Re: [cryptography] Interactive graph of the CA ecosystem

On Fri, Dec 14, 2012 at 11:10 AM, Bernhard Amann bernh...@icsi.berkeley.edu wrote: Hi, On Dec 14, 2012, at 4:25 AM, Ralph Holz h...@net.in.tum.de wrote: Root-CAs are pictured as red nodes, intermediate CAs are green. The node diameter scales logarithmically with the number of certificates

Re: [cryptography] Here's What Law Enforcement Can Recover From A Seized iPhone

On Mar 27, 2013 11:38 PM, Jeffrey Goldberg jeff...@goldmark.org wrote: http://blog.agilebits.com/2012/03/30/the-abcs-of-xry-not-so-simple-passcodes/ Days? Not sure about the algorithm but both ocl and jtr can be run in parallel and idk why you'd try to crack a password on an arm device

Re: [cryptography] Integrety checking GnuPG

on running GPG and/or on data presented to user on screen, but minimizes the risk for a lot of other possible mischief. Criticisms concerning cookbooklet above more than welcome. Sincerely, Erick On 05/29/2013 07:20 AM, shawn wilson wrote: This is sort of a trusting trust question. However

Re: [cryptography] Integrety checking GnuPG

I was not asked to keep this off list but removing attribution just in case. On Thu, May 30, 2013 at 8:49 PM, shawn wilson ag4ve...@gmail.com wrote: Thanks for all of the input. In the end I think I'm going to go with the simplest solution (along the way, I found ima-linux and signelf

Re: [cryptography] OpenPGP adoption post-PRISM

On Tue, Jul 30, 2013 at 1:51 AM, Andreas Bürki abue...@anidor.com wrote: Am 30.07.2013 01:25, schrieb Tony Arcieri: Here's the source of the data, if you're curious: https://sks-keyservers.net/ To me as a boring consumer it looks curious, right:

[cryptography] Crack Me If You Can!

Figured some here might be interrested in this... Our password cracking contest started about 4 hours ago. Register online and play along at home! Or just watch the pretty stats as the participants duke it out. http://contest-2013.korelogic.com/ And I really need to go to bed. -- You

[cryptography] urandom vs random

I thought that decent crypto programs (openssh, openssl, tls suites) should read from random so they stay secure and don't start generating /insecure/ data when entropy runs low. The only way I could see this as being a smart thing to do is if these programs also looked at how much entropy the

Re: [cryptography] urandom vs random

On Fri, Aug 16, 2013 at 10:03 AM, Swair Mehta swairme...@gmail.com wrote: As far as I know, there is no measure like 50 or so for /dev/random. /proc/sys/kernel/random/entropy_avail ___ cryptography mailing list cryptography@randombit.net

Re: [cryptography] urandom vs random

They're also not super good. They barely keep up with my ssh traffic and it took ages to create a key for whatever Arch wanted (don't recall what). On Mon, Aug 19, 2013 at 10:21 AM, Harald Hanche-Olsen han...@math.ntnu.nowrote: [Aaron Toponce aaron.topo...@gmail.com (2013-08-19 13:20:45 UTC)]

Re: [cryptography] urandom vs random

On Mon, Aug 19, 2013 at 11:31 AM, Aaron Toponce aaron.topo...@gmail.comwrote: Hopefully they rise like a phoenix, and their product is for sale again. I would like to purchase more. No kidding. I think someone on here told me about them and I tried to get one a bit later and couldn't. I

Re: [cryptography] urandom vs random

Not exactly. I think havaged is better at this as you're relying on the same type of data but with a single source. I also don't believe you want a microphone inline in order to do this. You should rely purely on electric noise with the ADC/mixer. I don't even think the volume level affects the

Re: [cryptography] Introducing TDMX - Trusted Domain Messaging eXchange (Specification)

Per the purpose - this is to encrypt messages that generally traverse TCP/53 (zone transfer and the like), correct? On Thu, Sep 19, 2013 at 4:37 PM, pjklau...@gmail.com wrote: Dear cryptographers, I've been working privately on the design and proof-of-concept of an enterprise messaging

[cryptography] Image hash function

Does anyone have a list of processes people have come up with to create images for hashes? The only one that I'm aware of is the randomart that is generated when creating a keypair for ssh ( http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf) I wanted a fuzzy solution - so an image

Re: [cryptography] [Cryptography] RSA equivalent key length/strength

Just an example of how to spend $250M. Jared Hunter feralch...@gmail.com wrote: New to the list, so I'm sorry if I missed it, but what was the evidence presented that RSA took a $10M payoff to make Dual EC DRBG the default in Crypto-C? Thanks, -Jared On Sep 22, 2013, at 9:01 AM, Peter

Re: [cryptography] [Cryptography] RSA equivalent key length/strength

James A. Donald jam...@echeque.com wrote: On 2013-09-22 23:01, Peter Gutmann wrote: You're assuming that someone got passed a suitcase full of cash and that was it. Far more likely that RSA got a $10M contract for some government work and at some point that included a request to make the

Re: [cryptography] Password Blacklist that includes Adobe's Motherload?

On Wed, Nov 13, 2013 at 9:13 PM, Jeffrey Walton noloa...@gmail.com wrote: Hi All, Is anyone aware of a blacklist that includes those 150 million records from Adobe's latest breach? This is the only thing I've seen (haven't really looked): http://stricture-group.com/files/adobe-top100.txt I

Re: [cryptography] beginner crypto

andrew cooke and...@acooke.org wrote: it's difficult to know what would interest you, but there's a collection of puzzles / challenges that you can sign up for here - http://www.matasano.com/articles/crypto-challenges/ - which are pretty inteesting. you get to solve problems and at the same

Re: [cryptography] To Protect and Infect Slides

If you'll notice that both political parties have expanded on the NSA's mission, scope, and probably funding. I doubt there are any business motives here. In fact, it seems to me there are the exact opposite. Though, since much of government is now contracted out, I do wonder who this was

[cryptography] Fwd: Re: Commercialized Attack Hardware on SmartPhones

On list -- Forwarded message -- From: shawn wilson ag4ve...@gmail.com Date: Mar 2, 2014 11:37 AM Subject: Re: [cryptography] Commercialized Attack Hardware on SmartPhones To: Tom Ritter t...@ritter.vg Cc: How about a dictionary and rules. Even if you choose an alphanumeric strong

Re: [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

On Apr 8, 2014 2:03 AM, Edwin Chu edwinche...@gmail.com wrote: I am not openssl expert and here is just my observation. TLS frame messages into length-prefixed records. Each records has a 1 byte contentType and a 2 byte record length, followed by the record content and MAC. Heartbeat

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

On Tue, Apr 8, 2014 at 3:18 PM, tpb-cry...@laposte.net wrote: Message du 08/04/14 18:44 De : ianG E.g., if we cannot show any damages from this breach, it isn't worth spending a penny on it to fix! Yes, that's outrageous and will be widely ignored ... but it is economically and

Re: [cryptography] question about heartbleed on Linux

On Thu, Apr 10, 2014 at 10:31 PM, John Levine jo...@iecc.com wrote: Well, the operating system clears memory when it is allocated to a new process, That's plenty bad, of course. Yeah, too bad none of that memory can be made executable :) ___

Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years

So I trust EFF's analysis more here. However this is newer than the latest article I've seen from EFF. So, where's Bloomberg's technical analysis on the subject? On Apr 11, 2014 5:50 PM, Jeffrey Walton noloa...@gmail.com wrote:

Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms

On Thu, Jul 10, 2014 at 10:52 PM, Tony Arcieri basc...@gmail.com wrote: On Thu, Jul 10, 2014 at 4:45 PM, John Young j...@pipeline.com wrote: This is the comsec dilemma. If a product or system becomes mainstream it is more likely to be overtly and/or covertly compromised. I don't find this a

[cryptography] Fwd: Cryptoparty 2014 - Hi my name is Ed - 2014/09/20

is interested, the hacdc forum is an open Google group or you can email me (I can also provide another email that I use gpg with if you'd prefer). -- Forwarded message -- From: shawn wilson ag4ve...@gmail.com Date: Sun, Jun 8, 2014 at 7:27 PM Subject: Cryptoparty 2014 - Hi my name

Re: [cryptography] Question About Best Practices for Personal File Encryption

I just use gpg and armor the file. If its text, there's also a vim plugin that works perfectly with this method. On Aug 16, 2014 12:06 AM, Mark Thomas mark00tho...@gmail.com wrote: I have a question for the group, if I may ask it here and in this manner (?). What are you guys using to encrypt

Re: [cryptography] Cryptoparty 2014 - Hi my name is Ed - 2014/09/20

I've created a @cryptopartydc twitter account where I'll put more frequent updates. On Sun, Aug 17, 2014 at 5:51 PM, shawn wilson ag4ve...@gmail.com wrote: Is anyone (or know anyone) in the DC area who would like to talk at this event? The focus is on defensive security, identity, and tools

[cryptography] best practice openssl.cnf

Does anyone have a best practice options to use in use for self signed certs with openssl? I just noticed that default_md = md5 was in most examples and a debian/ubuntu bug to up the default to sha1 and i think the best md openssl supports is sha256. So I figured I'd see if anyone had made some

Re: [cryptography] Cryptanalysis of RADIUS MD5 cipher?

I'd look at the rfc before asking this. You seem to be looking for application issue (overrun or parse issues) which has nothing to do with the crypto. IIRC the password is padded up to 112 characters - Idr much more than that. ___ cryptography mailing

Re: [cryptography] QODE(quick offline data encryption)

So the practical reason behind everyone saying unless you have qualifications, etc, don't do this is because, even if you make something and say it's just for your learning or a joke or w/e, someone (no joke) *will* use it and then some Fortune 500 will fall over because of your joke code. So,

Re: [cryptography] QODE(quick offline data encryption)

On Wed, Jan 7, 2015 at 2:40 PM, Jeffrey Goldberg jeff...@goldmark.org wrote: On 2015-01-07, at 12:26 PM, Kevin kevinsisco61...@gmail.com wrote: Any company could review it and decide if it's worth using or not. Hi Kevin. Actually that’s a part of my job within the company I work for. I’m

Re: [cryptography] QODE(quick offline data encryption)

On Wed, Jan 7, 2015 at 1:26 PM, Kevin kevinsisco61...@gmail.com wrote: Any company could review it and decide if it's worth using or not. Ok, lets run with that - as a company, show me the steps (make file, a test suite in any programming language, or just english if you prefer), explain to

Re: [cryptography] Gogo inflight Internet uses fake SSL certs to MITM their users

You can smartly limit resolution in squid - I don't trust this is what they were doing, but you could provide a better experience like this. On Tue, Jan 6, 2015 at 11:01 AM, Peter Maxwell pe...@allicient.co.uk wrote: On 6 January 2015 at 15:40, Jeffrey Altman jalt...@secure-endpoints.com

Re: [cryptography] Underhanded Crypto Contest - All Entries Published

I skimmed a few of those and noticed two submissions for signature issues: RyanCastellucci, and AleksanderEssex. Is it normal for people to find issues with the signing/verification process or is this just coincidence? On Sat, Mar 21, 2015 at 5:44 PM, Adam Caudill a...@adamcaudill.com wrote: FYI

Re: [cryptography] Crypto Vulns

On Mar 7, 2015 9:11 PM, coderman coder...@gmail.com wrote: On 3/7/15, Dave Horsfall d...@horsfall.org wrote: On Sat, 7 Mar 2015, Kevin wrote: No 1 vulnerability of crypto is the user 2nd passphrases 3rd overconfidence 4th trust in the producer 5th believing backdoors are No. 1

Re: [cryptography] GoVPN -- reviewable secure state-off-art crypto free software VPN daemon

On May 4, 2015 5:09 AM, Jane laterc...@consultant.com wrote: Actually, in my oh so very humble opinion, world has enough reasonably good VPNs that can operate on reasonably good connections. What is lacking is something that can function transparently and effectively on a very flakey

Re: [cryptography] GeoTrust Launches GeoRoot; Allows Organizations with Their Own Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root

Good catch - it would seem 10 years old to be exact: http://www.hostreview.com/news/050215geotrust.html On Mon, Apr 6, 2015 at 10:30 AM, Peter Bowen pzbo...@gmail.com wrote: I think that press release is years old. GeoTrust was bought by VeriSign years ago who was then bought by Symantec.

Re: [cryptography] no, don't advertise that you support SSLv2!

Yahoo has always had lax security (weak spam filters, no bad pass lock, no attachment virus scan). But as a news site (as long as their reporters get to have better security), they don't do bad. On Aug 3, 2015 10:03 PM, Patrick Pelletier c...@funwithsoftware.org wrote: I was on an e-commerce

[cryptography] IIRC, there was discussion on this list a while back about D-Wave...

http://www.technologyreview.com/news/544276/google-says-it-has-proved-its-controversial-quantum-computer-really-works/ Just curious what y'all think about NASA's research and Google's paper (linked to in the article - I read the abstract, but not much else yet) ?

[cryptography] Kernel space vs userspace RNG

Just reflecting on the Linux RNG thread a bit ago, is there any technical reason to have RNG in kernel space? There are things like haveged which seem to work really well and putting or charging code in any kernel can be a bit of a battle (as it should be with code as complex as that involving

Re: [cryptography] Kernel space vs userspace RNG

On May 5, 2016 2:22 PM, wrote: > > I think this sums it up well. Today you are thrown into having to know > what to do specifically because it's a system level problem (matching > entropy sources to extractors to PRNGs to consuming functions). > > The OS kernel does a thing