minor addenda ... ref:
http://www.garlic.com/~lynn/aadsm19.htm#1 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm19.htm#2 Do You Need a Digital ID?
there are 2nd order implementations of public/private key authentication
business process where keeping the private key private might
now, i've said that all of these comments are within the 3 factor
authentication paradigm ... if you back up a couple paragraphs in the
original postings ... you will find the comments:
given 3-factor authentication:
* something you have
* something you know
* something you are
aka the
| now, i've said that all of these comments are within the 3 factor
| authentication paradigm ... if you back up a couple paragraphs in the
| original postings ... you will find the comments:
|
| given 3-factor authentication:
|
| * something you have
| * something you know
| * something you
Now that the taxing bodies (US states) have learned not to print the
SSN on the mailing label, Illinois has gone further and requires a
state-assigned PIN to file or access your tax information over the
internet. They helpfully provide you the PIN ... on the mailing label.
Jerrold Leichter wrote:
I don't think the 3-factor authentication framework is nearly as well-defined
as people make it out to be.
Here is what I've always taken to be the core distinctions among the three
prongs:
Something you know
Can be copied.
If copied
If it's just HMAC with K = h(m) then it's currently (or just recently)
been discussed on cfrg: http://www.irtf.org/cfrg/, starting here:
http://www1.ietf.org/mail-archive/web/cfrg/current/msg00708.html.
-- Michael
On Mon, 21 Mar 2005 11:56:44 +, Ben Laurie [EMAIL PROTECTED] wrote:
It was
Steven M. Bellovin wrote:
We all understand the need to move to better hash algorithms than SHA1.
At a minimum, people should be switching to SHA256/384/512; arguably,
Whirlpool is the right way to go. The problem is how to get there from
here.
I've been rather continually pinging people,
On Wed, 16 Mar 2005, Russell Nelson wrote:
I've seen Dan Bernstein (and you don't get much
more careful or paranoid about security than Dan) write code like
this:
static char line[999];
len = 0;
len += fmt_ulong(line + len,rp);
len += fmt_str(line + len, , );
len += fmt_ulong(line + len,lp);
Ben Laurie writes:
It was suggested at the SAAG meeting at the Minneapolis IETF that a way
to deal with weakness in hash functions was to create a new hash
function from the old like so:
H'(x)=Random || H(Random || x)
Yes. Suppose we use this for signing. The crucial part is to have
the
On Sun, 20 Mar 2005, Steven M. Bellovin wrote:
Dominated? No, of course not. But a hash function based on discrete
log will be slow enough that no one will use it.
This is simply not true, because we are _not always_ going to sign
megabytes, and SDLH is more than fast enough for sensibly
Steven M. Bellovin [EMAIL PROTECTED] writes:
We all understand the need to move to better hash algorithms than SHA1. At a
minimum, people should be switching to SHA256/384/512; arguably, Whirlpool is
the right way to go. The problem is how to get there from here.
So -- what should we as a
Dan Kaminsky wrote:
Ben,
x can equal either test vector released by Wang, and H(x) will be
identical. With H(x) identical, the rest of the HMAC stays identical too.
This does not appear to be correct - in my construction, i.e. without
padding, then the fact that x and x' differ means that
--- begin forwarded text
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: FSTC-FS/ISAC Survey on Use of Encryption
Date: Tue, 22 Mar 2005 05:16:10 -0600
Colleagues,
FSTC and FS/ISAC have teamed together to conduct a survey on the use of
encryption in the
[Here's where an unconstitutional National ID will get created by the
back door. Do we have anybody in this community who cares? I can't
participate, because I can't travel to Washington for meetings,
because I don't have the proper ID documents. I note that they did
not think to include a
Nicolas Williams wrote:
On Mon, Mar 21, 2005 at 11:56:44AM +, Ben Laurie wrote:
It was suggested at the SAAG meeting at the Minneapolis IETF that a way
to deal with weakness in hash functions was to create a new hash
function from the old like so:
H'(x)=Random || H(Random || x)
Eric
Ken Raeburn wrote:
On Mar 22, 2005, at 11:51, Ben Laurie wrote:
This can be fixed quite easily:
H'(x)=H(H(x || H(x)) || H(x))
Doesn't this take us back to the original problem, by factoring in x
only at the start of hash computations, so H'(x') will generate the same
H(x') and the same internal
Nicolas Williams wrote:
On Tue, Mar 22, 2005 at 05:31:44PM +, Ben Laurie wrote:
Nicolas Williams wrote:
Now that we know that the attack is a differential cryptanalysis where
the attacker has to control the first pair of blocks of the original
message anything that makes it hard for the
On 14/03/05 Adam Fields said:
Given what may or may not be recent ToS changes to the AIM service,
I've recently been looking into encryption plugins for gaim.
If you use jabber, note that the Psi client supports 2-person PGP encrypted
conversations. I sometimes find it useful.
Collision resistance of message digests is affected by the birthday
paradox, but that does not affect pre-image resistance. (correct?)
So can we suggest that for pre-image resistance, the strength of
the SHA-1 algorithm may have been reduced from 160 to 149? Or can
we make some statement like
...
Obviously any bureaucrat with the authority to categorize
something as secret will more or less automatically so stamp
any information that passes through his hands, to inflate his
importance, and thus his job security and prospects for
promotion.
I think a bigger issue here is a sort of
Jerrold Leichter wrote:
That's fine for *describing* the system, and useful for analyzing its usability
or acceptability. But it's not the whole story.
3-factor authentication paradigm obviously doesn't take into account
whether the authentication material is treated as a secret or a
Anne Lynn Wheeler wrote:
3-factor authentication paradigm obviously also doesn't cover whether
the authentication is direct face-to-face or that the relying party is
inferring authentication taking place by the existence of other kinds of
evidence. for instance, a relying party validating a
All hash functions I'm aware of consist of an inner compression function
that hashes a fixed size block of data into a smaller fixed size block
and an outer composition function that applies the inner function
iteratively to the variable length data to be hashed. Essentially you're
proposing a
Charlie Kaufman wrote:
All hash functions I'm aware of consist of an inner compression function
that hashes a fixed size block of data into a smaller fixed size block
and an outer composition function that applies the inner function
iteratively to the variable length data to be hashed. Essentially
--- begin forwarded text
From: Claudio Agostino Ardagna [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 24 Mar 2005 12:24:21 +0100
Subject: [p2p-hackers] REMINDER: CFP - ESORICS 2005: Deadline extension
(April 1)
Reply-To: Peer-to-peer development. [EMAIL PROTECTED]
Sender: [EMAIL
*
DIMACS Workshop on Theft in E-Commerce: Content, Identity, and Service
April 14 - 15, 2005
DIMACS Center, Rutgers University, Piscataway, NJ
Organizers:
Drew Dean, SRI International, [EMAIL PROTECTED]
Blumenthal, Uri wrote:
Ernie Brickell suggested the following construct:
H'(x) = H( H(x) || H(0 || x) )
Like him, I see no reason in going (H(x) || H(0||x) || ... || H(n||x)).
Sorry, I got my parentheses wrong. I meant...
H'(x)=H(H(x || H(0 || x)) || H(0 || x))
or:
H'(x)=H(H(x || H(0 || x)) ||
Whether these various tricks help depends on the technical details of
the attacks found. I hope that the bit twiddling crypto types who are
finding the attacks are going to propose something to fix them.
There are probably cheaper fixes than the 2x or 3x performance loss of
your algorithm down in
Tyler Close has written an anti-phishing tool for the Firefox browser called
the Petname tool. It works with SSL sites, including those with self-signed
certificates, and is available at http://www.waterken.com/user/PetnameTool/.
Mark Stiegler has written an overview of petname systems,
http://online.wsj.com/article_print/0,,SB63038793988394,00.html
The Wall Street Journal
March 24, 2005
PERSONAL JOURNAL
Banks and Online Retailers Lose
Customers to the Fear of ID Theft
By KATHY CHU
DOW JONES NEWSWIRES
March 24, 2005; Page D2
Banks and online retailers are losing
I don't know if it's inappropriate to ask on this list, but regarding
http://www.securescience.net/ciphers/csc2/
Can I get off-list quotes regarding a formal professional review and
possible assistance in the steps taken to establish this cipher into the
review process.
Thank you.
--
Best
Ben,
I believe the fatal flaw here is not the crypto, but losing the ability
to hash a stream without keeping all of it. Both the hashes and HMAC
have this sometimes-vital property.
This can be fixed quite easily:
H'(x)=H(H(x || H(x)) || H(x))
I think this construction doesn't provide any
Really? How does one go about proving the security of a block cipher?
My understanding is that you, and others, perform attacks against it,
and see how it holds up. Many of the very best minds out there
attacked AES, so for your new CS2 cipher to be provably just as
secure as AES-128, all those
Adam Shostack wrote:
Really? How does one go about proving the security of a block cipher?
My understanding is that you, and others, perform attacks against it,
and see how it holds up. Many of the very best minds out there
attacked AES, so for your new CS2 cipher to be provably just as
secure
http://online.wsj.com/article_print/0,,SB45546123985866,00.html
The Wall Street Journal
March 22, 2005
MEDIA MARKETING
Information Incognito
In War on Terror, U.S. Tries
To Make Public Data Secret;
The Almanac Under Wraps?
By ROBERT BLOCK
Staff Reporter of THE WALL STREET JOURNAL
| Really? How does one go about proving the security of a block cipher?
They don't claim that:
This cipher is ... provably just as secure as AES-128.
I can come up with a cipher provably just as secure as AES-128 very quickly
(Actually, based on the paper a while back on many
Ian G writes:
Collision resistance of message digests is affected by the birthday
paradox, but that does not affect pre-image resistance. (correct?)
So can we suggest that for pre-image resistance, the strength of
the SHA-1 algorithm may have been reduced from 160 to 149?
Well, I'm not sure
Jerrold Leichter writes:
They don't claim that:
This cipher is ... provably just as secure as AES-128.
I can come up with a cipher provably just as secure as AES-128 very quickly
Actually, I think Adam is totally right.
Have you looked at their scheme?
| Jerrold Leichter writes:
| They don't claim that:
|
| This cipher is ... provably just as secure as AES-128.
|
| I can come up with a cipher provably just as secure as AES-128 very
quickly
|
| Actually, I think Adam is totally right.
|
| Have you looked at their scheme?
|
Jerrold Leichter wrote:
I can come up with a cipher provably just as secure as AES-128 very quickly
(Actually, based on the paper a while back on many alternative ways to
formulate AES - it had a catchy title something like How Many Ways Can You
Spell AES?, except that I can't find one like
* Adam Back:
Does anyone have info on the cost of sub-ordinate CA cert with a name
space constraint (limited to issue certs on domains which are
sub-domains of a your choice... ie only valid to issue certs on
sub-domains of foo.com).
Is there a technical option to enforce such a policy on
Ian,
The Wang attack does nothing (yet) for second preimages.
The best attack I know of against them refers is in Kelsey and
Schneier's *Second Preimages on n-bit Hash Functions for Much Less than
2^n Work.* It's at: http://eprint.iacr.org/2004/304
Once you cut through the