Cryptography-Digest Digest #807

2001-03-05 Thread Digestifier

Cryptography-Digest Digest #807, Volume #13   Mon, 5 Mar 01 14:13:01 EST

Contents:
  Re: => FBI easily cracks encryption ...? (Fogbottom)
  Re: Rabin's Unbreakable Code ([EMAIL PROTECTED])
  Ronald Lauder, Wave Communication, RSL Communications, Jews, Finnish Government, Lipponen from Markku (Los Angeles) ([EMAIL PROTECTED])
  Re: HPRNG (Mike Rosing)
  Re: OverWrite freeware completely removes unwanted files fromharddrive ("Dan Beale")
  Re: => FBI easily cracks encryption ...? (Fogbottom)
  Re: beyond "group signatures": how to prove sibling relationships? ([EMAIL PROTECTED])
  Re: super strong crypto, phase 3 (David Wagner)
  A question to John Savard ("Roman E. Serov")
  Re: => FBI easily cracks encryption ...? (Fogbottom)
  Re: passphrase question ([EMAIL PROTECTED])
  Re: Monty Hall problem (was Re: philosophical question?) (Fred Galvin)
  Re: Monty Hall problem (was Re: philosophical question?) (Arturo Magidin)
  Re: Again on key expansion. ("Cristiano")



Date: 5 Mar 2001 18:21:35 -
From: [EMAIL PROTECTED] (Fogbottom)
Subject: Re: => FBI easily cracks encryption ...?
Crossposted-To: alt.security.pgp,talk.politics.crypto

In article <1aIo6.71775$[EMAIL PROTECTED]>
"Mxsmanic" <[EMAIL PROTECTED]> wrote:

> In defense of the FBI, I think that FBI agents are better trained by
> orders of magnitude than the average municipal or state cop.  There is a
> gulf of difference between the two, from what I've understood.

You've been watching "The FBI Story" a bit too often.

The one (and probably only) thing J. Edgar Hoover accomplished 
in his career was to set up an FBI propaganda machine that 
Joseph Goebbels would have envied.  Now that J. Edgar is 
roasting in Hell, many of the FBI's foibles are coming to light.

It's true that there are some local cops who are very poorly 
trained, especially in rural areas that can't afford to send 
them to police academies or which appoint the mayor's brother in 
law as police chief.

But in general, local cops are just as well trained as FBI 
special agents and actually have far more street experience.

> Nevertheless, it is true that law-enforcement agencies of all types tend
> to attract control freaks and people with violent tendencies.  It is
> difficult to screen for such people, and additionally they are such a
> large part of the pool of available labor for these occupations that
> screening them out completely would leave most agencies crying for
> recruits.



--

From: [EMAIL PROTECTED]
Subject: Re: Rabin's Unbreakable Code
Date: 05 Mar 2001 10:22:37 -0800

[EMAIL PROTECTED] (Ben Cantrick) writes:
>   The sender and receiver have to agree on a time to start recording
> the random bits that are being continually broadcasted, and also how
> many bits to record. And then they have to store the bits so they
> can use them to encrypt the message later.

Plus they agree on a pseudo-random number generator to tell which
subset of the bits to keep; they don't just grab a bunch of
consecutive bits.

>   At this point, you start to get an idea as to why most crypto
> people aren't that excited about Rabin's idea. If you can securely
> tell someone a piece of info, like a time and a number of bits, why
> didn't you just give them a one-time encryption pad while you were
> at it? That also has the advantage that nobody can record your
> one-time pad because it's not being broadcast to the public.

And by the same reasoning, AES is useless, "because if you can
securely tell someone a piece of info, like the AES key, why didn't
you just give them a one-time encryption pad while you were at it?"

Obviously, the point is that the size of the shared secret needed to
agree on how to index into the broadcast is much smaller than the size
of a full one-time pad.  You combine a small-sized shared secret with
large-sized broadcast data to get the effect of a large-size OTP.

>   About all Rabin's scheme buys you is that you don't have to know how
> to build a decent random number generator. In all other respects it's
> just a standard one-time pad.

Nonsense, building a decent RNG is crucial for Rabin's scheme, because
it depends on the randomness of the shared bit string.  And it is not
at all like a standard OTP because the whole point is that the size of
the shared secret is small.

Alpha
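A toy model of the point made in this exchange, added here as an example (it is not code from the original post, nor Rabin's own construction): a short shared secret seeds an index generator, both parties keep only the broadcast bits at the generated positions, and the message is XORed against that pad. The broadcast is a constructed deterministic byte string and the index generator is SHA-256 in counter mode; both are assumptions made for illustration.

```python
"""Small shared secret + large public broadcast = pad as long as the message.

Added example; the broadcast and index PRNG are constructed stand-ins.
"""
import hashlib


def constructed_broadcast(length):
    """Deterministic stand-in for the public random broadcast (constructed
    so the example runs offline and reproducibly; a real source is random)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(b"constructed broadcast " + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def index_stream(secret, stream_len, count):
    """Derive `count` distinct positions in [0, stream_len) from `secret`.
    Both parties run this with the same secret, so both record the same
    scattered subset of the broadcast rather than a consecutive run."""
    if count > stream_len:
        raise ValueError("cannot select more positions than the broadcast holds")
    chosen, seen, counter = [], set(), 0
    while len(chosen) < count:
        # SHA-256 in counter mode as the index PRNG (assumption for this example).
        block = hashlib.sha256(secret + counter.to_bytes(8, "big")).digest()
        counter += 1
        for i in range(0, len(block), 4):
            pos = int.from_bytes(block[i:i + 4], "big") % stream_len
            if pos not in seen:
                seen.add(pos)
                chosen.append(pos)
                if len(chosen) == count:
                    break
    return chosen


def extract_pad(broadcast, positions):
    """The bytes the two parties actually store: one pad byte per position."""
    return bytes(broadcast[p] for p in positions)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(secret, broadcast, plaintext):
    """One-time-pad encryption with a pad drawn from the broadcast: the pad is
    as long as the message while the secret stays small.  As with any OTP,
    a secret (and hence a pad) must never be reused for a second message."""
    positions = index_stream(secret, len(broadcast), len(plaintext))
    return xor_bytes(plaintext, extract_pad(broadcast, positions))


decrypt = encrypt  # XOR against the same pad undoes the encryption


# Constructed sample values: a 16-byte shared secret and a 4 KiB broadcast.
SECRET = bytes(range(1, 17))
BROADCAST = constructed_broadcast(4096)

if __name__ == "__main__":
    msg = b"meet at the usual place"
    ct = encrypt(SECRET, BROADCAST, msg)
    print("secret bytes:", len(SECRET), "pad bytes:", len(msg),
          "broadcast bytes:", len(BROADCAST))
    print("positions kept:", index_stream(SECRET, len(BROADCAST), len(msg)))
    print("roundtrip ok:", decrypt(SECRET, BROADCAST, ct) == msg)
```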

--

From: [EMAIL PROTECTED]
Crossposted-To: alt.security,comp.security,alt.2600
Subject: Ronald Lauder, Wave Communication, RSL Communications, Jews, Finnish Government, Lipponen from Markku (Los Angeles)
Date: 5 Mar 2001 18:25:09 GMT


During my information search yesterday I discovered some 

Cryptography-Digest Digest #807

2000-10-01 Thread Digestifier

Cryptography-Digest Digest #807, Volume #12   Sun, 1 Oct 00 19:13:01 EDT

Contents:
  How Colossus helped crack Hitler's codes (Helger Lipmaa)
  Re: Chaos theory ("CMan")
  Re: Chaos theory ("CMan")
  Re: Question on biases in random-numbers & decompression (Mok-Kong Shen)
  Re: Question about encryption. (Tom St Denis)
  Re: Why is TwoFish better than Blowfish? (Anonymous)
  Re: Adobe Acrobat -- How Secure? (Tom St Denis)
  Re: Which is better? CRC or Hash? (Tom St Denis)
  Re: Adobe Acrobat -- How Secure? ("Douglas A. Gwyn")
  Re: Question about encryption. (Paul Rubin)
  Shareware Protection Schemes ("musashi_x")
  Slow but unbreakable? (Simon Johnson)
  Re: Shareware Protection Schemes (Ichinin)
  Re: The algorithm that can be broken by the U.S. mil and NSA/CIA/FBI wins check out the developers they just want to violate people's freedom of speech rights ... (John Savard)
  Re: How Colossus helped crack Hitler's codes (John Savard)
  Re: Adobe Acrobat -- How Secure? (Tom St Denis)
  Re: Slow but unbreakable? (Tom St Denis)
  Re: Deadline for AES... ("Paulo S. L. M. Barreto")
  Re: Deadline for AES... ("Paulo S. L. M. Barreto")



From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: How Colossus helped crack Hitler's codes
Date: Sun, 01 Oct 2000 22:14:34 +0300

Quite interesting report at
http://www.telegraph.co.uk/et?ac=003549412141223&rtmo=wAfMMQKb&atmo=gg3K&pg=/et/00/9/30/ncol30.html

---
   THE full story of how Hitler's secret codes were cracked by a rudimentary
   computer was told officially for the first time yesterday.

   The Government Communications Headquarters at Cheltenham declassified a
   two-volume technical report on Colossus, the forerunner of the post-war
   digital computer that saw the first practical use of large-scale
   program-controlled computing. Released through the Public Record Office,
   the 500-page report features photographs, specifications and detailed
   notes about Colossus and other code-breaking devices.

   The report also contains the blueprint of Colossus 2, an upgraded
   "production model". This began operation on June 1, 1944, in time to
   decipher messages confirming that Hitler had swallowed the Allies'
   deception campaigns, giving them the confidence to go ahead with the
   invasion of Europe.

   More Colossi followed at the rate of about one a month and by the end of
   the war there were 10 at Bletchley Park, the secret codebreaking
   establishment in Buckinghamshire.

[...]


--

From: "CMan" <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Sun, 1 Oct 2000 11:03:44 -0700

What is INTERESTING is a subjective and relative term so filled with value
judgment as to be meaningless in this context.

Perhaps you should take a lesson from the poetry of Gerard Manley Hopkins
who notes in his work "Binsey Poplars" some things having to do with chaos:

MY aspens dear, whose airy cages quelled,
Quelled or quenched in leaves the leaping sun,
All felled, felled, are all felled;
Of a fresh and following folded rank
Not spared, not one
That dandled a sandalled
Shadow that swam or sank
On meadow and river and wind-wandering weed-winding bank.

etc...

Surely Spock, upon first hearing about Chaos theory as a student in a Vulcan
kindergarten would have raised one eyebrow and uttered the word
"interesting."

An example of a well known interesting fact is that the teaching of Chaos
theory in the classroom is not allowed in Kansas.

JK

--
CRAK Software
http://www.crak.com
Password Recovery Software
QuickBooks, Quicken, Access...More
Spam bait (credit E. Needham):

"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
> :> Jim Gillogly <[EMAIL PROTECTED]> wrote:
>
> :> : In mathematics, however, chaos lies on the boundary between
> :> : order and disorder, and is a study of systems that have behavior
> :> : that's largely predictable statistically...
> :>
> :> Not necessarily correct - chaotic systems can be highly disordered.
>
> : Gillogly was closer to the mark.
>
> Except for the fact that he stated that "chaos lies on the boundary
> between order and disorder" - which isn't right at all - while

Cryptography-Digest Digest #807

2000-05-18 Thread Digestifier

Cryptography-Digest Digest #807, Volume #11  Thu, 18 May 00 07:13:01 EDT

Contents:
  Re: AES Comment: the Hitachi patent (Mok-Kong Shen)
  Re: What is a good Encryption program?? ([EMAIL PROTECTED])
  Re: AEES-Cascade ([EMAIL PROTECTED])
  Re: About Hardware RNG (Guy Macon)
  Re: zeroknowledge.com and freedom.net - Snake oil? (Guy Macon)
  Re: Interesting differentials in BREAKME (Mark Wooding)
  Re: Blowfish and Weak Keys (Mark Wooding)



From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: AES Comment: the Hitachi patent
Date: Thu, 18 May 2000 10:37:39 +0200



Jerry Coffin wrote:

> > A comprehensive patent databank is offered by IBM on the
> > internet, if I don't err.
>
> A database, yes.  Comprehensive, no.
>
> > Now MARS comes from IBM. IBM is such
> > a big firm and has itself numerous and numerous patents and hence
> > must have a large staff of very competent patent specialists. I can't
> > imagine that it could be a very difficult task for IBM to do a search
> > for potential patent conflicts with MARS, if it ever cares to do so.
>
> Yes and no -- conducting a search for potential conflicts is easy.
> Being sure you've caught all possible conflicts is impossible.  About
> the best you can hope for is to be reasonably sure that you've caught
> most of the most relevant conflicts, and even that takes a great deal
> of time, effort and skill to do well.

Are you seeking 'perfection' in this world?? If you do something and
achieve something, it is in any case better than doing nothing and
achieving nothing. Should we act, or do nothing, to curb the damage
being done to the natural environment? One's health is never perfect.
Should one take care to cure some of the big illnesses, or should we
wait till science has advanced to such a point that curing ALL
illnesses in one shot no longer ''takes a great deal of time, effort and
skill to do well''?? Searching for patent conflicts in the present case
might be an onerous task within the resource framework of the authors
of Rijndael and Serpent but certainly not for IBM! And in my humble
view it is also the responsibility of NIST to investigate patent matters
from the very beginning of the AES project. As I said previously,
apparently no serious effort has EVER been undertaken by any party
involved in AES up till now.

M. K. Shen
==
http://home.t-online.de/home/mok-kong.shen


--

From: [EMAIL PROTECTED]
Subject: Re: What is a good Encryption program??
Date: Thu, 18 May 2000 08:33:15 GMT

Tim Tyler wrote:
> : FYI: 56 bit DES is about E +19. 128 bit DES is E +38.
> 
> 2^56 ~= 10^17, not 10^19.

right, 0.72E16

> DES uses a 64-bit (10^19) key - but a byte of
> it is not used as key material.

heh, DES uses a 56 bit key

>  Also, what is 128-bit DES?

there is no such thing
there is only 112 and 168 bit triple DES

==  ==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp.htm <-- PGP half-Plugin for Netscape
http://disastry.dhs.org/pegwit  <-- Pegwit - simple alternative for PGP
remove .NOSPAM.NET for email reply

--

From: [EMAIL PROTECTED]
Subject: Re: AEES-Cascade
Date: Thu, 18 May 2000 08:24:27 GMT

David,

Thank you very much for your reply.

#Assuming you are using a modern fast PC,
#this seems quite slow.

It is only a question of time and development.
There are a lot of other factors that should be taken into account.
For example: level of security.

#You should get pretty close to 50% change with a one bit
#change in input or key. Otherwise the big boys will break
#your cypher pretty easily, as soon as they can be bothered
#trying.

1. I suppose that the Avalanche Effect idea is not to change one
   bit but to change an amount of information in the plain text.
2. I am not sure that all these criteria may be applied directly
   to cascade architecture, which seems to be very complex for
   cryptanalysis.

Best regards.
Alex.



Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: About Hardware RNG
Date: 18 May 2000 04:53:25 EDT

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
>
>[EMAIL PROTECTED] (Guy Macon) wrote:
>
>>How does the circuit determine the threshold to compare the noise to
>>in order to decide whether to call the current bit a 1 or a 0?  Is this
>>a logic input, comparator, op-amp, Transistor (FET or bipolar?) or what? 
>
>My circu

Cryptography-Digest Digest #807

1999-12-29 Thread Digestifier

Cryptography-Digest Digest #807, Volume #10  Wed, 29 Dec 99 15:13:01 EST

Contents:
  Re: Video card reconfiguration ("Julien Dumesnil")
  Where can I get DVD Decoding Software? ([EMAIL PROTECTED])
  Re: Where can I get DVD Decoding Software? ("anonymous intentions")
  Re: Where can I get DVD Decoding Software? (Troed)
  Re: Secure Delete Not Smart (Jim)
  Re: Economic Espionage Act of 1996 and the U.S.A. government's violations (Jim)
  Re: Secure Delete Not Smart (Mark D)
  Re: More idiot "security problems" ("Trevor Jackson, III")
  Re: Encryption:  Do Not Be Complacent (jose)
  AES wise? (Anonymous)
  Diffie-Hellman ("Daniel Roethlisberger")
  Re: Grounds for Optimism (David Crick)
  Re: AES wise? (John Savard)
  Advise on / e-money / e-cash / anon-cash / please (pgp651)
  Re: File format for CipheSaber-2? (Johnny Bravo)
  Cryptography in Tom Clancy (John Savard)
  Re: Attacks on a PKI (Anne & Lynn Wheeler)
  Re: Attacks on a PKI (Anne & Lynn Wheeler)



From: "Julien Dumesnil" <[EMAIL PROTECTED]>
Subject: Re: Video card reconfiguration
Date: Wed, 29 Dec 1999 18:36:59 +0100


> Doesn't seem likely to me.
>
> Why not get Motorola's AIM evaluation board, development libraries, etc.

John,

I'm sure I've read this info somewhere (don't remember where tho...)

Anyway the idea is _not_ to use specialised hardware, but to use a board
that could be bought through any computer hardware reseller... And
reprogram it to be faster than any PIII at doing cypher manipulation.

Don't know if you get my drift...

Regards,

julien



--

From: [EMAIL PROTECTED]
Subject: Where can I get DVD Decoding Software?
Date: Wed, 29 Dec 1999 17:14:02 GMT

I am looking for a software program that will decode the DVD protection
that is enabled on many DVD disks.  I have heard so much talk on this,
and I must have this program.  I'm sure it's floating around out there,
but if anyone knows of where I can download a DVD copy protection
decoder, that would be great.

Thanks

ICQ# 42616768



--

From: "anonymous intentions" <[EMAIL PROTECTED]>
Subject: Re: Where can I get DVD Decoding Software?
Date: Wed, 29 Dec 1999 09:37:30 -0600

You must have just missed it. Someone posted it in either sci.crypt or
alt.security.pgp this morning, Dec 29 1999 ~7am PST. I would check these
groups (sync) on the usenet again; it was 23K and it was the source code and
mak file. Though it sounds like people are going down for posting it, and of
course, you could be a fed. Find it while you can.
:)

<[EMAIL PROTECTED]> wrote in message news:84df0i$1lq$[EMAIL PROTECTED]...
> I am looking for a software program that will decode the DVD protection
> that is enabled on many DVD disks.  I have heard so much talk on this,
> and I must have this program.  I'm sure it's floating around out there,
> but if anyone knows of where I can download a DVD copy protection
> decoder, that would be great.
>
> Thanks
>
> ICQ# 42616768
>
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



--

From: [EMAIL PROTECTED] (Troed)
Subject: Re: Where can I get DVD Decoding Software?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 29 Dec 1999 17:39:53 GMT

[EMAIL PROTECTED] wrote:

>I am looking for a software program that will decode the DVD protection
>that is enabled on many DVD disks.  I have heard so much talk on this,
>and I must have this program.  I'm sure it's floating around out there,
>but if anyone knows of where I can download a DVD copy protection
>decoder, that would be great.

Infoseek gives a nice list if you ask it for "DeCSS"

(By not giving you a direct link I'm making it a bit harder for the
lawyers who at this very moment are trying to make linking to other
sites illegal)

___/
_/


Nazis, racists and other fools only give themselves the shivers

--

From: [EMAIL PROTECTED] (Jim)
Subject: Re: Secure Delete Not Smart
Date: Wed, 29 Dec 1999 17:57:44 GMT
Reply-To: [EMAIL PROTECTED]

On Tue, 28 Dec 1999 23:52:00 -0500, "Trevor Jackson, III" <[EMAIL PROTECTED]>
wrote:

>Jim wrote:
>> >The best answer is to never store plaintext.  The information must be encrypted as
>> >it is stored.  Disk encryption software does this for you.
>>
>> So you're recommending that one always works within an enciphered volume
>> or partition?
>>
>> If so, ought you to secure delete plaintext versions which have not
>> been taken outside the enciphered volume?
>
>That is unnecessary.  The principle of an encryp

Cryptography-Digest Digest #807

1999-06-30 Thread Digestifier

Cryptography-Digest Digest #807, Volume #9   Wed, 30 Jun 99 13:13:02 EDT

Contents:
  Re: Secure link over Inet if ISP is compromized. ("Gene Sokolov")
  Re: Secure link over Inet if ISP is compromized. (S.T.L.)
  Re: Kryptos article (wtshaw)
  Re: How do you make RSA symmetrical? ("Anton Stiglic")
  Re: A Quanitative Scale for Empirical Length-Strength (wtshaw)
  Re: SSL Overhead (Kent Briggs)
  Re: MP3 Piracy Prevention is Impossible (Reuben Sumner)
  Re: A Quanitative Scale for Empirical Length-Strength (Jim Gillogly)
  Re: A Quanitative Scale for Empirical Length-Strength (wtshaw)
  Re: Kryptos article (John Myre)
  Re: Can Anyone Help Me Crack A Simple Code? (John Savard)
  Re: Can Anyone Help Me Crack A Simple Code? (John Savard)
  Re: BAN Logic considered useful? (Don Davis)
  Re: RSA or DIFFIE-HELLMANN (Lutz Donnerhacke)
  RSA or DIFFIE-HELLMANN (chicago)
  Re: A Quanitative Scale for Empirical Length-Strength (wtshaw)
  Re: new book (John Savard)
  Re: trapdoor one way functions (Nicol So)
  D - CD-R encryption (Dupavoy)
  Re: A Quanitative Scale for Empirical Length-Strength (Mok-Kong Shen)
  Re: Why Elliptic Curve Cryptosystem is stronger with shorter key length? (Robert Harley)
  Re: Windows9x Crypt Function ("Andrew Whalan")



From: "Gene Sokolov" <[EMAIL PROTECTED]>
Subject: Re: Secure link over Inet if ISP is compromized.
Date: Wed, 30 Jun 1999 17:46:40 +0400


Alan Braggins <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...


It helps to read the original post. Or at least a post one up in the thread.




--

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: Secure link over Inet if ISP is compromized.
Date: 30 Jun 1999 14:17:44 GMT

<>

By compromised, do you mean monitored or prevented? If you monitor a
face-to-face conversation between me and Bob, then we can still exchange public
keys and know we can communicate safely. Of course, Bob may be an agent for the
other side anyways.

-*---*---
S.T.L.  ===> [EMAIL PROTECTED] <===  BLOCK RELEASED!  2^3021377 - 1 is PRIME!
Quotations:  http://quote.cjb.net  Main website:  http://137.tsx.org  MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"  e^(i*Pi)+1=0   F00FC7C8
E-mail block is gone. It will return if I'm bombed again. I don't care, it's
an easy fix. Address is correct as is. The courtesy of giving correct E-mail
addresses makes up for having to delete junk which gets through anyway. Join
the Great Internet Mersenne Prime Search at http://entropia.com/ips/  Now my
.sig is shorter and contains 3379 bits of entropy up to the next line's end:
-*---*---

Card-holding member of the Dark Legion of Cantorians, the Holy Order of the
Catenary, the Great SRian Conspiracy, the Triple-Sigma Club, the Union of
Quantum Mechanics, the Polycarbonate Syndicate, and People for the Ethical
Treatment of Digital Tierran Organisms
Avid watcher of "World's Most Terrifying Causality Violations", "When Kaons
Decay: World's Most Amazing CP Symmetry Breaking Caught On [Magnetic] Tape",
"World's Scariest Warp Accidents", "World's Most Energetic Cosmic Rays", and
"When Tidal Forces Attack: Caught on Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #6: Thou Shalt Always Obey CPT Symmetry.

--

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Kryptos article
Date: Wed, 30 Jun 1999 09:12:20 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> David Wagner wrote:
> > It's amazing how much of a difference it makes.  I almost wish
> > someone reputable would lie to the world and claim such-and-such
> > a cipher can be broken, just to see what the results are. :-)
> 
> They wouldn't have to lie -- history tells us that most ciphers are
> breakable under favorable circumstances, when the right approach is
> found.  Sometimes it takes a lot of work to find a suitable approach!

Putting Jim on the task would be hugely more useful than putting almost
anyone else I know on it, with a few exceptions.  Sharpshooters are proven highly
useful even in times when just firing as many weapons in the general
vicinity of the target is a conventional norm.  There is a big difference
between a lucky shot, and one who makes himself appear lucky, but both can
happen.
-- 
It's always possible that a politician is acting out of principles.
--Michael Kinsley of Slate.com

--

From: "Anton Stiglic" <[EMAIL PROTECTED]>
Subject: Re: How do you make RSA symmetrical?
Date: Wed, 30 Jun 1999 10:43:57 -0700


> The whole point to PKC is to have a well defined public-key
> cryptosystem.

Cryptography-Digest Digest #807

1998-12-29 Thread Digestifier

Cryptography-Digest Digest #807, Volume #8   Tue, 29 Dec 98 00:13:03 EST

Contents:
  Re: Session keys in Elliptic Curve (Mr. Tines)
  Re: seeking SSH shell account (James J. Lippard)
  Re: History of Cryptanalysis (Bruce Schneier)
  Re: RSA-Broken!!! (Bruce Schneier)
  Re: DS5002FP Secure Micro Crypted Buses (Andy Glew)
  Re: symmetric encryption with a user-supplied password
  Re: symmetric encryption with a user-supplied password
  Re: History of Cryptanalysis (MKinneyJR)
  seeking SSH shell account ("jason hathaway")
  Re: seeking SSH shell account (James Pate Williams, Jr.)
  Opinions on S/MIME (Brad Aisa)
  AFAIK (Andy)
  Re: RSA-Broken!!! (Bruce Schneier)
  Re: ppdd - Encrypted filesystem (incl root filesystem) for Linux - rev  (Brad Aisa)
  Re: RSA-Broken!!! (Dr. Yongge Wang)
  Re: DS5002FP Secure Micro Crypted Buses (Peter Gutmann)
  Decoder for Reed-Solomon codes? ([EMAIL PROTECTED])
  Re: seeking SSH shell account (James Pate Williams, Jr.)
  seeking SSH shell account ("jason hathaway")



From: Mr. Tines <[EMAIL PROTECTED]>
Subject: Re: Session keys in Elliptic Curve
Date: 27 Dec 1998 19:00 +

###

On 27 Dec 1998 16:34:52 +0100, in <[EMAIL PROTECTED]>
  Anonymous <[EMAIL PROTECTED]> wrote:

> -BEGIN PGP SIGNED MESSAGE-
>
> Mr. Tines wrote:
>
> >> Mr. Tines wrote:
> >> >In the simple case of elliptic curve encryption where
> >> >there is a known generator point P, with secret key x,
> >> >and public key P,P*x then key exchange could be
> >> >accomplished by taking random r and transmitting P*r,
> >> >and using (P*x)*r as the session key - so to that extent
> >> >the EC algorithm participates in the key generation.
> >>
> >> So the session key itself is not completely random?
> >
> >A random number (r) times a constant (P*x) is just
> >a re-scaled random number (or given that we're
> >working in a finite arithmetic, a random number over
> >a shuffled range).  There's no loss of entropy; the
> >session key P*x*r has as much entropy as the original r.
>
> There is as much entropy as with the original r, however
> the session key is not completely random since it can be
> mathematically reconstructed. Completely random session
> key would be unrecoverable, right?

Taking a trivial example, consider a much smaller
arithmetic, say arithmetic mod 8, where P=3 and
x=5, say.  In this case r is a random number 1-7,
with an equal probability of occupying each value.
We have P*x = 7, and for each r the value of P*x*r
is

r       1   2   3   4   5   6   7
P*x*r   7   6   5   4   3   2   1

While it is fortuitous in this case that the numbers
are reversed, the important point is that each value
appears once - so the resulting key is equiprobably
any of the numbers 1-7, so is just as random as the
original.

The reconstruction of the session key is not from thin
air, but by passing an intermediate value P*r

r       1   2   3   4   5   6   7
P*r     3   6   1   4   7   2   5

again, equiprobably occupying each of the possible values.

> Forgive me for being a bonehead, but could you please
> detail this a bit further? For this approach to work,
> the constant (P*x) must be something from which the
> x can't be easily determined by knowing P.

That's the trapdoor function in elliptic curve cryptography;
performing the division P*x/P requires one to extract
discrete logarithms in this arithmetic - which is a hard
problem of similar nature to the factorization used for
RSA.


> >What I would do would be to generate 256 bits of
> >entropy, slice into two 128-bit halves, expand each
> >to 160 bits using SHA-1 or RIPEM, and transmitting two
> >packets, P*r1 and P*r2.  Then concentrate the entropy
> >down again by using MD5(P*x*r1)+MD5(P*x*r2) (where +
> >denotes concatenation of bit-streams, and MD5 denotes
> >an agreed 128-bit hash) as the 256-bit session key.
>
> Am I correct in understanding that r is the result of
> this process of slicing and concentrating, and although
> you transmit two packets, the original 256 bits of
> entropy are never used as r, not even when encrypting?

Yes, I would not use the raw 256 bits, but some shuffled
quantity of equivalent entropy that can be computed
by both the two parties without needing to do anything
equivalent to breaking the cryptosystem.

> Then comes to the question, how to generate
> 256 bits of entropy, provided you need to
> generate it transparently and in software?

PGP uses timing intervals between keystrokes; I have
used the low bits of mouse pointer motion and the
content of the message to be encrypted, hashed down[*];
Java's self-proclaimed secu
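The mod-8 argument and the hashing scheme from the Tines/Anonymous exchange above, worked through as an added example (not code from the original post). Curve scalar multiplication is replaced by multiplication mod n, exactly as in the post's own toy with P=3 and x=5; the discrete-log "trapdoor" is trivial there, so only the entropy bookkeeping carries over. The example also checks the general condition the post's "each value appears once" relies on: multiplication by a constant is a bijection exactly when the constant is coprime to the modulus (2 mod 8 is not, and does lose entropy).

```python
"""Toy model of the EC session-key argument: does P*x*r lose entropy?

Added example; multiplication mod n stands in for scalar multiplication.
"""
import hashlib


def scale(a, b, n):
    """Stand-in for scalar multiplication 'P*x': plain multiplication mod n."""
    return (a * b) % n


def table(multiplier, n):
    """The post's tables: r -> multiplier*r mod n for every r in 1..n-1."""
    return {r: scale(multiplier, r, n) for r in range(1, n)}


def is_bijection(mapping):
    """True when every output appears exactly once, i.e. multiplying by the
    constant merely shuffles r and loses no entropy.  Holds exactly when the
    constant is coprime to n: 7 and 3 are units mod 8, 2 is not."""
    return sorted(mapping.values()) == sorted(mapping.keys())


def toy_key_exchange(P, x, r, n):
    """Alice holds secret x and publishes P*x; Bob picks r and sends P*r.
    Both arrive at P*x*r without ever seeing the other party's secret."""
    public = scale(P, x, n)              # Alice's long-term public value
    ephemeral = scale(P, r, n)           # what Bob transmits
    alice_key = scale(ephemeral, x, n)   # (P*r)*x
    bob_key = scale(public, r, n)        # (P*x)*r
    if alice_key != bob_key:
        raise RuntimeError("key agreement failed")
    return alice_key


def derive_scalars(entropy256):
    """Slice 256 bits of entropy into two 128-bit halves and expand each to
    160 bits with SHA-1, as the post describes; returns (r1, r2) as ints."""
    if len(entropy256) != 32:
        raise ValueError("need exactly 32 bytes (256 bits) of entropy")
    r1 = int.from_bytes(hashlib.sha1(entropy256[:16]).digest(), "big")
    r2 = int.from_bytes(hashlib.sha1(entropy256[16:]).digest(), "big")
    return r1, r2


def session_key(shared1, shared2):
    """The post's MD5(P*x*r1) + MD5(P*x*r2): two 128-bit hashes of the two
    shared values, concatenated into one 256-bit session key."""
    return hashlib.md5(shared1).digest() + hashlib.md5(shared2).digest()


if __name__ == "__main__":
    n, P, x = 8, 3, 5
    print("P*x*r:", table(scale(P, x, n), n))   # {1: 7, 2: 6, ..., 7: 1}
    print("P*r:  ", table(P, n))                # {1: 3, 2: 6, 3: 1, ...}
    print("unit multiplier 7 is a bijection:", is_bijection(table(7, n)))
    print("non-unit multiplier 2 is not:   ", is_bijection(table(2, n)))
    # Constructed 256 bits of "entropy", fixed so the run is reproducible.
    r1, r2 = derive_scalars(bytes(range(32)))
    # Fold each 160-bit scalar into the toy range 1..n-1 for the mod-8 model.
    k1 = toy_key_exchange(P, x, 1 + r1 % (n - 1), n)
    k2 = toy_key_exchange(P, x, 1 + r2 % (n - 1), n)
    key = session_key(k1.to_bytes(1, "big"), k2.to_bytes(1, "big"))
    print("256-bit session key:", key.hex())
```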