Cryptography-Digest Digest #828, Volume #12 Tue, 3 Oct 00 15:13:00 EDT
Contents:
Re: Advanced Encryption Standard - winner is Rijndael ("AlienZen")
Re: key management on static system (Andru Luvisi)
Re: Authenticating a PIN Without Compromising the PIN (Paul Rubin)
Re: Choice of public exponent in RSA signatures (Roger Schlafly)
Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Simon Johnson)
Re: Choice of public exponent in RSA signatures (Roger Schlafly)
Rijndael test vectors (Roger Schlafly)
Re: Advanced Encryption Standard - winner is Rijndael (Jim Gillogly)
Re: is NIST just nuts? (Simon Johnson)
Re: Choice of public exponent in RSA signatures (Quisquater)
Re: Problem question ("mike boyle")
Re: Choice of public exponent in RSA signatures (Quisquater)
Re: Authenticating a PIN Without Compromising the PIN (Philip MacKenzie)
Re: is NIST just nuts? ("Joseph Ashwood")
Re: Signature size (DJohn37050)
Re: Rijndael test vectors (John Myre)
Re: Rijndael test vectors ("Brian Gladman")
Re: Choice of public exponent in RSA signatures (DJohn37050)
----------------------------------------------------------------------------
From: "AlienZen" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Tue, 3 Oct 2000 13:04:32 -0500
"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (jungle) wrote in <[EMAIL PROTECTED]>:
>
> >read again my press note, it is there ...
> >
> >additionally it is in Published in the January 2, 1997 issue of the
> >Federal Register: DEPARTMENT OF COMMERCE National Institute of Standards
> >and Technology [Docket No. 960924272-6272-01] RIN 0693-ZA13 document ...
> >
> >"It is intended that the AES ... algorithm capable of protecting
> >sensitive government information ..."
> >
> >David Schwartz wrote:
> >>
> >> "SCOTT19U.ZIP_GUY" wrote:
> >>
> >> > Also the US does not consider it secure enough
> >> > for classified information.
> >>
> >> Do you have a reference for this claim?
> >
> >
> >
>
> Your own quote it is intended that AES ... protecting
> sensitive government information. Sensitive is not even
> considered classified. It is below confidential info and
> is too low to be considered classified.
>
I really must take issue on this point. All private information is
'sensitive'. When writing the press release and the article for the federal
register, some PR lackey had to pick a word. That lackey used the word
sensitive. I really don't think it is being used in the context you have
applied it, as in the 'official government designation of minimal security
for non-critical information'.
I would like to present the question again,
Do you have any reference for your claim that the US does ~NOT~ consider it
secure enough for classified (Or higher level) security?
------------------------------
From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: key management on static system
Date: 03 Oct 2000 10:57:31 -0700
"Jason R. Coombs" <[EMAIL PROTECTED]> writes:
[snip]
> Our difficulty lies in that we would like to distribute this key on the CD,
> but have it more-or-less inaccessible to anyone but the program. Is there a
> well-known mechanism for protecting such a key?
[snip]
No can do. Just make 'em sign an NDA.
Andru
--
Andru Luvisi, Programmer/Analyst
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Authenticating a PIN Without Compromising the PIN
Date: 03 Oct 2000 11:17:27 -0700
Guy Lancaster <[EMAIL PROTECTED]> writes:
> If it's possible, how could a protocol authenticate a user's
> PIN without revealing information that would make it
> relatively easy to determine the actual PIN value?
> PINs are commonly used to authenticate users of trusted
> machines but is there any way that they can be secure for
> use over untrusted networks? I'm beginning to think that
> the answer is no.
It can be done. See http://srp.stanford.edu.
> Here's a scenario. We want to allow authorized users of a
> service to access that service over an untrusted network
> such as the Internet. We provide a small device that can
> connect via this network. These devices are not keyed
> to specific users and are readily accessible.
You should issue every user their own device (e.g. a smart card).
If attackers can tamper with the devices before legitimate users
use them, it's all over.
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Tue, 03 Oct 2000 11:17:08 -0700
Paul Schlyter wrote:
> Testing for divisibility with 3 may be fast, but generating a new
> prime if p-1 turns out to be divisible by 3 is much slower.
Yes, but you can screen p to make sure p-1 is not divisible
by 3 *before* the (slow) test to see if p is prime.
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,alt.security.scramdisk
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Date: Tue, 03 Oct 2000 18:10:32 GMT
In article <8rd3gg$1ri$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Rich Wales) wrote:
> > "pgp651" wrote:
> >
> > > Mr. Zimmermann, Mr. Price when can we expect this feature?
> > > After RSA patent hoopla is over, isn't now the time to
> > > implement 4k RSA keys into PGP v262?
> >
> > I don't work for NAI and can't speak for them, but I wouldn't hold my
> > breath waiting for NAI to release =any= updates to PGP 2.6.2. This
> > version of PGP is over four years old, and (for better or worse) they
> > have gone on to newer versions.
> >
> > If anyone is going to modify PGP 2.6.2 (or, more appropriately, the
> > bug-fixed international version, 2.6.3ia) to accommodate larger keys,
> > it will presumably be a third party not connected to NAI. Actually,
> > I believe some groups have already done this. Have you checked out
> > the CKT version, for example?
>
> Why the hell would you use a RSA key over 1024 bits anyways?
>
> Are people plain stupid, paranoid or know something I dont?
>
> Tom
>
Well, I suppose it's all about how long you want your secret to
last. Whether it's necessary to have a key so large that it couldn't be
cracked before the heat death of the universe depends on the
application obviously.
Having said this though, I think I agree with you: using keys
bigger than 1024-bit is equal in stupidity to iterating DES 128 times.
It reduces performance so much, it's not worth using.
--
Hi, I'm the signature virus,
help me spread by copying me into your Signature File
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Tue, 03 Oct 2000 11:24:03 -0700
Francois Grieu wrote:
> [EMAIL PROTECTED] (DJohn37050) wrote:
> > The MOST info about an RSA key is revealed when using 2 or 3 for the
> > public exponent. For example, 1/2 the high order bits of d (the private
> > exponent) are revealed.
>
> Quite an interesting remark. Can the amount of information leaked
> on d be quantified as a function of e, to weight the justification
> of e=2^16+1 rather than e=3 on these grounds ?
No secret info is leaked in either case. If the RSA key is public,
and you know one factor, you can do a division to get the other.
So in an info-theoretic sense, only half the secret key bits are
really secret, because half the bits (the 2nd prime) can be deduced
from the other half (the 1st prime).
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Rijndael test vectors
Date: Tue, 03 Oct 2000 11:27:30 -0700
I looked at the official Rijndael test vectors, but I had trouble
making sense of them. E.g., the vectors below appear to be for
PlainText all zeros, Key all zeros, IV (if applicable) all zeros.
But if IV=0, shouldn't the ECB be the same CipherText as the CBC?
=========================
FILENAME: "ecb_e_m.txt"
Electronic Codebook (ECB) Mode - ENCRYPTION
Monte Carlo Test
Algorithm Name: Rijndael
Principal Submitter: Joan Daemen
=========================
KEYSIZE=128
I=0
KEY=00000000000000000000000000000000
PT=00000000000000000000000000000000
CT=C34C052CC0DA8D73451AFE5F03BE297F
=========================
FILENAME: "cbc_e_m.txt"
Cipher Block Chaining (CBC) Mode - ENCRYPTION
Monte Carlo Test
Algorithm Name: Rijndael
Principal Submitter: Joan Daemen
==========
KEYSIZE=128
I=0
KEY=00000000000000000000000000000000
IV=00000000000000000000000000000000
PT=00000000000000000000000000000000
CT=8A05FC5E095AF4848A08D328D3688E3D
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Tue, 03 Oct 2000 18:40:17 +0000
AlienZen wrote:
> I would like to present the question again,
> Do you have any reference for your claim that the US does ~NOT~ consider it
> secure enough for classified (Or higher level) security?
The US (NIST in particular, advised by the NSA) takes no position on
whether it is secure enough for classified data, since it's not to be
used for classified data. The first paragraph of the NIST report
released yesterday (it's good reading, folks, give it a try) says:
The overall goal is to develop a Federal Information Processing
Standard (FIPS) that specifies an encryption algorithm capable of
protecting sensitive (unclassified) government information well
into the twenty-first century.
The process of designing and testing algorithms for classified
material is (in every country that I know about) not a public
process. In the U.S. it's handled by NSA, and we get very
little insight into the process. It wouldn't make sense for
the NSA to offer the kind of assurance you'd like to see, as
for example by saying "The U.S. Gov't with all its resources
could not break information encrypted with the AES within three
decades, so everyone can feel safe using it for your most secret
secrets." If it was true and it was believed, then no Foreign
Office would be using the crap algorithms their cocky programmers
told them were secure -- they'd be using something they <knew> was
good enough. If it was true and not believed, then people in
industry would shy away from AES because they thought it could
be broken -- after all, the Gov't wouldn't say it couldn't break
it unless it actually could, shutting off that source of intel.
If it was false and the academics eventually duplicate the crack,
the gov't gets a black eye, either from being found to be lying
or being found to be incompetent, depending on the perception of
whether they were being straightforward.
Sorry, that was long-winded. No, the AES is not to be used for
classified information, whether or not it's strong enough.
--
Jim Gillogly
Hevensday, 12 Winterfilth S.R. 2000, 18:24
12.19.7.10.16, 12 Cib 19 Chen, Ninth Lord of Night
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 18:26:33 GMT
In article <8ravpq$c1n$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> > [EMAIL PROTECTED] (alex) wrote in <8rajuk$r1h$[EMAIL PROTECTED]>:
> >
> > >you could email monika lewinsky, she could perhaps ask the President
> > >for that.
> > >
> > >
> > >Tom St Denis <[EMAIL PROTECTED]> wrote in message:
> > >8raips$vsd$[EMAIL PROTECTED]
> > >> As if that was picked... From what I understand it's not at all close
> > >> to the securest block cipher. Will aes specify that cipher with more
> > >> rounds? What a shame...
> > >>
> > >> I demand a recount! Twofish should have won!
> > >>
> > >> Tom
> > >>
> >
> > I guess Tommy still does not understand. Real security has
> > little to do with the contest. I am not sure Twofish is secure
> > but the government has to pick a cipher the NSA could break or they
> > would not allow it to be used. I just hope it motivates him to find
> > a break. It is even possible the NSA may yet want another algorithm
> > so we may magically see a break in this cipher or a weakness so that
> > another one of their choice could be placed out there.
>
> I doubt they picked Rijndael because it's ultimately insecure. I just
> would have picked a cipher that resisted the cryptanalysis so far.
>
> For all purposes Rijndael is still secure since 10 rounds cannot be
> broken. But this parallels the arguments 30 years ago against short
> keys...
>
> Tom
I'd like to take a different view to both of you here (just for a
change). Perhaps Twofish is _actually_ less secure than Rijndael, in
light of attacks the NSA have that are not in the public domain. I
understand that DES was used for non-classified material in the US
government. If AES is to be used the same way, then it would not be in
their interest to pick an algorithm they could easily break, right?
Who knows, the changing of the S-BOXES for the first proposal for DES
was mysterious 20 years ago - perhaps once again, the NSA's reasoning
may become known a few years down the line......
I'm taking an open mind. :)
--
Hi, I'm the signature virus,
help me spread by copying me into your Signature File
------------------------------
From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Tue, 03 Oct 2000 20:55:09 +0200
Francois Grieu wrote:
>
> [EMAIL PROTECTED] (DJohn37050) wrote:
>
> > The MOST info about an RSA key is revealed when using 2 or 3 for the
> > public exponent. For example, 1/2 the high order bits of d (the private
> > exponent) are revealed.
>
> Quite an interesting remark. Can the amount of information leaked
> on d be quantified as a function of e, to weight the justification
> of e=2^16+1 rather than e=3 on these grounds ?
the point is the following one:
e * d = 1 mod phi(n) (or lambda(n))
it means (for 2 prime factors)
e * d = a * (p - 1) * (q - 1) + 1 > n
1 < a < e (it means a = 2 when e = 3)
or
d = (a / e) * (n - p - q + 1) + (1 / e)
it is not so far from
d = (a / e) * n for the most significant bits (around half of the length,
because p and q are around half of n in length)
for e = 3,
d = (2 / 3) * n for the most significant bits (the half) is an easy guess.
If e is about 16 bits you reveal less information than for e = 3.
(I don't see how to guess the correct a at the moment, if possible)
but in some way this remark is always useful.
There was a nice presentation by Peter Landrock during the rump session of
crypto 97 about blackmailing a bank by revealing byte by byte its secret
key: see http://www.iacr.org/conferences/c97/c97rump.txt
(let us remark the titles at 8:05, 9:36 and 10:23).
------------------------------
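Added example, not from any post in this digest: the derivation in Quisquater's message (d = (a/e)(n - p - q + 1) + 1/e with 1 <= a < e, so the top half of d follows from n, e and a) and Roger Schlafly's earlier point about screening p-1 for divisibility by the public exponent before running the slow primality test, both in Python. Key sizes, the seed and all function names are this example's own constructed choices, not a library's API; 256-bit primes are used so it runs in well under a second.

```python
# Added example, not from the thread: the high-order bits of d that are
# determined by n when e is small, and prime generation that screens (p - 1)
# for divisibility by e before the slow primality test.  Parameters and key
# sizes are constructed for illustration (256-bit primes, fixed seed).
import math
import random

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59)

def is_probable_prime(n, rng=None, rounds=32):
    """Trial division by a few small primes, then Miller-Rabin with random bases."""
    rng = rng or random.Random()
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # composite witness found
    return True

def gen_prime(bits, e, rng=None):
    """Random odd `bits`-bit prime p with gcd(e, p - 1) == 1.  The gcd screen
    runs first, so candidates that would make e unusable never reach
    Miller-Rabin (Schlafly's point: reject cheaply, then test slowly)."""
    rng = rng or random.Random()
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if math.gcd(e, cand - 1) != 1:
            continue
        if is_probable_prime(cand, rng):
            return cand

def rsa_keypair(bits, e, rng):
    """Return (n, e, d, p, q) with d the inverse of e modulo phi(n)."""
    p = gen_prime(bits // 2, e, rng)
    q = gen_prime(bits // 2, e, rng)
    while q == p:
        q = gen_prime(bits // 2, e, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi), p, q     # pow(e, -1, m) needs Python 3.8+

def matching_top_bits(x, y, width):
    """Number of leading bits, at the given width, on which x and y agree."""
    return width - (x ^ y).bit_length()

def high_bit_leak(bits, e, seed):
    """Build a key and compare d with the estimate (a * n) // e from the
    identity e*d = a*phi(n) + 1, i.e. d = (a/e)(n - p - q + 1) + 1/e.
    The error is about (a/e)(p + q), roughly half the length of n, so only
    the low half of d is unknown to someone who knows n, e and a."""
    rng = random.Random(seed)
    n, e, d, p, q = rsa_keypair(bits, e, rng)
    phi = (p - 1) * (q - 1)
    a = (e * d - 1) // phi                 # exact: e*d - 1 is a multiple of phi
    estimate = (a * n) // e
    width = n.bit_length()
    return {
        "a": a,                            # forced to 2 when e = 3
        "candidates_for_a": e - 1,         # values an outsider would have to try
        "width": width,
        "matching_top_bits": matching_top_bits(d, estimate, width),
        "error_bits": abs(d - estimate).bit_length(),
    }

if __name__ == "__main__":
    for e in (3, 65537):
        print(e, high_bit_leak(512, e, seed=1))
```

With e = 3 the multiplier a is always 2 (phi(n) is 1 mod 3 when both primes are 2 mod 3, so only a = 2 makes (a*phi + 1)/3 an integer), and the estimate gets the top half of d right for free. With e = 65537 the same approximation holds once a is known, but a is one of 65536 values, which is the sense in which a 16-bit exponent reveals less.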
From: "mike boyle" <[EMAIL PROTECTED]>
Subject: Re: Problem question
Date: Tue, 03 Oct 2000 18:45:14 GMT
Ernest Dumenigo <[EMAIL PROTECTED]> wrote in message
news:8rb1ol$[EMAIL PROTECTED]...
> I've been working on some of the problems given in Military
> Cryptanalytics, while reading it, and I am completely stuck on one of the
> problems, and have not been able to solve it!!
>
> The Plain text has been broken up into five letter groups, and each
> letter put in alphabetical order in each group:
>
> ORSUU ABIMR AEHNS ENSUV ADKOR ADEGM EEINN EMNVY EELSS S
>
> What I have come up with (and don't know if its right or wrong) is:
> Our submarine has ENSUV ADKOR ADEGM nine enemy vessels
>
> Can anyone make sense of that middle part? Or am I completely off track?
>
> --
> -----
> Ernest
Well, I can get:
our submarine has sunk or evaded AGM nine enemy vessels
Is that any help ?
Mike Boyle
------------------------------
From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Tue, 03 Oct 2000 20:59:48 +0200
Roger Schlafly wrote:
>
> Francois Grieu wrote:
> > [EMAIL PROTECTED] (DJohn37050) wrote:
> > > The MOST info about an RSA key is revealed when using 2 or 3 for the
> > > public exponent. For example, 1/2 the high order bits of d (the private
> > > exponent) are revealed.
> >
> > Quite an interesting remark. Can the amount of information leaked
> > on d be quantified as a function of e, to weight the justification
> > of e=2^16+1 rather than e=3 on these grounds ?
>
> No secret info is leaked in either case. If the RSA key is public,
> and you know one factor, you can do a division to get the other.
> So in an info-theoretic sense, only half the secret key bits are
> really secret, because half the bits (the 2nd prime) can be deduced
> from the other half (the 1st prime).
You're right from an info-theoretic point of view but see my remark about
timing and other attacks.
------------------------------
From: Philip MacKenzie <[EMAIL PROTECTED]>
Subject: Re: Authenticating a PIN Without Compromising the PIN
Date: Tue, 03 Oct 2000 14:36:24 -0400
Paul Rubin wrote:
>
> Guy Lancaster <[EMAIL PROTECTED]> writes:
> > If it's possible, how could a protocol authenticate a user's
> > PIN without revealing information that would make it
> > relatively easy to determine the actual PIN value?
> > PINs are commonly used to authenticate users of trusted
> > machines but is there any way that they can be secure for
> > use over untrusted networks? I'm beginning to think that
> > the answer is no.
>
> It can be done. See http://srp.stanford.edu.
>
Or for a protocol with a formal proof of security, check out PAK at
http://www.bell-labs.com/user/philmac/pak.html
I think PAK is also more amenable to being used with
elliptic curve or XTR crypto, which may make it more
suitable for small low-power devices.
By the way, a description of the protocol used in PAKtelnet
and PAKftp is now available from that site.
-Phil
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 3 Oct 2000 11:49:26 -0700
> :> It wasn't the fastest on hardware (Serpent, Rijndael)
>
> : Hardware is *not* where we will see a lot of uses of it.
>
> I thought that was a pretty central design consideration.
>
> AES will be used in smart cards and the like.
And DES was supposed to be used primarily in hardware. I think based on
experience it's safe to say that software speed and hardware efficiency (in
terms of transistors) are probably the important factors. If the software is
fast, then its most popular incarnations will be fast. For real speed
freaks the number of connections that can be simultaneously maintained is
probably going to be of the most interest; for them few transistors = lots of
chips = many connections = good, while lots of transistors = few fast chips
= few connections = not as good. Rijndael meets this requirement fairly
well. What we need to remember is that raw speed is also not the only
factor. Just a fairly simple example: Yahoo doesn't really care whether they
can serve every connection at 200kbs, especially if it means they can serve
1/10 of the demand. OTOH if they can serve 200% of their demand but they
have to do it at 50kbs, they would certainly be much happier, and few would
be the wiser, or even care.
Joe
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 03 Oct 2000 18:58:51 GMT
Subject: Re: Signature size
See also the PV submission for short sigs.
Don Johnson
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Rijndael test vectors
Date: Tue, 03 Oct 2000 12:54:23 -0600
Roger Schlafly wrote:
>
> I looked at the official Rijndael test vectors, but I had trouble
> making sense of them.
<snip>
> Electronic Codebook (ECB) Mode - ENCRYPTION
> Monte Carlo Test
<snip>
> Cipher Block Chaining (CBC) Mode - ENCRYPTION
> Monte Carlo Test
<snip>
The Monte Carlo Test encrypts a bunch of times (i.e.,
re-encrypts the output). I don't remember the details,
but presumably NIST defines it carefully somewhere.
JM
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: Rijndael test vectors
Date: Tue, 3 Oct 2000 20:04:30 +0100
"Roger Schlafly" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I looked at the official Rijndael test vectors, but I had trouble
> making sense of them. Eg, the vectors below appear to be for
> PlainText all zeros, Key all zeros, IV (if applicable) all zeros.
> But if IV=0, shouldn't the ECB be the same CipherText as the CBC?
No - the cipher blocks are passed through the algorithm 10000 times in each
of these tests, not just once.
However, the ECB_VK and ECB_VT test vectors use the algorithm just once.
You will not be surprised to know how often I have 'debugged' other people's
code because of this!
Brian Gladman
------------------------------
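Added example, not from any post in this digest and not the Rijndael submission's own reference code: a compact pure-Python AES-128 (Rijndael with a 128-bit block and key) encryption together with the ECB Monte Carlo Test procedure that John Myre and Brian Gladman describe, where the ciphertext is fed back as the next plaintext 10000 times under the same key. Running it on the all-zero key and plaintext reproduces the ecb_e_m.txt value quoted above (C34C052CC0DA8D73451AFE5F03BE297F), whereas a single encryption gives a different block, which is why the Monte Carlo vectors cannot be checked with a one-shot call. The S-box is derived from the field inverse and affine map rather than tabulated; all function names are this example's own.

```python
# Added example, not from the digest or the Rijndael submission: minimal
# AES-128 block encryption plus the ECB Monte Carlo Test inner loop
# (10000 chained encryptions under one key), to show why the MCT vector
# differs from a single-block encryption of the same input.

def _xtime(b):
    """Multiply a byte by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def _build_sbox():
    """S-box: GF(2^8) multiplicative inverse, then the fixed affine map."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):                   # 0x03 generates the multiplicative group
        exp[i], log[x] = x, i
        x ^= _xtime(x)                     # x *= 0x03
    sbox = [0] * 256
    for v in range(256):
        inv = exp[(255 - log[v]) % 255] if v else 0
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF   # rotate left one bit
            s ^= inv
        sbox[v] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
MUL2 = [_xtime(x) for x in range(256)]
MUL3 = [_xtime(x) ^ x for x in range(256)]

def _expand_key(key):
    """AES-128 key schedule: eleven 16-byte round keys (column-major)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]     # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _round(s, rk, mix):
    """SubBytes + ShiftRows (row r rotates left by r), optional MixColumns,
    then AddRoundKey.  State index = 4*column + row, matching input order."""
    s = [SBOX[s[4 * ((c + r) % 4) + r]] for c in range(4) for r in range(4)]
    if mix:
        out = []
        for c in range(4):
            a0, a1, a2, a3 = s[4 * c:4 * c + 4]
            out += [MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3,
                    a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
                    a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3],
                    MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3]]
        s = out
    return [x ^ k for x, k in zip(s, rk)]

def _encrypt_with_schedule(rks, block):
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = _round(s, rks[rnd], mix=(rnd != 10))   # no MixColumns in round 10
    return bytes(s)

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block under a 16-byte key."""
    assert len(key) == 16 and len(block) == 16
    return _encrypt_with_schedule(_expand_key(key), block)

def ecb_monte_carlo(key, pt, iterations=10000):
    """ECB Monte Carlo Test inner loop for one 'I=' entry: re-encrypt the
    previous ciphertext under the same key `iterations` times."""
    rks = _expand_key(key)
    ct = bytes(pt)
    for _ in range(iterations):
        ct = _encrypt_with_schedule(rks, ct)
    return ct

if __name__ == "__main__":
    zero = bytes(16)
    print("single block:", aes128_encrypt_block(zero, zero).hex().upper())
    print("ECB MCT     :", ecb_monte_carlo(zero, zero).hex().upper())
```

The single-block vectors (ECB_VK and ECB_VT in the submission files, or the FIPS-197 worked example) are the ones to use when checking a fresh implementation; the CBC Monte Carlo file also iterates 10000 times but chains its feedback differently, so its value is not reproduced here.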
From: [EMAIL PROTECTED] (DJohn37050)
Date: 03 Oct 2000 19:06:14 GMT
Subject: Re: Choice of public exponent in RSA signatures
Yes, the reveal top half of d was from Peter's talk. Without the bottom half
of d, the secret is safe. However, this situation is disadvantageous for a few
reasons.
1) If d is encrypted by a symmetric cipher (as is often the case), this reveals
some plaintext/ciphertext pairs to the adversary.
2) An adversary MIGHT be able to use the info about the top half of d to fine-tune
a timing or power attack, as he KNOWS the answer for some bits. So it
could be used in a combo attack. Remember, attackers cheat.
Don Johnson
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************