Re: Password hashing
> A proposal for a new password hashing based on SHA-256 or SHA-512 has > been proposed by RedHat but to my knowledge has not had any rigorous > analysis. The motivation for this is to replace MD-5 based password > hashing at banks where MD-5 is on the list of "do not use" algorithms. > I would prefer not to have the discussion "MD-5 is good enough for > this algorithm" since it is not an argument that the customers > requesting these changes are going to accept. blowfish anyone? http://www.usenix.org/events/usenix99/provos/provos_html/ itojun - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: improving ssh
i'm an OpenBSD developer, so i have some knowlege but could be biased. > SSH (OpenSSH) is routinely used in secure access for remote server > maintenance. However, as I see it, SSH has a number of security issues > that have not been addressed (as far I know), which create unnecessary > vulnerabilities. > > Some issues could be minimized by turning off password authentication, > which is not practical in many cases. Other issues can be addressed by > additional means, for example: > > 1. firewall port-knocking to block scanning and attacks > 2. firewall logging and IP disabling for repeated attacks (prevent DoS, > block dictionary attacks) i guess it can be handled in lines of spamd (greylisting) on OpenBSD. > 3. pre- and post-filtering to prevent SSH from advertising itself and > server OS is there any point in this as you can fingerprint OS both actively (nmap) and passively (p0f)? > 4. block empty authentication requests > 5. block sending host key fingerprint for invalid or no username > 6. drop SSH reply (send no response) for invalid or no username i can understand your desire, but this is a feature used by some of the anonymous services such as anonymous CVS. i'd leave it to openssh developers. itojun - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
How the Chinese internet is tapped.
on a similar topic as Greek. i was in Shinsen and DongAng, mainland china (right next to HongKong). i was able to experience GSM/GPRS Internet as well as hotel wired Internet (both are IPv4, sigh). in both cases, TCP port 80 (http) was sucked into transparent web proxy (squid). i was careful enough not to type offensive words, but zh.wikipedia.org was invisible (squid raises some kind of connection error, always). ja.wikipedia.org and en.wikipedia.org were visible. luckily TCP port 22 was open. the hotel net was behind NAT so i could not use IPsec VPN. i did not have enough time to configure NAT traversal stuff. from my past experience with chinese academic network operated in some university in Beijing (i forgot the name of the network/ university), i know that every connectivity from china goes out of Beijing. at least in year 2000-2002 timeframe. so if it is still true (inject me some clue if you know about the current situation), all the traffic that go out of china are tapped in Beijing. i'm wondering what kind of server farm they are operating which are able to suck all TCP port 80 traffic from the entire china... i forgot to run nmap OS fingerprint :-( also, my friend in china was using Skype from Tom Online on top of Windows. i did not believe it until i see it, but ContentFilter.exe was really there. it is the backdoor process for Tom Online Skype which transmits cleartext content to somewhere, which is likely to be some law enforcement or government organization. otherwise, Skype traffic is totally encrypted - see "silver needle in skype" paper. i was informed that it is a common practice for south east asian nations to run censorship on the internet. for instance, in thai www.youtube.com is not accessible. they have never seen dodolook, very cute taiwanese girl from canada (IIRC) i guess. for more info, the following URL would be useful. Japanese content and English content are a bit different so if possible be sure to check both of them (and other languages if possible). the email is encoded in iso-2022-jp (Japanese standard encoding for email) but when you click it please click it Japanese URL in utf-8. http://en.wikipedia.org/wiki/Golden_Shield_Project http://ja.wikipedia.org/wiki/
Re: SSL accel cards
> Does anyone know of an SSL acceleration card that actually works under > Linux/*BSD? I've been looking at vendor web pages (AEP, Rainbow, etc), and > while they all claim to support Linux, Googling around all I find are people > saying "Where can I get drivers? The ones shipped only work on RedHat > 5.2 with a 2.0.36 kernel." (or some similar 4-6 year old system), and certainly > they don't (gasp) make updated versions available for download. Because someone > might... what, steal the driver? Anyway... with openbsd, http://www.openbsd.org/crypto.html#hardware itojun - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]