Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and if you pay
attention to us talking about issues with nonces, counters, IVs, chaining
modes, and all that, you see that saying that it's tetchier than that is
On Sep 6, 2013, at 11:05 PM, Jaap-Henk Hoepman j...@cs.ru.nl wrote:
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and if you pay
attention to us talking about
On Thu, 5 Sep 2013, Phillip Hallam-Baker wrote:
* Allowing deployment of DNSSEC to be blocked in 2002(sic) by
blocking a technical change that made it possible to deploy in
.com.
As an opponent of DNSSEC opt-in back in the day, I think this is a
poor example of NSA influence in the
Got a question that's been bothering me for a while, but it's likely
purely academic.
Take the plaintext and the ciphertext, and XOR them together. Does the
result reveal anything about the key or the plaintext?
-- Dave
___
The cryptography mailing
As an opponent of DNSSEC opt-in back in the day, I think this is a
poor example of NSA influence in the standards process.
I do not challenge PHB's theory that the NSA has plants in the
IETF to discourage moves to strong crypto, particularly given John
Gilmore's recent message on IPSEC, but I
On 7/09/13 01:51 AM, Peter Gutmann wrote:
ianG i...@iang.org writes:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
How does '(a) Organizations and Conferences' differ from SOP for these sorts
of things?
In
On 7/09/13 03:58 AM, Jon Callas wrote:
Could an encryption algorithm be explicitly designed to have properties like this? I
don't know of any, but it seems possible. I've long suspected that NSA might want this
kind of property for some of its own systems: In some cases, it completely
On 6/09/13 21:11 PM, Perry E. Metzger wrote:
On Fri, 6 Sep 2013 18:56:51 +0100 Ben Laurie b...@links.org wrote:
The problem is that there's nothing good [in the way of ciphers]
left for TLS 1.2.
So, let's say in public that the browser vendors have no excuse left
for not going to 1.2.
I hate
On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote:
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and if you pay
attention to us talking about issues with nonces, counters, IVs, chaining
modes, and all that, you see
I have also, in debate with Jerry, opined that public-key cryptography is a
powerful thing that can't be replaced with symmetric-key cryptography. That's
something that I firmly believe. At its most fundamental, public-key crypto
allows one to encrypt something to someone whom one does not
On Sep 7, 2013, at 12:14 AM, Dave Horsfall d...@horsfall.org wrote:
Got a question that's been bothering me for a whlie, but it's likely
purely academic.
Take the plaintext and the ciphertext, and XOR them together. Does the
result reveal
On 07/09/2013 01:48, Chris Palmer wrote:
Q: Could the NSA be intercepting downloads of open-source encryption
software and silently replacing these with their own versions?
Why would they perform the attack only for encryption software? They
could compromise people's laptops by spiking any
On Fri, Sep 06, 2013 at 09:19:07PM -0400, Derrell Piper wrote:
...and to add to all that, how about the fact that IPsec was dropped as a
'must implement' from IPv6 sometime after 2002?
Apropos IPsec, I've tried searching for any BTNS (opportunistic encryption mode
for IPsec) implementations,
On 7/09/13 10:15 AM, Gregory Perry wrote:
Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for confidentiality (although that
would have been a bonus).
If so, then the
Thanks for the response; that's what I thought, but thought I'd better
ask (I'm still new at this crypto game).
-- Dave
- Forwarded message from Andy Isaacson a...@hexapodia.org -
Date: Fri, 6 Sep 2013 22:24:00 -0700
From: Andy Isaacson a...@hexapodia.org
To: liberationtech liberationt...@lists.stanford.edu
Subject: Re: [liberationtech] Random number generation being influenced - rumors
User-Agent:
On Sep 7, 2013, at 4:13 AM, Jon Callas wrote:
Take the plaintext and the ciphertext, and XOR them together. Does the
result reveal anything about the key or the plaintext?
It better not. That would be a break of amazing simplicity that transcends
broken.
The question is much more subtle
On Sat, Sep 07, 2013 at 10:57:07AM +0300, ianG wrote:
It's a big picture thing. At the end of the day, symmetric crypto
is something that good software engineers can master, and relatively
well, in a black box sense. Public key crypto not so
While we worry about symmetric vs. public key ciphers, we should not
forget the risk of compromise of our long-term keys. How are they
protected?
One of the most obvious ways to compromise a cryptographic system is
to get the keys. This is a
On Sep 7, 2013, at 12:31 AM, Jon Callas wrote:
I'm sorry, but this is just nonsense. You're starting with informal, rough
definitions and claiming a mathematical theorem.
Actually, I'm doing the opposite. I'm starting with a theorem and arguing
informally from there
Actually, if you
At 06:49 PM 9/6/2013, Marcus D. Leech wrote:
It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
cooperative endpoint scenario that I've seen discussed in other
forums, prompted by the latest
Hi,
On 09/07/2013 12:50 AM, Peter Gutmann wrote:
But for right now, what options do we have that are actually implemented
somewhere? Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST,
etc.), and I don't see any move towards TLS 1.0.
it boils down to this: symmetric crypto is much faster than asymmetric
crypto. Asymmetric crypto should only be used to exchange symmetric keys
and signing.
On Sat, Sep 7, 2013 at 11:10 AM, Jaap-Henk Hoepman j...@cs.ru.nl wrote:
I have also, in debate with Jerry, opined that public-key
On 09/06/2013 01:25 PM, Jerry Leichter wrote:
A response he wrote as part of a discussion at
http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html:
Q: Could the NSA be intercepting downloads of open-source encryption software and
silently replacing these with their own versions?
On Sep 7, 2013, at 2:36 PM, Ray Dillinger wrote:
SNIP!
Schneier states of discrete logs over ECC: I no longer trust the constants.
I believe the NSA has manipulated them through their relationships with
industry.
Is he referring to the standard set of ECC curves in use? Is it possible
- Forwarded message from Nick Mathewson ni...@alum.mit.edu -
Date: Sat, 7 Sep 2013 13:02:04 -0400
From: Nick Mathewson ni...@alum.mit.edu
To: tor-t...@lists.torproject.org tor-t...@lists.torproject.org
Subject: Re: [tor-talk] NIST approved crypto in Tor?
Reply-To:
If so, then the domain owner can deliver a public key with authenticity
using the DNS. This strikes a deathblow to the CA industry. This
threat is enough for CAs to spend a significant amount of money slowing
down its development [0].
How much more obvious does it get [1] ?
The PKI industry
On 09/07/2013 02:53 PM, Ray Dillinger wrote:
Is he referring to the standard set of ECC curves in use? Is it possible
to select ECC curves specifically so that there's a backdoor in cryptography
based on those curves?
I know that hardly anybody using ECC bothers to find their own curve; they
On Sat, Sep 7, 2013 at 2:19 AM, ianG i...@iang.org wrote:
On 7/09/13 10:15 AM, Gregory Perry wrote:
Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for
On Fri, Sep 06, 2013 at 07:53:42PM -0400, Marcus D. Leech wrote:
One wonders why they weren't already using link encryption systems?
One wonders whether, if what we read around here lately is much guide,
they still believe they can get link encryption systems that are
robust against the only
- Forwarded message from Thor Lancelot Simon t...@panix.com -
Date: Sat, 7 Sep 2013 15:36:33 -0400
From: Thor Lancelot Simon t...@panix.com
To: Eugen Leitl eu...@leitl.org
Cc: cryptogra...@randombit.net
Subject: Re: [cryptography] Random number generation influenced, HW RNG
User-Agent:
On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote:
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and
if you pay attention to us talking about issues with nonces,
counters, IVs, chaining modes, and all that, you see
On Fri, Sep 6, 2013 at 6:49 PM, Marcus D. Leech mle...@ripnet.com wrote:
It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key
Well, it helps against passive eavesdropping. However if the NSA has a web
site's private TLS key, they can still MitM
* Dave Horsfall:
Take the plaintext and the ciphertext, and XOR them together. Does the
result reveal anything about the key or the plaintext?
Yes, their length.
On Sat, Sep 7, 2013 at 10:20 AM, Jeffrey I. Schiller j...@mit.edu wrote:
If I was the NSA, I would be scavenging broken hardware from
“interesting” venues and purchasing computers for sale in interesting
locations. I would be particularly interested in stolen computers, as
they have likely
On Sat, Sep 7, 2013 at 10:20 AM, Jeffrey I. Schiller j...@mit.edu wrote:
One of the most obvious ways to compromise a cryptographic system is
to get the keys. This is a particular risk in TLS/SSL when PFS is not
used. Consider a large scale site (read: Google, Facebook, etc.) that
uses SSL.
On 09/07/13 05:19, ianG wrote:
If so, then the domain owner can deliver a public key with authenticity using
the DNS.
This strikes a deathblow to the CA industry. This threat is enough for CAs to
spend a significant amount of money slowing down its development [0].
unfortunately as far as
On Sat, Sep 7, 2013 at 1:33 AM, Brian Gladman b...@gladman.plus.com wrote:
Why would they perform the attack only for encryption software? They
could compromise people's laptops by spiking any popular app.
Because NSA and GCHQ are much more interested in attacking communications
in transit
On Fri, Sep 6, 2013 at 4:53 PM, Marcus D. Leech mle...@ripnet.com wrote:
One wonders why they weren't already using link encryption systems?
Probably line rate and the cost of encrypting every single fiber link.
There are few vendors who sell line rate encryption for 10Gbps+
--
Tony Arcieri
On 09/07/2013 04:20 PM, Phillip Hallam-Baker wrote:
Before you make silly accusations go read the VeriSign Certificate Practices
Statement and then work out how many people it takes to gain access to one of
the roots.
The Key Ceremonies are all videotaped from start to finish and the auditors
On Sat, Sep 7, 2013 at 5:19 AM, ianG i...@iang.org wrote:
On 7/09/13 10:15 AM, Gregory Perry wrote:
Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for
On Sat, Sep 07, 2013 at 01:53:13PM -0700, Tony Arcieri wrote:
On Fri, Sep 6, 2013 at 4:53 PM, Marcus D. Leech mle...@ripnet.com wrote:
One wonders why they weren't already using link encryption systems?
Probably line rate and the cost of encrypting every single fiber link.
There are few
On Sat, Sep 07, 2013 at 04:41:04PM -0400, Richard Outerbridge wrote:
Surely not Canada? After all, we're one of the five eyes! ;)
Six. Sweden (FRA) is part of it. http://www.heise.de/tp/blogs/8/154917
On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote:
Good theory only the CA industry tried very hard to deploy and was prevented
from doing so because Randy Bush abused his position as DNSEXT chair to prevent
modification of the spec to meet the deployment requirements in .com.
DNSSEC would
On Sep 6, 2013, at 11:51 PM, Marcus D. Leech mle...@ripnet.com wrote:
The other thing that I find to be a dirty little secret in PK systems is
revocation. OCSP makes things, in some ways, better than CRLs, but I still
find them to be a kind of swept under the rug problem when people are
On Sat, Sep 7, 2013 at 1:01 PM, Ray Dillinger b...@sonic.net wrote:
And IIRC, pretty much every asymmetric ciphersuite (including all public-
key crypto) is vulnerable to some transformation of Shor's algorithm that
is in fact practical to implement on such a machine.
Lattice-based (NTRU) or
On Sep 7, 2013, at 1:50 PM, Peter Fairbrother zenadsl6...@zen.co.uk wrote:
On 07/09/13 02:49, Marcus D. Leech wrote:
It seems to me that while PFS is an excellent back-stop against NSA
having/deriving a website RSA key, it does *nothing* to prevent the kind of
cooperative endpoint scenario
On Sat, 07 Sep 2013 09:33:28 +0100
Brian Gladman b...@gladman.plus.com wrote:
On 07/09/2013 01:48, Chris Palmer wrote:
Q: Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own
versions?
Why would they perform the attack
The NY Times has done a couple of reports over the last couple of months about
the incomprehensibility of hospital bills, even to those within the industry -
and the refusal of hospitals to discuss their charge rates, claiming that what
they will bill you for a treatment is proprietary.
On Sat, Sep 07, 2013 at 09:14:47PM +, Gregory Perry wrote:
And this is exactly why there is no real security on the Internet.
Because the IETF and standards committees and working groups are all
in reality political fiefdoms and technological
On 09/07/2013 07:32 PM, Brian Gladman wrote:
I don't have experience of how the FBI operates so my comments were
directed specifically at NSA/GCHQ interests. I am doubtful that very
large organisations change their direction of travel very quickly so I
see the huge investments being made in
On Sep 7, 2013, at 5:09 PM, Perry E. Metzger pe...@piermont.com wrote:
Note that such systems should at this point be using deterministic
methods (hashes of text + other data) to create the needed nonces. I
believe several such methods have been
1) Volume has gotten understandably high the last few days given the
current news. I'd like people to please consider if their posting
conveys interesting information before sending.
2) Please adjust the Subject lines of your messages if your posting
deviates from the original Subject. This makes
On Sat, 07 Sep 2013 13:01:53 -0700
Ray Dillinger b...@sonic.net wrote:
I think we can no longer rule out the possibility that some attacker
somewhere (it's easy to point a finger at the NSA but it could be
just as likely pointed at GCHQ or the IDF or Interpol) may have
secretly developed a
On Sat, 7 Sep 2013 13:06:14 -0700
Tony Arcieri basc...@gmail.com wrote:
In order to beat quantum computers, we need to use public key systems
with no (known) quantum attacks, such as lattice-based (NTRU) or
code-based (McEliece/McBits) algorithms. ECC and RSA will no longer
be useful.
I'm
On Sat, 7 Sep 2013 17:46:39 -0400
Derrell Piper d...@electric-loft.org wrote:
On Sep 6, 2013, at 11:51 PM, Marcus D. Leech mle...@ripnet.com wrote:
The other thing that I find to be a dirty little secret in PK
systems is revocation. OCSP makes things, in some ways, better
than CRLs,
On Sat, 7 Sep 2013 20:43:39 -0400 I wrote:
To my knowledge, there is no ECC analog of Shor's algorithm.
...and it appears I was completely wrong on that.
See, for example: http://arxiv.org/abs/quant-ph/0301141
Senility gets the best of us.
Perry