RE: Intuitive cryptography that's also practical and secure.

2007-02-03 Thread Anton Stiglic
I am not convinced that we need intuitive cryptography. Many things in life are not understood by the general public. How does a car really work: most people don't know but they still drive one. How does a microwave oven work? People don't need to understand the details, but the high level

RE: Private Key Generation from Passwords/phrases

2007-02-03 Thread Anton Stiglic
Bill Stewart wrote: Salt is designed to address a couple of threats - Pre-computing password dictionaries for attacking wimpy passwords ... Yes indeed. The rainbow-tables style attacks are important to protect against, and a salt does the trick. This is why you can find rainbow tables for

RE: Exponent 3 damage spreads...

2006-09-22 Thread Anton Stiglic
O.k., thanks to Hal Finney for pointing out to me in a private email that my modulus wasn't in fact the right size. I have had some problems with the openssl key generation (doesn't always seem to generate the exact modulus size I ask for). In attachment, the forged signature

RE: Exponent 3 damage spreads...

2006-09-21 Thread Anton Stiglic
spreads... Anton Stiglic writes: I tried coming up with my own forged signature that could be validated with OpenSSL (which I intended to use to test other libraries). ... Now let's look at s^3 1FFF

Re: Why the exponent 3 error happened:

2006-09-21 Thread Anton Stiglic
As other's have mentioned, I don't believe the small RSA exponent (e = 3) is to blame in Bleichenbacher's attack. Indeed, the mathematical problem of computing the cubic root of m modulo an rsa modulus n, for a *fixed*, arbitrary m, is still considered to be hard (no one has shown the opposite).

RE: Exponent 3 damage spreads...

2006-09-20 Thread Anton Stiglic
I tried coming up with my own forged signature that could be validated with OpenSSL (which I intended to use to test other libraries). I haven't succeeded, either because in the particular example I came up with OpenSSL does something that catches the invalid signature, or I messed up somewhere

Re: Interesting bit of a quote

2006-07-12 Thread Anton Stiglic
David Wagner writes: SB1386 says that if a company conducts business in Caliornia and has a system that includes personal information stored in unencrypted from and if that company discovers or is notified of a breach of the security that system, then the company must notify any California

RE: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Anton Stiglic
More strongly, if we've never met, and you are not in the habit of routinely signing email, thereby tying a key to your e-persona, it makes no sense to speak of *secure* communication to *you*. Regularly signing email is not necessarily a good idea. I like to be able to repudiate most emails I

RE: general defensive crypto coding principles

2006-02-14 Thread Anton Stiglic
I don't believe MtE is good advice, and I have yet to see a decent reason why one would want to use that instead of EtM. Of course when we talk about EtM, the MAC should be applied over all plaintext headers and trailers (including IV used for encryption, algorithm identifier, protocol version,

RE: another feature RNGs could provide

2005-12-22 Thread Anton Stiglic
Actually, by definition, a cipher should be a permutation from the set of plaintexts to the set of ciphertexts. It has to be 1 to 1 bijective or it isn't an encryption algorithm. Therefore, if you want an ergodic sequence of size 2^N, a counter encrypted under an N bit block cipher will do it.

RE: Fermat's primality test vs. Miller-Rabin

2005-12-05 Thread Anton Stiglic
Ok after making that change, and a few others. Selecting only odd numbers (which acts as a small seive) I'm not getting much useful information. It appears to be such that at 512 bits if it passes once it passes 128 times, and it appears to fail on average about 120-130 times, so the sieve

RE: Encryption using password-derived keys

2005-12-02 Thread Anton Stiglic
It can be useful to derive a key encryption key from the password, and not use the key derived from the password to directly encrypt data you want to protect, when the resulting ciphertext can be found in different places where your encrypted key won't necessarly also be found. For example, to

RE: Fermat's primality test vs. Miller-Rabin

2005-11-30 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Ashwood Sent: November 18, 2005 3:18 AM To: cryptography@metzdowd.com Subject: Re: Fermat's primality test vs. Miller-Rabin Look at table 4.3 of the Handbook of applied cryptography: for t = 1

RE: Fermat's primality test vs. Miller-Rabin

2005-11-16 Thread Anton Stiglic
The general consensus is that for 500-bit numbers one needs only 6 MR tests for 2^{-80} error probability [1]: ... and thus a single test gives ~2^{-13}. If you just took the exponent 80 and divided it by 6 to get ~13, I don't think that is the right reasoning. Look at table 4.3 of the

Re: Fermat's primality test vs. Miller-Rabin

2005-11-10 Thread Anton Stiglic
I guess the small increase in efficiency would not be worth additional program code. That depends on the size of the numbers you're working with... Considering the research that goes into fast implementations of PowerMod I don't think the required computation is trivial. Although the

Re: Fermat's primality test vs. Miller-Rabin

2005-11-10 Thread Anton Stiglic
Although the Carmichael numbers fool the Fermat test (that is, $a^{n-1} = 1 (n)$) for *all* a, there are no such things for the Miller-Rabin test: for any odd composite n at least 3/4 of a's fail the test, that is if you made m MR tests with random a's then you are mistaken with probability

RE: SSL/TLS passive sniffing

2004-12-05 Thread Anton Stiglic
This sounds very confused. Certs are public. How would knowing a copy of the server cert help me to decrypt SSL traffic that I have intercepted? I found allot of people mistakenly use the term certificate to mean something like a pkcs12 file containing public key certificate and private key.

New IBM Thinkpad includes biometrics

2004-10-19 Thread Anton Stiglic
http://www.theregister.co.uk/2004/10/05/biometric_thinkpad_t42/ I wonder how well it can counter the attacks discussed by researchers in the last few years. Like reactivating a fingerprint authentication by breathing on the sensor's surface containing residue fat traces of the finger, or

RE: Maths holy grail could bring disaster for internet

2004-09-08 Thread Anton Stiglic
Mathematicians could be on the verge of solving two separate million dollar problems. If they are right - still a big if - and somebody really has cracked the so-called Riemann hypothesis, financial disaster might follow. Suddenly all cryptic codes could be breakable. No internet transaction would

RE: Microsoft .NET PRNG (fwd)

2004-08-12 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Gerck Sent: 10 août 2004 13:42 To: [EMAIL PROTECTED] Subject: Re: Microsoft .NET PRNG (fwd) The PRNG should be the least concern when using MSFT's cryptographic provider. The MSFT report 140sp238.pdf

RE: Microsoft .NET PRNG (fwd)

2004-08-10 Thread Anton Stiglic
There is some detail in the FIPS 140 security policy of Microsoft's cryptographic provider, for Windows XP and Windows 2000. See for example http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf where they say the RNG is based on FIPS 186 RNG using SHS. The seed is based on the collection of

RE: dual-use digital signature vulnerability

2004-07-21 Thread Anton Stiglic
About using a signature key to only sign contents presented in a meaningful way that the user supposedly read, and not random challenges: The X.509 PoP (proof-of-possession) doesn't help things out, since a public key certificate is given to a user by the CA only after the user has demonstrated

RE: Verifying Anonymity

2004-07-16 Thread Anton Stiglic
[...] I find it hard to imagine how you can even know whether it seems to work, let alone has some subtle problem. That's clearly a much harder problem--and indeed I suspect it's behind the general lack of interest that the public has shown in anonymous systems. -Ekr The lack of

RE: New Attack on Secure Browsing

2004-07-16 Thread Anton Stiglic
You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com. What I get is a bad certificate, and this is due to the fact that the

RE: Humorous anti-SSL PR

2004-07-15 Thread Anton Stiglic
This barely deserves mention, but is worth it for the humor: Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe http://www.prweb.com/releases/2004/7/prweb141248.htm The article says The weaknesses of SSL implementations have been

RE: identification + Re: authentication and authorization

2004-07-09 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Gerck Sent: 7 juillet 2004 14:46 To: [EMAIL PROTECTED] Subject: identification + Re: authentication and authorization I believe that a significant part of the problems discussed here is that the three

RE: authentication and authorization (was: Question on the state of the security industry)

2004-07-08 Thread Anton Stiglic
However, in some scenarios http://www.garlic.com/~lynn/2001h.html#61 the common use of static data is so pervasive that an individual's information is found at thousands of institutions. The value of the information to the criminal is that the same information can be used to perpetrate fraud

RE: authentication and authorization (was: Question on the state of the security industry)

2004-07-07 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Denker Sent: 1 juillet 2004 14:27 To: [EMAIL PROTECTED] Cc: Ian Grigg Subject: Re: authentication and authorization (was: Question on the state of the security industry) 1) For starters, identity theft

RE: authentication and authorization

2004-07-07 Thread Anton Stiglic
-Original Message- From: John Denker [mailto:[EMAIL PROTECTED] Sent: 5 juillet 2004 18:28 To: Anton Stiglic Cc: [EMAIL PROTECTED]; 'Ian Grigg' Subject: Re: authentication and authorization [...] We should assume that the participants on this list have a goodly amount of technical

RE: recommendations/evaluations of free / low-cost crypto libraries

2004-06-30 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:owner-[EMAIL PROTECTED] On Behalf Of Peter Gutmann Sent: 29 juin 2004 09:49 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: recommendations/evaluations of free / low-cost crypto libraries Anton Stiglic [EMAIL

Re: SSL accel cards

2004-05-26 Thread Anton Stiglic
Does anyone know of an SSL acceleration card that actually works under Linux/*BSD? I successfully used a Broadcom PCI card on a Linux (don't remember what Linux and kernel version, this was close to 2 years ago). If I remember correctly it was the BCM5820 processor I used

Re: Is there a Brands certificate reference implementation?

2004-05-08 Thread Anton Stiglic
Stefan Brands started his own company, http://www.credentica.com/ There isn't much on the web site yet, but if you click on the image you get the info email address. The code that was developed for Brands credentials at ZKS was never released. There was also code written during the ESPRIT

Re: [Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases

2004-04-05 Thread Anton Stiglic
The attacks by Dobbertin on MD5 only allow to find collisions in the compression function, not the whole MD5 hash. But it is a sign that something might be fishy about MD5. MD5 output is 128 bits. There are two types of collision finding attacks that can be applied. In the first you are given

Re: [Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)]

2004-01-08 Thread Anton Stiglic
- Original Message - From: Jerrold Leichter [EMAIL PROTECTED] Cc: Cryptography [EMAIL PROTECTED] Sent: Wednesday, January 07, 2004 7:14 AM Subject: Re: [Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)] Now that we've trashed non-repudiation ... just how is it different from

Re: CIA - the cryptographer's intelligent aid?

2004-01-07 Thread Anton Stiglic
The thing about CIA is that it is commonly used in security (not cryptography) courses to mean Confidentiality, Integrity (of systems) and Availability (instead of Authentication). Availability of systems, services and information. For crypto I always talked about CAIN or PAIN (like in no PAIN

Re: Any good books or URLs for WinXP crypto security?

2004-01-07 Thread Anton Stiglic
NSA Windows hardening guides: http://nsa2.www.conxion.com/ --Anton - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Zero Knowledge Authentication? (was Cryptolog Unicity Software-Only Digital Certificates)

2003-12-14 Thread Anton Stiglic
Previously used primarily in scientific/academic applications, zero knowledge authentication is a method of proving a user's identity without revealing his password to the verifier. So anybody knows exactly what this zero-knowledge authentication is that they use? Using this technology,

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-07 Thread Anton Stiglic
- Original Message - From: Peter Fairbrother [EMAIL PROTECTED] To: David Wagner [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Saturday, December 06, 2003 7:58 PM Subject: Re: safety of Pohlig-Hellman with a common modulus? David Wagner wrote: Steve Bellovin wrote: Is it safe to use

Re: yahoo to use public key technology for anti-spam

2003-12-07 Thread Anton Stiglic
- Original Message - From: Carl Ellison [EMAIL PROTECTED] To: 'Will Rodger' [EMAIL PROTECTED]; 'Steve Bellovin' [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Sunday, December 07, 2003 8:44 AM Subject: RE: yahoo to use public key technology for anti-spam I, for one, hate the idea. My

Re: Problems with GPG El Gamal signing keys?

2003-12-01 Thread Anton Stiglic
- Original Message - From: Ralf Senderek [EMAIL PROTECTED] To: Werner Koch [EMAIL PROTECTED]; cryptography [EMAIL PROTECTED] Sent: Thursday, November 27, 2003 11:23 AM Subject: Re: Problems with GPG El Gamal signing keys? On Thu, 27 Nov 2003, Werner Koch wrote: Yes, yes, I should

Re: Problems with GPG El Gamal signing keys?

2003-11-27 Thread Anton Stiglic
- Original Message - From: Perry E.Metzger [EMAIL PROTECTED] Some notes have been floating around claiming that there are bugs in GPG's use of El Gamal keys. For example, see: http://groups.google.com/groups?selm=E1AOvTM-0001nY-00%40alberti.g10code.deoe=UTF-8output=gplain Can

Re: A-B-a-b encryption

2003-11-19 Thread Anton Stiglic
- Original Message - From: Jeremiah Rogers [EMAIL PROTECTED] To: crypto list [EMAIL PROTECTED] Sent: Sunday, November 16, 2003 12:50 PM Subject: Re: A-B-a-b encryption This is Shamir's Three-Pass Protocol, described in section 22.3 of Schneier. It requires a commutative cryptosystem.

Re: Are there...one-way encryption algorithms

2003-11-19 Thread Anton Stiglic
David Wagner [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] martin f krafft wrote: it came up lately in a discussion, and I couldn't put a name to it: a means to use symmetric crypto without exchanging keys: - Alice encrypts M with key A and sends it to Bob - Bob encrypts

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anton Stiglic
- Original Message - From: Tom Otvos [EMAIL PROTECTED] As far as I can glean, the general consensus in WYTM is that MITM attacks are very low (read: inconsequential) probability. I'm not certain this was the consensus. We should look at the scenarios in which this is possible, and

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anton Stiglic
I'm not sure how you come to that conclusion. Simply use TLS with self-signed certs. Save the cost of the cert, and save the cost of the re-evaluation. If we could do that on a widespread basis, then it would be worth going to the next step, which is caching the self-signed certs, and

Re: Internal format of RSA private keys in microsoft keystore.

2003-10-15 Thread Anton Stiglic
- Original Message - From: R.Sriram [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 10, 2003 1:20 AM Subject: Internal format of RSA private keys in microsoft keystore. Greetings, In the process of trying to work around some of the limitations of the m$-CAPI API, I'm

Re: NCipher Takes Hardware Security To Network Level

2003-10-15 Thread Anton Stiglic
- Original Message - From: Ian Grigg [EMAIL PROTECTED] * In contrast, someone who knows little about cars, can objectively evaluate a car. They can take it for a test drive and see if it feels right. Using it is proving it. I'm not totally convinced of this... Someone with

Re: NCipher Takes Hardware Security To Network Level

2003-10-11 Thread Anton Stiglic
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] The problem is that what we really need to be able to evaluate is how committed a vendor is to creating a truly secure product. [...] I agree 100% with what you said. Your 3 group classification seems accurate. But

Re: anonymity +- credentials

2003-10-07 Thread Anton Stiglic
- Original Message - From: Ian Grigg [EMAIL PROTECTED] [...] In terms of actual practical systems, ones that implement to Brands' level don't exist, as far as I know? There were however several projects that implemented and tested the credentials system. There was CAFE, an

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Anton Stiglic
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] If you think that's scary, look at Microsoft's CryptoAPI for Windows XP FIPS 140 certification. As with physical security certifications like BS 7799, you start by defining your security perimeter, defining everything

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Anton Stiglic
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, October 07, 2003 11:07 AM Subject: Re: NCipher Takes Hardware Security To Network Level Anton Stiglic [EMAIL PROTECTED] writes: This is why you get requirements

Re: anonymous DH MITM

2003-10-03 Thread Anton Stiglic
- Original Message - From: Tim Dierks [EMAIL PROTECTED] I think it's a tautology: there's no such thing as MITM if there's no such thing as identity. You're talking to the person you're talking to, and that's all you know. That seems to make sense. In anonymity providing systems

Re: DH with shared secret

2003-10-03 Thread Anton Stiglic
- Original Message - From: Jack Lloyd [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 03, 2003 5:13 AM Subject: DH with shared secret This was just something that popped into my head a while back, and I was wondering if this works like I think it does. And who came up

Re: anonymous DH MITM

2003-10-03 Thread Anton Stiglic
- Original Message - From: Jerrold Leichter [EMAIL PROTECTED] [...] | I think it's a tautology: there's no such thing as MITM if there's no such | thing as identity. You're talking to the person you're talking to, and | that's all you know. | | That seems to make sense No;

Re: VeriSign tapped to secure Internet voting

2003-10-02 Thread Anton Stiglic
Schu stressed that several layers of security will prevent hackers from accessing the system. VeriSign will house the security servers in its own hosting centers. The company will ask military personnel to use their Common Access Cards--the latest form of ID for the military--to access the

Re: End of the line for Ireland's dotcom star

2003-09-24 Thread Anton Stiglic
Why is it that none of those 100-odd companies with keys in the browsers are doing anything with them? Verisign has such a central role in the infrastructure, but any one of those other companies could compete. Why isn't anyone undercutting Verisign's prices? Look what happened with Thawte

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Anton Stiglic
Really exiting news. If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification! Other free open-source libraries have algorithms that have been FIPS 140 certified, but the whole module hasn't been certified (exemple Cryptlib and

Re: PRNG design document?

2003-09-02 Thread Anton Stiglic
Allow me to clarify my problem a little. I'm commonly engaged to review source code for a security audit, some such programs include a random number generator, many of which are of ad-hoc design. The nature of such audits is that it's much more appealing to be able to say here are three

Re: Looking for an N -out-of-M split algorithm

2003-07-16 Thread Anton Stiglic
Does anyone have any idea where I might learn about this algorithm - or indeed any algorithm which does the job. Just as Perry mentioned, look into Shamir Secret Sharing. There are also implementations of this, see for example http://www.astro.gla.ac.uk/users/norman/distrib/tontine.html (I'm

Re: Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages

2003-07-09 Thread Anton Stiglic
- Original Message - From: Whyte, William [EMAIL PROTECTED] [...] But you don't have to contact the CA to get someone's certificate. A standard way is to send them an email saying can you send me a signed message? Yes, that works. When I want someone to send me confidential email,

Re: replay integrity

2003-07-09 Thread Anton Stiglic
Integrity: Financial protocols that use crypto (as opposed to ones abused by crypto) generally include signed messages. The signature provides for its own integrity, as well as a few other things. I don't believe that is enough. Take for example the SSL 2.0 ciphersuite rollback

Re: pubkeys for p and g

2003-06-26 Thread Anton Stiglic
I'm not certain I understand your questions, but here are some answers (I think). In the DH protocol you have what we call public parameters, p and g. p is a large prime integer, which defines a group Z*p, g is a generator which defines a subgroup in Z*p. You can use fix values for p an g. Now,

Re: Security of DH key exchange

2003-06-20 Thread Anton Stiglic
- Original Message - From: Jaap-Henk Hoepman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 20, 2003 5:02 AM Subject: Security of DH key exchange In practice the following method of exchanging keys using DH is used, to ensure bit security of the resulting session key. If