[cryptography] Interesting Webcrypto question

2013-03-03 Thread Peter Gutmann
Say you've implemented a bunch of crypto on your web page via Javascript.

Someone in North Korea (or Iran, or one of the other export-restricted 
nations) visits your site.

You've now exported crypto to a restricted country.  What happens next?

Peter.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread coderman
On Sun, Mar 3, 2013 at 1:39 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
 Say you've implemented a bunch of crypto on your web page via Javascript.

 Someone in North Korea (or Iran, or one of the other export-restricted
 nations) visits your site.

 You've now exported crypto to a restricted country.  What happens next?


most important question: what jurisdiction for you and your web page?

perhaps you could argue you never exported, but merely cached
remotely. some server http response headers could advance such a
claim. ;)


practical risk seems to be no one cares at this level; they're
bypassing crypto if and when they need through easier avenues...


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread dan

  You've now exported crypto to a restricted country.  What happens next?


repl{physicist,
 javascripter,
 In some sort of crude sense, which no vulgarity, no humor, no 
overstatement can quite extinguish, the physicists have known sin; and this is 
a knowledge which they cannot lose.
 }





Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Paul Hoffman
 You've now exported crypto to a restricted country.  What happens next?

You ask a lawyer or a legislator, not a bunch of amateurs in the subject?

--Paul Hoffman


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Peter Gutmann
Paul Hoffman paul.hoff...@vpnc.org writes:

 You've now exported crypto to a restricted country.  What happens next?

You ask a lawyer or a legislator, not a bunch of amateurs in the subject?

Have you tried asking a lawyer or legislator?  Would you say the look you got
in response was more deer-in-headlights, or cow-at-an-oncoming-train?

(It was also something of a rhetorical question).

Peter.


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Open eSignForms
The entire idea that such countries don't have strong crypto because of the
export restrictions is goofy.


[cryptography] Question on Entropy Gathering

2013-03-03 Thread Jeffrey Walton
Hi All,

In Jesse Walker's slide on Requirements for random number generators
(https://crypto.stanford.edu/RealWorldCrypto/slides/jesse.pdf), Walker
provides a simple gatherer on slide 10:

unsigned before, after, entropy;
before = read_TSC();
usleep(0);
after = read_TSC();
entropy = (after - before) & 0x0ff;
Repeat until sufficient entropy harvested

Slide 11 provides an analysis. What does it mean to be an AR(1)
process? Is it referring to section one of the man pages? If so, what
does that have to do with this generator?

The analysis states, "this software entropy source is not portable
across platforms without extensive rework." Wouldn't the code be
suitable on platforms with a high resolution counter? In this case,
one would only need to call the correct Operating System function (for
example, QueryPerformanceCounter()).

Jeff


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Arshad Noor

On 03/03/2013 11:34 AM, Paul Hoffman wrote:

You've now exported crypto to a restricted country.  What happens next?


You ask a lawyer or a legislator, not a bunch of amateurs in the subject?



+1

As someone who personally reviewed hundreds of pages of EAR rules,
applied for and received License Exceptions for the export of our
key-management and PKI appliances, I would conjecture that crypto
in JavaScript would violate US export laws.  Companies/Individuals
that create crypto are restricted from shipping/selling it to
people even in the USA if they appear on the Denied Persons List:

http://www.bis.doc.gov/dpl/default.shtm

As is typical, my guess is that the law is trailing the technology
curve, explaining why the practice is not explicitly controlled.
But, in the US - and I suspect, many other nations - ignorance of
the law is not an excuse/alibi for breaking the law.

Arshad Noor
StrongAuth, Inc.


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Jeffrey Walton
On Sun, Mar 3, 2013 at 3:18 PM, Arshad Noor arshad.n...@strongauth.com wrote:
 On 03/03/2013 11:34 AM, Paul Hoffman wrote:

 You've now exported crypto to a restricted country.  What happens next?


 You ask a lawyer or a legislator, not a bunch of amateurs in the subject?


 +1

 As someone who personally reviewed hundreds of pages of EAR rules,
 applied for and received License Exceptions for the export
Have you spoken to Anita? She is very helpful :)

 key-management and PKI appliances, I would conjecture that crypto
 in JavaScript would violate US export laws.
Key management may or may not be covered by export controls. It
depends on whether you are using encryption.

You can perform key agreement (Diffie-Hellman) and not require an
export license. But if you key a block cipher with the shared secret,
you will need a license.

If you are doing key transport (RSA), then you would need a license.
EAP-PSK, with its underlying block cipher, also requires a license.

Authentication does not require a license.

 Companies/Individuals
 that create crypto are restricted from shipping/selling it to
 people even in the USA if they appear on the Denied Persons List:

 http://www.bis.doc.gov/dpl/default.shtm
I believe you can ship to banned countries/individuals, but you need a
license that is administered by both Department of Commerce and State
Department. Cookie cutter licenses to get approved for the App Store
usually don't fall under joint jurisdiction.

Jeff


Re: [cryptography] Question on Entropy Gathering

2013-03-03 Thread Sandy Harris
On Sun, Mar 3, 2013 at 3:30 PM, Jeffrey Walton noloa...@gmail.com wrote:

 In Jesse Walker's slide on Requirements for random number generators
 (https://crypto.stanford.edu/RealWorldCrypto/slides/jesse.pdf), Walker
 provides a simple gatherer on slide 10:

 unsigned before, after, entropy;
 before = read_TSC();
 usleep(0);
 after = read_TSC();
 entropy = (after - before) & 0x0ff;
 Repeat until sufficient entropy harvested

One possibly relevant paper:
McGuire, Okech & Schiesser, "Analysis of inherent randomness of the Linux kernel",
http://lwn.net/images/conf/rtlws11/random-hardware.pdf

My attempt at a generator based on such ideas:
ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/
 suitable on platforms with a high resolution counter? In this case,
 one would only need to call the correct Operating System function (for
 example, QueryPerformanceCounter()).

 Jeff


Re: [cryptography] Question on Entropy Gathering

2013-03-03 Thread Jeffrey Walton
On Sun, Mar 3, 2013 at 4:11 PM, Stephan Neuhaus stephan.neuh...@tik.ee.ethz.ch wrote:

 On Mar 3, 2013, at 21:30, Jeffrey Walton wrote:

 What does it mean to be an AR(1) process?

 A sequence X(n) of real numbers (integer n >= 0) describes an AR(1) process
 if X(n+1) = aX(n) + b + epsilon(n), where epsilon(n) is independent and
 normally distributed with zero mean.

Thanks Stephan. That was definitely covered in my statistics class years ago.

Jeff
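The slide-10 gatherer Jeff quoted, together with the AR(1) check Stephan described, written out as a runnable C example. This is added here for illustration; it is not code from Walker's slides, from the list, or from any of the posters. Assumptions: a POSIX system, clock_gettime(CLOCK_MONOTONIC) standing in for read_TSC() (a coarser clock than the TSC on most hardware), and the function names gather_timing_bytes, ar1_coefficient and min_entropy_bits, which are mine. The AR(1) estimate is the least-squares slope of X(n+1) against X(n), i.e. the coefficient a in X(n+1) = aX(n) + b + epsilon(n); the min-entropy figure is -log2 of the most frequent byte's empirical probability, which is the number a practitioner would look at before deciding that "sufficient entropy" has actually been harvested from a low byte that is only nominally 8 bits wide.

```c
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Stand-in for read_TSC(): CLOCK_MONOTONIC in nanoseconds.
   Assumption: POSIX clock_gettime() is available (coarser than a real TSC). */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* The slide's loop: keep the low byte of the counter delta around usleep(0). */
size_t gather_timing_bytes(uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint64_t before = read_counter();
        usleep(0);
        uint64_t after = read_counter();
        out[i] = (uint8_t)((after - before) & 0xff);
    }
    return n;
}

/* Least-squares estimate of a in X(n+1) = a*X(n) + b + epsilon(n).
   a near 0: successive samples look uncorrelated; |a| near 1: each sample
   is mostly predictable from the previous one (bad for an entropy source). */
double ar1_coefficient(const uint8_t *x, size_t n) {
    if (n < 3) return 0.0;
    double mx = 0.0, my = 0.0, sxy = 0.0, sxx = 0.0;
    for (size_t i = 0; i + 1 < n; i++) { mx += x[i]; my += x[i + 1]; }
    mx /= (double)(n - 1);
    my /= (double)(n - 1);
    for (size_t i = 0; i + 1 < n; i++) {
        sxy += (x[i] - mx) * (x[i + 1] - my);
        sxx += (x[i] - mx) * (x[i] - mx);
    }
    return sxx == 0.0 ? 0.0 : sxy / sxx;
}

/* -log2(p) for 0 < p <= 1 by bit extraction, so the example needs no libm.
   Exact for p a power of two, ~52 bits of precision otherwise. */
static double neg_log2(double p) {
    double r = 0.0, frac = 0.0, bit = 0.5;
    while (p <= 0.5) { p *= 2.0; r += 1.0; }   /* integer part; p now in (0.5, 1] */
    for (int i = 0; i < 52; i++) {             /* fractional bits of -log2(p) */
        p *= p;
        if (p <= 0.5) { p *= 2.0; frac += bit; }
        bit *= 0.5;
    }
    return r + frac;
}

/* Min-entropy per sample in bits: -log2(p_max) over the byte histogram.
   8.0 would be a perfectly uniform byte; real timing deltas score far lower. */
double min_entropy_bits(const uint8_t *x, size_t n) {
    size_t hist[256] = {0}, max = 0;
    if (n == 0) return 0.0;
    for (size_t i = 0; i < n; i++) if (++hist[x[i]] > max) max = hist[x[i]];
    return neg_log2((double)max / (double)n);
}

/* Constructed inputs for self-checks (not measured data). */
uint8_t scratch[256];
void make_constant(uint8_t *out, size_t n)    { for (size_t i = 0; i < n; i++) out[i] = 0x41; }
void make_ramp(uint8_t *out, size_t n)        { for (size_t i = 0; i < n; i++) out[i] = (uint8_t)i; }
void make_alternating(uint8_t *out, size_t n) { for (size_t i = 0; i < n; i++) out[i] = (i & 1) ? 0xff : 0x00; }

int main(void) {
    uint8_t buf[4096];
    gather_timing_bytes(buf, sizeof buf);
    printf("AR(1) coefficient a = %.3f (0 = uncorrelated, +/-1 = predictable)\n",
           ar1_coefficient(buf, sizeof buf));
    printf("min-entropy = %.2f bits per sample (8.0 would be ideal)\n",
           min_entropy_bits(buf, sizeof buf));
    return 0;
}
```

The two statistics answer different questions: a large |a| says the next delta is largely a function of the previous one, so the samples are not independent and the "repeat until sufficient entropy" loop is over-crediting them; a low min-entropy says the low byte clusters on a few values (typical when the scheduler returns from usleep(0) in a narrow band of times). Either result argues for feeding the raw bytes through a conditioner and crediting far fewer than 8 bits each, which is the portability concern the slide's analysis raises: the figures depend on the clock resolution and scheduler of the platform, so they have to be re-measured rather than assumed.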


Re: [cryptography] Question on Entropy Gathering

2013-03-03 Thread Jeffrey Walton
On Sun, Mar 3, 2013 at 4:15 PM, Sandy Harris sandyinch...@gmail.com wrote:
 On Sun, Mar 3, 2013 at 3:30 PM, Jeffrey Walton noloa...@gmail.com wrote:

 In Jesse Walker's slide on Requirements for random number generators
 (https://crypto.stanford.edu/RealWorldCrypto/slides/jesse.pdf), Walker
 provides a simple gatherer on slide 10:

 unsigned before, after, entropy;
 before = read_TSC();
 usleep(0);
 after = read_TSC();
 entropy = (after - before) & 0x0ff;
 Repeat until sufficient entropy harvested

 One possibly relevant paper:
 McGuire, Okech & Schiesser, "Analysis of inherent randomness of the Linux
 kernel",
 http://lwn.net/images/conf/rtlws11/random-hardware.pdf

 My attempt at a generator based on such ideas:
 ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/
Thanks sandy. I remember looking through the code some time ago.

Jeff


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Arshad Noor

On 03/03/2013 01:41 PM, Adam Back wrote:


Dont tell me you still think you need permission to export RSA in perl to
non-embargoed entities:



Open-source crypto that is downloadable from public-sites has a special
designation in the EAR; you only need to notify the BIS and provide the
download URL.  While I cannot confirm this, US-companies that provide
downloading capabilities - such as sourceforge.net - are required to
comply with the EAR when the FOSS has crypto in it and are expected to
restrict its distribution.

I agree that this does not prevent individuals in permitted countries
from downloading such open-source crypto and carrying it with them to
embargoed countries/individuals - but at this point, as a US citizen,
you will have broken the law.  What happens after that is up to your
lawyers and the USDOJ.

I also agree that all this seems irrelevant considering that everyone
has access to strong crypto in one form or another; but, even a stupid
law is still the law.  As a democracy, we have the ability to change
it if it's important enough to us, but when bigger issues are fumbled
regularly, crypto-regulation should be the least of our problems.  It's
easier for small companies like ours to comply with it than fight it.

Arshad Noor
StrongAuth, Inc.


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Jeffrey Walton
On Sun, Mar 3, 2013 at 4:41 PM, Adam Back a...@cypherspace.org wrote:
 Unless you're selling SSL MITM boxes to tyrants & dictators, then of course
 it's alright ;) Well maybe they'll turn a blind eye if the West is propping
 up that particular tyrant until they flip flop.

 Anyway wasn't all that US export of crypto code nonsense tidied up a decade
 or so ago?  PRZ did not go to jail, and neither will you?  Isn't it at this
 stage more that you optionally notify BIS via email as courtesy rather than
 ask for permission?

 Don't tell me you still think you need permission to export RSA in perl to
 non-embargoed entities:
I believe it depends on who you are :)

Little folks like me have to play by the rules, or risk getting the
Schwartz treatment from folks like Steve Heymann and Carmen Ortiz.

Corporate America gets to opt-in to Federal law.

Jeff


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Adam Back
The realism of export restricting open source software is utterly ludicrous.
Any self-declaration click-through someone might implement can be clicked
through by anyone, from anywhere, and I presume someone from an embargoed
country is more worried about their own country's laws than US laws, to the
extent that it is apparently illegal in the US to ignore site policies
(which itself is stupid, as the Swartz case demonstrates).

In fact anyway most countries that are likely to be on an embargo list
probably are so repressive they don't allow encryption for their subjects
anyway.  If the government of the embargoed country wants a piece of
software you can be damn sure a click-through isn't going to stop them.  Also
the exemptions and conflicts are getting confusing - in some cases the USG
has actually funded encryption software for VPN tunneling targeted at the
regimes of a very likely overlapping set of countries that it is embargoing.
I guess we want their citizens to have encryption to tunnel out, but not
their government nor arms manufacturers.

Governments and most corporations can't seem to keep the Chinese from bulk
downloading all their firewalled restricted secrets or IP, never mind stuff
that is available for open download by design!

I guess they never heard of VPNs and proxies.  If everyone and his dog can
stream movies from any country-IP restricted service, I dare say they can
download any bits they care to with zip effort.

You know I did hear it is also the law that hackney carriages (aka taxi
cabs) in London must carry a fresh bale of straw, which makes about as much sense
as open source and jscript crypto export restrictions in an internet world.

It does make a lot of sense not to sell embargoed countries physical
weaponry.  (I guess unless the West has just flip-flopped sides on the
embargoed country and the newly installed dictator is now our dictator,
then the mil-industry complex will be glad to have a clearance sale of
previous-gen old-stock mil-hardware.)

Well anyway you can see the logic of not offering assistance of any form,
paid or free, to these embargoed orgs and countries, but the futility of
trying to censor information is just dumb.  Maybe it would be more
productive in the current USG info-war mentality to block and disconnect
embargoed orgs' and countries' government sites from the internet in general.
(But not their citizens, who presumably we encourage to read international
news etc.)  But that obviously is also at best going to be a minor irritant
to them - they can just install consumer-labeled IPs and tunnels.

Adam

On Mon, Mar 04, 2013 at 11:21:04AM +1300, Peter Gutmann wrote:

Arshad Noor arshad.n...@strongauth.com writes:


Open-source crypto that is downloadable from public-sites has a special
designation in the EAR; you only need to notify the BIS and provide the
download URL.


Controls for export to the Twhatever-it-is-this-week countries override the
5D002 exception.  In other words there's an exception to the exception (or in
computer security terms the deny MAC overrides the allow MAC).  This is why I
specifically mentioned countries like North Korea and Iran.

Peter.


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread James A. Donald

On 2013-03-04 8:48 AM, Jeffrey Walton wrote:

 Little folks like me have to play by the rules, or risk getting the
 Schwartz treatment from folks like Steve Heymann and Carmen Ortiz.

No, we don't have to play by these rules, which our rulers have pretty
much forgotten about.


Swartz penetrated the firewall by physically trespassing and hiding his 
laptop in a closet, which strikes me as mighty primitive for an 
officially designated genius, and the kind of thing that should get 
anyone into big trouble.  If someone sticks his laptop in my closet to 
download my files, I will erase it with a ten pound hammer, and when he 
shows up to collect it, will deal with him similarly.   It is a good 
thing that Swartz killed himself, like his hero Wallace. Both of them 
needed killing.


Swartz was officially designated a genius because a leftist.  He
committed suicide, not because the state was feebly going through the
motions of punishing him for illegal acts but because of the
characteristic left wing disease of self hate.  Leftists hate whites
because they are themselves white and hate America because they are
American.  It is Jewish leftists like Rahm Israel Emanuel that seek the
destruction of Israel.*


*Swartz was a die-hard David Foster Wallace fan.  Anyone who reads David 
Foster Wallace is influenced to commit suicide, and anyone who is a fan 
probably should commit suicide.   David Foster Wallace is the type 
specimen for leftist self hatred.


Wallace's suicidal propensities are an integral part of his leftism.  If 
you want to be sincerely leftist, you have to be sincerely utilitarian.  
But no one can be sincerely utilitarian. The best approximation to 
utilitarianism one can achieve, is not to love distant strangers equally 
with oneself and those close to one, but hate oneself and those close to 
one, which Wallace did with maniacal intensity, until finally murdering 
himself out of hatred and despair.


Leftists are notoriously self hating, Jews notoriously prone to self 
hate, so Jewish leftists are close to the top in self hate, though the 
Khmer Rouge take the all time prize for self hate by far.


Of course often self haters are not literally self haters - like Rahm 
Israel Emanuel they hate the group of which they are part, and seek to 
exterminate it, but are very smug about themselves and their friends.


But often, keenly aware of this hypocrisy, they are quite literally self 
haters, Wallace being an obvious example, indeed the obvious example.  
And since Swartz was a fan of Wallace, Swartz probably also literally 
hated himself - privileged and all that.


Wallace, like Swartz, was a manufactured genius, an official genius.

Wallace only wrote two fiction books, the broom of the system, and 
infinite jest, which very few people actually read.  (The Pale King 
was ghostwritten) He seems to have been funded entirely by Academia, 
which is to say, funded by the left for being an articulate and 
relatively readable left winger - but not so articulate and readable 
that he could actually make a living out of writing.


Wallace bears the same relationship to real writers, as Joe the 
puppeteer bears to real puppeteers.   If someone is a fan of Wallace, it 
is because being an official leftist, it is officially high status to be 
a fan of Wallace.


It is officially required that Wallace be highly regarded.  He was 
officially credentialed as an important writer, therefore it
demonstrates high status to fellow insiders to highly regard him. If you 
know that Wallace is officially a worthy writer, this shows you are 
knowledgeable about official truth, therefore an important cog in the 
system of propagating and enforcing official truth on the ignorant masses.


Wallace was suicidally self hating, evil, and insane, murderously hating
everyone close to him and himself most of all.  The left loved him
because his self hatred made demented evil seem plausibly moralistic,
but as for his fiction writing, as far as I
can tell, no one read him, including his biggest fans.

Pity about that.  If more of his biggest fans read him, more of them 
would follow in his tracks by killing themselves.


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Patrick Mylund Nielsen
 It is a good thing that Swartz killed himself, like his hero Wallace.
Both of them needed killing.

This is the stupidest thing I have read in a long time. Shut the fuck up.

 It is Jewish leftists like Rahm Israel Emanuel that seek the destruction
of Israel.

Israel is disliked in most countries outside of the United States, not by
self-hating Israelites, but by people who perceive Israel to be a harasser.

 It is officially required that Wallace be highly regarded.  He was
officially credentialed as an important writer, therefore it demonstrates
high status to fellow insiders to highly regard him.

Yes, and your website celebrates Ayn Rand and dismisses Noam Chomsky. Could
you possibly get more cliché?

Say what you will about the semi-morbid posthumous inflation of Aaron
Swartz's contributions and stature, but don't pretend to know what he
thought, or whether the prosecution's attempts were feeble. And try to
see the world as a little more than one occupied by self-hating leftists
who should kill themselves and people who love freedom.



Re: [cryptography] Workshop on Real-World Cryptography

2013-03-03 Thread Patrick Pelletier

On 3/2/13 4:12 AM, ianG wrote:


This one had the talk written out, which makes it a top talk in just
that alone:

things that bit us, things we fixed and
things that are waiting in the grass   [slides]
Adam Langley (Google)

http://www.imperialviolet.org/2013/01/13/rwc03.html


This article surprised me, because it could almost be read as an
argument against AES (or even against block ciphers in general).  Which
seems to contradict the common cryptographic wisdom of "just use AES and
be done with it."


Besides the argument about AES having timing side-channels in #9, the
"room 101" section at the end suggests we should do away with not only
CBC, but also AES-GCM, which is commonly touted as the solution to CBC's
woes.  (He admits it was his most controversial point, and I'm curious
how it was received when the talk was given.)  But I believe that if we
rule out both CBC and AES-GCM ciphersuites in TLS, that leaves us with
only RC4.  (And indeed, unsurprisingly given the author, RC4 seems to be
what Google's sites prefer.)


It seems like we've been told for ages that RC4 is old and busted, and 
that AES is the one-size-fits-all algorithm, and yet recent developments 
like BEAST and Lucky 13 seem to be pushing us back into the arms of RC4 
and away from AES.


Although cipher suite proliferation is a common criticism of TLS (and 
indeed, it seems like neither Camellia nor SEED nor ARIA offer any 
benefit over AES as far as I'm aware, though I'm not a cryptographer), I 
wonder if there's benefit in adding a ciphersuite for a new stream 
cipher (such as Salsa20) to TLS, to eventually replace RC4?  Such a 
proposal could at least have clearly-stated goals (faster than RC4 and 
AES, more secure than RC4, avoiding the side-channel issues and CBC 
issues of AES), versus the unclear and never-stated goals of 
yet-another-128-bit-block-cipher.


--Patrick



Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread James A. Donald

On 2013-03-04 11:09 AM, Patrick Mylund Nielsen wrote:
Say what you will about the semi-morbid posthumous inflation of Aaron 
Swartz contributions and stature, but don't pretend to know what he 
thought


I know what Wallace thought and Wallace was evil, insane, and suicidal.  
Swartz described himself as a die hard fan of Wallace.



, or whether the prosecution's attempts were feeble.


Everyone knew that after much drama Swartz was going to be let off, 
after the fashion of Thoreau and the Occupy arrestees.  This dance, 
where the official left charges the official left with crimes against 
the state, then lets them off with a slap on the wrist,  has been 
carried out every couple of years ever since Thoreau, carried out every 
few years for a hundred and sixty years.  Why would Swartz be treated 
differently from all the others?  And then, right in the middle of the 
dance, he kills himself.


There was never the slightest danger that Swartz, official genius, was 
going to do hard time, any more than Thoreau was in any danger of doing 
hard time.


It is government policy, and a perfectly sound, wise and uncontroversial 
government policy, that science should move to open publication.  
Swartz, like Thoreau, was doing the standard official left thing, of 
heroically demanding that the government do what it wants to do anyway 
and is about to do regardless.  The prospect of going to jail for 
criminal acts committed in the course of making such demands is remote.


And, to get back on topic, the prospect of going to jail for having
encryption script on a web page accessed from North Korea is remote,
because the silliness of such laws is widely recognized, though
unmentionable - which was, I think, Peter Gutmann's point.





Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread coderman
On Sun, Mar 3, 2013 at 12:29 PM, Open eSignForms yoz...@gmail.com wrote:
 The entire idea that such countries don't have strong crypto because of the
 export restrictions is goofy.

this can be shortened to: export restrictions [are] goofy

in the last decade the crypto export hassles i have experienced are
around hardware security modules / crypto accelerators, not software.
i'd love to see some useful information on the subject...

(and by hassle i mean waiting 6-8 weeks to pass $tla_scrutiny for
shipment, nothing more)


Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread James A. Donald

On 2013-03-04 8:10 AM, Arshad Noor wrote:

I also agree that all this seems irrelevant considering that everyone
has access to strong crypto in one form or another; but, even a stupid
law is still the law.



Much though we long for the glory days when cypherpunks actually were a 
persecuted minority engaged in genuine civil disobedience, the 
government is not interested in supplying us with drama.


Laws ceased to matter about a decade or so ago, having lost any 
relationship to what is likely to result in punishment.  What was done 
to the constitution, has now been done to law, and is in turn being done 
to regulation.


Laws are increasingly idiotic, because no one cares what they say, hence 
the famous proclamation that we had to pass Obamacare to find out what 
it was.  (And we still do not know what it is)


The US government has lost interest in restricting strong crypto, in 
part because everyone is reporting their most secret activities to 
google, in part because everyone relies on PKI, which is no obstacle to 
the US government, but mostly because that horse has bolted, it is a bit 
late to lock the stable door, and everyone knows it.


It does not matter what the law says, it matters what the US Government 
cares about.  And the US government does not care about strong crypto 
any more.


Now bitcoin, that could well see some drama, especially when the US 
starts actively resisting the decline of its role as the supplier of the 
world's currency, but right now the potential for drama is limited even 
there, because our rulers cannot seem to imagine loss of faith in the US 
dollar.  As yet they only care about bitcoin to the extent that it is a 
way of laundering US dollars, not as a competitor to US dollars.


There are two ways you can get heroic and dramatic civil disobedience.  
One is, like Swartz, to demand what the government is about to give 
anyway, which is apt to be good for one's career, if you refrain from 
killing yourself for no sane reason.  The other is to provide what 
seriously pisses the government off, like Julian Assange did, which is 
not so good for one's career.


Hey, Julian Assange, how do you feel about feminism these days? Not 
quite so keen on it as you used to be?  No means no even when it 
follows sex by thirty-six hours.


The state department is in large part the headquarters of the 
official international left.  Julian Assange supplied a whole pile of 
telegrams that made the state department, and official leftism, look 
extremely bad, revealed international leftists as muppets of the state 
department, as they used to be puppets of Stalin.  An ample supply of 
entirely genuine heroic and dramatic disobedience ensued, probably a 
great deal more than Julian Assange was expecting.


Way to Go Assange!  I am cheering Assange as much as I am pissing on 
Swartz, though I doubt Assange realized just how genuine his civil 
disobedience was going to be.  He never intended to be the actually 
genuine hero, though he is now very reluctantly rising to the occasion.


However, we cannot commit strong crypto civil disobedience, because 
everyone knows the government does not care, and bitcoin is not /yet/ 
civil disobedience, and when it becomes civil disobedience, it will be a 
whole lot safer committing that disobedience through a non US identity 
in a non US location.  When the US government gets the hots to shut down 
bitcoin, it is going to be the way they went after Assange, not the way 
they went after Swartz.


Re: [cryptography] Workshop on Real-World Cryptography

2013-03-03 Thread ianG

On 4/03/13 06:05 AM, Patrick Pelletier wrote:

> On 3/2/13 4:12 AM, ianG wrote:
>
>> This one had the talk written out, which makes it a top talk in just
>> that alone:
>>
>> things that bit us, things we fixed and
>> things that are waiting in the grass   [slides]
>> Adam Langley (Google)
>>
>> http://www.imperialviolet.org/2013/01/13/rwc03.html
>
> This article surprised me, because it could almost be read as an
> argument against AES (or even against block ciphers in general).  Which
> seems to contradict the common cryptographic wisdom of just use AES and
> be done with it.



That is only managerial acronym blather, it isn't wisdom.  Managers see 
the words 'AES' and 'RSA' and numbers like 128 and 2048 and feel 
confident their job is done.  We sometimes flippantly call this 
cryptographic numerology.


In reality, it is *always* AES+some-mode+some-maccing.  And therein lies 
a mess which managers don't go into.



> Besides the argument about AES having timing side-channels in #9, the
> room 101 section at the end suggests we should do away with not only
> CBC, but also AES-GCM, which is commonly touted as the solution to CBC's
> woes.  (He admits it was his most controversial point, and I'm curious
> how it was received when the talk was given.)  But I believe that if we
> rule out both CBC and AES-GCM ciphersuites in TLS, that leaves us with
> only RC4.  (And indeed, unsurprisingly given the author, RC4 seems to be
> what Google's sites prefer.)
>
> It seems like we've been told for ages that RC4 is old and busted, and
> that AES is the one-size-fits-all algorithm, and yet recent developments
> like BEAST and Lucky 13 seem to be pushing us back into the arms of RC4
> and away from AES.



Yeah, the encryption field is in flux, again, and it's somewhat bemusing 
that we are on the other side of a successful competition to create a 
good algorithm -- yet we're already in rebellion.


But, the problem is more a realisation that requirements have changed, 
in game-changing ways, than that the old work was bad.  It's perhaps 
best seen as a time-line of black boxes.


For much of the latter part of the last century, the block cipher was 
considered the black box of interest.  But gradually simplistic use of 
this fell out of favour, and modes became interesting.  Note the 
flippantly-named ECB mode.


In the early 90s, we were into block ciphers and modes.  As long as we 
learnt DES and CBC, we achieved the honorific of 'crypto expert'.  As 
the 90s ended and into the 00s, we had to upgrade our knowledge with HMACs.


Then, in the early 00s, the term 'authenticated encryption' became 
popular.  Later on, perhaps the late 00s, it was also realised that 
there were no packets that were 16 bytes long, and indeed the whole 
notion of a block cipher was a historical convenience dating back to the 
typewriter construction of Enigma-style machines.  Remember the DES 8 
byte cipher?  And the 56 bit key, and 7 bit ASCII?


(Does anyone know what the thinking behind 8 byte blocks was?)

We can see this realisation -- that nobody types out an IP packet these 
days -- in Keccak's sponge function.  Perhaps it was the MD5/SHA1 
internal blocking and how it broke with certificates that triggered it 
(I'm reading the runes here) but the requirements have now shifted to the 
point where a block cipher is no longer relevant.


We need a variable-length, authenticated encryption function.



> Although cipher suite proliferation is a common criticism of TLS (and
> indeed, it seems like neither Camellia nor SEED nor ARIA offer any
> benefit over AES as far as I'm aware, though I'm not a cryptographer),


In the 1990s there was a cry for crypto-freedom that we all fell for; 
like coffee or beer or pot, there was no too-much here.  The feeling was 
strong that we wanted to have the freedom to choose and tinker with our 
own crypto choices, this was our right.  Dammit!


Unfortunately it also played into the hands of our nameless faceless 
bogeyman enemy, because it created a bureaucratic nightmare that left 
open chinks through complexity, and it also slowed down the deployment 
of crypto in a dramatic way.  For an amusing reference [0].


Anyone here care to speculate what algorithm agility costs us?  To my 
mind, it probably doubles the cost of the software.  Which in more 
concrete terms probably halves the chance of deployment, and halves the 
user base growth.  (That's without considering the introduction of 
weaknesses.)



> I wonder if there's benefit in adding a ciphersuite for a new stream
> cipher (such as Salsa20) to TLS, to eventually replace RC4?  Such a
> proposal could at least have clearly-stated goals (faster than RC4 and
> AES, more secure than RC4, avoiding the side-channel issues and CBC
> issues of AES), versus the unclear and never-stated goals of
> yet-another-128-bit-block-cipher.



Perhaps, the goals we now have are met more easily by a stream cipher 
than by a block cipher?  Hence the fascination with counter modes.




But really, what 
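
The composition ianG describes above (a cipher, a mode and a MAC assembled into a variable-length authenticated encryption function, with a counter-mode keystream doing the encrypting), as an added example written for this page; it is not code from the thread or from any project mentioned in it. Because the Python standard library has no AES, it assumes HMAC-SHA256 run in counter mode as a stand-in for the block cipher's counter mode; a second HMAC-SHA256 supplies the tag. The encrypt-then-MAC layering and the per-message nonce are what it demonstrates, and `reused_keystream_leak` shows what a counter mode gives up when that nonce is repeated.

```python
"""Encrypt-then-MAC authenticated encryption over a counter-mode keystream.

Added example, not code from the list thread.  HMAC-SHA256 in counter mode
stands in for a block cipher's counter mode (assumption: the standard library
has no AES), and a second HMAC-SHA256 supplies the MAC.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

NONCE_LEN = 12   # bytes of per-message nonce
TAG_LEN = 32     # bytes of HMAC-SHA256 tag


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one master key into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: PRF(key, nonce || counter) per 32-byte block, cut to length.
    No padding is ever needed, which is what makes the result variable-length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def _mac_input(nonce: bytes, associated_data: bytes, ciphertext: bytes) -> bytes:
    # Length-prefix the associated data so (ad, ct) pairs cannot be re-split.
    return nonce + struct.pack(">Q", len(associated_data)) + associated_data + ciphertext


def seal(master_key: bytes, plaintext: bytes, associated_data: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag.  A fresh random nonce per message is what
    keeps the keystream from being reused under the same key."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC: the tag covers everything the receiver will act on.
    tag = hmac.new(mac_key, _mac_input(nonce, associated_data, ciphertext), hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master_key: bytes, message: bytes, associated_data: bytes = b"") -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; return None on any failure."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master_key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:len(message) - TAG_LEN]
    tag = message[len(message) - TAG_LEN:]
    expected = hmac.new(mac_key, _mac_input(nonce, associated_data, ciphertext), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None   # reject before touching the ciphertext
    return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def reused_keystream_leak(enc_key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Why the nonce matters: encrypt two messages under the same key and nonce and
    the XOR of the ciphertexts equals the XOR of the plaintexts, whatever the cipher."""
    n = min(len(p1), len(p2))
    ks = keystream(enc_key, nonce, n)
    c1, c2 = xor(p1[:n], ks), xor(p2[:n], ks)
    return xor(c1, c2)   # equals xor(p1[:n], p2[:n]); one known plaintext exposes the other


if __name__ == "__main__":
    key = os.urandom(32)
    box = seal(key, b"variable length, no block padding", b"header-v1")
    print(unseal(key, box, b"header-v1"))
```

A deployment should take AES-GCM or ChaCha20-Poly1305 from a vetted library rather than this stand-in; what carries over is the shape: a fresh nonce per message, a tag that covers nonce, associated data and ciphertext with unambiguous length framing, and verification in constant time before any decryption happens.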

[cryptography] Client TLS Certificates - why not?

2013-03-03 Thread strife
Hi,

Can anyone enlighten me why client TLS certificates are used so rarely? It
used to be a hassle in the past, but now at least the major browsers offer
quite decent client cert support, and seeing how most people struggle with
passwords, I don't see why client certs could not be beneficial even to
ordinary users.

With CAcert, there is even an excellent infrastructure in place that could
allow people to generate signed pseudonymous client certificates. A
service provider could limit the number of certificates allowed per user
(as validated by CAcert), maybe even the number of points required etc.

That way, one could provide services without the requirement of
registration, and still effectively limit abuse?

Wondering
-strife



Re: [cryptography] Workshop on Real-World Cryptography

2013-03-03 Thread Jon Callas
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mar 3, 2013, at 7:05 PM, Patrick Pelletier c...@funwithsoftware.org wrote:

>
> This article surprised me, because it could almost be read as an argument 
> against AES (or even against block ciphers in general).  Which seems to 
> contradict the common cryptographic wisdom of just use AES and be done with 
> it.
>
> Besides the argument about AES having timing side-channels in #9, the room 
> 101 section at the end suggests we should do away with not only CBC, but also 
> AES-GCM, which is commonly touted as the solution to CBC's woes.  (He admits 
> it was his most controversial point, and I'm curious how it was received when 
> the talk was given.)  But I believe that if we rule out both CBC and AES-GCM 
> ciphersuites in TLS, that leaves us with only RC4.  (And indeed, 
> unsurprisingly given the author, RC4 seems to be what Google's sites prefer.)

Sadly, it's more complex than that. There are a bunch of rules of thumb that 
are independent of any particular cipher. Here are a few:

* Stream ciphers are typically a seeded PRNG that XORs the pseudo-random stream 
(colloquially called a keystream, but I think would be better called an 
r-stream) onto the plaintext. Everything from Lorenz to GCM works this way. 
This means that known plaintext means known keystream. That means that if you 
reuse the keystream, then there's a cipher break and it's independent of the 
cipher construction or key size. So they are very bad to use on jobs like 
encrypting disk blocks.

* Block ciphers need chaining modes to be effective, otherwise you can get a 
codebook built up. This is why ECB is suboptimal. Every chaining mode has its 
own plusses and minuses. CBC has weaknesses when you use it in a data stream, 
as opposed to a data block. The recent SSL attacks are attacks on the chaining 
mode more than on the cipher. Don't use CBC for a data stream. Counter mode 
turns a block cipher into a stream cipher and makes it good for streams, but 
then it gets all the drawbacks of stream ciphers. If you forget that counter 
mode is no longer a block cipher but a stream cipher, you can hurt yourself. 
But similarly, we've learned that CBC is tetchy when used in a data stream.

CFB mode is kinda part stream cipher and part block cipher. It's CBC mode's 
poor relation for no good reason. There are many cases where a CBC weakness 
(particularly one that boils down to a padding attack) could be fixed by using 
CFB mode. People don't though, for no good reason. There are plenty of places 
to use it -- but also look at the Katz-Schneier attack against OpenPGP, that 
was essentially an attack on CFB mode. Ironically, the easiest way to mitigate 
that attack is to compress your data before encrypting.

* Every cipher and system is going to have weak points. There are ones worth 
worrying about and ones not worth worrying about. There are even ones worth 
arguing over or even deciding that gentlepersons can disagree. There's a very 
old saying, there ain't a lock that can't be picked and it's true of crypto, 
too.

If you start hyperventilating about too many things, you *will* just throw your 
hands up in the air. Side channels are important. Pay attention to them. But if 
you start thinking too hard and expect perfect security, you won't do anything, 
and plaintext is always worse than ciphertext. That sounds obvious, but you 
would be surprised how hard it is for people to internalize that.

You can use PKCS#1 properly, if you know what you're doing. You can screw up 
GCM if you don't. (Personally, I don't like GCM. I think it's too tetchy. But 
I'm pretty blasé about PKCS#1, because I'm used to poring over it to make sure 
it's done right.)

* There are many crypto problems that good engineering can paper over. There 
are many that don't really show up in the real world. There are others that 
manifest themselves for whatever reason. Engineering is hard. Don't panic.

* There is a common thing that people do that I call engineering from 
ignorance as opposed to engineering from knowledge. For example, if you jump 
from AES or RC4 because of what you know about it to a cipher that hasn't been 
analyzed, you are engineering from ignorance. You're jumping from the devil you 
know to the devil you don't know. People like to do that, especially ones who 
want to live in a perfect world where ciphers have no drawbacks and there's no 
friction.

>
> It seems like we've been told for ages that RC4 is old and busted, and that 
> AES is the one-size-fits-all algorithm, and yet recent developments like 
> BEAST and Lucky 13 seem to be pushing us back into the arms of RC4 and away 
> from AES.

What do you mean "we"? 

RC4 got a bad rep because it has some weaknesses and because a lot of people 
didn't realize that you never send a stream cipher to do a block cipher's job. 
It has some other issues, like that its construction makes it hard to 
accelerate. For a cipher of its age, it's not bad, really, assuming you