Cryptography-Digest Digest #559, Volume #13 Fri, 26 Jan 01 15:13:01 EST
Contents:
Re: Dynamic Transposition Revisited (long) (AllanW)
Re: Snake Oil (SCOTT19U.ZIP_GUY)
Re: Knots, knots, and more knots (Matthew Montchalin)
Re: Decode Algorythim ("Joseph Ashwood")
Re: Steak Stream Cipher ("Joseph Ashwood")
Re: Mr Szopa's encryption (was Why Microsoft's Product Activation Stinks) ("Joseph Ashwood")
Re: Why Microsoft's Product Activation Stinks (Anthony Stephen Szopa)
Encryption Program (Benjamin)
Re: What do you do with broken crypto hardware? (Bill Unruh)
Q: File Extension .$#! - Which Encryption Program?!? (Thomas Propst)
----------------------------------------------------------------------------
From: AllanW <[EMAIL PROTECTED]>
Subject: Re: Dynamic Transposition Revisited (long)
Date: Fri, 26 Jan 2001 19:33:06 GMT
[EMAIL PROTECTED] (Terry Ritter) wrote:
>
> On Tue, 23 Jan 2001 08:29:16 -0800, in
> <[EMAIL PROTECTED]>, in sci.crypt "John A. Malley"
> <[EMAIL PROTECTED]> wrote:
>
> >Terry Ritter wrote:
> >>
> >[snip]
> >
> >> >This may be a good place to continue the cryptanalysis of the strength
> >> >of the DT cipher. A PRNG with N! states to make every permutation of
> >> >the bits in an N bit block can only generate some of the possible
> >> >sequences of permutations. There are (N!)! possible sequences of
> >> >permutations.
> >>
> >> There are (N!)**S possible sequences of permutations, of sequence
> >> length S.
> >
> >Please help - where did I go wrong in calculating the total number of
> >possible sequences of the N! total possible permutations?
> >
> >Here's my reasoning -
> >
> >Given N bits there are N! different, unique ways to permute those bits -
> >the N! unique permutations. They make a set P.
> >
> >I number the permutations in the set from 1 to N!. How many different
> >ways can I sequence the members of the set of permutations? Or in other
> >words, how many different ways can I write down (list) the elements of
> >P? Let the number of elements in P be M, so
> >M = N!. The number of unique listing sequences of the M elements is the
> >number of permutations of the M elements of P, which is M!. Since M =
> >N!, then M = (N!)!.
> >
> >So that's how I derived the number of ways the individual elements of
> >the set of permutations of an N bit block can be listed out as a
> >sequence.
>
> OK, I had no idea what you were doing. Of course, I still have no
> idea where you are going. Do you have any idea how big (N!)! is?
> Even 128! is 3.85620482e+215, and the factorial of that is some number
> which is about 2.75610295e+218 bits long. (From
>
> http://www.io.com/~ritter/JAVASCRP/PERMCOMB.HTM#Factorials
>
> ).
>
> Surely, there is no reason to imagine that permutations must all occur
> before repeating. In fact, that would be a weakness.
>
> The design goal is to allow the very same permutation to occur on the
> next block, and then rely on the almost infinitesimal probability of
> any particular permutation occurring to be assured that it will almost
> never happen. The goal is to make the permutation selection for each
> and every block independent, with equal probabilities.
>
> We can see the selected permutation as a "value," in a sequence of
> values, exactly the same way we get random values from an RNG, or the
> way we think of sequences as some number of symbols, each one chosen
> from a set. It is a weakness for a random generator to produce a
> value which will not then re-occur until the generator recycles.
>
> >> >AFAIK it's safe to say the PRNG generates N! sequences
> >> >(assuming the set of seed values is equal to the set of possible outputs
> >> >of the PRNG, both sets are of order N!.) Only N!/ (N!)! of the sequences
> >> >can ever be seen.
> >>
> >> ??
> >
> >There are M! ways to list the M values from 1 - M.
>
> These are called permutations.
>
> >A PRNG outputs lists
> >(sequences) of the values between 1-M.
>
> Some RNG's are like that. Don't do that.
>
> >The PRNG starts from a seed
> >value s and makes a list of the M values. Each list is different. The
> >PRNG can only make as many unique lists of the M values as there are
> >unique seeds s. Let the order of the set S of seed values be K. Then
> >the PRNG can only make K out of M! listings (sequences) of the M values
> >from 1 - M. So the PRNG only produces a fraction K / M! of the total
> >possible sequences of the M values.
>
> Internally, there is some concept of a huge cycle which is shuffled by
> an RNG -- the internal state -- but that concept is not necessarily
> the output value. Surely, when we have a huge internal state, we do
> not imagine that we must take the whole amount of that state as the
> RNG result. When we do not, any particular value can re-occur on the
> very next RNG step.
>
> The Additive RNG is discussed in Knuth II. And even though those are
> tiny, it should be clear that, in an Additive RNG, values can and do
> repeat. The intent is to make the probability of that immeasurably
> close to independent selection.
>
> >Let the set S be the set of M output values of the PRNG. The order of
> >the set M is M. Then the PRNG only produces a fraction M / M! of the
> >total possible sequences of the M values.
> >
> >So let M = N! (the number of possible permutations of N bits). The set
> >of seed values S for this PRNG is the set of numbers from 1 through M!
> >The PRNG generates a number from 1 through M! to choose the permutation
> >to apply to the ith bit block. (This is the most abstract view of the
> >PRNG's role in the DTC.)
> >
> >This PRNG can produce only M = N! possible output sequences of
> >permutations. That's why I state the PRNG produces a fraction M! / (M!)!
> >of the total possible listings of the M! permutations of the N bits.
> >
> >Why is this derivation wrong?
>
> Well, it is only wrong if it isn't a step toward your goal. But I
> don't see where you are going. It certainly is an upper limit!!!
>
> There is some truth to it, but the implication I get is that once a
> particular permutation occurs, it cannot re-occur until the RNG has
> cycled, which is false. The sequence of permutations will of course
> start to repeat after the RNG has cycled enough to produce the exact
> same internal state at the start point of the shuffling process (which
> may well take many, many full RNG cycles). But a single RNG cycle
> length is, of course, far beyond what could be traversed in practice.
>
> The problem appears to be based on a fundamental misunderstanding of
> how RNG's produce output values. Presumably there is a generalization
> from simple RNG's to strong ones. It either does not apply, or is
> trying to compute something to which I assign little significance.
I think John A. Malley was trying to find the number of
possible outputs of the PRNG and compare it to the number of
states of the bit-balanced plaintext block. There is more than
one way to do the shuffle, but if you're selecting N numbers
of value 0 to (N-1) then there are N**N possible outputs for
the PRNG, and N!/((N/2)!(N/2)!) possible states for the
plaintext.
Which illustrates one of Terry Ritter's original points: There
are many more possible outputs from the PRNG than there are
states for the plaintext, so that for any one
plaintext/ciphertext combination there is no way to tell what
the PRNG outputs were.
--
[EMAIL PROTECTED] is a "Spam Magnet," never read.
Please reply in newsgroups only, sorry.
Sent via Deja.com
http://www.deja.com/
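A constructed toy version of the counting argument in this post (an added example, not code from the thread or from Ritter's DT implementation): for a 4-bit bit-balanced block it enumerates every one of the N**N = 256 possible PRNG output sequences, applies a swap-based shuffle (assumed here as one of the "more than one way to do the shuffle"), and counts how many PRNG sequences land on each of the N!/((N/2)!(N/2)!) = 6 reachable ciphertexts, so that no single plaintext/ciphertext pair pins down the PRNG output.

```python
import itertools
import math

N = 4  # constructed toy block size; the thread's DT discussion uses N = 128


def count_balanced_blocks(n):
    """Bit-balanced n-bit blocks: n! / ((n/2)! (n/2)!) = C(n, n/2)."""
    return math.comb(n, n // 2)


def count_prng_outputs(n):
    """N picks, each a value in 0..N-1: N**N possible PRNG output sequences."""
    return n ** n


def permute_with_swaps(block, picks):
    """Shuffle driven by N picks: at step i, swap position i with picks[i].

    Assumption: this is the swap-based shuffle implied by 'selecting N
    numbers of value 0 to (N-1)'; it is one of several possible shuffles
    and is not a claim about the real DT cipher's code.
    """
    out = list(block)
    for i, r in enumerate(picks):
        out[i], out[r] = out[r], out[i]
    return tuple(out)


def ciphertexts_per_plaintext(block):
    """Map every possible PRNG output sequence to the ciphertext it yields."""
    table = {}
    n = len(block)
    for picks in itertools.product(range(n), repeat=n):
        table.setdefault(permute_with_swaps(block, picks), []).append(picks)
    return table


def fewest_prng_candidates(block):
    """Smallest number of PRNG sequences behind any reachable ciphertext.

    A value above 1 means even the most revealing plaintext/ciphertext
    pair still leaves several candidate PRNG outputs indistinguishable.
    """
    return min(len(v) for v in ciphertexts_per_plaintext(block).values())


if __name__ == "__main__":
    plaintext = (0, 0, 1, 1)  # constructed bit-balanced block
    table = ciphertexts_per_plaintext(plaintext)
    print(f"PRNG sequences: {count_prng_outputs(N)}, "
          f"balanced states: {count_balanced_blocks(N)}")
    for ct, picks in sorted(table.items()):
        print(ct, "reached by", len(picks), "PRNG sequences")
    # For the thread's N = 128: 128**128 = 2**896 sequences against C(128, 64)
    # balanced blocks, roughly 2**772 PRNG sequences per plaintext state.
    print(round(math.log2(count_prng_outputs(128) / count_balanced_blocks(128))))
```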
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Snake Oil
Date: 26 Jan 2001 19:29:56 GMT
[EMAIL PROTECTED] (Eric Lee Green) wrote in
<[EMAIL PROTECTED]>:
>On Thu, 25 Jan 2001 03:35:16 GMT, Splaat23 <[EMAIL PROTECTED]> wrote:
>>In article <[EMAIL PROTECTED]>,
>>> Take my encryption software. Give it a go. Prove to us you can
>>> break it. Give us your most tenuous reasonable explanation on how you
>>> would go about it.
>>>
>>> Or do you just talk about snake oil having never known what it really
>>> is?
>>
>>Sounds great. I'll think I'll try. First though, what is the reward for
>>cracking your weak encryption? Are you going to offer us anything for
>>our time? Certainly there is no data worth cracking you code (because
>>you have no real users).
>>
>>And, unless you're offering more money, we'd like the source code as
>>well. Trust us, we're not like Microsoft - we won't steal your code and
>
>You mean this guy's still hanging around wasting our time?
>
>When I wanted encryption for the product that my employer is shipping
>shortly, I didn't mess around with any amateur junk algorithms. The
>symmetric encryption is Rijndael, it uses Diffie-Hellman for key
>exchange (that will become RSA soon, since the RSA patent has now
>expired, at the time it did not make sense to license B-Safe given
>that the patent was going to expire soon), it uses MD5 for message
>digest. Why in the world should I use some algorithm that as far as I
>can tell is snake oil? ("as far as I can tell" meaning, as far as I
>know, no reputable cryptanalysts have examined the source code and
>algorithm and attempted to find breaks in it.) And why would I *PAY*
>for the privilege, when Rijndael and RSA and MD5 are *free*? What, you
>think I'm a moron?
>
Why in the world would anyone fully trust AES encryption when it
is the result of a government contest. It most likely is very easy
for the NSA to break it or it would be allowed for top secret encryption.
If you really want to be secure and if you don't trust certain products
you can use several in series. Also though most so called snake oil
products are weak since they can be easily broken. Many are most likely
extremely strong but carry the snake oil label so that the NSA can
trick people into not using them.
Take scott16u.zip for example: Wagner had labeled it snake oil and
claimed his slide attack could break it. Of course when push came to
shove he was full of shit. But the snake oil label stayed. I even had a
cash contest of such a form that the AES codes could not do. Still no
one was able to solve any of the problems.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: Matthew Montchalin <[EMAIL PROTECTED]>
Subject: Re: Knots, knots, and more knots
Date: Fri, 26 Jan 2001 11:32:31 -0800
On Thu, 25 Jan 2001, Matthew Montchalin wrote:
||Except we have to describe how those bits got there, from the previous
||state. Thus, the punchcard, and what it dictates, is very important.
||
|||Also, I'd argue that 10100111 is more complex than either of them.
|
|But the length of the rope has not changed, and by feeding the same
|length into this permutation machine, over and over again, you will
|eventually reach a repeated state. The number of iterations, N,
|defines the true efficiency of the encryption machine.
A 2-dimensional rope behaves differently than a 3-dimensional rope;
it either has kinks or it doesn't. Thus, feeding a finite length
of 2-dimensional rope into a permutation machine will either kink
it to a theoretical maximum, or unkink it. The number of times, N,
that it is fed into the machine before returning to an initial
state, is the true efficiency of the machine. The bigger the
number, the more efficient the machine.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Decode Algorythim
Date: Fri, 26 Jan 2001 11:30:31 -0800
I also assume this is homework for some class.
> Message^13(Mod C)=Encrypted
> C bind the key
> Only problem is that I have lost my notes as to what the decryption
> algorithm is, any ideas??
13d = 1 mod phi(C)
Message = Encrypted^d mod C
It's called RSA.
Joe
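The two lines above carried through as an added example (not code from the poster), using constructed toy primes and the post's public exponent 13; it also performs the check the derivation quietly assumes, that 13 must be coprime to phi(C) for d to exist.

```python
import math

E = 13  # public exponent from the post: Message**13 (mod C) = Encrypted


def rsa_private_exponent(e, phi):
    """Solve e*d = 1 (mod phi); raise if gcd(e, phi) != 1, when no d exists."""
    if math.gcd(e, phi) != 1:
        raise ValueError(f"e={e} shares a factor with phi(C)={phi}; no inverse")
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def make_toy_keypair(p, q, e=E):
    """Return (C, d) for primes p and q, where C = p*q is the post's C."""
    c = p * q
    phi = (p - 1) * (q - 1)  # phi(C) for C a product of two distinct primes
    return c, rsa_private_exponent(e, phi)


def encrypt(message, c, e=E):
    """Encrypted = Message**e mod C; the message is an integer below C."""
    if not 0 <= message < c:
        raise ValueError("message must satisfy 0 <= message < C")
    return pow(message, e, c)


def decrypt(encrypted, c, d):
    """Message = Encrypted**d mod C."""
    return pow(encrypted, d, c)


if __name__ == "__main__":
    # Constructed toy primes; real keys use primes hundreds of digits long.
    c, d = make_toy_keypair(47, 71)
    ct = encrypt(42, c)
    print(f"C={c} d={d} encrypt(42)={ct} decrypt={decrypt(ct, c, d)}")
    # 61 * 53 fails: phi = 60 * 52 = 3120 is divisible by 13, so e = 13 has
    # no inverse and these primes cannot be used with this exponent.
    try:
        make_toy_keypair(61, 53)
    except ValueError as err:
        print("rejected:", err)
```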
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Steak Stream Cipher
Date: Fri, 26 Jan 2001 11:34:40 -0800
<[EMAIL PROTECTED]> wrote in message
news:94rm7d$eaa$[EMAIL PROTECTED]...
> For immediate reference: Permute does not "do" anything. It is a
> predefined process which is implemented by pre-calculation and the
> result has already been merged into the "Steak_Data" table.
This tells me why the code and algorithm didn't appear to match: the code is
at least semi-optimized. While optimized code is very useful, I too would
like to see a very strictly done mathematically expressed specification,
with accompanying unoptimized code. We can all supply large quantities of
examples if you need us to (I'd suggest the AES finalist specifications,
and the cryptonessie specifications).
Joe
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Mr Szopa's encryption (was Why Microsoft's Product Activation Stinks)
Date: Fri, 26 Jan 2001 11:21:40 -0800
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
"Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> There are certain agreed upon criteria upon which an encryption
> scheme is to be attacked. Yours is completely different from this
> and obviously unacceptable. This criteria is well known and is not
> arbitrary. It is a logical set of criteria based upon real world
> circumstance and situation.
Actually you are right, there are specific criteria upon which to attack a
cipher. That criteria is amazingly simple, it is simply "Anything you can
attack." Attempts to indicate that a person is cheating at attacking a
cipher are surely stupid; in this case it's something like Japan claiming
the US cheated during WWII by using atomic weapons. It works, therefore it
justifies itself (although much like the use of atomic weaponry the decision
is still much debated).
> The answer of why your suggestion doesn't weaken the encryption is
Umm, not quite. The statement that you have intimate knowledge of the entire
state of a deterministic machine, dictates that you can compute the output,
in this case it also means you can compute the input.
[snip Szopa's continuing stupidity]
Joe
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Fri, 26 Jan 2001 11:39:58 -0800
Richard Heathfield wrote:
>
> Lord Running Clam wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > On Fri, 26 Jan 2001, Richard Heathfield <[EMAIL PROTECTED]> wrote:
> > >Anthony Stephen Szopa wrote:
> > >>
> > >> Pointless program where to stop software piracy could increase
> > >> revenues by tens of billions of dollars each year? Pointless?
> > >
> > >Pretty much, yes. It's like trying to protect Pythagoras' Theorem.
> > >Counter-productive.
> >
> > Excuse me, but is this little piece from alt.security.pgp relevant to your
> > flamewar?
> >
> > http://www.deja.com/[ST_rn=ps]/getdoc.xp?AN=720256016&fmt=text
>
> Yes, indeed. I think it sums up one of the points nicely. If Microsoft
> want copy protection to actually work, they need to do it in hardware.
> That way, the cost of making a copy is likely to exceed the cost of
> buying one in the shops. Of course, I'm not convinced that anyone's
> going to buy any Microsoft hardware more complicated than a mouse, but
> that's for each user (or IT dept) to decide, of course.
>
> As for the flamewar, well, I'm not terribly interested in prolonging it.
> But 'twas mildly diverting while it lasted. :-)
>
> --
> Richard Heathfield
> "Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
> C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
> K&R answers, C books, etc: http://users.powernet.co.uk/eton
You have proved you do not understand what MS is doing.
Essentially MS is relying on hardware and software.
They are ferreting out any and all data from your computer either
from software, firmware, or hardware that will uniquely identify
it.
You don't have to buy or be sold any new hardware or software or
firmware.
But if you do and significantly change your computer's configuration,
which might also change the unique identification of your computer,
then you would need a new password according to MS's anti-piracy
"innovation" and mine as well, since MS's anti-piracy "innovation" is
at least partly based upon my anti-piracy invention.
Take that, you!
------------------------------
From: Benjamin <[EMAIL PROTECTED]>
Subject: Encryption Program
Date: Fri, 26 Jan 2001 19:37:41 GMT
Reply-To: [EMAIL PROTECTED]
Hello,
My name is Benjamin and currently our company is looking for a
command line based encryption program that we can automate. I
understand that certain tools exist under various *nix operating
systems. Unfortunately, under the circumstances that we are in we are
only able to use this program in a Windows based environment. Does such a
tool exist in the Windows environment? If so, where might I find this
program? I have done various searches on the internet and on security
sites and have had no such luck. Any information that may be passed
along is greatly appreciated. Again, many thanks in advance!
Benjamin Branch
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: What do you do with broken crypto hardware?
Date: 26 Jan 2001 19:52:50 GMT
In <[EMAIL PROTECTED]> Paul Rubin <[EMAIL PROTECTED]> writes:
]"Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
]> There should be a "zeroize" button or else removing the power
]> should ensure zeroization. The policy document should come
]> with the hardware, and the local crypto control officer should
]> be trained in the proper procedures.
]The keys in the modules I'm using are internally stored in flash memory,
]so removing power won't erase them. Erasure is a powered operation that
]involves writing zeros to the flash, like erasing sectors on a disk.
]There's a button on the module that erases the keys, but of course
]it's only known to do that if the module is working, and the question
]was about what to do when the module is broken. If the module is
]broken, the zeroize button might not work.
]So what then?
Pull the flash ROMs and destroy them. They are not expensive.
]Btw, the module is FIPS 140-1 certified but didn't come with any
]policy documents of that type. I suppose I should ask the vendor
]how its other customers deal with this question.
You should have done your homework earlier. I would suggest getting a
different vendor. This one does not have your security at the top of his
mind.
------------------------------
From: Thomas Propst <[EMAIL PROTECTED]>
Subject: Q: File Extension .$#! - Which Encryption Program?!?
Date: Fri, 26 Jan 2001 20:54:22 +0100
Reply-To: [EMAIL PROTECTED]
sorry to bother you, but does anybody know?
regards, tom.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************