### Re: Physical security rather than crypto---but perhaps of interest

Since we are on this topic: You don’t need to be a crowned Ranger class master hacker to sneak into someone’s email or Facebook account these days. Which means that you’re not simply being a nervous nellie if you’re worried about security. In fact, users of public WiFi should be worried. If you use WiFi to access some of the most popular email and social networking services, like Gmail, Yahoo Mail, Hotmail, and Facebook, your account information floats around in the air, often completely unsecured.

You want some more fear with your coffee? Chris Soghoian, a fellow at the Berkman Center for Internet and Society, took a look into WiFi and account security to find out just how scary the situation is. Listen to the audio at: http://blogs.law.harvard.edu/mediaberkman/2009/07/16/radio-berkman-126-the-g-fail/

saqib
http://www.capital-punishment.us

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

### Re: 112-bit prime ECDLP solved

On Jul 14, 2009, at 12:43 PM, James A. Donald wrote:

> Subsequent expansions in computing power will involve breaking up Jupiter to build really big computers, and so forth, which will slow things down a bit. So 144 bit EC keys should be good all the way to the singularity and a fair way past it.

Prediction is very difficult, especially about the future. I have researched the possibility of 50 or 100 year key sizes. All we have to do is look back 50 years to the (unbreakable) Enigma, and 30 years to the famous Sci.Am article by Rivest that said it would take 40 quadrillion years to break the challenge, which actually took 25; or, more recently, FEAL, or RC-4 (WEP), or MD-5, or SHA-1, or... need I say more?

If we assume that all knowledge to be discovered has been discovered, and all mathematical insight humanity is capable of has been achieved, you are correct that 144 bit EC keys are good all the way to the singularity (which actually depends on the Hubble constant, but I digress) and that everything that could be invented has been invented.

I believe it is folly to suggest that 144 bit keys will never be broken. Frankly, I hope to see the day.

Jim

### Re: Intercepting Microsoft wireless keyboard communications

On Tue, Dec 11, 2007 at 02:01:03PM -0500, j...@tla.org wrote:

> How many bits (not just data, also preamble/postamble, sync bits, etc.) is the keyboard sending for each keystroke anyway?

FWIW, it is likely sending keyboard scan codes: http://en.wikipedia.org/wiki/Scancode

It doesn't send the actual characters typed, because games and the like need to know when keys are depressed and released, not just what letter was typed.

Here's an overview of keyboard input under Linux: http://www.subspacefield.org/~travis/keyboard/index.html

--
Obama Nation | My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.

### XML signature HMAC truncation authentication bypass

> XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC 2104. However, the XMLDsig specification does not follow the RFC 2104 recommendation to not allow truncation to less than half of the length of the hash output or less than 80 bits. When HMAC truncation is under the control of an attacker this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid.

- http://www.kb.cert.org/vuls/id/466161

More information at: "HMAC truncation in XML Signature: When Alice didn't look."

- http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html

--
Leandro Federico Meiners
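The flaw the advisory describes, reduced to its essentials as an added example (this is not code from the advisory, from CERT, or from any XMLDsig implementation): a verifier that trusts the HMACOutputLength it is handed, next to one that enforces the RFC 2104 floor of at least half the hash output and at least 80 bits, and an attacker who holds no key and simply tries every value of a 1-bit tag. The key, the message, and all function names are constructed for illustration; HMAC-SHA1 stands in for the HMAC algorithm an XMLDsig document would name.

```python
"""Truncated-HMAC verification: the XMLDsig weakness beside an RFC 2104 check.

Added example, not code from the advisory or any XMLDsig library. KEY and
MESSAGE are constructed; output_bits plays the role of HMACOutputLength.
"""
import hashlib
import hmac

HASH = hashlib.sha1                   # stand-in for XMLDsig's HMAC-SHA1
FULL_BITS = HASH().digest_size * 8    # 160 for SHA-1
KEY = b"constructed shared secret, not a real key"
MESSAGE = b"<SignedInfo>constructed canonicalised XML</SignedInfo>"


def truncated_hmac(key: bytes, data: bytes, output_bits: int) -> bytes:
    """HMAC over data, keeping only the leading output_bits bits (RFC 2104 s.5)."""
    if not 1 <= output_bits <= FULL_BITS:
        raise ValueError("output_bits out of range")
    full = hmac.new(key, data, HASH).digest()
    nbytes = (output_bits + 7) // 8
    out = bytearray(full[:nbytes])
    spare = nbytes * 8 - output_bits   # bits to clear in the final byte
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def verify_as_specified(key, data, sig, output_bits):
    """Mirrors the flawed behaviour: the received HMACOutputLength is trusted."""
    try:
        expected = truncated_hmac(key, data, output_bits)
    except ValueError:
        return False
    return hmac.compare_digest(expected, sig)


def verify_hardened(key, data, sig, output_bits):
    """Rejects truncation below max(half the hash output, 80 bits) before comparing."""
    min_bits = max(FULL_BITS // 2, 80)
    if output_bits < min_bits:
        return False
    return verify_as_specified(key, data, sig, output_bits)


def forge(verifier, data, output_bits):
    """Keyless attacker: submit every possible output_bits-bit tag for `data`.

    Returns the number of verification calls until acceptance, or None if the
    verifier never accepts (at most 2**output_bits calls are made)."""
    nbytes = (output_bits + 7) // 8
    spare = nbytes * 8 - output_bits
    for attempt, candidate in enumerate(range(1 << output_bits), start=1):
        sig = (candidate << spare).to_bytes(nbytes, "big")
        if verifier(data, sig, output_bits):
            return attempt
    return None


def demo():
    """Legitimate signature against both verifiers, then forgeries against each."""
    legit = truncated_hmac(KEY, MESSAGE, FULL_BITS)
    as_spec = lambda d, s, b: verify_as_specified(KEY, d, s, b)
    hardened = lambda d, s, b: verify_hardened(KEY, d, s, b)
    forged_doc = b"<SignedInfo>attacker-chosen content</SignedInfo>"
    return {
        "legit_accepted_by_both": verify_as_specified(KEY, MESSAGE, legit, FULL_BITS)
        and verify_hardened(KEY, MESSAGE, legit, FULL_BITS),
        "forge_1bit_vs_spec": forge(as_spec, forged_doc, 1),       # 1 or 2 calls
        "forge_1bit_vs_hardened": forge(hardened, forged_doc, 1),  # None
        "forge_8bit_vs_spec": forge(as_spec, forged_doc, 8),       # <= 256 calls
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With HMACOutputLength of 1 the attacker needs at most two verification calls, because the verifier compares only the first bit of the keyed digest; every additional bit the verifier is forced to check doubles the attacker's work, which is why RFC 2104's floor matters. The hardened verifier refuses to compare at all when the requested length is below that floor, and a real XMLDsig verifier should also bound the length from above and, ideally, ignore any length that is not fixed by local policy.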

### work factor calculation for brute-forcing crypto

Hi folks,

Assume for a moment that we have a random number generator which is non-uniform, and we are using it to generate a key. What I'd like to do is characterize the work factor involved in brute-force search of the key space, assuming that the adversary has knowledge of the characteristics of the random number generator.

The algorithm for this is simple: Let the array X represent the probabilities of the outcomes of the random number generator, sorted by probability, with x[0] being the probability of the most probable value. Then, for a given fraction of the messages n (0 < n <= 1):

```python
def work_factor(x, n):
    i = 0
    m = 0
    while (m + x[i]) < n:
        m = m + x[i]
        i = i + 1
    return (i - 1) + (n - m) / (m + x[i])
```

This return value represents the average number of decryption attempts required to guess the right key. If one wanted to round up, one could just return i instead of the last expression above, because the second term is always in (0, 1].

I'm curious if there's a way to express this calculation as a mathematical formula, rather than an algorithm, but right now I'm just blanking on how I could do it.

--
Obama Nation | My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.
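A worked version of the calculation above, added here and not code from the post: a constructed biased generator (a 12-bit key whose bits are independent but each set with probability 0.7) whose distribution the adversary knows, the number of guesses needed to cover a given fraction of the keys (counting guesses directly rather than array indices, as the post's loop does), and, as one answer to the closing question, the closed form for the average number of guesses against an optimal guesser: E[G] = sum over i of i * x[i-1] with x sorted in descending order (Massey's "guesswork"). The uniform key of the same length is computed alongside for comparison, and the Shannon entropy is printed to show that 2^H is not itself a work factor.

```python
"""Work factor for brute-forcing a key drawn from a known non-uniform RNG.

Added example, not code from the original post. The generator is constructed:
KEY_BITS independent bits, each set with probability P_ONE instead of 1/2, so
an adversary who knows P_ONE tries keys in order of descending probability.
"""
import math
from itertools import product

KEY_BITS = 12    # small enough to enumerate every key exactly
P_ONE = 0.7      # constructed bias of the generator


def biased_key_distribution(nbits=KEY_BITS, p_one=P_ONE):
    """Probabilities of all 2**nbits keys, sorted so x[0] is the most likely."""
    probs = []
    for bits in product((0, 1), repeat=nbits):
        ones = sum(bits)
        probs.append(p_one ** ones * (1.0 - p_one) ** (nbits - ones))
    return sorted(probs, reverse=True)


def uniform_distribution(nbits=KEY_BITS):
    """Baseline: every key equally likely."""
    return [1.0 / (1 << nbits)] * (1 << nbits)


def guesses_for_coverage(x, n):
    """Smallest number of guesses k such that the k most probable keys together
    carry probability >= n (0 < n <= 1). The post's loop, counting guesses."""
    if not 0.0 < n <= 1.0:
        raise ValueError("n must be in (0, 1]")
    m = 0.0
    for k, p in enumerate(x, start=1):
        m += p
        if m >= n - 1e-12:   # tolerance for float accumulation when n == 1
            return k
    return len(x)


def expected_guesses(x):
    """Closed form for the average number of guesses an optimal adversary makes:
    sum_i i * x[i-1], with x sorted in descending order (Massey 1994)."""
    return sum(i * p for i, p in enumerate(x, start=1))


def shannon_entropy_bits(x):
    """Shannon entropy of the key distribution in bits (for comparison only)."""
    return -sum(p * math.log2(p) for p in x if p > 0)


def compare(nbits=KEY_BITS, p_one=P_ONE):
    """Biased versus uniform key of the same length, all measures side by side."""
    biased = biased_key_distribution(nbits, p_one)
    uniform = uniform_distribution(nbits)
    return {
        "uniform_half": guesses_for_coverage(uniform, 0.5),   # 2048
        "biased_half": guesses_for_coverage(biased, 0.5),     # a few hundred
        "uniform_expected": expected_guesses(uniform),        # 2048.5
        "biased_expected": expected_guesses(biased),
        "biased_entropy_bits": shannon_entropy_bits(biased),  # about 10.6
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value:.2f}")
```

For the uniform 12-bit key, half the keys are covered after 2^11 = 2048 guesses and the average is (2^12 + 1)/2 = 2048.5; the biased generator with p = 0.7 still has about 10.6 bits of Shannon entropy, yet an adversary who orders guesses by probability covers half the keys in a few hundred attempts, and the guesswork sum is the quantity to report as "average decryption attempts", not 2^H.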

### Re: 112-bit prime ECDLP solved

> > So with about 1 000 000 USD and a full year you would get 122 bits already now and agencies have a bit more budget than this! Furthermore, the algorithm parallelizes extremely well and can handle a batch of 100 targets at only 10 times the cost.
>
> No it cannot handle a bunch of a hundred targets at only ten times the cost. It is already parallelized. A hundred targets is a hundred times the cost.

NO. Read Fabian Kuhn, René Struik: Random Walks Revisited: Extensions of Pollard's Rho Algorithm for Computing Multiple Discrete Logarithms. Selected Areas in Cryptography 2001: 212-229, Section 4.

Besides, the estimates assume only PlayStations and the EPFL code instead of special purpose hardware, which would give an extra speed up. And, no, I'm not suggesting to use the entire US gross national product for a year to break your key, but given that that breaks 172 bits (SHARCS 2006 estimates for ECC-163 and 9 bits to scale from USD 5.8*10^11 to the GDP 1.4*10^13) I'm not comfortable with 160 bits, let alone 144.

All the best
Tanja