Cryptography-Digest Digest #991, Volume #12      Tue, 24 Oct 00 03:13:01 EDT

Contents:
  Re: Hypercube/FFT encryption (Terry Ritter)
  Re: A naive question (Sundial Services)
  Re: new to data encryption please help (Sundial Services)
  Re: Timestamping ("Kevin Crosbie")
  Re: My comments on AES (Bruce Schneier)
  Re: My comments on AES (Bruce Schneier)
  Re: On block encryption processing with intermediate permutations (Bryan Olson)
  Re: My comments on AES (Scott Craver)
  Re: On block encryption processing with intermediate permutations (Bryan Olson)
  Re: CHAP security hole question (Bill Unruh)
  Re: Timestamping ("Ed Suominen")
  Re: new to data encryption please help ("John A. Malley")
  Re: Finding Sample implementation for DES and IDEA (Dido Sevilla)
  I can post absolutely anything on the Internet for you to download. (Anthony Stephen Szopa)
  Re: Actually I want FBI and INS deport me from the U.S.A. to Europe so that I can have more fun .... (Arturo)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Hypercube/FFT encryption
Date: Tue, 24 Oct 2000 01:25:18 GMT


On Mon, 23 Oct 2000 04:26:15 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt Benjamin Goldberg
<[EMAIL PROTECTED]> wrote:

>[...]
>Attached as a .txt document is my new cipher, based on the idea of the
>use of a hypercube (in parallel programming) to most efficiently
>distribute data.  A bit of looking around, and I learned that similar
>ideas had been done (Terry Ritter, Tom Denis).  However, Ritter's cipher
>uses a layer of unkeyed mixing, followed by keyed substitution, which is
>quite different from what I want.  

Balanced Block Mixing -- which was first described right here on
sci.crypt in 1994, and which became an issued patent in 1997 -- is
basically the use of orthogonal Latin squares as block cipher mixing
elements.  This addresses a need to construct arguably perfect mixing
between blocks of reasonable size, which then can be applied in
FFT-like patterns to cover blocks of arbitrary power-of-2 size.  In
this way, cipher block size can vary dynamically, on a block-by-block
basis, with no change at all to the ciphering code.  

Not only does nothing about Balanced Block Mixing restrict it to being
necessarily unkeyed, but in 1998 I described in great detail just how
one might go about keying such structures.  See:

  http://www.io.com/~ritter/ARTS/NONLBBM.HTM

where, among other things,  we learn how to construct vast numbers of
different orthogonal Latin squares and choose among them with keying
values.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
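An added example (my own code, not Terry Ritter's and not taken from his articles) of the idea the post describes: a pair of orthogonal Latin squares used as an invertible two-element mixer, applied in an FFT-like butterfly pattern so the same code mixes a block of any power-of-2 size. It assumes symbols are integers mod an odd prime P and uses the linear pair (a+b, a+2b) mod P, which is this example's own choice, not the GF(2^n) construction in Ritter's work.

```python
# Added example (not Terry Ritter's code): two orthogonal Latin squares
# as a 2-element mixer, applied FFT-style across a power-of-2 block.
# The squares are the linear pair L1(a,b) = a + b, L2(a,b) = a + 2b
# over Z_P with P an odd prime (an assumption of this example).

P = 251  # assumed symbol size: elements are integers mod a prime


def mix_pair(a, b):
    """Map (a, b) to (x, y) via two orthogonal Latin squares mod P.

    Each output is a Latin square of (a, b): fixing either input gives a
    bijection of the other.  Orthogonality means (x, y) determines
    (a, b), so the mixer is invertible and each input affects both outputs.
    """
    return (a + b) % P, (a + 2 * b) % P


def unmix_pair(x, y):
    # Inverse of mix_pair: b = y - x, then a = x - b (mod P).
    b = (y - x) % P
    return (x - b) % P, b


def mix_block(block):
    """Apply mix_pair in an FFT butterfly pattern over the whole block.

    With n = 2^k elements, k layers of pair mixing (spans 1, 2, 4, ...)
    let every input element influence every output element; the block
    size can change without changing this code.
    """
    n = len(block)
    assert n > 0 and n & (n - 1) == 0, "block length must be a power of 2"
    v = list(block)
    span = 1
    while span < n:
        for start in range(0, n, 2 * span):
            for i in range(start, start + span):
                v[i], v[i + span] = mix_pair(v[i], v[i + span])
        span *= 2
    return v


def unmix_block(block):
    """Undo mix_block by running the layers in reverse order."""
    n = len(block)
    v = list(block)
    span = n // 2
    while span >= 1:
        for start in range(0, n, 2 * span):
            for i in range(start, start + span):
                v[i], v[i + span] = unmix_pair(v[i], v[i + span])
        span //= 2
    return v


def is_orthogonal_pair():
    """Check the orthogonality claim directly: over all P*P inputs,
    every (x, y) output pair occurs exactly once."""
    seen = {mix_pair(a, b) for a in range(P) for b in range(P)}
    return len(seen) == P * P
```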


------------------------------

Date: Mon, 23 Oct 2000 18:36:53 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: A naive question

In fact this is precisely what packages such as PGP do.  A random
"session key" is chosen for -each- message using a cryptographically
strong PRNG, and this session-key is enciphered in the message heading
using the public key or keys.  

Many public-key cryptosystems are time-consuming, and might be less
secure for encrypting large amounts of data vs. small amounts.  Many
private-key cryptosystems are extremely fast and can even be implemented
in hardware.  So the combination of two systems is an effective
tradeoff.

"Eve" is thwarted from learning anything useful by comparing two PGP
messages, because the message-body is encrypted using a pseudo-random
key, which is both random and unknown.  The only thing that is encrypted
in the same key (the public key) is a random number, and a very short
one at that.


>John Savard wrote:
> 
> On Tue, 24 Oct 2000 00:25:15 +0200, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote, in part:
> 
> >Is there anything wrong with the following?
> 
> >Let there be a master key Q. To send message blocks P
> >with a sufficiently strong algorithm E, we pick a random
> >number R, obtain K = E(Q,R) and send R and blocks E(K,P)
> >to the recipient.
> 
> Given that E(Q,R) means "R, encrypted with key Q", there is nothing
> wrong with that, although it is more conventional to send K and blocks
> E(R,P) to the recipient. In that case, Q is called the "key-exchange
> key".
> 
> It is a standard practice, and useful in reducing the number of times
> one has to use time-consuming public-key algorithms.
>
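An added example (not PGP's code, and not from either poster) of the hybrid scheme this thread discusses: a fresh random session key per message, the body encrypted under it, and only the session key encrypted under the long-term key. It assumes a stand-in cipher E built from HMAC-SHA256 as a keystream generator and a shared master key Q, in place of AES and the public-key wrapping PGP actually uses; the nonce and the last function are there to show what an observer comparing two ciphertexts of the same message gets.

```python
import hmac
import hashlib
import secrets

# Added example, not PGP's code: per-message session key R, body
# encrypted as E(R, P), session key sent as E(Q, R) under long-term key Q.
# E here is a stand-in stream cipher (HMAC-SHA256 in counter mode), an
# assumption of this example; a real system would use AES and, as PGP
# does, wrap R with the recipient's public key.

MASTER_KEY = b"constructed long-term key Q shared by both parties"


def keystream(key, nonce, length):
    """HMAC-SHA256 counter mode: keystream depends on key and nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_message(master_key, plaintext):
    """Return nonce || E(Q, R) || E(R, P) with a fresh session key R.

    The nonce must enter the wrapping keystream: wrapping every R with
    the same keystream would hand an observer R1 xor R2.
    """
    nonce = secrets.token_bytes(16)        # distinct per message, sent in clear
    session_key = secrets.token_bytes(32)  # R: random, used for one message
    wrapped = xor(session_key, keystream(master_key, nonce, 32))
    body = xor(plaintext, keystream(session_key, nonce, len(plaintext)))
    return nonce + wrapped + body


def decrypt_message(master_key, message):
    nonce, wrapped, body = message[:16], message[16:48], message[48:]
    session_key = xor(wrapped, keystream(master_key, nonce, 32))
    return xor(body, keystream(session_key, nonce, len(body)))


def same_plaintext_looks_same(master_key, plaintext):
    """Eve's comparison from the post: encrypt one plaintext twice and
    report whether the two wrapped keys or the two bodies coincide."""
    c1 = encrypt_message(master_key, plaintext)
    c2 = encrypt_message(master_key, plaintext)
    return c1[16:48] == c2[16:48] or c1[48:] == c2[48:]
```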

------------------------------

Date: Mon, 23 Oct 2000 18:38:44 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: new to data encryption please help

Ash, "please ignore John completely."  ;-)  His site is =excellent.= 
You could, and you should, spend many hours perusing it.

>John Savard wrote:
> 
> On Mon, 23 Oct 2000 02:53:45 GMT, [EMAIL PROTECTED] wrote, in
> part:
> 
> > i would like to know any online references for beginners and if
> >possible books .
>
> My web site, although far from perfect, has lots of fascinating
> details on many cipher systems, starting from paper and pencil ones,
> and going up to the present day.
> 
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Kevin Crosbie" <[EMAIL PROTECTED]>
Subject: Re: Timestamping
Date: 24 Oct 2000 02:05:55 GMT

I use the Verisign server for packaging my applets.   I'm not sure of the
format of the returned signature...   Is it a PKCS7 message wrapping a hash?

Cheers,

Kevin


"David Schwartz" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Kevin Crosbie wrote:
> >
> > Hi all,
> >
> > I am writing a program to sign some data, and I wanted to add a
> > timestamp to this.   I figure that I just hash the signed data that I
> > have, and send that off to a notary service, they attach their
> > signature and public key, and send it back, allowing me to verify that
> > it was timestamped at that time.
> >
> > Does anyone know of a good free service which does that, or if not, some
> > service which does that for a fee.
>
> Verisign has a timestamp server that's freely available. The protocol
> for using it is one of the PKIX standards, but it's a PITA. I don't know
> of any libraries to make this easier.
>
> DS



------------------------------

From: Bruce Schneier <[EMAIL PROTECTED]>
Subject: Re: My comments on AES
Date: Mon, 23 Oct 2000 21:38:33 -0500

On Mon, 23 Oct 2000 20:51:55 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>
>
>James Felling wrote:
>> 
>> I believe that given any of the Candidates being declared the AES. There
>> will exist an academic attack versus that cypher before 2006.  It is
>> simply a matter of enough effort being applied against it.  I do not
>> believe that any cypher can hold against that kind of attention without
>> some minor flaw being found.  I have a feeling that this is what Bruce is
>> thinking as well.
>
>I have a problem with the definition of 'academic' attack.
>Suppose that a new cipher has yet no known attack excepting
>brute force. By how much improvement must an attack at
>least have in order to be qualified as an academic attack, 
>or does any epsilon improvement count, no matter how 
>negligibly small that is?

That is my definition.  An academic attack is one that is more
efficient than brute force, even if it is only a small amount more
efficient.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Tel: 408-556-2401
3031 Tisch Way, Suite 100PE, San Jose, CA 95128      Fax: 408-556-0889
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: Bruce Schneier <[EMAIL PROTECTED]>
Subject: Re: My comments on AES
Date: Mon, 23 Oct 2000 21:39:39 -0500

On Mon, 23 Oct 2000 22:19:18 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>
>
>James Felling wrote:
>> 
>> An academic attack is ANY attack that improves upon brute force. If you can
>> eliminate even a single key from the pool of potential candidates via
>> mathematical means it is a valid academic attack.  Heck if you can assign an
>> ordering of likelihood to potential keys that is an attack.  Any method that is
>> more efficient than straight brute force is an attack.
>
>For me that has the flavour of department stores of
>having $99.99 instead of $100.00 counting as a discount.

Indeed.  It is an "academic discount," but not a discount that has any
practical meaning.  Sort of like the difference between an academic
break of a cipher and a break that actually makes a difference in
practice.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Tel: 408-556-2401
3031 Tisch Way, Suite 100PE, San Jose, CA 95128      Fax: 408-556-0889
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Tue, 24 Oct 2000 03:27:01 GMT



Mok-Kong Shen wrote:

> James Felling wrote:

> > No. I am NOT claiming a long message.  What is being
> > done is a single block (u,v) is submitted and encrypted,
> > producing output (x,y).  If the PRNG is keyed in the
> > proper manner (i.e. Message M with key K at time T
> > encodes to a different value than Message M with Key
> > K at time T+1), then there are 64 possible outputs from
> > this program, which will appear at random and one can by
> > repeatedly submitting 1 block messages to the system
> > eventually see in the outputs all 64 possible messages.
> > Then one may submit 2 block messages in the same manner.
> > This will produce a substantially larger space of
> > possible outputs (and once a sufficient proportion of
> > those are collected the "special" pairs drop out, and
> > the attack proceeds as normal).
> >
> > Mr. Olson is not submitting a stream of messages, he is
> > submitting very small messages repeatedly.  This allows
> > him to use statistical tools to pull out the special
> > pairs, and then make the attack.

Exactly.  Thanks.

> The PRNG is set only once at the start of the session, so
> different messages tend to get different permutations.
> It is in my view favourable for Bryan Olson's attack to use
> a sufficiently long single message than using many messages.
> But that probably isn't important for the issue, if I don't
> err.

No.  The attack is as Felling stated.  My post of
14 Oct 2000 which presented the attack reads, in part:

| First I'll encrypt the same single-block message a few
| hundred times.  Call the plaintext (u, v), where u and v are
| the two words of the block.
[...]
| Again we use
| the same message many times, but this time the message is
| two blocks (four words) long.  The two blocks are the same
| as each other, and the same as our one-block plaintext for
| which we got the 64 possible outcomes.  If the one-block
| message we used was (u, v) then the two-block message is
| (u, v, u, v).

Trying to use long messages seems decidedly unfavorable.


--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Scott Craver)
Subject: Re: My comments on AES
Date: 24 Oct 2000 03:33:49 GMT

>Rob Warnock <[EMAIL PROTECTED]> wrote:
>: Tim Tyler  <[EMAIL PROTECTED]> wrote:
>: | Stephen M. Gardner <[EMAIL PROTECTED]> wrote:
>: | : Now what makes you think that he said it was breakable.
>: | 
>: | ``I believe that within the next five years someone will discover an
>: |   academic attack against Rijndael.''
>
>: You just *love* quoting stuff way out of context to twist its meaning,
>: don't you? [...]

>I quoted the bit where he said he expected a break within five years.

        A break?  Or an academic attack?

        I know, fuzzy semantics, but by saying "break" you are surely
        exaggerating his statement.  Especially when immersed in a 
        paragraph explicitly designed to prevent the simplification
        you just committed.

>Quoting more would have been redundant - that single sentence
>answers the question exactly and precisely - and the rest is not
>relevant to it.

        I dunno; I certainly read it differently when I saw it 
        in context of the whole paragraph.  The sentence alone is
        at best neutral-sounding, while the whole paragraph is 
        positive and reassuring.

                                                        -S


------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Tue, 24 Oct 2000 03:47:56 GMT

Mok-Kong Shen wrote:

> Suppose one encrypts many double blocks (u, v, u, v) in
> a very long message
[...]
> I am afraid
> that, by going through 8 cycles it would be extremely
> hard to identify a path like (u,v,u,v)-->(x,y,x,y)-->
> (e,f,e,f) .... --> (j,k,j,k) (say) by examining the
> frequency distribution alone.

I think we've established that the above is a
misunderstanding of the attack.  In the first part of the
attack, a single block (two words) constitutes the entire
message.  In the second part, the entire message is two
blocks (four words) in size.  The attacker encrypts the same
short messages many times.  He does not concatenate them
into one long message and encrypt at once.

The probabilities given in the attack description refer to
encryption of the one-block (two-word) message and the
two-block (four-word) message.

--Bryan



------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: CHAP security hole question
Date: 24 Oct 2000 04:30:21 GMT

In <8sksoq$b87$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
There are at least four versions of CHAP. The original version was 
CHAP 05 (because 05 is the identification number for that particular
version of CHAP). It uses MD5 as a hash. It is not too bad from a
security standpoint, except that an enemy can do a dictionary search on
the messages that pass over the wire and that it requires clear text
storage of passwords on the server.
CHAP 80 comes in two versions. MS's original version was apparently a very
sorry excuse for an authentication scheme and was torn apart by Bruce
Schneier I believe and others. MS then "fixed" it and made it somewhat
more secure, but still no paragon. On recent systems (NT, 2000) they
also implemented another version, version 81, about which I know
little, but it does not strike me with confidence. It is usually also
associated with an MS proprietary encryption protocol to encrypt the PPP
packets. 

Now, if they had really done something useful (e.g. obviated the need for
cleartext password storage, eliminated the possibility of dictionary
attacks on the material which goes over the wire, etc.) that would be one
thing, but instead they created three incompatible versions with no clear
advantage over anything else.

]What are other authentication and key-exchange protocols besides CHAP?

PAP. It is even less secure.

Now, remember that CHAP and PAP are PPP authentication schemes. They
should not be used or considered for anything but PPP. For general
authentication use something like SRP, which gives authentication both
ways, and also does not allow dictionary attacks on the stuff over the
wires.

]It seems to me that CHAP originated from PPP.  I am trying to search

That is where it is used and should be limited to. 

]for all authentication and key-exchange protocols so that I can compare
]which one can better suit my need.  BTW, my need is, first, to
]authenticate a user, second, to prevent socket connections from
]unauthenticated user.
???
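An added example (my own code, not from the post or from any CHAP implementation) that writes out the MD5 challenge/response of the original CHAP (RFC 1994, algorithm 05) to make the two weaknesses the post names concrete: the server must hold the secret in clear to recompute the response, and a captured challenge/response pair lets a guessed secret be checked offline, which is what SRP is designed to prevent. All names and values are constructed for the example.

```python
import hashlib
import secrets

# Added example, not taken from the post: the CHAP MD5 exchange
# (RFC 1994, algorithm 05).  The response is
# MD5(identifier || secret || challenge), so the server needs the secret
# in clear to recompute it, and a captured pair can be tested against a
# guessed secret offline.  All values here are constructed.


def chap_response(identifier, secret, challenge):
    """Client side: one-octet identifier, secret and challenge bytes
    give a 16-byte MD5 response."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_verify(identifier, stored_secret, challenge, response):
    """Server side: recomputes the response, so it must keep the
    cleartext secret (a salted password hash would not work here)."""
    expected = chap_response(identifier, stored_secret, challenge)
    return secrets.compare_digest(expected, response)


def run_exchange(secret, identifier=1):
    """One CHAP round: server challenge, client response, server check.
    Returns the on-the-wire transcript plus the server's verdict."""
    challenge = secrets.token_bytes(16)  # random, sent in clear
    response = chap_response(identifier, secret, challenge)
    ok = server_verify(identifier, secret, challenge, response)
    return identifier, challenge, response, ok


def transcript_confirms_secret(identifier, challenge, response, candidate):
    """Why the post warns about dictionary search: the transcript alone
    is enough to test a candidate secret, one MD5 per guess and no
    further contact with the server (so nothing for it to log).  SRP,
    which the post recommends instead, gives an eavesdropper nothing
    to test guesses against."""
    return chap_response(identifier, candidate, challenge) == response
```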

------------------------------

From: "Ed Suominen" <[EMAIL PROTECTED]>
Subject: Re: Timestamping
Date: Mon, 23 Oct 2000 21:39:49 -0700

See http://www.itconsult.co.uk/stamper.htm

I use the "proof of posting certificates"
(http://www.itconsult.co.uk/stamper/post.htm) regularly, and it seems pretty
well thought out. The price (free) is certainly right.

Ed Suominen
Registered Patent Agent
Web Site: http://eepatents.com
PGP Public Key: http://eepatents.com/key

"Kevin Crosbie" <[EMAIL PROTECTED]> wrote in message
news:8t2fqa$[EMAIL PROTECTED]...
> Hi all,
>
> I am writing a program to sign some data, and I wanted to add a timestamp
> to this.   I figure that I just hash the signed data that I have, and send
> that off to a notary service, they attach their signature and public key,
> and send it back, allowing me to verify that it was timestamped at that time.
>
> Does anyone know of a good free service which does that, or if not, some
> service which does that for a fee.
>
> Thanks a million,
>
> Kevin
>
>





------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: new to data encryption please help
Date: Mon, 23 Oct 2000 22:46:49 -0700

[EMAIL PROTECTED] wrote:
> 
> Hi
> I am a biology student with nothing whatsoever to do with encryption
> yet I have written some programs to do the same just for fun but now I
> want to learn the real methods of doing it. Can anyone please help me ?
> I would like to know any online references for beginners and if
> possible books.

Here's a suggested reading list to get started - a grounding in the
theory and practice of cryptology:
  
 "Cryptography, Theory and Practice" by Douglas R. Stinson,
  
 "Decrypted Secrets, Methods and Maxims of Cryptology"  by F.L. Bauer,
  
 "Cryptanalysis, A Study of Ciphers and Their Solution" by Helen Fouche
  Gaines,
  
 "Applied Cryptography, Protocols Algorithms and Source Code in C" by
  Bruce Schneier

  and "Making, Breaking Codes, an Introduction to Cryptology" by Paul
Garrett.


For good background in cryptanalysis read any of these from Aegean Park
Press:
  
  "Military Cryptanalysis Parts I, II, III and IV"  by William F.
Friedman
  
  or 
 
 "Military Cryptanalytics, Part I, Vol. 1 and 2, and Part II, Vol. 1 and
2" by William F. Friedman and L.D. Callimahos

  or both sets.  The latter set is later. 

( Douglas Gwyn recently indicated Mr. Callimahos *may* be interested in
an on-line crypto-workshop forum. I for one would be interested in
learning from him. I'd do crypto homework if he assigned it posted on
the web.  On-line lectures/interaction prove  more problematic given the
East Coast-West Coast time zone differential.)  
  
Any of these books are available from Barnes and Noble (bn.com) or
Amazon.com.  Aegean Park Press has its own web site at
http://www.aegeanparkpress.com

"The Handbook of Applied Cryptography" is a must-have reference
generously made available by its authors at
http://cacr.math.uwaterloo.ca/hac/


 
John A. Malley
[EMAIL PROTECTED]

------------------------------

From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: Finding Sample implementation for DES and IDEA
Date: Tue, 24 Oct 2000 14:38:39 +0800

Steven Wu wrote:
> 
> Hi everyone,
> 
> I am a student and currently interesting in block ciphers.  Could
> anyone tell me where to find source code for these two standards ?
> 

I would hardly call IDEA suitable for any kind of useful standard. 
Nobody can use it unless they pay royalties, and I think that it kinda
keeps "legitimate" (as in cryptographic researchers) people from doing
cryptanalysis of it.  And you can't use it in Free Software.  Why work
for free to make someone else rich?  Much better would be to study DES,
and its forthcoming successor AES/Rijndael, or any of the other AES
second round candidates: MARS, RC6, Serpent, or Twofish.  With the
exception of RC6, all of these algorithms are public domain, and anyone
is free to study, implement, and use them as they see fit.

--
Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
ICSM-F Development Team, UP Diliman             +63 (917) 4458925
OpenPGP Key ID: 0x0E8CE481

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.freespeech,talk.politics.misc
Subject: I can post absolutely anything on the Internet for you to download.
Date: Mon, 23 Oct 2000 23:54:04 -0700

I can post absolutely anything on the Internet for you to download.

Although I did think of it spontaneously, I do realize and have to 
admit I thought of it a few days after reading about Publius.

Scientific American

http://www.sciam.com/2000/1000issue/1000techbus1.html

Publius Site

http://www.cs.nyu.edu/~waldman/publius/publius.html


Here is how it works:

Let's say you have a software program that has been deemed illegal 
to distribute, and illegal to link to a site where it is available 
for download.

Yet you want to make the software available for download.

I will give the basics then some suggestions.

Basics:

Do not identify the file in any manner.

Encrypt the file using simple XOR with random data then make the
encrypted file available for download.

Because the file is secretly encrypted no one can object since it 
is only a file composed of gibberish or garbage or otherwise useless
data.

Make the secret key available for download.  Because the secret key 
is also gibberish or garbage or otherwise useless data no one can
object.

You may want to distribute the key through the underground or
black-market or some such secure or less obvious channel.

Then the recipient can XOR the key with the encrypted file to 
generate the prohibited software or file.

Suggestions:

Break the encrypted file into two or more pieces to be assembled 
after downloading all parts.  This is so no one can say the single 
encrypted file available for direct download is the exact same 
length as the prohibited file.

Or you can simply generate random data to the exact length of the
prohibited software and post this.  This file is truly gibberish 
or garbage or useless data.

Then write a program that generates a key such that when this key is
XORed with the file containing gibberish or random data, the result 
is the prohibited software.

Basically this is what Publius does with the added features of 
breaking up the key, posting the key parts and the prohibited 
file on to many many different servers across the Internet, allowing 
the entire key to be generated by combining only 20% of the key 
parts, etc.

But then I suppose the government will outlaw the posting or making
available for download any file that is or appears to be random data.

But you can use any file.  Here's an example:  create a file 
containing the text from an online encyclopedia.  Then distribute 
a key such that when this key is XORed with the encyclopedia text 
file it results in the prohibited software.

Your only minor problem is distribution of the key.

So for all you defeatists out there, I guess the government can 
always prohibit posting or making any file available on the Internet 
to stop the transfer of prohibited material over the Internet.

Oh, well.

------------------------------

From: Arturo <[EMAIL PROTECTED]=NOSPAM>
Subject: Re: Actually I want FBI and INS deport me from the U.S.A. to Europe so that I can have more fun ....
Date: Tue, 24 Oct 2000 08:50:07 +0200

On Sun, 22 Oct 2000 12:52:57 +0100, "Edward Taylor" <[EMAIL PROTECTED]>
wrote:

>You want more fun in Europe? Hell - here in Britain we used to be free. But
>now we have the Regulation of Investigatory Powers Bill. In America you
>can't encrypt beyond a certain level right? Well, we can, but we have to
>tell the police when they want to read our mail. Suppose that's all right if
>you're not doing anything illegal ... however ...
>
>
        You're cordially invited to sunny Spain.  Great food (especially against
cholesterol), good weather, siesta in summer ... and no crypto regulations yet.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
