Jerrold Leichter <[EMAIL PROTECTED]> writes:
>They also sold a full solution for encrypted Ethernet - KDC, encrypting
>Ethernet adapters, associated software. None of this stuff went anywhere.
>People just weren't interested.
That wasn't quite the case for the Ethernet encryption. What happened
Ian G wrote:
> I'd like to take a password and expand it into
> several keys. It seems like a fairly simple operation
> of hashing the concatenation of the password
> with each key name in turn to get each key.
there is a financial standard for derived key per transaction
from x9f taxonomy and
Ian,
You need to go beyond the scope of simple-minded PKCS recommendations
to calculate keys from passwords. If you want to improve security,
just adding padding and salt is not enough.
Yes, of course, your code should add padding, so that the sha1 argument
always has the same, fixed, length for
On 6/12/05, Ian G <[EMAIL PROTECTED]> wrote:
> I'd like to take a password and expand it into
> several keys. It seems like a fairly simple operation
> of hashing the concatenation of the password
> with each key name in turn to get each key.
>
> Are there any 'gotchas' with that?
>
> iang
>
"Weger, B.M.M. de" <[EMAIL PROTECTED]> writes:
>
> Technically speaking you're correct, they're signing a program.
> But most people, certainly non-techies like Alice's boss,
> view postscript (or MS Word, or format that allows macros>) files not as programs but as static
> data. In being targete
Back when software was free, ~1974, the standard DEC PDP10 disk->tape backup
program, FRS, included an encryption option.
Rich Schroeppel [EMAIL PROTECTED]
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cr
On 6/13/05, Eric Rescorla <[EMAIL PROTECTED]> wrote:
> While this is a clever idea, I'm not sure that it means what you imply
> it means. The primary thing that makes your attack work is that the
> victim is signing a program which he is only able to observe mediated
> through his viewer. But once
>From: Ian G <[EMAIL PROTECTED]>
>Sent: Jun 12, 2005 11:27 AM
>To: cryptography@metzdowd.com
>Subject: expanding a password into many keys
>I'd like to take a password and expand it into several keys. It
>seems like a fairly simple operation of hashing the concatenation
>of the password with
Hi Eric,
Technically speaking you're correct, they're signing a program.
But most people, certainly non-techies like Alice's boss,
view postscript (or MS Word, or ) files not as programs but as static
data. In being targeted at non-techies I find this attack more
convincing than those of Mikle a
Florian Weimer wrote:
> We call it pseudonymization ("Pseudonymisierung"). It's a commonly
> used technique in Germany to detaint personally identifiable
> information, so you can share it freely for statistics purposes. The
> methods used in the field are rather crude (time-seeded LCGs are very
On Fri, 10 Jun 2005, Rich Salz wrote:
I don't want to have to re-implement Apache in order to do
an SSL implementation. ...
Those analogies aren't apt. XML is a data format, so it's more like
I don't want to have to implement ASN1/DER to do S/MIME
Which is a nonsens
Stefan Lucks <[EMAIL PROTECTED]> writes:
> Magnus Daum and myself have generated MD5-collisions for PostScript files:
>
> http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions/
>
> This work is somewhat similar to the work from Mikle and Kaminsky, except
> that our colliding files are
OpenSSL version 0.9.8 Beta 5
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
OpenSSL is currently in a release cycle. The fifth beta is now
released. The beta release is available for download via HTTP and
FTP from the following
I'd like to take a password and expand it into
several keys. It seems like a fairly simple operation
of hashing the concatenation of the password
with each key name in turn to get each key.
Are there any 'gotchas' with that?
iang
PS: some pseudo code if the above is not clear.
for k in {se
> I'd like to come up to speed on the state of the
> art in de-identification (~=anonymization) of data
> especially monitoring data (firewall/hids logs, say).
We call it pseudonymization ("Pseudonymisierung"). It's a commonly
used technique in Germany to detaint personally identifiable
informati
In message <[EMAIL PROTECTED]>, Jerrold Leichter writes:
>| | The paper itself (there's a link in the article) has several more items
>| | of interest to this list. Especially interesting is the effective
>| | cryptanalysis of the PRNG used by the worm. Implicit in many of the
>| | analyses, t
| ...It is not that nobody ever thought of encrypting tapes, it is that there
| has been no uptake on the idea because the management overhead costs
| outweighed the perceived benefit. The big vendors didn't bother offering it
| because they didn't think they could make money, and the start-ups
| | The paper itself (there's a link in the article) has several more items
| | of interest to this list. Especially interesting is the effective
| | cryptanalysis of the PRNG used by the worm. Implicit in many of the
| | analyses, though not a focus of the paper, is the amount of information
| Readers of this list may be interested in an analysis of the Witty
| worm's spread by Kumar, Paxson, and Weaver. An article summarizing
| the paper is at
http://www.zdnet.co.uk/print/?TYPE=story&AT=39200183-39020375t-1025c
| A tentative conclusion is that the worm was probably written by
On 6/8/05, [EMAIL PROTECTED] (Perry E. Metzger) wrote:
-+--
| If you have no other choice, pick keys for the next five years,
| changing every six months, print them on a piece of paper, and put it
| in several safe deposit boxes. Hardcode the
> [EMAIL PROTECTED] wrote:
>> "Ben Laurie wrote"
>>
>>>[EMAIL PROTECTED] wrote:
>>>
Example:
Cash_Ur_check is in the business of cashing checks. To cash a check,
they ask you for "sensitive information" like SIN, bank account number,
drivers licence number, etc. They use
On Fri, Jun 10, 2005 at 01:11:45PM -0400, [EMAIL PROTECTED] wrote:
| "Ben Laurie wrote"
| > Sure, but Equifax should.
|
| No, they shouldn't! If you think they should, you are misinformed. At
| least in Canada, the Privacy Act protects the SIN, Equifax cannot demand
| it.
| See for example
| h
[EMAIL PROTECTED] wrote:
"Ben Laurie wrote"
[EMAIL PROTECTED] wrote:
Example:
Cash_Ur_check is in the business of cashing checks. To cash a check,
they ask you for "sensitive information" like SIN, bank account number,
drivers licence number, etc. They use the information to query
Equifa
"Ben Laurie wrote"
> [EMAIL PROTECTED] wrote:
>> Example:
>>Cash_Ur_check is in the business of cashing checks. To cash a check,
>> they ask you for "sensitive information" like SIN, bank account number,
>> drivers licence number, etc. They use the information to query
>> Equifax or the like
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
| Oracle, for example, provides encryption functions, but the real problem
| is the key handling (how to make sure the DBA can't get the key, cannot
| call functions that decrypt the data, key not copied with the backup,
| etc.).
| There are sev
I don't want to have to re-implement Apache in order to do
an SSL implementation. ...
Those analogies aren't apt. XML is a data format, so it's more like
I don't want to have to implement ASN1/DER to do S/MIME
Which is a nonsensical complaint.
Makes sense to me. The
Rich Salz <[EMAIL PROTECTED]> writes:
>Peter's shared earlier drafts with me, and we've exchanged email about this.
>The only complaint that has a factual basis is this:
>
>I don't want to have to implement XML processing to do
>XML Digital Signatures
I don't want to have