Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-12 Thread Ben Laurie
On 10 October 2013 17:06, John Kelsey crypto@gmail.com wrote: Just thinking out loud The administrative complexity of a cryptosystem is overwhelmingly in key management and identity management and all the rest of that stuff. So imagine that we have a widely-used inner-level

Re: [Cryptography] Sha3

2013-10-06 Thread Ben Laurie
On 5 October 2013 20:18, james hughes hugh...@mac.com wrote: On Oct 5, 2013, at 12:00 PM, John Kelsey crypto@gmail.com wrote: http://keccak.noekeon.org/yes_this_is_keccak.html From the authors: NIST's current proposal for SHA-3 is a subset of the Keccak family, one can generate the test

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-01 Thread Ben Laurie
On 1 October 2013 01:10, James A. Donald jam...@echeque.com wrote: On 2013-10-01 04:22, Salz, Rich wrote: designate some big player to do it, and follow suit? Okay that data encoding scheme from Google protobufs or Facebook thrift. Done. We have a complie to generate C code from ASN.1

Re: [Cryptography] RSA equivalent key length/strength

2013-10-01 Thread Ben Laurie
On 30 September 2013 23:24, John Kelsey crypto@gmail.com wrote: Maybe you should check your code first? A couple nist people verified that the curves were generated by the described process when the questions about the curves first came out. If you don't quote the message you're

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-01 Thread Ben Laurie
On 1 October 2013 09:46, James A. Donald jam...@echeque.com wrote: On 2013-10-01 18:06, Ben Laurie wrote: On 1 October 2013 01:10, James A. Donald jam...@echeque.com wrote: Further, google is unhappy that too-clever-code gives too-clever programmers too much power, and has prohibited

Re: [Cryptography] [cryptography] TLS2

2013-09-30 Thread Ben Laurie
On 30 September 2013 10:47, Adam Back a...@cypherspace.org wrote: I think lack of soft-hosting support in TLS was a mistake - its another reason not to turn on SSL (IPv4 addresses are scarce and can only host one SSL domain per IP#, that means it costs more, or a small hosting company can

Re: [Cryptography] RSA equivalent key length/strength

2013-09-21 Thread Ben Laurie
On 18 September 2013 22:23, Lucky Green shamr...@cypherpunks.to wrote: According to published reports that I saw, NSA/DoD pays $250M (per year?) to backdoor cryptographic implementations. I have knowledge of only one such effort. That effort involved DoD/NSA paying $10M to a leading

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Ben Laurie
On 18 September 2013 15:30, Viktor Dukhovni cryptogra...@dukhovni.orgwrote: On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote: Given that many real organizations have hundreds of front end machines sharing RSA private keys, theft of RSA keys may very well be much easier

Re: [Cryptography] End to end

2013-09-16 Thread Ben Laurie
On 16 September 2013 18:49, Phillip Hallam-Baker hal...@gmail.com wrote: To me the important thing about transparency is that it is possible for anyone to audit the key signing process from publicly available information. Doing the audit at the relying party end prior to every reliance seems

Re: [Cryptography] Suite B after today's news

2013-09-10 Thread Ben Laurie
On 10 September 2013 11:29, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Ben Laurie b...@links.org writes: We need to get an extension number allocated, since the one it uses clashes with ALPN. It does? draft-ietf-tls-applayerprotoneg-01 doesn't mention ID 0x10 anywhere. (In any case

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Ben Laurie
On 9 September 2013 22:49, Stephen Farrell stephen.farr...@cs.tcd.iewrote: Hi Ben, On 09/09/2013 05:29 PM, Ben Laurie wrote: Perry asked me to summarise the status of TLS a while back ... luckily I don't have to because someone else has: http://tools.ietf.org/html/draft-sheffer-tls

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Ben Laurie
On 10 September 2013 03:59, james hughes hugh...@mac.com wrote: On Sep 9, 2013, at 2:49 PM, Stephen Farrell stephen.farr...@cs.tcd.ie wrote: On 09/09/2013 05:29 PM, Ben Laurie wrote: Perry asked me to summarise the status of TLS a while back ... luckily I don't have to because someone

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Ben Laurie
On 10 September 2013 22:04, Joe Abley jab...@hopcount.ca wrote: Suppose Mallory has access to the private keys of CAs which are in the browser list or otherwise widely-trusted. An on-path attack between Alice and Bob would allow Mallory to terminate Alice's TLS connection, presenting an

[Cryptography] What TLS ciphersuites are still OK?

2013-09-09 Thread Ben Laurie
Perry asked me to summarise the status of TLS a while back ... luckily I don't have to because someone else has: http://tools.ietf.org/html/draft-sheffer-tls-bcp-00 In short, I agree with that draft. And the brief summary is: there's only one ciphersuite left that's good, and unfortunately its

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Ben Laurie
On 6 September 2013 18:24, Perry E. Metzger pe...@piermont.com wrote: On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie b...@links.org wrote: On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote: Google is also now (I believe) using PFS on their connections

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Ben Laurie
On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote: Google is also now (I believe) using PFS on their connections, and they handle more traffic than anyone. A connection I just made to https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1, ECDHE_RSA. It would be good

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Ben Laurie
On 6 September 2013 17:20, Peter Saint-Andre stpe...@stpeter.im wrote: Is there a handy list of PFS-friendly ciphersuites that I can communicate to XMPP developers and admins so they can start upgrading their software and deployments? Anything with EDH, DHE or ECDHE in the name...

Re: [Cryptography] Using Raspberry Pis

2013-09-06 Thread Ben Laurie
On 26 August 2013 22:43, Perry E. Metzger pe...@piermont.com wrote: (I would prefer to see hybrid capability systems in such applications, like Capsicum, though I don't think any such have been ported to Linux and that's a popular platform for such work.) FWIW, we're working on a Linux port

Re: [Cryptography] Hashes into Ciphers

2013-09-04 Thread Ben Laurie
On 4 September 2013 15:49, Perry E. Metzger pe...@piermont.com wrote: On Wed, 4 Sep 2013 10:37:12 -0400 Perry E. Metzger pe...@piermont.com wrote: Phil Karn described a construction for turning any hash function into the core of a Feistel cipher in 1991. So far as I can tell, such ciphers

Re: [Cryptography] Thoughts about keys

2013-09-01 Thread Ben Laurie
On 25 August 2013 21:29, Perry E. Metzger pe...@piermont.com wrote: [Disclaimer: very little in this seems deeply new, I'm just mixing it up in a slightly different way. The fairly simple idea I'm about to discuss has germs in things like SPKI, Certificate Transparency, the Perspectives

Re: [Cryptography] PRISM PROOF Email

2013-08-23 Thread Ben Laurie
On 22 August 2013 10:36, Phillip Hallam-Baker hal...@gmail.com wrote: Preventing key substitution will require a combination of the CT ideas proposed by Ben Laurie (so catenate proof notaries etc) and some form of 'no key exists' demonstration. We have already outline how to make verifiable

Re: English 19-year-old jailed for refusal to disclose decryption key

2010-10-06 Thread Ben Laurie
On 6 October 2010 11:57, Ray Dillinger b...@sonic.net wrote: a 19-year-old just got a 16-month jail sentence for his refusal to disclose the password that would have allowed investigators to see what was on his hard drive. 16 weeks, says the article.

Re: Hashing algorithm needed

2010-09-15 Thread Ben Laurie
On 15/09/2010 00:26, Nicolas Williams wrote: On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote: How do you deliver Javascript to the browser securely in the first place? HTTP? I'll note that Ben's proposal is in the same category as mine (which was, to remind you, implement SCRAM in

Re: Hashing algorithm needed

2010-09-15 Thread Ben Laurie
On 14/09/2010 21:16, Marsh Ray wrote: On 09/14/2010 09:13 AM, Ben Laurie wrote: Demo here: https://webid.digitalbazaar.com/manage/ This Connection is Untrusted So? It's a demo. -- http://www.apache-ssl.org/ben.html http://www.links.org/ There is no limit to what a man can do

Re: Hashing algorithm needed

2010-09-14 Thread Ben Laurie
On 14/09/2010 12:29, Ian G wrote: On 14/09/10 2:26 PM, Marsh Ray wrote: On 09/13/2010 07:24 PM, Ian G wrote: 1. In your initial account creation / login, trigger a creation of a client certificate in the browser. There may be a way to get a browser to generate a cert or CSR, but I don't

Re: Hashing algorithm needed

2010-09-09 Thread Ben Laurie
On 9 September 2010 10:08, James A. Donald jam...@echeque.com wrote: On 2010-09-09 6:35 AM, Ben Laurie wrote: What I do in Nigori for this is use DSA. Your private key, x, is the hash of the login info. The server has g^x, from which it cannot recover x, Except, of course, by dictionary

Re: Hashing algorithm needed

2010-09-08 Thread Ben Laurie
On 8 September 2010 16:45, f...@mail.dnttm.ro wrote: Hi. Just subscribed to this list for posting a specific question. I hope the question I'll ask is in place here. We do a web app with an Ajax-based client. Anybody can download the client and open the app, only, the first thing the app

Re: questions about RNGs and FIPS 140

2010-09-05 Thread Ben Laurie
On 27/08/2010 19:38, Joshua Hill wrote: The fact is that all of the approved deterministic RNGs have places that you are expected to use to seed the generator. The text of the standard explicitly states that you can use non-approved non-deterministic RNGs to seed your approved deterministic

Re: Merkle Signature Scheme is the most secure signature scheme possible for general-purpose use

2010-09-03 Thread Ben Laurie
On 01/09/2010 22:45, Zooko O'Whielacronx wrote: On Wed, Sep 1, 2010 at 2:55 PM, Ben Laurie b...@links.org wrote: Or, to put it another way, in order to show that a Merkle signature is at least as good as any other, then you'll first have to show that an iterated hash is at least as secure

Re: A mighty fortress is our PKI

2010-07-28 Thread Ben Laurie
On 28/07/2010 01:07, Paul Tiemann wrote: There is a long list of flyblown metaphors which could similarly be got rid of if enough people would interest themselves in the job; and it should also be possible to laugh the not un- formation out of existence*... *One can cure oneself of the not

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 00:14, Paul Tiemann wrote: On Jul 27, 2010, at 3:34 PM, Ben Laurie wrote: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 09:57, Peter Gutmann wrote: Ben Laurie b...@links.org writes: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 13:18, Peter Gutmann wrote: Ben Laurie b...@links.org writes: I find your response strange. You ask how we might fix the problems, then you respond that since the world doesn't work that way right now, the fixes won't work. Is this just an exercise in one-upmanship? You

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 14:05, Perry E. Metzger wrote: It is not always the case that a dead technology has failed because of infeasibility or inapplicability. I'd say that a number of fine technologies have failed for other reasons. However, at some point, it becomes incumbent upon the proponents of a

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28 July 2010 15:05, Perry E. Metzger pe...@piermont.com wrote: On Wed, 28 Jul 2010 14:38:53 +0100 Ben Laurie b...@links.org wrote: On 28/07/2010 14:05, Perry E. Metzger wrote: It is not always the case that a dead technology has failed because of infeasibility or inapplicability. I'd say

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 15:18, Peter Gutmann wrote: Ben Laurie b...@links.org writes: However, using private keys to prove that you are (probably) dealing with the same entity as yesterday seems like a useful thing to do. And still needs revocation. It depends on what you mean by revocation

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 16:01, Perry E. Metzger wrote: On Wed, 28 Jul 2010 15:16:32 +0100 Ben Laurie b...@google.com wrote: SSH does appear to have got away without revocation, though the nature of the system is s.t. if I really wanted to revoke I could almost always contact the users and tell them

Re: A mighty fortress is our PKI

2010-07-27 Thread Ben Laurie
On 27/07/2010 15:11, Peter Gutmann wrote: The intent with posting it to the list was to get input from a collection of crypto-savvy people on what could be done. The issue had previously been discussed on a (very small) private list, and one of the members suggested I post it to the

Re: A mighty fortress is our PKI, Part II

2010-07-27 Thread Ben Laurie
On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like this, particularly if the cert was used to sign 64-bit drivers, I wouldn't have revoked

Re: Intel to also add RNG

2010-07-14 Thread Ben Laurie
On 12 July 2010 18:13, Jack Lloyd ll...@randombit.net wrote: On Mon, Jul 12, 2010 at 12:22:51PM -0400, Perry E. Metzger wrote: BTW, let me note that if Intel wanted to gimmick their chips to make them untrustworthy, there is very little you could do about it. The literature makes it clear at

Re: Intel to also add RNG

2010-07-12 Thread Ben Laurie
On 2 July 2010 13:19, Eugen Leitl eu...@leitl.org wrote: http://www.technologyreview.com/printer_friendly_article.aspx?id=25670channel=Briefingssection=Microprocessors Tuesday, June 29, 2010 Nanoscale Random Number Circuit to Secure Future Chips Intel unveils a circuit that can pump out

Re: Spy/Counterspy

2010-07-11 Thread Ben Laurie
On 10 July 2010 11:57, Jerry Leichter leich...@lrw.com wrote: Beyond simple hacking - someone is quoted saying You can consider GPS a little like computers before the first virus - if I had stood here before then and cried about the risks, you would've asked 'why would anyone bother?'. - among

Re: Against Rekeying

2010-03-25 Thread Ben Laurie
On 24/03/2010 08:28, Simon Josefsson wrote: Perry E. Metzger pe...@piermont.com writes: Ekr has an interesting blog post up on the question of whether protocol support for periodic rekeying is a good or a bad thing: http://www.educatedguesswork.org/2010/03/against_rekeying.html I'd be

Re: TLS break

2009-11-17 Thread Ben Laurie
On Mon, Nov 16, 2009 at 11:30 AM, Bernie Cosell ber...@fantasyfarm.com wrote: As I understand it, this is only really a vulnerability in situations where a command to do something *precedes* the authentication to enable the command.  The obvious place where this happens, of course, is with

Re: Crypto dongles to secure online transactions

2009-11-09 Thread Ben Laurie
On Sun, Nov 8, 2009 at 7:07 AM, John Levine jo...@iecc.com wrote: So before I send it off, if people have a moment could you look at it and tell me if I'm missing something egregiously obvious?  Tnx. I've made it an entry in my blog at http://weblog.johnlevine.com/Money/securetrans.html

Re: Possibly questionable security decisions in DNS root management

2009-10-20 Thread Ben Laurie
On Sat, Oct 17, 2009 at 10:23 AM, John Gilmore g...@toad.com wrote: Even plain DSA would be much more space efficient on the signature side - a DSA key with p=2048 bits, q=256 bits is much stronger than a 1024 bit RSA key, and the signatures would be half the size. And NIST allows (2048,224)

Re: Client Certificate UI for Chrome?

2009-08-26 Thread Ben Laurie
On Mon, Aug 10, 2009 at 6:35 PM, Peter Gutmannpgut...@cs.auckland.ac.nz wrote: More generally, I can't see that implementing client-side certs gives you much of anything in return for the massive amount of effort required because the problem is a lack of server auth, not of client auth.  If I'm

Re: SHA-1 and Git (was Re: [tahoe-dev] Tahoe-LAFS key management, part 2: Tahoe-LAFS is like encrypted git)

2009-08-25 Thread Ben Laurie
Perry E. Metzger wrote: Yet another reason why you always should make the crypto algorithms you use pluggable in any system -- you *will* have to replace them some day. In order to roll out a new crypto algorithm, you have to roll out new software. So, why is anything needed for pluggability

Re: cleversafe says: 3 Reasons Why Encryption is Overrated

2009-08-06 Thread Ben Laurie
Zooko Wilcox-O'Hearn wrote: I don't think there is any basis to the claims that Cleversafe makes that their erasure-coding (Information Dispersal)-based system is fundamentally safer, e.g. these claims from [3]: a malicious party cannot recreate data from a slice, or two, or three, no matter

Re: The clouds are not random enough

2009-08-02 Thread Ben Laurie
On Sat, Aug 1, 2009 at 10:06 PM, Jerry Leichterleich...@lrw.com wrote: Why Cloud Computing Needs More Chaos: http://www.forbes.com/2009/07/30/cloud-computing-security-technology-cio-network-cloud-computing.html [Moderator's note: ... the article is about a growing problem -- the lack of good

Re: Factoring attack against RSA based on Pollard's Rho

2009-06-07 Thread Ben Laurie
Paul Hoffman wrote: At 8:07 PM -0700 6/5/09, Greg Perry wrote: Greetings list members, I have published a unique factoring method related to Pollard's Rho that is published here: http://blog.liveammo.com/2009/06/factoring-fun/ Any feedback would be appreciated. Is there any

Re: Solving password problems one at a time, Re: The password-reset paradox

2009-04-30 Thread Ben Laurie
Steven M. Bellovin wrote: We've become prisoners of dogma here. In 1979, Bob Morris and Ken Thompson showed that passwords were guessable. In 1979, that was really novel. There was a lot of good work done in the next 15 years on that problem -- Spaf's empirical observations, Klein's '90

Re: Crypto Craft Knowledge

2009-02-25 Thread Ben Laurie
Cat Okita wrote: On Sat, 21 Feb 2009, Peter Gutmann wrote: This points out an awkward problem though, that if you're a commercial vendor and you have a customer who wants to do something stupid, you can't afford not to allow this. While my usual response to requests to do things insecurely

Re: Crypto Craft Knowledge

2009-02-20 Thread Ben Laurie
Stephan Neuhaus wrote: Many mistakes in crypto coding come from the fact that API developers have so far very successfully shifted the burden of secure usage to the application developer, the API user. But I believe this hasn't worked and needs to be changed. I totally agree, and this is the

Re: full-disk subversion standards released

2009-02-13 Thread Ben Laurie
Alexander Klimov wrote: On Wed, 11 Feb 2009, Ben Laurie wrote: If I have data on my server that I would like to stay on my server and not get leaked to some third party, then this is exactly the same situation as DRMed content on an end user's machine, is it not? The treat model

Re: full-disk subversion standards released

2009-02-12 Thread Ben Laurie
Peter Gutmann wrote: Ben Laurie b...@links.org writes: Apart from the obvious fact that if the TPM is good for DRM then it is also good for protecting servers and the data on them, In which way, and for what sorts of protection? And I mean that as a serious inquiry, not just a Did you

Re: full-disk subversion standards released

2009-02-01 Thread Ben Laurie
Peter Gutmann wrote: John Gilmore g...@toad.com writes: The theory that we should build good and useful tools capable of monopoly and totalitarianism, but use social mechanisms to prevent them from being used for that purpose, strikes me as naive. There's another problem with this theory and

Re: What EV certs are good for

2009-01-28 Thread Ben Laurie
On Wed, Jan 28, 2009 at 5:14 AM, William Soley william.so...@sun.com wrote: On Jan 27, 2009, at 6:04 AM, Jerry Leichter wrote: It might be useful to put together a special-purpose HTTPS client which would initiate a connection and tell you about the cert returned, then exit. I use ...

Re: What EV certs are good for

2009-01-27 Thread Ben Laurie
On Sun, Jan 25, 2009 at 11:04 PM, Jerry Leichter leich...@lrw.com wrote: I just received a phishing email, allegedly from HSBC: Dear HSBC Member, Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-24 Thread Ben Laurie
On Sat, Jan 24, 2009 at 2:36 AM, Victor Duchovni victor.ducho...@morganstanley.com wrote: You seem to be out of touch I am afraid. Just look at what many O/S distributions do. They adopt a new OpenSSL 0.9.Xy release from time to time (for some initial y) and back-port security fixes never

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-23 Thread Ben Laurie
On Tue, Jan 20, 2009 at 5:14 AM, Victor Duchovni victor.ducho...@morganstanley.com wrote: On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote: The RFC does exit (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256 mandatory), so you can send a SHA-256 certificate to clients that

OpenPGP:SDK v0.9 released

2009-01-09 Thread Ben Laurie
I thought people might be interested in this now somewhat-complete, BSD-licensed OpenPGP library... http://openpgp.nominet.org.uk/cgi-bin/trac.cgi/wiki/V0.9 -- http://www.apache-ssl.org/ben.html http://www.links.org/ There is no limit to what a man can do or how far he can go if he

Re: Security by asking the drunk whether he's drunk

2008-12-30 Thread Ben Laurie
On Mon, Dec 29, 2008 at 10:10 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: David Molnar dmol...@eecs.berkeley.edu writes: Service from a group at CMU that uses semi-trusted notary servers to periodically probe a web site to see which public key it uses. The notaries provide the list of

Re: Security by asking the drunk whether he's drunk

2008-12-30 Thread Ben Laurie
On Tue, Dec 30, 2008 at 4:25 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Ben Laurie b...@google.com writes: what happens when the cert rolls? If the key also changes (which would seem to me to be good practice), then the site looks suspect for a while. I'm not aware of any absolute

Re: Security by asking the drunk whether he's drunk

2008-12-27 Thread Ben Laurie
On Fri, Dec 26, 2008 at 7:39 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Adding support for a service like Perspectives (discussed here a month or two back) would be a good start since it provides some of the assurance that a commercial PKI can't (and as an additional benefit it also

Re: combining entropy

2008-10-29 Thread Ben Laurie
On Tue, Oct 28, 2008 at 7:55 PM, Leichter, Jerry [EMAIL PROTECTED] wrote: 2. The Byzantine model. Failed modules can do anything including cooperating by exchanging arbitrary information and doing infinite computation. So in the Byzantine model I can

Re: combining entropy

2008-10-27 Thread Ben Laurie
On Sat, Oct 25, 2008 at 12:40 PM, IanG [EMAIL PROTECTED] wrote: Jonathan Katz wrote: I think it depends on what you mean by N pools of entropy. I can see that my description was a bit weak, yes. Here's a better view, incorporating the feedback: If I have N people, each with a single

Re: Who cares about side-channel attacks?

2008-10-27 Thread Ben Laurie
Peter Gutmann wrote: In fact none of the people/organisations I queried about this fitted into any of the proposed categories, it was all embedded devices, typically SCADA systems, home automation, consumer electronics, that sort of thing, so it was really a single category which was

Re: once more, with feeling.

2008-10-24 Thread Ben Laurie
Peter Gutmann wrote: If this had been done in the beginning, before users -- and web site designers, and browser vendors -- were mistrained, it might have worked. Now, though? I'm skeptical. For existing apps with habituated users, so am I. So how about the following strawman: Take an

Re: combining entropy

2008-10-24 Thread Ben Laurie
On Mon, Sep 29, 2008 at 1:13 PM, IanG [EMAIL PROTECTED] wrote: If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets? Surely not. Consider N pools each of size 1 bit. Clearly you can do better than the 1 bit your suggestion would yield.

Re: Quiet in the list...

2008-09-06 Thread Ben Laurie
Allen wrote: So I'll ask a question. I saw the following on another list: I stopped using WinPT after is crashed too many times. I am now using Thunderbird with the Enigmail plugin for GPG interface. It works rather flawlessly and I've never looked back.

Re: Quiet in the list...

2008-09-06 Thread Ben Laurie
IanG wrote: 2. GPG + Engimail + Thunderbird. Will never be totally robust because there is too much dependency. What does this mean? GPG + Enigmail, whilst not the best architecture I ever heard of, is a tiny increment to the complexity of Thunderbird. Are you saying anything other than big

Re: [OpenID] rfc2817: https vs http

2008-09-01 Thread Ben Laurie
[Adding the cryptography list, since this seems of interest] On Wed, Aug 27, 2008 at 8:58 PM, Story Henry [EMAIL PROTECTED] wrote: Apparently rfc2817 allows an http url tp be used for https security. Given that Apache seems to have that implemented [1] and that the openid url is mostly used

Re: [OpenID] rfc2817: https vs http

2008-09-01 Thread Ben Laurie
On Mon, Sep 1, 2008 at 9:49 PM, Eric Rescorla [EMAIL PROTECTED] wrote: At Mon, 1 Sep 2008 21:00:55 +0100, Ben Laurie wrote: The core issue is that HTTPS is used to establish end-to-end security, meaning, in particular, authentication and secrecy. If the MitM can disable the upgrade to HTTPS

Keyczar

2008-08-13 Thread Ben Laurie
http://www.links.org/?p=374 When I joined Google over two years ago I was asked to find a small project to get used to the way development is done there. The project I chose was one that some colleagues had been thinking about, a key management library. I soon realised that unless the library

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-12 Thread Ben Laurie
On Tue, Aug 12, 2008 at 9:55 AM, Clausen, Martin (DK - Copenhagen) [EMAIL PROTECTED] wrote: You could use the SSL Blacklist plugin (http://codefromthe70s.org/sslblacklist.asp) for Firefox or heise SSL Guardian (http://www.heise-online.co.uk/security/Heise-SSL-Guardian--/features/11 1039/) for

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-09 Thread Ben Laurie
Hal Finney wrote: I thought of one possible mitigation that can protect OpenID end users against remote web sites which have not patched their DNS. OpenID providers who used weak OpenSSL certs would have to change their URLs so that their old X.509 CA certs on their old URLs no longer work on

OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Ben Laurie
Security Advisory (08-AUG-2008) (CVE-2008-3280) === Ben Laurie of Google's Applied Security team, while working with an external researcher, Dr. Richard Clayton of the Computer Laboratory, Cambridge University, found that various OpenID Providers (OPs

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Ben Laurie
On Fri, Aug 8, 2008 at 5:57 PM, Eric Rescorla [EMAIL PROTECTED] wrote: At Fri, 8 Aug 2008 17:31:15 +0100, Dave Korn wrote: Eric Rescorla wrote on 08 August 2008 16:06: At Fri, 8 Aug 2008 11:50:59 +0100, Ben Laurie wrote: However, since the CRLs will almost certainly not be checked

Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Ben Laurie
On Fri, Aug 8, 2008 at 8:27 PM, Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote: Ben Laurie: On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote: This affects any web site and service provider of various natures. It's not exclusive for OpenID nor for any

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Ben Laurie
On Fri, Aug 8, 2008 at 7:54 PM, Tim Dierks [EMAIL PROTECTED] wrote: Using this Bloom filter calculator: http://www.cc.gatech.edu/~manolios/bloom-filters/calculator.html , plus the fact that there are 32,768 weak keys for every key type size, I get various sizes of necessary Bloom filter,

Re: On the randomness of DNS

2008-08-03 Thread Ben Laurie
Philipp Gühring wrote: Hi, I would suggest to use http://www.cacert.at/random/ to test the randomness of the DNS source ports. Due to the large variety of random-number sources that have been tested there already, it's useful as a classification service of unknown randomly looking numbers.

Re: On the unpredictability of DNS

2008-08-03 Thread Ben Laurie
to make. Ben Laurie wrote: But just how GREAT is that, really? Well, we don't know. Why? Because there isn't actually a way test for randomness. ... While randomness is sufficient for perfect unpredictability, it isn't necessary in this threat environment. I agree, but my point is unaltered

Re: Strength in Complexity?

2008-08-03 Thread Ben Laurie
So, an executive summary of your responses appears to be EKMI leaves all the hard/impossible problems to be solved by components that are out of scope. As such, I'm not seeing much value. Anyway... Arshad Noor wrote: Ben Laurie wrote: OK, so you still have a PKI problem, in that you have

Re: On the randomness of DNS

2008-07-31 Thread Ben Laurie
Dirk-Willem van Gulik wrote: I fail to see how you could evaluate this without seeing the code (and even then - I doubt that one can properly do this -- the ?old? NSA habit of tweaking your random generated rather than your protocol/algorithm when they wanted your produced upgraded to export

On the randomness of DNS

2008-07-30 Thread Ben Laurie
I thought this list might be interested in a mini-rant about DNS source port randomness on my blog: http://www.links.org/?p=352. Ever since the recent DNS alert people have been testing their DNS servers with various cute things that measure how many source ports you use, and how random they

Re: On the randomness of DNS

2008-07-30 Thread Ben Laurie
Pierre-Evariste Dagand wrote: But just how GREAT is that, really? Well, we don' t know. Why? Because there isn't actually a way test for randomness. Your DNS resolver could be using some easily predicted random number generator like, say, a linear congruential one, as is common in the rand()

Re: On the randomness of DNS

2008-07-30 Thread Ben Laurie
Pierre-Evariste Dagand wrote: I doubt you can get a large enough sample in any reasonable time. Indeed. I don't see the point of evaluating the quality of a random number generator by statistical tests. Which is entirely my point. I fear I was not clear: I don't see what is wrong in

Explaining DNSSEC

2008-07-10 Thread Ben Laurie
I was asked off-list for a pointer to an explanation of DNSSEC. I guess there may be other readers who'd like that, so here's a pointer to Matasano Chargen's rather beautiful exposition: http://www.matasano.com/log/case-against-dnssec/ Unfinished, but good enough. In particular, part 2

Re: Kaminsky finds DNS exploit

2008-07-09 Thread Ben Laurie
Paul Hoffman wrote: First off, big props to Dan for getting this problem fixed in a responsible manner. If there were widespread real attacks first, it would take forever to get fixes out into the field. However, we in the security circles don't need to spread the Kaminsky finds meme. Take a

Re: Kaminsky finds DNS exploit

2008-07-09 Thread Ben Laurie
Steven M. Bellovin wrote: On Wed, 09 Jul 2008 11:22:58 +0530 Udhay Shankar N [EMAIL PROTECTED] wrote: I think Dan Kaminsky is on this list. Any other tidbits you can add prior to Black Hat? Udhay http://www.liquidmatrix.org/blog/2008/07/08/kaminsky-breaks-dns/ I'm curious about the

Re: Strength in Complexity?

2008-07-08 Thread Ben Laurie
Arshad Noor wrote: Ben Laurie wrote: Arshad Noor wrote: I may be a little naive, but can a protocol itself enforce proper key-management? I can certainly see it facilitating the required discipline, but I can't see how a protocol alone can enforce it. I find the question difficult

Re: Strength in Complexity?

2008-07-07 Thread Ben Laurie
Arshad Noor wrote: Florian Weimer wrote: * Arshad Noor: http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208800937 On a more serious note, I think the criticism probably refers to the fact that SKSML does not cryptopgrahically enforce proper key management. If a

Re: Can we copy trust?

2008-06-03 Thread Ben Laurie
Ed Gerck wrote: Ben Laurie wrote: But doesn't that prove the point? The trust that you consequently place in the web server because of the certificate _cannot_ be copied to another webserver. That other webserver has to go out and buy its own copy, with its own domain name it it. A copy

Re: Unpatented PAKE!

2008-06-02 Thread Ben Laurie
Scott G. Kelly wrote: Here's another approach to password authenticated key exchange with similar security claims. The underlying mechanism is under consideration for inclusion in by the 802.11s group in IEEE: http://www.ietf.org/internet-drafts/draft-harkins-emu-eap-pwd-01.txt Hmmm. I don't

Re: Unpatented PAKE!

2008-06-02 Thread Ben Laurie
Scott G. Kelly wrote: Ben Laurie wrote: Scott G. Kelly wrote: Here's another approach to password authenticated key exchange with similar security claims. The underlying mechanism is under consideration for inclusion in by the 802.11s group in IEEE: http://www.ietf.org/internet-drafts/draft

Re: Can we copy trust?

2008-06-02 Thread Ben Laurie
Ed Gerck wrote: In the essay Better Than Free, Kevin Kelly debates which concepts hold value online, and how to monetize those values. See www.kk.org/thetechnium/archives/2008/01/better_than_fre.php Kelly's point can be very useful: *When copies are free, you need to sell things which can

Unpatented PAKE!

2008-05-30 Thread Ben Laurie
http://grouper.ieee.org/groups/1363/passwdPK/submissions/hao-ryan-2008.pdf At last. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.links.org/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff

Re: The perils of security tools

2008-05-25 Thread Ben Laurie
Steven M. Bellovin wrote: On Sat, 24 May 2008 20:29:51 +0100 Ben Laurie [EMAIL PROTECTED] wrote: Of course, we have now persuaded even the most stubborn OS that randomness matters, and most of them make it available, so perhaps this concern is moot. Though I would be interested to know how

Re: The perils of security tools

2008-05-24 Thread Ben Laurie
Eric Young wrote: #ifndef PURIFY MD_Update(m,buf,j); /* purify complains */ #endif I just re-checked, this code was from SSLeay, so it pre-dates OpenSSL taking over from me (about 10 years ago, after I was assimilated by RSA Security). So in some ways I'm the one at

  1   2   3   4   >