Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Bill Frantz
On 9/24/13 at 4:58 PM, hal...@gmail.com (Phillip Hallam-Baker) wrote: And the problem appears to be compounded by doofus legacy implementations that don't support PFS greater than 1024 bits. This comes from a misunderstanding that DH keysizes only need to be half the RSA length. So to go above 1

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Nico Williams
On Sep 25, 2013 8:06 AM, "John Kelsey" wrote: > On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker wrote: > > Either way, the question is how to stop this side channel attack. > > One simple way would be to encrypt the nonces from the RNG under a > > secret key generated in some other fashion. > >

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-25 Thread Jerry Leichter
On Sep 25, 2013, at 12:31 PM, ianG wrote: > Hi Jerry, > > I appreciate the devil's advocate approach here, it has helped to get my > thoughts in order! Thanks! :-) > My conclusion is: avoid all USA, Inc, providers of cryptographic products. In favor of ... who? We already know that GCHQ is

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Jerry Leichter
On Sep 24, 2013, at 6:11 PM, Gerardus Hendricks wrote: > I'm assuming you're talking about DUAL_EC_DRBG. ... According to the > researchers from Microsoft, exploiting this would require > at most 32 bytes of the PRNG output to reveal the internal state, thus > revealing all random numbers generat

Re: [Cryptography] Gilmore response to NSA mathematician's "make rules for NSA" appeal

2013-09-25 Thread Anne & Lynn Wheeler
We had been asked to come in and help wordsmith the cal. state digital signature act. Several of the parties were involved in privacy issues and also working on Cal. data breach notification act and Cal. opt-in personal information sharing act. The parties had done extensive public surveys on p

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-25 Thread Kristian Gjøsteen
On 24 Sep 2013, at 18:01, Jerry Leichter wrote: > At the time this default was chosen (2005 or thereabouts), it was *not* a > "mistake". Dual EC DRBG was in a just-published NIST standard. ECC was > "hot" as the best of the new stuff - with endorsements not just from NSA but > from academic re

Re: [Cryptography] Hardware Trojan Protection

2013-09-25 Thread Lodewijk andré de la porte
2013/9/24 Bill Frantz > Field Programmable Gate Arrays (FPGA) Yeah, those are definitely probably reflashable more easily than you'd like. They're a bit more tricky than they'd seem to be at first. Definitely a better choice than Intel though. On the todo list.

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Peter Gutmann
Peter Fairbrother writes: >On 24/09/13 05:27, Peter Gutmann wrote: >> Peter Fairbrother writes: >>> If you just want a down-and-dirty 2048-bit FS solution which will work >>> today, >>> why not just have the websites sign a new RSA-2048 sub-certificate every >>> day? >>> Or every few hours? And

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Peter Gutmann
Stephen Farrell writes: >That's a mischaracterisation I think. Some folks (incl. me) have said that >1024 DHE is arguably better than no PFS and if current deployments mean we >can't ubiquitously do better, then we should recommend that as an option, >while at the same time recognising that 1024

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-25 Thread ianG
Hi Jerry, I appreciate the devil's advocate approach here, it has helped to get my thoughts in order! Thanks! My conclusion is: avoid all USA, Inc, providers of cryptographic products. Argumentation follows... On 24/09/13 19:01 PM, Jerry Leichter wrote: On Sep 23, 2013, at 4:20 AM, ian

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread ianG
On 24/09/13 19:23 PM, Kelly John Rose wrote: I have always approached that no encryption is better than bad encryption, otherwise the end user will feel more secure than they should and is more likely to share information or data they should not be on that line. The trap of a false sense of s

Re: [Cryptography] Gilmore response to NSA mathematician's "make rules for NSA" appeal

2013-09-25 Thread Eugen Leitl
On Tue, Sep 24, 2013 at 12:30:40PM -0400, Kelly John Rose wrote: > If Google, or other similar businesses want to convince people to store > data in the cloud, they need to set up methods where the data is > encrypted or secured before it is even provided to them using keys which That would compl

Re: [Cryptography] Gilmore response to NSA mathematician's "make rules for NSA" appeal

2013-09-25 Thread John Kelsey
On Sep 25, 2013, at 2:52 AM, james hughes wrote: > Many, if not all, service providers can provide the government valuable > information regarding their customers. This is not limited to internet > service providers. It includes banks, health care providers, insurance > companies, airline comp

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-25 Thread Alan Braggins
On 24 September 2013 17:01, Jerry Leichter wrote: > On Sep 23, 2013, at 4:20 AM, ianG wrote: >>> ... But they made Dual EC DRBG the default ... >> >> At the time this default was chosen (2005 or thereabouts), it was *not* a >> "mistake". https://www.schneier.com/blog/archives/2007/11/the_stra

[Cryptography] forward-secrecy >=2048-bit in legacy browser/servers? (Re: RSA equivalent key length/strength)

2013-09-25 Thread Adam Back
On Wed, Sep 25, 2013 at 11:59:50PM +1200, Peter Gutmann wrote: Something that can "sign a new RSA-2048 sub-certificate" is called a CA. For a browser, it'll have to be a trusted CA. What I was asking you to explain is how the browsers are going to deal with over half a billion (source: Netcraft

Re: [Cryptography] Gilmore response to NSA mathematician's "make rules for NSA" appeal

2013-09-25 Thread james hughes
I have made this one longer only because I have not had the leisure to make it shorter. On Sep 23, 2013, at 12:45 PM, John Kelsey wrote: > On Sep 18, 2013, at 3:27 PM, Kent Borg wrote: > >> You foreigners actually have a really big vote here. > > It needs to be in their business i

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Phillip Hallam-Baker
On Sun, Sep 22, 2013 at 2:00 PM, Stephen Farrell wrote: > > > On 09/22/2013 01:07 AM, Patrick Pelletier wrote: > > "1024 bits is enough for anyone" > > That's a mischaracterisation I think. Some folks (incl. me) > have said that 1024 DHE is arguably better than no PFS and > if current deployments

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Jerry Leichter
On Sep 24, 2013, at 7:53 PM, Phillip Hallam-Baker wrote: > There are three ways a RNG can fail > > 1) Insufficient randomness in the input > 2) Losing randomness as a result of the random transformation > 3) Leaking bits through an intentional or unintentional side channel > > What I was concerne

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Gerardus Hendricks
> So we think there is 'some kind' of backdoor in a random number generator. > One question is how the EC math might make that possible. Another is how might the door be opened. I'm assuming you're talking about DUAL_EC_DRBG. Where the backdoor is and how it can be exploited is pretty simple to ex

Re: [Cryptography] Gilmore response to NSA mathematician's "make rules for NSA" appeal

2013-09-25 Thread Kelly John Rose
On 23/09/2013 3:45 PM, John Kelsey wrote: > It needs to be in their business interest to convince you that they *can't* > betray you in most ways. This is the most important element, and legislation that states you "cannot" share that information won't be enough, especially since the NSLs have gu

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Kelly John Rose
On 22/09/2013 2:00 PM, Stephen Farrell wrote: > > On 09/22/2013 01:07 AM, Patrick Pelletier wrote: >> "1024 bits is enough for anyone" > That's a mischaracterisation I think. Some folks (incl. me) > have said that 1024 DHE is arguably better than no PFS I would argue that 1024 DHE is worse than no

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Ralph Holz
Hi, On 09/23/2013 10:47 AM, Peter Gutmann wrote: >> I'm inclined to agree with you, but you might be interested/horrified in the >> "1024 bits is enough for anyone" debate currently unfolding on the TLS list: > > That's rather misrepresenting the situation. It's a debate between two > groups, t

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Phillip Hallam-Baker
On Tue, Sep 24, 2013 at 10:59 AM, Jerry Leichter wrote: > On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker > wrote: > > I was thinking about this and it occurred to me that it is fairly easy > to get a public SSL server to provide a client with a session key - just > ask to start a session. > >

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread John Kelsey
On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker wrote: > So we think there is 'some kind' of backdoor in a random number generator. > One question is how the EC math might make that possible. Another is how > might the door be opened. We don't know that there is a backdoor in dual ec, but we

[Cryptography] Hardware Trojan Protection

2013-09-25 Thread Bill Frantz
On 9/22/13 at 6:07 PM, leich...@lrw.com (Jerry Leichter) wrote in another thread: Still, it raises the question: If you can't trust your microprocessor chips, what do you do? One possible answer: Build yourself a processor out of MSI chips. We used to do that, not so long ago, and got res

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-25 Thread Jerry Leichter
On Sep 23, 2013, at 4:20 AM, ianG wrote: >>> RSA today declared its own BSAFE toolkit and all versions of its >>> Data Protection Manager insecure... > > Etc. Yes, we expect the company to declare itself near white, and the press > to declare it blacker than the ace of spades. > > Meanwhile, t

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Jerry Leichter
On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker wrote: > I was thinking about this and it occurred to me that it is fairly easy to get > a public SSL server to provide a client with a session key - just ask to > start a session. > > Which suggests that maybe the backdoor [for an NSA-spiked ra

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Alan Braggins
On 23 September 2013 01:09, Phillip Hallam-Baker wrote: > So we think there is 'some kind' of backdoor in a random number generator. > One question is how the EC math might make that possible. Another is how > might the door be opened. Are you talking about http://en.wikipedia.org/wiki/Dual_EC_DR