combining entropy

2008-10-24 Thread IanG
If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets? My assumptions are: * I trust no single source of Random Numbers. * I trust at least one source of all the sources. * no particular difficulty with lossy combination. iang

[Fwd: [announce] THC releases video and tool to backup/modify ePassports]

2008-10-24 Thread Allen
We knew it was coming, right? Original Message Subject: [announce] THC releases video and tool to backup/modify ePassports Date: Mon, 29 Sep 2008 10:00:26 + From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] http://freeworld.thc.org/thc-epassport/ 29th September 2008

TLS Server Name Indication and IDNA?

2008-10-24 Thread Victor Duchovni
I am considering adding TLS Server Name Indication support in the Postfix SMTP server and client. I am puzzled by the exceedingly terse description of the semantics of the HostName sent in the SNI extension: http://tools.ietf.org/html/rfc4366#section-3.1 If the hostname labels

Re: TLS Server Name Indication and IDNA?

2008-10-24 Thread Paul Hoffman
RFC 4366 is somewhat of a mess. I do not remember the authors asking the authors of IDNA (of which I am one) about what they should do. FWIW, I'm not sure why this would be on the cryptography list, but I'm not sure of that for most of the "we can design a better UI" threads either. What

Re: EV certs: Doing more of what we already know doesn't work

2008-10-24 Thread Stefan Kelm
Cool! ;-) Verisign's CPS has been an inspiration for me for quite a few years now. E.g., this statement has been in there for a number of years: "The Certificate, however, provides no proof of the identity of the Subscriber." Taken from page 12 of the current version, obviously (?) referring

unbreakable quantum crypto cracked by a laser

2008-10-24 Thread Steven M. Bellovin
http://technology.newscientist.com/channel/tech/dn14866-laser-cracks-unbreakable-quantum-communications.html?feedId=online-news_rss20 Not surprisingly, it's attacking the implementation, not the physics -- but of course we use implementations to communicate, rather than theories.

What does knot theory have to do with P^#P != NP ?

2008-10-24 Thread R.A. Hettinga
http://ephermata.livejournal.com/190880.html?mode=reply David Molnar (ephermata) wrote, @ 2008-10-04 01:59:00 Current music: Crystal Castles - Air War What does knot theory have to do with P^#P != NP ? I didn't know, but Michael H. Freedman has an answer - by assuming that the complexity

Quantum Crypto broken again

2008-10-24 Thread [EMAIL PROTECTED]
A failure in implementation leads to the ability to eavesdrop on a quantum-secrecy based key exchange on 2/3 of the types of quantum equipment used. From: http://technology.newscientist.com/article/dn14866-laser-cracks-unbreakable-quantum-communications.html Makarov and colleagues from

Re: Cube cryptanalysis?

2008-10-24 Thread James Muir
Paul Hoffman wrote: At 11:08 AM -0700 8/21/08, Greg Rose wrote: Adi mentioned that the slides and paper will go online around the deadline for Eurocrypt submission; it will all become much clearer than my wounded explanations then. There now: http://eprint.iacr.org/2008/385 Given all the

Re: once more, with feeling.

2008-10-24 Thread Ben Laurie
Peter Gutmann wrote: If this had been done in the beginning, before users -- and web site designers, and browser vendors -- were mistrained, it might have worked. Now, though? I'm skeptical. For existing apps with habituated users, so am I. So how about the following strawman: Take an

Using GPUs to crack crypto

2008-10-24 Thread Steven M. Bellovin
Elcomsoft has a product that uses GPUs to do password-cracking on a variety of media. They claim a speed-up of up to 67x, depending on the application being attacked. http://www.elcomsoft.com/edpr.html?r1=prr2=wpa (This has led to a variety of stories (see, for example,

Snatching defeat from the jaws of victory

2008-10-24 Thread Peter Gutmann
The DailyWTF has an entertaining writeup on how not to use strong crypto to protect an embedded device, in this case a Wii, at http://thedailywtf.com/Articles/Anatomii-of-a-Hack.aspx. The signature-verification function was particularly entertaining: decrypt_rsa(signature, public_key,

Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'

2008-10-24 Thread John Gilmore
[British shoppers were promised high security by switching from credit cards to cards that have a chip in them and require that a PIN be entered for each transaction. That was the reason for changing everything over, at high cost in both money and inconvenience to shops and shoppers. Perhaps

German data retention law

2008-10-24 Thread R.A. Hettinga
Begin forwarded message: From: Eugen Leitl [EMAIL PROTECTED] Date: October 18, 2008 7:08:22 AM GMT-04:00 To: [EMAIL PROTECTED] Subject: German data retention law - Forwarded message from Karsten N. [EMAIL PROTECTED] - From: Karsten N. [EMAIL PROTECTED] Date: Sat, 18 Oct 2008

Pulling Keystrokes Out of the Air

2008-10-24 Thread Arshad Noor
Computer keyboards are often used to transmit sensitive information such as username/password (e.g. to log into computers, to do e-banking money transfer, etc.). A vulnerability on these devices will definitely kill the security of any computer or ATM. http://lasecwww.epfl.ch/keyboard/ Arshad

Re: combining entropy

2008-10-24 Thread John Denker
On 09/29/2008 05:13 AM, IanG wrote: My assumptions are: * I trust no single source of Random Numbers. * I trust at least one source of all the sources. * no particular difficulty with lossy combination. If I have N pools of entropy (all same size X) and I pool them together with XOR,

ADMIN: backlog cleared

2008-10-24 Thread Perry E. Metzger
Moderator's note: Yes, I'm alive. I've just been insanely busy. I'm planning on adding a system so I can turn the list over to guest moderators before this happens again (in about a month, I'm anticipating.) Perry - The

Re: combining entropy

2008-10-24 Thread Jonathan Katz
[Moderator's note: top posting is not tasteful. --Perry] I think it depends on what you mean by N pools of entropy. Are you assuming that one of these sources is (pseudo)random, but you don't know which one? Are you assuming independence of these different sources? If both these

Re: combining entropy

2008-10-24 Thread Ben Laurie
On Mon, Sep 29, 2008 at 1:13 PM, IanG [EMAIL PROTECTED] wrote: If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets? Surely not. Consider N pools each of size 1 bit. Clearly you can do better than the 1 bit your suggestion would yield.

Re: combining entropy

2008-10-24 Thread Stephan Neuhaus
On Oct 24, 2008, at 14:29, John Denker wrote: On 09/29/2008 05:13 AM, IanG wrote: My assumptions are: * I trust no single source of Random Numbers. * I trust at least one source of all the sources. * no particular difficulty with lossy combination. If I have N pools of entropy (all same

Re: combining entropy

2008-10-24 Thread Wouter Slegers
L.S., If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets? My assumptions are: * I trust no single source of Random Numbers. * I trust at least one source of all the sources. * no particular difficulty with lossy combination. I

Re: combining entropy

2008-10-24 Thread Stephan Neuhaus
On Oct 24, 2008, at 15:37, Stephan Neuhaus wrote: Ah, but for this to hold, you will also have to assume that the N pools are all independent. Slight correction: You will have to assume that one of the trusted pools is independent from the others. Best, Stephan

Re: combining entropy

2008-10-24 Thread Thierry Moreau
IanG wrote: If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets? My assumptions are: * I trust no single source of Random Numbers. * I trust at least one source of all the sources. * no particular difficulty with lossy combination.

Re: once more, with feeling.

2008-10-24 Thread Tom Scavo
On Sun, Oct 12, 2008 at 7:39 AM, Ben Laurie [EMAIL PROTECTED] wrote: One argument that I have increasing sympathy with is that SSO (or if you want to be modern, federated login) Federated identity is the fancy modern term for cross-domain SSO. Obviously the end game here is that the user

Re: Who cares about side-channel attacks?

2008-10-24 Thread Jack Lloyd
On Mon, Oct 06, 2008 at 05:51:50PM +1300, Peter Gutmann wrote: For the past several years I've been making a point of asking users of crypto on embedded systems (which would be particularly good targets for side-channel attacks, particularly ones that provide content-protection capabilities)

26 historic Enigmas found in Spain

2008-10-24 Thread Eugen Leitl
http://www.theregister.co.uk/2008/10/24/spanish_enigmas/ Spanish discover cache of 26 Enigma machines Franco's 'secret weapon' tracked to army HQ By Lester Haines Posted in Science, 24th October 2008 10:03 GMT Spanish newspaper El País last week tracked down 26 examples of Franco's secret

Re: combining entropy

2008-10-24 Thread Jon Callas
On Sep 29, 2008, at 5:13 AM, IanG wrote: If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets? My assumptions are: * I trust no single source of Random Numbers. * I trust at least one source of all the sources. * no particular

Re: combining entropy

2008-10-24 Thread Jack Lloyd
On Fri, Oct 24, 2008 at 10:23:07AM -0500, Thierry Moreau wrote: Do you really trust that no single source of entropy can have knowledge of the other source's output, so it can surreptitiously correlate its own? I.e, you are also assuming that these sources are *independent*. I do not

Re: combining entropy

2008-10-24 Thread John Denker
On 10/24/2008 01:12 PM, Jack Lloyd wrote: is a very different statement from saying that lacking such an attacker, you can safely assume your 'pools of entropy' (to quote the original question) are independent in the information-theoretic sense. The question, according to the original

Re: combining entropy

2008-10-24 Thread Jack Lloyd
On Fri, Oct 24, 2008 at 03:20:24PM -0700, John Denker wrote: On 10/24/2008 01:12 PM, Jack Lloyd wrote: is a very different statement from saying that lacking such an attacker, you can safely assume your 'pools of entropy' (to quote the original question) are independent in the
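The "combining entropy" thread above turns on three points: IanG's question of whether XORing N equal-size pools is "as good as it gets" given that at least one pool is trusted, Ben Laurie's objection that N one-bit pools XORed together yield only one bit, and Thierry Moreau's and Jack Lloyd's warning that the argument also needs the trusted pool to be *independent* of the others. The Python below is an added illustration of those three points; it is not code from any of the posters. The pool sizes, the constant "weak" sources and the correlated source are constructed here, and hashing the concatenation is my own choice of a non-lossy combiner, not one proposed in the quoted messages.

```python
"""Added example: XOR-combining N entropy pools, and where the argument breaks."""
import hashlib
import itertools
import os
from functools import reduce
from typing import Callable, Sequence


def xor_combine(pools: Sequence[bytes]) -> bytes:
    """XOR N pools of the same size X.

    If at least one pool is uniform AND independent of the rest, the result is
    uniform: the other pools can only permute the good pool's distribution.
    """
    if len({len(p) for p in pools}) != 1:
        raise ValueError("pools must all be the same size X")
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*pools))


def hash_combine(pools: Sequence[bytes]) -> bytes:
    """A non-lossy alternative (assumed here, not from the thread): hash the
    concatenation, so entropy from every independent pool is retained."""
    return hashlib.sha256(b"".join(pools)).digest()


def correlated_pool(others: Sequence[bytes]) -> bytes:
    """A 'source' that can observe the other pools and emit their XOR.

    It is not independent: it is chosen so that XORing it in cancels the
    honest pools entirely. This is the failure Moreau and Lloyd describe.
    """
    return xor_combine(others)


def count_distinct_outputs(combine: Callable[[Sequence[bytes]], bytes],
                           n_pools: int) -> int:
    """Enumerate every assignment of N independent one-bit pools and count
    the distinct combined values. 2 means one bit survives; 2**N means all do."""
    outputs = set()
    for bits in itertools.product((b"\x00", b"\x01"), repeat=n_pools):
        outputs.add(combine(bits))
    return len(outputs)


def demo(size: int = 16) -> None:
    good = os.urandom(size)          # the one pool we assume is trustworthy
    dead = bytes(size)               # constructed: a source that emits zeros
    const = bytes([0xAA]) * size     # constructed: a source stuck on one value

    # Honest but weak companions: output is good XOR a constant, still uniform.
    assert xor_combine([good, dead, const]) == xor_combine([good, const])

    # A companion that can see the others cancels everything.
    evil = correlated_pool([good, dead, const])
    assert xor_combine([good, dead, const, evil]) == bytes(size)

    # Ben Laurie's objection: three one-bit pools, XOR keeps 1 bit, hashing keeps 3.
    print("XOR distinct outputs:", count_distinct_outputs(xor_combine, 3))
    print("hash distinct outputs:", count_distinct_outputs(hash_combine, 3))


if __name__ == "__main__":
    demo()
```

Running `demo()` prints 2 and 8 for the one-bit case: XOR of three independent fair bits is one fair bit, whereas the hash of their concatenation takes eight distinct values. The correlated-pool case is the one to remember when the pools are hardware or vendor RNGs that might see each other's output.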