Re: TLS break

[Chimpy McSimian IV, Esq.]

On Mon, Nov 9, 2009 at 5:08 PM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:

 attack, checking Referrer headers is no longer effective, so anti-CSRF
 defenses have to be more sophisticated (they *should* of course be more

Checking the Referer header never was effective. It's not even
guaranteed to be present, let alone true.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: TLS break

[dan]

 | 
 | This is the first attack against TLS that I consider to be
 | the real deal. To really fix it is going to require a change to
 | all affected clients and servers. Fortunately, Eric Rescorla
 | has a protocol extension that appears to do the job.
 | 

...silicon...

--dan

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: hedging our bets -- in case SHA-256 turns out to be insecure

[Sandy Harris]

On 11/8/09, Zooko Wilcox-O'Hearn zo...@zooko.com wrote:

  Therefore I've been thinking about how to make Tahoe-LAFS robust against
 the possibility that SHA-256 will turn out to be insecure.

NIST are dealing with that via the AHS process. Shouldn't you just use
their results?

  We could use a different hash function ...
 There are fourteen candidates left in the SHA-3
 contest at the moment.  Several of them have conservative designs and good
 performance, but there is always the risk that they will be found to have
 catastrophic design flaws or that a great advance in hash function
 cryptanalysis will suddenly show how to crack them.

Yes, but there's also a risk that whatever you come up with will turn
out to be flawed.

  I propose the following combined hash function C, built out of two hash
 functions H1 and H2:

  C(x) = H1(H1(x) || H2(x))

This requires two hash(x) operations. A naive implementation needs
two passes through the data and avoiding that does not appear to
be trivial. This is not ideal since you seem very concerned about
overheads.

What about this construction:

  C(x) = H1(H2(x) || H3(x))

H1 is something that gives the output size you require. Use SHA-256 or
choose an AHS candidate conservatively. This only hashes a few blocks
so you need not worry much about overheads here.

H2 is the 512-bit variant of a different AHS candidate, or Whirlpool, or
even Skein-1024. Here speed is a criterion, though of course not the
only one.

H3 might be some really cheap fast function invented for the situation.
As I recall, the GOST hash just used a sum of input blocks, and that's
enough to defeat the multi-block attacks. If it is simple enough, you
can code it into your implementation of H2 so you only need one
pass.

Since you are encrypting the files anyway, I wonder if you could
use one of the modes developed for IPsec where a single pass
with a block cipher gives both encrypted text and a hash-like
authentication output.  That gives you a free value to use as
H3 in my scheme or H2 in yours, and its security depends on
the block cipher, not on any hash.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Crypto dongles to secure online transactions

[Matt Crawford]

On Nov 10, 2009, at 8:44 AM, Jerry Leichter wrote:

Whether or not it can, it demonstrates the hazards of freezing  
implementations of crypto protocols into ROM:  Imagine a world in  
which there are a couple of hundred million ZTIC's or similar  
devices fielded - and a significant vulnerability is found in the  
protocol they speak.


Imagine a couple of hundred million devices with updatable firmware on  
them, and one or more rogue updates in the wild.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com