Cryptography-Digest Digest #484, Volume #14      Thu, 31 May 01 16:13:01 EDT

Contents:
  Re: National Security Nightmare? (John Hairell)
  Re: Good place to start? ("The archgimP")
  Re: crypt education ("M.S. Bob")
  Re: OAP-L3:  "The absurd weakness." (James Felling)
  Re: National Security Nightmare? (Paul Rubin)
  Re: Best, Strongest Algorithm (wtshaw)
  Re: Medical data confidentiality on network comms (wtshaw)
  Re: Stream Cipher combiners (Mark Wooding)
  Re: Is this a weakness in RSA key generation? (Mark Wooding)
  Re: Quantum Computers with relation to factoring and BBS (Mark Wooding)
  Re: Fast 8-bit mults on smartcards (Mark Wooding)
  Re: Definition of 'key' (wtshaw)
  Re: National Security Nightmare? (Mok-Kong Shen)
  Re: Diffusion limits in block ciphers (David Wagner)
  Re: Help with RSA ("Joseph Ashwood")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (John Hairell)
Subject: Re: National Security Nightmare?
Date: Thu, 31 May 2001 18:40:14 GMT

On 30 May 2001 22:32:53 GMT, [EMAIL PROTECTED] (JPeschel)
wrote:

>> Sam Yorko [EMAIL PROTECTED] writes, in part:
>
>>I guess what I really meant is if someone confronted me with an NSA
>>badge, how in the world could I verify this?
>
>Don't worry. No one will.


Exactly right - you will not be "confronted" by anybody wearing an
official NSA badge, as they are used for internal access and not in
external relations with the public.  I believe there's an NSA
directive about not showing ID/security badges to the public.  Also,
NSA is not a law enforcement organization and has no need to have
"agents" with badges of any sort accosting members of the general
public.

NSA does have a DOD police force which has law enforcement/security
functions (they have a SWAT team, for example), but their functions
are limited to NSA areas, and unless you are speeding on Route 32 (in
which case either a Ft. Meade MP or a uniformed DOD Police officer
will issue you a ticket) or are attempting to jump the fence to see
how long it will take the dogs to find you, you have no need to worry.

As with most federal agencies, verification of employment for a person
can be verified by calling the agency in question.  NSA is in the
phone book.

NSA employees are not prohibited from stating where they work, but
it's far easier for them to say they work for the Department of
Defense to avoid questions.

I live within 5 miles of NSA and many of my neighbors work there.
None of them wear their badge off of Ft. Meade.  An Air Force crypto
guy I worked with once was required to turn his badge in on a daily
basis - it wasn't allowed to leave the NSA building.  He got it
re-issued on a daily basis after his ID was re-verified every morning
when he went in to work.

NSA is big on biometrics research, for some strange reason ;-)

John Hairell ([EMAIL PROTECTED])

------------------------------

From: "The archgimP" <althalus@excitedotcom>
Subject: Re: Good place to start?
Date: Thu, 31 May 2001 19:45:51 +0100

Thanx people; if I don't post for a while it's cos I'm reading.. lol

--The archgimP
--Let's get reading....


"The archgimP" <althalus@excitedotcom> wrote in message
news:[EMAIL PROTECTED]...
> Hi;
>

<SNIP>



------------------------------

From: "M.S. Bob" <[EMAIL PROTECTED]>
Subject: Re: crypt education
Date: Thu, 31 May 2001 19:48:46 +0100

Matt wrote:
> 
> Greetings, all,
> 
> I'm considering go back to college for a double major in computer science
> and mathematics.  I've had a lot of schooling, but never finished a degree.
> I'm very interested in cryptography and security and am looking for
> recommendations on what types of classes will best help me understand the
> field.  The math I've already had included calculus, differential equations,
> math modeling, statistics, and systems engineering of the
> queueing/least-path/cpm type.  My computer experience includes some
> programming I've picked up on my own and network administration work.

You'll want to study some pure math, statistics, and some theoretical
computer science (i.e. not just programming).

More specifically:
Number theory
Abstract or Modern Algebra
Statistics
Information Theory
Combinatorics
Optimization
Complexity
Algorithm Analysis
Software Engineering
Formal Languages
Assembly Language
Digital Electronics
Machine Organization
Signal Processing (EE)

(Some of these are more for engineering than an academic cryptographer,
think Power Differential Attack, Timing Attacks of smart cards.)

The focus varies depending on how much you prefer to analyze and design
algorithms, versus implementing and analyzing implementations, but you
need to be strong on both sides of the fence. Schneier has some short
essays, including in his Crypto-Gram newsletters.

Self-Study Course in Block Cipher Cryptanalysis
http://www.counterpane.com/self-study.html
Memo to the Amateur Cipher Designer
http://www.counterpane.com/crypto-gram-9810.html#cipherdesign
So, You Want to be a Cryptographer
http://www.counterpane.com/crypto-gram-9910.html#SoYouWanttobeaCryptographer

In Code by Sarah Flannery
http://www.profilebooks.co.uk/procat/2001/flannery_01.htm
http://www.amazon.co.uk/exec/obidos/ASIN/1861972717/

Zen and the Art of Motorcycle Maintenance by Robert M. Pirsig
just because I think if you can read that you can read actual crypto
papers :-)

Avi Rubin's list of crypto and security courses
http://avirubin.com/courses.html


Hope that helps you get a feel for things.

------------------------------

From: James Felling <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3:  "The absurd weakness."
Date: Thu, 31 May 2001 14:03:34 -0500



Anthony Stephen Szopa wrote:

> James Felling wrote:
> >
> ><sniping previous posts>

>
>
> Sorry to break your bubble
>
> Tell me, do you have very many stupid people who pay you money for
> expounding such logic as you have demonstrated in your past three
> or four posts?  Wait!  Don't answer that right now.  First read the
> following.
>
> As you will see from looking at the first 105 permutations that the
> first 5 digits are:  0 1 2 3 4.  No matter how many times you run
> your 105! process these first five digits of the group of 105
> permutations will always be the same.

What are you talking about? Given a generic permutation of 105 elements the first 5
elements are always the same? Huh? Where do you get that? This is like saying I take a
deck of 105 cards, and shuffle them, and the first 5 cards will be the same no matter
how it is done. (You have obviously misunderstood me or you do not understand the
mechanisms of permutation.)

>
>
> Now if you are aware of the way OAP-L3 works, you will know that
> this will result in very very poor random digit output:  basically
> unusable.

You said it, not I.  Further, given your gross misinterpretation of what I said, your
conclusions based upon that misinterpretation follow, but they are wrong if you
actually understand what I said.

<snip rant based upon a severe misinterpretation of what I said>

I never suggested a family of 105 permutations; I suggested that a mix file is
embedded in the family of order-105 permutations. You should be able to see that. If
you cannot see why, then you have so little understanding of your methods that I
despair of ever explaining them to you.


------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: 31 May 2001 12:10:05 -0700

[EMAIL PROTECTED] (John Hairell) writes:
> NSA employees are not prohibited from stating where they work, but
> it's far easier for them to say they work for the Department of
> Defense to avoid questions.

Some NSA people at a crypto conference I went to a few years ago said
that, up to a few years prior to that, they were required to say
"Dept. of Defense" rather than NSA, but the requirement had recently
been relaxed.  Nowadays there are NSA people at crypto conferences (hi!)
who have "<name>, National Security Agency" printed on their
conference badges, and they mix in just fine with everyone else, give
presentations, etc.  I believe their presentations have to be cleared
before they can be given to the "public", but that's all behind the
scenes.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Best, Strongest Algorithm
Date: Thu, 31 May 2001 12:47:22 -0600

In article <[EMAIL PROTECTED]>, David Hopwood
<[EMAIL PROTECTED]> wrote:

> It's not quite impossible to achieve semantic security without using random
> data (you could use the current time as a salt, for instance, or other data
> that is unlikely to repeat), but using random data is usually the easiest
> and most robust approach.
> 
There is nothing robust about a salt as is often used.  You are thinking
in flyweights when you should be contemplating gross tonnage.
-- 
Sign for the White House lawn: 

WARNING! Irresponsible Parents Live Here.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: Thu, 31 May 2001 12:39:54 -0600

In article <9f5te9$rg8$[EMAIL PROTECTED]>, "Niels Ferguson"
<[EMAIL PROTECTED]> wrote:
> 
> Many problems can be solved by having a system in which people have
> access, but _every_ access is reported to the patient in question. This
> requires some low-level authentication to know who was accessing the
> data. It is probably good enough to stop most of the abuse. Certainly
> in the US with its class-action lawsuits a tracking system would deter
> systematic illegal use of medical data. If the abuse of the data is legal,
> you don't need a technical solution but a political one.
> 
This is not a meaningful line of logic.  A copy can be copied or tapped as
transferred.  Once access is obtained, there is surely no realistic means
of tracking where it might go.  The nature of digital information is that
it does not act like paper or outdated related thinking.

A patient's records should be controlled by the patient and doctor
involved.  All access should require original and revocable permission.
Databases are only justified when individual patient identification is
forbidden.  Otherwise, use is an invasion of privacy, no buts about it, no
tolerance given, and woe be to those who transgress the doctor-patient
relationship.
-- 
Sign for the White House lawn: 

WARNING! Irresponsible Parents Live Here.

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Stream Cipher combiners
Date: 31 May 2001 10:14:08 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:

> BTW did I finally get it right?  i.e. the multiplicative subgroup is Z*/nZ
> all (modulo n)...? or is it just Z/nZ

The * should be a superscript, and needs to be applied to the whole
ring, not just Z.  So the correct name for the multiplicative group is
(Z/nZ)^*.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Is this a weakness in RSA key generation?
Date: 31 May 2001 10:52:38 GMT

David Hopwood <[EMAIL PROTECTED]> wrote:

> That is indeed how it was stated in the original RSA paper:
> 
>   Ron Rivest, Adi Shamir, Leonard Adelman,
>   "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,"
>   MIT Laboratory for Computer Science and Department of Mathematics.
>   Communications of the ACM, February 1978, Volume 21, Number 2, pp. 120-126.
>   http://theory.lcs.mit.edu/~rivest/rsapaper.ps or
>   http://citeseer.nj.nec.com/rivest78method.html
> 
> However, it's sufficient that d*e = 1 (mod lcm(p-1, q-1)).

To be fair, the paper does actually mention this (top of page 13 in the
1977-09-01 revision).  This is now the recommended way of doing RSA key
generation in PKCS#1.

-- [mdw]
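The two ways of computing d side by side, as an added illustration (not from the thread, the RSA paper or PKCS#1), on a constructed toy key; it also checks that the smaller lcm-based exponent decrypts every residue:

```python
from math import gcd

def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)

def rsa_private_exponents(p: int, q: int, e: int) -> tuple:
    """Return (d_phi, d_lcm): e's inverse mod phi(n) as in the 1978 paper,
    and mod lambda(n) = lcm(p-1, q-1) as PKCS#1 recommends."""
    phi = (p - 1) * (q - 1)
    lam = lcm(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lcm(p-1, q-1)")
    return pow(e, -1, phi), pow(e, -1, lam)

def roundtrips(n: int, e: int, d: int) -> bool:
    """True if m -> m^e -> (m^e)^d returns every residue mod n to itself,
    i.e. d is a valid private exponent for (n, e)."""
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))

# Constructed toy key; real keys use primes hundreds of digits long.
P, Q, E = 61, 53, 17

if __name__ == "__main__":
    d_phi, d_lcm = rsa_private_exponents(P, Q, E)
    n = P * Q
    print(f"phi(n) = {(P - 1) * (Q - 1)}, lambda(n) = {lcm(P - 1, Q - 1)}")
    print(f"d mod phi = {d_phi}, d mod lambda = {d_lcm}")
    print("both decrypt every message:",
          roundtrips(n, E, d_phi) and roundtrips(n, E, d_lcm))
    # The two exponents agree modulo lambda(n); the lcm one is just the smallest.
    print("d_phi == d_lcm (mod lambda):", d_phi % lcm(P - 1, Q - 1) == d_lcm)
```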

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Quantum Computers with relation to factoring and BBS
Date: 31 May 2001 12:41:59 GMT

Bodo Moeller <[EMAIL PROTECTED]> wrote:

> So what we two probably should have done is point out that the
> question "Is factoring in P?" does not make much sense because "P" is
> about semi-decision procedures and "factoring" is not a decision
> problem.

But since there is a polynomial-time algorithm for extracting a
nontrivial factor of a number n if and only if there is a polynomial-
time algorithm for solving the decision problem, we don't actually have
a problem here.

[Decision-problem to factoring: use binary search; factoring to
decision-problem: extract all factors -- there are a polynomial number
of them -- and answer the question.]

-- [mdw]
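Both directions of the reduction in the bracketed remark, written out as an added example (not from the post); the yes/no oracle is a constructed trial-division stand-in, and the point is that the search around it makes only logarithmically many calls:

```python
def has_factor_at_most(n: int, k: int) -> bool:
    """The decision problem: does n have a divisor d with 2 <= d <= k, d < n?
    Answered here by trial division purely as a stand-in oracle (constructed
    for the demo); the reductions below only use it as a yes/no box."""
    return any(n % d == 0 for d in range(2, min(k, n - 1) + 1))

def smallest_factor(n: int, oracle=has_factor_at_most):
    """Decision -> factoring: binary search on k for the smallest nontrivial
    factor, using O(log n) oracle calls. Returns None when n is prime (or < 4)."""
    if n < 4 or not oracle(n, n - 1):
        return None
    lo, hi = 2, n - 1                   # smallest factor lies in [lo, hi]
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(n, mid):
            hi = mid                    # a factor <= mid exists: look lower
        else:
            lo = mid + 1                # none <= mid: it is above mid
    return lo

def factorize(n: int, oracle=has_factor_at_most) -> list:
    """Full factorisation by peeling off the smallest factor repeatedly; a
    number has at most log2(n) prime factors, so this stays polynomial."""
    factors = []
    while (f := smallest_factor(n, oracle)) is not None:
        factors.append(f)
        n //= f
    if n > 1:
        factors.append(n)
    return factors

def decide_via_factoring(n: int, k: int) -> bool:
    """Factoring -> decision: list all prime factors, then answer. Any
    nontrivial divisor of n is at least its smallest prime factor, which is
    itself a divisor, so the question reduces to a single comparison."""
    primes = factorize(n)
    return len(primes) > 1 and min(primes) <= k

def counting_oracle():
    """Wrap the oracle to count calls, to show the search is logarithmic."""
    calls = [0]
    def oracle(n, k):
        calls[0] += 1
        return has_factor_at_most(n, k)
    return oracle, calls

if __name__ == "__main__":
    oracle, calls = counting_oracle()
    n = 7919 * 7919                     # constructed composite
    print(smallest_factor(n, oracle), "found with", calls[0], "oracle calls")
    print(factorize(360), decide_via_factoring(91, 6), decide_via_factoring(91, 7))
```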

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Fast 8-bit mults on smartcards
Date: 31 May 2001 12:31:39 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:

> Why not make an entire 128-bit block cipher out of a huge 16x16 MDS in
> GF(2^8)[2]/p(x)?  The biggest problem is all the multiplications you
> must perform.  Then I got to thinking this.

GF(2^8)[2]?  Wossat?  I presume you mean F_{2^8} represented as F_2(x)
with x a root of a degree-8 monic irreducible polynomial p(x) \in
F_2[x].  I've sometimes seen that written F_2[x]/(p(x)) although the
denominator has the wrong form.  (Or you can write F_q as GF(q).)

> Why not take a 512kbit EPROM (16-bit addressable) and just make the high
> order and low order addresses point to the result of the
> multiplication.  You then have to do 256 lookups and 240 XOR operations
> to do the mult, which is slow on its own, but the diffusion power would
> be awesome.

Not really.  You claim (correctly) that any two-round trail has 17
active S-boxes.  This is not quite as good as Rijndael, in which
any four-round trail has 25 active S-boxes.  To actually have any
advantage, then, one round of your enormous linear transformation would
have to be as fast as 1.36 rounds of Rijndael's ShiftRow and MixColumn.
It isn't.  To compute a byte of Rijndael's linear transformation you
need four lookups and three XORs.  For this implementation, you also
need only 1K of tables -- the rest can be computed by shifting, because
Rijndael's MDS matrix is circulant -- which leaves more than enough
space for an inverse table in your enormous ROM.

Your construction is also vulnerable to the Square attack.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Definition of 'key'
Date: Thu, 31 May 2001 12:59:44 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Patrick Aland) wrote:

> I was talking to someone today and we were trying to come up with a
> good formal definition of a key (in regards to cryptography, no
> car/house/etc key comments please :) )
> Now after looking through the few crypto books I have (Applied crypto,
> etc) they don't seem to have a good definition either.
> Can anyone help me out?
> 
> Thanks.

As usual, the most likely responses you have gotten are rather poor.  

A key is information in a form defined by the structure of the current
algorithm which can be used to encrypt and/or decrypt other data.

The type of information units involved is defined by the number system
implemented, not necessarily bits.
-- 
Sign for the White House lawn: 

WARNING! Irresponsible Parents Live Here.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: Thu, 31 May 2001 21:24:55 +0200



Volker Hetzer wrote:
> 
> Mok-Kong Shen wrote:
> > At the international level, all democratic
> > countries cooperate for purposes of furthering the
> > well-being of the people and maintaining the eternal peace
> > of the world, isn't it?
> Yeah, and all cooperate very well in polishing the bottom of the earth disc.
> 
> That's why I'd like to abolish the concept of "country".
> They seem to exist only in order to set people against each other.

Where there exist mutual interests (here of the politicians),
there exist quite naturally cooperations. Interests of
the common people are normally of secondary (if not tertiary)
importance.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Diffusion limits in block ciphers
Date: Thu, 31 May 2001 19:44:03 +0000 (UTC)

>For an n-bit block cipher, plaintext bits 0 through n-1 can only affect
>ciphertext bits 0 through n-1. Input changes in one block have
>absolutely no effect on the outputs of other blocks.

I don't really understand what you mean by the latter sentence.
Diffusion between blocks is outside of the domain of the block cipher;
that's the responsibility of the chaining mode.  And good chaining modes
(e.g., CBC, CFB, ...) do ensure sufficient diffusion to stop attacks.

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Help with RSA
Date: Thu, 31 May 2001 11:44:58 -0700

[To those more experienced: I will be using words that are not wholly
accurate because I find that people that haven't been around math/crypto
people for a long time generally get a blank smile when I start using words
like "entropy"]

"Uros Podlogar" <[EMAIL PROTECTED]> wrote in message
news:9f4svv$29u$[EMAIL PROTECTED]...

Everyone else has done a good job of telling you the common first round of
errors, so I won't bore you with those. However there are a few issues that
you are probably not even aware of with using RSA. You need to verify that
the value being encrypted is random enough to not be guessed, and that it
occupies most of the modulus space. The most standard way of doing this is
OAEP (explained later). This may or may not be useful for you because OAEP
can only encrypt a small amount of data at a time. Also for large
encryptions it is generally far better to use RSA to encrypt a small key to
a symmetric algorithm because the symmetric algorithms are an order of
magnitude faster.

Key size in RSA is a major consideration, as I'm sure you know; what you may
not be aware of is that 512-bit RSA is insecure: there have been 2 public
breakings of a 512-bit RSA-type modulus that I am aware of. Both of these
factorings were done in reasonable amounts of time, with modest resources.
So make sure you use at least 768-bit and preferably 1024-bit.
                        Joe




Encrypting with RSA
Assuming you want to encrypt data directly, it's fairly simple given a hash
function (say SHA-1):
split the data into a chunk the size of the hash function (for SHA-1 this is
160 bits)
Generate a random number R (make sure you use a good random number
generator) of size(N)-size(hash)-1 bits
the value you actually put through the RSA equations is R | hash(R) XOR data
where | is concatenation

Decryption is simple: from the RSA equation you get R | hash(R) XOR data
parse it into R and S (where S is the hash(R) XOR data portion)
h = hash(R)
data = S XOR h


If you don't want to encrypt the data directly with RSA, but instead want to
key a symmetric cipher with it,
you can use OAEP (the previous encryption), but it is better to do it this
way:
Generate a random number R of size(n)-1 bits
Send R through the RSA equations
key the symmetric cipher with hash(R)

Decryption
Send the received data through the RSA equations
retrieve R
key the symmetric cipher with hash(R)



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
