Cryptography-Digest Digest #923, Volume #13 Sat, 17 Mar 01 00:13:00 EST
Contents:
Re: How to eliminate redondancy? ("Trevor L. Jackson, III")
Re: Random and RSA (those who know me have no need of my name)
Re: Correct Posting: Shannon & Repeating Emanations (Steve Portly)
Re: Factoring RSA ("Scott Fluhrer")
Re: Factoring RSA ("Scott Fluhrer")
Re: What do we mean when we say a cipher is broken? (Was Art of ("Trevor L. Jackson, III")
Re: Random and RSA (those who know me have no need of my name)
Re: SSL secured servers and TEMPEST (those who know me have no need of my name)
Re: Dumb inquiry.... ("Scott Fluhrer")
Re: Computing power in the world ("Trevor L. Jackson, III")
Re: SSL secured servers and TEMPEST ("Trevor L. Jackson, III")
Re: Quantum Computing & Key Sizes (Bill Unruh)
Re: Key Recovery System/Product (those who know me have no need of my name)
Re: IP ("Michael Brown")
Re: Q: IP ("Michael Brown")
Re: Factoring RSA ("Michael Brown")
Re: IP (David Schwartz)
Re: Q: IP (David Schwartz)
Re: Q: IP (David Schwartz)
----------------------------------------------------------------------------
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: How to eliminate redondancy?
Date: Sat, 17 Mar 2001 03:27:43 GMT
"Douglas A. Gwyn" wrote:
> "Trevor L. Jackson, III" wrote:
> > Given a highly redundant plaintext one can eliminate the redundancy
> > by masking with a good PRNG.
>
> I guess at this point we ought to ask what people mean by "redundancy".
> To me, that scheme doesn't reduce redundancy by more than the bits in
> the PRNG parameters. It does make it more "latent", however.
The same complaint can be leveled against any lossless transform.
------------------------------
From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Random and RSA
Date: Sat, 17 Mar 2001 03:32:34 -0000
<98toab$s8t$[EMAIL PROTECTED]> divulged:
>3648619747307346288823659931102648912027984439975493780829346715987758
>2636039597999594334596226827651997112107402848167549330863512457575218
>8698619439169071545606986083121263673550943113237113839445816060239485
>0876228509053691549723304802264024332397042389689297353137878157027748
>3241354391156478887788970461
is that one of the current challenges?
--
okay, have a sig then
------------------------------
From: Steve Portly <[EMAIL PROTECTED]>
Subject: Re: Correct Posting: Shannon & Repeating Emanations
Date: Fri, 16 Mar 2001 22:37:49 -0500
Frank Gerlach wrote:
> (linux and netscape... :-( )
>
> Maybe a quick-and-dirty information-theoretic calculation can give a clue
> on the relationship of SNR and signal repetitions.
>
> In the following, these Variables are used:
>
> DS digital signal containing target signal
> TS target signal
> C Transmission rate in bit/s
> B Bandwidth in Hz
> SNR Signal to Noise Ratio in 1/1
> fc Clock Frequency of the signal in Hz
> R repetitions of signal
> fr target signal repetition rate in 1/s
> l length of the target signal in bits
> t recording time
>
> Shannon:
> C=B*log2(1+SNR)
>
> Assuming the targeted signal TS is part of a simple digital (binary)
> signal DS, a rough estimation of DS' bandwidth is
>
> B=fc.
>
> For an exact calculation, an integral of the Fourier transformation of the
> signal DS would have to be used. Still, B=fc appears to be a good
> approximation.
>
> The maximum transmission rate of DS is
> C=fc*log2(1+SNR)
>
> The percentage of TS data transmitted is
>
> p=(fr*l)/fc
>
> This means that the maximum TS transmission rate Cts is
>
> Cts=C*p
>
> Cts=C*fr*l/fc
>
> To successfully intercept the target signal, the minimum recording time is
>
> t=l/Cts
>
> t=l/(fc*log2(1+SNR)*fr*l/fc)
>
> t=1/(fr*log2(1+SNR))
>
> Two interesting points:
> -the minimum monitoring time is directly related to the frequency of the
> repetition of the target signal
> -neither length of target signal nor the base frequency of the signal is
> relevant !!
>
> Some sample calculations:
> Repetition rate 100/s
> SNR(dB)=-10 ->.00002020150249261588 (h)
> SNR(dB)=-40 ->.01925505103726054377 (h)
> SNR(dB)=-70 ->19.25408931159198693411 (h)
> SNR(dB)=-100 ->19254.08835140925966709589 (h)
> SNR(dB)=-130 ->19254091.56377203118620638112 (h)
>
> This means that cryptographic devices should be designed for -100dB SNR,
> whilst -70 dB should be enough for displays. This assumes that no critical
> data is displayed for more than 8 hours at a time.
On a mobile device the most difficult source of emissions to shield is the
front of the display.
I have used clear conductive plastic sheeting which drops emissions by at
least 20 dB from lessemf.
http://lessemf.com/plastic.html
I tested the product with an ohm meter and it performs true to form. It
darkens the screen only slightly when used in one layer and is easy to work
with. If you change it periodically it even works well with pen based systems;
the sputter is somewhat resilient. Are there any better retail sources that
the pros use?
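The recording-time estimate from the quoted post, as an added example that is not part of the original thread: it reproduces the table for a 100/s repetition rate and inverts the formula into the emission budget a designer needs for a given exposure time. Variable names follow the post (fr, SNR); the function names are my own.

```python
"""Minimum recording time for a repeating emanation, following the Shannon
estimate in the quoted post: t = 1 / (fr * log2(1 + SNR)), with SNR as a
plain power ratio and t in seconds.  Added example, not code from the digest."""
import math

SECONDS_PER_HOUR = 3600.0


def db_to_ratio(snr_db: float) -> float:
    """Convert a signal-to-noise ratio given in dB to a power ratio."""
    return 10.0 ** (snr_db / 10.0)


def min_recording_time_s(fr: float, snr_db: float) -> float:
    """Seconds of capture needed before the target signal, repeated fr
    times per second, can in principle be recovered from the noise.
    log1p keeps log2(1 + SNR) accurate when SNR is tiny (e.g. -130 dB)."""
    snr = db_to_ratio(snr_db)
    return 1.0 / (fr * (math.log1p(snr) / math.log(2.0)))


def min_recording_time_h(fr: float, snr_db: float) -> float:
    return min_recording_time_s(fr, snr_db) / SECONDS_PER_HOUR


def required_snr_db(fr: float, exposure_h: float) -> float:
    """Inverse view for a designer: the SNR (dB) at the receiver at which
    recovery takes at least exposure_h hours, i.e. the emission level a
    device must stay below if data is shown for that long.
    From t = 1/(fr*log2(1+SNR)):  SNR = 2**(1/(fr*t)) - 1."""
    t = exposure_h * SECONDS_PER_HOUR
    snr = math.expm1(math.log(2.0) / (fr * t))   # 2**x - 1, computed accurately
    return 10.0 * math.log10(snr)


if __name__ == "__main__":
    # Reproduces the table in the quoted post for a 100/s repetition rate
    # (the -130 dB row differs from the post in its seventh significant
    # digit; the original arithmetic lost precision at 1 + 1e-13).
    for db in (-10, -40, -70, -100, -130):
        print(f"SNR {db:5d} dB -> {min_recording_time_h(100, db):.8g} h")
    # Budget for a display that shows critical data up to 8 hours at a time.
    print(f"8 h exposure at 100/s needs SNR below {required_snr_db(100, 8):.1f} dB")
```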
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Factoring RSA
Date: Fri, 16 Mar 2001 19:28:51 -0800
Dann Corbit <[EMAIL PROTECTED]> wrote in message
news:ifws6.141$xh6.657@client...
> "br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > You wrote :
> > "I can't say that I really understand how your algorithm works, since S
> > does not change during the iterations. Perhaps I fail to understand
> > some
> > fundamental piece of the algorithm.
> >
> > Suppose as sample n=1633
> > you have to try gcd( (10^1633)- 1,1633)
> > gcd( (10^1632)-1,1633)
> > etc... until S= (10^816) - 1
> >
> > Is it clear?
>
> What you are trying is clear now.
>
> Suppose we are trying to factor a mere 56 bit number. How long will your
> algorithm take? For instance, suppose you are wondering about this
number:
> 72057594037927907 = 768467471 x 93767917
Actually, by computing everything mod N, a single iteration of the above is
actually feasible. However...
>
> 10^72057594037927907-1 has a lot of bits! Do you have a computer at your
> disposal that can hold this number?
Far worse, he's cycling through 10^N-1 to 10^((N+1)/2) - 1. That's (N-1)/2,
and since for a real problem, N will be a 1024 bit number, that's a *lot* of
iterations. Unless you have some good reason that it's likely to find an
answer in the first, say, 2**128 iterations or so, this doesn't look likely.
Glancing at the math behind it, one would expect it to take O(q) iterations,
where q is the size of the smaller factor. This isn't any better than trial
division.
>
> I don't think it is a good idea to use this method. I think it will be
> impossibly slow on very easy problems.
> --
> C-FAQ: http://www.eskimo.com/~scs/C-faq/top.html
> "The C-FAQ Book" ISBN 0-201-84519-9
> C.A.P. FAQ: ftp://cap.connx.com/pub/Chess%20Analysis%20Project%20FAQ.htm
>
>
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Factoring RSA
Date: Fri, 16 Mar 2001 19:32:58 -0800
br <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> My idea is very simple : if you multiply every prime number P by X, P*X
> will be equal to 999999999999999999 ( (10^k) - 1) for k near the value
> n. You can prouve that in the neighbour of (10^n) - 1 (just few values
> of k), you will find P or Q.
You can? I do not believe that it is true. It is true that, if n=p*q (p,q
!= 2,5), then mod( 10^k-1, n ) != 1 for some k s.t. n >= k > n-p, and that
mod will likely not be n. However, I don't think you can either prove or
prouve anything significantly tighter.
--
poncho
------------------------------
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: What do we mean when we say a cipher is broken? (Was Art of
Date: Sat, 17 Mar 2001 03:46:33 GMT
John Savard wrote:
> On Fri, 16 Mar 2001 13:42:32 -0600, [EMAIL PROTECTED] (wtshaw) wrote,
> in part:
>
> >A more important question to me is what ciphers
> >have a useful unicity distance, and how large are they.
>
> Unicity distance is an information-theoretic quantity, and depends
> solely on the size of the key.
Eh? Your statement implies that the entropy of the plaintext plays no
role in the calculation of unicity distance. I understood that to be
false.
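A worked version of the point in the reply, added here and not part of the original post: with U = H(K)/D and D the plaintext redundancy in bits per character, the key size fixes only the numerator. The sample texts and function names are constructed for this example.

```python
"""Unicity distance as U = H(K) / D, with D the redundancy of the plaintext
in bits per character: D = log2(alphabet size) - H(plaintext per character).
Added example (not from the digest): the same key size yields very
different U for different plaintext statistics.  Both sample texts below
are constructed here, not real corpora."""
import math
from collections import Counter


def entropy_bits_per_char(text: str) -> float:
    """First-order estimate: entropy of the single-letter frequency
    distribution.  Real language has extra structure between letters, so
    this understates D and therefore overstates U."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def redundancy(text: str, alphabet_size: int = 26) -> float:
    return math.log2(alphabet_size) - entropy_bits_per_char(text)


def unicity_distance(key_bits: float, text: str, alphabet_size: int = 26):
    """Expected number of ciphertext characters after which only one key is
    consistent with the ciphertext.  Returns None (infinite) when the
    plaintext has no redundancy: then no key size makes the cipher
    breakable from the ciphertext alone, however small the key."""
    d = redundancy(text, alphabet_size)
    return None if d <= 1e-9 else key_bits / d


# Constructed samples: skewed letter statistics vs. a perfectly flat alphabet.
SKEWED = "thequickbrownfoxjumpsoverthelazydog" * 3 + "eeeeeeeeeeeettttttaaaaa"
FLAT = "abcdefghijklmnopqrstuvwxyz" * 4

if __name__ == "__main__":
    for bits in (56, 128, 256):
        print(bits, "bit key: skewed ->", unicity_distance(bits, SKEWED),
              "chars; flat ->", unicity_distance(bits, FLAT))
```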
------------------------------
From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Random and RSA
Date: Sat, 17 Mar 2001 03:49:10 -0000
<[EMAIL PROTECTED]> divulged:
>Try this algo to factor N.
>Let S= (10^k) - 1
>for k=N to (n/2) step -1
>Let c=gcd(S,N)
>if c<>1 or c<>N then c is a solution.
>
>I know that it's hard with huge numbers but try it, I think that you will
>find a solution in less than an hour.
the last rsa factoring challenge to be completed required 7.4 months for a
155 digit number, and required a network of over 290 computers. if you can
find a way to do it in an hour you will be quite famous. this algorithm
doesn't appear to work that quickly.
--
okay, have a sig then
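The quoted algorithm written out so it can actually be run, as an added example that is not part of the digest. It follows Scott Fluhrer's remarks in the Factoring RSA replies earlier in this digest: reducing 10^k - 1 mod N makes one step cheap, and the order of 10 modulo each prime factor predicts how many steps the loop needs (about the size of the smaller factor, as with trial division). The function names are mine; the numbers 1633 and 72057594037927907 = 768467471 x 93767917 come from the thread.

```python
"""The gcd(10^k - 1, N) idea from the Factoring RSA thread, written the way
Scott Fluhrer suggests (reduce everything mod N, so one step is cheap), plus
the order computation that shows why the number of steps is no better than
trial division.  Added example, not code from the digest."""
from math import gcd


def repunit_gcd_factor(n: int):
    """Step k = n, n-1, ..., (n+1)//2 and return (k, factor, steps) at the
    first k where gcd(10^k - 1, n) is a proper divisor, or None.
    10^k - 1 is reduced mod n, so the gcd operand never exceeds n."""
    steps = 0
    for k in range(n, (n + 1) // 2 - 1, -1):
        steps += 1
        s = (pow(10, k, n) - 1) % n          # (10^k - 1) mod n
        c = gcd(s, n)
        if 1 < c < n:                        # the quoted "c<>1 or c<>N" must be AND
            return k, c, steps
    return None


def _factor(m: int) -> dict:
    """Prime factorisation of m by trial division (m is small here)."""
    factors, d = {}, 2
    while d * d <= m:
        while m % d == 0:
            factors[d] = factors.get(d, 0) + 1
            m //= d
        d += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def multiplicative_order(a: int, m: int) -> int:
    """Smallest e > 0 with a^e = 1 (mod m), for gcd(a, m) = 1: start from
    phi(m), a multiple of the order, and strip primes while a^e stays 1."""
    phi = 1
    for q, e in _factor(m).items():
        phi *= (q - 1) * q ** (e - 1)
    order = phi
    for q in _factor(phi):
        while order % q == 0 and pow(a, order // q, m) == 1:
            order //= q
    return order


def steps_until_factor(n: int, p: int) -> int:
    """gcd(10^k - 1, n) picks up the prime factor p exactly when ord_p(10)
    divides k, so the loop stops at the first multiple of ord_p(10) at or
    below n, i.e. after n mod ord_p(10) + 1 steps.  ord_p(10) divides p - 1
    and is usually close to it, hence O(p) steps, like trial division."""
    return n % multiplicative_order(10, p) + 1


if __name__ == "__main__":
    print(repunit_gcd_factor(1633))        # (1628, 23, 6): quick only because 23 is tiny
    for p in (23, 71):
        print(p, "ord_p(10) =", multiplicative_order(10, p), "steps:", steps_until_factor(1633, p))
    n = 72057594037927907                  # the 56-bit example from the thread
    for p in (768467471, 93767917):        # predict the work instead of running it
        print(p, "ord_p(10) =", multiplicative_order(10, p), "steps:", steps_until_factor(n, p))
```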
------------------------------
From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: SSL secured servers and TEMPEST
Date: Sat, 17 Mar 2001 03:50:51 -0000
<[EMAIL PROTECTED]> divulged:
> -are there any key usage policies *in use* to make this kind of
>attack impossible (such as temporary certificates signed with the
>"master" certificate of the site) ?
typically ssl accelerators are loaded with the private key. so the
accelerator uses the key itself, it isn't transferred for each session
setup.
--
okay, have a sig then
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Dumb inquiry....
Date: Fri, 16 Mar 2001 19:42:43 -0800
<[EMAIL PROTECTED]> wrote in message
news:4XLr6.168$[EMAIL PROTECTED]...
>
> Mok-Kong Shen wrote in message <[EMAIL PROTECTED]>...
> >
> > A point of note is that the matrix of PHT is not symmetrical,
> > while yours is.
>
>
> Hmm, I'll need to think on that. Thanks for pointing out the obvious. I
> didn't consider that.
Of course, whether symmetrical is good or bad depends on the rest of the
system.
- If a system is asymmetric, then the attacker can view the system in two
distinct ways, and choose to attack the way that makes the job easiest for
him. For example, in the PHT, the attacker can look at a differential in X
(which doubles X and moves that additive differential into Y), or he can
look at a differential in Y (which gets copied over to X). A system that is
secure against one may be vulnerable to the other.
- If a system is symmetric, then the attacker might be able to take
advantage of the symmetry. For example, with your method, the attacker
knows that he has a differential that swaps the inputs, then the output
differential swaps the outputs, even if he has no idea what the inputs are.
--
poncho
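The two PHT differential rules in the post, checked in code as an added example (not from the digest). The PHT here is x' = 2x + y, y' = x + y mod 2^32; the symmetric 2x2 mix [[1,2],[2,1]] is a stand-in I chose, since the poster's own construction is not in the digest.

```python
"""Additive differentials through the PHT x' = 2x + y, y' = x + y (mod 2^32),
checking the two propagation rules described in the post, and the
input-swap symmetry of a symmetric 2x2 mix.  Added example, not code from
the digest; the symmetric matrix [[1,2],[2,1]] is a stand-in assumption."""
import random

MASK = 0xFFFFFFFF


def pht(x: int, y: int) -> tuple:
    """Pseudo-Hadamard transform on two 32-bit words."""
    return (2 * x + y) & MASK, (x + y) & MASK


def sym_mix(x: int, y: int) -> tuple:
    """Stand-in symmetric mix [[1,2],[2,1]]; its determinant -3 is odd, so
    it is invertible mod 2^32 like the PHT."""
    return (x + 2 * y) & MASK, (2 * x + y) & MASK


def output_diff(f, x: int, y: int, dx: int, dy: int) -> tuple:
    """Additive output differential of f for the input differential (dx, dy)."""
    a0, b0 = f(x, y)
    a1, b1 = f((x + dx) & MASK, (y + dy) & MASK)
    return (a1 - a0) & MASK, (b1 - b0) & MASK


def check_pht_rules(trials: int = 1000, seed: int = 1) -> bool:
    """Rule 1: a differential d in X comes out as 2d in X' and d in Y'.
    Rule 2: a differential d in Y is copied unchanged to both X' and Y'.
    Both hold for every input (the map is linear mod 2^32), which is why
    they can be used without knowing the inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y, d = (rng.getrandbits(32) for _ in range(3))
        if output_diff(pht, x, y, d, 0) != ((2 * d) & MASK, d):
            return False
        if output_diff(pht, x, y, 0, d) != (d, d):
            return False
    return True


def check_swap_symmetry(f, trials: int = 1000, seed: int = 2) -> bool:
    """True if swapping the two inputs always swaps the two outputs, the
    property the post notes for a symmetric matrix: the stand-in mix has
    it, the PHT does not."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(32), rng.getrandbits(32)
        a, b = f(x, y)
        if f(y, x) != (b, a):
            return False
    return True


if __name__ == "__main__":
    print("PHT rules hold:", check_pht_rules())
    print("PHT swap-symmetric:", check_swap_symmetry(pht))
    print("[[1,2],[2,1]] swap-symmetric:", check_swap_symmetry(sym_mix))
```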
------------------------------
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Computing power in the world
Date: Sat, 17 Mar 2001 04:02:31 GMT
Frank Gerlach wrote:
> AirBete wrote:
>
> > Hi all,
> >
> > What is the up-to-date estimate of the total computing power in the world in
> > mips-years?
>
> MIPS-years are a silly metric.
> Its like asking "how many Megawatt-hours of processing capacity are there ?"
In context yes, in general no. A MIPS-year is a useful metric for measuring the
quantity of computation rather than the rate of computation. Factoring this
composite, minimizing that sales route, or extracting a 3DES key from a
plaintext/ciphertext pair are all tasks whose size might be measured in
MIPS-years. In those contexts using MIPS would be silly.
------------------------------
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: SSL secured servers and TEMPEST
Date: Sat, 17 Mar 2001 04:04:18 GMT
Steve Portly wrote:
> Frank Gerlach wrote:
>
> > >
> > >
> > > Analog media, like tape may be possible - are there any media that can store
> > > 2Ghz of bandwidth.
> >
> > My calculation was as follows: a Video Signal has about 5 MHz of Bandwidth. Just
> > split that 2 GHz signal into 2000/5=400 5 MHz bands, transform them into the
> > 0..5 MHz base band and then you "just" need 400 VCRs to store the signal. If you
> > strip a VCR (Video Cassette Recorder) of all unnecessary stuff and mount it in
> > racks, those 400 VCRs should fit into a 32 metric ton truck trailer. Of course,
> > there must be a very precise phase signal recorded on every tape and the motors
> > should be high quality to assure low phase jitter.
> > Have two trucks, one is monitoring, while the other is loading fresh tapes in a
> > safe location.
> > After some days of monitoring you airlift the tapes with a C-141 to wherever
> > your acres of processing power are.
>
> In terms of threat assessment isn't there another level of threat? My threat is not
> from the NSA or the FBI since I don't break the law.
This is a common, but often erroneous assumption.
> My concerns lie more along the
> lines of street hackers and private investigators. I think there are some common
> sense things you can do to protect your privacy and intellectual property. One of
> the first things everybody warns newbies to do in order to reduce their emissions
> is make sure the equipment is properly grounded. With a rudimentary receiver I was
> able to isolate the frequency of my keyboard and found that keystrokes are quite
> easy to capture. Further testing showed that although grounding prevents shock and
> equipment damage, household wiring has far too high a resistance to make any
> difference in emissions. Since the keyboard emanations are outside the case they
> would be one of the most likely targets of an amateur snoop. Also since the
> keyboard operates off a rather long interrupt it would be relatively easy to isolate
> using slightly more sophisticated equipment. Rather than go to the expense of
> properly filtering and grounding my desktop computer (which could be quite costly) I
> found it easier to just use a lower emissions portable computer for confidential
> material. With just a little work you can apply some non-invasive Faraday shielding
> to a smaller unit and reduce the native emissions by 20 decibels or so. The Faraday
> shielding turns the unit into a capacitor that pulses at a fixed lower frequency.
> Since most of the energy is discharged in the fixed pulse, less of the readable
> frequency is available to the snoop. There are plenty of public resources available
> about this topic so I won't go into detail. The bottom line is if you are limited
> on funds as I am, you can still get a surprising amount of emissions reduction on
> your own.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Quantum Computing & Key Sizes
Date: 17 Mar 2001 04:13:28 GMT
In <[EMAIL PROTECTED]> Stanley Chow <[EMAIL PROTECTED]> writes:
]Bill Unruh wrote:
]>
]> However, in doing a database search Grover's algorithm only changes the
]> search from N to sqrt(N) where N is the size of the database
]> (2^(keylength)) which is the basis for his comment. HOwever it is
]> entirely possible that there is a QC algorithm which could turn any
]> given secret key algorithm into a polynomial time one as well.
]If I remember correctly, their is a proof that sqrt(N) is in fact
]a tight bound. Something about the superpositions taking that many
]steps to "smear" into the right places. I think the paper in the
]LANL preprints and is probably by Grover.
That theorem is for a truly random database search. But a cryptosystem
is not random. It is a very specific set of operations. Thus it is
possible that a QC could use the specific operations which make the
cryptosystem to find the key in many fewer than sqrt N steps. After all,
one could put factoring into a database search form ( try all numbers
between 1 and sqrt N to see which is a factor) and thus use the Grover
algorithm to say that factoring takes N^(1/4) steps. However this is
wrong. You can do it in order ln(N)^2 steps because of the specific
non-random relation of the factor to the number.
------------------------------
From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Key Recovery System/Product
Date: Sat, 17 Mar 2001 04:29:33 -0000
<98q2ht$e32$[EMAIL PROTECTED]> divulged:
>Is there a feasible approach other than key recovery? Thanks, all.
you could change the way you encrypt, so that it would work like pgp adk's.
--
okay, have a sig then
------------------------------
From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: IP
Date: Sat, 17 Mar 2001 17:36:48 +1300
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Probably a very dumb question: If I connect to the internet
> via a provider, do I have a fixed (and always same) IP
> assigned by my ISP? I heard that ISPs assign (or may assign)
> dynamically variable IPs to their customers. Is that right
> or wrong? Thanks.
>
> M. K. Shen
Due to the way that Windows (and Linux, as far as I can tell) does dial-up
IP negotiation, you often end up with the same address for several sessions.
This is because (for some reason) it requests the same address. You only get
a new one if your last one is being used.
---
Michael Brown
Physics is no fun if you disregard friction.
------------------------------
From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: Q: IP
Date: Sat, 17 Mar 2001 17:38:52 +1300
"Fred" <[EMAIL PROTECTED]> wrote in message
news:jCxs6.3957$[EMAIL PROTECTED]...
> Hello,
>
> Yeah sure, but personal firewalls are cheap, low-cost, low-protection.
> They protect against attacks from wannabe hackers with their Trojan software
> or other types of attack. Personal firewalls are not a problem for
> experienced crackers. But, 95% of the time, professional firewalls
> are not either.
>
> If you are a normal home user, and don't have anything
> important to protect, and just need protection against wannabes, why
> not use a personal firewall? They do the job! Nobody needs a
> professional firewall and full security system to protect their
> normal files ( letters, not so important text, etc ).
>
> Salutations,
>
>
> Fred
Hmm, maybe my NAT modem followed by a two-486 DMZ setup is a little extreme
then :)
In case you're wondering why, it's because I had two 486/100s to spare and
picked up a few free network cards.
---
Michael Brown
Physics is no fun if you disregard friction.
------------------------------
From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: Factoring RSA
Date: Sat, 17 Mar 2001 17:45:08 +1300
"Dann Corbit" <[EMAIL PROTECTED]> wrote in message
news:o1vs6.134$xh6.721@client...
> Have you had a look at Chris Cauldwell's prime page?
>
> He lists some very efficient techniques for factoring.
I know I'm getting repetitive, but could someone also look at my factoring
page :P
http://odin.prohosting.com/~dakkor/rsa/
---
Michael Brown
Physics is no fun if you disregard friction.
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: IP
Date: Fri, 16 Mar 2001 20:49:27 -0800
Michael Brown wrote:
> Due to the way that Windows (and Linux, as far as I can tell) does dial-up
> IP negotiation, you often end up with the same address for several sessions.
> This is because (for some reason) it requests the same address. You only get
> a new one if your last one is being used.
Which makes Windows policy of breaking all TCP connections on a hangup
seem even more boneheaded. Requesting the same address is the right
thing to do. However, for security reasons, your ISP really shouldn't
allow your IP to be reused immediately unless it can confirm that it's
assigning it back to the same user, which most can't.
DS
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Q: IP
Date: Fri, 16 Mar 2001 20:52:21 -0800
"Dr. Yongge Wang" wrote:
> It is not only dynamic, for many times you only get an internal IP address,
> that is, not recognizable by the outside world. The ISP gateway may
> use NAT protocols to translate your IP. Have a look at the RFC1631
A company that did that would not be providing Internet access.
Numerous protocols would be broken by that, including any that involved
encryption with IP addresses in the payload. It would break IP posters.
DS
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Q: IP
Date: Fri, 16 Mar 2001 20:53:47 -0800
Mok-Kong Shen wrote:
> Thanks for the information. I asked the question because
> I read a newspaper article saying that having a fixed IP
> means that attackers have a fixed target to work on, while
> with dynamically assigned IPs one is rather anonymous, being
> only one element of a more or less large set belonging
> to the same ISP, and is thus advantageous in that respect.
> In case this statement of the newspaper is incorrect, please
> kindly tell.
>
> M. K. Shen
In reality dynamically assigned IPs are known to be rich in insecure
computers and are constantly swept and probed.
DS
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************