On Oct 4, 2013, at 12:20 PM, Ray Dillinger wrote:
So, it seems that instead of AES256(key) the cipher in practice should be
AES256(SHA256(key)).
Is it not the case that (assuming SHA256 is not broken) this
defines a cipher
effectively immune to the related-key attack?
So you're
At 02:27 PM 9/30/2013, James A. Donald wrote:
On 2013-09-30 18:02, Adam Back wrote:
If we're going to do that I vote no ASN.1, and no X.509. Just BNF format
like the base SSL protocol;
Granted that ASN.1 is incomprehensible and horrid, but, since there
is an ASN.1 compiler that generates C
At 08:32 PM 9/13/2013, Jerry Leichter wrote:
If by server you mean one of those things in a rack at Amazon or
Google or Rackspace - power consumption, and its consequence,
cooling - is *the* major issue these days. Also, the servers used
in such data centers don't have multiple free USB
At 10:39 AM 9/11/2013, Phillip Hallam-Baker wrote:
Perfect Forward Secrecy is not perfect. In fact it is no better than
regular public key. The only difference is that if the public key
system is cracked then with PFS the attacker has to break every
single key exchange and not just the keys in
At 12:09 PM 9/7/2013, Chris Palmer wrote:
On Sat, Sep 7, 2013 at 1:33 AM, Brian Gladman b...@gladman.plus.com wrote:
Why would they perform the attack only for encryption software? They
could compromise people's laptops by spiking any popular app.
Because NSA and GCHQ are much more
At 06:49 PM 9/6/2013, Marcus D. Leech wrote:
It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
cooperative endpoint scenario that I've seen discussed in other
forums, prompted by the latest
On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote:
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and
if you pay attention to us talking about issues with nonces,
counters, IVs, chaining modes, and all that, you see
At 03:06 PM 9/3/2013, Jerry Leichter wrote:
On Sep 3, 2013, at 3:16 PM, Faré fah...@gmail.com wrote:
Can't you trivially transform a hash into a PRNG, a PRNG into a
cypher, and vice versa?
No.
[...]
I don't actually know if there exists a
construction of a PRNG from a cryptographically
At 01:53 PM 8/29/2013, Taral wrote:
Oh, wait. I misread the requirement. This is a pretty normal
requirement -- your reverse DNS has to be valid. So if you are
3ffe::2, and that reverses to abc.example.com, then abc.example.com
better resolve to 3ffe::2.
For IPv4, that's a relatively normal
Custom built hardware will probably be the smartest way to go for an
entrepreneur trying to sell these in bulk to people as home gateways anyway
Meanwhile, while Phill may have spent $25 for a USB Ethernet, I
frequently see them on sale for $10 and sometimes $5.
On Thu, Sep 16, 2010 at 04:49:19PM +, M.R. wrote:
| I said (something like) this when Haystack first appeared on this
| list...
|
| Words dissidents and oppressive regimes have no place in
| serious discussions among cryptographers. Once we start assigning
| ethical
Potentially interesting lecture if you're in the Bay Area
From: alli...@stanford.edu
Reply-To: alli...@stanford.edu
Subject: Liberation Technology 10/7/2010 -- Lessons from the Haystack Affair
Date: Mon, 27 Sep 2010 13:40:55 -0700 (PDT)
STANFORD FREEMAN SPOGLI INSTITUTE FOR INTERNATIONAL
At 01:54 PM 8/16/2010, Perry E. Metzger wrote:
On Mon, 16 Aug 2010 12:42:41 -0700 Paul Hoffman
paul.hoff...@vpnc.org wrote:
At 11:35 AM +1000 8/16/10, Arash Partow wrote:
Just out of curiosity, assuming the optimal use of today's best of
breed factoring algorithms - will there be enough
At 07:16 AM 7/28/2010, Ben Laurie wrote:
SSH does appear to have got away without revocation, though the nature
of the system is s.t. if I really wanted to revoke I could almost
always contact the users and tell them in person. This doesn't scale
very well to SSL-style systems.
Unfortunately,
At 12:14 PM 10/22/2009, David Wagner wrote:
Back to DNSSEC: The original criticism was that DNSSEC has covert
channels. So what? If you're connected to the Internet, covert
channels are a fact of life, DNSSEC or no. The added risk due to any
covert channels that DNSSEC may enable is somewhere
At 05:11 PM 7/27/2009, Jon Callas wrote:
By the way, do you think it's safe to phase out MD5?
That will break all the PGP 2 users.
Depends - if you're only replacing it with SHA-1, it's probably not
worthwhile.
And if you're breaking things anyway, might as well replace most of the
At 10:40 AM 1/30/2009, Thomas Coppi wrote:
Just out of curiosity, does anyone happen to know of any documented
examples of a botnet being used for something more interesting than
just sending spam or DDoS?
There are good botnets and bad botnets.
Good ones ask you if you want to join, bad ones
Eugen Leitl and Stephan Somogyi [EMAIL PROTECTED] wrote
about the Skein hash function announcement.
http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html?1
http://www.schneier.com/skein.html
One thing I noticed on a first read-through was
a discussion of speed for ASICs vs.
This isn't enough. Somehow, you have to state that the values emitted
on demand in any given round i (where a round consists of exactly one
demand on all N member and produces a single output result) cannot
receive any input from any other members. Otherwise, if N=2 and member
0 produces true
Ben wrote:
But just how GREAT is that, really? Well, we don't know. Why? Because
there isn't actually a way to test for randomness. Your
DNS resolver could be using some easily predicted random number generator
like, say, a linear congruential one, as is common in the rand() library
At 07:02 PM 2/9/2008, Peter Gutmann wrote:
I've always wondered why RNG speed is such a big deal for anything but a few
highly specialised applications. For security use you've got two options:
1. Use it with standard security protocols, in which case you need all of 128
or so bits every now
At 12:23 AM 1/20/2008, Alexander Klimov wrote:
Given what is required to get a license (for example, 4.b in the
first document, says that one must have people trained in
information security), I guess the new law is not supposed to
limit use of cryptography by ordinary people, but to limit
At 11:04 AM 1/18/2008, Ray Dillinger wrote:
More than half the servers on the Internet -
the very most desirable machines for botnet operators,
because they have huge storage and huge bandwidth - run
some form of Unix, and yet, since 1981 and the Morris Worm,
you've never heard of a botnet
Dan wrote:
Let's not do this or we'll have to talk about JF Kennedy
who, at least, bought his votes with real money.
That's because Democrats had become more professional,
and the tradition of buying votes with whiskey
only works for the retail level, not wholesale.
Dan also wrote:
May I
| Which is by the way exactly the case with SecureIM. How
| hard is it to brute-force 128-bit DH ? My guesstimate
| is it's an order of minutes or even seconds, depending
| on CPU resources.
Sun's Secure NFS product from the 1980s had 192-bit Diffie-Hellman,
and a comment in one of the
At 07:37 AM 7/12/2007, Eric Cronin wrote:
With current CPUs and audio codecs you can get
decent voice quality over 9600bps.
Yes and no. There are lots of 8kbps codecs, and some 6.5 and 5.3kbps codecs,
all of which give acceptable voice quality if transmission's ok.
(And you can reduce
At 10:59 PM 7/9/2007, Florian Weimer wrote:
Uh-oh, no. The protocol characteristics don't change depending on
who is selling you the device.
Of course they do, at least in the US,
where the mobile phones are generally carrier-specific,
often locked, and generally don't have open designs.
In
At 08:51 AM 6/28/2007, Alexander Klimov wrote:
I suspect there are two reasons for QKD to be still alive.
First of all, the cost difference between quantum and normal
approaches is so enormous that a lot of ignorant decision makers
actually believe that they get something extra for this money.
At 01:04 PM 5/18/2007, Trei, Peter wrote:
If the Russians aren't behind this, who else should be
suspected? It isn't like Estonia has a wide selection of
enemies. :-)
There are three likely suspects
- the actual Russian government (or some faction thereof)
- Russian Mafia for whatever reasons
I'd like one with Wearing an integer is not circumvention. on the
back or some such. :)
Large Integers are Not A Crime :-)
On the other hand, isn't the key really an MD5 hash of some haiku about
OK, so we know that DVD-CSS was Just Not Good Enough?
With 4K possible salts, you'd need a
very large password file to have more than a very few collisions,
Definition of very large can vary. (alliteration intended).[...]
UCSD has maybe 60,000 active users. I think very large is very common
in the University environment.
Different decade,
At 01:55 PM 1/18/2007, John Denker wrote:
We would be better off maintaining just the one technical
definition of entropy, namely S = sum_i P_i log(1/P_i).
If you want to talk about something else, call it something
else ... or at least make it clear that you are using the
term in a nontechnical
As far as Full Disk Encryption's usefulness as a term goes,
I'd distinguish between several different kinds of applications
for encrypting the contents of a disk
1 - The disk drive or maybe disk controller card (RAID, SCSI, etc.)
encrypts all the bits written to the drive
and
At 11:26 AM 12/9/2006, Daniel F. Fisher wrote:
Ian Farquhar (ifarquha) wrote The other problem for this technique is
battery life.
Suppose this worked by recording from mic to memory and then transmitting
later. This leads to a bunch of questions:
By what factor could transmission
James Gleick's NYT article on the OED mentions cypherpunk
among the words recently added to the dictionary.
http://www.nytimes.com/2006/11/05/magazine/05cyber.html?pagewanted=all
The page requires registration to access, though there are enough
popular pseudonyms that have done so; I don't know
From: Computer History Museum [EMAIL PROTECTED]
Subject: Public Key Cryptography 30th Anniversary Event - October 26
Celebrating 30 years of Public Key Cryptography (PKC)
Join the Computer History Museum for a special public event celebrating 30
years of public key cryptography. This memorable
Crypto is usually about economics and scalability.
If you're doing this for DOS/DDOS prevention,
you don't need the NP-completeness perfection you get from
Hamiltonian paths or similar problems - SHA is fine,
or any other hash that's quick to verify and
hard to reverse. Even MD5 is probably
There are two sides to the voice phishing here -
- getting the target to call a phone number you've emailed him
- using cheap voice calls to call the target with your offer.
VOIP doesn't affect the former case much,
since the target is paying for the call,
but it does separate callee geography
At 10:37 AM 3/9/2006, Chris Palmer wrote:
Right, but even though a 1.5GHz machine is a bit old (heh...) for a
workstation, my dinky little Linksys WRT54GC wireless AP still needs to
AES-encrypt a theoretical maximum of 54Mbps when I turn on WPA.
Unless you're using your Linksys for
Somebody, probably Florian, wrote:
I couldn't find a PGP key server operator that committed itself to
keeping logs confidential and deleting them in a timely manner (but I
didn't look very hard, either).
Keyservers are a peripheral issue in PGP -
important for convenience and for quick
At 01:01 AM 2/4/2006, Travis H. wrote:
Assume further that it is not cost-effective to furnish each with a
HWRNG, even one as inexpensive as a sound card (for example, they may
not have a spare slot on the motherboard nor built-in sound).
...
Suppose that /dev/random is too slow (SHA-1 was never
Good ciphers aren't permutations, though, are they? Because if they
were, they'd be groups, and that would be bad.
Actually, by definition, a cipher should be a permutation from the set
of plaintexts to the set of ciphertexts. It has to be 1 to 1 bijective
or it isn't an encryption
At 03:34 PM 12/14/2005, [EMAIL PROTECTED] wrote:
An application programmer who is using PKCS1 doesn't even need to
know the small amount of ASN.1 in the spec... libraries that
implement RSA PKCS1 take care of the ASN.1 for the programmer.
This is in fact one reason that ASN.1 exploits
have
At 10:58 AM 12/18/2005, Perry E. Metzger wrote:
The President claims he has the prerogative to order such
surveillance. The law unambiguously disagrees with him.
There are minor exceptions in the law, but they clearly do not apply
in this case. They cover only the 15 days after a declaration of
At 09:40 AM 12/8/2005, Aram Perez wrote:
On Dec 7, 2005, at 10:24 PM, James A. Donald wrote:
Software is cheaper than boats - the poorest man can
afford the strongest encryption, but he cannot afford
the strongest boat.
If it is that cheap, then why are we having this discussion? Why
isn't
, they don't appear to state a policy of
always digitally signing all transactions, so I'm a bit concerned
beyond the more blatant phishing risks.
Thanks; Bill Stewart
-
The Cryptography Mailing List
Unsubscribe
At 06:56 PM 11/18/2005, William Allen Simpson wrote:
| tromped around the office singing, Every bit is sacred / Every bit
| is great / When a bit is wasted / Phil gets quite irate.
| Consider this to be one of the prime things to correct. Personally,
| I think that numbers should never
At 09:29 PM 7/9/2005, Perry E. Metzger wrote:
The Blue Card, so far as I can tell, was poorly thought out beyond its
marketing potential. I knew some folks at Amex involved in the
development of the system, and I did not get the impression they had
much of a coherent idea of what the
At 02:44 AM 6/20/2005, Peter Gutmann wrote:
Stephan Neuhaus [EMAIL PROTECTED] writes:
Concerning the practical use of AES, you may be right (even though it would
be nice to have some advice on what one *should* do instead).
Would switching to triple-AES (or double-AES) or something help?
Yeah,
At 01:14 PM 6/3/2005, [EMAIL PROTECTED] wrote:
I think we are already in a state where practically everybody that has a
computer has crypto available, and it's not difficult to use it!
Of course they have it -
the problem is having crypto in a way that's not suspicious,
and suspicious is
new address and new key,
but that seems a bit awkward, since you need a convenient way to
include the new keys for people who whitelist you or who you
only want to send encrypted mail to.
Thanks; Bill Stewart
At 10:19 PM 3/13/2005, Adam Fields wrote:
Given what may or may not be recent ToS changes to the AIM service,
I've recently been looking into encryption plugins for gaim.
AOL says that the ToS bits are only for things like chatrooms;
user-to-user AIM traffic doesn't even go through their servers.
transaction, but that's too annoying for most customers.
Bill Stewart [EMAIL PROTECTED]
It doesn't take a lot of power to power them;
not sure what it takes to fry them.
Bill Stewart [EMAIL PROTECTED]
then, inkjet printers are dirt cheap;
when they're on sale, they're essentially a free enclosure
in a box of overpriced printer cartridges,
so even if the printer wants to rat out the user and
it's not easy to change the serial number PROM,
you can just replace the printer.
Bill Stewart [EMAIL
been leaked for the passive eavesdropper.
Bill Stewart [EMAIL PROTECTED]
you've got complete documentation,
even if Ken Thompson wasn't helping write your compilers.
Bill Stewart
At 05:21 AM 9/25/2004, R. A. Hettinga wrote:
http://www.linuxdevices.com/news/NS1975038466.html ...
Sep. 24, 2004
The first commercial software product to exploit the cryptographic
At 10:19 PM 9/15/2004, Ed Gerck wrote:
Yes, PKC provides a workable solution for key distribution... when you
look at servers. For email, the PKC solution is not workable (hasn't been)
and gives a false impression of security. For example, the sender has no
way of knowing if the recipient's key is
enough at them to do the work of running a MITM attack?
Encryption against passive eavesdroppers makes password-stealing
and traffic analysis harder, so it's probably worth the risk,
but that wasn't the choice that FreeSWAM made.
Bill Stewart [EMAIL PROTECTED
that information at the same time.
Bill Stewart [EMAIL PROTECTED]
how about this simpler construction?
(IV1) - B1 - B2 - B3 - ... Bk - H1
(IV2) - B1 - B2 - B3 - ... Bk - H2
This approach and the cache Block 1 until the end approach
are both special-case versions of maintain more state attacks.
This special case maintains 2*(size of hash output) bits of
-bit
messages. Therefore 512 = 1024.
Bear
Bill Stewart [EMAIL PROTECTED
At 02:02 AM 8/23/2004, Florian Weimer wrote:
* Bill Stewart:
I agree that it doesn't look useful, but lawful intercept is harder,
if you're defining that as undetected eavesdropping with
possible cooperation of the telco in the middle,
because quantum crypto needs end-to-end fiber so there's
At 01:00 PM 8/21/2004, Florian Weimer wrote:
However, I still don't believe that quantum cryptography can buy you
anything but research funding (and probably easier lawful intercept
because end-to-end encryption is so much harder).
I agree that it doesn't look useful, but lawful intercept is
forgotten the derivation of VH coordinates...
Bill Stewart [EMAIL PROTECTED]
At 03:20 AM 7/18/2004, Enzo Michelangeli wrote:
Can someone explain me how the phishermen escape identification and
prosecution? Gaining online access to someone's account allows, at most,
to execute wire transfers to other bank accounts: but in these days
anonymous accounts are not exactly easy
At 05:15 AM 6/2/2004, Ben Laurie wrote:
SPF will buy me one thing forever: I won't get email telling me I sent
people spam and viruses.
Unfortunately, that won't work for me.
My email address is at pobox.com, the mail forwarding service
where the main proponent of SPF works,
but my SMTP service
At 07:46 PM 12/30/2003 +, Richard Clayton [EMAIL PROTECTED] wrote:
[what about mailing lists]
Obviously you'd have to whitelist anybody's list you're joining
if you don't want your spam filters to robo-discard it.
moan
I never understand why people think spam is a technical problem :( let
At 09:37 PM 12/26/2003 -0500, Adam Back wrote:
The 2nd memory-bound paper [3] (by Dwork, Goldberg and Naor) finds a
flaw in the first memory-bound function paper (by Abadi, Burrows,
Manasse, and Wobber) which admits a time-space trade-off, proposes an
improved memory-bound function and also in
At 09:38 AM 12/16/2003 -0500, Ian Grigg wrote:
In the late nineties, the smart card world
worked out that each smart card was so expensive,
it would only work if the issuer could do multiple
apps on each card. That is, if they could share
the cost with different uses (or users).
Of course, at
At 02:41 PM 12/14/2003 +, Dave Howe wrote:
Paul A.S. Ward wrote:
I'm not sure why no one has considered the PC banking problem to be a
justification for secure computing. Specifically, how does a user
know their computer has not been tampered with when they wish to use
it for banking
[Moderator's note: I'd really like to shut down the What license?
debate --Perry]
At 12:52 AM 11/27/2003 -0800, J Harper wrote:
1) Not GPL or LPGL, please. I'm a fan of the GPL for most things, but
for embedded software, especially in the security domain, it's a
killer. I'm supposed to allow
At 02:45 PM 11/27/2003 +1100, Greg Rose wrote:
At 12:27 PM 11/27/2003, Thor Lancelot Simon wrote:
RC4 is extremely weak for some applications.
A block cipher is greatly preferable.
I'm afraid that I can't agree with this howling logical error.
RC4 is showing its age, but there are other stream
=Step 1:
Exchange ID messages. An ID message contains the name of the tinc
daemon which sends it, the protocol version it uses, and various
options (like which cipher and digest algorithm it wants to use).
By name of the tinc daemon, do you mean identification information?
That data
If we use RSA encryption, then both sides know their message can only
be received by the intended recipient. If we use RSA signing, then
both sides know the message they receive can only come from the assumed
sender. For the purpose of tinc's authentication protocol, I don't see
the
Trei, Peter wrote:
Why the heck would a government agency have to break the GSM encryption
at all? The encryption is only on the airlink,
and all GSM calls travel through the POTS land line system in the clear,
where they are subject to warranted wiretaps.
Breaking GSM is only useful if you
At 11:49 PM 06/29/2003 +0200, Simon Josefsson wrote:
No, I believe only one of the following situations can occur:
* Your laptop sees and uses the name yahoo.com, and the DNS server
translates it into yahoo.com.attackersdomain.com. If your laptop
knows the DNSSEC root key, the attacker
At 11:15 PM 06/28/2003 -0400, Steven M. Bellovin wrote:
In message [EMAIL PROTECTED], Bill Stewart writes:
This looks like it has the ability to work around DNSSEC.
Somebody trying to verify that they'd correctly reached yahoo.com
would instead verify that they'd correctly reached
Somebody did an interesting attack on a cable network's customers.
They cracked the cable company's DHCP server, got it to provide a
Connection-specific DNS suffix pointing to a machine they owned,
and also told it to use their DNS server.
This meant that when your machine wanted to look up
At 11:38 AM 05/30/2003 -0700, John Young wrote:
If the FBI cannot crack PGP that does not mean other
agencies with greater prowess cannot. It is unlikely that
the capability to crack PGP would be publicly revealed
for that would close an invaluable source of information.
Still, it is
At 08:17 AM 06/03/2003 -0700, bear wrote:
what he said was with cryptanalysis alone.
Rubber-hose methods are not cryptanalysis, and
neither is password guessing.
Eh? Password guessing certainly is.
I'm not aware of a PGP port to the Psion, but at least the
Psion 3/3a/3c generation were 8086-like
At 08:53 AM 06/03/2003 -0700, bear wrote:
IDEA is still a good cipher as far as I know, but PGP has been driven
away from it in the US due to intellectual-property issues. Rather than
continue with incompatible versions for use inside/outside the USA, they're
switching to CAST (although this is
At 11:38 AM 06/03/2003 -0400, Ian Grigg wrote:
I (arbitrarily) define the marketplace for SSL as browsing.
...
There, we can show statistics that indicate that SSL
has penetrated to something slightly less than 1% of servers.
For transmitting credit card numbers on web forms,
I'd be surprised if
http://www.nullsoft.com/free/waste/ - Overview
http://www.nullsoft.com/free/waste/security.html - Security section
http://www.nullsoft.com/free/waste/network.html - Network design
http://slashdot.org/article.pl?sid=03/05/29/0140241mode=threadtid=126tid=93
- Slashdot discussion
Nullsoft, who did