Cryptography-Digest Digest #557, Volume #13 Fri, 26 Jan 01 15:13:01 EST
Contents:
Re: Why Microsoft's Product Activation Stinks ("David C. Barber")
Between Silk and Cyanide ("Roger Peniston-Bird")
Re: Why Microsoft's Product Activation Stinks (Lord Running Clam)
Re: Why Microsoft's Product Activation Stinks ("Paul Pires")
Re: Why Microsoft's Product Activation Stinks ("Joe Green")
Re: Decode Algorythim (Mike Rosing)
Re: Dynamic Transposition Revisited (long) ("Tony T. Warnock")
Re: finding inverses and factoring (Bryan Olson)
Re: Paranoia (digiboy | marcus)
Re: How many bits of security can a password give? ("Joseph Ashwood")
Re: RC4 Security ("Joseph Ashwood")
Re: Random stream testing. (long) ("Joseph Ashwood")
Re: TSEPRNG, a secure RNG ? ("Joseph Ashwood")
Re: Cryptographic Camouflage ("Joseph Ashwood")
----------------------------------------------------------------------------
From: "David C. Barber" <[EMAIL PROTECTED]>
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Fri, 26 Jan 2001 10:42:15 -0700
"Richard Heathfield" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Yes, indeed. I think it sums up one of the points nicely. If Microsoft
> want copy protection to actually work, they need to do it in hardware.
> That way, the cost of making a copy is likely to exceed the cost of
> buying one in the shops. Of course, I'm not convinced that anyone's
> going to buy any Microsoft hardware more complicated than a mouse, but
> that's for each user (or IT dept) to decide, of course.
Now there's a thought. Include unlock information in a MS mouse making it a
combination mouse/dongle. The cost of the extra mouse h/w would likely be
more than recovered by increased revenues due to the reduction in piracy.
This is MY idea, published here. You must PAY ME to use it, and quote it as
Prior Art in any patent application. :^)
*David Barber*
------------------------------
From: "Roger Peniston-Bird" <[EMAIL PROTECTED]>
Subject: Between Silk and Cyanide
Date: Fri, 26 Jan 2001 17:47:38 GMT
I happened to be rereading Leo Marks' book when I heard the sad news of his
death.
It's a fascinating book: sad, funny, moving, exasperating, deep, flippant...
and frustrating in that it raises a lot of questions that it does not answer.
For instance, what happened to Giskes, who captured so many agents sent to
the Netherlands? Did he survive the war? What was the system whereby
Pandarus could pass on security checks to other agents without being able to
remember them himself?
It also appears from Silk and Cyanide that 'indecipherables' were tackled by
SOE's FANYs with no more sophisticated equipment than squared paper, whilst
Bletchley was using 'bombes', punched tape, etc. True or false? And did
anyone think of trying to use ULTRA material to check whether the Dutch
network was compromised? What did Marks know of ULTRA?
However, what frustrated me most was chapter 5, in which Marks shows how to
crack messages in the poem code 'with a depth of two'.
For a start, the initial crib uses a (deliberate) misprint... a misspelling
of the name 'Ozanne'. (In practice this would be like trying to crack a
cypher by using "De Gaullle" as a crib instead of "De Gaulle".) And then,
comparing the coded messages (p. 46 in the paperback) with the original ones
(p. 54), one discovers there is an F in the original first message and none
in the scrambled version, i.e. pair No. 42 on p. 54 is not to be found on
p. 46. And conversely pair No. 53 on p. 46 does not occur on p. 54.
When he has cracked the cyphers, Marks breaks the news to Ozanne that if one
can determine the process that results in the original letters changing
their positions between the original message and its encipherment, one would
be in possession of the transposition key by which both messages had been
encoded and hence be able to decrypt any other message based on the same
key, "The mathematics involved would be basic but fiddling, and I asked
Ozanne if he would like to see the process for himself or accept my word
that within a very short time we could mathematically construct the entire
transposition key... My word was instantly accepted."
So, alas, we are not enlightened as to how the transposition key was
reconstructed, but are simply told it starts 1,16,17, 23 etc.
In chapter 3 (pp. 32-3) Marks tells us all messages were encoded on a pair of
transposition keys. Once he had encoded his message using the first one, the
agent had to re-encode it using a second transposition key based on another
five words from his poem. "The agent used his transposition keys to put his
clear text through a series of complex convolutions......" but that if the
Germans had broken one of his messages they could mathematically
reconstruct the words of the poem the agent used as the basis for his
initial transposition."
At this point I am left wondering how, given the original sequence of
letters (from having cracked the cypher) and having got the sequence as
encrypted, it is possible with basic fiddly maths to determine the two
transposition keys. So could someone please explain this or tell me where I
might find the answer? Then I could try and work out the second key for
myself.
Secondly, given the sequence starting 1, 16, 17, 23 which is the original
key, Marks tells Ozanne that it would take the coders of Grendon twenty
minutes or so to convert those figures into the original words from which
they came. "Did he wish to see the process for himself, or would he accept
my assurance?" Sadly, Ozanne accepts the assurance, so we do not learn how
this process works either.
I presume, however, that one assumes 1 probably stands for 'A' and
substitutes letters for numbers with an eye to their frequency of
occurrence. In the example in the book, for instance, 1,2 and 3 are A and 4
and 5 are B. And U is 26.
So substituting 5,6,3 with B?A it becomes evident that 6 is likely to be E
rather than C or D. I guess the girls of Grendon could also do the Times
crossword as composed by Leo Marks within twenty minutes!
------------------------------
Date: Fri, 26 Jan 2001 12:04:27 -0600
From: Lord Running Clam <Use-Author-Address-Header@[127.1]>
Subject: Re: Why Microsoft's Product Activation Stinks
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
=====BEGIN PGP SIGNED MESSAGE=====
On Fri, 26 Jan 2001, Richard Heathfield <[EMAIL PROTECTED]> wrote:
>Lord Running Clam wrote:
>> Excuse me, but is this little piece from alt.security.pgp relevant to your
>> flamewar?
>>
>> http://www.deja.com/[ST_rn=ps]/getdoc.xp?AN=720256016&fmt=text
>
>Yes, indeed. I think it sums up one of the points nicely. If Microsoft
>want copy protection to actually work, they need to do it in hardware.
>That way, the cost of making a copy is likely to exceed the cost of
>buying one in the shops. Of course, I'm not convinced that anyone's
>going to buy any Microsoft hardware more complicated than a mouse, but
>that's for each user (or IT dept) to decide, of course.
>
>As for the flamewar, well, I'm not terribly interested in prolonging it.
>But 'twas mildly diverting while it lasted. :-)
They can be fun.
Before M$ go hunting for hardware dongle manufacturers, they might want to
check out what happened to all those things you used to have to buy and
plug into the parallel port.
Of course, they won't learn anyway. They seem to be paid up subscribers to
Henry Ford's "History is, more or less, bunk" philosophy.
LRC.
- --
The bigger the humbug, the better people will like it.
~ Phineas Taylor Barnum.
=====BEGIN PGP SIGNATURE=====
Version: N/A
=====END PGP SIGNATURE=====
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Fri, 26 Jan 2001 10:12:41 -0800
Richard Heathfield <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
<snip>
> As for the flamewar, well, I'm not terribly interested in prolonging it.
> But 'twas mildly diverting while it lasted. :-)
You must have better flame skills than I. I took a swing at "Szopa on a
Rope-a"
And this is all I got back.
"I cannot post my reply. It would be too informative."
Some of us are just not very talented I guess.
Paul
------------------------------
From: "Joe Green" <[EMAIL PROTECTED]>
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Fri, 26 Jan 2001 11:13:20 -0700
"David C. Barber" <[EMAIL PROTECTED]> wrote in message
news:94scrr$8gc$[EMAIL PROTECTED]...
> "Richard Heathfield" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
> > Yes, indeed. I think it sums up one of the points nicely. If Microsoft
> > want copy protection to actually work, they need to do it in hardware.
> > That way, the cost of making a copy is likely to exceed the cost of
> > buying one in the shops. Of course, I'm not convinced that anyone's
> > going to buy any Microsoft hardware more complicated than a mouse, but
> > that's for each user (or IT dept) to decide, of course.
>
> Now there's a thought. Include unlock information in a MS mouse making it a
> combination mouse/dongle. The cost of the extra mouse h/w would likely be
> more than recovered by increased revenues due to the reduction in piracy.
>
> This is MY idea, published here. You must PAY ME to use it, and quote it as
> Prior Art in any patent application. :^)
You cannot patent an idea. You could however have a patentable arrangement
for a new type of mouse. On the other hand, by publishing it here, you have
placed it in the public domain and if you have not previously filed for a
patent, then anyone is free to use it. Is that not correct?
As for the whole notion of "copyrights", everyone has the right to make
copies for his own use. No vendor has ever been successful in this since we
all have the right to make copies that back up our purchase of the original.
In Canada, making more than a dozen copies for sale within a six month
period is a criminal offence. So all the shrink wrap efforts to "legalize" an
otherwise illegal copyright "contract" cannot prevail. Contracts have to be
contracts. They cannot be mouseclicks that allow some installation process to
proceed. The two parties must clearly understand the binding terms and
conditions, and these all follow legislation when they are in the form of
tickets to the movies, which is where most of this is headed.
>
> *David Barber*
>
>
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Decode Algorythim
Date: Fri, 26 Jan 2001 12:14:57 -0600
Yeah wrote:
>
> Ok i am writing a program now that uses the encryption key:
>
> Message^13(Mod C)=Encrypted
>
> C bind the key
>
> Only problem is that I have lost my notes as to what the decryption
> algorithm is. Any ideas??
If this is homework, you'd better study a bit harder. You need to find a
number x which satisfies 13*x = 1 mod (C-1).
Patience, persistence, truth,
Dr. mike
------------------------------
From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: Dynamic Transposition Revisited (long)
Date: Fri, 26 Jan 2001 12:07:40 -0700
Reply-To: [EMAIL PROTECTED]
I have a suggestion for the initial statistical-balance step (to reduce
the later balance extensions.) XOR the input with a DeBruijn sequence.
For example a simple method would be to XOR the sequence 0101010101....
Better would be 001100110011.... and even better 0001011100010111.... In
the latter case, the XORing sequence is one byte long so one might
improve things by rotating this sequence between bytes. Longer
sequences are possible 0000100110101111 could be used on pairs of
bytes--with rotation.
A weirder method (that I developed for a hand-held calculator) works as
follows: pick a magic prime P (9949 is good), set up an accumulator A=P/2
(4975 or 4974), then do the following for each input bit x(j):
A=2A+x(j); if(A<P) then y(j)=0 else y(j)=1; A=A-P endif
This works if 2 is a primitive root of P. (Even better if 4 is also a
primitive root.)
The whole thing works better in base 3 using P=487.
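The two balancing steps described above, as an added example (my own code, not Tony's calculator program): the de Bruijn XOR mask with per-block rotation, the magic-prime accumulator, and a primitive-root check for the stated condition on 2 and P. The rotation scheme is my reading of "rotating this sequence between bytes", and the skewed input is constructed.

```python
# Added example, not from the post: de Bruijn masking, the prime
# accumulator and a primitive-root test. Sample input is constructed.

B2_3 = [0, 0, 0, 1, 0, 1, 1, 1]                          # 00010111, one byte
B2_4 = [0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1]  # 0000100110101111


def de_bruijn_mask(bits, pattern, rotate=0):
    """XOR the input with a repeating de Bruijn pattern. With rotate > 0 the
    pattern is rotated left by rotate*k bits for the k-th block (my reading
    of "rotating this sequence between bytes"). XOR is an involution, so the
    same call applied again restores the input."""
    n = len(pattern)
    out = []
    for k in range(0, len(bits), n):
        shift = (k // n) * rotate % n
        rotated = pattern[shift:] + pattern[:shift]
        out.extend(b ^ m for b, m in zip(bits[k:k + n], rotated))
    return out


def prime_accumulator(bits, P=9949):
    """A = P//2; for each input bit x: A = 2A + x; emit 0 if A < P, else emit
    1 and subtract P. A stays in [0, P-1]. For an all-zero input the output
    is simply the binary expansion of (P//2)/P, so this step balances the
    bit counts but adds no entropy of its own."""
    A = P // 2
    out = []
    for x in bits:
        A = 2 * A + x
        if A < P:
            out.append(0)
        else:
            out.append(1)
            A -= P
    return out


def is_primitive_root(g, p):
    """True if g generates the multiplicative group mod the prime p, i.e.
    g^((p-1)/q) != 1 (mod p) for every prime factor q of p-1. Note that
    4 = 2*2 can never qualify for an odd prime: its order divides (p-1)/2."""
    order = p - 1
    factors, m, q = set(), order, 2
    while q * q <= m:
        while m % q == 0:
            factors.add(q)
            m //= q
        q += 1
    if m > 1:
        factors.add(m)
    return pow(g, order, p) == 1 and all(pow(g, order // q, p) != 1
                                         for q in factors)


def ones_fraction(bits):
    """Crude balance measure: share of ones in the stream."""
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    skewed = ([0] * 9 + [1]) * 100          # constructed: 9 zeros per one
    print("ones before:", ones_fraction(skewed))
    print("after de Bruijn mask:", ones_fraction(de_bruijn_mask(skewed, B2_3, 1)))
    print("after prime accumulator:", ones_fraction(prime_accumulator(skewed)))
    print("2 primitive root of 9949:", is_primitive_root(2, 9949))
    print("4 primitive root of 9949:", is_primitive_root(4, 9949))
```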
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: finding inverses and factoring
Date: Fri, 26 Jan 2001 18:59:44 GMT
David A Molnar wrote:
[...]
> Thanks much for the explanation!
Welcome. I didn't figure this out myself either. PKCS#1
cites:
G.L. Miller. Riemann's hypothesis and tests for
primality. Journal of Computer and Systems
Sciences, 13(3):300-307, 1976.
for showing that d and the public key gives p and q. I never
looked the paper up, so I don't know for sure that it's
the same method (which I got from Susan Langford).
> I've noticed you give Python source for several
> other queries; looks like a language to pick up.
Python rocks! There are (free) distributions for popular
platforms at www.python.org, and it has always installed (and
uninstalled) cleanly for me.
I find that Python code usually comes out short and (IMHO)
clear. Since long integers (of arbitrary size) are built in,
I can present complete samples that are not limited to toy
sizes.
--Bryan
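An added example (my own code, not from either post) that covers both Dr. Mike's reply on the decryption exponent for Message^13 mod C and Bryan's remark that d together with the public key gives p and q. The primes, exponent and messages are constructed; for a prime modulus C the inverse of 13 is taken mod C-1, and for an RSA modulus n = p*q it is taken mod (p-1)(q-1).

```python
# Added example, not from the thread: modular inverse for the decryption
# exponent, and factoring n from (e, d). All numeric values are constructed.
from math import gcd


def modinv(a, m):
    """Extended Euclid: return x with a*x = 1 (mod m); ValueError if none."""
    old_r, r = a % m, m
    old_x, x = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
    if old_r != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, m, old_r))
    return old_x % m


def decryption_exponent(e, group_order):
    """d with e*d = 1 (mod group_order): the order is C-1 for a prime
    modulus C (Fermat) and (p-1)*(q-1) for an RSA modulus n = p*q."""
    return modinv(e, group_order)


def factor_from_private_exponent(n, e, d, max_base=200):
    """Given n = p*q and e*d = 1 mod (p-1)(q-1), recover p and q: e*d-1 is a
    multiple of the group order, so write it as 2^s * t and walk a^t, a^(2t),
    ... until a non-trivial square root of 1 mod n appears, which splits n.
    Small bases are tried in order so the result is reproducible."""
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for a in range(2, max_base):
        if gcd(a, n) != 1:                 # a itself shares a factor with n
            p = gcd(a, n)
            return tuple(sorted((p, n // p)))
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                        # this base only reaches +/-1
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:
                if x != n - 1:              # x*x = 1 but x != +/-1
                    p = gcd(x - 1, n)
                    return tuple(sorted((p, n // p)))
                break
            x = y
    return None


# Constructed RSA-style parameters (far too small for real use).
P, Q = 101, 103
N, PHI, E = P * Q, (P - 1) * (Q - 1), 13
D = decryption_exponent(E, PHI)             # 6277

if __name__ == "__main__":
    print("prime modulus 1009: d =", decryption_exponent(13, 1008))
    print("n = %d, e = %d, d = %d" % (N, E, D))
    c = pow(4242, E, N)
    print("4242 -> %d -> %d" % (c, pow(c, D, N)))
    print("factors recovered from (n, e, d):", factor_from_private_exponent(N, E, D))
```

Leaking d is therefore exactly as bad as leaking p and q, which is why the private exponent must be protected as carefully as the primes themselves.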
------------------------------
From: digiboy | marcus <[EMAIL PROTECTED]>
Subject: Re: Paranoia
Date: Fri, 26 Jan 2001 18:56:26 GMT
In article <[EMAIL PROTECTED]>,
JCA <[EMAIL PROTECTED]> wrote:
> On the other hand, I would easily believe
> that it would be in the interests of such an organization to spread
> rumours and innuendo about what it can or can't do.
There are actually advantages to the public thinking either way...
Personally, though, I think they _can_ break RSA easily. However I
don't think that this is what the quote meant.
--
[ marcus ] [ http://www.cybergoth.cjb.net ]
[ ---- http://www.ninjakitten.net/digiboy ]
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: How many bits of security can a password give?
Date: Wed, 24 Jan 2001 11:50:11 -0800
"Erik Runeson" <[EMAIL PROTECTED]> wrote in message
news:94nafd$lff$[EMAIL PROTECTED]...
> I'm trying to find an upper limit to how strong a
> regular password can be.
Depends on the password. If you let the user choose an English word, it is
rather predictably 1 bit of entropy per character. If you require that there
be at least one capital, they will almost certainly capitalize the first
letter, so maybe .25 bits of entropy added. Adding a number on the end adds
an average of log2(10) although it will be biased towards 1. So your normal
passwords would have anywhere from 6 to ~12 bits of entropy. If you choose
the values randomly, then it depends on your selection method. If you move
up to passphrases, most people will still choose weak passphrases, but they
will necessarily be stronger, because the limitation of 1 bit of entropy
per character means that as they use longer passphrases you get more
entropy. If you educate them to use random capitalization that can be your
best friend; it adds a pure 1 bit of entropy per character. If they use
diceware, along with random capitalization, you are in very good shape and
they will probably have more entropy in their passphrase than you will
harvest in your verification.
Joe
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: RC4 Security
Date: Wed, 24 Jan 2001 14:57:13 -0800
> 1. How can someone know the amount of bits of an encryption?
The simple answer is take the length of the key.
> 2. How can someone determine if an encrypted file or an encryption
> algorithm is secure?
The simple answer is that you check to make sure it uses a well regarded
algorithm in a strong way.
Both of these answers vastly oversimplify the fact that we are not really
sure of the answers. To answer either of these questions we first have to
answer "What is the cryptographic strength of algorithm A?" The best answer
we can give to that is "We only know of attacks that reduce it to X time and
we (do not) expect future advancements in the near future." As to why we
can't measure absolute cryptographic strength: for the simple reason that we
don't know everything. We know the two extremes: OneTimePad has
mathematically proven security bounds, and plaintext also has known security
bounds. We can only say of everything else, with absolute certainty, that it
is no more secure than OTP and no less secure than the plaintext. We can
say we believe that there will only be trivial advances against an
algorithm, but that is only belief, not hard fact.
Joe
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Random stream testing. (long)
Date: Wed, 24 Jan 2001 15:19:04 -0800
Crossposted-To: sci.crypt.random-numbers
"Paul Pires" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In learning about testing PRNG's and RNG's I have
> run into a confusion. How it "must be" is different from
> how it is discussed. Perhaps I misunderstand.
I don't see much misunderstanding on your part, mostly just bad writing.
>
> Note:
> Throughout this discussion the usefulness of random
> testing will be questioned. Obviously, it is useful in
> eliminating putrid concepts. The focus here is on how
> this endeavor can be improved to quantify differences
> between "Good & Practical" sources.
It's good to question everything, especially before you start betting money
on it.
>
> Maybe I am re-stating the obvious but, here goes.
>
> First off, the notion that this is testing the randomness
> of the data. It seems obvious to me that it is only
> comparing the results to an expectation of how
> random data would look according to very narrow
> criteria. It say's nothing about the data's randomness
> per se but only how it compares to a theoretical result,
> according to a very limited criteria. No test can detect
> randomness.
That is correct. What the tests do is build a likelihood that, under the
constraints of the test, the input was generated by a deterministic
machine; or, as another view, they measure the entropy per area as supplied
by a particular model and make an entropy estimate.
>
> Second, the notion of evaluating a single test result
> seems bizarre. The documentation for these tests
> invariably say something like "A value of 99% is an
> indication that it is most probably not random"
> How could this be? If it is a comparison to a random
> expectation and if random is unbounded, then any
> result value could be the result of a random process.
> The results could only be meaningful when a large
> population of results are evaluated against an expected
> distribution.
Correct. What you need to do is examine the test itself, determine what the
likelihood that a pure random source will achieve each measurement, and test
your source to get close to that distribution.
> Out of one-hundred tests run, 50% of them should score
> 50%, 25% should score 75 or 25% etc. In this context,
> a value of 1% or 99% is affirming as you would expect
> one to occur.
That's not quite correct. What needs to happen is that assuming an equal
distribution on the output of the test, each value of the percent should be
equally likely with your input to match the behavior of the pure random
source.
> One might make the case that this is a distinction without
> much difference. While there isn't a lot of justification for
> picking one sample size over another besides "Bigger is
> better, there is a big difference in looking at an single
> artifact versus a population.
Right, you need to look at not only large samples, but a large number of
large samples to begin to build up the necessary information. And always
remember that the tests are looking for specific behavior of random models;
with any given set, large or small, there is a likelihood of occurrence or
lack of occurrence.
>
> K-S tests and P values don't help much as they are a
> blind alley. Do a hundred tests and gather a hundred
> P values. Do a K-S on the P values and what does that
> single result tell you? Nothing. You have just turned a
> population into an artifact. You could do this a hundred
> times and get a population of 100 composite results. How
> is that better or more revealing data than the 10,000
> P values it was made from?
It may reveal patterns that would have otherwise gone unnoticed. That is
their only real purpose. The other purpose is so that people with little
education in the matter can quickly judge a claim about a PRNG.
> I've almost worked myself into a paradox here. Single
> results are meaningless and group results are
> incomprehensible. What's left?
What you can do is examine the group of results to see if they exhibit
random behavior, that is useful.
>
> Grouped results could be useful. I suspect that they
> are and that the old salts around here have a pretty
> good grip on how to deal with them. The suggestion
> above on checking the distribution of values versus
> checking the probability of any one value seems to increase
> sensitivity. Marginally bad PRNG's make horrendously
> bad distributions when viewed this way. In a small sample,
> a bias could live within the noise band. As the sample gets
> larger, a bump on the curve becomes noticeable above the
> noise.
That's right, that's why I recommend making tests on at least 128MB value
sets, testing as many of them as possible, checking them against each other
as much as possible, checking polynomial functions of them, etc. to see if
they maintain good random distribution through the tests. Of course this
only tells you that you don't have the right test.
>
> We need another knob on the box. We can currently switch
> between different tests that are more sensitive to different
> root causes but the tests are not sensitive enough. Can anyone
> tell the difference between good PRNG output and RNG output?
Actually it's been mathematically proven (I'm sure someone else can supply
the name for me) that given the output of a questionably random source you
cannot determine if the source is random.
> Many say that RNG output is better quality than PRNG output
> but I have never seen a demonstration of such an evaluation.
> The two have different qualities e.g. entropy content but I
> don't think anyone could spot the difference in a blind taste test.
> Remember, we are talking about the attributes of the output,
> not the method
Well RNG output has 1 bit of entropy per bit, (Deterministic)PRNG output has
a fixed k bits of entropy scattered throughout the infinite output (although
the entropy in a given bit is likely to diminish to true 0 near the end
versus near the beginning).
>
> There is also a need for a qualitative measure for all tests. There
> are no universal units for discussing performance. Right now
> someone can say "I did not fail Diehard or NIST suite or ent" but
> one cannot say that they passed or by what margin.
How do you pass a test that you MUST fail a certain percentage of the time
to actually pass it?
> Perhaps
> there is a way where an analog result rather than the digital
> Pass/Fail can be constructed. If this where done, apples to apples
> evaluation of different sources could be evaluated where their
> relative strengths and weaknesses could be compared in detail.
Not really, I actually went through this a few months ago to attempt to get
a good handle on the requirements for a specification. Several of us
considered a massive number of variables, and we simply could not reach a
conclusion that did not require infinite resources of one kind or another.
We gave up and said 1000 DIEHARD tests of 100MB series all consecutively
done with keying controlled by the testers, and they must fail each test at
least 3 times, and no more than 80 times. You know what we found? We
couldn't find any PRNGs that passed our criteria consistently, because we
naturally scaled it up for actual testing (I think we went with 5 of 9 or
something equally pointless). When we spec'd it we didn't think the bar was
raised too far.
> this information would help in correlating certain structures and
> actions to behaviors. It could also serve as a basis for and monitor
> of confidence. Rate the methods that have been hacked based on
> the PRNG. Rating these PRNG's against the field should yield
> fascinating results regardless of how they turn out. A web page
> where every known PRNG or RNG gathering scheme could be
> listed with its performance to various tests, at different sensitivities
> would be pretty neeto.
But how do you judge its performance? Like I said, a true random source MUST
fail the test a certain percentage of the time.
> Don't wake me up, It is such a lovely dream.
The sad part is, many of us have tried to get close to that dream, we just
haven't made it, and it might not be possible.
Joe
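An added example, not from the thread, of the "population of results" view discussed above: the monobit frequency test run a hundred times over seeded fair and biased sources, reporting the fraction of results below 0.01 (which a good source must hit about 1% of the time) and a second-level chi-square check on whether the p-values themselves are spread evenly. Both sources are constructed stand-ins, so the figures are reproducible rather than a statement about any real generator.

```python
# Added example, not from the thread: a p-value population for the monobit
# test and a second-level uniformity check. Sources are seeded stand-ins.
import math
import random


def monobit_p_value(bits):
    """Frequency test: p-value of the +/-1 sum under the fair-coin model.
    A single value says little; a fair source scores below 0.01 about 1% of
    the time, and one that never does so is failing in its own way."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def p_value_population(source, runs, n):
    """Run the test `runs` times on fresh n-bit samples from `source`."""
    return [monobit_p_value(source(n)) for _ in range(runs)]


def fraction_below(pvals, alpha=0.01):
    """Share of results that would be called a 'failure' at level alpha."""
    return sum(1 for p in pvals if p < alpha) / len(pvals)


def uniformity_chi_square(pvals, bins=10):
    """Second-level test: bin the p-values and compare with a flat histogram.
    For a truly random source this follows chi-square with bins-1 degrees of
    freedom (mean 9 for ten bins); if every result lands in one bin it takes
    the maximum value (runs-expected)^2/expected + (bins-1)*expected."""
    counts = [0] * bins
    for p in pvals:
        counts[min(int(p * bins), bins - 1)] += 1
    expected = len(pvals) / bins
    return sum((c - expected) ** 2 / expected for c in counts)


def fair_source(seed):
    """Constructed stand-in for a good generator (seeded, so reproducible)."""
    rng = random.Random(seed)
    return lambda n: [rng.getrandbits(1) for _ in range(n)]


def biased_source(seed, p_one=0.6):
    """Constructed stand-in for a weak generator: 60% ones."""
    rng = random.Random(seed)
    return lambda n: [1 if rng.random() < p_one else 0 for _ in range(n)]


def compare(runs=100, n=10000, seed=1):
    """(fail fraction, uniformity chi-square) for the fair and biased source."""
    fair = p_value_population(fair_source(seed), runs, n)
    biased = p_value_population(biased_source(seed), runs, n)
    return (fraction_below(fair), uniformity_chi_square(fair),
            fraction_below(biased), uniformity_chi_square(biased))


if __name__ == "__main__":
    ff, fc, bf, bc = compare()
    print("fair:   fail fraction %.2f, p-value uniformity chi2 %.1f" % (ff, fc))
    print("biased: fail fraction %.2f, p-value uniformity chi2 %.1f" % (bf, bc))
```

The biased source fails every run, so its p-values pile into the lowest bin and the uniformity statistic hits its ceiling; the fair source fails about one run in a hundred and spreads its p-values across the bins, which is the behaviour a real random source MUST show.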
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: TSEPRNG, a secure RNG ?
Date: Wed, 24 Jan 2001 15:43:34 -0800
"Dan Parisien" <[EMAIL PROTECTED]> wrote in message
news:PlJb6.118149$[EMAIL PROTECTED]...
> (I'm actually pretty offended by the statement not to produce the source)
I'm sorry you feel that way. Generally we are against the posting of code
because it takes more space than it is worth on here. For example it is much
easier to say sign it with DSA than
BN_rand(...)
..
...
...
...
..
[snip another 15 lines]
> > Input such as your algorithm can output can
> > be fed to a PRNG like Yarrow
> That's what I'm trying to avoid...
You really shouldn't try to avoid something like yarrow, in fact you are
creating a very basic one. Yarrow is just designed so that it can make use
of more sources of entropy than just the task scheduler.
> I'll get more input on this... I think the theory behind this prng is
> sound...
I don't think the theory behind the prng is sound enough. I should not have
to prove that a deterministic process cannot produce entropy. I should not
have to prove that the task scheduler is wholly deterministic. From these
two statements we can conclude that the task scheduler cannot create
entropy; there may be entropy that it expresses because of other processes
on the system which interact with humans, access the disk, read from the
network, etc., but the task scheduler itself, the one piece that you are
relying completely on, cannot create entropy. I know this sounds very cold
and very hard, but that's just the way sci.crypt is; like any other group we
have our group behavior, ours just tends to be more rock-like than most.
Joe
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Cryptographic Camouflage
Date: Wed, 24 Jan 2001 11:23:47 -0800
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > http://www.delphion.com/details?pn=US06170058__ .
> I haven't looked at the detailed document. But the formulation
> of the short description appears indeed to be puzzling. It
> seems to claim that, since entering something (whether right
> or wrong) into the device and there always comes out something,
> an outsider can't know from this fact (alone) whether what was
> entered is correct or not. But that's a trivial, isn't it?
Actually it's not so trivial because what is being discussed is the private
key for RSA. In order to make it so you have to take certain precautions and
do several interesting things. Mostly it consists of making public certain
parts of the private key which would be known anyway (e.g. the top bit is a
1), encrypting the private key with a short secret, and encrypting the
public key strongly (we use 3DES). So it is not just by the decrypted
potential private key alone that they must determine it, but they also have
the encrypted value of e, and the cleartext N that can be used for leverage.
So it's not as trivial as it first seems (I will admit I was very much a
skeptic about whether or not the patent would/should be granted), but I
believe it is still rather trivial. That was my ulterior motive for bringing
it to everyone's attention: it's patented so none of us can use it without
paying at least royalties, and I wouldn't want one of us to get in trouble
for doing something obvious.
Joe
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************