Cryptography-Digest Digest #40, Volume #14 Fri, 30 Mar 01 03:13:00 EST
Contents:
Re: How good are ... ? ("Douglas A. Gwyn")
Re: Encryption of Encrypted Material results in strength??? ("Douglas A. Gwyn")
Re: An extremely difficult (possibly original) cryptogram ("Douglas A. Gwyn")
Re: An extremely difficult (possibly original) cryptogram (daniel mcgrath)
Re: An extremely difficult (possibly original) cryptogram (Jim Gillogly)
Re: Data dependent arcfour via sbox feedback (Benjamin Goldberg)
Re: Malicious Javascript in Brent Kohler post (Benjamin Goldberg)
Re: An extremely difficult (possibly original) cryptogram (daniel mcgrath)
BIJECTIVE RIJNDAEL WITH AUTHENTICATION (SCOTT19U.ZIP_GUY)
Re: Idea - (LONG) ("John A. Malley")
Re: Idea - (LONG) ("John A. Malley")
Re: Idea - (LONG) (SCOTT19U.ZIP_GUY)
Re: Idea - (LONG) ("John A. Malley")
Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged (Rich Wales)
----------------------------------------------------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: How good are ... ?
Date: Fri, 30 Mar 2001 00:12:13 GMT
Peter Engehausen wrote:
> How strong are ciphers that work *only* with pseudorandom numbers...?
> It surely depends on the generator, but if it's an average one,
> initialized by a good pass phrase?
> How can they be broken? Any useful links or papers known?
There are numerous articles in the literature; I found at
least six in the index to Cryptologia alone.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Encryption of Encrypted Material results in strength???
Date: Fri, 30 Mar 2001 00:15:30 GMT
Jim Gillogly wrote:
> Curtis Williams wrote:
> > ... if I encrypt plaintext P with Mars, and then using a separate
> > ... pass phrase, encrypt the resultant ciphertext with twofish, is
> > the resultant strength less than the original encryption?
> No.
More precisely, there is no reason to think so, and considerable
reason to think otherwise. (More key entropy is used, and it would
take a remarkable amount of "resonance" of the two encryption methods
to offset that advantage.)
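A toy illustration of the "resonance" caveat above, added here and not part of the original thread: a cascade adds key entropy only when the composed permutations are not already reachable with a single key of one of the ciphers. The shift (Caesar) and multiplicative ciphers over a 26-letter alphabet are constructed for this example. Shift followed by shift is still a shift (26 distinct maps from 676 key pairs, no gain), whereas shift followed by multiplication realizes all 312 affine maps, the full product of the two key spaces. (For DES, Campbell and Wiener showed in 1992 that its permutations do not form a group, so the degenerate case does not apply to it.)

```python
"""Does encrypting twice add strength? Count the distinct permutations a cascade realizes.

Two toy cipher families over a 26-letter alphabet (constructed for this example):
  shift(k, p)    = p + k mod 26   (Caesar; 26 keys; closed under composition, i.e. a group)
  multiply(k, p) = k * p mod 26   (12 keys, the units mod 26; also a group)
A cascade second(k2, first(k1, .)) over all key pairs realizes some set of permutations
of the alphabet; log2 of that set's size is the effective key entropy of the cascade.
"""
from itertools import product
from math import gcd, log2

ALPHABET = 26


def shift(k, p):
    return (p + k) % ALPHABET


def multiply(k, p):
    return (k * p) % ALPHABET


SHIFT_KEYS = range(ALPHABET)
MULT_KEYS = [k for k in range(ALPHABET) if gcd(k, ALPHABET) == 1]  # 12 keys


def cascade_permutations(first, keys1, second, keys2):
    """Set of plaintext->ciphertext maps produced by applying `first` then `second`."""
    return {
        tuple(second(k2, first(k1, p)) for p in range(ALPHABET))
        for k1, k2 in product(keys1, keys2)
    }


def effective_key_bits(first, keys1, second, keys2):
    """(#distinct maps, #key pairs, log2 of each): how much of the key space survives."""
    distinct = len(cascade_permutations(first, keys1, second, keys2))
    pairs = len(keys1) * len(keys2)
    return distinct, pairs, log2(distinct), log2(pairs)


if __name__ == "__main__":
    cases = {
        "shift then shift": (shift, SHIFT_KEYS, shift, SHIFT_KEYS),
        "multiply then multiply": (multiply, MULT_KEYS, multiply, MULT_KEYS),
        "shift then multiply": (shift, SHIFT_KEYS, multiply, MULT_KEYS),
    }
    for name, (c1, ks1, c2, ks2) in cases.items():
        d, n, db, nb = effective_key_bits(c1, ks1, c2, ks2)
        print(f"{name:24s} {d:4d} distinct maps from {n:4d} key pairs "
              f"({db:.1f} of {nb:.1f} bits)")
```

For two unrelated modern ciphers with independent keys, the composed permutations are essentially never reachable by a single key of either, which is the "considerable reason to think otherwise" in the reply above; the group case is the pathological exception the count makes visible.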
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: An extremely difficult (possibly original) cryptogram
Date: Fri, 30 Mar 2001 00:18:36 GMT
daniel mcgrath wrote:
> Jim, Doug -- how are you doing?
I'm not working on it; I have other projects.
------------------------------
From: [EMAIL PROTECTED] (daniel mcgrath)
Crossposted-To: rec.puzzles
Subject: Re: An extremely difficult (possibly original) cryptogram
Date: Fri, 30 Mar 2001 00:47:01 GMT
On Thu, 29 Mar 2001 23:05:46 +0000, Jim Gillogly <[EMAIL PROTECTED]> wrote:
>daniel mcgrath wrote:
>
>> Jim, Doug -- how are you doing?
>
>I've moved on again. See, for example, the challenge cryptogram at:
>http://www.theregister.co.uk/content/28/17882.html
So when will you get back to my cryptograms?
==================================================
daniel g. mcgrath
a subscriber to _word ways: the journal of recreational linguistics_
http://www.wordways.com/
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: An extremely difficult (possibly original) cryptogram
Date: Thu, 29 Mar 2001 17:27:46 -0800
daniel mcgrath wrote:
> So when will you get back to my cryptograms?
I don't know. There are lots of interesting things to work on.
Have you looked at the Voynich Manuscript, for example?
However, you still haven't given your impressions of this paragraph,
which several of us have said in different words.
>> As people (including me) keep saying, a very strong
>>algorithm will still be strong even if everything except the key
>>used for that message has been totally exposed. Even if you give
>>away the plaintext to all but the last 10% of a message, this
>>should give the cryptanalyst no help in decrypting the last 10%.
>>A few people enjoy working on ciphertext-only challenges in unknown
>>cipher systems, but for most that gets very old in a hurry.
--
Jim Gillogly
Sterday, 8 Astron S.R. 2001, 01:24
12.19.8.1.13, 7 Ben 16 Cumku, Sixth Lord of Night
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Fri, 30 Mar 2001 02:36:01 GMT
Henrick Hellström wrote:
>
> "Terry Ritter" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
[snip]
> > Once again note that the IDEA cipher is patented in both the US and
> > Europe, and obviously does control software implementation of IDEA
> > in Europe. Consequently, this is not a US issue, nor is it new in
> > either patents or cryptography.
>
> Could you please tell me in what European country IDEA is patented?
> Monaco? Liechtenstein? Andorra? Malta? ;-)
The Principality of Sealand?
The Duchy of Grand Fenwick?
--
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Malicious Javascript in Brent Kohler post
Date: Fri, 30 Mar 2001 03:13:42 GMT
Darren New wrote:
>
> > Thanks. If that's the worst thing to be expected from
> > any javascript, then I wouldn't care.
>
> It's not. That just happens to be what this piece did. And every
> Javascript implementation is different, so what they can do varies.
> You probably don't even want your email address being posted up on a
> web site by the javascript.
>
> > Allow me another
> > question of ignorance: What about stuffs that contains
> > ActiveX? (I have no knowledge of ActiveX at all.)
>
> As far as I understand it, an ActiveX thingie is a raw executable
> running with your permissions when you run it. The only protection is
> that it's signed. But it's quite capable in general of deleting all
> your files after uploading them to someone else, installing new
> software, etc.
And for that matter, the fact that an ActiveX thingie is signed is no
protection whatsoever. It being signed only means that you can identify
the person who wrote it, not that it won't screw you over. And if the
author of the malicious code is smart, it will likely erase itself
(signature and all) after it's done its dirty work, so you'll have to
rely on your own fallible memory to know where it came from.
--
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.
------------------------------
From: [EMAIL PROTECTED] (daniel mcgrath)
Crossposted-To: rec.puzzles
Subject: Re: An extremely difficult (possibly original) cryptogram
Date: Fri, 30 Mar 2001 04:37:36 GMT
On Thu, 29 Mar 2001 17:27:46 -0800, Jim Gillogly <[EMAIL PROTECTED]> wrote:
>However, you still haven't given your impressions of this paragraph,
>which several of us have said in different words.
>
>>> As people (including me) keep saying, a very strong
>>>algorithm will still be strong even if everything except the key
>>>used for that message has been totally exposed. Even if you give
>>>away the plaintext to all but the last 10% of a message, this
>>>should give the cryptanalyst no help in decrypting the last 10%.
>>>A few people enjoy working on ciphertext-only challenges in unknown
>>>cipher systems, but for most that gets very old in a hurry.
I already 72361 you about 71112 general system 0263205 used, didn't 3?
"7. He further said:
The system used is one of changing bases (base 10 is derived from
another base).
Internally, it's all binary (base 2)."
I'll give 94091 another hint: 71112 system is 54006 of fractionation.
==================================================
daniel g. mcgrath
a subscriber to _word ways: the journal of recreational linguistics_
http://www.wordways.com/
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: BIJECTIVE RIJNDAEL WITH AUTHENTICATION
Date: 30 Mar 2001 04:32:44 GMT
I have code at my site: http://members.nbci.com/ecil/rijnbest.zip
To run it you also need bicom; see Matt's site at
http://www3.sympatico.ca/mtimmerm/bicom/bicom.html
It comes with DOS batch files that do the following:
These bat streams allow one to map bijectively from the space of
all files made of any length strings of the symbols in cond1x.bat,
along with any possible 5 byte hash value, to a unique file that
is in the space of all strings made from the symbol set in cond2x.bat.
Every possible cipher file made of a string of symbols from cond2x.bat
maps uniquely to a 5 byte hash and a string of symbols in cond1x.bat,
for any key.
THIS IS RIJNDAEL FULL ENCRYPTION WITH 40 BIT AUTHENTICATION AND
FULL BIJECTIVITY
an example is below:
when you run the encryption bat file below:
bicomea test2.txt test2.bea dog cat
the input file is:
0000 54 4F 44 41 59 5F 49 53 5F 54 48 45 5F 46 49 52 *TODAY_IS_THE_FIR*
0010 53 54 5F 44 41 59 5F 4F 46 5F 54 48 45 5F 52 45 *ST_DAY_OF_THE_RE*
0020 53 54 5F 4F 46 5F 59 4F 55 52 5F 4C 49 46 45 . *ST_OF_YOUR_LIFE*
number of bytes is 47
the output file is:
0000 54 45 42 59 42 53 54 4E 41 56 48 4C 5F 4D 4E 44 *TEBYBSTNAVHL_MND*
0010 4D 44 4F 4F 5F 49 47 56 53 45 4D 53 44 46 46 4B *MDOO_IGVSEMSDFFK*
0020 58 49 4F 4F 49 41 44 4F 41 43 4F 4D 4F 45 45 4A *XIOOIADOACOMOEEJ*
0030 58 46 5F 53 43 44 5F . . . . . . . . . *XF_SCD_*
number of bytes is 55
when you run the decryption bat file below:
bicomda test2.bea test2.bda dog cat
test2.bda matches test2.txt and the authentication codes match
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.nbci.com/ecil/index.htm
Scott LATEST UPDATED sources for scott*u.zip
http://radiusnet.net/crypto/archive/scott/
Scott famous Compression Page
http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
A final thought from President Bill: "The road to tyranny,
we must never forget, begins with the destruction of the truth."
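The bijectivity property claimed in the post above (every string over the output symbol set decodes to exactly one input string plus a 5 byte tag, for any key) can be illustrated without Rijndael. The Python below is an added example, not David Scott's rijnbest/bicom code: it uses bijective base-b numeration to map (string over alphabet A, 40-bit tag) to a string over alphabet B and back. The letters-plus-underscore alphabets and a SHA-256-truncated tag are constructed stand-ins for cond1x.bat, cond2x.bat and bicom's own hash, and no encryption is performed. What it shows is the consequence of full bijectivity: a random or forged output string always decodes to something, so only the tag check can reject it, with a false-accept probability of 2^-40.

```python
"""Bijective packing of (plaintext over alphabet A, 40-bit tag) <-> string over alphabet B.

Added illustration of the bijectivity claim only; not the bicom/rijnbest code, and no cipher
is applied. Bijective base-b numeration (digits 1..b, empty string = 0) is a bijection between
all finite strings over a b-symbol alphabet and the non-negative integers, so composing it with
its inverse over a second alphabet is a bijection between the two string spaces.
"""
import hashlib

TAG_BITS = 40
A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ_"  # stand-in for the cond1x.bat symbol set (assumption)
B = "ABCDEFGHIJKLMNOPQRSTUVWXYZ_"  # stand-in for the cond2x.bat symbol set (assumption)


def string_to_int(s, alphabet):
    """Bijective base-b: the empty string is 0, each symbol is a digit in 1..b."""
    b = len(alphabet)
    n = 0
    for ch in s:
        n = n * b + alphabet.index(ch) + 1
    return n


def int_to_string(n, alphabet):
    """Inverse of string_to_int; no leading-zero ambiguity because digit 0 does not exist."""
    b = len(alphabet)
    out = []
    while n > 0:
        n, r = divmod(n - 1, b)
        out.append(alphabet[r])
    return "".join(reversed(out))


def tag_of(plaintext):
    """Constructed 40-bit tag (first 5 bytes of SHA-256); bicom uses its own 5-byte hash."""
    return int.from_bytes(hashlib.sha256(plaintext.encode()).digest()[:5], "big")


def pack(plaintext, tag):
    """(string over A, tag) -> string over B. Every (string, tag) pair has exactly one image."""
    n = (string_to_int(plaintext, A) << TAG_BITS) | tag
    return int_to_string(n, B)


def unpack(encoded):
    """string over B -> (string over A, tag). Defined for *every* string over B."""
    n = string_to_int(encoded, B)
    return int_to_string(n >> TAG_BITS, A), n & ((1 << TAG_BITS) - 1)


def decode_and_check(encoded):
    """(plaintext, tag_ok). A forged or random string still decodes; only the tag rejects it."""
    plaintext, tag = unpack(encoded)
    return plaintext, tag == tag_of(plaintext)


if __name__ == "__main__":
    msg = "TODAY_IS_THE_FIRST_DAY_OF_THE_REST_OF_YOUR_LIFE"  # plaintext from the post
    enc = pack(msg, tag_of(msg))
    print(enc, len(enc))
    print(decode_and_check(enc))        # (msg, True)
    print(decode_and_check("XF_SCD_"))  # decodes to a valid pair, tag check fails
```

Because the map is total in both directions, a wrong key in a real bijective cipher likewise yields a perfectly well-formed plaintext plus tag; the 40-bit tag is the only thing telling a decryptor that the key (or the ciphertext) was wrong, and 2^-40 is the bound on how often it lies.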
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Idea - (LONG)
Date: Thu, 29 Mar 2001 21:09:27 -0800
David Wagner wrote:
>
> John A. Malley wrote:
> >We tend to forget that perfect secrecy without an OTP is possible for a
> >finite number of messages as illustrated by the example provided in the
> >post.
>
> Obviously it's possible to do this without an OTP, but as far as I
> can tell, the resulting systems are no more practical than a OTP is,
> so what's the point?
I was thinking about a proof for or against the existence of a block
cipher algorithm exhibiting perfect secrecy.
Such a block cipher algorithm
1) takes an n-bit block of plaintext,
2) takes an n-bit key chosen uniformly at random from the set of 2^n
possible keys,
and
3) maps each n-bit plaintext string p_i to each n-bit ciphertext string
c_j by exactly one key k_l out of the 2^n keys.
This block cipher algorithm exhibits perfect secrecy per Shannon's
definition, and does so for a finite key size.
Can such a block cipher algorithm exist?
( I looked to the DES. The DES uses a 56 bit key on a 64 bit plaintext
so that violates 1) and 2). Quisquater and Delascaille demonstrated
DES-collisions where encrypting the same plaintext with two different
keys yielded the same ciphertext. That violates 3). The DES as-is cannot
achieve perfect secrecy. None of this means a block cipher with perfect
secrecy cannot be made, though. :-) )
Suppose it's impossible to construct a block cipher algorithm with
perfect secrecy, and there's a proof, a deep reason why it can't
happen. Wouldn't this tell us something fundamental about the
achievable security of block cipher algorithms?
Suppose it is possible to construct a block cipher algorithm with
perfect secrecy, and there's a proof. This would tell us something
fundamental about the achievable security of block cipher algorithms.
Maybe certain features in the algorithm prevent perfect secrecy; maybe
others permit it.
IMO such a proof ( for or against ) could influence the design
direction of block cipher algorithms.
For all I know, someone's already published such a proof and I've just
never come across it in my limited readings so far. :-)
Is there such an analysis?
John A. Malley
[EMAIL PROTECTED]
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Idea - (LONG)
Date: Thu, 29 Mar 2001 21:12:03 -0800
Please see my reply to Prof. Wagner in this same thread - I elaborated
what I was searching for with respect to block ciphers and perfect
secrecy.
I hope it clarifies my question.
John A. Malley
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Idea - (LONG)
Date: 30 Mar 2001 05:45:29 GMT
[EMAIL PROTECTED] (John A. Malley) wrote in
<[EMAIL PROTECTED]>:
>
>David Wagner wrote:
>>
>> John A. Malley wrote:
>> >We tend to forget that perfect secrecy without an OTP is possible for a
>> >finite number of messages as illustrated by the example provided in the
>> >post.
>>
>> Obviously it's possible to do this without an OTP, but as far as I
>> can tell, the resulting systems are no more practical than a OTP is,
>> so what's the point?
>
>I was thinking about a proof for or against the existence of a block
>cipher algorithm exhibiting perfect secrecy.
>
>Such a block cipher algorithm
>
>1) takes an n-bit block of plaintext,
>2) takes an n-bit key chosen uniformly at random from the set of 2^n
>possible keys,
>
>and
>
>3) maps each n-bit plaintext string p_i to each n-bit ciphertext string
>c_j by exactly one key k_l out of the 2^n keys.
>
>This block cipher algorithm exhibits perfect secrecy per Shannon's
>definition, and does so for a finite key size.
I'm not sure about "perfect secrecy" as Shannon would call it,
but he also talks about "ideal systems" where one can have a finite
key and not have enough information to know for certain what
the solution is no matter how much cipher text is received. But
one criterion to get it means you need infinite error propagation,
something the government people never allowed in their 3 letter
weak chaining modes.
For some strange reason so called crypto gods have in the past
frowned upon massive error propagation.
>
>Can such a block cipher algorithm exist?
>
>( I looked to the DES. The DES uses a 56 bit key on a 64 bit plaintext
>so that violates 1) and 2). Quisquater and Delascaille demonstrated
>DES-collisions where encrypting the same plaintext with two different
>keys yielded the same ciphertext. That violates 3). The DES as-is cannot
>achieve perfect secrecy. None of this means a block cipher with perfect
>secrecy cannot be made, though. :-) )
>
>Suppose it's impossible to construct a block cipher algorithm with
>perfect secrecy, and there's a proof, a deep reason why it can't
>happen. Wouldn't this tell us something fundamental about the
>achievable security of block cipher algorithms?
>
>Suppose it is possible to construct a block cipher algorithm with
>perfect secrecy, and there's a proof. This would tell us something
>fundamental about the achievable security of block cipher algorithms.
>Maybe certain features in the algorithm prevent perfect secrecy; maybe
>others permit it.
>
>IMO such a proof ( for or against ) could influence the design
>direction of block cipher algorithms.
>
>For all I know, someone's already published such a proof and I've just
>never come across it in my limited readings so far. :-)
>
>Is there such an analysis?
>
>
>John A. Malley
>[EMAIL PROTECTED]
>
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.nbci.com/ecil/index.htm
Scott LATEST UPDATED sources for scott*u.zip
http://radiusnet.net/crypto/archive/scott/
Scott famous Compression Page
http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
A final thought from President Bill: "The road to tyranny,
we must never forget, begins with the destruction of the truth."
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Idea - (LONG)
Date: Thu, 29 Mar 2001 22:26:24 -0800
"John A. Malley" wrote:
>
>
> I was thinking about a proof for or against the existence of a block
> cipher algorithm exhibiting perfect secrecy.
>
> Such a block cipher algorithm
>
> 1) takes an n-bit block of plaintext,
> 2) takes an n-bit key chosen uniformly at random from the set of 2^n
> possible keys,
>
> and
>
> 3) maps each n-bit plaintext string p_i to each n-bit ciphertext string
> c_j by exactly one key k_l out of the 2^n keys.
>
> This block cipher algorithm exhibits perfect secrecy per Shannon's
> definition, and does so for a finite key size.
>
> Can such a block cipher algorithm exist?
Oops, need to make it clear:
Can a product cipher (or specifically a Feistel cipher) block cipher
algorithm with perfect secrecy exist?
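Condition 3 in Malley's first post, and the Feistel-specific form of the question just above, can be checked by exhaustion for small block sizes. The Python below is an added example, not from the thread: it tests whether a cipher's key/plaintext table is a Latin square (each (p, c) pair reached by exactly one key), which with a uniformly random n-bit key gives Pr[c | p] = 2^-n for every p and c and hence Shannon's perfect secrecy for a single block. The 4-bit Feistel ciphers and the 2-bit S-box are constructed for the example. Two Feistel rounds with a bijective round function and two independent half-block subkeys do pass the test (the key is as long as the block, which is Wagner's point: no more practical than an OTP, since it cannot be reused); a third round that reuses a subkey breaks the property, and the checker reports pairs reached by zero keys and pairs reached by several.

```python
"""Check condition 3 (Latin-square key table) for small block ciphers by exhaustion.

Added example; the 4-bit Feistel ciphers and 2-bit S-box are constructed for the illustration.
A cipher E(k, p) on n-bit blocks with n-bit keys satisfies the condition iff, for every
plaintext p and ciphertext c, exactly one key maps p to c. With a uniform key that is
Pr[c | p] = 2^-n for all p, c: perfect secrecy for one block.
"""
from collections import Counter


def keys_per_pair(encrypt, n):
    """(min, max) over all (p, c) of the number of keys k with encrypt(k, p) == c."""
    size = 1 << n
    counts = []
    for p in range(size):
        hits = Counter(encrypt(k, p) for k in range(size))
        counts.extend(hits.get(c, 0) for c in range(size))
    return min(counts), max(counts)


def is_perfectly_secret_block_cipher(encrypt, n):
    """True iff every (p, c) pair is reached by exactly one key."""
    return keys_per_pair(encrypt, n) == (1, 1)


def xor_cipher(k, p):
    """c = p XOR k: the one-time pad on a single block, trivially a Latin square."""
    return k ^ p


SBOX = (1, 3, 0, 2)  # a 2-bit permutation (constructed); bijectivity matters below
HALF = 2             # 4-bit block, 2-bit halves


def feistel(round_keys, p):
    """Generic Feistel network: (L, R) -> (R, L xor S[R xor k]) per round."""
    mask = (1 << HALF) - 1
    left, right = p >> HALF, p & mask
    for rk in round_keys:
        left, right = right, left ^ SBOX[right ^ rk]
    return (left << HALF) | right


def feistel_2round(k, p):
    """Two rounds, two independent 2-bit subkeys from the 4-bit key.
    Round 1 fixes k1 uniquely from c's left half, round 2 fixes k2 from its right half."""
    return feistel((k >> HALF, k & 3), p)


def feistel_3round_reuse(k, p):
    """Three rounds, third subkey reuses the first: 4-bit key, 6 subkey bits, not a Latin square."""
    k1, k2 = k >> HALF, k & 3
    return feistel((k1, k2, k1), p)


if __name__ == "__main__":
    for name, cipher in [("xor", xor_cipher), ("feistel 2 rounds", feistel_2round),
                         ("feistel 3 rounds, k3 = k1", feistel_3round_reuse)]:
        print(f"{name:28s} keys per (p, c) in {keys_per_pair(cipher, 4)} "
              f"perfect secrecy: {is_perfectly_secret_block_cipher(cipher, 4)}")
```

The checker is the general tool: any candidate product or Feistel cipher at toy size can be dropped into keys_per_pair. For the three-round reuse case the failure is structural, not a fluke of the S-box: for the target c = (R, L) the third-round S-box output cancels the first round's for every k1, so four keys map p there and other pairs are left with none.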
------------------------------
From: [EMAIL PROTECTED] (Rich Wales)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: New PGP Flaw Verified By Phil Zimmerman, Allows Signatures to be Forged
Date: 30 Mar 2001 07:38:15 -0000
Earlier, I wrote:
> > [In PGP 2.6.3ia] (n=pq is verified in keymgmt.c, line 626).
> > I'm not sure whether this single test suffices to make PGP
> > 2.6.3ia immune to the ICZ attack or not.
Lutz Donnerhacke replied:
> It does not.
And, now that I think I understand the ICZ paper, I agree -- because
the ICZ attack on an RSA secret key involves a random modification,
not of "p" or "q", but of "pInv" (which is supposed to be p^-1 mod q).
The attack requires the real "p" and "q", together with a bogus "pInv".
To be sure, the attacker won't know the unencrypted value of the modified
"pInv" (i.e., he won't know the precise effect of his tampering
with the original encrypted "pInv" value) -- but he doesn't need to,
because the mere fact that the modified "pInv" is different from the
true value is enough to give away the secret key parameters.
But since the attack does require the real "p" and "q", a test verifying
these values will not -- by itself -- provide protection. Thus, PGP
2.6.3ia would appear to be vulnerable to the ICZ attack. At the very
least, I would assume that a validity test on "pInv" must be added in
order to protect against the attack.
BTW, the fact that the real "p" and "q" must be used is why the attack
requires the victim to be tricked into signing something using the
doctored secret key -- something that can only be done by someone who
knows the pass phrase (i.e., the victim). Validity tests on "p" and/or
"q" are probably superfluous from the standpoint of the ICZ attack --
since a mangled "p" or "q" will cause the attack to fail anyway -- but
I suppose it isn't a bad idea to check "p" and "q" anyway, just in case
some similar attack exists that could exploit such a change.
Rich Wales [EMAIL PROTECTED] http://www.webcom.com/richw/pgp/
RSA, 2048 bits, ID 0xFDF8FC65, print 2A67F410 0C740867 3EF13F41 528512FA
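The fault mechanism the post describes, as an added example in Python (not PGP source code): signing with a tampered pInv leaves the CRT result correct modulo p but wrong modulo q, so gcd(s'^e - m, n) recovers p, and the attacker never needs to know what the tampered value became. Toy primes p=61, q=53 and Garner's recombination s = m_p + p*((m_q - m_p)*u mod q), with u = p^-1 mod q, are this example's assumptions about the key layout and CRT step. pinv_is_valid is the "validity test on pInv" the post calls for; verifying the signature before releasing it is the standard additional countermeasure against any CRT fault, whatever its cause.

```python
"""Why a tampered pInv (u = p^-1 mod q) leaks an RSA private key, and the check that stops it.

Added example, not PGP code. Toy-sized primes so the arithmetic is inspectable; the mechanism
is the same at real key sizes. Assumes the key is stored as (d, p, q, u) and signing uses
Garner's CRT recombination s = m_p + p * ((m_q - m_p) * u mod q).
"""
from math import gcd

P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753
D_P, D_Q = D % (P - 1), D % (Q - 1)
U = pow(P, -1, Q)                    # the genuine pInv: 20


def pinv_is_valid(p, q, u):
    """The test the post says PGP 2.6.3ia lacks: u must be the inverse of p modulo q."""
    return 0 < u < q and (p * u) % q == 1


def crt_sign(m, p, q, d_p, d_q, u):
    """RSA signature via CRT. Only the q-side depends on u; s is always m^d mod p."""
    m_p = pow(m, d_p, p)
    m_q = pow(m, d_q, q)
    h = ((m_q - m_p) * u) % q
    return m_p + p * h


def crt_sign_checked(m, p, q, d_p, d_q, u, e):
    """Hardened signer: refuse a bad pInv, and never release a signature that does not verify."""
    if not pinv_is_valid(p, q, u):
        raise ValueError("pInv does not satisfy p * pInv == 1 mod q; key material tampered?")
    s = crt_sign(m, p, q, d_p, d_q, u)
    if pow(s, e, p * q) != m % (p * q):
        raise ValueError("signature does not verify; refusing to output it")
    return s


def factor_from_faulty_signature(m, s_faulty, e, n):
    """Attacker side. s' == m^d (mod p) still holds, so s'^e - m is divisible by p but
    (almost surely) not by q; the gcd with n is p. Needs only m, s' and the public key."""
    g = gcd((pow(s_faulty, e, n) - m) % n, n)
    return (g, n // g) if 1 < g < n else None


if __name__ == "__main__":
    m = 65
    good = crt_sign(m, P, Q, D_P, D_Q, U)
    print("good signature verifies?", pow(good, E, N) == m)           # True
    bad_u = U + 1   # stands for whatever the victim's decryption of the doctored pInv yields
    s_faulty = crt_sign(m, P, Q, D_P, D_Q, bad_u)
    print("faulty signature verifies?", pow(s_faulty, E, N) == m)     # False
    print("factors recovered:", factor_from_faulty_signature(m, s_faulty, E, N))  # (61, 53)
    try:
        crt_sign_checked(m, P, Q, D_P, D_Q, bad_u, E)
    except ValueError as err:
        print("checked signer:", err)
```

As the post notes, the attack depends on the genuine p and q being used: if p or q is mangled instead, s' is correct modulo neither prime and the gcd gives nothing, which is why checking pInv (and, defensively, verifying every signature before it leaves the signer) is the control that matters here rather than the n = pq test alone.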
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************