Cryptography-Digest Digest #30, Volume #14 Wed, 28 Mar 01 17:13:01 EST
Contents:
Re: Newbie wants to shuffle... (Mok-Kong Shen)
Re: vigenere cipher (wtshaw)
Re: Strong primes (John Savard)
Re: Breaking a DES encrypted code. (Mok-Kong Shen)
Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged ("Tomas Rosa")
Re: Data dependent arcfour via sbox feedback (Terry Ritter)
Re: Estimation of the keygen time (Paul Rubin)
Re: Encryption of Encrypted Material results in strength??? (Tramm Hudson)
Re: Breaking a DES encrypted code. (SCOTT19U.ZIP_GUY)
Re: Newbie wants to shuffle... (SCOTT19U.ZIP_GUY)
forgot the unix crypt(1) passwd to some old files (Dan Jacobson)
Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged ("Tomas Rosa")
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Newbie wants to shuffle...
Date: Wed, 28 Mar 2001 23:11:45 +0200
"Henrick Hellström" wrote:
>
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> >
> >
> > Scott Fluhrer wrote:
> > >
> > > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > >
> > > > "Henrick Hellström" wrote:
> > > > >
> > > > > If you start with a random (large) integer N in the range [0..n!), you
> > > > > could use the following algorithm that will bijectively assign a distinct
> > > > > permutation to each possible value of N:
> > > > >
> > > > > for i := 1 to n do S[i] := i;
> > > > > for i := n downto 2 do begin
> > > > > j := (N mod i) + 1; (* Large integer arithmetics *)
> > > > > N := N div i; (* Large integer arithmetics *)
> > > > > x := S[i];
> > > > > S[i] := S[j];
> > > > > S[j] := x;
> > > > > end;
> > > >
> > > > Is that to be found somewhere in the literature? Thanks.
> > > The Art of Computer Programming -- Donald Knuth.
> > >
> > > In particular, Volume 2 ("Seminumerical Algorithms"), Second Edition (which
> > > is what I happened to have on hand), Algorithm 3.4.2P.
> >
> > But in Knuth one has in your notation j:=floor(i*U)+1;
> > where U is a uniformly distributed between 0 and 1. It
> > is not immediately clear that your using a single random
> > integer value N in [0, n!) achieves exactly the same. Could
> > you explain a bit? Thanks.
>
> Firstly, my algorithm is a simplification of one part of the Steak Cipher
> key set up scheme. I use a single large integer value, because it is part of
> the key.
>
> My algorithm is exhaustive because the series of j:s in Knuth's algorithm
> could be put as the sum (...(j{0}*n + j{1})*(n-1) + ...), and that sum would
> be equal to N in my algorithm. It is really only arithmetic with a large
> integer expressed in a dynamic base. You could prove bijectivity in
> virtually the same way you prove that any integer can be unequivocally
> expressed in any nonzero base.
The proof of equivalence might be simple, but I don't
know a ready proof. That's why I was asking for a literature
reference.
M. K. Shen
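The quoted loop and the mixed-radix argument behind it, as an added example that is not code from this thread: Python that decodes N into a permutation exactly as Hellström's loop does (0-based indices here, so the post's S[i] is S[i-1]), the inverse map that recovers N from a permutation by replaying the swaps, and a brute-force check for small n that the map from [0, n!) onto the permutations of 1..n is a bijection. The function names are this example's own.

```python
from itertools import permutations
from math import factorial


def permutation_from_integer(N, n):
    """Decode N in [0, n!) into a permutation of 1..n (the quoted loop).

    Each step takes the next "digit" of N in the mixed radix n, n-1, ..., 2:
    j = N mod i picks which of positions 0..i-1 is swapped into position i-1,
    then N := N div i. This is Knuth's Algorithm P with the uniform variate
    replaced by N mod i, which is uniform on 0..i-1 when N is uniform on
    [0, n!)."""
    if not 0 <= N < factorial(n):
        raise ValueError("N must lie in [0, n!)")
    S = list(range(1, n + 1))
    for i in range(n, 1, -1):            # i = n downto 2
        N, j = divmod(N, i)              # j = N mod i, N = N div i
        S[i - 1], S[j] = S[j], S[i - 1]
    return tuple(S)


def integer_from_permutation(perm):
    """Inverse map: replay the swaps from the identity, reading off each digit.

    At step i the final entry perm[i-1] sits at some index j in 0..i-1 of the
    partially shuffled array (positions >= i are already fixed); that j is the
    digit for base i. The digits are reassembled with Horner's rule."""
    n = len(perm)
    S = list(range(1, n + 1))
    digits = {}
    for i in range(n, 1, -1):
        j = S.index(perm[i - 1])
        digits[i] = j
        S[i - 1], S[j] = S[j], S[i - 1]
    N = 0
    for i in range(2, n + 1):
        N = N * i + digits[i]
    return N


def is_bijection(n):
    """Brute force: the n! integers hit every permutation exactly once."""
    images = {permutation_from_integer(N, n) for N in range(factorial(n))}
    return images == set(permutations(range(1, n + 1)))


def roundtrips(n):
    """The decoder inverts the encoder for every N in [0, n!)."""
    return all(integer_from_permutation(permutation_from_integer(N, n)) == N
               for N in range(factorial(n)))


if __name__ == "__main__":
    for n in range(1, 7):
        print(n, is_bijection(n), roundtrips(n))
    print(permutation_from_integer(12345 % factorial(8), 8))
```

The brute-force check is only feasible for small n; for a real key-sized N the bijectivity rests on the uniqueness of the mixed-radix representation, which is what the proof in the reply above appeals to.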
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: vigenere cipher
Date: Wed, 28 Mar 2001 14:52:33 -0600
In article <99s921$qeu$[EMAIL PROTECTED]>, "Edmond Ho"
<[EMAIL PROTECTED]> wrote:
> Hello, first post. My question: by convention, is the first row of the
> Vigenere table "BCDE...XYZA" or is it "ABCDE...XYZ"? Thanks in advance.
>
> -Edmond Ho
It depends on whose convention. Most of these table ciphers can be done
in a variety of ways. I favor a single table approach without side
scales; this would put A in all four corners, a Beaufort table. Given
key, ciphertext, and plaintext letters, if the other two are on adjacent
edges, then you find the one below in the body of the table:
Beaufort--K Variant--Pt Vigenere--Ct
--
GWB is sure one day to have a presidential library. The big
question is on which off-shore rig should it be placed.
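An added illustration, not part of wtshaw's post, of the single-table reading he describes: a 27 by 27 square with A..Z A along the edges and (row + column) mod 26 in the body, so A sits in all four corners, and the three ciphers read off it exactly as he lists them: Vigenère finds Ct in the body under edges K and Pt, Variant Beaufort finds Pt under K and Ct, and Beaufort finds K under Ct and Pt. The function names and the sample text "ATTACKATDAWN" / key "LEMON" are this example's own.

```python
import string

A = string.ascii_uppercase


def beaufort_square():
    """27x27 single table: edges read A..Z A, body cell = (row + col) mod 26.
    A is in all four corners; body row r is the alphabet rotated r places,
    so the row selected by key letter A reads ABC...Z."""
    return [[A[(r + c) % 26] for c in range(27)] for r in range(27)]


def body(x, y):
    """Letter in the body where the row labelled x meets the column labelled y."""
    return A[(A.index(x) + A.index(y)) % 26]


def edge(x, y):
    """Inverse lookup: the edge letter z with body(x, z) == y, i.e. y - x."""
    return A[(A.index(y) - A.index(x)) % 26]


def _apply(text, key, letter_fn):
    """Apply letter_fn to each letter with a repeating key; other characters
    pass through unchanged and do not advance the key."""
    out, k = [], 0
    for ch in text.upper():
        if ch in A:
            out.append(letter_fn(ch, key[k % len(key)].upper()))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


# Vigenère: edges K and Pt, body gives Ct   (Ct = Pt + K)
def vigenere_encrypt(pt, key):
    return _apply(pt, key, lambda p, k: body(k, p))


def vigenere_decrypt(ct, key):
    return _apply(ct, key, lambda c, k: edge(k, c))


# Variant Beaufort: edges K and Ct, body gives Pt   (Ct = Pt - K)
def variant_encrypt(pt, key):
    return _apply(pt, key, lambda p, k: edge(k, p))


def variant_decrypt(ct, key):
    return _apply(ct, key, lambda c, k: body(k, c))


# Beaufort: edges Ct and Pt, body gives K   (Ct = K - Pt); its own inverse
def beaufort(text, key):
    return _apply(text, key, lambda t, k: edge(t, k))


if __name__ == "__main__":
    sq = beaufort_square()
    print("".join(sq[0]))            # first row: ABC...ZA
    print("".join(sq[1]))            # second row: BCD...ZAB
    for name, fn in (("vigenere", vigenere_encrypt),
                     ("variant", variant_encrypt), ("beaufort", beaufort)):
        print(name, fn("ATTACKATDAWN", "LEMON"))
```

Because the body is the same (row + column) table for all three, the choice of which row the key letter A selects is the only thing the "BCD...A versus ABC...Z" convention changes: it shifts every ciphertext letter by one place, and the receiver has to use the same convention.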
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Strong primes
Date: Wed, 28 Mar 2001 20:36:53 GMT
On Wed, 28 Mar 2001 17:09:53 GMT, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote, in part:
>Chenghuai Lu wrote:
>> How much better will strong primes (p1 = k * p + 1) be versus ordinary
>> primes?
>Better for what?
Basically, the reason for that question is, at present it is believed
that strong primes are better for Diffie-Hellman, but they are not
relevant for RSA.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
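An added example, not from the post, of the k = 2 case of the form above, p = 2q + 1 (a safe prime), and of why that form is the one that matters for Diffie-Hellman: the orders available to elements mod p are the divisors of p - 1, so a smooth p - 1 offers many small subgroups while a safe prime offers only {1, p-1} besides the large one, and a receiver can check that a peer's public value lies in the order-q subgroup. The demo primes 23 and 2311 are constructed values and the function names are this example's own.

```python
import random

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (these bases suffice there)."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p = 2q + 1 with q prime: the k = 2 instance of p1 = k*p + 1."""
    return p > 3 and is_prime(p) and is_prime((p - 1) // 2)


def divisors(n):
    """All divisors of n by trial division (fine for demo-sized n)."""
    small = [d for d in range(1, int(n ** 0.5) + 1) if n % d == 0]
    return sorted(set(small + [n // d for d in small]))


def subgroup_orders(p):
    """Orders an element mod p can have: the divisors of p - 1.
    For a safe prime these are just 1, 2, q, 2q."""
    return divisors(p - 1)


def element_of_order(p, d):
    """Some element of exact order d, for prime d dividing p - 1."""
    for g in range(2, p):
        h = pow(g, (p - 1) // d, p)
        if h != 1:
            return h
    return None


def public_value_ok(y, p, q):
    """Receiver-side check on a peer's value: 1 < y < p-1 and y^q == 1 (mod p),
    i.e. y is in the prime-order-q subgroup and not in a small one."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def random_safe_prime(bits, rng):
    """Search q prime with p = 2q + 1 also prime; p has exactly `bits` bits."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1


def demo_safe_prime(bits=32, seed=3):
    """Seeded search so the result is reproducible."""
    return random_safe_prime(bits, random.Random(seed))


if __name__ == "__main__":
    print(23, is_safe_prime(23), subgroup_orders(23))
    print(2311, is_safe_prime(2311), subgroup_orders(2311)[:8])
    print("order-3 element mod 2311:", element_of_order(2311, 3))
    print("2^7 mod 23 accepted:", public_value_ok(pow(2, 7, 23), 23, 11))
    print("5^7 mod 23 accepted:", public_value_ok(pow(5, 7, 23), 23, 11))
```

Note the last two lines: 2 has order 11 mod 23, so its powers pass the subgroup check, while 5 generates the whole group of order 22 and its odd powers do not. That is why DH parameters pair a safe prime with a generator of the order-q subgroup, and why the check above is cheap for the receiver.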
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Wed, 28 Mar 2001 23:26:42 +0200
Mark G Wolf wrote:
>
> > Not at all: image files still have characteristics that can be detected in
> > either software or hardware.
> >
> > A quick test on a set of JPG files show that they fail poker and runs test
> > more than 90% of the time and that chi-square failed hideously every time.
>
> Well I ain't no expert at this stuff, but it seems to me that it would be
> much more difficult. Informational people are kind of wacky any ways. The
> time and energy it takes to do all of this stuff is kind of wasteful to
> begin with. Kinda reminds of Colonel Flag from MASH. Although he was
> amusing.
One could in fact scramble the pixels, rendering the
work of the opponent more difficult. On the other hand,
it is to be noted that, using an image file as described,
the volume of the encrypted message is very much larger
than that of the plaintext. In my humble view, it is in
general not too hard to find ways to achieve good
encryption, if one is ready to accept the cost of
'sufficiently' high bandwidth and/or processing expenses.
M. K. Shen
------------------------------
From: "Tomas Rosa" <[EMAIL PROTECTED]>
Crossposted-To:
alt.privacy.anon-server,alt.security.pgp,comp.security.pgp.discuss,comp.security.pgp.resources,comp.security.pgp.tech
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: Mon, 26 Mar 2001 11:05:21 +0200
Would like to know, why are you working with the press release of the
*company* (it is not our job to do press release papers), while talking
about crypto in the time when the full crypto-paper exists?
By the way, we looked at the press release paper and we have to say, that it
was not so bad. Quoting: "...A slight modification of the private key file
followed by capturing a signed message is enough to break the private
key..." - doesn't it specify the threat model clearly?
We apologize that the paper was delayed after the press release, but it was
available in the time you were writing your post.
Tom & Vlastimil
"Frank Gerlach" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Bill Unruh wrote:
>
> > In <[EMAIL PROTECTED]> Frank Gerlach <[EMAIL PROTECTED]> writes:
> >
> > ]Next time, please clearly state the THREAT MODEL. Telling people that write
> > ]access to the secret key is necessary would have been easily possible. Also, if
> > ]you call yourself "cryptologist", be a little more scientific and less
> > ]marketing-driven. Helps your reputation.
>
> I was referring to their very first announcement, which sounded pretty dramatic. It
> turns out that only people who have their private key writable are affected. This
> qualifies as marketing-driven scaremongering in my opinion.
>
> >
> >
> > ?? The secret key is encrypted precisely because the threat model that
> > someone can read your secret key file is a real potential threat. The possibility to
> > write to the file is not far behind being able to read it.
> > I have no idea if they released this for self aggrandizement, but that
> > is also totally irrelevant. They have identified a weakness in the
> > OpenPGP specification. It is a real weakness of much greater threat than
> > others that PGP already protects itself against. It needs to be fixed.
> > It is not hard to fix which is good, but that does not mean it is
> > inconsequential. It is definitely a breaking of the protocol.
> > Remember, crypto is not the algorithm, it is the whole chain, which
> > includes key protection. Would you have been as sanguine had they shown
> > that the encryption of the secret key was flawed and anyone could simply
> > read it off from the secret key file? After all that would require that
> > someone else have read permission to the file, and anyone who was
> > careful would never allow someone else to read their secret key file. I
> > would sure call that a lousy--broken-- protocol.
>
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Data dependent arcfour via sbox feedback
Date: Wed, 28 Mar 2001 21:42:22 GMT
On Wed, 28 Mar 2001 21:09:11 +0200, in
<99td0b$me4$[EMAIL PROTECTED]>, in sci.crypt "Henrick
Hellström" <[EMAIL PROTECTED]> wrote:
>"Terry Ritter" <[EMAIL PROTECTED]> skrev i meddelandet
>news:[EMAIL PROTECTED]...
>>
>> On Wed, 28 Mar 2001 05:33:08 GMT, in
>> <[EMAIL PROTECTED]>, in
>> sci.crypt Paul Crowley <[EMAIL PROTECTED]> wrote:
>>
>> >[EMAIL PROTECTED] (Terry Ritter) writes:
>> >> If "certain countries" is intended to slight the US, I just note that
>> >> entirely similar patent laws are in force in Europe. Dynamic
>> >> Substitution is not a "software patent."
>> >
>> >If anything is a software patent, this is. Happily, however, it looks
>> >as if it will not be possible to enforce patents against software in
>> >Europe, though it's certainly worth keeping up the pressure to make
>> >sure this decision is made.
>>
>> If, by "software patent," you mean any patent which applies to
>> software implementation, then *most* patents on digital logic systems
>> would be "software patents."
>
>More precisely: In Europe you cannot patent mathematical, intellectual and
>organizational methods. There has to be some physical manifestation
>involved.
Oh, please. Software *never* functions by itself. Software *always*
depends upon hardware to function. There are *always* "physical
manifestations" whenever software functions. If *that* is the issue,
there is no issue. Nobody cares about software codes which are never
executed. Execution is the whole point of software.
>For instance, I doubt that you may patent the circuit scheme of a
>processor,
On what planet do you live? Do you really imagine that processor
circuits are *not* patented all the time?
>but you may patent the physical chip (defined in the patent
>claims by, among other things, its circuits) and the process by which you
>manufacture the chip. This ought to mean e.g. that an Intel patent of
>Pentium-cpus would not collide with an Athlon patent of AMD-cpus.
That won't work. A patent which included an entire chip, and which
only covered exactly that chip, would be almost useless except to a
company which already had a monopoly. The slightest change would be
enough to allow someone to implement effectively the same design, without
having had to pay for the logic and circuit design.
>[snip]
>> When software implementations cannot infringe, it should be possible
>> to avoid patents on digital systems or chips by placing the analogous
>> program in a fast controller or DSP processor. That would be a major
>> change to the patent system in any country, because the effect would
>> be to not give patent protection to digital systems. The obvious
>> response of the research and development (R&D) business would be to
>> invest less where expensive results cannot be protected. If the
>> ultimate goal is to try to limit the amount of R&D done outside
>> government labs and academia, this change in patent law would be a big
>> step in that direction.
>
>Yes. Either that or the opposite: Since digital systems cannot be
>sufficiently protected, new systems have to be developed all of the time and
>be kept secret until they reach the market, so that the companies doing
>research sustain a start over pirate manufacturers.
But they wouldn't be "pirate" manufacturers if the law is set up the
way you want -- they would be ordinary manufacturers without a design
arm.
I would think that few great minds would want to participate in an
industry which required a full revenue return be generated in the
months before lower-priced competitors came on line.
>> Once again note that the IDEA cipher is patented in both the US and
>> Europe, and obviously does control software implementation of IDEA in
>> Europe. Consequently, this is not a US issue, nor is it new in either
>> patents or cryptography.
>
>Could you please tell me in what European country IDEA is patented? Monaco?
>Liechtenstein? Andorra? Malta? ;-)
It's not my patent, but it is well known in cryptography. Are you
unfamiliar with the concept of a European Patent Office?
As far as I know there is a Swiss patent, and also a European patent
from the EPO. Excuse me for imagining that a European patent would
demand respect throughout Europe, but I am certainly no expert on
European patent law.
If the patent did not generally apply, I am surprised that we did not
see someone offer PGP software with IDEA for commercial use from such
a country. As far as I know, commercial use is prohibited without
license. That would be limiting the software, of course.
By way of Google (most pages concern PGP):
"
Encryption patent issues
The IDEA[tm] block cipher is patented by Ascom-Tech AG. The Swiss
patent number is PCT/CH91/00117, the European patent
number is EP 0 482 154 B1, and the U.S. patent number is US005214703.
IDEA[tm] is a trademark of Ascom-Tech AG. There is no
license fee required for noncommercial use. Commercial users may
obtain licensing details from Dr. Dieter Profos, Ascom-Tech AG,
Solothurn Lab, Postfach 151, CH-4502 Solothurn, Switzerland, Tel +41
65 242 885, Fax +41 65 235 761.
You can use IDEA encryption for noncommercial communications without a
license from Ascom-Tech; commercial use is prohibited
without a license. If you don't want to obtain a license from
Ascom-Tech, use Blowfish, DES, or key file encryption instead.
"
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Estimation of the keygen time
Date: 28 Mar 2001 13:47:18 -0800
Chenghuai Lu <[EMAIL PROTECTED]> writes:
> I'm using the vendor-supplied CSP and can't be completely sure what
> it's doing. But yes, it typically takes 30-60 seconds. Doing it on
> the workstation takes under a second. The keygen time on the card is
> about what I'd expect based on the signing speed of the card.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Can Rubin or some one share with me the method how to estimate the
> keygen time based on signing speed?
>
> Thanks.
Basically you'd expect keygen to take on the order of 30x longer than
signing, based on the idea that you run a Fermat test (i.e. a modexp)
on a bunch of candidate primes until you get two that pass the test.
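An added worked version of the estimate in this reply (not Paul Rubin's code): key generation draws random odd candidates, discards those with a small factor by trial division (no modexp), and spends one modular exponentiation per survivor on a Fermat test until two primes are found, while a signature costs one modexp, or two half-size ones when the signer uses CRT. The cost model (modexp work proportional to bits cubed, prime density 1/ln x), the sieve bound and the seed are this example's assumptions; the small seeded search only counts how many tests a realistic candidate stream needs.

```python
import math
import random


def small_primes(bound):
    """Primes up to bound by a plain sieve, used for trial division."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for p in range(2, int(bound ** 0.5) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(flags[p * p::p]))
    return [p for p in range(bound + 1) if flags[p]]


def sieve_survival(primes):
    """Fraction of random odd integers with no odd prime factor in `primes`."""
    frac = 1.0
    for p in primes:
        if p > 2:
            frac *= 1 - 1 / p
    return frac


def estimate_keygen_over_sign(modulus_bits, sieve_bound=2000, crt_signing=True):
    """Expected keygen work divided by signing work, both in modexp units.

    Assumptions: primes near x = 2^half have density 1/ln x, so 2/ln x among
    odd candidates; a modexp on b bits costs about b**3; signing is one
    full-size modexp, or two half-size modexps with CRT."""
    half = modulus_bits // 2
    candidates_per_prime = half * math.log(2) / 2
    tests_per_prime = candidates_per_prime * sieve_survival(small_primes(sieve_bound))
    keygen = 2 * tests_per_prime * half ** 3        # two primes, half-size modexps
    sign = 2 * half ** 3 if crt_signing else modulus_bits ** 3
    return keygen / sign


def fermat_test(n, rng, rounds=3):
    """a^(n-1) == 1 (mod n) for random bases a; one modexp per round, and
    composites almost always fail on the first round."""
    return all(pow(rng.randrange(2, n - 1), n - 1, n) == 1 for _ in range(rounds))


def find_primes(bits, count, rng, sieve_bound=2000):
    """Random odd candidates with the top bit set; trial division first,
    Fermat test on survivors. Returns (primes, candidates_fermat_tested)."""
    primes = small_primes(sieve_bound)
    found, tested = [], 0
    while len(found) < count:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if any(cand % p == 0 for p in primes):
            continue                               # no modexp spent here
        tested += 1
        if fermat_test(cand, rng):
            found.append(cand)
    return found, tested


def demo_search(bits=64, count=2, seed=7):
    """Seeded run so the count is reproducible."""
    return find_primes(bits, count, random.Random(seed))


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, "keygen/sign ~", round(estimate_keygen_over_sign(bits), 1), "(CRT)",
              round(estimate_keygen_over_sign(bits, crt_signing=False), 1), "(no CRT)")
    ps, n_tests = demo_search()
    print(n_tests, "Fermat-tested candidates for", len(ps), "64-bit primes")
```

Under these assumptions a 1024-bit modulus with CRT signing comes out in the tens, in line with the "on the order of 30x" above; the ratio grows linearly with the key size, and a smart card that signs without CRT or sieves less aggressively will sit at a different multiple, which is why measuring the card's own signing time is the useful calibration point.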
------------------------------
From: [EMAIL PROTECTED] (Tramm Hudson)
Crossposted-To: alt.computer.security
Subject: Re: Encryption of Encrypted Material results in strength???
Date: 28 Mar 2001 21:21:25 GMT
[ Posted and cc'd to cited author ]
Ben.Russo <[EMAIL PROTECTED]> wrote:
> I have been told that encrypting an encrypted message actually decreases
> the security.
That's why rot13 is not considered a viable encryption system. Certain
TLA's would prefer if we use rotN where N % 26 == 0. So don't double
encipher your content with rot13 -- triple encoding is more secure.
Other people have posted more serious answers...
Tramm
--
o [EMAIL PROTECTED] [EMAIL PROTECTED] O___|
/|\ http://www.swcp.com/~hudson/ H 505.323.38.81 /\ \_
<< KC5RNF @ N5YYF.NM.AMPR.ORG W 505.986.60.75 \ \/\_\
0 U \_ |
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Breaking a DES encrypted code.
Date: 28 Mar 2001 21:44:21 GMT
[EMAIL PROTECTED] (Peter Engehausen) wrote in
<[EMAIL PROTECTED]>:
>
> Take a random file (actually a text file is OK). Try decrypting it
> with BICOM using any key. Then encrypt the result with the same key;
> you should get your original file back. If you don't, the crypto
> system you're using is not fully bijective and is mostly leaking
> information like I mentioned above, so that it's easier to attack
> and for an attacker to check if he has the correct key.
>
>Dear David!
>
>Did I get you right? There are cryptosystems which encrypt and decrypt
>good but decrypt and
>encrypt poorly?
>
>Hm... Thanks,
>Peter
>
Dear Peter, notwithstanding the flood of comments from Joe,
who is still unhappy that I caught him in mistakes in just what
Shannon says about encryption:
there are crypto systems (actually most of them) that allow
you to encrypt any file. The encryption is correct in that if
you use the correct key you get the exact same input back.
Where the systems are flawed is in the fact that an attacker can
check almost immediately if he has the correct key, since
most of the time the system will either not decrypt a wrong
file or, if it does, it will not encrypt to the same file.
One way to check if a system can handle any output file is
to test the decryption of an arbitrary file using any key,
then see if it encrypts back to the same file.
Even if you look at the online books on crypto, they start
by describing a typical encryption system where your message
space is mapped one to one to the cipher space.
Each key does a unique transform of that space. If you test
a message in that space, decrypting with a false key should
take you back to the message space but with a different message.
BICOM, which Joe and several so-called phony crypto people hate,
since it is less apt to be tampered with. You can take any
binary file and call it input or output and it will map to a
unique file either by decrypting with a key or encrypting with any
key. Something that you will not see in other known implementations
of full keyed RIJNDAEL.
Don't trust me or Joe, not even Little Tommy; try it yourself
and see. You may be surprised.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
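The round-trip check described in this post (treat an arbitrary file as ciphertext, decrypt it under any key, re-encrypt, compare), as an added example that is not BICOM or any of the poster's code: a toy 8-byte Feistel permutation (constructed for the demo, not a real cipher) is used once with PKCS#7 padding and once on whole blocks without padding. The padded variant's `unpad` raises on almost every random input, which is precisely the immediate wrong-key signal the post is talking about; the unpadded variant round-trips every input, since for it every 8k-byte string is a valid plaintext and a valid ciphertext. The function names and the seeded random inputs are this example's own.

```python
import hashlib
import random

BLOCK = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Toy round function (constructed for the demo, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, block):
    """4-round Feistel on an 8-byte block: a permutation for every key."""
    L, R = block[:4], block[4:]
    for rnd in range(4):
        L, R = R, _xor(L, _f(key, rnd, R))
    return R + L


def block_decrypt(key, block):
    R, L = block[:4], block[4:]
    for rnd in reversed(range(4)):
        L, R = _xor(R, _f(key, rnd, L)), L
    return L + R


def _ecb(key, data, fn):
    return b"".join(fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")      # a wrong key shows up right here
    return data[:-n]


def padded_encrypt(key, pt):
    return _ecb(key, pad(pt), block_encrypt)


def padded_decrypt(key, ct):
    return unpad(_ecb(key, ct, block_decrypt))


def raw_encrypt(key, data):
    """Whole blocks only, no padding: any 8k-byte string is valid either way."""
    if len(data) % BLOCK:
        raise ValueError("raw mode needs a whole number of blocks")
    return _ecb(key, data, block_encrypt)


def raw_decrypt(key, data):
    if len(data) % BLOCK:
        raise ValueError("raw mode needs a whole number of blocks")
    return _ecb(key, data, block_decrypt)


def decrypt_then_encrypt_roundtrips(enc, dec, key, blob):
    """The check from the post: decrypt an arbitrary file under any key,
    encrypt the result, and compare with the original file."""
    try:
        return enc(key, dec(key, blob)) == blob
    except ValueError:
        return False


def survey(enc, dec, trials=50, seed=1):
    """How many random (key, file) pairs pass the round-trip check."""
    rng = random.Random(seed)                      # seeded, constructed inputs
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    passed = 0
    for _ in range(trials):
        key, blob = rand(16), rand(BLOCK * rng.randint(1, 4))
        passed += decrypt_then_encrypt_roundtrips(enc, dec, key, blob)
    return passed


if __name__ == "__main__":
    print("raw    :", survey(raw_encrypt, raw_decrypt), "of 50 round-trip")
    print("padded :", survey(padded_encrypt, padded_decrypt), "of 50 round-trip")
```

The padded scheme fails the check about 255 times in 256 because a random last block rarely decrypts to valid padding, so a key guess can be rejected after one block without any knowledge of the plaintext; the raw scheme gives a key guesser no such signal from the format alone, which is the property the post is testing for.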
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Newbie wants to shuffle...
Date: 28 Mar 2001 21:49:55 GMT
[EMAIL PROTECTED] (Mok-Kong Shen) wrote in
<[EMAIL PROTECTED]>:
>
>
>"Henrick Hellström" wrote:
>>
>> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
>> >
>> >
>> > Scott Fluhrer wrote:
>> > >
>> > > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>> > > >
>> > > > "Henrick Hellström" wrote:
>> > > > >
>> > > > > If you start with a random (large) integer N in the range [0..n!), you
>> > > > > could use the following algorithm that will bijectively assign a
>> > > > > distinct permutation to each possible value of N:
>> > > > >
>> > > > > for i := 1 to n do S[i] := i;
>> > > > > for i := n downto 2 do begin
>> > > > > j := (N mod i) + 1; (* Large integer arithmetics *)
>> > > > > N := N div i; (* Large integer arithmetics *)
>> > > > > x := S[i];
>> > > > > S[i] := S[j];
>> > > > > S[j] := x;
>> > > > > end;
>> > > >
>> > > > Is that to be found somewhere in the literature? Thanks.
>> > > The Art of Computer Programming -- Donald Knuth.
>> > >
>> > > In particular, Volume 2 ("Seminumerical Algorithms"), Second Edition (which
>> > > is what I happened to have on hand), Algorithm 3.4.2P.
>> >
>> > But in Knuth one has in your notation j:=floor(i*U)+1;
>> > where U is a uniformly distributed between 0 and 1. It
>> > is not immediately clear that your using a single random
>> > integer value N in [0, n!) achieves exactly the same. Could
>> > you explain a bit? Thanks.
>>
>> Firstly, my algorithm is a simplification of one part of the Steak
>> Cipher key set up scheme. I use a single large integer value, because
>> it is part of the key.
>>
>> My algorithm is exhaustive because the series of j:s in Knuth's
>> algorithm could be put as the sum (...(j{0}*n + j{1})*(n-1) + ...),
>> and that sum would be equal to N in my algorithm. It is really only
>> arithmetic with a large integer expressed in a dynamic base. You could
>> prove bijectivity in virtually the same way you prove that any integer
>> can be unequivocally expressed in any nonzero base.
>
>The proof of equivalence might be simple, but I don't
>know a ready proof. That's why I was asking for a literature
>reference.
>
>M. K. Shen
>
I know I am late in this thread. But shuffling is a lot
like creating a single-cycle lookup table. My code, both
scott19u and scott16u, has to use a large shuffling of the
file. If you want to check the method I used, you can look
at the source code.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: Dan Jacobson <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: forgot the unix crypt(1) passwd to some old files
Date: 28 Mar 2001 15:43:41 +0800
Now that I've managed to get a version of crypt(1) running, it seems
that I remembered the wrong password or something...
Being that the Crypt Breakers Workbench is far from compilable these
days, I'm now thinking I will send one of my more boring encrypted
files, to a volunteer, you, who will 'crack' it and send me the
password, which I will then use to read all the rest of those old
files, because I only used one passwd. Or is it not that easy?
[To send me, first decrypt my silly anti spam address.]
Richard Stallman was right. Thinking I would prevent others from
seeing my files all I ended up doing in the long run was locking
myself out.
Good thing I don't really need that data [I think?]. I just don't
like the feeling that I can't take all my lifetime bytes with me [to
the grave and beyond] ("you can't take it with you...)
--
http://www.geocities.com/jidanni Tel886-4-25854780 e-mail:restore .com.
------------------------------
From: "Tomas Rosa" <[EMAIL PROTECTED]>
Crossposted-To:
alt.privacy.anon-server,alt.security.pgp,comp.security.pgp.discuss,comp.security.pgp.resources,comp.security.pgp.tech
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: Mon, 26 Mar 2001 11:59:24 +0200
OK, but TAMPERING is just a particular cryptanalysing tool.
Good encryption (as the method for preserving data confidentiality) shall be
resistant to known "sound" cryptanalysing techniques. So, it has to be
resistant to sound tampering techniques too. So, the encryption of the private
key in OpenPGP is not good.
Feel like writing it in lemmas? ;-)
Tom and Vlastimil
PS: We would like to note that we really don't do marketing stunts. Hope
somebody will trust us.
"Frank Gerlach" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tomas Rosa wrote:
>
> > Despite some claims from the wired article, we note that the attack is
> > realistic.
>
> Despite your marketing stunt I am going to respond.
>
> > We think that everybody would agree that any kind of information which is
> > referred to as *encrypted information* shall be able to be stored anywhere
> > without the risk of its disclosure.
>
> Disclosure or MODIFICATION ??
>
> >
> >
> > There shall be no reason to store your private key, which is properly
> > encrypted, in the deposit. We have shown that in the case of the OpenPGP
> > format the encrypted private key MUST NOT be stored in the place where the
> > attacker can access and modify it. From here we conclude that private keys
> > are NOT PROPERLY ENCRYPTED in the OpenPGP format and derived applications.
>
> They are not secured against TAMPERING.
>
> >
> >
> > So, from the cryptologic point of view, the attack is pretty serious.
>
> Also from a marketing point of view it makes sense to call your discovery
> serious.
>
> >
> > Moreover it is also realistic. In the networked systems users usually would
> > like to store their containers with private keys in some shared place to be
> > able to have their keys ready to use on any workstation in the network.
>
> Yeah, anytime. Too difficult to store some kilobytes on a floppy. Too heavy, too
> bulky, those 3.5 inch floppies.
>
> > Note
> > that this is the default option in the PGP. In such scenario it is clear
> > that the user has very little or no control on the encrypted private key.
> > Anybody who can modify this information when it is going through the network
> > can carry out the attack. Of course your network administrator is the first
> > person who can be the attacker.
>
> Your network administrator will most probably replace PGP itself with a
> trojan-horsed version, if he wants your key.
>
> > We think that users shall not have to care
> > about such things (when their private keys are properly encrypted, of
> > course). Btw: wasn't it the main idea behind the whole PGP to give its users
> > "Pretty Good Privacy" in such environments?
>
> >
> > So, from the practical point of view, the attack is pretty realistic.
>
> Maybe *you* are storing your secret key on a shared drive. Security-conscious
> people store it on a floppy disk, which they physically control.
>
> >
> >
> > More information will be available in the crypto-paper, which will be
> > released soon at www.i.cz.
>
> Next time, please clearly state the THREAT MODEL. Telling people that write
> access to the secret key is necessary would have been easily possible. Also, if
> you call yourself "cryptologist", be a little more scientific and less
> marketing-driven. Helps your reputation.
>
> Thanks a lot !
>
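An added example, not OpenPGP's key format and not code from either side of this exchange, of the property the authors argue a stored encrypted private key should have: the file is authenticated, so any modification is rejected before the key material is touched, regardless of where the file is stored. Encryption and MAC keys are derived from the passphrase with PBKDF2-HMAC-SHA256; the keystream is a SHA-256 counter construction, a stand-in assumed here only so the block runs with the standard library; HMAC-SHA256 over salt, nonce and ciphertext is verified with a constant-time compare before decryption. The function names and the "fake private key material" string are this example's own.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32


def _keystream(key, nonce, length):
    # Stand-in stream cipher (assumption for the demo): SHA-256 in counter mode.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return out[:length]


def _derive_keys(passphrase, salt):
    """Separate encryption and MAC keys from one passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)
    return km[:32], km[32:]


def protect(passphrase, secret, rng=os.urandom):
    """salt || nonce || ciphertext || HMAC(mac_key, salt || nonce || ciphertext)."""
    salt, nonce = rng(16), rng(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    header = salt + nonce
    tag = hmac.new(mac_key, header + ct, "sha256").digest()
    return header + ct + tag


def unprotect(passphrase, blob):
    """Verify the tag first: only an unmodified file under the right
    passphrase ever reaches the decryption step."""
    if len(blob) < 32 + TAG_LEN:
        raise ValueError("truncated key file")
    header, ct, tag = blob[:32], blob[32:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, header[:16])
    expected = hmac.new(mac_key, header + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key file modified or passphrase wrong")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, header[16:], len(ct))))


def rejects(passphrase, blob):
    """True if unprotect refuses the blob."""
    try:
        unprotect(passphrase, blob)
        return False
    except ValueError:
        return True


def flip_bit(blob, offset, bit=0):
    """Copy of blob with one bit changed at the given byte offset."""
    out = bytearray(blob)
    out[offset] ^= 1 << bit
    return bytes(out)


if __name__ == "__main__":
    secret = b"-----constructed fake private key material-----"   # constructed sample
    blob = protect(b"correct horse", secret)
    print("round trip      :", unprotect(b"correct horse", blob) == secret)
    print("tampered rejected:", rejects(b"correct horse", flip_bit(blob, 40)))
    print("wrong passphrase :", rejects(b"wrong passphrase", blob))
```

The point of checking the tag before decrypting is that a modified file never produces a usable private key, so a signature made with it never exists for an attacker to capture; the same layout also turns a wrong passphrase into a clean error instead of garbage key material.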
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************