Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Jaap-Henk Hoepman
Public-key cryptography is less well-understood than symmetric-key cryptography. It is also tetchier than symmetric-key crypto, and if you pay attention to us talking about issues with nonces, counters, IVs, chaining modes, and all that, you see that saying that it's tetchier than that is

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Jon Callas
On Sep 6, 2013, at 11:05 PM, Jaap-Henk Hoepman j...@cs.ru.nl wrote: Public-key cryptography is less well-understood than symmetric-key cryptography. It is also tetchier than symmetric-key crypto, and if you pay attention to us talking about

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Samuel Weiler
On Thu, 5 Sep 2013, Phillip Hallam-Baker wrote: * Allowing deployment of DNSSEC to be blocked in 2002(sic) by blocking a technical change that made it possible to deploy in .com. As an opponent of DNSSEC opt-in back in the day, I think this is a poor example of NSA influence in the

[Cryptography] XORing plaintext with ciphertext

2013-09-07 Thread Dave Horsfall
Got a question that's been bothering me for a while, but it's likely purely academic. Take the plaintext and the ciphertext, and XOR them together. Does the result reveal anything about the key or the plaintext? -- Dave ___ The cryptography mailing

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
As an opponent of DNSSEC opt-in back in the day, I think this is a poor example of NSA influence in the standards process. I do not challenge PHB's theory that the NSA has plants in the IETF to discourage moves to strong crypto, particularly given John Gilmore's recent message on IPSEC, but I

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread ianG
On 7/09/13 01:51 AM, Peter Gutmann wrote: ianG i...@iang.org writes: And, controlling processes is just what the NSA does. https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html How does '(a) Organizations and Conferences' differ from SOP for these sorts of things? In

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread ianG
On 7/09/13 03:58 AM, Jon Callas wrote: Could an encryption algorithm be explicitly designed to have properties like this? I don't know of any, but it seems possible. I've long suspected that NSA might want this kind of property for some of its own systems: In some cases, it completely

Re: [Cryptography] People should turn on PFS in TLS

2013-09-07 Thread ianG
On 6/09/13 21:11 PM, Perry E. Metzger wrote: On Fri, 6 Sep 2013 18:56:51 +0100 Ben Laurie b...@links.org wrote: The problem is that there's nothing good [in the way of ciphers] left for TLS 1.2. So, lets say in public that the browser vendors have no excuse left for not going to 1.2. I hate

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread ianG
On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote: Public-key cryptography is less well-understood than symmetric-key cryptography. It is also tetchier than symmetric-key crypto, and if you pay attention to us talking about issues with nonces, counters, IVs, chaining modes, and all that, you see

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Jaap-Henk Hoepman
I have also, in debate with Jerry, opined that public-key cryptography is a powerful thing that can't be replaced with symmetric-key cryptography. That's something that I firmly believe. At its most fundamental, public-key crypto allows one to encrypt something to someone whom one does not

Re: [Cryptography] XORing plaintext with ciphertext

2013-09-07 Thread Jon Callas
On Sep 7, 2013, at 12:14 AM, Dave Horsfall d...@horsfall.org wrote: Got a question that's been bothering me for a while, but it's likely purely academic. Take the plaintext and the ciphertext, and XOR them together. Does the result reveal

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Brian Gladman
On 07/09/2013 01:48, Chris Palmer wrote: Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions? Why would they perform the attack only for encryption software? They could compromise people's laptops by spiking any

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Eugen Leitl
On Fri, Sep 06, 2013 at 09:19:07PM -0400, Derrell Piper wrote: ...and to add to all that, how about the fact that IPsec was dropped as a 'must implement' from IPv6 sometime after 2002? Apropos IPsec, I've tried searching for any BTNS (opportunistic encryption mode for IPsec) implementations,

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread ianG
On 7/09/13 10:15 AM, Gregory Perry wrote: Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for confidentiality (although that would have been a bonus). If so, then the

Re: [Cryptography] XORing plaintext with ciphertext

2013-09-07 Thread Dave Horsfall
Thanks for the response; that's what I thought, but thought I'd better ask (I'm still new at this crypto game). -- Dave ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] [liberationtech] Random number generation being influenced - rumors

2013-09-07 Thread Eugen Leitl
- Forwarded message from Andy Isaacson a...@hexapodia.org - Date: Fri, 6 Sep 2013 22:24:00 -0700 From: Andy Isaacson a...@hexapodia.org To: liberationtech liberationt...@lists.stanford.edu Subject: Re: [liberationtech] Random number generation being influenced - rumors User-Agent:

Re: [Cryptography] XORing plaintext with ciphertext

2013-09-07 Thread Jerry Leichter
On Sep 7, 2013, at 4:13 AM, Jon Callas wrote: Take the plaintext and the ciphertext, and XOR them together. Does the result reveal anything about the key or the plaintext? It better not. That would be a break of amazing simplicity that transcends broken. The question is much more subtle

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Jeffrey I. Schiller
On Sat, Sep 07, 2013 at 10:57:07AM +0300, ianG wrote: It's a big picture thing. At the end of the day, symmetric crypto is something that good software engineers can master, and relatively well, in a black box sense. Public key crypto not so

[Cryptography] Protecting Private Keys

2013-09-07 Thread Jeffrey I. Schiller
While we worry about symmetric vs. public key ciphers, we should not forget the risk of compromise of our long-term keys. How are they protected? One of the most obvious ways to compromise a cryptographic system is to get the keys. This is a

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Jerry Leichter
On Sep 7, 2013, at 12:31 AM, Jon Callas wrote: I'm sorry, but this is just nonsense. You're starting with informal, rough definitions and claiming a mathematical theorem. Actually, I'm doing the opposite. I'm starting with a theorem and arguing informally from there Actually, if you

Re: [Cryptography] In the face of cooperative end-points, PFS doesn't help

2013-09-07 Thread Bill Stewart
At 06:49 PM 9/6/2013, Marcus D. Leech wrote: It seems to me that while PFS is an excellent back-stop against NSA having/deriving a website RSA key, it does *nothing* to prevent the kind of cooperative endpoint scenario that I've seen discussed in other forums, prompted by the latest

Re: [Cryptography] Suite B after today's news

2013-09-07 Thread Ralph Holz
Hi, On 09/07/2013 12:50 AM, Peter Gutmann wrote: But for right now, what options do we have that are actually implemented somewhere? Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST, etc.), and I don't see any move towards TLS 1.0.

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Naif M. Otaibi
it boils down to this: symmetric crypto is much faster than asymmetric crypto. Asymmetric crypto should only be used to exchange symmetric keys and signing. On Sat, Sep 7, 2013 at 11:10 AM, Jaap-Henk Hoepman j...@cs.ru.nl wrote: I have also, in debate with Jerry, opined that public-key

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Ray Dillinger
On 09/06/2013 01:25 PM, Jerry Leichter wrote: A response he wrote as part of a discussion at http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html: Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions?

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Dan McDonald
On Sep 7, 2013, at 2:36 PM, Ray Dillinger wrote: SNIP! Schneier states of discrete logs over ECC: I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry. Is he referring to the standard set of ECC curves in use? Is it possible

Re: [Cryptography] [tor-talk] NIST approved crypto in Tor?

2013-09-07 Thread Eugen Leitl
- Forwarded message from Nick Mathewson ni...@alum.mit.edu - Date: Sat, 7 Sep 2013 13:02:04 -0400 From: Nick Mathewson ni...@alum.mit.edu To: tor-t...@lists.torproject.org tor-t...@lists.torproject.org Subject: Re: [tor-talk] NIST approved crypto in Tor? Reply-To:

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
If so, then the domain owner can deliver a public key with authenticity using the DNS. This strikes a deathblow to the CA industry. This threat is enough for CAs to spend a significant amount of money slowing down its development [0]. How much more obvious does it get [1] ? The PKI industry

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Gregory Perry
On 09/07/2013 02:53 PM, Ray Dillinger wrote: Is he referring to the standard set of ECC curves in use? Is it possible to select ECC curves specifically so that there's a backdoor in cryptography based on those curves? I know that hardly anybody using ECC bothers to find their own curve; they

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread David Mercer
On Sat, Sep 7, 2013 at 2:19 AM, ianG i...@iang.org wrote: On 7/09/13 10:15 AM, Gregory Perry wrote: Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for

Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-07 Thread Thor Lancelot Simon
On Fri, Sep 06, 2013 at 07:53:42PM -0400, Marcus D. Leech wrote: One wonders why they weren't already using link encryption systems? One wonders whether, if what we read around here lately is much guide, they still believe they can get link encryption systems that are robust against the only

Re: [Cryptography] [cryptography] Random number generation influenced, HW RNG

2013-09-07 Thread Eugen Leitl
- Forwarded message from Thor Lancelot Simon t...@panix.com - Date: Sat, 7 Sep 2013 15:36:33 -0400 From: Thor Lancelot Simon t...@panix.com To: Eugen Leitl eu...@leitl.org Cc: cryptogra...@randombit.net Subject: Re: [cryptography] Random number generation influenced, HW RNG User-Agent:

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Bill Stewart
On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote: Public-key cryptography is less well-understood than symmetric-key cryptography. It is also tetchier than symmetric-key crypto, and if you pay attention to us talking about issues with nonces, counters, IVs, chaining modes, and all that, you see

Re: [Cryptography] In the face of cooperative end-points, PFS doesn't help

2013-09-07 Thread Tony Arcieri
On Fri, Sep 6, 2013 at 6:49 PM, Marcus D. Leech mle...@ripnet.com wrote: It seems to me that while PFS is an excellent back-stop against NSA having/deriving a website RSA key Well, it helps against passive eavesdropping. However if the NSA has a web site's private TLS key, they can still MitM

Re: [Cryptography] XORing plaintext with ciphertext

2013-09-07 Thread Florian Weimer
* Dave Horsfall: Take the plaintext and the ciphertext, and XOR them together. Does the result reveal anything about the key or the plaintext? Yes, their length.
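Added example for the "XORing plaintext with ciphertext" thread above; it is editorial, not code posted by any participant. For a stream cipher or a block cipher in CTR mode, plaintext XOR ciphertext is exactly the keystream, which is harmless if the nonce is never reused and fatal if it is. The keystream construction below (SHA-256 over key, nonce and counter) is a constructed toy standing in for any real stream cipher, and the key and messages are constructed sample data.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream, constructed for this example: SHA-256(key || nonce || counter).
    Any real stream cipher or CTR mode has the same shape: C = P XOR keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Ciphertext has exactly the plaintext's length: length always leaks.
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recovered_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """What an attacker learns from one known plaintext/ciphertext pair:
    for XOR-based ciphers this is the keystream itself, not the key."""
    return xor_bytes(plaintext, ciphertext)


def attack_reused_nonce(known_pt: bytes, known_ct: bytes, target_ct: bytes) -> bytes:
    """Decrypt target_ct without the key, if it used the same key and nonce,
    up to the length of the known pair."""
    ks = recovered_keystream(known_pt, known_ct)
    n = min(len(ks), len(target_ct))
    return xor_bytes(target_ct[:n], ks[:n])


def demo() -> dict:
    key = b"constructed-demo-key-not-secret!"   # constructed sample key
    nonce = b"nonce-01"
    p1 = b"ATTACK AT DAWN; second paragraph follows."   # known to the attacker
    p2 = b"RETREAT AT DUSK; the real order is this."    # the attacker's target
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)          # nonce reused: the mistake
    c3 = encrypt(key, b"nonce-02", p2)    # fresh nonce: correct use
    ks = recovered_keystream(p1, c1)
    return {
        # P XOR C equals the keystream the cipher produced
        "keystream_leaked": ks == keystream(key, nonce, len(p1)),
        # and that keystream decrypts any other message under the same nonce
        "reused_nonce_broken": attack_reused_nonce(p1, c1, c2) == p2[:len(p1)],
        # but tells the attacker nothing about a message under a fresh nonce
        "fresh_nonce_safe": attack_reused_nonce(p1, c1, c3) != p2[:len(p1)],
        "length_leaked": len(c1) == len(p1),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point a practitioner should take from this is that "does P XOR C reveal anything" has a different answer per mode: for a block cipher the XOR of plaintext and ciphertext blocks has no useful structure, while for any XOR-based mode it is the keystream, so nonce management (the same "nonces, counters, IVs" issues raised in the symmetric-vs-public-key thread) decides whether the leak matters.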

Re: [Cryptography] Protecting Private Keys

2013-09-07 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 10:20 AM, Jeffrey I. Schiller j...@mit.edu wrote: If I was the NSA, I would be scavenging broken hardware from “interesting” venues and purchasing computers for sale in interesting locations. I would be particularly interested in stolen computers, as they have likely

Re: [Cryptography] Protecting Private Keys

2013-09-07 Thread Jim Popovitch
On Sat, Sep 7, 2013 at 10:20 AM, Jeffrey I. Schiller j...@mit.edu wrote: One of the most obvious ways to compromise a cryptographic system is to get the keys. This is a particular risk in TLS/SSL when PFS is not used. Consider a large scale site (read: Google, Facebook, etc.) that uses SSL.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Anne Lynn Wheeler
On 09/07/13 05:19, ianG wrote: If so, then the domain owner can deliver a public key with authenticity using the DNS. This strikes a deathblow to the CA industry. This threat is enough for CAs to spend a significant amount of money slowing down its development [0]. unfortunately as far as

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Chris Palmer
On Sat, Sep 7, 2013 at 1:33 AM, Brian Gladman b...@gladman.plus.com wrote: Why would they perform the attack only for encryption software? They could compromise people's laptops by spiking any popular app. Because NSA and GCHQ are much more interested in attacking communications in transit

Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-07 Thread Tony Arcieri
On Fri, Sep 6, 2013 at 4:53 PM, Marcus D. Leech mle...@ripnet.com wrote: One wonders why they weren't already using link encryption systems? Probably line rate and the cost of encrypting every single fiber link. There are few vendors who sell line rate encryption for 10Gbps+ -- Tony Arcieri

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
On 09/07/2013 04:20 PM, Phillip Hallam-Baker wrote: Before you make silly accusations go read the VeriSign Certificate Practices Statement and then work out how many people it takes to gain access to one of the roots. The Key Ceremonies are all videotaped from start to finish and the auditors

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 5:19 AM, ianG i...@iang.org wrote: On 7/09/13 10:15 AM, Gregory Perry wrote: Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for

Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-07 Thread Eugen Leitl
On Sat, Sep 07, 2013 at 01:53:13PM -0700, Tony Arcieri wrote: On Fri, Sep 6, 2013 at 4:53 PM, Marcus D. Leech mle...@ripnet.com wrote: One wonders why they weren't already using link encryption systems? Probably line rate and the cost of encrypting every single fiber link. There are few

Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-07 Thread Eugen Leitl
On Sat, Sep 07, 2013 at 04:41:04PM -0400, Richard Outerbridge wrote: Surely not Canada? After all, we're one of the five eyes! ;) Six. Sweden (FRA) is part of it. http://www.heise.de/tp/blogs/8/154917

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote: Good theory only the CA industry tried very hard to deploy and was prevented from doing so because Randy Bush abused his position as DNSEXT chair to prevent modification of the spec to meet the deployment requirements in .com. DNSSEC would

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Derrell Piper
On Sep 6, 2013, at 11:51 PM, Marcus D. Leech mle...@ripnet.com wrote: The other thing that I find to be a dirty little secret in PK systems is revocation. OCSP makes things, in some ways, better than CRLs, but I still find them to be a kind of swept under the rug problem when people are

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Tony Arcieri
On Sat, Sep 7, 2013 at 1:01 PM, Ray Dillinger b...@sonic.net wrote: And IIRC, pretty much every asymmetric ciphersuite (including all public- key crypto) is vulnerable to some transformation of Shor's algorithm that is in fact practical to implement on such a machine. Lattice-based (NTRU) or

Re: [Cryptography] In the face of cooperative end-points, PFS doesn't help

2013-09-07 Thread james hughes
On Sep 7, 2013, at 1:50 PM, Peter Fairbrother zenadsl6...@zen.co.uk wrote: On 07/09/13 02:49, Marcus D. Leech wrote: It seems to me that while PFS is an excellent back-stop against NSA having/deriving a website RSA key, it does *nothing* to prevent the kind of cooperative endpoint scenario

[Cryptography] Does NSA break in to endpoints (was Re: Bruce Schneier has gotten seriously spooked)

2013-09-07 Thread Perry E. Metzger
On Sat, 07 Sep 2013 09:33:28 +0100 Brian Gladman b...@gladman.plus.com wrote: On 07/09/2013 01:48, Chris Palmer wrote: Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions? Why would they perform the attack

[Cryptography] New task for the NSA

2013-09-07 Thread Jerry Leichter
The NY Times has done a couple of reports over the last couple of months about the incomprehensibility of hospital bills, even to those within the industry - and the refusal of hospitals to discuss their charge rates, claiming that what they will bill you for a treatment is proprietary.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Jeffrey I. Schiller
On Sat, Sep 07, 2013 at 09:14:47PM +, Gregory Perry wrote: And this is exactly why there is no real security on the Internet. Because the IETF and standards committees and working groups are all in reality political fiefdoms and technological

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Gregory Perry
On 09/07/2013 07:32 PM, Brian Gladman wrote: I don't have experience of how the FBI operates so my comments were directed specifically at NSA/GCHQ interests. I am doubtful that very large organisations change their direction of travel very quickly so I see the huge investments being made in

Re: [Cryptography] ElGamal, DSA randomness (was Re: Why prefer symmetric crypto over public key crypto?)

2013-09-07 Thread Jon Callas
On Sep 7, 2013, at 5:09 PM, Perry E. Metzger pe...@piermont.com wrote: Note that such systems should at this point be using deterministic methods (hashes of text + other data) to create the needed nonces. I believe several such methods have been
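Added example for the "ElGamal, DSA randomness" thread above; it is editorial, not code from any participant. It shows why the nonce matters: textbook DSA signed twice with the same k gives away the private key from the two signatures alone, and a nonce derived deterministically from the private key and the message removes the dependence on a random source. The group parameters (p = 2039, q = 1019, g = 4) are a constructed toy far too small for security, the messages are constructed samples, and the HMAC-based nonce derivation is a simplified stand-in for the standardized construction (RFC 6979), not a reimplementation of it.

```python
import hashlib
import hmac
import secrets

# Toy DSA group, constructed for this example: p = 2q + 1 with p, q prime,
# and g = 4 (a quadratic residue) generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def h(msg: bytes) -> int:
    """Message hash reduced mod q (real DSA truncates the hash; same role here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1      # private key in [1, q-1]
    return x, pow(G, x, P)                # (x, y = g^x mod p)


def sign(x: int, msg: bytes, k: int):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q."""
    if not 0 < k < Q:
        raise ValueError("nonce out of range")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_private_key(m1: bytes, sig1, m2: bytes, sig2) -> int:
    """Reused nonce => same r. Then s1 - s2 = k^-1 (H1 - H2), so
    k = (H1 - H2) / (s1 - s2) and x = (s1 k - H1) / r, all mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different nonces: this attack does not apply")
    if s1 == s2:
        raise ValueError("hashes collide mod q; need distinct messages")
    k = (h(m1) - h(m2)) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h(m1)) * pow(r1, -1, Q) % Q


def deterministic_nonce(x: int, msg: bytes, ctr: int) -> int:
    """k = HMAC-SHA256(key = x, msg || ctr) mod (q-1) + 1: a function of the
    private key and the message, so no RNG is consulted at signing time.
    Simplified stand-in for RFC 6979, constructed for this example."""
    tag = hmac.new(x.to_bytes(2, "big"), msg + ctr.to_bytes(4, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % (Q - 1) + 1


def sign_deterministic(x: int, msg: bytes):
    ctr = 0
    while True:                       # retry counter handles the rare r == 0 / s == 0
        try:
            return sign(x, msg, deterministic_nonce(x, msg, ctr))
        except ValueError:
            ctr += 1


def demo() -> dict:
    x, y = keygen()
    m1, m2 = b"pay 10 to alice", b"pay 10 to mallory"   # constructed samples
    while h(m1) == h(m2):             # toy-sized q: ensure hashes differ mod q
        m2 += b"."
    while True:                       # one random nonce, wrongly reused for both
        k = secrets.randbelow(Q - 1) + 1
        try:
            sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
            break
        except ValueError:
            continue
    return {
        "signatures_valid": verify(y, m1, sig1) and verify(y, m2, sig2),
        "reused_nonce_leaks_key": recover_private_key(m1, sig1, m2, sig2) == x,
        "deterministic_repeatable": sign_deterministic(x, m1) == sign_deterministic(x, m1),
        "deterministic_verifies": verify(y, m1, sign_deterministic(x, m1)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same algebra applies to ElGamal signatures and to ECDSA; a biased or repeated nonce from a weak generator is enough, which is why the thread's advice is to derive k deterministically rather than trust the platform RNG at signing time.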

[Cryptography] ADMIN: Volume, top posting, trimming, SUBJECT LINES

2013-09-07 Thread Perry E. Metzger
1) Volume has gotten understandably high the last few days given the current news. I'd like people to please consider if their posting conveys interesting information before sending. 2) Please adjust the Subject lines of your messages if your posting deviates from the original Subject. This makes

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 07 Sep 2013 13:01:53 -0700 Ray Dillinger b...@sonic.net wrote: I think we can no longer rule out the possibility that some attacker somewhere (it's easy to point a finger at the NSA but it could be just as likely pointed at GCHQ or the IDF or Interpol) may have secretly developed a

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 7 Sep 2013 13:06:14 -0700 Tony Arcieri basc...@gmail.com wrote: In order to beat quantum computers, we need to use public key systems with no (known) quantum attacks, such as lattice-based (NTRU) or code-based (McEliece/McBits) algorithms. ECC and RSA will no longer be useful. I'm

[Cryptography] Replacing CAs (was Re: Why prefer symmetric crypto over public key crypto?)

2013-09-07 Thread Perry E. Metzger
On Sat, 7 Sep 2013 17:46:39 -0400 Derrell Piper d...@electric-loft.org wrote: On Sep 6, 2013, at 11:51 PM, Marcus D. Leech mle...@ripnet.com wrote: The other thing that I find to be a dirty little secret in PK systems is revocation. OCSP makes things, in some ways, better than CRLs,

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 7 Sep 2013 20:43:39 -0400 I wrote: To my knowledge, there is no ECC analog of Shor's algorithm. ...and it appears I was completely wrong on that. See, for example: http://arxiv.org/abs/quantph/0301141 Senility gets the best of us. Perry