On 10/11/2013 11:22 AM, Jerry Leichter wrote:
1. Brute force. No public key-stretching algorithm can help, since the
attacker
will brute-force the k's, computing the corresponding K's as he goes.
There is a completely impractical solution for this which is applicable
in a very few
Saw this on Arstechnica today and thought I'd pass along the link.
http://arstechnica.com/security/2013/09/fatal-crypto-flaw-in-some-government-certified-smartcards-makes-forgery-a-snap/2/
More detailed version of the story available at:
https://factorable.net/paper.html
Short version:
On 10/10/2013 12:54 PM, John Kelsey wrote:
Having a public bulletin board of posted emails, plus a protocol
for anonymously finding the ones your key can decrypt, seems
like a pretty decent architecture for prism-proof email. The
tricky bit of crypto is in making access to the bulletin
On 10/07/2013 05:28 PM, David Johnston wrote:
We are led to believe that if it is shown that P = NP, we suddenly have a
break for all sorts of algorithms.
So if P really does = NP, we can just assume P = NP and the breaks will make
themselves evident. They do not. Hence P != NP.
As
On 10/04/2013 07:38 AM, Jerry Leichter wrote:
On Oct 1, 2013, at 5:34 AM, Ray Dillinger b...@sonic.net wrote:
What I don't understand here is why the process of selecting a standard
algorithm for cryptographic primitives is so highly focused on speed.
If you're going to choose a single
Is it just me, or does the government really have absolutely no one
with any sense of irony? Nor, increasingly, anyone with a sense of
shame?
I have to ask, because after directly suborning the cyber security
of most of the world including the USA, and destroying the credibility
of just about
Original message
From: Phillip Hallam-Baker hal...@gmail.com
Date: 10/06/2013 08:18 (GMT-08:00)
To: James A. Donald jam...@echeque.com
Cc: cryptography@metzdowd.com
Subject: Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was:
NIST about to weaken SHA3?
Original message
From: Jerry Leichter leich...@lrw.com
Date: 10/06/2013 15:35 (GMT-08:00)
To: John Kelsey crypto@gmail.com
Cc: cryptography@metzdowd.com List cryptography@metzdowd.com,Christoph
Anton Mitterer cales...@scientia.net,james hughes
On 10/03/2013 06:59 PM, Watson Ladd wrote:
On Thu, Oct 3, 2013 at 3:25 PM,leich...@lrw.com wrote:
On Oct 3, 2013, at 12:21 PM, Jerry Leichterleich...@lrw.com wrote:
As *practical attacks today*, these are of no interest - related key
attacks only apply in rather unrealistic scenarios, even
On 10/04/2013 01:23 AM, James A. Donald wrote:
On 2013-10-04 09:33, Phillip Hallam-Baker wrote:
The design of WSDL and SOAP is entirely due to the need to impedance match COM
to HTTP.
That is fairly horrifying, as COM was designed for a single threaded
environment, and becomes and
On 10/02/2013 02:13 PM, Brian Gladman wrote:
The NIST specification only eliminated Rijndael options - none of the
Rijndael options included in AES were changed in any way by NIST.
Leaving aside the question of whether anyone weakened it, is it
true that AES-256 provides comparable security
What I don't understand here is why the process of selecting a standard
algorithm for cryptographic primitives is so highly focused on speed.
We have machines that are fast enough now that while speed isn't a non issue,
it is no longer nearly as important as the process is giving it precedence
Okay, I didn't express myself very well the first time I tried to say this.
But as I see it, we're still basing the design of crypto algorithms on
considerations that had the importance we're treating them as having about
twelve years ago.
To make an analogy, it's like making tires when
*1 Anyone who attempts to generate random numbers by
deterministic means is, of course, living in a
state of sin. -- John Von Neumann
That said, it seems that most of these attacks on Pseudorandom
generators some of which are deliberately flawed, can be ameliorated
somewhat by using
On 09/16/2013 07:58 AM, Perry E. Metzger wrote:
Well, we do know they created things like the (not very usable)
seLinux MAC (Multilevel Access Control) system, so clearly they do
some hacking on security infrastructure.
SeLinux seems to be targeted mostly at organizational security,
whereas
On 09/08/2013 11:49 AM, Perry E. Metzger wrote:
That said, your hypothetical seems much like imagine that you can
float by the power of your mind alone. The construction of such a
cipher with a single master key that operates just like any other key
seems nearly impossible, and that should be
On 09/05/2013 07:00 PM, Jon Callas wrote:
I don't think they're actively bad, though. For the purpose they were created
for --
parallelizable authenticatedencryption -- it serves its purpose. You can have a
decent implementor implement them right in hardware and walk away.
Given some of the
On 09/06/2013 05:58 PM, Jon Callas wrote:
We know as a mathematical theorem that a block cipher with a back
door *is* a public-key system. It is a very, very, very valuable
thing, and suggests other mathematical secrets about hitherto
unknown ways to make fast, secure public key systems.
On 09/07/2013 07:51 PM, John Kelsey wrote:
Pairwise shared secrets are just about the only thing that scales
worse than public key distribution by way of PGP key fingerprints on
business cards.
If we want secure crypto that can be used by everyone, with minimal
trust, public key is the
On 09/08/2013 05:28 AM, Phillip Hallam-Baker wrote:
every code update to the repository should be signed and
recorded in an append only log and the log should be public and enable any
party to audit the set of updates at any time.
This would be 'Code Transparency'.
Problem is we would need to
On 09/08/2013 10:13 AM, Thor Lancelot Simon wrote:
On Sat, Sep 07, 2013 at 07:19:09PM -0700, Ray Dillinger wrote:
Given good open-source software, an FPGA implementation would provide greater
assurance of security.
How sure are you that an FPGA would actually be faster than you can already
On 09/08/2013 04:27 AM, Eugen Leitl wrote:
On 2013-09-08 3:48 AM, David Johnston wrote:
Claiming the NSA colluded with intel to backdoor RdRand is also to
accuse me personally of having colluded with the NSA in producing a
subverted design. I did not.
Well, since you personally did this,
On 09/06/2013 01:25 PM, Jerry Leichter wrote:
A response he wrote as part of a discussion at
http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
Q: Could the NSA be intercepting downloads of open-source encryption software and
silently replacing these with their own versions?
On 09/03/2013 09:54 AM, radi...@gmail.com wrote:
--Alexander Kilmov wrote:
--David Mercer wrote:
2) Is anyone aware of ITAR changes for SHA hashes in recent years
that require more than the requisite notification email to NSA for
download URL and authorship information? Figuring this one out
On 08/31/2013 02:53 PM, John Kelsey wrote:
I think it makes sense to separate out the user-level view of what happens.
True. I shouldn't have muddied up user-side view with notes about
packet forwarding, mixing, cover traffic, and domain lookup, etc.
Some users (I think) will want to know
On 08/30/2013 08:10 PM, Aaron Zauner wrote:
I read that WP report too. IMHO this can only be related to RSA (factorization,
side-channel attacks).
I have been hearing rumors lately that factoring may not in fact be as hard
as we have heretofore supposed. Algorithmic advances keep eating
Okay...
User-side spec:
1. An email address is a short string freely chosen by the email user.
It is subject to the constraint that it must not match anyone else's
email address, but may (and should) be pronounceable in ordinary language
and writable with the same character set
On 08/30/2013 01:52 PM, Jonathan Thornburg wrote:
On Fri, 30 Aug 2013, Ray Dillinger wrote:
3. When an email user gets an email, s/he is absolutely sure that it comes
from the person who holds the email address listed in its from line.
S/he may or may not have any clue who
On 08/26/2013 04:12 AM, Richard Salz wrote:
You need the client to be
able to generate a keypair, upload the public half, and pull down
(seamlessly) recipient public keys. You need a server to store and
return those keys. You need an installed base to kickstart the network
effect.
Who has
On 08/25/2013 03:28 PM, Perry E. Metzger wrote:
So, imagine that we have the situation described by part 1 (some
universal system for mapping name@domain type identifiers into keys
with reasonable trust) and part 2 (most users having some sort of
long lived $40 device attached to their home
On 08/25/2013 08:32 PM, Jerry Leichter wrote:
Where
mail servers have gotten into trouble is when they've tried to provide
additional services - e.g., virus scanners, which then try to look
inside of complex formats like zip files. This is exactly the kind
of thing you want to avoid - another
On 08/26/2013 10:39 AM, Jerry Leichter wrote:
On Aug 26, 2013, at 1:16 PM, Ray Dillinger b...@sonic.net wrote:
Even a tiny one-percent-of-a-penny payment
that is negligible between established correspondents or even on most email
lists would break a spammer.
This (and variants, like
On 08/22/2013 02:36 AM, Phillip Hallam-Baker wrote:
Thanks to Snowden we now have a new term of art 'Prism-Proof', i.e. a
security scheme that is proof against state interception. Having had
an attack by the Iranians, I am not just worried about US interception.
Chinese and Russian intercepts
On 06/28/2013 09:36 PM, Udhay Shankar N wrote:
On Sat, Jun 29, 2013 at 4:30 AM, John Gilmoreg...@toad.com wrote:
[John here. Let's try some speculation about what this phrase,
fabricating digital keys, might mean.]
Perhaps something conceptually similar to PGP's Additional Decryption
Key
Microsoft is sending up a test balloon on a plan to 'quarantine'
computers from accessing the Internet unless they produce a 'health
certificate' to ensure that software patches are applied, a firewall
is installed and configured correctly, an antivirus program with current
signatures is
a 19-year-old just got a 16-month jail sentence for his refusal to
disclose the password that would have allowed investigators to see
what was on his hard drive.
I suppose that, if the authorities could not read his stuff
without the key, it may mean that the software he was using may
have
On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote:
Moore's law helped immensely here. In the last 5 years systems have gotten
about 8 times faster, reducing the processing cost of crypto a lot.
The big drawback is that those who want to follow NIST's recommendations
Assume, contra facto, that in some future iteration of PKI, it
works, and works very well.
What the heck does it look like?
At a guess Anybody can create a key (or key pair). They
get one clearly marked private, which they're supposed to keep,
and one clearly marked public, which
On Fri, 2009-11-20 at 20:13 +1300, Peter Gutmann wrote:
Because (apart from the reasons given above) with business use specifically
you run into insurmountable PC - device communications problems. Many
companies who handle large financial transactions are also ones who, due to
concern over
[Moderator's note: this is getting a bit off topic, and I'd prefer to
limit followups. --Perry]
On Wed, 2009-08-19 at 06:23 +1000, James A. Donald wrote:
Ray Dillinger wrote:
If there is not an existing relationship (first time someone
uses an e-tailer) then there has to be a key
On Sat, 2009-07-04 at 10:39 -0700, Hal Finney wrote:
Rivest:
Thus, while MD6 appears to be a robust and secure cryptographic
hash algorithm, and has much merit for multi-core processors,
our inability to provide a proof of security for a
reduced-round (and possibly
On Tue, 2009-05-26 at 18:49 -0700, John Gilmore wrote:
It's a little hard to help without knowing more about the situation.
I.e. is this a software company? Hardware? Music? Movies?
Documents? E-Books?
It's a software company.
Is it trying to prevent access to something, or
the
On Wed, 2009-05-27 at 10:31 -0400, Roland Dowdeswell wrote:
I have noticed in my years as a security practitioner, that in my
experience non-security people seem to assume that a system is
perfectly secure until it is demonstrated that it is not with an
example of an exploit. Until an
experience, seems foolish?
Ray Dillinger
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
On Thu, 2009-04-30 at 13:56 +0200, Eugen Leitl wrote:
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
Wow! These slides say that they discovered a way to find collisions
in SHA-1 at a cost of only 2^52 computations. If this turns out to
be right (and the authors
On Tue, 2009-03-03 at 21:33 -0500, Ivan Krsti? wrote:
If you give me the benefit of the doubt for having a reasonable
general grasp of the legal system and not thinking the judge is an
automaton or an idiot, can you explain to me how you think the judge
can meet the burden of proof for
On Wed, 2009-02-25 at 14:53 +, John Levine wrote:
You're right, but it's not obvious to me how a site can tell an evil
MITM proxy from a benign shared web cache. The sequence of page
accesses would be pretty similar.
There is no such thing as a benign web cache for secure pages.
If you
I have a disgustingly simple proposal. It seems to me that one
of the primary reasons why UCE-limiting systems fail is the
astonishing complexity of having a trust infrastructure
maintained by trusted third parties or shared by more than
one user. Indeed, trusted third party and trust shared
Okay I'm going to summarize this protocol as I understand it.
I'm filling in some operational details that aren't in the paper
by supplementing what you wrote with what my own design sense
tells me are critical missing bits or obvious methodologies for
use.
First, people spend computer
On Sat, 2008-11-15 at 12:43 +0800, Satoshi Nakamoto wrote:
I'll try and hurry up and release the sourcecode as soon as possible
to serve as a reference to help clear up all these implementation
questions.
Ray Dillinger (Bear) wrote:
When a coin is spent, the buyer and seller digitally
On Tue, 2008-11-04 at 06:20 +1000, James A. Donald wrote:
If I understand Simplified Payment Verification
correctly:
New coin issuers need to store all coins and all recent
coin transfers.
There are many new coin issuers, as many as want to be
issuers, but far more coin users.
On Thu, 2008-10-30 at 16:32 +1300, Peter Gutmann wrote:
Look at the XBox
attacks for example, there's everything from security 101 lack of
checking/validation and 1980s MSDOS-era A20# issues through to Bunnie Huang's
FPGA-based homebrew logic analyser and use of timing attacks to recover
On Sat, 2008-05-03 at 23:35 +, Steven M. Bellovin wrote:
There's a technical/philosophical issue lurking here. We tried to
solve it in IPsec; not only do I think we didn't succeed, I'm not at
all clear we could or should have succeeded.
IPsec operates at layer 3, where there are
On Fri, 2008-01-18 at 02:31 -0800, Alex Alten wrote:
At 07:35 PM 1/18/2008 +1000, James A. Donald wrote:
And all the criminals will of course obey the law.
Why not just require them to set an evil flag on all
their packets?
These are trite responses. Of course not. My point is
that
54 matches
Mail list logo