Re: [Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!

2013-09-09 Thread Alexander Klimov
On Mon, 9 Sep 2013, Daniel wrote: Is there anyone on the lists qualified in ECC mathematics that can confirm that? NIST SP 800-90A, Rev 1 says: The Dual_EC_DRBG requires the specifications of an elliptic curve and two points on the elliptic curve. One of the following NIST approved

Re: [Cryptography] AES state of the art...

2013-09-09 Thread Alexander Klimov
On Sun, 8 Sep 2013, Perry E. Metzger wrote: What's the current state of the art of attacks against AES? Is the advice that AES-128 is (slightly) more secure than AES-256, at least in theory, still current? I am not sure what is the exact attack you are talking about, but I guess you

Re: [Cryptography] A Likely Story!

2013-09-09 Thread Alexander Klimov
On Sun, 8 Sep 2013, Peter Fairbrother wrote: On the one hand, if they continued to recommend that government people use 1024-bit RSA they could be accused of failing their mission to protect government communications. On the other hand, if they told ordinary people not to use 1024-bit RSA,

Re: [Cryptography] FIPS, NIST and ITAR questions

2013-09-03 Thread Alexander Klimov
On Tue, 3 Sep 2013, radi...@gmail.com wrote: 1) Is there a NIST announce type list so I don't miss an entire standards update cycle or two again? That doesn't cover all the nitty gritty goings on during the journey to publication for FIPS updates?

Re: questions about RNGs and FIPS 140

2010-08-26 Thread Alexander Klimov
On Wed, 25 Aug 2010 travis+ml-cryptogra...@subspacefield.org wrote: No, because FIPS 140-2 does not allow TRNGs (what they call non-deterministic). I couldn't tell if FIPS 140-1 allowed it, but FIPS 140-2 supersedes FIPS 140-1. I assume they don't allow non-determinism because it makes the

Re: Quantum Key Distribution: the bad idea that won't die...

2010-07-09 Thread Alexander Klimov
http://arxiv.org/abs/1005.2376 Unconditional security proofs of various quantum key distribution (QKD) protocols are built on idealized assumptions. One key assumption is: the sender (Alice) can prepare the required quantum states without errors. However, such an assumption may be

Re: Crypto dongles to secure online transactions

2009-11-21 Thread Alexander Klimov
On Wed, 18 Nov 2009, Bill Frantz wrote: Perhaps I'm missing something, but my multiple banks will all accept my signature when made with the same pen. Why wouldn't they not accept my signature when made with the same, well protected, signing/user verifying device. I might have to take it to

Re: TLS man in the middle

2009-11-09 Thread Alexander Klimov
On Sat, 7 Nov 2009, Sandy Harris wrote: I'm in China and use SSL/TLS for quite a few things. Proxy connections, Gmail set to always use https and so on. This is the main defense for me and many others against the Great Firewall. Should I be worrying about man-in-the-middle attacks from the

Re: Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

2009-11-02 Thread Alexander Klimov
On Fri, 30 Oct 2009, Darren J Moffat wrote: The SHA256 checksums are used even for blocks in the pool that aren't encrypted and are used for detecting and repairing (resilvering) block corruption. Each filesystem in the pool has its own wrapping key and data encryption keys. Due to some

US crypto/munitions again?

2009-10-26 Thread Alexander Klimov
Does it means that US starts the war on crypto-munitions again or it is simply a new article about the status quo? http://www.ddj.com/linux-open-source/220800130: October 24, 2009 Since then, the Department of Commerce, which administers munitions exports, has made some changes, forming

QNAP backdoor

2009-09-23 Thread Alexander Klimov
http://www.securityfocus.com/archive/1/506607 Overview: The premium and new line of QNAP network storage solutions allow for full hard disk encryption. When rebooting, the user has to unlock the hard disk by supplying the encryption passphrase via the web GUI. However, when the hard disk is

Re: brute force physics Was: cleversafe...

2009-08-13 Thread Alexander Klimov
Jerry Leichter wrote: If current physical theories are even approximately correct, there are limits to how many bit flips (which would encompass all possible binary operations) can occur in a fixed volume of space-time. The physical arguments to which I was referring say *nothing* about

brute force physics Was: cleversafe...

2009-08-11 Thread Alexander Klimov
On Sun, 9 Aug 2009, Jerry Leichter wrote: Since people do keep bringing up Moore's Law in an attempt to justify larger keys our systems stronger than cryptography, it's worth keeping in mind that we are approaching fairly deep physical limits. I wrote about this on this list quite a while

Attacks against GOST? Was: Protocol Construction

2009-08-03 Thread Alexander Klimov
On Sun, 2 Aug 2009, Joseph Ashwood wrote: So far, evidence supports the idea that the stereotypical Soviet tendency to overdesign might have been a better plan after all, because the paranoia about future discoveries and breaks that motivated that overdesign is being regularly proven out.

white-box crypto Was: consulting question....

2009-05-27 Thread Alexander Klimov
On Tue, 26 May 2009, James Muir wrote: There is some academic work on how to protect crypto in software from reverse engineering. Look-up white-box cryptography. Disclosure: the company I work for does white-box crypto. Could you explain what is the point of white-box cryptography (even if

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Alexander Klimov
On Sun, 15 Feb 2009, Rene Veerman wrote: Recently, on both the jQuery(.com) and PHP mailinglists, a question has arisen on how to properly secure a login form for a non-ssl web-application. But the replies have been get ssl.. :( Unfortunately, they are right: get SSL. If you have a

Re: full-disk subversion standards released

2009-02-12 Thread Alexander Klimov
On Wed, 11 Feb 2009, Ben Laurie wrote: If I have data on my server that I would like to stay on my server and not get leaked to some third party, then this is exactly the same situation as DRMed content on an end user's machine, is it not? The treat model is completely different: for DRM the

AES HDD encryption was XOR

2008-12-07 Thread Alexander Klimov
http://www.heise-online.co.uk/security/Encrypting-hard-disk-housing-cracked--/news/112141: With its Digittrade Security hard disk, the German vendor Digittrade has launched another hard disk housing based on the unsafe IM7206 controller by the Chinese manufacturer Innmax. The German

Re: Randomness testing Was: On the randomness of DNS

2008-08-04 Thread Alexander Klimov
On Mon, 4 Aug 2008, Stephan Neuhaus wrote: Or better still, make many tests and see if your p-values are uniformly distributed in (0,1). [Hint: decide on a p-value for that last equidistribution test *before* you compute that p-value.] Of course, there are many tests for goodness of fit

Randomness testing Was: On the randomness of DNS

2008-08-03 Thread Alexander Klimov
On Thu, 31 Jul 2008, Pierre-Evariste Dagand wrote: Just by curiosity, I ran the Diehard tests[...] Sum-up for /dev/random: Abnormally high value: 0.993189 [1] Abnormally low value: 0.010507 [1] Total: 2 Sum up for Sha1(n): Abnormally high values: 0.938376, 0.927501 [2] Abnormally low

Re: Ransomware

2008-06-10 Thread Alexander Klimov
On Mon, 9 Jun 2008, Leichter, Jerry wrote: Even worse, targeted malwared could attack your backups. If it encrypted the data on the way to the backup device, it could survive silently for months, by which time encrypting the live data and demanding the ransom would be a very credible threat.

Re: The perils of security tools

2008-05-22 Thread Alexander Klimov
On Tue, 13 May 2008, Ben Laurie wrote: Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing I think we all should not miss this ROTFL experience: Original code (see ssleay_rand_add)

Re: The perils of security tools

2008-05-22 Thread Alexander Klimov
On Thu, 15 May 2008, Paul Hoffman wrote: The bigger picture is that distributions who are doing local mods should really have an ongoing conversation with the software's developers. Even if the developers don't want to talk to you, a one-way conversation of we're doing this, we're doing that

Re: OpenSparc -- the open source chip (except for the crypto parts)

2008-05-04 Thread Alexander Klimov
On Thu, 1 May 2008, zooko wrote: I would think that it also helps if a company publishes the source code and complete verification tools for their chips, such as Sun has done with the Ultrasparc T2 under the GPL. To be sure that implementation does not contain back-doors, one needs not only

privacy expectations Was: SSL and Malicious Hardware/Software

2008-04-30 Thread Alexander Klimov
On Tue, 29 Apr 2008, Jack Lloyd wrote: Expectations of privacy at work vary by jurisdiction and industry. In the US, and say in the financial services industry, any such expectations are groundless (IANAL). Most places I have worked (all in the US) explicitly required consent to more or

no possible brute force Was: Cruising the stacks and finding stuff

2008-04-23 Thread Alexander Klimov
On Tue, 22 Apr 2008, Leichter, Jerry wrote: Interestingly, if you add physics to the picture, you can convert no practical brute force attack into no possible brute force attack given known physics. Current physical theories all place a granularity on space and time: There is a smallest unit

RE: Toshiba shows 2Mbps hardware RNG

2008-02-21 Thread Alexander Klimov
On Wed, 13 Feb 2008, Dave Korn wrote: On 11 February 2008 17:37, Crawford Nathan-HMGT87 wrote: I'm wondering if they've considered the possibility of EMI skewing the operation of the device, or other means of causing the device to genearate less than completely random numbers. Not

Re: Changes in Russian licensing of cryptraghical tools

2008-01-20 Thread Alexander Klimov
On Thu, 17 Jan 2008, Gleb Paharenko wrote: Russian government accepted a changes in laws about licensing cryptographic algorithms and devices. The statement in Russian language: http://www.garant.ru/hotlaw/doc/109485.htm Essential in English: You do not need to license staff which uses:

Re: Scare tactic?

2007-09-20 Thread Alexander Klimov
On Wed, 19 Sep 2007, Nash Foster wrote: Any actual cryptographers care to comment on this? I don't feel qualified to judge. Not a single IKE implementation [...] were validating the Diffie-Hellman public keys that I sent. There are many ways to use DH key-agreement. The one described on the

Re: using SRAM state as a source of randomness

2007-09-16 Thread Alexander Klimov
Hi. On Sun, 16 Sep 2007, Joachim Strmbergson wrote: One could add test functionality that checks the randomness of the initial SRAM state after power on. But somehow I don't think a good test suite and extremely low cost devices (for example RFID chips) are very compatible concepts. One can

Re: Quantum Cryptography

2007-06-28 Thread Alexander Klimov
I suspect there are two reasons for QKD to be still alive. First of all, the cost difference between quantum and normal approaches is so enormous that a lot of ignorant decision makers actually believe that they get something extra for this money. If you tell a lie big enough and keep repeating

Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Alexander Klimov
On Mon, 25 Jun 2007, Hal Finney wrote: The idea of putting a TPM on a smart card or other removable device is even more questionable from this perspective. A TPM which communicates via an easily accessible and tamperable bus is almost useless for the security concepts behind the Trusted

Re: luks disk encryption benchmarks

2007-06-21 Thread Alexander Klimov
On Tue, 5 Jun 2007, Travis H. wrote: 1048576000 bytes (1.0 GB) copied, 3.08291 seconds, 340 MB/s [...] That seems to reflect that it isn't really going to disk. I'm surprised the controller has that much RAM on it, I guess it is not the controller, but the kernel. Encryption reduces

Re: wrt Network Endpoint Assessment

2007-06-21 Thread Alexander Klimov
Hi. On Wed, 20 Jun 2007 [EMAIL PROTECTED] wrote: Network Endpoint Assessment (NEA): Overview and Requirements http://www.ietf.org/internet-drafts/draft-ietf-nea-requirements-02.txt [...] NEA technology may be used for several purposes. One use is to facilitate endpoint compliance

Re: question re practical use of secret sharing

2007-06-21 Thread Alexander Klimov
On Fri, 22 Jun 2007, Peter Gutmann wrote: It's available as part of other products (e.g. nCipher do it for keying their HSMs), but I don't know of any product that just does... secret sharing. What would be the user interface for such an application? What would be the target audience? (I

Re: Enterprise Right Management vs. Traditional Encryption Tools

2007-05-13 Thread Alexander Klimov
On Fri, 11 May 2007, Jon Callas wrote: What about DRM/ERM that uses TPM? With TPM the content is pretty much tied to a machine (barring screen captures etc) Will ERM/DRM be ineffective even with the use of TPM? There are two different features of TPM: it can work as an embedded smartcard (to

Re: AACS and Processing Key

2007-05-06 Thread Alexander Klimov
On Wed, 2 May 2007, Perry E. Metzger wrote: All cryptography is about economics. In crypto, we usually consider what the best strategy for an attacker is in terms of breaking a cryptosystem, but here I think the right question is what the optimal strategy is for the attacker in terms of

Re: open source disk crypto update

2007-04-29 Thread Alexander Klimov
On Thu, 26 Apr 2007, Simon Josefsson wrote: Are you afraid of attackers secretly changing your software (to monitor you?) while your computer is off? I believe this is a not completely unreasonable threat. Modifying files on the /boot partition to install a keylogger is not rocket science,

Re: More info in my AES128-CBC question

2007-04-27 Thread Alexander Klimov
On Wed, 25 Apr 2007, Travis H. wrote: If the IV chained across continguous messages as in SSHv2 then you have a problem (see above). I don't fully understand what it means to have IVs chained across contiguous (?) messages, as in CBC mode each ciphertext block forms the IV of the block

Re: More info in my AES128-CBC question

2007-04-26 Thread Alexander Klimov
On Wed, 25 Apr 2007, Hagai Bar-El wrote: It seems as Aram uses a different IV for each message encrypted with CBC. I am not sure I see a requirement for randomness here. As far as I can tell, this IV can be a simple index number or something as predictable, as long as it does not repeat within

Re: open source disk crypto update

2007-04-26 Thread Alexander Klimov
On Wed, 25 Apr 2007, Travis H. wrote: Just recently I discovered Debian default installs now support encrypted root (/boot still needs to be decrypted). Presumably we are moving back the end of the attack surface; with encrypted root, one must attack /boot or the BIOS. What is the limit?

Re: Intuitive cryptography that's also practical and secure.

2007-02-04 Thread Alexander Klimov
On Tue, 30 Jan 2007, Leichter, Jerry wrote: This is a common misconception. The legal system does not rely on lawyers, judges, members of Congress, and so on understanding how technology or science works. It doesn't rely on them coming to accept the trustworthiness of the technology on any

Re: Private Key Generation from Passwords/phrases

2007-02-03 Thread Alexander Klimov
On Sun, 28 Jan 2007, Steven M. Bellovin wrote: Beyond that, 60K doesn't make that much of a difference even with a traditional /etc/passwd file -- it's only an average factor of 15 reduction in the attacker's workload. While that's not trivial, it's also less than, say, a one-character

Re: analysis and implementation of LRW

2007-01-23 Thread Alexander Klimov
On Tue, 23 Jan 2007, Peter Gutmann wrote: The IEEE P1619 standard group has dropped LRW mode. It has a vulnerability that that are collisions that will divulge the mixing key which will reduce the mode to ECB. Is there any more information on this anywhere? I haven't been able to find

Re: Can you keep a secret? This encrypted drive can...

2006-12-04 Thread Alexander Klimov
On Sun, 3 Dec 2006, David Johnston wrote: Moreover, AES-256 is 20-ish percent slower than AES-128. Compared to AES-128, AES-256 is 140% of the rounds to encrypt 200% as much data. So when implemented in hardware, AES-256 is substantially faster. AES-256 means AES with 128-bit block and

Re: Can you keep a secret? This encrypted drive can...

2006-11-10 Thread Alexander Klimov
On Wed, 8 Nov 2006, Travis H. wrote: On Wed, Nov 08, 2006 at 05:58:41PM -0500, Leichter, Jerry wrote: Sorry, that doesn't make any sense. If your HWRNG leaks 64 bits, you might as well assume it leaks 256. When it comes to leaks of this sort, the only interesting numbers are 0 and all.

Re: Can you keep a secret? This encrypted drive can...

2006-11-07 Thread Alexander Klimov
On Tue, 7 Nov 2006, Peter Gutmann wrote: Saqib Ali [EMAIL PROTECTED] writes: I compile a lot of software on my laptop, and I *certainly notice* the difference between my office laptop (no encryption) and my travel laptop (with FDE). The laptops are exactly the same, with the same image

Re: Can you keep a secret? This encrypted drive can...

2006-11-03 Thread Alexander Klimov
On Wed, 1 Nov 2006, Saqib Ali wrote: Well for one thing, any software based FDE is extremely slow, doubles the file access times, and is a serious drain on the laptop battery. If a PC is used by an interactive user, it is irrelevant how much access time is increased, as far as the user cannot

Re: TPM disk crypto

2006-10-12 Thread Alexander Klimov
On Mon, 9 Oct 2006 kkursawe at esat.kuleuven.ac.be wrote: IIUC, TPM is pointless for disk crypto: if your laptop is stolen the attacker can reflash BIOS and bypass TPM. According to TCG Specification, the first part of the BIOS (called Core Root of Trust for Measurement) should be

Re: TPM disk crypto

2006-10-12 Thread Alexander Klimov
On Mon, 9 Oct 2006, James A. Donald wrote: Well obviously I trust myself, and do not trust anyone else all that much, so if I am the user, what good is trusted computing? One use is that I can know that my operating system has not changed behind the scenes, perhaps by a rootkit, know that

Re: TPM disk crypto

2006-10-09 Thread Alexander Klimov
On Fri, 6 Oct 2006, Erik Tews wrote: And the TPM knows that your BIOS has not lied about the checksum of grub how? The TPM does not know that the BIOS did not lie about the checksum of grub or any other bios component. What you do is, you trust your TPM and your BIOS that they never lie

Re: interesting HMAC attack results

2006-09-28 Thread Alexander Klimov
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions, by Scott Contini and Yiqun Lisa Yin (*) On Mon, 25 Sep 2006, Anton Stiglic wrote: Very interesting, I wonder how this integrates with the following paper http://citeseer.ist.psu.edu/bellare06new.html (**)

Re: Did Hezbollah use SIGINT against Israel?

2006-09-21 Thread Alexander Klimov
On Wed, 20 Sep 2006, Steven M. Bellovin wrote: http://www.newsday.com/news/printedition/stories/ny-wocode184896831sep18,0,7091966,print.story That isn't supposed to be possible these days... It is not clear that with modern technology interception is impossible, at least during Second Gulf War

Re: Raw RSA

2006-09-11 Thread Alexander Klimov
On Sun, 10 Sep 2006, James A. Donald wrote: Could you describe this attack in more detail. I do not see a scenario where it would be useful. Suppose that an attacker runs an activex control on the user's computer and the control is able to ask a smart card connected to the computer to perform

Re: Raw RSA

2006-09-08 Thread Alexander Klimov
On Thu, 7 Sep 2006, Leichter, Jerry wrote: | If an attacker is given access to a raw RSA decryption oracle (the | oracle calculates c^d mod n for any c) is it possible to extract the | key (d)? If I hand you my public key, I have in effect handed you an oracle that will compute c^d mod n for

Raw RSA

2006-09-07 Thread Alexander Klimov
Hi. If an attacker is given access to a raw RSA decryption oracle (the oracle calculates c^d mod n for any c) is it possible to extract the key (d)? It is known, that given such an oracle, the attacker can ask for decryption of all primes less than B, and then he will be able to sign PKCS-1

Re: compressing randomly-generated numbers

2006-08-30 Thread Alexander Klimov
On Mon, 28 Aug 2006, Travis H. wrote: On 8/23/06, Alexander Klimov [EMAIL PROTECTED] wrote: A random bit stream should have two properties: no bias and no dependency between bits. If one has biased but independent bits he can use the von Neumann algorithm to remove the bias

RE: compressing randomly-generated numbers

2006-08-27 Thread Alexander Klimov
On Thu, 10 Aug 2006, Jeremy Hansen wrote: I see where you're coming from, but take an imperfectly random source and apply a deterministic function to it, and if I recall correctly, you still have a imperfectly random output. It would be better to use something like Von Neumann's unbiasing

Re: Solving systems of multivariate polynomials modulo 2^32

2006-08-27 Thread Alexander Klimov
On Mon, 14 Aug 2006, David Wagner wrote: Here's an example. Suppose we have the equations: x*y + z = 1 x^3 + y^2 * z = 1 x + y + z = 0 Step 1: Find all solutions modulo 2. This is easy: you just have to try 2^3 = 8 possible assignments and see which one satisfy the

Re: A security bug in PGP products?

2006-08-27 Thread Alexander Klimov
On Mon, 21 Aug 2006, Max A. wrote: Could anybody familiar with PGP products look at the following page and explain in brief what it is about and what are consequences of the described bug? http://www.safehack.com/Advisory/pgp/PGPcrack.html The text there looks to me rather obscure with a

Re: Crypto to defend chip IP: snake oil or good idea?

2006-07-26 Thread Alexander Klimov
On Tue, 25 Jul 2006, Perry E. Metzger wrote: EE Times is carrying the following story: http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=190900759 [...] I'd be interested in other people's thoughts on this. Can you use DRM to protect something worth not eight dollars but eight

Re: Your secrets are safe with quasar encryption

2006-03-30 Thread Alexander Klimov
On Wed, 29 Mar 2006, Sean McGrath wrote: He adds that the method does not require a large radio antenna or that the communicating parties be located in the same hemisphere, as radio signals can be broadcast over the internet at high speed. It sounds like encrypting $P$ by xoring it with random

square roots modulo a prime p

2006-02-08 Thread Alexander Klimov
Hi. I have checked several papers and software packages which implement modular square root and it looks like there is no agreement about what algorithm is the best except that everybody does the same for p=3(4). Chapter 3 of HAC suggests special algorithms for p=3(4) and p=5(8); a general

Re: long-term GPG signing key

2006-01-13 Thread Alexander Klimov
On Wed, 11 Jan 2006, Ian G wrote: Even though triple-DES is still considered to have avoided that trap, its relatively small block size means you can now put the entire decrypt table on a dvd (or somesuch, I forget the maths). This would need 8 x 2^{64} bytes of storage which is approximately

Re: RNG quality verification

2005-12-22 Thread Alexander Klimov
On Thu, 22 Dec 2005, Philipp [iso-8859-1] G?hring wrote: I have been asked by to verify the quality of the random numbers which are used for certificate requests that are being sent to us, to make sure that they are good enough, and we don?t issue certificates for weak keys. Consider an

Re: whoops (residues in a finite field)

2005-12-21 Thread Alexander Klimov
On Mon, 19 Dec 2005, Travis H. wrote: He says no mpi/modular arithmetic libraries that he knows of use this technique I guess the main reason is that the environments where these libraries are supposed to be used are believed to be immune to the attacks these checks are trying to prevent: the

Re: How security could benefit from high volume spam

2005-12-15 Thread Alexander Klimov
On Wed, 14 Dec 2005, Hadmut Danisch wrote: Maybe in near future the advantages of that noise produced by millions of bots will outweigh the disadvantages? First of all, even if you receive 1000 spams a day plus a message from your commander it does not give you much since the spams are from

Re: [Clips] Hacker attacks in US linked to Chinese military: researchers

2005-12-13 Thread Alexander Klimov
On Mon, 12 Dec 2005, R. A. Hettinga wrote: --- begin forwarded text [...] These attacks come from someone with intense discipline. No other organization could do this if they were not a military organization, Paller said in a conference call to announced a new cybersecurity education

Re: crypto for the average programmer

2005-12-12 Thread Alexander Klimov
On Mon, 12 Dec 2005, Travis H. wrote: In Peter Gutmann's godzilla cryptography tutorial, he has some really good (though terse) advice on subtle gotchas in using DH/RSA/Elgamal. I learned a few no-nos, such as not sending the same message to 3 seperate users in RSA (if using 3 as an encryption

Re: NSA posts notice about faster, lighter crypto

2005-12-12 Thread Alexander Klimov
On Sat, 10 Dec 2005, Anne Lynn Wheeler wrote: NSA posts notice about faster, lighter crypto http://www.fcw.com/article91669-12-09-05-Web This makes me wonder how news are created -- the NSA announcement made on 16 February 2005 becomes a news in December... BTW, we already discussed here

Re: crypto wiki -- good idea, bad idea?

2005-12-12 Thread Alexander Klimov
On Mon, 12 Dec 2005, Travis H. wrote: Seems like a lot of new folks (myself included) ask questions that have the following answer: Read the literature, no there's no one site, that would be too much effort, c. Would a wiki specifically for crypto distribute the burden enough to be useful?

Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-12-07 Thread Alexander Klimov
On Thu, 17 Nov 2005, Jari Ruusu wrote: Unfortunately truecrypt is just another broken device crypto implementation that uses good ciphers in insecure way. Specially crafted static bit patterns are easily detectable through that kind of bad crypto. Looks like they have fixed it: version 4.1

Re: Encryption using password-derived keys

2005-12-02 Thread Alexander Klimov
On Tue, 29 Nov 2005, Jack Lloyd wrote: The basic scenario I'm looking at is encrypting some data using a password-derived key (using PBKDF2 with sane salt sizes and iteration counts). [...] My inclination is to use the PBKDF2 output as a key encryption key, rather than using it to directly

Re: Haskell crypto

2005-11-30 Thread Alexander Klimov
On Sat, 19 Nov 2005, Ian G wrote: Someone mailed me with this question, anyone know anything about Haskell? It is a *purely* functional programming language. http://www.haskell.org/aboutHaskell.html Original Message I just recently stepped into open source cryptography

Re: Fermat's primality test vs. Miller-Rabin

2005-11-14 Thread Alexander Klimov
On Fri, 11 Nov 2005, Joseph Ashwood wrote: From: Charlie Kaufman [EMAIL PROTECTED] I've heard but not confirmed a figure of one failure in 20 million. I've never heard an estimate of the probability that two runs would fail to detect the composite. It couldn't be better than one failure is 20

Re: Fermat's primality test vs. Miller-Rabin

2005-11-10 Thread Alexander Klimov
On Wed, 9 Nov 2005, Jeremiah Rogers wrote: I guess the small increase in efficiency would not be worth additional program code. That depends on the size of the numbers you're working with... Considering the research that goes into fast implementations of PowerMod I don't think the

Re: Pseudorandom Number Generator in Ansi X9.17

2005-11-10 Thread Alexander Klimov
On Thu, 10 Nov 2005, Terence Joseph wrote: The Pseudorandom Number Generator specified in Ansi X9.17 used to be one of the best PRNGs available if I am correct. I was just wondering if this is still considered to be the case? Is it widely used in practical situations or is there some better

Re: gonzo cryptography; how would you improve existing cryptosystems?

2005-11-08 Thread Alexander Klimov
On Mon, 7 Nov 2005, Jason Holt wrote: Take a look at ecryptfs before rewriting cfs ... or at TrueCrypt (which works on linux and windows): http://www.truecrypt.org/downloads.php -- Regards, ASK - The Cryptography Mailing

Re: [PracticalSecurity] Anonymity - great technology but hardly used

2005-10-31 Thread Alexander Klimov
On Wed, 26 Oct 2005, JЖrn Schmidt wrote: --- Travis H. [EMAIL PROTECTED] wrote: [snip] Another issue involves the ease of use when switching between a [slower] anonymous service and a fast non-anonymous service. I have a tool called metaprox on my website (see URL in sig) that allows

Re: ECC patents?

2005-10-15 Thread Alexander Klimov
On Sun, 11 Sep 2005, Alexander Klimov wrote: Does anyone know a good survey about ECC patent situation? I have made a shallow review (comments are welcome!) of the patents that Certicom claims are pertained to ECC implementation and it looks like there are no real road-blocks for ECDH and ECDSA

Re: Pseudonymity for tor: nym-0.1 (fwd)

2005-10-06 Thread Alexander Klimov
On Sun, 2 Oct 2005, Matt Crawford wrote: On Sep 29, 2005, at 18:32, Jason Holt wrote: Of course, you can put anything you want in the cert, since the servers know that my CA only certifies 1 bit of data about users (namely, that they only get one cert per scarce resource). One per person

Re: ECC patents?

2005-09-14 Thread Alexander Klimov
On Tue, 13 Sep 2005, Paul Hoffman wrote: At 9:32 AM -0700 9/12/05, James A. Donald wrote: It has been a long time, and no one has paid out money on an ECC patent yet. That's pretty bold statement that folks at Certicom might disagree with, even before

Re: Is there any future for smartcards?

2005-09-13 Thread Alexander Klimov
On Mon, 12 Sep 2005, Jaap-Henk Hoepman wrote: I believe smartcards (and trusted computing platforms too, btw) aim to solve the following problem: How to enforce your own security policy in a hostile environment, not under your own physical control? Examples: - Smartcard: electronic

Re: ECC patents?

2005-09-12 Thread Alexander Klimov
On Sun, 11 Sep 2005, Ben Laurie wrote: Alexander Klimov wrote: ECC is known since 1985 but seems to be absent in popular free software packages, e.g., neither gnupg nor openssl has it (even if the relevant patches were created). It looks like the main reason is some patent uncertainty

ECC patents?

2005-09-11 Thread Alexander Klimov
Hi. ECC is known since 1985 but seems to be absent in popular free software packages, e.g., neither gnupg nor openssl has it (even if the relevant patches were created). It looks like the main reason is some patent uncertainty in this area. An internet research shows that Certicom claims to hold

Re: How many wrongs do you need to make a right?

2005-08-17 Thread Alexander Klimov
On Wed, 17 Aug 2005, Florian Weimer wrote: Can't you strip the certificates which have expired from the CRL? (I know that with OpenPGP, you can't, but that's a different story.) Probably, you want to save the signatures on the old lists, but I dont see why you can not download only delta of

Re: Number of rounds needed for perfect Feistel?

2005-08-12 Thread Alexander Klimov
On Fri, 12 Aug 2005, Tim Dierks wrote: I'm attempting to design a block cipher with an odd block size (34 bits). I'm planning to use a balanced Feistel structure with AES as the function f(), padding the 17-bit input blocks to 128 bits with a pad dependent on the round number, encrypting with

Re: Query about hash function capability

2005-08-04 Thread Alexander Klimov
On Thu, 4 Aug 2005, Arash Partow wrote: My question relates to hash functions in general and not specifically cryptographic hashes. I was wondering if there exists a group of hash function(s) that will return an identical result for sequentially similar yet rotate/shift wise dissimilar input:

Re: Ostiary

2005-08-03 Thread Alexander Klimov
On Tue, 2 Aug 2005, Udhay Shankar N wrote: Sounds interesting. Has anybody used this, and are there any comments? For similar purpose I used to use .qmail based system: the script started from .qmail when a message to some special address arrives, the script checks the digital signature on the

Re: mother's maiden names...

2005-07-14 Thread Alexander Klimov
On Wed, 13 Jul 2005, Perry E. Metzger wrote: Why is it, then, that banks are not taking digital photographs of customers when they open their accounts so that the manager's computer can pop up a picture for him, which the bank has had in possession the entire time and which I could not have