On 09/05/2013 07:00 PM, Jon Callas wrote:
I don't think they're actively bad, though. For the purpose they were created
for --
parallelizable authenticated encryption -- it serves its purpose. You can have a
decent implementor implement them right in hardware and walk away.
Given some of the
First, DNSSEC does not provide confidentiality. Given that, it's not
clear to me why the NSA would try to stop or slow its deployment.
DNSSEC authenticates keys that can be used to bootstrap
confidentiality. And it does so in a globally distributed, high
performance, high reliability
On 09/06/2013 05:58 PM, Jon Callas wrote:
We know as a mathematical theorem that a block cipher with a back
door *is* a public-key system. It is a very, very, very valuable
thing, and suggests other mathematical secrets about hitherto
unknown ways to make fast, secure public key systems.
At 12:09 PM 9/7/2013, Chris Palmer wrote:
On Sat, Sep 7, 2013 at 1:33 AM, Brian Gladman b...@gladman.plus.com wrote:
Why would they perform the attack only for encryption software? They
could compromise people's laptops by spiking any popular app.
Because NSA and GCHQ are much more
On 2013-09-08 4:36 AM, Ray Dillinger wrote:
But are the standard ECC curves really secure? Schneier sounds like
he's got
some innovative math in his next paper if he thinks he can show that they
aren't.
Schneier cannot show that they are trapdoored, because he does not know
where the magic
Your cryptosystem should be designed with the assumption that an attacker will
record all old ciphertexts and try to break it later. The whole point of
encryption is to make that attack not scary. We can never rule out future
attacks, or secret ones now. But we can move away from marginal
It depends on the encryption scheme used. For a stream cipher (including AES
in counter or OFB mode), this yields the keystream. If someone screws up and
uses the same key and IV twice, you can use knowledge of the first plaintext to
learn the second. For other AES chaining modes, it's less
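The keystream-reuse attack described in this message, worked through as an added example (my code, not from the message or its author). HMAC-SHA256 in counter mode stands in for AES-CTR so the script needs only the Python standard library; the two messages, the key and the IV are constructed. With the same key and IV, XORing the two ciphertexts cancels the keystream and leaves p1 XOR p2, so knowing one plaintext yields the other without touching the key:

```python
import hashlib
import hmac
import os


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = PRF(key, iv || i).

    HMAC-SHA256 stands in for the AES block function (assumption: keep the
    example to the standard library). The reuse flaw is identical: the
    keystream depends only on (key, iv), never on the plaintext.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream encryption; decryption is the same call on the ciphertext."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def recover_second_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Attacker's step: c1 and c2 were produced under the same (key, iv).

    c1 ^ c2 = (p1 ^ ks) ^ (p2 ^ ks) = p1 ^ p2, so p2 = c1 ^ c2 ^ p1 at every
    byte position where p1 is known. No key material is needed.
    """
    n = min(len(c1), len(c2), len(p1))
    return xor(xor(c1[:n], c2[:n]), p1[:n])


def demo() -> bytes:
    # Constructed sample traffic. Key and IV are fresh and secret; the only
    # mistake is using the pair twice.
    key = os.urandom(32)
    iv = os.urandom(12)
    p1 = b"Attack at dawn. Secondary target: bridge."  # known to the attacker
    p2 = b"Retreat to the river and await orders."     # unknown to the attacker
    c1 = encrypt(key, iv, p1)
    c2 = encrypt(key, iv, p2)  # BUG: same key and IV as c1
    return recover_second_plaintext(c1, p1, c2)


if __name__ == "__main__":
    print(demo().decode())
```

Run it and the second message comes back byte for byte wherever the first one overlaps it. A random nonce, or a per-message counter that is never repeated under one key, is the whole fix; with a distinct IV the same XOR gives nothing but the XOR of two independent keystream blocks.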
On Sep 7, 2013, at 3:25 PM, Christian Huitema huit...@huitema.net wrote:
Another argument is “minimal dependency.” If you use public key, you depend
on both the public key algorithm, to establish the key, and the symmetric key
algorithm, to protect the session. If you just use symmetric
There are basically two ways your RNG can be cooked:
a. It generates predictable values. Any good cryptographic PRNG will do this
if seeded by an attacker. Any crypto PRNG seeded with too little entropy can
also do this.
b. It leaks its internal state in its output in some encrypted way.
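Both failure modes in this list, as an added example (mine, not the poster's). The generator, the seeds and ESCROW_KEY are constructed; HashDRBG is a toy hash-based generator, not a standard design. attack_low_entropy brute-forces a 16-bit seed from one output and predicts the next one (case a); EscrowedDRBG emits its internal state masked under a key only the designer holds, so its output looks random to everyone else but attack_escrow predicts the rest of the stream from a single value (case b):

```python
import hashlib
import hmac
from typing import Optional


def H(tag: bytes, data: bytes) -> bytes:
    return hashlib.sha256(tag + data).digest()


class HashDRBG:
    """Toy hash-based generator (assumption: illustrative, not a standard
    DRBG). Outputs are unpredictable to anyone who does not know the state."""

    def __init__(self, seed: bytes):
        self.state = H(b"seed", seed)

    def next_bytes(self) -> bytes:
        out = H(b"out", self.state)
        self.state = H(b"upd", self.state)  # one-way update, no rollback
        return out


def attack_low_entropy(observed: bytes, seed_bits: int) -> Optional[bytes]:
    """Failure (a): the generator is sound but was seeded with only seed_bits
    of entropy (a PID, a boot-time counter). Given one 32-byte output,
    enumerate every seed, find the one that reproduces it, and return the
    victim's *next* output. At 16 bits this takes a fraction of a second."""
    nbytes = (seed_bits + 7) // 8
    for s in range(1 << seed_bits):
        g = HashDRBG(s.to_bytes(nbytes, "big"))
        if g.next_bytes() == observed:
            return g.next_bytes()
    return None


# Constructed: a key baked into the generator by whoever designed it.
ESCROW_KEY = bytes(range(32))


class EscrowedDRBG(HashDRBG):
    """Failure (b): output i is the internal state XORed with PRF(ESCROW_KEY, i).
    Without ESCROW_KEY the stream passes every statistical test; with it, a
    single output unmasks the state."""

    def __init__(self, seed: bytes):
        super().__init__(seed)
        self.counter = 0

    def _mask(self, i: int) -> bytes:
        return hmac.new(ESCROW_KEY, i.to_bytes(8, "big"), hashlib.sha256).digest()

    def next_bytes(self) -> bytes:
        out = bytes(a ^ b for a, b in zip(self.state, self._mask(self.counter)))
        self.state = H(b"upd", self.state)
        self.counter += 1
        return out


def attack_escrow(observed: bytes, index: int) -> bytes:
    """Escrow-key holder: unmask the state behind output number `index`
    (public, e.g. "the first nonce of the handshake") and predict output
    index + 1, which is exactly what the victim emits next."""
    g = EscrowedDRBG(b"placeholder")   # state and counter are overwritten below
    g.counter = index
    g.state = bytes(a ^ b for a, b in zip(observed, g._mask(index)))
    g.next_bytes()                      # re-derive output `index`, advancing state
    return g.next_bytes()
```

Case (a) is the one that kills deployed systems by accident; case (b) is what a deliberately cooked design looks like, and nothing observable at the output distinguishes it from an honest generator.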
Some of you may have seen my posts to postfix-users and openssl-users,
if so, apologies for the duplication.
http://archives.neohapsis.com/archives/postfix/2013-09/thread.html#80
http://www.mail-archive.com/openssl-users@openssl.org/index.html#71903
The short version is that while everyone
Let's suppose I design a block cipher such that, with a randomly generated key
and 10,000 known plaintexts, I can recover that key. For this to be useful in
a world with relatively sophisticated cryptanalysts, I must have confidence
that it is extremely hard to find my trapdoor, even when you
Pairwise shared secrets are just about the only thing that scales worse than
public key distribution by way of PGP key fingerprints on business cards.
The equivalent of CAs in an all-symmetric world is KDCs. Instead of having
the power to enable an active attack on you today, KDCs have
Jumping in to this a little late, but:
Q: Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own versions?
A: (Schneier) Yes, I believe so.
perhaps, but they would risk being noticed. Some people check file hashes
when
Public key depends on high level math. That math has some asymmetric
property that we can use to achieve the public-private key relationships.
The problem is that the discovery of smarter math can invalidate the
asymmetry and make it more symmetrical. This has to do with P=NP, which is
also less
On Sat, Sep 7, 2013 at 8:53 PM, Gregory Perry gregory.pe...@govirtual.tv wrote:
On 09/07/2013 07:52 PM, Jeffrey I. Schiller wrote:
Security fails on the Internet for three important reasons, that have
nothing to do with the IETF or the technology per-se (except for point
3).
1. There is
On Sat, Sep 7, 2013 at 10:35 PM, Gregory Perry
gregory.pe...@govirtual.tv wrote:
On 09/07/2013 09:59 PM, Phillip Hallam-Baker wrote:
Anyone who thinks Jeff was an NSA mole when he was one of the main people
behind the MIT version of PGP and the distribution of Kerberos is talking
daft.
On Sun, Sep 8, 2013 at 1:42 AM, Tim Newsham tim.news...@gmail.com wrote:
Jumping in to this a little late, but:
Q: Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own
versions?
A: (Schneier) Yes, I believe so.
On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore g...@toad.com wrote:
First, DNSSEC does not provide confidentiality. Given that, it's not
clear to me why the NSA would try to stop or slow its deployment.
DNSSEC authenticates keys that can be used to bootstrap
confidentiality. And it does
On Sat, Sep 07, 2013 at 08:45:34PM -0400, Perry E. Metzger wrote:
I'm unaware of an ECC equivalent of the Shor algorithm. Could you
enlighten me on that?
Shor's algorithm is a Fourier transform, essentially. It can find periods of
a function you can implement as a quantum circuit with only
Two caveats on the commentary about a symmetric key algorithm with a
trapdoor being a public key algorithm.
1) The trapdoor need not be a good public key algorithm, it can be flawed
in ways that would make it unsuited for use as a public key algorithm. For
instance being able to compute the
On 09/07/2013 07:51 PM, John Kelsey wrote:
Pairwise shared secrets are just about the only thing that scales
worse than public key distribution by way of PGP key fingerprints on
business cards.
If we want secure crypto that can be used by everyone, with minimal
trust, public key is the
- Forwarded message from James A. Donald jam...@echeque.com -
Date: Sun, 08 Sep 2013 08:34:53 +1000
From: James A. Donald jam...@echeque.com
To: cryptogra...@randombit.net
Subject: Re: [cryptography] Random number generation influenced, HW RNG
User-Agent: Mozilla/5.0 (Windows NT 5.1;
- Forwarded message from Gregory Maxwell gmaxw...@gmail.com -
Date: Sun, 8 Sep 2013 06:44:57 -0700
From: Gregory Maxwell gmaxw...@gmail.com
To: tor-t...@lists.torproject.org (This mailing list is for all discussion about theory, design, and development of Onion Routing.)
Subject:
On Sat, Sep 07, 2013 at 07:42:33PM -1000, Tim Newsham wrote:
Jumping in to this a little late, but:
Q: Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own versions?
A: (Schneier) Yes, I believe so.
perhaps, but they
Symmetric cryptography does a much easier thing. It combines data and some
mysterious data (key) in a way that you cannot extract data without the
mysterious data from the result. It's like a + b = c. Given c you need b to
find a. The tricks that are involved are mostly about sufficiently
On Sun, Sep 8, 2013 at 12:19 PM, Faré fah...@gmail.com wrote:
On Sun, Sep 8, 2013 at 9:42 AM, Phillip Hallam-Baker hal...@gmail.com
wrote:
Two caveats on the commentary about a symmetric key algorithm with a
trapdoor being a public key algorithm.
1) The trapdoor need not be a good
On Sep 7, 2013, at 6:30 PM, James A. Donald jam...@echeque.com wrote:
On 2013-09-08 4:36 AM, Ray Dillinger wrote:
But are the standard ECC curves really secure? Schneier sounds like he's got
some innovative math in his next paper if he thinks he can show that they
aren't.
Schneier
On Sep 7, 2013, at 7:56 PM, Perry E. Metzger wrote:
I'm not as yet seeing that a block cipher with a backdoor is a public
key system,
Then read the Blaze Feigenbaum paper I posted a link to. It makes a
very good case for that, one that Jerry unaccountably does not seem to
believe. Blaze
On Sep 7, 2013, at 11:06 PM, Christian Huitema wrote:
Pairwise shared secrets are just about the only thing that scales worse than
public key distribution by way of PGP key fingerprints on business cards.
The equivalent of CAs in an all-symmetric world is KDCs. If we want
secure
On 09/07/2013 06:57 PM, james hughes wrote:
PFS may not be a panacea but does help.
There's no question in my mind that PFS helps. I have, in the past,
been very in much favor of turning on PFS support in various protocols,
when it has
been available. And I fully understand what the
Hi,
BTW, I do not really agree with your argument it should be done via TLS
extension.
It's done that way based on discussions on (and mostly off) the TLS list by
various implementers; that was the one that caused the least dissent.
I've followed that list for a while. What I find weird is
Jeffrey I. Schiller j...@mit.edu writes:
If I was the NSA, I would be scavenging broken hardware from "interesting"
venues and purchasing computers for sale in interesting locations. I would be
particularly interested in stolen computers, as they have likely not been
wiped.
Just buy
On Sep 7, 2013, at 11:45 PM, John Kelsey wrote:
Let's suppose I design a block cipher such that, with a randomly generated
key and 10,000 known plaintexts, I can recover that key. At this point,
what I have is a trapdoor one-way function. You generate a random key K and
then compute
Hi,
http://www.youtube.com/watch?v=K8EGA834Nok
Is DNSSEC really the right solution?
Daniel
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
On Sep 8, 2013, at 10:45 AM, Ray Dillinger wrote:
Pairwise shared secrets are just about the only thing that scales
worse than public key distribution by way of PGP key fingerprints on
business cards.
If we want secure crypto that can be used by everyone, with minimal
trust, public key
On Sat, Sep 7, 2013 at 6:50 PM, John Gilmore g...@toad.com wrote:
PS: My long-standing domain registrar (enom.com) STILL doesn't support
DNSSEC records -- which is why toad.com doesn't have DNSSEC
protection. Can anybody recommend a good, cheap, reliable domain
registrar who DOES update their
On 8/09/13 16:42 PM, Phillip Hallam-Baker wrote:
Two caveats on the commentary about a symmetric key algorithm with a
trapdoor being a public key algorithm.
1) The trapdoor need not be a good public key algorithm, it can be
flawed in ways that would make it unsuited for use as a public key
On 09/08/2013 05:28 AM, Phillip Hallam-Baker wrote:
every code update to the repository should be signed and
recorded in an append only log and the log should be public and enable any
party to audit the set of updates at any time.
This would be 'Code Transparency'.
Problem is we would need to
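A minimal version of the signed, append-only, auditable log this message asks for, as an added example (mine, not Hallam-Baker's design or any project's code). Entries and keys are constructed, and an HMAC tag stands in for the author's public-key signature so the script is standard-library only. The audit check is the Certificate-Transparency-style one: an auditor who recorded (size, head) on an earlier visit verifies that today's published log still has that history as a prefix, so a rewritten or dropped update is detected:

```python
import hashlib
import hmac
import json
from typing import List, Tuple

EMPTY_HEAD = hashlib.sha256(b"empty-log").digest()


def leaf_hash(entry: dict) -> bytes:
    # Canonical encoding so every auditor hashes the same bytes.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).digest()


def chain_heads(entries: List[dict]) -> List[bytes]:
    """head_0 = EMPTY_HEAD; head_n = H(head_{n-1} || leaf(entry_n)).
    Changing or deleting entry k changes head_k and every head after it."""
    heads = [EMPTY_HEAD]
    for e in entries:
        heads.append(hashlib.sha256(heads[-1] + leaf_hash(e)).digest())
    return heads


def sign_update(commit: str, author: str, author_key: bytes) -> dict:
    """HMAC tag as a standard-library stand-in (assumption) for the author's
    public-key signature over the commit id. A real log stores the signature
    and lets anyone verify it against the author's public key."""
    tag = hmac.new(author_key, commit.encode(), hashlib.sha256).hexdigest()
    return {"commit": commit, "author": author, "sig": tag}


def verify_update(entry: dict, author_key: bytes) -> bool:
    want = hmac.new(author_key, entry["commit"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, entry["sig"])


class CodeLog:
    """Append-only log as operated by the repository; publishes (size, head)."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, entry: dict) -> Tuple[int, bytes]:
        self.entries.append(entry)
        return self.head()

    def head(self) -> Tuple[int, bytes]:
        return len(self.entries), chain_heads(self.entries)[-1]


def audit(seen_size: int, seen_head: bytes, entries: List[dict],
          claimed_size: int, claimed_head: bytes) -> bool:
    """Auditor's check, given the (size, head) recorded on an earlier visit
    plus the full entry list and the head the repository publishes now:
      1. the entries really hash to the published head, and
      2. the log at seen_size still hashes to seen_head, i.e. the history
         seen before is a prefix of today's (nothing rewritten or dropped)."""
    if claimed_size != len(entries) or seen_size > claimed_size:
        return False
    heads = chain_heads(entries)
    return heads[-1] == claimed_head and heads[seen_size] == seen_head
```

Whoever operates the log can still append a malicious update, but it cannot do so silently: the update carries a signature and sits in a history every auditor can replay, and any attempt to take it back later breaks the prefix check for everyone who saw the earlier head.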
On 09/08/2013 10:13 AM, Thor Lancelot Simon wrote:
On Sat, Sep 07, 2013 at 07:19:09PM -0700, Ray Dillinger wrote:
Given good open-source software, an FPGA implementation would provide greater
assurance of security.
How sure are you that an FPGA would actually be faster than you can already
3) Shortly after the token indictment of Zimmerman (thus prompting widespread
use and promotion of the RSA public key encryption algorithm), the Clinton
administration's FBI then advocated a relaxation of encryption export
regulations in addition to dropping all plans for the Clipper chip
On 09/08/2013 04:27 AM, Eugen Leitl wrote:
On 2013-09-08 3:48 AM, David Johnston wrote:
Claiming the NSA colluded with intel to backdoor RdRand is also to
accuse me personally of having colluded with the NSA in producing a
subverted design. I did not.
Well, since you personally did this,
On Sep 7, 2013, at 8:06 PM, John Kelsey crypto@gmail.com wrote:
There are basically two ways your RNG can be cooked:
a. It generates predictable values. Any good cryptographic PRNG will do
this if seeded by an attacker. Any crypto PRNG
On Sat, 07 Sep 2013 18:50:06 -0700 John Gilmore g...@toad.com wrote:
It was never clear to me why DNSSEC took so long to deploy,
[...]
PS: My long-standing domain registrar (enom.com) STILL doesn't
support DNSSEC records -- which is why toad.com doesn't have DNSSEC
protection. Can anybody
On Sat, 07 Sep 2013 20:14:10 -0700 Ray Dillinger b...@sonic.net
wrote:
On 09/06/2013 05:58 PM, Jon Callas wrote:
We know as a mathematical theorem that a block cipher with a back
door *is* a public-key system. It is a very, very, very valuable
thing, and suggests other mathematical
On Sun, 8 Sep 2013 15:55:52 -0400 Thor Lancelot Simon
t...@rek.tjls.com wrote:
On Sun, Sep 08, 2013 at 03:22:32PM -0400, Perry E. Metzger wrote:
Ah, now *this* is potentially interesting. Imagine if you have a
crypto accelerator that generates its IVs by encrypting
information about keys
Forwarded with permission.
So there *is* a BTNS implementation, after all. Albeit
only for OpenBSD -- but this means FreeBSD is next, and
Linux to follow.
- Forwarded message from Andreas Davour ko...@yahoo.com -
Date: Sun, 8 Sep 2013 09:10:44 -0700 (PDT)
From: Andreas Davour
On Sep 8, 2013, at 3:55 PM, Thor Lancelot Simon t...@rek.tjls.com wrote:
...
I also wonder -- again, not entirely my own idea, my whiteboard partner
can speak up for himself if he wants to -- about whether we're going
to make ourselves better or worse off by rushing to the safety of
PFS
What's the current state of the art of attacks against AES? Is the
advice that AES-128 is (slightly) more secure than AES-256, at least
in theory, still current?
(I'm also curious as to whether anyone has ever proposed fixes to the
weaknesses in the key schedule...)
Perry
--
Perry E. Metzger
On Sun, Sep 08, 2013 at 06:16:45PM -0400, John Kelsey wrote:
I don't think you can do anything useful in crypto without some
good source of random bits. If there is a private key somewhere
(say, used for signing, or the public DH key used alongside the
ephemeral one), you can combine the
On Sep 7, 2013, at 8:16 PM, Marcus D. Leech mle...@ripnet.com wrote:
But it's not entirely clear to me that it will help enough in the scenarios
under discussion. If we assume that mostly what NSA are doing is acquiring a
site
RSA key (either through donation on the part of the site,
The Spiegel article perhaps contains a key to this capability:
In the internal documents, experts boast about successful access to
iPhone data in instances where the NSA is able to infiltrate the
computer a person uses to sync their iPhone.
I have not seen security measures such as requiring a
On Sep 8, 2013, at 6:09 PM, Perry E. Metzger wrote:
Not very surprising given everything else, but I thought I would
forward the link. It more or less contends that the NSA has exploits
for all major smartphones, which should not be surprising
A new paper on the Tor network, entitled Users Get Routed:
Traffic Correlation on Tor by Realistic Adversaries.
https://security.cs.georgetown.edu/~msherr/papers/users-get-routed.pdf
Quote to whet your appetite:
We present the first analysis of the popular Tor anonymity network
that
On 09/08/2013 06:16 PM, John Kelsey wrote:
I don't think you can do anything useful in crypto without some good
source of random bits.
I don't see the big worry about how hard it is to generate random
numbers unless:
a) You need them super fast (because you are Google, trying to secure
On Sun, 08 Sep 2013 20:34:55 -0400 Kent Borg kentb...@borg.org
wrote:
On 09/08/2013 06:16 PM, John Kelsey wrote:
I don't think you can do anything useful in crypto without some
good source of random bits.
I don't see the big worry about how hard it is to generate random
numbers unless:
On Fri, Sep 06, 2013 at 05:22:26PM -0700, John Gilmore wrote:
Speaking as someone who followed the IPSEC IETF standards committee
pretty closely, while leading a group that tried to implement it and
make it so usable that it would be used by default
On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger pe...@piermont.com wrote:
On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker
hal...@gmail.com wrote:
The Registrars are pure marketing operations. Other than GoDaddy
which implemented DNSSEC because they are trying to sell the
business
On Sep 8, 2013, at 1:47 PM, Jerry Leichter leich...@lrw.com wrote:
On Sep 8, 2013, at 3:51 PM, Perry E. Metzger wrote:
In summary, it would appear that the most viable solution is to make
the end-to-end encryption endpoint a piece of hardware the user owns
(say the oft mentioned $50
On 2013-09-09 11:15 AM, Perry E. Metzger wrote:
Lenstra, Heninger and others have both shown mass breaks of keys based
on random number generator flaws in the field. Random number
generators have been the source of a huge number of breaks over time.
Perhaps you don't see the big worry, but real
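The mass-break pattern Lenstra, Heninger and others reported, reproduced in miniature as an added example (my code, modelling the failure; not any vendor's generator and not the papers' tooling). A fleet of devices draws the first RSA prime from a pool seeded with only 3 bits of boot-time entropy and the second after real entropy has arrived; any two moduli that share a prime fall to a plain gcd. Seeds, key sizes and the pool model are constructed, and the primes are 128-bit so it runs in seconds:

```python
import math
import random
from typing import Dict, List, Tuple


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with fixed bases; fine for a demo, not for key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    bases = random.Random(0xC0FFEE)
    for _ in range(rounds):
        x = pow(bases.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(rng: random.Random, bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def weak_keygen(device_id: int, bits: int = 128) -> Tuple[int, int, int]:
    """Models the headless-device failure (assumption: a toy model). p is
    drawn right after boot from a pool holding 3 bits of entropy, so at most
    8 distinct p values exist across the fleet; q is drawn later, after real
    entropy arrived. Returns (N, p, q)."""
    boot_pool = random.Random(device_id % 8)            # 8 possible states
    p = random_prime(boot_pool, bits)
    later_pool = random.Random(1_000_000 + device_id)   # stand-in for a well-seeded pool
    q = random_prime(later_pool, bits)
    return p * q, p, q


def good_keygen(device_id: int, bits: int = 128) -> int:
    """Both primes from distinct, well-seeded pools: nothing is shared."""
    p = random_prime(random.Random(2_000_000 + device_id), bits)
    q = random_prime(random.Random(3_000_000 + device_id), bits)
    return p * q


def batch_gcd_factor(moduli: List[int]) -> Dict[int, Tuple[int, int]]:
    """Factor every modulus that shares a prime with another one.
    Pairwise gcd is O(n^2); the published work used a product-tree batch
    GCD to cover millions of keys, but the leak is the same:
    gcd(p*q1, p*q2) = p, and one division finishes the job."""
    found: Dict[int, Tuple[int, int]] = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = math.gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:
                found[moduli[i]] = (g, moduli[i] // g)
            if 1 < g < moduli[j]:
                found[moduli[j]] = (g, moduli[j] // g)
    return found
```

Note what the attacker does not need: no factoring, no side channel, no access to any device, only the public keys. That is why a random number generator flaw is a worse failure than a weak cipher: it turns every key in the population into public data at once.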
On 2013-09-09 4:49 AM, Perry E. Metzger wrote:
Your magic key must then take any block of N bits and magically
produce the corresponding plaintext when any given ciphertext
might correspond to many, many different plaintexts depending
on the key. That's clearly not something you can do.
On 2013-09-09 6:08 AM, John Kelsey wrote:
a. Things that just barely work, like standards groups, must in general be
easier to sabotage in subtle ways than things that click along with great
efficiency. But they are also things that often fail with no help at all from
anyone, so it's hard
note when the router Hughes references was first introduced in the IETF gateway
committee meeting as VPN it caused lots of turmoil in the IPSEC camp as well as
with the other router vendors. The other router vendors went into standards
stall mode ... their problem was none of them had a product
On Sep 8, 2013, at 7:16 PM, james hughes wrote:
Let me suggest the following.
With RSA, a single quiet donation by the site and it's done. The situation
becomes totally passive and there is no possibility knowing what has been
read. The system administrator could even do this without the
This space is of particular interest to me. I implemented just one of
these and published the protocol (rather than pimp my blog if anyone wants
to read up on the protocol description feel free to email me and I'll send
you a link).
The system itself was built around a fairly simple PKI which
On 09/08/2013 09:15 PM, Perry E. Metzger wrote:
Perhaps you don't see the big worry, but real world experience says it
is something everyone else should worry about anyway.
I overstated it.
Good random numbers are crucial, and like any cryptography, exact
details matter. Programmers are
Apparently this was just a teaser article. The following is apparently the
full story: http://cryptome.org/2013/09/nsa-smartphones.pdf I can't tell for
sure - it's the German original, and my German is non-existent.
-- Jerry
On 9/7/13 9:06 PM, Christian Huitema wrote:
Pairwise shared secrets are just about the only thing that
scales worse than public key distribution by way of PGP key
fingerprints on business cards. The equivalent of CAs in an
all-symmetric world is
Ralph Holz ralph-cryptometz...@ralphholz.de writes:
I've followed that list for a while. What I find weird is that there should
be much dissent at all. This is about increasing security based on adding
quite well-understood mechanisms. What's to be so opposed to there?
There wasn't really much
On 9/8/13 1:51 PM, Perry E. Metzger wrote:
On Sun, 8 Sep 2013 14:50:07 -0400 Jerry Leichter
leich...@lrw.com wrote:
Even for one-to-one discussions, these days, people want
transparent movement across their hardware. If I'm in a chat
session
On Sep 8, 2013, at 9:15 PM, Perry E. Metzger wrote:
I don't see the big worry about how hard it is to generate random
numbers unless:
Lenstra, Heninger and others have both shown mass breaks of keys based
on random number generator flaws in the field. Random number
generators have been the
Apparently this was just a teaser article. The following is apparently the
full story: http://cryptome.org/2013/09/nsa-smartphones.pdf I can't tell
for sure - it's the German original, and my German is non-existent.
The high level summary is