Cryptography-Digest Digest #28, Volume #14 Wed, 28 Mar 01 14:13:00 EST
Contents:
Re: Breaking a DES encrypted code. ("Sam Simpson")
Re: Breaking a DES encrypted code. ("Mark G Wolf")
Re: Breaking a DES encrypted code. ("Sam Simpson")
Re: Breaking a DES encrypted code. ("Yaniv Sapir")
Re: Breaking a DES encrypted code. (SCOTT19U.ZIP_GUY)
Re: DES key replacement. (SCOTT19U.ZIP_GUY)
Re: Breaking a DES encrypted code. ("Mark G Wolf")
Re: Article: "Computing, One Atom at a Time" (NYTimes) ("Douglas A. Gwyn")
Re: Breaking a DES encrypted code. ("Sam Simpson")
Re: Diceware Passwords (Michael J. Fromberger)
Re: Breaking a DES encrypted code. ("Mark G Wolf")
Re: Breaking a DES encrypted code. ("Douglas A. Gwyn")
Re: DES key replacement. ("Douglas A. Gwyn")
Re: Strong primes ("Douglas A. Gwyn")
Re: Breaking a DES encrypted code. ("Mark G Wolf")
Re: Breaking a DES encrypted code. ("Mark G Wolf")
Re: Data dependent arcfour via sbox feedback (Terry Ritter)
Re: Breaking a DES encrypted code. ("Paul Pires")
Re: ECDSA question (Mike Rosing)
Re: DES key replacement. (Terry Ritter)
Re: Breaking a DES encrypted code. (Volker Hetzer)
Re: Breaking a DES encrypted code. ("Tom St Denis")
----------------------------------------------------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 18:02:37 +0100
Mark G Wolf <[EMAIL PROTECTED]> wrote in message
news:99t53e$4oto$[EMAIL PROTECTED]...
> "Sam Simpson" <[EMAIL PROTECTED]> wrote in message
> news:I9ow6.963$[EMAIL PROTECTED]...
> > Have a quick look at the *excellent* paper on this topic by David Wagner and
> > Steve Bellovin: http://www.research.att.com/~smb/papers/recog.pdf
>
> You're right, it's a very good paper. I haven't read all the way through, but
> I notice that most of these decryption methods assume that the message is in
> some sort of machine readable form like ASCII.
I believe the paper goes on to cover compressed data etc.
> What's to prevent me from
> writing a message on a piece of paper and then scrambling the image? What
> then?
Nothing, apart from the fact that a fair assumption is that your adversary
knows your method - so they'd know to look for image file headers, or
statistically test the data etc
--
Regards,
Sam
http://www.scramdisk.clara.net/
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 11:12:28 -0600
> Nothing, apart from the fact that a fair assumption is that your adversary
> knows your method - so they'd know to look for image file headers, or
> statistically test the data etc
Yeah, but doesn't it make it a LOT more difficult? I can write (print)
letters in many different ways that, although readily readable by a human,
would be difficult for a "machine". Wouldn't you need computers that
approach human "intelligence"?
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 18:26:53 +0100
Mark G Wolf <[EMAIL PROTECTED]> wrote in message
news:99t62f$17d2$[EMAIL PROTECTED]...
> > Nothing, apart from the fact that a fair assumption is that your adversary
> > knows your method - so they'd know to look for image file headers, or
> > statistically test the data etc
>
> Yeah, but doesn't it make it a LOT more difficult?
I guess you could write something to detect image files in a very low
hardware footprint, taking minimal time to run - the software necessary to
detect 'non-random' data (e.g. image files) is relatively small and quick to
execute.
> I can write(print)
> letters in many different ways that although readily readable by a human,
> would be difficult for a "machine". Wouldn't you need computers that
> approach human "intelligence"?
Not at all: image files still have characteristics that can be detected in
either software or hardware.
A quick test on a set of JPG files shows that they fail the poker and runs
tests more than 90% of the time and that chi-square failed hideously every time.
--
Regards,
Sam
http://www.scramdisk.clara.net/
------------------------------
From: "Yaniv Sapir" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 19:35:24 +0200
The whole idea is to break a code for which you *don't have* the plaintext
original.
Volker Hetzer <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Usually you've got a plaintext-ciphertext pair and encrypt key after
> key until they match.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Breaking a DES encrypted code.
Date: 28 Mar 2001 17:36:04 GMT
[EMAIL PROTECTED] (Mark G Wolf) wrote in
<99t53e$4oto$[EMAIL PROTECTED]>:
>"Sam Simpson" <[EMAIL PROTECTED]> wrote in message
>news:I9ow6.963$[EMAIL PROTECTED]...
>> Have a quick look at the *excellent* paper on this topic by David
>> Wagner
>and
>> Steve Bellovin: http://www.research.att.com/~smb/papers/recog.pdf
>
>You're right, it's a very good paper. I haven't read all the way through,
>but I notice that most of these decryption methods assume that the
>message is in some sort of machine readable form like ASCII. What's to
>prevent me from writing a message on a piece of paper and then
>scrambling the image? What then?
>
If it is known you're using a particular program to do the encryption,
there are many weaknesses added by most methods. One added weakness could
have been a "poor compressor" that is not fully bijective to the input
space of the coding method. This can sometimes lead to so many keys
thrown out that you only have one key that works, and that would be the
file you encrypted no matter how bad it looks.
Another common weakness would be in using some mode where one uses
the NSA-recommended padding common in most crypto systems, where when
one encrypts a file you pad to the common block length, in which
case the unencrypted file before the padding is removed must be of a special
form. These kinds of methods add much information as to which key
is valid and will help the attacker throw out most keys before even
getting to a possible key.
There are probably several other weaknesses; I just listed 2.
The first can be eliminated in that if compression is used, make sure
it's bijective to the input space of the encrypting engine part of the
process. Also it's really easy to make padding fully bijective; see
my comments at the AES site for fixes in that area.
It will be hard for the common user to ever get code where an
attacker can have a problem deciding if a certain key is correct.
Look at PGP's poor compression: if the wrong key is used, the
program detects most errors immediately since in the past part of the key is
in the encrypted file. All these things add up to many times there
is only one key that works.
But if you used BICOM, which is freely available, it uses a bijective
compressor and full RIJNDAEL, which is totally bijective from any
binary file to a binary file. You can test the method you're
currently using to see if it's fully bijective.
Take a random file (actually a text file is ok). Try decrypting it
with BICOM using any key. Then encrypt the result with the same key;
you should get your original file back. If you don't, the crypto
system you're using is not fully bijective and is mostly leaking
information like I mentioned above, so that it's easier to attack
and for an attacker to check if he has the correct key.
Many will say that a 256-bit key is too hard to guess. First of all, I
don't think that a blind search is the only way. Secondly, most people
choose an easy password. If you do, and you're using a typical
encryption product, the attacker may only have to try a few thousand
keys. Each may fail. But if one passes, the attacker can be pretty
sure he has the correct key without even looking at the decrypted
file. With products like BICOM every key leads to a file, and the
attacker has to examine the resulting decrypted file to see if it might
be a possible encrypted file.
I hope this answers your question
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: DES key replacement.
Date: 28 Mar 2001 17:40:00 GMT
[EMAIL PROTECTED] (Yaniv Sapir) wrote in
<[EMAIL PROTECTED]>:
>Hi all.
>
>When using DES for encryption of long messages, is it a common practice to
>replace the 64-bit key once in a while? If so, how frequent?
>
>TIA,
> Yaniv.
>
I am sure that the real key is less than 64 bits. The block
size is 64 bits. And even if you replaced the key each block,
you would not have the security you need. Especially if you're
using English text to be encrypted.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 11:46:22 -0600
> Not at all: image files still have characteristics that can be detected in
> either software or hardware.
>
> A quick test on a set of JPG files shows that they fail the poker and runs
> tests more than 90% of the time and that chi-square failed hideously every time.
Well I ain't no expert at this stuff, but it seems to me that it would be
much more difficult. Informational people are kind of wacky anyways. The
time and energy it takes to do all of this stuff is kind of wasteful to
begin with. Kinda reminds me of Colonel Flagg from MASH. Although he was
amusing.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Article: "Computing, One Atom at a Time" (NYTimes)
Date: Wed, 28 Mar 2001 16:58:05 GMT
"SCOTT19U.ZIP_GUY" wrote:
> Maybe you could just sumarise the high points.
There was nothing new. Basically, LANL hopes to succeed this year
in running a quantum-computer program using 10 atoms.
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 18:52:36 +0100
Mark G Wolf <[EMAIL PROTECTED]> wrote in message
news:99t820$3bao$[EMAIL PROTECTED]...
> > Not at all: image files still have characteristics that can be detected in
> > either software or hardware.
> >
> > A quick test on a set of JPG files shows that they fail the poker and runs
> > tests more than 90% of the time and that chi-square failed hideously every
> > time.
>
> Well I ain't no expert at this stuff, but it seems to me that it would be
> much more difficult.
It would be more difficult for sure, but still possible.
> Informational people are kind of wacky any ways.
Erm, cheers ;)
> The
> time and energy it takes to do all of this stuff is kind of wasteful to
> begin with. Kinda reminds me of Colonel Flagg from MASH. Although he was
> amusing.
Maybe you're in the wrong group then ;)
--
Regards,
Sam
http://www.scramdisk.clara.net/
------------------------------
From: Michael J. Fromberger <[EMAIL PROTECTED]>
Subject: Re: Diceware Passwords
Date: 28 Mar 2001 16:55:10 GMT
In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Marc) writes:
>The http://www.diceware.com page suggests a method of selecting
>passphrases with dice. The words that build up the passphrase are
>selected from a wordlist. The page says that each word adds 12.9
>bits of entropy, because it is selected from 7776 possible words.
>Some words on the list have only 1-3 letters, for example "s". Isn't
>the entropy added by "s" less than 12.9 bits? An attacker who does
>not follow the Diceware scheme but attacks from another angle (eg
>brute force) sees the "s" as one letter of 26, not 7776.
>Why doesn't the wordlist take into account that a letter adds max 4.6
>bits of entropy, nor that in English words in fact it adds only about
>1 bit? Given that the average word length is 4.2 letters there
>appears to be an entropy of only 4.2 bits per word (not 12.9).
>What's wrong here? Me?
Hi there,
The trouble, I think, is that you're thinking about it slightly
incorrectly. The 12.92 bits of entropy comes not from the length of
the words, but from the way they are chosen.
Suppose an attacker wants to try to guess your passphrase, which you
have chosen using Diceware. She knows the word list you used, but she
doesn't know what numbers you rolled. If we suppose that all possible
combinations of 5 6-sided dice are equally probable, that means that
you need approximately 12.9 bits to uniquely describe each possible
combination. That is also a good measure of how much "uncertainty"
the attacker has about each word. It's this uncertainty that is
important, not the symbols.
Diceware works on the principle that the words are just a convenient
mnemonic device for human beings -- the actual randomness comes from
the dice. The word-list gives us a convenient mapping between those
numbers and something we can remember.
I hope this helps clear up your confusion!
Cheers,
-M
--
Michael J. Fromberger Software Engineer, Thayer School of Engineering
sting <at> linguist.dartmouth.edu http://www.dartmouth.edu/~sting/
"Think twice, code once."
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 12:03:12 -0600
> Maybe you're in the wrong group then ;)
Oh no, don't get me wrong, wacky is good as long as it's not allowed to get
dangerous. And I love being amused.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 17:05:55 GMT
Yaniv Sapir wrote:
> From what I've read, breaking machines scan the possible key-space until
> finding the key used for encoding. Hardware for this task does it in a few
> hours. Now, say I try a randomly selected key on a 64-bit ciphertext. I get
> a 64-bit "decrypted text" as output. How can I tell if that was the
> original plain text?
Two things:
(1) This technique, known as "brute force search of the key space",
is used only when feasible. For 128-bit keys, for example, it is
not feasible on any standard computer. Even the 56-bit search for
DES that was published not long ago relied on custom hardware.
(2) When the encryption is used to keep some plaintext secret,
usually the plaintext is not a totally random collection of bits,
but rather has some structure that is readily identifiable. For
example, if it consists of ASCII text characters, every 8th bit is
0. And even if it were packed into 7-bit fields, some ASCII
characters are much more common than others. (' ' then 'e' are
most likely for an English source; EM (control-Y) is almost never
present.) There are various statistical tests of the putative
plaintext against a known source model; usually this involves a
Pearson's chi-square statistic, which is described in introductory
statistics textbooks.
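The tests Sam Simpson ran on JPG files earlier in the thread (poker, runs, chi-square) and the checks Gwyn describes here (every 8th bit of ASCII is 0; a chi-square statistic against a source model) are short enough to reproduce. The example below is added here and is not code from any poster; the thresholds (330 for chi-square with 255 degrees of freedom, a z-score of 3.3), the image magic numbers used and the sample inputs are assumptions made for the illustration, and it is written from the standpoint of checking that data which should look random (e.g. ciphertext) actually does.

```python
"""Checks that separate structured data (ASCII text, image files) from data
that looks uniformly random: Pearson chi-square on byte frequencies, a monobit
(count of 1 bits) check, the "top bit of every ASCII byte is 0" property, and a
look for well-known image headers. Added example, not any poster's code.
Thresholds are assumptions: 330 is about the 99.9% point of chi-square with 255
degrees of freedom; 3.3 is the matching z-score for a normal statistic."""
import math
import random
from collections import Counter

# Magic numbers of two common image formats (JPEG SOI marker, PNG signature).
IMAGE_HEADERS = {b"\xff\xd8\xff": "JPEG", b"\x89PNG\r\n\x1a\n": "PNG"}


def chi_square_bytes(data: bytes) -> float:
    """Pearson chi-square of the 256 byte counts against a uniform distribution
    (255 dof). Random data scores near 255; text or images score in the thousands."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def monobit_z(data: bytes) -> float:
    """z-score of the number of 1 bits against the n/2 expected for random bits."""
    n_bits = 8 * len(data)
    ones = sum(bin(b).count("1") for b in data)
    return (ones - n_bits / 2) / math.sqrt(n_bits / 4)


def high_bit_clear_fraction(data: bytes) -> float:
    """Fraction of bytes with the top bit clear: 1.0 for 7-bit ASCII, ~0.5 for random."""
    return sum(1 for b in data if b < 0x80) / len(data)


def image_header(data: bytes):
    """Name of a recognised image format if the data starts with its magic, else None."""
    for magic, name in IMAGE_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def looks_random(data: bytes, chi_limit: float = 330.0, z_limit: float = 3.3) -> bool:
    """True when no check rejects the hypothesis "uniform random bytes".
    The 0.1 tolerance on the high-bit fraction is loose but safe for a few KiB."""
    return (image_header(data) is None
            and chi_square_bytes(data) < chi_limit
            and abs(monobit_z(data)) < z_limit
            and abs(high_bit_clear_fraction(data) - 0.5) < 0.1)


# Constructed samples: repeated English text, a fake JPEG-headed file, and seeded
# PRNG bytes standing in for ciphertext (the seed keeps the example reproducible;
# a Mersenne Twister is not a cryptographic randomness source).
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 20
_rng = random.Random(2001)
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
FAKE_JPEG = b"\xff\xd8\xff\xe0" + RANDOM_SAMPLE[4:]

if __name__ == "__main__":
    for name, sample in [("text", TEXT_SAMPLE), ("random", RANDOM_SAMPLE), ("jpeg", FAKE_JPEG)]:
        print(f"{name:7s} chi2={chi_square_bytes(sample):8.1f} z={monobit_z(sample):6.2f} "
              f"hi0={high_bit_clear_fraction(sample):.3f} header={image_header(sample)} "
              f"random={looks_random(sample)}")
```

The text sample is rejected by every statistical check at once (top bit always clear, far too few 1 bits, chi-square in the thousands), which is the point both posters make: structure in the plaintext is cheap to detect.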
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: DES key replacement.
Date: Wed, 28 Mar 2001 17:06:56 GMT
Yaniv Sapir wrote:
> When using DES for encryption of long messages, is it a common practice to
> replace the 64-bit key once in a while? If so, how frequent?
No. Standard practice is to use the same key for the entire session.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Strong primes
Date: Wed, 28 Mar 2001 17:09:53 GMT
Chenghuai Lu wrote:
> How much better will strong primes (p1 = k * p + 1) be versus ordinary
> primes?
Better for what?
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 12:04:49 -0600
> I hope this anwsers your question
... oh yeah... that answered my question... thanks.
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 12:11:00 -0600
> The whole idea is to break a code for which you *don't have* the plaintext
> original.
Doesn't this really revolve around public key encryption? You input your
own plaintext and try to find the private key(s).
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Data dependent arcfour via sbox feedback
Date: Wed, 28 Mar 2001 18:12:23 GMT
On Wed, 28 Mar 2001 05:33:08 GMT, in
<[EMAIL PROTECTED]>, in
sci.crypt Paul Crowley <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (Terry Ritter) writes:
>> If "certain countries" is intended to slight the US, I just note that
>> entirely similar patent laws are in force in Europe. Dynamic
>> Substitution is not a "software patent."
>
>If anything is a software patent, this is. Happily, however, it looks
>as if it will not be possible to enforce patents against software in
>Europe, though it's certainly worth keeping up the pressure to make
>sure this decision is made.
If, by "software patent," you mean any patent which applies to
software implementation, then *most* patents on digital logic systems
would be "software patents."
Patents do not, in general, say "the monopoly only applies when the
machine plate is 1/4 inch aluminum." Instead, the same machine in any
reasonable material (e.g., plastic, steel, etc.), with any reasonable
electron valve (e.g., tube, bipolar transistor, FET, MOSFET, etc.),
and any reasonable technology (e.g., electronic hardware, electronic
software, fluidics, etc.) is also controlled. That is the way patents
have always worked. Bemoaning that is criticism of patents
themselves, as opposed to "bad" patents.
When software implementations cannot infringe, it should be possible
to avoid patents on digital systems or chips by placing the analogous
program in a fast controller or DSP processor. That would be a major
change to the patent system in any country, because the effect would
be to not give patent protection to digital systems. The obvious
response of the research and development (R&D) business would be to
invest less where expensive results cannot be protected. If the
ultimate goal is to try to limit the amount of R&D done outside
government labs and academia, this change in patent law would be a big
step in that direction.
Once again note that the IDEA cipher is patented in both the US and
Europe, and obviously does control software implementation of IDEA in
Europe. Consequently, this is not a US issue, nor is it new in either
patents or cryptography.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 10:10:08 -0800
Yaniv Sapir <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi all.
>
> Just for curiosity:
>
> From what I've read, breaking machines scan the possible key-space until
> finding the key used for encoding. Hardware for this task does it in a few
> hours. Now, say I try a randomly selected key on a 64-bit ciphertext. I get
> a 64-bit "decrypted text" as output. How can I tell if that was the
> original plain text?
I think you're sneaking up on the concept of unicity distance. Say DES
uses a 64-bit key rather than the 56 bits it really uses, that you never
re-use a key and that all keys are generated randomly. If no keys in
DES are equivalent, then the adversary could never know since any
plaintext could be made from a particular ciphertext. But........
IF you could live with these conditions, the same is true for a
one time pad (OTP).
Why use DES? I'm not being cute here. Think
about it. IMHO The only reason encryption is interesting is because
it allows one more options in managing the keys, not because there
are no provably secure alternatives.
Paul
>
> TIA,
> Yaniv.
>
>
>
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: ECDSA question
Date: Wed, 28 Mar 2001 12:19:58 -0600
Cristiano wrote:
>
> In Elliptic Curve DSA:
> "[...] Compute s = k^-1 {SHA1(m) + dr} mod n [...]" (m is the message).
> Is there any problem if I use "m" instead of "SHA1(m)" (the signature
> validation works fine)?
The assumption in that description is that m >> 160 bits. If m <= 160
bits, then yes, you can use m directly. If 160 < m < 320 bits, you can use
it directly with some loss of security. For m > 320 bits hashing is much
faster and more secure by a long shot.
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: DES key replacement.
Date: Wed, 28 Mar 2001 18:21:31 GMT
On Wed, 28 Mar 2001 17:06:56 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>Yaniv Sapir wrote:
>> When using DES for encryption of long messages, is it a common practice to
>> replace the 64-bit key once in a while? If so, how frequent?
>
>No. Standard practice is to use the same key for the entire session.
First, a DES key is 56 bits, not 64.
Is not changing the key standard practice? Probably. Is that a good
idea for huge "sessions"? No.
Obviously, the key should be changed at least every 2**32 blocks or so
for any 64-bit-block cipher.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
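The "2**32 blocks or so" figure above is the birthday bound for a 64-bit block; the short derivation below is added here and is not part of Ritter's post. Treat the $N$ ciphertext blocks produced under one key (in CBC, say) as $N$ draws from $2^{64}$ values:

$$
\Pr[\text{two blocks collide}] = 1 - \prod_{i=1}^{N-1}\left(1 - \frac{i}{2^{64}}\right)
\approx 1 - e^{-N(N-1)/2^{65}} \approx \frac{N^{2}}{2^{65}} .
$$

At $N = 2^{32}$ blocks (32 GiB of data) this is $1 - e^{-1/2} \approx 0.39$; at $N = 2^{20}$ blocks it is about $2^{-25}$. The collision matters because in CBC $C_i = C_j$ gives $P_i \oplus P_j = C_{i-1} \oplus C_{j-1}$, so the defensive rule is to rotate the key well before the $2^{32}$-block mark.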
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 20:54:08 +0200
Yaniv Sapir wrote:
>
> The whole idea is to break a code for which you *don't have* the plaintext
> original.
Actually, it's a bit more complex than that.
What is conventionally understood by a "brute force attack" has two preconditions:
- A bit of ciphertext
- A way of distinguishing the right plaintext from the wrong one.
The second condition usually involves either obtaining or guessing part of the
encrypted message, like some header information. Or provoking a certain message
to be encrypted.
Things like character distributions work only if it is known that the plaintext
is a text in a given language. For one single block, this won't work.
The result of the attack is the key which then can be used to read more messages
or the remainder of the message.
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 19:05:23 GMT
"Yaniv Sapir" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> This doesn't sound as the case here. When having zillions of possible keys,
> how can one check the "sensibility" of the decrypted text? And how can it be
> done by hardware?
Look for flags... such as all ASCII, letters in the range a..z A..Z etc...
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************