Cryptography-Digest Digest #514, Volume #14 Mon, 4 Jun 01 12:13:01 EDT
Contents:
Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki) (Tony L. Svanstrom)
Keyed hash functions (Tim Tyler)
Re: OAP-L3: "The absurd weakness." (Tim Tyler)
Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
WEB PAGES (SCOTT19U.ZIP_GUY)
Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki) ("Cernunnus")
Re: Def'n of bijection (Phil Carmody)
Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki) (Thomas Shaddack)
Re: IPSec question ("Scott Fluhrer")
Re: Sv: Top Secret Crypto (Ichinin)
Re: WEB PAGES (Mikael Lundqvist)
Re: about DH parameters & germain primes (Anton Stiglic)
----------------------------------------------------------------------------
Crossposted-To:
alt.privacy,alt.security,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki)
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Mon, 04 Jun 2001 13:21:19 GMT
EE Support <[EMAIL PROTECTED]> wrote:
> We estimate 50% at least of posts on this newsgroup are fakes designed to
> remove your Internet privacy.
"We're right, and the ones that say that we're wrong are lying."
You sure you guys aren't working for the gov? hehe
/Tony
--
########################################################################
I'm sorry, I'm sorry; actually, what I said was:
HOW WOULD YOU LIKE TO SUCK MY BALLS?
- South Park -
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Keyed hash functions
Reply-To: [EMAIL PROTECTED]
Date: Mon, 4 Jun 2001 13:16:06 GMT
MACs are purpose-built keyed hash functions - but I understand that they
are usually regarded as not having to resist some of the attacks that
unkeyed hash functions should defend against.
ISTM that keyed hash functions are desirable for use in
counter-driven-hash-based PRNGs - where use of an unkeyed hash
would be vulnerable to a (birthday-like) "precomputation" attack -
using widely spaced values of the counter, and then waiting for
one to come up.
Are such "keyed hash functions" recognised as a primitive cryptographic
type, distinct from MACs?
Alternatively, is there any precedent for the use of a MAC in a
counter-driven PRNG?
[Note: I *don't* want to talk about hash(CTR|KEY) schemes]
--
__________
|im |yler Try my latest game - it rockz - http://rockz.co.uk/
------------------------------
Crossposted-To: alt.hacker,talk.politics.crypto
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: OAP-L3: "The absurd weakness."
Reply-To: [EMAIL PROTECTED]
Date: Mon, 4 Jun 2001 13:24:25 GMT
In sci.crypt Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
: Taneli Huuskonen wrote:
:> Do you remember someone claiming they could break OAP-L3 Version 5 and
:> challenging you in public? Did anything come of it?
:>
:> Here's a URL to refresh your memory:
:>
:> http://groups.google.com/groups?hl=en&lr=&safe=off&ic=1&th=8b16a21ca43f3359,2&seekm=8u9t8s%2466h%241%40nnrp1.deja.com
: I looked over my web site and scanned the Version 5 info.
: There are several implementations explained. Which implementation
: of Version 5 are you referring to?
It sounds like nothing came of it.
Szopa didn't come through on Taneli Huuskonen's challenge either.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Mon, 4 Jun 2001 13:41:31 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
: news:[EMAIL PROTECTED]...
:> :> Roger Fleming <[EMAIL PROTECTED]> wrote:
:> :> : [EMAIL PROTECTED] wrote:
:> That was an example of how to do it simply - not an example of how
:> to do it efficiently. Getting diffusion across a whole key is not
:> rocket science - but it /can/ be computationally expensive, relative
:> to the effort necessary with smaller keys.
: If you're not discussing how to do it efficiently there is no point now is
: there?
Efficiency is generally low on my list of priorities. Security is often
near the top. I'm a believer in Knuth's "premature optimisation is the
root of all evil" dictum.
:> :> Hmm. This is what I was afraid of. Trusting that one's cypher's won't
:> :> be broken is not something that everyone is prepared to do.
:> Anyway, trusting that one's cypher's won't be broken is not something that
:> everyone is prepared to do - and the mere possibility of things like
:> quantum computers being built in secret to crack AES messages rapidly will
:> be enough to deter some people from using it.
: That's a bogus argument and you know it. [...]
I'm defending the thesis that "Trusting that one's cypher's won't
be broken is not something that everyone is prepared to do". This
appears to me to be a true statement.
: Provided QC actually comes to exist in a state to solve such problems,
: so few people will have access to it that it won't matter.
Hmm - I don't buy the ideas expressed there.
I'd put myself down as quite a Quantum Computation sceptic - but I
don't think it's obviously going to be out of the question for
government organisations - and I definitely don't think that
a cypher-cracker owned by the government "doesn't matter".
: Besides using this argument against you, I don't want to use *your* cipher
: because QC will break it too. [...]
I'm sure that if an AES cracker could be built along these lines, then
something similar would work on other similar systems. However, there's a
question of economics to consider:
Today there's a DES-cracker - but if you use some obscure variant of DES
(that is not in theory any more secure) your messages will be /much/
harder to crack - because you can't simply plug your message into the
existing DES cracker and turn the handle - you may have to build a whole
new machine.
This may be "security through obscurity" - but that's not necessarily to
be sneezed at. To quote BS from AC (p.301):
``Almost any change to DES will be more annoying; maybe the resultant
cypher will be easier to break, but the NSA might not have the resources
to devote to the problem.''
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.compression
Subject: WEB PAGES
Date: 4 Jun 2001 13:57:57 GMT
Dear Anyone
I have been having a terrible time even accessing my site
at http://members.nbci.com/ecil/index.htm
it seems problems are only getting worse. Does
anyone have recommendations as to where an alternative
free webpage hosting occurs.
Thank You.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: "Cernunnus" <[EMAIL PROTECTED]>
Crossposted-To:
alt.privacy,alt.security,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki)
Date: Mon, 4 Jun 2001 09:30:07 -0500
"EE Support" <[EMAIL PROTECTED]> wrote in message
news:X1AS6.18400$[EMAIL PROTECTED]...
> snip all the crap from EE <
Rather than lower myself to your level, I'll just say "GO AWAY!" Eric Lee
Green and P. Dulles have been in this group longer than you spamming
ne'er-do-wells. Leave us alone. I get enough spam already; I don't need it
in USEnet too.
--
[EMAIL PROTECTED] (remove the goddess to reply)
The most incomprehensible thing about
the world is that it is at all comprehensible.
--Albert Einstein--
------------------------------
From: Phil Carmody <[EMAIL PROTECTED]>
Subject: Re: Def'n of bijection
Date: Mon, 04 Jun 2001 14:59:14 GMT
John Savard wrote:
>
> On Mon, 04 Jun 2001 02:58:38 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> wrote, in part:
>
> >The point about D.Scott's style of bijection is that it maps
> >an infinite discrete set into itself, but with infinite sets
> >you need to avoid applying intuition learned from experience
> >with finite sets. It has *very* different properties from,
> >say, a bijection of 128 bits onto 128 bits.
>
> True. But I don't think Mr. Scott is the one committing the fallacy
> here. His bijection _is_ a bijection, it's just that it doesn't map
> the set of "files up to n bytes long" to the set of "files up to n
> bytes long" at any point along the way. Which is entirely OK; it's
> saying that prevents the infinite set from mapping to itself which
> would be a fallacy.
Can I throw in a few interpretations please?
David (Scott)'s term "Bijection" is a mapping such that the domain
(compressed files) is the totality of the set of finite files
representable on the file system
or
Every representable file (in the file system) is the image of a (unique)
source file under the compression mapping.
Notes
- David's not the only one using this definition.
- Whether the thing is a 'Compression' or not is actually irrelevant
(and thus any size comparison is irrelevant) as the identity mapping has
this property.
- 'files' are elements of the set of <length, data> where the length is
finite and unambiguously defines the number of atoms (indivisible units
of data) in data. The data itself does not need to indicate its own
length. The 'file system' maintains and provides both the length and the
data.
It's an interesting property. I consider it to be like pushing all the
bubbles under new wallpaper to the edge to remove them - i.e. it's
'neat', in the 'tidy' sense, and not always worth the effort for
everyone. It's also impossible if you're wallpapering the /entire/
inside of the ISS (yes, including over all the panels and everything).
(And data sources without a <length,data> representation are unable to
have the same 'bijective' property.)
Phil
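To make the <length, data> definition concrete, here is an added Python example (mine, not code from Phil's post or from David Scott's programs). A bijective base-256 numeration names every finite file, the empty file included, by a unique natural number; flipping the low bit of that number then gives a transform under which every file is the image of exactly one source file, even though lengths change (so it is not a map from "files up to n bytes" onto itself). The checker enumerates every file up to a given length, and for contrast rejects a non-injective "compressor" that strips trailing zero bytes.

```python
from itertools import product


def bytes_to_nat(data: bytes) -> int:
    r"""Bijective base-256 numeration: every finite byte string, the empty one
    included, names exactly one natural number.
    b'' -> 0, b'\x00' -> 1, b'\xff' -> 256, b'\x00\x00' -> 257, ..."""
    n = 0
    for b in data:
        n = n * 256 + (b + 1)
    return n


def nat_to_bytes(n: int) -> bytes:
    """Inverse of bytes_to_nat; together they are a bijection N <-> byte strings."""
    out = bytearray()
    while n > 0:
        n, r = divmod(n - 1, 256)
        out.append(r)
    return bytes(reversed(out))


def flip_transform(data: bytes) -> bytes:
    r"""A deliberately simple file bijection (its own inverse): flip the low bit
    of the file's number. Lengths change: b'' <-> b'\x00', b'\xff' <-> b'\x00\x00'."""
    return nat_to_bytes(bytes_to_nat(data) ^ 1)


def strip_trailing_zeros(data: bytes) -> bytes:
    r"""A non-bijective 'compressor' for contrast: b'' and b'\x00' collide."""
    return data.rstrip(b"\x00")


def all_files(max_len: int):
    """Every <length, data> file with 0 <= length <= max_len."""
    for length in range(max_len + 1):
        for digits in product(range(256), repeat=length):
            yield bytes(digits)


def check_bijective(f, f_inv, max_len: int = 2) -> bool:
    """On all files up to max_len bytes: f is injective and f_inv undoes it,
    and every file x is the image f(f_inv(x)) of some source file."""
    seen = set()
    for x in all_files(max_len):
        y = f(x)
        if y in seen or f_inv(y) != x or f(f_inv(x)) != x:
            return False
        seen.add(y)
    return True


if __name__ == "__main__":
    print(flip_transform(b""), flip_transform(b"\xff"))            # b'\x00' b'\x00\x00'
    print(check_bijective(flip_transform, flip_transform))          # True
    print(check_bijective(lambda s: s, lambda s: s))                # True (identity)
    print(check_bijective(strip_trailing_zeros, lambda s: s, 1))    # False
```

The identity passing the check is exactly Phil's point that compression is irrelevant to the property; the trailing-zero stripper fails because two distinct source files share an image, which is what an EOF-style convention costs you.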
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Mon, 4 Jun 2001 15:31:27 GMT
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
: His mind has captured some words from one of his crypto gods that CTR is
: provably secure. [...]
I read a rather eloquent defense of counter mode not very long ago:
http://www.cs.berkeley.edu/~daw/papers/ctr-aes00.ps
``Comments to NIST Concerning AES-modes of Operations: CTR-mode Encryption''
- Helger Lipmaa, Phillip Rogaway, and David Wagner
It formalises the 1-byte message -> 1-byte cyphertext idea by saying:
``Messages of arbitrary bit-length. Unlike other common modes of
operation, handling messages of arbitrary bit-length is made
trivial. No bits are wasted in doing this---the ciphertext C is
of the same length as the plaintext M''.
It also claims security:
``In fact the standard cryptographic assumption about a block cypher's
security [...] is enough to prove the security of CTR mode encryption''.
I can only guess that they think that a message only having 256 possible
decrypts is considered acceptable :-(
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
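Tim Tyler's keyed-hash PRNG question earlier in this digest and the CTR-mode excerpt quoted here come down to the same construction: a keystream of PRF(key, counter) blocks. The Python below is an added example, not code from either post or from the Lipmaa/Rogaway/Wagner comments. It assumes HMAC-SHA256 as the keyed function standing in for a block cipher (with a constructed key and nonce), shows the length-preserving CTR-style encryption (a 1-byte message gives a 1-byte ciphertext, so only 256 decrypts are possible, as observed above), and contrasts a keyed block with an unkeyed hash(counter) block against a table precomputed for widely spaced counter values.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real system draws the key from a CSPRNG and
# never reuses a nonce under the same key.
KEY = b"constructed-demo-key"
NONCE = b"demo-nonce"


def keyed_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 32-byte keystream block PRF(key, nonce || counter).
    Assumption: HMAC-SHA256 plays the role of the keyed hash / block cipher."""
    return hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()


def unkeyed_block(counter: int) -> bytes:
    """The unkeyed variant, hash(counter): anyone can compute it in advance."""
    return hashlib.sha256(struct.pack(">Q", counter)).digest()


def keystream(key: bytes, nonce: bytes, nbytes: int, start: int = 0) -> bytes:
    """Concatenate keyed blocks and cut to exactly nbytes, so no bits are wasted."""
    out = bytearray()
    counter = start
    while len(out) < nbytes:
        out += keyed_block(key, nonce, counter)
        counter += 1
    return bytes(out[:nbytes])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style encryption and decryption (same operation): XOR with the
    keystream. The ciphertext has the plaintext's length, down to one byte."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def precomputation_hit(observed_blocks, spacing: int = 1000, limit: int = 100_000) -> bool:
    """Model of the precomputation concern from the keyed-hash post: tabulate
    hash(counter) for widely spaced counters once, then see whether any observed
    output block lands in the table. Keyed blocks cannot be tabulated without the key."""
    table = {unkeyed_block(i) for i in range(0, limit, spacing)}
    return any(block in table for block in observed_blocks)


if __name__ == "__main__":
    ct = ctr_crypt(KEY, NONCE, b"A")
    print(len(ct), ctr_crypt(KEY, NONCE, ct))                  # 1 b'A'
    unkeyed = [unkeyed_block(i) for i in range(5000, 5003)]
    keyed = [keyed_block(KEY, NONCE, i) for i in range(5000, 5003)]
    print(precomputation_hit(unkeyed), precomputation_hit(keyed))  # True False
```

The unkeyed outputs are recognised as soon as the counter passes a tabulated value; the keyed outputs are not, which is the whole reason the PRNG wants a keyed primitive rather than a bare hash.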
------------------------------
From: [EMAIL PROTECTED] (Thomas Shaddack)
Crossposted-To:
alt.privacy,alt.security,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki)
Date: Mon, 4 Jun 2001 15:34:29 +0000 (UTC)
"EE Support" <[EMAIL PROTECTED]> wrote in
<X1AS6.18400$[EMAIL PROTECTED]>:
>proven lies, misinformation and propaganda
<snipped cranky, useless rantings of no worth whatsoever>
Oh no!
It's here again!
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: IPSec question
Date: Mon, 4 Jun 2001 08:31:16 -0700
Gordon Burditt <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> IPSec with ISAKMP uses certificates or a shared secret to establish
> a working key which is changed periodically.
>
> Employee A and Company B have a VPN setup using IPSec. The key is
> automatically changed every 10 minutes or 5 MB, whichever happens
> first. Unknown to either, The Bad Guy(tm) is recording all their
> traffic including the ISAKMP key exchange. (No man-in-the-middle
> attack, no spoofing. Just passive recording.) A month later, The
> Bad Guy(tm) pulls a kick-in-the-door-guns-ablazin attack and captures
> one end of the VPN setup.
Well, to answer this properly, I need to get more information on what
exactly you mean by "the key is automatically changed every 10 minutes" and
"captures one end of the VPN setup".
First off: the key. There are really two keys (actually, more than that,
but to answer your question, it can be simplified to this):
- There is an IPSec key that is used to encrypt traffic.
- There is an IKE (ISAKMP) key that is used to encrypt communication used to
negotiate the IPSec key.
In implementations I've seen, the IPSec key can be changed more often than
the IKE key. Which key (or is it both) are automatically changing? In
addition, there is an option (called "PFS"), which creates an IPSec key that
is independent of the IKE key (by running a separate DH exchange), which is
important for your question.
Second: captures one end of the VPN setup. Does this mean that:
- The Bad Guy(tm) captures the current setup (including preshared keys and
certificates), but not the current keys
- The Bad Guy(tm) captures everything, including the keys that are in use.
To answer your question (which has the same answers for shared secrets and
certificates), if the Bad Guy captures just the current setup, then no
traffic is compromised. The Bad Guy can then pretend to be the system he
just captured, or run man-in-the-middle attacks on it, but that's about it.
This happens because IKE does a DH exchange as part of initializing the IKE
keys, and the current setup gives the attacker no information on what the DH
shared secret is.
If the Bad Guy captures the current setup and the keys, then (obviously) the
last 10 minutes of traffic is compromised. In addition, if PFS was not
used, then all the traffic that was sent using IPSec keys generated from
the current IKE keys is also compromised -- if you change IKE keys once
every 10 minutes, that's limited, but if you used the same IKE keys for the
past month, you're SOL. However, if PFS was used, then only the traffic
sent with the current IPSec keys is compromised.
>
> If a shared secret was being used, and it is captured, how much
> traffic is now compromised? The last 10 minutes or a whole month?
>
> If certificates were being used and the public certificate for both
> systems and the private key for this end (but not the one for the
> other end) is captured, how much traffic is now compromised (besides
> any stuff found unencrypted on the captured system)?
>
> Does the periodic key change help at all in this situation?
Assuming the attacker doesn't get the current keys, not really. If you
assume the attacker can, yes, it does, and PFS (or short lived IKE keys)
helps even more (but it is expensive).
--
poncho
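The key hierarchy described in the answer above can be modelled in a few lines. The Python below is an added example (mine, not code from the post or from any IKE implementation) with a simplified key schedule: the IKE key is derived from a pre-shared key and one DH exchange, each IPsec rekey takes its key either from the IKE key (no PFS) or from a fresh DH exchange (PFS), and the Bad Guy holds the passive recording plus whatever the seized endpoint holds. The toy group (a 127-bit Mersenne prime, base 3) is chosen for speed, not security, and the real IKE SKEYID derivation differs in detail.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only (real IKE groups are >= 1024 bits).
P = 2 ** 127 - 1   # a Mersenne prime
G = 3


def kdf(key: bytes, label: bytes) -> bytes:
    """Simplified PRF-based derivation; stands in for IKE's SKEYID schedule."""
    return hmac.new(key, label, hashlib.sha256).digest()


def dh_exchange():
    """Return (public transcript, shared secret). A passive recorder sees only
    the transcript; the two parties also know the secret."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)
    return (A, B), shared.to_bytes(16, "big")


def run_vpn(psk: bytes, rekeys: int, pfs: bool):
    """One IKE SA followed by `rekeys` IPsec SAs (the 10-minute / 5 MB epochs).
    Returns (recording, seized endpoint state, per-epoch IPsec keys)."""
    transcript, dh_secret = dh_exchange()
    ike_key = kdf(psk, dh_secret)            # needs BOTH the PSK and the DH secret
    recording = [transcript]
    epoch_keys = []
    for i in range(rekeys):
        label = b"IPsec-epoch-%d" % i
        if pfs:
            t, fresh_secret = dh_exchange()  # independent DH exchange per rekey
            recording.append(t)
            epoch_keys.append(kdf(fresh_secret, label))
        else:
            epoch_keys.append(kdf(ike_key, label))
    endpoint_state = {"psk": psk, "ike_key": ike_key, "ipsec_key": epoch_keys[-1]}
    return recording, endpoint_state, epoch_keys


def compromised_epochs(rekeys: int, pfs: bool, keys_captured: bool) -> int:
    """Run the VPN, seize one endpoint, and count the epochs whose IPsec key the
    attacker can reproduce from the recording plus what was seized."""
    psk = secrets.token_bytes(16)
    recording, state, epoch_keys = run_vpn(psk, rekeys, pfs)
    known = {"psk": state["psk"]}            # the "current setup" is always seized
    if keys_captured:
        known["ike_key"], known["ipsec_key"] = state["ike_key"], state["ipsec_key"]
    # The recording holds only public DH values; without a discrete log it
    # yields no secret, so every candidate key must come from seized material.
    candidates = set()
    if "ipsec_key" in known:
        candidates.add(known["ipsec_key"])
    if "ike_key" in known:
        for i in range(rekeys):
            candidates.add(kdf(known["ike_key"], b"IPsec-epoch-%d" % i))
    return sum(1 for k in epoch_keys if k in candidates)


if __name__ == "__main__":
    for pfs in (False, True):
        for captured in (False, True):
            print(f"PFS={pfs} keys_captured={captured}: "
                  f"{compromised_epochs(6, pfs, captured)} of 6 epochs readable")
```

With six rekeys the four cases come out as the post states: setup only, 0 epochs either way; setup plus keys, all 6 without PFS but only the current 1 with PFS.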
------------------------------
From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Sv: Top Secret Crypto
Date: Mon, 04 Jun 2001 18:46:49 +0200
Peter Nielsen wrote:
>
> It is very easy to refer to:
> http://www.interhack.net/people/cmcurtin/snake-oil-faq.html
> or something similar.
Yes it is...
>
> But that kind of information is the first thing you throw yourself into when
> you have an interest in encryption.
When choosing crypto products, it is wise to be sceptical.
> Instead of smart remarks which appear to the material which awn put into
> this newsgroup (probably as an advertisement for the program) I think
> that you must expect a serious contribution, which means that you test the
> program and examine how it works.
He talks about OTP's and PK crypto in one program as
well as claiming the code to be unbreakable, that rates
high on my snakeoil-o-meter.
> From this you then could discuss if there were some things in the program
> which perhaps could be changed or added. The comments which have appeared up
> to now indicate arrogance and a lack of interest in getting to know a new and
> exciting program.
Why? I've already written my own network comms program
that does key exchange and uses self-destructing session
keys, but I don't go around saying it's unbreakable
because I know better. One has to think of security
as a concept; when one places a secret into a system,
crypto strength doesn't mean jack s**t.
.Reg's
Ichinin
------------------------------
From: Mikael Lundqvist <[EMAIL PROTECTED]>
Crossposted-To: comp.compression
Subject: Re: WEB PAGES
Date: Mon, 04 Jun 2001 17:59:20 +0200
Reply-To: [EMAIL PROTECTED]
"SCOTT19U.ZIP_GUY" wrote:
> Dear Anyone
> I have been having a terrible time even accessing my site
> at http://members.nbci.com/ecil/index.htm
> it seems problems are only getting worse. Does
> anyone have recommendations as to where an alternative
> free webpage hosting occurs.
> Thank You.
>
Hi David.
You should talk with them first. Your homepage seems to have been
removed.
But if you're tired of all the trouble, here is a list:
http://directory.google.com/Top/Computers/Internet/Web_Design_and_Development/Hosting/Free/Personal/
I don't know what could be the best choice. It's up to you.
Regards,
--
Mikael Lundqvist
mailto:[EMAIL PROTECTED]
http://hem.spray.se/mikael.lundqvist/
Occam's Razor:
"Keep things simple!"
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: about DH parameters & germain primes
Date: Mon, 04 Jun 2001 12:05:44 -0400
The trick is to simply work in a subgroup of prime order q
of Z*p, for some large q.
In a subgroup of prime order q, the order of any element
will divide q, so it's either q or 1, only the element
1 has this order. 0 is not in Z*p,
so if you are working in the multiplicative group Z*p, you
usually never consider it.
So if p is such that (p-1)/2 is also prime, then the order
of the group Z*p will be 2*(p-1). Since the order of any element
must divide 2*(p-1), all elements have order 1, 2, (p-1) or 2*(p-1)
(since p-1 is prime).
You simply want to avoid the subgroups of order 1 and 2 (the other
two are large enough), so you
can choose any g except one that generates one of these two subgroups.
g = 1 generates the group of one element {1}, and -1 := p-1
generates the group of order 2, consisting of elements {1, -1},
so you simply want to avoid these two generators.
--Anton
quequ wrote:
>
> Hi, I've found this tip about Diffie-Hellman parameters:
>
> "If p, (p-1)/2 both prime, then you can just use any
> g you please [other than 0, 1, and -1], and you'll
> get a very large order [at least (p-1)/2]"
>
> Is it right?
>
> I've tried a 1024-bit Germain prime P and the generator G set to (P-1)/2.
> Are these good parameters?
>
> thanks to all
>
> quequ
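Here is an added Python example (mine, not quequ's or Anton's code) that checks the tip in code. It generates a safe prime p = 2q + 1 with q prime (a 64-bit one from a seeded toy RNG, so it is reproducible but far too small for real use), classifies a candidate base by its order in Z*_p, which by Lagrange can only be 1, 2, q or 2q when q is prime, flags g = 1 and g = p - 1 as the two bases to avoid, and reports the order of the (P-1)/2 base from the question.

```python
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases (deterministic below 3.3e24,
    a strong probabilistic test above that)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when q = (p-1)/2 is a (Sophie Germain) prime too."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generate_safe_prime(bits: int, rng: random.Random) -> int:
    """Search random odd q of bits-1 bits until both q and 2q+1 are prime."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def demo_safe_prime(bits: int = 64, seed: int = 2001) -> int:
    """Reproducible toy safe prime from a seeded RNG (NOT a source of real parameters)."""
    return generate_safe_prime(bits, random.Random(seed))


def element_order(g: int, p: int) -> int:
    """Order of g in Z*_p for a safe prime p: it divides p-1 = 2q, so it is one
    of 1, 2, q, 2q (tested smallest first)."""
    q = (p - 1) // 2
    g %= p
    if g == 0:
        raise ValueError("0 is not in Z*_p")
    for d in (1, 2, q, 2 * q):
        if pow(g, d, p) == 1:
            return d
    raise ValueError("p is not a safe prime")


def classify_base(g: int, p: int) -> str:
    """'ok' when g generates the order-q or order-2q subgroup, 'avoid' for the
    trivial subgroups {1} (g = 1) and {1, -1} (g = p-1)."""
    return "ok" if element_order(g, p) >= (p - 1) // 2 else "avoid"


if __name__ == "__main__":
    p = demo_safe_prime()
    q = (p - 1) // 2
    names = {1: "1", 2: "2", q: "q", 2 * q: "2q"}
    print(f"p = {p} safe prime: {is_safe_prime(p)}")
    for g in (1, p - 1, 2, q):           # q is quequ's G = (P-1)/2
        print(f"g = {g}: order {names[element_order(g, p)]}, {classify_base(g, p)}")
```

For a safe prime the base (P-1)/2 always lands in the order-q or order-2q subgroup, so by the criterion in the tip it is acceptable; in practice one also checks the order directly, as `element_order` does, rather than trusting the choice of base alone.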
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************