Cryptography-Digest Digest #315, Volume #13 Tue, 12 Dec 00 14:13:01 EST
Contents:
Re: Newbie ([EMAIL PROTECTED])
YAPRNG (Richard Heathfield)
Re: Unguessable sequence of unique integers? ("Brian Gladman")
Is brute for the only way? (Terry Neckar)
Re: What's better CAST in PGP or Blowfish 128bit? (Ray Dillinger)
Re: PGP Symmetric Algo (Tom St Denis)
Re: 64bit CRC (Tom St Denis)
Re: YAPRNG (Tom St Denis)
Re: Sr. Cryptographer/mathematician (Tom St Denis)
Re: YAPRNG (Simon Johnson)
Re: Sr. Cryptographer/mathematician (Tom St Denis)
Re: About governments and my ex-relatives in Finland and the U.S.A. ... basically my
ex-spouse had around 350000 US dollars and then my ex-relatives (Finland and US )
collaborated in their efforts to force me to leave the U.S.A. without any of this
money ... (Derek Bell)
Re: Is brute for the only way? (Simon Johnson)
Re: Unguessable sequence of unique integers? (Simon Johnson)
Re: binary vs. text w/ regard to digital signatures (denis bider)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Newbie
Date: Tue, 12 Dec 2000 17:03:56 GMT
<snip>
> It's totally improper to ask people to break a cipher given
only a
> sample of its output. After all, suppose my cipher is that '1' means
> 'now is the time for all good men' and '2' means 'to come to the aid
of
> their party'. I could then challenge anyone to decrypt '12' and they
> would certainly fail. That doesn't mean my cipher is strong!
But it does mean that you apparently do not distinguish between code
and cipher. Interesting.
Sent via Deja.com
http://www.deja.com/
------------------------------
Date: Tue, 12 Dec 2000 17:17:29 +0000
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: YAPRNG
Yet Another PRNG question, I'm afraid.
PRNGs are weak because they are, ultimately, predictable. But what if we
introduce a complication?
Consider two PRNGs, both of which are known to an attacker (i.e. he is
in possession of both algorithms).
I'll call them R1() and R2(). Each has a big ol' period. 2 to the
something impressive. I think 64 is impressive. I could be wrong about
that, I guess. 128 ought to be even more impressiverer (tm). Or
whatever. Something that perhaps isn't quite big enough on its own,
but...
S1 = a seed for R1.
S2 = a seed for R2.
Both of these have to be known to sender and recipient (which raises the
problem of key distribution).
Encryption and decryption are the same (I think):
t = R1(S1)
u = R2(S2)
for(i
{
C[i] = P[i] ^ (t ^ u);
t = R1(t)
u = R2(u)
/* or here's an interesting variation */
/* v = t;
/* t = R1(u) */
/* u = R2(v) */
}
Or maybe we'd use any old encryption algorithm, and use R1() and R2()
purely for parallel key generation between the two parties.
What is the weakness in the above strategy? (There has to be one, or you
guys would have snapped this up long ago...)
--
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: Unguessable sequence of unique integers?
Date: Tue, 12 Dec 2000 17:38:59 -0000
"Johan Hanson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hello.
>
> I am looking for an algorithm for a generator of a sequence
> of unique and unguessable 32-bit integers.
> The number of integers created by the sequence must be
> very large, i.e. in the 32-bit range and no two values
> in the sequence must overlap until a fairly large number
> (a minimum of 2^24 or so) of values have been found.
What time and space constraints must the algortihm meet?
Brian Gladman
------------------------------
From: Terry Neckar <[EMAIL PROTECTED]>
Subject: Is brute for the only way?
Date: Tue, 12 Dec 2000 18:06:33 GMT
Without doing a brute force program, does anyone know of a reverse
algorithm for the following?
If I know what the ending value of answer is, how can I quickly solve
for the value of key?
==============================================
answer = 1;
for(x=0; x<5432; x++)
answer = (answer * key) % 27218753;
==============================================
Thanks,
Terry
------------------------------
From: Ray Dillinger <[EMAIL PROTECTED]>
Subject: Re: What's better CAST in PGP or Blowfish 128bit?
Date: Tue, 12 Dec 2000 18:19:42 GMT
Oh yeah, some other stuff I forgot to mention.... When you erase
cleartext or keys from a hard drive, you have to write over it
with random data about 20 times so that if someone blackbags the
hard drive, he can't reconstruct it later from the traces that
overwritten dox leave on your hard drive. What the digital head
reads as a 1 or 0, an analog head will read as 0.79947, and someone
can deduce what was written there up to ten generations before.
When you use the standard windows "print" function to print something,
Windows makes a temporary copy of it on the disk. That copy has to
be secure-erased or "wiped" too.
When you pipe input to something on the command line, Windows will
create a temporary file containing it. Gotta detect that, find the
sectors where it was stored, and "wipe" them too.
If you use OLE or regular DLL's, someone can write a hostile version
of the client or a hostile version of the DLL and subvert your system.
It's always best to compile statically with no exposed API. Short
of that, you have to verify the DLL's using a signature or hash of
their bits so your software will *KNOW* it's using the right version.
Oh, and of course an attacker will often try to subvert your system
by substituting a hacked version of the program that doesn't complain
about his rogue DLL or whatever -- so your program ought to check its
own integrity too, using a signature again.
You can be a *mathematical* cryptographer just by studying math; but
if you want to be a *practical* cryptographer, you have to know every
goddamn detail of the operating system and hardware you're working
with. Very few people can be practical cryptographers.
Ray Dillinger <[EMAIL PROTECTED]> wrote:
: Noname <[EMAIL PROTECTED]> wrote:
: : Yes, I need to learn and therefore I'm here:o)). Is it a problem? I cannot
: : know everything:o)). I am coder and I need to include encryption into my
: : product.
: : And that's all. So for me is crypting only algorithm with input and output.
: Well, that's not quite true, depending on the degree of security
: you want. In order to implement crypto that can't be bypassed,
: you have to get down'n'dirty with the hardware when you're doing
: your implementation. It's not just input and output. You can
: implement a good encryption function perfectly in terms of input
: and output, and people will still hack into your customers' secret
: files.
: For example, if you store your key in a local variable while you're
: computing ciphertext, and you let the system reclaim that memory
: when the routine exits, you are leaving a copy of the key lying
: around. A hacker will run another program to allocate the next
: frame buffer, the system will probably hand it the memory you just
: let go of, and guess what -- that other program can use it to
: "guess" your key.
: Dynamically allocated and stack allocated variables -- be SURE
: to overwrite them before deallocating them. This even goes all
: the way out to the math routines, etc, that you've got in the
: standard libraries and never think about.
: Hmm, what else? Oh yeah, something else you probably don't normally
: think about. When the system runs low on physical memory, it swaps
: processes to disk. Including their local variables. Including the
: key if you've got it stored in a local variable. And yes, someone
: who seriously wants to hack your program *will* come in with a
: utility that takes snapshots of the swap space and uses that to
: make password guesses...
: Anything that could contain a key or plaintext, needs to be
: "volatile" so that the system can't swap it to disk.
: Hmm, what else? Oh, another thing you don't normally think about.
: If you're using a GUI front end, and you're displaying your keys
: or your plaintext, then your window classes have copies of it. So
: you've got to go in there and make sure *they* are also declaring
: things volatile, overwriting local variables before exit, etc.
: These are the major ways that systems can have good crypto algorithms
: and still get nailed in the real world. There are others. The point
: is that a good cipher and a correct implementation does not make a
: secure product -- at least not by themselves. If you want to do it
: right, you have to have a good cipher and an implementation that is
: both correct and utterly paranoid about leaving traces anywhere
: on the system.
: If you are interested in the kind of gaffes made by major software
: manufacturers, go to www.counterpane.com and read the crypto-gram
: newsletter archives. Search for the word "doghouse" or "dog-house"
: in each of a dozen different crypto-gram newsletters. You'll find
: interesting things.
: Now, if after that crash course in how to not do it, you still feel
: that you can write good cryptographic code without dedicating a chunk
: of your life to it, be my guest and good luck. But don't think in
: terms of inputs and outputs -- think in terms of sheer paranoia and
: how an attacker might come after the key or plaintext.
: Bear
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: PGP Symmetric Algo
Date: Tue, 12 Dec 2000 18:15:50 GMT
In article <915l1r$ro9$[EMAIL PROTECTED]>,
"ink" <[EMAIL PROTECTED]> wrote:
>
> "Tom St Denis" dropped into the real world with a crash and
proclaimed...
>
> > My abilities? I am no more then a the average avid amateur. And
> > forgive me for answering like that but truly that question gets
asked
> > about three times a week. Why not read posts beforing posting if
you
> > are a newbie?
>
> Neither am I more than an amateur. And even if this question gets
> posted several times a week (though I haven't seen it yet this week),
> it's still not stupid. A simple reference would do. Calling it stupid
> borders on being an insult. At least that's how I would feel it.
>
> No offence intended, just my humble 2c worth.
No problem, I will be a little more curteous.
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: 64bit CRC
Date: Tue, 12 Dec 2000 18:17:47 GMT
In article <[EMAIL PROTECTED]>,
Mihai Preda <[EMAIL PROTECTED]> wrote:
> Hi,
> please excuse me if my message is not adequate for this list.
>
> I need two independent 32bit fingerprints for a message. I think CRC
> would be a good choice (I don't need security).
> Now, what should I prefer:
> a) compute two 32bit CRCs(with different polynomials)
> b) compute one 64bit CRC, and use the lower and higher order 32bits as
> the two fingerprints.
>
> In either case, could you direct me to some available source code
> implementing this? (or, where can I get good 32bit or 64bit
> polynomials?)
Well a single 64-bit CRC would be better. I think a n-bit CRC has the
property that it can detect all errors under n-bits in length and most
others with high probability. Two 32-bit CRCs may only detect errors
upto 32-bits in length at which point they would collide with higher
probability (1/2^32 vs 1/2^64).
I dunno off hand. You could always use a hash such as SHA-1.
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: YAPRNG
Date: Tue, 12 Dec 2000 18:15:10 GMT
In article <[EMAIL PROTECTED]>,
Richard Heathfield <[EMAIL PROTECTED]> wrote:
> Yet Another PRNG question, I'm afraid.
>
> PRNGs are weak because they are, ultimately, predictable. But what if
we
> introduce a complication?
A secure PRNG is deterministic as well. Your criteria for "weak" is
insufficient.
>
> Consider two PRNGs, both of which are known to an attacker (i.e. he is
> in possession of both algorithms).
>
> I'll call them R1() and R2(). Each has a big ol' period. 2 to the
> something impressive. I think 64 is impressive. I could be wrong about
> that, I guess. 128 ought to be even more impressiverer (tm). Or
> whatever. Something that perhaps isn't quite big enough on its own,
> but...
>
> S1 = a seed for R1.
> S2 = a seed for R2.
>
> Both of these have to be known to sender and recipient (which raises
the
> problem of key distribution).
>
> Encryption and decryption are the same (I think):
>
> t = R1(S1)
> u = R2(S2)
>
> for(i
> {
> C[i] = P[i] ^ (t ^ u);
> t = R1(t)
> u = R2(u)
if R1/R2 are linear (as in LFGs or LFSRS) then the scheme is trivial to
break.
> /* or here's an interesting variation */
> /* v = t;
> /* t = R1(u) */
> /* u = R2(v) */
Note that many PRNGS such as LFGs/LFSRS have more then one word of
state. (often many) so it's not a simple assignment like that.
Swapping states between algorithms eliminates the proof of period and
can reduce the effective period of the underlying PRNG.
> Or maybe we'd use any old encryption algorithm, and use R1() and R2()
> purely for parallel key generation between the two parties.
Or use Knuth's Algorithm M for which there is no known practical
attacks.
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Sr. Cryptographer/mathematician
Date: Tue, 12 Dec 2000 18:21:01 GMT
In article <1ZrZ5.287$[EMAIL PROTECTED]>,
"Matt Timmermans" <[EMAIL PROTECTED]> wrote:
> Your rather gritty usenet manner is sometimes entertaining, Tom, but
there
> are many reasons to be more civil.
"You're rather..." hehehehe... Just trying to have some fun.
> For instance:
>
> "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> news:915fi8$fve$[EMAIL PROTECTED]...
> > In article <2IfZ5.17746$[EMAIL PROTECTED]>,
> > "Kevin" <[EMAIL PROTECTED]> wrote:
> > > WE ARE LOOKING FOR EXPERT CRYPTOLOGISTS
> > > in Ottawa, Canada
> > > [...]
> > > You will have experience in 1 or more of these
> > [...]
> > > - Computaional complexity theory
> >
> > "Computational" also referred to "Combinatorics"
>
> Not true in this sense, but that's not important...
>
> > > - Number theory
> > > - Numerical analysis
> >
> > These two are the same!
>
> Also not true, but the fun part comes later...
>
> > > You will aslo be expected to design new applications in
> > > the above areas for incorporation into our secret-hiding, tamper
> > > proof software encoding tools [...]
> >
> > Tamper proof encoding tools? Shaw right.
> >
> > [...]
> >
> > Well I live in ottawa (Kanata specifically) you can contact me at
> > tomstdenis@yahoo if you like.
> >
>
> Ottawa is not _that_ big a city, Tom -- you already work there!
And your point being?
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: YAPRNG
Date: Tue, 12 Dec 2000 18:22:39 GMT
In article <[EMAIL PROTECTED]>,
Richard Heathfield <[EMAIL PROTECTED]> wrote:
> Yet Another PRNG question, I'm afraid.
>
> PRNGs are weak because they are, ultimately, predictable. But what if
we
> introduce a complication?
>
If its a cryptographically secure PRNG, then this isn't the case. If
you are arguing that all PRNGS are insecure due to brute-forcing of the
key-space, simply make an instant of the algorithm were the key-size is
enormas.
An example of this is the LSFR. One picks a primitive polynomial mod 2,
whoose order is equal to the number of bits wide the register is. If x
is the size of the register then (2^X)-1 bits can be generated before
the pseudo-random sequence repeats.
LSFR's are insecure as they come. But by adding a simple complication,
you can make them secure.
For a better explanation consult 'Applied Cryptography'
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Sr. Cryptographer/mathematician
Date: Tue, 12 Dec 2000 18:20:18 GMT
In article <915k33$m6t$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> > In article <2IfZ5.17746$[EMAIL PROTECTED]>,
> > "Kevin" <[EMAIL PROTECTED]> wrote:
>
> >> - Computaional complexity theory
>
> > "Computational" also referred to "Combinatorics"
>
> Ummmmm..... no, not even close.
Well something dealing with complexity is normally a combinatoric
thing... well from what I have seen, sorry.
> >> - Number theory
> >> - Numerical analysis
>
> > These two are the same!
>
> Again, not even remotely close.
How do they differ? Number theory is the analysis of fields, rings,
structures and the relationship between different groups, etc.
Numerical analysis is...?
> You seem to have posted trying to show that the original poster didn't
> know what they were talking about, but unfortunately you stepped in it
> pretty big time showing that you need some big clues...
I try :-)
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Derek Bell <[EMAIL PROTECTED]>
Crossposted-To: alt.2600,alt.security,comp.security
Subject: Re: About governments and my ex-relatives in Finland and the U.S.A. ...
basically my ex-spouse had around 350000 US dollars and then my ex-relatives (Finland
and US ) collaborated in their efforts to force me to leave the U.S.A. without any of
this money ...
Date: 12 Dec 2000 18:35:47 -0000
In sci.crypt John Savard <[EMAIL PROTECTED]> wrote:
: It is possible to have an ex-spouse. But ex-blood-relatives are a bit
: harder to come by.
What if they've turned into vampires? That would make them ex-blood
relatives at least! ;-)
Derek
--
Derek Bell [EMAIL PROTECTED] | Socrates would have loved
WWW: http://www.maths.tcd.ie/~dbell/index.html| usenet.
PGP: http://www.maths.tcd.ie/~dbell/key.asc | - [EMAIL PROTECTED]
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Is brute for the only way?
Date: Tue, 12 Dec 2000 18:26:24 GMT
In article <[EMAIL PROTECTED]>,
Terry Neckar <[EMAIL PROTECTED]> wrote:
> Without doing a brute force program, does anyone know of a reverse
> algorithm for the following?
>
> If I know what the ending value of answer is, how can I quickly solve
> for the value of key?
>
> ----------------------------------------------
> answer = 1;
>
> for(x=0; x<5432; x++)
> answer = (answer * key) % 27218753;
>
> ----------------------------------------------
>
> Thanks,
> Terry
>
>
Yes, factor the modulo: 27218753 into its primes, then express the
problem as:
answer = (answer * (key^5432)) % 2721873
Then, you should be able to solve for the key using the euclidean
algorithm.
Yours,
Simon
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Unguessable sequence of unique integers?
Date: Tue, 12 Dec 2000 18:32:04 GMT
In article <[EMAIL PROTECTED]>,
moc.qit@nahoj wrote:
> Hello.
>
> I am looking for an algorithm for a generator of a sequence
> of unique and unguessable 32-bit integers.
> The number of integers created by the sequence must be
> very large, i.e. in the 32-bit range and no two values
> in the sequence must overlap until a fairly large number
> (a minimum of 2^24 or so) of values have been found.
>
> I suppose I could do this by using a simple counter
> and encrypting the result with a symmetric algorithm.
> Is there a good freely available implementation of a simple
> algorithm?
>
> .. but more interestingly, is there any better way of creating
> the sequence?
>
> Thanks in advance for any replies.
> / Johan
>
> (my reply-email is backwards)
>
Clock an additive generator twice (with a 2^32 word length)
if the first output is greater than 2^31 then the output is the second
word, if the first output is less, dump both words and start again.
Another option, is to use an additive generator clock it once, then
iterate it that many times, the last output is the output of the
function.
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (denis bider)
Subject: Re: binary vs. text w/ regard to digital signatures
Date: Tue, 12 Dec 2000 18:50:29 GMT
On Tue, 12 Dec 2000 02:31:24 GMT, Benjamin Goldberg
<[EMAIL PROTECTED]> wrote:
>I have one minor nitpick here. Some characters, such as n with a ~ over
>it, have two graphically identical encodings -- as a single [combined]
>symbol, and as a letter (the n) followed by a non-spacing symbol (the
>~). This applies to most of the letters of latin-1 which have the high
>bit set; they have their own encodings, and they can be encoded as the
>letter, followed by a non-spacing form of the overmark.
A good point. The specification mandates that in such cases, the most
compact form is the one that must be used. Eventually, validation of
this rule ought to be implemented in the parser, too - however, some
additional studying of the Unicode specification on my behalf will be
necessary before that. :-)
Kind regards,
denis
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
