Cryptography-Digest Digest #528, Volume #13      Tue, 23 Jan 01 05:13:01 EST

Contents:
  Re: Why Microsoft's Product Activation Stinks (Anthony Stephen Szopa)
  Re: cryptographic tourism in Russia ("Vladimir Katalov")
  Re: Easy question for you guys... (Anders Thulin)
  another Microsoft lawsuit on the horizon (Matthew Montchalin)
  Re: Dynamic Transposition Revisited (long) (Terry Ritter)
  Re: Dynamic Transposition Revisited (long) (Terry Ritter)
  Re: collisions risks of applying MD5 or SHA1 to a 48-bit input (Serge Paccalin)
  Re: Some help please (Jim Gillogly)
  Re: Some help please ("Douglas A. Gwyn")
  Re: Easy question for you guys... (Anders Andersson)
  Re: Some help please ("Jakob Jonsson")

----------------------------------------------------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Mon, 22 Jan 2001 23:30:18 -0800

Richard Heathfield wrote:
> 
> Anthony Stephen Szopa wrote:
> >
> <snip over 200 lines>
> >
> > So that's all I have to say for a while.
> 
> Is that a promise?


Here is a guy who spits on the souls of anyone for no damned reason.

I told you that I am the inventor that will save people tens or 
hundreds of billions of dollars in lost revenue and you verbally 
shit on me with your sarcasm.

Did you develop an anti-piracy computer software module that will
prevent perhaps half at a minimum of the illegal copying of 
computer software in the world?  Do you know how important a
contribution this is?

I can prove that I did this.  And if I eventually do prove it 
publicly everyone will know you are a fool.  But most importantly 
you will know.  I think you probably already know you are a fool.

I am certainly one of a very very few and perhaps the only person in 
the world who can prove that they did it before MS.  I am not going 
to divulge my thought processes here or my plans or my actions 
regarding the implications of this situation at this time, as I have
said.  I am actively pursuing my interests.

I think I read that there is about $50 billion dollars worth of 
computer software piracy going on every year.

You must be a real high achiever to top this.  Tell your friends 
what a proud soul you are and give them the example you posted here 
and explain to them why you are the one to be so sarcastic.  What 
are your qualifications?

I would tell them that you are a high risk gambler and that they 
should stay as far away from you as possible.  You just can't 
believe that I did what I say I did, can you?  You think you can 
make the jump and take the leap to ridicule me.  You have no proof 
that I am lying.  Yet you risk your reputation.  As I said, you have
poor judgment although you have calculated that you are on solid 
ground.  Quicksand, yes.  You are in quicksand and there will be no 
one to come to your aid.  Just wait and see.

If and when the proof comes out I hope someone brings it to your
attention.

I was waiting for a worm to show their slime.  You finally showed up.

What is a fool?  A fool is a person who plays an Eric Clapton song 
on their own guitar.  He plays the song perhaps even as good as Eric
Clapton.  And then he thinks he is as great an artist as Eric 
Clapton.

You are an even greater fool than this because you would play the 
air guitar while listening to Eric Clapton and really believe you 
are as great a musician and artist as Eric Clapton.

Can you feel your heart literally shrinking?  You will.

Thanks a lot.

AS


Gee, you didn't get any more significant information from me about 
my claim?  

Too bad.

------------------------------

From: "Vladimir Katalov" <[EMAIL PROTECTED]>
Subject: Re: cryptographic tourism in Russia
Date: Tue, 23 Jan 2001 10:54:23 +0300


Eric Lee Green wrote in message ...
>Hmm... a point there, given that the government there is now run by a
>former intelligence officer and that they've a nasty habit of
>imprisoning Americans that they think are nosing around in the wrong
>place...
>
>A friend of a friend spends time in Russia from time to time (he
>supposedly is a school teacher, but has this strange habit of turning
>up wherever things are heating up... e.g. Colombia during the worst of
>the drug wars, Poland when Solidarity kicked out the Communist
>government, Russia during the failed coup, ...). The stories I hear
>are pretty bad -- things apparently got pretty lawless for a while,
>the old government had virtually collapsed into meaninglessness, and
>the new government apparently is overreacting by attempting to clamp
>down harshly on all the lawlessness. I'm not sure I'd be adventurous
>enough to plan a trip to Russia right now.

Exactly. A trip to Russia might be really dangerous nowadays... I don't
want to scare you, but the situation here looks very similar to Chicago
in the 30's.

St Petersburg is a bit better (more safe) than Moscow. You will not find any
crypto-related stuff there (except the office of our company :), but there
are a lot of other interesting places to see.

--
Sincerely yours,
  Vladimir

Vladimir Katalov
Managing Director
Elcom Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:[EMAIL PROTECTED]
http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/ems.html (Email Management Software)
http://www.elcomsoft.com/prs.html (Password Recovery Software)




------------------------------

From: Anders Thulin <[EMAIL PROTECTED]>
Subject: Re: Easy question for you guys...
Date: Tue, 23 Jan 2001 07:59:52 GMT

CoyoteRed wrote:
 
> I want to take four 8 bit numbers and create an number that can't be
> converted back by an amateur. Resolution can be 12 - 16 bits.

  Amateur?  As someone said, amateurs run faster than anyone else.
I suspect you mean that the method cannot easily be discovered.

  But you don't say what kind of input the presumptive breaker has
to work with: one single number, 10, or all 50? And you don't say
what other related information he has access to, either, for this
task of breakage.  For instance, why can't he just ask everyone on
the bulletin board to send him their IP addresses? If that works, no
algorithm break will be required.

  And is it considered a break to discover only one IP-to-ID 
match, or does it have to be more? 10? or no break until all of them
have been discovered?

  You also seem to assume that all posters will have static and 
unchanging IP addresses. Have you verified that that assumption
is correct? And will remain so for the foreseeable future?
No DHCP serving involved? No proxies or other address translation
schemes involved? No poster using another system for a while?

  And are the posters satisfied by being numbers? They won't prefer
something less difficult to recall?

  I think you risk deciding an implementation before you have
ironed out the basic design issues.

> Here is what I'm trying to do. I want to take an IP number and give it
> a not-so unique number. The number of IP's to be converted range maybe
> in the 10-50 range, so I think that should be sufficient.

  If there are no more than that, assign the ID numbers 1..50 to the
IP numbers on a  first come first served basis. Keep that translation
table a secret -- that is, ensure your computer can't be broken into,
and that the postings don't mention IP numbers, personal names, or whatever
that can be used to recreate the table. 

  Or use N random numbers from any reliable source of such numbers,
if you feel easier about that. It may make it less obvious to an
'amateur' that table lookup is involved. 

  Both the IP-to-id number translation and the reverse is easily done
by table lookup.

>Here's the kicker, I want to use simple math that is available in
>Perl, in the fewest lines possible, and be easy enough to understand
>that almost anyone can follow the math. 

  Table lookup is as easy as it gets.  But since you seem to be more
concerned about 'fewest line of code' than actual functionality, I'm
dropping out. I'm beginning to suspect this is a class assignment, and
you worry about not being able to explain it satisfactorily. 

-- 
Anders Thulin     [EMAIL PROTECTED]     040-10 50 63
Telia ProSoft AB, Box 85, SE-201 20 Malmö, Sweden

------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: or.politics,talk.politics.crypto,misc.legal,us.legal
Subject: another Microsoft lawsuit on the horizon
Date: Tue, 23 Jan 2001 00:02:43 -0800

On Mon, 22 Jan 2001, Anthony Stephen Szopa wrote:
|I am certainly one of a very very few and perhaps the only
|person in the world who can prove that they did it before MS.

Okay.

|I am not going to divulge my thought processes here or my plans
|or my actions regarding the implications of this situation at
|this time, as I have said.

Everything may come out in the wash.  (Ahem, that means at the
pre-trial hearings that are concerned with 'discovery.')  But some
states allow for preservation of trade secrets.  You should
talk to your atty about the desirability of issuing gag orders,
and then discuss the matter of sanctions for those observers
(paralegals, newspaper reporters, &c.) who violate the gag orders.

I think there was a recent article in the Oregon Law Review a 
few months ago about this in Oregon courts, and how the open
courts clause of the Oregon constitution, combined with the
provision guaranteeing freedom of expression, makes it very
difficult for courts to respect trade secrets.  (I ought to read
that article over again, but don't know where I put it down....
it's here somewhere.  If I find it, I'll pass the citation on to
you so that you can read it.)


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Dynamic Transposition Revisited (long)
Date: Tue, 23 Jan 2001 08:20:25 GMT


On Tue, 23 Jan 2001 06:54:04 GMT, in
<gU9b6.849$[EMAIL PROTECTED]>, in sci.crypt "Matt
Timmermans" <[EMAIL PROTECTED]> wrote:

>"Terry Ritter" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Essentially the problem is one of ambiguity: the idea that Kahn is
>> talking about a real, practical OTP, when in fact he can only be
>> talking about the theoretical OTP.  For example, he starts out saying:
>
>Real practical OTP's do exist, and have been used to good effect.  It's not
>that hard to generate effective keying material -- you could use dice or
>radioactive decay, for example.  Getting the key to the intended recipient
>of messages is a problem, but it's almost the same problem you have with
>regular symmetric ciphers.  The only differences here are that the key is
>big, and it doesn't last forever.  If you can meet someone personally every
>month or so and exchange CDRs, and if you have a sound card, you can
>have your regular communications protected by a perfectly viable, practical,
>and provably secure OTP.
>
>The problem newbies have understanding OTP is not in assuming that it's
>provably secure (because it is), 

No, it is not, at least not when used in practice.  Normally, only the
theoretical model of an OTP can be proven secure.  


>but in mistaking keyed PRNG output for an
>actual random message key.  The newbie cryptographer likes the idea of
>provable security, but hates those nasty key requirements, so he invents a
>marvelous new version of "OTP" that is practical because only a short key is
>required, and the long message key can be generated from this seed. Pretty
>much all of the cryptosystems that pop up here claiming to be OTP are not --
>OTP is well defined, and it requires a _random_ key as long as all of the
>messages you're ever going to send with it, and it requires that no part of
>that key ever be divulged or reused.
>
>Oh well, newbies invent broken stuff all the time, but it certainly _is_
>possible to make real one-time pads in practice, so the provable security of
>OTP does not apply to theoretical systems only.  

The provable security of the OTP *does* apply to theoretical systems
only.

Assume the supposedly "random" pad you have is in fact predictable.
Surely you will not argue that an "OTP" with a completely predictable
sequence is secure.  But wait!  Isn't the OTP *proven* secure?

For proven OTP security it is not sufficient simply to use the
sequence only once.  It is *also* necessary for the sequence to be
"random," or more explicitly, "unpredictable."  

The problem with this requirement is that we cannot measure an
arbitrary sequence and thus know how unpredictable it is.  Nor can we
assemble all sorts of measurements of radioactive events or other
random sources with the guaranteed assurance of unpredictability that
proof requires.  That does not mean that most sequences we develop
will not be very strong, what it means is that we cannot prove it.  

No practical OTP can be proven secure unless the sequence it uses can
be proven to be unpredictable, and that is generally impossible.  


>And any "OTP" that
>satisfies the definition of the term is, in fact, provably secure.  

Now we are getting into the worst sort of circular definition:  If we
try to build an OTP, we are expecting to in fact get an OTP.  If later
we find that our information has been extracted from the cipher -- if
we find it was not, after all, "provably secure" -- it is a bit cute
to be told: "Oh, I guess it must not have been a real OTP after all."
If we cannot tell whether or not a system is an OTP before it is found
weak, there is no point in having the concept of OTP.  


>OTP is
>also the simplest provably secure cipher we can have until we prove that
>P!=NP, unless you're prepared to define polynomial-time lower bounds for
>known-plaintext attacks as "security".

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Dynamic Transposition Revisited (long)
Date: Tue, 23 Jan 2001 08:30:01 GMT


On Mon, 22 Jan 2001 21:26:33 -0800, in
<[EMAIL PROTECTED]>, in sci.crypt "John A. Malley"
<[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>[snip]
>> 
>> Every possible permutation can be constructed with approximately equal
>> probability provided only that we have enough state in the RNG, and in
>> practice we can easily build efficient RNG's with that property.
>> 
>> What we cannot do is construct any possible sequence of permutations.
>
>This may be a good place to continue the cryptanalysis of the strength
>of the DT cipher.  A PRNG with N! states to make every permutation of
>the bits in an N bit block can only generate some of the possible
>sequences of permutations.  There are (N!)! possible sequences of
>permutations.  

There are (N!)**S possible sequences of permutations, of sequence
length S.  


>AFAIK it's safe to say the PRNG generates N! sequences
>(assuming the set of seed values is equal to the set of possible outputs
>of the PRNG, both sets are of order N!.) Only N!/ (N!)! of the sequences
>can ever be seen.

??


>There *may* be exploitable relationships between successive permutations
>due to this, but I can't point to any yet, just a hunch. Permutations
>with certain characteristics may always follow others with other
>characteristics - or perhaps permutations with certain characteristics
>can never follow permutations with other characteristics. Look for
>dependencies between successive permutations that hold without knowing
>the exact permutations involved. 

As I see it, the issue is not so much that there are no exploitable
relationships (although I certainly would not expect anything easy
from a well-engineered RNG), as it is that one cannot sense those
relationships from the ciphertext results.

The transformation from plaintext to ciphertext is just one
bit-permutation.  But when we have bit-balanced plaintext, many
different bit-permutations will produce the exact same ciphertext.  

Furthermore, the permutation is not re-used; we don't have the
opportunity to inject data changes and see where they end up.  We
don't have any ability to know what any particular permutation
actually is.  


>How about a permutation's cycle decomposition - its type? (If
>permutation pi() has a_i cycles of length i , where 1 <= i <= N , then
>the type of permutation pi() is the partition [1^a_1, 2^a_2, 3^a_3, ...
>N^a_N] of N.)  

Yes, yes, yes, but you can't see the permutation itself, only the
result, which is the ciphertext.  No 1:1 relationship exists.
Known-plaintext and ciphertext does not expose the permutation.  


>I'd try to find any relationships between the cycle
>decompositions/types of the successive permutations produced by the PRNG
>output fed through the shuffling algorithm. I'd look for a way to
>predict the cycle decomposition/type of the next permutation generated
>given the current permutation's cycle decomposition/type - and I'd look
>for any "forbidden" transitions - is it impossible (due to the nature of
>the shuffling algorithm and the PRNG) for permutations of certain cyclic
>decompositions/type to be followed by permutations of some other cyclic
>decomposition/type. 

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


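The exchange above argues two things about Dynamic Transposition: that the
number of possible permutation sequences is (N!)**S rather than (N!)!, and
that a known plaintext/ciphertext pair does not expose the permutation,
because on a bit-balanced block many permutations yield the same ciphertext.
The following is an added example, not code from Ritter's or Malley's posts:
a toy DT step with an 8-bit block, a Fisher-Yates shuffle driven by Python's
seeded `random` module (standing in for the cipher's RNG), and a count of how
many permutations are consistent with one observed pair. The block size, the
PRNG and the sample block are all constructed for the demo.

```python
# Added example, not from Ritter's or Malley's posts: a toy Dynamic
# Transposition step and a count of how many permutations are consistent
# with one known (plaintext, ciphertext) pair.  Block size N, the PRNG
# (Python's random, seeded) and the sample blocks are constructed for the
# demo; nothing here reproduces the DT cipher's real RNG or block size.
import itertools
import math
import random
from typing import List, Sequence

N = 8  # toy block size; a real DT block is far larger


def shuffle_perm(rng: random.Random, n: int) -> List[int]:
    """Fisher-Yates shuffle driven by rng.  With enough RNG state every one
    of the n! permutations is reachable with (about) equal probability."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = rng.randrange(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def permute_bits(block: Sequence[int], perm: Sequence[int]) -> List[int]:
    """Ciphertext bit i is plaintext bit perm[i]."""
    return [block[perm[i]] for i in range(len(perm))]


def is_balanced(block: Sequence[int]) -> bool:
    """Bit-balanced: exactly half the bits are ones."""
    return 2 * sum(block) == len(block)


def consistent_perms(plain: Sequence[int], cipher: Sequence[int]) -> int:
    """Exhaustively count permutations p with permute_bits(plain, p) == cipher.
    Feasible only for toy N; it exists to check the closed form below."""
    target = list(cipher)
    return sum(1 for p in itertools.permutations(range(len(plain)))
               if permute_bits(plain, p) == target)


def consistent_count(block: Sequence[int]) -> int:
    """Closed form: the ones may land on the ciphertext's one-positions in
    any order, and likewise the zeros, so ones! * zeros! permutations give
    the same ciphertext.  For a balanced N-bit block that is ((N/2)!)**2."""
    ones = sum(block)
    return math.factorial(ones) * math.factorial(len(block) - ones)


def sequence_count(n: int, s: int) -> int:
    """Ritter's correction: (N!)**S possible sequences of S permutations."""
    return math.factorial(n) ** s


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)
    plain = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed balanced block
    perm = shuffle_perm(rng, N)               # used once, then discarded
    cipher = permute_bits(plain, perm)
    assert is_balanced(plain) and is_balanced(cipher)
    return {
        "perm": perm,
        "cipher": cipher,
        "consistent_brute": consistent_perms(plain, cipher),
        "consistent_closed": consistent_count(plain),
        "total_perms": math.factorial(N),
        # bits of the permutation a single known-plaintext pair leaves
        # undetermined at a more realistic block size
        "undetermined_bits_N4096": math.log2(consistent_count([1, 0] * 2048)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

For N = 8 a balanced pair leaves 4! * 4! = 576 of the 40320 permutations
consistent with it; at N = 4096 the closed form gives roughly 39,000 bits of
permutation that one known pair says nothing about, and since each
permutation is used once, no second pair under the same permutation is ever
available to narrow it down.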
------------------------------

From: Serge Paccalin <[EMAIL PROTECTED]>
Subject: Re: collisions risks of applying MD5 or SHA1 to a 48-bit input
Date: Tue, 23 Jan 2001 09:36:44 +0100

On Tue, 23 Jan 2001 05:18:08 GMT,
[EMAIL PROTECTED] wrote
in sci.crypt...

> Hi all,
> 
> I would appreciate help in the following matter: we need to differentiate
> some entities based on a 48-bit value but are not very happy with storing
> the
> value itself. Would MD5 or SHA1 be recommended given the input is so short?
> I have strong doubts (including the possibilities of calculating the hash
> table offline for all 2^48 values) but thought of bouncing the idea with
> better informed people. The hash would not be used for authentication
> purposes (or at least not alone).

Er, if you get identical 48-bit values for several entities, hashing 
those 48-bit values won't help, because the hashes will be identical 
too.

-- 
  ___________   
_/ _ \_`_`_`_)  Serge PACCALIN -- [EMAIL PROTECTED]
 \  \_L_)   The most elaborate hypothesis cannot
   -'(__)   replace the most rickety reality.
_/___(_)    -- San-Antonio (1921-2000)

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Some help please
Date: Tue, 23 Jan 2001 09:08:53 +0000

Todd Luther wrote:
> 
> I received this following msg, I believe it is using some simple
> monoalphabetic cipher, but I am lacking time and expertise to decrypt
> it....anyone have any ideas and if so can you please send me a reply as soon
> as possible to [EMAIL PROTECTED]
> 
> Thanks!
> 
> zyvikvzrklodsm  celcdsdedsyx

It is indeed monoalphabetic substitution.  Keep trying, and try
the easiest things you can think of first.
-- 
        Jim Gillogly
        Hevensday, 2 Solmath S.R. 2001, 09:06
        12.19.7.16.8, 7 Lamat 11 Muan, Fourth Lord of Night

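Gillogly's advice above is to try the easiest things first. The easiest
monoalphabetic substitution is a fixed shift of the alphabet, of which there
are only 26, so all of them can be tried and ranked by how English-like the
letter frequencies of each candidate look. The following is an added example,
not code from any post in the thread, run on the ciphertext Todd Luther posted;
the English letter-frequency table and the chi-squared ranking are this
example's own choices.

```python
# Added example, not from any post in the thread: Gillogly's advice to try
# the easiest things first, applied to the ciphertext Todd Luther posted.
# The simplest monoalphabetic substitution is a fixed alphabet shift, and
# there are only 26 of them, so try every shift and rank the candidates by
# how closely their letter frequencies match English.  The frequency table
# and the scoring are this example's own choices.
import string
from typing import List, Tuple

CIPHERTEXT = "zyvikvzrklodsm  celcdsdedsyx"

# Approximate relative frequencies of letters in English text (percent).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def shift_text(text: str, shift: int) -> str:
    """Shift every lowercase letter forward by `shift` places (mod 26);
    anything else, such as the spaces, is left alone."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Pearson chi-squared distance between the text's letter counts and the
    counts English would predict for a text of the same length; lower means
    more English-like."""
    letters = [ch for ch in text if ch in string.ascii_lowercase]
    n = len(letters)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def rank_shifts(ciphertext: str) -> List[Tuple[float, int, str]]:
    """All 26 candidate decryptions, best (lowest chi-squared) first."""
    candidates = []
    for shift in range(26):
        plain = shift_text(ciphertext, shift)
        candidates.append((chi_squared(plain), shift, plain))
    candidates.sort()
    return candidates


def solve(ciphertext: str) -> Tuple[int, str]:
    """Return (decryption shift, plaintext) for the best-ranked candidate."""
    _, shift, plain = rank_shifts(ciphertext)[0]
    return shift, plain


if __name__ == "__main__":
    for score, shift, plain in rank_shifts(CIPHERTEXT)[:3]:
        print(f"shift {shift:2d}  chi2 {score:7.1f}  {plain}")
```

Gwyn's caveat still holds in general: 26 letters is far too little text to
solve an arbitrary monoalphabetic substitution, and the frequency ranking
only works here because the keyspace being searched is 26 shifts, not 26!
alphabets. With a general substitution one would need more text or a guess
at the subject matter.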
------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Some help please
Date: Tue, 23 Jan 2001 09:13:53 GMT

Todd Luther wrote:
> zyvikvzrklodsm  celcdsdedsyx
  DECHOUDLORPING  ATRAINITINES

I hope that helps..

Seriously, there are too few characters to break this
unless it's a simple substitution, and with no idea of
the subject matter it might as well be the above...

------------------------------

Date: Tue, 23 Jan 2001 10:31:51 +0100
From: Anders Andersson <[EMAIL PROTECTED]>
Subject: Re: Easy question for you guys...

CR wrote:

> > I want to take four 8 bit numbers and create an number that can't be
> > converted back by an amateur. Resolution can be 12 - 16 bits.

Andrew wrote:

> You could obviously just use the first n bits of a SHA-1 hash. But even
> that will not prevent a brute-force attack which, with on 2^32 possible
> inputs, will not be difficult. The inputs aren't even random - there is
> not a full 32 bits of entropy in an IP address. Plus, collisions can be
> generated with fewer inputs that that even.
>
> - Andrew

Well, brute-forcing 2^32 can be slow, provided the computation itself is
slow. Hashes are usually designed to be fast, but if you are willing to
spend around 10 milliseconds on the computation, brute-searching the
keyspace will take the better part of a year on equivalent hardware.
(Compare the article on "key-stretching" on Counterpane's home page.) This
might be enough to protect against the presumed attacker, depending on the
time one is willing to invest in the computation.

CR also wrote:

> > Here's the kicker, I want to use simple math that is available in
> > Perl, in the fewest lines possible, and be easy enough to understand
> > that almost anyone can follow the math. But be unable to reverse the
> > process easily.

Well, so the question is what you can do easily in Perl, which is hard to
reverse, takes about x milliseconds (for a suitable x), and cannot be
computed all that much faster using some other language. I don't know Perl
much, unfortunately, but I suppose the "simple math" is really a decent
bignum package which isn't too slow? (I seem to recall seeing RSA in 3 lines of
Perl, so...) Off the top of my head, without thinking it through too much,
I'm thinking modular exponentiation, done twice. The first time just to
get a larger exponent from the 32 bits, the second with a larger modulus
as the actual time-consuming computation.

Pick one large prime p_0 and a generator g_0 for the multiplicative
group modulo p_0. I don't know what the proper size is; I'd have to do
timings for that, which I'm too lazy for, but I'm guessing 4096 bit.
Then, pick a smaller prime p_1 and corresponding generator g_1. The size of
p_1 can be varied to fine tune the system to get the desired execution time,
I'm guessing a few hundred bits. This is all done once and for all, the
primes should be embedded in the program. Then the program simply computes:

modexp(g_0, modexp(g_1, x, p_1), p_0) % 0x10000

where x is the 32-bit number. modexp(a,b,c) is taken to mean a to the b-th
power modulo c (I have no idea what the Perl syntax might be...).

        /Anders

-- 
Anders Andersson <[EMAIL PROTECTED]>
"I am, therefore I'll think" (from 'Atlas Shrugged' by Ayn Rand)



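Two threads in this digest raise the same problem from different ends: the
question about hashing a 48-bit value, where the poster already suspects the
whole 2^48 input space can be hashed offline, and the IP-to-ID thread, where
Andrew notes that the first bits of a SHA-1 over a 32-bit address fall to a
2^32 search and Anders Andersson proposes slowing each evaluation down with
two nested modular exponentiations, modexp(g_0, modexp(g_1, x, p_1), p_0) %
0x10000. The following is an added example, not code from any post, that
shows both: the inversion of a truncated SHA-1 over a small candidate set, and
Andersson's construction as he wrote it. Its parameters are stand-ins: p_1 =
65537 with generator g_1 = 3 is a genuine prime/primitive-root pair but far
below the "few hundred bits" he suggests, p_0 = 2**127 - 1 (a Mersenne prime)
replaces the 4096-bit prime, and g_0 = 3 has not been verified to be a
generator of that group, which his construction requires. The address and
the /24 search space are constructed for the demo.

```python
# Added example, not from any post in either thread.  It puts two points
# from the discussion into running code: a hash of a low-entropy value
# (here a 32-bit IPv4 address; the 48-bit case is the same, just 2**16
# times more work) is inverted by hashing every candidate input, and Anders
# Andersson's suggestion of slowing each evaluation with two nested modular
# exponentiations, modexp(g_0, modexp(g_1, x, p_1), p_0) % 0x10000.
#
# Assumptions: the address and the /24 search space are constructed for the
# demo; P1 = 65537 with generator G1 = 3 is a real prime/primitive-root
# pair but far below the "few hundred bits" the post suggests; P0 = 2**127-1
# (a Mersenne prime) stands in for the 4096-bit prime, and G0 = 3 has NOT
# been checked to be a generator of its multiplicative group, which the post
# asks for.  Timings are machine-dependent and only indicative.
import hashlib
import time
from typing import Callable, Iterable, List

P1, G1 = 65537, 3           # 3 is a primitive root mod the Fermat prime 65537
P0, G0 = 2**127 - 1, 3      # stand-ins; see the header comment


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def fast_tag(x: int) -> int:
    """Andrew's baseline: the first 16 bits of SHA-1 over the 32-bit value."""
    digest = hashlib.sha1(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def slow_tag(x: int) -> int:
    """Andersson's construction: a small modexp widens x into an exponent,
    a large modexp is meant to burn the time, and the result is cut to
    16 bits.  With the stand-in P0 it is not actually slow."""
    inner = pow(G1, x, P1)
    return pow(G0, inner, P0) % 0x10000


def invert(tag_fn: Callable[[int], int], tag: int,
           candidates: Iterable[int]) -> List[int]:
    """Every candidate whose tag matches.  With a 16-bit tag and a small
    candidate set this is normally just the true input, but collisions are
    possible, so a list is returned rather than a single value."""
    return [x for x in candidates if tag_fn(x) == tag]


def slash24(x: int) -> range:
    """All 256 addresses sharing the first three octets with x."""
    base = x & ~0xFF
    return range(base, base + 256)


def seconds_for_full_space(tag_fn: Callable[[int], int],
                           samples: int = 200, space: int = 2**32) -> float:
    """Time `samples` evaluations and extrapolate to the whole input space."""
    start = time.perf_counter()
    for x in range(samples):
        tag_fn(x)
    per_call = (time.perf_counter() - start) / samples
    return per_call * space


if __name__ == "__main__":
    x = ip_to_int("192.0.2.77")            # constructed address (TEST-NET-1)
    for name, fn in (("sha1[:16]", fast_tag), ("double modexp", slow_tag)):
        hits = invert(fn, fn(x), slash24(x))
        est = seconds_for_full_space(fn)
        print(f"{name:14s} tag={fn(x):#06x} recovered={hits} "
              f"~{est / 3600:.1f} h to cover 2**32")
```

Both tags are recovered from the /24 in a fraction of a second because
nothing in either function is secret: anyone who knows the method can
evaluate it on every candidate, and slowing it down (with a 4096-bit modulus
rather than the stand-in here) only raises the attacker's cost linearly.
Thulin's secret translation table is the construction in this digest that
actually removes the attacker's ability to compute the mapping at all.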
------------------------------

From: "Jakob Jonsson" <[EMAIL PROTECTED]>
Subject: Re: Some help please
Date: Tue, 23 Jan 2001 10:45:40 +0100

> I received this following msg, I believe it is using some simple
> monoalphabetic cipher, but I am lacking time and expertise to decrypt
> it....

It couldn't possibly be monoalphabetic substitution, because the 2nd and 4th
letters are different. This is, of course, polyalphabetic substitution.

:)

Jakob




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
