Weeks after the informal announcement, the Taiwanese National ID
smartcard break is finally getting press. It is a great example of
a piece of certified crypto hardware that works poorly because
of bad random number generation.
Good explanation for your technical but not security oriented friends
On Sep 17, 2013, at 11:54 AM, Perry E. Metzger pe...@piermont.com wrote:
I'd like to note quite strongly that (with certain exceptions like
RC4) the odds of wholesale failures in ciphers seem rather small
compared to the odds of systems problems like bad random number
generators, sabotaged
On Tue, 17 Sep 2013 12:15:48 -0400 Jerry Leichter leich...@lrw.com
wrote:
Actually, I think there is a potentially interesting issue here:
RC4 is faster and requires significantly fewer resources than
modern block ciphers. As a result, people would really like to use
it - and actually they
On Tue, 17 Sep 2013 11:35:34 -0400 Perry E. Metzger
pe...@piermont.com wrote:
Added c...@panix.com -- if you want to re-submit this (and maybe not
top post it) I will approve it...
Gah! Accidentally forwarded that to the whole list, apologies.
--
Perry E. Metzger
On Mon, Sep 16, 2013 at 12:44 PM, Bill Frantz fra...@pwpconsult.com wrote:
Symmetric encryption:
Two algorithms give security equal to the best of them. Three
protect against meet-in-the-middle attacks. Performing the
multiple encryption at the block level allows block cyphers to
be
Tony Arcieri basc...@gmail.com writes:
On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz fra...@pwpconsult.com wrote:
After Rijndael was selected as AES, someone suggested the really paranoid
should super encrypt with all 5 finalists in the competition. Five level
super encryption is probably
On the Paranoid Cryptoplumbing discussion:
I'd like to note quite strongly that (with certain exceptions like
RC4) the odds of wholesale failures in ciphers seem rather small
compared to the odds of systems problems like bad random number
generators, sabotaged accelerator hardware, stolen keys,
Hi Bill,
On 17/09/13 01:20 AM, Bill Frantz wrote:
The idea is that when serious problems are discovered with one
algorithm, you don't have to scramble to replace the entire crypto
suite. The other algorithm will cover your tail while you make an
orderly upgrade to your system.
Obviously you
Added c...@panix.com -- if you want to re-submit this (and maybe not
top post it) I will approve it...
Perry
On Tue, 17 Sep 2013 11:08:43 -0400 Carl Ellison c...@panix.com wrote:
If you can examine your setup and determine all possible memory in
the device, count that memory in
On 17/09/13 01:40 AM, Tony Arcieri wrote:
On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz fra...@pwpconsult.com wrote:
After Rijndael was selected as AES, someone suggested the really
paranoid should super encrypt with all 5 finalists in the
competition.
On 16/09/2013 23:39, Perry E. Metzger wrote:
On Mon, 16 Sep 2013 11:54:13 -1000 Tim Newsham
tim.news...@gmail.com wrote:
- A backdoor that leaks cryptographic secrets
consider for example applications using an intel chip with
hardware-assist for AES. You're feeding your AES keys
directly
On 2013-09-16 Phillip Hallam-Baker hal...@gmail.com wrote:
[snip]
If people are sending email through the corporate email system then in many
cases the corporation has a need/right to see what they are sending/receiving.
[snip]
Even if an organisation has a need/right to look into people's
On Sep 17, 2013, at 5:49 AM, ianG i...@iang.org wrote:
I wish there was a term for this sort of design in encryption systems
beyond just defense in depth. AFAICT there is not such a term.
How about the Failsafe Principle? ;)
A good question. In my work, I've generally modelled it such
Recommends phasing out RC4 among other things:
http://blog.ivanristic.com/2013/09/updated-best-practices-deprecate-rc4.html
--
Perry E. Metzger pe...@piermont.com
___
The cryptography mailing list
cryptography@metzdowd.com
On 17 Sep 2013 15:47, Christoph Gruber gr...@guru.at wrote:
On 2013-09-16 Phillip Hallam-Baker hal...@gmail.com wrote:
[snip]
If people are sending email through the corporate email system then in
many cases the corporation has a need/right to see what they are
sending/receiving.
[snip]
On Tue, Sep 17, 2013 at 9:28 AM, Perry E. Metzger pe...@piermont.com wrote:
In any case, I would continue to suggest that the weakest point
(except for RC4) is (probably) not going to be your symmetric cipher.
It will be protocol flaws and implementation flaws. No point in
making the barn out
Such a backdoor would be feasible.
It might be feasible in theory (and see the Illinois Malicious
Processor as an example) but I think it would be hard to pull off
well -- too hard to account for changes in future code, too hard to
avoid detection of what you've done.
Not sure this is
On Mon, 16 Sep 2013 17:47:11 -0700 Bill Frantz
fra...@pwpconsult.com wrote:
Authentication is achieved by signing the entire exchange with
DSA. -- Change the protocol to sign the exchange with both RSA
and DSA and send and check both signatures.
Remember to generate the nonce for DSA using
On Tue, 17 Sep 2013 10:07:38 -0700 Tony Arcieri basc...@gmail.com
wrote:
The NSA of course participated in active attacks too, but it seems
their main MO was passive traffic collection.
That's not what I've gotten out of the most recent revelations. It
would seem that they've been evading
On 2013-09-17 07:37, Peter Gutmann wrote:
Tony Arcieri basc...@gmail.com writes:
On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz fra...@pwpconsult.com wrote:
After Rijndael was selected as AES, someone suggested the really paranoid
should super encrypt with all 5 finalists [...].
I wish there
My phrase PRISM-Proofing seems to have created some interest in the press.
PRISM-Hardening might be more important, especially in the short term. The
objective of PRISM-hardening is not to prevent an attack absolutely, it is
to increase the work factor for the attacker attempting ubiquitous
On Tue, Sep 17, 2013 at 8:54 AM, Perry E. Metzger pe...@piermont.com wrote:
I'd like to note quite strongly that (with certain exceptions like
RC4) the odds of wholesale failures in ciphers seem rather small
compared to the odds of systems problems like bad random number
generators, sabotaged
Matthew Green tweeted earlier today that Johns Hopkins will be hosting
a roundtable at 10am EDT tomorrow (Wednesday, September 18th) to
discuss the NSA crypto revelations.
Livestream will be at: https://connect.johnshopkins.edu/jhuisicrypto/
Perry
--
Perry E. Metzger
On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
My phrase PRISM-Proofing seems to have created some interest in the press.
PRISM-Hardening might be more important, especially in the short term. The
objective of PRISM-hardening is not to prevent an attack
On 9/17/13 at 2:48 AM, i...@iang.org (ianG) wrote:
The problem with adding multiple algorithms is that you are also adding
complexity. ...
Both Perry and Ian point out:
And, as we know, the algorithms rarely fail. [but systems do] ...
Absolutely! The techniques I suggested used the
On Tue, 17 Sep 2013 16:52:26 -0400 John Kemp j...@jkemp.net wrote:
On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker
hal...@gmail.com wrote:
The objective of PRISM-hardening is not to prevent an
attack absolutely, it is to increase the work factor for the
attacker attempting ubiquitous
On Tue, Sep 17, 2013 at 05:01:12PM -0400, Perry E. Metzger wrote:
(Note that this assumes no cryptographic breakthroughs like doing
discrete logs over prime fields easily or (completely theoretical
since we don't really know how to do it) sabotage of the elliptic
curve system in use.)
Forwarded-By: David Farber d...@farber.net
Forwarded-By: Annie I. Anton Ph.D. aian...@mindspring.com
http://www.zdnet.com/nsa-cryptanalyst-we-too-are-americans-720689/
NSA cryptanalyst: We, too, are Americans
Summary: ZDNet Exclusive: An NSA mathematician shares his from-the-trenches
view
On Sep 17, 2013, at 11:41 AM, Perry E. Metzger pe...@piermont.com wrote:
I confess I'm not sure what the current state of research is on MAC
then Encrypt vs. Encrypt then MAC -- you may want to check on that.
Encrypt then MAC has a couple of big advantages centering around the idea that
you
On Sep 17, 2013, at 6:21 PM, John Kelsey crypto@gmail.com wrote:
I confess I'm not sure what the current state of research is on MAC
then Encrypt vs. Encrypt then MAC -- you may want to check on that.
Encrypt then MAC has a couple of big advantages centering around the idea
that you
On Sep 17, 2013, at 7:18 PM, Jerry Leichter wrote:
On Sep 17, 2013, at 6:21 PM, John Kelsey crypto@gmail.com wrote:
I confess I'm not sure what the current state of research is on MAC
then Encrypt vs. Encrypt then MAC -- you may want to check on that.
Encrypt then MAC has a couple of
Re: http://www.zdnet.com/nsa-cryptanalyst-we-too-are-americans-720689/
In his Big Data argument, NSA analyst Roger Barkan carefully
skips over the question of what rules there should be for government
*collecting* big data, claiming that what matters are the rules for
how the data is used,
At a stretch, one can imagine circumstances in which trying multiple seeds
to choose a curve would lead to an attack that we would not easily
replicate. I don't suggest that this is really what happened; I'm just
trying to work out whether it's possible.
Suppose you can easily break an elliptic
Techdirt takes apart his statement here:
https://www.techdirt.com/articles/20130917/02391824549/nsa-needs-to-give-its-rank-and-file-new-talking-points-defending-surveillance-old-ones-are-stale.shtml
NSA Needs To Give Its Rank-and-File New Talking Points Defending
Surveillance; The Old
On 9/17/13 at 4:18 PM, leich...@lrw.com (Jerry Leichter) wrote:
MAC'ing the actual data always seemed more logical to me, but
once you look at the actual situation, it no longer seems like
the right thing to do.
When I chose MAC then encrypt I was using the MAC to check the
crypto code. CRC
The FISA court has a web site (newly, this year):
http://www.uscourts.gov/uscourts/courts/fisc/index.html
Today they released a Memorandum Opinion and Primary Order in
case BR 13-109 (Business Records, 2013, case 109), which lays
out the legal reasoning behind ordering several telephone
On Wed, Sep 18, 2013, at 11:02 AM, John Gilmore wrote:
That document is here:
http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary-order.pdf
Page 4:
In granting the government's request, the Court has prohibited the
government from accessing the data for any other intelligence
For hash functions, MACs, and signature schemes, simply concatenating
hashes/MACs/signatures gives you at least the security of the stronger one.
Joux multicollisions simply tell us that concatenating two or more hashes of
the same size doesn't improve their resistance to brute force collision
Arggh! Of course, this superencryption wouldn't help against the CBC padding
attacks, because the attacker would learn plaintext without bothering with the
other layers of encryption. The only way to solve that is to preprocess the
plaintext in some way that takes the attacker's power to