On Tue, Aug 31, 2010 at 11:27:39PM -0700, Bill Stewart wrote:
> It's possible that
> under some conditions, trying to brute-force the RSA is more efficient
> than simply brute-forcing the symmetric key
As of 2003, RSA said:
1024 bit RSA ~= 80 bit symmetric
2048 bit RSA ~= 112 bit symmetric
3072
On Thu, Aug 26, 2010 at 06:24:26PM +0300, Alexander Klimov wrote:
> I guess you misinterpret it. In no place 140-2 "does not allow
> TRNG".
On closer reading, I guess that's true. Annex C, "Approved Random
Number Generators", claims that no TRNGs have been approved, but
that's not the same as say
On Thu, Aug 26, 2010 at 06:25:55AM -0400, Jerry Leichter wrote:
> [F]IPS doesn't tell you how to *seed* your deterministic generator. In
> effect, a FIPS-compliant generator has the property that if you start it
> with an unpredictable seed, it will produce unpredictable values.
That brings
Hey all,
Looking for feedback on this section on RNGs:
http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc29
Equations are broken in HTML, but clear in PDF:
http://www.subspacefield.org/security/security_concepts/security_concepts.pdf
I am aware the Renyi entropy link is bro
https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf
Hey, another PRNG is broken. Raise your hand if you're surprised.
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program d
Hi folks,
Assume for a moment that we have a random number generator which is
non-uniform, and we are using it to generate a key.
What I'd like to do is characterize the work factor involved in
brute-force search of the key space, assuming that the adversary
has knowledge of the characteristics o
On Tue, Dec 11, 2007 at 02:01:03PM -0500, j...@tla.org wrote:
> How many bits (not just data, also preamble/postamble, sync bits, etc.)
> is the keyboard sending for each keystroke anyway?
FWIW, it is likely sending keyboard scan codes:
http://en.wikipedia.org/wiki/Scancode
It doesn't send the
http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/
Towards the end of this rather offbeat blog post they describe a
rather clever attack which is possible when the application provides
error messages (i.e. is an error oracle) for PKCS7 padding in e.g. AE
Reading really old email, but have new information to add.
On Wed, Oct 03, 2007 at 02:15:38PM +1000, Daniel Carosone wrote:
> Speculation: the drive always encrypts the platters with a (fixed) AES
> key, obviating the need to track which sectors are encrypted or
> not. Setting the drive password s
http://news.cnet.com/2300-1029_3-6240826-1.html?tag=ne.gall.pg
--
Crypto ergo sum. https://www.subspacefield.org/~travis/
Truth does not fear scrutiny or competition, only lies do.
If you are a spammer, please email [EMAIL PROTECTED] to get blacklisted.
--
http://www.kurzweilai.net/news/frame.html?main=/news/news_single.html?id%3D8471
Quantum cryptography broken
KurzweilAI.net, April 20, 2008
Two Swedish scientists, Jorgen Cederlof, now of Google, and Jan-Ake
Larsson of Link In a paper published in IEEE Trans. Inf Theory, 54:
1735-1741 (2008), they
I've been working on the "randomness and unpredictability" this morning
instead of doing my taxes, and found these links:
http://crd.lbl.gov/~dhbailey/pi/
http://pisearch.lbl.gov/
The section on randomness, entropy, etc. is here:
http://www.subspacefield.org/security/security_concepts.html#tth_s
I've got two presentations I've given on encrypted storage technologies here:
http://www.subspacefield.org/security/
There's also a book I'm writing, if anyone is interested.
--
https://www.subspacefield.org/~travis/
I need a better strategy for being less analytical.
For a good time on my email
So at the company I work for, most of the internal systems have
expired SSL certs, or self-signed certs. Obviously this is bad.
I know that if we had IT put our root cert in the browsers, that we
could then generate our own SSL certs.
Are there any options that don't involve adding a new root CA
http://www.amk.ca/quotations/cryptography/
--
https://www.subspacefield.org/~travis/
The stream is deaf, yet sings its melody for all to hear.
For a good time on my email blacklist, email [EMAIL PROTECTED]
On Wed, Dec 19, 2007 at 08:22:09AM +0100, Luis Martin wrote:
> I am not sure I understood what you want but here's my suggestion.
The problem is that client code assumes that there is a fixed (constant)
relationship between the size of the output and the size of the input,
and does its own memory
So... supposing I was going to design a crypto library for use within
a financial organization, which mostly deals with credit card numbers
and bank accounts, and wanted to create an API for use by developers,
does anyone have any advice on it?
It doesn't have to be terribly complete, but it does
On Thu, Nov 15, 2007 at 10:28:43AM +0200, [EMAIL PROTECTED] wrote:
> There's a dependency from "negotiated capabilities"
> to the cryptographic things included in the first message
> from client to server (since e.g. what algorithm is
> used by the client, or even what certificate is selected,
>
On Tue, Nov 13, 2007 at 08:35:52AM +0200, [EMAIL PROTECTED] wrote:
> The "extra messages" might be irrelevant for cryptography,
> but they're not irrelevant for security or functionality.
> E.g. in SSL, you have capability/feature negotiation
> (cipher suites, trusted CAs, in TLS 1.2 also signature
Interesting-looking paper from some guys in Israel:
http://eprint.iacr.org/2007/419.pdf
Quoting:
We analyzed the security of the algorithm and found a non-trivial
attack: given the internal state of the generator, the previous state
can be computed in O(2^23) work (this is an attack on the
forwa
http://www.airtightnetworks.net/knowledgecenter/wep-caffelatte.html
The Caffe Latte attack debunks the age old myth that to crack WEP, the
attacker needs to be in the RF vicinity of the authorized network,
with at least one functional AP up and running. We demonstrate that it
is possible to retri
ASSUMPTIONS:
Network latency is important, and will only become more so, since
light won't go faster in a given medium, and we can't do better than
c, ever.
PROPOSED SOLUTION:
Refactor protocol to minimize number of interlocked steps.
Specifically, reduce the number of messages.
METHODOLOGY:
I
On Tue, Oct 30, 2007 at 12:27:53PM -0400, [EMAIL PROTECTED] wrote:
> I stumbled across this filing:
> http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf
I probably shouldn't say anything about this, but whoever made this
PDF failed to properly redact the pe
So back in the bad old days when hashing was DES encryption of the
zero vector with a fixed key, someone came up with salt as a password
strengthening mechanism.
I'm not quite sure why it was called salt.
It perturbed the S-boxes in DES IIRC, but essentially it was a known
bit of text that was an
On Tue, Oct 09, 2007 at 06:08:44PM +1300, Peter Gutmann wrote:
> how do you want access to the keys controlled? ACLs? Who sets the ACLs? Who
> can manage them? How are permissions managed? What's the UI for this? Under
> what conditions is sharing allowed? If sharing is allowed, how do you h
On Mon, May 21, 2007 at 04:32:10PM -0400, Victor Duchovni wrote:
> On Mon, May 21, 2007 at 02:44:28PM -0400, Perry E. Metzger wrote:
> > My take: clearly, 1024 bits is no longer sufficient for RSA use for
> > high value applications, though this has been on the horizon for some
> > time. Presumably
On Mon, May 21, 2007 at 01:44:23PM +1200, Peter Gutmann wrote:
> >Ignoring special-purpose hardware, does anyone have thoughts on what the
> >requirements for a kernel-level key management subsystem should be?
>
> Yes, but first you'd have to tell me what you're trying to do.
Protect keys in kern
Does anyone have information on:
1) The ECAES weakness that led to ECIES
2) Any known weaknesses of ECIES
3) Relative performance figures between ECC routines like ECIES
and D/H (or possibly RSA, though IES is based on EC-DH)
I can generate the last if these figures are not available.
BTW, I
http://it.slashdot.org/article.pl?sid=07/10/04/1639224&from=rss
Interesting quote:
Jon Callas, CTO and CSO of PGP Corp., responded that this [previously
undocumented] feature was required by unnamed customers and that
competing products have similar functionality.
--
http://www.subspacefield.org
I think it might be fun to start up a collection of snake oil
cryptographic methods and cryptanalytic attacks against them. It
would be more fun for me than crossword puzzles, and educational for
all the would-be cryptographers.
I'd like to start with the really simple stuff; classical
cryptograp
So I'm looking for a minimum cost transformation with _only_ the
following characteristic:
Given a set of m input bits X, produce a set of n output bits Y such
that knowledge of some subset of X and Y gives a minimum knowledge of
the remainder (of Y if that makes it simple, but of X would be nice)