Cryptography-Digest Digest #912, Volume #13 Fri, 16 Mar 01 06:13:01 EST
Contents:
Re: SSL secured servers and TEMPEST (Paul Rubin)
Re: An extremely difficult (possibly original) cryptogram ("Henk van Voorthuijsen")
Re: The Art of Cryptography (was: Super strong crypto) (Mok-Kong Shen)
Re: Super strong crypto ("Bryan Olson")
Re: qrpff-New DVD decryption code (Joe H. Acker)
Re: qrpff-New DVD decryption code (Joe H. Acker)
Re: SSL secured servers and TEMPEST ("Bryan Olson")
Re: TV Licensing (Was: => FBI easily cracks encryption ...?) (Arturo)
----------------------------------------------------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: SSL secured servers and TEMPEST
Date: 16 Mar 2001 01:13:01 -0800
Frank Gerlach <[EMAIL PROTECTED]> writes:
> > The one FIPS 140-1 level 4 module that I know anything about (IBM 4758)
> > went to serious lengths to avoid leaking any data through EM emissions.
> Could you please explain how FIPS 140-1 level 4 does address TEMPEST? It
> addresses EMI/EMC, which is of course a precondition for good shielding,
> but it is in no way sufficient.
> Maybe you can quote the 140-1 section on defending against
> eavesdropping. From what I have read, it says absolutely nothing about
> that.
From what I've heard, the 4758 designers worked quite hard to protect
4758 internal data from leakage, whether or not that was a 140-1
requirement.
------------------------------
From: "Henk van Voorthuijsen" <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: An extremely difficult (possibly original) cryptogram
Date: Fri, 16 Mar 2001 10:15:04 +0100
Reply-To: "Henk van Voorthuijsen" <[EMAIL PROTECTED]>
>
> >6. Daniel gave a big clue, as follows:
> >
> > You came 620711143 close with 54006 of the 806648
> > first hypotheses 711015 you had 450103. The code
> > 696690137 used here, 27465680662, is based 7774
> > the same 20650362042 idea as 71112 system used
> > 1743 my cryptograms.
> [...]
> >Evidently 620711143 means very or fairly or rather or something like
> >that.
>
620711143 = "rather"?
7774 = "upon"?
1743 = "by"?
696690137 = "system"?
> >54006 probably means "one".
> >806648 may mean "very".
> >711015 may mean "that".
> >450103 may mean "made".
> >71112 = "the"?
> >20650362042 may mean "basic" or "fundamental".
I would say it's in the "c" range, right?
Henk
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: The Art of Cryptography (was: Super strong crypto)
Date: Fri, 16 Mar 2001 10:39:19 +0100
John Savard wrote:
>
[snip]
> Thus, on my site, at the bottom of the page
>
> http://home.ecn.ab.ca/~jsavard/crypto/co041205.htm
>
> under the heading "The Aryabharata Cipher, and Two-Timing Pads", I
> have my own little contribution to the search for a 'super-strong'
> enciphering mode.
>
> Two parties that wish to communicate share a key that is more than
> twice as large as any message block, and when they send a message,
> they send, using a public-key cipher, a set of four session keys for
> each block in the message.
>
> Because of the way in which keys used in encipherment are derived from
> the shared large secret key, it appears to me that it is very
> difficult to recover that key, even if the public-key encryption used
> to pass session keys is broken. Of course, for an improved form of
> triple encryption, a method with speed on the order of that for
> hextuple encryption might seem to be overreaching itself if it
> attempts to claim the best security for the time required.
Could your scheme be globally characterized as consisting
of a fairly complex (hence difficult to analyze) PRNG that
generates dynamically the keys for block encryption? Thanks.
M. K. Shen
------------------------------
From: "nospam"@"nonsuch.org" ("Bryan Olson")
Subject: Re: Super strong crypto
Date: Fri, 16 Mar 2001 09:47:15 GMT
In article <[EMAIL PROTECTED]>, Douglas A. Gwyn wrote:
>Bryan Olson wrote:
>> It's awkward. It requires a source of true random numbers,
>> bloats the ciphertext and has to execute the key scheduler
>> repeatedly.
>
>For any reasonable security one needs a source of randomness
>anyway, e.g. to generate an IV.
No. We do need randomness to generate the initial key, but
after that no more is required. Generating the IV's
requires only a non-repeating source, not a random one.
>Each block uses
>a small fraction of channel capacity (12.5% in the example)
Modestly awkward.
>I guess you
>mean something within the block cipher function
Yes.
>if so, then so what -- it might slow down execution for some
>choices of block function, but that's not "awkward".
And that alone makes your scheme significantly slower for
most real ciphers (the one exception I know of is Skipjack).
In all, quite awkward.
>Yes, "super strong crypto" ought to involve a degree of
>proof that (listen!) *simply is not available*.
I agree.
>One can,
>however, *anticipate* the features of a relevant theory
>should it ever emerge, and one of those features would be
>a way to connect the system structure, source language
>properties, key and CT length, etc. to produce a *lower
>bound* for the amount of computation needed by the analyst
>to attain a given recovery rate (for specified scenario).
No one has disagreed that showing a lower bound on
computation would be a reasonable proof of security. The
only one who insisted on couching the presentation in
information theoretic terms was you. The information
theoretic analysis shows that your scheme expands the
ciphertext by at least as much as it extends the amount of
ciphertext sent with (information theoretic) security;
there's no net gain.
Would theorems on computational security come out
differently? We'll know when we have them. You have no
rational justification for anticipating that a rigorous
theory, were it developed, would show your scheme secure
and/or modern block ciphers insecure.
>It is quite evident that that could be effectively inverted
>to produce an *upper bound* on the amount of CT using a
>fixed key before an assumed available amount of analyst's
>computational resources could be expected to recover the
>secret information with high enough probability to pose a
>real threat.
Sure, there might be theorems discovered that could give us
computational upper bounds and lower bounds on both a block
cipher in a conventional mode, and in your mode. You have
no such theory so drawing the conclusion about what it would
say is nonsense. Your system bloats the ciphertext, so even
if cryptanalysis requires more ciphertext, your mode may
provide it.
>*Absent the actual theory*, it then becomes
>a matter of judgment just how much CT that might be; from
>my own experience as a cryppie I don't think it would take
>a whole lot, as you can tell from my suggested example.
>Wagner's attacks showed that the mode of operation *by
>itself* doesn't make for a strong system, but then that is
>not what I suggested.
Wagner also asked you to precisely state your assumption. I
believe his attacks were usually consistent with what you
had stated when he formed them.
>What I want feedback on is only
>possible protocol problems (as of phase 3) that could
>introduce new vulnerabilities at least as great as the ones
>being obscured. Take as a given that the block function
>requires some feasible but substantial amount of computation
>to invert, call it K, and see if there is a way to crack the
>overall scheme with on the order of K amount of computation.
>If so, is there a simple fix?
Probably. Add more rounds, super-encrypt, use the
randomizing techniques from Crypto 82. These are likely to
be strictly stronger, and in some cases can be shown to be
at least as strong. Like your suggestion, they should not
be confused with provable security.
>And if not, then my goal is
>achieved -- without weakening the system, for a small amount
>of trade-off whole classes of C/A attacks have been spoiled.
>In that case, this *would* be a real contribution toward
>"super strong crypto" *even though we don't yet have a good
>theory*.
Your paragraph above is the kind of thing I described as
hypothesizing a weakness and conjecturing a fix. You have
no reason to believe K is generally tractable, and no way to
show that your scheme would make the work factor
intractable.
I suggest you re-read David Wagner's posts. You have no
proof, but you think your modification should improve
security. We therefore evaluate it among many other
techniques which seem to improve security.
[...]
>The mention of Ciphile Software was apparently meant as an
>insult, but it's entirely irrelevant.
It was relevant to what you wrote. You acted like the
burden rested upon others to disprove the security of your
scheme. Not so: it was you who insisted that the topic was
provable security. Not-so-far-disproven security is
commonplace and easily attained.
--Bryan
------------------------------
From: [EMAIL PROTECTED] (Joe H. Acker)
Subject: Re: qrpff-New DVD decryption code
Date: Fri, 16 Mar 2001 11:09:29 +0100
Matthias Bruestle <[EMAIL PROTECTED]> wrote:
> Mahlzeit
>
>
> Joe H. Acker ([EMAIL PROTECTED]) wrote:
> > Matthias Bruestle <[EMAIL PROTECTED]> wrote:
> > > Douglas A. Gwyn ([EMAIL PROTECTED]) wrote:
> > > > Matthias Bruestle wrote:
>
> > > How do you define moral or ethics? If it is what most people do,
> > > then copying of music is probably not theft.
>
> > My God! It is *of course NOT* what most people do! As a German like you,
> > I hate to bring this example, but do you believe that in the 3rd Reich
> > in Nazi Germany what most people did was moral or ethical behavior?
> > Certainly not! What the majority does or thinks can never be taken as an
> > argument for or against moral judgements.
>
> Probably most people in Nazi Germany thought it was ethical and probably
> most people outside thought it was not ethical. Most people probably think
> now, that sex before marriage is ethical, but this was certainly not
> always so. Who is right and who is wrong and why?
In the case of Nazi Germany, I can definitely assure you that they were
wrong, because they did not even respect fundamental human rights. I
don't believe that you are unsure about that, but if in doubt, try to
apply Kant's categorical imperative.
> > > If a minority is
> > > enough to define morals/ethics, which minority will that be?
>
> > Morals/ethics are not defined, they are found and explored.
>
> By whom?
By anyone who has the will to explore ethical questions. The purpose of
ethics is not to make people good or happy, it is only intended as a
help for people who want to be good but don't know how.
> > Look, it's not a good base for laws or ethics, but in this case even
> > your own moral judgement might help: If you invent something ingenious
> > that would make you rich (say, an unbreakable cipher or the best
> > pop-song ever), and if somebody takes it away from you. Wouldn't you
> > think that this is theft?
>
> "Intellectual Property" (which is a rather broad area to be named with
> a single term) can not really be taken away. If you find a suitcase
> on the street, you wonder "whose suitcase is this?" If you have an idea
> while showering, you most certainly do not ask yourself "do I steal someone's
> intellectual property by using my idea?"
>
> > I don't know what your profession is, but if you would work as a book
> > author, journalist, photographer, artist or the like, you certainly
> > would not claim that it's okay to steal your work and spread it for
> > free.
>
> If I get paid to write software or articles the person who paid me
> can decide what to do with it and I'm happy, if he decides to spread it
> for free. If I do not get paid for writing a piece of software or an
> article it is free software/text and I allow other people to get rich
> with it by placing it under BSD2 license.
>
> > Nobody arrests a student who copies a book he has taken out of a
> > library, because it is so expensive.
>
> If he only copies parts of it, it is not even illegal.
>
> > Digital copy protection does not work and just gets on the nerves of
> > honest buyers, that's why its bad.
>
> And because it makes it impossible to do things people are allowed to do.
>
> > Not because everybody should steal
> > the work of artists and other creatives who most often have a hard
> > enough time to make a living anyway.
>
> And not every copying is stealing. If I buy an Audio CD-R of which
> I think about US$ 1 goes to the music industry, and copy music of
> this industry onto it, do you think this is stealing? If the music
> industry makes it impossible to copy music onto this CD-R, do you think
> this is stealing?
>
> > Okay, enough OT talk.
>
> Ok. Last posting from me.
>
>
> Mahlzeit
>
> endergone Zwiebeltuete
>
> --
> PGP: SIG:C379A331 ENC:F47FA83D I LOVE MY PDP-11/34A, M70 and MicroVAXII!
------------------------------
From: [EMAIL PROTECTED] (Joe H. Acker)
Subject: Re: qrpff-New DVD decryption code
Date: Fri, 16 Mar 2001 11:09:30 +0100
Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> Joe H. Acker wrote:
> >
> > Matthias Bruestle <[EMAIL PROTECTED]> wrote:
> >
> > > Mahlzeit
> > >
> > >
> > > Douglas A. Gwyn ([EMAIL PROTECTED]) wrote:
> > > > Matthias Bruestle wrote:
> > > > > It is theft if the legal system thinks it is theft.
> > >
> > > > Theft is a moral/ethical concept, logically prior to legality.
> > >
> > > How do you define moral or ethics? If it is what most people do,
> > > then copying of music is probably not theft.
> >
> > My God! It is *of course NOT* what most people do! As a German like
> > you, I hate to bring this example, but do you believe that in the 3rd
> > Reich in Nazi Germany what most people did was moral or ethical
> > behavior? Certainly not! What the majority does or thinks can never be
> > taken as an argument for or against moral judgements.
>
> The problem with bringing up Nazis, is that *they* didn't believe that
> what they did was unethical or immoral. In fact, if you were to accept
> one single premise -- that anyone who isn't a male aryan isn't a person
> -- you would consider everything they did to be perfectly reasonable.
> Further, and possibly more importantly wrt your argument, the way they
> acted towards those who they *did* consider persons, was as moral and as
> ethical as you or I would act towards each other. The only thing that
> made them evil was their perception and treatment of non-aryans as
> non-persons.
No, you're wrong in several ways. First, the single premise you mention
does not morally justify any actions. There is no way to derive moral
judgements from observation of nature. That's a logical fallacy
("naturalistic fallacy"). Second, even if you consider the naturalistic
fallacy to be a correct reasoning, their premise was wrong, so it
doesn't justify any conclusions at all. Third, they didn't act morally
or ethically correct to other people they considered to be persons. And
lastly, whether someone believes something is unethical or not does
not decide whether it's unethical or not (that would be a categorical
mistake).
It was my fault to bring up that example, I should have chosen one that
is less emotionally heated. Nevertheless, what some of the replies to my
post (not yours) seem to indicate is a certain confusion about what
ethics and morals are for. The purpose of ethics is not to make people act
morally right, but to explain to people *how* to do it when they *want*
to act morally right and are in doubt.
Some of the answers to my post bring up a very old topic. The replies
basically have repeated an argument of the Sophists against Socrates
some 2500 years ago. I don't think it's very useful to bring up the next
2500 years of discussion about those arguments in sci.crypt. So perhaps
just one quick note: If the majority of people decided what's right or
wrong, then you couldn't even morally judge actions of ancient regimes
or epochs. Which majority would count, the one we have nowadays or the
one then? Same reasoning applies to different cultures now, when you
compare and try to morally judge their actions (for example when one
country declares war against another country without apparent reason).
In brief, it is not even necessary to show why the majority is not the
base of any morals, it is enough to show that if you took the majority as
a base, the base would not be sufficient to make moral judgements at
all.
But I didn't want to bring up any general discussion about ethics
anyway. My point was rather that everyone has a sense for moral
judgements that is more or less developed. If somebody cannot recognize
a theft as a theft, then something went wrong in his education. I don't
believe that any of the posters in defence of spreading the work of
artists for free---artists that try to make a living--- does not feel
that it's wrong to do so. Perhaps it's easier for me to feel that
because some of my friends are artists and I know how hard it is for
them to make a living. (And no, conscience is not a sufficient base for
morals either, it should work in this case but doesn't work in general.)
Greetings,
Erich
------------------------------
From: "nospam"@"nonsuch.org" ("Bryan Olson")
Subject: Re: SSL secured servers and TEMPEST
Date: Fri, 16 Mar 2001 10:22:26 GMT
Frank Gerlach wrote:
[...]
>For each SSL session establishment [...] will *always* be the same
[...]
>The attacker could record the emanations for days or even weeks [...]
>then let the "square acres of signal processors" do sophisticated
>filtering on the recorded signal.
Well, a few thoughts:
The number of samples one needs is proportional to the
square of the noise/signal ratio. I'm not a signals expert,
but we should be able to attenuate the signal and add noise
to make collecting the samples intractable. (On the other
hand, Paul Kocher tells a power-analysis joke something like
"Give me your electric bills and eventually I can tell you
your private key.")
A hole in the shielding does not simply emanate in proportion
to its size. RF wavelengths through a fiber-size hole
should be diffraction limited to the point of uselessness.
The private key need not be the same every time; adding any
multiple of lambda = LCM(p-1, q-1) to d gives us an alternate
private key. This is a variant of Kocher's defense against
RSA timing attacks. We could keep a table of about 100
multiples of lambda. Every time we use the private d, we
choose one of the table entries, call it t[i]. If x<d, we
change d by adding in t[i], if d>x, we subtract t[i]. Then
we change t[i] by adding or subtracting some linear
combination of a few other table entries. No decryption
exponent or multiple of lambda gets used more than a few
times.
--Bryan
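The rotating-exponent idea in the post above, worked through as an added example (my code, not Bryan's): every exponent it hands out is d plus some multiple of lambda, so each private-key operation runs with a different exponent yet still decrypts correctly. The toy primes, the table size and the threshold x (which the post leaves undefined) are assumptions made here.

```python
import math
import random

# Constructed toy primes; a real key uses primes of hundreds of digits.
P, Q = 1009, 1013
N = P * Q
E = 65537
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
D = pow(E, -1, LAMBDA)                                 # the usual private exponent


class RotatingExponent:
    """Holds a table of multiples of lambda and, on every private-key use,
    moves the working exponent by one table entry, then refreshes that entry
    with a combination of other entries so the same multiple is rarely reused."""

    def __init__(self, d, lam, table_size=100, seed=1):
        self.rng = random.Random(seed)
        self.lam = lam
        self.d = d
        # Every entry is a multiple of lambda, so adding or subtracting one
        # leaves d congruent to the original exponent mod lambda.
        self.t = [lam * self.rng.randrange(1, 1 << 20) for _ in range(table_size)]
        # The post's threshold x is undefined; assumed here to be a bound that
        # keeps the working exponent from growing without limit.
        self.x = d + lam * (1 << 24)

    def next_exponent(self):
        i = self.rng.randrange(len(self.t))
        # Add below the threshold, subtract above it; never let d go non-positive.
        if self.d < self.x or self.d <= self.t[i]:
            self.d += self.t[i]
        else:
            self.d -= self.t[i]
        # Refresh t[i] with a linear combination of two other entries
        # (still a multiple of lambda, kept non-zero).
        j, k = self.rng.sample([m for m in range(len(self.t)) if m != i], 2)
        self.t[i] = abs(self.t[i] + self.t[j] - self.t[k]) or self.lam
        return self.d


def rsa_private(c, d_blind):
    """Private-key operation with whatever exponent the rotation hands out."""
    return pow(c, d_blind, N)


def check_rotation(uses=200, plaintext=123456):
    """Run `uses` private operations with rotating exponents and return
    (all decryptions correct, number of distinct exponents used)."""
    rot = RotatingExponent(D, LAMBDA)
    c = pow(plaintext, E, N)
    exps = [rot.next_exponent() for _ in range(uses)]
    ok = all(e > 0 and e % LAMBDA == D and rsa_private(c, e) == plaintext
             for e in exps)
    return ok, len(set(exps))


if __name__ == "__main__":
    print(check_rotation())
```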
------------------------------
From: Arturo <aquiranNO$[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: TV Licensing (Was: => FBI easily cracks encryption ...?)
Date: Fri, 16 Mar 2001 11:23:10 +0100
On Fri, 16 Mar 2001 00:37:06 GMT, [EMAIL PROTECTED] (Jim D)
wrote:
>On Thu, 08 Mar 2001 10:31:23 +0100, Arturo <aquiranNO$[EMAIL PROTECTED]> wrote:
>
>>(BTW, in Spain my children can watch Teletubbies for free. Add that to our
>>wonderful weather and good wine...)
>
>You call that plonk good wine.....?
I mean the wine we do not sell to foreign guys ...;-)
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************