Cryptography-Digest Digest #258, Volume #14 Sat, 28 Apr 01 00:13:01 EDT
Contents:
Re: DES source-code from Applied Cryptography ("Douglas A. Gwyn")
Re: Censorship Threat at Information Hiding Workshop (Jonathan Edwards)
Re: Simple cryptography technique: sound? (Jem Berkes)
Re: Censorship Threat at Information Hiding Workshop ("Trevor L. Jackson, III")
Thames Bridge Cipher ("ben")
Re: RC4 Source Code ("Dirk Mahoney")
Re: 1024bit RSA keys. how safe are they? ("Brian Hetrick")
Re: Thames Bridge Cipher (Jim Gillogly)
Re: Wolf's Secure Channel Theorem ("Dirk Mahoney")
Re: Censorship Threat at Information Hiding Workshop (Darren New)
Re: There Is No Unbreakable Crypto (David Wagner)
Re: 1024bit RSA keys. how safe are they? ("Brian Hetrick")
Re: Combining two plaintexts into ciphertext (David Wagner)
Re: Secure Digital Music Initiative cracked? (David A Molnar)
Re: Secure Digital Music Initiative cracked? (Jim Steuert)
Re: "I do not feel secure using your program any more." (Anthony Stephen Szopa)
Re: Question on p and q ("Dopefish")
Re: Question on p and q ("Dopefish")
Re: Wolf's Secure Channel Theorem ("Mark G Wolf")
Re: Combining two plaintexts into ciphertext (John Savard)
----------------------------------------------------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: DES source-code from Applied Cryptography
Date: Fri, 27 Apr 2001 22:55:08 GMT
John Myre wrote:
> No, it's standard DES. The idea is to change the representation
> of the data and key so that the implementation is faster. SSLeay
> did the same thing, but IIRC explained it better.
Okay, thanks. This is something that *should* have
been commented in the source code.
------------------------------
From: Jonathan Edwards <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Fri, 27 Apr 2001 20:09:32 -0400
On Fri, 27 Apr 2001, Darren New wrote:
> Trevor L. Jackson, III wrote:
> > Hardly. By the purchase the library obtains the right to use _that_copy_ of
> > the book for any purpose it chooses.
>
> And that is exactly, 100% the right that started this thread. SDMI is trying
> to make it illegal to loan your copy of the music to someone else, yes?
No, SDMI is an attempt to make it effectively impossible to
make a digital copy of the music (because the only commercially
available devices and software that create digital copies will only do so
if the watermark is not present).
I think...
------------------------------
From: Jem Berkes <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.security,comp.os.unix.security
Subject: Re: Simple cryptography technique: sound?
Date: Fri, 27 Apr 2001 19:10:56 -0500
> > The idea I have is this. For each profile:
> > 1. Generate string from ID+host name+user ID+master password
> > 2. MD5 hash the string to get a "secret" for this profile
> > 3. XOR or add bytes from original password with this secret
> > Result: encoded password
>
> Basically the attacker can alter the file at will, in a completely
> predictable way, although he won't be able to guess the new value, and in an
> unrecoverable way. It's actually quite simple, because there is no checksum
> on the password, the attacker simply starts playing the bit-flip game on the
> password. What I'd recommend instead is (to stay roughly within the same
> vein):
> ...
Thanks for your feedback! I realize that the password check phase was
omitted... looking at it from a coding angle, I would like to re-use
code as much as possible and introduce no additional algorithms unless I
have to. Since I've already got all the MD5 stuff there do you think it
would be OK for "authentication" to just include the MD5 hash of the
master password (this way the software can check to see if it
'matches').
And yes the attacker can modify the file, but he can't extract any
useful data while doing so (my goal is to protect passwords after all)
-- the scenario is that the application's data file is intercepted or
copied... I just want to make sure that passwords can't be extracted.
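The bit-flip point raised in the quoted reply can be checked directly. The following is an added example, not code from the thread: it reconstructs the scheme as described (MD5 over ID, host name, user ID and master password, then XOR against the stored password), shows that an attacker who can write the data file changes the recovered password in a predictable way without learning it, and bolts on an HMAC tag as one way to detect the modification. The field separator, the MAC key derivation and the 16-byte password limit are assumptions of this example, not the original design.

```python
import hashlib
import hmac

# Added example, not code from the thread. Reconstructs the posted scheme
# (MD5 secret XORed with the password) to show the malleability, then adds
# an HMAC tag. Separator, MAC-key derivation and length limit are assumed.

def profile_secret(profile_id: str, host: str, user: str, master: str) -> bytes:
    """Steps 1 and 2 of the posted scheme: MD5 over the concatenated fields."""
    material = f"{profile_id}|{host}|{user}|{master}".encode()
    return hashlib.md5(material).digest()            # 16 bytes of 'secret'

def xor_encode(password: bytes, secret: bytes) -> bytes:
    """Step 3: XOR the password with the secret (assumes password <= 16 bytes)."""
    if len(password) > len(secret):
        raise ValueError("password longer than the MD5-derived secret")
    return bytes(p ^ s for p, s in zip(password, secret))

xor_decode = xor_encode   # XOR is its own inverse

def flip_bit(blob: bytes, byte_index: int, bit: int) -> bytes:
    """What an attacker with write access to the data file can do."""
    out = bytearray(blob)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def malleability_demo(password: bytes, secret: bytes) -> bytes:
    """Attacker flips one bit of the stored blob without knowing the secret.
    The recovered password changes in exactly that bit: the change is
    predictable even though the password itself stays unknown."""
    stored = xor_encode(password, secret)
    tampered = flip_bit(stored, 0, 5)                # 0x20 flips ASCII case
    return xor_decode(tampered, secret)

# --- integrity add-on (an assumption of this example, not the thread's) ---

def tag_key(master: str) -> bytes:
    """Assumed: a separate MAC key derived from the master password."""
    return hashlib.sha256(b"mac|" + master.encode()).digest()

def seal(password: bytes, secret: bytes, master: str, label: bytes) -> bytes:
    """Encode, then append an HMAC over the profile label and the blob."""
    ct = xor_encode(password, secret)
    tag = hmac.new(tag_key(master), label + ct, hashlib.sha256).digest()
    return ct + tag

def open_sealed(blob: bytes, secret: bytes, master: str, label: bytes) -> bytes:
    """Verify the tag in constant time before decoding anything."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(tag_key(master), label + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored password has been modified")
    return xor_decode(ct, secret)
```

Flipping bit 5 of the first stored byte turns a leading "S" into "s" in the decoded password, which is exactly the "predictable but unrecoverable" change the reply describes; with the tag in place the same flip is rejected before decoding.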
------------------------------
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Sat, 28 Apr 2001 00:22:00 GMT
Mok-Kong Shen wrote:
> "Trevor L. Jackson, III" wrote:
> >
> > In most jurisdictions your friend _can_ sign your signature and have it
> > upheld as valid in court if you direct him to do so and, of course, testify
> > to that effect.
>
> We were discussing anyway in the context of cards. How can
> one 'sign my signature' and do it in a way that is
> the same as mine (my signature will be verified with that
> on the card by the transaction partner), unless perhaps
> he is a professional 'faker' of signatures? I can sign a
> special document authorizing someone to take money from
> my bank account etc., but then he is employing his own
> signature in such actions, isn't it?
The key concept is that the signature was created "by direction". In the
military a commanding officer is required to execute certain documents. He may
delegate that action to a subordinate who executes the CO's signature. I think
the fully elaborated form is "<required signature> by direction, <signer's
signature>", or something similar.
If the authorized person directs someone to sign for them then the resulting
(indirect) signature has all of the authority of an original (direct) signature.
In some places married couples can use this convention for each other's signature
even in the absence of an immediate directive.
------------------------------
From: "ben" <[EMAIL PROTECTED]>
Subject: Thames Bridge Cipher
Date: Sat, 28 Apr 2001 01:30:19 +0100
Hi!
I should be grateful if anyone can tell me where I can find more information
on the Thames Bridge Cipher.
Many thanks,
[EMAIL PROTECTED] - Remove NOSPAM. to reply!
------------------------------
Reply-To: "Dirk Mahoney" <[EMAIL PROTECTED] (remove the _)>
From: "Dirk Mahoney" <[EMAIL PROTECTED] (remove the _)>
Subject: Re: RC4 Source Code
Date: Sat, 28 Apr 2001 01:41:07 GMT
Tom,
I needed a small, fast and easily implemented cipher for some medium
security work I'm doing. I figured ARC4 (still gotta get used to calling it
that) would be good for what I needed. I realise there are 'better' ciphers
around, but ARC4 will do what I need it to do, for now and probably the next
couple of years.
- Dirk
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:sCgG6.74136$[EMAIL PROTECTED]...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> "Bill Unruh" <[EMAIL PROTECTED]> wrote in message
> news:9cc4eh$6j3$[EMAIL PROTECTED]...
> > In <6i7G6.18853$[EMAIL PROTECTED]> "Dirk
> > Mahoney" <[EMAIL PROTECTED] (remove the _)> writes:
> > >All searches I did yielded lots of nothing. RSA's site obviously
> > >had nothing, couldn't find anything in the sci.crypt FAQ,
> > >Counterpane's site wasn't helpful, neither was Rivest's (for
> > >obvious reasons), Terry Ritter's
> >
> > Actually for a long time Rivest's site DID have a pointer to the
> > ARC4 code. Do not know when it was removed.
> >
> > My (somewhat old) crypto page does contain a pointer to RC4
> > www.theory.physics.ubc.ca/pgp.html
> > ftp://sable.ox.ac.uk/pub/crypto/misc/rc4.tar.gz
>
> At any rate we are escaping the reality that RC4 does have some nasty
> properties. It has weak keys, it leaks digraph info. No big attacks
> yet but it is crumbling. Not only that you don't know the period of
> the generator which is a good thing to know for stream ciphers.
>
> Tom
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> Comment: Key at: http://tomstdenis.home.dhs.org/key.asc
>
> iQA/AwUBOumVeQULrT+pXe8cEQIZVACgk0X5FEhSJ654sAwkdCMxXysKcYYAni/P
> hpxfPIWHEebOXVP1c0bdy9Db
> =HRpw
> -----END PGP SIGNATURE-----
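For readers who, like Dirk, could not find the code: the following is an added example, not code from the thread or from any RC4 distribution the posters were searching for. It implements the key schedule and generator of the alleged RC4 ("ARC4") as publicly described, checks the result against a widely published test vector, and measures one of the statistical leaks Tom is alluding to. It goes beyond the thread's wording in one respect: the leak it measures is the later-published second-byte bias (the second keystream byte is 0x00 with probability about 2/256 instead of 1/256, Mantin and Shamir, 2001), chosen because it is easy to observe in a few seconds. The 16-byte keys are constructed from a seeded PRNG so the run is reproducible.

```python
import random

# Added example, not code from the thread. Implements ARC4 as publicly
# described and measures the second-byte bias over constructed random keys.

def arc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes for `key` (1..256 bytes)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): permute S under control of the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def arc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, arc4_keystream(key, len(data))))

def second_byte_zero_count(trials: int, seed: int = 1) -> int:
    """Count how often keystream byte 2 is 0x00 over `trials` constructed
    16-byte keys.  A uniform generator would give about trials/256;
    RC4 gives about trials/128."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if arc4_keystream(key, 2)[1] == 0:
            hits += 1
    return hits

if __name__ == "__main__":
    print(arc4_crypt(b"Key", b"Plaintext").hex())
    print(second_byte_zero_count(20000), "zero second bytes in 20000 keys (uniform: ~78)")
```

The bias is small per key but it means an attacker who sees the same plaintext under many keys (broadcast traffic, or a protocol that restarts with fresh keys) learns the second plaintext byte; it is one concrete instance of the "leaks" mentioned above, and the usual reason to drop the first few hundred keystream bytes if the cipher must be used at all.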
------------------------------
From: "Brian Hetrick" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Sat, 28 Apr 2001 01:46:59 GMT
"Brian Hetrick" wrote ...
> "Bill Unruh" wrote ...
> > I think that they are a bit pessimistic. A 1024 bit RSA key is not
> > equivalent to a 64 bit secret key. The standard factoring makes it
> > equal to about a 86 bit secret key.
> > (N= 2^1024, exp(1.9*ln(N)^(1/3)*ln(ln(N))^(2/3))= .6*10^26= 2^86)
>
> Thanks, and good catch. Using the GNFS, 1024 bits is about 2^22
> times harder to factor than 512 bits, and so would take 1.28
> millennia on SETI@home, or (using the DES scaling) a year on a
> hundred million dollar engine, or a month on a billion dollar
> engine, or 30 million in capital costs at a 30% competing ROI. I'll
> need to redo the pages -- but it would still be worth factoring a
> 1024 bit CA key, and who knows what the three letter agencies
> have....
After running a few numbers through a spreadsheet, I now get about 86
million in capital costs to factor a 1024 bit number, or,
equivalently, about 10 years on a 30 million dollar device. The
results and justification are in today's version of
http://www.geocities.com/tnotary/spckeysize.html.
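The quoted estimate can be reproduced from the formula Bill Unruh gives. The following is an added example, not code from the thread or from the linked page: it evaluates the heuristic GNFS work factor exp(1.9 * ln(N)^(1/3) * ln(ln(N))^(2/3)) as an equivalent symmetric key size in bits for several modulus sizes, and derives the "2^22 times harder than 512 bits" figure. The constant 1.9 and the form of the expression are those quoted above; the output is the same heuristic, not a measured cost.

```python
import math

# Added example, not code from the thread. Evaluates the GNFS heuristic
# quoted in the discussion and expresses it as an equivalent key size.

def gnfs_work_bits(modulus_bits: int, c: float = 1.9) -> float:
    """log2 of the heuristic GNFS work factor for N = 2**modulus_bits."""
    ln_n = modulus_bits * math.log(2)                       # ln(N)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)                            # convert to bits

def relative_effort(bits_a: int, bits_b: int) -> float:
    """log2 of work(bits_a) / work(bits_b): how many doublings harder."""
    return gnfs_work_bits(bits_a) - gnfs_work_bits(bits_b)

def equivalent_key_sizes(sizes=(512, 768, 1024, 1536, 2048)) -> dict:
    """Map RSA modulus size -> approximate symmetric-key equivalent in bits."""
    return {b: round(gnfs_work_bits(b), 1) for b in sizes}

if __name__ == "__main__":
    for b, w in equivalent_key_sizes().items():
        print(f"RSA-{b}: about 2^{w} operations")
    print(f"1024 vs 512: 2^{relative_effort(1024, 512):.1f} harder")
```

With c = 1.9 the table gives roughly 2^63 for 512 bits and 2^86 for 1024 bits, so the gap is about 2^22.5, consistent with both posts. Changing c (published estimates vary) shifts every row, which is why such figures are order-of-magnitude guides rather than costs.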
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Thames Bridge Cipher
Date: Fri, 27 Apr 2001 19:03:07 -0700
ben wrote:
> I should be grateful if anyone can tell me where I can find more information
> on the Thames Bridge Cipher.
Say on: what is it, and what do you know of it? Maybe if nobody knows
it by that name we'll know it by another.
--
Jim Gillogly
7 Thrimidge S.R. 2001, 02:01
12.19.8.3.2, 10 Ik 20 Pop, Eighth Lord of Night
------------------------------
Reply-To: "Dirk Mahoney" <[EMAIL PROTECTED] (remove the _)>
From: "Dirk Mahoney" <[EMAIL PROTECTED] (remove the _)>
Subject: Re: Wolf's Secure Channel Theorem
Date: Sat, 28 Apr 2001 02:07:53 GMT
I don't know who originally said it (and it's common sense anyway), but I
consider my data secure when the cost of breaking the security exceeds the
cost of the data if compromised. Most data doesn't need perfect security.
Just really expensive security. I think I read this in AC2.
The good thing for me is I'm not a terrorist or a political agency, so OTPs
would be a huge overkill. That's why I was after ARC4 source code earlier.
Sure there are some 'problems' with it and there are better ciphers around,
but when it comes right down to it, ARC4 is a good choice when considering the
value of the data I'm protecting with it. I have heaps of other data that
requires better security (we're a software development house, so I consider
our products' source code worthy of higher security) so I use a different
algorithm for that. I still don't need an OTP though. Very few
people/organisations actually do.
- Dirk
"Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9c28m4$4hta$[EMAIL PROTECTED]...
> > It depends on how you define secure. If your definition of "secure" is
> > broad enough then this theorem applies.
>
> Yes, exactly what is secure. I suppose in its ultimate form it means
> that information originating at one point can ONLY be received at the
> other point.
>
> I'm still thinking about the distinct point in space part and if it holds
> true when they are in relative motion.
>
> Oh yeah, I know, I've totally lost my marbles.
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Sat, 28 Apr 2001 02:13:06 GMT
Jonathan Edwards wrote:
> No, SDMI is an attempt to make it effectively impossible to
> make a digital copy of the music (because the only commercially
> available devices and software that create digital copies will only do so
> if the watermark is not present).
Which means the only way to use the music is locked to a particular device.
It's the equivalent of selling you a CD that will only play in your CD
player. To loan the CD to someone else, you have to loan them your CD player
too.
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
schedule.c:7: warning: assignment makes calendar_week
from programmer_week without a cast.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: There Is No Unbreakable Crypto
Date: 28 Apr 2001 02:22:03 GMT
Henrick Hellström wrote:
>As far as I understand the idea of length-doubling PRG, you have to compute
>the entire tree in advance (or at least all N branches up to the first leave
>for a message with N blocks) before you use any part of the keystream.
No, this is incorrect.
Have you read the proof of security yet?
If not, why are you commenting on something you don't know about?
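The point at issue can be shown in code. The following is an added example, not code from the thread: it builds the tree construction from a length-doubling PRG (the GGM construction) and shows that producing keystream block i requires only the log2(N) PRG calls on the root-to-leaf path, not the whole tree and not all N branches. The PRG used here, SHA-256 over a domain byte and the seed, is a stand-in assumed for illustration; any length-doubling PRG fits the same skeleton.

```python
import hashlib

# Added example, not code from the thread. GGM tree from a length-doubling
# PRG; the SHA-256-based PRG is an assumed stand-in for illustration.

PRG_CALLS = 0   # instrumentation only: counts how much of the tree we touch

def prg(seed: bytes) -> tuple:
    """Length-doubling PRG: 32-byte seed -> (G0(seed), G1(seed)), 32 bytes each."""
    global PRG_CALLS
    PRG_CALLS += 1
    return (hashlib.sha256(b"\x00" + seed).digest(),
            hashlib.sha256(b"\x01" + seed).digest())

def ggm_leaf(root: bytes, index: int, depth: int) -> bytes:
    """Keystream block `index` (0 <= index < 2**depth), walking one path:
    bit b of the index selects G0 or G1 at that level, MSB first."""
    if not 0 <= index < (1 << depth):
        raise ValueError("index out of range")
    node = root
    for level in range(depth - 1, -1, -1):
        node = prg(node)[(index >> level) & 1]
    return node

def ggm_all_leaves(root: bytes, depth: int) -> list:
    """Reference only: expand the entire tree (2**depth - 1 PRG calls)."""
    level = [root]
    for _ in range(depth):
        nxt = []
        for node in level:
            nxt.extend(prg(node))
        level = nxt
    return level

def calls_for_one_leaf(root: bytes, index: int, depth: int) -> int:
    """How many PRG evaluations a single block costs with lazy evaluation."""
    global PRG_CALLS
    PRG_CALLS = 0
    ggm_leaf(root, index, depth)
    return PRG_CALLS

if __name__ == "__main__":
    root = bytes(32)            # constructed all-zero seed for the demo
    print("block 37 of 2^20 costs", calls_for_one_leaf(root, 37, 20), "PRG calls")
```

Lazy evaluation is also what makes the construction usable as a random-access keystream: block i can be regenerated on its own, and the cost per block is logarithmic in the total number of blocks.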
------------------------------
From: "Brian Hetrick" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Sat, 28 Apr 2001 02:22:09 GMT
[Third try. At least I've had sleep today. :-) ]
"Tom St Denis" wrote ...
> Again like others you ignore the space argument. You need (2^86)^2
> (or is sqrt?) in either case you need *at least* eight terabits (one
> terabyte) of memory. That would be hard to come by since most
> computers probably don't have that much. (x86's can't even address
> that much).
A terabyte of disk costs $3,000 today; a terabyte of 133 MHz memory
costs $287,000 today. Both of these are at retail at buy.com.
Doubtless you could get them for 10% less by looking around; doubtless
you could double those prices by requiring ECC on the memory and a 100
year MTBF on the disks; doubtless you could double the prices again by
requiring hot swap capable assemblies. If you need a 5000 MIPS
microprocessor, then don't use an x86. If you need to address a
terabyte, then don't use an x86. I don't think anyone is seriously
proposing using anything remotely like a standard desktop machine as
the basic engine in a factoring machine.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Combining two plaintexts into ciphertext
Date: 28 Apr 2001 02:24:28 GMT
Ken Savage wrote:
>uint8 plain1, plain2;
>uint8 key1, key2;
>uint16 x;
>
>Is there a GOOD function f( x, key ) such that
>
>f( x, key1 ) == plain1
>f( x, key2 ) == plain2
Why not use E_k(plain1 || plain2), where || denotes concatenation
and E_k() represents a good block cipher? Am I misunderstanding
the question?
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Secure Digital Music Initiative cracked?
Date: 28 Apr 2001 02:00:15 GMT
Jim Steuert <[EMAIL PROTECTED]> wrote:
> Thursday, they were threatened with lawsuits by the RIAA and the SDMI
> Foundation.
This is old news by now, but Felten elected not to present the paper at
IHW 2001.
http://www.cs.princeton.edu/sip/sdmi/
I can't say I blame him. It still shocks me that the RIAA can do what the
NSA did not - prevent a paper from being presented at a public conference.
It doesn't shock me too much, unfortunately. If I had any doubt about the
need for an Eternity Service before, this tends to erase such doubt.
A *personal* note- I just returned to reading news and have not had time to
read through the 90+ messages in the previous thread on this topic. From
what I can tell, it turned into a jolly old flame war about whether
(intellectual) property is theft. My view is that such a debate is a
distraction from the matter at hand.
The matter at hand is that the threat of lawsuit was used to silence a
group of researchers, (at least for now). The matter did not even come
before a court. *Whether or not* you believe in intellectual property - or
property at all- I think this is disturbing.
I don't actually want to see more discussion of this on sci.crypt (it's off
topic) - but if we do, I would like to see discussion on the *real* "lessons
learned from the SDMI challenge" - which right now seem to be "touch
powerful watermarking technologies and get sued."
-David
------------------------------
From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: Secure Digital Music Initiative cracked?
Date: Fri, 27 Apr 2001 22:43:28 -0400
Reply-To: Jim, Steuert
What really annoys me is that SDMI and Verance are claiming that
their techniques are still secure, while at the same time suppressing
the proof that they are not. This amounts to lying using the
the law to suppress the truth.
That is a hideous mis-use of the law, and the prime reason
why academic and intellectual freedom is so important to us,
and to our other freedoms.
-Jim Steuert
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: "I do not feel secure using your program any more."
Date: Fri, 27 Apr 2001 20:23:03 -0700
anon wrote:
>
> Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > "I do not feel secure using your program any more."
> >
> > You sure jumped to a hasty conclusion.
> >
> > Again, using the methods of OAP-L3 to generate your random digit
> > sequences is just the first step of creating your OTPs. And since I
> > believe you would agree that even if you started with a known file
> > containing the sequences of 0123456789 of length 18,144,000 bytes
> > and this becoming very quickly practicably impossible to guess
> > using the methods from OAP-L3, then by actually generating the random
> > digit files using OAP-L3 makes this impossibility that much more
> > impossible.
>
> What will you use to reorder those data?
> Surely the process can easily be recreated, thus your data is not safe?
>
> - Dan
>
> "clearly you are an inDUHvidual, just like everyone else" -
> unattributed.
Please, admit you do not know what you are talking about, do you?
What do you know about OAP-L3?
------------------------------
From: "Dopefish" <[EMAIL PROTECTED]>
Subject: Re: Question on p and q
Date: Sat, 28 Apr 2001 10:23:14 -0500
Phi (N) = 1 if prime
fish
--
======BEGIN SIGNATURE======
A.K.A "Dopefish" or "fish" for short on Usenet.
Microsoft? Is that some kind of toilet paper?
"Rockin' the town like a moldy crouton!"
- Beck (Soul Suckin' Jerk - Reject)
"Help me, I broke apart my insides. Help me,
I've got no soul to sell. Help me, the only thing
that works for me, help me get away from
myself."
- Nine Inch Nails (Closer)
=====BEGIN GEEK CODE BLOCK=====
Version: 3.12
GO dpu s++:++ a---- C++++ U--->UL
P L+ E? W++ N+++ o+ K--- w+>w+++++
O--- M-- V? PS+++ PE Y-- PGP t 5--
X+ R tv b+ DI D+ G-- e- h! r z
======END GEEK CODE BLOCK======
(www.geekcode.com)
======END SIGNATURE======
Brett <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> Pardon if this is ridiculously easy, but I consulted the FAQ
> before posting and do not find it in there.
>
> Public key cryptography relies on two very large primes p and
> q to be multiplied together to form a larger number N that makes
> up the public key. My question is: How does one find such
> large primes in the first place and verify that they are primes
> in a reasonable time. If you have a 4096-bit key, N is approx.
> 10 ^ 1233 in size. p and q must be somewhere in the 10 ^ 600
> range ... How does one go about creating a prime that big, and
> making sure it is in fact prime?
>
>
> Brett
------------------------------
From: "Dopefish" <[EMAIL PROTECTED]>
Subject: Re: Question on p and q
Date: Sat, 28 Apr 2001 10:30:27 -0500
Phi being the number of numbers that are relatively prime to N and are less
than N
fish
look up Euler's Phi Function and "The Mathematics of RSA"
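Brett's actual question, how a prime of several hundred digits is produced and checked in reasonable time, is answered the same way by every practical RSA implementation: draw random odd candidates of the wanted size, throw away those with small factors, and keep the first one that survives enough rounds of a probabilistic primality test. The following is an added example, not code from the thread: it implements Miller-Rabin (a composite passes one round with probability at most 1/4, so 40 rounds leave a negligible error), generates p and q of a chosen size, and computes Euler's phi for N = p*q, which is (p-1)(q-1), cross-checked against the counting definition for small N. The RNG is seeded only so the run is reproducible; a real key generator must draw from the OS CSPRNG.

```python
import random
from math import gcd

# Added example, not code from the thread. Miller-Rabin, random prime
# generation and phi(N) for an RSA modulus. Seeded RNG is for
# reproducibility only; use secrets / os.urandom for real keys.

SMALL_PRIMES = [p for p in range(3, 1000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def is_probable_prime(n: int, rounds: int = 40, rng=random) -> bool:
    """Trial division by small primes, then `rounds` of Miller-Rabin."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = n - 1, 0                       # write n-1 = d * 2**s, d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # a is a witness: n is composite
    return True

def generate_prime(bits: int, rng=random) -> int:
    """Random prime with exactly `bits` bits: top bit set, forced odd."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand

def rsa_modulus(bits: int, rng=random) -> tuple:
    """Return (N, phi(N)) for N = p*q with p, q each bits//2 bits long."""
    p = generate_prime(bits // 2, rng)
    q = generate_prime(bits // 2, rng)
    while q == p:
        q = generate_prime(bits // 2, rng)
    return p * q, (p - 1) * (q - 1)

def euler_phi_bruteforce(n: int) -> int:
    """Counting definition: number of 1 <= k < n with gcd(k, n) == 1."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

if __name__ == "__main__":
    rng = random.Random(2001)
    n, phi = rsa_modulus(512, rng)
    print("N has", n.bit_length(), "bits; phi has", phi.bit_length(), "bits")
```

For a 4096-bit modulus the same loop runs with 2048-bit candidates; the prime number theorem says roughly one odd number in 700 of that size is prime, and the small-prime sieve removes most of the rest before any modular exponentiation is spent, which is why generation takes seconds rather than hours.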
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: Wolf's Secure Channel Theorem
Date: Fri, 27 Apr 2001 22:32:11 -0500
> The good thing for me is I'm not a terrorist or a political agency, so
> OTPs would be a huge overkill. That's why I was after ARC4 source code
Are you sure you're not a terrorist? Looks can be deceiving, especially to
oneself.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Combining two plaintexts into ciphertext
Date: Sat, 28 Apr 2001 03:35:27 GMT
On 28 Apr 2001 02:24:28 GMT, [EMAIL PROTECTED] (David Wagner)
wrote, in part:
>Why not use E_k(plain1 || plain2), where || denotes concatenation
>and E_k() represents a good block cipher? Am I misunderstanding
>the question?
I think the idea is to make plain2 deniable - or at least to keep it
well hidden - even when the message is decoded to yield plain1. And
vice versa.
Using 16-bit quantities to represent bytes, however, is not a good way
of achieving this. One should encrypt the message in larger chunks.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************