Cryptography-Digest Digest #217, Volume #14 Mon, 23 Apr 01 16:13:01 EDT
Contents:
Re: SHA prng ("Dobs")
Re: Gurus: Please show weaknesses in this ("M.S. Bob")
Re: OTP WAS BROKEN!!! (Ben Cantrick)
Re: OTP WAS BROKEN!!! ("Tom St Denis")
Re: compare PRNG ("Tom St Denis")
Re: OTP WAS BROKEN!!! (newbie)
Re: RSA-like primes p and q ("Tom St Denis")
Re: OTP WAS BROKEN!!! (newbie)
Re: SHA prng ("Jack Lindso")
Re: XOR TextBox Freeware: Very Lousy. ("Joseph Ashwood")
Re: XOR TextBox Freeware: Very Lousy. ("Joseph Ashwood")
Who Has The Answers? ("OverTime")
Re: C code for GF mults ("Brian Gladman")
----------------------------------------------------------------------------
From: "Dobs" <[EMAIL PROTECTED]>
Subject: Re: SHA prng
Date: Mon, 23 Apr 2001 20:49:24 +0200
I know that I should read more books about cryptography but I can read only
books which are available on the web; recently I ordered 'The Art of
Computer Programming' and Amazon sent me the 2nd edition from 1938. I do not
have so much money to take the risk - I am still a student :) :(((((( and the
distance is too long for me to argue with them
(((
Anyway that's really great I can count on U.
Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:hdYE6.35777$[EMAIL PROTECTED]...
>
> "Dobs" <[EMAIL PROTECTED]> wrote in message news:9c1hko$9c8$[EMAIL PROTECTED]...
> > I know that to generate secure random number first I need to collect R
> bits
> > of entropy and then use HASH(R) which will give me 160-bit string called
> > message digest which is said to be random number.
>
> Wrong. if R is not random then neither is HASH(R). The hash will at best
> compress the entropy in R downto a shorter string.
>
> > However I have a problem collecting entropy because it is really very
> > difficult to make use of it in my program.
> > Can I just generate the random number R by the function
> > srand( (unsigned)time( NULL ) ) instead of collecting entropy and then
> > HASH(R)? Would it be a random number and would it be a secure PRNG which
> > could be used for cryptographic aims?????
>
> You really should read more texts before writing any secure programs.
> You're obviously new to the scene (which is cool). Unfortunately too many
> people get hold of super DES or something and feel they can write their own
> secure applications.
>
> If you made your string R with only (about) 32 bits of entropy I could guess
> the output of the hash prng with about 2^32 work which is not a heck of
> a lot.
>
> Tom
>
>
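As an added example (not code from Tom's or Dobs's posts), the Python below models the construction Dobs described, a SHA-1 "PRNG" seeded from srand((unsigned)time(NULL)), and carries out the attack Tom is pointing at: the seed carries at most 32 bits of entropy, so an attacker who sees one 20-byte block of output recovers the seed by searching timestamps and then reproduces every later block. The SHA1(seed || counter) keystream layout, the April 2001 timestamp, the known first block and the search window are assumptions constructed for the demonstration.

```python
import hashlib
import struct
from typing import Optional

BLOCK = 20  # SHA-1 digest length in bytes


def keystream(seed: int, n_blocks: int) -> bytes:
    """The 'SHA PRNG' as assumed for this example: block i is SHA1(seed || i).
    With seed = (unsigned)time(NULL) there are at most 2^32 possible
    keystreams, however long the output gets: hashing adds no entropy."""
    out = bytearray()
    for counter in range(n_blocks):
        out += hashlib.sha1(struct.pack("<II", seed & 0xFFFFFFFF, counter)).digest()
    return bytes(out)


def recover_seed(first_block: bytes, approx_time: int, window: int) -> Optional[int]:
    """Attacker: the seed is a Unix timestamp and the message time is known
    to within +/- window seconds (e.g. from mail headers), so the search runs
    over 2*window+1 candidates.  With no timing hint at all the worst case is
    the full 2^32 seeds Tom mentions, nowhere near 2^160."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if keystream(candidate, 1) == first_block:
            return candidate
    return None


def predict_keystream(first_block: bytes, approx_time: int, window: int,
                      n_blocks: int) -> Optional[bytes]:
    """Once the seed is known the whole 'random' stream follows from it."""
    seed = recover_seed(first_block, approx_time, window)
    return None if seed is None else keystream(seed, n_blocks)


if __name__ == "__main__":
    sender_seed = 988055364          # constructed: a timestamp in April 2001
    ks = keystream(sender_seed, 4)
    # Attacker observed block 0 (say, via a known plaintext header) and knows
    # the message was produced within 15 minutes of a guessed time.
    guess = predict_keystream(ks[:BLOCK], sender_seed + 600, 900, 4)
    print("recovered full keystream:", guess == ks)
```

A 15-minute window costs about 1800 SHA-1 evaluations; even the unhinted 2^32 search is hours on commodity hardware, which is why the entropy of the seed, not the width of the digest, decides the strength of the generator.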
------------------------------
From: "M.S. Bob" <[EMAIL PROTECTED]>
Subject: Re: Gurus: Please show weaknesses in this
Date: Mon, 23 Apr 2001 19:52:39 +0100
Brett wrote:
>
> I'm new to this group, but wonder if I can generate
> interest in the following method of encryption, in hopes
> that some of the more experienced of the group can point
> out its weaknesses (if any).
micro-mini-FAQ:
sci.crypt FAQ Question 2.3 "How do I present a new encryption scheme in
sci.crypt?"
<http://www.faqs.org/faqs/cryptography-faq/part02/>
The rest of the FAQ
<http://www.faqs.org/faqs/cryptography-faq/>
RSA Security's Cryptography FAQ
<http://www.rsasecurity.com/rsalabs/faq/>
BTW, I think this is now available as a book, or at least there is now
a book from RSA Security that is very similar in nature. _Cryptography
Decrypted: A Pictorial Introduction to Digital Security_ by H. X. Mel,
Doris M. Baker, Steve Burnett ISBN 0201616475.
Memo to the Amateur Cipher Designer
<http://www.counterpane.com/crypto-gram-9810.html#cipherdesign>
So, You Want to be a Cryptographer
<http://www.counterpane.com/crypto-gram-9910.html>
Why Cryptography Is Harder Than It Looks
<http://www.counterpane.com/whycrypto.html>
Security Pitfalls in Cryptography
<http://www.counterpane.com/pitfalls.html>
Why Cryptosystems Fail
<http://www.cl.cam.ac.uk/users/rja14/wcf.html>
Programming Satan's Computer
<http://www.cl.cam.ac.uk/ftp/users/rja14/satan.pdf>
I would strongly recommend at least one historic book on cryptography.
Whether it is the "bible", _The Codebreakers_ by David Kahn or the quick
and gentle, _The Code Book_ by Simon Singh, or one of dozens about the
Enigma in WWII, read at least one real life account of how cryptographic
systems have failed "in the field."
This is an attempt to help make your experience here less painful, less
angst-filled, and to get you up to speed quickly. Just me trying to
help, so you and everyone else can have a positive experience here.
Good luck.
------------------------------
From: [EMAIL PROTECTED] (Ben Cantrick)
Subject: Re: OTP WAS BROKEN!!!
Date: 23 Apr 2001 13:06:09 -0600
In article <9c01vj$[EMAIL PROTECTED]>,
Ben Cantrick <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
>newbie <[EMAIL PROTECTED]> wrote:
>>THE NUMBER OF MESSAGES WHICH HAVE A SENSE IS INFINITESIMAL COMPARING TO
>>THOSE WHICH DOES NOT HAVE A SENSE!!!!!!!!!!!!!!!!!!!
>
> Infinity squared is bigger than infinity, but it's still impossible
>to pick the correct message out of an infinite number of equiprobable
>choices.
Let me be more exact in my language...
The controversy seems to revolve around my use of different "sized"
(if you will) infinities. I won't go into set theory or try and define
what I was saying rigorously, because there's no point. Because there
aren't an infinite number of possible decryptions of a one-time pad anyway.
Using infinity (or infinities) to describe the number of solutions was
nonsensical and incorrect. There is a very hard upper bound on the number
of possible decryptions of an OTP encyphered message. It's 2^(number of
bits in the cyphertext). (What a shocking revelation, eh? ;])
What I should have said is that it doesn't matter whether you're dealing
with 1 bit or 1000 bits, if all possible decryptions of an OTP are equally
probable (which they are, with a truly random pad[1]), you have no way
to decide which of the possible decryptions is the right one. Even if
you brute-force the entire keyspace, you will simply generate every
possible decryption. All of which are equiprobable. Even if you then
cull out the "nonsensical" entries, all the remaining "sensible" entries
are still equiprobable. You have no way to decide which is the
right one.
So you are reduced to "best guess". Which sometimes may work. That's
fine - sometimes you can guess what your enemies are thinking. Nothing
magical about guessing right once in a while. But the occasional good
guess is a far, far cry from "breaking OTP" in the commonly accepted
sense of "breaking" a cypher.
The OTP
IIIIIIIIIIIIII
Can equally well decode to:
ATTACK AT DAWN
or
WITHDRAW FORCE
Depending on the pad. You have no way to tell. Brute-forcing the
"IIIII" OTP message will produce both of the above, and many more
"sensible" decryptions. And all of them are equiprobable - given
a truly random pad.[1]
-Ben
=====
[1] I refuse to get in a debate about whether it's possible to make a
truly random pad or not. For the sake of the discussion, grant me that
it's possible and we somehow have one. If you want to tell me about your
latest analysis techniques to break supposedly "truly random" number
generators, I'd love to hear about it - but in another thread.
--
Ben Cantrick ([EMAIL PROTECTED]) | Yes, the AnimEigo BGC dubs still suck.
BGC Nukem: http://www.dim.com/~mackys/bgcnukem.html
The Spamdogs: http://www.dim.com/~mackys/spamdogs
"Does narcissism count as a hobby?" -Shawn Latimer
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 19:12:19 GMT
"newbie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> The sender does not re-use the key!!!!!!
> I simulate re-using the key!!!!
That's impossible. How can you simulate using something you don't have?
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: compare PRNG
Date: Mon, 23 Apr 2001 19:13:26 GMT
" ink" <[EMAIL PROTECTED]> wrote in message
news:9c1ost$ne7$[EMAIL PROTECTED]...
>
> "Tom St Denis" <[EMAIL PROTECTED]> schrieb im Newsbeitrag
> news:_9YE6.35771$[EMAIL PROTECTED]...
> >
> > "Dobs" <[EMAIL PROTECTED]> wrote in message
news:9c1hkn$9c8$[EMAIL PROTECTED]...
> > > How can I decide that one PRNG is better and more secure than other .
Do I
> > > have to test them for randomness. Is it true that the more random the
> > number
> > > is the more secure PRNG is?
> >
> > You analyze the algorithm not the output.
>
> C'mon... instead of just criticising, mention DieHard. That will at least
> give *some* indication of how *good* or random the output of a PRNG
> is.
>
> I don't have a link, though, maybe somebody could provide that?
All diehard can tell you is "given my battery of tests this output seems to
be [not] very well distributed". It's not a secure/unsecure test.
Tom
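Added example, not code from anyone in this thread: Tom's point that a statistical battery says nothing about security can be made concrete with Python's own random module, which is a Mersenne Twister (MT19937). Its output is well distributed, yet after observing 624 consecutive 32-bit outputs an attacker can undo the output tempering, rebuild the internal state and predict every later value. A monobit count stands in for Diehard here; the seed value and the choice of 624 observed words (the MT state size) are assumptions for the demonstration.

```python
import random
from typing import List

MASK32 = 0xFFFFFFFF


def untemper(y: int) -> int:
    """Invert MT19937's output tempering to get back the raw state word
    that produced output y.  Tempering is four reversible XOR-shift steps."""
    y ^= y >> 18                            # self-inverse: shift >= 16
    y ^= (y << 15) & 0xEFC60000             # self-inverse: mask leaves low 17 bits alone
    x = y                                   # undo y ^= (y << 7) & 0x9D2C5680
    for _ in range(5):                      # each round fixes 7 more low bits
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x & MASK32
    x = y                                   # undo y ^= y >> 11
    for _ in range(3):                      # each round fixes 11 more high bits
        x = y ^ (x >> 11)
    return x & MASK32


def clone_generator(observed: List[int]) -> random.Random:
    """Rebuild a generator from 624 consecutive 32-bit outputs.  Index 624
    makes the clone regenerate its block on the next call, as the victim will."""
    if len(observed) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(w) for w in observed) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def predict_next(observed: List[int], n: int) -> List[int]:
    """The attacker's prediction of the victim's next n outputs."""
    clone = clone_generator(observed)
    return [clone.getrandbits(32) for _ in range(n)]


def monobit_fraction(words: List[int]) -> float:
    """A crude Diehard-style statistic: fraction of one bits.  Close to 0.5
    for a good generator, and just as close for this fully predictable one."""
    ones = sum(bin(w).count("1") for w in words)
    return ones / (32 * len(words))


if __name__ == "__main__":
    victim = random.Random(20010423)        # seed constructed for the example
    seen = [victim.getrandbits(32) for _ in range(624)]
    print("monobit fraction:", round(monobit_fraction(seen), 4))
    print("predicted:", predict_next(seen, 3))
    print("actual:   ", [victim.getrandbits(32) for _ in range(3)])
```

The generator passes the distribution check and fails completely as a cryptographic PRNG; the failure is visible only by analysing the algorithm, which is the distinction Tom draws.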
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 15:08:38 -0300
k belongs to the domain of all possible messages XORed with C.
I compute this: possible message XOR cipher of the sender = possible k.
I can list all the keys.
But I still do not know which key was used.
If you have the possible keys you can consequently test the key.
It is very simple.
You are sure that the key used to encipher belongs to this domain.
Consequently you can encipher another with your test-key.
If your test-key = key used to encipher, it is as if the sender re-used
the key.
But the sender DID NEVER RE-USE HIS KEY.
Joe H Acker wrote:
>
> newbie <[EMAIL PROTECTED]> wrote:
>
> > I'm going to be more clear.
> > If the sender re-use his key to encrypt any message, I will certainly
> > recover the 2 plaintext.
>
> All right, as noted by others, it's not an OTP in this case.
>
> > HE DID NOT. He use only once his PAD.
>
> Sounds good.
>
> > What I'm trying to exploit is nothing more than REUSING HIS OWN PAD.
> >
> > I do not know which key he used.
> > But if I re-use every time, the key obtained by Xoring PM (i) and his
> > ciphertext. I make this hypothesis : if the key I re-use is IDENTICAL to
> > HIS KEY, I'm sure that is the key he used. And the plaintext is
> > uncovered.
>
> Okay, in this case you've guessed the key. Or, if you want to say so,
> you've guessed the ciphertext. But you don't know his key as you don't
> know the plaintext, so you don't know whether the key k' you re-use is
> identical to his key. That's obvious.
>
> > But if my testing-key k' is different from k, then P (his plaintext)
> > Xor (k Xor k') will with high probability give a text with no sense.
>
> Yes. But you have your ordered list of probable meaningful plaintexts,
> ordered on their probability of occurrence as estimated by you. That
> severely limits the total search space and that can be useful. I don't
> think anyone disagrees on this. However, if the above gives a message
> with sense...will that help you determine the plaintext?
>
> > I exploit 2 things :
> >
> > - matching my hypothetical key with his key
>
> Here you probably mean something different. You don't know his key.
>
> > - the probability that any text (with sense) if Xored with a random key (
> > k Xor k'; k different from k') will not NECESSARILY give me a text (with
> > sense). If k' is equal to k, I'm sure 100 % that I could obtain by
> > simplification his PLAIN-TEXT.
>
> But the crucial point is that you do not know k. Hence, you cannot
> determine whether k' is equal to k.
>
> It seems you want to approximate k or p. What fact (correlation, bias,
> inequality or whatever you think it is and however you describe it) do
> you intend to use as a way to approximate k or p?
>
> You're talking about intentionally re-using k. You cannot do that,
> because you don't know k. What you probably mean and said elsewhere, you
> re-use the ciphertext as key. That's the step that is unclear to me and
> probably others. How exactly does this operation help you decide which
> of the messages in PM(i) is the actual plaintext?
>
> Regards,
>
> Erich
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: RSA-like primes p and q
Date: Mon, 23 Apr 2001 19:15:50 GMT
"Dobs" <[EMAIL PROTECTED]> wrote in message news:9c1t2h$o04$[EMAIL PROTECTED]...
> It was in algorithm in Menezes book 'Handbook of applied cryptography' :)
Um I looked at chapter 3 and they mention (under the RSA problem) "two
distinct odd primes p and q". That's all.
Maybe you are thinking (or they were discussing) "strong primes" which were
used to stop early factoring algorithms. They are not relevant today.
Tom
> U�ytkownik Tom St Denis <[EMAIL PROTECTED]> w wiadomo�ci do grup
> dyskusyjnych napisa�:J8YE6.35769$[EMAIL PROTECTED]
> >
> > "Dobs" <[EMAIL PROTECTED]> wrote in message
news:9c1hkl$9c8$[EMAIL PROTECTED]...
> > > In one of the algorithm there was written that I need RSA-like primes
p
> > and
> > > q . What does 'RSA-like' mean.
> > > Does it only mean that I need big primes numbers (at least 512
> > > bits)???????????????????????
> > >
> >
> > Where the heck did you hear "rsa-like primes"? It's a meaningless term.
> >
> > RSA just requires two large primes...
> >
> > Tom
> >
> >
>
>
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 15:14:11 -0300
First of all, do you agree with my statement before continuing?
Just this statement.
> Suppose a child that use only 4 words.
> He use OTP to send a message. Ok
>
> I have the ciphertext 01001001010101
>
> I compute Word(1) Xor Cipher = k'1. I'm going to obtain a possible key
> Word (2) Xor cipher= k'2
> Word (3) Xor cipher = k'3
> Word (4) Xor cipher = k'4
>
> It is sure that the key I'm looking is one of k'(i) i=1 to 4.
>
> Is that statement true???????
>
>
>
> Tom St Denis wrote:
> >
> > "newbie" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > I'm going to be more clear.
> > > If the sender re-use his key to encrypt any message, I will certainly
> > > recover the 2 plaintext.
> >
> > If the sender "re-use his key to encrypt any message" then he's not using an
> > OTP. If the person uses their key twice or more it is not an OTP, so your
> > post does not apply to the subject of the thread. Is that clear?
> > (my french is rusty...)
> >
> > > HE DID NOT. He use only once his PAD.
> > > What I'm trying to exploit is nothing more than REUSING HIS OWN PAD.
> >
> > Then don't claim it as a break for an OTP. It's a break of a Vigenère
> > cipher nothing more.
> >
> > Tom
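Added example for this thread (not code from any of the posters): the Python below carries out newbie's k'(i) = Word(i) XOR C enumeration on Ben Cantrick's ciphertext IIIIIIIIIIIIII and shows that every candidate plaintext of the right length has a pad that produces it, so the ciphertext alone gives no way to prefer one (Ben's 2^(bits of ciphertext) bound is the number of such pads). It then shows what actually breaks when one pad is used twice, the case Joe Acker and Tom say is no longer an OTP: C1 XOR C2 = P1 XOR P2, and a correct guess of one plaintext yields the other. The candidate messages and the fixed pad bytes are constructed for the demonstration.

```python
from typing import Dict, Iterable


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """OTP encryption and decryption are the same XOR; pad and message must
    be the same length, a shorter pad is exactly where reuse begins."""
    if len(a) != len(b):
        raise ValueError("pad and message must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def possible_decryptions(ciphertext: bytes) -> int:
    """Ben's bound: one pad per bit pattern of the ciphertext's length."""
    return 2 ** (8 * len(ciphertext))


def pad_for(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """newbie's k'(i) = Word(i) XOR C: the unique pad under which the
    ciphertext decrypts to this candidate."""
    return xor_bytes(ciphertext, candidate_plaintext)


def candidate_pads(ciphertext: bytes, candidates: Iterable[bytes]) -> Dict[bytes, bytes]:
    """One pad per candidate; each is as plausible as any other to someone
    holding only C, which is why listing them does not identify the key."""
    return {p: pad_for(ciphertext, p) for p in candidates}


def all_consistent(ciphertext: bytes, pads: Dict[bytes, bytes]) -> bool:
    """Every listed pad really does turn C into its candidate plaintext."""
    return all(xor_bytes(ciphertext, k) == p for p, k in pads.items())


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same pad: C1 XOR C2 = P1 XOR P2, the pad cancels."""
    return xor_bytes(c1, c2)


def crib_drag(c1: bytes, c2: bytes, guess_p1: bytes) -> bytes:
    """With the pad reused, a correct guess of one plaintext gives the other."""
    return xor_bytes(two_time_pad_leak(c1, c2), guess_p1)


if __name__ == "__main__":
    C = b"IIIIIIIIIIIIII"                                    # Ben's ciphertext
    words = [b"ATTACK AT DAWN", b"WITHDRAW FORCE", b"HOLD POSITIONS"]  # constructed
    pads = candidate_pads(C, words)
    for p, k in pads.items():
        print(p.decode(), "<- pad", k.hex())
    print("all consistent:", all_consistent(C, pads),
          "out of", possible_decryptions(C), "possible pads")

    pad = bytes(range(100, 114))                             # constructed, reused twice
    c1 = xor_bytes(words[0], pad)
    c2 = xor_bytes(words[1], pad)
    print("recovered from reuse:", crib_drag(c1, c2, words[0]).decode())
```

The first half is newbie's procedure and it terminates exactly where Joe Acker says it does: with a list and no way to choose. The second half is the attack that does work, and it needs the pad to be used twice, which is the Vigenère case rather than the one-time pad.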
------------------------------
From: "Jack Lindso" <[EMAIL PROTECTED]>
Subject: Re: SHA prng
Date: Mon, 23 Apr 2001 22:41:43 +0200
Try reading HAC (Handbook of Applied Crypto), it's available freely from :
http://cacr.math.uwaterloo.ca/hac/
And is an excellent reference on crypto with not so small a touch into the
math.
Cheers.
--
Anticipating the future is all about envisioning the Infinity.
http://www.atstep.com
====================================================
"Dobs" <[EMAIL PROTECTED]> wrote in message news:9c1tn0$qse$[EMAIL PROTECTED]...
> I know that I should read more books about cryptography but I can read
only
> books which are available on the web, recantly I've ordered 'The art of
> computer programming and the Amazon send me the 2 edition from 1938, I
have
> no so much money to take the risk- I am still student:) :(((((( and the
> distance is to long for me to argue with them
> (((
> Anyway thats really great I can count on U.
>
> U�ytkownik Tom St Denis <[EMAIL PROTECTED]> w wiadomo�ci do grup
dyskusyjnych napisa�:hdYE6.35777$[EMAIL PROTECTED]
> >
> > "Dobs" <[EMAIL PROTECTED]> wrote in message
news:9c1hko$9c8$[EMAIL PROTECTED]...
> > > I know that to generate secure random number first I need to collect R
> > bits
> > > of entropy and then use HASH(R) which will give me 160-bit string
called
> > > message digest which is said to be random number.
> >
> > Wrong. if R is not random then neither is HASH(R). The hash will at
best
> > compress the entropy in R downto a shorter string.
> >
> > > However I have a problem collecting entropy because it is really very
> > > difficult to make it use in my program.
> > > Can I just generate random number R by function
> > > srand( (unsigned)time( NULL ) ) instead of collecting entropy and
than
> > HASH
> > > (R).Would it be random number and would it be secure PRNG which could
be
> > > used in cryptography aims?????
> >
> > You really should read more texts before writting any secure programs.
> > You're obviously new to the scene (which is cool). Unfortunately too
many
> > people get hold of super DES or something and feel they can write their
own
> > secure applications.
> >
> > If you made your string R with only (about) 32-bits of entropy I could
guess
> > the output of the hash prng with about 2^32 work which is not a heck of
> > alot.
> >
> > Tom
> >
> >
>
>
>
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Mon, 23 Apr 2001 12:22:00 -0700
Crossposted-To: talk.politics.crypto,alt.hacker
"Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> Read the US Patent Office definition of a OTP.
Well seems to me that I'd rather deal with the mathematical definition as
supplied by me and others on many occasions.
> And by the way, does it matter to a cracker whether or not the random
> number files used to XOR messages were from a genuine OTP or from an
> unreproducible group of random number files?
Unreproducibility is not the issue, entropy content is the issue. If you can
prove that your files are purely entropic (which I can prove they aren't by
the fact that they are larger than the initial seed) then the difference
lies only in the name.
Joe
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Mon, 23 Apr 2001 12:24:05 -0700
I'm sorry but the distinction exists. The attacker will know. Of course your
use of "cracker" indicates rather clearly your target level of security. A
cracker would generally refer to someone who creates warez, an attacker can
be defined at any level and quite commonly refers to someone who can do
large amounts of computation.
Joe
"Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> You are only able to make this distinction because we have given the
> distinction in our situation.
>
> But if the cracker cannot make this distinction then any distinction
> does not exist and cryptanalysis is equally demonstrably infeasible.
------------------------------
From: "OverTime" <[EMAIL PROTECTED]>
Subject: Who Has The Answers?
Date: Mon, 23 Apr 2001 23:57:54 +0800
hello,
does anyone have the problem answers for the book -
Cryptography and Network Security: Principles and Practice (2nd edition)?
or do I have to buy an Instructor's Manual, which will cost a lot. ><
anyway, thx. ;)
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: C code for GF mults
Date: Mon, 23 Apr 2001 21:09:00 +0100
"Mike Rosing" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Brian Gladman wrote:
> >
> > I believe that there will also be an explanation along the lines you
> > suggest in terms of the n'th roots of unity. These roots can be expressed
> > in terms of finite fields (the cyclotomic fields) as well as in terms of
> > complex numbers. The relationship between the n'th roots of unity
> > expressed in terms of complex numbers and in terms of finite fields is
> > itself an interesting aspect of the subject.
>
> Thanks for the explanation, I see how it doubles now. How do you connect
> complex numbers with finite fields? I just worked out GF(16) elements in
> a GF(148) field by solving g^16 = g over GF(148). This is simple. But it's
You mean GF(128) don't you?
> the same as g^15 = 1 (I checked, my answers do that too). How can I
> connect the 15th root of unity in the complex plane with the g's I found
> in GF(148)? (It does seem pretty interesting!)
The relationship is a homomorphism between different representations of a
cyclic group with 15 elements.
GF(16) is a field in which the non-zero elements form a cyclic group with
respect to multiplication (with subgroups of order 3 and 5). The 15'th roots
of unity in the complex plane also form a cyclic group with respect to
multiplication with the same structure. So a relationship can be
established between generators in the two different group representations
that will map one of these groups onto the other.
Brian Gladman
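Added example (not code from Brian Gladman or Mike Rosing): the homomorphism Brian describes, written out in Python. GF(16) is represented as 4-bit polynomials over GF(2) reduced modulo x^4 + x + 1 (an assumed choice of modulus; any irreducible quartic gives an isomorphic field), a generator g of the multiplicative group is found by computing element orders, and each g^k is sent to the complex number exp(2*pi*i*k/15). The checks confirm that the map respects multiplication, that g^16 = g for every element as Mike observed, and that the only subgroup orders are 1, 3, 5 and 15.

```python
import cmath
from typing import List

MODULUS = 0b10011   # x^4 + x + 1, assumed irreducible modulus defining GF(16)


def gf16_mul(a: int, b: int) -> int:
    """Multiply two GF(16) elements held as 4-bit polynomials over GF(2)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:            # degree reached 4: reduce by the modulus
            a ^= MODULUS
    return r


def gf16_pow(a: int, e: int) -> int:
    r = 1
    for _ in range(e):
        r = gf16_mul(r, a)
    return r


def order(a: int) -> int:
    """Multiplicative order of a nonzero element: smallest k with a^k = 1."""
    k, x = 1, a
    while x != 1:
        x = gf16_mul(x, a)
        k += 1
    return k


def generators() -> List[int]:
    """Elements of order 15, i.e. generators of the cyclic group GF(16)*."""
    return [a for a in range(1, 16) if order(a) == 15]


def subgroup_orders() -> List[int]:
    """Orders of cyclic subgroups of GF(16)*: the divisors of 15."""
    return sorted({order(a) for a in range(1, 16)})


def discrete_log(g: int, a: int) -> int:
    """k such that g^k = a, by exhaustive search over the 15 powers."""
    x = 1
    for k in range(15):
        if x == a:
            return k
        x = gf16_mul(x, g)
    raise ValueError("a is not in the group generated by g")


def to_root_of_unity(g: int, a: int) -> complex:
    """phi(g^k) = exp(2*pi*i*k/15): GF(16)* onto the complex 15th roots of unity."""
    return cmath.exp(2j * cmath.pi * discrete_log(g, a) / 15)


def is_homomorphism(g: int) -> bool:
    """phi(a*b) == phi(a)*phi(b) for all nonzero a, b (up to float rounding)."""
    for a in range(1, 16):
        for b in range(1, 16):
            lhs = to_root_of_unity(g, gf16_mul(a, b))
            rhs = to_root_of_unity(g, a) * to_root_of_unity(g, b)
            if abs(lhs - rhs) > 1e-9:
                return False
    return True


if __name__ == "__main__":
    g = generators()[0]
    print("generators:", generators())
    print("subgroup orders:", subgroup_orders())
    print("g^16 == g for all elements:", all(gf16_pow(a, 16) == a for a in range(16)))
    print("phi respects multiplication:", is_homomorphism(g))
```

Different generators give different but equally valid isomorphisms (there are phi(15) = 8 of them), which is the freedom in "establishing a relationship between generators" that Brian mentions.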
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************