Re: picking a hash function to be encrypted

2006-05-14 Thread Eric Rescorla
"Travis H." <[EMAIL PROTECTED]> writes: > So... > > Suppose I want a function to provide integrity and authentication, and > that is to be combined with a stream cipher (as is the plaintext). I > believe that authentication is free once I have integrity given the > fact that the hash value is sup

Re: picking a hash function to be encrypted

2006-05-17 Thread Eric Rescorla
"Travis H." <[EMAIL PROTECTED]> writes: > On 5/14/06, Victor Duchovni <[EMAIL PROTECTED]> wrote: >> Security is fragile. Deviating from well understood primitives may be >> good research, but is not good engineering. Especially fragile are: > > Point taken. This is not for a production system, it

Good to see the FBI follows procedures

2007-12-20 Thread Eric Rescorla
Ryan Singel reports that despite the rather lax standards required for wiretaps, some FBI agents seem to have decided that they could skip procedure: The revelation is the second this year showing that FBI employees bypassed court order requirements for phone records. In July, the FBI

Re: Dutch Transport Card Broken

2008-01-30 Thread Eric Rescorla
At Wed, 30 Jan 2008 09:04:37 +1000, James A. Donald wrote: > > Ivan Krstic' wrote: > > Some number of these muppets approached me over the > > last couple of years offering to donate a free license > > for their excellent products. I used to be more polite > > about it, but nowadays I ask that

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-01-30 Thread Eric Rescorla
At Wed, 30 Jan 2008 11:25:04 +0100, Philipp Gühring wrote: > > Hi, > > > SSL key distribution and management is horribly broken, > > with the result that everyone winds up using plaintext > > when they should not. > > Yes, sending client certificates in plaintext while claiming that SSL/TLS is

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-01-30 Thread Eric Rescorla
At Wed, 30 Jan 2008 17:59:51 -, Dave Korn wrote: > > On 30 January 2008 17:03, Eric Rescorla wrote: > > > >>> We really do need to reinvent and replace SSL/TCP, > >>> though doing it right is a hard problem that takes more > >>> than morning

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-01-31 Thread Eric Rescorla
At Thu, 31 Jan 2008 03:04:00 +0100, Philipp Gühring wrote: > > Hi, > > > Huh? What are you claiming the problem with sending client certificates > > in plaintext is > > * It's a privacy problem > * It's a security problem for people with a security policy that requires the > their identities t

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Eric Rescorla
At Fri, 01 Feb 2008 18:42:03 +1000, James A. Donald wrote: > > Guus Sliepen wrote: > > Peter's write-up was the reason I subscribed to this cryptography > > mailing list. After a while the anger/hurt feelings I had disappeared. > > I knew then that Peter was right in his arguments. Nowadays I can

Re: Gutmann Soundwave Therapy

2008-02-03 Thread Eric Rescorla
At Sun, 03 Feb 2008 12:51:25 +1000, James A. Donald wrote: > > -- > Ivan Krstic' wrote: > > The wider point of Peter's writeup -- and of the > > therapy -- is that developers working on security > > tools should _know_ they're working in a notoriously, > > infamously hard field where the

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Eric Rescorla
At Mon, 4 Feb 2008 09:33:37 -0500 (EST), Leichter, Jerry wrote: > > Commenting on just one portion: > | 2. VoIP over DTLS > | As Perry indicated in another message, you can certainly run VoIP > | over DTLS, which removes the buffering and retransmit issues > | James is alluding to. Similarly, you

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Eric Rescorla
At Mon, 04 Feb 2008 14:29:50 +1000, James A. Donald wrote: > > James A. Donald wrote: > >> I have figured out a solution, which I may post here > >> if you are interested. > > Ian G wrote: > > I'm interested. FTR, zooko and I worked on part of > > the problem, documented briefly here: > > h

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Eric Rescorla
At Thu, 7 Feb 2008 10:34:42 -0500 (EST), Leichter, Jerry wrote: > | Since (by definition) you don't have a copy of the packet you've lost, > | you need a MAC that survives that--and is still compact. This makes > | life rather more complicated. I'm not up on the most recent lossy > | MACing literat

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Eric Rescorla
At Thu, 7 Feb 2008 14:42:36 -0500 (EST), Leichter, Jerry wrote: > | > Obviously, if you *really* use every k'th packet to define what is in > | > fact a substream, an attacker can arrange to knock out the substream he > | > has chosen to attack. So you use your encryptor to permute the > | > subst

Re: OpenSparc -- the open source chip (except for the crypto parts)

2008-05-05 Thread Eric Rescorla
At Sun, 04 May 2008 20:14:42 -0400, Perry E. Metzger wrote: > > > Marcos el Ruptor <[EMAIL PROTECTED]> writes: > > All this open-source promotion is a huge waste of time. Us crackers > > know exactly how all the executables we care about (especially all > > the crypto and security related program

Re: blacklisting the bad ssh keys?

2008-05-22 Thread Eric Rescorla
At Wed, 14 May 2008 19:52:58 -0400, Steven M. Bellovin wrote: > > Given the published list of bad ssh keys due to the Debian mistake (see > http://metasploit.com/users/hdm/tools/debian-openssl/), should sshd be > updated to contain a blacklist of those keys? I suspect that a Bloom > filter would

Re: Using a MAC in addition to symmetric encryption

2008-06-29 Thread Eric Rescorla
At Fri, 27 Jun 2008 07:52:59 -0700 (PDT), Erik Ostermueller wrote: > If I exchange messages with a system and the messages are encrypted > with a symmetric key, what further benefit would we get by using a > MAC (Message Authentication Code) along with the message encryption? > Being new to all thi

Re: how bad is IPETEE?

2008-07-10 Thread Eric Rescorla
At Thu, 10 Jul 2008 18:10:27 +0200, Eugen Leitl wrote: > > > In case somebody missed it, > > http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE) > > I'm not sure what the status of http://postel.org/anonsec/ > is, the mailing list traffic dried up a while back. This is the firs

Re: how bad is IPETEE?

2008-07-16 Thread Eric Rescorla
At Tue, 15 Jul 2008 18:33:10 -0400 (EDT), Leichter, Jerry wrote: > For an interesting discussion of IPETEE, see: > > www.educatedguesswork.org/moveabletype/archives/2008/07/ipetee.html > > Brief summary: This is an initial discussion - the results of a > drinking session - that got leaked as an

Re: The PKC-only application security model ...

2008-07-24 Thread Eric Rescorla
At Wed, 23 Jul 2008 17:32:02 -0500, Thierry Moreau wrote: > > > > Anne & Lynn Wheeler wrote about various flavors of certificateless > public key operation in various standards, notably in the financial > industry. > > Thanks for reporting those. > > No doubt that certificateless public key

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Eric Rescorla
At Fri, 8 Aug 2008 11:50:59 +0100, Ben Laurie wrote: > However, since the CRLs will almost certainly not be checked, this > means the site will still be vulnerable to attack for the lifetime of > the certificate (and perhaps beyond, depending on user > behaviour). Note that shutting down the site D

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Eric Rescorla
At Fri, 8 Aug 2008 17:31:15 +0100, Dave Korn wrote: > > Eric Rescorla wrote on 08 August 2008 16:06: > > > At Fri, 8 Aug 2008 11:50:59 +0100, > > Ben Laurie wrote: > >> However, since the CRLs will almost certainly not be checked, this > >> means the site

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Eric Rescorla
At Fri, 08 Aug 2008 10:43:53 -0700, Dan Kaminsky wrote: > Eric Rescorla wrote: > > It's easy to compute all the public keys that will be generated > > by the broken PRNG. The clients could embed that list and refuse > > to accept any certificate containing one of them

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Eric Rescorla
At Fri, 8 Aug 2008 15:52:07 -0400 (EDT), Leichter, Jerry wrote: > > | > > Funnily enough I was just working on this -- and found that we'd > | > > end up adding a couple megabytes to every browser. #DEFINE > | > > NONSTARTER. I am curious about the feasibility of a large bloom > | > > filter tha

Re: Voting machine security

2008-08-18 Thread Eric Rescorla
At Fri, 15 Aug 2008 11:57:38 -0400, John Ioannidis wrote: > > This just about sums it up: http://xkcd.com/463/ Without directly addressing the question of the quality of Diebold's offerings, I actually don't think the criticism implied here is entirely fair. If you're going to have voting machine

Re: [p2p-hackers] IETF rejects Obfuscated TCP

2008-08-20 Thread Eric Rescorla
At Tue, 19 Aug 2008 20:57:33 -0700, Alex Pankratov wrote: > > CC'ing cryptography mail list as it may be of some interest to the > folks over there. > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:p2p-hackers- > > [EMAIL PROTECTED] On Behalf Of Lars Eggert > > Sent: August 1

Re: [p2p-hackers] IETF rejects Obfuscated TCP

2008-08-20 Thread Eric Rescorla
At Wed, 20 Aug 2008 11:59:48 -0700, Alex Pankratov wrote: > > May I ask what you're trying to accomplish? Recall that TLS doesn't > > start until a TCP connection has been established, so there's > > already a proof of the round trip. > > > > That said, a mechanism of this type has already been des

Re: [p2p-hackers] IETF rejects Obfuscated TCP

2008-08-20 Thread Eric Rescorla
At Wed, 20 Aug 2008 13:27:50 -0700, Adam Langley wrote: > > On Wed, Aug 20, 2008 at 1:15 PM, Alex Pankratov <[EMAIL PROTECTED]> wrote: > > Based on this reply alone I'm not sure I follow. I also read quickly > > through your exchange on TCPM and your comments appear to be specific > > to Adam's dr

Some notes on the Debian OpenSSL PRNG bug and DHE

2008-08-22 Thread Eric Rescorla
Some colleagues (Hovav Shacham, Brandon Enright, Scott Yikel, and Stefan Savage) and I have been doing some followup work on the Debian OpenSSL PRNG bug. Perry suggested that some cryptography readers might be interested in our preliminary analysis of the DHE angle, which can be found here: http:/

Re: Decimal encryption

2008-08-27 Thread Eric Rescorla
At Wed, 27 Aug 2008 17:05:44 +0200, Philipp Gühring wrote: > > Hi, > > I am searching for symmetric encryption algorithms for decimal strings. > > Let's say we have various 40-digit decimal numbers: > 2349823966232362361233845734628834823823 > 3250920019325023523623692235235728239462 > 019823019

Re: Decimal encryption

2008-08-27 Thread Eric Rescorla
At Wed, 27 Aug 2008 16:10:51 -0400 (EDT), Jonathan Katz wrote: > > On Wed, 27 Aug 2008, Eric Rescorla wrote: > > > At Wed, 27 Aug 2008 17:05:44 +0200, > > There are a set of techniques that allow you to encrypt elements of > > arbitrary sets back onto that set. > &g

Re: Decimal encryption

2008-08-28 Thread Eric Rescorla
At Thu, 28 Aug 2008 17:32:10 +1200, Peter Gutmann wrote: > > Eric Rescorla <[EMAIL PROTECTED]> writes: > > >There are a set of techniques that allow you to encrypt elements of arbitrary > >sets back onto that set. > > ... and most of them seem to be excessively

Re: [OpenID] rfc2817: https vs http

2008-09-01 Thread Eric Rescorla
At Mon, 1 Sep 2008 21:00:55 +0100, Ben Laurie wrote: > The core issue is that HTTPS is used to establish end-to-end security, > meaning, in particular, authentication and secrecy. If the MitM can > disable the upgrade to HTTPS then he defeats this aim. The fact that > the server declines to serve a

Re: [OpenID] rfc2817: https vs http

2008-09-01 Thread Eric Rescorla
At Mon, 1 Sep 2008 21:56:52 +0100, Ben Laurie wrote: > > On Mon, Sep 1, 2008 at 9:49 PM, Eric Rescorla <[EMAIL PROTECTED]> wrote: > > At Mon, 1 Sep 2008 21:00:55 +0100, > > Ben Laurie wrote: > >> The core issue is that HTTPS is used to establish end-to-end secu

Re: once more, with feeling.

2008-09-21 Thread Eric Rescorla
At Sat, 20 Sep 2008 15:55:12 -0400, Steven M. Bellovin wrote: > > On Thu, 18 Sep 2008 17:18:00 +1200 > [EMAIL PROTECTED] (Peter Gutmann) wrote: > > > - Use TLS-PSK, which performs mutual auth of client and server > > without ever communicating the password. This vastly complicated > > phishing s

Re: MD5 considered harmful today

2008-12-30 Thread Eric Rescorla
At Tue, 30 Dec 2008 11:51:06 -0800 (PST), "Hal Finney" wrote: > Therefore the highest priority should be for the six bad CAs to change > their procedures, at least start using random serial numbers and move > rapidly to SHA1. As long as this happens before Eurocrypt or whenever > the results end up

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-23 Thread Eric Rescorla
At Tue, 20 Jan 2009 17:57:09 +1300, Peter Gutmann wrote: > > "Steven M. Bellovin" writes: > > >So -- who supports TLS 1.2? > > Not a lot, I think. The problem with 1.2 is that it introduces a pile of > totally gratuitous incompatible changes to the protocol that require quite a > bit of effort

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-24 Thread Eric Rescorla
At Sat, 24 Jan 2009 14:55:15 +1300, Peter Gutmann wrote: > >Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those > >between SSL and TLS. I'm not particularly happy about that either, but it's > >what we felt was necessary to do a principled job. > > It may have been a nicely prin

SHA-1 collisions now at 2^{52}?

2009-04-30 Thread Eric Rescorla
McDonald, Hawkes and Pieprzyk claim that they have reduced the collision strength of SHA-1 to 2^{52}. Slides here: http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf Thanks to Paul Hoffman for pointing me to this. -Ekr

Re: SHA-1 collisions now at 2^{52}?

2009-05-02 Thread Eric Rescorla
At Sat, 02 May 2009 21:53:40 +1200, Peter Gutmann wrote: > > "Perry E. Metzger" writes: > >Greg Rose writes: > >> It already wasn't theoretical... if you know what I mean. The writing > >> has been on the wall since Wang's attacks four years ago. > > > >Sure, but this should light a fire under p

Re: SHA-1 collisions now at 2^{52}?

2009-05-02 Thread Eric Rescorla
At Sat, 2 May 2009 15:00:36 -0400, Matt Blaze wrote: > The serious concern here seems to me not to be that this particular > weakness is a last straw wedge that enables some practical attack > against some particular protocol -- maybe it is and maybe it isn't. > What worries me is that SHA-1 has be

Re: TLS break

2009-11-16 Thread Eric Rescorla
At Tue, 10 Nov 2009 20:11:50 -0500, d...@geer.org wrote: > > > | > | This is the first attack against TLS that I consider to be > | the real deal. To really fix it is going to require a change to > | all affected clients and servers. Fortunately, Eric Rescorla > | has
