Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Oct 6, 2010, at 10:48 AM, Victor Duchovni wrote:

> On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:
>
>> From https://wiki.mozilla.org/CA:MD5and1024:
>>
>> December 31, 2010 - CAs should stop issuing intermediate and end-entity
>> certificates from roots with RSA key sizes smaller than 2048 bits [0]. All
>> CAs should stop issuing intermediate and end-entity certificates with RSA
>> key size smaller than 2048 bits under any root.
>>
>> [...]
>>
>> [0] This is ambiguously worded, but it's talking about key sizes in EE certs.
>
> What are "EE certs", did you mean "EV"?

EE = End Entity, but I don't read the first sentence the way Peter did. I parse it as

>> CAs should stop issuing (intermediate and end-entity
>> certificates) from (roots with RSA key sizes smaller than 2048 bits).

That is, if your CA key size is smaller, stop signing with it. Of course, if it's important to stop signing with it, it's equally important to revoke all signatures already made.
Re: 2048-bit RSA keys
On Aug 17, 2010, at 10:25 PM, John Gilmore wrote:

> (Given their prediction that they won't be done with a 1024-bit number
> within 5 years, but they will be done "well within the next decade",
> which 1024-bit number are they starting to factor now? I hope it's a
> major key that certifies big chunks of the Internet for https today,
> rather than one of those silly challenge keys.)

If they announced which key they were working on, I would completely expect someone to demand a very amusing injunction against the performing of arithmetical operations. "When mathematics is outlawed ..."

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: 2048-bit RSA keys
On Aug 15, 2010, at 8:35 PM, Arash Partow wrote:

> Just out of curiosity, assuming the optimal use of today's best of breed
> factoring algorithms - will there be enough energy in our solar system to
> factorize a 2048-bit RSA integer?

Computation can be performed with arbitrarily small energy expenditure or entropy increase. http://en.wikipedia.org/wiki/Reversible_computing

Not by the architectures we use, of course.
Re: Intel to also add RNG
On Jul 12, 2010, at 11:22 AM, Perry E. Metzger wrote:

> The literature makes it clear at this point that short of carefully
> tearing apart and analyzing the entire chip, you're not going to catch
> subtle behavioral changes designed to allow attackers backdoor
> access.

I happen to be re-reading Vernor Vinge's _A Deepness in the Sky_ right now. In it, a conquering power needs to use the computing and communication technology of its subjugated foe, and has unusual resources to carry out a thorough code audit. However, the foe has been hiding secrets since before the victors were fooling with electricity ...
Re: Question regarding common modulus on elliptic curve cryptosystems
On Mar 21, 2010, at 4:13 PM, Sergio Lerner wrote:

> I looking for a public-key cryptosystem that allows commutation of the
> operations of encryption/decryption for different users keys
> ( Ek(Es(m)) = Es(Ek(m)) ).
> I haven't found a simple cryptosystem in Zp or Z/nZ.
>
> I think the solution may be something like the RSA analogs in elliptic
> curves. Maybe a scheme that allows the use of a common modulus for all users
> (RSA does not).

If your application can work with a trusted authority generating all the keypairs, and you sacrifice the use of short public exponents *and* sacrifice the possession of the factors of the modulus by the key owners, making them do more work on decryption, I think you can have what you asked for. But that's a lot of ifs.
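A worked illustration of the common-modulus arrangement sketched in the reply above, added here as an example and not taken from the original post or its author. A trusted authority holds the factors of one shared modulus N and hands each user only an (e, d) pair, so E_k(E_s(m)) = E_s(E_k(m)) = m^(e_k e_s) mod N and the layers can be peeled off in either order. The Mersenne-prime modulus (M127 times M89, far too small for real use), the name-derived exponents and the user names are assumptions of this example. The last function shows the standard result that any holder of a valid (e, d) pair for N can recover P and Q, which is why "the key owners don't possess the factors" is a condition that cannot be enforced by merely withholding them.

```python
import hashlib
import math

# Toy shared modulus built from two Mersenne primes, M127 and M89, chosen so the
# example is deterministic and runs instantly.  These parameters are an
# assumption of the example; a real modulus would be 2048 bits or more.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)


def issue_keypair(user: str):
    """Trusted authority: derive a large odd public exponent from the user name
    (so the example repeats) and compute the matching private exponent for the
    shared modulus.  The user receives (e, d) and N only, never P and Q."""
    e = int.from_bytes(hashlib.sha256(user.encode()).digest()[:24], "big") | 1
    while math.gcd(e, PHI) != 1:
        e += 2
    d = pow(e, -1, PHI)
    return e, d


def encrypt(m: int, e: int) -> int:
    return pow(m, e, N)


def decrypt(c: int, d: int) -> int:
    # No CRT speed-up is possible: the key holder was not given P and Q.
    return pow(c, d, N)


def commutes(m: int, e1: int, e2: int) -> bool:
    """E_k(E_s(m)) == E_s(E_k(m)) because both equal m^(e1*e2) mod N."""
    return encrypt(encrypt(m, e1), e2) == encrypt(encrypt(m, e2), e1)


def factor_from_private_key(n: int, e: int, d: int):
    """Recover the factors of n from any valid (e, d) pair for n.
    e*d - 1 is a multiple of lambda(n), so writing e*d - 1 = 2^t * k with k odd
    and repeatedly squaring g^k mod n reaches 1; for most bases g the value
    just before 1 is a non-trivial square root of 1, and gcd(x - 1, n) splits n."""
    k = e * d - 1
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    for g in range(2, 100):
        x = pow(g, k, n)
        if x in (1, n - 1):
            continue
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:
                p = math.gcd(x - 1, n)
                if 1 < p < n:
                    return min(p, n // p), max(p, n // p)
                break
            if y == n - 1:
                break
            x = y
    return None


if __name__ == "__main__":
    e_alice, d_alice = issue_keypair("alice")
    e_bob, d_bob = issue_keypair("bob")
    m = 123456789
    print("commutes:", commutes(m, e_alice, e_bob))
    print("alice can factor N from her own key:", factor_from_private_key(N, e_alice, d_alice) == (Q, P))
```

Run as a script it reports that the two encryptions commute and that Alice, holding nothing but her own (e, d), recovers the factors of the shared modulus.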
Re: Crypto dongles to secure online transactions
On Nov 10, 2009, at 8:44 AM, Jerry Leichter wrote: Whether or not it can, it demonstrates the hazards of freezing implementations of crypto protocols into ROM: Imagine a world in which there are a couple of hundred million ZTIC's or similar devices fielded - and a significant vulnerability is found in the protocol they speak. Imagine a couple of hundred million devices with updatable firmware on them, and one or more rogue updates in the wild.
Re: FileVault on other than home directories on MacOS?
On Sep 21, 2009, at 3:57 PM, Steven Bellovin wrote: Is there any way to use FileVault on MacOS except on home directories? I don't much want to use it on my home directory; it doesn't play well with Time Machine (remember that availability is also a security property); besides, different directories of mine have different sensitivity levels. According to an Apple security person who spoke here about a year ago, you can use the underlying CLI to do everything FileVault does, but at some other point(s) in the directory tree than home directories.
Re: "Fed's RFIDiocy pwnd at DefCon"
On Sep 1, 2009, at 9:55 PM, Jerry Leichter wrote: ". . . federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader. The reader, connected to a web camera, sniffed data from RFID- enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view" I told them so... http://csrc.nist.gov/groups/SNS/piv/documents/FIPS201-Public-Comments/Fermilab-Computer-Security.pdf
Re: The password-reset paradox
On Feb 21, 2009, at 10:26 PM, Charlie Kaufman wrote: Assuming that's true, OTP tokens add costs by introducing new failure modes (e.g., I lost it, I ran it through the washing machine, etc.) Or even more surprising hazards. http://home.fnal.gov/~crawdad/CryptoCard.jpg The token on the left in that picture was issued in 2003 by postal mail to a Sloan Digital Sky Survey collaborator at the US Naval Observatory. All incoming packages were subjected to high doses of electron and x-ray radiation, as it is also the residence of the Vice President. On the right is the normal appearance of the token and its holder.
XKCD shows the real world of cryptography to the masses
Perry, I couldn't possibly be the first to pass along today's XKCD, could I? http://xkcd.com/538/
Re: padlocks with backdoors - TSA approved
Each of these (three digit code) locks had a small keyhole for the master key to open. I'm just waiting for someone with access to photograph said keys and post it all over the internet. I'm just waiting for two or three governments to demand the same access to my luggage. Mechanically solvable, yes (link locks in series), but it will hasten the collapse-by-ridicule. Ceterum censeo Fenestras esse delendas.
Re: Banking Follies
I once got email from my bank (which has since merged and then been merged into Chase) offering me some new service, and correctly identifying me as an account holder. However, I had never given them any email address! I called them about this and they said it was "a computer error." The error was cross-linking the Big Brother computer to the sales promotion computer, I guess. Now that they are Chase, I drove up to the ATM in the bank's drive-through lanes and used it in the ordinary way and received, instead of my receipt, a yards-long hex dump of the ATM's memory. That was fun. I still have the souvenir, since the bank wasn't interested.
Re: statistical inferences and PRNG characterization
On May 19, 2006, at 6:51, Travis H. wrote: As I understand it, when looking at output, one can take a hypothetical source model (e.g. "P(0) = 0.3, P(1) = 0.7, all bits independent") and come up with a probability that the source may have generated that output. One can come up with the probability that the defined source will generate that output in a single run. One cannot, however, say what probability such a source had generated the output, because there is an infinite number of sources (e.g. "P(0) = 0.2.., P(1) = 7.000..."). Can one say that, if the source must be A or B, what probability it actually was A (and if so, how)? If you can put your question into the form, "Source A or B is chosen with probability pA or 1-pA. Output X is generated. What is the probability that it was source A that was chosen?" then Bayesian inference can answer the question. However, you don't generally have a known a priori probability of each source being chosen, and you don't even know the characteristics of the "other" source. You can generalize to an arbitrary number of alternative sources, but that doesn't provide the prior data that's lacking.
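The two-source question above, carried through as an added example (not part of the original post). Each candidate source is a memoryless bit generator with its own P(1); given a prior over the candidates and an observed output string, Bayes' rule gives P(source | output) = prior * P(output | source) / evidence. The code generalizes to any finite set of candidate sources, as the reply says one can, and the sample output string and the candidate parameters are constructed for the example. Running it with two different priors on the same output shows the point the reply makes: the answer is only as good as the prior you were able to supply.

```python
import math


def log_likelihood(bits: str, p1: float) -> float:
    """log P(bits | source) for a memoryless source emitting '1' with probability p1."""
    ll = 0.0
    for b in bits:
        p = p1 if b == "1" else 1.0 - p1
        if p == 0.0:
            return -math.inf          # this source can never emit that symbol
        ll += math.log(p)
    return ll


def posterior(bits: str, sources: dict, prior: dict) -> dict:
    """P(source | bits) for every candidate in `sources` (name -> p1), given
    `prior` (name -> P(source)).  Computed in the log domain so long outputs
    do not underflow."""
    log_joint = {}
    for name, p1 in sources.items():
        pr = prior.get(name, 0.0)
        if pr == 0.0:
            log_joint[name] = -math.inf
        else:
            log_joint[name] = math.log(pr) + log_likelihood(bits, p1)
    m = max(log_joint.values())
    if m == -math.inf:
        raise ValueError("no candidate source with non-zero prior can produce this output")
    weights = {k: math.exp(v - m) for k, v in log_joint.items()}
    z = sum(weights.values())
    return {k: w / z for k, w in weights.items()}


# Constructed sample: four observed bits and two hypothesised sources.
SAMPLE_OUTPUT = "1111"
SOURCES = {"A": 0.7, "B": 0.5}          # P(1) under each hypothesis


def compare_priors(bits: str = SAMPLE_OUTPUT):
    """Same output, two different priors: the posterior for A swings from
    roughly 0.79 to under 0.04, which is the 'missing prior data' problem."""
    even = posterior(bits, SOURCES, {"A": 0.5, "B": 0.5})
    skewed = posterior(bits, SOURCES, {"A": 0.01, "B": 0.99})
    return even["A"], skewed["A"]


if __name__ == "__main__":
    print("P(A | %s) with even prior, skewed prior: %.4f, %.4f" % ((SAMPLE_OUTPUT,) + compare_priors()))
```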
Re: passphrases with more than 160 bits of entropy
On Mar 22, 2006, at 20:11, John Denker wrote: But if you apply it thoughtfully to a single fixed sequence, you correctly get the answer zero. I agree with all that, except for the "But". Shannon well knew that the entropy was zero in such a situation. Sure. The "but" was to someone who thought the application would give a different answer.
Re: passphrases with more than 160 bits of entropy
Let me rephrase my sequence. Create a sequence of 256 consecutive bytes, with the first byte having the value of 0, the second byte the value of 1, ... and the last byte the value of 255. If you measure the entropy (according to Shannon) of that sequence of 256 bytes, you have maximum entropy. I so often get irritated when non-physicists discuss entropy. The word is almost always misused. I looked at Shannon's definition and it is fine, from a physics point of view. But if you apply it thoughtfully to a single fixed sequence, you correctly get the answer zero. If your sequence is defined to be { 0, 1, 2, ..., 255 }, the probability of getting that sequence is 1 and of any other sequence, 0. Plug it in. If you have a generator of 8-bit random numbers and every sample is independent and uniformly distributed, and you ran this for a gazillion iterations and wrote to the list one day saying the special sequence { 0, 1, 2, ..., 255 } had appeared in the output, that's a different story. But still, we would talk about the entropy of your generator, not of one particular sequence of outputs.
Re: another feature RNGs could provide
On Dec 21, 2005, at 0:10, Ben Laurie wrote: Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. A given cipher, with a given key, is a permutation of blocks. (Assuming output blocks and input blocks are the same size.) It may be (and often is) the case that the set of all keys does not span the set of all possible permutations, in which case the permutations { E_k() | k in set of all keys } may or may not turn out to be a group. For blocks of n bits and keys of m bits, there are n! permutations but 2^m of them are representable by some key. If m = n, this is a fraction roughly equal to (2e/n)^n About 10^-70 for n=64. I don't know the probability of a randomly selected subset of a permutation group being a group, but at these scales, I bet it's small.
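An added example (not from the post) that makes the "permutation versus group" distinction concrete on a toy 4-bit block cipher, where everything can be enumerated. Each key of either toy cipher is a permutation of the 16 possible blocks. For a finite set of permutations, being closed under composition is exactly the condition for being a group, and that is the property Ben Laurie calls bad: if E_k1 o E_k2 is always some E_k3, double encryption buys nothing. The XOR-only cipher below is closed (k3 = k1 XOR k2); the one-round S-box cipher is not. The 4-bit S-box is the PRESENT cipher's, used only as a convenient nonlinear permutation; the two toy ciphers themselves are constructions of this example.

```python
from itertools import product

BLOCK_BITS = 4
SPACE = range(1 << BLOCK_BITS)

# 4-bit S-box of the PRESENT block cipher: a convenient nonlinear permutation.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def xor_cipher(k):
    """E_k(x) = x XOR k.  One permutation of the block space per key."""
    return tuple(x ^ k for x in SPACE)


def spn_cipher(k):
    """E_k(x) = S(x XOR k) XOR k.  Toy one-round SPN; also a permutation per key."""
    return tuple(SBOX[x ^ k] ^ k for x in SPACE)


def compose(f, g):
    """Permutation x -> f(g(x)): encrypt with g first, then with f."""
    return tuple(f[g[x]] for x in SPACE)


def is_permutation(p):
    return sorted(p) == list(SPACE)


def keyed_family(cipher):
    """{ E_k | k in all keys } for a cipher whose key space equals the block space."""
    return {k: cipher(k) for k in SPACE}


def closed_under_composition(family):
    """Closure under composition is the subgroup test for a finite set of
    permutations.  Returns (closed, witness); the witness is a key pair whose
    composition is not the permutation of any single key."""
    perms = set(family.values())
    for k1, k2 in product(SPACE, repeat=2):
        if compose(family[k1], family[k2]) not in perms:
            return False, (k1, k2)
    return True, None


def equivalent_single_key(family, k1, k2):
    """If E_k1 o E_k2 == E_k3 for some key k3, return k3, else None."""
    target = compose(family[k1], family[k2])
    for k3, p in family.items():
        if p == target:
            return k3
    return None


if __name__ == "__main__":
    for name, cipher in (("xor", xor_cipher), ("spn", spn_cipher)):
        fam = keyed_family(cipher)
        assert all(is_permutation(p) for p in fam.values())
        print(name, "closed under composition:", closed_under_composition(fam))
    print("xor: E_3 o E_5 == E_k for k =", equivalent_single_key(keyed_family(xor_cipher), 3, 5))
```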
Re: Japan Puts Its Money on E-Cash
On Dec 12, 2005, at 18:14, R. A. Hettinga wrote: But would it work in a place like the United States, where 24 percent of transactions are made on credit? Some Americans, analysts note, are already using a version of e- cash to bypass toll lanes on highways. Don't take that as a sign of consumer acceptance, though. In Illinois, if you won't pre-pay your tolls in $40 increments, you will pay double the rate in cash at the tollbooth. And the electronic system is anything but anonymous.
Re: Pseudonymity for tor: nym-0.1 (fwd)
On Sep 29, 2005, at 18:32, Jason Holt wrote: Of course, you can put anything you want in the cert, since the servers know that my CA only certifies 1 bit of data about users (namely, that they only get one cert per scarce resource). "One per person" is a tough thing to do purely over the internet. IP addresses get NATted or reassigned dynamically. Email addresses are free in infinite quantity. Any system that levies penalties on nyms for bad actions is playing whack-a-mole. A system in which nyms accumulate {fame, credit, privilege} for good actions still has a hope ... as long as those credits can't be granted by an army of extra nyms of the same person.
Re: ECC patents?
On Sep 12, 2005, at 11:32, James A. Donald wrote: Someone recently patented the wheel, to show how bad the situation is. That's a bit misleading without the context. Google patented-the-wheel for details.
Re: [Clips] Visa Sets Antifraud-System Upgrade
On Jun 14, 2005, at 14:27, R.A. Hettinga wrote: Antifraud systems help distinguish suspicious purchasing behavior, such as one credit card being used in multiple states within minutes. Such a pattern often can't be detected, however, until some purchases have been made. My wife was a victim of this antifraud system last month. She went to a thrice-yearly show where vendors from all over the country sell their wares. She made two purchases at one booth. The goods were from two different vendors -based in different states- so were processed as two transactions. The second one, just a minute or two after the first, was denied with a "card cancelled" code. Then automated phone calls started coming from Visa to our home number. It was quite annoying. Impressive, but annoying.
Re: de-identification
On Jun 8, 2005, at 15:19, [EMAIL PROTECTED] wrote:

I'd like to come up to speed on the state of the art in de-identification (~=anonymization) of data especially monitoring data (firewall/hids logs, say).

I don't know the state of the art, but I can tell you the state of the artless. I had a request to share our border router traffic logs (Cisco netflow) with a university, so they could try out some anomaly detection schemes they were working on. (Bkgnd: We don't consider our network topology sensitive. Our traffic logs are subject to a general respect for privacy.) Since they could send us packets of their choosing, I deemed it useless to obfuscate our own IP addresses. I chose to anonymize all the external addresses. My design note is below. But then, as fate would have it, the university said they needed the true external addresses. That left me a bit stumped. Perhaps a less chaotic mapping, like one that is bijective between classful network numbers, would do.

obfuscation filter program

Parameters
  Blocks of IP addresses deemed internal. Internal includes multicast addresses and RFC 1918 "private use" addresses.

Working data preserved across runs
  For each date, a database of (true address, substituted address) pairings.

Algorithms
  Substituted addresses are pseudo-random, formed by MD5-hashing a string (S | D | A | N) and taking the first 32 bits.
    S = fixed secret hash seed, long term
    D = date of data, in MMDD format
    N = integer, starting at 0 and incremented if resulting address is an internal one or a collision.

  to obfuscate an IP address: {
    if it's internal, return it unchanged.
    otherwise, is a substitute already assigned? If so, return it.
    otherwise
      for ( done = N = 0; !done; N++ ) {
        generate substitute address by hashing as above
        if ( !collision ) done = 1
      }
      save forward & reverse mappings
  }

  for each netflow record {
    i = 0
    if ( src is external ) { obfuscate src; i++ }
    if ( dst is external ) { obfuscate dst; i++ }
    if ( i != 1 ) log an unusual condition
    write output
  }

Scripts:
  generator loops over input files, applying obfuscator, writing temp-named output file, then renaming completed output file to permanent name.
  mover looks for completed output files, copies them to destination, then looks for more, sleeping and retrying if there are none.

Other notes:
  The obfuscated mappings can be regenerated at will if exactly the same data is processed in the same sequence, and the secret hash seed is known.
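The obfuscation design note above, implemented as an added Python example (this is not the author's filter program, which is not on the page). It follows the note: internal addresses pass through unchanged, a substitute is the first 32 bits of MD5 over the seed, the MMDD date, the true address and a counter N that is bumped on an internal or colliding result, forward and reverse maps are kept per date, and a flow without exactly one external endpoint is recorded as unusual. Assumptions of the example: a literal "|" field separator inside the hashed string (the note does not fix one), 198.51.100.0/24 standing in for the site's own routed block, and the constructed flow records at the bottom.

```python
import hashlib
import ipaddress

# Address blocks deemed "internal" and passed through unchanged.  RFC 1918 and
# multicast come from the design note; 198.51.100.0/24 is an assumed stand-in
# for the site's own routed space.
INTERNAL_BLOCKS = [ipaddress.ip_network(b) for b in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private use
    "224.0.0.0/4",                                      # multicast
    "198.51.100.0/24",                                  # assumed site block
)]


def is_internal(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_BLOCKS)


class Obfuscator:
    """One instance per date D.  Substitutes are the first 32 bits of MD5(S|D|A|N)."""

    def __init__(self, secret: bytes, date_mmdd: str):
        self.secret = secret            # S: long-term secret hash seed
        self.date = date_mmdd.encode()  # D: date of the data, MMDD
        self.forward = {}               # true address -> substitute
        self.reverse = {}               # substitute -> true address
        self.unusual = []               # flows without exactly one external end

    def _candidate(self, addr: str, n: int) -> str:
        # "|" as a literal field separator is an assumption of this example.
        data = b"|".join([self.secret, self.date, addr.encode(), str(n).encode()])
        digest = hashlib.md5(data).digest()
        return str(ipaddress.IPv4Address(int.from_bytes(digest[:4], "big")))

    def obfuscate(self, addr: str) -> str:
        if is_internal(addr):
            return addr
        if addr in self.forward:
            return self.forward[addr]
        n = 0
        while True:
            sub = self._candidate(addr, n)
            # retry when the substitute lands in internal space or is already taken
            if not is_internal(sub) and sub not in self.reverse:
                break
            n += 1
        self.forward[addr] = sub
        self.reverse[sub] = addr
        return sub

    def process_flow(self, flow: dict) -> dict:
        """Obfuscate the external end(s) of one netflow record."""
        out = dict(flow)
        external_ends = 0
        for field in ("src", "dst"):
            if not is_internal(flow[field]):
                out[field] = self.obfuscate(flow[field])
                external_ends += 1
        if external_ends != 1:
            self.unusual.append(flow)   # the note's "log an unusual condition"
        return out


# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.9", "dport": 443, "bytes": 5120},
    {"src": "203.0.113.9", "dst": "198.51.100.7", "dport": 51234, "bytes": 880},
    {"src": "203.0.113.9", "dst": "192.0.2.33", "dport": 25, "bytes": 100},    # both external
    {"src": "10.1.2.3", "dst": "198.51.100.7", "dport": 22, "bytes": 300},     # both internal
]


def run(secret: bytes, date_mmdd: str, flows=SAMPLE_FLOWS):
    """Process a day's flows; returns (obfuscated flows, the obfuscator with its maps)."""
    ob = Obfuscator(secret, date_mmdd)
    return [ob.process_flow(f) for f in flows], ob


if __name__ == "__main__":
    out, ob = run(b"long-term-secret", "0608")
    for f in out:
        print(f)
    print("unusual flows:", len(ob.unusual), "mappings:", ob.forward)
```

Because the substitute depends only on the seed, the date, the address and the order in which collisions were encountered, re-running the same day's data with the same seed reproduces the same mapping, which is the regeneration property the note's last paragraph relies on; a different date yields an unrelated mapping for the same external address.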
Re: [Clips] Paying Extra for Faster Airport Security
The [express-line security] program will be operated by New York-based Verified Identity Pass Inc., a private company run by Steven Brill, whose former ventures included Court TV and The American Lawyer magazine. The program marks the first time a private company has teamed up with the government to speed up airport security lines. Yesterday, the Greater Orlando Aviation Authority board awarded the contract for its new system to Verified Identity Pass's system, opting for its prospectus over a proposal from Unisys Corp. I wonder what testing is planned and what penalties are specified in the contract for false negatives. My guess: little and none.
Re: Bluetooth cracked further
On Jun 3, 2005, at 11:55, Perry E. Metzger wrote: 2) They also have a way of forcing pairing to happen, by impersonating one of the devices and saying "oops! I need to pair again!" to the other. Do the devices then pair again without user intervention, re-using the PIN that paired them initially? I always imagined I could use a lame PIN if I was far from any eavesdroppers...
Re: Citibank discloses private information to improve security
On May 26, 2005, at 13:24, Ed Gerck wrote: A better solution, along the same lines, would have been for Citibank to ask from their account holders when they login for Internet banking, whether they would like to set up a three- or four-character combination to be used in all emails from the bank to the account holder. Why couldn't they just use digitally signed S/MIME email? I'm sure that works just as well as signed SSL handshakes. Oh. Answered my own question, didn't I?
Re: and constrained subordinate CA costs?
On Mar 25, 2005, at 16:06, Adam Back wrote: There's an X.509v3 NameConstraints extension (which the higher CA would include in the lower CA's cert) but I have the impression that end-system software does not widely support it. And of course if you don't flag it critical, it's not very effective. Well I would say downright dangerous -- if it's not flagged critical and not understood, right? Implication would be an intended constrained subordinate CA would be able to function as an unconstrained subordinate CA in the eyes of many clients -- free ability to forge any domain in the global SSL PKI. Exactly. (Just like the root CAs in the browser's shipped list. :-) And if it's marked critical, the certificate is no damn use to almost anyone. Chicken, meet egg. Egg, chicken.
Re: and constrained subordinate CA costs?
On Mar 25, 2005, at 11:55, Florian Weimer wrote: Does anyone have info on the cost of sub-ordinate CA cert with a name space constraint (limited to issue certs on domains which are sub-domains of a your choice... ie only valid to issue certs on sub-domains of foo.com). Is there a technical option to enforce such a policy on subordinated CAs? There's an X.509v3 NameConstraints extension (which the higher CA would include in the lower CA's cert) but I have the impression that end-system software does not widely support it. And of course if you don't flag it critical, it's not very effective.
Re: Do You Need a Digital ID?
Now that the taxing bodies (US & states) have learned not to print the SSN on the mailing label, Illinois has gone further and requires a state-assigned PIN to file or access your tax information over the internet. They helpfully provide you the PIN ... on the mailing label.
Re: PK -> OTP?
My educated-layman's opinion is that the following is not feasible, but I'd be happy to be shown wrong ... Given a closed public-key device such as a typical smart card with its limited set of operations (chiefly "sign"), is it possible to implement a challenge/response function such that * Both the challenge and the response are short enough for an average user to be willing to type them when needed. * The challenge can be generated, and the response verified using the cardholder's public key and a reasonable amount of computation. What's wrong with sending the device encryption of a random number (using the public key of the device), and the device sending back the number as proof of possession of the corresponding secret key? Would it not be the case that the challenge would be as long as the key, and hence too long to reasonably expect a user to type into a keypad?
PK -> OTP?
My educated-layman's opinion is that the following is not feasible, but I'd be happy to be shown wrong ... Given a closed public-key device such as a typical smart card with its limited set of operations (chiefly "sign"), is it possible to implement a challenge/response function such that * Both the challenge and the response are short enough for an average user to be willing to type them when needed. * The challenge can be generated, and the response verified using the cardholder's public key and a reasonable amount of computation. My reasoning is that the full output of the signing function will almost always be as long as the key, if only response = f(signature) is given, with f having a range in some set of size ~ 2^32, verifying response must be nearly as hard as brute-force guessing. Matt Crawford <[EMAIL PROTECTED]>
Re: two-factor authentication problems
On Mar 5, 2005, at 11:32, Ed Gerck wrote: The worse part, however, is that the server side can always fake your authentication using a third-party because the server side can always calculate ahead and generate "your next number" for that third-party to enter -- the same number that you would get from your token. So, if someone breaks into your file using "your" number -- who is responsible? The server side can always deny foul play. Huh? The server can always say "response was good" when it wasn't good. Unless someone reclaims the server from the corrupt operator and analyzes it, the results are the same.
Re: Code name "Killer Rabbit": New Sub Can Tap Undersea Cables
On Feb 18, 2005, at 19:47, R.A. Hettinga wrote: "It does continue to be something of a puzzle as to how they get this stuff back to home base," said John Pike, a military expert at GlobalSecurity.org. I should think that in many cases, they can simply lease a fiber in the same cable. What could be simpler?
Re: Digital Water Marks Thieves
On Feb 22, 2005, at 10:57, Dan Kaminsky wrote: The point is that the thief should think anything expensive is protected, by which I mean it's too traceable to fence. That would be the thinking of a thief who read the article and took it at face value. A more clever thief would realize that the magic water would respond to *his* ultraviolet light just as well as the police's. (And in today's climate, the counter-counteraction will be a measure to outlaw ultraviolet lights in the hands of private citizens ...) "Let's vary piracy / with a little burglary!"
Re: Digital Water Marks Thieves
that is [...] invisible until illuminated by police officers using ultraviolet light. That's amazing! How do the tiny particles know that it's not a civilian illuminating them with ultraviolet light? And how does Wired reporter Robert Andrews fail to ask that question? Why would it matter? [...] I don't really understand the complaints here. My complaint is against the parroting of patently absurd claims by manufacturers (or governments, for that matter) under the guise of journalism. If you need the reason to be concrete, here's one: I might buy this magic water and apply it to some of my stuff, figuring I don't have to shell out for a second pint because Robert Andrews has assured me the thieves can't determine that it's on my Thing-1 but not my Thing-2.
Re: Digital Water Marks Thieves
On Feb 15, 2005, at 12:40, R.A. Hettinga wrote: Instant, is a property-marking fluid that, when brushed on items like office equipment or motorcycles, tags them with millions of tiny fragments, each etched with a unique SIN (SmartWater identification number) that is registered with the owner's details on a national police database and is invisible until illuminated by police officers using ultraviolet light. That's amazing! How do the tiny particles know that it's not a civilian illuminating them with ultraviolet light? And how does Wired reporter Robert Andrews fail to ask that question?
Re: Desire safety on Net? (n) code has the solution
On Feb 10, 2005, at 12:42, Dan Kaminsky wrote: The SEC also asserts that the company's 10-Q bore an unauthorized electronic signature of Guccione

Electronic but not digital, perhaps?
Re: how to tell if decryption was successfull?
On Feb 1, 2005, at 13:29, Andreas wrote: I was wondering how can one tell if some data was successfully decrypted. Isn't there an assumption going on about what the cleartext data should be? Text? Image? ZIP file? Ziped jpeg? Another cyphertext? rot-13? Embedded checksums or hash codes added before encryption. The types of those checks must not interact badly with the encryption.
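An added example (not from the original post) of a check that interacts badly with the encryption, beside one that does not. A CRC-32 appended to the plaintext and then covered by an XOR stream cipher is the classic bad case: CRC-32 is affine over GF(2), so crc(m XOR mask) = crc(m) XOR crc(mask) XOR crc(0...0), and an attacker who flips chosen plaintext bits through the ciphertext can correct the encrypted checksum without knowing the key; the decryptor then reports success on a forged message. An HMAC over the ciphertext under a separate key gives a check the attacker cannot repair. The SHA-256 counter-mode keystream, the key derivation and the sample message are assumptions of this example, not of the post.

```python
import hashlib
import hmac
import struct
import zlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode.  It stands in for any
    XOR-based cipher (RC4, AES-CTR) and is not meant for production use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Variant 1: CRC-32 appended to the plaintext, everything XORed with the keystream ---

def encrypt_crc(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    body = msg + struct.pack(">I", zlib.crc32(msg))
    return xor(body, keystream(key, nonce, len(body)))


def decrypt_crc(key: bytes, nonce: bytes, ct: bytes):
    """Returns the message if its CRC checks, else None."""
    body = xor(ct, keystream(key, nonce, len(ct)))
    msg, tag = body[:-4], body[-4:]
    return msg if struct.unpack(">I", tag)[0] == zlib.crc32(msg) else None


def tamper_crc(ct: bytes, mask: bytes) -> bytes:
    """Flip the plaintext bits selected by `mask` (len(mask) == len(msg)) with no
    key.  Because CRC-32 is affine, crc(m ^ mask) == crc(m) ^ crc(mask) ^ crc(zeros),
    so XORing that delta into the encrypted checksum keeps the check passing."""
    delta = zlib.crc32(mask) ^ zlib.crc32(bytes(len(mask)))
    return xor(ct, mask + struct.pack(">I", delta))


# --- Variant 2: encrypt-then-MAC with HMAC-SHA256 under a separate key ---

def _subkeys(key: bytes):
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def encrypt_mac(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct = xor(msg, keystream(enc_key, nonce, len(msg)))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_mac(key: bytes, nonce: bytes, blob: bytes):
    """Returns the message if the tag verifies, else None (checked before decrypting)."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def tamper_mac(blob: bytes, mask: bytes) -> bytes:
    """The same bit flip against the MAC'd variant; no fix-up exists without mac_key."""
    return xor(blob, mask + bytes(len(blob) - len(mask)))


if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 8
    msg = b"PAY $100 TO ALICE"                      # constructed sample message
    mask = bytearray(len(msg))
    mask[5] = ord("1") ^ ord("9")                   # turn "100" into "900"
    mask = bytes(mask)
    print("CRC variant, tampered:", decrypt_crc(key, nonce, tamper_crc(encrypt_crc(key, nonce, msg), mask)))
    print("HMAC variant, tampered:", decrypt_mac(key, nonce, tamper_mac(encrypt_mac(key, nonce, msg), mask)))
```

The first line printed is the forged amount accepted as a good decryption; the second is None, the tag having failed before any plaintext was produced.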
Re: Do We Need a National ID Card?
On Dec 22, 2004, at 8:53, R.A. Hettinga wrote: Do we need a national ID card? The comment period on NIST's draft FIPS-201 (written in very hasty response to Homeland Security Presidential Directive HSPD-12) ends tomorrow. The draft, as written, enables use of the card by "Smart IEDs" and for improved selection of kidnapping victims. One cabinet department's Associate CIO for Cybersecurity said of this project, "Eventually this is going to lead to a national ID card." Refs: http://csrc.nist.gov/piv-project/ http://www.fas.org/irp/offdocs/nspd/hspd-12.html http://csrc.nist.gov/publications/drafts/draft-FIPS_201-110804-public1.pdf
Re: Cryptography Research wants piracy speed bump on HD DVDs
On Dec 15, 2004, at 11:54, Taral wrote: What stops someone using 3 players and majority voting on frame data bits? As I understand it, they use such a huge number of bits for marking, that any reasonably-sized assembly of players will still coincide on some marked bits. (However, I very much doubt whether they can blacklist all the players in the assembly without blacklisting some "innocent" players as well!)
Re: Maths holy grail could bring disaster for internet
On Sep 6, 2004, at 21:52, R. A. Hettinga wrote: But the proof should give us more understanding of how the primes work, and therefore the proof might be translated into something that might produce this prime spectrometer. If it does, it will bring the whole of e-commerce to its knees, overnight. So there are very big implications." This would be a good thing. Because to rebuild the infrastructure based on symmetric crypto would bring the trusted third party (currently the CA) out of the shadows and into the light.
Re: Compression theory reference?
On Aug 31, 2004, at 15:56, John Denker wrote: 4) Don't forget the _recursion_ argument. Take their favorite algorithm (call it XX). If their claims are correct, XX should be able to compress _anything_. That is, the output of XX should _always_ be at least one bit shorter than the input. Then the compound operation XX(XX(...)) should produce something two bits shorter than the original input. If you start with a N-bit message and apply the XX function N-1 times, you should be able to compress each and every message down to a single bit. Plus a string of log(N) bits telling you how many times to apply the decompression function! Uh-oh, now goes over the judge's head ...
Re: Compression theory reference?
On Aug 31, 2004, at 14:50, Victor Duchovni wrote: This is a question in elementary finite set theory, not computer science (whatever that is :-). All proofs will involve some mathematics. The above is I think simpler than your original argument and is the simplest I can come up with... I think Hadmut was looking for an authority that would be respected by the CS department he is dealing with. It's a sad state of affairs when they will accept authority over proof. However, I can give what I think is a simpler proof, using only high school math. Assume that some invertible function f() turns no input message into a longer output message. We can prove that it also does not make any message *shorter*, and hence is not a "compression" function after all. In particular, f() turns every one-bit message into a one-bit message. Suppose f() preserves the length of all n-bit messages, for 1 <= n <= N. (This is already the case for N=1.) What does f() do to a message M of N+1 bits length? By assumption, f(M) is not N+2 bits or longer. But all output messages of N bits or less are the result of some input of N bits or less and hence cannot be f(M). So by elimination, f(M) is N+1 bits long. By mathematical induction, f() preserves the length of every message.
Re: How thorough are the hash breaks, anyway?
> > certificates. The public key data is public, and it's a "random" bitpattern where nobody would ever notice a few different bits. If someone finds a collision for microsoft's windows update cert (or a number of other possibilities), and the fan is well and truly buried in it.

> Correct me if I'm wrong ... but once finding a hash collision on a public key, you'd also need to find a matching private key, right?

But the odds are that you'd get an easy-to-factor modulus. Would the casual relying party ever notice that? I think not.
Re: First quantum crypto bank transfer
> > | However, I still don't believe that quantum cryptography can buy you
> > | anything but research funding (and probably easier lawful intercept
> > | because end-to-end encryption is so much harder).
> >
> > Not to attack you personally - I've heard the same comments from many other people - but this is a remarkably parochial attitude. Quantum crypto raises fundamental issues in physics.
>
> But we aren't physicists. Hey! It isn't research any more. There are companies trying to *sell this*.

Please don't blame the physicists for that. It is still research, but someone is selling tincture of quantum physics in their snake-oil bottles. Too bad that may poison the market for a really useful development a few years from now, but it does help shake the money tree for research. And physics can use every dime it can get right now.

Matt Crawford <[EMAIL PROTECTED]>
Fermilab Computer Security Coordinator
http://www.fnal.gov/
Re: RPOW - Reusable Proofs of Work
On Aug 20, 2004, at 16:09, Hal Finney wrote:

> > If you think of POW as a possible SPAM mitigation, how does the first receiving MTA assure the next MTA in line that a message was "paid for?" Certainly the mail relay doesn't want to do new work, but the second MTA doesn't know that the first isn't a spambot.
>
> The first MTA would exchange the received RPOW for a new one of equal value, and pass it along with the message to the next MTA in line.

Right, I'm saying that's a possible use for RPOW, other than one that's equivalent to digital cash. Sorry if my intent wasn't clear.
Re: RPOW - Reusable Proofs of Work
> > I'm wondering how applicable RPOW is. Generally speaking, all the practical applications I can think of for a proof-of-work are defeated if proofs-of-work are storable, transferable, or reusable.
>
> I have some code to play online games with cryptographic protection, cards and dice, and I am planning to modify it to let people make bets with RPOWs as the betting chips.

If you think of POW as a possible SPAM mitigation, how does the first receiving MTA assure the next MTA in line that a message was "paid for?" Certainly the mail relay doesn't want to do new work, but the second MTA doesn't know that the first isn't a spambot.
Re: Too Much Information?
On Aug 12, 2004, at 20:06, R. A. Hettinga wrote:

> Officials call that argument outrageous and argue some secrecy is necessary.

It's an easy shot, but I'll take it: If some government secrecy is necessary, then the government should maintain some secrecy. If Mr. Young found the information, there was no secrecy.

How about starting with the REAL secrets, like the names of cooperating al-Qaeda defectors?
Re: How a Digital Signature Works
> NEWS ANALYSIS :TECH
> By Stephen H. Wildstrom
> How a Digital Signature Works

Is this a "count the errors" contest? I count six.
Re: E-commerce attack imminent; Sudden increase in port scanning for SSL doesn't look good
> E-commerce attack imminent; Sudden increase in port scanning for SSL doesn't look good.
> http://www.techworld.com/security/news/index.cfm?NewsID=1975
>
> ... aka not necessarily an attack on SSL itself ... but identifying end-points with open SSL ports as attack targets i.e. end-points with open SSL ports are likely to be somewhat higher value targets than machines w/o SSL ports since the operators possibly feel they have something to protect.

I can't see any reasonable way to derive your conclusion from the cited article.

"The surge began on 15 July, the day before the public disclosure of a critical flaw in a server module called mod_ssl.

"The last time Netcraft observed similar activity was in April, shortly before a wave of attacks on SSL servers that included the compromise of some major e-commerce sites. Attackers used a flaw in Microsoft's implementation of SSL to install malicious code..."
Re: High hopes for unscrambling the vote
On Jun 8, 2004, at 6:30, R. A. Hettinga wrote:

> ... scientists are borrowing from decades of academic work to invent systems that are probably secure against malfeasance.

Ooh, what a terrible typo!
Re: Passwords can sit on disk for years
On Jun 8, 2004, at 9:44, [EMAIL PROTECTED] wrote:

> And of course, the article didn't get it right. Because of optimizing compilers, it is *not* trivial to zero passwords.

The full paper does make that point. http://www.stanford.edu/~talg/papers/USENIX04/abstract.html

Me, I run machines with no swap disk if they have important keys on them, and aren't in a very secure facility. A master decryption key is needed at boot time, of course.
Re: Satellite eavesdropping of 802.11b traffic
Don't dismiss possibilities for wireless data eavesdropping without considering the possibilities of this new chip http://pr.caltech.edu/media/Press_Releases/PR12490.html and its friends http://www.chic.caltech.edu/
Re: voting
On Apr 15, 2004, at 8:58 PM, Ed Gerck wrote:

> Currently, voter privacy is absolute in the US and does not depend even on the will of the courts. For example, there is no way for a judge to assure that a voter under oath is telling the truth about how they voted, or not.

For many years in the 90's there was (maybe still is) a resident of Cook County, Illinois, who refused to vote because she was the only voter in her precinct, and the precinct totals would consist purely of her vote. (She lived in a forest preserve. There's probably some latter-day Brothers Grimm tale in this.)
Re: I don't know PAIN...
On Dec 27, 2003, at 10:01 AM, Ben Laurie wrote:

> > "Note that there is no theoretical reason that it should be possible to figure out the public key given the private key, either, but it so happens that it is generally possible to do so"
> >
> > So what's this "generally possible" business about?
>
> Well, AFAIK it's always possible, but I was hedging my bets :-) I can imagine a system where both public and private keys are generated from some other stuff which is then discarded.

Sure. Imagine RSA where instead of a fixed public exponent (typically 2^16 + 1), you use a large random public exponent. After computing the private exponent, you discard the two primes and all other intermediate information, keeping only the modulus and the two exponents. Now it's very hard to compute either exponent from the other, but they do constitute a public/private key-pair. The operations will be more expensive than in standard RSA where one party has a small exponent and the other party has an arithmetical shortcut, but still far less computation than cracking the other party's key.
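The construction Matt sketches above, as an added example (not code from the post or from any library it mentions): RSA key generation with a full-size random public exponent, where p, q and phi(n) are discarded once d is computed, so the key-pair is just (n, e, d) and neither exponent is small. The Miller-Rabin test, the `keygen_random_exponents` name, the 512-bit modulus and the fixed seed are my own choices, made so the example runs quickly and reproducibly.

```python
import math
import random

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2**s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # composite witness found
    return True

def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def keygen_random_exponents(bits=512, seed=None):
    """Return (n, e, d) with e a random exponent the size of phi(n).
    p, q and phi are deliberately dropped: only the modulus and the two
    exponents survive, as in the scheme described in the post."""
    rng = random.Random(seed)
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:
        q = random_prime(bits // 2, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = rng.randrange(3, phi)        # full-size random public exponent
        if math.gcd(e, phi) == 1:        # must be invertible mod phi
            break
    d = pow(e, -1, phi)                  # private exponent (Python 3.8+)
    return n, e, d                       # p, q, phi are not returned

def rsa_apply(x, exp, n):
    """One RSA exponentiation; both sides now pay a full-size exponent."""
    return pow(x, exp, n)
```

With a standard key the public side would use a 17-bit exponent and the private side a CRT shortcut; here both exponents are roughly the size of the modulus, which is the extra cost the post refers to.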
Re: NEMA rotor machine offered again on ebay
On Dec 14, 2003, at 8:26 AM, Steve Bellovin wrote:

> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2210624662&ssPageName=ADME:B:SS:US:1
>
> Last time such a machine appeared, some people reported that ebay blocked their access to the listing. That included one person in the U.S.

Curious. I can access that page from my US IP address on a government netblock, with bidirectional DNS resolution to a .gov domain name, IF I use Internet Explorer, but not if I use Opera or Safari on the very same host. Cookies are not the issue.
Re: Open Source (was Simple SSL/TLS - Some Questions)
On Thursday, Oct 9, 2003, at 04:31 America/Chicago, Peter Clay wrote:

> If you want a VPN that road warriors can use, you have to do it with IP-over-TCP. [...] If someone out there wants to write VPN software that becomes widely used, then they should make a free IP-over-TCP solution that works on Windows and Linux which uses password authentication.

And people will mostly want to run TCP over their VPN. See "Why TCP Over TCP Is A Bad Idea" by Olaf Titz at http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
Re: Who is this Mallory guy anyway?
> Well, that's the question - is Eve allowed to forward packets, in the act of listening, or is that the Mallory's job? I don't know.

You can't measure a single-particle state without at least some chance of destroying the state. (Even quantum non-demolition methods affect the measured system a bit.) So you can't have a purely passive Eve. Perhaps "Quentin" is the Quantum Eavesdropper who makes his optimal tradeoff between gathering the most information and being the least detectable.
Re: quantum hype
> BTW, you can decrease the wavelength of a photon by bouncing it off moving mirrors.

Sure. To double the energy (halve the wavelength), move the mirror at 70% of the speed of light. And since you don't know exactly when the photon is coming, keep it moving at that speed ...
Re: quantum hype
I'm always stuck on that little step where Alice tells Bob what basis she used for each photon sent. Tells him how? They need integrity protection and endpoint authentication for N bits of basis. Is the quantum trick converting those N bits to N/2 privacy-protected bits really as exciting as it's made out to be?
Re: Encrypted Virtual Drives
Does anyone here have knowledge (or opinions) about the quality of Mac OS X's encrypted disk images as a crypto file system?
Re: An attack on paypal
> "Matt Crawford" <[EMAIL PROTECTED]> writes:
> > ... Netscrape ind Internet Exploder each have a hack for
> > honoring the same cert for multiple server names. Opera seems to honor at
> > least one of the two hacks, and a cert can incorporate both at once.
> >
> > /C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services
> > /CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov
> > /CN=bravo.fnal.gov/CN=charlie.fnal.gov
>
> Just to clarify this, so you need a multivalued CN, with one containing the
> expression "(a|b|c)" and the remaining containing each of "a", "b", and "c"?
> Is it multiple AVAs in an RDN, or multiple RDNs? (Either of these could be
> hard to generate with a lot of software, which can't handle multiple AVAs in
> an RDN or multiple same-type RDNs). Which hack is for MSIE and which is for
> Netscape?

Each CN is in a single-element RDN as usual. Netscape honors only the first CN in the SubjectDN, but will treat it as a restricted regex (shell-like * wildcard, alternation and grouping). IE checks the server name against each CN individually. This was mainly determined by experimentation. I think we did find a limit on how long that first regex could be, but I don't remember what it was. Longer than my example, but short enough that some of our bigger virtual-hosting servers were inconvenienced by it.

Openssl has no qualms about multiple same-type components. You just have to use the somewhat documented

    0.commonName = ...
    1.commonName = ...
    2.commonName = ...

in the configuration file.
Re: An attack on paypal
> You can also use *.fnal.gov

Yes, we know, but our in-house CA operator (me) won't issue such a certificate.
Re: An attack on paypal
> The worst trouble I've had with https is that you have no way to use host
> header names to differentiate between sites that require different SSL
> certificates.

True as written, but Netscrape ind Internet Exploder each have a hack for honoring the same cert for multiple server names. Opera seems to honor at least one of the two hacks, and a cert can incorporate both at once.

    /C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services
    /CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov
    /CN=bravo.fnal.gov/CN=charlie.fnal.gov

> So you need to waste IP's for this.

Waste? Heck no, that's what they're for!