On Mon, 9 Sep 2013, Daniel wrote:
Is there anyone on the lists qualified in ECC mathematics that can
confirm that?
NIST SP 800-90A, Rev 1 says:
The Dual_EC_DRBG requires the specifications of an elliptic curve and
two points on the elliptic curve. One of the following NIST approved
On Sun, 8 Sep 2013, Perry E. Metzger wrote:
What's the current state of the art of attacks against AES? Is the
advice that AES-128 is (slightly) more secure than AES-256, at least
in theory, still current?
I am not sure what is the exact attack you are talking about, but I
guess you
On Sun, 8 Sep 2013, Peter Fairbrother wrote:
On the one hand, if they continued to recommend that government people use
1024-bit RSA they could be accused of failing their mission to protect
government communications.
On the other hand, if they told ordinary people not to use 1024-bit RSA,
On Tue, 3 Sep 2013, radi...@gmail.com wrote:
1) Is there a NIST announce type list so I don't miss an entire
standards update cycle or two again? That doesn't cover all the
nitty gritty goings on during the journey to publication for FIPS
updates?
On Wed, 25 Aug 2010 travis+ml-cryptogra...@subspacefield.org wrote:
No, because FIPS 140-2 does not allow TRNGs (what they call
non-deterministic).
I couldn't tell if FIPS 140-1 allowed it, but FIPS 140-2 supersedes FIPS
140-1.
I assume they don't allow non-determinism because it makes the
http://arxiv.org/abs/1005.2376
Unconditional security proofs of various quantum key
distribution (QKD) protocols are built on idealized
assumptions. One key assumption is: the sender (Alice) can
prepare the required quantum states without errors. However,
such an assumption may be
On Wed, 18 Nov 2009, Bill Frantz wrote:
Perhaps I'm missing something, but my multiple banks will all accept
my signature when made with the same pen. Why wouldn't they
accept my signature when made with the same, well protected,
signing/user verifying device. I might have to take it to
On Sat, 7 Nov 2009, Sandy Harris wrote:
I'm in China and use SSL/TLS for quite a few things. Proxy connections,
Gmail set to always use https and so on. This is the main defense for
me and many others against the Great Firewall.
Should I be worrying about man-in-the-middle attacks from the
On Fri, 30 Oct 2009, Darren J Moffat wrote:
The SHA256 checksums are used even for blocks in the pool that aren't
encrypted and are used for detecting and repairing (resilvering) block
corruption. Each filesystem in the pool has its own wrapping key and
data encryption keys.
Due to some
http://www.securityfocus.com/archive/1/506607
Overview:
The premium and new line of QNAP network storage solutions allow for
full hard disk encryption. When rebooting, the user has to unlock the
hard disk by supplying the encryption passphrase via the web GUI.
However, when the hard disk is
Jerry Leichter wrote:
If current physical theories are even approximately correct,
there are limits to how many bit flips (which would
encompass all possible binary operations) can occur in
a fixed volume of space-time.
The physical arguments to which I was referring say *nothing*
about
On Sun, 9 Aug 2009, Jerry Leichter wrote:
Since people do keep bringing up Moore's Law in an attempt to justify
larger keys our systems stronger than cryptography, it's worth
keeping in mind that we are approaching fairly deep physical limits.
I wrote about this on this list quite a while
On Sun, 2 Aug 2009, Joseph Ashwood wrote:
So far, evidence supports the idea that the stereotypical Soviet
tendency to overdesign might have been a better plan after all,
because the paranoia about future discoveries and breaks that
motivated that overdesign is being regularly proven out.
On Tue, 26 May 2009, James Muir wrote:
There is some academic work on how to protect crypto in software from
reverse engineering. Look-up white-box cryptography.
Disclosure: the company I work for does white-box crypto.
Could you explain what is the point of white-box cryptography (even
if
On Sun, 15 Feb 2009, Rene Veerman wrote:
Recently, on both the jQuery(.com) and PHP mailinglists, a question has
arisen on how to properly secure a login form for a non-ssl web-application.
But the replies have been "get ssl".. :(
Unfortunately, they are right: get SSL.
If you have a
On Wed, 11 Feb 2009, Ben Laurie wrote:
If I have data on my server that I would like to stay on my server
and not get leaked to some third party, then this is exactly the
same situation as DRMed content on an end user's machine, is it not?
The threat model is completely different: for DRM the
http://www.heise-online.co.uk/security/Encrypting-hard-disk-housing-cracked--/news/112141:
With its Digittrade Security hard disk, the German vendor
Digittrade has launched another hard disk housing based on the
unsafe IM7206 controller by the Chinese manufacturer Innmax.
The German
On Mon, 4 Aug 2008, Stephan Neuhaus wrote:
Or better still, make many tests and see if your p-values are
uniformly distributed in (0,1). [Hint: decide on a p-value for that
last equidistribution test *before* you compute that p-value.]
Of course, there are many tests for goodness of fit
On Thu, 31 Jul 2008, Pierre-Evariste Dagand wrote:
Just by curiosity, I ran the Diehard tests[...]
Sum-up for /dev/random:
Abnormally high value: 0.993189 [1]
Abnormally low value: 0.010507 [1]
Total: 2
Sum up for Sha1(n):
Abnormally high values: 0.938376, 0.927501 [2]
Abnormally low
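The two randomness-testing messages above (Neuhaus's advice to run many tests and check that the resulting p-values are themselves uniform on (0,1), with the threshold fixed beforehand, and the Diehard run on /dev/random with its "abnormally high/low" p-values) describe a procedure without showing it. The following is an added example, not code from either poster or from Diehard: it uses a single simple test (the NIST-style monobit frequency test) as the source of p-values and a Kolmogorov-Smirnov distance against U(0,1) as the second-level check. The bit sources are constructed from a seeded PRNG so the run is reproducible; the chunk size, number of runs, the KS check and alpha = 0.05 are this example's choices, not anything the thread specifies.

```python
import math
import random

# Constructed demo: bits come from a seeded PRNG so the run is reproducible.
# In practice the bits would be read from the generator under test
# (e.g. /dev/random, as in the quoted Diehard run).

def monobit_pvalue(bits):
    """NIST-style frequency (monobit) test: p = erfc(|S| / sqrt(2n)),
    where S counts ones as +1 and zeros as -1. Uniform on (0, 1) under H0."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2.0 * n))

def pvalues_over_chunks(bits, chunk):
    """Run the test many times, once per non-overlapping chunk of the stream."""
    return [monobit_pvalue(bits[i:i + chunk])
            for i in range(0, len(bits) - chunk + 1, chunk)]

def ks_uniform_statistic(pvalues):
    """Kolmogorov-Smirnov distance between the empirical CDF of the
    p-values and the CDF of U(0, 1)."""
    xs = sorted(pvalues)
    m = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        d = max(d, (i + 1) / m - x, x - i / m)
    return d

def ks_critical(m, alpha):
    """Asymptotic KS critical value: reject uniformity if D exceeds it
    (alpha = 0.05 gives the familiar 1.36 / sqrt(m))."""
    return math.sqrt(-0.5 * math.log(alpha / 2.0)) / math.sqrt(m)

def uniformity_verdict(pvalues, alpha):
    """alpha is the threshold decided *before* looking at the data."""
    d = ks_uniform_statistic(pvalues)
    return d, d <= ks_critical(len(pvalues), alpha)

def bernoulli_bits(n, p_one, seed):
    """Constructed source: independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

ALPHA = 0.05   # chosen in advance, as the quoted hint demands
CHUNK = 1000
RUNS = 200

if __name__ == "__main__":
    for label, p_one in (("fair source", 0.5), ("biased source P(1)=0.6", 0.6)):
        bits = bernoulli_bits(CHUNK * RUNS, p_one, seed=2008)
        pv = pvalues_over_chunks(bits, CHUNK)
        d, ok = uniformity_verdict(pv, ALPHA)
        print(f"{label}: KS D = {d:.3f}, critical = {ks_critical(RUNS, ALPHA):.3f}, "
              f"{'p-values look uniform' if ok else 'p-values NOT uniform'}")
```

The point of the second-level check is that a single "abnormally low" p-value out of many runs is expected; what matters is whether the whole collection of p-values is distributed the way H0 predicts. The biased source fails not because one run looks odd but because every run's p-value piles up near zero.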
On Mon, 9 Jun 2008, Leichter, Jerry wrote:
Even worse, targeted malware could attack your backups. If it
encrypted the data on the way to the backup device, it could survive
silently for months, by which time encrypting the live data and
demanding the ransom would be a very credible threat.
On Tue, 13 May 2008, Ben Laurie wrote:
Had Debian done this in this case, we (the OpenSSL Team) would have
fallen about laughing
I think we all should not miss this ROTFL experience:
Original code (see ssleay_rand_add)
On Thu, 1 May 2008, zooko wrote:
I would think that it also helps if a company publishes the source
code and complete verification tools for their chips, such as Sun has
done with the Ultrasparc T2 under the GPL.
To be sure that implementation does not contain back-doors, one needs
not only
On Tue, 29 Apr 2008, Jack Lloyd wrote:
Expectations of privacy at work vary by jurisdiction and industry. In
the US, and say in the financial services industry, any such expectations
are groundless (IANAL).
Most places I have worked (all in the US) explicitly required consent
to more or
On Tue, 22 Apr 2008, Leichter, Jerry wrote:
Interestingly, if you add physics to the picture, you can convert
"no practical brute force attack" into "no possible brute force
attack given known physics. Current physical theories all place a
granularity on space and time: There is a smallest unit
On Wed, 13 Feb 2008, Dave Korn wrote:
On 11 February 2008 17:37, Crawford Nathan-HMGT87 wrote:
I'm wondering if they've considered the possibility of EMI skewing
the operation of the device, or other means of causing the device
to generate less than completely random numbers.
Not
On Thu, 17 Jan 2008, Gleb Paharenko wrote:
Russian government accepted changes in laws about licensing
cryptographic algorithms and devices. The statement in Russian
language:
http://www.garant.ru/hotlaw/doc/109485.htm
Essential in English:
You do not need to license staff which uses:
On Wed, 19 Sep 2007, Nash Foster wrote:
Any actual cryptographers care to comment on this? I don't feel
qualified to judge.
Not a single IKE implementation [...] were validating the
Diffie-Hellman public keys that I sent.
There are many ways to use DH key-agreement. The one described
on the
Hi.
On Sun, 16 Sep 2007, Joachim Strömbergson wrote:
One could add test functionality that checks the randomness of the
initial SRAM state after power on. But somehow I don't think a good test
suite and extremely low cost devices (for example RFID chips) are very
compatible concepts.
One can
I suspect there are two reasons for QKD to be still alive.
First of all, the cost difference between quantum and normal
approaches is so enormous that a lot of ignorant decision makers
actually believe that they get something extra for this money.
If you tell a lie big enough and keep repeating
On Mon, 25 Jun 2007, Hal Finney wrote:
The idea of putting a TPM on a smart card or other removable device is
even more questionable from this perspective. A TPM which communicates
via an easily accessible and tamperable bus is almost useless for the
security concepts behind the Trusted
On Tue, 5 Jun 2007, Travis H. wrote:
1048576000 bytes (1.0 GB) copied, 3.08291 seconds, 340 MB/s
[...]
That seems to reflect that it isn't really going to disk.
I'm surprised the controller has that much RAM on it,
I guess it is not the controller, but the kernel.
Encryption reduces
Hi.
On Wed, 20 Jun 2007 [EMAIL PROTECTED] wrote:
Network Endpoint Assessment (NEA): Overview and Requirements
http://www.ietf.org/internet-drafts/draft-ietf-nea-requirements-02.txt
[...]
NEA technology may be used for several purposes. One use is to
facilitate endpoint compliance
On Fri, 22 Jun 2007, Peter Gutmann wrote:
It's available as part of other products (e.g. nCipher do it for keying their
HSMs), but I don't know of any product that just does... secret sharing. What
would be the user interface for such an application? What would be the target
audience? (I
On Fri, 11 May 2007, Jon Callas wrote:
What about DRM/ERM that uses TPM? With TPM the content is
pretty much tied to a machine (barring screen captures etc)
Will ERM/DRM be ineffective even with the use of TPM?
There are two different features of TPM: it can work as an embedded
smartcard (to
On Thu, 26 Apr 2007, Simon Josefsson wrote:
Are you afraid of attackers secretly changing your software (to
monitor you?) while your computer is off?
I believe this is a not completely unreasonable threat. Modifying files
on the /boot partition to install a keylogger is not rocket science,
On Wed, 25 Apr 2007, Travis H. wrote:
If the IV chained across contiguous messages as in SSHv2
then you have a problem (see above).
I don't fully understand what it means to have IVs chained
across contiguous (?) messages, as in CBC mode each ciphertext
block forms the IV of the block
On Wed, 25 Apr 2007, Hagai Bar-El wrote:
It seems as Aram uses a different IV for each message encrypted with
CBC. I am not sure I see a requirement for randomness here. As far
as I can tell, this IV can be a simple index number or something as
predictable, as long as it does not repeat within
On Wed, 25 Apr 2007, Travis H. wrote:
Just recently I discovered Debian default installs now support
encrypted root (/boot still needs to be decrypted).
Presumably we are moving back the end of the attack surface; with
encrypted root, one must attack /boot or the BIOS. What is the
limit?
On Tue, 30 Jan 2007, Leichter, Jerry wrote:
This is a common misconception. The legal system does not rely on
lawyers, judges, members of Congress, and so on understanding how
technology or science works. It doesn't rely on them coming to
accept the trustworthiness of the technology on any
On Sun, 28 Jan 2007, Steven M. Bellovin wrote:
Beyond that, 60K doesn't make that much of a difference even with a
traditional /etc/passwd file -- it's only an average factor of 15
reduction in the attacker's workload. While that's not trivial, it's
also less than, say, a one-character
On Tue, 23 Jan 2007, Peter Gutmann wrote:
The IEEE P1619 standard group has dropped LRW mode. It has a vulnerability
in that there are collisions that will divulge the mixing key which will reduce
the mode to ECB.
Is there any more information on this anywhere? I haven't been able to find
On Sun, 3 Dec 2006, David Johnston wrote:
Moreover, AES-256 is 20-ish percent slower than AES-128.
Compared to AES-128, AES-256 is 140% of the rounds to encrypt 200% as
much data. So when implemented in hardware, AES-256 is substantially faster.
AES-256 means AES with 128-bit block and
On Wed, 8 Nov 2006, Travis H. wrote:
On Wed, Nov 08, 2006 at 05:58:41PM -0500, Leichter, Jerry wrote:
Sorry, that doesn't make any sense. If your HWRNG leaks 64 bits,
you might as well assume it leaks 256. When it comes to leaks of
this sort, the only interesting numbers are 0 and all.
On Tue, 7 Nov 2006, Peter Gutmann wrote:
Saqib Ali [EMAIL PROTECTED] writes:
I compile a lot of software on my laptop, and I *certainly notice* the
difference between my office laptop (no encryption) and my travel laptop
(with FDE). The laptops are exactly the same, with the same image
On Wed, 1 Nov 2006, Saqib Ali wrote:
Well for one thing, any software based FDE is extremely slow, doubles
the file access times, and is a serious drain on the laptop battery.
If a PC is used by an interactive user, it is irrelevant how much
access time is increased, as far as the user cannot
On Mon, 9 Oct 2006 kkursawe at esat.kuleuven.ac.be wrote:
IIUC, TPM is pointless for disk crypto: if your laptop is stolen the
attacker can reflash BIOS and bypass TPM.
According to TCG Specification, the first part of the BIOS (called
Core Root of Trust for Measurement) should be
On Mon, 9 Oct 2006, James A. Donald wrote:
Well obviously I trust myself, and do not trust anyone else all that
much, so if I am the user, what good is trusted computing?
One use is that I can know that my operating system has not changed
behind the scenes, perhaps by a rootkit, know that
On Fri, 6 Oct 2006, Erik Tews wrote:
And the TPM knows that your BIOS has not lied about the checksum of grub
how?
The TPM does not know that the BIOS did not lie about the checksum of
grub or any other bios component.
What you do is, you trust your TPM and your BIOS that they never lie
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using
Hash Collisions, by Scott Contini and Yiqun Lisa Yin (*)
On Mon, 25 Sep 2006, Anton Stiglic wrote:
Very interesting, I wonder how this integrates with the following paper
http://citeseer.ist.psu.edu/bellare06new.html (**)
On Wed, 20 Sep 2006, Steven M. Bellovin wrote:
http://www.newsday.com/news/printedition/stories/ny-wocode184896831sep18,0,7091966,print.story
That isn't supposed to be possible these days...
It is not clear that with modern technology interception is
impossible, at least during the Second Gulf War
On Sun, 10 Sep 2006, James A. Donald wrote:
Could you describe this attack in more detail. I do not see a
scenario where it would be useful.
Suppose that an attacker runs an activex control on the user's
computer and the control is able to ask a smart card connected to the
computer to perform
On Thu, 7 Sep 2006, Leichter, Jerry wrote:
| If an attacker is given access to a raw RSA decryption oracle (the
| oracle calculates c^d mod n for any c) is it possible to extract the
| key (d)?
If I hand you my public key, I have in effect handed you an oracle that
will compute c^d mod n for
Hi.
If an attacker is given access to a raw RSA decryption oracle (the
oracle calculates c^d mod n for any c) is it possible to extract the
key (d)?
It is known, that given such an oracle, the attacker can ask for
decryption of all primes less than B, and then he will be able to
sign PKCS-1
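The snippet above states the multiplicative property that makes a raw RSA decryption oracle dangerous: since (a*b)^d = a^d * b^d mod n, an attacker who obtains p^d mod n for every prime p below some bound B can compute m^d for any B-smooth m without ever submitting m. The following is an added example, not code from the poster: a constructed toy key (about 40-bit modulus, built from small primes found by trial division), a query-counting oracle, the harvesting step, and the forgery. It works on raw integers; turning this into a signature on a PKCS#1-padded encoding, which is what the snippet alludes to, requires finding padded values that happen to be smooth and is not shown here. The smoothness bound B = 100 and the target message are this example's choices.

```python
from math import gcd

def is_prime(k):
    """Trial division; adequate for the small demo numbers used here."""
    if k < 2:
        return False
    i = 2
    while i * i <= k:
        if k % i == 0:
            return False
        i += 1
    return True

def next_prime(k):
    while not is_prime(k):
        k += 1
    return k

def make_demo_key():
    """Constructed toy key. Real keys are 2048+ bits, but the
    multiplicative property exploited below is identical."""
    p = next_prime(10**6)
    q = next_prime(10**6 + 30)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)
    return n, e, d

class RawRsaOracle:
    """Computes c^d mod n for any c, and counts how often it was asked."""
    def __init__(self, n, d):
        self.n, self.d, self.queries = n, d, 0

    def decrypt(self, c):
        self.queries += 1
        return pow(c, self.d, self.n)

def harvest_prime_signatures(oracle, bound):
    """Ask the oracle once per prime below the smoothness bound B."""
    return {p: oracle.decrypt(p) for p in range(2, bound) if is_prime(p)}

def factor_smooth(m, bound):
    """Return {prime: exponent} if m is B-smooth, otherwise None."""
    factors, rest = {}, m
    for p in range(2, bound):
        while rest % p == 0:
            factors[p] = factors.get(p, 0) + 1
            rest //= p
    return factors if rest == 1 else None

def forge(m, table, n, bound):
    """m^d = prod (p_i^d)^(k_i) mod n, using only the harvested values."""
    factors = factor_smooth(m, bound)
    if factors is None:
        return None   # target is not B-smooth; this trick does not apply to it
    sig = 1
    for p, k in factors.items():
        sig = sig * pow(table[p], k, n) % n
    return sig

if __name__ == "__main__":
    n, e, d = make_demo_key()
    oracle = RawRsaOracle(n, d)
    B = 100
    table = harvest_prime_signatures(oracle, B)
    target = 2**10 * 3**5 * 7**3 * 11   # B-smooth message never sent to the oracle
    s = forge(target, table, n, B)
    print(f"{oracle.queries} oracle queries; forged signature verifies: "
          f"{pow(s, e, n) == target}")
    print(f"non-smooth target 1009 -> {forge(1009, table, n, B)}")
```

The practical lesson is the one the thread is circling: a "raw" RSA private-key operation exposed to untrusted input is an oracle, and padding schemes exist precisely so that the values the key is applied to are not under the caller's multiplicative control.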
On Mon, 28 Aug 2006, Travis H. wrote:
On 8/23/06, Alexander Klimov [EMAIL PROTECTED] wrote:
A random bit stream should have two properties: no bias and no
dependency between bits. If one has biased but independent bits he
can use the von Neumann algorithm to remove the bias
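The quoted statement above (bias and dependency are separate properties, and the von Neumann algorithm removes bias only under independence) is easy to demonstrate. The following is an added example, not code from the poster: the extractor itself, a constructed biased-but-independent source from a seeded PRNG, and a dependent input that shows why independence is the load-bearing assumption. The sample size, bias and seed are this example's choices.

```python
import random

def von_neumann(bits):
    """Von Neumann extractor: read non-overlapping pairs; (0,1) -> 0,
    (1,0) -> 1, and (0,0)/(1,1) are discarded. This removes bias only
    when the input bits are independent and identically distributed."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out

def biased_independent_bits(n, p_one, seed):
    """Constructed source: i.i.d. bits with P(1) = p_one (seeded, reproducible)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def bias(bits):
    """Fraction of ones; 0.5 means unbiased."""
    return sum(bits) / len(bits)

def expected_output_per_input_bit(p_one):
    """A pair survives with probability 2p(1-p), i.e. p(1-p) output bits
    per input bit; the price of debiasing is throughput."""
    return p_one * (1 - p_one)

if __name__ == "__main__":
    raw = biased_independent_bits(100_000, 0.8, seed=2006)
    fixed = von_neumann(raw)
    print(f"input bias {bias(raw):.3f} -> output bias {bias(fixed):.3f}, "
          f"kept {len(fixed)} of {len(raw)} bits "
          f"(expected about {expected_output_per_input_bit(0.8):.2f} per input bit)")
    # Dependency defeats the extractor: a perfectly alternating stream has
    # no bias at all, yet every pair is (0,1), so the output is constant.
    print("alternating input ->", von_neumann([0, 1] * 5))
```

The alternating-input case is the one to remember when evaluating a hardware source: a stream can pass a frequency test and still be worthless after debiasing, because the extractor assumes exactly the property (independence) that such a source lacks.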
On Mon, 14 Aug 2006, David Wagner wrote:
Here's an example. Suppose we have the equations:
x*y + z = 1
x^3 + y^2 * z = 1
x + y + z = 0
Step 1: Find all solutions modulo 2. This is easy: you just have to try
2^3 = 8 possible assignments and see which one satisfy the
On Mon, 21 Aug 2006, Max A. wrote:
Could anybody familiar with PGP products look at the following page
and explain in brief what it is about and what are consequences of the
described bug?
http://www.safehack.com/Advisory/pgp/PGPcrack.html
The text there looks to me rather obscure with a
On Tue, 25 Jul 2006, Perry E. Metzger wrote:
EE Times is carrying the following story:
http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=190900759
[...]
I'd be interested in other people's thoughts on this. Can you use DRM
to protect something worth not eight dollars but eight
On Wed, 29 Mar 2006, Sean McGrath wrote:
He adds that the method does not require a large radio antenna or
that the communicating parties be located in the same hemisphere, as
radio signals can be broadcast over the internet at high speed.
It sounds like encrypting $P$ by xoring it with random
Hi.
I have checked several papers and software packages which implement
modular square root and it looks like there is no agreement about what
algorithm is the best except that everybody does the same for p=3(4).
Chapter 3 of HAC suggests special algorithms for p=3(4) and p=5(8); a
general
On Wed, 11 Jan 2006, Ian G wrote:
Even though triple-DES is still considered to have avoided that
trap, its relatively small block size means you can now put the
entire decrypt table on a dvd (or somesuch, I forget the maths).
This would need 8 x 2^{64} bytes of storage which is approximately
On Thu, 22 Dec 2005, Philipp Gühring wrote:
I have been asked by to verify the quality of the random numbers which are
used for certificate requests that are being sent to us, to make sure that
they are good enough, and we don't issue certificates for weak keys.
Consider an
On Mon, 19 Dec 2005, Travis H. wrote:
He says no mpi/modular arithmetic libraries that he knows of use
this technique
I guess the main reason is that the environments where these libraries
are supposed to be used are believed to be immune to the attacks
these checks are trying to prevent: the
On Wed, 14 Dec 2005, Hadmut Danisch wrote:
Maybe in near future the advantages of that noise produced by millions
of bots will outweigh the disadvantages?
First of all, even if you receive 1000 spams a day plus a message from
your commander it does not give you much since the spams are from
On Mon, 12 Dec 2005, R. A. Hettinga wrote:
--- begin forwarded text
[...]
These attacks come from someone with intense discipline. No other
organization could do this if they were not a military organization,
Paller said in a conference call to announce a new cybersecurity education
On Mon, 12 Dec 2005, Travis H. wrote:
In Peter Gutmann's godzilla cryptography tutorial, he has some really
good (though terse) advice on subtle gotchas in using DH/RSA/Elgamal.
I learned a few no-nos, such as not sending the same message to 3
separate users in RSA (if using 3 as an encryption
On Sat, 10 Dec 2005, Anne Lynn Wheeler wrote:
NSA posts notice about faster, lighter crypto
http://www.fcw.com/article91669-12-09-05-Web
This makes me wonder how news is created -- the NSA announcement made
on 16 February 2005 becomes news in December...
BTW, we already discussed here
On Mon, 12 Dec 2005, Travis H. wrote:
Seems like a lot of new folks (myself included) ask questions that
have the following answer: Read the literature, no there's no one
site, that would be too much effort, &c. Would a wiki specifically
for crypto distribute the burden enough to be useful?
On Thu, 17 Nov 2005, Jari Ruusu wrote:
Unfortunately truecrypt is just another broken device crypto implementation
that uses good ciphers in insecure way. Specially crafted static bit
patterns are easily detectable through that kind of bad crypto.
Looks like they have fixed it: version 4.1
On Tue, 29 Nov 2005, Jack Lloyd wrote:
The basic scenario I'm looking at is encrypting some data using a
password-derived key (using PBKDF2 with sane salt sizes and
iteration counts). [...] My inclination is to use the PBKDF2 output
as a key encryption key, rather than using it to directly
On Sat, 19 Nov 2005, Ian G wrote:
Someone mailed me with this question, anyone know
anything about Haskell?
It is a *purely* functional programming language.
http://www.haskell.org/aboutHaskell.html
Original Message
I just recently stepped into open source cryptography
On Fri, 11 Nov 2005, Joseph Ashwood wrote:
From: Charlie Kaufman [EMAIL PROTECTED]
I've heard but not confirmed a figure of one failure in 20 million. I've
never heard an estimate of the probability that two runs would fail to
detect the composite. It couldn't be better than one failure in 20
On Wed, 9 Nov 2005, Jeremiah Rogers wrote:
I guess the small increase in efficiency would not be worth additional
program code.
That depends on the size of the numbers you're working with...
Considering the research that goes into fast implementations of
PowerMod I don't think the
On Thu, 10 Nov 2005, Terence Joseph wrote:
The Pseudorandom Number Generator specified in Ansi X9.17 used to be one of
the best PRNGs available if I am correct. I was just wondering if this is
still considered to be the case? Is it widely used in practical situations
or is there some better
On Mon, 7 Nov 2005, Jason Holt wrote:
Take a look at ecryptfs before rewriting cfs
... or at TrueCrypt (which works on linux and windows):
http://www.truecrypt.org/downloads.php
--
Regards,
ASK
-
The Cryptography Mailing
On Wed, 26 Oct 2005, Jörn Schmidt wrote:
--- Travis H. [EMAIL PROTECTED] wrote:
[snip]
Another issue involves the ease of use when switching between a
[slower] anonymous service and a fast non-anonymous service. I
have a tool called metaprox on my website (see URL in sig) that
allows
On Sun, 11 Sep 2005, Alexander Klimov wrote:
Does anyone know a good survey about ECC patent situation?
I have made a shallow review (comments are welcome!) of the
patents that Certicom claims pertain to ECC implementation
and it looks like there are no real road-blocks for ECDH and
ECDSA
On Sun, 2 Oct 2005, Matt Crawford wrote:
On Sep 29, 2005, at 18:32, Jason Holt wrote:
Of course, you can put anything you want in the cert, since the
servers know that my CA only certifies 1 bit of data about users
(namely, that they only get one cert per scarce resource).
One per person
On Tue, 13 Sep 2005, Paul Hoffman wrote:
At 9:32 AM -0700 9/12/05, James A. Donald wrote:
It has been a long time, and no one has paid out
money on an ECC patent yet.
That's pretty bold statement that folks at Certicom might disagree
with, even before
On Mon, 12 Sep 2005, Jaap-Henk Hoepman wrote:
I believe smartcards (and trusted computing platforms too, btw) aim to solve
the following problem:
How to enforce your own security policy in a hostile environment, not
under your own physical control?
Examples:
- Smartcard: electronic
On Sun, 11 Sep 2005, Ben Laurie wrote:
Alexander Klimov wrote:
ECC is known since 1985 but seems to be absent in popular free
software packages, e.g., neither gnupg nor openssl has it (even if the
relevant patches were created). It looks like the main reason is some
patent uncertainty
Hi.
ECC is known since 1985 but seems to be absent in popular free
software packages, e.g., neither gnupg nor openssl has it (even if the
relevant patches were created). It looks like the main reason is some
patent uncertainty in this area.
An internet research shows that Certicom claims to hold
On Wed, 17 Aug 2005, Florian Weimer wrote:
Can't you strip the certificates which have expired from the CRL? (I
know that with OpenPGP, you can't, but that's a different story.)
Probably, you want to save the signatures on the old lists,
but I don't see why you can not download only delta of
On Thu, 4 Aug 2005, Arash Partow wrote:
My question relates to hash functions in general and not specifically
cryptographic hashes. I was wondering if there exists a group of hash
function(s) that will return an identical result for sequentially
similar yet rotate/shift wise dissimilar input:
On Tue, 2 Aug 2005, Udhay Shankar N wrote:
Sounds interesting. Has anybody used this, and are there any comments?
For similar purpose I used to use .qmail based system: the script
started from .qmail when a message to some special address arrives,
the script checks the digital signature on the
On Wed, 13 Jul 2005, Perry E. Metzger wrote:
Why is it, then, that banks are not taking digital photographs of
customers when they open their accounts so that the manager's computer
can pop up a picture for him, which the bank has had in possession the
entire time and which I could not have