On 10 October 2013 17:06, John Kelsey crypto@gmail.com wrote:
Just thinking out loud
The administrative complexity of a cryptosystem is overwhelmingly in key
management and identity management and all the rest of that stuff. So
imagine that we have a widely-used inner-level
On 5 October 2013 20:18, james hughes hugh...@mac.com wrote:
On Oct 5, 2013, at 12:00 PM, John Kelsey crypto@gmail.com wrote:
http://keccak.noekeon.org/yes_this_is_keccak.html
From the authors: NIST's current proposal for SHA-3 is a subset of the
Keccak family, one can generate the test
On 1 October 2013 01:10, James A. Donald jam...@echeque.com wrote:
On 2013-10-01 04:22, Salz, Rich wrote:
designate some big player to do it, and follow suit?
Okay that data encoding scheme from Google protobufs or Facebook thrift.
Done.
We have a compiler to generate C code from ASN.1
On 30 September 2013 23:24, John Kelsey crypto@gmail.com wrote:
Maybe you should check your code first? A couple nist people verified
that the curves were generated by the described process when the questions
about the curves first came out.
If you don't quote the message you're
On 1 October 2013 09:46, James A. Donald jam...@echeque.com wrote:
On 2013-10-01 18:06, Ben Laurie wrote:
On 1 October 2013 01:10, James A. Donald jam...@echeque.com wrote:
Further, google is unhappy that too-clever-code gives too-clever
programmers too much power, and has prohibited
On 30 September 2013 10:47, Adam Back a...@cypherspace.org wrote:
I think lack of soft-hosting support in TLS was a mistake - it's another
reason not to turn on SSL (IPv4 addresses are scarce and can only host one
SSL domain per IP#, that means it costs more, or a small hosting company
can
On 18 September 2013 22:23, Lucky Green shamr...@cypherpunks.to wrote:
According to published reports that I saw, NSA/DoD pays $250M (per
year?) to backdoor cryptographic implementations. I have knowledge of
only one such effort. That effort involved DoD/NSA paying $10M to a
leading
On 18 September 2013 15:30, Viktor Dukhovni cryptogra...@dukhovni.org wrote:
On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote:
Given that many real organizations have hundreds of front end
machines sharing RSA private keys, theft of RSA keys may very well be
much easier
On 16 September 2013 18:49, Phillip Hallam-Baker hal...@gmail.com wrote:
To me the important thing about transparency is that it is possible for
anyone to audit the key signing process from publicly available
information. Doing the audit at the relying party end prior to every
reliance seems
On 10 September 2013 11:29, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
We need to get an extension number allocated, since the one it uses
clashes
with ALPN.
It does? draft-ietf-tls-applayerprotoneg-01 doesn't mention ID 0x10
anywhere.
(In any case
On 9 September 2013 22:49, Stephen Farrell stephen.farr...@cs.tcd.ie wrote:
Hi Ben,
On 09/09/2013 05:29 PM, Ben Laurie wrote:
Perry asked me to summarise the status of TLS a while back ... luckily I
don't have to because someone else has:
http://tools.ietf.org/html/draft-sheffer-tls
On 10 September 2013 03:59, james hughes hugh...@mac.com wrote:
On Sep 9, 2013, at 2:49 PM, Stephen Farrell stephen.farr...@cs.tcd.ie
wrote:
On 09/09/2013 05:29 PM, Ben Laurie wrote:
Perry asked me to summarise the status of TLS a while back ... luckily I
don't have to because someone
On 10 September 2013 22:04, Joe Abley jab...@hopcount.ca wrote:
Suppose Mallory has access to the private keys of CAs which are in the
browser list or otherwise widely-trusted.
An on-path attack between Alice and Bob would allow Mallory to terminate
Alice's TLS connection, presenting an
Perry asked me to summarise the status of TLS a while back ... luckily I
don't have to because someone else has:
http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
In short, I agree with that draft. And the brief summary is: there's only
one ciphersuite left that's good, and unfortunately its
On 6 September 2013 18:24, Perry E. Metzger pe...@piermont.com wrote:
On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie b...@links.org wrote:
On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com
wrote:
Google is also now (I believe) using PFS on their connections
On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote:
Google is also now (I believe) using PFS on their connections, and
they handle more traffic than anyone. A connection I just made to
https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1,
ECDHE_RSA.
It would be good
On 6 September 2013 17:20, Peter Saint-Andre stpe...@stpeter.im wrote:
Is there a handy list of PFS-friendly
ciphersuites that I can communicate to XMPP developers and admins so
they can start upgrading their software and deployments?
Anything with EDH, DHE or ECDHE in the name...
On 26 August 2013 22:43, Perry E. Metzger pe...@piermont.com wrote:
(I would prefer to see hybrid capability systems in such
applications, like Capsicum, though I don't think any such have been
ported to Linux and that's a popular platform for such work.)
FWIW, we're working on a Linux port
On 4 September 2013 15:49, Perry E. Metzger pe...@piermont.com wrote:
On Wed, 4 Sep 2013 10:37:12 -0400 Perry E. Metzger
pe...@piermont.com wrote:
Phil Karn described a construction for turning any hash function
into the core of a Feistel cipher in 1991. So far as I can tell,
such ciphers
On 25 August 2013 21:29, Perry E. Metzger pe...@piermont.com wrote:
[Disclaimer: very little in this seems deeply new, I'm just
mixing it up in a slightly different way. The fairly simple idea I'm
about to discuss has germs in things like SPKI, Certificate
Transparency, the Perspectives
On 22 August 2013 10:36, Phillip Hallam-Baker hal...@gmail.com wrote:
Preventing key substitution will require a combination of the CT ideas
proposed by Ben Laurie (so catenate proof notaries etc) and some form of
'no key exists' demonstration.
We have already outline how to make verifiable
On 6 October 2010 11:57, Ray Dillinger b...@sonic.net wrote:
a 19-year-old just got a 16-month jail sentence for his refusal to
disclose the password that would have allowed investigators to see
what was on his hard drive.
16 weeks, says the article.
On 15/09/2010 00:26, Nicolas Williams wrote:
On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote:
How do you deliver Javascript to the browser securely in the first
place? HTTP?
I'll note that Ben's proposal is in the same category as mine (which
was, to remind you, implement SCRAM in
On 14/09/2010 21:16, Marsh Ray wrote:
On 09/14/2010 09:13 AM, Ben Laurie wrote:
Demo here: https://webid.digitalbazaar.com/manage/
This Connection is Untrusted
So? It's a demo.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
There is no limit to what a man can do
be used to prototype
UI, perhaps finally leading to something usable in browsers.
Slide deck here: http://payswarm.com/slides/webid/#(1)
(note, videos use flash, I think, so probably won't work for anyone with
their eye on the ball).
Demo here: https://webid.digitalbazaar.com/manage/
Cheers,
Ben
On 9 September 2010 10:08, James A. Donald jam...@echeque.com wrote:
On 2010-09-09 6:35 AM, Ben Laurie wrote:
What I do in Nigori for this is use DSA. Your private key, x, is the
hash of the login info. The server has g^x, from which it cannot
recover x,
Except, of course, by dictionary
On 8 September 2010 16:45, f...@mail.dnttm.ro wrote:
Hi.
Just subscribed to this list for posting a specific question. I hope the
question I'll ask is in place here.
We do a web app with an Ajax-based client. Anybody can download the client
and open the app, only, the first thing the app
then I
wonder why NIST didn't specify how to generate and validate such a seed?
Cheers,
Ben.
On 01/09/2010 22:45, Zooko O'Whielacronx wrote:
On Wed, Sep 1, 2010 at 2:55 PM, Ben Laurie b...@links.org wrote:
Or, to put it another way, in order to show that a Merkle signature is
at least as good as any other, then you'll first have to show that an
iterated hash is at least as secure
On 28/07/2010 01:07, Paul Tiemann wrote:
There is a long list of flyblown metaphors which could similarly be
got rid of if enough people would interest themselves in the job; and
it should also be possible to laugh the not un- formation out of
existence*...
*One can cure oneself of the not
On 28/07/2010 00:14, Paul Tiemann wrote:
On Jul 27, 2010, at 3:34 PM, Ben Laurie wrote:
On 24/07/2010 18:55, Peter Gutmann wrote:
- PKI dogma doesn't even consider availability issues but expects the
straightforward execution of the condition problem - revoke cert. For a
situation like
On 28/07/2010 09:57, Peter Gutmann wrote:
Ben Laurie b...@links.org writes:
On 24/07/2010 18:55, Peter Gutmann wrote:
- PKI dogma doesn't even consider availability issues but expects the
straightforward execution of the condition problem - revoke cert. For
a
situation like
On 28/07/2010 13:18, Peter Gutmann wrote:
Ben Laurie b...@links.org writes:
I find your response strange. You ask how we might fix the problems, then
you
respond that since the world doesn't work that way right now, the fixes
won't
work. Is this just an exercise in one-upmanship? You
On 28/07/2010 14:05, Perry E. Metzger wrote:
It is not always the case that a dead technology has failed because of
infeasibility or inapplicability. I'd say that a number of fine
technologies have failed for other reasons. However, at some point, it
becomes incumbent upon the proponents of a
On 28 July 2010 15:05, Perry E. Metzger pe...@piermont.com wrote:
On Wed, 28 Jul 2010 14:38:53 +0100 Ben Laurie b...@links.org wrote:
On 28/07/2010 14:05, Perry E. Metzger wrote:
It is not always the case that a dead technology has failed
because of infeasibility or inapplicability. I'd say
On 28/07/2010 15:18, Peter Gutmann wrote:
Ben Laurie b...@links.org writes:
However, using private keys to prove that you are (probably) dealing with
the
same entity as yesterday seems like a useful thing to do. And still needs
revocation.
It depends on what you mean by revocation
On 28/07/2010 16:01, Perry E. Metzger wrote:
On Wed, 28 Jul 2010 15:16:32 +0100 Ben Laurie b...@google.com wrote:
SSH does appear to have got away without revocation, though the
nature of the system is s.t. if I really wanted to revoke I could
almost always contact the users and tell them
On 27/07/2010 15:11, Peter Gutmann wrote:
The intent with posting it to the list was to get input from a collection of
crypto-savvy people on what could be done. The issue had previously been
discussed on a (very small) private list, and one of the members suggested I
post it to the
by the Realtek or JMicron certs?
One way to mitigate this would be to revoke a cert on a date, and only
reject signatures on files you received after that date.
Cheers,
Ben.
On 12 July 2010 18:13, Jack Lloyd ll...@randombit.net wrote:
On Mon, Jul 12, 2010 at 12:22:51PM -0400, Perry E. Metzger wrote:
BTW, let me note that if Intel wanted to gimmick their chips to make
them untrustworthy, there is very little you could do about it. The
literature makes it clear at
On 2 July 2010 13:19, Eugen Leitl eu...@leitl.org wrote:
http://www.technologyreview.com/printer_friendly_article.aspx?id=25670&channel=Briefings&section=Microprocessors
Tuesday, June 29, 2010
Nanoscale Random Number Circuit to Secure Future Chips
Intel unveils a circuit that can pump out
On 10 July 2010 11:57, Jerry Leichter leich...@lrw.com wrote:
Beyond simple hacking - someone is quoted saying You can consider GPS a
little like computers before the first virus - if I had stood here before
then and cried about the risks, you would've asked 'why would anyone
bother?'. - among
protocols is hard. And TLS
isn't one. Or maybe it is, now that the channels before and after
rekeying are bound together (which would seem to invalidate your
argument above).
Cheers,
Ben.
On Mon, Nov 16, 2009 at 11:30 AM, Bernie Cosell ber...@fantasyfarm.com wrote:
As I understand it, this is only really a vulnerability in situations
where a command to do something *precedes* the authentication to enable
the command. The obvious place where this happens, of course, is with
On Sun, Nov 8, 2009 at 7:07 AM, John Levine jo...@iecc.com wrote:
So before I send it off, if people have a moment could you look at it
and tell me if I'm missing something egregiously obvious? Tnx.
I've made it an entry in my blog at
http://weblog.johnlevine.com/Money/securetrans.html
On Sat, Oct 17, 2009 at 10:23 AM, John Gilmore g...@toad.com wrote:
Even plain DSA would be much more space efficient on the signature
side - a DSA key with p=2048 bits, q=256 bits is much stronger than a
1024 bit RSA key, and the signatures would be half the size. And NIST
allows (2048,224)
On Mon, Aug 10, 2009 at 6:35 PM, Peter Gutmannpgut...@cs.auckland.ac.nz wrote:
More generally, I can't see that implementing client-side certs gives you much
of anything in return for the massive amount of effort required because the
problem is a lack of server auth, not of client auth. If I'm
Perry E. Metzger wrote:
Yet another reason why you always should make the crypto algorithms you
use pluggable in any system -- you *will* have to replace them some day.
In order to roll out a new crypto algorithm, you have to roll out new
software. So, why is anything needed for pluggability
Zooko Wilcox-O'Hearn wrote:
I don't think there is any basis to the claims that Cleversafe makes
that their erasure-coding (Information Dispersal)-based system is
fundamentally safer, e.g. these claims from [3]: a malicious party
cannot recreate data from a slice, or two, or three, no matter
On Sat, Aug 1, 2009 at 10:06 PM, Jerry Leichterleich...@lrw.com wrote:
Why Cloud Computing Needs More Chaos:
http://www.forbes.com/2009/07/30/cloud-computing-security-technology-cio-network-cloud-computing.html
[Moderator's note: ... the article is about a growing problem -- the
lack of good
Paul Hoffman wrote:
At 8:07 PM -0700 6/5/09, Greg Perry wrote:
Greetings list members,
I have published a unique factoring method related to Pollard's Rho
that is published here:
http://blog.liveammo.com/2009/06/factoring-fun/
Any feedback would be appreciated.
Is there any
Steven M. Bellovin wrote:
We've become prisoners of dogma here. In 1979, Bob Morris and Ken
Thompson showed that passwords were guessable. In 1979, that was
really novel. There was a lot of good work done in the next 15 years
on that problem -- Spaf's empirical observations, Klein's '90
Cat Okita wrote:
On Sat, 21 Feb 2009, Peter Gutmann wrote:
This points out an awkward problem though, that if you're a commercial
vendor
and you have a customer who wants to do something stupid, you can't
afford not
to allow this. While my usual response to requests to do things
insecurely
, or the Java JCE, and in fact is built
on these libraries.
Cheers,
Ben.
Alexander Klimov wrote:
On Wed, 11 Feb 2009, Ben Laurie wrote:
If I have data on my server that I would like to stay on my server
and not get leaked to some third party, then this is exactly the
same situation as DRMed content on an end user's machine, is it not?
The threat model
Peter Gutmann wrote:
Ben Laurie b...@links.org writes:
Apart from the obvious fact that if the TPM is good for DRM then it is also
good for protecting servers and the data on them,
In which way, and for what sorts of protection? And I mean that as a
serious inquiry, not just a Did you
Peter Gutmann wrote:
John Gilmore g...@toad.com writes:
The theory that we should build good and useful tools capable of monopoly
and totalitarianism, but use social mechanisms to prevent them from being
used for that purpose, strikes me as naive.
There's another problem with this theory and
On Wed, Jan 28, 2009 at 5:14 AM, William Soley william.so...@sun.com wrote:
On Jan 27, 2009, at 6:04 AM, Jerry Leichter wrote:
It might be useful to put together a special-purpose HTTPS client which
would initiate a connection and tell you about the cert returned, then exit.
I use ...
On Sun, Jan 25, 2009 at 11:04 PM, Jerry Leichter leich...@lrw.com wrote:
I just received a phishing email, allegedly from HSBC:
Dear HSBC Member,
Due to the high number of fraud attempts and phishing scams, it has been
decided to
implement EV SSL Certification on this Internet
On Sat, Jan 24, 2009 at 2:36 AM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
You seem to be out of touch I am afraid. Just look at what many O/S
distributions do. They adopt a new OpenSSL 0.9.Xy release from time to
time (for some initial y) and back-port security fixes never
On Tue, Jan 20, 2009 at 5:14 AM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote:
The RFC does exist (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256
mandatory), so you can send a SHA-256 certificate to clients that
I thought people might be interested in this now somewhat-complete,
BSD-licensed OpenPGP library...
http://openpgp.nominet.org.uk/cgi-bin/trac.cgi/wiki/V0.9
On Mon, Dec 29, 2008 at 10:10 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
David Molnar dmol...@eecs.berkeley.edu writes:
Service from a group at CMU that uses semi-trusted notary servers to
periodically probe a web site to see which public key it uses. The notaries
provide the list of
On Tue, Dec 30, 2008 at 4:25 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@google.com writes:
what happens when the cert rolls? If the key also changes (which would seem
to me to be good practice), then the site looks suspect for a while.
I'm not aware of any absolute
On Fri, Dec 26, 2008 at 7:39 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Adding support for a
service like Perspectives (discussed here a month or two back) would be a good
start since it provides some of the assurance that a commercial PKI can't (and
as an additional benefit it also
with
that information. Please be aware that you shouldn't provide this
information to anyone.
Rest at http://thedailywtf.com/Articles/SlowMotion-Automation.aspx.
I believe that the correct URL is:
http://thedailywtf.com/Articles/Go-Phish.aspx
--
Ben Pfaff
http://benpfaff.org
On Tue, Oct 28, 2008 at 7:55 PM, Leichter, Jerry
[EMAIL PROTECTED] wrote:
2. The Byzantine model. Failed modules can do anything
including cooperating by exchanging arbitrary
information and doing infinite computation.
So in the Byzantine model I can
On Sat, Oct 25, 2008 at 12:40 PM, IanG [EMAIL PROTECTED] wrote:
Jonathan Katz wrote:
I think it depends on what you mean by N pools of entropy.
I can see that my description was a bit weak, yes. Here's a better
view, incorporating the feedback:
If I have N people, each with a single
Peter Gutmann wrote:
In fact none of the people/organisations I queried about this fitted into any
of the proposed categories, it was all embedded devices, typically SCADA
systems, home automation, consumer electronics, that sort of thing, so it was
really a single category which was
much better.
Cheers,
Ben.
On Mon, Sep 29, 2008 at 1:13 PM, IanG [EMAIL PROTECTED] wrote:
If I have N pools of entropy (all same size X) and I pool them
together with XOR, is that as good as it gets?
Surely not. Consider N pools each of size 1 bit. Clearly you can do
better than the 1 bit your suggestion would yield.
Allen wrote:
So I'll ask a question. I saw the following on another list:
I stopped using WinPT after it crashed too many times.
I am now using Thunderbird with the Enigmail plugin
for GPG interface. It works rather flawlessly and I've
never looked back.
IanG wrote:
2. GPG + Enigmail + Thunderbird. Will never be totally robust because
there is too much dependency.
What does this mean? GPG + Enigmail, whilst not the best architecture I
ever heard of, is a tiny increment to the complexity of Thunderbird.
Are you saying anything other than big
[Adding the cryptography list, since this seems of interest]
On Wed, Aug 27, 2008 at 8:58 PM, Story Henry [EMAIL PROTECTED] wrote:
Apparently rfc2817 allows an http url to be used for https security.
Given that Apache seems to have that implemented [1] and that the
openid url is mostly used
On Mon, Sep 1, 2008 at 9:49 PM, Eric Rescorla [EMAIL PROTECTED] wrote:
At Mon, 1 Sep 2008 21:00:55 +0100,
Ben Laurie wrote:
The core issue is that HTTPS is used to establish end-to-end security,
meaning, in particular, authentication and secrecy. If the MitM can
disable the upgrade to HTTPS
to the real version (C++, of course!).
[1] http://www.keyczar.org/
Cheers,
Ben.
). If the RP
communicates with the OP, then it needs to use TLS and CRLs or OCSP.
Browser plugins do not bail it out.
Cheers,
Ben.
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
as vulnerable as travellers.
But increasingly we are all travellers some of the time, from a how we
get our 'net POV. We really can't ignore this use case.
Cheers,
Ben.
Security Advisory (08-AUG-2008) (CVE-2008-3280)
===
Ben Laurie of Google's Applied Security team, while working with an
external researcher, Dr. Richard Clayton of the Computer Laboratory,
Cambridge University, found that various OpenID Providers (OPs
On Fri, Aug 8, 2008 at 5:57 PM, Eric Rescorla [EMAIL PROTECTED] wrote:
At Fri, 8 Aug 2008 17:31:15 +0100,
Dave Korn wrote:
Eric Rescorla wrote on 08 August 2008 16:06:
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
However, since the CRLs will almost certainly not be checked
On Fri, Aug 8, 2008 at 8:27 PM, Eddy Nigg (StartCom Ltd.)
[EMAIL PROTECTED] wrote:
Ben Laurie:
On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
[EMAIL PROTECTED] wrote:
This affects any web site and service provider of various natures. It's not
exclusive for OpenID nor for any
On Fri, Aug 8, 2008 at 7:54 PM, Tim Dierks [EMAIL PROTECTED] wrote:
Using this Bloom filter calculator:
http://www.cc.gatech.edu/~manolios/bloom-filters/calculator.html , plus the
fact that there are 32,768 weak keys for every key type size, I get
various sizes of necessary Bloom filter,
attention to known security problems has
bitten us collectively.
Nevertheless, with rephrasing, Ben has some good points
I don't see any actual rephrasing below, unless you are suggesting I
should have said unpredictable instead of random. I think that's a
perfectly fine substitution
So, an executive summary of your responses appears to be EKMI leaves
all the hard/impossible problems to be solved by components that are out
of scope.
As such, I'm not seeing much value.
Anyway...
Arshad Noor wrote:
Ben Laurie wrote:
OK, so you still have a PKI problem, in that you have
,
code/silicon inspection probably suffices.
Cheers,
Ben.
I thought this list might be interested in a mini-rant about DNS source
port randomness on my blog: http://www.links.org/?p=352.
Ever since the recent DNS alert people have been testing their DNS
servers with various cute things that measure how many source ports you
use, and how random they
Pierre-Evariste Dagand wrote:
But just how GREAT is that, really? Well, we don't know. Why? Because there
isn't actually a way to test for randomness. Your
DNS resolver could be using some easily predicted random number generator
like, say, a linear congruential one, as is common in the rand()
Pierre-Evariste Dagand wrote:
I doubt you can get a large enough sample in any reasonable time.
Indeed.
I don't see the point of evaluating the quality of a random number
generator by statistical tests.
Which is entirely my point.
I fear I was not clear: I don't see what is wrong in
explains DNSSEC
http://www.matasano.com/log/772/a-case-against-dnssec-count-2-too-complicated-to-deploy/
Cheers,
Ben.
Paul Hoffman wrote:
First off, big props to Dan for getting this problem fixed in a
responsible manner. If there were widespread real attacks first, it
would take forever to get fixes out into the field.
However, we in the security circles don't need to spread the Kaminsky
finds meme. Take a
Steven M. Bellovin wrote:
On Wed, 09 Jul 2008 11:22:58 +0530
Udhay Shankar N [EMAIL PROTECTED] wrote:
I think Dan Kaminsky is on this list. Any other tidbits you can add
prior to Black Hat?
Udhay
http://www.liquidmatrix.org/blog/2008/07/08/kaminsky-breaks-dns/
I'm curious about the
Arshad Noor wrote:
Ben Laurie wrote:
Arshad Noor wrote:
I may be a little naive, but can a protocol itself enforce proper
key-management? I can certainly see it facilitating the required
discipline, but I can't see how a protocol alone can enforce it.
I find the question difficult
on the client devices, so their polices are not subverted.
Ha ha. Like that's going to work. Even if we assume that libraries are
verified (fat chance, IMO), how are you going to stop, for example,
cut'n'paste? Employees reading things out over the phone? Bugs? Etc.
Cheers,
Ben.
Ed Gerck wrote:
Ben Laurie wrote:
But doesn't that prove the point? The trust that you consequently
place in the web server because of the certificate _cannot_ be copied
to another webserver. That other webserver has to go out and buy its
own copy, with its own domain name in it.
A copy
Scott G. Kelly wrote:
Here's another approach to password authenticated key exchange with
similar security claims. The underlying mechanism is under
consideration for inclusion by the 802.11s group in IEEE:
http://www.ietf.org/internet-drafts/draft-harkins-emu-eap-pwd-01.txt
Hmmm. I don't
Scott G. Kelly wrote:
Ben Laurie wrote:
Scott G. Kelly wrote:
Here's another approach to password authenticated key exchange with
similar security claims. The underlying mechanism is under
consideration for inclusion by the 802.11s group in IEEE:
http://www.ietf.org/internet-drafts/draft
? The trust that you consequently place
in the web server because of the certificate _cannot_ be copied to
another webserver. That other webserver has to go out and buy its own
copy, with its own domain name in it.
Cheers,
Ben.
http://grouper.ieee.org/groups/1363/passwdPK/submissions/hao-ryan-2008.pdf
At last.
Cheers,
Ben.
Steven M. Bellovin wrote:
On Sat, 24 May 2008 20:29:51 +0100
Ben Laurie [EMAIL PROTECTED] wrote:
Of course, we have now persuaded even the most stubborn OS that
randomness matters, and most of them make it available, so perhaps
this concern is moot.
Though I would be interested to know how
, and most of them make it available, so perhaps this
concern is moot.
Though I would be interested to know how well they do it! I did have
some input into the design for FreeBSD's, so I know it isn't completely
awful, but how do other OSes stack up?
Cheers,
Ben.