Cryptography-Digest Digest #573, Volume #13      Sun, 28 Jan 01 02:13:00 EST

Contents:
  Re: RC6 Base Attack (Tom St Denis)
  Re: Generating RSA Keys (Tom St Denis)
  Re: Generating RSA Keys (Splaat23)
  Re: RC6 Base Attack (Splaat23)
  Re: 32768-bit cryptography (Splaat23)
  Re: Paranoia ("Scott Fluhrer")
  Re: MIKE - alternative to SPEKE and PAK (Thomas Wu)
  Re: MIKE - alternative to SPEKE and PAK ("Michael Scott")
  Re: Windows encryption: API and file system ("infinito.it")
  Re: Why Microsoft's Product Activation Stinks (Matthew Montchalin)
  Re: Why Microsoft's Product Activation Stinks (Matthew Montchalin)
  Re: Why Microsoft's Product Activation Stinks (wtshaw)
  Re: Windows encryption: API and file system (wtshaw)

----------------------------------------------------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: RC6 Base Attack
Date: Sat, 27 Jan 2001 23:03:51 GMT

In article <94vdou$chp$[EMAIL PROTECTED]>,
  Splaat23 <[EMAIL PROTECTED]> wrote:
> I was just thinking: In the RC6 docs, they mention a meet-in-the-middle
> attack requiring 2^704 online operations. Since (according to _AC) we
> can't even get a counter through 2^220, why is this attack even
> mentioned. It just doesn't seem it could ever become feasible given the
> limits of thermodynamics.

It's to point out that while 1400-bit keys are possible in RC6 they don't
provide the security you would think.

Tom


Sent via Deja.com
http://www.deja.com/

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Generating RSA Keys
Date: Sat, 27 Jan 2001 23:04:48 GMT

In article <cOHc6.760$[EMAIL PROTECTED]>,
  "Adam Smith" <[EMAIL PROTECTED]> wrote:
> Hello!  This is sort of an extension from my quest for RSA implementation in
> VB, but on a different note than my last message.  I got an excellent big
> number package for VB, and have implemented a signature scheme pretty well,
> or at least it works with the small numbers that I have.
>
> I need to know how to generate LARGE (512+ bit) RSA keypairs.  I know the
> algorithm, but not really sure how I can compute D without brute forcing
> it...anyone know where I can get this stuff?

Um, use the extended GCD algorithm to find the inverse.

Tom



------------------------------

From: Splaat23 <[EMAIL PROTECTED]>
Subject: Re: Generating RSA Keys
Date: Sat, 27 Jan 2001 23:06:32 GMT

Pretty simple. Implement the Extended Euclidean GCD Algorithm (GCD -
Greatest Common Denominator), and compute the gcd(e, j(n)). J(n) = (p -
1) * (q - 1). Since ed = 1 mod j(n), and the egcd returns x, y, z such
that x*e + y*j(n) = z, the x that the gcd returns is your d as long as
z == 1 (e and j(n) are relatively prime).

- Andrew

In article <cOHc6.760$[EMAIL PROTECTED]>,
  "Adam Smith" <[EMAIL PROTECTED]> wrote:
> Hello!  This is sort of an extension from my quest for RSA
> implementation in VB, but on a different note than my last message.
> I got an excellent big number package for VB, and have implemented a
> signature scheme pretty well, or at least it works with the small
> numbers that I have.
>
> I need to know how to generate LARGE (512+ bit) RSA keypairs.  I know
> the algorithm, but not really sure how I can compute D without brute
> forcing it...anyone know where I can get this stuff?
>
> Thanks!
> Adam Smith
>


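
The procedure Tom and Andrew describe, written out as an added example
(this is not Adam's VB code, nor code from either reply). It assumes the
same pieces the posts name: phi(n) = (p-1)(q-1), e coprime to phi(n),
extended Euclid to get d, plus the parts the question left open, namely
prime generation (Miller-Rabin over a CSPRNG, here Python's `secrets`
module) and a textbook RSA signature over a SHA-256 digest with no padding,
which is fine for checking the arithmetic but is not how a deployed
signature scheme should be built. One detail the reply glosses over:
the x that extended Euclid returns can be negative, so reduce it mod phi(n)
before using it as d. The function and constant names below are my own.

```python
import hashlib
import secrets


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        old_t, t = t, old_t - quot * t
    return old_r, old_s, old_t


def modinv(e, phi):
    """d = e^-1 mod phi. The x from egcd may be negative, so reduce it mod phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime; choose another e or other primes")
    return x % phi


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases, after screening out small factors."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True


def gen_prime(bits):
    """Random odd candidate with the top two bits set, so p*q has exactly the intended size."""
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def keypair_from_primes(p, q, e):
    """((e, n), (d, n)) from chosen primes, or None if e is unusable with them."""
    if p == q:
        return None
    phi = (p - 1) * (q - 1)                       # the j(n) of the post
    if egcd(e, phi)[0] != 1:
        return None
    return (e, p * q), (modinv(e, phi), p * q)


def rsa_keygen(bits=512, e=65537):
    """Keep drawing primes until e works with them (rare failures with e = 65537)."""
    while True:
        keys = keypair_from_primes(gen_prime(bits // 2), gen_prime(bits - bits // 2), e)
        if keys:
            return keys


def sign(priv, message):
    """Textbook RSA over a SHA-256 digest: s = H(m)^d mod n. Demo only: no padding."""
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(pub, message, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


if __name__ == "__main__":
    pub, priv = rsa_keygen(512)
    msg = b"constructed test message"            # constructed sample input
    print(pub[1].bit_length(), verify(pub, msg, sign(priv, msg)))
```

With the small textbook primes p = 61, q = 53, e = 17 the routine gives
d = 2753, which is the value extended Euclid yields only after the
negative coefficient -367 is reduced mod 3120.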

------------------------------

From: Splaat23 <[EMAIL PROTECTED]>
Subject: Re: RC6 Base Attack
Date: Sat, 27 Jan 2001 23:08:17 GMT

I see. Makes sense - they probably should have noted that it was not a
feasible attack, but then again they were writing with a TON of implied
knowledge that I guess includes the feasibility of different work and
storage factors.

- Andrew

In article <94vk4k$hlt$[EMAIL PROTECTED]>,
  Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <94vdou$chp$[EMAIL PROTECTED]>,
>   Splaat23 <[EMAIL PROTECTED]> wrote:
> > I was just thinking: In the RC6 docs, they mention a
> > meet-in-the-middle attack requiring 2^704 online operations. Since
> > (according to _AC) we can't even get a counter through 2^220, why is
> > this attack even mentioned. It just doesn't seem it could ever become
> > feasible given the limits of thermodynamics.
>
> It's to point out that while 1400-bit keys are possible in RC6 they
> don't provide the security you would think.
>
> Tom
>
> Sent via Deja.com
> http://www.deja.com/
>



------------------------------

From: Splaat23 <[EMAIL PROTECTED]>
Subject: Re: 32768-bit cryptography
Date: Sat, 27 Jan 2001 23:15:48 GMT

Lesson I've learned in life: The more stubborn you are, the less
intelligence you have and less I should listen to you. A
realistic "Yeah, oops, it was just my uninformed opinion. Just wanted
to show the fallacy of thinking things are constant." would have
sufficed here. But no, you just had to make a smartass remark and stand
firm.

*
The NSA and the government are NOT GODS!
*

When you realize that, maybe we can realize that they ARE confined to
the same 4 dimensions (maybe 11, still, that's OT). Yes, they are sure
to have advances over civilian research, because they have more money,
but those advances are likely nowhere near as large as paranoid people
think.

- Andrew

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> [EMAIL PROTECTED] (Paul Schlyter) wrote in <94vbcu$5v7$[EMAIL PROTECTED]>:
>
> >In article <[EMAIL PROTECTED]>,
> >SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
> >
> >>    Actually DES was easily crackable with custom circuits back in
> >> the early 70's at a rate much shorter than a day so where have you
> >> been.
> >
> >How much shorter than a day?  An hour?  A minute?  Let's assume
> >10 minutes....
> >
> >>    Also it appears if anything Moore's law may be a conservative
> >> estimate and that computing power is increasing much faster so you
> >> may be alive when such a dumb blind search is possible in the
> >> nonblack world.
> >
> >OK, then let's make a conservative estimate and use Moore's law:
> >
> >You claim DES was crackable by a brute-force key search in approx.
> >10 minutes back around 1970, i.e. some 372 months ago.
> >
> >Computing power doubles every 18 months if we're conservative and
> >use Moore's law instead of some other law which predicts a faster
> >rise in computing power.  Thus in 372 months, computing power has
> >increased by AT LEAST approx. 1.6 million -- probably much more,
> >according to your claim.
> >
> >Which implies that today, DES is crackable by brute force in
> >approx. 10_min/1.6_million = 0.4 milliseconds --- or less !!!!!
> >
> >Now, tell me where I can find the hardware which can crack DES
> >by a brute-force key search in just 0.4 milliseconds ....
> >
> >.... or admit that you were wrong!
> >
>
>   Talk to the folks at Fort Meade, I think they can help
> you if you have a valid need. But don't hold your breath,
> they will most likely consider your need not valid.
>
> David A. Scott
> --
> SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
>       http://www.jim.com/jamesd/Kong/scott19u.zip
> Scott famous encryption website **now all allowed**
>       http://members.xoom.com/ecil/index.htm
> Scott LATEST UPDATED source for scott*u.zip
>       http://radiusnet.net/crypto/  then look for
>   sub directory scott after pressing CRYPTO
> Scott famous Compression Page
>       http://members.xoom.com/ecil/compress.htm
> **NOTE EMAIL address is for SPAMERS***
> I leave you with this final thought from President Bill Clinton:
>



------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Paranoia
Date: Sat, 27 Jan 2001 17:21:50 -0800


JCA <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Simon Jenkins wrote:
>
> > I have just read Steven Levy's book 'Crypto' and was again struck by the
> > description of the meeting between Whitfield Diffie and James Ellis.
> > Ellis' parting comment has him saying to Diffie, "You did more with it
> > than we did."
> >
> > As an Englishman, this is an interesting phrase - it implies that GCHQ
> > don't bother with RSA any more. If they were still using it, Ellis would
> > have said, "You've done more with it than we have."
> >
>
>     Not having read the book I am somewhat in the dark here - I thought
> that Whitfield Diffie had nothing whatsoever to do with RSA.

Maybe not, but I have a suspicion he *might* have had some sort of role with
the Diffie-Hellman operation, which is a public key operation that predates
RSA.  It's Simon Jenkins who said "RSA".

--
poncho




------------------------------

From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: MIKE - alternative to SPEKE and PAK
Date: 27 Jan 2001 18:08:38 -0800

"Michael Scott" <[EMAIL PROTECTED]> writes:

> Some months ago I mentioned an idea I had concerning a new algorithm for a
> low-entropy password-authenticated key-exchange, along the lines of SPEKE,
> PAK and SRP. Tom Wu was kind enough to make a few comments.
> 
> I have since written up the idea in more detail - it may be found at
> http://www.compapp.dcu.ie/CA_Working_Papers/wp00.html#1300

I'm not sure I understand the performance argument presented there.
Sure, MIKE will be faster than SPEKE and PAK if DH-2 (DH with a
160-bit subgroup) is mandated, but one would expect an implementation
to use DH-1 (DH with a safe-prime p) for those protocols.

> I have three questions
> 
> 1. Has it been thought of before?
> 2. Are there any security problems with it that I haven't seen?
> 3. Are there any patents that apply?
> 
> It is not my intention to patent it - but I shouldn't give away what isn't
> mine.
> 
> The method is rather like PAK. The main novel idea is the use of two
> independent group generators. Its main advantage is that it works well in
> any type of group (e.g. Elliptic Curves - unlike SRP), also it avoids the

That isn't really true - there is at least one published proposal for an
efficient way to do EC-SRP.

> sub-group membership problems that arise with SPEKE and PAK. In a common
> context it is maybe 5 times faster.

Could you elaborate on what these sub-group membership problems are?
My understanding was that using the parameters recommended for these
protocols (e.g. DH-1, safe prime p) would allow verifiable parameter
choices that were immune to subgroup confinement attacks.

> Mike Scott

Tom
-- 
Tom Wu                        * finger -l [EMAIL PROTECTED] for PGP key *
 E-mail: [EMAIL PROTECTED]       "Those who would give up their freedoms in
  Phone: (650) 723-1565              exchange for security deserve neither."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/

------------------------------

From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: MIKE - alternative to SPEKE and PAK
Date: Sun, 28 Jan 2001 02:37:16 GMT


"Thomas Wu" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Michael Scott" <[EMAIL PROTECTED]> writes:
>
> > Some months ago I mentioned an idea I had concerning a new algorithm
> > for a low-entropy password-authenticated key-exchange, along the lines
> > of SPEKE, PAK and SRP. Tom Wu was kind enough to make a few comments.
> >
> > I have since written up the idea in more detail - it may be found at
> > http://www.compapp.dcu.ie/CA_Working_Papers/wp00.html#1300

> > The method is rather like PAK. The main novel idea is the use of two
> > independent group generators. Its main advantage is that it works well
> > in any type of group (e.g. Elliptic Curves - unlike SRP), also it
> > avoids the
>
> That isn't really true - there is at least one published proposal for an
> efficient way to do EC-SRP.
>

Can you point me at it? A neat idea in SRP is to mix both + and * operators,
but you can't do this with EC.

> > sub-group membership problems that arise with SPEKE and PAK. In a common
> > context it is maybe 5 times faster.
>
> Could you elaborate on what these sub-group membership problems are?
> My understanding was that using the parameters recommended for these
> protocols (e.g. DH-1, safe prime p) would allow verifiable parameter
> choices that were immune to subgroup confinement attacks.
>

The problem of getting the secret S into the sub-group. For both SPEKE and
PAK this requires exponentiation by (p-1)/q, which is large for the DH-2
scenario, and PAK is only presented in the DH-2 scenario. The DH-2 setting
seems to have become more popular, as in the DSS for example, and is the
method supported by standards like P1363, so MIKE may be an easier way of
adding a low-entropy secret to an existing Diffie-Hellman implementation.

Anyway the more of such protocols that are available, the better, specially
non-patented ones.

It's really quite magical to me that in the classic cryptographic setting of
Alice and Bob trying to communicate in secret, it is possible to get strong
cryptography with an easily remembered mutual secret like a four-digit PIN
number.

Mike Scott

> > Mike Scott
>
> Tom
> --
> Tom Wu                        * finger -l [EMAIL PROTECTED] for PGP key *
>  E-mail: [EMAIL PROTECTED]       "Those who would give up their freedoms in
>   Phone: (650) 723-1565              exchange for security deserve neither."
>    http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/
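
An added illustration of the sub-group point Mike Scott and Tom Wu are
arguing over; it is not code from either of them, from SRP, or from the
MIKE paper. It takes a password-derived value, pushes it into the order-q
subgroup by raising it to the cofactor (p-1)/q, and checks membership with
x^q == 1 mod p, once in a DH-1 group (safe prime, cofactor 2) and once in a
DH-2 group (DSA-style p = kq + 1, large cofactor). The group parameters are
demo-sized (about 20 to 32 bits) and are generated with trial division and
a seeded PRNG purely so the run is reproducible; real deployments take
standardised or properly generated 1024+ bit parameters. The hash-then-
cofactor step is a simplified stand-in for how SPEKE-style protocols derive
a password-based generator, not the exact SPEKE or PAK construction, and
all function names here are my own.

```python
import hashlib
import random


def is_prime(n):
    """Trial division. Adequate only for the ~32-bit demo parameters below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def make_dh1_group(qbits, seed=2001):
    """DH-1 setting: safe prime p = 2q + 1, so the order-q subgroup has cofactor 2."""
    rng = random.Random(seed)          # seeded for a reproducible demo only
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


def make_dh2_group(qbits, kbits, seed=2001):
    """DH-2 (DSA-style) setting: p = k*q + 1 with q much smaller than p, cofactor k."""
    rng = random.Random(seed)          # seeded for a reproducible demo only
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_prime(q):
            continue
        for _ in range(1000):
            k = (rng.getrandbits(kbits) | (1 << (kbits - 1))) & ~1   # even, so p is odd
            if is_prime(k * q + 1):
                return k * q + 1, q


def in_subgroup(x, p, q):
    """Membership test for the order-q subgroup: 1 < x < p and x^q == 1 mod p."""
    return 1 < x < p and pow(x, q, p) == 1


def password_to_subgroup(password, p, q):
    """Hash the password, reduce mod p, raise to the cofactor (p-1)/q.
    Returns (element, cofactor); the cofactor's size is the exponent this step costs."""
    cofactor = (p - 1) // q
    counter = 0
    while True:
        digest = hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        h = int.from_bytes(digest, "big") % p
        g = pow(h, cofactor, p)
        if g > 1:                      # 0 or 1 would be a useless generator: rehash
            return g, cofactor
        counter += 1


def demo(password=b"1234"):
    """Constructed demo: the same four-digit PIN mapped into a DH-1 and a DH-2 group."""
    results = {}
    for name, (p, q) in (("DH-1", make_dh1_group(20)), ("DH-2", make_dh2_group(16, 16))):
        g, cofactor = password_to_subgroup(password, p, q)
        results[name] = {
            "p_bits": p.bit_length(),
            "cofactor_bits": cofactor.bit_length(),           # 2 for DH-1, ~p_bits-q_bits for DH-2
            "g_in_subgroup": in_subgroup(g, p, q),
            # p-1 has order 2: a small-subgroup element the membership check must reject
            "minus_one_in_subgroup": in_subgroup(p - 1, p, q),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The cofactor bit length is the point of contention: with a safe prime the
cofactor exponentiation is a single squaring, while in the DH-2 setting the
exponent is about as long as p minus q, so it costs nearly a full
exponentiation. Either way, the x^q == 1 check is what a peer runs on a
received value to refuse elements such as p-1 that would confine the shared
secret to a small subgroup.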



------------------------------

From: "infinito.it" <[EMAIL PROTECTED]>
Subject: Re: Windows encryption: API and file system
Date: Sun, 28 Jan 2001 04:49:19 -0800

"Ray Dillinger" <[EMAIL PROTECTED]> wrote in message
news:m%jc6.1952$[EMAIL PROTECTED]...

> I don't think Microsoft is in the security business at all. I think
> that they are in the business of providing the *illusion* of security

In fact, I remember an NSA* key in the symbols provided by Microsoft for
debug purposes that raised lots of questions and doubts...
They said it was an error..
Yes, it was. I agree with them: using that name and forgetting to rename /
remove it before deployment.

Furthermore, I never forget how hard Microsoft has worked to create
its monopoly, too.
And who is now running the USA... (that's incredible!)

I think that Microsoft is a sort of latest kind of outlaw, and this is
the reason it is so hard to send some of its managers to jail (for what they
have done and are still doing): it reminds me of the Italian situation..

I am going to use their OS for many reasons, but without trusting them
blindly.

Alberto Vassena






------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Sat, 27 Jan 2001 19:45:32 -0800

On Sat, 27 Jan 2001, Lord Running Clam wrote:
|  What the good people of sci.crypt and talk.politics.crypto have been
|  drilling into your dense head, the fact that missed your brain by a
|  couple of feet, is that such systems can not, and do not work. Go ask
|  the CIA or NSA. They will tell you that the security of any system
|  lies with the *people* you trust. The people who have access.

Exactly!  Exactly!  You are right on the money!


------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Sat, 27 Jan 2001 19:40:42 -0800

On Sat, 27 Jan 2001, Anthony Stephen Szopa wrote:
|I will ask you as I have done before to others, are you thinking 
|about attacking my encryption theory or are you desirous of 
|attacking my implementation of the theory?
|
|If you agree that my encryption theory is unassailable then we can
|discuss the source code.

An interesting proposition.  I actually posted my own source code
around June or so.  Do you think *my* source code is unassailable,
and any theory that can be extracted from it or described by it?

|But if you cannot successfully trash my encryption theory then admit 
|it or show us.
|
|The theory is explained thoroughly in the Help Files available at my 
|web site.

How about putting up a real BBS independent of the web?  I am curious
what your theory looks like, but I really hate using the web just to
go there.


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Sat, 27 Jan 2001 23:47:22 -0600

In article <[EMAIL PROTECTED]>, Anthony Stephen Szopa
<[EMAIL PROTECTED]> wrote:
> 
> MS is losing a bundle on its software being pirated.  You are just
> spamming when you ask who would want MSs software.  The answer is 
> just about everybody, especially if its free.

MS has made a bundle selling insufficient and badly designed products. 
Amount of payment may have little connection to quality.  Hype DOES seem
to work, AOL too.

But crap is still crap, and transparently shows the folly of being
dependent on it through its catastrophic and predictable failures.  So
many find themselves stupidly tethered, and suffer so much for the greed
of so few.  You too can buy deficient updates, sucker.

Swallowing the poor state of affairs only speaks for the irrational
tendency of so many to be sheep in a wolf's pen, blinded until harvested,
too late if it turns out to be mutton instead of wool.
-- 
Some people say what they think will impress you, but ultimately
do as they please.  If their past shows this, don't expect a change.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Windows encryption: API and file system
Date: Sun, 28 Jan 2001 00:03:33 -0600

In article <m%jc6.1952$[EMAIL PROTECTED]>, Ray Dillinger
<[EMAIL PROTECTED]> wrote:

> It's not merely sloppy engineering...  Think about it.  It would 
> have been just as easy to create the temporary file as an encrypted 
> file in the first place, then copy it back over the file being 
> encrypted, and *then* delete it.  
> 
> To call this "sloppy" is to believe that the engineer selected these 
> operations and then didn't think *at all* about what order to apply 
> them in.  Which, I guess, you may believe if you care to, but I don't 
> think anyone that flatout stupid can be an engineer in the first place.
> 
> I don't think Microsoft is in the security business at all.  I think 
> that they are in the business of providing the *illusion* of security 
> while still selling out ^H^H^H^H^H^H^H^H uh, "providing for the 
> legitimate needs of law enforcement and data theives".  Real security 
> scares the bejabbers out of them and they're fighting it every step 
> of the way.
> 
>                                 Bear

Writing temporary files or to swappable memory is *anti*security oriented,
especially since neither is necessary for encryption.  These wrong-headed
approaches were developed for early low-RAM computers, and infect those
who know no better or fear that we will learn easy solutions to bad
security.
-- 
Some people say what they think will impress you, but ultimately
do as they please.  If their past shows this, don't expect a change.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
