Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)
On Mar 25, 2012, at 1:16 PM, Florian Weimer wrote:

> * Thierry Moreau:
>
>> The unusual public RSA exponent may well be an indication that the signature key pair was generated by a software implementation not encompassing the commonly-agreed (among number-theoreticians having surveyed the field) desirable strategies.
>
> I don't think this conclusion is warranted. Most textbooks covering RSA do not address key generation in much detail. Even Menezes et al. (1996) is a bit sketchy, but it mentions e=3 and e=2**16+1 as used in practice. Knuth (1981) fixes e=3. On the other side, two popular cryptography textbooks, Schneier (1996) and Stinson (2002), recommend choosing e randomly. None of these sources gives precise guidance on how to generate the key material, although Menezes et al. gives several examples of what you should not do.

2^16+1 (or numbers of that pattern) give good performance for encryption or for signature verification. NIST's standards require that public keys be odd, positive [sic] integers between 65537 and 2^256-1 (http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf).

--Steve Bellovin, https://www.cs.columbia.edu/~smb

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
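As an added example (not part of the thread, and not code from any of the posters), the following Python puts the three points above into runnable form: the SP 800-78-3 range check Steve quotes, the square-and-multiply cost that makes 2^16+1 cheap for encryption and verification, and the gcd(e, (p-1)(q-1)) check that a fixed e and a random e must both pass at key-generation time. All function names are this example's own; the key sizes are toy-sized and the primality and keygen code is textbook only, not something to generate real keys with.

```python
"""Added example: RSA public-exponent checks. Not code from the thread or any
poster; names are this example's own, key sizes are toy-sized, and the
Miller-Rabin/keygen code is textbook only (do not use it for real keys)."""
import random
from math import gcd

NIST_MIN_E = 65537            # 2^16 + 1, the lower bound quoted in the thread
NIST_MAX_E = 2**256 - 1       # the upper bound quoted from SP 800-78-3
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def exponent_in_nist_range(e: int) -> bool:
    """SP 800-78-3 constraint as quoted: odd and 65537 <= e <= 2^256-1."""
    return e % 2 == 1 and NIST_MIN_E <= e <= NIST_MAX_E


def square_multiply_cost(e: int) -> tuple:
    """(squarings, multiplications) for left-to-right square-and-multiply by e.

    65537 = 0b1_0000_0000_0000_0001 costs 16 squarings and 1 multiply; a
    random 256-bit e costs 255 squarings and about 127 multiplies. That is
    the performance case for e = 2^16+1 in encryption and verification.
    """
    bits = bin(e)[2:]
    return len(bits) - 1, bits.count("1") - 1


def random_public_exponent(rng: random.Random, bits: int = 256) -> int:
    """Schneier/Stinson-style random e, forced odd and exactly `bits` long
    so it lands inside the NIST range above."""
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1


def exponent_valid_for(e: int, p: int, q: int) -> bool:
    """e must be invertible mod (p-1)(q-1), or no private exponent d exists.
    A fixed e = 3 fails whenever p or q is 1 mod 3, so key generation must
    reject those primes; a random e needs exactly the same check."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # witness found: n is composite
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random probable prime of exactly `bits` bits."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, rng):
            return n


def generate_rsa(bits: int, e: int, rng: random.Random):
    """Textbook keygen for a caller-chosen e; returns ((n, e), (n, d)).
    Retries until p != q and gcd(e, (p-1)(q-1)) == 1."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        if p != q and exponent_valid_for(e, p, q):
            d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python >= 3.8)
            return (p * q, e), (p * q, d)


def roundtrip(m: int, public, private) -> int:
    """Encrypt m under (n, e) and decrypt under (n, d); returns the result."""
    n, e = public
    _, d = private
    return pow(pow(m, e, n), d, n)


if __name__ == "__main__":
    rng = random.Random(2012)
    for e in (3, 65537, random_public_exponent(rng)):
        print(e.bit_length(), "bits; in NIST range:", exponent_in_nist_range(e),
              "; (squarings, multiplies) =", square_multiply_cost(e))
    pub, priv = generate_rsa(64, 65537, rng)
    print("64-bit demo key round trip:", roundtrip(12345, pub, priv) == 12345)
```

The cost function is the whole performance argument in one line: the operation count of modular exponentiation tracks the bit length and Hamming weight of e, and 65537 minimises both while still being large enough to clear the small-exponent attacks that rule out e=3 for unpadded use. The gcd check is what the "random e" school and the "fixed e" school share; a generator that skips it produces keys with no valid d.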
Re: [cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)
On Sat, 24 Mar 2012 02:29:30 -0500 Marsh Ray ma...@extendedsubset.com wrote:

> If you're looking for someplace to feel subversive around, this isn't it. Crypto is a mainstream engineering discipline these days, and one greatly needed by modern civilization.

Unfortunately, there is still a great deal of resistance to the notion that cryptography is something that people should have, at least cryptography without backdoors. When last I checked, the Department of Justice was still pushing communication service providers to include some sort of back door, so that law enforcement agencies can decrypt the encrypted communications of suspects in criminal cases. They basically think that the Hushmail model is the right one:

http://judiciary.house.gov/hearings/hear_02172011.html

(Apologies for the length; the summary is this: the FBI is worried about criminals or terrorists using encryption to hide their communications from law enforcement and national security agencies, as well as the lack of CALEA-style systems on the Internet. They are asking for a law that requires communications service providers to provide plaintexts if it is possible to do so, e.g. Hushmail-style decryption. The FBI insists that they are not talking about key escrow or key recovery, and they avoid using the term back door to describe what they want.)

Even worse, here at UVA we had a graduate student who was denied entry because he traveled to a cryptography conference (he is here on a student visa, and is a Chinese citizen). The State Department would not allow him to come back to school unless he switched fields and stopped doing computer security work. He is working on wireless sensor networks now -- clearly a field that could not possibly have any national security implications.

The law has definitely improved over what cryptographers faced in the 90s, but the attitudes have not. The US government still wants a system where encrypted communications can be arbitrarily decrypted, they just dress up the argument and avoid using dirty words like key escrow.

-- Ben

-- 
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

"If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell
Re: [cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)
On Sun, Mar 25, 2012 at 9:45 AM, Benjamin Kreuter brk...@virginia.edu wrote:
> ...
> The law has definitely improved over what cryptographers faced in the 90s, but the attitudes have not. The US government still wants a system where encrypted communications can be arbitrarily decrypted, they just dress up the argument and avoid using dirty words like key escrow.

now they pay to sidestep crypto entirely:

iOS up to $250,000
Chrome or IE up to $200,000
Firefox or Safari up to $150,000
Windows up to $120,000
MS Word up to $100,000
Flash or Java up to $100,000
Android up to $60,000
OSX up to $50,000

via http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

plenty of weak links between you and privacy...
Re: [cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)
On Mar 25, 2012, at 1:22 PM, coderman wrote:

> now they pay to sidestep crypto entirely:
>
> iOS up to $250,000
> Chrome or IE up to $200,000
> Firefox or Safari up to $150,000
> Windows up to $120,000
> MS Word up to $100,000
> Flash or Java up to $100,000
> Android up to $60,000
> OSX up to $50,000
>
> via http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
>
> plenty of weak links between you and privacy...

This is precisely the point I've made: the budget way to break crypto is to buy a zero-day. And if you're going to build a huge computer center, you'd be better off building fuzzers than key crackers.

Jon
Re: [cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)
On Mar 25, 2012, at 10:43 PM, Jon Callas wrote:

> On Mar 25, 2012, at 1:22 PM, coderman wrote:
>
>> now they pay to sidestep crypto entirely:
>>
>> iOS up to $250,000
>> Chrome or IE up to $200,000
>> Firefox or Safari up to $150,000
>> Windows up to $120,000
>> MS Word up to $100,000
>> Flash or Java up to $100,000
>> Android up to $60,000
>> OSX up to $50,000
>>
>> via http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
>>
>> plenty of weak links between you and privacy...
>
> This is precisely the point I've made: the budget way to break crypto is to buy a zero-day. And if you're going to build a huge computer center, you'd be better off building fuzzers than key crackers.

Bingo. To quote myself, you don't go through strong security, you go around it.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: [cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)
ianG writes:

> On 26/03/12 07:43 AM, Jon Callas wrote:
>
>> This is precisely the point I've made: the budget way to break crypto is to buy a zero-day. And if you're going to build a huge computer center, you'd be better off building fuzzers than key crackers.
>
> point of understanding - what do you mean by fuzzers?

Automatically trying to make software incur faults with large amounts of randomized (potentially invalid) input.

https://en.wikipedia.org/wiki/Fuzz_testing

If you get an observable fault you can repeat the process under a debugger and try to understand why it occurred and whether it is an exploitable bug.

Here's a pretty detailed overview:

https://www.blackhat.com/presentations/bh-usa-07/Amini_and_Portnoy/Whitepaper/bh-usa-07-amini_and_portnoy-WP.pdf

When it was first invented, fuzzing basically just consisted of feeding random bytes to software, but now it can include sophisticated understanding of the kinds of data that a program expects to see, with some model of the internal state of the program. I believe there are also fuzzers that examine code coverage, so they can give feedback to the tester about whether there are parts of the program that the fuzzer isn't exercising.

-- 
Seth David Schoen sch...@loyalty.org        | No haiku patents
     http://www.loyalty.org/~schoen/        | means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |-- Don Marti
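As an added example (not part of the thread, and not any real fuzzer), the following Python is a minimal coverage-guided mutation fuzzer in the shape Seth describes: random byte-level mutations, a seed corpus standing in for the model of the data the program expects, and line-coverage feedback deciding which inputs are worth mutating further. The target parser, its toy record format and its off-by-one bug are constructed for the example; every name is this example's own. The distinction the loop relies on is between the parser's expected rejection of bad input (ParseError) and any other exception, which is the "observable fault" you would then take to a debugger.

```python
"""Added example: a minimal coverage-guided mutation fuzzer. Not from the
thread and not a real tool (AFL, libFuzzer, ...); the target format, the
bug and all names are constructed for this example."""
import random
import sys


class ParseError(Exception):
    """The parser's expected rejection of malformed input; not a bug."""


def parse_record(data: bytes) -> dict:
    """Toy format: b'FZ' | version byte (1) | length | body[length] | crc byte
    (crc present only when body[0] has its high bit set).

    Bug: when the body ends the input exactly, the crc read is one byte past
    the end and raises IndexError instead of ParseError.
    """
    if len(data) < 4 or data[:2] != b"FZ":
        raise ParseError("bad magic")
    if data[2] != 1:
        raise ParseError("unsupported version")
    length = data[3]
    body = data[4:4 + length]
    if len(body) != length:
        raise ParseError("truncated body")
    if length and body[0] & 0x80:
        crc = data[4 + length]              # off-by-one: no bounds check
        return {"flags": body[0], "body": body, "crc": crc}
    return {"flags": 0, "body": body}


def run_with_coverage(data: bytes):
    """Run the parser once; return (exception or None, executed line numbers).

    sys.settrace gives line coverage of parse_record only. Real fuzzers get
    the same signal from compile-time instrumentation.
    """
    target = parse_record.__code__
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is not target:
            return None                     # do not trace anything else
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        parse_record(data)
        exc = None
    except Exception as e:                  # ParseError and real faults alike
        exc = e
    finally:
        sys.settrace(None)
    return exc, frozenset(executed)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: bit flip, overwrite, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seeds, iterations: int = 50_000, seed: int = 1):
    """Coverage-guided loop; returns (crashing input, exception) or (None, None).

    Inputs that execute a line not seen before join the corpus, so later
    mutations build on inputs that already got deeper into the parser.
    """
    rng = random.Random(seed)
    corpus = list(seeds)
    seen = set()
    for s in corpus:
        seen |= run_with_coverage(s)[1]
    for _ in range(iterations):
        child = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):        # stack 1 to 3 mutations
            child = mutate(child, rng)
        exc, cov = run_with_coverage(child)
        if exc is not None and not isinstance(exc, ParseError):
            return child, exc                        # observable fault
        if cov - seen:                               # new coverage: keep it
            seen |= cov
            corpus.append(child)
    return None, None


if __name__ == "__main__":
    crash, exc = fuzz([b"FZ\x01\x00", b"FZ\x01\x02\x00\x00"])
    print("crashing input:", crash, "->", repr(exc))
```

Without the coverage feedback the loop would still find this particular bug, because it is shallow; the feedback matters when a fault sits behind several checks, since each check passed adds an input to the corpus and the next mutation starts from there rather than from scratch. The crash returned by `fuzz` reproduces deterministically by calling `parse_record` on it, which is the "repeat the process under a debugger" step.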
[cryptography] Key escrow 2012
(Nod to the rest of what you said)

On 03/25/2012 11:45 AM, Benjamin Kreuter wrote:
> The US government still wants a system where encrypted communications can be arbitrarily decrypted, they just dress up the argument and avoid using dirty words like key escrow.

Aside from the deep moral and constitutional problems it poses, does anyone think the US Govt could have that even from a practical perspective?

* Some of the largest supercomputers in the world are botnets or are held by strategic competitor countries. This precludes the old key shortening trick.

* The Sony PS3 and HDMI cases show just how hard it can be to keep a master key secure sometimes. Master keys could be quite well protected, but from a policy perspective it's still a gamble that something won't go wrong which compromises everyone's real security (cause a public scandal, expose industrial secrets, etc.).

* Am I correct in thinking that computing additional trapdoor functions to enable USG/TLA/LEA decryption is not free? Mobile devices are becoming the primary computing devices for many. People may be willing to pay XX% in taxes, but nobody wants to pay a decrease in performance and battery life to enable such a misfeature.

- Marsh
Re: [cryptography] Key escrow 2012
On Sun, Mar 25, 2012 at 10:55 PM, Marsh Ray ma...@extendedsubset.com wrote:
> On 03/25/2012 11:45 AM, Benjamin Kreuter wrote:
>> The US government still wants a

No, probably parts of it: the ones that don't have to think of the big picture. The U.S. government is not monolithic. The NSA has shown a number of times that they are interested in strong civilian cryptography for reasons of... national security. In a battle between law enforcement and national security the latter has to win.

>> system where encrypted communications can be arbitrarily decrypted, they just dress up the argument and avoid using dirty words like key escrow.
>
> Aside from the deep moral and constitutional problems it poses, does anyone think the US Govt could have that even from a practical perspective?
>
> * Some of the largest supercomputers in the world are botnets or are held by strategic competitor countries. This precludes the old key shortening trick.
>
> * The Sony PS3 and HDMI cases show just how hard it can be to keep a master key secure sometimes. Master keys could be quite well protected, but from a policy perspective it's still a gamble that something won't go wrong which compromises everyone's real security (cause a public scandal, expose industrial secrets, etc.).

Key escrow == gigantic SPOF. Even if you split the escrow across several agencies and don't use a single master key, it's still concentrating systemic failure potential into too few points. To build a single point of catastrophic failure into one's economic infrastructure is one of the biggest strategic blunders I can imagine (obviously there's worse, such as simply surrendering when one clearly has the upper hand, say). Back in the early 90s this probably wasn't as clear as it is today.

> * Am I correct in thinking that computing additional trapdoor functions to enable USG/TLA/LEA decryption is not free? Mobile devices are becoming the primary computing devices for many. People may be willing to pay XX% in taxes, but nobody wants to pay a decrease in performance and battery life to enable such a misfeature.

Most users already pay heavy battery/performance taxes in the form of uninstallable adware built into their devices. The vendors might be the ones to object then, since they might have to stop shipping such software. But ultimately this argument depends on how heavy a burden the users end up feeling.

For my money the winning argument is the strategic idiocy/insanity of unnecessary SPOFs. Who wants to ever even think of saying to the POTUS "Mr. President, we have a mole, they've stolen the codes for our civilian networks and they've shut them down from the people's sheer fear of financial and other losses. It will take months to re-key everything and in the meantime we'll lose X% of GDP. The stock and bond markets have crashed." As time passes X will tend to increase in the event of such a catastrophe. The higher that percentage the more crippling the attack, with derivatives losses becoming overwhelming at small values of X. It could get worse: "Mr. President, we can't even re-key without changing all these hardware dongles that are manufactured by the enemy, who's now not selling them to us."

If the point of key escrow is to make law enforcement easier then there are much simpler non-cryptographic solutions -- not ones to your taste or mine perhaps, but certainly ones that don't involve strategic SPOFs.

I'm with you: key escrow is necessarily a dead letter, at least for the time being and the foreseeable future.

Nico