Re: Papers about "Algorithm hiding" ?

2005-06-07 Thread John Kelsey
>From: Ian G <[EMAIL PROTECTED]> >Sent: Jun 7, 2005 7:43 AM >To: John Kelsey <[EMAIL PROTECTED]> >Cc: Steve Furlong <[EMAIL PROTECTED]>, cryptography@metzdowd.com >Subject: Re: Papers about "Algorithm hiding" ? [My comment was that better crypto woul

Re: Papers about "Algorithm hiding" ?

2005-06-06 Thread John Kelsey
access to that data for a fee. I'll bet the Choicepoints of the world are pretty careful protecting, say, their payroll and HR records from disclosure. It's just *your* data they don't mind giving out to random criminals. No amount of crypto could have helped this. >iang --John

Re: NSA warned Bush it needed to monitor networks

2005-03-25 Thread John Kelsey
higher secrecy classifications, more top >than top, a process of classification inflation and debasement. I suspect something very similar happens with the watchlists. I wonder how many different layers of watchlist there are by now >--digsig > James A. Donald

Re: SHA-1 cracked

2005-02-22 Thread John Kelsey
's hard to be sure of that. Suppose I can find collisions of the form (X,X*) where X is three blocks long, and X* is four blocks long. Now, that won't work as a full collision, because the length padding at the end will change for X and X*. But I can find t

Re: SHA-1 cracked

2005-02-22 Thread John Kelsey
e best bet for a fallback right now, but it really hasn't seen anything like the amount of analysis I'd like. This is what it looks like when someone develops a new class of attack that breaks a whole bunch of your available cryptographic primitives in a big hurry. >

Re: SHA-1 cracked

2005-02-17 Thread John Kelsey
ess -- especially since it comes just a week after NIST stated >that there were no successful attacks on SHA-1. Well, there *weren't* any a week ago > --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb --John Kelsey --

Re: Is 3DES Broken?

2005-02-04 Thread John Kelsey
, it ends up making the keystream distinguishable from random. Also, most of the security proofs for block cipher constructions (like the secure CBC-MAC schemes) limit the number of blocks to some constant factor times 2^{n/2}. > --Prof. S

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-31 Thread John Kelsey
>From: Adam Shostack <[EMAIL PROTECTED]> >Sent: Jan 30, 2005 1:09 PM >Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute > That's a very interesting point. There are clearly times when it's >the case. I suspect, with no data to back me up, that a form of >hyperbolic discount

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-30 Thread John Kelsey
net access (maybe a wireless hop to a router that talks to a cable modem) to be eavesdropped by moderately technically savvy nosy neighbors, and because there are a lot of criminals who are using more technology, and will surely targe

Re: entropy depletion

2005-01-27 Thread John Kelsey
at the algorithm used by /dev/random, but I think there are some narrow pipe issues there which might limit the total entropy that can affect a sequence of outputs from a sequence of inputs.) >William Allen Simpson --John Kelsey --

Re: entropy depletion

2005-01-27 Thread John Kelsey
te to generate their high-value signing key, or the session key used to communicate their high-value secrets to some server, or whatever. > --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb --John Kelsey - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Entropy and PRNGs

2005-01-10 Thread John Kelsey
>From: John Denker <[EMAIL PROTECTED]> >Sent: Jan 10, 2005 12:21 AM >To: David Wagner <[EMAIL PROTECTED]> >Cc: cryptography@metzdowd.com >Subject: Re: Entropy and PRNGs >> Conditioned on everything known to the attacker, of course. >Well, of course indeed! That notion of entropy -- the entropy >

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-07 Thread John Kelsey
st output. What matters is how much entropy is shoved in between the time when the PRNG is in a known state, and the time when it's used to generate an output. --John Kelsey

Re: The Pointlessness of the MD5 "attacks"

2004-12-22 Thread John Kelsey
>From: Ben Laurie <[EMAIL PROTECTED]> >Sent: Dec 22, 2004 12:24 PM >To: David Wagner <[EMAIL PROTECTED]> >Cc: cryptography@metzdowd.com >Subject: Re: The Pointlessness of the MD5 "attacks" ... >Assuming you could find a collision s.t. the resulting decryption looked >safe with one version and uns

Re: Cryptography Research wants piracy speed bump on HD DVDs

2004-12-22 Thread John Kelsey
>From: Ian Grigg <[EMAIL PROTECTED]> >Sent: Dec 15, 2004 12:08 PM >To: cryptography@metzdowd.com >Subject: Re: Cryptography Research wants piracy speed bump on HD DVDs ... >A blockbuster worth $100m gets cracked ... and >the crack gets watermarked with the Id of the >$100 machine that played it.

Re: The Pointlessness of the MD5 "attacks"

2004-12-15 Thread John Kelsey
>From: Ben Laurie <[EMAIL PROTECTED]> >Sent: Dec 14, 2004 9:43 AM >To: Cryptography <[EMAIL PROTECTED]> >Subject: The Pointlessness of the MD5 "attacks" >Dan Kaminsky's recent posting seems to have caused some excitement, but >I really can't see why. In particular, the idea of having two differen

Re: Blinky Rides Again: RCMP suspect al-Qaida messages

2004-12-13 Thread John Kelsey
>From: Adam Shostack <[EMAIL PROTECTED]> >Sent: Dec 11, 2004 4:52 PM >Subject: Re: Blinky Rides Again: RCMP suspect al-Qaida messages ... >It seems consistent that Al Qaeda prefers being 'fish in the sea' to >standing out by use of crypto. Also, given the depth and breadth of >conspiracies they be

Re: MD5 To Be Considered Harmful Someday

2004-12-08 Thread John Kelsey
y's published a way to exploit the attack on full messages yet." > James A. Donald --John Kelsey

Re: Gov't Orders Air Passenger Data for Test

2004-11-21 Thread John Kelsey
News story quoted by RAH: >WASHINGTON - The government on Friday ordered airlines to turn over >personal information about passengers who flew within the United States in >June in order to test a new system for identifying potential terrorists. The interesting thing here is that they can't reall

A new academic hash result on the preprint server

2004-11-18 Thread John Kelsey
Guys, Bruce and I have a new result on hash function security, which uses Joux' multicollision trick in a neat way to allow long-message second preimage attacks. We've posted it to the e-print server. The basic result is that for any n-bit hash function built along the lines of SHA1 or Whirlp

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-19 Thread John Kelsey
you tell a reasonably bright computer programmer with no particular expertise in security about how to keep a bearer asset as valuable as his car stored securely on a networked computer? If you can't give him an answer that will really work in a world where these bear

Re: AES Modes

2004-10-12 Thread John Kelsey
>From: Ian Grigg <[EMAIL PROTECTED]> >Sent: Oct 10, 2004 11:11 AM >To: Metzdowd Crypto <[EMAIL PROTECTED]> >Subject: AES Modes >I'm looking for basic mode to encrypt blocks (using AES) >of about 1k in length, +/- an order of magnitude. Looking >at the above table (2nd link) there are oodles of p

Re: IBM's original S-Boxes for DES?

2004-10-06 Thread John Kelsey
>From: Dave Howe <[EMAIL PROTECTED]> >Sent: Oct 5, 2004 12:32 PM >To: [EMAIL PROTECTED] >Subject: Re: IBM's original S-Boxes for DES? > More accurately, they didn't protect against linear cryptanalysis - >there is no way to know if they knew about it and either didn't want to >make changes to

Re: Linux-based wireless mesh suite adds crypto engine support

2004-10-05 Thread John Kelsey
now, you've exposed the key outside the tamper-resistant module, which introduces a whole different set of problems. I'm sure there are some clever crypto protocol ways to address this (basically, do a zero-knowledge proof of the value of the random number you used in deriving

Re: Time for new hash standard

2004-09-22 Thread John Kelsey
>From: Ian Farquhar <[EMAIL PROTECTED]> >Sent: Sep 20, 2004 10:14 PM >To: "Hal Finney" <[EMAIL PROTECTED]>, [EMAIL PROTECTED], > [EMAIL PROTECTED] >Subject: Re: Time for new hash standard >At 05:43 AM 21/09/2004, Hal Finney wrote: >>I believe this is a MAC, despite the name. It seems t

Re: Academics locked out by tight visa controls

2004-09-20 Thread John Kelsey
>From: "R. A. Hettinga" <[EMAIL PROTECTED]> >Sent: Sep 20, 2004 8:33 AM >Subject: Academics locked out by tight visa controls > >Posted on Mon, Sep. 20, 2004 >Academics locked out by tight visa control

Re: will spammers early adopt hashcash? (Re: Spam Spotlight on Reputation)

2004-09-14 Thread John Kelsey
>From: Adam Back <[EMAIL PROTECTED]> >Sent: Sep 13, 2004 4:43 PM >To: Adam Shostack <[EMAIL PROTECTED]> >Cc: Ben Laurie <[EMAIL PROTECTED]>, bear <[EMAIL PROTECTED]>, > Hadmut Danisch <[EMAIL PROTECTED]>, > "R. A. Hettinga" <[EMAIL PROTECTED]>, [EMAIL PROTECTED], > Eric Johanss

Re: Implementation choices in light of recent attacks?

2004-09-06 Thread John Kelsey
n get some really nasty attacks if you can get Alice to use SHA256 and Bob to use SHA256 with the output truncated to 224 bits. (Yes, this is the reason SHA224 has a different starting IV than SHA256.) > Bear --John Kelsey

Re: ?splints for broken hash functions

2004-09-06 Thread John Kelsey
>From: "Hal Finney" <[EMAIL PROTECTED]> >Sent: Sep 1, 2004 1:55 PM >To: [EMAIL PROTECTED], [EMAIL PROTECTED] >Subject: Re: ?splints for broken hash functions >John Kelsey critiques the proposal from Practical Cryptography: ... > I believe this fall

Re: ?splints for broken hash functions

2004-09-01 Thread John Kelsey
>From: Ivan Krstic <[EMAIL PROTECTED]> >Sent: Aug 29, 2004 8:40 AM >To: Metzdowd Crypto <[EMAIL PROTECTED]> >Subject: Re: ?splints for broken hash functions >This is Schneier's and Ferguson's solution to then-known hash function >weaknesses in Practical Cryptography, Wiley Publishing, 2003: >"We

Re: HMAC?

2004-08-26 Thread John Kelsey
ays the *same* IV, if that helps, just not what it is. I don't think we can know that until we've seen the full explanation in the Wang et al. paper, which hasn't been released yet. --John Kelsey

Re: On hash breaks, was Re: First quantum crypto bank transfer

2004-08-25 Thread John Kelsey
gh. And new attacks (algebraic attacks, the integral attack that is so effective against reduced-round Rijndael versions) are always coming up, even so. I think seriously trying to beat up on our algorithms, publishing intermediate results, etc., is the best we can do at our current state of knowledge. >-- Jerry --John Kelsey

Re: Cryptography and the Open Source Security Debate

2004-08-10 Thread John Kelsey
> From: lrk <[EMAIL PROTECTED]> > Sent: Aug 6, 2004 1:04 PM > To: "R. A. Hettinga" <[EMAIL PROTECTED]> > Cc: [EMAIL PROTECTED] > Subject: Re: Cryptography and the Open Source Security Debate ... > More dangerous is a key generator which deliberately produces keys which > are easy to factor by some

Re: cryptograph(y|er) jokes?

2004-06-25 Thread John Kelsey
From: bear <[EMAIL PROTECTED]> Sent: Jun 22, 2004 3:46 PM Bob and Alice routinely discuss bombs, terrorism, tax cheating, sexual infidelity, and deviant sex over the internet. They conspire to commit crimes, share banned texts and suppressed news, or topple tyrannical governments whos

Re: Chalabi Reportedly Told Iran That U.S. Had Code

2004-06-08 Thread John Kelsey
they suspected >Crypto AG of selling them gear that had been doctored at the request of the >NSA. This would seem to confirm their suspicions). Did the Iranians actually think they could get technical information about a computer product from a *sale

Satellite eavesdropping of 802.11b traffic

2004-05-28 Thread John Kelsey
Guys, Does anyone know whether the low-power nature of wireless LANs protects them from eavesdropping by satellite? Is there some simple reference that would easily let me figure out whether transmitters at a given power are in danger of eavesdropping by satellite? Thanks, --John ---

RE: voting

2004-04-15 Thread John Kelsey
all over the country) is seriously scary. But it's sure not clear to me that adding computers to the mix must decrease security, or even must leave it unchanged. Peter Trei --John Kelsey, [EMAIL PROTECTED], who is definitely speaking only for himself. PGP: FA48 3237 9AD5 30AC EEDD BBC

Re: I don't know PAIN...

2004-01-02 Thread John Kelsey
e nothing but a hash function, and for all the variants of the Merkle puzzle schemes I can think of. (Which are public key, but just barely.) ... -- Jerry --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80

Re: Non-repudiation (was RE: The PAIN mnemonic)

2004-01-02 Thread John Kelsey
certain US government agency. :-) Surely a better government-related TLA for this would be derived from Non-changeability, Secrecy, and Authentication :) Richard --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948

RE: Keyservers and Spam

2003-06-13 Thread John Kelsey
in a PKI, even if there are technical mechanisms to do so. "And then you go out of business" is almost as unsatisfactory a protocol step as "And then you go to jail." Bear --J

RE: Keyservers and Spam

2003-06-13 Thread John Kelsey
s.) As you stated, that ends up undermining one of the assumptions of certificates and the web of trust. Also, it's nice to let e-mail software have some hope of figuring out which key in the keyring goes with which public key. Jill --John Kelsey, [EMAIL PROTEC

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread John Kelsey
you'd like to improve your own privacy, you can't buy an end-to-end encrypting phone and improve it much. That's what I'd like to see change. ... Eric --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259 ---

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread John Kelsey
. But the over-the-air stuff always gets encrypted. It sure seems like this would be worth putting up with a little delay in the call setup. (But maybe there's some reason this won't work.) Eric --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F2

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread John Kelsey
cryption isn't nearly as important. There's no reason it couldn't be supported, of course, when both endpoints had the right kind of phone, but it's a small additional value. The big win is to stop spewing private conversations over the radio in the clear. iang --John

Re: "PGP Encryption Proves Powerful"

2003-06-04 Thread John Kelsey
2/n schemes, most peoples' eyes glaze over. ... iang --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259

Re: Nullsoft's WASTE communication system

2003-06-02 Thread John Kelsey
pend lots of time trying to break it. The still-unresolved question is whether those equation-solving attacks can really be used against AES, and there doesn't seem to be anyone who's completely confident of the answer to that question. ... Bear --John Kelsey, [EM

Re: "PGP Encryption Proves Powerful"

2003-06-02 Thread John Kelsey
technologically sophisticated terrorists and spies were doing stuff like that. (You could easily do this with pen and paper, too, for simple control structures. Each member of the cell holds some parts of the password written down, and 4/5 of them have to get together to reconstruct the full password.)

Re: "PGP Encryption Proves Powerful"

2003-06-02 Thread John Kelsey
swords, and the cops may try to beat the answers out of you if they're convinced enough that you're a bad guy --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259
