Cryptography-Digest Digest #464, Volume #14 Mon, 28 May 01 15:13:00 EDT
Contents:
Re: Essay on "The need for a look at real life crypto" (Tom St Denis)
Re: To prove PGP can easily be misused... ([EMAIL PROTECTED])
Re: A generic feistel cipher with hash and gf(257) mixers (Tom St Denis)
Re: Good crypto or just good enough? (Mark Wooding)
Re: Good crypto or just good enough? (Mark Wooding)
Re: Essay on "The need for a look at real life crypto" (Tom St Denis)
Re: DES Crypto Myth?? ([EMAIL PROTECTED])
Re: Good crypto or just good enough? (Roger Fleming)
Re: The HDCP Semi Public-Key Algorithm (ammendment) (John Savard)
Re: Good crypto or just good enough? ("Sam Simpson")
Re: Euroean commision will recommend all citizens to use encryption in email next
week, because of echelon. (Ichinin)
Re: Good crypto or just good enough? (David Wagner)
Re: Euroean commision will recommend all citizens to use encryption in email next
week, because of echelon. ("Paul Pires")
Re: Re Slide Attacks (was Re: How do boomerang attacks work?) (David Wagner)
Re: How do boomerang attacks work? (David Wagner)
Re: Medical data confidentiality on network comms (Tom McCune)
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Essay on "The need for a look at real life crypto"
Date: Mon, 28 May 2001 17:34:57 GMT
jlcooke wrote:
>
> The concept of what you say is right on. The essay structure isn't
> hot. But oh well, this isn't alt.pick.on.bad.writters.com.net.org
>
> Perhaps getting the message confused with specific examples is a bad
> idea. Like others have said, it looks like you're aiming at someone. Instead
> of waving your hand at a bigger problem, which is what I think you're
> trying to do.
Yes you are absolutely correct. It is not a good example of English
writing. I was mainly ranting.
The point of the essay was to show how using buzzwords does not send the
entire message when to be secure you need more than good algorithms.
They have to be used correctly.
I targeted PGP because it's a well known example.
Tom
>
> JLC
>
> Tom St Denis wrote:
> >
> > Based on my turn about look at computer security...
> >
> > http://tomstdenis.home.dhs.org/on.pdf
> >
> > Please comment if possible. Does this hit the mark with what you guys
> > are thinking?
> >
> > Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: To prove PGP can easily be misused...
Date: Mon, 28 May 2001 16:31:39 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> >
> > Hmm might not be news to you, but think about this. What if some
> > politician happened about this and decided to trust it without
> > confirmation? Ouch... bad news...
>
> High-ranking politicians are supposed to have people
> knowledgeable in security working for them to take care
> of the privacy of their communications.
You're both wrong.
I once worked in a government department quite close to the Big Boss' office.
I could have told him everything he ever wanted to know about information
security, but it turned out that what he wanted to know about it was nothing;
tech guys like me just didn't talk to the guy (except to say hello if you
bumped into him in a corridor).
It didn't matter; his form of email security was that he didn't have a
computer and didn't use email. He didn't much like phones, either.
For the department as a whole, decisions like email policies were made by a
career bureaucrat who was much more interested in sticking to budgets (and
maybe getting kickbacks from suppliers) than tightening security. His email
policy was mainly concerned with the dire consequences of exchanging jokes by
email. I niggled the guy until eventually a couple of lines were added to a
new draft policy; they were removed straight after I left.
Most organisations, including many government organisations, have no idea
about computer security, and would be better off using ANY product - even a
stupid "snake oil" product - than the way they work at present.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Mon, 28 May 2001 17:36:21 GMT
Simon Johnson wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
>news:<[EMAIL PROTECTED]>...
> > Tom St Denis wrote:
> > >
> > > Jim Steuert wrote:
> > > >
> > > > Does anyone have an opinion on the security of
> > > > generic feistel ciphers like this? The key is mixed
> > > > in the middle rounds in a fairly simple manner.
> > > > Does this create any weakness?
> > > >
> > > > This generic feistel cipher is based on the efficient
> > > > multipermutation hash mixer routine of Bob Jenkins.
> > > > I modified his mixer algorithm to use 32-bit rotates
> > > > instead of shifts, and then I tested the statistics.
> > > > I also added a gf(257) 32-bit byte-wise multipermutation
> > > > mixer. (1 is represented by 8-bit 0x00,...,256 by 0xff)
> > > >
> > > > A multipermutation feistel mixer operation: c = a op b
> > > > is invertible, in that by fixing any input a, varying the
> > > > second input b will cause all possible values of
> > > > the output c. This preserves the equal-likelihood
> > > > of all output values, in that any single output
> > > > value is caused by exactly (2^n) different input (a,b)
> > > > pairs, out of (2^n)*(2^n) possible input pairs.
> > > > This makes each output value have prob = 1/(2^n).
> > > > Of course, the other important (avalanche,etc) qualities are
> > > > due to the properties of the gf and Bob Jenkin's mixers,
> > > > in particular his use of combined 32-bit add/sub and xor.
> > > > This was compiled with -O5 with the mingw version of gcc.
> > >
> > > This is wrong. Nice immunity to GF(2^n) differentials comes from
> > > GF(2^n) decorrelated functions (it's simple to prove it too). In
> > > GF(257) you will see GF(2^8) differentials with probs upto about 12/256
> > > if I am not mistaken.
> >
> > In GF(257) inversion ...
> >
> > To be more precise Pr[255 => 255] is 256/256, there are some 16/256,
> > 12/256 and alot of 2,4,8/256.
> >
> > So this is not a good "fixed" sbox. Note that using mults in GF(257)
> > by random values is good to a point as the average DP value for any
> > xor-pair (over all unique multiplicands (all 127*255 of them)) is fairly
> > low (this is a wild guess I should really check sometime).
> >
> > I would bet for all mults though diffs by 255 would be a source of
> > weakness... (again wild speculation)
> >
> > Tom
>
> Tom's point is correct if a difference function XOR is used D255 goes
> to D255 with probability one. However, if the difference is measured
> with subtraction in GF(257) the function will have a 'random'
> distribution of differences like it's GF(2^w)/p(x) counter-part.
>
> However, since your cipher appears to be a standard Fiestel, where the
> left and right halves are combined using XOR it is unlikely that using
> subtraction in GF(257) is a clever thing to do... so you're knacked.
Very good observation Simon. Seems you are learning quickly! (Wish I
could say the same for myself and a few others in this group!)
Tom
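The exchange above turns on two claims about the GF(257) inversion mixer: Tom's that under Jim's byte encoding (0x00 for 1 up to 0xff for 256) the XOR difference 0xff maps to 0xff with probability one, and Simon's that the same S-box looks fine if differences are instead measured by subtraction in GF(257). The script below, added here as an example and not code from any poster, builds both difference distribution tables for that S-box so the reader can check both claims directly. The encoding helpers and function names are assumptions for this example; the S-box is the inversion map described in the thread.

```python
# Added example (not from the thread): difference distribution of the
# GF(257) inversion mixer under the byte encoding described by Jim Steuert
# (byte b stands for the field element b + 1, so 0x00 is 1 and 0xff is 256).
# Differences are measured two ways, matching Tom's and Simon's remarks:
# XOR on the bytes, and subtraction in GF(257) on the encoded values.

P = 257


def to_elem(b: int) -> int:
    """Byte 0x00..0xff -> field element 1..256 (the thread's encoding)."""
    return b + 1


def to_byte(e: int) -> int:
    """Field element 1..256 -> byte 0x00..0xff."""
    return e - 1


def gf257_inv_sbox(b: int) -> int:
    """Inversion in GF(257) applied to an encoded byte; 0..255 -> 0..255."""
    return to_byte(pow(to_elem(b), P - 2, P))


# Precomputed S-box so the table builders are plain list lookups.
SBOX = [gf257_inv_sbox(b) for b in range(256)]
INV_ELEM = [pow(e, P - 2, P) for e in range(P)]  # INV_ELEM[0] unused


def xor_ddt(sbox=SBOX):
    """ddt[d_in][d_out] = number of bytes x with S(x) ^ S(x ^ d_in) == d_out."""
    ddt = [[0] * 256 for _ in range(256)]
    for d_in in range(256):
        for x in range(256):
            ddt[d_in][sbox[x] ^ sbox[x ^ d_in]] += 1
    return ddt


def sub_ddt():
    """ddt[d_in][d_out] with differences taken by subtraction in GF(257).
    Input pairs are (a, a + d_in mod 257); the one pair per row whose second
    element is 0 (not representable in the encoding) is skipped."""
    ddt = [[0] * P for _ in range(P)]
    for d_in in range(1, P):
        for x in range(256):
            a = to_elem(x)
            b = (a + d_in) % P
            if b == 0:
                continue
            ddt[d_in][(INV_ELEM[b] - INV_ELEM[a]) % P] += 1
    return ddt


def max_entry(ddt):
    """Largest table entry over nonzero input differences."""
    return max(max(row) for row in ddt[1:])


if __name__ == "__main__":
    x = xor_ddt()
    s = sub_ddt()
    print("XOR difference: Pr[0xff -> 0xff] = %d/256" % x[0xff][0xff])
    print("XOR difference: largest entry for d_in != 0 = %d/256" % max_entry(x))
    print("GF(257) subtraction: largest entry for d_in != 0 = %d/255" % max_entry(s))
```

The subtraction table is bounded by 2 for every nonzero input difference, because (a+d)^-1 - a^-1 = e reduces to a quadratic in a; the XOR table is what a Feistel combining halves with XOR actually sees, which is Simon's point.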
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Good crypto or just good enough?
Date: 28 May 2001 17:39:13 GMT
Sam Simpson <[EMAIL PROTECTED]> wrote:
> Is this a suspicion or is there a proof for this somewhere?
Suppose that A is an adversary which distinguishes triple-DES from a
random permutation within some given resource bounds (say, less than
2^{56} time). Then construct an adversary B which distinguishes single-
DES by choosing two more DES keys at random, and giving A the provided
single-DES-or-random-permutation oracle and two further rounds of DES as
its oracle. B will distinguish single-DES from a random permutation in
the same resources as A except for three times as many DES encryptions.
Will that do you?
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Good crypto or just good enough?
Date: 28 May 2001 17:40:48 GMT
Stefan Lucks <[EMAIL PROTECTED]> wrote:
> However, picking between triple DES and Rijndael is a different game
> ...
This is surely food for thought, given your excellent work on attacking
triple encryption.
-- [mdw]
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Essay on "The need for a look at real life crypto"
Date: Mon, 28 May 2001 17:37:10 GMT
Mark Currie wrote:
>
> Good essay. However you state that exchanging public keys over the Internet is
> "..completely non-applicable". I don't entirely agree with this. You can
> exchange them over the internet, but you must verify the fingerprint over
> another channel i.e. read them out to each other over the telephone. Granted
> this only works when you know each other and there are many other pitfalls but
> it needed mentioning.
This is true, but currently most people will share keys via websites and
pgp servers.
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES Crypto Myth??
Date: Mon, 28 May 2001 08:47:18 -0800
"SCOTT19U.ZIP_GUY" wrote:
>
> [EMAIL PROTECTED] wrote in <[EMAIL PROTECTED]>:
>
> >Roger Fleming wrote:
> >>
> >> [EMAIL PROTECTED] wrote:
> >> [...]
> >> >It's funny how many Schneier quotes I've seen since I've been
> >> >following this newsgroup.
> >> [...]
> >> >I think my reading time was better spent with HAC. Why is Schneier
> >> >such a popular cryptographer? Is it charisma or is he a real
> >> >innovator (compared to other professional cryptographers)?[...]
> >>
> >> I think he is quoted so often because, as well as being a competent
> >> cryptographer, he is a good writer; there are many crypto "truths"
> >> that are succinctly summarised by his pithy one-liners and thus very
> >> amenable to using on usenet.
> >
> >
> >I think you're right. No doubt he knows what he's doing, and as I said,
> >his
> >book is a fun read. It just that "Bruce Schneier says..." seems at
> >times
> >in this newsgroup to mean "the unquestionable leader of the crypto
> >community says..."
> >and I wondered if the number of times he gets quoted was a fair measure
> >of his
> >skill as a cryptographer (don't look too closely; there's some very bad
> >reasoning here! :) ).
> >
> >Again, he's an intelligent and successful cryptographer, but my guess is
> >that there are plenty of intelligent cryptographers out there. Maybe
> >they just aren't as quotable?
> >
>
> Please excuse me while I BRAF this phony asskissing reply
> was too much for my stomach to take.
>
> David A. Scott
[sig snip]
I think at least it's fair to say that he writes much better than you
do.
------------------------------
From: [EMAIL PROTECTED] (Roger Fleming)
Subject: Re: Good crypto or just good enough?
Date: Mon, 28 May 2001 16:50:05 GMT
Tom St Denis wrote:
>
> My old employer asked me to ask the group this question.
>
> Would you settle for crypto that is "just secure enough" or "is as
> secure as we know how to make it". Both within reason.
>
> His line of thinking was that I was a hypocrite for only having a
> dead-bolt on my door instead of a 6" steel vault door.[...]
If I lived in a neighbourhood as rough as the internet, I might go with the
bank vault if I could afford it - and comparable security to the walls,
windows, etc so it isn't a waste of time. Since I can't afford such things, I
put my most valuable stuff in a small safe, and for the rest of the house the
best locks I can afford.
By analogy, I use a very strong cipher to encrypt my email, because it's
free and a few milliseconds per email is nothing. But if I had to encrypt a
high speed data stream on a small, cheap processor, I might have to go with
something weaker.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: The HDCP Semi Public-Key Algorithm (ammendment)
Date: Mon, 28 May 2001 17:56:54 GMT
On Mon, 28 May 2001 17:20:25 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:
>One way to do that is to XOR the bits, as they pass from one delay
>cell to the next, with some other output of the shift registers. In
>this way, spending 2 cycles in the first one, and 1 cycle in the next
>is not the same as spending 1 cycle in the first one, and 2 in the
>next.
I came up with an even _better_ and *simpler* way to increase the
resistance of the design to correlation attacks. (Although, come to
think of it, all that's needed to negate the benefits of my second
idea would be to apply a deconvolution to the output bit sequence...so
I really need to do one more thing...)
Anyhow, a diagram and explanation is at:
http://home.ecn.ab.ca/~jsavard/crypto/co4y12.htm
John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Mon, 28 May 2001 18:53:49 +0100
"Mark Wooding" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Sam Simpson <[EMAIL PROTECTED]> wrote:
>
> > Is this a suspicion or is there a proof for this somewhere?
>
> Suppose that A is an adversary which distinguishes triple-DES from a
> random permutation within some given resource bounds (say, less than
> 2^{56} time). Then construct an adversary B which distinguishes single-
> DES by choosing two more DES keys at random, and giving A the provided
> single-DES-or-random-permutation oracle and two further rounds of DES as
> its oracle. B will distinguish single-DES from a random permutation in
> the same resources as A except for three times as many DES encryptions.
>
> Will that do you?
It's certainly interesting!
I'm thinking back to a paper (probably Schneier) where they found an attack
where 2-key 3DES was stronger than 3-key 3DES. You seem to provide a proof
for a specific class of attack, but may there be other attacks where the
security [of DES and 3DES] could be found to be equivalent?
I guess I'm asking: does your proof imply that, for all attacks, 3DES is
stronger that DES?
Thanks for taking the time to answer,
--
Sam Simpson
http://www.scramdisk.clara.net/
------------------------------
From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Euroean commision will recommend all citizens to use encryption in email
next week, because of echelon.
Date: Tue, 22 May 2001 20:38:51 +0200
Jan Panteltje wrote:
<Snip>
My 0.02 ECU's:
I have personally never sent an encrypted email.
(i've never had any use for it!), although i can
understand the need for others to send such emails.
I understand the corporate worries, but as a private
citizen, I don't see the threat...
What's really annoying me is SPAMMERS, not some
foreign int agency like GCHQ or NSA (...mapping who
my friends are and how often i find an exploit in
Product X and why i prefer Dr Pepper to Pepsi.)
OTOH: i guess i even have to encrypt every god
damned ICQ message soon or AOL or it's associates
will push crap into my mailbox if i don't do it.
Why don't politicians discuss the real threat; the
threat to privacy from Us corporations which also
affect other corporations?
Why does one even vote?
/Ichinin
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Good crypto or just good enough?
Date: Mon, 28 May 2001 18:34:35 +0000 (UTC)
Sam Simpson wrote:
>"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>> It's not hard to see that 3DES is no less secure than DES.
>
>Is this a suspicion or is there a proof for this somewhere?
There's a straightforward proof, which goes roughly along the
following lines. If there is a good attack on 3DES, then you
can use it as a black box to break DES as follows: pick 2 random
other DES keys, and simulate 3DES using chosen-plaintext queries
to your DES oracle along with encryption/decrypting using the
2 keys you picked; then if the 3DES attack can distinguish your
simulation from random, this distinguishes DES from random.
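The reduction sketched by Mark Wooding and David Wagner in this thread, written out as runnable code. This is an added example, not code from either poster. To keep it self-contained and fast, a deliberately weak 16-bit toy cipher (a key XOR, an assumption made only for illustration) stands in for DES; the argument itself does not depend on the cipher. Adversary A is given an oracle and says whether it looks like triple encryption or a random permutation; adversary B picks two fresh keys, wraps the single-cipher-or-random oracle in an outer decrypt/encrypt layer so that A sees a faithful simulation of EDE triple encryption, and returns A's verdict. The names and the counting of extra cipher operations are this example's own.

```python
# Added example (not from the thread): the "3DES is no less secure than DES"
# reduction, with a weak toy cipher standing in for DES so it runs instantly.
import secrets

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1


def toy_encrypt(key: int, x: int) -> int:
    """Hypothetical toy cipher: a key-dependent XOR. Weak on purpose, so that
    a simple triple-encryption distinguisher exists and the reduction is visible."""
    return (x ^ key) & MASK


def toy_decrypt(key: int, y: int) -> int:
    return (y ^ key) & MASK


def random_permutation_oracle():
    """Lazily sampled random permutation on 16-bit blocks (the 'random' side)."""
    table, used = {}, set()

    def oracle(x: int) -> int:
        if x not in table:
            y = secrets.randbelow(1 << BLOCK_BITS)
            while y in used:
                y = secrets.randbelow(1 << BLOCK_BITS)
            table[x], _ = y, used.add(y)
        return table[x]

    return oracle


def triple_distinguisher(oracle, queries: int = 8) -> bool:
    """Adversary A. Returns True if the oracle looks like (triple) toy
    encryption, False if it looks random. For the toy cipher, triple
    encryption is still a single XOR, so XOR differences pass straight
    through; a random permutation almost never preserves them."""
    for _ in range(queries):
        x = secrets.randbelow(1 << BLOCK_BITS)
        d = secrets.randbelow(1 << BLOCK_BITS) or 1
        if oracle(x) ^ oracle(x ^ d) != d:
            return False
    return True


def reduce_to_single(single_oracle, adversary):
    """Adversary B. Chooses two extra keys k2, k3 and presents A with
    E_k3(D_k2(O(x))), where O is the given single-cipher-or-random oracle.
    If O = E_k1 this is exactly EDE triple encryption under (k1, k2, k3);
    if O is a random permutation the composite is also a random permutation.
    So A's verdict on the simulation is a verdict on O itself. Returns
    (verdict, stats) where stats counts the work beyond A's own queries."""
    k2 = secrets.randbelow(1 << BLOCK_BITS)
    k3 = secrets.randbelow(1 << BLOCK_BITS)
    stats = {"oracle_queries": 0, "extra_cipher_ops": 0}

    def simulated_triple(x: int) -> int:
        stats["oracle_queries"] += 1
        stats["extra_cipher_ops"] += 2  # one decrypt under k2, one encrypt under k3
        return toy_encrypt(k3, toy_decrypt(k2, single_oracle(x)))

    return adversary(simulated_triple), stats


if __name__ == "__main__":
    k1 = secrets.randbelow(1 << BLOCK_BITS)
    verdict, stats = reduce_to_single(lambda x: toy_encrypt(k1, x), triple_distinguisher)
    print("oracle = toy cipher   -> A says cipher:", verdict, stats)
    verdict, stats = reduce_to_single(random_permutation_oracle(), triple_distinguisher)
    print("oracle = random perm  -> A says cipher:", verdict, stats)
```

B's cost is A's cost plus two cipher operations per query, which is the "three times as many DES encryptions" in Mark's sketch; nothing else about A is touched, so any A that works within some resource bound gives a B within essentially the same bound.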
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Euroean commision will recommend all citizens to use encryption in email
next week, because of echelon.
Date: Mon, 28 May 2001 11:33:57 -0700
A very good point. We need the E-equivalent of a picket
fence and a grumpy dog around our E-abodes. There is
no distinction between your living room and their boiler
room.
Not an action we can take (like spam filters) that
they can analyze and avoid but a real discretionary barrier
that can recognize one's associates and provide a defined
boundary where crossing it is actionable.
Paul
Ichinin <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Jan Panteltje wrote:
> <Snip>
>
> My 0.02 ECU's:
>
> I have personally never sent an encrypted email.
> (i've never had any use for it!), although i can
> understand the need for others to send such emails.
>
>
> I understand the corporate worries, but as a private
> citizen, I don't see the threat...
>
> What's really annoying me is SPAMMERS, not some
> foreign int agency like GCHQ or NSA (...mapping who
> my friends are and how often i find an exploit in
> Product X and why i prefer Dr Pepper to Pepsi.)
>
> OTOH: i guess i even have to encrypt every god
> damned ICQ message soon or AOL or it's associates
> will push crap into my mailbox if i don't do it.
>
> Why don't politicians discuss the real threat; the
> threat to privacy from Us corporations which also
> affect other corporations?
>
> Why does one even vote?
>
> /Ichinin
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Re Slide Attacks (was Re: How do boomerang attacks work?)
Date: Mon, 28 May 2001 18:43:27 +0000 (UTC)
John Savard wrote:
>Nearly all block ciphers use different keys for each round. If the
>keys vary in a regular fashion from round to round, I suppose one
>could still perform a slide attack if one happened to find two
>suitably related keys, although that would be a very rare
>circumstance.
Yes, this is exactly Eli Biham's related-key attack introduced in his
1993 paper.
You could, if you like, think of his attack as a related-key slide attack,
as opposed to some other related-key attacks which consider differences
between keys and thus form differential related-key attacks.
His attack can easily be seen to be a strict generalization of the
slide attack. In particular, a slide attack applies just when there are
keys K so that (K,K) forms a related key pair for Biham's attack---in
other words, slide attacks apply when keys are related to themselves,
and so we might think of slide attacks as a self-related key attack.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: How do boomerang attacks work?
Date: Mon, 28 May 2001 18:45:19 +0000 (UTC)
>Your paper also mentions (page 3) that the technique requires F (which
>can include several rounds) to be a "weak" permutation.
This requirement is less strict, and can be relaxed in some cases.
See, for instance, our "Advanced Slide Attacks" paper where we attack
DESX: in that case, F denotes all of DES, and so can hardly be considered
"weak".
------------------------------
Crossposted-To: comp.security.misc
From: Tom McCune <[EMAIL PROTECTED]>
Subject: Re: Medical data confidentiality on network comms
Date: Mon, 28 May 2001 19:02:11 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Roger Fleming) wrote:
<snip>
>>We have a state wide area network that we can transfer patient
>>information over - I believe that is encrypted - transparently to the user,
>>so I have no idea what that consists of.
>
>Are you sure it's encrypted, or does your IT department just tell you it's
>"secure"? It's pretty unusual for private WANs to be encrypted, even in state
>government applications, and pretty common for administrators to exaggerate
>the value of this sort of security to avoid spending money.
No, I'm not sure. In fact I had thought it was not, but in a recent one day
annual mandated inservice, there was a brief segment by the IT people, and
it was mentioned that this was encrypted. I don't recall which person said
it, or even whether that person saying that would likely know what he/she
was talking about, but the statement was made.
>>was that the asymmetric encryption was only required to be 1024 bit - I
>>would have thought longer term privacy would warrant 2048 bits.
>
>That's not surprising at all. RSA is still recommending 768 bits for low grade
>security and 1024 bits for long term security, a recommendation which hasn't
>changed for quite a few years. Many other authors recommend much longer
>moduli; RSA says the reason for the difference is that these authors are
>looking at work factors only, and the most costly part of the factorisation
>problem is memory bound; it doesn't matter how many distributed PCs you have,
>you have to finish the problem in a supercomputer with terabytes of fast RAM,
>and there isn't enough fast RAM in the world for a 1024 bit key. Or something
>like that.
>Whether you accept RSA's reasoning or not, 2048 seems pretty conservative
>(about 2^40 times harder than 1024), and for most purposes isn't too slow on
>modern PCs.
Why I find this surprising is the issue of long term security. I'm in the
children's unit, and who knows how this information could adversely affect
people 10, 20, or 30 years from now. I know that 1024 bit is secure at
this time, but betting on it over a period of decades seems foolish, and
esp. so when going to 2048 bits (which is still less secure than the
symmetric encryption being used) is basically at no cost to anyone. Perhaps
this number was determined in view of the S/MIME then in effect, rather than
on mathematical reality.
Tom McCune
http://www.McCune.cc
Please use PGP for Privacy & Authenticity
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************