Cryptography-Digest Digest #792, Volume #12 Thu, 28 Sep 00 19:13:01 EDT
Contents:
From byte to key ! (Frédéric Donnat)
Re: Deadline for AES... (Quisquater)
Re: Deadline for AES... (Bob Silverman)
Re: On block encrpytion processing with intermediate permutations (Bryan Olson)
Re: A New (?) Use for Chi ("Douglas A. Gwyn")
Re: A New (?) Use for Chi ("Douglas A. Gwyn")
Re: RSA and Chinese Reminder Theorem (Roger Schlafly)
Re: Question on biases in random-numbers & decompression ("Douglas A. Gwyn")
Re: Adobe Acrobat -- How Secure? ("David C. Barber")
Re: Deadline for AES... (John Myre)
Re: Why is TwoFish better than Blowfish? (SCOTT19U.ZIP_GUY)
Re: Josh MacDonald's library for adaptive Huffman encoding (SCOTT19U.ZIP_GUY)
Re: Deadline for AES... (Tim Tyler)
Re: A New (?) Use for Chi (John Myre)
Re: Chaos theory (John Myre)
Re: Adobe Acrobat -- How Secure? (Mark Carroll)
On-line Turing test? (John Myre)
Re: Why is TwoFish better than Blowfish? (Tom St Denis)
Re: How to get Certificate content after HTTPS Authentication (Paul Rubin)
Re: Javascript SHA-1 Implementation (Cornelius Sybrandy)
----------------------------------------------------------------------------
From: Frédéric Donnat <[EMAIL PROTECTED]>
Subject: From byte to key !
Date: Thu, 28 Sep 2000 20:17:35 GMT
Hi !
I'm new to cryptography; I'd like to know how you can produce (or
generate) a secret key from a byte array. I wonder this for the RC4
and the DES algorithms.
I know that in DES only 56 bits matter, taken from the 64
bits put in as input. But I don't know if you leave out the 8 least bits or 1 bit
in each 8 bits.
If someone can help me, please, or give me an address where I can find a
solution to my problem.
Best Regards Fred
------------------------------
From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: Deadline for AES...
Date: Thu, 28 Sep 2000 22:31:43 +0200
Mok-Kong Shen wrote:
>
> Volker Hetzer wrote:
> >
> > The program on monday has an entry "AES and Beyond" which starts
> > "The end of the AES development process is now in sight. The
> > algorithm has been selected, and the draft standard is ready
> > for public comment."
> > Does this mean that on oct, 16 latest, the waiting will be over
> > or are the guys from the NISSC just speculating?
>
> I am interested to know how did you arrive at a 'definite'
> latest date of release? Do you have some insider info?
>
> M. K. Shen
Hum! Here is the last announcement at
http://csrc.nist.gov/encryption/aes/index.html#news
September 13, 2000 - NIST is still on track to announce its proposed selection
for the AES in late summer / early fall. HOWEVER, a specific date for the
announcement has NOT been set at this time. When a date has been selected,
it will be indicated here, to give the public as much advance notice as possible.
Still on track? Or track on still?
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Deadline for AES...
Date: Thu, 28 Sep 2000 20:07:01 GMT
In article <[EMAIL PROTECTED]>,
Volker Hetzer <[EMAIL PROTECTED]> wrote:
> Hi!
> Did anyone notice the Announcement of the NISSC?
<snip>
See:
http://csrc.nist.gov/encryption/aes/
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: On block encrpytion processing with intermediate permutations
Date: Thu, 28 Sep 2000 20:21:58 GMT
Mok-Kong Shen wrote:
> I believe there is misunderstanding.
>
> Let me first say something which could indeed turn out
> to be wrong, because I am no expert. As far as I understand,
> differential analysis is commonly not a chosen-plaintext
> attack. It depends on the relatively abundant possibility
> of the opponent picking out pairs of plaintexts that satisfy
> certain fixed differences.
This is what I meant by "no evidence of any serious attempt
to understand the material." It is not appropriate to waste
everyone's time by posting what you know might be wrong (it
is) and bemoaning your lack of expertise. Spend a few
minutes of your own time and look it up.
How differential cryptanalysis usually works is not even
relevant. My attack uses differentials - pairs of
plaintexts (x, x') where we look at the XOR between x and
x', and between the ciphertexts each induces. It is
otherwise not closely related to Biham and Shamir's
Differential Cryptanalysis, and I did not call it by that
name.
[...]
> Now, if I don't err, you were saying that if all the n blocks
> are chosen to be equal, then permutations don't cause any
> real effect and hence could be considered to be non-existent.
No. My differential pairs, x and x' are the same as each
other, except in one block. I _depend_ on the effect of the
permutations.
You didn't define what a "word" was, and I assumed word =
half-block. It's a common case, allowed though not
required, within your scheme. I stated my assumptions of
chosen plaintext and a 16-round (8 double-round) Feistel
cipher. In a chosen plaintext attack, the attacker chooses
the message size, and I chose a size of about a thousand
blocks.
We're looking at two instances of encrypting 1000 blocks,
one with input x and the other with x'. The inputs differ
in exactly one word on one block. The first double-round
will propagate some difference to both words of that block.
The first inter-round permutation will usually take the two
differing words to two different blocks.
The second double-round and permutation will usually
propagate changes to four different blocks. The third, to
eight. There are seven inter-round permutations, so the
outputs (y, y') can differ in at most 128 of the 1000
blocks. Worse, if a block is different at some state, it
will most likely only interact with constant blocks from
that point on.
In a double-round of a classic Feistel cipher, the value of
the right block goes into the f function (with some key),
and the output is XOR'ed into the left block. Then the
value of the left block goes into the f function to munge
the right block. Consider a differential (x, x') in which
the left block of x differs from the left block of x', but
the right blocks are the same. After a double round, the
left blocks of the output have the same XOR as the input.
That's because the right blocks and key were the same, so
the output of the f function that was XOR'ed into the left
blocks was the same.
With this background, my first post in the thread should
be easier to understand.
[...]
> Let me also point out a relatively minor point. If I
> employ PRNG to do the permutation, then even during a
> session the different messages will get different
> permutations, so that, also in a chosen-plaintext
> attack, unless you use all equal words to annulate
> the permutation effect, you have to apply different
> appropriately chosen plaintexts for the different
> messages in order to realize annulation of permutation
> effect of these messages.
I assumed the attacker could get the same permutation in
different messages. Your only specific suggestion of how
the PRNG is seeded divided the message in half and used each
half to determine the permutation for the other, which is
obviously repeatable in a chosen plaintext attack. If the
attacker cannot re-start the PRNG, then choosing all blocks
of x the same, except the block that differs from x', looks
like a promising tactic.
> If I use the identity permutation
> for all cycles, then my system is in fact simply using
> E to encrypt all blocks, so we could consider that the
> difficulty of attack remains to be R. Now compare two
> cases: (1) I use the identity permutation in all cycles
> and the opponent somehow knows that fact and (2) I use
> random permutations that are different for all cycles
> and the opponent has no knowledge of these permutations
> at all. Isn't it intuitively clear that case (2) is
> materially more difficult than case (1)?
You're taking something designed to be a good black box and
exporting internal state. Look at Biham or Wagner's work on
attacking multiple-encryption modes that exchange
information between layers. Those results may be
surprising, but where I know I lack expertise, I'm more
inclined to look up my facts and less trustful of my
intuition.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
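As an added example (my own Python, not code from Bryan's post or from any cipher discussed there), here is a toy-scale check of the two structural facts the argument above rests on: the left-half XOR survives a classic Feistel double round when only the left half differs, and with 8 double rounds and 7 inter-round permutations of words a single-word difference can reach at most 2^7 = 128 of 1000 blocks. The round function f, the subkeys and the permutations are constructed at random and are not a real cipher; the block-spread simulation tracks the worst case in which a difference always spreads to both words of a block.

```python
"""Added example: two properties used in the differential argument above,
checked at toy scale. Nothing here is a real cipher."""
import hashlib
import random


def f(half: int, subkey: int) -> int:
    """Constructed keyed round function (truncated hash); any mapping
    would do, since property 1 only needs f to see identical inputs."""
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def double_round(left: int, right: int, k1: int, k2: int):
    """One Feistel double round on 32-bit halves: right feeds f and is
    XORed into left, then the new left feeds f and munges right."""
    left ^= f(right, k1)
    right ^= f(left, k2)
    return left, right


def left_xor_preserved(trials: int = 100, seed: int = 1) -> bool:
    """Property 1: if x and x' share the right half, the left-half XOR
    is unchanged by the double round (f(right, k1) is the same)."""
    rng = random.Random(seed)
    for _ in range(trials):
        l, r = rng.getrandbits(32), rng.getrandbits(32)
        delta = rng.getrandbits(32) or 1
        k1, k2 = rng.getrandbits(32), rng.getrandbits(32)
        l1, _ = double_round(l, r, k1, k2)
        l2, _ = double_round(l ^ delta, r, k1, k2)
        if l1 ^ l2 != delta:
            return False
    return True


def differing_blocks(n_blocks: int = 1000, double_rounds: int = 8,
                     seed: int = 2) -> int:
    """Property 2, worst case: track which words differ between x and x'.
    A double round spreads a difference to both words of its block; each
    of the (double_rounds - 1) inter-round permutations then scatters the
    words, so the count of differing blocks at most doubles per round."""
    rng = random.Random(seed)
    # word index = 2 * block + half; start with exactly one differing word
    differs = [False] * (2 * n_blocks)
    differs[rng.randrange(2 * n_blocks)] = True
    for rnd in range(double_rounds):
        for b in range(n_blocks):  # double round: block-level diffusion
            if differs[2 * b] or differs[2 * b + 1]:
                differs[2 * b] = differs[2 * b + 1] = True
        if rnd < double_rounds - 1:  # constructed inter-round permutation
            perm = list(range(2 * n_blocks))
            rng.shuffle(perm)
            differs = [differs[perm[i]] for i in range(2 * n_blocks)]
    return sum(1 for b in range(n_blocks)
               if differs[2 * b] or differs[2 * b + 1])


if __name__ == "__main__":
    print("left XOR preserved:", left_xor_preserved())
    print("differing output blocks:", differing_blocks(), "(bound 128)")
```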
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: A New (?) Use for Chi
Date: Thu, 28 Sep 2000 20:20:53 GMT
David Wagner wrote:
> how could SVD be applied to this problem?
"Singular Value Analysis of Cryptograms" by Cleve Holer and
Donald Morrison, American Mathematical Monthly, Vol. 90 No. 2,
pp.78-87 (1983).
The basic idea is that a text or language is vfc (vowel-
follows-consonant) iff # vowel-vowel pairs * # consonants
< # consonant-vowel pairs * # vowels. (True iff the
proportion of vowels following vowels is less than the
proportion of vowels following consonants.) This can be
considered a "lumped parameter" form of HMM. Most natural
languages are fairly strongly vfc. The cryptanalytic goal
is to partition the ciphertext letters into two categories
(vowel vs. consonant). We start with the adjacency matrix
A (a[ij] is the # of occurrences of the i-th letter of the
cipher alphabet immediately followed by the j-th letter of
ditto). Denote the category membership vectors by V and C
(v[i] is 1 if the i-th letter of the cipher alphabet
represents a vowel, 0 otherwise; similarly c[i] indicates
representation of a consonant). The rule for vfc is then
(after simplifying) (V'AV)(C'AC) - (V'AC)(C'AV) < 0 where
' denotes matrix transpose. Given A, we want to find V
and C that satisfy that relationship. The above paper
shows how to approximate the SVD of A by the two most
significant terms (as determined by the magnitude of the
singular values): A = XSY' where XX' = X'X = I, YY' = Y'Y
= I, S = diag(s1,s2,...s26): A approx= s1x[1]y'[1] +
s2x[2]y'[2] where x[j],y[j] are rank-one matrices. The
paper adopts the partitioning rules:
v[i] = 1 if x[i,2] > 0 and y[i,2] < 0, else 0
c[i] = 1 if x[i,2] > 0 and y[i,2] > 0, else 0
n[i] = 1 if sign(x[i,2]) = sign(y[i,2]), else 0.
(N are the unclassifiable letters; for English, plaintext
"h" usually falls into this category, also sometimes "n".)
This classification satisfies the vfc criterion (a proof
is given in the paper). The paper also gives a method of
applying this technique to a polyalphabetic substitution
once the "columns" have been identified.
The interesting thing is that the above method works well
in practice, despite the third, fourth, etc. largest
singular values being not much smaller than the first two.
I. J. Good also published on the subject, although he had
to avoid using cryptologic examples: "Some Applications of
the Singular Decomposition of a Matrix", Technometrics,
Vol. 2, No. 4, pp. 823-831.
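An added example (my own Python, not code from the post or from the Moler and Morrison paper) that computes the vfc criterion described above on constructed samples, both as the pair-count rule and as the matrix expression (V'AV)(C'AC) - (V'AC)(C'AV), and shows the two agree for any candidate partition of the alphabet, which is what one needs when V and C are unknown. The SVD step of the paper is not implemented; the samples and the choice to treat "y" as a consonant are assumptions.

```python
"""Added example: the vowel-follows-consonant (vfc) rule in both forms."""
import string

VOWELS = set("aeiou")  # assumption: y is counted as a consonant

# Constructed samples: ordinary English, and a vowel-clustered string
# that violates the vfc property.
SAMPLE_ENGLISH = "the cat sat on the mat and ate the rat"
SAMPLE_CLUSTERED = "aeiou aeiou bcd bcd"


def letters_of(text):
    """Keep only a-z (lower-cased); pairs are then taken across spaces."""
    return [ch for ch in text.lower() if ch in string.ascii_lowercase]


def adjacency_matrix(text):
    """A[i][j] = number of times letter i is immediately followed by j."""
    A = [[0] * 26 for _ in range(26)]
    seq = letters_of(text)
    for a, b in zip(seq, seq[1:]):
        A[ord(a) - 97][ord(b) - 97] += 1
    return A


def quad(u, A, w):
    """The bilinear form u'Aw for 0/1 vectors u and w."""
    return sum(A[i][j] for i in range(26) for j in range(26)
               if u[i] and w[j])


def vfc_matrix_form(text, vowels=VOWELS):
    """(V'AV)(C'AC) - (V'AC)(C'AV) for the partition given by `vowels`;
    a negative value means the partition satisfies the vfc rule.
    Any candidate partition can be scored this way."""
    A = adjacency_matrix(text)
    V = [1 if chr(97 + i) in vowels else 0 for i in range(26)]
    C = [1 - v for v in V]
    return quad(V, A, V) * quad(C, A, C) - quad(V, A, C) * quad(C, A, V)


def vfc_count_form(text, vowels=VOWELS):
    """# vowel-vowel pairs * # consonants < # consonant-vowel pairs
    * # vowels. Letters are counted as the first element of each pair
    (#V = VV + VC, #C = CV + CC); substituting these and cancelling the
    common VV*CV term gives VV*CC < VC*CV, i.e. the matrix form above."""
    seq = letters_of(text)
    pairs = list(zip(seq, seq[1:]))
    vv = sum(1 for a, b in pairs if a in vowels and b in vowels)
    cv = sum(1 for a, b in pairs if a not in vowels and b in vowels)
    n_v = sum(1 for a, _ in pairs if a in vowels)
    n_c = len(pairs) - n_v
    return vv * n_c < cv * n_v


if __name__ == "__main__":
    for name, text in (("english", SAMPLE_ENGLISH),
                       ("clustered", SAMPLE_CLUSTERED)):
        print(name, vfc_matrix_form(text), vfc_count_form(text))
```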
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: A New (?) Use for Chi
Date: Thu, 28 Sep 2000 20:28:48 GMT
Mok-Kong Shen wrote:
> What is SVD? Singular value decomposition?
Yes.
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: RSA and Chinese Reminder Theorem
Date: Thu, 28 Sep 2000 14:07:04 -0700
Bob Silverman wrote:
> A minor nit. System of congruences. Not "system of equations".
You wouldn't be so insufferable if you were at least correct
with these trivial nits of yours.
They are congruences over the integers, or equations over
the quotient ring. Either usage is correct.
If you want to score a trivial nit, correct his spelling of the
name of the other BS man. <g>
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Question on biases in random-numbers & decompression
Date: Thu, 28 Sep 2000 20:33:36 GMT
Mok-Kong Shen wrote:
> Do you mean throwing away in the literal sense? How to
> select a scheme of optimal throwing? Wouldn't it be better
> to do some 'condensation' of the whole stuff available,
> e.g. hashing, or taking parity, etc.? Thanks.
Efficient use of available entropy is an important
consideration in many applications. One approach
(that is asymptotically optimal) is the one I
mentioned in a previous thread, "How to Turn Loaded
Dice into Fair Coins" by Juels et al., IEEE Trans.
Inf. Th., V26, N3 (May 2000), pp.911-921.
------------------------------
From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: Re: Adobe Acrobat -- How Secure?
Date: Thu, 28 Sep 2000 14:41:01 -0700
Where would this documentation be found?
*David Barber*
"John Savard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Thu, 28 Sep 2000 13:25:45 +0800, Dido Sevilla <[EMAIL PROTECTED]>
> wrote, in part:
>
> However, IIRC, the .PDF file format
> is fully documented
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Deadline for AES...
Date: Thu, 28 Sep 2000 15:48:59 -0600
Bob Silverman wrote:
>
> In article <[EMAIL PROTECTED]>,
> Volker Hetzer <[EMAIL PROTECTED]> wrote:
> > Hi!
> > Did anyone notice the Announcement of the NISSC?
>
> <snip>
>
> See:
>
> http://csrc.nist.gov/encryption/aes/
>
<snip>
Yes - but he's got a point. See http://csrc.nist.gov/nissc
and the top of page 5 in http://csrc.nist.gov/nissc/NCSC.pdf
for the phrase he quoted.
I suspect that NIST wants to make the announcement before
the NISSC conference starts on October 16, but hasn't
translated that into a real promise at the AES site. It
might be sooner, or they might apologize at the conference,
depending on how things go. Doubtless they have their own
internal deadlines - but would prefer not to make them
public "just in case".
Of course, it could just be as Volker speculates: that
the conference organizers are just guessing. In any
case, "October 16" is still in line with "early fall".
Note that the "Modes of Operation" gathering is right after
the NISSC conference at the same site.
JM
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Why is TwoFish better than Blowfish?
Date: 28 Sep 2000 21:45:40 GMT
[EMAIL PROTECTED] (Joseph Ashwood) wrote in <OGGv2XXKAHA.345@cpmsnbbsa09>:
>> Then please tell me the kind of guy you think the NSA would own.
>> Terry who seems not to have press conections or do you think I am
>> the type Arturo.
>
>You beat me to it. I was going to suggest that they would buy someone
>who would continually bombard intellectual conversations with his own
>not so intellectual observations, someone who seems to rather
>deliberately choose conversations that are interesting, and turn them
>into flame wars. Does this by any chance sound familiar to you?
>
>
I guess that means you know very little about the kind of people
the NSA would hire. Makes me wonder what you know about ciphers.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.compression,comp.theory
Subject: Re: Josh MacDonald's library for adaptive Huffman encoding
Date: 28 Sep 2000 21:53:59 GMT
[EMAIL PROTECTED] (Mok-Kong Shen) wrote in <39D3A51F.B421C2F7@t-online.de>:
>
>
>"SCOTT19U.ZIP_GUY" wrote:
>>
>> But doing tests on my own static Huffman compression
>> (if you don't count space for the table) usually beats
>> adaptive Huffman compression. But not always. Some files
>> are such that adaptive Huffman compression beats the static
>> even if you don't count the table space.
>> Hey, it's not that hard to test this yourself, but one
>> word of warning: not all adaptive Huffman compression programs are
>> the same; most use what you called a NYT followed by the ASCII
>> coding of the symbol when a new symbol is encountered in
>> the input stream. Mine do not.
>>
>> My main one starts with a full tree and then the tree
>> changes based on input. There is no reason, if you are always
>> compressing similar files, not to use a different starting tree
>> and a different amount of adapting, if one is only using a certain
>> class of files. I think a mod like the above would beat static most
>> of the time since you can tune it to the types of file you like.
>> But like I said it is not that hard to play with it.
>
>If one starts from nothing, then one has to use NYT
>followed by ASCII or its equivalent (i.e. a 'standard'
>representation of the same space), I suppose. Otherwise
>I don't see how a new symbol could be transmitted.
Then you don't have a basic understanding of Huffman
code. I get tired of arguing with you, since you don't ever
seem to learn. Yes, this is not friendly, but MOK, get with it.
Like I have told you many many times look at my code.
I would try to help more but past experience shows me
that you really don't want to know.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Deadline for AES...
Reply-To: [EMAIL PROTECTED]
Date: Thu, 28 Sep 2000 21:43:56 GMT
Volker Hetzer <[EMAIL PROTECTED]> wrote:
: Does this mean that on oct, 16 latest, the waiting will be over
: or are the guys from the NISSC just speculating?
No official announcement of the date has been posted yet on
http://csrc.nist.gov/encryption/aes/
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: A New (?) Use for Chi
Date: Thu, 28 Sep 2000 15:55:48 -0600
> "Singular Value Analysis of Cryptograms" by Cleve Holer and
would that be Cleve Moler?
JM
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Thu, 28 Sep 2000 16:09:19 -0600
"Douglas A. Gwyn" wrote:
>
> zapzing wrote:
> > a sufficiently hashed chaotic RNG would not have
> > any cycles.
>
> So what? Lack of exact cycles is by no means sufficient
> for security.
And too, the only way to "not have any cycles" would
be to have an unbounded state.
JM
------------------------------
From: [EMAIL PROTECTED] (Mark Carroll)
Subject: Re: Adobe Acrobat -- How Secure?
Date: 28 Sep 2000 22:22:43 GMT
In article <8r0e0c$2dn7$[EMAIL PROTECTED]>,
David C. Barber <[EMAIL PROTECTED]> wrote:
>Where would this documentation be found?
(snip)
How hard did you look? I just typed 'portable document format
specification' into Google and got some useful links on the first
page.
-- Mark
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: On-line Turing test?
Date: Thu, 28 Sep 2000 16:30:25 -0600
I'm wondering about a certain frequent poster here.
Could it actually be a computer program? Since Eliza
et al., it has been clear that by limiting the subject
matter, we can do pretty well. And sci.crypt seems
well suited: highly technical content, with a low
expectation of competence.
The posts in question are frequent, wordy, syntactically
correct (for the most part), and rarely seem to mean
much of anything. Responses often seem to be reacting
to the words, rather than the point, and veer off into
non-sequiturs without warning.
Are we guinea pigs in an experiment?
JM
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Why is TwoFish better than Blowfish?
Date: Thu, 28 Sep 2000 22:28:29 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> I guess that means you know very little about the kind of people
> the NSA would hire. Makes me wonder what you know about ciphers.
What the heck does that mean?
The purpose of cryptography is not to stop the NSA...
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: How to get Certificate content after HTTPS Authentication
Date: 28 Sep 2000 15:46:06 -0700
"Joyce" <[EMAIL PROTECTED]> writes:
> Dear all,
>
> Would you tell me how to get Client Certificate content (eg. Signature
> Algorithm, Issuer information, Subject information, Public key and etc)
> after HTTPS Client Authentication is successful ?
>
> My program is run under
> Environment: apache + openSSL + tomcat
> Platform: NT
Sci.crypt really isn't the right place for this type of question.
It's better to ask someplace like comp.infosystems.www.servers.unix.
But here goes anyway.
OpenSSL is just the SSL library--you also have to say what Apache/OpenSSL
interface you're using. Mod_ssl is the most popular one. It normally
doesn't bother providing the client certificate in order to save environment
space. If you want the certificate, put
SSLOptions ExportCertData
in your SSL host configuration in httpd.conf. That will put the
client cert contents in the SSL_CLIENT_CERT CGI environment variable.
However, the stuff inside the certificate may not be visible. You
may have to pass the certificate to OpenSSL from your application,
if you want to read its contents.
------------------------------
From: Cornelius Sybrandy <[EMAIL PROTECTED]>
Subject: Re: Javascript SHA-1 Implementation
Date: Thu, 28 Sep 2000 19:02:26 -0400
Hmm, did not know that. Guess I should have looked a bit harder. I just
looked in places that provided code for such things and it was all stuff
people made up. Oh well. At least my code is neater :-)
csybrandy
[EMAIL PROTECTED] wrote:
> Cornelius Sybrandy wrote:
> > Greetings all.
> > I've been doing some web design and I noticed a severe lack of
> > JavaScript code that hashes passwords. Out of boredom and experimenting
> > with JavaScript, I decided to create my own. I implemented a version of
> > SHA-1 in Javascript for the sole purpose of hashing passwords. There is
> > more information in the comments provided. I felt I should let this
> > application be reviewed by the group before releasing it to the world.
> > Anyway, have fun with it and let me know what you think.
>
> I have seen bank web pages that use MD5 for password hashing:
>
> https://ibanka.unibanka.lv/ib/en.htm
> https://tkb.lv/SScripts/start.plx?L=EN&P0=Netscape&P1=4
>
> == <EOF> ==
> Disastry
> http://i.am/disastry/
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************