Cryptography-Digest Digest #894, Volume #13      Wed, 14 Mar 01 01:13:01 EST

Contents:
  Re: Crypto idea (David Schwartz)
  Re: An extremely difficult (possibly original) cryptogram ("George T. Chambers Jr.")
  Re: One-time Pad really unbreakable? (Benjamin Goldberg)
  Re: PGP "flaw" ("George T. Chambers Jr.")
  Re: Applications of crypto techniques to non-crypto uses (SCOTT19U.ZIP_GUY)
  Re: One-time Pad really unbreakable? ("Douglas A. Gwyn")
  Re: One-time Pad really unbreakable? ("Douglas A. Gwyn")
  Re: qrpff-New DVD decryption code ("Douglas A. Gwyn")
  Re: Cryptoanalytic tool using dictionary for decryption of  ("Douglas A. Gwyn")
  Re: Online Poker RNG (Terry Ritter)
  Re: NTRU - any opinions (Benjamin Goldberg)
  Authentication Protocol Strength ([EMAIL PROTECTED])
  Re: Applications of crypto techniques to non-crypto uses (Benjamin Goldberg)
  Re: PGP "flaw" (Brian D Jonas)
  Re: OverWrite:  best wipe software? (Benjamin Goldberg)

----------------------------------------------------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Crypto idea
Date: Tue, 13 Mar 2001 19:07:20 -0800


"Trevor L. Jackson, III" wrote:

> No, anyone who was at least as intelligent as the intended receiver would be able
> to read messages.

        I think his argument is basically that it would be more difficult to
brute-force a key if you had no idea what the 'plaintext' looked like.
However, there are so many flaws in this argument one hardly knows where
to begin pointing them out. The most obvious are:

        1) You can brute-force PK without knowing what the plaintext looks like
anyway. For example, brute-forcing RSA usually involves factoring a key,
which has nothing to do with the plaintext (or ciphertext for that
matter).

        2) If your biggest vulnerability is that someone might exploit some
knowledge of your plaintext to brute force a key, then you've got a damn
good encryption system. I mean, that's the goal that we shoot for.

        3) Many of the tricks you suggest rely upon alternate alphabets. You
would have to communicate the alphabet to the recipient in order for him
to have any hope of decoding the messages, thus decreasing their value
for obfuscation.

        4) Such encryption would be extremely hard to use. You could justify
this difficulty of use if some extra security were provided for
applications that already had extremely high security. But there's no
such advantage. You could just as well take however much difficulty you
think this adds to brute-forcing, convert it into bits, and make your
key that much longer.

        5) You either trust your encryption or you don't. If your encryption is
weak, at best this will give you a false sense of security.

        6) This relies extensively on humans, by far the least reliable piece
of any cryptosystem.

        DS

------------------------------

From: "George T. Chambers Jr." <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: An extremely difficult (possibly original) cryptogram
Date: Wed, 14 Mar 2001 03:39:22 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

"John Savard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Sun, 11 Mar 2001 20:29:30 GMT, [EMAIL PROTECTED] (daniel
> mcgrath) wrote, in part:
>
> >Tysoizbyjoxs, this may be the most complicated code anyone has
> >ever done!
>
> If there is really any chance of that, it is hardly worth the
> effort to bother trying to solve it, since there are plenty of
> codes that are unbreakable in practice.
>
> >Can any of you work out the key?
>
> >I do want to see some comment, even if you are totally lost, as no
> >doubt quite a few of you are.
>
> In general, postings of this type are frowned upon.
>
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm
>

I agree with you totally.  Even though there are many people here
extremely conversant and intelligent, there are those who would make
snide remarks about others' lack of knowledge!  Forgive me, but I'm
new here and I'm trying to learn all I can from the more
knowledgeable of the group.  Comments like that downgrade the
usability of the information presented here!  And those of us who
post and are beginners!

George T. Chambers Jr.


=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOq7nn8uhNCbr5vneEQKOigCfR0BXyiB87EBn44rq1DZpE2N3oucAoIUc
kdFsDKo6TKLTbVMtAsXcMMQn
=dbp7
=====END PGP SIGNATURE=====




------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Date: Wed, 14 Mar 2001 03:47:18 GMT

Tim Tyler wrote:
> 
> Dave Knapp <[EMAIL PROTECTED]> wrote:
> : On Fri, 9 Mar 2001 10:59:32 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote:
> :>Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> 
> :>: In contrast, the irreducible nature of quantum randomness has been
> :>: well established by experiment and theory.  It's not due merely a
> :>: lack of more detailed knowledge of the state of the system.
> :>
> :>Yet there are deterministic theories of how the world operates,
> :>which appear to be quite consistent with observation:
> :>
> :>http://www.anthropic-principle.com/preprints/manyworlds.html
> :>
> :>Q13 Is many-worlds a deterministic theory?
> :>    Yes, many-worlds is a deterministic theory [...]
> :>
> :>A deterministic theory has no place for randomness.
> 
> : Wrong.  Thanks for playing, though.  The many-worlds hypothesis (it
> : isn't a theory yet) is deterministic, but it is unable to predict
> : the results of a single observation, since the worldline in which
> : the observation will be made is unpredictable.
> 
> Actually many worlds does make concrete predictions if the initial
> state is completely known.  That's a consequence of its determinism.

I think you're parsing that wrong.  Knapp said "the worldline in which
the observation will be made is unpredictable."  You seem to be
interpreting that as "the worldline will be unpredictable."  I would
interpret it as "it is not possible to predict which worldline the
observer will be in, after the observation is made."

> Consequently, DAG's statement that: "It's not due merely a lack of
> more detailed knowledge of the state of the system" is mistaken - if
> sufficiently detailed knowledge of the state of the system were
> available, prediction would be possible.

God is able to observe the entire state of the system.  Is anyone else
capable of such?

> The problem is that an embodied observer does not appear to have any
> way to obtain information about the entire state of the system.

Isn't that what Knapp just said?  It is impossible for an observer to
predict what timeline he will be in.  Or rather, he'll be in both, but
he won't know... urgh, this is hard to phrase.

Imagine you are about to walk into a magical machine which duplicates
people.  You walk into one doorway, and walk out of two.  Will you be
able to predict, ahead of time, which doorway you will walk out of?

To God, many-worlds is both deterministic and predictable.  To man,
many-world is deterministic, but not predictable.  Determinism doesn't
change based on who or what the observer is, but predictability does.

Now going back a bit... Gwyn said:
> :>A deterministic theory has no place for randomness.

Now I'm rather curious.  How should we define randomness?  Suppose
many-worlds is fact, not hypothesis... us humans have no way of
predicting the future, but God does.  Is randomness "merely" lack of
predictability?  In that case, randomness only exists for man, but not
for God...

Here's a puzzle for you... if many-worlds is real, and if God knows the
future(s), is it possible for Him to feel either hopeful or worried?

The very last Thing in Pandora's box was foreknowledge of all that was
bad about the future -- by not letting that evil escape, mankind has the
ability to hope.

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.

------------------------------

From: "George T. Chambers Jr." <[EMAIL PROTECTED]>
Subject: Re: PGP "flaw"
Date: Wed, 14 Mar 2001 03:59:08 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Thanks Tony,

I'm using PGP now and am becoming very satisfied with it!

George T. Chambers Jr.

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOq7sfcuhNCbr5vneEQISwgCeOd+AWzRylTHYLlhmb1MxKpFPg58AnRb+
ZNqNJAZtOK78LPUvq6TtK7Ph
=qxgL
=====END PGP SIGNATURE=====




------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Applications of crypto techniques to non-crypto uses
Date: 14 Mar 2001 04:03:31 GMT

[EMAIL PROTECTED] (wtshaw) wrote in <jgfunj-1303012029190001@dial-244-
015.itexas.net>:

>In article <[EMAIL PROTECTED]>, Mok-Kong Shen
><[EMAIL PROTECTED]> wrote:
>...
>> Are there other known applications of crypto techniques to 
>> non-crypto uses? Thanks.
>> 
>> M. K. Shen
>
>Converting Asynchronous<->Synchronous communications is a problem which
>can be solved using two adjacent bases.  
>
>The asynchronous stream would never have a repeating element whereas the
>synchronous one could.  Asnchronous series should not need sync pulses and
>are therefore infinitely variable as to baud rate. 
>
>Consider the usefulness of converting text to a sequence void of double
>characters, or a series of different tones, each of which is ended with
>one of another frequency.

  It would be easy to convert to a stream of characters that never
repeat.  One way is just to write the first character as is.  Then do a
static huffman decompress with a 255 leaf tree, the first character
dropped.  Then every time you decode a character you change the leaf of
the node used for the previous.  That way you never get two characters
the same in a row.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Date: Wed, 14 Mar 2001 04:12:51 GMT

Tim Tyler wrote:
> The problem I think you're trying to get at is that it is difficult
> for an embodied observer to get reliable and complete information
> about the system in the first place.

No, the point is that that is impossible even in principle.

The fact that I'm ignoring your other erroneous statements
is due to the apparent possibility of getting you to listen.
I already made the necessary points about quantum physics,
so anyone who was listening has already heard what is needed.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Date: Wed, 14 Mar 2001 04:15:03 GMT

Frank Gerlach wrote:
> I suspect the UKUSA alliance just hates OTP, because all their
> expensive equipment is useless, if OTP is used properly. Because
> of that, they are trying to undermine its credibility.

No conspiracy is needed to explain why OTP is not used for most
purposes -- it's the great practical difficulty posed by key
management for such a system.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: qrpff-New DVD decryption code
Date: Wed, 14 Mar 2001 04:25:13 GMT

John Savard wrote:
> As for the illegal reproduction of copyrighted material: yes, it is
> wrong. It's wrong because our society has decided to grant copyrights
> in order to encourage literary and artistic activity;

No, it is wrong because the producers of that material make it
available to us under certain terms that they, *as* producers,
have the right to establish, and if we take the material without
honoring the terms, it is theft of (intellectual) property.

> To most people, what is wrong about stealing is not that the thief
> has valuable things in his possession that he did not work for, but
> that the victim suffers from their absence.

Apparently what is needed is education about the concepts of
production, ownership, and property.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Cryptoanalytic tool using dictionary for decryption of 
Date: Wed, 14 Mar 2001 04:28:35 GMT

Roman Szarowski wrote:
> I need something that automatically tries to analyse the ciphertext
> without interaction.

Such approaches only work reliably for the simplest systems,
or for specific systems under specific circumstances.
And they don't usually use "dictionaries" as such, but rather
statistical characterization of the source language.  You can
read about some programs along these lines in Cryptologia,
for example.

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Crossposted-To: rec.gambling.poker
Subject: Re: Online Poker RNG
Date: Wed, 14 Mar 2001 04:41:47 GMT


On Tue, 13 Mar 2001 21:23:33 -0500, in
<98mkni$u38$[EMAIL PROTECTED]>, in sci.crypt "Dan Kimberg"
<[EMAIL PROTECTED]> wrote:

>(cards with radioactive sources are
>cheap 

I assume this implies some sort of radioactive event detector as well.
Do you have a web page reference for such a card?  I have never seen
one.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: NTRU - any opinions
Date: Wed, 14 Mar 2001 05:08:01 GMT

Dr. Yongge Wang wrote:
> 
> Dan Bailey <[EMAIL PROTECTED]> wrote:
> : Anyone (even those who work for Certicom!) who would like a document
> : on the extensive scrutiny NTRU has received in the literature can
> : feel free to email me. I'll be happy to oblige.
> 
> : Here's the executive summary:  "Better attacks or better lattice
> : reduction algorithms are required in order to break NTRU" (Nguyen
> : and Stern, in ANTS-2000).
> 
> Unfortunately, I cannot agree with that. NTRU signature scheme
> presented in Crypto'00 was broken without any use of lattice
> technique.
> NTRU is not a lattice scheme. There might be an algebraic method to
> break it.

NTRU is a knapsack scheme.  All the old knapsack schemes were broken
with lattices.  NTRU cannot be broken with current lattice algorithms
because the lattice is/would be much too big... a paraphrase of the
title of Nguyen and Stern's paper would be: "we need either some better
attack than lattice, or else a significant improvement in how lattice is
done."  Disagreeing would mean that we do not need a better attack than
lattice, and that current lattice attacks work.

> 
> : Cheers
> : Dan
> 
> : PS Yes, I work for NTRU.
> 
> : On 9 Mar 2001, DJohn37050 wrote:
> 
> :> So, ECC has a space advantage and perhaps NTRU has a speed
> :> advantage on a Pentium, if you believe NTRU is strong.  I notice
> :> that the NTRU sig method presented at Crypto is nowhere to be
> :> found (anymore) on the NTRU website, instead a new one from fall
> :> 2000 is being offered.  What happened to the old one, did someone
> :> break it?  Do you think this inspires confidence?
> :> Don Johnson

Incidentally, the fact that the old signature scheme was broken and a
new one suggested does NOT affect how well or poorly the encryption
system works -- the two use the same group (or is it field?), but a
break on one does not automatically imply a break on the other.

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.

------------------------------

Date: 14 Mar 2001 05:18:36 -0000
From: [EMAIL PROTECTED]
Subject: Authentication Protocol Strength

Hi.  I've been working on developing an authentication and key
exchange protocol between two users using public keys and a trusted
server.  I would really appreciate it if some readers would look at this
protocol and post your response to any of its flaws, or anything
about it in general.

Definition of variables:
Av = Client's private key
Ac = Client's public key
Tv = Trusted server's private key
Tc = Trusted server's public key

Outline of protocol:
Step 1 - The client generates a key pair: Av, Ac.
Step 2 - The client encrypts Ac with Tc and sends it to the server.
Step 3 - The server decrypts Ac and sends the client the digital
signature of Ac.
Step 4 - The client verifies the signature using Tc.
Step 5 - The client prepares a message consisting of "OK" with a
timestamp appended if verified correctly, or "NO" with a timestamp
appended if it was not verified.  This message is encrypted with Tc
and sent to the server.

Analysis of protocol in regards to MITM attacks (Mallory = MITM):
Step 1 - It is assumed no one will steal a key from the computer while
it is generated.
Step 2 - Mallory can not decrypt the data being sent without access to
Tv.
Step 3 - Mallory can't verify the signature of the key without having
access to Ac.  The worst possible situation is manipulation of the
digital signature so it won't verify.
Step 4 - Mallory waits.
Step 5 - Mallory can't decrypt the data being sent to the trusted
server.  She can only manipulate the data being sent.

Please post any responses to this protocol in the news or please email
me.
Thank you for your time.

-George
[EMAIL PROTECTED]
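
An added example, not part of George's post: the five steps above run as an
actual exchange of messages, with textbook RSA over short, freshly generated
primes standing in for "encrypt with Tc" and "sign with Tv".  The prime sizes,
the fixed public exponent, the encoding of Ac as just its modulus, and the
party names are assumptions of this demonstration, not part of the protocol.
The second run in the usage section shows the thing the step-by-step analysis
does not cover: because Tc is public, Mallory needs nothing secret to take
part, so she can simply run the exchange with a key pair of her own and the
server signs it just as readily, since nothing in steps 1 to 5 ties Ac to any
particular client.

```python
# Added example, not part of George's post: steps 2 to 5 of the protocol run
# as an exchange of messages, with textbook RSA over short, freshly generated
# primes standing in for "encrypt with Tc" and "sign with Tv".  The prime
# sizes, fixed public exponent, the encoding of Ac as its modulus n, and the
# party names are assumptions of this demo, not part of the protocol.
import hashlib
import random
import time

E = 65537  # fixed public exponent, so a public key is identified by its modulus

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; probabilistic, which is fine for a demonstration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits):
    """Return (private, public) as ((d, n), (E, n)) from two `bits`-bit primes."""
    def prime():
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if (c - 1) % E and is_probable_prime(c):   # keeps gcd(E, phi) = 1
                return c
    p, q = prime(), prime()
    n, phi = p * q, (p - 1) * (q - 1)
    return (pow(E, -1, phi), n), (E, n)

def encrypt(pub, m):                 # E_K(m): m is an integer below the modulus
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message too large for this key")
    return pow(m, e, n)

def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)

def sign(priv, data):                # RSA over a hash of the data
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def run_protocol(a_priv, a_pub, t_priv, t_pub, log=None):
    """Run steps 2-5; return (the key the server signed, the step-5 plaintext)."""
    log = [] if log is None else log
    ac = a_pub[1]                                       # "Ac", sent as its modulus
    msg2 = encrypt(t_pub, ac)                           # step 2: E_Tc(Ac)
    log.append(("A -> T", "E_Tc(Ac)", msg2))
    seen = decrypt(t_priv, msg2)                        # step 3: T decrypts ...
    msg3 = sign(t_priv, seen.to_bytes(64, "big"))       # ... and signs what it saw
    log.append(("T -> A", "Sig_Tv(Ac)", msg3))
    ok = verify(t_pub, ac.to_bytes(64, "big"), msg3)    # step 4: verify with Tc
    reply = ("OK" if ok else "NO") + "|" + str(int(time.time()))
    msg5 = encrypt(t_pub, int.from_bytes(reply.encode(), "big"))   # step 5
    log.append(("A -> T", "E_Tc(reply)", msg5))
    plain = decrypt(t_priv, msg5)
    return seen, plain.to_bytes((plain.bit_length() + 7) // 8, "big").decode()

if __name__ == "__main__":
    a_priv, a_pub = keygen(128)      # the client's Av, Ac
    t_priv, t_pub = keygen(160)      # the server's Tv, Tc (larger so Ac fits under it)
    log = []
    seen, reply = run_protocol(a_priv, a_pub, t_priv, t_pub, log)
    for who, what, val in log:
        print(f"{who}: {what} = {hex(val)[:20]}...")
    print("server signed the client's key:", seen == a_pub[1], "| reply:", reply)
    # Mallory needs only Tc, which is public, to run the very same exchange.
    m_priv, m_pub = keygen(128)
    seen, reply = run_protocol(m_priv, m_pub, t_priv, t_pub)
    print("server signed Mallory's key:   ", seen == m_pub[1], "| reply:", reply)
```

Both runs end with the server decrypting an "OK" and holding a signature over
whatever modulus was presented to it; from the server's side the two
transcripts are indistinguishable.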

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Applications of crypto techniques to non-crypto uses
Date: Wed, 14 Mar 2001 05:22:41 GMT

SCOTT19U.ZIP_GUY wrote:
> 
> [EMAIL PROTECTED] (wtshaw) wrote in <jgfunj-1303012029190001@dial-244-
> 015.itexas.net>:
> 
> >In article <[EMAIL PROTECTED]>, Mok-Kong Shen
> ><[EMAIL PROTECTED]> wrote:
> >...
> >> Are there other known applications of crypto techniques to
> >> non-crypto uses? Thanks.
> >>
> >> M. K. Shen
> >
> >Converting Asynchronous<->Synchronous communications is a problem
> >which can be solved using two adjacent bases.
> >
> >The asynchronous stream would never have a repeating element whereas
> >the synchronous one could.  Asnchronous series should not need sync
> >pulses and are therefore infinitely variable as to baud rate.
> >
> >Consider the usefulness of converting text to a sequence void of
> >double characters, or a series of different tones, each of which is
> >ended with one of another frequency.

Tones?  Like music?  In a case like that, simply use one more tone than
you have symbols.  For 8 symbols, use 9 tones.  If the current tone
being played is x (x in 0..8), and you want to transmit symbol y (y in
0..7), switch to playing tone ((x+y+1) mod 9).

For arbitrary sized ranges, (n symbols, m tones), first use arithmetic
(or maybe huffman) coding to convert from n different symbols to m-1
different symbols, after which continuing as above is easy.

>   It would be easy to convert a to a stream of characters that never
> repreat.  One way is just write first character as is. Then do a
> static huffman decompress with a 255 leaf tree. The first character
> dropped.
> Then every time ou decode a character you change the leaf of the nod
> used for the previous. That way you never get two characters the same
> in a row.

This will work, I think, but it is not particularly efficient, and will
not merely cause more expansion than desired, but will introduce an
unseemly bias.

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
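
An added example serving both Scott's post earlier in this digest (a
character stream with no two identical characters in a row) and Goldberg's
reply here (one more tone than symbols, next tone (x+y+1) mod 9), and code from
neither poster: Goldberg's construction, generalized as he suggests to n
symbols and m tones.  The generalization below is a plain change of base over
a fixed-length block rather than the arithmetic or Huffman coding he mentions;
the start tone of 0 and the sample message are assumptions of this demo.

```python
# Added example serving both posts, not code from either: Goldberg's
# "one more tone than symbols" scheme, generalized as he suggests to n
# symbols and m tones.  The generalization here is a plain change of base
# over a fixed-length block rather than arithmetic or Huffman coding; the
# start tone of 0 and the sample message are assumptions of this demo.

def redigit(digits, src_base, dst_base, dst_len=None):
    """Re-express a base-src_base digit string in base dst_base.

    The whole string is read as one integer, so leading zeros survive only
    through the fixed output length: either the caller supplies it (the
    decoder knows how many symbols to expect) or the smallest length that
    can hold any input of this size is used.
    """
    if src_base < 2 or dst_base < 2:
        raise ValueError("bases must be at least 2")
    value = 0
    for d in digits:
        if not 0 <= d < src_base:
            raise ValueError("digit out of range")
        value = value * src_base + d
    if dst_len is None:
        bound, capacity, dst_len = src_base ** len(digits), 1, 0
        while capacity < bound:
            capacity, dst_len = capacity * dst_base, dst_len + 1
    out = []
    for _ in range(dst_len):
        out.append(value % dst_base)
        value //= dst_base
    if value:
        raise ValueError("dst_len too small for this input")
    return out[::-1]

def encode_tones(symbols, n, m, start=0):
    """Map base-n symbols onto m tones so that no tone is ever held twice in
    a row.  With the current tone x in 0..m-1 and a base-(m-1) digit y in
    0..m-2, the next tone is (x + y + 1) mod m, which never equals x because
    y + 1 lies in 1..m-1."""
    tones, x = [], start
    for y in redigit(symbols, n, m - 1):
        x = (x + y + 1) % m
        tones.append(x)
    return tones

def decode_tones(tones, n, m, count, start=0):
    """Invert encode_tones; `count` is the number of original symbols."""
    digits, x = [], start
    for t in tones:
        digits.append((t - x - 1) % m)
        x = t
    return redigit(digits, m - 1, n, count)

def has_adjacent_repeat(tones, start=0):
    """True if some tone equals its predecessor (the start tone counts)."""
    prev = start
    for t in tones:
        if t == prev:
            return True
        prev = t
    return False

if __name__ == "__main__":
    message = list(b"hello, world")                 # constructed sample, n = 256
    tones = encode_tones(message, 256, 9)           # m = 9 tones, base-8 digits
    print(tones)
    print("adjacent repeat:", has_adjacent_repeat(tones))
    print(bytes(decode_tones(tones, 256, 9, len(message))))
```

With n = 8 and m = 9 the change of base is the identity and this is exactly
the scheme in the post; for bytes onto nine tones it spends 32 tones on a
12-byte message, the ceiling of 96/3, with no bias between tones beyond what
the input carries.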

------------------------------

From: Brian D Jonas <[EMAIL PROTECTED]>
Subject: Re: PGP "flaw"
Date: Wed, 14 Mar 2001 00:27:31 -0500


I apologize for that post on the PGP flaw. I came across the txt file and
didn't look at the date. Here is the entire article....


Security flaw discovered in Network Associates PGP software

August 28, 2000
Web posted at: 10:52 a.m. EDT (1452 GMT)


by Ellen Messmer

(IDG) -- European cryptographic researchers have uncovered a serious
security flaw in both the Unix and Windows versions of Network Associates
PGP software 5.5 through 6.5.3 - a flaw that allows a savvy attacker to
alter the victim's PGP public certificate and read any message encrypted
with the altered certificate. 

A certificate is software that unites the user's identity with a set of
encryption keys and is used for signing, encrypting and decrypting
messages. 

European researchers Ralf Senderek and Stephen Early disclosed their
findings in a paper published Thursday online. 
Network Associates acknowledged the paper's findings, emphasizing that the
company is working on a software patch to prevent any attacker from
exploiting this flaw. 

"To our knowledge, no customer data has been compromised," says Mike
Wallach, president of PGP Security. 

Network Associates executives originally wanted to make the software fix
for PGP available Thursday, but they now say it will be available for
download from PGP.com by 5 p.m. Friday. 

The flaw centers on the way that PGP implements a so-called
"data-recovery" feature that lets an authorized third party gain access to
data encrypted with the user's PGP certificate. 

"The issue is an attacker can add an additional key to the user's
public-key certificate to be used as an additional decryption key,"
acknowledges Mike Jones, PGP business line manager at Network Associates. 


As it turns out, this flaw has actually existed since 1997, back when Phil
Zimmermann, the original developer of PGP, added the data-recovery feature
as he sought to commercialize the product for corporate use, Jones points
out. As a safety measure, corporations want to have a way to decrypt data
that their employees encrypt, Jones notes. 

At the time, the federal government was also pushing hard to get companies
to add so-called "key escrow" type technologies to their encryption
products so that law enforcement could obtain access to encrypted data on
demand. 

Network Associates bought PGP in December 1997. The three-year-old flaw,
not publicized until Thursday, lets an attacker decrypt PGP data but does
not let the attacker impersonate the PGP certificate holder, Jones
emphasizes. 

Network Associates has taken offline a central server in Santa Clara,
Calif., containing PGP public-key certificates until the problem is
resolved, which should occur by tomorrow morning. 

The patch that Network Associates expects to soon release will correct two
problems. It will prevent any additional decryption keys from being added
to any field in the PGP certificate. And it will also work to verify where
additional decryption keys came from to ensure there has been no tampering
of a user's certificate. 

Jones expresses some anger that the European researchers publicized their
findings without first informing Network Associates of the flaw. "That was
irresponsible of them," he says. 

Network Associates says the discovered vulnerability is actually quite
difficult to exploit. You have to modify the sender's public-key
certificate, make sure the sender would have a copy of that and modify the
recipient's key as well, Jones says. That is more easily said than done. 

But it is certainly possible. And the PGP bug arises from the mistake that
PGP originally made in not ensuring that all the additional decryption
keys in the data-recovery field have to be signed to prevent the
tampering. 

"The reason the researchers could discover it at all is because we publish
the source code for peer review," Jones adds. 

However, until earlier this year, the government's encryption regulations
did not permit encryption source code to be published online. So, the PGP
source code was only available in a 43-volume, 65,000-page set of books
sold in a Palo Alto bookstore called Printer's Ink. 




 I guess I am still confused as to when the additional key is added. WAS
the key for law officials hardcoded and thus transparent to the
end user? Perhaps someone in touch with reality (being it that I am not)
and with more understanding of PGP can explain what this "flaw" WAS....
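
An added example, not code from the article, from PGP, or from the
researchers' paper: a toy model of the mistake the article describes.  The
article answers Brian's question indirectly: no key was hard-coded; the
additional decryption key (ADK) is a field in the public certificate, and the
bug was that PGP honored it even when it sat in a part of the certificate that
the owner's self-signature did not cover.  In OpenPGP terms that part is the
unhashed subpacket area of the self-signature.  The certificate layout, the
HMAC standing in for the self-signature, and the key ids are all constructed
for this demonstration.

```python
# Added example (not code from the article, from PGP, or from the
# researchers' paper): a toy model of the mistake the article describes.
# The certificate format, the HMAC stand-in for the self-signature and
# the key ids are constructed for this demonstration.
import copy
import hashlib
import hmac
import json

def sign_cert(secret, cert):
    """Toy self-signature: covers the key id, the user id and the *hashed*
    subpacket area only; the unhashed area is deliberately outside it."""
    body = json.dumps([cert["key_id"], cert["user_id"], cert["hashed"]],
                      sort_keys=True).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_cert(secret, cert):
    return hmac.compare_digest(sign_cert(secret, cert), cert["sig"])

def make_cert(secret, key_id="VICTIM", user_id="victim@example.org", adk=None):
    """Build and self-sign a certificate; a legitimate corporate data-recovery
    key, if any, goes in the hashed (signed) area where the owner put it."""
    cert = {"key_id": key_id, "user_id": user_id, "hashed": [], "unhashed": []}
    if adk:
        cert["hashed"].append({"type": "ADK", "key_id": adk})
    cert["sig"] = sign_cert(secret, cert)
    return cert

def add_adk(cert, area, key_id):
    """What an attacker does to a copy of the victim's public certificate."""
    tampered = copy.deepcopy(cert)
    tampered[area].append({"type": "ADK", "key_id": key_id})
    return tampered

def recipients_vulnerable(cert):
    """Pre-patch behaviour as the article describes it: encrypt to the primary
    key plus every ADK found anywhere in the certificate, signed area or not."""
    keys = [cert["key_id"]]
    for area in ("hashed", "unhashed"):
        keys += [sp["key_id"] for sp in cert[area] if sp["type"] == "ADK"]
    return keys

def recipients_fixed(secret, cert):
    """Honor only ADKs the self-signature covers, and only after checking it."""
    if not verify_cert(secret, cert):
        raise ValueError("self-signature does not verify; refusing to encrypt")
    return [cert["key_id"]] + [sp["key_id"] for sp in cert["hashed"]
                               if sp["type"] == "ADK"]

if __name__ == "__main__":
    secret = b"victim-signing-key"        # stand-in for the victim's private key
    cert = make_cert(secret, adk="CORP-RECOVERY")
    evil = add_adk(cert, "unhashed", "MALLORY")
    print("tampered cert still verifies:", verify_cert(secret, evil))
    print("vulnerable recipients:", recipients_vulnerable(evil))
    print("fixed recipients:     ", recipients_fixed(secret, evil))
```

The point of the model is the first printed line: the tampered certificate
still verifies, because the attacker only touched what the signature never
covered, so a sender who checks the signature and then trusts every ADK field
is fooled.  Had the attacker put the key in the hashed area instead, the
signature would break and the fixed version refuses to encrypt at all.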
------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker
Subject: Re: OverWrite:  best wipe software?
Date: Wed, 14 Mar 2001 05:30:42 GMT

Anthony Stephen Szopa wrote:
> 
> Benjamin Goldberg wrote:
> >
> > You claim to have demonstrated a "procedure whereby the OverWrite
> > ><snip>
> 
> Let me ask you then, using OverWrite and my procedure of a dedicated
> hard drive partition, etc., why will not the desired file be
> thoroughly overwritten?  Give us just one objection and we will
> pursue it like a pack of dogs pursues the fox.

A dedicated hdd partition will still not help the case for when the hdd
compresses sectors.  Also, if my computer's cache keeps blocks in memory
for a very long time (for longer than the one, single, pc which you are
developing on), and has a very large cache (maybe even larger than the
dedicated partition), then your methods won't work.

Of course, since I don't trust your code not to be a trojan horse, and
not to contain virii, I am not going to dl it.  The cost of the risk is
much much much higher than the cost of a physically destroyable floppy.

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************

Reply via email to