Cryptography-Digest Digest #766, Volume #13      Wed, 28 Feb 01 17:13:00 EST

Contents:
  Re: Sad news, Dr. Claude Shannon died over the weekend. (Charles Blair)
  Re: COMP128 (Marc)
  Re: => FBI easily cracks encryption ...? (William Hugh Murray)
  Re: In RSA, how d is calculated? ("david Hopkins")
  what is the use for MAC(Message Authentication Code ), as there can be digital 
signature? ("david Hopkins")
  Re: Keystoke recorder (William Hugh Murray)
  Re: super-stong crypto, straw man phase 2 (William Hugh Murray)
  The AES draft FIPS is out!!! (Volker Hetzer)
  Re: Keystoke recorder (Ichinin)
  Re: philosophical question? (Johannes H Andersen)
  Re: Improved stream cipher? (was: Re: Simple, possibly flawed, stream cipher) 
("Henrick Hellström")
  Re: CipherText patent still pending ("Prichard, Chuck")
  Re: The AES draft FIPS is out!!! ("Tom St Denis")
  Re: encryption and information theory (Mok-Kong Shen)

----------------------------------------------------------------------------

Subject: Re: Sad news, Dr. Claude Shannon died over the weekend.
From: [EMAIL PROTECTED] (Charles Blair)
Date: Wed, 28 Feb 2001 19:26:06 GMT

   I have a recollection of an interview with Claude Shannon in
Cryptologia shortly after the Hodges biography of Turing was published.
Shannon said that he did NOT talk about cryptography with Turing---
perhaps both men were concerned about security.

------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: Re: COMP128
Date: 28 Feb 2001 19:30:28 GMT

>By having IMSI and KI and also some special hardware
>("Session-Interface" / "Inverse Reader", about 100$) you are able to
>emulate a SIM card on a fast PC, thus phoning for free.

Don't forget that you don't "phone for free".  You don't create
"new" IMSI+KI pairs, but clone the identity of someone else. And,
to do so you need physical access to his SIM and his PIN (unless
you build a malicious base station).

A by far easier method of "phoning for free" is to just insert
his SIM (which you already have) into a mobile, enter his PIN
(which you already know) and call whoever you want to talk to.

Note also that D2 - under public pressure - have limited their
SIMs to not respond to more than 10000 challenges.  You're not
able to carry out the necessary 150000 calculations.


I see only a few good applications of the COMP128 hack.  I'd like
to see an enhanced SIM, for example, one with more phonebook
entries or SMS end-to-end encryption, or a SIM switcher with 2
or more identities that cycle on every powerup (much like the
dual sim batteries).  I hardly believe that any of this will
ever become reality though.

------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Wed, 28 Feb 2001 19:26:36 GMT

nemo outis wrote:

> It's completely speculative on my part, but the likelihood is that the attack
> was made on the passphrase rather than the underlying algorithm.
>
> The primary methods include direct observation (e.g., keylogger,

What I had in mind.  Installed only after he became a target.

> video,
> Tempest) and dictionary/brute-force attacks on the passphrase.
>
> There is the possibility of known-plaintext attacks on the cipher by using a
> honeypot with alluring information that is likely to be transmitted in
> enciphered form verbatim (in whole or part).
>
> There is also the very real possibility of human foibles such as carelessness
> revealing the encryption.
>
> Rarely is the cipher the weak link in the chain.

Agreed.

> However, from the nature
> of this case there is a genuine possibility that the most powerful methods and
> unlimited resources were (successfully?) applied to decryption.

In days to weeks?   Perhaps against the pass-phrase in that time.  Maybe even
against 56 bits but why would a spy be using that?  A spy that it took them 15 years
to catch?

> So the real question is: Has the NSA tipped its hand or is this just their SOP
> of obfuscation?

Perhaps.  I find it easier to believe that the FBI lies than that the NSA leaks or
even cooperates.

> Regards,
>
> In article <di3n6.7849$[EMAIL PROTECTED]>, "Open FleshWound"
> <[EMAIL PROTECTED]> wrote:
> >FBI: Hanssen suspected he was under surveillance
> >
> >February 27, 2001
> >Web posted at: 9:36 PM EST (0236 GMT)
> >
> >From staff and wire reports
> >
> >WASHINGTON -- Accused spy Robert Hanssen suspected he was under government
> >surveillance, telling his Russian contacts "something has aroused the
> >sleeping tiger," the FBI said in an affidavit released Tuesday.
> >
> >The comment came from a letter that FBI officials said was encrypted on a
> >computer diskette found in a package -- taped and wrapped in a black plastic
> >trash bag -- that Hanssen dropped underneath a foot bridge in a park in
> >Northern Virginia, immediately before his arrest.
> >
> >The FBI decrypted the letter and described it in an affidavit filed in
> >support of its search warrant.
> >
> >Hanssen, a 25-year veteran in the FBI and a counterintelligence expert, was
> >arrested February 18 and charged with spying for the Soviet Union and later
> >Russia over a period of 15 years, dating back to the waning days of the Cold
> >War.
> >
> >FBI Director Louis Freeh said Hanssen, 56, was paid $1.4 million in cash and
> >diamonds for passing top-secret information to Russians.
> >
> >He was arrested after FBI agents watched him allegedly drop off a package of
> >classified information at a park near his northern Virginia home, which was
> >to be picked up by his Russian handlers.
> >
> >The package and letter retrieved by authorities were meant for his Russian
> >handlers, FBI officials said.
> >
> >"Dear Friends," the letter reads, according to the affidavit. "I thank you
> >for your assistance these many years. It seems, however, that my greatest
> >utility to you has come to an end, and it is time to seclude myself from
> >active service.
> >
> >"Since communicating last, and one wonders if because of it, I have been
> >promoted to a higher do-nothing senior executive job outside of regular
> >access to information within the counterintelligence program. It is as if I
> >am being isolated. Furthermore, I believe I have detected repeated bursting
> >radio signal emanations from my vehicle ... Something has aroused the
> >sleeping tiger. Perhaps you know better than I."
> >
> >Hanssen also said he strongly suspected the Russians "should have concerns
> >for the integrity of your compartment concerning knowledge of my efforts on
> >your behalf."


------------------------------

From: "david Hopkins" <[EMAIL PROTECTED]>
Subject: Re: In RSA, how d is calculated?
Date: Wed, 28 Feb 2001 19:38:37 GMT

I saved it months ago. I can't find the URL now. Sorry.

"Ryan M. McConahy" <[EMAIL PROTECTED]> wrote in message
news:3a9c4bd8$0$30009$[EMAIL PROTECTED]...
> Where is the website for the RSA demonstration that you got that from?
>
>
>
>



------------------------------

From: "david Hopkins" <[EMAIL PROTECTED]>
Subject: what is the use for MAC(Message Authentication Code ), as there can be 
digital signature?
Date: Wed, 28 Feb 2001 19:41:53 GMT

Why use a MAC (Message Authentication Code),
when there can be a digital signature?

thanks



------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Keystoke recorder
Date: Wed, 28 Feb 2001 19:49:21 GMT

Ben Cantrick wrote:

>   This is not really a cryptography question - you're probably better
> off asking in comp.security.misc. That said...
>
> In article <[EMAIL PROTECTED]>,
> Alberto  <[EMAIL PROTECTED]> wrote:
> >It's seems that the easiest way to access encrypted data is to gain
> >access to the target computer and install such device.
>
>   "Easiest" is a pretty subjective term. I'd think that Van Eck/Tempest
> snooping would be the easiest way in terms of how much risk you have
> to put yourself at. You don't have to trespass to Van Eck snoop, and
> there's no way to prove you did it. The equipment is relatively expensive,
> however.

I think about the cost of attack as work, access, indifference to detection,
special knowledge, and time to detection and corrective action (WAIST).  These are
fungible; the more of any one of these I have, the less I require of the others.

This accounts for the difference.  If I have access and am indifferent to
detection, I can minimize work with breaking and entering.  If I am sensitive to
detection or do not have access but do not mind work or care how long it takes,
then I use eavesdropping.  Clearly there are preferences but it can be very
objective.  Try it, you'll like it.



------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: super-stong crypto, straw man phase 2
Date: Wed, 28 Feb 2001 19:51:35 GMT

"Douglas A. Gwyn" wrote:

> William Hugh Murray wrote:
> > In any case, most of us do not worry about keeping secrets from
> > nation states for a long time.
>
> Well, you should!

I admit that I do like to confound authority.


------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: The AES draft FIPS is out!!!
Date: Wed, 28 Feb 2001 21:18:19 +0100

Check http://csrc.nist.gov/encryption/aes/ .
Greetings!
Volker
--
They laughed at Galileo.  They laughed at Copernicus.  They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.

------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Keystoke recorder
Date: Sat, 24 Feb 2001 14:34:05 +0100

Alberto wrote:
> 
> It's seems that the easiest way to access encrypted data is to gain
> access to the target computer and install such device.
> 
> Have you ever seen one of them?

Yupp..

> How does it look like?

basically:

1 part keyboard (or window) hook
+
1 ounce of Windows sockets
+
2 spoons of tricking the user to run the code (i.e. add a "dancing pig")

> How can you
> defend yourself against this kind of attack?

Educate the users. Enforce user policies. Utilise host- and network-based
intrusion detection systems.

> Thanks.
> Alberto

No problemo.

Regards,
Ichinin

------------------------------

From: Johannes H Andersen <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers,de.sci.informatik.misc,sci.math
Subject: Re: philosophical question?
Date: Wed, 28 Feb 2001 20:32:33 -0800
Reply-To: [EMAIL PROTECTED]



Simon Johnson wrote:
> 
> Dirk Van de moortel <[EMAIL PROTECTED]> wrote in
> message news:9g5n6.35596$[EMAIL PROTECTED]...
> > "Peter Osborne" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > > Hi there!
> > >
> > > RANDOMNESS / RANDOM NUMBERS
> > >
> > > Maybe that point is not that simple at all, maybe it concerns too
> > > many topics like statistics, math, cryptanalysis and even religion...
> > >
> > > As I dealt with cryptography and HRNG circuits, I often ask myself:
> > >
> > > Is randomness a kind of information ?
> > > Is it the highest density of information (that we are not able to
> > > understand)?
> > > Is it merely the opposite of information?
> > >
> > > Can there be a fundamental difference between pseudo-randomness and
> > > real randomness (e.g. generated by radioactive decay or thermal
> > > noise), especially under these aspects mentioned above?
> >
> > Not so philosophical: I think, if I remember well, that information can be
> > defined as something that provides an answer to a Yes-No question.
> > I don't think randomness can do this.
> 
> Randomness is the same as unpredictability. When unpredictability is at its
> maximum, information content is also at its maximum. To demonstrate this,
> think of compression. If i compressed this text, the information per
> character in the compressed document would clearly be greater than if it
> were not compressed. Yet on visual inspection of the compressed data, it
> appears more random.
> 
> Simon.

Quite true. If the compressed data appear to have some structure, then this
structure can be exploited to compress the data even more. At the final
stage, the compressed data appear completely random.

However, the unpredictability of randomness looks like a paradox. E.g.
pseudo-random numbers are entirely predictable. Also, if a truly randomly
generated sequence is stored, next time it is used, is it predictable?

However, unpredictability is somewhat subjective, depending on the knowledge
of the system. Only quantum unpredictability is fundamental, or so we
have been told by the great masters. Perhaps randomness can't be completely
defined, yet we know it when we see it.

Johannes

------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Improved stream cipher? (was: Re: Simple, possibly flawed, stream cipher)
Date: Wed, 28 Feb 2001 21:49:11 +0100

"Benjamin Goldberg" <[EMAIL PROTECTED]> skrev i meddelandet
news:[EMAIL PROTECTED]...
> Henrick Hellström wrote:
> > Here is a similar cipher that shouldn't be vulnerable to Scott Fluhrer's
> > attack. These are the changes:
> >
> > * Instead of initializing x to 1, x is initialized to state[7].
>
> If this is done, then we no longer can do hardware pipelining to one
> clock per byte.

That is possibly true, but the initialization of x to 1 was what ultimately
made Scott Fluhrer's attack possible.


> > * Instead of adding either 0 or 1 to state[i] depending on a single
> >   bit of x, x is added to state[i].
>
> Hmm.  Perhaps, but does it actually make analysis harder?

Statistical attacks, yes - linear analysis, possibly no.


> > * In order to prevent attacks that exploit differential relations on
> >   state[i], the state array is shifted up one byte and state[0] is set
> >   to the value of the cipher text.
>
> Mixing in the ciphertext does not necessarily help, and may hurt,
> especially if a chosen ciphertext attack is allowed.

Generally speaking, perhaps, but it is not trivially true in this case.


> In fact, we may even be able to find some [fixed!] chosen plaintext
> which causes the cipher state to synchronize to some particular value,
> or which will cause the exact state [or a trivially reversible transform
> of it] to be output.

Hm, no, such an attack would be provably impractical. Synchronization just
_might_ happen as a result of a chosen plain text or chosen cipher text
attack, but only with the same probability as if it would occur by chance.

The proof is simple: We are able to choose state[0] since (state1[0] =
CipherText0). Note that (state1[1] = (state0[0] + state0[7]) mod 256).
Hence, state1[1] will only take the desired value if state0[7] already has
the desired value, and the probability of that is 1/256. Furthermore, the
value of state1[7] depends with an equal weight on all values
state0[0],...,state0[7], so there is no way to get state[7] to converge
separately from all of the other values.


--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com



------------------------------

From: "Prichard, Chuck" <[EMAIL PROTECTED]>
Subject: Re: CipherText patent still pending
Date: Wed, 28 Feb 2001 21:14:21 GMT

A good algorithm does a fair amount of work to obfuscate a message
by creating possible solutions, and then articulating one of them.

Simply knowing the logic that was applied does not render the message
insecure unless the key is known. Poor algorithms can be attacked through
flaws in the encryption scheme, good ones cannot.

I have done some analysis of the algorithm based on a matrix of possible
solutions added by the algorithm itself. The algorithm is very
simple, yet difficult to analyse because of the data-dependent shifts and
options. From this analysis, I determined that there are more solutions
if some mask characters are added to what I call the modified key used
in the second round. So I added this to the algorithm, altering a single
line of code.

It is not a block cipher, and key length is unknown. An experienced
attacker can look at a message and suspect that some characters are
spaces. This is a possible weakness. But there is a staggered pattern of
applied bits, and it is a lot of work guessing what this bit pattern will
be based on the frequency of spaces in the plaintext. When several mask
values are substituted in the modified key, the resulting message is
improved.

The algorithm supports two modes, but I am only interested in
substantiating the worth of the more sophisticated mode that creates a
key attribute, a truncated modified key, and rotates the modified key,
replacing some values with mask elements.

The resulting message has been double ciphered with a pattern that does
not repeat for n^2 - n elements. In many applications this can exceed the
length of a string, giving an attacker no repeating sequence to find. The
message would seem to have a fair amount of integrity, provided a
sophisticated root key has been used, and that the original message has
some diversity.

The implementation is simple, and has many possible applications.


I could mathematically introduce CipherText with the following
explanation:

(Assume zero offset, symmetric mode to derive the simplest mathematical
explanation)

To encode a message M with eight elements: M(0..7):

Taking a root key R with four elements: R(0..3)

Determining its attribute: A = {0 ^ R(0) + A^R(1) + A^R(2)+A^R(3)}

The Modified rootkey is first reversed and then truncated on one end.

So that: R' = R(3..1) or R' = R(2..0)

Then a rotation is applied to R' and a mask value is inserted with each
shift from the array:

[9,29,19,6,13,5,24,25,19,7,21,9,3,30,10,15,19,18,22,19,8,18,30,1,11,2,27,
27,15,27,1,15]

So for each possible shift there are 32 possible added solutions.

R'_SHIFT = A % length (R)  so that R' then becomes either (in the case
that none of the above values have been substituted) :

R' = R(2,1,0)
R'=R(0,2,1)
R'=R(1,0,2)
R'= R(3,2,1)
R'=R(1,3,2)
R'=R(2,1,3)

Then CIPHER_SHIFT = LENGTH(M) % LENGTH(R)

8 % 4 = 0 (No shift)

So that  for cipher pass one applying R to M:

C(0) =  chr((ord(R(0)-32) ^ ord(M(0)-32)) + 32)
C(1) =  chr((ord(R(1)-32) ^ ord(M(1)-32)) + 32)
C(2) =  chr((ord(R(2)-32) ^ ord(M(2)-32)) + 32)
C(3) =  chr((ord(R(3)-32) ^ ord(M(3)-32)) + 32)
C(4) =  chr((ord(R(0)-32) ^ ord(M(4)-32)) + 32)
C(5) =  chr((ord(R(1)-32) ^ ord(M(5)-32)) + 32)
C(6) =  chr((ord(R(2)-32) ^ ord(M(6)-32)) + 32)
C(7) =  chr((ord(R(3)-32) ^ ord(M(7)-32)) + 32)

And for cipher pass 2 applying R' to C:

Then CIPHER_SHIFT = LENGTH(M) % LENGTH(R')

8 % 3 = 2  (2 shift for first cipher)

C'(0) =  chr((ord(R'(2)-32) ^ ord(C(0)-32)) + 32)
C'(1) =  chr((ord(R'(0)-32) ^ ord(C(1)-32)) + 32)
C'(2) =  chr((ord(R'(1)-32) ^ ord(C(2)-32)) + 32)
C'(3) =  chr((ord(R'(2)-32) ^ ord(C(3)-32)) + 32)
C'(4) =  chr((ord(R'(0)-32) ^ ord(C(4)-32)) + 32)
C'(5) =  chr((ord(R'(1)-32) ^ ord(C(5)-32)) + 32)
C'(6) =  chr((ord(R'(2)-32) ^ ord(C(6)-32)) + 32)
C'(7) =  chr((ord(R'(0)-32) ^ ord(C(7)-32)) + 32)

C' is the resulting ciphertext message.

To illustrate the strength of the algorithm:

If a known key R and a known plaintext message M are given, how many
solutions or possibilities exist for C'?

This ratio would be a fair indication of the amount of work done by the
algorithm to encrypt the message.

Initially one thinks there are few solutions and from the cancelling
caused by double ciphers it looks quite easy. The problem is perplexing
when expanding the keys.

I call this my 'reverse matrix' analysis. It shows the diversity of
possible solutions encountered in developing a reversing algorithm or
decryption tool for CipherText.

-Charles Prichard
"Benjamin Goldberg" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Prichard, Chuck wrote:
> [snip]
> > The resulting bit pattern that is applied to a message when a
> > sophisticated root key is used has a fair amount of integrity, and
> > the algorithm itself though simple, cannot be reverse engineered.
>
> Earlier, I said "prove it" to this part of your post.  This was a silly
> mistake of mine.  I should have said, "Who the bleep cares that it
> can't be reverse engineered?  You've already *given* us the algorithm!"
>
> --
> A solution in hand is worth two in the book.
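
The two passes Prichard lays out above, written out as an added example (my code, not the poster's) so the "how many solutions for C'" question can be checked directly: because both passes XOR the same offset values, they collapse into one periodic keystream, so for a known R and M there is exactly one C', and wherever the two passes pick the same key character (positions 0 and 5 of an 8-character message) they cancel and the ciphertext character equals the plaintext character. Assumptions: zero offset, symmetric mode, no mask substitution, R' = R(2,1,0), printable-ASCII input, and the post's `ord(R(0)-32)` read as `ord(R(0)) - 32`; the sample message and key are constructed.

```python
from math import gcd

# Toy two-pass XOR cipher as described in the post, using the author's
# printable-offset trick: operate on ord(x) - 32 and add 32 back afterwards.
# Assumed here (not stated in the post): plaintext and key are printable ASCII,
# and "ord(R(0)-32)" means ord(R(0)) - 32.

def xor_pass(text, key, shift):
    """One cipher pass: C(i) = chr(((ord(key[(i+shift) % len(key)]) - 32)
    ^ (ord(text[i]) - 32)) + 32)."""
    n = len(key)
    return "".join(
        chr(((ord(key[(i + shift) % n]) - 32) ^ (ord(ch) - 32)) + 32)
        for i, ch in enumerate(text)
    )

def modified_key(root):
    """R' = R reversed, then truncated on one end: R(2), R(1), R(0).
    Zero offset, symmetric mode, no mask substitution (the post's simplest case)."""
    return root[:len(root) - 1][::-1]

def encrypt(message, root):
    """Pass 1 applies R with CIPHER_SHIFT = len(M) % len(R);
    pass 2 applies R' with CIPHER_SHIFT = len(M) % len(R')."""
    r2 = modified_key(root)
    c = xor_pass(message, root, len(message) % len(root))
    return xor_pass(c, r2, len(message) % len(r2))

def decrypt(ciphertext, root):
    """Each XOR pass is its own inverse, so undo them in reverse order."""
    r2 = modified_key(root)
    n = len(ciphertext)
    c = xor_pass(ciphertext, r2, n % len(r2))
    return xor_pass(c, root, n % len(root))

def effective_keystream(root, length):
    """Both passes XOR offset values, so they compose into a single keystream
    k[i] = k1[i] ^ k2[i] that repeats with period lcm(len(R), len(R'))."""
    r2 = modified_key(root)
    s1, s2 = length % len(root), length % len(r2)
    return [
        (ord(root[(i + s1) % len(root)]) - 32) ^ (ord(r2[(i + s2) % len(r2)]) - 32)
        for i in range(length)
    ]

def cancelled_positions(root, length):
    """Positions where the two passes cancel, i.e. C'(i) == M(i)."""
    return [i for i, k in enumerate(effective_keystream(root, length)) if k == 0]

def keystream_from_pair(message, ciphertext):
    """One known (M, C') pair determines the whole keystream position by position."""
    return [(ord(m) - 32) ^ (ord(c) - 32) for m, c in zip(message, ciphertext)]

def keystream_period(root):
    a, b = len(root), len(modified_key(root))
    return a * b // gcd(a, b)

if __name__ == "__main__":
    M, R = "ATTACK!!", "Key1"  # constructed sample message and root key
    C = encrypt(M, R)
    print(repr(C), decrypt(C, R) == M)
    print("period:", keystream_period(R), "cancelled:", cancelled_positions(R, len(M)))
```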



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: The AES draft FIPS is out!!!
Date: Wed, 28 Feb 2001 21:54:54 GMT


"Volker Hetzer" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Check http://csrc.nist.gov/encryption/aes/ .
> Greetings!
> Volker

A postscript is available at

http://tomstdenis.home.dhs.org/nist_aes.ps.gz

Tom



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: encryption and information theory
Date: Wed, 28 Feb 2001 23:05:25 +0100



Benjamin Goldberg wrote:
> 
> Mok-Kong Shen wrote:
> >
> > John Savard wrote:
> > >
> > [snip]
> > >
> > > More precisely: if the message contains N bits of information, and
> > > occupies M bits of bandwidth, and the K is K bits long, the entropy
> > > of the encrypted message is N+K bits, *or* M bits, whichever is
> > > less.
> > >
> > > In the case of RSA encryption, given that you know the public key,
> > > no increase of entropy takes place.
> >
> > In the sense of crypto, entropy is related to the difficulty
> > for the opponent to decrypt, I suppose. How does one explain
> > that a key enhances entropy in the symmetric case but not in
> > the asymmetric case, as you stated above? Thanks.
> 
> Because RSA encryption is a known transformation which has an inverse.
> 
> Also, you can 'break' RSA encryption [by factoring] without even having
> a message to look at.
> 
> With symmetric encryption, breaking the system [by brute force]
> effectively consists of subtracting the entropy of the plaintext from the
> entropy of the ciphertext, producing the entropy of the key.

From the point of view of the opponent, I don't see
any 'inherent' difference between breaking, say, RSA and
AES. Both require 'efforts'.

I think that one has in the asymmetric case to consider the
'entropy' of the private key. For, while in the symmetric
case one has a single key, in the asymmetric case it is
the ensemble of the public and the private key that
constitutes the 'key' that we have to consider in the
current context.

M. K. Shen
===========================
http://home.t-online.de/home/mok-kong.shen

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
