Cryptography-Digest Digest #914, Volume #13 Fri, 16 Mar 01 09:13:01 EST
Contents:
Re: Text of Applied Cryptography .. do not feed the trolls (Limits of cryptography,
wandering away from on-topic for sci.crypt, almost completely off-topic for a.s.pgp)
("Joseph Ashwood")
Re: The Art of Cryptography (was: Super strong crypto) (John Savard)
Re: Super strong crypto (SCOTT19U.ZIP_GUY)
Re: Encryption software (Joe H. Acker)
Re: Encryption software (SCOTT19U.ZIP_GUY)
Re: Zero Knowledge Proof (SCOTT19U.ZIP_GUY)
Re: Algebraic 1024-bit block cipher (Benjamin Goldberg)
Re: GPS and cryptography ("Joseph Ashwood")
Re: GPS and cryptography ("Joseph Ashwood")
----------------------------------------------------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Text of Applied Cryptography .. do not feed the trolls (Limits of
cryptography, wandering away from on-topic for sci.crypt, almost completely off-topic
for a.s.pgp)
Date: Mon, 12 Mar 2001 16:01:06 -0800
Crossposted-To: alt.security.pgp,talk.politics.crypto
[this conversation has gone beyond the realistic realm of sci.crypt, and I
believe is completely removed from alt.security.pgp, maybe we should
consider removing them??? with that said, I'm still posting to all three]
"Sundial Services" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Lots of books and manuals -do- benefit from being published in PDF
> format, or otherwise.
I agree there are certain documents that are most useful to distribute in
<insert your favorite document format>, most documentation for a computer
should be kept on the computer (very much like man pages) but it's often
useful to have a page number to refer to (at least for now) and many
document forms do not address this. I do not see any reason to publish all
documents this way though. I think sitting and reading Shakespeare would
lose an awful lot if it was read on a computer tablet. That's just one
example, and happens to be the reason I own a (physical) copy of a large
number of Shakespearean texts. So I think there will always be some market
for the physical books. Now a Gibson book would seem right to read on a
tablet, it helps the theme far more than paper. I think we need to view the
choice of paper/bits as something other than just new technology replacing
old. Very similar to this is the choice of black and white film or color.
Although color is certainly the more advanced technology, black and white is
perfect for certain pictures.
> Ironically, "the piece that is not yet in place" is specifically "the
> intellectual property control piece!" And equally unfortunate, Napster
> has only served to demonstrate just how valuable that piece really is.
> Music artists around the world -- and I personally know several of them
> for whatever that might be worth -- are on the one hand delighted that
> their works are getting distribution that record companies could never
> give them .. and despairing that in the present status-quo they will not
> see a dime. In time, and I think it will be "a very short" time, that
> problem too will be remedied. By cryptography!
I disagree, cryptography cannot solve this problem. Restated, this problem is
to prevent me from making something that I control absolutely from obeying
my commands. Cryptography cannot solve this problem. Instead what needs to
be addressed is the commands that I will give my computer. Currently the
general populace is willing to happily accept copies of <your choice of
media> for free, without expecting that they should give back what they can.
That is the fundamental problem. To make this work we need to do one of
several things (expressed in terms of music): move to subscription based
models (e.g. you pay $X/month to Napster Clone #478 and they give you
unlimited access to all the music), enforcement models (the record labels
get a forced stipend from every person, by law; alternately Napster Clone
#479 pays fees to the record labels for each song we download), or go back
to the level of integrity where we demand of ourselves that if we enjoy a
song we give the record label/artist money for it. The problem with these
models is they violate so many Americans' belief that "Land of the Free"
means that they are entitled to a life of luxury and should never have to
expend money, so many believe that we shouldn't have to pay taxes
(<sarcasm>but god forbid we reduce government or worse the
military</sarcasm>). And so we once again run into the limits of
cryptography: yes it can protect information, but if Alice tells Bob
something, Bob can always post it to a message board.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: The Art of Cryptography (was: Super strong crypto)
Date: Fri, 16 Mar 2001 12:59:12 GMT
On Fri, 16 Mar 2001 10:39:19 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:
>Could your scheme be globally characterized as consisting
>of a fairly complex (hence difficult to analyze) PRNG that
>generates dynamically the keys for block encryption? Thanks.
Well, it generates, based on a session key as input, the key for one
phase of segment encryption - XORing a quantity with the whole message
segment - and also data used to modify the keys for the block ciphers
used in the other phases.
But it's not a PRNG, at least not a conventional one, since instead of
generating its output one block at a time, it takes the long shared
key, and encrypts it (as well as, in a limited sense, hashing it) to
generate all the data used to XOR with the message segment.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Super strong crypto
Date: 16 Mar 2001 12:59:27 GMT
[EMAIL PROTECTED] (John Savard) wrote in
<[EMAIL PROTECTED]>:
>On 23 Feb 2001 04:18:34 GMT, [EMAIL PROTECTED] (David Wagner)
>wrote, in part:
>
>>After all, when Biham and Shamir wrote about differential cryptanalysis
>>of DES, they also noted that even changing the key very frequently does
>>not add much security against their attack. See ``Differential
>>cryptanalysis of the full 16-round DES'', where they say that even if
>>you change keys once every 2^14 blocks, the attacker can still recover
>>his first key after 2^47 chosen plaintexts (the same as if the key had
>>never changed). This means that, if we instantiated Gwyn's proposal
>>with DES and with key changes every 2^14 blocks, Gwyn's proposal
>>wouldn't provide any improvement in security against differential
>>cryptanalysis.
>
>This certainly is an interesting and relevant result.
>
>For changing keys once every 2^14 blocks, and yet being able to make
>use of 2^47 chosen plaintexts, presumably (except for the unicity
>distance) something like Gwyn's proposal was used, and so that means
>it is possible, at least for DES, to couple useful information through
>the key schedule.
>
If this result is true it would have to be a strong function of what
type of chaining. Let's assume it's for CBC mode. If true then an easy
fix would be this. Since it takes, if true, 2**47 chosen plaintexts
(I guess they mean blocks) for a single unchanging setup, and if
changing the key every 2**14 is not enough to prevent this particular
type of break, chaining the key and IV would prevent the break. Since
if it did not, you could look at one message 2**14 blocks long then
use a phony message of your choice with a different key for the rest of
the messages, which would actually mean that if a break still existed
you have just reduced the number of blocks to 2**14, which contradicts
the 2**47 being needed.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: [EMAIL PROTECTED] (Joe H. Acker)
Subject: Re: Encryption software
Date: Fri, 16 Mar 2001 14:17:27 +0100
Joseph Ashwood <[EMAIL PROTECTED]> wrote:
> I believe we have a fundamental disagreement about one of your examples.
>
> "Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
> news:98fu0s$7sb$[EMAIL PROTECTED]...
> > PGP is vulnerable to MITM attacks
>
> Is a blatantly false statement.
>
> > in so far that
> > you usually can't be sure that the public keys you have are authentic.
>
> Completely incorrect. It's a chain of trust model, if you are going to
> insist on spouting incorrect knowledge at least spout it where no one cares.
> I know my key is authentic, I verify a certain subset of other keys as
> authentic (either through in person verification a la Cipherpunks meeting, or
> through some other established trust), and I build a trust relationship with
> them, the individuals behind those keys perform the same trust building with
> others.
But the problem is that a chain of trust model does not work, because
trust is not a transitive relation. However, I don't think this is a PGP
flaw because it doesn't force anyone to adopt a transitive view of
trust---that's up to the user.
> > For
> > example, the owner of the SMTP/POP server you are using might in theory
> > replace all PGP keys included in e-mail passing through your account and
> > thereby be able to decrypt/read/encrypt each encrypted e-mail sent later
> on.
>
> Wrong again. No entity (of believed strength) can remove the encryption
> supplied by PGP (and its variants) without knowledge of the private key. I
> refer to the above for trust in the private key.
I suppose that Henrick Hellström was referring to the fact that MITM is
possible when Mallory has complete control over the channel used for
initial public key distribution and over the message channel. Isn't that
correct? But again, I don't know a protocol that would make
communication secure in such an evil environment...or is there?
I have another problem with PGP: I once forgot my passphrase for a
non-expiring key and didn't make a key revocation certificate, which
means that there will now be two keys (the new one and the old one)
forever on the keyserver, but I can only decrypt for one. That's really
bad... and I think this can happen to many inexperienced PGP
users. Wouldn't it be possible to require regular confirmation of key
expiry or not, instead of no expiry at all or fixed expiry? That way, if
somebody lost his passphrase to a private key, he could not confirm "no
don't expire this public key" and so the public key would expire
automatically.
Regards,
Erich
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Encryption software
Date: 16 Mar 2001 13:10:56 GMT
[EMAIL PROTECTED] (Joseph Ashwood) wrote in <#gHECd0qAHA.341@cpmsnbbsa09>:
>I believe we have a fundamental disagreement about one of your examples.
>
>"Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
>news:98fu0s$7sb$[EMAIL PROTECTED]...
>> PGP is vulnerable to MITM attacks
>
>Is a blatantly false statement.
>
>> in so far that
>> you usually can't be sure that the public keys you have are authentic.
>
>Completely incorrect. It's a chain of trust model, if you are going to
>insist on spouting incorrect knowledge at least spout it where no one
>cares. I know my key is authentic, I verify a certain subset of other
>keys as authentic (either through in person verification a la Cipherpunks
>meeting, or through some other established trust), and I build a trust
>relationship with them, the individuals behind those keys perform the
>same trust building with others.
>
What makes you believe the person you meet at the Cipherpunks meeting
is who he says he is. He may claim to be Jack. But you don't know Jack.
At the same time, at the same or a different meeting, he could meet the real
Jack and say he is you. The point is one or two meetings are not enough
to really know if the person is who he says he is.
David A. Scott
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Zero Knowledge Proof
Date: 16 Mar 2001 13:28:35 GMT
[EMAIL PROTECTED] (Joseph Ashwood) wrote in <OAWmbs0qAHA.341@cpmsnbbsa09>:
>I think this another one of those situations where you are not as
>knowledgable as you think.
>
I think I qualified that what I was more familiar with was so
called key changes using "zero knowledge methods". But
like I stated and will state again for your entertainment,
I know Jack about "zero knowledge proof", which is different
than the area of what I have read that are called zero knowledge
methods of key exchange for public key encryption.
>A zero knowledge proof is not for the transfer of secrets. They come in
>two general flavors. First, the kind where you prove you both have
>knowledge of some secret, but you prove knowledge of that secret in such
>a way that you don't reveal the secret. A simple (flawed) example of
>this is the following: A->B: The challenge is C1
>B->A: The challenge is C2
>B->A: The hash of hash(C1 | secret) is H1
>A->B: The hash of hash(C2 | secret) is H2
>Both have proven knowledge of the secret provided that hash() is strong
>enough for the data, and a few other caveats (like it's subject to
>MITM).
>
>The second kind is public agreement of a shared secret. This is
>generally only considered a zk proof only because it uses the first to
>verify that the secret really is shared (see SRP for one example).
>
>While an attacker may guess as the secret and quickly verify it (e.g.
>having knowledge of the secret, C1, and H1 permits quick verification)
>the knowledge provided is insufficient to determine what the secret is,
>only to verify a guess. This is in very sharp contrast to your claim
>that Scott19u is superior for this purpose. If an encryption algorithm
I am not sure what you're pointing at as Scott19u being superior for
this purpose. Unless you're talking about my last contest where "long" file
A was encrypted to file B with given Key C. My code was far superior
than any of the AES where the problem was you are also "told" there is
a file D which only differs from A in a few characters near the middle.
I don't supply D but give most of E which is D encrypted with the
given key. Only a few bytes are left unknown at the end of E.
The problem was to find those bytes or the small set of changes in
file D. This could not be done with any of the common ciphers in
the AES runoff with any of the current FIPS 3 letter joke modes of chaining.
Is the above what you're referring to? If not, please elaborate. If
so it had nothing to do with a zkp. It was to show an example of
where the proposed methods are weak as they currently stand. Of
course if someone has guts maybe they will allow a "wrapped PCBC"
mode for AES where one can use 3 passes with 3 different keys so that we
could have a decent encryption mode where if even one bit of
cipher text is lost or changed no block could be decrypted until
it's all correct. But then that would give trouble to the NSA to
break so I won't hold my breath for very long.
>of any kind is used for this the information is transmitted that permits
>not just guesses to be verified (which is debatable depending on the
>protocol), but the information is supplied where it is possible to
>recover the secret from the transmission. Additionally true zkp's have
>the quality that if B does not know the secret, that secret will remain
>unknown to B, if a secret is encrypted proving the secret would be the
>decryption, which would reveal the secret.
> Joe
>
>
>
David A. Scott
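The four-message exchange Joe quotes above, written out as an added example (not code from either poster): both sides answer the other's challenge with hash(hash(C | secret)), and the same transcript that lets A and B check each other also lets anyone holding C1 and H1 confirm or refute a guessed secret in one hash, which is the caveat the post raises. The hash function is unspecified in the post; SHA-256 and 16-byte random challenges are assumed here.

```python
import hashlib
import hmac
import secrets as _secrets


def h(data: bytes) -> bytes:
    # hash() in the post is unspecified; SHA-256 is an assumption of this example
    return hashlib.sha256(data).digest()


def respond(challenge: bytes, secret: bytes) -> bytes:
    # "The hash of hash(C | secret)": double hash of challenge || secret
    return h(h(challenge + secret))


def run_exchange(secret_a: bytes, secret_b: bytes):
    """Run A<->B as quoted; returns (transcript, A accepts B, B accepts A)."""
    c1 = _secrets.token_bytes(16)              # A->B: the challenge is C1
    c2 = _secrets.token_bytes(16)              # B->A: the challenge is C2
    h1 = respond(c1, secret_b)                 # B->A: hash of hash(C1 | secret) is H1
    h2 = respond(c2, secret_a)                 # A->B: hash of hash(C2 | secret) is H2
    # Each side recomputes the other's answer with its own copy of the secret.
    a_accepts = hmac.compare_digest(h1, respond(c1, secret_a))
    b_accepts = hmac.compare_digest(h2, respond(c2, secret_b))
    transcript = {"C1": c1, "C2": c2, "H1": h1, "H2": h2}
    return transcript, a_accepts, b_accepts


def transcript_verifies_guess(transcript: dict, guess: bytes) -> bool:
    """The caveat from the post: the transcript never contains the secret, but
    C1 and H1 together let an observer test a candidate secret offline. This is
    why a low-entropy secret (a password) is unsafe in this scheme, and why
    SRP-style protocols are designed so the transcript does not act as an oracle."""
    return hmac.compare_digest(respond(transcript["C1"], guess), transcript["H1"])


if __name__ == "__main__":
    shared = b"constructed shared secret"
    t, a_ok, b_ok = run_exchange(shared, shared)
    print("mutual proof succeeded:", a_ok and b_ok)
    print("observer can confirm a correct guess:", transcript_verifies_guess(t, shared))
```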
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Crossposted-To:
alt.computer.security,alt.security,alt.security.pgp,comp.security.misc,de.comp.security.firewall,de.comp.security.misc
Subject: Re: Algebraic 1024-bit block cipher
Date: Fri, 16 Mar 2001 13:42:04 GMT
Alexander Ernst wrote:
>
> An objective of this cipher is to use
> pure finite group algebra for encryption and decryption.
> In this design we do not use permutations or XOR
> operations.
Any block cipher is a permutation.
Also, looking through your source code, I see the comment:
R(a,b)=0 if a+b<65536
R(a,b)=1 if a+b>65535
a*b=a+b-R(a,b)65536
Let P be a permutation then
a*b=p^-1(p(a)+p(b)-R(p(a),p(b))65536)
How can you possibly claim not to use permutations?
> Performance of this implementation is
> approximately 4,8 Mbyte/sec.
On what type of computer? How fast does an optimized AES implementation
run on the machine you're testing on? A number means nothing without
something to compare it to.
> Measured avalanche effect is 49,7%.
Not 50%? I would probably consider your cipher broken. Any measurable
bias can be considered a break in the cipher.
> Block size is 1024 bit or 128 bytes.
Why that particular size? Aren't disk blocks usually 512 bits?
Wouldn't that make more sense?
> Secret key length is 256 bytes.
What the heck do you need with 2048 bits of entropy? Not competent
enough to think of a good key schedule?
> We use finite group of the order 65536.
What do you mean by this? I would ask if you use GF(2^16), except
that's a field, not a group. If you use a shuffled array of 65536
elements, then you're being phenomenally wasteful of memory.
> Elements of the group are words (2 bytes).
Duh. If you managed to write a 16 bit value in less than 2 bytes, I
would be amazed. If you had to write it in more than 2 bytes, I would
be disgusted.
> So we call this word architecture.
Most machines have 32 bit (4 byte) words. Seems to me you would want to
call it half-word architecture.
> 128 byte block consists of 64 words.
Are you accusing us of not being able to calculate 128/2 = 64?
I'm insulted.
> Each word is considered to be an element of group of order 65536.
Didn't you already say this?
> In our implementation we use two round approach.
Is two rounds sufficient to prevent against meet-in-the-middle attacks?
> Two groups Group1 and Group2 are derived from the
> secret key.
If they weren't derived from the key, then you would have a fixed
transformation. Stating the obvious like this lowers our perception of
your intelligence.
> A plain text block is encrypted first using Group1 and then using
> Group2.
How do you encrypt a block (1024 bit block) with a group (order 2^16)?
> Cipher block is decrypted first using Group2 and then using Group1.
This should be obvious even to the phenomenally stupid.
> Delphi source code and description in pdf are
> available for download at www.alex-encryption.de.
The implementation is in asm, with delphi as a wrapper.
Do you expect anyone to analyse your code without you giving it in clear
and concise pseudocode? Also, none of us here are gullible or stupid
enough to download untrustworthy binaries off of the web and run them,
so why do you include executables in your .zip file?
> Please, follow the link for algebraic cipher
> at the end of download list.
The cipher you have on your page which you call AES is NOT the Advanced
Encryption Standard. Do you even know what a "standard" is?
Also, does anyone besides yourself use any of your programs? I mean,
crypto is not trusted without analysis, and nothing about any of the
stuff on your page promotes any confidence in its quality.
--
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
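The algebra Benjamin picks out of the source comment, as an added example (not Alexander Ernst's code or the cipher's own key schedule): a*b = a + b - R(a,b)*65536 is addition modulo 2^16, and composing it with a key-derived permutation p, as his reply writes it, gives a group isomorphic to Z/65536 in which multiplying by any fixed element still permutes all 65536 words. The Fisher-Yates shuffle driven by a SHA-256 counter is a constructed stand-in for however the real cipher derives Group1 and Group2 from the key.

```python
import hashlib
import random

MOD = 65536  # order of the group quoted in the thread


def r(a: int, b: int) -> int:
    # R(a,b) from the quoted source comment: the carry out of a 16-bit addition
    return 1 if a + b > 65535 else 0


def star(a: int, b: int) -> int:
    # a*b = a + b - R(a,b)*65536, which is just (a + b) mod 2^16
    return a + b - r(a, b) * MOD


def key_permutation(key: bytes):
    """Constructed key schedule (assumption): Fisher-Yates over 0..65535 fed by
    SHA-256(key || counter). Returns p and its inverse as lookup tables.
    Modulo bias in the index draw is ignored for this illustration."""
    p = list(range(MOD))
    stream, ctr = b"", 0
    for i in range(MOD - 1, 0, -1):
        if len(stream) < 4:
            stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        j = int.from_bytes(stream[:4], "big") % (i + 1)
        stream = stream[4:]
        p[i], p[j] = p[j], p[i]
    pinv = [0] * MOD
    for x, y in enumerate(p):
        pinv[y] = x
    return p, pinv


def conj(a: int, b: int, p, pinv) -> int:
    # Benjamin's rewriting: a*b = p^-1(p(a) + p(b) - R(p(a),p(b))*65536)
    return pinv[star(p[a], p[b])]


def identity(pinv) -> int:
    return pinv[0]                      # e = p^-1(0)


def inverse(a: int, p, pinv) -> int:
    return pinv[(-p[a]) % MOD]          # a^-1 = p^-1(-p(a) mod 2^16)


def is_group_relabelling(p, pinv, samples: int = 200) -> bool:
    """Spot-check identity, inverses and associativity, then confirm that left
    multiplication by a fixed element hits every word exactly once, i.e. the
    key-dependent group operation is itself a permutation of the 65536 words."""
    rng = random.Random(1)
    e = identity(pinv)
    for _ in range(samples):
        a, b, c = (rng.randrange(MOD) for _ in range(3))
        if conj(a, e, p, pinv) != a or conj(a, inverse(a, p, pinv), p, pinv) != e:
            return False
        if conj(conj(a, b, p, pinv), c, p, pinv) != conj(a, conj(b, c, p, pinv), p, pinv):
            return False
    a = rng.randrange(MOD)
    return len({conj(a, x, p, pinv) for x in range(MOD)}) == MOD
```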
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: GPS and cryptography
Date: Mon, 12 Mar 2001 18:14:22 -0800
Not very good. You would not get the actual effect of only being able to read the
message from a specific location on earth, all you could do is use it to key
a cipher. That is an important observation because if you look at GPS, it is
effectively 360 degrees, plus a few places of precision for each of two
directions. Just to make things concrete, and use a planet large and more
useful for this than earth, assume a perfect sphere of circumference
2^32 units, and a precision down to 2^-8 units. This is vastly better
cryptographically than the earth, and it still fails for one very specific
reason. In each direction there are 2^40 possible locations, this leads to
only 2^80 security. 2^80 is the absolute minimum that is tolerable for
security. Because this planetary GPS system is larger than that of earth it
is safe to say that such a thing is not useful.
There are several additional concerns, a person's general location on the
planet is fairly common knowledge, for example there is no secret that I am
in the Silicon Valley, in California, so there's only maybe 16-bits worth of
variation to find my key under that system. I'm sure that similar statements
could be made about you by someone who was interested in reading your
e-mail.
Joe
"br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> What do you think about using Global Positioning System (GPS) as key to
> encryption?
> You can read a message only if your computer is in a pre-defined area or
> point on the earth.
> I'm waiting for comments
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: GPS and cryptography
Date: Mon, 12 Mar 2001 18:16:42 -0800
It's far from impossible. You are depending on a piece of equipment in my
possession. Let's just go there "I have a degree in Electrical Engineering
and I'm not afraid to use it"
Joe
"br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> It's impossible.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************