Cryptography-Digest Digest #807
Cryptography-Digest Digest #807, Volume #13       Mon, 5 Mar 01 14:13:01 EST

Contents:
  Re: => FBI easily cracks encryption ...? (Fogbottom)
  Re: Rabin's Unbreakable Code ([EMAIL PROTECTED])
  Ronald Lauder, Wave Communication, RSL Communications, Jews, Finnish Government, Lipponen from Markku (Los Angeles) ([EMAIL PROTECTED])
  Re: HPRNG (Mike Rosing)
  Re: OverWrite freeware completely removes unwanted files from harddrive ("Dan Beale")
  Re: => FBI easily cracks encryption ...? (Fogbottom)
  Re: beyond "group signatures": how to prove sibling relationships? ([EMAIL PROTECTED])
  Re: super strong crypto, phase 3 (David Wagner)
  A question to John Savard ("Roman E. Serov")
  Re: => FBI easily cracks encryption ...? (Fogbottom)
  Re: passphrase question ([EMAIL PROTECTED])
  Re: Monty Hall problem (was Re: philosophical question?) (Fred Galvin)
  Re: Monty Hall problem (was Re: philosophical question?) (Arturo Magidin)
  Re: Again on key expansion. ("Cristiano")

--

Date: 5 Mar 2001 18:21:35 -
From: [EMAIL PROTECTED] (Fogbottom)
Subject: Re: => FBI easily cracks encryption ...?
Crossposted-To: alt.security.pgp,talk.politics.crypto

In article <1aIo6.71775$[EMAIL PROTECTED]> "Mxsmanic" <[EMAIL PROTECTED]> wrote:

> In defense of the FBI, I think that FBI agents are better trained by
> orders of magnitude than the average municipal or state cop. There is a
> gulf of difference between the two, from what I've understood.

You've been watching "The FBI Story" a bit too often. The one (and probably
only) thing J. Edgar Hoover accomplished in his career was to set up an FBI
propaganda machine that Joseph Goebbels would have envied. Now that J. Edgar
is roasting in Hell, many of the FBI's foibles are coming to light.

It's true that there are some local cops who are very poorly trained,
especially in rural areas that can't afford to send them to police academies
or which appoint the mayor's brother-in-law as police chief. But in general,
local cops are just as well trained as FBI special agents and actually have
far more street experience.

> Nevertheless, it is true that law-enforcement agencies of all types tend
> to attract control freaks and people with violent tendencies. It is
> difficult to screen for such people, and additionally they are such a
> large part of the pool of available labor for these occupations that
> screening them out completely would leave most agencies crying for
> recruits.

--

From: [EMAIL PROTECTED]
Subject: Re: Rabin's Unbreakable Code
Date: 05 Mar 2001 10:22:37 -0800

[EMAIL PROTECTED] (Ben Cantrick) writes:

> The sender and receiver have to agree on a time to start recording
> the random bits that are being continually broadcasted, and also how
> many bits to record. And then they have to store the bits so they
> can use them to encrypt the message later.

Plus they agree on a pseudo-random number generator to tell which subset of
the bits to keep, they don't just grab a bunch of consecutive bits.

> At this point, you start to get an idea as to why most crypto
> people aren't that excited about Rabin's idea. If you can securely
> tell someone a piece of info, like a time and a number of bits, why
> didn't you just give them a one-time encryption pad while you were
> at it? That also has the advantage that nobody can record your
> one-time pad because it's not being broadcast to the public.

And by the same reasoning, AES is useless, "because if you can securely tell
someone a piece of info, like the AES key, why didn't you just give them a
one-time encryption pad while you were at it?"

Obviously, the point is that the size of the shared secret needed to agree on
how to index into the broadcast is much smaller than the size of a full
one-time pad. You combine a small-sized shared secret with large-sized
broadcast data to get the effect of a large-size OTP.

> About all Rabin's scheme buys you is that you don't have to know how
> to build a decent random number generator. In all other respects it's
> just a standard one-time pad.

Nonsense, building a decent RNG is crucial for Rabin's scheme, because it
depends on the randomness of the shared bit string. And it is not at all
like a standard OTP because the whole point is that the size of the shared
secret is small.

Alpha

--

From: [EMAIL PROTECTED]
Crossposted-To: alt.security,comp.security,alt.2600
Subject: Ronald Lauder, Wave Communication, RSL Communications, Jews, Finnish Government, Lipponen from Markku (Los Angeles)
Date: 5 Mar 2001 18:25:09 GMT

During my information search yesterday I discovered some
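The indexing scheme Alpha describes in the Rabin thread above (a short shared secret drives an agreed PRNG that selects which bits of a public random broadcast to keep, and the kept bits form the pad), as an added example that is not part of any post in this digest. SHA-256 in counter mode as the selecting PRNG, the bit-level selection, the nonce and the constructed 2048-byte stand-in for the broadcast are all assumptions of this example; the scheme's security argument additionally assumes the adversary cannot store the whole broadcast, which nothing in a toy like this enforces.

```python
import hashlib

# Stand-in for the public broadcast: 2048 bytes derived from fixed strings so
# the example is reproducible. This is constructed data, not randomness; the
# real scheme needs a genuinely random source here.
BROADCAST = b"".join(hashlib.sha256(b"broadcast-%d" % i).digest() for i in range(64))


def index_stream(seed: bytes, n_bits: int, n_needed: int) -> list:
    """Deterministically choose n_needed distinct bit positions in [0, n_bits)
    from a short seed. SHA-256 in counter mode is this example's choice of the
    PRNG the post says both sides agree on."""
    if n_needed > n_bits:
        raise ValueError("pad longer than broadcast")
    chosen, seen, counter = [], set(), 0
    while len(chosen) < n_needed:
        block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
        for i in range(0, 32, 4):
            # modulo bias is negligible while n_bits is far below 2**32
            pos = int.from_bytes(block[i:i + 4], "big") % n_bits
            if pos not in seen:
                seen.add(pos)
                chosen.append(pos)
                if len(chosen) == n_needed:
                    break
    return chosen


def get_bit(data: bytes, pos: int) -> int:
    return (data[pos >> 3] >> (7 - (pos & 7))) & 1


def derive_pad(shared_key: bytes, nonce: bytes, broadcast: bytes, n_bytes: int) -> bytes:
    """Assemble an n_bytes pad from the selected broadcast bits. The nonce is
    mixed into the seed so that reusing the short key for a second message does
    not reuse the same positions, which would turn this into a two-time pad."""
    positions = index_stream(shared_key + nonce, len(broadcast) * 8, n_bytes * 8)
    pad = bytearray(n_bytes)
    for i, pos in enumerate(positions):
        pad[i >> 3] |= get_bit(broadcast, pos) << (7 - (i & 7))
    return bytes(pad)


def crypt(shared_key: bytes, nonce: bytes, broadcast: bytes, data: bytes) -> bytes:
    """XOR with the derived pad; the same call encrypts and decrypts."""
    pad = derive_pad(shared_key, nonce, broadcast, len(data))
    return bytes(a ^ b for a, b in zip(data, pad))
```

The pad is as long as the message while the only secret is the 16-byte key plus a public nonce, which is the size asymmetry Alpha is pointing at. Note that the selection PRNG is only as good as its seed: with the key known, the positions and therefore the pad follow directly from the public broadcast.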
Cryptography-Digest Digest #807, Volume #12       Sun, 1 Oct 00 19:13:01 EDT

Contents:
  How Colossus helped crack Hitler's codes (Helger Lipmaa)
  Re: Chaos theory ("CMan")
  Re: Chaos theory ("CMan")
  Re: Question on biases in random-numbers & decompression (Mok-Kong Shen)
  Re: Question about encryption. (Tom St Denis)
  Re: Why is TwoFish better than Blowfish? (Anonymous)
  Re: Adobe Acrobat -- How Secure? (Tom St Denis)
  Re: Which is better? CRC or Hash? (Tom St Denis)
  Re: Adobe Acrobat -- How Secure? ("Douglas A. Gwyn")
  Re: Question about encryption. (Paul Rubin)
  Shareware Protection Schemes ("musashi_x")
  Slow but unbreakable? (Simon Johnson)
  Re: Shareware Protection Schemes (Ichinin)
  Re: The algorithm that can be broken by the U.S. mil and NSA/CIA/FBI wins check out the developers they just want to violate people's freedom of speech rights ... (John Savard)
  Re: How Colossus helped crack Hitler's codes (John Savard)
  Re: Adobe Acrobat -- How Secure? (Tom St Denis)
  Re: Slow but unbreakable? (Tom St Denis)
  Re: Deadline for AES... ("Paulo S. L. M. Barreto")
  Re: Deadline for AES... ("Paulo S. L. M. Barreto")

--

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: How Colossus helped crack Hitler's codes
Date: Sun, 01 Oct 2000 22:14:34 +0300

Quite interesting report at
http://www.telegraph.co.uk/et?ac=003549412141223&rtmo=wAfMMQKb&atmo=gg3K&pg=/et/00/9/30/ncol30.html

---

THE full story of how Hitler's secret codes were cracked by a rudimentary
computer was told officially for the first time yesterday.

The Government Communications Headquarters at Cheltenham declassified a
two-volume technical report on Colossus, the forerunner of the post-war
digital computer that saw the first practical use of large-scale
program-controlled computing.

Released through the Public Record Office, the 500-page report features
photographs, specifications and detailed notes about Colossus and other
code-breaking devices. The report also contains the blueprint of Colossus 2,
an upgraded "production model". This began operation on June 1, 1944, in time
to decipher messages confirming that Hitler had swallowed the Allies'
deception campaigns, giving them the confidence to go ahead with the invasion
of Europe.

More Colossi followed at the rate of about one a month and by the end of the
war there were 10 at Bletchley Park, the secret codebreaking establishment in
Buckinghamshire.

[...]

--

From: "CMan" <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Sun, 1 Oct 2000 11:03:44 -0700

What is INTERESTING is a subjective and relative term so filled with value
judgment as to be meaningless in this context.

Perhaps you should take a lesson from the poetry of Gerard Manley Hopkins who
notes in his work "Binsey Poplars" some things having to do with chaos:

  MY aspens dear, whose airy cages quelled,
  Quelled or quenched in leaves the leaping sun,
  All felled, felled, are all felled;
  Of a fresh and following folded rank
  Not spared, not one
  That dandled a sandalled
  Shadow that swam or sank
  On meadow and river and wind-wandering weed-winding bank.

etc...

Surely Spock, upon first hearing about Chaos theory as a student in a Vulcan
kindergarten would have raised one eyebrow and uttered the word "interesting."

An example of a well known interesting fact is that the teaching of Chaos
theory in the classroom is not allowed in Kansas.

JK

--
CRAK Software
http://www.crak.com
Password Recovery Software
QuickBooks, Quicken, Access...More
Spam bait (credit E. Needham):
root@localhost postmaster@localhost admin@localhost abuse@localhost
webmaster@localhost [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
> :> Jim Gillogly <[EMAIL PROTECTED]> wrote:
>
> :> : In mathematics, however, chaos lies on the boundary between
> :> : order and disorder, and is a study of systems that have behavior
> :> : that's largely predictable statistically...
> :>
> :> Not necessarily correct - chaotic systems can be highly disordered.
>
> : Gillogly was closer to the mark.
>
> Except for the fact that he stated that "chaos lies on the boundary
> between order and disorder" - which isn't right at all - while
Cryptography-Digest Digest #807, Volume #11       Thu, 18 May 00 07:13:01 EDT

Contents:
  Re: AES Comment: the Hitachi patent (Mok-Kong Shen)
  Re: What is a good Encryption program?? ([EMAIL PROTECTED])
  Re: AEES-Cascade ([EMAIL PROTECTED])
  Re: About Hardware RNG (Guy Macon)
  Re: zeroknowledge.com and freedom.net - Snake oil? (Guy Macon)
  Re: Interesting differentials in BREAKME (Mark Wooding)
  Re: Blowfish and Weak Keys (Mark Wooding)

--

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: AES Comment: the Hitachi patent
Date: Thu, 18 May 2000 10:37:39 +0200

Jerry Coffin wrote:

> > A comprehensive patent databank is offered by IBM on the
> > internet, if I don't err.
>
> A database, yes. Comprehensive, no.
>
> > Now MARS comes from IBM. IBM is such
> > a big firm and has itself numerous and numerous patents and hence
> > must have a large staff of very competent patent specialists. I can't
> > imagine that it could be a very difficult task for IBM to do a search
> > for potential patent conflicts with MARS, if it ever cares to do so.
>
> Yes and no -- conducting a search for potential conflicts is easy.
> Being sure you've caught all possible conflicts is impossible. About
> the best you can hope for is to be reasonably sure that you've caught
> most of the most relevant conflicts, and even that takes a great deal
> of time, effort and skill to do well.

Are you seeking 'perfection' in this world?? If you do something and achieve
something, it is anyway better than you do nothing and achieve nothing.
Should we do or do nothing to curb the damages being done to the natural
environments? One's health is never perfect. Should one take care to cure
some of the big illness or should we wait till the science has advanced to
such a point that curing ALL illness in one shot no longer ''takes a great
deal of time, effort and skill to do well'' ??

Searching for patent conflicts in the present case might be an onerous task
within the resource framework of the authors of Rijndael and Serpent but
certainly not for IBM! And in my humble view it is also the responsibility
of NIST to investigate patent matters from the very beginning of AES
project. As I said previously, apparently no serious effort has EVER been
undertaken by any party involved in AES up till now.

M. K. Shen
==
http://home.t-online.de/home/mok-kong.shen

--

From: [EMAIL PROTECTED]
Subject: Re: What is a good Encryption program??
Date: Thu, 18 May 2000 08:33:15 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim Tyler wrote:
> : FYI: 56 bit DES is about E +19. 128 bit DES is E +38.
>
> 2^56 ~= 10^17, not 10^19.

right, 0.72E16

> DES uses a 64-bit (10^19) key - but a byte of
> it is not used as key material.

heh, DES uses 56 bit key

> Also, what is 128-bit DES?

there is no such thing
there is only 112 and 168 bit tripleDES

==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp.htm <-- PGP half-Plugin for Netscape
http://disastry.dhs.org/pegwit  <-- Pegwit - simple alternative for PGP
remove .NOSPAM.NET for email reply
-----BEGIN PGP SIGNATURE-----
Version: Netscape PGP half-Plugin 0.14 by Disastry / PGPsdk v1.7.1

iQA/AwUBOSOOqDBaTVEuJQxkEQI3bwCgmLEC7tEfBGqjDqh1q8pnJerMhWUAoMMr
X9IADIp+ACgnCYkuCtYNsncy
=q95P
-----END PGP SIGNATURE-----

--

From: [EMAIL PROTECTED]
Subject: Re: AEES-Cascade
Date: Thu, 18 May 2000 08:24:27 GMT

David,

Thank you very much for your reply.

#Assuming you are using a modern fast PC,
#this seems quite slow.

It is only a question of time and development. There are a lot of other
factors that should be taken into account. For example: level of security.

#You should get pretty close to 50% change with a one bit
#change in input or key. Otherwise the big boys will break
#your cypher pretty easily, as soon as they can be bothered
#trying.

1. I suppose that Avalanche Effect idea is not to change one bit but to
change an amount of information in plain text.

2. I am not sure that all these criteria may be applied directly to cascade
architecture, which seems to be very complex for cryptanalysis.

Best regards.

Alex.

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: About Hardware RNG
Date: 18 May 2000 04:53:25 EDT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
>[EMAIL PROTECTED] (Guy Macon) wrote:
>
>>How does the circuit determine the threshold to compare the noise to
>>in order to decide whether to call the current bit a 1 or a 0? Is this
>>a logic input, comparator, op-amp, Transistor (FET or bipolar?) or what?
>
>My circu
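The avalanche measurement behind the advice quoted in the AEES-Cascade exchange above (close to 50% of output bits should change for a one-bit change in input or key), as an added example that is not part of any post in this digest. AEES-Cascade itself is not on the page, so SHA-256 stands in for a well-diffusing primitive and a byte-wise XOR mask for a function with no diffusion at all; the stand-ins and the trial counts are assumptions of this example, and the same harness takes any bytes-to-bytes function, so a cipher can be tested by fixing the key and treating the plaintext as input, or fixing the plaintext and treating the key as input.

```python
import hashlib
import secrets


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, pos: int) -> bytes:
    buf = bytearray(data)
    buf[pos >> 3] ^= 0x80 >> (pos & 7)
    return bytes(buf)


def avalanche(fn, in_len: int, trials: int) -> float:
    """Mean fraction of fn's output bits that change when one randomly chosen
    input bit is flipped. A well-diffusing cipher or hash scores about 0.5."""
    flipped = total = 0
    for _ in range(trials):
        x = secrets.token_bytes(in_len)
        y0 = fn(x)
        y1 = fn(flip_bit(x, secrets.randbelow(in_len * 8)))
        flipped += hamming(y0, y1)
        total += len(y0) * 8
    return flipped / total


def per_bit_flip_rates(fn, in_len: int, trials: int) -> list:
    """Per output bit: how often it changes across single-bit input flips.
    Catches output bits that are stuck or only weakly dependent on the input,
    which the single average above can hide."""
    counts = None
    for _ in range(trials):
        x = secrets.token_bytes(in_len)
        y0 = fn(x)
        y1 = fn(flip_bit(x, secrets.randbelow(in_len * 8)))
        diff = int.from_bytes(y0, "big") ^ int.from_bytes(y1, "big")
        n_bits = len(y0) * 8
        if counts is None:
            counts = [0] * n_bits
        for j in range(n_bits):
            if (diff >> (n_bits - 1 - j)) & 1:
                counts[j] += 1
    return [c / trials for c in counts]


def sha256_fn(x: bytes) -> bytes:
    """Stand-in for a primitive with good diffusion."""
    return hashlib.sha256(x).digest()


def xor_mask_fn(x: bytes) -> bytes:
    """Stand-in for a cipher with no diffusion: each output bit depends on
    exactly one input bit, so a single flip changes exactly one output bit."""
    return bytes(b ^ 0x5A for b in x)
```

With 16-byte inputs the XOR mask scores exactly 1/128 regardless of the trial count, while SHA-256 lands within a few thousandths of 0.5 after a few hundred trials; the per-bit rates are the check to run when the average looks fine but a few output bits never move.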
Cryptography-Digest Digest #807, Volume #10       Wed, 29 Dec 99 15:13:01 EST

Contents:
  Re: Video card reconfiguration ("Julien Dumesnil")
  Where can I get DVD Decoding Software? ([EMAIL PROTECTED])
  Re: Where can I get DVD Decoding Software? ("anonymous intentions")
  Re: Where can I get DVD Decoding Software? (Troed)
  Re: Secure Delete Not Smart (Jim)
  Re: Economic Espionage Act of 1996 and the U.S.A. government's violations (Jim)
  Re: Secure Delete Not Smart (Mark D)
  Re: More idiot "security problems" ("Trevor Jackson, III")
  Re: Encryption: Do Not Be Complacent (jose)
  AES wise? (Anonymous)
  Diffie-Hellman ("Daniel Roethlisberger")
  Re: Grounds for Optimism (David Crick)
  Re: AES wise? (John Savard)
  Advise on / e-money / e-cash / anon-cash / please (pgp651)
  Re: File format for CipherSaber-2? (Johnny Bravo)
  Cryptography in Tom Clancy (John Savard)
  Re: Attacks on a PKI (Anne & Lynn Wheeler)
  Re: Attacks on a PKI (Anne & Lynn Wheeler)

--

From: "Julien Dumesnil" <[EMAIL PROTECTED]>
Subject: Re: Video card reconfiguration
Date: Wed, 29 Dec 1999 18:36:59 +0100

> Doesn't seem likely to me.
>
> Why not get Motorola's AIM evaluation board, development libraries, etc.

John,

I'm sure I've read this info somewhere (don't remember where tho...)

Anyway the idea is _not_ to use specialised hardware, but to use a board
that could be bought through any computer hardware reseller... And
reprogram it to be faster than any PIII at doing cypher manipulation.

Don't know if you get my drift...

Regards,
julien

--

From: [EMAIL PROTECTED]
Subject: Where can I get DVD Decoding Software?
Date: Wed, 29 Dec 1999 17:14:02 GMT

I am looking for a software program that will decode the DVD protection
that is enabled on many DVD disks. I have heard so much talk on this, and
I must have this program. I'm sure it's floating around out there, but if
anyone knows of where I can download a DVD copy protection decoder, that
would be great.

Thanks

ICQ# 42616768

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: "anonymous intentions" <[EMAIL PROTECTED]>
Subject: Re: Where can I get DVD Decoding Software?
Date: Wed, 29 Dec 1999 09:37:30 -0600

You must have just missed it. Someone posted it in either sci.crypt or
alt.security.pgp this morning. Dec 29 1999 ~7am PST

I would check these groups (sync) on the usenet again. It was 23K and it was
the source code and mak file. Though it sounds like people are going down
for posting it, and of course, you could be a fed. Find it while you can. :)

<[EMAIL PROTECTED]> wrote in message news:84df0i$1lq$[EMAIL PROTECTED]...
> I am looking for a software program that will decode the DVD protection
> that is enabled on many DVD disks. I have heard so much talk on this,
> and I must have this program. I'm sure it's floating around out there,
> but if anyone knows of where I can download a DVD copy protection
> decoder, that would be great.
>
> Thanks
>
> ICQ# 42616768
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.

--

From: [EMAIL PROTECTED] (Troed)
Subject: Re: Where can I get DVD Decoding Software?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 29 Dec 1999 17:39:53 GMT

[EMAIL PROTECTED] wrote:

>I am looking for a software program that will decode the DVD protection
>that is enabled on many DVD disks. I have heard so much talk on this,
>and I must have this program. I'm sure it's floating around out there,
>but if anyone knows of where I can download a DVD copy protection
>decoder, that would be great.

Infoseek gives a nice list if you ask it for "DeCSS"

(By not giving you a direct link I'm making it a bit harder for the lawyers
who at this very moment are trying to make linking to other sites illegal)

___/
_/  Nazis, racists and other fools - only give themselves the shivers

--

From: [EMAIL PROTECTED] (Jim)
Subject: Re: Secure Delete Not Smart
Date: Wed, 29 Dec 1999 17:57:44 GMT
Reply-To: [EMAIL PROTECTED]

On Tue, 28 Dec 1999 23:52:00 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:

>Jim wrote:
>> >The best answer is to never store plaintext. The information must be encrypted as
>> >it is stored. Disk encryption software does this for you.
>>
>> So you're recommending that one always works within an enciphered volume
>> or partition?
>>
>> If so, ought you to secure delete plaintext versions which have not
>> been taken outside the enciphered volume?
>
>That is unnecessary. The principle of an encryp
Cryptography-Digest Digest #807, Volume #9       Wed, 30 Jun 99 13:13:02 EDT

Contents:
  Re: Secure link over Inet if ISP is compromised. ("Gene Sokolov")
  Re: Secure link over Inet if ISP is compromised. (S.T.L.)
  Re: Kryptos article (wtshaw)
  Re: How do you make RSA symmetrical? ("Anton Stiglic")
  Re: A Quantitative Scale for Empirical Length-Strength (wtshaw)
  Re: SSL Overhead (Kent Briggs)
  Re: MP3 Piracy Prevention is Impossible (Reuben Sumner)
  Re: A Quantitative Scale for Empirical Length-Strength (Jim Gillogly)
  Re: A Quantitative Scale for Empirical Length-Strength (wtshaw)
  Re: Kryptos article (John Myre)
  Re: Can Anyone Help Me Crack A Simple Code? (John Savard)
  Re: Can Anyone Help Me Crack A Simple Code? (John Savard)
  Re: BAN Logic considered useful? (Don Davis)
  Re: RSA or DIFFIE-HELLMAN (Lutz Donnerhacke)
  RSA or DIFFIE-HELLMAN (chicago)
  Re: A Quantitative Scale for Empirical Length-Strength (wtshaw)
  Re: new book (John Savard)
  Re: trapdoor one way functions (Nicol So)
  D - CD-R encryption (Dupavoy)
  Re: A Quantitative Scale for Empirical Length-Strength (Mok-Kong Shen)
  Re: Why Elliptic Curve Cryptosystem is stronger with shorter key length? (Robert Harley)
  Re: Windows9x Crypt Function ("Andrew Whalan")

--

From: "Gene Sokolov" <[EMAIL PROTECTED]>
Subject: Re: Secure link over Inet if ISP is compromised.
Date: Wed, 30 Jun 1999 17:46:40 +0400

Alan Braggins <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...

It helps to read the original post. Or at least a post one up in the thread.

--

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: Secure link over Inet if ISP is compromised.
Date: 30 Jun 1999 14:17:44 GMT

<>

By compromised, do you mean monitored or prevented? If you monitor a
face-to-face conversation between me and Bob, then we can still exchange
public keys and know we can communicate safely. Of course, Bob may be an
agent for the other side anyways.

-*---*---
S.T.L.  ===> [EMAIL PROTECTED] <===  BLOCK RELEASED!
2^3021377 - 1 is PRIME!
Quotations: http://quote.cjb.net  Main website: http://137.tsx.org
MOO!  "Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"  e^(i*Pi)+1=0
F00FC7C8
E-mail block is gone. It will return if I'm bombed again. I don't care, it's
an easy fix. Address is correct as is. The courtesy of giving correct E-mail
addresses makes up for having to delete junk which gets through anyway.
Join the Great Internet Mersenne Prime Search at http://entropia.com/ips/
Now my .sig is shorter and contains 3379 bits of entropy up to the next
line's end:
-*---*---
Card-holding member of the Dark Legion of Cantorians, the Holy Order of the
Catenary, the Great SRian Conspiracy, the Triple-Sigma Club, the Union of
Quantum Mechanics, the Polycarbonate Syndicate, and People for the Ethical
Treatment of Digital Tierran Organisms
Avid watcher of "World's Most Terrifying Causality Violations", "When Kaons
Decay: World's Most Amazing CP Symmetry Breaking Caught On [Magnetic] Tape",
"World's Scariest Warp Accidents", "World's Most Energetic Cosmic Rays", and
"When Tidal Forces Attack: Caught on Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #6: Thou Shalt Always Obey CPT Symmetry.

--

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Kryptos article
Date: Wed, 30 Jun 1999 09:12:20 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:

> David Wagner wrote:
> > It's amazing how much of a difference it makes. I almost wish
> > someone reputable would lie to the world and claim such-and-such
> > a cipher can be broken, just to see what the results are. :-)
>
> They wouldn't have to lie -- history tells us that most ciphers are
> breakable under favorable circumstances, when the right approach is
> found. Sometimes it takes a lot of work to find a suitable approach!

Putting Jim on the task would be hugely more useful than putting almost
anyone else I know, with a few exceptions. Sharpshooters are proven highly
useful even in times when just firing as many weapons in the general
vicinity of the target is a conventional norm. There is a big difference
between a lucky shot, and one who makes himself appear lucky, but both can
happen.

--
It's always possible that a politician is acting out of principles.
--Michael Kinsley of Slate.com

--

From: "Anton Stiglic" <[EMAIL PROTECTED]>
Subject: Re: How do you make RSA symmetrical?
Date: Wed, 30 Jun 1999 10:43:57 -0700

> The whole point to PKC is to have a well defined public-key
> cryptosystem.
Cryptography-Digest Digest #807, Volume #8       Tue, 29 Dec 98 00:13:03 EST

Contents:
  Re: Session keys in Elliptic Curve (Mr. Tines)
  Re: seeking SSH shell account (James J. Lippard)
  Re: History of Cryptanalysis (Bruce Schneier)
  Re: RSA-Broken!!! (Bruce Schneier)
  Re: DS5002FP Secure Micro Crypted Buses (Andy Glew)
  Re: symmetric encryption with a user-supplied password
  Re: symmetric encryption with a user-supplied password
  Re: History of Cryptanalysis (MKinneyJR)
  seeking SSH shell account ("jason hathaway")
  Re: seeking SSH shell account (James Pate Williams, Jr.)
  Opinions on S/MIME (Brad Aisa)
  AFAIK (Andy)
  Re: RSA-Broken!!! (Bruce Schneier)
  Re: ppdd - Encrypted filesystem (incl root filesystem) for Linux - rev (Brad Aisa)
  Re: RSA-Broken!!! (Dr. Yongge Wang)
  Re: DS5002FP Secure Micro Crypted Buses (Peter Gutmann)
  Decoder for Reed-Solomon codes? ([EMAIL PROTECTED])
  Re: seeking SSH shell account (James Pate Williams, Jr.)
  seeking SSH shell account ("jason hathaway")

--

From: Mr. Tines <[EMAIL PROTECTED]>
Subject: Re: Session keys in Elliptic Curve
Date: 27 Dec 1998 19:00 +

### On 27 Dec 1998 16:34:52 +0100, in <[EMAIL PROTECTED]>
Anonymous <[EMAIL PROTECTED]> wrote.

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Mr. Tines wrote:
>
> >> Mr. Tines wrote:
> >> >In the simple case of elliptic curve encryption where
> >> >there is a known generator point P, with secret key x,
> >> >and public key P,P*x then key exchange could be
> >> >accomplished by taking random r and transmitting P*r,
> >> >and using (P*x)*r as the session key - so to that extent
> >> >the EC algorithm participates in the key generation.
> >>
> >> So the session key itself is not completely random?
> >
> >A random number (r) times a constant (P*x) is just
> >a re-scaled random number (or given that we're
> >working in a finite arithmetic, a random number over
> >a shuffled range). There's no loss of entropy; the
> >session key P*x*r has as much entropy as the original r.
>
> There is as much entropy as with the original r, however
> the session key is not completely random since it can be
> mathematically reconstructed. Completely random session
> key would be unrecoverable, right?

Taking a trivial example; consider a much smaller arithmetic, say
arithmetic mod 8; where P=3, and x=5 say. In this case r is a random
number 1-7, with an equal probability of occupying each value. We have
P*x = 7, and for each r, the value of P*x*r is

  r       1 2 3 4 5 6 7
  P*x*r   7 6 5 4 3 2 1

While it is fortuitous in this case that the numbers are reversed, the
important point is that each value appears once - so the resulting key is
equiprobably any of the numbers 1-7, so is just as random as the original.

The reconstruction of the session key is not from thin air, but by passing
an intermediate value P*r

  r       1 2 3 4 5 6 7
  P*r     3 6 1 4 7 2 5

again, equiprobably occupying each of the possible values.

> Forgive me for being a bonehead, but could you please
> detail this a bit further? For this approach to work,
> the constant (P*x) must be something from which the
> x can't be easily determined by knowing P.

That's the trapdoor function in elliptic curve cryptography; performing the
division P*x/P requires one to extract discrete logarithms in this
arithmetic - which is a hard problem of similar nature to the factorization
used for RSA.

> >What I would do would be to generate 256 bits of
> >entropy, slice into two 128-bit halves, expand each
> >to 160 bits using SHA-1 or RIPEM, and transmitting two
> >packets, P*r1 and P*r2. Then concentrate the entropy
> >down again by using MD5(P*x*r1)+MD5(P*x*r2) (where +
> >denotes concatenation of bit-streams, and MD5 denotes
> >an agreed 128-bit hash) as the 256-bit session key.
>
> Am I correct in understanding that r is the result of
> this process of slicing and concentrating, and although
> you transmit two packets, the original 256 bits of
> entropy are never used as r, not even when encrypting?

Yes, I would not use the raw 256 bits, but some shuffled quantity of
equivalent entropy that can be computed by both the two parties without
needing to do anything equivalent to breaking the cryptosystem.

> Then comes to the question, how to generate
> 256 bits of entropy, provided you need to
> generate it transparently and in software?

PGP uses timing intervals between keystrokes; I have used the low bits of
mouse pointer motion and the content of the message to be encrypted, hashed
down[*]; Java's self-proclaimed secu
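The exchange Mr. Tines describes (public key x*G, two packets r1*G and r2*G, session key MD5(x*r1*G) concatenated with MD5(x*r2*G)) together with his mod-8 scaling tables, as an added example that is not part of any post in this digest. The curve y^2 = x^3 + 2x + 3 over GF(97), the generator (3, 6), the point encoding and the reduction of the SHA-1 output into the scalar range are all assumptions of this example; MD5 and SHA-1 appear only because the post names them, not as a recommendation.

```python
import hashlib
import math
import secrets

# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over GF(P_MOD). Constructed
# for illustration only: a 7-bit field is no substitute for a real curve, but
# it lets every step of the exchange be inspected by hand.
P_MOD, A, B = 97, 2, 3
G = (3, 6)      # 3^3 + 2*3 + 3 = 36 = 6^2 (mod 97), so G lies on the curve
INF = None      # the point at infinity, the group identity


def ec_add(p1, p2):
    """Group law, covering doubling and the inverse case p1 + (-p1) = INF."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def point_order(pt):
    n, q = 1, pt
    while q is not INF:
        q, n = ec_add(q, pt), n + 1
    return n


N = point_order(G)      # order of the generator; scalars live in 1..N-1


def scaled_table(n, c):
    """The post's integer illustration: c*r mod n for r = 1..n-1."""
    return [c * r % n for r in range(1, n)]


def scaling_is_permutation(pt):
    """r -> r*pt hits each non-identity multiple exactly once iff pt has order N."""
    images = {ec_mul(r, pt) for r in range(1, N)}
    return len(images) == N - 1 and INF not in images


def encode(pt):
    return b"O" if pt is INF else b"%d,%d" % pt


def expand_scalar(half):
    # The post expands each 128-bit half to 160 bits with SHA-1; reducing the
    # result into 1..N-1 is this example's addition, needed only because the
    # toy group is tiny.
    return int.from_bytes(hashlib.sha1(half).digest(), "big") % (N - 1) + 1


def initiator(pub):
    """Sender: 256 bits of entropy -> r1, r2 -> packets r1*G, r2*G and the key."""
    entropy = secrets.token_bytes(32)
    r1, r2 = expand_scalar(entropy[:16]), expand_scalar(entropy[16:])
    packets = (ec_mul(r1, G), ec_mul(r2, G))
    key = (hashlib.md5(encode(ec_mul(r1, pub))).digest()
           + hashlib.md5(encode(ec_mul(r2, pub))).digest())
    return packets, key


def responder(x, packets):
    """Receiver: x*(r_i*G) equals r_i*(x*G), so the same 256-bit key results."""
    q1, q2 = packets
    return (hashlib.md5(encode(ec_mul(x, q1))).digest()
            + hashlib.md5(encode(ec_mul(x, q2))).digest())


def demo():
    """Returns (keys_agree, key_length_bytes, scaling_by_pub_is_permutation)."""
    x = secrets.randbelow(N - 1) + 1
    while math.gcd(x, N) != 1:      # keep x*G of full order, see note below
        x = secrets.randbelow(N - 1) + 1
    pub = ec_mul(x, G)
    packets, key_a = initiator(pub)
    key_b = responder(x, packets)
    return key_a == key_b, len(key_a), scaling_is_permutation(pub)
```

The gcd loop in demo() spells out the condition the mod-8 tables rely on implicitly: multiplication by a constant permutes the non-zero residues only when the constant is a unit (7 and 3 are units mod 8, 2 is not), and in a curve group the analogous condition is that the public point has the full order N. Real curves are chosen with prime group order precisely so that every non-identity point qualifies and no such check is needed; with a composite N, as this toy may have, a public key in a small subgroup would collapse the session key onto a small set of values.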