Re: AES-CBC + Elephant diffuser

2009-11-01 Thread Darren J Moffat
Eugen Leitl wrote: We discuss why no existing cipher satisfies the requirements of this application. Uh-oh. http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555DisplayLang=en AES-CBC + Elephant diffuser Brief Description A Disk Encryption Algorithm

Re: AES-CBC + Elephant diffuser

2009-11-01 Thread Paul Hoffman
At 2:24 PM +0100 10/29/09, Eugen Leitl wrote: We discuss why no existing cipher satisfies the requirements of this application. Uh-oh. Yeah, we all know what a light-weight and careless person Niels Ferguson is. Who would listen to him? --Paul Hoffman, Director --VPN Consortium

Re: AES-CBC + Elephant diffuser

2009-11-01 Thread Eugen Leitl
On Thu, Oct 29, 2009 at 07:15:53AM -0700, Paul Hoffman wrote: At 2:24 PM +0100 10/29/09, Eugen Leitl wrote: We discuss why no existing cipher satisfies the requirements of this application. Uh-oh. Yeah, we all know what a light-weight and careless person Niels Ferguson is. Who would listen

deterministic random numbers in crypto protocols -- Re: Possibly questionable security decisions in DNS root management

2009-11-01 Thread Zooko Wilcox-O'Hearn
On 2009 Oct 19, at 9:15, Jack Lloyd wrote: On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote: DSA was (designed to be) full of covert channels. one can make DSA deterministic by choosing the k values to be HMAC-SHA256(key, H(m)) I've noticed people tinkering with (EC)DSA by

re: Security of Mac Keychain, Filevault

2009-11-01 Thread Jerry Leichter
A couple of days ago, I pointed to an article claiming that these were easy to break, and asked if anyone knew of security analyses of these facilities. I must say, I'm very disappointed with the responses. Almost everyone attacked the person quoted in the article. The attacks they

Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

2009-11-01 Thread Darren J Moffat
For the encryption functionality in the ZFS filesystem we use AES in CCM or GCM mode at the block level to provide confidentiality and authentication. There is also a SHA256 checksum per block (of the ciphertext) that forms a Merkle tree of all the blocks in the pool. Note that I have to