Cryptography-Digest Digest #862, Volume #12 Sat, 7 Oct 00 06:13:01 EDT
Contents:
Re: what is wrapped PCBC? (Mack)
Rijndael ([EMAIL PROTECTED])
Re: Getting best available security without knowing which cipher to use (David Schwartz)
Re: NSA quote on AES (Eric Smith)
Re: Why wasn't MARS chosen as AES? (Eric Smith)
Error-correcting code ? ([EMAIL PROTECTED])
Re: Error-correcting code ? ("John A. Malley")
Re: NSA quote on AES ("Brian Gladman")
Re: NSA quote on AES ("Brian Gladman")
Re: NSA quote on AES ("Brian Gladman")
Re: NSA quote on AES (David Schwartz)
Re: Looking Closely at Rijndael, the new AES ("Brian Gladman")
Re: Q: does this sound secure? (Simon Johnson)
Re: NSA quote on AES (Justin)
Re: one time pad using a pseudo-random number generator (Mok-Kong Shen)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Mack)
Date: 07 Oct 2000 03:51:33 GMT
Subject: Re: what is wrapped PCBC?
>[EMAIL PROTECTED] (Mack) wrote in
><[EMAIL PROTECTED]>:
>
>>>[EMAIL PROTECTED] (Mack) wrote in
>>><20001006000832.15659.00000334@ng- fd1.aol.com>:
>>>
>>[snip]
>>>>
>>>>wrapped PCBC is basically a form of chaining similar to CBC and PCBC.
>>>>It uses multiple passes over the text wrapping the last block to the
>>>>front
>>>>
>>>>It is a form of AONT. If the encryption function is unbreakable
>>>>wrapped PCBC is unbreakable.
>>>>
>>>>example
>>>>
>>>>P1 P2 P3 P4
>>>>E1=f(P4^P1^P2)
>>>>E2=f(E1^P2^P3)
>>>>E3=f(E2^P3^P4)
>>>>E4=f(E3^P4^E1))
>>>
>>> However in scott19u E1 does not overlay P1 there is a 9 bit shift
>>>so that the file rotates 9 bits each pass.
>>
>>Interesting but it complicates the nice description. I can see the use
>>but it slows it down.
>
> Well scott16u is not slowed that much, since I use
>an 8 bit shift. But scott19u is damn slow with the 9 bit shift.
>I only ran it a few times on my 486. But scott19u flies on a k6-III
>that I now have.
I rather like AMD myself.
>
>>
>>>
>>>>
>>>>now here is where it gets interesting
>>>>
>>>>second round produces what we will call G
>>>>G1=f(E4^E1^E2)
>>>>G2=f(G1^E2^E3)
>>>>G3=f(G2^E3^E4)
>>>>G4=f(G3^E4^G1)
>>>>
>>>>notice that this is invertible
>>>>
>>>>In scott19u and relatives the second xor is changed to a +.
>>>>
>>>>It must be decrypted last block first to unwind it.
>>>>In particular scott19u uses large tables for f and round keys.
>>>>
>>>>This prevents 'the Onions attack' by Paul Onions which is
>>>>a form of Slide attack. It is interesting that it isn't mentioned
>>>>in David Wagner's paper on Slide attacks. I believe David may have
>>>>been around a bit when that attack was introduced.
>>>>
>>>
>>> Well at the time David Wagner brought up his slide attack
>>>he made a grand statement that it was the death of my cipher
>>>until someone tried it and mentioned some of the problems it
>>>caused for the slide attack. Wagner in only one small post
>>>admitted that the slide attack may well not work against it
>>>but that he did not really understand what my code did.
>>>I guess having the complete source code that compiles was just
>>>too hard for him to follow.
>>> Actually I suspect he never looked at it at all and was just
>>>spouting BS out his mouth. Most people who attend Berkeley are
>>>quite arrogant. I know I have met many of them and one of my siblings
>>>went there for 3 years. But then again there are a few rare
>>>good ones from there.
>>>
>>
>>Yes but you think he would have given Paul some credit.
>
> Well I think the so called crypto gods only go around
>patting each other on the back. A true independent thinker
>like Paul Onions is an embarrassment to them. It's obvious
>he seems much sharper than Mr Wagner who has trouble reading
>code. I wonder how you followed my code when the so called
>experts could not. I don't see Mr Onions writing very often
>but I like his thoughts on various things.
>
I do coding work professionally. Your code isn't the clearest
but it isn't the most opaque either. It tends to be efficient
which generally leaves out clarity. I generally write two versions
for code which will be publicly available. One that is clear
and one that is efficient. That is if I can't do both at the same
time.
>
>>
>>>
>>>>I posted a paper about it a long time back in sci.crypt.research.
>>>>I introduced IS8, RS8 and M8; of those only M8 had round keys
>>>>and is still unbroken. It is in the North American crypto archive
>>>>as X8.ZIP
>>>>
>>>
>>> I remember but for some reason I thought your name was Maack
>>>but then again I can't spell worth shit.
>>>
>>
>>No the account I was using then was [EMAIL PROTECTED]
>>
>
> I do remember you. It's just names are hard. I know it was
>a different spelling of Mack but considering my dyslexia
>I think I got pretty damn close.
>
>
>
>David A. Scott
>--
>SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
> http://www.jim.com/jamesd/Kong/scott19u.zip
>Scott famous encryption website **now all allowed**
> http://members.xoom.com/ecil/index.htm
>Scott LATEST UPDATED source for scott*u.zip
> http://radiusnet.net/crypto/ then look for
> sub directory scott after pressing CRYPTO
>Scott famous Compression Page
> http://members.xoom.com/ecil/compress.htm
>**NOTE EMAIL address is for SPAMMERS***
>I leave you with this final thought from President Bill Clinton:
>
Mack
Remove njunk123 from name to reply by e-mail
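The chaining described in the quoted exchange, written out as an added example (this is not scott19u's code or the poster's; it follows the four-block XOR description above and generalises it to n blocks, using the XOR form rather than the '+' variant the post attributes to scott19u). The block function `f` here is a toy keyed permutation on 8-bit blocks built as a lookup table, standing in for a real block function; the block size, key and sample blocks are this example's assumptions. Decryption unwinds from the last block, exactly as the post says it must, and repeating the pass gives the second 'G' round.

```python
"""Wrapped PCBC chaining with a toy block function (added example, not scott19u)."""
import random
from typing import Callable, List, Tuple

BLOCK_BITS = 8


def make_toy_f(key: int) -> Tuple[Callable[[int], int], Callable[[int], int]]:
    """Build f and its inverse from a key-seeded shuffle of all 8-bit values.
    Toy only: a real system would put a block cipher here."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


def wrapped_pcbc_encrypt(f, plain: List[int]) -> List[int]:
    """One pass: E_i = f(E_{i-1} ^ P_i ^ P_{i+1}).

    E_0 is taken as P_n (the last plaintext block is 'wrapped' to the front) and,
    on the last block, P_{n+1} is taken as E_1, the first ciphertext block.
    """
    n = len(plain)
    if n < 2:
        raise ValueError("need at least two blocks")
    out = [0] * n
    prev = plain[-1]                                   # E_0 := P_n
    for i in range(n):
        nxt = plain[i + 1] if i + 1 < n else out[0]    # P_{n+1} := E_1
        out[i] = f(prev ^ plain[i] ^ nxt)
        prev = out[i]
    return out


def wrapped_pcbc_decrypt(f_inv, cipher: List[int]) -> List[int]:
    """Inverse pass, unwound from the LAST block: P_n depends only on ciphertext
    (E_n, E_{n-1}, E_1); every earlier P_i then needs P_{i+1}, already recovered."""
    n = len(cipher)
    if n < 2:
        raise ValueError("need at least two blocks")
    plain = [0] * n
    plain[n - 1] = f_inv(cipher[n - 1]) ^ cipher[n - 2] ^ cipher[0]
    for i in range(n - 2, 0, -1):
        plain[i] = f_inv(cipher[i]) ^ cipher[i - 1] ^ plain[i + 1]
    plain[0] = f_inv(cipher[0]) ^ plain[n - 1] ^ plain[1]
    return plain


def encrypt_passes(f, plain: List[int], passes: int = 2) -> List[int]:
    """The post's second round G is just the same pass applied to E."""
    blocks = list(plain)
    for _ in range(passes):
        blocks = wrapped_pcbc_encrypt(f, blocks)
    return blocks


def decrypt_passes(f_inv, cipher: List[int], passes: int = 2) -> List[int]:
    blocks = list(cipher)
    for _ in range(passes):
        blocks = wrapped_pcbc_decrypt(f_inv, blocks)
    return blocks


def demo() -> dict:
    """Round trip, then decrypt a ciphertext with one bit changed in transit."""
    f, f_inv = make_toy_f(key=2000)
    plain = [0x50, 0x31, 0x20, 0xA7, 0x00, 0xFF]       # constructed sample blocks
    cipher = encrypt_passes(f, plain, passes=2)
    tampered = list(cipher)
    tampered[2] ^= 0x01
    recovered = decrypt_passes(f_inv, tampered, passes=2)
    return {
        "roundtrip_ok": decrypt_passes(f_inv, cipher, passes=2) == plain,
        "tampered_blocks_changed": sum(a != b for a, b in zip(recovered, plain)),
    }
```

Since each pass is a bijection on the whole block sequence, any change to the ciphertext decrypts to some other plaintext rather than failing. After a single pass a change in a middle block E_i (1 < i < n) leaves P_n untouched, because P_n is computed from E_n, E_{n-1} and E_1 only; the second pass gives such a change a path back into E_1 and hence into P_n, which is the all-or-nothing behaviour the post is after.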
------------------------------
From: [EMAIL PROTECTED]
Subject: Rijndael
Date: Sat, 07 Oct 2000 03:45:07 GMT
Hi. I'm pretty new to learning about the Rijndael algorithm. I have
looked over TwoFish and RC6 and haven't had many problems. I have a
question that I was hoping someone could help me with. On page 5 of the
"Rijndael Block Cipher" guide, it talks about division of the polynomial
modulo m(x). How do I divide polynomials?
[EMAIL PROTECTED]
Sent via Deja.com http://www.deja.com/
Before you buy.
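For the question about dividing polynomials: the arithmetic in question is over GF(2), so coefficients are single bits, addition is XOR, and long division is schoolbook long division with XOR in place of subtraction and no carries or signs. The following is an added example, not text or code from the Rijndael guide; it stores a polynomial as an integer whose bit i is the coefficient of x^i (so 0x57 is x^6 + x^4 + x^2 + x + 1 and m(x) = x^8 + x^4 + x^3 + x + 1 is 0x11B) and checks itself against the worked values given in the Rijndael/AES specifications, {57}·{83} = {C1} and {53}^-1 = {CA}.

```python
"""GF(2) polynomial division and the Rijndael field GF(2^8) (added example)."""

RIJNDAEL_M = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1


def gf2_mul(a: int, b: int) -> int:
    """Multiply two GF(2) polynomials without reduction (carry-less multiply)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf2_divmod(a: int, b: int) -> tuple:
    """Long division in GF(2)[x]: return (quotient, remainder), deg(remainder) < deg(b).

    Each step lines the divisor up with the current leading term of `a` and
    'subtracts' it with XOR; that is the only difference from decimal long division.
    """
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    quotient = 0
    deg_b = b.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_b:
        shift = (a.bit_length() - 1) - deg_b
        quotient ^= 1 << shift
        a ^= b << shift
    return quotient, a


def gf256_mul(a: int, b: int, m: int = RIJNDAEL_M) -> int:
    """Field multiplication: multiply, then keep the remainder modulo m(x)."""
    return gf2_divmod(gf2_mul(a, b), m)[1]


def gf256_inverse(a: int, m: int = RIJNDAEL_M) -> int:
    """Multiplicative inverse by the extended Euclidean algorithm on GF(2)[x].
    Loop invariant: s1 * a == r1 (mod m). Valid for 1 <= a <= 255; 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1 = m, a
    s0, s1 = 0, 1
    while r1 != 1:                      # the gcd is 1 because m(x) is irreducible
        q, r = gf2_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ gf2_mul(q, s1)
    return gf2_divmod(s1, m)[1]


def poly_str(p: int) -> str:
    """Render an int polynomial as e.g. 'x^7 + x^6 + 1' for comparing with the guide."""
    if p == 0:
        return "0"
    terms = []
    for i in range(p.bit_length() - 1, -1, -1):
        if p >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else "x^%d" % i)
    return " + ".join(terms)
```

`gf2_divmod(gf2_mul(0x57, 0x83), RIJNDAEL_M)` returns quotient 0x28 (x^5 + x^3) and remainder 0xC1 (x^7 + x^6 + 1), which is the reduction step the guide performs; `gf256_inverse` shows where the same division is used again, in the Euclidean algorithm behind the S-box.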
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Getting best available security without knowing which cipher to use
Date: Fri, 06 Oct 2000 21:08:09 -0700
Mack wrote:
> > Obviously, if you're only missing 128 bits of the message, it can't be
> >harder than 2^128 to recover the whole message.
> > DS
> That is a pretty big only ....
Of course. :)
DS
------------------------------
From: Eric Smith <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: 06 Oct 2000 21:28:53 -0700
[EMAIL PROTECTED] (UBCHI2) writes:
> Let's see a definitive statement that they can't break the AES.
Yeah, like they'd issue such a statement. Ha!
------------------------------
From: Eric Smith <[EMAIL PROTECTED]>
Subject: Re: Why wasn't MARS chosen as AES?
Date: 06 Oct 2000 21:29:46 -0700
[EMAIL PROTECTED] (UBCHI2) writes:
> Why wasn't MARS chosen as AES?
Because Rijndael met the criteria better. Read the report.
------------------------------
From: [EMAIL PROTECTED]
Subject: Error-correcting code ?
Date: Sat, 07 Oct 2000 05:45:27 GMT
I asked this before but didn't get anywhere; probably not on this group.
Does anyone know an algorithm, simple or well-documented (like, source code)
enough that an idiot like me can implement it, for error-correcting short
strings of digits ?
So that if someone writes down "123454321" and someone reads it back as
"123454327" or "lZ34S43Zl" that I can recover the original number.
Stuff I've found like Reed-Solomon assumes a 2^n byte block like a disk
sector, or goes deep into theory without any simple examples.
--
Andrew Daviel
PGP id 0xC7624B49
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Error-correcting code ?
Date: Fri, 06 Oct 2000 23:04:09 -0700
[EMAIL PROTECTED] wrote:
>
> I asked this before but didn't get anywhere; probably not on this group.
>
> Does anyone know an algorithm, simple or well-documented (like, source code)
> enough that an idiot like me can implement it, for error-correcting short
> strings of digits ?
> So that if someone writes down "123454321" and someone reads it back as
> "123454327" or "lZ34S43Zl" that I can recover the original number.
>
> Stuff I've found like Reed-Solomon assumes a 2^n byte block like a disk
> sector, or goes deep into theory without any simple examples.
Why not a Hamming code? The Hamming rule shows that four parity bits
can provide error correction for five to eleven data bits, so each
(8-bit) byte gets a (4-bit) nibble of error correcting bits, so the data
format can be 2 data bytes followed by one error correcting byte (2
nibbles) covering that byte pair.
See
http://www.rad.com/networks/1994/err_con/hamming.htm,
http://tinah.mslab.usna.edu/docs/ebooks/book/node79.html,
http://www.mdstud.chalmers.se/~md7sharo/coding/main/node31.html
for theory and examples.
John A. Malley
[EMAIL PROTECTED]
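One way to carry out the suggestion above, as an added example (not code from the post or from the pages it links): a single-error-correcting Hamming code in exactly the layout described, four parity bits per data byte and one check byte carrying both nibbles after each pair of data bytes. The bit positions, the zero-byte padding for odd lengths and the sample string are this example's choices.

```python
"""Hamming single-error correction for bytes, two data bytes + one check byte (added example)."""
from typing import List, Tuple

# A 12-bit codeword with positions numbered 1..12: powers of two hold the parity bits,
# the remaining eight positions hold the data bits, most significant first.
PARITY_POSITIONS = (1, 2, 4, 8)
DATA_POSITIONS = (3, 5, 6, 7, 9, 10, 11, 12)


def _syndrome(bits: List[int]) -> int:
    """XOR of the positions of all set bits; zero for a valid codeword."""
    s = 0
    for pos in range(1, 13):
        if bits[pos]:
            s ^= pos
    return s


def _place_data(byte: int) -> List[int]:
    bits = [0] * 13
    for i, pos in enumerate(DATA_POSITIONS):
        bits[pos] = (byte >> (7 - i)) & 1
    return bits


def hamming_nibble(byte: int) -> int:
    """The 4 check bits for one byte; bit k of the nibble is parity position 2^k.
    Parity bit p is set exactly when the data syndrome has bit p, so the total syndrome is 0."""
    s = _syndrome(_place_data(byte))
    nibble = 0
    for k, p in enumerate(PARITY_POSITIONS):
        if s & p:
            nibble |= 1 << k
    return nibble


def hamming_correct(byte: int, nibble: int) -> Tuple[int, int]:
    """Rebuild the codeword, fix one flipped bit (data or check), and return
    (corrected_byte, position_fixed); position 0 means nothing was wrong."""
    bits = _place_data(byte)
    for k, p in enumerate(PARITY_POSITIONS):
        bits[p] = (nibble >> k) & 1
    s = _syndrome(bits)
    if s > 12:
        # Two (or more) flipped bits whose positions XOR past 12: detected, not correctable.
        raise ValueError("syndrome %d: more than one bit error" % s)
    if s:
        bits[s] ^= 1                    # for a single error the syndrome IS its position
    out = 0
    for pos in DATA_POSITIONS:
        out = (out << 1) | bits[pos]
    return out, s


def protect(data: bytes) -> bytes:
    """Two data bytes, then a check byte (high nibble covers the first, low the second).
    Odd-length input is padded with 0x00, which recover() strips (safe for text)."""
    if len(data) % 2:
        data = data + b"\x00"
    out = bytearray()
    for i in range(0, len(data), 2):
        b1, b2 = data[i], data[i + 1]
        out += bytes([b1, b2, (hamming_nibble(b1) << 4) | hamming_nibble(b2)])
    return bytes(out)


def recover(encoded: bytes) -> bytes:
    """Undo protect(), correcting up to one flipped bit per (data byte, nibble) codeword."""
    if len(encoded) % 3:
        raise ValueError("encoded length must be a multiple of 3")
    out = bytearray()
    for i in range(0, len(encoded), 3):
        b1, b2, check = encoded[i], encoded[i + 1], encoded[i + 2]
        out.append(hamming_correct(b1, check >> 4)[0])
        out.append(hamming_correct(b2, check & 0x0F)[0])
    return bytes(out).rstrip(b"\x00")
```

This corrects one flipped bit in each 12-bit codeword, whether it lands in the data byte or in the check nibble. It does not by itself cover the question's transcription errors: reading '1' (0x31) as '7' (0x37) flips two bits of one byte, and "lZ34S43Zl" differs from the original in many bits, so errors of that shape need a code defined over the digit symbols themselves rather than over bits.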
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Sat, 7 Oct 2000 08:57:17 +0100
"Bill Unruh" <[EMAIL PROTECTED]> wrote in message news:8rluk5$9pi$[EMAIL PROTECTED]...
> In <AapD5.32676$Cl1.682791@stones> "Brian Gladman" <[EMAIL PROTECTED]> writes:
>
[snip]
> ]> The get-out clause reduces the positive statement about intended use
> ]> to meaninglessness.
>
> ]What you mean is that *you* see this statement as meaningless because you
> ]judge that NSA is being insincere in making it.
>
> ]I take a different view, namely that this is a sincere statement of support
> ]and that NSA does intend to use the algorithm for protecting some US
> ]national security information. Their policy does not surprise me since
> ]there are very good reasons for doing this.
>
> Well, I also see it as a statement like the famous reference
> "You will be fortunate indeed to get this person to work for you."
>
> It can be interpreted in various ways. Their statement can be interpreted in a
> way so as to state that they regard it as weak:
> "It should serve the nation well." = The biggest danger facing the nation is
> people hiding their nefarious activities from enforcement agencies. This
> standard should serve the nation well in alleviating that danger.
>
> "In particular, NSA intends to use the AES where appropriate" = It is appropriate
> where the communication should appear to be secure, but not be.
>
> "in meeting the national security information protection needs" = We need open
> and transparent government.
>
> I.e., this is hardly an unambiguous statement of support. Now, it may just be
> the statement of a bureaucrat who no longer knows how to make definite
> unambiguous statements.
I agree that it is subject to interpretation but it is not meaningless for
all who read it.
The problem for many who comment on such matters is that they see everything
that NSA says as dishonest to the point that they would only accept an NSA
statement as one made in good faith if it happened to agree with their own
personal views. Indeed, if such an unlikely situation ever arose I rather
suspect that they would shift their views to maintain their perception of
NSA as a dishonest organisation.
I am absolutely certain that NSA attempts to manipulate the perceptions of
outsiders by issuing statements designed to be misinterpreted. This does
mean that considerable care is needed in reading them. I hence don't blame
people for being sceptical about their content but they won't always be
right in taking this line.
Brian Gladman
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Sat, 7 Oct 2000 09:23:56 +0100
"Mack" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> >
> >"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> >> Brian Gladman <[EMAIL PROTECTED]> wrote:
> >> : "SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote:
> >> :> [EMAIL PROTECTED] (David Crick) wrote in <[EMAIL PROTECTED]>:
> >>
> >> :> >"The National Security Agency (NSA) wishes to congratulate the National
> >> :> >Institute of Standards and Technology on the successful selection of an
> >> :> >Advanced Encryption Standard (AES). It should serve the nation well. In
> >> :> >particular, NSA intends to use the AES where appropriate in meeting the
> >> :> >national security information protection needs of the United States
> >> :> >government."
> >> :>
> >> :> These are weasel words if nothing else. To say they will use it
> >> :> where it's appropriate does not mean anything at all. They may
> >> :> only use it in the sense of decoding messages. And they don't say
> >> :> where it's appropriate for them to use. But I guess it is too much
> >> :> to expect an honest answer from them.
> >>
> >> : Once again we can see that accuracy and objective analysis are not among
> >> : your stronger abilities.
> >>
> >> : You see 'where appropriate' as a 'let out' clause but you fail to notice
> >> : that the statement also says that NSA intends to use the AES in meeting the
> >> : national security ***information protection*** needs of the United States
> >> : government".
> >>
> >> : There are none so blind as those who will not see.
> >>
> >> The get-out clause reduces the positive statement about intended use
> >> to meaninglessness.
> >
> >What you mean is that *you* see this statement as meaningless because you
> >judge that NSA is being insincere in making it.
> >
> >I take a different view, namely that this is a sincere statement of support
> >and that NSA does intend to use the algorithm for protecting some US
> >national security information. Their policy does not surprise me since
> >there are very good reasons for doing this.
> >
> > Brian Gladman
> >
>
> Certainly AES is appropriate for sensitive non-classified data. After the
> Skipjack fiasco the NSA is being much more careful.
>
> But I don't see the NSA using a public algorithm for classified data.
> Security by obscurity is still an added layer of security. If it is
> only a thin veil it may be all that is necessary to prevent some
> information from falling into the 'wrong' hands.
The point at which cryptographic systems are broken by breaking the
algorithms used is now in the past, so there is no significant value in
hiding the algorithm for the purpose of security through obscurity. Any
small residual value is more than offset by other factors that work in the
opposite direction.
The real art now is to build an actual implementation that is as strong as the
algorithm itself and this is a very difficult undertaking where the 'closed
world' is still quite a way ahead of the 'open world'. I am hence fairly
certain that the techniques that NSA use to implement Rijndael for
classified information protection will themselves remain classified.
Brian Gladman
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Sat, 7 Oct 2000 09:27:41 +0100
"UBCHI2" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> The NSA message could be interpreted differently. That the NSA intends to use
> the encryption for the "information protection needs" of the government could
> mean that it needs to make your communications unprotected to meet its needs.
>
> Let's see a definitive statement that they can't break the AES. Otherwise it's
> just DES with a 10 year lag.
And perhaps you would like to confirm that you would believe such a
statement if they made it.
Brian Gladman
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Sat, 07 Oct 2000 01:21:04 -0700
Brian Gladman wrote:
> I am absolutely certain that NSA attempts to manipulate the perceptions of
> outsiders by issuing statements designed to be misinterpreted. This does
> mean that considerable care is needed in reading them. I hence don't blame
> people for being sceptical about their content but they won't always be
> right in taking this line.
When a statement appears to be carefully crafted, I assume it means
exactly and only what it says. I disregard all implications. I think
this is the correct way to read NSA statements.
DS
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: Looking Closely at Rijndael, the new AES
Date: Sat, 7 Oct 2000 09:46:02 +0100
"John Myre" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Thomas Pornin wrote:
> <snip>
> > Not quite. OTP is ultimately secure against passive attacks
> > (eavesdropping) but not at all against active attacks (the bad guy
> > intercepts and modifies the message).
> <snip>
>
> This observation leads to one that is also commonly made,
> but not as well appreciated: the word "secure" is not well
> defined. The best way to view the situation is not by the
> kind of attack, but with the kind of security OTP offers.
>
> It has perfect secrecy, with no authentication.
>
> In the common case where you want authentication as well
> as secrecy, then you have to choose an authentication
> method. This is true for most encryption methods. For
> example, none of the common modes for block ciphers (ECB
> and so on) provide really great authentication, and some
> are really bad.
>
> There's no reason why one couldn't use OTP in real life,
> with authentication: add a MAC. (Granted, there are
> details, like the relative security of the MAC vs OTP,
> and getting the protocol and the implementation right,
> but all that work is needed, regardless.)
>
Interestingly the AES "Modes of Operation" workshop will meet shortly and
there are proposals for new modes designed to provide 'almost free'
authentication as a byproduct of secrecy.
However it is not clear to me that they do what is claimed since I am always
somewhat suspicious of getting something for (almost) nothing. Perhaps
worse, I think IBM has patented them and this might cause problems if they
were adopted.
Brian Gladman
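The arrangement John Myre describes, a one-time pad for secrecy with a MAC added for the authentication the pad lacks, as an added example that is not drawn from either post. HMAC-SHA256, the encrypt-then-MAC layout with a MAC key separate from the pad, and the sample message are this example's choices; the point it makes is the one in the quoted text: a bare pad accepts any modified ciphertext and decrypts it to something, while the MAC check rejects it.

```python
"""One-time pad plus MAC (encrypt-then-MAC), added example."""
import hashlib
import hmac
import secrets
from typing import Tuple


def otp_encrypt(pad: bytes, message: bytes) -> bytes:
    """XOR the message with a pad of exactly the same length.
    The pad must be uniformly random and used once; this code does not enforce the 'once'."""
    if len(pad) != len(message):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(p ^ m for p, m in zip(pad, message))


otp_decrypt = otp_encrypt   # XOR is its own inverse


def seal(pad: bytes, mac_key: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """Encrypt with the pad, then MAC the ciphertext under a separate key."""
    ciphertext = otp_encrypt(pad, message)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_sealed(pad: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Check the tag (constant-time) BEFORE decrypting; refuse on mismatch."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed: message rejected")
    return otp_decrypt(pad, ciphertext)


def tamper_demo() -> dict:
    """Flip one ciphertext bit. Without the MAC the pad still 'decrypts' (to a changed
    message, with no error); with the MAC the message is rejected."""
    message = b"constructed sample message"          # constructed sample
    pad = secrets.token_bytes(len(message))
    mac_key = secrets.token_bytes(32)
    ciphertext, tag = seal(pad, mac_key, message)
    altered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    unauthenticated = otp_decrypt(pad, altered)       # no check: silently wrong
    try:
        open_sealed(pad, mac_key, altered, tag)
        accepted = True
    except ValueError:
        accepted = False
    return {"unauthenticated_result": unauthenticated,
            "unauthenticated_matches": unauthenticated == message,
            "authenticated_accepted": accepted}
```

Verifying the tag before decryption keeps the two properties separate, as the post frames them: the pad alone gives perfect secrecy, and the MAC alone decides whether the ciphertext is the one that was sent. The pad must still never be reused, and the MAC key must be independent of it; neither requirement is checked by this code.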
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Q: does this sound secure?
Date: Sat, 07 Oct 2000 09:03:19 GMT
In article <[EMAIL PROTECTED]>,
"William A. McKee" <[EMAIL PROTECTED]> wrote:
> I have to ask the user for a user id and password in a Java applet (client)
> then validate it on a server. Does this sound like a secure scheme?
>
> 1) the server issues a random session key (32 bits).
No, a 32-bit session key is not big enough.
Enuff said. How is this session key distributed?
> 2) the user id and password are hashed (MD5) by the client.
> 3) the session key and hash key from 2 are hashed (MD5).
> 4) the user id and hash key from 3 are sent to the server.
> 5) the server looks up the user id in a password file then hashes the session
> key and the stored hash key (previously computed, the same as in 2).
> 6) the two hash keys (from 3 and 5) are compared.
>
> 7) the server issues a "PASS" if 6 compares true (and moves into a "logged
> on state") else it issues a "FAIL"
That's fine. ;)
>
> Passwords are at least 6 characters long with at least one non-alpha
> character.
>
> Is there any advantage to using SHA instead of MD5?
SHA-1 is more secure against the birthday attack, hrm.
> I also have a registration dialog box in the client that asks for a new user
> id and password. The data is hashed as in 2 and the user id and hash key
> are sent directly to the server to be added to the password file. Does this
> compromise security?
> TIA,
> William A. McKee.
>
>
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
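The seven steps of the quoted scheme, written out for both sides as an added example (not William McKee's applet or server code). MD5 is used because the post uses it. Three things are additions for illustration and not part of the described scheme: session keys are tracked so each is accepted once, the comparison in step 6 is constant-time, and `repeat_probability` puts a number on the 32-bit session key Simon objects to, using the birthday bound. The user id, password and key widths are constructed sample values.

```python
"""Challenge-response login from the post, client and server (added example)."""
import hashlib
import hmac
import math
import secrets
from typing import Dict


def md5(*parts: bytes) -> bytes:
    h = hashlib.md5()
    for part in parts:
        h.update(part)
    return h.digest()


def step2_hash(user_id: str, password: str) -> bytes:
    """Step 2: the client hashes user id and password together."""
    return md5(user_id.encode(), password.encode())


def step3_response(session_key: bytes, step2: bytes) -> bytes:
    """Step 3: the session key and the step-2 hash are hashed together."""
    return md5(session_key, step2)


class Server:
    def __init__(self, nonce_bytes: int = 4):
        self.nonce_bytes = nonce_bytes                 # 4 bytes = the post's 32-bit key
        self.password_file: Dict[str, bytes] = {}      # user id -> step-2 hash
        self.issued: Dict[bytes, bool] = {}            # session key -> already used?

    def register(self, user_id: str, step2: bytes) -> None:
        """The registration dialog: the client sends the step-2 hash directly."""
        self.password_file[user_id] = step2

    def step1_issue_session_key(self) -> bytes:
        key = secrets.token_bytes(self.nonce_bytes)
        self.issued[key] = False
        return key

    def step5_to_7_verify(self, session_key: bytes, user_id: str, response: bytes) -> str:
        if self.issued.get(session_key) is not False:  # unknown or already-used key (addition)
            return "FAIL"
        self.issued[session_key] = True
        stored = self.password_file.get(user_id)       # step 5: look up the stored hash
        if stored is None:
            return "FAIL"
        expected = step3_response(session_key, stored) # step 5: hash session key with it
        # steps 6 and 7: compare and answer (constant-time compare is an addition)
        return "PASS" if hmac.compare_digest(expected, response) else "FAIL"


def login(server: Server, user_id: str, password: str) -> str:
    """Client side of one login attempt, steps 1 through 7 in order."""
    session_key = server.step1_issue_session_key()          # 1: server -> client
    step2 = step2_hash(user_id, password)                   # 2: client, locally
    response = step3_response(session_key, step2)           # 3: client, locally
    return server.step5_to_7_verify(session_key, user_id, response)  # 4: client -> server


def repeat_probability(nonce_bits: int, logins: int) -> float:
    """Birthday estimate of P(some session key is issued twice) over `logins` sessions,
    1 - exp(-n^2 / (2 * 2^bits)). A repeated challenge has the same valid response."""
    return -math.expm1(-(logins ** 2) / (2.0 * 2 ** nonce_bits))
```

With 4-byte session keys, `repeat_probability(32, 77163)` is about 0.5: after roughly 77,000 logins the server has an even chance of having issued the same challenge twice, which is the size argument behind "not big enough"; at 16 bytes the same count gives a probability below 1e-25. The code also shows why the registration question matters: the server computes the expected response from the stored step-2 hash alone, so that file needs the same protection as a list of passwords.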
------------------------------
From: Justin <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Sat, 7 Oct 2000 05:30:03 -0400
On Sat, 7 Oct 2000, David Schwartz wrote:
> Brian Gladman wrote:
>
> > I am absolutely certain that NSA attempts to manipulate the perceptions of
> > outsiders by issuing statements designed to be misinterpreted. This does
> > mean that considerable care is needed in reading them. I hence don't blame
> > people for being sceptical about their content but they won't always be
> > right in taking this line.
>
> When a statement appears to be carefully crafted, I assume it means
> exactly and only what it says. I disregard all implications. I think
> this is the correct way to read NSA statements.
How intelligent. I completely agree. The government is going to publicly
advocate that it use rijndael for nonclassified documents. Nobody would
ever get pissed off at the NSA and go public with this info. Nobody
inside another branch would ever leak the "memo from above" that says
don't even think of using rijndael. Since nobody else could ever discover
this attack, and since they have a history of improving [1] important
algorithms, the NSA would much rather spend a few weeks gathering
plaintext for a cryptographic attack than set up a monitoring van outside
your house. It's much easier. Really. And unless you are pretty keen on
computer security, the NSA may be able to hack your computer, saving them
the time of deploying a van.
The NSA is also going to ignore the fact that there is strong crypto
available outside their control, and that high profile groups that pose a
security threat to the US will never trust AES. They're also going to
ignore the long and successful history of disinformation and be stupid
enough to make their public statement ambiguous enough that it MIGHT be
interpreted in a way that is the truth (that they can crack AES).
Now assume, for a second, that none of that was sarcastic. You think the
NSA found a way to crack rijndael that three years of independent public
analysis didn't reveal? Even better, you think this attack applies only
to rijndael? Are you this dumb all the time or only on usenet?
You're also forgetting that since the NSA is in bed with the DXA, anything
that gets approved for export is also crackable. Which means you can
throw out your entire ssl library, pgp, and just about everything else on
your machine that does any sort of crypto.
[1] Improving DES against differential attacks, which were unknown at the
time, as well as changing keys from 64 to 56 bits to reflect the real "bit
strength" of the algorithm. You're right here too, of course, since they
must have made another attack easier by making differential harder.
justin
--
Nature has made up her mind that .. None learned the art of archery from
what cannot defend itself shall .... me who did not make me, in the end,
not be defended. --Emerson ...... the target. --Saadi of Shiraz
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: one time pad using a pseudo-random number generator
Date: Sat, 07 Oct 2000 12:05:24 +0200
[EMAIL PROTECTED] wrote:
>
> If more people use it, and more try to break it and can't, it gives a
> better assurance of safety. There is so much effort in analysing block
> ciphers, and hash functions today, but little effort on random number
> generators.
I personally believe that the fact that more efforts
have apparently been done to study modern block encryption
than stream encryption is largely due to historical chance
effects and not on inherent grounds of crypto. Perhaps
it is something not unlike the developments in mode,
e.g. in the style of dresses of ladies. Since a good
block cipher on the other hand can serve as a source
of pseudo-random bits, the tendency seems understandable.
But who knows if the wind wouldn't blow in another direction
in the future?
M. K. Shen
=============================
http://home.t-online.de/home/mok-kong.shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************