Cryptography-Digest Digest #124, Volume #14      Wed, 11 Apr 01 13:13:00 EDT

Contents:
  Re: Derived Key Generation (Volker Hetzer)
  Ghost in the Shell ("J. O")
  Re: I got accepted (Serge Vaudenay)
  Re: WANTED: Voice Encryption and Telephony Consultant ("Frog2000")
  Re: Ghost in the Shell ("kroesjnov")
  Re: Derived Key Generation ("dexMilano")
  Re: Derived Key Generation (Volker Hetzer)
  Poems ? (Frank Gerlach)
  Re: Concerning United States Patent 4979832 (Dynamic Substitution) (Ken Savage)
  Re: I got accepted ("Tom St Denis")
  Re: Current best complexity for factoring? (Bill Unruh)
  Re: Ghost in the Shell (Jeremy Bishop)
  Re: Steganography with natural texts (Mok-Kong Shen)
  Re: Polymorphic encryption (Mok-Kong Shen)
  Re: Ghost in the Shell ("kroesjnov")
  Re: Current best complexity for factoring? (Jerry Coffin)

----------------------------------------------------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Derived Key Generation
Date: Wed, 11 Apr 2001 13:35:49 +0200

dexMilano wrote:
> 
> Interesting approach.
> I've the same problem, I want to derive a long key, starting from a simple
> key.
> I'm trying this:
> divide the derived key in 2 parts (for example, if you need 56: 48 bit + 8
> bit)
[...]
Have you had a look at how the TLS protocol handles this?
They have a master secret and create key material from it.
IIRC it was something like
SHA1(Mastersecret||A)||SHA1(Mastersecret||BB)||SHA1(Mastersecret||CCC)||...
So far I haven't seen any criticism of it.

Greetings!
Volker
--
They laughed at Galileo.  They laughed at Copernicus.  They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.

------------------------------

From: "J. O" <[EMAIL PROTECTED]>
Crossposted-To: alt.cypherpunks,alt.security.pgp
Subject: Ghost in the Shell
Date: Wed, 11 Apr 2001 08:19:38 -0400

Good day all, I just finished wrapping up a pseudo how-to/better methods
type of encryption document I've called "Ghost in the Shell" and was passing
it off to the lists, in hopes someone would find it useful, care to comment, etc.

http://www.antioffline.com/gist.html

The document takes a look @ various methods of protecting privacy, data,
including samples using perl, stego tools, pgp, etc.

Feel free to comment, correct, etc. Positive feedback is welcomed as is
negative, however should your reply be flame based, it will be ignored entirely.

J. O / sil @ antioffline || sil @ deficiency.org



------------------------------

Date: Wed, 11 Apr 2001 16:14:12 +0200
From: Serge Vaudenay <[EMAIL PROTECTED]>
Subject: Re: I got accepted

Ian Goldberg wrote:
> 
> In article <[EMAIL PROTECTED]>,
> Jerry Coffin  <[EMAIL PROTECTED]> wrote:
> >In article <DOuA6.68390$[EMAIL PROTECTED]>,
> >[EMAIL PROTECTED] says...
> >
> >[ ... ]
> >
> >> >   Did you try MIT or Berkeley?
> >> >
> >> > Then you could have met Dave or Ron. I would rather meet Ron; I
> >> > hear he's a nice guy.
> >>
> >> In case you missed out.  I ain't a yankee.  Why would I go 3000 miles south
> >> for skule?
> >
> >Just for one example, consider that Niklaus Wirth (inventor of
> >Pascal, Modula, Modula II, Oberon, etc.) traveled all the way from
> >Switzerland to go to UC Berkeley.
> >
> >Berkeley is also within easy driving distance of both Sonoma and Napa
> >valleys.
> 
> Being a recent Berkeley grad myself, I *highly* recommend it
> _for grad school_.  But not for undergrad; too many students,
> not enough resources.
> 
> >Even ignoring the education and the wine (which I'll admit most
> >people don't really appreciate until well after college age), there
> >are MANY good reasons to consider California for college, most
> >obviously the weather (and the bikini-clad women it attracts...)
> 
> Note that Berkeley is in Northern California.  It's not all that
> hot there.  Montreal has hotter summers than San Francisco.
> 
> But it's not all *that* far to do a weekend trip to SoCal, if you
> want the bikinis and the beaches.
> 
>    - Ian


For the weather, bikinis on the beach (by the Lake), the wine, the
resources, I highly recommend considering EPFL (Switzerland).
Particularly the communication systems division.
(See http://dscwww.epfl.ch)

Serge Vaudenay
(Head of the Communication System Division)

PS We do have a grad school. We do have open PhD positions.
(I have several ones in cryptography.)

------------------------------

From: "Frog2000" <[EMAIL PROTECTED]>
Subject: Re: WANTED: Voice Encryption and Telephony Consultant
Date: Wed, 11 Apr 2001 10:32:28 -0400

>
> Isn't cryptography restricted/illegal in France?
>
> Ken

No more than it is here, I suspect. Here=US.





------------------------------

From: "kroesjnov" <[EMAIL PROTECTED]>
Crossposted-To: alt.cypherpunks,alt.security.pgp
Subject: Re: Ghost in the Shell
Date: Wed, 11 Apr 2001 16:41:40 +0200

> http://www.antioffline.com/gist.html

first comment before reading :)

http://www.antioffline.com/gits.html

the above link is wrong :(

"Wisdom lies not in obtaining knowledge, but in using it in the right way"

kroesjnov
email: [EMAIL PROTECTED] (remove nov to reply)
UIN: 85685870
pgp fingerprint: 4251 4350 4242 7764 80DA  DB1C E2B2 850A DF15 4D85



------------------------------

From: "dexMilano" <[EMAIL PROTECTED]>
Subject: Re: Derived Key Generation
Date: Wed, 11 Apr 2001 16:48:50 +0200

Sorry, but I didn't understand.
dex
"Volker Hetzer" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> dexMilano wrote:
> >
> > Interesting approach.
> > I've the same problem, I want to derive a long key, starting from a
> > simple key.
> > I'm trying this:
> > divide the derived key in 2 parts (for example, if you need 56: 48 bit +
> > 8 bit)
> [...]
> Have you had a look at how the TLS protocol handles this?
> They have a master secret and create key material from it.
> IIRC it was something like
> SHA1(Mastersecret||A)||SHA1(Mastersecret||BB)||SHA1(Mastersecret||CCC)||...
> So far I haven't seen any criticism of it.
>
> Greetings!
> Volker
> --
> They laughed at Galileo.  They laughed at Copernicus.  They laughed at
> Columbus. But remember, they also laughed at Bozo the Clown.



------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Derived Key Generation
Date: Wed, 11 Apr 2001 17:33:44 +0200

dexMilano wrote:
> 
> Sorry, but I didn't understand.
> dex

> SHA1(Mastersecret||A)||SHA1(Mastersecret||BB)||SHA1(Mastersecret||CCC)||...
> > So far I haven't seen any criticism of it.
Given one initial random string (Mastersecret) you can create
n*160 bits of random data by concatenating the hashes of the concatenation of
the Mastersecret with different constants, i.e. "A", "BB", "CCC".

But, after checking, I saw that they changed it in the TLS spec.
Have a look at http://www.faqs.org/rfcs/rfc2246.html, section 5.
They use a different algorithm now:

5. HMAC and the pseudorandom function

   A number of operations in the TLS record and handshake layer required
   a keyed MAC; this is a secure digest of some data protected by a
   secret. Forging the MAC is infeasible without knowledge of the MAC
   secret. The construction we use for this operation is known as HMAC,
   described in [HMAC].

   HMAC can be used with a variety of different hash algorithms. TLS
   uses it in the handshake with two different algorithms: MD5 and SHA-
   1, denoting these as HMAC_MD5(secret, data) and HMAC_SHA(secret,
   data). Additional hash algorithms can be defined by cipher suites and
   used to protect record data, but MD5 and SHA-1 are hard coded into
   the description of the handshaking for this version of the protocol.

   In addition, a construction is required to do expansion of secrets
   into blocks of data for the purposes of key generation or validation.
   This pseudo-random function (PRF) takes as input a secret, a seed,
   and an identifying label and produces an output of arbitrary length.

   In order to make the PRF as secure as possible, it uses two hash
   algorithms in a way which should guarantee its security if either
   algorithm remains secure.

   First, we define a data expansion function, P_hash(secret, data)
   which uses a single hash function to expand a secret and seed into an
   arbitrary quantity of output:

       P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                              HMAC_hash(secret, A(2) + seed) +
                              HMAC_hash(secret, A(3) + seed) + ...

   Where + indicates concatenation.

   A() is defined as:
       A(0) = seed
       A(i) = HMAC_hash(secret, A(i-1))

   P_hash can be iterated as many times as is necessary to produce the
   required quantity of data. For example, if P_SHA-1 was being used to
   create 64 bytes of data, it would have to be iterated 4 times
   (through A(4)), creating 80 bytes of output data; the last 16 bytes
   of the final iteration would then be discarded, leaving 64 bytes of
   output data.

   TLS's PRF is created by splitting the secret into two halves and
   using one half to generate data with P_MD5 and the other half to
   generate data with P_SHA-1, then exclusive-or'ing the outputs of
   these two expansion functions together.

   S1 and S2 are the two halves of the secret and each is the same
   length. S1 is taken from the first half of the secret, S2 from the
   second half. Their length is created by rounding up the length of the
   overall secret divided by two; thus, if the original secret is an odd
   number of bytes long, the last byte of S1 will be the same as the
   first byte of S2.

       L_S = length in bytes of secret;
       L_S1 = L_S2 = ceil(L_S / 2);

   The secret is partitioned into two halves (with the possibility of
   one shared byte) as described above, S1 taking the first L_S1 bytes
   and S2 the last L_S2 bytes.

   The PRF is then defined as the result of mixing the two pseudorandom
   streams by exclusive-or'ing them together.

       PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
                                  P_SHA-1(S2, label + seed);

   The label is an ASCII string. It should be included in the exact form
   it is given without a length byte or trailing null character.  For
   example, the label "slithy toves" would be processed by hashing the
   following bytes:

       73 6C 69 74 68 79 20 74 6F 76 65 73

   Note that because MD5 produces 16 byte outputs and SHA-1 produces 20
   byte outputs, the boundaries of their internal iterations will not be
   aligned; to generate a 80 byte output will involve P_MD5 being
   iterated through A(5), while P_SHA-1 will only iterate through A(4).

Greetings!
Volker
--
They laughed at Galileo.  They laughed at Copernicus.  They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
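The RFC 2246 PRF quoted above, and the older hash(secret||"A")||hash(secret||"BB")||... expansion Volker described earlier in the thread, as an added example (not code from the digest, from RFC 2246 or from any TLS implementation). It uses Python's standard hmac/hashlib modules; the secrets and labels in the demo are constructed values.

```python
import hashlib
import hmac
from math import ceil


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 data expansion function P_hash(secret, seed).

    Returns (output, iterations): the first `length` bytes of
    HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
    and the number of A(i) blocks that were needed, so the 64-byte and
    80-byte examples in the RFC text can be checked.
    """
    a = seed                                          # A(0) = seed
    out = b""
    iterations = 0
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()   # A(i) = HMAC_hash(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
        iterations += 1
    return out[:length], iterations                   # surplus output is discarded


def split_secret(secret):
    """S1 = first ceil(L_S/2) bytes, S2 = last ceil(L_S/2) bytes.

    For an odd-length secret the middle byte belongs to both halves,
    exactly as the RFC describes.
    """
    half = ceil(len(secret) / 2)
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed).

    `label` is the raw ASCII bytes, with no length byte and no trailing NUL.
    """
    s1, s2 = split_secret(secret)
    md5_stream, _ = p_hash("md5", s1, label + seed, length)
    sha_stream, _ = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))


def legacy_expand(hash_name, secret, length):
    """The construction Volker recalled: hash(secret + "A") + hash(secret + "BB") + ...

    Included for contrast only (constants "A", "BB", "CCC", ... as in his post);
    it is not the RFC 2246 PRF and carries no HMAC keying or seed.
    """
    out, i = b"", 1
    while len(out) < length:
        constant = bytes([ord("A") + i - 1]) * i      # "A", "BB", "CCC", ...
        out += hashlib.new(hash_name, secret + constant).digest()
        i += 1
    return out[:length]


if __name__ == "__main__":
    # Constructed demo values; a real master secret is 48 bytes of handshake output.
    master = b"constructed master secret"
    label, seed = b"key expansion", b"constructed server+client randoms"
    print("label bytes:", b"slithy toves".hex())        # matches the hex in the RFC
    print("P_MD5 A-blocks for 80 bytes:", p_hash("md5", master, seed, 80)[1])
    print("P_SHA-1 A-blocks for 80 bytes:", p_hash("sha1", master, seed, 80)[1])
    print("key block:", tls10_prf(master, label, seed, 104).hex())
    print("legacy expansion:", legacy_expand("sha1", master, 40).hex())
```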

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Poems ?
Date: Wed, 11 Apr 2001 17:14:03 +0200

What about poems?
Poems have both a semantic message *and* they are carefully crafted to
be rhyming.

"Reim Dich oder Ich friss Dich" ("Rhyme, or I'll eat you"). (The poem generation doctrine.)

This can be taken to the extreme of poems which convey more or less no
meaning, but are just made to rhyme. For stegano purposes, this lack of
semantic meaning could be exploited without creating suspicion. ("Oh
yeah, yet another of those crazy poems").

Although I am still convinced that this just elevates the cat-and-mouse
game to a higher intellectual level, which our friends at NSAGCHQ are
happy to match.


------------------------------

From: Ken Savage <[EMAIL PROTECTED]>
Subject: Re: Concerning United States Patent 4979832 (Dynamic Substitution)
Date: Wed, 11 Apr 2001 15:37:20 GMT

John Savard wrote:

> As I quote from that patent: "Each data value from the first data
> source is transformed by substitution using one of potentially
> multiple translation tables. The translations within each table can be
> changed after each substitution operation using a changes controller.

*CAN* be changed.  OTOH, it *CAN* be left alone.  Thus a simple substitution
cipher where  out=sbox[in]   would violate this claim.  Ick.

Ken

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: I got accepted
Date: Wed, 11 Apr 2001 15:56:33 GMT


"Serge Vaudenay" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Ian Goldberg wrote:
> >
> > In article <[EMAIL PROTECTED]>,
> > Jerry Coffin  <[EMAIL PROTECTED]> wrote:
> > >In article <DOuA6.68390$[EMAIL PROTECTED]>,
> > >[EMAIL PROTECTED] says...
> > >
> > >[ ... ]
> > >
> > >> >   Did you try MIT or Berkeley?
> > >> >
> > >> > Then you could have met Dave or Ron. I would rather meet Ron; I
> > >> > hear he's a nice guy.
> > >>
> > >> In case you missed out.  I ain't a yankee.  Why would I go 3000 miles
> > >> south for skule?
> > >
> > >Just for one example, consider that Niklaus Wirth (inventor of
> > >Pascal, Modula, Modula II, Oberon, etc.) traveled all the way from
> > >Switzerland to go to UC Berkeley.
> > >
> > >Berkeley is also within easy driving distance of both Sonoma and Napa
> > >valleys.
> >
> > Being a recent Berkeley grad myself, I *highly* recommend it
> > _for grad school_.  But not for undergrad; too many students,
> > not enough resources.
> >
> > >Even ignoring the education and the wine (which I'll admit most
> > >people don't really appreciate until well after college age), there
> > >are MANY good reasons to consider California for college, most
> > >obviously the weather (and the bikini-clad women it attracts...)
> >
> > Note that Berkeley is in Northern California.  It's not all that
> > hot there.  Montreal has hotter summers than San Francisco.
> >
> > But it's not all *that* far to do a weekend trip to SoCal, if you
> > want the bikinis and the beaches.
> >
> >    - Ian
>
>
> For the weather, bikinis on the beach (by the Lake), the wine, the
> resources, I highly recommend considering EPFL (Switzerland).
> Particularly the communication systems division.
> (See http://dscwww.epfl.ch)
>
> Serge Vaudenay
> (Head of the Communication System Division)
>
> PS We do have a grad school. We do have open PhD positions.
> (I have several ones in cryptography.)

Tell you what.  Ask the dean to accept me with a full scholarship and I will
go for a Ph.D.

(BTW I am submitting a paper to SAC based on your ideas in decorrelation
theory :-) )

Tom



------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Current best complexity for factoring?
Date: 11 Apr 2001 16:18:29 GMT

In <[EMAIL PROTECTED]> Steve Portly <[EMAIL PROTECTED]> writes:

>When using RSA if you specify a larger key size, say 1024 bit key instead
>of 512 bit is there any guarantee that one of the two primes won't be as
>small as if a 512 bit key had been chosen?  Are you always using primes
>from different ranges?

Yes. The primes are chosen to be 512 bits long for a 1024-bit modulus.
(The leftmost of the 512 bits is chosen to be 1, the rest random; then
test, add 2, test, add 2, test, ..., until a prime is found.)
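The search Bill describes, as an added example (not code from the digest or from any RSA library): the top bit of the candidate is forced to 1 so the prime has exactly the requested width, and the candidate is advanced by 2 until a primality test passes. The post does not say which test is used; Miller-Rabin with a small trial-division prefilter is my choice here, and forcing the low bit to 1 is implied by the "add 2" step (an even start would never become prime).

```python
import secrets

# Small primes for a cheap trial-division prefilter before Miller-Rabin.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (error probability <= 4**-rounds)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 = d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True


def generate_prime(bits):
    """Prime of exactly `bits` bits, found the way the post describes.

    Returns (prime, candidates_tested). The leftmost bit is forced to 1 so the
    prime cannot be 'as small as if a shorter key had been chosen'; the search
    restarts in the rare case the +2 walk would cross into bits+1 bits.
    """
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        tested = 0
        while candidate.bit_length() == bits:
            tested += 1
            if is_probable_prime(candidate):
                return candidate, tested
            candidate += 2


def rsa_modulus(bits):
    """Two distinct primes of bits//2 bits each and their product n."""
    half = bits // 2
    p, _ = generate_prime(half)
    q, _ = generate_prime(half)
    while q == p:
        q, _ = generate_prime(half)
    return p, q, p * q


if __name__ == "__main__":
    p, q, n = rsa_modulus(1024)
    print("p bits:", p.bit_length(), "q bits:", q.bit_length(), "n bits:", n.bit_length())
```

Because both primes start with a 1 bit, n = p*q always has either 2*half - 1 or 2*half bits, which is the guarantee Steve asked about.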



------------------------------

From: Jeremy Bishop <[EMAIL PROTECTED]>
Crossposted-To: alt.cypherpunks,alt.security.pgp
Subject: Re: Ghost in the Shell
Date: Wed, 11 Apr 2001 09:37:13 -0700

"J. O" wrote:
> 
> Good day all, I just finished wrapping up a pseudo how-to/better 
> methods type of encryption document I've called "Ghost in the Shell"
> and was passing it off to the lists, in hopes someone would find it
> useful, care to comment, etc.

Positive feedback seems so pointless when compared to negative feedback
(except I believe we are now taught to call it 'constructive
criticism').  To begin, I think you are worrying too much. Rotating keys
every ten days, using stego, etc. seems a bit of overkill. You include a
quote from Dr. Neumann, and then proceed to ignore it for the rest of
the paper.  I'll include a few points I noticed, then at the end
elaborate further on what I meant by that last sentence.

        § An expiration date does not mean a key cannot be used to decrypt or
verify a message after it expires.  Your document is unclear on this,
and would give the impression that you can have 'self-destructing'
messages.

        § I believe that the characteristics of the Vigenère cipher would allow
for near-instant recovery of any non-random data encrypted with it.[1] 
Are you familiar with the theory the code snippet you posted is based
on?

        § Note that any message discovered in a steganographic carrier will be
treated as an important message by an attacker.  Thus, multiple levels
of steganography are not all that useful.  Instead, you should only
steganize data that is statistically random as well as only using
container files that have no original to be compared to.  This means
ditching the spam encoding and wiping the unmodified statue of liberty
picture.

Now, about the quote you used.  I feel what is meant is that while the
cryptography is strong, it is the endpoints that are weak.  Thus, you
would have a much easier time if you just emailed your messages back and
forth using PGP encryption, and they'd be just as secure.

What should be foremost on your mind is keeping your system secure.  I
know that if the quantum computer sitting here on my desk crashes, I don't
have a prayer of decrypting your message whether you sent it your way or
mine.  This means that I will instead send you a copy of the latest
Outlook virus, of the new type that runs attachments even if you don't
click on them, and use it to install some Back Orifice variant.  I will
then look for the plaintext on your computer.  I will also look at what
programs you have available for steganography or whatnot just in case I
cannot find the plaintext.  I would also run a keylogger, just to make
things easier for the future.

Enjoy!

[1] Something for the sci.crypt people to verify.

-- 
Jeremy Bishop                 PGP Key ID D54D 0ED6
76BE 18EB 66CE 06BC E25D  2BDB 86FA 4FB3 D54D 0ED6

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Wed, 11 Apr 2001 18:47:25 +0200



Joe H Acker wrote:
> 
[snip]
> Unfortunately, I don't feel skilled enough at information theory to
> write such a paper, and I also didn't find any references about
> steganography in the above sense. And from the feedback on my posts to
> this newsgroup, I have the impression that most people (excluding you)
> are not interested in these ideas.

I believe the opposite. Steganography to hide secret
messages (I mean normal, eventually encrypted, messages 
-- I am excluding for the purpose of current discussion 
the topic of watermarking, in which lies apparently the 
major research activity of stego today owing to commercial 
interests) is of significant general interest, as there 
seems to be a visible trend for the governments to issue 
crypto laws like those of U.K. and, at the same time, the 
problem of secure encryption has apparently been 
sufficiently well solved (see AES), thus leaving stego 
emerging to the front of the list of matters desirable to 
be improved upon next. The problem is however that, in my
humble view, steganography is much more difficult 
to tackle in a scientifically rigorous way than 
cryptography. I think that stego has a very significant 
relation with cognitive psychology and perhaps also some 
other fields that are barely of concern to cryptography. 
The currently available (and practically interesting) 
literature of steganography in the above said limited 
scope being very meager (as far as I am aware), there is 
yet not much concrete base present for conducting 
non-trivial discourse. This, I suppose, explains your 
observed ('apparent') disinterest of people in the 
matter.

M. K. Shen
=======================
http://home.t-online.de/home/mok-kong.shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Polymorphic encryption
Date: Wed, 11 Apr 2001 18:47:18 +0200



dexMilano wrote:
> 
> I think this could be an interesting thread:
> 
> http://www.securitywatch.com/newsforward/default.asp?AID=6827

The available information is extremely meager and vague
in my humble opinion. All that I could discern is that
one exploits the principle of variability somehow
extensively. BTW, this may be an interesting side-question 
in view of another current thread: Does it employ a 
substitution table that gets changed dynamically?

M. K. Shen

------------------------------

From: "kroesjnov" <[EMAIL PROTECTED]>
Crossposted-To: alt.cypherpunks,alt.security.pgp
Subject: Re: Ghost in the Shell
Date: Wed, 11 Apr 2001 18:46:36 +0200

Interesting article if I may say so :)

Only thing I would have done different, is the picture that you used...
Although the picture spoofs the mind, it does not spoof the computer(2).
I assume from the look of the picture that this is a picture you got from
the i-net somewhere, and not your own picture.
What the problem is with using pictures which are not unique(1), is that it
maybe is in a database which your picture can be compared to, and so it will
become clear that there is 'data' in the picture you send.

But that is b*tching about little things as I know :)
The entire process was of course to avoid tripping over a tripwire, but you
also want to avoid detection when the picture is captured...

Oh well, enjoyed reading it.
It is simply written (not in a negative sense of course, it makes for easy
reading :), and you have it well documented (links etc).

1. Since picture shops now-a-days also write your personal pics on a cd-rom
for you, it should be no problem to get a unique picture - say 'a holiday
pic' - to send with the email.

2. I know, if you let the computer have a close look at both the pics you
used for your example, it is most likely the picture with the data in it is
quickly detected, since there is a pattern in it.
On second thought, maybe not, since you entirely encrypted your data (that
should leave no pattern), just be sure to cut the pgp headers off, they are
easily found with a txt/hex search. I ran Encase over the pics, and it
showed nothing, so that is good :)

again, thx :) Enjoyed reading it.

"Wisdom lies not in obtaining knowledge, but in using it in the right way"

kroesjnov
email: [EMAIL PROTECTED] (remove nov to reply)
UIN: 85685870
pgp fingerprint: 4251 4350 4242 7764 80DA  DB1C E2B2 850A DF15 4D85



------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Current best complexity for factoring?
Date: Wed, 11 Apr 2001 11:06:54 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...

[ ... ] 

> When using RSA if you specify a larger key size, say 1024 bit key instead
> of 512 bit is there any guarantee that one of the two primes won't be as
> small as if a 512 bit key had been chosen?  Are you always using primes
> from different ranges?

RSA itself doesn't make any requirement about the relative magnitude 
of the two primes -- if you wanted to pick a 2-digit prime, say, 17 
and use it with some 300-digit prime, it would still work though of 
course it wouldn't be at all secure.

Most programs that implement RSA always use primes of the same number 
of bits as each other.  It would still work if you allowed one to 
have somewhat fewer or more bits than the other.  In fact, this 
creates a somewhat larger key space, increasing resistance to a brute 
force search of all the primes of the right size.  In reality, this 
makes no practical difference though.  Assuming I didn't make any 
foolish mistakes in the math, there should be about 3.8e151 prime 
numbers of 512 bits.  That's FAR too many to consider exhausting.

-- 
    Later,
    Jerry.

The Universe is a figment of its own imagination.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************