Cryptography-Digest Digest #886, Volume #12      Tue, 10 Oct 00 08:13:00 EDT

Contents:
  OT: What is "freeware"? (Runu Knips)
  NIST RNG Tests ([EMAIL PROTECTED])
  Re: MITM attack ("kihdip")
  Re: NSA quote on AES ("Brian Gladman")
  Re: NSA quote on AES ("Brian Gladman")
  Re: A new directory hierarchy standard - need opinions (jtnews)
  Re: Any products using Rijndael? ("Sam Simpson")
  Re: Microsoft CAPI's PRNG seeding mechanism (Volker Hetzer)
  Re: Any products using Rijndael? (Runu Knips)
  Re: A new paper claiming P=NP (David Bernier)
  Re: MITM attack ([EMAIL PROTECTED])
  Re: NIST RNG Tests (Mok-Kong Shen)
  Re: Looking for paper (Mok-Kong Shen)
  Re: A new paper claiming P=NP (Dima Pasechnik)
  Re: AES Runner ups (Runu Knips)
  pkcs#10 request and Microsoft CA ([EMAIL PROTECTED])
  Is the contest dead ? (Runu Knips)
  Re: NIST RNG Tests ([EMAIL PROTECTED])
  Rijndael test vectors ([EMAIL PROTECTED])
  Rijndael test vectors - trouble ([EMAIL PROTECTED])
  Re: Microsoft CAPI's PRNG seeding mechanism (Tim Tyler)
  Re: Microsoft CAPI's PRNG seeding mechanism ([EMAIL PROTECTED])
  Re: MITM attack (Guy Macon)
  Re: Microsoft CAPI's PRNG seeding mechanism (Tim Tyler)
  Re: NSA quote on AES (Tim Tyler)
  What is meant by non-Linear... ("Rob Marston")
  Re: Microsoft CAPI's PRNG seeding mechanism (Guy Macon)
  Re: NSA quote on AES (Tim Tyler)
  Re: NSA quote on AES (Tim Tyler)
  Re: Need help: considerations for IV and Keysetup ([EMAIL PROTECTED])
  Re: On block encryption processing with intermediate permutations (Bryan Olson)

----------------------------------------------------------------------------

Date: Tue, 10 Oct 2000 09:36:20 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: OT: What is "freeware"?

Paul Schlyter wrote:
> So I'd like to ask the participants in this NG: how do you
> define "freeware"?  And in particular: is "public domain" one
> class of "freeware", or is it distinct from "freeware"?

This is not a NG for discussing this, however, I define
"freeware" as "free software" in the meaning of "free
beer". OpenSource software (see www.opensource.org for
the exact definition, this term is often misunderstood) and
Public Domain are only special cases of freeware. It
just means 'no direct commercial gain', i.e. you may
have to pay for the costs of copying that software,
but not for the software itself.

------------------------------

From: [EMAIL PROTECTED]
Subject: NIST RNG Tests
Date: Tue, 10 Oct 2000 07:26:08 GMT

Hi all,

I have finally managed to compile the new NIST Random Number Generator
tests. However, I don't have any data to make sure the code does what
it's supposed to do. Could anyone supply me with some data they have
used and then I could compare my results with theirs?

Thank you for your help,

Brice.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: MITM attack
Date: Tue, 10 Oct 2000 10:01:23 +0200

I think you're right that a MITM attack would be difficult to do in real
life.
But just as you pointed out, you cannot know where your packets will go, and
thus they *could* be routed through the same channel somewhere on their way.

An attacker who wants to use a MITM would probably gather information on his
'prey' and use this information to pick a spot where to attack.

As long as there is the slightest risk (even in theory only) you cannot
afford to disregard it.

Kim





------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Tue, 10 Oct 2000 09:02:15 +0100


"Greggy" <[EMAIL PROTECTED]> wrote in message
news:8rtu2u$3jk$[EMAIL PROTECTED]...
>
> > I can draw the conclusion that NSA will use AES to
> > protect some US national security information - not
> > just 'something', which is much less specific.
>
> You said you "can", but I don't see how.  They never touched on this
> matter in their statement.

In my view it did, by saying:

"NSA intends to use the AES where appropriate in meeting the
national security information protection needs of the United States
government"

      Brian Gladman




------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Tue, 10 Oct 2000 09:10:13 +0100

"Greggy" <[EMAIL PROTECTED]> wrote in message
news:8rttnt$389$[EMAIL PROTECTED]...

[snip]
> No, I think what he means is that it is insincere because it is coming
> from an insincere agency cloaked in insincerity and it offers no
> meaningful information for any of us to glean from.
[snip]

It is ok to indicate what information *you* can (and cannot) obtain from a
statement.

It is an ignorant misunderstanding of the nature of information to suggest
that, because you cannot obtain information from it, nobody else can either.

I can obtain information from the statement. I am sad for you that you
cannot do this but that is your problem, not mine.

   Brian Gladman




------------------------------

From: jtnews <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.development.system,comp.os.linux.admin,comp.os.linux.networking,comp.os.linux.setup
Subject: Re: A new directory hierarchy standard - need opinions
Date: Tue, 10 Oct 2000 08:20:02 GMT

Ok, I see your point.  However, how much different is this from
using HelixCode update?  If you gain control of the central server
and everyone updates, everyone gets hosed.  The only insurance
against this is the signature.  If this is enough protection
then why can't a similar signature type system be developed for
entire directory hierarchies?  Can NFS be enhanced so that
you can have signed directories based on something like gpg?

Alexander Viro wrote:
>
> Spoofing of all kinds. Wide-open to middleman attacks. Traffic analysis
> gives a _lot_ of interesting information. Any routing problems on major
> ISP immediately turn into massive DoS. Too many points where single failure
> brings a lot of damage. And server itself becomes extremely tasty morsel
> for every cracker on the planet - get in and you've got all clients.
> Could you spell "DDoS of really majestic proportions"? Could you spell
> "gain control over server, change the clients' idea of the IP of said
> server redirecting them to your mirror, then get the fsck out of server
> restoring everything in pristine condition"? Could you spell "mother of
> all class action lawsuits as soon as the shit will hit the fan"? Same
> applies for DNS spoofing, etc. The question with security problems is
> not "if", it's "when and how hard". Shit _will_ hit the fan and with your
> scheme consequences of a single compromise are going to be really nasty.
> Please, get real.
> 
> --
> "You're one of those condescending Unix computer users!"
> "Here's a nickel, kid.  Get yourself a better computer" - Dilbert.

------------------------------

From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Any products using Rijndael?
Date: Tue, 10 Oct 2000 09:03:35 +0100

<SNIP>

> Twofish round function output is really making me sick lately.  It
> doesn't look like a "wide data path" to me and could be a big
> source of troubles.

<SNIP>

My, we are fickle, Tom...this time last week you were jumping up and
down because Twofish wasn't selected ;)



------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Microsoft CAPI's PRNG seeding mechanism
Date: Tue, 10 Oct 2000 10:36:12 +0200

Tim Tyler wrote:
> 
> In sci.crypt.random-numbers ink <[EMAIL PROTECTED]> wrote:
> : Jack Love dropped into the real world with a crash and proclaimed...
> :> JCA <[EMAIL PROTECTED]> wrote:
> 
> :>>    MS is well-known for not taking security seriously.
> :>
> :>Windows 2k was recently given a C2 rating.
Any source for this?

> : Only if you don't connect it to a network...
>   http://www.win2000mag.com/Articles/Index.cfm?ArticleID=3143
This is about NT 3.51 and the article is from 1998.

Greetings!
Volker
--
The early bird gets the worm. If you want something else for       
breakfast, get up later.

------------------------------

Date: Tue, 10 Oct 2000 10:44:56 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Any products using Rijndael?

Sam Simpson wrote:
> > Twofish round function output is really making me sick lately.  It
> > doesn't look like a "wide data path" to me and could be a big
> > source of troubles.
> 
> My we are fickle Tom...this time last week you were jumping up and
> down because Twofish wasn't selected ;)

Well, he's young and flexible. ;-)

But I would like to understand what this 'wide data path'
problem should be... after all, I started recoding my
Twofish implementation yesterday (Iiiks non-female GF
things again ;-) ) and I found no 'non-wide data paths'
... maybe he's talking about the 2PHT, which he would
have liked to replace with a MDS ?

Would be amusing if Tom would break Twofish :-)

------------------------------

From: David Bernier <[EMAIL PROTECTED]>
Crossposted-To: comp.theory,sci.math,sci.op-research
Subject: Re: A new paper claiming P=NP
Date: Tue, 10 Oct 2000 08:36:29 GMT

In article <8rucpt$iec$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Bill Unruh) wrote:
> In <[EMAIL PROTECTED]> Nico Benschop <[EMAIL PROTECTED]> writes:
>
> ]Mike Oliver wrote:
> ]> > Ah, but that "...or worse" gives them an out. If reviewing a proof
> ]> > is P-time, but *finding* the proof is *worse* than NP-time,
> ]> > then reviewing can still be easier than finding without
> ]> > contradicting P=NP.
> ]>
> ]> At the risk of playing clueless straight man here, let me point
> ]> out that if validating a proof is P, then finding a proof is
> ]> ipso facto NP, since you can guess the proof and then check
> ]>                if your guess is correct in P time.
> ]  ^^^^^^^^^^^^^
>
> ]I don't know about "ipso facto", but shouldn't that be P instead of NP ?
>
> No. He means that if checking whether the proof is correct is P then by
> definition, finding the proof is NP.  It cannot be "worse" than NP.

Suppose P is a proof in ZFC of FLT similar to Wiles', but with
proofs of all lemmas and all background material included
(i.e. a self-contained proof).  I wonder what the order of magnitude
of the length of P might be...

David Bernier



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: MITM attack
Date: Tue, 10 Oct 2000 08:36:13 GMT

Excuse me for the ignorance but could you explain what MITM is?

Thank you,

Brice.

In article <8ruhti$hg1$[EMAIL PROTECTED]>,
  "kihdip" <[EMAIL PROTECTED]> wrote:
> I think you're right that a MITM attack would be difficult to do in
> real life.
> But just as you pointed out, you cannot know where your packets will
> go, and thus they *could* be routed through the same channel somewhere on
> their way.
>
> An attacker who wants to use a MITM would probably gather information
> on his 'prey' and use this information to pick a spot where to attack.
>
> As long as there is the slightest risk (even in theory only) you
> cannot afford to disregard it.
>
> Kim
>
>



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: NIST RNG Tests
Date: Tue, 10 Oct 2000 11:07:55 +0200



[EMAIL PROTECTED] wrote:
 
> I have finally managed to compile the new NIST Random Number Generator
> tests. However, I don't have any data to make sure the code does what
> it's supposed to do. Could anyone supply me with some data they have
> used and then I could compare my results with theirs?

As discussed recently, the package could have some problems
on PC. Please contact the implementors at NIST and let us 
know that the suite runs correctly on PC and about the 
checks you mentioned.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Looking for paper
Date: Tue, 10 Oct 2000 11:11:33 +0200



Benjamin Goldberg wrote:
> 
> I recall seeing a paper where data was compressed using a static huffman
> tree (with 0 and 1 labels on the branches randomly swapped), and the
> tree hidden... and analysis was done to attempt to recover the tree.  I
> don't, however, recall *where* I saw the paper... I think it was a .ps,
> or .ps.gz, not a .pdf or .html document.

I think your memory may not be correct on this issue.
This is the scheme that I recently posted to the group.
I don't think there is already a result of an analysis study
on that, if anyone has attempted it in the meantime.
It seems to be too early to expect that.

M. K. Shen

------------------------------

From: Dima Pasechnik <[EMAIL PROTECTED]>
Crossposted-To: comp.theory,sci.math,sci.op-research
Subject: Re: A new paper claiming P=NP
Date: 10 Oct 2000 10:58:59 +0200

Stas Busygin <[EMAIL PROTECTED]> writes:

> Paul Rubin wrote:
> > 
> > Any chance of providing a pdf file?  The .ps.zip and .ps.gz files are
> > hard to view in a browser.
> Sorry, not just now. I have a limited space on the web server.

You don't have to provide .ps.zip files if you provide .ps.gz.
WinZip can deal with .gz files just fine...

---
Dmitrii

------------------------------

Date: Tue, 10 Oct 2000 11:12:06 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: AES Runner ups

Greggy wrote:
> So if Rijndael is the winner, are there any runner ups that
> would take its place if a significant weakness were
> discovered soon?

Rijndael is very good in many respects, only security itself
isn't that extreme. It is the fastest in hardware and very
fast in software.

RC6 cannot be used without a license from RSADSI, so don't
use it. Too, it is not very optimal for hardware (no key
agility), and impossible for lowend architectures (smartcards).

MARS has been optimized by Coppersmith (considered the best
cryptanalyst of the world by many people) and others against
'unknown attacks'. It is considered secure, but has a new
design, which causes people not to trust it too much. It
is not good in hardware, and I think also impossible for
lowend architectures.

Twofish is a redesign of Blowfish to meet the requirements
of the AES contest. It is considered very secure. Too, it
is very fast in software and flexible. Its hardware speed
is however said to be not that good, and many people say
it is too complex.

Serpent is a very simple design which is based on DES, but
extended in a very nifty way so it is pretty fast in software
(compared to DES). At the same time, they have put very many
rounds (32) in Serpent which slowed the cipher down again,
but made it also very, very secure. Serpent is the slowest
in software, but the second fastest (and very cheap) in
hardware. AFAIK it is the most secure of all ciphers.

Twofish and Serpent were my personal favorites. Rijndael
was however optimal for the tight requirements of many
people, noticeably for software implementations in lowend
architectures (where Twofish also does well, but Twofish
isn't that good in hardware).

Btw, another really good cipher is AFAIK CAST-128 which
didn't make it to the second round but is used, for
example, in GnuPG.

------------------------------

From: [EMAIL PROTECTED]
Subject: pkcs#10 request and Microsoft CA
Date: Tue, 10 Oct 2000 09:14:20 GMT

Hello,

I am trying to send a pkcs#10 certificate request to the Microsoft CA.
The "Certificate Enrollment Control" of Microsoft allows to create a
pkcs#10 request and everything works fine with this request. But I want
to send a request with a public key generated by myself. Therefore, I
created a standard pkcs#10 request (with IAIK) and now CA is not able to
read the attributes of this request.

Can anyone help me with this problem?



------------------------------

Date: Tue, 10 Oct 2000 11:22:53 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Is the contest dead ?

It seems to me, that nobody has added any new
ciphers to the Crypto Contest since July 7, while
there are 5 unbroken ciphers from June and 5
unbroken ciphers from May. Now we have September.
Has the guy running the contest stopped working
on it ?

http://www.wizard.net/~echo/crypto-contest.html

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NIST RNG Tests
Date: Tue, 10 Oct 2000 09:29:49 GMT

I have actually compiled the code on a Sun computer running the Solaris
OS. I was hoping maybe that version would work properly. I have run it
on some data but I can't check it against anything.

The test data mentioned in the user documentation provided by NIST
doesn't seem to be present when I unpack the compressed files (sts.tar &
sts.data.tar).

I will email the implementors to see if they can provide me with test
data.

Brice.

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> [EMAIL PROTECTED] wrote:
>
> > I have finally managed to compile the new NIST Random Number Generator
> > tests. However, I don't have any data to make sure the code does what
> > it's supposed to do. Could anyone supply me with some data they have
> > used and then I could compare my results with theirs?
>
> As discussed recently, the package could have some problems
> on PC. Please contact the implementors at NIST and let us
> know that the suite runs correctly on PC and about the
> checks you mentioned.
>
> M. K. Shen
>



------------------------------

From: [EMAIL PROTECTED]
Subject: Rijndael test vectors
Date: Tue, 10 Oct 2000 09:58:21 GMT

Hi all!

I'm doing some tests with the Rijndael sources distributed by their authors,
and I'm having some problems:

The reference ANSI C source code seems to work right on my machine (Intel
x86) and compiler (Borland Builder), and produces the right output.
BUT the fast implementation 2.4 produces wrong output; I've tried
with STRICT_ALIGN, but that doesn't seem to fix the problem.

Any tip about what's going on?

Thanks a lot,
Eneko Lacunza.



------------------------------

From: [EMAIL PROTECTED]
Subject: Rijndael test vectors - trouble
Date: Tue, 10 Oct 2000 10:18:45 GMT

Hi all!

I'm doing some tests with the Rijndael sources distributed by their authors,
and I'm having some problems:

The reference ANSI C source code seems to work right on my machine (Intel
x86) and compiler (Borland Builder), and produces the right output.
BUT the fast implementation 2.4 produces wrong output; I've tried
with STRICT_ALIGN, but that doesn't seem to fix the problem.

Any tip about what's going on?

Thanks a lot,
Eneko Lacunza.



------------------------------

Crossposted-To: sci.crypt.random-numbers
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Microsoft CAPI's PRNG seeding mechanism
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Oct 2000 10:23:18 GMT

In sci.crypt.random-numbers Greggy <[EMAIL PROTECTED]> wrote:

: Uh, why would you even consider using CAPI?

: For more information, see http://www.ciphermax.com/ecc/Technology.html
: for why I ask...

That's about the old NSA_Key thing - which I imagine is completely
worthless - and no foundation on which to base a decision about which
crypto API to use.

I wonder if their crypto API uses proprietary algorithms to encourage
vendor lock-in ;-)
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Microsoft CAPI's PRNG seeding mechanism
Date: Tue, 10 Oct 2000 11:14:54 GMT

All this debate on the "security" of M$'s CAPI still does not answer
the question of how the API CryptGenRandom seeds random data. I guess some
reverse engineering is required here, if there is no further info from
M$ itself.



------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: MITM attack
Date: 10 Oct 2000 11:20:24 GMT

William A. McKee wrote:
>
>
>How likely is a MITM attack on an internet connection from an ISP like BELL
>(ADSL from server to BELL) to a client anywhere in the world?  I would think
>that because the packets can be routed just about anywhere and everywhere,
>MITM would be very difficult.  I could be wrong.
>

( I like to define terms like Man In The Middle when I use them in
a context where someone might not know the meaning.  Otherwise it's
just an OTLA. )

If the man in the middle happens to be a BELL employee or someone with
a court order that tells BELL to cooperate, it's a sure thing.
Besides, in real life your packets tend to take the same path.
Run TRACEROUTE again and again and see for yourself.


Obscure Three Letter Acronym.


------------------------------

Crossposted-To: sci.crypt.random-numbers
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Microsoft CAPI's PRNG seeding mechanism
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Oct 2000 11:01:25 GMT

In sci.crypt Tim Tyler <[EMAIL PROTECTED]> wrote:
: In sci.crypt.random-numbers Greggy <[EMAIL PROTECTED]> wrote:

: : Uh, why would you even consider using CAPI?

: : For more information, see http://www.ciphermax.com/ecc/Technology.html
: : for why I ask...

: That's about the old NSA_Key thing [...]

There is some stuff about the CrAPI in there as well - sorry.

It talks about a virus intercepting traffic through the API,
and broadcasting the plaintext.

If you have a viral infection it can probably read all your keystrokes
and broadcast all your documents anyway - but having a cryptography API
that allows such interception if it is possible to prevent it
does not sound like a good move.
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Oct 2000 11:05:30 GMT

Greggy <[EMAIL PROTECTED]> wrote:

:> : What you mean is that *you* see this statement as meaningless
:> : because you judge that NSA is being insincere in making it.

:> I don't doubt their sincerity.

: NSA Sincerity - isn't that an oxymoron?  How can a super secret agency
: be sincere in what they say?

They can really mean it - I don't think it's an oxymoron.

Here I don't doubt that they meant what they said - just that they
didn't actually say anything very much.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  ILOVEYOU.

------------------------------

From: "Rob Marston" <[EMAIL PROTECTED]>
Subject: What is meant by non-Linear...
Date: Mon, 9 Oct 2000 17:59:05 +0100

> In this sense a product cipher should act as a ``mixing''
> function which combines the plaintext, key, and ciphertext in a
> complex nonlinear fashion

A newbie question I know but the FAQ uses the word 'nonlinear'
in this way and I'm not really sure what it means...

I assume it means that where

    y = f(x)

is so complex that

    x = F(y)

is difficult/impossible to compute? Right or Wrong?

Rob



------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Microsoft CAPI's PRNG seeding mechanism
Date: 10 Oct 2000 11:39:17 GMT


dbt wrote:
>
>Jack Love <[EMAIL PROTECTED]> says:
>>>    MS is well-known for not taking security seriously.
>>>
>>Windows 2k was recently given a C2 rating.
>
>C2 is extremely meaningless.  It's a marketing label required to get your
>foot in the door for most government contracts.
>

I disagree.  C2 and its cousins are well thought out security systems.

The real question is whether Windows 2k really has a C2 rating.
Windows NT 4.0 has a C2 rating, but only if you don't connect it to a
network and you secure the hardware - essentially meaning that you
can't get into an NT box (without guessing the password) by typing at the
keyboard.  Big yawn.


------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Oct 2000 11:14:30 GMT

David Schwartz <[EMAIL PROTECTED]> wrote:

:       I'm 1000% confident that even if the NSA could break Rijndael, they
: would never let that information leak. [...]

Have you heard of Jack Dunlap?  Martin and Mitchell?  I'd recommend
checking out some of the relevant history before you let your measures of
certainty get much above 99%.
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Oct 2000 11:20:15 GMT

Brian Gladman <[EMAIL PROTECTED]> wrote:

: The point at which cryptographic systems are broken by breaking the
: algorithms used are now in the past [...]

I doubt this is true.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Free gift.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Need help: considerations for IV and Keysetup
Date: Tue, 10 Oct 2000 11:40:42 GMT

Benjamin, I think you misunderstood some things I said earlier. Lemme
explain:

>> A standard win32-gui application receives a password from the user
>> and communicates with the kernel driver.
>
> You *only* have a gui for activating the driver, no DOS version of the
> program?  What if someone wants to use it in a .bat?

I am talking of a kernel driver here, to be more specific, a filter
driver, for Windows NT machines. It filters all requests to SCSI tape
drives. The GUI is needed to enable/disable that filtering process, and
also to receive the user password and wanted cipher.
Hence, I don't understand the purpose of a DOS version, or the use of a
batch file. If you run a tape backup program in DOS mode under Windows
NT, then it will use the ASPI APIs... which ultimately have to go
through my filter driver.

>> Considerations:
>> 1) Password Setup.
>> I want to use the highest strength of the chosen Cipher, i.e. 256bit.
>> How do I receive a 256bit key? I could generate 256bit pseudorandom
>> bits, save them in a key file, and ask the user to hide that file
>> well (e.g. on a floppy disk, steganography etc.).
>
> Using pseudorandom bits is never a good idea for a cipher key, unless
> they're generated by seeding a CSPRNG with the password... in which
> case, you are, in effect, taking a hash of the password.  Why not just
> use a purpose built hash function in the first place?

Why is that a bad idea? Take the user key, which could be hashed. The
user key is then used to decrypt the masterkey (which was prior
encrypted with the user key); the masterkey itself was generated using
a PRNG, and is used in all further decryption/encryption processes of
the tape.

> I would advise you get two hashes using two structurally different
> hash algorithms (like SHA1 and RIPEMD), and take the first 256 bits
> from the concatenation of the results.

I don't think it is a good idea to use two hashes of the same
passphrase, and then simply concatenate the digests together to 256bit.
I remember someone explaining once in this forum why that would
actually reduce the effective bitsize.

> Also, if you're wondering how someone could think up (and remember)
> 256 bits of entropy, simply suggest that they use some poetry.  Most
> people already know some poetry (from elementary or high school).  Or
> a line or two from a play or movie.

Aren't paraphrases from a poem, play, or movie all candidates for a
badly chosen password, making dictionary attacks much easier??

Greets



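The key-file design described in this post (a PRNG-generated 256-bit master key that is itself encrypted under a key derived from the user's password) as an added example, not the poster's driver code: the password is stretched with salted PBKDF2 so that the poetry-and-movie-line passphrases the thread worries about cost a dictionary attacker real work, and the wrapped master key carries an integrity tag so a wrong password or a tampered key file is detected instead of yielding garbage. The iteration count, salt length and label strings are assumptions; the HMAC-based masking illustrates the structure with the standard library only, and a production driver would wrap the key with an authenticated block-cipher mode.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not from the post): salt length, PBKDF2 work factor and
# the labels that separate the masking subkey from the tag subkey.
SALT_LEN = 16
PBKDF2_ITERATIONS = 100_000
MASTER_KEY_LEN = 32          # 256-bit master key, the strength the post asks for
NONCE_LEN = 16
TAG_LEN = 32

def derive_user_key(password: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 256-bit key-encryption key (KEK).
    The salt and iteration count are what make guessing poems and movie lines expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)

def _subkeys(kek: bytes):
    """Derive independent keys for masking the master key and for the integrity tag."""
    enc_key = hmac.new(kek, b"master-key-wrap/enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"master-key-wrap/mac", hashlib.sha256).digest()
    return enc_key, mac_key

def wrap_master_key(master_key: bytes, kek: bytes) -> bytes:
    """Encrypt the master key under the KEK: nonce || masked key || tag (80 bytes).
    One 32-byte HMAC output masks the 32-byte key; the nonce is fresh for every wrap."""
    if len(master_key) != MASTER_KEY_LEN:
        raise ValueError("master key must be 32 bytes")
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    masked = bytes(m ^ p for m, p in zip(master_key, pad))
    tag = hmac.new(mac_key, nonce + masked, hashlib.sha256).digest()
    return nonce + masked + tag

def unwrap_master_key(blob: bytes, kek: bytes):
    """Return the master key, or None if the KEK is wrong or the blob was modified."""
    if len(blob) != NONCE_LEN + MASTER_KEY_LEN + TAG_LEN:
        return None
    nonce, masked, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(kek)
    expected = hmac.new(mac_key, nonce + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    pad = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    return bytes(c ^ p for c, p in zip(masked, pad))

def create_key_file(password: str):
    """Generate a fresh random master key; return (key_file_bytes, master_key).
    The key file is what the user stores on the floppy the post mentions."""
    salt = secrets.token_bytes(SALT_LEN)
    master_key = secrets.token_bytes(MASTER_KEY_LEN)
    kek = derive_user_key(password, salt)
    return salt + wrap_master_key(master_key, kek), master_key

def open_key_file(password: str, key_file: bytes):
    """Recover the master key from a key file; None on a wrong password or tampering."""
    if len(key_file) != SALT_LEN + NONCE_LEN + MASTER_KEY_LEN + TAG_LEN:
        return None
    salt, blob = key_file[:SALT_LEN], key_file[SALT_LEN:]
    return unwrap_master_key(blob, derive_user_key(password, salt))
```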
------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Tue, 10 Oct 2000 11:41:40 GMT

Mok-Kong Shen  wrote:
> Bryan Olson wrote:
> > Mok-Kong Shen wrote:
[...]
> > > Permutations are discrete entities. Nevertheless, one can
> > > say that there are permutations that are close to one
> > > another, i.e. neighbours. What if I use permutations that
> > > are not the identity but close to it? Does it mean that
> > > the job then becomes 'suddenly' extremely easy as you
> > > claimed?
> >
> > Please do not fabricate claims or quotes and attribute them to
> > me.
>
> Is the following a genuine quote from a previous post of
> yours or not???

Of course, and it would take you mere seconds to
confirm.

>  > > Olson:
>  > > | You specified a pseudo-random permutation. I wrote that a
>  > > | block with the properties that support the attack probably
>  > > | exists among about a thousand blocks.  If the identity is
>  > > | one of the inter-round permutations, such a block will not
>  > > | exist.
>
> If the answer is 'no' please kindly say that and clearly.
> If the answer is 'yes', then my response was the following
> in my last post (which you however snipped):
>
>    In practice it is not easy to obtain good PRNG and hence
>    good random permutations. To get bad ones, including the
>    identity, is rather simple. According to your previous
>    post, I could make one of the inter-round permutations to
>    be the identity and be immune to your attack. That's no
>    problem for me, if necessary. There being n rounds (cycles),
>    I can afford to have one inter-round permutation being
>    the special one, the identity.

I don't see how it could possibly be unclear what scheme
my attack applies to.  The modified scheme is not relevant
to the questions at issue.

> So through this trivial modification (simply leaving out
> one inter-round permutation, while maintaining the other
> inter-round permutations as before) my scheme becomes
> immune to your attack according to what is quoted from
> you above exactly. Do you have anything to say to that
> now??

The FAQ says it well:

    If you don't have enough experience, then most likely
    any experts who look at your system will be able to find
    a flaw. If this happens, it's your responsibility to
    consider the flaw and learn from it, rather than just
    add one more layer of complication and come back for
    another round.


--Bryan




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
