Cryptography-Digest Digest #641, Volume #13 Tue, 6 Feb 01 12:13:00 EST
Contents:
Re: efficient coin flipping (Richard Heathfield)
Re: lypanov ? (Anh Vu Tran)
Re: Different cipher type (Benjamin Goldberg)
One way function for Passwords. ("Moritz Voss")
Finite field/polynomial mathematics ("Brendan Lynskey")
Re: [RSA] Hype, hoax, or ? (James Wolfe)
Re: OverWrite freeware completely removes unwanted files from hard drive ("John A.Malley")
Re: Rijndael's resistance to known plaintext attack ([EMAIL PROTECTED])
Re: OverWrite freeware completely removes unwanted files from hard drive ("Tor Rustad")
Re: One way function for Passwords. (Ichinin)
Callback security (Steve Amor)
Re: Questions about Diffie-Hellman (Eric Lee Green)
Re: Scramdisk, CDR and Win-NT (Michael Robbins)
Re: On combining permutations and substitutions in encryption (David Wagner)
Nobody is on nobody's side.... no contract truly signed ...no lover ever faithful ... (Markku J. Saarelainen)
Re: DH question (DJohn37050)
Re: OverWrite freeware completely removes unwanted files from hard drive (Daniel)
Re: Phillipine math guy claims to have fast RSA Factoring... (DJohn37050)
Actually I monitored activities of this NSA's P1363 Group for many years ..... actually was just around 5 % of my interest in this specific fields .... I have always liked non-random random number ...I like to use ever changing environment for randomness (Markku J. Saarelainen)
Re: Mod function (Nemo psj)
----------------------------------------------------------------------------
Date: Tue, 06 Feb 2001 14:25:00 +0000
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: efficient coin flipping
Mok-Kong Shen wrote:
>
> [EMAIL PROTECTED] wrote:
> >
> > The population at large agrees that flipping a coin is a good way to
> > make a random binary decision. But it's slow.
> >
> > A faster method is to drop lots of coins, line them up horizontally, and
> > read them left to right. The only reason to do such a thing is if you
> > need to say "I made 2000 coin flips and ...".
>
> A faster way is to cast dice. Cast a bunch of dice at once
> and convert the base 6 digits obtained. One can get packages
> of plastic dice very cheap in toy shops.
Recently, a shopkeeper was given (just?) cause to doubt my sanity,
because I bought 13 packets of 5 dice (65 dice altogether) in one
transaction. I had pretty much this kind of thing in mind.
> The imperfection
> present cancels out in some sense due to the fact that
> many dice are used and taken in some random order and
> that a base conversion takes place, I suppose. (It also
> seems unlikely that bias is intentionally made for such
> products.) I use dice to determine my password.
Thanks to the 1970s/80s phenomenon of "Dungeons and Dragons", you should
find it relatively easy to obtain 8-sided dice, which would give you
three bits per throw (either subtract 1 from each roll, or re-mark 8 as
0). In the UK, try "Games Workshop" (if it's still solvent, which I
believe it is). Elsewhere, I don't know.
I still have a 30-sided die which I purchased in those halcyon days. If
only it were 32-sided! :-)
--
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html
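The base conversion Mok-Kong Shen describes and the "8-sided die gives three bits" observation above both come down to one rule: read a group of rolls as a base-N number and only keep it when it falls below a power of two, otherwise every bit string is not equally likely. This is an added illustration in Python (my code, not from either poster); the roll sequences are constructed, and the function generalises to any die size and any group size.

```python
"""Turning dice rolls into unbiased bits by base conversion and rejection.
Added example, not code from the digest. Rolls are 1..sides as read off the die."""
from collections import Counter
from itertools import product


def dice_to_bits(rolls, sides, group=1):
    """Combine `group` consecutive rolls into one base-`sides` number and emit the
    largest number of bits that can be taken without bias. Values at or above
    2**nbits are rejected, so each emitted bit string is equally likely.
    A d8 (sides=8) gives 3 bits per roll with no rejection; a pair of d6 gives
    5 bits and rejects 4 of the 36 outcomes; a d30 gives 4 bits and rejects 14 of 30.
    Taking (value mod 2**nbits) instead would make small outputs more likely."""
    nbits = (sides ** group).bit_length() - 1        # floor(log2(sides**group))
    bits = []
    for i in range(0, len(rolls) - group + 1, group):
        value = 0
        for r in rolls[i:i + group]:
            if not 1 <= r <= sides:
                raise ValueError(f"roll {r} is not valid for a d{sides}")
            value = value * sides + (r - 1)          # rolls are 1-based
        if value < (1 << nbits):                      # accept, otherwise reject and move on
            bits.append(format(value, f"0{nbits}b"))
    return "".join(bits)


def is_unbiased(sides, group=1):
    """Exhaustive check: every accepted bit string must arise from exactly one
    roll sequence, which is what makes the output uniform."""
    counts = Counter()
    for combo in product(range(1, sides + 1), repeat=group):
        out = dice_to_bits(list(combo), sides, group)
        if out:
            counts[out] += 1
    return len(counts) > 0 and set(counts.values()) == {1}


if __name__ == "__main__":
    # Constructed roll sequences, not real throws.
    print(dice_to_bits([3, 8, 1], 8))                # three d8 throws, 9 bits
    print(dice_to_bits([1, 1, 6, 6, 6, 2], 6, 2))    # three d6 pairs; (6,6) is rejected
    print(is_unbiased(6, 2), is_unbiased(30))
```

The cost of rejection is the price of an exact power of two: the 30-sided die wastes nearly half its throws, which is exactly why a 32-sided one would have been welcome.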
------------------------------
From: Anh Vu Tran <[EMAIL PROTECTED]>
Subject: Re: lypanov ?
Date: Tue, 06 Feb 2001 14:13:29 +0100
Well I was confusing the two following things :
- the Lyapunov fractals
- the Bacon code.
Bacon code is used like this:
A = aaaaa I/J = abaaa R = baaaa
B = aaaab K = abaab S = baaab
C = aaaba L = ababa T = baaba
D = aaabb M = ababb U/V = baabb
E = aabaa N = abbaa W = babaa
F = aabab O = abbab X = babab
G = aabba P = abbba Y = babba
H = aabbb Q = abbbb Z = babbb
Now my problem is solved.
John Savard wrote :
>
> On Mon, 05 Feb 2001 10:45:22 +0100, Anh Vu Tran
> <[EMAIL PROTECTED]> wrote, in part:
>
> >I would like informations about lypanov, i don't know anything about it.
> >It is said to decrypt cyphers containing a and b like that:
>
> >abbab aaabb baabb....
>
> >Am I right ?
>
> Lyapunov?
>
> http://spanky.triumf.ca/www/fractint/lyapunov_type.html
>
> has something about patterns of a's and b's being used to produce
> designs called Lyapunov fractals.
>
> http://wilson.simplenet.com/chaos/lyapunov/
>
> has a bit more about it.
>
> So I don't think it will really help in cracking a Baconian cipher...
>
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm
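The table above is the 24-letter Baconian alphabet (I/J and U/V share a code). As an added example, not code from the post, here is an encoder and decoder built directly from that table; the index of each letter in the 24-letter alphabet, written in five binary digits with 0 as "a" and 1 as "b", reproduces the codes listed.

```python
"""Baconian cipher from the 24-letter table in the post. Added example, not the
poster's code. J is folded onto I and V onto U exactly as the table does."""

ALPHABET = "ABCDEFGHIKLMNOPQRSTUWXYZ"     # 24 letters, J and V omitted

# Letter index in 5-bit binary, 0 -> 'a', 1 -> 'b', gives the table in the post.
TO_BACON = {ch: format(i, "05b").translate(str.maketrans("01", "ab"))
            for i, ch in enumerate(ALPHABET)}
FROM_BACON = {code: ch for ch, code in TO_BACON.items()}


def bacon_encode(text):
    """Encode letters only; digits, spaces and punctuation are dropped."""
    groups = []
    for ch in text.upper():
        ch = {"J": "I", "V": "U"}.get(ch, ch)
        if ch in TO_BACON:
            groups.append(TO_BACON[ch])
    return " ".join(groups)


def bacon_decode(text):
    """Decode any stream of a/b characters, ignoring everything else. Since the
    table has 24 entries, the eight 5-letter groups not in it are rejected."""
    stream = "".join(c for c in text.lower() if c in "ab")
    if len(stream) % 5:
        raise ValueError("Baconian text length must be a multiple of 5")
    letters = []
    for i in range(0, len(stream), 5):
        code = stream[i:i + 5]
        if code not in FROM_BACON:
            raise ValueError(f"{code!r} is not a code in the 24-letter table")
        letters.append(FROM_BACON[code])
    return "".join(letters)


if __name__ == "__main__":
    # The sample from the quoted question, "abbab aaabb baabb", decodes to ODU.
    print(bacon_decode("abbab aaabb baabb"))
    print(bacon_encode("Hello World"))
```

Because the decoder ignores everything except "a" and "b", it also reads the historical form of the cipher, where the two symbols are carried by two typefaces in an innocent-looking cover text and transcribed to a/b before decoding.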
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Different cipher type
Date: Tue, 06 Feb 2001 13:23:20 GMT
It's not favored simply because you don't know that there aren't weak
keys. Some keys are secure, some aren't.
Also, there is the possibility of timing attacks, if the different
operations take different amounts of time.
--
A solution in hand is worth two in the book.
Who cares about birds and bushes?
------------------------------
From: "Moritz Voss" <[EMAIL PROTECTED]>
Subject: One way function for Passwords.
Date: Tue, 6 Feb 2001 14:32:16 +0100
Hello...
I don't know much about encryption and number theory. This is why I ask in
the first place, please bear with an utter newbie.
In LotusNotes 4.6, there was a Password function that took a string (password)
of almost any length (minimum 5 characters AFAIK) and turned it into another
string.
So, for example the string
"short password"
became something like (random character, just supposed to look like the
real thing)
{h4hj46gg23vbm52upue64lj-54bjbwe24lb5jm45jlgs-24g4h5h3jko7}
A co-developer told me that it was not possible to reverse engineer /any/
suitable password from that new string.
Now, how does that work? Or was the guy just not well-informed enough and
there is a way to crack these passwords?
I'm planning on writing a program which allows remote logins, and I need to
store the passwords in a secure manner; this is how I was going to do it -
store the result strings.... the user will transmit his/her password through
an ssh login; and the program will check whether the passwords result string
matches the original string
I was also looking into Agner Fog's Ranrot random number generators, he
claims if the seeds and parameters are unknown, you cannot easily reverse
engineer the seed from the number you have...essentially, when I interpret
my password as binary data, I could just plug it into such a function and
have a reasonably safe number sequence.
Or? I have no clue about number theory (yet)...
Thanks for any 'comments',
Moritz Voss.
------------------------------
From: "Brendan Lynskey" <[EMAIL PROTECTED]>
Subject: Finite field/polynomial mathematics
Date: Tue, 6 Feb 2001 13:59:46 -0000
Sorry for posting such a basic request, but does anyone out there know of a
well-made tutorial that covers the above types of mathematics?
- Thanks
------------------------------
From: James Wolfe <[EMAIL PROTECTED]>
Subject: Re: [RSA] Hype, hoax, or ?
Date: Tue, 06 Feb 2001 09:16:53 -0500
Here is the text of a letter from Ron to a user that wrote him about it. It was
posted on Slashdot:
Thanks for checking with me.
A fellow by the name of Leo de Velez from the Philippines had
thought he had broken RSA, and a reporter colleague wrote up
this story and published it. This is probably what you have heard
about.
Mr. Velez also wrote to me with his ideas. Unfortunately for him,
his approach is actually much *slower* than the naive approach to
factoring by trial division by 2, 3, 4, .... His approach doesn't
improve on any known techniques, and doesn't constitute a
"break" of RSA at all.
If you write to Mr. Velez (leo at teammail dot com) he will
confirm...
Thanks again for checking...
Feel free to quote me...
Cheers,
Ron Rivest
Padgett 0sirius wrote:
> http://www.mb.com.ph/INFO/2001-02/IT020201.asp
> or is this old news ?
>
> A. Padgett Peterson, P.E. CISSP: Cybernetic Psychophysicist
> http://www.freivald.org/~padgett/index.html
> to avoid antispam use mailto:[EMAIL PROTECTED] PGP 6.5 Public Key Available
------------------------------
From: "John A.Malley" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Tue, 06 Feb 2001 07:15:43 -0800
Anthony Stephen Szopa wrote:
>
> Joseph Ashwood wrote:
[...]
>
> "...those patterns can be stripped away..."
>
> How? With cleanser and lots of elbow grease. What are you talking
> about here? What utter BS.
>
> I suppose we have your good word on this.
>
Here's a good web site that answers questions like these - I found it
helpful. It explains the physics of erasing recordable media and the
physical signatures that may remain after erasing with fixed patterns,
just as cited by Mr. Ashwood:
http://www.cs.auckland.ac.nz/~pgut001/secure_del.html
It also provides references for further reading on the subject.
Hope this helps,
John A. Malley
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Rijndael's resistance to known plaintext attack
Date: Tue, 06 Feb 2001 15:14:56 GMT
In article <[EMAIL PROTECTED]>,
Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> SCOTT19U.ZIP_GUY wrote:
> >
> > [EMAIL PROTECTED] (Joseph Ashwood) wrote:
> > >
> > >"Marcin" <[EMAIL PROTECTED]> wrote:
> > >> Hello,
> > >> Can someone comment or refer me to the analysis on resistance of
> > >> Rijndael to known plaintext attacks?
> > >> Thanks,
> > >> Marcin Kurzawa
> > >
> > >As it stands now, with any even remotely reasonable amount of
> > >known-plaintext (anything less than the 2^100+ bits) reveals very
> > >little. I'd expect that for the foreseeable future, as long as you
> > >don't go above 2^90 bits of text there won't be any reasonable attack
> > >against Rijndael.
> > > Joe
> >
> > Actually with a few 100 bytes of text it's highly unlikely that
> > two separate keys could exist for a given plain text cipher text
> > pair. So in theory there most likely is a solution to the problem
> > with very short amounts of data. The only real questions are
> > if the solution is well known outside of possibly the NSA.
> > It may well be in our life times that no such solution will
> > be made available to the public. But from an informational point
> > of view there most likely is a break. If some one can find it.
>
> Moron. Joe was not talking about unicity distance. He was talking
> about things like linear or differential analysis, or other forms of
> analysis which require known/chosen plaintext.
>
> If you only have a few blocks (unicity distance) of known plaintext, the
> only attack you can mount is brute force. Only someone as mind
> bogglingly obtuse as yourself would consider doing brute force on a key
> of 128 or more bits.
>
No I would not suggest doing a blind brute force attack on such
a key. All I'm suggesting is that there may be a form of unknown
plaintext attack that requires far less plaintext than stated.
Attackers can be far more creative than you or the previous
writer give credit. I think you're the moron for failing to take
that into account.
Sent via Deja.com
http://www.deja.com/
------------------------------
From: "Tor Rustad" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Tue, 6 Feb 2001 16:41:26 +0100
"Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> Joseph Ashwood wrote:
>
> You are nuts.
???
> "...those patterns can be stripped away..."
>
> How? With cleanser and lots of elbow grease. What are you talking
> about here? What utter BS.
Next time you *try* to write such erase SW, as a *minimum* read DOD
5220.22-M first.
Of course you should *not* overwrite with *only* known patterns!
I am not up to date with the state-of-the-art in recovering data, nor are
*you*, that information is classified.
A well respected company in Norway, IBAS (www.ibas.com), does a pretty good
recovery job in many cases, but AFAIK they will have trouble with recovering
overwritten data. However, IBAS is *not* at military level on this, and
there might be better commercial companies around at this.
Your SW was snake oil anyway.
--
Tor <torust AT online DOT no>
------------------------------
From: Ichinin <[EMAIL PROTECTED]>
Subject: Re: One way function for Passwords.
Date: Tue, 06 Feb 2001 15:41:18 GMT
Hi.
One way hash functions (OWHF) create so called hashes = could be
explained as breaking a plate on the floor; you know it WAS a plate,
you know the result (the hash), and you won't sit there for 5-7 days
gluing together the pieces of the floor; it's too complicated and new
plates are cheap.
(By the way; OWHF generate way more pieces on the floor)
Yes, passwords that have been run through an OWHF are not
directly "breakable", but you can make guesses.
A Dictionary attack:
A dictionary attack is simply running a file with words into an OWHF and
comparing the output with the hash you wish to "break".
(Note: I use short 16 bit hash values because my Afternoon break is
almost over; normally you get 128-160 bit hashes out of MD5 and SHA-1)
You hash your password "SECRET" into 0xA7F9 and store or send it
somewhere.
I intercept your hashed key and launch the (offline) dictionary attack
with a computer.
The following is basically what the computer is doing:
The computer guesses that your password is "BEERMILKSHAKE", that hashes
into 0x8F72 = Wrong password.
(let's try next word)
The computer guesses that your password is "SCOTTYBEAMMEUP", that hashes
into 0x7F6A = Wrong password.
(let's try next word)
The computer guesses that your password is "SECRET", that hashes into 0xA7F9
and Tadaaa! It has successfully guessed your key.
Now what? - We add "Salt":
A Salt is a N bit random number that is concatenated to a plaintext
BEFORE hashing to make dictionary attacks such as the above harder,
i.e. you have to try the size of the Random Number times the number of
plaintexts in your dictionary file to be able to retrieve the original
password.
If I concatenate a 2^12 (4096 combinations) random number, you have to
make 4096 * words in your dictionary (assuming it contains the correct
password!) guesses to successfully retrieve the password.
As you may see, it is easier to retrieve a password with 4096
guesses than to guess a password with a dictionary file of ~34000
words * a 2^16 (65536) = You have to make 2228224000 guesses instead of
4096.
I hope this explains how an OWHF works and how you can use it.
You can read more in Applied Cryptography and Handbook of Applied
Cryptography. (check with Amazon.com)
Regards,
Ichinin
Sent via Deja.com
http://www.deja.com/
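Moritz Voss asked how to store the result strings for a remote-login program, and the reply above explains the one-way hash, the dictionary attack and the salt. The following is an added example of the storage and verification side, written by the editor and not taken from either post. It uses PBKDF2-HMAC-SHA256 (an iterated construction) in place of the plain MD5/SHA-1 the reply mentions, so that every guess also costs many hash computations; the salt comes from os.urandom. One caveat on the reply's arithmetic: in the usual storage design the salt sits in the clear beside the hash, so it does not multiply the work of attacking one record; its job is to stop one precomputed dictionary from being reused against every user, while the iteration count is what makes each guess expensive.

```python
"""Salted, iterated password storage for a login service.
Added example, not code from the posts. Record format: iterations$salt_hex$hash_hex."""
import hashlib
import hmac
import os

ITERATIONS = 100_000      # work factor per guess; raise it as hardware gets faster
SALT_BYTES = 16           # 128-bit salt, far beyond the 12- and 16-bit figures in the post


def hash_password(password, salt=None):
    """Return a storable record. The salt is random per user and stored in the
    clear: it need not be secret, only unique, so that two users with the same
    password get different records and a precomputed table is useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count, then compare in constant
    time so the comparison itself leaks nothing about how many bytes matched."""
    iterations, salt_hex, stored_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(stored_hex))


def guesses_needed(dictionary_words, salt_bits):
    """Worst case for the attack in the post when the attacker does not know the
    salt: every dictionary word combined with every salt value."""
    return dictionary_words * (1 << salt_bits)


if __name__ == "__main__":
    # Two users with the same password ("SECRET", a constructed example) get
    # different records; both still verify.
    rec1 = hash_password("SECRET")
    rec2 = hash_password("SECRET")
    print(rec1 != rec2, verify_password("SECRET", rec1), verify_password("secret", rec2))
    print(guesses_needed(34000, 16))     # the post's figure, 2228224000
```

The server only ever stores the record and never the password; at login it receives the password over the SSH session, recomputes the digest with the stored salt, and accepts if the constant-time comparison succeeds.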
------------------------------
From: Steve Amor <[EMAIL PROTECTED]>
Subject: Callback security
Date: Tue, 06 Feb 2001 15:49:10 +0000
Reply-To: [EMAIL PROTECTED]
Can anyone tell me the security problems with modems that use a simple
password and callback facility. I'm not interested in how secure the
password is, just the callback part of it.
Thanks.
------------------------------
From: [EMAIL PROTECTED] (Eric Lee Green)
Subject: Re: Questions about Diffie-Hellman
Reply-To: [EMAIL PROTECTED]
Date: 6 Feb 2001 08:18:55 -0600
On Tue, 06 Feb 2001 07:59:54 +0000, Julian Morrison
<[EMAIL PROTECTED]> wrote:
>btw, what size is the key you get out of this? or is that choosable? (I'm
>thinking of RC4-ing with the key, and RC4 has a very fixed
>initial-seed-size.
You probably need to pick up a good book somewhere.
Current research suggests that a 1024-bit key used in DH is secure for
the near future. If you want to be secure for the next 100 years or
so, you could use a 2048-bit key, but for normal use that's ridiculous
overkill. If you want to key up RC4 based upon the agreed-upon shared
key, I would suggest that you use a key derivation function of some
kind, such as feeding the resulting 1024-bit key through MD5. You may
even simply choose some bits out of the shared key as the RC4 key and
not bother with a key derivation function. From a mathematical
standpoint that may not be 100% kosher, but from a practical
standpoint, any collisions in the prime field caused by the fact that
you're not using a prime generator in the final calculation probably
would not be enough to give an attacker any real benefit given how
hard the 1024-bit discrete logarithm problem is in the first place.
(Somebody PLEASE correct me if I'm wrong on the math, I'm an engineer,
not a mathematician!).
>> Not sure what you are getting at here.
>
>a --keyA-->b
>
>b now knows the secret
>
>b --keyB, RC4[secret](message)-->a
>
>a needs keyB to know the secret so it can decrypt the message.
>Is that how it works?
That's how it works. However, you do not want to chat the public and
keys "in the clear" every time, because that makes you susceptible to
man-in-the-middle attacks. You probably want to use this as part of a
generalized communications protocol, where rekeys take place from time
to time (key agility) but where the key exchanges take place encrypted
with the old key (except for the initial key exchange, which must
either be "in the clear" or via an out-of-band mechanism such as
person b carrying person a's public key with him and leaving his
public key with person a when he leaves home). Such protocols
generally include a message digest for each packet that includes a)
the identifier of who's sending the message, b) the data, and c) a
message digest that is MD5(message+shared_key). Such protocols also
usually include sequence numbers and challenge values in packets in
order to prevent replay attacks. You really should look at something
like OpenSSL ( http://www.openssl.org ) rather than think about
re-inventing the wheel. I personally re-invented the wheel, but that
was because the project I did started before the RSA patent ran out,
and thus I could not legally use OpenSSL for commercial software
within the US at that time. But then, I have a sneaky mind that loves
thinking of threat models and such, I really wouldn't recommend it for
people who are sane (grin).
--
Eric Lee Green Linux Subversives
[EMAIL PROTECTED] http://www.badtux.org
====== Posted via Newsfeeds.Com, Uncensored Usenet News ======
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
======= Over 80,000 Newsgroups = 16 Different Servers! ======
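The protocol sketch above has three parts: a Diffie-Hellman agreement, a key-derivation step instead of using raw shared-key bits, and per-packet records carrying a sender id, a sequence number and a keyed digest so that tampering and replays are rejected. This is an added example of those three parts, written by the editor and not the poster's code. The group (p = 23, g = 5) is the textbook toy and the ids and data are constructed; a real deployment uses a standardised group of 1024 bits or more, as the post says. SHA-256 is used as the derivation hash and HMAC-SHA256 as the packet digest in place of the MD5(message+shared_key) the post describes. The example does not protect the exchange of the public values themselves, so the post's warning about man-in-the-middle attacks on an in-the-clear first exchange still applies.

```python
"""Diffie-Hellman agreement, key derivation, and replay-resistant authenticated
packets. Added example with a toy group; not production cryptography."""
import hashlib
import hmac
import secrets
import struct

P, G = 23, 5                            # toy group: 5 generates the multiplicative group mod 23
SECRET_LEN = (P.bit_length() + 7) // 8  # fixed-width encoding of the shared secret


def dh_keypair(private=None):
    """Pick a private exponent and publish g^private mod p."""
    if private is None:
        private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def dh_shared_secret(private, peer_public):
    return pow(peer_public, private, P)


def derive_key(shared_secret, label=b"packet-mac"):
    """Key derivation: hash the encoded shared secret with a label rather than
    using its raw bits; different labels give independent keys from one agreement."""
    return hashlib.sha256(label + shared_secret.to_bytes(SECRET_LEN, "big")).digest()


HEADER = struct.Struct(">4sQ")          # 4-byte sender id, 64-bit sequence number
TAG_LEN = 32                            # HMAC-SHA256 output


def make_packet(key, sender_id, seq, data):
    """sender || seq || data || HMAC(key, sender || seq || data)."""
    header = HEADER.pack(sender_id.encode("ascii"), seq)
    tag = hmac.new(key, header + data, hashlib.sha256).digest()
    return header + data + tag


class Receiver:
    """Checks the tag first, then the sender and a strictly increasing sequence
    number, so a captured packet cannot be replayed and a forged one is dropped."""

    def __init__(self, key, expected_sender):
        self.key = key
        self.expected = expected_sender
        self.last_seq = -1

    def accept(self, packet):
        """Return the data if the packet is genuine and fresh, else None."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        header = packet[:HEADER.size]
        body = packet[HEADER.size:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected_tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return None                 # forged, tampered, or wrong key
        sender, seq = HEADER.unpack(header)
        if sender.rstrip(b"\x00").decode("ascii") != self.expected:
            return None                 # authentic key holder, but not the peer we expect
        if seq <= self.last_seq:
            return None                 # replayed or reordered packet
        self.last_seq = seq
        return body


if __name__ == "__main__":
    a_priv, a_pub = dh_keypair(6)       # textbook values: publics 8 and 19, secret 2
    b_priv, b_pub = dh_keypair(15)
    key = derive_key(dh_shared_secret(a_priv, b_pub))
    assert key == derive_key(dh_shared_secret(b_priv, a_pub))
    rx = Receiver(key, "a")
    pkt = make_packet(key, "a", 1, b"hello")
    print(rx.accept(pkt), rx.accept(pkt))    # b'hello' then None: the replay is refused
```

The sequence number does the work that the post assigns to sequence numbers and challenge values: the receiver keeps only the highest number seen, and anything at or below it is discarded even though its digest is valid. Rekeying with a fresh agreement would reset that counter along with the key.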
------------------------------
From: Michael Robbins <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk
Subject: Re: Scramdisk, CDR and Win-NT
Date: Tue, 06 Feb 2001 16:08:52 GMT
> Do you mean 'create an image of <=650Mb on a hard drive, mount it and
> fill it full of data then write it to a CD and have RO access', if so
> then just buy a copy of Scramdisk for NT and this will work fine.
Thank you.
I just bought it--I'm waiting for the password. So you're saying I can
access the CDR as if it were not encrypted without writing it back to
the hard drive? Are there any tricks I should be aware of? Any
specific vulnerabilities I should be immediately concerned with?
--
Michael Robbins, CFA
Director, Debt Capital Markets
Canadian Imperial Bank of Commerce, World Markets
New York
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: On combining permutations and substitutions in encryption
Date: 6 Feb 2001 16:31:28 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)
Benjamin Goldberg wrote:
>Or, to put it another way, suppose you have AES with a 192 bit key.
>Write the relationship between the key bits, the plaintext bits, and the
>ciphertext bits as a 3SAT problem. Does this conversion take polynomial
>in terms of 192, or superpolynomial in terms of 192?
Polynomial in 192.
(Strictly speaking, this language is meaningless; it only makes
sense to speak of polynomial in an asymptotic sense. Still, I think
that the answer "polynomial in 192" gets at what you were asking in
the most efficient possible way, even if it is mathematically gibberish.)
------------------------------
From: Markku J. Saarelainen <[EMAIL PROTECTED]>
Crossposted-To: alt.security,comp.security,alt.2600
Subject: Nobody is on nobody's side.... no contract truly signed ...no lover ever faithful ...
Date: Tue, 06 Feb 2001 16:30:49 GMT
And when he gives me reasons
To justify each move
They're getting harder to believe
I know this can't continue
I've still a lot to prove
Everybody's playin' the game
but nobody's rules are the same
Never make a promise or plan
Take a little love where you can
Never stay too long in your bed
Never lose your heart, use your head
http://www.calpoly.edu/~bmarx/chess/br_lyrics.html#10
http://www.broadwaymidi.com/MIDI/Chess-NobodysSide1.mid
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 06 Feb 2001 16:46:28 GMT
Subject: Re: DH question
Yes, if using a cyclic generator, then the abelian requirement is met, and this
is the typical way to do it. But the normal way of stating the REQUIREMENT for
DH is to say, start with an abelian group. Then the math works.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (Daniel)
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Tue, 06 Feb 2001 16:52:50 GMT
On Tue, 06 Feb 2001 02:33:28 -0800, Anthony Stephen Szopa
<[EMAIL PROTECTED]> wrote:
>Daniel wrote:
>> Let us not forget what it would cost to have a HardDisk scanned up to
>> 11 layers deep. Usually, those HD which contained "critical
>> information" but are no longer used are destroyed (mechanical + heat).
>> That's the only assuring way :)
>>
>> best regards,
>>
>> Daniel
>
>
>What are you talking about: "11 layers deep".
>
>Don't be ridiculous.
I'm sorry, but why do you give me such a rude answer?
for more info on the subject, check NISPOM - DoD5220.22-M
Software claiming to live up to this standard can be found on :
http://www.pt.lu/comnet/desc/shredder.html
best regards,
Daniel
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 06 Feb 2001 16:59:50 GMT
Subject: Re: Phillipine math guy claims to have fast RSA Factoring...
Ron Rivest was gentle with him. hear hear
Don Johnson
------------------------------
From: Markku J. Saarelainen <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,soc.culture.nordic,soc.culture.russian
Subject: Actually I monitored activities of this NSA's P1363 Group for many years ..... actually was just around 5 % of my interest in this specific fields .... I have always liked non-random random number ...I like to use ever changing environment for randomness
Date: Tue, 06 Feb 2001 16:54:44 GMT
Daniel Bleichenbacher, a member of Bell Labs' Information Sciences
Research Center, recently discovered a significant flaw in the random
number generation technique used with the widely implemented Digital
Signature Algorithm (DSA).
Bleichenbacher first presented his findings on November 15, 2000, at a
meeting of the IEEE P1363 working group. The conference, on standard
specifications for public-key cryptography, was hosted by the National
Security Agency at its headquarters in Fort Meade, Md.
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (Nemo psj)
Date: 06 Feb 2001 17:02:55 GMT
Subject: Re: Mod function
in VB mod is already built in
Buf = 500 Mod 255
that will mod 500 to 255
nice ha? I can give a a hand made one if you need it e-mail me.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************