Re: permutations +- groups

2005-12-22 Thread John Denker
Ben Laurie wrote: Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. There are multiple misconceptions rolled together there. 1) All of the common block ciphers (good and otherwise) are permutations. To prove this, it suffices

Re: another feature RNGs could provide

2005-12-22 Thread Matt Crawford
On Dec 21, 2005, at 0:10, Ben Laurie wrote: Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. A given cipher, with a given key, is a permutation of blocks. (Assuming output blocks and input blocks are the same size.) It may

Re: another feature RNGs could provide

2005-12-22 Thread Ben Laurie
Matt Crawford wrote: On Dec 21, 2005, at 0:10, Ben Laurie wrote: Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. A given cipher, with a given key, is a permutation of blocks. (Assuming output blocks and input blocks are the

RE: another feature RNGs could provide

2005-12-22 Thread Anton Stiglic
Actually, by definition, a cipher should be a permutation from the set of plaintexts to the set of ciphertexts. It has to be 1 to 1 bijective or it isn't an encryption algorithm. Therefore, if you want an ergodic sequence of size 2^N, a counter encrypted under an N bit block cipher will do it.

Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-22 Thread James A. Donald
-- Peter Gutmann In fact the real situation is even worse than this. Although there has been plenty of anecdotal evidence of the ineffectiveness of SSL certificates over the years, it wasn.t until mid-2005 (ten years after their introduction) that a rigorous study of their

Re: another feature RNGs could provide

2005-12-22 Thread Bill Stewart
Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. Actually, by definition, a cipher should be a permutation from the set of plaintexts to the set of ciphertexts. It has to be 1 to 1 bijective or it isn't an encryption

Re: A small editorial about recent events.

2005-12-22 Thread dan
Clinton's Asst. A.G. http://www.chicagotribune.com/news/opinion/chi-0512210142dec21,0,3553632.story? coll=chi-newsopinioncommentary-hed Dick Morris http://www.drudgereport.com/flash7.htm --dan - The Cryptography Mailing

RNG quality verification

2005-12-22 Thread Philipp Gühring
Hi, I have been asked by to verify the quality of the random numbers which are used for certificate requests that are being sent to us, to make sure that they are good enough, and we don´t issue certificates for weak keys. The client applications that generate the keys and issue the

Re: another feature RNGs could provide

2005-12-22 Thread Travis H.
On 12/21/05, Perry E. Metzger [EMAIL PROTECTED] wrote: Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. Actually, by definition, a cipher should be a permutation from the set of plaintexts to the set of ciphertexts. It has to

Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-22 Thread Thor Lancelot Simon
On Sun, Dec 18, 2005 at 09:47:27AM -0800, James A. Donald wrote: Has anyone been attacked through a certificate that would not have been issued under stricter security? The article does not mention any such attacks, nor have I ever heard of such an attack. Ought we forget that two such

Re: RNG quality verification

2005-12-22 Thread Alexander Klimov
On Thu, 22 Dec 2005, Philipp [iso-8859-1] G?hring wrote: I have been asked by to verify the quality of the random numbers which are used for certificate requests that are being sent to us, to make sure that they are good enough, and we don?t issue certificates for weak keys. Consider an

Re: RNG quality verification

2005-12-22 Thread Victor Duchovni
On Thu, Dec 22, 2005 at 10:28:47AM +0100, Philipp G?hring wrote: I think the better way would be if I had a possibility to verify the quality of the random numbers used in a certificate request myself, without the dependence on the vendor. This is impossible. You don't see the raw random

Re: RNG quality verification

2005-12-22 Thread Travis H.
On 12/22/05, Philipp Gühring [EMAIL PROTECTED] wrote: So if I extract the key, remove the first and the last bit, then I should have the pure random numbers that are being used. If I do that with lots of keys, I should have a good amount of random material for the usual statistical tests. The

Comparison of secure email technologies

2005-12-22 Thread Ed Gerck
Thanks for the comments. A new version of the work paper Comparison Of Secure Email Technologies X.509 / PKI, PGP, and IBE is available at http://email-security.net/papers/pki-pgp-ibe.htm The Blog (link in the paper page) contains the most relevant public input; private input is also

Re: RNG quality verification

2005-12-22 Thread Philipp Gühring
Hi Travis, The only thing is, you cannot test in randomness, That´s true, but I can test non-randomness. And if I don´t detect non-randomness, I can assume randomness to a certain extent. and it is an abuse of statistics to make predictions about individual events -- Wasn´t that one of

RNG quality verification

2005-12-22 Thread David Wagner
Philipp G#ring [EMAIL PROTECTED] writes: I have been asked by to verify the quality of the random numbers which are used for certificate requests that are being sent to us, to make sure that they are good enough, and we don´t issue certificates for weak keys. Go tell whoever wrote your

Re: RNG quality verification

2005-12-22 Thread Peter Gutmann
Victor Duchovni [EMAIL PROTECTED] writes: On Thu, Dec 22, 2005 at 10:28:47AM +0100, Philipp G?hring wrote: I think the better way would be if I had a possibility to verify the quality of the random numbers used in a certificate request myself, without the dependence on the vendor. This is