Cryptography-Digest Digest #712, Volume #13 Sun, 18 Feb 01 21:13:01 EST
Contents:
Re: "Shuffled ARC4" revisited ("r.e.s.")
Re: Key expansion. ("Mario Contestabile")
Re: Hardware RNG - Where can I order one? ("Mario Contestabile")
Re: "Shuffled ARC4" revisited ("r.e.s.")
Re: Subtle RC4 implementation mistake ("Vic Drastik")
Re: CipherText patent still pending ("Douglas A. Gwyn")
Re: "Shuffled ARC4" revisited ("Douglas A. Gwyn")
Re: National Security Nightmare? (Jim)
Re: �������� �� ������ �� ������ (Jim)
Re: Fractal encryption? ("Simon Johnson")
Re: The Kingdom of God (William Hugh Murray)
Re: The Kingdom of God (nemo outis)
Re: Steganography with ASCII text files (Bram Labarque)
Re: The Kingdom of God (William Hugh Murray)
----------------------------------------------------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: "Shuffled ARC4" revisited
Date: Sun, 18 Feb 2001 14:08:30 -0800
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote ...
| "r.e.s." wrote:
| > For any stream cipher, it seems to be a potential weakness
| > that each encrypted byte can be matched to the corresponding
| > byte of known plaintext.
|
| That's not a general property of stream ciphers.
It is in the present context of byte-stream ciphers.
If we generalize to stream ciphers using other than
byte-size symbols, then the same property exists in
those terms. Have I missed something constructive
in your comment?
--r.e.s.
------------------------------
From: "Mario Contestabile" <[EMAIL PROTECTED]>
Subject: Re: Key expansion.
Date: Sun, 18 Feb 2001 17:03:40 -0500
The algorithm described in "Secure Applications of Low-Entropy Keys"
http://www.counterpane.com/low-entropy.pdf uses several iterations of a Hash
to 'stretch' a key with a salt. Wouldn't this make for a better key
expansion method?
--
Mario Contestabile
[EMAIL PROTECTED]
> Use hashing algorithm like MD5 (128bits) or SHA-1 (160bits). These algos
> will convert a variable length text to a fixed digest (of sizes mentioned
> above). This digest has 2 characteristics: you can't recover the original
> password with it and it is relatively unique to the hashed string (if you
> change only one character, the whole 128 bits will change). Normally, for
> symmetrical key encryption, it is recommended to use a random x-bits key to
> encrypt the message and append to the cipher encryption of your random key
> with the hash of your password.
...
> > I have a password constituted from few characters and I want to expand it
> > (to at least 128 bits) for use it like session (secret) key for an algorithm
> > to symmetrical key (e.g. rijndael).
> > How could I do?
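Added example, not part of Mario's post and not code from the Counterpane paper: the salted, iterated hash sketched above written out in Python. The K_0 = 0, K_i = H(K_{i-1} || password || salt) shape is my reading of the paper's construction; SHA-256, the function names and the sample inputs are my choices. hashlib.pbkdf2_hmac is included only as the standardised form of the same idea, for comparison. The stretched_entropy_bits figure is the paper's point in one line: an attacker guessing passwords must pay t hashes per guess, so t iterations add log2(t) bits of work.

```python
import hashlib
import math


def stretch_key(password: bytes, salt: bytes, iterations: int, out_len: int = 32) -> bytes:
    """Salted, iterated-hash key stretching.

    Shape (my reading of the Kelsey/Schneier/Hall/Wagner construction):
    K_0 = 0, K_i = H(K_{i-1} || password || salt), output K_t.
    H is SHA-256 here; that is an assumption, the paper is hash-agnostic.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if not salt:
        raise ValueError("a salt is required so equal passwords do not stretch to equal keys")
    k = bytes(hashlib.sha256().digest_size)          # K_0: all zeros
    for _ in range(iterations):
        k = hashlib.sha256(k + password + salt).digest()
    return k[:out_len]


def stretched_entropy_bits(password_bits: float, iterations: int) -> float:
    """Effective key length against brute force: t iterations add log2(t) bits."""
    return password_bits + math.log2(iterations)


def standard_stretch(password: bytes, salt: bytes, iterations: int, out_len: int = 32) -> bytes:
    """The standardised form of the same idea (PBKDF2 with HMAC-SHA-256), for comparison."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, out_len)


if __name__ == "__main__":
    salt = b"constructed-salt"        # in practice os.urandom(16), stored beside the ciphertext
    pw = b"correct horse"             # constructed low-entropy password
    print("stretched key :", stretch_key(pw, salt, 1 << 16).hex())
    print("pbkdf2 key    :", standard_stretch(pw, salt, 1 << 16).hex())
    print("~20-bit password + 2**16 iterations ->",
          stretched_entropy_bits(20, 1 << 16), "bits of work per guess")
```

The salt is what keeps two users with the same password from ending up with the same key and defeats precomputed tables; the iteration count is the knob that trades the legitimate user's latency for the attacker's cost.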
------------------------------
From: "Mario Contestabile" <[EMAIL PROTECTED]>
Subject: Re: Hardware RNG - Where can I order one?
Date: Sun, 18 Feb 2001 17:29:31 -0500
"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Janusz A. Urbanowicz) writes:
>
> > "The Death" <[EMAIL PROTECTED]> writes:
> >
> > > Where can i buy a good hardware RNG that i can connect to my PC and use to
> > > generate secure random bits?
> >
> > Get a motherboard that is Intel 810 or 815 based. It has one.
>
> Is there a simple way to tell if my mb supports this? It's a Thinkpad
> a20p laptop, PIII processor. Thanks.
You can download and try to install the Intel® Security Driver from
http://developer.intel.com/design/software/drivers/platform/security.htm
It'll fail if your hardware doesn't support it (not 810, 815, 820, 840 and 850)
--
Mario Contestabile
[EMAIL PROTECTED]
------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: "Shuffled ARC4" revisited
Date: Sun, 18 Feb 2001 14:32:22 -0800
"Trevor L. Jackson, III" <[EMAIL PROTECTED]> wrote ...
| "r.e.s." wrote:
|
| > For any stream cipher, it seems to be a potential weakness
| > that each encrypted byte can be matched to the corresponding
| > byte of known plaintext. My pedestrian thinking is that an
| > opponent might discover some exploitable properties of the
| > stream cipher -- properties of ARC4'S state evolution, say --
| > and since plaintext and ciphertext bytes are readily matched,
| > there is then nothing to deter that exploitation. It seems
| > reasonable to consider hardening against even such abstractly
| > conceived threats.
|
| Since the result of adding a permutation to a stream cipher is another
| stream cipher we can conclude that the weakness you presume, that of
| mapping the keystream to the plaintext, is endemic to stream ciphers and
| cannot be addressed by producing a variant stream.
|
| Whatever alignment weakness you find in the original cipher will still be
| present in the variant cipher because it, too, has a 1:1 alignment of keys
| and text.
Yes, combining a *byte-stream* cipher with post-encryption
shuffling of the bytes within each block of its output
could be seen as a "block-stream" cipher that replaces a
byte-stream vulnerability with a block-stream vulnerability.
But your conclusion does not follow, since, although the two
stream ciphers suffer from the same *type* of vulnerability,
it doesn't follow that their practical consequences are
comparable. Surely the matching of PT to CT byte-by-byte
tends to be of more concern than only matching block-by-block.
--r.e.s.
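Added example, mine rather than r.e.s.'s or Trevor's code: a plain ARC4 beside a toy "shuffled" variant that permutes the bytes within each 16-byte block after encryption, and what a holder of one known plaintext/ciphertext pair learns in each case. The block size, the keyed permutation (derived from the key through SHA-256 and random.Random) and the sample key are my assumptions; the thread does not say how the shuffle would be keyed. Against plain ARC4 the pair gives the keystream byte for byte. Against the shuffled variant the naive XOR no longer does, but a block of constant plaintext (padding, a run of spaces) still gives away that block's keystream bytes as an unordered set, which is the block-level residue r.e.s. describes.

```python
import hashlib
import random

BLOCK = 16   # shuffle granularity of the toy variant (my choice; the thread fixes no size)


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain ARC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def block_permutations(key: bytes, n_blocks: int) -> list:
    """Toy keyed shuffle: one secret permutation of BLOCK positions per block, drawn
    from a PRNG seeded from the key. An assumption standing in for whatever
    post-encryption shuffle the thread has in mind."""
    rng = random.Random(int.from_bytes(hashlib.sha256(b"shuffle" + key).digest(), "big"))
    perms = []
    for _ in range(n_blocks):
        p = list(range(BLOCK))
        rng.shuffle(p)
        perms.append(p)
    return perms


def encrypt(key: bytes, pt: bytes, shuffle: bool = False) -> bytes:
    """XOR with the ARC4 keystream, then (optionally) permute bytes within each block."""
    ct = bytes(p ^ k for p, k in zip(pt, rc4_keystream(key, len(pt))))
    if not shuffle:
        return ct
    if len(pt) % BLOCK:
        raise ValueError("toy shuffled variant needs whole blocks")
    out = bytearray()
    for b, perm in enumerate(block_permutations(key, len(pt) // BLOCK)):
        block = ct[b * BLOCK:(b + 1) * BLOCK]
        out.extend(block[perm[k]] for k in range(BLOCK))
    return bytes(out)


def keystream_from_known_plaintext(pt: bytes, ct: bytes) -> bytes:
    """What an observer with one plaintext/ciphertext pair computes: pt XOR ct."""
    return bytes(p ^ c for p, c in zip(pt, ct))


if __name__ == "__main__":
    key = b"constructed-key"
    pt = bytes(BLOCK) + b"known plaintext!"        # one all-zero block, one varied block
    ks = rc4_keystream(key, len(pt))
    plain = keystream_from_known_plaintext(pt, encrypt(key, pt))
    print("plain ARC4: recovered == keystream byte for byte:", plain == ks)
    shuf = keystream_from_known_plaintext(pt, encrypt(key, pt, shuffle=True))
    print("shuffled: recovered == keystream byte for byte:", shuf == ks)
    print("shuffled, constant block: keystream bytes leak as a set:",
          sorted(shuf[:BLOCK]) == sorted(ks[:BLOCK]))
```

The rc4_keystream routine is the reference ARC4; the "Key"/"Plaintext" vector gives ciphertext BBF316E8D940AF0AD3, which is a quick way to tell a faithful implementation from a subtly broken one.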
------------------------------
From: "Vic Drastik" <[EMAIL PROTECTED]>
Subject: Re: Subtle RC4 implementation mistake
Date: Mon, 19 Feb 2001 09:41:40 +1100
> I doubt many people took the time to actually look at this. It's in *Ada*
> after all. I happen to know Ada, so I did, and found (though you wouldn't
> have to actually know Ada to see this) a *really* subtle implementation
> Here's what will happen if you use this code for your crypto:
> o It will always *work*; that is, decryption is, correctly, the opposite
> of encryption, so long as both sides use this code.
> o Most of the time, it will match RC4 exactly for short messages, so you
> may not even spot the problem if you test it against a correct
> implementation.
> o However, for long messages, the keystream will eventually become all
> 0's.
> Yes, you read right. At first, it looks just like RC4, but soon, the
> "ciphertext" is just the plaintext. (Remember Morris's Law?)
> That's a pretty amazing bug, isn't it? Here's the culprit:
> > -- magic swap
> > C.S (C.J) := C.S (C.I) xor C.S (C.J);
> > C.S (C.I) := C.S (C.I) xor C.S (C.J);
> > C.S (C.J) := C.S (C.I) xor C.S (C.J);
Here is a similar bug from the Python Crypto Toolkit - this is the
initialisation routine from the Sapphire stream cipher:
static void Sapphireinit(self, key, keylen)
     Sapphireobject *self;
     unsigned char *key;
     int keylen;
{
    int i;
    unsigned char toswap, keypos, rsum, swaptemp;

    /* start from the identity permutation */
    for (i = 0; i < 256; i++) self->state[i] = i;
    keypos = 0;
    rsum = 0;
    /* note that this loop runs all the way down to i == 0 */
    for (i = 255; i >= 0; i--)
    {
        unsigned int retry_limiter = 0, mask = 1;
        /* smallest all-ones mask that covers i */
        while (mask < i)
            mask = (mask << 1) + 1;
        do
        {
            rsum = self->state[rsum] + key[keypos++];
            if (keypos >= keylen)
            {
                keypos = 0;
                rsum += keylen;
            }
            toswap = mask & rsum;
            /* after 11 misses, force the index into range - a modulus by zero when i == 0 */
            if (++retry_limiter > 11) toswap %= i;
        } while (toswap > i);
        swaptemp = self->state[i];
        self->state[i] = self->state[toswap];
        self->state[toswap] = swaptemp;
    }
    rotor = self->state[1];
    ratchet = self->state[3];
    avalanche = self->state[5];
    last_plain = self->state[7];
    last_cipher = self->state[rsum];
}
Consider the statement
if (++retry_limiter > 11) toswap %= i;
What happens when i reaches 0? Nothing, 4095 times out of 4096. But,
with a probability of 1 in 2**12, the code will try to calculate toswap
MODULUS zero, which will cause an error.
The solution? Simplicity itself - the last iteration of the for loop is
simply not required, because it is trying to find a random index in the
range [0,0] with which to swap the zero-th array variable, so just make the
lower limit of the for loop 1 rather than 0.
This is an individual's error, because I have seen other Sapphire
implementations which implement the PRNG as a separate routine, and
explicitly check for i==0. The implementor in this case rolled the two
routines into one and unfortunately decided to omit this vital check. His
testing, of course, found no errors because he probably ran far fewer than
4096 tests :-)
Vic
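Added example, not Vic's code and not the toolkit's: both swap pitfalls from this post in Python. xor_swap transcribes the quoted Ada "magic swap" and shows why it destroys an entry when both indices coincide. sapphire_pick and sapphire_init transcribe the posted initialisation; next_rsum() stands in for the rsum update so that the i == 0 iteration can be fed twelve odd draws, the 1-in-4096 case, deterministically instead of by running thousands of keys. The lowest parameter is my knob for Vic's fix (start the loop at 1). Python raises ZeroDivisionError where the C original is undefined behaviour (on common hardware a SIGFPE).

```python
def xor_swap(s, i, j):
    """The quoted Ada 'magic swap', transcribed. Correct when i != j; when i == j the
    first statement computes s[i] ^ s[i] == 0 and the entry is destroyed."""
    s[j] = s[i] ^ s[j]
    s[i] = s[i] ^ s[j]
    s[j] = s[i] ^ s[j]


def safe_swap(s, i, j):
    """Temporary-based swap (what the C code's swaptemp does); harmless when i == j."""
    s[i], s[j] = s[j], s[i]


def sapphire_pick(i, next_rsum, retry_limit=11):
    """One iteration's search for a swap index in [0, i], as in the posted Sapphireinit.
    next_rsum() stands in for `rsum = self->state[rsum] + key[keypos++]`; injecting it
    is my device for forcing the rare path."""
    mask = 1
    while mask < i:                      # smallest all-ones mask covering i
        mask = (mask << 1) + 1
    retries = 0
    while True:
        toswap = mask & next_rsum()
        retries += 1
        if retries > retry_limit:
            toswap %= i                  # i == 0 here: ZeroDivisionError (UB in the C)
        if toswap <= i:
            return toswap


def sapphire_init(key: bytes, lowest: int = 0) -> list:
    """Transcription of the posted initialisation. lowest=0 reproduces the posted
    `for (i = 255; i >= 0; i--)`; lowest=1 is Vic's fix (swapping state[0] with
    itself does nothing, so the iteration was never needed)."""
    if not key:
        raise ValueError("empty key")
    state = list(range(256))
    keypos = 0
    rsum = 0

    def next_rsum():
        nonlocal keypos, rsum
        rsum = (state[rsum] + key[keypos]) & 0xFF      # unsigned char arithmetic
        keypos += 1
        if keypos >= len(key):
            keypos = 0
            rsum = (rsum + len(key)) & 0xFF
        return rsum

    for i in range(255, lowest - 1, -1):
        safe_swap(state, i, sapphire_pick(i, next_rsum))
    return state


def posted_loop_can_divide_by_zero() -> bool:
    """Feed the i == 0 iteration nothing but odd rsum values (constructed): twelve
    misses in a row is the 1-in-2**12 case Vic describes."""
    try:
        sapphire_pick(0, lambda: 1)
    except ZeroDivisionError:
        return True
    return False


def fixed_loop_is_permutation(key: bytes) -> bool:
    """With the lower limit at 1 the loop still produces a full permutation of 0..255."""
    return sorted(sapphire_init(key, lowest=1)) == list(range(256))


if __name__ == "__main__":
    print("posted loop can fault at i == 0:", posted_loop_can_divide_by_zero())
    print("fixed loop yields a permutation:", fixed_loop_is_permutation(b"constructed key"))
```

The lesson common to both bugs is the one Vic draws: a failure that only shows up with probability 2**-12 per key, or only after many keystream bytes, will not be caught by a handful of round-trip tests, so a key schedule wants a deterministic test of its edge iterations (i == 0, i == j) rather than encrypt/decrypt symmetry alone.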
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: CipherText patent still pending
Date: Sun, 18 Feb 2001 22:38:12 GMT
Benjamin Goldberg wrote:
> Yes, it could be. I was merely objecting to your [sarcastic?]
> statement that the scientific community "knows" that it is one
> or the other.
My point was, assume that it *is* known that P=NP; what difference
does it actually make? It would *not* mean that suddenly,
effective methods of cracking all PK cryptosystems magically
became available.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: "Shuffled ARC4" revisited
Date: Sun, 18 Feb 2001 22:39:54 GMT
"r.e.s." wrote:
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote ...
> | "r.e.s." wrote:
> | > For any stream cipher, it seems to be a potential weakness
> | > that each encrypted byte can be matched to the corresponding
> | > byte of known plaintext.
> | That's not a general property of stream ciphers.
> It is in the present context of byte-stream ciphers.
> If we generalize to stream ciphers using other than
> byte-size symbols, then the same property exists in
> those terms. Have I missed something constructive
> in your comment?
Yes, namely that stream ciphers can be "autokey" or convolutional.
In which case there is little to distinguish them from block
ciphers on this score.
------------------------------
From: dynastic @cwcom.net (Jim)
Subject: Re: National Security Nightmare?
Reply-To: Jim
Date: Sun, 18 Feb 2001 22:46:43 GMT
On Sun, 18 Feb 2001 12:12:36 +0000, John Naismith <[EMAIL PROTECTED]>
wrote:
>On Sat, 17 Feb 2001 19:23:34 GMT, dynastic @cwcom.net (Jim) wrote:
>
>>Exactly the same thing happens here. Where's here? The so-called United
>>Kingdom.
>>
>>Crypto isn't banned, but they can demand your keys, and if you fail to
>>provide them they lock you up.
>
>The way to defeat this is quite simply not to know what your
>passphrase is. Sounds weird? I'll try to explain. Use a PRNG to
>generate, say a 100 character passphrase. Now there's no way you can
>remember this. You can now legitimately claim that you do not know
>your passphrase. Encrypt it (or them if you need multiple passphrases)
>into one file for which you *do* know the passphrase and cut/paste
>them when you need to use them. Now hide the encrypted file in a
>BMP/JPEG/whatever and upload it to your webpages or some other remote
>storage. You then aren't even storing it locally, and can keep a
>"corrupted" copy locally and express astonishment when your known
>passphrase doesn't unlock it. It wouldn't take much to create some
>files in the same directory that would indicate that the machine
>crashed with the file open and corrupted it (running Windows, or
>having kids helps here <g>).
Good thinking!
>
>>Russia isn't unique in being an undemocratic country!
>
>Indeed. Jack Straw is somewhat to the right of Ghengis Khan ;-)
Some say he's so far left he's right. Circular politics.
Being a socialist myself, I wouldn't wipe my arse with him!
--
___________________________________________
Posted by Jim Dunnett
We've spent three matches chasing
a football. -- Kevin Keegan.
dynastic at cwcom.net
nordland at lineone.net
'We have to control the number of people
travelling' -- GNER spokesman.
__________________________________________
------------------------------
From: dynastic @cwcom.net (Jim)
Subject: Re: �������� �� ������ �� ������
Reply-To: Jim
Date: Sun, 18 Feb 2001 22:46:44 GMT
On Sat, 17 Feb 2001 16:01:38 -0500, "Ryan M. McConahy"
<[EMAIL PROTECTED]> wrote:
>What the heck is this???
Russian.
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Fractal encryption?
Date: Sun, 18 Feb 2001 23:48:34 -0000
S. Welsh wrote in message <1iFh6.6017$[EMAIL PROTECTED]>...
>Group,
> I am not a crypto expert, indeed I have only basic knowledge of
>encryption techniques. However, I am curious to know if such a programme
>exists that allows one to use a fractal rather than a textual code to
>encrypt a document. If this sort of thing is purely Star Treknology, then
>please tell me, likewise if it is not!
>
>Thanks in advance,
>
>Sam.
Yeah, Star trek Generations :)
I have pondered this question myself in the past and have concluded that
Fractal Encryption is not a clever scheme.
It is easy to see why, take a look at a typical fractal, say the mandelbrot
set, there are large areas where it is plain black. In order for a fractal
to be a good cipher, it would have to produce white noise really.... Stick
with Rijndael :)
Simon.
------------------------------
From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security,comp.security,alt.2600
Subject: Re: The Kingdom of God
Date: Mon, 19 Feb 2001 01:27:44 GMT
"Douglas A. Gwyn" wrote:
>
> William Hugh Murray wrote:
> > SHE would not waste her time in this thread.
>
> No, "she" implies definite knowledge of femininity,
> while "he" is neutral. I know that the leftists
> have corrupted our educational system to the extent
> that "political correctness" is being taught with
> its bogus notions about the English language as
> well as other things, but instead of giving in to
> such philosophical terrorism it should be resisted.
Perhaps. The problem with your position is that as a result of the
pervasive use of the masculine, many people have come to believe that
not only does God have gender but also that that gender is masculine.
They go on to the position that because God is masculine that that is
the superior gender. It does not take much theology to recognize that
God would be, by definition, greater than gender, would transcend
gender. I use the feminine, not because I pretend to know God's gender
but because I want to provoke people into thinking about it. I certainly
do not do it to be "correct," politically or otherwise.
------------------------------
Crossposted-To: alt.security,comp.security,alt.2600
From: [EMAIL PROTECTED] (nemo outis)
Subject: Re: The Kingdom of God
Date: Mon, 19 Feb 2001 01:42:07 GMT
One of my pet peeves is the PC application of "their" instead of "his" in
order to avoid gender bias, as in "everyone should do their duty," and the PC
alternation of "his" and "hers" and "she" and "he." However, I can
cheerfully accept, as not too violent to the language, some recent usages
such as metonymy by substituting "chair" for "chairman." The most egregious
example I have encountered (and, believe me, other neologisms, such as
"herstory" make me wince) is "person-person" for "mailman."
OTOH I once read a copy of the British criminal code from the turn of the
century in which rigid application of the English grammatical principle of
using the male gender to stand for all mankind was preposterous. Paraphrasing,
one section of it said, "If any person procure for himself [sic] a miscarriage
[i.e., abortion], he [sic] shall be guilty of a felony."
Regards,
In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:
>William Hugh Murray wrote:
>> SHE would not waste her time in this thread.
>
>No, "she" implies definite knowledge of femininity,
>while "he" is neutral. I know that the leftists
>have corrupted our educational system to the extent
>that "political correctness" is being taught with
>its bogus notions about the English language as
>well as other things, but instead of giving in to
>such philosophical terrorism it should be resisted.
------------------------------
From: Bram Labarque <[EMAIL PROTECTED]>
Subject: Re: Steganography with ASCII text files
Date: Mon, 19 Feb 2001 01:53:46 GMT
On Sun, 11 Feb 2001 15:21:12 +0100, Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> Modern steganography is commonly done on graphical files
> through manipulation of pixel values. The operations done
> are in my humble view not very convenient to implement and
> require, above all, the availability of graphical files.
> I think therefore that it may be valuable to investigate the
> possibility of using the normally more easily available ASCII
> text files (as cover) instead.
>
> In order to elicit much better ideas from the readers, I am
> taking the liberty to present some preliminary thoughts about
> a fairly simple, in fact trivial, scheme for discussion.
>
> We note that in a HTML file the texts are separated into
> paragraphs, in general with the tags <P> and (optional) </P>.
> The browser automatically breaks lines independent of how
> the user types in his material for a given paragraph
> (excepting that line-breaks can be forced with <BR>). In
> other words, the layout of the text of a HTML file itself
> can be essentially arbitrary without effecting the appearance
> of the document as displayed by the web browser. This is a
> well-known feature of convenience offered by HTML and is
> appreciated by all who write web documents. We can now
> exploit this freedom for our purpose by having any paragraph
> of a chosen (cover) text appropriately written into the HTML
> file in, say, n lines (n depends on the given paragraph but
> may be varied within sufficiently wide limits, if the
> paragraph is not too short). With a PRNG and an agreed-upon
> seed (the 'key'), or an equivalent method of choice, we can
> now determine a subset of them consisting of m lines and
> arrange (through appropriate allocation of the words among
> the lines) to have the words in these lines in such a way
> that the number of words of each line modulo 2 (i.e. even/odd)
> gives a bit (0/1) that belongs to the sequence (plaintext or
> ciphertext) to be transmitted. (n may refer to the whole
> document instead of the individual paragraphs, if one likes.)
>
> We note that in general the sender will not send the HTML
> file but publish his document at a site such that the
> receiver can access and get a copy of the HTML file at
> his convenience, thus rendering it easier for the latter
> to keep his anonymity.
>
> M. K. Shen
> ------------------------
> http://home.t-online.de/home/mok-kong.shen
Hello
I just wanted to mention there is a program SNOW that I think fits part of your
description:
It uses ASCII plaintext. Maybe its technique is usable/extendable to HTML text or
HTML formatting.
http://www.darkside.com.au/snow/index.html
Greetings Bram
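Added example, mine rather than Shen's or SNOW's code: the word-count-parity scheme from the quoted post, in Python. The agreed seed selects which lines carry bits (I use random.Random(key).sample over every line but the last, which absorbs the leftover words); a carrier line gets six words for a 0 and seven for a 1, and the receiver reads each carrier's word count modulo 2. The cover paragraph is constructed. visible_text checks the property the scheme relies on: the browser-rendered text is the same whatever the line layout.

```python
import random

# Constructed cover paragraph; a real cover would be any ordinary web text.
COVER_WORDS = ("The quick brown fox jumps over the lazy dog while the patient cat watches "
               "from the garden wall and the old farmer counts his sheep before the evening "
               "rain begins to fall across the quiet valley below the hills where nobody has "
               "walked for many long and peaceful years").split() * 2


def carrier_lines(key: str, n_lines: int, n_bits: int) -> list:
    """The agreed seed picks which m of the n lines carry a bit. Assumption: the
    choice is random.Random(key).sample over all lines but the last, sorted."""
    rng = random.Random(key)
    return sorted(rng.sample(range(n_lines - 1), n_bits))


def embed(words: list, bits: list, key: str, n_lines: int, base: int = 6) -> str:
    """Lay the cover words out in n_lines lines inside <P>..</P>. A carrier line gets
    an even word count for 0 and an odd one for 1 (base words, or base+1 to flip)."""
    bit_for = dict(zip(carrier_lines(key, n_lines, len(bits)), bits))
    lines, pos = [], 0
    for ln in range(n_lines - 1):
        count = base
        if ln in bit_for and count % 2 != bit_for[ln]:
            count += 1                       # one extra word flips the parity
        lines.append(" ".join(words[pos:pos + count]))
        pos += count
    if pos >= len(words):
        raise ValueError("cover paragraph too short for this many lines and bits")
    lines.append(" ".join(words[pos:]))      # last line absorbs the remainder, never a carrier
    return "<P>\n" + "\n".join(lines) + "\n</P>"


def paragraph_lines(html: str) -> list:
    """The lines as laid out in the HTML source between <P> and </P>."""
    body = html[html.index("<P>") + 3:html.index("</P>")]
    return body.strip("\n").split("\n")


def extract(html: str, key: str, n_bits: int) -> list:
    """Receiver side: same seed, same line subset, read each carrier's word count mod 2."""
    lines = paragraph_lines(html)
    return [len(lines[i].split()) % 2 for i in carrier_lines(key, len(lines), n_bits)]


def visible_text(html: str) -> str:
    """What the browser shows: line breaks inside <P> collapse to single spaces."""
    return " ".join(" ".join(paragraph_lines(html)).split())


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0]
    page = embed(COVER_WORDS, secret, "agreed seed", n_lines=10)
    print(page)
    print("recovered:", extract(page, "agreed seed", len(secret)))
    print("rendered text unchanged:", visible_text(page) == " ".join(COVER_WORDS))
```

Capacity is at most one bit per carrier line, so a paragraph of n lines holds fewer than n bits; the detection concern, which the quoted post leaves open, is that line lengths chosen this way need not look like those a text editor or a human would produce.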
------------------------------
From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security,comp.security,alt.2600
Subject: Re: The Kingdom of God
Date: Mon, 19 Feb 2001 01:50:50 GMT
"Trevor L. Jackson, III" wrote:
> > Yes. And your security point is what? In any case, by definition,
> > God's will is done.
>
> This thesis (sorry) implies that resistance to god's will is futile, and
> reduces most theological texts (Book of Mormon, Koran, Bible, etc.) into
> attitude adjustments. Whither free will?
>
> The presumed congruence between divine and human wills makes the precedence
> ambiguous. Just who is the willer and who is the willee, god or the human?
Did you ever think about the lyrics of the song "If I ruled the world?"
Do you remember the line in the movie "Oh God" in which God says, "I
never figured out how to make something with an inside and no outside,"
or, "I made math too hard." How about St. Anselm's proof for the
existence of God?
Let us not forget where this thread began and start to take it too
seriously. However, I do not think that the positions are
irreconcilable. If there is free will for man, it is because God
consents to it. Man did not create it and could not rebel without the
freedom to do so. If God consents to it, then, by definition, it is
God's will. If God is anything like Markku J. Saarelainen
<[EMAIL PROTECTED]> seems to think of him/her as being, then
he/she does not have to consent to free will for man if he/she does not
want to. This is of course the inconsistency in the position that
started the thread. Indeed, it is the central problem of that theology
that wants to portray God as all loving and good and wants to put all
the responsibility for evil in the world on man or Satan. I do not
pretend to know the answer but I can certainly appreciate the question.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************