Hi Peter,
On 11 Feb 2013, at 22:45, Peter Gutmann wrote:
Ralph Holz h...@net.in.tum.de writes:
From what I can tell from our data, the most common symmetric ciphers in SSH
are proposed by client/servers to be used in CBC mode. With SSL/TLS and
XMLEnc, this mode has had quite some
Jeff,
There have been attacks on SSH based on the fact that portions of the packets
aren't authenticated, and as soon as the TLS folks stop bikeshedding and adopt
encrypt-then-MAC I'm going to propose the same thing for SSH; it's such a
no-brainer it should have been adopted years ago.
On 10 Mar 2013, at 10:51, Ben Laurie wrote:
On 10 March 2013 01:25, Tony Arcieri tony.arci...@gmail.com wrote:
On Sat, Mar 9, 2013 at 4:16 PM, Jeffrey Walton noloa...@gmail.com wrote:
The Web Cryptography Working Group looks well
On 10 Mar 2013, at 11:01, Ben Laurie wrote:
On 10 March 2013 10:58, Paterson, Kenny kenny.pater...@rhul.ac.uk wrote:
Right here: http://www.w3.org/TR/WebCryptoAPI:
Somehow missed that. Thanks.
19.1. Recommended algorithms
This section is non-normative
As the API is meant
Hi
On 20/09/2013 16:07, Alan Braggins alan.bragg...@gmail.com wrote:
On 20/09/13 13:22, Dominik Schürmann wrote:
I am wondering if it is okay to use the same asymmetric ECC key for
ECDSA and ECIES. Given that the signing and encryption algorithms are
not related like in RSA, I assume it is
. Indeed,
there's even a cryptographic principle - key separation - which says use
different keys for different functions.
Regards
Kenny
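Two points in this thread have a single worked illustration: Peter Gutmann's remark that SSH leaves parts of a packet unauthenticated and that encrypt-then-MAC is the obvious fix, and Kenny Paterson's reminder that key separation means a different key for every function. The block below is an added example, not code from the thread or from any of its participants, and it shows the principle in the symmetric setting rather than the ECDSA/ECIES case Dominik asked about: two independent subkeys are derived from one shared secret with HKDF (RFC 5869), the encryption key and the MAC key are never the same, and the MAC covers everything that goes on the wire (nonce, length field and ciphertext) so that the receiver touches nothing before the tag has been verified. The shared secret, session id and nonce are constructed values; the HMAC-SHA256 counter-mode keystream is an assumed stand-in for a real cipher such as AES-CTR, used only so the example runs on the standard library.

```python
"""Encrypt-then-MAC with key separation, standard library only.

Added example, not from the mailing-list thread.  Assumptions: HKDF over a
shared secret yields the two subkeys; an HMAC-SHA256 counter-mode keystream
stands in for a real cipher such as AES-CTR; all sample inputs are constructed.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = NONCE_LEN + 4  # nonce followed by a big-endian ciphertext length


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Extract followed by HKDF-Expand (RFC 5869), HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, session_id: bytes):
    """Key separation: one subkey for encryption, a different one for the MAC.
    The distinct 'info' labels are what make the two outputs independent."""
    enc_key = hkdf(shared_secret, session_id, b"encryption key", 32)
    mac_key = hkdf(shared_secret, session_id, b"integrity key", 32)
    return enc_key, mac_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || block counter) as keystream.
    Assumed stand-in for AES-CTR; a (key, nonce) pair must never be reused."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC.  The tag is computed over the whole wire image
    (nonce, length field, ciphertext), so nothing is left unauthenticated."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = keystream_xor(enc_key, nonce, plaintext)
    header = nonce + struct.pack(">I", len(ct))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def open_(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Verify the tag before parsing the length field or decrypting anything.
    Returns None on any failure so the caller cannot act on unverified data."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    nonce = body[:NONCE_LEN]
    length = struct.unpack(">I", body[NONCE_LEN:HEADER_LEN])[0]
    ct = body[HEADER_LEN:]
    if len(ct) != length:
        return None
    return keystream_xor(enc_key, nonce, ct)


def demo() -> bool:
    """Round trip, then show that the length field is covered by the MAC."""
    shared = bytes(range(32))            # constructed shared secret
    enc_key, mac_key = derive_keys(shared, b"session-1")
    msg = b"attack at dawn"
    pkt = seal(enc_key, mac_key, msg)
    assert open_(enc_key, mac_key, pkt) == msg
    tampered = bytearray(pkt)
    tampered[NONCE_LEN + 3] ^= 1         # flip one bit of the length field
    assert open_(enc_key, mac_key, bytes(tampered)) is None
    assert enc_key != mac_key            # key separation held
    return True


if __name__ == "__main__":
    print("ok" if demo() else "failed")
```

Note the order of checks in `open_`: the tag is verified over the raw bytes first, and only then is the length field trusted. With MAC-then-encrypt or a MAC that skips the length field, a receiver has to parse attacker-controlled length bytes before it knows they are genuine, which is exactly the kind of unauthenticated portion the SSH remark above is about.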
On 20/09/2013 19:35, Dominik Schürmann domi...@dominikschuermann.de
wrote:
On 20.09.2013 17:17, Paterson, Kenny wrote:
Peter,
(Full disclosure: I was one of the external reviewers of this report.)
I take your point that there is a gap between cryptography and security
engineering, and I understand the gap well from first-hand experience,
first from my time in industry and more recently as a consultant to
The system is vulnerable to a simple chosen plaintext attack as soon as you
extract a workable scheme from the vague description in the paper (see appendix
A for the closest thing to an actual specification of an encryption scheme).
It should be an embarrassment to both Phys Rev X and the