I am thinking of making a userland entropy distribution system, so
that expensive HWRNGs may be shared securely amongst several machines.
Here's the algorithm from generation to use:
1) Entropy harvested from HWRNG.
2) Entropy mixed with PRNG output to disguise any biases present in
source.
I can't say I a fan of the idea of having multiple ways of mixing entropy into
the system. In particular, the idea of producing output by XORing your PRNGs
output with the output of a semi-public RNG seems like a bad idea to me,
because an attacker can easily control those values by taking
Speaking of two-factor authentication, can anyone explain how servers
validate the code from a SecurID token in the presence of clockskew?
Does it look backwards and forwards in time a few minutes?
Similarly, how do those garage door openers with rolling codes work,
given that the user may have
This problem has implications for sensor fusion (the latest hot
topic) in IDS; for example when combining host logs (HIDS) with NIDS
alerts. The risk of false positives is particularly relevant when you
try to write signatures that match similar but unknown bad stuff, and
false negatives when
That's a fairly interesting review, and Skype should be commended for
hiring someone to do it. I hope to see more evaluations from vendors
in the future.
However, I have a couple of suggestions.
My understanding of the peer-to-peer key agreement protocol (hereafter
p2pka) is based on section
I can't say I a fan of the idea of having multiple ways of mixing entropy into
the system. In particular, the idea of producing output by XORing your PRNGs
output with the output of a semi-public RNG seems like a bad idea to me,
because an attacker can easily control those values by taking
I recall reading somewhere that the NSA got ahold of some KGB numeric
OTPs (in the standard five-digit groups). They found that they
contained corrections, typos, and showed definite non-random
characteristics. Specifically, they had a definite left-hand
right-hand alternation, and tended to not
If you have
to be that confident in your computer security to use the payment
system, it's not going to have many clients.
Maybe the trusted computing platform (palladium) may have something to
offer after all, namely enabling naive users to use services that
require confidence in their own
Good catch on the encryption. I feel silly for not thinking of it.
If your plaintext consists primarily of small packets, you should set the MTU
of the transporter to be small. This will cause fragmentation of the
large packets, which is the price you have to pay. Conversely, if your
I assume that the length is
explicitly encoded in the legitimate packet. Then the peer for the
link ignores everything until the next escape sequence introducing a
legitimate packet.
I should point out that encrypting PRNG output may be pointless, and
perhaps one optimization is to stop
For anyone interested in more details, Daniel Ellsberg's book
Secrets deals with the content of the cables coming in in real-time
during this incident. They dispell any certainty about the attacks
actually happening the way they were officially reported. The picture
it paints is a very confused
How does one properly use a symmetric cipher as a cryptographic hash
function? I seem to be going around in circles.
Isn't this is like asking a mechanic how to use a screwdriver as a hammer?
Reversing the situation (using the data as the key and a known plain-
text) makes a plaintext attack
Not so... the SHA family are all unbalanced Feistel structures.
Sorry, I guess I am thinking of AES. I don't know where I got the
doesn't need to be invertible bit, I must be conflating it with
something else.
He should also take a look at OCB, CCM, and CBC-MAC modes.
Perhaps he intends to
By my calculations, it looks like you could take a keypair n,e,d and
some integer x and let e'=e^x and d'=d^x, and RSA would still work,
albeit slowly. Reminds me of blinding, to some extent, except we're
working with key material and not plaintext/ciphertext.
Since I'm on the topic, does doing
Hi folks,
If one had the ability to create standards over, with reckless
disregard for performance, how would you improve their security?
Feel free to pick a protocol or system (e.g. gpg or isakmp) and let me
know how it is done, and how it should have been done.
For example, pgp doesn't hide
Does ISAKMP do encryption where the input is
meant to be secret, instead of the key?
I meant MAC, not encryption, sorry.
Of course encryption inputs are secret.
--
http://www.lightconsulting.com/~travis/ --
We already have enough fast, insecure systems. -- Schneier Ferguson
GPG fingerprint:
I'd recommend DRM (I think what you really mean is Palladium, err,
excuse me, the Trusted Computing Platform Alliance, see the web site
and Ross Anderson's take on it) to my grandmother, because I don't
trust her to understand the implications of clicking on something in
an email (thank you active
In Practical Cryptography, Schneier states that the you can prove
that when n is not a prime, a certain property of a mod n holds for at
most 25% of possible values 1 a n. He later states that Fermat's
test can be fooled by Carmichael numbers, and finally he basically
says that Miller-Rabin is
Nice, but linux-only and requires special kernel support. cfs supports
lots and lots of different OSs and doesn't require kernel modes. So far
as I know, in this regard cfs is unique among cryptographic filesystems.
The only thing close that I've seen is Bestcrypt, which is commercial
and
Although the Carmichael numbers fool the Fermat test
(that is, $a^{n-1} = 1 (n)$) for *all* a,
I thought it would work properly if a shares a factor with n.
Yes I guess the difference is that with MR you are trying to find a
number that is *likely* a prime, whereas with Fermat you are
Don't ever encrypt the same message twice that way, or you're likely to
fall to a common modulus attack, I believe.
Looks like it (common modulus attack involves same n, different (e,d) pairs).
However, you're likely to be picking a random symmetric key as the
message, and Schneier even
In Practical Cryptography, Schneier discusses a new PRNG design called Fortuna.
It has some neat features.
He also discusses problems with the ANSI PRNG here:
http://www.schneier.com/paper-prngs.html
--
http://www.lightconsulting.com/~travis/ --
We already have enough fast, insecure systems.
The naive countermeasure to timing attacks is to add a random delay,
but of course that can be averaged out by repeating the computation.
I have never heard anyone propose a delay that is based on the input,
and maybe some per-machine secret, so that it is unpredictable but
constant. Of course
actually justified for cryptosystems: It turned out, on the key escrow side
of the protocol design, NSA actually fell over the edge, and there was a
simple attack (Matt Blaze's work, as I recall).
Details on the so-called LEAF blower here:
http://www.crypto.com/papers/eesproto.pdf
--
Does anyone have any references on how one would go about creating
manipulating the boolean equations that govern symmetric ciphers?
I know that most of the time ciphers describe an algorithm, often
using tables (S-boxes and E-tables) in lieu of providing equations,
and I'm wondering how one goes
In many cases, the observed time depends both on the input and on some
other random noise. In such cases, averaging attacks that use the same
input over and over again will continue to work, despite the use of
a pseudorandom input-dependent delay. For instance, think of a timing
attack on
Good points all.
I was implicitly assuming that d(k, x) is related to the timing of
f(k,x) -- tailored to the algorithm(s) used, and that the attacker
cannot control k. Actually the idea was to have k merely provide a
unique function d_k(x) for each host.
The only way to avoid this is to make
Why do you need to separate f from f+d? The attack is based on a timing
variation that is a function of k and x, that's all. Think of it this way:
Your implementation with the new d(k,x) added in is indistinguishable, in
externally visible behavior, from a *different* implementation f'(k,x)
Hey,
I've been reading through the TCPA documents and thinking a bit about
changes that might give higher assurance to an ordinary PC, or at
least a PC with only minor changes.
Specifically, one of the things I've always been mulling over is a
secure boot sequence. Basically, like the TCPA, I
IMO it is pointless to
write SHA in a language that ``can have properties of programs
proved,'' because test vectors are good enough, and there is no real
assurance that when you write the specification in a machine-readable
form you do not make the same mistake as in your code.
I think you
On 12/3/05, Victor Duchovni [EMAIL PROTECTED] wrote:
Actually, this is inaccurate, proving the strength of AES or factoring is
difficult, and may never happen, we may even prove AES to be not secure
(in a broad sense) some day. Proving an RNG secure is *impossible*.
I'm not sure it's
I'm dissatisfied with the state of /dev/random devices on Unix. Here
are my gripes:
So far I haven't seen any userland tools for updating the entropy count.
This is unfortunate, because sometimes I generate entropy on one machine
and want to pipe it into the /dev/random pool.
However, I cannot
Does anyone here have any links to voting system designs that use
cryptography to achieve their goals? I'm curious what could be
achieved in that direction.
--
http://www.lightconsulting.com/~travis/ -- Knight of the Lambda Calculus
We already have enough fast, insecure systems. -- Schneier
A recent magazine article suggested a spoofing technique involving
wrapping one's finger with a few layers of cellophane; the latent
print on the reader apparently is visible enough to be reused in this
manner, at least with some currently-available scanners.
--
One thing I haven't seen from a PRNG or HWRNG library or device is an
unpredictable sequence which does not repeat; in other words, a
[cryptographically strong?] permutation. This could be useful in all
sorts of places in the kernel and elsewhere to prevent replay (for
example, in DNS ID #s, in
In Peter Gutmann's godzilla cryptography tutorial, he has some really
good (though terse) advice on subtle gotchas in using DH/RSA/Elgamal.
I learned a few no-nos, such as not sending the same message to 3
seperate users in RSA (if using 3 as an encryption exponent).
My question is, what is the
Seems like a lot of new folks (myself included) ask questions that
have the following answer:
Read the literature, no there's no one site, that would be too much effort, c.
Would a wiki specifically for crypto distribute the burden enough to be useful?
Or should we just stick to wikipedia? Is
Not to side track the discussion, but frequently I've heard PKI
compared to PGP's model. Isn't PGP's trust model the same as everyone
being their own CA?
I find PGP to be problematic. Many keys I see are only self-signed,
and this includes important keys like CERT. Many others sit unsigned
on
I am discussing implementing a very simple version of this with the
author. If anyone else is interested in participating or just
watching, email me and I'll keep you in the loop.
--
http://www.lightconsulting.com/~travis/ -- P=NP if (P=0 or N=1)
My love for mathematics is like 1/x as x
On 12/14/05, Peter Gutmann [EMAIL PROTECTED] wrote:
I don't know if there's any site tracking this, but (as the tutorial says) you
can either go with PKCS #1 (the de facto standard, easy to implement and
widely used) ...
Actually, I'm embarassed to admit this but I've seen PKCS before but
Anytime someone wants to rewrite a C library in a language less prone
to buffer overflows, I'm totally for it. Some say that it's not the
library, it's the programmer, but I think that denies human factors.
C simply requires too much machinery on top of it to use it securely.
It is possible to
On 12/18/05, Ben Laurie [EMAIL PROTECTED] wrote:
It would happen at least as much as it happens with
https, and it happens enough with https that false
negatives enormously outweigh true negatives.
True, but I don't see false negatives very often with https at all. And
I visit far more
On 12/19/05, Richard Levitte - VMS Whacker [EMAIL PROTECTED] wrote:
C has three really strong points:
- portability. It's one of the most wide-spread and portable
compiled languages that I know of.
I beg your pardon? If I want to store 128 bits of information, and
access the 8 most
On 12/19/05, Richard Levitte - VMS Whacker [EMAIL PROTECTED] wrote:
unsigned char foo[8];
(no, it isn't fool proof, but close enough after 1 second of thought).
I think C guarantees that a char is a byte, but exactly how wide that
is is processor-dependent. IIRC, some of the machines it was
Schneier mentions whooping values (whoops? I don't know the precise
term) in doing modular arithmetic. I was wondering what people
thought of this.
Basically if you've got a huge finite field, and do arithmetic on it,
the whoop values are the residues in a much smaller field that is
unknown to
On 12/21/05, Perry E. Metzger [EMAIL PROTECTED] wrote:
Good ciphers aren't permutations, though, are they? Because if they
were, they'd be groups, and that would be bad.
Actually, by definition, a cipher should be a permutation from the set
of plaintexts to the set of ciphertexts. It has to
On 12/26/05, Ben Laurie [EMAIL PROTECTED] wrote:
Surely if you do this, then there's a meet-in-the middle attack: for a
plaintext/ciphertext pair, P, C, I choose random keys to encrypt P and
decrypt C. If E_A(P)=D_B(C), then your key was A.B, which reduces the
strength of your cipher from 2^x
Interview with OpenSSH developer:
http://www.securityfocus.com/columnists/375
Summary: Arbitrary layer 2/3 tunnelling using tun(4) interfaces over
ssh. Various changes to reduce attack possibilities. My first
encounter with the term attack surface.
Commentary: TCP over TCP --- retransmit
I'd like to make a long-term key for signing communication keys using
GPG and I'm wondering what the current recommendation is for such. I
remember a problem with Elgamal signing keys and I'm under the
impression that the 1024 bit strength provided by p in the DSA is not
sufficiently strong when
You can get records of most kinds from various private investigators
and data brokers for a fee. I first found out about this in the
mid-90s, but I'm sure they existed before that.
Where the data collection is illegal, the reputable firms assure you
that they are not doing anything illegal,
I must admit, I just had a duh moment.
Why the heck am I expiring encryption keys each year? Anyone who
records the email can crack it even if the key is invalid by then.
All it really does is crudely limit the quantity of data sent under
that key, which is little to none anyway.
*bonks
Two chapters are online here:
http://www.fas.org/irp/eprint/sp/
--
If I could remember the names of these particles, I would have been a botanist
-- Enrico Fermi -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
I'm fairly ignorant of quantum computers, having had the opportunity
to see Schor lecture at a local university but unfortunately finding
myself quickly out of my depth (I still don't understand the weird
notation they use for representing [superpositions of?] states in
Bell inequalities and his
In this article, Bruce Schneier argues against the practicality of a
one-time pad:
http://www.schneier.com/crypto-gram-0210.html#7
I take issue with some of the assumptions raised there.
For example, you may have occasional physical meetings with a good
friend, colleague, family member, or
http://www.cryptodox.com/Main_Page
--
The generation of random numbers is too important to be left to chance.
-- Robert Coveyou -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
There are various versions of getting rid of a disk file.
2) Zeroizing the blocks in place (followed by deletion). This
is vastly better, but still not entirely secure, because there
are typically stray remnants of the pattern sitting beside
the nominal track, and a
On 1/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
In our office, we have a shredder that happily
takes CDs and is designed to do so. It is noisy
and cost $500.
Here's one for $40, although it doesn't appear to shred them so much
as make them pitted:
In one environment I worked in, it was important that people know what
kind of data they were looking at. The way they solved it was to put a
green colored border and label on one kind of data, and a red border and
different label on another kind of data. This reduces usable screen area
a bit,
In the FBI's public statement about Hannsen, they relate how he used a 3.5
floppy in 40 track mode to store data, but if it was read in the
ordinay way it
would appear blank. IIRC, high-density floppies are 80 tracks per inch, and
double density were 40 tpi. So, how do you suppose this trick
On 2/3/06, Jaap-Henk Hoepman [EMAIL PROTECTED] wrote:
could this be
done using phone conference facilities?
Good guess!
http://www.schneier.com/blog/archives/2006/02/phone_tapping_i.html
``The code tapped into the conference call system. It conference
called phone calls to 14 prepaid mobile
Assume that one is the sole user of a LAN and that the 10-20 machines
on this network have a need for unpredictable numbers.
Assume further that it is not cost-effective to furnish each with a
HWRNG, even one as inexpensive as a sound card (for example, they may
not have a spare slot on the
If anyone is interested in participating in the design of a system
that could be used for manual key distribution and/or OTP purposes,
email me. I figure we can talk about our special cases off-list, and
maybe submit the final design to the list for people to take their
best crack at it.
--
Hey,
In Practical Cryptography, Schneier mentions a couple of general
principles that he thinks wise when writing code which uses or
implements cryptographic routines.
Bear with me as I try to remember them:
1) When using a user input, run it through a OWF first. NB: This is a
possible DoS
On 2/13/06, Peter Gutmann [EMAIL PROTECTED] wrote:
I would expect that typically implementors would be following a published
standard, which would (well, one would hope) have had expert cryptographers
check it over sometime prior to publication
Published implementations aren't immune to
http://www.hamachi.cc/security
Based on a cursory look over this, I'm impressed by both the level of
detail and the level of security apparently afforded. Too bad I can't
see the source code.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5
On 2/24/06, Alex Pankratov [EMAIL PROTECTED] wrote:
Tero Kivinen wrote:
Secondly I cannot find where it
authenticates the crypto suite used at all (it is not included in the
signature of the AUTH message).
Crypto suite is essentially just a protocol number. It requires
no authentication.
Here's a 1997 paper on quantum computing in the large that I had
been asking about:
http://www.media.mit.edu/physics/projects/spins/home.html
Neil Gershenfeld and Isaac Chuang have developed an entirely new
approach to quantum computation that promises to solve many of these
problems. Instead of
Hey,
In Maurer's paper, which is the last link here on the following page,
he proposes to use a public random pad to encrypt the plaintext
based on bits selected by a key. What I'm wondering is why he chose
the strange construction for encryption; namely, that he uses an
additive (mod 2) cipher
Anyone see a reason why the digits of Pi wouldn't form an excellent
public large (infinite, actually) string of random bits?
There's even an efficient digit-extraction (a/k/a random access to
fractional bits) formula, conveniently base 16:
http://mathworld.wolfram.com/BBPFormula.html
I dub this
Hi,
Does anyone have a good idea on how to OWF passphrases without
reducing them to lower entropy counts? That is, I've seen systems
which hash the passphrase then use a PRF to expand the result --- I
don't want to do that. I want to have more than 160 bits of entropy
involved.
I was thinking
I have examined the LRNG paper and have a few comments.
CC'd to the authors so mind the followups.
1) In the paper, he mentions that the state file could be altered by
an attacker, and then he'd know the state when it first came up. Of
course, if he could do that, he could simply install a
So I'm reading up on unconditionally secure authentication in Simmon's
Contemporary Cryptology, and he points out that with RSA, given d,
you could calculate e (remember, this is authentication not
encryption) if you could factor n, which relates the two. However,
the implication is in the less
http://www.drizzle.com/~aboba/IEEE/
--
Curiousity killed the cat, but for a while I was a suspect -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Hi, does anyone have a web reference on how to construct matrices for
non-cartesian A codes a la Simmons? I see descriptions of what they
should look like, but no algorithms for creating them.
--
Curiousity killed the cat, but for a while I was a suspect -- Steven Wright
Security Guru for Hire
Background:
An A-code is a matrix E x M, where e is the encoding rule used, and m
is the message the transmitter should send (output). The message to
be authenticated (input) is s in { s_1 .. s_k }, and the contents of
the matrix are members of such that every row (encoding rule) contains
On 29 Apr 2006 02:00:18 -, StealthMonger
[EMAIL PROTECTED] wrote:
Interesting epilog: theregister has apparently now edited out all
mention of master keys.
They probably had their misunderstanding pointed out to them by
countless people by now.
But... did anyone else note the phrasing of
On 5/1/06, Perry E. Metzger [EMAIL PROTECTED] wrote:
Not if you design it correctly. Disk encryption systems like CGD work
on the block level, and do not propagate CBC operations across blocks,
So is it vulnerable to any of the attacks here?
http://clemens.endorphin.org/LinuxHDEncSettings
I
Ross Anderson once said cryptically,
HMAC has a long story attched to it - the triumph of the
theory community over common sense
He wouldn't expand on that any more... does anyone have an idea of
what he is referring to?
--
Curiousity killed the cat, but for a while I was a suspect -- Steven
In case you wondered what was behind those sequences of digits...
Gory details here:
http://www.licenturion.com/xp/fully-licensed-wpa.txt
Ew, I think I have to take a shower now.
--
Curiousity killed the cat, but for a while I was a suspect -- Steven Wright
Security Guru for Hire
On 5/2/06, Ivan Krstic [EMAIL PROTECTED] wrote:
I spent some time thinking about this a few years back:
http://diswww.mit.edu/bloom-picayune/crypto/15520
Rubberhose was one of the things that came up, along with StegFS and
BestCrypt. Unfortunately, it seems like Rubberhose hasn't seen work in
http://microcodes.sourceforge.net/
There you can find a PDF reviewing the microcode update feature.
Apparently the updates from Intel are 2048 bytes long overall, and
have a 4-byte checksum, and are encrypted using some kind of
mechanism on the processor. Since they don't (to my knowledge)
So...
Suppose I want a function to provide integrity and authentication, and
that is to be combined with a stream cipher (as is the plaintext). I
believe that authentication is free once I have integrity given the
fact that the hash value is superencrypted using the stream cipher,
whose key is
On 5/14/06, Eric Rescorla [EMAIL PROTECTED] wrote:
Consider the case where you're transmitting message M. The
hash is H(M). You then encrypt (M || H(M)), generating
K XOR (M || H(M)). If the attacker knows M and H, he can
compute (M || H(M)) and compute K. Then he can re-encrypt
a message M' of
On 5/14/06, Victor Duchovni [EMAIL PROTECTED] wrote:
Security is fragile. Deviating from well understood primitives may be
good research, but is not good engineering. Especially fragile are:
Point taken. This is not for a production system, it's a research thing.
TLS (available via OpenSSL)
- Stream ciphers (additive)
This reminds me, when people talk about linearity with regard to a
function, for example CRCs, exactly what sense of the word do they
mean? I can understand f(x) = ax + b being linear, but how exactly
does XOR get involved, and are there +-linear functions and
On 5/15/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Other than post by a guy - Terry someone or another - on sci.crypt
a number of years ago - I've never seen any work in this direction.
Is there stuff I'm not aware of?
That would probably be Terry Ritter, www.ciphersbyritter.com.
He calls
I've googled for New Hash Functions and their Use in Authentication
and Set Equality and found several citations but no electronic
copies. I don't have access to a library that might have it, does
anyone here have one? Thanks.
On 5/17/06, Kuehn, Ulrich [EMAIL PROTECTED] wrote:
Given known plaintext and corresponding ciphertext, there should not be too
many keys that map the plaintext to the ciphertext. I don't have the
probability at hand how many such 'collisions' you would expect from 256 random
permutations, but
On 5/18/06, Travis H. [EMAIL PROTECTED] wrote:
... There's 255 other permutations, so the chance that there is
at least one k' such that f_k'(x)=y is 255/256 = 99.6%. The chance
that there is exactly one such k' is sampling with replacement and if
I am not mistaken P(|K|=1) = (255/256)^255
On 6/8/06, Max [EMAIL PROTECTED] wrote:
What they need is just to provide an access to their distinguisher in
the form of blackbox.
To prove its meaningfulness, the distinguisher must show consistent
results in distinguishing AES-encrypted data (say, for a fixed
plaintext without repeating
What kind of problems do people run into when they try to make
cryptographic algorithms that reduce to problems of known complexity?
I'm expecting that the literature is full of such attempts, and one
could probably spend a lifetime reading up on them, but I have other
plans and would appreciate
Hi folks,
Does anyone here know of any computer-based aids for breaking
classical cryptosystems? I'm thinking in particular of the ones in
Body of Secrets, which are so short that I really hope they're
monoalphabetic substitutions. But I'm interested in these sorts of
programs more generally.
Going over old emails.
On 10/12/05, Jack Lloyd [EMAIL PROTECTED] wrote:
I prefer a multi-stage design, as described by various people smarter than I
am:
source(s) -- mixer -- pool -- extractor -- X9.31
Did you really mean X9.31 and not X9.17?
--
Resolve is what distinguishes a person who
On 7/3/06, Leichter, Jerry [EMAIL PROTECTED] wrote:
You're damned if you do and damned if you don't. Would you want to use a
hardware RNG that was *not* inside a tamper-proof package - i.e., inside
of a package that allows someone to tamper with it?
Yes. If someone has physical access to
On 7/2/06, Peter Gutmann [EMAIL PROTECTED] wrote:
You have to be pretty careful here. Most of the TPM chips are just rebadged
smart cards, and the RNGs on those are often rather dubious.
My last email of the day, I promise ;-)
And if you're interested in some of the smart card developments,
On 7/4/06, Taral [EMAIL PROTECTED] wrote:
On 7/4/06, Andrea Pasquinucci [EMAIL PROTECTED] wrote:
About RNG, does someone in the list have any comment, ideas on this
http://www.idquantique.com/products/quantis.htm
Why? Noise-based RNGs are just as random and just as quantum. :)
Hella fast.
On 7/11/06, Adam Fields [EMAIL PROTECTED] wrote:
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
Business ultimately depends on trust. There's some study out there -
Trust is not quite the opposite of security (in the sense of an
action, not as a state of being), but certainly
On 7/11/06, Hal Finney [EMAIL PROTECTED] wrote:
: So what went wrong? Answer: NIST failed to recognize that table lookups
: do not take constant time. âTable lookup: not vulnerable to timing
: attacks, NIST stated in [19, Section 3.6.2]. NIST's statement was,
: and is, incorrect.
That's
I'm still fleshing it out, but I've gathered a bunch of links/papers
on side-channel attacks:
http://www.lightconsulting.com/~travis/side_channel_attacks.html
Suggestions welcome.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent -
Sorry, noticed the subject line was misleading.
It contains every side channel attack I could find, including but not
limited to timing.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent - http://www.lightconsulting.com/~travis/ --
GPG
1 - 100 of 167 matches
Mail list logo
