Re: [Cryptography] encoding formats should not be committee'ised

2013-10-02 Thread Dave Horsfall
On Wed, 2 Oct 2013, Jerry Leichter wrote: > Always keep in mind - when you argue for "easy readability" - that one > of COBOL's design goals was for programs to be readable and > understandable by non-programmers. Managers, in particular. -- Dave

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-02 Thread Brian Gladman
On 02/10/2013 13:58, John Kelsey wrote: > On Oct 1, 2013, at 5:58 PM, Peter Fairbrother wrote: > >> AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 >> and AES-256. >> >> AES-256 is supposed to have a brute force work factor of 2^256 - but we >> find that in fact it

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-02 Thread Jerry Leichter
On Oct 2, 2013, at 10:46 AM, Viktor Dukhovni wrote: >> Text encodings are easy to read but very difficult to specify >> boundaries in without ambiguity. > > Yes, and not just boundaries. Always keep in mind - when you argue for "easy readability" - that one of COBOL's design goals was for progra

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Lodewijk andré de la porte
2013/10/2 Russ Nelson > If you are proposing that something needs stronger encryption than > ROT-26, please explain the threat model that justifies your choice of > encryption and key distribution algorithms. > ROT-26 is fantastic for certain purposes. Like when encrypting for kids that just lea

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-02 Thread Arnold Reinhold
On 1 Oct 2013 23:48 Jerry Leichter wrote: > The larger the construction project, the tighter the limits on this stuff. I > used to work with a former structural engineer, and he repeated some of the > "bad example" stories they are taught. A famous case a number of years back > involved a hot

[Cryptography] [nicol...@cmu.edu: [fc-announce] Financial Cryptography 2014 Call for Papers]

2013-10-02 Thread R. Hirschfeld
--- Start of forwarded message --- Date: Wed, 2 Oct 2013 10:55:03 -0400 From: Nicolas Christin Subject: [fc-announce] Financial Cryptography 2014 Call for Papers Call for Papers FC 2014 March 3-7, 2014 Accra Beach Hotel & Spa, Barbados Financial Cryptography and Data Security is a major

Re: [Cryptography] RSA equivalent key length/strength

2013-10-02 Thread Kristian Gjøsteen
On 2 Oct 2013 at 16:59, John Kelsey wrote: > On Oct 2, 2013, at 9:54 AM, Paul Crowley wrote: > >> On 30 September 2013 23:35, John Kelsey wrote: >> If there is a weak curve class of greater than about 2^{80} that NSA knew >> about 15 years ago and were sure nobody was ever going to find that

Re: [Cryptography] RSA equivalent key length/strength

2013-10-02 Thread John Kelsey
On Oct 2, 2013, at 9:54 AM, Paul Crowley wrote: > On 30 September 2013 23:35, John Kelsey wrote: >> If there is a weak curve class of greater than about 2^{80} that NSA knew >> about 15 years ago and were sure nobody was ever going to find that weak >> curve class and exploit it to break clas

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-02 Thread Jonathan Thornburg
On Tue, 1 Oct 2013, someone who (if I've unwrapped the nested quoting correctly) might have been Jerry Leichter wrote: > There are three levels of construction. If you're putting together > a small garden shed, "it looks right" is generally enough - at least > if it's someone with sufficient expe

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Greg
> Hm.. that's a nice idea, but I don't think it can work reliably. What if > the send path changes in between? AFAIK there are legitimate reasons for > that, like load balancers or weird greylisting setups. You're right, I think I misunderstood you when you talked about a "one time password". I t

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-02 Thread John Kelsey
Has anyone tried to systematically look at what has led to previous crypto failures? That would inform us about where we need to be adding armor plate. My impression (this may be the availability heuristic at work) is that: a. Most attacks come from protocol or mode failures, not so much cryp

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Markus Wanner
On 10/02/2013 04:32 PM, Greg wrote: > I agree, I apologize for the excessively negative tone. I think RL (and > unrelated) agitation affected my writing and word choice. I've taken > steps to prevent that from happening again (via magic of self-censoring > software). Cool. :-) > I don't see why a

Re: [Cryptography] RSA equivalent key length/strength

2013-10-02 Thread Manuel Pégourié-Gonnard
Hi, On 01/10/2013 19:39, Peter Fairbrother wrote: > Also, the method by which the generators (and thus the actual groups in > use, not the curves) were chosen is unclear. > If we're talking about the NIST curves over prime fields, they all have cofactor 1, so the actual group used is E(F_p), the

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-02 Thread Viktor Dukhovni
On Wed, Oct 02, 2013 at 09:09:05AM -0400, Phillip Hallam-Baker wrote: > SMTP does not have nested structures or need > them. A lot of application protocols do. MIME: RFC 2045 - 2048, ... A rather complex nested structure, and frankly rather more ambiguous in practice than ASN.1. For example, wh

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Greg
> While I agree in principle, I don't quite like the tone here. I agree, I apologize for the excessively negative tone. I think RL (and unrelated) agitation affected my writing and word choice. I've taken steps to prevent that from happening again (via magic of self-censoring software). > But I

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Greg
> I'm interested in cases where Mailman passwords have been abused. "Show me one instance where a nuclear reactor was brought down by an earthquake! Just one! Then I'll consider spending the $$ on it!" -- Please do not email me anything that you are not comfortable also sharing with the NSA. O

Re: [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

2013-10-02 Thread John Kelsey
On Oct 1, 2013, at 12:51 PM, Adam Back wrote: [Discussing how NSA might have generated weak curves via trying many choices till they hit a weak-curve class that only they knew how to solve.] ... > But the more interesting question I was referring to is a trapdoor weakness > with a weak proof of

Re: [Cryptography] RSA equivalent key length/strength

2013-10-02 Thread Paul Crowley
On 30 September 2013 23:35, John Kelsey wrote: > If there is a weak curve class of greater than about 2^{80} that NSA knew > about 15 years ago and were sure nobody was ever going to find that weak > curve class and exploit it to break classified communications protected by > it, then they could

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-02 Thread Phillip Hallam-Baker
Replying to James and John. Yes, the early ARPANET protocols are much better than many that are in binary formats. But the point where data encoding becomes an issue is where you have nested structures. SMTP does not have nested structures or need them. A lot of application protocols do. I have s

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-02 Thread John Kelsey
On Oct 1, 2013, at 5:58 PM, Peter Fairbrother wrote: > AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 > and AES-256. > > AES-256 is supposed to have a brute force work factor of 2^256 - but we find > that in fact it actually has a very similar work factor to that

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-02 Thread Anne & Lynn Wheeler
On 09/30/13 04:41, ianG wrote: Experience suggests that asking a standards committee to do the encoding format is a disaster. I just looked at my code, which does something we call Wire, and it's 700 loc. Testing code is about a kloc I suppose. Writing reference implementations is a piece o

Re: [Cryptography] RSA equivalent key length/strength

2013-10-02 Thread ianG
Hi Peter, On 30/09/13 23:31 PM, Peter Fairbrother wrote: On 26/09/13 07:52, ianG wrote: On 26/09/13 02:24 AM, Peter Fairbrother wrote: On 25/09/13 17:17, ianG wrote: On 24/09/13 19:23 PM, Kelly John Rose wrote: I have always approached that no encryption is better than bad encryption, other

Re: [Cryptography] TLS2

2013-10-02 Thread ianG
On 1/10/13 23:13 PM, Peter Fairbrother wrote: ... Sounds like you want CurveCP? http://curvecp.org/ Yes, EXACTLY that. Proposals like CurveCP. I have said this first part before: Dan Boneh was talking at this year's RSA cryptographers track about putting some sort of quantum-computer-res

Re: [Cryptography] RSA recommends against use of its own products.

2013-10-02 Thread John Lowry
BBN has created three ASN.1 code generators over time and even released a couple. (ASN.1 to C, C++, and Java). I believe that DER to support typical X.509 management is the easiest subset. I can check on status for release to open source if there is interest. It has been available as part of Ce

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Markus Wanner
On 10/02/2013 12:03 AM, Greg wrote: > Running a mailing list is not hard work. There are only so many things > one can fuck up. This is probably one of the biggest mistakes that can > be made in running a mailing list, and on a list that's about software > security. It's just ridiculous. While I a

Re: [Cryptography] TLS2

2013-10-02 Thread James A. Donald
On 2013-10-02 13:18, Tony Arcieri wrote: LANGSEC calls this: full recognition before processing http://www.cs.dartmouth.edu/~sergey/langsec/occupy/ I disagree slightly with langsec. At compile time you want an extremely powerful languag

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Markus Wanner
On 10/02/2013 12:11 AM, Joshua Marpet wrote: > Low security environment, minimal ability to inflict damage, clear > instructions from the beginning. Agreed. There certainly are bigger problems on earth. And I really don't mind if you move on and take care of any of those, first. :-) > If the sy

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Markus Wanner
On 10/01/2013 11:36 PM, R. Hirschfeld wrote: > Your objections are understandable but aren't really an issue with > mailman because if you don't enter a password then mailman will choose > one for you (which I always let it do) and there's no need to remember > it because if you ever need it (a rar

Re: [Cryptography] Why is emailing me my password?

2013-10-02 Thread Russ Nelson
Greg writes: > This falls somewhere in the land of beyond-the-absurd. > So, my password, iPoopInYourHat, is being sent to me in the clear by your > servers. Repeat after me: "crypto without a threat model is like cookies without milk." If you are proposing that something needs stronger encryp

Re: [Cryptography] TLS2

2013-10-02 Thread ianG
On 2/10/13 00:43 AM, James A. Donald wrote: On 2013-10-01 14:36, Bill Stewart wrote: It's the data representations that map them into binary strings that are a wretched hive of scum and villainy, particularly because you can't depend on a bit string being able to map back into any well-defined A

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-02 Thread Jerry Leichter
On Oct 1, 2013, at 5:58 PM, Peter Fairbrother wrote: > [and why doesn't AES-256 have 256-bit blocks???] Because there's no security advantage, but a practical disadvantage. When blocks are small enough, the birthday paradox may imply repeated blocks after too short a time to be comfortable. Whet

Re: [Cryptography] Passwords

2013-10-02 Thread Jerry Leichter
On Oct 1, 2013, at 5:10 PM, Jeffrey Schiller wrote: > A friend of mine who used to build submarines once told me that the first > time the sub is submerged, the folks who built it are on board. :-) Indeed. A friend served on nuclear subs; I heard about that practice from him. (The same practice

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-02 Thread Jerry Leichter
On Oct 1, 2013, at 12:27 PM, Dirk-Willem van Gulik wrote: >> It's clear what "10x stronger than needed" means for a support beam: We're >> pretty good at modeling the forces on a beam and we know how strong beams of >> given sizes are. > Actually - do we? I picked this example as it is one of