Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-05 Thread Ray Dillinger
On 10/03/2013 06:59 PM, Watson Ladd wrote: On Thu, Oct 3, 2013 at 3:25 PM, leich...@lrw.com wrote: On Oct 3, 2013, at 12:21 PM, Jerry Leichter leich...@lrw.com wrote: As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even

Re: [Cryptography] encoding formats should not be committee'ised

2013-10-05 Thread Ray Dillinger
On 10/04/2013 01:23 AM, James A. Donald wrote: On 2013-10-04 09:33, Phillip Hallam-Baker wrote: The design of WSDL and SOAP is entirely due to the need to impedance match COM to HTTP. That is fairly horrifying, as COM was designed for a single threaded environment, and becomes and

Re: [Cryptography] Sha3 and selecting algorithms for speed

2013-10-05 Thread John Kelsey
Most applications of crypto shouldn't care much about performance of the symmetric crypto, as that's never the thing that matters for slowing things down. But performance continues to matter in competitions and algorithm selection for at least three reasons: a. We can measure performance,

[Cryptography] Performance vs security

2013-10-05 Thread John Kelsey
There are specific algorithms where you have a pretty clear-cut security/performance tradeoff. RSA and ECC both give you some choice of security level that has a big impact in terms of performance. AES and SHA2 and eventually SHA3 offer you some security level choices, but the difference in

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-05 Thread John Kelsey
On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker hal...@gmail.com wrote: ... Dobertin demonstrated a birthday attack on MD5 back in 1995 but it had no impact on the security of certificates issued using MD5 until the attack was dramatically improved and the second pre-image attack became

Re: [Cryptography] [tor-talk] Guardian Tor article

2013-10-05 Thread grarpamp
Some have said... this [Snowden meta arena] has been a subject of discussion on the [various] lists as well Congrats, torproject :-D Tor Stinks means you're doing it right; good job Tor devs :) good news everybody; defense in depth is effective and practical! Yes, fine work all hands,

Re: [Cryptography] Sha3

2013-10-05 Thread Dan Kaminsky
Because not being fast enough means you don't ship. You don't ship, you didn't secure anything. Performance will in fact trump security. This is the empirical reality. There's some budget for performance loss. But we have lots and lots of slow functions. Fast is the game. (Now, whether my

Re: [Cryptography] Sha3

2013-10-05 Thread David Johnston
On 10/4/2013 10:23 AM, Phillip Hallam-Baker wrote: On Fri, Oct 4, 2013 at 12:27 AM, David Johnston d...@deadhat.com wrote: On 10/1/2013 2:34 AM, Ray Dillinger wrote: What I don't understand here is why the process of selecting a standard algorithm for

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-05 Thread Phillip Hallam-Baker
On Thu, Oct 3, 2013 at 5:38 AM, Alan Braggins alan.bragg...@gmail.com wrote: On 02/10/13 18:42, Arnold Reinhold wrote: On 1 Oct 2013 23:48 Jerry Leichter wrote: The larger the construction project, the tighter the limits on this stuff. I used to work with a former structural engineer, and

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-05 Thread Phillip Hallam-Baker
On Thu, Oct 3, 2013 at 5:17 AM, ianG i...@iang.org wrote: On 2/10/13 17:46 PM, John Kelsey wrote: Has anyone tried to systematically look at what has led to previous crypto failures? This has been a favourite topic of mine, ever since I discovered that the entire foundation of SSL was

Re: [Cryptography] Sha3

2013-10-05 Thread Jerry Leichter
On Oct 1, 2013, at 5:34 AM, Ray Dillinger b...@sonic.net wrote: What I don't understand here is why the process of selecting a standard algorithm for cryptographic primitives is so highly focused on speed. If you're going to choose a single standard cryptographic algorithm, you have to

Re: [Cryptography] encoding formats should not be committee'ised

2013-10-05 Thread Jerry Leichter
On Oct 3, 2013, at 7:33 PM, Phillip Hallam-Baker hal...@gmail.com wrote: XML was not intended to be easy to read, it was designed to be less painful to work with than SGML, that is all More to the point, it was designed to be a *markup* format. The markup is metadata describing various

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-05 Thread Phillip Hallam-Baker
On Fri, Oct 4, 2013 at 10:23 AM, John Kelsey crypto@gmail.com wrote: On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker hal...@gmail.com wrote: ... Dobertin demonstrated a birthday attack on MD5 back in 1995 but it had no impact on the security of certificates issued using MD5 until the

Re: [Cryptography] Sha3

2013-10-05 Thread Phillip Hallam-Baker
On Fri, Oct 4, 2013 at 12:27 AM, David Johnston d...@deadhat.com wrote: On 10/1/2013 2:34 AM, Ray Dillinger wrote: What I don't understand here is why the process of selecting a standard algorithm for cryptographic primitives is so highly focused on speed. ~ What makes you think Keccak is

Re: [Cryptography] Sha3

2013-10-05 Thread james hughes
On Oct 3, 2013, at 9:27 PM, David Johnston d...@deadhat.com wrote: On 10/1/2013 2:34 AM, Ray Dillinger wrote: What I don't understand here is why the process of selecting a standard algorithm for cryptographic primitives is so highly focused on speed. ~ What makes you think Keccak is

Re: [Cryptography] check-summed keys in secret ciphers?

2013-10-05 Thread Phillip Hallam-Baker
On Mon, Sep 30, 2013 at 7:44 PM, arxlight arxli...@arx.li wrote: Just to close the circle on this: The Iranians used hundreds of carpet weavers (mostly women) to reconstruct a good portion of the shredded documents which they published (and I think continue to publish) eventually reaching

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-05 Thread ianG
On 4/10/13 11:17 AM, Peter Gutmann wrote: Trying to get back on track, I think any attempt at TLS 2 is doomed. We've already gone through, what, about a million messages bikeshedding over the encoding format and have barely started on the crypto. Can you imagine any two people on this list

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-05 Thread ianG
On 2/10/13 00:16 AM, James A. Donald wrote: On 2013-10-02 05:18, Jerry Leichter wrote: To be blunt, you have no idea what you're talking about. I worked at Google until a short time ago; Ben Laurie still does. Both of us have written, submitted, and reviewed substantial amounts of code in the

Re: [Cryptography] Sha3

2013-10-05 Thread John Kelsey
http://keccak.noekeon.org/yes_this_is_keccak.html --John

[Cryptography] A stealth redo on TLS with new encoding

2013-10-05 Thread Phillip Hallam-Baker
I think redoing TLS just to change the encoding format is to tilt at windmills. Same for HTTP (not a fan of CORE over DTLS), same for PKIX. But doing all three at once would actually make a lot of sense and I can see something like that actually happen. But only if the incremental cost of each

Re: [Cryptography] Sha3

2013-10-05 Thread radix42
Jerry Leichter wrote: Currently we have SHA-128 and SHA-256, but exactly why one should choose one or the other has never been clear - SHA-256 is somewhat more expensive, but I can't think of any examples where SHA-128 would be practical but SHA-256 would not. In practice, when CPU is thought

[Cryptography] System level security in low end environments

2013-10-05 Thread John Gilmore
b. There are low-end environments where performance really does matter. Those often have rather different properties than other environments--for example, RAM or ROM (for program code and S-boxes) may be at a premium. Such environments are getting very rare these days. For example, an

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-05 Thread Jerry Leichter
On Oct 4, 2013, at 12:20 PM, Ray Dillinger wrote: So, it seems that instead of AES256(key) the cipher in practice should be AES256(SHA256(key)). Is it not the case that (assuming SHA256 is not broken) this defines a cipher effectively immune to the related-key attack? Yes, but think about

Re: [Cryptography] Sha3

2013-10-05 Thread James A. Donald
On 2013-10-05 16:40, james hughes wrote: Instead of pontificating at length based on conjecture and conspiracy theories and smearing reputations based on nothing other than hot air But there really is a conspiracy, which requires us to consider conjectures as serious risks, and people

Re: [Cryptography] Sha3

2013-10-05 Thread Jerry Leichter
On Oct 5, 2013, at 11:54 AM, radi...@gmail.com wrote: Jerry Leichter wrote: Currently we have SHA-128 and SHA-256, but exactly why one should choose one or the other has never been clear - SHA-256 is somewhat more expensive, but I can't think of any examples where SHA-128 would be

Re: [Cryptography] Sha3

2013-10-05 Thread james hughes
On Oct 5, 2013, at 12:00 PM, John Kelsey crypto@gmail.com wrote: http://keccak.noekeon.org/yes_this_is_keccak.html From the authors: NIST's current proposal for SHA-3 is a subset of the Keccak family, one can generate the test vectors for that proposal using the Keccak reference code. and

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-05 Thread james hughes
On Oct 2, 2013, at 7:46 AM, John Kelsey crypto@gmail.com wrote: Has anyone tried to systematically look at what has led to previous crypto failures? T In the case we are now, I don't think that it is actually crypto failures (RSA is still secure, but 1024 bit is not. 2048 DHE is still