Cryptography-Digest Digest #471, Volume #13      Mon, 15 Jan 01 09:13:01 EST

Contents:
  Re: Cavell Challenge #1 (Richard Heathfield)
  Re: SHA-1 of a streaming datastream (Ichinin)
  Re: NSA and Linux Security (Mok-Kong Shen)
  Re: rc4 in javascript bug ([EMAIL PROTECTED])
  Re: Challenge/response with MD5 (Niklas Frykholm)
  Re: NSA and Linux Security (digiboy | marcus)
  Re: SHA-1 of a streaming datastream (Tom St Denis)
  Re: NSA and Linux Security (digiboy | marcus)
  Re: NSA and Linux Security (digiboy | marcus)
  Re: NSA and Linux Security (digiboy | marcus)
  I hate Open SSL!!!!! ("Verd")
  Re: NSA and Linux Security (digiboy | marcus)
  Cavell challenge #2 (Richard John Cavell)
  Re: NSA and Linux Security (digiboy | marcus)
  Re: Problem with Lanaki Lesson #1 ("Rob Marston")
  Re: Is this triple-DES variant secure? ("Jakob Jonsson")

----------------------------------------------------------------------------

Date: Mon, 15 Jan 2001 08:21:57 +0000
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: Cavell Challenge #1

Richard John Cavell wrote:
> 
> Excellent.  I shall post Challenge #2 in rec.puzzles.

I look forward to seeing your puzzles in their proper context. If I see
them in rec.puzzles, I might even have a genuine go at solving them.

Please remember, however, to make sure that your puzzles are not
"cooked" like this one was, a fact which I exploited in this thread.

<snip>


-- 
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
K&R answers, C books, etc: http://users.powernet.co.uk/eton

------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Subject: Re: SHA-1 of a streaming datastream
Date: Mon, 15 Jan 2001 08:37:30 GMT

see Section 8 ~"alternative computation" on

http://csrc.nist.gov/publications/fips/fip180-1/fip180-1.txt

Regards,
Ichinin


Sent via Deja.com
http://www.deja.com/

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: NSA and Linux Security
Date: Mon, 15 Jan 2001 10:57:11 +0100



"Douglas A. Gwyn" wrote:
> 
> Strong claims require strong evidence to support
> them.  In the case of this so-called "Echelon"
> claim, the evidence offered up is puny in the
> extreme.

The problem with all secret operations is that no common
people know (assuming that these are not mal-functioning)
what is exactly going on. So one has to rely on some
control committees or the like. But this only shifts the
problem one level and doesn't solve the inherently
unsolvable problem, since on the one hand humans are
fallible under temptations and on the other hand there
are competing interests (from personal to international).
One can thus believe certain matters in one extreme or the 
other. Such beliefs are surely very subjective and are
influenced by one's specific experiences in life through
analogies. If one has always had good experiences in life,
then one tends to believe that everybody in the world
is kind and benign. If one has plenty of bad experiences 
in life, then one tends to believe that there are many 
many criminals, etc. It's sort of extrapolation that,
not unlike even in mathematics, may or may not produce the
correct results. Personally, I think that I am biased
somewhat towards the second above said extreme, though
not in that very extreme. In my youth I was in the first
extreme and had, in particular, an absolute esteem for all
clergymen, a belief which I unfortunately happened to have 
to revise later.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: rc4 in javascript bug
Date: Mon, 15 Jan 2001 10:15:01 GMT

Thanks for sharing that Benjamin, I'll try this out.

In the meantime, I used hex encoding/decoding and it works fine. I split
the screen into 2 frames; the top one loads what needs to be encrypted or
decrypted. It automatically knows whether it's plain or hex-encoded
encrypted text by checking whether the first 16 characters are all valid
hex digits; if so it decodes and decrypts, otherwise it encrypts and
encodes, and then fills the bottom frame with the output, which can be
copied and pasted into the body of an HTML file.
The good thing is that if the encrypted file is opened outside a
frameset, as a stand-alone file, I can trigger countermeasures like
faking an HTTP 404 error.

Alban.



------------------------------

From: [EMAIL PROTECTED] (Niklas Frykholm)
Subject: Re: Challenge/response with MD5
Date: 15 Jan 2001 10:13:03 GMT

>Each end calculates the response by doing a MD5 over a shared secret and
>the challenge, and then sends the response to the other end.
>...
>But I am bit worried about information about the shared secret being
>leaked by the MD5 response, and that someone could send challenges and
>receive the response and thereby detect some parts of the shared secret.
>So I am considering changing response into two parts: yet another random
>block and the MD5 of the shared secret, the random challenge and the
>random block. Would this be more secure?

I do not know of any attacks based on "partially chosen hashes". Of course,
such attacks could appear in the future, but so could any number of other
attacks; predicting the future is hard. I guess it all depends on your level of
paranoia.

You should probably make the challenge include the identities of the client
and the server to prevent an attacker from relaying a challenge to another
machine which uses the same secret.

// Niklas
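
Niklas's relay point, as an added Python sketch (mine, not from the thread): the response is computed over the secret, the challenge and both identities, each length-prefixed, and the verifier recomputes it with its own identity filled in as server_id. The relay_demo function models three parties sharing one secret (constructed names A, B, C and a constructed secret, not a real deployment) and shows that an answer meant for B is rejected by C and cannot be reflected back at A.

```python
import hashlib
import hmac
import os


def md5_fields(*fields):
    """MD5 over length-prefixed fields, so the concatenation of
    (secret, challenge, client_id, server_id) cannot be re-split into a
    different tuple that hashes to the same value."""
    h = hashlib.md5()
    for f in fields:
        h.update(len(f).to_bytes(2, "big"))
        h.update(f)
    return h.digest()


def make_challenge():
    """Server side: a fresh 16-byte random challenge per authentication."""
    return os.urandom(16)


def compute_response(secret, challenge, client_id, server_id):
    """Client side: the response is bound to who is answering and to whom."""
    return md5_fields(secret, challenge, client_id, server_id)


def verify_response(secret, challenge, client_id, server_id, received):
    """Server side: recompute with *its own* identity as server_id and the
    identity the client claims, then compare in constant time."""
    expected = compute_response(secret, challenge, client_id, server_id)
    return hmac.compare_digest(expected, received)


def relay_demo(secret=b"constructed-shared-secret"):
    """Constructed scenario (not a real protocol trace): servers B and C both
    share `secret` with client A.  A answers a challenge it believes came
    from B.  Forwarding that answer to C fails because C verifies with
    server_id=C; reflecting it back at A (roles swapped) fails as well."""
    challenge = make_challenge()
    answer_for_b = compute_response(secret, challenge, b"A", b"B")
    return {
        "B accepts": verify_response(secret, challenge, b"A", b"B", answer_for_b),
        "C accepts": verify_response(secret, challenge, b"A", b"C", answer_for_b),
        "reflected": verify_response(secret, challenge, b"B", b"A", answer_for_b),
    }


if __name__ == "__main__":
    for name, ok in relay_demo().items():
        print(f"{name}: {ok}")
```

The thread's construction hashes the secret as ordinary data; the standard keyed construction for this job is HMAC (Python's hmac module), which takes the secret as the key and can wrap the same identity-bound message.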

------------------------------

From: digiboy | marcus <[EMAIL PROTECTED]>
Subject: Re: NSA and Linux Security
Date: Mon, 15 Jan 2001 12:14:22 GMT

In article <93t38o$78o$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David Wagner) wrote:

> That's ridiculous!  That's called subversion of the rule of law.

...but you're proving my point just there. The military/intelligence
agencies know that in certain cases the public just wouldn't accept
what they're doing to maintain economic balance and national security.
Hence there's a good deal of sub-secrecy.

--
[ marcus ] [ http://www.cybergoth.cjb.net ]
[ ---- http://www.ninjakitten.net/digiboy ]



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SHA-1 of a streaming datastream
Date: Mon, 15 Jan 2001 12:15:28 GMT

In article <93ucsa$um8$[EMAIL PROTECTED]>,
  Ichinin <[EMAIL PROTECTED]> wrote:
> see Section 8 ~"alternative computation" on
>
> http://csrc.nist.gov/publications/fips/fip180-1/fip180-1.txt
>
> Regards,
> Ichinin

So what?  A circular queue of 16 32-bit words is 512 bits of data my friend. 
I don't care how you work with it, sha needs 512-bits of message to work
(unless it's the last block and you pad it).

Tom


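
The "alternative computation" Ichinin points to (FIPS 180-1, section 8) replaces the 80-word message schedule with a 16-word circular queue, and Tom's point is that this queue is still one full 512-bit block. The following Python implementation is added here as an illustration and is not code from either poster: it streams data through a buffer of at most 63 bytes, compresses each complete block with the 16-word circular schedule, and cross-checks itself against hashlib. The sample input in the main block is constructed.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK32


class StreamingSHA1:
    """SHA-1 over a data stream.

    Only the unprocessed tail (at most 63 bytes) is kept between update()
    calls; every complete 512-bit block is compressed immediately using the
    16-word circular message schedule of FIPS 180-1 section 8, so the full
    80-word W array is never materialised.
    """

    def __init__(self):
        self.h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
        self.buf = b""      # bytes not yet forming a full block
        self.length = 0     # total bytes consumed so far

    def _compress(self, block):
        w = list(struct.unpack(">16I", block))  # circular queue of 16 words
        a, b, c, d, e = self.h
        for t in range(80):
            s = t & 15
            if t >= 16:
                # Alternate method: overwrite slot s in place instead of W[t]
                w[s] = rotl(w[(s + 13) & 15] ^ w[(s + 8) & 15]
                            ^ w[(s + 2) & 15] ^ w[s], 1)
            if t < 20:
                f, k = (b & c) | (~b & MASK32 & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (rotl(a, 5) + f + e + k + w[s]) & MASK32
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        self.h = [(x + y) & MASK32 for x, y in zip(self.h, (a, b, c, d, e))]

    def update(self, data):
        """Absorb a chunk of any size; compress every full 64-byte block."""
        self.length += len(data)
        self.buf += data
        while len(self.buf) >= 64:
            self._compress(self.buf[:64])
            self.buf = self.buf[64:]
        return self

    def hexdigest(self):
        """Pad and finalise on a copy of the state so the stream can go on."""
        tail = (self.buf + b"\x80"
                + b"\x00" * ((55 - self.length) % 64)
                + struct.pack(">Q", self.length * 8))
        saved = self.h
        for i in range(0, len(tail), 64):
            self._compress(tail[i:i + 64])
        digest = "".join(f"{x:08x}" for x in self.h)
        self.h = saved
        return digest


def sha1_streamed(chunks):
    """Hash an iterable of byte chunks as one message."""
    s = StreamingSHA1()
    for chunk in chunks:
        s.update(chunk)
    return s.hexdigest()


def matches_hashlib(chunks):
    """Cross-check the streaming result against the standard library."""
    chunks = list(chunks)
    return sha1_streamed(chunks) == hashlib.sha1(b"".join(chunks)).hexdigest()


if __name__ == "__main__":
    # Constructed sample: uneven pieces that straddle 64-byte block edges
    sample = [b"The quick brown fox ", b"jumps over the lazy dog. " * 7, b"end"]
    print(sha1_streamed(sample), matches_hashlib(sample))
```

The chunk boundaries never line up with the 64-byte blocks in the sample, which is exactly the situation a streaming caller is in; the buffer is what absorbs the mismatch, and it never needs to grow beyond one block.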

------------------------------

From: digiboy | marcus <[EMAIL PROTECTED]>
Subject: Re: NSA and Linux Security
Date: Mon, 15 Jan 2001 12:21:46 GMT

In article <93t410$78o$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David Wagner) wrote:

> At a minimum:
>   Publish a credible denial (none of this evasions nonsense).

But if they've said "they do not do so", as someone else said, when
people make allegations against them with no evidence this _is_ all the
denial they have to give. Whether it's credible or not in these cases is
up to the individual to decide.

>   Establish a clear policy that giving intelligence to US companies
>   is forbidden, even indirectly (e.g., through a White House agency),
>   even if only as a by-product of allowed interceptions (e.g., even
>   if those communications were targeted for some other reason, and
>   then only later discovered to also be of relevance to commercial
>   intelligence).

That would be assuming they don't _actually_ do it though.
(I've realised you say this later.)

>   Communicate this policy clearly to all NSA employees.  Get buy-in
>   from the employee culture.  Place it in employee manuals.  Create
>   truly anonymous tip-lines for NSA employees to report violations.
>   Establish strict penalties and procedures for violators.

Well they have to sign official secrets acts etc etc anyway, so the
privacy factor is well known on an individual level.

> And so on.
> All of the above can be performed -- and can be documented -- without
> endangering national security.

These more simple things are already in place. It hinges on the fact of
whether or not they're actually permitted at some level to specifically
pass on information to companies. (Oh, another small complication arises
when the company has been set up by the intelligence agencies
themselves. What is it counted as? Or what if the intel is passed to a
legitimate subsidiary of an intel org and then sold on? Etc etc etc.
I could go on and on.)

> Assuming the allegation is wrong, that is!

Hehe exactly.

> This may not prevent violations,
> but it's already a lot better than what we've got today.

But what _do_ we have today? Now there's a question.

--
[ marcus ] [ http://www.cybergoth.cjb.net ]
[ ---- http://www.ninjakitten.net/digiboy ]



------------------------------

From: digiboy | marcus <[EMAIL PROTECTED]>
Subject: Re: NSA and Linux Security
Date: Mon, 15 Jan 2001 12:39:04 GMT

In article <[EMAIL PROTECTED]>,
  Shawn Willden <[EMAIL PROTECTED]> wrote:

> Gathering intelligence data on U.S. citizens via exchange agreements
> with other countries (UKUSA), however, is a violation of their legal
> charter as far as I understand it.

Actually, although this is probably not quite the case, there seems
to be a nice little loophole in the fact that they say they don't get US
citizen intel from their _allies_. Of course gaining the needed
knowledge from your enemies is perfectly acceptable and, as such, is a
main basis for weeding out spies, etc.

--
[ marcus ] [ http://www.cybergoth.cjb.net ]
[ ---- http://www.ninjakitten.net/digiboy ]



------------------------------

From: digiboy | marcus <[EMAIL PROTECTED]>
Subject: Re: NSA and Linux Security
Date: Mon, 15 Jan 2001 12:36:04 GMT

In article <93r444$3qv$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David Wagner) wrote:

> Do we have any oversight of this form today?
> (If we do, we ought to find them some good publicists!)

On a further note, I went to their website to find out exactly what
oversight is in place today, and found info in their FAQ:

http://www.nsa.gov/about_nsa/faqs_internet.html#rights

I imagine the congressional oversight is independent enough to be, well,
independent. Who knows of course.

Furthermore, with regard to the US 4th Amendment: "unreasonable
searches and seizures" is surely something that can easily be stretched
with qualifications. What _is_ a reasonable search? If you are searching
communications and flagging only messages that, say, have a high number
of phrases and keywords (not forgetting structure) relating to terrorist
activities, has that been a reasonable search?

Anyway, the police seem to stretch it enough; I can imagine the NSA have
found many more loopholes.

--
[ marcus ] [ http://www.cybergoth.cjb.net ]
[ ---- http://www.ninjakitten.net/digiboy ]



------------------------------

From: "Verd" <[EMAIL PROTECTED]>
Subject: I hate Open SSL!!!!!
Date: Mon, 15 Jan 2001 12:54:17 GMT

Hi, I'm a graduate student at Korea's University.

My lab and I designed an application that makes a secure session between
client and server for a project.

We used openssl 0.95b, and it worked well, before encountering this problem.

The problem is we cannot read a DER-coded certificate....

For a PEM type certificate, we used the pem_read function...

but for reading a DER type certificate, I haven't got a clue which
function to use...

Is there any kind person who knows this and can give me an answer?

I will wait for your replies...

Please..help me...

Thanks..

Wish my best regards...to..all of you....
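
Verd's problem is the encoding rather than OpenSSL itself: PEM is base64 text between BEGIN/END lines, DER is the raw ASN.1 bytes, and OpenSSL reads the latter with the d2i_X509 family (d2i_X509_fp, d2i_X509_bio) rather than the PEM_read functions. The Python helper below is an added example, mine and not from the post or from OpenSSL: it tells the two encodings apart, converts between them with the standard library's ssl module, and walks the top-level DER structure as a sanity check. The sample bytes are constructed to have a certificate's outer shape and are not a real certificate.

```python
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Constructed stand-in with the *shape* of a certificate (not a real one):
# SEQUENCE { SEQUENCE { INTEGER 1 }, SEQUENCE { NULL }, BIT STRING 0xFF }
SAMPLE_DER = (b"\x30\x0d"
              b"\x30\x03\x02\x01\x01"
              b"\x30\x02\x05\x00"
              b"\x03\x02\x00\xff")


def looks_like_der(data):
    """A DER certificate begins with the SEQUENCE tag 0x30; PEM is the base64
    of those same bytes between BEGIN/END lines, so it begins with '-'."""
    return len(data) >= 2 and data[0] == 0x30


def to_der(data):
    """Accept either encoding and return the DER bytes."""
    if looks_like_der(data):
        return data
    text = data.decode("ascii", "strict").strip()
    if PEM_BEGIN not in text:
        raise ValueError("neither DER nor PEM certificate")
    return ssl.PEM_cert_to_DER_cert(text)


def to_pem(data):
    """The other direction, e.g. to feed a PEM-only reader."""
    return ssl.DER_cert_to_PEM_cert(to_der(data))


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, next_pos).
    Handles short (<128) and long-form lengths; rejects truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def top_level_tags(data):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
    signatureAlgorithm SEQUENCE, signatureValue BIT STRING }.
    Returns the tags of the outer SEQUENCE's members: a cheap check that the
    bytes are DER of the expected shape before a real X.509 parser sees them."""
    der = to_der(data)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    return tags


def pem_roundtrip_ok(der):
    """DER -> PEM -> DER must give back the original bytes."""
    return to_der(to_pem(der).encode("ascii")) == der


if __name__ == "__main__":
    print([hex(t) for t in top_level_tags(SAMPLE_DER)], pem_roundtrip_ok(SAMPLE_DER))
```

With a real certificate file, passing its bytes to to_pem gives text a PEM-only reader accepts, and top_level_tags returning [0x30, 0x30, 0x03] confirms the file really is a DER certificate rather than, say, a PKCS#7 bundle or a key.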



------------------------------

From: digiboy | marcus <[EMAIL PROTECTED]>
Subject: Re: NSA and Linux Security
Date: Mon, 15 Jan 2001 13:13:52 GMT


> > I suppose that the truth of your sentence, when applied
> > to any country, is conditioned on its status of democracy,
> > which, BTW, might vary with time, as history shows.

Quite. I was applying it to the current structures in UKUSA
countries.

In article <[EMAIL PROTECTED]>,
Rich W. <[EMAIL PROTECTED]> wrote:
>
>   Exactly.
>
>  Who said we aren't going to get someone who's a little more ruthless
> and grabs some power?

Quite hard to do in such countries. Regardless any legislature would
then go out the window, making any discussion one way or the other about
civil rights rather pointless.

> Have you learned nothing from history?  I'm afraid I find you to be
> more than frightening, and more than naive.

And you must then be frighteningly paranoid and insecure. Just about the
right mix of feelings that (collectively) would make a group attempt to
grab power from a relatively stable governmental system.

--
[ marcus ] [ http://www.cybergoth.cjb.net ]
[ ---- http://www.ninjakitten.net/digiboy ]



------------------------------

From: Richard John Cavell <[EMAIL PROTECTED]>
Subject: Cavell challenge #2
Date: Tue, 16 Jan 2001 00:22:22 +1100

My second challenge is in rec.puzzles.

=============================================================
Richard Cavell - [EMAIL PROTECTED]

Newsgroups - Please keep any discussion on the group, and copy your
replies to me via email. (Server problems).  Sending me bulk email
guarantees a nasty response.

Judge Thomas Penfield Jackson on Bill Gates: "He has a Napoleonic concept
of himself and his company, an arrogance that derives from power"
=============================================================


------------------------------

From: digiboy | marcus <[EMAIL PROTECTED]>
Subject: Re: NSA and Linux Security
Date: Mon, 15 Jan 2001 13:23:21 GMT

In article <93t4ch$7d5$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David Wagner) wrote:

> Legal procedures may be different now, but the general
> reason for concern remains much the same, as far as I can see.

But what _is_ the reason for concern? In the UK these types of activities
have been in operation since WWI. I haven't yet spotted any significant
threat to our own civil rights in that time (regardless of the
wonderful US high-school teachings of "subjects vs citizens").

I see no difference in the US where they've been in operation to a major
extent _at least_ since pre-WWII.

You can have all the fears you want to fill your brains with (I'd fear
getting hit by a bus more) but the primary question is, how have these
operations affected _you_ to get so up in arms?

I don't see any of what I've stated on this thread as being naive.
Obviously though. Naivety has mostly arisen when people believe the face
of the law, or statements, or refuse to see the wider picture, the other
applications of intel, or naively believe the one-sided arguments from
conspiracy theorists.

--
[ marcus ] [ http://www.cybergoth.cjb.net ]
[ ---- http://www.ninjakitten.net/digiboy ]



------------------------------

From: "Rob Marston" <[EMAIL PROTECTED]>
Subject: Re: Problem with Lanaki Lesson #1
Date: Mon, 15 Jan 2001 13:38:47 -0000

> I've been looking at the Lanaki Lesson #1 at
>
> http://www.und.nodak.edu/org/crypto/crypto/lanaki.crypt.class/lessons/lesson01.zip

I see the posting broke this link, well the bit I'm having problems
with looks like this...

POSITION AND FREQUENCY TABLE

Time to put to good use the barrage of data presented.  Given
the next slightly harder cryptogram, and ignoring again a
pattern word attack, we can develop some useful tools.  [Much
of what I am covering can be done automatically by computer but
then your brain goes mushy for failure to understand the
process.]


A-2.  [no clue]                                 S-TUCK

V W H A Z S J X I H   S K I M F   M W C G M V   W O J S I F  -
A G F J A Q   Q M N R J K Z M G R S W M F.   J A T W   X H   -
A W F.    F I Q Q W F F X I H   F K H B A O Z   J S M A H H F.
T G A H P K D   X M A W O V F S A R F    X H K I M A F S.
[ Hyphens mean a continuation of a word.]

First we perform a CT Frequency Count.

 F  A  H  M  W  S  I  J  K  X  G  Q  O  R  V  Z  T B C D N P
13 11  9  9  8  7  6  6  5  5  4  4  3  3  3  3  2 1 1 1 1 1

We have 106 letters.  20% are considered low frequency.
20% of 106 = 21.  Counting from right to left we have O, R, V,
Z, T, B, C, D, N, P.  We mark A-2. with a dot over each
appearance.  We also enter the frequency data under the CT.

Next we develop a CT Letter Position Chart.
                                                    deduced
     F : I    2    3     -     3     2     E        PT equiv's
 A  11 :      /    /    .....  ///   /              i
 B   1 :                .                           v
 C   1 :           /                                w
 D   1 :                                   /        x
 F  13 : /    /         .....        /     /////    s
 G   4 :      /                 /                   a
 H   9 :      //   //   .       /    /     //       l
 I   6 :      /         ...          //             u
 J   6 : //        /    ..           /              t
 K   5 :      //   /    .            /              o
 M   9 :/    //    /    ..           //             r
 N   1 :           /                                y
 O   3 :      /                      /              n
 P   1 :                         /                  b
 Q   4 : /         /     .                  /       c
 R   3 :                 ..           /             p
 S   7 : /    /          ....               /       h
 T   2 : /                            /             m
 V   3 : /               .                  /       d
 W   8 : /    //         ..       /   /     /       e
 X   5 : ///                     //                 f
 Z   3 :                 ..                 /       g
    ===
    106
Columns represent the initial, first, second, third letters,
final and two preceding antepenultimate letters.  Dots for any
other position in word.


> and I'm having problems getting his Tally chart to work.
>
> The first line of the "Next we develop a CT Letter Position Chart"
> chart is given as
>
> A 11 :     /  /  .....  /// /
>
> This seems to indicate that the number of words whose third
> Character is an A is one.
>
> Now when I look at A-2 I find that three words have their
> third character set to A, these are...
>
> 1) XHAWF
> 2) TGAHPKD
> 3) XMAWOVFSARF
>
> Now I understand that word (1) is only five letters long so
> the A is probably treated as a middle letter and not a third
> Letter! But this still leaves me with two other words where
> Lanaki only scores one.
>
> Can anybody tell me what I'm doing wrong?
>
> Rob
>
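
The frequency count and position chart in the lesson can be recomputed from the cryptogram A-2 as printed above. The Python below is an added example (mine, not Lanaki's or Rob's); the word list is transcribed from the post with the hyphenated continuations joined, and the column definitions are my assumed reading of the headings "I 2 3 - 3 2 E" (initial, 2nd, 3rd, other, 3rd-from-last, 2nd-from-last, final, with a position that qualifies twice going to the first matching column). The frequency count reproduces the lesson's table exactly, letter order included; the third-letter tally it produces for A is the one Rob counts, not the one printed in the lesson.

```python
from collections import Counter

# Cryptogram A-2 as printed in the lesson; a hyphen at a line end continued a
# word, so those pieces are joined here (e.g. "WOJSIF-" + "AGFJAQ").
A2_WORDS = [
    "VWHAZSJXIH", "SKIMF", "MWCGMV", "WOJSIFAGFJAQ",
    "QMNRJKZMGRSWMF", "JATW", "XHAWF",
    "FIQQWFFXIH", "FKHBAOZ", "JSMAHHF",
    "TGAHPKD", "XMAWOVFSARF", "XHKIMAFS",
]

# Assumed reading of the chart headings "I 2 3 - 3 2 E".
COLUMNS = ["initial", "2nd", "3rd", "other", "3rd-last", "2nd-last", "final"]


def frequency_count(words):
    """CT frequency count: (letter, count) pairs, most frequent first,
    ties broken alphabetically."""
    counts = Counter("".join(words))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def low_frequency_letters(words, fraction=0.20):
    """Walk the frequency table from the right, taking letters while their
    combined count stays within `fraction` of the total (20% in the lesson)."""
    budget = round(sum(map(len, words)) * fraction)
    picked, used = [], 0
    for letter, n in reversed(frequency_count(words)):
        if used + n > budget:
            break
        picked.append(letter)
        used += n
    return sorted(picked)


def position_class(index, length):
    """Which chart column a letter at `index` in a word of `length` falls in.
    Assumption: the first three and last three positions are named, anything
    else is 'other', and a position that qualifies twice (the 3rd letter of a
    5-letter word is also 3rd-last) goes to the column listed first."""
    from_end = length - 1 - index
    if index == 0:
        return "initial"
    if index == 1:
        return "2nd"
    if index == 2:
        return "3rd"
    if from_end == 0:
        return "final"
    if from_end == 1:
        return "2nd-last"
    if from_end == 2:
        return "3rd-last"
    return "other"


def position_chart(words):
    """letter -> {column: count}: the tally chart with numbers in place of
    slashes and dots."""
    chart = {}
    for word in words:
        for i, letter in enumerate(word):
            row = chart.setdefault(letter, dict.fromkeys(COLUMNS, 0))
            row[position_class(i, len(word))] += 1
    return chart


def render(words):
    """Plain-text rendering in the lesson's layout (letter, count, columns)."""
    freq = dict(frequency_count(words))
    lines = ["      : " + " ".join(f"{c:>8}" for c in COLUMNS)]
    for letter, row in sorted(position_chart(words).items()):
        cells = " ".join(f"{row[c]:>8}" for c in COLUMNS)
        lines.append(f"{letter} {freq[letter]:>3} : {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(frequency_count(A2_WORDS))
    print("low frequency:", low_frequency_letters(A2_WORDS))
    print(render(A2_WORDS))
```

Changing position_class is the way to test other readings of the chart columns against the lesson's rows; the frequency functions do not depend on it.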



------------------------------

From: "Jakob Jonsson" <[EMAIL PROTECTED]>
Subject: Re: Is this triple-DES variant secure?
Date: Mon, 15 Jan 2001 14:50:20 +0100

Let's see if I interpreted your scheme correctly... You have initialization
vectors F1[1] and F2[1] (public I assume), and to encrypt the kth block you
compute

F1[k+1] = F1[k] + E(M[k], Ki)
F2[k+1] = D(F1[k+1], Kj)
C[k] = E(F2[k] + F2[k+1], Ki)

(+ = xor). For odd k, i=1 and j=2, and for even k, i=2 and j=1.

Maybe I have misinterpreted your scheme, but I believe that the scheme I
just described is vulnerable to a chosen plaintext attack. Guess K1 and put
M = D(F1[1], K1). Encrypt M M M M M. This gives

F1[2] = F1[1] + E(M, K1) = 0

C[1] = E(F2[1] + D(0, K2), K1)

F1[3] = E(M, K2)
F1[4] = E(M, K2) + F1[1]
F1[5] = F1[1]
F1[6] = 0

F2[5] = D(F1[1], K1) = M
F2[6] = D(0, K2)

C[5] = E(F2[5] + F2[6], K1) = E(M + D(0, K2), K1).

You verify whether your guess of K1 is correct or not by applying D with K1
to C[1] and C[5]; the xor sum should be

M + D(0, K2) + F2[1] + D(0, K2) = M + F2[1].

Please tell me if you believe that there is a flaw in my attack.

Jakob

"Kenneth Almquist" <[EMAIL PROTECTED]> wrote in message
news:93qfb2$[EMAIL PROTECTED]...
> If triple-DES is used in CBC mode, then it is not possible to pipeline
> the process because the output of one triple-DES encryption must be
> xor-ed with the input to the next triple-DES encryption.  An alternative
> is to xor each intermediate encryption value with the preceding
> intermediate value.  The following pseudocode shows what I mean:
>
>     temp := E(P[i], K1) xor F1[i]
>     F1[i+1] := temp
>     temp := E(temp, K2)
>     F2[i+1] := temp
>     C[i] = E(temp xor F2[i], K1)
>
> In this code,
>     E(text, key) is DES encryption,
>     D(text, key) is DES decryption,
>     P and C are the plaintext and cyphertext, respectively,
>     K1 and K2 are DES keys which together form the triple-DES key,
>     and F1 and F2 are feedback variables.
>
> This can be pipelined very deeply.  The dependency between pipeline stages
> is that an xor operation must be performed to compute F1[i+1] from F1[i].
> If the time required by this xor (and associated wiring delays) is 1/4
> of the time required for a DES round, we could create a 192 stage pipeline
> resulting in very high throughput.
>
> High throughput is no good if the encryption can be broken.  In fact, the
> above scheme is vulnerable to the following chosen plaintext attack.  We
> start by guessing the value of K1.  To see if we have guessed correctly,
> we set P[i] = P[i+1] = D(0, K1).  Then F1[i+1] = F1[i], so F2[i+1] = F2[i].
> Therefore C[i+1] = E(F2[i+1] xor F2[i], K1) = E(0, K1).  If this last
> equation holds, then we have almost certainly guessed K1 correctly.
>
> There are 2**56 possible values for K1, and since triple-DES works on
> 64 bit blocks, the cypher is presumably rekeyed every 2**32 blocks.
> Since it takes two blocks to check a guess for K1, we would expect to
> get a match about once every 2**57 blocks, meaning we recovered one K1
> value for every 2**25 keys.  Getting the value of K2 is a problem if
> we don't know F1 and F2, but perhaps a differential attack could get
> us K2 in fewer than 2**112 steps.
>
> To avoid this chosen plaintext attack, I propose swapping K1 and K2
> on alternate rounds.  In pseudocode, this looks like:
>
>     temp := E(P[i], K1) xor F1[i]
>     F1[i+1] := temp
>     temp := E(temp, K2)
>     F2[i+1] := temp
>     C[i] = E(temp xor F2[i], K1)
>
>     temp := E(P[i+1], K2) xor F1[i+1]
>     F1[i+2] := temp
>     temp := E(temp, K1)
>     F2[i+2] := temp
>     C[i+1] = E(temp xor F2[i+1], K2)
>
> A variant of the previously described attack could be used against this
> construct, but it would require guessing *both* K1 and K2, so it would
> have no advantage over an exhaustive search.  Can anyone suggest another
> way to attack this construct?
> Kenneth Almquist
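
To check the algebra in Jakob's reply without needing DES, here is an added Python sketch (mine, not from either poster) that models the mode exactly as Jakob restates it, with F2[k+1] = D(F1[k+1], Kj) and the keys swapping roles on odd and even blocks, over a toy 64-bit Feistel cipher whose round function is a keyed SHA-256. The toy cipher is an assumption standing in for DES; the derivation only uses that E and D invert each other. The keys and IVs in design_review are constructed values, not key material. It encrypts M M M M M with M = D(F1[1], K1) and confirms that F1[2] and F1[6] vanish, that F1[5] returns to F1[1], and that the check on C[1] and C[5] passes for the true K1 and fails for an unrelated candidate, i.e. that K2 cancels out of the test. The same cancellation goes through under Kenneth's own E-in-the-middle reading, since F2[5] is then E(F1[1], K1), again computable from a K1 guess and the public IVs.

```python
import hashlib

BLOCK = 8            # 64-bit blocks, as in DES
ZERO = bytes(BLOCK)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # Toy round function: keyed hash of the right half.  NOT DES; the
    # derivation only needs E and D to be a matching encrypt/decrypt pair.
    h = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big")


def E(block, key):
    """Encrypt one 8-byte block with a 4-round Feistel network."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in range(4):
        l, r = r, l ^ _round(key, rnd, r)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")


def D(block, key):
    """Inverse of E: the same rounds applied in reverse order."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in reversed(range(4)):
        l, r = r, l ^ _round(key, rnd, r)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")


def encrypt_alternating(blocks, K1, K2, F1_1, F2_1):
    """The scheme as Jakob restates it.  For odd k: Ki=K1, Kj=K2; for even k
    the roles swap.  Returns the ciphertexts C[1..n] and the chain F1[1..n+1]."""
    F1, F2 = F1_1, F2_1
    C, F1_trace = [], [F1_1]
    for k, M in enumerate(blocks, start=1):
        Ki, Kj = (K1, K2) if k % 2 else (K2, K1)
        F1_next = xor(F1, E(M, Ki))
        F2_next = D(F1_next, Kj)
        C.append(E(xor(F2, F2_next), Ki))
        F1, F2 = F1_next, F2_next
        F1_trace.append(F1)
    return C, F1_trace


def k1_guess_is_consistent(C, guess, F1_1, F2_1):
    """Jakob's test for a candidate K1, using C[1], C[5] and the public IVs
    only: with M = D(F1[1], K1) the K2-dependent term D(0, K2) cancels, so
    D(C[1], K1) xor D(C[5], K1) must equal M xor F2[1]."""
    M = D(F1_1, guess)
    lhs = xor(D(C[0], guess), D(C[4], guess))
    return lhs == xor(M, F2_1)


def design_review(K1=b"k1k1k1k1", K2=b"k2k2k2k2",
                  F1_1=b"iv1-iv1-", F2_1=b"iv2-iv2-"):
    """Reproduce the derivation with constructed keys and IVs: encrypt
    M M M M M with M = D(F1[1], K1) and report whether the intermediate
    values behave as claimed and whether the K1 check separates the true
    key from an unrelated candidate."""
    M = D(F1_1, K1)
    C, F1 = encrypt_alternating([M] * 5, K1, K2, F1_1, F2_1)
    return {
        "F1[2] is zero": F1[1] == ZERO,
        "F1[5] == F1[1]": F1[4] == F1_1,
        "F1[6] is zero": F1[5] == ZERO,
        "true K1 passes": k1_guess_is_consistent(C, K1, F1_1, F2_1),
        "wrong K1 passes": k1_guess_is_consistent(C, b"wrongkey", F1_1, F2_1),
    }


if __name__ == "__main__":
    for name, ok in design_review().items():
        print(f"{name}: {ok}")
```

The lesson for reviewing a mode like this is in k1_guess_is_consistent: every quantity it touches is either ciphertext, a public IV, or derived from the single key being guessed, so alternating the keys has not made the second key part of the test.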



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
