Cryptography-Digest Digest #673, Volume #13      Sun, 11 Feb 01 03:13:01 EST

Contents:
  Re: Password authentication with symmetric key exchange (Thomas Wu)
  Re: CipherText patent still pending ("Douglas A. Gwyn")
  Re: Mono cipher, genetic algorithm .. appropriate "Crossover?" ("Douglas A. Gwyn")
  Re: The Kingdom of God ("Douglas A. Gwyn")
  Re: NPC ("rosi")
  Re: RSA is not secure in many instances... ("Douglas A. Gwyn")
  Re: NPC ("rosi")
  Re: Some basic questions ("Douglas A. Gwyn")
  Re: Can anyone decrypt this ? ("Michael Brown")
  Re: Purenoise defeats Man In The Middle attack? ("Michael Brown")
  Re: Purenoise defeats Man In The Middle attack? ("Douglas A. Gwyn")
  Re: RSA is not secure in many instances... (David Wagner)
  Re: RSA is not secure in many instances... ("Douglas A. Gwyn")
  Re: Can anyone decrypt this ? (Richard Heathfield)
  Re: Purenoise defeats Man In The Middle attack? (Paul Crowley)

----------------------------------------------------------------------------

From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: Password authentication with symmetric key exchange
Date: 10 Feb 2001 20:49:38 -0800

[EMAIL PROTECTED] writes:

> This is not a too original password authentication scheme. I would
> however appreciate comments of any kind.
> 
> Purpose:
> Prevent copy-and-paste attacks on the authentication protocol, where
> the attacker eavesdrops the authentication part of a session, and
> manages to log in later by resending the information.

Perhaps you'd get a better response if you could say how this protocol
is an improvement over the existing standard strong password authentication
protocols like SRP, SPEKE, or PAK, in any way, such as security or
performance.  From glancing at your brief description, it appears to
use a "public system key", so it doesn't offer any performance
advantage over the status quo, and it appears to be breakable by an
eavesdropper with a dictionary.

Tom

> Design notes:
> The client might choose to abort after step 1 or 3, and if the server
> allows it, thereby login at a lower security level.
> 
> Prerequisites:
> Alice (server) has Bob's (the client's) username and password. A public
> system key for Steak.
> 
> Variables:
>   Salt<i>:    64-bit integer
>   H<j>:       256-bit integer
>   PK<k>:      256-bit integer
>   CPK<k>:     256-bit integer
> 
> Functions:
>   Steak       Steak encryption
>   SteakDecrypt        Steak decryption
>   Zero(n):    n bits of zeroes.
>   Concat(s,t):        concatenation of bit strings s and t.
> 
> Legend
>    := assignment
>    ,  statement separator
>    The result of a function is trashed if it is not assigned to a
>    variable.
> 
> Output:
>    Key:       256-bit integer
>    Success:   True/False
> 
> Protocol:
> 1.   Bob to Alice:    Bob's username
> 2.0a Alice:           Salt1 := random
> 2.   Alice to Bob:    Salt1
> 3.0b Bob:             Salt2 := random
> 3.1b Bob:             PK1 := random
> 3.2b Bob:             Initialize Steak, Steak(Salt1), Steak(Salt2),
>                         Steak(Bob's password)
> 3.3b Bob:             H1 := Steak(Zero(256)), CPK1 := Steak(PK1)
> 3.   Bob to Alice:    Salt2, H1, CPK1
> 3.0a Alice:           Initialize Steak, Steak(Salt1), Steak(Salt2),
>                           Steak(Bob's password)
> 3.1a Alice:           if not (Steak(Zero(256)) = H1) then
>                           exit with Success := False.
> 3.2a Alice:           PK1 := SteakDecrypt(CPK1)
> 4.0a Alice:           Salt3 := random
> 4.   Alice to Bob:    Salt3
> 5.0b Bob:             Salt4 := random
> 5.1b Bob:             PK2 := random
> 5.2b Bob:             Initialize Steak, Steak(Salt3), Steak(Salt4),
>                           Steak(Concat(Bob's username,PK2))
> 5.3b Bob:             H2 := Steak(Zero(256)), CPK2 := Steak(PK2)
> 5.   Bob to Alice:    Salt4, H2, CPK2
> 5.0a Alice:           Initialize Steak, Steak(Salt3), Steak(Salt4),
>                           Steak(Concat(Bob's username,PK2))
> 5.1a Alice:           if not (Steak(Zero(256)) = H2) then
>                           exit with Success := False.
> 5.2a Alice:           PK2 := SteakDecrypt(CPK2)
> 6.0  Both:            Key := PK2, Success := True
> 
> 
> Sent via Deja.com
> http://www.deja.com/

-- 
Tom Wu                        * finger -l [EMAIL PROTECTED] for PGP key *
 E-mail: [EMAIL PROTECTED]       "Those who would give up their freedoms in
  Phone: (650) 723-1565              exchange for security deserve neither."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/
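
The following is an added example, not code from the original post or from the protocol's author: a Python model of steps 1-3 of the quoted protocol. "Steak" is never defined in the post, so `ToySteak` is an assumed sponge-like keyed state that stands in for it; `keyed_steak`, `bob_step3`, `alice_step3`, `transcript_confirms_guess` and `run_demo` are names chosen here. The last function is the reviewer's check behind the "eavesdropper with a dictionary" remark: the transcript alone suffices to confirm or reject a password guess, which is exactly the property SRP, SPEKE and PAK are designed to deny.

```python
import hashlib
import os

ZERO = bytes(32)  # Zero(256) in the post's notation


class ToySteak:
    """Hypothetical stand-in for 'Steak' (the post never defines it): each call
    absorbs its input into a 256-bit state and returns the input XORed with
    keystream derived from the state as it was before absorption."""

    def __init__(self):
        self.state = hashlib.sha256(b"toy-steak-initial-state").digest()

    def _keystream(self):
        return hashlib.sha256(b"ks" + self.state).digest()

    def __call__(self, x):  # Steak(x)
        out = bytes(a ^ b for a, b in zip(x, self._keystream()))
        self.state = hashlib.sha256(self.state + x).digest()
        return out

    def decrypt(self, c):  # SteakDecrypt(c): same keystream, absorb plaintext
        x = bytes(a ^ b for a, b in zip(c, self._keystream()))
        self.state = hashlib.sha256(self.state + x).digest()
        return x


def keyed_steak(*inputs):
    """'Initialize Steak, Steak(a), Steak(b), ...' with the outputs trashed."""
    s = ToySteak()
    for x in inputs:
        s(x)
    return s


def bob_step3(password, salt1):
    """Steps 3.0b-3.3b: returns the message (Salt2, H1, CPK1) and Bob's PK1."""
    salt2, pk1 = os.urandom(8), os.urandom(32)
    s = keyed_steak(salt1, salt2, password)
    return (salt2, s(ZERO), s(pk1)), pk1


def alice_step3(password_on_file, salt1, msg):
    """Steps 3.0a-3.2a: returns PK1, or None for Success := False."""
    salt2, h1, cpk1 = msg
    s = keyed_steak(salt1, salt2, password_on_file)
    return s.decrypt(cpk1) if s(ZERO) == h1 else None  # H1 checked first


def transcript_confirms_guess(salt1, msg, candidate):
    """Reviewer's check behind the 'eavesdropper with a dictionary' remark: all
    inputs to H1 except the password travel in the clear, so the transcript
    alone lets an observer test a guess offline (SRP/SPEKE/PAK deny this)."""
    salt2, h1, _ = msg
    return keyed_steak(salt1, salt2, candidate)(ZERO) == h1


def run_demo(password=b"correct horse"):
    salt1 = os.urandom(8)                         # step 2.0a
    msg, pk1_bob = bob_step3(password, salt1)     # step 3
    return {"pk1_agreed": alice_step3(password, salt1, msg) == pk1_bob,
            "wrong_password_rejected": alice_step3(b"other", salt1, msg) is None,
            "guess_confirmed": [transcript_confirms_guess(salt1, msg, g)
                                for g in (b"hunter2", password)]}
```

`run_demo()` returns `pk1_agreed` and `wrong_password_rejected` both true (the protocol works as written), and `guess_confirmed == [False, True]`, showing that the transcript itself answers whether a candidate password is right.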

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: CipherText patent still pending
Date: Sun, 11 Feb 2001 00:07:05 -0500

Mok-Kong Shen wrote:
> Analysis used to play a fairly strong role in classical
> crypto literatures. I personally find this deficit in
> modern textbooks to be deplorable.

Most of the modern textbooks (as opposed to lay introductions)
cover so-called "linear cryptanalysis" and "differential
cryptanalysis", as well as "meet-in-the-middle" attacks,
how to crack the knapsack system, and various simple attacks
against public-key based protocols.  The sad fact is that
there has been little public progress in effective
cryptanalysis of most modern ciphers, especially general
attacks suitable for survey textbooks.

> ... My personal opinion about analysis is that,
> while it is a necessary foundation, it is, due to
> limited total time available, uneconomical to spend
> all time for the subject to that, trying to attack a
> very large number of the older ciphers. For it is the
> essence/principle of the attacks that is to be captured
> and not the number of successful attacks that is
> important.

Unfortunately, it is nearly *impossible* to learn some
of the most important cryptanalytic principles without
investing hard work into trying to crack actual systems.
Like many important insights, you have to experience
satori before you adequately understand; merely being
told the principles won't resonate properly.  I suggest
working your way up to and through the Zendian problem
before worrying about more, newer cryptanalytic
technology.  It has a lot to teach via practical
experience.

> Sorry, I might have simply gravely overlooked. I don't
> remember to have seen a (really) new method of attack of
> any (respectable) cipher or an (essential) improvement of
> old ones in posts in our group.

From time to time I've mentioned applicable technology.
Unfortunately I have to watch what I say about it, and
be sure that I can point to public sources for the
information.

For example, hidden Markov models.  Have you tried using
that technology in any cryptanalysis yet?

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Mono cipher, genetic algorithm .. appropriate "Crossover?"
Date: Sun, 11 Feb 2001 00:14:23 -0500

No matter what the details of the genetic-algorithm implementation,
100-character cryptograms are unlikely to be solved unless you use
a large linguistic database.  I suspect digram scoring won't suffice.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: alt.security,comp.security,alt.2600
Subject: Re: The Kingdom of God
Date: Sun, 11 Feb 2001 00:15:14 -0500

Tom St Denis wrote:
>   "drumstik" <[EMAIL PROTECTED]> wrote:
> > Smile!  There is no god.
> And if there was would it matter anyways?

Yeah, he sure wouldn't waste His time in this thread.

------------------------------

From: "rosi" <[EMAIL PROTECTED]>
Subject: Re: NPC
Date: Sun, 11 Feb 2001 01:04:04 -0500

Scott Fluhrer wrote in message <962ltq$lc0$[EMAIL PROTECTED]>...
>
>rosi <[EMAIL PROTECTED]> wrote in message
>news:962jrv$cie$[EMAIL PROTECTED]...
>> Scott Fluhrer wrote in message <95vvfp$q25$[EMAIL PROTECTED]>...
>> >
>> >Benjamin Goldberg <[EMAIL PROTECTED]> wrote in message
>> >news:[EMAIL PROTECTED]...
>> >> Peter Shugalev wrote:
>> >Actually, it is possible that P!=NP, and yet NP complete problems could be
>> >solved in subexponential/superpolynomial time.  This would imply that all
>> >NP problems could be solved in subexponential time.
>> >
>>
>>     Does it seem harder or easier to prove 'P!=NP' vs 'NP problems are
>> at most subexponential in complexity'? Just curious.
>
>Well, one simple proof that NP problems are subexponential would be to
>demonstrate a subexponential algorithm for an NP complete problem (any one
>will do).  The only slight problem with this proof technique is finding such
>an algorithm, but I will leave that as an exercise for the reader...

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    I agree and will do the same.

>
>I don't know if we even have an idea what a proof of P!=NP would even look
>like, so it would *seem* harder to prove...

    I was curious and meant to direct the question to all. Thanks for the
opinion which counts as one.

    And truly appreciate the discussion.

    --- (My Signature)

>
>--
>poncho
>
>
>



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: RSA is not secure in many instances...
Date: Sun, 11 Feb 2001 00:22:16 -0500

You guys lost me.  So what is the status of:
> If c has a small cycle, then m can easily be recovered.
How likely is it?

------------------------------

From: "rosi" <[EMAIL PROTECTED]>
Subject: Re: NPC
Date: Sun, 11 Feb 2001 01:09:38 -0500

Benjamin Goldberg wrote in part in message
<[EMAIL PROTECTED]>...
>rosi wrote:
>>
>> Benjamin Goldberg wrote:
>> >Peter Shugalev wrote:
>> >>
>> >
>> >The knapsack problem is NP complete, but the most of the PKE systems
>> >which use it are broken due to lattice attacks (their method of
>>              ^^^^^
>>
>>     I do not think we are conclusive that 'it' is an NPc problem used.
>
>The knapsack problem is NPC.  Most PKE systems which try to use the
>knapsack problem are flawed, due to the existence of practical attacks.
>

    Right. knapsack _IS_ NPc. I, in the least, know not if MH is. Then it
comes back to the same question: what is meant by 'based on'. If it (MH
I mean) is not NPc in the first place (even if 'based on'), then being
'flawed' must be more precisely defined before I know what to say to.


>
>> >transforming a hard problem into a PKE system is flawed).  The only
>> >knapsack-like system which isn't broken by lattice attack is NTRU.
>>
>>     I seem to understand that NTRU tried to stay away from the word
>> 'knapsack'. Just a quite incomplete observation.
>
>This is for publicity reasons -- anything with the word knapsack in it
>will have prejudice against it from the outset, because of how many
>earlier knapsack systems were broken.  I believe that NTRU does use the
>knapsack problem, but unlike earlier knapsack systems, the size of
>lattice required to break it would be infeasibly large.
>

    I said, "a quite incomplete observation". Again, knapsack and
knapsack-like may be different. And a rose by any other name would smell
just as sweet. Let me have it a bit light. You do not mean that people
seeking truth, like mathematicians, smell like car-dealers nowadays? :)
Personally, I do not mind if some do either. :)

    Is it the size (of lattice)? I would just like to be reassured. Thanks.

>> >I don't know of any other NPC problems which are used as ciphers.
>> >Maybe someone else does?
>>
>>     Again, I am a bit choosy here. I doubt if we are that keen on
>> another as of now. One NPc is, based on the current state of the art,
>> quite good enough.
>> (Can be wrong, but c stands for complete)
>
>True enough, but practically no one uses NTRU, afaik.  Thus, we still
>might want a PKE based on a *different* NPC problem -- something other
>than knapsack.
>

    Warm feelings or not is a different story, IMHO. If my sense is right,
you are not talking about a particular realization.

    I am not 100% sure. Sony or some have licensed NTRU. (Please correct
me if I am wrong here, and thanks).

    Here again, we are back at square one. 'based on' (as I understand it)
is just not good enough. If you mean knapsack is ok, but when you implement
one, it falls (and almost immediately --- my addition), I very strongly
doubt. There is no proof in that direction. More formally, the majority of
the complete classes (in favor of the plural) are mutually poly-reducible,
and that is why 'one is quite good enough'. Is there another more convenient
for implementation or for comprehension? Quite possible. No one should give
up the search and I salute Peter and you for the efforts.

>Keep in mind that which crypto system is used depends on people getting
>[or not getting] a warm-and-fuzzy-feeling.  No one feels WAFFy about
>knapsack problems.
>

    This is very beautiful. It is largely true (for reasons obvious). If
people get conclusions from brains instead of feelings, we would not be in
such a 'mess', would we? More than often, I do from feelings and who am
I to blame? If 'empiricism' is out of the picture, we would be in a bigger
mess, I suppose. But that does not imply the conclusions we draw are any
wiser. What is a secure system is possibly not accepted as quickly and
what is accepted may not be secure (no intention to go in the direction of
defining security). What is accepted stands a larger chance (statistically,
and there are ... and ... and statistics) of being secure and what is secure
will eventually be accepted. But such an attitude may just be regarded as
arrogance of academia, and that is understandable. Anyway, if we are
to be on the same page, we have to be sure if we are dealing with it under
the light of pragmatism.

    Thanks a million.

    --- (My Signature)

>--
>A solution in hand is worth two in the book.



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Some basic questions
Date: Sun, 11 Feb 2001 00:25:36 -0500

Paul Crowley wrote:
> I saw a book called "Cryptography Decrypted" in my local bookshop
> recently that seems to be aimed at this market.  From a quick glance
> it seemed reasonably accurate.

It would probably do okay for the very beginner.  It does explain
a lot about the application of public-key technology, slanted
toward e-commerce.  There are several errors of detail and
oversimplifications, but nothing that is likely to mislead the
reader too much.

------------------------------

From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: Can anyone decrypt this ?
Date: Sun, 11 Feb 2001 18:35:14 +1300

>
>
> --
> Regards
> Eric
>
>
>
Unfortunately, you don't make many friends around here posting attachments...

Michael



------------------------------

From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: Purenoise defeats Man In The Middle attack?
Date: Sun, 11 Feb 2001 18:39:26 +1300

"John Savard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Sat, 10 Feb 2001 13:26:28 -0500, Rich W. <[EMAIL PROTECTED]>
> wrote, in part:
>
> > "Patent Pending secure key exchange protocol that defeats the 'Man In
> >The Middle Attack.'"
Hehe. I can just see the patent application. "Improved method of key
distribution" going on to detail swapping of keys via courier.

However, hasn't it been proved that without prior information known only to
the two people, MITM attacks are impossible to defeat?

>
> That's entirely possible, if the two parties have a secret shared in
> advance. Although, from the sound of it, I don't feel encouraged about
> the site you are quoting from.
>
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm

Michael



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Purenoise defeats Man In The Middle attack?
Date: Sun, 11 Feb 2001 00:54:00 -0500

Michael Brown wrote:
> However, hasn't it been proved that without prior information known
> only to the two people, MITM attacks are impossible to defeat?

With a public-key protocol, it is possible, assuming a reliable
certification process has been established.  The MITM cannot forge
private-key encrypted messages from either Alice or Bob if their
public keys are correctly known to each other.

Now, Alice might have *always* been talking to the MITM, whose
key was certified by Alice, instead of to Bob.  But in that case
the certificate did not identify the MITM as Bob but rather as
the actual MITM.

If there is not a reliable certification process then an MITM
attack can succeed, assuming that the MITM can *always* intervene
when Alice and Bob communicate.  (Otherwise they could simply
exchange a new nonce every message, and include the previous
nonce for verification of continuity.  When the MITM misses a
message, he cannot provide the correct nonce in the next message.)
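
The nonce-continuity idea in the last paragraph, as an added example that is not code from the post: `Party`, `honest_exchange`, `late_interloper_rejected` and `relaying_interloper_undetected` are names chosen here, and the `echo` field is this example's reading of "include the previous nonce", namely that each message echoes the peer's most recent nonce. The last function demonstrates the caveat stated above: an interloper present from the very first message is not caught by this check.

```python
import os


class Party:
    """One endpoint of the nonce-chained exchange sketched in the post: every
    message carries a fresh nonce and echoes the last nonce received from the
    peer, so a message echoing the wrong nonce breaks continuity."""

    def __init__(self, name):
        self.name = name
        self.last_sent = None      # our latest nonce; the peer must echo it
        self.last_received = None  # the peer's latest nonce; we echo it

    def send(self, payload):
        self.last_sent = os.urandom(16)
        return {"from": self.name, "nonce": self.last_sent,
                "echo": self.last_received, "payload": payload}

    def receive(self, msg):
        """Returns the payload, or None when continuity is broken."""
        if msg["echo"] != self.last_sent:
            return None
        self.last_received = msg["nonce"]
        return msg["payload"]


def honest_exchange(rounds=3):
    alice, bob = Party("Alice"), Party("Bob")
    for i in range(rounds):
        if bob.receive(alice.send(f"a{i}")) is None:
            return False
        if alice.receive(bob.send(f"b{i}")) is None:
            return False
    return True


def late_interloper_rejected():
    """Gwyn's point: whoever missed a message cannot supply the nonce the
    next message must echo, so Bob rejects the injected message."""
    alice, bob = Party("Alice"), Party("Bob")
    bob.receive(alice.send("hello"))        # these two messages were not
    alice.receive(bob.send("hi"))           # seen by the interloper
    injected = Party("Alice").send("late")  # knows neither nonce
    return bob.receive(injected) is None


def relaying_interloper_undetected():
    """The stated caveat: an interloper present from the first message runs
    two independent chains (Alice<->fake Bob, fake Alice<->Bob) unnoticed."""
    alice, bob = Party("Alice"), Party("Bob")
    fake_bob, fake_alice = Party("Bob"), Party("Alice")
    for i in range(3):
        p = fake_bob.receive(alice.send(f"a{i}"))
        if p is None or bob.receive(fake_alice.send(p)) is None:
            return False
        p = fake_alice.receive(bob.send(f"b{i}"))
        if p is None or alice.receive(fake_bob.send(p)) is None:
            return False
    return True
```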

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: RSA is not secure in many instances...
Date: 11 Feb 2001 06:32:08 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Douglas A. Gwyn wrote:
>> If c has a small cycle, then m can easily be recovered.
>How likely is it?

Very unlikely.  See Section 9 of <http://eprint.iacr.org/2001/007/>.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: RSA is not secure in many instances...
Date: Sun, 11 Feb 2001 01:58:47 -0500

David Wagner wrote:
> ... See Section 9 of <http://eprint.iacr.org/2001/007/>.

Thanks for the reference.  I note that in another paper in
the IACR collection during the past year, a decimation attack
against a certain class of stream ciphers was described,
which so far as I know is the first public appearance of this
technique.  That is perhaps relevant to another current thread
concerning lack of descriptions of C/A methods.

------------------------------

Date: Sun, 11 Feb 2001 07:10:57 +0000
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: Can anyone decrypt this ?

Eric wrote:
> 

[Subject line reads "Can anyone decrypt this ?"]

> --
> Regards
> Eric
> 
>                                           Name: Win 2000 Accerelated Exam Notes.doc
>    Win 2000 Accerelated Exam Notes.doc    Type: Microsoft Word Document 
>(application/msword)
>                                       Encoding: x-uuencode


Yes. It says

    "Microsoft Word Document" and "Encoding: x-uuencode".

Tough one.

Has it occurred to you to read the FAQs?

And don't post binary attachments to text newsgroups please.

-- 
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
K&R answers, C books, etc: http://users.powernet.co.uk/eton

------------------------------

Subject: Re: Purenoise defeats Man In The Middle attack?
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Sun, 11 Feb 2001 07:42:26 GMT

Rich W. <[EMAIL PROTECTED]> writes:
>  "Uses 128 rounds of a ridiculously strong 3072 bit paranoid 
> encryption that far exceeds even military standards!"
>  "Patent Pending secure key exchange protocol that defeats the 'Man In 
> The Middle Attack.'"
>  "Every single part of PureNoise is proprietary and is made of 
> standard algorithms and protocols improved to leave eavesdroppers 
> absolutely without a chance!"

The smell of snake oil is enough to hurt the nostrils!  Run, don't
walk, away from this product.
-- 
  __
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
