Cryptography-Digest Digest #765, Volume #13      Wed, 28 Feb 01 14:13:01 EST

Contents:
  Re: how long can one Arcfour key be used?? (Benjamin Goldberg)
  Re: Was there ever a CRM-114 Discriminator? (Mike Rosing)
  Re: => FBI easily cracks encryption ...? (Frank Gerlach)
  Re: Super strong crypto (David Wagner)
  Re: philosophical question? (Frank Gerlach)
  Re: Keystoke recorder (Ben Cantrick)
  Re: Hash strength question (Benjamin Goldberg)
  Re: => FBI easily cracks encryption ...? (Paul Rubin)
  Re: philosophical question? (Mike Rosing)
  Re: philosophical question? (Frank Gerlach)
  Re: philosophical question? (Joe H. Acker)
  Re: encryption and information theory (Benjamin Goldberg)
  Re: Keystoke recorder (Mike Rosing)
  Re: A few questions (Benjamin Goldberg)

----------------------------------------------------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: how long can one Arcfour key be used??
Date: Wed, 28 Feb 2001 18:19:54 GMT

Tom St Denis wrote:
> 
> "Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
> news:97j936$vvt$[EMAIL PROTECTED]...
> >
> > Tom St Denis <[EMAIL PROTECTED]> wrote in message
> > news:jW8n6.257260$[EMAIL PROTECTED]...
> > >
> > > "Julian Morrison" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > "Scott Fluhrer" <[EMAIL PROTECTED]> wrote:
> > > >
> > > > >> Also, does anyone know how this varies with key length and
> > > > >> number-of-mixes (N in CipherSaber-2)?
> > > > > Is 'number-of-mixes' the number of passes you do during key
> > > > > setup (with 1 being standard RC4)?
> > > >
> > > > Yes.
> > > >
> > > > > If so, then no, that has no effect.
> > > >
> > > > Ok. How about key length? One of my intended algorithms will use
> > > > throwaway from-scratch DH to setup a key, but creating DH primes
> > > > for a full length 256 byte RC4 key would take several minutes a
> > > > pop, way too slow. (I'm doing it this way so as to have "forward
> > > > security" - once the transaction is over, there should be no way
> > > > to decrypt it from wiretap records and a siezed machine.)
> > >
> > > RC4 can't possibly use keys bigger than 1684 bits in length.  So
> > > using a 256-byte key while "amazing" is actually quite useless. 
> > > The intelligent thing to do is to SHA256/TIGER192/MD5128/etc your
> > > DH secret and use that as a key into RC4.
> > >
> > > > For example, CipherSaber suggests a 62 byte key + IV; for how
> > > > long could that be used?
> > >
> > > The length of the key is irrelevant.  A small key makes brute
> > > force easier but once you pass 64 bits it becomes virtually
> > > impossible to perform the task.
> > I'm sure Tom knows, but to emphasize: that's 64 bits of entropy, not an
> > arbitrary 64 bits.  64 bits which make up an 8-letter dictionary word are
> > quite easy to brute force if the attacker guesses that's what you did.
> 
> Agreed.  Of course putting ASCII into RC4 directly is a "dumb" idea.  It
> severely cripples the key generation process.
> 
> Tom

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
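
The key-handling advice in the thread (hash the DH secret rather than feeding raw bytes or ASCII to RC4, and count entropy rather than key length), as an added example that is not code from any of the posters. RC4 and the CipherSaber-2 style repeated key setup are implemented as in the public descriptions; the 32-byte "DH shared secret" is a constructed stand-in, no DH is performed, and the 10-byte IV length is CipherSaber's choice. The keyspace function shows why an 8-letter lowercase key is nowhere near 64 bits of work.

```python
import hashlib
import math
import secrets


def rc4_ksa(key: bytes, passes: int = 1) -> list:
    """RC4 key schedule.  passes=1 is plain RC4; passes>1 is the repeated
    mixing of CipherSaber-2.  Because i runs 0..255 and indexes key[i % len],
    only the first 256 key bytes ever touch S, whatever the key length."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for _ in range(passes):
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes, passes: int = 1) -> bytes:
    """XOR data with the RC4 keystream (encryption and decryption are the same)."""
    S = rc4_ksa(key, passes)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(shared_secret: bytes, iv: bytes) -> bytes:
    """Hash the DH shared secret together with a per-message IV down to a
    32-byte RC4 key, instead of feeding the raw DH value (or ASCII) to the KSA."""
    return hashlib.sha256(shared_secret + iv).digest()


IV_LEN = 10  # CipherSaber sends a 10-byte random IV in the clear


def encrypt_message(shared_secret: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(IV_LEN)
    return iv + rc4_crypt(derive_key(shared_secret, iv), plaintext)


def decrypt_message(shared_secret: bytes, blob: bytes) -> bytes:
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    return rc4_crypt(derive_key(shared_secret, iv), ciphertext)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of keys an attacker has to try: the entropy that
    actually protects you, not the bit length of the key string."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed 32-byte stand-in for a DH shared secret (no real DH here).
    secret = secrets.token_bytes(32)
    blob = encrypt_message(secret, b"forward-secure transaction")
    assert decrypt_message(secret, blob) == b"forward-secure transaction"
    print("8 lowercase letters: %.1f bits" % keyspace_bits(26, 8))   # 37.6
    print("8 random bytes:      %.1f bits" % keyspace_bits(256, 8))  # 64.0
```

A fresh IV per message matters here because RC4 is a stream cipher: two messages under the same derived key would XOR to the XOR of their plaintexts.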

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Was there ever a CRM-114 Discriminator?
Date: Wed, 28 Feb 2001 12:15:40 -0600

Dennis Ritchie wrote:
> Yes, 1964.  And the "poe" might have had some second-level reference
> to Edgar Allan, but the main one was "purity of essence": General Jack
> D.
> Ripper's revealed belief in fluoridation as a Commie plot that
> sapped his precious bodily fluids.  If I recall correctly (it's
> been a while) the code that was eventually put into the CRM-114 was
> just the permutation "ope".

Yeah, I'd forgotten that part.  Maybe that's why I hate Trivial Pursuit games :-)

> > One thing I *can* testify to though: the computer room in which
> > Peter Sellers discovers the left-behind portable radio which tells
> > him civilian radio in Alaska is still on the air was an absolutely
> > accurate rendering of an IBM 7094 machine room. In fact, I'm almost
> > certain it was shot on location in a *real* such machine room.
> 
> I'm pretty certain of that as well.  I don't think a set designer
> would bother to reproduce the smallish extra-index-register display
> box atop the main console.

I played with one of those in high school.  IBM set it up for a week and
a few of us geeks went in and played tic-tac-toe on it.  The idea was
to get us sucked into computers.  It worked :-)

I sure don't remember what it looked like, other than it pretty much filled
the room it was in!

Patience, persistence, truth,
Dr. mike

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Wed, 28 Feb 2001 19:18:35 +0100

Some time ago the FBI put a recording device into the PC of a mobster,
who used PGP. 
I assume they did the same with that guy - or he used some incredibly
bad software.
If the NSA had broken RSA, they would never, ever tell the public. 
For example, they did not immediately arrest the nuclear moles
(Rosenbergs et al), because they considered the breach of soviet codes
much more important than nuclear secrets.
I also suspect this whole story is a hoax; why would this guy write about
"I believe I have detected repeated bursting radio signal emanations from
my vehicle" and STILL go to the maildrop ??

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Super strong crypto
Date: 28 Feb 2001 18:27:00 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Douglas A. Gwyn wrote:
>If you
>can devise a practical attack on the example I
>posted as "phase 2", I would appreciate hearing it.

Actually, I already did that.   See my previous post on
chosen-plaintext/ciphertext attacks.  (And, note that I did not have to
invent an implausible-looking block cipher to make the attack work.)

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers,de.sci.informatik.misc,sci.math
Subject: Re: philosophical question?
Date: Wed, 28 Feb 2001 19:33:19 +0100

Hmm, 
my philosophical input is that what we experience as "physical
randomness" might be the pseudo-random noise generated by the huge
simulation we call "universe". In this model, the guy/gal who wrote that
simulation is "god". 
Before some semi-enlightened agnostics flame me, just consider the
following: There is an experiment (don't recall its name at the moment),
which creates two photons in a single process. Both photons fly away in
opposite directions. Upon measuring the polarization of one photon, the
other photon's polarization will be "determined" with infinite speed. It
doesn't matter how far these two light particles are apart, they will
always expose this symmetry. 
Now, what does this have to do with the mentioned "huge simulation" ?
Maybe it just shows that the universe is a machine with a finite number
of bits, which describe its state.

Maybe we will at some point learn much more about this machine, and
maybe "physical randomness" will appear not so random any more .....

------------------------------

From: [EMAIL PROTECTED] (Ben Cantrick)
Subject: Re: Keystoke recorder
Date: 28 Feb 2001 11:37:16 -0700


  This is not really a cryptography question - you're probably better
off asking in comp.security.misc. That said...

In article <[EMAIL PROTECTED]>,
Alberto  <[EMAIL PROTECTED]> wrote:
>It's seems that the easiest way to access encrypted data is to gain
>access to the target computer and install such device.

  "Easiest" is a pretty subjective term. I'd think that Van Eck/Tempest
snooping would be the easiest way in terms of how much risk you have
to put yourself at. You don't have to trespass to Van Eck snoop, and
there's no way to prove you did it. The equipment is relatively expensive,
however.

>Have you ever seen one of them? How does it look like?

  They come in a couple of forms. First of all, there's the plain old
software keysnoops. These are just programs that you run on the
computer. They just make a copy of all the keystrokes by monitoring
the keyboard. There are endless variations on these programs, and
almost as many ways to get them into the computer.

  Then there are the hardware dongles. These are (usually) small 
boxes, cylinders, or discs that you plug in between the keyboard and
the computer. They watch the data going by and record it. Generally
they can't record nearly as much data as the software types, since they
can't use the computer's hard disk as data storage.

>How can you defend yourself against this kind of attack?

  Defend absolutely? I don't think you can. There are preventive
measures you can take, but no security is perfect. There's always
another way around.

  You can prevent people from installing dongles by physically securing
the machine. The usual way to do this is to lock up the CPU box in a
metal cabinet and run cables back out to the keyboard and monitor. You'll
have to be careful that there isn't a plug at the keyboard end of the
keyboard cable. Even if there's not, anyone with a knife and a soldering
iron can always cut the cable and splice a bug into the cable. They can also
open up the keyboard itself with a screwdriver and install a bug inside it.
You may be better off putting the whole machine in a secured room where,
in theory at least, unauthorized people can't get to it.

  Preventing people from installing software on the machine is a decent
way to prevent software keyboard snoopers from being installed. The problem
is that on current operating systems this is a lot easier said than done.
Even with the CPU box locked up, a malicious hacker can just flip open
a web browser, surf to his website where he's left the keysnooper software,
download it, and install it. And that's not even taking into account things
like BackOrifice and all the other remote attacks that can be used to
subvert your computer from across the Internet without the snooper
even having to be physically present.

  Running a well-secured, open-source OS will help a lot. A good,
minimal distro of Linux (NOT, NOT, NOT Redhat. NOT EVER Redhat.)
that has been competently locked down by someone who knows what they're
doing, or the various BSD flavors, would probably work. But it may also
make the computer unusable by the people who need to use it. You pay your
money and you take your chances....


          -Ben
-- 
Ben Cantrick ([EMAIL PROTECTED])        |   Yes, the AnimEigo BGC dubs still suck.
BGC Nukem:     http://www.dim.com/~mackys/bgcnukem.html
The Spamdogs:  http://www.dim.com/~mackys/spamdogs
http://www.cultdeadcow.com/cDc_files/cDc-0329.txt

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Hash strength question
Date: Wed, 28 Feb 2001 18:38:21 GMT

Ack, my mistake.

What I wanted was to seed each hash context with a prefix of different
length, while still having some of the properties of using an index as a
seed.  Obviously "0" and "00" are bad (call it a brain fart -- I should
have seen the problem with them myself).  Maybe "01" and "001" ?

There's a couple of reasons I want to use XOR, though, things I don't
get from using a hash of hashes.

1) XOR is of course much faster.

2) Suppose that the hashes produced are 128 bits in length.  Now suppose
that one bit of the input is changed.  This results in one of the output
hashes changing with (1-1/2^128) probability.  If I hash the hashes, the
odds of the final result changing are (1-1/2^128)^2.  If I XOR the
hashes, the probability of the final result changing is (1-1/2^128).

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
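
The prefix-seeding question above, as an added example that is not the poster's code. The exact scheme under discussion is not visible in this digest, so the construction is assumed: one hash context per message part, each seeded with its own prefix, combined either by XOR or by hashing the concatenated digests. The point it shows is why "0" and "00" are bad seeds: one is a prefix of the other, so the same string can be hashed in two different contexts and the contexts stop being separated; "01" and "001" are prefix-free and do not have that problem.

```python
import hashlib
from functools import reduce


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def combine_xor(prefixes, parts) -> bytes:
    """XOR of H(prefix_i || part_i), one seeded context per part (assumed form)."""
    return reduce(xor_bytes, (h(pre + part) for pre, part in zip(prefixes, parts)))


def combine_hash_of_hashes(prefixes, parts) -> bytes:
    """H(H(prefix_1 || part_1) || H(prefix_2 || part_2) || ...)."""
    return h(b"".join(h(pre + part) for pre, part in zip(prefixes, parts)))


def is_prefix_free(prefixes) -> bool:
    """No seed may be a prefix of another; otherwise prefix_a || x can equal
    prefix_b || y and the two contexts hash the very same string."""
    return not any(a != b and b.startswith(a) for a in prefixes for b in prefixes)


BAD = [b"0", b"00"]      # "0" is a prefix of "00"
GOOD = [b"01", b"001"]   # neither is a prefix of the other

# Constructed inputs: under BAD both hash exactly the strings "00a" and "00b",
# just assigned to the opposite contexts, so the XOR cannot tell them apart.
M1 = [b"0a", b"b"]
M2 = [b"0b", b"a"]

if __name__ == "__main__":
    print(is_prefix_free(BAD), is_prefix_free(GOOD))        # False True
    print(combine_xor(BAD, M1) == combine_xor(BAD, M2))    # True  (collision)
    print(combine_xor(GOOD, M1) == combine_xor(GOOD, M2))  # False
    print(combine_xor(BAD, [b"0a", b"a"]) == bytes(32))    # True  (XOR cancels)
```

The last line is the worst case for the XOR combiner: with ambiguous seeds, two parts that collapse to the same hashed string cancel to an all-zero digest. Hashing the concatenated digests keeps the order of the parts, so it does not collide on M1/M2, but it loses context separation just the same when the seeds overlap.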

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: 28 Feb 2001 10:39:52 -0800

[EMAIL PROTECTED] (nemo outis) writes:
> It's completely speculative on my part, but the likelihood is that the attack 
> was made on the passphrase rather than the underlying algorithm. 

There's some info about this in the indictment which is on the Washington
Post web site.  Apparently they seized his Palm Pilot and used info from it.

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers,de.sci.informatik.misc,sci.math
Subject: Re: philosophical question?
Date: Wed, 28 Feb 2001 12:41:50 -0600

Peter Osborne wrote:
> Is randomness a kind of information ?
> Is it the highest density of information (that we are not able to
> understand)?
> Is it merely the opposite of information?

You're also confusing "information" with "meaning".  Everything can
also be viewed as a "signal", but we just don't know what it means.

> Can there be a fundamental difference between pseudo-randomness and
> real randomness (e.g. generated by radioactive decay or thermal
> noise), especially under these aspects mentioned above?

Yup.  As Douglas pointed out, PRNGs use a small set of data compared with
HRNGs which use the whole universe (now that's philosophy!).  Unpredictability
comes from not knowing, which may be related to Heisenberg.  You gain
meaning and predictability by understanding the origins of signals.  Things
appear "random" when they are unpredictable, i.e. we don't know what it
means or how it happened.

Fun stuff to think about for sure :-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers,de.sci.informatik.misc,sci.math
Subject: Re: philosophical question?
Date: Wed, 28 Feb 2001 19:36:47 +0100

Before you ask; there is no way to use the mentioned symmetry to
transmit information, because you can only measure the polarization, you
cannot control it. But this method has already been used to transmit a
one-time-pad for cryptographic purposes. And if physicists do not come
up with something totally new, it is provably unbreakable.
Frank Gerlach wrote:
> 
> Hmm,
> my philosophical input is that what we experience as "physical
> randomness" might be the pseudo-random noise generated by the huge
> simulation we call "universe". In this model, the guy/gal who wrote that
> simulation is "god".
> Before some semi-enlightened agnostics flame me, just consider the
> following: There is an experiment (don't recall its name at the moment),
> which creates two photons in a single process. Both photons fly away in
> opposite directions. Upon measuring the polarization of one photon, the
> other photon's polarization will be "determined" with infinite speed. It
> doesn't matter how far these two light particles are apart, they will
> always expose this symmetry.
> Now, what does this have to do with the mentioned "huge simulation" ?
> Maybe it just shows that the universe is a machine with a finite number
> of bits, which describe its state.
> 
> Maybe we will at some point learn much more about this machine, and
> maybe "physical randomness" will appear not so random any more .....

------------------------------

From: [EMAIL PROTECTED] (Joe H. Acker)
Crossposted-To: sci.crypt.random-numbers,de.sci.informatik.misc,sci.math
Subject: Re: philosophical question?
Date: Wed, 28 Feb 2001 19:38:41 +0100

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:

> You have gotten some nonsensical answers from "philosophers".
> From the point of view of the formal discipline of information
> theory, information is a measure of surprise in the data with
> respect to your prior expectations about the data.  Therefore,
> uniformly random data conveys the maximum possible amount of
> information.

Talking about "surprise" and "expectations" is actually a
misinterpretation of information theory. I'm much too lazy to look up
the exact definition right here, but you and I know that information
theory defines "information" in probabilistic terms. Now what I was
trying to point out is that there's a large gap between that sense of
information and the sense in which we ordinarily use it. Although people
have tried to reduce the term "information" to the information-theoretic
definition (e.g. Dretske, "Knowledge and the Flow of Information"), you
cannot honestly say that they have succeeded. 

One reason for the gap between these two concepts is that you have to
explicitly define in information theory which events actually are
occurrences of signs. The sign-system is closed and you abstract from the
interpretation of the signs. However, this is not how communication
between humans works. The informativity of a sign for a human depends on
factors like shared knowledge, "canonical" or "literal" meaning and
reflexive considerations (see e.g. Lewis, "Conventions"). It also
depends on the circumstances of use of the sign.

To randomness: The information-theoretical definition that a random sign
occurrence conveys the highest amount of information (relative to the
sign-system in consideration), is quite meaningless. When I win the
jackpot, a random occurrence of a sign might be very informative to me,
but when I listen to white noise on my radio, it might not. Randomness
itself does not convey any information; it is, of course, the meaning I
associate with random events (as signs) that can be informative or not.

A clear distinction between these two concepts is also relevant to
cryptography, but especially relevant to steganography. And I'm pretty
sure you are aware of that.

Regards,

Erich
   

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: encryption and information theory
Date: Wed, 28 Feb 2001 18:47:49 GMT

Mok-Kong Shen wrote:
> 
> John Savard wrote:
> >
> [snip]
> >
> > More precisely: if the message contains N bits of information, and
> > occupies M bits of bandwidth, and the key is K bits long, the entropy
> > of the encrypted message is N+K bits, *or* M bits, whichever is
> > less.
> >
> > In the case of RSA encryption, given that you know the public key,
> > no increase of entropy takes place.
> 
> In the sense of crypto, entropy is related to the difficulty
> for the opponent to decrypt, I suppose. How does one explain
> that a key enhances entropy in the symmetric case but not in
> the asymmetric case, as you stated above? Thanks.

Because RSA encryption is a known transformation which has an inverse.

Also, you can 'break' RSA encryption [by factoring] without even having
a message to look at.

With symmetric encryption, breaking the system [by brute force]
effectively consists of subtracting the entropy of the plaintext from the
entropy of the ciphertext, producing the entropy of the key.

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Keystoke recorder
Date: Wed, 28 Feb 2001 12:53:16 -0600

Alberto wrote:
> 
> It's seems that the easiest way to access encrypted data is to gain
> access to the target computer and install such device.
> 
> Have you ever seen one of them? How does it look like? How can you
> defend yourself against this kind of attack?

check this out:
http://www.ahandyguide.com/Directory/Computers/Security/Products_and_Tools/Keyloggers_and_Spyware/

Lock up your computer so it can't be tampered with by anyone but you.
You also need a good faraday cage to prevent EM transmission.  The simplest 
way to defend yourself is to not be a target :-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: A few questions
Date: Wed, 28 Feb 2001 18:59:04 GMT

Simon Johnson wrote:
> 
> Koen Van Baelen <[EMAIL PROTECTED]> wrote in message
> news:yHXm6.33453$[EMAIL PROTECTED]...
> > Hi everybody,
> > I've got two questions :
> >
> > 1 :
> > How can I generate real random numbers? And i don't mean the numbers
> > generated by the 'random' functions you find in all programming
> > languages. I want something that produces totally unpredictable
> > numbers. I know there's  some mathematical theory for producing
> > random numbers, so if anybody knows about it, pleasy let me know!
> 
> No algorithm can produce real random data; for this you need to
> exploit entropy in your computers hardware or get a piece of hardware.

Right -- for "totally unpredictable" numbers, a hardware RNG is the way
to go.

> If your after an algorithm, there are many choices, RC4 usually being
> a favorite for most things.  For really secure pseudo-random numbers
> use BBS... Its simple:
> 
> Pick two _large_ primes that are congruent to 3 mod 4. Multiply the
> two together to form a large integer, n. You now no longer need the
> two primes, but they must remain secret. Now, you supply a seed, x(0)
> which is less than the size of n. Iterate the following:
> 
>                             x(i) = x(i-1)^2 mod n
> 
> The least log(2,n) bits of x(i) are the pseudo-random output for each
> iteration. This system is slow, but we know there is no faster way to
> crack this generator than factoring n into its primes. Exactly how
> hard factoring is has yet to be determined but evidence suggests its
> difficult.

Of course, the problem with BBS [and, indeed, any PRNG], is that you
have to have a good source of randomness to create your starting state.
In the case of BBS, the start state includes both the primes and x(0).

Therein lies a paradox -- you have to get randomness to make randomness.

> Basically, there are alot of PRNGs out there so be careful when you
> choose make sure that it suits your application.

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.

PS, although the primes and x(0) need to remain secret, the BBS n value
does not, unless it's small enough for enemies to factor.  In fact, in
the system the BBS generator was designed for, n is a public key, an
encryptor generates his own x(0), uses it and n to encrypt a message,
and sends the encrypted message and the final x(i) value.  The
decryptor, who knows the two primes which make up n, can calculate x(0)
from x(i), but no one else can.
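
The BBS generator described above and the public-key use of it in the PS, as an added worked example that is none of the posters' code. The primes are toy-sized so that the run is instant (a real n must be far too large to factor); the example takes a few low-order bits per squaring (about log2 log2 n, the usual BBS parameter), starts from x(0) = seed^2 mod n so that the state is a quadratic residue, and shows the trapdoor: whoever holds p and q walks from the final x(i) back to x(0) by taking the residue square root x^((p+1)/4) mod p (valid because p ≡ 3 mod 4) and combining with CRT, then regenerates the keystream. The message text is constructed.

```python
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def next_blum_prime(start: int) -> int:
    """Smallest prime p >= start with p ≡ 3 (mod 4)."""
    p = start
    while not (p % 4 == 3 and is_prime(p)):
        p += 1
    return p


def bits_per_step(n: int) -> int:
    """Roughly floor(log2(log2 n)) low-order bits per squaring."""
    return max(1, n.bit_length().bit_length() - 1)


def bbs_keystream(x0: int, n: int, nbits: int):
    """Run x_i = x_{i-1}^2 mod n from x0, taking the low bits of each state.
    Returns (bits, x_t, t): the keystream, the state after t squarings, and t."""
    k = bits_per_step(n)
    bits, x, t = [], x0, 0
    while len(bits) < nbits:
        bits.extend((x >> b) & 1 for b in range(k))
        x = pow(x, 2, n)
        t += 1
    return bits[:nbits], x, t


def crt(a: int, p: int, b: int, q: int) -> int:
    """x with x ≡ a (mod p) and x ≡ b (mod q), for coprime p, q."""
    return (a + p * (((b - a) * pow(p, -1, q)) % q)) % (p * q)


def bbs_step_back(x: int, n: int, p: int, q: int, steps: int) -> int:
    """Trapdoor inverse: undo 'steps' squarings.  With p, q ≡ 3 (mod 4) the
    square root that is itself a residue is x^((p+1)/4) mod p, so the holder
    of the factors walks the sequence backwards; anyone else must factor n."""
    for _ in range(steps):
        rp = pow(x % p, (p + 1) // 4, p)
        rq = pow(x % q, (q + 1) // 4, q)
        x = crt(rp, p, rq, q)
    return x


def _xor_stream(data: bytes, bits) -> bytes:
    return bytes(byte ^ sum(bits[8 * i + j] << j for j in range(8))
                 for i, byte in enumerate(data))


def bg_encrypt(n: int, seed: int, msg: bytes):
    """Encryptor side: x0 = seed^2 mod n (a residue, hence recoverable),
    stream-XOR the message, and send the final state x_t alongside."""
    x0 = pow(seed, 2, n)
    bits, xt, t = bbs_keystream(x0, n, 8 * len(msg))
    return _xor_stream(msg, bits), xt, t


def bg_decrypt(p: int, q: int, ct: bytes, xt: int, t: int) -> bytes:
    """Decryptor side: recover x0 from x_t with the factors, then regenerate."""
    n = p * q
    x0 = bbs_step_back(xt, n, p, q, t)
    bits, _, _ = bbs_keystream(x0, n, 8 * len(ct))
    return _xor_stream(ct, bits)


if __name__ == "__main__":
    p, q = next_blum_prime(10000), next_blum_prime(20000)  # toy, trivially factorable
    n = p * q
    seed = secrets.randbelow(n - 2) + 2       # the encryptor's private x(0) source
    ct, xt, t = bg_encrypt(n, seed, b"attack at dawn")
    print(bg_decrypt(p, q, ct, xt, t))        # b'attack at dawn'
```

Note what the two parties need: the encryptor uses only the public n and its own random seed, while the decryptor needs p and q, which is exactly why the primes must stay secret even though n is published.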

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
