Re: [Cryptography] Thoughts on hardware randomness sources

2013-09-14 Thread Marcus D. Leech
On 09/13/2013 11:32 PM, Jerry Leichter wrote: On Sep 12, 2013, at 11:06 PM, Marcus D. Leech wrote: There are a class of hyper-cheap USB audio dongles with very uncomplicated mixer models. A small flotilla of those might get you some fault-tolerance. My main thought on such things relates to

Re: [Cryptography] Thoughts on hardware randomness sources

2013-09-14 Thread Jerry Leichter
On Sep 12, 2013, at 11:06 PM, Marcus D. Leech wrote: There are a class of hyper-cheap USB audio dongles with very uncomplicated mixer models. A small flotilla of those might get you some fault-tolerance. My main thought on such things relates to servers, where power consumption isn't

Re: [Cryptography] Summary of the discussion so far

2013-09-14 Thread Max Kington
On 13 Sep 2013, at 21:46, Nico Williams wrote: On Fri, Sep 13, 2013 at 03:17:35PM -0400, Perry E. Metzger wrote: On Thu, 12 Sep 2013 14:53:28 -0500 Nico Williams n...@cryptonector.com wrote: Traffic analysis can't really be defeated, not in detail. What's wrong with mix networks?

[Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Peter Fairbrother
Recommendations are given herein as: symmetric_key_length - recommended_equivalent_RSA_key_length, in bits. Looking at Wikipedia, I see: As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and

Re: [Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Paul Hoffman
Also see RFC 3766 from almost a decade ago; it has stood up fairly well. --Paul Hoffman ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] prism proof email, namespaces, and anonymity

2013-09-14 Thread Max Kington
On Fri, Sep 13, 2013 at 10:12 PM, Perry E. Metzger pe...@piermont.comwrote: On Fri, 13 Sep 2013 16:55:05 -0400 John Kelsey crypto@gmail.com wrote: Everyone, The more I think about it, the more important it seems that any anonymous email like communications system *not* include

[Cryptography] Key management, key storage. (was Re: prism proof email, namespaces, and anonymity)

2013-09-14 Thread Perry E. Metzger
On Sat, 14 Sep 2013 17:23:40 +0100 Max Kington mking...@webhanger.com wrote: The keys. This to me is the critical point for widespread adoption, key management. How do you do this in a way that doesn't put people off immediately. You don't seem to be entirely talking about key management,

Re: [Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Perry E. Metzger
On Sat, 14 Sep 2013 09:31:22 -0700 Paul Hoffman paul.hoff...@vpnc.org wrote: Also see RFC 3766 from almost a decade ago; it has stood up fairly well. For those not aware, the document, by Paul and Hilarie Orman, discusses equivalent key strengths and practical brute force methods, giving

Re: [Cryptography] Key management, key storage. (was Re: prism proof email, namespaces, and anonymity)

2013-09-14 Thread Trevor Perrin
On Sat, Sep 14, 2013 at 9:46 AM, Perry E. Metzger pe...@piermont.com wrote: However, on the topic of key management itself, my own proposal was described here: http://www.metzdowd.com/pipermail/cryptography/2013-August/016870.html In summary, I proposed a way you can map IDs to keys through

Re: [Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Peter Fairbrother
On 14/09/13 17:14, Perry E. Metzger wrote: On Sat, 14 Sep 2013 16:53:38 +0100 Peter Fairbrother zenadsl6...@zen.co.uk wrote: NIST also give the traditional recommendations, 80 - 1024 and 112 - 2048, plus 128 - 3072, 192 - 7680, 256 - 15360. [...] But, I wonder, where do these longer

Re: [Cryptography] RSA equivalent key length/strength

2013-09-14 Thread ianG
On 14/09/13 18:53 PM, Peter Fairbrother wrote: But, I wonder, where do these longer equivalent figures come from? http://keylength.com/ (is a better repository to answer your question.) iang ___ The cryptography mailing list

Re: [Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Adam Back
On Sat, Sep 14, 2013 at 12:56:02PM -0400, Perry E. Metzger wrote: http://tools.ietf.org/html/rfc3766 | requirement | Symmetric | RSA or DH| DSA subgroup | | for attack | key size | modulus size | size | +-+---+--+--+ |100

Re: [Cryptography] Perfection versus Forward Secrecy

2013-09-14 Thread Tony Arcieri
On Thu, Sep 12, 2013 at 11:08 PM, Eugen Leitl eu...@leitl.org wrote: I do not think that the spooks are too far away from open research in QC hardware. It does not seem likely that we'll be getting real QC any time soon, if ever. I don't think the spooks are ahead of the public either, and

[Cryptography] Quantum Computers for Shor's Algorithm (was Re: Perfection versus Forward Secrecy)

2013-09-14 Thread Perry E. Metzger
On Sat, 14 Sep 2013 11:49:50 -0700 Tony Arcieri basc...@gmail.com wrote: We still haven't seen quantum computers built yet which can truly rival their conventional electronic brethren, especially if you look at it from a cost perspective. DWave computers are interesting from a novelty

Re: [Cryptography] Quantum Computers for Shor's Algorithm (was Re: Perfection versus Forward Secrecy)

2013-09-14 Thread Tony Arcieri
On Sat, Sep 14, 2013 at 12:12 PM, Perry E. Metzger pe...@piermont.comwrote: DWave has never unambiguously shown their machine actually is a quantum computer There was some controversy about that a few months ago. In the end, my understanding is it netted out that it *is* a real (albeit

Re: [Cryptography] Quantum Computers for Shor's Algorithm (was Re: Perfection versus Forward Secrecy)

2013-09-14 Thread Perry E. Metzger
On Sat, 14 Sep 2013 12:42:22 -0700 Tony Arcieri basc...@gmail.com wrote: Sure, I never said it could ;) I also said that conventional computers can still outpace it. I'm certainly NOT saying, that in their present capacity, that DWave computers are any sort of threat to modern cryptography.

Re: [Cryptography] Thoughts on hardware randomness sources

2013-09-14 Thread Bill Stewart
At 08:32 PM 9/13/2013, Jerry Leichter wrote: If by server you mean one of those things in a rack at Amazon or Google or Rackspace - power consumption, and its consequence, cooling - is *the* major issue these days. Also, the servers used in such data centers don't have multiple free USB

Re: [Cryptography] real random numbers

2013-09-14 Thread Kent Borg
On 09/14/2013 03:29 PM, John Denker wrote: Things like clock skew are usually nothing but squish ... not reliably predictable, but also not reliably unpredictable. I'm not interested in squish, and I'm not interested in speculation about things that might be random. I see theoretical the

Re: [Cryptography] real random numbers

2013-09-14 Thread John Kelsey
Your first two categories are talking about the distribution of entropy--we assume some unpredictability exists, and we want to quantify it in terms of bits of entropy per bit of output. That's a useful distinction to make, and as you said, if you can get even a little entropy per bit and know