Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Samuel Weiler
On Thu, 5 Sep 2013, Phillip Hallam-Baker wrote: * Allowing deployment of DNSSEC to be blocked in 2002(sic) by blocking a technical change that made it possible to deploy in .com. As an opponent of DNSSEC opt-in back in the day, I think this is a poor example of NSA influence in the standards

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jon Callas
On Sep 6, 2013, at 11:05 PM, Jaap-Henk Hoepman wrote: >> Public-key cryptography is less well-understood than symmetric-key >> cryptography. It is also tetchier than symmetric-key crypto, and if you pay >> attention to us talking about issues

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jaap-Henk Hoepman
> Public-key cryptography is less well-understood than symmetric-key > cryptography. It is also tetchier than symmetric-key crypto, and if you pay > attention to us talking about issues with nonces, counters, IVs, chaining > modes, and all that, you see that saying that it's tetchier than tha

Re: [Cryptography] Using Raspberry Pis

2013-09-06 Thread Marcus D. Leech
On 09/07/2013 12:04 AM, Ben Laurie wrote: On 26 August 2013 22:43, Perry E. Metzger wrote: (I would prefer to see hybrid capability systems in such applications, like Capsicum, though I don't think any such have been ported to Linux and that's a popular

[Cryptography] I have to whistle to blow...

2013-09-06 Thread Dan McDonald
... but I must scream. http://kebesays.blogspot.com/2013/09/i-have-no-whistle-to-blow-but-i-must.html FYI, and thanks, Dan McD. ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Jon Callas
On Sep 6, 2013, at 8:22 PM, Jerry Leichter wrote: > I'm sorry, but this is just nonsense. You're starting with informal, rough > definitions and claiming a mathematical theorem. Actually, I'm doing the opposite. I'm starting with a theorem and arg

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Marcus D. Leech
The magic of public key crypto is that it gets rid of the key management problem -- if I'm going to communicate with you with symmetric crypto, how do I get the keys to you? The pain of it is that it replaces it with a new set of problems. Those problems include that the amazing power of pu

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 8:58 PM, Jon Callas wrote: >> I've long suspected that NSA might want this kind of property for some of >> its own systems: In some cases, it completely controls key generation and >> distribution, so can make sure the system as fielded only uses "good" keys. >> If the algo

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread The Doctor
On 09/06/2013 09:02 PM, Chris Palmer wrote: > First time I've heard of 128-bit symmetric called "weak"... Sure, > RC4 isn't awesome but they seem to be saying that 128-bit keys per > se are weak. calomel.org may be erring on the side of "weak" due to

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread The Doctor
On 09/06/2013 08:48 PM, Chris Palmer wrote: > Why would they perform the attack only for encryption software? > They could compromise people's laptops by spiking any popular app. What is more important to them: A single system, or all of the comms go

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Derrell Piper
On Sep 6, 2013, at 8:22 PM, John Gilmore wrote: > Speaking as someone who followed the IPSEC IETF standards committee > pretty closely, while leading a group that tried to implement it and > make it so usable that it would be used by default throughout the > Internet, I noticed some things: ...and

Re: [Cryptography] Using Raspberry Pis

2013-09-06 Thread Ben Laurie
On 26 August 2013 22:43, Perry E. Metzger wrote: > (I would prefer to see hybrid capability systems in such > applications, like Capsicum, though I don't think any such have been > ported to Linux and that's a popular platform for such work.) > FWIW, we're working on a Linux port of Capsicum. He

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jon Callas
On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman wrote: > In this op-ed in the Guardian > > http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance > > Bruce Schneier writes: "Prefer symmetric cryptography over public-key > cryptography." The only reason I can think of

Re: [Cryptography] NSA hates sunshine

2013-09-06 Thread John Gilmore
> > As of Jan-2014 CAs are forbidden from issuing/signing anything less than > > 2048 certs. > > For some value of "forbidden". :-) Yeah, just like employees at big companies are "forbidden" to reveal how they are collaborating with NSA. Years ago I heard what happened when George Davida file

Re: [Cryptography] In the face of "cooperative" end-points, PFS doesn't help

2013-09-06 Thread Marcus D. Leech
It seems to me that while PFS is an excellent back-stop against NSA having/deriving a website RSA key, it does *nothing* to prevent the kind of "cooperative endpoint" scenario that I've seen discussed in other forums, prompted by the latest revelations about what NSA has been up to. But if yo

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Chris Palmer
On Fri, Sep 6, 2013 at 5:34 PM, The Doctor wrote: > Symmetric cipher RC4 (weak 10/49) > Symmetric key length 128 bits (weak 8/19) > Cert issued by Google, Inc, US SHA-1 with RSA @ 2048 bit (MODERATE 2/6) First time I've heard of 128-bit symmetric called "weak"... Sure, RC4 isn't awesome but they

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Chris Palmer
> Q: "Could the NSA be intercepting downloads of open-source encryption > software and silently replacing these with their own versions?" Why would they perform the attack only for encryption software? They could compromise people's laptops by spiking any popular app.

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Kevin W. Wall
On 9/6/2013 1:05 PM, Perry E. Metzger wrote: I have re-read the NY Times article. It appears to only indicate that this was *a* standard that was sabotaged, not that it was the only one. In particular, the Times merely indicates that they can now confirm that this particular standard was sabota

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Derrell Piper
...and to add to all that, how about the fact that IPsec was dropped as a 'must implement' from IPv6 sometime after 2002?

[Cryptography] NYTimes: Legislation Seeks to Bar N.S.A. Tactic in Encryption

2013-09-06 Thread Perry E. Metzger
Quoting: After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects e-mai

[Cryptography] ADMIN: Reminder, yet again...

2013-09-06 Thread Perry E. Metzger
Sadly it seems I need to repeat this: We've got a very large number of participants on this list, and volume has gone way up at the moment thanks to current events. To make the experience pleasant for everyone please: 1) Cut down the original you're quoting to only the relevant portions to minimi

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Jon Callas
On Sep 6, 2013, at 6:23 AM, Jerry Leichter wrote: > Is such an attack against AES *plausible*? I'd have to say no. But if you > were on the stand as an expert witness and were asked under cross-examination > "Is this *possible*?", I contend the o

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread John Gilmore
Speaking as someone who followed the IPSEC IETF standards committee pretty closely, while leading a group that tried to implement it and make it so usable that it would be used by default throughout the Internet, I noticed some things: * NSA employees participated throughout, and occupied leadershi

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Jon Callas
On Sep 6, 2013, at 4:42 AM, Jerry Leichter wrote: > Argh! And this is why I dislike using "symmetric" and "asymmetric" to > describe cryptosystems: In English, the distinction is way too brittle. > Just a one-letter difference - and in includin

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread The Doctor
On 09/06/2013 01:13 PM, Perry E. Metzger wrote: > Google is also now (I believe) using PFS on their connections, and > they handle more traffic than anyone. A connection I just made to > https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1,

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread James Cloos
> "PEM" == Perry E Metzger writes: PEM> Anyone at a browser vendor resisting the move to 1.2 should be PEM> viewed with deep suspicion. Is anyone? NSS has 1.2 now; it is, AIUI, in progress for ff and sm. Chromium supports it (as of version 29, it seems). Opera supports 1.2 (at least as of

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Jon Callas
On Sep 6, 2013, at 11:41 AM, "Jack Lloyd" wrote: >> I think that any of OCB, CCM, or EAX are preferable from a security >> standpoint, but none of them parallelize as well. If you want to do >> a lot of encrypted and authenticated high-speed link

Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-06 Thread Lodewijk andré de la porte
Right. Maybe some AES32? 2013/9/7 Perry E. Metzger > Quoting: > >Google is racing to encrypt the torrents of information that flow >among its data centers around the world, in a bid to thwart >snooping by the NSA as well as the intelligence agencies of foreign >governments, com

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Lodewijk andré de la porte
That they have the capacity doesn't mean they ever actually did it; Schneier's comment is conservative. It is obviously within their (legal) capacity to change anything going across US and INTNET cables and to forge some families of signatures. 2013/9/6 Eugen Leitl > On Fri, Sep 06, 2013

Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-06 Thread Marcus D. Leech
On 09/06/2013 07:38 PM, Perry E. Metzger wrote: Quoting: Google is racing to encrypt the torrents of information that flow among its data centers around the world, in a bid to thwart snooping by the NSA as well as the intelligence agencies of foreign governments, company official

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Harald Koch
On 6 September 2013 16:25, Jerry Leichter wrote: > Q: "Could the NSA be intercepting downloads of open-source encryption > software and silently replacing these with their own versions?" > http://c2.com/cgi/wiki?TheKenThompsonHack (and many other references)

Re: [Cryptography] NSA and cryptanalysis

2013-09-06 Thread ianG
On 6/09/13 04:44 AM, Peter Gutmann wrote: John Kelsey writes: If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. If I had to bet, I'd bet on anything but the crypto. Why attack when you can bypass

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread ianG
On 6/09/13 08:04 AM, John Kelsey wrote: It is possible Dual EC DRBG had its P and Q values generated to insert a trapdoor, though I don't think anyone really knows that (except the people who generated it, but they probably can't prove anything to us at this point). It's also immensely slowe

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Anne & Lynn Wheeler
we were brought in as consultants to a small client/server startup that wanted to do payment transactions on their server, they had this technology they called "SSL" they wanted to use, the result is now frequently called "electronic commerce". The two people at the startup responsible for the

[Cryptography] Matthew Green on BULLRUN

2013-09-06 Thread Perry E. Metzger
Some interesting nuggets here, including the fact that he explicitly calls out the existence of NSA's new HUMINT division that infiltrates corporations for a living. http://blog.cryptographyengineering.com/2013/09/on-nsa.html -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Jerry Leichter
Following up on my own posting: > [The NSA] want to buy COTS because it's much cheaper, and COTS is based on > standards. So they have two contradictory constraints: They want the stuff > they buy secure, but they want to be able to break in to exactly the same > stuff when anyone else buys it.

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Ben Laurie
On 6 September 2013 17:20, Peter Saint-Andre wrote: > Is there a handy list of PFS-friendly > ciphersuites that I can communicate to XMPP developers and admins so > they can start upgrading their software and deployments? > Anything with EDH, DHE or ECDHE in the name...

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread ianG
On 6/09/13 20:15 PM, Daniel Veditz wrote: On 9/6/2013 9:52 AM, Raphaël Jacquot wrote: To meet today’s PCI DSS crypto standards DHE is not required. PCI is about credit card fraud. So was SSL ;-) Sorry, couldn't resist... Mastercard/Visa aren't worried that criminals are storing all your

Re: [Cryptography] tamper-evident crypto?

2013-09-06 Thread John Denker
On 09/05/2013 06:48 PM, Richard Clayton wrote: > so you'd probably fail to observe any background activity that tested > whether this information was plausible or not and then some chance > event would occur that caused someone from Law Enforcemen

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Ben Laurie
On 6 September 2013 18:13, Perry E. Metzger wrote: > Google is also now (I believe) using PFS on their connections, and > they handle more traffic than anyone. A connection I just made to > https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1, > ECDHE_RSA. > > It would be good to see them

[Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-06 Thread Perry E. Metzger
Quoting: Google is racing to encrypt the torrents of information that flow among its data centers around the world, in a bid to thwart snooping by the NSA as well as the intelligence agencies of foreign governments, company officials said on Friday. The move by Google is among the

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Peter Gutmann
ianG writes: > And, controlling processes is just what the NSA does. > > https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html How does '(a) Organizations and Conferences' differ from SOP for these sorts of things? Peter.

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Peter Gutmann
Ralph Holz writes: >But for right now, what options do we have that are actually implemented >somewhere? Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST, >etc.), and I don't see any move towards TLS > 1.0. http://tools.ietf.org/html/draft-gutmann-tls-encrypt-then-mac-02 fixes al

[Cryptography] Bruce Schneier calls for independent prosecutor to investigate NSA

2013-09-06 Thread Perry E. Metzger
Quoting: All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA. We know secrecy corrupts, and we see that corruption. There's simply no credibilit

[Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Jerry Leichter
A response he wrote as part of a discussion at http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html: Q: "Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions?" A: (Schneier) Yes, I believe so.

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Perry E. Metzger
On Fri, 06 Sep 2013 18:52:46 +0200 Raphaël Jacquot wrote: > While I applaud this move on the part of the Nginx dev team there > is a tradeoff and that is slower performance. DHE provides stronger > encryption which in turn requires more computation but here’s where > it gets interesting. To meet

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 18:56:51 +0100 Ben Laurie wrote: > The problem is that there's nothing good [in the way of ciphers] > left for TLS < 1.2. So, lets say in public that the browser vendors have no excuse left for not going to 1.2. I hate to be a conspiracy nutter, but it is that kind of week. An

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread ianG
On 6/09/13 11:32 AM, ianG wrote: And, controlling processes is just what the NSA does. https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html Oops, for those unfamiliar with CAcert's peculiar use of secure browsing, drop the 's' in the above URL. Then it will securely load.

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen wrote: > As a co-author of an analysis of Dual-EC-DRBG that did not > emphasize this problem (we only stated that Q had to be chosen at > random, Ferguson &co were right to emphasize this point), I would > like to ask: > > Has anyone, anyw

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Eugen Leitl
On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote: > A response he wrote as part of a discussion at > http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html: > > Q: "Could the NSA be intercepting downloads of open-source encryption > software and silently replacing these

[Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jaap-Henk Hoepman
In this op-ed in the Guardian http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance Bruce Schneier writes: "Prefer symmetric cryptography over public-key cryptography." The only reason I can think of is that for public key crypto you typically use an American (and th

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Peter Fairbrother
On 06/09/13 15:36, Perry E. Metzger wrote: One solution, preventing passive attacks, is for major browsers and websites to switch to using PFS ciphersuites (i.e. those based on ephemeral Diffie-Hellman key exchange). It occurred to me yesterday that this seems like something all major service

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Jack Lloyd
> I think that any of OCB, CCM, or EAX are preferable from a security > standpoint, but none of them parallelize as well. If you want to do > a lot of encrypted and authenticated high-speed link encryption, > well, there is likely no other answer. It's GCM or nothing. OCB parallelizes very well i

[Cryptography] 1024 bit DH still common in Tor network

2013-09-06 Thread Perry E. Metzger
Summary: blog posting claims most of the Tor network is still running older software that uses 1024 bit Diffie-Hellman. http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html I'm not sure how cheap it actually would be to routinely crack DH key exchanges, but it does seem like

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread James A. Donald
On 2013-09-06 12:31 PM, Jerry Leichter wrote: Another interesting goal: "Shape worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS." Elsewhere, "enabling access" and "exploiting systems of interest" and "ins

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Ben Laurie
On 6 September 2013 18:24, Perry E. Metzger wrote: > On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie wrote: > > On 6 September 2013 18:13, Perry E. Metzger > > wrote: > > > > > Google is also now (I believe) using PFS on their connections, and > > > they handle more traffic than anyone. A connecti

Re: [Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 11:37 AM, John Ioannidis wrote: > I'm a lot more worried about FDE (full disk encryption) features on modern > disk drives, for all the obvious reasons. > If you're talking about the FDE features built into disk drives - I don't know anyone who seriously trusts it. Every "sec

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread ianG
On 6/09/13 04:50 AM, Peter Gutmann wrote: "Perry E. Metzger" writes: At the very least, anyone whining at a standards meeting from now on that they don't want to implement a security fix because "it isn't important to the user experience" or adds minuscule delays to an initial connection or wh

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Daniel Veditz
On 9/6/2013 9:52 AM, Raphaël Jacquot wrote: > To meet today’s PCI DSS crypto standards DHE is not required. PCI is about credit card fraud. Mastercard/Visa aren't worried that criminals are storing all your internet purchase transactions with the hope they can crack it later; if the FBI/NSA want y

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Raphaël Jacquot
On 06.09.2013 18:20, Peter Saint-Andre wrote: On 9/6/13 8:36 AM, Perry E. Metzger wrote: One solution, preventing passive attacks, is for major browsers and websites to switch to using PFS ciphersuites (i.e. those based on ephemeral Diffie-Hellman

Re: [Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 10:03 AM, Perry E. Metzger wrote: > > Naively, one could take a picture of the dice and OCR it. However, > one doesn't actually need to OCR the dice -- simply hashing the > pixels from the image will have at least as much entropy if the > position of the dice is recognizable fro

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Ralph Holz
Hi, >>> It would be good to see them abandon RC4 of course, and soon. >> >> In favour of what, exactly? We're out of good ciphersuites. > > I thought AES was okay for TLS 1.2? Isn't the issue simply that > Firefox etc. still use TLS 1.0? Note that this was a TLS 1.2 > connection. Firefox has add

Re: [Cryptography] IA side subverted by SIGINT side

2013-09-06 Thread John Gilmore
> I have a small amount of raised eyebrow because the greatest bulwark > we have against the SIGINT capabilities of any intelligence agency are > that agency's IA cousins. I don't think that the Suite B curves would > have been intentionally weak. That would be a shock. Then be "shocked, shocked"

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Tim Dierks
On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen <kristian.gjost...@math.ntnu.no> wrote: > Has anyone, anywhere ever seen someone use Dual-EC-DRBG? > > I mean, who on earth would be daft enough to use the slowest possible > DRBG? If this is the best NSA can do, they are over-hyped. > It

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 7:28 AM, Jerry Leichter wrote: > ...Much of what you say later in the message is that the way we are using > symmetric-key systems (CA's and such)... Argh! And this is why I dislike using "symmetric" and "asymmetric" to describe cryptosystems: In English, the distinction is w

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Jerry Leichter
>> Perhaps it's time to move away from public-key entirely! We have a classic >> paper - Needham and Schroeder, maybe? - showing that private key can do >> anything public key can; it's just more complicated and less efficient. > > Not really. The Needham-Schroeder you're thinking of is the ess

Re: [Cryptography] Can you backdoor a symmetric cipher (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-06 Thread Jerry Leichter
>> >> It is probably very difficult, possibly impossible in practice, to >> backdoor a symmetric cipher. For evidence, I direct you to this old >> paper by Blaze, Feigenbaum and Leighton: >> >> http://www.crypto.com/papers/mkcs.pdf >> > > There is also a theorem somewhere (I am forgetting where

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie wrote: > On 6 September 2013 18:13, Perry E. Metzger > wrote: > > > Google is also now (I believe) using PFS on their connections, and > > they handle more traffic than anyone. A connection I just made to > > https://www.google.com/ came out as, TLS 1

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Kristian Gjøsteen
5. sep. 2013 kl. 23:14 skrev Tim Dierks : > I believe it is Dual_EC_DRBG. The ProPublica story says: > Classified N.S.A. memos appear to confirm that the fatal weakness, discovered > by two Microsoft cryptographers in 2007, was engineered by the agency. The > N.S.A. wrote the standard and aggre

Re: [Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-06 Thread Bill Squier
On Sep 6, 2013, at 10:03 AM, Perry E. Metzger wrote: > Naively, one could take a picture of the dice and OCR it. However, > one doesn't actually need to OCR the dice -- simply hashing the > pixels from the image will have at least as much entropy if the > position of the dice is recognizable from

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Ralph Holz
Hi, > Same here. AES is, as far as we know, pretty secure, so any problems are > going to arise in how AES is used. AES-CBC wrapped in HMAC is about as solid > as you can get. AES-GCM is a design or coding accident waiting to happen. But for right now, what options do we have that are actually

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Benjamin Kreuter
On Fri, 6 Sep 2013 01:19:10 -0400 John Kelsey wrote: > I don't see what problem would actually be solved by dropping public > key crypto in favor of symmetric only designs. I mean, if the > problem is that all public key systems are broken, then yeah, we will > have to do something else. But if

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Peter Saint-Andre
On 9/6/13 8:36 AM, Perry E. Metzger wrote: >>> One solution, preventing passive attacks, is for major >>> browsers and websites to switch to using PFS ciphersuites (i.e. >>> those based on ephemeral Diffie-Hellman key exchange). > > It occurred to me

Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

2013-09-06 Thread Eugen Leitl
On Thu, Sep 05, 2013 at 04:11:57PM -0400, Phillip Hallam-Baker wrote: > If a person at Snowden's level in the NSA had any access to information Snowden didn't have clearance for that information. He's being described as 'brilliant' and purportedly was able to access documents far beyond his lev

Re: [Cryptography] Is ECC suspicious?

2013-09-06 Thread Dirk-Willem van Gulik
Op 6 sep. 2013, om 01:09 heeft "Perry E. Metzger" het volgende geschreven: > http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance …. > The Suite B curves were picked some time ago. Maybe they have problems. …. > Now, this certainly was a problem for the random numb

Re: [Cryptography] Keeping backups (was Re: Separating concerns

2013-09-06 Thread Dirk-Willem van Gulik
Would be interested & interesting. Been doing the same thing with on-chipcard generated public keys to do the 'reverse' - be able to wipe a part of your off-site backup store by cutting up the secret. So I think there is a general case - and I've got a gut feeling that when probably analysed som

[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Perry E. Metzger
> > One solution, preventing passive attacks, is for major browsers > > and websites to switch to using PFS ciphersuites (i.e. those > > based on ephemeral Diffie-Hellman key exchange). It occurred to me yesterday that this seems like something all major service providers should be doing. I'm sur

[Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-06 Thread Perry E. Metzger
On Thu, 5 Sep 2013 22:31:50 -0400 Jerry Leichter wrote: > For example, at > http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?ref=us&pagewanted=all, > the following goal appears for FY 2013 appears: "Complete enabling > for [redacted] encryptio

[Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on "BULLRUN")

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 01:04:31 -0400 John Kelsey wrote: > > I'm starting to think that I'd probably rather type in the > > results of a few dozen die rolls every month in to my critical > > servers and let AES or something similar in counter mode do the > > rest. > > > > A d20 has a bit more than 4

Re: [Cryptography] Can you backdoor a symmetric cipher

2013-09-06 Thread Perry E. Metzger
On Thu, 5 Sep 2013 21:42:29 -0700 Jon Callas wrote: > On Sep 5, 2013, at 9:33 PM, "Perry E. Metzger" > wrote: > > > > > It is probably very difficult, possibly impossible in practice, to > > backdoor a symmetric cipher. For evidence, I direct you to this > > old paper by Blaze, Feigenbaum and L