Cryptography-Digest Digest #35, Volume #14       Thu, 29 Mar 01 09:13:01 EST

Contents:
  Re: texts on factoring? (Mok-Kong Shen)
  Re: Malicious Javascript in Brent Kohler post ("Henrick Hellström")
  Re: What do we mean when we say a cipher is broken? (Mok-Kong Shen)
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Lutz Donnerhacke)
  Re: Clarification about the Czech attack to PGP (Lutz Donnerhacke)
  Re: Data dependent arcfour via sbox feedback (Mok-Kong Shen)
  Re: Breaking a DES encrypted code. (Mok-Kong Shen)
  Re: rc4 (Mok-Kong Shen)
  Re: WinZip and other Zip Archivers (Mok-Kong Shen)
  Re: Data dependent arcfour via sbox feedback ("Henrick Hellström")
  Re: texts on factoring? ("Tom St Denis")
  Re: texts on factoring? ("Tom St Denis")
  Re: anno: Open BCrypt - command line file encryptor (Juergen Thumm)
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Tom McCune)
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Lutz Donnerhacke)
  Question on the Quadratic Sieve ("Tom St Denis")
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Imad R. Faiad)
  Re: Data dependent arcfour via sbox feedback (Lassi Hippeläinen)
  Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Lutz Donnerhacke)
  Re: Strong primes ("Henrick Hellström")

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: Thu, 29 Mar 2001 10:58:31 +0200



Tom St Denis wrote:
> 

> In my homebrew program I am writing I use pollard-rho, pollard-"p-1",
> pollard-"p+1" (you can add instead of subtract in the inner loop and it
> works too) and fermat DOS.

BTW, does anyone have a pointer to a good (easily 
understandable) and sufficiently concrete explanation
of Pollard's kangaroo method? Thanks.

M. K. Shen

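A concrete version of the method Shen asks about, added here as a worked example and not taken from any post in the thread. The setting is a discrete logarithm h = g^x mod p where x is known to lie in an interval [a, b]. A "tame" kangaroo starts from g^b, a point whose exponent is known, and hops forward by pseudo-random distances that depend only on the point it stands on, recording every point it visits and the distance travelled so far. A "wild" kangaroo starts from h and hops by the same rule. Once the two have ever landed on the same point they move in lockstep, so the wild one hits the recorded trail, and comparing travelled distances gives x = b + d_tame - d_wild. The prime, generator and interval below are constructed for the demonstration; the jump table (small powers of two) and the retry loop are implementation choices, not part of Pollard's description.

```python
"""Pollard's kangaroo (lambda) method: x with h == g^x (mod p), x known to lie in [a, b]."""
from math import isqrt


def kangaroo(g, h, p, a, b, max_attempts=20):
    """Return x in [a, b] with pow(g, x, p) == h, or None if every attempt misses."""
    width = b - a
    k = max(1, isqrt(width).bit_length())     # number of distinct jump lengths
    jumps = [1 << i for i in range(k)]        # jump lengths 1, 2, 4, ... up to about sqrt(width)
    n_tame = 2 * isqrt(width) + 1             # how many hops the tame kangaroo makes

    for attempt in range(max_attempts):
        def step(y):
            # Jump length depends on the current point only, so two kangaroos that
            # ever stand on the same point take identical hops from then on.
            # 'attempt' perturbs the rule so a failed run is retried with a new trail.
            return jumps[(y + attempt) % k]

        # Tame kangaroo: starts at g^b (known exponent b) and records its trail.
        trail = {}
        y, d = pow(g, b, p), 0
        for _ in range(n_tame):
            trail[y] = d
            s = step(y)
            y, d = y * pow(g, s, p) % p, d + s
        trail[y] = d
        far = d                               # total distance the tame kangaroo travelled

        # Wild kangaroo: starts at h = g^x with x unknown. Landing on the trail means
        # g^(x + d_wild) == g^(b + d_tame), hence x = b + d_tame - d_wild.
        y, d = h, 0
        while d <= width + far:               # past this point it has overshot the trail
            if y in trail:
                x = b + trail[y] - d
                if a <= x <= b and pow(g, x, p) == h:
                    return x
            s = step(y)
            y, d = y * pow(g, s, p) % p, d + s
    return None


# Constructed demonstration parameters: 7 is a primitive root of the Mersenne prime 2^31 - 1.
P = 2**31 - 1
G = 7
SECRET_X = 123456                             # the exponent the attacker wants
H = pow(G, SECRET_X, P)
LO, HI = 100000, 200000                       # the interval the exponent is known to be in
```

The work is about sqrt(b - a) group operations regardless of the size of p, which is why a Diffie-Hellman secret exponent drawn from a short range is no safer than that range is wide. Calling `kangaroo(G, H, P, LO, HI)` on the constructed values returns `SECRET_X`.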
------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Malicious Javascript in Brent Kohler post
Date: Thu, 29 Mar 2001 11:13:22 +0200

If you want to be absolutely sure, leave it alone. An ActiveX does not have to
have been tampered with to be malicious. It might be malicious by original
design. Some ActiveX files have been signed, but do you trust VeriSign and
Microsoft enough to trust such files?

--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com

"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> "Henrick Hellström" wrote:
> >
> > An ActiveX can do virtually anything an exe can do. You might convert any
> > kind of application into an automation server, and an ActiveX control is
> > just a special case of an automation server with some additional methods in
> > its interface. That is, an ActiveX control must have entry points for
> > certain COM calls, but besides that there are few restrictions. For
> > instance, ActiveX is commonly used as a way to use components coded and
> > compiled in C++ in VB code.
>
> Thanks. Just to be entirely sure that I understand, let
> me ask once again: If I get something from the internet
> and I don't have the knowledge to examine whether it
> could be malicious, is a good virus scanner sufficient
> for protection? If not, is there any secure mechanism
> available or do I otherwise have to leave the stuff
> untouched, if I want to be absolutely secure? Thanks.
>
> M. K. Shen



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: What do we mean when we say a cipher is broken?
Date: Thu, 29 Mar 2001 11:14:56 +0200



"Trevor L. Jackson, III" wrote:
> 
[snip]
> From this perspective a broken/not broken predicate is not very useful.
> Consider breaking some old rotted branch with breaking living wood.  Anyone
> who has wrestled with a live branch has had an experience similar to
> applying a certificational weakness as the basis for an attack -- typically
> fruitless.  While solving a simple substitution is like an old, rotted
> branch.  Eminently breakable.

Good point. I think though that a term like 'theoretically
broken' could convey the fact that a currently impractical
attack has been found.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (Lutz Donnerhacke)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: 29 Mar 2001 09:15:39 GMT

* [EMAIL PROTECTED] wrote:
>Lutz Donnerhacke wrote:
>> * Rich Wales wrote:
>> >I'm not sure whether this single test suffices to make PGP 2.6.3ia
>> >immune to the ICZ attack or not.
>> 
>> It does not.
>
>why ?

The Czech attack modifies u (pInv). Is it that hard to read a paper before
discussing it?

>your test does the same thing (checks if n==pq), doesn't it ?

No. The n=pq test is made to prevent a mountable buffer overflow by a
variant of this attack.

>(another part of your test checks if sig is valid after signing)

That's the point. Please read the Bellcore paper about DFA. It introduces
the theory used by the Czech guy. The really new idea is to modify the
secret key data instead of penetrating the ALU.

------------------------------

From: [EMAIL PROTECTED] (Lutz Donnerhacke)
Subject: Re: Clarification about the Czech attack to PGP
Date: 29 Mar 2001 09:16:48 GMT

* Volker Hetzer wrote:
>Lutz Donnerhacke wrote:
>> PGP was created on a set of principles:
>>   1 Run on a single user, single tasking OS without networking capabilities.

>Email encryption without network capabilities and for one user?

PGP runs on another machine than the network.


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Thu, 29 Mar 2001 11:22:52 +0200



Lassi Hippeläinen wrote:
> 

> Please remember that the EPO is NOT the Patent Office of the EU. Both
> have common member countries, but both also have members that are not
> members in the other one. They are independent international
> organisations with different charters.

Your 'both' suggests that there is a 'Patent Office of the EU'.
Are you sure?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Breaking a DES encrypted code.
Date: Thu, 29 Mar 2001 11:42:27 +0200



William Hugh Murray wrote:
> 
> John Savard wrote:
> 

> > Either you know the original plaintext - a "known-plaintext" attack -
> > or you have partial knowledge of it. For example, the plaintext might
> > be uncompressed ASCII characters. In that case, have, say, seven
> > blocks of ciphertext, and for each key, decrypt as many of them in
> > turn as needed until you find the MSB of any byte equal to 1; if all
> > are zero, you may have found the right key.
> 
> Which is why it is bad practice to encrypt a message with a strong and obvious
> pattern like ASCII characters.  One should always hide any exploitable pattern in
> the plaintext before encrypting it.

On the other hand, eliminating the patterns before 
encryption does involve cost. It seems to be the opinion 
of many that, if one has a sufficiently strong cipher,
one needn't care about that.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: rc4
Date: Thu, 29 Mar 2001 11:42:37 +0200



Edmond Ho wrote:
> 
> Could someone point me to an authentic version of RC4 C source code? I
> currently have two compiled versions that are incompatible (ie, the
> ciphertext from one does not decrypt properly with the other). The source
> code that I currently have is from
> http://www.cypherspace.org/~adam/rsa/rc4c.html (the first one) and
> http://www.cypherspace.org/~adam/rsa/rc4.c. Thanks in advance.

RC4 is proprietary. So, if you don't get it from RSA,
you could hardly have any absolute guarantee of authenticity.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: WinZip and other Zip Archivers
Date: Thu, 29 Mar 2001 11:42:32 +0200



[EMAIL PROTECTED] wrote:
> 

> Zip encryption is weak (although it's better than just xoring);
> there is a known-plaintext attack that requires only 13 known bytes,
> and then it can be broken in a few hours.
> 
> but there are some other archivers that use better crypto

Could you name one/some? (BTW, an archiver that has apparently
quite nice functionalities and is free is Powerarchiver, 
though I know nothing about its crypto feature.)

M. K. Shen

------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Thu, 29 Mar 2001 12:38:57 +0200

No, I am not sure. EU patents were one of the issues at the Stockholm summit
recently, and I recall that no consensus was reached. It appears as if EPO
is what Lassi Hippeläinen says it is, an international organization.
However, what I stated about its authority seems to be true. EPO does not in
general have the authority to issue any patents, but only takes care of
the application process in the member states. Hence, an EPO "European
patent" is not valid in a particular state until the national patent office
in that state has approved the application.

Corrections, anyone?

--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com

"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Lassi Hippeläinen wrote:
> >
>
> > Please remember that the EPO is NOT the Patent Office of the EU. Both
> > have common member countries, but both also have members that are not
> > members in the other one. They are independent international
> > organisations with different charters.
>
> Your 'both' suggests that there is a 'Patent Office of the EU'.
> Are you sure?
>
> M. K. Shen



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: Thu, 29 Mar 2001 11:07:23 GMT


"Stefan Katzenbeisser" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
>
> > I have read a few papers on the NFS; a lot of it is not complete... i.e. they
> > use sentences and say "See [14] for more".  I will pick up Koblitz book
> > tomorrow (well I will order it then) and read up...
>
> You might also try to read
> ftp://ftp.informatik.th-darmstadt.de/pub/TI/lecture_notes/factoring.ps.gz
> The text is really a good introduction to the field. The first 2.5 sections
> should be readable with only a basic understanding of number theory...

This is a cool paper :-)

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: texts on factoring?
Date: Thu, 29 Mar 2001 11:10:54 GMT


"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> writes:
> > I have read a few papers on the NFS; a lot of it is not complete... i.e. they
> > use sentences and say "See [14] for more".  I will pick up Koblitz book
> > tomorrow (well I will order it then) and read up...
>
> Tom, there are a bunch of articles in various places that explain the
> NFS in general terms.  That's nice for some purposes but I'm assuming
> you want to actually understand the algorithms to the level of being
> able to implement them from knowledge of how they work (rather than
> typing in formulas).  I think the NFS is far too complicated to
> understand at your current math level.  The more elementary methods
> including the ECM are probably within reach.

True.  I have implemented all the factoring algorithms from Knuth except the
continued fraction one.  I get the basics behind the math, currently trying
to teach myself the QS method.  I get how it works I just don't get how the
matrix is formed (I have a paper that gives an example but I am not sure...)

> As for algebra books, I've seen Artin's and liked it; Fraleigh's is
> widely used but I'm not so crazy about it.  I used van der Waerden's
> which is a classic, but I think considered fuddy duddy by today's
> standards.  Herstein has a new one that looks good--his earlier
> "Topics in Algebra" is wonderful, but maybe a little hard to get
> started with.  It's often helpful to get several books and flip
> between them when the explanation of a topic is confusing.

I have a few books on Algebra already I will check out some more later...
first I want to get Koblitz.

> Finally I like the book "Concrete Mathematics" by Knuth, Graham, and
> Patashnik, though it's not an algebra book.  It's mostly the same math
> you get by osmosis from Knuth TAOCP vol 1, but presented in a slower
> paced and more organized way.
>
> You're probably at the point where you should be taking university
> math classes.  Can your high school set you up with something like
> that?

I am not in high school anymore I graduated in January.  Stuck going to
college in May ... joy...

Thanks for the reply,
Tom




------------------------------

From: Juergen Thumm <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,comp.security.unix
Subject: Re: anno: Open BCrypt - command line file encryptor
Date: Thu, 29 Mar 2001 13:37:16 +0200

no, it's not.

the concept of CipherSaber is fascinating, on first look -
due to its simplicity - also a principle of Open BCrypt.

unfortunately, CipherSaber is *too* simple.

-  with a combined dictionary/brute-force attack,
   using, let's say, a 200,000-word dictionary and a small array
   of GHz Pentiums, it should be a matter of minutes
   to crack stuff encrypted with CipherSaber
   and a medium-complex passphrase like 'dogbert493cheez'.

   not due to rc4 weaknesses, of course -
   but as there are no delaying steps in the mapping
   from passphrase to the rc4 key,
   the attacker can try an excessive number of passphrases in a short time.

-  tampering is not detected. random bit flips in the
   encrypted data will lead to flipped bits in the decrypted output.

-  file truncation is not checked for. cutting bytes
   from the encrypted data leads to truncated decrypted output.

-  and to split some hairs, it will not care about ASCII/EBCDIC
   passphrase conversion on os/390.

to repeat, the idea of CipherSaber really is good, to teach people
about security. but only with some disclaimers in the same sentence.

regards,
   juergen thumm



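Two posts in this digest touch RC4: Edmond Ho asks for a reference RC4 implementation to check his two incompatible versions against, and Juergen Thumm lists what CipherSaber adds to RC4 and where it falls short. The following added example covers both; it is not code from either poster, nor from the CipherSaber or Open BCrypt projects. It gives an RC4 routine that can be checked against the published test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3), CipherSaber-1 on top of it (RC4 keyed with passphrase || 10-byte IV, the IV sent in the clear), and functions that exhibit the three weaknesses in the post: a dictionary attack whose only cost per guess is one RC4 key setup, a single bit flip in the ciphertext that shows up as the same bit flipped in the plaintext, and silent truncation. The passphrase, IV, message and word list are constructed for the demonstration.

```python
"""RC4 (checkable against a published test vector), CipherSaber-1 on top of it, and the
three weaknesses named in the thread: unstretched passphrase, bit flips, truncation."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling algorithm, then the keystream generator XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def ciphersaber_encrypt(passphrase: str, plaintext: bytes, iv: bytes) -> bytes:
    """CipherSaber-1: RC4 keyed with passphrase || 10-byte IV; the IV is sent in the clear."""
    if len(iv) != 10:
        raise ValueError("CipherSaber IV must be 10 bytes")
    return iv + rc4(passphrase.encode() + iv, plaintext)


def ciphersaber_decrypt(passphrase: str, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:10], ciphertext[10:]
    return rc4(passphrase.encode() + iv, body)


def dictionary_attack(ciphertext: bytes, known_prefix: bytes, candidates):
    """Recover the passphrase from a guessable plaintext header. One RC4 key setup
    per guess is the entire cost: there is no deliberately slow passphrase-to-key step.
    Returns (passphrase, number_of_tries) or (None, tries) if the list is exhausted."""
    iv, head = ciphertext[:10], ciphertext[10:10 + len(known_prefix)]
    for tries, guess in enumerate(candidates, 1):
        if rc4(guess.encode() + iv, head) == known_prefix:
            return guess, tries
    return None, len(candidates)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Flip one ciphertext bit. With a stream cipher and no MAC, exactly that
    plaintext bit flips on decryption and nothing reports it."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


# Constructed sample: fixed IV (never reuse one in practice), a message with a
# predictable header, and a short word list containing the passphrase.
PASSPHRASE = "dogbert493cheez"
IV = bytes(range(10))
MESSAGE = b"-----BEGIN PGP MESSAGE-----\nTransfer $100 to account 42\n"
CIPHERTEXT = ciphersaber_encrypt(PASSPHRASE, MESSAGE, IV)
WORDLIST = ["password", "dogbert", "dogbert493", "dogbert493cheez", "cheez"]
```

`rc4(b"Key", b"Plaintext").hex()` must give `bbf316e8d940af0ad3`; an implementation that disagrees is the one with the bug. `dictionary_attack(CIPHERTEXT, b"-----BEGIN", WORDLIST)` returns the passphrase after four trials, flipping bit 1 of the ciphertext byte under the "1" of "$100" turns the decrypted amount into "$300", and `ciphersaber_decrypt(PASSPHRASE, CIPHERTEXT[:-20])` returns the message minus its last 20 bytes with no error.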
------------------------------

Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
From: Tom McCune <[EMAIL PROTECTED]>
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: Thu, 29 Mar 2001 11:46:28 GMT

-----BEGIN PGP SIGNED MESSAGE-----

In article <[EMAIL PROTECTED]>, Imad R. Faiad
<[EMAIL PROTECTED]> wrote:

>I can confirm that validation tests are performed
>for RSA private keys prior to using them in PGP
>5.0, 5.5.3, 6.0.2, 6.5.1, and 6.5.8.
>
>Hope the above helps.

Yes - thank you very much.  

I understand that 2.6.3ia also does a check.  If 2.6.2 also does, that
would seem to cover nearly all RSA usage.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
Comment: My PGP Page & FAQ: http://www.McCune.cc

iQEVAwUBOsMhCjYk/PXew/BzAQEj6Af+IAS3802fBIm/q+yKcqIp7AekUfkeeVZR
6q4u3iTvCrBgI2qRs8YrON1tY8AwGNVJ7QRr/OHgKYag4woLAZRU1NGkK2Z66ReB
f5o2pJpd/0fP+n5EoWEPLt7rmG1WDMRwsgDez/fy44+5tAxD72zzhNDl+5Bk4u5R
E6XmIZ1gvRapJQd8Z1ObHuFE9fkYnEsg/sUXWWImX+0B3aXMuspcumbzVfy63el/
yb08FF5/4xqmq8kwutCVLz7268jB2ZdI5wBMjch49QQhKyqaNgaZZJ9wkfUFTZNK
/djI0xfWkHebpZ8v5ywLZSfjGAZbwxe7XAdIvu+LUR/Gh9O/ryCLmA==
=MzBw
-----END PGP SIGNATURE-----


------------------------------

From: [EMAIL PROTECTED] (Lutz Donnerhacke)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: 29 Mar 2001 12:04:02 GMT

* Tom McCune wrote:
><[EMAIL PROTECTED]> wrote:
>>I can confirm that validation tests are performed
>>for RSA private keys prior to using them in PGP
>>5.0, 5.5.3, 6.0.2, 6.5.1, and 6.5.8.
>>
>>Hope the above helps.
>
>Yes - thank you very much.  
>
>I understand that 2.6.3ia also does a check.  If 2.6.2 also does, that
>would seem to cover nearly all RSA usage.

Unless somebody really reads the attack paper, you may discuss everything you
like but gain no protection: The attacked secret key holds (sic!) the
following equations: n = p*q, e*d % n = 1, but not u*p % q = 1.

DAMNED. If such messages occur more often, I'll choose another field to play in.

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Question on the Quadratic Sieve
Date: Thu, 29 Mar 2001 13:19:12 GMT

Please forgive my misunderstandings if any...

If I get the QS right you are trying to find a pair X, Y in Zn (n = # to
factor) such that X != +/- Y, and X^2 = Y^2 mod n.  This is because if this
is true then (x - y)(x + y) = kn and then (x-y) might be a divisor of n.

Then the idea progresses by trying to find numbers Xi and their roots Yi
such that Xi^2 = Yi (mod p).  My first question is how do you pick these
numbers (Xi I mean)?  Are you picking numbers that are small AND have
residues or ?? Second question is what is p?  Is that an element of the
factor base (i.e the list of small primes chosen)?  Once you find all the
residues how do you make use of them?

Then you are supposed to form a polynomial such as

product from {i=0 to l} of Xi^(Ei) is equal to the product from {i=0 to l}
Yi^(Fi) (all mod n).

Several questions here (first is that even remotely right?)  first I know
that Ei and Fi must sum to 0 mod 2 (i.e even powers).  But how do you pick
Ei and Fi?  As I understand it the correct pattern of Ei and Fi (or is there
only one bit string?) comes from gauss reducing a binary matrix?  How do you
build this matrix?

I really just want to get into the gist of things.  I know I probably have
gotten this all wrong so if you reply: be kind :-)

Thanks
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



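Tom's questions, answered in an added worked example; this is not code from any poster or from the papers mentioned in the thread. In the quadratic sieve the x_i are consecutive integers starting at x0 = ceil(sqrt(n)), and the number one tries to factor over the factor base is Q(x) = x^2 - n, which is small because x is close to sqrt(n); so the relation is x_i^2 ≡ Q(x_i) (mod n), not mod p, and "p" ranges over the factor-base primes. Only primes for which n is a square mod p can ever divide a Q(x), and for each such p the roots of t^2 ≡ n (mod p) say exactly which x are divisible, which is what makes sieving rather than trial division possible. Each Q(x) that factors completely becomes one row of the matrix: its exponent vector over the factor base reduced mod 2. Gaussian elimination over GF(2) finds a subset of rows summing to zero, i.e. relations whose Q(x_i) multiply to a perfect square; X is the product of those x_i and Y the square root of the product of the Q(x_i) (half of each summed exponent), giving X^2 ≡ Y^2 (mod n) and a factor from gcd(X - Y, n) unless X ≡ ±Y. The inputs 15347 and 8051 are textbook-sized constructed examples; bound and interval are tuning choices for such tiny n.

```python
"""Toy quadratic sieve: consecutive x >= ceil(sqrt(n)), Q(x) = x^2 - n, a factor base,
the GF(2) exponent matrix, and the final X^2 == Y^2 (mod n) congruence."""
from math import gcd, isqrt


def small_primes(bound):
    """Primes <= bound by the sieve of Eratosthenes."""
    flags = bytearray([1]) * (bound + 1)
    flags[0:2] = b"\x00\x00"
    for i in range(2, isqrt(bound) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i, f in enumerate(flags) if f]


def factor_base(n, bound):
    """Keep only primes for which n is a square mod p; any other prime never divides Q(x)."""
    return [p for p in small_primes(bound) if p == 2 or pow(n, (p - 1) // 2, p) == 1]


def sqrt_mod(n, p):
    """All t in [0, p) with t^2 == n (mod p). Brute force is fine for a tiny factor base."""
    return [t for t in range(p) if (t * t - n) % p == 0]


def sieve_relations(n, fb, interval):
    """Sieve Q(x) = (x0 + x)^2 - n for 0 <= x < interval. Returns (x0 + x, exponent vector
    over fb) for every Q that factors completely over the factor base."""
    x0 = isqrt(n) + 1                                # first x with Q(x) > 0
    q = [(x0 + x) ** 2 - n for x in range(interval)]
    exps = [[0] * len(fb) for _ in range(interval)]
    for j, p in enumerate(fb):
        for r in sqrt_mod(n, p):                     # p | Q(x) exactly when x0 + x == r (mod p)
            for x in range((r - x0) % p, interval, p):
                while q[x] % p == 0:                 # divide out every power of p
                    q[x] //= p
                    exps[x][j] += 1
    return [(x0 + x, exps[x]) for x in range(interval) if q[x] == 1]


def gf2_dependencies(masks):
    """Gaussian elimination over GF(2). masks[i] is relation i's exponent vector mod 2 packed
    as a bitmask. Yields lists of relation indices whose vectors sum to zero."""
    pivots = {}                                      # lowest set bit -> (reduced mask, combination)
    for i, m in enumerate(masks):
        combo = 1 << i                               # which original relations make up m
        while m:
            low = m & -m
            if low not in pivots:
                pivots[low] = (m, combo)
                break
            pm, pc = pivots[low]
            m ^= pm
            combo ^= pc
        if m == 0:
            yield [k for k in range(len(masks)) if combo >> k & 1]


def quadratic_sieve(n, bound=30, interval=200):
    """Return the two factors of n from the first dependency that gives a nontrivial gcd."""
    fb = factor_base(n, bound)
    rels = sieve_relations(n, fb, interval)
    masks = [sum((e & 1) << j for j, e in enumerate(vec)) for _, vec in rels]
    for dep in gf2_dependencies(masks):
        X, total = 1, [0] * len(fb)
        for k in dep:
            x, vec = rels[k]
            X = X * x % n
            total = [a + b for a, b in zip(total, vec)]
        Y = 1                                        # every summed exponent is even here
        for p, e in zip(fb, total):
            Y = Y * pow(p, e // 2, n) % p if False else Y * pow(p, e // 2, n) % n
        g = gcd(X - Y, n)
        if 1 < g < n:
            return tuple(sorted((g, n // g)))
    return None
```

For n = 15347 the factor base with bound 30 is [2, 17, 23, 29] (3, 5, 7, 11, 13 and 19 drop out because 15347 is not a square modulo them), and `quadratic_sieve(15347)` returns (103, 149). Real implementations differ in scale, not in shape: a far larger factor base, multiple polynomials, sieving with logarithms instead of exact division, and structured (block Lanczos) rather than dense elimination.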
------------------------------

From: Imad R. Faiad <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: Thu, 29 Mar 2001 16:19:44 +0200

-----BEGIN PGP SIGNED MESSAGE-----

Greetings,

The following checks are performed in
PGP 5.0 and above:-

d < n
p is odd
q is odd
n=p*q
d*e = 1 mod (p-1)
d*e = 1 mod (q-1)
p^-1 mod q < q
(p^-1 mod q ) * p = 1 mod q

Shouldn't the above be sufficient to render
such attacks useless?

Just wondering.

Best Regards

Imad R. Faiad
On 29 Mar 2001 12:04:02 GMT, in comp.security.pgp.discuss [EMAIL PROTECTED]
(Lutz Donnerhacke) wrote:

>* Tom McCune wrote:
>><[EMAIL PROTECTED]> wrote:
>>>I can confirm that validation tests are performed
>>>for RSA private keys prior to using them in PGP
>>>5.0, 5.5.3, 6.0.2, 6.5.1, and 6.5.8.
>>>
>>>Hope the above helps.
>>
>>Yes - thank you very much.  
>>
>>I understand that 2.6.3ia also does a check.  If 2.6.2 also does, that
>>would seem to cover nearly all RSA usage.
>
>Unless somebody really reads the attack paper, you may discuss everything
>you like but gain no protection: The attacked secret key holds (sic!) the
>following equations: n = p*q, e*d % n = 1, but not u*p % q = 1.
>
>DAMNED. If such messages occur more often, I'll choose another field to play
>in. 

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBOsMoMbzDFxiDPxutAQGJmQgAg4kHDkL1BlfyGoJYOVQ9YFO7zEc7Lxfp
lRiaOiIUoDPKDdiqovQjEWQcJSPoPAlf4lL4+iNuL+frMCJJhj1AzcN7lFeukMPW
beB/ph/WaIGv1/7ak/+pGbx/Fkv5dbLngpiytVcKdGOoHTbNo4tq2qRL23TfRipX
s4DOIMTy4gvxQDRPA7ZZEJ3j1sfPu3WWua7Kf5afVFyDYvI/kUdC/UrfjJ3SJ5YT
F7gnXyKYu1fGhXy/e2AWWV0DDEKbtAWtnQKz09ygLfnNuGSfNT6tpH1trhnrs5q4
v5f9dH8xZOwqAZj6M6wfRkoLaBmCRmzgit0ihcVP0moaKNLwlO9WdQ==
=PrwT
-----END PGP SIGNATURE-----


------------------------------

From: Lassi Hippeläinen <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Thu, 29 Mar 2001 13:37:01 GMT

Mok-Kong Shen wrote:
> 
> Lassi Hippeläinen wrote:
> >
> 
> > Please remember that the EPO is NOT the Patent Office of the EU. Both
> > have common member countries, but both also have members that are not
> > members in the other one. They are independent international
> > organisations with different charters.
> 
> Your 'both' suggests that there is a 'Patent Office of the EU'.
> Are you sure?
> 
> M. K. Shen

Sorry, a slip of a non-native speaker. 'Both' refers to EPO and EU.
AFAIK, there is no "EU Patent Office."

-- Lassi

------------------------------

From: [EMAIL PROTECTED] (Lutz Donnerhacke)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: 29 Mar 2001 13:33:36 GMT

* Imad R. Faiad wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>The following checks are performed in
>PGP 5.0 and above:-
>
>d < n
>p is odd
>q is odd
>n=p*q
>d*e = 1 mod (p-1)
>d*e = 1 mod (q-1)
>p^-1 mod q < q
>(p^-1 mod q ) * p = 1 mod q

p^-1 mod q is stored as u.

>Shouldn't the above be sufficient to render
>such attacks useless?

They are enough. But if someone really checks all these points, I won't
trust the resulting product.

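The check list Imad Faiad quotes, together with Lutz Donnerhacke's point that the attack targets the stored u = p^-1 mod q and rests on the Bellcore fault-analysis result, worked through in an added example; this is not code from PGP or from any poster. It builds a toy RSA secret key in the OpenPGP layout (n, e, d, p, q, u), implements the eight checks as one function, signs with the usual CRT recombination that uses u, and then shows what happens when u is altered and the checks are skipped: the signature is wrong modulo q but still right modulo p, so s^e - m shares the factor p with n and a single gcd recovers it. The primes, public exponent and message value are constructed, and `tamper_u` is a stand-in for an attacker who can rewrite the stored u.

```python
"""RSA secret-key consistency checks before CRT signing, and why a wrong u leaks a factor."""
from math import gcd

# Constructed toy key material: two Mersenne primes, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537
MSG = 0x1234567890ABCDEF        # constructed stand-in for an already hashed and padded message


def make_key(p=P, q=Q, e=E):
    """Secret key in the OpenPGP layout: n, e, d, p, q and u = p^-1 mod q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q, "u": pow(p, -1, q)}


def validate_secret_key(k):
    """The eight checks listed in the thread for PGP 5.0 and later."""
    n, e, d, p, q, u = (k[x] for x in "nedpqu")
    return (d < n
            and p % 2 == 1
            and q % 2 == 1
            and n == p * q
            and d * e % (p - 1) == 1
            and d * e % (q - 1) == 1
            and u < q
            and u * p % q == 1)


def sign_crt(k, m):
    """m^d mod n the fast way: separately mod p and mod q, recombined with the stored u."""
    p, q, d, u = k["p"], k["q"], k["d"], k["u"]
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    h = (sq - sp) * u % q
    return sp + p * h               # Garner: == sp (mod p) always, == sq (mod q) only if u is right


def verify(k, m, s):
    """Public-key check; run it on every signature before it leaves the process."""
    return pow(s, k["e"], k["n"]) == m % k["n"]


def factor_from_faulty_signature(n, e, m, s_bad):
    """Bellcore-style fault attack: a CRT signature wrong only modulo q still satisfies
    s^e == m (mod p), so gcd(s^e - m, n) is p."""
    return gcd((pow(s_bad, e, n) - m) % n, n)


def tamper_u(k):
    """Model the attack: change the stored u while n, e, d, p and q stay intact."""
    return dict(k, u=(k["u"] + 1) % k["q"])
```

On the constructed key `validate_secret_key` accepts the genuine key and rejects the tampered one on the last check (u*p mod q != 1) while the first seven still pass; without the check, `sign_crt(tamper_u(k), MSG)` yields a signature that `verify` rejects and from which `factor_from_faulty_signature` returns P. Verifying after signing catches the same fault at the price of one public-key operation per signature; whichever check is used has to run before the faulty value is ever emitted, since the attacker only needs to see one.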
------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Strong primes
Date: Thu, 29 Mar 2001 16:06:43 +0200

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:39vw6.156761$[EMAIL PROTECTED]...
>
> "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> news:P_tw6.156323$[EMAIL PROTECTED]...
> > And more exactly, it's the kind of primes where q is prime and so is p = 2q + 1.
> > That way q is a large sub-group of Z*p.
>
> Err.. that's Z*q is a large sub-group of Z*p.


No. If p = 2q+1, then there is a subgroup of Z*(p) of order q, but it is
usually not Z*(q). For instance, it is possible to select p so that 2 is a
generator of Z*(p), and 2 is a member of Z*(q).

Example: The subgroup of Z*(5) of order 2 consists of {1,4}.

--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com


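An added example (not from either poster) making the distinction concrete: for a safe prime p = 2q + 1 the subgroup of Z*_p of order q is the set of quadratic residues mod p, which is a different set from Z*_q = {1, ..., q-1}. The element-order routine lets one see both halves of Henrick's remark: for p = 11 (q = 5) the element 2 generates all of Z*_11, while for p = 23 (q = 11) the same element 2 has order 11 and so lies in the subgroup. Checking that a Diffie-Hellman generator has order q is exactly this computation, done with a single exponentiation g^q mod p == 1 once p is too large to enumerate.

```python
"""Safe prime p = 2q + 1: the order-q subgroup of Z*_p versus the group Z*_q."""


def is_prime(n):
    """Trial division; only tiny p are used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n**0.5) + 1))


def is_safe_prime(p):
    return is_prime(p) and is_prime((p - 1) // 2)


def element_order(g, p):
    """Multiplicative order of g modulo the prime p, by repeated multiplication."""
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


def order_q_subgroup(p):
    """For p = 2q + 1 the unique subgroup of order q is the set of squares mod p."""
    if not is_safe_prime(p):
        raise ValueError("expects a safe prime")
    return {pow(x, 2, p) for x in range(1, p)}


def z_star(q):
    """Z*_q for prime q: every nonzero residue."""
    return set(range(1, q))


def has_order_q(g, p):
    """The parameter check one runs on a DH generator: g^q == 1 (mod p) and g != 1."""
    q = (p - 1) // 2
    return g % p != 1 and pow(g, q, p) == 1
```

`order_q_subgroup(5)` is {1, 4}, Henrick's example; `order_q_subgroup(23)` is {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}, eleven elements that are not the set {1, ..., 10} one would get from Z*_11.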

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
