Cryptography-Digest Digest #764, Volume #12 Sun, 24 Sep 00 20:13:00 EDT
Contents:
Re: Software patents are evil. (Jerry Coffin)
Re: Music Industry wants hacking information for cheap (Scott Craver)
LFSR document (Tom St Denis)
[Fwd: Software patents are evil.] (Darren New)
Re: What makes a cipher resistant to Differential Cryptanalysis? (Mok-Kong Shen)
Re: Big CRC polynomials? ("Scott Fluhrer")
Re: What makes a cipher resistant to Differential Cryptanalysis? (Mok-Kong Shen)
Re: Software patents are evil. (Bill Unruh)
Question on biases in random-numbers & decompression (Benjamin Goldberg)
Re: Software patents are evil. ("Paul Pires")
Re: RSA occasional failure? (Mark-Jason Dominus)
Re: New Strong Password-Authentication Software (Thomas Wu)
Re: What makes a cipher resistant to Differential Cryptanalysis? ("Scott Fluhrer")
Re: What makes a cipher resistant to Differential Cryptanalysis? (Tom St Denis)
Re: What makes a cipher resistant to Differential Cryptanalysis? (Tom St Denis)
Re: New Strong Password-Authentication Software (Bill Unruh)
----------------------------------------------------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Software patents are evil.
Date: Sun, 24 Sep 2000 14:36:14 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> One might say this leveling off of innovation is characteristic of a mature
> technology. As software may be maturing we should expect to see a similar
> leveling, since there are now giants upon whose shoulders we may stand.
I quite agree -- in fact I'd go so far as to say that the line
between "maturity" and "stagnation" is a rather thin one. I'd say
that in some commercial products, it's starting to lean more closely
toward stagnation though. Just for example, it seems to me like it's
been quite a while since there were any more than minor, incremental
improvements in any of the most widely-used types of applications
(e.g. word processors or spreadsheets). I doubt anybody's yet
implemented everything that was originally envisioned for VisiCalc...
--
Later,
Jerry.
The Universe is a figment of its own imagination.
------------------------------
From: [EMAIL PROTECTED] (Scott Craver)
Subject: Re: Music Industry wants hacking information for cheap
Date: 24 Sep 2000 20:34:45 GMT
Matthew Skala <[EMAIL PROTECTED]> wrote:
>
>Alice is a bank robber; she knows that Bob, the police officer, has placed
>a surveillance camera in the bank and it's attached to a recording device
>that detects watermarks and refuses to record marked data. So she walks
>into the bank wearing a T-shirt with a watermark printed on it, or perhaps
>puts a video screen playing a watermark pattern in view of the
>camera. The recording device refuses to record it, and so her crime
>doesn't show up on the tape.
Yes, but realistically no watermark detector would ever pick up
a mark after the extremely severe distortion of playing the
content on a video screen back into a camera. Especially
since security cams are not likely to be high quality nor
recording onto DVD recorders.
And if you're planning on introducing a video screen into the bank
lobby, going to the trouble to place it just so and keep from
tilting relative to the camera, well, chewing gum over the lens
is actually cheaper and less conspicuous.
But there _is_ an application of this attack in _fragile_
watermarking! Imagine Kodak places a very breakable invisible
signal in every picture taken by one of their digital cameras
(but just robust enough that it'll survive compression and
color correction.) This way, if someone takes a picture,
pastes Bill Clinton into it, and sells it to the New York Times,
Kodak can check if and where it has been doctored.
The obvious attack on this is to take the initial picture,
doctor it, blow it up on a wall and take a picture of the whole
thing with the camera again.
>Matthew Skala
-S
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: LFSR document
Date: Sun, 24 Sep 2000 20:40:56 GMT
I am hosting the LFSR pdf mentioned earlier at
http://geocities.com/tomstdenis/files/lfsr.pdf
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: [Fwd: Software patents are evil.]
Date: Sun, 24 Sep 2000 20:56:43 GMT
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
"No wonder it tastes funny.
I forgot to put the mint sauce on the tentacles."
Date: Sun, 24 Sep 2000 13:43:24 -0700
From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Software patents are evil.
Bill Unruh wrote:
> ? it is a distraction only for those who hope to hide the fact.
> Arguments about the necessity of supplying incentives to individuals for
> the common good abound. It was for many years considered crucial to
> provide the incentive of monopoly to the phone company in order that
> they spend the huge capital costs necessary to wire up the nation.
Uh, no, actually. The Bell System was already pretty much a monopoly before
their monopoly status was actually acknowledged. Then they got sued under
the Sherman act, and settled in 1934, with the understanding that they could
continue to be a monopoly as long as the government controlled all the
rates. I.e., they were socialized/nationalized.
Oh, and part of that agreement was that everything Bell Labs patented would
be licensed for free.
> That
> argument has been shown to have been seriously flawed.
No. What brought it down was the advancement of technology that no longer
required wiring up the country with copper to make the phones work. Like,
say, microwave towers. Microwave, as in Microwave Communications Inc.
> Throughout the
> last century it was considered crucial to provide the incentive of
> monopoly to the railroads.
Well, yes. Or at least the incentive of eminent domain. I.e., you wouldn't
really have a monopoly if every 160 acres you had to bargain with the next
rancher for a chunk of land to run the rails down.
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
"No wonder it tastes funny.
I forgot to put the mint sauce on the tentacles."
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: What makes a cipher resistant to Differential Cryptanalysis?
Date: Sun, 24 Sep 2000 23:18:21 +0200
Tom St Denis wrote:
>
> Um the attack on blowfish is a differential attack... And it's
> possible to use structural weaknesses against the structures not the
> values. I.e I don't need to know your sbox to attack the algorithm.
>
> Take SAFER for example, change the sboxes with keyed ones and replace
> the 3PHT with something weaker (i.e an incomplete 2PHT or something).
> I could attack that and get your keys...
I was asking for literature for learning about the
attacks, or that you would provide sufficient material
in case you have your personal ones.
M. K. Shen
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Big CRC polynomials?
Date: Sun, 24 Sep 2000 13:48:48 -0700
Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:8ql6dm$pqb$[EMAIL PROTECTED]...
> In article <1Joz5.2051$[EMAIL PROTECTED]>,
> "bubba" <[EMAIL PROTECTED]> wrote:
> > Think of feeding a random bit string to an algorithm that validates a
> > message with a CRC and to an algorithm that validates with a checksum.
> >
> > Bad messages slip through with an equal probability.
> >
> > The CRC became popular in serial data communications where burst errors
> > are much more likely than random errors. This real-world situation is where
> > the CRC has an enormous advantage.
>
> Um are you just a troll or what? When I send a checksum it's much
> easier for the checksum to be faked than a CRC. If you want data
> integrity use a CRC32 or a hash function.
Errr, no. A known CRC is just as trivial to fake as a checksum -- you just
make sure the bits you flip are a multiple of the generator polynomial. If
the attacker has N (where N is the size of the CRC) consecutive bits within
the file that the attacker can set arbitrarily, the attacker can easily
compute what settings those bits need to have to compensate for an arbitrary
change elsewhere in the file (and there will always be such a setting). If
the bits are not consecutive, it's still easy, but the existence of such a
setting is not guaranteed.
And, for that matter, "bubba" is correct -- CRCs are popular when detecting
random burst errors, because they are very good at it -- they can detect any
single burst error of N bits or less. Still, they are worthless against
intelligent attackers...
--
poncho
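[Editor's note, added here and not part of Scott Fluhrer's post: the script below demonstrates the two halves of the argument above in Python. CRC-32 is affine over GF(2), so for equal-length messages crc(a xor b) equals crc(a) xor crc(b) xor crc(all zeros); that predictability is what makes it useless as an integrity check against an adversary, and a keyed MAC (HMAC-SHA256 here) has no such relation. At the same time the degree-32 generator catches every single burst of 32 bits or less, which is exactly what it was built for. The messages and the key are constructed sample values, and the CRC routine is a plain bitwise implementation that matches zlib's check value.]

```python
import hmac
import hashlib
import random

POLY = 0xEDB88320  # CRC-32 (IEEE 802.3) generator, bit-reflected form


def crc32(data: bytes) -> int:
    """Bitwise CRC-32 with init/xorout 0xFFFFFFFF (same values as zlib.crc32)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (POLY if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC is affine over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for equal
    lengths. This is the property that makes a CRC predictable under chosen changes."""
    zeros = bytes(len(a))
    return crc32(xor_bytes(a, b)) == crc32(a) ^ crc32(b) ^ crc32(zeros)


def hmac_is_affine(key: bytes, a: bytes, b: bytes) -> bool:
    """The same relation tested against a keyed MAC; it fails except with
    negligible probability, so modifications cannot be compensated for."""
    def tag(m: bytes) -> int:
        return int.from_bytes(hmac.new(key, m, hashlib.sha256).digest(), "big")
    zeros = bytes(len(a))
    return tag(xor_bytes(a, b)) == tag(a) ^ tag(b) ^ tag(zeros)


def apply_burst(msg: bytes, start_bit: int, pattern: int) -> bytes:
    """XOR an error burst into msg; bit 0 of `pattern` lands on bit `start_bit`
    (bits numbered from the least significant end of the message)."""
    nbits = len(msg) * 8
    m = int.from_bytes(msg, "big")
    e = (pattern << start_bit) & ((1 << nbits) - 1)
    return (m ^ e).to_bytes(len(msg), "big")


def detects_all_bursts(msg: bytes, max_len: int = 32, trials: int = 2, seed: int = 1) -> bool:
    """Check that every burst of length <= max_len (first and last bit set, random
    middle) at every position changes the CRC. A degree-32 generator cannot divide
    x^i * b(x) with deg b < 32 and b(0) = 1, so all such bursts are detected."""
    rng = random.Random(seed)
    nbits = len(msg) * 8
    base = crc32(msg)
    for length in range(1, max_len + 1):
        for start in range(0, nbits - length + 1):
            for _ in range(trials):
                pattern = rng.getrandbits(length) | 1 | (1 << (length - 1))
                if crc32(apply_burst(msg, start, pattern)) == base:
                    return False
    return True


# Constructed sample messages and key (not from the thread).
MSG_A = b"transfer 100 USD"
MSG_B = b"transfer 900 USD"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print("crc32 check value:", hex(crc32(b"123456789")))
    print("CRC affine:", crc_is_affine(MSG_A, MSG_B))
    print("HMAC affine:", hmac_is_affine(KEY, MSG_A, MSG_B))
    print("all bursts <= 32 bits detected:", detects_all_bursts(MSG_A))
```

The burst check is the defender's reason to keep CRCs on links with random noise; the affine check is the reason to put a keyed MAC, not a CRC, in front of anything an adversary can modify.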
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: What makes a cipher resistant to Differential Cryptanalysis?
Date: Sun, 24 Sep 2000 23:29:23 +0200
Tom St Denis wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > I have personally no experience in S-box design. But
> > I suppose one could incorporate some checks to prevent
> > very poor boxes or else simply rely on the fact that
> > the chance of their occurring is very small and there
> > are many rounds of the cipher to compensate for that.
> > One could also let the key to select from a large set
> > of tested S-boxes. There are presumably better ways,
> > but I can't tell for lack of knowledge.
>
> Speaking from an empirical standpoint your idea is very flawed. Almost
> all 3x3 sboxes are ideal (low dp/lp max), most 4x4's are ok, but when
> you get to 8x8 and above most are not ideal. Actually a while ago I
> did stats on them.. I found about 99% of all 8x8's had a LPmax of about
> 34, and a DPmax of 16 or more. In fact I have yet to see a randomly
> generated 8x8 with a LPmax under 28 and a DPmax under 8...
>
> However, why does a low DPmax or LPmax have to equate to the only means
> of security? (Hint: Decorrelation Theory)
Of course one can never expect a randomly generated
S-box to be ideal. One takes the trade-off of having
lower quality against the opponent's knowledge of the
content of high quality fixed S-boxes.
M. K. Shen
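[Editor's note, added here and not part of either poster's message: the DPmax and LPmax figures Tom quotes are the largest entries of an S-box's difference distribution table and linear approximation table. The Python below computes both, using a Walsh-Hadamard transform for the linear side so that 8x8 boxes are cheap, and compares a designed 4x4 box (the PRESENT S-box, which is public) with seeded random permutations. The random boxes are constructed for the demonstration; the counts are raw, so divide by the table size for a probability or a bias, and none of Tom's specific percentages are reproduced or asserted here.]

```python
import random
from typing import Sequence, Tuple


def ddt_max(sbox: Sequence[int]) -> int:
    """Largest entry of the difference distribution table over nonzero input
    differences. DPmax / len(sbox) is the best one-round differential probability."""
    n = len(sbox)
    best = 0
    for din in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        best = max(best, max(counts))
    return best


def lat_max(sbox: Sequence[int]) -> int:
    """Largest |count - n/2| in the linear approximation table, i.e. n times the
    best linear bias. For each output mask b, the Walsh-Hadamard transform of
    (-1)^(b.S(x)) gives, at index a, #{x: a.x = b.S(x)} - #{x: a.x != b.S(x)}."""
    n = len(sbox)
    best = 0
    for bmask in range(1, n):
        # +1 where b.S(x) has even parity, -1 where odd
        w = [1 - 2 * (bin(bmask & sbox[x]).count("1") & 1) for x in range(n)]
        h = 1
        while h < n:  # in-place Walsh-Hadamard butterflies
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    u, v = w[j], w[j + h]
                    w[j], w[j + h] = u + v, u - v
            h *= 2
        # w[a] = 2*count - n, so |count - n/2| = |w[a]| / 2
        best = max(best, max(abs(v) for v in w) // 2)
    return best


def sbox_stats(sbox: Sequence[int]) -> Tuple[int, int]:
    """Return (DPmax, LPmax) as raw counts out of len(sbox)."""
    return ddt_max(sbox), lat_max(sbox)


def random_sbox(bits: int, seed: int) -> list:
    """A random bijective bits x bits S-box (constructed, seeded for reproducibility)."""
    box = list(range(1 << bits))
    random.Random(seed).shuffle(box)
    return box


# PRESENT's 4x4 S-box, a designed 4-bit box, for comparison with random ones.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    for name, box in [("PRESENT 4x4", PRESENT_SBOX),
                      ("random 4x4", random_sbox(4, 1)),
                      ("random 8x8", random_sbox(8, 1))]:
        dp, lp = sbox_stats(box)
        n = len(box)
        print(f"{name}: DPmax={dp} (prob {dp}/{n}), LPmax={lp} (bias {lp}/{n})")
```

Running it over a few seeds is the quickest way to see the point both posters are circling: a random 8x8 permutation lands well above the best achievable counts, so a design that uses random or key-dependent boxes has to get its margin from the number of rounds and the diffusion layer rather than from the boxes themselves.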
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Software patents are evil.
Date: 24 Sep 2000 21:19:03 GMT
In <[EMAIL PROTECTED]> Darren New <[EMAIL PROTECTED]> writes:
>Then you need to read my post again. We were selling the product for three
>years. Then someone else applied for a patent, and it was cheaper to license
>than fight. That, I would say, is broken.
Yes. On the other hand you could also have just kept selling, daring the
other person to take you to court. The problem is that that remedy,
court action, is often worse than the damage, even if successful.
It would be nice if there were a bureaucratic way of challenging a patent
before having to take it to court. I.e., get the patent office to
reconsider.
I have heard of a situation in which a member of a standards body then
went out and got a patent on the protocol discussed in the standards
meeting.
>I think if the only patents that got issued were for actually innovative
>stuff (like RSA, say), then it would certainly be much less painful.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Crossposted-To: comp.compression
Subject: Question on biases in random-numbers & decompression
Date: Sun, 24 Sep 2000 21:26:07 GMT
I've been looking for a way to convert a stream of unbiased random bits
into an unbiased stream of random numbers in an arbitrary range, and I
think I've hit on an idea that hasn't been suggested before:
Take an arithmetic decoder, and initialize it to believe that the
values 0, 1, 2 are equiprobable, and no other values will occur. Then
feed it the stream of random bits. This should result in an unbiased
stream of random numbers in the range 0..2. However, I don't understand
arithmetic decompression well enough to know for certain if this will
work as I've suggested.
Does anyone know if this is right, or close to right? And if it isn't,
is using an arithmetic (de)coder on the right track to get an unbiased
distribution while discarding a minimum amount of random data from the
bit stream?
--
... perfection has been reached not when there is nothing left to
add, but when there is nothing left to take away. (from RFC 1925)
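[Editor's note, added after the post and not part of it: the idea works, and the script below shows why. An arithmetic decoder driven by an equiprobable model over `base` symbols, given fair input bits, is the same thing as reading the bits as the binary expansion of a uniform real in [0,1) and emitting that real's base-`base` digits, which are independent and uniform. The decoder below does this with exact integer arithmetic (a finite-precision range coder would introduce a tiny rounding bias), generalises from 0..2 to any base, and reports how many input bits it spends per output digit; the floor is log2(base), about 1.585 for base 3. The pseudo-random bits are seeded and constructed for the demonstration.]

```python
import math
import random
from typing import Iterable, List, Tuple


def uniform_digits(bits: Iterable[int], base: int = 3) -> List[int]:
    """Exact arithmetic decoder with an equiprobable `base`-symbol model.

    The state is the interval [lo/denom, (lo+width)/denom) of reals consistent with the
    bits read so far, with denom = 2^(bits read). Each bit halves the interval; whenever
    it fits inside one sub-interval [d/base, (d+1)/base), digit d is emitted and the
    interval is stretched back out by a factor of `base`. With fair input bits the
    interval's position is uniform on [0,1), so each emitted digit is uniform on
    0..base-1 and independent of the others.
    """
    lo, width, denom = 0, 1, 1
    out: List[int] = []
    for b in bits:
        denom <<= 1                            # one more bit of precision
        lo = (lo << 1) + (width if b else 0)   # width is unchanged, so the interval halves
        while True:                            # emit every digit that is now determined
            d = (lo * base) // denom
            if (lo + width) * base <= (d + 1) * denom:
                out.append(d)
                lo = lo * base - d * denom
                width *= base
            else:
                break
    return out


def digit_frequencies(num_bits: int, base: int = 3, seed: int = 1234) -> Tuple[List[float], float]:
    """Push num_bits seeded pseudo-random fair bits (constructed input) through the
    decoder; return each digit's relative frequency and the input bits spent per digit."""
    rng = random.Random(seed)
    digits = uniform_digits((rng.getrandbits(1) for _ in range(num_bits)), base)
    counts = [0] * base
    for d in digits:
        counts[d] += 1
    return [c / len(digits) for c in counts], num_bits / len(digits)


if __name__ == "__main__":
    freqs, bits_per_digit = digit_frequencies(30000)
    print("digit frequencies:", [round(f, 3) for f in freqs])
    print(f"bits per digit: {bits_per_digit:.3f} (minimum log2(3) = {math.log2(3):.3f})")
```

Two small sanity checks fall out of the construction: with base 2 the decoder returns the input bits unchanged, and the number of digits emitted after n bits can never exceed n / log2(base), because the interval width is base^k / 2^n and must stay at most 1. The price of exactness is that `lo` and `width` grow with the number of bits consumed; a practical implementation would periodically restart the decoder or accept the small bias of a fixed-precision range coder.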
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Software patents are evil.
Date: Sun, 24 Sep 2000 15:50:46 -0700
Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Paul Pires wrote:
>
> > Twilight zone. I responded below but.....
> >
> > Is it just me or did this Re: post just get lopped off the branch
> > by Usenet? Do you see a new posting from me immediately below
> > this one? or are we still attached to the original thread?
> >
> > Don't laugh, Usenet has been really weird lately.
>
> Replication does seem to be sporadic. Did you notice a 9-point response from
> me a day or so ago?
Nope, I saw folks' responses to it but the post itself was missing for me.
I have been suspecting weird for a couple of weeks ever since Cristiano
flamed me for not responding. Your missing post confirmed it for me.
Paul
>
> >
> >
> > Bill Unruh <[EMAIL PROTECTED]> wrote in message
> > news:Pine.LNX.4.10.10009231520010.7529-
> >
> > <SNIP>
> > >
> > > Please read. prove does not mean "it follows logically and ineluctably
> > > from some premises." A proof is a test of the truth of a statement. That
> > > is what the patent office does. That is what the applicant must do. He
> > > must supply to the patent office all evidence which he knows of which
> > > might invalidate the patent. He must swear that this patent covers new
> > > material. These are all standards of proof. Unfortunately as you point
> > > out patent examiners do not know everything about everything and may
> > > well be convinced when they should not be. That is why bringing some
> > > sort of adversarial role into the patent process might help. Ie, a
> > > patent can be challenged via the patent office by the same process as
> > > the patent was granted.
> >
> > I'll ignore your testy intro. I know what prove means and I even guessed
> > at your usage. But, this idea above actually sounds like a good idea. I'm
> > not being nasty, I think this is neat. One problem: how can you retract,
> > or reduce a patent once granted without due process. Note: a regulatory
> > action is not due process.
> >
> > Maybe combine this with a provisional status. Something like: A patent can be
> > forced back into the review process (1 time only) within 6mos. after granting if
> > certain challenge requirements are met. Have to be pretty stringent or it will be
> > weak to a denial of service by flood attack.
> >
> > Naw, this just won't work. If it is reducible, it is not a patent yet. No one
> > would licence a provisional patent so you might as well not do it.
>
> Disagree. Some potential licensees might be hesitant, but others, who examined the
> patent and found it worthy, would still enter a licensing agreement. The patent
> applicant could easily influence this by offering more favorable terms during the
> probation period, or making license payments conditional upon the completion of the
> probationary period. Thus I doubt the effect would be significant.
>
>
------------------------------
Subject: Re: RSA occasional failure?
From: [EMAIL PROTECTED] (Mark-Jason Dominus)
Date: Sun, 24 Sep 2000 20:48:34 GMT
In article <[EMAIL PROTECTED]>,
Peter Pearson <[EMAIL PROTECTED]> wrote:
>Correct RSA decryption does not require that the plaintext be
>relatively prime to the modulus. I invite you to make a monkey of me
>by finding a counterexample.
Lest anyone waste time doing this, I will mention that I have already
checked every example that has p,q <= 43, x < pq, 3 <= e < 50, and
there are no failures.
Thanks also to the poster in this thread who pointed me at the Chinese
remainder theorem.
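[Editor's note, added after the post and not part of it: the Python below repeats the kind of exhaustive check described above and also spells out the Chinese remainder theorem argument that explains why no counterexample exists. With d = e^-1 mod (p-1)(q-1) we have ed = 1 + k(p-1)(q-1); modulo p, either p divides x (both sides are 0) or Fermat gives x^(ed) = x * (x^(p-1))^(k(q-1)) = x, and likewise modulo q, so CRT gives x^(ed) = x mod pq for every x, coprime to pq or not. The search ranges are parameters; the poster's full range of p,q <= 43 takes several seconds in plain Python.]

```python
from itertools import combinations
from math import gcd
from typing import List, Optional, Tuple


def primes_upto(limit: int) -> List[int]:
    """Simple sieve of Eratosthenes."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def rsa_failures(p: int, q: int, e: int) -> Optional[List[int]]:
    """All x in [0, pq) with (x^e)^d != x mod pq, for textbook d = e^-1 mod (p-1)(q-1).
    Returns None when e is not a valid public exponent for this modulus."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return None
    d = pow(e, -1, phi)
    return [x for x in range(n) if pow(pow(x, e, n), d, n) != x]


def search(max_prime: int, e_max: int) -> List[Tuple[int, int, int, List[int]]]:
    """Exhaustive check over distinct primes p < q <= max_prime and 3 <= e < e_max;
    an empty list means every message round-trips for every valid exponent."""
    bad = []
    for p, q in combinations(primes_upto(max_prime), 2):
        for e in range(3, e_max):
            fails = rsa_failures(p, q, e)
            if fails:
                bad.append((p, q, e, fails))
    return bad


def crt_argument(p: int, q: int, e: int, x: int) -> bool:
    """Verify x^(ed) == x separately modulo p and modulo q (the two Fermat cases),
    then modulo pq, which is what the Chinese remainder theorem guarantees."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    for r in (p, q):
        if pow(x, e * d, r) != x % r:
            return False
    return pow(x, e * d, n) == x % n


def non_coprime_messages(p: int, q: int) -> List[int]:
    """The x < pq that share a factor with pq: p + q - 1 of them (0 counted once).
    These are the messages the original worry was about."""
    n = p * q
    return [x for x in range(n) if gcd(x, n) != 1]


if __name__ == "__main__":
    print("failures for p,q <= 43, 3 <= e < 50:", search(43, 50))
    print("x=10 with p=5, q=11, e=3 (10 shares factor 5):", crt_argument(5, 11, 3, 10))
    print("non-coprime messages for n=55:", non_coprime_messages(5, 11))
```

The practical caveat is the one the proof makes visible: correctness never depended on gcd(x, n) = 1, but a message that does share a factor with n reveals that factor to anyone who computes gcd(x, n), so real RSA padding schemes never let such messages occur by design rather than by luck.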
------------------------------
From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: New Strong Password-Authentication Software
Date: 24 Sep 2000 16:24:22 -0700
[EMAIL PROTECTED] (Bill Unruh) writes:
> In <[EMAIL PROTECTED]> Thomas Wu <[EMAIL PROTECTED]> writes:
> ]anymore. The relatively small differences between these protocols is
> ]swamped by the enormous difference between strong password protocols
> ]in general and the broken authentication protocols that still plague
> ]security software today.
>
> Agreed. The problem of course is that one person using a password
> protocol is not enough. He needs people to talk to, and he needs the
> protocol to be available on all the systems he is liable to use. ssh is
> getting to that point, despite the fact that it is not ideal as a
> protocol. I.e., what one needs is a standard--de facto or de jure.
> Of course it is not clear how that standard gets implemented.
I've heard this referred to as the "network effect" - the usefulness
of some things grows along with its popularity. One of the reasons I
used the Telnet authentication framework for the SRP distribution was
its ability to accommodate different client-server authentication methods
and interoperate cleanly with different implementations. This type of
engineering forethought is something that's just starting to happen with
the various ssh protocols/implementations/vendors/keytypes. Personally,
I'm still hoping that the weak ssh auth types die their well-deserved
deaths and get replaced by the current SRP auth method in SSH, or
something equally strong and unencumbered. Just my two cents worth...
--
Tom Wu * finger -l [EMAIL PROTECTED] for PGP key *
E-mail: [EMAIL PROTECTED] "Those who would give up their freedoms in
Phone: (650) 723-1565 exchange for security deserve neither."
http://www-cs-students.stanford.edu/~tjw/ http://srp.stanford.edu/srp/
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: What makes a cipher resistant to Differential Cryptanalysis?
Date: Sun, 24 Sep 2000 16:08:25 -0700
Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> "David C. Barber" wrote:
> >
> > DES, for example is considered resistant to Differential Cryptanalysis,
> > particularly in its selection of S-boxes. What about them, or any cipher,
> > makes it DF resistant?
>
> I believe that one good way is to arrange to have the
> S-boxes of the cipher be all different and to have
> them either key-dependent or fixed but having their
> ordering dependent on the key. I'd like to know references
> to analysis results for such situations, if any.
>
Well, it's not a general attack, but one cipher with key dependent s-boxes
that fell to DC would be Mercy (presented at FSE 2000 by Paul Crowley). The
reference would be:
http://cluefactory.cluefactory.org.uk/paul/mercy/
BTW: I'd be skeptical of a cipher that relied on key-dependent ordering of
s-boxes to be resistant to DC. Unless it used a lot of sboxes, I'd think
the attacker would be able to guess the ordering, and attack based on that
guess. If the sboxes aren't resistant enough without the guess, I wouldn't
think that that extra work would really make the difference...
--
poncho
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: What makes a cipher resistant to Differential Cryptanalysis?
Date: Sun, 24 Sep 2000 23:30:04 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Tom St Denis wrote:
> >
>
> > Um the attack on blowfish is a differential attack... And it's
> > possible to use structural weaknesses against the structures not the
> > values. I.e I don't need to know your sbox to attack the algorithm.
> >
> > Take SAFER for example, change the sboxes with keyed ones and replace
> > the 3PHT with something weaker (i.e an incomplete 2PHT or something).
> > I could attack that and get your keys...
>
> I was asking for literature for learning about the
> attacks or you would provide sufficient material
> in case you have your personal ones.
Sure two good papers both by Serge Vaudenay
"On Weak Keys in Blowfish"
and
"On the need for multipermutations"
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: What makes a cipher resistant to Differential Cryptanalysis?
Date: Sun, 24 Sep 2000 23:31:50 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Tom St Denis wrote:
> >
> > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > > I have personally no experience in S-box design. But
> > > I suppose one could incorporate some checks to prevent
> > > very poor boxes or else simply rely on the fact that
> > > the chance of their occurring is very small and there
> > > are many rounds of the cipher to compensate for that.
> > > One could also let the key to select from a large set
> > > of tested S-boxes. There are presumably better ways,
> > > but I can't tell for lack of knowledge.
> >
> > Speaking from an empirical standpoint your idea is very flawed. Almost
> > all 3x3 sboxes are ideal (low dp/lp max), most 4x4's are ok, but when
> > you get to 8x8 and above most are not ideal. Actually a while ago I
> > did stats on them.. I found about 99% of all 8x8's had a LPmax of about
> > 34, and a DPmax of 16 or more. In fact I have yet to see a randomly
> > generated 8x8 with a LPmax under 28 and a DPmax under 8...
> >
> > However, why does a low DPmax or LPmax have to equate to the only means
> > of security? (Hint: Decorrelation Theory)
>
> Of course one can never expect a randomly generated
> S-box to be ideal. One takes the trade-off of having
> lower quality against the opponent's knowledge of the
> content of high quality fixed S-boxes.
My point is that given a proper design random sboxes are almost always
ok.
Take a CAST variant... take a 4x4 MDS and four random 8x8 sboxes...
that cipher will most likely be secure (given say 16 rounds) from all
forms of statistical attacks because the diffusion is balanced and
sufficient confusion is given by the 8x8's. Now replace the MDS with a
2PHT, the cipher could be weak against say truncated differentials...
Tom
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: New Strong Password-Authentication Software
Date: 25 Sep 2000 00:05:40 GMT
In <[EMAIL PROTECTED]> Thomas Wu <[EMAIL PROTECTED]> writes:
>the various ssh protocols/implementations/vendors/keytypes. Personally,
>I'm still hoping that the weak ssh auth types die their well-deserved
>deaths and get replaced by the current SRP auth method in SSH, or
>something equally strong and unencumbered. Just my two cents worth...
You once mentioned an implementation of ssh which incorporated srp, but
I have not been able to find it again-- I thought you said freessh, but
cannot find a web site for it.
Thanks
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************