I don't see what problem would actually be solved by dropping public key crypto
in favor of symmetric only designs. I mean, if the problem is that all public
key systems are broken, then yeah, we will have to do something else. But if
the problem is bad key generation or bad implementations,
Sent from my iPad
On Sep 3, 2013, at 6:06 PM, Jerry Leichter leich...@lrw.com wrote:
On Sep 3, 2013, at 3:16 PM, Faré fah...@gmail.com wrote:
Can't you trivially transform a hash into a PRNG, a PRNG into a
cypher, and vice versa?
No.
hash-PRNG: append blocks that are digest (seed ++
...
Let H(X) = SHA-512(X) || SHA-512(X)
where '||' is concatenation. Assuming SHA-512 is a cryptographically secure
hash H trivially is as well. (Nothing in the definition of a cryptographic
hash function says anything about minimality.) But H(X) is clearly not
useful for producing a
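The counterexample above, as an added illustration written for this page (not code from either poster): a naive hash-to-PRNG construction that emits h(seed || counter), run once with SHA-512 and once with H(X) = SHA-512(X) || SHA-512(X). H inherits SHA-512's collision and preimage resistance, but every block it emits is two identical halves, and a two-line distinguisher separates the stream from random. The counter-mode construction and the distinguisher are assumptions of mine; the thread does not spell out either.

```python
import hashlib
import os


def sha512(x: bytes) -> bytes:
    return hashlib.sha512(x).digest()


def doubled_sha512(x: bytes) -> bytes:
    # H(X) = SHA-512(X) || SHA-512(X): as collision- and preimage-resistant
    # as SHA-512, yet every digest consists of two identical 64-byte halves.
    d = sha512(x)
    return d + d


def hash_prng(h, seed: bytes, nblocks: int) -> bytes:
    # Naive hash-to-PRNG (an assumed construction, not the poster's):
    # output h(seed || counter) for counter = 0, 1, 2, ...
    return b"".join(h(seed + i.to_bytes(8, "big")) for i in range(nblocks))


def halves_always_match(stream: bytes, blocklen: int) -> bool:
    # Distinguisher: True if every blocklen-sized output block is made of two
    # identical halves. For a uniformly random stream this is False with
    # overwhelming probability after a single block.
    half = blocklen // 2
    blocks = [stream[i:i + blocklen] for i in range(0, len(stream), blocklen)]
    return all(b[:half] == b[half:] for b in blocks if len(b) == blocklen)


if __name__ == "__main__":
    seed = os.urandom(32)
    print("SHA-512 stream has repeated halves:",
          halves_always_match(hash_prng(sha512, seed, 8), 64))
    print("doubled-SHA-512 stream has repeated halves:",
          halves_always_match(hash_prng(doubled_sha512, seed, 8), 128))
```

The point generalises: a hash is only required to be one-way and collision-resistant, so any structure in its output (here, a trivially detectable repetition) is compatible with the definition but fatal for a PRNG, which must be indistinguishable from uniform.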
On Thu, 5 Sep 2013 21:42:29 -0700 Jon Callas j...@callas.org wrote:
On Sep 5, 2013, at 9:33 PM, Perry E. Metzger pe...@piermont.com
wrote:
It is probably very difficult, possibly impossible in practice, to
backdoor a symmetric cipher. For evidence, I direct you to this
old paper by
On Fri, 6 Sep 2013 01:04:31 -0400 John Kelsey crypto@gmail.com
wrote:
I'm starting to think that I'd probably rather type in the
results of a few dozen die rolls every month in to my critical
servers and let AES or something similar in counter mode do the
rest.
A d20 has a bit
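The entropy arithmetic behind the proposal above, as an added example written for this page (not code from any poster): how many fair die rolls buy a 256-bit seed, how to condense the typed-in rolls without ambiguity, and a counter-mode keystream driven by that seed. The keystream uses HMAC-SHA256 as the PRF, an assumption standing in for the AES-CTR the message mentions, since the standard library has no AES; the single-byte-per-roll encoding is likewise my choice.

```python
import hashlib
import hmac
import math


def entropy_bits(rolls: int, sides: int) -> float:
    # Entropy of `rolls` independent fair throws of a `sides`-sided die.
    return rolls * math.log2(sides)


def rolls_needed(target_bits: int, sides: int) -> int:
    # Smallest number of throws whose joint entropy reaches target_bits.
    return math.ceil(target_bits / math.log2(sides))


def seed_from_rolls(rolls, sides: int) -> bytes:
    # Condense the rolls into a 256-bit seed. Each roll is range-checked and
    # encoded as one byte so that distinct roll sequences never collide on
    # the encoding (concatenating decimal digits would confuse 1,12 with 11,2).
    if sides > 255:
        raise ValueError("encoding assumes at most 255 sides")
    if any(not 1 <= r <= sides for r in rolls):
        raise ValueError("roll out of range for this die")
    encoded = bytes([sides]) + bytes(rolls)
    return hashlib.sha256(encoded).digest()


def counter_mode_keystream(key: bytes, nbytes: int) -> bytes:
    # Counter mode: PRF(key, counter) for counter = 0, 1, 2, ... (assumption:
    # HMAC-SHA256 as the PRF in place of AES).
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(16, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


if __name__ == "__main__":
    # Constructed sample: sixty d20 throws, the number needed for 256 bits.
    rolls = [((7 * i) % 20) + 1 for i in range(60)]
    print("bits per d20 roll:", round(math.log2(20), 2))
    print("rolls needed for 256 bits:", rolls_needed(256, 20))
    print("entropy of sample:", round(entropy_bits(len(rolls), 20), 1))
    key = seed_from_rolls(rolls, 20)
    print("keystream:", counter_mode_keystream(key, 32).hex())
```

A d20 yields log2(20), about 4.32 bits per throw, so 60 throws clear 256 bits; a d6 needs 100. The figures assume the die is fair and the rolls are typed in faithfully, which is the whole point of the exercise.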
On Thu, 5 Sep 2013 22:31:50 -0400 Jerry Leichter leich...@lrw.com
wrote:
For example, at
http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?ref=us&pagewanted=all,
the following goal appears for FY 2013: Complete enabling
for
One solution, preventing passive attacks, is for major browsers
and websites to switch to using PFS ciphersuites (i.e. those
based on ephemeral Diffie-Hellman key exchange).
It occurred to me yesterday that this seems like something all major
service providers should be doing. I'm sure
On 6 Sep 2013, at 01:09, Perry E. Metzger pe...@piermont.com
wrote:
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
….
The Suite B curves were picked some time ago. Maybe they have problems.
….
Now, this certainly was a problem for
On Thu, Sep 05, 2013 at 04:11:57PM -0400, Phillip Hallam-Baker wrote:
If a person at Snowden's level in the NSA had any access to information
Snowden didn't have clearance for that information. He's being described
as 'brilliant' and purportedly was able to access documents far beyond his
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/6/13 8:36 AM, Perry E. Metzger wrote:
One solution, preventing passive attacks, is for major
browsers and websites to switch to using PFS ciphersuites (i.e.
those based on ephemeral Diffie-Hellman key exchange).
It occurred to me yesterday
On Fri, 6 Sep 2013 01:19:10 -0400
John Kelsey crypto@gmail.com wrote:
I don't see what problem would actually be solved by dropping public
key crypto in favor of symmetric only designs. I mean, if the
problem is that all public key systems are broken, then yeah, we will
have to do
Hi,
Same here. AES is, as far as we know, pretty secure, so any problems are
going to arise in how AES is used. AES-CBC wrapped in HMAC is about as solid
as you can get. AES-GCM is a design or coding accident waiting to happen.
But for right now, what options do we have that are actually
On Sep 6, 2013, at 10:03 AM, Perry E. Metzger pe...@piermont.com wrote:
Naively, one could take a picture of the dice and OCR it. However,
one doesn't actually need to OCR the dice -- simply hashing the
pixels from the image will have at least as much entropy if the
position of the dice is
On 5 Sep 2013, at 23:14, Tim Dierks t...@dierks.org wrote:
I believe it is Dual_EC_DRBG. The ProPublica story says:
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered
by two Microsoft cryptographers in 2007, was engineered by the agency. The
N.S.A. wrote the
On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie b...@links.org wrote:
On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com
wrote:
Google is also now (I believe) using PFS on their connections, and
they handle more traffic than anyone. A connection I just made to
It is probably very difficult, possibly impossible in practice, to
backdoor a symmetric cipher. For evidence, I direct you to this old
paper by Blaze, Feigenbaum and Leighton:
http://www.crypto.com/papers/mkcs.pdf
There is also a theorem somewhere (I am forgetting where) that says
Perhaps it's time to move away from public-key entirely! We have a classic
paper - Needham and Schroeder, maybe? - showing that private key can do
anything public key can; it's just more complicated and less efficient.
Not really. The Needham-Schroeder you're thinking of is the essence of
On Sep 6, 2013, at 7:28 AM, Jerry Leichter wrote:
...Much of what you say later in the message is that the way we are using
symmetric-key systems (CA's and such)...
Argh! And this is why I dislike using symmetric and asymmetric to describe
cryptosystems: In English, the distinction is way
On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen
kristian.gjost...@math.ntnu.no wrote:
Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
I mean, who on earth would be daft enough to use the slowest possible
DRBG? If this is the best NSA can do, they are over-hyped.
It's
I have a small amount of raised eyebrow because the greatest bulwark
we have against the SIGINT capabilities of any intelligence agency are
that agency's IA cousins. I don't think that the Suite B curves would
have been intentionally weak. That would be a shock.
Then be shocked, shocked that
Hi,
It would be good to see them abandon RC4 of course, and soon.
In favour of what, exactly? We're out of good ciphersuites.
I thought AES was okay for TLS 1.2? Isn't the issue simply that
Firefox etc. still use TLS 1.0? Note that this was a TLS 1.2
connection.
Firefox has added TLS 1.2
On Sep 6, 2013, at 10:03 AM, Perry E. Metzger wrote:
Naively, one could take a picture of the dice and OCR it. However,
one doesn't actually need to OCR the dice -- simply hashing the
pixels from the image will have at least as much entropy if the
position of the dice is recognizable from
On 06.09.2013 18:20, Peter Saint-Andre wrote:
On 9/6/13 8:36 AM, Perry E. Metzger wrote:
One solution, preventing passive attacks, is for major
browsers and websites to switch to using PFS ciphersuites (i.e.
those based on ephemeral Diffie-Hellman
On 9/6/2013 9:52 AM, Raphaël Jacquot wrote:
To meet today’s PCI DSS crypto standards DHE is not required.
PCI is about credit card fraud. Mastercard/Visa aren't worried that
criminals are storing all your internet purchase transactions with the
hope they can crack it later; if the FBI/NSA want
On 6/09/13 04:50 AM, Peter Gutmann wrote:
Perry E. Metzger pe...@piermont.com writes:
At the very least, anyone whining at a standards meeting from now on that
they don't want to implement a security fix because it isn't important to
the user experience or adds minuscule delays to an initial
On Sep 6, 2013, at 11:37 AM, John Ioannidis wrote:
I'm a lot more worried about FDE (full disk encryption) features on modern
disk drives, for all the obvious reasons.
If you're talking about the FDE features built into disk drives - I don't know
anyone who seriously trusts it. Every secure
On 6 September 2013 18:24, Perry E. Metzger pe...@piermont.com wrote:
On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie b...@links.org wrote:
On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com
wrote:
Google is also now (I believe) using PFS on their connections, and
they
On 2013-09-06 12:31 PM, Jerry Leichter wrote:
Another interesting goal: Shape worldwide commercial cryptography marketplace to make it more tractable to advanced
cryptanalytic capabilities being developed by NSA/CSS. Elsewhere, enabling access and exploiting systems
of interest and inserting
Summary: blog posting claims most of the Tor network is still running
older software that uses 1024 bit Diffie-Hellman.
http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html
I'm not sure how cheap it actually would be to routinely crack DH key
exchanges, but it does seem
I think that any of OCB, CCM, or EAX are preferable from a security
standpoint, but none of them parallelize as well. If you want to do
a lot of encrypted and authenticated high-speed link encryption,
well, there is likely no other answer. It's GCM or nothing.
OCB parallelizes very well in
On 06/09/13 15:36, Perry E. Metzger wrote:
One solution, preventing passive attacks, is for major browsers
and websites to switch to using PFS ciphersuites (i.e. those
based on ephemeral Diffie-Hellman key exchange).
It occurred to me yesterday that this seems like something all major
service
In this oped in the Guardian
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Bruce Schneier writes: Prefer symmetric cryptography over public-key
cryptography. The only reason I can think of is that for public key crypto you
typically use an American (and
On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote:
A response he wrote as part of a discussion at
http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
Q: Could the NSA be intercepting downloads of open-source encryption
software and silently replacing these with
On 6/09/13 11:32 AM, ianG wrote:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
Oops, for those unfamiliar with CAcert's peculiar use of secure
browsing, drop the 's' in the above URL. Then it will securely load.
On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen
kristian.gjost...@math.ntnu.no wrote:
As a co-author of an analysis of Dual-EC-DRBG that did not
emphasize this problem (we only stated that Q had to be chosen at
random; Ferguson & co were right to emphasize this point), I would
like to ask:
On Fri, 6 Sep 2013 18:56:51 +0100 Ben Laurie b...@links.org wrote:
The problem is that there's nothing good [in the way of ciphers]
left for TLS 1.2.
So, lets say in public that the browser vendors have no excuse left
for not going to 1.2.
I hate to be a conspiracy nutter, but it is that kind
A response he wrote as part of a discussion at
http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
Q: Could the NSA be intercepting downloads of open-source encryption software
and silently replacing these with their own versions?
A: (Schneier) Yes, I believe so.
Quoting:
All of this denying and lying results in us not trusting anything
the NSA says, anything the president says about the NSA, or
anything companies say about their involvement with the NSA. We
know secrecy corrupts, and we see that corruption. There's simply
no
ianG i...@iang.org writes:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
How does '(a) Organizations and Conferences' differ from SOP for these sorts
of things?
Peter.
Ralph Holz ralph-cryptometz...@ralphholz.de writes:
But for right now, what options do we have that are actually implemented
somewhere? Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST,
etc.), and I don't see any move towards TLS 1.0.
Quoting:
Google is racing to encrypt the torrents of information that flow
among its data centers around the world, in a bid to thwart
snooping by the NSA as well as the intelligence agencies of foreign
governments, company officials said on Friday.
The move by Google is among the
On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote:
Google is also now (I believe) using PFS on their connections, and
they handle more traffic than anyone. A connection I just made to
https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1,
ECDHE_RSA.
It would be good
On 6/09/13 20:15 PM, Daniel Veditz wrote:
On 9/6/2013 9:52 AM, Raphaël Jacquot wrote:
To meet today’s PCI DSS crypto standards DHE is not required.
PCI is about credit card fraud.
So was SSL ;-) Sorry, couldn't resist...
Mastercard/Visa aren't worried that
criminals are storing all
On 09/05/2013 06:48 PM, Richard Clayton wrote:
so you'd probably fail to observe any background activity that tested
whether this information was plausible or not and then some chance
event would occur that caused someone from Law Enforcement
On 6 September 2013 17:20, Peter Saint-Andre stpe...@stpeter.im wrote:
Is there a handy list of PFS-friendly
ciphersuites that I can communicate to XMPP developers and admins so
they can start upgrading their software and deployments?
Anything with EDH, DHE or ECDHE in the name...
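The rule of thumb just given, turned into a checker as an added example written for this page (not code from the list or from any XMPP project): split a suite name on '-' and '_' and look for an ephemeral key-exchange token. Splitting on both separators makes the same test work on OpenSSL names, IANA names and the "ECDHE_RSA" label browsers print. The sample list is constructed; the token set is exactly the three names from the reply above.

```python
import re

# Key-exchange tokens that mark ephemeral (EC)DH, i.e. forward-secret suites.
EPHEMERAL_KEX = {"ECDHE", "DHE", "EDH"}


def is_pfs(suite: str) -> bool:
    # Static ECDH/DH ("ECDH-RSA-...", "TLS_DH_RSA_...") and anonymous DH
    # ("ADH-...", "TLS_DH_anon_...") contain none of the tokens and are
    # rejected, which is the intended behaviour: the former are not forward
    # secret and the latter are not authenticated.
    tokens = re.split(r"[-_]", suite.strip().upper())
    return any(t in EPHEMERAL_KEX for t in tokens)


def partition(suites):
    # Split a suite list into (forward-secret, not forward-secret).
    pfs = [s for s in suites if is_pfs(s)]
    return pfs, [s for s in suites if s not in pfs]


# Constructed sample mixing OpenSSL, IANA and browser-style names.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA",
    "ECDH-RSA-AES128-SHA",
    "AES256-SHA",
    "RC4-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "ECDHE_RSA",
]

if __name__ == "__main__":
    good, bad = partition(SAMPLE)
    print("forward secret:", good)
    print("not forward secret:", bad)
```

The name check says nothing about the strength of the ephemeral group itself: a DHE suite negotiated with a 1024-bit group is forward secret on paper and still a weak target, so the group size has to be checked on the server side separately.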
Following up on my own posting:
[The NSA] want to buy COTS because it's much cheaper, and COTS is based on
standards. So they have two contradictory constraints: They want the stuff
they buy secure, but they want to be able to break into exactly the same
stuff when anyone else buys it.
On 6/09/13 08:04 AM, John Kelsey wrote:
It is possible Dual EC DRBG had its P and Q values generated to insert a
trapdoor, though I don't think anyone really knows that (except the people who
generated it, but they probably can't prove anything to us at this point).
It's also immensely
we were brought in as consultants to a small client/server startup that wanted to do payment transactions on
their server, they had this technology they called SSL they wanted to use, the result is now
frequently called electronic commerce. The two people at the startup responsible for the
Some interesting nuggets here, including the fact that he explicitly
calls out the existence of NSA's new HUMINT division that infiltrates
corporations for a living.
http://blog.cryptographyengineering.com/2013/09/on-nsa.html
--
Perry E. Metzgerpe...@piermont.com
On 6/09/13 04:44 AM, Peter Gutmann wrote:
John Kelsey crypto@gmail.com writes:
If I had to bet, I'd bet on bad rngs as the most likely source of a
breakthrough in decrypting lots of encrypted traffic from different sources.
If I had to bet, I'd bet on anything but the crypto. Why attack
On 6 September 2013 16:25, Jerry Leichter leich...@lrw.com wrote:
Q: Could the NSA be intercepting downloads of open-source encryption
software and silently replacing these with their own versions?
http://c2.com/cgi/wiki?TheKenThompsonHack
(and many other references)
Right.
Maybe some AES32?
2013/9/7 Perry E. Metzger pe...@piermont.com
Quoting:
Google is racing to encrypt the torrents of information that flow
among its data centers around the world, in a bid to thwart
snooping by the NSA as well as the intelligence agencies of foreign
On Sep 6, 2013, at 11:41 AM, Jack Lloyd ll...@randombit.net wrote:
I think that any of OCB, CCM, or EAX are preferable from a security
standpoint, but none of them parallelize as well. If you want to do
a lot of encrypted and authenticated
PEM == Perry E Metzger pe...@piermont.com writes:
PEM Anyone at a browser vendor resisting the move to 1.2 should be
PEM viewed with deep suspicion.
Is anyone?
NSS has 1.2 now; it is, AIUI, in progress for ff and sm.
Chromium supports it (as of version 29, it seems).
Opera supports 1.2 (at
On 09/06/2013 01:13 PM, Perry E. Metzger wrote:
Google is also now (I believe) using PFS on their connections, and
they handle more traffic than anyone. A connection I just made to
https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1,
On Sep 6, 2013, at 4:42 AM, Jerry Leichter leich...@lrw.com wrote:
Argh! And this is why I dislike using symmetric and asymmetric to
describe cryptosystems: In English, the distinction is way too brittle.
Just a one-letter difference - and
On Sep 6, 2013, at 6:23 AM, Jerry Leichter leich...@lrw.com wrote:
Is such an attack against AES *plausible*? I'd have to say no. But if you
were on the stand as an expert witness and were asked under cross-examination
Is this *possible*?, I
Sadly it seems I need to repeat this:
We've got a very large number of participants on this list, and
volume has gone way up at the moment thanks to current
events. To make the experience pleasant for everyone please:
1) Cut down the original you're quoting to only the relevant portions
to
Quoting:
After disclosures about the National Security Agency’s stealth
campaign to counter Internet privacy protections, a congressman has
proposed legislation that would prohibit the agency from installing
“back doors” into encryption, the electronic scrambling that
protects
...and to add to all that, how about the fact that IPsec was dropped as a 'must
implement' from IPv6 sometime after 2002?
The cryptography mailing list
cryptography@metzdowd.com
On 9/6/2013 1:05 PM, Perry E. Metzger wrote:
I have re-read the NY Times article. It appears to only indicate that
this was *a* standard that was sabotaged, not that it was the only
one. In particular, the Times merely indicates that they can now
confirm that this particular standard was
Q: Could the NSA be intercepting downloads of open-source encryption
software and silently replacing these with their own versions?
Why would they perform the attack only for encryption software? They
could compromise people's laptops by spiking any popular app.
On Fri, Sep 6, 2013 at 5:34 PM, The Doctor dr...@virtadpt.net wrote:
Symmetric cipher RC4 (weak 10/49)
Symmetric key length 128 bits (weak 8/19)
Cert issued by Google, Inc, US SHA-1 with RSA @ 2048 bit (MODERATE 2/6)
First time I've heard of 128-bit symmetric called weak... Sure, RC4
isn't
It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
cooperative endpoint scenario that I've seen discussed in other
forums, prompted by the latest revelations about what NSA has been up to.
But if
As of Jan-2014 CAs are forbidden from issuing/signing anything less than
2048 certs.
For some value of forbidden. :-)
Yeah, just like employees at big companies are forbidden to reveal
how they are collaborating with NSA.
Years ago I heard what happened when George Davida filed a
On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman j...@cs.ru.nl wrote:
In this oped in the Guardian
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Bruce Schneier writes: Prefer symmetric cryptography over public-key
cryptography. The only reason I can
On 26 August 2013 22:43, Perry E. Metzger pe...@piermont.com wrote:
(I would prefer to see hybrid capability systems in such
applications, like Capsicum, though I don't think any such have been
ported to Linux and that's a popular platform for such work.)
FWIW, we're working on a Linux port
On Sep 6, 2013, at 8:22 PM, John Gilmore g...@toad.com wrote:
Speaking as someone who followed the IPSEC IETF standards committee
pretty closely, while leading a group that tried to implement it and
make so usable that it would be used by default throughout the
Internet, I noticed some
On 09/06/2013 08:48 PM, Chris Palmer wrote:
Why would they perform the attack only for encryption software?
They could compromise people's laptops by spiking any popular app.
What is more important to them: A single system, or all of the comms
On 09/06/2013 09:02 PM, Chris Palmer wrote:
First time I've heard of 128-bit symmetric called weak... Sure,
RC4 isn't awesome but they seem to be saying that 128-bit keys per
se are weak.
calomel.org may be erring on the side of weak due to known
On Sep 6, 2013, at 8:58 PM, Jon Callas wrote:
I've long suspected that NSA might want this kind of property for some of
its own systems: In some cases, it completely controls key generation and
distribution, so can make sure the system as fielded only uses good keys.
If the algorithm
The magic of public key crypto is that it gets rid of the key
management problem -- if I'm going to communicate with you with
symmetric crypto, how do I get the keys to you? The pain of it is that
it replaces it with a new set of problems. Those problems include that
the amazing power of
... but I must scream.
http://kebesays.blogspot.com/2013/09/i-have-no-whistle-to-blow-but-i-must.html
FYI, and thanks,
Dan McD.
On 09/07/2013 12:04 AM, Ben Laurie wrote:
On 26 August 2013 22:43, Perry E. Metzger pe...@piermont.com
mailto:pe...@piermont.com wrote:
(I would prefer to see hybrid capability systems in such
applications, like Capsicum, though I don't think any such have been
ported to Linux