Re: XML signature HMAC truncation authentication bypass

2009-07-19 Thread Peter Gutmann
Leandro Meiners quotes: For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid. This excessive generality is a serious problem in way too many crypto

Re: work factor calculation for brute-forcing crypto

2009-07-19 Thread David Wagner
Assume for a moment that we have a random number generator which is non-uniform, and we are using it to generate a key. What I'd like to do is characterize the work factor involved in brute-force search of the key space, assuming that the adversary has knowledge of the characteristics of the

Re: 112-bit prime ECDLP solved

2009-07-19 Thread Zooko Wilcox-O'Hearn
By the way, we've recently been planning our next crypto-capabilities design for the TahoeLAFS secure distributed filesystem. This involves deciding whether a 192-bit elliptic curve public key is strong enough, as well as subtler and more unusual issues involving embedding keys directly

why hyperelliptic curves?

2009-07-19 Thread Zooko Wilcox-O'Hearn
Oh, and by the way the way that TahoeLAFS uses public key cryptography highlights some of the weaknesses of current public key techniques and some of the strengths of possible future techniques such as hyperelliptic curves. (I know that Tanja Lange has done a lot of work on those.)

Re: work factor calculation for brute-forcing crypto

2009-07-19 Thread David Malone
On Fri, Jul 17, 2009 at 01:37:43PM -0500, wrote: I'm curious if there's a way to express this calculation as a mathematical formula, rather than an algorithm, but right now I'm just blanking on how I could do it. This has been dubbed the guesswork of a