Cryptography-Digest Digest #919, Volume #13 Fri, 16 Mar 01 16:13:01 EST
Contents:
Re: SSL secured servers and TEMPEST (Steve Portly)
Re: GPS and cryptography (Tony L. Svanstrom)
Re: NTRU - any opinions (Robert Harley)
Re: What do we mean when we say a cipher is broken? (Was Art of Cryptography)
(wtshaw)
Re: One-time Pad really unbreakable? (Tim Tyler)
Re: Potential of machine translation techniques? ("Henrick Hellström")
Re: Q: IP ("Dr. Yongge Wang")
Re: What do we mean when we say a cipher is broken? (Was Art of (Mok-Kong Shen)
Re: What do we mean when we say a cipher is broken? (Was Art of Cryptography)
(wtshaw)
Re: Random and RSA (br)
Re: Q: IP ("Henrick Hellström")
Re: One-time Pad really unbreakable? (Mok-Kong Shen)
Re: Factoring RSA ("Dann Corbit")
Re: NTRU - any opinions (DJohn37050)
----------------------------------------------------------------------------
From: Steve Portly <[EMAIL PROTECTED]>
Subject: Re: SSL secured servers and TEMPEST
Date: Fri, 16 Mar 2001 14:41:55 -0500
Frank Gerlach wrote:
> >
> >
> > Analog media, like tape may be possible - are there any media that can store
> > 2Ghz of bandwidth.
>
> My calculation was as follows: a video signal has about 5 MHz of bandwidth. Just
> split that 2 GHz signal into 2000/5=400 5 MHz bands, transform them into the
> 0..5 MHz base band and then you "just" need 400 VCRs to store the signal. If you
> strip a VCR (Video Cassette Recorder) of all unnecessary stuff and mount it in
> racks, those 400 VCRs should fit into a 32 metric ton truck trailer. Of course,
> there must be a very precise phase signal recorded on every tape and the motors
> should be high quality to assure low phase jitter.
> Have two trucks, one is monitoring, while the other is loading fresh tapes in a
> safe location.
> After some days of monitoring you airlift the tapes with a C-141 to wherever
> your acres of processing power are.
In terms of threat assessment isn't there another level of threat? My threat is not
from the NSA or the FBI since I don't break the law. My concerns lie more along the
lines of street hackers and private investigators. I think there are some common
sense things you can do to protect your privacy and intellectual property. One of
the first things everybody warns newbies to do in order to reduce their emissions
is make sure the equipment is properly grounded. With a rudimentary receiver I was
able to isolate the frequency of my keyboard and found that keystrokes are quite
easy to capture. Further testing showed that although grounding prevents shock and
equipment damage, household wiring has far too high a resistance to make any
difference in emissions. Since the keyboard emanations are outside the case they
would be one of the most likely targets of an amateur snoop. Also since the
keyboard operates off a rather long interrupt it would be relatively easy to isolate
using slightly more sophisticated equipment. Rather than go to the expense of
properly filtering and grounding my desktop computer (which could be quite costly) I
found it easier to just use a lower emissions portable computer for confidential
material. With just a little work you can apply some non invasive faraday shielding
to a smaller unit and reduce the native emissions by 20 decibels or so. The faraday
shielding turns the unit into a capacitor that pulses at a fixed lower frequency.
Since most of the energy is discharged in the fixed pulse, less of the readable
frequency is available to the snoop. There are plenty of public resources available
about this topic so I won't go into detail. The bottom line is if you are limited
on funds as I am, you can still get a surprising amount of emissions reduction on
your own.
------------------------------
Subject: Re: GPS and cryptography
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Fri, 16 Mar 2001 19:47:25 GMT
br <[EMAIL PROTECTED]> wrote:
> The Gps is used as a condition to read the message.
> Suppose that you have a key to open my kitchen and you don't have
> access to my house.
> GPS is the key of the house.
No, I just look at a map, take the numbers and feed them into [software]
instead of letting it take it from a receiver.
> Everyone know the hashing function of your position. Is a public key.
That you won't be able to explain in a valid crypto-way.
> The software when receiving a crypted message destroy it if the position
> is different and allow it if it matches.
1) the message could be read on its way to the software and then fed to
the program as many times as you want to.
2) the program could be taken apart and rewritten, leaving out the
destroy-part.
> So the software has to be hard to break.
Impossible; if it can be executed people can find out how it works.
/Tony
------------------------------
From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: NTRU - any opinions
Date: 16 Mar 2001 20:39:44 +0100
Benjamin Goldberg <[EMAIL PROTECTED]> writes:
> DJohn37050 wrote:
> > ECC is very suited to constrained environments, having short keys and
> > sigs and simple key gen. [...]
> ECC keygen is fast, but only if you already have a curve selected. If
> you need to generate a curve, too, then it's damn slow.
I have recently written a very fast implementation of a new method for
counting points on random elliptic curves, which is 4 to 5 times
faster (and uses much less memory) than the recent Satoh-FGH algorithm
which was already a lot faster than previous methods.
A year or two ago, Johnson and Menezes wrote that generating a secure
random elliptic curve was a "complicated and cumbersome task"
requiring "a few hours on a workstation" for 200 bits.
It now takes me 10 seconds.
Generating a 113-bit curve for short-term security e.g., for
key-exchange in the WAP standard, takes 8 seconds with just a
StrongARM chip and 36 K of RAM.
Regards,
Rob.
.-. [EMAIL PROTECTED] .-.
`-' http://www.xent.com/~harley/Top.html `-'
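The step Goldberg and Harley are discussing, as an added example (not Harley's implementation): a random curve y^2 = x^3 + a*x + b over F_p is only usable once #E(F_p) is known, checked against the Hasse bound and tested for primality so the group has no small subgroups. The count below is the naive O(p) Legendre-symbol sum, fine for p around 10^4 and hopeless at 200 bits, which is exactly why Schoof/SEA and Satoh-type algorithms, and the faster method Harley describes, exist. The field size 10007 and the seed are constructed for the demonstration.

```python
"""Curve generation needs point counting: a naive count for tiny fields.

Added example, not Harley's code. The O(p) Legendre-symbol count below is
fine for p around 10^4 and hopeless at 200 bits, which is exactly why
Schoof/SEA/Satoh-type algorithms exist.
"""
import random


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: 0, 1 or -1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b, including the point at infinity.

    Each x contributes 1 + (f(x)/p) affine points, so the total is
    p + 1 + sum_x (f(x)/p)."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))


def within_hasse(n, p):
    """Hasse: |#E - (p + 1)| <= 2*sqrt(p), checked in exact integers."""
    return (n - (p + 1)) ** 2 <= 4 * p


def is_probable_prime(n):
    """Miller-Rabin with the first 12 primes as bases (deterministic below 3.3e24)."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for q in bases:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_prime_order_curve(p, rng=None):
    """Draw random (a, b) until the group order is prime.

    Returns (a, b, order, curves_counted). Prime order rules out small
    subgroups, which is what 'secure random curve' means in the
    Johnson-Menezes remark quoted in the thread. The default seed is a
    constructed choice so the demo is reproducible."""
    rng = rng or random.Random(1)
    counted = 0
    while True:
        a, b = rng.randrange(p), rng.randrange(p)
        if (4 * a**3 + 27 * b**2) % p == 0:
            continue
        counted += 1
        n = count_points(a, b, p)
        assert within_hasse(n, p)
        if is_probable_prime(n):
            return a, b, n, counted


if __name__ == "__main__":
    print(count_points(2, 2, 17))            # textbook curve with 19 points
    print(find_prime_order_curve(10007))     # a random prime-order curve over F_10007
```

Roughly one curve in ln(p) has prime order, so the loop counts about ln(p) curves before it succeeds; at 200 bits that is a few hundred counts, each of which must come from a polynomial-time method rather than the O(p) sum used here.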
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What do we mean when we say a cipher is broken? (Was Art of Cryptography)
Date: Fri, 16 Mar 2001 13:42:32 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> John Savard wrote:
> > A cipher is broken when that cost is less than infinity.
>
....
> Very different definition; it is not a statement about the cipher but about the
> resources available. It ignores time. Cost is a function of where one is in
> time and also how much elapsed time to read the message. Cost is lower to
> recover the data slowly than to recover it quickly. Indeed this definition is
> so qualitatively different from the first as to make my point; i.e., the word
> has no agreed upon single meaning.
>
> Since statements about the security of an algorithm are statements about
> application and environment, value of the data and the threat, a cipher can be
> both "broken" and secure at the same time. Whether or not an adversary has
> the capability to do something is not nearly as important as whether or not
> they would. Long before one has exhausted the adversary's resources one has
> exhausted their motive.
>
> > A
> > cipher is *not* broken when the messages sent in it actually _cannot_
> > be read.
>
> And of course, you still have not addressed how much you are prepared to spend
> to achieve this. I am sure that you will settle for zero, a number no more
> likely than infinity.
>
The Shannon idea of unicity distance goes with the idea that cost is not a
factor; the solution cannot be bought with any amount of time or money
spent on usual analysis. A more important question to me is what ciphers
have a useful unicity distance, and how large are they.
--
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 16 Mar 2001 19:43:45 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Since http://people.ne.mediaone.net/davidelm/epr.htm, the work of
:> Caroline Thompson, etc, locality seems to have returned to physics,
:> and with it the viability of hidden variables.
:> http://www.physicsmyths.org.uk/#hidden has a concise explanation of
:> why the supposed demonstrations of the non-existence of hidden
:> variables were wrong.
: Unfortunately for your case, the cited work is not generally accepted
: by workers in quantum physics. It mischaracterizes the situation and
: offers no explanation for why phase matters. Meanwhile, developers
: of the "quantum entanglement" approach have made real contributions
: to better understanding these phenomena, unlike the people you cited.
I'm slightly surprised by this response - since I was under the impression
that you recognised that Bell's and Aspect's results relating to locality
had been revisited with differing results as far as locality goes.
The alternative physics and cosmology FAQ expresses the situation cleanly:
DO THE EPR/BELL INEQUALITY/ASPECT EXPERIMENTS PROVE ACTION AT A DISTANCE
OR FTL TRAVEL?
No. It is generally agreed that these experiments cannot be used to send
information FTL (faster than light) between the two detectors by
changing the angles of the polarisers. This admission clearly
demonstrates that there is no transfer of information at FTL and no
action at a distance. Everything else that is promoted in that regard is
just building mumbo-jumbo on a house of cards. A simple logical
explanation for the EPR results is that the probability of detection of
photons is proportional to COS^2 of the angle between the polariser and
the photons polarisation. Serious errors of sample selection are made in
the standard explanation. A comparison is made between two samples which
are biased by the selection mechanism and they are assumed to be the
same. For a detailed description of this explanation see David Elm's EPR
explanation and Caroline Thompson's EPR papers.
[http://homepages.kcbbs.gen.nz/af/alt-faq.htm]
Anyway, I would point out that my case in no way depends on locality.
Bohm's family of non-local hidden variables theories was never
thrown into question by the Bell and Aspect results in the first place.
The issue with detecting randomness in fundamental physics is much
the same as testing for randomness in crypto. You can use tests to
demonstrate that a stream is non-random, but you can never conclude
from tests that it is genuinely random.
Also, I would reiterate the point that I made at the start of this
debate, that whether you can get hold of demonstrably trustworthy OTP
data does not depend on the details of quantum physics - to repeat what
I said then, quantum physics is a red herring in this debate.
I cannot see why it is still under discussion.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Potential of machine translation techniques?
Date: Fri, 16 Mar 2001 21:07:43 +0100
"Richard Herring" <[EMAIL PROTECTED]> wrote in message
news:98qruc$a96$[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>, Mok-Kong Shen
([EMAIL PROTECTED]) wrote:
> EU languages form a very restricted subset of all natural
> languages. Apart from Finnish they are all either Germanic or
> Romance.
The Gaelic languages, spoken in Ireland (where Irish is an official
language), the Isle of Man and Scotland, are Celtic languages. Greek forms
its own subfamily of Indo-European languages. So there are at least three
non-Germanic, non-Romance official languages in the present 15 EU countries.
As far as I know all documents are also translated to the languages of the
two remaining EES countries (Norway and Iceland, Germanic languages), as
well as to the languages of the candidate countries, e.g. Estonia (related
to Finnish), Poland, the Czech Republic, Slovenia (Slavic languages),
Hungary (remotely related to Finnish) and Cyprus (Greek and Turkish, the
latter yet another non-Indo-European language).
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
------------------------------
From: "Dr. Yongge Wang" <[EMAIL PROTECTED]>
Subject: Re: Q: IP
Date: 16 Mar 2001 20:09:25 GMT
Mike Rosing <[EMAIL PROTECTED]> wrote:
: Mok-Kong Shen wrote:
:>
:> Probably a very dumb question: If I connect to the internet
:> via a provider, do I have a fixed (and always same) IP
:> assigned by my ISP? I heard that ISPs assign (or may assign)
:> dynamically variable IPs to their customers. Is that right
:> or wrong? Thanks.
: It's usually dynamic. That way the ISP only needs 20% as many
: ip numbers as it has customers. Most probably have as many ip
: numbers as they have modems so they can keep everyone who gets
: in happy.
It is not only dynamic; often you only get an internal IP address,
that is, one not recognizable by the outside world. The ISP gateway may
use NAT to translate your IP. Have a look at RFC 1631.
: Check your TCP/IP software. It should have a box checked for
: dynamic allocation.
: Patience, persistence, truth,
: Dr. mike
--
========================
Yongge Wang
http://cs.uwm.edu/~wang/
========================
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: What do we mean when we say a cipher is broken? (Was Art of
Date: Fri, 16 Mar 2001 21:07:57 +0100
wtshaw wrote:
>
> The Shannon idea of unicity distance goes with the idea that cost is not a
> factor; the solution cannot be bought with any amount of time or money
> spent on usual analysis. A more important question to me is what ciphers
> have a useful unicity distance, and how large are they.
> --
> Most [cryptographic] algorithms are based on assumptions which
> could turn out to be false. -- Ron Rivest
I am not sure that one needs to be an 'idealist', demanding
absolutely unbreakable ciphers for real-world applications.
If the cost of analysis is way beyond what the opponent can
afford (possible at all or economically justifiable),
doesn't that mean real and practical and entirely sensible
security for the user? BTW, I guess that the quote from
Rivest applies to ALL crypto algorithms in practice that
claim to be very strong.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What do we mean when we say a cipher is broken? (Was Art of Cryptography)
Date: Fri, 16 Mar 2001 13:51:50 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
> I say, "A cipher is clearly insecure when the cost of a cryptanalytic attack is
> lower than the value of success." I normally measure the cost of attack as work,
> access, indifference to detection, special knowledge, and time to detection and
> corrective action (WAIST). The value of success can be measured in dollars or
> alternative values such as vengeance.
>
> Because vengeance is hard to measure and crypto is cheap, I use it in such a way as
> to raise the cost of attack several orders of magnitude higher than the value of
> success.
>
But, measures of strength need not be subjective. An absolute scientific
statement that a one cipher can be more secure and have a longer unicity
distance than another can be an objective fact not based on the value of
the messages involved.
--
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest
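An added example, not from either of wtshaw's posts, for the unicity-distance point he makes here and in his earlier message: Shannon's estimate U = H(K)/D, with the usual textbook redundancy of English of about 3.2 bits per letter, beside a toy shift cipher and a small constructed word list that show what "the solution cannot be bought" looks like in practice. When more than one key yields meaningful text, no amount of analysis selects between them.

```python
"""Unicity distance, in theory and on a toy cipher.

Added example, not from the thread. U = H(K)/D uses the usual textbook
redundancy of English, about 3.2 bits per letter; the shift cipher and the
word list are constructed for the demonstration.
"""
import math

ENGLISH_REDUNDANCY = 3.2  # bits per letter: log2(26) minus ~1.5 bits/letter of entropy


def unicity_distance(key_entropy_bits, redundancy=ENGLISH_REDUNDANCY):
    """Shannon's estimate of the ciphertext length beyond which, on average,
    only one key yields meaningful plaintext."""
    return key_entropy_bits / redundancy


def shift_encrypt(pt, k):
    """Shift each lowercase letter by k; other characters pass through."""
    return "".join(chr((ord(c) - 97 + k) % 26 + 97) if c.isalpha() else c for c in pt)


def shift_decrypt(ct, k):
    return shift_encrypt(ct, -k)


# Constructed word list standing in for "meaningful English"
WORDS = {"the", "a", "cat", "dog", "sleep", "bunny", "hal", "ibm", "meet", "at", "noon"}


def plausible_keys(ct, words=WORDS):
    """Every shift whose decryption consists only of dictionary words.

    More than one entry means the ciphertext is shorter than its practical
    unicity distance: the key is not determined even by unlimited analysis."""
    found = {}
    for k in range(26):
        pt = shift_decrypt(ct, k)
        if all(w in words for w in pt.split()):
            found[k] = pt
    return found


if __name__ == "__main__":
    print(unicity_distance(math.log2(26)))                # ~1.5 letters for 26 keys
    print(unicity_distance(128))                          # ~40 letters for a 128-bit key
    print(plausible_keys(shift_encrypt("sleep", 9)))      # "bunny": two keys fit
    print(plausible_keys(shift_encrypt("the bunny", 1)))  # one key fits
```

The formula is an average over messages: the shift cipher's U is about 1.5 letters, yet the five-letter ciphertext "bunny" still has two valid keys (shift 0 and shift 9, "sleep"). For a 128-bit key the same formula gives about 40 letters, which is why a modern cipher's security rests on computational cost rather than on messages being shorter than U.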
------------------------------
From: br <[EMAIL PROTECTED]>
Subject: Re: Random and RSA
Date: Fri, 16 Mar 2001 15:28:07 -0400
If secure = hard to attack so random = hard to attack
secure = random
:))))
Is it a false deduction?
"Douglas A. Gwyn" wrote:
>
> br wrote:
> > Factoring N is it so hard?
> > If the use of pseudorandomness function is not secure, why RSA is
> > seen as secure. When you multiply two prime big numbers, the
> > operation is not random? P has a sequence of digits that is non
> > random, Q too.
> > So I don't understand?
> > If someone can break a pseudo-random function, why can't he break a
> > deterministic function?
>
> You seem to seek a shortcut to knowledge. However, there is a lot
> more to cryptology than simply thinking "random <=> secure". In
> the case of RSA, the system can *in principle* be cracked, but the
> best ways anyone has thought of to attack it, apart from a small
> number of special cases, are equivalent to finding the prime
> factors. For large numbers, *this is hard* using even the best
> known techniques. (RSA's Web site has some large products-of-two-
> primes that you can win money by factoring, if you want to try.)
> If the best known attacks against a system require more computation
> than is available, in order to have an appreciable chance of success,
> then the system can be considered secure, except possibly against
> attacks we do not yet know about.
> There is no single method for inverting all encryption functions,
> so the ability to crack some PRNGs does not necessarily imply that
> one can break all other deterministic systems.
------------------------------
From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Q: IP
Date: Fri, 16 Mar 2001 21:39:14 +0100
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Thanks for the information. I asked the question because
> I read a newspaper article saying that having a fixed IP
> means that attackers have a fixed target to work on, while
> with dynamically assigned IPs one is rather anonymous, being
> only one element of a more or less large set belonging
> to the same ISP, and is thus advantageous in that respect.
> In case this statement of the newspaper is incorrect, please
> kindly tell.
You should not rely on your ISP changing your IP regularly, unless
you explicitly connect and disconnect several times a day (like most people
do with 56K modems). If you have ISDN, ADSL or some other kind of connection
that allows you to stay online 24-7, it may very well happen that you will
get a "dynamic" IP that in practice never changes.
As for your second question, if you have a 56K modem you don't have to worry
about people using your HD as an extension of their own. But that has more
to do with the fact that you're not online 24-7 and that your connection is
slow. If you are seriously worried, a dynamic IP is no replacement for a
personal firewall and a sound security policy.
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Date: Fri, 16 Mar 2001 21:37:07 +0100
Tim Tyler wrote:
>
[snip]
> The issue with detecting randomness in fundamental physics is much
> the same as testing for randomness in crypto. You can use tests to
> demonstrate that a stream is non-random, but you can never conclude
> from tests that it is genuinely random.
I wonder whether it isn't the case that, through the
act of setting up the concept of 'perfect randomness', we
have from the very beginning deprived ourselves (by
definition) the possibility of verifying the presence of
'perfect randomness' in any concrete case, since we know,
among others, that human perceptions of the world (with
biological capabilities assisted by whatever man-made
apparatus) can never be perfect, there being not only
errors but sometimes even illusions (that's why there
exist at any period theories in all branches of science
which get continuously improved, revised or even thrown
away as time passes).
M. K. Shen
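Tyler's point, quoted above by Shen, as an added example that is not part of either post: two tests from NIST SP 800-22 (frequency and runs) are run over three constructed bit streams. A repeating pattern fails the frequency test, the low bit of a power-of-two LCG is perfectly balanced and only the runs test catches it, and SHA-256 applied to a counter passes both even though it is completely deterministic and predictable to anyone holding the seed. The tests reject; they never certify.

```python
"""Statistical tests reject non-randomness; they never certify randomness.

Added example, not from the thread. The generators and the seed are
constructed for the demonstration.
"""
import hashlib
import math


def monobit_p(bits):
    """SP 800-22 frequency test: p = erfc(|S|/sqrt(2n)) with S = #ones - #zeros."""
    n = len(bits)
    s = 2 * sum(bits) - n
    return math.erfc(abs(s) / math.sqrt(2 * n))


def runs_p(bits):
    """SP 800-22 runs test: too many or too few runs for the observed 1-density?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # frequency precondition fails; SP 800-22 then skips the runs test
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def passes(bits, alpha=0.01):
    """True when neither test rejects at significance alpha. 'Passes' is not 'random'."""
    return monobit_p(bits) >= alpha and runs_p(bits) >= alpha


def pattern_bits(n, pattern="110"):
    """A repeating pattern: biased towards ones, caught by the frequency test."""
    return [int(pattern[i % len(pattern)]) for i in range(n)]


def lcg_low_bits(n, seed=12345):
    """Low bit of x <- 1664525*x + 1013904223 mod 2^32: it strictly alternates."""
    x, out = seed, []
    for _ in range(n):
        x = (1664525 * x + 1013904223) % 2**32
        out.append(x & 1)
    return out


def counter_hash_bits(n, seed=b"constructed seed"):
    """SHA-256(seed || counter), bit by bit. Fully deterministic, yet test-clean."""
    out, ctr = [], 0
    while len(out) < n:
        for byte in hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest():
            out.extend((byte >> k) & 1 for k in range(8))
        ctr += 1
    return out[:n]


if __name__ == "__main__":
    n = 20000
    for name, bits in [("pattern 110", pattern_bits(n)),
                       ("LCG low bit", lcg_low_bits(n)),
                       ("SHA-256(counter)", counter_hash_bits(n))]:
        print(f"{name:18s} monobit p={monobit_p(bits):.3g}  "
              f"runs p={runs_p(bits):.3g}  passes={passes(bits)}")
```

The counter-hash stream is what every deterministic CSPRNG looks like to a test suite, which is the crypto half of Tyler's analogy: a battery of tests is a useful filter on a hardware source or a pad, but "passed the tests" is evidence against a specific defect, never a proof of genuine randomness.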
------------------------------
From: "Dann Corbit" <[EMAIL PROTECTED]>
Subject: Re: Factoring RSA
Date: Fri, 16 Mar 2001 12:51:18 -0800
"br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Try this algo to factor N.
> Let S= (10^k) - 1
> for k=N to (n/2) step -1
> Let c=gcd(S,N)
> if c<>1 or c<>N then c is a solution.
>
> It's hard to compute huge numbers. But with computers able to manage a
> huge number, it's feasible.
Do yourself a favor and only test odd numbers. Doubles the speed of the loop.
Here is an efficient GCD, with a nice Maple implementation:
http://citeseer.nj.nec.com/cache/papers2/cs/5083/http:zSzzSzwww.math.ncsu.eduzSz~kaltofenzSzbibliographyzSz99zSzKaMo99.pdf/kaltofen99genericity.pdf
I can't say that I really understand how your algorithm works, since S does
not change during the iterations. Perhaps I fail to understand some
fundamental piece of the algorithm.
I once had a similar notion, except that I took a product of known primes up
to some K. For instance, if you form a product of all primes from 2 up to the
largest prime in [0..2^32] then GCD of that product with any number up to
2^64th will partly factor it unless it is prime.
However, this is a horrible algorithm and not at all impractical.
Have you had a look at Chris Caldwell's prime page?
He lists some very efficient techniques for factoring.
Even so, it is very expensive to factor large numbers. A product of two large
primes is dauntingly difficult to factor. The RSA challenges (for instance)
very effectively show that it is not cost effective to try to break RSA for
even modest modulus sizes.
If you look at the actual CPU hours, it is a stupefying total. And the
algorithms used are among the best known for problems in that particular size
range.
--
C-FAQ: http://www.eskimo.com/~scs/C-faq/top.html
"The C-FAQ Book" ISBN 0-201-84519-9
C.A.P. FAQ: ftp://cap.connx.com/pub/Chess%20Analysis%20Project%20FAQ.htm
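Corbit's "product of known primes" idea as an added example (not his code): the primorial P of all primes up to a bound B is computed once, and a single gcd(N, P) reveals every prime factor of N below B. It also shows the failure mode he alludes to: an RSA-style N = p*q with both primes above B is untouched, and P itself is huge, since ln P is Chebyshev's theta(B), roughly B, so P has about 1.44*B bits (for his B = 2^32 that is on the order of 6 gigabits). The test numbers 104723 and 104729, the 9999th and 10000th primes, are constructed inputs.

```python
"""Strip small factors with one gcd against a primorial.

Added example, not Corbit's code. gcd(N, P) with P the product of all
primes <= B finds every prime factor of N below B in one big-integer
operation, and nothing at all when both factors of N exceed B.
"""
import math


def primes_up_to(bound):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound + 1, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]


def primorial(primes):
    """Product of the given primes; about 1.44*B bits for all primes <= B."""
    return math.prod(primes)


def strip_small_factors(n, bound):
    """Return (small prime factors with multiplicity, remaining cofactor)."""
    primes = primes_up_to(bound)
    g = math.gcd(n, primorial(primes))  # product of the distinct small primes dividing n
    found = []
    for p in primes:
        if g % p == 0:
            while n % p == 0:             # recover multiplicity
                n //= p
                found.append(p)
    return found, n


if __name__ == "__main__":
    # Constructed inputs: 104723 and 104729 are the 9999th and 10000th primes.
    print(strip_small_factors(2**3 * 7 * 104729, 100))    # ([2, 2, 2, 7], 104729)
    print(strip_small_factors(104723 * 104729, 1000))      # ([], N): both primes exceed B
    print(primorial(primes_up_to(100_000)).bit_length())   # about 144,000 bits for B = 1e5
```

As a smoothness filter this is sound and is used in practice; as a factoring method for a product of two large primes it does nothing, because the one gcd only ever finds factors the sieve already enumerated.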
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 16 Mar 2001 21:04:06 GMT
Subject: Re: NTRU - any opinions
Congratulations, Robert, in advancing the state of the art of point counting.
Don Johnson
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************