Cryptography-Digest Digest #198, Volume #14      Sat, 21 Apr 01 08:13:00 EDT

Contents:
  Re: DES Optimizaton - Can Someone Explain? ("Bryan Olson")
  Cryptanalysis Question: Determing The Algorithm? (pjf)
  Re: Will this defeat keyloggers ? ("Lyalc")
  Censorship Threat at Information Hiding Workshop (Jonas)
  Re: MS OSs "swap" file:  total breach of computer security. (Marc)
  Punsh your keyboard for randomness (was Re: C Encryption) (Marc)
  Re: MS OSs "swap" file:  total breach of computer security. (Marc)
  The Extended Euclidian Algorithm (The original, not modular!) ("The Death")
  Re: Random and not random (Mok-Kong Shen)
  Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen)
  Re: Note on combining PRNGs with the method of Wichmann and Hill ("Brian Gladman")
  Re: OTP breaking strategy (Mok-Kong Shen)

----------------------------------------------------------------------------

From: "nospam"@"nonsuch.org" ("Bryan Olson")
Subject: Re: DES Optimizaton - Can Someone Explain?
Date: Sat, 21 Apr 2001 08:33:47 GMT

Kevin D. Kissell wrote:

>I noted the bit-numbering assumption, and the index transformation
>necessary to treat the permutated S-box outputs as a linear array.
>In any case, the discrepancy in results that I'm seeing does not
>correspond to an endianness inversion nor to an index scrambling.
>Each entry in my generated tables has the same number of bits
>set as the corresponding entry that one finds in the text, but the bit
>positions differ in a non-obvious way.

If you look at the inner loop, you'll see that the bits of 
the half-block that go *into* each s-box are not the same as 
indicated in the DES spec.  For example look at what goes 
into s-box 8; the bits come from the end of the word.  In 
DES expansion, one bit is supposed to wrap around from the 
other end. 

The half-blocks are stored with their bits in a pre-permuted 
order.  This saves one rotation operation per half-round.  
The outputs of the s-boxes have the bits positions adjusted 
for the efficient order.  (I have not actually traced 
through to see if this completely explains your 
observation.)


Now I'll add a piece of unsolicited advice.  A bunch of us 
have studied the intricacies of DES and learned the various 
implementation tricks.  There's also lots of good free code 
anyone can use (try Phil Karn's).  Now DES is on the way 
out, and the value of these skills is modest and falling. I 
think you could gain more by studying other systems.


--Bryan
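As an added illustration (not code from the thread, nor from Karn's or anyone else's DES implementation): the spec's E expansion computed straight from the table alongside the rotate-then-slice form that fast implementations use, so the input bits of each s-box can be checked, including the bit that wraps around from the other end of the half-block for s-boxes 1 and 8.

```python
# DES expansion table E from FIPS 46. Bit numbering follows the standard:
# bit 1 is the most significant bit of the 32-bit half-block, bit 32 the least.
E_TABLE = [
    32,  1,  2,  3,  4,  5,
     4,  5,  6,  7,  8,  9,
     8,  9, 10, 11, 12, 13,
    12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21,
    20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29,
    28, 29, 30, 31, 32,  1,
]


def sbox_input_bits(k):
    """Half-block bit numbers (1..32) that feed s-box k (1..8), per the spec."""
    return E_TABLE[6 * (k - 1):6 * k]


def expand_by_table(r):
    """Spec-style expansion of a 32-bit half-block into a 48-bit value."""
    out = 0
    for pos in E_TABLE:
        out = (out << 1) | ((r >> (32 - pos)) & 1)
    return out


def rotr32(x, n):
    """Rotate a 32-bit word right by n bits."""
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF


def expand_by_rotation(r):
    """Same 48-bit result, computed the way optimised code does it: after one
    right rotation, s-box k reads six consecutive bits starting at position
    4k+1 of the rotated word. For s-box 8 the last two of those positions run
    past the end of the word, so the slice has to wrap around to the start;
    that wrap is the bit Bryan refers to, and storing the half-block in a
    pre-permuted order is what lets real implementations avoid the rotation."""
    t = rotr32(r, 1)
    # Append the top two bits of t after its low end so every s-box slice,
    # including the wrapped one for s-box 8, is a contiguous 6-bit field.
    ext = (t << 2) | (t >> 30)          # 34 bits wide
    out = 0
    for k in range(8):
        chunk = (ext >> (28 - 4 * k)) & 0x3F
        out = (out << 6) | chunk
    return out


def check_equivalence(samples):
    """True if both formulations agree on every sample half-block."""
    return all(expand_by_table(r) == expand_by_rotation(r) for r in samples)
```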



------------------------------

From: [EMAIL PROTECTED] (pjf)
Subject: Cryptanalysis Question: Determing The Algorithm?
Date: Sat, 21 Apr 2001 08:44:17 GMT

I was giving a talk today about cryptography for my coworkers, and the
question came up:  If someone gets a chunk of cyphertext that they are
trying to cryptanalyze, how do they determine what algorithm was
used, and does that even matter?

Since everything I've ever read about cryptanalysis suggests that the
security lies entirely in the secrecy of the key, not the algorithm,
and thus it is assumed that the cryptanalyst knows the details of the
algorithm, I was stumped.

How does one determine what algorithm was used for a block of
cyphertext (assume it's long enough to be cracked by known methods for
any given algorithm, i.e. it's not an OTP), and does that even matter?

Thanks for the help.

-pjf

--
[EMAIL PROTECTED]
http://www.staticengine.com
Developer, KnowWonder Inc.
Musician, Static Engine
---
Digital Certificates provide no actual security for
electronic commerce; it's a complete sham.
          -Bruce Schneier, Secrets & Lies




------------------------------

From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Will this defeat keyloggers ?
Date: Sat, 21 Apr 2001 19:54:19 +1000

Not necessarily.
Attacks that capture the screen image around the click site (e.g. as a BMP)
and send them off already exist.
Capturing the image was necessary for a keypad that relocated its screen
position on each click: the numbers stayed in the same order, but the effect
would be the same.  This was used in at least 3 on-line banking solutions I
know of, but has been sidelined by the technically simpler but less secure
browser + PC keyboard.

Lyal


Paul Rubin wrote in message <[EMAIL PROTECTED]>...
>[EMAIL PROTECTED] (Nemo psj) writes:
>> You could just make a keypad on the screen and have them click in the
>> passphrase....  In this way the only keys registered are the mouse clicks.
>
>The mouse clicks raise windows events just like keystrokes do.
>So the logger might also log the mouse clicks.
>
>However, if the letters/digits on the keypad were displayed in a
>random order and changed after every click, that also sounds like
>a good solution.



------------------------------

From: Jonas <[EMAIL PROTECTED]>
Subject: Censorship Threat at Information Hiding Workshop
Date: Sat, 21 Apr 2001 06:12:34 -0400

It seems the US record industry tries to prevent publication
of an academic paper next week at the Information Hiding
Workshop in Pittsburgh:

  http://cryptome.org/sdmi-attack.htm

This rather pathetic attempt to intimidate highly respected
authors by having lawyers send letters to their employers
is far from suited to provide any confidence whatsoever
in the SDMI approach, especially since the paper
doesn't really introduce any dangerously new attack
technology but just simply confirms that various by now
well established and published techniques for disrupting
multimedia watermarking schemes can also be applied
successfully to the algorithms presented in the SDMI
challenge. SDMI/RIAA just tries to kill the messenger
instead of realizing that it is building on flawed
technology.

If such behaviour becomes more common practice, then the
DMCA will ultimately be responsible for why conferences on
the open discussion of the limitations of security
technology should better be held outside US territory and
should be organised by program chairs from countries
with a constitutional guarantee for the freedom of
academic research and teaching. You might want to make
your representatives in congress aware of what the DMCA
is being used for today.

:-(



------------------------------

From: [EMAIL PROTECTED] (Marc)
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: MS OSs "swap" file:  total breach of computer security.
Date: 21 Apr 2001 10:28:21 GMT

>The ONLY possible attack is: When Windows is NOT running or the disk has
>been dismantled from the system for analysis on another system.

Nothing more than a boot disk is required to boot another OS.

>I don't see any problem with the pagefile, explain me, what's wrong?????

Well, the problem is that if anyone is interested in the swapfile, he
can easily leave the scope of Windows.   Making the file inaccessible
from Windows itself does not add security; it merely keeps you from
accidentally crashing the computer by messing with the file.

The 00-overwrite feature adds security, although it is possible to
recover the previous data - at a high financial investment.

An attacker might also simply keep Windows from overwriting it, e.g. by
cutting the electricity supply to your office before raiding it (or
whatever scenario you prefer).

------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: Punsh your keyboard for randomness (was Re: C Encryption)
Date: 21 Apr 2001 10:28:22 GMT


>  printf("djlkakjfdLI3nklFD9Fklklfasj(3jmklFD3#@23jklas;j(32lkjr*");
>
>  This encryption program has perfect security - the output is
>  essentially random and has no dependency whatsoever on the input.

Well, the output is far from random...  There are a lot of groups that
are amazingly easy to reach on QWERTY keyboards, such as "jlk" or "fd",
"nkl", "mkl", "as", "lkj" etc.   Also, there are really a lot of lower
case letters.  The special chars do not appear at all in the first half;
obviously you found that they would make a good figure after half the
message was already typed.

Etc.  There's a lot of weakness in this output.

Anecdote: when registering on Napster recently, I entered a "name" by
just hitting the keyboard at random, something along the lines of
"asdfsdfgsf".  To my surprise (?) it already _was_ registered, and not
just once: adding a "1" to it didn't work either.  Those random character
strings are far from random.

------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: Re: MS OSs "swap" file:  total breach of computer security.
Date: 21 Apr 2001 10:28:24 GMT

>One solution that just might be effective against disk forensics (but
>not trojans) is to create three or more random keys, store these keys in
>global memory, start up three different processes to manage each of
>these keys, and use the keys to encrypt all sensitive internal data.

I work on an encryption driver for Win9x PCs that encrypts all data that
is written to disk, including the operating system itself, the temp
folders and the swapfile.  Once the computer is turned off, the disk
is secure against those who do not know the passphrase.

------------------------------

From: "The Death" <[EMAIL PROTECTED]>
Crossposted-To: alt.sources.crypto,sci.math
Subject: The Extended Euclidian Algorithm (The original, not modular!)
Date: Fri, 20 Apr 2001 14:07:14 +0200

Where can I find the extended Euclidean algorithm to find x and y (given a
and b) such that xa + yb = GCD(a,b) ???

10x in advance,
                   The Death
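Added here as a worked example (not part of the original post): the extended Euclidean algorithm in its plain, non-modular form, returning the Bezout coefficients x and y together with the gcd, with the invariant xa + yb = remainder maintained at every step.

```python
def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) >= 0 and x*a + y*b == g.

    Iterative extended Euclid. Each row (r, x, y) satisfies r == x*a + y*b;
    the ordinary Euclidean recurrence r_new = r_old - q*r is applied to all
    three quantities at once, so the coefficients follow the remainders.
    """
    old_r, r = a, b
    old_x, x = 1, 0        # coefficients of a
    old_y, y = 0, 1        # coefficients of b
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    # Floor division keeps |r| strictly decreasing for negative inputs too,
    # but the final remainder can come out negative; normalise the sign.
    if old_r < 0:
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y


def bezout_holds(a, b):
    """Check that the returned coefficients really satisfy x*a + y*b == gcd."""
    g, x, y = extended_gcd(a, b)
    return x * a + y * b == g


if __name__ == "__main__":
    g, x, y = extended_gcd(240, 46)
    print(f"gcd(240, 46) = {g} = ({x})*240 + ({y})*46")
```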



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Random and not random
Date: Sat, 21 Apr 2001 12:42:56 +0200



John Savard wrote:
> 
[snip]
> So by using both the COTP, and the *true* OTP, or UOTP, plus layers of
> conventional encryption, one has better confidence in one's message
> being obscured! It is mathematically unbreakable, because a UOTP is
> used; it is obscured, because a COTP is used, it is not easily
> readable if a breakdown happens in handling the large masses of key
> material, because a conventional cipher is used.

[snip]

Dumb question: What is the function of the conventional
cipher (i.e. it seems to be redundant here)?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sat, 21 Apr 2001 12:42:31 +0200


Bryan Olson wrote:
> 
> In article <[EMAIL PROTECTED]>, Mok-Kong Shen wrote:
> >
> >
> >Bryan Olson wrote:
> >>
> >> Mok-Kong Shen wrote:
> >> >Bryan Olson wrote:
> >> >>
> >> >> Mok-Kong Shen wrote:
> >> >> > Mok-Kong Shen wrote:
> >> >> > > The PRNGs are assumed to be independent (I forgot to
> >> >> > > explicitly say that) and uniform.
> >> [Snip...]
> >> >> > Addendum: The scheme of Wichmann and Hill is intended
> >> >> > to get a more uniform stream from a number of not well
> >> >> > uniform streams.
> >> [...]
> >>
> >> [Bryan]
> >> > You now say the
> >> > intentions contradict what you just said was assumed.
> >>
> >> > 'What' I said contradicts 'what' I assumed?
> >>
> >> Yes.  The edits above should make that clear.
> >
> >You snipped the part that is essential for the point
> >you raised here.
> 
> Sorry, I didn't mean to snip any point.
> 
> > So I reproduce that below:
> >
> >  Addendum: The scheme of Wichmann and Hill is intended
> >  to get a more uniform stream from a number of not well
> >  uniform streams. The assumption I made above that
> >  the PRNGs are uniform is for discussion of the
> >  theoretical point you raised which I quote below:
> >
> >     The modification destroys an important property of
> >     the basic combination method: as long as the streams
> >     are independent, if any of the streams are uniform
> >     then the sum is uniform.
> >
> >  So in that situation we assume that there are uniform
> >  streams to start with.
> >
> >Essential is my last sentence above. The quote from
> >you mentioned 'uniform'. Actually the scheme of Wichmann
> >and Hill is intended to get more uniform streams from
> >not so uniform ones. So we couldn't, strictly speaking,
> >argue about your quote (and hence your claimed
> >'destruction') at all, since we don't have any 'exactly'
> >'uniform' streams.
> 
> Nonsense.  Your note implies cryptographic use, not the
> original intended use.

I certainly imply crypto use. Otherwise I wouldn't have
posted to this group. What's wrong with my introducing
something that is in my view useful to crypto to the
group? Could you clearly explain your point here?
I don't understand you.
> 
> >(Should I on this ground have said that
> >the material of your quote is 'irrelevant' and stopped the
> >discussion on that with you?) On the other hand, it is
> >obvious that the theorem involved in you quote above is
> >'theoretically' interesting, for it forms the base on
> >which the scheme of Wichmann and Hill is oriented (just
> >like a good pseudo-random bit sequence is oriented
> >towards the theoretical ideally random sequence).
> 
> The theorem is important.  It also has a significant
> cryptographic corollary: if there is any one stream the
> attacker cannot distinguish from uniform, then he cannot
> distinguish the Wichmann-Hill combination from uniform
> (again assuming the streams are independent).  That is false
> for your scheme.  We can also show that the attacker cannot
> predict the Wichmann-Hill sum any more accurately than he can
> predict the least predictable of the streams. Again this is
> false for your scheme.

Don't forget, as I had also said previously, that Wichmann
and Hill is destined for practical cases where one doesn't
have any exactly uniform streams and tries to obtain
a more uniform one from less uniform ones. Since, as
you also pointed out, Wichmann and Hill was originally
not for crypto, why would one (in that situation) use their
scheme if one already had a uniform stream? About the
issue of deterioration of uniformity, we can wait for the
result of Brian Gladman, from which one will see whether
introducing multipliers with only small deviation from
1.0 shows up in the statistical tests. (Gladman claimed
the combination is very non-uniform.)

> 
> >Therefore, in order to avoid general readers wondering
> >why we started to discuss about 'uniform' while there is
> >no exact uniformity present, I put out the addendum. Is
> >that clear to you now?
> 
> It's nonsense still.
> 
> >> >> No.  You stated a bogus result.  What evidence we have
> >> >> indicates that it's false.
> >> >
> >> >'What' is the bogus result?
> >>
> >> "thus rendering the analysis more difficult."  There is no
> >> support for this assertion in the note or in the follow-ups.
> >
> >The original Wichmann and Hill scheme gives e.g.
> >
> >    R = r1 + r2 + r3   mod 1
> >
> >The modified one gives
> >
> >    R = c1*r1 + c2*r2 + c3*r3   mod 1
> >
> >What the opponent has is R. Assuming he had a method
> >to get the components r1, r2 and r3 from R, he would
> >have more difficulty doing so in the second case, since
> >the c1, c2 and c3 are unknown to him, isn't it?
> 
> Are you joking?  What is the justification for that
> assumption?  Can you in general get the components from the
> sum?  Can you in realistic cases?
> 
> If you are asked to compare schemes A and B, you can't
> simply assume scheme A is broken and conclude scheme B looks
> better.  Cryptosystems don't fall just because you assume
> they do.
> 
> Still a completely bogus result.  No justification.

If in the first case one can't obtain r1, r2, r3 from
R, then all is very well. It follows that one also can't
obtain c1*r1 etc. and hence r1 etc. If, to take an
extreme case, he knows for one value of R the corresponding
values of r1 and r2, he can determine r3 in the first
scheme but not in the second scheme (assuming c1 etc.
are unknown). Isn't that clear?

> 
> > (He
> >has somehow to determine these unknowns.) One could
> >certainly dispute about how much is that 'more'. But
> >that there is some 'more' should be evident.
> 
> What is evident is that you have not looked seriously at the
> properties of the Wichmann and Hill scheme.
> 
> >> >'What' is the evidence?
> >>
> >> As stated in the strand.  The modification throws away
> >> important properties of the scheme.  The resulting stream
> >> can come out worse than an individual component stream.
> >
> >Partly covered above. For the rest: See my follow-up
> >to Brian Gladman, who claimed essentially the same as
> >you but in a more concrete way. I have asked him to redo
> >his chi-square tests and present the results.
> 
> You were the advocate of that particular test.  Where are
> your results?

Not MY results. His results! Unfortunately his results
did not conform to common practice in statistics. I 
therefore asked him to revise his experiments.

> >As said
> >there, I never exclude the possibility of my making
> >blunders, anywhere, anytime. But I want to see concrete
> >refutations rather than fuzzy categorical claims of
> >my being wrong without any accompanying supporting
> >materials.
> 
> Utter hypocrisy.  Your claims have only nonsense behind
> them.  There's nothing fuzzy in the theorems we can show
> about Wichmann-Hill.

I would like to use this opportunity to once again ask Brian
Gladman to present to us his revised results, helping
to settle the dispute. I should appreciate it very much
if he could do the work at his earliest convenience.
It shouldn't take much work, since only the number
of categories needs to be changed in the program.
The sample size could be reduced to at least one tenth
of the original one, as I suggested, so computing time
shouldn't be an issue. (A copy of this post is addressed
to him.)

M. K. Shen

------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sat, 21 Apr 2001 12:55:42 +0100

"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

[snip]
> of the general readers, I like to request you to present your results in a
> terse manner as follows:
[snip]

I only provided the chi-squared values in order to show that this was not
a sensible thing to do.  In consequence I do not intend to do any more work
on this because I consider it unnecessary to apply such techniques to data
that can be seen by simple inspection to be distributed very differently to
that which is expected.  However, there is nothing to stop you doing further
work on this if you wish since I have already provided all the basic
information that is needed.

But a few minutes of high school maths is all that is necessary to show that
with:

(1) two random variables (A) and (B) that are uniformly distributed on
[0.0:1.0);
(2) two numbers, a and b, both of which are close to, but not equal to, 1.0;
(3) a third variable (C) =  {a * (A) + b * (B)} mod 1.0;

the random variable (C) is not uniformly distributed on [0.0:1.0).

You originally disputed this but it seems, later, that you might have
recognised that the distribution would only be uniform if at least one of
the multipliers was 1.0.

Do you still dispute my claim that the variable (C), as defined above, has a
non-uniform distribution on [0.0:1.0)?

    Brian Gladman
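Added here as a worked example (not code from either poster): the plain Wichmann-Hill combination R = r1 + r2 + ... mod 1 and the modified one with multipliers c_i from the thread above, with the chi-square test over a configurable number of categories that the two are arguing about. The sample size, seed and the multipliers 1.1 and 0.9 are choices made for this example; the streams are independent uniform draws, as both posters assume.

```python
import random


def combine(streams, multipliers):
    """Wichmann-Hill style combination: (sum of c_i * r_i) mod 1.
    All multipliers equal to 1.0 gives the original Wichmann-Hill sum."""
    return sum(c * r for c, r in zip(multipliers, streams)) % 1.0


def chi_square_uniformity(multipliers, n_samples=400_000, categories=10, seed=1):
    """Feed independent uniform [0,1) streams through combine() and return the
    chi-square statistic of the result against a flat histogram with the given
    number of categories (degrees of freedom = categories - 1)."""
    rng = random.Random(seed)          # fixed seed so the result is repeatable
    k = len(multipliers)
    counts = [0] * categories
    for _ in range(n_samples):
        r = [rng.random() for _ in range(k)]
        cell = int(combine(r, multipliers) * categories)
        counts[min(cell, categories - 1)] += 1
    expected = n_samples / categories
    return sum((o - expected) ** 2 / expected for o in counts)


def edge_vs_middle_ratio(multipliers, n_samples=400_000, categories=10, seed=1):
    """Ratio of the count in the first category to the count in a middle one.
    With multipliers close to but not equal to 1.0 the mass near 0 and 1 is
    thinned out, which is what 'simple inspection' of the histogram shows."""
    rng = random.Random(seed)
    k = len(multipliers)
    counts = [0] * categories
    for _ in range(n_samples):
        r = [rng.random() for _ in range(k)]
        cell = int(combine(r, multipliers) * categories)
        counts[min(cell, categories - 1)] += 1
    return counts[0] / counts[categories // 2]


if __name__ == "__main__":
    for mults in [(1.0, 1.0), (1.0, 0.9), (1.1, 0.9), (1.1, 0.9, 1.05)]:
        print(mults, round(chi_square_uniformity(mults), 1))
```

For a = 1.1 and b = 0.9 the density of C can be worked out by hand: it is 1/0.99 on [0.1, 0.9) and falls off linearly toward 0.909 at both ends, so the chi-square value is far above the 9 expected for a uniform stream, while keeping any one multiplier at exactly 1.0 leaves the sum uniform.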




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP breaking strategy
Date: Sat, 21 Apr 2001 13:47:31 +0200



newbie wrote:
> 
> Your article is nothing more than a duplicata of Jendal and cie.
> Do not try please to deny it.

What are you talking about here??? On seeing the reference
you gave, I posted at once a follow-up (I hadn't time to
examine it fully -- I still await one relevant paper from
the library and intend to post my result sometime) in the
thread (where you posted) 'GCHQ turned me away...' of
03 Apr 2001 23:17:19 +0200 the following:

   I think that 'newbie' was writing outside of the context of
   this thread and was referring to a discussion in a thread
   initiated under the name 'amateur' (concerning OP's claimed
   new 'idea'), in which I mentioned a post of mine of last year
   where I discussed a general substitution scheme employing a
   number of Huffman codes with homophones and dummies, much in
   the fashion of polyalphabetic substitutions. Obviously he
   wanted to say that this material has been treated before by
   Jendal, Kuhn and Massey. I haven't yet carefully studied
   the paper, but it seems that 'newbie' is right (or at least
   largely so).

What 'more' should I have said than the above???

> If you are so sure post the two texts at the same time to let others
> appreciate if it is not duplicata.

I don't understand what you mean with the above sentence.
Which two texts? Do you mean that my original article
(of Oct last year) duplicates the ideas of others, as you
said previously? I suppose that you know (if not,
then learn from here as your first experience) that
in science, due to the fact that an author cannot do
a 'complete' search of all the available literature,
duplications cannot be entirely avoided. In journals
the referees are there to greatly reduce (not entirely
eliminate) the chance of duplications. Papers e.g.
in Russian are generally less known to people in the
English speaking world. Thus previously there was
quite some duplication of work by Russian and English
authors, though the situation has greatly ameliorated
through more translations being done and the availability
of good literature databases and review journals.

> I know that I'm newbie. I recognize that I have more to learn. I'm just
> discovering what cryptography is. I learn more posting and reading posts
> than reading books.

Why don't you read a few more books, as others have
suggested?? The strategy of exploiting the good will of
others in the group to save your own effort of reading
books is 'egoistic' and is a very unfair attitude towards
the others. The others will certainly be happy to help you
when you have difficulties understanding certain passages
in the texts of books, but they are not there to save you
the time of reading books. Do you, for example, expect
your friends to read (for you to conveniently hear) a
crime novel, simply because you are too lazy to read
the book yourself? (Children do ask adults to read, but
that's because they can't yet read well themselves.)

What is appropriate to do is therefore one of the following:
(1) Cite a certain paragraph of a book which you can't
properly understand and ask others to help you capture
its meaning. (2) Put up your own arguments that (seemingly)
indicate that what is said in a book is wrong and ask
others whether the author of the book could have erred.
Take the case of the OTP, which is the topic of the present
thread: in (2) you have to show in a concrete way that the
proof of security of the OTP in the literature is wrong in
your view, i.e. point out the exact places in the text where
in your opinion the author has stated something which he
shouldn't have because it is logically wrong in your view.

M. K. Shen

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
