Re: [Cryptography] Perfection versus Forward Secrecy
I wouldn't mind if it had been called Pretty Good Forward Secrecy instead, but it really is a lot better than regular public key. My point was that the name is misleading and causes people to look for more than is there. There doesn't seem to be much downside to just calling it Forward Secrecy rather than Perfect Forward Secrecy. We all seem to agree that it isn't perfect, and that it is a step forward in security, at a moderate cost in latency and performance.

John

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
zooko zo...@zooko.com writes:

> I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin were stolen by exploiting this, for example: http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/

Was that the change that was required by FIPS 140, or a different vuln?

Peter.
Re: [Cryptography] Radioactive random numbers
Dave Horsfall d...@horsfall.org writes:

> Given that there is One True Source of randomness to wit radioactive emission, has anyone considered playing with old smoke detectors? The ionising types are being phased out in favour of optical (at least in Australia) so there must be heaps of them lying around.

If you're in Australia you don't need to use smoke detectors, you've got direct access to the real stuff. I've used a lump of Australian uranium ore with my geiger counter in the past. Problem is that this is hardly scalable.

Peter.
Re: [Cryptography] Radioactive random numbers
On Wed, Sep 11, 2013 at 4:18 PM, Perry E. Metzger pe...@piermont.com wrote:

> The attraction of methods that use nothing but a handful of transistors is that they can be fabricated on chip and thus have nearly zero marginal cost. The huge disadvantage is that if your opponent can convince chip manufacturers to introduce small changes into their design, you're in trouble.

It seems like Intel's approach of using thermal noise is fairly sound. Is there any reason why it isn't more widely adopted? Patents?

http://electronicdesign.com/learning-resources/understanding-intels-ivy-bridge-random-number-generator

--
Tony Arcieri
Re: [Cryptography] Radioactive random numbers
On 09/11/2013 07:18 PM, Perry E. Metzger wrote:

> The attraction of methods that use nothing but a handful of transistors is that they can be fabricated on chip and thus have nearly zero marginal cost. The huge disadvantage is that if your opponent can convince chip manufacturers to introduce small changes into their design, you're in trouble.
>
> Perry

And this is the reason that I'd be in favour of diversity -- using sound cards, lava-lamps, etc, etc. Sources that don't explicitly identify themselves as the random number generator. There's no way for a bad actor to cover all the bases, and since these things are primarily used for things other than random-number sources, it may be hard to break them in ways that don't also break their primary purpose (although, if you're just mucking with the low-order noise bits of some arbitrarily-chosen digitization of a real-world source, it would be hard to tell the difference).

--
Marcus Leech
Principal Investigator
Shirleys Bay Radio Astronomy Consortium
http://www.sbrac.org
Re: [Cryptography] Impossible trapdoor systems (was Re: Opening Discussion: Speculation on BULLRUN)
On 09/08/2013 11:49 AM, Perry E. Metzger wrote:

> That said, your hypothetical seems much like "imagine that you can float by the power of your mind alone." The construction of such a cipher with a single master key that operates just like any other key seems nearly impossible, and that should be obvious.

True. A universal key that uses the same decryption operation as a normal key is clearly stupid.

I guess the thing I was thinking of is that the attacker knows a method that allows him to decrypt anything if he knows the IV, but cannot recover the key used to encrypt it. Which is of course a public-key system, where the decryption method is the private key and the IV is the public key. The thing I was thinking of as a key functions as a nonce or subkey which allows people unrelated to the private key holder to communicate semi-privately by shared secret, but the private key is a backdoor on their communication.

Duh. Sorry, just wasn't thinking of the right parallel mapping of what I described. For the cipher itself to function as a key sort of escaped my attention. Sorry to waste time.

Ray.
[Cryptography] NIST announcement about Dual_EC_DRBG
NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used.

http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf

- johnk
Re: [Cryptography] Matthew Green on BULLRUN: briefly censored
http://blog.cryptographyengineering.com/2013/09/on-nsa.html

Johns Hopkins University censored this exact blog post by Prof. Green, because of a complaint from its local defense contractor affiliated with NSA, the Applied Physics Laboratory (https://en.wikipedia.org/wiki/Applied_Physics_Laboratory). The university gets slight credit for backtracking one day after the censorship story hit Twitter and the press. So the blog post is now back (and is still worth reading).

Here's the story:

http://www.theguardian.com/commentisfree/2013/sep/10/nsa-matthew-green-takedown-blog-post-johns-hopkins
http://www.techdirt.com/articles/20130909/11193024453/johns-hopkins-tells-security-researcher-to-remove-blog-post-about-nsa-encryption-attacks-university-server.shtml
http://arstechnica.com/security/2013/09/crypto-prof-asked-to-remove-nsa-related-blog-post/
http://blog.cryptographyengineering.com/2013/09/a-note-on-nsa-future-and-fixing-mistakes.html

Now, why is it that so many folks with links to NSA think like totalitarians? It's wonderful seeing them crawl out of the woodwork and try to give orders to the public about what it is allowed to think, what it is allowed to read, and what it is allowed to write. It's only wonderful because the huge public counter-reaction protects us -- the totalitarians reveal their true colors, but they don't actually get to tell us what to do.

Thank you, fellow denizens of the world, for creating your own freedom, by making a lot of noise when some NSA-affiliated idiot tries to take it away.

John

PS: How much NSA tax money does JHU's Applied Physics Lab get? I don't know, but here's a guy on LinkedIn who worked at NSA in the past, works at the Lab today, and brags that he's managing a $120M contract from NSA: http://www.linkedin.com/pub/john-trent/18/a95/b04
Re: [Cryptography] Radioactive random numbers
On Wed, 11 Sep 2013 17:06:00 -0700 Tony Arcieri basc...@gmail.com wrote:

> It seems like Intel's approach of using thermal noise is fairly sound. Is there any reason why it isn't more widely adopted?

Actually, I think things like this mostly have been missing because manufacturers didn't understand they were important. Even the Raspberry Pi now has an SoC with a hardware RNG.

In addition to getting CPU makers to always include such things, however, a second vital problem is how to gain trust that such RNGs are good -- both that a particular unit isn't subject to a hardware defect and that the design wasn't sabotaged. That's harder to do.

Perry

--
Perry E. Metzger pe...@piermont.com
Re: [Cryptography] Radioactive random numbers
On Wed, 11 Sep 2013 21:06:35 -0400 Marcus D. Leech mle...@ripnet.com wrote:

> And this is the reason that I'd be in favour of diversity -- using sound cards, lava-lamps, etc, etc. Sources that don't explicitly identify themselves as the random number generator.

As a practical matter, though, people aren't going to put lava lamps and cameras in their colos along with every 1U box and blade server. They also won't attach them to the $40 boxes they buy at Best Buy.

Good solutions probably involve hardware that is well tested, on motherboard, dirt cheap and easy for software to field validate. Yes, this is hard.

Perry

--
Perry E. Metzger pe...@piermont.com
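The "easy for software to field validate" part of Perry's two messages above, as an added example that is not code from the thread: the continuous health tests a driver or firmware can run on raw hardware-RNG samples. The two tests and their cutoff formulas are modelled on the Repetition Count Test and Adaptive Proportion Test of NIST SP 800-90B (a false-alarm rate of 2^-20 and a 512-sample window are that document's defaults, assumed here); the sample streams are constructed, not captured from any device. The predictable counter stream is included on purpose: it passes both tests, which is exactly the limit of what field checks like this can establish. They catch a wedged or badly biased unit, not a sabotaged design.

```python
# Added example, not from the mailing-list thread: continuous health tests a
# driver or firmware can run on raw hardware-RNG samples, modelled on the
# Repetition Count Test and Adaptive Proportion Test of NIST SP 800-90B
# (cutoff formulas as given there, for a false-alarm rate alpha = 2^-20).
# They catch gross failures, a wedged or badly biased source; they are not
# an entropy proof and cannot see a subtle design change. All sample streams
# below are constructed, not captured from hardware.
import math
import os


def rct_cutoff(h_min, alpha=2.0 ** -20):
    """Repetition Count Test cutoff: a value repeating this many times in a
    row is rejected. h_min is the claimed min-entropy per sample, in bits."""
    return 1 + math.ceil(-math.log2(alpha) / h_min)


def apt_cutoff(h_min, window=512, alpha=2.0 ** -20):
    """Adaptive Proportion Test cutoff: smallest C such that, if no value
    has probability above 2^-h_min, seeing C or more copies of one value in
    a window of `window` samples has probability at most alpha."""
    p = 2.0 ** -h_min
    tail = 0.0  # P[X >= c] for X ~ Binomial(window, p), summed from the top
    for c in range(window, -1, -1):
        tail += math.comb(window, c) * p ** c * (1.0 - p) ** (window - c)
        if tail > alpha:
            return c + 1
    return 1


def health_check(samples, h_min=8, window=512):
    """Run both tests over a bytes object; return (ok, reason)."""
    rc, ac = rct_cutoff(h_min), apt_cutoff(h_min, window)
    prev, run = None, 0
    for s in samples:  # RCT: consecutive identical samples
        run = run + 1 if s == prev else 1
        prev = s
        if run >= rc:
            return False, f"repetition count {run} >= {rc}"
    for start in range(0, len(samples) - window + 1, window):  # APT
        win = samples[start:start + window]
        count = win.count(win[0])  # copies of the window's first sample
        if count >= ac:
            return False, f"adaptive proportion {count} >= {ac}"
    return True, "pass"


def demo():
    """Three constructed streams of 4096 samples, plus one from os.urandom."""
    counter = bytes(range(256)) * 16                     # fully predictable
    stuck = bytes([0x5A]) * 4096                         # wedged source
    biased = bytes(0x00 if i % 16 == 0 else b            # one value too common
                   for i, b in enumerate(counter))
    return {
        "counter": health_check(counter),   # passes: tests are not proof
        "stuck": health_check(stuck),       # RCT trips at the 4th repeat
        "biased": health_check(biased),     # APT trips: 32 zeros per window
        "urandom": health_check(os.urandom(4096)),
    }
```

With h_min = 8 bits per byte the repetition cutoff is 4 and the adaptive-proportion cutoff for a 512-byte window works out to 13, so the stuck source fails on its fourth sample and the biased one fails in its first window. In a real driver the tests run on the raw noise-source output, before any conditioning, because a whitened output from a dead source looks fine to both.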
Re: [Cryptography] Perfection versus Forward Secrecy
On Wed, Sep 11, 2013 at 8:00 PM, John Gilmore g...@toad.com wrote:

> There doesn't seem to be much downside to just calling it Forward Secrecy rather than Perfect Forward Secrecy. We all seem to agree that it isn't perfect, and that it is a step forward in security, at a moderate cost in latency and performance.

What's really bothered me about the phrase "perfect forward secrecy" is it's being applied to public key algorithms we know will be broken as soon as a large quantum computer has been built (in e.g. a decade or two). Meanwhile people seem to think that it's some sort of technique that will render messages unbreakable forever.

--
Tony Arcieri