Cryptography-Digest Digest #974, Volume #12 Sat, 21 Oct 00 23:13:01 EDT
Contents:
Pencil and paper cipher (Benjamin Goldberg)
Re: Entropy and RC4 (Benjamin Goldberg)
Re: Help identifiing password encryption scheme? (Tony L. Svanstrom)
Re: Storing an Integer on a stream (Benjamin Goldberg)
Re: Rijndael in Perl (Vernon Schryver)
Re: Hypercube structure / balanced block mixing (Andreas Gunnarsson)
Re: BIOS password, will it protect PC with PGPDisk against tampering ? ("bubba")
Re: new SNAKE web page ([EMAIL PROTECTED])
Re: Visual Basic ("Adam Smith")
Re: Hypercube structure / balanced block mixing (Benjamin Goldberg)
Re: RSA codes (Benjamin Goldberg)
----------------------------------------------------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Pencil and paper cipher
Date: Sun, 22 Oct 2000 01:10:06 GMT
Part of this may sound similar to my last suggested pencil and paper
cipher (10/06/00)... this one isn't like that one much at all.
Pad the plaintext to 2**N letters. Convert to GF(5)^2 (omit the letter j
to get 25 letters). Take, as your key, a polyalphabetic substitution
with domain and range GF(5)^2. Perform balanced block mixing. As the
mixing function, take two GF(5) values, concatenate them, pass them
through the sbox, then split them. There will be N-1 intermediate,
partially enciphered texts; throw these out. If you want, you can,
instead of padding and doing *balanced* block mixing, skip the padding,
and do some kind of *almost* balanced block mixing.
--
"Mulder, do you remember when I was missing -- that time that you
*still* insist I was being held aboard a UFO?"
"How could I forget?"
"Well, I'm beginning to wonder if maybe I wouldn't have been
better off staying abo-- I mean, wherever it was that I was
being held." [from an untitled spamfic by [EMAIL PROTECTED]]
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Entropy and RC4
Date: Sun, 22 Oct 2000 01:10:10 GMT
Tom St Denis wrote:
>
> In article <rOHH5.120$[EMAIL PROTECTED]>,
> "George Gordon" <[EMAIL PROTECTED]> wrote:
> > Other people have asked similar questions here, but let me ask a
> > very specific one.
> >
> > Assume that you initialise RC4 using a 128-bit key. Then you output
> > exactly 16 bytes worth of the stream. (I don't care how many loops
> > you do for the initialisation)
> >
> > OK, how could you determine how much of the entropy in the 128-bit
> > key is preserved in the 16 byte stream if 1) you assume RC4
> > specifically? 2) you assume a perfectly uniform distribution?
>
> I would say if the 128-bits of input is truly random then your 16 byte
> output is truly random. Not that that is 100% true, but the best
> analysis requires 2^30 bytes before the lsb will show off it's
> weakness.
Sadly, this isn't quite correct. Using RC4 cipher in this way is like
using a hash function. There is the birthday paradox to consider. If
you input each 128 bit key once, and for each take a 128 bit output,
there will be collisions.
If you don't understand why, consider the difference between a random
oracle that maps {0,1}^128 -> {0,1}^256, taking 128 bits of the result,
and a random that maps {0,1}^128 -> {0,1}^128. The second will have no
collisions (it's like a block cipher), the first should have quite a
few. The second is a random permutation, the first is random selection
with replacement.
The only way to preserve 100% of your 128 bits of entropy, 100% of the
time, is to take your 128 bits, and encipher it with a secret,
permanently fixed key. There will be no collisions, and therefor not
loss of entropy.
--
"Mulder, do you remember when I was missing -- that time that you
*still* insist I was being held aboard a UFO?"
"How could I forget?"
"Well, I'm beginning to wonder if maybe I wouldn't have been
better off staying abo-- I mean, wherever it was that I was
being held." [from an untitled spamfic by [EMAIL PROTECTED]]
------------------------------
Subject: Re: Help identifiing password encryption scheme?
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Sun, 22 Oct 2000 01:31:56 GMT
Ethics <[EMAIL PROTECTED]> wrote:
> "jungle" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Ethics wrote:
> > ===
> > > would be greatly appreciated, as the old BBS sysop up and left,
> >
> > your best bet would be to find him ...
> No kidding... but he left very unsatisfied with his employers, because they
> found him drastically breaking their computer policies... so it's not like
> he is going to tell us his password.
If that's the case then it's time to call your lawyers.
/Tony
--
/\___/\ Who would you like to read your messages today? /\___/\
\_@ @_/ Protect your privacy: <http://www.pgpi.com/> \_@ @_/
--oOO-(_)-OOo---------------------------------------------oOO-(_)-OOo--
on the verge of frenzy - i think my mask of sanity is about to slip
---���---���-----------------------------------------------���---���---
\O/ \O/ �99-00 <http://www.svanstrom.com/?ref=news> \O/ \O/
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Crossposted-To: comp.compression
Subject: Re: Storing an Integer on a stream
Date: Sun, 22 Oct 2000 01:38:44 GMT
Tim Tyler wrote:
>
> : Andras Erdei wrote:
> :> The method i like most is fibonacci coding:
[snip]
> :> IIRC this encoding is asimptotically optimal.
>
> "Severly sub-optimal" is how I would describe it, especially in the
> context of padding schemes.
Asimptotically optimal means that as the value encoded increases, the
method gets closer to the minimum number of bits needed to encode that
number. The length an integer in base 2, not including the bits needed
t store the length (ie, an EOF, or whatever), is O(log2(N)). For
numbers approaching infinity, an asimtotically optimal encoding takes
O(log2(N)) bits, and *does* include length information.
For pure base 2, we need to first write how many bits are written; To
do that, we need to encode a number on the bitstream. To write the
length of the binary number, what method would you suggest?
> Padding with a format that can't use repeated 1s could only ever be
> anywhere near optimal for small values.
>
> Since when larger and larger values are used, methods which can use a
> greater range of symbols will systematically trounce it, it's hard to
> see how it could be described as "asymtotically optimal".
What do you mean "a greater range of symbols?" There are only two
different symbols at the bit level, 0 and 1. The integer 15 is stored
as 8 bits, including the terminator.
As for byte level encodings, what method would you suggest as being
best?
--
"Mulder, do you remember when I was missing -- that time that you
*still* insist I was being held aboard a UFO?"
"How could I forget?"
"Well, I'm beginning to wonder if maybe I wouldn't have been
better off staying abo-- I mean, wherever it was that I was
being held." [from an untitled spamfic by [EMAIL PROTECTED]]
------------------------------
From: [EMAIL PROTECTED] (Vernon Schryver)
Crossposted-To: comp.lang.perl.misc
Subject: Re: Rijndael in Perl
Date: 21 Oct 2000 10:45:04 -0600
In article <8srmlj$a1g3$[EMAIL PROTECTED]>,
Rob Warnock <[EMAIL PROTECTED]> wrote:
>Runu Knips <[EMAIL PROTECTED]> wrote:
>+---------------
>| > attacker looks at what's "left behind" (tempfiles, diskswapping...).
>|
>| Is it actually possible with Windows or Linux to get memory which isn't
>| swappable ? As an ordinary user process, or as a administrator process ?
>+---------------
>
>Most Unixes -- e.g., Linux, FreeBSD, SGI's Irix, many others -- have
>"mlock(2)" or "mpin(2)" or "plock(2) ...
Yes, but do those functions guarantee that memory will never be
written to some kind of backing store? It's one thing to tell the
operating gystem that some memory must remain in fast memory but
something else to ask that some bits never be leaked to anything
that might be considered semi-stable storage.
>Dunno 'bout Windows, though...
I don't see any relevant knobs in my set of WIN32 documentation, although
there are controls on various aspects of memory.
You can tell Windows 95/98 to not do any swapping, and perhaps that
would be enough. You can do similar or equivalent things on many UNIX
system. For example, your program might open the raw partition which
you've assigned for swapping and scribble on it.
It seems to me that if you really care, you must do the sorts of things
that professionals do, including treating any stable storage that has been
in the same system with your secrets as potentially containing your
secrets. You must also take generous view of the notion of "system,"
including considering the parts that are connected only by network stuff.
Anyone who has been to even a moderately secret government installation
knows that while you can often take in disks and such, you can't get them
out in a useful form.
Vernon Schryver [EMAIL PROTECTED]
------------------------------
From: Andreas Gunnarsson <[EMAIL PROTECTED]>
Subject: Re: Hypercube structure / balanced block mixing
Date: Sun, 22 Oct 2000 03:52:26 +0200
On Sun, 22 Oct 2000, Benjamin Goldberg wrote:
> After posting this, I did discover a recursive function for printing out
> the edges of a hypercube, and suspect that this (or a stack) is the only
> way of getting a hypercube functionally (without a lookup table).
Maybe this is what you want:
void
hypercube(int order)
{
int c, e;
for (c = 0; c < (1 << order) - 1; c++) {
for (e = 1; e < (1 << order); e <<= 1) {
if ((c ^ e) & e)
printf("%d, %d\n", c, c ^ e);
}
}
}
Andreas
--
Andreas Gunnarsson <[EMAIL PROTECTED]>
Carlstedt Research & Technology
Phone: +46 31 7014268
Mobile: +46 70 4262889
Fax: +46 31 101987
------------------------------
From: "bubba" <[EMAIL PROTECTED]>
Subject: Re: BIOS password, will it protect PC with PGPDisk against tampering ?
Date: Sun, 22 Oct 2000 02:04:15 GMT
This program can be easily modified to log keys:
http://www.sysinternals.com/ctrl2cap.htm
I consider this a huge hole in typical corporate security. I can call
network support at my company and complain about some network
problem. They support person will log into my machine with an
administrator user name and password. I could be capturing this
with a key logger.
"pgp651" <Use-Author-Supplied-Address-Header@[127.1]> wrote in message
news:[EMAIL PROTECTED]...
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Isn't the time for good key logger ?
> To log all activities and store in encrypted form for possible
investigation ?
>
> Any suggestions for free key logger that will run in undetected mode and
save
> all keys in encrypted file on user H/D ?
>
> On Thu, 19 Oct 2000, "bubba" <[EMAIL PROTECTED]> wrote:
> >Backdoor BIOS passwords for many computers can be found on the
> >net. In addition, I doubt many BIOS password schemes involve
> >modern encryption algorithms. But your worry seems legitimate. I
> >could build a PGP replacement executable that operated normally
>
> What will happen when intruder will use they copy of PGP, which is not
stealth
> tampered ?
>
> >and correctly, except that it maintained a stealth list of all passwords
> >entered.
> >
> >
> >"pgp651" <Use-Author-Address-Header@[127.1]> wrote in message
> >news:[EMAIL PROTECTED]...
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >>
> >> When you need to protect PC [ win95/98 is running on it ] against
physical
> >> tampering [ to sneak into PC some backdoor software, software key
loggers,
> >> replacements of encryption binaries ... ] on PC that has wide & open
> >> physical access to it, what would be the most cost effective solution ?
> >>
> >> The people in question are using & are customized with encryption for
> >> e-mail, PGP and with hard disk encryption, PGPdisk.
> >>
> >> They have good protection in case of virus infection, the online active
> >> VShield is intercepting all disk activities.
>
> ~~~
> This PGP signature only certifies the sender and date of the message.
> It implies no approval from the administrators of nym.alias.net.
> Date: Sat Oct 21 22:16:25 2000 GMT
> From: [EMAIL PROTECTED]
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQEVAwUBOfIVu05NDhYLYPHNAQG++Qf+MMn5fkLUVRb592PRfxb4GzmmnfSvvdXg
> 1vnciQZKpuhHJN5IFKpav6C4whquOnZIu/hKkKAwUY0JRgANO+F9TDPJ2rFSl/HD
> VPkeZadOLM9rlbeBXaz8n6rRKtzOoVsuu7YVPyKKtDSeuT+CHhoWMBVsVyRDeNfb
> XDe7IPHn8PG6kx+MBdFI+LC9XIhytCYeFSbJWfTPkwT1yVpEqCuQsvWBAsRJVpqe
> r9CjJLkyhpZBN5aP2lCfVsGr8YatRyj07rLIFEVGuMTjBzDeucLHE2OsYvvCjwXv
> AsNWhs6a7YnPo8broczGaCroHI1v2N3tP7cmfunMo1PrQUTznq4dVg==
> =WHAt
> -----END PGP SIGNATURE-----
>
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: new SNAKE web page
Date: Sun, 22 Oct 2000 02:16:46 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> [EMAIL PROTECTED] wrote:
> > The old SNAKE web page died of natural causes a while back,
> > and Ive just found some space for it...
> >
> > SNAKE:
> > http://www.kripto.org/snake
> >
> > It hasnt changed much in recent times, but I guess thats a
> > good thing :-)
>
> The specification is not complete - the function f is not given.
> It's not really possible to analyse it properly without knowing f.
f() can be any function which constructs a large safe prime p,
as a function of k, P and R. "safe" meaning p=2q+1 where q is
also prime.
But, for the sake of clarity, here is a brief description of
the f() function which I intend to use in the SNAKE library...
f(k,P,R)=m[H(k,P,R) mod N]
where m is an array of N safe prime numbers, for which g is a
primitive root. I intend to populate this table by calculating
1024 different 1024bit safe prime numbers by choosing a 1024
bit value for g, then finding...
p=g+x^2, where x < sqrt(p-1)
which will guarantee g is a primitive root for all m[]
Since we're just doing a simple lookup this f() function
should be very fast. Each snake part (DH value) therefore
represents 10bits of password entropy, so if you used a 3
part SNAKE key exchange and a password with 30 or more bits
of entropy you would have a 1 in 2^30 (~1 billion) chance
of guessing an effective P value. Obviously, you can use
a bigger prime array, or more SNAKE parts, if you want to
increase the maximum password entropy that effects the
session key.
I may choose to just store the array of x values, offsets
or deltas in the table to save space. If this is done the
whole m[] table with 1024 primes will be between 4Kb and
8Kb in size.
Im generating m[] at the moment... only 200 to go :)
Regards,
PG.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Adam Smith" <[EMAIL PROTECTED]>
Subject: Re: Visual Basic
Date: Sun, 22 Oct 2000 02:42:57 GMT
I beg to differ...namely for programs that are to be released. I have
always found that it is much simpler to incorporate someone's source code
into your .exe that attach a .ocx and have all of the problems that come
with registering and calling it!
http://www.senseofsecurity.com/sharenc.asp << Doesn't necessarily appeal to
only encryption, but about shareware encryption schemes and the like..
Best regards,
Adam Smith
"Sundial Services" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Yes, bit, they exist and someone has already posted one.
>
> What's more practical is to get (or buy) a cipher package that, ideally,
> is packaged as an ActiveX (OCX) control. Then simply call its methods
> appropriately. DLLs (dynamic link libraries) can also be called from VB
> although it takes a little bit more work.
>
> Cipher algorithms usually require so much "bit twiddling" that it is
> much more efficient for the cipher core to be done in a compiled
> language. Visual Basic is simpler for the less compute-intensive tasks.
>
>
> >binary digit wrote:
> >
> > Anyone know where I can find some encryption algorithms that have been
coded
> > in Vb and have good documentation on them?
>
> ------------------------------------------------------------------
> Sundial Services :: Scottsdale, AZ (USA) :: (480) 946-8259
> mailto:[EMAIL PROTECTED] (PGP public key available.)
> > Fast(!), automatic table-repair with two clicks of the mouse!
> > ChimneySweep(R): "Click click, it's fixed!" {tm}
> > http://www.sundialservices.com/products/chimneysweep
>
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Hypercube structure / balanced block mixing
Date: Sun, 22 Oct 2000 02:50:24 GMT
Andreas Gunnarsson wrote:
>
> On Sun, 22 Oct 2000, Benjamin Goldberg wrote:
>
> > After posting this, I did discover a recursive function for printing
> > out the edges of a hypercube, and suspect that this (or a stack) is
> > the only way of getting a hypercube functionally (without a lookup
> > table).
>
> Maybe this is what you want:
>
> void
> hypercube(int order)
> {
> int c, e;
>
> for (c = 0; c < (1 << order) - 1; c++) {
> for (e = 1; e < (1 << order); e <<= 1) {
> if ((c ^ e) & e)
> printf("%d, %d\n", c, c ^ e);
> }
> }
> }
Well, I did want an iterative method, and you do output the right edges,
but the ordering that you output doesn't reflect the structure of the
hypercube, and the method you used for finding the edges is pretty
durned unintuitive. Not to mention, it does 2**(2*order) "if" tests.
An example of it's output: hypercube(3), with results:
0, 1
0, 2
0, 4
1, 3
1, 5
2, 3
2, 6
3, 7
4, 5
4, 6
5, 7
6, 7
This is sorted! The iterative method I found (after a couple hours
thought) for doing it is:
void hypercube( int order ) {
int i, j, k;
for( i = 0; i < order; ++i )
for( j = 0; j < (1<<order); j += (2<<i) )
for( k = 0; k < (1<<i); ++k )
printf("%d, %d\n", j+k, j+k+(1<<i) );
}
This prints out for hypercube(3):
0, 1
2, 3
4, 5
6, 7
0, 2
1, 3
4, 6
5, 7
0, 4
1, 5
2, 6
3, 7
See how different the ordering is? Making a diagram from this is pretty
easy. Also, there only as many tests done as needed.
--
"Mulder, do you remember when I was missing -- that time that you
*still* insist I was being held aboard a UFO?"
"How could I forget?"
"Well, I'm beginning to wonder if maybe I wouldn't have been
better off staying abo-- I mean, wherever it was that I was
being held." [from an untitled spamfic by [EMAIL PROTECTED]]
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: RSA codes
Date: Sun, 22 Oct 2000 03:05:14 GMT
Bob Silverman wrote:
>
> In article <8smnbo$pjg$[EMAIL PROTECTED]>,
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> > In article <8smm3b$op0$[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED] wrote:
> > > Just a small question. RSA relies on people not being able to work
> > > out the prime numbers that where used to generate the keys right?
> > > Well, can't we just adapt the knapsack solution to break the key
> > > down into it's part.
> >
> > Actually it's relies on the difficulting of finding logarithms
> > modulo the composite.
> >
> > I fail to see how the "knapsack problem" applies...
>
> This last comment does not surprise me. Tom often comments
> on subjects for which he has inadequate knowledge.
At least he's willing to admit to himself and us where he is ignorant;
as the saying goes, "A wise man knows what he knows, and knows what he
doesn't know." There are some people who post on a topic on which they
know little or nothing about, and believe [incorrectly] that they *do*
have adequate knowledge.
Saying "I don't see how X applies" is not the same as saying "X doesn't
apply." If Tom had said the latter, you'd have a right to be annoyed at
his ignorance; as it is, saying "I don't see how X applies" could be
construed as meaning, "Someone tell me if and how X applies?" I don't
see anything at all wrong with that.
--
"Mulder, do you remember when I was missing -- that time that you
*still* insist I was being held aboard a UFO?"
"How could I forget?"
"Well, I'm beginning to wonder if maybe I wouldn't have been
better off staying abo-- I mean, wherever it was that I was
being held." [from an untitled spamfic by [EMAIL PROTECTED]]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
