Cryptography-Digest Digest #858, Volume #12 Fri, 6 Oct 00 18:13:01 EDT
Contents:
Re: CRC vs. HASH functions (Bryan Olson)
Why trust root CAs ? ([EMAIL PROTECTED])
Re: NSA quote on AES ("Brian Gladman")
Re: are doubly encrypted files more secure than singly encrypted ones? (Jim)
Re: No Comment from Bruce Schneier? (Forrest Johnson)
Re: Why trust root CAs ? (Alun Jones)
Re: Choice of public exponent in RSA signatures (D. J. Bernstein)
Re: Why trust root CAs ? (Allen Ethridge)
Re: Why trust root CAs ? (Bruce Stephens)
Re: TEA (David Wagner)
Re: NSA quote on AES (DJohn37050)
Re: Choice of public exponent in RSA signatures (DJohn37050)
Re: On block encryption processing with intermediate permutations (Bryan Olson)
Re: simple equation for Rijndael (Albert Yang)
Re: Why trust root CAs ? ([EMAIL PROTECTED])
Re: Getting best available security without knowing which cipher to use (David Schwartz)
Re: Authenticating a PIN Without Compromising the PIN ("Lyalc")
Re: Any products using Rijndael? (dbt)
Re: Why trust root CAs ? ([EMAIL PROTECTED])
Re: Why trust root CAs ? (David Schwartz)
Re: Why trust root CAs ? ("Lyalc")
Re: Why trust root CAs ? ("Lyalc")
one time pad using a pseudo-random number generator ("William A. McKee")
----------------------------------------------------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: CRC vs. HASH functions
Date: Fri, 06 Oct 2000 18:02:25 GMT
Mack wrote:
> >Mack wrote:
> >
> >> 1) CRC are faster than HASH functions of
> >> comparable size. That is a fact. Many
> >> hash functions use a CRC like layer at the
> >> top to mix in data linearly. SHA-1 is no exception.
> >> A table driven 256 bit hash function requires 4 32-bit word
> >> lookups/byte, four 32-bit word XORs, a shift and an XOR
> >> to add data.
> >
> >A table driven hash function? Did you mean a CRC? In any
> >case, I'd like to see the algorithm to compute a 256 bit
> >result with the stated operations.
> Ack yes ... of course a table driven hash function is a possibility.
> Hmmm ... yes ... full of possibilities.
>
> Of course I did mean table driven CRC function. Sorry for the error
> it has been a long long month.
I'd still like to see the algorithm. It's not obvious to me
how to get a 256 bit CRC from four of each of the 32-bit
operations/byte. You wrote that a 16-bit table (16-bit input
I assume) would require even fewer lookups, so I assume you
index in 8-bit units. I think I see how to update a 128-bit
CRC with roughly those ops, but even then my shifting comes
out significantly worse when working with 32-bit words.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED]
Subject: Why trust root CAs ?
Crossposted-To: comp.security.misc,alt.security.keydist
Date: Fri, 06 Oct 2000 18:23:06 GMT
OK, so you're off to do some e-shopping. You click on the padlock and
it says "this certificate belongs to bogus.com" and
"this certificate was issued by snakeoil CA" (no I don't mean
the CA generated by OpenSSL, I mean one of the "normal" ones
like verisign or thawte...).
So, I can discover snakeoil CA's procedures for verifying bogus.com,
and assure myself that they have checked out bogus.com.
But how can I trust snakeoil CA itself ?
I had a conversation with a CA on this subject and the answer was
"because it's in the browser". But my browser was downloaded off
the Internet in clear, and besides, do I really trust the browser
vendor ? Do you trust Microsoft not to lie ? Do you trust Microsoft
or Netscape to produce secure independently verified code ?
I have more faith in PGP/GPG, since the source code is open, I built
it myself, and I can control who I trust. (OK, I can probably
build Mozilla and OpenSSL ...)
Is there a chain of trust from any institution that I might trust,
such as my bank, back to the root CAs ?
Is there any reason, apart from the fact that they've been operating for
a number of years now and AFAIK nothing's gone wrong, for us all to trust
the root CAs ? Apart from a general lack of trust leading to the end
of e-civilization as we know it ?
As a non-US citizen, I have a slight problem with most of the CAs and browser
vendors being US corporations. If I were a member of some organization
or country that the US regards as an enemy (Libya, Iraq ??) I might have
a more serious problem with it.
--
Andrew Daviel
PGP id 0xC7624B49
The geographic search engine at http://geotags.com
is looking for content.
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Fri, 6 Oct 2000 19:56:34 +0100
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Brian Gladman <[EMAIL PROTECTED]> wrote:
> : "SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote:
> :> [EMAIL PROTECTED] (David Crick) wrote in <[EMAIL PROTECTED]>:
>
> :> >"The National Security Agency (NSA) wishes to congratulate the National
> :> >Institute of Standards and Technology on the successful selection of an
> :> >Advanced Encryption Standard (AES). It should serve the nation well. In
> :> >particular, NSA intends to use the AES where appropriate in meeting the
> :> >national security information protection needs of the United States
> :> >government."
> :>
> :> These are weasel words if nothing else. To say they will use it
> :> where it's appropriate does not mean anything at all. They may
> :> only use it in the sense of decoding messages. And they don't say
> :> where it's appropriate for them to use. But I guess it is too much
> :> to expect an honest answer from them.
>
> : Once again we can see that accuracy and objective analysis are not among
> : your stronger abilities.
>
> : You see 'where appropriate' as a 'let out' clause but you fail to notice
> : that the statement also says that NSA intends to use the AES in meeting the
> : national security ***information protection*** needs of the United States
> : government".
>
> : There are none so blind as those who will not see.
>
> The get-out clause reduces the positive statement about intended use
> to meaninglessness.
What you mean is that *you* see this statement as meaningless because you
judge that NSA is being insincere in making it.
I take a different view, namely that this is a sincere statement of support
and that NSA does intend to use the algorithm for protecting some US
national security information. Their policy does not surprise me since
there are very good reasons for doing this.
Brian Gladman
> As always, information flows into the NSA, but not much is seen to emerge
> from it.
Quite a bit of information does flow out of NSA but people are not willing
to trust the organisation. In fact NSA are always rigorous and
------------------------------
From: [EMAIL PROTECTED] (Jim)
Subject: Re: are doubly encrypted files more secure than singly encrypted ones?
Date: Fri, 06 Oct 2000 19:14:23 GMT
Reply-To: Jim
On Fri, 06 Oct 2000 08:55:05 GMT, jtnews <[EMAIL PROTECTED]> wrote:
>If I use gnupg on a file and then encrypt the encrypted file again
>is it anymore secure? Will it take longer for someone to crack it?
No great advantage if you have a good strong cipher in
the first place.
--
Jim Dunnett
amadeus @ netcomuk.co.uk
nordland @ lineone.net
------------------------------
From: [EMAIL PROTECTED] (Forrest Johnson)
Subject: Re: No Comment from Bruce Schneier?
Date: 6 Oct 2000 18:14:18 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
>
> I guess that is why I never became
>a manager. It's hard for me to lie.
>
>David A. Scott
>
Try again, Mr. Scott. Have you forgotten the claims you made a year or so ago
about altering software in fielded weapons systems? I challenged you to prove
those claims and you were unable to do so. Not only are you a liar, you are an
accomplished one.
------------------------------
From: [EMAIL PROTECTED] (Alun Jones)
Subject: Re: Why trust root CAs ?
Date: Fri, 06 Oct 2000 19:22:22 GMT
In article <eMoD5.416654$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> So, I can discover snakeoil CA's procedures for verifying bogus.com,
> and assure myself that they have checked out bogus.com.
> But how can I trust snakeoil CA itself ?
> I had a conversation with a CA on this subject and the answer was
> "because it's in the browser". But my browser was downloaded off
> the Internet in clear, and besides, do I really trust the browser
> vendor ? Do you trust Microsoft not to lie ? Do you trust Microsoft
> or Netscape to produce secure independantly verified code ?
The answer, I'm afraid, is another question - do you trust the posters in
this newsgroup to answer your question?
Trust has to begin with an explicit trust of someone. That link carries a
weight of risk. Each implicit link of trust thereafter carries a weight of
risk, and the longer the chain of trust goes, the more risk you carry that
one or more elements of the chain are untrustworthy.
But the alternative is not to trust. And with that, you'd be unable to do
business with anyone except by one-to-one barter. Trust is implicit in the
cash system, in the banking system, and in the prospect of buying through
any means beyond direct barter.
Alun.
~~~~
[Note that answers to questions in newsgroups are not generally
invitations to contact me personally for help in the future.]
--
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email [EMAIL PROTECTED]
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
------------------------------
From: [EMAIL PROTECTED] (D. J. Bernstein)
Subject: Re: Choice of public exponent in RSA signatures
Date: 6 Oct 2000 19:34:25 GMT
David Hopwood <[EMAIL PROTECTED]> wrote:
> PSS has better security bounds than Full Domain Hashing, for example,
That's because FDH is deterministic. You need randomness to get good
security bounds.
Rabin's original proposal was to attach a random number to the message
before hashing it. This is much simpler than PSS and achieves the same
security bounds. See http://cr.yp.to/papers/sigs.dvi.
The only advantage of PSS is that signatures are slightly shorter: you
don't need to transmit the random number. However, this compression is
incompatible with fast verification.
---Dan
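As an added illustration of the contrast Dan draws (example code, not from his post or his paper): a toy textbook-RSA signature that hashes a fresh random number together with the message, Rabin-style, and transmits that number beside the signature, next to a deterministic full-domain-hash-style variant that needs no extra bytes. The key (the Mersenne primes 2^31-1 and 2^61-1), the truncated SHA-256 and the message are constructed for illustration and are far too small for real use; neither PSS nor the exact encodings of the real schemes is reproduced.

```python
import hashlib
import secrets

# Toy RSA key, constructed for illustration only: two Mersenne primes give a
# ~92-bit modulus, nowhere near a real key size.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

SALT_LEN = 16        # bytes of randomness attached to each message
HASH_BYTES = 10      # 80-bit truncation keeps the hash value below N


def hash_to_int(data: bytes) -> int:
    """SHA-256, truncated so the result is a valid input for the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:HASH_BYTES], "big")


def sign_randomized(msg: bytes, salt=None):
    """Rabin-style: hash (salt || msg), sign the hash, and ship the salt too."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    s = pow(hash_to_int(salt + msg), D, N)
    return salt, s


def verify_randomized(msg: bytes, salt: bytes, s: int) -> bool:
    """One modular exponentiation with the small public exponent E."""
    return pow(s, E, N) == hash_to_int(salt + msg)


def sign_deterministic(msg: bytes) -> int:
    """FDH-style: same message, same signature, no randomness involved."""
    return pow(hash_to_int(msg), D, N)


def verify_deterministic(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == hash_to_int(msg)


def wire_size_randomized(salt: bytes) -> int:
    """Bytes on the wire: the salt plus a modulus-sized signature."""
    return len(salt) + (N.bit_length() + 7) // 8


def wire_size_deterministic() -> int:
    """Bytes on the wire: the modulus-sized signature alone."""
    return (N.bit_length() + 7) // 8


if __name__ == "__main__":
    m = b"constructed sample message"
    salt, s = sign_randomized(m)
    print("randomized verifies:", verify_randomized(m, salt, s),
          "bytes:", wire_size_randomized(salt))
    print("deterministic bytes:", wire_size_deterministic())
```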
------------------------------
From: [EMAIL PROTECTED] (Allen Ethridge)
Subject: Re: Why trust root CAs ?
Date: 6 Oct 2000 19:58:09 GMT
[EMAIL PROTECTED] wrote in
<eMoD5.416654$[EMAIL PROTECTED]>:
>Is there a chain of trust from any institution that I might trust,
>such as my bank, back to the root CAs ?
Assuming this isn't already known to this group -
Bruce Schneier's new book, "Secrets and Lies", has an interesting section
on certificates and such where, if I understand him correctly, he concludes
that the real security in B2C web transactions comes from the credit card
company and its limits on personal liability and not the CA.
If I had the book I'd give the page, but I'm at work, where I shouldn't be
reading sci.crypt since it's not related to my job, and the book is at
home, where all the other cryptology and game theory stuff not related to
my job is.
--
"Sadness falling like burned skin."
------------------------------
From: Bruce Stephens <[EMAIL PROTECTED]>
Subject: Re: Why trust root CAs ?
Date: 06 Oct 2000 21:35:06 +0100
[EMAIL PROTECTED] (Allen Ethridge) writes:
[...]
> Bruce Schneier's new book, "Secrets and Lies", has an interesting section
> on certificates and such where, if I understand him correctly, he concludes
> that the real security in B2C web transactions comes from the credit card
> company and its limits on personal liability and not the CA.
>
> If I had the book I'd give the page,
pp.238-239.
"Digital certificates provide no actual security for electronic
commerce; it's a complete sham."
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: TEA
Date: 6 Oct 2000 20:49:48 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)
Runu Knips wrote:
>Then read it as 'still very secure', especially if one remembers
>when it was developed.
How do you know GOST was ever 'very secure'?
Remember, just because we don't know of any attacks doesn't mean
there aren't any.
>I don't understand why you trust 3DES and Rijndael more than
>Blowfish or Serpent,
At the moment, I trust 3DES more than Rijndael, Blowfish, or Serpent
because 3DES has received far more scrutiny (in the open community)
than any of those.
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 06 Oct 2000 20:49:41 GMT
Subject: Re: NSA quote on AES
I also take the NSA endorsement as just that, albeit with some clarifications to
not make it more nor less than is intended.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 06 Oct 2000 20:55:56 GMT
Subject: Re: Choice of public exponent in RSA signatures
This reminds me of an anecdote I think I read in The Codebreakers. The censors
could change words around, delete, and substitute words with similar meanings
in WWII. One time they did that on a suspicious letter and the letter in
response was "Is XXX dead or deceased?" haha, it looks like their scrambling
was effective in confusing the covert channel.
Also, I think Gus Simmons discovered that any sig system has a covert channel
that cannot be eliminated, when he was designing an a-bomb/earthquake sensor
message machine and he tried to prove it was NOT sending any data it was not
supposed to send. He found to his surprise he could not prove it and proved
the contrary instead.
Don Johnson
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Fri, 06 Oct 2000 20:51:45 GMT
Mok-Kong Shen wrote:
> Bryan Olson wrote:
> >
> > Mok-Kong Shen wrote:
> > [...]
> > > Now please tell me what if there is no permutation
> > > at all and you have before you the original block cipher
> > > and you use a chosen ciphertext on it. Would that involve
> > > less work or more work than in the case with permutation as
> > > I described? I like to have a definite answer and a tiny
> > > bit explanation for that.
> >
> > If you think your question is so important, why are you
> > unwilling to work on it? I think it's nonsense, based on not
> > studying the issues. How much work is it to break an
> > unspecified block cipher? Have you even thought about whether
> > the question is well-formed enough to make sense?
>
> Since you seem to claim that with permutation is poorer
> than without (i.e. with the original block cipher) that
> clearly would interest me (for the usefulness of the
> scheme). Since you are the 'author' of the attack you
> conceived, you are the person that can at least give
> some useful information, isn't it?
Seem to claim? Give some useful information? I posted
it. It's been right there in front of you.
> Having said the above,
> why do you think it is not well-formed? Could you
> elaborate that? I want to know whether there is
> reduction or enhancement of strength. Is this issue
> not well-formed? Where?
See my rhetorical question on breaking an unspecified
cipher.
> > > Please do answer my question this
> > > time. If you really want to 'laugh', as you indicated in
> > > the following part that I snipped, you can do that much
> > > much better later on, if indeed you succeed to win your
> > > arguments. I am not used to discussions where people don't
> > > express their direct opinions. We are discussing science,
> > > not politics or theology, etc.
> >
> > I see nothing in your writing that qualifies as science. I
> > explained one way your system fails as directly as I could in
> > my very first post in the thread. I later provided further
> > detail when it seemed unclear to you. I see no evidence that
> > you made any serious attempt to understand either what I wrote
> > or the subjects you brought up yourself. In one case, I
> > believe you deliberately played dumb, claiming that you could
> > not understand my language.
>
> I described my scheme and you even attempted to work
> out a method of attack. If you call that not science,
> what was the nature of your own work?
Look more carefully at what I called not science.
> If you think
> that others in this group are not doing work at a level
> as high as yours, then you need not deal with them, nor
> even subscribe to the group. Simply claiming that others
> are at lower level doesn't automatically lead you to
> a higher level per se.
I thought I was entirely clear about what I think: the level
that is inadequate is not your level of knowledge but your
level of effort. You don't look into the attack. Instead you
act as if you cannot figure out what exposing the key says
about your suggestion.
I've learned not to make your questions the center of my
efforts. I posted proofs in
http://x56.deja.com/[ST_rn=ps]/getdoc.xp?AN=636649064
that you yourself requested in
http://x56.deja.com/[ST_rn=ps]/getdoc.xp?AN=636497466
You then incorrectly brushed it off as having some bug. Had
you worked to understand the material, you would not have been
misled by what you thought was a counter-example. I can tell
you that getting the proof to the point that it did not have
that "bug" took me a while.
> > The point is that the scheme inevitably loses synchronization
> > even in the absence of any attack. How would you handle two
> > simultaneous streams? If we have some stored ciphertext, how
> > would we know what state to use to decrypt? If we back up
> > keys, how would we restore the PRNG state? If you need a
> > different state for each message or session, you can either
> > describe the mechanism that provides it or state that the
> > system depends on an outside means.
>
> The state of the PRNG at the start of a session (the
> first of many sessions to be used with the same secret
> material) is given by the secret seed. At the end of
> the session the current seed can be stored for use
> in the following session (if there are many sessions).
> So unless there are attacks of your kind, there is
> no problem in synchronization.
But there are such attacks. Note that your explanation
answers zero of the three questions above.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: simple equation for Rijndael
Date: Fri, 06 Oct 2000 21:10:11 GMT
http://www.counterpane.com/rijndael.html
I think this is what you are looking for...
Albert
Anton Stiglic wrote:
> At the rump session of Crypto 2000,
> N. Ferguson presented a nice relatively
> short equation
> which if we could solve would let us
> break Rijndael's symmetric scheme.
>
> Someone knows what that equation was?
>
> Thanks,
>
> Anton
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why trust root CAs ?
Date: Fri, 06 Oct 2000 21:06:48 GMT
In article <eMoD5.416654$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> "because it's in the browser". But my browser was downloaded off
> the Internet in clear, and besides, do I really trust the browser
The browser contains the public key of the CA, so the real issue of
trust here is whether someone has hacked the site and put a spoofed
version of the browser for you to download.
> vendor ? Do you trust Microsoft not to lie ? Do you trust Microsoft
> or Netscape to produce secure independantly verified code ?
Part of the core crypto in both IE and Netscape is independently
verified by the National Institute of Standards and Technology.
> I have more faith in PGP/GPG, since the source code is open, I built
> it myself, and I can control who I trust. (OK, I can probably
> build Mozilla and OpenSSL ...)
Yes, but in the world of e-commerce, most institutions will be more
likely to trust a particular CA than to trust your own personal web of
trust.
>
> Is there a chain of trust from any institution that I might trust,
> such as my bank, back to the root CAs ?
> Is there any reason, apart from the fact that they've been operating for
> a number of years now and AFAIK nothing's gone wrong, for us all to trust
> the root CAs ?
For the serious CA issuer, like Verisign, the generation of a root CA
key takes several individuals. Furthermore, the key must be resident in
trustworthy hardware. In general, the compromise of a CA key would
usually require several bad apples to work together to compromise the
key.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Getting best available security without knowing which cipher to use
Date: Fri, 06 Oct 2000 14:23:47 -0700
Ray Dillinger wrote:
>
> It is possible to split messages into multiple parts and transmit
> the parts -- so that the message may be reassembled only when all
> of the parts are present.
Obviously, if you're only missing 128 bits of the message, it can't be
harder than 2^128 to recover the whole message.
DS
------------------------------
From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Authenticating a PIN Without Compromising the PIN
Date: Sat, 7 Oct 2000 00:39:41 +1000
Use encryption or one-way functions/Hash to encode the PIN
Only allow PIN verification to occur in a trusted system. If the trusted
system sees excessive failed PINs for a user, lock the user account.
Lyal
Arnold Shore wrote in message <8riq8o$7v2$[EMAIL PROTECTED]>...
>Agreed that PIN's are typically too short. Address that (at least in part)
>by appending the userID prior to the hashing, which might provide the
>measure of difficulty you want.
>
>There's a couple of MD5 Javascript functions around, allowing full
>client-side operation. A piece of cake!
>
>Arnold Shore
>Annapolis, MD USA
>
>
>"Guy Lancaster" <[EMAIL PROTECTED]> wrote in message
>news:8rd6d8$4a9$[EMAIL PROTECTED]...
>> If it's possible, how could a protocol authenticate a user's
>> PIN without revealing information that would make it
>> relatively easy to determine the actual PIN value?
>
>
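Added example, not from Lyal's or Arnold's posts: a server-side PIN verifier that stores only a hash of the PIN with the user ID appended, as Arnold suggests, compares in constant time, and locks the account after repeated failures, as Lyal suggests. The per-user random salt and the iterated PBKDF2 hash are my additions, assumed here to slow guessing of short PINs; the verifier is meant to run only in the trusted system, and the user records are constructed sample data.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3          # lock after this many consecutive bad PINs
PBKDF2_ROUNDS = 50_000    # iterated hash (assumption: slows offline guessing)


def pin_digest(pin: str, user_id: str, salt: bytes) -> bytes:
    """Hash the PIN with the user ID appended (as suggested in the thread)
    plus a per-user random salt (added here), using an iterated hash."""
    material = (pin + user_id).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


class PinVerifier:
    """Holds verification records; meant to run only in the trusted system."""

    def __init__(self):
        self._records = {}

    def enroll(self, user_id: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[user_id] = {
            "salt": salt,
            "digest": pin_digest(pin, user_id, salt),
            "failures": 0,
            "locked": False,
        }

    def is_locked(self, user_id: str) -> bool:
        rec = self._records.get(user_id)
        return rec is not None and rec["locked"]

    def verify(self, user_id: str, pin: str) -> bool:
        rec = self._records.get(user_id)
        if rec is None:
            # Do the same work for unknown users so response time does not
            # reveal which IDs exist.
            pin_digest(pin, user_id, b"\x00" * 16)
            return False
        if rec["locked"]:
            return False
        candidate = pin_digest(pin, user_id, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True
        return False

    def stored_bytes(self, user_id: str) -> bytes:
        """What someone who reads the store sees: salt and digest, no PIN."""
        rec = self._records[user_id]
        return rec["salt"] + rec["digest"]


if __name__ == "__main__":
    v = PinVerifier()
    v.enroll("alice", "1234")          # constructed sample user
    print("correct PIN:", v.verify("alice", "1234"))
    for guess in ("0000", "1111", "2222"):
        print("wrong PIN", guess, "->", v.verify("alice", guess))
    print("locked now:", v.is_locked("alice"))
```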
------------------------------
From: [EMAIL PROTECTED] (dbt)
Subject: Re: Any products using Rijndael?
Date: Fri, 06 Oct 2000 21:36:37 GMT
Marc <[EMAIL PROTECTED]> says:
>>Good ciphers I would trust under all conditions are:
>>
>>Twofish
>>Blowfish
>>Serpent
>>
>>AES/Rijndael and IDEA are also ciphers with not too low
>>security.
>
>Why do you trust Twofish/Blowfish more than IDEA? Hasn't IDEA
>received more analysis already? Do you have logical reasons
>towards your preferred ciphers or is it just a feeling?
IDEA isn't free to use, though that doesn't have anything to do
with its strength.
--
David Terrell | "Instead of plodding through the equivalent of
Prime Minister, NebCorp | literary Xanax, the pregeeks go for sci-fi and
[EMAIL PROTECTED] | fantasy: LSD in book form." - Benjy Feen,
http://wwn.nebcorp.com | http://www.monkeybagel.com/ "Origins of Sysadmins"
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why trust root CAs ?
Date: Fri, 06 Oct 2000 21:31:44 GMT
In article <[EMAIL PROTECTED]>,
Bruce Stephens <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] (Allen Ethridge) writes:
>
> [...]
>
> > Bruce Schneier's new book, "Secrets and Lies", has an interesting section
> > on certificates and such where, if I understand him correctly, he concludes
> > that the real security in B2C web transactions comes from the credit card
> > company and its limits on personal liability and not the CA.
> >
> > If I had the book I'd give the page,
>
> pp.238-239.
>
> "Digital certificates provide no actual security for electronic
> commerce; it's a complete sham."
I haven't read the book, so I don't know the context, but CAs are not in
the business of verifying the legitimacy of a business or transactions
thereof. CAs merely "sign" the public key of an entity based on the
entity meeting certain requirements commensurate with the CA signature
level. Just like with PGP, a signature on your key means someone has
vouched for the coherency in parts of your identity (real or pseudo),
not for your character. Just because a business has a certificate
doesn't mean they are honest. Your money and credit card number can be
very efficiently stolen via a secure link to a web site, even when the
site checks out with a valid certificate.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Why trust root CAs ?
Date: Fri, 06 Oct 2000 14:34:35 -0700
[EMAIL PROTECTED] wrote:
> OK, so you're off to do some e-shopping. You click on the padlock and
> it says "this certificate belongs to bogus.com" and
> "this certificate was issued by snakeoil CA" (no I don't mean
> the CA generated by OpenSSL, I mean one of the "normal" ones
> like verisign or thawte...).
You really have to analyze what possible attacks you want protection
from and whether you are getting any. The attack I'm most worried about
is my bandwidth provider (ISP, employer, whatever) intercepting all of
my secure web connections with a man-in-the-middle type attack (proxy
that decrypts/recrypts and logs).
The little lock that appears in my browser assures me that someone
outside of the control of my employer or ISP asserts that the key
belongs to the name I typed into my browser. That's certainly better
than sending the data in the clear.
For credit card transactions, there are much easier ways of getting
credit card numbers, and significant legal protections exist should my
credit card number get out. So it's certainly adequate for that task.
DS
------------------------------
From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Why trust root CAs ?
Date: Sat, 7 Oct 2000 08:45:12 +1000
Yes, but which CA's certificates are included?
How many additional CA certificates can be loaded in the browser's
certificate store?
In short, trusting a CA comes down to a personal choice, and if the specific
CA has trust among one's peers.
Trusting a CA no one else does means you can't rely on certs to check data
integrity ('cos that's all today's digital signatures do)
Lyal
[EMAIL PROTECTED] wrote in message <8rlet3$sgg$[EMAIL PROTECTED]>...
>In article <eMoD5.416654$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
>
>> "because it's in the browser". But my browser was downloaded off
>> the Internet in clear, and besides, do I really trust the browser
>
>The browser contains the public key of the CA, so the real issue of
>trust here is whether someone has hacked the site and put a spoofed
>version of the browser for you to download.
>
>> vendor ? Do you trust Microsoft not to lie ? Do you trust Microsoft
>> or Netscape to produce secure independantly verified code ?
>
>Part of the core crypto in both IE and Netscape is independently
>verified by the National Institute of Standards and Technology.
>
>> I have more faith in PGP/GPG, since the source code is open, I built
>> it myself, and I can control who I trust. (OK, I can probably
>> build Mozilla and OpenSSL ...)
>
>Yes, but in the world of e-commerce, most institutions will be more
>likely to trust a particular CA than to trust your own personal web of
>trust.
>
>>
>> Is there a chain of trust from any institution that I might trust,
>> such as my bank, back to the root CAs ?
>> Is there any reason, apart from the fact that they've been operating for
>> a number of years now and AFAIK nothing's gone wrong, for us all to trust
>> the root CAs ?
>
>For the serious CA issuer, like Verisign, the generation of a root CA
>key takes several individuals. Furthermore, the key must be resident in
>trustworthy hardware. In general, the compromise of a CA key would
>usually require several bad apples to work together to compromise the
>key.
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.
------------------------------
From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Why trust root CAs ?
Date: Sat, 7 Oct 2000 08:48:03 +1000
A pretty self evident fact, in my not so humble opinion.
At best, trusting a digital signature means trusting the password(s) and
password verification process that protects the private key.
Certificates offer nothing more than passwords, and usually much less; the
private key always remains vulnerable to dictionary attack in almost all
implementations and proposed packages I've reviewed.
Lyal
Bruce Stephens wrote in message <[EMAIL PROTECTED]>...
>[EMAIL PROTECTED] (Allen Ethridge) writes:
>
>[...]
>
>> Bruce Schneier's new book, "Secrets and Lies", has an interesting section
>> on certificates and such where, if I understand him correctly, he concludes
>> that the real security in B2C web transactions comes from the credit card
>> company and its limits on personal liability and not the CA.
>>
>> If I had the book I'd give the page,
>
>pp.238-239.
>
>"Digital certificates provide no actual security for electronic
>commerce; it's a complete sham."
>
------------------------------
Reply-To: "William A. McKee" <[EMAIL PROTECTED]>
From: "William A. McKee" <[EMAIL PROTECTED]>
Subject: one time pad using a pseudo-random number generator
Date: Fri, 06 Oct 2000 22:00:21 GMT
Is using a strong pseudo-random number generator (2^19937) as a one-time pad
a good way to encrypt data? If not, why?
TIA,
Will McKee.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************