Cryptography-Digest Digest #613, Volume #12       Tue, 5 Sep 00 00:13:01 EDT

Contents:
  Re: Capability of memorizing passwords (Mok-Kong Shen)
  Re: Serpent S-boxes (again) (Mok-Kong Shen)
  Re: more on that neat prime generator (Mok-Kong Shen)
  Re: Steganography vs. Security through Obscurity (Mok-Kong Shen)
  Re: RSA Patent. (Paul Rubin)
  Re: security warning -- "www.etradebank.com" ("Harvey Rook")
  Re: RSA Patent. (S. T. L.)
  R: R: R: R: R: R: R: Test on pseudorandom number generator. ("Cristiano")
  Re: RSA public exponent (DJohn37050)
  Re: RSA Patent. (DJohn37050)
  Re: Suggestion ("Kristopher Johnson")
  Re: QKD and The Space Shuttle (Markus Mehring)
  Re: Serpent S-boxes (again) (Mack)
  Re: 4x4 s-boxes (Mack)
  Re: 96-bit LFSR needed (Mack)
  Re: Extending RC4 to 16 bits (Guy Macon)
  Re: Serpent S-boxes (again) (Gregory G Rose)
  Re: Steganography vs. Security through Obscurity (Guy Macon)

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Capability of memorizing passwords
Date: Tue, 05 Sep 2000 00:27:49 +0200



Runu Knips wrote:
> 
> Mok-Kong Shen wrote:
> > It is often said that it is difficult for people to
> > memorize random passwords (commonly 8 characters). I am
> > very surprised to read in a magazine that the record of
> > memorizing a bit sequence, given a time of 30 minutes, is
> > 2745 bits! So brain's capability of processing random
> > stuffs doesn't seem to be too bad after all.
> 
> But even recent versions of, say, Linux, don't offer
> more than 8-character-long passwords! So what is the
> use of remembering longer passwords ?!?!? :-(((

You misunderstood me. I meant that there should be no
problem for people to remember a password of 8 characters
that are random. 

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Serpent S-boxes (again)
Date: Tue, 05 Sep 2000 00:27:30 +0200



Mack wrote:
> 
> This tends to be the problem with documentation in general.
> The same person (group) produces the product and the
> documentation.  The net effect being that certain basic
> definitions are assumed. However these definitions
> are seldom universal.  The problem is not limited to
> ciphers it is a problem with documentation in general.

I don't agree with that. For a good cipher it is not
sufficient that anyone can do an implementation and is
sure of conformity with anyone else's implementation. It is
ALSO essential that the rationales of every part can be
understood by those who care to know. If, taking the
example of the present issue, the authors had during
their design time some concrete design criteria for the
S-Boxes, isn't it quite trivial to put these onto paper?
(To avoid making the proper document too thick, one could
issue a supplementary document explaining the rationales.
See e.g. the programming language ADA.) For ciphers
that are to be 'universally' used like AES, in view of
the security problems (freedom from backdoors etc.), the
possibility (by the public) of obtaining a proper and
complete understanding is absolutely indispensable in my
humble view. For, in the other case, there is something
mysterious, secret and hence suspicious, which is one
of the very typical characteristics of snake-oil,
unfortunately!

M. K. Shen
========================
http://home.t-online.de/home/mok-kong.shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: more on that neat prime generator
Date: Tue, 05 Sep 2000 00:27:57 +0200



[EMAIL PROTECTED] wrote:
> 
>   Bob Silverman <[EMAIL PROTECTED]> wrote:
> >   [EMAIL PROTECTED] wrote:
> > >   Bob Silverman <[EMAIL PROTECTED]> wrote:
> > > >   [EMAIL PROTECTED] wrote:
> > > > > I was thinking, you could start lower, making 128-bit primes
> with
> > my
> > > > > method
> > > >
> > > > "My" method?  How strange of you to claim ownership of something
> > > > that is well known and has been so for some time.
> > > >
> > > > Might I suggest you do a literature search?  Look up "Maurer"
> > > > and "Shawe-Taylor".
> > >
> > > And you talk to us about useless junk posts?  What a hypocrite.
> >
> > Exactly what is useless about pointing out that your claim of
> > ownership of these methods is bogus and that they are well known?
> >
> > You did say "my" method.
> 
> Oh I am so sorry great math lord, your heinous.  I meant "my method I
> am talking about".  Not "my" method.  Geez I got the idea from Applied
> Crypto anyways!

As a third party in this discussion, I must say that
your choice of the word 'my' was at least very unfortunate.
For, in the context of your posts in this thread and
in a previous thread, one is quite likely (in fact quite
naturally) to interpret that 'my' to mean ownership. Perhaps
'the method I described' instead of 'my method' would have
been a bit better.

May I ask you to avoid in future stuff that belongs to
the category of 'personal' matters (including criticizing
the low knowledge level of some apparent beginners who
post to the group)? Please help our group to
have a good atmosphere of scientific and objective
discussions and to be free of personal quarrels. Thanks.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography vs. Security through Obscurity
Date: Tue, 05 Sep 2000 00:29:35 +0200



Guy Macon wrote:
> 

> Point a camera at the PC and record the keystrokes.
> Police do this sort of thing all of the time.

That applies the same for accessing a web page as
for accessing a newsgroup, I suppose.

> I am not talking about "zeroknowledge or whatever".
> I am talking about the system described at
> http://www.zeroknowledge.com/
> which most assuredly does not leave such a trace.

I don't know what that 'system' does. But, if anything
electrical in connection with that system goes out from
a cable from, for example, your home, that can be
monitored and registered, I believe.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Crossposted-To: talk.politics.crypto
Subject: Re: RSA Patent.
Date: 4 Sep 2000 22:28:08 GMT

In article <[EMAIL PROTECTED]>,
Rich Wales <[EMAIL PROTECTED]> wrote:
>algorithm before applying for a patent, so that the US government
>couldn't impose a secrecy order on their invention (something that
>almost certainly would have happened if they had applied for a patent
>first).  While the US permits publication of an invention prior to
>filing for a patent, most other countries do not.  Thus, by making
>sure their algorithm would be widely known, they gave up the chance
>to get it patented anywhere except in the US (something which would
>have been problematic anyway if a US secrecy order had happened).

This is a myth.  Adi Shamir at Crypto (conference in Santa Barbara) a
few years ago came right out and said that they weren't thinking about
patents at the time they published.  This was reported in the
newsgroup by none other than David Sternlight who was there and heard
it and was shocked (though it was what the rest of us thought all along).

------------------------------

From: "Harvey Rook" <[EMAIL PROTECTED]>
Subject: Re: security warning -- "www.etradebank.com"
Date: Mon, 4 Sep 2000 17:15:16 -0700

Why is 6 chars unacceptable? We are not talking about a piece of unguarded
data that your opponent has unlimited access to. Consider...

-The accounts lock up after 3 wrong tries.
-Reactivation requires you to call in.
-When you call in you must know some personal information
(SSN/Address/Mother's Maiden Name/Amount of last deposit or withdrawal)
-After you've presented the personal information, you get to pick a new
password, any password you want.
-After reactivation, the account holder is sent a piece of snail mail
informing them of the recent password change.

This policy is not uncommon -- every online bank or brokerage that I have
looked at follows it.

The vulnerability is not a small password space. So, 6 chars is acceptable.

Harvey Rook
[EMAIL PROTECTED]



<[EMAIL PROTECTED]> wrote in message news:8p1587$oru$[EMAIL PROTECTED]...
> I saw one of their commercials on TV so I checked out the site.  They
> only allow passwords *up to* six chars which is totally unacceptable.
>
> Do not use their service.
>
> Tom
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



------------------------------

From: [EMAIL PROTECTED] (S. T. L.)
Date: 05 Sep 2000 00:15:28 GMT
Subject: Re: RSA Patent.

/*The patent expires on 20 September.  Some people, e.g., those who don't
like RSA Security, or patents in general, or have been otherwise
inconvenienced by the RSA patent, are thinking about having a party to
celebrate.*/

Yeah, I made a dinky little (~1000-bit maximum) program that does RSA on TI-92+
calculators, and RSA Security dragged their heels for months in response to a
simple request for permission.  They were talking about signing stuff and
everything; it's a CALCULATOR program, as if that would cost them even $0.01 in
sales.  Screw them, only a couple of weeks left now!

-*---*-------
S.T.L.  My Quotes Page * http://quote.cjb.net * leads to my NEW site.
My upgraded Book Reviews Page: * http://sciencebook.cjb.net *
Optimized pngcrush executable now on my Download page!
Long live pngcrush!  :->

------------------------------

From: "Cristiano" <[EMAIL PROTECTED]>
Subject: R: R: R: R: R: R: R: Test on pseudorandom number generator.
Date: Tue, 5 Sep 2000 02:31:26 +0200


    ERRATA-CORRIGE:

> > >If the bits to hash are 2, 10 or 20 bits of a BBS output I think this is
> > >not a big problem.
> > >If I take more bits I violate the strength of BBS if somebody can examine
> > >the output of BBS. But if I hash its output nobody can learn about BBS.
> > >I don't use the whole BBS state because the result is very bad.
> >
> > Really?  That would be an interesting result.  If BB&S generates a
> > poor sequence when the whole state is used (that is, when treated like
> > a normal statistical RNG), the main effect of the required few-bit
> > sampling may be to hide this situation from analysis.
>
> This is a delicate question. I'll try to expound it.
>
> Only for test purposes, I use a BBS modulus of no more than 32 bits, so that
> x*x will be no more than 64 bits (my compiler can handle 64 bits in an
> efficient way). In my tests I have seen that a small n doesn't affect the
> result (n is big only for security reasons). That is, by using a 512-bit n
> or more the tests give about the same results.

WRONG!! My mistake.

For the BBS generator this only happens with little numbers. With n of about
100-150 bits, only Diehard fails but the other tests pass.
With a modulus of more than 300 bits a BBS generator taken with whole state
seems to be always a good PRBG (obviously not cryptographically secure).

For the FIPS 186 generator, on the contrary, Maurer's test is not very good
(p~1%), Diehard fails badly, the other tests are good.
An interesting thing to observe is that if I calculate the mean of the
sequence taken as bytes, in a "normal" generator it is about 127.5 (as
expected), while if I do the same with the FIPS 186 generator the mean is about
124 (for this reason I said "the bits are not equally distributed" in this
kind of generator mod 2^m-x).

Sorry for my mistake.



------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: RSA public exponent
Date: 05 Sep 2000 01:29:03 GMT

e should be odd, else it is not RSA, it is Rabin.
Don Johnson

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: RSA Patent.
Date: 05 Sep 2000 01:31:11 GMT

You are wrong about RSA not being trademarked, I think.  See RSA Security web
page for more info.
Don Johnson

------------------------------

From: "Kristopher Johnson" <[EMAIL PROTECTED]>
Subject: Re: Suggestion
Date: Tue, 05 Sep 2000 02:10:35 GMT

The idea (I guess) is that if a vendor believes in their product, then they
won't mind publishing an important asset (such as their source code)
encrypted with it.

As another poster suggested, the source code should be available anyway, and
wouldn't be too valuable if the encryption can be cracked.  Maybe a better
demonstration would be to post the CEO's credit-card statements or something
like that.

(I liked it when the leaders of Ambrosia Software promised to eat live bugs
if any bugs were found in their code.)

- Kris


"Runu Knips" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Delanyo Ofori wrote:
> > All encryption vendors should encrypt their source with their product and
> > make it available for download
>
> ???
>
> What's the sense of this suggestion ???



------------------------------

From: Markus Mehring <[EMAIL PROTECTED]>
Crossposted-To: sci.space.shuttle,talk.politics.crypto
Subject: Re: QKD and The Space Shuttle
Date: Mon, 04 Sep 2000 14:58:08 +0200

On Mon, 4 Sep 2000 12:42:21 +1000, "Justin Wigg" <[EMAIL PROTECTED]>
wrote:

>Actually the STS and NSTS (National Space Transportation System) program
>names were dropped in the mid-late 1990s.  The official program name is now
>the "Space Shuttle Program".  How about that?

They've never transported much Space, not to mention National Space, so I
guess that makes sense...

On the other hand... I mean, it doesn't exactly shuttle much either... :o)


CU!     Markus, scnr
-- 
http://www.geocities.com/Area51/Vault/8611/

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: Serpent S-boxes (again)
Date: 05 Sep 2000 02:48:08 GMT

>
>Mack wrote:
>> 
>> This tends to be the problem with documentation in general.
>> The same person (group) produces the product and the
>> documentation.  The net effect being that certain basic
>> definitions are assumed. However these definitions
>> are seldom universal.  The problem is not limited to
>> ciphers it is a problem with documentation in general.
>
>I don't agree with that. For a good cipher it is not
>sufficient that anyone can do an implementation and is
>sure of conformity with anyone else's implementation. It is
>ALSO essential that the rationales of every part can be
>understood by those who care to know. If, taking the
>example of the present issue, the authors had during
>their design time some concrete design criteria for the
>S-Boxes, isn't it quite trivial to put these onto paper?
>(To avoid making the proper document too thick, one could
>issue a supplementary document explaining the rationales.
>See e.g. the programming language ADA.) For ciphers
>that are to be 'universally' used like AES, in view of
>the security problems (freedom from backdoors etc.), the
>possibility (by the public) of obtaining a proper and
>complete understanding is absolutely indispensable in my
>humble view. For, in the other case, there is something
>mysterious, secret and hence suspicious, which is one
>of the very typical characteristics of snake-oil,
>unfortunately!
>

I totally agree with you.  But the problem with
documentation is that what is perfectly clear to
the writer is often totally opaque to the reader.



>M. K. Shen
>------------------------
>http://home.t-online.de/home/mok-kong.shen
>

Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: 4x4 s-boxes
Date: 05 Sep 2000 03:04:51 GMT

>Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>: Terry Ritter wrote:
>
>:> While the FT originally defined "bent," most modern treatments use
>:> the FWT.
>
>: ?  What does the definition of bent function look like in terms
>: of Walsh transforms?
>
>Bent function <-> "All entries in the WT have the same magnitude".
>
>: Is it as simple as the FT version?
>
>It's extremely simple.
>
>:> As far as I know, in modern open cryptography, these concepts
>:> [maximal nonlinearity and uniform Fourier weights] are the same.
>
>: They can't be the same, because the latter defines a bent function
>: but you guys are claiming that bent functions aren't maximally
>: nonlinear.
>
>Only Tom's claiming that AFAICS.  Everyone else appears to be disagreeing.

I believe Tom's claim was that maximally non-linear functions were not
balanced.  As was mine.  I could be wrong about Tom's claim.

My specific claim was that bent functions only exist on equations
of 2*n variables, are not balanced, and are maximally non-linear.  Hence
they cannot produce bijective s-boxes.





>-- 
>__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
> |im |yler  The Mandala Centre   http://mandala.co.uk/  Breast is best.
>


Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: 96-bit LFSR needed
Date: 05 Sep 2000 03:06:33 GMT

>Mack <[EMAIL PROTECTED]> wrote:
>
>[the version currently on Scott's site...]
>
>: The version I have does not have an attribution of
>: authorship.  I thought it came from Scott Nelson's site. [...]
>
>Aha! ;-)  ftp://helsbreth.org/pub/helsbret/random/
>has a more recent version than the one I'm looking at in lfsr_src.zip.
>I was looking at the lfsr_s.c file instead.  Thanks.
>
>: Sounds like the original version used a sieve. [...]
>
>It did.  It practically ground to a halt around 2^64 on my machine.

Glad to be of service.  I hope to find a site soon for some of
my code.

>-- 
>__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
> |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.
>

Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Extending RC4 to 16 bits
Date: 05 Sep 2000 03:14:27 GMT

        
David Hopwood wrote:
>
>Barry Adams wrote:
>
>> The questions are how mathematically sound is the algorithm?
>> Off the top of my head I would think that huge state space would make
>> for a hard-to-decrypt cipher, but will it be well randomized
>> especially with small keys.
>
>No, the state won't be well randomised. I would recommend rethinking
>the key scheduling entirely for a 16-bit RC4.

From a practical standpoint of someone like me who is playing
with RC4 in order to learn, how would I go about changing the
key schedule?  Would starting with a larger key change it?
Should I run the algorithm on random data for a while before
I start encrypting my plaintext?


------------------------------

From: [EMAIL PROTECTED] (Gregory G Rose)
Subject: Re: Serpent S-boxes (again)
Date: 4 Sep 2000 20:19:19 -0700

>>sure of conformity with anyone else's implementation. It is
>>ALSO essential that the rationales of every part can be
>>understood by those who care to know. If, taking the
>>example of the present issue, the authors had during
>>their design time some concrete design criteria for the
>>S-Boxes, isn't it quite trivial to put these onto paper?

I guess I'm confused again. Page 4 of the paper
introducing Serpent-1 (the AES candidate) explains
exactly their criteria, justification, and algorithm for
generating the S-boxes.

It is a pity that they goofed, and one of the
sboxes is only of order 2 and not 3, but it
appears to have been an honest mistake.

I guess this could be considered an example of
"proof by assertion", but, has anyone actually
checked the stated algorithm to see if it does
produce the chosen s-boxes?

Greg.
-- 
Greg Rose                                     INTERNET: [EMAIL PROTECTED]
QUALCOMM Australia        VOICE:  +61-2-9181 4851   FAX: +61-2-9181 5470
Suite 410, Birkenhead Point              http://people.qualcomm.com/ggr/ 
Drummoyne NSW 2047      B5 DF 66 95 89 68 1F C8  EF 29 FA 27 F2 2A 94 8F
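
Added example (my own code, not anything posted by Mack, Tim Tyler or Greg Rose) serving both the 4x4 s-boxes exchange above and the "order" of an S-box's output functions that Greg mentions here: it computes the Walsh spectrum of a Boolean function, tests bent-ness (all |W(a)| equal), balance (W(0) = 0) and nonlinearity, derives the algebraic degree from the ANF, and then runs those checks on every nonzero output combination of a 4x4 permutation, which shows why a bijective S-box cannot have a bent component. The S-box values are Serpent S0 as I recall them from the AES submission and should be treated as an assumption; the checks apply to any bijective 4x4 S-box.

```python
# Added example: Walsh/ANF checks for Boolean functions and 4x4 S-boxes.
# Truth tables are lists of 0/1 indexed by the input x; input bit i is (x >> i) & 1.

def walsh_transform(tt):
    """Walsh spectrum W(a) = sum_x (-1)^(f(x) XOR <a,x>), by the fast WHT."""
    w = [1 - 2 * b for b in tt]                 # encode 0 -> +1, 1 -> -1
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def is_bent(tt):
    """Bent <-> every Walsh coefficient has the same magnitude 2^(n/2)."""
    return len({abs(c) for c in walsh_transform(tt)}) == 1

def is_balanced(tt):
    """Balanced <-> W(0) == 0, i.e. exactly half of the outputs are 1."""
    return walsh_transform(tt)[0] == 0

def nonlinearity(tt):
    """Hamming distance to the nearest affine function: 2^(n-1) - max|W(a)|/2."""
    n = len(tt).bit_length() - 1
    return 2 ** (n - 1) - max(abs(c) for c in walsh_transform(tt)) // 2

def algebraic_degree(tt):
    """Degree ('order') of the algebraic normal form, via the Moebius transform."""
    anf = list(tt)
    h = 1
    while h < len(anf):
        for i in range(0, len(anf), 2 * h):
            for j in range(i, i + h):
                anf[j + h] ^= anf[j]
        h *= 2
    return max((bin(m).count("1") for m in range(len(anf)) if anf[m]), default=0)

def component(sbox, mask):
    """Truth table of the output-bit combination <mask, S(x)> of an S-box."""
    return [bin(sbox[x] & mask).count("1") & 1 for x in range(len(sbox))]

def sbox_profile(sbox):
    """(balanced, bent, nonlinearity, degree) of every nonzero output combination.
    For a permutation every component is balanced, hence never bent (nl < 6)."""
    bits = (len(sbox) - 1).bit_length()
    profile = {}
    for mask in range(1, 1 << bits):
        c = component(sbox, mask)
        profile[mask] = (is_balanced(c), is_bent(c), nonlinearity(c), algebraic_degree(c))
    return profile

# Bent function on 2n = 4 variables: f(x) = x0*x1 XOR x2*x3 (weight 6, so unbalanced).
BENT4 = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(16)]

# A bijective 4x4 S-box: Serpent S0 as I recall it from the AES submission
# (assumption, not taken from this digest); the checks hold for any permutation.
SBOX = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]

if __name__ == "__main__":
    print("bent4:", is_bent(BENT4), is_balanced(BENT4), nonlinearity(BENT4), algebraic_degree(BENT4))
    for mask, (bal, bent, nl, deg) in sbox_profile(SBOX).items():
        print("mask %04b: balanced=%s bent=%s nl=%d deg=%d" % (mask, bal, bent, nl, deg))
```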

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Steganography vs. Security through Obscurity
Date: 05 Sep 2000 03:30:19 GMT

Mok-Kong Shen wrote:
>
>Guy Macon wrote:
>
>> Point a camera at the PC and record the keystrokes.
>> Police do this sort of thing all of the time.
>
>That applies the same for accessing a web page as
>for accessing a newsgroup, I suppose.

You are confusing the detection of who sent a message with
the detection of who received it again.  Newsgroups are for
hiding who received it.  I mentioned the camera in the
context of hiding who sent it.  The police can trace it back
to the Internet Cafe, Library, etc., which right away gives
them the city you are in.  After that, the camera catches you
sending a future message.  Not very secure at all.

>> I am not talking about "zeroknowledge or whatever".
>> I am talking about the system described at
>> http://www.zeroknowledge.com/
>> which most assuredly does not leave such a trace.
>
>I don't know what that 'system' does.

Then go to http://www.zeroknowledge.com/ and find out!
Either that or don't post on the subject.  This is a sci.*
newsgroup.  We are supposed to be presenting informed
opinions.  Posting about something without spending five
minutes following the URL is what they do in talk.*...

> But, if anything electrical in connection with that
> system goes out from a cable from, for example, you
> home, that can be monitored and registered, I believe.

First, they don't know which of the many Zeroknowledge
users sent it.  Even Zeroknowledge doesn't know that.
Second, even if they do know, what goes out of your
home is encrypted.  I assure you that Zeroknowledge
is way more secure than your "post from an Internet
Cafe" idea.




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
