Re: [cryptography] Detecting Crypto Compromises
On 31.03.2012 04:23, Landon Hurley wrote:
> Does anyone have any knowledge of academic papers focused on methods of detecting whether a crypto scheme has been compromised in situ or on how to utilize intelligence gleaned from compromised cipher texts without giving away that compromise to the enemy?

Apart from any spy-and-nazi-stuff: Fail-stop signatures may have some properties that you are looking for. Birgit Pfitzmann, Michael Waidner, Torben Pedersen and others were working on these schemes in the 90s. It's not encryption crypto but signature crypto, but nevertheless quite interesting.

An early paper from 1991 can be found here:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.43.2478&rep=rep1&type=pdf

Further work has been done at least in 2007 by some guys from the University of Malaysia:
http://www.fs.utm.my/matematika/images/stories/matematika/20072312.pdf

Regards,
Jürgen Brauckmann

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Bitcoin-mining Botnets observed in the wild? (was: Re: Bitcoin in endgame
On 3/04/12 05:16 AM, lodewijk andré de la porte wrote:
> ...

Good observations and calculations.

> So, let's say you wanted a botnet to do mining. What could you do to improve that? Get a bigger network! Targeting gamers would also help, given their hardware.

Hmmm... you're thinking small? Target the game company, and get them to distro the code.

<conspiracy hat> Maybe that's what happened to Sony? How would we even know they aren't already doing it? </hat>

Would a gaming company make more money from a successful game by means of sales or by means of mining?

Meanwhile, back to crypto...

iang
[cryptography] World-class protracted social engineering [was: Re: Key escrow 2012]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ianG <i...@iang.org> writes:

> The crypto wars were about opening up that battlefield so that open source could start to experiment with lots and lots of alternatives.
>
> The reason we lost the war was because we thought we'd won it. We were tricked. What actually happened was a high profile weapon - the export control - was loosened up enough just enough to make many think we'd won. All the low-profile weapons were left in place.

It's world-class protracted social engineering. Orchestrated by whom?

- -- 
 -- StealthMonger <stealthmon...@nym.mixmin.net>
Long, random latency is part of the price of Internet anonymity.

   anonget: Is this anonymous browsing, or what?
   http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain

   stealthmail: Hide whether you're doing email, or when, or with whom.
   mailto:stealthsu...@nym.mixmin.net?subject=send%20index.html

Key: mailto:stealthsu...@nym.mixmin.net?subject=send%20stealthmonger-key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.9 <http://mailcrypt.sourceforge.net/>

iEYEARECAAYFAk966TIACgkQDkU5rhlDCl66JgCeI1PW1ILSEnAwBkpcShILkfkl
nLgAnRmSYYe/csO9kWrDwk4uUX0Cvawa
=/JP9
-----END PGP SIGNATURE-----
Re: [cryptography] Combined cipher modes
On Tue, Apr 3, 2012 at 6:35 AM, ianG <i...@iang.org> wrote:
> ...
> To tip my hand here somewhat I'm thinking of GCM.
>
> (Digression.) Now, this thread was useful to me because I started reading up on new modes and so forth, and combined that with my past experiences. What I wanted was a fast AES mode coupled with a heavyweight keyed CRC for opportunistic/DOS protection. Hey presto - GCM is that! (I think, haven't finished reading yet.) If you look at the formula for Galois, it is basically a CRC expanded out to 128 bits. Perfect! Fast!

more reasons to love GCM: easily pipelined and parallelized. Intel has PCLMULQDQ on die now. not patent encumbered.

i often wonder why adoption is so slow. (cryptographers are conservative, they say)

> When Zooko and I designed the random||counter||time construct it is because we knew that some or many servers could get into a pathological mode w.r.t. entropy. And saying have good entropy is like telling teenaged girls not to hang around teenaged boys.

*grin*

regarding the crypto cracking rumors around the new NSA datacenter this seems a much more likely target. bad entropy by mistake or malfeasance, it is a problem everywhere.
Re: [cryptography] Combined cipher modes
> -----Original Message-----
> From: coderman [mailto:coder...@gmail.com]
> Sent: Tuesday, April 03, 2012 15:23
> To: Wyss, Felix
> Cc: ianG; cryptography@randombit.net
> Subject: Re: [cryptography] Combined cipher modes
>
> On Tue, Apr 3, 2012 at 12:02 PM, Wyss, Felix <felix.w...@inin.com> wrote:
>> ...
>> Maybe being conservative is warranted:
>> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
>
> don't use GCM wrong?
> short tags are bad.
> changing tag lengths are bad.
> use 128bit tags.
>
> reminds me of CTR mode arguments...

I think that is a dangerous assertion as it is generally understood (assumed?) that shorter tags don't weaken the authentication worse than to 1/2^n. The fact that GCM more or less breaks if you don't use the full tag size IMHO makes it brittle and certainly fails to meet the principle of least surprise.

Supposedly, SGCM (http://eprint.iacr.org/2011/326.pdf) doesn't have these deficiencies (and can be implemented efficiently without custom instructions like PCLMULQDQ). A bit new for my taste, though.

--Felix
Re: [cryptography] Combined cipher modes
On Tue, Apr 3, 2012 at 4:10 PM, Wyss, Felix <felix.w...@inin.com> wrote:
>> -----Original Message-----
>> From: coderman [mailto:coder...@gmail.com]
>> Sent: Tuesday, April 03, 2012 15:23
>> To: Wyss, Felix
>> Cc: ianG; cryptography@randombit.net
>> Subject: Re: [cryptography] Combined cipher modes
>>
>> On Tue, Apr 3, 2012 at 12:02 PM, Wyss, Felix <felix.w...@inin.com> wrote:
>>> ...
>>> Maybe being conservative is warranted:
>>> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
>>
>> don't use GCM wrong?
>> short tags are bad.
>> changing tag lengths are bad.
>> use 128bit tags.
>>
>> reminds me of CTR mode arguments...
>
> I think that is a dangerous assertion as it is generally understood (assumed?) that shorter tags don't weaken the authentication worse than to 1/2^n. The fact that GCM more or less breaks if you don't use the full tag size IMHO makes it brittle and certainly fails to meet the principle of least surprise.

EAX' (EAX Prime) suffered the same fate with its 32-bit tags. It's currently used in the Smart Grid. http://eprint.iacr.org/2012/018.

Jeff
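What "GCM more or less breaks if you don't use the full tag size" means in practice is the forgery in the Ferguson comment linked above. The following is an added example, not code from the thread or from any of its authors: a pure-Python GHASH following SP 800-38D Algorithm 1 (NIST bit order, checked against the GCM spec's test case 2) and a scaled-down version of the attack. GHASH is a polynomial in the hash key H over GF(2^128); because squaring is GF(2)-linear in that field, the ciphertext blocks whose coefficient is H^(2^j) contribute a linear function of H to the tag, so an attacker who XORs differences into exactly those blocks can solve a linear system, without knowing H, for differences that leave the top t tag bits unchanged for every H. Zeroing all t bits needs about t+1 such blocks, i.e. a message of roughly 2^(t+1) blocks, which is why the demo uses an 8-bit tag on a 511-block message rather than a 32-bit one. Assumptions: no AAD, full blocks only, and the two AES outputs GCM consumes (H = E_K(0^128) and E_K(J0)) are modeled as secret random values, which is faithful because the attacker never uses them; the function names, the 8-bit/511-block parameters and the random victim ciphertext are constructed for the demo.

```python
"""Scaled-down Ferguson forgery against truncated GCM tags (added example)."""
import secrets

MASK128 = (1 << 128) - 1
R_POLY = 0xE1 << 120          # x^128 + x^7 + x^2 + x + 1 in NIST bit order (leftmost bit = x^0)


def mulx(v: int) -> int:
    """Multiply a field element by alpha (the polynomial x)."""
    return (v >> 1) ^ (R_POLY if v & 1 else 0)


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) as in SP 800-38D, Algorithm 1."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:          # x_i, with x_0 the leftmost bit
            z ^= v
        v = mulx(v)
    return z


def ghash(h: int, blocks) -> int:
    y = 0
    for blk in blocks:                    # Horner form: y = (y ^ X_i) * H
        y = gf_mul(y ^ blk, h)
    return y


def gcm_tag(h: int, ek_j0: int, ct_blocks, tag_bits: int) -> int:
    """T = MSB_t(GHASH_H(C || length block) ^ E_K(J0)); no AAD, whole blocks only."""
    length_block = len(ct_blocks) * 128   # [len(A)]_64 || [len(C)]_64 with len(A) = 0
    full = ghash(h, list(ct_blocks) + [length_block]) ^ ek_j0
    return full >> (128 - tag_bits)


def gf2_kernel_vector(rows, ncols: int) -> int:
    """Nonzero x with row.x = 0 (mod 2) for every row (rows are bitmask ints).
    Assumes more unknowns than independent equations, so a free column exists."""
    pivots = {}                           # pivot column -> fully reduced row (RREF)
    for row in rows:
        for col, prow in pivots.items():  # clear every existing pivot column
            if (row >> col) & 1:
                row ^= prow
        if row == 0:
            continue
        col = row.bit_length() - 1        # new pivot: highest remaining bit
        for c2 in pivots:
            if (pivots[c2] >> col) & 1:
                pivots[c2] ^= row
        pivots[col] = row
    free = next(c for c in range(ncols) if c not in pivots)
    x = 1 << free                         # set one free variable, solve the pivots
    for col, prow in pivots.items():
        if (prow >> free) & 1:
            x |= 1 << col
    return x


def forge_differences(zero_bits: int, n_mod: int):
    """D_0..D_{n_mod-1}, to be XORed into the blocks with coefficients
    H^2, H^4, ..., H^(2^n_mod), such that the top zero_bits bits of
    XOR_j D_j * H^(2^(j+1)) vanish for every H.  Needs no knowledge of H."""
    assert n_mod > zero_bits, "need more unknown blocks than zeroed tag bits"
    rows = [0] * (128 * zero_bits)        # one equation per (basis bit of H, tag bit)
    for b in range(128):
        f = 1 << b                        # H = e_b, the b-th basis vector
        for j in range(n_mod):
            f = gf_mul(f, f)              # f = e_b ^ (2^(j+1)): Frobenius, linear in H
            y = f                         # e_127 is the field's 1, so e_127 * f = f
            for c in range(127, -1, -1):  # y = e_c * f, unknown d_{j,c} is column j*128+c
                col = j * 128 + c
                for i in range(zero_bits):
                    if (y >> (127 - i)) & 1:
                        rows[b * zero_bits + i] |= 1 << col
                y = mulx(y)               # e_(c-1) = alpha * e_c
    x = gf2_kernel_vector(rows, 128 * n_mod)
    return [(x >> (128 * j)) & MASK128 for j in range(n_mod)]


def demo(tag_bits: int = 8, n_mod: int = 9) -> bool:
    """Forge a ciphertext under an unknown H for a tag_bits-bit tag.
    Returns True iff the forgery verifies against the victim's original tag."""
    n = (1 << n_mod) - 1                  # 511 blocks: every exponent 2..512 is present
    h, ek_j0 = secrets.randbits(128), secrets.randbits(128)   # stand-ins for E_K(0), E_K(J0)
    ct = [secrets.randbits(128) for _ in range(n)]            # constructed victim ciphertext
    tag = gcm_tag(h, ek_j0, ct, tag_bits)
    forged = list(ct)
    for j, d in enumerate(forge_differences(tag_bits, n_mod)):
        forged[n + 1 - (1 << (j + 1))] ^= d   # the block whose coefficient is H^(2^(j+1))
    return forged != ct and gcm_tag(h, ek_j0, forged, tag_bits) == tag


if __name__ == "__main__":
    print("forgery accepted:", demo())
```

For a 32-bit tag the same deterministic construction would need 2^33 blocks, beyond what GCM permits, which is where the real attack differs: it zeroes only r < t rows (call `forge_differences(r, n_mod)` with r below the tag length), so each attempt succeeds with probability 2^-(t-r) instead of 2^-t, and every accepted forgery hands the attacker t-r linear equations in the bits of H, so the work drops with each success until H is known and forgeries are free. Nothing here touches confidentiality; it is purely the authentication that collapses, and a 128-bit tag (exponent 2^129 needed) is out of reach.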
Re: [cryptography] World-class protracted social engineering [was: Re: Key escrow 2012]
On 2012-04-03 11:25 PM, StealthMonger wrote:
> It's world-class protracted social engineering. Orchestrated by whom?

You attribute too much competence to our enemies. The problem is that our tools are unsatisfactory, no one wants to use them. They need improvement.

One tool that works and is widely used is the VPN. VPNs cross borders, with the result that the Chinese economy has most of its management outside the grasp of the Chinese state, which strikes me as a pretty big step towards the cypherpunk economy.

But aside from that one success, the problem is that we are not that good. Fortunately our opponents are worse.
Re: [cryptography] Combined cipher modes
On Tue, Apr 3, 2012 at 12:02 PM, Wyss, Felix <felix.w...@inin.com> wrote:
>> ...
>> Maybe being conservative is warranted:
>> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
>
> don't use GCM wrong?
> short tags are bad.
> changing tag lengths are bad.
> use 128bit tags.

If you use 128 bit tags and follow the 96 bit IV recommendation, the gains of GCM over classic AES-CBC with HMAC-MD5 or HMAC-SHA1 are somewhat limited, saving between 12 and 16 bytes of per-message overhead (assuming that GCM lacks padding, which I haven't checked). 28 bytes of overhead remain.