Cryptography-Digest Digest #874, Volume #12 Sun, 8 Oct 00 18:13:01 EDT
Contents:
Re: Could NSA help vigilance? (Mok-Kong Shen)
Re: FTL Computation (Wayne Throop)
Re: securely returning password info to a server from a client ("William A. McKee")
Re: Q: does this sound secure? ("William A. McKee")
Re: Pencil and paper cipher. (Simon Johnson)
Re: Q: does this sound secure? ("William A. McKee")
Re: education where ???please help (Simon Johnson)
Dense feedback polynomials for LFSR (Simon Johnson)
Re: Why wasn't MARS chosen as AES? (JCA)
Making Rijndael Even Faster (John Savard)
Re: Apologies for a faulty memory (John Savard)
Re: WEP (Ichinin)
A new paper claiming P=NP (Stas Busygin)
Re: securely returning password info to a server from a client (those who know me have no need of my name)
Re: FTL Computation (ca314159)
Re: ISO an SHA-1 Implementation in Javascript (those who know me have no need of my name)
Re: It's Rijndael (Will Janoschka)
Re: WEP ("madcow")
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Could NSA help vigilance?
Date: Sun, 08 Oct 2000 20:36:53 +0200
John Savard wrote:
>
> Both new discoveries in mathematics, and the ever-increasing power of
> computers, mean that the cipher that is secure today might be as
> obsolete tomorrow as an 8088-based or 80286-based PC is today.
Indeed it is the certain inherent unpredictability of
human achievements and natural happenings that makes life
both difficult and interesting/exciting. Those who
worked at the time of the 8080 could hardly have
dreamed that 800 MHz PCs could be purchased at supermarkets
just like other commodities there. The impact of a new
discovery in mathematics would of course be gigantic
in comparison.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Wayne Throop)
Crossposted-To: sci.astro,sci.physics.relativity,sci.math
Subject: Re: FTL Computation
Date: Sun, 08 Oct 2000 18:08:46 GMT
: ca314159 <[EMAIL PROTECTED]>
: but all I have to do is say "ditto", and reams of semantic
: correlations are transmitted faster than they could have been if
: encoded physically and sent out as bits. Faster than light because
: they were never sent at all. Only the pointer was sent via the
: classical channel.
You seem to be confusing a data rate with a propagation rate.
This is a category error.
Wayne Throop [EMAIL PROTECTED] http://sheol.org/throopw
"He's not just a Galaxy Ranger... he's a Super-Trooper!"
------------------------------
Reply-To: "William A. McKee" <[EMAIL PROTECTED]>
From: "William A. McKee" <[EMAIL PROTECTED]>
Subject: Re: securely returning password info to a server from a client
Date: Sun, 08 Oct 2000 19:00:45 GMT
Thomas Wu <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "William A. McKee" <[EMAIL PROTECTED]> writes:
>
> > Thanks for the replies. (I'm a real newbie at this crypto stuff.)
> >
[snip]
> >
> > I have identified that sending password equivalent data in plain text is a
> > weakness in my current system. This is susceptible to password-guessing
> > attacks. How do I go about securing it? I would like to use a royalty free
> > library if one exists. Plus I don't want to break any Canadian / US export
> > laws if my software were to be used abroad.
>
> Are you talking about session encryption? There are lots of free ways
> to accomplish that. Please clarify.
>
No. I am talking about getting the initial user id and password sent from the
client to the server securely. This takes place once per user before any
session encryption occurs. I have looked into ElGamal public key encryption
and it looks like that's what I want. I am assuming the .jar files are
going to be signed by me and verified by the client's VM.
>
> --
> Tom Wu * finger -l [EMAIL PROTECTED] for PGP key *
> E-mail: [EMAIL PROTECTED] "Those who would give up their freedoms in
> Phone: (650) 723-1565 exchange for security deserve neither."
> http://www-cs-students.stanford.edu/~tjw/ http://srp.stanford.edu/srp/
Cheers,
Will.
--
William A. McKee
[EMAIL PROTECTED]
Asia Communications Quebec Inc.
http://www.cjkware.com
"We're starfleet: weirdness is part of the job." - Janeway
------------------------------
Reply-To: "William A. McKee" <[EMAIL PROTECTED]>
From: "William A. McKee" <[EMAIL PROTECTED]>
Subject: Re: Q: does this sound secure?
Date: Sun, 08 Oct 2000 19:09:00 GMT
Thomas Wu <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "William A. McKee" <[EMAIL PROTECTED]> writes:
>
> > Thomas Wu <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > "William A. McKee" <[EMAIL PROTECTED]> writes:
> > >
> > [snip]
> > >
> > > > Also, why is SRP safe against password guessing attacks? Seems like it
> > > > suffers from the same problem I had originally in my first attempt.
> > >
> > > No it doesn't - the first attempt you described allowed an attacker who
> > > eavesdropped on an authentication session to verify guessed passwords
> > > against the exchanged messages. This attack doesn't work against SRP
> > > because of the random secrets generated by the client and server. The
> > > NDSS paper (available from the SRP Web site) explains the protocol in
> > > more detail.
> > >
> >
> > I was considering that the password file on the server had been compromised.
> > Could a password-guessing attack then succeed?
>
> If an attacker reads the password file, then he could brute-force each
> entry and guess at the password, yes. But I believe that under your
> original scheme, an attacker who read the password file would gain
> instant access to all the accounts without even needing a
> dictionary attack. So there's an attack, but it's not the same attack.
>
Originally I stored only the hashed version of the password so an attacker
would not get instant access to password data but the password file could be
forced by a password-guessing attack. How likely is a password-guessing
attack given that the server is protected behind a firewall? Should I
encrypt the password file?
>
> There's a paper out by W. Ford and B. Kaliski from Verisign that describes
> a scheme that splits the verifiers across multiple servers so that
> a password-guessing attack requires the compromise of all the servers,
> not just one. If such a configuration is practical for your customers,
> you might want to give their paper a read.
Thanks.
>
> --
> Tom Wu * finger -l [EMAIL PROTECTED] for PGP key *
> E-mail: [EMAIL PROTECTED] "Those who would give up their freedoms in
> Phone: (650) 723-1565 exchange for security deserve neither."
> http://www-cs-students.stanford.edu/~tjw/ http://srp.stanford.edu/srp/
Cheers,
Will.
--
William A. McKee
[EMAIL PROTECTED]
Asia Communications Quebec Inc.
http://www.cjkware.com
"We're starfleet: weirdness is part of the job." - Janeway
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Pencil and paper cipher.
Date: Sun, 08 Oct 2000 19:04:48 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Roger Gammans) wrote:
> In article <[EMAIL PROTECTED]>, John Savard wrote:
> >On Sat, 07 Oct 2000 01:59:23 GMT, Benjamin Goldberg
> ><[EMAIL PROTECTED]> wrote, in part:
> >
> >>3) Move the first digit to the end of the message.
> >
> >>4) Convert digit pairs back to letters. See a and b in step 2.
> >
> >That basic principle was mentioned in David Kahn's "The Codebreakers"
> >as a common amateur system. If the only key is the code for converting
>
> Given we have each letter as a value in GF(p^2) (p=5), are there
> any modern tricks which could be brought into play?
>
> TTFN
> --
> Roger
> Think of the mess on the carpet. Sensible people do all their
> demon-summoning in the garage, which you can just hose down afterwards.
> -- [EMAIL PROTECTED]
>
>
A bit off topic, but if I ever need to secure stuff using a pen and
paper cipher, I convert the text to binary. Then set up a pack of cards
as a self-shrinking LFSR (with a feedback polynomial of order 56.) Then
say that black cards are 0 and red cards are 1.
N.B. You may need more cards than 56 because more than half of the cards
may be the same colour.
Simon.
--
Hi, I'm the signature virus,
help me spread by copying me into your Signature File
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
Reply-To: "William A. McKee" <[EMAIL PROTECTED]>
From: "William A. McKee" <[EMAIL PROTECTED]>
Subject: Re: Q: does this sound secure?
Date: Sun, 08 Oct 2000 19:11:26 GMT
Paul Rubin <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Thomas Wu <[EMAIL PROTECTED]> writes:
[snip]
>
> > Well, it used to be a hassle until prepackaged distributions for SRP and
> > PAK, etc. showed up.
>
> Is there a Java implementation of SRP that can be used in an applet?
Yes. Check out http://srp.stanford.edu/srp/ .
>
--
William A. McKee
[EMAIL PROTECTED]
Asia Communications Quebec Inc.
http://www.cjkware.com
"We're starfleet: weirdness is part of the job." - Janeway
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: education where ???please help
Date: Sun, 08 Oct 2000 19:17:24 GMT
In article <8rqd3m$pl6$[EMAIL PROTECTED]>,
"simon" <[EMAIL PROTECTED]> wrote:
> Dear group, I live in Surrey UK and wish to learn about cryptography
> but I cannot find anywhere that offers any courses. Please could anybody
> point me in a direction?
> I would be very grateful.
> SIMON P.........................
>
>
Yeah, I've been looking for a university course in cryptography. To be
honest I don't think there are any at undergraduate level. (Maybe I'm
not looking hard enough.) Perhaps we should write our own syllabus. :P
--
Hi, I'm the signature virus,
help me spread by copying me into your Signature File
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Dense feedback polynomials for LFSR
Date: Sun, 08 Oct 2000 19:20:02 GMT
Anyone got a decent method of finding dense primitive polynomials mod 2 for use in
an LFSR? Does the method in 'Applied Cryptography' work?
--
Hi, I'm the signature virus,
help me spread by copying me into your Signature File
Sent via Deja.com http://www.deja.com/
Before you buy.
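An added example, not code from either post: a deterministic primitivity test for a feedback polynomial over GF(2) (x must have order exactly 2^n - 1 in GF(2)[x]/(f)), plus a random search for dense primitive polynomials of the kind asked about here and used for the card LFSR in the pencil-and-paper thread above. Polynomials are ints whose bit i is the coefficient of x^i; the trial-division factoring of 2^n - 1 is only practical up to degree 40 or so.

```python
# Added example (not from the posts): primitive-polynomial test over GF(2) and
# a search for dense ones. A polynomial is an int: bit i = coefficient of x^i.
import random

def poly_mulmod(a, b, f):
    """(a * b) mod f over GF(2); f has degree n = f.bit_length() - 1."""
    n = f.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:          # reduce as soon as degree n is reached
            a ^= f
    return r

def poly_powmod(base, e, f):
    """base^e mod f by square-and-multiply."""
    result = 1
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f)
        base = poly_mulmod(base, base, f)
        e >>= 1
    return result

def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for 2^n-1, n <= ~40)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    return out + ([m] if m > 1 else [])

def is_primitive(f):
    """True iff x has order exactly 2^n - 1 modulo f, i.e. f is primitive."""
    n = f.bit_length() - 1
    order = (1 << n) - 1
    if n < 1 or not f & 1 or poly_powmod(2, order, f) != 1:   # 2 is the polynomial x
        return False
    return all(poly_powmod(2, order // q, f) != 1 for q in prime_factors(order))

def find_dense_primitive(n, min_weight=None, seed=0):
    """Random search for a degree-n primitive polynomial with at least
    min_weight (default n // 2) nonzero coefficients, i.e. many feedback taps."""
    rng = random.Random(seed)
    min_weight = min_weight or n // 2
    while True:
        f = (1 << n) | 1 | (rng.getrandbits(n - 1) << 1)   # x^n and x^0 terms fixed
        if bin(f).count("1") >= min_weight and is_primitive(f):
            return f
```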
------------------------------
From: JCA <[EMAIL PROTECTED]>
Subject: Re: Why wasn't MARS chosen as AES?
Date: Sun, 08 Oct 2000 19:42:00 GMT
Roger Schlafly wrote:
> JCA wrote:
> > ? Why wasn't MARS chosen as AES?
> > Because it was the worst candidate by a mile?
>
> It was designed by a committee at IBM.
My comment was a somewhat tongue-in-cheek
one, and so may be yours. In case it isn't, the fact
that there is a big company behind it doesn't
guarantee its quality.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Making Rijndael Even Faster
Date: Sun, 08 Oct 2000 19:38:40 GMT
Although Rijndael is a fast encipherment algorithm, it would be
possible to speed up Rijndael encipherment slightly by making one
change to the definition of the cipher.
When placing the bytes of the message in the square array used for
encipherment, instead of placing them in the order
1 5 9 13
2 6 10 14
3 7 11 15
4 8 12 16
the order should be
1 5 9 13
14 2 6 10
11 15 3 7
8 12 16 4
and when removing them to provide the ciphertext, the order in which
the bytes are found should be
1 5 9 13
6 10 14 2
11 15 3 7
16 4 8 12
instead of
1 5 9 13
2 6 10 14
3 7 11 15
4 8 12 16
This would permit implementors, with suitable changes to the key
schedule, to omit the initial and final Shift Row steps; although
these steps are neither the first nor the last step in the cipher, the
first one effectively commutes with those that precede it, and the
last one effectively commutes with those that follow it, so both are
potentially as removable, without changing the fundamental security of
the cipher, as the IP and IIP were in DES.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
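An added worked check, not code from the post: with the state in the FIPS-197 column-major layout of the first diagram and the real Rijndael S-box, the first ShiftRow commutes with the initial key addition and ByteSub, and the last ShiftRow with the final key addition, so each can be replaced by a pre-shifted load or read order plus a shifted round key. Rows rotate left here as in FIPS-197; the direction used for the load diagrams is a convention and does not affect the equivalence.

```python
# Added illustration (not from the post): folding Rijndael's first and last
# ShiftRow into the byte load/unload order and the round keys. State = 16
# bytes in column-major order (index = row + 4*col), rows rotating left.
import os

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def sbox_entry(a):
    """Rijndael S-box: multiplicative inverse, then the affine transformation."""
    inv = next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0)
    r = inv
    for i in range(1, 5):                       # r ^= rotl(inv, 1..4)
        r ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return r ^ 0x63

SBOX = [sbox_entry(a) for a in range(256)]

def sub_bytes(s):
    return [SBOX[b] for b in s]
def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def shift_rows(s):
    """Row r rotated left by r: cell (r,c) receives the byte from (r,c+r)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def inv_shift_rows(s):
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def first_round_standard(p, k0):
    """Initial AddRoundKey, ByteSub, then the first ShiftRow (MixColumn omitted)."""
    return shift_rows(sub_bytes(add_round_key(p, k0)))
def first_round_folded(p, k0):
    """No ShiftRow: plaintext and k0 are loaded in already-shifted order."""
    return sub_bytes(add_round_key(shift_rows(p), shift_rows(k0)))

def last_round_standard(s, kn):
    return add_round_key(shift_rows(sub_bytes(s)), kn)
def last_round_folded(s, kn):
    """No ShiftRow: unshift the last key, then read the state out in shifted order."""
    return shift_rows(add_round_key(sub_bytes(s), inv_shift_rows(kn)))

def check_equivalence(trials=200):
    """True if both foldings match the standard steps on random blocks and keys."""
    for _ in range(trials):
        p, k = list(os.urandom(16)), list(os.urandom(16))
        if first_round_standard(p, k) != first_round_folded(p, k):
            return False
        if last_round_standard(p, k) != last_round_folded(p, k):
            return False
    return True
```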
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Apologies for a faulty memory
Date: Sun, 08 Oct 2000 19:46:55 GMT
On Sun, 08 Oct 2000 18:56:23 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:
>Do you mean e.g. using Z_2^8 in mixing (using a different
>scheme) would be a better idea (i.e. having some variability
>of operator types)?
>I am of the opinion that having a single ByteSub and the
>same MixColumn for the entire cipher is disadvantageous
>rather essentially.
Well, I think that a completely arbitrary ByteSub which is in no way
related to the operator type used in the MixColumn would be helpful.
I do suggest in my page one way to use a second MixColumn function.
>What benefit results from having a round number that is
>divisible by the number of columns? I don't yet understand
>that.
Essentially, given two rows:
A B C D
E F G H
A will have been in the same column as each of E, F, G, and H the same
number of times if the number of rounds which include all steps is a
multiple of four.
This might be a benefit. It *has* been shown that DES is weak with an
odd number of rounds.
>Maybe I gravely misunderstood. But isn't it that both the
>block sizes and the key sizes were prescribed in the contest?
Yes; I only suggest this as causing an improvement because it appears
that the key schedule algorithm is somewhat lacking, and because the
key schedule bytes consist of the key followed by repeated functions
of the key having the same size as it. With a high quality key
schedule, this would of course be irrelevant.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
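An added check of the column-sharing claim above, not code from the post: it counts, over a given number of rounds, how often the byte A in row 0 lands in the same column (and so the same MixColumn) as each of E, F, G, H in row 1. Column-major state with rows rotating left as in FIPS-197; the helper here is self-contained.

```python
# Added check (not from the post): does A share a column with each of E, F, G, H
# equally often? Only when the number of rounds is a multiple of four.
from collections import Counter

def shift_rows(cells):
    """cells[(row, col)] -> label; row r is rotated left by r positions."""
    return {(r, c): cells[(r, (c + r) % 4)] for r in range(4) for c in range(4)}

def column_sharing_counts(rounds):
    """Rounds in which A (row 0, col 0) sits in the same column as each row-1 byte."""
    labels = "ABCDEFGHIJKLMNOP"             # A B C D is row 0, E F G H is row 1
    state = {(r, c): labels[4 * r + c] for r in range(4) for c in range(4)}
    counts = Counter()
    for _ in range(rounds):
        state = shift_rows(state)             # MixColumn would follow this step
        col_of_a = next(c for (r, c), v in state.items() if v == "A")
        for r in range(4):
            counts[state[(r, col_of_a)]] += 1
    return {x: counts[x] for x in "EFGH"}

def evenly_mixed(rounds):
    """True if every row-1 byte met A in the same number of columns."""
    return len(set(column_sharing_counts(rounds).values())) == 1
```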
------------------------------
From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: WEP
Date: Sun, 08 Oct 2000 10:04:45 +0200
Dido Sevilla wrote:
> Any 40-bit algorithm can be brute forced in a relatively short time.
> Even I, armed with spare cycles from the sixteen PIII 500's in my
> Internet Cafe (so as not to interfere with our customers' usage!), could
> probably brute force the key to any 40-bit cryptosystem in about a few
> days. If I stole the FPGAs in our microelectronics laboratory and used
> it to perform this decryption, I could probably crack it in several
> minutes; an hour maybe. See the Snake Oil FAQ. Remember 2^40 is only
> ~1 trillion. That's not a lot in these days of high processing power.
(I had 80 x PII 400 connected to distributed.net for a weekend once...)
*I* know that, but *customers* do not - *I* need a paper which says so.
Best regards,
Glenn
P.S: FPGA/ASIC chips are cheap in quantity - you don't have to steal
them.
Also - there are some unemployed HW engineers who are willing to work for
a relatively cheap wage :o)
------------------------------
From: Stas Busygin <[EMAIL PROTECTED]>
Crossposted-To: comp.theory,sci.math,sci.op-research
Subject: A new paper claiming P=NP
Date: Sun, 08 Oct 2000 23:20:31 +0300
Dear Fellows!
A new paper has just been published in Stas Busygin's Repository
for Hard Problems Solving. It is "An Efficient Algorithm for the
Minimum Clique Partition Problem" by A. Plotnikov. Please find this
proposal on efficient solving of an NP-hard problem at:
http://www.busygin.dp.ua/clipat.html
http://www.geocities.com/st_busygin/clipat.html (mirror)
The publication policy of the repository may be found at:
http://www.busygin.dp.ua/call.html
http://www.geocities.com/st_busygin/call.html (mirror)
Best regards,
Stas Busygin
email: [EMAIL PROTECTED]
WWW: http://www.busygin.dp.ua
------------------------------
From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: securely returning password info to a server from a client
Date: Sun, 08 Oct 2000 20:33:15 -0000
<[EMAIL PROTECTED]> divulged:
>No. I am talking about getting the initial user id and password sent from
>the client to the server securely. This takes place once per user
>before any session encryption occurs.
must it be done with your applet, or can you require registration via web
browser, which could then use "standard" ssl protection.
--
okay, have a sig then
------------------------------
From: ca314159 <[EMAIL PROTECTED]>
Crossposted-To: sci.astro,sci.physics.relativity,sci.math
Subject: Re: FTL Computation
Date: Sun, 08 Oct 2000 20:40:57 GMT
In article <eI2E5.18527$[EMAIL PROTECTED]>,
"Paul Lutus" <[EMAIL PROTECTED]> wrote:
> therefore the burden of proof is on you
You mean the burden of _disproof_ is on me;
unless of course, all of a sudden you are
uncertain about your own position and spinning
your reference frame around and around ...
http://www.deja.com/=dnc/viewthread.xp?search=thread&recnum=%3cRZ0E5.12841$[EMAIL PROTECTED]%3e%231/1&AN=678981664&svcclass=dnserver&frpage=viewthread.xp
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: ISO an SHA-1 Implementation in Javascript
Date: Sun, 08 Oct 2000 21:12:21 -0000
<[EMAIL PROTECTED]> divulged:
>I believe the crypto API for java includes SHA. I could be wrong but
>check the SUN web site.
umm. java != javascript. this may cause some problems.
--
okay, have a sig then
------------------------------
From: [EMAIL PROTECTED] (Will Janoschka)
Subject: Re: It's Rijndael
Date: Sun, 08 Oct 2000 21:12:27 GMT
A 256bit key for a 128bit block is fine for me
since key entry is often a problem.
end to end test -- 1ea readable PT, 1ea readable CT, and versa.
did you get the key in correctly, or is the implementation hosed.
thanks, -will-
On Sun, 8 Oct 2000 14:16:57, [EMAIL PROTECTED]
(John Savard) wrote:
>
> Just a thought: while a key to do that would not be possible to find
> if Rijndael is secure, a set of subkeys to do that is certainly
> findable; it is trivial to change even the second-last subkey to make
> a block encrypt to whatever you wish. (As the last subkey performs a
> final XOR on output, achieving this by changing it is *too* trivial.)
>
> Or one could choose a key (remember: the Rijndael key schedule begins
> with the key itself) such that "Rijndael" becomes "AES Winner" in the
> proposed format after the _first round_, although that requires a key
> twice as long as the block.
>
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: "madcow" <[EMAIL PROTECTED]>
Subject: Re: WEP
Date: Sun, 8 Oct 2000 17:14:35 -0400
RC4 is a proprietary algorithm developed by RSA
(http://www.rsasecurity.com/), but you should be able to get the source
code of a reverse engineered version of it called "arcfour" on the web.
It's a good algorithm, but a 40 bit key is just too small these days. RC4
can have a key as big as 2048 bits. I don't think that the use of RC4 was
adopted for wireless by everyone. Some companies, like Proxim (Intermec
uses Proxim cards), use their own "secret" algorithm for encryption. Some
companies will claim that no encryption is required, since they are using
spread-spectrum communications. Another problem with 802.11 is that the
encryption only protects the data, not the entire packet. This could be a
problem if you are using TCP/IP. You should be using a VPN to get real
security and protect your network.
Info on wireless networks:
http://www.wlana.com/
And on breaking RC4 40 in 8 days:
http://www8.zdnet.com/pcmag/issues/1508/pcmg0074.htm
and
http://catless.ncl.ac.uk/Risks/17.65.html
Ichinin <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Two questions:
>
> 802.11 states:
> "WEP algorithm based on the RC4 PRNG algorithm"
> (claimed to be developed by RSA.)
>
> - Anyone have any details about this?
>
> - Anyone have a link to the page that says that 40 bit RC4 was
> bruteforced in a very short time?
>
> Regards,
> Glenn
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************