Re: GnuTLS (libgrypt really) and Postfix

erhaps not been clear in some of my comments in this thread. I think there is a world of difference between critical errors and detecting internal inconsistency. In the case of inconsistency I claim that it is _never_ correct to continue running because every instruction executed is another poten

Re: general defensive crypto coding principles

Paul Hoffman wrote: > At 5:40 PM + 2/12/06, Ben Laurie wrote: >> It also defends against the MD5 crack, and is one of the recommended >> IETF solutions to hash problems. > > s/recommended/proposed/ > > The IETF has not recommended any "solutions to hash probl

Re: general defensive crypto coding principles

Travis H. wrote: > On 2/8/06, Jack Lloyd <[EMAIL PROTECTED]> wrote: >> An obvious example occurs when using a >> deterministic authentication scheme like HMAC - an attacker can with high >> probability detect duplicate plaintexts by looking for identical tags. > > I think though that the solution

Re: Nonrepudiation - in some sense

Victor Duchovni wrote: > On Fri, Feb 10, 2006 at 07:49:59PM +0000, Ben Laurie wrote: > >> Secondly, obviously, you can only decrypt SSL if you have the private >> key, so presumably this is referring only to incoming SSL connections. >> > > And only if EDH (or more

Re: GnuTLS (libgrypt really) and Postfix

t can't produce that random > - what shall we do else than abort the process. This way the errors > will be detected before major harm might occur. > > It is the same rationale why defining NDEBUG in production code is a > Bad Thing. I agree. Cheers, Ben. -- http://w

Re: Nonrepudiation - in some sense

I co-authored on this and other stuff - executive summary: I don't believe it), you can't "maintain" the non-repudation of SSL because it doesn't provide non-repudation. Secondly, obviously, you can only decrypt SSL if you ha

Re: methods of filling encrypted disks

f you'd prefer not to be hit, being able to prove you decrypted everything might be a good idea. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he

Re: Hiding data on 3.5" using "40 track mode"

itwise differences on successive reads, much to my surprise, so if you want to do this, remember to include error correction :-) Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no li

Abuse Resistant Publishing

George Danezis and I wrote a paper describing a technique for private, yet abuse-resistant, publishing. Here’s the abstract: We present the problem of abusive, off-topic or repetitive postings on open publishing websites, and the difficulties associated with filtering them out. We prop

Re: long-term GPG signing key

t; that key, which is little to none anyway. So that you can't be legally required to produce the private key (which you destroyed, right?). Perhaps this is time to remind people of "Security Against Compelled Disclosure": http://www.apache-ssl.org/disclosure.pdf. Cheers, B

Re: browser vendors and CAs agreeing on high-assurance certificat es

Steven M. Bellovin wrote: > In message <[EMAIL PROTECTED]>, Ben Laurie writes: >> Bill Frantz wrote: >>> On 12/24/05, [EMAIL PROTECTED] (Ben Laurie) wrote: >>> >>>> I don't see why not - the technical details actually matter. Since the &

Re: browser vendors and CAs agreeing on high-assurance certificat es

Bill Frantz wrote: > On 12/24/05, [EMAIL PROTECTED] (Ben Laurie) wrote: > >> I don't see why not - the technical details actually matter. Since the >> servers will all share a socket, on any normal architecture, they'll all >> have access to everyone's pri

Re: OpenSSL BIGNUM vs. GMP

Adam Back wrote: > On Tue, Jan 03, 2006 at 10:10:50PM +0000, Ben Laurie wrote: >> Jack Lloyd wrote: >>> Some relevant and recent data: in some tests I ran this weekend >>> [gmp faster than openssl] >>> AFAIK blinding alone can protect against all (publicly k

Re: OpenSSL BIGNUM vs. GMP

any other platforms, is simply a question of which library has hand-optimised assembler for the platform. That is, it tells us little about architectural differences and plenty about whether anyone has been bothered to optimise for that particular platform recently. Cheers, Ben. -- http://www.apac

OpenSSL BIGNUM vs. GMP

private keys. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff --

Re: another feature RNGs could provide

David Malone wrote: > On Tue, Dec 27, 2005 at 03:26:59AM -0600, Travis H. wrote: >> On 12/26/05, Ben Laurie <[EMAIL PROTECTED]> wrote: >>> Surely if you do this, then there's a meet-in-the middle attack: for a >>> plaintext/ciphertext pair, P, C, I choose rand

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

on't solve the problem that it is hard to check the URL even the first time. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind wh

Re: crypto for the average programmer

Jack Lloyd wrote: > On Fri, Dec 16, 2005 at 05:41:48PM +0000, Ben Laurie wrote: > >> No, OpenSSL is self-contained. There is, IIRC, an engine that uses GMP >> if you want, but its entirely optional; OpenSSL has its own bignum >> implementation that's just as good. &g

Re: another feature RNGs could provide

m > permutation would help you at all. Having shot myself in the foot once already, I've hesitated over responding to this, but... Surely if you do this, then there's a meet-in-the middle attack: for a plaintext/ciphertext pair, P, C, I choose random keys to encrypt P and decrypt C.

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

ly valid SSL domain name digital certificates ... and it doesn't > stop the MITM-attack and/or phishing. Eh? It surely does stop MitM attacks - the problem is that there's little value in doing so for various reasons, such as no strong binding between domain name and owner, UI that doesn

Re: browser vendors and CAs agreeing on high-assurance certificat es

Ian G wrote: > Ben Laurie wrote: >> Ian G wrote: > ... >>> http://wiki.cacert.org/wiki/VhostTaskForce > >>> (The big problem of course is that you can use >>> one cert to describe many domains only if they >>> are the same administrative entity

Re: browser vendors and CAs agreeing on high-assurance certificat es

Eric Rescorla wrote: > Ben Laurie <[EMAIL PROTECTED]> writes: >>> And we need SSL v2 to die so it doesn't interfere >>> with the above. >> Actually, you just disable it in the server. I don't see why we need >> anything more than that. > >

Re: browser vendors and CAs agreeing on high-assurance certificat es

Ian G wrote: > Ben Laurie wrote: > ... >>> Hopefully over the next year, the webserver (Apache) >>> will be capable of doing the TLS extension for sharing >>> certs so then it will be reasonable to upgrade. >> >> >> In fact, I'm told (I'

Re: browser vendors and CAs agreeing on high-assurance certificat es

Ian G wrote: > >> BTW, illustrating points made here, the cert is for >> financialcryptography.com >> but your link was to www.financialcryptography.com. So of course Firefox >> generated a warning > > Indeed and even if that gets fixed we still have > to contend with: > > * the blog

Re: another feature RNGs could provide

Matt Crawford wrote: > On Dec 21, 2005, at 0:10, Ben Laurie wrote: >> Good ciphers aren't permutations, though, are they? Because if they >> were, they'd be groups, and that would be bad. > > A given cipher, with a given key, is a permutation of blocks. (Assuming &

Re: another feature RNGs could provide

Jack Lloyd wrote: > On Mon, Dec 12, 2005 at 12:20:26AM -0600, Travis H. wrote: >> 2) While CTR mode with a random key is sufficient for creating a >> permutation of N-bit blocks for a fixed N, is there a general-purpose >> way to create a N-bit permutation, where N is a variable? How about >> pick

Re: Crypto and UI issues

James A. Donald wrote: > -- > "James A. Donald" >>> Let us imagine that SSH had certified keys. Well, >>> certifying a key is bound to be complicated, and >>> things are bound to go wrong, and the name that you >>> bind it to is bound t

Re: Crypto and UI issues

James A. Donald wrote: > -- > From: Ben Laurie <[EMAIL PROTECTED]> > >>if the key changes in OpenSSH you can't connect until >>you take positive action by deleting the old key from >>the known_hosts file. This is totally different to &g

Re: crypto for the average programmer

[EMAIL PROTECTED] wrote: > | > | > My question is, what is the layperson supposed to do, if they must > use > | > | > crypto and can't use an off-the-shelf product? > | > | > | > | When would that be the case? > | > | > | > | The only defensible situations I can think of in which a > | > | non-cr

Re: Crypto and UI issues

David Mercer wrote: >>>Horrible, horrible UI, and I'm not sure what's worse, that or trying >>>to USE pgp (gpg, whatever) from a command line, or getting it >>>integrated into a gui mail client. >> >>Two words: Thunderbird, enigmail. > > > Sorry, I've become totally addicted to gmail and just can

Re: Crypto and UI issues

David Mercer wrote: > And my appologies to Ben Laurie and friends, but why after all these > years is the UI interaction in ssh almost exactly the same when > accepting a key for the first time as overriding using a different one > when it changed on the other end, whether from mi

Re: crypto for the average programmer

[EMAIL PROTECTED] wrote: > On Mon, 12 Dec 2005, Steve Furlong wrote: > | > My question is, what is the layperson supposed to do, if they must use > | > crypto and can't use an off-the-shelf product? > | > | When would that be the case? > | > | The only defensible situations I can think of in whic

Re: Session Key Negotiation

Will Morton wrote: > Eric Rescorla wrote: >> >> May I ask why you don't just use TLS? >> > > I would if I could, believe me. :o) > > The negotiated key will be used for both reliable (TCP-like) and > non-reliable (UDP-like) connections, all tunnelled over a single UDP > port for NAT-busting purpo

Re: Pseudorandom Number Generator in Ansi X9.17

Terence Joseph wrote: > Hi, > > The Pseudorandom Number Generator specified in Ansi X9.17 used to be one > of the best PRNGs available if I am correct. It was? When? I had to replace the OpenSSL PRNG with X9.31 (as has been discussed elsewhere, this is the same PRNG) for the FIPS-140 certificatio

Re: [Clips] [EMAIL PROTECTED]: [IP] Apple tries to patent 'tamper-resistant software']

R. A. Hettinga wrote: > In its application, Apple describes a means of securing code using > either a specific hardware address or read-only memory (ROM) serial > number. Apple also talks about securing the code while interchanging > information among multiple operating systems. Mac OS X, W

Re: [PracticalSecurity] Anonymity - great technology but hardly used

y making all packets meaningful. You can find it here: http://www.cl.cam.ac.uk/users/gd216/minx.pdf. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he c

Announcing OpenPGP:SDK

At EuroOSCon, Rachel Willmer and I announced OpenPGP:SDK, a BSD-licensed C library implementing the OpenPGP standard. The SDK is sponsored by Nominet. Although we are still very much in beta, feedback will be appreciated. Permalink: http://www.links.org/?p=20 Cheers, Ben. -- http

Writeup of Smooth MD5 Collisions...

...can be found here... http://www.links.org/?p=19. I'd quote it, but it won't render well in plain ASCII. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind

Re: Smooth prime MD5 collisions

Weger, B.M.M. de wrote: > Hi Ben, > > Looks like this is essentially the same as, or at least very similar to, > > what Arjen Lenstra and I did in Section 4 of the full version of our > paper > "On the possibility of constructing meaningful hash collisions for

Smooth prime MD5 collisions

primes. Code and stuff will follow, but now I'm going to bed. I expect its obvious how they are made, anyway. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who

Re: [saag] status of SSL vs SHA-1/MD-5, etc.?

Steven M. Bellovin wrote: > As Eric Rescorla and I showed, though, none of the network protocols > are ready for deployment of a new hash function. That is, newer > versions of OpenSSL support may SHA-256, but there's no way to > negotiate such usage if you don't know the status of the system t

Re: NSA Suite B Cryptography

ld be that the NSA has to approve of the particular piece of s/w. Incidentally, why the focus on GPL? Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who

Re: Clearing sensitive in-memory data in perl

Adam Shostack wrote: On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote: | On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote: | | > >My view is that C is fine, but it needs a real library and programmers | > >who learn C need to learn to use the real libra

Re: Clearing sensitive in-memory data in perl

f we could all agree on a single such library? Or at least, a single API. Like the STL is for C++. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who

Re: Clearing sensitive in-memory data in perl

Perry E. Metzger wrote: What the world really needs is something between C++ and C -- a language with very clean obvious semantics (like C) which does run time bounds checking and strong typing, though it also needs explicit escapes in the type system so you can write things like device drivers i

Re: ECC patents?

Alexander Klimov wrote: On Sun, 11 Sep 2005, Ben Laurie wrote: Alexander Klimov wrote: ECC is known since 1985 but seems to be absent in popular free software packages, e.g., neither gnupg nor openssl has it (even if the relevant patches were created). It looks like the main reason is some

Re: ECC patents?

Alexander Klimov wrote: Hi. ECC is known since 1985 but seems to be absent in popular free software packages, e.g., neither gnupg nor openssl has it (even if the relevant patches were created). It looks like the main reason is some patent uncertainty in this area. An internet research shows tha

Re: Fwd: Tor security advisory: DH handshake flaw

ey're handed a number that is supposedly prime, they're pretty safe. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the c

MD5 Visualised, Mark II

I've revised the graphics somewhat, in light of comments received. Now shown are the input used in each round, and breaks between input blocks. Same place: http://www.shmoo.com/md5-collision.html. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ &quo

Re: Fwd: Tor security advisory: DH handshake flaw

Simon Josefsson wrote: No, the certificate is verifiable in deterministic polynomial time. The test is probabilistic, though, but as long as it works, I don't see why that matters. However, I suspect the ANSI X9.80 or ISO 18032 paths are more promising. I was just tossing out URLs. Surely Mil

Re: Fwd: Tor security advisory: DH handshake flaw

Simon Josefsson wrote: Ben Laurie <[EMAIL PROTECTED]> writes: [EMAIL PROTECTED] wrote: So Miller-Rabin is good for testing random candidates, but it is easy to maliciously construct an n that passes several rounds of Miller-Rabin. Interesting! So how does one go about constructin

Re: MD5 Collision, Visualised

Steven M. Bellovin wrote: In message <[EMAIL PROTECTED]>, Ben Laurie writes: I wrote some code to show the internal state of MD5 during a collision... http://www.shmoo.com/md5-collision.html Very nice, though you need to give a scale of rounds -- how many horizontal lines per

Re: Fwd: Tor security advisory: DH handshake flaw

Shawe-Taylor, which is similar in functioning but only reaches 10% of all primes of a specified set). I presume you mean densely distributed over the set of all primes? Uniform distribution isn't much use if its sparse! Cheers, Ben. -- http://www.apache-ssl.org/ben.html

MD5 Collision, Visualised

I wrote some code to show the internal state of MD5 during a collision... http://www.shmoo.com/md5-collision.html Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind wh

Re: Fwd: Tor security advisory: DH handshake flaw

Jerrold Leichter wrote: | > Isn't *proving* primality rather overkill for the purpose at hand (which | > seems to be verifying that an alleged prime isn't a non-prime, sent to | > "spike" the system). Are there any known sets of numbers - much less ways | > to *choose* members of those sets - wh

Re: Fwd: Tor security advisory: DH handshake flaw

Tero Kivinen wrote: Hal Finney writes: Several programs to implement ECPP can be found from http://primes.utm.edu/links/programs/seeking_large_primes/. I don't know about source code however. It might be interesting to run these over some of the Oakley primes and publish the certs - I vaguely

Re: Fwd: Tor security advisory: DH handshake flaw

gument from a closed source prover and verifier. Hmm. The point of proofs (at least, useful proofs) is that they produce certificates that are cheap to verify. So, yeah, sure it may be overkill, but I'll do the killing so you don't have to. Cheers, Ben. -- http://www.apache-ssl.

Re: Fwd: Tor security advisory: DH handshake flaw

Hal Finney wrote: Ben Laurie writes: Related to this is a project I keep considering and never quite getting around to is to include a prime proof verifier in OpenSSL. It would be pretty cool to have modes which only work when all relevant primes come with proofs. I've looked into t

Re: Fwd: Tor security advisory: DH handshake flaw

around to implementing. Oh, BTW, bonus points if the prover can be run on large numbers of processors in parallel. Even more points if communication between the CPUs are low bandwidth. It would also be nice to have a collection of primes and proofs in OpenSSL, so if people want t

Re: How many wrongs do you need to make a right?

Florian Weimer wrote: Can't you strip the certificates which have expired from the CRL? (I know that with OpenPGP, you can't, but that's a different story.) Yes, you can. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far

Re: Possible non-extension property for hash functions

sh. And this doesn't use the property above. It uses a stronger type of collision (i.e. a collision of internal state) - this allows s to be chosen freely. Cheers, Ben. -- ApacheCon Europe<<< http://www.apachecon.com/ http://www.apache-ssl.org/ben.html

Re: The summer of PKI love

Stephan Neuhaus wrote: Anne & Lynn Wheeler wrote: http://www.infoworld.com/article/05/08/10/33OPstrategic_1.html The page goes on to say: "One reason for PKI's slow uptake has been the lack of two kinds of portability. It hasn't been easy to move cryptographic keys from one machine to ano

Re: ID "theft" -- so what?

ss and architecture level. The *people* equation. PKI+SSL does not _cause_ the problem, it merely fails to solve it. You may as well blame HTTP - in fact, it would be fairer. Cheers, Ben. -- >>>ApacheCon Europe<<< http://www.apachecon.com/ ht

Re: mother's maiden names...

cheque and forgotten about it). Their response was that they didn't know and had no way to find out. In the end they faxed me a copy so I could check it myself. Cheers, Ben. -- >>>ApacheCon Europe<<< http://www.apachecon.com/ http://www.apache-ssl.org/b

Re: the limits of crypto and authentication

Perry E. Metzger wrote: Ben Laurie <[EMAIL PROTECTED]> writes: Perry E. Metzger wrote: Anonymity is a concern to me, too, but I suspect that it is hard to get anonymity in a credit card transaction using current means, even if the merchant isn't online. Pseudonymity, perhaps.

Re: the limits of crypto and authentication

Perry E. Metzger wrote: Anonymity is a concern to me, too, but I suspect that it is hard to get anonymity in a credit card transaction using current means, even if the merchant isn't online. Pseudonymity, perhaps. Can we not aim higher than merely doing as badly as current systems do? -- >>>Ap

Re: the limits of crypto and authentication

Perry E. Metzger wrote: Ben Laurie <[EMAIL PROTECTED]> writes: That could be fixed. I think the right design for such a device has it only respond to signed and encrypted requests from the issuing bank directed at the specific device, and only make signed and encrypted replies directed o

Re: EMV

the contactless system alters this risk in any way? Cheers, Ben. -- >>>ApacheCon Europe<<< http://www.apachecon.com/ http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go

Re: the limits of crypto and authentication

g party has to let the issuing bank come between it and you to get anywhere. This would preclude, for example, offline transactions. As I've said before, I totally agree that the only way to go is to have signatures made on such a device, but I do think its very important to design th

Re: the limits of crypto and authentication

;ve paid an arm and a leg for it themselves, sigh. Back when we used to run O2's (then Cellnet) web stuff, we used to authenticate user accounts by sending random words to their phone. This was so long ago I can't remember when it was, but certainly > 5 years. Cheers,

Re: Optimisation Considered Harmful

Victor Duchovni wrote: On Thu, Jun 23, 2005 at 07:36:38AM -0400, Jerrold Leichter wrote: - Develop algorithms that offer reasonable performance even if implemented in "unoptimized" ways. This will be difficult to maintain in the face of ever-increasing

Re: WYTM - "but what if it was true?"

Allan Liska wrote: 3. Use an on-screen keyboard. For extra points, try Dasher. http://www.inference.phy.cam.ac.uk/dasher/ -- >>>ApacheCon Europe<<< http://www.apachecon.com/ http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man

Optimisation Considered Harmful

ry_ hard to do. Could it be that for safe crypto we should be using Z80s? Cheers, Ben. [1] For those who don't know, even old Pentia have several different processing units internally, which run in parallel. They can even tell when instructions in one's pipeline conflict with an

Re: massive data theft at MasterCard processor

h the user at all times and be secure. Cheers, Ben. -- >>>ApacheCon Europe<<< http://www.apachecon.com/ http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mi

Re: encrypted tapes (was Re: Papers about "Algorithm hiding" ?)

[EMAIL PROTECTED] wrote: "Ben Laurie wrote" [EMAIL PROTECTED] wrote: Example: Cash_Ur_check is in the business of cashing checks. To cash a check, they ask you for "sensitive information" like SIN, bank account number, drivers licence number, etc. They use the

Re: encrypted tapes (was Re: Papers about "Algorithm hiding" ?)

[EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: | Oracle, for example, provides encryption functions, but the real problem | is the key handling (how to make sure the DBA can't get the key, cannot | call functions that decrypt the data, key not copied with the backup, | etc.). | There are sev

Re: AmEx unprotected login site

Perry E. Metzger wrote: Ben Laurie <[EMAIL PROTECTED]> writes: Perry E. Metzger wrote: "Steven M. Bellovin" <[EMAIL PROTECTED]> writes: They're still doing the wrong thing. Unless the page was transmitted to you securely, you have no way to trust that your user

Re: AmEx unprotected login site

Perry E. Metzger wrote: "Steven M. Bellovin" <[EMAIL PROTECTED]> writes: They're still doing the wrong thing. Unless the page was transmitted to you securely, you have no way to trust that your username and password are going to them and not to someone who cleverly sent you an altered version o

Re: encrypted tapes (was Re: Papers about "Algorithm hiding" ?)

[EMAIL PROTECTED] wrote: | Oracle, for example, provides encryption functions, but the real problem | is the key handling (how to make sure the DBA can't get the key, cannot | call functions that decrypt the data, key not copied with the backup, | etc.). | There are several solutions for the key

Re: encrypted tapes

Perry E. Metzger wrote: Ben Laurie <[EMAIL PROTECTED]> writes: Perry E. Metzger wrote: Have a look, for example, at http://www.americanexpress.com/ which encourages users to type in their credentials, in the clear, into a form that came from lord knows where and sends the informatio

Re: AmEx unprotected login site (was encrypted tapes, was Re: Papersabout "Algorithm hiding" ?)

Amir Herzberg wrote: 3. They did not actually spell out the problem in using SSL in the homepage (like eTrade, for instance). But I think I know the reason (they didn't confirm or deny). I think the reason is that they host their site; in particlar, when I tried accessing it via https, I got an

Re: encrypted tapes (was Re: Papers about "Algorithm hiding" ?)

Perry E. Metzger wrote: Have a look, for example, at http://www.americanexpress.com/ which encourages users to type in their credentials, in the clear, into a form that came from lord knows where and sends the information lord knows where. Spoof the site, and who would notice? Every company s

Re: Digital signatures have a big problem with meaning

ould implement it correctly. Sadly, experience shows that no-one can. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit."

Re: Digital signatures have a big problem with meaning

people of my paper "Signatures: an Interface between Law and Technology" (written with Nicholas Bohm, a lawyer) which discusses this and other issues. http://www.apache-ssl.org/tech-legal.pdf Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "Ther

Re: What happened with the session fixation bug?

https and PKI worthless against such man in the middle attacks. Have these bugs been addressed? On 20 May 2005 at 23:21, Ben Laurie wrote: Do they exist? Certainly any session ID I've ever had a hand in has two properties that strongly resist session fixation: a) If a session ID ar

Re: What happened with the session fixation bug?

James A. Donald wrote: -- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected. However, the session fixation bugs http://www.acros.si/papers/session_fixation.pdf make https and PKI worthless aga

Re: [Lucrative-L] double spends, identity agnosticism, and Lucrative

James A. Donald wrote: From: "Patrick" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative Date: Tue, 29 Apr 2003 14:46:48 -0600 Importance: Normal Sender: [EMAIL PROTECTED] A quick experiment has confirmed the obvious: when a client

Re: Malaysia car thieves steal finger

R.A. Hettinga wrote: Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system. Good to know that my "amputationware" meme was not just paranoia. -- http://www.apache-ssl.org/ben.html http://www.thebunk

RE: aid worker stego

that you advise your correspondant to discontinue this line of enquiry - for their own good and that of the aid community at large. "Not getting caught" is a derivation of "the ends justify the means". ben > -Original Message- > From: [EMAIL PROTECTED] >

Re: [saag] Re: Propping up SHA-1 (or MD5)

one required to get those properties, I should point out. I will confess that I have punted on whether those properties are actually useful. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he d

Re: Propping up SHA-1 (or MD5)

equire a single pass (but, unfortunately, two or three different instances of the hash). This seems similar to the mechanism used in MD2, except the checksum is expensive. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or h

Re: [saag] Propping up SHA-1 (or MD5)

Nicolas Williams wrote: On Tue, Mar 22, 2005 at 05:31:44PM +, Ben Laurie wrote: Nicolas Williams wrote: Now that we know that the attack is a differential cryptanalysis where the attacker has to control the first pair of blocks of the original message anything that makes it hard for the

Re: [saag] Re: Propping up SHA-1 (or MD5)

Ken Raeburn wrote: On Mar 22, 2005, at 11:51, Ben Laurie wrote: This can be fixed quite easily: H'(x)=H(H(x || H(x)) || H(x)) Doesn't this take us back to the original problem, by factoring in x only at the start of hash computations, so H'(x') will generate the same H(x

Re: [saag] Propping up SHA-1 (or MD5)

Nicolas Williams wrote: On Mon, Mar 21, 2005 at 11:56:44AM +, Ben Laurie wrote: It was suggested at the SAAG meeting at the Minneapolis IETF that a way to deal with weakness in hash functions was to create a new hash function from the old like so: H'(x)=Random || H(Random || x)

Re: Propping up SHA-1 (or MD5)

Barney Wolff wrote: On Mon, Mar 21, 2005 at 11:56:44AM +, Ben Laurie wrote: Musing on these points, I wondered about the construction: H'(x)=H(H(x) || H(H(x) || x)) which doesn't allow an attacker any choice, doesn't change APIs and doesn't change the length of the hash

Re: Propping up SHA-1 (or MD5)

Dan Kaminsky wrote: Ben, x can equal either test vector released by Wang, and H(x) will be identical. With H(x) identical, the rest of the HMAC stays identical too. This does not appear to be correct - in my construction, i.e. without padding, then the fact that x and x' differ means

Propping up SHA-1 (or MD5)

e the length of the hash. Does this have any merit? Note that this is essentially an HMAC where the key is H(x). I omitted the padding because it seems to me that this actually makes HMAC weaker against the current attacks. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.the

Re: NSA names ECC as the exclusive technology for key agreement and digital signature standards for the U.S. government

Ian G wrote: NSA names ECC as the exclusive technology for key agreement and digital signature standards for the U.S. government Certicom's ECC-based solutions enable government contractors to add security that meets NSA guidelines I should note that OpenSSL also supports ECC. -- http://www.apache

Re: MD5 collision in X509 certificates

. Generating colliding public keys takes quite a bit more work. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." -

MD5 collision in X509 certificates

al to your colliding block, as he claims. However, you can (according to the paper above) generate collisions with any IV, so if you know what the prepended material is, then Kaminsky's attack will still work. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ &qu

<    1   2   3   4   >