Cryptography-Digest Digest #888, Volume #13 Tue, 13 Mar 01 22:13:01 EST
Contents:
Re: PGP "flaw" (Tony L. Svanstrom)
Re: qrpff-New DVD decryption code (John Savard)
Re: Online Poker RNG ("Dan Kimberg")
Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])
Cryptography FAQ (02/10: Net Etiquette) ([EMAIL PROTECTED])
Cryptography FAQ (03/10: Basic Cryptology) ([EMAIL PROTECTED])
----------------------------------------------------------------------------
Subject: Re: PGP "flaw"
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Wed, 14 Mar 2001 02:16:29 GMT
Neil Couture <[EMAIL PROTECTED]> wrote:
> Brian D Jonas wrote:
>
> > I suppose everyone here already knows about the PGP "flaw" that has been
> > in the PGP program for the last 4 years? It's no wonder that the inventor
> > of PGP has left the company.... Media can call it a "flaw" but we all know
> > it is a back door that uses the public key method...
"A back door that uses the public key method"... OH NO!!! Not the
dreaded "public key method"!!!!
(Sorry, I just had to. =)
> > here is a quote from cnn.com's report on it
> >
> > "As it turns out, this flaw has actually existed since 1997, back when
> > Phil Zimmermann, the original developer of PGP, added the data-recovery
> > feature as he sought to commercialize the product for corporate use, Jones
> > points out. As a safety measure, corporations want to have a way to
> > decrypt data that their employees encrypt, Jones notes. "
> >
> > ok so what was the point of encryption again ? I forgot....
> can you post an url for this? is this a flaw corresponding to a
> mathematical attacks?
Nah, this is the ADK-bug...
Basically the problem was this:
They added the feature that a key could contain a "please encrypt to
this key too"-flag, but the bug allowed anyone to add such a key to any
public key out there and it was still used by PGP (as in "the versions
from NAI").
It was fixed months ago.
/Tony
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: qrpff-New DVD decryption code
Date: Wed, 14 Mar 2001 02:08:58 GMT
On Sat, 10 Mar 2001 07:52:16 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote, in part:
>People need to appreciate that piracy is not
>romantic, it's disgusting.
I certainly am disgusted by the activities of some pirates based in
Thailand and other countries towards the Vietnamese boat people.
As for the illegal reproduction of copyrighted material: yes, it is
wrong. It's wrong because our society has decided to grant copyrights
in order to encourage literary and artistic activity; it is,
therefore, a failure to abide responsibly by the commitments made by
the society in which one lives.
However, perhaps because this is felt to be too complicated for most
people to understand, or because copyright is not dealt with in the
Old Testament, most industry efforts to educate the public in this
area have focussed on equating illegal reproduction to stealing.
To most people, what is wrong about stealing is not that the thief has
valuable things in his posession that he did not work for, but that
the victim suffers from their absence.
When a copy is made, the original doesn't go missing. Thus, this false
attempt by copyright owners to claim that they have a _natural law
right_ to copyright protection directly, rather than having rights
from the natural law right to have contractual agreements abided by
combined with the government's past choice to enter into the covenant
which the existence of copyright law represents, runs into a roadblock
of common sense, and derails.
Since illegal copying of copyrighted materials creates (in the short
term, for the malfeasors) wealth - multiple useful copies exist where
only one did before - people will only be amenable to persuasion to
adopt the point of view that such copying is a bad thing when they are
not in the position of sorely begrudging the cost of legitimate
copies.
It's not at all surprising, therefore, that copyright owners are
fighting with tooth and claw to protect themselves, in ways that
affect people who wish, for example, to simply make their own home
movies.
Rather than attempt to meditate on the morality of all this, I simply
note that if there is so little respect for copyrights on the part of
Joe Average, this also means that, had the DMCA been put to a national
referendum, perhaps it might have lost. If this is indeed the case, we
have a situation where the law fails to reflect the will of the people
(due, presumably, to such factors as the need for campaign
contributions, and, in the U.S., the Congressional committee system)
and this is an additional source of lack of respect for such laws.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: "Dan Kimberg" <[EMAIL PROTECTED]>
Crossposted-To: rec.gambling.poker
Subject: Re: Online Poker RNG
Date: Tue, 13 Mar 2001 21:23:33 -0500
"Tony L. Svanstrom" <[EMAIL PROTECTED]> wrote:
> Graham Ribchester <[EMAIL PROTECTED]> wrote:
> > From what i remember when I emailed them that question amongst many. The
> > deck is shuffled using a generator which creates the "random" numbers
based
> > upon the movements of every players' mice.
>
> Which would mean that a player could do a lil bit of drawkcab compiling
> and/or packetsniffing and then feed the server his own "randomness"...
> and then he could provide up to 9/10 of the "randomness"...
Paradise claims to XOR together things from all connected clients as well as
some low-order bits from their CPU clock to get their random seed. Although
XOR is a poor choice (we'd prefer MD5), and it would be nice if they used a
few more reliable sources of entropy (cards with radioactive sources are
cheap and many modern motherboards are equipped to report thermal
measurements), I don't think you'll have much luck trying to bias the server
this way. Not unless you can get most/all of the users to use your hacked
client.
It sounds like you're assuming there is a separate seed for each table,
which I don't think is the case for Paradise (although their description is
a bit fuzzy). Even if that's the case, though, it's not immediately clear
that controlling 9/10 of the entropy sources is helpful. But it's more
helpful with XOR than it would be with MD5.
dan
------------------------------
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (01/10: Overview)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 14 Mar 2001 02:40:22 GMT
Archive-name: cryptography-faq/part01
Last-modified: 1999/06/27
This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.
Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.
Archives: sci.crypt has been archived since October 1991 on
ripem.msu.edu, though these archives are available only to U.S. and
Canadian users. Another site is rpub.cl.msu.edu in /pub/crypt/sci.crypt/
from Jan 1992.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
The fields `Last-modified' and `Version' at the top of each part track
revisions.
1999: There is a project underway to reorganize, expand, and update the
sci.crypt FAQ, pending the resolution of some minor legal issues. The
new FAQ will have two pieces. The first piece will be a series of web
pages. The second piece will be a short posting, focusing on the
questions that really are frequently asked.
In the meantime, if you need to know something that isn't covered in the
current FAQ, you can probably find it starting from Ron Rivest's links
at <http://theory.lcs.mit.edu/~rivest/crypto-security.html>.
If you have comments on the current FAQ, please post them to sci.crypt
under the subject line Crypt FAQ Comments. (The crypt-comments email
address is out of date.)
Table of Contents
=================
1. Overview
2. Net Etiquette
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?
3. Basic Cryptology
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
3.2. What references can I start with to learn cryptology?
3.3. How does one go about cryptanalysis?
3.4. What is a brute-force search and what is its cryptographic relevance?
3.5. What are some properties satisfied by every strong cryptosystem?
3.6. If a cryptosystem is theoretically unbreakable, then is it
guaranteed analysis-proof in practice?
3.7. Why are many people still using cryptosystems that are
relatively easy to break?
3.8. What are the basic types of cryptanalytic `attacks'?
4. Mathematical Cryptology
4.1. In mathematical terms, what is a private-key cryptosystem?
4.2. What is an attack?
4.3. What's the advantage of formulating all this mathematically?
4.4. Why is the one-time pad secure?
4.5. What's a ciphertext-only attack?
4.6. What's a known-plaintext attack?
4.7. What's a chosen-plaintext attack?
4.8. In mathematical terms, what can you say about brute-force attacks?
4.9. What's a key-guessing attack? What's entropy?
5. Product Ciphers
5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, and OFB encryption?
6. Public-Key Cryptography
6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'
7. Digital Signatures
7.1. What is a one-way hash function?
7.2. What is the difference between public, private, secret, shared, etc.?
7.3. What are MD4 and MD5?
7.4. What is Snefru?
8. Technical Miscellany
8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?
9. Other Miscellany
9.1. What is the National Security Agency (NSA)?
9.2. What are the US export regulations?
9.3. What is TEMPEST?
9.4. What are the Beale Ciphers, and are they a hoax?
9.5. What is the American Cryptogram Association, and how do I get in touch?
9.6. Is RSA patented?
9.7. What about the Voynich manuscript?
10. References
10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups
------------------------------
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (02/10: Net Etiquette)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 14 Mar 2001 02:40:22 GMT
Archive-name: cryptography-faq/part02
Last-modified: 94/06/13
This is the second of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
Contents:
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
Read news.announce.newusers and news.answers for a few weeks. Always
make sure to read a newsgroup for some time before you post to it.
You'll be amazed how often the same question can be asked in the same
newsgroup. After a month you'll have a much better sense of what the
readers want to see.
2.2. Do political discussions belong in sci.crypt?
No. In fact some newsgroups (notably misc.legal.computing) were
created exactly so that political questions like ``Should RSA be
patented?'' don't get in the way of technical discussions. Many
sci.crypt readers also read misc.legal.computing, comp.org.eff.talk,
comp.patents, sci.math, comp.compression, talk.politics.crypto,
et al.; for the benefit of people who don't care about those other
topics, try to put your postings in the right group.
Questions about microfilm and smuggling and other non-cryptographic
``spy stuff'' don't belong in sci.crypt either.
2.3. How do I present a new encryption scheme in sci.crypt?
``I just came up with this neat method of encryption. Here's some
ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
doubt questions like this are the most annoying traffic on sci.crypt.
If you have come up with an encryption scheme, providing some
ciphertext from it is not adequate. Nobody has ever been impressed by
random gibberish. Any new algorithm should be secure even if the
opponent knows the full algorithm (including how any message key is
distributed) and only the private key is kept secret. There are some
systematic and unsystematic ways to take reasonably long ciphertexts
and decrypt them even without prior knowledge of the algorithm, but
this is a time-consuming and possibly fruitless exercise which most
sci.crypt readers won't bother with.
So what do you do if you have a new encryption scheme? First of all,
find out if it's really new. Look through this FAQ for references and
related methods. Familiarize yourself with the literature and the
introductory textbooks.
When you can appreciate how your cryptosystem fits into the world at
large, try to break it yourself! You shouldn't waste the time of tens
of thousands of readers asking a question which you could have easily
answered on your own.
If you really think your system is secure, and you want to get some
reassurance from experts, you might try posting full details of your
system, including working code and a solid theoretical explanation, to
sci.crypt. (Keep in mind that the export of cryptography is regulated
in some areas.)
If you're lucky an expert might take some interest in what you posted.
You can encourage this by offering cash rewards---for instance, noted
cryptographer Ralph Merkle is offering $1000 to anyone who can break
Snefru-4---but there are no guarantees. If you don't have enough
experience, then most likely any experts who look at your system will
be able to find a flaw. If this happens, it's your responsibility to
consider the flaw and learn from it, rather than just add one more
layer of complication and come back for another round.
A different way to get your cryptosystem reviewed is to have the NSA
look at it. A full discussion of this procedure is outside the scope
of this FAQ.
Among professionals, a common rule of thumb is that if you want to
design a cryptosystem, you have to have experience as a cryptanalyst.
------------------------------
Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (03/10: Basic Cryptology)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 14 Mar 2001 02:40:23 GMT
Archive-name: cryptography-faq/part03
Last-modified: 93/10/10
This is the third of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.
The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto,
sci.answers, and news.answers every 21 days.
Contents:
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
3.2. What references can I start with to learn cryptology?
3.3. How does one go about cryptanalysis?
3.4. What is a brute-force search and what is its cryptographic relevance?
3.5. What are some properties satisfied by every strong cryptosystem?
3.6. If a cryptosystem is theoretically unbreakable, then is it
guaranteed analysis-proof in practice?
3.7. Why are many people still using cryptosystems that are
relatively easy to break?
3.8. What are the basic types of cryptanalytic `attacks'?
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
The story begins: When Julius Caesar sent messages to his trusted
acquaintances, he didn't trust the messengers. So he replaced every A
by a D, every B by a E, and so on through the alphabet. Only someone
who knew the ``shift by 3'' rule could decipher his messages.
A cryptosystem or cipher system is a method of disguising messages so
that only certain people can see through the disguise. Cryptography is
the art of creating and using cryptosystems. Cryptanalysis is the art
of breaking cryptosystems---seeing through the disguise even when
you're not supposed to be able to. Cryptology is the study of both
cryptography and cryptanalysis.
The original message is called a plaintext. The disguised message is
called a ciphertext. Encryption means any procedure to convert
plaintext into ciphertext. Decryption means any procedure to convert
ciphertext into plaintext.
A cryptosystem is usually a whole collection of algorithms. The
algorithms are labelled; the labels are called keys. For instance,
Caesar probably used ``shift by n'' encryption for several different
values of n. It's natural to say that n is the key here.
The people who are supposed to be able to see through the disguise are
called recipients. Other people are enemies, opponents, interlopers,
eavesdroppers, or third parties.
3.2. What references can I start with to learn cryptology?
For an introduction to technical matter, the survey articles given
in part 10 are the best place to begin as they are, in general,
concise, authored by competent people, and well written. However,
these articles are mostly concerned with cryptology as it has
developed in the last 50 years or so, and are more abstract and
mathematical than historical. The Codebreakers by Kahn [KAH67] is
encyclopedic in its history and technical detail of cryptology up
to the mid-60's.
Introductory cryptanalysis can be learned from Gaines [GAI44] or
Sinkov [SIN66]. This is recommended especially for people who want
to devise their own encryption algorithms since it is a common
mistake to try to make a system before knowing how to break one.
The selection of an algorithm for the DES drew the attention of
many public researchers to problems in cryptology. Consequently
several textbooks and books to serve as texts have appeared. The
book of Denning [DEN82] gives a good introduction to a broad range
of security including encryption algorithms, database security,
access control, and formal models of security. Similar comments
apply to the books of Price & Davies [PRI84] and Pfleeger [PFL89].
The books of Konheim [KON81] and Meyer & Matyas [MEY82] are quite
technical books. Both Konheim and Meyer were directly involved in
the development of DES, and both books give a thorough analysis of
DES. Konheim's book is quite mathematical, with detailed analyses
of many classical cryptosystems. Meyer and Matyas concentrate on
modern cryptographic methods, especially pertaining to key management
and the integration of security facilities into computer systems and
networks. For more recent documentation on related areas, try
G. Simmons in [SIM91].
The books of Rueppel [RUE86] and Koblitz [KOB89] concentrate on
the application of number theory and algebra to cryptography.
3.3. How does one go about cryptanalysis?
Classical cryptanalysis involves an interesting combination of
analytical reasoning, application of mathematical tools, pattern
finding, patience, determination, and luck. The best available
textbooks on the subject are the Military Cryptanalytics series
[FRIE1]. It is clear that proficiency in cryptanalysis is, for
the most part, gained through the attempted solution of given
systems. Such experience is considered so valuable that some of the
cryptanalyses performed during WWII by the Allies are still
classified.
Modern public-key cryptanalysis may consist of factoring an integer,
or taking a discrete logarithm. These are not the traditional fare
of the cryptanalyst. Computational number theorists are some of the
most successful cryptanalysts against public key systems.
3.4. What is a brute-force search and what is its cryptographic relevance?
In a nutshell: If f(x) = y and you know y and can compute f, you can
find x by trying every possible x. That's brute-force search.
Example: Say a cryptanalyst has found a plaintext and a corresponding
ciphertext, but doesn't know the key. He can simply try encrypting the
plaintext using each possible key, until the ciphertext matches---or
decrypting the ciphertext to match the plaintext, whichever is faster.
Every well-designed cryptosystem has such a large key space that this
brute-force search is impractical.
Advances in technology sometimes change what is considered
practical. For example, DES, which has been in use for over 10 years
now, has 2^56, or about 10^17, possible keys. A computation with
this many operations was certainly unlikely for most users in the
mid-70's. The situation is very different today given the dramatic
decrease in cost per processor operation. Massively parallel
machines threaten the security of DES against brute force search.
Some scenarios are described by Garron and Outerbridge [GAR91].
One phase of a more sophisticated cryptanalysis may involve a
brute-force search of some manageably small space of possibilities.
3.5. What are some properties satisfied by every strong cryptosystem?
The security of a strong system resides with the secrecy of the key
rather than with the supposed secrecy of the algorithm.
A strong cryptosystem has a large keyspace, as mentioned above. It
has a reasonably large unicity distance; see question 8.8.
A strong cryptosystem will certainly produce ciphertext which appears
random to all standard statistical tests (see, for example, [CAE90]).
A strong cryptosystem will resist all known previous attacks. A
system which has never been subjected to scrutiny is suspect.
If a system passes all the tests mentioned above, is it necessarily
strong? Certainly not. Many weak cryptosystems looked good at first.
However, sometimes it is possible to show that a cryptosystem is
strong by mathematical proof. ``If Joe can break this system, then
he can also solve the well-known difficult problem of factoring
integers.'' See part 6. Failing that, it's a crap shoot.
3.6. If a cryptosystem is theoretically unbreakable, then is it
guaranteed analysis-proof in practice?
Cryptanalytic methods include what is known as ``practical
cryptanalysis'': the enemy doesn't have to just stare at your
ciphertext until he figures out the plaintext. For instance, he might
assume ``cribs''---stretches of probable plaintext. If the crib is
correct then he might be able to deduce the key and then decipher the
rest of the message. Or he might exploit ``isologs''---the same
plaintext enciphered in several cryptosystems or several keys. Thus
he might obtain solutions even when cryptanalytic theory says he
doesn't have a chance.
Sometimes, cryptosystems malfunction or are misused. The one-time pad,
for example, loses all security if it is used more than once! Even
chosen-plaintext attacks, where the enemy somehow feeds plaintext into
the encryptor until he can deduce the key, have been employed. See
[KAH67].
3.7. Why are many people still using cryptosystems that are
relatively easy to break?
Some don't know any better. Often amateurs think they can design
secure systems, and are not aware of what an expert cryptanalyst
could do. And sometimes there is insufficient motivation for anybody
to invest the work needed to crack a system.
3.8. What are the basic types of cryptanalytic `attacks'?
A standard cryptanalytic attack is to know some plaintext matching a
given piece of ciphertext and try to determine the key which maps one
to the other. This plaintext can be known because it is standard (a
standard greeting, a known header or trailer, ...) or because it is
guessed. If text is guessed to be in a message, its position is probably
not known, but a message is usually short enough that the cryptanalyst
can assume the known plaintext is in each possible position and do
attacks for each case in parallel. In this case, the known plaintext can
be something so common that it is almost guaranteed to be in a message.
A strong encryption algorithm will be unbreakable not only under known
plaintext (assuming the enemy knows all the plaintext for a given
ciphertext) but also under "adaptive chosen plaintext" -- an attack
making life much easier for the cryptanalyst. In this attack, the enemy
gets to choose what plaintext to use and gets to do this over and over,
choosing the plaintext for round N+1 only after analyzing the result of
round N.
For example, as far as we know, DES is reasonably strong even under an
adaptive chosen plaintext attack (the attack Biham and Shamir used). Of
course, we do not have access to the secrets of government cryptanalytic
services. Still, it is the working assumption that DES is reasonably
strong under known plaintext and triple-DES is very strong under all
attacks.
To summarize, the basic types of cryptanalytic attacks in order of
difficulty for the attacker, hardest first, are:
cyphertext only: the attacker has only the encoded message from which
to determine the plaintext, with no knowledge whatsoever of the
latter.
A cyphertext only attack is usually presumed to be possible, and
a code's resistance to it is considered the basis of its
cryptographic security.
known plaintext: the attacker has the plaintext and corresponding
cyphertext of an arbitrary message not of his choosing. The
particular message of the sender's is said to be `compromised'.
In some systems, one known cyphertext-plaintext pair will
compromise the overall system, both prior and subsequent
transmissions, and resistance to this is characteristic of a
secure code.
Under the following attacks, the attacker has the far less likely
or plausible ability to `trick' the sender into encrypting or
decrypting arbitrary plaintexts or cyphertexts. Codes that resist
these attacks are considered to have the utmost security.
chosen plaintext: the attacker has the capability to find the
cyphertext corresponding to an arbitrary plaintext message of his
choosing.
chosen cyphertext: the attacker can choose arbitrary cyphertext and
find the corresponding decrypted plaintext. This attack can show
in public key systems, where it may reveal the private key.
adaptive chosen plaintext: the attacker can determine the cyphertext
of chosen plaintexts in an interactive or iterative process based on
previous results. This is the general name for a method of attacking
product ciphers called `differential cryptanalysis'.
The next part of the FAQ gives the mathematical detail behind the
various types of cryptoanalytic attacks.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
