Cryptography-Digest Digest #675, Volume #13 Sun, 11 Feb 01 13:13:01 EST
Contents:
Steganography with ASCII text files (Mok-Kong Shen)
Re: Purenoise defeats Man In The Middle attack? (Paul Crowley)
Re: Steganography with ASCII text files ("news.free.fr")
Re: NPC ("Scott Fluhrer")
Arcfour in Ada, by me - is it good? (long) ("Julian Morrison")
Re: CipherText patent still pending ("Scott Fluhrer")
Re: Steganography with ASCII text files (JPeschel)
Re: Steganography with ASCII text files ("John A. Malley")
Re: Scramdisk, CDR and Win-NT (nemo outis)
Re: I encourage people to boycott and ban all Russian goods and services, if the
Russian Federation is banning Jehovah's Witnesses ....... (bleatgoat)
Re: I encourage people to boycott and ban all Russian goods and services, if the
Russian Federation is banning Jehovah's Witnesses ....... (bleatgoat)
Re: unpredictable random number generator ? ("Gilbert Brands")
Re: RSA is not secure in many instances... ("Gilbert Brands")
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Steganography with ASCII text files
Date: Sun, 11 Feb 2001 15:21:12 +0100
Modern steganography is commonly done on graphical files
through manipulation of pixel values. The operations done
are in my humble view not very convenient to implement and
require, above all, the availability of graphical files.
I think therefore that it may be valuable to investigate the
possibility of using the normally more easily available ASCII
text files (as cover) instead.
In order to elicit much better ideas from the readers, I am
taking the liberty to present some preliminary thoughts about
a fairly simple, in fact trivial, scheme for discussion.
We note that in a HTML file the texts are separated into
paragraphs, in general with the tags <P> and (optional) </P>.
The browser automatically breaks lines independent of how
the user types in his material for a given paragraph
(excepting that line-breaks can be forced with <BR>). In
other words, the layout of the text of a HTML file itself
can be essentially arbitrary without affecting the appearance
of the document as displayed by the web browser. This is a
well-known feature of convenience offered by HTML and is
appreciated by all who write web documents. We can now
exploit this freedom for our purpose by having any paragraph
of a chosen (cover) text appropriately written into the HTML
file in, say, n lines (n depends on the given paragraph but
may be varied within sufficiently wide limits, if the
paragraph is not too short). With a PRNG and an agreed-upon
seed (the 'key'), or an equivalent method of choice, we can
now determine a subset of them consisting of m lines and
arrange (through appropriate allocation of the words among
the lines) to have the words in these lines in such a way
that the number of words of each line modulo 2 (i.e. even/odd)
gives a bit (0/1) that belongs to the sequence (plaintext or
ciphertext) to be transmitted. (n may refer to the whole
document instead of the individual paragraphs, if one likes.)
We note that in general the sender will not send the HTML
file but publish his document at a site such that the
receiver can access and get a copy of the HTML file at
his convenience, thus rendering it easier for the latter
to keep his anonymity.
M. K. Shen
========================
http://home.t-online.de/home/mok-kong.shen
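A worked implementation of the line-parity scheme sketched above, added here as an example; it is not part of Mr. Shen's post. A PRNG seeded with the shared key stands in for the agreed-upon seed and picks the carrier lines of each paragraph, the words of the paragraph are reallocated so that each carrier line's word count mod 2 is one message bit, and the receiver recovers the bits from the word counts alone, since the browser ignores where the source lines break. The function names, the key string, the one-byte length header, the rule m = (n-1)/2, the three-words-per-line density and the four cover paragraphs are all my assumptions; the last line of every paragraph is deliberately never a carrier so that it can absorb leftover words and the visible text stays byte-for-byte the cover text.

```python
import random
import re

WORDS_PER_LINE = 3  # assumed layout density; the browser ignores the breaks


def _bits(data):
    """Big-endian bit list of a byte string."""
    return [(b >> (7 - k)) & 1 for b in data for k in range(8)]


def _bytes(bits):
    """Inverse of _bits; trailing bits that do not fill a byte are dropped."""
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def _carriers(key, para_index, n):
    """Indices of the m = (n-1)//2 lines that carry bits in a paragraph
    written as n lines. Sender and receiver derive them from the shared
    key and the paragraph number, so nothing about the choice is sent."""
    rng = random.Random("%s:%d" % (key, para_index))
    return sorted(rng.sample(range(n - 1), (n - 1) // 2))


def _layout(words, n, wanted):
    """Distribute words over n lines; line i gets a word count whose parity
    is wanted[i] when i is a carrier. Needs len(words) >= 2 * n."""
    lines, pos = [], 0
    for i in range(n - 1):
        left = len(words) - pos
        lines_after = n - 1 - i
        count = max(1, left // (lines_after + 1))
        if i in wanted and count % 2 != wanted[i]:
            count = count - 1 if count > 1 else count + 1
        if not 1 <= count <= left - 2 * lines_after:
            raise ValueError("paragraph too short for its bits")
        lines.append(" ".join(words[pos:pos + count]))
        pos += count
    lines.append(" ".join(words[pos:]))  # slack line: never a carrier
    return lines


def hide(cover_paragraphs, message, key):
    """Write the cover as HTML <P> blocks whose line breaks encode a
    one-byte length header followed by the message bytes."""
    bits, pos, html = _bits(bytes([len(message)]) + message), 0, []
    for p_idx, para in enumerate(cover_paragraphs):
        words = para.split()
        n = max(2, len(words) // WORDS_PER_LINE)
        wanted = {}
        for line in _carriers(key, p_idx, n):
            if pos < len(bits):
                wanted[line], pos = bits[pos], pos + 1
        html.append("<P>\n" + "\n".join(_layout(words, n, wanted)) + "\n</P>")
    if pos < len(bits):
        raise ValueError("cover text has too few carrier lines")
    return "\n".join(html)


def reveal(html, key):
    """Recover the message from the word-count parities of the carrier lines."""
    bits = []
    for p_idx, body in enumerate(re.findall(r"<P>\n(.*?)\n</P>", html, re.S)):
        lines = body.split("\n")
        for line in _carriers(key, p_idx, len(lines)):
            bits.append(len(lines[line].split()) % 2)
    length = _bytes(bits[:8])[0]
    return _bytes(bits[8:8 + 8 * length])


def rendered_words(html):
    """What the browser shows: tags and source line breaks have no effect."""
    return re.sub(r"</?P>", " ", html).split()


# Constructed cover text and constructed key (both made up for this example).
COVER = [
    "Nobody keeps an allotment for the vegetables alone. The plot is an excuse "
    "to be outdoors early on a weekend, to talk to neighbours over the fence, "
    "and to watch one small piece of ground change through the year. The first "
    "frost ends the season just as surely as it began it.",
    "Seed catalogues arrive in January, when the beds are bare and every promise "
    "seems plausible. Most people order far more than they can plant. The surplus "
    "packets end up in a biscuit tin, where they wait for a spring that is always "
    "going to be better organised than the last one.",
    "Watering is the chore nobody mentions. A dry week in July means an evening "
    "walk to the tap with two cans, then the same walk back, repeated until the "
    "rows stop wilting. By August the routine is automatic and the tomatoes, at "
    "last, are worth the trouble.",
    "The last job of the year is to clean the tools, oil the blades, and hang "
    "everything up in the shed, ready for a January that will bring a fresh "
    "catalogue, the same optimism, and the same biscuit tin.",
]
KEY = "example-shared-seed"

if __name__ == "__main__":
    page = hide(COVER, b"ok", KEY)
    print(page)
    print(reveal(page, KEY))
```

Capacity is the weak point: with m = (n-1)/2 and three words per line, the four paragraphs above carry 29 bits, so a two-byte message plus its length header just fits; the receiver's only inputs are the HTML file and the key.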
------------------------------
Subject: Re: Purenoise defeats Man In The Middle attack?
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Sun, 11 Feb 2001 14:40:07 GMT
"Michael Brown" <[EMAIL PROTECTED]> writes:
> However, hasn't it been proved that without prior information known only to
> the two people, MITM attacks are impossible to defeat?
It's easy to prove that with no authentication information to either
of the two people (a shared secret, public keys, a certifying
authority) a MITM attack is impossible to prevent. Supposing you
trust me, based on what you read here: how do you know I'm not a Bad
Guy copying my whole style off A N Other without Usenet access because I
thought they would be the sort of person you'd trust? That's a kind
of MITM attack.
What you *can* do is prevent MITM attacks being automated, using some
sort of interlock protocol. However, checking the interlock
conditions can't be automated either.
--
__
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
------------------------------
From: "news.free.fr" <[EMAIL PROTECTED]>
Subject: Re: Steganography with ASCII text files
Date: Sun, 11 Feb 2001 14:40:20 GMT
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in the message news:
[EMAIL PROTECTED]
>
> Modern steganography is commonly done on graphical files
> through manipulation of pixel values. The operations done
> are in my humble view not very convenient to implement and
> require, above all, the availability of graphical files.
A better choice is to take an audio file.
Open a mic, say "Hi Mike, how are you ..." and put the cleartext
in the .wav file.
With a good PRNG there is not much chance to attract notice ...
Nevertheless, coding HTML pages is a good idea.
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: NPC
Date: Sun, 11 Feb 2001 07:15:36 -0800
Peter Shugalev <[EMAIL PROTECTED]> wrote in message
news:9648lv$1rcl$[EMAIL PROTECTED]...
> > Peter Shugalev:
> > > I think someone tried to prove that either discrete log or
> > > factoring problem is NPC (not just NP). I'd like to see
> > > some results of these attempts.
> >
> > The attempts have, to put it bluntly, failed.
> >
> > Discrete log and factoring are poly-time reducible to
> > languages that are in the intersection of NP and CoNP. If
> > either is NP-Complete, then NP=CoNP.
> >
> > The NP ?= CoNP problem seems fundamental here. The
> > true decryption constitues a certificate for the
> > correctness or incorrectness of any cryptanalysis.
> > Thus any system that allows unique decryption (and is
> > tractable) is reducible to something in the
> > intersection of NP and CoNP.
>
> Hmm. I spent a lot of time thinking about it and it is clear - breaking of
> every cryptographic algorithm (either PKE or symmetric) is NP*co-NP
> problem
> (*=intersection).
You are sure? Consider the problem for a (variable length output)
cryptographic hash function: given an output string and an integer N, does
there exist an input string of length N that hashes to that output string?
It is not immediately obvious that this is a polytime (polytime in the size
of the output, which is allowed to go to infinity) verifiable proof that a
particular output string/N does not have such an input string. Such a proof
must exist for the problem to be in coNP, of course.
--
poncho
------------------------------
From: "Julian Morrison" <[EMAIL PROTECTED]>
Subject: Arcfour in Ada, by me - is it good? (long)
Date: Sun, 11 Feb 2001 15:32:52 +0000
with Interfaces;
with Ada.Unchecked_Deallocation;

package Arcfour is
   --
   -- This is Alleged RC4, CypherSaber-2 variant
   --
   -- Key Length fixed at 240 bytes
   -- IV length fixed at 16 bytes
   -- Number of extra mixes fixed at 10
   --
   -- Facilities for random generation of key and IV
   -- Key probed for badness during creation and before setup
   --
   -- This code has been placed in the public domain by its author
   --

   package Inf renames Interfaces;

   type Metablock is array (Inf.Unsigned_8 range <>) of Inf.Unsigned_8;
   for Metablock'Component_Size use 8;
   pragma Pack (Metablock);

   subtype Block is Metablock (0 .. 255);
   subtype Key   is Metablock (0 .. 239);
   subtype IV    is Metablock (0 .. 15);

   function Fresh_Key return Key;
   function Is_Bad_Key (K : in Key) return Boolean;
   function Fresh_IV return IV;

   type Cryptor is limited record
      S : Block;            -- State
      K : Block;            -- Key
      I : Inf.Unsigned_8;
      J : Inf.Unsigned_8;
   end record;

   type Cryptor_Access is access all Cryptor;

   Cant_Setup_Bad_Key : exception;

   function Setup (K : in Key;
                   V : in IV) return Cryptor_Access;

   function Encrypt_With (C : Cryptor_Access;
                          B : Inf.Unsigned_8) return Inf.Unsigned_8;

   function Decrypt_With (C : Cryptor_Access;
                          B : Inf.Unsigned_8) return Inf.Unsigned_8
      renames Encrypt_With;

   procedure Free is
      new Ada.Unchecked_Deallocation (Cryptor, Cryptor_Access);

end Arcfour;
================================================
with Ada.Sequential_IO;

package body Arcfour is
   --
   -- This is Alleged RC4, CypherSaber-2 variant
   --
   -- Key Length fixed at 240 bytes
   -- IV length fixed at 16 bytes
   -- Number of extra mixes fixed at 10
   --
   -- Facilities for random generation of key and IV
   -- Key probed for badness during creation and before setup
   --
   -- This code has been placed in the public domain by its author
   --

   Num_Mixes : constant := 10;

   package Byte_IO is new Ada.Sequential_IO (Inf.Unsigned_8);
   package B renames Byte_IO;

   use type Inf.Unsigned_8;

   Random : B.File_Type; -- /dev/random

   -- Sneaky hack
   -- Force initialization code to run
   function Package_Init return Boolean is
   begin
      B.Open (Random, B.In_File, "/dev/random");
      return True;
   end Package_Init;

   Done_Init : constant Boolean := Package_Init;

   ----------
   -- Swap --
   ----------
   -- Exchange two state bytes through a temporary.  The three-XOR
   -- "magic swap" is wrong whenever I = J: S (I) xor S (I) is zero, so
   -- the byte is lost and S stops being a permutation.
   procedure Swap (S : in out Block; I, J : in Inf.Unsigned_8) is
      Temp : constant Inf.Unsigned_8 := S (I);
   begin
      S (I) := S (J);
      S (J) := Temp;
   end Swap;

   -----------
   -- Setup --
   -----------
   function Setup
     (K : in Key;
      V : in IV)
      return Cryptor_Access
   is
      C : Cryptor_Access := new Cryptor;
   begin
      if Is_Bad_Key (K) then
         raise Cant_Setup_Bad_Key;
      end if;

      for F in C.S'Range loop
         C.S (F) := F;
      end loop;

      -- Key schedule input: the 240-byte key followed by the 16-byte IV,
      -- which fills all 256 bytes of C.K
      C.K (0 .. 239)   := K;
      C.K (240 .. 255) := V;

      -- One ordinary pass plus Num_Mixes extra passes (CipherSaber-2)
      for F in 0 .. Num_Mixes loop
         C.I := 0;
         C.J := 0;
         loop
            -- C.K has exactly 256 bytes, so C.I indexes it directly.
            -- Indexing with "C.I mod K'Length" (mod 240) would never
            -- read the IV bytes at 240 .. 255.
            C.J := C.J + C.S (C.I) + C.K (C.I);
            Swap (C.S, C.I, C.J);
            exit when C.I = 255;
            C.I := C.I + 1;
         end loop;
      end loop;

      C.I := 0;
      C.J := 0;
      return C;
   end Setup;

   ------------------
   -- Encrypt_With --
   ------------------
   function Encrypt_With
     (C : Cryptor_Access;
      B : Inf.Unsigned_8)
      return Inf.Unsigned_8
   is
      N : Inf.Unsigned_8;
   begin
      C.I := C.I + 1;             -- Unsigned_8 wraps modulo 256
      C.J := C.J + C.S (C.I);
      Swap (C.S, C.I, C.J);
      N := C.S (C.I) + C.S (C.J);
      return C.S (N) xor B;
   end Encrypt_With;

   --------------
   -- Fresh_IV --
   --------------
   function Fresh_IV return IV is
      Temp      : IV;
      Temp_Byte : Inf.Unsigned_8;
   begin
      for F in Temp'Range loop
         B.Read (Random, Temp_Byte);
         Temp (F) := Temp_Byte;
      end loop;
      return Temp;
   end Fresh_IV;

   ---------------
   -- Fresh_Key --
   ---------------
   function Fresh_Key return Key is
      K         : Key;
      Temp_Byte : Inf.Unsigned_8;
   begin
      loop
         for F in K'Range loop
            B.Read (Random, Temp_Byte);
            K (F) := Temp_Byte;
         end loop;
         exit when not Is_Bad_Key (K);
      end loop;
      return K;
   end Fresh_Key;

   ----------------
   -- Is_Bad_Key --
   ----------------
   function Is_Bad_Key (K : in Key) return Boolean is
   begin
      -- magic mod: the modular add wraps, so this tests K(0) + K(1) = 0 mod 256
      return (K (K'First) + K (K'First + 1)) = 0;
   end Is_Bad_Key;

end Arcfour;
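A Python reference of the same construction, added here as an example; it is not part of Julian Morrison's post and not CipherSaber's own code. It mirrors the structure of the posted Ada (key || IV as the schedule input, i and j restarted at 0 for each pass, 1 + 10 passes, the K(0) + K(1) = 0 key check) and checks the one-pass case against the published RC4 test vector for the key "Key". The second key-schedule function keeps the three-XOR "magic swap" only to show that it zeroes a state byte whenever i = j, which is the reason a temporary is used in the real swap. The all-zero key and the 240-byte sample key are constructed inputs, and whether restarting j between passes is what CipherSaber-2 specifies is not something this example verifies.

```python
def ksa(key_bytes, passes=1):
    """Key schedule over the 256-byte state. Each pass restarts i and j
    at 0, as the posted Setup does; passes=1 is plain RC4."""
    if not key_bytes:
        raise ValueError("empty key")
    s = list(range(256))
    for _ in range(passes):
        j = 0
        for i in range(256):
            j = (j + s[i] + key_bytes[i % len(key_bytes)]) & 0xFF
            s[i], s[j] = s[j], s[i]  # real swap: harmless when i == j
    return s


def ksa_xor_swap(key_bytes, passes=1):
    """Same schedule with the three-XOR swap; kept only to demonstrate
    that it destroys a state byte whenever i == j."""
    s = list(range(256))
    for _ in range(passes):
        j = 0
        for i in range(256):
            j = (j + s[i] + key_bytes[i % len(key_bytes)]) & 0xFF
            s[j] ^= s[i]
            s[i] ^= s[j]
            s[j] ^= s[i]
    return s


def is_permutation(s):
    """A healthy state holds each of 0..255 exactly once."""
    return sorted(s) == list(range(256))


def keystream(s, n):
    """PRGA: n keystream bytes from a scheduled state (the state is copied)."""
    s, i, j, out = s[:], 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_bad_key(key):
    """The posted Is_Bad_Key test: first two key bytes sum to 0 mod 256."""
    return (key[0] + key[1]) % 256 == 0


def crypt(key, iv, data, passes=11):
    """Encrypt or decrypt (XOR) with key || iv as the schedule input.
    passes=11 is the posted 1 + Num_Mixes (10) passes."""
    if is_bad_key(key):
        raise ValueError("bad key")
    s = ksa(key + iv, passes)
    return bytes(a ^ b for a, b in zip(data, keystream(s, len(data))))


def demo():
    """Round trip with a constructed 240-byte key and 16-byte IV
    (fixed values for the demonstration only, not fresh randomness)."""
    key = bytes(range(1, 241))
    iv = bytes(range(16))
    msg = b"hello, sci.crypt"
    ct = crypt(key, iv, msg)
    return ct, crypt(key, iv, ct)


if __name__ == "__main__":
    print(keystream(ksa(b"Key"), 10).hex())      # eb9f7781b734ca72a719
    print(is_permutation(ksa_xor_swap(bytes(16))))  # False
    print(demo())
```

With an all-zero key the XOR-swap schedule hits i = j at i = 1 and writes a second 0 into the state, after which two state slots hold the same value for the rest of the cipher's life; the temporary-based swap leaves the state a permutation for any key.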
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: CipherText patent still pending
Date: Sun, 11 Feb 2001 07:28:29 -0800
Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Bryan Olson wrote:
> >
> > Mok-Kong Shen wrote:
> > >
> > > Bryan Olson wrote:
> >
> > [Bryan:]
> > >>>>> Experts teaching writing say to write every day. I've never
> > >>>>> heard an expert cryptologist recommend cipher design as an
> > >>>>> exercise.
> >
> > [...]
> > > There seems to be a misunderstanding here due to presumably
> > > my poor formulation. My quoted sentence above simply
> > > served as sort of apology for my inability to clearly
> > > interpret the paragraph of your previous post. It was
> > > then followed by my two 'conjectured' interpretations with
> > > my corresponding responses.
> >
> > The intended meaning that your analogy,
> >
> > | But don't you
> > | see that at schools the pupils are continuing to write
> > | compositions (after you have left school)? Should they
> > | stop writing??
> >
> > was nonsense. Writing is a good exercise, unlike designing
> > a cipher.
>
> I don't know any practically useful skill/ability that could
> be gained without exercises.
>
However, an additional requirement for doing exercises is being able to know
whether you've done a good job, or a poor one. If you can't tell, then
you're not likely to become better, because you have no idea which direction
is "better". That's the problem with just designing ciphers -- the novice
designer has no way of knowing if any particular design is secure, and so is
unable to know which ideas worked (and should be exploited further), and
which ideas should be abandoned. In essence, the learner is attempting to
go to Chicago, without having any clue about which direction Chicago is, or
how far he is from it. He is not real likely to get anywhere near Chicago.
In contrast, if you start by breaking ciphers, you do have positive
knowledge whether an idea worked, and so a learner can start building
knowledge of how this works.
--
poncho
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Date: 11 Feb 2001 16:11:12 GMT
Subject: Re: Steganography with ASCII text files
Mok-Kong Shen [EMAIL PROTECTED] writes, in part:
>Modern steganography is commonly done on graphical files
>through manipulation of pixel values. The operations done
>are in my humble view not very convenient to implement and
>require, above all, the availability of graphical files.
What's difficult about finding graphical files, or, for that matter, audio
or video files?
>We note that in general the sender will not send the HTML file but publish his
>document at a site such that the receiver can access and get a copy of the
>HTML file at his convenience, thus rendering it easier for the latter to keep
>his anonymity.
If the sender has web access, he should be able to find plenty
of files (graphical, audio, or video) suitable to use as carriers.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Steganography with ASCII text files
Date: Sun, 11 Feb 2001 09:01:59 -0800
JPeschel wrote:
>
[snip]
>
> What's difficult about finding graphical files, or, for that matter, audio
> or video files?
>
[...]
> If the sender has web access, he should be able to find plenty
> of files (graphical, audio, or video) suitable to use as carriers.
>
Good question. I venture this may be the reasoning -
Every web browser supports HTML. Most browsers support graphical files
(JPEG, GIF). Some browsers don't support the more complex media without
us fetching plug-in modules. Given HTML is supported by every browser
type through all of their versions from the early 90s to today, using
HTML for steganography should facilitate the largest number of people to
covertly communicate with one another with steganography.
I suggest the steganographic HTML should also be in the most common HTML
format recognized by all - HTML 1.0.
From a security viewpoint, the more people know about this means, the
easier it gets to monitor the means - "Eve" could patrol web sites with
'bots to download and autoscan the HTML files for hidden messages.
John A. Malley
[EMAIL PROTECTED]
------------------------------
Crossposted-To: alt.security.scramdisk
From: [EMAIL PROTECTED] (nemo outis)
Subject: Re: Scramdisk, CDR and Win-NT
Date: Sun, 11 Feb 2001 17:36:53 GMT
FWIW packet-writing (including/especially DirectCD?) is, if not outright
flaky, definitely not very robust. Lots of horror stories of machines or
other software hiccuping and the CDR becoming unreadable.
Regards,
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
>In article <[EMAIL PROTECTED]>, Jungle wrote:
>> > As long as you accept that you can't 'write on the fly' to the disk,
>>
>> no, I can't accept this ...
>>
>> I'm using CD-R/W media for write to SD container on it without any
>problems,
>> and all files are NOT R/O as you are suggesting,
>
>I think you must be using something like Adaptec's DirectCD to make the
>CD-RW look like a normal read/write disk drive. If you're doing that then,
>yes, I expect the files you create are r/w.
>
>You should be aware that this doesn't give you a normal CD-formatted disk -
>you'll only be able to read it on machines that have suitable software (i.e.
>a copy of DirectCD).
>
>It's also not germane to OP's question, as he says he is using CD-R not
>CD-RW, and his disks will most definitely be read-only.
>
>Cheers,
> Daniel.
------------------------------
From: bleatgoat <[EMAIL PROTECTED]>
Subject: Re: I encourage people to boycott and ban all Russian goods and services, if
the Russian Federation is banning Jehovah's Witnesses .......
Crossposted-To: comp.security,alt.security,alt.2600
Date: Sun, 11 Feb 2001 12:50:27 -0500
John Savard wrote:
> On Sat, 10 Feb 2001 18:11:45 GMT, Markku J. Saarelainen
> <[EMAIL PROTECTED]> wrote, in part:
>
> >I encourage all people around the world to boycott and ban all Russian
> >goods and services, if the Russian Federation is banning Jehovah's
> >Witnesses .......
>
> And we can also add:
>
> - the attacks on Chechnya committed with disregard for civilian life
>
> - the unwillingness of Russia to waive diplomatic immunity in the case
> of a drunk driver who killed a Canadian woman
>
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm
your reasons I can buy, but the JWs can stay the hell off my doorstep on a
Saturday morning as well.
------------------------------
From: bleatgoat <[EMAIL PROTECTED]>
Subject: Re: I encourage people to boycott and ban all Russian goods and services, if
the Russian Federation is banning Jehovah's Witnesses .......
Crossposted-To: comp.security,alt.security,alt.2600
Date: Sun, 11 Feb 2001 12:51:27 -0500
John M Price PhD wrote:
> In alt.2600 article <[EMAIL PROTECTED]> David Schwartz
> <[EMAIL PROTECTED]> wrote:
>
>
> : "Markku J. Saarelainen" wrote:
> :>
> :> I encourage all people around the world to boycott and ban all Russian
> :> goods and services, if the Russian Federation is banning Jehovah's
> :> Witnesses .......
>
> : Is the financial well-being of Watchtower really that important?
>
> I think it is a freedom of superstition argument. People should be
> allowed to believe whatever hokum they desire, evidence or not.
>
I think the point of irritation is when they want to forcibly share their
superstitions with others who don't share their views.
------------------------------
From: "Gilbert Brands" <[EMAIL PROTECTED]>
Subject: Re: unpredictable random number generator ?
Date: Sun, 11 Feb 2001 18:26:46 +0100
Perhaps :
take a set of IGC's
display some bits of a result as random number,
use some other hidden bits for selecting the next IGC
Using some initialisation phase, including i.e. some random
input from the user, you will hardly have a chance to tell
where it started or goes next.
--
Gilbert Brands
E-Mail : [EMAIL PROTECTED]
Work Page : www.ewetel.net/~gilbert.brands/
===========================
Some think
lift and reght cannot be confused.
What an ellor!
yomgui <[EMAIL PROTECTED]> wrote in the news article:
[EMAIL PROTECTED]
> hello
>
> by unpredictable,
> I mean that knowing the algorithm
> and a series of generated numbers
> one can't deduce the seed used to produce them.
>
> is there a such thing?
>
> thanks
>
> yomgui
------------------------------
From: "Gilbert Brands" <[EMAIL PROTECTED]>
Subject: Re: RSA is not secure in many instances...
Date: Sun, 11 Feb 2001 18:45:54 +0100
<[EMAIL PROTECTED]> wrote in the news article:
964oo8$8o$[EMAIL PROTECTED]
> In article <964kit$t1i$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
> Suppose that g is a generator of Zpq* (i.e. the group of all positive
> integers less than pq, except integer multiples of p and integer
> multiples of q). Then, for each 0 < k < (p-1)(q-1), there is exactly
> one integer 0 < m < pq such that g^k = m mod pq. Suppose that m is an
Sorry, max order in Z(m) is lcm(p-1,q-1), not phi(m), all other orders
being divisors of the max order. The number of elements of order d is no longer
phi(d) in this case. You can calculate it using some application of the Chinese
remainder theorem, but it is rather tricky to program this.
--
Gilbert Brands
E-Mail : [EMAIL PROTECTED]
Work Page : www.ewetel.net/~gilbert.brands/
===========================
Some think
lift and reght cannot be confused.
What an ellor!
> element with order 2, i.e. m^2 = 1 mod pq. Then, if g^k = m mod pq, it
> must be the case that k = (p-1)(q-1)/2. Hence, there can be only one
> integer m. Likewise, if m is an element with order 3, you have k = (p-1)
> (q-1)/3 or k = 2(p-1)(q-1)/3, etc. Furthermore, there are phi(phi(pq))-
> 1 generators of Zpq*, i.e. the numbers of positive integers greater
> than one and less than pq relatively prime to both pq and (p-1)(q-1).
> This includes a large number of primes, so the amount is clearly larger
> than one.
>
>
> Sent via Deja.com
> http://www.deja.com/
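Mr. Brands remarks that counting the elements of each order is tricky to program. The following added example (not from either post) does it for small p and q in two ways: by brute force over every element of Zpq*, and through the Chinese remainder theorem, under which Zpq* is the product of the two cyclic groups Zp* and Zq*, so an element is a pair with orders d1 | p-1 and d2 | q-1 and has order lcm(d1, d2). It also checks that the largest order is lcm(p-1, q-1) rather than phi(pq), and that for p = 11, q = 13 there are three elements of order 2, not one, which is the point at issue in the quoted argument. The function names and the sample primes are my choices.

```python
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def phi(n):
    """Euler's totient by counting (adequate for the small n used here)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def mult_order(g, n):
    """Multiplicative order of g in Z_n* (g must be coprime to n)."""
    k, x = 1, g % n
    while x != 1:
        x, k = x * g % n, k + 1
    return k


def order_counts_brute(p, q):
    """{d: number of elements of order d in Zpq*}, by trying every element."""
    n, counts = p * q, {}
    for m in range(1, n):
        if gcd(m, n) == 1:
            d = mult_order(m, n)
            counts[d] = counts.get(d, 0) + 1
    return counts


def order_counts_crt(p, q):
    """Same table via CRT: Zpq* ~ Zp* x Zq*, both cyclic. A cyclic group
    of order r has phi(d) elements of order d for each d | r, and a pair
    (a, b) of orders (d1, d2) has order lcm(d1, d2)."""
    counts = {}
    for d1 in divisors(p - 1):
        for d2 in divisors(q - 1):
            d = lcm(d1, d2)
            counts[d] = counts.get(d, 0) + phi(d1) * phi(d2)
    return counts


def max_order(p, q):
    """Largest element order in Zpq*: lcm(p-1, q-1), not phi(pq)."""
    return lcm(p - 1, q - 1)


if __name__ == "__main__":
    p, q = 11, 13
    print(order_counts_crt(p, q) == order_counts_brute(p, q))   # True
    print(max_order(p, q), phi(p * q))                         # 60 120
    print(order_counts_crt(p, q)[2])                            # 3
```

Because no element reaches order phi(pq), Zpq* has no generator at all, so the quoted claim that g^k = m with m of order 2 forces k = (p-1)(q-1)/2 never gets off the ground: there are already three square roots of 1 besides 1 itself.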
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************