Re: [Cryptography] prism-proof email in the degenerate case

On Thu, Oct 10, 2013 at 04:22:50PM -0400, Jerry Leichter wrote: On Oct 10, 2013, at 11:58 AM, R. Hirschfeld r...@unipay.nl wrote: Very silly but trivial to implement so I went ahead and did so: To send a prism-proof email, encrypt it for your recipient and send it to

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

On Sat, Oct 05, 2013 at 09:29:05PM -0400, John Kelsey wrote: One thing that seems clear to me: When you talk about algorithm flexibility in a protocol or product, most people think you are talking about the ability to add algorithms. Really, you are talking more about the ability to *remove*

Re: [Cryptography] AES-256- More NIST-y? paranoia

On Mon, Oct 07, 2013 at 11:45:56AM -0400, Arnold Reinhold wrote: If we are going to always use a construction like AES(KDF(key)), as Nico suggests, why not go further and use a KDF with variable length output like Keccak to replace the AES key schedule? And instead of Note, btw, that Keccak is

Re: [Cryptography] AES-256- More NIST-y? paranoia

On Fri, Oct 4, 2013 at 11:20 AM, Ray Dillinger b...@sonic.net wrote: So, it seems that instead of AES256(key) the cipher in practice should be AES256(SHA256(key)). More like: use a KDF and separate keys (obtained by applying a KDF to a root key) for separate but related purposes. For example,

Re: [Cryptography] The hypothetical random number generator backdoor

On Sep 25, 2013 8:06 AM, John Kelsey crypto@gmail.com wrote: On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker hal...@gmail.com wrote: Either way, the question is how to stop this side channel attack. One simple way would be to encrypt the nonces from the RNG under a secret key

Re: [Cryptography] [cryptography] very little is missing for working BTNS in Openswan

On Mon, Sep 09, 2013 at 10:25:03AM +0200, Eugen Leitl wrote: Just got word from an Openswan developer: To my knowledge, we never finished implementing the BTNS mode. It wouldn't be hard to do --- it's mostly just conditionally commenting out code. There's obviously a large potential

Re: [Cryptography] Killing two IV related birds with one stone

On Wed, Sep 11, 2013 at 06:51:16PM -0400, Perry E. Metzger wrote: It occurs to me that specifying IVs for CBC mode in protocols like IPsec, TLS, etc. be generated by using a block cipher in counter mode and that the IVs be implicit rather than transmitted kills two birds with one stone. The

Re: [Cryptography] Summary of the discussion so far

On Wed, Sep 11, 2013 at 04:03:44PM -0700, Nemo wrote: Phillip Hallam-Baker hal...@gmail.com writes: I have attempted to produce a summary of the discussion so far for use as a requirements document for the PRISM-PROOF email scheme. This is now available as an Internet draft.

Re: [Cryptography] [cryptography] very little is missing for working BTNS in Openswan

active attacks, then you can get BTNS with minimal effort. This is quite true. At least some times we need to care about active attacks. On Thu, 12 Sep 2013, Nico Williams wrote: Note: you don't just want BTNS, you also want RFC5660 -- IPsec channels. You also want to define a channel binding