On Tue, Jun 05, 2007 at 07:00:51PM -0500, Travis H. wrote:
I just did some performance testing on a file server (debian 4.0) and
thought I'd share the figures, both raw and using the luks
cryptosystem described here:
http://luks.endorphin.org/about
Here's the specs:
AMD Athlon 64 x2 3600+ (1800MHz)
2GB 800MHz DDR2 ECC DRAM
Asus M2N32WS motherboard
I have posted my ideas on defensive use of crypto here:
https://www.subspacefield.org/security/cgi-bin/moin.py/CryptoMaxims
This is not about cipher design, it's more about protocol design
and implementation.
Everyone here is welcome to edit it as they see fit; questions and
answers, discussion
Ignoring special-purpose hardware, does anyone have thoughts on what
the requirements for a kernel-level key management subsystem should be?
--
Kill dash nine, and it's no more CPU time, kill dash nine, and that
process is mine. -- URL:http://www.subspacefield.org/~travis/
For a good time on my
On Wed, May 09, 2007 at 06:11:03PM -0400, Leichter, Jerry wrote:
Just being able to generate traffic over the link isn't enough to
carry out this attack.
Well, it depends on if you key per-flow or just once for the link. If
the latter, and you have the ability to create traffic over the link,
On Wed, May 02, 2007 at 06:12:31PM +0100, Dave Korn wrote:
If you wanted to be /really/ certain, I guess you'd have to take the tops
off all the ICs inside and look at them under an EM, to make sure they really
were the parts they claimed to be and don't have any extra circuitry or hidden
On Wed, May 09, 2007 at 06:04:20PM -0400, Leichter, Jerry wrote:
However, cryptographically secure RNG's are typically just as expensive
as doing a block encryption. So why not just encrypt the IV once with
the session key before using it? (This is the equivalent of pre-pending
a block of
On Fri, Apr 27, 2007 at 05:13:44PM -0400, Leichter, Jerry wrote:
Frankly, for SSH this isn't a very plausible attack, since it's not
clear how you could force chosen plaintext into an SSH session between
messages. A later paper suggested that SSL is more vulnerable:
A browser plugin can
On Wed, May 02, 2007 at 09:29:39AM -0600, Anne Lynn Wheeler wrote:
where there is possibly the suggestion that if the only thing being
performed
is authentication (and doesn't require either integrity and/or privacy) ...
then possibly a totally different protocol be utilized (rather than
On Thu, May 03, 2007 at 07:57:18PM +1000, James A. Donald wrote:
Assume Ann's secret key is a, and her public key is A = G^a mod P
Assume Bob's secret key is b, and his public key is B = G^b mod P
Bob wants to send Ann a message.
Bob generates a secret random number x, and sends Ann X =
On Wed, Apr 25, 2007 at 05:42:44PM -0500, Nicolas Williams wrote:
A confounder is an extra block of random plaintext that is prepended to
a message prior to encryption with a block cipher in CBC (or CTS) mode;
the resulting extra block of ciphertext must also be sent to the peer.
Not true.
I've always wondered this about the lesser-used modes. What's special
about CBC?
With CFB in particular, I think 8-bit CFB is stupid (one full block
encryption per byte processed - rather computationally expensive), but
n-bit CFB seems just as useful as CBC, if not more so. Specifically,
I can
One more thing to consider; if you pick a reasonable MAC with twice
the security factor you need, then truncate the output to half the
size, I believe you get both confidentiality and
integrity/authentication guarantees of the desired strength.
--
Kill dash nine, and it's no more CPU time, kill
Forgive me as this isn't as technical as the usual posts, but I
find it interesting nonetheless.
OpenBSD has, for some time, supported encrypted swap.
Just recently I discovered Debian default installs now support
encrypted root (/boot still needs to be decrypted).
Presumably we are moving
On Thu, Feb 08, 2007 at 04:29:25PM -0800, Saqib Ali wrote:
i have been tasked by my advisor to create series of mini-lectures
slides on the topic of cryptography for a freshman year CS class.
You know, you shouldn't use the Internet to ask people to do your
homework for you... ;-) j/k
any
On Sun, Feb 04, 2007 at 03:46:41PM -0800, Allen wrote:
An idle question. English has a relatively low entropy as a
language. Don't recall the exact figure, but if you look at words
that start with q it is very low indeed.
I seem to recall Shannon did some experiments which showed that with a
On Wed, Feb 07, 2007 at 05:42:49AM -0800, Sandy Harris wrote:
He starts from information theory and an assumption that
there needs to be some constant upper bound on the
receiver's per-symbol processing time. From there, with
nothing else, he gets to a proof that the optimal frequency
On Wed, Feb 07, 2007 at 05:53:16PM -0500, Steven M. Bellovin wrote:
Speakers of such Native American languages as Navajo, Choctaw
and Cheyenne served as radio operators, known as Code Talkers,
to keep communications secret during both World Wars. Welsh
speakers played a
On Sun, Feb 04, 2007 at 11:27:00PM -0500, Leichter, Jerry wrote:
| 1) use a random key as large as the plaintext (one-time-pad)
...thus illustrating once again both the allure and the uselessness (in
almost all situations) of one-time pads.
For long-term storage, you are correct, OTP at best
Hey, quick question.
If one wants to have multiple keys, but for ease-of-use considerations
want to only have the user enter one, is there a preferred way to
derive multiple keys that, while not independent, are computationally
independent?
I was thinking of hashing the passphrase with a unique
On Wed, Jan 24, 2007 at 03:28:50PM -0800, Allen wrote:
If 4 gigs is right, would it then be records to look for to break
the code via birthday attacks would be things like seismic data,
In case anyone else couldn't parse this, he means the amount of
encrypted material necessary to break the
So I was reading this:
http://en.wikipedia.org/wiki/Merkle-Damgard
It seems to me the length-extension attack (given one collision, it's
easy to create others) is not the only one, though it's obviously a
big concern to those who rely on it.
This attack thanks to Schneier:
If the ideal hash
The wikipedia page on the IEEE SISWG debate about LRW says:
[A] general security requirement for any block cipher, regardless of
mode of operation, is that no block cipher should be used to encrypt
any more data, without changing the key, when the probability of a
collision becomes not negligible
Hi,
This is not really typical of the traffic on this list, hence the OT.
I send it because I think this is one of the few places where I'll
find some people with deep understanding of SSL certs.
Recently I had an issue where Google checkout would not accept an
SSL certificate because Apache
On Sun, Jan 21, 2007 at 12:13:09AM -0500, Steven M. Bellovin wrote:
Could you explain this? It's late, but this makes no sense at all to
me.
I probably wasn't clear, you bring out my realization that there
are a number of unwritten assumptions going on here.
Similarly, the size of the output
On Fri, Jan 19, 2007 at 12:11:40AM -0800, Bill Stewart wrote:
One of the roots of the problem is that for many applications,
i is a well-defined event and P(i) is a fixed value (for i) ,
but for many other applications,
i might not be a well-defined event, and/or
P(i) is really a conditional
On Sun, Dec 24, 2006 at 11:10:40PM +, Rick van Rein wrote:
This is not =entirely= true. A key stored in the same (non-swappable)
location for a long time will burn into the memory. (I know that I am
reacting beside the point of your story, to which I agree.)
Pimpin' Peter's Papers:
Some very juicy details here:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pd
--
Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions. -- Don Alvarez
URL:http://www.subspacefield.org/~travis/ --
On 10/19/06, Leandro Meiners wrote:
Can anybody point me to any good references regarding traffic analysis?
This is the only interesting page I found on it:
http://guh.nu/projects/ta/safeweb/safeweb.html
There are some historical incidents that are sufficiently old to be
So I was reading about the OTP system (based on S/Key) described in RFC 2289.
It basically hashes a secret several times (with salt to individualize
it) and stores
the value that the correct password will hash to.
Now my question is, if we restrict ourselves to, say, 160-bit inputs, is SHA-1
a
On 10/12/06, Leichter, Jerry wrote:
Beyond that: Are weak keys even detectable using a ciphertext-only
attack (beyond simply trying them - but that can be done with *any* small
set of keys)?
Yes, generally, that's the definition of a weak key.
But that's an odd
attack to
On 10/9/06, Adam Back wrote:
The bad part is that the user is not given control to modify the hash
and attest as if it were the original so that he can insert his own
code, debug, modify etc.
(All that is needed is a debug option in the BIOS to do this that only
the user can
What is the accepted way to derive several keys from a user-supplied input?
Or, can you see anything wrong by prepending a counter to the passphrase
and hashing it to create derived keys?
k_n = hash(n || passphrase)
I suppose a faster system would involve using hash(passphrase) as the
key and
First, I found this interesting site by John Savard which discusses
the various crypto designs since... well, since pencil and paper
systems. Notable is the detailed discussion of the declassified
SIGABA machine:
http://www.quadibloc.com/crypto/jscrypt.htm
Next, can anyone point me in the
Hi all,
It occurred to me that there is a half-decent way to avoid weak keys in
algorithms
when it is undesirable or impossible to prompt the user for a
different passphrase.
It is even field-upgradable if new weak keys are found.
Basically, instead of using the hash of the passphrase up front,
On 10/2/06, Erik Tews wrote:
On Sunday, 01.10.2006, 23:42 -0500, Travis H. wrote:
Anyone have any information on how to develop TPM software?
http://tpm4java.datenzone.de/
Using this lib, you need less than 10 lines of java-code for doing some
simple
On 10/5/06, Erik Tews wrote:
First, you need a system with tpm. I assume you are running linux. Then
you boot your linux-kernel and an initrd using the trusted grub
bootloader. Your bios will report the checksum of trusted grub to the
tpm before giving control to your grub
Hey does anyone have a good link for the various equivalencies
(or inequivalencies) for modular arithmetic?
I realize some will only apply to certain moduli, especially primes.
I'm basically wanting to find some good algorithms for certain
simple computations, like f(x) = ax + b (mod n), or the
Quoting:
Disk drives gear up for a lockdown
Rick Merritt, EE Times (09/25/2006 9:00 AM EDT)
Built-in security is the next big thing for hard-disk drives. By 2008,
drive makers should be shipping in volume a broad array of drives
based on a maturing standard.
...
The first version of the
http://frode.home.cern.ch/frode/ulfving/ulfving.html
This discusses Swedish decryption of a German crypto machine.
Although the break was done without any hints, it was a fairly
straightforward system of long-period XOR and fixed transposition, and
eventual success was predicated on the laziness
On 9/26/06, Richard Salz wrote:
Really, what? There are things it doesn't do, but since it's only a
packaging format that's a good thing.
Though there are unshar tools, typically people run it as input to /bin/sh,
usually without reading through it (and given the level of
On 9/15/06, Taral wrote:
*That* is the Right Way To Do It. If there are variable parts (like
hash OID, perhaps), parse them out, then regenerate the signature data
and compare it byte-for-byte with the decrypted signature.
You know, this sort of reminds me of a problem with
On 9/9/06, Adam Back wrote:
IGE if this description summarized by Travis is correct, appears to be
a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
However the FREE-MAC mode (below described as IGE) was broken back in
Mar 2000 or maybe earlier by Gligor, Donescu
On 9/20/06, Leichter, Jerry wrote:
Newspaper reports have claimed that many troops were sent into the
field with old equipment - including in particular 10+-year-old
communications equipment.
The Single Channel Ground and Airborne Radio System was designed in the 80's:
On 9/15/06, Daniel Carosone wrote:
But let's not also forget that these criticisms apply approximately
equally to smart card deployments with readers that lack a dedicated
pinpad and signing display.
This looks mildly interesting:
http://www.projectblackdog.com/product.html
I
On 9/10/06, James A. Donald wrote:
Typo:
We transmit T(k)= {W(k)} + W(k-1)|{W(k-1)} where |
means bitwise or, curly brace means encryption.
Should read:
We transmit T(k) = {W(k)} + ((~W(k-11){W(k-1)})
where ~ means bitwise negation, | means bitwise or,
curly brace means
Hey,
Does anyone know of any OSS OS facilities for managing keys?
With ssh-agent and gpg-agent providing access to key storage
by inherited processes, and the keys themselves being vulnerable
as stored on-disk, I wonder if there isn't any more general facility
for doing key management and
Found at doxpara.com:
fingerprints: http://chris.fornax.net/biometrics.html
faceprints:
http://www.site.uottawa.ca/~adler/publications/2003/adler-2003-fr-templates.pdf
More on fingerprints:
http://onin.com/fp/cyanoho.html
At home I have an excellent page on making fake fingerprints, but I
Has anyone created hooks in MTAs so that they automagically
sign outbound email, so that you can stop forgery spam via a
SRV DNS record?
--
If you're not part of the solution, you're part of the precipitate.
Unix guru for rent or hire -- http://www.lightconsulting.com/~travis/
GPG fingerprint:
Never mind the algorithm, I saw the second PDF.
For the other readers, the algorithm in more
standard variable names is:
c_i = f_K(p_i xor c_(i-1)) xor p_(i-1)
IV = p_(-1), c_(-1)
I suppose the dependency on c_(i-1) and p_(i-1) is the part that
prevents the attacker from predicting and
The NIST server is down.
Care to post the algorithm?
By the term crib do you mean a known-plaintext?
I'd like to see a proof that it is not possible to alter the final
block to make it
decrypt to all zeroes; that seems worse than CRCs and putting a CRC at the
end of the plaintext is a common,
On 8/28/06, Ondrej Mikle wrote:
Take as an example group of Z_p* with p prime (in other words: DLP).
The triplet (Z, p, generator g) is a compression of a string of p-1
numbers, each number about log2(p) bits.
Pardon my mathematical ignorance, but isn't Z just a notation to
I didn't know about this RFC, but apparently the IETF
has a standard for selecting people randomly for sortition
in a publicly-verifiable way.
References:
http://rfc.sunsite.dk/rfc/rfc3797.html
http://www.isi.edu/in-notes/rfc3797.txt
This got me to thinking about random selection.
They take
I just realized I made a small error in algorithm 2.
On 9/2/06, Travis H. wrote:
2. This algorithm seems to waste fewer bits:
Initialize with c = 0.
x = extraction of n bits
That should read:
x = extraction of ceil(lg(p-c)) bits
Otherwise there's nothing gained by
carrying
On 8/23/06, Dave Korn wrote:
Given that, whatever passphrase you use, you will decrypt the EDK block and
get /something/ that looks like a key, this comparison of hashes is a sanity
test. If you bypass it but enter the wrong passphrase, you'll get an
incorrectly-decrypted
On 8/23/06, Ondrej Mikle wrote:
We discussed with V. Klima about the recent bug in PGPdisk that
allowed extraction of key and data without the knowledge of passphrase.
I skimmed the URL and it appears this claim was answered several times
in the original thread. Did you not
On 8/29/06, Alexander Klimov wrote:
Well, it's not really a claim since there was no definition, here it is:
A ``dependency stripping'' algorithm is a deterministic algorithm that
gets a stream of unbiased (but not necessarily independent) bits and
produces a stream of several
What is the complexity class for Eulerian paths/trails?
Wikipedia doesn't say.
--
If you're not part of the solution, you're part of the precipitate.
Unix guru for rent or hire -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
http://www.heise-security.co.uk/news/77244
``Although the demonstration was restricted to the reduced SHA-1
variant in 64 steps, it can, according to the experts, also be
generalised to the standard 80 step variant. This means that SHA-1
must also be considered as cracked in principle. Christian
Howdy!
I was talking to Terry Ritter, and he was explaining to me that when
he needed to make some keys from a user-supplied passphrase, he
computed various CRCs over the passphrase, and used those as derived
keys. I'd like to know more about it, and I was wondering if anyone
knew of any work
On 8/8/06, Ed Gerck wrote:
The worst-case setting for the user is likely to be when the coercer can
do all that you said and has the time/resources to do them. However, if
the distress password is strong (ie, not breakable within the time/resources
available to the coercer),
On 8/9/06, Ed Gerck wrote:
A debugger cannot decrypt without the key, which is produced only
with the access password.
Ah okay.
By the way, an interesting link from Schneier's blog, mentions
copyright and randomly-generated numbers:
On 8/8/06, Travis H. wrote:
Or, nobody has the data:
http://monolith.sourceforge.net/
http://www.schneier.com/blog/archives/2006/03/monolith.html
Grr... remind me not to read the comments on old blogs, it's
irritating to see so much misrepresentation...
The monolith model
Hey,
I was mulling over some old emails about randomly-generated numbers
and realized that if I had an imperfectly random source (something
less than 100% unpredictable), that compressing the output would
compress it to the point where it was nearly so. Would there be any
reason to choose one
On 7/20/06, Florian Weimer wrote:
Is this about Colin Percival's work?
The paper was by Dan Bernstein; Percival's comments are specific to
hyperthreading, but I think djb's research showed that it's applicable
to non-HT architectures as well.
--
Follow where reason leads --
On 7/15/06, John Kelsey wrote:
Another solution is to use cryptographic audit logs. Bruce Schneier
and I did some work on this several years ago, using a MAC to
authenticate the current record as it's written, and a one-way
function to derive the next key. (This idea was
On 7/14/06, David Mercer wrote:
WORM drives (and WORM tapes)
are used by organizations that need to prove that things weren't
altered (or to be able to audit when they are).
The problem with this is determining if the media has been replaced.
Absent other protections, one
On 7/11/06, Hal Finney wrote:
: So what went wrong? Answer: NIST failed to recognize that table lookups
: do not take constant time. "Table lookup: not vulnerable to timing
: attacks," NIST stated in [19, Section 3.6.2]. NIST's statement was,
: and is, incorrect.
That's
I'm still fleshing it out, but I've gathered a bunch of links/papers
on side-channel attacks:
http://www.lightconsulting.com/~travis/side_channel_attacks.html
Suggestions welcome.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent -
Sorry, noticed the subject line was misleading.
It contains every side channel attack I could find, including but not
limited to timing.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent - http://www.lightconsulting.com/~travis/ --
GPG
On 7/11/06, Adam Fields wrote:
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
Business ultimately depends on trust. There's some study out there -
Trust is not quite the opposite of security (in the sense of an
action, not as a state of being), but certainly
On 7/4/06, Taral wrote:
On 7/4/06, Andrea Pasquinucci wrote:
About RNG, does someone in the list have any comment, ideas on this
http://www.idquantique.com/products/quantis.htm
Why? Noise-based RNGs are just as random and just as quantum. :)
Hella fast.
On 7/3/06, Leichter, Jerry wrote:
You're damned if you do and damned if you don't. Would you want to use a
hardware RNG that was *not* inside a tamper-proof package - i.e., inside
of a package that allows someone to tamper with it?
Yes. If someone has physical access to
On 7/2/06, Peter Gutmann wrote:
You have to be pretty careful here. Most of the TPM chips are just rebadged
smart cards, and the RNGs on those are often rather dubious.
My last email of the day, I promise ;-)
And if you're interested in some of the smart card developments,
Going over old emails.
On 10/12/05, Jack Lloyd wrote:
I prefer a multi-stage design, as described by various people smarter than I
am:
source(s) -- mixer -- pool -- extractor -- X9.31
Did you really mean X9.31 and not X9.17?
--
Resolve is what distinguishes a person who
Hi folks,
Does anyone here know of any computer-based aids for breaking
classical cryptosystems? I'm thinking in particular of the ones in
Body of Secrets, which are so short that I really hope they're
monoalphabetic substitutions. But I'm interested in these sorts of
programs more generally.
What kind of problems do people run into when they try to make
cryptographic algorithms that reduce to problems of known complexity?
I'm expecting that the literature is full of such attempts, and one
could probably spend a lifetime reading up on them, but I have other
plans and would appreciate
On 6/8/06, Max wrote:
What they need is just to provide an access to their distinguisher in
the form of blackbox.
To prove its meaningfulness, the distinguisher must show consistent
results in distinguishing AES-encrypted data (say, for a fixed
plaintext without repeating
On 5/17/06, Kuehn, Ulrich wrote:
Given known plaintext and corresponding ciphertext, there should not be too
many keys that map the plaintext to the ciphertext. I don't have the
probability at hand how many such 'collisions' you would expect from 256 random
permutations, but
On 5/18/06, Travis H. wrote:
... There's 255 other permutations, so the chance that there is
at least one k' such that f_k'(x)=y is 255/256 = 99.6%. The chance
that there is exactly one such k' is sampling with replacement and if
I am not mistaken P(|K|=1) = (255/256)^255
I've googled for New Hash Functions and their Use in Authentication
and Set Equality and found several citations but no electronic
copies. I don't have access to a library that might have it, does
anyone here have one? Thanks.
On 5/15/06, [EMAIL PROTECTED] wrote:
Other than post by a guy - Terry someone or another - on sci.crypt
a number of years ago - I've never seen any work in this direction.
Is there stuff I'm not aware of?
That would probably be Terry Ritter, www.ciphersbyritter.com.
He calls
So...
Suppose I want a function to provide integrity and authentication, and
that is to be combined with a stream cipher (as is the plaintext). I
believe that authentication is free once I have integrity given the
fact that the hash value is superencrypted using the stream cipher,
whose key is
On 5/14/06, Eric Rescorla wrote:
Consider the case where you're transmitting message M. The
hash is H(M). You then encrypt (M || H(M)), generating
K XOR (M || H(M)). If the attacker knows M and H, he can
compute (M || H(M)) and compute K. Then he can re-encrypt
a message M' of
On 5/14/06, Victor Duchovni wrote:
Security is fragile. Deviating from well understood primitives may be
good research, but is not good engineering. Especially fragile are:
Point taken. This is not for a production system, it's a research thing.
TLS (available via OpenSSL)
- Stream ciphers (additive)
This reminds me, when people talk about linearity with regard to a
function, for example CRCs, exactly what sense of the word do they
mean? I can understand f(x) = ax + b being linear, but how exactly
does XOR get involved, and are there +-linear functions and
On 5/2/06, Ivan Krstic wrote:
I spent some time thinking about this a few years back:
http://diswww.mit.edu/bloom-picayune/crypto/15520
Rubberhose was one of the things that came up, along with StegFS and
BestCrypt. Unfortunately, it seems like Rubberhose hasn't seen work in
http://microcodes.sourceforge.net/
There you can find a PDF reviewing the microcode update feature.
Apparently the updates from Intel are 2048 bytes long overall, and
have a 4-byte checksum, and are encrypted using some kind of
mechanism on the processor. Since they don't (to my knowledge)
On 29 Apr 2006 02:00:18 -, StealthMonger wrote:
Interesting epilog: theregister has apparently now edited out all
mention of master keys.
They probably had their misunderstanding pointed out to them by
countless people by now.
But... did anyone else note the phrasing of
On 5/1/06, Perry E. Metzger wrote:
Not if you design it correctly. Disk encryption systems like CGD work
on the block level, and do not propagate CBC operations across blocks,
So is it vulnerable to any of the attacks here?
http://clemens.endorphin.org/LinuxHDEncSettings
I
Ross Anderson once said cryptically,
HMAC has a long story attached to it - the triumph of the
theory community over common sense
He wouldn't expand on that any more... does anyone have an idea of
what he is referring to?
--
Curiosity killed the cat, but for a while I was a suspect -- Steven
In case you wondered what was behind those sequences of digits...
Gory details here:
http://www.licenturion.com/xp/fully-licensed-wpa.txt
Ew, I think I have to take a shower now.
--
Curiosity killed the cat, but for a while I was a suspect -- Steven Wright
Security Guru for Hire
Background:
An A-code is a matrix E x M, where e is the encoding rule used, and m
is the message the transmitter should send (output). The message to
be authenticated (input) is s in { s_1 .. s_k }, and the contents of
the matrix are members of such that every row (encoding rule) contains
Hi, does anyone have a web reference on how to construct matrices for
non-cartesian A codes a la Simmons? I see descriptions of what they
should look like, but no algorithms for creating them.
http://www.drizzle.com/~aboba/IEEE/
--
Curiosity killed the cat, but for a while I was a suspect -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
So I'm reading up on unconditionally secure authentication in Simmons'
Contemporary Cryptology, and he points out that with RSA, given d,
you could calculate e (remember, this is authentication not
encryption) if you could factor n, which relates the two. However,
the implication is in the less
I have examined the LRNG paper and have a few comments.
CC'd to the authors so mind the followups.
1) In the paper, he mentions that the state file could be altered by
an attacker, and then he'd know the state when it first came up. Of
course, if he could do that, he could simply install a
Hi,
Does anyone have a good idea on how to OWF passphrases without
reducing them to lower entropy counts? That is, I've seen systems
which hash the passphrase then use a PRF to expand the result --- I
don't want to do that. I want to have more than 160 bits of entropy
involved.
I was thinking
Anyone see a reason why the digits of Pi wouldn't form an excellent
public large (infinite, actually) string of random bits?
There's even an efficient digit-extraction (a/k/a random access to
fractional bits) formula, conveniently base 16:
http://mathworld.wolfram.com/BBPFormula.html
I dub this
Here's a 1997 paper on quantum computing in the large that I had
been asking about:
http://www.media.mit.edu/physics/projects/spins/home.html
Neil Gershenfeld and Isaac Chuang have developed an entirely new
approach to quantum computation that promises to solve many of these
problems. Instead of