. Maybe study ZRTP and tcpcrypt for comparison. Don't try to study
foolscap, even though it is a very interesting practical approach,
because there doesn't exist documentation of the protocol at the right
level for you to learn from.
Regards,
Zooko
https://LeastAuthority.com ← verifiably end
safer than RSA-PSS
is with regard to this issue.
Regards,
Zooko
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
neighborhood TLS implementor to move fast on
http://tools.ietf.org/id/draft-josefsson-salsa20-tls-02.txt .
Regards,
Zooko
there was an automated thing in Time
Machine to let me trade backups with an offsite friend as well.
The Least-Authority Filesystem comes with a nice backup tool (tahoe backup),
but it does not come with a nice GUI for your non-technical friends.
Regards,
Zooko
*backup*, and a secure cloud storage API that people use to build
other services. So we aren't competitors.)
Regards,
Zooko Wilcox-O'Hearn
Founder, CEO, and Customer Support Rep
https://LeastAuthority.com
Freedom matters.
Here's a nice resource: RFC 6090!
https://tools.ietf.org/html/rfc6090
Also relevant:
http://cr.yp.to/ecdh/patents.html
I'd be keen to see a list of potentially-relevant patents which have
expired or are due to expire within the next 5 years.
Regards,
Zooko Wilcox-O'Hearn
Founder, CEO
encryption. It is possible. It isn't easy, but we just might make it!
We welcome criticism, suggestions, and requests from you all.
Regards,
Zooko Wilcox-O'Hearn
Founder, CEO, and Customer Support Rep
https://LeastAuthority.com
Freedom matters
than the current core developers are possible. In that event, we
would try to persuade any such forks to adopt a similar policy.
The following Tahoe-LAFS developers agree with this statement:
David-Sarah Hopwood
Zooko Wilcox-O'Hearn
Brian Warner
Kevan Carstensen
Frédéric Marti
Jack Lloyd
François
and Zooko Wilcox-O'Hearn
on behalf of the Tahoe-LAFS team
September 23, 2010
Rainhill, Merseyside, UK and Boulder, Colorado, USA
[1] http://tahoe-lafs.org/trac/tahoe/browser/relnotes.txt?rev=4579
[2] http://tahoe-lafs.org/trac/tahoe/browser/NEWS?rev=4732
[3] http://tahoe-lafs.org/trac/tahoe/wiki
of love by volunteers. Thank you very much to the
team of hackers in the public interest who make Tahoe-LAFS
possible.
David-Sarah Hopwood and Zooko Wilcox-O'Hearn
on behalf of the Tahoe-LAFS team
July 18, 2010
Rainhill, Merseyside, UK and Boulder, Colorado, USA
[1] http://tahoe-lafs.org/trac
with a better demonstration
that they were generated with any possible back door than do the
NIST curves [3].
Regards,
Zooko
[1] http://www.keylength.com/
[2] http://bench.cr.yp.to/results-sign.html
[3]
http://www.ecc-brainpool.org/download/draft-lochter-pkix-brainpool-ecc-00.txt
has good properties (efficiency, simplicity, ease of implementation)
and which is based on substantially different ideas and which isn't
currently under patent protection (therefore excluding NTRUSign).
Any ideas?
[1] http://eprint.iacr.org/2007/019
Regards,
Zooko
lector.
Regards,
Zooko
On Thu, Apr 22, 2010 at 12:40 PM, Jonathan Katz jk...@cs.umd.edu wrote:
On Thu, 22 Apr 2010, Zooko O'Whielacronx wrote:
Unless I misunderstand, if you read someone's plaintext without having
the private key then you have proven that P=NP!
…
The paper you cite reduces security to a hard
on to talk about more Tahoe-LAFS-specific
engineering considerations and expose my ignorance about exactly what
properties are required of the underlying secure hash functions.
Regards,
Zooko
.
Regards,
Zooko
ANNOUNCING Tahoe, the Least-Authority File System, v1.7.0
The Tahoe-LAFS team is pleased to announce the immediate
availability of version 1.7.0 of Tahoe-LAFS, an extremely
reliable distributed storage system.
Tahoe-LAFS is the first distributed storage system which offers
against key-leakage attacks, as well as an oblivious
transfer protocol that is secure against semi-honest adversaries.
Unless I misunderstand, if you read someone's plaintext without having
the private key then you have proven that P=NP!
Nice. :-)
Regards,
Zooko
!
Unfortunately that one in particular doesn't provide digital
signatures, only public key encryption, and what I most need for the
One Hundred Year Cryptography project is digital signatures.
Regards,
Zooko
[1] http://allmydata.org/pipermail/tahoe-dev/2010-April/date.html
[2] http
on the MAC and you
want 128-bit crypto strength) or something in between.
Regards,
Zooko
to be much stronger than
H1 or H2 alone.
Regards,
Zooko
[1] http://extendedsubset.com/Renegotiating_TLS.pdf
[2] http://allmydata.org/trac/tahoe/wiki/NewCaps/WhatCouldGoWrong
[3] http://bench.cr.yp.to/results-hash.html#arm-apollo
[4] Krzysztof Pietrzak: Non-Trivial Black-Box Combiners
and birth number or other such
guaranteed-unique data instead of storing an IV? (Apropos recent
discussion on the cryptography list [2].)
Regards,
Zooko
[1] http://hub.opensolaris.org/bin/download/Project+zfs%2Dcrypto/
files/zfs%2Dcrypto%2Ddesign.pdf
[2] http://www.mail-archive.com
to the prescribed technique?
Regards,
Zooko
P.S. If you read this letter all the way to the end then please let
me know. I try to make them short, but sometimes I think they are
too long and make too many assumptions about what the reader already
knows. Did this message make sense
he finds the current solution unsatisfactory,
perhaps because he assumed the audience already shared his view. (I
think he mentioned something in his letter like the well-known
failures of the SSL/CA approach to this problem.)
Regards,
Zooko
following-up to my own post:
On Monday, 2009-09-14, at 10:22, Zooko Wilcox-O'Hearn wrote:
David-Sarah Hopwood suggested the improvement that the integrity-
check value V could be computed as an integrity check (i.e. a
secure hash) on the K1_enc in addition to the file contents.
Oops
And while you are at it, please implement these test vectors and
report to Niels Ferguson:
http://blogs.msdn.com/si_team/archive/2006/05/19/aes-test-vectors.aspx
Regards,
Zooko
].
If any smart cryptographer or hacker reading this wants to create
secure, decentralized storage, please join us! We could use the
help! :-)
Regards,
Zooko
[1] http://allmydata.org/~zooko/lafs.pdf
[2] http://allmydata.org/pipermail/tahoe-dev/2009-June/001995.html
[3] http://allmydata.org
On Thursday, 2009-08-27, at 19:14, James A. Donald wrote:
Zooko Wilcox-O'Hearn wrote:
Right, and if we add algorithm agility then this attack is
possible even if both SHA-2 and SHA-3 are perfectly secure!
Consider this variation of the scenario: Alice generates a
filecap and gives
of this series will be about Tahoe-LAFS directories
(those are the most convenient way to bundle together multiple caps
-- put them all into a directory and then use the cap which points to
that directory). Installment 5 will be about future work and new
crypto ideas.
Regards,
Zooko
[1
the file and then pass it on to his trusted, v1.7-using,
partner?
Hm...
This at least suggests that the v1.7 readers need to check *all*
hashes that are offered and raise an alarm if some verify and others
don't. Is that good enough?
:-/
Regards,
Zooko
[1] http://www.mail-archive.com
people who keep
their Tahoe-LAFS caps more securely, on Unix filesystems, on
encrypted USB keys, etc.
Regards,
Zooko
[*] Linus Torvalds got the idea of a Cryptographic Hash Function
Directed Acyclic Graph structure from an earlier distributed revision
control tool named Monotone. He
On Wednesday, 2009-08-19, at 10:05, Jack Lloyd wrote:
On Wed, Aug 19, 2009 at 09:28:45AM -0600, Zooko Wilcox-O'Hearn wrote:
[*] Linus Torvalds got the idea of a Cryptographic Hash Function
Directed Acyclic Graph structure from an earlier distributed
revision control tool named Monotone
consider to be the most
important issue for practical security of systems like these.
Regards,
Zooko, writing e-mail on his lunch break
[1] http://dev.cleversafe.org/weblog/?p=63
[2] http://dev.cleversafe.org/weblog/?p=95
[3] http://dev.cleversafe.org/weblog/?p=111
[4] http
archive:
http://www.mail-archive.com/cryptography@metzdowd.com/msg10680.html
Here it is on the tahoe-dev mailing list archive. Note that
threading is screwed up in our mailing list archive. :-(
http://allmydata.org/pipermail/tahoe-dev/2009-August/subject.html#start
Regards,
Zooko
On Monday, 2009-08-10, at 13:47, Zooko Wilcox-O'Hearn wrote:
This conversation has bifurcated,
Oh, and while I don't mind if people want to talk about this on the
tahoe-dev list, it doesn't have that much to do with tahoe-lafs
anymore, now that we're done comparing Tahoe-LAFS
[dropping tahoe-dev from Cc:]
On Thursday, 2009-08-06, at 2:52, Ben Laurie wrote:
Zooko Wilcox-O'Hearn wrote:
I don't think there is any basis to the claims that Cleversafe
makes that their erasure-coding (Information Dispersal)-based
system is fundamentally safer
...
Surely
or on
your corporate server. The Cleversafe FUD doesn't help people
understand the issues better.
Regards,
Zooko
[1] http://allmydata.org/pipermail/tahoe-dev/2009-July/002482.html
[2] http://allmydata.org/pipermail/tahoe-dev/2009-August/002514.html
[*] Somebody stated on a mailing list
modern cryptosystems and in many cases would not
be necessary either.
Okay I think that's it. I hope these notes are not so terse as to be
confusing or inflammatory.
Regards,
Zooko Wilcox-O'Hearn
[1] http://allmydata.org/pipermail/tahoe-dev/2009-July/002482.html
[2] http://allmydata.org
Poly1305 to VMAC, please report
your measurement, at least to me privately if not to the list. I can
use that sort of feedback to contribute improvements to the Crypto++
library. Thanks!
Regards,
Zooko Wilcox-O'Hearn
---
Tahoe, the Least-Authority Filesystem -- http://allmydata.org
store
will be added to the Hall Of Fame
at http://hacktahoe.org . :-)
Regards,
Zooko
---
The Tahoe-LAFS team is pleased to announce the immediate availability of
version 1.5 of Tahoe, the Lofty Atmospheric File System.
Tahoe-LAFS is the first cloud storage technology which offers security
and privacy
.
http://allmydata.org/pipermail/tahoe-dev/2009-July/002482.html
Jason Resch of cleversafe has also been participating in the
discussion on that list.
Regards,
Zooko
).
But, it is time for me to stop reading about cryptography and get
ready to go to work. :-)
Regards
Zooko
---
Tahoe, the Least-Authority Filesystem -- http://allmydata.org
store your data: $10/month -- http://allmydata.com/?tracking=zsig
I am available for work -- http://zooko.com/résumé.html
On Sunday, 2009-07-19, at 13:24, Paul Hoffman wrote:
At 7:54 AM -0600 7/18/09, Zooko Wilcox-O'Hearn wrote:
This involves deciding whether a 192-bit elliptic curve public key
is strong enough...
Why not just go with 256-bit EC (128-bit symmetric strength)? Is
the 8 bytes per signature
...@echeque.com to the list of
addresses that can post to tahoe-dev without being subscribed.
Regards,
Zooko
(in addition to RSA and ECDSA
for backward compatibility).
Regards,
Zooko Wilcox-O'Hearn
P.S. Oh, I told a lie in the interests of brevity when I said that
file handles contain actual public keys or actual private keys. RSA
keys are way too big for that. So instead we go through interesting
-
based access control scheme.
Regards,
Zooko
[1] http://allmydata.org
[2] http://allmydata.org/trac/tahoe/browser/docs/architecture.txt
[3] http://duplicity.nongnu.org
[4] http://podcast.utos.org/index.php?id=52
support.
Zooko Wilcox-O'Hearn
on behalf of the allmydata.org team
Special acknowledgment goes to Brian Warner, whose superb engineering
skills and dedication are primarily responsible for the Tahoe
implementation, and significantly responsible for the Tahoe design as
well, not to mention most
, or malicious.
Such ambitious security goals benefit greatly from public criticism
and review, so please kick the tires and let us know what you think.
Regards,
Zooko
ANNOUNCING allmydata.org Tahoe, the Least-Authority Filesystem, v1.3
We are pleased to announce the release of version 1.3.0
of these
currencies?
My white paper could use a little updating, but the basic conclusions
remain sound:
http://www.taugh.com/epostage.pdf
Thanks! I'll read this.
Regards,
Zooko
being involved in a project that might lead to a third
attempt.
Regards,
Zooko
---
http://allmydata.org -- Tahoe, the Least-Authority Filesystem
http://allmydata.com -- back up all your files for $10/month
to think about parallelism of hash
functions, I'm all ears.
Thanks,
Zooko
---
http://allmydata.org -- Tahoe, the Least-Authority Filesystem
http://allmydata.com -- back up all your files for $5/month
Dear people of the Cryptography mailing list:
The Hack Tahoe! contest (http://hacktahoe.org ) has already led
security researchers to spot a flaw in our crypto design. This
release fixes that flaw.
Regards,
Zooko
ANNOUNCING Allmydata.org Tahoe, the Least-Authority Filesystem, v1.2
Folks:
This contest is inspired by Sameer Parekh's Hack Netscape! contest
in the fall of 1995.
It is already eliciting some really good security insights from smart
people.
Regards,
Zooko
ANNOUNCING the Hack Tahoe! contest
http://hacktahoe.org
Tahoe, the Least-Authority Filesystem
Obfuscated TCP:
http://code.google.com/p/obstcp/
One of the design constraints for Obfuscated TCP was that an
Obfuscated TCP connection is required to take zero more round trips
to set up and use than a normal TCP connection. Way to go, Adam!
Regards,
Zooko
,
Zooko
[1] https://financialcryptography.com/mt/archives/001064.html
[2] http://www.creativedestruction.com/archives/000937.html
that it would be illegal to release it, or
threatened them with unfortunate coincidences if they went ahead, or
persuaded them that GPL'ing it would aid terrorists and cause the
needless deaths of innocents.
Regards,
Zooko
-name for the most recent
OpenSPARC -- its product name is T2.)
Appended is my reply. If anyone on this list knows more about the
relevant export regulations, please share.
Regards,
Zooko
[1] http://www.opensparc.net/opensparc-t2/downloads.html
[2] http://www.mail-archive.com/cryptography
, bug reports, suggestions, demands, and money (employing several
allmydata.org Tahoe hackers and instructing them to spend part of
their work time on this free-software project). We are eternally
grateful!
Zooko O'Whielacronx
on behalf of the allmydata.org team
June 11, 2008
San Francisco
On May 24, 2008, at 9:18 PM, Steven M. Bellovin wrote:
I believe that all open source Unix-like systems have /dev/random
and /dev/urandom; Solaris does as well.
By the way, Solaris is an open source Unix-like system nowadays. ;-)
Regards,
Zooko
, and the Sun open source ombudsman, Simon Phipps. None of
them ever wrote back.
This experience rather dampened my enthusiasm about relying on T2
hardware as a higher-assurance, but still pretty commodified, crypto
implementation.
Regards,
Zooko
I will be forced to
rely on an argument of the other form -- that users are unlikely to
use it in an unsafe way.
Thank you again for your thoughtful comments on this issue.
Regards,
Zooko O'Whielacronx
further
ideas, especially as would be relevant to the Tahoe Least-Authority
Filesystem, I would love to hear them.
Regards,
Zooko O'Whielacronx
[1] http://copacobana.org/
it with files that she intended not to divulge, but
that were susceptible to being brute-forced in this way by an attacker.
On Mar 20, 2008, at 10:56 PM, Jim McCoy wrote:
On Mar 20, 2008, at 12:42 PM, zooko wrote:
Security engineers have always appreciated that convergent
encryption allows
, demands, and money (employing several
allmydata.org Tahoe hackers and instructing them to spend part of
their work time on this free-software project). We are eternally
grateful!
Zooko O'Whielacronx
on behalf of the allmydata.org team
March 25, 2008
San Francisco, California, USA
[1] http
(This is an ASCII rendering of https://zooko.com/
convergent_encryption_reconsidered.html .)
Convergent Encryption Reconsidered
Written by Zooko Wilcox-O'Hearn, documenting ideas due to Drew
Perttula, Brian Warner, and Zooko Wilcox-O'Hearn, 2008-03-20.
Abstract
Dear Perry Metzger:
Jim McCoy asked me to forward this, as he is not subscribed to
cryptography@metzdowd.com, so his posting bounced.
Regards,
Zooko
Begin forwarded message:
From: Jim McCoy [EMAIL PROTECTED]
Date: March 20, 2008 10:56:58 PM MDT
To: theory and practice of decentralized
. Allmydata, Inc. contributes hardware, software,
ideas, bug reports, suggestions, demands, and money (employing several
allmydata.org Tahoe hackers and allowing them to spend part of their
work time on the next-generation, free-software project). We are
eternally grateful!
Zooko O'Whielacronx
to spend part of their
work time on the next-generation, free-software project). We are
eternally grateful!
Zooko O'Whielacronx
on behalf of the allmydata.org team
February 15, 2008
Boulder, Colorado, USA
[1] http://allmydata.org/trac/tahoe/browser/relnotes.txt?rev=1805
[2] http
on it before the May 2000 patent submission by
Douceur et al., but Mojo Nation and Freenet each published the idea
shortly after May 2000. According to my limited understanding of
patent law, this means that they don't count as prior art on that
patent.
Regards,
Zooko
[1] http
on it?
I'm curious if your crypto library is to be implemented by use of
another one, perhaps an open-source one that I am familiar with.
Nowadays I prefer Crypto++ [1].
Regards,
Zooko
[1] http://cryptopp.com
them to
short hand-written notes is what the Pet Name Toolbar automates for you:
https://addons.mozilla.org/en-US/firefox/addon/957
Please let us know how it works for you.
Regards,
Zooko
at the time was to avoid the risk of Java being
export-controlled as crypto. The theory within Sun was that crypto with a
hole would be free from export controls but also be useful for programmers.
Regards,
Zooko
function is more important than speed in encryption.
By the way, the traditional practice of using a hash function as a
component of a MAC should, in my humble opinion, be retired in favor of
the Carter-Wegman alternative such as Poly1305-AES [7].
Regards,
Zooko
[1] http://allmydata.com/
[2
is vulnerable to
Charles's choice of package because she trusts Bob to choose packages
and Bob trusts Charles to provide image files. And because they are
using a non-collision-resistant hash function.
Regards,
Zooko
On 2004, Sep 11, at 17:20, Sandy Harris wrote:
Zooko O'Whielacronx wrote:
I believe that in the context of e-mail [1, 2, 3, 4] and FreeSWAN
this is called opportunistic encryption.
That is certainly not what FreeS/WAN meant by opportunistic
encryption.
http://www.freeswan.org/freeswan_trees
of such ideas, but I
have not yet read your book on TLS.
Thanks,
Zooko
[1] http://www.terisa.com/shttp/current.txt
://www.cse.ucsc.edu/~abadi
[2] http://research.microsoft.com/users/needham/
[3] http://citeseer.nj.nec.com/manber96simple.html
[4] http://www.cse.ucsc.edu/~abadi/Papers/pwd-revised.ps
Regards,
Zooko
misunderstood your desiderata though, so don't take my word for it. ;-)
Regards,
Zooko
License
| Hackers like accepting code under it
| | Combine with proprietary and redistribute
| | | Combine with GPL'ed code and redistribute
,
Zooko the Zoogulant
peripheral. The same qualities would arise if this were implemented
with a different commitment protocol, such as sending a secure hash of the
tuple of (my_message, a_random_nonce).
Regards,
Zooko
http://zooko.com/log.html
) will make the scripting language glue code for you
automatically.
I use SWIG and like it. They say that the new SWIG handles templates better
than good old 1.1.
I haven't tried SWIG on Crypto++. I would really *like* for someone else to
do so and share the results...
Regards,
Zooko
Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85,
which are on my shelf. Where was it published?
R. L. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM,
27:393-395, April 1984.
that requirement, but I'm not sure
it is the same definition that other people are thinking of.
Anyway, it is a funny and underappreciated niche in cryptography, IMO. AFAIK
nobody has yet spelled out in the open literature what the actual theoretical
limitations are.
Regards,
Zooko
http
for him to see.
Regards,
Zooko
http://zooko.com/
applies to remote
filesystems.
It is an excellent idea.
Regards,
Zooko
for these sorts of apps, but I am saying that the
notion of replay-prevention and integrity which is implemented in TLS is
insufficient for these sorts of apps, and that I'm interested in attempts to
offer a higher-level abstraction.
Regards,
Zooko
http://zooko.com/