Cryptography-Digest Digest #772, Volume #13       Thu, 1 Mar 01 18:13:01 EST

Contents:
  Re: how long can one Arcfour key be used?? ("Henrick Hellström")
  RC4 like stream cipher ("Tom St Denis")
  Re: OverWrite freeware completely removes unwanted files fromharddrive (Anthony Stephen Szopa)
  Re: confused:Diffie-Hellman is key agreement,  how about RSA? Is RSA  both algorithm and keyagreement? (Richard Wash)
  Re: Safe to use DSS key for DH? ("Henrick Hellström")
  Re: confused:Diffie-Hellman is key agreement,  how about RSA? Is RSA   (William Hugh Murray)
  Re: OverWrite freeware completely removes unwanted files fromharddrive (Doug Kuhlman)
  Re: confused:Diffie-Hellman is key agreement,  how about RSA? Is RSA  both algorithm and keyagreement? (DJohn37050)
  Re: OverWrite freeware completely removes unwanted files fromharddrive (Anthony Stephen Szopa)
  Re: Urgent DES Cipher source code !!!!! ("Tom St Denis")
  Re: confused:Diffie-Hellman is key agreement,  how about RSA? Is RSA  both algorithm and keyagreement? ("Tom St Denis")
  Re: => FBI easily cracks encryption ...? (Tony L. Svanstrom)
  Re: AES FIPS ("Scott Fluhrer")
  Re: AES FIPS (John Myre)
  Re: How to find a huge prime(1024 bit?) (Free-man)

----------------------------------------------------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: how long can one Arcfour key be used??
Date: Thu, 1 Mar 2001 21:14:50 +0100

"Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
news:jW8n6.257260$[EMAIL PROTECTED]...
> RC4 can't possibly use keys bigger than 1684 bits in length.  So using a
> 256-byte key while "amazing" is actually quite useless.  The intelligent
> thing to do is to SHA256/TIGER192/MD5128/etc your DH secret and use that as
> a key into RC4.


In fact, you will have key collisions for keys smaller than 1684 bits.

It is e.g. easy to construct a pair of (128+k)-byte keys (k > 1) that result
in identical key data. This is so because the last 2*k bytes of each key
correspond to pair-wise transpositions that are applied only once. These
transpositions may be selected to be equivalent between the keys and to
result in the same value of the variable j at the beginning of step 128+k+1.

Example: Assume that k = 2, that after 126 transpositions D[126] = 126,
D[127] = 127, D[128] = 128, and that J = 0 for both keys K0 and K1.
Let K0[126] = 0, K0[127] = 130, K0[128] = 129. Equivalent to
(126 126)(127 127)(128 128), with J = 126, J = 127, J = 128.
Let K1[126] = 1, K1[127] = 130, K1[128] = 130. Equivalent to
(126 127)(127 126)(128 128), with J = 127, J = 126, J = 128.
Let K0[I] = K1[I] for I unequal to 126, 127, 128.

I don't know for sure if there are any key collisions for smaller keys, but
I find it most likely.


--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com
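The construction Henrick sketches, worked through in code as an added example (not Henrick's or Tom's code): key bytes at positions p >= 256 - len(key) are consumed by the RC4 key schedule exactly once, so two keys that differ only there can steer j so that both leave the same state. Key 0 makes each once-used step a self-swap (j = i); key 1 swaps the first two such positions and then swaps them back, after which both keys follow the same schedule. The shared prefix bytes and the function names (`rc4_ksa`, `rc4_keystream`, `colliding_keys`) are constructed for this demo.

```python
# RC4 key collisions for keys longer than 128 bytes, built as described
# in the post: positions p >= 256 - len(key) are touched once by the KSA.

def rc4_ksa(key):
    """Standard RC4 key-scheduling algorithm; returns the 256-entry state."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key, n):
    """First n keystream bytes of RC4 under `key` (standard PRGA)."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def colliding_keys(prefix, key_len=130):
    """Return two distinct `key_len`-byte keys with identical RC4 state.

    `prefix` gives the first 256 - key_len bytes, shared by both keys. The
    remaining 2*(key_len - 128) bytes (used once each) are solved so that
    the KSA's j lands on chosen targets: key 0 uses j = i (no-op swaps),
    key 1 swaps the first two once-used positions and swaps them back.
    key_len >= 130 (k >= 2) keeps the final j equal as well, as in the post.
    """
    k = key_len - 128
    first = 256 - key_len                   # first once-used position (126 for 130)
    if k < 2 or len(prefix) != first:
        raise ValueError("need key_len >= 130 and a prefix of 256 - key_len bytes")
    once = list(range(first, key_len))      # the 2k positions used exactly once
    targets0 = {i: i for i in once}
    targets1 = dict(targets0)
    targets1[once[0]], targets1[once[1]] = once[1], once[0]

    keys = []
    for targets in (targets0, targets1):
        s = list(range(256))
        j = 0
        for i in range(first):              # replay the shared prefix
            j = (j + s[i] + prefix[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        suffix = bytearray()
        for i in once:                      # pick the byte that forces j = target
            suffix.append((targets[i] - j - s[i]) & 0xFF)
            j = targets[i]
            s[i], s[j] = s[j], s[i]
        keys.append(bytes(prefix) + bytes(suffix))   # positions >= key_len reuse the prefix
    return keys[0], keys[1]

if __name__ == "__main__":
    k0, k1 = colliding_keys(bytes(range(126)))      # constructed prefix
    print("distinct keys:", k0 != k1)
    print("same keystream:", rc4_keystream(k0, 32) == rc4_keystream(k1, 32))
```

The practical consequence is the one Tom draws in the quoted text: hash the agreed secret down to a key of at most 128 bytes rather than feeding a long secret to RC4 directly, since above that length distinct keys can share a state.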



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: RC4 like stream cipher
Date: Thu, 01 Mar 2001 20:25:33 GMT

I invented a cute RC4 like keystream generator.  It's basically a mix of RC4
and Knuth's Algorithm B (Vol2).  The C code is below.

The idea is to fill a 256 byte state with a permutation of 0..255 and
maintain two 8-bit indices into the array.  To get the next byte you
perform the following.

1.  t1 <= S[sx]
2.  Swap S[sx] with S[sy]
3.  sy <= (sx + 1) mod 256
4.  sx <= t1
5.  return t1

The algorithm is very fast too.  I can make 16mbyte of output in about 3
seconds (this includes writing to a file) using TurboC (a 16-bit compiler).

The swap in step two is to update the state of the permutation such that it
changes over time, making it ("in theory") harder to break.  The addition in
step 3 is to avoid small cycles, much like the addition in RC4.  The thing I
can't wrap my head around is whether returning "sx = t1" is a good idea.  In two
consecutive bytes you will know (?, sx), (sx + 1, sx'); we know now that sx'
= S[sx], so we learn a byte of the table, but since we don't know the first
sy we don't know what S[sx] holds after the first byte.

However, looking at the 2nd and 3rd byte we have { (sx + 1, sx'), (sx' + 1,
sx'') } where we know the "first" sy value.

Perhaps step three should read

3. sy <= (sy + sx + 1) & 255

Thus sy is never directly revealed.

Tom

/* state */
unsigned char s[256], sx, sy;

/* get the next byte */
unsigned char nbyte(void)
{
 unsigned char t1, t2;

 /* get current value */
 t1 = s[sx];

 /* swap s[sy] with s[sx] */
 t2 = s[sy]; s[sy] = s[sx]; s[sx] = t2;

 /* update the indices */
 sy = (sx + 1) & 255;
 sx = t1;

 return t1;
}
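Tom's generator in Python with both versions of step 3, as an added example that is not his code, plus a tracker that records what a passive observer of the output can pin down using only the two relations he states (the next sx is the byte just output, and under the original step 3 the next sy is the previous sx plus one). Tom's post shows no key setup, so the starting permutation and indices come from a seeded shuffle, an assumption made for the demo; `Gen`, `observer_table` and `demo` are names chosen here.

```python
import random

class Gen:
    """Tom's RC4-like generator; mixed_step3=True uses sy <= (sy + sx + 1) & 255."""
    def __init__(self, seed, mixed_step3=False):
        rng = random.Random(seed)             # constructed key setup (not from the post)
        self.s = list(range(256))
        rng.shuffle(self.s)
        self.sx, self.sy = rng.randrange(256), rng.randrange(256)
        self.mixed = mixed_step3

    def nbyte(self):
        t1 = self.s[self.sx]                                          # 1. t1 <= S[sx]
        self.s[self.sx], self.s[self.sy] = self.s[self.sy], self.s[self.sx]  # 2. swap
        if self.mixed:
            self.sy = (self.sy + self.sx + 1) & 255                   # proposed step 3
        else:
            self.sy = (self.sx + 1) & 255                             # original step 3
        self.sx = t1                                                  # 4. sx <= t1
        return t1                                                     # 5. return t1

def observer_table(output):
    """Table entries an observer can fix from the output alone, assuming the
    original step 3: at step n, sx = out[n-1] and sy = out[n-2] + 1, so from
    the third byte on both swap positions are public and out[n] = S[sx].
    Returns {position: value} for the table after the last byte."""
    known = {}
    for n in range(2, len(output)):
        sx, sy = output[n - 1], (output[n - 2] + 1) & 255
        known[sx] = output[n]                       # step 1 reveals S[sx]
        a, b = known.get(sx), known.get(sy)         # step 2 moves the entries
        known.pop(sx, None)
        known.pop(sy, None)
        if a is not None:
            known[sy] = a
        if b is not None:
            known[sx] = b
    return known

def demo(seed=1, nbytes=4096, mixed=False):
    """Run the generator, then check the observer's table against the real one.
    Returns (entries pinned down, whether every one of them is correct)."""
    g = Gen(seed, mixed_step3=mixed)
    out = bytes(g.nbyte() for _ in range(nbytes))
    known = observer_table(out)
    return len(known), all(g.s[p] == v for p, v in known.items())

if __name__ == "__main__":
    print("original step 3:", demo())
    print("mixed step 3:   ", demo(mixed=True))
```

With the original step 3 every entry the tracker records is correct, which is the leak Tom worries about made concrete: the output stream is a walk through the table whose indices it also announces. The proposed step 3 breaks the tracker's sy relation, but note that it hides only the single unknown starting sy, not the rest of the index sequence.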



------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker
Subject: Re: OverWrite freeware completely removes unwanted files fromharddrive
Date: Thu, 01 Mar 2001 12:29:37 -0800

network_noadle wrote:
> 
> On Wed, 28 Feb 2001, Anthony Stephen Szopa wrote:
> 
> <snipped for brevity>
> > >
> > > >
> > > >
> > > > This is no trivial matter.
> > >
> > > Of course it is.
> >
> >
> >> (snipped nonsense)
>
>


You only talk a good stick.

Yet you have done nothing but a bunch of hand waving.

If you are so knowledgeable then it should be absolutely no problem 
to give us a few references from expert computer engineers /
manufacturers supporting your exact position.

You want everyone to believe that your fantasy model of optimization 
is basically to effectively ignore programming instructions.

You have given us no particular facts on anything.

As I said, you have done nothing but a lot of hand waving.

Who in their right mind would give you any credibility thus far?

I won't.

------------------------------

From: Richard Wash <[EMAIL PROTECTED]>
Subject: Re: confused:Diffie-Hellman is key agreement,  how about RSA? Is RSA  both 
algorithm and keyagreement?
Date: 01 Mar 2001 15:31:52 -0500

"david Hopkins" <[EMAIL PROTECTED]> writes:

> I see.  Thank you.
> 
> > Basically, Diffie-Hellman is "key agreement" because both parties have
> > to be actively agreeing on a  key.
> I am studying PKCS #3: Diffie-Hellman Key-Agreement Standard from RSA.
> Is:  The integer secret key z satisfies
> z = (y')x = (gx')x = (gx)x' = yx' mod p ,
> 
> Is z the key agreed by the two parties?

Yes, it is.

> So, with DH system, the key for further symmetric encryption (I mentioned it
> as session key)
>  is not generated by any party, but by interaction of both parties. Am I
> correct?

Yes.  This is why it cannot be used to store keys or to transmit keys
over a non-interactive medium like email.

Also, a consequence of this is that this mechanism cannot be used to
send information (since you cannot find the discrete log of z), only
to agree on a key.  The key is not chosen directly by either party.

> For the given two parties, if they do not change g, p, x and x', the session
> key (see above) seems
> to be constant.
> Is it? Is there any security flaw if it is so?

Yes, this is true.  However, to be secure, the algorithm states that x
and x' (the numbers each of the parties keep secret) must be random
numbers, and should be different random numbers each time the key
agreement is performed.  It is OK to keep g and p constant (and
public), but re-using them for a long time gives an attacker more time
to compute the necessary information to break the scheme.

  Rick Wash
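The exchange discussed above carried through in code, as an added example that is not part of the thread, in the notation of the PKCS #3 quote (y = g^x, y' = g^x', z = y'^x = y^x' mod p). The parameters are a toy safe prime p = 2q + 1 with q = 509 and g = 4 (order q), chosen so the numbers are readable, not for security; the subgroup check, the hashing of z into a session key, and the function names are choices made here.

```python
import hashlib
import secrets

P, Q, G = 1019, 509, 4          # toy parameters, constructed for the demo only

def keypair(rng=secrets.randbelow):
    """Secret exponent x in [1, q-1] and public value y = g^x mod p.
    `rng` is injectable so the 'same x every session' case can be shown."""
    x = 1 + rng(Q - 1)
    return x, pow(G, x, P)

def shared_secret(my_x, their_y):
    """z = their_y ^ my_x mod p. Rejects peer values outside the order-q
    subgroup, so a bad or malicious y cannot force z into a tiny set."""
    if not 1 < their_y < P - 1 or pow(their_y, Q, P) != 1:
        raise ValueError("peer value is not in the order-q subgroup")
    return pow(their_y, my_x, P)

def session_key(z):
    """Hash z into a fixed-size symmetric key rather than using z directly."""
    return hashlib.sha256(z.to_bytes((P.bit_length() + 7) // 8, "big")).digest()

def run_session(rng=secrets.randbelow):
    """One full agreement between Alice (x, y) and Bob (x', y').
    Each side only ever sends its public value; z itself never crosses the wire."""
    x, y = keypair(rng)            # Alice
    xp, yp = keypair(rng)          # Bob
    key_alice = session_key(shared_secret(x, yp))   # z = (y')^x
    key_bob = session_key(shared_secret(xp, y))     # z = y^(x')
    return key_alice, key_bob

if __name__ == "__main__":
    ka, kb = run_session()
    print("fresh exponents, keys agree:", ka == kb)
    fixed = lambda n: 6                           # pretend both always pick x = 7
    print("reused exponents, same key twice:",
          run_session(fixed) == run_session(fixed))
```

Running with fresh randomness gives a new key each session; injecting a constant `rng` reproduces the "constant session key" situation from the question, which is exactly why x and x' must be regenerated each time.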

------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Safe to use DSS key for DH?
Date: Thu, 1 Mar 2001 21:31:49 +0100

If you are free to choose the system parameters, you should probably choose
a larger q than 160 bits. AFAIK the number 160 is totally arbitrary, and is
solely determined by NIST's choice of hash function to use in conjunction
with DSA. An alternative would be to use Maurer's algorithm and get a
provable 1024 bit prime p and a provable 512 bit prime q, and use a 512 bit
hash function to produce exponents whenever applicable. Maurer's algorithm
is relatively slow of course, but you usually don't generate new primes on a
regular basis.

--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com

"DJohn37050" <[EMAIL PROTECTED]> skrev i meddelandet
news:[EMAIL PROTECTED]...
> See IEEE 1363 for discussion on attacks.  Also, you should use 1024 bit p
with
> a 160 bit q.
> Don Johnson
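Parameter generation with the size of q as a free choice, which is the knob Henrick says is worth enlarging, as an added example that is not from the thread. It uses Miller-Rabin probable primes, not Maurer's provable-prime construction, and toy sizes so it finishes in a moment; the exponent derivation reduces a 512-bit hash modulo q, which is the role Henrick assigns to a wide hash. All function names are choices made here.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test (probabilistic, unlike Maurer's provable primes)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random probable prime with exactly `bits` bits."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def dsa_like_params(pbits, qbits):
    """Prime q of qbits, prime p = m*q + 1 of pbits, and g of order q mod p.
    qbits is the caller's choice (DSA fixed it at 160 to match SHA-1)."""
    q = random_prime(qbits)
    while True:
        m = (secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
        p = m * q + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    while True:
        h = 2 + secrets.randbelow(p - 3)
        g = pow(h, (p - 1) // q, p)      # h^((p-1)/q) has order q unless it is 1
        if g != 1:
            return p, q, g

def exponent_from_hash(data, q):
    """Exponent in [0, q) from a hash at least as wide as q (SHA-512 here).
    A hash narrower than q would leave most of the exponent space unused."""
    if q.bit_length() > 512:
        raise ValueError("q is wider than the hash output")
    return int.from_bytes(hashlib.sha512(data).digest(), "big") % q

if __name__ == "__main__":
    p, q, g = dsa_like_params(256, 128)      # toy sizes; real use needs far larger p
    print("p bits:", p.bit_length(), "q bits:", q.bit_length(),
          "g^q mod p == 1:", pow(g, q, p) == 1)
```

The subgroup order q bounds the cost of generic discrete-log attacks (about sqrt(q) group operations), so widening q while keeping the hash at least as wide as q is what the post proposes; p must still be large enough to resist index-calculus attacks independently of q.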



------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: confused:Diffie-Hellman is key agreement,  how about RSA? Is RSA  
Date: Thu, 01 Mar 2001 20:33:07 GMT

david Hopkins wrote:

> Thank you :-). I am new to crypto, I am still not very clear on some points :-(
>
> What does "key management" mean?

It is the generation, control, protection, distribution or exchange, storage,
and final disposition of keys.

> Can I say that:
> 1) RSAEP (encryption primitive)/RSADP also perform the function of key
> agreement,

Probably more accurate to say that it can be used for key agreement.

> 2) In new version of PGP(5.0 + ? the version include DH/DSS)
>     RSASP1( signature primitive)/RSAVP1 perform the same function of DSS,
>     RSAEP/RSADP perform the same function of DH
> 3) how about ECC(elliptic curve cryptography ? Does it also perform as key
> agreement? although it is not called key agreement?

ECC is one technique for public key cryptography.  Most, any, public key
algorithm can be used for key agreement.

> Thank you.

In a key negotiation or agreement protocol, such as DH, A and B talk to each
other in such a way that they both arrive at the same value in such a way that a
man, E, listening to the conversation cannot figure out that number and without
the number actually being exchanged.  The net result is that they share a secret
(key).  When public key cryptography, such as RSA, is used for the same
application, A picks a number, encrypts it under B's public key and passes it to
B.  B uses his private key to decrypt that number.  E, the man in the middle,
has all of the information necessary to compute the number but not the time.
The net result is that when it is over A and B share a secret.  However, in this
case, the secret did traverse the network but it was encrypted.  It is a subtle
distinction.  Understanding the distinction is useful but not necessary.

>
>
> David
>
> "William Hugh Murray" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > RSA is an algorithm whose primary application is key management, in
> > general.  In SSL its application is to agree upon a key for an SSL
> > session.  What RSA is used for in SSL could be done with DH.


------------------------------

From: Doug Kuhlman <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker
Subject: Re: OverWrite freeware completely removes unwanted files fromharddrive
Date: Thu, 01 Mar 2001 14:39:04 -0600

Anthony Stephen Szopa wrote:
>  
> Who in their right mind would give you any credibility thus far?
> 
> I won't.

Sometimes, it's just too easy.....  I'd guess these two sentences should
clear things up, in case anyone was confused.

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 01 Mar 2001 20:43:29 GMT
Subject: Re: confused:Diffie-Hellman is key agreement,  how about RSA? Is RSA  both 
algorithm and keyagreement?

RSA is normally used to do key transport, DH is normally used to do key
agreement, they are both forms of key establishment.  The diff. is that in key
transport ONE party determines the resulting shared key and in key agreement,
BOTH parties contribute to the resulting shared key.
Don Johnson

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker
Subject: Re: OverWrite freeware completely removes unwanted files fromharddrive
Date: Thu, 01 Mar 2001 13:26:26 -0800

Doug Kuhlman wrote:
> 
> Anthony Stephen Szopa wrote:
> >
> > Who in their right mind would give you any credibility thus far?
> >
> > I won't.
> 
> Sometimes, it's just too easy.....  I'd guess these two sentences should
> clear things up, in case anyone was confused.

Talk about easy.  You have opted not to participate in the thread at
all.  I guess you know what you do best.  Like Clint Eastwood said:  
"A man has got to know his limitations."

Here is another thought for y'all to chew on:

If what the noadle has to say is true, imagine this, anyone who has,
say, a one GHz computer can process instruction code 10 times or more
faster than any peripheral device attached to it such as a hard drive,
zip drive, floppy drive can carry out the instruction.

If what the noadle says is true then nothing you instruct the computer
to do that may ever be considered redundant by his definition will ever
get executed because after all, your one GHz cpu is cranking out those
computations and source code instructions at such a fast rate all your
peripheral devices fall behind as soon as the second instruction code
is read.

The noadle just trashed any and all hope any of you have or ever had
that when you write a computer program that you can ever count on those
instructions being carried out.

FUD!

The noadle and any who believe his rubbish are absolutely LAUGHABLE!

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Urgent DES Cipher source code !!!!!
Date: Thu, 01 Mar 2001 21:54:24 GMT


"Latyr Jean-Luc FAYE" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I am working under a DOS/Windows environment.
> I am beginning in cryptography and I want to develop a small application
> for my own use between my girl and me, as she is sharing her email box
> with all her family.

Why would you care for VHDL code then?

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: confused:Diffie-Hellman is key agreement,  how about RSA? Is RSA  both 
algorithm and keyagreement?
Date: Thu, 01 Mar 2001 22:03:22 GMT


"david Hopkins" <[EMAIL PROTECTED]> wrote in message
news:euvn6.6769$[EMAIL PROTECTED]...
> I am confused:
> Diffie-Hellman is key agreement,
> how about RSA? Is RSA self both an algorithm and a keyagreement?

RSA is an encryption algorithm.  Normally used in a hybrid mode where a
symmetric key is encrypted and sent along with the encrypted message.

Tom



------------------------------

Subject: Re: => FBI easily cracks encryption ...?
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Thu, 01 Mar 2001 22:12:11 GMT

Nemo psj <[EMAIL PROTECTED]> wrote:

> Makes you want to use undisclosed algorithms made with home grown stream
> ciphers doesn't it.. Because you know if it has a password box or a source
> code for it somewhere its security is basically ZERO.

Yeah, right, if you have the source code you can crack any code... and
if you give it a password... wow... then it's so crackable... Someone
needs to do his homework...


        /Tony
PS I dunno, I think I must be too tired to understand what he's really
saying...

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: AES FIPS
Date: Thu, 1 Mar 2001 14:40:29 -0800


Brian Gladman <[EMAIL PROTECTED]> wrote in message
news:ojan6.1$Jw.48@wards...
> The AES draft FIPS is now available at:
>
> http://csrc.nist.gov/encryption/aes/
>
> for comment.

I didn't see anything on modes-of-operation.  Am I being even more clueless
than usual, or is it, in fact, missing?

--
poncho





------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: AES FIPS
Date: Thu, 01 Mar 2001 15:57:45 -0700

Scott Fluhrer wrote:
<snip>
> I didn't see anything on modes-of-operation.
<snip>

NIST has said that they intend to have a separate FIPS
for modes of operation.  (To all: check the NIST site
for lots more modes stuff.)

JM

------------------------------

From: [EMAIL PROTECTED]  (Free-man)
Crossposted-To: alt.security.pgp,sci.math
Subject: Re: How to find a huge prime(1024 bit?)
Date: Thu, 01 Mar 2001 23:06:57 GMT

On Thu, 1 Mar 2001 03:59:32 GMT, "Dik T. Winter" <[EMAIL PROTECTED]>
wrote:

>In article <[EMAIL PROTECTED]> [EMAIL PROTECTED]  (Free-man) 
>writes:
> > On Wed, 28 Feb 2001 02:51:53 GMT, "Dik T. Winter" <[EMAIL PROTECTED]>
> > wrote:
>...
> > >Well, I say it is correct.  The premise is: "there is a finite number
> > >of primes".  Multiplying them all together and adding 1 shows that the
> > >resultant number is not divisible by any prime.  Hence by the definition
> > >of prime it must be prime, contradicting the premise.
> > 
> > Not exactly.  Under that premise, it can be proved that the number
> > product + 1 is not  prime and not composite.
>
>Yes, that is something else that can be proven.  Taking enough time you
>can probably prove that 2 is not prime.  But you can also prove that the
>new number is prime.  Whatever contradiction you get at eventually, makes
>the premise false, and that is all that matters.  A -> B is true whenever
>A is false.
>
> > >But let's analyze it more completely:
> > >Def: a prime is an integer number > 1 that is not divisible by any smaller
> > >     number, except 1.
> > >Theorem: a non-prime > 1 is divisible by a prime.
> > >Proof: it is divisible by a smaller number which is either prime or non-
> > >     prime, so by infinite descent the result holds.
> > >Theorem: there is an infinitude of primes.
> > >Proof:
> > >     Suppose there is only a finite number of primes.  Multiply them all
> > >     together and add 1.  Suppose the result is non-prime, but according
> > >     to the theorem above it should be divisible by a prime, but none of
> > >     the primes fit, so it is prime.

Suppose the result is prime, does not your premise say that this prime
must be one of the finite set of primes which would lead to a
contradiction and thus prove that the result is not prime? 

> > >     A contradiction, we have found a
> > >     new prime.
> > 
> > No, because you have two "suppose"
>
>Yes, so what?  The second "suppose" is immediately refuted, so only one
>"suppose" remains.
> > >
> > >The confusion is that the new number is indeed not necessarily prime, but
> > >when the premise is "a finite number of primes" we just showed that the
> > >number *is prime*, 
> > 
> > No, it is shown that the number is not prime and not composite.
>
>That entirely depends on how you are wording the stuff.  In my wording
>above I showed that the new number is prime.  By the theorem it can't
>be composite (non-prime) because it is not divisible by a smaller prime,
>so it must be prime.

 Dik,  Maybe it is just a semantic difference.

Premise A :   "there is a finite number of primes".

List all the primes P1, P2, ... Pn     Let P = product of all these
primes and Let K = P + 1

You are saying that K must be prime because  "Suppose the result (K)
is non-prime, but according to the theorem above it should be
divisible by a prime, but none of  the primes fit, so it is prime."

I admit that your statement is not absolutely clear to me but I think
that I understand roughly what you are saying.

Here is my reasoning: Suppose K is prime.  According to premise A,
K = Pj for some integer j from 1 to n.  But this is not possible
because it would imply that Pj divides 1.  Therefore, K is not prime.

Suppose K is composite.  Then, according to A, there exists some Pj
such that Pj divides K.  But, that is not possible because it would
also imply that Pj divides 1.

Using A, it has been proved that K (>1) is not prime and not
composite.  It does not exist. Since K = P + 1,  P does not
exist.  P is not an integer.   Since P was constructed with A, A is
not true.

To sum up, you are saying that A implies that K is prime.  I am
saying that A implies that K is prime and not prime, and  this
contradiction proves that A is false.   

But we all agree that A is false because it produces a contradiction.

Rich Eramian aka freeman at shore dot net
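The number K = P + 1 from the discussion above, computed for the first few n as an added check that is not part of the thread. It makes the point both posters touch on concrete: K is never divisible by any of the listed primes (which is all the contradiction needs), yet outside the false premise K need not itself be prime; the first counterexample is n = 6. The function names are choices made here.

```python
def first_primes(n):
    """The first n primes by trial division against the primes found so far."""
    primes = []
    c = 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes

def euclid_number(n):
    """K = P1 * P2 * ... * Pn + 1, the number in the thread's proof."""
    k = 1
    for p in first_primes(n):
        k *= p
    return k + 1

def smallest_prime_factor(n):
    """Smallest prime dividing n (n itself when n is prime)."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f
        f += 1
    return n

def euclid_table(upto):
    """Rows (n, K, smallest factor of K, K divisible by a listed prime?)
    for n = 1..upto. The last column is always False; the third column
    shows whether K happens to be prime (smallest factor == K)."""
    rows = []
    for n in range(1, upto + 1):
        k = euclid_number(n)
        listed = first_primes(n)
        rows.append((n, k, smallest_prime_factor(k), any(k % p == 0 for p in listed)))
    return rows

if __name__ == "__main__":
    for n, k, spf, hit in euclid_table(8):
        print(f"n={n}: K={k}, smallest factor {spf}, "
              f"{'prime' if spf == k else 'composite'}, divisible by a listed prime: {hit}")
```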
     

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
