-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> Apparently this was just a "teaser" article. The following is apparently the
> full story: http://cryptome.org/2013/09/nsa-smartphones.pdf I can't tell
> for sure - it's the German original, and my German is non-existent.
The high level summa
On Sep 8, 2013, at 9:15 PM, Perry E. Metzger wrote:
>> I don't see the big worry about how hard it is to generate random
>> numbers unless:
>
> Lenstra, Heninger and others have both shown mass breaks of keys based
> on random number generator flaws in the field. Random number
> generators have b
On 9/8/13 1:51 PM, Perry E. Metzger wrote:
> On Sun, 8 Sep 2013 14:50:07 -0400 Jerry Leichter
> wrote:
>> Even for one-to-one discussions, these days, people want
>> transparent movement across their hardware. If I'm in a chat
>> session on my lapt
Ralph Holz writes:
>I've followed that list for a while. What I find weird is that there should
>be much dissent at all. This is about increasing security based on adding
>quite well-understood mechanisms. What's to be so opposed to there?
There wasn't really much dissent (there was some discuss
On 9/7/13 9:06 PM, Christian Huitema wrote:
>> Pairwise shared secrets are just about the only thing that
>> scales worse than public key distribution by way of PGP key
>> fingerprints on business cards.
>> The equivalent of CAs in an
>> all-symmetric
Apparently this was just a "teaser" article. The following is apparently the
full story: http://cryptome.org/2013/09/nsa-smartphones.pdf I can't tell for
sure - it's the German original, and my German is non-existent.
-- Jerry
On 09/08/2013 09:15 PM, Perry E. Metzger wrote:
Perhaps you don't see the big worry, but real world experience says it
is something everyone else should worry about anyway.
I overstated it.
Good random numbers are crucial, and like any cryptography, exact
details matter. Programmers are cons
This space is of particular interest to me. I implemented just one of
these and published the protocol (rather than pimp my blog if anyone wants
to read up on the protocol description feel free to email me and I'll send
you a link).
The system itself was built around a fairly simple PKI which the
On Sep 8, 2013, at 7:16 PM, james hughes wrote:
> Let me suggest the following.
>
> With RSA, a single quiet "donation" by the site and it's done. The situation
> becomes totally passive and there is no possibility knowing what has been
> read. The system administrator could even do this withou
note when the router hughes references was first introduced in the IETF gateway
committee meeting as VPN it caused lots of turmoil in the IPSEC camp as well as
with the other router vendors. The other router vendors went into standards
stall mode ... their problem was none of them had a product wi
On 2013-09-09 6:08 AM, John Kelsey wrote:
a. Things that just barely work, like standards groups, must in general be
easier to sabotage in subtle ways than things that click along with great
efficiency. But they are also things that often fail with no help at all from
anyone, so it's hard to
On 2013-09-09 4:49 AM, Perry E. Metzger wrote:
Your magic key must then take any block of N bits and magically
produce the corresponding plaintext when any given ciphertext
might correspond to many, many different plaintexts depending
on the key. That's clearly not something you can do.
Suppose
On 2013-09-09 11:15 AM, Perry E. Metzger wrote:
Lenstra, Heninger and others have both shown mass breaks of keys based
on random number generator flaws in the field. Random number
generators have been the source of a huge number of breaks over time.
Perhaps you don't see the big worry, but real
On Sep 8, 2013, at 1:47 PM, Jerry Leichter wrote:
> On Sep 8, 2013, at 3:51 PM, Perry E. Metzger wrote:
>>
>> In summary, it would appear that the most viable solution is to make
>> the end-to-end encryption endpoint a piece of hardware the user owns
>> (say the oft mentioned $50 Raspberry Pi
On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger wrote:
> On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker
> wrote:
> > The Registrars are pure marketing operations. Other than GoDaddy
> > which implemented DNSSEC because they are trying to sell the
> > business and more tech looks kewl du
On Fri, Sep 06, 2013 at 05:22:26PM -0700, John Gilmore wrote:
> Speaking as someone who followed the IPSEC IETF standards committee
> pretty closely, while leading a group that tried to implement it and
> make it so usable that it would be used by default
On Sun, 08 Sep 2013 20:34:55 -0400 Kent Borg
wrote:
> On 09/08/2013 06:16 PM, John Kelsey wrote:
> > I don't think you can do anything useful in crypto without some
> > good source of random bits.
>
> I don't see the big worry about how hard it is to generate random
> numbers unless:
Lenstra, H
On 09/08/2013 06:16 PM, John Kelsey wrote:
I don't think you can do anything useful in crypto without some good
source of random bits.
I don't see the big worry about how hard it is to generate random
numbers unless:
a) You need them super fast (because you are Google, trying to secure
you
A new paper on the Tor network, entitled "Users Get Routed:
Traffic Correlation on Tor by Realistic Adversaries".
https://security.cs.georgetown.edu/~msherr/papers/users-get-routed.pdf
Quote to whet your appetite:
We present the first analysis of the popular Tor anonymity network
that
On Sep 8, 2013, at 3:51 PM, Perry E. Metzger wrote:
>
>> Even for one-to-one discussions, these days, people want
>> transparent movement across their hardware. If I'm in a chat
>> session on my laptop and leave the house, I'd like to be able to
>> continue on my phone. How do I hand off the con
On Sep 8, 2013, at 6:09 PM, Perry E. Metzger wrote:
> Not very surprising given everything else, but I thought I would
> forward the link. It more or less contends that the NSA has exploits
> for all major smartphones, which should not be surprising
> http://www.spiegel.de/international/world/
The Spiegel article perhaps contains a key to this capability:
"In the internal documents, experts boast about successful access to
iPhone data in instances where the NSA is able to infiltrate the
computer a person uses to sync their iPhone."
I have not seen security measures such as requiring a p
On Sep 7, 2013, at 8:16 PM, "Marcus D. Leech" wrote:
> But it's not entirely clear to me that it will help enough in the scenarios
> under discussion. If we assume that mostly what NSA are doing is acquiring a
> site
>RSA key (either through "donation" on the part of the site, or through
On Sun, Sep 08, 2013 at 06:16:45PM -0400, John Kelsey wrote:
> I don't think you can do anything useful in crypto without some
> good source of random bits. If there is a private key somewhere
> (say, used for signing, or the public DH key used alongside the
> ephemeral one), you can combine the
What's the current state of the art of attacks against AES? Is the
advice that AES-128 is (slightly) more secure than AES-256, at least
in theory, still current?
(I'm also curious as to whether anyone has ever proposed fixes to the
weaknesses in the key schedule...)
Perry
--
Perry E. Metzger
On Sep 8, 2013, at 3:55 PM, Thor Lancelot Simon wrote:
...
> I also wonder -- again, not entirely my own idea, my whiteboard partner
> can speak up for himself if he wants to -- about whether we're going
> to make ourselves better or worse off by rushing to the "safety" of
> PFS ciphersuites, whic
Not very surprising given everything else, but I thought I would
forward the link. It more or less contends that the NSA has exploits
for all major smartphones, which should not be surprising.
Quoting:
The United States' National Security Agency
intelligence-gathering operation is capab
> Not to discuss this particular case, but I often see claims to the
> effect that "there is no market demand for security".
Bill Gates 2003 "trustworthy computing" memo is a direct proof of the
opposite. He perceived lack of security, shown by reports of worms and
viruses, as a direct threat agai
Forwarded with permission.
So there *is* a BTNS implementation, after all. Albeit
only for OpenBSD -- but this means FreeBSD is next, and
Linux to follow.
- Forwarded message from Andreas Davour -
Date: Sun, 8 Sep 2013 09:10:44 -0700 (PDT)
From: Andreas Davour
To: Eugen Leitl
Subject
On Sun, 8 Sep 2013 15:55:52 -0400 Thor Lancelot Simon
wrote:
> On Sun, Sep 08, 2013 at 03:22:32PM -0400, Perry E. Metzger wrote:
> >
> > Ah, now *this* is potentially interesting. Imagine if you have a
> > crypto accelerator that generates its IVs by encrypting
> > information about keys in use u
On Sun, Sep 08, 2013 at 03:22:32PM -0400, Perry E. Metzger wrote:
>
> Ah, now *this* is potentially interesting. Imagine if you have a
> crypto accelerator that generates its IVs by encrypting information
> about keys in use using a key an observer might have or could guess
> from a small search s
On 09/08/2013 12:08 PM, Perry E. Metzger wrote:
> I doubt that safety is, per se, anything the market demands from
> cars, food, houses, etc.
I wouldn't have said that. It's a lot more complicated than
that. For one thing, there are lots of different "people".
However, as a fairly-general rule,
In principle, the malevolent crypto accelerator could flip into weak mode
(however that happens) only upon receiving a message for decryption with some
specific value or property. That would defeat any testing other than constant
observation. This is more or less the attack that keeps paralle
As an aside:
a. Things that just barely work, like standards groups, must in general be
easier to sabotage in subtle ways than things that click along with great
efficiency. But they are also things that often fail with no help at all from
anyone, so it's hard to tell.
b. There really are t
On Sun, 8 Sep 2013 14:50:07 -0400 Jerry Leichter
wrote:
> Even for one-to-one discussions, these days, people want
> transparent movement across their hardware. If I'm in a chat
> session on my laptop and leave the house, I'd like to be able to
> continue on my phone. How do I hand off the conve
This is just a wild story. It isn't true. If we cryptographers found it
was true we would all be totally gobsmacked.
The Beginning:
Sometime in 2008 the NSA - the United States National Security Agency,
who employ many times more mathematicians than anyone else does -
discovered a new mathema
I was asked to provide a list of potential points of compromise by a
concerned party. I list the following so far as possible/likely:
1) Certificate Authorities
Traditionally the major concern (perhaps to the point of distraction from
other more serious ones). Main caveat, CA compromises leave p
On Sep 8, 2013, at 1:08 PM, Jerry Leichter wrote:
> On Sep 8, 2013, at 1:06 PM, Jerry Leichter wrote:
>> There was a proposal out there based on something very much like this to
>> create tamper-evident signatures
Jonathan Katz found the paper I was thinking of -
http://eprint.iacr.org/2003/
On Sep 7, 2013, at 11:16 PM, Marcus D. Leech wrote:
> Jeff Schiller pointed out a little while ago that the crypto-engineering
> community have largely failed to make end-to-end encryption easy to use.
> There are reasons for that, some technical, some political, but it is
> absolutely true tha
On Sun, Sep 8, 2013 at 2:28 AM, Phillip Hallam-Baker wrote:
> This would be 'Code Transparency'.
>
> Problem is we would need to modify GIT to implement.
Git already supports signed commits. See the "-S" option to "git commit".
If you're paranoid, though, that still leaves someone getting on your
On 8 September 2013 11:45, Peter Gutmann wrote:
> Ralph Holz writes:
>
> >BTW, I do not really agree with your argument it should be done via TLS
> >extension.
>
> It's done that way based on discussions on (and mostly off) the TLS list by
> various implementers, that was the one that caused the
On Sun, 8 Sep 2013 15:10:45 -0400 Thor Lancelot Simon
wrote:
> On Sun, Sep 08, 2013 at 02:34:26PM -0400, Perry E. Metzger wrote:
> >
> > Any other thoughts on how one could sabotage hardware? An
> > exhaustive list is interesting, if only because it gives us
> > information on what to look for in
On Sun, Sep 08, 2013 at 02:34:26PM -0400, Perry E. Metzger wrote:
>
> Any other thoughts on how one could sabotage hardware? An exhaustive
> list is interesting, if only because it gives us information on what
> to look for in hardware that may have been tweaked at NSA request.
I'd go for leaking
On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker
wrote:
> The Registrars are pure marketing operations. Other than GoDaddy
> which implemented DNSSEC because they are trying to sell the
> business and more tech looks kewl during due diligence, there is
> not a market demand for DNSSEC.
Not
On Sat, 07 Sep 2013 20:14:10 -0700 Ray Dillinger
wrote:
> On 09/06/2013 05:58 PM, Jon Callas wrote:
>
> > We know as a mathematical theorem that a block cipher with a back
> > door *is* a public-key system. It is a very, very, very valuable
> > thing, and suggests other mathematical secrets about
On Sat, 07 Sep 2013 19:19:09 -0700 Ray Dillinger
wrote:
> Given some of the things in the Snowden files, I think it has
> become the case that one ought not trust any mass-produced crypto
> hardware.
Yes and no. There are limits to what such hardware can do. If such
hardware fails to implement a
On Sat, 07 Sep 2013 18:50:06 -0700 John Gilmore wrote:
> It was never clear to me why DNSSEC took so long to deploy,
[...]
> PS: My long-standing domain registrar (enom.com) STILL doesn't
> support DNSSEC records -- which is why toad.com doesn't have DNSSEC
> protection. Can anybody recommend a g
On 09/08/2013 04:27 AM, Eugen Leitl wrote:
On 2013-09-08 3:48 AM, David Johnston wrote:
Claiming the NSA colluded with Intel to backdoor RdRand is also to
accuse me personally of having colluded with the NSA in producing a
subverted design. I did not.
Well, since you personally did this, wou
On Sep 7, 2013, at 8:06 PM, John Kelsey wrote:
> There are basically two ways your RNG can be cooked:
>
> a. It generates predictable values. Any good cryptographic PRNG will do
> this if seeded by an attacker. Any crypto PRNG seeded with too l
> 3) Shortly after the token indictment of Zimmerman (thus prompting widespread
> use and promotion of the RSA public key encryption algorithm), the Clinton
> administration's FBI then advocated a relaxation of encryption export
> regulations in addition to dropping all plans for the Clipper chi
On 09/08/2013 05:28 AM, Phillip Hallam-Baker wrote:
every code update to the repository should be signed and
recorded in an append only log and the log should be public and enable any
party to audit the set of updates at any time.
This would be 'Code Transparency'.
Problem is we would need to
On 09/08/2013 10:13 AM, Thor Lancelot Simon wrote:
On Sat, Sep 07, 2013 at 07:19:09PM -0700, Ray Dillinger wrote:
Given good open-source software, an FPGA implementation would provide greater
assurance of security.
How sure are you that an FPGA would actually be faster than you can already
ac
On 09/08/2013 07:08 AM, Eugen Leitl wrote:
Okay, I need to eat my words here.
I went to review the deterministic procedure ...
The deterministic procedure basically computes SHA1 on some seed and
uses it to assign the parameters then checks the curve order, etc..
wash rinse repeat.
Then
On 8/09/13 16:42 PM, Phillip Hallam-Baker wrote:
Two caveats on the commentary about a symmetric key algorithm with a
trapdoor being a public key algorithm.
1) The trapdoor need not be a good public key algorithm, it can be
flawed in ways that would make it unsuited for use as a public key
algor
On Sat, Sep 7, 2013 at 6:50 PM, John Gilmore wrote:
> PS: My long-standing domain registrar (enom.com) STILL doesn't support
> DNSSEC records -- which is why toad.com doesn't have DNSSEC
> protection. Can anybody recommend a good, cheap, reliable domain
> registrar who DOES update their software
On Sep 8, 2013, at 1:06 PM, Jerry Leichter wrote:
> There was a proposal out there based on something very much like this to
> create tamper-evident signatures. I forget the details - it was a couple of
> years ago - but the idea was that every time you sign something, you modify
> your key in
On Sep 8, 2013, at 10:45 AM, Ray Dillinger wrote:
>> Pairwise shared secrets are just about the only thing that scales
>> worse than public key distribution by way of PGP key fingerprints on
>> business cards.
>> If we want secure crypto that can be used by everyone, with minimal
>> trust, pu
Hi,
http://www.youtube.com/watch?v=K8EGA834Nok
Is DNSSEC really the right solution?
Daniel
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
On Sep 7, 2013, at 11:45 PM, John Kelsey wrote:
> Let's suppose I design a block cipher such that, with a randomly generated
> key and 10,000 known plaintexts, I can recover that key. At this point,
> what I have is a trapdoor one-way function. You generate a random key K and
> then compute
Ralph Holz writes:
>BTW, I do not really agree with your argument it should be done via TLS
>extension.
It's done that way based on discussions on (and mostly off) the TLS list by
various implementers, that was the one that caused the least dissent.
Peter.
"Jeffrey I. Schiller" writes:
>If I was the NSA, I would be scavenging broken hardware from "interesting"
>venues and purchasing computers for sale in interesting locations. I would be
>particularly interested in stolen computers, as they have likely not been
>wiped.
Just buy second-hand HSM
Hi,
>> BTW, I do not really agree with your argument it should be done via TLS
>> extension.
>
> It's done that way based on discussions on (and mostly off) the TLS list by
> various implementers, that was the one that caused the least dissent.
I've followed that list for a while. What I find we
On 09/07/2013 06:57 PM, james hughes wrote:
PFS may not be a panacea but does help.
There's no question in my mind that PFS helps. I have, in the past,
been very much in favor of turning on PFS support in various protocols,
when it has been available. And I fully understand what the *pur
On Sun, Sep 8, 2013 at 9:42 AM, Phillip Hallam-Baker wrote:
> Two caveats on the commentary about a symmetric key algorithm with a
> trapdoor being a public key algorithm.
>
> 1) The trapdoor need not be a good public key algorithm, it can be flawed in
> ways that would make it unsuited for use as
On Sep 7, 2013, at 11:06 PM, Christian Huitema wrote:
>> Pairwise shared secrets are just about the only thing that scales worse than
>> public key distribution by way of PGP key fingerprints on business cards.
>> The equivalent of CAs in an all-symmetric world is KDCs. If we want
>> sec
On Sep 7, 2013, at 7:56 PM, Perry E. Metzger wrote:
>> I'm not as yet seeing that a block cipher with a backdoor is a public
>> key system,
>
> Then read the Blaze & Feigenbaum paper I posted a link to. It makes a
> very good case for that, one that Jerry unaccountably does not seem to
> believe.
On Sep 7, 2013, at 6:30 PM, "James A. Donald" wrote:
> On 2013-09-08 4:36 AM, Ray Dillinger wrote:
>>
>> But are the standard ECC curves really secure? Schneier sounds like he's got
>> some innovative math in his next paper if he thinks he can show that they
>> aren't.
>
> Schneier cannot sho
On Sun, Sep 8, 2013 at 12:19 PM, Faré wrote:
> On Sun, Sep 8, 2013 at 9:42 AM, Phillip Hallam-Baker
> wrote:
> > Two caveats on the commentary about a symmetric key algorithm with a
> > trapdoor being a public key algorithm.
> >
> > 1) The trapdoor need not be a good public key algorithm, it can
>
> Symmetric cryptography does a much easier thing. It combines data and some
> mysterious data (key) in a way that you cannot extract data without the
> mysterious data from the result. It's like a + b = c. Given c you need b to
> find a. The tricks that are involved are mostly about sufficie
On 8/09/13 03:00 AM, Perry E. Metzger wrote:
On Sat, 07 Sep 2013 09:33:28 +0100
Brian Gladman wrote:
On 07/09/2013 01:48, Chris Palmer wrote:
Q: "Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own
versions?"
Why would they
On Sat, Sep 07, 2013 at 07:42:33PM -1000, Tim Newsham wrote:
> Jumping in to this a little late, but:
>
> > Q: "Could the NSA be intercepting downloads of open-source
> > encryption software and silently replacing these with their own versions?"
> > A: (Schneier) Yes, I believe so.
>
> perhaps,
- Forwarded message from Gregory Maxwell -
Date: Sun, 8 Sep 2013 06:44:57 -0700
From: Gregory Maxwell
To: "This mailing list is for all discussion about theory, design, and
development of Onion Routing."
Subject: Re: [tor-talk] NIST approved crypto in Tor?
Reply-To: tor-t...@li
- Forwarded message from "James A. Donald" -
Date: Sun, 08 Sep 2013 08:34:53 +1000
From: "James A. Donald"
To: cryptogra...@randombit.net
Subject: Re: [cryptography] Random number generation influenced, HW RNG
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130801
Thunderbird/
On 09/07/2013 07:51 PM, John Kelsey wrote:
Pairwise shared secrets are just about the only thing that scales
worse than public key distribution by way of PGP key fingerprints on
business cards.
If we want secure crypto that can be used by everyone, with minimal
trust, public key is the onl
Two caveats on the commentary about a symmetric key algorithm with a
trapdoor being a public key algorithm.
1) The trapdoor need not be a good public key algorithm, it can be flawed
in ways that would make it unsuited for use as a public key algorithm. For
instance being able to compute the privat
On Sat, Sep 07, 2013 at 08:45:34PM -0400, Perry E. Metzger wrote:
> I'm unaware of an ECC equivalent of the Shor algorithm. Could you
> enlighten me on that?
Shor's algorithm is a Fourier transform, essentially. It can find periods of
a function you can implement as a quantum circuit with only po
On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore wrote:
> > >> First, DNSSEC does not provide confidentiality. Given that, it's not
> > >> clear to me why the NSA would try to stop or slow its deployment.
>
> DNSSEC authenticates keys that can be used to bootstrap
> confidentiality. And it does so
On Sun, Sep 8, 2013 at 1:42 AM, Tim Newsham wrote:
> Jumping in to this a little late, but:
>
> > Q: "Could the NSA be intercepting downloads of open-source
> > encryption software and silently replacing these with their own
> versions?"
> > A: (Schneier) Yes, I believe so.
>
> perhaps, but the
On Sat, Sep 7, 2013 at 10:35 PM, Gregory Perry
wrote:
> >On 09/07/2013 09:59 PM, Phillip Hallam-Baker wrote:
> >
> >Anyone who thinks Jeff was an NSA mole when he was one of the main people
> >behind the MIT version of PGP and the distribution of Kerberos is talking
> >daft.
> >
> >I think that t
On Sat, Sep 7, 2013 at 8:53 PM, Gregory Perry wrote:
> On 09/07/2013 07:52 PM, Jeffrey I. Schiller wrote:
> > Security fails on the Internet for three important reasons, that have
> > nothing to do with the IETF or the technology per-se (except for point
> > 3).
> > 1. There is little market for
Public key depends on high level math. That math has some asymmetric
property that we can use to achieve the public-private key relationships.
The problem is that the discovery of smarter math can invalidate the
asymmetry and make it more symmetrical. This has to do with P=NP, which is
also less triv
Jumping in to this a little late, but:
> Q: "Could the NSA be intercepting downloads of open-source
> encryption software and silently replacing these with their own versions?"
> A: (Schneier) Yes, I believe so.
perhaps, but they would risk being noticed. Some people check file hashes
when down
82 matches