Cryptography-Digest Digest #934, Volume #13      Sun, 18 Mar 01 15:13:01 EST

Contents:
  Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION (SCOTT19U.ZIP_GUY)
  Safe Multiple Encryption (John Savard)
  Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION (amateur)
  Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION (SCOTT19U.ZIP_GUY)
  Re: Latin Squares (Jim Steuert)
  Re: Idea (John Joseph Trammell)
  Re: Idea (SCOTT19U.ZIP_GUY)
  Re: IP (David Schwartz)
  Re: PGP "flaw" (Sundial Services)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION
Date: 18 Mar 2001 19:03:49 GMT

[EMAIL PROTECTED] (Henrick Hellström) wrote in 
<992oit$nme$[EMAIL PROTECTED]>:

>"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Dear folks, I know it's hard to get most of you motivated.
>> But would there be interest in making a "perfect English"
>> encryption using anyone's favorite fixed block size cipher,
>> such that any wrong key would lead to valid English text?
>
>
>Been there, done that. I made such a component for Delphi a year back. It
>performs awfully, but it works, and it should still be available for
>download somewhere.
>
>
>--
>Henrick Hellström  [EMAIL PROTECTED]
>StreamSec HB  http://www.streamsec.com
>
>


   I don't know much about DELPHI except it was part of
General Motors at one time. I prefer C. Was your code
perfectly bijective from English to encrypted binary files?
In other words, could I take a 2 or 3 byte random file and
come back with words in such a way that for "any decryption key"
tested it would generate English words that, when re-encrypted,
would come back to the same file?

   If so, way to go. I would be more interested in your
dictionary file than the code, since I have all the tools
necessary to do this in C. I'm just really lacking a good code
dictionary. Also I have yet to see any fully bijective code
written for RIJNDAEL except the work of MATTs and the recent
thing I posted where I use a batch stream and several bijective
programs to create a true bijective encryption with RIJNDAEL to
the set of all binary 8-bit files.


David A. Scott
P.S.  You never stated the name of the file that has this.
Having searched the net for many programs of this type I
have never come across one that does what you're implying
yours does. Also, isn't the dictionary very large? Is it
a separate file? If so, where is it and what is its format?

-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Safe Multiple Encryption
Date: Sun, 18 Mar 2001 19:11:26 GMT

It has been noted that if one enciphers a message first by method A
and then by method B, even where method A and method B use
independently derived keys, the security of the result is not
necessarily any better than that of method A. (Method A might be a
chosen-plaintext attack on method B "in disguise".)

If the keys used for different methods of encryption applied
successively are not independent, then the last method might leak the
key it was given, helping in the attack on the earlier methods.

While these proofs seem to imply a maliciously designed cipher, one
that is merely badly designed could do the same thing, at least
partially, by accident.

Thus, it has tended to be believed that multiple encryption, except
under very carefully defined circumstances (i.e., Triple-DES) is
unwise. Yet, from an amateur perspective, looking at the difficulty of
solving pencil-and-paper ciphers as a guide, since they are
"scaled-down" encryption, that is, encryption that _can_ be broken,
and therefore encryption that can tell us how hard it is to break
things through practice, combining multiple ciphers of different types
often quickly escalates the difficulty of reading a message out of
reach.

It would therefore be very helpful if there were a set of guidelines
for safe multiple encryption.

Let us look first at the simplest case, applying multiple ciphers to a
plaintext in order.

It would seem to be true that if the following conditions were met,
multiple encipherment would be 'pretty safe', provided at least none
of the ciphers were contrived:

- each cipher step has an independent key (either genuinely
independent, or made independent through the use of a secure hash
function; the GGR scheme that David Wagner recently mentioned is also
applicable here)

- no cipher step is allowed to change the size of the plaintext; where
an IV is desired, the IV is generated independently of the cipher
step, and supplied to it from the outside

Then it seems as though the steps don't have room to either leak key
bits, or attack subsequent steps. But that isn't really quite enough.

Not being allowed to change the length of the plaintext seems to
prevent leaking information deliberately. After all, typical
compression schemes, when fed an incompressible plaintext, have to
expand it at least slightly - by one bit to say 'I didn't compress
this'.

But that does *not* actually mean that a cipher scheme couldn't be
designed to leak key bits _when_ fed compressible plaintext and yet
never expand the plaintext or lose part of it.

The cipher scheme could involve a codebook, where all the likeliest
plaintexts have equivalents ending in a lot of zeroes; but each
plaintext would still have a ciphertext of the same length.

For example: let us suppose that we treat plaintexts consisting of
ASCII text as compressible.

A codebook acting on eight-byte blocks could work as follows:

Step 1: By substitution, let us code the bytes so that they are in a
code which begins

(space) abcdefghijklmnopqrstuvwxyz-.,'"
ABCDEFGHIJKLMNOPQRSTUVWXYZ:;!? (CR) (LF)
0123456789()[]<>+=*_#$%&@{}|\ (TAB)
^`~ (the other ASCII control characters)

and the second half of which is just the high-bit characters in order.
(Or we could replicate the coding for the high-bit characters if we
think we might get plaintexts in older 8-bit representations of ASCII
that don't use zero in the extra position.)

Step 2: The first 40 bits of an encoded block consist of the least
significant five bits of each of the eight bytes in order after the
coding of step 1.

The last 8 bits of an encoded block consist of the most significant
bit of each of the eight bytes in order after the coding of step 1.

These last 8 bits will always be zero for any plaintext in seven-bit
ASCII.

Step 3: The remaining two bits of each byte are to be encoded using a
numbering that begins with the most likely case, that of all zeroes;
then the bits of the resulting number are to be reversed to be placed
in the remaining part of the encoded block.

The numbering might begin as follows:

0) 00 00 00 00 00 00 00 00
1) 00 00 00 00 00 00 00 01
2) 00 00 00 00 00 00 01 00
...
8) 01 00 00 00 00 00 00 00

and go on to include combinations with some 10 leading bits as well as
01, and then the combinations with 11 in them would be the last ones.

So this illustrates one problem: the fact that there is no expansion
or contraction of the plaintext does *not* totally eliminate the
ability of the first encipherment step to carry out a known-plaintext
attack against the next step.

Also, Applied Cryptography notes a result of Eli Biham showing that
"inner CFB" - the use of three successive separate encryptions in DES,
each one in its own CFB mode - could, but only with an attack
involving impractically large amounts of chosen ciphertext, allow
differential cryptanalysis with a complexity not much over that of
single-DES.

Then, think of the fact that DES is done in EDE mode. With three
independent keys, the possibility that the decryption key matches one
of the encryption keys, making the cipher into single-DES, weakens the
cipher, although not below the strength of a single stage either.

What kind of conditions _are_ sufficient for multiple encryption to
mean something?

Each stage must be good enough that information cannot be leaked
through it to attack the next stage. Thus, ECB mode isn't a stage by
itself, since you can place two identical blocks in the plaintext, and
know that two identical blocks are hitting the next step in the
cipher.

The stages have to be isolated from each other, so that one stage
can't resemble the decryption of the preceding stage. The
'bricklaying' version of triple-DES (which would be done in EEE mode
anyways) is a simple example of something that meets this.

Thus, one attractive idea is to include transposition steps between
block cipher encryption layers.

Another simpler thing to do is to use stream cipher layers.

And stream ciphers have one property that block ciphers don't. A block
cipher must pass the entire plaintext through in a form that can be
decrypted. So everything the block cipher did is 'visible' in a sense.

A stream cipher could, in producing a bit stream to XOR with
plaintext, have a very large internal state, and at the end of each
step, only output a fraction of that state - perhaps derived from the
state in a fashion that resembles a *secure hash function*.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
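
The codebook of steps 1 to 3 above, worked through as an added example (this is not Savard's code): it is a bijection on 8-byte blocks that never changes the length, yet 7-bit ASCII text always comes out with a long run of zero bits at the end, which is exactly the structure the next cipher stage would be handed. The order of the 7-bit codes past the ones listed in step 1, the placement of the high-bit bytes, and the step 3 ranking beyond its first nine entries are assumptions made here to complete the construction.

```python
# Added example: Savard's eight-byte codebook as a length-preserving bijection.
# The front of the step 1 code follows the post; the order of the remaining
# 7-bit codes (including '/' and the control characters), the high-bit bytes
# and the step 3 ranking past its first nine entries are assumptions here.

_FRONT = (" abcdefghijklmnopqrstuvwxyz-.,'\""
          "ABCDEFGHIJKLMNOPQRSTUVWXYZ:;!?\r\n"
          "0123456789()[]<>+=*_#$%&@{}|\\\t"
          "^`~")
CODE_TO_BYTE = [ord(c) for c in _FRONT]
CODE_TO_BYTE += [b for b in range(128) if b not in CODE_TO_BYTE]  # rest of 7-bit ASCII
CODE_TO_BYTE += list(range(128, 256))                              # high-bit bytes in order
BYTE_TO_CODE = {b: c for c, b in enumerate(CODE_TO_BYTE)}


def _rank_key(combo):
    # Step 3 ordering: all-zero first, then single 01s (last byte first), then
    # combinations with 10, and those containing 11 last. Tie-break by value.
    pairs = [(combo >> (2 * i)) & 3 for i in range(8)]
    return (pairs.count(3), pairs.count(2), pairs.count(1), combo)


RANK_TO_COMBO = sorted(range(1 << 16), key=_rank_key)
COMBO_TO_RANK = {v: r for r, v in enumerate(RANK_TO_COMBO)}


def _reverse16(n):
    """Reverse the bit order of a 16-bit number."""
    return int(f"{n:016b}"[::-1], 2)


def encode_block(block):
    """8 bytes -> 8 bytes: 40 low bits, 16 bit-reversed rank bits, 8 high bits."""
    if len(block) != 8:
        raise ValueError("block must be exactly 8 bytes")
    codes = [BYTE_TO_CODE[b] for b in block]            # step 1 substitution
    out = 0
    for c in codes:                                      # step 2: low five bits of each code
        out = (out << 5) | (c & 0x1F)
    combo = 0
    for c in codes:                                      # bits 5-6 of each code, first byte most significant
        combo = (combo << 2) | ((c >> 5) & 3)
    out = (out << 16) | _reverse16(COMBO_TO_RANK[combo])  # step 3
    for c in codes:                                      # step 2: high bit of each code
        out = (out << 1) | (c >> 7)
    return out.to_bytes(8, "big")


def decode_block(block):
    """Inverse of encode_block; every 8-byte block decodes to a unique 8-byte block."""
    n = int.from_bytes(block, "big")
    highs, n = n & 0xFF, n >> 8
    combo = RANK_TO_COMBO[_reverse16(n & 0xFFFF)]
    lows = n >> 16
    out = bytearray()
    for shift in range(7, -1, -1):
        code = (((highs >> shift) & 1) << 7
                | ((combo >> (2 * shift)) & 3) << 5
                | ((lows >> (5 * shift)) & 0x1F))
        out.append(CODE_TO_BYTE[code])
    return bytes(out)


def trailing_zero_bits(block):
    """Zero bits at the end of the block: the structure a next stage would see."""
    n = int.from_bytes(block, "big")
    return 64 if n == 0 else (n & -n).bit_length() - 1


if __name__ == "__main__":
    # Constructed sample blocks: plain lowercase text, text with one capital,
    # and a block with high-bit bytes that no 7-bit text would produce.
    for sample in (b"the quic", b"The quic", b"\x00\xff\x80/Zz\n\t"):
        enc = encode_block(sample)
        print(sample, enc.hex(), "trailing zero bits:", trailing_zero_bits(enc),
              "round trip ok:", decode_block(enc) == sample)
```

For lowercase text with spaces the last 24 bits of every encoded block are zero; one capital letter still leaves 20 trailing zeros, while arbitrary binary input fills the whole block.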

------------------------------

From: amateur <[EMAIL PROTECTED]>
Subject: Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION
Date: Sun, 18 Mar 2001 14:21:06 -0400

Why are you talking about plain-text? Isn't cryptanalysis above the
plain-text?
Can someone help me?
 

"SCOTT19U.ZIP_GUY" wrote:
> 
> [EMAIL PROTECTED] (Henrick Hellström) wrote in
> <992oit$nme$[EMAIL PROTECTED]>:
> 
> >"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >> Dear folks, I know it's hard to get most of you motivated.
> >> But would there be interest in making a "perfect English"
> >> encryption using anyone's favorite fixed block size cipher,
> >> such that any wrong key would lead to valid English text?
> >
> >
> >Been there, done that. I made such a component for Delphi a year back. It
> >performs awfully, but it works, and it should still be available for
> >download somewhere.
> >
> >
> >--
> >Henrick Hellström  [EMAIL PROTECTED]
> >StreamSec HB  http://www.streamsec.com
> >
> >
> 
>    I don't know much about DELPHI except it was part of
> General Motors at one time. I prefer C. Was your code
> perfectly bijective from English to encrypted binary files?
> In other words, could I take a 2 or 3 byte random file and
> come back with words in such a way that for "any decryption key"
> tested it would generate English words that, when re-encrypted,
> would come back to the same file?
> 
>    If so, way to go. I would be more interested in your
> dictionary file than the code, since I have all the tools
> necessary to do this in C. I'm just really lacking a good code
> dictionary. Also I have yet to see any fully bijective code
> written for RIJNDAEL except the work of MATTs and the recent
> thing I posted where I use a batch stream and several bijective
> programs to create a true bijective encryption with RIJNDAEL to
> the set of all binary 8-bit files.
> 
> David A. Scott
> P.S.  You never stated the name of the file that has this.
> Having searched the net for many programs of this type I
> have never come across one that does what you're implying
> yours does. Also, isn't the dictionary very large? Is it
> a separate file? If so, where is it and what is its format?
> 
> --
> SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
>         http://www.jim.com/jamesd/Kong/scott19u.zip
> Scott famous encryption website **now all allowed**
>         http://members.xoom.com/ecil/index.htm
> Scott LATEST UPDATED source for scott*u.zip
>         http://radiusnet.net/crypto/  then look for
>   sub directory scott after pressing CRYPTO
> Scott famous Compression Page
>         http://members.xoom.com/ecil/compress.htm
> **NOTE EMAIL address is for SPAMERS***
> I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION
Date: 18 Mar 2001 19:21:41 GMT

[EMAIL PROTECTED] (John Savard) wrote in 
<[EMAIL PROTECTED]>:

>On Sun, 18 Mar 2001 16:09:49 GMT, "Tom St Denis"
><[EMAIL PROTECTED]> wrote, in part:
>
>>WTF?  Have you ever considered the fact that RIJNDAEL is not only used to
>>encrypt english text?  What if I have ASCII symbols in my text?
>
>Then you use another compression scheme. Perfect removal of entropy,
>if it were possible, would be nice, even if it doesn't buy you as much
>as might be hoped for. Whatever you use Rijndael to communicate, if
>you used a compression function perfectly suited to your plaintexts,
>cryptanalysts would have less redundancy to work on.
>
>John Savard
>http://home.ecn.ab.ca/~jsavard/crypto.htm
>

  I like your answer to Tommy better than mine but I think he is
a brainwashed crypto wannabe that thinks the road to true
encryption enlightenment is following a phony crypto guru. So
I doubt seriously that he would have the ability to understand.

   Getting back to some of your stuff. I liked the write-up on
the Huffman table you did for English letters. I just wish you
had done it with a space as well as the 26 letters.
  If you noticed my other posts, I did show how, using my code and
batch DOS, to bijectively encrypt text using RIJNDAEL. It
would be better to start with a more valid Huffman table than
I am using.
   If you get access to a good dictionary of words and how often
they occur, one could easily do the same thing for ENGLISH text.
I don't mind coding it if you supply the dictionary, or if you
supply the static starting Huffman tree for characters with space.
I would use "_" as space in the table so it can be seen. I can
easily write a condition file for this.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: Latin Squares
Date: Sun, 18 Mar 2001 14:26:22 -0500
Reply-To: Jim, Steuert

Latin squares are a special case of the multipermutation idea which
is pervasive in cryptography.

If you consider the row as one input, and the column as
another input, then by holding a row constant and varying the
column, each possible output symbol is produced.
But this is also true for a lot of other tables, such as addition,
bitwise xor, etc.

The multipermutation idea is key in the design of
good hash functions. In fact an attack on MD4
is due to the fact that the round 2 bitwise mixing function
g(x,y,z) = (x and y) or (x and z) or (y and z) is not
a multipermutation, so keeping two of these values (say y,z=0)
at 0 makes the result g always 0, no matter what the other
value x is.  Because of this, the majority bitwise function was not
included in MD5. (See "On the Need for Multipermutations: Cryptanalysis
of MD4 and Safer" by Serge Vaudenay)

In a multipermutation mixing, by setting all but one input to constant
values, all output values are still possible, i.e. the output is a
permutation of the remaining input. Simple addition and subtraction, xor,
and rotations are multipermutations.
So is multiplication modulo a prime (any Galois Field), which provides a
two-input multipermutation mixer of p-1 symbols (0 must be excluded).
Thus multiplication works well when (2^m)+1 is prime. Addition works
whether or not the modulus is prime, so addition mod 2^m is always
a multipermutation.

Note that multipermutations do not provide any security of themselves.

They are, however, necessary to make sure that the output is a
balanced function of the inputs to a cryptographic primitive function.
This is a pervasive theme in cryptography.

Orthogonal Latin squares, however, can provide a way of defining
a keyed nonlinear mixing function with an output of 2n bits, based
on two inputs of n bits each. Consider
the two Latin squares, and the combined square, as follows:

              column:
           A    B    C    D
          ==================
a          aD   bA   cB   dC
b          cC   dB   aA   bD
c          dA   cD   bC   aB
d          bB   aC   dD   cA

Then the operation mix(c,B) = (c,D) (i.e. the intersection
of row c of the first table with column B of the second orthogonal
table) would be a 4-bit value c,D, which would be
a multipermutation. (Keeping the row constant, the output would
depend on all inputs.) The advantage of this over just
concatenating the two input symbols (c,B) is that the output
is nonlinear and keyed based on the inputs.

Any Galois field of order p (p is prime) generates
p-1 different orthogonal Latin squares of p symbols.
For example, if k is a non-zero value from 1 to p-1, i is a row
from 0 to p-1, and j is a column from 0 to p-1,
then L(i,j) = ((k*i)+j) mod p    defines a Latin square
of p rows and p columns. Every different value of k defines a
different orthogonal Latin square. Any two of these Latin
squares are orthogonal, and can be used as a keyed mixer
in the above sense.


MarinaP wrote:

> Hi,
> I am not a crypto specialist, so I hope somebody here can help me.
> Latin Squares are known to be widely used in cryptography.
> Where are Latin Squares used in cryptography?
> Where can I read about Latin Squares?
> Thanks
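
The construction in the reply above, as an added example that is not part of the original post: the squares L(i,j) = ((k*i)+j) mod p, a check that any two of them with different k are orthogonal, the keyed mixer built from two of them, and the same multipermutation test applied to the other functions the post names (multiplication mod a prime, addition mod 2^m, and MD4's g with one input held at 0). The prime p = 7 and the keys 2 and 5 are values chosen here.

```python
# Added example: the keyed Latin squares L_k(i, j) = (k*i + j) mod p from the
# post, checks of the Latin and orthogonality properties, the two-square mixer,
# and the multipermutation test applied to the post's other examples.


def latin_square(p, k):
    """L_k(i, j) = (k*i + j) mod p for prime p and a key k in 1..p-1."""
    if not 1 <= k < p:
        raise ValueError("k must be in 1..p-1")
    return [[(k * i + j) % p for j in range(p)] for i in range(p)]


def is_latin(square):
    """Every row and every column contains each of the p symbols once."""
    p = len(square)
    symbols = set(range(p))
    return (all(set(row) == symbols for row in square)
            and all({square[i][j] for i in range(p)} == symbols for j in range(p)))


def are_orthogonal(a, b):
    """Superimposing a and b yields each ordered pair of symbols exactly once."""
    p = len(a)
    return len({(a[i][j], b[i][j]) for i in range(p) for j in range(p)}) == p * p


def make_mixer(a, b):
    """Keyed mixer from two orthogonal squares: mix(i, j) is the symbol pair
    (a[i][j], b[i][j]), packed as one value in 0..p*p-1."""
    if not are_orthogonal(a, b):
        raise ValueError("squares must be orthogonal")
    p = len(a)
    return lambda i, j: a[i][j] * p + b[i][j]


def is_multipermutation(f, symbols):
    """Two-input f is a multipermutation on `symbols` if fixing either input
    and varying the other always yields len(symbols) distinct outputs."""
    symbols = list(symbols)
    n = len(symbols)
    for fixed in symbols:
        if len({f(fixed, y) for y in symbols}) != n:
            return False
        if len({f(x, fixed) for x in symbols}) != n:
            return False
    return True


def md4_majority(x, y, z):
    """MD4's round 2 function g(x, y, z) = (x and y) or (x and z) or (y and z)."""
    return (x & y) | (x & z) | (y & z)


if __name__ == "__main__":
    p = 7                                                # prime chosen for the demo
    squares = {k: latin_square(p, k) for k in range(1, p)}
    print("all Latin:", all(is_latin(s) for s in squares.values()))
    print("pairwise orthogonal:", all(are_orthogonal(squares[a], squares[b])
                                      for a in squares for b in squares if a != b))
    mix = make_mixer(squares[2], squares[5])             # keys 2 and 5 chosen here
    print("mixer is a multipermutation:", is_multipermutation(mix, range(p)))
    print("mul mod 7 on 1..6:", is_multipermutation(lambda x, y: x * y % 7, range(1, 7)))
    print("mul mod 8 on 1..7:", is_multipermutation(lambda x, y: x * y % 8, range(1, 8)))
    print("add mod 8:", is_multipermutation(lambda x, y: (x + y) % 8, range(8)))
    # With z held at 0, g collapses to x and y, so fixing y = 0 makes g constant.
    print("g(x, y, 0) bitwise:", is_multipermutation(lambda x, y: md4_majority(x, y, 0), range(2)))
```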


------------------------------

From: [EMAIL PROTECTED] (John Joseph Trammell)
Subject: Re: Idea
Date: Sun, 18 Mar 2001 19:38:30 GMT

On Sun, 18 Mar 2001 14:00:29 -0400, amateur <[EMAIL PROTECTED]> wrote:
> Give me a precise reference. I have the book of Menezes.

Schneier, p. 2, definition of "restricted algorithm".

Have you familiarized yourself with the sci.crypt.research FAQ?

  http://www.landfield.com/faqs/cryptography-faq/


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Idea
Date: 18 Mar 2001 19:50:25 GMT

[EMAIL PROTECTED] (John Joseph Trammell) wrote in 
<[EMAIL PROTECTED]>:

>On Sun, 18 Mar 2001 12:59:56 -0400, amateur <[EMAIL PROTECTED]> wrote:
>> If you are so confident, I will send you encrypted message with
>> the same algo and decrypt it. 
>
>If you are so confident, prove to me that you're qualified to
>write a cryptosystem.  :-)
>

   I hate it when people think it is necessary to prove one
is qualified to do something. Just what the hell does that mean?
If the guy is alive he is qualified. Pieces of paper usually
don't mean shit. Qualifications are used to keep the community
closed. Of course the pompous assholes will find fault with much
of the so-called amateur stuff and use that as an excuse to never really
check what many amateurs are doing.
  Take teaching as an example. I am a retired engineer who worked
on programming inertial guidance systems on missiles and aircraft.
I used calculus every day. I tutored my kids in it and they passed
the AP tests and got college credit, no sweat, in California.
Here in Texas they have a shortage of "qualified math teachers".
I spent a month and some bucks trying to get hired since they
say they need math teachers. First roadblock: every time you turn
around the system wants more money. They wanted my college transcripts;
I gave them to them. When I called them a few weeks later they said
that I did not have algebra or trig. I started college on a
math scholarship and took calculus off the bat. That seemed to
confuse them. Then they sent a list of classes I needed to take
and a schedule of fees in the thousands of dollars I would have to
pay. That's just to get started. On top of that I'm not really sure there
is a job there, though they assure me that one is there. Guess what,
you're forced to pay into the teachers' retirement fund. You can't get
full retirement till you work 20 years. Well, as you can see, I
was not applying to be an English teacher. But I was damn good at math
and I can see why they have a shortage of math teachers. You have
to go through hell to get the job, the pay is shit, and math really
is not that much of a requirement. And if you're already retired
they want to humiliate you by forcing you to pay into a retirement
system you won't live long enough to get a dime from. In my case
I don't mind the low pay. I am retired. I would do it for half the
pay. But I am short about 4 years of having 40 quarters for SSI,
so why the hell work at a full time job paying into a system you
can never use? The point is one can chase a carrot only so long.
 It reminds me of a friend where I used to live in CA. They had
a jewelry store. The threat of robbery was very high. They tried to
get a permit to carry a gun. They spent years paying fees and getting
evaluated by shrinks. But they were always one step short. Till
an insider told them they had the wrong politics and there would
always be another step.  So they gave up, until one day a friend
told them they had a permit from the county. The friend introduced them
to the county sheriff. A few days later they got the permit.

SORRY FOR THE RANT



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: IP
Date: Sun, 18 Mar 2001 11:59:40 -0800


Mxsmanic wrote:
 
> "David Schwartz" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
 
> > On the other hand, having a static IP address
> > creates no new vulnerabilities ...
 
> A static IP address greatly diminishes anonymity, and greatly increases
> the amount of time that an attacker has to compromise a system, since
> the system is always available at the same address.

        Anonymity is not a defense against any vulnerability I know of.

        DS

------------------------------

Date: Sun, 18 Mar 2001 13:06:30 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: PGP "flaw"

The key, I think, is disclosure.  I suspect that any employer which is
prescient enough to use PGP in the first place will also know to
disclose to employees that encrypted messages can also be disclosed
using a master, company-held second key.  I also see that the PGP
vendors spoke quite frankly about the fact that this capability existed
in their software, and that they accurately described the purpose for
which it was to be used.

The flaw, as described by Bruce and others, is that Greg (the Gestapo),
or maybe Chris (the Competitor!!) could exploit this same feature to
create additional keys .. thus fooling -both- Alice, Bob, and Edward
(the Employer) into believing that their secret was "safe with the three
[and only three] of them."  

It's really not so bad that a system should permit "more than two"
people to share communication -- i.e. the third-party being the employer
-- but how, indeed, DO you construct the system so that a FOURTH party,
unbeknownst to the other three, could "tap the phone, hear everything
that was said, and never be detected?"

How, indeed?  

It seems to be the usual catch-22 situation.  On the one hand, employers
need to be able to decrypt communications issued under their purview
(and to do so without rendering other layers of security irrelevant) ...
yet the three "trusted" parties in such communication ALSO need to
protect against the nefarious addition of an unknown FOURTH (or fifth,
or sixth...) party to their number!

After all, the true value of cryptanalysis as a form of
intelligence-gathering is not merely that the parties believe their
communications to be secure; but that they are unaware that the
communications have been compromised.


>Tom McCune wrote:
> 
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> 
> <snip>
> >Viewed in that light, then, PGP's original backdoor implementation, and
> >its need for having one, really -isn't- necessarily a dark guv'mint
> >conspiracy!
> 
> Although as an employee, I wouldn't like the ADK, I agree that this meets a
> legitimate management purpose.  But calling it a "backdoor" is not correct,
> and may produce unnecessary confusion.
> 
> Tom McCune
> My PGP Page & FAQ: http://www.McCune.cc

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
