OK how about this:
If a person at Snowden's level in the NSA had any access to information
that indicated the existence of any program which involved the successful
cryptanalysis of any cipher regarded as 'strong' by this community then the
Director of National Intelligence, the Director of the
I hate to ask this yet again, but:
Please, please, please don't top post.
Please, please, please edit down your replies.
If your mobile device, say, doesn't let you do otherwise, it can
probably wait half an hour until you get to a machine with a keyboard.
--
Perry E. Metzger
On Thu, Sep 5, 2013 at 4:57 PM, Perry E. Metzger pe...@piermont.com wrote:
On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger
pe...@piermont.com wrote:
Anyone recognize the standard?
Please say it aloud. (I personally don't recognize the standard
offhand, but my memory is poor that
On 09/05/2013 01:57 PM, Perry E. Metzger wrote:
and am not sure which international group is being mentioned.
ISO. Not that that narrows it down much.
Eric
___
The cryptography mailing list
cryptography@metzdowd.com
On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote:
I would bet that there is more than enough DES traffic to be worth
attack
and probably quite a bit on IDEA as well. There is probably even some 40
and 64 bit crypto in use.
Indeed -- would you (or any of us) guess that NSA could break TDES
The NYT article is pretty informative:
(http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)
Because strong encryption can be so effective, classified N.S.A.
documents make clear, the agency’s success depends on working with
Internet companies — by getting their
First, I don't think it has anything to do with Dual EC DRBG. Who uses it?
My impression is that most of the encryption that fits what's in the article is
TLS/SSL. That is what secures most encrypted content going online. The easy
way to compromise that in a passive attack is to compromise
What surprises me is that anyone is surprised. If you believed
OpenBSD's Theo de Raadt and Gregory Perry back in late 2010, various
government agencies (in this specific case the FBI- though one wonders
if they were the originating agency) have been
On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey crypto@gmail.com
wrote:
First, I don't think it has anything to do with Dual EC DRBG. Who
uses it?
It did *seem* to match the particular part of the story about a
subverted standard that was complained about by Microsoft
researchers. I would
I would like to open the floor to *informed speculation* about
BULLRUN.
Informed speculation means intelligent, technical ideas about what
has been done. It does not mean wild conspiracy theories and the
like. I will be instructing the moderators (yes, I have help these
days) to ruthlessly prune
On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger
pe...@piermont.com wrote:
Classified N.S.A. memos appear to confirm that the fatal
weakness, discovered by two Microsoft cryptographers in 2007, was
engineered by the agency. The N.S.A. wrote the standard and
aggressively pushed it on the
Quoting:
US and British intelligence agencies have successfully cracked
much of the online encryption relied upon by hundreds of millions
of people to protect the privacy of their personal data, online
transactions and emails, according to top-secret documents
revealed by
On Thu, 05 Sep 2013 13:33:48 -0700 Eric Murray er...@lne.com wrote:
The NYT article is pretty informative:
(http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)
[...]
Also interesting:
Cryptographers have long suspected that the agency planted
vulnerabilities in a
On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger
pe...@piermont.com wrote:
I would like to open the floor to *informed speculation* about
BULLRUN.
Here are a few guesses from me:
1) I would not be surprised if it turned out that some people working
for some vendors have made code and
On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger pe...@piermont.com wrote:
I would like to open the floor to *informed speculation* about
BULLRUN.
Informed speculation means intelligent, technical ideas about what
has been done. It does not mean wild conspiracy theories and the
like. I will
Quite worth reading. There is some speculation in there about various
weaknesses that may have been added as well.
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
--
Perry E. Metzger pe...@piermont.com
On 2013-09-04 13:12:21 +0200 (+0200), Ilja Schmelzer wrote:
There is already a large community of quite average users which use
Torchat, which uses onion addresses as IDs, which are 512-bit hashes if
I remember correctly.
Typical ways of communication in this community are look for my
Aloha!
Stephan Neuhaus wrote:
On 2013-09-04 16:37, Perry E. Metzger wrote:
Phil Karn described a construction for turning any hash function
into the core of a Feistel cipher in 1991. So far as I can tell,
such ciphers are actually quite secure,
On Wed, Sep 4, 2013 at 3:54 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
On Sep 4, 2013, at 2:15 PM, Andy Steingruebl stein...@gmail.com wrote:
As of Jan-2014 CAs are forbidden from issuing/signing anything less than
2048 certs.
For some value of forbidden. :-)
This is why you're seeing
On Sep 4, 2013, at 2:15 PM, Andy Steingruebl stein...@gmail.com wrote:
As of Jan-2014 CAs are forbidden from issuing/signing anything less than 2048
certs.
For some value of forbidden. :-)
--Paul Hoffman
Quoting:
The National Security Agency is winning its long-running secret
war on encryption, using supercomputers, technical trickery,
court orders and behind-the-scenes persuasion to undermine the
major tools protecting the privacy of everyday communications in
the Internet age,
On Thu, Sep 5, 2013 at 4:41 PM, Perry E. Metzger pe...@piermont.com wrote:
On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger
pe...@piermont.com wrote:
I would like to open the floor to *informed speculation* about
BULLRUN.
Here are a few guesses from me:
1) I would not be surprised if
Aloha!
Jerry Leichter wrote:
On Sep 1, 2013, at 2:11 PM, Perry E. Metzger wrote:
On Sun, 1 Sep 2013 07:11:06 -0400 Jerry Leichter
leich...@lrw.com wrote:
Meanwhile, just what evidence do we really have that AES is
secure?
The fact that the
On Thu, 05 Sep 2013 16:43:59 -0400 Bernie Cosell
ber...@fantasyfarm.com wrote:
On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote:
I would bet that there is more than enough DES traffic to be worth
attack
and probably quite a bit on IDEA as well. There is probably even
some 40 and 64
In this posting:
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Bruce Schneier casts some doubt on the use of ECC
5) Try to use public-domain encryption that has to be compatible
with other implementations. For example, it's harder for the NSA to
Bruce Schneier explains the Dual_EC_DRBG attack:
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
Hi all,
If you read the articles carefully, you'll note that at no point does the
NSA appear to have actually broken the *cryptography* in use. It's hard to
get concrete details from such vague writing and no access to the
original documents, but it sounds like they've mostly gotten a lot
On Sep 5, 2013, at 4:09 PM, Perry E. Metzger pe...@piermont.com wrote:
Now, this certainly was a problem for the random number generator
standard, but is it an actual worry in other contexts? I tend not to
believe that but I'm curious about
I don't have any hard information or even any speculation about
BULLRUN, but I have an observation and a question:
Traditionally it has been very hard to exploit a break without
giving away the fact that you've broken in. So there are two
fairly impressive parts to the recent reports: (a)
On Thu, 05 Sep 2013 16:56:38 -0700 John Denker j...@av8n.com wrote:
The generator can
be easily tested for correct behavior if it is simply a block
cipher.
I wouldn't have said that.
As Dijkstra was fond of saying:
Testing can show the presence of bugs;
testing can never show
[This drifts from the thread topic; feel free to attach a different subject
line to it]
On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote:
3) I would not be surprised if random number generator problems in a
variety of equipment and software were not a very obvious target,
whether those
On Sep 5, 2013, at 7:14 PM, John Kelsey wrote:
My broader question is, how the hell did a sysadmin in Hawaii get hold of
something that had to be super secret? He must have been stealing files from
some very high ranking people.
This has bothered me from the beginning. Even the first
On Thu, 5 Sep 2013 20:30:40 -0400 Jerry Leichter leich...@lrw.com
wrote:
On Sep 5, 2013, at 7:14 PM, John Kelsey wrote:
My broader question is, how the hell did a sysadmin in Hawaii get
hold of something that had to be super secret? He must have been
stealing files from some very high
On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Perry E. Metzger pe...@piermont.com writes:
I would like to open the floor to *informed speculation* about
BULLRUN.
Not informed since I don't work for them, but a connect-the-dots:
1. ECDSA/ECDH (and DLP
John Denker j...@av8n.com writes:
To say the same thing the other way, I was always amazed that the Nazis were
unable to figure out that their crypto was broken during WWII. There were
experiments they could have done, such as sending out a few U-boats under
strict radio silence and comparing
Consider the Suite B set of algorithms:
AES-GCM
AES-GMAC
IEEE Elliptic Curves (256, 384, and 521-bit)
Traditionally, people were pretty confident in these. How are people's
confidence in them now?
Curious,
(first-time caller) Dan McD.
BULLRUN seems to be just an overarching name for several wide programs
to obtain plaintext of passively encrypted internet communications by
many different methods.
While there seem to be many non-cryptographic attacks included in the
BULLRUN program, of particular interest is the
Perry E. Metzger pe...@piermont.com writes:
I would like to open the floor to *informed speculation* about BULLRUN.
Not informed since I don't work for them, but a connect-the-dots:
1. ECDSA/ECDH (and DLP algorithms in general) are incredibly brittle unless
you get everything absolutely
Sent from my difference engine
On Sep 5, 2013, at 9:22 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
John Denker j...@av8n.com writes:
To say the same thing the other way, I was always amazed that the Nazis were
unable to figure out that their crypto was broken during WWII. There were
Perry E. Metzger pe...@piermont.com writes:
I can think of no circumstances where I would voluntarily use LDAP as the
solution to any problem of any sort.
Our direct competitor has asked us to recommend a technology for whatever it
is that LDAP is meant to be the solution for. What should we
[Apparently a pile of my mail got dropped, the following few messages are
re-sends]
The Doctor dr...@virtadpt.net writes:
It might be a reasonable way of protecting PGP key information in DNS records
so that someone doesn't try inserting their own when it's looked up.
And that's the problem
John Kelsey crypto@gmail.com writes:
If I had to bet, I'd bet on bad rngs as the most likely source of a
breakthrough in decrypting lots of encrypted traffic from different sources.
If I had to bet, I'd bet on anything but the crypto. Why attack when you can
bypass [1].
Peter.
[1] From
Phillip Hallam-Baker hal...@gmail.com writes:
To backup the key we tell the device to print out the escrow data on paper.
Let us imagine that there is a single sheet of paper which is cut into
six parts as follows:
You read my mind :-). I suggested more or less this to a commercial
On Thursday, September 5, 2013, Jerry Leichter wrote:
[This drifts from the thread topic; feel free to attach a different
subject line to it]
On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote:
3) I would not be surprised if random number generator problems in a
variety of equipment and
Perry E. Metzger pe...@piermont.com writes:
At the very least, anyone whining at a standards meeting from now on that
they don't want to implement a security fix because it isn't important to
the user experience or adds minuscule delays to an initial connection or
whatever should be viewed with
In message 52291a36.9070...@av8n.com, John Denker j...@av8n.com
writes
To say the same thing the other way, I was always amazed that the
Nazis were unable to figure out that their crypto was broken during
WWII. There were experiments they could
On Fri, 06 Sep 2013 13:50:54 +1200 Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Perry E. Metzger pe...@piermont.com writes:
Does that make them NSA plants? There's drafts for one or
two more fairly basic fixes to significant problems from other
people that get stalled forever, while the
On Sep 5, 2013, at 6:16 PM, Dan McDonald dan...@kebe.com wrote:
Consider the Suite B set of algorithms:
AES-GCM
AES-GMAC
IEEE Elliptic Curves (256, 384, and 521-bit)
Traditionally, people were pretty confident in these.
On Thu, Sep 5, 2013 at 9:18 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
To say the same thing the other way, I was always amazed that the Nazis
were
unable to figure out that their crypto was broken during WWII. There were
experiments they could have done, such as sending out a few
On Sep 5, 2013, at 7:15 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Jon Callas j...@callas.org writes:
My opinion about GCM and GMAC has not changed. I've never been a fan.
Same here. AES is, as far as we know, pretty secure, so any
On Sep 5, 2013, at 7:01 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Perry E. Metzger pe...@piermont.com writes:
I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
that you're thinking of?
It's not just
Jon Callas j...@callas.org writes:
My opinion about GCM and GMAC has not changed. I've never been a fan.
Same here. AES is, as far as we know, pretty secure, so any problems are
going to arise in how AES is used. AES-CBC wrapped in HMAC is about as solid
as you can get. AES-GCM is a design or
The actual documents - some of which the Times published with few redactions -
are worthy of a close look, as they contain information beyond what the
reporters decided to put into the main story. For example, at
Jon Callas j...@callas.org writes:
How do you feel (heh, I typoed that as feal) about the other AEAD modes?
If it's not a stream cipher and doesn't fail catastrophically with IV reuse
then it's probably as good as any other mode. Problem is that at the moment
modes like AES-CTR are being
On Sep 5, 2013, at 7:31 PM, Jerry Leichter leich...@lrw.com wrote:
Another interesting goal: Shape worldwide commercial cryptography
marketplace to make it more tractable to advanced cryptanalytic capabilities
being developed by NSA/CSS.
On Sep 5, 2013, at 10:19 PM, Jon Callas wrote:
I don't disagree by any means, but I've been through brittleness with both
discrete log and RSA, and it seems like only a month ago that people were
screeching to get off RSA over to ECC to avert the cryptocalypse. And that
the ostensible
Another interesting goal: Shape worldwide commercial cryptography
marketplace to make it more tractable to advanced cryptanalytic capabilities
being developed by NSA/CSS. ... This makes any NSA recommendation
*extremely* suspect. As far as I can see, the bit push NSA is making these
On Sep 5, 2013, at 8:02 PM, Jerry Leichter leich...@lrw.com wrote:
Perhaps it's time to move away from public-key entirely! We have a classic
paper - Needham and Schroeder, maybe? - showing that private key can do
anything public key can; it's
On 8/25/13 at 8:32 PM, leich...@lrw.com (Jerry Leichter) wrote:
*The* biggest headache is HTTP support. Even the simplest
modern HTTP server is so complex you can never be reasonably
sure it's secure (though, granted, it's simpler than a
browser!) You'd want to stay simple and primitive.
On Thu, 5 Sep 2013 23:24:54 -0400 Jerry Leichter leich...@lrw.com
wrote:
They want to buy COTS because it's much cheaper, and COTS is based on
standards. So they have two contradictory constraints: They want
the stuff they buy secure, but they want to be able to break in to
exactly the same
On Sep 5, 2013, at 8:24 PM, Jerry Leichter leich...@lrw.com wrote:
Another interesting goal: Shape worldwide commercial cryptography
marketplace to make it more tractable to advanced cryptanalytic
capabilities being developed by NSA/CSS. ...
On Sep 5, 2013, at 9:33 PM, Perry E. Metzger pe...@piermont.com wrote:
It is probably very difficult, possibly impossible in practice, to
backdoor a symmetric cipher. For evidence, I direct you to this old
paper by Blaze, Feigenbaum and
The following is from a similar list in Europe. Think this echoes much on this
list but has an interesting twist about PFS cipher suites.
Begin forwarded message:
From: Paterson, Kenny [kenny.pater...@rhul.ac.uk]
Sent: Friday, September 06, 2013 12:03