On Tue, Sep 10, 2013 at 2:04 PM, Joe Abley jab...@hopcount.ca wrote:
As an aside, I see CAs with Chinese organisation names in my browser list.
I wouldn't pick on/fear/call out the Chinese specifically.
Also, be aware that browsers must transitively trust all the issuers
that the known trust
On Mon, Sep 09, 2013 at 06:41:23AM -0700, Andreas Davour wrote:
So there *is* a BTNS implementation, after all. Albeit
only for OpenBSD -- but this means FreeBSD is next, and
Linux to follow.
I might add that as far as I know, this work has not been picked up
yet by neither
On 2013-09-09, at 12:04, Salz, Rich rs...@akamai.com wrote:
➢ then maybe it's not such a silly accusation to think that root CAs are
routinely distributed to multinational secret
➢ services to perform MITM session decryption on any form of communication
that derives its security from the
On Tue, 10 Sep 2013 17:04:51 -0400 Joe Abley jab...@hopcount.ca
wrote:
On 2013-09-09, at 12:04, Salz, Rich rs...@akamai.com wrote:
then maybe it's not such a silly accusation to think that
root CAs are routinely distributed to multinational secret
services to perform MITM session
On 10 September 2013 22:04, Joe Abley jab...@hopcount.ca wrote:
Suppose Mallory has access to the private keys of CAs which are in the
browser list or otherwise widely-trusted.
An on-path attack between Alice and Bob would allow Mallory to terminate
Alice's TLS connection, presenting an
Hi Jeffrey,
On 8/09/13 02:52 AM, Jeffrey I. Schiller wrote:
The IETF was (and probably still is) a bunch of hard working
individuals who strive to create useful technology for the
Internet.
Granted! I do not want to say that the IETF people are in a conspiracy
with someone or each other,
➢ then maybe it's not such a silly accusation to think that root CAs are
routinely distributed to multinational secret
➢ services to perform MITM session decryption on any form of communication
that derives its security from the CA PKI.
How would this work, in practice? How would knowing a
From: Eugen Leitl eu...@leitl.org
Forwarded with permission.
[snip]
http://hack.org/mc/projects/btns/
So there *is* a BTNS implementation, after all. Albeit
only for OpenBSD -- but this means FreeBSD is next, and
Linux to follow.
I might add that as far as I
* NSA employees participated throughout, and occupied leadership roles
in the committee and among the editors of the documents
Slam dunk. If the NSA had wanted it, they would have designed it themselves.
The only
conclusion for their presence that is rational is to sabotage it [3].
First, DNSSEC does not provide confidentiality. Given that, it's not
clear to me why the NSA would try to stop or slow its deployment.
DNSSEC authenticates keys that can be used to bootstrap
confidentiality. And it does so in a globally distributed, high
performance, high reliability
On 09/06/2013 05:58 PM, Jon Callas wrote:
We know as a mathematical theorem that a block cipher with a back
door *is* a public-key system. It is a very, very, very valuable
thing, and suggests other mathematical secrets about hitherto
unknown ways to make fast, secure public key systems.
Let's suppose I design a block cipher such that, with a randomly generated key
and 10,000 known plaintexts, I can recover that key. For this to be useful in
a world with relatively sophisticated cryptanalysts, I must have confidence
that it is extremely hard to find my trapdoor, even when you
On Sat, Sep 7, 2013 at 8:53 PM, Gregory Perry gregory.pe...@govirtual.tv wrote:
On 09/07/2013 07:52 PM, Jeffrey I. Schiller wrote:
Security fails on the Internet for three important reasons, that have
nothing to do with the IETF or the technology per-se (except for point
3).
1. There is
On Sat, Sep 7, 2013 at 10:35 PM, Gregory Perry
gregory.pe...@govirtual.tv wrote:
On 09/07/2013 09:59 PM, Phillip Hallam-Baker wrote:
Anyone who thinks Jeff was an NSA mole when he was one of the main people
behind the MIT version of PGP and the distribution of Kerberos is talking
daft.
On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore g...@toad.com wrote:
First, DNSSEC does not provide confidentiality. Given that, it's not
clear to me why the NSA would try to stop or slow its deployment.
DNSSEC authenticates keys that can be used to bootstrap
confidentiality. And it does
On Sep 7, 2013, at 11:45 PM, John Kelsey wrote:
Let's suppose I design a block cipher such that, with a randomly generated
key and 10,000 known plaintexts, I can recover that key At this point,
what I have is a trapdoor one-way function. You generate a random key K and
then compute
Hi,
http://www.youtube.com/watch?v=K8EGA834Nok
Is DNSSEC really the right solution?
Daniel
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
On Sat, Sep 7, 2013 at 6:50 PM, John Gilmore g...@toad.com wrote:
PS: My long-standing domain registrar (enom.com) STILL doesn't support
DNSSEC records -- which is why toad.com doesn't have DNSSEC
protection. Can anybody recommend a good, cheap, reliable domain
registrar who DOES update their
3) Shortly after the token indictment of Zimmerman (thus prompting widespread
use and promotion of the RSA public key encryption algorithm), the Clinton
administration's FBI then advocated a relaxation of encryption export
regulations in addition to dropping all plans for the Clipper chip
...@yahoo.com
To: Eugen Leitl eu...@leitl.org
Subject: [Cryptography] Opening Discussion: Speculation on BULLRUN
Reply-To: Andreas Davour ko...@yahoo.com
Apropos IPsec, I've tried searching for any BTNS (opportunistic encryption
mode for
IPsec) implementations
On Fri, Sep 06, 2013 at 05:22:26PM -0700, John Gilmore wrote:
Speaking as someone who followed the IPSEC IETF standards committee
pretty closely, while leading a group that tried to implement it and
make it so usable that it would be used by default
On Thu, 5 Sep 2013, Phillip Hallam-Baker wrote:
* Allowing deployment of DNSSEC to be blocked in 2002(sic) by
blocking a technical change that made it possible to deploy in
.com.
As an opponent of DNSSEC opt-in back in the day, I think this is a
poor example of NSA influence in the
As an opponent of DNSSEC opt-in back in the day, I think this is a
poor example of NSA influence in the standards process.
I do not challenge PHB's theory that the NSA has plants in the
IETF to discourage moves to strong crypto, particularly given John
Gilmore's recent message on IPSEC, but I
On 7/09/13 01:51 AM, Peter Gutmann wrote:
ianG i...@iang.org writes:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
How does '(a) Organizations and Conferences' differ from SOP for these sorts
of things?
In
On 7/09/13 03:58 AM, Jon Callas wrote:
Could an encryption algorithm be explicitly designed to have properties like this? I
don't know of any, but it seems possible. I've long suspected that NSA might want this
kind of property for some of its own systems: In some cases, it completely
On Fri, Sep 06, 2013 at 09:19:07PM -0400, Derrell Piper wrote:
...and to add to all that, how about the fact that IPsec was dropped as a
'must implement' from IPv6 sometime after 2002?
Apropos IPsec, I've tried searching for any BTNS (opportunistic encryption mode
for
IPsec) implementations,
On 7/09/13 10:15 AM, Gregory Perry wrote:
Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for confidentiality (although that
would have been a bonus).
If so, then the
On Sep 7, 2013, at 12:31 AM, Jon Callas wrote:
I'm sorry, but this is just nonsense. You're starting with informal, rough
definitions and claiming a mathematical theorem.
Actually, I'm doing the opposite. I'm starting with a theorem and arguing
informally from there
Actually, if you
If so, then the domain owner can deliver a public key with authenticity
using the DNS. This strikes a deathblow to the CA industry. This
threat is enough for CAs to spend a significant amount of money slowing
down its development [0].
How much more obvious does it get [1] ?
The PKI industry
On Sat, Sep 7, 2013 at 2:19 AM, ianG i...@iang.org wrote:
On 7/09/13 10:15 AM, Gregory Perry wrote:
Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for
On 09/07/13 05:19, ianG wrote:
If so, then the domain owner can deliver a public key with authenticity using
the DNS.
This strikes a deathblow to the CA industry. This threat is enough for CAs to
spend a significant amount
of money slowing down its development [0].
unfortunately as far as
On 09/07/2013 04:20 PM, Phillip Hallam-Baker wrote:
Before you make silly accusations go read the VeriSign Certificate Practices
Statement and then work out how many people it takes to gain access to one of
the roots.
The Key Ceremonies are all videotaped from start to finish and the auditors
On Sat, Sep 7, 2013 at 5:19 AM, ianG i...@iang.org wrote:
On 7/09/13 10:15 AM, Gregory Perry wrote:
Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for
On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote:
Good theory only the CA industry tried very hard to deploy and was prevented
from doing so because Randy Bush abused his position as DNSEXT chair to prevent
modification of the spec to meet the deployment requirements in .com.
DNSSEC would
On Sat, Sep 07, 2013 at 09:14:47PM +, Gregory Perry wrote:
And this is exactly why there is no real security on the Internet.
Because the IETF and standards committees and working groups are all
in reality political fiefdoms and technological
I don't see what problem would actually be solved by dropping public key crypto
in favor of symmetric only designs. I mean, if the problem is that all public
key systems are broken, then yeah, we will have to do something else. But if
the problem is bad key generation or bad implementations,
On Thu, Sep 05, 2013 at 04:11:57PM -0400, Phillip Hallam-Baker wrote:
If a person at Snowden's level in the NSA had any access to information
Snowden didn't have clearance for that information. He's being described
as 'brilliant' and purportedly was able to access documents far beyond his
On Fri, 6 Sep 2013 01:19:10 -0400
John Kelsey crypto@gmail.com wrote:
I don't see what problem would actually be solved by dropping public
key crypto in favor of symmetric only designs. I mean, if the
problem is that all public key systems are broken, then yeah, we will
have to do
On 5 Sep 2013 at 23:14, Tim Dierks t...@dierks.org wrote:
I believe it is Dual_EC_DRBG. The ProPublica story says:
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered
by two Microsoft cryptographers in 2007, was engineered by the agency. The
N.S.A. wrote the
Perhaps it's time to move away from public-key entirely! We have a classic
paper - Needham and Schroeder, maybe? - showing that private key can do
anything public key can; it's just more complicated and less efficient.
Not really. The Needham-Schroeder you're thinking of is the essence of
On Sep 6, 2013, at 7:28 AM, Jerry Leichter wrote:
...Much of what you say later in the message is that the way we are using
symmetric-key systems (CA's and such)...
Argh! And this is why I dislike using symmetric and asymmetric to describe
cryptosystems: In English, the distinction is way
On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen
kristian.gjost...@math.ntnu.no wrote:
Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
I mean, who on earth would be daft enough to use the slowest possible
DRBG? If this is the best NSA can do, they are over-hyped.
It's
On 6/09/13 04:50 AM, Peter Gutmann wrote:
Perry E. Metzger pe...@piermont.com writes:
At the very least, anyone whining at a standards meeting from now on that
they don't want to implement a security fix because it isn't important to
the user experience or adds minuscule delays to an initial
On 2013-09-06 12:31 PM, Jerry Leichter wrote:
Another interesting goal: Shape worldwide commercial cryptography marketplace to make it more tractable to advanced
cryptanalytic capabilities being developed by NSA/CSS. Elsewhere, enabling access and exploiting systems
of interest and inserting
On 6/09/13 11:32 AM, ianG wrote:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
Oops, for those unfamiliar with CAcert's peculiar use of secure
browsing, drop the 's' in the above URL. Then it will securely load.
On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen
kristian.gjost...@math.ntnu.no wrote:
As a co-author of an analysis of Dual-EC-DRBG that did not
emphasize this problem (we only stated that Q had to be chosen at
random, Ferguson co were right to emphasize this point), I would
like to ask:
ianG i...@iang.org writes:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
How does '(a) Organizations and Conferences' differ from SOP for these sorts
of things?
Peter.
Following up on my own posting:
[The NSA] want to buy COTS because it's much cheaper, and COTS is based on
standards. So they have two contradictory constraints: They want the stuff
they buy secure, but they want to be able to break in to exactly the same
stuff when anyone else buys it.
On 6/09/13 08:04 AM, John Kelsey wrote:
It is possible Dual EC DRBG had its P and Q values generated to insert a
trapdoor, though I don't think anyone really knows that (except the people who
generated it, but they probably can't prove anything to us at this point).
It's also immensely
On Sep 6, 2013, at 4:42 AM, Jerry Leichter leich...@lrw.com wrote:
Argh! And this is why I dislike using symmetric and asymmetric to
describe cryptosystems: In English, the distinction is way too brittle.
Just a one-letter difference - and
On Sep 6, 2013, at 6:23 AM, Jerry Leichter leich...@lrw.com wrote:
Is such an attack against AES *plausible*? I'd have to say no. But if you
were on the stand as an expert witness and were asked under cross-examination
Is this *possible*?, I
...and to add to all that, how about the fact that IPsec was dropped as a 'must
implement' from IPv6 sometime after 2002?
On 9/6/2013 1:05 PM, Perry E. Metzger wrote:
I have re-read the NY Times article. It appears to only indicate that
this was *a* standard that was sabotaged, not that it was the only
one. In particular, the Times merely indicates that they can now
confirm that this particular standard was
On Sep 6, 2013, at 8:22 PM, John Gilmore g...@toad.com wrote:
Speaking as someone who followed the IPSEC IETF standards committee
pretty closely, while leading a group that tried to implement it and
make it so usable that it would be used by default throughout the
Internet, I noticed some
On Sep 6, 2013, at 8:58 PM, Jon Callas wrote:
I've long suspected that NSA might want this kind of property for some of
its own systems: In some cases, it completely controls key generation and
distribution, so can make sure the system as fielded only uses good keys.
If the algorithm
OK how about this:
If a person at Snowden's level in the NSA had any access to information
that indicated the existence of any program which involved the successful
cryptanalysis of any cipher regarded as 'strong' by this community then the
Director of National Intelligence, the Director of the
On Thu, Sep 5, 2013 at 4:57 PM, Perry E. Metzger pe...@piermont.com wrote:
On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger
pe...@piermont.com wrote:
Anyone recognize the standard?
Please say it aloud. (I personally don't recognize the standard
offhand, but my memory is poor that
On 09/05/2013 01:57 PM, Perry E. Metzger wrote:
and am not sure which international group is being mentioned.
ISO. Not that that narrows it down much.
Eric
On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote:
I would bet that there is more than enough DES traffic to be worth
attack
and probably quite a bit on IDEA as well. There is probably even some 40
and 64 bit crypto in use.
Indeed -- would you (or any of us) guess that NSA could break TDES
The NYT article is pretty informative:
(http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)
Because strong encryption can be so effective, classified N.S.A.
documents make clear, the agency’s success depends on working with
Internet companies — by getting their
First, I don't think it has anything to do with Dual EC DRBG. Who uses it?
My impression is that most of the encryption that fits what's in the article is
TLS/SSL. That is what secures most encrypted content going online. The easy
way to compromise that in a passive attack is to compromise
What surprises me is that anyone is surprised. If you believed
OpenBSD's Theo de Raadt and Gregory Perry back in late 2010, various
government agencies (in this specific case the FBI- though one wonders
if they were the originating agency) have been
On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey crypto@gmail.com
wrote:
First, I don't think it has anything to do with Dual EC DRBG. Who
uses it?
It did *seem* to match the particular part of the story about a
subverted standard that was complained about by Microsoft
researchers. I would
I would like to open the floor to *informed speculation* about
BULLRUN.
Informed speculation means intelligent, technical ideas about what
has been done. It does not mean wild conspiracy theories and the
like. I will be instructing the moderators (yes, I have help these
days) to ruthlessly prune
On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger
pe...@piermont.com wrote:
Classified N.S.A. memos appear to confirm that the fatal
weakness, discovered by two Microsoft cryptographers in 2007, was
engineered by the agency. The N.S.A. wrote the standard and
aggressively pushed it on the
On Thu, 05 Sep 2013 13:33:48 -0700 Eric Murray er...@lne.com wrote:
The NYT article is pretty informative:
(http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)
[...]
Also interesting:
Cryptographers have long suspected that the agency planted
vulnerabilities in a
On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger
pe...@piermont.com wrote:
I would like to open the floor to *informed speculation* about
BULLRUN.
Here are a few guesses from me:
1) I would not be surprised if it turned out that some people working
for some vendors have made code and
On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger pe...@piermont.com wrote:
I would like to open the floor to *informed speculation* about
BULLRUN.
Informed speculation means intelligent, technical ideas about what
has been done. It does not mean wild conspiracy theories and the
like. I will
On Thu, Sep 5, 2013 at 4:41 PM, Perry E. Metzger pe...@piermont.com wrote:
On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger
pe...@piermont.com wrote:
I would like to open the floor to *informed speculation* about
BULLRUN.
Here are a few guesses from me:
1) I would not be surprised if
On Thu, 05 Sep 2013 16:43:59 -0400 Bernie Cosell
ber...@fantasyfarm.com wrote:
On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote:
I would bet that there is more than enough DES traffic to be worth
attack
and probably quite a bit on IDEA as well. There is probably even
some 40 and 64
Bruce Schneier explains the Dual_EC_DRBG attack:
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
Hi all,
If you read the articles carefully, you'll note that at no point does the
NSA appear to have actually broken the *cryptography* in use. It's hard to
get concrete details from such vague writing and no access to the
original documents, but it sounds like they've mostly gotten a lot
[This drifts from the thread topic; feel free to attach a different subject
line to it]
On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote:
3) I would not be surprised if random number generator problems in a
variety of equipment and software were not a very obvious target,
whether those
On Sep 5, 2013, at 7:14 PM, John Kelsey wrote:
My broader question is, how the hell did a sysadmin in Hawaii get hold of
something that had to be super secret? He must have been stealing files from
some very high ranking people.
This has bothered me from the beginning. Even the first
On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Perry E. Metzger pe...@piermont.com writes:
I would like to open the floor to *informed speculation* about
BULLRUN.
Not informed since I don't work for them, but a connect-the-dots:
1. ECDSA/ECDH (and DLP
BULLRUN seems to be just an overarching name for several wide programs
to obtain plaintext of passively encrypted internet communications by
many different methods.
While there seem to be many non-cryptographic attacks included in the
BULLRUN program, of particular interest is the
Perry E. Metzger pe...@piermont.com writes:
I would like to open the floor to *informed speculation* about BULLRUN.
Not informed since I don't work for them, but a connect-the-dots:
1. ECDSA/ECDH (and DLP algorithms in general) are incredibly brittle unless
you get everything absolutely
On Thursday, September 5, 2013, Jerry Leichter wrote:
[This drifts from the thread topic; feel free to attach a different
subject line to it]
On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote:
3) I would not be surprised if random number generator problems in a
variety of equipment and
Perry E. Metzger pe...@piermont.com writes:
At the very least, anyone whining at a standards meeting from now on that
they don't want to implement a security fix because it isn't important to
the user experience or adds minuscule delays to an initial connection or
whatever should be viewed with
On Fri, 06 Sep 2013 13:50:54 +1200 Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Perry E. Metzger pe...@piermont.com writes:
Does that make them NSA plants? There's drafts for one or
two more fairly basic fixes to significant problems from other
people that get stalled forever, while the
On Sep 5, 2013, at 7:01 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Perry E. Metzger pe...@piermont.com writes:
I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
that you're thinking of?
It's not just
The actual documents - some of which the Times published with few redactions -
are worthy of a close look, as they contain information beyond what the
reporters decided to put into the main story. For example, at
On Sep 5, 2013, at 7:31 PM, Jerry Leichter leich...@lrw.com wrote:
Another interesting goal: Shape worldwide commercial cryptography
marketplace to make it more tractable to advanced cryptanalytic capabilities
being developed by NSA/CSS.
On Sep 5, 2013, at 10:19 PM, Jon Callas wrote:
I don't disagree by any means, but I've been through brittleness with both
discrete log and RSA, and it seems like only a month ago that people were
screeching to get off RSA over to ECC to avert the cryptocalypse. And that
the ostensible
Another interesting goal: Shape worldwide commercial cryptography
marketplace to make it more tractable to advanced cryptanalytic capabilities
being developed by NSA/CSS. ... This makes any NSA recommendation
*extremely* suspect. As far as I can see, the big push NSA is making these
On Sep 5, 2013, at 8:02 PM, Jerry Leichter leich...@lrw.com wrote:
Perhaps it's time to move away from public-key entirely! We have a classic
paper - Needham and Schroeder, maybe? - showing that private key can do
anything public key can; it's
On Sep 5, 2013, at 8:24 PM, Jerry Leichter leich...@lrw.com wrote:
Another interesting goal: Shape worldwide commercial cryptography
marketplace to make it more tractable to advanced cryptanalytic
capabilities being developed by NSA/CSS. ...