I am not convinced that we need intuitive cryptography.
Many things in life are not understood by the general public.
How does a car really work: most people don't know but they still drive one.
How does a microwave oven work?
People don't need to understand the details, but the high level
Bill Stewart wrote:
Salt is designed to address a couple of threats
- Pre-computing password dictionaries for attacking wimpy passwords
...
Yes indeed. The rainbow-tables style attacks are important to protect
against, and a salt does the trick. This is why you can find rainbow tables
for
O.k., thanks to Hal Finney for pointing out to me in a private email that my
modulus wasn't in fact the right size. I have had some problems with the
openssl key generation (doesn't always seem to generate the exact modulus
size I ask for).
In attachment, the forged signature
spreads...
Anton Stiglic writes:
I tried coming up with my own forged signature that could be validated with
OpenSSL (which I intended to use to test other libraries). ...
Now let's look at s^3
1FFF
As others have mentioned, I don't believe the small RSA exponent (e = 3)
is to blame in Bleichenbacher's attack.
Indeed, the mathematical problem of computing the cubic root of m modulo
an rsa modulus n, for a *fixed*, arbitrary m, is still considered to be
hard (no one has shown the opposite).
I tried coming up with my own forged signature that could be validated with
OpenSSL (which I intended to use to test other libraries). I haven't
succeeded, either because in the particular example I came up with OpenSSL
does something that catches the invalid signature, or I messed up somewhere
David Wagner writes:
SB1386 says that if a company conducts business in California and
has a system that includes personal information stored in unencrypted form
and if that company discovers or is notified of a breach of the security of
that system, then the company must notify any California
More strongly, if we've never met, and you are not in the habit of
routinely signing email, thereby tying a key to your e-persona, it
makes no sense to speak of *secure* communication to *you*.
Regularly signing email is not necessarily a good idea. I like to be able
to repudiate most emails I
I don't believe MtE is good advice, and I have yet to see a decent reason
why one would want to use that instead of EtM.
Of course when we talk about EtM, the MAC should be applied over all
plaintext headers and trailers (including IV used for encryption, algorithm
identifier, protocol version,
Actually, by definition, a cipher should be a permutation from the set
of plaintexts to the set of ciphertexts. It has to be 1 to 1 bijective
or it isn't an encryption algorithm.
Therefore, if you want an ergodic sequence of size 2^N, a counter
encrypted under an N bit block cipher will do it.
Ok, after making that change, and a few others (selecting only odd numbers,
which acts as a small sieve), I'm not getting much useful information. It
appears to be such that at 512 bits if it passes once it passes 128 times,
and it appears to fail on average about 120-130 times, so the sieve
It can be useful to derive a key encryption key from the password, and not
use the key derived from the password to directly encrypt data you want to
protect, when the resulting ciphertext can be found in different places
where your encrypted key won't necessarily also be found. For example, to
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joseph Ashwood
Sent: November 18, 2005 3:18 AM
To: cryptography@metzdowd.com
Subject: Re: Fermat's primality test vs. Miller-Rabin
Look at table 4.3 of the Handbook of
applied cryptography: for t = 1
The general consensus is that for 500-bit numbers one needs only 6 MR
tests for 2^{-80} error probability [1]:
...
and thus a single test gives ~2^{-13}.
If you just took the exponent 80 and divided it by 6 to get ~13, I don't
think that is the right reasoning. Look at table 4.3 of the
I guess the small increase in efficiency would not be worth additional
program code.
That depends on the size of the numbers you're working with...
Considering the research that goes into fast implementations of
PowerMod I don't think the required computation is trivial.
Although the
Although the Carmichael numbers fool the Fermat test
(that is, $a^{n-1} = 1 (n)$) for *all* a, there are no such things for
the Miller-Rabin test: for any odd composite n at least 3/4 of a's
fail the test, that is if you made m MR tests with random a's then you
are mistaken with probability
This sounds very confused. Certs are public. How would knowing a copy
of the server cert help me to decrypt SSL traffic that I have intercepted?
I found a lot of people mistakenly use the term certificate to mean
something like a pkcs12 file containing public key certificate and private
key.
Mathematicians could be on the verge of solving two separate million dollar
problems. If they are right - still a big if - and somebody really has
cracked the so-called Riemann hypothesis, financial disaster might follow.
Suddenly all cryptic codes could be breakable. No internet transaction
would
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Gerck
Sent: August 10, 2004 13:42
To: [EMAIL PROTECTED]
Subject: Re: Microsoft .NET PRNG (fwd)
The PRNG should be the least concern when using MSFT's cryptographic
provider. The MSFT report 140sp238.pdf
There is some detail in the FIPS 140 security policy of Microsoft's
cryptographic provider, for Windows XP and Windows 2000. See for example
http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf
where they say the RNG is based on FIPS 186 RNG using SHS. The seed is
based on the collection of
About using a signature key to only sign contents presented in a meaningful
way that the user supposedly read, and not random challenges:
The X.509 PoP (proof-of-possession) doesn't help things out, since a public
key certificate is given to a user by the CA only after the user has
demonstrated
[...] I find it hard to imagine how you
can even know whether it seems to work, let alone has some subtle
problem.
That's clearly a much harder problem--and indeed I suspect it's behind
the general lack of interest that the public has shown in anonymous
systems.
-Ekr
The lack of
You stated that http://www.pgp.com is an SSL-protected page, but did you
mean https://www.pgp.com? On my Powerbook, with all the browsers I get an
error that the certificate is wrong and they end up at http://www.pgp.com.
What I get is a bad certificate, and this is due to the fact that the
This barely deserves mention, but is worth it for the humor:
Information Security Expert says SSL (Secure Socket Layer) is Nothing More
Than a Condom that Just Protects the Pipe
http://www.prweb.com/releases/2004/7/prweb141248.htm
The article says
The weaknesses of SSL implementations have been
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Gerck
Sent: July 7, 2004 14:46
To: [EMAIL PROTECTED]
Subject: identification + Re: authentication and authorization
I believe that a significant part of the problems discussed here is that
the three
However, in some scenarios
http://www.garlic.com/~lynn/2001h.html#61
the common use of static data is so pervasive that an individual's information
is found at thousands of institutions. The value of the information to the
criminal is that the same information can be used to perpetrate fraud
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Denker
Sent: July 1, 2004 14:27
To: [EMAIL PROTECTED]
Cc: Ian Grigg
Subject: Re: authentication and authorization (was: Question on the state of the security industry)
1) For starters, identity theft
-Original Message-
From: John Denker [mailto:[EMAIL PROTECTED]
Sent: July 5, 2004 18:28
To: Anton Stiglic
Cc: [EMAIL PROTECTED]; 'Ian Grigg'
Subject: Re: authentication and authorization
[...]
We should assume that the participants on this list have a
goodly amount of technical
-Original Message-
From: [EMAIL PROTECTED]
[mailto:owner-[EMAIL PROTECTED] On Behalf Of Peter Gutmann
Sent: June 29, 2004 09:49
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: recommendations/evaluations of free / low-cost crypto libraries
Anton Stiglic [EMAIL
Does anyone know of an SSL acceleration card that actually works under
Linux/*BSD?
I successfully used a Broadcom PCI card on a Linux (don't remember
what Linux and kernel version, this was close to 2 years ago).
If I remember correctly it was the BCM5820 processor I used
Stefan Brands started his own company,
http://www.credentica.com/
There isn't much on the web site yet, but if you click on the image you get
the info
email address.
The code that was developed for Brands credentials at ZKS was never
released. There was also code written during the ESPRIT
The attacks by Dobbertin on MD5 only allow to find collisions in the
compression function, not the whole MD5 hash.
But it is a sign that something might be fishy about MD5.
MD5 output is 128 bits. There are two types of collision finding
attacks that can be applied. In the first you are given
- Original Message -
From: Jerrold Leichter [EMAIL PROTECTED]
Cc: Cryptography [EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 7:14 AM
Subject: Re: [Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)]
Now that we've trashed non-repudiation ... just how is it different from
The thing about CIA is that it is commonly used in security (not cryptography)
courses to mean Confidentiality, Integrity (of systems) and Availability (instead
of Authentication). Availability of systems, services and information.
For crypto I always talked about CAIN or PAIN (like in no PAIN
NSA Windows hardening guides:
http://nsa2.www.conxion.com/
--Anton
Previously used primarily in scientific/academic applications, zero
knowledge authentication is a method of proving a user's identity without
revealing his password to the verifier.
So anybody knows exactly what this zero-knowledge authentication is
that they use?
Using this technology,
- Original Message -
From: Carl Ellison [EMAIL PROTECTED]
To: 'Will Rodger' [EMAIL PROTECTED]; 'Steve Bellovin'
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, December 07, 2003 8:44 AM
Subject: RE: yahoo to use public key technology for anti-spam
I, for one, hate the idea. My
- Original Message -
From: Ralf Senderek [EMAIL PROTECTED]
To: Werner Koch [EMAIL PROTECTED]; cryptography [EMAIL PROTECTED]
Sent: Thursday, November 27, 2003 11:23 AM
Subject: Re: Problems with GPG El Gamal signing keys?
On Thu, 27 Nov 2003, Werner Koch wrote:
Yes, yes, I should
- Original Message -
From: Perry E.Metzger [EMAIL PROTECTED]
Some notes have been floating around claiming that there are bugs in
GPG's use of El Gamal keys. For example, see:
http://groups.google.com/groups?selm=E1AOvTM-0001nY-00%40alberti.g10code.deoe=UTF-8output=gplain
Can
- Original Message -
From: Jeremiah Rogers [EMAIL PROTECTED]
To: crypto list [EMAIL PROTECTED]
Sent: Sunday, November 16, 2003 12:50 PM
Subject: Re: A-B-a-b encryption
This is Shamir's Three-Pass Protocol, described in section 22.3 of
Schneier. It requires a commutative cryptosystem.
David Wagner [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
martin f krafft wrote:
it came up lately in a discussion, and I couldn't put a name to it:
a means to use symmetric crypto without exchanging keys:
- Alice encrypts M with key A and sends it to Bob
- Bob encrypts
- Original Message -
From: Tom Otvos [EMAIL PROTECTED]
As far as I can glean, the general consensus in WYTM is that MITM attacks
are very low (read: inconsequential) probability.
I'm not certain this was the consensus.
We should look at the scenarios in which this is possible, and
I'm not sure how you come to that conclusion. Simply
use TLS with self-signed certs. Save the cost of the
cert, and save the cost of the re-evaluation.
If we could do that on a widespread basis, then it
would be worth going to the next step, which is caching
the self-signed certs, and
- Original Message -
From: R.Sriram [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 1:20 AM
Subject: Internal format of RSA private keys in microsoft keystore.
Greetings,
In the process of trying to work around some of the limitations
of the m$-CAPI API, I'm
- Original Message -
From: Peter Gutmann [EMAIL PROTECTED]
[...]
The problem is that what we really need to be able to evaluate is how
committed a vendor is to creating a truly secure product.
[...]
I agree 100% with what you said. Your 3 group classification seems
accurate.
But
- Original Message -
From: Ian Grigg [EMAIL PROTECTED]
[...]
In terms of actual practical systems, ones
that implement to Brands' level don't exist,
as far as I know?
There were however several projects that implemented
and tested the credentials system. There was CAFE, an
- Original Message -
From: Peter Gutmann [EMAIL PROTECTED]
[...]
If you think that's scary, look at Microsoft's CryptoAPI for Windows XP FIPS
140 certification. As with physical security certifications like BS 7799, you
start by defining your security perimeter, defining everything
- Original Message -
From: Peter Gutmann [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 11:07 AM
Subject: Re: NCipher Takes Hardware Security To Network Level
Anton Stiglic [EMAIL PROTECTED] writes:
This is why you get requirements
- Original Message -
From: Tim Dierks [EMAIL PROTECTED]
I think it's a tautology: there's no such thing as MITM if there's no such
thing as identity. You're talking to the person you're talking to, and
that's all you know.
That seems to make sense. In anonymity providing systems
- Original Message -
From: Jerrold Leichter [EMAIL PROTECTED]
[...]
| I think it's a tautology: there's no such thing as MITM if there's no
such
| thing as identity. You're talking to the person you're talking to, and
| that's all you know.
|
| That seems to make sense
No;
Schu stressed that several layers of security will prevent hackers from
accessing the system. VeriSign will house the security servers in its own
hosting centers. The company will ask military personnel to use their
Common Access Cards--the latest form of ID for the military--to access
the
Why is it that none of those 100-odd companies with keys in the browsers
are doing anything with them? Verisign has such a central role in
the infrastructure, but any one of those other companies could compete.
Why isn't anyone undercutting Verisign's prices? Look what happened with
Thawte
Really exciting news. If I'm not mistaken, this would be the first free,
open-source crypto library that has FIPS 140 module certification! Other free
open-source libraries have algorithms that have been FIPS 140 certified, but
the whole module hasn't been certified (example Cryptlib and
Does anyone have any idea where I might learn about this algorithm - or
indeed any algorithm which does the job.
Just as Perry mentioned, look into Shamir Secret Sharing.
There are also implementations of this, see for example
http://www.astro.gla.ac.uk/users/norman/distrib/tontine.html
(I'm
- Original Message -
From: Whyte, William [EMAIL PROTECTED]
[...]
But you don't have to contact the CA to get someone's certificate.
A standard way is to send them an email saying can you send me
a signed message?
Yes, that works. When I want someone to send me confidential
email,
Integrity: Financial protocols that use crypto
(as opposed to ones abused by crypto) generally
include signed messages. The signature provides
for its own integrity, as well as a few other
things.
I don't believe that is enough. Take for example
the SSL 2.0 ciphersuite rollback
- Original Message -
From: Jaap-Henk Hoepman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 20, 2003 5:02 AM
Subject: Security of DH key exchange
In practice the following method of exchanging keys using DH is used, to
ensure bit security of the resulting session key. If