Re: [cryptography] 100 Gbps line rate encryption
On 6/22/13 8:24 PM, Greg Rose wrote: On Jun 22, 2013, at 15:31 , James A. Donald jam...@echeque.com wrote: On 2013-06-23 6:47 AM, Peter Maxwell wrote: I think Bernstein's Salsa20 is faster and significantly more secure than RC4, whether you'll be able to design hardware to run at line-speed is somewhat more questionable though (would be interested to know if it's possible right enough). I would be surprised if it is faster. Be surprised, then... almost all of the recent word- or block- oriented stream ciphers are faster than RC4. And NOTHING should still be using RC4; by today's standards it is quite insecure. So I spent some (much too much) time reading old PPP archives on our earlier discussions selecting an algorithm. Sadly, 3DES was chosen, but rarely implemented. I cobbled together a draft based on old discussion for ARC4. It surely needs more work. Although (as you mention) that's old stuff, it has the advantage of having running code in most existing systems, and could be rolled out quickly on high speed connections. http://tools.ietf.org/html/draft-simpson-ppp-arc4-00 I was attempting a draft for Salsa20, then discovered there's a successor called ChaCha. Since I didn't also have enough time to investigate (and it wasn't mentioned here), I held off pushing out the Salsa20 draft. But I'd like to have something more modern in the pipeline. Please discuss. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] 100 Gbps line rate encryption
On Tue, Jul 16, 2013 at 03:23:01AM -0400, William Allen Simpson wrote: On 6/22/13 8:24 PM, Greg Rose wrote: On Jun 22, 2013, at 15:31 , James A. Donald jam...@echeque.com wrote: On 2013-06-23 6:47 AM, Peter Maxwell wrote: I think Bernstein's Salsa20 is faster and significantly more secure than RC4, whether you'll be able to design hardware to run at line-speed is somewhat more questionable though (would be interested to know if it's possible right enough). I would be surprised if it is faster. Be surprised, then... almost all of the recent word- or block- oriented stream ciphers are faster than RC4. And NOTHING should still be using RC4; by today's standards it is quite insecure. So I spent some (much too much) time reading old PPP archives on our earlier discussions selecting an algorithm. Sadly, 3DES was chosen, but rarely implemented. I cobbled together a draft based on old discussion for ARC4. It surely needs more work. Although (as you mention) that's old stuff, it has the advantage of having running code in most existing systems, and could be rolled out quickly on high speed connections. http://tools.ietf.org/html/draft-simpson-ppp-arc4-00 If you're really going to publish a new RFC -- even an Experimental one -- using RC4, you should really use RC4-drop-N. For even moderately sized packets and reasonable values of N, if you effectively rekey every packet, you will end up wasting 25-50% of the throughput of the system. Conclusion: RC4 is particularly poorly suited for this application in the modern day. Thor ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] 100 Gbps line rate encryption
William Allen Simpson william.allen.simp...@gmail.com wrote: A quick question: what are our current options for 100 Gbps line rate encryption? Are we still using variants of ARC4? The European Union's Estream contest gave two small portfolios of ciphers, four for software implementation and three for hardware. That is the first place I'd look. http://www.ecrypt.eu.org/stream/index.html -- Who put a stop payment on my reality check? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] 100 Gbps line rate encryption
The use of RC4 should be avoided even with the drop-N due to biases that occur later in the key stream. You should also be extremely careful about mixing IVs with the key. At a minimum you ought to use a modern cryptographic hash function -- there's no evidence that repeating key setup is sufficient to prevent correlations. http://www.isg.rhul.ac.uk/tls/RC4biases.pdf In summary, don't use RC4. Don't use it carelessly with IVs. And don't use RC4. Consider using Salsa20 instead. Matt On Jul 16, 2013, at 10:43 AM, Thor Lancelot Simon t...@panix.com wrote: On Tue, Jul 16, 2013 at 03:23:01AM -0400, William Allen Simpson wrote: On 6/22/13 8:24 PM, Greg Rose wrote: On Jun 22, 2013, at 15:31 , James A. Donald jam...@echeque.com wrote: On 2013-06-23 6:47 AM, Peter Maxwell wrote: I think Bernstein's Salsa20 is faster and significantly more secure than RC4, whether you'll be able to design hardware to run at line-speed is somewhat more questionable though (would be interested to know if it's possible right enough). I would be surprised if it is faster. Be surprised, then... almost all of the recent word- or block- oriented stream ciphers are faster than RC4. And NOTHING should still be using RC4; by today's standards it is quite insecure. So I spent some (much too much) time reading old PPP archives on our earlier discussions selecting an algorithm. Sadly, 3DES was chosen, but rarely implemented. I cobbled together a draft based on old discussion for ARC4. It surely needs more work. Although (as you mention) that's old stuff, it has the advantage of having running code in most existing systems, and could be rolled out quickly on high speed connections. http://tools.ietf.org/html/draft-simpson-ppp-arc4-00 If you're really going to publish a new RFC -- even an Experimental one -- using RC4, you should really use RC4-drop-N. For even moderately sized packets and reasonable values of N, if you effectively rekey every packet, you will end up wasting 25-50% of the throughput of the system. Conclusion: RC4 is particularly poorly suited for this application in the modern day. Thor ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Message
-BEGIN PGP MESSAGE- Version: PGP Desktop 9.6.3 (Build 3017) qANQR1DDDQQJAwIXvi8KsWclFpDScQE+4jMr/vUA6S04zV34wNYWizM9us1RAST3 sBEzlFcdRswogIGk52rTgpSi1gPQiOOcHWLWxmbf4NENBkiW1SEtv1qEAG87L+Ir kLJbnxerzrQiRNbH06h6EwNzNDMvL8/yjFdHaaf5P/JSR7JvHDys =C7n+ -END PGP MESSAGE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Message
Cool message bro On Tue, Jul 16, 2013 at 10:27 AM, John Young j...@pipeline.com wrote: -BEGIN PGP MESSAGE- Version: PGP Desktop 9.6.3 (Build 3017) qANQR1DDDQQJAwIXvi8KsWclFpDScQ**E+4jMr/**vUA6S04zV34wNYWizM9us1RAST3 sBEzlFcdRswogIGk52rTgpSi1gPQiO**OcHWLWxmbf4NENBkiW1SEtv1qEAG87**L+Ir kLJbnxerzrQiRNbH06h6EwNzNDMvL8**/yjFdHaaf5P/JSR7JvHDys =C7n+ -END PGP MESSAGE- __**_ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/**mailman/listinfo/cryptographyhttp://lists.randombit.net/mailman/listinfo/cryptography -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Message
On Tue, Jul 16, 2013 at 10:27 AM, John Young j...@pipeline.com wrote: -BEGIN PGP MESSAGE- ... -END PGP MESSAGE- you know you can use openssl for symmetric encryption, right John? ;) [NSA can neither confirm nor deny it received your message...] ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger
On Tue, Jul 16, 2013 at 5:04 AM, coderman coder...@gmail.com wrote: ... in short: rather than considering just one or another type of attack, these agencies should be assumed to be using all of them with the exploit method tailored to the particular access needs and target difficulty of every tasking. From In his own words: Confessions of a cyber warrior (http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-66), page 3: QUOTES Grimes [Interviewer]: How many exploits does your unit have access to? Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems. Grimes [Interviewer]: Is most of it zero-days? Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface. /QUOTE ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] New Bletchley Park and Ethics of Cyber Warfare
http://cryptome.org/2013/07/bletchley-cyberwar-ethics.htm ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography