Cryptography-Digest Digest #230

2001-04-25 Thread Digestifier

Cryptography-Digest Digest #230, Volume #14  Wed, 25 Apr 01 12:13:01 EDT

Contents:
  Re: 1024bit RSA keys. how safe are they? (Paul Schlyter)
  Re: 1024bit RSA keys. how safe are they? (Paul Schlyter)
  Re: Censorship Threat at Information Hiding Workshop (Mark Wooding)
  hellman (Brian D Jonas)
  Re: primitive elements in GF(2^W) (Mark Wooding)
  Re: primitive elements in GF(2^W) (Tom St Denis)
  Re: hellman (Tom St Denis)
  Re: Censorship Threat at Information Hiding Workshop (Tom St Denis)
  impossible diff against RC5 (Tom St Denis)
  Re: OTP WAS BROKEN!!! (FM)
  Your input on New Encrypter is appreciated. (Frog2000)
  Re: OTP was brokenNOT! (Keill Randor)
  Re: Derived Key Generation (Peter Gutmann)
  Re: SHA PRNG (Peter Gutmann)
  Re: hellman (Michael Scott)
  Re: SHA PRNG (Tom St Denis)
  Re: hellman (Tom St Denis)
  Re: hellman (Michael Scott)
  Re: hellman (Tom St Denis)



From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: 1024bit RSA keys. how safe are they?
Date: 25 Apr 2001 12:51:38 +0200

In article h54F6.38511$[EMAIL PROTECTED],
Tom St Denis [EMAIL PROTECTED] wrote:
 
 Brian Hetrick [EMAIL PROTECTED] wrote in message
 news:vR3F6.31938$[EMAIL PROTECTED]...
 George T. wrote...
 Does anyone has idea how safe RSA 1024 bit keys are? Are they safe
 enough to be used for encrypting credit card information, travelling
 over the internet and or residing on servers (email) for more than
 24 hours.

 My own estimate is that the actual cost of brute forcing a 1024 bit
 RSA key is about $150,000.  See
 http://www.geocities.com/tnotary/spcx509.html and
 http://www.geocities.com/tnotary/spckeysize.html.
 
 I bet I could break a 1024-bit RSA key I make with under 15 seconds of
 work on a normal desktop computer.
 
Why would you need 15 seconds to do that?  You already know the
key, don't you?
 
Now, how much time would you need to break a 1024-bit RSA key made
by someone else in a proper way?
 
-- 

Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or  paul.schlyter at ausys dot se
WWW: http://hotel04.ausys.se/pausch   http://welcome.to/pausch

--

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: 1024bit RSA keys. how safe are they?
Date: 25 Apr 2001 12:52:03 +0200

In article 3u4F6.31953$[EMAIL PROTECTED],
Brian Hetrick [EMAIL PROTECTED] wrote:
 
 I interpreted the question as a query on the difficulty of brute-forcing
 a 1024 bit RSA key.
 
Brute-forcing a key is trying all possible key values until you
eventually find the correct key.  But you don't brute-force RSA keys,
instead you factor the modulus of the key, and once you know the
factors it's trivial to compute the secret exponent from the public
exponent.
 
Factoring an RSA key, even with a naive factoring algorithm, is many
orders of magnitude faster than brute-forcing the key, i.e. trying
all possible key values until you find the right key.
 
Factoring an RSA key also needs no plaintext-ciphertext pair.  If you
brute-force a key, you do need a plaintext-ciphertext pair.
 
Therefore RSA keys are never brute-forced -- they're factored.
 
-- 

Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or  paul.schlyter at ausys dot se
WWW: http://hotel04.ausys.se/pausch   http://welcome.to/pausch
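
Paul's point above (factor the modulus, then derive the secret exponent; a key search needs a known plaintext/ciphertext pair) worked through on a toy modulus, as an added example that is not from the post. The 61 x 53 key, the trial-division factoring and the exponent-search helper are constructed for illustration only and do not scale to real key sizes.

```python
# Toy RSA key, constructed for illustration (a real modulus is ~1024+ bits).
P_TOY, Q_TOY = 61, 53
N_TOY = P_TOY * Q_TOY          # 3233
E_TOY = 17                     # public exponent

def trial_division(n):
    """Naive factoring: try every candidate divisor up to sqrt(n).
    Returns (p, q, candidates_tried)."""
    cand, tried = 2, 0
    while cand * cand <= n:
        tried += 1
        if n % cand == 0:
            return cand, n // cand, tried
        cand += 1
    raise ValueError("no non-trivial factor found")

def private_exponent(e, p, q):
    """With p and q known, d is just the inverse of e modulo phi(n)."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)       # modular inverse, Python 3.8+

def recover_key_by_factoring(n, e):
    """What the post describes: factor n, derive d; no plaintext needed."""
    p, q, tried = trial_division(n)
    return private_exponent(e, p, q), tried

def brute_force_exponent(n, c, m):
    """The key search the post says is never used for RSA: it needs a known
    plaintext/ciphertext pair (m, c) and walks the exponent space until
    c^d == m. Returns (d, exponents_tried); d is the smallest exponent that
    works for this pair, which need not equal the true private exponent."""
    for d in range(1, n):
        if pow(c, d, n) == m:
            return d, d
    raise ValueError("no exponent found")

def demo(m=65):
    """Compare both approaches on the toy key for one message m."""
    c = pow(m, E_TOY, N_TOY)
    d, factoring_tries = recover_key_by_factoring(N_TOY, E_TOY)
    d_bf, search_tries = brute_force_exponent(N_TOY, c, m)
    return {"d": d, "decrypts": pow(c, d, N_TOY) == m,
            "factoring_tries": factoring_tries,
            "d_from_search": d_bf, "search_tries": search_tries}
```

Even on this tiny modulus the exponent search costs several times more trials than trial division, and the gap widens with every bit of key size.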

--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: 25 Apr 2001 11:57:01 GMT

Trevor L. Jackson, III [EMAIL PROTECTED] wrote:

 Of course one can take Stallman's position and deny the possibility of
 intellectual property.  It appears TStD routinely makes this mistake.

I think you're maligning both Richard Stallman and Tom St Denis.

Stallman doesn't deny the possibility of intellectual property, just its
utility.  And I think labelling this position a `mistake' is somewhat
presumptuous.

-- [mdw]

--

From: Brian D Jonas [EMAIL PROTECTED]
Subject: hellman
Date: Wed, 25 Apr 2001 07:45:17 -0400



 This is concerning Diffie-Hellman key exchanges. I've found mixed info
on what the generator G should be. The Java package sets it to a certain
number by default (cannot post that number from where I am). Other places
indicate using a 2 will not compromise the security. So my question is...
Should G be anything special (size, type)? Furthermore, should K be of any
certain size? I know less than P, not prime, random, but should the size be
set to, say, 1/2 of P?

Dealing with:

A=G^K mod P


Thanx group,
Brian J.




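The exchange asked about above, A = G^K mod P computed on both sides, as an added example that is not from the poster. The toy safe prime P = 2Q + 1, the generator G = 2 of the order-Q subgroup, the range [1, Q-1] for K, and the subgroup check on received values are this example's own assumptions for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: a safe prime P = 2Q + 1
# and a generator G of the subgroup of prime order Q.
Q_TOY = 11
P_TOY = 2 * Q_TOY + 1     # 23
G_TOY = 2                 # 2^11 mod 23 == 1, so G = 2 has order Q

def valid_generator(g, p, q):
    """Accept only g of prime order q; this excludes 1 and p-1 (orders 1
    and 2), the bad choices when p = 2q + 1."""
    return 1 < g < p - 1 and pow(g, q, p) == 1

def valid_public_value(a, p, q):
    """Same test on a value received from the peer: it must lie in the
    order-q subgroup, so a^q mod p == 1 and a is neither 1 nor p-1."""
    return 1 < a < p - 1 and pow(a, q, p) == 1

def keypair(g, p, q):
    """Private K uniform in [1, Q-1] (assumed here), public A = G^K mod P."""
    k = 1 + secrets.randbelow(q - 1)
    return k, pow(g, k, p)

def shared_secret(my_k, peer_a, p, q):
    """Check the peer's value before raising it to the private exponent."""
    if not valid_public_value(peer_a, p, q):
        raise ValueError("peer value outside the prime-order subgroup")
    return pow(peer_a, my_k, p)

def run_exchange(g=G_TOY, p=P_TOY, q=Q_TOY):
    """Both sides of the exchange; returns the secret both parties compute."""
    if not valid_generator(g, p, q):
        raise ValueError("generator not of prime order q")
    ka, a = keypair(g, p, q)          # Alice sends A = G^Ka mod P
    kb, b = keypair(g, p, q)          # Bob sends   B = G^Kb mod P
    sa = shared_secret(ka, b, p, q)   # Alice: B^Ka mod P
    sb = shared_secret(kb, a, p, q)   # Bob:   A^Kb mod P
    assert sa == sb                   # both equal G^(Ka*Kb) mod P
    return sa
```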
--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: primitive elements

Cryptography-Digest Digest #230

2000-11-27 Thread Digestifier

Cryptography-Digest Digest #230, Volume #13  Mon, 27 Nov 00 06:13:01 EST

Contents:
  Re: hardware RNG's (David Schwartz)
  Re: collision probability with file checksums ("bubba")
  Re: Is Feistel Block Cipher With Known Key An All Or Nothing Transform? (John Savard)
  Re: Effects of successful break - a "what if"-scenario? (John Savard)
  Re: collision probability with file checksums (David Schwartz)
  Re: Effects of successful break - a "what if"-scenario? (Bill Unruh)
  Re: Data Encryption Standard ?? (Bill Unruh)
  Re: collision probability with file checksums (wtshaw)
  Re: Cyrptography Digest Archive ? ("Will Anthony")
  Re: collision probability with file checksums ("Scott Fluhrer")
  Re: Proof of posession (csbh@(THESE)datahit.com (Coridon Henshaw))
  This place Pays out great and its FUN ([EMAIL PROTECTED])
  Re: Data Encryption Standard ?? ("kihdip")
  Re: [Question] Generation of random keys (Per Claesson)
  P/w based authentication and key exchange (Per Claesson)
  Re: Effects of successful break - a "what if"-scenario? (Mok-Kong Shen)



From: David Schwartz [EMAIL PROTECTED]
Subject: Re: hardware RNG's
Date: Sun, 26 Nov 2000 16:12:50 -0800


David Schwartz wrote:
 
 Dan Oetting wrote:
 
  3. [Statistics] of, pertaining to, or characterizing
  a set of items every member of which has an equal chance
  of occurring with a particular frequency.
 
 This is a poor description of the statistical meaning. If this were
 correct, for example, no random distribution could have a mode. Every
 statistician I've ever known has used 'random' to describe distributions
 that had a mode and a standard deviation. Heck, even gaussian
 distributions are described as random with respect to the values of
 individual members of a set whose distribution is described as gaussian.
 
 DS

By the way, I can cite dozens of usages if you'd like, for example
http://www.wku.edu/~neal/statistics/poisson.html

In each case, a distribution is described as 'random' despite all
possible values not having equal frequency.

DS

--

From: "bubba" [EMAIL PROTECTED]
Subject: Re: collision probability with file checksums
Date: Mon, 27 Nov 2000 01:09:40 GMT

If I understand the claim of SHA-1 correctly, finding a colliding file
would take as many attempts as guessing a 160-bit number. In other
words, it could take 2^160 tests worst case, or 2^159 average. So
even the ability to make 2^150 tests would require an enormous
amount of luck in addition. The ability to make 2^80 tests would be
useful only if you had 2^80 machines working in parallel.

"Ed L Cashin" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Hello.  A file integrity verification product like tripwire uses
 different algorithms to compute checksums for files.  By comparing the
 checksums of a file with known state to the current file's checksums,
 it's possible to find out whether the file contents have been
 modified.

 If the system uses just one 160-bit algorithm, say SHA-1, for doing
 the checksums, then what are the chances that an intruder could make a
 malicious file that has the same checksum as the file's known-state
 checksum?

 I only have slightly old references at hand (Schneier 1996 and Menezes
 et al. 1997) for figuring out the numbers.  Using numbers from the
 latter (Applied Handbook of Cryptography, p. 337), I'm trying to
 figure out how secure it is to use SHA-1 all by itself to detect file
 modification:

 1) Attacker can do 2^80 brute-force tests
 2) 160-bit digest requires 2^160 brute-force tests
 3) Attack is infeasible by a long shot.

 ... does that hold up?

 --
 --Ed Cashin PGP public key:
   [EMAIL PROTECTED]   http://www.coe.uga.edu/~ecashin/pgp/



--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Is Feistel Block Cipher With Known Key An All Or Nothing Transform?
Date: Mon, 27 Nov 2000 01:18:34 GMT

On Sun, 26 Nov 2000 11:47:05 -0500, Gary [EMAIL PROTECTED]
wrote, in part:

When a 'secure' Feistel cipher is used on a block with a publicly known key
and some of the resulting block is removed, do the bits that have been
removed have to be brute forced, or is there a faster way?

If the Feistel block cipher really is secure, there is indeed no
relationship that can be exploited between the plaintexts that lead to
ciphertexts with the same bits except for a few.

So there is not a faster way...but there is an exception.

Brute-forcing the removed bits will give you many possible plaintexts.
But how can you tell if they are correct? So you need to know
something about the plaintext, such as that it might consist of only
printable ASCII characters.

If the number of removed bits has more possibilities

Cryptography-Digest Digest #230

2000-03-01 Thread Digestifier

Cryptography-Digest Digest #230, Volume #11   Wed, 1 Mar 00 18:13:01 EST

Contents:
  Re: Crypto.Com, Inc. ([EMAIL PROTECTED])
  Re: Where's the FAQ (Matt Curtin)
  You see Vakoilia Mannerheim was not in any way connected or linked to  ("Markku J. Saarelainen")
  You see Vakoilia Mannerheim was not in any way connected or linked to  ("Markku J. Saarelainen")
  And when you read my postings since April, 1999 .. you find out one  ("Markku J. Saarelainen")
  And my coming out party has contrinued one year ... just following the  ("Markku J. Saarelainen")
  Re: On jamming interception networks (Mok-Kong Shen)
  Re: On jamming interception networks (Mok-Kong Shen)
  Re: Q: 'Linear encipherment' (Mok-Kong Shen)
  very tiny algorithm - any better than XOR? (Carl Byington)
  Far out crypto claims ([EMAIL PROTECTED])
  Re: Crypto.Com, Inc. (John Savard)
  Re: First contact, establishing password without public keys (Bill Unruh)
  Re: Crypto.Com, Inc. (Xcott Craver)
  Re: very tiny algorithm - any better than XOR? (John Myre)
  ...but what about my cipher? ([EMAIL PROTECTED])
  Re: very tiny algorithm - any better than XOR? (Terje Mathisen)
  Re: Best language for encryption?? (Paul Schlyter)
  Re: Best language for encryption?? (Paul Schlyter)
  Re: differential cryptanalysis (David A. Wagner)
  Re: Passwords secure against dictionary attacks? (Johnny Bravo)
  Re: Passwords secure against dictionary attacks? (Wally Whacker)
  Re: Crypto.Com, Inc. (Mok-Kong Shen)
  Re: On jamming interception networks (Mok-Kong Shen)



From: [EMAIL PROTECTED]
Subject: Re: Crypto.Com, Inc.
Date: Wed, 01 Mar 2000 19:59:20 GMT

In article jgfunj-010300440001@dial-243-027.itexas.net,
  [EMAIL PROTECTED] (wtshaw) wrote:
 In article 89jcq9$5vq$[EMAIL PROTECTED], Matt Blaze [EMAIL PROTECTED] wrote:

 ... I'm worried about serious harm to my own reputation
  should people erroneously conclude that this "Crypto.Com, Inc."
  outfit has something to do with me.  In particular, the Business Wire
  press release states:
 
 "... The technology provides for absolute security on open circuits
 between two users without the use of a key. The new cryptography
 concept creates absolutely unbreakable ciphers allowing software to be
 absolutely secure for the Internet, networks, and telephone lines. ..."
 
 This seems a bit of a strong statement.  The only theory that might be
 applied there would be of quantum mechanics design, which has not proven
 practical for current needs.
 
Quantum cryptography requires the use of keys.

  I have no idea what "the technology" is, but one of the first things that
  beginning students of cryptography learn is Shannon's proof that the
  only "absolutely unbreakable" cipher that can possibly exist for "open
  circuits" is the one-time pad, which not only requires the use of a key,
  but that the key be at least as long as the message and used only once.
 
 Shannon was functionally wrong, but lots of what he said is of great
 importance.  The error was not in what he understood, OTP, but in that it
 was too simple to say that it is the only choice. This means he did not
 know or allow for development that might have solved the problem, scientific
 allowance that he should have respected.

Shannon's theory only rules out the repetition of the key. Based on the
repetitive use of 2 different sequences of quantum or classical states,
Arindam Mitra has developed a "practical key distribution technique which is
absolutely secure both for classical and quantum keys"
( //arXiv.org/abs/quant-ph/9912074 )

 --
 Many are waking up to the reality of insecurity; imagine that!
 You can work against it or go back to sleep and become a victim.
 Users have the right to know if software can abuse their privacy.



Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: Matt Curtin [EMAIL PROTECTED]
Subject: Re: Where's the FAQ
Date: 01 Mar 2000 15:15:26 -0500

 "Andy" == Andy  [EMAIL PROTECTED] writes:

  Andy There are umpteen million FAQs on encryption, but is there one
  Andy for sci.crypt and sci.crypt.research?

Usenet Frequently Asked Questions (FAQ) archives are available around
the Internet.  Web versions can be found at:

ftp://rtfm.mit.edu/pub/usenet-by-hierarchy/   [MIT, Canonical site, text-only]
http://www.cs.ruu.nl/cgi-bin/faqwais          [Utrecht University, Netherlands]
http://www.lib.ox.ac.uk/internet/news/        [Oxford University, UK]
http://www.faqs.org/                          [Internet FAQ Consortium, US]

  Andy Is there a recommended reading list?

Yes, see the FAQs.

-- 
Matt Curtin [EMAIL PROTECTED] http://www.interhack.net/people/cmcurtin/

--

From: "Markku J. Saarelainen" [EMAIL PROTECTED]
Crossposted-To: 
alt.politi