Re: A-B-a-b encryption
martin f krafft wrote:
>
> it came up lately in a discussion, and I couldn't put a name to it:
> a means to use symmetric crypto without exchanging keys:
>
> - Alice encrypts M with key A and sends it to Bob
> - Bob encrypts A(M) with key B and sends it to Alice
> - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
> - Bob decrypts B(M) with key B leaving him with M.
>
> Are there algorithms for this already? What's the scheme called?
> I searched Schneier (non-extensively) but couldn't find a reference.

Perhaps you want to try looking at the various blinding algorithms by Chaum (and Wagner, also Brands). These use schemes that are transitive (if that's the word).

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: A-B-a-b encryption
At 03:19 AM 11/14/2003, martin f krafft wrote:
> it came up lately in a discussion, and I couldn't put a name to it:
> a means to use symmetric crypto without exchanging keys:
>
> - Alice encrypts M with key A and sends it to Bob
> - Bob encrypts A(M) with key B and sends it to Alice
> - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
> - Bob decrypts B(M) with key B leaving him with M.
>
> Are there algorithms for this already? What's the scheme called?
> I searched Schneier (non-extensively) but couldn't find a reference.

I don't know what it's called, but it's vulnerable to man-in-the-middle unless you've got some way to authenticate the parties (because Alice has no way to tell if she's decrypting Bob's B(A(m)) or Mallet's M(A(m))). And if you've got some way to authenticate the parties (a shared secret or a public key or something), it's probably easier to leverage that into an encryption key.

- Tim

PS - I'm looking for a full-time job. My resume is at http://www.dierks.org/tim/resume.html . Looking for architecture or technical management jobs; I'm in New York, NY, but I am willing to relocate.
Roundtrip Blinding (was: A-B-a-b encryption)
On Fri, 14 Nov 2003, martin f krafft wrote:
>it came up lately in a discussion, and I couldn't put a name to it:
>a means to use symmetric crypto without exchanging keys:
>
> - Alice encrypts M with key A and sends it to Bob
> - Bob encrypts A(M) with key B and sends it to Alice
> - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
> - Bob decrypts B(M) with key B leaving him with M.
>
>Are there algorithms for this already? What's the scheme called?
>I searched Schneier (non-extensively) but couldn't find a reference.

This is a roundtrip blinding message protocol.

First of all, you mean asymmetric crypto (where encryption key != decryption key).

The problem with this is that there are very few encryption algorithms that this will work with and all the ones I know have serious problems in modes where this is possible. In general, decrypt(a, encrypt(b, encrypt(a, M))) != encrypt(b, M) in most secure cipher systems.

RSA will do this - but in modes where stunts like this are possible, it means you're using "straight" RSA -- ie, without padding the blocks with randomness. And this leaves RSA open to some types of attacks that are very difficult to allow for in a secure system. Where RSA is used in this mode (for blinding digital cash, etc) it is used in a very stylized and restricted way, blinding "tokens" whose interpretation and use is very limited.

Bear
Re: A-B-a-b encryption
martin f krafft wrote:
> it came up lately in a discussion, and I couldn't put a name to it:
> a means to use symmetric crypto without exchanging keys:
>
> - Alice encrypts M with key A and sends it to Bob
> - Bob encrypts A(M) with key B and sends it to Alice
> - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob

"Decrypting" B(A(M)) with key A will typically result in another encryption: a(B(A(M))), not B(M). The operations are not associative, commutative or distributive, so this will not work.

> - Bob decrypts B(M) with key B leaving him with M.

Rgds,
- Dave.
Re: XML-proof UIDs
At 05:52 AM 11/14/2003, Eugen Leitl wrote:
> Does anyone have robust code to generate globally unique IDs which won't
> break XML parsing, and work on several platforms?
>
> I was thinking of using an entropy pool to seed a cryptographic PRNG, used
> to generate a sequence of SHA-1 hashes, dumped to an XML-armored
> representation.

This is what GUIDs/UUIDs were designed for, and they're used broadly. They're standardized in ISO 11578 [1], although there's a very similar public description in an expired Internet Draft [2]. Microsoft also publishes a description of how they generate their GUIDs, but I can't find it right now.

- Tim

[1] http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=2229&ICS1=35&ICS2=100&ICS3=70
[2] http://www.ics.uci.edu/~ejw/authoring/uuid-guid/draft-leach-uuids-guids-01.txt
Re: A-B-a-b encryption
On Fri, Nov 14, 2003 at 09:19:25AM +0100, martin f krafft wrote:
> it came up lately in a discussion, and I couldn't put a name to it:
> a means to use symmetric crypto without exchanging keys:
>
> - Alice encrypts M with key A and sends it to Bob
> - Bob encrypts A(M) with key B and sends it to Alice
> - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
> - Bob decrypts B(M) with key B leaving him with M.
>
> Are there algorithms for this already? What's the scheme called?

"Stupid crypto", probably.

Unless I'm missing something, this only works if A(A(M)) = M. Symmetric crypto, not just symmetric keys.

NEVER willingly give the cryptanalyst the same message encrypted with the same system using two different keys.

For the simple case, suppose F(X) = X ^ S (exclusive or with a string generated from the key). Then M = A(M) ^ B(M) ^ B(A(M)), right? Probably something similar for other symmetric systems.

--
[EMAIL PROTECTED]
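Added example, not code from any post in this thread: a small Python script that runs the A-B-a-b exchange with two toy ciphers constructed for the purpose. It illustrates Dave's point that the passes only cancel when encryptions under different keys commute, and the observation just above that when they do commute via XOR, the three transmitted values XOR together to M, so a passive wiretap already has the plaintext. Both ciphers are my own stand-ins, not real ciphers: a SHA-256 keystream XOR (commutative, self-inverse) and a byte-wise affine map (a bijection that does not commute, standing in for a real block cipher). Keys and the sample message are made up.

```python
import hashlib

# --- Toy cipher 1: XOR with a SHA-256-derived keystream (constructed for this demo) ---
def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

# XOR is an involution, A(A(M)) = M, which is exactly the property the scheme needs.
xor_decrypt = xor_encrypt

# --- Toy cipher 2: affine map on each byte, E_k(x) = (a*x + b) mod 256 with a odd ---
# E_A and E_B are bijections but do not commute, so "decrypting" B(A(M)) with A
# yields a(B(A(M))) rather than B(M), and Bob's final step does not return M.
def affine_encrypt(key: tuple, data: bytes) -> bytes:
    a, b = key
    return bytes((a * x + b) % 256 for x in data)

def affine_decrypt(key: tuple, data: bytes) -> bytes:
    a, b = key
    a_inv = pow(a, -1, 256)          # a is odd, hence invertible mod 256
    return bytes((a_inv * (y - b)) % 256 for y in data)

def three_pass(encrypt, decrypt, key_a, key_b, message: bytes):
    """Run the A-B-a-b exchange; return what Bob ends up with and the wire transcript."""
    c1 = encrypt(key_a, message)     # Alice -> Bob:  A(M)
    c2 = encrypt(key_b, c1)          # Bob -> Alice:  B(A(M))
    c3 = decrypt(key_a, c2)          # Alice -> Bob:  meant to be B(M)
    result = decrypt(key_b, c3)      # Bob:           meant to be M
    return result, (c1, c2, c3)

def passive_observer_xor(transcript) -> bytes:
    """With XOR, A(M) ^ B(A(M)) ^ B(M) = M: the three wire messages alone give M."""
    c1, c2, c3 = transcript
    return bytes(x ^ y ^ z for x, y, z in zip(c1, c2, c3))

if __name__ == "__main__":
    msg = b"meet me at the usual place"          # constructed sample plaintext
    got, wire = three_pass(xor_encrypt, xor_decrypt, b"alice-key", b"bob-key", msg)
    print("XOR: Bob recovers M:", got == msg)                                # True
    print("XOR: wiretap recovers M:", passive_observer_xor(wire) == msg)     # True
    got, _ = three_pass(affine_encrypt, affine_decrypt, (3, 5), (7, 11), msg)
    print("affine: Bob recovers M:", got == msg)                             # False
```

With the affine keys (3, 5) and (7, 11) the four maps compose to x + 232 mod 256, so every byte Bob ends with is wrong; with any real cipher the mismatch is just as total but not as tidy to write down.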
RE: Are there...one-way encryption algorithms
Enzo asked,
> Are there one-way encryption algorithms guaranteed to be injective
> (i.e., deterministically collision-free)? Or are there
> theoretical reasons against their existence?
>
> I'm looking for algorithms where every piece of code and data
> is public, thus excluding conventional enciphering with a secret key.

Sounds like you look for One Way Permutations... which of course exist (if one-way functions do). But before we get into details, it'll be useful if you specify your needs more precisely since imprecision is the mother of weaknesses and break-ins.

BTW I've updated my foils on encryption and hashing which cover much of this topic (see in site if interested).

Best, Amir Herzberg
http://amir.herzberg.name
Re: XML-proof UIDs
> Does anyone have robust code to generate globally unique IDs which won't
> break XML parsing, and work on several platforms?

Look at the "UUID namespace for URN's" internet-draft.

/r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
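Added example, mine rather than code from Tim's or Rich's replies: generating a random UUID in Python and checking it is safe to use in XML. The catch worth knowing is that an ID-typed attribute (xml:id, DTD ID) must be an NCName, which cannot start with a digit or contain a colon, so a bare UUID needs a letter prefix and the "urn:uuid:" form from the draft Rich mentions (later published as RFC 4122) is fine as attribute or text content but not as an ID. The regex below is a simplified ASCII-only NCName check, an assumption made for this demo; the prefix "uuid-" is also my choice.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# Simplified NCName check (ASCII subset of the XML Name production), assumed sufficient
# here: first character a letter or underscore, no colons anywhere.
NCNAME_ASCII = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

def is_xml_id(value: str) -> bool:
    """True if value can be used as an ID-typed XML attribute (e.g. xml:id)."""
    return NCNAME_ASCII.match(value) is not None

def new_xml_id(prefix: str = "uuid-") -> str:
    """Random (version 4) UUID with a letter prefix so it is always a valid XML ID."""
    value = f"{prefix}{uuid.uuid4()}"
    if not is_xml_id(value):
        raise ValueError(f"not an NCName: {value}")
    return value

def uuid_urn(u) -> str:
    """URN form of a UUID, 'urn:uuid:...' (accepts a UUID object or its string form)."""
    return uuid.UUID(str(u)).urn

def embed_and_reparse(id_value: str) -> str:
    """Round-trip the id through a serialized XML element to show parsing keeps it intact."""
    root = ET.Element("record", attrib={"id": id_value})
    text = ET.tostring(root, encoding="unicode")
    return ET.fromstring(text).get("id")

if __name__ == "__main__":
    i = new_xml_id()
    print(i, embed_and_reparse(i) == i)
    print(uuid_urn(i[len("uuid-"):]))
```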
Re: Clipper for luggage
Bill Frantz <[EMAIL PROTECTED]> writes:

>I usually travel with zipper closed duffel bags. I fasten the zipper closed
>with a screw link. Anyone can unscrew the link and get into the bag, but it
>does effectively keep the zipper closed in transit. I suppose it also
>provides some level of security because someone wanting to do a quick grab
>from luggage will probably pick a less-secured piece.

When true locks are banned, that's actually a rather good protection mechanism, constituting a type of hashcash for luggage. Someone who's looking for targets of opportunity and has a choice between a Clipper-locked container they can get into almost unnoticed in 5 seconds or something where it'll take a minute or two of obvious fiddling will presumably go for the Clipper-lock. Just don't go overboard with those custom foot-long screw machined "locks".

Peter.
Re: Are there...
Enzo Michelangeli wrote:
>...one-way encryption algorithms guaranteed to be injective (i.e.,
>deterministically collision-free)?

Every encryption algorithm is injective, otherwise decryption would be ambiguous. In other words, if x and x' are two different plaintexts, then E_k(x) != E_k(x').

>I'm looking for algorithms where every piece of code and data is public,
>thus excluding conventional enciphering with a secret key.

Ok, in that case, use a public-key encryption algorithm. Same deal.

And, if you want to ensure that E_k(x) != E_k'(x') whenever (k,x) != (k',x'), define E_k(x) = (k, EE_k(x)) where EE is some public-key encryption algorithm; EE_k(x) denotes the result of encrypting plaintext x under public key k. It can't hurt security to include the public key in the ciphertext.
XML-proof UIDs
Does anyone have robust code to generate globally unique IDs which won't break XML parsing, and work on several platforms?

I was thinking of using an entropy pool to seed a cryptographic PRNG, used to generate a sequence of SHA-1 hashes, dumped to an XML-armored representation.

Thanks.

--
Eugen* Leitl  http://leitl.org
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
A-B-a-b encryption
it came up lately in a discussion, and I couldn't put a name to it:
a means to use symmetric crypto without exchanging keys:

- Alice encrypts M with key A and sends it to Bob
- Bob encrypts A(M) with key B and sends it to Alice
- Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
- Bob decrypts B(M) with key B leaving him with M.

Are there algorithms for this already? What's the scheme called?
I searched Schneier (non-extensively) but couldn't find a reference.

Thanks,

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

time wounds all heels.
  -- groucho marx
Re: 'Smart stamps' next in war on terrorism
"The postal notice itself says this is the first step to identify all senders, so this is not a matter of paranoia, this is reality. The post office is moving towards identification requirements for everyone," said Chris Hoofnagle, associate director of the Electronic Privacy Information Center. Mr. Hoofnagle scoffed at the notion identification could prevent crimes such as the anthrax attacks on members of Congress and news media two years ago. "Anyone resourceful enough to obtain anthrax can get a stamp" without going through the new channels, Mr. Hoofnagle said. A Treasury Department report from the Mailing Industry Task Force also recommended that "the industry promote development of the 'intelligent' mail piece by collaborating with the Postal Service to implement standards and systems to make every mail piece - including packages - unique and trackable." "What happens if I buy stamps and you need one, is it legal for me to give it to you?" Mr. Hoofnagle said. If this foolishness is implemented I'm sure stamp exchanges will become routine at many public and private meetings. Such exchanges could become a good business opportunity. Ari Schwartz, associate director for the Center for Democracy and Technology, said intelligent mail can play an important role and improve the mail system. However, privacy issues must be seriously addressed, and moving forward with the rules on bulk mail could alleviate some concerns, he said. "There is a right to anonymity in the mail. If you look back in the history of this country, the mail has played an important role in free expression and political speech and anonymous mail has provided that," Mr. Schwartz said. As others have mentioned, the Supreme Court has ruled that anonymous correspondence is supported under freedom of political speech. The USPS is a quasi-governmental organization with exclusive legal rights to transport and deliver first-class mail to our mail boxes. 
Exactly the kind of mail, which if anonymous could be protected speech. It seems fair to me that if the USPS wanted to foreclose on our ability to use anonymous first-class mail then they should be willing to give up the exclusivity of their first-class mail franchise, so competitors who will offer this can deliver to postal mail boxes.

steve
Re: Protection against offline dictionary attack on static files
Arcane Jill wrote:
> <... a way to make decryption more expensive ...>

I think it is a neat idea. I think it is best understood as a kind of "key-stretching" akin to iterated hashing of a password, as in:

Secure Applications of Low-Entropy Keys (1998)
John Kelsey, Bruce Schneier, Chris Hall, David Wagner
http://citeseer.nj.nec.com/kelsey98secure.html

I invented it myself at one point, and then subsequently learned that it had already been published. Here are some notes I wrote about it earlier this year:

"""
I've learned that Udi Manber, Martín Abadi [1], Mark Lomas, and Roger Needham [2] have already published one of my ideas -- that of an extra "salt" used to hash passwords, erased, and then brute-force-rediscovered when needed. This kind of thing reassures me that my own part-time, self-directed crypto research isn't too far off the mainstream. Manber's paper [3] is earliest, but Abadi's [4] (published as a Technical Report) contains extra goodies such as consideration of off-line brute force attacks on weak keys used in communication protocols and a comparison to the more widely used key-strengthening of iterated hashing.

[1] http://www.cse.ucsc.edu/~abadi
[2] http://research.microsoft.com/users/needham/
[3] http://citeseer.nj.nec.com/manber96simple.html
[4] http://www.cse.ucsc.edu/~abadi/Papers/pwd-revised.ps
"""

Regards,

Zooko
Fwd: New PGP Universal beta: PGP and S/MIME
fyi

----- Forwarded message from Lucky Green <[EMAIL PROTECTED]> -----

Cpunks,

I spent the last few months working at PGP on a nifty new solution to an old problem: how to get email encryption deployed more widely without requiring user education. Since ideas for solving this problem have been discussed on this mailing list for over 10 years now, some of you might wish to take a peek at the solution that we came up with.

The public beta of PGP Universal 1.1 is now yours to download for free from
http://www.pgp.com/products/beta1.1.html

One of the many interesting features of our approach is the ability to secure all users of a mail server, without the users needing to understand what encryption is or does, no need for MUA-specific plugins, interchangeable use of PGP keys or S/MIME, and much more. And yes, you can still keep your 4096-bit RSA key on your PC only.

I am using PGP Universal myself. It is really cool.

Note that the download of PGP Universal is 322MB in size and requires a dedicated x86 server to install.

Have fun,
--Lucky Green <[EMAIL PROTECTED]>

----- End forwarded message -----

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

"one's profession is a bulwark behind which one may permissibly withdraw when doubts and worries of a general kind assail one."
  - friedrich nietzsche
RE: Protection against offline dictionary attack on static files
Jill's approach to key stretching is not quite the same as the traditional iterated hash. It imposes no cost at encryption time, you only have to work at decryption. This might be valuable when you want to save your files as the Gestapo is breaking down your door.

I've been working on a similar method for use as an anti-censorship tool. Files would be encrypted with a random key and posted on the Internet. The key size would be selected to require a long time to crack: hours, days or even weeks. People in countries behind national Internet filtering could download these files and crack them, possibly telling friends the recovered key. Censors would have to expend a lot of effort trying to learn the files that contained forbidden ideas. It would be inexpensive to create many different encryptions of the same file and mirror them in multiple locations or to flood them on Usenet. The URLs of good stuff could be spread by word of mouth.

Arnold Reinhold

At 2:26 PM -0500 11/12/03, Steve Wang wrote:
> Check PKCS #5: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html
>
> Steve
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arcane Jill
> Sent: Thursday, October 23, 2003 3:21 AM
> To: [EMAIL PROTECTED]
> Subject: Protection against offline dictionary attack on static files
>
> Hi,
>
> It's possible I may be reinventing the wheel here, so my apologies if that's so, but it occurs to me that there's a defence against an offline dictionary attack on an encrypted file. Here's what I mean:
>
> Say you have a file, and you want to keep it secret. What do you do? Obviously you either encrypt it directly, or you store it in an encrypted volume (thereby encrypting it indirectly).
>
> Problem? Maybe an attacker can somehow get hold of the encrypted file or volume ... maybe your laptop gets stolen, maybe other people have access to your machine. In principle, you're protected by your passphrase, but if an attacker can get hold of the file, they can try an offline dictionary attack to guess your passphrase, so unless you're very good at inventing high entropy passphrases /and remembering them without writing them down/, there may still be a risk.
>
> Here's the defence:
>
> To encrypt a file:
>     Generate a random number R between 0 and M-1 (for some fixed M, a power of 256)
>     Type in your passphrase P
>     Let S = R || P (where || stands for concatenation)
>     Let K = hash(S)
>
> K is now your encryption key. R is to be thrown away.
>
> To decrypt the same file:
>     Generate a random number r between 0 and M-1
>     Type in your passphrase P
>     for (int i=r; ; i=(i+1)%M)
>     {
>         Let S = i || P
>         Let K = hash(S)
>         Try to decrypt using key K
>     }
>
> This places a computational burden on your PC at decrypt-time. The larger you choose M, the more CPU time it will take to figure out K. So, you choose M such that it takes your PC about one second to find K, then your attacker will experience the same burden - but multiplied a squillionfold (a "squillion" being the entropy of your passphrase). This means that even if your passphrase consists of just two words from a dictionary, /and/ your attacker suspects this, it will still take him or her over a hundred and fifty years to decrypt (assuming your attacker has a PC of equivalent power). Even if your attacker has a faster PC than you, it will still be relatively easy to pick a strong-yet-memorable passphrase, since better tech can only ease the attacker's problem, not remove it.
>
> All of a sudden, weak passphrases turn into strong ones, and strong passphrases turn into computationally infeasible ones.
>
> Is this useful? Has anyone come up with it before? (Someone must have ... but I don't recall seeing the technique used in applications)
>
> Jill
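Added example, my own code rather than anything from Jill's, Steve's or Arnold's posts: the discarded-salt scheme above in Python, with the two details a working version needs that the pseudocode leaves open. First, "try to decrypt" needs a reliable success test, so a short check value derived from K is stored beside the ciphertext. Second, Jill's loop starts at a random r and wraps around M forever, so a wrong passphrase never terminates; a sequential scan over [0, M) costs the same expected work and fails cleanly after M tries. The range size, hash choice and names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# M in Jill's notation: R is drawn from [0, MAX_R). Kept small here so the demo is quick
# (assumption); in practice you size it to about one second of search on your own machine.
MAX_R = 2 ** 16

def derive_key(r: int, passphrase: str) -> bytes:
    """K = hash(R || P). R is written fixed-width so the concatenation is unambiguous."""
    return hashlib.sha256(r.to_bytes(4, "big") + passphrase.encode("utf-8")).digest()

def key_check(key: bytes) -> bytes:
    """Short tag stored with the ciphertext so the search loop can recognise the right K.
    Without it there is no reliable way to know a trial decryption succeeded."""
    return hashlib.sha256(b"key-check" + key).digest()[:16]

def protect(passphrase: str, max_r: int = MAX_R):
    """Encrypt-time side: pick R, derive K, keep only the check tag. R is discarded."""
    r = secrets.randbelow(max_r)
    key = derive_key(r, passphrase)
    return key, key_check(key)

def recover(passphrase: str, check: bytes, max_r: int = MAX_R):
    """Decrypt-time side: brute-force the discarded R.
    Scans [0, max_r) in order; returns None if no R matches, i.e. the passphrase is wrong,
    instead of looping forever as the wrap-around pseudocode would."""
    for r in range(max_r):
        key = derive_key(r, passphrase)
        if hmac.compare_digest(key_check(key), check):
            return key
    return None

def attacker_work(max_r: int, passphrase_guesses: int) -> int:
    """Worst-case hash evaluations for an offline dictionary attack: each guess costs max_r,
    which is the 'multiplied a squillionfold' effect described in the post."""
    return max_r * passphrase_guesses

if __name__ == "__main__":
    key, check = protect("correct horse battery")
    print(recover("correct horse battery", check) == key)   # True, after up to MAX_R hashes
    print(recover("wrong passphrase", check))               # None
    print(attacker_work(MAX_R, 10 ** 6))
```

Note what the scheme does and does not change: the legitimate user's cost per decryption is M hashes on average, the attacker's cost is M times the number of passphrase guesses, and an attacker with k times the hardware still needs a k times larger M to be slowed by the same factor. The stored check value leaks nothing beyond what the ciphertext already does, since it is a one-way function of K.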