Cryptography-Digest Digest #33, Volume #14       Thu, 29 Mar 01 01:13:01 EST

Contents:
  Re: Encryption of Encrypted Material results in strength??? ("Scott Fluhrer")
  Re: Breaking a DES encrypted code. ("Douglas A. Gwyn")
  Re: texts on factoring? (Paul Rubin)
  Re: Crypto in VB3 (Glenn Baddeley)
  Re: texts on factoring? ("Tom St Denis")
  Re: texts on factoring? ("Carpe Diem")
  Re: anno: Open BCrypt - command line file encryptor (Rob Warnock)
  Re: texts on factoring? (David A Molnar)
  Re: texts on factoring? (David A Molnar)
  Re: texts on factoring? ("Tom St Denis")
  Re: Pike stream cipher (Paul Crowley)
  Re: Valid condition for multiplicative generator? (Paul Crowley)
  Re: A future supercomputer ("Trevor L. Jackson, III")
  Re: What do we mean when we say a cipher is broken? ("Trevor L. Jackson, III")
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Crossposted-To: alt.computer.security
Subject: Re: Encryption of Encrypted Material results in strength???
Date: Wed, 28 Mar 2001 17:49:27 -0800


Ben.Russo <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Friends,
>
> I have been told that encrypting an encrypted message actually decreases
> the security.
> I am not a cryptographer, but will accept that on faith.
That is actually not true, if the keys used during both encryptions are
independently chosen.  If they are, then it is easy to see that the
resulting message is, at worst, at least as strong as the first encryption.

Suppose not -- suppose there exists an efficient method for attacking a
doubly-encrypted message.  Then, if an attacker receives a
singly-encrypted message, all he would need to do is select a random key,
encrypt the message with it, and then use the efficient method for breaking
the doubly-encrypted message.

Note that, if the two encrypts use related keys, the above theorem does not
apply, and the reencryption may, in fact, reduce the strength, or eliminate
it entirely.

>
> Theory aside, and considering only practical results:
> I have a situation where I am setting up a VPN Mesh network between
> several office sites over the internet and am going to use CISCO IOS IPSec
> VPN's.
> How much real world difference would it make to a potential cracker if I
> had SSH or SSL sessions being routed through the VPN?
> Or should I really block that type of traffic and insist that users use
> telnet and http instead?
There is no need.  IPSec and SSL (and presumably SSH) select their own keys
to do the actual encryption, and don't tell them to anyone else.  Hence, the
above theorem applies[1].


[1] Ok, the above theorem applies only to the SSL-protected traffic -- it
doesn't really tell us if there is some magic way to rederive the IPSec
keys.  Well, IPSec is designed to be secure with chosen plaintext, so that
really isn't a problem either.

--
poncho
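The cancellation caveat from the post above, as an added example that is not part of the original post: a toy XOR stream cipher (a SHAKE-256 keystream standing in for an RC4-style cipher, an assumption of this example) is applied twice, once with independent keys and once with the same key, and the wrapping step from the reduction argument is shown to produce a genuine doubly-encrypted message.

```python
import hashlib
import secrets


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHAKE-256 of the key (constructed stand-in for an RC4-style cipher)."""
    return hashlib.shake_256(key).digest(length)


def stream_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def double_encrypt(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """Encrypt the message under k1, then encrypt that ciphertext under k2."""
    return stream_encrypt(k2, stream_encrypt(k1, msg))


def double_decrypt(k1: bytes, k2: bytes, ct: bytes) -> bytes:
    """Peel the layers off in reverse order."""
    return stream_encrypt(k1, stream_encrypt(k2, ct))


MESSAGE = b"constructed sample plaintext for the double-encryption demo"


def independent_keys_roundtrip() -> bool:
    """Two independently chosen keys: the outer layer adds an unrelated keystream."""
    k1, k2 = secrets.token_bytes(16), secrets.token_bytes(16)
    ct = double_encrypt(k1, k2, MESSAGE)
    return ct != MESSAGE and double_decrypt(k1, k2, ct) == MESSAGE


def same_key_twice_leaks(key: bytes) -> bool:
    """The failure case: a second XOR with the identical keystream cancels the
    first, so the 'doubly encrypted' output is the plaintext itself."""
    return double_encrypt(key, key, MESSAGE) == MESSAGE


def wrapped_layer_is_genuine(k1: bytes) -> bool:
    """Step from the reduction argument: holding only E_k1(m), anyone can pick a
    fresh k2 and wrap it; the result is exactly what a real double encryption
    under (k1, k2) would produce, so the two settings cannot be told apart."""
    single = stream_encrypt(k1, MESSAGE)
    k2 = secrets.token_bytes(16)  # freshly chosen, independent of k1
    wrapped = stream_encrypt(k2, single)
    return wrapped == double_encrypt(k1, k2, MESSAGE)
```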




------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Breaking a DES encrypted code.
Date: Thu, 29 Mar 2001 02:11:22 GMT

William Hugh Murray wrote:
> Which is why it is bad practice to reuse keys ...

yada, yada -- it's not like the Germans had much choice.

A DES key *is* generally reused -- for subsequent blocks
in the same session.  Therefore even though it might
appear that nothing was gained by cracking the first
block using known plaintext, it is *only* for the first
block that the plaintext needed to be known, and all the
unknown plaintext later in the same session is the payoff
for the attack.

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: 28 Mar 2001 18:22:08 -0800

"Tom St Denis" <[EMAIL PROTECTED]> writes:
> I have the complete Knuth set and he only discusses Pollard-Rho, Fermat and
> a sieve method.  Nothing terribly advanced...
> 
> I will look up the Koblitz book.

Koblitz has a very readable treatment of ECM and the quadratic sieve,
but says nothing about the number field sieve, at least in the edition
I have (there's a newer one now).  I think NFS might not have been
invented when the 1st edition came out.

You might also look at the MIRACL library which includes
straightforward implementations of all these methods except NFS.  It's
possibly not the most efficient code in the world but it's easy to see
what it's doing.

------------------------------

From: Glenn Baddeley <[EMAIL PROTECTED]>
Subject: Re: Crypto in VB3
Date: Thu, 29 Mar 2001 12:55:55 +1000



Hard wrote:

> On Fri, 23 Mar 2001 21:55:21 -0500, "Ryan M. McConahy"
> <[EMAIL PROTECTED]> wrote:
>
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >I'm wrather new to VB (I used VBDOS!). Can you tell me what to do
> >with the "byte" types? VB3 doesn't seem to support them. And how
> >would I fix the 16bit/32bit thing?
> >
> >Thanks in advance,
> >
> >Ryan M. McConahy
> >
> >Hard wrote in message <[EMAIL PROTECTED]>...
> >>On Mon, 19 Mar 2001 15:56:10 -0500, "Ryan M. McConahy"
> >><[EMAIL PROTECTED]> wrote:
> >>
> >>>-----BEGIN PGP SIGNED MESSAGE-----
> >>>
> >>>To: sci.crypt
> >>>Subject: Crypto in VB3
> >>>
> >>>Does anyone know of any libraries/DLLs/source code that I could use
> >>>in Visual Basic 3?
> >>>
> >>>Thanks in advance.
> >>>
> >>>Ryan M. McConahy
> >>>
> >>>
> >>
> >>Go here: http://zarr.net/vb/download/encryption.asp
> >>
> >>This code is for 32-bit VB, but you may be able to get it to work in
> >>VB3 by keeping track of variables (long is 16-bit in VB3 but is
> >>32-bit in current versions, etc.)
> >>
> >>The MD5 code is questionable (didn't pass vector tests) but the
> >>SHA-1 and the RC4 are good (pass vector tests), although slow.  The
> >>mime
> >>(base64) encoding and decoding also works well.
> >>
> >>There are also modules for CRC calc, LZW compression of strings,
> >>Gost2, and SkipJack encryption, although I haven't tested them.
> >>
> >>All in all, it is a fairly fun package for horsing around in VB.
> >
> >
> >
>
> Well it has been a while since I used VB3 but I believe you just
> double each successive term
>
> byte in 32-bit is integer in VB3
> integer in 32-bit is long in VB3
> long in 32-bit is double in VB3
>
> I think...
>
> Give it a kick

VB3 runs in the 16 bit Windows environment.
"integer" is a 16-bit 2's complement integer
"long" is a 32-bit 2's complement integer
The nearest thing to a byte (8 bit) is a string * 1, but you can't do
arithmetic on it directly (need to use chr() and asc() functions to
convert to/from an integer, which is a real pain).

HTH,
Glenn.


------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: Thu, 29 Mar 2001 03:14:08 GMT


"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> writes:
> > I have the complete Knuth set and he only discusses Pollard-Rho, Fermat
> > and a sieve method.  Nothing terribly advanced...
> >
> > I will look up the Koblitz book.
>
> Koblitz has a very readable treatment of ECM and the quadratic sieve,
> but says nothing about the number field sieve, at least in the edition
> I have (there's a newer one now).  I think NFS might not have been
> invented when the 1st edition came out.

I want to pick up the text (it's $45 at amazon).  Too bad I don't have a
credit card... arrg... have to go bug my parents... You know, it's funny
that I can make 22g a year and still not get a credit card.. no fun...

> You might also look at the MIRACL library which includes
> straightforward implementations of all these methods except NFS.  It's
> possibly not the most efficient code in the world but it's easy to see
> what it's doing.

I would rather see a text that I could read (and re-read, and re-read
and....) to actually understand it.

In my homebrew program I am writing I use pollard-rho, pollard-"p-1",
pollard-"p+1" (you can add instead of subtract in the inner loop and it
works too) and fermat DOS.

I want to add a non-smooth version such as the QS or MPQS... My goal is just
to understand this stuff not break RSA-200 ..etc...

Tom
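The methods Tom lists above, as an added example written for this digest and not Tom's own program: Pollard's rho, stage-one Pollard p-1 and Fermat's difference-of-squares method in Python, run on two constructed moduli chosen so that each method's success condition is visible. The smoothness bound and the choice of base 3 are this example's own.

```python
from math import gcd, isqrt
from typing import Optional


def pollard_rho(n: int, seed: int = 2) -> int:
    """Pollard's rho (Floyd cycle finding) with f(x) = x^2 + c mod n.
    Expected cost ~sqrt(p) steps for the smallest prime factor p; n must be composite."""
    c = 1
    while True:
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n        # tortoise: one step
            y = (y * y + c) % n        # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1                         # sequence collapsed mod n: try another polynomial


def pollard_pm1(n: int, bound: int) -> Optional[int]:
    """Stage-one Pollard p-1.  After the loop a = 3^(bound!) mod n, so any prime p
    with (p - 1) | bound!  (p - 1 is bound-smooth) has a == 1 (mod p), and
    gcd(a - 1, n) reveals p.  Returns None if the bound was too small, or if every
    factor was smooth at once (d == n; a smaller bound is then needed)."""
    a = 3
    for k in range(2, bound + 1):
        a = pow(a, k, n)
        d = gcd(a - 1, n)
        if 1 < d < n:
            return d
        if d == n:
            return None
    return None


def fermat(n: int, max_steps: int = 10**6) -> Optional[int]:
    """Fermat's difference of squares: find a with a^2 - n = b^2, so n = (a-b)(a+b).
    Fast only when the two factors are close together."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b
        a += 1
    return None


# Constructed demo moduli built from small known primes.
N_SMOOTH = 65537 * 1000003   # 65537 - 1 = 2^16 is 2-smooth; 1000002 = 2 * 3 * 166667 is not 20-smooth
N_CLOSE = 1000003 * 1000033  # the two primes differ by 30, ideal for Fermat

if __name__ == "__main__":
    print("rho:", pollard_rho(N_SMOOTH))
    print("p-1, bound 10 (too small):", pollard_pm1(N_SMOOTH, 10))
    print("p-1, bound 20:", pollard_pm1(N_SMOOTH, 20))
    print("fermat:", fermat(N_CLOSE))
```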



------------------------------

From: "Carpe Diem" <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: Wed, 28 Mar 2001 21:24:43 -0600

I do not know of any book specifically written about factoring. I believe
that factoring techniques are mostly described in papers and that is what
you should read (after you get the necessary mathematical background). That
is the best way I see to learn about it.

Now as regards algebraic number theory, this is a wide question. If
you really want to learn algebraic number theory, first you must have a good
grasp of algebra and elementary number theory. This way you will get two
different ways to think about it: the elementary one and the abstract one.

For number theory there are a lot of books. I read you are still in high
school. I think Number Theory by G. Andrews is a good start because it
begins with the basics (perhaps you can skip some chapters). Artin's Algebra
is a great book for algebra, full of examples, explanations and exercises to
work on yourself (it assumes a mathematically mature student).

Then you can pass on to algebraic number theory. One of the greatest books
written on the subject is Number Theory by Helmut Hasse. This is my favorite
book on the subject. But beware, because it is abstract and you will not
find examples. On the other hand, when you begin studying algebraic number
theory you are supposed to have the background. It is graduate level.

If anybody finds any mistake in what I said or disagrees, please comment on
it.
-- Carpe Diem


"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:khww6.157024$[EMAIL PROTECTED]...
> I was wondering what are the "good" texts on algebraic number theory and
> factoring ?
>
> --
> Tom St Denis
> ---
> http://tomstdenis.home.dhs.org
>
>



------------------------------

From: [EMAIL PROTECTED] (Rob Warnock)
Crossposted-To: comp.security.misc,comp.security.unix
Subject: Re: anno: Open BCrypt - command line file encryptor
Date: 29 Mar 2001 03:55:52 GMT

Juergen Thumm  <[EMAIL PROTECTED]> wrote:
+---------------
| It does not invent new crypto-algorithms.
| Instead, it uses a proven, yet unbroken 128-bit cipher
| (rc4-compatible), and supplies a safe file format around it.
+---------------

Is your system (including "safe file format") compatible with
CipherSaber <URL:http://ciphersaber.gurus.com/>? If not, why not?


-Rob

=====
Rob Warnock, 31-2-510           [EMAIL PROTECTED]
SGI Network Engineering         <URL:http://reality.sgi.com/rpw3/>
1600 Amphitheatre Pkwy.         Phone: 650-933-1673
Mountain View, CA  94043        PP-ASEL-IA

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: 29 Mar 2001 03:45:13 GMT


Tom St Denis <[EMAIL PROTECTED]> wrote:
> I was wondering what are the "good" texts on algebraic number theory and
> factoring ?

The suggestions in the rest of this thread are very good - *especially* the 
one about "learn abstract algebra." (More on that in a separate post). 

I note that there's a book specifically on "The Development of the Number
Field Sieve."
http://www.amazon.de/exec/obidos/ASIN/3540570136/artvisitwww/028-9578572-8643751

You may also check out the bibliography at 
http://www.npac.syr.edu/factoring/overview.html#NFS

which has pointers to various papers on NFS, including an implementation 
report from CRYPTO '93 (you have access to the Springer-Verlag CRYPTO CD?) 

-David

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: 29 Mar 2001 03:53:45 GMT

Carpe Diem <[EMAIL PROTECTED]> wrote:

> begins with the basics (perhaps you can skip some chapters). Artin's Algebra
> is a great book for algebra, full of examples explanations and exercises to
> work on yourself (it assumes a mathematically mature student).

Yes - which is why it may not be the best first choice as an algebra 
textbook for self-study. The "math 101" class here at Harvard uses Fraleigh's 
_A First Course in Abstract Algebra_. I didn't use it when I took
the class, but I've heard good things about it. 

thanks, 
-David

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: Thu, 29 Mar 2001 04:07:00 GMT


"David A Molnar" <[EMAIL PROTECTED]> wrote in message
news:99ub49$oc6$[EMAIL PROTECTED]...
>
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> > I was wondering what are the "good" texts on algebraic number theory and
> > factoring ?
>
> The suggestions in the rest of this thread are very good - *especially*
> the one about "learn abstract algebra." (More on that in a separate post).
>
> I note that there's a book specifically on "The Development of the Number
> Field Sieve."
>
> http://www.amazon.de/exec/obidos/ASIN/3540570136/artvisitwww/028-9578572-8643751

I have read a few papers on the NFS; a lot of it is not complete, i.e. they
use sentences and say "See [14] for more".  I will pick up Koblitz's book
tomorrow (well I will order it then) and read up...

Thanks,
Tom



------------------------------

Subject: Re: Pike stream cipher
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Thu, 29 Mar 2001 04:44:51 GMT

"Tom St Denis" <[EMAIL PROTECTED]> writes:
> Is this group just wildly incompetent or am I just in every killfile for
> trying to be intelligent?

Please consider that there may be other possibilities.  It's surely
obvious that the competence of the people in this group varies hugely;
while we do have our David A Scotts and Anthony Szopas, we also have
David Wagner and Scott Fluhrer.  If your articles aren't attracting
reasoned discussion from the better people in the group, thinking
about why may be a better strategy; railing rudely and trying to
alienate the people who know what they're talking about could be
counterproductive.

And if you are in every killfile, it will be because of expressions
like "blow me goat boy" rather than because you are trying to be
intelligent.

If you really think the group is that useless, leave; there is never
any point in railing against an entire newsgroup.  I find very little
of the content here useful, but I have a very effective scorefile to
help pick out the good stuff.
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

------------------------------

Subject: Re: Valid condition for multiplicative generator?
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Thu, 29 Mar 2001 04:44:50 GMT

"Yaniv Sapir" <[EMAIL PROTECTED]> writes:

> Just a newbie question: if, as claimed, "We can't distinguish a
> physically-random generator from a pseudorandom generator by statistical
> tests on the output stream", why bother making physical devices?

Short answer: A pseudorandom generator stretches a small random
quantity (perhaps 128 bits) into what appears to be a large random
quantity.  If you don't even have a small random quantity, you need
somewhere to get them from.

In theory, then, you only ever need 128 bits of entropy in the history
of a system, but then you'd have to protect those 128 bits insanely
hard.  It's better to "top up" the entropy of your pseudorandom
generator with real randomness from time to time, to limit the damage
from compromise of the generator state.

Look at the design of Yarrow to see how this is done.

http://www.counterpane.com/yarrow.html
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
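The "top up" design point from the post above, as an added example that is neither Yarrow nor the poster's code: a toy HMAC-SHA256 generator that, like Yarrow, accumulates entropy in a pool and reseeds only once an estimated 128 bits have been collected, with a simulated state compromise showing that prediction works until the reseed and fails after it. The seed, the entropy samples and their bit estimates are constructed values.

```python
import hashlib
import hmac
from typing import Tuple


class ToyReseedingPRNG:
    """Illustrative generator with a Yarrow-style entropy pool (not Yarrow itself)."""

    # Reseed only when enough entropy has accumulated: a run of tiny reseeds could
    # be brute-forced one at a time by an attacker who already holds the state.
    RESEED_THRESHOLD_BITS = 128

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(b"init" + seed).digest()
        self.counter = 0
        self.pool = hashlib.sha256()   # accumulates samples until the next reseed
        self.pool_bits = 0             # caller's entropy estimate for the pool

    def add_entropy(self, sample: bytes, estimated_bits: int) -> bool:
        """Feed an entropy sample; returns True when it triggered a reseed."""
        self.pool.update(sample)
        self.pool_bits += estimated_bits
        if self.pool_bits < self.RESEED_THRESHOLD_BITS:
            return False
        # Mix the whole pool into the state: whoever held the old state now has to
        # guess at least 128 bits of fresh entropy to keep predicting output.
        self.state = hashlib.sha256(b"reseed" + self.state + self.pool.digest()).digest()
        self.pool, self.pool_bits = hashlib.sha256(), 0
        return True

    def generate(self, n: int) -> bytes:
        """Stretch the current state into n output bytes."""
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.state, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        # Ratchet the state forward after each request so that a later state
        # capture does not let the attacker recompute earlier output.
        self.state = hmac.new(self.state, b"ratchet", hashlib.sha256).digest()
        return out[:n]

    def clone(self) -> "ToyReseedingPRNG":
        """Exact copy of the internal state, used here to model a compromise."""
        c = ToyReseedingPRNG.__new__(ToyReseedingPRNG)
        c.state, c.counter = self.state, self.counter
        c.pool, c.pool_bits = self.pool.copy(), self.pool_bits
        return c


def compromise_demo() -> Tuple[bool, bool]:
    """Returns (attacker predicts output before reseed, attacker predicts after reseed)."""
    victim = ToyReseedingPRNG(b"constructed-seed-do-not-reuse")
    attacker = victim.clone()                                # full state compromise now
    before = victim.generate(32) == attacker.generate(32)    # same state: prediction works
    victim.add_entropy(b"constructed timing sample 1", 64)   # pool at 64 bits: no reseed yet
    victim.add_entropy(b"constructed timing sample 2", 64)   # pool at 128 bits: reseed
    after = victim.generate(32) == attacker.generate(32)     # attacker lacks the new entropy
    return before, after
```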

------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: A future supercomputer
Date: Thu, 29 Mar 2001 05:14:10 GMT

Mok-Kong Shen wrote:

> Quisquater wrote:
> >
> > In this thread nobody was able to give any url: hot air?
> > Please if you have the news you've the link: give it.
>
>     http://www.ibm.com/news/1999/12/06.phtml
>
>     http://www.research.ibm.com/bluegene/
>
> BTW, I read that ASCI White has about 1/1000th of the estimated
> computational power of the human brain. So with Blue Gene a
> machine could have a solid foundation to attempt to compete
> with a human being.

This uses a very crude definition for "computational power of the human
brain".  A better model might be a bigger collection of stupider
processors.

The human brain has ~1e10 neurons.  So a comparable model might be 1e10
processing nodes of some moderate power.

Is a neuron smarter than a 1 MHz Z80 with 64K?  Given the sophistication
of the chemistry, almost certainly.

Is a neuron smarter than a 1GHz Alpha with 4G?  It could be, but I'd
guess not.




------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: What do we mean when we say a cipher is broken?
Date: Thu, 29 Mar 2001 05:42:58 GMT

John Myre wrote:

> Paul Crowley wrote:
> > "Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
> <snip>
> > > if the adversary cannot recover any of the
> > > hidden information then he cannot be said to have broken the system.
> <snip>
> > if there's a cheaper way than brute force for an attacker to
> > distinguish the pseudo-random stream from a truly random stream.
> <snip>
>
> And here we have a fundamental difference between "academic"
> and "practical" cryptology.  Since both ways of looking at
> the problem are useful, the terminological discrepancy is
> unfortunate.
>
> I think that in this instance I would side with the "practical"
> definition, since it is clearly a more severe condition.  If a
> cipher is "broken" by a distinquisher, does a practical break
> make it "exploded" or "incinerated" or what?  And do we say
> that RC4 is "broken"?

It may be useful to consider the term "broken" to be a variant of the
verb "to break".  Given that a cipher is expected to provide a certain work
factor ratio between the expected and unexpected recipients, one can break a
cipher multiple times by finding successively more powerful attacks.

In this light RC4 makes an interesting example.  If its first description
included the fact of the slight imbalance in the output, then was it broken
(in the sense of being imperfect) at the time of publication?  I suspect
not.

Now, if RC4's first description did not include the fact of the output
imbalance, then the revelation of the behavior of the cipher would be a
break (a hair-line crack).

If next year someone turns that imbalance into an impractical but
theoretical attack that reduces the size of the key space to be searched,
the revelation of the attack would break the cipher a little bit more.

From this perspective a broken/not broken predicate is not very useful.
Compare breaking some old rotted branch with breaking living wood.  Anyone
who has wrestled with a live branch has had an experience similar to
applying a certificational weakness as the basis for an attack -- typically
fruitless.  While solving a simple substitution is like an old, rotted
branch.  Eminently breakable.




------------------------------

Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
From: [EMAIL PROTECTED]
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be 
Date: Thu, 29 Mar 2001 06:01:25 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Tom McCune wrote:
> This attack is described as including "capturing a signed message."  Does
> this also apply to signed files?

Yes.

>  Also to "encrypted and signed"
> messages/files?

No, unless it's encrypted to the attacker's key.

== <EOF> ==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
 ^--GPG for Win32 (supports loadable modules and IDEA)
 ^---PGP 2.6.3ia-multi03 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
     AES, 3DES ciphers and MD5, SHA1, RIPEMD160 hashes)

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
