Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
> I find that Firefox refuses to do any ephemeral ciphers whatsoever.  What the 
> heck?  Why am I surprised.  Somebody paid them.
>
> If you follow Schneier, elliptic curve is not an option.
>
> I know you guys are severely underfunded, but is there any chance that 
> lattice encryption will be coming soon?  I've searched until my face turned 
> blue.

VPN is doing it now:  https://wiki.strongswan.org/projects/strongswan/wiki/Bliss
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
On 18/12/2017 22:35, Colony.three via openssl-users wrote:

>> PS, Jakob I'm getting on your email:  "This email has failed its
>> domain's authentication requirements. It may be spoofed or improperly
>> forwarded!"
>> The reason is: HEADER_FROM_DIFFERENT_DOMAINS,T_DKIM_INVALID
>
> Can you send me the full headers, so I can debug?
>
> Enjoy
>
> Jakob

Return-Path: <openssl-users-boun...@openssl.org>
X-Original-To: colony.th...@protonmail.ch
Delivered-To: colony.th...@protonmail.ch
Received: from mta.openssl.org (xmpp.openssl.org [194.97.150.230]) (using TLSv1.2 with
 cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by
 mail6i.protonmail.ch (Postfix) with ESMTPS id 635D4E2F for <colony.th...@protonmail.ch>;
 Mon, 18 Dec 2017 17:36:53 -0500 (EST)
Received: from mta.openssl.org (localhost [IPv6:::1]) by mta.openssl.org (Postfix) with
 ESMTP id 870BAE6ECC; Mon, 18 Dec 2017 22:36:01 + (UTC)
Received: by mta.openssl.org (Postfix, from userid 106) id D5E38E6EBF; Mon, 18 Dec 2017
 22:35:57 + (UTC)
Received: from smtpv6n-hq2.wisemo.com (smtpv6n-hq2.wisemo.com [IPv6:2a01:4f0:4018::24b])
 (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate
 requested) by mta.openssl.org (Postfix) with ESMTPS id CB89CE6EBF for
 <openssl-users@openssl.org>; Mon, 18 Dec 2017 22:35:56 + (UTC)
Received: from jb0008.i.wisemo.com ([2a01:4f0:4018:f0:fabc:12ff:fe78:9014]) by
 mailout.i.wisemo.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80)
 (envelope-from <jb-open...@wisemo.com>) id 1eR40p-jg-Kf for openssl-users@openssl.org;
 Mon, 18 Dec 2017 23:35:55 +0100
Authentication-Results: mail6i.protonmail.ch; dmarc=fail (p=none dis=none)
 header.from=wisemo.com
Authentication-Results: mail6i.protonmail.ch; spf=none
 smtp.mailfrom=openssl-users-boun...@openssl.org
Authentication-Results: mail6i.protonmail.ch; dkim=fail reason="signature verification
 failed" (2048-bit key) header.d=wisemo.com header.i=@wisemo.com header.b="FD31MWS4"
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on maili.protonmail.ch
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=4.0 tests=DKIM_SIGNED,
 HEADER_FROM_DIFFERENT_DOMAINS,T_DKIM_INVALID,T_RP_MATCHES_RCVD autolearn=no
 autolearn_force=no version=3.4.0
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=wisemo.com; s=v2016;
 h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject;
 bh=rWDo5ZVDxE3Y8t96X0ktB8yt0P5rzC+4PmeG1upOaRI=;
To: "Colony.three via openssl-users" <openssl-users@openssl.org>
References: <4mvmY5QeDcVaNTb3ESs174N_UTtbj0PYXYaGzuIpm0eTtX3xSH_z3OJVtCKZpxpiVGjE6dRE8wnTQUnyj3ybWQ==@protonmail.ch>
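
The DMARC verdict recorded in the headers above can be re-derived from the SPF and DKIM results plus domain alignment; the following is an added example, not part of the original message or of any project mentioned in the thread. The function names and the two-label organizational-domain shortcut are assumptions; real verifiers use the Public Suffix List.

```python
import re

# Constructed sample: the three Authentication-Results values from the headers
# above, unfolded onto one line each (the elided address is kept as posted).
SAMPLE_RESULTS = [
    "mail6i.protonmail.ch; dmarc=fail (p=none dis=none) header.from=wisemo.com",
    "mail6i.protonmail.ch; spf=none smtp.mailfrom=openssl-users-boun...@openssl.org",
    'mail6i.protonmail.ch; dkim=fail reason="signature verification failed" '
    '(2048-bit key) header.d=wisemo.com header.i=@wisemo.com header.b="FD31MWS4"',
]


def parse_auth_results(value):
    """Parse one header value into {method: (result, {property: value})}."""
    _authserv_id, _, rest = value.partition(";")
    parsed = {}
    for clause in rest.split(";"):
        clause = re.sub(r"\([^)]*\)", " ", clause)  # drop (comments)
        pairs = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', clause)
        if pairs:
            (method, result), props = pairs[0], pairs[1:]
            parsed[method.lower()] = (
                result.lower(),
                {k.lower(): v.strip('"') for k, v in props},
            )
    return parsed


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # verifiers consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def explain_dmarc(from_domain, header_values):
    """Re-derive the DMARC verdict from SPF/DKIM results plus alignment."""
    merged = {}
    for value in header_values:
        merged.update(parse_auth_results(value))

    def check(method, prop):
        result, props = merged.get(method, ("none", {}))
        domain = props.get(prop, "").rpartition("@")[2]
        aligned = bool(domain) and org_domain(domain) == org_domain(from_domain)
        return result, domain, aligned

    spf = check("spf", "smtp.mailfrom")  # domain of the envelope sender
    dkim = check("dkim", "header.d")     # domain that signed the message
    # DMARC passes if either mechanism both passes and aligns with From:.
    dmarc_pass = any(res == "pass" and ok for res, _, ok in (spf, dkim))
    return {"spf": spf, "dkim": dkim, "dmarc_pass": dmarc_pass}


if __name__ == "__main__":
    for key, val in explain_dmarc("wisemo.com", SAMPLE_RESULTS).items():
        print(key, val)
```

On the sample, SPF was evaluated for the envelope sender at openssl.org, which does not align with the wisemo.com From domain, and the aligned wisemo.com DKIM signature did not verify, so neither path passes.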
 

Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
PS, Jakob I'm getting on your email:  "This email has failed its domain's 
authentication requirements. It may be spoofed or improperly forwarded!"

The reason is:  HEADER_FROM_DIFFERENT_DOMAINS,T_DKIM_INVALID


Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
.

> For your information, I actually tracked down the original report
> about this (and posted some corrections in a comment to the
> researcher):
>
> - This was not HP's keyboard driver.  This was Synaptics' touch
>   pad driver (SynTP.sys).

Never said it is HP's driver.  But understand, that it only went in to HP 
machines.

As far as we know.  That, I have said.

> - The code in question was apparently the common classic issue
>   that the driver checks if a hotkey related to the touchpad is
>   pressed, and has a test feature to help each laptop manufacturer
>   check if they configured the correct (laptop-specific) scan code
>   for that hotkey by using a special test driver that logs the keys
>   that match/don't match the configured one.  On a number of
>   occasions HP (and maybe others) have sent such test drivers to end
>   users instead of the drivers without the debug feature.

A keylogger is not useful in this case, particularly as timing is an acute 
issue.  At the most basic, when they want what you portray, a utility like 
evtest.

> - In this case, no keys were logged unless someone (or something)
>   with admin rights on the laptop did extra steps to turn on the
>   feature and to read back the results.  Any malicious code with
>   those rights could just install its own logging without depending
>   on that particular wrong driver being installed,
> -  So to me, that particular issue falls into the less serious tier of:
> Possible misuse if other things go wrong first, upgrade when ready as
> a defense in depth.
> -  Jakob

Correct, it is not turned on by default.  Never said otherwise.  But it can be 
manually.

So far I've raised three independent issues in this thread, and have been 
fought on all three.  I am bored now with trying to raise awareness, so let's 
just all agree that nobody wants to hear it.  You do your thing and I'll do 
mine.


Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
>> On Mon, Dec 18, 2017 at 9:59 AM, Colony.three via openssl-users
>> openssl-users@openssl.org wrote:
>>
>>> Hear about the HP keylogging case recently? Do you think a keylogger is
>>> actually used in testing of a keyboard driver, in practice?
>>>
>>> Yes.
>>>
>>> More specifically, it's used to ensure that the scancodes that should
>>> be detected when a particular key is hit or released are actually
>>> detected when that key is hit or released. It's also useful for
>>> identifying how a particular keyboard has failed, to see which
>>> scancodes aren't being transmitted properly.
>>>
>>> That said, it's not something that should be left in a production
>>> driver. It's more suited for a development/diagnostics station than a
>>> general-purpose system.
>
> Actually no.  Microseconds count, when testing a keyboard driver.  It's easy 
> to imagine that a keylogger could be used, that's why the cover story worked 
> on so many.  But in actual practice it's not useful.
>
>>> (Eeesh. And my friends call me "paranoid".)
>
> It's easy to characterize this as paranoia.  Unless you are paying attention 
> to -facts- as the feedstock.

I should have said, "It's easy --and fun-- to characterize this as paranoia."


Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
> On Mon, Dec 18, 2017 at 9:59 AM, Colony.three via openssl-users
> openssl-users@openssl.org wrote:
>
>> Hear about the HP keylogging case recently? Do you think a keylogger is
>> actually used in testing of a keyboard driver, in practice?
>>
>> Yes.
>>
>> More specifically, it's used to ensure that the scancodes that should
>> be detected when a particular key is hit or released are actually
>> detected when that key is hit or released. It's also useful for
>> identifying how a particular keyboard has failed, to see which
>> scancodes aren't being transmitted properly.
>>
>> That said, it's not something that should be left in a production
>> driver. It's more suited for a development/diagnostics station than a
>> general-purpose system.

Actually no.  Microseconds count, when testing a keyboard driver.  It's easy to 
imagine that a keylogger could be used, that's why the cover story worked on so 
many.  But in actual practice it's not useful.

>> (Eeesh. And my friends call me "paranoid".)

It's easy to characterize this as paranoia.  Unless you are paying attention to 
-facts- as the feedstock.


Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
> Colony.three via openssl-users wrote:
>
>> I've set mine to test this comprehensively. (Apache and NginX)  With
>> Apache Firefox -ignores- server-prescribed ciphers and chooses an EC.
>> NginX does properly prevail with the algo.  Was this an accident, Apache?
>>
>> I'd suggest to read the Apache httpd docs first:
>>
>> https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder

So you think I didn't use this.

For those who are aware, I implied this by intentionally using the word 
'insist' WRT NginX.  I could have overtly said what proper options I'd used for 
every case in every instance, but I was hoping  ppl here would see.

This is why I believe this is not an accident.

Hear about the [HP keylogging 
case](http://www.bbc.com/news/technology-42309371) recently?  Do you think a 
keylogger is actually used in testing of a keyboard driver, in practice?

How about you actually try  SSLHonorCipherOrder on in Apache, Michael, and try 
the different cipher combinations?  Let us know how it works out.


Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
> Have you submitted a bug report for Apache (not honouring server config 
> cipher order) if one doesn't exist?

That never works.

> As for resistant to quantum computers, given the current aim is for systems 
> that can calculate things that would currently take the age of the universe 
> to calculate, resistance is futile ;)

I never allow the perfect, to become the enemy of the good.

I am looking forward to lattice.


Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
> - FF [claims it does 
> DHE/EDH](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29),
>  but it does not actually, in practice.  It does either EC, or RSA.  I've 
> tested it. (v52)  This does not look like an accident.
>
>  Have you found a server that does DHE/EDH, and only that, that FF cannot 
> connect to?

I've set mine to test this comprehensively. (Apache and NginX)  With Apache 
Firefox -ignores- server-prescribed ciphers and chooses an EC.  NginX does 
properly prevail with the algo.  Was this an accident, Apache?

And Firefox simply can not make a connexion when the only choices are the 
DHE/EDH algos -- which they say they can do 
[here](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29).

> - "Prefer conventional discrete-log-based systems over elliptic-curve 
> systems; the latter have constants that the NSA influences when they can."
>
> I missed that, thanks.  And for non-NSA curves that aren’t influenced?

As with Schneier, I don't trust any EC.  It's a shame.  I am looking forward to 
[independent 
lattice](https://policyreview.info/articles/news/post-snowden-cryptography-and-network-security/390).
 (Not that Mozilla, will implement it)  For now I'm set to DHE/EDH 
(fruitlessly) and RSA (AES).  RSA is cracked by a very few, but this is the 
decision I've made.


Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Colony.three via openssl-users
>> Okay, FF does ECDHE not DHE/EDH.  The whole industry does that, and most are 
>> using X25519 which was developed by Dan Bernstein.
>
> FF [claims it does 
> DHE/EDH](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29),
>  but it does not actually, in practice.  It does either EC, or RSA.  I've 
> tested it. (v52)  This does not look like an accident.
>
>>  The Guardian article you referenced didn’t even have the word curve in it.  
>> My question – do you have a reference that shows Schneier says not to use 
>> elliptic curve – was not answered.
>
> You don't have to read the article if you don't want to.
> "Prefer conventional discrete-log-based systems over elliptic-curve systems; 
> the latter have constants that the NSA influences when they can."
>
>> - The NSA actually provided the elliptic curves for NIST's standards.  And 
>> the Snowden docs now show that those curves are related.
>>
>> No they do not show that the curves are related.  And BTW, NIST just put 
>> 25519 and 448 into their recommended list.
>
> By its nature (secrecy), nothing public will prove the curves are related.  
> But Snowden documents show that they are.  And related curves have an 
> inherent shortcut to cracking, which any well-funded haqxor or 
> state-sponsored entity will have access to.
>
> From: noloa...@gmail.com
>
>>> Later I realized that was the best warning Google and Schmidt could
>>> give. He basically told you government has infiltrated their systems,
>>> and you should avoid their systems if security and privacy matters.
>
> What great PR, that it's become almost instinctive for people to ascribe 
> benevolence to G**gle.  I believe that Schmidt was telling us his true 
> position though.
>
> The one I am angry with is Mozilla, for not giving us a choice.  Chrome is a 
> choice?!  Safari is a choice?!  IE is a choice?!  No.  They are not.


Re: [openssl-users] Lattice Ciphers

2017-12-17 Thread Colony.three via openssl-users
> - I find that Firefox refuses to do any ephemeral ciphers whatsoever.  What 
> the heck?  Why am I surprised.  Somebody paid them.
>
> I don’t know what server you are testing against, but FF does ECDHE all the 
> time with no problems.

I should have said, "I find that Firefox refuses to do any ephemeral ciphers 
whatsoever, which are not elliptic curve. (referring to DHE, EDH, et al)  What 
the heck?  Why am I surprised.  Somebody paid them.   Firefox insists on EC."

> - If you follow Schneier, elliptic curve is not an option.
>
> That’s interesting, you have a reference for that?

Certainly.  Below.

> - I know you guys are severely underfunded, but is there any chance that 
> lattice encryption will be coming soon?  I've searched until my face turned 
> blue.
>
> We will most likely follow the IETF recommendation and see what the NIST 
> post-quantum work comes up with.  That’s my personal opinion, not necessarily 
> that of the whole time.

In August 2015, the NSA announced that it is planning to introduce a list of 
approved crypto methods that would resist quantum computers.  In April 2017, 
NIST naturally followed suit, starting a public vetting process which will last 
4 to 6 years.  Needless to say, I am hoping that there will be lattice 
open-source alternatives which are not based on NIST algos.  I do enterprise 
infosec, and if the NSA can do it, KGB probably has similar methods, not to 
mention Russian, Israeli, & Chinese haqxors, the Norks, corporate operations, 
and so on.  Any crypto weakening, whether through flaw or Intent, is the wrong 
thing.

G**gle's [Eric Schmidt 
says](https://en.wikipedia.org/wiki/Eric_Schmidt#Privacy), "If you have 
something that you don't want anyone to know, maybe you shouldn't be doing it 
in the first place."  This is a profoundly undemocratic attitude.  What would 
Thomas Paine, or Ben Franklin, or Patrick Henry say to this?

> On Sun, Dec 17, 2017 at 3:58 PM, Salz, Rich via openssl-users
>
> openssl-users@openssl.org wrote:
>
>>> If you follow Schneier, elliptic curve is not an option.
>>
>> That’s interesting, you have a reference for that?
>>
>> I'm guessing OP's referring to "Applied Cryptography, 2nd Edition".
>> There was one page on elliptical curve cryptography, and it didn't
>> give any real information on what it was, what problem it uses (the
>> discrete logarithm problem), how it's used, or how DH is adapted to
>> use it. The book was pretty much entirely against software patents,
>> and because ECC had been freshly patented it seemed to be much more
>> scary about the topic than it should have been.

No:  
https://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
 ... and many more Schneier articles.  He puts out a monthly newsletter.

The NSA actually provided the elliptic curves for NIST's standards.  And the 
Snowden docs now show that those curves are related.

(Unfortunately Schneier's own website doesn't take his advice for some reason -- 
he's busy)

Also Apache is not actually enforcing server-ordering of ciphers BTW, but NginX 
does.

PS - does OpenSSL get funding from the DoD?


[openssl-users] Lattice Ciphers

2017-12-17 Thread Colony.three via openssl-users
I find that Firefox refuses to do any ephemeral ciphers whatsoever.  What the 
heck?  Why am I surprised.  Somebody paid them.

If you follow Schneier, elliptic curve is not an option.

I know you guys are severely underfunded, but is there any chance that lattice 
encryption will be coming soon?  I've searched until my face turned blue.