Cryptography-Digest Digest #94
Cryptography-Digest Digest #94, Volume #11 Fri, 11 Feb 00 07:13:01 EST
Contents:
Re: Have you watched the movie "PI" (actually a mathematical symbol PI) of a
mathematical genius .. breaking the code .. ("Dave VanHorn")
Re: question about PKI... ("Joseph Ashwood")
Re: UK publishes 'impossible' decryption law (Anthony Stephen Szopa)
Re: Period of cycles in OFB mode ("Scott Fluhrer")
Re: Guaranteed Public Key Exchanges (Mok-Kong Shen)
Re: UK publishes 'impossible' decryption law ("vrml3d.com")
Re: Somebody is jamming my communications -- this has been happening at least in
three separate communication ([EMAIL PROTECTED])
Re: Somebody is jamming my communications -- this has been happening at least in
three separate communication (Markku J. Saarelainen)
Re: Have you watched the movie "PI" (actually a mathematical symbol PI) (Scott
Ebsen)
Re: I'm returning the Dr Dobbs CDROM (Frank M. Siegert)
PKI's and CA's ([EMAIL PROTECTED])
Which compression is best? ([EMAIL PROTECTED])
Re: Which compression is best? (Thomas Pornin)
Re: Message to SCOTT19U.ZIP_GUY ([EMAIL PROTECTED])
Re: Message to SCOTT19U.ZIP_GUY ([EMAIL PROTECTED])
Re: Persistent vs Non-Per DH for Voice ([EMAIL PROTECTED])
RE: Continually Secure Password/Pin (Gary)
Re: Which compression is best? (Mok-Kong Shen)
Re: Somebody is jamming my communications -- this has been happening at ("Douglas
A. Gwyn")
Re: Period of cycles in OFB mode (Mok-Kong Shen)
Re: Period of cycles in OFB mode (Mok-Kong Shen)
help DES encryption ("mati")
From: "Dave VanHorn" [EMAIL PROTECTED]
Subject: Re: Have you watched the movie "PI" (actually a mathematical symbol PI) of a
mathematical genius .. breaking the code ..
Date: Fri, 11 Feb 2000 06:18:46 GMT
I saw part of it and didn't like it either, but saying so on
alt.politics.org.cia, soc.culture.russian, soc.culture.israel, alt.math,
sci.crypt, and alt.2600 doesn't sound like a very good idea.
I DID trim my reply.
His selection of groups was based on some of the plot points in the movie.
The idea that you can predict the stock market by breaking some sort of
mathematical code hardly qualifies the subject for sci.crypt. It seems
more
at home on the rec.gambling forums where folks debate the merits of
betting
progressions.
That was one thing I didn't like about it.
They also used "the super chip" (almost as bad as "the disk" which is
supposed to fit whatever everyone is after.. :-P )
--
From: "Joseph Ashwood" [EMAIL PROTECTED]
Subject: Re: question about PKI...
Date: Thu, 10 Feb 2000 22:23:15 -
Search Counterpane for the analysis of SSL 3. It has the
details.
Joe
"Palmpalmpalm" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Thank you very much for kind suggestion.
By the way, what do you mean by "SSL is under secure"?
Sincerely,
palm
--
From: Anthony Stephen Szopa [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: Thu, 10 Feb 2000 22:32:58 -0800
NoSpam wrote:
Se also http://news.bbc.co.uk/hi/english/sci/tech/newsid_638000/638041.stm
"UK publishes 'impossible' decryption law"
FLASH - FOR IMMEDIATE USE
FOUNDATION FOR INFORMATION POLICY RESEARCH (www.fipr.org)
=
News Release Thurs 10th Feb 2000
=
Today Britain became the only country in the world to publish a law which
could imprison users of encryption technology for forgetting or losing
their keys. The Home Office's "REGULATION OF INVESTIGATORY POWERS" (RIP)
bill has been introduced in Parliament: it regulates the use of
informers, requires Internet Service Providers to maintain "reasonable
interception capabilities", and contains powers to compel decryption
under complex interlocking schemes of authorisation.
Caspar Bowden, director of Internet policy think-tank FIPR said, "this law
could make a criminal out of anyone who uses encryption to protect their
privacy on the Internet."
"The DTI jettisoned decryption powers from its e-Communications Bill
last year because it did not believe that a law which presumes someone
guilty unless they can prove themselves innocent was compatible with the
Human Rights Act. The corpse of a law laid to rest by Stephen Byers
has been stitched up and jolted back into life by Jack Straw"
Decryption Powers: Comparison with Part.III of Draft E-Comms Bill (July 99)
The Home Office have made limited changes that amount to window-dressing,
but the essential human rights issue remains:
(Clause 46): authorities must have "reasonable grounds to believe" the key
is in
Cryptography-Digest Digest #96
Cryptography-Digest Digest #96, Volume #11 Fri, 11 Feb 00 13:13:01 EST
Contents:
Re: Message to SCOTT19U.ZIP_GUY (SCOTT19U.ZIP_GUY)
Eurocrypt 2000 (Eurocrypt 2000)
Re: Period of cycles in OFB mode ("Scott Fluhrer")
Re: Twofish vs. Blowfish ("Scott Fluhrer")
Re: New standart for encryption software. (Albert P. Belle Isle)
Re: Period of cycles in OFB mode (Tim Tyler)
Re: Newbie Encrypt question (JPeschel)
Re: Which compression is best? (John Chandler)
Re: Which compression is best? (John Chandler)
Re: Which compression is best? (Jerry Coffin)
Re: Message to SCOTT19U.ZIP_GUY (Tim Tyler)
Re: Compression cannot prevent plaintext recognition (was Re: is signing a
signature with RSA risky?) (Tim Tyler)
Re: Message to SCOTT19U.ZIP_GUY (DTRuth)
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Message to SCOTT19U.ZIP_GUY
Date: Fri, 11 Feb 2000 17:18:14 GMT
In article 87uuf3$kvf$[EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
HERE IS YOUR MESSAGE IN FULL POSTED A WHILE BACKPerhaps you and Tim
or anyone else would care to Comment on IT:
**
I know most of you will never have access to good ciphers. The NSA and
crypto gods will see to that. But it does not
mean that
you can't use some of the weak AES methods and still obtain a
far higher degree of security than what they want. Below is a
procedure that is "not all or nothing" but would allow one to encrypt
by removing the so called error recovery "feature"
that most people are stuck using.
Here it is in a nutshell You need 3 ciphers and 2 one to one
compressions to achieve the results. IF you have access to the
routines them selves it can be done in one pass since each method works
on the data previously processed but I will
explain it as 5 passes.
I am sure I wrote this from the point of view that one is using 3
seperate encryptions in series. And what could one do if one was going
to use 3 seperate encryptions of AES and one still want a way to prevent
the NSA of breaking it in an easy way. I should have added a pass zero
of compression since I usually compress first no matter what. But you
don't have to and what follows is just an easy substitution of a method
if one was going to use 3 seperate passes of AES
Pass one Encrypt with AES using weak 3 letter chaining even ECB
Pass two use Compression A "explained latter"
Pass three Encrypt with different key (with different method if one
wishes} Pass four use Compression B
Pass five Encrypt with different key
For the truely insecure among you. You can make this "all or nothing"
by reversing the byte order in the file after each
compression. But that requires whole file at one time..
yes I like to reverse the file it is a good idea if one can.
Better yet use my compression with just one pass of scott16u or
scott19u. Or failing to do that at least use one of mine with two
other AES methods.
Know for a disccusion of how to implement the Compression.
by Compression A I mean one of my one to one compressions that
uses a "condition file" with all 256 possible characters. This makes a
starting tree that can be greatly varied. But since
compression is one to one no information is added to data stream. Also
the message will as it passes through the
compression will change in length so that it is highly unlikely that
one can know where a block from the previous
encryption layer is passed to next encryption layer and it is highly
unlikely to even be the same length. For Compression B
you use a different "condition file" with all the 256 possible
characters in the file.
The input file should be at least long enogh for a few blocks to be
encrypted or you can reject the file as to short. Notice
also that each compression will most likely make the file longer and
that
the encryption methods should handle short blocks at the end of files.
Most methods already have a way to do this but if
at least one block is encrypted on each pass you can just pass the
short block without doing anything to it. Since the
state of the adapative huffman compressor will be such that the data in
last block will be transformed by the
compression.
Any thoughts on this by my nonadmirers.
David A. Scott
Sent via Deja.com http://www.deja.com/
Before you buy.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
"The road to tyranny, we must never forget, begins with the destruction of the
Cryptography-Digest Digest #98
Cryptography-Digest Digest #98, Volume #11 Fri, 11 Feb 00 15:13:01 EST
Contents:
Re: BASIC Crypto Question (Eric Lee Green)
Re: Latin Squares (was Re: Reversibly combining two bytes?) (Michael Wojcik)
Re: Latin Squares (was Re: Reversibly combining two bytes?) (Michael Wojcik)
Re: RFC: Reconstruction of XORd data (Mok-Kong Shen)
Re: Newbie Encrypt question (Ralph Hilton)
Re: I'm returning the Dr Dobbs CDROM ("Bruno LiƩnard")
Re: I'm returning the Dr Dobbs CDROM ("abe kohen")
Re: Newbie Encrypt question ([EMAIL PROTECTED])
Re: I'm returning the Dr Dobbs CDROM (Ralph Hilton)
Re: Latin Squares (was Re: Reversibly combining two bytes?) (Michael Wojcik)
PIII Random Number Generator ("Nick Shaffner")
Re: RFC: Reconstruction of XORd data (Jerry Coffin)
Re: I'm returning the Dr Dobbs CDROM (Paul Koning)
From: Eric Lee Green [EMAIL PROTECTED]
Subject: Re: BASIC Crypto Question
Date: Fri, 11 Feb 2000 12:23:44 -0700
[EMAIL PROTECTED] wrote:
Am I right to assume that Ciphers (Block and Stream Ciphers) work at the
bit level , regardless of what the data structure/format is of the
document file.
They operate upon a stream of data (whether that stream be composed of bits,
8-bit bytes, or multi-byte blocks depends upon the particular algorithm). The
actual content being encrypted is not a concern at the cipher level.
This would imply that with the same cipher (DES, IDEA, Blowfish), I can
encrypt documents, images ( .jpeg, .jif, .bmp ) , .wav files, email
attachments, word documents, .xls documents, .pdf, .ps,
.tar, .gz, .zip...whatever... is that right? The cipher only sees
bits...
Correct.
So for an email text with an attachment,
You are not talking about encryption here. You are talking about MIME
encapsulation of multi-part messages. If the parts of the message happen to be
encrypted files, so be it, MIME doesn't care what the contents are, it merely
hands it off to the appropriate decoder for that particular MIME type.
Are there some ciphers more suited to say image and formated documents
encryption, whereas others more suited to text...Or is it all bits and
bits...nothing else to consider?
Bits are bits. About the only thing to consider is that stream ciphers
(whether implemented via a block cipher and CFB, or not) are easier if you're
talking about network streams, whereas block ciphers tend to be more secure
due to the keys issue. If you're talking files, though, a data length word at
the beginning and then chopping off the result at that # of bytes will take
care of that for block ciphers.
--
Eric Lee Green [EMAIL PROTECTED]
Software Engineer Visit our Web page:
Enhanced Software Technologies, Inc. http://www.estinc.com/
(602) 470-1115 voice (602) 470-1116 fax
--
From: [EMAIL PROTECTED] (Michael Wojcik)
Subject: Re: Latin Squares (was Re: Reversibly combining two bytes?)
Date: 11 Feb 2000 18:35:35 GMT
Reply-To: [EMAIL PROTECTED]
In article 87ohue$jt9$[EMAIL PROTECTED], "r.e.s." [EMAIL PROTECTED]
writes:
"Michael Wojcik" [EMAIL PROTECTED] wrote ...
: [re generating Latin Squares with three permutations P (one
: column), R (an ordering of rotations of P), and T (a final
: permutation of rows)]
: Question: Is the inverse of a PRT-form square always itself a PRT-
: form square? More generally, are all Latin Squares in PRT-form?
"No" to the 2nd question -- we can see that not all
Lsquares are of your PRT form, by simply comparing
with the known number of Latin Squares of given order.
Since each Lsquare created by your PRT method is the
product of three permutations of 1..N, that method
produces N!^3 distinct Lsquares. E.g. for N=10,
that's ~10^20; but there are in fact ~10^25 order-10
Lsquares. The discrepancy grows rapidly -- there're
"only" ~10^36 PRT Lsquares of order 15, compared to
an estimated ~10^86 total.
Source:
McKay, B. D. and Rogoyski, E. ``Latin Squares of Order 10.''
Electronic J. Combinatorics 2, N3 1-4, 1995.
http://www.combinatorics.org/Volume_2/volume2.html#N3
Thanks - just what I was looking for. Dan Oetting has already
supplied the construction principle for fast generation of the
inverse of a PRT square, but these questions remain interesting for
other reasons.
The relatively small number of order-256 squares that are PRT squares
(the "PRT penalty", so to speak) may not be an issue in practice,
since there are still around 10^1520 or 2^5051 PRT squares of order
256. Other weaknesses may certainly exist, but at least that's a
large enough space to make searching prohibitive. (Determining some
elements does narrow down the search, but quite a few would have to
be leaked to make the search space reasonable. Even for a PR-form
square, if we determine an entire column we have 256! possibilities
to check; if we know which column it
Cryptography-Digest Digest #97
Cryptography-Digest Digest #97, Volume #11 Fri, 11 Feb 00 15:13:01 EST Contents: Re: Compression cannot prevent plaintext recognition (was Re: is (Anton Stiglic) Re: Twofish vs. Blowfish (John Myre) Re: Bounding (p-1)(q-1) given only knowledge of pq (Anton Stiglic) Re: Newbie Encrypt question (Jerry Coffin) Re: Persistent vs Non-Per DH for Voice (Mike Rosing) Re: Period of cycles in OFB mode (Mok-Kong Shen) Re: Encryption protocol questions (Mike Rosing) Re: Newbie Encrypt question (Mike Rosing) Re: Do 3 encryptions w/ a 40-bit key = 120 bits? (Mike Rosing) Re: Do 3 encryptions w/ a 40-bit key = 120 bits? (Jerry Coffin) Re: Which compression is best? (Mok-Kong Shen) BASIC Crypto Question ([EMAIL PROTECTED]) Re: RFC: Reconstruction of XORd data (Mok-Kong Shen) Re: Using Gray Codes to help crack DES ([EMAIL PROTECTED]) Re: Twofish vs. Blowfish (Eric Lee Green) Re: PKI's and CA's (Ralph Hilton) Re: Twofish vs. Blowfish (Eric Lee Green) Re: Newbie Encrypt question (Email forms are lame) Re: UK publishes 'impossible' decryption law (David Crick) Re: Hill Climbing (Mok-Kong Shen) Re: Latin Squares (was Re: Reversibly combining two bytes?) (Michael Wojcik) From: Anton Stiglic [EMAIL PROTECTED] Subject: Re: Compression cannot prevent plaintext recognition (was Re: is Date: Fri, 11 Feb 2000 12:55:31 -0500 Tim Tyler wrote: Anton Stiglic [EMAIL PROTECTED] wrote: : Wooo, this is deviating again. Let me make this as simple as possible: : E_k: encryption algorithm using a key k, : D_k: decryption algorithm using a key k, : Z: compression function, : U: uncompression function : m: a plaintext message : So, encrypting m, would be done as follows: : -first compress m, : -then encrypt the result : That gives E_e(Z(m)), where e is the encryption key : Now, if you are testing out a decryption key d, you do : y - D_d(E_e(Z(m))) : Now, if you have the correct key y=Z(m), so you simply : unzip y , call the result x (x - U(y)), if you have the right : decrypiton key, x = m. So an attacker will simply look : for the headers in x. What if all x (such that x = U(f) for some f) have the headers the attacker is looking for? I.e. what if the information about message content available to the analyst is the same as the information about message content which was available to the author of the compressor - and the latter designed a scheme to correctly exploit it? Ah well that would be great! I'd want to be the first one to use it! But this is no longer a problem about compression functions, this turns out to be a problem of picking a function that only works on a specified subset of a larger set, this is sounding to be more like an NP-complete problem?? Anton -- From: John Myre [EMAIL PROTECTED] Subject: Re: Twofish vs. Blowfish Date: Fri, 11 Feb 2000 10:57:17 -0700 Scott Fluhrer wrote: John Myre [EMAIL PROTECTED] wrote in message snip Later in the development process, when you have an alpha or beta or something that sort of works, you can replace RC6 (if necessary) based on more recent information (like an AES decision). Umm, I don't know if that is legal. I believe that RC6 is patented, and so use of it (without RSA's permission) is illegal. If it does become the actual AES algorithm, then the patent issues go away, but that hasn't happened yet, and may never. Why wouldn't it be legal to use during development? AFAIK, patents are only relevant once you start to sell it (or the equivalent). Actually I suppose that you could get the same sort of developmental behavior by using an "encryption algorithm" that you make up yourself and is trivial. It doesn't have to be secure; it just has to have the right interface and scramble the data at least a little, so as to support testing. The important aspect I wanted to address is that allowing a change in algorithm is useful because it allows you to postpone your "final" choice, even if you don't anticipate allowing flexibility in algorithm choice as one of the product requirements. JM -- From: Anton Stiglic [EMAIL PROTECTED] Subject: Re: Bounding (p-1)(q-1) given only knowledge of pq Date: Fri, 11 Feb 2000 13:03:29 -0500 So I haven't read your post completly, but here is a quick reply: (p-1)(q-1) will have approximatly the same size as pq = n. So if you have, let's say, a 1024 bit RSA modulus, (p-1)(q-1) will be about a 1022 bit modulus. This only tells you that p-1 and q-1 is a BN of size 1022 (there are 2^1022 of them!, not much info at all). -- From: Jerry Coffin [EMAIL PROTECTED] Subject: Re: Newbie Encrypt question Date: Fri, 11 Feb 2000 11:10:07 -0700 In article 8814vm$7lv$[EMAIL PROTECTED], [EMAIL PROTECTED] says... I've been looking into data encryption lately. I want to write my
Cryptography-Digest Digest #99
Cryptography-Digest Digest #99, Volume #11 Fri, 11 Feb 00 16:13:01 EST
Contents:
Re: "Trusted" CA - Oxymoron? (Sander Vesik)
Re: Newbie Encrypt question (Jerry Coffin)
Re: Using Gray Codes to help crack DES (Paul Schlyter)
Re: NSA opens up to US News (Email forms are lame)
Re: Have you watched the movie "PI" (actually a mathematical symbol PI) of a
mathematical genius .. breaking the code .. ("Androcles")
Re: help DES encryption (Hideo Shimizu)
Re: UK publishes 'impossible' decryption law (Mike Eisler)
Re: I'm returning the Dr Dobbs CDROM ([EMAIL PROTECTED])
Re: Message to SCOTT19U.ZIP_GUY ("Peter K. Boucher")
Re: I'm returning the Dr Dobbs CDROM (Paul Koning)
Re: Guaranteed Public Key Exchanges (Paul Koning)
Re: Period of cycles in OFB mode (Paul Koning)
Re: encryption export question (Paul Koning)
From: Sander Vesik [EMAIL PROTECTED]
Crossposted-To:
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Date: 11 Feb 2000 20:07:56 GMT
In sci.crypt Brian Hetrick [EMAIL PROTECTED] wrote:
"Sander Vesik" wrote...
snip
Aha. I see your point. But completely delinking from the known is,
I suspect, impossible.
Incidentally, getting a circle of false notaries is a little more
cumbersome than you describe: you need to be a notary before you can
make an identity assertion. You would need a minimum of 5 identities
going through a minimum of three notarizations each to get a circle
of notary identities sufficient to get Thawte to issue a certificate
in the name of a completely fabricated identity. (An identity
assertion is specific to a notary/asserted identity pair; a new notary
can issue only 10 identity points; a notary can issue a maximum of 35
points; a minimum of 50 points is needed for an identity to be
considered "verified;" a minimum of 100 points is needed to become a
notary.)
An attempt to verify the fabricated identity would fail, of course, as
No. It would not. It would just point at another person whose face
looked different, who possibly never had even used a computer and
who has a good alibi. A false ID that didn't verify is no good.
in the described scenario all the "notaries" would have been frauds.
But the second generation notaries -- the minimum of three "good
faith" notaries -- would have copies of the falsified identity
documents of the five fradulent notary identities. While the names,
addresses, document serial numbers, and so forth, on the falsified
documents might not be of any use, the photographs are known good --
the notaries made sure they bore a "reasonable resemblance" to the
actual persons appearing before them.
How much does it cost to have a druggy go and get himself set up as a
notary using false ID?
Get a fresh asian immigrant / inner city youth to get the notary papers
and then sell them to me?
So at least you have a collection of photographs of the person(s)
involved in the fraud, at least if the fraud is detected within five
years of it starting.
Which are probably no good. It helps only against a very small and very
undetermined adversary.
To get two or more generations of fraudulent notaries, you would
need to start with ten identities, rather than five, as you would need
ten new notary identity assertions to get enough identity points to
create a notary.
And I would not doubt Thawte is watching the patterns of which
notaries are asserting which identities, with an eye to catching
exactly such attempts to build fraudulent identities. If they weren't
before, they certainly are now. :-)
Good to hear. but if you don't want a whole second gen ring, it is a
lot harder to note. Unnoticeable second gen notaries are just slightly
more expensive than those in whose case a slight suspicion might rise.
But the whole second gen. ring is not needed. you need just some second
gen notaries.
On the whole, I suspect it would be simpler to get one set of fake
IDs than five -- and simply going to "good faith" Thawte notaries
to get a minimum of two identity assertions with a single fake ID is
substantially easier than going to "good faith" Thawte notaries a
minimum of fifteen times with five fake IDs, or thirty times with ten
fake IDs.
Assuming the selection of the Thawte notaries is wide enough and that
they are sufficently apoart geographically, that's no problem. The scheme
can work in parallel and there is no way - at the time it is done -
to in any way say that some kind of (future) fraud is involved.
The only advantage of creating fradulent notaries as a step in
creating a fradulent identity is that the fradulent identity does not
have an accessable photograph on file. But, of course, the
photographs of the person(s) involved in the fraud _are_ on file, so
I do not see the advantage there.
See above - it need not be so. The people presenting the
Cryptography-Digest Digest #100
Cryptography-Digest Digest #100, Volume #11 Fri, 11 Feb 00 18:13:01 EST
Contents:
Re: RFC: Reconstruction of XORd data (zapzing)
Re: PIII Random Number Generator (John Savard)
Re: Twofish vs. Blowfish (Albert Yang)
Re: Period of cycles in OFB mode (John Savard)
Re: help DES encryption (John Savard)
Re: Newbie Encrypt question ([EMAIL PROTECTED])
Re: Latin Squares (was Re: Reversibly combining two bytes?) (Terry Ritter)
Re: Latin Squares (was Re: Reversibly combining two bytes?) ("Tony T. Warnock")
Re: Latin Squares (was Re: Reversibly combining two bytes?) ("Tony T. Warnock")
Re: new standart for encryption software.. ([EMAIL PROTECTED])
Re: Using Gray Codes to help crack DES (Mok-Kong Shen)
Re: Which compression is best? (John Chandler)
Re: Guaranteed Public Key Exchanges (Mok-Kong Shen)
Re: Eurocrypt 2000 (David A Molnar)
Re: Bounding (p-1)(q-1) given only knowledge of pq ("Joseph Ashwood")
Re: Newbie Encrypt question ("Joseph Ashwood")
Re: RFC: Reconstruction of XORd data (Mok-Kong Shen)
Re: RFC: Reconstruction of XORd data (Mok-Kong Shen)
Re: help DES encryption (Paul Koning)
Re: Period of cycles in OFB mode (Paul Koning)
Re: Somebody is jamming my communications -- this has been happening at (Paul
Koning)
Re: "Trusted" CA - Oxymoron? ("Brian Hetrick")
From: zapzing [EMAIL PROTECTED]
Subject: Re: RFC: Reconstruction of XORd data
Date: Fri, 11 Feb 2000 20:59:53 GMT
In article [EMAIL PROTECTED],
Mok-Kong Shen [EMAIL PROTECTED] wrote:
Mok-Kong Shen wrote:
Ian Clarke wrote:
The algorithm is simple, I take the initial data, and XOR each
byte with
the previous byte (the first byte is left unchanged). This moves
forward through the string compounding the XOR at each stage (ie.
each
byte is actually XORd with all previous bytes).
The following piece of java does this: (Data is in char[] strC):
for (int x=1; xstrC.length; x++)
{
strC[x] ^= strC[x-1];
}
This is a form of what is in classical terminology termed auto-key
encryption. One can simply try all possible values of the first byte
to decrypt.
Addendum: In the present special form, the 'key' is known, namely
the first byte.
M. K. Shen
It does seem as if it could be done better.
What if one used a reasonably large-ish block,
encrypted the data in a known key, then split
the block into first half and last half,
wouldn't that do it? Wouldn't it help if
random noise were included in the block?
--
Do as thou thinkest best.
Sent via Deja.com http://www.deja.com/
Before you buy.
--
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: PIII Random Number Generator
Date: Fri, 11 Feb 2000 14:22:25 GMT
"Nick Shaffner" [EMAIL PROTECTED] wrote, in part:
So did the PIII ever ship with that cryptographic quality RNG that they
promised? If so, anyone know where I can find information on getting access
to it? www.intel.com doesn't seem to mention anything about it, and a
couple of web searches didn't turn up anything...
There is stuff about it on the Intel web site, but the RNG is not part
of the Pentium III chip; it's part of the 810 chipset. So it is
available to some Celeron users as well.
John Savard (jsavardatecndotabdotca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
--
From: Albert Yang [EMAIL PROTECTED]
Subject: Re: Twofish vs. Blowfish
Date: Fri, 11 Feb 2000 21:23:13 GMT
Thanks, Understand what you are getting at.
I was thinking the same thing, I will have a pretty common API so I can
change the backend at will and not effect the program.
I might go with Serpent, but it's slow compared to Twofish.
I was thinking about just doing a quick 10 liner XOR encryption and
decryption algorithm as a stub, but I thought, shoot, then I can plug
RC5 or RC6 in there for just a few lines more! So that's what I might
do.
But I'm hoping to finalize on an algorithm..
When's AES suppose to be picked again?
Albert
--
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Period of cycles in OFB mode
Date: Fri, 11 Feb 2000 14:32:06 GMT
Tim Tyler [EMAIL PROTECTED] wrote, in part:
In researching such questions, I uncovered what /appears/ to be an error
in Schneier's "Applied Cryptography".
On P.205, in a section called "Security problems with OFB", he writes:
``When the feedback size equals the block size, the block cypher acts as
a permutation of m-bit values (where m is the block length) and the
average cycle length is 2^m - 1.''
I believe the expected cycle length will be 2^(m - 1), and *not* 2^m - 1.
The proof of this is not quite trivial. I'll provide it only if it is needed.
I think you're right. (2^m) - 1 for an average cycle length for m-bit
values does seem a bit high. However, I would have thought the
Birthday Paradox would make
Cryptography-Digest Digest #101
Cryptography-Digest Digest #101, Volume #11 Fri, 11 Feb 00 21:13:01 EST
Contents:
Re: Bounding (p-1)(q-1) given only knowledge of pq (David Hopwood)
Re: Guaranteed Public Key Exchanges (David Hopwood)
Re: Using Gray Codes to help crack DES (David Hopwood)
Advanced Network Authentication ("Joseph Ashwood")
Re: Using Gray Codes to help crack DES (Mok-Kong Shen)
Re: RFC: Reconstruction of XORd data (Jerry Coffin)
Re: Which compression is best? (Tim Tyler)
Re: Bounding (p-1)(q-1) given only knowledge of pq (Anton Stiglic)
Re: Which compression is best? (Tim Tyler)
Re: Which compression is best? (Tim Tyler)
Re: need help with a basic C++ algorithm ([EMAIL PROTECTED])
Re: Message to SCOTT19U.ZIP_GUY (Tim Tyler)
Re: Which compression is best? ("Douglas A. Gwyn")
Re: Message to SCOTT19U.ZIP_GUY (SCOTT19U.ZIP_GUY)
Re: Which compression is best? (SCOTT19U.ZIP_GUY)
Re: help DES encryption ("Douglas A. Gwyn")
Re: Which compression is best? (SCOTT19U.ZIP_GUY)
Re: Which compression is best? (SCOTT19U.ZIP_GUY)
Date: Fri, 11 Feb 2000 06:10:36 +
From: David Hopwood [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Bounding (p-1)(q-1) given only knowledge of pq
=BEGIN PGP SIGNED MESSAGE=
Joseph Ashwood wrote:
For let me say that I'm not sure this information is new,
but to the best of my knowledge it was never told to me.
Note that finding (p-1)(q-1) is provably equivalent in difficulty
to factoring pq. So, although it is possible to put (rather loose)
bounds on (p-1)(q-1), this doesn't help to break RSA.
- --
David Hopwood [EMAIL PROTECTED]
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
=BEGIN PGP SIGNATURE=
Version: 2.6.3i
Charset: noconv
iQEVAwUBOKOnxDkCAxeYt5gVAQFEmwf/X/72IDfm0JV76HipRiT0YUWMFgizWc5b
Rm3RJj7j2zegSRaJmeQ1cvhcA8TxssE2pzPeB5FtZdM8x/QKpw1ohOp/sITHRHyl
QHHVFdgfwPxPOSLmr9472BtpRY92j6xVmfyQOLwgdUBQTc5rRFEE9lsfp+7zlNmU
2Gc1D4YekmvUsAQWGVmF46w2B/r+KvBvGxaWsOx0OmHr/hlz1F/XRQoN656WeYoA
NdXK5hnh2/JZmxJLmfahEwnl9hD2F/7cpaFHDZyx3bolRYxJ8Ebq/SJp+IEV0Pkw
7RTACgI8LIvSlGm65qAjXHQj/PfvvgO9Z7WAXB1SQHKBWLawrl5SzA==
=Y1gS
=END PGP SIGNATURE=
--
Date: Fri, 11 Feb 2000 05:38:51 +
From: David Hopwood [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Guaranteed Public Key Exchanges
=BEGIN PGP SIGNED MESSAGE=
Dan Day wrote:
On Thu, 10 Feb 2000 02:29:58 +0800, No Brainer [EMAIL PROTECTED] wrote:
I was hoping there was a new protocol of some type that would allow me to
exchange public keys with integrity and take the middle man "out of the
loop" (without the need for another secure channel of course).
[...]
Well, I've got at least a partial workaround... As one of your
first messages, send your recipient an attached EXE file of a popular
sort, such as the "gerbil in the microwave" animation.
If you're sending executable files, the man-in-the-middle has another type of
attack: replace the .exe with a trojan that installs a back door, and then
runs the original executable (using the same techniques as are used by
viruses). Then even if you discover the switched public keys, the attacker
still has a back door into your system.
But at least it's a step in the right direction.
No, probably a step backwards.
- --
David Hopwood [EMAIL PROTECTED]
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
=BEGIN PGP SIGNATURE=
Version: 2.6.3i
Charset: noconv
iQEVAwUBOKOgUTkCAxeYt5gVAQHw4QgAi+0qAgKsRqZ+9Gy/Hq3WzUwf6j4Qg6X6
yEr9xbXUzYNaLP5Fd8qOD0EGh1Ixm7AafrxKX1WN2rhxK03wRnkWLtqyB8G1Z7Zy
rG5kYISUdhvzQfP9Pt9BaX6WocN4hZ7keRU70uN3LfuQ8d6XfBZjhPb+lMjnJsh5
OkfpPdSlSlPL7F9s11QTmq3oz/4admrM1BgOdBN5urixMiJx3CuVx02m1H7dBa+0
BP8XhOYvh6hMrcA2VerzZ6AFdV4nbhpDHULDU2RHLSRIGjEOc4H02dif9GCpITux
/2mqWayKGbcQ1xZZ8Ot5Mouwp2DU/lnxDIWyN48tbGd8zUM4/vAIdA==
=r5cG
=END PGP SIGNATURE=
--
Date: Fri, 11 Feb 2000 05:05:57 +
From: David Hopwood [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Using Gray Codes to help crack DES
=BEGIN PGP SIGNED MESSAGE=
Dan Day wrote:
On 8 Feb 2000 23:24:52 GMT, [EMAIL PROTECTED] wrote:
count = count + 1
greycode = count ^ (count 1)
Hey, that's really slick. But I'll be damned if I can
Cryptography-Digest Digest #102
Cryptography-Digest Digest #102, Volume #11 Fri, 11 Feb 00 23:13:00 EST
Contents:
Re: Newbie Encrypt question ("Douglas A. Gwyn")
Re: Latin Squares (was Re: Reversibly combining two bytes?) (zapzing)
Re: Do 3 encryptions w/ a 40-bit key = 120 bits? ("Douglas A. Gwyn")
Re: RFC: Reconstruction of XORd data ("Douglas A. Gwyn")
Re: UK publishes 'impossible' decryption law (zapzing)
Re: Bounding (p-1)(q-1) given only knowledge of pq ("Joseph Ashwood")
Re: Bounding (p-1)(q-1) given only knowledge of pq ("Joseph Ashwood")
Re: Newbie Encrypt question ("Joseph Ashwood")
Re: Latin Squares (was Re: Reversibly combining two bytes?) ("r.e.s.")
Re: need help with a basic C++ algorithm ("Douglas A. Gwyn")
Re: Bounding (p-1)(q-1) given only knowledge of pq (David Wagner)
Re: Period of cycles in OFB mode (David Wagner)
Re: Period of cycles in OFB mode (David Wagner)
Re: Twofish vs. Blowfish (David Wagner)
Re: Twofish vs. Blowfish (David Wagner)
Re: permission to do crypto research (Wim Lewis)
Re: Twofish vs. Blowfish (David Wagner)
Re: RFC: Reconstruction of XORd data (David Wagner)
Re: permission to do crypto research (David Wagner)
Re: Period of cycles in OFB mode ("Scott Fluhrer")
Re: Persistent vs Non-Per DH for Voice (David P Jablon)
From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Newbie Encrypt question
Date: Sat, 12 Feb 2000 01:46:19 GMT
Jerry Coffin wrote:
Yes, DES includes both shifting and XORing, but those are NOT the
primary elements of the security -- though it's somewhat difficult
to talk about bits and pieces of a cipher and still say anything
meaningful, I think it's safe to say that one of the single most
important elements in the security of DES is in the S-boxes.
Indeed, the S-boxes are the only nonlinear components of DES.
The notion (of the original poster, not Jerry) that security
lies in shifting and XORing is analogous to a notion that the
operation of a computer program depends on NANDing. Undoubtedly
there is a lot of NANDing going on at a very low level in the
computer hardware, but it is the way that that activity is
organized and coordinated that actually accomplishes the useful
higher-level functions. If one tried to deal with computing by
exclusively thinking at the lowest (logic-gate) levels, one
would never be able to achieve the higher functions.
--
From: zapzing [EMAIL PROTECTED]
Subject: Re: Latin Squares (was Re: Reversibly combining two bytes?)
Date: Sat, 12 Feb 2000 01:36:12 GMT
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] wrote:
Latin squares are really only useful if the input alphabet and key
alphabet are the same size. The DES S-boxes don't have the same sizes
but seem to work OK.
Well. actually that is true by definition,
since a latin *square* must be square.
But your post gives me an interesting idea.
What if we generalize it to a latin *rectangle*?
For example, the message symbol could be
one eight bit byte, and the encrypting
symbol could be *two* eight bit bytes.
The latin rectangle would be a
256 X 65536 array of bytes,
arrainged so that every column
has one instance of every byte, and
every row has 256 instances of every byte.
OK so maybe that is a bit large for memory,
but you get the idea.
--
Do as thou thinkest best.
Sent via Deja.com http://www.deja.com/
Before you buy.
--
From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Do 3 encryptions w/ a 40-bit key = 120 bits?
Date: Sat, 12 Feb 2000 01:57:05 GMT
Mike Rosing wrote:
[EMAIL PROTECTED] wrote:
Given that 40 bit encryption is considered insecure, what about the
scenario if you take a file and use 40-bit encryption to encrypt it
3 times, would that not give it an effective key length of 120
bits, and therefore be secure?
It'll give you 41.5 bits of security.
The notion of "bits of security" is nonsense. If a random key has 40
bits, then the expected number of trial decipherments for success in
a brute-force key search against a single ciphertext is 2^39,
regardless of the complexity of each decipherment.
What gkare suggests can be read as either C = E(E(E(P,K0),K0),K0) or
C = E(E(E(P,K0),K1),K2). Brute-forcing the former is a 40-bit search;
brute-forcing the latter is a 120-bit search. But that is no
guarantee that the latter system requires 2^80 times the resources to
crack, because brute-force key search is not the only way to attack
systems. (Counterexamples are easy to find.)
--
From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: RFC: Reconstruction of XORd data
Date: Sat, 12 Feb 2000 01:59:53 GMT
Mok-Kong Shen wrote:
One can simply try all possible values of the first byte to decrypt.
That presumes that one has both strings.
The correct answer is that it is secure (under the assumptions)
for *random* plaintext data.
