Cryptography-Digest Digest #800, Volume #12      Fri, 29 Sep 00 20:13:01 EDT

Contents:
  Is RC4 a serious cipher? ("David C. Barber")
  Re: Is RC4 a serious cipher? (Roger Schlafly)
  Re: Is RC4 a serious cipher? ("Paul Pires")
  Re: Is RC4 a serious cipher? (Albert Yang)
  Re: Chaos theory (Mok-Kong Shen)
  Re: Deadline for AES... (Albert Yang)
  Re: AES announcement due Monday 2nd October (John Savard)
  Re: Deadline for AES... (John Savard)
  Re: Chaos theory (Mok-Kong Shen)
  Re: RSA T-shirt (Albert Yang)
  Re: Encryption Project (Albert Yang)
  Re: RSA occasional failure? (Albert Yang)
  Re: Is RC4 a serious cipher? (Tom St Denis)
  Re: Is RC4 a serious cipher? (Simon Johnson)
  Re: Encryption Project (Cornelius Sybrandy)
  Re: AES announcement due Monday 2nd October (John Myre)
  Re: Is RC4 a serious cipher? (John Myre)
  Re: Deadline for AES... (John Myre)
  Re: Tying Up Loose Ends - Correction (Tim Tyler)

----------------------------------------------------------------------------

From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: Is RC4 a serious cipher?
Date: Fri, 29 Sep 2000 14:17:17 -0700

I was looking at the RC4 Cypherpunks code and it doesn't seem to be much more
than a simple key generator and an xor with a cycle of 256.  Is this at all a
serious (read: secure) cipher?

    *David Barber*




------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Is RC4 a serious cipher?
Date: Fri, 29 Sep 2000 14:26:43 -0700

"David C. Barber" wrote:
> I was looking at the RC4 Cypherpunks code and it doesn't seem to be much more
> than a simple key generator and an xor with a cycle of 256.  Is this at all a
> serious (read: secure) cipher?

Yes, it is. It has a 256-byte permutation in its internal state,
and it won't cycle for a very long time. It is a stream cipher,
and as such it has some drawbacks compared to a block cipher,
but it is considered secure if used properly.

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Is RC4 a serious cipher?
Date: Fri, 29 Sep 2000 14:34:05 -0700


David C. Barber <[EMAIL PROTECTED]> wrote in message
news:8r30vs$15h8$[EMAIL PROTECTED]...
> I was looking at the RC4 Cypherpunks code and it doesn't seem to be much more
> than a simple key generator and an xor with a cycle of 256.  Is this at all a
> serious (read: secure) cipher?

You might want to take a closer look. It is not an "XOR with a cycle of 256".
It has a 2048-bit internal state, and the counter mod 256 is used as an argument
to change a portion (8 bits) of the state each iteration, in a sneaky way. This
is not the same thing as XOR with a cycle of 256.

As far as I know the only problems with RC4 are in the key setup, avoiding short
cycles and running it long enough (discarding output) before you start to use it.
It is special purpose in that you can't use it to replace a block cipher. If you
ever re-enter the key stream you have problems.

It's kinda elegant in its simplicity.

Paul

>
>     *David Barber*

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: Is RC4 a serious cipher?
Date: Fri, 29 Sep 2000 21:37:23 GMT

Yes, it is.  It has an internal state of (256x256!) That's a pretty big
internal state.

There have been several attacks against it (The Roos one being probably
the most famous) but a lot of analysis shows that it's very strong
against both linear and differential cryptanalysis.

There are some short periods which occur, but currently, there is no
faster attack against it than brute force.

It's secure, AND small, which is why it's one of the most widely used if
not the most widely used stream cipher in the commercial world.

Albert

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Sat, 30 Sep 2000 00:00:59 +0200



zapzing wrote:
> 

> Yes well I was sort of making the
> unstated assumption that the chaotic
> system would be implemented in analog
> not in digital. Implementing a chaotic
> system in digital *would* be a bad way
> of making a PRNG, I admit.

I don't agree with your point. Maybe the state of
affairs has changed, but previously analog computing
devices couldn't match the accuracy of digital
computers. One could utilize, I suppose, much of the
knowledge already gained by applied mathematicians in 
solving problems in other fields where rounding errors 
are critical. Physicists are doing computations with 
chaos. At least two chaos journals give clear indication 
of that.

M. K. Shen

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: Deadline for AES...
Date: Fri, 29 Sep 2000 21:48:43 GMT

The only real speculation I have is that MARS didn't win.

It will be interesting though to see what they say on Monday. I think
they want to give "Modes of operation" a ringer through, but I don't
think they are going to open up the public comment period to
modifications to the algorithm, unless there is some major attack
seen during that comment period, but I highly doubt it...

Albert

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: AES announcement due Monday 2nd October
Date: Fri, 29 Sep 2000 21:43:39 GMT

On 29 Sep 2000 18:54:00 GMT, [EMAIL PROTECTED] (DJohn37050) wrote, in
part:

>And they still have the option to name a multiple of algorithms.

This is the *first* time they have, to my knowledge, laid claim to
such an option.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Deadline for AES...
Date: Fri, 29 Sep 2000 21:45:48 GMT

On Fri, 29 Sep 2000 20:42:35 +0100, "Brian Gladman"
<[EMAIL PROTECTED]> wrote, in part:
>"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> John Savard wrote:

>> > I interpret that to mean that the standard will be a draft standard
>> > only at that time.

>> So in principle the AES winner could still be improved in
>> its final version. Is that right? That wouldn't be bad.

>Although this is possible, I do not think it is very likely that this will
>happen.

>In my view the purpose of the comment period will be to make the
>specifications of the algorithm(s) and the modes of operation as precise as
>possible in order to help ensure that different implementations can
>interoperate effectively whenever necessary.

>In addition to possible new modes of operation, the issues of bit, byte and
>block numbering, and those of bit, byte and block order (endian issues) -
>which caused some difficulties in AES testing - all need to be carefully
>specified before the standard is finally approved.

Precisely. The draft standard will presumably be subject to review for
clarity and accuracy and so on, not for changes to the algorithm.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Sat, 30 Sep 2000 00:03:42 +0200



Tim Tyler wrote:
> 

> Does anyone know of any definitions by which (say) modern block
> cyphers do *not* qualify as chaotic systems?

Dumb question: What corresponds in crypto to attractors,
dimensions etc. in chaos?

M. K. Shen

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: RSA T-shirt
Date: Fri, 29 Sep 2000 21:51:54 GMT

I have!

It's way too big though...

Albert

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: Encryption Project
Date: Fri, 29 Sep 2000 21:59:02 GMT

I would advise you to add a little salt to your hashes..  

Also, watch out for that ASP!  That thing has more holes than swiss
cheese.

Also, if you are using database calls directly from ASP, then do the
calls as stored procedures. This way, if someone hacks ASP (which is not
too difficult to do) and grabs the pre-processed code, they won't see
the internal table names, but only a single stored-procedure call.
(Also makes code shorter, and easier to maintain, as you can always
check on the db directly if the stored procedure is correct, and
probably faster too)

40 bits?  Use 128 bits if you can.

Also, add javascript to force the user to make their password more than
6 characters long, and add some sort of non-alphanumeric character in
it.

I can go on and on...  Security is as good as the weakest link.

I assume you have a firewall?  Yes?

Albert

Robert Hulme wrote:
> 
> Hi,
> 
> This is my first time working with encryption - my employers have asked me
> to create a system that will allow users to access their payroll information
> via the web.
> 
> I'm going to be using NT 4 Server and IIS 4.0 to create the system, using
> ASP in IIS.
> 
> I can see that securing the communications between the server and the user's
> web browser is fairly easy using SSL 3 by plugging a certificate into IIS
> and using 40 bit encryption (I have to use that because I'm in the UK don't
> I?), but to be really sure the system is safe even if the NT box got cracked
> I want to encrypt the records in the database...
> 
> I'm new to cryptography but I thought maybe I could use some one way hash
> like MD5 to encrypt their plaintext password and put the ciphertext in the
> database. Then I could use some suitably strong encryption with the user's
> plaintext password to encrypt all their other information and store the
> ciphertext of that in another field in the database.
> 
> I would appreciate some comments / suggestions / general help on this
> though..
> 
> As I see it I can use MD5 on the plaintext password they send, compare it to
> the MD5 encrypted password in the database and if they match use that
> plaintext string to decrypt their private information (and then display it
> on screen).
> 
> In particular I wonder if people could help me with whether this:
> 
> a) makes any sense :0)
> b) has any glaring security holes
> c) what encryption I should use ?
> 
> Generally any kind of help would be good :0)
> Thanks
> -Rob

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: RSA occasional failure?
Date: Fri, 29 Sep 2000 22:04:33 GMT

Paul Rubin wrote:
> 
> [EMAIL PROTECTED] (Mark-Jason Dominus) writes:
> 
> > But Fermat's theorem only applies in this case if x is not a multiple
> > of p; if x is a multiple of p then x^(p-1) (mod p) might be something
> > other than 1.
> >
> > Since x is the plaintext, it is chosen by someone who doesn't know p
> > or q.  It seems that if x unfortunately turned out to be a multiple of
> > p, then the decryption process would fail and yield a gibberish
> > result.
> 
> Since N=pq, the chance of a random x < N being a multiple of p is 1/q.
> Since q is normally > 10^100, this probability is negligible.  But
> you're correct, if you pick some small primes (p=3, q=5) and try to
> work an RSA example on the blackboard and choose the wrong x, you can
> sometimes get bitten by this.

Given that this probability approaches 0 as q gets bigger (with the
growth of q), it would be the case that the probability of this
happening is the same as cracking RSA on the first try.

So given that being the case, I feel OK and can get a restful sleep.  If
my RSA key is 1024 bits, and you guess it right on the first try, let me
know, then I'll begin to worry...  It's really a non-issue.  Keep in
mind that a meteor landing on you and killing you at the same moment you
spot Elvis on the sidewalk eating an ice cream cone has a much better
chance of occurring than this...

Albert
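As an added check on the case Mark-Jason Dominus and Paul Rubin discuss (example code, not from the thread), the script below runs textbook RSA with blackboard-sized primes over every plaintext that shares a factor with N, and computes the exact proportion of such plaintexts, which is the 1/q figure quoted above (more precisely 1/p + 1/q - 1/N). Decryption turns out to round-trip for those x as well: ed ≡ 1 (mod p-1) and (mod q-1) give x^(ed) ≡ x modulo p and modulo q separately (both sides are 0 when p divides x, Fermat covers the rest), and the CRT combines them, so gcd(x, N) = 1 is needed by the Fermat step in the proof, not by the result.

```python
from math import gcd

def textbook_rsa(p: int, q: int, e: int):
    """Blackboard RSA: N = pq, d = e^-1 mod (p-1)(q-1).
    Small primes only; this is the classroom setting the thread describes, not a usable key."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return p * q, e, pow(e, -1, phi)

def round_trips(n: int, e: int, d: int, x: int) -> bool:
    """Does decrypt(encrypt(x)) give x back?"""
    return pow(pow(x, e, n), d, n) == x

def plaintexts_sharing_a_factor(p: int, q: int, e: int):
    """Every x in [0, N) with gcd(x, N) != 1 (x a multiple of p or of q), together with
    the subset for which textbook decryption does NOT round-trip (empty, by the CRT argument)."""
    n, e, d = textbook_rsa(p, q, e)
    shared = [x for x in range(n) if gcd(x, n) != 1]
    broken = [x for x in shared if not round_trips(n, e, d, x)]
    return shared, broken

def fraction_sharing_a_factor(p: int, q: int) -> float:
    """Exact proportion of x < N with gcd(x, N) != 1: (p + q - 1)/N = 1/p + 1/q - 1/N,
    which is the 1/q figure in the thread once p and q are both huge."""
    return (p + q - 1) / (p * q)
```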

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Is RC4 a serious cipher?
Date: Fri, 29 Sep 2000 21:59:05 GMT

In article <8r30vs$15h8$[EMAIL PROTECTED]>,
  "David C. Barber" <[EMAIL PROTECTED]> wrote:
> I was looking at the RC4 Cypherpunks code and it doesn't seem to be much
> more than a simple key generator and an xor with a cycle of 256.  Is this at
> all a serious (read: secure) cipher?

Well the "xor" is not the source of any possible weakness.  And how do
you figure the period is 256?

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
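An added example, not from the thread or the Cypherpunks source: a plain RC4 implementation used to check Paul Pires's description (a 256-byte permutation, his 2048 bits, plus two 8-bit indices, with one swap per output byte) and Tom St Denis's question about the period, and to show the keystream-reuse failure Paul warns about.

```python
def rc4_ksa(key: bytes) -> list:
    """Key scheduling: turn the key into the 256-byte permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return n keystream bytes after discarding the first `drop` bytes
    (the 'run it long enough before you use it' advice in Paul's post)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]            # the 8-bit change to the state each iteration
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data), drop))

def shortest_period(ks: bytes, max_period: int):
    """Smallest p <= max_period with ks[k] == ks[k+p] for every k, or None if there is none."""
    for p in range(1, max_period + 1):
        if ks[p:] == ks[:-p]:
            return p
    return None

def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bool:
    """Re-entering the keystream for a second message: the XOR of the two ciphertexts
    equals the XOR of the two plaintexts, so the key no longer hides either of them."""
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)
```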

------------------------------

From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Is RC4 a serious cipher?
Date: Fri, 29 Sep 2000 22:12:59 GMT

In article <[EMAIL PROTECTED]>,
  Roger Schlafly <[EMAIL PROTECTED]> wrote:

Yup, it's serious. The pseudo-random stream becomes distinguishable from
random data after a couple of gigabytes. On top of this it has a high
average cycle length and is very fast in software.

I like the algorithm; others will disagree with me. But I'd use it :)
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File



------------------------------

From: Cornelius Sybrandy <[EMAIL PROTECTED]>
Subject: Re: Encryption Project
Date: Fri, 29 Sep 2000 18:53:46 -0400

One other thing: make sure you use the hash function on the password before it is
sent.  There are at least a couple banks that do this and I just posted my own bit
of Javascript code for SHA-1.  If you don't see it, let me know and I'll send it
to you to look at.

csybrandy

Albert Yang wrote:

> I would advise you to add a little salt to your hashes..
>
> Also, watch out for that ASP!  That thing has more holes than swiss
> cheese.
>
> Also, if you are using database calls directly from ASP, then do the
> calls as stored procedures. This way, if someone hacks ASP (which is not
> too difficult to do) and grabs the pre-processed code, they won't see
> the internal table names, but only a single stored-procedure call.
> (Also makes code shorter, and easier to maintain, as you can always
> check on the db directly if the stored procedure is correct, and
> probably faster too)
>
> 40 bits?  Use 128 bits if you can.
>
> Also, add javascript to force the user to make their password more than
> 6 characters long, and add some sort of non-alphanumeric character in
> it.
>
> I can go on and on...  Security is as good as the weakest link.
>
> I assume you have a firewall?  Yes?
>
> Albert
>
> Robert Hulme wrote:
> >
> > Hi,
> >
> > This is my first time working with encryption - my employers have asked me
> > to create a system that will allow users to access their payroll information
> > via the web.
> >
> > I'm going to be using NT 4 Server and IIS 4.0 to create the system, using
> > ASP in IIS.
> >
> > I can see that securing the communications between the server and the user's
> > web browser is fairly easy using SSL 3 by plugging a certificate into IIS
> > and using 40 bit encryption (I have to use that because I'm in the UK don't
> > I?), but to be really sure the system is safe even if the NT box got cracked
> > I want to encrypt the records in the database...
> >
> > I'm new to cryptography but I thought maybe I could use some one way hash
> > like MD5 to encrypt their plaintext password and put the ciphertext in the
> > database. Then I could use some suitably strong encryption with the user's
> > plaintext password to encrypt all their other information and store the
> > ciphertext of that in another field in the database.
> >
> > I would appreciate some comments / suggestions / general help on this
> > though..
> >
> > As I see it I can use MD5 on the plaintext password they send, compare it to
> > the MD5 encrypted password in the database and if they match use that
> > plaintext string to decrypt their private information (and then display it
> > on screen).
> >
> > In particular I wonder if people could help me with whether this:
> >
> > a) makes any sense :0)
> > b) has any glaring security holes
> > c) what encryption I should use ?
> >
> > Generally any kind of help would be good :0)
> > Thanks
> > -Rob


------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: AES announcement due Monday 2nd October
Date: Fri, 29 Sep 2000 17:09:27 -0600

John Savard wrote:
<snip>
> This is the *first* time they have, to my knowledge, laid claim to
> such an option.

Is that a troll, or did you really fail to notice what they said?

JM

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Is RC4 a serious cipher?
Date: Fri, 29 Sep 2000 17:12:26 -0600

Paul Pires wrote:
<snip>
> It's kinda elegant in its simplicity.

"kinda"?

Somebody at an AES conference posted that Ron Rivest is
also known as Merlin (this after coming up with the RC6a
key schedule).

JM

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Deadline for AES...
Date: Fri, 29 Sep 2000 17:27:02 -0600

Brian Gladman wrote:
> 
<snip>
> In my view the purpose of the comment period will be to make the
> specifications of the algorithm(s) and the modes of operation as precise as
> possible in order to help ensure that different implementations can
> interoperate effectively whenever necessary.
<snip more>

I agree with all the points (including the snipped ones), except
to point out that it is possible (likely in my opinion) that
the modes of operation will be addressed in a separate document.

That is the way they did it for DES; FIPS 46 for the algorithm
and FIPS 81 for the modes of operation.  It doesn't look like
they've kept 81 up; all the latest stuff is in "special publications"
now (e.g. 800-20).

JM

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Fri, 29 Sep 2000 23:12:12 GMT

Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> I am trying to locate a method of adding the random bits in such a
:> manner that:
:> 
:> 1) the recipient can unambiguously strip off the random padding;
:> 2) the attacker is given the minimum opportunity to reject keys.

[snip example]

:> I'm interested in a scheme that has a similar aim, but has the fewest
:> possible security-related side effects.

: I have an idea which is slightly better... Take the length of the
: message as a binary number in 7-bit chunks, with the last chunk being
: right aligned.  Discard all leading 0-chunks.  Write all but the last
: chunk as 1xxxxxxx, and write the last 7-bit chunk as 0xxxxxxx. The enemy
: can still try to decode the first few bytes and look for the length
: field being shorter than the message, BUT he won't get that string of 0s
: at the front, so he'll have slightly more work to do.

This is what I called a "self-terminating representation of the length"
three messages back.  I believe you can improve on it by working in base
127, and using the 127 symbol as a terminator - rather than having 128
different termination symbols.

I was rather hoping that someone would be able to do better than this
sort of thing - since this still results in a rather large number of
"impossible" packed messages.

As an example of a scheme that doesn't have any "impossible" messages,
consider converting the plaintext to base 255, and appending a 255
terminator (before adding the random padding).

This would work OK for relatively small messages - but would bulk up
larger messages by a factor of 255/256 - which might wind up introducing
more known-probable-plaintext than a self-terminating length field
would rather quickly.
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/
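The three encodings discussed above, as an added example that is not part of the thread: Benjamin Goldberg's 7-bit-chunk length field, Tim Tyler's base-127 refinement with 127 as the sole terminator, and Tim's base-255 alternative in which the plaintext itself is terminated and no length field exists. `unpack` is the recipient's unambiguous stripping of random padding, and rejects the "impossible" case of a length field longer than the message; the 0x01 guard byte in the base-255 variant is this example's own addition.

```python
# Scheme 1 (Goldberg's post): length in 7-bit chunks, most significant first,
# high bit set on every chunk but the last; zero encodes as a single 0x00 byte.
def encode_len_7bit(n: int) -> bytes:
    chunks = [n & 0x7F]
    while n >> 7:
        n >>= 7
        chunks.append(n & 0x7F)
    chunks.reverse()
    return bytes([c | 0x80 for c in chunks[:-1]] + [chunks[-1]])

def decode_len_7bit(buf: bytes):
    """Return (length, bytes consumed); an unterminated field is rejected."""
    n = 0
    for k, b in enumerate(buf):
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            return n, k + 1
    raise ValueError("length field not terminated")

# Scheme 2 (Tim's refinement): base-127 digits, then the single symbol 127 as terminator.
def encode_len_b127(n: int) -> bytes:
    digits = [n % 127]
    while n // 127:
        n //= 127
        digits.append(n % 127)
    return bytes(reversed(digits)) + b"\x7f"

def decode_len_b127(buf: bytes):
    """Return (length, bytes consumed); only 128 of the 256 byte values ever appear."""
    n = 0
    for k, b in enumerate(buf):
        if b == 127:
            return n, k + 1
        n = n * 127 + b
    raise ValueError("length field not terminated")

def unpack(packed: bytes, decode_len=decode_len_7bit) -> bytes:
    """Strip the random padding unambiguously; a length overrunning the message is 'impossible'."""
    n, k = decode_len(packed)
    if k + n > len(packed):
        raise ValueError("length field exceeds message")
    return packed[k:k + n]

# Scheme 3 (Tim's no-impossible-messages alternative): the plaintext itself as base-255
# digits terminated by 255. The 0x01 guard byte is this example's addition, not the
# post's, so that leading zero bytes survive the integer conversion.
def encode_b255(plaintext: bytes) -> bytes:
    n, digits = int.from_bytes(b"\x01" + plaintext, "big"), []
    while n:
        n, r = divmod(n, 255)
        digits.append(r)
    return bytes(reversed(digits)) + b"\xff"

def decode_b255(buf: bytes) -> bytes:
    n = 0
    for b in buf:
        if b == 255:
            return n.to_bytes((n.bit_length() + 7) // 8, "big")[1:]
        n = n * 255 + b
    raise ValueError("terminator not found")
```

The random padding is appended by the sender after the length field and message; the constructed test padding below stands in for it.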

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
