Cryptography-Digest Digest #683, Volume #13      Tue, 13 Feb 01 03:13:01 EST

Contents:
  Re: Super strong crypto ("Joseph Ashwood")
  Re: Should I store a copy of gpg source code with my archive? (jtnews)
  question about java Cryptix library (Rusty Wright)
  Re: Rnadom Numbers ("Douglas A. Gwyn")
  Re: What is kerebos? (B. Wooster)
  Re: What is kerebos? (John Savard)
  Re: Should I store a copy of gpg source code with my archive? ("Joseph Ashwood")
  Re: What is kerebos? (Darren New)
  Re: What is kerebos? (David Hamer)
  Re: What is kerebos? (B. Wooster)
  Re: What is kerebos? (JPeschel)
  Subtle RC4 implementation mistake (was: Arcfour in Ada, by me - is it good?) (Ian Goldberg)
  Re: Subtle RC4 implementation mistake (was: Arcfour in Ada, by me - is it good?) (Paul Rubin)
  Re: Subtle RC4 implementation mistake (was: Arcfour in Ada, by me - is  (Roger Schlafly)
  Re: Subtle RC4 implementation mistake (was: Arcfour in Ada, by me - is it good?) (JPeschel)
  Re: Purenoise defeats Man In The Middle attack? ("Michael Brown")
  AES in PGPi? ("Matthew J. Ricciardi")
  Minimal-space authentication algorithm (H. Peter Anvin)
  Re: AES in PGPi? ("kihdip")
  Re: AES in PGPi? ("Matthew J. Ricciardi")

----------------------------------------------------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Super strong crypto
Date: Mon, 12 Feb 2001 15:25:03 -0800

Don't worry, we've all been there, although most of us have taken much more
twisting paths than, "Hey <insert name> you're going to work on crypto."

Let's see. I guess I'll begin with what strong cryptography is and is not,
or rather what we know and what we don't know. We don't know which algorithm
is strongest, but we do know maximum values for its strength. For example,
take DES (it's a FIPS publication): it takes a 56-bit key and a 64-bit
input, and it encrypts to a 64-bit output. From this information you can
determine an initial maximum security value of 56 bits (the size of the
key). Through the 2 decades it's been around it has been subjected to a
massive number of differing attacks, and has fairly well withstood them all.
Its current maximum security is ~48 bits.

At best we can give you that kind of information. Now as to what is the
strongest encryption, as far as we know. You could just take RSA and use
gigabit sized keys, but I don't think that's the kind of thing you're
looking for. Instead I'd suggest you look at the AES finalists. Any of the 5
of them should be strong enough for most things. Since you are military you
may be able to get approved hardware through the command chain, the
hardware will also benefit from various extra pieces of knowledge that are
not generally available to the public.
                                Joe



------------------------------

Date: Mon, 12 Feb 2001 18:54:35 -0500
From: jtnews <[EMAIL PROTECTED]>
Subject: Re: Should I store a copy of gpg source code with my archive?

Paul Rubin wrote:
> 
> jtnews <[EMAIL PROTECTED]> writes:
> > I'm storing away some CD-RW disks with encrypted data
> > from gpg.
> >
> > Do I also need to store a copy of the source code
> > to gpg with the CD-RW disk? Or is the encrypted
> > data format stable enough that I don't have to
> > worry about problems retrieving my data afterwards.
> 
> GPG follows the OpenPGP spec which is described in an internet RFC
> so the format should be pretty stable.  But who knows if the software
> itself might become illegal?  I'd say save a copy.

how can the software become illegal?
isn't it too late once you let the cat
out of the bag?

------------------------------

From: Rusty Wright <[EMAIL PROTECTED]>
Subject: question about java Cryptix library
Date: 12 Feb 2001 15:59:46 -0800

I'm investigating converting some software that uses the Java JCE
compatible libraries from Cryptix (www.cryptix.org).  This software is
used on a web server and sets a cookie, and the contents of the cookie
are encrypted.  The consumer of this cookie is on another system and
they have specified that the cookie must be encrypted with the
following parameters:

algorithm:      DES
method:         CBC
padding:        OneAndZeroes

The software I'm converting it to, PHP, uses the mcrypt library and it
doesn't provide any way to specify the padding.  So I'm assuming that
it's using a padding of None.

If I encrypt a string with DES/CBC and a padding of None, will someone
be able to decrypt it if they specify a padding of OneAndZeroes?  In
other words, is a padding of None a superset of OneAndZeroes, or vice
versa, or are they not interchangeable at all?
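An added illustration (my code, not part of Rusty's post) of why the two padding settings are not interchangeable: OneAndZeroes padding (ISO/IEC 7816-4 style, a 0x80 byte followed by zero bytes up to the block boundary) beside plain zero padding, which is what a "no padding" setting that still fills the last 8-byte DES block amounts to (that mcrypt zero-fills is an assumption here). DES and CBC are left out because the mismatch lives entirely in the padding layer.

```python
BLOCK = 8  # DES block size in bytes


def pad_one_and_zeroes(data: bytes, block: int = BLOCK) -> bytes:
    """Append 0x80, then 0x00 bytes up to the next block boundary.

    A whole block of padding is added when len(data) is already a multiple
    of the block size, so the receiver can always strip it unambiguously.
    """
    n = block - (len(data) % block)
    return data + b"\x80" + b"\x00" * (n - 1)


def unpad_one_and_zeroes(data: bytes) -> bytes:
    """Strip trailing zeros and the single 0x80 marker; reject anything else."""
    stripped = data.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("no OneAndZeroes marker found")
    return stripped[:-1]


def pad_zeroes(data: bytes, block: int = BLOCK) -> bytes:
    """Zero padding (assumed mcrypt behaviour): fill the last block with 0x00,
    add nothing if the length already fits. Trailing zero bytes of the
    message itself become indistinguishable from padding."""
    n = (-len(data)) % block
    return data + b"\x00" * n


def unpad_zeroes(data: bytes) -> bytes:
    """The best a 'no padding' receiver can do: drop trailing zero bytes."""
    return data.rstrip(b"\x00")


def cross_decode(data: bytes) -> str:
    """Zero-pad on the sending side, unpad as OneAndZeroes on the receiving
    side, and report what the receiver ends up with."""
    try:
        return "recovered %r" % unpad_one_and_zeroes(pad_zeroes(data))
    except ValueError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    # Sender pads with zeros, receiver expects OneAndZeroes: usually an error,
    # but a message ending in 0x80 silently loses its last byte.
    print(cross_decode(b"hello"))
    print(cross_decode(b"abc\x80"))
    # The other direction: the 0x80 marker survives as stray plaintext.
    print(unpad_zeroes(pad_one_and_zeroes(b"hello")))
```

Neither direction round-trips, so the two sides must agree on the padding scheme explicitly; the sender can apply pad_one_and_zeroes() itself before handing the block-aligned data to a library that only offers "no padding".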

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Rnadom Numbers
Date: Mon, 12 Feb 2001 23:29:08 GMT

Joseph Ashwood wrote:
> ...

That was interesting, perhaps helpful, but the simple fact is
that one cannot determine the actual "information" (negentropy)
in a stretch of data on an absolute basis, but only relative to
some assumed state of knowledge (pre-existing store of information).
For example, whatever "entropy" is assigned to a stretch of N bits
is surely not doubled merely by repeating the N bits twice in a
row.  In cryptology particularly, very high-order correlations
can be so important that any information estimate based on lower
order correlations can be wildly inaccurate.  (A la Kullback it
would be terms in a divergent series.)  My opinion is that this
whole approach to measuring "randomness" is fundamentally unsound
and that what is needed is to determine what support the available
data gives to the hypothesis that the source is suitably random.
It sounds like the same thing but works differently in practice.

------------------------------

From: B. Wooster <[EMAIL PROTECTED]>
Subject: Re: What is kerebos?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Feb 2001 00:23:48 GMT

Ahh.  I see.  Hmmm... maybe they'll have a picture of me under
'jackass' ...lol.  

In any case, I think I'm correct on both counts.  The mythical dog is
spelled Cerebos, but the security product (algorithm?  protocol?) is
spelled Kerebos.

____________________________

> On Mon, 12 Feb 2001 09:41:43 -0000, "Sam Simpson" <[EMAIL PROTECTED]> wrote:
>I was referring specifically to the Subject of this thread ;)


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: What is kerebos?
Date: Tue, 13 Feb 2001 00:46:07 GMT

On Tue, 13 Feb 2001 00:23:48 GMT, B. Wooster <[EMAIL PROTECTED]>
wrote, in part:

>In any case, I think I'm correct on both counts.  The mythical dog is
>spelled Cerebos, but the security product (algorithm?  protocol?) is
>spelled Kerebos.

Cereberus and Kerberos; however, the latter is also a closer
transliteration of the original *Greek* name of the mythical dog,
while the former came to us by way of Latin.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Should I store a copy of gpg source code with my archive?
Date: Mon, 12 Feb 2001 16:40:31 -0800

"jtnews" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> how can the software become illegal?
> isn't it too late once you let the cat
> out of the bag?

It could become illegal the same way drugs become illegal. Someone with the
right power decides that having them around is detrimental, so they make
them illegal. Cryptography seems to be a fairly perpetual target because
most people think it's useless unless you're military or performing illegal
activities. As such it would not be wholly unpopular to outlaw cryptography,
which would immediately make gpg (and pgp) illegal.
                        Joe



------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: What is kerebos?
Date: Tue, 13 Feb 2001 01:51:07 GMT

John Savard wrote:
> Cereberus and Kerberos; however, the latter is also a closer
> transliteration of the original *Greek* name of the mythical dog,
> while the former came to us by way of Latin.

And of course, arguing with Latin characters about the right spelling of a
Greek word....

-- 
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST).  Cryptokeys on demand.
                 Ignorance can be cured. Naivety cures itself.

------------------------------

Date: Mon, 12 Feb 2001 21:00:44 -0500
From: David Hamer <[EMAIL PROTECTED]>
Subject: Re: What is kerebos?

"B. Wooster" wrote:
> 
> Ahh.  I see.  Hmmm... maybe they'll have a picture of me under
> 'jackass' ...lol.
> 
> In any case, I think I'm correct on both counts.  The mythical dog is
> spelled Cerebos, but the security product (algorithm?  protocol?) is
> spelled Kerebos.

You're not correct about the dog..! In Greek mythology
this was Cerberus... 

If my childhood memory still serves me 'Cerebos' was the
name of a table salt producer in the UK [circa 1950(?)]...

DHH
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
David Hamer                 The Crypto Simulation Group
[EMAIL PROTECTED]    or    [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

From: B. Wooster <[EMAIL PROTECTED]>
Subject: Re: What is kerebos?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Feb 2001 02:16:04 GMT

> On Mon, 12 Feb 2001 21:00:44 -0500, David Hamer <[EMAIL PROTECTED]> wrote:

>"B. Wooster" wrote:
>> 
>> Ahh.  I see.  Hmmm... maybe they'll have a picture of me under
>> 'jackass' ...lol.
>> 
>> In any case, I think I'm correct on both counts.  The mythical dog is
>> spelled Cerebos, but the security product (algorithm?  protocol?) is
>> spelled Kerebos.
>
>You're not correct about the dog..! In Greek mythology
>this was Cerberus... 
>
>If my childhood memory still serves me 'Cerebos' was the
>name of a table salt producer in the UK [circa 1950(?)]...
>
=================================================

Damn.  I'm always getting those two confused!


------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 13 Feb 2001 03:31:00 GMT
Subject: Re: What is kerebos?

B. Wooster [EMAIL PROTECTED]  writes:

>> On Mon, 12 Feb 2001 21:00:44 -0500, David Hamer <[EMAIL PROTECTED]> wrote:
>
>>"B. Wooster" wrote:
>>> 
>>> Ahh.  I see.  Hmmm... maybe they'll have a picture of me under
>>> 'jackass' ...lol.
>>> 
>>> In any case, I think I'm correct on both counts.  The mythical dog is
>>> spelled Cerebos, but the security product (algorithm?  protocol?) is
>>> spelled Kerebos.
>>
>>You're not correct about the dog..! In Greek mythology
>>this was Cerberus... 
>>
>>If my childhood memory still serves me 'Cerebos' was the
>>name of a table salt producer in the UK [circa 1950(?)]...
>>
>-------------------------------------------------
>
>Damn.  I'm always getting those two confused!
>

Maybe you've had one too many Salty Dogs.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (Ian Goldberg)
Subject: Subtle RC4 implementation mistake (was: Arcfour in Ada, by me - is it good?)
Date: 13 Feb 2001 04:07:54 GMT

I doubt many people took the time to actually look at this.  It's in *Ada*
after all.  I happen to know Ada, so I did, and found (though you wouldn't
have to actually know Ada to see this) a *really* subtle implementation
bug.

Here's what will happen if you use this code for your crypto:

o It will always *work*; that is, decryption is, correctly, the opposite
  of encryption, so long as both sides use this code.
o Most of the time, it will match RC4 exactly for short messages, so you
  may not even spot the problem if you test it against a correct
  implementation.
o However, for long messages, the keystream will eventually become all
  0's.

Yes, you read right.  At first, it looks just like RC4, but soon, the
"ciphertext" is just the plaintext.  (Remember Morris's Law?)

That's a pretty amazing bug, isn't it?  Here's the culprit:

>      -- magic swap
>      C.S (C.J) := C.S (C.I) xor C.S (C.J);
>      C.S (C.I) := C.S (C.I) xor C.S (C.J);
>      C.S (C.J) := C.S (C.I) xor C.S (C.J);

As "every" CS student knows, the above is a way to swap two variables
without any extra storage.  What many people fail to realize is that
it's only valid if you actually have two *different* variables (note that
I didn't say two variables with different _values_).

What happens in your above code if C.S(C.J) is the same *variable* as
C.S(C.I); that is, if C.J = C.I ?  Answer: regardless of the initial value
of C.S(C.I), you end up with C.S(C.I) = 0.  Wow.  So after about 256
bytes of output (that's around how long it'll take before we expect C.I
to equal C.J), one of the Sbox elements gets magically turned into a 0.
Keep going, and eventually *all* of your Sbox will be 0's, and your
"RC4" implementation turns into the identity transform.

But again, if you use this same code on both sides, you won't notice
that anything went wrong.  And you'll probably get the correct ciphertext
for short messages.  *Way* subtle.

RC4 implementors: be *very* careful when you implement...

[Note that I stopped looking when I found this; I'm not claiming the
rest of the code is correct.]

   - Ian
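The bug in running code, as an added example (Python, written for this digest; not the Ada code from the thread): rc4_keystream() takes the swap routine as a parameter so the correct swap and the XOR "magic swap" can be run on the same key and compared. It assumes the XOR swap was used in both the key schedule and the output loop; the known-answer vector for the key "Key" is the widely published one.

```python
"""XOR-swap aliasing bug in RC4: added example, not the Ada code from the thread."""


def safe_swap(s, a, b):
    """Exchange s[a] and s[b]; correct even when a == b."""
    s[a], s[b] = s[b], s[a]


def xor_swap(s, a, b):
    """The in-place XOR 'magic swap'. When a == b all three XORs act on one
    storage location: x ^= x gives 0, and 0 ^ 0 stays 0."""
    s[b] ^= s[a]
    s[a] ^= s[b]
    s[b] ^= s[a]


def rc4_keystream(key, nbytes, swap=safe_swap):
    """Return (keystream, final S-box). KSA and PRGA both use `swap`, since
    the case i == j arises in both loops (assumed to match the Ada code)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        swap(s, i, j)
    out = bytearray()
    i = j = 0
    for _ in range(nbytes):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        swap(s, i, j)                         # xor_swap with i == j zeroes s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out), s


def rc4_crypt(key, data, swap=safe_swap):
    """XOR data with the keystream; encryption and decryption are the same."""
    ks, _ = rc4_keystream(key, len(data), swap)
    return bytes(p ^ k for p, k in zip(data, ks))


def degradation(key, nbytes, tail=2048):
    """Run the buggy generator for nbytes and report how far it has decayed:
    (zero entries in S, fraction of zero bytes in the last `tail` output bytes).
    A correct S-box is a permutation and always holds exactly one zero."""
    ks, s = rc4_keystream(key, nbytes, xor_swap)
    window = ks[-tail:]
    return s.count(0), window.count(0) / len(window)


if __name__ == "__main__":
    key = b"Key"
    print("correct keystream:", rc4_keystream(key, 10)[0].hex())  # eb9f7781b734ca72a719
    good, _ = rc4_keystream(key, 4096)
    bad, _ = rc4_keystream(key, 4096, xor_swap)
    same = next((n for n in range(4096) if good[n] != bad[n]), 4096)
    print("buggy output agrees with RC4 for the first", same, "bytes")
    zeros, frac = degradation(key, 1_000_000)
    print("after 1e6 bytes: %d of 256 S-box entries are zero, "
          "%.0f%% of recent keystream bytes are zero" % (zeros, 100 * frac))
    msg = b"the round trip still works, which is why nobody notices"
    assert rc4_crypt(key, rc4_crypt(key, msg, xor_swap), xor_swap) == msg
```

The zero count in S can only grow (a correct swap preserves the multiset of values, and the aliased swap replaces a value with 0), which is why a known-answer test on a few bytes passes while a long-run test against a reference implementation is the check that catches this.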

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Subtle RC4 implementation mistake (was: Arcfour in Ada, by me - is it good?)
Date: 12 Feb 2001 20:17:33 -0800

[EMAIL PROTECTED] (Ian Goldberg) writes:
> I doubt many people took the time to actually look at this.  It's in *Ada*
> after all.  I happen to know Ada, so I did, and found (though you wouldn't
> have to actually know Ada to see this) a *really* subtle implementation
> bug.

So where did you FIND this implementation?  In a fielded product?  ;-(

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Subtle RC4 implementation mistake (was: Arcfour in Ada, by me - is 
Date: Mon, 12 Feb 2001 20:33:20 -0800

Ian Goldberg wrote:
> RC4 implementors: be *very* careful when you implement...

Scary example. Is there a test vector for a few bytes after a
million iterations?

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 13 Feb 2001 04:53:58 GMT
Subject: Re: Subtle RC4 implementation mistake (was: Arcfour in Ada, by me - is it good?)

Paul Rubin [EMAIL PROTECTED] writes:

>[EMAIL PROTECTED] (Ian Goldberg) writes:
>> I doubt many people took the time to actually look at this.  It's in *Ada*
>> after all.  I happen to know Ada, so I did, and found (though you wouldn't
>> have to actually know Ada to see this) a *really* subtle implementation
>> bug.
>
>So where did you FIND this implementation?  In a fielded product?  

He found it in Julian Morrison's post, "Arcfour in Ada, by me - is it good?"
from Sunday.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: Purenoise defeats Man In The Middle attack?
Date: Tue, 13 Feb 2001 18:33:58 +1300

"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Michael Brown wrote:
> > However, hasn't it been proved that without prior information known
> > only to the two people, MITM attacks are impossible to defeat?
>
> With a public-key protocol, it is possible, assuming a reliable
> certification process has been established.  The MITM cannot forge
> private-key encrypted messages from either Alice or Bob if their
> public keys are correctly known to each other.
>
> Now, Alice might have *always* been talking to the MITM, whose
> key was certified by Alice, instead of to Bob.  But in that case
> the certificate did not identify the MITM as Bob but rather as
> the actual MITM.
>
> If there is not a reliable certification process then an MITM
> attack can succeed, assuming that the MITM can *always* intervene
> when Alice and Bob communicate.  (Otherwise they could simply
> exchange a new nonce every message, and include the previous
> nonce for verification of continuity.  When the MITM misses a
> message, he cannot provide the correct nonce in the next message.)

Sorry. I should have made it clear that I was talking about a MITM like an
ISP or something. All the stuff has to go through one thing (sorry: all the
data has to go through one communication channel makes more sense :).

Michael



------------------------------

From: "Matthew J. Ricciardi" <[EMAIL PROTECTED]>
Subject: AES in PGPi?
Date: Tue, 13 Feb 2001 01:36:06 -0500

I recently downloaded the latest version of PGPi and found that it contained
an AES algorithm, along with the usual TripleDES, CAST, etc.  Is this
Rijndael or some other AES?  The online help provided no assistance in the
matter and was clearly out of date since it described Twofish as one of the
5 finalists still in the running for AES.  Also, is one of the available
algorithms in PGPi generally preferred over the others?

I intend to use the software primarily for encrypting ASCII text and other
small files for transmission via electronic mail.

Thanks,

Matt Ricciardi
[EMAIL PROTECTED]



------------------------------

From: H. Peter Anvin <[EMAIL PROTECTED]>
Subject: Minimal-space authentication algorithm
Date: 12 Feb 2001 22:53:07 -0800

Hello, and pardon me for asking a basic question (I'd call it a newbie
question, but I'm a long-time lurker);

I'm looking for an encryption and/or authentication algorithm (the
latter is actually more important) that can be implemented in minimal
code space -- literally every byte counts.  I have looked at TEA,
including the extensions by Needham and Wheeler (Oct 1997), but some
of the back archives of this group seem to imply that it may not be
that good of a cipher algorithm.  I wonder if anyone could comment on
this, or perhaps suggest alternatives.

Thanks,

        -hpa


P.S. There is no "hard limit", but something that counts in kilobytes
is probably much too big.
-- 
<[EMAIL PROTECTED]> at work, <[EMAIL PROTECTED]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt

------------------------------

From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: AES in PGPi?
Date: Tue, 13 Feb 2001 08:15:42 +0100

*The* AES algorithm can only be Rijndael, but to be sure you'll have to
compare the sourcecode to the Rijndael paper.
The other algorithms from the AES effort are usually known as candidates.

If the algorithms Serpent, Twofish, RC6 and MARS are present as well as 'AES'
(and Rijndael is missing), then Rijndael is probably = AES.

To be certain you should apply a few test vectors to verify the identity of
the algorithm.

Kim

"Matthew J. Ricciardi" <[EMAIL PROTECTED]> wrote in message
news:VD4i6.507$[EMAIL PROTECTED]...
> I recently downloaded the latest version of PGPi and found that it contained
> an AES algorithm, along with the usual TripleDES, CAST, etc.  Is this
> Rijndael or some other AES?  The online help provided no assistance in the
> matter and was clearly out of date since it described Twofish as one of the
> 5 finalists still in the running for AES.  Also, is one of the available
> algorithms in PGPi generally preferred over the others?
>
> I intend to use the software primarily for encrypting ASCII text and other
> small files for transmission via electronic mail.
>
> Thanks,
>
> Matt Ricciardi
> [EMAIL PROTECTED]
>
>



------------------------------

From: "Matthew J. Ricciardi" <[EMAIL PROTECTED]>
Subject: Re: AES in PGPi?
Date: Tue, 13 Feb 2001 02:29:42 -0500

Ordinarily, I also would have assumed that AES must be Rijndael.  However, I
was confused by the accompanying help file which states, "Twofish is one of
five algorithms that the U.S. National Institute of Standards and Technology
(NIST) is considering as a replacement for the current Advanced Encryption
Standard (AES)."  I wasn't aware that there was a AES before Rijndael but am
concerned that this "former AES" (whatever it may be) is being incorrectly
offered under the AES name.  Perhaps they meant to indicate that it was
being considered as a replacement for DES?

Matt Ricciardi
[EMAIL PROTECTED]


"kihdip" <[EMAIL PROTECTED]> wrote in message
news:96am8u$hbv$[EMAIL PROTECTED]...
*The* AES algorithm can only be Rijndael, but to be sure you'll have to
compare the sourcecode to the Rijndael paper.
The other algorithms from the AES effort are usually known as candidates.

If the algorithms Serpent, Twofish, RC6 and MARS are present as well as 'AES'
(and Rijndael is missing), then Rijndael is probably = AES.

To be certain you should apply a few test vectors to verify the identity of
the algorithm.

Kim

"Matthew J. Ricciardi" <[EMAIL PROTECTED]> wrote in message
news:VD4i6.507$[EMAIL PROTECTED]...
> I recently downloaded the latest version of PGPi and found that it contained
> an AES algorithm, along with the usual TripleDES, CAST, etc.  Is this
> Rijndael or some other AES?  The online help provided no assistance in the
> matter and was clearly out of date since it described Twofish as one of the
> 5 finalists still in the running for AES.  Also, is one of the available
> algorithms in PGPi generally preferred over the others?
>
> I intend to use the software primarily for encrypting ASCII text and other
> small files for transmission via electronic mail.
>
> Thanks,
>
> Matt Ricciardi
> [EMAIL PROTECTED]
>
>



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
