Cryptography-Digest Digest #851, Volume #13      Sat, 10 Mar 01 03:13:01 EST

Contents:
  Re: PKI and Non-repudiation practicalities ("Lyalc")
  Re: what is the use for MAC(Message Authentication Code ), as there can be digital signature? ("Joseph Ashwood")
  Re: qrpff-New DVD decryption code (Nicol So)
  Re: Digital envelopes ("John A. Malley")
  Re: I encourage people to boycott and ban all Russian goods and  (kyra)
  DES Weak Keys (Dan Seur)
  Re: Voting ("Greg Ofiesh")
  Re: Meaning of Kasumi (Paul Crowley)
  Re: Really simple stream cipher (Paul Crowley)
  Re: => FBI easily cracks encryption ...? ("Douglas A. Gwyn")
  Re: Super strong crypto ("Douglas A. Gwyn")
  Re: Dayton's Code Breakers ("Douglas A. Gwyn")
  Re: Sad news, Dr. Claude Shannon died over the weekend. ("Douglas A. Gwyn")
  Re: qrpff-New DVD decryption code ("Douglas A. Gwyn")
  Re: DES Weak Keys ("Douglas A. Gwyn")
  Re: boycott Russia.... ("René")
  Re: boycott Russia.... ("Douglas A. Gwyn")

----------------------------------------------------------------------------

From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: PKI and Non-repudiation practicalities
Date: Sat, 10 Mar 2001 16:13:28 +1100


those who know me have no need of my name wrote in message ...
><OEcq6.505$[EMAIL PROTECTED]> divulged:
>
>>The AADS model can allow the individual to generate their own
>>keys/certificate -
>
>can allow, but do you really expect the banking industry (to name but one i
>think likely to object) to accept it?

Well, in some cases, it makes for good customer retention.  A conventional
PKI certificate allows you to get a certificate at bank A, then use it at
bank B, C, D ...
If the bank can encourage you to register for a 1:1 relationship, you are
arguably less likely to switch.  And this is a minuscule part of the
marketing/commercial dimension of conventional PKI.

>and for those without "additional" means of generating a new secret it
>still means an extended delay before they are again able to conduct
>transactions.


A local bank insists on storing the certificate to the PC.  If your PC
busts/is replaced, you must manually either a) re-register; b) work out how
to export to a floppy; or c) rebuild the existing hard disk.   And so do
the tax office and an ex-Government-owned betting agency, and they all have
massive user support overheads.
What's the difference between the 2 environments we've been discussing?
Not much in terms of total disruption, although the disruption may occur in
different ways.
And about the same as most shared secret models.

>further, while your description is slightly different than mine, you still
>describe exactly what i did, to wit, you are without access to the
>materials or services controlled by the compromised secret until the
>replacement is generated and communicated to all linked institutions.
>granted each material or service becomes available as the associated
>institution is notified, so that you can sequence according to need vs
>convienience.  but that still leaves quite a lot of work to do to get it
>all done.  (i don't like most of those credit card "registries" as it is,
>and it looks like aads would make them almost a necessity.)


About the same as most shared secret models and all CRL based models

>i also missed what the expected mechanism is to properly certify that you
>are the correct party to declare a particular secret as compromised,
>especially in anonymous (cash-like) situations.


That is always the revocation challenge, PKI, shared secret or whatever.
Commercially, I (non-lawyer that I am) think most companies would revoke on
the suspicion of compromise, to avoid their own negligence liability for
insisting something is safe for a relying party to act upon, when it may not
be.

>>This is what you do now with a wallet full of cards,
>
>taken for a moment to be credit/debit card only:  only if i lose the entire
>wallet.  leaving one card somewhere means a single call, and leaves me with
>the utility of all the remaining cards.  and it has, in general, no effect
>at all on my ability to access my various accounts, perhaps via the
>internet.

>i'm not against aads, at all.  in fact i think i like it quite a bit.  but
>there seem to be issues that have yet to be fully explored, e.g., unless
>each institution or anonymous situation is (or can be) provided with

>different "public" secret the potential for abuse of privacy is huge.


Commercial implementation issues are outside the standard as with all well
crafted standards.

Lyal
>--
>okay, have a sig then



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: what is the use for MAC(Message Authentication Code ), as there can be digital signature?
Date: Wed, 28 Feb 2001 16:31:07 -0800

Absolutely, just glance back at the history of this group a couple of weeks;
you'll see that I personally was looking for a signature algorithm to work
at 10000 signatures/second. It doesn't exist, but MAC functions at that speed
number in the tens if not hundreds.
                            Joe

"david Hopkins" <[EMAIL PROTECTED]> wrote in message
news:IHgn6.4605$[EMAIL PROTECTED]...
> Thank you.
> So at present , is it still useful?
> (make a digital signature will take less than 2  second at present)
>
> "Anton Stiglic" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > david Hopkins wrote:
> > >
> > > Why use for MAC(Message Authentication Code ),
> > > as there can be digital signature?
> > >
> > > thanks
> >
> > Because MACs are typically much faster to compute.
> > Same kind of tradeoff like between symmetric
> > encryption schemes and public key encryption schemes.
>
>
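As an added example, not code from the thread or from any of its posters, the trade-off Joe and Anton describe in Python using only the standard library's hmac module: a tag is computed and verified under a shared key, a tampered message or a wrong key fails verification, a throughput measurement shows the rates a MAC reaches, and the last check illustrates the property a MAC does not give: anyone holding the key, the receiver included, can mint a valid tag, so a MAC cannot stand in for a signature toward a third party. The key and message are constructed values.

```python
import hashlib
import hmac
import time

# Constructed shared key and message for the demonstration (not from the thread).
KEY = b"constructed-shared-secret-key-for-demo"
MESSAGE = b"transfer 100.00 to account 12345"


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over message under the shared key (symmetric, fast)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    compare_digest avoids the byte-by-byte early exit of ==, which would leak
    how many leading bytes of a forged tag were correct.
    """
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo_tamper() -> dict:
    """Show what a MAC does and does not guarantee."""
    tag = mac_tag(KEY, MESSAGE)
    forged = b"receiver wrote this, not the sender"
    return {
        # integrity + origin for the two key holders: genuine message verifies
        "genuine": mac_verify(KEY, MESSAGE, tag),
        # any change to the message invalidates the tag
        "tampered": mac_verify(KEY, b"transfer 999.00 to account 12345", tag),
        # a tag only verifies under the key it was made with
        "wrong_key": mac_verify(b"some other key", MESSAGE, tag),
        # no non-repudiation: the receiver holds KEY too and can mint a
        # valid tag for any message, so a MAC proves nothing to a third party
        "forged_by_receiver": mac_verify(KEY, forged, mac_tag(KEY, forged)),
    }


def mac_rate(seconds: float = 0.2) -> float:
    """Rough tags-per-second throughput of HMAC-SHA256 on this machine."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        mac_tag(KEY, MESSAGE)
        count += 1
    return count / seconds


if __name__ == "__main__":
    print(demo_tamper())
    print(f"HMAC-SHA256 throughput: {mac_rate():,.0f} tags/second")
```

The throughput figure is per-core Python; native implementations are far faster still, but even this number sits well above the 10000/second the post asks of a signature scheme.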



------------------------------

From: Nicol So <[EMAIL PROTECTED]>
Subject: Re: qrpff-New DVD decryption code
Date: Sat, 10 Mar 2001 00:39:20 -0500
Reply-To: see.signature

"Douglas A. Gwyn" wrote:
> 
> The really dumb thing about such media copy-protection schemes
> (including Macromedia for VHS tapes) is that they often cause
> problems for legitimate purchasers, but wholesale piracy
> operations are hardly deterred at all, since they can afford
> to hack into a playback system to tap off the signal at the
> highest available quality point and write that onto the dupes.

While specific implementations of copy protection may unnecessarily
interfere with legitimate use of consumer equipment and purchased
content, the concept of deploying *some* measures of copy protection
makes a lot of sense from the perspective of the content owners.

Unauthorized copying and distribution of copyrighted material is
combatted using a combination of legal and technical means. It is true
that commercial pirates can defeat copy protection easily, but the
distribution of pirated _media_ in the US apparently is well under
control by the use of legal means, making it not a big problem. 

On the other hand, small time piracy, when practiced by a large number
of individuals, can translate to a big loss for the content owners. The
most worrisome kind of hacks is the kind that is easily duplicable with
widely available consumer equipment and minimal skill. What a defeatable
analog copy protection does is to raise the bar so that most consumers
don't have either the tool or the skill to make copies. Being
bulletproof is not the goal (and is unachievable for analog formats).

BTW, Macrovision is the name of the analog copy protection technology
vendor; Macromedia is an unrelated company.

-- 
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.

------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Digital envelopes
Date: Fri, 09 Mar 2001 21:42:54 -0800


br wrote:
> 
> I have invented a digital envelope where you may put any plain text
> and send it.
> What do I have to do to patent it?
> 
> Thank you for your help
> 

Well, first things first - check out prior art. There are quite a few
patents already covering "digital envelopes."
You want to make sure that what you did (and we didn't get many details)
is truly novel and is not obvious. You'll need to examine all the claims
of prior patents directly or indirectly related to "digital envelopes"
to make sure you have something worth patenting.  (I won't go into the
issue of the value of a patent in the crypto world. Many have argued
this issue in this USENET group, pro and con. You have decided to seek
the patent so I take that as evidence you value this legal protection.)

The process of securing a patent depends on the country where you seek
to secure the patent AFAIK. 
The rules and procedures for filing patents in the USA are not exactly
the same as for filing in Canada, Europe (quite a few countries there)
or Japan. 

There's an on-line patent database referenced frequently in the USA at

http://www.delphion.com/

I just ran "cryptographic envelope" through the US patent search engine
and found this patent from IBM on their cryptolope invention:

http://www.delphion.com/details?pn=US05673316__

This single patent is referenced by 13 more patents granted after it,
and this single patent references 9 previous patents.
So you have some work to do to identify how and why your invention is
different, and what unique claims you can make for your invention
different from all of that prior work should you seek to patent your
invention in the USA.

If you convince yourself you have something no one else has thought of,
you can take your findings from your own patent search to a patent
attorney who can help you prepare the application, OR, you can use them
to prepare your own application per the laws of the country within which
you file. Most governments post information about patents. 

General information on US patents may be found at

http://www.uspto.gov/web/offices/pac/doc/general/

For Canada I located this URL:

http://strategis.ic.gc.ca/sc_mrksv/cipo/patents/pt_main-e.html

The info I've provided is broad and sketchy, but it's a start.

Hope this helps,


John A. Malley
[EMAIL PROTECTED]

------------------------------

From: kyra <[EMAIL PROTECTED]>
Crossposted-To: comp.security,alt.security,alt.2600
Subject: Re: I encourage people to boycott and ban all Russian goods and 
Date: Fri, 09 Mar 2001 23:45:05 -0600

Lorne wrote:

> We must always remember that just because we are paranoid, that does not
> mean they are not after us.
>

LOL
that used to be my sig at one time ;)
great phrase



--
kyra
Give a man a fish, feed him for a day.
Teach a man to fish, feed him for a lifetime,
http://aleeya.net/




------------------------------

Date: Fri, 09 Mar 2001 23:27:43 -0500
From: Dan Seur <[EMAIL PROTECTED]>
Subject: DES Weak Keys

Does anyone know if the list of weak DES keys is in the public domain?


------------------------------

From: "Greg Ofiesh" <[EMAIL PROTECTED]>
Subject: Re: Voting
Date: Fri, 9 Mar 2001 22:30:11 -0800

The only way to be absolutely certain that the ballots were not
tampered with is to put them on paper, slide the paper into a glass
box on display for all to see, then count them in full view of anyone
who wishes to watch later that night.  No high tech anything.  Just
paper and pen marks.

Old, cheap, reliable, just about as fool proof as one can get.  So you
realize that those in power must move away from this type of voting
to a high tech voting system.  Otherwise, we would actually have our
votes counted.

Those who count the votes are the ones that count.  Those who cast
the votes don't count at all.  They just vote.

"Simon Johnson" <[EMAIL PROTECTED]> wrote in message
news:985srp$29m$[EMAIL PROTECTED]...
>
> Paul Rubin <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Benjamin Goldberg <[EMAIL PROTECTED]> writes:
> > > The voting machines in NY, while a bit old, fit this requirement quite
> > > well.  However, I will admit that there are some ways improvements could
> > > be made.  The NY machines have (IIRC) a mechanical counter, which has an
> > > odometer-like display.
> >
> > I bet by mounting a small hidden microphone on or near one of those
> > machines, you could tell who was being voted for, because the internal
> > levers make different sounds.  So much for the secret ballot.
>
> Not if the machine is contained in a vacuum, but this is getting a bit
> ridiculous.
>
> Simon.
>
>



------------------------------

Subject: Re: Meaning of Kasumi
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Sat, 10 Mar 2001 06:32:26 GMT

Arturo <aquiranNO$[EMAIL PROTECTED]> writes:
>       KASUMI is the name of the encryption algorithm to be used in
> third-generation mobile phones.  My question is, what does that word stand for?
> Does it have any meaning?  TIA

More to the point, if they're so early in their standardisation
process that they've only recently published this block cipher and
invited analysis, is it too late for them just to switch to Rijndael?

If KASUMI is by the designers of MISTY then it will be a well-designed
algorithm, but what makes it more suitable than Rijndael for this
purpose?
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

------------------------------

Subject: Re: Really simple stream cipher
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Sat, 10 Mar 2001 06:32:26 GMT

"Paul Pires" <[EMAIL PROTECTED]> writes:
> A friendly suggestion? Feel free to disagree. Being one of Pancho's
> recent recipients of cryptanalytic wizardry, I have set a personal
> rule. Don't post a fix to a flaw for AT LEAST 100 times longer than
> it takes you to figure out the fix and re-write the code, or two weeks,
> whichever is longer. Trust me, you will profit from it. Scott is a good
> teacher and often leaves a part of the lesson for the pupil to figure
> out.

Entirely agreed!  In my case, Scott has actually proposed fixes to my
cipher that would address the problems he found, but I'm still very
wary of proposing a new version until I'm sure I've rooted out the
deep problems with the cipher.

Amusingly, we're presenting attacks on each other's ciphers at FSE
2001 in Japan at the beginning of April!  Here's an attack on poncho
and David McGrew's LEVIATHAN by me and Stefan Lucks:

http://www.cluefactory.org.uk/paul/crypto/leviathan/

His attack on my Mercy isn't online AFAIK, but here's some information
about it:

http://www.cluefactory.org.uk/paul/mercy/fluhrer-dc.html 

So if we get the chance I'll ask him about how to fix Mercy when I
see him in Japan, and have a go at fixing LEVIATHAN too...
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: => FBI easily cracks encryption ...?
Date: Sat, 10 Mar 2001 07:34:05 GMT

Paul Rubin wrote:
> Cryptanalysis benefits linearly from computer speedups--cryptography
> benefits exponentially.

That depends on a simple model that just doesn't match actual
techniques (which are not dominated by linear searching),
and no, I can't offer descriptions of these.  You can find
analogies, though, in other important problems solved through
numerical methods.

> ... The worst failures are usually protocol failures ...

Certainly, protocol failures are usually easier to exploit,
and historically they are very likely to occur.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Super strong crypto
Date: Sat, 10 Mar 2001 07:24:39 GMT

David Wagner wrote:
> whole series of possible defenses we could use.  For instance:
>   (i)   Gwyn's super-strong crypto; or,
>   (ii)  Triple the number of rounds; or,
>   (iii) Use GGM's PRG-doubling, as I described previously.
> How do we choose which one to use?  What methodology do we use to
> evaluate the alternatives?  (This is a serious question.)

The simple answer is, you need to develop the methodology; it's
not currently in textbooks.

> It also raises the following question.  I can imagine some criteria
> and methodologies which lead one to prefer (ii) or (iii), but I have
> a hard time imagining a methodology where (i) would be the preferred
> alternative.  Can you help remedy my poor imagination?

First I will object to your characterization of (i).  I have
not advertised my straw man as "strong crypto"; that was just
the name somebody else used to start the thread, that caused
me to raise the issue of overuse of a small amount of unknown
(key) and a possible method for overcoming that, within an
important realistic scenario (one-way channel, small amount
of shared secret (initial key) storage, requirement for low
encryption burden forcing symmetric system, highly competent
and motivated enemy cryptanalysts).  The three phases of my
straw man took the initial simple notion of shipping new key
(encrypted under old) so that both ends would possess it and
tweaked it to improve throughput (partial key refresh) and
eliminate whole classes of "easy" attacks (by injecting noise
where it would most interfere with those classes).  What I
was trying to do was to investigate the possibilities, and to
encourage others to follow their own paths along similar
lines; a couple have done so, and I've received some useful
feedback outside this forum.

Now, as to (ii), there is not currently any demonstration
that that addresses the main issue.  Such a demonstration
would have to rigorously connect minimum work factor for
cryptanalysis with the structure of the encryption algorithm.
I am sure there often are such connections, but absent the
general theory one can only *guess* what the relation might
be; a wrong guess could be catastrophic.  *** This area is
so central to "strong crypto" that for years I have urged
people to work on developing the theory. ***  The end product
would most likely allow a lower bound to be placed on the work
that *must* be done for any successful attack (meaning to
exceed some specified likelihood threshold for solution).
(Almost all the "easy" theory currently at hand gives only
*upper* bounds for work with the likelihood threshold fixed
at 1.0 (sometimes 0.5); that is *useless* for establishing
a "strong crypto" property.)  Another likely outcome of such
a theory would be a measure of what quantity of PT can be
protected (for specified available amount of work and
threshold) by a given system *using a specified amount of
random key*.  (Similar to Shannon's unicity criterion, but
taking into account work factor, which in turn takes into
account system structure.)  Whatever that amount of PT is,
it is *finite* (and I'd bet, far less than most folks seem
to believe), so no amount of pseudo-random complexity is
beyond attack given a long enough (contiguous) CT capture.
That was my *starting point*; if you can refute it, great!
Otherwise, alternatives that do not involve adding entropy
fail to address this concern.

We need a *science* here, which is likely to have a strong
"engineering" flavor.  I didn't say I was going to lay such
a theory out on a plate for you.  But I do want to get you
thinking and working along these lines so we can start
getting closer to the goal of *truly* "strong crypto", to
replace the wishful thinking that people are relying on today.

[end soap box]

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Dayton's Code Breakers
Date: Sat, 10 Mar 2001 07:35:16 GMT

Jim Haynes wrote:
> Another source of information ...

And the latest issue of Cryptologia has more information on
Turing's visit to Dayton.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Sad news, Dr. Claude Shannon died over the weekend.
Date: Sat, 10 Mar 2001 07:36:34 GMT

Jim Haynes wrote:
> ... Maxwell pulled together the entire theory of electromagnetism,

Yes, it was indeed a great job of integration.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: qrpff-New DVD decryption code
Date: Sat, 10 Mar 2001 07:52:16 GMT

Nicol So wrote:
> While specific implementations of copy protection may unnecessarily
> interfere with legitimate use of consumer equipment and purchased
> content, the concept of deploying *some* measures of copy protection
> makes a lot of sense from the perspective of the content owners.

My complaint is being treated in advance as having criminal intent
and as a consequence getting reduced product quality.  There are
enough crappy products in this world already without *intentionally*
making things more aggravating for the innocent purchaser.

> On the other hand, small time piracy, when practiced by a large
> number of individuals, can translate to a big loss for the content
> owners. The most worrisome kind of hacks is the kind that is easily
> duplicable with widely available consumer equipment and minimal skill.

Yeah, we heard that first with tape recorders (wire recorders were
before my time), reel-to-reel, then cassette, then DAT, now CD-R
and DVD-R.  The fact is, I buy lots of factory recorded content
for my own use and don't duplicate it for friends, let alone to
make a profit, nor do I encourage friends to make copies for me
nor do I knowingly purchase pirate content.  I was raised to
understand the importance of ethical behavior.  The problem is one
of philosophic education of the general public, and the more that
attention is focused on other secondary issues, the worse the
problem will get.  People need to appreciate that piracy is not
romantic, it's disgusting.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: DES Weak Keys
Date: Sat, 10 Mar 2001 07:53:20 GMT

Dan Seur wrote:
> Does anyone know if the list of weak DES keys is in the public domain?

? They're listed in textbooks.
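As an added example that is not part of the digest, the following Python classifies a DES key by the structure that makes the weak keys weak: after the PC-1 permutation of FIPS 46, the 28-bit halves C0 and D0 of a weak key are each all-zero or all-one, so the per-round rotations leave them unchanged and all sixteen subkeys are identical; for a semi-weak key each half is uniform or alternating, so the schedule produces only two distinct subkeys. Inverting PC-1 and restoring the odd-parity bits derives the four weak and twelve semi-weak keys from that property instead of copying them from a table. Only the PC-1 table and the parity convention are taken from the standard; the sample "normal" key is a constructed value.

```python
from itertools import product

# PC-1 from FIPS 46 (1-indexed, MSB-first over the 8 key bytes). It drops the
# parity bits 8, 16, ..., 64; the first 28 outputs form C0, the last 28 form D0.
PC1 = [
    57, 49, 41, 33, 25, 17, 9,
    1, 58, 50, 42, 34, 26, 18,
    10, 2, 59, 51, 43, 35, 27,
    19, 11, 3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,
    7, 62, 54, 46, 38, 30, 22,
    14, 6, 61, 53, 45, 37, 29,
    21, 13, 5, 28, 20, 12, 4,
]

# Half patterns that rotation by 1 or 2 positions maps onto themselves.
UNIFORM = {"0" * 28, "1" * 28}          # every rotation identical: 1 subkey
ALTERNATING = {"01" * 14, "10" * 14}     # rotations cycle through 2 values
DEGENERATE = UNIFORM | ALTERNATING


def key_halves(key: bytes) -> tuple[str, str]:
    """Apply PC-1 and return (C0, D0) as 28-character bit strings."""
    bits = "".join(f"{b:08b}" for b in key)
    selected = "".join(bits[p - 1] for p in PC1)
    return selected[:28], selected[28:]


def classify(key: bytes) -> str:
    """Return 'weak', 'semi-weak' or 'normal'; parity bits are ignored by PC-1."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes")
    c0, d0 = key_halves(key)
    if c0 in UNIFORM and d0 in UNIFORM:
        return "weak"           # all 16 subkeys equal: encryption == decryption
    if c0 in DEGENERATE and d0 in DEGENERATE:
        return "semi-weak"      # only 2 distinct subkeys; keys come in pairs
    return "normal"


def key_from_halves(c0: str, d0: str) -> bytes:
    """Invert PC-1 and set each byte's low bit to give odd parity."""
    bits = [0] * 64
    for pos, bit in zip(PC1, c0 + d0):
        bits[pos - 1] = int(bit)
    out = bytearray()
    for i in range(8):
        data = bits[8 * i: 8 * i + 7]
        parity = 1 - (sum(data) % 2)          # odd number of ones per byte
        value = 0
        for b in data + [parity]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def derive_degenerate_keys() -> dict[str, list[str]]:
    """Enumerate every (C0, D0) pair of degenerate halves: 4 weak + 12 semi-weak."""
    found = {"weak": [], "semi-weak": []}
    for c0, d0 in product(sorted(DEGENERATE), repeat=2):
        key = key_from_halves(c0, d0)
        found[classify(key)].append(key.hex().upper())
    for keys in found.values():
        keys.sort()
    return found


if __name__ == "__main__":
    for kind, keys in derive_degenerate_keys().items():
        print(kind, len(keys), keys)
    print(classify(bytes.fromhex("0123456789ABCDEF")))   # constructed normal key
```

Because PC-1 discards the parity bits, a key-loading routine that rejects weak keys must compare the 56 selected bits, not the raw 64-bit value; the `classify` function above does that implicitly.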

------------------------------

From: "René" <[EMAIL PROTECTED]>
Crossposted-To: comp.security,alt.security,alt.2600
Subject: Re: boycott Russia....
Date: Sat, 10 Mar 2001 00:54:08 -0700

_What_ Russian products? Do they actually _make_ something? Other than that,
that's fine with me. Not that I care too much for these pestering Witnesses,
but I can tolerate them. Russians on the other hand..I fucking hate
them...come to think it, yes, Russia makes the famous AK's....which suck...



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: boycott Russia....
Date: Sat, 10 Mar 2001 08:05:41 GMT

"René" wrote:
> ...come to think it, yes, Russia makes the famous AK's..
> ..which suck...

Most experienced riflemen who have used AK-47s don't find that
they suck.  Indeed in 'Nam many troops kept an AK-47 that they
had captured because they preferred it to our own M-16.

Russian military manufacturing philosophy has been quite
different from ours, as is especially evident in their fighter
aircraft.  They met their particular set of requirements.

Followups should be sent to rec.guns.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
