem is that so many of the patents that have been
> issued are specious -- nothing more than lawyer-bait -- but nonetheless
> on the books.  For example, IBM patented the idea of using a
> compare-and-swap instruction to modify the header-pointer of a linked
> list!  Now, I read several textbooks, including some OS texts from the
> 1960's, that described exactly the same notion -- many years before the
> patent was issued -- but there it is nonetheless, on the books.  Very
> typical of the noise that is produced when companies feel obligated to
> try to patent "anything and everything" and the patent-examiners can
> hardly be expected to know the difference.
> 
> The patent examiners are, of course, extremely hard-working people who
> have an unbelievable(!) workload ahead of them every single day ... but
> I really do feel that in far too many cases, patent-law as presently
> applied to computer software in the United States causes far more
> pointless lawyering than it does provide real protection.  This is
> certainly not agreeing with the phrase "all software patent should not
> be allowed," but it does agree with "Patent, Patent is a nightmare."
> Right now -- it is!

In another vein, it may be interesting to look at the issue
of patenting human genomes. I personally find it difficult
to know how much politics, economy, ethics, morals,
etc. etc. actually participate in that. Maybe there is hardly any
'justice' in this world. All that is determined by a small
minority and the rest simply 'believes' in them or has
no opportunity to oppose.

M. K. Shen
========================
http://home.t-online.de/home/mok-kong.shen

------------------------------

From: Mohammed Anish ND/EHD/EIPS <[EMAIL PROTECTED]>
Subject: Need help would like to learn crypto in regular way if possible formal 
Date: Thu, 31 Aug 2000 11:01:29 +0200

hi,
   Sorry folks for asking this, I am fascinated by cryptography. It all
started off when I read an article by one Mr Narayanan (if I remember
rightly) in Science Today years back. From then on I wanted to learn
cryptography.
I managed to get a copy of Applied Cryptography (sorry, first I got a
xerox in 96; now I do have a legitimate copy). BTW I am an Indian; that
explains it, both the laxity of intellectual property rights and the
unavailability of books. Then I found MOV (HAC) on the net. The maths in
it is a bit tough.
  I have done my graduation in medical sciences, but my interest in
security and crypto prevented me from getting into practice. I then
started working with different firms in the area of security. In the mean
while I did manage to work in the Indian Institute of Science on Intrusion
Detection Systems for some time under Prof Balakrishnan. As I could not find
much work on crypto, I left the place and joined EHPT on their
security team.
  I would be very happy to pursue my graduate studies in CS in some good
university in the area of security and cryptography. I don't think I am a
bad student. I did manage to top a few exams regionally and nationally.
Could any of you help me in any way to do a regular course in crypto? If
not, would it be possible for any of you to guide me through my journey
into the world of cryptography?
thanks in advance
Anish




------------------------------

From: "Rick Braddam" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP ADK Bug: What we expect from N.A.I.
Date: Thu, 31 Aug 2000 01:45:12 -0500
Reply-To: "Rick Braddam" <[EMAIL PROTECTED]>

Just a couple of opinions:
"David A. Wagner" <[EMAIL PROTECTED]> wrote in message
news:8okbcg$574$[EMAIL PROTECTED]...
> Mark Wooding <[EMAIL PROTECTED]> wrote:
> > I disagree that it's a totally daft feature.
> >
> > There is a definite requirement for an employer to want to recover
> > messages sent to an employee in the course of his or her job if the
> > employee is unable to decrypt messages for some reason (e.g., run over
> > by a bus, disgruntled and left, or whatever).
>
> But for email!?
>
> There is an important distinction between escrowing communications
> and escrowing stored data.  Escrowing communications is rarely sensible.

You don't think that just the presence of an ADK would dissuade employees
from including their employer's proprietary information in outgoing email?
Information such as cost vs price, inventory levels, production rates,
budgets, preparation for patent applications, etc? If an employee did send
such information to unauthorized destinations, the ADK would make
detection and prosecution possible, too.

> Escrowing stored data -- also called "making backups" -- may well make
> a lot of sense for some businesses.

I think of escrowing data as storing it in secure containers like
ScramDisk or PGPDisk. Making a backup would be saving a copy of the secure
container in a second location.

> Compare to what the law-enforcement agencies want: they want escrow
> of communications keys and don't care so much about storage keys.

I think it would be unwise to assume what (some) law enforcement agencies
want based on what they've asked for. They might not ask for that which
they are very sure they have no chance of getting *at the present time*.
It could be very useful to a detective or investigator to be able to open
secure (scramdisk, PGPDisk) containers in hope that they would contain
evidence of criminal transactions.

> That's backwards from what businesses are typically likely to want.
>
> I think I first saw this point raised by Matt Blaze.

I don't like the idea of government escrowed keys, but I think that in a
business environment escrowed keys or an ADK could be essential. For
personal use, I might use an ADK to help secure information I wanted my
heirs to be able to access to enable settling my estate (such as it is). I
would, of course, have other "normal" keys to protect information they
would have no use for if I wanted to keep that information private.

Rick




------------------------------

From: Phil Harrison <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: "Warn when encrypting to keys with an ADK"
Date: Thu, 31 Aug 2000 09:46:10 +0100

In article <[EMAIL PROTECTED]>, Rich
Wales <[EMAIL PROTECTED]> writes
>Phil Harrison wrote:
>
>       > Then they must also get the additional key onto the
>       > keyring of the sender.
>
>I'm curious about this requirement.  In order to get ADK's to work --
>especially in situations where companies want to make them mandatory
>(such as by configuring their mail servers to block incoming or out-
>going encrypted messages that aren't accessible via the company's ADK)
>-- it seems to me that one would want/need PGP to fetch the ADK auto-
>matically from a key server (or, at least, prompt the sender that the
>ADK is needed and ask for permission to go get it).
>
>Do the commercial Windows versions of PGP 5/6 do this?  Or do they
>simply skip over an ADK reference in a recipient's key if the ADK is
>not present in the sender's keyring?  If the ADK is skipped for this
>reason, is the sender notified?
>

They prompt you to fetch the second key (but IIRC you get the option to
skip it). The fixed versions will still do this with legitimate ADK's
but just ignore the forged ones. 

>       > Finally they must hope that the sender does not notice
>       > that there was an ADK there and does not check with the
>       > recipient.
>
>An ADK on what is supposed to be a personal, non-work key should
>definitely be considered suspicious.
>
>Less obvious, I fear, is the situation where an employee's key already
>contains a legitimate ADK reference, but an attacker manages to add a
>second, unauthorized ADK to it.  The addition won't be flagged if the
>sender is using a buggy PGP; he/she will see that an ADK is present,
>but if he/she already knew this (or if the recipient confirms that an
>ADK is in use), the sender might not bother to investigate further.
>
Assuming again that the sender also had the public key for the forged
ADK on their keyring. 

-- 
Phil Harrison

------------------------------

From: Phil Harrison <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP 6.5.8 test: That's NOT enough !!!
Date: Thu, 31 Aug 2000 09:55:40 +0100

In article <8oklam$7oc$[EMAIL PROTECTED]>, Philip Stromer <pstromer@my-
deja.com> writes
>
>I still don't understand the ADK issue; I installed the Hotfix, ran the
>PGPRepair command line utility (it said none of my keys were tampered
>with), so now I'm fully safe once again.  Right...or wrong?
>
The parts that are under your control are safe. You will not be
encrypting to a bogus ADK when you use PGP. However, there is the
possibility that someone could attach a bogus ADK to your public key,
get it on someone else's keyring and intercept messages that are
encrypted to you if that person has not also updated their version of
PGP.

So you need to also make sure that your correspondents are aware of this
bug and get them to make sure they have a legitimate copy of your key.

-- 
Phil Harrison

------------------------------

From: Ron B. <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP 6.5.8 test: That's NOT enough !!!
Date: Thu, 31 Aug 2000 09:33:18 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

On 30 Aug 2000 22:09:54 -0700, [EMAIL PROTECTED] (Rich Wales) wrote:

>Philip Stromer wrote:
>
>       > I still don't understand the ADK issue; I installed the
>       > Hotfix, ran the PGPRepair command line utility (it said
>       > none of my keys were tampered with), so now I'm fully
>       > safe once again.  Right...or wrong?
>
>Fully safe?  No.  Partly safe?  Yes.
>
>There are two sides to the "rogue ADK" problem, namely:
>
>(1) Are you encrypting to rogue ADK's planted on other people's
>    keys?
>
>and
>
>(2) Are other people, encrypting messages intended for you,
>    also encrypting to a rogue ADK planted on your key?
>
>You can deal with the first issue all by yourself -- by making sure
>you're using encryption software which doesn't use unauthorized
>ADK's (or, perhaps, software which doesn't recognize ADK's at all).
>
>You can NOT deal with the second issue all by yourself.  You would
>need to make sure that EVERYONE sending encrypted messages to you is
>using encryption software which won't be fooled by unauthorized
>ADK's. Even if you, yourself, are running a bug-free PGP, you could
>still
>get victimized by the ADK bug if someone else with a buggy PGP sends
>you an encrypted message.
>
>This means, in particular, that even people using encryption
>software that doesn't recognize ADK's at all -- such as PGP 5.0 or
>GnuPG --
>are still vulnerable to the bug if users of susceptible PGP versions
>send them encrypted material.
>
>The only truly foolproof way to avoid the effect of unauthorized
>ADK's -- coming or going -- would seem to be to use a pre-5.0 PGP
>(i.e., one of the 2.6.x versions).  The older (version-3) key packet
>format used by 2.6.x has no provision for ADK information -- legit-
>imate or not -- so no attacker can slip bogus ADK info into your
>key, and so no one can inadvertently copy a message for you to an
>ADK (even if they use a later PGP to encrypt to your 2.6.x key).
>
>You could, of course, carefully analyse each encrypted message you
>receive for unexplained recipient info (which might represent an
>unauthorized ADK).  This is, however, not easy to do -- and even if
>you manage to do it, the best you can hope for is to discover an
>intrusion after at least one message sent to you has been
>compromised.  
>
>Rich Wales         [EMAIL PROTECTED]        
>http://www.webcom.com/richw/ PGP 2.6+ key generated 2000-08-26; all
>previous encryption keys REVOKED. RSA, 2048 bits, ID 0xFDF8FC65,
>print 2A67F410 0C740867 3EF13F41 528512FA  

Not easy to do?  When decrypting a message, PGP shows the keys that
the message is encrypted to.  Even if it is a key not on the ring it
will show "unknown key".  This is automatic. Hardly "not easy to do".

=====BEGIN PGP SIGNATURE=====
Version: PGP 6.5.8

iQA/AwUBOa4l/gzUoy7OvTSOEQKQWgCgzILwSnkWcPJtdBqdqRblBj3S964AoK+J
qJHqaMdP2oXhSRry281I++um
=BJRU
=====END PGP SIGNATURE=====
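The two checks this thread and the "Warn when encrypting to keys with an ADK" thread keep coming back to are both structural questions about OpenPGP packets: which key IDs a message is encrypted to (the list Ron B. says PGP shows at decryption time), and whether an ADK on a key sits in the hashed area of the self-signature, which the signature covers, or in the unhashed area, which anyone can edit. The flaw Ralf Senderek found was exactly that PGP honoured ADK subpackets from the unhashed area. As an added example (not code from any poster, nor from PGP or N.A.I.), here is a minimal RFC 2440 packet walker that performs both checks over a hand-constructed key and message. PGP's ADK subpacket type is 10 (a number RFC 2440 lists only as a placeholder); the layout of its body as class octet, algorithm octet and 20-octet fingerprint is assumed here, as are the placeholder key IDs, fingerprints and MPIs, so only the packet structure of the sample data is real.

```python
# Added example (not from the posts, PGP or N.A.I.): RFC 2440 packet walker that
# (1) lists the key IDs a message is encrypted to and (2) reports in which
# signature area each ADK subpacket on a key sits. Sample key and message are
# constructed by hand with placeholder MPIs; only their structure is meaningful.

SUBPACKET_ADK = 10          # PGP's "additional decryption key" subpacket type
TAG_PKESK, TAG_SIG = 1, 2


def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet, old- or new-format header."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:                               # indeterminate length
                length, hdr = len(data) - pos - 1, 1
            else:
                n = 1 << ltype                           # 1, 2 or 4 length octets
                length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def iter_subpackets(area):
    """Yield (type, critical, body) for each signature subpacket in an area."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + area[pos + 1] + 192, 2
        else:
            length, hdr = int.from_bytes(area[pos + 1:pos + 5], "big"), 5
        body = area[pos + hdr:pos + hdr + length]
        yield body[0] & 0x7F, bool(body[0] & 0x80), body[1:]
        pos += hdr + length


def signature_subpackets(body):
    """(area, type, critical, body) for a v4 signature; v3 signatures have none."""
    if body[0] != 4:
        return []
    hlen = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hlen]
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    unhashed = body[8 + hlen:8 + hlen + ulen]
    return ([("hashed",) + sp for sp in iter_subpackets(hashed)]
            + [("unhashed",) + sp for sp in iter_subpackets(unhashed)])


def message_recipients(msg):
    """Key IDs from every v3 public-key-encrypted session key packet."""
    return [body[1:9].hex().upper()
            for tag, body in iter_packets(msg) if tag == TAG_PKESK and body[0] == 3]


def unexpected_recipients(msg, own_key_ids):
    return [k for k in message_recipients(msg) if k not in own_key_ids]


def audit_adks(key):
    """(area, fingerprint) per ADK subpacket. Only the hashed area is covered by
    the self-signature; an ADK in the unhashed area was not put there by the owner."""
    found = []
    for tag, body in iter_packets(key):
        if tag == TAG_SIG:
            for area, typ, _crit, sub in signature_subpackets(body):
                if typ == SUBPACKET_ADK:
                    found.append((area, sub[-20:].hex()))   # assumed: fingerprint last
    return found


def forged_adks(key):
    return [fp for area, fp in audit_adks(key) if area == "unhashed"]


# --- constructed sample data: old-format headers with one-octet lengths ---
def old_packet(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body


def subpacket(typ, body):
    return bytes([len(body) + 1, typ]) + body


MY_KEY_ID = bytes.fromhex("0123456789ABCDEF")        # placeholder key ID
ROGUE_KEY_ID = bytes.fromhex("FEDCBA9876543210")     # placeholder attacker key ID
LEGIT_ADK_FP, FORGED_ADK_FP = bytes(range(20)), bytes(range(20, 40))
DUMMY_MPI = b"\x00\x08\x01"                          # 8-bit MPI standing in for real values
HASHED = (subpacket(2, b"\x39\xae\x00\x00")                       # creation time
          + subpacket(SUBPACKET_ADK, b"\x80\x11" + LEGIT_ADK_FP))  # owner's own ADK
UNHASHED = (subpacket(16, MY_KEY_ID)                               # issuer key ID
            + subpacket(SUBPACKET_ADK, b"\x80\x11" + FORGED_ADK_FP))  # planted by attacker
SAMPLE_KEY = (old_packet(6, b"\x04\x39\xae\x00\x00\x11" + DUMMY_MPI * 4)   # v4 DSA key
              + old_packet(13, b"Alice <alice@example.org>")
              + old_packet(TAG_SIG, b"\x04\x13\x11\x02"              # v4, pos. cert, DSA, SHA-1
                           + len(HASHED).to_bytes(2, "big") + HASHED
                           + len(UNHASHED).to_bytes(2, "big") + UNHASHED
                           + b"\x00\x00" + DUMMY_MPI * 2))           # left16, r, s placeholders
SAMPLE_MESSAGE = (old_packet(TAG_PKESK, b"\x03" + MY_KEY_ID + b"\x10" + DUMMY_MPI * 2)
                  + old_packet(TAG_PKESK, b"\x03" + ROGUE_KEY_ID + b"\x10" + DUMMY_MPI * 2)
                  + old_packet(9, bytes(16)))                        # encrypted data

if __name__ == "__main__":
    print("encrypted to:", message_recipients(SAMPLE_MESSAGE))
    print("unexpected:", unexpected_recipients(SAMPLE_MESSAGE, {MY_KEY_ID.hex().upper()}))
    print("ADKs:", audit_adks(SAMPLE_KEY), "forged:", forged_adks(SAMPLE_KEY))
```

The recipient check is the one a correspondent with a bug-free PGP still cannot do for you: it runs on the receiving side and can only tell you, after the fact, that a message was also readable by a key you never authorised. The key-side check is the one the fixed versions perform, and the one an attacker who merely re-uploads your key to a key server cannot defeat, because nothing outside the hashed area is protected by the self-signature.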


------------------------------

From: "Michel Bouissou" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP ADK Bug: What we expect from N.A.I.
Date: Thu, 31 Aug 2000 11:38:06 +0200

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

David Hopwood <[EMAIL PROTECTED]> wrote in message:
[EMAIL PROTECTED]
>
> Michel Bouissou wrote:
> > In any case, this "ADK / ARR" feature is a very sensible thing,
>
> You probably meant "sensitive". "Sensible" it definitely isn't!

Yes, sorry for the mistake.

Some folks already notified me of this "translation" error by e-mail.

I'm French and sometimes the exact translation into English is not so
easy ;-)

Well, so I meant "something that is potentially dangerous and one
should be very cautious about".

Best regards.

- --
Michel Bouissou <[EMAIL PROTECTED]> PGP DH/DSS ID 0x5C2BEE8F

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Fix the PGP ADK bug. Install PGP 6.5.8 or later.

iQA/AwUBOa4ZbI7YarFcK+6PEQIZ5wCgyqJU1/JhhH1TBG/A5y1JpVF40xMAoOSz
ykvLeC0pQJ3uYF66mVxBwGN8
=PEBK
=====END PGP SIGNATURE=====




------------------------------

From: "Michel Bouissou" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: I need ADK tampered key that PGP will not detect ADK, on it ...
Date: Thu, 31 Aug 2000 11:51:55 +0200

Rich Wales <[EMAIL PROTECTED]> wrote in message:
[EMAIL PROTECTED]
>
> Even if I, personally, don't have the time or expertise to study and
> evaluate the source myself, having it readily available means other
> people with those skills =will= have an opportunity to study it and
> publicize any flaws they might find.

Even so, the fact that people have the opportunity to review and check
the source code doesn't give any clue whether or not this was actually done
(unless some visible report is published).

The very discovery of the ADK bug by Ralf Senderek proves that:
- Existing bugs in software like PGP may eventually be discovered *someday*
when somebody both competent and motivated takes the time and effort to have
a close look at it;
- But these bugs can still stay unnoticed for years.

Therefore, I conclude that every company that wants to market trustable and
reliable crypto software should:
- Make the source code available for public peer review
- Make the complete documentation about the algorithms, protocols and
formats available
(This, PGP already does and has done for long)

But also:
- Have some INDEPENDENT and well-known experts in the field review the
software and independently publish a report about their findings.

Because this is the only way to demonstrate that the software has
*effectively* been peer-reviewed in a satisfactory manner.

--
Michel Bouissou <[EMAIL PROTECTED]> PGP DH/DSS ID 0x5C2BEE8F




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
