Cryptography-Digest Digest #484, Volume #13 Wed, 17 Jan 01 21:13:01 EST
Contents:
Re: Q: split keys (William Hugh Murray)
Re: Need of very simple algorithms? (Frank Wilde)
Re: Why Microsoft's Product Activation Stinks ("David C. Barber")
Re: Why Microsoft's Product Activation Stinks (zapzing)
Re: Why Microsoft's Product Activation Stinks (JCA)
Full text to the book ``Underground'' released (Julian Assange)
Re: A Small Challnge (Benjamin Goldberg)
Re: multiple anagramming? (Benjamin Goldberg)
Re: Comparison of ECDLP vs. DLP (Wei Dai)
Re: A Small Challnge ("Joseph Ashwood")
----------------------------------------------------------------------------
From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Q: split keys
Date: Wed, 17 Jan 2001 21:11:15 GMT
Andy Resnick wrote:
>
> As many of you may know, Newsweek had an article about the history of
> cryptography, and had (for me, anyways) an unusually clear explanation of
> how public/private key encryption works.
Perhaps. However, it has always reminded me of the card game Bridge;
it is easier to understand than explain. Your re-cap leaves unsettled
the question of how well they explained it. One of the complicating
factors is that most applications use both symmetric and asymmetric key
cryptography, each for a different purpose and to exploit different
characteristics.
> I'm no expert. My question
> is, does the use of two keys imply that there is more than one
> transformation to properly decode an encrypted signal?
Well, there are two transformations. The first transformation is to use
your private key to recover the object (file or message) key and the
second is to recover the object using the object key. However, this is
hybrid cryptography rather than simply public/private key encryption.
This kind of hybrid crypto uses symmetric key crypto, which is fast, to
hide the object, which may be quite long, using a randomly selected
number as the (object) key. Then it uses asymmetric key crypto to
securely share that object key. The advantage of this scheme is that
one gets the speed/security of the symmetric key mechanism with the
limited prearrangement provided by the asymmetric key cryptography.
> That is, I
> receive a signal encoded with (for example) PGP. Now, I'm too lazy to
> get the public key but I have infinite computing power (hey, this is a
> thought experiment!). It seems that I will find *two* keys to decrypt
> the message, and I have a hunch that they will be based on the two
> primes that factor a large number.
Not quite. The public and private key are mathematically related in
such a way that what is encrypted with one can only be decrypted with
the other. To send you a message, I use your public key (e,n); to read
it you use your private key (d,n).
If I give you a message in the clear and the corresponding cryptogram
encrypted under the public key (e,n), then I have implied the private
key (d,n). Unfortunately for you, inferring the private key (d,n) is
computationally infeasible unless you know how to find the two prime
factors of a large number. Since doing so is believed to be
computationally infeasible then so is finding the private key.
>
> Am I somewhat on the right track here?
You tell me. Is what you got from the article consistent with what you
got from what I wrote? If so, then I take it as evidence that you are
on the right track. If not, try to recapitulate one more time.
>
> --
> Andy Resnick, Ph.D.
> Optical Physicist
> Logicon Federal Data
William Hugh Murray, CISSP
Information Protection Consultant
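An added illustration, not part of Murray's post and not PGP's code, of the two transformations he describes: a random object key hides the message under a symmetric keystream, the recipient's RSA public key (e,n) hides the object key, and the recipient first recovers the object key with (d,n) and then the message with the object key. The two Mersenne primes, the SHA-256 counter-mode keystream and the unpadded textbook RSA are constructed toy choices for readability (a real system uses generated 2048-bit primes, OAEP padding and an authenticated cipher).

```python
import hashlib
import math
import secrets

# Toy RSA key pair from two Mersenne primes (constructed for this example).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
D = pow(E, -1, LAMBDA)                                  # private exponent (Python 3.8+)


def rsa_apply(x, exponent, n=N):
    """Textbook RSA: x^exponent mod n. No padding here; OAEP is required in practice."""
    return pow(x, exponent, n)


def symmetric_stream(key, length):
    """Keystream from SHA-256 in counter mode (illustrative only, unauthenticated)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def hybrid_encrypt(message, public_key=(E, N)):
    """Sender: a fresh random object key hides the (possibly long) message; the
    public key hides only the short object key."""
    e, n = public_key
    object_key = secrets.token_bytes(16)            # 128-bit key, numerically < n
    stream = symmetric_stream(object_key, len(message))
    body = bytes(a ^ b for a, b in zip(message, stream))
    wrapped_key = rsa_apply(int.from_bytes(object_key, "big"), e, n)
    return wrapped_key, body


def hybrid_decrypt(wrapped_key, body, private_key=(D, N)):
    """Recipient: transformation 1 recovers the object key with (d,n),
    transformation 2 recovers the message with the object key."""
    d, n = private_key
    object_key = rsa_apply(wrapped_key, d, n).to_bytes(16, "big")
    stream = symmetric_stream(object_key, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def round_trip(message=b"constructed sample message for the hybrid scheme"):
    """True when the recipient recovers the message and the body was actually hidden."""
    wrapped_key, body = hybrid_encrypt(message)
    return hybrid_decrypt(wrapped_key, body) == message and body != message
```

The object key is the only thing that ever passes through the asymmetric transformation, which is why the slow operation stays cheap no matter how large the object is.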
------------------------------
From: [EMAIL PROTECTED] (Frank Wilde)
Subject: Re: Need of very simple algorithms?
Date: 17 Jan 2001 21:31:47 GMT
In article <93q3f5$cri$[EMAIL PROTECTED]>,
r.e.s. <[EMAIL PROTECTED]> wrote:
> [...] However, http://www.counterpane.com/solitaire.html
> also implies (incorrectly) that Solitaire is reversible,
> so I think there's room for doubt.
Quite obviously, "reversible" refers to going from a given
permutation of the deck to the next one being as easy to do
as going in the opposite direction. As all of the deck-permuting
operations 1-4 are reversible, so is their composition.
This being the case, you have an effective (and affordably
efficient) means to compute the "inverse" element of
the permutation group S(54), which I'd assume the composite
operator is supposed to cover completely. (Didn't try
to prove that, though. Any takers?)
> [...] Maybe some embarrassing flaws have been found?
The hopeful assumption being keystream-sequences obtained
from the sequence of permutations not being predictable
from known (or assumed) prefixes, in other words, any
(still) possible continuation being equally likely.
To be on the safe side, you should avoid letting your message-string's
information-theoretic content exceed some reasonable proportion of
the keyspace, which is 54!, in other words: 232.7 bit, or 49.5
characters from a 26-letter alphabet.
Ciao,
Perle
--
____ Frank Wilde | [EMAIL PROTECTED] | +49 30 3454141
/ +-.\ Spelling errors are covert channels
| |-' | PLEASE TELL ME IF YOU RECORD MY EMAIL ADDRESS SO I CAN FORWARD CHANGES
\_|__/ Subject: Please inform <your address>
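An added implementation, not from the post, from Counterpane, or from Schneier's reference code, of Solitaire's four deck-permuting steps and the output step, checked against the published null-key test vector (plaintext AAAAAAAAAA, unkeyed deck, keystream 4 49 10 24 8 51 44 6 4 33, ciphertext EXKYIZSGEH). It carries an explicit inverse for the count cut and a check that the triple cut undoes itself, and it also runs the check behind the doubt r.e.s. quotes: with the published wrap-around rule, a joker that starts on top and one that starts at the bottom both land in position 1, so the joker moves on their own are not one-to-one. Card numbering (1..52, jokers 53 and 54) and the unkeyed deck follow the published rules.

```python
JOKER_A, JOKER_B = 53, 54          # Solitaire's two jokers; ordinary cards are 1..52
UNKEYED_DECK = list(range(1, 55))  # the "null key" ordering of the published test vector


def move_joker(deck, joker, steps):
    """Steps 1 and 2: move a joker `steps` cards down. A joker that would pass
    the bottom re-enters just below the top card, as the published rules say."""
    deck = list(deck)
    i = deck.index(joker)
    del deck[i]
    deck.insert((i + steps - 1) % 53 + 1, joker)
    return deck


def triple_cut(deck):
    """Step 3: swap the cards above the first joker with those below the second.
    Applying it twice restores the deck, so it is its own inverse."""
    a, b = deck.index(JOKER_A), deck.index(JOKER_B)
    lo, hi = min(a, b), max(a, b)
    return deck[hi + 1:] + deck[lo:hi + 1] + deck[:lo]


def count_cut(deck):
    """Step 4: cut as many cards from the top as the bottom card's value
    (jokers count 53) and place them just above the bottom card."""
    n = min(deck[-1], 53)
    return deck[n:-1] + deck[:n] + deck[-1:]


def count_cut_inverse(deck):
    """Undo step 4: the bottom card never moves, so the cut size is still known."""
    n = min(deck[-1], 53)
    return deck[53 - n:-1] + deck[:53 - n] + deck[-1:]


def solitaire_keystream(deck, count):
    """Repeat steps 1-5, discarding any round whose output card is a joker."""
    deck = list(deck)
    out = []
    while len(out) < count:
        deck = move_joker(deck, JOKER_A, 1)
        deck = move_joker(deck, JOKER_B, 2)
        deck = triple_cut(deck)
        deck = count_cut(deck)
        card = deck[min(deck[0], 53)]      # step 5: count down by the top card's value
        if card not in (JOKER_A, JOKER_B):
            out.append(card)
    return out


def solitaire_encrypt(text, deck):
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    ks = solitaire_keystream(deck, len(letters))
    return "".join(chr((ord(p) - 65 + k) % 26 + 65) for p, k in zip(letters, ks))


def solitaire_decrypt(text, deck):
    ks = solitaire_keystream(deck, len(text))
    return "".join(chr((ord(c) - 65 - k) % 26 + 65) for c, k in zip(text, ks))


def joker_move_collides():
    """Two different decks that step 1 maps to the same deck: the wrap-around
    rule sends a top joker and a bottom joker to the same position."""
    rest = [c for c in UNKEYED_DECK if c != JOKER_A]   # constructed 53-card ordering
    joker_on_top, joker_at_bottom = [JOKER_A] + rest, rest + [JOKER_A]
    return move_joker(joker_on_top, JOKER_A, 1) == move_joker(joker_at_bottom, JOKER_A, 1)
```

The cut steps invert cleanly from the deck alone; the joker moves are the steps to examine before relying on a "go backwards as easily as forwards" argument.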
------------------------------
From: "David C. Barber" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Wed, 17 Jan 2001 15:19:27 -0700
"Kristopher Johnson" <[EMAIL PROTECTED]> wrote in
message news:oJl96.4$[EMAIL PROTECTED]...
> Office 2000 already has something like this built in. When we installed it
> from the CD-ROM, the first time it ran it asked for registration
> information, which we supplied and which it (I assume) then sent to
> Microsoft via the Internet.
>
> We then installed it on a second computer, using the same CD. When it first
> ran, we gave registration info and it responded with a message box saying
> "This software is already installed on another computer." Office will run a
> certain number of times (about 50, I think), and after that point it will
> not run. The message box does provide a phone number you can call to get
> someone to fix the problem.
>
> BTW, we have an enterprise-wide license for Office 2000, so we weren't
> trying to break any laws here. And eventually we got our enterprise license
> key to work. But it was annoying.
Is the Enterprise License key the same for all machines installed from that
single install CD? Or do you still have to track a specific activation
number for each machine?
I'm trying to decide if this new scheme is just more trouble than it's
worth.
*David Barber*
------------------------------
From: zapzing <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Wed, 17 Jan 2001 22:20:44 GMT
Yup. and I have the right to say it
stinks. And warn other people about
it.
In article <oJl96.4$[EMAIL PROTECTED]>,
"Kristopher Johnson" <[EMAIL PROTECTED]> wrote:
> Office 2000 already has something like this built in. When we installed it
> from the CD-ROM, the first time it ran it asked for registration
> information, which we supplied and which it (I assume) then sent to
> Microsoft via the Internet.
>
> We then installed it on a second computer, using the same CD. When it first
> ran, we gave registration info and it responded with a message box saying
> "This software is already installed on another computer." Office will run a
> certain number of times (about 50, I think), and after that point it will
> not run. The message box does provide a phone number you can call to get
> someone to fix the problem.
>
> BTW, we have an enterprise-wide license for Office 2000, so we weren't
> trying to break any laws here. And eventually we got our enterprise license
> key to work. But it was annoying.
>
> My opinion on this is that software companies have a right to put annoying
> features in their software. And the rest of us have the right to stop using
> annoying software.
>
> -- Kris
>
> "zapzing" <[EMAIL PROTECTED]> wrote in message
> news:944nvc$9t9$[EMAIL PROTECTED]...
> > Upcoming versions of windows may have, I
> > read, something called "product activation".
> > This means that you must call up microsoft
> > so that the OS can have permission to run.
> > I have a few questions about this. First of
> > all, under what conditions will MS
> > *refuse* to activate the product. It seems
> > to me that if they never refuse activation,
> > then putting in product activation code is
> > pretty useless. And if they do, they may
> > deny legitimate users who reconfigure their
> > systems frequently.
>
>
--
Void where prohibited by law.
Sent via Deja.com
http://www.deja.com/
------------------------------
From: JCA <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Wed, 17 Jan 2001 14:20:55 -0800
This is yet another reason to stop using
MS products.
zapzing wrote:
> Upcoming versions of windows may have, I
> read, something called "product activation".
> This means that you must call up microsoft
> so that the OS can have permission to run.
> I have a few questions about this. First of
> all, under what conditions will MS
> *refuse* to activate the product. It seems
> to me that if they never refuse activation,
> then putting in product activation code is
> pretty useless. And if they do, they may
> deny legitimate users who reconfigure their
> systems frequently.
>
> Also, what about the possibility of a major
> computer virus that requires many machines
> to restore. This would of course require
> that the OS be reactivated, but in that case
> the product reactivation lines could be
> jammed. This would make me think about it
> very carefully before I bought an OS that
> included product reactivation code.
>
> I understand MS's desire to protect their
> intellectual property, but please try to think
> of something that will not cause the collapse
> of civilization.
>
> --
> Void where prohibited by law.
>
> Sent via Deja.com
> http://www.deja.com/
------------------------------
Crossposted-To:
alt.security,alt.security.espionage,comp.os.linux.security,comp.security.firewalls,comp.security.unix,comp.security.misc,alt.hacking,misc.legal.computing,alt.2600
Subject: Full text to the book ``Underground'' released
From: Julian Assange <[EMAIL PROTECTED]>
Date: 18 Jan 2001 10:08:52 +1100
I'm very pleased to announce that thanks to Random House, Suelette
Dreyfus and myself the complete and unabridged electronic text to our
famed computer crime book ``Underground'' (approx 500 pp.) has been
publicly released.
+----------------+-------------------------+--------------+
| Format         | Name                    | Size (bytes) |
|----------------+-------------------------+--------------|
| Text           | underground.txt         |       979993 |
| Text, ZIP      | underground.zip         |       357915 |
| Text, GZIP     | underground.txt.gz      |       355953 |
| Text, BZIP2    | underground.txt.bz2     |       265014 |
| Palm Basic Doc | underground.pdb         |       519140 |
| Palm Teal Doc  | underground-tealdoc.pdb |       520661 |
+----------------+-------------------------+--------------+
The Palm formatted files will allow you to read the book on
a Palm Pilot and various other handheld machines.
See http://www.underground-book.com/download.php3
Feel free to forward this message.
Julian.
--
Julian Assange |If you want to build a ship, don't drum up people
|together to collect wood or assign them tasks and
[EMAIL PROTECTED] |work, but rather teach them to long for the endless
[EMAIL PROTECTED] |immensity of the sea. -- Antoine de Saint Exupery
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Crossposted-To: sci.math,comp.theory
Subject: Re: A Small Challnge
Date: Thu, 18 Jan 2001 00:01:37 GMT
Mok-Kong Shen wrote:
[snip]
> (2) Are you sure that some practically useful D and E[i] and
> E[j] with E[i]!=E[j] could satisfy your following requirement
> for arbitrary m in a sufficiently large set?
>
> D(E[i](m)) = D(E[j](m)) = m
Here's an idea. RSA encryption works like the following:
a = ciphertext, b = plaintext (or vice versa)
e = encryption exponent, d = decryption exponent (or vice versa)
pq = product of two primes, p and q, which are the private key
a = b ^ e % pq
b = a ^ d % pq
1 = de % lcm(p-1,q-1)
Normally, d and e are generated once, and d is part of the private key.
After this, p and q are no longer needed separately, and may be
discarded.
What if, instead we used p, q (separately) as our private key, and
published just pq as our public key. To encrypt, the sender generates a
random e, and sends it along with the message. To decrypt, the
recipient calculates the corresponding d to that e.
To make sure that e has no factors in common with lcm(p-1,q-1), the
sender generates it to be a prime number with over half as many bits as
pq.
--
Most scientific innovations do not begin with "Eureka!" They begin with
"That's odd. I wonder why that happened?"
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: multiple anagramming?
Date: Thu, 18 Jan 2001 00:01:40 GMT
Shawn Willden wrote:
>
> Mok-Kong Shen wrote:
>
> > Richard Heathfield wrote:
>
> > > You are in a shopping mall. You ask a random stranger if he
> > > happens to know the way to the park. He gives you firm and clear
> > > directions to the library. Wouldn't you be at least a little
> > > disgruntled?
> >
> > Analogy is o.k. but it must be a correct one. John Savard
> > gave the title of a book that treats the topic Mr. Goldberg
> > needed to know, while in your analogy the park has nothing to
> > do with the library (unless the library is next to the
> > park, of course).
>
> Better analogy: give him directions to the gas station, where he can
> buy a map that will show the location of the park. :-)
Some better analogies:
You ask for directions to the local library. You get firm and clear
directions to a bookstore ten miles out of town.
Or you ask for directions to a public park, and are directed to a
landscaping firm who will be happy to make your backyard into a park.
Or you ask if there's a water fountain nearby, and are given firm and clear
directions to a store five miles away which sells bottled water.
--
Most scientific innovations do not begin with "Eureka!" They begin with
"That's odd. I wonder why that happened?"
------------------------------
From: Wei Dai <[EMAIL PROTECTED]>
Subject: Re: Comparison of ECDLP vs. DLP
Date: Wed, 17 Jan 2001 16:47:27 -0800
In article <[EMAIL PROTECTED]>, djohn37050@aol.com says...
> Another note, PKV is the COMPLEMENT of POP, proof of possession. Doing both
> provides high levels of assurance.
That's only true in DL or EC systems. In RSA, there is only POP, and no
PKV. So one could say RSA is simpler because you only need to do one of
these tests.
> Also, while PKV is used to detect keys that might attack your private key when
> used in DH, there are many other potential concerns with an invalid public key.
> If using an invalid key, the encryption may not be invertible and hence not
> able to be recovered by anyone or it may be invertible by anyone and hence
> recoverable by anyone.
But my point is that even if you have a valid public key, the
encryption may still not be invertible or may be invertible by anyone.
So the main purpose of PKV must be to detect keys that might attack
your private key. This does not apply in the case of RSA. If you want
to make sure that the encryption is invertible by the owner you must do
POP. This is the same between EC and RSA. If you want to make sure no
one else can invert the encryption, you must check the entire
cryptosystem for errors or back doors. This is also the same.
> And here is a crucial point, if a public key is
> invalid, EVEN IF A SIGNATURE VERIFIES, the signature should be considered
> invalid. This is because the game is not being played in the intended sandbox
> and hence all bets are off.
I don't agree with you here. It should be the key owner's
responsibility to make sure his published key is valid. Why should
everyone do extra work to validate his key when he can just do it once?
Anyway, with RSA there is no way for other people to validate his
public key, so under your definition no RSA signature can be
independently verified. Surely that's not what you want.
--
http://cryptopp.com - free C++ cryptography and compression library
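An added example, not from Wei Dai's post and not Crypto++ code, of the public key validation (PKV) the thread contrasts with RSA: a Diffie-Hellman public key is accepted only if it lies strictly between 1 and p-1 and sits inside the prime-order subgroup, and a second helper enumerates every shared secret a given peer key can yield, which makes concrete why a low-order key is the case PKV exists to reject before it touches your private exponent. The 23-element group (p = 2q+1, q = 11, g = 4) is a constructed toy so the enumeration fits on a page; production groups are 2048-bit and larger MODP groups, and the same check applies unchanged.

```python
# Toy DH group, constructed for this example: p = 2q + 1 with q prime and
# g generating the subgroup of order q.
P, Q, G = 23, 11, 4


def validate_dh_public_key(y, p=P, q=Q):
    """PKV for a DL-system public key: in range, not a trivial element, and in
    the prime-order subgroup (y^q = 1 mod p). Keys failing this can confine the
    shared secret to a tiny set and so leak information about the private exponent."""
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def shared_secret_values(y, p=P):
    """Every shared secret y^x mod p a peer key y can produce over all private
    exponents x; a low-order y gives only a handful of values."""
    return {pow(y, x, p) for x in range(1, p - 1)}


def classify_peer_keys(candidates=(1, P - 1, 5, pow(G, 7, P)), p=P, q=Q):
    """Constructed sample of offered keys -> (accepted?, number of secrets possible)."""
    return {y: (validate_dh_public_key(y, p, q), len(shared_secret_values(y, p)))
            for y in candidates}
```

In the sample, p-1 is rejected and can only ever produce two distinct secrets, 5 is rejected because it lies outside the order-q subgroup, and g^7 passes and ranges over the full subgroup. RSA has no analogue of this test, which is the asymmetry the post points out: there, only proof of possession (POP) is available.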
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: A Small Challnge
Date: Wed, 17 Jan 2001 17:25:17 -0800
Crossposted-To: sci.math,comp.theory
> What if, instead we used p, q (seperately) as our private key, and
> published just pq as our public key. To encrypt, the sender generates a
> random e, and sends e it along with the message. To decrypt, the
> recipient calculates the corresponding d to that e.
>
> To make sure that e has no factors in common with lcm(p-1,q-1), the
> sender generates it to be a prime number with over half as many bits as
> pq.
That would work, but decryption will become even more expensive than before.
There are additional constraints that are needed. You assume that |p| = |q|
when the actual matter is |p| = |q| + k where -10% <= k <= +10%. Instead
what needs to be done is to make p and q of the form p=2p' + 1 where p' is
prime. Then you publish a maximum value of p', say p and q are nominally
512-bits, publish a minimum value of p' of 2^400. This will result in a very
large range of e's and be semi-functional (any e <= 2^400 would be valid).
However both encryption and decryption remain expensive, the encryptor has
it easy by only having to generate a number less than 2^400, which is
generally rather inexpensive, however the decryptor has to invert the
received public value, which becomes quite expensive. Additionally the
decryptor opens himself up to adaptive chosen e attacks, which may become an
issue. It's also worth noting that in general this is no stronger than RSA
for realistic attacks (RSA is obviously weaker against someone computing a
complete mapping of {plaintext, ciphertext} however for 1024-bit keys, that
takes 2^1000+ bits which is safe to assume are not available to anyone). In
all I think it's a good thought experiment, and may fit nicely for some
purpose, but I don't think it's functional for much of any use.
Joe
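An added, runnable sketch, written for this digest and not Goldberg's or Ashwood's code, of the variant the two posts above discuss: the private key is (p, q) itself, the public key is n alone, the sender picks a fresh prime e with more than half as many bits as n for every message, and the recipient derives d = e^-1 mod lcm(p-1, q-1) per message, which is the inversion cost Ashwood's reply points to. Miller-Rabin, the 256-bit demo modulus and the seeded RNG are demo choices (the seed is for reproducibility, not for real key generation); p and q of equal bit length are assumed, which is exactly what makes a prime e of that size unable to divide p-1 or q-1.

```python
import math
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test (probabilistic, demo quality, not constant-time)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits, rng):
    """Private key is (p, q) themselves; the public key is just n = pq."""
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:
        q = random_prime(bits // 2, rng)
    return (p, q), p * q


def encrypt(n, m, rng):
    """Sender: fresh prime e longer than half of n, sent along with m^e mod n."""
    e = random_prime(n.bit_length() // 2 + 1, rng)
    return e, pow(m, e, n)


def decrypt(private_key, e, c):
    """Recipient: derive d for this message's e from (p, q); refuse any e that
    shares a factor with lcm(p-1, q-1), since no d exists for it."""
    p, q = private_key
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if math.gcd(e, lam) != 1:
        raise ValueError("e is not invertible modulo lcm(p-1, q-1)")
    d = pow(e, -1, lam)                      # the per-message inversion (Python 3.8+)
    return pow(c, d, p * q)


def round_trip(bits=256, seed=17):
    """(message recovered?, e longer than half of n?) for one constructed message."""
    rng = random.Random(seed)                # seeded for reproducibility only
    private_key, n = keygen(bits, rng)
    m = 0x123456789ABCDEF                    # constructed sample plaintext, m < n
    e, c = encrypt(n, m, rng)
    return decrypt(private_key, e, c) == m, e.bit_length() > n.bit_length() // 2


def demo_rejects_even_exponent(bits=256, seed=17):
    """True when decrypt refuses e = 2, which always shares the factor 2 with lambda."""
    private_key, _ = keygen(bits, random.Random(seed))
    try:
        decrypt(private_key, 2, 1)
    except ValueError:
        return True
    return False
```

Note that the expensive step moves to the recipient and is repeated for every message, and that the gcd check is what stands between an attacker-chosen e and an undefined d; both are the points raised in the reply.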
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************