Re: [cryptography] Introducing SC4 -- feedback appreciated
Hi,

what problem of traditional PGP implementations did you solve?

* Looks like the key exchange problem is still present (sent by mail)
* Any key authentication? I don't see any verification or certification model.

Regards
Dominik

On 04/17/2015 08:21 PM, stef wrote:
> ohio,
>
> On Fri, Apr 17, 2015 at 10:56:01AM -0700, Ron Garret wrote:
>> 1. It is a standalone web application.
>
> putting keys in the browser is like putting keys in front of a dmz. browsers are not designed for this, they are designed for delivering impressions and services to you. the security features you find in any browser are there to secure the revenue-stream of some companies, not for the protection of the interests of its users. (same goes for phones), the tool might be good (haven't checked), but the foundation it's built on is sand.
>
> you want to isolate your keys, current end-host security does not provide much protection against some malware in case recovery of your keys becomes a priority. you also want to make sure the code running is authentic, with js delivered over the net this is quite hard to do verifiably (again, not your protection, industry revenues are the thing to protect).
>
> cheers,s

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Silent Circle Takes on Phones, Skype, Telecoms
On 07/11/2014 04:23 PM, StealthMonger wrote:
> While I'm interested in how they're doing that, I'm far more interested in how Ann convinces Bob that she is Ann, and Bob convinces Ann that he is Bob. We left the OpenPGP/cert building a long time ago, we need more than just 1980s PKI ideas with elegant proofs.
>
> Note there's a philosophical issue here. A very good actress could convince Bob that she's Ann no matter how high the bandwidth of their communication, such as intimate body contact.

Besides getting the timing of your MitM right, attacking ZRTP requires mimicking _both_ persons' voices. So you need (at best) more than one Eve who mimic Bob and Alice at the right time by speaking out some words displayed on the phones. I am leaving out all the details of Hash Commitments before ZRTP's DH etc., because they are not relevant here.

There is a new, somewhat related paper presented here at SOUPS about mimicking voice:
https://www.usenix.org/system/files/conference/soups2014/soups14-paper-panjwani.pdf

The next question here is how the implementation handles that verification. Does the implementation a) ask to cancel the call if something seems wrong, or b) does it prevent you from proceeding by asking you whether the spoken word equals the displayed one and whether the voice sounds like Bob? yes/no.

I don't know of any app that implements b), but I haven't tested SilentCircle's apps. I personally think that people will _not_ cancel the application without being explicitly asked to do so, even when the words do not sound like being said by your friend Bob.

Conclusively, I think ZRTP is a nice approach, but thinking of your average Jonny: He will not cancel the conversation just because the voice sounds strange (only when the verification words were spoken, maybe the voice quality was just bad...)

Regards
Dominik
[cryptography] Using same key for ECDSA and ECIES
I am wondering if it is okay to use the same asymmetric ECC key for ECDSA and ECIES. Given that the signing and encryption algorithms are not related like in RSA, I assume it is okay to use the same key for both operations.

Are there any things I need to pay attention to when combining both schemes using the same keys? Can Bob decrypt messages by forcing Alice to sign messages? (as in naive RSA implementations).

Regards
Dominik
Re: [cryptography] Using same key for ECDSA and ECIES
On 20.09.2013 17:17, Paterson, Kenny wrote:
> It is technically secure. See: http://eprint.iacr.org/2011/615

Thank you so much for this paper, it's even mostly understandable with some basic knowledge of attack models :)

> Even so, I would not recommend this approach unless you absolutely have to use it.

Could you elaborate more on this? Do you see problems besides Alan Braggins' remark?

In my scenario I have a network with nodes sending messages hop-by-hop, where the ids of these nodes are the public keys themselves. The problem is that these networks are highly unreliable and have high delays (Delay tolerant networking). Thus, DH key exchange protocols are out of scope. The idea is to always sign messages with your private key, which could be verified by anyone using the node id itself (your pub key), and encrypt them using the destination's node id (which is the pub key of the destination). How you know if you are using the right node id (for verification or encryption) is not a problem which should be discussed here.

Because ids should be as short as possible, it would be nice to use the same pub key for verification and encryption. After reading related literature, I came to the conclusion to use ECDSA and ECIES (both with Koblitz curves, as I am sceptical about the random curves ;). Bernstein's curve25519 would be too difficult to integrate, as I didn't find a library which is present in current Linux distros and handles both EC signing and encryption schemes.

Regards
Dominik
Re: [cryptography] Using same key for ECDSA and ECIES
On 20.09.2013 22:09, Jeffrey Walton wrote:
> Crypto++ has the schemes and Dr. Bernstein's curve. The library is available on all major Linux and BSD platforms.

I am using Crypto++ already, but I can't find ed25519 anywhere in the library.

FYI: The maintainers of pycryptopp are including ed25519 as a separate dependency besides Crypto++.

Regards
Dominik
Re: [cryptography] urandom vs random
You can use DieHarder, which is a collection of statistical tests to evaluate if something looks random.

grarpamp grarp...@gmail.com schrieb:
> The subject thread is covering a lot about OS implementations and RNG various sources. But what are the short list of open source tools we should be using to actually test and evaluate the resulting number streams?

--
This message was sent from my Android mobile phone with K-9 Mail.
Re: [cryptography] skype backdoor confirmation
They have implemented ZRTP for end-to-end security. It works with a Diffie-Hellman key exchange, while protecting against man-in-the-middle attackers by comparing Short Authentication Strings (SAS). When you know the voice of the other person you can exclude Eve.

see https://jitsi.org/Documentation/ZrtpFAQ

Regards
Dominik

On 23.05.2013 20:01, Jonas Wielicki wrote:
> Jitsi is XMPP or SIP. For the text-part, they have built-in support for OTR. Otherwise, there is no end-to-end secrecy as far as I know. For voice calls, they have something similar, with some shared-secret verification which is validated using the text-channel, which is best secured with OTR I guess. I know of no thorough reviews of their model though.
>
> regards,
> Jonas
Re: [cryptography] skype backdoor confirmation
About the SAS: ZRTP uses a so-called Hash Commitment with traditional hashes before generating SAS values for voice comparison. See http://zfone.com/docs/ietf/rfc6189bis.html#HashCommit

> The use of hash commitment in the DH exchange constrains the attacker to only one guess to generate the correct Short Authentication String (SAS) in his attack, which means the SAS can be quite short. A 16-bit SAS, for example, provides the attacker only one chance out of 65536 of not being detected. Without this hash commitment feature, a MiTM attacker would acquire both the pvi and pvr public values from the two parties before having to choose his own two DH public values for his MiTM attack. He could then use that information to quickly perform a bunch of trial DH calculations for both sides until he finds two with a matching SAS. To raise the cost of this birthday attack, the SAS would have to be much longer. The Short Authentication String would have to become a Long Authentication String, which would be unacceptable to the user. A hash commitment precludes this attack by forcing the MiTM to choose his own two DH public values before learning the public values of either of the two parties.

Regards
Dominik

On 23.05.2013 20:59, Wasabee wrote:
> can someone give a few lines of explanation on how the Retained shared Secret (RS) is used in ZRTP?
>
> second, is it possible for an attacker to force an RS validation error (e.g. simulating network connection error by having a router drop packets) and then MiTM the DH handshake?
>
> the SAS is only 4 characters. presumably this is ascii so 2^27 = 531441 possibilities. On average the active MiTM attacker would need to try only half of them (real time) to find a collision. Do parties first commit (e.g. send H(N,g^x)) prior to sending their g^x to avoid the latter problem? If so, then what's the use of the SAS?
>
> Sorry if all those questions are trivial...
>
> Wasa
>
> On 23/05/2013 19:05, Dominik Schürmann wrote:
>> They have implemented ZRTP for end-to-end security. It works with a Diffie-Hellman key exchange, while protecting against man-in-the-middle attackers by comparing Short Authentication Strings (SAS). When you know the voice of the other person you can exclude Eve.
>>
>> see https://jitsi.org/Documentation/ZrtpFAQ
>>
>> Regards
>> Dominik
>>
>> On 23.05.2013 20:01, Jonas Wielicki wrote:
>>> Jitsi is XMPP or SIP. For the text-part, they have built-in support for OTR. Otherwise, there is no end-to-end secrecy as far as I know. For voice calls, they have something similar, with some shared-secret verification which is validated using the text-channel, which is best secured with OTR I guess. I know of no thorough reviews of their model though.
>>>
>>> regards,
>>> Jonas
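The commit-then-reveal flow quoted above, and the 16-bit SAS that the commitment makes sufficient, as an added example that is not part of the thread, the RFC or any of the implementations named here. It is a deliberately simplified model: the hash commitment covers only the initiator's DH public value (the real hvi hashes the whole DHPart2 message), the SAS is a plain truncated SHA-256 rather than ZRTP's KDF output, and the DH group is a toy 127-bit prime chosen only so the code runs quickly.

```python
import hashlib
import secrets

# Toy DH group for illustration only (not a ZRTP group): 2^127 - 1 is prime.
P = (1 << 127) - 1
G = 3
SAS_BITS = 16                # the 16-bit SAS discussed in the thread
SAS_SPACE = 1 << SAS_BITS    # 65536 values, so one blind guess succeeds w.p. 1/65536


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def commit(pvi: int) -> bytes:
    """Initiator's hash commitment to its DH public value (simplified hvi)."""
    return hashlib.sha256(b"zrtp-commit|" + to_bytes(pvi)).digest()


def derive_sas(shared: int, pvi: int, pvr: int) -> str:
    """16-bit SAS from the shared secret and both public values, as 4 hex chars."""
    material = b"zrtp-sas|" + to_bytes(shared) + to_bytes(pvi) + to_bytes(pvr)
    digest = hashlib.sha256(material).digest()
    return f"{int.from_bytes(digest[:2], 'big') % SAS_SPACE:04x}"


def run_exchange(tamper: bool = False) -> dict:
    """Commit -> pvr -> reveal pvi, with the responder checking the commitment.

    tamper=True models a party that chooses its DH value only after seeing pvr,
    which is exactly what the commitment exists to detect."""
    svi = secrets.randbelow(P - 2) + 1
    pvi = pow(G, svi, P)
    hvi = commit(pvi)                    # 1. Commit message carries hvi, not pvi
    svr = secrets.randbelow(P - 2) + 1
    pvr = pow(G, svr, P)                 # 2. DHPart1 reveals pvr
    if tamper:                           # 3. DHPart2 is supposed to reveal the committed pvi
        svi = secrets.randbelow(P - 2) + 1
        pvi = pow(G, svi, P)
    commit_ok = secrets.compare_digest(commit(pvi), hvi)  # responder aborts if False
    sas_i = derive_sas(pow(pvr, svi, P), pvi, pvr)
    sas_r = derive_sas(pow(pvi, svr, P), pvi, pvr)
    return {"commit_ok": commit_ok, "sas_initiator": sas_i, "sas_responder": sas_r}


if __name__ == "__main__":
    print("honest:", run_exchange())
    print("tampered:", run_exchange(tamper=True))
```

The commitment check answers Wasabee's first question (the value is bound before the peer's is seen); the SAS is still needed because a MiTM can commit honestly to its own values, and only the spoken comparison catches that, with the 1/65536 miss chance quoted above.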
Re: [cryptography] skype backdoor confirmation
Hi folks,

we recently wrote a small section about Skype with some references:
http://sufficientlysecure.org/uploads/skype.pdf

Interesting references (from 2005, 2006):
http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf
http://secdev.org/conf/skype_BHEU06.pdf

In my understanding it provided some sort of minimum end-to-end security in the past, but it could never be verified as it is a highly obfuscated protocol.

Regards
Dominik

On 22.05.2013 19:28, Florian Weimer wrote:
> * Adam Back:
>> If you want to claim otherwise we're gonna need some evidence.
>
> https://login.skype.com/account/password-reset-request
>
> This is impossible to implement with any real end-to-end security.