Cryptography-Digest Digest #26, Volume #14       Wed, 28 Mar 01 05:13:01 EST

Contents:
  Re: Data dependent arcfour via sbox feedback (Mok-Kong Shen)
  Re: Newbie wants to shuffle... (Mok-Kong Shen)
  Re: Pike stream cipher ("Public " <[EMAIL PROTECTED]>)
  Article: "Computing, One Atom at a Time" (NYTimes) (Ichinin)
  Re: Newbie wants to shuffle... (wtshaw)
  Re: Is this a solution to the PGP flaw ("Vlastimil Klima")
  Re: Newbie wants to shuffle... ("Scott Fluhrer")
  Re: What the Hell...Here's what my system can do at it's best... (John Wasser)
  Re: Malicious Javascript in Brent Kohler post (those who know me have no need of my name)
  TRNG question (Benjamin Goldberg)
  Re: TRNG question ("Douglas A. Gwyn")
  Re: Fractal Compression - I meant ENCRYPTION (Paul Crowley)
  Re: Compression-encryption with a key (Paul Crowley)
  Re: Data dependent arcfour via sbox feedback (Paul Crowley)
  Re: Kill-file entries for TRN to nuke the weenie! (was Re: Kill-filter expression for script weenie) ([EMAIL PROTECTED])
  vigenere cipher ("Edmond Ho")
  Re: Is this a solution to the PGP flaw (Lutz Donnerhacke)
  anno: Open BCrypt - command line file encryptor (Juergen Thumm)
  Re: Kill-file entries for TRN to nuke the weenie! (was Re: Kill-filter expression for script weenie) (Mathew Hendry)
  Diceware Passwords (Marc)
  Re: Idea (Marc)
  Newbie: What is AES? (Mathias Wagner)
  public key problem ("William Lai")

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Wed, 28 Mar 2001 03:08:58 +0200



John Savard wrote:
> 
> Ken Savage <[EMAIL PROTECTED]> wrote:
> 
> >I had a look at:  http://www.io.com/~ritter/DYNSUB.HTM
> 
> >RC4 shuffles the sbox itself; the modification I've done does not
> >make the mixing any different.  Thus, if rc4 doesn't violate the
> >patent, I don't see how this mod does.
> 
> Well, 'data dependent' implied to me that the shuffling depended on
> the plaintext, which is exactly what distinguishes Dynamic
> Substitution from RC4.

I raised elsewhere the question whether schemes like
CBC, CFB would be in conflict with such patents, since
a block cipher is also a substitution. Could someone tell
and explain? Thanks.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Newbie wants to shuffle...
Date: Wed, 28 Mar 2001 03:14:37 +0200



"Henrick Hellström" wrote:
> 
> If you start with a random (large) integer N in the range [0..n!), you could
> use the following algorithm that will bijectively assign a distinct
> permutation to each possible value of N:
> 
> for i := 1 to n do S[i] := i;
> for i := n downto 2 do begin
>   j := (N mod i) + 1; (* Large integer arithmetics *)
>   N := N div i; (* Large integer arithmetics *)
>   x := S[i];
>   S[i] := S[j];
>   S[j] := x;
> end;

Is that to be found somewhere in the literature? Thanks.

M. K. Shen

------------------------------

Date: Tue, 27 Mar 2001 19:27:14 -0600
From: "Public <Anonymous_Account>" <[EMAIL PROTECTED]>
Subject: Re: Pike stream cipher

[EMAIL PROTECTED] (Terry Ritter) wrote:

[snip]
> The whole point of Algorithm M is to mix two PRNG sources to get a
> stronger sequence than is available from a single PRNG.
> Unfortunately, that does not happen.  
>
> The cited articles show that mixing two LCG's by MacLaren-Marsaglia
> still allows the two sources to be distinguished and one LCG attacked
> fairly independently of the other.  The mixed result is said to be
> perhaps twice as strong as an unmixed LCG.  This difference is
> strength attributable to the mixing process itself.  
>
> But in cryptography, a factor of two in strength is almost
> meaningless.  The articles thus give us some of the clearest
> demonstrations known of the lack of strength in a particular mixing
> process.  
[snip]

Thanks for the references you posted.  The argument about algorithm
M doesn't directly address my original question about how secure
Pike is, but I do appreciate your point about M's problems.

As I understand it, algorithm M works something like this:

(initialize an array with one key bytestream)
for x = 0 to 255
A[x] = K'[x]
next x

(select an output with another key bytestream, then replace output
with a new value from the first bytestream)
for y = 1 to m
p = K'[y + 255]
q = K"[y]
K[y] = A[q]
A[q] = p
next y

The overall effect is to pseudorandomize the order of the first
bytestream's output somewhat, which can be useful if (1) knowing the
order of output is essential to attacking the first key bytestream,
and (2) there are no correlations in the first bytestream that would
facilitate an attack against the second bytestream.

It seems to me that one could do better than this by combining two
key bytestreams with an ARC4-like cascade, where modular additions
better conceal the internal state of each parent bytestream:

(initialize an invertible 256-byte array with an initialization key;
S starts as the identity permutation S[x] = x, and p = q = r = 0)
for x = 0 to 255
p = (p + S[x] + K_init[x]) mod 256
swap S[x] and S[p]
next x

(hop around the array with one key bytestream, with ARC4-like
modular additions and swapping to produce a new byte to be XOR'd
with the other key bytestream)
for y = 1 to m
q = (q + 1) mod 256
r = (r + S[q] + K'[y]) mod 256
swap S[q] and S[r]
s = (S[q] + S[r]) mod 256
K[y] = S[s] XOR K"[y]
next y

There are of course variations on this one could do, like processing
the other key bytestream with yet another initialization key, using
another combination operation at the final step besides a simple XOR
(e.g. Ritter's "dynamic substitution"), etc.

Perhaps the interesting issue here is that if we are going to do
any of these ARC4-like things, what advantage do we gain over using
ARC4 itself?
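As an added example that is not part of the post above, here are both combiners it sketches written out in Python: Algorithm M as described, and the ARC4-like cascade. K' and K" become the generators k1 and k2; lcg_bytes() is a constructed, deliberately weak stand-in for a key bytestream, and repeating a short k_init across the 256 key-schedule positions is an assumption (the post indexes K_init directly).

```python
# Added example, not the poster's code: the two PRNG combiners from the post.
# lcg_bytes() is a constructed, weak stand-in for a key bytestream (the kind
# of LCG source Algorithm M was meant to mix); nothing here is a cipher.


def lcg_bytes(seed, a=1103515245, c=12345):
    """Constructed key bytestream: 32-bit LCG, top byte out, weak by design."""
    x = seed & 0xFFFFFFFF
    while True:
        x = (a * x + c) & 0xFFFFFFFF
        yield x >> 24


def constant_stream(value):
    """Constructed degenerate bytestream, useful for probing a combiner."""
    while True:
        yield value & 0xFF


def stream_bytes(stream, m):
    """Pull m bytes from a bytestream generator."""
    return bytes(next(stream) for _ in range(m))


def algorithm_m(k1, k2, m):
    """MacLaren-Marsaglia (Knuth's Algorithm M) as the post describes it:
    fill a 256-entry table from k1, let k2 choose which entry to emit, and
    refill the emptied slot from k1.  Every output byte is a k1 byte; k2
    contributes only the ordering."""
    table = [next(k1) for _ in range(256)]
    out = bytearray()
    for _ in range(m):
        p = next(k1)            # replacement value from the first stream
        q = next(k2)            # slot selector from the second stream
        out.append(table[q])
        table[q] = p
    return bytes(out)


def arc4_cascade(k_init, k1, k2, m):
    """The ARC4-like combiner from the post.  S is keyed with k_init (repeated
    over 256 positions like the RC4 key schedule; an assumption), then walked
    under k1; each emitted byte is XORed with a k2 byte.  Returns the output
    and the final S so that it can be checked to still be a permutation."""
    s = list(range(256))
    p = 0
    for x in range(256):
        p = (p + s[x] + k_init[x % len(k_init)]) & 0xFF
        s[x], s[p] = s[p], s[x]
    q = r = 0
    out = bytearray()
    for _ in range(m):
        q = (q + 1) & 0xFF
        r = (r + s[q] + next(k1)) & 0xFF
        s[q], s[r] = s[r], s[q]
        t = (s[q] + s[r]) & 0xFF          # the post's "s"; renamed to avoid clashing with the array
        out.append(s[t] ^ next(k2))
    return bytes(out), s


if __name__ == "__main__":
    # With a constant first stream, Algorithm M emits only that constant:
    # the second stream never contributes a value, just a permutation of order.
    print(algorithm_m(constant_stream(7), lcg_bytes(1), 8).hex())
    ks, _ = arc4_cascade(b"constructed init key", lcg_bytes(1), lcg_bytes(99), 8)
    print(ks.hex())
```

Feeding constant_stream() into either input is a quick way to see which stream's bytes actually reach the output, which is the distinction the post draws between the two designs.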



------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Article: "Computing, One Atom at a Time" (NYTimes)
Date: Sun, 18 Mar 2001 18:34:20 +0100

Thought it would be of interest to readers:

http://www.nytimes.com/2001/03/27/science/27QUAN.html

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Newbie wants to shuffle...
Date: Tue, 27 Mar 2001 20:36:14 -0600

In article <OZ$GiQvtAHA.353@cpmsnbbsa07>, "Joseph Ashwood"
<[EMAIL PROTECTED]> wrote:

> There's a lot of ways to build permutations, and which one you should use
> depends on what you're doing. One algorithm (stolen from the ARCFOUR key
> setup) is:
> place the elements sequentially in an array A
> place the key in the array K, repeat it until it is as large as A
> for each element E in A
>     swap(A(E), K(E))
> end for
> 
There are many ways to get any number of items permuted. For building a
permutation as a key, I prefer using some text to do the job.  My
algorithm Maas uses as one of its keys 52 elements:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

I can take a string of characters, using multiple repeats if necessary,
and build the permutation, like from the first 52 letters in this
sentence:

vgaETbAkcPULwFsIqhudMeiVlNQYRxGtDZBWyJCmOnKofXSzrHpj

This uses the counted hash approach.  Note the position of lc a's in
sentence and the permutation.  A permutation entered will pass through
directly.
-- 
GWB is sure one day to have a presidential library.  The big
question is on which off-shore rig should it be placed. 

------------------------------

From: "Vlastimil Klima" <[EMAIL PROTECTED]>
Subject: Re: Is this a solution to the PGP flaw
Date: Sun, 25 Mar 2001 19:02:54 +0200


"Nicholas" <[EMAIL PROTECTED]> wrote in message
news:99jdj9$1n9$[EMAIL PROTECTED]...
> If my understanding is correct, signatures made with the modified key
> will not be valid.  Is not a solution to the crack, therefore, for
> pgp/gpg to verify any newly created signature and warn if a signature
> fails to verify?
>

It seems that the signature verification is the solution. But the
pubring.pkr could also be modified by the attacker. And there could be an
attack in the future, consisting of changing both the secring.skr and
pubring.pkr at the same time.

It seems better to check the values in secring.skr according to our
technical paper (http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf) and then, if
you want to check the signature, it is better to use values (p,q,g,y ) from
secring, because they are (after the mentioned test) valid.

Vlastimil and Tomas

> Since the extra time used for this would be a waste in situations where
> the security of the key is more certain, this should I assume be an
> option which could be turned on/off.
>
> Any comments? Is my understanding correct or incorrect?
>
> N



------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Newbie wants to shuffle...
Date: Tue, 27 Mar 2001 18:54:33 -0800


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> "Henrick Hellström" wrote:
> >
> > If you start with a random (large) integer N in the range [0..n!), you could
> > use the following algorithm that will bijectively assign a distinct
> > permutation to each possible value of N:
> >
> > for i := 1 to n do S[i] := i;
> > for i := n downto 2 do begin
> >   j := (N mod i) + 1; (* Large integer arithmetics *)
> >   N := N div i; (* Large integer arithmetics *)
> >   x := S[i];
> >   S[i] := S[j];
> >   S[j] := x;
> > end;
>
> Is that to be found somewhere in the literature? Thanks.
The Art of Computer Programming -- Donald Knuth.

In particular, Volume 2 ("Seminumerical Algorithms"), Second Edition (which
is what I happened to have on hand), Algorithm 3.4.2P.

--
poncho
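As an added example, not code from either post, here is Hellström's loop (Knuth's 3.4.2P, as Fluhrer notes) in Python, plus the inverse that recovers N from a permutation, so the bijection can be checked on small n. Python's unbounded integers take care of the "large integer arithmetics" comments; the post's 1-based S[i] becomes 0-based s[i - 1].

```python
# Added example, not from the thread: unranking an integer N in [0, n!) to a
# permutation of 1..n exactly as in Hellström's loop, and the inverse (ranking).
from math import factorial


def permutation_from_integer(big_n, n):
    """Hellström's loop: for i := n downto 2, j := N mod i, N := N div i, swap S[i], S[j]."""
    if not 0 <= big_n < factorial(n):
        raise ValueError("N must lie in [0, n!)")
    s = list(range(1, n + 1))             # for i := 1 to n do S[i] := i
    for i in range(n, 1, -1):             # for i := n downto 2
        j = big_n % i                     # post's j is (N mod i) + 1, 1-based; 0-based here
        big_n //= i
        s[i - 1], s[j] = s[j], s[i - 1]
    return s


def integer_from_permutation(perm):
    """Inverse: replay the loop, reading off at each step which slot j must have
    been chosen so that position i-1 ends up holding perm[i-1].  Position i-1
    is never touched after step i, which is why the forward map is a bijection."""
    n = len(perm)
    if sorted(perm) != list(range(1, n + 1)):
        raise ValueError("not a permutation of 1..n")
    s = list(range(1, n + 1))
    digits = {}
    for i in range(n, 1, -1):
        j = s.index(perm[i - 1], 0, i)    # the chosen slot among positions 0..i-1
        digits[i] = j
        s[i - 1], s[j] = s[j], s[i - 1]
    big_n = 0
    for i in range(2, n + 1):             # rebuild N from its mixed-radix digits
        big_n = big_n * i + digits[i]
    return big_n


def is_bijective(n):
    """Exhaustively confirm distinct permutations for every N in [0, n!)."""
    seen = {tuple(permutation_from_integer(k, n)) for k in range(factorial(n))}
    return len(seen) == factorial(n)


if __name__ == "__main__":
    for k in range(factorial(3)):
        print(k, permutation_from_integer(k, 3))
    print("bijective for n=5:", is_bijective(5))
```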




------------------------------

Subject: Re: What the Hell...Here's what my system can do at it's best...
From: John Wasser <[EMAIL PROTECTED]>
Date: Wed, 28 Mar 2001 03:14:41 GMT

[[ This message was both posted and mailed. ]]

Now I'm getting really confused.  You said that if "computer" was the
ciphertext and "actually" was the plaintext then the key could be "any
sequence in the paragraph 8 letters long".  Now you give a six
character string for the key...  Does that mean that the ciphertext is
six characters and the plaintext is six characters?  Does the key
always have to be as long as the plaintext?


In article <[EMAIL PROTECTED]>, Keill Randor <
[EMAIL PROTECTED]> wrote:
>
>     Oh Dear.  I fell over my spare box of computer stuff earlier, 
>     and found an old graphics card I did not know I had.  Ati 
>     crap.  Still at least it still works.  P.S.  Unreal Tournament
>     actually works (fairly well - to crap, depending on the level),
>     on my old P-150, with 32mb RAM and a 12Mb Voodoo 2.
>
>  the word computer could be the ciphertext, the word actually
> could be the plaintext, and the key could be any sequence in 
> the paragraph 8 letters long....  (Basically turning computer 
> into actually).
>
> (In the first example, the key is [ ati c]).

------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Crossposted-To: alt.drugs.pot,rec.radio.swap,rec.running,rec.sport.skating.ice.figure
Subject: Re: Malicious Javascript in Brent Kohler post
Date: Wed, 28 Mar 2001 03:57:23 -0000

[f-u set to the proper place to argue about newsreaders]

<[EMAIL PROTECTED]> divulged:

>HTML 2.0 / 3.2 is plenty for e-mail markup.

it's too damn much.

-- 
okay, have a sig then

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: TRNG question
Date: Wed, 28 Mar 2001 04:18:46 GMT

A long while back, someone mentioned an RNG based on something called a
metastable flipflop or somesuch.  I looked it up, and found this page:
        http://www.imse.cnm.es/~barriga/absdigit.htm
The first three abstracts describe what I'm looking for, but I can't find
any online versions of the publications mentioned.

From what I recall, the idea is to have two NOT gates, wired so the
output of each goes to the input of the other, and start with both
inputs forced to an active state, and then release.  The circuit rapidly
changes back and forth between both-on and both-off [aka is in a
metastable state], until it eventually stops with one on and the other
off.  Which wire is on, and which is off, determines if the circuit
outputs a one bit or a zero bit.

Does anyone know of any other references to this kind of RNG, and does
anyone have comments on whether this produces real, true, randomness?

-- 
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: TRNG question
Date: Wed, 28 Mar 2001 05:38:26 GMT

Benjamin Goldberg wrote:
> From what I recall, the idea is to have two NOT gates, wired so the
> output of each goes to the input of the other, and start with both
> inputs forced to an active state, and then release.  The circuit
> rapidly changes back and forth between both-on and both-off [aka is
> in a metastable state], until it eventually stops with one on and
> the other off.

It is very hard to make such circuitry evenly balanced; it tends
to have a preference for one final state over the other.

------------------------------

Subject: Re: Fractal Compression - I meant ENCRYPTION
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Wed, 28 Mar 2001 05:33:07 GMT

"Simon Johnson" <[EMAIL PROTECTED]> writes:
> The fact that fractals can be used to correlate the information in a
> picture is exactly the wrong property we want. In cryptography we
> wish to decorrelate information and this is probably why it's not
> much use
> 
> Then again, I could be completely wrong, which is probably the case =)

Sounds 100% right to me.  Fractal encryption is often suggested and
doesn't work for precisely the reasons you state: it's the patterns in
chaos that make it interesting.

> and after all, I've never seen a compression algorithm adapted to
> provide secure block encryption...

Actually I believe there are stream ciphers designed to do encryption
and compression in a single step, to do with making arbitrary choices
based on the output of a CPRNG.  I'd be surprised if they were secure
though; using a normal compressor and a normal stream cipher is likely
to be faster, more convenient and more secure.
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

------------------------------

Subject: Re: Compression-encryption with a key
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Wed, 28 Mar 2001 05:33:07 GMT

Ross Younger <[EMAIL PROTECTED]> writes:
> It is generally a Good Idea to compress your plaintext before
> encrypting -- this normally reduces the amount of ciphertext for an
> attacker to play with and reduces redundancy within (one could call
> this obfuscating the plaintext, I suppose).

Flogging a dead horse here, but:

There's no security reason to compress before encryption.  If you
can't trust your cipher against a known-plaintext (or
chosen-plaintext) attack, use another cipher.

Compression before encryption is a good idea for precisely the reasons
compression is a good idea; if for some reason it's inconvenient for
your application then don't do it.

Compression after encryption is of course impossible unless the cipher
is weaker than the most amateur snake oil, or if the encoding after
encryption adds redundancy.
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

------------------------------

Subject: Re: Data dependent arcfour via sbox feedback
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Wed, 28 Mar 2001 05:33:08 GMT

[EMAIL PROTECTED] (Terry Ritter) writes:
> If "certain countries" is intended to slight the US, I just note that
> entirely similar patent laws are in force in Europe.  Dynamic
> Substitution is not a "software patent."  

If anything is a software patent, this is.  Happily, however, it looks
as if it will not be possible to enforce patents against software in
Europe, though it's certainly worth keeping up the pressure to make
sure this decision is made.
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp
Subject: Re: Kill-file entries for TRN to nuke the weenie! (was Re: Kill-filter expression for script weenie)
Date: Wed, 28 Mar 2001 06:48:43 GMT

Yikes, forgot, yes, I am using Agent.

On 27 Mar 2001 11:26:36 -0700, [EMAIL PROTECTED] (Ben Cantrick)
wrote:

>In article <1C4w6.220$[EMAIL PROTECTED]>,
>Paul Pires <[EMAIL PROTECTED]> wrote:
>><[EMAIL PROTECTED]> wrote in message 
>news:[EMAIL PROTECTED]...
>>> I can't figure out how to use it! :(
>>
>>What are you using for a news reader?
>>The place to do it and the way varies.
>>give a few clues and someone might help.
>
>  His X-Newsreader line claims he's using Agent.
>
>
>          -Ben
>-- 
>Ben Cantrick ([EMAIL PROTECTED])        |   Yes, the AnimEigo BGC dubs still suck.
>BGC Nukem:     http://www.dim.com/~mackys/bgcnukem.html
>The Spamdogs:  http://www.dim.com/~mackys/spamdogs
>"Technically, are women's birthday suits considered double-breasted?" -Willie B.


------------------------------

From: "Edmond Ho" <[EMAIL PROTECTED]>
Subject: vigenere cipher
Date: Wed, 28 Mar 2001 00:57:35 -0800

Hello, first post. My question: by convention, is the first row of the
Vigenere table "BCDE...XYZA" or is it "ABCDE...XYZ"? Thanks in advance.

-Edmond Ho



------------------------------

From: [EMAIL PROTECTED] (Lutz Donnerhacke)
Subject: Re: Is this a solution to the PGP flaw
Date: 28 Mar 2001 09:05:01 GMT

* Vlastimil Klima wrote:
>It seems that the signature verification is the solution. But the
>pubring.pkr could be also modified by the attacker. And there could be an
>attack in the future, consisting of changing both the secring.skr and
>pubring.pkr at the same time.

Modifying both files consistently requires the knowledge of the private key
components. So if you can do it, you do not need it anymore.

>It seems better to check the values in secring.skr according to our
>technical paper (http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf) and then, if

Nope. It only addresses the Czech attack, not the others.

>you want to check the signature, it is better to use values (p,q,g,y ) from
>secring, because they are (after the mentioned test) valid.

*grin*

------------------------------

From: Juergen Thumm <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,comp.security.unix
Subject: anno: Open BCrypt - command line file encryptor
Date: Wed, 28 Mar 2001 11:13:23 +0200

First of all, this is "Open BCrypt", not "bcrypt".
There are many 'crypt' tools around,
so please mind the difference.

Open BCrypt symmetrically encrypts files,
just by a passphrase (no key files required),
platform-independent, with zero installation effort.

It does not invent new crypto-algorithms.
Instead, it uses a proven, yet unbroken 128-bit cipher
(rc4-compatible), and supplies a safe file format around it.

Open BCrypt runs under windows, sun, aix, hp/ux, os/390;
with minor effort, it should run everywhere.

The tool features special protection mechanisms
against brute-force, plaintext-, tampering- and
prehashed database attacks.

The sourcecode, buildscripts, documentation,
file format documentation and binaries
are available at http://go.to/bcrypt or http://e-002.com/bcrypt

Open BCrypt 1.6.0 is in use, without changes,
for over a year now - encrypting gigabytes without errors.

It provides amongst the highest security a crypto system
without keyfiles can provide. It is not sufficient for highly
important military or industrial secrets, except if you use
completely random passphrases like

   mjo3MlfemfzuzKhYucnt4rvXtzm67FOzk432mviDT5on364DKh34zje61pqfAAsof

...which is rather improbable. With 'normal' passphrases,
however, it should still protect reliably against the
general hacker- or spying attack; at least much better
than many other tools of the same category.

Security remarks and comparisons are welcome, of course.

regards,
   Juergen Thumm
   Senior Software Engineer

[jthumm(@)e-002.com]
address altered to deflect spam.



------------------------------

From: Mathew Hendry <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: Kill-file entries for TRN to nuke the weenie! (was Re: Kill-filter expression for script weenie)
Date: Tue, 27 Mar 2001 22:17:18 +0100

On Tue, 27 Mar 2001 11:39:24 GMT, [EMAIL PROTECTED] wrote:

>I can't figure out how to use it! :(

Copy the Agent filter string already posted, right click on one of the script
kiddie's messages and select "Add Kill Filter...". The filter dialog is fairly
easy to follow, F1 for more help...

It's worthwhile playing around with Agent's filters, they're quite powerful.

-- Mat.


------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: Diceware Passwords
Date: 27 Mar 2001 23:26:51 GMT

The http://www.diceware.com page suggests a method of selecting
passphrases with dice.  The words that build up the passphrase
are selected from a wordlist.  The page says that each word adds
12.9 bits of entropy, because it is selected from 7776 possible
words.

Some words on the list have only 1-3 letters, for example "s".
Isn't the entropy added by "s" less than 12.9 bits?  An attacker
who does not follow the Diceware scheme but attacks from another
angle (eg brute force) sees the "s" as one letter of 26, not 7776.

Why doesn't the wordlist take into account that a letter adds
max 4.6 bits of entropy, nor that in English words in fact it
adds only about 1 bit?  Given that the average word length is
4.2 letters there appears to be an entropy of only 4.2 bits
per word (not 12.9).

What's wrong here?  Me?

------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: Re: Idea
Date: 27 Mar 2001 23:26:54 GMT

>People don't use one time pads (OTP) because there is usually no
>convenient way to transmit the key. If you do find a secure way to
>transmit the key then you might as well transmit the entire message.

Well, no:

a) an OTP, sent in advance and stored, to be used on demand until
   exhausted. there is no need to transmit it at the same time as the
   message.

b) if sent tamper-evident, an OTP can be sent over an insecure path
   and, if detected as compromised, simply be discarded.  A compromised
   message on the other hand would be difficult to "discard" once sent.


------------------------------

Date: Wed, 28 Mar 2001 11:31:01 +0200
From: Mathias Wagner <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Newbie: What is AES?

Greetings,

could somebody point me to a resource on the net or a book where I can
read up on AES?

Any help much appreciated!

Mathias Wagner


------------------------------

From: "William Lai" <[EMAIL PROTECTED]>
Subject: public key problem
Date: Wed, 28 Mar 2001 17:44:08 +0800

Hi all,

May I ask why RSA can be used for both encryption and
signing, but El Gamal cannot be used to do so?

Thanks in advance,

William



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
