Re: [Cryptography] prism proof email, namespaces, and anonymity

2013-09-15 Thread StealthMonger
John Kelsey writes: > In the overwhelming majority of cases, I know and want to know the > people I'm talking with. I just don't want the contents of those > conversations or the names of people I'm talking with to be revealed > to eavesdroppers. And if I get an email from one of my regular > co

Re: [Cryptography] Security is a total system problem (was Re: Perfection versus Forward Secrecy)

2013-09-15 Thread Dirk-Willem van Gulik
On 13 Sep 2013, at 21:23, Perry E. Metzger wrote: > On Fri, 13 Sep 2013 08:08:38 +0200 Eugen Leitl > wrote: >> Why e.g. SWIFT is not running on one time pads is beyond me. > > I strongly suspect that delivering them securely to the vast number > of endpoints involved a

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-15 Thread Tony Arcieri
On Thu, Sep 12, 2013 at 1:11 PM, Nico Williams wrote: > - Life will look a bit bleak for a while once we get to quantum machine > cryptopocalypse... Why? We already have NTRU. We also have Lamport Signatures. djb is working on McBits. I'd say there's already many options on the table if you

[Cryptography] ADMIN: entropy of randomness discussion is falling...

2013-09-15 Thread Perry E. Metzger
One wants maximum entropy not only from one's RNG but also from one's discussions about randomness. Sadly, entropy is measured based on the level of "surprise" at the content, and the level of surprise is going down in the current discussion. As surprise goes to zero, so does interest on the part

Re: [Cryptography] real random numbers

2013-09-15 Thread Kent Borg
John Kelsey wrote: > I think the big problem with (b) is in quantifying the entropy you get. Maybe don't. When Bruce Schneier last put his hand to designing an RNG he concluded that estimating entropy is doomed. I don't think he would object to some coarse order-of-magnitude confirmation that t

Re: [Cryptography] real random numbers

2013-09-15 Thread Kent Borg
On 09/15/2013 10:19 AM, John Kelsey wrote: But those are pretty critical things, especially (a). You need to know whether it is yet safe to generate your high-value keypair. For that, you don't need super precise entropy estimates, but you do need at least a good first cut entropy estimate--doe

Re: [Cryptography] real random numbers

2013-09-15 Thread ianG
On 15/09/13 00:38 AM, Kent Borg wrote: On 09/14/2013 03:29 PM, John Denker wrote: And once we have built such vaguely secure systems, why reject entropy sources within those systems, merely because you think they look like "squish"? If there is a random component, why toss it out? He'

Re: [Cryptography] real random numbers

2013-09-15 Thread Jerry Leichter
On Sep 14, 2013, at 5:38 PM, Kent Borg wrote: >> Things like clock skew are usually nothing but squish ... not reliably >> predictable, but also not reliably unpredictable. I'm not interested in >> squish, and I'm not interested in speculation about things that "might" be >> random. > > I see

Re: [Cryptography] real random numbers

2013-09-15 Thread John Denker
On 09/15/2013 03:49 AM, Kent Borg wrote: > When Bruce Schneier last put his hand to designing an RNG he > concluded that estimating entropy is doomed. I don't think he would > object to some coarse order-of-magnitude confirmation that there is > entropy coming in, but I think trying to meter entro

Re: [Cryptography] real random numbers

2013-09-15 Thread John Denker
Previously I said we need to speak more carefully about these things. Let me start by taking my own advice: Alas on 09/14/2013 12:29 PM, I wrote: > a) In the linux "random" device, /any/ user can mix stuff into the > driver's pool. This is a non-privileged operation. The idea is that > it can't

Re: [Cryptography] real random numbers

2013-09-15 Thread Watson Ladd
On Sat, Sep 14, 2013 at 12:29 PM, John Denker wrote: > > This discussion will progress more smoothly and more rapidly > if we clarify some of the concepts and terminology. [...] > > Things like clock skew are usually nothing but squish ... not > reliably predictable, but also not reliably unpredic

[Cryptography] A lot to learn from "Business Records FISA NSA Review"

2013-09-15 Thread John Gilmore
See: https://www.eff.org/document/nsa-business-records-fisa-redactedex-ocr This is one of the documents that an EFF Freedom of Information lawsuit asked for. The government had been claiming they could not release ANY FISA court orders or submissions. When the President ordered the intelligence

Re: [Cryptography] prism proof email, namespaces, and anonymity

2013-09-15 Thread John Kelsey
On Sep 15, 2013, at 7:47 AM, Adam Back wrote: > Another design permutation I was thinking could be rather interesting is > unobservable mail. That is to say the participants know who they are > talking to (signed, non-pseudonymous) but passive observers do not. It > seems to me that in that cir

Re: [Cryptography] real random numbers

2013-09-15 Thread John Kelsey
On Sep 15, 2013, at 6:49 AM, Kent Borg wrote: > John Kelsey wrote: >> I think the big problem with (b) is in quantifying the entropy you get. > > Maybe don't. > > When Bruce Schneier last put his hand to designing an RNG he concluded that > estimating entropy is doomed. I don't think he would

Re: [Cryptography] prism proof email, namespaces, and anonymity

2013-09-15 Thread Adam Back
On Fri, Sep 13, 2013 at 04:55:05PM -0400, John Kelsey wrote: The more I think about it, the more important it seems that any anonymous email like communications system *not* include people who don't want to be part of it, and have lots of defenses to prevent its anonymous communications from beco