Because not being fast enough means you don't ship. You don't ship, you
didn't secure anything.
Performance will in fact trump security. This is the empirical reality.
There's some budget for performance loss. But we have lots and lots of
slow functions. Fast is the game.
(Now, whether my
I've got a perfect vs. good question.
NIST is pushing RSA-2048. And I think we all agree that's probably a
However, performance on RSA-2048 is too low for a number of real world
Assuming RSA-2048 is unavailable, is it worth taking the intermediate
I looked at the GNFS runtime and plugged a few numbers in. It seems
RSA Security is using a more conservative constant of about 1.8 rather
than the suggested 1.92299...
So using 1.8, a 1024 bit RSA key is roughly equivalent to
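The sentence above is cut off in the archive. As an added illustration (not the poster's own computation), here is the heuristic GNFS cost L_N[1/3, c] = exp(c (ln N)^(1/3) (ln ln N)^(2/3)) with the o(1) term dropped, turned into an equivalent symmetric key length and evaluated for both the asymptotic constant (64/9)^(1/3) = 1.92299... and the 1.8 the post attributes to RSA Security. The modulus sizes in the table are chosen here for illustration.

```python
import math

# Added example: heuristic GNFS cost L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)),
# o(1) term dropped, expressed as an equivalent symmetric key length in bits.
C_ASYMPTOTIC = (64 / 9) ** (1 / 3)  # 1.92299..., the asymptotic GNFS constant
C_CONSERVATIVE = 1.8                # the more conservative figure the post attributes to RSA Security


def gnfs_work_bits(modulus_bits: int, c: float = C_ASYMPTOTIC) -> float:
    """log2 of L_N[1/3, c] for a modulus N of modulus_bits bits (N ~ 2**modulus_bits)."""
    ln_n = modulus_bits * math.log(2)
    nats = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return nats / math.log(2)


def symmetric_equivalents(sizes=(512, 1024, 2048, 3072, 4096)) -> dict[int, tuple[float, float]]:
    """For each modulus size: (bits with the asymptotic constant, bits with c = 1.8)."""
    return {n: (gnfs_work_bits(n, C_ASYMPTOTIC), gnfs_work_bits(n, C_CONSERVATIVE)) for n in sizes}


if __name__ == "__main__":
    print(f"{'RSA bits':>9} {'c=1.923':>9} {'c=1.8':>9}")
    for n, (hi, lo) in symmetric_equivalents().items():
        print(f"{n:>9} {hi:>9.1f} {lo:>9.1f}")
```

On this crude model the constant alone moves a 1024-bit modulus from roughly 87 to roughly 81 bits of work, and 2048 bits from roughly 117 to roughly 109, which is why the choice of c matters to the 1024-versus-2048 trade-off being argued. Real estimates also carry the o(1) term and implementation constants that this formula ignores.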
Eric Rescorla wrote:
At Fri, 8 Aug 2008 17:31:15 +0100,
Dave Korn wrote:
Eric Rescorla wrote on 08 August 2008 16:06:
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
However, since the CRLs will almost certainly not be checked, this
means the site will still be
Peter Gutmann wrote:
David G. Koontz [EMAIL PROTECTED] writes:
Military silicon already has RNG on chip (e.g. AIM, Advanced INFOSEC Machine,
That's only a part of it. Military silicon has a hardware RNG on chip
alongside a range of other things because they know full
(as if anyone uses client certificates anyway)?
Guess why so few people are using it ...
If it were secure, more people would be able to use it.
People don't use it because the workload of getting signed up is vastly
beyond their skillset, and the user experience using the things
Crypto solves certain problems very well. Against others, it's worse
than useless -- worse, because it blocks out friendly IDSs as well as
Yawn. IDS is dead, has been for a while now. The bottom line discovery
has been that:
1) Anomaly detection doesn't work because
Ben Laurie wrote:
I wrote some code to show the internal state of MD5 during a collision...
(That being said -- I do like your output. Very nice.)
A quick question to anyone who might be in the banking industry.
Why do banks not collect simple biometric information like photographs
of their customers yet?
Bank Of America put my photo on my ATM card back in '97. They're
shipping me a new one right now, so I assume they kept it in
This is yet more reason why I propose that you authorize transactions
with public keys and not with the use of identity information. The
identity information is widely available and passes through too many
hands to be considered secret in any way, but a key on a token never
will pass through
Jerrold Leichter wrote:
| Credit card fraud has gone *down* since 1992, and is actually falling:
| 1992: $2.6B
| 2003: $882M
| 2004: $788M
| We're on the order of 4.7 cents on the $100.
I think you're wrong on that one. Financial cost and benefit are easily
assessed on this, and I think the numbers add up. Credit card fraud
costs in the hundreds of billions of dollars a year, much of which
could be eliminated by a change to the sort of system I
mention. That's not a small
So the funny thing about, say, SHA-1, is if you give it less than 160
bits of data, you end up expanding into 160 bits of data, but if you
give it more than 160 bits of data, you end up contracting into 160 bits
of data. This works of course for any input data, entropic or not.
If you are insisting that there is always
a way and that, therefore, the situation is
permanently hopeless such that the smart
ones are getting the hell out of the
Internet, I can go with that, but then
we (you and I) would both be guilty of
letting the best be the enemy of the good.
I had something much more complicated, but it comes down to this:
You trust Internet Explorer.
Spyware considers Internet Explorer crunchy, and good with ketchup.
A little less snarkily, Spyware can trivially use what MS refers to
as a Browser Helper Object
Suppose you have something that is inadvertently an
oracle - it encrypts stuff from many different users
preparatory to sending it out over the internet, and
makes no effort to strongly authenticate a user.
Have it encrypt stuff into a buffer, and on a timer
event, send out the buffer.
2) The cost in question is so small as to be unmeasurable.
Yes, because key management is easy or free.
Also, reliability of encrypted backups is problematic: CBC modes render
a single fault destructive to the entire dataset. Counter mode is
sufficiently new that it's not supported by
The likelihood of having the information compromised is very remote given
the type of equipment that is required to read it, Debby Hopkins,
Citigroup's chief operations and technology officer, said in an interview.
Additionally, the information is not in a format that an untrained eye
From what I've heard, datapath to the disk. I've read enough of the
specs to see they're well aware a worm could brick a couple hundred
thousand hard drives.
James A. Donald wrote:
Every ATA disk contains encryption firmware, though not
all bioses allow you to use it.
There is a master
Have you looked at their scheme?
The way to come up with a cipher provably as secure as AES-128 is to use
AES-128 as part of your cipher -- but their scheme does not do anything
I am very skeptical about claims that they have a mathematical
Steven M. Bellovin wrote:
We all understand the need to move to better hash algorithms than SHA1.
At a minimum, people should be switching to SHA256/384/512; arguably,
Whirlpool is the right way to go. The problem is how to get there from
I've been rather continually pinging people,
The Wang attack does nothing (yet) for second preimages.
The best attack I know of against them is in Kelsey and
Schneier's *Second Preimages on n-bit Hash Functions for Much Less than
2^n Work.* It's at: http://eprint.iacr.org/2004/304
Once you cut through the
Some initial thoughts:
I wouldn't be surprised if platters couldn't be analyzed for usage
levels / magnetic degradation (Peter?). Even without a clean room, ATA
is pretty rich -- anyone remember the guy who graphically plotted the
spiral damage caused by a failed drive head
My complaint is against the parroting of patently absurd claims by
manufacturers (or governments, for that matter) under the guise of
If you need the reason to be concrete, here's one: I might buy this
magic water and apply it to some of my stuff, figuring I don't have to
Semantic gap, and I do apologize if I didn't make this clear. Wang
adapts to any initial state, so you can create arbitrary content to
prepend your collision set with, adapt to its output, and then append
whatever you like. The temporal ordering is indeed important though;
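To make the "adapt to any initial state, then append whatever you like" property concrete, here is an added example; it is not the poster's code and it is not the Wang attack. It uses a toy Merkle-Damgard hash with a 16-bit chaining value (a truncated SHA-256 stands in for the compression function purely so a collision search finishes instantly), runs a chosen prefix through the chain to obtain the starting state, finds two colliding blocks from that state by birthday search, and shows that any common suffix keeps the two messages colliding. The prefix and suffix strings are constructed for the demo, and the brute-force search says nothing about how Wang finds MD5 collisions; only the chaining structure is the point.

```python
import hashlib
import itertools

# Added example: a toy Merkle-Damgard hash. The chaining value is 16 bits so that a
# collision from ANY chosen chaining state can be found by brute force in a few
# hundred compression calls. Structure, not strength, is what is being shown.
STATE_BYTES = 2
BLOCK_BYTES = 4
IV = b"\x00\x00"


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 of state||block, truncated to STATE_BYTES."""
    assert len(state) == STATE_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def chain(state: bytes, data: bytes) -> bytes:
    """Run the compression function over the whole blocks of `data`, starting from `state`."""
    assert len(data) % BLOCK_BYTES == 0
    for i in range(0, len(data), BLOCK_BYTES):
        state = compress(state, data[i:i + BLOCK_BYTES])
    return state


def pad(msg: bytes) -> bytes:
    """MD strengthening: 0x80, zero fill, then a 16-bit big-endian bit length."""
    body = msg + b"\x80"
    while (len(body) + 2) % BLOCK_BYTES:
        body += b"\x00"
    return body + ((len(msg) * 8) % 2 ** 16).to_bytes(2, "big")


def toy_hash(msg: bytes) -> bytes:
    return chain(IV, pad(msg))


def collide_from_state(state: bytes) -> tuple[bytes, bytes]:
    """Birthday search: two distinct single blocks that collide when chained from `state`.

    Every block tried is distinct, so a repeated output is a genuine collision.
    With a 16-bit state this needs a few hundred calls on average, at most 2**16 + 1.
    """
    seen: dict[bytes, bytes] = {}
    for n in itertools.count():
        block = n.to_bytes(BLOCK_BYTES, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
    raise AssertionError("unreachable: pigeonhole guarantees a repeat")


def collide_with_prefix(prefix: bytes, suffix: bytes) -> tuple[bytes, bytes]:
    """Return prefix||a||suffix and prefix||b||suffix with a != b and equal toy_hash.

    1. "adapt to any initial state": chain the chosen prefix to get the state the
       collision search must start from (toy restriction: prefix fills whole blocks).
    2. find one colliding block pair from that state.
    3. "append whatever you like": both messages now share the chaining value and
       the length, so any common suffix, and the identical padding, keep them colliding.
    """
    assert len(prefix) % BLOCK_BYTES == 0, "toy restriction: prefix must fill whole blocks"
    state = chain(IV, prefix)
    a, b = collide_from_state(state)
    return prefix + a + suffix, prefix + b + suffix


if __name__ == "__main__":
    # Constructed inputs for the demo.
    m1, m2 = collide_with_prefix(b"SIGNEDBY", b"; then anything at all")
    print(m1 != m2, toy_hash(m1) == toy_hash(m2), toy_hash(m1).hex())
```

Changing the prefix changes the starting state, so the colliding blocks have to be recomputed for each prefix; that is the "adapt" step. Nothing about the suffix needs recomputing, which is the temporal ordering the post refers to: prefix fixed first, collision second, suffix last.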
Ben Laurie wrote:
Dan Kaminsky wrote:
The x.509 cert collision is a necessary consequence of the earlier
discussed prime/not-prime collision. Take the previous concept, make
both prime, and surround with the frame of an x.509 cert, and you get
the new paper.
Actually, not - an RSA
Matt Crawford wrote:
On Feb 15, 2005, at 12:40, R.A. Hettinga wrote:
Instant, is a property-marking fluid that, when
brushed on items like office equipment or motorcycles, tags them with
millions of tiny fragments, each etched with a unique SIN (SmartWater
identification number) that is
It is worth emphasizing that, as a 2^69 attack, we're not going to be
getting test vectors out of Wang. After all, if she had 2^69
computation available, she wouldn't have needed to attack MD5; she could
have just brute forced it in 2^64.
This means the various attacks in the MD5 Someday paper
Digital certificates can be explained as digital passports, which help in
authentication of the bearer on the Internet. This also helps maintain
privacy and integrity of Net-based transactions. Digital signatures are
accorded the same value as paper-based signatures of the physical world by
Actually it's not that bad: using SIP, the RTP packets can be protected by
SRTP (RFC3711, with an opensource implementation from Cisco at
SRTP...heh. Take a look at RFC3711 for a second.
Specification of a key management protocol for SRTP is out of scope
Uh, you *really* have no idea how much the black hat community is
looking forward to TCPA. For example, Office is going to have core
components running inside a protected environment totally immune to
antivirus. Since these components are going to be managing
cryptographic operations, the