Cryptography-Digest Digest #951

2001-03-20 Thread Digestifier

Cryptography-Digest Digest #951, Volume #13  Tue, 20 Mar 01 13:13:00 EST

Contents:
  Re: What do we mean when we say a cipher is broken? (John Myre)
  How do you test a Blowfish encryption routine? ("Ace Bezerka")
  What the Hell...Here's what my system can do at it's best... (Keill Randor - 
([EMAIL PROTECTED]))
  Re: Is SHA-1 Broken? (Jim Steuert)
  Re: Codes that use *numbers* for keys (Mok-Kong Shen)
  Re: FIPS 140-1 does not adress eavesdropping (Frank Gerlach)
  Re: NSA in the news on CNN (Ichinin)
  Re: Idea - (LONG) (amateur)
  Re: How do you test a Blowfish encryption routine? (Frank Gerlach)
  Strong Primes (Peter Engehausen)
  Re: What the Hell...Here's what my system can do at it's best... (SCOTT19U.ZIP_GUY)
  Re: How do you test a Blowfish encryption routine? (Frank Gerlach)



From: John Myre [EMAIL PROTECTED]
Subject: Re: What do we mean when we say a cipher is broken?
Date: Tue, 20 Mar 2001 09:31:33 -0700


(More thoughts on terminology)

If we use "broken" only when a cipher is insecure in actual
practice, we need another term for "not useless but not
exactly performing to spec, either".  The phrase "academic
break" has been used, although it doesn't seem to be popular.
Perhaps this is due to the negative connotations for academia,
or maybe just because it's clumsy: who wants to say
"academically broken"?

Perhaps we could say, for example, "flawed".  "Limited"?
Doubtless there are better possibilities...

The same problem exists for "secure".  In that case, I think
I'd rather use the academic point of view.  That is, a cipher
is "secure" only when not even certificational attacks exist.
Thus, for me, many ciphers are neither secure nor broken:
flaws exist but cannot be practically exploited.  Yet.

Actually what I'd really like is a scheme for describing
ciphers in a much more comprehensive way.  The different
types of vulnerabilities and the attacks that exploit them
are not equivalent, and therefore a particular cipher can
be appropriate in one circumstance and not in another.
A lattice of evaluations, with "secure" at the top and
"broken" at the bottom, and other terms based on the types
and severity of weaknesses, could be defined.  A linear
"strength" scale is just too simplistic, but we still need
a way to summarize.

(I suppose one could say that we will create (and perhaps
have, already, in AES) a secure, fast, cheap cipher, and
therefore anything else is pointless.  I think that this
is wrong, because it isn't obvious that such a holy
grail is even possible.  Certainly our current state of
knowledge is insufficient to prove it one way or another.)

JM

--

From: "Ace Bezerka" [EMAIL PROTECTED]
Subject: How do you test a Blowfish encryption routine?
Date: Tue, 20 Mar 2001 11:07:56 -0500

How can I test a blowfish encryption to see if it performs properly?  Are
there test vectors available to use to ensure the proper operation of my
routine?  What about SHA, SHA-1, and SHA256?
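
A known-answer harness for exactly this question, added here as an example
(it is not code from the thread or from any poster). The Blowfish is written
from the published algorithm; its P-array and S-boxes are the hex digits of
pi, as the cipher specifies, so they are regenerated at import time instead
of being pasted in. The cipher vectors are the ones on Schneier's Blowfish
page (key, plaintext, ciphertext), and the hash vectors are the FIPS 180
examples, checked against hashlib. The chunked `update` loop is deliberate:
a routine that passes a one-shot test and fails when fed odd-sized pieces
has a buffering bug, which is the usual place a hand-written SHA goes wrong.

```python
"""Known-answer tests for a Blowfish implementation and for SHA-1/SHA-256.
Added example, not code from the thread.  Blowfish is written from the
published algorithm; its P-array and S-boxes are the hex digits of pi, as
the cipher specifies, regenerated here rather than pasted in.  Cipher
vectors are from Schneier's Blowfish page, hash vectors from FIPS 180."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def pi_hex_fraction(ndigits):
    """First `ndigits` hex digits after the point of pi (Machin's formula in
    integer arithmetic; 8 guard digits absorb the series truncation)."""
    guard = 8
    scale = 16 ** (ndigits + guard)

    def arctan_inv(x):                        # arctan(1/x) * scale
        total, term, k, sign = 0, scale // x, 0, 1
        while term:
            total += sign * (term // (2 * k + 1))
            term //= x * x
            sign, k = -sign, k + 1
        return total

    frac = 4 * (4 * arctan_inv(5) - arctan_inv(239)) - 3 * scale
    return format(frac, "x").zfill(ndigits + guard)[:ndigits]


_DIGITS = pi_hex_fraction((18 + 4 * 256) * 8)   # 18 P words + 4*256 S words
_INIT = [int(_DIGITS[i:i + 8], 16) for i in range(0, len(_DIGITS), 8)]
assert _INIT[0] == 0x243F6A88                    # P[0] as printed in the spec


class Blowfish:
    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("Blowfish key must be 4..56 bytes")
        self.P = _INIT[:18]
        self.S = [_INIT[18 + 256 * j:18 + 256 * (j + 1)] for j in range(4)]
        j = 0                                 # XOR the key, cycled, into P
        for i in range(18):
            word = 0
            for _ in range(4):
                word = (word << 8) | key[j]
                j = (j + 1) % len(key)
            self.P[i] ^= word
        l = r = 0                             # then replace P and S with a
        for i in range(0, 18, 2):             # running encryption of zero
            l, r = self._rounds(l, r, self.P)
            self.P[i], self.P[i + 1] = l, r
        for box in self.S:
            for i in range(0, 256, 2):
                l, r = self._rounds(l, r, self.P)
                box[i], box[i + 1] = l, r

    def _f(self, x):
        s0, s1, s2, s3 = self.S
        h = (s0[x >> 24] + s1[(x >> 16) & 0xFF]) & MASK
        return ((h ^ s2[(x >> 8) & 0xFF]) + s3[x & 0xFF]) & MASK

    def _rounds(self, l, r, subkeys):         # 16 Feistel rounds + whitening;
        for p in subkeys[:16]:                # decryption = same network with
            l ^= p                            # the subkeys reversed
            r ^= self._f(l)
            l, r = r, l
        l, r = r, l                           # undo the last swap
        return l ^ subkeys[17], r ^ subkeys[16]

    def encrypt_block(self, block):
        return struct.pack(">II", *self._rounds(*struct.unpack(">II", block), self.P))

    def decrypt_block(self, block):
        return struct.pack(">II", *self._rounds(*struct.unpack(">II", block), self.P[::-1]))


BLOWFISH_VECTORS = [                           # (key, plaintext, ciphertext)
    ("0000000000000000", "0000000000000000", "4EF997456198DD78"),
    ("FFFFFFFFFFFFFFFF", "FFFFFFFFFFFFFFFF", "51866FD5B85ECB8A"),
    ("0123456789ABCDEF", "1111111111111111", "61F9C3802281B096"),
]
HASH_VECTORS = [                               # (algorithm, message, digest)
    ("sha1", b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("sha256", b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]


def run_known_answer_tests():
    """Return the list of failing vectors; an empty list means all matched."""
    failures = []
    for key, pt, ct in BLOWFISH_VECTORS:
        bf = Blowfish(bytes.fromhex(key))
        got = bf.encrypt_block(bytes.fromhex(pt))
        if got != bytes.fromhex(ct) or bf.decrypt_block(got) != bytes.fromhex(pt):
            failures.append(("blowfish", key, pt, got.hex()))
    for algo, msg, digest in HASH_VECTORS:
        h = hashlib.new(algo)
        for i in range(0, len(msg), 3):        # odd-sized chunks catch buffering bugs
            h.update(msg[i:i + 3])
        if h.hexdigest() != digest:
            failures.append((algo, msg, h.hexdigest()))
    return failures
```

Swap your own Blowfish class in for the one above and `run_known_answer_tests()` tells you whether it agrees with the published vectors; a mismatch on the all-zero key almost always means the key schedule (the 521 self-encryptions) rather than the round function.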



--

From: Keill Randor - ([EMAIL PROTECTED]) [EMAIL PROTECTED]
Subject: What the Hell...Here's what my system can do at it's best...
Date: Tue, 20 Mar 2001 16:14:56 +


What my system allows you to do, (at its best), is turn one piece of data - (or 
text), into two or more pieces, (neither of which can be proven to be encrypted), in 
such a way that is unsolvable - i.e. you need to know what the original piece of data 
was in order to get it back - (not difficult, trust me).  (In addition to being 
unsolvable, it is also uncrackable).  Then, you work out an alternative solution, for 
the real one, which also involves an existing piece of data (or part thereof), which 
cannot individually be proven to be encrypted.  This is where being able to turn any 
piece of data into any piece of data comes in.  Being able to manufacture any 
solution from an encrypted (or not) piece of data or text.

This system is a TRUE asymmetrical system.  The method by which you encrypt a peice of 
data, may be COMPLETELY different from the method used to decrypt it.

This system obeys my three rules of encryption:

1)  Make the actual solution as convoluted as necessary.

2)  Have more than one viable solution, (preferably any).

3)  Have no way of knowing that it's encrypted in the first place.

The following paragraphs contain all three parts to a puzzle, I do not expect you to 
find them and solve it - it's merely here as a demonstration:


Keill Randor, is a name taken from a series of books written by a Canadian Science 
fiction author, Douglas Hill, called the Last Legionary Quintet.  (They are meant for 
the teenage market, but they're still fun even now).

Oh Dear.  I fell over my spare box of computer stuff earlier, and found an old 
graphics car

Cryptography-Digest Digest #951

2000-10-18 Thread Digestifier

Cryptography-Digest Digest #951, Volume #12  Wed, 18 Oct 00 13:13:00 EDT

Contents:
  Re: Is it trivial for NSA to crack these ciphers? (Bob Silverman)
  Re: CHAP security hole question (Vernon Schryver)
  Re: Is it trivial for NSA to crack these ciphers? (John Myre)
  Re: FTL Computation ("Paul Lutus")
  Re: Works the md5 hash also for large datafiles (4GB) ? (Tom St Denis)
  Problem with the CS-Cipher (Tom St Denis)
  Re: Counting one bits is used how? ("bubba")
  Efficient software LFSRs ("Trevor L. Jackson, III")
  Rijndael in Perl (Tony L. Svanstrom)
  Re: Enigma: Stolen German Code Machine Turns Up in BBC Mailroom (Andre)
  Re: CHAP security hole question ("Trevor L. Jackson, III")
  Re: Efficient software LFSRs ("Trevor L. Jackson, III")
  Re: How about the ERIKO-CHAN cipher? (James Felling)



From: Bob Silverman [EMAIL PROTECTED]
Subject: Re: Is it trivial for NSA to crack these ciphers?
Date: Wed, 18 Oct 2000 15:17:18 GMT

In article [EMAIL PROTECTED],
  [EMAIL PROTECTED] (John Savard) wrote:
 On Sat, 14 Oct 2000 13:42:06 -0500, "Stephen M. Gardner"
 [EMAIL PROTECTED] wrote, in part:

 could accomplish more
 than a larger group of scientists working in the open

 Ah, but the number of mathematicians working in the open on
 cryptography is far smaller than the number working in the NSA.

This so-called fact is often quoted, but is far from the truth.
I suggest you look over the proceedings from Crypto, Euro-Crypt
and Asia-Crypt as well as some of the other conferences dealing with
crypto.  COUNT the number of different authors. Also check cross-
references.  The number will surprise you. The NSA/CCR does not
have anywhere close to this number of mathematicians.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: [EMAIL PROTECTED] (Vernon Schryver)
Subject: Re: CHAP security hole question
Date: 18 Oct 2000 09:24:18 -0600

In article 8sjbtt$2df$[EMAIL PROTECTED],  [EMAIL PROTECTED] wrote:

 ...
My question is on CHAP, the Challenge Handshake Authentication Protocol.
 I have found papers on the Net that publish crypto weaknesses in the MS
implementation of CHAP that is based on hashed passwords.  And there
seems to be freely available software based on a dictionary attack
to exploit the security hole in the MS implementation.  So my question is:
Is this weakness general to CHAP itself, or just to the MS implementation of
CHAP?  And are there other similar authentication or security protocols
that provide better protection against attack than CHAP does?
 ...

MS does not have an implementation of CHAP, but a protocol that is
distinct from CHAP defined in RFC 1994.  A good comparison between
MS-CHAP and the RFC 1994 standard can be found starting on page 113 of
"PPP Design, Implementation, and Debugging," second edition, by James
Carlson.  Even people who are very familiar with PPP can find useful
information in Carlson's book on the PPP protocols not documented or
not fully documented in any RFC.

Carlson lists three main holes in MS-CHAP.  The first is not really
a hole in MS-CHAP but the observation that it is possible to obtain
lists of passwords from Microsoft systems.  Anything based on shared
secrets is no stronger than the secrecy of those secrets.

The second is that Microsoft uses a single secret to authenticate both
a source of PPP packets and access to a user account.  The ability to
send PPP packets to a system is generally no worse than what can be done
to the same system through its other network connections by any random
bad guy without any secret knowledge, while access to an account is the
whole thing.  Other brands of systems can distinguish the two.  If a bad
guy gets a CHAP secret, all that need be compromised is IP packet access,
but an MS-CHAP secret is often useful for more serious dirty work.

The third hole is in the amazing mechanism for changing passwords
over the wire, effectively in cleartext.  What more needs be said
about something like that?

I'd add a fourth hole.  For years Microsoft stridently insisted that
MS-CHAP was more secure than CHAP, and incidentally had interoperability
problems with systems compliant with the open PAP and CHAP standards.
In other words, as always, beware of monopolists bearing proprietary gifts.


Vernon Schryver[EMAIL PROTECTED]
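
The RFC 1994 exchange that Schryver contrasts with MS-CHAP, written out as
an added example (not code from the thread): both sides' packets, the
authenticator's check, and the offline guessing attack a passive listener
can run. The packet layout and the MD5(Identifier || secret || challenge)
response are as RFC 1994 specifies; the peer names, the secret and the word
list are constructed for the demo. It also answers the original question
about whether dictionary attacks are an MS-CHAP-only problem: in standard
CHAP the secret goes straight into MD5 with a challenge that was sent in
the clear, so one captured exchange lets an eavesdropper test candidate
secrets offline at full speed. MS-CHAP's published weaknesses come on top
of that, not instead of it, which is Schryver's "no stronger than the
secrecy of those secrets" point.

```python
"""RFC 1994 CHAP: challenge/response exchange, verification on the
authenticator, and the offline guessing attack a passive eavesdropper runs.
Added example, not code from the thread.  Packet layout and the
MD5(Identifier || secret || challenge) response follow RFC 1994; the names,
secret and word list are constructed for the demo."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE = 1, 2


def chap_response(identifier, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code, identifier, value, name):
    """Code | Identifier | Length(2) | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (CHALLENGE, RESPONSE) or length != len(packet) or length < 5:
        raise ValueError("malformed CHAP packet")
    size = packet[4]
    if 5 + size > length:
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, packet[5:5 + size], packet[5 + size:]


class Authenticator:
    """The side holding the secrets.  CHAP needs them in cleartext (or
    reversibly encrypted); there is no salted one-way store possible here."""

    def __init__(self, secrets_by_name):
        self.secrets = secrets_by_name
        self.pending = {}                    # identifier -> outstanding challenge

    def challenge(self, identifier, my_name=b"nas"):
        value = os.urandom(16)               # must be unpredictable and unique
        self.pending[identifier] = value
        return build_packet(CHALLENGE, identifier, value, my_name)

    def check(self, packet):
        code, identifier, value, name = parse_packet(packet)
        challenge = self.pending.pop(identifier, None)   # single use: no replay
        secret = self.secrets.get(name)
        if code != RESPONSE or challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(value, expected)      # constant-time compare


def peer_respond(challenge_packet, my_name, secret):
    """The dial-in peer: hash its secret into the challenge it was sent."""
    code, identifier, value, _ = parse_packet(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("expected a Challenge")
    return build_packet(RESPONSE, identifier,
                        chap_response(identifier, secret, value), my_name)


def dictionary_attack(challenge_packet, response_packet, wordlist):
    """Eavesdropper: the secret enters the hash directly, so one captured
    exchange is an offline oracle for candidate secrets.  Returns the hit."""
    _, identifier, challenge, _ = parse_packet(challenge_packet)
    _, _, value, _ = parse_packet(response_packet)
    for word in wordlist:
        if chap_response(identifier, word, challenge) == value:
            return word
    return None


def demo():
    secret = b"hunter2"                      # constructed, deliberately weak
    auth = Authenticator({b"alice": secret})
    chal = auth.challenge(identifier=7)
    resp = peer_respond(chal, b"alice", secret)
    accepted = auth.check(resp)
    replayed = auth.check(resp)              # same packet again is rejected
    words = [b"password", b"letmein", b"hunter2", b"correcthorse"]
    return accepted, replayed, dictionary_attack(chal, resp, words)
```

The only defence CHAP itself offers against the last function is a secret with enough entropy that the word list never finishes; a protocol that does better (a password-authenticated key exchange, or a challenge over a key derived by a slow, salted function) has to be designed for it rather than bolted on.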

--

From: John Myre [EMAIL PROTECTED]
Subject: Re: Is it trivial for NSA to crack these ciphers?
Date: Wed, 18 Oct 2000 09:48:27 -0600

Bob Silverman wrote:
snip
 I am curious about the psychology of people who ask these kinds of
 questions -- questions for which it is clear that noone can answer
 in a meaningful way.  What is the point?
snip

Good question.  But I doubt you'll get any satisfacto

Cryptography-Digest Digest #951

2000-06-05 Thread Digestifier

Cryptography-Digest Digest #951, Volume #11   Mon, 5 Jun 00 20:13:01 EDT

Contents:
  Cryptographic voting (Jim Ferry)
  Re: DES -- Annoyed (tomstd)
  Re: Cryptographic voting (tomstd)
  Re: Observer 4/6/2000: "Your privacy ends here" (leo)
  Re: RSA Algorithm ("Douglas A. Gwyn")
  Re: Evidence Eliminator, is it patented, copyrighted, trademarked ? 
([EMAIL PROTECTED])
  Re: Is OTP unbreakable? (Mok-Kong Shen)
  Re: Question about recommended keysizes (768 bit RSA) (Roger Schlafly)
  Re: Donald Davies has died ([EMAIL PROTECTED])
  Re: Question about recommended keysizes (768 bit RSA) (Jerry Coffin)
  Re: Evidence Eliminator, is it patented, copyrighted, trademarked ? (Ron B.)
  Re: DVD encryption secure? -- any FAQ on it (Bryan Olson)
  Re: Could RC4 used to generate S-Boxes? (Terry Ritter)
  Re: DVD encryption secure? -- any FAQ on it (David A. Wagner)
  Re: Question about recommended keysizes (768 bit RSA) (David A. Wagner)
  Re: Cryptographic voting (Mok-Kong Shen)
  Re: XTR (was: any public-key algorithm) (Bodo Moeller)
  Re: Observer 4/6/2000: "Your privacy ends here" (Brian {Hamilton Kelly})



From: Jim Ferry jferry@[delete_this]uiuc.edu
Crossposted-To: sci.math
Subject: Cryptographic voting
Date: Mon, 05 Jun 2000 17:11:17 -0500

I was wondering if there's a way for a small group of people
(less than 100) to vote cryptographically.  I imagine it would
work as follows:

Say everyone who is to vote comes up with a private key, and posts
a corresponding public key.  From these, a joint public key is
composed.  Each voter uses her private key together with the
joint public key and her (private) vote to produce a public vote.
From the set of public votes, a (public) vote tally is produced.
However, it should be pragmatically impossible to determine the
tally of any subset of (public) votes, or indeed, any information
about them that is not implicitly given by the total tally.

Is there a way to do this in the literature?  (Or, better yet, is
it so trivial that it's not even in the literature?)

| Jim Ferry  | Center for Simulation  |
++  of Advanced Rockets   |
| http://www.uiuc.edu/ph/www/jferry/ ++
|jferry@[delete_this]uiuc.edu| University of Illinois |

--

Subject: Re: DES -- Annoyed
From: tomstd [EMAIL PROTECTED]
Date: Mon, 05 Jun 2000 15:10:09 -0700

In article [EMAIL PROTECTED], Paul Koning
[EMAIL PROTECTED] wrote:
Mark Wooding wrote:

 tomstd [EMAIL PROTECTED] wrote:
   As part of my 'Tiny Crypt Lib' I am implementing DES (and then
   of course 3key 3des) and have possibly the smallest (and
   slowest) implementation ever... problem is I can't find test
   vectors for DES anywhere!!!
  
   I looked at the FIPS-42 pages ...etc, nothing.  I can't believe
   they specify DES without test vectors...

They are in a separate document.  NIST Special Publication 800-17.

   paul

Remember back in say early this year I said "Don't use 3des
since it's slow, ugly and generally a pain in the arse"?  Well
I believe my own words now.  I hate implementing such a shitty
cipher.

I will gladly just copy/paste/credit someone else's code for
3des...

Tom


* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


--

Subject: Re: Cryptographic voting
From: tomstd [EMAIL PROTECTED]
Crossposted-To: sci.math
Date: Mon, 05 Jun 2000 15:22:51 -0700

In article KzV_4.351$[EMAIL PROTECTED], Jim Ferry
jferry@[delete_this]uiuc.edu wrote:
I was wondering if there's a way for a small group of people
(less than 100) to vote cryptographically.  I imagine it would
work as follows:

Say everyone who is to vote comes up with a private key, and posts
a corresponding public key.  From these, a joint public key is
composed.  Each voter uses her private key together with the
joint public key and her (private) vote to produce a public vote.
From the set of public votes, a (public) vote tally is produced.
However, it should be pragmatically impossible to determine the
tally of any subset of (public) votes, or indeed, any information
about them that is not implicitly given by the total tally.

Is there a way to do this in the literature?  (Or, better yet, is
it so trivial that it's not even in the literature?)

For a voting scheme to be useful the talliers should not be
able to tell who voted for what, only that all votes are
valid

Tom


* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
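
The flow Jim Ferry describes (per-voter key pairs, a joint public key,
public ballots, a tally that reveals only the sum) is what an additively
homomorphic election looks like, and it is in the literature: this is an
added example, not code from either post, using exponential ElGamal with the
joint key formed as the product of the voters' public keys, a standard
construction. The group parameters are toy-sized and constructed so the run
is instant. Two things a deployable protocol needs are deliberately absent
and called out in the comments: a zero-knowledge proof that each ballot
encrypts 0 or 1 (Tom's "only that all votes are valid"), and threshold
decryption, since here one voter who withholds a decryption share blocks
the count.

```python
"""Small-group voting with a joint ElGamal key (exponential ElGamal).
Added example, not code from the thread.  Per-voter key pairs, a joint
public key, encrypted ballots, and a tally that reveals only the sum.
Parameters are constructed toy values; a ballot-validity proof and
threshold decryption are deliberately left out and noted where they belong."""
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 generates the
# order-q subgroup.  Real use needs a 2048-bit p or an elliptic curve.
P, Q, G = 1019, 509, 4


def keygen():
    """Private key x in [1, q-1], public key g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def joint_public_key(public_keys):
    """Y = product of the y_i: the matching private key is the sum of the
    x_i, which no single voter holds."""
    y = 1
    for yi in public_keys:
        y = y * yi % P
    return y


def encrypt_vote(vote, joint_pk):
    """Ballot (g^r, g^vote * Y^r).  The range check is local only: nothing in
    the ciphertext proves the vote was 0 or 1, which is why real schemes
    attach a zero-knowledge proof of ballot validity to each ballot."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(joint_pk, r, P) % P


def combine(ballots):
    """Component-wise product: an encryption of the sum of all votes."""
    c1, c2 = 1, 1
    for a, b in ballots:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2


def decryption_share(private_key, combined):
    """Each voter publishes c1^x_i for the combined ballot only.  Individual
    ballots are never decrypted, which is what hides every sub-tally.
    Without threshold sharing, one missing share stops the count."""
    return pow(combined[0], private_key, P)


def tally(combined, shares, max_total):
    """Divide out prod(shares) = Y^r to get g^sum, then find the small sum."""
    denom = 1
    for s in shares:
        denom = denom * s % P
    g_sum = combined[1] * pow(denom, -1, P) % P
    for total in range(max_total + 1):
        if pow(G, total, P) == g_sum:
            return total
    raise ValueError("no consistent tally: a share is missing or wrong")


def run_election(votes):
    """Whole protocol for a list of 0/1 votes; returns the number of 1s."""
    keys = [keygen() for _ in votes]
    y = joint_public_key([pk for _, pk in keys])
    ballots = [encrypt_vote(v, y) for v in votes]
    combined = combine(ballots)
    shares = [decryption_share(x, combined) for x, _ in keys]
    return tally(combined, shares, len(votes))
```

`run_election([1, 0, 1, 1, 0])` returns 3 and nothing else about who voted how; the exhaustive search in `tally` is fine because the sum is bounded by the number of voters.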


--

From: leo [EMAIL PROTECTED]
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.poli

Cryptography-Digest Digest #951

1999-07-29 Thread Digestifier

Cryptography-Digest Digest #951, Volume #9   Thu, 29 Jul 99 18:13:03 EDT

Contents:
  Re: Virtual Matrix Encryption ([EMAIL PROTECTED])
  Re: Q: Does ElGamal require that (p-1)/2 is also prime like DH? (Bob Silverman)
  Re: The Gnu Privacy Guard ? ([EMAIL PROTECTED])
  Re: RSA keys 2^64x + c versus SNFS (Bob Silverman)
  Re: Compression for encryption ([EMAIL PROTECTED])
  Re: How Big is a Byte? (was: New Encryption Product!) (Peter Seebach)
  Cryptonomicon - low priority posting (Michael Slass)
  cryptography tutorials (Bobby Heffernan)
  Re: What the hell is XOR? ("Douglas A. Gwyn")
  Re: ___EllipticCC on a GemXpresso JAVA card (Greg)
  Problems with Cryptlib (Ron Williams)
  Re: cryptography tutorials (JPeschel)
  The Alphabetic Labyrinth ... and Voynich
  Re: OTP export controlled? (Greg)
  Re: OTP export controlled? ("Douglas A. Gwyn")
  Re: Academic vs Industrial ("Douglas A. Gwyn")
  Re: Anyone knows where to get original encryption source code? (Doug)
  Re: Virtual Matrix Encryption (Guenther Brunthaler)



From: [EMAIL PROTECTED]
Subject: Re: Virtual Matrix Encryption
Date: Thu, 29 Jul 1999 18:43:19 GMT


 Otherwise, there's no real description of the algorithm.  It uses
 "theoretically infinite matrices", whatever the hell they are.  IMHO, if
 you want to secure your files, use PGP or another product that uses
 proven algorithms.


Not to be picky but the algorithms in PGP have never been proven
secure.  They appear to be.  However the algorithms in PGP have a more
formal treatment (and less insane claims like OTP strength...)

VME is snake oil.  They make weird claims like 'infinite' size matrices
which is technically impossible for computers (or at all).  I would not
read about them and pretty much deny their existence.

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

--

From: Bob Silverman [EMAIL PROTECTED]
Subject: Re: Q: Does ElGamal require that (p-1)/2 is also prime like DH?
Date: Thu, 29 Jul 1999 19:15:13 GMT

In article [EMAIL PROTECTED],
  Anton Stiglic [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:

   It would take a while to find great Primes that meet this criteria.

If you want both q and 2q+1 to be prime, the number of such pairs
up to x  is C x/log^2 x + error, where C is given by a singular series.
(unless I am mistaken, this should be  product(1/(1 - (2|p))/p) where
(2|p) is the Jacobi symbol)

On the other hand,  the number of q is x/log x + O(x^1/2 log x)  [on RH]

Thus, primes of the form 2q+1 , q prime,  are indeed much rarer than
primes in general.

 I had answered this question before but my 'Reply' and 'Reply to All'
 buttons seem to have been interchanged in netscape mail??  Anyways, if you
 are looking for a prime of the form p = 2q + 1, you start by computing q.
 With this form, p is what we call probably prime

Bzzt. Wrong.  Thank you for playing. Characterizing p = 2q+1
as a 'probable prime' because it has this special form "Isn't
even wrong".  It has NOTHING to do with probable primes.  p is
a probable prime if it satisfies a^(p-1) = 1 mod p  for (a,p) = 1.
Your statement "With this form, p is what we call probably prime"
is nonsense.

 (which is not the best term
 to use, since a number is either prime or not, no probabilities
 involved,

No, but the *test* declares p prime, and the *test* is wrong with
a (low) probability.  Calling a number a probable prime does not
mean that it is probably prime.  As you point out, that probability is
0 or 1.  What it does mean is that the number passed a *procedure* which
fails with a certain probability.  That is why "probable prime"
is an appropriate term.


 but anyways it is what is used).  You then just test if p is in fact
 prime or not, this does not take much time (example, Miller Rabin prob.
 test algorithm 4.24 in the Big Green book (Menezes, Oorschot, Vanstone)).

If q is indeed prime,  then you can trivially PROVE p is prime.
Since all the factors of p-1 are known, all you need do is demonstrate
a primitive root. In fact, all you need do to PROVE primality is
to find a (depending on r) such that for each prime r | p-1 one has
a^((p-1)/r) != 1 mod p but a^(p-1) = 1 mod p. (Selfridge).

Using Miller-Rabin is wrong. It will take longer and does not yield
certainty.


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
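
Bob's argument in runnable form, added here as an example (not code from the
thread): a Fermat "probable prime" check, the Selfridge form of the Lucas
test that turns a known factorisation of p-1 into a proof, the special case
p = 2q + 1 where that factorisation is just {2, q}, and a sieve count that
shows how much rarer safe primes are than primes. The numbers are chosen
here: 1019 = 2*509 + 1, and 561 = 3*11*17, the smallest Carmichael number,
which passes the Fermat test for every coprime base and so makes the
distinction between "passed a procedure" and "is prime" concrete.

```python
"""Proving p = 2q + 1 prime once q is known prime (Selfridge's form of the
Lucas test), versus a Fermat "probable prime" check, plus a count of how
rare such pairs are.  Added example, not code from the thread; the numbers
used are chosen here (1019 = 2*509 + 1; 561 = 3*11*17, a Carmichael number)."""
from math import gcd


def is_fermat_probable_prime(n, base):
    """Bob's definition: a^(n-1) = 1 (mod n) with gcd(a, n) = 1.  A pass is a
    statement about the procedure, not the number: 561 passes for every
    coprime base and is composite."""
    return gcd(base, n) == 1 and pow(base, n - 1, n) == 1


def lucas_prove_prime(p, prime_factors, bases=range(2, 200)):
    """For each prime r dividing p-1 find a_r with a_r^(p-1) = 1 and
    a_r^((p-1)/r) != 1 (mod p).  If `prime_factors` really is every prime
    factor of p-1, the returned {r: a_r} is a proof of primality; None means
    no witness turned up (p composite, or the factor list is wrong)."""
    witnesses = {}
    for r in prime_factors:
        for a in bases:
            if pow(a, p - 1, p) == 1 and pow(a, (p - 1) // r, p) != 1:
                witnesses[r] = a
                break
        else:
            return None
    return witnesses


def prove_safe_prime(q):
    """With q prime, p - 1 = 2q is fully factored, so two witnesses prove p.
    That is the point of the post: no Miller-Rabin on p is needed."""
    p = 2 * q + 1
    return p, lucas_prove_prime(p, [2, q])


def count_primes_and_safe_primes(limit):
    """Sieve to 2*limit+1 and count q <= limit with both q and 2q+1 prime,
    to see the x/log x versus x/log^2 x gap in practice."""
    top = 2 * limit + 1
    sieve = bytearray([1]) * (top + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(top ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    primes = sum(sieve[:limit + 1])
    safe = sum(1 for q in range(2, limit + 1) if sieve[q] and sieve[2 * q + 1])
    return primes, safe
```

`prove_safe_prime` takes q as given; if q itself only came out of Miller-Rabin, the proof of p is conditional on q, and a full certificate recurses by proving q the same way from the factors of q-1.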

--

From: [EMAIL PROTECTED]
Subject: Re: The Gnu Privacy Guard ?
Date: Thu, 29 Jul 1999 18:48:17 GMT


   Well Spike I took a very quick look at it. I like the concept of a
 GNU group

Cryptography-Digest Digest #951

1999-01-22 Thread Digestifier

Cryptography-Digest Digest #951, Volume #8   Fri, 22 Jan 99 21:13:02 EST

Contents:
  Re: Help: Which secret key cipher? (Dorina Lanza)
  Re: Help: Which secret key cipher? (Dorina Lanza)
  Re: Cayley (John Savard)
  Re: Pentium III... ([EMAIL PROTECTED])
  Re: Strong Encryption for 8086 (16 bit) (Phil Carmody)
  Re: Cayley (John Savard)
  Re: Metaphysics Of Randomness ("Trevor Jackson, III")
  Re: Metaphysics Of Randomness ("Trevor Jackson, III")
  Re: Pentium III... (Terry Ritter)
  Re: Metaphysics Of Randomness ("Trevor Jackson, III")
  Re: Metaphysics Of Randomness ("Trevor Jackson, III")
  S-box cycles ([EMAIL PROTECTED])
  Re: Help: Which secret key cipher? ("Trevor Jackson, III")
  Re: 3DES in EDE mode versus EEE mode ([EMAIL PROTECTED])



Date: Fri, 22 Jan 1999 18:23:46 -0500
From: Dorina Lanza [EMAIL PROTECTED]
Subject: Re: Help: Which secret key cipher?

Terry Ritter wrote:

 On Fri, 22 Jan 1999 10:21:56 -0500, in [EMAIL PROTECTED],
 in sci.crypt Dorina Lanza [EMAIL PROTECTED] wrote:

 [...]
 The other complaint about OTP-style security is that it takes too much pad
 material.  However, the density of data storage is now so high that very
 infrequent use of a secure channel can support long term (months or years)
 worth of traffic in most cases.

 That sounds *extremely* dangerous.  As long as that data exists, it is
 a danger to information past and future.

True.  The same applies to all crypto keys.  Does this mean we dispose of them
after a year?  No, we retain them for as long as necessary and no longer.

 The ideal would be to get weekly or daily pads, use what is needed,
 and discard the rest.  In this way any compromise of a particular pad
 ends when we get a new one.

What compromise threats are you concerned about?  Copying the pad?  Size helps
you there.Frequent usage of a physical channel invites interception.  The idea
that a "secure channel" is perfect is ludicrous given the ease with which they
can be violated.  Consider that a "brute force" attack has a completely
different meaning in the real world.  Thus we want to limit the risks of the
overall system by minimizing the amount of traffic that has to be physically
secured rather than logically secured.

 A huge pad not only risks more messages, but, since it is held for a
 long time, is more likely to be compromised.

No more so than any other key we have to hold for decades.  After all, we have
to secure the plaintext somehow if it is to be retained.  Whatever provision we
use for the plaintext will be suitable for the pads.


--

Date: Fri, 22 Jan 1999 18:26:23 -0500
From: Dorina Lanza [EMAIL PROTECTED]
Subject: Re: Help: Which secret key cipher?

Darren New wrote:

  The ideal would be to get weekly or daily pads, use what is needed,
  and discard the rest.  In this way any compromise of a particular pad
  ends when we get a new one.

 Or... copy the pad onto a number of individual CDs/tapes/hard drives and
 then blow away the DVD, using it only to transport the pad.

 I think a more interesting question is whether it's possible to build a
 physical environment that makes tampering impossible. I.e., unless I
 personally courier it, how do I know the courier didn't copy the pad? Is
 there secure envelope technology that would make it prohibitively
 expensive to access the DVD and put it back without someone else
 noticing?

You can probably make copying arbitrarily hard by spending lots of money on
it, but an alternate path to security is to reduce the set of *people* who
have to be trusted (couriers or whatever) to the minimum by making the best
use of the few who are most trusted.  Data density helps here.


--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Cayley
Date: Fri, 22 Jan 1999 23:21:51 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote, in part:
[EMAIL PROTECTED] wrote:

 The logical next step after quaternions, therefore, had to use a different
 name - octaves - when it was developed...by Cayley. An octave has eight
 components, one real and seven imaginary.

Could you give a literature reference to octaves? Thanks in advance.

Hmm. My reply from home hasn't showed up on this server.

Early books on vector algebra or quaternions - such as one by Tait and
Mortimer - should have such references. Even an old Britannica might.
I looked up the table in General Algebra by Kurosh.

But it shouldn't be *too* hard to hunt them down in a math library.

John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html

--

From: [EMAIL PROTECTED]
Subject: Re: Pentium III...
Date: Fri, 22 Jan 1999 22:36:32 GMT

In article [EMAIL PROTECTED],
  [EMAIL PROTECTED] (John Savard) wrote:
 [EMAIL PROTECTED] wrote, in part:

 John, the random number generators found in hardware and software today are
 almost al