Cryptography-Digest Digest #637
Cryptography-Digest Digest #637, Volume #14 Mon, 18 Jun 01 04:13:01 EDT

Contents:
Re: Is ECB truly more secure than CBC? (Tim Tyler)
Earpster AES: Updated Link ("James Wyatt")
Re: Is ECB truly more secure than CBC? (David Wagner)
Re: Anyone Heard of "Churning" (David Wagner)
Re: FIPS 140-1 test (Mark Wooding)
Re: Single-cycle sbox question (Benjamin Goldberg)
Re: 4 more inducted into NSA Hall of Honor ("John A. Malley")
Re: Single-cycle sbox question (SCOTT19U.ZIP_GUY)
Re: Single-cycle sbox question (Benjamin Goldberg)
Re: CipherText E-mail encryption (Bryan Olson)
New Directions in Cryptography (David Hopwood)
Re: SSL/TLS compression methods??? (Bryan Olson)
Re: New Directions in Cryptography (Nomen Nescio)
Speed of Hardware Encryption/Decryption ("S Hanks")
Re: Speed of Hardware Encryption/Decryption (Bob Deblier)
Re: Speed of Hardware Encryption/Decryption (Paul Rubin)
Re: Speed of Hardware Encryption/Decryption ("Panu H")

--

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Is ECB truly more secure than CBC?
Reply-To: [EMAIL PROTECTED]
Date: Sun, 17 Jun 2001 22:21:38 GMT

David Wagner <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:>* Protocol can't cope with it - e.g.:
:> Multiple recipients, with new keys from a pad at midnight every night.
: I don't understand.

I was talking about the case where there's an existing protocol - and you can't redesign it to include your key manipulations - since that would create incompatibilities with the existing clients.

:>* Recipient or sender is an embedded device - with no PRF handy.
: If you can't handle a PRF, you can't handle encryption.

Yes sorry - I thought you were referring to a hash. On reflection even if you had been, this objection would still be likely to be superfluous.
-- 
__ |im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/

--

From: "James Wyatt" <[EMAIL PROTECTED]>
Subject: Earpster AES: Updated Link
Date: Sun, 17 Jun 2001 22:40:41 GMT

It has come to my attention that Yahoo does not like it when you use their briefcase feature to provide software. I only have about 1000 downloads off of Download.com and they shut me down. So, if anyone would like to download a simple DOS-based Rijndael program with source code you can find it at: http://www.geocities.com/jrwyatt79/Earpster.zip. Also, let me know what you think. I'm just a poor IS student and Earpster is the first program I have written that is of any use.
Peace, Jim

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Is ECB truly more secure than CBC?
Date: Sun, 17 Jun 2001 23:01:53 +0000 (UTC)

Tim Tyler wrote:
>I was talking about the case where there's an existing protocol - and you can't redesign it to include your key manipulations - since that would create incompatibilities with the existing clients.

Ok. I assumed we were talking about a design question. If it's an existing protocol, it seems unlikely that you'll have any choice about whether to use ECB or CBC mode, since changing the mode of operation would also create incompatibility.

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Anyone Heard of "Churning"
Date: Sun, 17 Jun 2001 23:05:29 +0000 (UTC)

Stephen Thomas wrote:
>Apparently, ATM Passive Optical Networks (APONs) have standardized on an "encryption" algorithm referred to as "churning." Does anyone know anything about this?

No clue. The pointers you gave didn't give enough information to evaluate it (although it looked like it might be a weak form of substitution cipher on bytes; if this is correct, it would be trivially insecure).

--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: FIPS 140-1 test
Date: 18 Jun 2001 02:15:02 GMT

Peter Gutmann <[EMAIL PROTECTED]> wrote:
> As a followup question, has anyone ever looked at doing the tests which require an FPU in an (admittedly approximate) integer-only way? There are some embedded systems which don't do FP-maths too well.

My Catacomb library has draft-FIPS 140-2 tests in integers-only. It's a very simple transformation to make on the bounds, and doesn't compromise accuracy. (I have the FIPS 140-1 tests in my CVS repository...) I don't have an integer-only version of Maurer's test, unfortunately. ;-)
-- [mdw]

--

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Single-cycle sbox question
Date: Sun, 17 Jun 2001 23:53:47 -0400

Henrick Hellström wrote:
>
> See http://www.streamsec.com/createsc.asp The proof is included. I suppose that's where you
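The bound transformation Mark Wooding refers to above, shown as an added example (not Catacomb's code): the FIPS 140-1 monobit, runs and long-run tests already compare integer counts, and the poker statistic, the only one with fractional bounds, becomes an integer comparison once both sides of the inequality are multiplied out. The three sample streams are constructed here.

```python
# FIPS 140-1 power-up statistical tests on a 20,000-bit sample. The poker test is
# the only one whose published bounds (1.03 < X < 57.4) are non-integers, so it is
# given both in its floating-point form and in an exact integer-only form: the kind
# of bound transformation Mark Wooding mentions. Added example, not Catacomb code.
# Bounds are the FIPS 140-1 values; FIPS 140-2 later tightened them.
import random

SAMPLE_BITS = 20000
MONOBIT_LO, MONOBIT_HI = 9654, 10346            # exclusive bounds on the count of ones
POKER_LO, POKER_HI = 1.03, 57.4                 # exclusive bounds on the poker statistic
RUNS_BOUNDS = [(2267, 2733), (1079, 1421), (502, 748),
               (223, 402), (90, 223), (90, 223)]   # inclusive, run lengths 1..5 and 6+
LONG_RUN = 34                                   # a run of 34 or more bits fails

def bits_from_int(value: int) -> list:
    """Unpack a 20,000-bit integer into 0/1 values, most significant bit first."""
    return [(value >> (SAMPLE_BITS - 1 - i)) & 1 for i in range(SAMPLE_BITS)]

def monobit(bits) -> bool:
    return MONOBIT_LO < sum(bits) < MONOBIT_HI

def poker_sum_of_squares(bits) -> int:
    """Sum of f(i)^2 over the 16 nibble values; f(i) counts 4-bit segments equal to i."""
    counts = [0] * 16
    for k in range(0, SAMPLE_BITS, 4):
        counts[bits[k] << 3 | bits[k + 1] << 2 | bits[k + 2] << 1 | bits[k + 3]] += 1
    return sum(c * c for c in counts)

def poker_float(bits) -> bool:
    """As printed in the standard: X = (16/5000) * sum f(i)^2 - 5000."""
    x = (16 / 5000) * poker_sum_of_squares(bits) - 5000
    return POKER_LO < x < POKER_HI

def poker_int(bits) -> bool:
    """Same decision with both sides multiplied by 5000 * 100, so no FPU is needed:
    1.03 < X < 57.4  <=>  25_005_150 < 16 * sum f(i)^2 < 25_287_000."""
    return 25_005_150 < 16 * poker_sum_of_squares(bits) < 25_287_000

def run_lengths(bits) -> list:
    """(bit value, length) of every maximal run, in order of appearance."""
    runs, length = [], 1
    for i in range(1, SAMPLE_BITS):
        if bits[i] == bits[i - 1]:
            length += 1
        else:
            runs.append((bits[i - 1], length))
            length = 1
    runs.append((bits[-1], length))
    return runs

def runs_test(bits) -> bool:
    """Runs of length 1..5 and >=6 are counted separately for 0s and 1s; all 12 counts must be in range."""
    runs = run_lengths(bits)
    for value in (0, 1):
        counts = [0] * 6
        for bit, length in runs:
            if bit == value:
                counts[min(length, 6) - 1] += 1
        if any(not lo <= c <= hi for c, (lo, hi) in zip(counts, RUNS_BOUNDS)):
            return False
    return True

def long_run_test(bits) -> bool:
    return max(length for _, length in run_lengths(bits)) < LONG_RUN

def fips_140_1(bits) -> dict:
    """Verdicts of all four tests, using only integer arithmetic."""
    return {"monobit": monobit(bits), "poker": poker_int(bits),
            "runs": runs_test(bits), "long_run": long_run_test(bits)}

# Constructed samples: two degenerate streams and one from a seeded PRNG.
ALL_ZERO = [0] * SAMPLE_BITS
ALTERNATING = [i & 1 for i in range(SAMPLE_BITS)]
PRNG_SAMPLE = bits_from_int(random.Random(1999).getrandbits(SAMPLE_BITS))

if __name__ == "__main__":
    for name, sample in (("all-zero", ALL_ZERO), ("alternating", ALTERNATING), ("prng", PRNG_SAMPLE)):
        print(name, fips_140_1(sample), "poker forms agree:", poker_float(sample) == poker_int(sample))
```

The float and integer poker decisions can never disagree: no integer value of the sum of squares lands exactly on either bound, and the nearest ones are 0.0016 away from it, far beyond double-precision rounding.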
Cryptography-Digest Digest #637
Cryptography-Digest Digest #637, Volume #13 Tue, 6 Feb 01 00:13:00 EST

Contents:
efficient coin flipping ([EMAIL PROTECTED])
Re: ith bit of an LFSR sequence? (David Wagner)
Re: Philippine math guy claims to have fast RSA Factoring... (Bill Unruh)
Re: ith bit of an LFSR sequence? ("bubba")
Re: Philippine math guy claims to have fast RSA Factoring... (Tom St Denis)
Re: RSA, discrete log Both not secure... (Tom St Denis)
Re: Philippine math guy claims to have fast RSA Factoring... (Tom St Denis)
Re: RSA, discrete log Both not secure... (Bill Unruh)
Re: RSA, discrete log Both not secure... ("Marcin")
Re: MIKE - alternative to SPEKE and PAK (Thomas Wu)
Re: Pseudo Random Number Generator (Charles Lyttle)
Re: DH question ("Scott Fluhrer")
Re: ith bit of an LFSR sequence? ("Matt Timmermans")
Re: ith bit of an LFSR sequence? (Paul Rubin)
Microsoft's (Failed) Product Activation (Splaat23)
on the RSA "crack" (Dido Sevilla)
Re: [RSA] Hype, hoax, or ? (Dido Sevilla)
Re: efficient coin flipping ("Joseph Ashwood")

--

From: [EMAIL PROTECTED]
Subject: efficient coin flipping
Date: Tue, 06 Feb 2001 01:59:47 GMT

The population at large agrees that flipping a coin is a good way to make a random binary decision. But it's slow. A faster method is to drop lots of coins, line them up horizontally, and read them left to right. The only reason to do such a thing is if you need to say "I made 2000 coin flips and ...".
- Bob Jenkins
Sent via Deja.com http://www.deja.com/

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: ith bit of an LFSR sequence?
Date: 6 Feb 2001 02:25:58 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Rob Warnock wrote:
>David Wagner <[EMAIL PROTECTED]> wrote:
>| [...] the i-th successor of a state s is x^i * s mod p(x), [...]
>
>But you can, of course, use the usual square-and-multiply techniques on the powers of the matrix M, too.

Of course. But multiplying two nxn matrices requires O(n^3) bit operations, whereas multiplying two elements of GF(2^n) requires O(n^2) bit ops. That's why I predicted that the polynomial method may be faster than the matrix method. Did I overlook something?

--

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Philippine math guy claims to have fast RSA Factoring...
Date: 6 Feb 2001 02:59:09 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Padgett 0sirius) writes:
>Guess I have two questions now that have had a chance to think about it a bit more:
>a) doesn't 1 mod = 1 ?

Yes.

> this makes x=0 the only value for 2^x= 1 mod N

No. Mod is a many to one function. Ie there are many solutions (infinitely many) to the equation a mod N=1

--

From: "bubba" <[EMAIL PROTECTED]>
Subject: Re: ith bit of an LFSR sequence?
Date: Tue, 06 Feb 2001 02:59:55 GMT

Hi David, I bet you are the same David Wagner mentioned on the front page of today's Wall Street Journal. The article was addressing security concerns of wireless networks. Here is some C code that advances an LFSR as part of a primitive polynomial search. It is plain square and multiply, but is ugly because of optimization. I have a portable version I hope to one day clean up and post. http://sduplichan.home.att.net/primitive/primitivePolynomials.htm

"David Wagner" <[EMAIL PROTECTED]> wrote in message news:95ljkt$2fg$[EMAIL PROTECTED]...
> >Given i in 0..2^^n-2, what's the most efficient way to generate the LFSR sequence starting at the ith bit? (The best I can come up with offhand is the standard way of producing large exponents, that is, multiplying n nxn bit matrices together. Is there a better way?)
>
> Here's one that's probably more efficient. Let p(x) be the feedback polynomial. Note that states can be identified with elements of GF(2)[x]/(p(x)), and that state update is multiplication by x. Thus, the i-th successor of a state s is x^i * s mod p(x), and x^i mod p(x) can be computed efficiently using square-and-multiply techniques in a possibly more efficient way than computing M^i for some matrix M.
>
> >Given x in 1..2^^n-1, what's the most efficient way to find i such that x is the ith to i+n-1th bits of an LFSR's sequence?
>
> This is precisely as hard as the discrete log problem in F^*, where F = GF(2)[x]/(p(x)); it is no harder, and no easier. The best algorithm I know of for computing discrete logs over finite fields of characteristic 2 is due to Don Coppersmith. It is somewhat faster than corresponding algorithms for computing discrete logs over (Z/pZ)^*, but still super-polynomial.
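Wagner's jump-ahead method from the quoted post, as an added example that is not code from the digest: register states are elements of GF(2)[x]/(p(x)) held in Python ints, the i-th state is s * x^i mod p(x) computed by square-and-multiply, and the result is checked against clocking the register one bit at a time. The feedback polynomial x^4 + x + 1 and the seed are constructed sample values; the functions themselves work for any degree.

```python
# Jump-ahead for a binary LFSR by exponentiation in GF(2)[x]/(p(x)).
# Added example, not code from the digest. A polynomial over GF(2) is a
# Python int whose bit k is the coefficient of x^k; the register state is
# such a polynomial, and one clock is multiplication by x modulo p(x).

def gf2_mulmod(a: int, b: int, p: int) -> int:
    """a(x) * b(x) mod p(x): carry-less shift-and-add, O(n^2) bit operations."""
    n = p.bit_length() - 1           # degree of the feedback polynomial
    top = 1 << n
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & top:                  # reduce x^n using p(x): XOR with p
            a ^= p
    return r

def gf2_powmod(base: int, e: int, p: int) -> int:
    """base(x)^e mod p(x) by square-and-multiply: O(log e) field multiplications."""
    result = 1                       # the constant polynomial 1
    while e:
        if e & 1:
            result = gf2_mulmod(result, base, p)
        base = gf2_mulmod(base, base, p)
        e >>= 1
    return result

X = 0b10                             # the polynomial x

def lfsr_step(state: int, p: int) -> int:
    """One clock of the (Galois-form) LFSR: multiply the state by x."""
    return gf2_mulmod(state, X, p)

def lfsr_jump(state: int, i: int, p: int) -> int:
    """State after i clocks, computed as x^i * state mod p(x) instead of i steps."""
    return gf2_mulmod(state, gf2_powmod(X, i, p), p)

def output_bit(state: int, p: int) -> int:
    """Bit the register emits in a given state: the coefficient of x^(n-1)."""
    return (state >> (p.bit_length() - 2)) & 1

def sequence_bit(seed: int, i: int, p: int) -> int:
    """The i-th bit of the output sequence, without visiting bits 0..i-1."""
    return output_bit(lfsr_jump(seed, i, p), p)

def sequence_by_stepping(seed: int, count: int, p: int) -> list:
    """Reference: the first `count` output bits by clocking one bit at a time."""
    bits, state = [], seed
    for _ in range(count):
        bits.append(output_bit(state, p))
        state = lfsr_step(state, p)
    return bits

# Constructed sample: p(x) = x^4 + x + 1 (primitive, so the period is 2^4 - 1 = 15)
# and the seed state 1. P31 is a constructed degree-31 feedback polynomial.
P = 0b10011
SEED = 0b0001
P31 = (1 << 31) | (1 << 3) | 1      # x^31 + x^3 + 1

if __name__ == "__main__":
    reference = sequence_by_stepping(SEED, 15, P)
    jumped = [sequence_bit(SEED, i, P) for i in range(15)]
    print(reference == jumped, "".join(map(str, reference)))
    # Far into the sequence, jumping costs ~log2(i) multiplications; stepping costs i.
    print(sequence_bit(1, 10**18, P31))
```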
Cryptography-Digest Digest #637
Cryptography-Digest Digest #637, Volume #12 Fri, 8 Sep 00 14:13:01 EDT

Contents:
Re: infosec career [OT?!] (rot26)
Re: ExCSS Source Code (Wim Lewis)
Re: Carnivore article in October CACM _Inside_Risks ("Douglas A. Gwyn")
Re: ZixIt Mail (Richard Herring)
Re: Losing AES Candidates Could Be a Good Bet? (Thomas Pornin)
Re: ISO9796 signature format implementation (Ulrich Kuehn)
Re: RSA Patent Dead Today ("Julian Lewis")
Re: Losing AES Candidates Could Be a Good Bet? ("Douglas A. Gwyn")
Re: Losing AES Candidates Could Be a Good Bet? (James Felling)
Re: RSA Patent Dead Today (Bill Unruh)
Correction to Paul Garrett's newly released crypto text (MikeAt1140)
Re: Carnivore article in October CACM _Inside_Risks (-m-)
Camellia, a competitor of AES ? (Mok-Kong Shen)
Re: Losing AES Candidates Could Be a Good Bet? (Mok-Kong Shen)
Re: Losing AES Candidates Could Be a Good Bet? (Mok-Kong Shen)
Re: Camellia, a competitor of AES ? (Quisquater)
Re: Carnivore article in October CACM _Inside_Risks ("MichaelC")
Re: Carnivore article in October CACM _Inside_Risks (John Winters)
Re: Carnivore article in October CACM _Inside_Risks ("Joshua R. Poulson")

--

From: rot26 <[EMAIL PROTECTED]>
Subject: Re: infosec career [OT?!]
Date: Fri, 08 Sep 2000 14:58:43 GMT

> Go for it. I didn't quite have people breaking down my door when I finished (Ph.D.) but did have plenty of interest. And it is EXTREMELY interesting work, IMNSHO.
>
> Doug

Doug, thanks for the info and the positive attitude! That's exactly what I needed! Meanwhile any more suggestions?
TIA rot26
Sent via Deja.com http://www.deja.com/ Before you buy.

--

From: [EMAIL PROTECTED] (Wim Lewis)
Subject: Re: ExCSS Source Code
Date: 8 Sep 2000 15:17:45 GMT

In article <[EMAIL PROTECTED]>, Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>Your remark reminds me of the fact that copyright applies to almost every country, while patents are restricted to the countries where the patents are granted. So my dumb question is: Is it possible to have a copyright on a general encryption algorithm (instead of a patent)?

I am not a lawyer, but my understanding is that copyright applies to a "fixed, tangible" expression, such as a chunk of text or a recorded image, and not to the more abstract idea which the expression expresses. Char_mander has the copyright on the ML code it posted (but has implicitly given license for it to be distributed on Usenet), but it would not violate char_mander's copyright for me to read the code, understand the algorithm, and then write my own code to do the same thing.

(And I *think* that DeCSS, etc., don't violate copyright law; they violate the Digital Millennium Copyright Act, which has "copyright" in its title but isn't strongly related to previously existing copyright law except that it benefits copyright holders.)
-- 
Wim Lewis * [EMAIL PROTECTED] * Seattle, WA, USA
PGP 0x27F772C1: 0C 0D 10 D5 FC 73 D1 35 26 46 42 9E DC 6E 0A 88
The netcom address will be unreliable after September. Use the address.

--

Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: Fri, 8 Sep 2000 14:33:10 GMT

Barry Margolin wrote:
> This is why strong authentication is generally based on multiple criteria, usually at least two of: who you are, what you know, and what you have.

And the entire system seems to invariably also rely on trusting some specific agent somewhere.

--

From: [EMAIL PROTECTED] (Richard Herring)
Subject: Re: ZixIt Mail
Date: 8 Sep 2000 15:20:58 GMT
Reply-To: [EMAIL PROTECTED]

In article <8paonq$irg$[EMAIL PROTECTED]>, Cork ([EMAIL PROTECTED]) wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Steve) wrote:
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
> > Comment: PGP ADK BUG FIX: Upgrade to Ver 6.5.8 at MIT or PGP INT'L
> So what & where is the best program for sending/receiving secure mail?
> Thanks.

There might be a clue in that signature you failed to snip...
-- 
Richard Herring | <[EMAIL PROTECTED]>

--

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: Losing AES Candidates Could Be a Good Bet?
Date: 8 Sep 2000 15:23:00 GMT

According to SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>:
> I have made techniques for chaining in two directions but they do not involve the standard 3 letter chaining modes approved by the US FIPS stu
Cryptography-Digest Digest #637
Cryptography-Digest Digest #637, Volume #11 Wed, 26 Apr 00 14:13:01 EDT

Contents:
Re: Regulation of Investigatory Powers Bill (Richard Heathfield)
Re: Help: encrypting bit fields (Paul Rubin)
Re: new Echelon article (David A Molnar)
Re: Requested: update on aes contest (Jerry Coffin)
Re: Requested: update on aes contest (Jerry Coffin)
combine hashfunctions (Gregor Leander)
Re: sci.crypt think will be AES? (Jerry Coffin)
Re: Help: encrypting bit fields (Richard Parker)
Re: combine hashfunctions (Runu Knips)
Re: combine hashfunctions (Richard Parker)
Re: Looking for a *simple* C Twofish source (Runu Knips)
ECC's vulnerability to quantum computing ([EMAIL PROTECTED])
U-571 movie ("Don H")
Re: OAP-L3: Semester 1 / Class #1 All are invited. (David Formosa (aka ? the Platypus))
Re: nss (Pavel Semjanov)
AEES 16 rounds ([EMAIL PROTECTED])
Re: factor large composite (Jeffrey Williams)
What came of it? (_Andy_)
Re: nss (Tom McCune)
GNUPG and BLOWFISH ([EMAIL PROTECTED])
Re: What came of it? (Gisle Sælensminde)
Re: combine hashfunctions (Mark Wooding)

--

Date: Wed, 26 Apr 2000 08:19:24 +0100
From: Richard Heathfield <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,alt.computer.security
Subject: Re: Regulation of Investigatory Powers Bill

Scotty wrote:
>
> Richard Heathfield wrote in message <[EMAIL PROTECTED]>...
> >Scotty wrote:
> >>
> >> >>But Bob is forbidden to tell Papinski that the police are involved.
> >> >
> >> >Who by? You're free to tell anyone that you are under investigation by the police etc.
> >>
> >> No not in this case, you are forbidden under penalty of 5 years imprisonment if you tell anyone except your lawyer.
> >
> >What if Papinski is Bob's lawyer? In other words, if your data is encrypted using a public key, and your lawyer holds the private key, then only your lawyer can decrypt the data, and you are free to tell him whether you are under investigation, under which circumstance he is presumably entitled to withhold the key as part of the lawyer/client confidentiality deal.
>
> No, it is a criminal offence not to disclose the key.

<...reluctant snippage of excellent explanation of this...>

> >Furthermore, I don't suppose there's any way of arresting a computer. It could be confiscated, of course, but what good will that do?
>
> The interpretation of the word 'key' in the bill is quite wide:
> "...means any key, code, password, algorithm or other data the use of which (with or without other keys)-
> (a) allows access to the electronic data, or
> (b) facilitates the putting of the data into an intelligible form; "
>
> If there is some algorithm that you can use to decrypt the data then you are required to reveal it. If you do something which causes the 'key' to be withheld or destroyed, *after* you have been served with a decryption notice, then you are guilty of non-disclosure [that's 2 years in prison].

Thank you for your explanation of those points. It strikes me that this law will be completely useless against well-organised criminals (who will not baulk at tipping off keyholders) and in fact could not possibly be used except as an oppressive tool...

...which implies that every UK subject who has taken part in this conversation, including me, is almost certainly going to be investigated, at least in a 'background check' and possibly in more detail than that. Now, is that acceptable paranoia, or have I crossed the line? ;-)

(sigh) Time to start encrypting as many "Hello world" packets as I can and flinging them to the four corners of the earth...
-- 
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
34 K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html (63 to go)

--

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Help: encrypting bit fields
Date: 26 Apr 2000 07:30:14 GMT

Richard Parker <[EMAIL PROTECTED]> wrote:
>Paul you might find the following paper by Bellare and Rogaway of interest. In this paper they show how to construct a secure variable-input-length cipher starting from any secure block cipher.
>
> M. Bellare and P. Rogaway, "On the Construction of Variable-Input-Length Ciphers," Proceedings of the 6th Workshop on Fast Software Encryption, FSE'99, Lecture Notes in Computer Science, v. 1636, Springer-Verlag, 1999.
> <h
Cryptography-Digest Digest #637
Cryptography-Digest Digest #637, Volume #10 Sat, 27 Nov 99 09:13:00 EST

Contents:
Re: AES cyphers leak information like sieves ("Trevor Jackson, III")
cookies implemented in applet? ([EMAIL PROTECTED])
Re: S/MIME plug-in for Eudora? Strong Encryption (Phil Logan-Kelly)
cryptography control? ([EMAIL PROTECTED])
Re: cryptography control? (noone)
Nazi Dockyard Cipher System? (UBCHI2)
Question about CS-Cipher and RC5 challenge ("Hank")
Re: brute force versus scalable repeated hashing (Johnny Bravo)
Re: Random Noise Encryption Buffs (Look Here) (Tom St Denis)
Re: FEAL-8 algorithm (Tom St Denis)
Peekboo Ideas? (Tom St Denis)
Re: Distribution of intelligence in the crypto field (John Savard)
LeapFrog2 (Anonymous)
Re: Question about CS-Cipher and RC5 challenge ([EMAIL PROTECTED])

--

Date: Sat, 27 Nov 1999 02:06:27 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves

Douglas A. Gwyn wrote:
> wtshaw wrote:
> > Only those who are real cranks deserve to get the shaft. His self-styled poetic statements are meant to light the fuses of shallow thinkers while should be of no regard to those who are seeking truth. Being willing to hop on one foot at the formal request of someone demanding that antic does not speak well of either party.
>
> Asking for civilized behavior during a technical discourse is *not* asking anyone to (metaphorically) hop on one foot. If the goal is to communicate and/or enlighten, offensive behavior just gets in the way. If the barrier is too high, most reasonable people won't bother to try to overcome it.

Against this we have Franklin's observation that: "Reasonable men accommodate themselves to circumstances. Unreasonable accommodate circumstances to themselves. Thus all progress is due to unreasonable men." So why should anyone care about the habits of reasonable people?

If a writer presents an interesting idea the offensiveness of the presentation is irrelevant to the value of the concept. One can always just consider the issue and ignore the presentation -- especially if one is "reasonable people". If a writer presents nothing interesting the manner is even less relevant. Don't bother wasting time with it.

Analogously, major business decisions are often made on the basis of trivia such as the cut of a suit or the width of a tie. In the more liberal world of engineering, ties are often missing altogether. The fact that idiots make substantial decisions based on trivia does not suggest that one can make better proposals by wearing the right suit or the right color of tie. It suggests that the quality of the concept or proposal is irrelevant to the decision process. Is that what you would suggest is going on in sci.crypt?

--

From: [EMAIL PROTECTED]
Crossposted-To: comp.lang.java.security,comp.lang.java.programmer,comp.lang.java.help,comp.programming,microsoft.public.java.security
Subject: cookies implemented in applet?
Date: Sat, 27 Nov 1999 15:18:26 +0800

Hi
Does anyone know of this?
Thanks
Greg

--

From: [EMAIL PROTECTED] (Phil Logan-Kelly)
Crossposted-To: comp.security.misc,comp.security.pgp.tech,alt.security.pgp,comp.mail.eudora.ms-windows
Subject: Re: S/MIME plug-in for Eudora? Strong Encryption
Date: Sat, 27 Nov 1999 07:41:29 GMT

On Wed, 10 Nov 1999 11:01:30 -0700, "Bill \"Houdini\" Weiss" <[EMAIL PROTECTED]> wrote:
>On Wed, 10 Nov 1999 10:26:12 +0000, SkinD <[EMAIL PROTECTED]> wrote in comp.security.misc :
>Why not just use PGP?
>
>--
>Bill "Houdini" Weiss
>PGP key: http://home.att.net/~bill_weiss/bill_weiss.asc
>ICQ#: 43270740
>

I have much the same need. Not because I don't use PGP but because there are those who won't use PGP but do use s/mime. So, in order to send them encrypted messages, I need a plug in for Eudora.
Phil

Remove no.spam.at.all from posted e-mail address to reply via e-mail
Due to forged posts in my name, all valid posts from Phil Logan-Kelly will be signed with PGP. PGP public key can be found at: http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xB7E3EE91
Check out the Hunger Site at http://www.thehungersite.com/

--

From: [EMAIL PROTECTED]
Subject: cryptography control?
Date: Sat, 27 Nov 1999 07:44:26 GMT

I came across an article that brings up some interesting points concerning government control of crypto
Cryptography-Digest Digest #637
Cryptography-Digest Digest #637, Volume #9 Wed, 2 Jun 99 07:13:02 EDT

Contents:
Re: 576-bit blowfish?! (Boris Kazak)
Simple crypto question ("SBS")
Re: RSA <> std.encryption (Bo Hedemark Pedersen)
Re: RSA <> std.encryption (Bo Hedemark Pedersen)
Re: ScramDisk and Windows 2000 (Brad Aisa)
Re: block ciphers vs stream ciphers (Bruce Schneier)
Re: definition of public domain ("Roger Schlafly")
? Rc5/Rc6 key-schedule ? ([EMAIL PROTECTED])
Re: block ciphers vs stream ciphers ("Douglas A. Gwyn")
Re: Obscure Code (Thomas Pornin)
Re: Obscure Code ("Douglas A. Gwyn")
Re: RSA <> std.encryption ("Douglas A. Gwyn")
Finding a 192 bit hash (Was: Using symmetric encryption for hashing) ("Thomas J. Boschloo")
Re: Reasons for controlling encryption (Bill Unruh)
Re: Viability of encrypted flash cards? (Eric Smith)
Re: SHA-1 output random? (Francois Grieu)

--

From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: 576-bit blowfish?!
Date: Tue, 01 Jun 1999 20:46:54 -0400
Reply-To: [EMAIL PROTECTED]

Matthew Bennett wrote:
>
> Just to test, I tried using a key longer than 56 characters in my blowfish implementation written in C (my key is stored as an unsigned char). After increasing the defined maximum key length in the blowfish header file, I found I could get a different cipher-text output from changing any one of up to ~72~ characters in my key. For example, using a 100-byte key, changing only any of the last 27 characters of this key had no effect on the cipher output.
>
> So it seemed a maximum of 72 characters were being "used" - unlike the 56 it is supposed to be? This effect was seen in two separate blowfish source codes.
>
> Could someone point out to me where I've gone wrong :)
>
> /\/\/\//

As far as I understand, the reason for this is purely historical. Originally Blowfish was designed without the initial and final XOR-ing, so in 16-round Blowfish there were 14 entries in the P-box, totaling 56 bytes. Naturally, this was the limit for key length, and it was this number that went into the paper. Later on, the size of the P-box was increased by 4 entries, so that now the total size of the P-box is 72 bytes, but the paper was not revised. So the 56-byte limit may be regarded as an uncorrected typo, the extra 16 bytes are mixed with the same thoroughness as the rest of the crowd, and are in no sense easier to attack. So the total maximum length of a Blowfish key is 72 bytes (576 bits). Period, end of story.
Best wishes BNK

--

From: "SBS"
Subject: Simple crypto question
Date: Wed, 2 Jun 1999 00:16:05 -0400

Hi all, I am wondering how I can figure out the following problem. I need to set up a licensing scheme for software we sell to avoid uncontrolled spread of the software. Setting up a data structure holding the licensing information is not very tough, however how do I store that somewhere on the machine since I do not want to use dongle-like security. If I encrypt the licence information, the software needs to decrypt it to check it. Where do I store the key? It also needs to encrypt the data for new licenses to be issued. I need to be able to set up a non-trivial authentication scheme to "tell" the software that the license is valid and should be encrypted for later check. Any help is welcomed.
Stephane
note: I apologize for my level of English, let me know if anything needs more details.

--

From: Bo Hedemark Pedersen <[EMAIL PROTECTED]>
Subject: Re: RSA <> std.encryption
Date: Wed, 02 Jun 1999 07:16:19 +0200

But isn't there any way that you can estimate the time to crack the private key in RSA? Like when you say that a 40-bit conventional key can be cracked in 10,000 secs. using a machine that can test 10^8 keys per sec.
Thanks for the quick response, Bo

"Michael J. Fromberger" wrote:
>
> In sci.crypt you write:
>
> >Is there any way to compare the security of RSA and standard encryption?
>
> Hello there,
>
> The answer depends on what you mean by "standard" encryption. Are you referring to the symmetric encryption typically called "conventional" encryption by software packages that support it?
>
> If so, then the short answer is 'no' -- RSA is a public-key algorithm based on principles of number theory. Its security is thought to depend on the difficulty of integer factorization (although there has been, as yet, no proof of this). Most "conventional" encryption software employs symmetric block ciphers such as 3DES, Blowfish, or IDEA, whose security is bas
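The 72-byte limit Boris Kazak explains in the Blowfish thread above, reproduced at the key-schedule level as an added example (not code from the digest and not Schneier's reference implementation): the stage that XORs key material into the 18-word P-array walks the key cyclically and consumes exactly 18 * 4 = 72 bytes, and the later stage of the schedule reads no key bytes at all, so the flipping experiment in Matthew Bennett's post stops finding differences after offset 71. P_INIT holds the published initial P-array; the S-boxes and the zero-block encryption stage are left out because they do not touch the key.

```python
# Key-XOR stage of the Blowfish key schedule, showing why only the first
# 72 key bytes can matter. Added example, not the digest's code and not
# Schneier's reference implementation. P_INIT is the published initial
# P-array (fractional hex digits of pi). The S-boxes are omitted because the
# rest of the schedule (encrypting a zero block with the evolving state and
# writing the results back into P and S) never reads the key again.

P_INIT = [
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344,
    0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89,
    0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
    0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917,
    0x9216D5D9, 0x8979FB1B,
]
P_ENTRIES = len(P_INIT)                 # 16 rounds + 2 whitening words = 18
MAX_USEFUL_KEY_BYTES = 4 * P_ENTRIES    # 72 bytes = 576 bits

def xor_key_into_p(key: bytes) -> list:
    """P[i] ^= next 32 key bits for i in 0..17, cycling through the key bytes.
    Exactly 72 key bytes are read, whatever the key length."""
    if not key:
        raise ValueError("key must be at least one byte")
    p = list(P_INIT)
    j = 0
    for i in range(P_ENTRIES):
        word = 0
        for _ in range(4):
            word = (word << 8) | key[j]
            j = (j + 1) % len(key)      # wrap around for keys shorter than 72 bytes
        p[i] ^= word
    return p

def influential_key_positions(key: bytes) -> list:
    """Offsets of key bytes that change the P-array when flipped (Bennett's experiment)."""
    base = xor_key_into_p(key)
    positions = []
    for pos in range(len(key)):
        probe = bytearray(key)
        probe[pos] ^= 0x01
        if xor_key_into_p(bytes(probe)) != base:
            positions.append(pos)
    return positions

if __name__ == "__main__":
    # Constructed 100-byte key, as in the poster's test: offsets 72..99 are never read.
    key = bytes(range(100))
    used = influential_key_positions(key)
    print(len(used), "of", len(key), "key bytes reach the P-array; last used offset:", used[-1])
```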