Cryptography-Digest Digest #842, Volume #12       Wed, 4 Oct 00 19:13:01 EDT

Contents:
  Re: Counterpane Funny Stuff (John Myre)
  Re: the truth about rijndael cracked by biham (Simon Johnson)
  Re: The best way to pronounce AES (Mok-Kong Shen)
  Re: Is there any keyed MD5 or Blowfish encryption software out there? (Jim Gillogly)
  Re: Choice of public exponent in RSA signatures (John Myre)
  Re: NSA quote on AES (SCOTT19U.ZIP_GUY)
  Re: Choice of public exponent in RSA signatures (David Wagner)
  Encryption problem ("ed dominguez")
  Re: SHA C++ Implementation ([EMAIL PROTECTED])
  Re: OPEN LETTER ABOUT Rijndael to sci.crypt (Michael Elkins)
  Re: It's Rijndael (Ryan McBride)
  Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Dave Howe)
  Re: The best way to pronounce AES (Tom St Denis)
  Re: SHA C++ Implementation (Jim Gillogly)
  Re: Encryption problem ("Paul Pires")
  Re: The best way to pronounce AES ("Paul Pires")
  Re: It's Rijndael (David Crick)
  HELLO?!?!?!  Where are you, Jim Gillogly?  I wish you would respond!!! (About cryptograms) (daniel mcgrath)

----------------------------------------------------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Counterpane Funny Stuff
Date: Wed, 04 Oct 2000 15:02:54 -0600

"SCOTT19U.ZIP_GUY" wrote:
<snip>
>   Damn, must have missed it. There's too much to read it all.
> Though Serpent seems related to Lucifer, which led to DES;
> maybe someone can make a connection to Rin... whatever it is.
<snip>

Well, one of the authors is named Daemen...

I was, um, startled, by some of the stuff that turned
up when I did a web search on that.

JM

------------------------------

From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: the truth about rijndael cracked by biham
Date: Wed, 04 Oct 2000 21:14:49 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Allen Ethridge) wrote:
> [EMAIL PROTECTED] wrote in <8rfopa$85o$[EMAIL PROTECTED]>:
>
> >I thought there was more people reading sci.crypt
> >but nope, only 100 people
> >
> >It's a little newsgroup here
>
> I imagine quite a lot of us, like myself, didn't find it necessary to
> actually go to the web site to determine that your post was bogus.
>
> --
> "Sadness falling like burned skin."
>

My troll detector was instantly alerted, and I lost interest in your
claim at that exact instant.
--
Hi, I'm the signature virus;
help me spread by copying me into your signature file.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: The best way to pronounce AES
Date: Wed, 04 Oct 2000 23:54:33 +0200



Scott Craver wrote:
> 
>         I know I have no authority to decide these things, but I
>         strongly feel that "AES" should be pronounced, "uh-YES."

Side question: As far as I know, the 'standard' British
English is the Oxford English. Which is the corresponding
one for American English? Thanks.

M. K. Shen

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Is there any keyed MD5 or Blowfish encryption software out there?
Date: Wed, 04 Oct 2000 21:48:25 +0000

[EMAIL PROTECTED] wrote:
> I am asking for an MD5 or Blowfish algorithm because these, I am told,
> are widely accepted encryption schemes that can be used outside of the
> US (unlike DES)

The people who are telling you this need to be giving you better
advice.  MD5 is a hash algorithm, not an encryption algorithm, which
means it produces random-looking garbage from data without using a
key, and is not reversible.  If you needed a hash algorithm today
you'd probably use SHA-1 anyway, since Dobbertin did some nice work
on MD5 which, though it doesn't break it, raises suspicions.  RSA Labs,
the inventors of MD5 (Rivest, to be more specific) recommends not
using MD5 in new applications.  Blowfish is widely accepted, but you
might as well use its successor Twofish, a strong semi-finalist AES
candidate.  Blowfish, Twofish and DES can all be used outside of the
US; DES is the only one of these for which you'll have an easy time
getting an export license, because it's significantly weaker than
the other two.

> Does software already exist already, or am I searching for a holy grail?

Lots of software exists, but I think you need to get professional
help to build your app if it's going to be used for critical data.
-- 
        Jim Gillogly
        Mersday, 13 Winterfilth S.R. 2000, 21:41
        12.19.7.10.17, 13 Caban 20 Chen, First Lord of Night

------------------------------
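
What a "keyed" hash actually is, as an added example that is not part of the reply above: a plain hash such as MD5 or SHA-1 has no key input, so anyone who can read the data can recompute it, and the standard way to key either of them is HMAC (RFC 2104). The construction is built here from its definition and checked against Python's hmac module, with SHA-1 as the reply suggests and MD5 for comparison. The key and messages are constructed for the example.

```python
import hashlib
import hmac


def my_hmac(key: bytes, msg: bytes, algo: str = "sha1") -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg)).

    MD5 and SHA-1 both work on 64-byte blocks; a key longer than that is
    hashed first, then every key is zero-padded to the block size.
    """
    h = lambda data: hashlib.new(algo, data).digest()
    block_size = hashlib.new(algo).block_size        # 64 for md5 and sha1
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg))


def verify(key: bytes, msg: bytes, tag: bytes, algo: str = "sha1") -> bool:
    """Receiver-side check; compare_digest avoids leaking where the tags differ."""
    return hmac.compare_digest(my_hmac(key, msg, algo), tag)


def demo() -> dict:
    # Constructed inputs: a shared key and a message someone might want to alter.
    key = b"shared secret (constructed for the example)"
    msg = b"order=17;amount=4200"
    tampered = msg.replace(b"4200", b"42")
    # hashlib.sha1(tampered) is all a forger needs to "fix" a bare hash:
    # there is no key to stop them.  The HMAC tag cannot be recomputed without `key`.
    tag = my_hmac(key, msg)
    return {
        "matches_stdlib_sha1": tag == hmac.new(key, msg, "sha1").digest(),
        "matches_stdlib_md5": my_hmac(key, msg, "md5") == hmac.new(key, msg, "md5").digest(),
        "genuine_accepted": verify(key, msg, tag),
        "tampered_rejected": not verify(key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

`my_hmac` exists only to show the construction; in real code call `hmac.new` directly and always compare tags with `hmac.compare_digest`. Note that HMAC gives integrity and authenticity, not confidentiality: the message is still sent in the clear, which is the other half of the "hash is not encryption" point in the reply.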

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Wed, 04 Oct 2000 15:43:49 -0600

Joseph Ashwood wrote:
<snip>
> factoring algorithms come in three
> general types: those that factor in the same time regardless of factor
> sizes, those that factor numbers with smaller factors faster, and
> those that exploit some artifact of the prime choosing methods. Only the
> first two matter for this decision (the third is in the generation, which is
> separate).

Ok.

> The 2-prime version clearly has an advantage against n-prime RSA
> simply from the fact that the primes cannot be larger than the primes for
> 2-prime when the factoring algorithm works faster with smaller factors.

It has the advantage when considering just the algorithm(s) that
get faster with smaller factors.

> When
> the algorithm takes the same time regardless of factor size, the 2 proposals
> are equal.

Right.  And if that is the fastest algorithm in all cases
of interest, then of course the proposals have equal security.

> I have no proof that it must remain this way, but I have seen
> evidence only that numbers with 2 factors must be at least as hard to factor
> as n-prime, therefore lacking evidence to the contrary I will retain my
> stand that 2-prime RSA is at least as strong as n-prime RSA.
<snip>

Which is fine, but that is not the same as saying that
n-prime is necessarily *weaker*.  The contention has been
that, in the range of moduli that might be considered
secure (say, 1024 bits), that (for example) 3 primes are
just as secure.  Since 3 primes can be faster, it has the
advantage.

The factoring method that gets faster as the factors get
smaller is slower than the method which ignores factor
size when there are two factors; and the slower method
*does not catch up* with only three factors.  So it is
still slower, and so factoring is still just as hard, and
so RSA is still exactly as secure as before with three
factors instead of two. At some point, too many primes is
bad.  But two primes is not the optimum.

JM

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: NSA quote on AES
Date: 4 Oct 2000 21:47:14 GMT

[EMAIL PROTECTED] (David Crick) wrote in <[EMAIL PROTECTED]>:

>"The National Security Agency (NSA) wishes to congratulate the National
>Institute of Standards and Technology on the successful selection of an
>Advanced Encryption Standard (AES). It should serve the nation well. In
>particular, NSA intends to use the AES where appropriate in meeting the
>national security information protection needs of the United States
>government."

   These are weasel words if nothing else. To say they will use it
where it's appropriate does not mean anything at all. They may
only use it in the sense of decoding messages. And they don't say
where it's appropriate for them to use. But I guess it is too much
to expect an honest answer from them.


>
> Michael J. Jacobs
> Deputy Director for Information Systems Security
> National Security Agency
>
>- http://www.nist.gov/public_affairs/releases/aescomments.htm
>


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Choice of public exponent in RSA signatures
Date: 4 Oct 2000 21:59:35 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

What you're missing is that factoring methods which depend only on the
size of n dominate the factoring methods which are faster when n has
small prime factors ... at least today.

So it's not a priori obvious that 3-prime RSA is necessarily weaker
than 2-prime RSA; it depends on the relative performance of, e.g.,
the ECM and NFS factoring algorithms.

------------------------------
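
What the thread calls n-prime RSA, as an added example that is not from either of the posts above: key generation with two or three primes, the CRT decryption that gives multi-prime RSA its speed (one exponentiation modulo each prime, then recombination), and the cost model behind "three primes can be faster". Key sizes are deliberately small and the RNG is seeded so the run is reproducible; nothing here is sized for real use, and the factoring question itself (NFS versus ECM) is not something code can settle, so the example stays with correctness and cost.

```python
import random
import time
from math import gcd


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin with `rounds` random bases (composite slips through with prob < 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(cand, rng):
            return cand


def keygen(modulus_bits: int, num_primes: int, e: int = 65537, seed=None) -> dict:
    """RSA key whose modulus is the product of `num_primes` primes of equal size."""
    rng = random.Random(seed)   # seeded for reproducibility; real keys need `secrets`
    primes = []
    while len(primes) < num_primes:
        p = random_prime(modulus_bits // num_primes, rng)
        if p not in primes and gcd(e, p - 1) == 1:
            primes.append(p)
    n = phi = 1
    for p in primes:
        n *= p
        phi *= p - 1
    return {"n": n, "e": e, "d": pow(e, -1, phi), "primes": primes}


def decrypt_plain(key: dict, c: int) -> int:
    """One full-size exponentiation: about k^3 bit operations for a k-bit modulus
    with schoolbook multiplication."""
    return pow(c, key["d"], key["n"])


def decrypt_crt(key: dict, c: int) -> int:
    """One exponentiation per prime, each about (k/m)^3, then Chinese-remainder recombination."""
    n, d = key["n"], key["d"]
    m = 0
    for p in key["primes"]:
        m_p = pow(c % p, d % (p - 1), p)   # c^d mod p; exponent reduced mod p-1 (Fermat)
        n_p = n // p                       # product of the other primes
        m += m_p * n_p * pow(n_p, -1, p)   # standard CRT reconstruction term
    return m % n


def crt_speedup(num_primes: int) -> int:
    """Work ratio (plain : CRT) under the cubic model: m primes of k/m bits cost
    m * (k/m)^3 = k^3 / m^2, so CRT is m^2 times cheaper.  Two primes: 4x, three: 9x,
    i.e. three-prime CRT is 9/4 = 2.25x faster than two-prime CRT."""
    return num_primes ** 2


if __name__ == "__main__":
    msg = int.from_bytes(b"three primes can be faster", "big")   # constructed plaintext
    for m in (2, 3):
        key = keygen(768, m, seed=2000)
        c = pow(msg, key["e"], key["n"])
        t0 = time.perf_counter(); decrypt_plain(key, c); t1 = time.perf_counter()
        decrypt_crt(key, c); t2 = time.perf_counter()
        print(f"{m}-prime: plain {(t1 - t0) * 1e3:.2f} ms, CRT {(t2 - t1) * 1e3:.2f} ms, "
              f"cubic-model speedup {crt_speedup(m)}x")
```

The measured ratio will not be exactly 4 or 9 because CPython's big-integer multiplication is not schoolbook, but the direction is the one the thread describes: more, smaller primes means cheaper private-key operations. What the example does not show is the other side of the trade: each extra prime makes the individual factors smaller, which is exactly what an ECM-style attack feeds on, and that is the comparison David Wagner's reply says the decision hinges on.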

From: "ed dominguez" <[EMAIL PROTECTED]>
Subject: Encryption problem
Date: Wed, 4 Oct 2000 16:02:58 -0500

We were toying with the idea of creating a small "price is
right" game at work. We have a hefty prize and we were deciding
how to give it away, and we thought about giving the prize to
the one who finds out what the price is.

Problem is, someone always knows the price. So we decided
to make this price random, although realistic. We decided
to encrypt this and store it in a file. But then, brute
forcing your way to the real price is trivial.

How can I implement a program that will encrypt a random number but
that is so secure that even the programmers can't brute-force it
in a small amount of time (days, weeks)?

I am not a student of crypto, so maybe this is a FAQ. I RTFF (FAQ)
but couldn't find an answer for this.

Thanks in advance



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: SHA C++ Implementation
Date: Wed, 04 Oct 2000 22:01:55 GMT


> What mean you by "do not seem to work"?  I used the code from the
> ftp.funet.fi archive, and it works just fine, except that it's code
> implementing the OLD Secure Hash Algorithm (SHA) as described in FIPS
> 180, and requires setting a compile time conditional for it to become
> FIPS 180-1-compliant.  What platform are you testing it on?  The C
> implementations you've found probably work well enough, only you might
> not be using them properly.
>
> --
> Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
> ICSM-F Development Team, UP Diliman           +63 (917) 4458925
> OpenPGP Key ID: 0x0E8CE481

I'm using CodeWarrior for the Macintosh and the code I found is at
"http://www.unix-ag.uni-kl.de/~conrad/krypto/passphrase-
faq.html#appendixD"  It gives me errors on the "#ifndef ONT_WRAP" and the
"#endif ONT_WRAP" lines.  When I comment those out, the program runs and
prints something out on the screen and then quits before I can read the
message.  If I run the program again, my computer freezes.  I'm using a
Macintosh G4 running OS 9, so I doubt that there's a problem with the computer I'm
using.  I've worked on writing my own SHA code in C++, but I'm getting
TOTALLY different S function outputs than what is supposed to be there.

-GH
[EMAIL PROTECTED]



------------------------------

From: [EMAIL PROTECTED] (Michael Elkins)
Subject: Re: OPEN LETTER ABOUT Rijndael to sci.crypt
Date: Wed, 04 Oct 2000 22:15:21 GMT

On 4 Oct 2000 17:55:19 GMT, SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
wrote:
>However, I would like to propose a chaining mode so people
>who encrypt files can do a few things that the NIST chaining
>methods will not allow them to do. The problem with any 
>encryption chaining mode is that they do not hide the underlying
>cipher from attack, so that it is easy for someone to gain a list
>of ciphertext/plaintext block pairs. I have been corresponding with
>NIST but I feel it is leading to nowhere. Just like the false promises
>of the guy who encouraged me to write a paper for ACM.  My proposal
>is this.  We design chaining modes that hide the ciphertext/plaintext
>pairs along with test vectors to check the implementation.
> We design modes that do the following. A single bit change in the
>input file changes the whole output file. The length of the output
>file matches the length of the input file.

How do you propose that the implementations of a crypto algorithm be tested
if there are no test vectors to work with?  In general, algorithms which
rely on the nondisclosure of the logic are a bad idea.

It is not very feasible to build a table of plaintext-ciphertext pairs.
If you consider a 128-bit key with an 8-byte block size, that would be a
table of 2^128 * 2^64 = 2^8192 entries.

The use of CBC mode prevents patterns in the plaintext
from showing up in the ciphertext.  Each block is XOR'd with the previous
block.  Given different IVs, the same file will have completely different
ciphertext.

If you want the ciphertext to be the same length as the plaintext, use CFB
mode.  It allows you to encrypt 1 bit at a time if you like, or any other
unit <= the block size of the cipher algorithm you are using.

me(at)sigpipe(dot)org

------------------------------
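
CBC and CFB as described in the reply above, as an added example that is not part of the post: both modes are built over a 64-bit block (the 8-byte block size mentioned) so the claims can be checked directly: CBC pads, so the ciphertext grows to a block multiple; 8-bit CFB keeps the ciphertext exactly as long as the plaintext; and a different IV gives a completely different ciphertext for the same file. The "cipher" underneath is a 4-round Feistel network with a SHA-256 round function, an assumption standing in for Blowfish or Rijndael so the example runs with the standard library alone. Key, IVs and plaintext are constructed.

```python
import hashlib

BLOCK = 8   # 8-byte block, as in the post (Blowfish, DES); AES would use 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: SHA-256 truncated to the 4-byte half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher (4-round Feistel); an assumption, not Blowfish."""
    L, R = block[:4], block[4:]
    for rnd in range(4):
        L, R = R, xor(L, _f(key, rnd, R))
    return L + R


def block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:4], block[4:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _f(key, rnd, L)), L
    return L + R


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV first).
    PKCS#7 padding makes the output 1..BLOCK bytes longer than the input."""
    pad = BLOCK - len(pt) % BLOCK
    pt = pt + bytes([pad]) * pad
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += xor(block_decrypt(key, blk), prev)
        prev = blk
    pad = out[-1]
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return bytes(out[:-pad])


def cfb8_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CFB with an 8-bit segment: the cipher only ever encrypts the shift register,
    so nothing is padded and len(ct) == len(pt)."""
    sr, out = iv, bytearray()
    for b in pt:
        c = b ^ block_encrypt(key, sr)[0]
        out.append(c)
        sr = sr[1:] + bytes([c])        # ciphertext feeds back into the register
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    sr, out = iv, bytearray()
    for c in ct:
        out.append(c ^ block_encrypt(key, sr)[0])
        sr = sr[1:] + bytes([c])
    return bytes(out)


def first_difference(a: bytes, b: bytes) -> int:
    """Index of the first byte where two ciphertexts differ (shows how far a change propagates)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


if __name__ == "__main__":
    key, iv1, iv2 = b"constructed key!", bytes(range(8)), bytes(range(8, 16))
    pt = b"attack at dawn, attack at dawn"          # 30 bytes, repeated phrase
    flipped = bytearray(pt); flipped[20] ^= 1; flipped = bytes(flipped)
    print("CBC len", len(cbc_encrypt(key, iv1, pt)), "CFB len", len(cfb8_encrypt(key, iv1, pt)))
    print("same IV, same file, same ciphertext:",
          cbc_encrypt(key, iv1, pt) == cbc_encrypt(key, iv1, pt))
    print("different IV:", cbc_encrypt(key, iv1, pt) != cbc_encrypt(key, iv2, pt))
    print("CBC first changed byte after flipping byte 20:",
          first_difference(cbc_encrypt(key, iv1, pt), cbc_encrypt(key, iv1, flipped)))
    print("CFB first changed byte after flipping byte 20:",
          first_difference(cfb8_encrypt(key, iv1, pt), cfb8_encrypt(key, iv1, flipped)))
```

Two things the example makes visible that the reply leaves implicit. The "completely different ciphertext" depends entirely on the IV: the same key, IV and file give the same ciphertext every time, so the IV must be fresh (random or a counter) per file. And neither mode spreads a change over the whole file: flipping byte 20 leaves every ciphertext byte before it untouched in both modes, and only the bytes from that point on change. Neither mode provides integrity either; that needs a MAC.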

From: Ryan McBride <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Wed, 04 Oct 2000 22:16:40 GMT

Brian Gladman wrote:
> But there are more useful things to discuss now we know that the AES is
> Rijndael since this algorithm specifies block lengths that have been outside
> the AES specification.
> 
> It will be interesting to discover whether the AES standard will stick with
> its existing specification or whether it will be extended to include the
> longer block length options that Rijndael provides.

I doubt that they will extend it. I think their argument would be that
variants outside the original specification have not received adequate
scrutiny. But it may be something that they choose to revisit in the
future.

-Ryan

--
Ryan McBride - [EMAIL PROTECTED]
Systems Security Consultant
Countersiege Systems Corporation - http://www.countersiege.com

------------------------------

From: Dave Howe <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Date: Wed, 04 Oct 2000 23:18:16 +0100

In our last episode (<alt.security.pgp>[Wed, 04 Oct 2000 03:02:53
GMT]), Jacques Therrien <[EMAIL PROTECTED]> said :
>There are however incompatibilities with 4096-bit RSA keys.  For instance 
>in PGP 6.x., those RSA keys cannot be used for encryption.
>I am not sure what would happen if one tried to verify a message signed 
>with such an RSA key -- I would assume that would not work either.
It doesn't - I signed an HTML file with my 4096-bit RSA key a few weeks back,
and the 6.x users on-list couldn't verify it. I must admit I find this
more than mildly suspicious - 5.x *does* verify and use those keys OK.

--== DaveHowe ( is at) Bigfoot dot com ==--

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: The best way to pronounce AES
Date: Wed, 04 Oct 2000 22:22:43 GMT

In article <8rg42r$f7p$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Scott Craver) wrote:
>       I know I have no authority to decide these things, but I
>       strongly feel that "AES" should be pronounced, "uh-YES."
>
>       Like Mr. Dingle or whoever it was from the train station in
>       the old Jack Benny radio
show.  "auhYEEEEEEEEEEEEEEEEEEEEEESSSS????"

I say it like "ez" (long, not e-z), as it sounds in "says".

Tom



------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: SHA C++ Implementation
Date: Wed, 04 Oct 2000 22:34:28 +0000

[EMAIL PROTECTED] wrote:
> I'm using codewarrior for the macintosh and the code I found is at
> "http://www.unix-ag.uni-kl.de/~conrad/krypto/passphrase-faq.html#appendixD"

That's the old (SHA-0) version of my code.  After NIST came out with
their small fix, I updated it.  You can find a fresher version in
various places around the Net, including
http://packetstorm.securify.com/crypt/applied-crypto/sha.tar.gz

> It gives me errors on the "#ifndef ONT_WRAP" and the
> "#endif ONT_WRAP" lines.  When I comment those out, the program runs and

Some compilers don't like anything after the #endif, so you can just
remove the "ONT_WRAP" on the #endif line if that's what Codewarrior's
problem is.

As it says in the comments, you compile with -DONT_WRAP if you want
to use the functions in another program; otherwise it compiles a
wrapper so you can test SHA-1 (with the later version) directly.

> prints someting out on the screen and then quits before I can read the
> message.  If I run the program again, my computer freezes.  I'm using a
> macintosh G4 OS9, so I doubt that there's a problem with the computer I'm
> using.  I've worked on writing my own SHA code in C++, but I'm getting
> TOTALLY different S function outputs than what is supposed to be there.

I don't know anything about freezing the Mac, but if you modify
the program all bets are off.  Regarding the different S function
outputs -- try the SHA-1 version rather than the SHA-0 version you
picked up... maybe they'll match.

-- 
        Jim Gillogly
        Mersday, 13 Winterfilth S.R. 2000, 22:29
        12.19.7.10.17, 13 Caban 20 Chen, First Lord of Night

------------------------------
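
The "small fix" that turned SHA-0 into SHA-1, as an added example that is not Jim Gillogly's code: the two algorithms differ in exactly one place, a one-bit left rotation in the message schedule, so a from-scratch implementation with that rotation switchable shows why a SHA-0 program and FIPS 180-1 test values disagree. The circular shift S^n from FIPS 180 is `rotl` below; forgetting to mask it to 32 bits is the usual reason a homegrown version produces "totally different" values. SHA-1 output is checked against hashlib, and the inputs are constructed.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """S^n from FIPS 180: 32-bit circular left shift.  The mask is essential in
    Python (unbounded ints) and in C whenever `x` is held in a type wider than 32 bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha(message: bytes, sha1: bool = True) -> bytes:
    """FIPS 180 / 180-1 hash.  sha1=False reproduces the original SHA (SHA-0)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Padding: a 1 bit (0x80), zeros to 56 mod 64, then the bit length as a 64-bit big-endian int.
    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack(">Q", bit_len)
    for off in range(0, len(message), 64):
        w = list(struct.unpack(">16L", message[off:off + 64]))
        for t in range(16, 80):
            wt = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            # The entire difference between SHA-0 and SHA-1 is this rotation.
            w.append(rotl(wt, 1) if sha1 else wt)
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + (f & MASK32) + e + k + w[t]) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5L", *h)


def sha1(message: bytes) -> bytes:
    return sha(message, sha1=True)


def sha0(message: bytes) -> bytes:
    return sha(message, sha1=False)


if __name__ == "__main__":
    for m in (b"abc", b"a" * 1000):   # constructed inputs
        print("SHA-1 matches hashlib:", sha1(m) == hashlib.sha1(m).digest(),
              " SHA-0:", sha0(m).hex())
```

When debugging an implementation, compare the five working variables after the first 64-byte block against a known-good library rather than only the final digest; a wrong `rotl`, a missing mask, or the SHA-0 schedule each show up at a different step.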

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Encryption problem
Date: Wed, 4 Oct 2000 15:37:39 -0700


ed dominguez <[EMAIL PROTECTED]> wrote in message
news:8rg66p$9kt$[EMAIL PROTECTED]...
> We were toying with the idea of creating a small "price is
> right" game at work. We have a hefty prize and we were deciding
> how to give it away and we thought about giving the price to
> that one that found out what the price is.
>
> Problem is, some always knows the price. So we decided
> to make this price random, although realistic. We decided
> to encrypt this and store it on a file. But then, brute
> forcing your way to the real price is trivial.
>
> How can I implement a program that will encrypt a random number but
> that its so secure that even the programmers cant brute-force it
> in small amount of time (days,weeks) ?

I don't think this is a Crypto problem. The problem is that the universe
your price lives in is too small if it is (realistic). I could write you a
routine that would pad it out and encrypt it so that the universe expired
from heat death, but that just means that an attacker will ignore the code
and guess the price directly. Note: Brute force = guessing.

Do what the Casinos do for Keno. Make the price so big that no-one
can guess it. Keno has 64 numbers, right? 12-spot is the big hit. That's
something like 64 to the 12th, or 2^72. That'll work, but I won't try your
game :-)

Paul

>
> I am not a student of crypto, so maybe this is a faq. I RTFF (faq)
> but couldnt find an answer for this.
>
> Thanks in advance
>
>





------------------------------
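
"Brute force = guessing" in code, as an added example that is not from either post: a price drawn from a realistic range is committed with a hash. With nothing secret mixed in, every price in the range is tried in a fraction of a second. A random 128-bit nonce stops that attack on the file, but whoever holds the nonce (the program, and so the programmers) reads the price just as fast as before, which is the reply's point that the small universe, not the cipher, is the problem. The range and values are constructed.

```python
import hashlib
import secrets
import time

PRICE_RANGE = range(100, 100_000)   # "realistic" whole-dollar prices (constructed)


def commit(price: int, nonce: bytes) -> bytes:
    """Hash commitment to the price; hides it only as long as the nonce stays secret."""
    return hashlib.sha256(nonce + str(price).encode()).digest()


def brute_force(commitment: bytes, nonce: bytes):
    """Try every price in the universe with the given nonce.

    Known (or empty) nonce: one hash per candidate price, about 10^5 in total.
    Unknown 128-bit nonce: 2^128 candidates per price, which is hopeless."""
    for price in PRICE_RANGE:
        if commit(price, nonce) == commitment:
            return price
    return None


def draw_and_commit(nonce_bytes: int):
    """Draw the secret price and a nonce of `nonce_bytes` bytes; return both plus the commitment."""
    price = secrets.choice(PRICE_RANGE)
    nonce = secrets.token_bytes(nonce_bytes)
    return price, nonce, commit(price, nonce)


def demo() -> dict:
    # Nonce-less commitment: the whole weakness is the size of PRICE_RANGE.
    price, _, c = draw_and_commit(0)
    t0 = time.perf_counter()
    cracked = brute_force(c, b"")
    elapsed = time.perf_counter() - t0
    # Nonced commitment: the stored value alone no longer gives the price away ...
    price2, nonce, c2 = draw_and_commit(16)
    # ... but the nonce holder recovers it in the same time as before.
    return {
        "cracked_without_nonce": cracked == price,
        "seconds_to_crack": elapsed,
        "file_alone_reveals_price": brute_force(c2, b"") == price2,
        "nonce_holder_reveals_price": brute_force(c2, nonce) == price2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Encrypting the price with a block cipher instead of hashing it changes nothing in this picture: the key plays the role of the nonce, and the attacker with the key (or with an oracle that says "higher" or "lower", which is what a price-guessing game hands out by design) walks the same small range.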

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: The best way to pronounce AES
Date: Wed, 4 Oct 2000 15:39:07 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Scott Craver wrote:
> >
> >         I know I have no authority to decide these things, but I
> >         strongly feel that "AES" should be pronounced, "uh-YES."
>
> Side question: As far as I know, the 'standard' British
> English is the Oxford English. Which is the corresponding
> one for American English? Thanks.

Bamma, I reckon.

Paul

>
> M. K. Shen





------------------------------

From: David Crick <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Wed, 04 Oct 2000 23:49:12 +0100

Ryan McBride wrote:
> 
> > But there are more useful things to discuss now we know that the AES is
> > Rijndael since this algorithm specifies block lengths that have been
> > outside the AES specification.
> >
> > It will be interesting to discover whether the AES standard will
> > stick with its existing specification or whether it will be extended
> > to include the longer block length options that Rijndael provides.
> 
> I doubt that they will extend it. I think their argument would be that
> variants outside the original specification have not received adequate
> scrutiny. But it may be something that they choose to revisit in the
> future.

NIST's Rijndael discussion forum:

10/3/2000 9:40:31 AM

From: Jim Foti
                                                         
Subject: Re: Rijndael block sizes vs. AES block sizes

Paulo-

In the draft standard, we intend to specify only the combinations that
have been studied so far: 128-bit blocks with 128-, 192-, and 256-bit
keys.

Yes, the algorithm can be implemented with larger block sizes (which
we identified in our report under Sec. 3.9), but before specifying those
options in a standard, there would HAVE to be more analysis.
To-date, I have not seen any such analysis - security or otherwise -
on Rijndael with 256-bit blocks.

Of course, if people are willing to contribute that type of analysis
during the upcoming comment period on the draft standard, then we
will certainly take it into consideration.

Regards,
Jim

-- 
+-------------------------------------------------------------------+
| David A. Crick <[EMAIL PROTECTED]> PGP: (OCT-2000 KEY) 0xE0F73D98 |
| Damon Hill Tribute Site: http://www.geocities.com/MotorCity/4236/ |
| M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
+-------------------------------------------------------------------+

------------------------------

From: [EMAIL PROTECTED] (daniel mcgrath)
Crossposted-To: rec.puzzles
Subject: HELLO?!?!?!  Where are you, Jim Gillogly?  I wish you would respond!!! (About cryptograms)
Date: Wed, 04 Oct 2000 23:04:31 GMT

On Tue, 26 Sep 2000 19:15:12 +0000, Jim Gillogly <[EMAIL PROTECTED]> wrote:

>daniel mcgrath wrote:
>> Jim, I can't find your suggestion about how to make the solving of the
>> cryptograms more interesting for more people.  Or maybe you are
>> talking about your mention of Kerckhoffs' Rule in the "WOF" thread?
>
>Yes: it's S.O.P. in the crypto biz to assume the enemy knows everything
>about your cryptosystem except the message key for this particular msg or
>group of msgs.  For hobbyists who have lots of interesting puzzles to
>work on, if we don't see the idea right off it may not be interesting to
>put in the kind of effort that would be required to crack it from
>ciphertext only.  My suggestion: since nobody has cracked your
>messages (and few people have reported trying to crack them), you may
>be able to breathe new life into the puzzle by describing the system
>but not giving the particular key used to encrypt that set of messages.
>The trickling of hints doesn't seem to be generating more interest.

The system used is one of changing bases (base 10 is derived from
another base).

Internally, it's all binary (base 2).

Is this what you wanted?

ADDENDUM FOR SECOND POSTING OF MESSAGE

Why is Jim Gillogly so often not responding to my posts regarding the
cryptograms?  I have even been sending these messages to him as e-mail
AS WELL AS posting them and he STILL won't say anything.  Where is
he?  I wish he would respond!!!

Once again, regarding Kerckhoffs' Rule:

The system used is one of changing bases (base 10 is derived from
another base).

Internally, it's all binary (base 2).

Is this what you wanted?

==================================================
daniel g. mcgrath
a subscriber to _word ways: the journal of recreational linguistics_
http://www.wordways.com/


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
