Re: [cryptography] DES history
A question about DES. Did anyone ever try to map or graph the routes through the S-boxes? I mean pictorially. Do the routes produce some kind of wave or path, that have (or have not) relationships with the other routes?

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] FW: Request - PKI/CA History Lesson - the definition of trust
> You're right yes (I did forget :), but if a DNS can somehow guarantee a correct hostname-IPAddress mapping, then it can also guarantee a correct hostname-public key (or self signed certificate) mapping. WebServers would present a self-signed certificate with the public key to HTTPS(TLS) clients, and the client side PKIX chain validation would need to be modified to validate the public key matches that which is in the DNS.

You're not the first person to think of this idea, and might want to read RFCs 6698 and 6394.

R's,
John
Re: [cryptography] DES history
On 05/05/2014 09:08 PM, Givon Zirkind wrote:
> A question about DES. Did anyone ever try to map or graph the routes through the S-boxes? I mean pictorially. Do the routes produce some kind of wave or path, that have (or have not) relationships with the other routes?

This is a vague question, but here is a somewhat specific answer that may entirely miss what you are asking.

Any wave or path in the output would suggest (to me anyway) that linear pieces of the input are mapped to more or less linear pieces in the output (because any curve is just a number of connected straight lines, as far as these concepts transfer to discrete spaces). Such dependencies in the S-Box would suggest a high linearity, which makes the cipher weak to differential cryptanalysis [1]. This is highly undesirable, and must be avoided. It is well known that the DES S-Boxes were specifically designed (by the NSA, no less, back in the good ol' days) to protect against that attack. This means that any trivial plotting of the DES S-Boxes should show a highly non-linear output dependency from the input.

As for the inter-dependencies between the different routes: S-Boxes (in general) can be pairwise equivalent modulo some trivial transformation (linear, affine, CCZ), and such equivalent could be plotted showing an interesting (in this case even linear, affine or CCZ) relationship. You can find an analysis of the interdependency of the S-Boxes used in various ciphers in [2] A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms (Biryukov et al), Section 5. Specifically, for DES (Section 4.2, 5.3): "The algorithm showed that no affine equivalences exist between any pair of S-boxes, with the single exception of S4 with itself.", which was apparently already derived by looking at patterns in the lookup table in a 1976 paper by Hellman et al, Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard.

I don't know (but also haven't checked) of any low-degree (quadratic, cubic) versions of the linear (or affine) analysis mentioned.

[1] http://en.wikipedia.org/wiki/Differential_cryptanalysis
[2] http://www.cosic.esat.kuleuven.be/publications/article-16.pdf

Does this answer your question?

Thanks,
Marcus
Re: [cryptography] DES history
On 05/05/2014 10:37 PM, Marcus Brinkmann wrote:
> On 05/05/2014 09:08 PM, Givon Zirkind wrote:
>> A question about DES. Did anyone ever try to map or graph the routes through the S-boxes? I mean pictorially. Do the routes produce some kind of wave or path, that have (or have not) relationships with the other routes?
>
> [...]
>
> I don't know (but also haven't checked) of any low-degree (quadratic, cubic) versions of the linear (or affine) analysis mentioned.

Replying to myself, a quick google search turns up a quadratic analysis:

Natalia N. Tokareva, k-Bent functions and quadratic cryptanalysis of block ciphers
http://mc3.i3s.unice.fr/seminaires/seminaires_mc3/2007_2008/08-08-08_tokareva.pdf

Page 42: We test permutations with the most high nonlinearity NL = 4 recommended for using in S-boxes of GOST 28147-89, DES, s3DES and found that for all of them (excepting one) our cryptanalysis gives quadratic relations with probability 7/8 whereas any linear equality has probability not more then 3/4.

Well, in any case, glancing over that paper may give you an idea what is involved today in such analysis: They are definitely not done visually, but involve a lot of higher algebra. It's not 1976 anymore :)

Thanks,
Marcus
Re: [cryptography] DES history
On Mon, 5 May 2014, Marcus Brinkmann wrote:
> It is well known that the DES S-Boxes were specifically designed (by the NSA, no less, back in the good ol' days) to protect against that attack.

If I recall Schneier, the S-boxes were *modified* by the NSA, not designed.

-- Dave
Re: [cryptography] DES history
> A question about DES. Did anyone ever try to map or graph the routes through the S-boxes? I mean pictorially. Do the routes produce some kind of wave or path, that have (or have not) relationships with the other routes?

Mentioned in Schneier, I believe.

-- Dave
Re: [cryptography] DES history
On 6 May 2014 at 8:35, Dave Horsfall wrote:
> On Mon, 5 May 2014, Marcus Brinkmann wrote:
>> It is well known that the DES S-Boxes were specifically designed (by the NSA, no less, back in the good ol' days) to protect against that attack.
>
> If I recall Schneier, the S-boxes were *modified* by the NSA, not designed.

More than that, the modifications *improved* the S-boxes --- they made DES resistant to differential attacks that [AFAIK] weren't yet known in the civilian community. I think it was only after a few years that the impact of their changes was understood [and that it was a good thing].

/Bernie\
--
Bernie Cosell Fantasy Farm Fibers
mailto:ber...@fantasyfarm.com Pearisburg, VA
-- Too many people, too few sheep --
Re: [cryptography] DES history
On 05/06/2014 01:20 AM, Bernie Cosell wrote:
> On 6 May 2014 at 8:35, Dave Horsfall wrote:
>> On Mon, 5 May 2014, Marcus Brinkmann wrote:
>>> It is well known that the DES S-Boxes were specifically designed (by the NSA, no less, back in the good ol' days) to protect against that attack.
>>
>> If I recall Schneier, the S-boxes were *modified* by the NSA, not designed.
>
> More than that, the modifications *improved* the S-boxes --- they made DES resistant to differential attacks that [AFAIK] weren't yet known in the civilian community. I think it was only after a few years that the impact of their changes was understood [and that it was a good thing].

On rereading the Wikipedia article on DES history, the whole story seems to be considerably muddier than I recalled at first.

On the one hand, the article cites Schneier Applied Cryptography (2nd ed.), p. 280, quoting Alan Konheim (one of the designers of DES) with: "We sent the S-boxes off to Washington. They came back and were all different."

On the other hand the article says that Steven Levy (Crypto) claims that IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.

Yet again the United States Senate Select Committee on Intelligence is cited with: "In the development of DES, NSA [...] indirectly assisted in the development of the S-box structures."

Also, the article cites a declassified NSA book on cryptologic history with: "NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes."

I guess a more careful review of the evidence is required to make heads and tails of it.

Thanks,
Marcus
Re: [cryptography] Request - PKI/CA History Lesson - the definition of trust
On 2014-05-05, at 1:12 PM, pjklau...@gmail.com pjklau...@gmail.com wrote:
> -Original Message-
> From: Jeffrey Goldberg [mailto:jeff...@goldmark.org]
>
>> Just because you are talking to the right IP address doesn't mean you are talking the right host.
>
> You're right yes (I did forget :), but if a DNS can somehow guarantee a correct hostname-IPAddress mapping, then it can also guarantee a correct hostname-public key (or self signed certificate) mapping.

Ah. OK. Thanks for spelling that out for me. Now it makes sense.

Cheers,
-j