Re: MD5 Collision, Visualised
Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Ben Laurie writes:
> > I wrote some code to show the internal state of MD5 during a collision...
> >
> > http://www.shmoo.com/md5-collision.html
>
> Very nice, though you need to give a scale of rounds -- how many horizontal lines per round?

1 line is 1 round. There are 64 rounds per block and 2 message blocks, plus a block of padding. That is, 192 rounds.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
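The block and round tally Ben gives above (64 rounds per block, two message blocks plus one block of padding, so 192 rounds for a 128-byte collision pair) can be reproduced with a small MD5 that records its internal state after every round. This is an added example, not Ben's visualisation code from the Shmoo page: it implements RFC 1321 MD5 in pure Python, checks its digests against `hashlib`, and reports, for a pair of equal-length messages, the first (block, round) at which the chaining state diverges. The sample messages (all-zero buffers, a one-byte change) are constructed here; no real collision data is included.

```python
# Added example (not from Ben Laurie's page): pure-Python MD5 that records the
# (A, B, C, D) state after every round, so a message can be tallied in blocks
# and rounds the way the visualisation counts them. Checked against hashlib.
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Per-round additive constants K[i] = floor(2^32 * |sin(i + 1)|)
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
# Per-round left-rotation amounts, four per 16-round group
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_pad(msg):
    """Merkle-Damgard padding: 0x80, zeros up to 56 mod 64, then the bit length (LE64).
    A message whose length is a multiple of 64 therefore gains a whole extra block."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_trace(msg):
    """Return (digest, trace); trace[k] = (block_index, round_index, (A, B, C, D))
    with one entry per round, i.e. one entry per horizontal line of the picture."""
    h = list(IV)
    trace = []
    padded = md5_pad(msg)
    for blk in range(len(padded) // 64):
        M = struct.unpack("<16I", padded[blk * 64:(blk + 1) * 64])
        A, B, C, D = h
        for i in range(64):
            if i < 16:
                F, g = (B & C) | (~B & D), i
            elif i < 32:
                F, g = (D & B) | (~D & C), (5 * i + 1) % 16
            elif i < 48:
                F, g = B ^ C ^ D, (3 * i + 5) % 16
            else:
                F, g = C ^ (B | ~D), (7 * i) % 16
            F = (F + A + K[i] + M[g]) & MASK
            A, D, C, B = D, C, B, (B + _rotl(F, S[i])) & MASK
            trace.append((blk, i, (A, B, C, D)))
        h = [(x + y) & MASK for x, y in zip(h, (A, B, C, D))]   # Davies-Meyer feed-forward
    return struct.pack("<4I", *h), trace


def rounds_and_blocks(msg):
    """(total rounds, total blocks including padding) for msg."""
    _, trace = md5_trace(msg)
    return len(trace), trace[-1][0] + 1


def matches_hashlib(msg):
    return md5_trace(msg)[0] == hashlib.md5(msg).digest()


def first_diverging_round(m1, m2):
    """For two equal-length messages, the (block, round) at which the internal
    state first differs, or None if the traces are identical throughout."""
    t1, t2 = md5_trace(m1)[1], md5_trace(m2)[1]
    for (blk, rnd, s1), (_, _, s2) in zip(t1, t2):
        if s1 != s2:
            return (blk, rnd)
    return None


if __name__ == "__main__":
    zeros = bytes(128)                                   # constructed 2-block message
    print("rounds, blocks for 128 bytes:", rounds_and_blocks(zeros))
    print("digest matches hashlib:", matches_hashlib(zeros))
    flipped = bytes(4) + b"\x01" + bytes(123)             # word M[1] changed
    print("first diverging (block, round):", first_diverging_round(zeros, flipped))
```

Because round i of the first 16 consumes message word M[i], a change confined to word M[1] leaves round 0 untouched and shows up in round 1; the same trace applied to a genuine colliding pair would show the state diverging inside block 0 and being pulled back together by the end of block 1, with the padding block then identical for both.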
Re: Another entry in the internet security hall of shame....
Nicolas Williams wrote:
> Yes, a challenge-response password authentication protocol, normally subject to off-line dictionary attacks by passive and active attackers, can be strengthened by throwing in channel binding to, say, a TLS channel, such that:
>
> a) passive attacks are not possible,
> b) MITMs below TLS get nothing that can be attacked off-line, and
> c) server impersonators can be detected heuristically when the attacker can't retrieve the password in real-time (such an attack is indistinguishable from password-incorrect situations, but...).

Indeed. The main problem with TLS is lack of PKI support; in principle, this isn't true - TLS uses X509 certs, just like any other SSL based protocol - but in practice, everyone uses self-signed certificates and nobody checks them or even caches them to see if they change.

So - interesting idea time. What if

1) Talk strongly authenticated *all* connections, even p2p ones, using a GoogleMail master certificate and a Googletalk.Googlemail single-use certificate to authenticate the GoogleMail server.

2) Google got into the CA business; namely, all GoogleMail owners suddenly found they could send and receive S/MIME messages from their GoogleMail accounts, using a certificate that "just appeared" and was signed by the GoogleMail master cert. Given the GoogleMail user base, this could make GoogleMail a de facto CA in days.

3) This certificate was downloaded to your GoogleTalk client on login, and NEVER cached locally.

OK, from a Security Professional's POV this would be a horror - certificates all generated by the CA (with no guarantees they aren't available to third parties) - but it *would* bootstrap X509 into common usage, and take-up of S/MIME certificates was always the bottleneck for getting encrypted mail to go mainstream (PGP has the same problem, but in addition has the WoT issues and, until recently, actually obtaining the software to contend with).

I can only hope that if this *is* in the gameplan, the certificates are marked "autogenerated" so that in the longer term a more conventional, client-side-generated certificate can be used instead.
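The three outcomes Williams lists for a channel-bound challenge-response (quoted at the top of the message above) can be exercised in a toy model. This is an added example, not code from either poster: the login is an HMAC over the server's challenge, the TLS connection is modelled as a fresh secret shared by its two endpoints, and the binding value is derived from that secret in the spirit of tls-unique. The word list, passwords and all function names are constructed for the example.

```python
# Added example (not from the thread): HMAC challenge-response login run bare,
# then bound to a TLS channel, showing what a passive sniffer and a relaying
# MITM get from the transcript. Toy model: a TLS connection is a shared random
# secret, the binding value is a hash of it (tls-unique style).
import hashlib
import hmac
import os

WORDLIST = ["letmein", "password", "hunter2", "correcthorse"]   # constructed


def tls_connect():
    """One TLS connection: both endpoints end up with the same session secret."""
    return os.urandom(32)


def channel_binding(session_secret):
    """Binding value both endpoints of one TLS connection can compute; nobody
    below TLS can, and a different connection yields a different value."""
    return hashlib.sha256(b"tls-unique|" + session_secret).digest()[:12]


def prove(password, challenge, binding=b""):
    """Client response: HMAC(password, challenge || binding)."""
    return hmac.new(password.encode(), challenge + binding, hashlib.sha256).digest()


def verify(password, challenge, resp, binding=b""):
    return hmac.compare_digest(prove(password, challenge, binding), resp)


def offline_dictionary_attack(challenge, resp, binding=b""):
    """Attacker holding a transcript tries every candidate password locally.
    It must also know the binding value the response was computed over."""
    for guess in WORDLIST:
        if hmac.compare_digest(prove(guess, challenge, binding), resp):
            return guess
    return None


def unbound_login(password):
    """No channel binding: (challenge, resp) are enough for an off-line attack."""
    challenge = os.urandom(16)
    resp = prove(password, challenge)
    return verify(password, challenge, resp), offline_dictionary_attack(challenge, resp)


def bound_login_passive(password):
    """Case (a)/(b): one TLS connection, client and server share the binding.
    A sniffer below TLS never learns it, so even the inner transcript is
    an HMAC over a value it cannot reproduce."""
    cb = channel_binding(tls_connect())
    challenge = os.urandom(16)
    resp = prove(password, challenge, cb)
    return verify(password, challenge, resp, cb), offline_dictionary_attack(challenge, resp)


def bound_login_relayed(password):
    """Case (c): attacker terminates TLS toward the client and opens its own
    connection to the server. The two bindings differ, so the relayed response
    fails at the real server (the user just sees a failed login); but the
    impersonator does hold the client-side binding and can attack resp off-line."""
    cb_client_side = channel_binding(tls_connect())   # client <-> attacker
    cb_server_side = channel_binding(tls_connect())   # attacker <-> server
    challenge = os.urandom(16)                         # server's challenge, relayed
    resp = prove(password, challenge, cb_client_side)
    accepted_at_server = verify(password, challenge, resp, cb_server_side)
    recovered_by_impersonator = offline_dictionary_attack(challenge, resp, cb_client_side)
    return accepted_at_server, recovered_by_impersonator


if __name__ == "__main__":
    print("unbound:        ", unbound_login("hunter2"))        # (True, 'hunter2')
    print("bound, passive: ", bound_login_passive("hunter2"))  # (True, None)
    print("bound, relayed: ", bound_login_relayed("hunter2"))  # (False, 'hunter2')
```

The last case is why the message moves straight on to certificate checking: binding stops the impersonator from completing the real login, but it does not stop an attacker who terminates TLS from collecting a dictionary-attackable response, and only authenticating the server's certificate closes that.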
Re: MD5 Collision, Visualised
In message <[EMAIL PROTECTED]>, Ben Laurie writes:
> I wrote some code to show the internal state of MD5 during a collision...
>
> http://www.shmoo.com/md5-collision.html

Very nice, though you need to give a scale of rounds -- how many horizontal lines per round?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Fwd: Tor security advisory: DH handshake flaw
[EMAIL PROTECTED] wrote:
> So Miller-Rabin is good for testing random candidates, but it is easy to maliciously construct an n that passes several rounds of Miller-Rabin.

Interesting! So how does one go about constructing such an n?

> Maurer’s method doesn’t pick and test random candidates, rather it constructs, in a special way, an integer that is guaranteed to be prime. Don’t be concerned about secrecy of primes generated with Maurer’s method, the method generates primes that are almost uniformly distributed over the set of all numbers (this is different from another algorithm called Shawe-Taylor, which is similar in functioning but only reaches 10% of all primes of a specified set).

I presume you mean densely distributed over the set of all primes? Uniform distribution isn't much use if it's sparse!

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
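Both halves of the exchange above, a composite that survives several fixed Miller-Rabin rounds and a construction that yields a prime with a proof rather than a probability, can be shown in a few dozen lines. This is an added example, not code from the thread or from Maurer's paper: the composite is the published Pomerance-Selfridge-Wagstaff strong pseudoprime to bases 2, 3, 5 and 7, and the construction is a simplified Maurer-style recursion (a proven prime q of about half the target size, then n = 2Rq + 1 with R at most q/2) certified by Pocklington's criterion; Maurer's actual algorithm chooses the relative size of q more carefully to get its near-uniform distribution, which this simplification does not attempt. All function names are the example's own.

```python
# Added example (not from the thread): Miller-Rabin with fixed versus random
# bases, a composite that survives the fixed bases, and a simplified
# Maurer-style construction whose output is proved prime by Pocklington's
# criterion rather than merely tested.
import random
from math import gcd, isqrt

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def miller_rabin(n, bases):
    """Strong probable-prime test; True means n survived every base in `bases`."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:          # n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    for a in bases:
        a %= n
        if a == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is definitely composite
    return True


def random_bases(n, k, rng=random):
    return [rng.randrange(2, n - 1) for _ in range(k)]


# Smallest composite that is a strong pseudoprime to bases 2, 3, 5 and 7
# (Pomerance, Selfridge and Wagstaff, 1980): 151 * 751 * 28351.
PSW_PSEUDOPRIME = 3215031751


def smallest_factor(n):
    """Trial division; returns n itself when n is prime."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p
    return n


def pocklington_proves(n, q, a):
    """Pocklington: for n = 2*R*q + 1 with q prime and R <= q // 2, if
    a^(n-1) == 1 (mod n) and gcd(a^((n-1)/q) - 1, n) == 1 then every prime
    factor of n is 1 mod q, hence > sqrt(n), so n is prime."""
    return pow(a, n - 1, n) == 1 and gcd(pow(a, (n - 1) // q, n) - 1, n) == 1


def provable_prime(bits, rng=random):
    """Maurer-style recursion: a proven prime q of about half the size, then
    n = 2*R*q + 1 with R <= q // 2, certified by pocklington_proves."""
    if bits <= 20:             # base case: small enough to prove by trial division
        while True:
            n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if smallest_factor(n) == n:
                return n
    q = provable_prime(bits - bits // 2 + 1, rng)
    lo, hi = 1 << (bits - 1), (1 << bits) - 1          # n must have exactly `bits` bits
    r_lo = -(-(lo - 1) // (2 * q))                       # ceil((lo - 1) / 2q)
    r_hi = min((hi - 1) // (2 * q), q // 2)              # keeps n < (q + 1)^2
    while True:
        R = rng.randint(r_lo, r_hi)
        n = 2 * R * q + 1
        if any(n % p == 0 for p in SMALL_PRIMES):
            continue
        if pocklington_proves(n, q, rng.randrange(2, n - 1)):
            return n


if __name__ == "__main__":
    n = PSW_PSEUDOPRIME
    print("fixed bases 2,3,5,7 :", miller_rabin(n, [2, 3, 5, 7]))       # True (fooled)
    print("add base 11         :", miller_rabin(n, [2, 3, 5, 7, 11]))   # False
    print("40 random bases     :", miller_rabin(n, random_bases(n, 40)))
    print("smallest factor     :", smallest_factor(n))                   # 151
    p = provable_prime(128)
    print("provable 128-bit    :", p, p.bit_length())
```

A test that always uses the same few bases is exactly what an adversary can pre-compute against; random bases, or a proof such as Pocklington's, is what closes that door. The construction above only reaches primes of the shape 2Rq + 1 with q of roughly half the bit length, which is the sparseness concern Ben raises in the reply.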
MD5 Collision, Visualised
I wrote some code to show the internal state of MD5 during a collision...

http://www.shmoo.com/md5-collision.html

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff