Re: Gutmann Soundwave Therapy

2008-02-09 Thread Daniel Carosone
Others have made similar points and suggestions, not picking on this instance in particular: On Mon, Feb 04, 2008 at 02:48:08PM -0700, Martin James Cochran wrote: Additionally, in order to conserve bandwidth you might want to make a trade-off where some packets may be forged with small

Re: Dutch Transport Card Broken

2008-02-09 Thread Peter Gutmann
James A. Donald [EMAIL PROTECTED] writes: However, seems to me that logging into the website using SRP is a non trivial refactoring, and not just a matter of dropping in TLS-SRP as a simple replacement of TLS-DSA-X509 I've discussed this with (so far) a small sample of assorted corporate TLS

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| - Truncate the MAC to, say, 4 bytes. Yes, a simple brute | force attack lets one forge so short a MAC - but | is such an attack practically mountable in real | time by attackers who concern you? | | In fact, 32-bit authentication tags are a feature

Re: TLS-SRP TLS-PSK support in browsers (Re: Dutch Transport Card Broken)

2008-02-09 Thread Peter Gutmann
Victor Duchovni [EMAIL PROTECTED] writes: While Firefox should ideally be developing and testing PSK now, without stable libraries to use in servers and browsers, we can't yet expect anything to be released. Is that the FF devlopers' reason for holding back? Just wondering... why not release it

Re: Dutch Transport Card Broken

2008-02-09 Thread Steven M. Bellovin
On Thu, 07 Feb 2008 17:37:02 +1300 [EMAIL PROTECTED] (Peter Gutmann) wrote: The real issues occur in two locations: 1. In the browser UI. 2. In the server processing, which no longer gets the password via an HTTP POST but as a side-effect of the TLS connect. (1) is a one-off cost for the

Re: Gutmann Soundwave Therapy

2008-02-09 Thread dan
Amateurs talk about algorithms. Professionals talk about economics. That would be Amateurs study cryptography; professionals study economics. -- Allan Schiffman, 2 July 04 Quotationally yours, --dan - The

Re: TLS-SRP TLS-PSK support in browsers (Re: Dutch Transport Card Broken)

2008-02-09 Thread Peter Gutmann
Frank Siebenlist [EMAIL PROTECTED] writes: With the big browser war still going strong, wouldn't that provide fantastic marketing opportunities for Firefox? There's always the problem of politics. You'd think that support for a free CA like CAcert would also provide fantastic marketing

Re: Dutch Transport Card Broken

2008-02-09 Thread Peter Gutmann
Steven M. Bellovin [EMAIL PROTECTED] writes: There's another issue: initial account setup. People will still need to rely on certificate-checking for that. It's a real problem at some hotspots, where Evil Twin attacks are easy and lots of casual users are signing up for the first time. It

Want to drive a Jaguar?

2008-02-09 Thread Peter Gutmann
http://eprint.iacr.org/2008/058 Physical Cryptanalysis of KeeLoq Code Hopping Applications Recently, some mathematical weaknesses of the KeeLoq algorithm have been reported. All of the proposed attacks need at least 2^16 known or chosen plaintexts. In real-world applications of

Re: TLS-SRP TLS-PSK support in browsers (Re: Dutch Transport Card Broken)

2008-02-09 Thread Victor Duchovni
On Thu, Feb 07, 2008 at 08:47:20PM +1300, Peter Gutmann wrote: Victor Duchovni [EMAIL PROTECTED] writes: While Firefox should ideally be developing and testing PSK now, without stable libraries to use in servers and browsers, we can't yet expect anything to be released. Is that the FF

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Richard Salz
Thus unlike with bridges, you fundamentally can't evaluate the quality of a security system you built if you're unfamiliar with the state of the art of _attacks_ against security systems, and you can't become familiar with those unless you realize that these attacks have each brought

customs searching laptops, demanding passwords

2008-02-09 Thread John Denker
I quote from http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763_pf.html By Ellen Nakashima Washington Post Staff Writer Thursday, February 7, 2008; A01 The seizure of electronics at U.S. borders has prompted protests from travelers who say they now weigh

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread Hal Finney
Jeff Hodges wrote: It turns out the supplied default for p is 1024 bit -- I'd previously goofed when using wc on it.. DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61EF75A2E27898B057 F9891C2E27A639C3F29B60814581CD3B2CA3986D2683705577D45C2E7E52DC81C7A171876E5CEA7

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Eric Rescorla
At Thu, 7 Feb 2008 10:34:42 -0500 (EST), Leichter, Jerry wrote: | Since (by definition) you don't have a copy of the packet you've lost, | you need a MAC that survives that--and is still compact. This makes | life rather more complicated. I'm not up on the most recent lossy | MACing

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| So, this issue has been addressed in the broadcast signature context | where you do a two-stage hash-and-sign reduction (cf. [PG01]), but | when this only really works because hashes are a lot more efficient | than signatures. I don't see why it helps with MACs. Thanks for the reference. |

RE: Gutmann Soundwave Therapy

2008-02-09 Thread Crawford Nathan-HMGT87
humans are not going to carry around large strong secrets every time either end of the connection restarts Which is what makes good crypto challenging. I think, though, that because people can understand the concept of physical locks and keys, that this should be carried forward... Good

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread ' =JeffH '
Thanks for your thoughts on this Hal. Quite educational. Jeff Hodges wrote: It turns out the supplied default for p is 1024 bit -- I'd previously goofed when using wc on it.. DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61EF75A2E27898B057

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Eric Rescorla
At Thu, 7 Feb 2008 14:42:36 -0500 (EST), Leichter, Jerry wrote: | Obviously, if you *really* use every k'th packet to define what is in | fact a substream, an attacker can arrange to knock out the substream he | has chosen to attack. So you use your encryptor to permute the | substreams,

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread ' =JeffH '
I think I already know the answer to this question, but I just want to test my understanding... How wise (in a real-world sense) is it, in a protocol specification, to specify that one simply obtain an ostensibly random value, and then use that value directly as the signature key in, say, an

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread Hal Finney
Jeff Hodges wrote: Thanks for your thoughts on this Hal. Quite educational. Jeff Hodges wrote: It turns out the supplied default for p is 1024 bit -- I'd previously goofed when using wc on it.. DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61EF75A2E27898B057

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread Hal Finney
Hi Jeff - How wise (in a real-world sense) is it, in a protocol specification, to specify that one simply obtain an ostensibly random value, and then use that value directly as the signature key in, say, an HMAC-based signature, without any further stipulated checking and/or massaging of

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Peter Gutmann
Leichter, Jerry [EMAIL PROTECTED] writes: All of this ignores a significant issue: Are keying and encryption (and authentication) mechanisms really independent of each other? I'm not aware of much work in this direction. Is there much work to be done here? If you view the keyex mechanism as a

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread Joseph Ashwood
- Original Message - From: Hal Finney [EMAIL PROTECTED] To: [EMAIL PROTECTED]; cryptography@metzdowd.com Sent: Wednesday, February 06, 2008 8:54 AM Subject: Re: questions on RFC2631 and DH key agreement Joseph Ashwood writes, regarding unauthenticated DH: I would actually recommend

Open source FDE for Win32

2008-02-09 Thread Hagai Bar-El
List, Finally, an open source FDE (Full Disk Encryption) for Win32. It is the first one I am aware of: www.truecrypt.org TC is not a new player, but starting February 5th (version 5) it also provides FDE. Didn't get to try it yet. Hagai.

fyi: Encrypted laptop poses legal dilemma

2008-02-09 Thread ' =JeffH '
From:[EMAIL PROTECTED] (Dewayne Hendricks) Subject: [Dewayne-Net] Encrypted laptop poses legal dilemma To: Dewayne-Net Technology List [EMAIL PROTECTED] Date:Thu, 07 Feb 2008 15:38:22 -0800 [Note: This item comes from reader Randall. DLH] From: Randall [EMAIL PROTECTED] Date:

Fwd: [IP] U.S. Agents Seize Travelers' Devices

2008-02-09 Thread David Chessler
From: David Farber [EMAIL PROTECTED] To: ip [EMAIL PROTECTED] From: Sashikumar N [sashikumar.n@ ] Sent: Thursday, February 07, 2008 1:46 PM To: David Farber Subject: U.S. Agents Seize Travelers' Devices Dear Prof Dave, Happen to read this link from

Toshiba shows 2Mbps hardware RNG

2008-02-09 Thread Perry E. Metzger
EE Times: Toshiba tips random-number generator IC SAN FRANCISCO -- Toshiba Corp. has claimed a major breakthrough in the field of security technology: It has devised the world's highest-performance physical random-number generator (RNG) circuit. The device generates random

Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-09 Thread David Wagner
Tim Dierks writes: (there are totally different reasons that client certs aren't being widely adopted, but that's beside the point). I'd be interested in hearing your take on why SSL client certs aren't widely adopted. It seems like they could potentially help with the phishing problem (at

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread ' =JeffH '
E.g., here's such a specfication excerpt and is absolutely everything said in the spec wrt obtaining said signature keys: When generating MAC keys, the recommendations in [RFC1750] SHOULD be followed. One point, RFC1750 has been superceded by RFC4086. I'll point that out,

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| All of this ignores a significant issue: Are keying and encryption | (and authentication) mechanisms really independent of each other? I'm | not aware of much work in this direction. | | Is there much work to be done here? If you view the keyex mechanism | as a producer of an authenticated

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread Joseph Ashwood
[to and CC trimmed] - Original Message - From: ' =JeffH ' [EMAIL PROTECTED] To: Hal Finney [EMAIL PROTECTED]; Eric Rescorla [EMAIL PROTECTED]; [EMAIL PROTECTED]; Joseph Ashwood [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; cryptography@metzdowd.com Sent: Thursday, February 07, 2008 2:17 PM

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-09 Thread Anne Lynn Wheeler
David Wagner wrote: I'd be interested in hearing your take on why SSL client certs aren't widely adopted. It seems like they could potentially help with the phishing problem (at least, the problem of theft of web authenticators -- it obviously won't help with theft of SSNs). If users don't

Re: Toshiba shows 2Mbps hardware RNG

2008-02-09 Thread Peter Gutmann
Perry E. Metzger [EMAIL PROTECTED] writes: EE Times: Toshiba tips random-number generator IC SAN FRANCISCO -- Toshiba Corp. has claimed a major breakthrough in the field of security technology: It has devised the world's highest-performance physical random-number generator (RNG)

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-09 Thread Taral
On 2/9/08, David Wagner [EMAIL PROTECTED] wrote: By the way, it seems like one thing that might help with client certs is if they were treated a bit like cookies. I don't see how this helps with phishing. Phishers will just go after the password or other secrets used to authenticate a new

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-09 Thread Victor Duchovni
On Sat, Feb 09, 2008 at 05:04:28PM -0800, David Wagner wrote: By the way, it seems like one thing that might help with client certs is if they were treated a bit like cookies. Today, a website can set a cookie in your browser, and that cookie will be returned every time you later visit that

Truecrypt Encryption (WAS: Fwd: [IP] Re: Encrypted laptop poses legal dilemma)

2008-02-09 Thread David Chessler
I forwarded a couple of messages about US Customs seizing computers, sometimes failing to return them, and demanding passwords. Cellphones are also sometimes seized. The TSA claims it does not do this. This can cause problems for people who travel with company-sensitive or other private