Cryptography-Digest Digest #221, Volume #14      Tue, 24 Apr 01 02:13:00 EDT

Contents:
  Re: 1024bit RSA keys. how safe are they? ("Scott Fluhrer")
  Re: 1024bit RSA keys. how safe are they? ("Tom St Denis")
  Request for sci.crypt FAQ. ("mathew burggraaff")
  Re: Wolf's Secure Channel Theorem ("Joseph Ashwood")
  Re: First cipher ("Scott Fluhrer")
  Re: simple schema for encoding/decoding a 128 bits block ("user1002")
  Re: ok newbie here ya go (Xcott Craver)
  Re: patent this and patent that ("Roger Schlafly")
  Re: XOR TextBox Freeware: Very Lousy. (Anthony Stephen Szopa)
  Re: Favor needed from intl IE 5.0 user, please test this SSL site ("David Thompson")
  Re: Request for sci.crypt FAQ. (Samuel Paik)
  _Roswell_ episode crypto puzzle (Timothy A. McDaniel)
  Re: Favor needed from intl IE 5.0 user, please test this SSL site (Paul Rubin)

----------------------------------------------------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Mon, 23 Apr 2001 20:09:29 -0700


Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:9oWE6.35395$[EMAIL PROTECTED]...
>
> "George T." <[EMAIL PROTECTED]> wrote in message
> news:9c1b4h$ser$[EMAIL PROTECTED]...
> >
> > Tom St Denis wrote in message ...
> > >>
> > >> Does anyone have an idea how safe RSA 1024-bit keys are? Are they safe
> > >> enough to be used for encrypting credit card information, travelling
> > >> over the internet and/or residing on servers (email) for more than 24
> > >> hours.
> > >
> > >Do you want a yes or no answer or something with meaning?
> > >
> > >Simpler answer:  If all is done well a 1024-bit RSA key is sufficient
> > >for a long time assuming the key is not compromised.
> > >
> > >Not so simple answer:  Depends on for how long it's needed, how it's
> > >actually used (padding methods, protocols) and the underlying system in
> > >which it's used.
> >
> > Yes, I keep in mind that the key should not be compromised. I believe
> > each key would be used for some 6 months and then replaced by a new one.
>
> That doesn't make sense.  As long as the key hasn't been compromised you
> shouldn't have to replace it.  Think about it for a second. You're
> assuming within six months of me getting your public key I will solve for
> your private key.

Actually, doing periodic rekeying is pretty standard.  Even if we assume
that the RSA problem is intractable (which seems, for 1024-bit keys, to be a
reasonably safe assumption), there are other attacks that you want to limit
the damage against, such as the attacker obtaining a copy of the private key
via (say) bribing the cleaning lady to go in and grab it.

> While I agree periodic key changes (incrementals) are a good idea, your
> reasoning is flawed.
Actually, he didn't display any "reasoning" about why a key would last 6
months, he just stated that was how long it would be valid.

--
poncho





------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Tue, 24 Apr 2001 03:28:45 GMT


"Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
news:9c2rdk$hij$[EMAIL PROTECTED]...
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:9oWE6.35395$[EMAIL PROTECTED]...
> >
> > "George T." <[EMAIL PROTECTED]> wrote in message
> > news:9c1b4h$ser$[EMAIL PROTECTED]...
> > >
> > > Tom St Denis wrote in message ...
> > > >>
> > > >> Does anyone have an idea how safe RSA 1024-bit keys are? Are they
> > > >> safe enough to be used for encrypting credit card information,
> > > >> travelling over the internet and/or residing on servers (email) for
> > > >> more than 24 hours.
> > > >
> > > >Do you want a yes or no answer or something with meaning?
> > > >
> > > >Simpler answer:  If all is done well a 1024-bit RSA key is sufficient
> > > >for a long time assuming the key is not compromised.
> > > >
> > > >Not so simple answer:  Depends on for how long it's needed, how it's
> > > >actually used (padding methods, protocols) and the underlying system
> > > >in which it's used.
> > >
> > > Yes, I keep in mind that the key should not be compromised. I believe
> > > each key would be used for some 6 months and then replaced by a new
> > > one.
> >
> > That doesn't make sense.  As long as the key hasn't been compromised you
> > shouldn't have to replace it.  Think about it for a second. You're
> > assuming within six months of me getting your public key I will solve
> > for your private key.
>
> Actually, doing periodic rekeying is pretty standard.  Even if we assume
> that the RSA problem is intractable (which seems, for 1024-bit keys, to be
> a reasonably safe assumption), there are other attacks that you want to
> limit the damage against, such as the attacker obtaining a copy of the
> private key via (say) bribing the cleaning lady to go in and grab it.
>
> > While I agree periodic key changes (incrementals) are a good idea, your
> > reasoning is flawed.
> Actually, he didn't display any "reasoning" about why a key would last 6
> months, he just stated that was how long it would be valid.

No, he said "I keep in mind that the key should not be compromised".  Either
he's a liar or he just doesn't know why he changes his key.

Note that I agree periodic changes are good, but primarily for the reason
that it's less risky if you change your key.  I.e. probable cause to think
it's compromised.

Tom



------------------------------

From: "mathew burggraaff" <[EMAIL PROTECTED]>
Subject: Request for sci.crypt FAQ.
Date: Tue, 24 Apr 2001 14:26:36 +1000

Subject says it all.

I'm after a few beginner pointers and I'm sure they are covered in the FAQ,
like books to read, sites to hit etc..  I just haven't been able to find it
yet :)

Many thanks,
Mathew Burggraaff.



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Wolf's Secure Channel Theorem
Date: Mon, 23 Apr 2001 21:05:39 -0700

First let me say that I think this discussion has gotten sufficiently
off-topic that we should at least take it off group.

Well with the particle model you would only have to wait long enough for a
single particle to get through, so let's see, that would be speed/size, or a
very, very large number.

The model makes a very big difference in this case, but both models are
valid. We do not actually move particles at the speed of light when we
"make" light, otherwise your lightbulbs would burn out much faster, so
there's a lot that we simply don't know. Of course I have completely failed
to take into account any of the apparently skewed mechanics that occur
around light speed, where it becomes possible to pass through solid material
(on occasion), and time can apparently do strange things. Given these I don't
think it's possible to say for certain what the maximum speed for the switch
is, because it cannot itself toggle faster than the speed of light. OK, I
think I've had enough loopties of mental effort, this one's beginning to
hurt. But as to your first question about how much information can
be in a wire, the answer is still much larger than the fastest you can
toggle a switch.
                    Joe

"Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9c2qk1$437k$[EMAIL PROTECTED]...
> > Of course treating light as a particle will give you different results,
> and
> > certainly they won't act at infinity like the wave method.
>
> Um, when we "make" light (EM waves) we do it with particles.
>
> Crazy ain't it!
>
>
>
>





------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: First cipher
Date: Mon, 23 Apr 2001 21:40:42 -0700


Mark Wooding <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Mark Wooding <[EMAIL PROTECTED]> wrote:
>
> > > 1.) Would a separate SP network in the key schedule be a good way of
> > >     confusing the relationship between the subkeys? (I don't mean
> > >     modifying the cipher I posted, I'm asking in a general sense.)
> >
> > If you're thinking about the related-key slide, that's not actually
> > related to the complexity of either your key schedule stepping function
> > or the Feistel F-function.
>
> While I remember: your cipher has another of DES's weaknesses.  It has
> the `complementation property': if C = E_K(P) then
> \bar C = E_{\bar K}(\bar P) (where \bar x is the bitwise complement of
> x).  This can reduce the complexity of a keyspace search by a factor of
> 2 given a chosen-plaintext pair.
No, it doesn't.  There are key-dependent shifts within the key schedule, and
so complementary keys do not translate to complementary subkeys.

--
poncho
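An added example (not code from the thread) of the property Mark describes and Scott's counter-point: a toy Feistel cipher keeps the complementation property E_{~K}(~P) = ~E_K(P) with a DES-style key schedule (fixed rotations), and loses it once the schedule uses key-dependent rotations. The cipher, the mixing function and the sample key/plaintext are constructed for illustration only.

```go
package main

import (
	"fmt"
	"math/bits"
)

const rounds = 8

// mix is a fixed bijective 32-bit mixing function standing in for an S-box
// layer. F(R, k) = mix(R ^ k) is the only place the subkey enters, just as
// DES XORs the subkey into the expanded half-block before the S-boxes.
func mix(x uint32) uint32 {
	x *= 0x9E3779B1
	x ^= x >> 15
	return bits.RotateLeft32(x, 13)
}

// encrypt is a toy Feistel cipher over a 64-bit block (l, r). The key
// schedule alone decides whether the complementation property holds.
func encrypt(l, r uint32, subkeys [rounds]uint32) (uint32, uint32) {
	for i := 0; i < rounds; i++ {
		l, r = r, l^mix(r^subkeys[i])
	}
	return l, r
}

// plainSchedule uses key-independent rotations (DES-style): the subkeys of
// ~K are exactly the complements of the subkeys of K.
func plainSchedule(k uint32) (s [rounds]uint32) {
	for i := range s {
		s[i] = bits.RotateLeft32(k, 3*i+1)
	}
	return s
}

// keyDependentSchedule rotates by an amount that depends on the key's bit
// count, which changes under complementation, so the subkeys of ~K are no
// longer the complements of the subkeys of K.
func keyDependentSchedule(k uint32) (s [rounds]uint32) {
	for i := range s {
		s[i] = bits.RotateLeft32(k, (3*i+bits.OnesCount32(k))%32)
	}
	return s
}

// hasComplementationProperty checks E_{~K}(~P) == ~E_K(P) for one (K, P).
func hasComplementationProperty(sched func(uint32) [rounds]uint32, k, l, r uint32) bool {
	cl, cr := encrypt(l, r, sched(k))
	dl, dr := encrypt(^l, ^r, sched(^k))
	return dl == ^cl && dr == ^cr
}

func main() {
	// Constructed sample key and plaintext (any values with popcount(K) != 16 will do).
	k, l, r := uint32(0x12345678), uint32(0xCAFEBABE), uint32(0x00C0FFEE)
	fmt.Println("plain schedule:        ", hasComplementationProperty(plainSchedule, k, l, r))
	fmt.Println("key-dependent schedule:", hasComplementationProperty(keyDependentSchedule, k, l, r))
}
```

With the plain schedule the property holds for every key and plaintext, so a known-plaintext search can cover two keys per trial exactly as the quoted paragraph says; the key-dependent rotation removes that pairing.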




------------------------------

From: "user1002" <[EMAIL PROTECTED]>
Subject: Re: simple schema for encoding/decoding a 128 bits block
Date: Tue, 24 Apr 2001 04:56:47 GMT

Thanks, I did several attempts with MD4 and SHA (and different sizes for
key, hash etc.); they seem very reliable.

Paolo

"Joseph Ashwood" <[EMAIL PROTECTED]> wrote in message
news:#iasvIDzAHA.355@cpmsnbbsa07...
> Well I'm assuming you've got a few cycles to burn on the computer to do
> this.
>
> pt1 = 96-bit block
> pt2 = first 32-bits of SHA-1(pt1 | shared secret)
> pt = pt1|pt2
> choose one
> ct = Rijndael_encrypt(pt)
> ct = RC6_encrypt(pt)
> ct = Twofish_encrypt(pt)
> ct = MARS_encrypt(pt)
> ct = Serpent_encrypt(pt)
>
> Any of those should be more than suitable, and you can use a 128, 192, or
> 256-bit shared secret key for any of them. Since you only have one block
> don't bother with a chaining mode, just use ECB.
>                     Joe
>
>
>
> "user1002" <[EMAIL PROTECTED]> wrote in message
> news:%hHE6.78411$[EMAIL PROTECTED]...
> > I would ask suggestions for creating a simple piece of C code for
> > encoding / decoding a 128-bit block.  I have a single 96-bit (3 x 32-bit
> > words) block to encode and send through the net. I know there are many
> > different ways to encode a 96-bit block, but what I need is to include
> > some additional data / information so that when I decode the block I
> > obtain some sort of certificate of authenticity for ALL (or almost all)
> > the bits of the block (i.e. to know that the block has been generated by
> > the right sender and not by an evil-doer). I hope that an additional
> > word (32 bits) could make it possible to authenticate the block; is this
> > opinion tenable?  Could someone suggest a (possibly) simple algorithm
> > for encoding / decoding the block?  Of course the block could include
> > more than 128 bits if necessary.
> >
> > Thanks,
> >
> > Paolo
> >
> >
>
>
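
The scheme Joe quotes above (96-bit payload, 32-bit tag taken from SHA-1(pt1 | shared secret), the resulting 128-bit block encrypted as one AES/Rijndael block, no chaining mode), as an added example in Go that is not code from the thread. The key, secret and payload bytes are constructed sample values; Encode/Decode are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/sha1"
	"crypto/subtle"
	"errors"
	"fmt"
)

// tag is the 32-bit authenticator of the quoted scheme: the first four bytes of SHA-1(pt1 | secret).
func tag(pt1 [12]byte, secret []byte) []byte {
	h := sha1.Sum(append(append([]byte{}, pt1[:]...), secret...))
	return h[:4]
}

// Encode appends the tag to the 96-bit payload and encrypts the single
// 128-bit block with AES; one block only, so ECB is one block operation.
func Encode(key, secret []byte, pt1 [12]byte) (ct [16]byte, err error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return ct, err
	}
	var pt [16]byte
	copy(pt[:12], pt1[:])
	copy(pt[12:], tag(pt1, secret))
	block.Encrypt(ct[:], pt[:])
	return ct, nil
}

// Decode decrypts the block, recomputes the tag over the recovered 96 bits
// and rejects the block (returns an error) if the tag does not match.
func Decode(key, secret []byte, ct [16]byte) (pt1 [12]byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return pt1, err
	}
	var pt [16]byte
	block.Decrypt(pt[:], ct[:])
	copy(pt1[:], pt[:12])
	if subtle.ConstantTimeCompare(pt[12:], tag(pt1, secret)) != 1 {
		return [12]byte{}, errors.New("authentication tag mismatch")
	}
	return pt1, nil
}

func main() {
	// Constructed sample values, not taken from the thread.
	key := []byte("0123456789abcdef")             // 128-bit AES key
	secret := []byte("shared-secret-for-the-tag") // secret mixed into the tag
	pt1 := [12]byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}
	ct, _ := Encode(key, secret, pt1)
	got, err := Decode(key, secret, ct)
	fmt.Println("round trip ok:", err == nil && got == pt1)
	// One flipped ciphertext bit scrambles the whole decrypted block, so the tag check fails.
	ct[0] ^= 0x80
	_, err = Decode(key, secret, ct)
	fmt.Println("tampered block rejected:", err != nil)
}
```

The tag construction is kept exactly as quoted; a present-day implementation would derive the tag with HMAC or use an AEAD mode rather than a raw hash over data and secret.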



------------------------------

Subject: Re: ok newbie here ya go
From: [EMAIL PROTECTED] (Xcott Craver)
Date: Tue, 24 Apr 2001 05:09:43 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:
>Here's a lengthy (somewhat) ASCII message encrypted with a OTP (plain xor).
>Decrypt it using your method!
>
>35 53 5d 0a d3 2f b2 8c ef 08 8a 23 fa 2b 8a 0f
>a2 8b 8c 58 6e 89 a5 71 5c e7 5b ed b9 05 fd 0d
>cb 5b 0c c3 cf 9a 2f 53 28 c5 29 90 7d 3f 49 a3
>b4 27 d0 32 b1 21 2b ac ff 88 ef a0 70 0a 72 63
>12 fc d3 7a 93 dc 7e de 72 99 07 d9 1c a1 da 85
>cf 91 7f a7 47 a0 2c 45 0d a3 f9 41 54 66 ea 7b
>cb 08 97 ce 03 8a 8f c1 9a a1 55 93 11 7e 43 9c
>68 c4 d9 c5 26 5b 69 6a 7f a0 87 82 62 10 80 49
>f6 b4 ff 91 34 05 ac d6 c3

        "I'm the Master Rapper and I'm here to say,
        I love Fruity Pebbles in a major way."

>Tom St Denis
                                                -S


------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: patent this and patent that
Date: Tue, 24 Apr 2001 04:14:38 GMT

"Roger Schlafly" <[EMAIL PROTECTED]> wrote in message
news:rgRE6.58$[EMAIL PROTECTED]...
> "Dennis Ritchie" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > I observe with interest the paper by the Princeton group about
> > their analysis of the RIAA's "Hack DMCI" challenge regarding the removal
> > of digital watermarking of music.  The situation was
> > discussed on /. last week.  The mutterings of a lawyer and some version
> > of the paper itself are at
> >   http://cryptome.org/sdmi-attack.htm
> The RIAA lawyer letter is amusing -- it threatens legal action if some
> academics reveal what they learned in the SDMI Public Challenge.
> And yes, they shouldn't be patenting something and then trying to keep
> it trade secret.

This story is now in the NYTimes.

Record Panel Threatens Researcher With Lawsuit

By JOHN MARKOFF

SAN FRANCISCO, April 23 - The recording industry has threatened a Princeton
computer scientist with legal action if his research group presents a paper
at an academic conference this week describing how it is possible to
circumvent an industry music-protection system.

The threat of legal action was made in an April 9 letter to Dr. Edward W.
Felten by Matthew Oppenheim, the head of the litigation department for the
Recording Industry Association of America.

...

But on Friday an early version of the paper and a copy of the letter from
the S.D.M.I. group were posted on a civil-liberties-oriented Web site,
(www.cryptome.org).

Princeton University officials said the posting of the paper, "Reading
Between the Lines: Lessons From the S.D.M.I. Challenge," was "inappropriate"
and was not sanctioned by the university.

http://www.nytimes.com/2001/04/24/technology/24MUSI.html

(free reg reqd)






------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Mon, 23 Apr 2001 22:16:20 -0700

Joseph Ashwood wrote:
> 
> I'm sorry but the distinction exists. The attacker will know. Of course your
> use of "cracker" indicates rather clearly your target level of security. A
> cracker would generally refer to someone who creates warez, an attacker can
> be defined at any level and quite commonly refers to someone who can do
> large amounts of computation.
>                         Joe
> 
> "Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > You are only able to make this distinction because we have given the
> > distinction in our situation.
> >
> > But if the cracker cannot make this distinction then any distinction
> > does not exist and cryptanalysis is equally demonstrably infeasible.


I think your logic is cute.

You say the attacker will know.  How so?

And after you tell us the answer to that question, I would like you 
to ponder this point:  you are playing with a professional card 
cheat.  Yes, you got a king high straight flush and bet the farm.  
But the card cheat got a royal ace high straight flush.  Yes.  You 
know he cheated you.  But how will you prove it?

Do you get my point?

------------------------------

From: "David Thompson" <[EMAIL PROTECTED]>
Subject: Re: Favor needed from intl IE 5.0 user, please test this SSL site
Date: Tue, 24 Apr 2001 05:18:30 GMT

(posted&mailed)
Paul Rubin <[EMAIL PROTECTED]> wrote :
> If someone out there has an MSIE 5.0 or 5.01 web browser with **40
> bit** cryptography (you can check the cryptography strength by looking
> at the Help | About screen), or if you have MSIE 5.5 under Windows
> 2000 with 40 bit cryptography, could you please look at the website:
> https://www.maryland.com and then put your mouse over the little
> padlock icon and see whether you have a 40 bit or 128 bit connection.
> (Note, that says https, not http, since it is an SSL server).

On W98 2E (OEM=HP) IE5 5.00.2614.3500 40-bit:
- URL changes to (same)/index.php (presumably redirected)
- IE pops dialog "page contains both secure and insecure elements"
(searching page source, ignoring links and forms, I find 6 scripts
and 5 images (plus 1 generated by a script) using http: URLs
but I have scripts and images disabled)
- status bar does not display padlock icon at all
(not even unlocked!?)
- File - Properties shows Connection=SSL3.0,RC4-40,RSA-512
and (one) cert issued by GTE CyberTrust Root serial 035C to:
E = [EMAIL PROTECTED]
CN = www.maryland.com
O = Telepathy, Inc
L = Washington
S = DC
C = US
for an RSA-1024 key with modulus beginning D223409F
(so why does it show Connection=RSA-512??)

I can send the cert if you want it.  I can't get
a protocol trace on this machine, sorry.

--
- David.Thompson 1 now at worldnet.att.net






------------------------------

From: Samuel Paik <[EMAIL PROTECTED]>
Subject: Re: Request for sci.crypt FAQ.
Date: Tue, 24 Apr 2001 05:26:10 GMT

mathew burggraaff wrote:
> Subject says it all.

If it isn't on your news server, you can pull it out of Google quite easily
by search.

Here are direct URLs into Google.

<http://groups.google.com/groups?q=group:sci.crypt&seld=905430451&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430450&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430448&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430446&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430443&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430444&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430442&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430440&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430436&ic=1>
<http://groups.google.com/groups?q=group:sci.crypt&seld=905430435&ic=1>

-- 
Samuel S. Paik | [EMAIL PROTECTED]
3D and digital media, architecture and implementation

------------------------------

From: [EMAIL PROTECTED] (Timothy A. McDaniel)
Crossposted-To: rec.puzzles
Subject: _Roswell_ episode crypto puzzle
Date: Tue, 24 Apr 2001 05:34:41 +0000 (UTC)
Reply-To: [EMAIL PROTECTED]

I've not read either group before, and I'm not sure whether a
crossposting to rec.puzzles and sci.crypt is in order -- I saw only
one person doing it, and he, well, ...  Please lambaste me if I have
violated the local mores.

The latest (US) episode of the TV show Roswell ... oh, spoiler warning
...

%
%
%
%
%
%
%
%
%
%
%
%
%
%
%
%
%
%
%
%

had a character sign a credit card receipt with a string of 1s and 0s.
One person posted it as
    11100100100111011001
(20 bits) but the version I wrote down was without the first "1" (19
bits ... prime ... much less promising).  The character is unavailable
to answer questions about the meaning, due to a serious case of dead.
Another character suspects it's a clue to how the fellow became
deaded.  The one who is now metabolically challenged was a bright
student, excellent with computers.  We saw the scene where he signed
the slip, and he didn't pause.

I know it's a pitiful amount of ciphertext; any ideas?  I assumed the
20-bit version because of the factorization; I don't have the
videotape to hand at the moment to check.  Baudot (reversed or bits
flipped) goes nowhere; the only thing I noted was that each 5-bit
sequence had either 2 or 3 1s, regardless.  I can help with character
names and other known plaintext: Max, Liz, Maria, Michael, Isabel,
Tess, Kyle, Vilandra, Kevar or Khevar, Antar.

-- 
Tim McDaniel is [EMAIL PROTECTED]; if that fail,
    [EMAIL PROTECTED] is my work account.
"To join the Clueless Club, send a followup to this message quoting everything
up to and including this sig!" -- [EMAIL PROTECTED] (Jukka Korpela)

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Favor needed from intl IE 5.0 user, please test this SSL site
Date: 23 Apr 2001 22:34:53 -0700

"David Thompson" <[EMAIL PROTECTED]> writes:
> I can send the cert if you want it.  I can't get
> a protocol trace on this machine, sorry.

I think it's pretty much established that it's not an SGC cert.
Thanks though.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
