Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?
TLS was designed to support multiple ciphersuites. Unfortunately this opened the door to downgrade attacks, and transitioning to protocol versions that wouldn't do this was nontrivial. The ciphersuites included all shared certain misfeatures, leading to the current situation.

On the other hand, negotiation let us deploy it in places where full-strength cryptography is/was regulated. Sometimes half a loaf is better than nothing.

/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
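A toy model of the negotiation-versus-downgrade tension described in the post above, added here as an illustration and not taken from the thread: the suite names, strength ranks and shared key are constructed, and the Finished-style MAC stands in for the transcript authentication that lets the peers notice an on-path edit of the offered list.

```python
import hashlib
import hmac

# Constructed suite names and strength ranks (higher is stronger); not the real TLS registry.
STRENGTH = {"EXPORT-RC4-40-MD5": 0, "RC4-MD5": 1, "AES128-CBC-SHA": 2, "AES256-GCM-SHA384": 3}
OFFER = ["AES256-GCM-SHA384", "AES128-CBC-SHA", "RC4-MD5", "EXPORT-RC4-40-MD5"]
SERVER_SUPPORTED = set(STRENGTH)


def choose_suite(offered, supported):
    """Server policy: pick the strongest suite both sides support."""
    common = [s for s in offered if s in supported]
    if not common:
        raise ValueError("no common ciphersuite")
    return max(common, key=STRENGTH.__getitem__)


def finished_mac(key, transcript):
    """Finished-style MAC over the handshake messages as one side saw them."""
    return hmac.new(key, "|".join(transcript).encode(), hashlib.sha256).digest()


def strip_strong(offer):
    """Models an on-path edit of the ClientHello: only suites ranked at or below RC4 survive."""
    return [s for s in offer if STRENGTH[s] <= 1]


def handshake(client_offer, server_supported, on_path=None, authenticate_offer=True,
              key=b"constructed shared secret"):
    """Simulate one negotiation; returns (chosen suite, whether the Finished check passed).

    `key` stands in for the secret both sides derive from the key exchange. The
    check only helps while an attacker cannot recover that secret, which the
    export-grade suites the post alludes to do not guarantee.
    """
    wire_offer = on_path(client_offer) if on_path else client_offer
    chosen = choose_suite(wire_offer, server_supported)
    client_view = ["ServerHello:" + chosen]
    server_view = ["ServerHello:" + chosen]
    if authenticate_offer:
        # Each side MACs the ClientHello it actually saw; tampering makes them differ.
        client_view.insert(0, "ClientHello:" + ",".join(client_offer))
        server_view.insert(0, "ClientHello:" + ",".join(wire_offer))
    ok = hmac.compare_digest(finished_mac(key, client_view), finished_mac(key, server_view))
    return chosen, ok
```

With `authenticate_offer=False` the same edited offer is accepted silently, which is the situation the post describes for protocols whose negotiation was not covered by the transcript check.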
Re: [Cryptography] prism-proof email in the degenerate case
The simple(-minded) idea is that everybody receives everybody's email, but can only read their own. Since everybody gets everything, the metadata is uninteresting and traffic analysis is largely fruitless.

Some traffic analysis is still possible based on just the message originator. If I see a message from A, and then soon see messages from B and C, then I can perhaps assume they are collaborating. If A's message is significantly larger than the other two, then perhaps they're taking some kind of vote.

So while it's a neat hack, I think the claims are overstated.

/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
[Cryptography] P=NP on TV
Last week, the American TV show Elementary (a TV who-done-it) was about the murder of two mathematicians who were working on a proof of P=NP. The implications for crypto, and being able to crack into servers, were covered. It was mostly accurate, up until the deus ex machina of the NSA hiding all the loose ends at the last minute. :)

Fun and available at http://www.cbs.com/shows/elementary/video/

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: [Cryptography] PRISM-Proofing and PRISM-Hardening
Bill said he wanted a piece of paper that could help verify his bank's certificate. I claimed he's in the extreme minority who would do that and he asked for proof.

I can only, vaguely, recall that one of the East Coast big banks (or perhaps the only one that is left) at one point had a third-party cert for their online banking and that it encouraged phishing of their customers.

See also http://en.wikipedia.org/wiki/Phishing#cite_note-87 and http://en.wikipedia.org/wiki/Phishing#cite_note-88, which say that simple things like showing the right image don't work.

/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: [Cryptography] PRISM-Proofing and PRISM-Hardening
> I know I would be a lot more comfortable with a way to check the mail against a piece of paper I received directly from my bank.

I would say this puts you in the sub 1% of the populace. Most people want to do things online because it is much easier and gets rid of paper. Those are the systems we need to secure.

Perhaps another way to look at it: how can we make out-of-band verification simpler?

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: [Cryptography] About those fingerprints ...
> Yesterday, Apple made the bold, unaudited claim that it will never save the fingerprint data outside of the A7 chip. Why should we trust Cook Co.?

I'm not sure it matters. If I want your fingerprint, I'll lift it off your phone.

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: [Cryptography] Opening Discussion: Speculation on BULLRUN
> then maybe it's not such a silly accusation to think that root CAs are routinely distributed to multinational secret
> services to perform MITM session decryption on any form of communication that derives its security from the CA PKI.

How would this work, in practice? How would knowing a CA's private key give them knowledge of my key? Or if they issued a fake certificate and keypair, how does that help? They'd also have to suborn DNS and IP traffic such that it would, perhaps eventually or perhaps quickly, become obvious.

What am I missing?

/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: [Cryptography] Opening Discussion: Speculation on BULLRUN
> * NSA employees participated throughout, and occupied leadership roles in the committee and among the editors of the documents
>
> Slam dunk. If the NSA had wanted it, they would have designed it themselves. The only conclusion for their presence that is rational is to sabotage it [3].

No. One mission of the NSA is to protect US government secrets. Since the government can no longer afford to specify their own security products all the time (or rather, the computer market has become commoditized), the NSA has an interest in making standard COTS products be secure.

I do not know if the NSA worked to subvert IETF specifications, but participation isn't proof of it.

/r$

Flaming Carrot!... Do you see Communists behind every bush? No... but SOMETIMES they hide there.

--
Principal Security Engineer
Akamai Technology
Cambridge, MA