Re: Query about hash function capability

2005-08-05 Thread Jason Holt


On Thu, 4 Aug 2005, Arash Partow wrote:

ie: input1 : abcdefg - h(abcdefg) = 123
   input2 : gabcdef - h(gabcdef) = 123
   input3 : fgabcde - h(fgabcde) = 123


I don't have a formal reference for you, but this seems intuitively correct to 
me: put the strings in a canonical form so that all equivalent strings reduce 
to the same string, then hash conventionally.  E.g., for rotation, the 
canonical form of a string is the rotation which gives the smallest value when 
the string is considered a binary number.  In other words, alphabetize all the 
rotations and then take the first one.


-J

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Clips] Escaping Password Purgatory

2005-08-05 Thread Jerrold Leichter
|  Computer Hardware Software
|  Escaping Password Purgatory
|  David M. Ewalt,  08.03.05, 3:00 PM ET
| 
|  ... I think I have passwords for
|  over 47 different applications both internal and external that I access,
|  and I've acquired those IDs and passwords over several years, says Wayne
|  Grimes, manager of customer care operations for the U.S. Postal Service.
| 
| Try Site Password, 
| http://www.hpl.hp.com/personal/Alan_Karp/site_password/.  It takes a 
| good master password, and a site name, and hashes them together to produce 
| a site-specific password.
| 
Hmm.  I came up with the same idea a while back - though with a different 
constraint:  I think it's reasonable to trade off the one-wayness of the
hash for the ability to work out the password with pencil and paper when
necessary.  Various classic pencil-and-paper encryption systems can be bent
to this purpose.  Since the volume of data encrypted is very small and it's
hard for an attacker to get his hands on more than tiny samples - a given
web site only sees its own password - you don't need much strength to give a
reasonable degree of protection.
-- Jerry
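The hashed site-specific password scheme in the quoted post, as an added example that is neither the HP Site Password tool's code nor Jerry's pencil-and-paper variant. It assumes PBKDF2-HMAC-SHA256 as the one-way function, the normalised site name (with a fixed label) as the salt, and a truncated base64 encoding as the output alphabet; none of those choices are on the page.

```python
import base64
import hashlib


def site_password(master: str, site: str, length: int = 16,
                  iterations: int = 200_000) -> str:
    """Derive a site-specific password from a master password and a site name.

    Added illustration of the quoted idea; not the HP Site Password algorithm.
    Assumptions: PBKDF2-HMAC-SHA256 as the one-way function, the normalised
    site name as the salt, and base64 truncated to `length` characters as
    the password alphabet.
    """
    if not master:
        raise ValueError("master password must not be empty")
    site_norm = site.strip().lower()   # " Example.COM " and "example.com" agree
    if not site_norm:
        raise ValueError("site name must not be empty")
    # A fixed label keeps this derivation separate from any other use of the
    # same master password (domain separation).
    salt = b"site-password-v1:" + site_norm.encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    # The 32-byte output base64-encodes to 44 characters; 16 of them carry
    # 96 bits of the derived key.
    return base64.b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    for site in ("example.com", "Example.com", "other.example"):
        print(site, site_password("correct horse battery staple", site))
```

Because the derivation is one-way, a site that sees its own password learns nothing directly about the master password or about any other site's password; what it can do is guess masters offline, and the iteration count only sets the price per guess, so a weak master remains the main risk (hence the "good master password" in the quoted post). The parameters, label and encoding must stay fixed forever, since changing any of them changes every derived password. This is also exactly what cannot be done with pencil and paper, which is the trade-off Jerry describes.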



Re: Query about hash function capability

2005-08-05 Thread Jerrold Leichter
| Hi all,
| 
| My question relates to hash functions in general and not specifically
| cryptographic hashes. I was wondering if there exists a group of hash
| function(s) that will return an identical result for sequentially
| similar yet rotate/shift wise dissimilar input:
| 
| ie: input1 : abcdefg - h(abcdefg) = 123
| input2 : gabcdef - h(gabcdef) = 123
| input3 : fgabcde - h(fgabcde) = 123
| 
| Here a,b,c,d,e,f,g represent symbols (ie: groups of bits with equivalent
| group sizes etc...)
| 
| I know that one simple hash method would be to add the symbols
| together, but the results would also be equivalent if say the symbols
| were in any order, also collisions would occur with other totally
| dissimilar sequences that happen to have the same sum as the sequence.
| 
| Is there anything out there research/papers etc, or is this a meaningless
| avenue of enquiry?
| 
| 
| any help would be very much appreciated.
Rotate the input string until it has the smallest possible value among all 
possible rotations.  Possible rotations are those that you want to consider 
equivalent under the hash - if you want just "ab" and "ba" as ASCII strings to 
be equivalent, then allow only rotations in units of bytes.  If you also want 
0xc2c4 - the result of rotating that pair of bytes left by one bit - to be 
equivalent, include bit rotations in the possible rotations.  Finally, hash 
using any standard algorithm.  (What this is doing is partitioning the set of 
inputs into equivalence classes - where two inputs are in the same equivalence 
class if they are intended to hash to the same value - and then replacing the 
input string by a unique representative of the equivalence class.  You can 
define equivalence classes any way you like, as long as you can compute a 
unique representative.  For example, a hash that ignores upper/lower case
distinctions is trivially realized by replacing all letters in the input with 
their lower-case equivalents.  That just chooses the all-lower-case version as 
the representative of the set of case-equivalent versions of the string.)

-- Jerry
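The canonical-representative construction that both Jason Holt's reply and Jerry's reply describe, as an added example (not code from either poster): fold the input to the smallest rotation, then apply an ordinary hash. It assumes SHA-256 as the "standard algorithm" and covers the three variants on the page: byte rotations, bit rotations (Jerry's 0xc2c4 case) and case folding.

```python
import hashlib


def min_rotation(data: bytes) -> bytes:
    """Canonical representative under byte rotation: the lexicographically
    smallest of the len(data) rotations ("alphabetize and take the first")."""
    if not data:
        return data
    n = len(data)
    doubled = data + data                     # every rotation is a window of this
    return min(doubled[i:i + n] for i in range(n))


def min_bit_rotation(data: bytes) -> bytes:
    """Canonical representative when rotations by single bits also count as
    equivalent, e.g. b"ab" (0x6162) and its left-by-one rotation 0xc2c4."""
    if not data:
        return data
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    mask = (1 << nbits) - 1
    best = value                              # rotation by 0 bits
    for i in range(1, nbits):
        rotated = ((value << i) | (value >> (nbits - i))) & mask
        best = min(best, rotated)
    return best.to_bytes(len(data), "big")


def rotation_invariant_hash(data: bytes, bitwise: bool = False,
                            case_insensitive: bool = False) -> str:
    """Hash of the equivalence class of `data`: replace the input by the
    chosen unique representative, then hash it (SHA-256 assumed here)."""
    canon = data.lower() if case_insensitive else data   # ASCII case folding
    canon = min_bit_rotation(canon) if bitwise else min_rotation(canon)
    return hashlib.sha256(canon).hexdigest()


if __name__ == "__main__":
    for s in (b"abcdefg", b"gabcdef", b"fgabcde", b"acbdefg"):
        print(s, min_rotation(s), rotation_invariant_hash(s)[:16])
```

Unlike the additive hash in the original question, this collides only across the rotations (or case variants) you declared equivalent, not across arbitrary permutations or unrelated strings with the same sum. Taking the minimum over all rotations costs O(n^2) byte comparisons; for long inputs Booth's least-rotation algorithm finds the same representative in linear time.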




Re: Cross logins

2005-08-05 Thread James A. Donald
--
James A. Donald
  Is it possible for two web sites to arrange for
  cross logins?

Steve Furlong
 Does this question have a practical end in mind? If
 so, can you simplify matters by running both web sites
 on the same host?

The situation envisaged is that A.com is known to B.com,
and trusted by them, but B.com is unknown to A.com.

The context is that I observe in existing internet
currencies a lot of remarkably clumsy procedures to
verify that X is the rightful account holder of account
Y.   Typically the web site that you are trying to
register with will make a microspend to your account,
and you then have to demonstrate knowledge of that
microspend.

It is apparent that tools to facilitate transactions
need to be integrated with nym management software and
reputation management software.

This was discussed long ago, back in the days of the
extropian list, even before the cypherpunks list, but
though a decade has passed, such an integrated tool set
does not yet exist.

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 YrtMBO44wxxM/nfE5hCE0yaIbuhetu6o+aOu+A3/
 4RIHu0PHIJAOz2EHYlgoyDbkJ12edbzWDPGlDCJy7





[Clips] Phil Zimmermann defends his VoIP crypto

2005-08-05 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 5 Aug 2005 12:07:11 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Phil Zimmermann defends his VoIP crypto
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://blogs.zdnet.com/Ou/?p=87

  | George Ou | ZDNet.com

 8/5/2005
  Phil Zimmermann defends his VoIP crypto

 -Posted by George Ou @ 2:06 am
 Security
  Infrastructure

 In response to my last blog "Does Phil Zimmermann need a clue on VoIP?",
 Phil Zimmermann writes this letter defending his recent VoIP demonstration.
 The reason why they (Skype) can make a PKI work so seamlessly is because
 they have a proprietary closed system, where they control everything: the
 servers, the clients, the service provider (namely, Skype), the protocol,
 everything.  If I had that luxury, I could make a PKI work too.  Where PKI
 runs into trouble is when you try to make it work in a heterogeneous
 environment with different service providers with competing interests.  The
 trust model becomes unwieldy.  That's what killed PKI based email
 encryption schemes like PEM and MOSS.  And it has effectively paralyzed
 S/MIME too, because no one uses S/MIME to encrypt their email, despite
 S/MIME's massive deployment advantage owing to its inclusion in Microsoft
 products.  S/MIME requires a PKI to be up and running before you can use
 it, which means the activation energy is too high.  That's why
 essentially all the encrypted email in the world today is encrypted with
 PGP, or other OpenPGP products, which require little activation energy.
 My secure VoIP protocol also requires almost no activation energy, so I
 expect it to do well.  The other VoIP client features that make Skype so
 adaptable to NAT/firewall environments can be implemented in any VoIP
 client, even one that uses my crypto protocol.  The VoIP client I used in
 my prototype was not even mine, it was an open source VoIP client I found
 on the Internet.  I just added my crypto protocol to it for prototyping.
 For a real product, I plan to license a mature full-featured commercial
 VoIP client and add my crypto to that.  I'll make sure it has all the
 NAT/firewall traversal features it needs before I license it.
 I'm surprised you built your case on Skype's non-PKI features, and then
 used that to suggest I haven't a clue.  I don't claim my core competency is
 building the best VoIP client, which is why I'll use someone else's VoIP
 client as a starting point. But I've been thinking about trust models, key
 management, and PKI since before there were any PKIs.  I've picked up at
 least one or two clues along the way.  Maybe more than the makers of
 PKI-based email encryption standards that have been so easily swept aside
 by PGP.
 Regards,
 Phil

 --
 -
 R. A. Hettinga mailto: [EMAIL PROTECTED]
 The Internet Bearer Underwriting Corporation http://www.ibuc.com/
 44 Farquhar Street, Boston, MA 02131 USA
 ... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text




[Clips] Does Phil Zimmermann need a clue on VoIP?

2005-08-05 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 5 Aug 2005 12:06:24 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Does Phil Zimmermann need a clue on VoIP?
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://blogs.zdnet.com/Ou/?p=86

 | George Ou | ZDNet.com

 8/4/2005
  Does Phil Zimmermann need a clue on VoIP?

 -Posted by George Ou @ 11:52 am
 Security
  Infrastructure

 Updated: 8/5/2005 @ 4:06 am Phil Zimmermann of PGP fame, a legend in the
 cryptography world, was cooking up a new secure VoIP brew at last week's
 Black Hat conference-but could he be just a little bit out of touch?  As
 much as I respect the man's intellectual prowess and his contribution to
 the field of cryptography, I don't think I can say the same about his
 product design skills.  Product design and product marketing is less about
 intellectual prowess than understanding the needs of the average human
 user.  When I read about Zimmermann's recent VoIP demonstration at Black
 Hat, it made me doubt his product design skills even more.
 Phil Zimmermann criticizes existing VoIP cryptographic solutions for
 relying on PKI.  Given the fact that Zimmermann's PGP technology has always
 been an alternative to PKI based technologies, one can expect a bit of a
 natural bias against PKI-based solutions.  Just about every other
 PKI-alternative cryptography company has gone as far as declaring PKI dead
 even though PKI has been thriving for the last decade with E-Commerce
 leading the charge in a massive global PKI implementation.  I've personally
 designed and deployed many PKI solutions for large corporations for all
 sorts of security applications ranging from remote VPN access to wireless
 LAN security, and I can attest that the technology is simple, scalable, and
 reliable.  It's an undeniable fact that any solution that promises to
 bypass PKI always ends up being more trouble than it's worth.
 One of the biggest recent successes in VoIP or any application class is the
 phenomenon of Skype.  Skype has managed to gain more users in a single year
 than all of the other VoIP software solutions put together; at last count,
 there were about 148 million downloads of Skype.  Millions of people use it
 every day without even knowing that they are using PKI technology with
 1024-bit RSA keys for secure authentication and 256-bit military grade AES
 encryption.  While other vendors talk the talk about cryptography and how
 nice it would be if only people would use it, Skype actually deployed the
 biggest secure VoIP communications scheme ever using a seamless PKI
 implementation.  Most people just never knew it because Skype spent less
 time talking about it than implementing it.  Looking at Zimmermann's
 PKI-less VoIP cryptography scheme, I doubt it will be as seamless a
 solution.
 On the connectivity side, Zimmermann's demonstration at Black Hat showed
 why Skype still reigns supreme over everyone else.  As a matter of fact,
 Zimmermann's demo almost never left the ground because of router traversal
 problems.  While firewall and router traversal problems aren't uncommon
 among most VoIP solutions, it is one of the biggest impediments (next to
 inadequate or missing microphones on the modern personal computer) to the
 success of VoIP.  The reason Skype exploded onto the scene was that they
 alone understood that the average computer user is in no mood to mess with
 firewall rules, port triggers, and NAT traversal problems and
 probably doesn't even know or care what I'm talking about.  Skype wrapped
 their entire VoIP payload into a simple firewall- and NAT-friendly packet
 and used the power of peer-to-peer technology to make Skype work under any
 environment.  All the complexity is hidden under the hood and even grandma
 can now use PC telephony.
 Skype has set the gold standard for ease-of-use and seamless security.
 Any VoIP solution from this point forward that fails to meet this standard
 will be dead on arrival.  Although it may be too early to tell how
 Zimmermann's solution will fare in the end, it certainly doesn't appear to
 be off to a good start.  Maybe I'm being a bit harsh on a solution that is
 still a work in progress or maybe Zimmermann thinks I'm way off base.  Phil,
 if you're reading this and you want to tell me I'm wrong and why, I'll be
 more than happy to post your reply.


--- end forwarded text



[Clips] Knowing me, knowing you

2005-08-05 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 5 Aug 2005 15:08:12 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Knowing me, knowing you
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.guardian.co.uk/print/0,3858,5254923-103572,00.html

Guardian |

 Knowing me, knowing you

 George Orwell would be shocked at the popular support for the spread of
 surveillance technology, writes Victor Keegan
 Victor Keegan
 Thursday August 4, 2005

 Guardian Unlimited
 There is not much doubt now that the world has entered the age of
 surveillance - with the UK at the leading edge. Britain now has over 4
 million CCTV cameras in operation, the guardian angels of a secular
 society. If a referendum were to be held in the wake of the terrorists'
 attacks recommending cameras on every street it would probably be carried
 overwhelmingly. This is slightly surprising, not just because of the
 long-term implications for civil liberties, but because video cameras do
 not seem to have acted as a deterrent to terrorists, even though they have
 made it easier to identify them afterwards, whether dead or alive.

 The main means of tracking terrorist suspects down has been the monitoring
 of mobile phone conversations. Not only can operators pinpoint users to
 within yards of their location by triangulating the signals from three
 base stations, but - according to a report in the Financial Times - the
 operators (under instructions from the authorities) can remotely install
 software onto a handset to activate the microphone even when the user is
 not making a call. Who needs an ID card when they can do that already?

 On top of all this official scrutiny, there is a growing fashion for mutual
 personal surveillance from the millions of smart phones with built-in
 cameras and video functions that are getting more powerful by the week. It
 won't be long, doubtless, before miniaturised cameras will be embedded in
 spectacles enabling footage to be sent on the hoof to a remote website for
 archival purposes.

 Technology has undoubtedly helped terrorists get organised. The internet is
 a source for fundamentalist proselytising, information about activities
 such as bomb making and links to like-minded people, while mobile phones
 provide constant communication and, in some instances, detonators.

 Technology also offers unprecedented ways to track criminals down. But each
 advance in technological detection produces a counter-reaction from
 terrorists. Just as there has been a move away from laundering money
 through the international banking system (towards cash transactions)
 because of improved governmental monitoring, so the events of the past
 month could persuade terrorists to abandon mobile phones in favour of more
 primitive forms of communication such as one-to-one conversations.

 As technology continues to advance at a breathtaking pace, the future scope
 for finding out who we are is quite awesome. The current issue of Business
 Week lists the ways in which we can be uniquely identified from DNA and
 radio frequency identification tabs (RFID) to body odour, breath or saliva.
 There are even scientists working on gait recognition so future video
 cameras can pick us out from the way we walk in a crowd.

 The danger from all this is that few people will object as long as there is
 a serious threat of terrorism. But once (if?) the threat subsides, the
 infrastructure of surveillance will remain. Then it might not be the police
 reconstructing a fuzzy image from a crowd to catch a terrorist but an
 employee of the imaging company extorting money from someone found in a
 compromising position. As one Business Week contributor observed: "We get
 most of our security from liberty." If George Orwell were alive now (21
 years after the London he depicted in 1984) he would be astonished by the
 fact that the sort of surveillance he feared is supported not by a
 government imposing it from above on an unwilling population but by a
 groundswell of popular support. That's not a problem at the moment. But it
 will be in future, either if we sign away civil liberties permanently in
 response to a temporary emergency or if the cost of installing the
 infrastructure becomes so huge that it erodes our personal prosperity.
 Either way, Bin Laden would have won.


--- end forwarded text



Re: [Clips] Does Phil Zimmermann need a clue on VoIP?

2005-08-05 Thread Victor Duchovni
On Fri, Aug 05, 2005 at 12:07:44PM -0400, R.A. Hettinga wrote:

  http://blogs.zdnet.com/Ou/?p=86
  | George Ou | ZDNet.com
 
  Just about every other
  PKI-alternative cryptography company has gone as far as declaring PKI dead
  even though PKI has been thriving for the last decade with E-Commerce
  leading the charge in a massive global PKI implementation.  I've personally
  designed and deployed many PKI solutions for large corporations for all
  sorts of security applications ranging from remote VPN access to wireless
  LAN security, and I can attest that the technology is simple, scalable, and
  reliable.  It's an undeniable fact that any solution that promises to
  bypass PKI always ends up being more trouble than it's worth.

That is sure some sweet Kool-Aid George got his hands on! I wonder where
I could get some. :-)

-- 

 /\  ASCII RIBBON    Victor Duchovni    NOTICE: If received in error,
 \/  CAMPAIGN        IT Security,       please destroy and notify
  X  AGAINST         Morgan Stanley     sender. Sender does not waive
 /\  HTML MAIL                          confidentiality or privilege,
                                        and use is prohibited.



Re: draft paper: Deploying a New Hash Algorithm

2005-08-05 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Steve Furlong writes:
 [Moderator's note: ... attackers are often cleverer than protocol
 designers. ...

Is that true? Or is it a combination of

(a) a hundred attackers for every designer, and
(b) vastly disparate rewards: continued employment and maybe some
kudos for a designer or implementer, access to $1,000,000,000 of bank
accounts for an attacker


I'd have phrased it differently than Perry did.  I'd say that the 
attackers are often cleverer *about security* than protocol designers, 
because insecurity is their specialty.  Ordinary protocol designers are 
good at designing those protocols, but they haven't been trained to 
think about security.  Here's how I put it in my talk at the IETF 
plenary last night:

\ns{Patterns of Thought}  
\item   Serial number 1 of any new device is delivered to your enemy.
\item   You hand your packets to your enemy for delivery.
\item   Your enemy is just as smart as you are.  If we haven't seen
a given class of attack yet, it's because it hasn't been necessary;
simpler attacks have worked well enough.  (Besides, how do you know
if you'll actually notice it?)
\endns


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


